Narbik Ccie Security V4 Workbook Vol1 Editable (asa, Vpn)


CCIE Security V4 Lab Workbook

Vol. 1
Piotr Matusiak
CCIE #19860
R&S, Security
C|EH, CCSI #33705

Narbik Kocharians
CCIE #12410
R&S, Security, SP
CCSI #30832

Micronics Training Inc. © 2013

CCIE SECURITY v4 Lab Workbook

Table of Contents
ASA Firewall
LAB 1.1.   BASIC ASA CONFIGURATION..................................................................................................... 8  
LAB 1.2.   BASIC SECURITY POLICY ......................................................................................................... 17  
LAB 1.3.   DYNAMIC ROUTING PROTOCOLS .......................................................................................... 29  
LAB 1.4.   ASA MANAGEMENT..................................................................................................................... 46  
LAB 1.5.   STATIC NAT (8.2)........................................................................................................................... 59  
LAB 1.6.   DYNAMIC NAT (8.2) ...................................................................................................................... 67  
LAB 1.7.   NAT EXEMPTION (8.2) ................................................................................................................. 77  
LAB 1.8.   STATIC POLICY NAT (8.2) .......................................................................................................... 81  
LAB 1.9.   DYNAMIC POLICY NAT (8.2) ..................................................................................................... 91  
LAB 1.10.   STATIC NAT (8.3+)....................................................................................................................... 99  
LAB 1.11.   DYNAMIC NAT (8.3+)................................................................................................................ 115  
LAB 1.12.   BIDIRECTIONAL NAT (8.3+)................................................................................................... 126  
LAB 1.13.   MODULAR POLICY FRAMEWORK (MPF) ......................................................................... 131  
LAB 1.14.   FTP ADVANCED INSPECTION............................................................................................... 138  
LAB 1.15.   HTTP ADVANCED INSPECTION ........................................................................................... 146  
LAB 1.16.   INSTANT MESSAGING ADVANCED INSPECTION ........................................................... 156  
LAB 1.17.   ESMTP ADVANCED INSPECTION ........................................................................................ 159  
LAB 1.18.   DNS ADVANCED INSPECTION .............................................................................................. 164  
LAB 1.19.   ICMP ADVANCED INSPECTION ........................................................................................... 169  
LAB 1.20.   CONFIGURING VIRTUAL FIREWALLS .............................................................................. 175  
LAB 1.21.   ACTIVE/STANDBY FAILOVER .............................................................................................. 198  
LAB 1.22.   ACTIVE/ACTIVE FAILOVER.................................................................................................. 212  
LAB 1.23.   REDUNDANT INTERFACES.................................................................................................... 239  
LAB 1.24.   TRANSPARENT FIREWALL ................................................................................................... 246  
LAB 1.25.   THREAT DETECTION .............................................................................................................. 260  
LAB 1.26.   CONTROLLING ICMP AND FRAGMENTED TRAFFIC ................................................... 264  
LAB 1.27.   TIME BASED ACCESS CONTROL ......................................................................................... 270  
LAB 1.28.   QOS - PRIORITY QUEUING .................................................................................................... 276  
LAB 1.29.   QOS – TRAFFIC POLICING .................................................................................................... 280  
LAB 1.30.   QOS – TRAFFIC SHAPING ...................................................................................................... 285  
LAB 1.31.   QOS – TRAFFIC SHAPING WITH PRIORITIZATION....................................................... 290  
LAB 1.32.   SLA ROUTE TRACKING .......................................................................................................... 296  
LAB 1.33.   ASA IP SERVICES (DHCP)....................................................................................................... 303  
LAB 1.34.   URL FILTERING AND APPLETS BLOCKING .................................................................... 310  
LAB 1.35.   TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS................. 314

Page 2 of 1033

Site-to-Site VPN
LAB 1.36.   BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) .............................................. 327  
LAB 1.37.   BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) ............................... 353  
LAB 1.38.   BASIC SITE TO SITE VPN WITH NAT (IOS-IOS)............................................................... 370  
LAB 1.39.   IOS CERTIFICATE AUTHORITY........................................................................................... 386  
LAB 1.40.   SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) ............................................................ 397  
LAB 1.41.   SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS)............................................................... 411  
LAB 1.42.   SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA)......................................... 421  
LAB 1.43.   SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA).................................... 441  
LAB 1.44.   SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) ................................ 462  
LAB 1.45.   SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS)........................................ 476  
LAB 1.46.   SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) ...................................... 485  
LAB 1.47.   SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS) 533  
LAB 1.48.   GRE OVER IPSEC ...................................................................................................................... 551  
LAB 1.49.   DMVPN PHASE 1........................................................................................................................ 568  
LAB 1.50.   DMVPN PHASE 2 (WITH EIGRP) ........................................................................................... 585  
LAB 1.51.   DMVPN PHASE 2 (WITH OSPF) ............................................................................................. 604  
LAB 1.52.   DMVPN PHASE 3 (WITH EIGRP) ........................................................................................... 624  
LAB 1.53.   DMVPN PHASE 3 (WITH OSPF) ............................................................................................. 644  
LAB 1.54.   DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) .............................................................. 668  
LAB 1.55.   DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) .................................................................. 698  
LAB 1.56.   GET VPN (PSK)........................................................................................................................... 739  
LAB 1.57.   GET VPN (PKI) ........................................................................................................................... 761  
LAB 1.58.   GET VPN COOP (PKI) ............................................................................................................... 780

Remote Access VPN
LAB 1.59.   CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO IOS) ...... 814  
LAB 1.60.   CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA) ..... 824  
LAB 1.61.   CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK)........................ 833  
LAB 1.62.   CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) ........................ 843  
LAB 1.63.   CONFIGURING SSL VPN (IOS)............................................................................................... 867  
LAB 1.64.   CONFIGURING SSL VPN (ASA).............................................................................................. 884  
LAB 1.65.   ANYCONNECT 3.0 BASIC SETUP .......................................................................................... 897  
LAB 1.66.   ANYCONNECT 3.0 ADVANCED FEATURES ....................................................................... 914  
LAB 1.67.   EASYVPN SERVER ON ASA WITH LDAP AUTHENTICATION ..................................... 924


Advanced VPN Features
LAB 1.68.   IPSEC STATEFUL FAILOVER ................................................................................................ 957  
LAB 1.69.   IPSEC STATIC VTI .................................................................................................................... 970  
LAB 1.70.   IKE ENCRYPTED KEYS........................................................................................................... 979  
LAB 1.71.   IPSEC DYNAMIC VTI ............................................................................................................... 984  
LAB 1.72.   REVERSE ROUTE INJECTION (RRI).................................................................................... 994  
LAB 1.73.   CALL ADMISSION CONTROL FOR IKE............................................................................ 1011  
LAB 1.74.   IPSEC LOAD BALANCING (ASA CLUSTER)..................................................................... 1019  


Physical Topology


Advanced
CCIE SECURITY v4
LAB WORKBOOK

ASA Firewall

Narbik Kocharians
CCIE #12410 (R&S, Security, SP)
CCSI #30832
Piotr Matusiak
CCIE #19860 (R&S, Security)
C|EH, CCSI #33705

www.MicronicsTraining.com


Lab 1.1. Basic ASA configuration

Lab Setup
- R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
- R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
- R4’s F0/0 and ASA1’s E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password “cisco”
IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.1.101.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.1.102.2/24
R4       Lo0         4.4.4.4/24
         F0/0        10.1.104.4/24
ASA1     E0/0        10.1.102.10/24
         E0/1        10.1.101.10/24
         E0/2.104    10.1.104.10/24


Task 1
Configure ASA with the following settings:
Hostname: ASA-FW
Interface E0/0: name OUT, IP address 10.1.102.10/24, security level 0
Interface E0/1: name IN, IP address 10.1.101.10/24, security level 80
On the ASA configure a default route pointing to R2 and static routes for the
rest of the networks. On routers R1 and R2 configure default routes pointing to
the ASA.

Basic configuration of the ASA requires port configuration including the IP
address, the interface name and the security level. By default the security
level is set automatically when the interface is named with nameif: the ASA
uses security level 100 for an interface named “inside” and security level 0
for any other interface name (including “outside”). If you need a different
security level, use the “security-level <level>” command to set it.
What is the security level for? The security level defines which connections
are considered Inbound and which are Outbound.
An Outbound connection is a connection originated from the networks behind a
higher security level interface towards the networks behind a lower security
level interface.
An Inbound connection is a connection originated from the networks behind a
lower security level interface towards the networks behind a higher security
level interface.
An Outbound connection is inspected statefully, so it does not require any
access list for the returning traffic. An Inbound connection is considered
unsecure by default and there must be an access list allowing that connection.


Configuration
Complete these steps:
Step 1

ASA configuration.
ciscoasa# conf term
ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# int e0/0
ASA-FW(config-if)# ip add 10.1.102.10 255.255.255.0
ASA-FW(config-if)# nameif OUT
INFO: Security level for "OUT" set to 0 by default.
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# ip add 10.1.101.10 255.255.255.0
ASA-FW(config-if)# nameif IN
INFO: Security level for "IN" set to 0 by default.
ASA-FW(config-if)# security-level 80
ASA-FW(config-if)# no sh
ASA-FW(config-if)# exit

Verification
ASA-FW(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.1.102.10     YES manual up                    up
Ethernet0/1                10.1.101.10     YES manual up                    up
Ethernet0/2                unassigned      YES unset  administratively down up
Ethernet0/3                unassigned      YES unset  administratively down up
Management0/0              unassigned      YES unset  administratively down down

ASA-FW(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-FW(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


On ASA
ASA-FW(config)# route OUT 0 0 10.1.102.2
ASA-FW(config)# route IN 1.1.1.0 255.255.255.0 10.1.101.1
To reach subnets that are not directly connected, static (or dynamic) routing
must be configured on the ASA. As the ASA is usually located at the edge of the
network, in most designs the default route points to the edge router through
the outside interface. Note that you must use the interface name (nameif), not
the security direction, when configuring static routes.

Verification
ASA-FW(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Routers R1 and R2 must have default routes pointing to the respective ASA
interface. After adding those routes, R1 should be able to telnet to R2’s
loopback interface.
Note that R2 cannot ping R1: the ASA blocks traffic originated from the lower
security level interface towards the higher security level interface (OUT to
IN) unless the ACL applied on the OUT interface explicitly permits it.

On R1
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.101.10

On R2
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.102.10

Verification
R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification
Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:26
*578 vty 0                idle                 00:00:00 1.1.1.1

  Interface    User               Mode         Idle     Peer Address

The “Location” field shows the source address of the user session established
on the router. It is very useful when we need to determine whether or not a
connection goes through NAT or PAT.

R2>exit
[Connection to 2.2.2.2 closed by foreign host]
R1#p 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
This is caused by the ASA’s default rule of traffic processing; see the remark
in the frame above.


Task 2
Configure interface E0/2 on the ASA so that it connects via a dot1q trunk to
the switch and reaches R4’s F0/0 interface using VLAN 104 and the IP address
10.1.104.10/24. Configure static routing on the ASA and default routing on R4
to achieve full connectivity.

An ASA interface can be configured as a trunk to the switch so that more than
one subnet can be placed on a single physical interface. This is useful when
the ASA is short of physical interfaces and logical segmentation is sufficient
from the security point of view. Remember that you need to bring the physical
interface up (no shutdown) first and then configure the subinterfaces.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# int e0/2
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/2.104
ASA-FW(config-subif)# vlan 104
ASA-FW(config-subif)# ip add 10.1.104.10 255.255.255.0
ASA-FW(config-subif)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
Remember that ASA sets security level to 0 by default for
interfaces other than “inside”. Don’t forget about that
during your lab exam.
ASA-FW(config-subif)# security-level 50
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# route DMZ 4.4.4.0 255.255.255.0 10.1.104.4

Step 2

R4 configuration.
R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.104.10

Step 3

SW3 configuration.


SW3(config)#int f0/12
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#switchport mode trunk
SW3(config-if)#exi
SW3(config)#vlan 104
SW3(config-vlan)#exi


Verification
ASA-FW(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.1.102.10     YES manual up                    up
Ethernet0/1                10.1.101.10     YES manual up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/2.104            10.1.104.10     YES manual up                    up
Ethernet0/3                unassigned      YES unset  administratively down up
Management0/0              unassigned      YES unset  administratively down down

ASA-FW(config)# ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


Lab 1.2. Basic security policy

This lab is based on the previous lab configuration.

Task 1
Configure ASA with the policy that Ping and Telnet are allowed from the inside
subnet (IN) to the outside subnet (OUT) and DMZ.

The main rule on the ASA is to allow traffic coming from an interface with a
higher security level towards an interface with a lower security level.
Traffic in the opposite direction is blocked by default and an inbound ACL is
needed to permit it.
Remember that ICMP is stateless, so there is no session available to track.
The ASA has no ICMP inspection enabled by default, so for ICMP sent from the
interface with the higher security level towards the interface with the lower
security level, the return traffic (the ICMP echo reply) will be blocked on the
lower security level interface.


There are two ways to let that return traffic through: (1) configure ICMP
inspection globally or on the interface, or (2) configure an inbound ACL on
the interface with the lower security level.
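The following Python is an added example, not code from the workbook or from Cisco, that models the two rules explained above and in Lab 1.1 Task 1: a new connection entering an interface with no ACL is allowed only from a higher security level to a lower one, an interface with an ACL applied permits only what the ACL lists, return traffic of inspected TCP/UDP sessions is always allowed, and an ICMP echo reply is treated as a fresh inbound packet unless ICMP inspection is on. Interface names, levels and addresses are the lab's; the class and function names are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    name: str
    security_level: int
    # Inbound ACL applied with access-group; None means no ACL on this interface.
    # Each ACE is (protocol, source, destination, detail) where detail is a
    # TCP port or an ICMP type; "any" and None act as wildcards.
    acl_in: Optional[list] = None


@dataclass
class AsaModel:
    interfaces: dict
    inspect_icmp: bool = False
    conns: set = field(default_factory=set)  # tracked (proto, src, dst) sessions

    @staticmethod
    def _ace_matches(ace, proto, src, dst, detail):
        a_proto, a_src, a_dst, a_detail = ace
        return (a_proto == proto and a_src in ("any", src)
                and a_dst in ("any", dst) and a_detail in (None, detail))

    def _track(self, proto, src, dst, detail):
        # TCP/UDP are inspected statefully by default; ICMP only with inspect icmp.
        if proto in ("tcp", "udp") or (proto == "icmp" and self.inspect_icmp
                                       and detail == "echo"):
            self.conns.add((proto, src, dst))

    def forward(self, ingress, egress, proto, src, dst, detail=None):
        """Decide whether one packet arriving on `ingress` may leave via `egress`.

        Returns (allowed, reason)."""
        i, e = self.interfaces[ingress], self.interfaces[egress]
        if (proto, dst, src) in self.conns:
            return True, "return traffic of a tracked connection"
        if i.acl_in is not None:
            if any(self._ace_matches(a, proto, src, dst, detail) for a in i.acl_in):
                self._track(proto, src, dst, detail)
                return True, f"permitted by the ACL applied on {i.name}"
            return False, f"dropped by the implicit deny of the ACL on {i.name}"
        if i.security_level > e.security_level:
            self._track(proto, src, dst, detail)
            return True, f"outbound {i.name}->{e.name}: allowed by security levels"
        # Lower-to-higher needs an ACL (equal security levels are not modelled).
        return False, f"inbound {i.name}->{e.name}: no ACL permits it"


def lab_1_1():
    """State after Lab 1.1: no ACLs, no ICMP inspection."""
    return AsaModel({"IN": Interface("IN", 80), "DMZ": Interface("DMZ", 50),
                     "OUT": Interface("OUT", 0)})


def lab_1_2_acl():
    """Lab 1.2 Task 1: echo-reply permitted by inbound ACLs on OUT and DMZ."""
    asa = lab_1_1()
    asa.interfaces["OUT"].acl_in = [("icmp", "any", "any", "echo-reply")]
    asa.interfaces["DMZ"].acl_in = [("icmp", "any", "any", "echo-reply")]
    return asa


def lab_1_2_inspect():
    """The alternative: ICMP inspection turns the echo into a tracked session."""
    asa = lab_1_1()
    asa.inspect_icmp = True
    return asa


def ping_r1_to_r2(asa):
    """Echo IN->OUT followed by the echo-reply OUT->IN; returns the reply's verdict."""
    asa.forward("IN", "OUT", "icmp", "1.1.1.1", "2.2.2.2", "echo")
    return asa.forward("OUT", "IN", "icmp", "2.2.2.2", "1.1.1.1", "echo-reply")


if __name__ == "__main__":
    for name, asa in (("Lab 1.1", lab_1_1()), ("Lab 1.2 ACL", lab_1_2_acl()),
                      ("inspect icmp", lab_1_2_inspect())):
        print(f"{name}: R1 ping R2 reply -> {ping_r1_to_r2(asa)}")
```

Run as a script it prints the verdict for the echo reply in each of the three states: blocked after Lab 1.1, allowed once the echo-reply ACL is applied, and allowed with ICMP inspection even without any ACL.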


Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any echo-reply
ASA-FW(config)# access-list DMZ_IN permit icmp any any echo-reply
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# access-group DMZ_IN in interface DMZ

Verification
R1#ping 2.2.2.2 so lo0
Test from IN (inside) to OUT (outside) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 4.4.4.4
Test from IN (inside) to DMZ (dmz) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open
Test from IN (inside) to OUT (outside) - TCP
User Access Verification
Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:13:07
*578 vty 0                idle                 00:00:00 1.1.1.1

  Interface    User               Mode         Idle     Peer Address

R2>exi
[Connection to 2.2.2.2 closed by foreign host]


R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open
Test from IN (inside) to DMZ (dmz) - TCP
User Access Verification
Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:11:58
*514 vty 0                idle                 00:00:00 1.1.1.1

  Interface    User               Mode         Idle     Peer Address


R4>exit
[Connection to 4.4.4.4 closed by foreign host]
R2#ping 1.1.1.1
Test from OUT (outside) to IN (inside) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#ping 1.1.1.1
Test from DMZ (dmz) to IN (inside) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Note that the ping is not working for traffic initiated from the interface
with the lower security level; this is because the ACL allows only ICMP
echo-reply. Also note that Telnet traffic is allowed automatically: the ASA has
TCP inspection enabled by default, so all TCP traffic coming from the interface
with the higher security level to the interface with the lower security level
is statefully inspected (the returning traffic is allowed back).

Task 2
Allow SSH and TELNET connections from R2’s and R4’s loopback0 interface to the
R1’s loopback0 interface. You are allowed to add only one line to the existing
access lists.

As this task requires using only one ACL line there is a need for object
grouping. This method allows us to group similar objects (hosts, subnets,
ports, etc.) and then use the group names in the ACL. There are different
object group types:
- icmp-type - specifies a group of ICMP types, such as echo
- network - specifies a group of host or subnet IP addresses
- protocol - specifies a group of protocols, such as TCP, ICMP, ESP, etc.
- service - specifies a group of TCP/UDP ports/services

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# object-group network MGMT-HOSTS
ASA-FW(config-network)# network-object host 2.2.2.2
ASA-FW(config-network)# network-object host 4.4.4.4
ASA-FW(config-network)# exit
An object group of network type is for grouping hosts and subnets.
ASA-FW(config)# object-group service TELNET-and-SSH tcp
ASA-FW(config-service)# port-object eq telnet
ASA-FW(config-service)# port-object eq ssh
ASA-FW(config-service)# exit
An object group of service type is for grouping TCP/UDP ports. We need to
specify which protocol we are going to match (tcp or udp). We can also use
tcp-udp to match both in one rule. It is also possible not to specify the
service type at all and then use “service-object” to specify any other
protocol (for example GRE).
ASA-FW(config)# access-list OUTSIDE_IN permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH
ASA-FW(config)# access-list DMZ_IN permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH
The object groups are then used in ACL building.

Verification
ASA-FW(config)# sh run object-group
object-group network MGMT-HOSTS
 network-object host 2.2.2.2
 network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
 port-object eq telnet
 port-object eq ssh
ASA-FW(config)# sh access-list OUTSIDE_IN
access-list OUTSIDE_IN; 5 elements; name hash: 0xe01d8199
access-list OUTSIDE_IN line 1 extended permit icmp any any echo-reply (hitcnt=1) 0xc857b49e
access-list OUTSIDE_IN line 2 extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH 0xb422f490
access-list OUTSIDE_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0) 0x939bf78d
access-list OUTSIDE_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq ssh (hitcnt=0) 0x8d022728
access-list OUTSIDE_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq telnet (hitcnt=0) 0xbf14a304
access-list OUTSIDE_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq ssh (hitcnt=0) 0x04c16117
ASA-FW(config)# sh access-list DMZ_IN
access-list DMZ_IN; 5 elements; name hash: 0x229557de
access-list DMZ_IN line 1 extended permit icmp any any echo-reply (hitcnt=1) 0x7fb4c5b2
access-list DMZ_IN line 2 extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH 0x909d621e
access-list DMZ_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0) 0x231b90e2
access-list DMZ_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq ssh (hitcnt=0) 0x4284ac66
access-list DMZ_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq telnet (hitcnt=0) 0xfd96744e
access-list DMZ_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq ssh (hitcnt=0) 0x44528edd
Note that an access-list entry (ACE) that references object groups is expanded
and displayed as multiple ACEs with the same line number.
R2#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding
R2#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification
Password:
R1>exit
[Connection to 1.1.1.1 closed by foreign host]
R4#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding
R4#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification
Password:
R1>exit
[Connection to 1.1.1.1 closed by foreign host]

Task 3
Configure the following outbound access policy for hosts located in the inside
network:

Host/Subnet      Source port   Destination host   Destination port
1.1.1.1          any           4.4.4.4            tcp/22, tcp/23, tcp/80
1.1.1.1          4000 – 5000   10.1.102.2         tcp/21
10.1.101.0/24    any           any                tcp/80, tcp/443, tcp/110, icmp/echo

Use object groups where possible to simplify the configuration.

This time we must use object groups as per the task requirement. However, it
must be considered carefully so that as few objects as possible are used. Note
that this is not about how many object groups we can use; it is how many ACEs
we can use! This task can be done using only three ACL lines.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# object-group network R1-lo0
ASA-FW(config-network)# network-object host 1.1.1.1
ASA-FW(config-network)# object-group network R2-f0
ASA-FW(config-network)# network-object host 10.1.102.2
ASA-FW(config-network)# object-group network Inside-Subnet
ASA-FW(config-network)# network-object 10.1.101.0 255.255.255.0
ASA-FW(config-network)# object-group network R4
ASA-FW(config-network)# network-object host 4.4.4.4
ASA-FW(config-network)# network-object host 10.1.104.4
ASA-FW(config-network)# object-group service R4-Services tcp
ASA-FW(config-service)# port-object eq telnet
ASA-FW(config-service)# port-object eq ssh
ASA-FW(config-service)# port-object eq http
ASA-FW(config-service)# object-group service FTP-PORT-RANGE
ASA-FW(config-service)# service-object tcp source range 4000 5000 ftp
ASA-FW(config-service)# object-group service ALLOWED
ASA-FW(config-service)# service-object tcp http
ASA-FW(config-service)# service-object tcp https
ASA-FW(config-service)# service-object tcp pop3
ASA-FW(config-service)# service-object icmp echo
ASA-FW(config-service)# exit
ASA-FW(config)# access-list INSIDE_IN permit tcp object-group R1-lo0 object-group R4 object-group R4-Services
ASA-FW(config)# access-list INSIDE_IN permit object-group FTP-PORT-RANGE object-group R1-lo0 object-group R2-f0
ASA-FW(config)# access-list INSIDE_IN permit object-group ALLOWED object-group Inside-Subnet any
ASA-FW(config)# access-group INSIDE_IN in interface IN

Verification
ASA-FW(config)# sh run object-group
object-group network MGMT-HOSTS
 network-object host 2.2.2.2
 network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
 port-object eq telnet
 port-object eq ssh
object-group network R1-lo0
 network-object host 1.1.1.1
object-group network R2-f0
 network-object host 10.1.102.2
object-group network Inside-Subnet
 network-object 10.1.101.0 255.255.255.0
object-group network R4
 network-object host 4.4.4.4
 network-object host 10.1.104.4
object-group service R4-Services tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq www
object-group service FTP-PORT-RANGE
 service-object tcp source range 4000 5000 eq ftp
object-group service ALLOWED
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq pop3
 service-object icmp echo
ASA-FW(config)# sh access-li INSIDE_IN
access-list INSIDE_IN; 11 elements; name hash: 0xf4313c68
access-list INSIDE_IN line 1 extended permit tcp object-group R1-lo0 object-group R4 object-group R4-Services 0x8a493604
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 4.4.4.4 eq telnet (hitcnt=0) 0x929ae368
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 4.4.4.4 eq ssh (hitcnt=0) 0x2f408621
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 4.4.4.4 eq www (hitcnt=0) 0x4e8fc6d9
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 10.1.104.4 eq telnet (hitcnt=0) 0xee9f0a8f
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 10.1.104.4 eq ssh (hitcnt=0) 0xf20b6c11
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 10.1.104.4 eq www (hitcnt=0) 0xa6a8ec29
access-list INSIDE_IN line 2 extended permit object-group FTP-PORT-RANGE object-group R1-lo0 object-group R2-f0 0x5add7170
access-list INSIDE_IN line 2 extended permit tcp host 1.1.1.1 range 4000 5000 host 10.1.102.2 eq ftp (hitcnt=0) 0x12709c5b
access-list INSIDE_IN line 3 extended permit object-group ALLOWED object-group Inside-Subnet any 0x3aba7b0d
access-list INSIDE_IN line 3 extended permit tcp 10.1.101.0 255.255.255.0 any eq www (hitcnt=0) 0x2865d7c5
access-list INSIDE_IN line 3 extended permit tcp 10.1.101.0 255.255.255.0 any eq https (hitcnt=0) 0x8defc473
access-list INSIDE_IN line 3 extended permit tcp 10.1.101.0 255.255.255.0 any eq pop3 (hitcnt=0) 0xb42c48d1
access-list INSIDE_IN line 3 extended permit icmp 10.1.101.0 255.255.255.0 any echo (hitcnt=0) 0x0a464bf7
R1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
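The “N elements” figure in show access-list is what the Task 2 note about expanded ACEs and the Task 3 remark about counting ACEs rather than object groups are both about. The following Python is an added example, not workbook or Cisco code, that expands an ASA access-list line over the object groups defined in Tasks 2 and 3 the way the ASA displays it (one source at a time, then each destination, then each service) and totals the elements. The group contents are taken from the lab configuration; the function names and the two-tuple layout of the group tables are the example's own choices, and it understands only the address and service forms that appear on this page.

```python
from itertools import product

# Object groups as configured in Lab 1.2 (constructed from the workbook config).
NETWORK_GROUPS = {
    "MGMT-HOSTS": ["host 2.2.2.2", "host 4.4.4.4"],
    "R1-lo0": ["host 1.1.1.1"],
    "R2-f0": ["host 10.1.102.2"],
    "Inside-Subnet": ["10.1.101.0 255.255.255.0"],
    "R4": ["host 4.4.4.4", "host 10.1.104.4"],
}
# (protocol, members): a tcp group lists "eq <port>" members; a protocol-less
# group lists full service objects as (protocol, source-port spec, dest spec).
SERVICE_GROUPS = {
    "TELNET-and-SSH": ("tcp", ["eq telnet", "eq ssh"]),
    "R4-Services": ("tcp", ["eq telnet", "eq ssh", "eq www"]),
    "FTP-PORT-RANGE": (None, [("tcp", "range 4000 5000", "eq ftp")]),
    "ALLOWED": (None, [("tcp", "", "eq www"), ("tcp", "", "eq https"),
                       ("tcp", "", "eq pop3"), ("icmp", "", "echo")]),
}


def _address(tokens, i):
    """Parse one address spec starting at tokens[i]; return (members, next index)."""
    if tokens[i] == "any":
        return ["any"], i + 1
    if tokens[i] == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if tokens[i] == "object-group":
        return list(NETWORK_GROUPS[tokens[i + 1]]), i + 2
    return [f"{tokens[i]} {tokens[i + 1]}"], i + 2        # "network mask"


def expand_ace(line):
    """Expand one access-list line into the concrete ACEs the ASA installs."""
    t = line.split()
    action = t[0]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit/deny")
    if t[1] == "object-group":                 # protocol-less service group first
        proto, services = SERVICE_GROUPS[t[2]]
        if proto is not None:
            raise ValueError(f"{t[2]} carries a protocol; put it after the addresses")
        srcs, i = _address(t, 3)
        dsts, i = _address(t, i)
    else:
        proto = t[1]
        srcs, i = _address(t, 2)
        dsts, i = _address(t, i)
        if i >= len(t):                        # no port or ICMP type given
            services = [(proto, "", "")]
        elif t[i] == "object-group":           # tcp/udp port group
            grp_proto, ports = SERVICE_GROUPS[t[i + 1]]
            services = [(grp_proto, "", p) for p in ports]
        else:                                  # literal "eq <port>" or ICMP type
            services = [(proto, "", " ".join(t[i:]))]
    aces = []
    for s, d, (p, sport, dport) in product(srcs, dsts, services):
        aces.append(" ".join(x for x in (action, p, s, sport, d, dport) if x))
    return aces


def count_elements(lines):
    """Total expanded ACEs: the 'N elements' figure of show access-list."""
    return sum(len(expand_ace(line)) for line in lines)


INSIDE_IN = [
    "permit tcp object-group R1-lo0 object-group R4 object-group R4-Services",
    "permit object-group FTP-PORT-RANGE object-group R1-lo0 object-group R2-f0",
    "permit object-group ALLOWED object-group Inside-Subnet any",
]

if __name__ == "__main__":
    for line in INSIDE_IN:
        for ace in expand_ace(line):
            print(ace)
    print(count_elements(INSIDE_IN), "elements")
```

Run as a script it lists the eleven ACEs the ASA shows for INSIDE_IN above; the same three lines written with one extra host in R4 would add three more, which is the point of counting ACEs rather than lines.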

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host
R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification
Password:
R4>exit
[Connection to 4.4.4.4 closed by foreign host]


Lab 1.3. Dynamic routing protocols

This lab is based on the previous lab configuration.

Task 1
Remove static routing for inside networks and configure RIP version 2 between R1
and ASA only. Ensure RIP updates are being authenticated using MD5 with
password of “cisco123”.

RIPv2 configuration on the ASA is pretty simple and very similar to the
configuration on routers. Remember that you need to use passive-interface so
that the ASA does not advertise on all of its interfaces (as all interfaces are
in the 10.0.0.0/8 network). RIPv2 authentication is configured on the interface
(along with an MD5 key) – there is no key chain configuration on the ASA.


Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# sh run route
route OUT 0.0.0.0 0.0.0.0 10.1.102.2 1
route IN 1.1.1.0 255.255.255.0 10.1.101.1 1
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

ASA-FW(config)# no route IN 1.1.1.0 255.255.255.0 10.1.101.1 1
ASA-FW(config)# router rip
ASA-FW(config-router)# version 2
ASA-FW(config-router)# no auto
ASA-FW(config-router)# network 10.0.0.0
ASA-FW(config-router)# passive-interface default
ASA-FW(config-router)# no passive-interface IN
ASA-FW(config-router)# int e0/1
ASA-FW(config-if)# rip authentication mode MD5
ASA-FW(config-if)# rip authentication key cisco123 key_id 1
ASA-FW(config-if)# exit
Note that RIP authentication configuration is different on
ASA and IOS router. On the ASA the MD5 key is configured
directly on the interface whereas on IOS router there must
be a key-chain configured and attached on the interface.

Step 2

R1 configuration.
R1#sh run | in route
ip route 0.0.0.0 0.0.0.0 10.1.101.10
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#no ip route 0.0.0.0 0.0.0.0 10.1.101.10
R1(config)#key chain AUTH
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco123
R1(config-keychain-key)#int f0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain AUTH
R1(config-if)#router rip
R1(config-router)#ver 2
R1(config-router)#no auto-summary


R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#end

Verification
ASA-FW(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.1.102.2 to network 0.0.0.0
R    1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:13, IN
This prefix has been injected by RIPv2 to the routing table. R1 has sent
information about its networks to ASA via authenticated RIPv2 update.
S    4.4.4.0 255.255.255.0 [1/0] via 10.1.104.4, DMZ
C    10.1.104.0 255.255.255.0 is directly connected, DMZ
C    10.1.102.0 255.255.255.0 is directly connected, OUT
C    10.1.101.0 255.255.255.0 is directly connected, IN
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.102.2, OUT

ASA-FW(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set


     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 3 subnets
R       10.1.104.0 [120/1] via 10.1.101.10, 00:00:06, FastEthernet0/0
R       10.1.102.0 [120/1] via 10.1.101.10, 00:00:06, FastEthernet0/0
C       10.1.101.0 is directly connected, FastEthernet0/0
The ASA has sent information about its connected networks to R1 via
authenticated RIPv2 updates. Note that routes to R2 and R4 loopbacks are not
present in R1’s routing table because dynamic routing is configured only on
inside interface.

R1#sh ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 9 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
  Interface             Send  Recv  Triggered RIP  Key-chain
  FastEthernet0/0       2     2                    AUTH
This indicates that authentication on Fa0/0 is enabled
  Loopback0             2     2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
  1.0.0.0
  10.0.0.0
Routing Information Sources:
  Gateway         Distance      Last Update
  10.1.101.10          120      00:00:15
Distance: (default is 120)
Note that even though there is passive interface configured on the ASA, RIPv2
is sending updates to R1 for all ASA’s directly connected networks.


Task 2
Configure OSPF Area 0 on the outside interface and authenticate it using interface
authentication with password of “cisco456” and key ID 1. Use 10.10.10.10 as OSPF
router ID.
Remove static routing between ASA and R2 and ensure that R2 sends a default
gateway for ASA outside connections using OSPF. Use 2.2.2.2 as a router-id on R2.

The OSPF configuration on the ASA is similar to the configuration on the routers.
Remember that on the ASA you need to use a network mask when specifying the
network/interface OSPF runs on, whereas on the router you need to configure a
wildcard mask to specify the network.
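Both the RIPv2 task above and this OSPF task rely on keyed-MD5 neighbor authentication: the sender appends the zero-padded shared key to the update, takes MD5 over the result and ships only the digest, so a receiver holding the same key can validate the update and discard anything else. The following Python is an added example, not the workbook's code: it builds and verifies a RIPv2 Response with the RFC 2082 authentication entry and trailer; the routes, sequence numbers and neighbor address are constructed, and the replay rule is a simplified reading of RFC 2082 section 3.2.2.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082): build an authenticated Response
and check it the way a receiving RIP process such as the ASA's must.
Added example, not the workbook's code. Routes, sequence numbers and the
neighbor address are constructed; the key mirrors the lab (key id 1, cisco123)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

RIP_RESPONSE, RIP_VERSION = 2, 2
AFI_AUTH, AUTH_KEYED_MD5, AUTH_TRAILER = 0xFFFF, 0x0003, 0x0001
HDR_LEN, ENTRY_LEN, DIGEST_LEN = 4, 20, 16
TRAILER_HDR = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)

Route = Tuple[str, str, int]          # (prefix, mask, hop count)


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _keyed_md5(data: bytes, key: bytes) -> bytes:
    """RFC 2082 s3.2.1: the key, zero-padded to 16 bytes, is appended to the
    packet (trailer header included) and MD5 is taken over the whole thing.
    This is plain keyed MD5, not HMAC; the key itself never goes on the wire."""
    if len(key) > 16:
        raise ValueError("RIPv2 MD5 keys are at most 16 bytes")
    return hashlib.md5(data + key.ljust(16, b"\x00")).digest()


def build_plain_update(routes: List[Route]) -> bytes:
    """Unauthenticated RIPv2 Response: 4-byte header plus 20-byte route entries."""
    rtes = b"".join(struct.pack("!HH4s4s4sI", 2, 0, _ip(p), _ip(m), b"\x00" * 4, hops)
                    for p, m, hops in routes)
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0) + rtes


def build_update(routes: List[Route], key: bytes, key_id: int, seq: int) -> bytes:
    """Authenticated Response: auth entry first, route entries, then the MD5 trailer."""
    rtes = build_plain_update(routes)[HDR_LEN:]
    pkt_len = HDR_LEN + ENTRY_LEN + len(rtes)            # offset of the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_KEYED_MD5, pkt_len,
                       key_id, DIGEST_LEN, seq)
    body = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0) + auth + rtes
    return body + TRAILER_HDR + _keyed_md5(body + TRAILER_HDR, key)


def verify_update(pkt: bytes, keys: Dict[int, bytes],
                  last_seq: Dict[str, int], peer: str) -> Tuple[bool, str]:
    """Receiver side: authentication present, key id known, digest correct,
    sequence number not replayed. last_seq is per-neighbor state kept by the caller."""
    if len(pkt) < HDR_LEN + ENTRY_LEN:
        return False, "too short"
    afi, atype, pkt_len, key_id, _alen, seq = struct.unpack("!HHHBBI", pkt[HDR_LEN:HDR_LEN + 12])
    if afi != AFI_AUTH or atype != AUTH_KEYED_MD5:
        return False, "unauthenticated update"          # dropped once MD5 is required
    if key_id not in keys:
        return False, "unknown key id %d" % key_id
    digest_at = pkt_len + len(TRAILER_HDR)
    if digest_at + DIGEST_LEN != len(pkt) or pkt[pkt_len:digest_at] != TRAILER_HDR:
        return False, "malformed trailer"
    expected = _keyed_md5(pkt[:digest_at], keys[key_id])
    if not hmac.compare_digest(expected, pkt[digest_at:]):
        return False, "digest mismatch"
    # Simplified RFC 2082 s3.2.2 replay rule: a neighbor's sequence number must
    # increase; 0 is accepted so a restarted neighbor is not locked out.
    if seq != 0 and seq <= last_seq.get(peer, -1):
        return False, "replayed sequence number"
    last_seq[peer] = seq
    return True, "ok"


def parse_routes(pkt: bytes) -> List[Route]:
    """Route entries of a verified update; auth entry and trailer (AFI 0xFFFF) are skipped."""
    routes = []
    for off in range(HDR_LEN, len(pkt) - ENTRY_LEN + 1, ENTRY_LEN):
        afi, _tag, prefix, mask, _nh, hops = struct.unpack("!HH4s4s4sI", pkt[off:off + ENTRY_LEN])
        if afi == 2:
            routes.append((".".join(map(str, prefix)), ".".join(map(str, mask)), hops))
    return routes


if __name__ == "__main__":
    asa_keys = {1: b"cisco123"}                # rip authentication key cisco123 key_id 1
    seen: Dict[str, int] = {}
    update = build_update([("1.1.1.0", "255.255.255.0", 1)], b"cisco123", 1, seq=7)
    print(verify_update(update, asa_keys, seen, "10.1.101.1"), parse_routes(update))
    print(verify_update(update, asa_keys, seen, "10.1.101.1"))          # replayed
    print(verify_update(build_plain_update([("1.1.1.0", "255.255.255.0", 1)]),
                        asa_keys, {}, "10.1.101.1"))                    # no auth entry
```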

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# sh run route
route OUT 0.0.0.0 0.0.0.0 10.1.102.2 1
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

ASA-FW(config)# no route OUT 0.0.0.0 0.0.0.0 10.1.102.2 1

ASA-FW(config)# router ospf 1
ASA-FW(config-router)# router-id 10.10.10.10
ASA-FW(config-router)# network 10.1.102.10 255.255.255.0 area 0
ASA-FW(config-router)# int e0/0
ASA-FW(config-if)# ospf authentication message-digest
ASA-FW(config-if)# ospf message-digest-key 1 MD5 cisco456
ASA-FW(config-if)# exit

Step 2

R2 configuration.
R2#sh run | in route
ip route 0.0.0.0 0.0.0.0 10.1.102.10
R2#conf t


Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#no ip route 0.0.0.0 0.0.0.0 10.1.102.10
R2(config)#int g0/0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco456
R2(config-if)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 0.0.0.0 0.0.0.0 ar 0
R2(config-router)#default-information originate always
R2(config-router)#end
R2#
%OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.10 on GigabitEthernet0/0
from LOADING to FULL, Loading Done
Note that the IOS router does not use a key chain when
configuring OSPF authentication. The OSPF authentication
configuration on the ASA and the IOS router is exactly the
same.
R2 must send a default route to the ASA, which is why the
“default-information originate” command is used.

Verification
ASA-FW(config)# sh ospf 1
Routing Process "ospf 1" with ID 10.10.10.10 and Domain ID 0.0.0.1
This indicates that OSPF process 1 is running and router ID is 10.10.10.10
Supports only single TOS(TOS0) routes
Does not support opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 1. Checksum Sum 0x feab
Number of opaque AS LSA 0. Checksum Sum 0x 0

Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
This indicates that authentication is not enabled for the OSPF.


SPF algorithm executed 3 times
Area ranges are
Number of LSA 3. Checksum Sum 0x 1520d
Number of opaque link LSA 0. Checksum Sum 0x 0

Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
ASA-FW(config)# sh ospf 1 int OUT
OUT is up, line protocol is up
Internet Address 10.1.102.10 mask 255.255.255.0, Area 0
Process ID 1, Router ID 10.10.10.10, Network Type BROADCAST, Cost: 10
This shows that interface OUT is used by OSPF process 1. The OSPF network type for
this interface is BROADCAST (the default OSPF network type for Ethernet: DR/BDR
election is performed and updates are sent via multicast packets).
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.10.10.10, Interface address 10.1.102.10
Backup Designated router (ID) 2.2.2.2, Interface address 10.1.102.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:08
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)

Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
The authentication is enabled for that interface.
ASA-FW(config)# sh ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        0:00:38     10.1.102.2      OUT

ASA-FW(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route


Gateway of last resort is 10.1.102.2 to network 0.0.0.0
R    1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:14, IN
O    2.2.2.2 255.255.255.255 [110/11] via 10.1.102.2, 0:01:13, OUT
S    4.4.4.0 255.255.255.0 [1/0] via 10.1.104.4, DMZ
C    10.1.104.0 255.255.255.0 is directly connected, DMZ
C    10.1.102.0 255.255.255.0 is directly connected, OUT
C    10.1.101.0 255.255.255.0 is directly connected, IN
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.102.2, 0:01:13, OUT
R2’s loopback IP address is in ASA’s routing table. Note that this IP address
is a “host” route (255.255.255.255). This is because the default OSPF network
type for loopback interfaces is LOOPBACK, so OSPF advertises a “host” route.
To change that you should use the “ip ospf network point-to-point” command on
R2’s loopback interface.
Also note there is a default route injected by the OSPF process into the
routing table.
R2#sh ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 2.2.2.2
It is an autonomous system boundary router
Redistributing External Routes from,
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
  Gateway         Distance      Last Update
Distance: (default is 110)
R2#sh ip ospf interface
Loopback0 is up, line protocol is up
Internet Address 2.2.2.2/24, Area 0
Process ID 1, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
GigabitEthernet0/0 is up, line protocol is up
Internet Address 10.1.102.2/24, Area 0
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.10.10.10, Interface address 10.1.102.10
Backup Designated router (ID) 2.2.2.2, Interface address 10.1.102.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled


IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.10.10 (Designated Router)

Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.10       1   FULL/DR         00:00:35    10.1.102.10     GigabitEthernet0/0

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.102.0 is directly connected, GigabitEthernet0/0


Task 3
Configure EIGRP AS 104 between ASA and R4. EIGRP messages should be
authenticated using MD5 with key of “cisco789”. Remove previously configured static
routes for that segment.

EIGRP has some similarities to the previous two dynamic routing protocols. It
uses a key chain on the router (as RIPv2 does) and requires a normal mask to be
provided for a network on the ASA (as OSPF does).

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# sh run route
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1
ASA-FW(config)# no route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1
ASA-FW(config)# router eigrp 104
ASA-FW(config-router)# no auto-summary
ASA-FW(config-router)# network 10.1.104.10 255.255.255.255
ASA-FW(config-router)# int e0/2.104
ASA-FW(config-subif)# authentication mode eigrp 104 md5
ASA-FW(config-subif)# authentication key eigrp 104 cisco789 key-id 1
ASA-FW(config-subif)# exit
Note that you must use a regular netmask on the ASA and
a wildcard netmask on the IOS router when configuring
networks under EIGRP. Authentication is enabled on a
per-interface basis.

Step 2

R4 configuration.
R4#sh run | in route
ip source-route
ip route 0.0.0.0 0.0.0.0 10.1.104.10
R4#conf t


Enter configuration commands, one per line.  End with CNTL/Z.

R4(config)#no ip route 0.0.0.0 0.0.0.0 10.1.104.10
R4(config)#key chain AUTH
R4(config-keychain)#key 1
R4(config-keychain-key)#key-string cisco789
R4(config-keychain-key)#router eigrp 104
R4(config-router)#no auto
R4(config-router)#network 0.0.0.0 0.0.0.0
R4(config-router)#int f0/0
R4(config-if)#ip authentication mode eigrp 104 md5
R4(config-if)#ip authentication key-chain eigrp 104 AUTH
R4(config-if)#end
R4#
%SYS-5-CONFIG_I: Configured from console by console
R4#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 104: Neighbor 10.1.104.10
(FastEthernet0/0) is up: new adjacency

Verification
R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 104
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   10.1.104.10     Fa0/0         10 00:00:55    3   200  0  5

R4#sh ip protocols
Routing Protocol is "eigrp 104"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 104
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
  0.0.0.0
Routing Information Sources:
  Gateway         Distance      Last Update
Distance: internal 90 external 170
EIGRP is enabled on every interface.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.104.0 is directly connected, FastEthernet0/0

ASA-FW(config)# sh eigrp 104 int
EIGRP-IPv4 interfaces for process 104

                        Xmit Queue   Mean   Pacing Time   Multicast   Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer  Routes
DMZ                1       0/0         1       0/1           50          0
On the ASA, EIGRP is enabled only on the DMZ interface.
ASA-FW(config)# sh eigrp 104 neighbors
EIGRP-IPv4 neighbors for process 104
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   10.1.104.4      Et0/2.104     13 00:01:52    1   200  0  3

ASA-FW(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.1.102.2 to network 0.0.0.0
R    1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:14, IN
O    2.2.2.2 255.255.255.255 [110/11] via 10.1.102.2, 0:11:03, OUT
D    4.4.4.0 255.255.255.0 [90/156160] via 10.1.104.4, 0:01:58, DMZ
C    10.1.104.0 255.255.255.0 is directly connected, DMZ
C    10.1.102.0 255.255.255.0 is directly connected, OUT
C    10.1.101.0 255.255.255.0 is directly connected, IN
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.102.2, 0:11:03, OUT

EIGRP prefix for R4’s loopback is in ASA’s routing table.

Task 4
On ASA configure route redistribution between all three dynamic routing protocols, so
that the network will gain full reachability.

Redistribution should be carefully configured, as each dynamic routing
protocol requires specific parameters to successfully redistribute routes. Here
are the most important things you should remember:
- RIPv2 requires a metric (hops) to be specified during redistribution;
- OSPF requires the “subnets” keyword in order to take subnetted networks
  into consideration;
- EIGRP requires a metric to be specified during redistribution.
Remember that you can use more complex redistribution scenarios (like route-maps
or other filtering methods) if required.
If no metric is specified in the task you can use any metric you want during
redistribution.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# router rip
ASA-FW(config-router)# redistribute ospf 1 metric 2
ASA-FW(config-router)# redistribute eigrp 104 metric 1
ASA-FW(config-router)# router ospf 1
ASA-FW(config-router)# redistribute rip subnets
ASA-FW(config-router)# redistribute eigrp 104 subnets
ASA-FW(config-router)# router eigrp 104
ASA-FW(config-router)# redistribute rip metric 100000 0 255 1 1500


ASA-FW(config-router)# redistribute ospf 1 metric 100000 0 255 1 1500
ASA-FW(config-router)# exit

Verification
ASA-FW(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.1.102.2 to network 0.0.0.0
R    1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:11, IN
O    2.2.2.2 255.255.255.255 [110/11] via 10.1.102.2, 0:00:11, OUT
D    4.4.4.0 255.255.255.0 [90/156160] via 10.1.104.4, 0:06:58, DMZ
C    10.1.104.0 255.255.255.0 is directly connected, DMZ
C    10.1.102.0 255.255.255.0 is directly connected, OUT
C    10.1.101.0 255.255.255.0 is directly connected, IN
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.102.2, 0:00:11, OUT
The ASA sees all networks so that it can redistribute that information into its
routing protocols to let other routers know about those networks.
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.1.101.10 to network 0.0.0.0
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/2] via 10.1.101.10, 00:00:02, FastEthernet0/0
     4.0.0.0/24 is subnetted, 1 subnets
R       4.4.4.0 [120/1] via 10.1.101.10, 00:00:02, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
R       10.1.104.0 [120/1] via 10.1.101.10, 00:00:02, FastEthernet0/0
R       10.1.102.0 [120/1] via 10.1.101.10, 00:00:02, FastEthernet0/0
C       10.1.101.0 is directly connected, FastEthernet0/0
R*   0.0.0.0/0 [120/2] via 10.1.101.10, 00:00:03, FastEthernet0/0
R1 got all information via RIPv2. Note that prefixes redistributed from
OSPF have a higher metric (hop count) than prefixes from EIGRP. This is due to
the “metric” values used during redistribution.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
O E2    1.1.1.0 [110/20] via 10.1.102.10, 00:00:36, GigabitEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
     4.0.0.0/24 is subnetted, 1 subnets
O E2    4.4.4.0 [110/20] via 10.1.102.10, 00:00:36, GigabitEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O E2    10.1.104.0 [110/20] via 10.1.102.10, 00:00:36, GigabitEthernet0/0
C       10.1.102.0 is directly connected, GigabitEthernet0/0
O E2    10.1.101.0 [110/20] via 10.1.102.10, 00:00:37, GigabitEthernet0/0
R2 sees all networks as OSPF External type. The cost of a type 2 route is
always the external cost, irrespective of the interior cost to reach that
route.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.1.104.10 to network 0.0.0.0
     1.0.0.0/24 is subnetted, 1 subnets
D EX    1.1.1.0 [170/28160] via 10.1.104.10, 00:00:45, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
D EX    2.2.2.2 [170/28160] via 10.1.104.10, 00:00:45, FastEthernet0/0
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.104.0 is directly connected, FastEthernet0/0
D EX    10.1.102.0 [170/28160] via 10.1.104.10, 00:00:45, FastEthernet0/0
D EX    10.1.101.0 [170/28160] via 10.1.104.10, 00:00:46, FastEthernet0/0
D*EX 0.0.0.0/0 [170/28160] via 10.1.104.10, 00:00:46, FastEthernet0/0
R4 learns the prefixes as EIGRP External routes with an AD (Administrative
Distance) of 170. This AD is much worse than the 90 of regular (internal) EIGRP
routes. This is a basic loop prevention mechanism.
R1#p 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#p 10.1.104.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.104.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#p 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#p 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification
Password:
R4>exit
[Connection to 4.4.4.4 closed by foreign host]
R2#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding


R2#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification
Password:
R1>exit
[Connection to 1.1.1.1 closed by foreign host]

Full network connectivity has been achieved.


Lab 1.4. ASA management

This lab is based on the previous lab configuration.

Task 1
Configure domain name of “micronicstraining.com” and enable Adaptive Security
Device Manager (ASDM) access to the ASA from the inside network. To accomplish
this put the management station (TestPC, 10.1.101.254/24) in the Inside network
(VLAN 101). Create user admin with password of “cisco123”.

ASDM is a graphical user interface (GUI) for managing the ASA. Although it is not
mentioned in the CCIE SECURITY v4 Lab Exam Blueprint as a configuration tool,
it is useful to know how to use it. There are some configuration tasks which
cannot be done from the command line interface (CLI) and can be accomplished
using ASDM (i.e. bookmark lists for Clientless VPN, etc.).
The ASDM image file is located on the flash disk and needs to be configured before
first use. Access to ASDM is via HTTP/HTTPS, and some special configuration
needs to be done to enable the HTTP server on the ASA.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# domain-name micronicstraining.com
ASA-FW(config)# http server enable
ASA-FW(config)# http 10.1.101.254 255.255.255.255 IN
ASA-FW(config)# sh flash | in asdm
  108  11348300    May 25 2010 16:51:02  asdm-621.bin

ASA-FW(config)# asdm image flash:/asdm-621.bin
ASA-FW(config)# username admin password cisco123 privilege 15

Step 2

Test PC configuration.

Verification
Step 1: Run a web browser and type https://10.1.101.10 in an address bar. A
security alert should show up which needs to be accepted.
Step 2: You have an option to download and install ASDM software on your local
computer or to run it remotely. Click Run ASDM to run it on your local machine.
Step 3: Accept a security warning to be able to run ASDM’s Java scripts.

Step 4: You can create a shortcut on your desktop and start menu for later use.
Step 5: Once ASDM is downloaded and run you must provide a username and password
for authentication. After successful authentication ASDM should open the
configuration GUI.

Task 2
Configure remote management access via SSH version 2 from host IP 1.1.1.1 located
in the Inside network. Use RSA keys of 1024 bits in length to secure management
connections and a password of “cisco789”. Make sure the user is automatically
logged out after 12 minutes of inactivity.

SSH management access requires RSA keys to be generated. You must configure the
subnets/hosts that will be allowed to connect to the ASA. There is a built-in
username of “pix” configured on the ASA which can be used for SSH access. The
password for this user is the same as the enable password.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# ssh 1.1.1.1 255.255.255.255 IN
ASA-FW(config)# ssh timeout 12
ASA-FW(config)# ssh version 2

ASA-FW(config)# passwd cisco789
ASA-FW(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Verification
ASA-FW(config)# sh ssh
Timeout: 12 minutes
Version allowed: 2
1.1.1.1 255.255.255.255 IN
Note that to test this configuration you must change the source IP address for
SSH connections on R1. By default the source address is the IP address of the
outgoing interface. If your router has no RSA keys already, you must generate
new keys (remember that you need a hostname and domain name to be configured
before generating keys). You’ll need RSA keys of at least 768 bits in size to
be able to use SSHv2.
R1(config)#ip ssh source-interface lo0
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
R1(config)#ip domain-name micronicstraining.com
R1(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R1.micronicstraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R1#ssh -c 3des -l pix 10.1.101.10
Password:
Type help or '?' for a list of available commands.
ASA-FW>

Task 3

Configure a banner message so that it will display for a successful remote
connection via SSH. The banner should include the following message:
*
Welcome to ASA-FW.micronicstraining.com.
Only authorized users are allowed to connect.
*

In this task a Message of the Day (MOTD) banner should be configured. Remember
that you can use some variables to be included in the banner automatically. The
tokens $(hostname) and $(domain) are replaced with the hostname and domain name
of the ASA.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# banner motd *
ASA-FW(config)# banner motd Welcome to $(hostname).$(domain).
ASA-FW(config)# banner motd Only authorized users are allowed to connect.
ASA-FW(config)# banner motd *

Verification
ASA-FW(config)# sh banner
motd:
*
Welcome to $(hostname).$(domain).
Only authorized users are allowed to connect.
*
R1#ssh -c 3des -l pix 10.1.101.10
Password:
*
Welcome to ASA-FW.micronicstraining.com.
Only authorized users are allowed to connect.
*
Type help or '?' for a list of available commands.

ASA-FW>

Task 4
Configure the ASA so that it will automatically send the configuration file to a
TFTP server after issuing the “write net” CLI command. The TFTP server is located
in the Inside network with IP address of 10.1.101.254 and the file should be
stored in the directory named “backups” using the file name of “ASA-FW.cfg”.

This is a simple one-line task. All you need is to configure the TFTP server
remote location, specifying the interface which should be used to connect to the
TFTP server, the IP address of the TFTP server and the file name with a full path
to store the configuration in. Note that you may be unable to test this
configuration on remote racks if there is no TFTP server running on the
specified IP address.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# tftp-server IN 10.1.101.254 /backups/ASA-FW.cfg

Verification
ASA-FW(config)# write net
Building configuration...
Cryptochecksum: d424e00c c58583c2 0c78ad3a 080ed6f9
!!
[OK]

Task 5
Enable SYSLOG logging so that it will send all Informational and higher level
events to the SYSLOG server located at 10.1.101.254 using UDP port 514 as a
transport. The logging queue should be able to hold 100 messages when the SYSLOG
server is busy.

In addition to that, configure a rate limit for all Debug level messages so that no more than 10 messages are generated in a 1 second interval in case console logging is used. Also, the firewall administrator ([email protected]) should be notified by email of every event generated by the AUTH logging subsystem at level 3 (errors) or more severe. Use the email address asafw@micronicstraining.com as the source and the SMTP server located at 10.101.1.254.

SYSLOG logging is the most popular method of sending system logs to an external server. It uses UDP port 514 by default and sends only those logs which are specified by the administrator (the log level must be configured). There are the following logging levels:

- (0) emergencies - system is unusable
- (1) alerts - immediate action needed
- (2) critical - critical conditions
- (3) errors - error conditions
- (4) warnings - warning conditions
- (5) notifications - normal but significant conditions
- (6) informational - informational messages
- (7) debugging - debugging messages

Remember that a configured logging level includes all numerically lower (more severe) levels. Thus, for example, when you configure the critical (2) level it includes alerts (1) and emergencies (0) as well. When configuring SYSLOG logging ensure you use an appropriate logging level so as not to be overwhelmed by lots of unnecessary information. You must be very careful when enabling logging for level 7 (debugging) as this may generate a lot of SYSLOG messages (depending on system usage). This is very dangerous for ASA stability, especially when you enable logging on the console, so it is good practice to rate limit those messages to avoid being surprised when debugging is sent to the console. You can also configure other logging methods, like sending logs to an email address using a specified SMTP server.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# logging host IN 10.101.1.254
WARNING: interface Ethernet1 security level is 80.

ASA-FW(config)# logging queue 100
ASA-FW(config)# logging trap informational
ASA-FW(config)# logging enable

The SYSLOG server is expected to be behind the most trusted interface (usually the one with security level 100). When this server is specified behind a lower security level interface a warning message is displayed, as above. Logs are processed sequentially by the queue mechanism; if there are more logs than the ASA can handle, logs are discarded. Note that if you specify a logging queue of zero, the queue is set to 8192, which is the maximum. Finally, do not forget to enable logging. You can do that using the "logging enable" or "logging on" commands. Be aware that level 6 (informational) includes every connection build-up and teardown message (the 302xxx series), so on a busy firewall the trap level is what determines most of the syslog volume.

ASA-FW(config)# logging rate-limit 10 1 level debug

Debugging is a really good troubleshooting method. However, it may be really destructive for the ASA's performance, especially when we want to see debugging messages on the console. To lower the risk, we should always limit the number of logging messages while debugging.

ASA-FW(config)# logging from-address asa-fw@micronicstraining.com
ASA-FW(config)# logging recipient-address fwadmin@micronicstraining.com level errors
ASA-FW(config)# logging list AUTH-ERR level errors class auth
ASA-FW(config)# logging mail AUTH-ERR
ASA-FW(config)# smtp-server 10.101.1.254

There is also a chance to send logs to a destination other than the SYSLOG server. For example, you can send logs to an email address you specify. Doing that for everything is risky, as there may be a lot of logs to be sent, so email is not a good solution for bulk logging. However, you can create a list of severity levels and classes which should be sent using that method. In our example we are sending only messages of severity level 3 (and more severe) belonging to the class auth, i.e. user authentication events. Do not forget to configure the SMTP server to send the emails to. SNMP traps are usually sent to an NMS (Network Management System), but they can also be sent to the SYSLOG server; in both cases we need to specify what severity level we want to be sent.

Verification

ASA-FW(config)# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 20, 10 messages logged
        Logging to IN 10.101.1.254 errors: 1 dropped: 7
    History logging: disabled
    Device ID: disabled
    Mail logging: list AUTH-ERR, 0 messages logged
    ASDM logging: disabled

ASA-FW(config)# sh logging queue
Logging Queue length limit : 100 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 1 msgs most on queue

After configuring logging features we should always check them using the "show logging" command. The "errors" and "dropped" counters next to the syslog host are the first thing to look at when the collector receives nothing. Note also that "Timestamp logging" is disabled here; the "logging timestamp" command adds the ASA's own time to each message, which matters for the audit use case discussed in the next task.

Task 6
Configure the ASA as an NTP client using MD5 authentication with the key "Cisco_NTP". The NTP server must be configured on R1 at 1.1.1.1 with a stratum of 4.

Network Time Protocol (NTP) is used for time synchronization on network devices. Having the current time on the ASA is very important from a security audit perspective: it is important to have valid timestamps in the logs to be able to track malicious activity. Time is also very important when the ASA terminates VPNs and uses X.509 certificates for authentication (certificates have a validity period and must be checked against a reliable time source before use). NTP authentication is used to authenticate the server, to ensure that the ASA gets its time from a valid source. A router can be an NTP server by using the "ntp master <stratum>" command. The stratum level defines its distance from the reference clock. It is important to note that the stratum is not an indication of the quality or reliability of the NTP server.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA-FW(config)# ntp authenticate
ASA-FW(config)# ntp trusted-key 1
ASA-FW(config)# ntp server 1.1.1.1 key 1 source IN

Remember that you must specify the trusted key to be used. Without it the ASA does not enforce authentication of the server.

Step 2 R1 configuration.

R1(config)#ntp authentication-key 1 md5 Cisco_NTP
R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1
R1(config)#ntp master 4
R1(config)#ntp source lo0

Verification

ASA-FW(config)# sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
 *~1.1.1.1          127.127.7.1     4    33    64   37     0.9   -0.87    890.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

ASA-FW(config)# sh ntp associations detail
1.1.1.1 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time ce822bf1.8e573047 (23:17:05.556 UTC Thu Oct 15 2009)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 37, sync dist 891.85
delay 0.95 msec, offset -0.9517 msec, dispersion 890.02
precision 2**18, version 3
org time ce822c00.417e5616 (23:17:20.255 UTC Thu Oct 15 2009)
rcv time ce822c00.8e86d0be (23:17:20.556 UTC Thu Oct 15 2009)
xmt time ce822c00.8ee1a66d (23:17:20.558 UTC Thu Oct 15 2009)
filtdelay =     0.95    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =   -0.95   -0.97   -1.09   -1.33   -2.00    0.00    0.00    0.00
filterror =    15.63   16.58   17.60   18.55   19.53 16000.0 16000.0 16000.0

The word "authenticated" on the first line of the detailed output is the check that the MAC on the server's replies verified against key 1; without "ntp authenticate" and a trusted key the association would synchronize just as well, but from an unverified source.

ASA-FW(config)# sh ntp status
Clock is synchronized, stratum 5, reference is 1.1.1.1
nominal freq is 99.9984 Hz, actual freq is 99.9985 Hz, precision is 2**6
reference time is ce822c00.8ee1a66d (23:17:20.558 UTC Thu Oct 15 2009)
clock offset is -0.9517 msec, root delay is 0.95 msec
root dispersion is 891.78 msec, peer dispersion is 890.77 msec
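To see what "authenticated" in the output above actually verifies, the following Python example (added here; it is not part of the workbook or of any Cisco code) builds an NTPv3 client packet, appends the symmetric-key MAC the way RFC 1305/5905 define it (4-byte key ID followed by MD5 over the key concatenated with the 48-byte header), and checks it on the receiving side with the same rules the ASA's "ntp authenticate" plus "ntp trusted-key" impose: a MAC must be present, the key ID must be trusted, and the digest must match. It also decodes the hexadecimal NTP timestamp shown by "sh ntp status". The packet fields other than mode and transmit time are assumed values:

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Both sides: ntp authentication-key 1 md5 Cisco_NTP / ntp trusted-key 1
KEYS = {1: b"Cisco_NTP"}
TRUSTED_KEYS = {1}

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_OFFSET = int((UNIX_EPOCH - NTP_EPOCH).total_seconds())  # 2208988800


def ntp_to_iso(ntp_seconds):
    """Decode the integer half of an NTP timestamp (e.g. 0xce822c00 from 'sh ntp status')."""
    return (NTP_EPOCH + timedelta(seconds=ntp_seconds)).isoformat()


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 and 32-bit fraction."""
    secs = int(unix_seconds) + EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_client_packet(transmit_unix):
    """48-byte NTPv3 client request (LI=0, VN=3, Mode=3). Only the transmit
    timestamp is filled in, as a client does; poll/precision are assumed values."""
    header = struct.pack("!BBbb", 0x1B, 0, 6, -20)  # LI/VN/Mode, stratum, poll, precision
    header += struct.pack("!III", 0, 0, 0)           # root delay, root dispersion, reference ID
    header += b"\x00" * 24                           # reference, originate, receive timestamps
    header += ntp_timestamp(transmit_unix)           # transmit timestamp
    return header


def sign(packet48, key_id, keys=KEYS):
    """Append the 20-byte MAC: 4-byte key ID + MD5(key || packet)."""
    digest = hashlib.md5(keys[key_id] + packet48).digest()
    return packet48 + struct.pack("!I", key_id) + digest


def verify(packet, keys=KEYS, trusted=TRUSTED_KEYS):
    """Receiver-side check. Returns (ok, reason)."""
    if len(packet) != 48 + 20:
        return False, "no MAC present"
    body = packet[:48]
    key_id = struct.unpack("!I", packet[48:52])[0]
    digest = packet[52:]
    if key_id not in trusted or key_id not in keys:
        return False, "key id %d not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + body).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id
```

Two things worth noticing: the construction is MD5 over key-prefixed data, not HMAC, so the key must be kept secret and long enough to resist guessing; and a val MAC only proves the reply came from a holder of key 1. It says nothing about whether that server's clock is right, which is why the workbook stresses that the stratum is not a measure of reliability.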

Lab 1.5. Static NAT (8.2)

This lab is based on ASA 8.2 software version. Make sure you downgrade the ASA code to that version before continuing. The required files should be on flash.

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
R1       F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
R2       G0/0        10.102.1.2/24
R4       Lo0         4.4.4.4/24
R4       F0/0        10.104.1.4/24
ASA1     E0/0        10.102.1.10/24
ASA1     E0/1        10.101.1.10/24
ASA1     E0/2.104    10.104.1.10/24

Task 1
Configure the ASA so that when someone from the outside (the network segment behind the ASA's OUT interface) tries to connect to the IP address 10.102.1.1, he/she is pointed to R1's loopback0 interface. Limit the embryonic connections for hosts using that translation to 2. Ensure all packets need to be translated in order to pass through the ASA.

First of all the NAT Control feature must be enabled to control the ASA's behavior in such a way that all packets need to be translated in order to pass between interfaces. To accomplish this task you need to configure R1's loopback0 IP address to be seen as 10.102.1.1 on the ASA's outside subnet. This can be done using Static NAT with the embryonic (half-open) connection limit set to 2; once two half-open connections to 1.1.1.1 exist, the ASA answers further SYNs itself (TCP intercept) and only completes the handshake to R1 after the client's ACK arrives, which shields R1 from SYN floods. However, the translation alone is not enough to pass traffic. The ASA does not allow connections coming from an interface with a lower security level to an interface with a higher security level without an ACL permitting those connections. Thus, you need to configure an ACL in the inbound direction on the ASA's outside interface. The ACL below permits any IP protocol, as the task does not restrict the service; in production you would permit only the ports that are meant to be exposed.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat-control
ASA-FW(config)# static (IN,OUT) 10.102.1.1 1.1.1.1 netmask 255.255.255.255 tcp 0 2
ASA-FW(config)# access-list OUTSIDE_IN permit ip any host 10.102.1.1
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification

ASA-FW(config)# sh xlate
1 in use, 1 most used
Global 10.102.1.1 Local 1.1.1.1

ASA-FW(config)# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.102.1.1 flags s

See the xlate created: the flag field indicates that the xlate is due to a static translation. This xlate stays in the xlate table all the time, regardless of traffic.

R2#tel 10.102.1.1
Trying 10.102.1.1 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:44
* 514 vty 0               idle                 00:00:00 10.102.1.2

  Interface    User               Mode         Idle     Peer Address

The Location field on R1 shows 10.102.1.2, R2's real address: only the destination was rewritten (from 10.102.1.1 to 1.1.1.1); the source address was not translated on the way in.

R1>exit
[Connection to 10.102.1.1 closed by foreign host]

R2#ping 10.102.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

The connection is refused by the ASA because there is no translation configured for the source address used here (R1's F0/0, 10.101.1.1). NAT Control is enabled, so every packet must match a translation rule to be allowed through the ASA.

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:24
* 578 vty 0               idle                 00:00:00 10.102.1.1

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

Note that Static NAT works in both directions: it does not matter whether you originate the traffic from R2 or from R1 (R2 sees R1's loopback0 as 10.102.1.1).

Task 2
Configure the ASA so that when someone from the outside (the network segment behind the ASA's OUT interface) tries to connect to the IP address 10.102.1.4 using TELNET, he/she is pointed to R4's loopback0 interface. The translation must be used only for TELNET traffic.

This task is similar to the previous one, however there is one difference: the translation is bound to a single TCP port. This is called Static PAT (Port Address Translation) and it is useful for "port redirection". Only tcp/23 of 4.4.4.4 becomes reachable through 10.102.1.4; no other port or protocol (including ICMP) is translated, as the verification shows.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# static (DMZ,OUT) tcp 10.102.1.4 telnet 4.4.4.4 telnet netmask 255.255.255.255
ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.102.1.4 eq telnet

Note that the "telnet" keyword can be replaced with the port number (23 in this case).

Verification

ASA-FW(config)# sh xlate
2 in use, 2 most used
Global 10.102.1.1 Local 1.1.1.1
PAT Global 10.102.1.4(23) Local 4.4.4.4(23)

ASA-FW(config)# sh xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.102.1.1 flags s
TCP PAT from DMZ:4.4.4.4/23 to OUT:10.102.1.4/23 flags sr

The flag field indicates that this is a "static portmap" rule, in other words a port redirection.

R2#tel 10.102.1.4
Trying 10.102.1.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:07:45
* 514 vty 0               idle                 00:00:00 10.102.1.2

  Interface    User               Mode         Idle     Peer Address

R4>exit
[Connection to 10.102.1.4 closed by foreign host]

R2#ping 10.102.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#tel 10.102.1.2
Trying 10.102.1.2 ...
% Connection refused by remote host

R4#tel 10.102.1.2 /so lo0
Trying 10.102.1.2 ...

% Connection refused by remote host

Note that when Static PAT is used the translation effectively works in one direction only: the entry matches 4.4.4.4 on TCP port 23, but a connection originated by R4 uses an ephemeral source port, so no translation matches it and NAT Control drops it.

Task 3
Configure the ASA so that when someone from the outside (the network segment behind the ASA's OUT interface) tries to connect to the ASA's OUT interface on port 2323, he/she is redirected to R1's F0/0 interface on port 23.

This task is similar to the previous one, however in this case the ASA must "listen" on its outside interface on port 2323 and "redirect" all traffic coming to that interface/port to the IP address of R1's F0/0 interface and port 23. Note that you still need an ACL entry on the outside interface for those connections, and that the ACL's destination is the interface address itself (10.102.1.10). Because the redirect shares the address used by the ASA's own management services on that interface, pick a redirected port that is not already used by SSH, ASDM or anything else enabled on OUT.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# static (IN,OUT) tcp interface 2323 10.101.1.1 telnet netmask 255.255.255.255
ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.102.1.10 eq 2323

Verification

ASA-FW(config)# sh xlate
3 in use, 3 most used
Global 10.102.1.1 Local 1.1.1.1
PAT Global 10.102.1.4(23) Local 4.4.4.4(23)
PAT Global 10.102.1.10(2323) Local 10.101.1.1(23)

ASA-FW(config)# sh xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.102.1.1 flags s

TCP PAT from DMZ:4.4.4.4/23 to OUT:10.102.1.4/23 flags sr
TCP PAT from IN:10.101.1.1/23 to OUT:10.102.1.10/2323 flags sr

R2#tel 10.102.1.10 2323
Trying 10.102.1.10, 2323 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:08:58
* 514 vty 0               idle                 00:00:00 10.102.1.2

  Interface    User               Mode         Idle     Peer Address

R1>exit
[Connection to 10.102.1.10 closed by foreign host]

Lab 1.6. Dynamic NAT (8.2)

This lab is based on ASA 8.2 software version. Make sure you downgrade the ASA code to that version before continuing. The required files should be on flash.

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
R1       F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
R2       G0/0        10.102.1.2/24
R4       Lo0         4.4.4.4/24
R4       F0/0        10.104.1.4/24
ASA1     E0/0        10.102.1.10/24
ASA1     E0/1        10.101.1.10/24
ASA1     E0/2.104    10.104.1.10/24

Note that the topology is the same, so you can quickly revert to the initial configuration on the ASA by using the following commands:

clear configure static
clear configure access-list

Task 1
Ensure all packets need to be translated in order to pass through the ASA. However, when R4 tries to go outside using its loopback0 interface as the source, the packets should not be translated.

NAT Control ensures that every packet going through the ASA must be translated; if there is no translation rule in place the packet is dropped. In this task we need to bypass this rule by configuring the feature called NAT 0 (or Identity NAT). When we use ID 0 in a NAT statement (for the source IP addresses to be translated), packets matching that rule will NOT be translated. You do not need to configure a GLOBAL statement for ID 0. This kind of NAT is useful in VPN configurations where packets which are going to be sent through the VPN tunnel must not be translated.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat-control
ASA-FW(config)# nat (DMZ) 0 4.4.4.4 255.255.255.255
nat 0 4.4.4.4 will be identity translated for outbound

Verification

R4#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

There is no translation rule for that connection (it was sourced from R4's F0/0 address).

R4#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:

R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:12:00
* 578 vty 0               idle                 00:00:00 4.4.4.4

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

Note that 4.4.4.4 has not been translated.

ASA-FW(config)# sh xlate
1 in use, 3 most used
Global 4.4.4.4 Local 4.4.4.4

ASA-FW(config)# sh xlate detail
1 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI

Note that the above translation is created dynamically when there is a connection from R4's Lo0. Identity NAT creates xlates for all matching IP addresses even though the same IP address is used for the translation (flags i and I: dynamic and identity). The xlate stays in the translation table for 3 hours of idle time by default. This can be changed using the "timeout xlate <idle_time>" command.

Task 2
Configure the ASA so that all IP addresses from the inside subnet (10.101.1.0/24) are translated to the dynamic pool 10.102.1.100 - 10.102.1.200. If the pool is exhausted, configure the ASA to perform dynamic port translation using the IP address 10.102.1.201.

This is the most common NAT configuration in the real world. Dynamic NAT translates all source IP addresses (specified by the "nat (ifname) id IP-addresses" command) to a pool of IP addresses (specified by the "global (ifname) id IP-address-range" command). The ID must match between the NAT and GLOBAL statements. That configuration dynamically translates each IP address to one GLOBAL IP address (one-to-one translation), so you need to ensure that after the GLOBAL IP addresses are exhausted communication does not suffer. This is usually accomplished by configuring one (or more) GLOBAL "backup" IP addresses to translate packets using PAT (roughly 64k ports per address, so many connections can be covered).

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat (IN) 1 10.101.1.0 255.255.255.0
ASA-FW(config)# global (OUT) 1 10.102.1.100-10.102.1.200 netmask 255.255.255.0
ASA-FW(config)# global (OUT) 1 10.102.1.201 netmask 255.255.255.255
INFO: Global 10.102.1.201 will be Port Address Translated

Verification

R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users

    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:18
* 578 vty 0               idle                 00:00:00 10.102.1.170

  Interface    User               Mode         Idle     Peer Address

Note that the source IP address has been translated to one of the addresses from the pool (the ASA picks it; you cannot predict which one a host will get).

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ...
% Connection refused by remote host

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

Note that only connections between the inside and outside subnets are translated. Since NAT Control is enabled, all packets must be translated, thus no connections are allowed between inside and DMZ (there is no GLOBAL statement on the DMZ interface), and R1's loopback0 is not covered by the NAT statement at all.

ASA-FW(config)# sh xlate
2 in use, 3 most used
Global 4.4.4.4 Local 4.4.4.4
Global 10.102.1.170 Local 10.101.1.1

ASA-FW(config)# sh xlate detail
2 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
NAT from IN:10.101.1.1 to OUT:10.102.1.170 flags i

Task 3
Configure the ASA so that when R1 tries to communicate with hosts in the DMZ using its loopback0 interface as the source, it is dynamically translated to the ASA's DMZ interface IP address.

Instead of configuring a GLOBAL pool of IP addresses you can specify the ASA's interface, and all source IP addresses specified by the NAT command will be PATed to that interface's IP address. Remember that you need to use a different NAT ID for every NAT/GLOBAL pair.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat (IN) 2 1.1.1.1 255.255.255.255
ASA-FW(config)# global (DMZ) 2 interface
INFO: DMZ interface address added to PAT pool

Verification

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:13:23
* 514 vty 0               idle                 00:00:00 10.104.1.10

  Interface    User               Mode         Idle     Peer Address

Do not disconnect from R4 before checking the ASA's translations: a PAT xlate exists only while its connection does, so if you close the session the ASA removes the XLATE entry. The translation table that follows was taken while the session was still open.

R4>exit
[Connection to 4.4.4.4 closed by foreign host]

ASA-FW(config)# sh xlate
3 in use, 3 most used
Global 4.4.4.4 Local 4.4.4.4
PAT Global 10.104.1.10(29892) Local 1.1.1.1(56160)
Global 10.102.1.170 Local 10.101.1.1

ASA-FW(config)# sh xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
TCP PAT from IN:1.1.1.1/56160 to DMZ:10.104.1.10/29892 flags ri
NAT from IN:10.101.1.1 to OUT:10.102.1.170 flags i

Task 4
Configure the ASA so that when R1 tries to communicate with hosts on the outside network using its loopback0 interface as the source, it is dynamically translated to the IP address 10.102.1.202. Use the minimal number of commands to accomplish this task.

Note that the NAT statement for the IP address 1.1.1.1 was configured in the previous task, hence there is only a need for a GLOBAL statement on the outside interface. The NAT ID must be the same (2) to match the existing NAT command. In this example R1's loopback0 interface is translated to two different IP addresses depending on the outbound interface on the ASA.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# global (OUT) 2 10.102.1.202 netmask 255.255.255.255
INFO: Global 10.102.1.202 will be Port Address Translated

Verification

R1#tel 2.2.2.2 /so lo0

Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:19:34
* 578 vty 0               idle                 00:00:00 10.102.1.202

  Interface    User               Mode         Idle     Peer Address

R2>

When you are using a terminal server to access your devices in the rack, use Ctrl+Shift+6, then x, to get back to R1 and make another connection, this time to R4's loopback0 using R1's loopback0 interface as the source. Do not disconnect the previous sessions, so that all XLATE entries remain visible on the ASA.

<Ctrl+Shift+6 X>
R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:15:15
* 514 vty 0               idle                 00:00:00 10.104.1.10

  Interface    User               Mode         Idle     Peer Address

R4>
<Ctrl+Shift+6 X>
R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:21:24
  578 vty 0               idle                 00:01:49 10.102.1.202
* 579 vty 1               idle                 00:00:09 10.102.1.170

  Interface    User               Mode         Idle     Peer Address

ASA-FW(config)# sh xlate
4 in use, 4 most used
Global 4.4.4.4 Local 4.4.4.4
PAT Global 10.104.1.10(4460) Local 1.1.1.1(52849)
PAT Global 10.102.1.202(6995) Local 1.1.1.1(29961)
Global 10.102.1.170 Local 10.101.1.1

ASA-FW(config)# sh xlate detail
4 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
TCP PAT from IN:1.1.1.1/52849 to DMZ:10.104.1.10/4460 flags ri
TCP PAT from IN:1.1.1.1/29961 to OUT:10.102.1.202/6995 flags ri
NAT from IN:10.101.1.1 to OUT:10.102.1.170 flags i
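By this point the "sh xlate detail" output has shown every flag combination of the two labs: s (static), sr (static portmap), i (dynamic), ri (dynamic PAT) and iI (identity). When auditing a firewall the question behind this table is which real hosts and ports can be reached from the mapped side, and only the static entries answer "yes". The following Python parser, added here as an example (not part of the workbook or of any Cisco tooling), reads the exact line format printed above, classifies each entry from its flags and lists the inbound exposures, including the policy ACL name that the later policy NAT labs print in brackets. The sample text is assembled from lines shown in these labs:

```python
import re

# Line format of 'sh xlate detail' (ASA 8.2). Flag legend printed by the ASA:
# D DNS, d dump, I identity, i dynamic, n no random, r portmap, s static
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<rif>\w+)(?:\((?P<racl>[^)]+)\))?:(?P<rip>[\d.]+)(?:/(?P<rport>\d+))? to "
    r"(?P<mif>\w+)(?:\((?P<macl>[^)]+)\))?:(?P<mip>[\d.]+)(?:/(?P<mport>\d+))? "
    r"flags (?P<flags>[DdIinrs]+)$")


def parse_xlate(line):
    """Parse one 'sh xlate detail' entry into a dict, or None if it is not one."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    x = m.groupdict()
    f = x["flags"]
    if "s" in f:
        x["kind"] = "static PAT" if "r" in f else "static NAT"
    elif "I" in f:
        x["kind"] = "identity NAT"
    elif "i" in f:
        x["kind"] = "dynamic PAT" if "r" in f else "dynamic NAT"
    else:
        x["kind"] = "unknown"
    # Policy NAT prints the ACL name in brackets on the real or the mapped side.
    x["policy_acl"] = x["racl"] or x["macl"]
    return x


def parse_table(text):
    """Parse a whole 'sh xlate detail' dump; header and legend lines are skipped."""
    return [x for x in (parse_xlate(l) for l in text.splitlines()) if x]


def inbound_exposures(xlates):
    """Only static entries accept connections initiated from the mapped side
    (subject to the interface ACL). Dynamic and identity xlates exist only for
    connections the real host started, so they are not listed."""
    out = []
    for x in xlates:
        if not x["kind"].startswith("static"):
            continue
        if x["mport"]:   # port redirection: one protocol/port only
            out.append("%s:%s/%s/%s -> %s:%s/%s" % (
                x["mif"], x["mip"], x["proto"].lower(), x["mport"],
                x["rif"], x["rip"], x["rport"]))
        else:            # whole host, possibly conditioned on a policy ACL
            cond = " (only %s)" % x["policy_acl"] if x["policy_acl"] else ""
            out.append("%s:%s -> %s:%s all ports%s" % (
                x["mif"], x["mip"], x["rif"], x["rip"], cond))
    return out


# Constructed sample: entries copied from the labs' verification output.
SAMPLE = """\
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.102.1.1 flags s
TCP PAT from DMZ:4.4.4.4/23 to OUT:10.102.1.4/23 flags sr
TCP PAT from IN:10.101.1.1/23 to OUT:10.102.1.10/2323 flags sr
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
TCP PAT from IN:1.1.1.1/52849 to DMZ:10.104.1.10/4460 flags ri
NAT from IN:10.101.1.1 to OUT:10.102.1.170 flags i
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.102.1.10 flags s
"""

if __name__ == "__main__":
    for line in inbound_exposures(parse_table(SAMPLE)):
        print(line)
```

Feeding it the real output of "show xlate detail" (for example captured over SSH) gives a quick list of what a static configuration has made reachable from outside, which is the list to compare against the inbound ACL.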

Lab 1.7. NAT Exemption (8.2)

This lab is based on ASA 8.2 software version. Make sure you downgrade the ASA code to that version before continuing. The required files should be on flash.

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
R1       F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
R2       G0/0        10.102.1.2/24
R4       Lo0         4.4.4.4/24
R4       F0/0        10.104.1.4/24
ASA1     E0/0        10.102.1.10/24
ASA1     E0/1        10.101.1.10/24
ASA1     E0/2.104    10.104.1.10/24

Note that the topology is the same, so you can quickly revert to the initial configuration on the ASA by using the following commands:

clear configure nat
clear configure global
clear xlate

Task 1
Ensure all packets need to be translated in order to pass through the ASA. Configure the ASA so that it dynamically translates all IP addresses coming from the inside subnets (10.101.1.0/24 and 1.1.1.0/24) and destined to the outside networks to the pool 10.102.1.100 - 10.102.1.200. However, communication between host 1.1.1.1 and host 2.2.2.2 should not be translated.

The NAT Control feature ensures that every packet going through the ASA is translated. This task is very similar to Identity NAT (from Lab 1.6), but here we need to bypass NAT for traffic between two specific hosts (not for everything sourced from an inside address). To specify both source and destination we need to use an access list, referenced by the "nat 0" statement. This configuration is called NAT Exemption and is useful in VPN scenarios where some flows (usually those going through the VPN tunnel) must bypass translation. NAT exemption is evaluated before any other NAT rule, so it wins over the dynamic NAT configured for the same source addresses.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat-control
ASA-FW(config)# nat (IN) 1 1.1.1.0 255.255.255.0
ASA-FW(config)# nat (IN) 1 10.101.1.0 255.255.255.0

ASA-FW(config)# global (OUT) 1 10.102.1.100-10.102.1.200 netmask 255.255.255.0
ASA-FW(config)# access-list NO-NAT permit ip host 1.1.1.1 host 2.2.2.2
ASA-FW(config)# nat (IN) 0 access-list NO-NAT

Verification

R1#tel 10.102.1.2
Trying 10.102.1.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:35:38
* 578 vty 0               idle                 00:00:00 10.102.1.106

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 10.102.1.2 closed by foreign host]

R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:35:59
* 578 vty 0               idle                 00:00:00 10.102.1.106

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:36:22
* 578 vty 0               idle                 00:00:00 1.1.1.1

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

Note that the Telnet connection between R1's loopback0 and R2's loopback0 bypasses the translation (the source IP address is unchanged on R2), while the same source address destined to 10.102.1.2 was translated to the pool.

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

Connections to the DMZ are unsuccessful because of NAT Control (no NAT/GLOBAL statement covers that traffic).

ASA-FW(config)# sh xlate
1 in use, 4 most used
Global 10.102.1.106 Local 10.101.1.1

ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:10.101.1.1 to OUT:10.102.1.106 flags i

Note that there is no XLATE for the NAT-exempted flow. NAT exemption does NOT work like Identity NAT: Identity NAT (nat 0 without an access list) creates an identity XLATE (the same Local and Global IP, flags iI) when the real host initiates a connection, and only the real host can initiate. NAT exemption creates no xlate at all and lets either side initiate the connection (still subject to the interface ACLs), which is what a VPN peer needs. Compare the "sh xlate" output here with the one in Lab 1.6 to see the difference.

Lab 1.8. Static Policy NAT (8.2)

This lab is based on ASA 8.2 software version. Make sure you downgrade the ASA code to that version before continuing. The required files should be on flash.

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
R1       F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
R2       G0/0        10.102.1.2/24
R4       Lo0         4.4.4.4/24
R4       F0/0        10.104.1.4/24
ASA1     E0/0        10.102.1.10/24
ASA1     E0/1        10.101.1.10/24
ASA1     E0/2.104    10.104.1.10/24

Note that the topology is the same, so you can quickly revert to the initial configuration on the ASA by using the following commands:

clear configure nat
clear configure global
clear xlate

Task 1
Ensure all packets need to be translated in order to pass through the ASA. Configure the ASA so that it statically translates R1's loopback0 IP address to the ASA's outside interface IP address. The translation must be enforced only for traffic going between R1's loopback0 and R2's loopback0 interface.

NAT Control must be enabled in order to require translation of all packets going through the ASA. From the task we know that there must be a STATIC translation in place and that it should work only for traffic between two hosts. This leads to only one conclusion: there must be an access list involved. Remember that even if you configure the ASA's interface to "serve" as the global translation IP address, an ACL in the inbound direction is still needed to pass traffic initiated from the outside.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat-control
ASA-FW(config)# access-list STATIC-POLICY permit ip host 1.1.1.1 host 2.2.2.2
ASA-FW(config)# static (IN,OUT) interface access-list STATIC-POLICY

WARNING: All traffic destined to the IP address of the OUT interface is being redirected.
WARNING: Users will not be able to access any service enabled on the OUT interface.

Take the warning seriously: a static using the "interface" keyword without a port claims the whole interface address, so SSH, ASDM or VPN termination on the OUT address stop being reachable while this static exists. If the outside address must keep serving the ASA itself, use a port-specific static PAT instead.

ASA-FW(config)# access-list OUTSIDE_IN permit ip any host 10.102.1.10
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification

ASA-FW(config)# sh xlate
1 in use, 4 most used
Global 10.102.1.10 Local 1.1.1.1

ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.102.1.10 flags s

Note the ACL name in brackets: this XLATE entry is a conditional static.

R1#tel 10.102.1.2
Trying 10.102.1.2 ...
% Connection refused by remote host

R1#tel 10.102.1.2 /so lo0
Trying 10.102.1.2 ...
% Connection refused by remote host

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:43:07
* 578 vty 0               idle                 00:00:00 10.102.1.10

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

Only this traffic is translated.

R2#tel 10.102.1.10
Trying 10.102.1.10 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:21
* 514 vty 0                idle                 00:00:00 10.102.1.2

  Interface    User               Mode         Idle     Peer Address

R1>exi
[Connection to 10.102.1.10 closed by foreign host]

R2#tel 10.102.1.10 /so lo0
Trying 10.102.1.10 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:39
* 514 vty 0                idle                 00:00:00 2.2.2.2

  Interface    User               Mode         Idle     Peer Address

R1>exit
[Connection to 10.102.1.10 closed by foreign host]

Note that only traffic between 1.1.1.1 and 2.2.2.2 is translated. However, due to the inbound ACL on the ASA's OUT interface, the traffic can be originated from R2's loopback0 interface and destined to R1's loopback0 (the destination IP address in this case should be the ASA's OUT interface). No other traffic is allowed to go through the ASA because of the NAT Control in place.

Task 2

Configure ASA so that it statically translates all traffic coming from R1's loopback0 interface towards the DMZ subnet to the IP address of 10.104.1.1. The translation rule should be used only for traffic originated from 1.1.1.1 and destined to 4.4.4.4.

This task is very similar to the previous one. Again, there is a need for an ACL to specify what flows must be subjected to translation. The difference is that here we need to use an arbitrary IP address for translation instead of the ASA interface's IP address. Read the task carefully to see that the translation must work ONLY for traffic originated from 1.1.1.1 and destined to 4.4.4.4. To disallow traffic coming (originating) from 4.4.4.4 towards 1.1.1.1 you simply do NOT configure any inbound ACL on the ASA's DMZ interface.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# access-list STATIC-POLICY-DMZ permit ip host 1.1.1.1 host 4.4.4.4
ASA-FW(config)# static (IN,DMZ) 10.104.1.1 access-list STATIC-POLICY-DMZ

Verification

ASA-FW(config)# sh xlate
2 in use, 4 most used
Global 10.104.1.1 Local 1.1.1.1
Global 10.102.1.10 Local 1.1.1.1
ASA-FW(config)# sh xlate detail
2 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to DMZ(STATIC-POLICY-DMZ):10.104.1.1 flags s
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.102.1.10 flags s

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:47:15
* 514 vty 0                idle                 00:00:00 10.104.1.1

  Interface    User               Mode         Idle     Peer Address

R4>exit
[Connection to 4.4.4.4 closed by foreign host]

R4#tel 10.104.1.1
Trying 10.104.1.1 ...
% Connection timed out; remote host not responding

R4#tel 10.104.1.1 /so lo0
Trying 10.104.1.1 ...
% Connection timed out; remote host not responding

Note that traffic from R4 to R1 is denied by the ASA because there is no access list allowing it on the DMZ interface. The ASA displays the following log (when logging is configured):

%ASA-2-106001: Inbound TCP connection denied from 4.4.4.4/46869 to 10.104.1.1/23 flags SYN on interface DMZ

Task 3

Configure a static translation on ASA so that when R2 telnets to the IP address of 10.102.1.1 port tcp/2323 using its loopback0 interface as a source, it will be automatically redirected to the host 1.1.1.1 port tcp/23. This translation rule should work only for traffic initiated from R2's loopback0 interface and destined to 10.102.1.1.

This task requires "port redirection", but only for traffic between two hosts. Again, there must be an ACL involved to specify the hosts and enable translation for that specific flow. Be careful here, because the ACL must contain the "original" (non-translated) IP address and destination port to be effective.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# access-list STATIC-R1 permit tcp host 1.1.1.1 eq telnet host 2.2.2.2
ASA-FW(config)# static (IN,OUT) tcp 10.102.1.1 2323 access-list STATIC-R1
ASA-FW(config)# access-list OUTSIDE_IN permit tcp host 2.2.2.2 host 10.102.1.1 eq 2323

Verification

ASA-FW(config)# sh xlate
3 in use, 4 most used
Global 10.104.1.1 Local 1.1.1.1
Global 10.102.1.10 Local 1.1.1.1
PAT Global 10.102.1.1(2323) Local 1.1.1.1(23)
ASA-FW(config)# sh xlate detail
3 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:1.1.1.1 to DMZ(STATIC-POLICY-DMZ):10.104.1.1 flags s
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.102.1.10 flags s
TCP PAT from IN:1.1.1.1/23 to OUT(STATIC-R1):10.102.1.1/2323 flags sr

R2#tel 10.102.1.1 2323
Trying 10.102.1.1, 2323 ...
% Connection timed out; remote host not responding

R2#tel 10.102.1.1 2323 /so lo0
Trying 10.102.1.1, 2323 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:05:02
* 514 vty 0                idle                 00:00:00 2.2.2.2

  Interface    User               Mode         Idle     Peer Address

R1>exit
[Connection to 10.102.1.1 closed by foreign host]

Note that it works as expected, and only traffic originated from R2's loopback0 interface is translated (redirected). Traffic originated from any other IP address is denied by the inbound ACL on the OUT interface.

Task 4

Configure ASA so that it statically translates all hosts from the inside network (10.101.1.0/24) to addresses on the 10.104.1.0/24 network, making them all accessible from the DMZ.

This type of NAT is useful when we want to make two networks fully accessible to each other. We need to translate the whole network to another network and allow traffic to be originated from the subnet behind the lower security level interface by configuring an inbound ACL.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# access-list STATIC-IN-DMZ permit ip 10.101.1.0 255.255.255.0 10.104.1.0 255.255.255.0
ASA-FW(config)# static (IN,DMZ) 10.104.1.0 access-list STATIC-IN-DMZ
WARNING: mapped-address conflict with existing static
  IN:1.1.1.1 to DMZ:10.104.1.1 netmask 255.255.255.255
ASA-FW(config)# access-list DMZ_IN permit ip any 10.104.1.0 255.255.255.0
ASA-FW(config)# access-group DMZ_IN in interface DMZ

Note there is a warning message saying that there is a conflict with an already configured translation. However, this translation is for a different source IP address, so it is no big deal in the lab environment. In the real world, however, you must ensure there are no conflicts and use the same subnet masks for both networks (so that there is a sufficient number of IP addresses for translation).

Verification

ASA-FW(config)# sh xlate
4 in use, 4 most used
Global 10.104.1.0 Local 10.101.1.0
Global 10.104.1.1 Local 1.1.1.1
Global 10.102.1.10 Local 1.1.1.1
PAT Global 10.102.1.1(2323) Local 1.1.1.1(23)
ASA-FW(config)# sh xlate detail
4 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:10.101.1.0 to DMZ(STATIC-IN-DMZ):10.104.1.0 flags s
NAT from IN:1.1.1.1 to DMZ(STATIC-POLICY-DMZ):10.104.1.1 flags s
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.102.1.10 flags s
TCP PAT from IN:1.1.1.1/23 to OUT(STATIC-R1):10.102.1.1/2323 flags sr

R4#tel 10.104.1.1
Trying 10.104.1.1 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:10:03
* 514 vty 0                idle                 00:00:00 10.104.1.4

  Interface    User               Mode         Idle     Peer Address

R1>exit
[Connection to 10.104.1.1 closed by foreign host]

R4#tel 10.104.1.1 /so lo0
Trying 10.104.1.1 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:10:50
* 514 vty 0                idle                 00:00:00 4.4.4.4

  Interface    User               Mode         Idle     Peer Address

R1>exit
[Connection to 10.104.1.1 closed by foreign host]

Lab 1.9. Dynamic Policy NAT (8.2)

This lab is based on ASA software version 8.2. Make sure you downgrade the ASA code to that version before continuing. The required files should be on flash.

Lab Setup

• R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
• R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
• R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
• Configure Telnet on all routers using password "cisco"
• Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

  Device   Interface   IP address
  R1       Lo0         1.1.1.1/24
  R1       F0/0        10.101.1.1/24
  R2       Lo0         2.2.2.2/24

  R2       G0/0        10.102.1.2/24
  R4       Lo0         4.4.4.4/24
  R4       F0/0        10.104.1.4/24
  ASA1     E0/0        10.102.1.10/24
  ASA1     E0/1        10.101.1.10/24
  ASA1     E0/2        10.104.1.10/24

Note that the topology is the same, so you can quickly revert to the initial config on the ASA by using the following commands:

clear configure static
clear configure access-list

Task 1

Ensure all packets need to be translated in order to pass through the ASA. Configure ASA so that it dynamically translates the source IP addresses of telnet traffic going between 1.1.1.1 and 2.2.2.2. Use the ASA's outside IP address as the global address.

First, configure the NAT Control feature to ensure all packets must be translated to pass through the ASA. There is a requirement for using dynamic translation, which means we should look at the NAT/GLOBAL configuration. Another important thing is that we need to translate only packets for specific flows (between two hosts). This should lead us to the final solution, which is Dynamic NAT with an ACL (called Policy DNAT).

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat-control
ASA-FW(config)# access-list DYNA-NAT permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
ASA-FW(config)# nat (IN) 1 access-list DYNA-NAT
ASA-FW(config)# global (OUT) 1 interface
INFO: OUT interface address added to PAT pool

Verification

R1#tel 10.102.1.2
Trying 10.102.1.2 ...
% Connection refused by remote host

R1#tel 10.102.1.2 /so lo0
Trying 10.102.1.2 ...
% Connection refused by remote host

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

All connections are denied by the NAT Control function on the ASA.

R1#tel 2.2.2.2 /so lo0

Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:12:57
* 578 vty 0                idle                 00:00:00 10.102.1.10

  Interface    User               Mode         Idle     Peer Address

Note that you can't connect from other IP addresses, as there is no translation rule in place for them (and NAT Control is enabled). After establishing the telnet session between R1 and R2, do not disconnect, so that you can see the XLATE on the ASA.

ASA-FW(config)# sh xlate
1 in use, 4 most used
PAT Global 10.102.1.10(23407) Local 1.1.1.1(53426)
ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from IN:1.1.1.1/53426 to OUT(DYNA-NAT):10.102.1.10/23407 flags ri

Task 2

Configure ASA so that it translates the source IP addresses of traffic going between the inside subnet (10.101.1.0/24) and the outside subnet (10.102.1.0/24). Use the dynamic address pool 10.102.1.100-200 and ensure it is backed up by the IP address 10.102.1.201 in case the pool is exhausted.

This task is very similar to the previous one. The difference is that we need to dynamically translate the whole inside subnet to an IP address pool. In addition to that, we should back up this pool with one IP address. Remember that you can also use the ASA's outside interface as a backup.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# access-list DYNA-NAT2 permit ip 10.101.1.0 255.255.255.0 10.102.1.0 255.255.255.0
ASA-FW(config)# nat (IN) 2 access-list DYNA-NAT2
ASA-FW(config)# global (OUT) 2 10.102.1.100-10.102.1.200 netmask 255.255.255.0
ASA-FW(config)# global (OUT) 2 10.102.1.201 netmask 255.255.255.255
INFO: Global 10.102.1.201 will be Port Address Translated

Verification

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

R1#tel 10.102.1.2 /so lo0
Trying 10.102.1.2 ...
% Connection refused by remote host

R1#tel 10.102.1.2
Trying 10.102.1.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:17:45
* 578 vty 0                idle                 00:00:00 10.102.1.196

  Interface    User               Mode         Idle     Peer Address

Note that there is a random IP address from the pool.

ASA-FW(config)# sh xlate
1 in use, 4 most used
Global 10.102.1.196 Local 10.101.1.1
ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:10.101.1.1 to OUT(DYNA-NAT2):10.102.1.196 flags i

Note that with dynamic translation we can initiate communication from only one direction. In the above example we couldn't initiate a telnet session from R2 to R1 even though we had an inbound ACL configured on the ASA's outside interface.
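As an added example (not from the workbook), the following Python model reproduces the behaviour of the Task 2 configuration above: a nat (IN) 2 access-list rule with a global pool backed by one PAT address and nat-control on, including the "one direction only" property just noted. Pool addresses are handed out in order here, whereas the ASA's choice is random; the class and method names are hypothetical.

```python
# Model of ASA 8.2 dynamic policy NAT (Lab 1.9 Task 2). Constructed example, not ASA code.
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Xlate:
    local: str
    glob: str
    local_port: Optional[int] = None   # PAT entries only
    glob_port: Optional[int] = None
    flags: str = "i"                   # 'i' dynamic NAT, 'ri' dynamic PAT (portmap)

    def show(self) -> str:
        """One entry in the style of 'show xlate'."""
        if self.glob_port is None:
            return f"Global {self.glob} Local {self.local}"
        return f"PAT Global {self.glob}({self.glob_port}) Local {self.local}({self.local_port})"


class DynamicPolicyNat:
    """nat (IN) <id> access-list ACL + global (OUT) <id> pool + global (OUT) <id> pat_ip."""

    def __init__(self, real_net: str, dest_net: str, pool_first: str, pool_last: str,
                 pat_ip: str) -> None:
        self.real_net = ipaddress.ip_network(real_net)   # access-list source (real inside subnet)
        self.dest_net = ipaddress.ip_network(dest_net)   # access-list destination
        first = int(ipaddress.ip_address(pool_first))
        last = int(ipaddress.ip_address(pool_last))
        # Pool handed out in order here; the ASA picks a free pool address at random
        self.free_pool: List[str] = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.pat_ip = pat_ip                              # "will be Port Address Translated"
        self.pat_ports = itertools.count(1024)
        self.host_xlates: Dict[str, Xlate] = {}           # one dynamic NAT xlate per inside host
        self.pat_xlates: Dict[Tuple[str, int], Xlate] = {}
        # reply key (mapped src, mapped port, dst, dport) -> real inside address
        self.conns: Dict[Tuple[str, int, str, int], str] = {}

    def _acl_permits(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.real_net
                and ipaddress.ip_address(dst) in self.dest_net)

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Xlate]:
        """Inside-initiated packet: the xlate used, or None when nat-control drops it."""
        if not self._acl_permits(src, dst):
            return None                     # no matching nat rule => "Connection refused"
        if src in self.host_xlates:
            x = self.host_xlates[src]       # a host keeps its pool address while the xlate lives
        elif self.free_pool:
            x = Xlate(src, self.free_pool.pop(0))
            self.host_xlates[src] = x
        else:                               # pool exhausted: per-connection PAT on the backup
            x = Xlate(src, self.pat_ip, sport, next(self.pat_ports), flags="ri")
            self.pat_xlates[(src, sport)] = x
        mapped_port = sport if x.glob_port is None else x.glob_port
        self.conns[(x.glob, mapped_port, dst, dport)] = src
        return x

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[str]:
        """Outside packet towards a mapped address: passes only as the reply to a
        connection opened from the inside, so outside hosts cannot initiate through it."""
        return self.conns.get((dst, dport, src, sport))

    def show_xlate(self) -> List[str]:
        entries = list(self.host_xlates.values()) + list(self.pat_xlates.values())
        return [f"{len(entries)} in use"] + [x.show() for x in entries]
```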

Task 3

Configure ASA so that it translates the source IP address of traffic initiated from 1.1.1.1 and destined to 4.4.4.4. Use the IP address 10.104.1.1 for this translation. Do not configure an inbound ACL on the DMZ interface in this task, as it is not necessary.

Here we are asked for a dynamic PAT configuration for traffic between R1's loopback0 and R4's loopback0 interface. Note that the task is very specific and clearly states that the traffic should be initiated from R1. This means we need to use dynamic translation. Remember that you should configure ONLY what you've been asked for. Be careful and check what translation IDs you have already configured, to ensure you won't overwrite a previously configured NAT rule or add the next NAT statement to it instead of adding a new one. Also, watch out for which interfaces you use in the NAT and GLOBAL statements.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# access-list DYNA-NAT3 permit ip host 1.1.1.1 host 4.4.4.4
ASA-FW(config)# nat (IN) 3 access-list DYNA-NAT3
ASA-FW(config)# global (DMZ) 3 10.104.1.1 netmask 255.255.255.255
INFO: Global 10.104.1.1 will be Port Address Translated

Verification

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:17:01
* 514 vty 0                idle                 00:00:00 10.104.1.1

  Interface    User               Mode         Idle     Peer Address

ASA-FW(config)# sh xlate
2 in use, 4 most used
PAT Global 10.104.1.1(31496) Local 1.1.1.1(63820)
Global 10.102.1.196 Local 10.101.1.1
ASA-FW(config)# sh xlate detail
2 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from IN:1.1.1.1/63820 to DMZ(DYNA-NAT3):10.104.1.1/31496 flags ri
NAT from IN:10.101.1.1 to OUT(DYNA-NAT2):10.102.1.196 flags i

Lab 1.10. Static NAT (8.3+)

Lab Setup

• R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 10
• R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 20
• R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 40
• Configure Telnet on all routers using password "cisco"
• Configure default routes on R1/R2 and R4 to point to the ASA, and static routes to reach the routers' loopbacks

IP Addressing

  Device   Interface   IP address
  R1       Lo0         1.1.1.1/24
  R1       F0/0        10.1.1.1/24
  R2       Lo0         2.2.2.2/24
  R2       G0/0        100.2.2.2/24
  R4       Lo0         4.4.4.4/24

  R4       F0/0        10.4.4.4/24
  ASA1     E0/0        100.2.2.10/24
  ASA1     E0/1        10.1.1.10/24
  ASA1     E0/2        10.4.4.10/24

Task 1

Configure ASA so that when someone from the outside (the network segment behind the ASA's OUTSIDE interface) tries to connect to the IP address 100.2.2.99, he/she will be pointed to R1's loopback0 interface. Limit the embryonic connections for hosts using that connection to 2 and full connections to 10 per host.

This is a new NAT scenario. You must have at least software version 8.3(1) installed on the ASA. The following commands are no longer supported in 8.3+:

• nat-control
• static
• global

Piggybacked options such as max connections, embryonic connections, TCP sequence number randomization and nailed are migrated to MPF.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R1-loopback
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# ex
ASA(config)# object network R1-loop-translated
ASA(config-network-object)# host 100.2.2.99
ASA(config-network-object)# ex
ASA(config)# object network R1-loopback
ASA(config-network-object)# nat (inside,outside) static R1-loop-translated
ASA(config)# access-list OUTSIDE_IN permit ip any host 1.1.1.1
ASA(config)# access-group OUTSIDE_IN in interface outside
ASA(config)# route inside 1.1.1.1 255.255.255.255 10.1.1.1
ASA(config)# route outside 2.2.2.2 255.255.255.255 100.2.2.2
ASA(config)# route dmz 4.4.4.4 255.255.255.255 10.4.4.4
ASA(config)# access-list R1-LOOP extended permit tcp any host 1.1.1.1
ASA(config)# class-map CM-R1-LOOP

ASA(config-cmap)# match access-list R1-LOOP
ASA(config-cmap)# exi
ASA(config)# policy-map OUTSIDE-POLICY
ASA(config-pmap)# class CM-R1-LOOP
ASA(config-pmap-c)# set connection per-client-max 10 per-client-embryonic-max 2
ASA(config-pmap-c)# exi
ASA(config-pmap)# exi
ASA(config)# service-policy OUTSIDE-POLICY interface outside

Step 2 R1 configuration.

R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.10

Step 3 R2 configuration.

R2(config)# ip route 0.0.0.0 0.0.0.0 100.2.2.10

Step 4 R4 configuration.

R4(config)# ip route 0.0.0.0 0.0.0.0 10.4.4.10

Verification

R2#tel 100.2.2.99
Trying 100.2.2.99 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:21
* 514 vty 0                idle                 00:00:00 100.2.2.2

  Interface    User               Mode         Idle     Peer Address

R1>

ASA(config)# sh nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static R1-loopback R1-loop-translated
    translate_hits = 0, untranslate_hits = 19

ASA(config)# sh conn det
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete,
       J - GTP, j - GTP data, K - GTP t3-response, k - Skinny media, M - SMTP data,
       m - SIP media, n - GUP, O - outbound data, P - inside back connection,
       p - Phone-proxy TFTP connection, q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, V - VPN orphan,
       W - WAAS, X - inspected by service module
TCP outside:100.2.2.2/49617 inside:1.1.1.1/23,
    flags UIOB, idle 1m20s, uptime 1m25s, timeout 1h0m, bytes 403

ASA(config)# sh service-policy interface outside

Interface outside:
  Service-policy: OUTSIDE-POLICY
    Class-map: CM-R1-LOOP
      Set connection policy: per-client-max 10 per-client-embryonic-max 2
        current conns 3, drop 0

Task 2

Configure ASA so that when someone from the outside (the network segment behind the ASA's OUTSIDE interface) tries to connect to the IP address 100.2.2.4 using TELNET, he/she will be pointed to R4's f0/0 interface. The translation must be used only for TELNET traffic.

This task is similar to the previous one, but there is one difference. This is called Static PAT (Port Address Translation) and it's useful for "port redirection".

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R4
ASA(config-network-object)# host 10.4.4.4
ASA(config-network-object)# nat (dmz,outside) static 100.2.2.4 service tcp 23 23
ASA(config)# access-list OUTSIDE_IN extended permit tcp any host 10.4.4.4 eq 23

Verification

R2#tel 100.2.2.4
Trying 100.2.2.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 1w4d
* 514 vty 0                idle                 00:00:00 100.2.2.2

  Interface    User               Mode         Idle     Peer Address

R4>

ASA(config)# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static R1-loopback R1-loop-translated
    translate_hits = 0, untranslate_hits = 31
2 (dmz) to (outside) source static R4 100.2.2.4   service tcp telnet telnet
    translate_hits = 0, untranslate_hits = 4

ASA(config)# sh conn det
1 in use, 3 most used

TCP outside:100.2.2.2/16851 dmz:10.4.4.4/23,
    flags UIOB, idle 44s, uptime 59s, timeout 1h0m, bytes 504

Task 3

Configure ASA so that when someone from the outside (the network segment behind the ASA's OUTSIDE interface) tries to connect to the ASA's outside interface using port 2323, he/she will be redirected to R1's F0/0 interface using port 23.

This task is similar to the previous one, but in this case the ASA must "listen" on its outside interface on port 2323 and "redirect" all traffic coming to that interface/port to the IP address of R1's F0/0 interface and port 23. Note that you still need an ACL entry on the outside interface for those connections.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R1
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static interface service tcp 23 2323
ASA(config)# access-list OUTSIDE_IN extended permit tcp any host 10.1.1.1 eq 23

Note that you must configure the Real IP address and the Real port number in the outside ACL.

Verification

B .2. M .TCP state-bypass or nailed.awaiting outside ACK to SYN.UDP SUNRPC. timeout 1h0m. untranslate_hits = 31 2 (inside) to (outside) source static R1 interface service tcp telnet 2323 translate_hits = 0.1.CTIQBE media. G .4 service tcp telnet telnet translate_hits = 0. flags UIOB.inside back connection. n . C .awaiting inside SYN.2.GTP.2. i . F .VPN orphan.H. d . g . a . r . idle 1m22s. h .GTP t3-response k .SMTP data.225..outbound data.1.SIP transient. X .GUP O . j .outside acknowledged FIN.awaiting inside ACK to SYN. E . R .SQL*Net data.inbound data.GTP data.2. 2323 .SIP media.2.DNS.CCIE SECURITY v4 Lab Workbook R2#tel 100.initial SYN from outside.2. t . W .awaiting outside SYN.incomplete.10.inside acknowledged FIN. T . 3 most used Flags: A . S . s . K . uptime 1m27s.323. P . bytes 382 Task 4 Page 106 of 1033 . f . I .outside FIN.dump.2 Interface User User Mode Location Idle Peer Address R1> ASA(config)# sh nat Auto NAT Policies (Section 2) 1 (inside) to (outside) source static R1-loopback R1-loop-translated translate_hits = 0. V .1/23. p .2. m .10 2323 Trying 100.2/57249 inside:10. D .SIP. J . untranslate_hits = 4 ASA(config)# sh conn det 1 in use.0.H. U .outside back connection.group.up.Phone-proxy TFTP connection.2.2.Skinny media.WAAS.inside FIN.. Open User Access Verification Password: R1>sh users Line Host(s) Idle 0 con 0 idle 00:40:49 *514 vty 0 idle 00:00:00 100. q . b . H .inspected by service module TCP outside:100. R .MGCP. untranslate_hits = 1 3 (dmz) to (outside) source static R4 100.2.

Configure ASA so that it statically translates R1's loopback0 IP address to its outside interface's IP address. The translation must be enforced only for traffic going between R1's loopback0 and R2's loopback0 interface.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R2-loopback
ASA(config-network-object)# host 2.2.2.2
ASA(config-network-object)# exi
ASA(config)# nat (inside,outside) source static R1-loopback interface destination static R2-loopback R2-loopback
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

Verification

R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:21:21
* 706 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 2.2.2.2 closed by foreign host]

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:21:32
* 706 vty 0                idle                 00:00:00 100.2.2.10

  Interface    User               Mode         Idle     Peer Address

R2>

ASA(config)# sh nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static R1-loopback interface   destination static R2-loopback R2-loopback
    translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static R1-loopback R1-loop-translated
    translate_hits = 0, untranslate_hits = 31
2 (inside) to (outside) source static R1 interface   service tcp telnet 2323
    translate_hits = 0, untranslate_hits = 1
3 (dmz) to (outside) source static R4 100.2.2.4   service tcp telnet telnet
    translate_hits = 0, untranslate_hits = 4

Note that this translation now goes into the Manual NAT section and will be evaluated first.

ASA(config)# sh conn det
1 in use, 3 most used
TCP outside:2.2.2.2/23 inside:1.1.1.1/64664,
    flags UIO, idle 47s, uptime 52s, timeout 1h0m, bytes 408

Task 5

Configure ASA so that it statically translates all traffic coming from R1's loopback0 interface towards the DMZ subnet to the IP address 10.5.5.1. The translation rule should be used only for traffic originated from 1.1.1.1 and destined to 4.4.4.4.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R4-loopback
ASA(config-network-object)# host 4.4.4.4
ASA(config-network-object)# exi
ASA(config)# object network R1-R4-NAT
ASA(config-network-object)# host 10.5.5.1
ASA(config-network-object)# exi
ASA(config)# nat (inside,dmz) source static R1-loopback R1-R4-NAT destination static R4-loopback R4-loopback

Verification

R1#tel 4.4.4.4
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 1w4d
* 514 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R4>exi
[Connection to 4.4.4.4 closed by foreign host]

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 1w4d
* 514 vty 0                idle                 00:00:00 10.5.5.1

  Interface    User               Mode         Idle     Peer Address

R4>

Task 6

Configure a static translation on ASA so that when R2 telnets to the IP address 100.2.2.11 port tcp/2323 using its loopback0 interface as a source, it will be automatically redirected to the host 1.1.1.1 port tcp/23. This translation rule should work only for traffic initiated from R2's loopback0 interface and destined to 100.2.2.11.

This task requires "port redirection", but only for traffic between two hosts.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object service PORT-2323
ASA(config-service-object)# service tcp source eq 2323
ASA(config)# object service PORT-23
ASA(config-service-object)# service tcp source eq telnet
ASA(config)# object network R1-R2-NAT
ASA(config-network-object)# host 100.2.2.11
ASA(config)# nat (inside,outside) source static R1-loopback R1-R2-NAT destination static R2-loopback R2-loopback service PORT-23 PORT-2323

Verification

R2#tel 100.2.2.11 2323
Trying 100.2.2.11, 2323 ...
% Connection timed out; remote host not responding

R2#tel 100.2.2.11 2323 /so lo0
Trying 100.2.2.11, 2323 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:13:37
* 514 vty 0                idle                 00:00:00 2.2.2.2

  Interface    User               Mode         Idle     Peer Address

R1>

ASA(config)# sh nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static R1-loopback interface   destination static R2-loopback R2-loopback
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (dmz) source static R1-loopback R1-R4-NAT   destination static R4-loopback R4-loopback
    translate_hits = 1, untranslate_hits = 0
3 (inside) to (outside) source static R1-loopback R1-R2-NAT   destination static R2-loopback R2-loopback service PORT-23 PORT-2323
    translate_hits = 0, untranslate_hits = 1

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static R1-loopback R1-loop-translated
    translate_hits = 0, untranslate_hits = 31
2 (inside) to (outside) source static R1 interface   service tcp telnet 2323
    translate_hits = 0, untranslate_hits = 1
3 (dmz) to (outside) source static R4 100.2.2.4   service tcp telnet telnet
    translate_hits = 0, untranslate_hits = 4

ASA(config)# sh conn det

1 in use, 3 most used
TCP outside:2.2.2.2/13444 inside:1.1.1.1/23,
    flags UIOB, idle 33s, uptime 38s, timeout 1h0m, bytes 380

Task 7

Configure ASA so that it statically translates all hosts from the inside network (10.1.1.0/24) to addresses on the 10.11.11.0/24 network, making them all accessible from the DMZ.

This type of NAT is useful when we want to make two networks fully accessible to each other. We need to translate the whole network to another network and allow traffic to be originated from the subnet behind the lower security level interface by configuring an inbound ACL.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network NET-10.1.1.0
ASA(config-network-object)# subnet 10.1.1.0 255.255.255.0
ASA(config-network-object)# ex
ASA(config)# object network NET-10.11.11.0
ASA(config-network-object)# subnet 10.11.11.0 255.255.255.0
ASA(config-network-object)# ex
ASA(config)# object network NET-10.1.1.0
ASA(config-network-object)# nat (inside,dmz) static NET-10.11.11.0

ASA(config)# access-list DMZ_IN permit ip 10.4.4.0 255.255.255.0 10.1.1.0 255.255.255.0
ASA(config)# access-group DMZ_IN in interface dmz

From 8.3 on, interface ACLs are evaluated against the real (untranslated) addresses, so DMZ_IN names the real inside network 10.1.1.0/24 rather than the mapped 10.11.11.0/24. DMZ hosts still reach the inside hosts only through the mapped addresses, because those are what the static rule untranslates; a packet sent to the real address fails the NAT reverse-path check and is dropped, hence the time-out on the first attempt below. Without the inbound ACL on the lower-security DMZ interface, sessions initiated from DMZ would still be denied.

Verification

R4#tel 10.1.1.1
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding

R4#tel 10.11.11.1
Trying 10.11.11.1 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:24:41
*514 vty 0                idle                 00:00:00 10.4.4.4

  Interface    User               Mode         Idle     Peer Address

R1>

ASA(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static R1-loopback interface   destination static R2-loopback R2-loopback
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (dmz) source static R1-loopback R1-R4-NAT   destination static R4-loopback R4-loopback
    translate_hits = 1, untranslate_hits = 0
3 (inside) to (outside) source static R1-loopback R1-R2-NAT   destination static R2-loopback R2-loopback   service PORT-23 PORT-2323
    translate_hits = 0, untranslate_hits = 1

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static R1-loopback R1-loop-translated
    translate_hits = 0, untranslate_hits = 1
2 (inside) to (outside) source static R1 interface   service tcp telnet 2323
    translate_hits = 0, untranslate_hits = 4
3 (dmz) to (outside) source static R4 100.2.2.4
    translate_hits = 0, untranslate_hits = 1
4 (inside) to (dmz) source static NET-10.1.1.0 NET-10.11.11.0
    translate_hits = 0, untranslate_hits = 1

ASA(config)# sh conn det
1 in use, 3 most used
Flags: (same legend as in the previous show conn detail output)
TCP dmz:10.4.4.4/18331 inside:10.1.1.1/23,
    flags UIOB, idle 42s, uptime 46s, timeout 1h0m, bytes 402

The connection was initiated from the lower-security DMZ interface (flag B) and the untranslate_hits counter on rule 4 confirms that the destination 10.11.11.1 was mapped back to 10.1.1.1.

Lab 1.11. Dynamic NAT (8.3+)

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 10
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 20
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 40
- Configure Telnet on all routers using password "cisco"
- Configure default routes on R1, R2 and R4 pointing to the ASA, and static routes to reach the routers' loopbacks

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
        F0/0       10.1.1.1/24
R2      Lo0        2.2.2.2/24
        G0/0       100.2.2.2/24

R4      Lo0        4.4.4.4/24
        F0/0       10.4.4.4/24
ASA1    E0/0       100.2.2.10/24
        E0/1       10.1.1.10/24
        E0/2       10.4.4.10/24

Before you start
Note that the topology is the same, so you can quickly revert to the initial config on the ASA with the following commands:
clear configure nat
clear configure access-list

Task 1
Configure ASA so that when any IP address from DMZ tries to go outside, the packets are translated to the IP address 100.2.2.99.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network ANYNET
ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASA(config-network-object)# nat (dmz,outside) dynamic 100.2.2.99
ASA(config-network-object)# exit

A single mapped host address in a dynamic rule means dynamic PAT: every DMZ source shares 100.2.2.99 and is distinguished by port.

Verification

R4#tel 100.2.2.2
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 13:43:04

*706 vty 0                idle                 00:00:00 100.2.2.99

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 100.2.2.2 closed by foreign host]

R4#tel 100.2.2.2 /so lo0
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 13:43:16
*706 vty 0                idle                 00:00:00 100.2.2.99

  Interface    User               Mode         Idle     Peer Address

R2>

Both sessions, whether sourced from R4's F0/0 or from its loopback, arrive at R2 from 100.2.2.99, because ANYNET covers every source address.

ASA(config)# sh nat det
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source dynamic ANYNET 100.2.2.99
    translate_hits = 2, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 100.2.2.99/32

ASA(config)# sh conn det
1 in use, 3 most used
Flags: (same legend as in the previous show conn detail output)
TCP outside:100.2.2.2/23 dmz:4.4.4.4/31078,
    flags UIO, idle 41s, uptime 45s, timeout 1h0m, bytes 404

ASA(config)# sh xlate
1 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from dmz:4.4.4.4/31078 to outside:100.2.2.99/57571 flags ri idle 0:01:04 timeout 0:00:30

Task 2
Configure ASA so that when R4 initiates a session from its loopback IP address, the connection is not translated.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R4-loopback
ASA(config-network-object)# host 4.4.4.4
ASA(config-network-object)# exit
ASA(config)# nat (dmz,outside) source static R4-loopback R4-loopback

Note that NAT exemption (nat 0 access-list) no longer exists in 8.3+. Its replacement is identity NAT: a static rule translating an object to itself. It is configured here as manual NAT so that it lands in Section 1 and is evaluated before any object NAT rule, whatever the sorting within Section 2.

Verification

R4#tel 100.2.2.2
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 13:57:18
*706 vty 0                idle                 00:00:00 100.2.2.99

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 100.2.2.2 closed by foreign host]

R4#tel 100.2.2.2 /so lo0
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 13:57:28
*706 vty 0                idle                 00:00:00 4.4.4.4

  Interface    User               Mode         Idle     Peer Address

R2>

ASA(config)# sh nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static R4-loopback R4-loopback
    translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source dynamic ANYNET 100.2.2.99
    translate_hits = 3, untranslate_hits = 0

ASA(config)# sh xlate
2 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:4.4.4.4 to outside:4.4.4.4
    flags sI idle 0:07:51 timeout 0:00:00
TCP PAT from dmz:10.4.4.4/31441 to outside:100.2.2.99/8106 flags ri idle 0:00:29 timeout 0:00:30

The loopback-sourced session now reaches R2 as 4.4.4.4 and its xlate carries the flags sI (static, identity), while the F0/0-sourced session is still PATed (flags ri).

Task 3
Configure ASA so that all IP addresses from the inside subnet (10.1.1.0/24) are translated to the dynamic pool 100.2.2.100 - 100.2.2.200. If the pool is exhausted, configure ASA to fall back to dynamic port translation using the IP address 100.2.2.201.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network NAT-RANGE
ASA(config-network-object)# range 100.2.2.100 100.2.2.200
ASA(config-network-object)# exit
ASA(config)# object network PAT
ASA(config-network-object)# host 100.2.2.201
ASA(config-network-object)# exit
ASA(config)# object-group network NAT-PAT-GROUP
ASA(config-network-object-group)# network-object object NAT-RANGE
ASA(config-network-object-group)# network-object object PAT
ASA(config-network-object-group)# exit
ASA(config)# object network NET-10.1.1.0
ASA(config-network-object)# subnet 10.1.1.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic NAT-PAT-GROUP
ASA(config-network-object)# exit

When the mapped object is a group, its ranges and subnets form the dynamic NAT pool, and a single host address included in the group is used for PAT once the pool is exhausted.

Verification

R1#tel 100.2.2.2
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 14:13:00
*706 vty 0                idle                 00:00:00 100.2.2.187

  Interface    User               Mode         Idle     Peer Address

R2>

ASA(config)# sh nat det
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static R4-loopback R4-loopback
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 4.4.4.4/32, Translated: 4.4.4.4/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic NET-10.1.1.0 NAT-PAT-GROUP
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 100.2.2.100/30, 100.2.2.104/29, 100.2.2.112/28, 100.2.2.128/26, 100.2.2.192/29, 100.2.2.200/32, 100.2.2.201/32
2 (dmz) to (outside) source dynamic ANYNET 100.2.2.99
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 100.2.2.99/32

ASA(config)# sh xlate
2 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:4.4.4.4 to outside:4.4.4.4
    flags sI idle 0:23:24 timeout 0:00:00
NAT from inside:10.1.1.1 to outside:100.2.2.187
    flags i idle 0:04:10 timeout 3:00:00

The range 100.2.2.100-200 is displayed as the prefixes it decomposes into, followed by the /32 PAT address. The inside host received a one-to-one dynamic translation (flags i without r, and the three-hour dynamic NAT timeout) rather than a PAT entry.

Task 4
Configure ASA so that when R1 communicates with hosts in DMZ using its loopback0 interface as the source, it is dynamically translated to the ASA's DMZ interface IP address.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R1-loopback
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,dmz) dynamic interface
ASA(config-network-object)# exit

Verification

R1#tel 10.4.4.4
Trying 10.4.4.4 ... Open

User Access Verification

Password:

R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 00:20:17
*514 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R4>exit
[Connection to 10.4.4.4 closed by foreign host]

R1#tel 10.4.4.4 /so lo0
Trying 10.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 00:20:33
*514 vty 0                idle                 00:00:00 10.4.4.10

  Interface    User               Mode         Idle     Peer Address

R4>

ASA(config)# sh nat det
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static R4-loopback R4-loopback
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 4.4.4.4/32, Translated: 4.4.4.4/32

Auto NAT Policies (Section 2)
1 (inside) to (dmz) source dynamic R1-loopback interface
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 1.1.1.1/32, Translated: 10.4.4.10/24
2 (inside) to (outside) source dynamic NET-10.1.1.0 NAT-PAT-GROUP
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 100.2.2.100/30, 100.2.2.104/29, 100.2.2.112/28, 100.2.2.128/26, 100.2.2.192/29, 100.2.2.200/32, 100.2.2.201/32
3 (dmz) to (outside) source dynamic ANYNET 100.2.2.99
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 100.2.2.99/32

ASA(config)# sh xlate
3 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:4.4.4.4 to outside:4.4.4.4
    flags sI idle 0:28:24 timeout 0:00:00
TCP PAT from inside:1.1.1.1/35710 to dmz:10.4.4.10/32704 flags ri idle 0:00:23 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:100.2.2.187
    flags i idle 0:09:10 timeout 3:00:00

Task 5
Configure ASA so that when R1 communicates with hosts on the outside network using its loopback0 interface as the source, it is dynamically translated to the IP address 100.2.2.202. Do not break your previous configuration. You must use manual NAT to accomplish this task.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network PAT-202
ASA(config-network-object)# host 100.2.2.202
ASA(config-network-object)# exit
ASA(config)# nat (inside,outside) source dynamic R1-loopback PAT-202

Note that an object can carry only one nat statement, and R1-loopback already has its (inside,dmz) rule from Task 4; entering a second one under the object would replace it. Manual NAT references the object without touching that rule, which is why the task requires it.

Verification

R1#tel 100.2.2.2
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 21:00:37
*706 vty 0                idle                 00:00:00 100.2.2.176

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 100.2.2.2 closed by foreign host]

R1#tel 100.2.2.2 /so lo0
Trying 100.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 21:01:25
*706 vty 0                idle                 00:00:00 100.2.2.202

  Interface    User               Mode         Idle     Peer Address

R2>

ASA(config)# sh nat det
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static R4-loopback R4-loopback
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 4.4.4.4/32, Translated: 4.4.4.4/32
2 (inside) to (outside) source dynamic R1-loopback PAT-202
    translate_hits = 2, untranslate_hits = 0
    Source - Origin: 1.1.1.1/32, Translated: 100.2.2.202/32

Auto NAT Policies (Section 2)
1 (inside) to (dmz) source dynamic R1-loopback interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 1.1.1.1/32, Translated: 10.4.4.10/24
2 (inside) to (outside) source dynamic NET-10.1.1.0 NAT-PAT-GROUP
    translate_hits = 5, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 100.2.2.100/30, 100.2.2.104/29, 100.2.2.112/28, 100.2.2.128/26, 100.2.2.192/29, 100.2.2.200/32, 100.2.2.201/32
3 (dmz) to (outside) source dynamic ANYNET 100.2.2.99
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 100.2.2.99/32

ASA(config)# sh xlate
4 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:4.4.4.4 to outside:4.4.4.4
    flags sI idle 7:11:51 timeout 0:00:00
TCP PAT from inside:1.1.1.1/58640 to outside:100.2.2.202/7235 flags ri idle 0:00:20 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:100.2.2.176
    flags i idle 0:01:40 timeout 3:00:00

Lab 1.12. Bidirectional NAT (8.3+)

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 10
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 20
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 40
- Configure Telnet on all routers using password "cisco"
- Configure default routes on R1 and R2 pointing to the ASA, and static routes to reach the routers' loopbacks
- Do NOT configure a static default route on R4

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
        F0/0       10.1.1.1/24
R2      Lo0        2.2.2.2/24

        G0/0       100.2.2.2/24
R4      Lo0        4.4.4.4/24
        F0/0       10.4.4.4/24
ASA1    E0/0       100.2.2.10/24
        E0/1       10.1.1.10/24
        E0/2       10.4.4.10/24

Before you start
Note that the topology is the same, so you can quickly revert to the initial config on the ASA with the following commands:
clear configure nat
clear configure access-list

Task 1
For security reasons R4 has no default route configured. Configure ASA to redirect all TCP/23 traffic from the outside destined to the IP address 100.2.2.44 to router R4's F0/0 interface. Do not configure a default route on R4 to accomplish this task.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA(config)# object network R4
ASA(config-network-object)# host 10.4.4.4
ASA(config-network-object)# nat (dmz,outside) static 100.2.2.44
ASA(config-network-object)# exit
ASA(config)# object network ANYNET
ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASA(config-network-object)# nat (outside,dmz) dynamic interface
ASA(config-network-object)# exit
ASA(config)# access-list OUTSIDE_IN permit tcp any host 10.4.4.4 eq 23
ASA(config)# access-group OUTSIDE_IN in interface outside

The ACL names R4's real address 10.4.4.4, because on 8.3+ interface ACLs are matched after the destination has been untranslated. The static rule maps every protocol and port of 10.4.4.4 to 100.2.2.44, so it is the ACL, not NAT, that limits the exposure to TCP/23. Translating the outside sources to the ASA's DMZ interface address is what lets R4 reply without a default route: every session appears to come from its directly connected subnet.

This is called bidirectional NAT because the packet's source and destination are translated at the same time, each by its own rule. It works as expected; however, it is not the recommended method, as the ASA must do two NAT lookups to translate the packet, one for the source and one for the destination. It is simply not efficient.

Verification

R2#tel 100.2.2.44
Trying 100.2.2.44 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 00:06:22
*514 vty 0                idle                 00:00:00 10.4.4.10

  Interface    User               Mode         Idle     Peer Address

R4>

ASA(config)# sh nat det
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static R4 100.2.2.44
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.4.4.4/32, Translated: 100.2.2.44/32
2 (outside) to (dmz) source dynamic ANYNET interface
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 10.4.4.10/24

ASA(config)# sh xlate
3 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.4.4.4 to outside:100.2.2.44
    flags s idle 0:01:01 timeout 0:00:00
TCP PAT from outside:100.2.2.2/48411 to dmz:10.4.4.10/51855 flags ri idle 0:01:01 timeout 0:00:30

R4 sees the session coming from 10.4.4.10, and the counters show each of the two rules being hit once: rule 1 untranslated the destination, rule 2 translated the source.

Another method (the preferred one) is called twice NAT; it requires only one lookup and one translation rule. Let's clear the previous NAT config and try again.

Configuration
Complete these steps:

Step 2 ASA configuration.

ASA(config)# clear configure nat
ASA(config)# object network R4-NAT
ASA(config-network-object)# host 100.2.2.44
ASA(config-network-object)# exit
ASA(config)# object network R4
ASA(config-network-object)# host 10.4.4.4
ASA(config-network-object)# exit
ASA(config)# object network ANYNET
ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASA(config-network-object)# exit
ASA(config)# nat (outside,dmz) source dynamic ANYNET interface destination static R4-NAT R4

Read the destination part in the direction of the source interface: as seen from the outside the destination is R4-NAT (100.2.2.44), and it is translated to R4 (10.4.4.4) on the DMZ side. The OUTSIDE_IN access list from Step 1 stays in place, since clear configure nat removes only the NAT rules.

Verification

R2#tel 100.2.2.44
Trying 100.2.2.44 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     piotr      idle                 00:17:27
*514 vty 0                idle                 00:00:00 10.4.4.10

  Interface    User               Mode         Idle     Peer Address

R4>

ASA(config)# sh nat det
Manual NAT Policies (Section 1)
1 (outside) to (dmz) source dynamic ANYNET interface   destination static R4-NAT R4
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 0.0.0.0/0, Translated: 10.4.4.10/24
    Destination - Origin: 100.2.2.44/32, Translated: 10.4.4.4/32

ASA(config)# sh xlate
2 in use, 7 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.4.4.4 to outside:100.2.2.44
    flags sT idle 0:00:23 timeout 0:00:00
TCP PAT from outside:100.2.2.2/17245 to dmz:10.4.4.10/50587 flags ri idle 0:00:23 timeout 0:00:30

Note that we have only one NAT rule configured, but it still creates two xlates; the static one now carries the T (twice) flag, showing that source and destination were rewritten by the same rule in a single lookup.
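The rule order the ASA applies across these labs (Section 1 manual NAT in configuration order, Section 2 object NAT sorted static before dynamic and fewest real addresses first, Section 3 manual after-auto) is what decided every result above: the identity rule for R4's loopback beating the ANYNET PAT rule, and a single twice NAT rule doing in one lookup what the two object NAT rules of Step 1 needed two lookups for. The following Python model is added here as an illustration; it is not taken from the workbook or from Cisco. It encodes that order and replays the Lab 1.11 and Lab 1.12 rules through it. Pool and port selection are not modelled: a dynamic rule simply maps to the first address of its mapped object, and all rule names are labels chosen for this model.

```python
"""Toy model of ASA 8.3+ NAT rule selection (added example; not the workbook's code).

Lookup order reproduced here: Section 1 (manual NAT, configuration order),
Section 2 (object/auto NAT: static before dynamic, fewer real addresses first,
then lower address, then object name), Section 3 (manual after-auto).
Pools and PAT ports are not modelled: a dynamic rule maps to the first address
of its mapped object.  Rule names are labels chosen for this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                     # 1 = manual, 2 = object (auto), 3 = manual after-auto
    src_if: str
    dst_if: str
    real_src: str                    # real (pre-translation) source, e.g. "10.4.4.4/32"
    mapped_src: str                  # mapped source, e.g. "100.2.2.44/32"
    static: bool
    seq: int = 0                     # configuration order, used for manual NAT only
    real_dst: Optional[str] = None   # twice NAT: destination as seen on src_if
    mapped_dst: Optional[str] = None # twice NAT: destination as seen on dst_if


def _auto_key(r: NatRule):
    net = ip_network(r.real_src)
    return (0 if r.static else 1, net.num_addresses, int(net.network_address), r.name)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """The NAT table in the order the ASA evaluates it."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.seq)
    s2 = sorted((r for r in rules if r.section == 2), key=_auto_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.seq)
    return s1 + s2 + s3


def _map(real: str, mapped: str, ip: str) -> str:
    """One-to-one offset mapping for networks; a single mapped host takes everything (PAT)."""
    rn, mn = ip_network(real), ip_network(mapped)
    if mn.num_addresses == 1:
        return str(mn.network_address)
    return str(mn.network_address + (int(ip_address(ip)) - int(rn.network_address)))


def translate(rules, src_if, dst_if, src_ip, dst_ip) -> Tuple[str, str, List[str]]:
    """Translate one packet; returns (mapped src, mapped dst, names of the rules used)."""
    used, new_src, new_dst = [], src_ip, dst_ip
    for r in ordered(rules):
        if (r.src_if, r.dst_if) != (src_if, dst_if):
            continue
        if ip_address(src_ip) not in ip_network(r.real_src):
            continue
        if r.real_dst and ip_address(dst_ip) not in ip_network(r.real_dst):
            continue
        new_src = _map(r.real_src, r.mapped_src, src_ip)
        used.append(r.name)
        if r.mapped_dst:                 # twice NAT: the same rule rewrites the destination
            return new_src, _map(r.real_dst, r.mapped_dst, dst_ip), used
        break
    # Destination still untranslated: a second lookup for a static rule in the reverse
    # direction whose mapped address covers it (the extra lookup bidirectional NAT pays).
    for r in ordered(rules):
        reverse = (r.src_if, r.dst_if) == (dst_if, src_if)
        if reverse and r.static and not r.real_dst and ip_address(dst_ip) in ip_network(r.mapped_src):
            new_dst = _map(r.mapped_src, r.real_src, dst_ip)
            used.append(r.name)
            break
    return new_src, new_dst, used


# Lab 1.11 Tasks 1-2 plus the two object NAT rules of Lab 1.12 Step 1 (bidirectional NAT).
BIDIR = [
    NatRule("R4-loopback identity", 1, "dmz", "outside", "4.4.4.4/32", "4.4.4.4/32", True, seq=1),
    NatRule("ANYNET->100.2.2.99", 2, "dmz", "outside", "0.0.0.0/0", "100.2.2.99/32", False),
    NatRule("R4->100.2.2.44", 2, "dmz", "outside", "10.4.4.4/32", "100.2.2.44/32", True),
    NatRule("ANYNET->dmz interface", 2, "outside", "dmz", "0.0.0.0/0", "10.4.4.10/32", False),
]
# Lab 1.12 Step 2: the single twice NAT rule that replaces the two object NAT rules.
TWICE = [
    NatRule("twice ANYNET/R4-NAT", 1, "outside", "dmz", "0.0.0.0/0", "10.4.4.10/32", False,
            seq=1, real_dst="100.2.2.44/32", mapped_dst="10.4.4.4/32"),
]

if __name__ == "__main__":
    print([r.name for r in ordered(BIDIR)])
    print(translate(BIDIR, "dmz", "outside", "4.4.4.4", "100.2.2.2"))      # identity wins
    print(translate(BIDIR, "dmz", "outside", "10.4.4.4", "100.2.2.2"))     # static before dynamic
    print(translate(BIDIR, "outside", "dmz", "100.2.2.2", "100.2.2.44"))   # two rules used
    print(translate(TWICE, "outside", "dmz", "100.2.2.2", "100.2.2.44"))   # one rule used
```

Running it prints the evaluated table and the four translations. The third call lists two rule names, the fourth only one: the same packet rewritten the same way, which is the efficiency argument for twice NAT made concrete. Moving the identity rule into Section 2 still lets it win over ANYNET, because static rules sort before dynamic ones; what manual NAT buys there is independence from that sorting, and in Task 5 of Lab 1.11 it was simply the only way to give an object a second translation.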

Lab 1.13. Modular Policy Framework (MPF)

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
        F0/0       10.101.1.1/24
R2      Lo0        2.2.2.2/24
        G0/0       10.102.1.2/24
R4      Lo0        4.4.4.4/24

        F0/0       10.104.1.4/24
ASA1    E0/0       10.102.1.10/24
        E0/1       10.101.1.10/24
        E0/2.104   10.104.1.10/24

Note that the topology is the same, so you can quickly revert to the initial config on the ASA with the following commands:
clear configure nat
clear configure nat-control
clear configure global
clear configure access-list

Task 1
Configure ASA so that it inspects HTTP and ICMP in order to pass that type of traffic in a secure manner. All inbound packets traversing the ASA should be inspected, no matter on which interface the traffic comes in.

Packet inspection lets the ASA look deeper into packets as they traverse the device. Each protocol has its own set of attributes and parameters that can be checked when such traffic enters an interface, and these inspection policies let traffic pass the device securely while disallowing bogus or crafted packets. Inspection is also what opens holes in the inbound direction on the outgoing interface for the secondary channels a protocol negotiates (FTP data, H.323 media), so no ACL is needed for them; for plain TCP and UDP the connection table already admits the returning packets, and for ICMP it is the inspection engine that makes echo replies stateful instead of requiring an ACL. There is a global inspection policy enabled by default on every interface in the inbound direction, but you can also configure a custom policy and apply it to an interface.

MPF configuration consists of three steps:
1. Configure a class-map to match the interesting traffic (to be inspected).
2. Configure a policy-map, attach the previously configured class-map to it and enable inspection.
3. Apply the policy-map globally or on an interface.

MPF can perform deep packet inspection for a number of protocols. To perform deep packet inspection (also called L7 inspection), a new class-map and policy-map type has been introduced. This is an "inspection" type class-map and policy-map, which

is also called an L7 map. These maps can be used to build an advanced inspection policy and are attached under an L3/L4 class-map/policy-map. More details are presented later, when it comes to advanced inspection of specific protocols (like HTTP or FTP).

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect http
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

The easiest way to accomplish this task is to enable inspection for HTTP and ICMP in the global policy. We do not have to match any traffic ourselves, because the inspection_default class-map matches a set of default protocols and ports that includes HTTP (port 80) and ICMP. All inbound packets on all ASA interfaces are then inspected automatically.

Verification

R1#p 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASA-FW(config)# sh service-policy global

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 10, drop 0, reset-drop 0

Why 10 packets? Because the default policy is attached globally, meaning it works on every interface in the inbound direction. Hence ten packets: the 5 ICMP Echo Requests entering the IN interface and the 5 ICMP Echo Replies entering the OUT interface.

ASA-FW(config)# sh run class-map inspection_default
!
class-map inspection_default
 match default-inspection-traffic

ASA-FW(config)# class-map inspection_default
ASA-FW(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748     dns-------udp--53
                              ftp-------tcp--21       gtp-------udp--2123,3386
                              h323-h225-tcp--1720     h323-ras--udp--1718-1719
                              http------tcp--80       icmp------icmp
                              ils-------tcp--389      mgcp------udp--2427,2727
                              netbios---udp--137-138  radius-acct---udp--1646
                              rpc-------udp--111      rsh-------tcp--514
                              rtsp------tcp--554      sip-------tcp--5060
                              sip-------udp--5060     skinny----tcp--2000
                              smtp------tcp--25       sqlnet----tcp--1521
                              tftp------udp--69       waas------tcp--1-65535
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers

  tunnel-group                Match a Tunnel Group

ASA-FW(config)# sh conn all
7 in use, 10 most used
UDP DMZ 10.104.1.4:520 NP Identity Ifc 224.0.0.9:520, idle 0:00:06, bytes 15216, flags -
UDP DMZ 224.0.0.9:520 NP Identity Ifc 10.104.1.10:520, idle 0:00:20, bytes 53280, flags -
UDP IN 10.101.1.1:520 NP Identity Ifc 224.0.0.9:520, idle 0:00:06, bytes 15192, flags -
UDP IN 224.0.0.9:520 NP Identity Ifc 10.101.1.10:520, idle 0:00:18, bytes 53280, flags -
UDP OUT 10.102.1.2:520 NP Identity Ifc 224.0.0.9:520, idle 0:00:06, bytes 15144, flags -
UDP OUT 224.0.0.9:520 NP Identity Ifc 10.102.1.10:520, idle 0:00:10, bytes 53280, flags -
ICMP OUT 2.2.2.2:0 IN 10.101.1.1:2, idle 0:00:00, bytes 72, flags -

Note that you need to start a continuous ping on R1 to see the dynamic ICMP connection entry on the ASA. The RIP entries are listed as "NP Identity Ifc" because they terminate on the ASA itself. With ICMP inspection enabled, the echo requests create a connection (the ICMP identifier, 2 here, takes the place of a port) and only the matching echo replies are admitted; without it ICMP is stateless and the replies would need an explicit ACL.

Task 2
There is an SMTP server located on 4.4.4.4. Configure ASA so that it only inspects ESMTP traffic between 1.1.1.1 and 4.4.4.4.

The ASA can inspect Simple Mail Transfer Protocol (SMTP) traffic, subjecting it to a number of checks that ensure there are no malicious packets destined to the mail server. SMTP inspection is enabled by default at the global level: it is matched by the inspection_default class-map, which treats all traffic destined to port 25 as SMTP, so no ACL is needed for the returning traffic and the basic checks are enforced on every interface. In our case, however, we are asked to inspect SMTP between two hosts only. The default class cannot express that, so we match the traffic with an access list and enable ESMTP inspection for that class on the DMZ interface. It is also wise to disable ESMTP inspection at the global level if we do not want the inspection to be done on every interface.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# no inspect esmtp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
ASA-FW(config)# access-list R1-to-R4-inspection permit ip host 1.1.1.1 host 4.4.4.4
ASA-FW(config)# class-map CM-R1-to-R4
ASA-FW(config-cmap)# match access-list R1-to-R4-inspection
ASA-FW(config-cmap)# exit
ASA-FW(config)# policy-map PM-R1-to-R4
ASA-FW(config-pmap)# class CM-R1-to-R4
ASA-FW(config-pmap-c)# inspect esmtp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
ASA-FW(config)# service-policy PM-R1-to-R4 interface DMZ

Verification

ASA-FW(config)# sh service-policy interface DMZ

Interface DMZ:
  Service-policy: PM-R1-to-R4
    Class-map: CM-R1-to-R4
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

ASA-FW(config)# sh run all policy-map type inspect esmtp
!
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

Note that many SMTP checks are configured by default. Hence, enabling ESMTP inspection may make your mail connections suffer: a single header line longer than 998 characters or a message addressed to more than 100 recipients is enough to have the connection dropped, and the default map also masks the server banner and the EHLO capabilities it does not know. Be careful and know what you're doing!

ASA-FW(config)# sh service-policy inspect esmtp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default

Interface DMZ:
  Service-policy: PM-R1-to-R4
    Class-map: CM-R1-to-R4
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match cmd line length gt 512
          drop-connection log, packet 0
        match cmd RCPT count gt 100
          drop-connection log, packet 0
        match body line length gt 998
          log, packet 0
        match header line length gt 998
          drop-connection log, packet 0
        match sender-address length gt 320
          drop-connection log, packet 0
        match MIME filename length gt 255
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 0
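The thresholds in _default_esmtp_map are exactly what will bite a real mail flow, so it is worth seeing them fire before the policy goes in front of a server. The following Python model is added here as an illustration; it is not the workbook's or Cisco's code. It walks the client lines of an SMTP session, applies the six thresholds printed above with the default actions, and returns which match lines would have fired. The session parsing and the constructed sessions at the bottom are assumptions of this model, not the ASA's implementation.

```python
"""Emulation of the checks in the ASA's _default_esmtp_map (added example; not the
workbook's or Cisco's code).  Thresholds and actions are those shown by
'show run all policy-map type inspect esmtp'; the SMTP parsing is this model's own.
"""
from typing import List, Tuple

CMD_LINE_MAX = 512        # match cmd line length gt 512        -> drop-connection log
RCPT_MAX = 100            # match cmd RCPT count gt 100         -> drop-connection log
BODY_LINE_MAX = 998       # match body line length gt 998       -> log
HEADER_LINE_MAX = 998     # match header line length gt 998     -> drop-connection log
SENDER_MAX = 320          # match sender-address length gt 320  -> drop-connection log
MIME_FILENAME_MAX = 255   # match MIME filename length gt 255   -> drop-connection log

DROP = "drop-connection log"
LOG = "log"


def _mime_filename(line: str) -> str:
    """Return the filename= value of a Content-Disposition line, or '' if there is none."""
    lower = line.lower()
    if not lower.startswith("content-disposition:") or "filename=" not in lower:
        return ""
    return line.split("filename=", 1)[1].strip().strip('"')


def inspect_esmtp(session: List[str]) -> List[Tuple[str, str]]:
    """Return (match, action) pairs in the order they fire.

    A drop-connection action ends the walk, like the ASA tearing the session down;
    a log-only action records the hit and keeps going.
    """
    findings: List[Tuple[str, str]] = []
    in_data, in_headers, rcpt_count = False, False, 0

    for line in session:
        if in_data:
            if line == ".":                          # end of the message
                in_data = False
                continue
            if in_headers and line == "":            # blank line separates headers from body
                in_headers = False
                continue
            if in_headers and len(line) > HEADER_LINE_MAX:
                findings.append(("header line length gt 998", DROP))
                return findings
            if not in_headers and len(line) > BODY_LINE_MAX:
                findings.append(("body line length gt 998", LOG))
            if len(_mime_filename(line)) > MIME_FILENAME_MAX:
                findings.append(("MIME filename length gt 255", DROP))
                return findings
            continue

        # command phase
        if len(line) > CMD_LINE_MAX:
            findings.append(("cmd line length gt 512", DROP))
            return findings
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            sender = arg.split(":", 1)[-1].strip()
            if len(sender) > SENDER_MAX:
                findings.append(("sender-address length gt 320", DROP))
                return findings
            rcpt_count = 0                           # a new envelope starts
        elif verb == "RCPT":
            rcpt_count += 1
            if rcpt_count > RCPT_MAX:
                findings.append(("cmd RCPT count gt 100", DROP))
                return findings
        elif verb == "DATA":
            in_data, in_headers = True, True
        elif verb == "RSET":
            rcpt_count = 0
    return findings


# Constructed client-side sessions used to exercise the checks.
CLEAN = ["EHLO mail.example.net", "MAIL FROM:<alice@example.net>",
         "RCPT TO:<bob@example.org>", "DATA", "Subject: status", "",
         "all good", ".", "QUIT"]
LONG_SUBJECT = CLEAN[:4] + ["Subject: " + "x" * 1000, "", "body", ".", "QUIT"]
RCPT_FLOOD = CLEAN[:2] + [f"RCPT TO:<user{n}@example.org>" for n in range(101)] + ["DATA"]
LONG_BODY_LINE = CLEAN[:6] + ["y" * 1000, "still delivered", ".", "QUIT"]
BIG_ATTACHMENT_NAME = CLEAN[:6] + ['Content-Disposition: attachment; filename="' + "z" * 300 + '"',
                                   ".", "QUIT"]

if __name__ == "__main__":
    for name, s in [("CLEAN", CLEAN), ("LONG_SUBJECT", LONG_SUBJECT), ("RCPT_FLOOD", RCPT_FLOOD),
                    ("LONG_BODY_LINE", LONG_BODY_LINE), ("BIG_ATTACHMENT_NAME", BIG_ATTACHMENT_NAME)]:
        print(f"{name}: {inspect_esmtp(s)}")
```

The clean session produces nothing, the over-long Subject header and the 101-recipient envelope each end the connection, and the over-long body line is only logged while the message is still delivered: the same asymmetry the default map shows between its drop-connection and log actions.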

Lab 1.14. FTP Advanced Inspection

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
        F0/0       10.101.1.1/24
R2      Lo0        2.2.2.2/24
        G0/0       10.102.1.2/24
R4      Lo0        4.4.4.4/24

        F0/0       10.104.1.4/24
ASA1    E0/0       10.102.1.10/24
        E0/1       10.101.1.10/24
        E0/2.104   10.104.1.10/24

Note that the topology is the same, so you can quickly revert to the initial config on the ASA with the command clear configure all and then paste the initial config.

Task 1
There is an FTP server located in DMZ at 10.104.1.20. Configure ASA so that it resets any connection from the outside networks to that FTP server containing one of the following commands:
- DELE
- APPE
- PUT
- RMD

This task requires deep packet inspection for FTP. We are required to reset connections carrying certain FTP commands, so the ASA must first recognize the traffic as FTP and then look at the commands on the control channel to take an action. Whenever a requirement asks for a check on something protocol-specific, think of L7 class-maps and policy-maps. Here we create an L7 policy-map (type inspect ftp) and match the required commands in it (an L7 class-map nested under the L7 policy-map would also work, but since the commands can be matched with a single line we do it directly in the policy-map). We also need an L3/L4 class-map matching the traffic with an access list; the ACL is required because we must specify the destination IP address (if all FTP traffic were meant, a "match port" statement would be the better option). L7 policy-maps cannot be applied directly to an interface or globally; they are referenced from the L3/L4 policy-map when the inspection is enabled. The last step is to assign the L3/L4 policy-map to an interface, and since the FTP clients to be checked sit on the outside networks, that is the OUT interface.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# access-list DMZ_FTP permit tcp any host 10.104.1.20 eq ftp
ASA-FW(config)# policy-map type inspect ftp PM_FTP
ASA-FW(config-pmap)# match request-command dele appe put rmd
ASA-FW(config-pmap-c)# reset
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
ASA-FW(config)# class-map CM_FTP
ASA-FW(config-cmap)# match access-list DMZ_FTP
ASA-FW(config-cmap)# exit
ASA-FW(config)# policy-map OUTSIDE_MPF
ASA-FW(config-pmap)# class CM_FTP
ASA-FW(config-pmap-c)# inspect ftp strict PM_FTP
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
ASA-FW(config)# service-policy OUTSIDE_MPF interface OUT

Verification

ASA-FW(config)# sh service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 0, drop 0, reset-drop 0

Interface OUT:
  Service-policy: OUTSIDE_MPF
    Class-map: CM_FTP
      Inspect: ftp strict PM_FTP, packet 0, drop 0, reset-drop 0
        match request-command appe put dele rmd
          reset, packet 0

Task 2
The FTP server located in DMZ at 10.104.1.20 is managed from the inside network. Configure ASA so that it denies and logs all users except user "admin" from accessing the directory "/secret" on all FTP servers located behind the DMZ and OUT interfaces.

ASA-FW(config)# regex FTP_USER "admin" ASA-FW(config)# regex FTP_DIR "\/secret" We need to use backslash sign before the “slash” because “slash” is a special character in the regex world. So. This cannot be done using L7 policy map.CCIE SECURITY v4 Lab Workbook  Here we need to block some users from accessing a directory on FTP servers. As we’re required to perform that inspection on every FTP connection originated from the inside network. first we need to create L7 class map matching two regexs (match-all perfectly suits here) and then nest this class map under the L7 policy map (remember that we can’t use L7 class map under L3/L4 policy map). Note that we need to disallow all usernames but “admin” username from accessing “/secret” folder. This can be done using regular expressions matching those two values (username and directory name) and resetting packets containing those values. as policy maps don’t have match-all/match-any keywords available. the easiest way to do that is to use NOT in the match statement. ASA-FW(config)# class-map type inspect ftp match-all CM_FTP_ACCESS ASA-FW(config-cmap)# match not username regex FTP_USER ASA-FW(config-cmap)# match filename regex FTP_DIR Class map has match-all/match-any keywords available so that we can use more “match” statements to build more complex policies. we need to tell the regex engine to treat the “slash” like a normal character. we can simply match port 21 (using ACL is not necessary here) and apply L3/L4 policy map on the inside interface. so that. Configuration Complete these steps: Step 1 ASA configuration. Also note that we must use L7 class map here to match both conditions at once. ASA-FW(config-cmap)# policy-map type inspect ftp PM_FTP_ACCESS ASA-FW(config-pmap)# class CM_FTP_ACCESS ASA-FW(config-pmap-c)# reset log ASA-FW(config-pmap-c)# class-map CM_FTP_TRAFFIC ASA-FW(config-cmap)# match port tcp eq ftp Page 142 of 1033 . Thus.

value_high: 21(0x15) mask_match: NONE. action: reset Filter id: 2. Better than enabling this globally. value_type: VALUE_GENERIC value: 2625(0xa41). value_type: VALUE_REGEX Page 143 of 1033 . packet 0. mask_value: 0x0. subid/is_regex: 0x0/0. packet 0. negate: 0 Filter id: 4. negate: 0 Interface IN: Service-policy: INSIDE_MPF Class-map: CM_FTP_TRAFFIC Inspect: ftp strict PM_FTP_ACCESS. subid/is_regex: 0x0/0. drop 0. reset-drop 0 Class-map: CM_FTP_ACCESS Number of filters 2. this solution does not work for non-standard FTP ports. the best option is to enable inspection on IN interface. drop 0. ASA-FW(config-pmap-c)# service-policy INSIDE_MPF interface IN Since our FTP server is located in the DMZ network and is managed from the inside network only. subid/is_regex: 0x0/0. packet 0. value_high: 0(0x0) mask_match: ANY. value_type: VALUE_REGEX value: 21(0x15)/FTP_DIR.CCIE SECURITY v4 Lab Workbook Since we need to inspect FTP traffic the easiest way to do that is to match FTP port. drop 0. reset-drop 0 INFO: There is no rule in the table. mask_value: 0x0. Verification ASA-FW(config)# sh service-policy inspect ftp table Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: ftp. Be careful! ASA-FW(config-cmap)# policy-map INSIDE_MPF ASA-FW(config-pmap)# class CM_FTP_TRAFFIC ASA-FW(config-pmap-c)# inspect ftp strict PM_FTP_ACCESS The “strict” keyword enables enhanced inspection of FTP traffic and forces compliance with RFC standards. However. reset-drop 0 Match request-command appe put dele rmd Number of filters 1. action: reset log Filter id: 0. Interface OUT: Service-policy: OUTSIDE_MPF Class-map: CM_FTP Inspect: ftp strict PM_FTP.

value_high: 20(0x14) mask_match: NONE. reset-drop 0 Page 144 of 1033 . mask_value: 0x0. You can alter existing configuration to accomplish this task. This can be done by configuring “parameters” part under the L7 policy map (remember that this is protocol specific so it must be done using L7 maps) where we just add some checks to be done while inspecting traffic. drop 0. ASA-FW(config)# policy-map type inspect ftp PM_FTP ASA-FW(config-pmap)# parameters ASA-FW(config-pmap-p)# mask-banner ASA-FW(config-pmap-p)# mask-syst-reply ASA-FW(config-pmap-p)# exit ASA-FW(config-pmap)# exit Verification ASA-FW(config)# sh service-policy inspect ftp Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: ftp.  To protect our FTP server located in DMZ we can mask some information that is usually disclosed while user connects to the server.CCIE SECURITY v4 Lab Workbook value: 20(0x14)/FTP_USER. That information could be used for a reconnesaince part of an attack. negate: 1 Task 3 The FTP server in DMZ should NOT disclose any information about software version or system greeting to the users behind OUT interface. packet 0. Configuration Complete these steps: Step 1 ASA configuration. Since we have some configuration done already (Task 1) we can simply add more lines to existing config.

reset-drop 0 class CM_FTP_ACCESS reset log. packet 0.CCIE SECURITY v4 Lab Workbook Interface OUT: Service-policy: OUTSIDE_MPF Class-map: CM_FTP Inspect: ftp strict PM_FTP. drop 0. reset-drop 0 mask-banner enabled mask-syst-reply enabled match request-command appe put dele rmd reset. packet 0 Page 145 of 1033 . packet 0. packet 0 Interface IN: Service-policy: INSIDE_MPF Class-map: CM_FTP_TRAFFIC Inspect: ftp strict PM_FTP_ACCESS. drop 0.
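The following Python script is an added example, not code from the workbook or from the ASA, that models what the three FTP policies above decide when fed a control-channel transcript: Task 1's request-command reset, Task 2's match-all class (directory regex AND NOT the "admin" username regex) with its syslog entry, and Task 3's banner/SYST masking. The regexes FTP_USER and FTP_DIR are the workbook's; the set of verbs treated as carrying a filename, the masking character and the fact that both interface policies are evaluated on one session are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the FTP policy from Tasks 1-3 (an added example, not
# workbook or ASA code). Object names mirror the workbook's for readability.

# Task 1: "match request-command DELE APPE PUT RMD" -> reset (PM_FTP, OUT)
BLOCKED_COMMANDS = {"DELE", "APPE", "PUT", "RMD"}

# Task 2: regex FTP_USER "admin" and regex FTP_DIR "\/secret", combined by
# CM_FTP_ACCESS (match-all, username term negated). Both are unanchored,
# exactly as written on the ASA.
FTP_USER = re.compile(r"admin")
FTP_DIR = re.compile(r"\/secret")

# Assumption: these verbs carry the path that "match filename" inspects.
FILENAME_COMMANDS = {"CWD", "RETR", "STOR", "APPE", "DELE", "RMD", "MKD",
                     "LIST", "NLST"}

# Task 3: mask-banner / mask-syst-reply hide the 220 greeting and the 215
# SYST reply. The replacement character is a constructed choice.
MASKED_REPLY_CODES = {"220", "215"}


@dataclass
class FtpSession:
    """State the inspector keeps per control connection."""
    username: str = ""
    syslog: list = field(default_factory=list)


def inspect_client_line(session: FtpSession, line: str) -> str:
    """Apply the L7 policy to one client command; return 'permit' or 'reset'."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        session.username = arg
    # PM_FTP: reset on the listed request commands regardless of user.
    if verb in BLOCKED_COMMANDS:
        return "reset"
    # PM_FTP_ACCESS: CM_FTP_ACCESS is match-all, so the command must name
    # the directory AND the logged-in user must NOT match "admin".
    if (verb in FILENAME_COMMANDS and FTP_DIR.search(arg)
            and not FTP_USER.search(session.username)):
        session.syslog.append(
            f"FTP reset log: user={session.username!r} path={arg!r}")
        return "reset"
    return "permit"


def mask_server_reply(line: str) -> str:
    """Rewrite greeting/SYST replies so version strings never reach the client."""
    code, sep, text = line.rstrip("\r\n").partition(" ")
    if code in MASKED_REPLY_CODES and sep:
        return f"{code} {'*' * len(text)}"
    return line.rstrip("\r\n")


def run_session(commands):
    """Feed a constructed client transcript through the policy; return the
    per-command verdicts and the syslog lines it produced."""
    session = FtpSession()
    verdicts = [inspect_client_line(session, cmd) for cmd in commands]
    return verdicts, session.syslog


if __name__ == "__main__":
    # Constructed transcript of a non-admin inside user touching /secret.
    sample = ["USER bob", "PASS x", "CWD /secret", "RETR /pub/readme.txt",
              "DELE readme.txt"]
    print(run_session(sample))
    print(mask_server_reply("220 ExampleFTPd 9.9 ready"))
```

One detail worth noticing when testing this: the regex "admin" is unanchored, so a username such as "sysadmin" also satisfies FTP_USER and is therefore exempted from the /secret restriction. The ASA regex syntax supports ^ and $ anchors, so "^admin$" would restrict the exemption to the exact account name.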

Lab 1.15. HTTP Advanced Inspection

Lab Setup
- R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
- R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
- R4’s F0/0 and ASA1’s E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password “cisco”
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.1.101.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.1.102.2/24
R4       Lo0         4.4.4.4/24
         F0/0        10.1.104.4/24
ASA1     E0/0        10.1.102.10/24
         E0/1        10.1.101.10/24
         E0/2.104    10.1.104.10/24

Note that the topology is the same so that you can quickly revert to the initial config on the ASA by using the command clear configure all and then pasting the initial config.

Task 1

You have discovered a new version of peer-to-peer software used in your network. After sniffing the traffic you have caught a few HTTP packets with User-Agent = “P2P-new-app” in the header. Configure ASA to block that peer-to-peer application and log that activity.

This task requires configuration of deep packet inspection for HTTP. All we need is to recognize some peer-to-peer software which uses HTTP as a transport by matching against the User-Agent HTTP header field. This can be done using a regular expression and an L7 policy map. As we want to perform the inspection for HTTP traffic coming from every direction, we can use the global policy in that case (remember that the global policy uses the inspection_default class map which matches HTTP by default).

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# regex P2P "P2P-new-app"
ASA-FW(config)# policy-map type inspect http PM_HTTP_P2P
ASA-FW(config-pmap)# match request header user-agent regex P2P
ASA-FW(config-pmap-c)# drop-connection log
ASA-FW(config-pmap-c)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect http PM_HTTP_P2P
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification

ASA-FW(config)# sh service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        match request header user-agent regex P2P
          drop-connection log, packet 0

Task 2

Configure ASA so that it disallows Internet surfing for websites http://www.yahoo.com and http://mail.google.com using MPF. This policy should be enforced on the inside interface.

Using MPF it is possible to filter out packets containing a specific field’s value in the HTTP header. In this case we’re requested to look for specific URLs to block users’ access to some websites. This can be easily done using regular expressions, as some header fields may contain additional control characters and it’s sometimes hard to match an exact value. Following is an example of an HTTP packet capture which depicts most of the header fields and their possible values.

As you can see, the URL is carried by the header field named “Host”, so we should match that field in our L7 class map (or L7 policy map if we have only one condition to match). Two regex statements must be matched by an L7 type “regex” class map (remember that you need to use “match-any” as those two URLs will never be seen in one packet). Then this class map must be used in another L7 type “inspect” class map in order to match by the specific header field. Next, an L7 policy map is used to perform an action on our matched traffic (HTTP traffic containing the specific URLs in the Host field). The last thing is to enable deep packet inspection for HTTP traffic using an L3/L4 policy map. The L3/L4 class map used in this task can be either “inspection_default”, which is pre-configured and we know it matches HTTP using port 80, or a newly configured L3/L4 class map (matching port 80 for example). As this task does not specify that this must be done ONLY for HTTP traffic we can use both solutions. The L3/L4 policy map must be assigned to the inside interface, as the HTTP header field (Host) is sent in the very first HTTP packet from the client to the server and we want to match and reset that session as near to the source as possible.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# regex URL_YAHOO "www\.yahoo\.com"
ASA-FW(config)# regex URL_GMAIL "mail\.google\.com"

Note that a backslash must be used to treat the dot “.” as a string, not as a regular expression control sign.

ASA-FW(config)# class-map type regex match-any CM_URL_REGEX
ASA-FW(config-cmap)# match regex URL_YAHOO
ASA-FW(config-cmap)# match regex URL_GMAIL

We must use class-map type regex here as there are two regexes to match.

ASA-FW(config-cmap)# class-map type inspect http CM_HTTP_URLS
ASA-FW(config-cmap)# match request header host regex class CM_URL_REGEX
ASA-FW(config-cmap)# policy-map type inspect http PM_BLOCK_URLS
ASA-FW(config-pmap)# class CM_HTTP_URLS
ASA-FW(config-pmap-c)# reset log
ASA-FW(config-pmap-c)# policy-map INSIDE_MPF
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect http PM_BLOCK_URLS
ASA-FW(config-pmap-c)# service-policy INSIDE_MPF interface IN

Verification

ASA-FW(config)# sh service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        match request header user-agent regex P2P
          drop-connection log, packet 0
Interface IN:
  Service-policy: INSIDE_MPF
    Class-map: inspection_default
      Inspect: http PM_BLOCK_URLS, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        class CM_HTTP_URLS
          reset log, packet 0

Task 3

There is a Web Server configured on R4 (10.1.104.4). You need to protect this server from the outside networks by the following policy:
- replace the server name in the server banner with “MySecureServer”
- prohibit any HTTP request that does not contain a GET or POST request method and generate a SYSLOG message when such a request is detected
- silently drop all connections which violate the HTTP protocol specification

Each deep protocol inspection has its own set of additional parameters which can be checked. Those parameters can differ depending on the ASA software version, as some additional checks can be added in the future. For HTTP we are requested to mask our server’s banner and enforce protocol compliance with the HTTP standard. This can be done using an L7 policy map with the “parameters” subsection. In addition we’re requested to allow only GET and POST HTTP methods to be destined to our web server. As there can be more HTTP methods available in the protocol specification (and we do not need to know every method available) it is wise to use NOT in the match statement to filter out the remaining methods. Finally, there is a need for an access list matching traffic destined to the server, as we need to protect the web server which is specified in the task. The policy must be enforced on the outside interface.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# class-map type inspect http match-all CM_METHODS
ASA-FW(config-cmap)# match not request method get
ASA-FW(config-cmap)# match not request method post

This will match all HTTP methods but GET and POST.

ASA-FW(config-cmap)# policy-map type inspect http SERVER_PROTECTION
ASA-FW(config-pmap)# parameters
ASA-FW(config-pmap-p)# spoof-server "MySecureServer"
ASA-FW(config-pmap-p)# protocol-violation action drop-connection
ASA-FW(config-pmap-p)# class CM_METHODS
ASA-FW(config-pmap-c)# reset log

A web server usually introduces itself to every client by attaching some information in the HTTP header. This can be a risk as a malicious user may get information about the software version of the server and search for bugs and security holes for that version. Hence, the best option is to mislead the attacker by spoofing the server’s banner and pretending this server software is from another vendor.

ASA-FW(config-pmap-c)# access-list TO_WEB_SERVER permit tcp any host 10.1.104.4 eq http
ASA-FW(config)# class-map CM_WEB_SERVER
ASA-FW(config-cmap)# match access-list TO_WEB_SERVER
ASA-FW(config-cmap)# policy-map OUTSIDE_MPF
ASA-FW(config-pmap)# class CM_WEB_SERVER
ASA-FW(config-pmap-c)# inspect http SERVER_PROTECTION
ASA-FW(config-pmap-c)# service-policy OUTSIDE_MPF interface OUT

Verification

ASA-FW(config)# sh service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        match request header user-agent regex P2P
          drop-connection log, packet 0
Interface IN:
  Service-policy: INSIDE_MPF
    Class-map: inspection_default
      Inspect: http PM_BLOCK_URLS, packet 12, drop 2, reset-drop 2
        protocol violations packet 0
        class CM_HTTP_URLS
          reset log, packet 0
Interface OUT:
  Service-policy: OUTSIDE_MPF
    Class-map: CM_WEB_SERVER
      Inspect: http SERVER_PROTECTION, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        server spoofs, packet 0
        class CM_METHODS
          reset log, packet 0

Task 4

There is a Web proxy server located in DMZ at 10.1.104.20. All internal users use this server to surf the Internet. Configure ASA so that it disallows other protocols tunneling through HTTP by configuring a strict size and number of headers allowed. Any HTTP request message containing a host field longer than 6 bytes, or in which the host field appears more than 3 times in the packet, must be dropped.

HTTP tunneling is often used to provide connectivity for applications which have restricted access or lack native support for communication. A tunneled application adds additional header information inside the HTTP packet which is processed somehow on the far end. We can block such applications using a simple MPF configuration, looking at the number of headers inside HTTP and the length of the Host field, which is usually longer than it is in “pure” HTTP traffic. We must be careful here as the task asks us to check traffic sourced from the Proxy server located in DMZ, so the inspection policy must be applied on the DMZ interface.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# class-map type inspect http CM_HTTP_HEADER_LENGTH
ASA-FW(config-cmap)# match request header host length gt 6
ASA-FW(config-cmap)# class-map type inspect http CM_HTTP_HEADERS
ASA-FW(config-cmap)# match request header host count gt 3
ASA-FW(config-cmap)# policy-map type inspect http PM_HTTP_CHECK
ASA-FW(config-pmap)# class CM_HTTP_HEADER_LENGTH
ASA-FW(config-pmap-c)# reset
ASA-FW(config-pmap-c)# class CM_HTTP_HEADERS
ASA-FW(config-pmap-c)# reset
ASA-FW(config-pmap-c)# access-list PROXY permit tcp host 10.1.104.20 any eq 80
ASA-FW(config)# class-map CM_PROXY
ASA-FW(config-cmap)# match access-list PROXY
ASA-FW(config-cmap)# policy-map DMZ_MPF
ASA-FW(config-pmap)# class CM_PROXY
ASA-FW(config-pmap-c)# inspect http PM_HTTP_CHECK
ASA-FW(config-pmap-c)# service-policy DMZ_MPF interface DMZ

Verification

ASA-FW(config)# sh service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        match request header user-agent regex P2P
          drop-connection log, packet 0
Interface IN:
  Service-policy: INSIDE_MPF
    Class-map: inspection_default
      Inspect: http PM_BLOCK_URLS, packet 12, drop 2, reset-drop 2
        protocol violations packet 0
        class CM_HTTP_URLS
          reset log, packet 0
Interface OUT:
  Service-policy: OUTSIDE_MPF
    Class-map: CM_WEB_SERVER
      Inspect: http SERVER_PROTECTION, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        server spoofs, packet 0
        class CM_METHODS
          reset log, packet 0
Interface DMZ:
  Service-policy: DMZ_MPF
    Class-map: CM_PROXY
      Inspect: http PM_HTTP_CHECK, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        class CM_HTTP_HEADER_LENGTH
          reset, packet 0
        class CM_HTTP_HEADERS
          reset, packet 0
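The following Python script is an added example, not workbook or ASA code, that runs constructed HTTP requests through a model of the four HTTP policies of this lab, selected by the interface the request arrives on: the global User-Agent regex (Task 1), the match-any Host regex class on IN (Task 2), the match-all negated method class, server-banner spoofing and protocol-violation handling on OUT (Task 3), and the Host length/count limits on DMZ (Task 4). The regexes, method set, banner string and thresholds are the workbook's; the request parser, the notion that a policy without a configured protocol-violation action only counts the event, and the sample requests are constructed assumptions.

```python
import re

# Constructed model of the HTTP L7 policies from Tasks 1-4 (an added example,
# not workbook or ASA code). Regexes and thresholds are the workbook's; the
# interface names mirror where each service-policy was attached.
P2P = re.compile(r"P2P-new-app")                       # Task 1, global_policy
CM_URL_REGEX = [re.compile(r"www\.yahoo\.com"),        # Task 2, match-any class
                re.compile(r"mail\.google\.com")]
ALLOWED_METHODS = {"GET", "POST"}                      # Task 3, CM_METHODS
SPOOFED_SERVER = "MySecureServer"                      # Task 3, spoof-server
HOST_MAX_LEN, HOST_MAX_COUNT = 6, 3                    # Task 4, PM_HTTP_CHECK


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, [(name, value)]).
    Returns None on a protocol violation (malformed request line or header)."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or " " in name:
            return None
        headers.append((name.lower(), value.strip()))
    return parts[0], parts[1], headers


def header_values(headers, name):
    """All values of a (possibly repeated) header, in order of appearance."""
    return [v for n, v in headers if n == name]


def inspect_request(raw: bytes, interface: str):
    """Return (action, reason) for a request arriving on the given interface."""
    req = parse_request(raw)
    if req is None:
        # Only SERVER_PROTECTION (OUT) sets protocol-violation action
        # drop-connection; assumption: the other policies just count it.
        if interface == "OUT":
            return "drop-connection", "protocol violation"
        return "permit", "protocol violation (counted only)"
    method, _, headers = req
    # global_policy / PM_HTTP_P2P is evaluated on every interface.
    if any(P2P.search(ua) for ua in header_values(headers, "user-agent")):
        return "drop-connection log", "user-agent matches regex P2P"
    hosts = header_values(headers, "host")
    if interface == "IN":      # INSIDE_MPF / PM_BLOCK_URLS
        if any(r.search(h) for r in CM_URL_REGEX for h in hosts):
            return "reset log", "host matches CM_URL_REGEX"
    elif interface == "OUT":   # OUTSIDE_MPF / SERVER_PROTECTION
        if method not in ALLOWED_METHODS:   # match-all of two negated matches
            return "reset log", f"method {method} is not GET or POST"
    elif interface == "DMZ":   # DMZ_MPF / PM_HTTP_CHECK
        if any(len(h) > HOST_MAX_LEN for h in hosts):
            return "reset", "request header host length gt 6"
        if len(hosts) > HOST_MAX_COUNT:
            return "reset", "request header host count gt 3"
    return "permit", ""


def spoof_server_header(response_head: str) -> str:
    """Replace the Server header value in a response head, as spoof-server does."""
    return re.sub(r"(?im)^server:[^\r\n]*", f"Server: {SPOOFED_SERVER}",
                  response_head)


if __name__ == "__main__":
    # Constructed sample requests.
    p2p = b"GET / HTTP/1.1\r\nHost: peer.test\r\nUser-Agent: P2P-new-app/1.0\r\n\r\n"
    tunnel = b"GET / HTTP/1.1\r\n" + b"Host: ab\r\n" * 4 + b"\r\n"
    print(inspect_request(p2p, "IN"), inspect_request(tunnel, "DMZ"))
    print(spoof_server_header("HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\n"))
```

Running the script shows why Task 4's limits have to be scoped to the proxy's traffic with an ACL: a Host value of "proxy.example" already exceeds 6 bytes, so the same policy on the inside interface would reset ordinary browsing.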

Lab 1.16. Instant Messaging Advanced Inspection

Lab Setup
- R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
- R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
- R4’s F0/0 and ASA1’s E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password “cisco”
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.1.101.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.1.102.2/24
R4       Lo0         4.4.4.4/24
         F0/0        10.1.104.4/24
ASA1     E0/0        10.1.102.10/24
         E0/1        10.1.101.10/24
         E0/2.104    10.1.104.10/24

Note that the topology is the same so that you can quickly revert to the initial config on the ASA by using the command clear configure all and then pasting the initial config.

Task 1

You have discovered that users in your inside network are using Yahoo and/or MSN instant messenger software. Configure ASA to block the following services offered by those applications:
- Conference
- Games
- File transfer
- Webcam
In addition to that, totally block usage of both applications for host 10.1.101.123.

ASA allows us to configure policy settings for Instant Messaging software, namely Microsoft’s MSN and Yahoo IM. Each of these applications has a number of services, for example Chat, Conference, Games, File transfer, Webcam, etc. Some of those services could be dangerous for our users as they may be used by a skilled attacker to upload and run malicious software on a user’s computer. We are requested here to block some of those services for our internal users. In addition to that, one user’s IP address must NOT be able to use messaging applications at all. As you can see, we have two things to do which require slightly different policies. Thus, we need two L7 class maps. One is to match IM protocols (MSN and Yahoo) and their services (Conference, Games, File transfer and Webcam). The second is to match IM protocols and the user’s IP address. Both L7 class maps can then be used in one L7 policy map to take an action. We can use the global policy to enforce our IM inspection.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# class-map type inspect im match-all CM_IM_SERVICES
ASA-FW(config-cmap)# match protocol yahoo-im msn-im
ASA-FW(config-cmap)# match service conference games file-transfer webcam
ASA-FW(config-cmap)# class-map type inspect im match-all CM_IM_HOST
ASA-FW(config-cmap)# match protocol yahoo-im msn-im
ASA-FW(config-cmap)# match ip-address 10.1.101.123 255.255.255.255
ASA-FW(config-cmap)# policy-map type inspect im PM_IM
ASA-FW(config-pmap)# class CM_IM_SERVICES
ASA-FW(config-pmap-c)# reset
ASA-FW(config-pmap-c)# class CM_IM_HOST
ASA-FW(config-pmap-c)# drop-connection
ASA-FW(config-pmap-c)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect im PM_IM
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification

ASA-FW(config)# sh service-policy inspect im
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: im PM_IM, packet 0, drop 0, reset-drop 0
        class CM_IM_SERVICES
          reset, packet 0
        class CM_IM_HOST
          drop-connection, packet 0

Lab 1.17. ESMTP Advanced Inspection

Lab Setup
- R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
- R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
- R4’s F0/0 and ASA1’s E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password “cisco”
- Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.1.101.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.1.102.2/24
R4       Lo0         4.4.4.4/24
         F0/0        10.1.104.4/24
ASA1     E0/0        10.1.102.10/24
         E0/1        10.1.101.10/24
         E0/2.104    10.1.104.10/24

Note that the topology is the same so that you can quickly revert to the initial config on the ASA by using the command clear configure all and then pasting the initial config.

Task 1

There is a plan to deploy a number of SMTP servers in the DMZ. You are requested to pro-actively configure the following policy to protect the servers against potential attackers (from all directions):
- drop all ESMTP messages longer than 48000 characters and generate a log when such an incident happens
- limit all EHLO commands to 10 per second
- drop all messages with more than 10 recipients per transaction
- do not allow an ESMTP command line to be longer than 600 bytes

Simple Mail Transport Protocol inspection is complex and can use a lot of parameters. It is possible to control commands which are sent through SMTP and limit their number to ensure some commands can’t overwhelm our mail server, causing a DoS attack. Thanks to that, we can create more flexible policies controlling SMTP traffic before it hits the mail server. In this task we do not need an L7 class map as all requested checks can be configured directly under the L7 policy map. As we are requested to apply the inspection policy on the global level, we first need to disable the default SMTP inspection to be able to assign our custom L7 policy map.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# policy-map type inspect esmtp PM_SMTP
ASA-FW(config-pmap)# match body length gt 48000
ASA-FW(config-pmap-c)# drop-connection log
ASA-FW(config-pmap-c)# match cmd verb EHLO
ASA-FW(config-pmap-c)# rate-limit 10
ASA-FW(config-pmap-c)# match cmd RCPT count gt 10
ASA-FW(config-pmap-c)# drop-connection
ASA-FW(config-pmap-c)# match cmd line length gt 600
ASA-FW(config-pmap-c)# drop-connection
ASA-FW(config-pmap-c)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect esmtp PM_SMTP
ERROR: Inspect configuration of this type exists, first remove that configuration and then add the new configuration

There is a default ESMTP inspection enabled which uses the “_default_esmtp_map” policy map with a bunch of checks preconfigured. We need to disable it first before configuring our new policy.

ASA-FW(config-pmap-c)# no inspect esmtp
ASA-FW(config-pmap-c)# inspect esmtp PM_SMTP
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification

Here is the default ESMTP inspection L7 policy map. As you can see, there are lots of default parameters configured to protect mail servers. Those default settings can sometimes cause problems and need to be considered when deploying ASA in a new environment where mail servers are located.

ASA-FW(config)# sh run all policy-map type inspect esmtp _default_esmtp_map
!
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
!
ASA-FW(config)# sh service-policy inspect esmtp
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp PM_SMTP, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match body length gt 48000
          drop-connection log, packet 0
        match cmd verb EHLO
          rate-limit 10, packet 0
        match cmd RCPT count gt 10
          drop-connection, packet 0
        match cmd line length gt 600
          drop-connection, packet 0

Task 2

Recently, you have been asked by the mail server administrator to help him block senders and domains of malicious mails. You need to block emails coming from the following domains:
- @gmail.com
- @yahoo.com
- the specific user with e-mail address jdoe@hotmail.com
You can alter the existing configuration to accomplish this task.

In this task we need to match SMTP packets containing some string values. When it comes to strings, the best option to use is regular expressions. We can easily match those strings using an L7 class map (remember to use the “match-any” keyword as those strings may not appear in SMTP packets together). Then we can match the sender address using the L7 policy map configured in the previous task.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# regex GMAIL "@gmail\.com"
ASA-FW(config)# regex YAHOO "@yahoo\.com"
ASA-FW(config)# regex HOTMAIL "jdoe@hotmail\.com"
ASA-FW(config)# class-map type regex match-any CM_BLOCK_EMAIL
ASA-FW(config-cmap)# match regex GMAIL
ASA-FW(config-cmap)# match regex YAHOO
ASA-FW(config-cmap)# match regex HOTMAIL

There must be a class map of type regex as there are three regexes to match.

ASA-FW(config-cmap)# policy-map type inspect esmtp PM_SMTP
ASA-FW(config-pmap)# match sender-address regex class CM_BLOCK_EMAIL
ASA-FW(config-pmap-c)# drop-connection
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification

ASA-FW(config)# sh service-policy inspect esmtp
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp PM_SMTP, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match body length gt 48000
          drop-connection log, packet 0
        match cmd verb EHLO
          rate-limit 10, packet 0
        match cmd RCPT count gt 10
          drop-connection, packet 0
        match cmd line length gt 600
          drop-connection, packet 0
        match sender-address regex class CM_BLOCK_EMAIL
          drop-connection, packet 0
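The following Python script is an added example, not workbook or ASA code, that models the PM_SMTP checks from Tasks 1 and 2 as a per-connection inspector: the EHLO rate limit as a one-second sliding window, the RCPT count per MAIL transaction, the command-line length limit, the body-length check with its syslog entry, and the match-any sender-address regex class. The thresholds and regexes are the workbook's; the MAIL FROM parsing, the explicit timestamps passed in for determinism, and the "rate-limit" verdict label (the point at which the ASA applies its rate-limit action) are constructed assumptions.

```python
import re
from collections import deque

# Constructed model of PM_SMTP from Tasks 1-2 (an added example, not workbook
# or ASA code). Thresholds and regexes are the workbook's.
MAX_BODY_LENGTH = 48000        # match body length gt 48000 -> drop-connection log
EHLO_RATE_PER_SEC = 10         # match cmd verb EHLO -> rate-limit 10
MAX_RCPT_PER_TXN = 10          # match cmd RCPT count gt 10 -> drop-connection
MAX_CMD_LINE_LEN = 600         # match cmd line length gt 600 -> drop-connection
CM_BLOCK_EMAIL = [re.compile(r"@gmail\.com"),            # match-any regex class
                  re.compile(r"@yahoo\.com"),
                  re.compile(r"jdoe@hotmail\.com")]
# Assumption: sender address is taken from the MAIL FROM reverse-path.
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?([^>\s]*)>?", re.I)


class EsmtpInspector:
    """Per-connection state for the command checks in PM_SMTP."""

    def __init__(self):
        self.ehlo_times = deque()   # EHLO timestamps inside the last second
        self.rcpt_count = 0         # recipients in the current transaction
        self.syslog = []

    def inspect_command(self, line: str, now: float) -> str:
        """Return the verdict for one command line: 'permit', 'drop-connection'
        or 'rate-limit' (an EHLO beyond 10 in the current one-second window)."""
        line = line.rstrip("\r\n")
        if len(line) > MAX_CMD_LINE_LEN:
            return "drop-connection"
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            # Sliding window: forget EHLOs older than one second.
            while self.ehlo_times and now - self.ehlo_times[0] >= 1.0:
                self.ehlo_times.popleft()
            self.ehlo_times.append(now)
            if len(self.ehlo_times) > EHLO_RATE_PER_SEC:
                return "rate-limit"
        elif verb == "MAIL":
            self.rcpt_count = 0     # MAIL FROM starts a new transaction
            match = MAIL_FROM.match(line)
            sender = match.group(1) if match else ""
            if any(r.search(sender) for r in CM_BLOCK_EMAIL):
                return "drop-connection"
        elif verb == "RCPT":
            self.rcpt_count += 1
            if self.rcpt_count > MAX_RCPT_PER_TXN:
                return "drop-connection"
        elif verb == "RSET":
            self.rcpt_count = 0
        return "permit"

    def inspect_body(self, body: bytes) -> str:
        """Body-length check; the workbook logs as well as drops here."""
        if len(body) > MAX_BODY_LENGTH:
            self.syslog.append(
                f"ESMTP body length {len(body)} exceeds {MAX_BODY_LENGTH}")
            return "drop-connection log"
        return "permit"


if __name__ == "__main__":
    # Constructed session: a blocked sender, then a recipient flood.
    insp = EsmtpInspector()
    print(insp.inspect_command("MAIL FROM:<someone@yahoo.com>", 0.0))
    insp.inspect_command("MAIL FROM:<someone@example.test>", 0.1)
    print([insp.inspect_command(f"RCPT TO:<u{i}@example.test>", 0.2)
           for i in range(12)][-2:])
```

Because the window is per connection, a sender that opens many connections each issuing a few EHLOs is not slowed by this rule; the RCPT and body-length limits, which act on the message itself, are the ones that still apply in that case.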

1.1.4/24 R2 R4 Page 164 of 1033 .1.101.2/24 G0/0 10.4.1/24 Lo0 2.1. DNS Advanced Inspection Lab Setup  R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101  R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102  R4’s F0/0 and ASA1’s E0/2 interface should be configured in VLAN 104  Configure Telnet on all routers using password “cisco”  Configure RIPv2 on all devices and advertise their all directly connected networks IP Addressing Device Interface IP address R1 Lo0 1.1/24 F0/0 10.102.2.CCIE SECURITY v4 Lab Workbook Lab 1.2.4.18.2/24 Lo0 4.

Configure ASA so that it allows only this domain to be queried and mask RD bit in the DNS header to prevent the server from sending recursive queries on behalf of a requester. Another useful security control is to ensure that DNS query contains only domain name belonging to us. ASA-FW(config)# regex DOMAIN "micronicstraining\. Task 1 A new DNS server for domain micronicstraining.104. Configuration Complete these steps: Step 1 ASA configuration.1.104 10. If other domain name is requested the DNS server might use recursive lookup for this domain and waste resources.4/24 E0/0 10.CCIE SECURITY v4 Lab Workbook ASA1 F0/0 10.10/24 E0/1 10.1. NOT drop those packets. these attacks can be minimized by dropping DNS messages with the RD flag present in the DNS header. Utilizing the DNS application inspection flag filtering feature. The DNS messages sent to open resolvers set the recursion desired (RD) flag in the DNS header.102.  DNS cache poisoning attacks use DNS open resolvers when attempting to corrupt the DNS cache of vulnerable systems.1. This can be done using “mask” keyword as an action in L7 policy map.101. The inspection policy should be applied on the outside interface as most queries come from the outside networks. Note that we are asked to mask RD bit inside the DNS query.10/24 E0/2.com has been deployed in DMZ.com" ASA-FW(config)# policy-map type inspect dns PM_DNS ASA-FW(config-pmap)# match not domain-name regex DOMAIN Page 165 of 1033 .1.104.10/24 Note that the topology is the same so that you can quickly revert to initial config on the ASA by using the command clear configure all and then paste the initial config.

ASA-FW(config-pmap-c)# drop
ASA-FW(config-pmap-c)# match header-flag RD
ASA-FW(config-pmap-c)# mask
ASA-FW(config-pmap-c)# class-map CM_DNS_SERVER
ASA-FW(config-cmap)# match port udp eq 53
ASA-FW(config-cmap)# policy-map OUTSIDE_MPF
ASA-FW(config-pmap)# class CM_DNS_SERVER
ASA-FW(config-pmap-c)# inspect dns PM_DNS
ASA-FW(config-pmap-c)# service-policy OUTSIDE_MPF interface OUT

Verification

ASA-FW(config)# sh service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 0
        protocol-enforcement, drop 0
        nat-rewrite, count 0

Interface OUT:
  Service-policy: OUTSIDE_MPF
    Class-map: CM_DNS_SERVER
      Inspect: dns PM_DNS, packet 0, drop 0, reset-drop 0
        match not domain-name regex DOMAIN
          drop, packet 0
        match header-flag RD
          mask, packet 0
        dns-guard, count 0
        protocol-enforcement, drop 0
        nat-rewrite, count 0

The interface policy takes precedence over the global policy for DNS traffic that matches CM_DNS_SERVER on OUT; preset_dns_map in global_policy still inspects DNS on every other interface. The PM_DNS counters stay at zero until a DNS message matching the class actually crosses OUT.

Task 2

There is a new Web Server hosting the www.micronicstraining.com website deployed in the inside network at 10.101.1.25. This server needs to be visible to the outside world as 10.102.1.25. Configure the ASA so that it performs dynamic NAT translation for all inside hosts to the pool 10.102.1.100-10.102.1.200. Client workstations located in the inside network must access the Web Server using its FQDN, which has a DNS A record pointing to 10.102.1.25 in the external DNS server located in the ISP network. Ensure that client workstations get the private IP address of the Web Server when connecting to www.micronicstraining.com.

 The problem here is that internal clients will get the public IP address of the Web Server from the external DNS server. This is an issue because the Web Server's address is translated on the ASA: a connection from an inside client to the mapped address 10.102.1.25 arrives on the IN interface, and a static configured between IN and OUT only un-translates traffic arriving on OUT, so the client never reaches the server. Fortunately, there is an additional "dns" keyword in the static command which rewrites the A (address) record in DNS replies that match this static. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value. Also note that DNS inspection must be enabled to support this functionality (it is enabled by default in the global policy); the rewrite only happens for DNS replies that actually transit the ASA and are seen by the inspection engine.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# nat (IN) 1 0 0 dns
ASA-FW(config)# global (OUT) 1 10.102.1.100-10.102.1.200 netmask 255.255.255.0
ASA-FW(config)# static (IN,OUT) 10.102.1.25 10.101.1.25 dns
ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.102.1.25 eq 80
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Note that the access list on OUT permits only TCP/80 to the mapped address of the Web Server, so the static does not expose any other service on 10.101.1.25 to the outside.

Verification

ASA-FW(config)# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from IN:10.101.1.25 to OUT:10.102.1.25 flags sD

The "D" flag confirms that DNS rewriting is attached to this static translation.

ASA-FW(config)# sh nat IN OUT
  match ip IN host 10.101.1.25 OUT any
    static translation to 10.102.1.25
    translate_hits = 0, untranslate_hits = 0
  match ip IN any OUT any
    dynamic translation to pool 1 (10.102.1.100 - 10.102.1.200)
    translate_hits = 0, untranslate_hits = 0
Page 166 of 1033
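The following is an added example, not code from the workbook or from Cisco: a Python model of the A-record rewrite ("DNS doctoring") that the dns keyword on the static above asks the DNS inspection engine to perform. It parses a real DNS wire-format reply (including name compression pointers), rewrites A records according to the static's real/mapped pair in the direction the text describes, and leaves queries and unrelated addresses alone. The DNS reply bytes are constructed for the demonstration; only the addresses come from the lab.

```python
"""Added example, not from the workbook: the A-record rewrite ("DNS doctoring")
that the `dns` keyword on `static (IN,OUT) 10.102.1.25 10.101.1.25 dns` asks
the DNS inspection engine to perform.  The DNS reply bytes below are
constructed for the demonstration; only the addresses come from the lab."""
import struct
import ipaddress

# real (inside) address -> mapped (outside) address, as in the lab's static
STATIC_DNS_XLATES = {"10.101.1.25": "10.102.1.25"}


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the rdata offset of every IN A record in the answer/authority/additional sections."""
    qd, an, ns, ar = struct.unpack("!4H", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(pkt):
    """Dotted-quad addresses of all A records in a DNS message."""
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4]))) for o in _a_record_offsets(pkt)]


def rewrite_dns_reply(pkt, ingress_is_mapped, xlates=STATIC_DNS_XLATES):
    """Doctor a DNS reply the way the ASA does for a static carrying the dns keyword.

    ingress_is_mapped=True : reply came in on the mapped (OUT) interface -> mapped->real
    ingress_is_mapped=False: reply is leaving towards the mapped interface -> real->mapped
    Returns (new_message, number_of_records_rewritten).  Queries pass untouched."""
    if not struct.unpack("!H", pkt[2:4])[0] & 0x8000:     # QR bit clear: this is a query
        return bytes(pkt), 0
    table = {v: k for k, v in xlates.items()} if ingress_is_mapped else dict(xlates)
    buf = bytearray(pkt)
    rewritten = 0
    for off in list(_a_record_offsets(buf)):
        addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        if addr in table:
            buf[off:off + 4] = ipaddress.IPv4Address(table[addr]).packed
            rewritten += 1
    return bytes(buf), rewritten


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_reply(name, addr, txid=0x1234, ttl=300):
    """Constructed DNS response: one question and one A answer whose name points back to it."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_reply("www.micronicstraining.com", "10.102.1.25")   # ISP resolver's answer
    doctored, n = rewrite_dns_reply(reply, ingress_is_mapped=True)
    print(a_records(reply), "->", a_records(doctored), f"({n} record rewritten)")
```

Running it shows the ISP resolver's 10.102.1.25 becoming 10.101.1.25 on the way to the inside client, and the reverse rewrite for a reply leaving towards OUT. The model works on the DNS message only; on a real packet the ASA also recomputes the UDP checksum after the rewrite, and it only rewrites records whose address matches a static with the dns keyword, so the unrelated 192.0.2.10 answer in the test below passes through unchanged.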

Lab 1.19. ICMP Advanced Inspection

Lab Setup

 R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
 R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
 R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password "cisco"
 Configure RIPv2 on all devices and advertise all their directly connected networks

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.102.1.2/24
R4       Lo0         4.4.4.4/24
         F0/0        10.104.1.4/24
ASA1     E0/0        10.102.1.10/24
         E0/1        10.101.1.10/24
         E0/2        10.104.1.10/24

Note that the topology is the same as in the previous lab, so you can quickly revert to the initial config on the ASA by using the command clear configure all and then pasting the initial config.

Task 1

Configure the ASA so that it allows ICMP traffic coming from the inside network to the DMZ and to the outside, and ICMP traffic initiated from the outside to the DMZ. You are not allowed to use an access list; however, you can alter the initial configuration to accomplish this task.

 We have two things to do in this task: (1) allow ICMP traffic from Inside to Outside and DMZ and (2) allow ICMP traffic from Outside to DMZ but not to Inside. In addition, we are not allowed to use any ACL to accomplish this task, which points to a solution using MPF. It is enough to enable ICMP inspection in the global policy to accomplish the first part: ICMP is stateless, so without inspection the echo replies coming back from the lower-security interface have no connection to match and are dropped. However, ICMP inspection alone does not help traffic originated from the outside network to the DMZ. Inspection only lets the replies of an allowed echo follow the connection; it does not override the basic rule that traffic from an interface with a lower security level to an interface with a higher security level is denied by default (there would have to be an ACL on the outside to allow it). Fortunately, we are allowed to alter the initial configuration. Thus, the best option that meets the requirements is to change the security level of the outside interface so that it is higher than the security level of the DMZ interface (the DMZ keeps its initial level, which is below 60, and Inside stays at 100, so the Inside-to-Outside direction still works). Be aware of the trade-off this forces: with Outside above DMZ, any traffic initiated from the outside to the DMZ is permitted by default, not just ICMP.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

ASA-FW(config)# int e0/0
ASA-FW(config-subif)# security-level 60
ASA-FW(config-subif)# exit

Verification

R1#ping 2.2.2.2 so lo0 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/54/188 ms

ASA-FW(config)# sh conn all | in ICMP
ICMP OUT 2.2.2.2:0 IN 1.1.1.1:4, idle 0:00:00, bytes 72

R1#ping 4.4.4.4 so lo0 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/57/204 ms

ASA-FW(config)# sh conn all | in ICMP
ICMP DMZ 4.4.4.4:0 IN 1.1.1.1:4, idle 0:00:00, bytes 72

R2#ping 4.4.4.4 so lo0 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/66/180 ms

ASA-FW(config)# sh conn all | in ICMP
ICMP DMZ 4.4.4.4:0 OUT 2.2.2.2:2, idle 0:00:00, bytes 72

With ICMP inspection enabled every echo creates a connection entry, which is what lets the echo reply back in; the third entry (OUT to DMZ) only exists because OUT now has the higher security level.

Task 2

Statically translate R1's F0/0 interface so that it is visible on the outside network as 10.102.1.1. Enable traceroute packets to go through the ASA and ensure that the inside network's addressing is hidden when doing a traceroute on R2 to the network behind R1 (use R1's Loopback0 IP address).

First, observe what happens with the initial configuration. Buffered logging at level 7 shows why a ping from R2 to R1's loopback fails:

ASA-FW(config)# logg buffered 7
ASA-FW(config)# logg on
ASA-FW(config)# clear logg buffer

R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# sh logg
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 8 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-3-106014: Deny inbound icmp src OUT:10.102.1.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.102.1.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.102.1.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.102.1.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.102.1.2 dst IN:1.1.1.1 (type 8, code 0)

Note that no ACL name appears in the logging output (message 106014 rather than 106023), so this traffic has been denied on the OUT interface by the ASA's default security-level rules, not by an access list.

 ICMP inspection allows ICMP packets to go through the ASA without configuring an ACL on the outbound interface for the returning traffic. It can also be used to change information inside ICMP packets so that sensitive details about the network are not disclosed. When NAT is configured on the ASA, a traceroute towards an address in a remote network can reveal the real addressing of the subnets behind the ASA: traceroute sends UDP probes with increasing TTL and waits for ICMP time-exceeded messages from each hop (or an ICMP port-unreachable from the destination), and an inside hop answers with its real address even though its own traffic is translated. ICMP error inspection mitigates this. When it is enabled, the ASA creates translation sessions for the intermediate hops that generate ICMP error messages, based on the NAT configuration, and rewrites the source address of the time-exceeded or port-unreachable message with the mapped address of the host that sent it.

Configuration

Complete these steps:

Step 1 ASA configuration.

ASA-FW(config)# static (IN,OUT) 10.102.1.1 10.101.1.1
ASA-FW(config)# access-list OUTSIDE_IN permit udp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp error
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

The access list is needed because the UDP probes originate on the lower-security OUT interface. In a lab "permit udp any any" is acceptable; in production you would restrict it to the traceroute port range (UDP 33434-33534) and to the destinations that should be traceable.

Verification

[before enabling ICMP error inspection]

R2#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 10.101.1.1 252 msec 212 msec *

[after enabling ICMP error inspection]

R2#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 10.102.1.1 200 msec 120 msec *

Note that the IP address in the returning ICMP packet has been altered based on the configured translation. The ASA itself does not appear as a hop because it does not decrement the TTL of transit packets by default.

ASA-FW(config)# sh service-policy global

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 60, drop 0, reset-drop 0
      Inspect: icmp error, packet 2, drop 0, reset-drop 0
Page 174 of 1033
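The following is an added example, not code from the workbook or from Cisco: a Python model of what ICMP error inspection does to the time-exceeded message that R1 sends back to R2's traceroute probe. It builds the ICMP error (outer IPv4 header, ICMP type 11, quoted probe header plus 8 bytes of UDP) with valid checksums, applies the lab's static in the real-to-mapped direction to the outer source address and to the destination of the quoted header, and recomputes all three checksums. Every packet is constructed for the demonstration; only the addresses come from the lab topology.

```python
"""Added example, not from the workbook: what `inspect icmp error` does to an
ICMP time-exceeded message that crosses `static (IN,OUT) 10.102.1.1 10.101.1.1`.
All packets below are constructed for the demonstration; only the addresses
come from the lab topology."""
import struct
import ipaddress

REAL_TO_MAPPED = {"10.101.1.1": "10.102.1.1"}   # the lab's static: real R1 F0/0 -> mapped


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a correctly checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_ipv4(src, dst, proto, ttl, payload, ident=0):
    """Minimal 20-byte IPv4 header with a valid checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_time_exceeded(hop, probe_src, probe_dst, sport=49153, dport=33434):
    """ICMP type 11 sent by `hop` about a traceroute probe; quotes the probe's IP and UDP headers."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    quoted = build_ipv4(probe_src, probe_dst, 17, 1, udp, ident=0x2A)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(hop, probe_src, 1, 255, icmp, ident=0x2B)


def translate_icmp_error(pkt, real_to_mapped=REAL_TO_MAPPED):
    """Rewrite an ICMP error leaving towards the mapped interface:
    - outer source (the hop that generated the error) real -> mapped, which is what
      hides 10.101.1.1 from R2's traceroute;
    - destination in the quoted header real -> mapped, so the original sender can
      match the error to the probe it sent to the mapped address.
    Outer IP, quoted IP and ICMP checksums are recomputed.  Non-error ICMP is returned as-is."""
    buf = bytearray(pkt)
    ihl = (buf[0] & 0x0F) * 4
    inner = ihl + 8
    if buf[9] != 1 or buf[ihl] not in (3, 11, 12) or len(buf) < inner + 20:
        return bytes(buf)
    src = str(ipaddress.IPv4Address(bytes(buf[12:16])))
    if src in real_to_mapped:
        buf[12:16] = _ip(real_to_mapped[src])
    inner_ihl = (buf[inner] & 0x0F) * 4
    inner_dst = str(ipaddress.IPv4Address(bytes(buf[inner + 16:inner + 20])))
    if inner_dst in real_to_mapped:
        buf[inner + 16:inner + 20] = _ip(real_to_mapped[inner_dst])
    # quoted IP header first (it is part of the ICMP payload), then ICMP, then outer IP
    for start, length, cksum_at in ((inner, inner_ihl, inner + 10),
                                    (ihl, len(buf) - ihl, ihl + 2),
                                    (0, ihl, 10)):
        buf[cksum_at:cksum_at + 2] = b"\x00\x00"
        buf[cksum_at:cksum_at + 2] = struct.pack(
            "!H", inet_checksum(bytes(buf[start:start + length])))
    return bytes(buf)


def addrs(pkt):
    """(outer_src, outer_dst, quoted_src, quoted_dst) of an ICMP error message."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = ihl + 8

    def at(o):
        return str(ipaddress.IPv4Address(bytes(pkt[o:o + 4])))
    return at(12), at(16), at(inner + 12), at(inner + 16)


def checksums_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    inner = ihl + 8
    inner_ihl = (pkt[inner] & 0x0F) * 4
    return (inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pkt[ihl:]) == 0
            and inet_checksum(pkt[inner:inner + inner_ihl]) == 0)


if __name__ == "__main__":
    err = build_time_exceeded("10.101.1.1", "10.102.1.2", "1.1.1.1")   # R1 answers R2's TTL=1 probe
    print(addrs(err), "->", addrs(translate_icmp_error(err)))
```

In the lab case only the outer source changes (10.101.1.1 becomes 10.102.1.1, which is exactly the difference between the two traceroute outputs above), because R2's probe was addressed to 1.1.1.1, which is not translated. The second case in the test shows the general rule: when the probe was aimed at the mapped address itself, the quoted header was un-translated on the inside and has to be re-mapped on the way out or R2's stack would not recognise the error as belonging to its probe. A hop with no matching translation passes through byte-for-byte unchanged.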

Lab 1.20. Configuring Virtual Firewalls

Lab Setup

 R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
 R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
 R4's F0/0 and ASA1's E0/3 interface should be configured in VLAN 104
 R5's F0/0 and ASA1's E0/2 interface should be configured in VLAN 105
 Configure Telnet on all routers using password "cisco"
 Configure a static default route on all routers pointing to the ASA

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.102.1.2/24
R4       Lo0         4.4.4.4/24
         F0/0        10.104.1.4/24
R5       Lo0         5.5.5.5/24
         F0/0        10.105.1.5/24

Task 1

Configure the ASA with the following security contexts:

Context name   Interfaces           Context file
CTX1           E0/0 - Outside       CTX1.CFG
               E0/1 - Inside
               E0/2.105 - DMZ
CTX2           E0/0 - Outside       CTX2.CFG
               E0/3 - Inside

The context configurations should be stored on the Flash memory. Allocated interfaces should be named as shown in the table so that no physical interface name is disclosed inside the context.

 You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context acts like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols; multiple context mode supports static routing only. On the 8.2 software used here you run all your contexts in routed mode or all in transparent mode; you cannot run some contexts in one mode and others in another.

To enable multiple mode (security contexts), enter the command mode multiple. You will be prompted to reboot the security appliance. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg, which comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name admin.

The system administrator adds and manages contexts by configuring each context's configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses the context that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

To create a new security context you enter the command "context <name>" in the system configuration, specify the context configuration file (usually on the Flash) and allocate interfaces to the context. Only the allocated interfaces are visible inside the context. To ensure that an administrator of the context does not see any physical interface name, you can name the interface during its allocation.

Configuration

Complete these steps:

Step 1 ASA configuration.

ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode

Rebooting...

CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
Low Memory: 631 KB
High Memory: 256 MB
PCI Device Table.
 Bus Dev Func VendID DevID Class              Irq
  00  00  00   8086   2578  Host Bridge
  00  01  00   8086   2579  PCI-to-PCI Bridge
  00  03  00   8086   257B  PCI-to-PCI Bridge
  00  1C  00   8086   25AE  PCI-to-PCI Bridge
  00  1D  00   8086   25A9  Serial Bus          11
  00  1D  01   8086   25AA  Serial Bus          10
  00  1D  04   8086   25AB  System
  00  1D  05   8086   25AC  IRQ Controller
  00  1D  07   8086   25AD  Serial Bus          9
  00  1E  00   8086   244E  PCI-to-PCI Bridge
  00  1F  00   8086   25A1  ISA Bridge
  00  1F  02   8086   25A3  IDE Controller      11
  00  1F  03   8086   25A4  Serial Bus          5
  00  1F  05   8086   25A6  Audio               5
  02  01  00   8086   1075  Ethernet            11
  03  01  00   177D   0003  Encrypt/Decrypt     9
  03  02  00   8086   1079  Ethernet            9
  03  02  01   8086   1079  Ethernet            9
  03  03  00   8086   1079  Ethernet            9
  03  03  01   8086   1079  Ethernet            9
  04  02  00   8086   1209  Ethernet            11
  04  03  00   8086   1209  Ethernet            5

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Platform ASA5510-K8

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Booting system, please wait...

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa821-k8.bin... Booting...
Loading...

Processor memory 177934336, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)
Guest RAM start: 0xd4000080
Guest RAM end:   0xdd400000
Guest RAM brk:   0xd4001000
IO memory 51224576 bytes
IO memory start: 0xd0bff000
IO memory end:   0xd3cd9000

Total SSMs found: 0

Total NICs found: 7
mcwa i82557 Ethernet at irq 11  MAC: 0019.e8d9.6271
i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: 0019.e8d9.6272
i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: 0019.e8d9.6273
i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: 0019.e8d9.6274
i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: 0019.e8d9.6275
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0001
mcwa i82557 Ethernet at irq  5  MAC: 0000.0001.0002
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 5
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 100
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5510 Security Plus license.

Note the "Security Contexts : 5" line: the number of contexts you can create is a licensed feature, so check it with show version before planning the context layout.

Creating context 'system'... Done. (0)
Creating context 'null'... Done. (257)
Cisco Adaptive Security Appliance Software Version 8.2(1) <system>

[cryptographic export warning, Restricted Rights Legend and Cisco copyright notice]

INFO: Admin context is required to get the interfaces
*** Output from config line 20, "arp timeout 14400"
Creating context 'admin'... Done. (1)
*** Output from config line 23, "admin-context admin"
Cryptochecksum (changed): cf287bec dd6e8cf1 b96cbba9 ca2251ec

*** Output from config line 25, "config-url flash:/admi..."
Cryptochecksum (changed): 6f50b7d4 8539ef8c b6c4265c 7c8ef765
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# show mode
Security context mode: multiple

It is very important to create the contexts with exactly the names specified in the task; context names are case sensitive. Also, the physical interfaces must be up when they are allocated to a context. If they are not, they will not be operative inside the context, which is a very common mistake.

ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/2
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/3
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/2.105
ciscoasa(config-subif)# vlan 105
ciscoasa(config-subif)# exit
ciscoasa(config)# context CTX1
Creating context 'CTX1'... Done. (2)
ciscoasa(config-ctx)# config-url flash:/CTX1.CFG
INFO: Converting flash:/CTX1.CFG to disk0:/CTX1.CFG
WARNING: Could not fetch the URL disk0:/CTX1.CFG
INFO: Creating context with default config

Note that there is no CTX1.CFG file on flash/disk0, so the ASA creates a new file with a basic configuration template. Be careful here: if a file with the same name already existed on the flash, the ASA would import that file as the configuration of the context, including whatever policy it contained. The safest option is to run "sh flash" first and check whether such a file already exists. Also note that the ASA does not write the file to the flash until you save the configuration, either within the context ("write mem") or for all contexts from system mode ("write mem all").

ciscoasa(config-ctx)# allocate-interface e0/0 Outside
ciscoasa(config-ctx)# allocate-interface e0/1 Inside
ciscoasa(config-ctx)# allocate-interface e0/2.105 DMZ

When allocating interfaces to a context you can specify the name that interface carries within the context. This is NOT nameif; it is only an alias for the "physical" interface. There is also an additional keyword at the end of that command:

 visible - all physical properties of the interface are visible inside the context ("show interface" shows that information)
 invisible - only limited information is displayed by "show interface"; this is the default

Note that you can allocate the same physical interface to different contexts. This is called "interface sharing" and is described in more detail in the following sections.

ciscoasa(config-ctx)# context CTX2
Creating context 'CTX2'... Done. (3)
ciscoasa(config-ctx)# config-url flash:/CTX2.CFG
INFO: Converting flash:/CTX2.CFG to disk0:/CTX2.CFG
WARNING: Could not fetch the URL disk0:/CTX2.CFG
INFO: Creating context with default config
ciscoasa(config-ctx)# allocate-interface e0/0 Outside
ciscoasa(config-ctx)# allocate-interface e0/3 Inside
ciscoasa(config-ctx)# exit

Step 2 Switchport configuration where the ASA DMZ interface is connected.

SW3(config)#int f0/12
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#switchport mode trunk
SW3(config-if)#exi
SW3(config)#vlan 105
SW3(config-vlan)#exi

Verification

ciscoasa(config)# sh mode
Security context mode: multiple

ciscoasa(config)# sh context
Context Name      Class      Interfaces                       URL
*admin            default                                     disk0:/admin.cfg
 CTX1             default    Ethernet0/0,Ethernet0/1,         disk0:/CTX1.CFG
                             Ethernet0/2.105
 CTX2             default    Ethernet0/0,Ethernet0/3          disk0:/CTX2.CFG
Total active Security Contexts: 3

ciscoasa(config)# sh context detail
Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2, Ethernet0/2.105,
    Ethernet0/3, Management0/0, Virtual254
  Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Real Interfaces:
  Mapped Interfaces:
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000813, ID: 1

Context "CTX1", has been created
  Config URL: disk0:/CTX1.CFG
  Real Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2.105
  Mapped Interfaces: DMZ, Inside, Outside
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000811, ID: 2

Context "CTX2", has been created
  Config URL: disk0:/CTX2.CFG
  Real Interfaces: Ethernet0/0, Ethernet0/3
  Mapped Interfaces: Inside, Outside
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000811, ID: 3

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000809, ID: 257

Note that the admin context has no interfaces allocated, so the system and the admin context can only be managed from the console until an interface is allocated to admin.

Task 2

Configure the ASA so that it assigns the following resources to the newly created contexts:

Context   Policy
CTX1      ASDM Connections 2
          Connections 1000
          SSH Sessions 2
          Telnet Sessions 1
          XLATE Objects 300
CTX2      ASDM Connections 4
          Connections 2000
          SSH Sessions 5
          Telnet Sessions 1
          XLATE Objects 1000

 Sharing hardware resources is always risky and may lead to performance issues when one context uses more resources than the others; a connection or translation flood through one context can exhaust tables that all contexts share. In that case it is wise to limit resources per context. The ASA by default limits some resources allocated to the contexts; however, those limits can be too lax for some organizations and the administrator can change them. Here is the list of resources which can be limited:

- mac-addresses - the number of MAC addresses allowed in the MAC address table (transparent firewall only)
- conns - TCP/UDP connections between any two hosts
- inspects - application inspections rate
- hosts - the number of hosts that can connect through the ASA
- asdm - concurrent ASDM management sessions
- ssh - concurrent SSH sessions
- syslogs - system log messages rate
- telnet - concurrent Telnet sessions
- xlates - concurrent address translations

Limiting the resources is nothing more than the configuration of a special class in which the above resources are allocated. This class is then assigned to the context using the "member <class-name>" command. All resources in the default class are set to unlimited, except for the following limits, which are by default set to the maximum allowed per context:

 Telnet sessions - 5 sessions
 SSH sessions - 5 sessions
 IPSec sessions - 5 sessions
 MAC addresses - 65,535 entries

Configuration

Complete these steps:

Step 1 ASA configuration.

ciscoasa(config)# class CTX1
ciscoasa(config-class)# limit-resource ASDM 2
ciscoasa(config-class)# limit-resource Conns 1000
ciscoasa(config-class)# limit-resource SSH 2
ciscoasa(config-class)# limit-resource Telnet 1
ciscoasa(config-class)# limit-resource xlate 300
ciscoasa(config-class)# class CTX2
ciscoasa(config-class)# limit-resource ASDM 4
ciscoasa(config-class)# limit-resource conn 2000
ciscoasa(config-class)# limit-resource telnet 1
ciscoasa(config-class)# limit-resource xlate 1000

Note that you do not need to configure the SSH resource for CTX2, as the value of 5 is inherited from the default class.

ciscoasa(config-class)# context CTX1
ciscoasa(config-ctx)# member CTX1
ciscoasa(config-ctx)# context CTX2
ciscoasa(config-ctx)# member CTX2
ciscoasa(config-ctx)# exit

Verification

ciscoasa(config)# sh run all class
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
class CTX1
  limit-resource ASDM 2
  limit-resource Conns 1000
  limit-resource SSH 2
  limit-resource Telnet 1
  limit-resource Xlates 300
!
class CTX2
  limit-resource ASDM 4
  limit-resource Conns 2000
  limit-resource Telnet 1
  limit-resource Xlates 1000
!

ciscoasa(config)# sh class default
Class Name      Members    ID    Flags
default         All        1     0001

ciscoasa(config)# sh class CTX1
Class Name      Members    ID    Flags
CTX1            1          2     0000

ciscoasa(config)# sh class CTX2
Class Name      Members    ID    Flags
CTX2            1          3     0000

ciscoasa(config)# sh context detail CTX1
Context "CTX1", has been created
  Config URL: disk0:/CTX1.CFG
  Real Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2.105
  Mapped Interfaces: DMZ, Inside, Outside
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: CTX1, Flags: 0x00000811, ID: 2

ciscoasa(config)# sh context detail CTX2
Context "CTX2", has been created
  Config URL: disk0:/CTX2.CFG
  Real Interfaces: Ethernet0/0, Ethernet0/3
  Mapped Interfaces: Inside, Outside
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: CTX2, Flags: 0x00000811, ID: 3

Task 3

Configure the interfaces of the new contexts as follows:

Context   Interface name   Security level   IP address
CTX1      Inside           100              10.101.1.10/24
          DMZ              50               10.105.1.10/24
          Outside          0                10.102.1.10/24
CTX2      Inside           80               10.104.1.10/24
          Outside          40               10.102.1.11/24

Now it is time to configure the contexts. Using the command "changeto context <context-name>" the administrator can move between contexts. Note that inside a context you have access to the same configuration commands as in single mode; the one difference is that the administrator has to enter the respective context's configuration mode before entering the commands. Interfaces are configured exactly as in a single mode configuration. In our case no physical interface names are visible inside the contexts; the logical names given during allocation are shown instead.

Configuration

Complete these steps:

Step 1 ASA configuration.

ciscoasa(config)# changeto context CTX1
ciscoasa/CTX1(config)# int Inside
ciscoasa/CTX1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa/CTX1(config-if)# ip add 10.101.1.10 255.255.255.0
ciscoasa/CTX1(config-if)# int DMZ
ciscoasa/CTX1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa/CTX1(config-if)# security-level 50
ciscoasa/CTX1(config-if)# ip add 10.105.1.10 255.255.255.0
ciscoasa/CTX1(config-if)# int Outside
ciscoasa/CTX1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa/CTX1(config-if)# ip add 10.102.1.10 255.255.255.0
ciscoasa/CTX1(config-if)# changeto context CTX2
ciscoasa/CTX2(config)# int Inside
ciscoasa/CTX2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa/CTX2(config-if)# security-level 80
ciscoasa/CTX2(config-if)# ip add 10.104.1.10 255.255.255.0
ciscoasa/CTX2(config-if)# int Outside
ciscoasa/CTX2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa/CTX2(config-if)# security-level 40
ciscoasa/CTX2(config-if)# ip add 10.102.1.11 255.255.255.0
ciscoasa/CTX2(config-if)# exit

Verification

ciscoasa/CTX2(config)# changeto context CTX1
ciscoasa/CTX1(config)# ping 10.101.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.101.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa/CTX1(config)# ping 10.105.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.105.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa/CTX1(config)# ping 10.102.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa/CTX1(config)# changeto context CTX2
ciscoasa/CTX2(config)# ping 10.104.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.104.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa/CTX2(config)# ping 10.102.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa/CTX2(config)# ping 10.101.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.101.1.1, timeout is 2 seconds:
No route to host 10.101.1.1
Success rate is 0 percent (0/1)

CTX2 has no route to 10.101.1.0/24 because that network sits behind context CTX1; each context keeps its own routing table.

Task 4

Ensure that R4 can ping R2 without configuring any access list. You are not allowed to configure any type of address translation to accomplish this task.

 As you can see below, you cannot ping R2 from R4 at first. One reason is that there is no ICMP inspection enabled and no ACL on the Outside interface to allow the ICMP echo-reply packets back. However, after enabling ICMP inspection in the CTX2 context you will see that you are still not able to ping R2. Let's do some quick troubleshooting to find the issue.

Configuration

Complete these steps:

Step 1 ASA configuration.

ciscoasa(config)# changeto context CTX2
ciscoasa/CTX2(config)# policy-map global_policy
ciscoasa/CTX2(config-pmap)# class inspection_default
ciscoasa/CTX2(config-pmap-c)# inspect icmp
ciscoasa/CTX2(config-pmap-c)# exit
ciscoasa/CTX2(config-pmap)# exit

Verification

What's the problem?

R4#ping 10.102.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ciscoasa/CTX2(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
        MAC address 0019.e8d9.6272, MTU 1500
        IP address 10.102.1.11, subnet mask 255.255.255.0
  Traffic Statistics for "Outside":
        9 packets input, 630 bytes
        17 packets output, 1556 bytes
        0 packets dropped

ciscoasa/CTX2(config)# changeto context CTX1
ciscoasa/CTX1(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
        MAC address 0019.e8d9.6272, MTU 1500
        IP address 10.102.1.10, subnet mask 255.255.255.0
  Traffic Statistics for "Outside":
        9 packets input, 630 bytes
        7 packets output, 556 bytes
        0 packets dropped

ciscoasa/CTX1(config)# changeto system
ciscoasa(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available for allocation to a context
        MAC address 0019.e8d9.6272, MTU not set
        IP address unassigned
        22 packets input, 2488 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        24 packets output, 2616 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (1/1) software (0/0)
        output queue (curr/max packets): hardware (0/1) software (0/0)

The ping from R4 does not work, so take a quick look at the interface in both contexts and in the system execution space. As you can see, the Outside interface in both contexts inherits the MAC address of the physical interface, 0019.e8d9.6272. This is normal behaviour and everything works as long as the contexts do not share an interface; here both contexts answer on Ethernet0/0 with the same MAC address, so a frame arriving from R2 gives the ASA nothing at layer 2 to tell the two contexts apart.

The problem with a shared interface is that the ASA must be able to properly classify incoming traffic and send it to the appropriate context. There are three methods to make it work:

Using unique interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. You can set the MAC addresses manually when you configure each interface, or you can automatically generate MAC addresses using the “mac-address auto” command. An upstream router cannot route directly to a context without unique MAC addresses.

NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet.

As we are not allowed to use any NAT in our solution, the only choice left is to use different MAC addresses for each security context. We can use the automatic method by configuring the “mac-address auto” command in the system context.

Configuration
Complete these steps:
Step 2 ASA configuration.
ciscoasa/CTX2(config)# changeto system
ciscoasa(config)# mac-address auto

Verification
ciscoasa(config)# changeto context CTX1
ciscoasa/CTX1(config)# sh int Outside
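The three classification methods above, as a small Python model added here (it is not workbook or Cisco code): the contexts, addresses and MACs follow the lab (CTX1 and CTX2 sharing e0/0 on 10.102.1.0/24), while the data layout, the assumed inside interfaces e0/1 and e0/2, and the exact evaluation order are this example's own simplifications.

```python
"""Simplified model of how a multi-context ASA classifies a packet arriving on an
interface: unique interface first, then unique MAC address, then NAT lookup.
Added example; data layout and evaluation order are assumptions for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    # Interface allocated to this context -> MAC address it uses on that interface.
    macs: dict
    # Destination networks the classifier can learn from this context's
    # "static" or "global" commands (method 3). Empty when the context has no NAT.
    nat_destinations: list = field(default_factory=list)


def classify(contexts, ingress_if, dst_mac, dst_ip):
    """Return the name of the context that receives the packet, or None if it is dropped."""
    owners = [c for c in contexts if ingress_if in c.macs]
    if not owners:
        return None
    # Method 1: only one context is associated with the ingress interface.
    if len(owners) == 1:
        return owners[0].name
    # Method 2: shared interface; if every context uses a distinct MAC on it,
    # the destination MAC identifies the context.
    if len({c.macs[ingress_if] for c in owners}) == len(owners):
        for c in owners:
            if c.macs[ingress_if] == dst_mac:
                return c.name
        return None
    # Method 3: identical MACs, so only the destination IP address is consulted,
    # and only against subnets known from the NAT configuration.
    ip = ip_address(dst_ip)
    for c in owners:
        if any(ip in net for net in c.nat_destinations):
            return c.name
    return None


SHARED_MAC = "0019.e8d9.6272"  # burned-in MAC of e0/0, inherited by both contexts
# Inside interfaces e0/1 (CTX1) and e0/2 (CTX2) and their MACs are assumed values.
CTX1_INSIDE = {"e0/1": "0019.e8d9.6273"}
CTX2_INSIDE = {"e0/2": "0019.e8d9.6274"}


def lab_before_fix():
    """Task 4 starting point: shared Outside, inherited MAC, no NAT in either context."""
    return [
        Context("CTX1", {"e0/0": SHARED_MAC, **CTX1_INSIDE}),
        Context("CTX2", {"e0/0": SHARED_MAC, **CTX2_INSIDE}),
    ]


def lab_with_mac_auto():
    """After 'mac-address auto': each context has its own MAC on the shared interface."""
    return [
        Context("CTX1", {"e0/0": "1200.0000.0200", **CTX1_INSIDE}),
        Context("CTX2", {"e0/0": "1200.0000.0300", **CTX2_INSIDE}),
    ]


def lab_with_pat():
    """Task 5: MACs shared again, but CTX2 has 'global (Outside) 1 interface',
    so the classifier knows 10.102.1.11 belongs to CTX2."""
    return [
        Context("CTX1", {"e0/0": SHARED_MAC, **CTX1_INSIDE}),
        Context("CTX2", {"e0/0": SHARED_MAC, **CTX2_INSIDE},
                [ip_network("10.102.1.11/32")]),
    ]


def echo_reply_from_r2(contexts, dst_mac):
    """R2's ICMP echo-reply to CTX2's Outside address 10.102.1.11, arriving on e0/0."""
    return classify(contexts, "e0/0", dst_mac, "10.102.1.11")
```

Running the three scenarios shows why the reply is dropped before the fix (no method can pick a context), reaches CTX2 once MACs are unique, and reaches CTX2 again under Task 5 via the global command alone.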

Interface Outside "Outside", is up, line protocol is up
  MAC address 1200.0000.0200, MTU 1500
  IP address 10.102.1.10, subnet mask 255.255.255.0
  Traffic Statistics for "Outside":
    11 packets input, 686 bytes
    18 packets output, 1584 bytes
    0 packets dropped
ciscoasa/CTX1(config)# changeto context CTX2
ciscoasa/CTX2(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
  MAC address 1200.0000.0300, MTU 1500
  IP address 10.102.1.11, subnet mask 255.255.255.0
  Traffic Statistics for "Outside":
    11 packets input, 686 bytes
    8 packets output, 584 bytes
    0 packets dropped

R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.102.1.2               -  001b.533b.ea58  ARPA   FastEthernet0/0
Internet  10.102.1.10              0  1200.0000.0200  ARPA   FastEthernet0/0
Internet  10.102.1.11              0  1200.0000.0300  ARPA   FastEthernet0/0

As you can see, the ASA uses different MAC addresses for each context. R2 also sees those addresses in its ARP table. However, R2 has no information on how to route the traffic to R4, so we need to add a static route.

Configuration
Complete these steps:
Step 3 R2 configuration.
R2(config)#ip route 10.104.1.0 255.255.255.0 10.102.1.11

Verification
R4#ping 10.102.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 5
Disable automatic MAC address generation and accomplish the same using network address translation.

OK, it is always good to see how it works with NAT. Hence, first disable MAC autogeneration and configure simple Dynamic PAT in the CTX2 context. Let’s translate all inside IP addresses to the address of the outside interface.

Configuration
Complete these steps:
Step 1 ASA configuration.
ciscoasa/CTX2(config)# changeto system
ciscoasa(config)# no mac-address auto

Verification
R4#ping 10.102.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

It does not work when the MAC addresses are the same.

On ASA
ciscoasa(config)# changeto context CTX2
ciscoasa/CTX2(config)# nat (Inside) 1 0 0
ciscoasa/CTX2(config)# global (Outside) 1 interface
INFO: Outside interface address added to PAT pool

Verification

R4#ping 10.102.1.2 rep 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ciscoasa/CTX2(config)# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
ICMP PAT from Inside:10.104.1.4/8 to Outside:10.102.1.11/63477 flags ri

Task 6
Assign IP address of 10.254.254.8/24 to the management interface of ASA. Configure the following limits for system resources on the admin context:
- limit ASDM connections 1
- limit SSH connections 1
- limit TELNET connections 1
Configure SSH and Telnet access to the device from anywhere on the management interface. Authenticate users using local username/password of admin/cisco.

The ASA has a dedicated management interface which can be used for management only or, in some cases, can be “converted” to a normal interface. It is recommended to use this interface for management of the ASA, so it must be allocated to the admin context. The admin context is created automatically when an administrator converts the ASA to multi-context mode. Each of the configured contexts can be set as the admin context. If a context is marked as the admin context, administrators logging onto that context have rights to administer other contexts as well (including the system context).

Configuration
Complete these steps:
Step 1 ASA configuration.
ciscoasa/CTX2(config)# changeto system

ciscoasa(config)# admin-context admin
ciscoasa(config)# int m0/0
ciscoasa(config-if)# no sh
ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface Management0/0
ciscoasa(config-ctx)# config-url disk0:/admin.cfg
WARNING: Could not fetch the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
ciscoasa(config)# class CL-ADMIN
ciscoasa(config-class)# limit-resource ASDM 1
ciscoasa(config-class)# limit-resource SSH 1
ciscoasa(config-class)# limit-resource Telnet 1
ciscoasa(config-class)# context admin
ciscoasa(config-ctx)# member CL-ADMIN
ciscoasa(config-ctx)# changeto context admin
ciscoasa/admin(config)# int management0/0
ciscoasa/admin(config-if)# nameif management
INFO: Security level for "management" set to 0 by default.
ciscoasa/admin(config-if)# security 100
ciscoasa/admin(config-if)# ip add 10.254.254.8 255.255.255.0
ciscoasa/admin(config-if)# management-only
ciscoasa/admin(config)# username admin password cisco privilege 15
ciscoasa/admin(config)# aaa authentication ssh console LOCAL
ciscoasa/admin(config)# aaa authentication telnet console LOCAL
ciscoasa/admin(config)# telnet 0 0 management
ciscoasa/admin(config)# ssh 0 0 management

Verification
ciscoasa(config)# sh context detail admin
Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: CL-ADMIN, Flags: 0x00000813, ID: 1


Lab 1.21. Active/Standby Failover

Lab Setup
- R1’s F0/0 and ASA1/ASA2 E0/1 interface should be configured in VLAN 101
- R2’s G0/0 and ASA1/ASA2 E0/0 interface should be configured in VLAN 102
- R4’s F0/0 and ASA1/ASA2 E0/2 interface should be configured in VLAN 104
- ASA1 and ASA2 E0/3 interface should be configured in VLAN 254
- Configure Telnet on all routers using password “cisco”
- Configure static default route on all routers pointing to ASA.

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
        F0/0       10.101.1.1/24
R2      Lo0        2.2.2.2/24
        G0/0       10.102.1.2/24
R4      Lo0        4.4.4.4/24
        F0/0       10.104.1.4/24

Task 1
Configure ASA interfaces as follows:
Physical Interface  Interface name  Security level  IP address
E0/0                OUT             0               Pri 10.102.1.10/24  Sby 10.102.1.11/24
E0/1                IN              80              Pri 10.101.1.10/24  Sby 10.101.1.11/24
E0/2                DMZ             50              Pri 10.104.1.10/24  Sby 10.104.1.11/24

Configure the ASA2 device to back up the ASA1 firewall in the event of failure. Configure interface E0/3 as the Failover Link. This interface will be used to transmit failover control messages. Assign a name of LAN_FO and an active IP address of 10.254.254.10/24 with a standby address of 10.254.254.11. Authenticate the failover control messages using a key of “cisco987”. Configure a host name of ASA-FW.

ASA failover uses a special link which must be configured appropriately to successfully monitor the state of the primary ASA device. This link may have two things to do: (1) it must synchronize configuration, monitor ASA interfaces and send that information to the second ASA so it can continue working if the primary ASA fails; (2) it may carry stateful information (like the state table and translation table) so the second ASA can maintain all connections in case of failure. The first task does not require a fast interface. However, the second may require significant bandwidth, so the best practice is to use the fastest ASA interface possible, as the amount of data traversing this link may be significant and usually depends on the amount of data traversing all remaining interfaces. This link is a dedicated physical Ethernet interface; it shouldn’t be set up using a crossover cable, though. It is highly recommended to use a switch for the interconnection, with PortFast configured on the switch port. In addition to that, the interface used as the failover link should be in the UP state, meaning an administrator must enter the “no shutdown” command on that interface.

All failover configuration is done using the “failover…” command. Two very important commands are required: (1) “failover lan…”, which is used for specifying which interface will be used as the failover link, and (2) “failover interface ip…”, which configures the IP address of that link (note the IP address is configured here, not under the physical interface). No other configuration is required. The first ASA must be “marked” as the primary unit and the second ASA as the secondary unit. This is usually omitted when the ASA is already pre-configured and we need to add failover to the existing configuration. A good practice mandates usage of an “encryption” key for securing failover communication. The very last configuration command is simply “failover”, which enables failover and starts communication between the ASAs. After enabling failover, all configuration should be sent to the second device.

Note that all ASA interfaces must have standby IP addresses configured. Those standby IP addresses will be used on the secondary ASA, as all interfaces must send out heartbeat information on their subnet to check if there is a standby interface ready on a given subnet. Configuration of the secondary ASA is similar to that of the primary unit. The one difference is that the secondary device must be marked as the secondary unit. Note that you do not need to configure any IP addresses (except for the failover link) on the secondary ASA. All you need is to unshut the failover interface and configure it in the same way as on the primary device.

Configuration
Complete these steps:
Step 1 Primary ASA configuration.
ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# interface e0/0
ASA-FW(config-if)# nameif OUT
INFO: Security level for "OUT" set to 0 by default.
ASA-FW(config-if)# ip address 10.102.1.10 255.255.255.0 standby 10.102.1.11
ASA-FW(config-if)# no shut
ASA-FW(config-if)# interface e0/1
ASA-FW(config-if)# nameif IN
INFO: Security level for "IN" set to 0 by default.
ASA-FW(config-if)# security-level 80
ASA-FW(config-if)# ip address 10.101.1.10 255.255.255.0 standby 10.101.1.11
ASA-FW(config-if)# no shut
ASA-FW(config-if)# interface e0/2

ASA-FW(config-subif)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA-FW(config-subif)# security-level 50
ASA-FW(config-subif)# ip address 10.104.1.10 255.255.255.0 standby 10.104.1.11
ASA-FW(config-subif)# no shut
ASA-FW(config-subif)# exit
ASA-FW(config)# int e0/3
ASA-FW(config-if)# no sh

Do not forget to unshut that interface!

ASA-FW(config)# failover lan unit primary
ASA-FW(config)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA-FW(config)# failover interface ip LAN_FO 10.254.254.10 255.255.255.0 standby 10.254.254.11
ASA-FW(config)# failover key cisco987
ASA-FW(config)# failover

You must enable failover at the end of the configuration using the “failover” command.

Step 2 Secondary ASA configuration.
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no sh

Same on the secondary ASA: you must manually unshut the interface for LAN failover.

ciscoasa(config)# failover lan unit secondary
ciscoasa(config-if)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip LAN_FO 10.254.254.10 255.255.255.0 standby 10.254.254.11
ciscoasa(config)# failover key cisco987
ciscoasa(config)# failover
ciscoasa(config)# .
        Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
ASA-FW(config)#
ASA-FW(config)# int e0/0

**** WARNING ****
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.

Note that you cannot configure the ASA while on the Standby unit. Although it is possible to enter commands, the config will NOT be synchronized between devices.

Verification
On Active ASA
ASA-FW(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:08:59 UTC Jul 10 2010
        This host: Primary - Active
                Active time: 105 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
                  Interface OUT (10.102.1.10): Normal
                  Interface IN (10.101.1.10): Normal
                  Interface DMZ (10.104.1.10): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 291 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
                  Interface OUT (10.102.1.11): Normal
                  Interface IN (10.101.1.11): Normal
                  Interface DMZ (10.104.1.11): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Note the IP addresses in the brackets and the “Normal” state of those interfaces. The IP addresses are simply the Active and Standby IP addresses configured on the interface. If you see 0.0.0.0 there, it means you do not have a Standby IP address configured on that particular interface. Also the state may be different. There may be Waiting, Non-Monitored and Normal states. Since the ASA does not monitor subinterfaces by default, you may see the Non-Monitored state very often when using subinterfaces. A Waiting state, however, means that the interfaces in the same subnet on both ASA units are still in the process of communicating with each other. If this state is displayed for too long (a couple of minutes), it means the ASA has communication issues with the other ASA device, meaning issues with L2 (the switch) in most cases.

It is highly recommended to perform a failover test after configuration. Below is an example test which can easily verify if failover works fine.

FAILOVER TEST
1. Enable ICMP inspection to allow ICMP traffic to go through the ASA
2. Start pinging R2 from R1 (Inside to Outside)
3. Make the Standby ASA become Active
4. Verify that failover took place and everything is OK by means of verification commands, and check if the ping is still going on.

1. Enable ICMP inspection on the ASA (just to allow ICMP traffic to pass through the ASA)
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

2. Perform a repeated ping from R1
R1#ping 10.102.1.2 rep 1000

3. On the standby ASA enter the command “failover active” to make it the active device
ASA-FW(config)# failover active
        Switching to Active
ASA-FW(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 23:14:41 UTC Oct 17 2009
        This host: Secondary - Active
                Active time: 22 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface OUT (10.102.1.10): Normal (Waiting)
                  Interface IN (10.101.1.10): Normal (Waiting)
                  Interface DMZ (10.104.1.10): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 740 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface OUT (10.102.1.11): Normal
                  Interface IN (10.101.1.11): Normal
                  Interface DMZ (10.104.1.11): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Note that some of the monitored interfaces have Waiting status. It may take a while for the interfaces to see each other and update their status. Do not worry, just wait a bit and run the “show failover” command again.

ASA-FW(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 23:14:41 UTC Oct 17 2009
        This host: Secondary - Active
                Active time: 37 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface OUT (10.102.1.10): Normal
                  Interface IN (10.101.1.10): Normal
                  Interface DMZ (10.104.1.10): Normal
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 740 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface OUT (10.102.1.11): Normal
                  Interface IN (10.101.1.11): Normal
                  Interface DMZ (10.104.1.11): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

4. Check the R1 ping:

R1#ping 10.102.1.2 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.102.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 1/2/4 ms

Note that only one ping is lost. The failover is working quite fast.

Task 2
Configure the ASA so that it will maintain TCP connections (including HTTP) in the event of active device failure. Use the same interface which is already used for LAN Failover.

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface (not recommended).
Also keep in mind that you can use redundant interfaces along with failover. By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss.
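The interface states and the stateful link status discussed above are what an operator checks after a failover test. As an added example that is not part of the workbook, the Python below parses a constructed “show failover” transcript (modelled on the outputs above, with one interface deliberately left without a standby address and unmonitored) and flags the conditions the text warns about: 0.0.0.0 standby addresses, Waiting and Non-Monitored interfaces, a pair that is not Active/Standby Ready, and an unconfigured stateful link. The field names and audit rules are this example’s own.

```python
"""Parse 'show failover' output and report the conditions a failover verification
should catch.  Added example; the transcript is constructed and the rules are ours."""
import re
from dataclasses import dataclass

# Constructed transcript: secondary just became active, interfaces still Waiting,
# plus one interface without a standby IP and not monitored, and no stateful link.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 23:14:41 UTC Oct 17 2009
This host: Secondary - Active
        Active time: 22 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface OUT (10.102.1.10): Normal (Waiting)
          Interface IN (10.101.1.10): Normal (Waiting)
          Interface DMZ (10.104.1.10): Normal (Waiting)
        slot 1: empty
Other host: Primary - Standby Ready
        Active time: 740 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface OUT (10.102.1.11): Normal
          Interface IN (10.101.1.11): Normal
          Interface DMZ (0.0.0.0): Non-Monitored
        slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

# The same transcript with every problem removed, for contrast.
HEALTHY_SHOW_FAILOVER = (
    SAMPLE_SHOW_FAILOVER.replace(" (Waiting)", "")
    .replace("(0.0.0.0): Non-Monitored", "(10.104.1.11): Normal")
    .replace("Link : Unconfigured.", "Link : LAN_FO Ethernet0/3 (up)")
)

IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (\S+)(?: \((\w+)\))?")
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$", re.M)
LINK_RE = re.compile(r"^\s*Link : (.+)$", re.M)


@dataclass
class FailoverStatus:
    enabled: bool
    states: dict        # "this"/"other" -> (unit role, state), e.g. ("Secondary", "Active")
    interfaces: dict    # "this"/"other" -> [(name, ip, state, substate or None), ...]
    stateful_link: str  # text after "Link :"; "Unconfigured." when no stateful link


def parse_show_failover(text):
    states = {m.group(1).lower(): (m.group(2), m.group(3).strip())
              for m in HOST_RE.finditer(text)}
    # Interface lines belong to the host section they appear under.
    this_pos, other_pos = text.find("This host:"), text.find("Other host:")
    stats_pos = text.find("Stateful Failover")
    end = stats_pos if stats_pos != -1 else len(text)
    sections = {"this": text[this_pos:other_pos], "other": text[other_pos:end]}
    interfaces = {k: [m.groups() for m in IFACE_RE.finditer(v)] for k, v in sections.items()}
    link = LINK_RE.search(text)
    return FailoverStatus("Failover On" in text, states, interfaces,
                          link.group(1).strip() if link else "")


def audit(status):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if not status.enabled:
        findings.append("failover is not enabled")
    unit_states = {state for _, state in status.states.values()}
    if unit_states != {"Active", "Standby Ready"}:
        findings.append(f"unit states {sorted(unit_states)}: expected one Active "
                        "and one Standby Ready (Bulk Sync and Waiting are transitional)")
    for side, ifaces in status.interfaces.items():
        for name, ip, state, sub in ifaces:
            if ip == "0.0.0.0":
                findings.append(f"{side} host {name}: no standby IP address configured")
            if sub == "Waiting":
                findings.append(f"{side} host {name}: Waiting (units not yet hearing "
                                "each other on this subnet; check L2 if it persists)")
            if state == "Non-Monitored":
                findings.append(f"{side} host {name}: not monitored (monitor-interface)")
    if status.stateful_link.startswith("Unconfigured"):
        findings.append("no stateful failover link: connections will not survive a failover")
    return findings
```

Running `audit(parse_show_failover(...))` on a live transcript pasted from the console gives the same list; on the constructed sample it reports the three Waiting interfaces, the missing standby address, the unmonitored interface and the missing stateful link.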

Configuration
Complete these steps:
Step 1 Active ASA configuration.
ASA-FW(config)# failover link LAN_FO
ASA-FW(config)# failover replication http

Verification
ASA-FW(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:08:59 UTC Jul 10 2010
        This host: Primary - Active
                Active time: 695 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
                  Interface OUT (10.102.1.10): Normal
                  Interface IN (10.101.1.10): Normal
                  Interface DMZ (10.104.1.10): Normal
                slot 1: empty
        Other host: Secondary - Bulk Sync
                Active time: 291 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
                  Interface OUT (10.102.1.11): Normal
                  Interface IN (10.101.1.11): Normal
                  Interface DMZ (10.104.1.11): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         3          0          3          0
        sys cmd         3          0          3          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0

        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       8       3
        Xmit Q:         0       26      36

ASA-FW(config)# sh failover interface
        interface LAN_FO Ethernet0/3
                System IP Address: 10.254.254.10 255.255.255.0
                My IP Address    : 10.254.254.10
                Other IP Address : 10.254.254.11

ASA-FW(config)# sh run all monitor
monitor-interface OUT
monitor-interface IN
monitor-interface DMZ

By default the ASA monitors only physical interfaces; it does not monitor logical interfaces or subinterfaces. Monitoring of those must be manually enabled using the “monitor-interface” command.

There is also a feature called Remote Command Execution which is very useful when making changes to the configuration in a failover environment. Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the “failover exec” command to enter configuration commands on the correct unit, no matter which unit you are logged in to. For example, if you are logged in to the standby unit, you can use the “failover exec active” command to send configuration changes to the active unit. Those changes are then replicated to the standby unit.

Task 3
Configure the ASA so that it will use a static MAC address on the outside interface in case the standby device boots first. Use a MAC address of 0011.0011.0011 as Active and 0022.0022.0022 as Standby.

The MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit. However, if both units are not brought online at the same time and the secondary unit boots first and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures that the secondary unit uses the correct MAC address when it is the active unit, even if it comes online before the primary unit. This command has no effect when the ASA is configured for Active/Active failover. In A/A failover there is a “mac address” command under the failover group.

Configuration
Complete these steps:
Step 1 Active ASA configuration.
ASA-FW(config)# failover mac address e0/0 0011.0011.0011 0022.0022.0022

Verification (on Active unit)
ASA-FW(config)# sh int out
Interface Ethernet0/0 "OUT", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  MAC address 0011.0011.0011, MTU 1500
  IP address 10.102.1.10, subnet mask 255.255.255.0
  1440 packets input, 173626 bytes, 0 no buffer
  Received 50 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  1401 packets output, 142518 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max packets): hardware (0/25) software (0/0)
  output queue (curr/max packets): hardware (0/3) software (0/0)
  Traffic Statistics for "OUT":
    1400 packets input, 167906 bytes
    1401 packets output, 142508 bytes

    0 packets dropped
    1 minute input rate 0 pkts/sec, 24 bytes/sec
    1 minute output rate 0 pkts/sec, 23 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 20 bytes/sec
    5 minute output rate 0 pkts/sec, 20 bytes/sec
    5 minute drop rate, 0 pkts/sec

Verification (on Standby unit)
ASA-FW(config)# sh int out
Interface Ethernet0/0 "OUT", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  MAC address 0022.0022.0022, MTU 1500
  IP address 10.102.1.11, subnet mask 255.255.255.0
  10413 packets input, 1232128 bytes, 0 no buffer
  Received 9 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  10427 packets output, 1043956 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max packets): hardware (1/5) software (0/0)
  output queue (curr/max packets): hardware (0/3) software (0/0)
  Traffic Statistics for "OUT":
    10413 packets input, 1231356 bytes
    10427 packets output, 1043922 bytes
    0 packets dropped
    1 minute input rate 0 pkts/sec, 21 bytes/sec
    1 minute output rate 0 pkts/sec, 21 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 20 bytes/sec
    5 minute output rate 0 pkts/sec, 20 bytes/sec
    5 minute drop rate, 0 pkts/sec

ASA-FW(config)# failover exec mate sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:04:18 UTC Jul 10 2010
        This host: Secondary - Standby Ready

                Active time: 291 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
                  Interface OUT (10.102.1.11): Normal
                  Interface IN (10.101.1.11): Normal
                  Interface DMZ (10.104.1.11): Normal
                slot 1: empty
        Other host: Primary - Active
                Active time: 855 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
                  Interface OUT (10.102.1.10): Normal
                  Interface IN (10.101.1.10): Normal
                  Interface DMZ (10.104.1.10): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         24         0          24         0
        sys cmd         24         0          24         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       5       219
        Xmit Q:         0       1       24

Lab 1.22. Active/Active Failover

Lab Setup
- R2’s G0/0 and the ASAs’ E0/0 interface should be configured in VLAN 102
- R5’s F0/0 and the ASAs’ E0/2 interface should be configured in VLAN 105
- Configure Telnet on all routers using password “cisco”
- Configure static default route on all routers pointing to ASA

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
        F0/0       10.101.1.1/24
R2      Lo0        2.2.2.2/24
        G0/0       10.102.1.2/24
R4      Lo0        4.4.4.4/24
        F0/0       10.104.1.4/24
R5      Lo0        5.5.5.5/24
        F0/0       10.105.1.5/24

Task 1
Configure ASA1 with a hostname of ASA-FW and the following security contexts:
Context name:  CTX1                 CTX2
Interfaces:    E0/0 – Outside       E0/0 – Outside
               E0/1.101 – Inside    E0/1.104 – Inside
               E0/2 – DMZ
Context file:  CTX1.cfg             CTX2.cfg
The context configuration should be stored on the Flash memory. Configure interfaces for the new contexts as follows:
Context  Interface name  Security level  IP address
CTX1     Inside          100             10.101.1.10/24
         Outside         0               10.102.1.10/24
         DMZ             50              10.105.1.10/24
CTX2     Inside          100             10.104.1.10/24
         Outside         0               10.102.1.12/24

In the Active/Active (A/A) implementation of failover, both appliances in the failover pair process traffic. To accomplish this, two contexts are needed, as depicted in the diagram above. On the left appliance, CTX1 performs an active role and CTX2 a standby role. On the right appliance, CTX1 is standby and CTX2 is active. The configuration required in this task is very similar to the configuration of a single ASA device. The ASA must be converted to multiple mode. Then security contexts must be created and the appropriate interfaces allocated. Then the interfaces must be configured as requested inside the respective context.

Configuration
Complete these steps:
Step 1 Switchport configuration where the ASA inside interface is connected.
SW3(config-if)#int f0/11
SW3(config-if)#sw tru enca dot

SW3(config-if)#sw mo tru
SW3(config)#vlan 101
SW3(config-vlan)#exi
SW3(config)#vlan 104
SW3(config-vlan)#exit

Step 2 On both ASA devices.
ciscoasa# conf t
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Rebooting...
<…output omitted…>

Step 3 ASA1 configuration.
ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# int e0/0
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1.101
ASA-FW(config-subif)# vlan 101
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# int e0/1.104

ASA-FW(config-subif)# vlan 104
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# int e0/2
ASA-FW(config-if)# no sh
ASA-FW(config-if)# context CTX1
Creating context 'CTX1'... Done. (2)
ASA-FW(config-ctx)# sh disk0: | in cfg|CFG
164    724        Oct 19 2009 18:38:50  admin.cfg
166    1437       Oct 19 2009 18:38:50  old_running.cfg
ASA-FW(config-ctx)# config-url disk0:CTX1.cfg
INFO: Converting disk0:CTX1.cfg to disk0:/CTX1.cfg
WARNING: Could not fetch the URL disk0:/CTX1.cfg
INFO: Creating context with default config
ASA-FW(config-ctx)# allocate-interface e0/1.101
ASA-FW(config-ctx)# allocate-interface e0/0
ASA-FW(config-ctx)# allocate-interface e0/2

Note that it is wise to check that there is no file with a previous configuration stored on the flash before configuring the config URL. If a file with the same name already exists, it will be imported and used inside the context.

(2) Depending on your previous configuration you may get a message saying:
ERROR: Identify admin context first, using the 'admin-context' command
Then you need to create the “admin” context first and tell the ASA to use that context for administrative purposes. Both things can be done using the following command:
ASA-FW(config)# admin-context admin
Creating context 'admin'... Done.
Unfortunately, the above command does not specify where the admin context is going to write its configuration. Hence, we need to specify that manually:
ASA-FW(config)# context admin
ASA-FW(config-ctx)# config-url disk0:/admin.ctx
WARNING: Could not fetch the URL disk0:/admin.ctx
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.

ASA-FW(config-ctx)# context CTX2
Creating context 'CTX2'... Done. (3)
ASA-FW(config-ctx)# config-url disk0:CTX2.cfg
WARNING: Could not fetch the URL disk0:/CTX2.cfg
INFO: Creating context with default config
INFO: Converting disk0:CTX2.cfg to disk0:/CTX2.cfg
ASA-FW(config-ctx)# allocate-interface e0/1.104
ASA-FW(config-ctx)# allocate-interface e0/0
ASA-FW(config-ctx)# changeto context CTX1
ASA-FW/CTX1(config)# int e0/1.101
ASA-FW/CTX1(config-if)# ip add 10.1.101.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA-FW/CTX1(config-if)# int e0/2
ASA-FW/CTX1(config-if)# ip add 10.1.104.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA-FW/CTX1(config-if)# security-level 50
ASA-FW/CTX1(config-if)# int e0/0
ASA-FW/CTX1(config-if)# ip add 10.1.102.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW/CTX1(config-if)# changeto context CTX2
ASA-FW/CTX2(config)# int e0/1.104
ASA-FW/CTX2(config-if)# ip add 10.1.105.10 255.255.255.0
ASA-FW/CTX2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA-FW/CTX2(config-if)# int e0/0
ASA-FW/CTX2(config-if)# ip add 10.1.102.12 255.255.255.0
ASA-FW/CTX2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW/CTX2(config-if)# exit

Verification

ASA-FW/CTX2(config)# ping 10.1.105.5
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.105.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-FW/CTX2(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-FW/CTX2(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/1.104            10.1.105.10     YES manual up                    up
Ethernet0/0                10.1.102.12     YES manual up                    up
ASA-FW/CTX2(config)# changeto context CTX1
ASA-FW/CTX1(config)# ping 10.1.104.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.104.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-FW/CTX1(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-FW/CTX1(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-FW/CTX1(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/1.101            10.1.101.10     YES manual up                    up
Ethernet0/2                10.1.104.10     YES manual up                    up
Ethernet0/0                10.1.102.10     YES manual up                    up

Task 2

Configure Active/Active failover between ASA1 and ASA2 so that the context CTX1 is active on ASA1 and standby on ASA2, whilst the context CTX2 is active on ASA2 and standby on ASA1. As there is a shared interface among both devices, ensure that packet classification is based on MAC addresses. Use interface E0/3 as the failover LAN and stateful link with an IP address of 10.1.254.10/24 (VLAN 254). All standby IP addresses should be derived from the last octet of the primary IP address plus one (e.g. if the primary IP address is 10.1.1.10, the standby IP address will be 10.1.1.11). Secure failover transmission with a key of "cisco456". Change the command line prompt to show hostname, context and current state of the context for better visibility.

• In Active/Standby failover, failover is performed on a unit basis. One unit is active while the other unit is standby. In Active/Active, one context is active while the same context on the other ASA is in standby state. The ASA uses failover groups to manage contexts. Each ASA supports up to two failover groups, as there can only be two ASAs in the failover pair. By default all security contexts are assigned to failover group 1. You can control the distribution of active contexts between the ASAs by controlling each context's membership in a failover group.

• Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously. If one unit boots before the other, both failover groups become active on that unit. When the other unit comes online, any failover groups that have the secondary unit as a priority do not become active on the second unit unless the failover group is configured with the "preempt" command or is manually forced using the "no failover active" command.

Configuration

Complete these steps:

Step 1 ASA1 configuration.

ASA-FW/CTX1(config)# changeto system
ASA-FW(config)# failover group 1
ASA-FW(config-fover-group)# primary
ASA-FW(config-fover-group)# preempt
ASA-FW(config-fover-group)# failover group 2
ASA-FW(config-fover-group)# secondary
ASA-FW(config-fover-group)# preempt

Within the failover group configuration mode the "primary" command gives the primary ASA higher priority for failover group 1, and the "secondary" command under failover group 2 gives the secondary ASA higher priority for that failover group.

ASA-FW(config-fover-group)# context CTX1
ASA-FW(config-ctx)# join-failover-group 1
ASA-FW(config-ctx)# context CTX2
ASA-FW(config-ctx)# join-failover-group 2
ASA-FW(config-ctx)# exit
ASA-FW(config)# failover lan unit primary
ASA-FW(config)# int e0/3
ASA-FW(config-if)# no sh
ASA-FW(config)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA-FW(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ASA-FW(config)# failover key cisco456
ASA-FW(config)# failover link LAN_FO
ASA-FW(config)# failover

The failover configuration is exactly the same as it was for Active/Standby failover. Remember that when adding failover to an existing configuration, you must configure standby IP addresses for all interfaces inside the security contexts.

ASA-FW(config)# changeto con CTX1
ASA-FW/CTX1(config)# int e0/1.101
ASA-FW/CTX1(config-if)# ip add 10.1.101.10 255.255.255.0 standby 10.1.101.11
ASA-FW/CTX1(config-if)# int e0/2
ASA-FW/CTX1(config-if)# ip add 10.1.104.10 255.255.255.0 standby 10.1.104.11
ASA-FW/CTX1(config-if)# int e0/0
ASA-FW/CTX1(config-if)# ip add 10.1.102.10 255.255.255.0 standby 10.1.102.11
ASA-FW/CTX1(config-if)# changeto con CTX2
ASA-FW/CTX2(config)# int e0/1.104
ASA-FW/CTX2(config-if)# ip add 10.1.105.10 255.255.255.0 standby 10.1.105.11
ASA-FW/CTX2(config-if)# int e0/0
ASA-FW/CTX2(config-if)# ip add 10.1.102.12 255.255.255.0 standby 10.1.102.13
ASA-FW/CTX2(config-if)# changeto system

In multiple context mode, you can view the extended prompt when you log in to the system execution space or the admin context. Within a non-admin context, you only see the default prompt, which is the hostname and the context name. The ability to add information to the prompt allows you to see at a glance which adaptive security appliance you are logged into when you have multiple modules. During a failover, this feature is useful when both adaptive security appliances have the same hostname.

ASA-FW(config)# prompt hostname context priority state
ASA-FW/pri/act(config)#

Note that in Active/Active failover the ASA automatically generates different MAC addresses on shared interfaces. You do NOT need to configure "mac-address auto" in an A/A failover scenario.

Step 2 Switchport configuration where the ASA1 failover interface is connected.

SW3(config)#int f0/13
SW3(config-if)#sw mo acc
SW3(config-if)#sw acc vl 254
% Access VLAN does not exist. Creating vlan 254
SW3(config-if)#exi

Step 3 Switchport configuration where the ASA2 failover interface is connected.

Switch(config)#ho SW4
SW4(config)#int f0/10
SW4(config-if)#sw mo acc
SW4(config-if)#sw acc vl 102
% Access VLAN does not exist. Creating vlan 102
SW4(config-if)#int f0/11
SW4(config-if)#sw tru enca dot
SW4(config-if)#sw mo tru
SW4(config-if)#int f0/12
SW4(config-if)#sw mo acc
SW4(config-if)#sw acc vl 105
% Access VLAN does not exist. Creating vlan 105
SW4(config-if)#int f0/13
SW4(config-if)#sw mo acc
SW4(config-if)#sw acc vl 254
% Access VLAN does not exist. Creating vlan 254

SW4(config-if)#int ran f0/19 - 24
SW4(config-if-range)#sw tru enca dot
SW4(config-if-range)#sw mo tru
SW4(config-if-range)#exi
SW4(config)#vlan 101
SW4(config-vlan)#exi
SW4(config)#vlan 104
SW4(config-vlan)#exi

Step 4 ASA2 configuration.

ciscoasa(config)# no failover
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no sh
ciscoasa(config-if)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ciscoasa(config)# failover key cisco456
ciscoasa(config)# failover link LAN_FO
ciscoasa(config)# failover
ciscoasa(config)# .
        Detected an Active mate
ciscoasa(config)# Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'CTX1'... Done. (3)
WARNING: Skip fetching the URL disk0:/CTX1.cfg
INFO: Creating context with default config
Creating context 'CTX2'... Done. (4)

WARNING: Skip fetching the URL disk0:/CTX2.cfg
INFO: Creating context with default config
        Group 1 Detected Active mate
        Group 2 Detected Active mate
End configuration replication from mate.
        Group 2 preempt mate
ASA-FW/sec/stby(config)#

On the secondary ASA only the basic failover configuration is required. After configuring and enabling failover, the secondary unit contacts the primary unit and copies the configuration for all contexts and the system execution space. As you can see, both failover groups are active on the primary ASA at the beginning. However, after configuration replication the secondary ASA "preempts" failover group 2.

Verification

ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 05:37:45 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host:    Primary
  Group 1     State:          Active
              Active time:    701 (sec)
  Group 2     State:          Standby Ready
              Active time:    597 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.10): Normal
    CTX1 Interface Outside (10.1.102.10): Normal
    CTX2 Interface Inside (10.1.105.11): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.13): Normal
  slot 1: empty

Other host:   Secondary
  Group 1     State:          Standby Ready
              Active time:    0 (sec)
  Group 2     State:          Active
              Active time:    103 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.11): Normal
    CTX1 Interface Outside (10.1.102.11): Normal
    CTX2 Interface Inside (10.1.105.10): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.12): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         15         0          15         0
        sys cmd         15         0          15         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       16
        Xmit Q:         0       1       16

Note that the status of the Inside interface in both contexts is "Normal (Not-Monitored)". This is because by default the ASA does not monitor subinterfaces or logical interfaces. To enable monitoring for those interfaces, the "monitor-interface Inside" command must be configured in each of the security contexts.

ASA-FW/pri/act(config)# sh failover group 1

Last Failover at: 05:37:45 UTC Jul 17 2010
        This host:    Primary
                State:          Active
                Active time:    829 (sec)
                CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
                CTX1 Interface DMZ (10.1.104.10): Normal
                CTX1 Interface Outside (10.1.102.10): Normal
        Other host:   Secondary
                State:          Standby Ready
                Active time:    0 (sec)
                CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
                CTX1 Interface DMZ (10.1.104.11): Normal
                CTX1 Interface Outside (10.1.102.11): Normal

Stateful Failover Logical Update Statistics
        Status: Configured.
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

ASA-FW/pri/act(config)# sh failover group 2

Last Failover at: 05:47:42 UTC Jul 17 2010
        This host:    Primary
                State:          Standby Ready
                Active time:    597 (sec)
                CTX2 Interface Inside (10.1.105.11): Normal (Not-Monitored)
                CTX2 Interface Outside (10.1.102.13): Normal
        Other host:   Secondary
                State:          Active
                Active time:    248 (sec)
                CTX2 Interface Inside (10.1.105.10): Normal (Not-Monitored)
                CTX2 Interface Outside (10.1.102.12): Normal

Stateful Failover Logical Update Statistics
        Status: Configured.
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

ASA-FW/pri/act(config)# sh failover interface
        interface LAN_FO Ethernet0/3
                System IP Address: 10.1.254.10 255.255.255.0
                My IP Address    : 10.1.254.10
                Other IP Address : 10.1.254.11
ASA-FW/pri/act(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# sh int e0/0
Interface Ethernet0/0 "Outside", is up, line protocol is up
        MAC address 1200.a300.0000, MTU 1500
        IP address 10.1.102.10, subnet mask 255.255.255.0
        Traffic Statistics for "Outside":
                99 packets input, 7632 bytes

                72 packets output, 6696 bytes
                0 packets dropped
ASA-FW/CTX1/pri/act(config)# sh int e0/1.101
Interface Ethernet0/1.101 "Inside", is up, line protocol is up
        MTU 1500
        IP address 10.1.101.10, subnet mask 255.255.255.0
        Traffic Statistics for "Inside":
                12 packets input, 822 bytes
                25 packets output, 920 bytes
                0 packets dropped
ASA-FW/CTX1/pri/act(config)# changeto context CTX2
ASA-FW/CTX2/pri/stby(config)# sh int e0/0
Interface Ethernet0/0 "Outside", is up, line protocol is up
        MTU 1500
        IP address 10.1.102.13, subnet mask 255.255.255.0
        Traffic Statistics for "Outside":
                99 packets input, 7872 bytes
                81 packets output, 7268 bytes
                0 packets dropped
ASA-FW/CTX2/pri/stby(config)# sh int e0/1.104
Interface Ethernet0/1.104 "Inside", is up, line protocol is up
        MTU 1500
        IP address 10.1.105.11, subnet mask 255.255.255.0
        Traffic Statistics for "Inside":
                9 packets input, 684 bytes
                20 packets output, 1060 bytes
                0 packets dropped

Note: Enable ICMP inspection in both security contexts to ease the verification. Since we are on the primary ASA in the CTX2 security context (which is standby), we cannot configure any commands. Hence, to make changes to CTX1 we need to do it manually. However, we can use the Remote Command Execution feature to configure the remote active context on the second device. Unfortunately, this tool cannot be used for changing the security context (the "changeto" command does not work).

ASA-FW/CTX2/pri/stby(config)# policy-map global_policy
**** WARNING ****
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.
ASA-FW/CTX2/pri/stby(config-pmap)#
ASA-FW/CTX2/pri/stby(config-pmap)# exi
**** WARNING ****
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.

ASA-FW/CTX2/pri/stby(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp      <-- Note: No ICMP Inspection
!
ASA-FW/CTX2/pri/stby(config)# failover exec mate policy-map global_policy
ASA-FW/CTX2/pri/stby(config)# failover exec mate class inspection_default
ASA-FW/CTX2/pri/stby(config)# failover exec mate inspect icmp
ASA-FW/CTX2/pri/stby(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp       <-- ICMP Inspection is now enabled (configured on Active and synchronized over the Failover link)

!
ASA-FW/CTX2/pri/stby(config)# sh failover exec mate
Active unit Failover EXEC is at mpf-policy-map-class sub-command mode
ASA-FW/CTX2/pri/stby(config)# failover exec mate show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
ASA-FW/CTX2/pri/stby(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# policy-map global_policy
ASA-FW/CTX1/pri/act(config-pmap)# class inspection_default
ASA-FW/CTX1/pri/act(config-pmap-c)# inspect icmp
ASA-FW/CTX1/pri/act(config-pmap-c)# exi
ASA-FW/CTX1/pri/act(config-pmap)# exi

R1#p 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#p 10.1.105.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.105.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R5#p 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#p 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#p 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping from R4 is not successful because there is no route back on R2. It has nothing to do with ASA packet classification. After adding a route back, the ping is successful.

R2(config)#ip route 10.1.104.0 255.255.255.0 10.1.102.10
R4#p 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

It is highly recommended to perform a failover test after configuration. The best test in this situation would be shutting down the switch port for the DMZ interface of the CTX1 security context and checking whether failover "moves" CTX1 over to the secondary ASA.

FAILOVER TEST:

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int f0/12
SW3(config-if)#shut

ASA-FW/CTX1/pri/stby(config)# changeto system
ASA-FW/pri/stby(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:03:55 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host:    Primary
  Group 1     State:          Failed
              Active time:    1570 (sec)
  Group 2     State:          Standby Ready
              Active time:    597 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.11): No Link (Waiting)
    CTX1 Interface Outside (10.1.102.11): Normal (Waiting)
    CTX2 Interface Inside (10.1.105.11): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.13): Normal
  slot 1: empty

Other host:   Secondary
  Group 1     State:          Active
              Active time:    40 (sec)
  Group 2     State:          Active
              Active time:    1012 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.10): Normal (Waiting)
    CTX1 Interface Outside (10.1.102.10): Normal (Waiting)
    CTX2 Interface Inside (10.1.105.10): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.12): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         139        0          138        0
        sys cmd         136        0          136        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         3          0          2          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       138
        Xmit Q:         0       1       139

Note that now both security contexts are active on the secondary ASA.
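Checking the state shown by "show failover" by eye works in the lab, but in operation the same check is usually automated. The following parser is an added example and is not code from the workbook: it reads 8.2-style "show failover" output like the transcripts above, extracts the per-group state on each unit and the per-context interface status, and reports anything that deviates from the intended Active/Active distribution (CTX1 on the primary, CTX2 on the secondary), any "Failed" group, any "Not-Monitored" interface (the sub-interface case the note above explains) and any interface stuck in a "Waiting" or "No Link" state. The sample transcript embedded below is constructed to match the failed-state output of the failover test.

```python
"""Parse and sanity-check Cisco ASA 'show failover' output (Active/Active).

Added example, not workbook code. Assumes the 8.2-style output layout used in
the lab; the sample transcript below is constructed from that layout.
"""
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")
ACTIVE_TIME_RE = re.compile(r"^\s*Active time:\s+(\d+)")
IFACE_RE = re.compile(r"^\s*(\S+) Interface (\S+) \(([\d.]+)\):\s+(.+?)\s*$")
POLL_RE = re.compile(r"^\s*(Unit|Interface) Poll frequency (\d+) (seconds|milliseconds), holdtime (\d+) seconds")


@dataclass
class HostInfo:
    unit: str                                   # "Primary" or "Secondary"
    groups: dict = field(default_factory=dict)  # group id -> {"state", "active_time"}
    interfaces: list = field(default_factory=list)  # (context, nameif, ip, status)


def parse_show_failover(text):
    """Return {"hosts": {"this": HostInfo, "other": HostInfo}, "timers": {...}}."""
    hosts, timers = {}, {}
    current_host, current_group = None, None
    for line in text.splitlines():
        m = POLL_RE.match(line)
        if m:  # unit/interface hello interval and hold time, normalised to ms / s
            kind, val, unit, hold = m.groups()
            poll_ms = int(val) if unit == "milliseconds" else int(val) * 1000
            timers[kind.lower()] = {"poll_ms": poll_ms, "hold_s": int(hold)}
            continue
        m = HOST_RE.match(line)
        if m:
            current_host = HostInfo(unit=m.group(2))
            hosts["this" if m.group(1) == "This" else "other"] = current_host
            current_group = None
            continue
        if current_host is None:
            continue  # header lines before the first "This host:" block
        m = GROUP_RE.match(line)
        if m:
            current_group = int(m.group(1))
            current_host.groups[current_group] = {"state": m.group(2), "active_time": None}
            continue
        m = ACTIVE_TIME_RE.match(line)
        if m and current_group is not None:
            current_host.groups[current_group]["active_time"] = int(m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m:
            current_host.interfaces.append(m.groups())
    return {"hosts": hosts, "timers": timers}


def check_failover(parsed, expected_active):
    """expected_active maps group id -> unit that should hold it Active.

    Returns a list of human-readable findings; an empty list means all good.
    """
    findings = []
    for gid, unit in expected_active.items():
        for h in parsed["hosts"].values():
            state = h.groups.get(gid, {}).get("state")
            if state is None:
                continue
            if state == "Failed":
                findings.append(f"group {gid} is Failed on {h.unit}")
            if h.unit == unit and state != "Active":
                findings.append(f"group {gid} expected Active on {unit}, is {state}")
            if h.unit != unit and state == "Active":
                findings.append(f"group {gid} is Active on {h.unit}, expected on {unit}")
    for h in parsed["hosts"].values():
        for ctx, name, ip, status in h.interfaces:
            if "Not-Monitored" in status:
                findings.append(f"{h.unit}: {ctx}/{name} ({ip}) is not monitored; "
                                f"consider 'monitor-interface {name}' in context {ctx}")
            elif not status.startswith("Normal") or "Waiting" in status:
                findings.append(f"{h.unit}: {ctx}/{name} ({ip}) status is {status}")
    return findings


# Constructed sample in the layout of the failed-state transcript above.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum

This host:    Primary
  Group 1     State:          Failed
              Active time:    1570 (sec)
  Group 2     State:          Standby Ready
              Active time:    597 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.11): No Link (Waiting)
    CTX1 Interface Outside (10.1.102.11): Normal (Waiting)
    CTX2 Interface Inside (10.1.105.11): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.13): Normal
  slot 1: empty

Other host:   Secondary
  Group 1     State:          Active
              Active time:    40 (sec)
  Group 2     State:          Active
              Active time:    1012 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.10): Normal (Waiting)
    CTX1 Interface Outside (10.1.102.10): Normal (Waiting)
    CTX2 Interface Inside (10.1.105.10): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.12): Normal
  slot 1: empty
"""

if __name__ == "__main__":
    for finding in check_failover(parse_show_failover(SAMPLE), {1: "Primary", 2: "Secondary"}):
        print(finding)
```

Feed it the output of "show failover" taken from the system execution space; a transient "Normal (Waiting)" right after a link comes back is expected, so in a monitoring job alert on that state only if it persists across several polls.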

We can bring the switch port back up now and see if the primary ASA preempts the CTX1 context.

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int f0/12
SW3(config-if)#no shut

ASA-FW/pri/act(config)#
        Group 1 preempt mate
ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:07:48 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host:    Primary
  Group 1     State:          Active
              Active time:    1601 (sec)
  Group 2     State:          Standby Ready
              Active time:    597 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.10): Normal (Waiting)
    CTX1 Interface Outside (10.1.102.10): Normal (Waiting)
    CTX2 Interface Inside (10.1.105.11): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.13): Normal
  slot 1: empty

Other host:   Secondary
  Group 1     State:          Standby Ready
              Active time:    210 (sec)
  Group 2     State:          Active
              Active time:    1215 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.11): Normal (Waiting)
    CTX1 Interface Outside (10.1.102.11): Normal (Waiting)
    CTX2 Interface Inside (10.1.105.10): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.12): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         166        0          165        0
        sys cmd         163        0          163        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         3          0          2          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       165
        Xmit Q:         0       1       166

You may see the "Normal (Waiting)" state for the DMZ link for a while. This is because the ASA uses keepalives between the interfaces to detect failure. Wait a bit and re-issue the command again. If you see the "Waiting" state for a long time, this may indicate a problem with the L2 configuration. Check that both interfaces are reachable and that the switchports are configured correctly.

ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:07:48 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host:    Primary
  Group 1     State:          Active
              Active time:    1711 (sec)
  Group 2     State:          Standby Ready
              Active time:    597 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.10): Normal
    CTX1 Interface Outside (10.1.102.10): Normal
    CTX2 Interface Inside (10.1.105.11): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.13): Normal
  slot 1: empty

Other host:   Secondary
  Group 1     State:          Standby Ready
              Active time:    210 (sec)
  Group 2     State:          Active
              Active time:    1325 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
    CTX1 Interface DMZ (10.1.104.11): Normal
    CTX1 Interface Outside (10.1.102.11): Normal
    CTX2 Interface Inside (10.1.105.10): Normal (Not-Monitored)
    CTX2 Interface Outside (10.1.102.12): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         188        0          187        0
        sys cmd         185        0          185        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         3          0          2          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       187
        Xmit Q:         0       1       188

Task 3

To improve failover speed between the two ASAs, configure both the unit and interface poll time to exchange hello packets every 500 ms. Set the hold time to 5 sec. Configure the ASA to monitor all its interfaces. Also, ensure that the ASA performs a switchover for context CTX1 if a minimum of two interfaces fail.

• If you want failover to occur faster, decrease the failover unit poll time, which specifies how often hello messages are sent on the failover link. The hold time value specifies the amount of time the ASA waits (after losing three consecutive hellos) before declaring the peer unit failed and triggering a failover. You can also specify those parameters for monitored interfaces, as the ASA sends hello packets out of each monitored data interface to monitor interface health. Also, there is a default failover policy which specifies a percentage or a number of interfaces which must fail before the ASA triggers a failover. The default is 1, meaning that failover is triggered when only one interface fails.

Configuration

Complete these steps:

Step 1 Primary ASA configuration.

ASA-FW/pri/act(config)# changeto system
ASA-FW/pri/act(config)# failover polltime unit msec 500 holdtime 5
ASA-FW/pri/act(config)# failover group 1
ASA-FW/pri/act(config-fover-group)# interface-policy 2
ASA-FW/pri/act(config-fover-group)# polltime interface msec 500 holdtime 5
ASA-FW/pri/act(config-fover-group)# failover group 2
ASA-FW/pri/act(config-fover-group)# polltime interface msec 500 holdtime 5
ASA-FW/pri/act(config-fover-group)# exi

Note that the interface polltime and the interface policy are configured under the failover groups, while the unit polltime and the rest of the failover commands are configured in the system context.

ASA-FW/pri/act(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# monitor-interface Inside

Interface monitoring is configured in each security context, and this is the only failover-related command configured in this place. This is because this is where the ASA has access to the IP address of the interface.

ASA-FW/CTX1/pri/act(config)# changeto context CTX2
ASA-FW/CTX2/pri/stby(config)# failover exec active monitor-interface Inside

Verification

ASA-FW/CTX2/pri/stby(config)# changeto system
ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:07:48 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host:    Primary
  Group 1     State:          Active
              Active time:    3114 (sec)
  Group 2     State:          Standby Ready
              Active time:    597 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.10): Normal
    CTX1 Interface DMZ (10.1.104.10): Normal
    CTX1 Interface Outside (10.1.102.10): Normal
    CTX2 Interface Inside (10.1.105.11): Normal
    CTX2 Interface Outside (10.1.102.13): Normal
  slot 1: empty

Other host:   Secondary
  Group 1     State:          Standby Ready
              Active time:    210 (sec)
  Group 2     State:          Active
              Active time:    2728 (sec)

  slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
    CTX1 Interface Inside (10.1.101.11): Normal
    CTX1 Interface DMZ (10.1.104.11): Normal
    CTX1 Interface Outside (10.1.102.11): Normal
    CTX2 Interface Inside (10.1.105.10): Normal
    CTX2 Interface Outside (10.1.102.12): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LAN_FO Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         368        0          367        0
        sys cmd         365        0          365        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         3          0          2          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       367
        Xmit Q:         0       1       368

ASA-FW/pri/act(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# sh monitor-interface
        This host: Primary - Active
                Interface Inside (10.1.101.10): Normal
                Interface DMZ (10.1.104.10): Normal
                Interface Outside (10.1.102.10): Normal
        Other host: Secondary - Standby Ready
                Interface Inside (10.1.101.11): Normal
                Interface DMZ (10.1.104.11): Normal
                Interface Outside (10.1.102.11): Normal
ASA-FW/CTX1/pri/act(config)# changeto context CTX2
ASA-FW/CTX2/pri/stby(config)# sh monitor-interface
        This host: Primary - Standby Ready
                Interface Inside (10.1.105.11): Normal
                Interface Outside (10.1.102.13): Normal
        Other host: Secondary - Active
                Interface Inside (10.1.105.10): Normal
                Interface Outside (10.1.102.12): Normal

Task 4

You have been notified by your company's networking team that they plan to deploy another router on the outside network to connect to another ISP for redundancy and load sharing. You must act proactively and ensure that any asymmetric traffic (including HTTP) caused by the redundant ISPs will be handled by the ASA in both contexts.

When an asrgroup is configured on the interface and it receives a packet for which it has no session information. ASA-FW/CTX2/pri/stby(config)# changeto system ASA-FW/pri/act(config)# failover group 1 ASA-FW/pri/act(config-fover-group)# replication http ASA-FW/pri/act(config-fover-group)# failover group 2 ASA-FW/pri/act(config-fover-group)# replication http ASA-FW/pri/act(config-fover-group)# changeto context CTX1 ASA-FW/CTX1/pri/act(config)# interface e0/0 ASA-FW/CTX1/pri/act(config-if)# asr-group 1 ASA-FW/CTX1/pri/act(config-if)# changeto context CTX2 ASA-FW/CTX2/pri/stby(config)# failover exec active interface e0/0 ASA-FW/CTX2/pri/stby(config)# failover exec active asr-group 1 Verification ASA-FW/CTX2/pri/stby(config)# failover exec active sh interface e0/0 detail Interface Ethernet0/0 "Outside".0 Traffic Statistics for "Outside": 4015 packets input. is up.0000. 432772 bytes 4012 packets output. MTU 1500 IP address 10. 432696 bytes 0 packets dropped Control Point Interface States: Interface number is 1 Page 237 of 1033 .255. This means that one unit may receive a return packet for a connection originated through its peer unit. line protocol is up MAC address 1200.255.0400.12. subnet mask 255. instead of being dropped. the packet is dropped. there is a greater chance for asymmetric routing. This is most common when there are two ISPs with BGP and packet can return from a different ISP. it checks the session information for the other interfaces that are in the same ASR Group.1. the Layer 2 header is re-written and the packet is redirected to the other unit.102. Then. This can be prevented on the ASA by using ASR Groups (Asynchronous Routing Groups) configured on the interface inside the context. Because this unit does not have any connection information for this packet. Configuration Complete these steps: Step 1 Primary ASA configuration.CCIE SECURITY v4 Lab Workbook  In Active/Active designs.

        Interface config status is active
        Interface state is active
  Asymmetrical Routing Statistics:
        Received 0 packets
        Transmitted 0 packets
        Dropped 0 packets
ASA-FW/CTX2/pri/stby(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# sh interface e0/0 detail
Interface Ethernet0/0 "Outside", is up, line protocol is up
        MAC address 1200.0000.0500, MTU 1500
        IP address 10.102.1.10, subnet mask 255.255.255.0
  Traffic Statistics for "Outside":
        6088 packets input, 539738 bytes
        4105 packets output, 442420 bytes
        1955 packets dropped
  Control Point Interface States:
        Interface number is 2
        Interface config status is active
        Interface state is active
  Asymmetrical Routing Statistics:
        Received 0 packets
        Transmitted 0 packets
        Dropped 0 packets

Lab 1. Redundant Interfaces

Lab Setup

 R1's F0/0 and ASA1's E0/0 & E0/1 interfaces should be configured in VLAN 101.
 R2's G0/0 and ASA1's E0/2 & E0/3 interfaces should be configured in VLAN 102.
 Configure Telnet on all routers using password "cisco".
 Configure a static default route on all routers pointing to the ASA.

IP Addressing

Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.101.1.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.102.1.2/24

Task 1

Configure the following redundant interfaces on ASA1:

Interface name   Member physical interfaces   IP address        nameif    Security
Redundant1       E0/0, E0/1                   10.101.1.10/24    Inside    100
Redundant2       E0/2, E0/3                   10.102.1.10/24    Outside   0

Configure ASA1 with a hostname of ASA-FW.

 A redundant interface is a logical interface made up of two physical interfaces. One physical interface serves as the active interface while the other serves as the standby. It does not load share across both interfaces at the same time. When the active interface fails, the standby interface becomes active and starts passing traffic. A redundant interface is considered to be in a failed state only when both of the underlying physical interfaces fail. Up to eight redundant interface pairs can be configured. Both member interfaces must be of the same physical type (i.e. Ethernet) and have similar parameters configured (i.e. duplex, speed). There must not be any other logical parameters configured on the member interfaces, like nameif, security level or IP address; those parameters must first be removed before adding the physical interface to the redundant pair. The redundant interface uses the MAC address of the first physical interface you add. If you change the order of the member interfaces in the configuration, the MAC address changes to match the MAC address of the interface that is now listed first. You can also assign a MAC address to the redundant interface, which is then used regardless of the member interface MAC addresses. Also remember that there is no preemption between redundant interface members: if one member fails and then comes back, it will not become the active member automatically. You can use a redundant interface for the failover link between two ASA devices. There must be a switch between the ASAs and the same active link (redundant interface member) must be up on both sides of the link. Be careful, because when the active interface fails over to the standby interface, the redundant interface does not appear to be failed when it is monitored for device-level failover.

Configuration

Complete these steps:

Step 1 ASA configuration.

ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# int e0/0
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/2
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/3
ASA-FW(config-if)# no sh
ASA-FW(config-if)# interface redundant 1
ASA-FW(config-if)# member-interface e0/0
INFO: security-level and IP address are cleared on Ethernet0/0.
ASA-FW(config-if)# member-interface e0/1
INFO: security-level and IP address are cleared on Ethernet0/1.
ASA-FW(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA-FW(config-if)# ip add 10.101.1.10 255.255.255.0
ASA-FW(config-if)# no sh
ASA-FW(config-if)# interface redundant 2
ASA-FW(config-if)# member-interface e0/2
INFO: security-level and IP address are cleared on Ethernet0/2.
ASA-FW(config-if)# member-interface e0/3
INFO: security-level and IP address are cleared on Ethernet0/3.
ASA-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW(config-if)# ip add 10.102.1.10 255.255.255.0
ASA-FW(config-if)# no sh
ASA-FW(config-if)# exit

Verification

ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0019.e8d9.6272, MTU 1500
        IP address 10.101.1.10, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        358 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (8/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "Inside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member Ethernet0/0(Active), Ethernet0/1
        Last switchover at 20:50:29 UTC Oct 19 2009
ASA-FW(config)# sh int red2
Interface Redundant2 "Outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0019.e8d9.6274, MTU 1500
        IP address 10.102.1.10, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        33 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (8/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
ASA-FW(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Active member of Redundant1
        MAC address 0019.e8d9.6272, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/254)

  Traffic Statistics for "Outside":
        0 packets input, 0 bytes
        1 packets output, 64 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member Ethernet0/2(Active), Ethernet0/3
        Last switchover at 20:51:11 UTC Oct 19 2009

See that the Active member is by default the first member added to the redundant interface pair. Also note that the MAC address of the redundant interface is inherited from the first member added to the configuration. Now, it's time to test. Shut down the switch port where the E0/0 interface is connected.

TEST:

SW3(config)#int f0/10
SW3(config-if)#shut
SW3(config-if)#

ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0019.e8d9.6272, MTU 1500
        IP address 10.101.1.10, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        358 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 1 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/25) software (0/0)
        output queue (curr/max packets): hardware (0/1) software (0/0)
  Traffic Statistics for "Inside":
        0 packets input, 0 bytes

        1 packets output, 28 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member Ethernet0/1(Active), Ethernet0/0
        Last switchover at 20:58:09 UTC Oct 19 2009

The second member interface has been promoted to the Active state. Note that the MAC address has not changed. This is because it is inherited from the first member in the configuration – not from the Active member! Now, bring the switch port back up.

SW3(config)#int f0/10
SW3(config-if)#no sh
SW3(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
SW3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0019.e8d9.6272, MTU 1500
        IP address 10.101.1.10, subnet mask 255.255.255.0
        109 packets input, 8788 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        358 L2 decode drops
        124 packets output, 6985 bytes, 0 underruns
        0 output errors, 0 collisions, 1 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (1/25) software (0/0)
        output queue (curr/max packets): hardware (0/1) software (0/0)
  Traffic Statistics for "Inside":
        109 packets input, 4503 bytes
        124 packets output, 6078 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  23 bytes/sec
      1 minute output rate 0 pkts/sec,  41 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

  Redundancy Information:
        Member Ethernet0/1(Active), Ethernet0/0
        Last switchover at 20:58:09 UTC Oct 19 2009

See that the Active interface did not change. This is because there is no preempt in the redundant interfaces. The Active interface in the redundant pair can be changed using the command "redundant-interface red1 active-member".

ASA-FW(config)# redundant-interface red1 active-member ethernet0/0
ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0019.e8d9.6272, MTU 1500
        IP address 10.101.1.10, subnet mask 255.255.255.0
        110 packets input, 8852 bytes, 0 no buffer
        Received 1 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        359 L2 decode drops
        125 packets output, 7049 bytes, 0 underruns
        0 output errors, 0 collisions, 1 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (2/25) software (0/0)
        output queue (curr/max packets): hardware (0/2) software (0/0)
  Traffic Statistics for "Inside":
        109 packets input, 4503 bytes
        125 packets output, 6106 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  15 bytes/sec
      5 minute output rate 0 pkts/sec,  20 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member Ethernet0/0(Active), Ethernet0/1
        Last switchover at 21:05:15 UTC Oct 19 2009

Lab 1. Transparent Firewall

Lab Setup

 R1's F0/0 and ASA1's E0/1 interfaces should be configured in VLAN 101.
 R2's G0/0 and ASA1's E0/0 interfaces should be configured in VLAN 102.
 R1's F0/1 and R4's F0/1 interfaces should be configured in VLAN 104.
 Configure Telnet on all routers using password "cisco".

IP Addressing

Router   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.100.1.1/24
         F0/1        10.104.1.1/24
R2       Lo0         2.2.2.2/24
         G0/0        10.100.1.2/24
R4       Lo0         4.4.4.4/24

         F0/0        10.104.1.4/24

Task 1

Configure the ASA as a transparent firewall. Use interface E0/0 as the Outside and interface E0/1 as the Inside. Assign a management IP address of 10.100.1.10/24 and allow connections via SSH from the inside networks only. Set the SSH access password to "cisco123". Configure a domain name of MicronicsTraining.com.

 Traditionally, a firewall is a routed hop and acts as a default gateway for hosts in the local network. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire" and is not seen as a router hop by other devices. The ASA connects the same network on its inside and outside ports, but each interface resides in a different broadcast domain (a different VLAN is used), so that the ASA performs secured transparent bridging between the two VLANs. It is very useful and allows us to deploy a firewall in the network without IP readdressing or changing the routing domain. However, the ASA in transparent mode differs from routed mode in the following ways:

 Supports only two data interfaces - you can use only Inside and Outside, no DMZ is allowed.
 Bridges packets from one interface/VLAN to the other - there is no routing decision taking place; packets are bridged based on Layer 2 addresses. However, you can use static routes for traffic originated on the ASA.
 Requires only one IP address - this IP address is assigned to the entire device and is used for management purposes and for communication between the ASA and external services like AAA servers or SYSLOG.
 Can pass traffic that cannot be passed by a security appliance in routed mode - for example Layer 2 traffic like BPDU, IPX or MPLS.

In addition to that, the ASA in transparent mode does not support:

 Dynamic Domain Name System (DynDNS)
 Dynamic routing protocols - however, dynamic routing protocols can be allowed to go through the ASA if an ACL permits them
 IPv6
 DHCP relay - the transparent ASA can act as a DHCP server, but cannot act as a DHCP relay, simply because it is no longer necessary, as you can pass DHCP traffic through the ASA using an ACL
 Quality of Service (QoS)
 Multicast - you can, however, allow multicast traffic through the ASA

 Virtual private network (VPN) termination - the transparent ASA supports only site-to-site VPN tunnels for management connections. It does not terminate remote access VPNs, but it passes VPN traffic through using an ACL.

To set the firewall mode to transparent mode, use the "firewall transparent" command in global configuration mode. For multiple context mode, this command is located in the system execution space (however, it also appears in each context configuration, just for informational purposes). Hence, you can use only one firewall mode for all contexts (no mix of routed and transparent is possible). After changing the mode, the ASA clears the configuration because many commands are not supported in transparent mode.

Configuration

Complete these steps:

Step 1 ASA configuration.

ciscoasa(config)# firewall transparent

Note that to change the firewall type back to Routed you must enter the "no firewall transparent" command.

ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# ip add 10.100.1.10 255.255.255.0
ciscoasa(config)# domain-name MicronicsTraining.com
ciscoasa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# ssh 0 0 inside
ciscoasa(config)# passwd cisco123

Verification

R1#ssh -l pix -c 3des 10.100.1.10

Password:
Type help or '?' for a list of available commands.
ciscoasa> exit

[Connection to 10.100.1.10 closed by foreign host]

There is a built-in username of "pix" which can be used for remote access. The password of this user is the same as the enable password for the device.

R1#tel 10.100.1.2
Trying 10.100.1.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:39
*514 vty 0                idle                 00:00:00 10.100.1.1

  Interface    User               Mode         Idle     Peer Address

R2>exit

[Connection to 10.100.1.2 closed by foreign host]
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.100.1.1              -   0012.8031.b0e1  ARPA   FastEthernet0/0
Internet  10.100.1.2              0   0011.9368.b380  ARPA   FastEthernet0/0
Internet  10.100.1.10             0   0018.7317.dcf8  ARPA   FastEthernet0/0
Internet  10.104.1.1              -   0012.8031.dcf9  ARPA   FastEthernet0/1

ciscoasa(config)# sh arp
        Outside 10.100.1.2 0011.9368.b380 40
        Inside 10.100.1.1 0012.8031.b0e1 40

Note that we see an ARP table on the ASA, but it is not used for traffic crossing the device.

Task 2

Configure a BGP neighbor relationship between R1 and R2 in AS 100. The neighbor relationship should be authenticated using a key of "bgp123".

 Just like any other routing protocol, BGP can be configured for authentication. You can configure MD5 authentication between two BGP peers, which means that each packet sent on the TCP connection between the peers is verified. MD5 authentication must be configured with the same password on both BGP peers. The 128-bit (16-byte) hash value is produced using the following items:

 the TCP pseudo-header (in the order: source IP address, destination IP address, zero-padded protocol number, and segment length)
 the TCP header, excluding options, and assuming a checksum of zero
 the TCP segment data (if any)
 an independently-specified key or password, known to both peers (the BGP password)

This MD5 hash is then sent to the BGP peer using TCP Option 19 in the TCP header. When you are configuring BGP peers with MD5 authentication that pass through an ASA, it is important to disable sequence number randomization, because the sequence number is part of the TCP header the BGP peers hash to calculate the MD5 value. And here is another issue: the ASA automatically clears all TCP options and forwards the packets to the destination. Without that configuration on the ASA, the BGP authentication is broken and the BGP peers display the following error message on the console:

%TCP-6-BADAUTH: No MD5 digest from 10.100.1.2(179) to 10.100.1.1(54787) (RST)

So, just to summarize, two things must be done on the ASA to successfully establish BGP peering:

• Sequence number randomization for BGP packets must be disabled
• TCP option 19 must be allowed in the BGP packets

This can be done using the so-called TCP normalization features. Using a tcp-map we can specify/match advanced options inside the TCP header (it works like a class-map, but it is designed for TCP), and then in the policy-map we use the "set connection" command (instead of "inspect") to perform an action on our matched traffic.

Configuration

Complete these steps:

Step 1 R1 BGP configuration.

R1(config)#router bgp 100
R1(config-router)#neighbor 10.100.1.2 remote-as 100
R1(config-router)#neighbor 10.100.1.2 password bgp123
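To make the four hashed items above concrete, here is an added example (not code from the workbook or from Cisco) that computes the RFC 2385 TCP MD5 signature exactly in that order, encodes it as TCP option 19, verifies it on the receiving side, and then shows what happens when a middlebox changes the sequence number or strips the option. The addresses 10.100.1.1/10.100.1.2, port 179 and the key bgp123 are the lab's values; the source port 54787, the sequence/ack numbers and the BGP payload bytes are constructed for the demonstration.

```python
"""RFC 2385 TCP MD5 signature (TCP option 19) as used between BGP peers."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_OPT_MD5_SIG = 19       # option kind
TCP_OPT_MD5_SIG_LEN = 18   # kind (1) + length (1) + 16-byte digest


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, data_offset_words=5):
    """20-byte fixed TCP header; checksum and urgent pointer are zero.
    data_offset_words counts header + options in 32-bit words (5 = no options)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """MD5 over: pseudo-header, fixed TCP header with checksum zeroed (options excluded),
    segment data, shared key.  The pseudo-header's segment length still counts the options."""
    seg_len = len(tcp_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + hdr_zero_csum + payload + key).digest()


def md5_option(digest):
    """TCP option 19: kind, length 18, digest.  Caller pads to a 4-byte boundary with NOPs."""
    return bytes([TCP_OPT_MD5_SIG, TCP_OPT_MD5_SIG_LEN]) + digest


def parse_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest from option 19, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:
            break
        if kind == TCP_OPT_MD5_SIG and length == TCP_OPT_MD5_SIG_LEN:
            return options[i + 2:i + TCP_OPT_MD5_SIG_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key):
    """Receiver side: a missing option is the 'No MD5 digest' case the router logs."""
    received = parse_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, len(options), payload, key)
    return hmac.compare_digest(expected, received)


def demo_middlebox_effects(key=b"bgp123"):
    """Constructed segment from R2 (10.100.1.2:179) to R1 (10.100.1.1:54787).
    Returns (verified as sent, verified after seq rewrite, verified after option strip)."""
    src, dst = "10.100.1.2", "10.100.1.1"
    payload = b"\xff" * 16 + b"\x00\x13\x04"   # constructed: BGP marker + length + KEEPALIVE
    # 20 bytes of options: 18-byte MD5 option + 2 NOPs -> data offset 5 + 5 words
    hdr = build_tcp_header(179, 54787, 1000, 2000, 0x18, 16384, data_offset_words=10)
    options = md5_option(tcp_md5_digest(src, dst, hdr, 20, payload, key)) + b"\x01\x01"
    ok_as_sent = verify_segment(src, dst, hdr, options, payload, key)
    # Sequence number randomization: only the seq field differs, so the digest no longer matches.
    rewritten = build_tcp_header(179, 54787, 1000 + 0x5A5A5A5A, 2000, 0x18, 16384, 10)
    ok_after_seq_rewrite = verify_segment(src, dst, rewritten, options, payload, key)
    # Option clearing: the digest never arrives, so there is nothing to verify.
    stripped = build_tcp_header(179, 54787, 1000, 2000, 0x18, 16384, data_offset_words=5)
    ok_after_strip = verify_segment(src, dst, stripped, b"", payload, key)
    return ok_as_sent, ok_after_seq_rewrite, ok_after_strip


if __name__ == "__main__":
    print(demo_middlebox_effects())   # (True, False, False)
```

The two False results map one-to-one onto the two ASA settings in Step 3: `set connection random-sequence-number disable` keeps the hashed header bytes intact, and the tcp-map's `tcp-options range 19 19 allow` keeps the digest in the packet.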

Step 2 R2 BGP configuration.

R2(config)#router bgp 100
R2(config-router)#neighbor 10.100.1.1 remote-as 100
R2(config-router)#neighbor 10.100.1.1 password bgp123

Step 3 ASA configuration.

ciscoasa(config)# tcp-map BGPMAP
ciscoasa(config-tcp-map)# tcp-options range 19 19 allow
ciscoasa(config-tcp-map)# class-map BGP
ciscoasa(config-cmap)# match port tcp eq 179
ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class BGP
ciscoasa(config-pmap-c)# set connection random-sequence-number disable
ciscoasa(config-pmap-c)# set connection advanced-options BGPMAP
ciscoasa(config-pmap-c)# exi
ciscoasa(config-pmap)# exi

Verification

R1(config-router)#
%TCP-6-BADAUTH: No MD5 digest from 10.100.1.2(179) to 10.100.1.1(21762) (RST)
R1(config-router)#
%TCP-6-BADAUTH: No MD5 digest from 10.100.1.2(179) to 10.100.1.1(21762) (RST)
R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.1.2      4   100       0       0        0    0    0 never    Active

Be careful here, as the Active state in "show ip bgp summary" means that BGP is actively trying to connect to its peer. The state must be zero or some other number to be sure that BGP works fine.

R1#
%BGP-5-ADJCHANGE: neighbor 10.100.1.2 Up
R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.1.2      4   100       5       5        1    0    0 00:01:52        0

Task 3

Configure the ASA so that it examines each ARP packet on the inside and outside interfaces before forwarding the packet. It should look in the static ARP table for a matching entry and, if there is no match, it should drop the packet. Create a static ARP entry for the R1 and R2 Ethernet interfaces.

 ARP packets are allowed through the transparent ASA in both directions by default, without any ACL. However, you can control ARP packets by enabling ARP inspection. This feature prevents malicious users from performing a "man-in-the-middle" attack. For example, a host sends an ARP request to its default gateway and the default gateway router responds with its MAC address. The attacker can send another ARP response to the host with the attacker's MAC address instead of the router's MAC address. Thus, the attacker can intercept traffic and forward it to the real default gateway, so that it is completely transparent to the user. ARP inspection ensures that an attacker cannot send an ARP response with its own MAC address, as long as the correct MAC address and the associated IP address are in the static ARP table on the ASA. When you enable ARP inspection, the ASA compares the MAC address, IP address, and source interface in all ARP packets to the static entries in the ARP table. The following rules are enforced:

• if the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
• if there is a mismatch between the MAC address, the IP address, or the interface, the ASA drops the packet.
• if the ARP packet does not match any entry in the static ARP table, you can configure the ASA to either forward the packet out all interfaces (flood) or to drop the packet (no-flood).

You must configure the static ARP entries before enabling ARP inspection.

Configuration

Complete these steps:
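Before the CLI steps, here is an added example (not workbook or Cisco code) that models the three ARP inspection rules above against a static ARP table populated with the lab's entries, R1 10.100.1.1/001b.533b.ce68 on Inside and R2 10.100.1.2/001b.533b.ea58 on Outside. The ArpPacket, ArpInspector and run_lab_cases names are this example's own; the 0011.0011.0011 address is the spoofed MAC used later in this lab, and the unknown host 10.100.1.4/0000.0c12.3456 is constructed.

```python
"""Model of transparent-mode ARP inspection against the static ARP table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    interface: str    # nameif of the ASA interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str   # Cisco dotted notation, e.g. 001b.533b.ce68


class ArpInspector:
    FORWARD, DROP, FLOOD = "forward", "drop", "flood"

    def __init__(self):
        self.static = {}        # (interface, ip) -> mac          (arp <if> <ip> <mac>)
        self.miss_action = {}   # interface -> "flood"/"no-flood" (arp-inspection <if> enable ...)
        self.log = []           # what the ASA would send to syslog

    def arp(self, interface, ip, mac):
        self.static[(interface, ip)] = mac.lower()

    def arp_inspection(self, interface, miss_action):
        if miss_action not in ("flood", "no-flood"):
            raise ValueError("miss action must be flood or no-flood")
        self.miss_action[interface] = miss_action

    def inspect(self, pkt):
        """Rule 1: full match -> forward.  Rule 2: partial match -> drop.
        Rule 3: no entry at all -> flood or drop, per the interface's setting."""
        if pkt.interface not in self.miss_action:
            return self.FORWARD          # inspection not enabled on this interface
        mac = pkt.sender_mac.lower()
        if self.static.get((pkt.interface, pkt.sender_ip)) == mac:
            return self.FORWARD          # IP, MAC and interface all agree with the table
        for (ifc, ip), bound_mac in self.static.items():
            if ip != pkt.sender_ip and bound_mac != mac:
                continue
            if ip == pkt.sender_ip and bound_mac != mac:
                # wording follows the %ASA-3-322002 message shown in this lab
                self.log.append(
                    f"%ASA-3-322002: ARP inspection check failed for ARP response received "
                    f"from host {mac} on interface {pkt.interface}. This host is advertising "
                    f"MAC Address {mac} for IP Address {ip}, which is statically bound to "
                    f"MAC Address {bound_mac}.")
            else:
                self.log.append(f"ARP inspection mismatch: {pkt.sender_ip}/{mac} seen on "
                                f"{pkt.interface}, table binds {ip}/{bound_mac} to {ifc}")
            return self.DROP
        # No entry refers to this IP or MAC: honour flood / no-flood.
        return self.FLOOD if self.miss_action[pkt.interface] == "flood" else self.DROP


def build_lab_inspector(miss_action="no-flood"):
    """Same state as the Step 3 configuration of this lab."""
    asa = ArpInspector()
    asa.arp("Inside", "10.100.1.1", "001b.533b.ce68")
    asa.arp("Outside", "10.100.1.2", "001b.533b.ea58")
    asa.arp_inspection("Inside", miss_action)
    asa.arp_inspection("Outside", miss_action)
    return asa


def run_lab_cases(miss_action="no-flood"):
    """Run four constructed ARP packets through the model; returns (verdicts, syslog lines)."""
    asa = build_lab_inspector(miss_action)
    cases = {
        "r1_genuine": ArpPacket("Inside", "10.100.1.1", "001b.533b.ce68"),
        "r1_after_mac_change": ArpPacket("Inside", "10.100.1.1", "0011.0011.0011"),
        "r2_on_wrong_interface": ArpPacket("Inside", "10.100.1.2", "001b.533b.ea58"),
        "unknown_host": ArpPacket("Inside", "10.100.1.4", "0000.0c12.3456"),
    }
    verdicts = {name: asa.inspect(pkt) for name, pkt in cases.items()}
    return verdicts, asa.log


if __name__ == "__main__":
    verdicts, log = run_lab_cases()
    print(verdicts)       # {'r1_genuine': 'forward', 'r1_after_mac_change': 'drop', ...}
    print(log[0])         # the 322002 message for the spoofed R1 MAC
```

Run it once with the default no-flood and once with "flood" to see that only the unknown-host case changes verdict; the two mismatch cases are dropped under both settings, which is why the task's requirement ("if there is no match it should drop the packet") is met by no-flood and not by the default.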

First, we need to know the MAC addresses of both communicating hosts. Then we need to configure those MAC addresses on the ASA and enable the ARP inspection feature.

Step 1 Check the MAC address of R1.

R1#sh int f0/0 | in bia
  Hardware is MV96340 Ethernet, address is 001b.533b.ce68 (bia 001b.533b.ce68)

Step 2 Check the MAC address of R2.

R2#sh int g0/0 | in bia
  Hardware is BCM1125 Internal MAC, address is 001b.533b.ea58 (bia 001b.533b.ea58)

Step 3 Configure DAI on the ASA.

ciscoasa(config)# arp inside 10.100.1.1 001b.533b.ce68
ciscoasa(config)# arp outside 10.100.1.2 001b.533b.ea58
ciscoasa(config)# arp-inspection inside enable no-flood
ciscoasa(config)# arp-inspection outside enable no-flood

Verification

ciscoasa(config)# sh arp-inspection
interface            arp-inspection         miss
----------------------------------------------------
Outside              enabled                no-flood
Inside               enabled                no-flood
ciscoasa(config)# sh arp
        Outside 10.100.1.2 001b.533b.ea58 -
        Inside 10.100.1.1 001b.533b.ce68 -

R1#tel 10.100.1.2
Trying 10.100.1.2 ... Open

User Access Verification

Password:
R2>exit

[Connection to 10.100.1.2 closed by foreign host]

To verify, let's change the MAC address on R1.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#mac-address 0011.0011.0011
R1(config-if)#^Z
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#tel 10.100.1.2
Trying 10.100.1.2 ...
% Connection timed out; remote host not responding

The Telnet connection does not work after the MAC change. Logs on the ASA indicate that ARP inspection blocked the traffic:

%ASA-3-322002: ARP inspection check failed for ARP response received from host 0011.0011.0011 on interface Inside. This host is advertising MAC Address 0011.0011.0011 for IP Address 10.100.1.1, which is statically bound to MAC Address 001b.533b.ce68.

Task 4

Remove the static MAC address from R1's F0/0 interface. Configure the R1 and R2 interfaces to be part of OSPF Area 0. Ensure that the routers successfully establish an OSPF neighbor relationship.

 By default only Layer 3 unicast traffic is passed through the ASA (from the interface with the higher security level to the interface with the lower security level). To permit Layer 3 broadcast or multicast packets through the ASA, you must configure an ACL with a Layer 3 destination address of 255.255.255.255 for broadcast or 224.x.x.x for multicast. For OSPF you need to permit OSPF traffic (IP protocol 89) destined to the multicast addresses 224.0.0.5 and 224.0.0.6. As OSPF updates are sent between the DR and the OTHER routers using unicast, that traffic has to be allowed as well. The ACL must be applied in both directions (inside and outside) to allow adjacency formation for routing protocols like OSPF or EIGRP. OSPF configuration on the routers may be different in the real world and hence

there may have to be different ACL entries configured. Thus, it is recommended to enable logging on the ASA to see which OSPF packets are getting dropped and then build the proper ACL based on that information.

Configuration

Complete these steps:

Step 1 Revert the MAC address on R1 and configure OSPF.

R1(config)#int f0/0
R1(config-if)#no mac-address 0011.0011.0011
R1(config-if)#router ospf 1
R1(config-router)#network 0.0.0.0 0.0.0.0 area 0

Step 2 Configure OSPF on R2.

R2(config)#router ospf 1
R2(config-router)#network 0.0.0.0 0.0.0.0 area 0

Step 3 Allow OSPF to go through the ASA.

ciscoasa(config)# access-list OUTSIDE_IN permit 89 host 10.100.1.2 host 224.0.0.5
ciscoasa(config)# access-list OUTSIDE_IN permit 89 host 10.100.1.2 host 224.0.0.6
ciscoasa(config)# access-list OUTSIDE_IN permit 89 host 10.100.1.2 host 10.100.1.1
ciscoasa(config)# access-group OUTSIDE_IN in interface outside
ciscoasa(config)# access-list INSIDE_IN permit 89 host 10.100.1.1 host 224.0.0.5
ciscoasa(config)# access-list INSIDE_IN permit 89 host 10.100.1.1 host 224.0.0.6
ciscoasa(config)# access-list INSIDE_IN permit 89 host 10.100.1.1 host 10.100.1.2
ciscoasa(config)# access-group INSIDE_IN in interface inside

Verification

Message on R1:

%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:35    10.100.1.2      FastEthernet0/0

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:35    10.100.1.1      FastEthernet0/0

Note that the above access-lists break the BGP relationship previously configured, as they block TCP/179 traffic. As a BGP session can be established from either direction, there should be access-list entries allowing this in both.

Step 4 Allow BGP to go through the ASA.

ciscoasa(config)# access-list OUTSIDE_IN permit tcp host 10.100.1.2 host 10.100.1.1 eq 179
ciscoasa(config)# access-list INSIDE_IN permit tcp host 10.100.1.1 host 10.100.1.2 eq 179

Verification

R1#sh ip bgp summ
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.1.2      4   100      33      37        1    0    0 00:00:43        0

Task 5

Configure the ASA so that it translates R1's F0/0 IP address to the IP address 10.105.1.1. Also, R4's F0/0 IP address should be translated to the IP address 10.125.1.4. Ensure that Telnet works from R1 and R4 to R2's F0/0 interface and that the translation takes place.

 The ASA (version 8.0 and later) in transparent mode allows us to configure NAT for Layer 3 addresses traversing the firewall. This is done in the same way as in routed mode. However, you must configure static routing on the ASA to the upstream router if a subnet that is not directly connected is being translated. Also remember that you cannot configure interface PAT in transparent mode, as the ASA has no IP addresses on its interfaces.

Configuration

Complete these steps:

Step 1 Add a default route on R4.

R4(config)#ip route 0.0.0.0 0.0.0.0 10.104.1.1

Step 2 Add static routes on R2.

R2(config)#ip route 10.105.1.0 255.255.255.0 10.100.1.1
R2(config)#ip route 10.125.1.0 255.255.255.0 10.100.1.1

Step 3 Configure the ASA.

ciscoasa(config)# static (in,out) 10.105.1.1 10.100.1.1 netmask 255.255.255.255
ciscoasa(config)# static (in,out) 10.125.1.4 10.104.1.4 netmask 255.255.255.255
ciscoasa(config)# route inside 10.104.1.0 255.255.255.0 10.100.1.1
ciscoasa(config)# access-list INSIDE_IN permit tcp any any eq 23

Verification

R1#tel 10.100.1.2
Trying 10.100.1.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:23

*514 vty 0                idle                 00:00:00 10.105.1.1

  Interface    User               Mode         Idle     Peer Address

R2>exit

[Connection to 10.100.1.2 closed by foreign host]
R4#tel 10.100.1.2
Trying 10.100.1.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:19
*514 vty 0                idle                 00:00:00 10.125.1.4

  Interface    User               Mode         Idle     Peer Address

R2>exit

[Connection to 10.100.1.2 closed by foreign host]
ciscoasa(config)# sh xlate
2 in use, 2 most used
Global 10.105.1.1 Local 10.100.1.1
Global 10.125.1.4 Local 10.104.1.4
ciscoasa(config)# sh xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from Inside:10.100.1.1 to Outside:10.105.1.1 flags s
NAT from Inside:10.104.1.4 to Outside:10.125.1.4 flags s

Lab 1. Threat Detection

Lab Setup

 R1's F0/0 and the ASA's E0/1 interface should be configured in VLAN 101.
 R2's G0/0 and the ASA's E0/0 interface should be configured in VLAN 102.
 R4's F0/0 and the ASA's E0/2 interface should be configured in VLAN 104.
 Configure Telnet on all routers using password "cisco".
 Configure RIPv2 on all devices and advertise all of their directly connected networks.

IP Addressing

Device/Hostname   Interface (ifname)         IP address
R1                Lo0                        1.1.1.1/24
                  F0/0                       10.101.1.1/24
R2                Lo0                        2.2.2.2/24
                  G0/0                       10.102.1.2/24
R4                Lo0                        4.4.4.4/24

                  F0/0                       10.104.1.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)     10.102.1.10/24
                  E0/1 (IN, Security 80)     10.101.1.10/24
                  E0/2 (DMZ, Security 50)    10.104.1.10/24

Task 1

On the ASA configure the Threat Detection feature so that it collects information about the protocols and hosts in use. Configure this feature to generate a SYSLOG message when access-list drops reach a rate of 1000 pkt/sec measured over 20 minutes, or a burst rate of 100 pkt/sec. If an attack is discovered, block the attacker's host for 30 minutes.

 The Threat Detection feature can help an administrator determine the level of severity of packets that are detected and dropped by the ASA. Those statistics can help you detect activity that might be related to an attack, such as a denial of service (DoS) attack. There are two types of threat detection:

• Basic threat detection - tracks the rate at which threat-related packets are dropped and generates a SYSLOG message when rates exceed their thresholds
• Scanning threat detection - detects network sweeps and scans and optionally takes appropriate preventive action

In addition, the threat detection feature provides statistics for host-based, port-based and protocol-based information. Basic threat detection is enabled by default on the ASA and can slightly affect performance when there are lots of drops. Basic threat detection provides threat-related drop statistics by monitoring the following events:

• Access list drops
• Bad packet format
• Exceeded connection limits
• Detection of DoS attacks
• Failed basic firewall checks
• Detection of suspicious ICMP packets

• Packets failing application inspection
• Interface overload
• Detection of scanning attacks
• Detection of incomplete sessions, such as TCP SYN attacks or no-data UDP session attacks
Each of these monitored events has a default rate limit (threshold). The ASA tracks two types of rates for each monitored event: (1) the average event rate over the rate interval and (2) the burst event rate over a shorter burst interval, which is 1/60th of the rate interval or 10 seconds, whichever is higher (the exact fraction is release-dependent, so verify it in the configuration guide for your software version). When either rate is exceeded a SYSLOG message (733100) is generated. In our example the rate interval must be 20 minutes (1200 seconds), the average rate is 1000 packet drops per second and the burst rate is 100 drops per second. The calculated burst rate interval is 1/60 of 1200, which equals 20 seconds.

Scanning threat detection determines whether a scan is in progress by correlating the host database statistics for a specified host or subnet. If the default scanning threat rate threshold is exceeded, the ASA generates SYSLOG message 733101, which indicates that a host has been identified as a target or an attacker. You can configure scanning threat detection to perform automatic shunning (blocking a host): the ASA then terminates connections from hosts identified as attackers and generates a SYSLOG message. You can exempt host IP addresses from being shunned. Use the "show threat-detection shun" command to view the shunned hosts and release a host from being shunned using the "clear threat-detection shun" command. Unlike basic threat detection, scanning threat detection is not enabled by default, and a shun blocks all traffic from the identified host, so exempt your management and monitoring hosts before enabling it.

You can also configure the ASA to collect extensive threat detection statistics for hosts, ports, protocols and access lists. Statistics for access lists are enabled by default.

Configuration
Complete these steps:
Step 1  ASA configuration.
ASA-FW(config)# threat-detection rate acl-drop rate-interval 1200 average-rate 1000 burst-rate 100
ASA-FW(config)# threat-detection scanning-threat shun duration 1800
ASA-FW(config)# threat-detection statistics host
ASA-FW(config)# threat-detection statistics protocol
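The two-rate check described above is easy to misjudge when choosing thresholds, so here is a small model of it. This is an added example and not part of the workbook or of Cisco's code: it evaluates constructed drop timestamps against a rate-interval / average-rate / burst-rate triple the way the text describes (burst interval = rate interval divided by a fraction, at least 10 seconds) and reports which of the two rates would raise syslog 733100. The function names, the `burst_fraction` parameter and the sample data are assumptions made for this illustration.

```python
"""Two-rate drop-rate check, as basic threat detection applies it to one event type.

Added example, not part of the workbook: models only the rule described above
on constructed lists of drop timestamps. It is not ASA code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RateThreshold:
    rate_interval: int      # seconds; the ASA's rate-interval
    average_rate: int       # drops per second, measured over rate_interval
    burst_rate: int         # drops per second, measured over burst_interval
    burst_fraction: int = 60  # assumption: 1/60 as in the text; check your release

    @property
    def burst_interval(self) -> int:
        # burst window is rate_interval / burst_fraction, but never under 10 seconds
        return max(self.rate_interval // self.burst_fraction, 10)


def evaluate(drop_times, threshold, now):
    """Return (average_eps, burst_eps, triggered) for drops seen up to `now`.

    drop_times: timestamps (seconds) at which the ASA dropped a packet.
    triggered:  "average" and/or "burst", one entry per rate that is above
                its threshold, i.e. each case in which syslog 733100 fires.
    """
    avg_window = now - threshold.rate_interval
    burst_window = now - threshold.burst_interval
    in_avg = sum(1 for t in drop_times if avg_window < t <= now)
    in_burst = sum(1 for t in drop_times if burst_window < t <= now)
    average_eps = in_avg / threshold.rate_interval
    burst_eps = in_burst / threshold.burst_interval
    triggered = []
    if average_eps > threshold.average_rate:
        triggered.append("average")
    if burst_eps > threshold.burst_rate:
        triggered.append("burst")
    return average_eps, burst_eps, triggered


# The lab's policy: rate-interval 1200, average-rate 1000, burst-rate 100
LAB_ACL_DROP = RateThreshold(rate_interval=1200, average_rate=1000, burst_rate=100)


def steady_drops(rate_per_sec, duration, end):
    """Constructed sample: drops at a constant rate during the `duration`
    seconds that end at time `end` (last drop strictly before `end`)."""
    n = int(rate_per_sec * duration)
    step = duration / n
    return [end - duration + i * step for i in range(n)]


def flood_then_quiet():
    """Constructed sample: 3000 drops squeezed into the last 15 seconds."""
    return steady_drops(200, 15, end=1200)


if __name__ == "__main__":
    # 1 drop/s for the whole interval: neither rate trips
    print(evaluate(steady_drops(1, 1200, end=1200), LAB_ACL_DROP, now=1200))
    # 3000 drops in 15 s: 150 eps over the 20 s burst window, 2.5 eps average
    print(evaluate(flood_then_quiet(), LAB_ACL_DROP, now=1200))
```

With the lab's values, 3000 drops squeezed into 15 seconds trip only the burst rate (150 eps over the 20-second window, while the 20-minute average is 2.5 eps); a flood that is spread evenly trips only the average rate. That is the reason the two parameters exist side by side: the average catches sustained abuse, the burst catches short spikes that the average would smooth away.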

Verification
R2#pi 10.1.101.1 rep 10000 time 0
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.1.101.1, timeout is 0 seconds:
......................................................................
<…output omitted…>

ASA-FW(config)# sh threat-detection statistics
Current monitored hosts:0
Total not monitored hosts:0
                          Average(eps)    Current(eps)  Trigger   Total events
ICMP  * 1:  tot-ses:3 act-ses:0
  1-hour Sent byte:                196              0        0         708600
  8-hour Sent byte:                 24            738        0         708600
 24-hour Sent byte:                  8            246        0         708600
  1-hour Sent pkts:                  1              0        0           7086
  8-hour Sent pkts:                  0              7        0           7086
 24-hour Sent pkts:                  0              2        0           7086

ASA-FW(config)# sh threat-detection rate acl-drop
                          Average(eps)    Current(eps)  Trigger   Total events
  10-min ACL drop:                  16            500        0          10000
  20-min ACL drop:                   8              0        1          10000
  1-hour ACL drop:                   2              0        0          10000

ASA-FW(config)# sh threat-detection shun
Shunned Host List:

The 10000 echo requests from R2 arrive on the lowest-security OUT interface with no ACL permitting them, so all of them are counted as ACL drops. The 20-min row is the rate interval we configured; its Trigger column shows that the threshold was exceeded once. The shun list is still empty, as expected: shunning is driven by scanning threat detection, not by the acl-drop rate.

Lab 1.26. Controlling ICMP and fragmented traffic

Lab Setup
- R1's F0/0 and ASA's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks.

IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)        10.1.102.10/24
                  E0/1 (IN, Security 80)        10.1.101.10/24
                  E0/2.104 (DMZ, Security 50)   10.1.104.10/24

Task 1
Configure the ASA so that it can ping all outside networks, but nobody can ping the ASA from the outside. Do not use an ACL to accomplish this task.

The ASA controls ICMP messages that are directed to the firewall itself differently than an IOS router does. By default the ASA can be pinged from every side; however, pings directed to the broadcast address are dropped. There are special commands available to accept or reject ICMP messages terminating on the interfaces. This ICMP control works in the inbound direction only, meaning you configure which networks/hosts are allowed to send specified ICMP message types to a given ASA interface. These rules affect only traffic addressed to the ASA itself, not traffic passing through it, and as soon as at least one icmp rule exists for an interface, every ICMP message to that interface that is not explicitly permitted is denied.

Configuration
Complete these steps:
Step 1  ASA configuration.
ASA-FW(config)# icmp permit any echo-reply OUT
Simply speaking, this command permits ICMP Echo Reply packets on the outside interface. Because of the implicit deny that follows it, the ASA can send out ICMP Echo Requests and accept the Echo Replies, but it no longer answers Echo Requests arriving on OUT.

Verification
ASA-FW(config)# sh run all icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply OUT

ASA-FW(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R2#ping 10.1.102.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#ping 10.1.101.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The ASA can ping both sides, R2 (outside) can no longer ping the OUT interface, and R1 (inside) is unaffected because no icmp rule was configured for IN.

Task 2
Ensure that pMTU discovery and traceroute work successfully through the firewall. All other ICMP messages terminating on firewall interfaces should be discarded.

The traceroute tool uses ICMP time-exceeded and ICMP unreachable messages to determine the hops in the network; path MTU discovery relies on ICMP unreachable messages as well (type 3, code 4, "fragmentation needed"). For these tools to work the ASA must be able to pass those ICMP messages through, so you need to configure an ACL on the outside interface to allow that traffic back in. The icmp commands, on the other hand, decide which of these messages the ASA accepts when they are addressed to its own interfaces, which is what the second sentence of the task is about.

Configuration
Complete these steps:
Step 1  Verify how traceroute is going through the ASA before any configuration.

R1#traceroute 10.1.102.2
Type escape sequence to abort.
Tracing the route to 10.1.102.2
  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *
Step 2  Configure the ASA.
ASA-FW(config)# icmp permit any time-exceeded OUT
ASA-FW(config)# icmp permit any unreachable OUT
ASA-FW(config)# !
ASA-FW(config)# icmp permit any time-exceeded IN
ASA-FW(config)# icmp permit any unreachable IN
ASA-FW(config)# !
ASA-FW(config)# icmp permit any time-exceeded DMZ
ASA-FW(config)# icmp permit any unreachable DMZ
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any unreachable
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any time-exceeded
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
R1#traceroute 10.1.102.2
Type escape sequence to abort.
Tracing the route to 10.1.102.2
  1 10.1.102.2 0 msec 0 msec *
The probes now get their ICMP replies back through the OUT interface. The ASA itself does not show up as a hop because by default it does not decrement the IP TTL of transit packets, so R2 is reported as the first and only hop. The missing third reply is the usual effect of IOS rate-limiting the ICMP unreachables it sends (one every 500 ms by default).

Task 3
Disable fragment reassembly on the ASA's outside interface. You can allow ICMP traffic to pass through the ASA to validate the solution.

By default the ASA accepts up to 24 fragments to reconstruct a full IP packet (the fragment chain). There is also a per-interface limit on the number of packets that can be buffered while waiting for reassembly, which is 200 by default (the fragment size). Changing these values to large numbers can make the ASA more vulnerable to a DoS attack by fragment flooding. The easiest way to prevent packet reassembly on the ASA is to set the chain limit to 1, which means that no fragmented packets are accepted on that interface at all: every fragment set with more than one element is discarded.

Configuration
Complete these steps:
Step 1  ASA configuration.
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# fragment chain 1 OUT

Verification
ASA-FW(config)# sh run all fragment
fragment size 200 OUT
fragment chain 1 OUT
fragment timeout 5 OUT
no fragment reassembly full OUT
fragment size 200 IN
fragment chain 24 IN
fragment timeout 5 IN
no fragment reassembly full IN
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ

R2#ping 10.1.101.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 10.1.101.1 size 1600
Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# logg con 7
ASA-FW(config)# logg on
ASA-FW(config)# %ASA-5-111008: User 'enable_15' executed the 'logging on' command.

R2#ping 10.1.101.1 size 1600
Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
ASA# %ASA-4-209005: Discard IP fragment set with more than 1 elements:  src = 10.1.102.2, dest = 10.1.101.1, proto = ICMP, id = 15

The 100-byte pings still work. The 1600-byte pings exceed the 1500-byte MTU of R2's interface, arrive at OUT as two fragments and are discarded, which syslog 209005 confirms.

Lab 1.27. Time based access control

Lab Setup
- R1's F0/0 and ASA's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks.

IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)        10.1.102.10/24
                  E0/1 (IN, Security 80)        10.1.101.10/24
                  E0/2.104 (DMZ, Security 50)   10.1.104.10/24

Task 1
Your company uses outsourced services for maintaining the network infrastructure. Configure the ASA to allow Telnet and SSH connections to R1's F0/0 from the outside. Connections should be allowed only during the contract time, starting from 1 Jan 2010 at 8 a.m. to 31 Dec 2010 at 6 p.m.

Time-ranged access lists can be used to control traffic passing the ASA according to the current time and date on the device. As this feature depends solely on the time on the device, you must ensure that the time is correct; the best option is of course a reliable NTP source. In our case, however, we are not asked to do so. A time range object must be configured first and then attached to the specific ACE (Access Control Entry). The time range can be defined by one of two types: (1) absolute, where the start and end time and date are fixed and describe one contiguous range; (2) periodic, which describes repeatable periods like day-by-day, weekends, days of the week, etc. An ACE whose time range is not active is skipped as if it were not in the list, so the remaining entries, and finally the implicit deny, decide what happens to the packet.

Configuration
Complete these steps:
Step 1  ASA configuration.
ASA-FW(config)# time-range Outsourced
ASA-FW(config-time-range)# absolute start 8:00 1 January 2010 end 18:00 31 December 2010
ASA-FW(config-time-range)# access-list OUTSIDE_IN permit tcp any host 10.1.101.1 eq 22 time-range Outsourced
ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.1.101.1 eq 23 time-range Outsourced
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range Outsourced (hitcnt=0) 0x4861ab27
Note that there are no hits in our ACL yet. Check the time on the ASA before testing.
ASA-FW(config)# sh clock
22:37:25.169 UTC Fri Jan 22 2010

R2#tel 10.1.101.1
Trying 10.1.101.1 ... Open

User Access Verification

Password:
Password:
Password:
% Bad passwords

[Connection to 10.1.101.1 closed by foreign host]
R2#

ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range Outsourced (hitcnt=1) 0x4861ab27
Telnet works fine and there is a hit in the ACL.
ASA-FW(config)# sh time-range
time-range entry: Outsourced (active)
   absolute start 08:00 01 January 2010 end 18:00 31 December 2010
   used in: IP ACL entry

   used in: IP ACL entry
Change the clock on the ASA to see the difference.
ASA-FW(config)# clock set 10:00:00 1 Jun 2011
ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range Outsourced (hitcnt=0) (inactive) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range Outsourced (hitcnt=0) (inactive) 0x4861ab27
Note that when the current time on the device is outside the configured time range, the ACL entry is marked "inactive" in the output of the "show access-list" command. This is useful in troubleshooting and gives us instant information whether our configuration is correct or not.
R2#tel 10.1.101.1
Trying 10.1.101.1 ...
% Connection timed out; remote host not responding

Task 2
Users in your internal network (10.1.101.0/24) should have access to the Internet (HTTP and HTTPS) only during business hours (9am to 5pm) on workdays (Mon-Fri). Ensure that other services are not affected by this policy. The administrator's workstation, IP address 1.1.1.1, must not be limited by this policy.

This task clearly states that we should allow traffic in some periodic timeslots only. Hence, the best option here is the periodic type of time range object. There is also the requirement that the admin workstation is not blocked by this policy, so we need to permit it at the beginning of the ACL, before the time-based entries and the explicit denies that follow them. Because an inactive ACE is simply skipped, Web traffic outside business hours would otherwise fall through to the final "permit ip any any" (which we need so that other services are not affected); the explicit denies for ports 80 and 443 placed right after the time-based permits are therefore required.

Configuration
Complete these steps:
Step 1  ASA configuration.

ASA-FW(config)# time-range Users_Internet
ASA-FW(config-time-range)# periodic weekdays 9:00 to 17:00
ASA-FW(config-time-range)# exi
ASA-FW(config)# access-list INSIDE_IN permit ip host 1.1.1.1 any
ASA-FW(config)# access-list INSIDE_IN permit tcp any any eq 80 time-range Users_Internet
ASA-FW(config)# access-list INSIDE_IN permit tcp any any eq 443 time-range Users_Internet
ASA-FW(config)# access-list INSIDE_IN deny tcp any any eq 80
ASA-FW(config)# access-list INSIDE_IN deny tcp any any eq 443
ASA-FW(config)# access-list INSIDE_IN permit ip any any
ASA-FW(config)# access-group INSIDE_IN in interface IN

Verification
To verify, we can change the clock on the ASA to some weekend day. Once that is done, we should see that the respective ACEs are inactive and Web traffic is blocked by the next ACEs. We do not need a web browser for the test: it is enough to enable (if not enabled by default) the HTTP server on R2 and telnet to it using the "telnet 10.1.102.2 80" command on R1.
ASA-FW(config)# clock set 10:00:00 5 Jun 2010
ASA-FW(config)# sh clock
10:00:03.399 UTC Sat Jun 5 2010
ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range Outsourced (hitcnt=0) 0x4861ab27
access-list INSIDE_IN; 6 elements
access-list INSIDE_IN line 1 extended permit ip host 1.1.1.1 any (hitcnt=0) 0x0abd7ebf
access-list INSIDE_IN line 2 extended permit tcp any any eq www time-range Users_Internet (hitcnt=0) (inactive) 0x49796a57
access-list INSIDE_IN line 3 extended permit tcp any any eq https time-range Users_Internet (hitcnt=0) (inactive) 0x4af8d6f5
access-list INSIDE_IN line 4 extended deny tcp any any eq www (hitcnt=0) 0x83fa0440
access-list INSIDE_IN line 5 extended deny tcp any any eq https (hitcnt=0) 0x28e2c45f
access-list INSIDE_IN line 6 extended permit ip any any (hitcnt=0) 0x96858cf8
ASA-FW(config)#

R1#tel 10.1.102.2 80
Trying 10.1.102.2, 80 ...
% Connection refused by remote host
R1#tel 10.1.102.2 80 /so lo0
Trying 10.1.102.2, 80 ... Open
GET \
HTTP/1.1 400 Bad Request
Date: Sat, 23 Jan 2010 01:13:05 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.102.2 closed by foreign host]

ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range Outsourced (hitcnt=0) 0x4861ab27
access-list INSIDE_IN; 6 elements
access-list INSIDE_IN line 1 extended permit ip host 1.1.1.1 any (hitcnt=2) 0x0abd7ebf
access-list INSIDE_IN line 2 extended permit tcp any any eq www time-range Users_Internet (hitcnt=0) (inactive) 0x49796a57
access-list INSIDE_IN line 3 extended permit tcp any any eq https time-range Users_Internet (hitcnt=0) (inactive) 0x4af8d6f5
access-list INSIDE_IN line 4 extended deny tcp any any eq www (hitcnt=1) 0x83fa0440
access-list INSIDE_IN line 5 extended deny tcp any any eq https (hitcnt=0) 0x28e2c45f
access-list INSIDE_IN line 6 extended permit ip any any (hitcnt=0) 0x96858cf8
The first connection, sourced from R1's F0/0 (10.1.101.1), is refused: on a Saturday line 2 is inactive and the packet hits the explicit deny in line 4. The second connection, sourced from Lo0 (1.1.1.1), matches line 1 and is permitted regardless of the time.
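To see why the order of the INSIDE_IN entries matters, the following model evaluates both access lists from this lab the way the ASA does: first match wins, an ACE whose time range is not active is skipped, and no match means the implicit deny. This is an added example, not workbook or Cisco code; the class names, the sample packets, the fixed test dates and the use of datetime.weekday() for the periodic range are assumptions made for the illustration.

```python
"""Evaluate ASA-style access lists whose entries carry time ranges.

Added example, not from the workbook or Cisco: models only the semantics used in
Lab 1.27 (first match wins, implicit deny, inactive time range = ACE skipped).
All packets and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

WEEKDAYS = frozenset({0, 1, 2, 3, 4})   # Monday..Friday as datetime.weekday() values


@dataclass(frozen=True)
class TimeRange:
    """Absolute bounds and/or a periodic window; every configured part must hold."""
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic_days: Optional[frozenset] = None   # e.g. WEEKDAYS
    periodic_start: int = 0                     # minutes after midnight
    periodic_end: int = 24 * 60 - 1

    def is_active(self, when: datetime) -> bool:
        if self.absolute_start and when < self.absolute_start:
            return False
        if self.absolute_end and when > self.absolute_end:
            return False
        if self.periodic_days is not None:
            minute = when.hour * 60 + when.minute
            if when.weekday() not in self.periodic_days:
                return False
            if not (self.periodic_start <= minute <= self.periodic_end):
                return False
        return True


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # CIDR; ANY below stands for "any"
    dst: str
    dst_port: Optional[int] = None  # None matches any port
    time_range: Optional[TimeRange] = None

    def matches(self, proto, src, dst, dst_port) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == dst_port


def lookup(acl, proto, src, dst, dst_port, when):
    """First active matching ACE decides; returns (action, line) or ("deny", None)."""
    for line, ace in enumerate(acl, start=1):
        if ace.time_range is not None and not ace.time_range.is_active(when):
            continue   # what "show access-list" reports as "(inactive)"
        if ace.matches(proto, src, dst, dst_port):
            return ace.action, line
    return "deny", None   # implicit deny at the end of every ACL


ANY = "0.0.0.0/0"
OUTSOURCED = TimeRange(absolute_start=datetime(2010, 1, 1, 8, 0),
                       absolute_end=datetime(2010, 12, 31, 18, 0))
USERS_INTERNET = TimeRange(periodic_days=WEEKDAYS,
                           periodic_start=9 * 60, periodic_end=17 * 60)

# OUTSIDE_IN from Task 1 and INSIDE_IN from Task 2, in the order they were entered
OUTSIDE_IN = [
    ACE("permit", "tcp", ANY, "10.1.101.1/32", 22, OUTSOURCED),
    ACE("permit", "tcp", ANY, "10.1.101.1/32", 23, OUTSOURCED),
]
INSIDE_IN = [
    ACE("permit", "ip", "1.1.1.1/32", ANY),
    ACE("permit", "tcp", ANY, ANY, 80, USERS_INTERNET),
    ACE("permit", "tcp", ANY, ANY, 443, USERS_INTERNET),
    ACE("deny", "tcp", ANY, ANY, 80),
    ACE("deny", "tcp", ANY, ANY, 443),
    ACE("permit", "ip", ANY, ANY),
]

# Constructed test instants: the lab's Saturday, the following Monday, a day
# inside the 2010 contract and one after it.
SATURDAY_10AM = datetime(2010, 6, 5, 10, 0)
MONDAY_10AM = datetime(2010, 6, 7, 10, 0)
CONTRACT_DAY = datetime(2010, 1, 22, 22, 37)
AFTER_CONTRACT = datetime(2011, 6, 1, 10, 0)

if __name__ == "__main__":
    print(lookup(INSIDE_IN, "tcp", "10.1.101.1", "10.1.102.2", 80, SATURDAY_10AM))  # deny, line 4
    print(lookup(INSIDE_IN, "tcp", "1.1.1.1", "10.1.102.2", 80, SATURDAY_10AM))     # permit, line 1
    print(lookup(INSIDE_IN, "tcp", "10.1.101.1", "10.1.102.2", 80, MONDAY_10AM))    # permit, line 2
    print(lookup(OUTSIDE_IN, "tcp", "10.1.102.2", "10.1.101.1", 22, AFTER_CONTRACT))  # deny, None
```

Moving the admin entry below the denies, or leaving out the two explicit denies, changes the answers immediately, which is the kind of ordering mistake that is hard to spot in a long production ACL but trivial to catch in a model like this.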

2/24 Lo0 4.1/24 Lo0 2.101.2.4.28.4/24 R2 R4 Page 276 of 1033 .Priority queuing Lab Setup  R1’s F0/0 and ASA’s E0/1 interface should be configured in VLAN 101  R2’s G0/0 and ASA’s E0/0 interface should be configured in VLAN 102  R4’s F0/0 and ASA’s E0/2 interface should be configured in VLAN 104  Configure Telnet on all routers using password “cisco”  Configure RIPv2 on all devices and advertise their all directly connected networks.4.1.CCIE SECURITY v4 Lab Workbook Lab 1.1.102.1.2/24 F0/0 10.2. QoS .1.1/24 F0/0 10. IP Addressing Device/Hostname Interface (ifname) IP address R1 Lo0 1.

You need to ensure that ASA will prioritize that traffic going to the outside networks. It is important to enable priority queuing on the respective interface before configuring action for class map. Attaching it globally has effect on every interface where priority queuing is enabled.10 /24 E0/1 (IN.101.1. As Voice and business critical application’s traffic is more important than other corporate traffic (like Web traffic) it is recommended to make use from software queue and prioritize some traffic over the other.CCIE SECURITY v4 Lab Workbook ASA1/ASA-FW F0/0 10. Also note that priority queuing is an outbound only solution. Second is a software queue which is configurable (default serviced by FIFO as well). Security 0) 10. ASA-FW(config)# priority-queue OUT ASA-FW(config-priority-queue)# access-list APP extended permit tcp any any range 15000 15200 Page 277 of 1033 .4/24 E0/0 (OUT. We can also use an ACL to mark the traffic. Finally. This is most useful for latency-dependant traffic like Voice or Video.10 /24 E0/2. Voice traffic is usually marked by EF (Expedited Forwarding) bit in the Layer 3 header. Security 50) 10. We can use this information to match the traffic and prioritize it.1. We cannot prioritize inbound traffic.104.102.  Each interface has two levels of queuing available.1. our policy map must be attached globally or on the interface. Security 80) 10. Configuration Complete these steps: Step 1 ASA configuration. Prioritize in software queue will allow important traffic to go sooner to the hardware queue than non-important traffic.1.10 /24 Task 1 Your company extensively uses Cisco IP Phones (traffic marked DSCP EF) and some business critical application (TCP port range 15000 to 15200). One is a hardware queue (called tx-ring) which is serviced by FIFO (First In First Out) method.104.104 (DMZ.

ASA-FW(config)# class-map APP
ASA-FW(config-cmap)# match access-list APP
ASA-FW(config-cmap)# class-map VOICE
ASA-FW(config-cmap)# match dscp ef
ASA-FW(config-cmap)# policy-map LLQ-POLICY
ASA-FW(config-pmap)# class VOICE
ASA-FW(config-pmap-c)# priority
ASA-FW(config-pmap-c)# class APP
ASA-FW(config-pmap-c)# priority
ASA-FW(config-pmap-c)# service-policy LLQ-POLICY interface OUT

Verification
ASA-FW(config)# sh service-policy priority
Interface OUT:
  Service-policy: LLQ-POLICY
    Class-map: VOICE
      Priority:
        Interface OUT: aggregate drop 0, aggregate transmit 0
    Class-map: APP
      Priority:
        Interface OUT: aggregate drop 0, aggregate transmit 0

To test our solution, we can configure the HTTP server on R2 to listen on TCP port 15000. This traffic coming from R1 towards R2 should be prioritized.
R2(config)#ip http port 15000
R2(config)#ip http server

R1#tel 10.1.102.2 15000
Trying 10.1.102.2, 15000 ... Open
GET /
HTTP/1.1 400 Bad Request
Date: Wed, 03 Feb 2010 20:34:37 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.102.2 closed by foreign host]
R1#

ASA-FW(config)# sh service-policy priority
Interface OUT:
  Service-policy: LLQ-POLICY
    Class-map: VOICE
      Priority:
        Interface OUT: aggregate drop 0, aggregate transmit 11
    Class-map: APP
      Priority:
        Interface OUT: aggregate drop 0, aggregate transmit 11
ASA-FW(config)# sh priority-queue config
Priority-Queue Config interface OUT
                  current    default    range
queue-limit          2048       2048    0 - 2048
tx-ring-limit          80         80    3 - 256
Priority-Queue Config interface IN
                  current    default    range
queue-limit             0       2048    0 - 2048
tx-ring-limit          -1         80    3 - 256
ASA-FW(config)# sh priority-queue statistics
Priority-Queue Statistics interface OUT

Queue Type         = BE          (Best Effort)
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 15
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ         (Low Latency Queuing)
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 11
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

The 11 packets of the test connection to port 15000 went through the LLQ queue of interface OUT, as both the priority statistics and the queue statistics show. Interface IN reports queue-limit 0 and tx-ring-limit -1 because priority queuing was not enabled there. Note that "Packets Enqueued" and the queue lengths stay at 0: in an idle lab nothing ever waits in the software queue, so the counters only prove that the traffic was classified; the reordering effect of priority queuing becomes visible only when the OUT interface is congested.

Lab 1.29. QoS - Traffic Policing

Lab Setup
- R1's F0/0 and ASA's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks.

IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)        10.1.102.10/24
                  E0/1 (IN, Security 80)        10.1.101.10/24
                  E0/2.104 (DMZ, Security 50)   10.1.104.10/24

Task 1
Configure ASA1 so that it limits ICMP traffic on the outside interface. This traffic should be limited to 32 kbps in both directions and dropped if this level is exceeded.

This task requires configuring traffic policing on the ASA. It clearly states that we should "limit" the traffic (two technologies should come to mind right now: policing and shaping) and drop packets which are above the configured limit (which leaves us with only one solution: policing). Policing does not buffer packets; it simply drops non-conforming packets. Thus it should be used carefully with TCP traffic (as TCP slows down rapidly when it sees packet drops) and with UDP (as UDP is connectionless and has no mechanism to confirm that packets reached the destination). Policing can be configured in both directions on an interface. If it is configured globally it affects all ASA interfaces. The rate is given in bits per second; the burst size (bc) defaults to 1500 bytes, as the verification output below shows, which is why every packet larger than the burst can only pass once the bucket has refilled.

Configuration
Complete these steps:
Step 1  ASA configuration.
ASA-FW(config)# access-list ICMP permit icmp any any
ASA-FW(config)# class-map ICMP
ASA-FW(config-cmap)# match access-list ICMP
ASA-FW(config-cmap)# policy-map OUT-POLICY
ASA-FW(config-pmap)# class ICMP
ASA-FW(config-pmap-c)# police input 32000
ASA-FW(config-pmap-c)# police output 32000
ASA-FW(config-pmap-c)# service-policy OUT-POLICY interface OUT

Verification
Reconfigure the ASA to allow ICMP traffic
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# sh service-policy police
Interface OUT:
  Service-policy: OUT-POLICY
    Class-map: ICMP
      Input police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
ASA-FW(config)#

Test from R1
R1#pi 10.1.102.2 size 5000 rep 10
Type escape sequence to abort.
Sending 10, 5000-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!.!.!.!.!.
Success rate is 50 percent (5/10), round-trip min/avg/max = 4/4/4 ms
R1#
ASA-FW(config)# sh service-policy police
Interface OUT:
  Service-policy: OUT-POLICY
    Class-map: ICMP
      Input police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 5 packets, 7570 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 144 bps, exceed 0 bps
      Output police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 20 packets, 25580 bytes; actions:  transmit
        exceeded 20 packets, 25580 bytes; actions:  drop
        conformed 976 bps, exceed 488 bps

Note that packets were matched by both the Input and the Output policer: the policer works in both directions, so it also sees the returning ICMP packets. We used ICMP packets of 5000 bytes, which R1 has to fragment to fit the 1500-byte MTU before sending them, hence the Output policer saw 40 packets instead of 10. Only half of the fragments conformed, and a ping succeeds only when all of its fragments get through, which is why exactly 5 of the 10 pings (20 conforming fragments) were answered.

Test from R2
ASA-FW(config)# clear service-policy interface OUT
ASA-FW(config)# sh service-policy police
Interface OUT:
  Service-policy: OUT-POLICY
    Class-map: ICMP
      Input police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

R2#pi 10.1.101.1 size 1500 rep 10
Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!.!!!.!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/3/4 ms
R2#
ASA-FW(config)# sh service-policy police
Interface OUT:
  Service-policy: OUT-POLICY
    Class-map: ICMP
      Input police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 8 packets, 12112 bytes; actions:  transmit
        exceeded 2 packets, 3028 bytes; actions:  drop
        conformed 2208 bps, exceed 552 bps
      Output police Interface OUT:
        cir 32000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

With 1500-byte packets every echo request is a single packet, so each one either fits the 1500-byte burst or is dropped whole; the two requests that arrived before the bucket had refilled were the two lost pings.


Lab 1.30. QoS - Traffic Shaping

Lab Setup
- R1's F0/0 and ASA's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all devices and advertise all their directly connected networks.

IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)        10.1.102.10/24
                  E0/1 (IN, Security 80)        10.1.101.10/24
                  E0/2.104 (DMZ, Security 50)   10.1.104.10/24

Task 1
Users in the inside network use the ASA to connect to the Internet. Although you have a 10 Mbps outside connection on the ASA, you must ensure that traffic going to the Internet takes no more than 1 Mbps (1024 kbps with a burst of 10240).

The ASA can only send out data at its full interface speed (this is the AIR, Access Information Rate). To limit the speed at which packets are sent out we can use policing or shaping. Policing usually drops excess packets, causing problems for TCP/UDP based applications and services. Shaping is more polite: it buffers excess traffic and sends it out later. This results in fewer packet drops and smoother traffic flows. Shaping uses four values to describe the shaper:
• CIR - Committed Information Rate (the contracted rate to which we shape our traffic)
• Bc - Committed Burst (the amount of data that can be sent per interval, and buffered for later use)
• Be - Excess Burst (the additional amount of data that can be buffered)
• Tc - Time Interval (usually 1/8th of a second, that is 125 ms)
A typical shaper sends no more than CIR*Tc in each Tc slot. Some Tc slots may pass without new data, and the shaper can use them to send out buffered packets. This buffer is described by the Bc value, and the shaper can accommodate no more than Bc+Be data in the buffer. The ASA sets Be=Bc by default. Tc is not explicitly configured; it follows from the other two values as Tc = Bc/CIR, the time it takes to send one Bc at the CIR. Note that Bc and Be are amounts of data while CIR is a rate in bits per second, so the burst value in the command is not a second rate. On the ASA, shaping can only be applied to class-default of a policy attached to an interface, so it always applies to all traffic leaving that interface; to treat some traffic preferentially inside the shaped rate you nest a priority policy under it, which is beyond this task.

Configuration
Complete these steps:

Step 1  ASA configuration.
ASA-FW(config)# policy-map SHAPE-POLICY
ASA-FW(config-pmap)# class class-default
ASA-FW(config-pmap-c)# shape average 1024000 10240
ASA-FW(config-pmap-c)# service-policy SHAPE-POLICY interface OUT

Verification
Reconfigure the ASA to allow ICMP traffic
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# sh service-policy shape
Interface OUT:
  Service-policy: SHAPE-POLICY
    Class-map: class-default
      shape (average) cir 1024000, bc 10240, be 10240
      Queueing
        queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/0/0
        (pkts output/bytes output) 0/0

R1#pi 10.1.102.2 size 1500 rep 1000
Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<…output omitted…>
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/11/36 ms

R1#

ASA-FW(config)# sh service-policy shape
Interface OUT:
  Service-policy: SHAPE-POLICY
    Class-map: class-default
      shape (average) cir 1024000, bc 10240, be 10240
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 1000/1500000

As we can see, our shaper did match the traffic. However, from these counters alone it is quite hard to tell whether the shaper did anything more than match the traffic and send it out. Fortunately, in the lab we can use the round-trip values from the ping command output.

Note that the average round-trip for sending 1000 ICMP packets from R1 to R2 is 11 ms. Let’s do the same for ICMP coming from R2 towards R1.

R2#pi 10.1.101.1 size 1500 rep 1000
Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 4/11/12 ms
R2#

ASA-FW(config)# sh service-policy shape
Interface OUT:
  Service-policy: SHAPE-POLICY
    Class-map: class-default
      shape (average) cir 1024000, bc 10240, be 10240
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 2000/3000000

The round-trip average value is the same (11 ms) and the packet counter is now at 2000. Remember that shaping is an outbound-only feature, so why does the counter increment for a ping that enters the ASA on OUT? Because in this particular case we use ICMP: the echo replies that R1 sends back to R2 leave through OUT and are matched (and shaped) by the same policy. The shaper was buffering the packets and sending them out without any drops. Let’s disable shaping and see the difference.

ASA-FW(config)# no service-policy SHAPE-POLICY interface OUT

R1#pi 10.1.102.2 size 1500 rep 1000
Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/4 ms
R1#

Now the round-trip average value is 2 ms. This is evidence that the shaper did its work previously.
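To see why the shaper adds roughly 10 ms to every echo, it helps to model the token bucket behind shape average. The Python below is an added example, not part of the workbook: it assumes an ideal bucket of bc + be bits refilled continuously at the CIR (the ASA reports be equal to bc for the commands on this page), that only the request direction is shaped, and that the unshaped round trip is the 2 ms measured above after the policy was removed. Driven by a sequential ping of 1000 echoes of 1500 bytes, it reproduces the 11 ms average: a 12000-bit packet exceeds the 10240-bit Bc, so once the initial burst credit is spent each echo has to wait for credit earned at 1.024 Mbit/s. The same functions accept the 2 Mbps parameters of the next lab. Names such as TokenBucketShaper are this example’s own.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TokenBucketShaper:
    """Idealised model of 'shape average <cir> <bc>' (an assumption, not ASA internals):
    credit accrues continuously at CIR bits/s into a bucket of bc + be bits.
    The page's output shows be == bc for both shapers, so that is the default."""
    cir_bps: float
    bc_bits: float
    be_bits: Optional[float] = None
    tokens: float = field(init=False)
    last_update: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.be_bits is None:
            self.be_bits = self.bc_bits
        self.tokens = self.capacity  # bucket starts full: the first burst is not delayed

    @property
    def capacity(self) -> float:
        return self.bc_bits + self.be_bits

    @property
    def tc_seconds(self) -> float:
        """Shaping interval Tc = Bc / CIR: 10 ms for 'shape average 1024000 10240'."""
        return self.bc_bits / self.cir_bps

    def _refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.last_update) * self.cir_bps)
        self.last_update = now

    def release_time(self, arrival: float, size_bytes: int) -> float:
        """Time (s) at which a packet arriving at `arrival` leaves the shaper."""
        bits = size_bytes * 8
        self._refill(arrival)
        if self.tokens < bits:
            # Not enough credit: wait until the deficit has been earned at CIR.
            # Credit earned while waiting is spent at once, so the bucket cap is irrelevant here.
            arrival += (bits - self.tokens) / self.cir_bps
            self.tokens = bits
            self.last_update = arrival
        self.tokens -= bits
        return arrival


def sequential_ping_rtts(shaper: TokenBucketShaper, count: int, size_bytes: int = 1500,
                         base_rtt_s: float = 0.002) -> List[float]:
    """RTT of each echo of an IOS 'ping ... repeat <count>' whose requests cross the shaper.

    IOS sends the next echo only after the previous reply, so at most one packet is
    ever queued: the only delay the shaper adds is the wait for credit.
    """
    rtts: List[float] = []
    t = 0.0
    for _ in range(count):
        sent = shaper.release_time(t, size_bytes)
        rtts.append((sent - t) + base_rtt_s)
        t = sent + base_rtt_s
    return rtts


def average_rtt_ms(cir_bps: float, bc_bits: float, count: int = 1000,
                   size_bytes: int = 1500, base_rtt_s: float = 0.002) -> float:
    """What 'round-trip avg' should read for a shaped sequential ping."""
    rtts = sequential_ping_rtts(TokenBucketShaper(cir_bps, bc_bits), count, size_bytes, base_rtt_s)
    return 1000.0 * sum(rtts) / len(rtts)


def steady_state_rtt_ms(cir_bps: float, size_bytes: int = 1500) -> float:
    """Once the burst credit is gone, each echo costs one serialisation time at CIR."""
    return 1000.0 * size_bytes * 8 / cir_bps


if __name__ == "__main__":
    for cir, bc in ((1024000, 10240), (2048000, 8192)):
        tc_ms = TokenBucketShaper(cir, bc).tc_seconds * 1000
        print(f"cir={cir} bc={bc}: Tc={tc_ms:.1f} ms, "
              f"avg RTT over 1000 echoes={average_rtt_ms(cir, bc):.2f} ms")
```

The model gives 11.7 ms per echo in steady state against the 11 ms the lab measured, and 2 ms for the first echo, which is why the minimum in the ping summary stays at 1 ms even with the shaper in place.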

Lab 1.31. QoS – Traffic Shaping with Prioritization

Lab Setup
 R1’s F0/0 and ASA’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA’s E0/0 interface should be configured in VLAN 102
 R4’s F0/0 and ASA’s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise all their directly connected networks.

IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)        10.1.102.10/24
                  E0/1 (IN, Security 80)        10.1.101.10/24
                  E0/2.104 (DMZ, Security 50)   10.1.104.10/24

Task 1
Configure ASA to enforce QoS policy for outside traffic so that traffic marked with DSCP EF is shaped up to 2Mbps and prioritized. All other traffic should be best-effort serviced.

 In this task we need to ensure that our Voice traffic will not get more than 2Mbps and that it is prioritized at the same time. Unfortunately, we cannot configure LLQ (Low Latency Queuing) and shaping side by side on the same interface. This can be done, however, by prioritizing traffic inside the shaped queue. To configure that, we need to nest the priority queue (the policy map for LLQ) under the shaper policy map using the service-policy command. This will effectively create two sub-queues inside the shaped parent queue: (1) a priority queue and (2) a best-effort queue. Note that on the ASA the shape command is accepted only under class-default, so the 2 Mbps ceiling applies to all traffic leaving the OUT interface; the EF traffic is not capped on its own, it is simply served first within that ceiling.

Configuration
Complete these steps:
Step 1 ASA configuration.
ASA-FW(config)# priority-queue OUT
ASA-FW(config-priority-queue)# class-map VOICE
ASA-FW(config-cmap)# match dscp ef
ASA-FW(config-cmap)# policy-map VOICE
ASA-FW(config-pmap)# class VOICE
ASA-FW(config-pmap-c)# priority
ASA-FW(config-pmap-c)# policy-map SHAPE-OUTSIDE
ASA-FW(config-pmap)# class class-default
ASA-FW(config-pmap-c)# shape average 2048000
ASA-FW(config-pmap-c)# service-policy VOICE

ASA-FW(config-pmap-c)# service-policy SHAPE-OUTSIDE interface OUT

Verification
ASA-FW(config)# sh service-policy interface OUT
Interface OUT:
  Service-policy: SHAPE-OUTSIDE
    Class-map: class-default
      shape (average) cir 2048000, bc 8192, be 8192
      (pkts output/bytes output) 0/0
      (total drops/no-buffer drops) 0/0
      Service-policy: VOICE
        Class-map: VOICE
          priority
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: class-default
          Default Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

To test our solution we need to mark some traffic with the DSCP EF bits. This can be quickly done on R1 by using MQC. In addition to that, we need to allow ICMP on the ASA either by configuring an ACL or by ICMP inspection.

ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

R1(config)#class-map ICMP
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exi
R1(config)#policy-map ICMP-EF
R1(config-pmap)#class ICMP
R1(config-pmap-c)#set dscp ef
R1(config-pmap-c)#exi
R1(config-pmap)#exi
R1(config)#int f0/0
R1(config-if)#service-policy output ICMP-EF

R1#pi 10.1.102.2 size 1500 rep 1000
Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
.!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
.!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (985/1000), round-trip min/avg/max = 1/2/8 ms
R1#

ASA-FW(config)# sh service-policy interface OUT
Interface OUT:
  Service-policy: SHAPE-OUTSIDE
    Class-map: class-default
      shape (average) cir 2048000, bc 8192, be 8192
      (pkts output/bytes output) 986/1479000
      (total drops/no-buffer drops) 0/0
      Service-policy: VOICE
        Class-map: VOICE
          priority
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/28/0
          (pkts output/bytes output) 986/1479000
        Class-map: class-default
          Default Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

As you can see, the echoes were prioritized (986 packets in the VOICE queue) and no packets went through the default class. Note also the 28 total drops counted against the VOICE queue: those are echoes the priority queue discarded rather than delayed, and they show up as the dots in the ping output. A priority queue trades loss for low latency, which is right for voice but worth remembering for anything else you classify into it. To ensure that only packets with the DSCP EF bits set are prioritized, let’s make another test with unmarked traffic.

R1#tel 10.1.102.2
Trying 10.1.102.2 ... Open

User Access Verification

Password:
R2>exi

[Connection to 10.1.102.2 closed by foreign host]
R1#

ASA-FW(config)# sh service-policy interface OUT
Interface OUT:
  Service-policy: SHAPE-OUTSIDE
    Class-map: class-default
      shape (average) cir 2048000, bc 8192, be 8192
      (pkts output/bytes output) 1008/1479926
      (total drops/no-buffer drops) 0/0
      Service-policy: VOICE
        Class-map: VOICE
          priority
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/28/0
          (pkts output/bytes output) 986/1479000
        Class-map: class-default
          Default Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 22/926

The Telnet session (22 packets, 926 bytes) was counted in class-default while the VOICE counters did not change: only EF-marked traffic gets the priority queue.

Lab 1.32. SLA Route Tracking

Lab Setup
 R1’s F0/0 and ASA’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA’s E0/0 interface should be configured in VLAN 102
 R5’s F0/0 and ASA’s E0/2 interface should be configured in VLAN 105
 R2’s G0/1, R5’s F0/1 and R4’s F0/1 interface should be configured in VLAN 245
 Configure Telnet on all routers using password “cisco”
 Configure default gateway on R1/R2/R5 pointing to the ASA

IP Addressing
Device/Hostname   Interface (ifname)             IP address
R1                F0/0                           10.1.101.1/24
R2                G0/0                           10.1.102.2/24
                  G0/1                           10.1.245.2/24
R4                F0/1                           10.1.245.4/24
R5                F0/0                           10.1.105.5/24
                  F0/1                           10.1.245.5/24
ASA1/ASA-FW       E0/0 (Outside1, Security 0)    10.1.102.10/24
                  E0/1 (Inside, Security 100)    10.1.101.10/24
                  E0/2 (Outside2, Security 0)    10.1.105.10/24

Task 1
You have installed a second connection to the outside networks to achieve redundancy. Configure ASA so that it uses R2 as the default gateway as long as R2’s G0/0 interface IP address is reachable. If three ICMP packets fail within 10 seconds, the ASA should withdraw the static route from its routing table and use the IP address of R5’s F0/0 interface as the new default gateway.

 Static route tracking provides a method for tracking the availability of a static route and for making a backup route available if the primary route fails. The ASA associates a static route with a monitoring target that you define. The SLA (Service Level Agreement) operation monitors the target with periodic ICMP echo requests. If an echo reply is not received within the specified period of time, the object is considered down, the route associated with the target is removed from the routing table and a previously configured backup route is used instead. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the primary route is returned to the routing table and the backup route is withdrawn. To ensure the backup route is not installed alongside the primary route (two default routes with the same AD would compete as equal-cost routes), the backup route must carry a higher AD (Administrative Distance); here 254.

Configuration
Complete these steps:
Step 1 ASA configuration.
ASA-FW(config)# sla monitor 1
ASA-FW(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.102.2 interface outside1
ASA-FW(config-sla-monitor-echo)# num-packets 3
ASA-FW(config-sla-monitor-echo)# frequency 10
ASA-FW(config-sla-monitor-echo)# exi
ASA-FW(config)# sla monitor schedule 1 start-time now life forever
ASA-FW(config)# track 1 rtr 1 reachability
ASA-FW(config)# route outside1 0.0.0.0 0.0.0.0 10.1.102.2 track 1
ASA-FW(config)# route outside2 0.0.0.0 0.0.0.0 10.1.105.5 254

Verification
ASA-FW(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.1.102.2 to network 0.0.0.0

C    10.1.105.0 255.255.255.0 is directly connected, Outside2
C    10.1.102.0 255.255.255.0 is directly connected, Outside1
C    10.1.101.0 255.255.255.0 is directly connected, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.102.2, Outside1

ASA-FW(config)# sh sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.102.2
Interface: Outside1
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

ASA-FW(config)# sh sla monitor operational-state
Entry number: 1
Modification time: 10:57:46.666 UTC Sat Jul 17 2010
Number of Octets Used by this Entry: 1480
Number of operations attempted: 36
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 11:03:36.667 UTC Sat Jul 17 2010
Latest operation return code: OK
RTT Values:
RTTAvg: 1       RTTMin: 1       RTTMax: 1
NumOfRTT: 3     RTTSum: 3       RTTSum2: 3

ASA-FW(config)# sh track 1
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  1 change, last change 00:02:08
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0

Test
We can test our solution by running traceroute to R4’s IP address from R1. As long as R2’s G0/0 IP address responds to the SLA ICMP packets, the default route points to R2. Once we shut R2’s interface down, that default route is deleted from the routing table and the default route with AD 254 is used instead. To make it work, R4 needs a route back to R1, so the simplest option here is to configure dynamic NAT on R2 and R5, translating all source addresses to their interfaces towards R4 (add the overload keyword if more than one inside host has to be translated at the same time). In addition to that, we need to apply an ACL on both of the ASA’s outside interfaces allowing the ICMP port-unreachable messages (type 3, code 3) that traceroute relies on back from R4.

On ASA
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface Outside1
ASA-FW(config)# access-group OUTSIDE_IN in interface Outside2

On R2
R2(config)#ip nat inside source list 140 interface g0/1
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config)#access-list 140 permit ip any any
R2(config)#int g0/0
R2(config-if)#ip nat inside
R2(config-if)#int g0/1
R2(config-if)#ip nat outside
R2(config-if)#exi

On R5
R5(config)#ip nat inside source list 140 interface f0/1
R5(config)#access-list 140 permit ip any any
R5(config)#int f0/0
R5(config-if)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R5(config-if)#int f0/1
R5(config-if)#ip nat outside
R5(config-if)#exi

R1#ping 10.1.245.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.245.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R1#trace 10.1.245.4
Type escape sequence to abort.
Tracing the route to 10.1.245.4

  1 10.1.102.2 0 msec 0 msec 0 msec
  2 10.1.245.4 4 msec 0 msec *

As we can see, the ASA routes the traffic through R2, the default gateway currently in its routing table.

R2(config)#int g0/0
R2(config-if)#sh
R2(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

ASA-FW(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.1.105.5 to network 0.0.0.0

C    10.1.102.0 255.255.255.0 is directly connected, Outside1
C    10.1.105.0 255.255.255.0 is directly connected, Outside2
C    10.1.101.0 255.255.255.0 is directly connected, Inside
S*   0.0.0.0 0.0.0.0 [254/0] via 10.1.105.5, Outside2

ASA-FW(config)# sh sla monitor operational-state
Entry number: 1
Modification time: 09:48:02.952 UTC Sun Jul 18 2010
Number of Octets Used by this Entry: 1480
Number of operations attempted: 36
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 09:53:42.953 UTC Sun Jul 18 2010
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

ASA-FW(config)# clear conn
6 connection(s) deleted.

R1#trace 10.1.245.4
Type escape sequence to abort.
Tracing the route to 10.1.245.4

  1 10.1.105.5 0 msec 0 msec 4 msec
  2 10.1.245.4 0 msec 0 msec *

Because traceroute uses UDP packets, the ASA creates flows for them in its connection (state) table. UDP has a default idle timeout of 2 minutes on the ASA, so we need to wait at least 2 minutes before tracerouting from R1 again, or clear the connection table manually as above; until then the existing flows keep following the old path.


Lab 1.33. ASA IP Services (DHCP)

Lab Setup
 R1’s F0/0 and ASA’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA’s E0/0 interface should be configured in VLAN 102
 R4’s F0/0 and ASA’s E0/2 interface should be configured in VLAN 104

 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise all their directly connected networks.
IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (OUT, Security 0)        10.1.102.10/24
                  E0/1 (IN, Security 80)        10.1.101.10/24
                  E0/2.104 (DMZ, Security 50)   10.1.104.10/24

Task 1
Configure ASA to give out IP addresses to inside hosts automatically using the following information:
IP address range: 10.1.101.100-10.1.101.200
DNS Server: 10.1.101.5
WINS Server: 10.1.101.6
Domain Name: MicronicsTraining.com
Lease time: 8h

The ASA may work as a DHCP server in both routed and transparent mode. It may serve IP addresses to the hosts on a network (usually the inside network), hand out additional DHCP options like the DNS/WINS servers, and configure itself as the default gateway for the clients. The DHCP lease time is 3600 seconds (1h) by default.
In addition to that, the ASA can serve further DHCP options to its clients, like a different default gateway (useful in transparent mode, where the ASA has no routable interface address and the default gateway usually lies on the other side of the ASA), a TFTP server IP address and so on.
Note that you must enable the DHCP server on the ASA after configuring it, by using the "dhcpd enable <interface>" command.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# dhcpd address 10.1.101.100-10.1.101.200 IN
ASA-FW(config)# dhcpd dns 10.1.101.5


ASA-FW(config)# dhcpd wins 10.1.101.6
ASA-FW(config)# dhcpd domain MicronicsTraining.com
ASA-FW(config)# dhcpd lease 28800
ASA-FW(config)# dhcpd enable IN

Verification
ASA-FW(config)# sh dhcpd state
Context  Configured as DHCP Server
Interface OUT, Not Configured for DHCP
Interface IN, Configured for DHCP SERVER
Interface DMZ, Not Configured for DHCP

ASA-FW(config)# sh dhcpd binding
IP address       Hardware address        Lease expiration        Type

R1(config)#int f0/0
R1(config-if)#ip address dhcp
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.101.100,
mask 255.255.255.0, hostname R1

R1#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.101.100/24
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound  access list is not set

Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled


IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
R1#sh ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
Domain lookup is enabled
Default domain name: MicronicsTraining.com
Domain search list:
Lookup timeout: 3 seconds
Lookup retries: 2
Domain name-servers:
10.1.101.5
DNS Server settings:
Forwarding of queries is enabled
Forwarder timeout: 3 seconds
Forwarder retries: 2
Forwarder addresses:

ASA-FW(config)# sh dhcpd binding
IP address       Hardware address        Lease expiration        Type
10.1.101.100     0063.6973.636f.2d30.    28648 seconds           Automatic
                 3031.392e.3330.3130.
                 2e38.3631.382d.4661.
                 302f.30

ASA-FW(config)# sh dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools        1
Automatic bindings   1
Expired bindings     0
Malformed messages   0

Message        Received
BOOTREQUEST    0
DHCPDISCOVER   1
DHCPREQUEST    1
DHCPDECLINE    0
DHCPRELEASE    0
DHCPINFORM     0

Message        Sent
BOOTREPLY      0
DHCPOFFER      1
DHCPACK        1
DHCPNAK        0
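The "Hardware address" column in the ASA binding above (and the Client-ID column R4 prints in Task 2) is not a MAC address: it is the DHCP client identifier (option 61) that IOS builds as a type byte 0x00 followed by the ASCII string cisco-<mac>-<interface>. The following Python decoder is an added example, not part of the workbook: it decodes the identifier copied from the page’s output, also handles the plain hardware-address form (type 1 followed by six MAC bytes), and rebuilds the dotted-hex form from a MAC and interface name. Names such as decode_client_id are this example’s own.

```python
import re
from typing import Dict, Optional

# Copied from the page's 'show dhcpd binding' / 'show ip dhcp binding' output.
BINDING_HEX = "0063.6973.636f.2d30.3031.392e.3330.3130.2e38.3631.382d.4661.302f.30"

# IOS text identifier: 'cisco-' + MAC in Cisco dotted form + '-' + short interface name.
_IOS_ID = re.compile(r"cisco-([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})-(.+)", re.IGNORECASE)


def client_id_bytes(dotted_hex: str) -> bytes:
    """Strip the dots the CLI inserts every 4 hex digits and return the raw bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", dotted_hex)
    if len(digits) % 2:
        raise ValueError("client identifier has an odd number of hex digits")
    return bytes.fromhex(digits)


def dotted_hex(raw: bytes) -> str:
    """Render bytes the way 'show dhcpd binding' does: 4 hex digits per group."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_client_id(dotted: str) -> Dict[str, object]:
    """Decode a DHCP option 61 client identifier.

    The first byte is the identifier type (RFC 2132): 1 means an Ethernet
    hardware address follows; 0 is an opaque identifier, which IOS fills
    with the text 'cisco-<mac>-<interface>'.
    """
    raw = client_id_bytes(dotted)
    if not raw:
        raise ValueError("empty client identifier")
    ctype, payload = raw[0], raw[1:]
    result: Dict[str, object] = {"type": ctype, "text": None, "mac": None, "interface": None}
    if ctype == 1 and len(payload) == 6:
        result["mac"] = ":".join(f"{b:02x}" for b in payload)
    elif ctype == 0:
        text = payload.decode("ascii", errors="replace")
        result["text"] = text
        m = _IOS_ID.fullmatch(text)
        if m:
            cisco_mac = m.group(1).replace(".", "").lower()
            result["mac"] = ":".join(cisco_mac[i:i + 2] for i in range(0, 12, 2))
            result["interface"] = m.group(2)
    return result


def encode_ios_client_id(cisco_mac: str, ifname: str) -> str:
    """Build the identifier an IOS interface sends, in the CLI's dotted-hex form."""
    text = f"cisco-{cisco_mac}-{ifname}"
    return dotted_hex(b"\x00" + text.encode("ascii"))


if __name__ == "__main__":
    print(decode_client_id(BINDING_HEX))
    print(encode_ios_client_id("0019.3010.8618", "Fa0/0") == BINDING_HEX)
```

Decoding the page’s identifier yields cisco-0019.3010.8618-Fa0/0, i.e. R1’s F0/0 MAC and interface name. Keep in mind that both this identifier and the hostname in the %DHCP-6-ADDRESS_ASSIGN message are supplied by the client and are trivially forged, so neither is a basis for authorising a lease; DHCP snooping on the switch, not the identifier, is what ties a lease to a port.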

Task 2
Clear the previous DHCP server configuration on the ASA.
There is a DHCP server located on R4. Configure ASA so that it forwards all DHCP messages coming from inside hosts to that server. The ASA should be the default gateway for the inside network.

The ASA can also be used as a DHCP Relay Agent in case the DHCP server is located on a different network. In that mode the ASA relays all DHCP messages to the configured DHCP server and can set itself as the default gateway in the DHCP messages returned to the clients (dhcprelay setroute). The relay puts its own interface address into the gateway address (giaddr) field of the forwarded request, which is how the server on R4 knows to answer from its 10.1.101.0/24 pool.
Note that the DHCP Relay Agent feature is unavailable in transparent firewall mode, as there is no need to relay DHCP messages in that mode: the ASA bridges DHCP like any other IP traffic when working in transparent mode, provided its access lists permit UDP ports 67 and 68 through.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# clear configure dhcpd
ASA-FW(config)# dhcprelay server 10.1.104.4 DMZ
ASA-FW(config)# dhcprelay enable IN
ASA-FW(config)# dhcprelay setroute IN


Verification
ASA-FW(config)# sh dhcprelay state
Context  Configured as DHCP Relay
Interface OUT, Not Configured for DHCP
Interface IN, Configured for DHCP RELAY SERVER
Interface DMZ, Configured for DHCP RELAY

ASA-FW(config)# sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST    0
DHCPDISCOVER   0
DHCPREQUEST    0
DHCPDECLINE    0
DHCPRELEASE    0
DHCPINFORM     0
BOOTREPLY      0
DHCPOFFER      0
DHCPACK        0
DHCPNAK        0

R1(config)#int f0/0
R1(config-if)#shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#no shut
R1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.101.1,
mask 255.255.255.0, hostname R1

R4#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.101.1      0063.6973.636f.2d30.    Feb 04 2010 09:13 PM    Automatic
                3031.392e.3330.3130.
                2e38.3631.382d.4661.
                302f.30


ASA-FW(config)# sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST    0
DHCPDISCOVER   1
DHCPREQUEST    1
DHCPDECLINE    0
DHCPRELEASE    0
DHCPINFORM     0
BOOTREPLY      0
DHCPOFFER      1
DHCPACK        1
DHCPNAK        0

Lab 1.34. URL filtering and applets blocking

Lab Setup
 R1’s F0/0 and ASA’s E0/1 interface should be configured in VLAN 101.
 R2’s G0/0 and ASA’s E0/0 interface should be configured in VLAN 102
 Websense server’s NIC (installed on ACS) and ASA’s E0/2 interface should
be configured in VLAN 103

 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise all their directly connected networks.
IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
WebSense          NIC                           10.1.103.100/24
ASA1/ASA-FW       E0/0 (Outside, Security 0)    10.1.102.10/24
                  E0/1 (Inside, Security 100)   10.1.101.10/24
                  E0/2 (DMZ, Security 50)       10.1.103.10/24

Task 1
Configure ASA to cooperate with the WebSense server to filter out URLs blocked by the WebSense policy. The policy should be enforced for HTTP/HTTPS traffic from every IP address, and in case of a WebSense server failure the ASA should pass traffic without URL filtering.
In addition to that, configure ASA so that it blocks all ActiveX and Java objects embedded in HTTP responses.
FTP access should also be blocked for IP addresses from subnet 10.1.10.0/24, except the Administrator’s workstation on 10.1.10.100.

Java applets and ActiveX controls are executable programs that can be dangerous for the end user. Some applets contain hidden code that can destroy data on the internal network, and they arrive over the very HTTP port 80 you have permitted. The ASA can prevent users from downloading applets from websites by using the "filter" command. This can be configured for some users/subnets only, allowing other users to download applets when surfing the Internet.
In addition to applet filtering, the ASA can filter URLs in conjunction with Websense and Secure Computing (SmartFilter) URL-filtering software. When the ASA receives a request from a user to access a URL, it queries the URL-filtering server to determine whether to allow or block the requested web page. Before you enable URL filtering, you must designate at least one server on which the Websense or SmartFilter URL-filtering application is installed.
Configuring the URL-filtering software is out of scope for the CCIE Security lab exam, so in case of such a question the grading script (or person) will probably look for the appropriate commands in the ASA configuration.
The "filter url" command enables URL filtering and accepts some additional options at the end:
allow             - allows outbound traffic when the URL server is down (fail-open); without it, web traffic is dropped while the server is unreachable
cgi-truncate      - if a question mark is found in the URL, removes all characters after the question mark before the lookup
longurl-deny      - denies oversized URL requests
longurl-truncate  - sends only the host part of the URL (e.g. domain.com) to the URL-filtering server when an oversized URL is found
The URL filtering feature extends to HTTPS and FTP as well. However, in the case of HTTPS the request is encrypted and the ASA cannot retrieve the URL, so it sends the IP address of the web server to the URL-filtering server for checking instead. For FTP there is an additional option (interact-block) which prevents users from using interactive FTP sessions, i.e. sessions that change directories step by step instead of supplying the full path in one request that can be looked up.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA-FW(config)# url-server (DMZ) vendor websense host 10.1.103.100 timeout 30 protocol TCP version 4 connections 5
ASA-FW(config)# filter ftp except 10.1.10.100 255.255.255.255 0.0.0.0 0.0.0.0
ASA-FW(config)# filter ftp 21 10.1.10.0 255.255.255.0 0.0.0.0 0.0.0.0 interact-block
ASA-FW(config)# filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ASA-FW(config)# filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
ASA-FW(config)# filter ActiveX 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ASA-FW(config)# filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Note that "filter ftp" does not block FTP by itself: it sends FTP requests from 10.1.10.0/24 to the URL-filtering server for a verdict, and only the "except" entry for 10.1.10.100 bypasses that lookup. Because the FTP entry carries no "allow" keyword, the ASA drops that FTP traffic whenever the Websense server is unreachable (as it is in this lab), which is the only sense in which FTP is "blocked" by this configuration; the HTTP and HTTPS entries fail open, as the task requires.

Verification
ASA-FW(config)# sh url-server statistics
Global Statistics:
--------------------
URLs total/allowed/denied                 0/0/0
URLs allowed by cache/server              0/0
URLs denied by cache/server               0/0
HTTPSs total/allowed/denied               0/0/0
HTTPSs allowed by cache/server            0/0
HTTPSs denied by cache/server             0/0
FTPs total/allowed/denied                 0/0/0
FTPs allowed by cache/server              0/0
FTPs denied by cache/server               0/0
Requests dropped                          0
Server timeouts/retries                   0/0
Processed rate average 60s/300s           0/0 requests/second
Denied rate average 60s/300s              0/0 requests/second
Dropped rate average 60s/300s             0/0 requests/second

Server Statistics:
--------------------
10.1.103.100                              DOWN
  Vendor                                  websense
  Port                                    15868
  Requests total/allowed/denied           0/0/0
  Server timeouts/retries                 0/0
  Responses received                      0
  Response time average 60s/300s          0/0

URL Packets Sent and Received Stats:
-----------------------------------
Message                 Sent    Received
STATUS_REQUEST          7       0
LOOKUP_REQUEST          0       0
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method               0
URL buffer update failure                 0

Note that the Websense server is in DOWN state. This is because there is no
Websense software installed on the ACS. In the lab, however, it is possible to
install trial Websense software on the ACS server and check the configuration.

Lab 1.35. Troubleshooting using Packet Tracer and Capture tools

Lab Setup
 R1’s F0/0 and ASA’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA’s E0/0 interface should be configured in VLAN 102
 R4’s F0/0 and ASA’s E0/2 interface should be configured in VLAN 104

 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise all their directly connected networks.
IP Addressing
Device/Hostname   Interface (ifname)            IP address
R1                Lo0                           1.1.1.1/24
                  F0/0                          10.1.101.1/24
R2                Lo0                           2.2.2.2/24
                  F0/0                          10.1.102.2/24
R4                Lo0                           4.4.4.4/24
                  F0/0                          10.1.104.4/24
ASA1/ASA-FW       E0/0 (Outside, Security 0)    10.1.102.10/24
                  E0/1 (Inside, Security 100)   10.1.101.10/24
                  E0/2 (DMZ, Security 50)       10.1.104.10/24

Task 1
You are trying to ping R2’s 10.1.102.2 address from R1. The ping fails. Using the available ASA tools, troubleshoot and resolve the issue.
R1#ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Troubleshooting
ASA-FW(config)# packet-tracer input Inside icmp 10.1.101.1 0 0 10.1.102.2 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd78c48c0, priority=1, domain=permit, deny=false
     hits=22, user_data=0x0, cs_id=0x0, l3_type=0x8
     src mac=0000.0000.0000, mask=0000.0000.0000
     dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.102.0      255.255.255.0   Outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd7c4e720, priority=0, domain=permit-ip-option, deny=true
        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd7cb61f0, priority=66, domain=inspect-icmp-error, deny=false
        hits=2, user_data=0xd78c1080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 728, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: Inside

input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Hmm, everything seems OK. Take a closer look at the above output: it covers ONLY
one direction of the flow. The injected ICMP packet entered on Inside and left on
Outside. We need to check the opposite direction as well, from Outside towards
Inside. Let's look…

ASA-FW(config)# packet-tracer input Outside icmp 10.1.102.2 8 0 10.1.101.1 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.101.0      255.255.255.0   Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x330f848, priority=0, domain=permit, deny=true
        hits=6, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
As you can see, the packet has been denied by the ACL (implicit rule). Let’s
confirm that by enabling logging at Debug (7) level.

ASA-FW(config)# logging buffered 7
ASA-FW(config)# logging on
ASA-FW(config)# clear logging buffer

R2#pi 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA-FW(config)# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 6 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
User 'enable_15' executed the 'clear logging buffer' command.
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)

Confirmed! Five Echo Requests have been denied on the Outside interface.
We can also use another tool to check what happened. Capture is the packet sniffer
built into the ASA; with the "trace" option it records, for each captured packet,
what the device did with it. Let's capture traffic on the Outside interface with
the "trace" option enabled.

ASA-FW(config)# capture ISSUE trace interface outside

R2#pi 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# sh capture ISSUE trace
5 packets captured
1: 14:22:20.842348 10.1.102.2 > 10.1.101.1: icmp: echo request
2: 14:22:20.854386 10.1.102.2 > 10.1.101.1: icmp: echo request
3: 14:22:20.855073 10.1.102.2 > 10.1.101.1: icmp: echo request
4: 14:22:20.867905 10.1.102.2 > 10.1.101.1: icmp: echo request
5: 14:22:20.885055 10.1.102.2 > 10.1.101.1: icmp: echo request
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.101.0      255.255.255.0   Inside

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
5 packets shown
ASA-FW(config)# no capture ISSUE
This is similar to the Packet Tracer output. Again, we see that the packets have
been dropped by the implicit deny on the Outside interface.
The main difference between Packet Tracer and Capture is that Capture works on
real packets, including those that belong to existing flows, whereas Packet
Tracer only injects a synthetic packet into the traffic plane. Capture is
therefore more useful for seeing both directions of a flow: you can check whether
the returning packets are being dropped for some reason.
Let's look at a ping in the other direction, from R1 towards R2. Assuming the
default ASA configuration, the Echo Request should pass the ASA as this packet is
going from Inside (100) to Outside (0). However, the returning Echo Reply should
be dropped: ICMP is not inspected by the default global policy, so no flow
information exists for it, and there is no ACL on Outside permitting it. Let's
check this out then…

ASA-FW(config)# capture ICMP-I trace detail interface Inside
ASA-FW(config)# capture ICMP-O trace detail interface Outside
ASA-FW(config)# sh capture ICMP-I
1 packet captured
1: 14:41:26.596404 10.1.101.1 > 10.1.102.2: icmp: echo request
1 packet shown
ASA-FW(config)# sh capture ICMP-O
2 packets captured
1: 14:41:26.597259 10.1.101.1 > 10.1.102.2: icmp: echo request
2: 14:41:26.603774 10.1.102.2 > 10.1.101.1: icmp: echo reply
2 packets shown
Huh! See that there are two packets captured on the Outside interface and only
one on the Inside. This should make you suspicious that something is not right
here. If everything worked, the Echo Reply packet should also be seen on the
Inside interface.
Let's "trace" that capture to see what the ASA has done with those packets.
ASA-FW(config)# sh capture ICMP-O trace
2 packets captured
1: 14:41:26.597259 10.1.101.1 > 10.1.102.2: icmp: echo request
2: 14:41:26.603774 10.1.102.2 > 10.1.101.1: icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x333b008, priority=12, domain=capture, deny=false
        hits=1, user_data=0x32f33b0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x330f5d8, priority=1, domain=permit, deny=false
        hits=168, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.101.0      255.255.255.0   Inside

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x330f848, priority=0, domain=permit, deny=true
        hits=35, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-FW(config)# sh capture
capture ICMP-I type raw-data trace detail interface Inside [Capturing - 212 bytes]
capture ICMP-O type raw-data trace detail interface Outside [Capturing - 342 bytes]
ASA-FW(config)# no cap ICMP-I
ASA-FW(config)# no cap ICMP-O
Again, we see the returning packet has been denied by the ACL. This is because
ICMP is stateless (there is no connection the ASA can track on its own) and no
ICMP inspection is enabled on the ASA. To make it work we should either configure
ICMP inspection or permit ICMP echo-reply in the inbound ACL on the Outside
interface. Inspection is the better choice from a security standpoint: it creates
a flow for each Echo Request and admits only the matching Echo Reply, whereas an
ACL entry lets any outside host send echo-replies inward at any time.
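The asymmetry check just performed by eye (one packet on Inside, two on Outside) and the walk through the trace phases can be automated when the captures hold many packets. The following Python script is an added example written for this page, not an ASA feature or Cisco code: it pairs two "show capture" outputs by source, destination and ICMP type and reports replies that reached Outside but never Inside, then walks a trace dump to the phase that dropped the packet and its Drop-reason. The capture and trace text embedded in it is constructed to mirror the ICMP-I/ICMP-O output shown above; the function names are the example's own.

```python
"""Spot ICMP replies that arrived on Outside but never appeared on Inside, and walk
a packet-tracer / 'show capture ... trace' dump to the phase that dropped the packet.
Added example for this page, not Cisco code; the sample output below is constructed
to mirror the lab's ICMP-I / ICMP-O captures."""
import re
from collections import Counter

PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+): icmp: echo (request|reply)")
PHASE_RE = re.compile(r"^Phase: (\d+)$")
TYPE_RE = re.compile(r"^Type: (\S+)$")
RESULT_RE = re.compile(r"^Result: (ALLOW|DROP)$")
DROP_RE = re.compile(r"^Drop-reason: \((\S+)\) (.*)$")

# Constructed copies of the two captures taken in the lab (same packets, same order).
INSIDE_CAP = """1 packet captured
1: 14:41:26.596404 10.1.101.1 > 10.1.102.2: icmp: echo request
1 packet shown"""
OUTSIDE_CAP = """2 packets captured
1: 14:41:26.597259 10.1.101.1 > 10.1.102.2: icmp: echo request
2: 14:41:26.603774 10.1.102.2 > 10.1.101.1: icmp: echo reply
2 packets shown"""
# Constructed trace of the echo reply, trimmed to the fields the parser uses.
REPLY_TRACE = """Phase: 1
Type: CAPTURE
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Phase: 3
Type: FLOW-LOOKUP
Result: ALLOW
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 5
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule"""


def parse_capture(text):
    """(src, dst, 'request'|'reply') for every ICMP echo line of a 'show capture NAME'."""
    return [m.groups() for m in map(PKT_RE.match, text.splitlines()) if m]


def asymmetric_replies(inside_text, outside_text):
    """Replies counted on Outside more often than on Inside: with no ICMP inspection
    the ASA has no flow for them, so the implicit deny on Outside discards them."""
    inside = Counter(parse_capture(inside_text))
    outside = Counter(parse_capture(outside_text))
    return [{"src": s, "dst": d, "outside": n, "inside": inside[(s, d, k)]}
            for (s, d, k), n in outside.items()
            if k == "reply" and inside[(s, d, k)] < n]


def trace_verdict(text):
    """Collect each Phase/Type/Result triple; report the first DROP and the Drop-reason."""
    phases, cur, reason = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PHASE_RE.match(line):
            cur = {"phase": int(m.group(1))}
            phases.append(cur)
        elif cur and (m := TYPE_RE.match(line)):
            cur["type"] = m.group(1)
        elif cur and (m := RESULT_RE.match(line)):   # the bare trailing "Result:" is skipped
            cur["result"] = m.group(1)
        elif m := DROP_RE.match(line):
            reason = (m.group(1), m.group(2))
    dropped = next((p for p in phases if p.get("result") == "DROP"), None)
    return {"phases": phases, "dropped_at": dropped, "drop_reason": reason}


if __name__ == "__main__":
    print(asymmetric_replies(INSIDE_CAP, OUTSIDE_CAP))
    verdict = trace_verdict(REPLY_TRACE)
    print(verdict["dropped_at"], verdict["drop_reason"])
```

Feed it the text of "show capture ICMP-I" and "show capture ICMP-O" for the first function and the text of "show capture ICMP-O trace" (or a packet-tracer run) for the second; a non-empty result from asymmetric_replies() combined with an acl-drop verdict on an ACCESS-LIST phase is exactly the missing-inspection signature shown in this lab.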
Another useful tool is DEBUG. However, it is not recommended to enable it in
production as this may overwhelm your device. A very quick check we can use here
is enabling "debug icmp trace".

R1#ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA-FW(config)# deb icmp trace
debug icmp trace enabled at level 1
ASA-FW(config)# ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=0 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=1 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=2 len=72

ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=3 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=4 len=72

From the output we see that the ICMP packets get routed out of the Outside
interface but never return. Let's fix the issue by enabling ICMP inspection.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exi
ASA-FW(config-pmap)# exi

R1#ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASA-FW(config)# sh debug
debug icmp trace enabled at level 1
ASA-FW(config)# ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=0 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=0 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=1 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=1 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=2 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=2 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=3 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=3 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=4 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=4 len=72


Advanced CCIE SECURITY v4 LAB WORKBOOK

Site-to-Site VPN

Narbik Kocharians
CCIE #12410 (R&S, Security, SP)
CCSI #30832

Piotr Matusiak
CCIE #19860 (R&S, Security)
C|EH, CCSI #33705

www.MicronicsTraining.com

Lab 1.36.

Basic Site to Site IPSec VPN Main Mode (IOS-IOS)

Lab Setup
 R1's F0/0 and R2's G0/0 interface should be configured in VLAN 120
 Configure Telnet on all routers using password "cisco"
 Configure static routing on R1 and R2 to be able to reach the Loopback IP addresses

IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/32
         F0/0        10.1.12.1/24
R2       Lo0         2.2.2.2/32
         G0/0        10.1.12.2/24

Task 1
Configure a basic Site to Site IPSec VPN to protect traffic between IP addresses
1.1.1.1 and 2.2.2.2 using the following policy:

ISAKMP Policy                  IPSec Policy
Authentication: Pre-shared     Encryption: ESP-3DES
Encryption: 3DES               Hash: MD5
Hash: MD5                      Proxy ID: 1.1.1.1 <-> 2.2.2.2
DH Group: 2
PSK: cisco123

 ISAKMP (Internet Security Association and Key Management Protocol) is defined
in RFC 2408 and is a framework which defines the following:
- procedures to authenticate a communicating peer
- how to create and manage SAs (Security Associations)
- key generation techniques
- threat mitigation (like DoS and replay attacks)

ISAKMP does not specify any details of key management or key exchange and is not
bound to any key generation technique. Cisco uses Oakley for the key exchange
protocol. Oakley enables you to choose between different well-known DH
(Diffie-Hellman) groups. ISAKMP and Oakley create an authenticated, secure tunnel
between two entities, and then negotiate the SA for IPSec. Inside of ISAKMP, each
device must be able to identify its peer. There are three authentication methods
available: (1) RSA signatures (PKI), (2) RSA encrypted pseudo-random numbers
(NONCES), and (3) pre-shared keys (PSK). Before the IPSec tunnel is established,
both peers must authenticate each other and establish a shared key. The DH
protocol is used to agree on a common session key. IPSec uses a different shared
key from ISAKMP and Oakley. The IPSec shared key can be derived by using DH again
to ensure PFS (Perfect Forward Secrecy) or by refreshing the shared secret derived
from the original DH exchange.

IKE is a hybrid protocol which establishes a shared security policy and
authenticated keys for services that require keys, such as IPSec. ISAKMP and IKE
are often used interchangeably, however these two items are somewhat different.

IKE Phase 1 - two ISAKMP peers establish a secure, authenticated channel. This
channel is known as the ISAKMP SA. There are two modes defined by ISAKMP: Main
Mode and Aggressive Mode.

IKE Phase 2 - SAs are negotiated on behalf of services such as IPSec that need
keying material. This phase is called Quick Mode.

To configure IKE Phase 1 you need to create ISAKMP policies. It is possible to
configure multiple policy statements with different configuration statements, and
then let the two hosts come to an agreement. You can use two methods to configure
ISAKMP (IKE Phase 1):

I. Using PSK:
1. Configure ISAKMP protection suite (policy)
- Specify what size modulus to use for the DH calculation (group1: 768 bits,
group2: 1024 bits, group5: 1536 bits)
- Specify a hashing algorithm (MD5 or SHA)
- Specify the lifetime of the SA (in seconds)
- Specify the authentication method (PSK)
- Specify the encryption algorithm (DES, 3DES, AES)
2. Configure the ISAKMP pre-shared key (one per peer)

II. Using PKI:
1. Create an RSA key for the router
2. Request the certificate of the CA
3. Enroll certificates for the client router (certify your keys)
4. Configure the ISAKMP protection suite (policy) like it is for PSK but specify
rsa-sig as the authentication method

To configure IPSec (IKE Phase 2) do the following:
1. Create an extended ACL (determines interesting traffic, i.e. the traffic that
should be protected by IPSec)
2. Create an IPSec transform set; like ISAKMP policies, transform sets are the
setting suites to choose from
3. Create a crypto map to bind all components together:
- Specify the peer IP address
- Specify the SA lifetime (for IPSec SAs)
- Specify the transform sets
- Specify the ACL to match interesting traffic
4. Apply the crypto map to an egress interface

Configuration
Complete these steps:

Step 1 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 10.1.12.2

Remember that the pre-shared key value must be the same at both sides of an IPSEC
tunnel. Be careful of using leading spaces in the pre-shared key value. It may
seriously complicate your lab exam.

R1(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)# set peer 10.1.12.2
R1(config-crypto-map)# set transform-set TSET
R1(config-crypto-map)# match address 120
R1(config-crypto-map)#access-list 120 permit ip host 1.1.1.1 host 2.2.2.2
R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exi
R1(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ISAKMP is enabled and working. The router will be processing IKE packets (UDP,
port 500) to establish the ISAKMP "auxiliary" tunnel which will be used to
securely negotiate the parameters of the IPSec tunnel.

Step 2 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#crypto isakmp key cisco123 address 10.1.12.1
R2(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)# set peer 10.1.12.1
R2(config-crypto-map)# set transform-set TSET
R2(config-crypto-map)# match address 120
R2(config-crypto-map)#access-list 120 permit ip host 2.2.2.2 host 1.1.1.1
R2(config)#int g0/0
R2(config-if)#crypto map CMAP
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
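The following Python script is an added illustration of the arithmetic the two routers perform once the above configuration is in place; it is not IOS code and not part of the workbook. It implements the RFC 2409 pre-shared-key derivations for the lab policy (HMAC-MD5 as the PRF, Oakley group 2): the DH exchange carried in Main Mode messages 3 and 4, the SKEYID family, the HASH_I that the responder verifies in messages 5 and 6, and the per-SPI KEYMAT for the two ESP SAs negotiated in Quick Mode. The cookies, nonces, SA payload body and the negotiate() helper are constructed assumptions, and the SPI values are taken from the debug output that follows. With the same "cisco123" on both sides the hash check passes; with " cisco123" (leading space) on R2 it fails, which is the symptom the note above warns about.

```python
"""IKEv1 pre-shared-key key derivation (RFC 2409 sections 5, 5.4 and 5.5) for the
lab's 'encr 3des / hash md5 / group 2 / authentication pre-share' policy.
Added illustration for this workbook page; not IOS code. Cookies, nonces and the
SA payload body below are constructed, not captured."""
import hashlib
import hmac
import secrets

# Oakley group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
GROUP_LEN = 128  # bytes of a group-2 public value and of g^xy


def prf(key: bytes, data: bytes) -> bytes:
    """'hash md5' in the ISAKMP policy makes HMAC-MD5 the negotiated PRF."""
    return hmac.new(key, data, hashlib.md5).digest()


def dh_public(x: int) -> bytes:
    """KE payload value g^x mod p, as carried in Main Mode messages 3 and 4."""
    return pow(GENERATOR, x, MODP_1024).to_bytes(GROUP_LEN, "big")


def dh_shared(x: int, peer_public: bytes) -> bytes:
    """g^xy from our exponent and the peer's KE payload; rejects degenerate values."""
    y = int.from_bytes(peer_public, "big")
    if not 1 < y < MODP_1024 - 1:
        raise ValueError("degenerate DH public value")
    return pow(y, x, MODP_1024).to_bytes(GROUP_LEN, "big")


def phase1_keys(psk: bytes, gxy: bytes, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID family for pre-shared-key authentication. The PSK never goes on the wire;
    it only keys the PRF over the two nonces, so 'cisco123' and ' cisco123' yield
    unrelated SKEYIDs and therefore a failed HASH check."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase 2 KEYMAT
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # integrity of ISAKMP msgs
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts MM5/MM6 and QM
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid: bytes, g_xi: bytes, g_xr: bytes, cky_i: bytes, cky_r: bytes,
           sa_i: bytes, id_i: bytes) -> bytes:
    """HASH_I sent in Main Mode message 5; the responder recomputes it with its own PSK."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i + id_i)


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni_qm: bytes, nr_qm: bytes,
                      need: int, g_qm_xy: bytes = b"") -> bytes:
    """KEYMAT for one IPSec SA (RFC 2409 section 5.5). A non-empty g_qm_xy means a fresh
    Quick Mode DH exchange (PFS) was done; otherwise only SKEYID_d, nonces and SPI feed it."""
    seed = g_qm_xy + bytes([protocol]) + spi + ni_qm + nr_qm
    out, block = b"", b""
    while len(out) < need:                    # expansion: K2 = prf(SKEYID_d, K1 | seed), ...
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:need]


def negotiate(psk_r1: bytes, psk_r2: bytes, x_r1: int, x_r2: int) -> dict:
    """Run both sides of the Main Mode derivation and R2's HASH_I check, then derive the
    esp-3des (24-byte key) + esp-md5-hmac (16-byte key) KEYMAT per SA, one per SPI."""
    cky_i = bytes.fromhex("49e25a0800000001")          # constructed ISAKMP cookies
    cky_r = bytes.fromhex("48ae852c00000002")
    ni, nr = bytes(range(16)), bytes(range(16, 32))    # constructed Phase 1 nonces
    sa_i = bytes.fromhex("0000000100000001")           # stand-in for the SA payload body
    # ID payload body as the debug prints it: ID_IPV4_ADDR(1), proto 17, port 500, 10.1.12.1
    id_i = bytes([1, 17]) + (500).to_bytes(2, "big") + bytes([10, 1, 12, 1])
    g_xi, g_xr = dh_public(x_r1), dh_public(x_r2)
    gxy_r1, gxy_r2 = dh_shared(x_r1, g_xr), dh_shared(x_r2, g_xi)
    r1 = phase1_keys(psk_r1, gxy_r1, ni, nr, cky_i, cky_r)
    r2 = phase1_keys(psk_r2, gxy_r2, ni, nr, cky_i, cky_r)
    sent = hash_i(r1["SKEYID"], g_xi, g_xr, cky_i, cky_r, sa_i, id_i)
    expected = hash_i(r2["SKEYID"], g_xi, g_xr, cky_i, cky_r, sa_i, id_i)
    authenticated = hmac.compare_digest(sent, expected)
    keymat = {}
    if authenticated:                                  # Quick Mode only runs on an authenticated SA
        ni_qm, nr_qm = b"\xaa" * 16, b"\xbb" * 16      # constructed Quick Mode nonces
        for name, spi in (("inbound", bytes.fromhex("B7629AFD")),
                          ("outbound", bytes.fromhex("C486083C"))):
            keymat[name] = quick_mode_keymat(r1["SKEYID_d"], 50, spi, ni_qm, nr_qm, 24 + 16)
    return {"dh_agrees": gxy_r1 == gxy_r2, "authenticated": authenticated, "keymat": keymat}


if __name__ == "__main__":
    x1 = secrets.randbelow(MODP_1024 - 2) + 1
    x2 = secrets.randbelow(MODP_1024 - 2) + 1
    print(negotiate(b"cisco123", b"cisco123", x1, x2)["authenticated"])   # True
    print(negotiate(b"cisco123", b" cisco123", x1, x2)["authenticated"])  # False: leading space
```

Two points the output makes concrete: the DH step succeeds even when the PSKs differ (both sides still agree on g^xy), so a PSK mismatch only surfaces at the HASH check in messages 5 and 6, never earlier; and the inbound and outbound SAs get different keys because each SPI is part of the KEYMAT seed.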

Detailed verification on R1

Let's perform some debugging to see what exactly is going on during IPSec tunnel
establishment. The two best debugs are: debug crypto isakmp and debug crypto
ipsec. To actually see something we need to pass "interesting" traffic (defined
by the crypto ACL) which will trigger the ISAKMP process.

R1#deb crypto isakmp
Crypto ISAKMP debugging is on
R1#deb crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R1#

The first ICMP packet triggers the ISAKMP process as this is our interesting
traffic matching our ACL. Before actually starting to send IKE packets to the
peer, the router first checks if there is any local SA (Security Association)
matching that traffic.

IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.12.1, remote= 10.1.12.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)

The router has tried to find any IPSec SA matching the outgoing connection but no
valid SA has been found in the Security Association Database (SADB) on the
router. Note that this check is against the IPSec SA, not the IKE SA. OK, no SA
means there must be an IKE packet sent out.

ISAKMP: Created a peer struct for 10.1.12.2, peer port 500
ISAKMP: New peer created peer = 0x49E25A08 peer_handle = 0x80000003
ISAKMP: Locking peer struct 0x49E25A08, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE

 IKE Phase 1 (Main Mode) message 1

ISAKMP:(0):insert sa successfully sa = 48C5EC5C
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

By default, IKE Main Mode is used so we should expect 6 packets for Phase I.
There is a message saying that Aggressive Mode cannot start, however it does not
mean that there is some error; it just means that Aggressive Mode is not
configured on the local router. The router has started IKE Main Mode (it is the
default).

ISAKMP:(0):found peer pre-shared key matching 10.1.12.2

The pre-shared key for the remote peer has been found. The router checks the
configured ISAKMP policy and sees that PSK (Pre-Shared Key) authentication is
configured, so it must check if there is a key for the peer configured as well.
ISAKMP will use it to authenticate the peer during one of the last stages of IKE
Phase 1.

ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.

The router initiating the IKE exchange is called "the initiator". The router
responding to the IKE request is called "the responder". The 1st IKE packet is
sent out to the peer's IP address on UDP port 500, which is the default. The
packet contains the locally configured ISAKMP policy (or policies, if many) to be
chosen by the peer. The initiator (R1) has sent the ISAKMP policy along with
vendor specific IDs which are a part of the IKE packet payload. MM_NO_STATE
indicates that the ISAKMP SA has been created, but nothing else has happened yet.

 IKE Phase 1 (Main Mode) message 2

ISAKMP (0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) MM_NO_STATE

OK, we have got a response packet from the peer. The responder (R2) has responded
with an IKE packet that contains the negotiated ISAKMP policy along with its
vendor specific IDs. Note that the IKE Main Mode state is still MM_NO_STATE.

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):found peer pre-shared key matching 10.1.12.2
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...

The router is processing the ISAKMP parameters that have been sent as the reply.
The received packet contains the SA chosen by the peer and some other useful
information like Vendor IDs. Vendor IDs are processed to determine if the peer
supports e.g. NAT-Traversal or the Dead Peer Detection feature. Those vendor
specific payloads are used to discover NAT along the path and to maintain
keepalives (DPD).

ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0

The router matches the ISAKMP policy from the packet against the ones configured
locally. Remember that the policy obtained from the remote peer is compared with
the locally defined policies starting from the lowest index (number) of policy
defined in the running config. If there is a match, the tunnel establishment
process continues. "atts are acceptable" indicates that the ISAKMP policy
matches with the remote peer, so everything is going smoothly. This is the first
place where something could go wrong and it is the most common issue when
configuring VPNs: if the policy configured on both routers is not the same, the
crosscheck fails and the tunnel stays down.

ISAKMP:(0):Acceptable atts:actual life: 0

ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

Note that the default value of "lifetime" is used (86400 seconds). This is the
lifetime for the ISAKMP SA; the lifetime timer has been started. Note that IPSEC
SAs have their own lifetime parameters which may be defined as a number of seconds
or as kilobytes of transmitted traffic.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

 IKE Phase 1 (Main Mode) message 3

The third message is sent out containing KE (Key Exchange) information for the DH
(Diffie-Hellman) secure key exchange process. This message contains the KE
payload and, based on that information, both peers can generate a common session
key to be used in securing further communication. The pre-shared key configured
locally for the peer is used in this calculation. After receiving this message
the peers are also able to determine if there is a NAT along the path.

ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

"MM_SA_SETUP" indicates that the peers have agreed on the parameters for the
ISAKMP SA.

 IKE Phase 1 (Main Mode) message 4

The 4th message has been received from the peer.

ISAKMP (0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 10.1.12.2
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is Unity
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is DPD
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): speaking to another IOS box!
ISAKMP:received payload type 20
ISAKMP (1002): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1002): No NAT Found for self or peer
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4

 IKE Phase 1 (Main Mode) message 5

The fifth message is used for sending the authentication information to the peer.
This information is transmitted under the protection of the common shared secret.
The ISAKMP SA remains unauthenticated; note that the process of authentication
has only just started.

ISAKMP:(1002):Send initial contact
ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.12.1
        protocol     : 17
        port         : 500
        length       : 12
ISAKMP:(1002):Total payload length: 12
ISAKMP:(1002): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5

"MM_KEY_EXCH" indicates that the peers have exchanged Diffie-Hellman public keys
and have generated a shared secret.

 IKE Phase 1 (Main Mode) message 6

The peer identity is verified by the local router and the SA is established.

ISAKMP (1002): received packet from 10.1.12.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

Note that the process of peer authentication is still in progress (MM_KEY_EXCH).

ISAKMP:(1002): processing ID payload. message ID = 0
ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.12.2
        protocol     : 17
        port         : 500
        length       : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1002): processing HASH payload. message ID = 0
ISAKMP:(1002):SA authentication status:
        authenticated
ISAKMP:(1002):SA has been authenticated with 10.1.12.2
ISAKMP: Trying to insert a peer 10.1.12.1/10.1.12.2/500/,  and inserted successfully 49E25A08.
ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6

The peer has been authenticated now. Note that an SA number has been generated
and inserted into the SADB along with the information relevant to the peer which
has been agreed during IKE Main Mode.

ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

This message finishes ISAKMP Main Mode (Phase I) and the status is changed to
IKE_P1_COMPLETE. Remember that there is also one IKE Main Mode state which is not
visible in the debug output. It is "MM_KEY_AUTH", which indicates that the ISAKMP
SA has been authenticated. If the router initiated this exchange, this state
transitions immediately to QM_IDLE and a Quick Mode exchange begins.

 IKE Phase 2 (Quick Mode) message 1

Now it's time for Phase II, which is Quick Mode (QM). The routers are negotiating
the parameters for the IPSec tunnel which will be used for traffic transmission.
These parameters are defined by the "crypto ipsec transform-set" command.

ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 680665262
ISAKMP:(1002):QM Initiator gets spi
ISAKMP:(1002): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Node 680665262, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

The router sends out the packet containing the local Proxy IDs (network/host
addresses to be protected by the IPSec tunnel) and the security policy defined by
the Transform Set. The state of IKE is "QM_IDLE". This indicates that the ISAKMP
SA is idle: it remains authenticated with its peer and may be used for subsequent
quick mode exchanges. It is in a quiescent state.

 IKE Phase 2 (Quick Mode) message 2

The second QM message is the response from the peer. It contains the IPSec policy
chosen by the peer and the peer's Proxy ID. This is the next place where
something can go wrong, if the Proxy IDs are different on both sides of the
tunnel.

ISAKMP (1002): received packet from 10.1.12.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1002): processing HASH payload. message ID = 680665262
ISAKMP:(1002): processing SA payload. message ID = 680665262
ISAKMP:(1002):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(1002):atts are acceptable.

Note that the lifetime values of the IPSec SA are visible at this moment. You
are able to set them either globally or in the crypto map entry. The router
cross-checks whether its Proxy ID is the mirror of the peer's Proxy ID.

IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.12.1, remote= 10.1.12.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 0
        src port     : 0
        dst port     : 0

The local and remote proxies are defined. They reflect the sources and
destinations set in the crypto ACL which defines the interesting traffic for the
IPSec tunnel. Remember that the crypto ACLs at both sides of the tunnel must be
"mirrored". If not, you may get the following entry in the debug output:
IPSEC(initialize_sas): invalid proxy IDs.

ISAKMP:(1002): processing NONCE payload. message ID = 680665262
ISAKMP:(1002): processing ID payload. message ID = 680665262
ISAKMP:(1002): processing ID payload. message ID = 680665262
ISAKMP:(1002): Creating IPSec SAs
        inbound SA from 10.1.12.2 to 10.1.12.1 (f/i)  0/ 0
        (proxy 2.2.2.2 to 1.1.1.1)
        has spi 0xB7629AFD and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 10.1.12.1 to 10.1.12.2 (f/i) 0/0
        (proxy 1.1.1.1 to 2.2.2.2)
        has spi 0xC486083C and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes

The IPSec SAs have been created and inserted into the router's security
associations database (SADB). "atts are acceptable" indicates that the IPSec
parameters defined by the IPSec transform-set match at both sides. SAs are
distinguished by SPI values, which are also used to differentiate the many
tunnels that may terminate on the same router. The SPI value is an index of the
entries in the router's SADB. The SPI value is inserted into the ESP header of
the packet leaving the router. At the other side of the tunnel, the SPI value in
the ESP header enables the router to look up the parameters and keys which have
been dynamically agreed during IKE negotiation, or during a session key refresh
after a lifetime timeout. Note that two SPI values are generated for one tunnel:
one SPI for the inbound SA and one SPI for the outbound SA.

1. ISAKMP:(1002):deleting node 680665262 error FALSE reason "No Error" ISAKMP:(1002):Node 680665262.2 my_port 500 peer_port 500 (I) QM_IDLE ISAKMP:(1002):Sending an IKE IPv4 Packet.1 dst addr : 2.CCIE SECURITY v4 Lab Workbook  IKE Phase 2 (Quick Mode) message 3 The last message finishes QM.1.1. IKE_QM_EXCH ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE IPSEC(key_engine): got a queue event with 1 KMI message(s) Crypto mapdb : proxy_match src addr : 1.1.2. Upon completion of Phase II IPsec session key is derived from new DH shared secret.12. sa_trans= esp-3des esp-md5-hmac .2.2 current outbound sa to SPI C486083C R1# All the negotiations have been completed.12.2.12. sa_trans= esp-3des esp-md5-hmac .12.2 IPSEC(policy_db_add_ident): src 1.2 protocol : 0 src port : 0 dst port : 0 IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1. ISAKMP:(1002): sending packet to 10.12. sa_conn_id= 2003 sa_lifetime(k/sec)= (4449173/3600) IPSEC(create_sa): sa created.1. sa_proto= 50. This session key will be used for encryption until IPSec timer expires. dest 2. dest_port 0 IPSEC(create_sa): sa created.1. The tunnel is up and ready to pass the traffic.2.1.1. sa_proto= 50. (sa) sa_dest= 10. sa_conn_id= 2004 sa_lifetime(k/sec)= (4449173/3600) IPSEC(update_current_outbound_sa): updated peer 10. Detailed verification on R2 Page 339 of 1033 . (sa) sa_dest= 10. Input = IKE_MESG_FROM_PEER. sa_spi= 0xB7629AFD(3076692733). sa_spi= 0xC486083C(3297118268).1.1.2.2.
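The "mirrored crypto ACL" requirement described above can be checked before the tunnel is brought up. The following Python script is an added example, not part of the workbook: it parses IOS extended ACL entries (host, any and wildcard-mask forms) into proxy identities and reports which entries have no mirror image on the other peer, i.e. the ones that would produce "invalid proxy IDs" during Quick Mode. The first ACE on each side is the workbook's access-list 120; the second pair of entries is constructed to show a mask mismatch being caught.

```python
import ipaddress
import re

# Constructed input: the first ACE on each side is the workbook's crypto ACL,
# the second pair is made up (note the /25 vs /24 mask mismatch on R2).
R1_CRYPTO_ACL = """
access-list 120 permit ip host 1.1.1.1 host 2.2.2.2
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
R2_CRYPTO_ACL = """
access-list 120 permit ip host 2.2.2.2 host 1.1.1.1
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.127
"""

ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)$")


def wildcard_to_prefixlen(wildcard):
    """Convert an IOS wildcard mask (inverted netmask) to a prefix length.

    Discontiguous wildcards are rejected: they cannot be expressed as a single
    IKE proxy identity (one address/mask pair).
    """
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    if netmask == 0:
        return 0
    if (netmask | (netmask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return bin(netmask).count("1")


def parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    plen = wildcard_to_prefixlen(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{plen}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of proxy identities (protocol, src_net, dst_net) defined by
    the permit entries of a crypto ACL. deny entries select no traffic."""
    proxies = set()
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or m.group(1) != "permit":
            continue
        proto, rest = m.group(2), m.group(3).split()
        src, rest = parse_endpoint(rest)
        dst, rest = parse_endpoint(rest)
        proxies.add((proto, src, dst))
    return proxies


def fmt(proxy):
    proto, src, dst = proxy
    return f"{proto} {src} -> {dst}"


def check_mirrored(local_acl, remote_acl):
    """Every local proxy must exist on the remote side with source and
    destination swapped, and vice versa; anything else is reported."""
    local, remote = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)

    def mirror(p):
        return (p[0], p[2], p[1])

    return {
        "matched": sorted(fmt(p) for p in local if mirror(p) in remote),
        "local_only": sorted(fmt(p) for p in local if mirror(p) not in remote),
        "remote_only": sorted(fmt(p) for p in remote if mirror(p) not in local),
    }


if __name__ == "__main__":
    for key, entries in check_mirrored(R1_CRYPTO_ACL, R2_CRYPTO_ACL).items():
        print(f"{key}: {entries}")
```

Anything listed under local_only or remote_only is a proxy ID the peer cannot match; the host-to-host entry from the lab is the only one that mirrors cleanly in this constructed input.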

This debug output presents the IKE negotiation from the responder's point of view. Only the most interesting entries, or those not present in the initiator's debug, are remarked on and commented.

IKE Phase 1 (Main Mode) message 1

The first ISAKMP packet hits the router. The transport is UDP; it comes from port 500 to port 500. This packet contains the ISAKMP policy (or policies) configured on the remote peer. The local router needs to choose one which matches a locally configured policy. This process continues until the first match, so from a security perspective it is important to put the more secure policy suites at the beginning (the crypto isakmp policy <ID> determines the order).

ISAKMP (0): received packet from 10.12.1.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 10.12.1.1, peer port 500
ISAKMP: New peer created peer = 0x48AE852C peer_handle = 0x80000002
ISAKMP: Locking peer struct 0x48AE852C, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 487BE048
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):found peer pre-shared key matching 10.12.1.1
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

IKE Phase 1 (Main Mode) message 2

The router sends back an ISAKMP packet containing the chosen ISAKMP policy.

ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to 10.12.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

IKE Phase 1 (Main Mode) message 3

Now the router receives a packet containing the KE payload. This is the Diffie-Hellman exchange taking place to generate the session key in a secure manner. There are also other payloads attached to that message, like Vendor ID (DPD, NAT-T). After receiving this packet the router knows whether there is a NAT Traversal aware device on the other end and whether NAT has been discovered along the path.

ISAKMP (0): received packet from 10.12.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 10.12.1.1
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID is DPD
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): speaking to another IOS box!

Vendor-specific IDs in the IKE packet payload tell the router that it is negotiating the ISAKMP SA with an IOS router.

ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID seems Unity/DPD but major 166 mismatch
ISAKMP:(1001): vendor ID is XAUTH
ISAKMP:received payload type 20
ISAKMP (1001): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1001): No NAT Found for self or peer

NAT-D payloads exchanged during the NAT Discovery process tell the routers at both ends that no NAT device has been found between the peers.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3

IKE Phase 1 (Main Mode) message 4

The local router sends out a message with its KE payload to finish the DH exchange.

ISAKMP:(1001): sending packet to 10.12.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4

IKE Phase 1 (Main Mode) message 5

Peer authentication takes place upon receiving the 5th message.

ISAKMP (1001): received packet from 10.12.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5
ISAKMP:(1001): processing ID payload. message ID = 0
ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 10.12.1.1
        protocol     : 17
        port         : 500
        length       : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1001): processing HASH payload. message ID = 0
ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 487BE048
ISAKMP:(1001):SA authentication status:
        authenticated
ISAKMP:(1001):SA has been authenticated with 10.12.1.1
ISAKMP:(1001):SA authentication status:
        authenticated
ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.12.1.2 remote 10.12.1.1 remote port 500
ISAKMP: Trying to insert a peer 10.12.1.2/10.12.1.1/500/,  and inserted successfully 48AE852C.
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5

IKE Phase 1 (Main Mode) message 6

The peer identity is verified by the local router and the SA is established. This message finishes ISAKMP Main Mode (Phase 1) and the status is changed to IKE_P1_COMPLETE.

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 10.12.1.2
        protocol     : 17
        port         : 500
        length       : 12
ISAKMP:(1001):Total payload length: 12
ISAKMP:(1001): sending packet to 10.12.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
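The state transitions in the debug output (Old State / New State lines) are the quickest way to tell how far a negotiation got before it stalled. The Python script below is an added example, not part of the workbook: it walks a "debug crypto isakmp" capture, maps each responder-side transition to the Main Mode or Quick Mode message it completes (the mapping follows the annotations in the walkthrough above), and reports the last state reached. Both traces are constructed from lines of the shape seen above; the second one is cut off after message 3, as a negotiation that never got its DH reply would look.

```python
import re

# Responder-side transitions and the message each one completes, taken from the
# annotated debug walkthrough; the last entry is the initiator-side transition
# seen in R1's debug.
TRANSITIONS = {
    ("IKE_READY", "IKE_R_MM1"): "MM1 received: peer's ISAKMP policy proposals",
    ("IKE_R_MM1", "IKE_R_MM2"): "MM2 sent: chosen ISAKMP policy",
    ("IKE_R_MM2", "IKE_R_MM3"): "MM3 received: peer's KE and nonce (DH), NAT-D",
    ("IKE_R_MM3", "IKE_R_MM4"): "MM4 sent: local KE (DH exchange finished)",
    ("IKE_R_MM4", "IKE_R_MM5"): "MM5 received: peer ID and hash (authentication)",
    ("IKE_R_MM5", "IKE_P1_COMPLETE"): "MM6 sent: Phase 1 complete",
    ("IKE_QM_READY", "IKE_QM_SPI_STARVE"): "QM1 received: peer's proxy IDs and transform",
    ("IKE_QM_SPI_STARVE", "IKE_QM_R_QM2"): "QM2 sent: local proxy IDs, SPIs allocated",
    ("IKE_QM_R_QM2", "IKE_QM_PHASE2_COMPLETE"): "QM3 received: Phase 2 complete",
    ("IKE_QM_I_QM1", "IKE_QM_PHASE2_COMPLETE"): "QM2 received, QM3 sent: Phase 2 complete",
}

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# IOS prints the status keyword on the line after "SA authentication status:".
AUTH_RE = re.compile(r"SA authentication status:\s*authenticated")

# Constructed trace of a successful responder negotiation (state lines only).
COMPLETE_TRACE = """
ISAKMP (0): received packet from 10.12.1.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
ISAKMP (1001): No NAT Found for self or peer
ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3
ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4
ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5
ISAKMP:(1001):SA authentication status:
        authenticated
ISAKMP:(1001):SA has been authenticated with 10.12.1.1
ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5
ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
ISAKMP:(1001):atts are acceptable.
ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed trace that stops after message 3 (no MM4 was ever sent).
STALLED_TRACE = """
ISAKMP (0): received packet from 10.12.1.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
ISAKMP (0): received packet from 10.12.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
"""


def summarize_ike_debug(text):
    """Extract the state machine progress from a debug crypto isakmp capture."""
    transitions = [m.groups() for m in STATE_RE.finditer(text)]
    reached = {new for _, new in transitions}
    return {
        # self-transitions (IKE_R_MM1 -> IKE_R_MM1) carry no message and are skipped
        "steps": [TRANSITIONS[t] for t in transitions if t in TRANSITIONS],
        "last_state": transitions[-1][1] if transitions else None,
        "authenticated": bool(AUTH_RE.search(text)),
        "phase1_complete": "IKE_P1_COMPLETE" in reached,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in reached,
        # counted twice on a clean run: once for the ISAKMP policy, once for the transform
        "atts_acceptable": text.count("atts are acceptable"),
    }


def describe(summary):
    """One-line verdict suitable for a troubleshooting report."""
    if summary["phase2_complete"]:
        return "IPSec SAs negotiated (Phase 1 and Phase 2 complete)"
    if summary["phase1_complete"]:
        return f"Phase 1 complete, Phase 2 did not finish; last state {summary['last_state']}"
    last_step = summary["steps"][-1] if summary["steps"] else "no transition seen"
    return f"Phase 1 did not finish; last state {summary['last_state']} after: {last_step}"


if __name__ == "__main__":
    for name, trace in (("complete", COMPLETE_TRACE), ("stalled", STALLED_TRACE)):
        print(name, "->", describe(summarize_ike_debug(trace)))
```

For the stalled trace the verdict points at message 3 as the last thing processed, which narrows the search to the DH/NAT-D step rather than authentication or Quick Mode.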

IKE Phase 2 (Quick Mode) message 1

After completing Phase 1 the router receives the first packet of Quick Mode (Phase 2). The packet contains the peer's Proxy IDs (network/host addresses to be protected by the IPSec tunnel) and the security policy defined by the Transform Set. This must be checked against the local configuration. If there is a match (the crypto ACLs are mirrored and the IPSec encryption and authentication algorithms are agreed), the router continues Phase 2.

ISAKMP (1001): received packet from 10.12.1.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -584676094 to QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = -584676094
ISAKMP:(1001): processing SA payload. message ID = -584676094
ISAKMP:(1001):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(1001):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.12.1.2, remote= 10.12.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 2.2.2.2
        dst addr     : 1.1.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
ISAKMP:(1001): processing NONCE payload. message ID = -584676094
ISAKMP:(1001): processing ID payload. message ID = -584676094
ISAKMP:(1001): processing ID payload. message ID = -584676094
ISAKMP:(1001):QM Responder gets spi
ISAKMP:(1001):Node -584676094, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP:(1001): Creating IPSec SAs
        inbound SA from 10.12.1.1 to 10.12.1.2 (f/i)  0/ 0
        (proxy 1.1.1.1 to 2.2.2.2)
        has spi 0xE272C715 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 10.12.1.2 to 10.12.1.1 (f/i) 0/0
        (proxy 2.2.2.2 to 1.1.1.1)
        has spi 0x3E8C462 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes

IKE Phase 2 (Quick Mode) message 2

The local router sends out its Proxy IDs and IPSec policy to the remote peer.

ISAKMP:(1001): sending packet to 10.12.1.1 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Node -584676094, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 2.2.2.2
        dst addr     : 1.1.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.12.1.1
IPSEC(policy_db_add_ident): src 2.2.2.2, dest 1.1.1.1, dest_port 0
IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.12.1.2, sa_proto= 50,
    sa_spi= 0xE272C715(3799172885),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
    sa_lifetime(k/sec)= (4595027/3600)
IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.12.1.1, sa_proto= 50,
    sa_spi= 0x3E8C462(65586274),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
    sa_lifetime(k/sec)= (4595027/3600)

IKE Phase 2 (Quick Mode) message 3

The last message finishes QM. Upon completion of Phase 2 the IPSec session key is derived from the new DH shared secret. This session key will be used for encryption until the IPSec timer expires.

ISAKMP (1001): received packet from 10.12.1.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP:(1001):deleting node -584676094 error FALSE reason "QM done (await)"
ISAKMP:(1001):Node -584676094, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC(key_engine_enable_outbound): enable SA with spi 65586274/50
IPSEC(update_current_outbound_sa): updated peer 10.12.1.1 current outbound sa to SPI 3E8C462
R2#

Verification

After establishing the IPSec tunnel we should see one ISAKMP SA and two IPSec SAs. The inbound and outbound SAs are described by an SPI (Security Parameters Index), which is carried in the ESP/AH header and allows the router to differentiate between IPSec tunnels. The inbound SPI must be the same as the outbound SPI on the peer router. This can be easily seen when entering the command "show crypto engine connections active".

There are two useful commands to verify IPSec VPNs:

"show crypto isakmp sa" displays the ISAKMP SA and gives us information about the state of the tunnel establishment. If something goes wrong, the state should tell us which phase or message has generated the error.

"show crypto ipsec sa" displays the IPSec SAs (inbound and outbound) and gives us information about Proxy IDs and the number of packets being encrypted/decrypted.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.12.1.2       10.12.1.1       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

This is the normal state of an established IKE tunnel. The QM_IDLE state means Quick Mode (Phase 2) has been finished.

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.12.1.1       10.12.1.2              ACTIVE 3des md5  psk  2  23:57:08
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

The negotiated ISAKMP policy is visible. This command is useful to figure out which policy has been used for establishing the IKE tunnel when there are several policies matching at both sides.

R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.12.1.1

This command shows information regarding the interfaces and the crypto map defined on them.

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.12.1.2 port 500

The proxies (source and destination of interesting traffic) are displayed. "0/0" after the IP address and netmask indicates that the IP protocol (any protocol, any port) is transported in the tunnel.

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Very important output, useful for IPSec debugging and troubleshooting. The first line indicates that outgoing packets are encapsulated by ESP, encrypted and digested (the hash has been computed to detect any alterations). The second line indicates that incoming packets are decapsulated (the IPSec header has been extracted), decrypted and their hash/digest has been verified.

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

This output is relevant only when compression of IPSec packets is enabled in the transform-set.

    #send errors 1, #recv errors 0

     local crypto endpt.: 10.12.1.1, remote crypto endpt.: 10.12.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC486083C(3297118268)
     PFS (Y/N): N, DH group: none

If PFS (Perfect Forward Secrecy) has been enabled, the line above indicates it along with the configured Diffie-Hellman group.

     inbound esp sas:
      spi: 0xB7629AFD(3076692733)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4449172/3420)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

This output contains the useful information relevant to one unidirectional SA: the IPSec protocol used (ESP), the SPI value, the transform-set used (encryption algorithm along with hash function), the ESP mode (tunnel or transport), the connection ID, the crypto map and the lifetime values in seconds and kilobytes which remain until session key refreshment (the tunnel will be terminated instead of the key being refreshed if no packets need to be transported via the tunnel when the SA expires).

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC486083C(3297118268)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4449172/3420)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#sh crypto ipsec sa identity

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.12.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.12.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

R1#sh crypto ipsec sa address

fvrf/address: (none)/10.12.1.1
    protocol: ESP
      spi: 0xB7629AFD(3076692733)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4449172/3386)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

fvrf/address: (none)/10.12.1.2
    protocol: ESP
      spi: 0xC486083C(3297118268)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4449172/3386)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R1#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1002  IKE     MD5+3DES                  0        0 10.12.1.1
 2003  IPsec   3DES+MD5                  0        4 10.12.1.1
 2004  IPsec   3DES+MD5                  4        0 10.12.1.1

One IPSec tunnel has three SAs: one for the IKE tunnel and two for the IPSec tunnel used for traffic encryption.

R1#sh crypto engine connections dh
Number of DH's pregenerated = 2
DH lifetime = 86400 seconds

Software Crypto Engine:
Conn   Status   Group     Time left
   1   Used     Group 2       85948

The Diffie-Hellman group and the time that remains until the next DH key generation.

Verification performed on R2 (the responder).

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.12.1.2       10.12.1.1       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.12.1.2       10.12.1.1              ACTIVE 3des md5  psk  2  23:55:03
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.12.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.12.1.1 port 500

2. in use settings ={Tunnel. sibling_flags 80000046. in use settings ={Tunnel. DH group: none inbound esp sas: spi: 0xC486083C(3297118268) transform: esp-3des esp-md5-hmac . #pkts verify: 4 #pkts compressed: 0. #pkts encrypt: 4. } conn id: 2004.1. ip mtu idb FastEthernet0/0 current outbound spi: 0xB7629AFD(3076692733) PFS (Y/N): N. } conn id: 2003.} #pkts encaps: 4.12.1. #pkts decompressed: 0 #pkts not compressed: 0. crypto map: CMAP sa timing: remaining key lifetime (k/sec): (4445162/3287) IV size: 8 bytes replay detection support: Y Page 351 of 1033 .: 10. } conn id: 2003. in use settings ={Tunnel. remote crypto endpt.2 protocol: ESP spi: 0xC486083C(3297118268) transform: esp-3des esp-md5-hmac . crypto map: CMAP sa timing: remaining key lifetime (k/sec): (4445162/3296) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB7629AFD(3076692733) transform: esp-3des esp-md5-hmac .12.12.1. flow_id: NETGX:4. #pkts decrypt: 4. sibling_flags 80000046. flow_id: NETGX:3. #pkts decompress failed: 0 #send errors 0.CCIE SECURITY v4 Lab Workbook PERMIT. ip mtu 1500. failed: 0 #pkts not decompressed: 0. crypto map: CMAP sa timing: remaining key lifetime (k/sec): (4445162/3296) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: R2#sh crypto ipsec sa address fvrf/address: (none)/10. #pkts compr. #recv errors 0 local crypto endpt.1 path mtu 1500. flow_id: NETGX:3.: 10. sibling_flags 80000046. flags={origin_is_acl. #pkts digest: 4 #pkts decaps: 4.

#pkts decompress failed: 0 #send errors 0. #pkts compr.2.0/0.2 protected vrf: (none) local ident (addr/mask/prot/port): (0. #pkts digest: 0 #pkts decaps: 0. #pkts decrypt: 4.1/255.1. #pkts encrypt: 4.0.0. failed: 0 #pkts not decompressed: 0.12.255/0/0) current_peer 10.0.255.} #pkts encaps: 4.} #pkts encaps: 0.12. #pkts decompress failed: 0 #send errors 0.255.12.0. #pkts encrypt: 0. #pkts verify: 4 #pkts compressed: 0.0/0/0) remote ident (addr/mask/prot/port): (0.0/0/0) current_peer (none) port 500 DENY. sibling_flags 80000046. local addr 10.2.12. #recv errors 0 protected vrf: (none) local ident (addr/mask/prot/port): (2.255/0/0) remote ident (addr/mask/prot/port): (1.2 Page 352 of 1033 . flags={origin_is_acl.2 2003 IPsec 3DES+MD5 0 4 10. #pkts verify: 0 #pkts compressed: 0. crypto map: CMAP sa timing: remaining key lifetime (k/sec): (4445162/3287) IV size: 8 bytes replay detection support: Y Status: ACTIVE R2#sh crypto ipsec sa identity interface: FastEthernet0/0 Crypto map tag: CMAP.0.2/255.12.1.255.1.0.0/0.1.1.1. in use settings ={Tunnel.1. #pkts compr.1 protocol: ESP spi: 0xB7629AFD(3076692733) transform: esp-3des esp-md5-hmac . failed: 0 #pkts not decompressed: 0.CCIE SECURITY v4 Lab Workbook Status: ACTIVE fvrf/address: (none)/10.2 2004 IPsec 3DES+MD5 4 0 10. #pkts decompressed: 0 #pkts not compressed: 0.255. flags={ident_is_root.12. } conn id: 2004.1. #pkts decompressed: 0 #pkts not compressed: 0. flow_id: NETGX:4. #pkts digest: 4 #pkts decaps: 4.0.0.1 port 500 PERMIT. #recv errors 0 R2#sh crypto engine connections active Crypto Engine Connections Type Algorithm 1002 ID IKE MD5+3DES Encrypt 0 Decrypt IP-Address 0 10. #pkts decrypt: 0.
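The verification section states the two invariants to check across the pair of routers: each inbound SPI must equal the peer's outbound SPI, and the local/remote idents must mirror. The Python script below is an added example, not part of the workbook: it parses abbreviated, constructed "show crypto ipsec sa" captures for both peers (SPIs, proxies, counters and addresses taken from the R1/R2 outputs above) and cross-checks them, plus a constructed "stale" R2 capture with a different outbound SPI to show the mismatch being reported.

```python
import re

# Constructed, abbreviated captures; values come from the verification above.
R1_IPSEC_SA = """
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.12.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.12.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     current outbound spi: 0xC486083C(3297118268)
     inbound esp sas:
      spi: 0xB7629AFD(3076692733)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC486083C(3297118268)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""
R2_IPSEC_SA = """
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.12.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.12.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     current outbound spi: 0xB7629AFD(3076692733)
     inbound esp sas:
      spi: 0xC486083C(3297118268)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB7629AFD(3076692733)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""
# Constructed failure case: R2 still holds an outbound SA R1 no longer knows about.
R2_STALE_SA = R2_IPSEC_SA.replace("0xB7629AFD(3076692733)", "0x1A2B3C4D(439041101)")

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer (\S+) port")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SAS_HDR_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Pull idents, peer, packet counters and ESP SPIs out of show crypto ipsec sa."""
    sa = {"local_ident": None, "remote_ident": None, "peer": None,
          "encaps": 0, "decaps": 0, "inbound_esp": [], "outbound_esp": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.search(line)
        if m:
            sa[f"{m.group(1)}_ident"] = m.group(2)
            continue
        m = PEER_RE.search(line)
        if m:
            sa["peer"] = m.group(1)
            continue
        for m in COUNT_RE.finditer(line):
            sa[m.group(1)] += int(m.group(2))
        m = SAS_HDR_RE.match(line)
        if m:
            section = f"{m.group(1)}_{m.group(2)}"   # e.g. inbound_esp
            continue
        m = SPI_RE.match(line)
        if m and section in sa:                   # only esp sections are collected
            sa[section].append(int(m.group(1), 16))
    return sa


def cross_check(local_text, remote_text):
    """Compare the two peers' views of the same tunnel."""
    a, b = parse_ipsec_sa(local_text), parse_ipsec_sa(remote_text)
    return {
        "spi_local_in_eq_remote_out": a["inbound_esp"] == b["outbound_esp"],
        "spi_local_out_eq_remote_in": a["outbound_esp"] == b["inbound_esp"],
        "proxies_mirrored": (a["local_ident"] == b["remote_ident"]
                             and a["remote_ident"] == b["local_ident"]),
        # sanity check only: packets lost in transit legitimately break this
        "local_encaps_eq_remote_decaps": a["encaps"] == b["decaps"],
        "remote_encaps_eq_local_decaps": b["encaps"] == a["decaps"],
    }


def tunnel_consistent(local_text, remote_text):
    return all(cross_check(local_text, remote_text).values())


if __name__ == "__main__":
    print("R1/R2:", cross_check(R1_IPSEC_SA, R2_IPSEC_SA))
    print("R1/stale R2:", cross_check(R1_IPSEC_SA, R2_STALE_SA))
```

The SPI comparison is done on the integer value so that the hex string and the decimal in parentheses never need to agree textually; the counter checks are informational, since a single dropped packet makes them false on a healthy tunnel.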

Lab 1.37. Basic Site to Site IPSec VPN Aggressive Mode (IOS-IOS)

Lab Setup
• R1's F0/0 and R2's G0/0 interface should be configured in VLAN 120
• Configure Telnet on all routers using password "cisco"
• Configure static routing on R1 and R2 to be able to reach Loopback IP addresses

IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/32
         F0/0        10.12.1.1/24
R2       Lo0         2.2.2.2/32
         F0/0        10.12.1.2/24

Task 1
Configure a basic Site to Site IPSec VPN to protect traffic between IP addresses 1.1.1.1 and 2.2.2.2 using the following policy:

ISAKMP Policy                  IPSec Policy
Authentication: Pre-shared     Encryption: ESP-3DES
Encryption: 3DES               Hash: MD5
Hash: MD5                      Proxy ID: 1.1.1.1 <-> 2.2.2.2
DH Group: 2

Your solution must use only three messages during IKE Phase 1 SA establishment. Peer authentication should use the password "Aggressive123".

Configuration
Complete these steps:

Step 1 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config)#crypto isakmp peer address 10.12.1.2
R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4address 10.12.1.2
R1(config-isakmp-peer)#set aggressive-mode password Aggressive123

These commands set the tunnel password and the client endpoint type ID for IKE Aggressive Mode. The "client-endpoint" parameter may be one of the following: ipv4address (the IP address, ID: ID_IPV4), fqdn (the fully qualified domain name, ID: ID_FQDN), user-fqdn (e-mail address, ID: ID_USER_FQDN). These client-endpoint ID types are translated to the corresponding ID type in the Internet Key Exchange (IKE).

Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator. The responder sends the proposal, key material and ID, and authenticates the session in the next packet. The initiator replies by authenticating the session. Negotiation is quicker, and the initiator and responder IDs pass in the clear.

R1(config-isakmp-peer)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 10.12.1.2
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#match address 120
R1(config-crypto-map)#access-list 120 permit ip host 1.1.1.1 host 2.2.2.2
R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 2 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encr 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config)#crypto isakmp peer address 10.12.1.1
R2(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4address 10.12.1.1
R2(config-isakmp-peer)#set aggressive-mode password Aggressive123
R2(config-isakmp-peer)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 10.12.1.1
R2(config-crypto-map)#set transform-set TSET
R2(config-crypto-map)#match address 120
R2(config-crypto-map)#access-list 120 permit ip host 2.2.2.2 host 1.1.1.1
R2(config)#int g0/0
R2(config-if)#crypto map CMAP
R2(config-if)#exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.12.1.2       10.12.1.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

ISAKMP SA has been negotiated and the IKE tunnel is set up and active.

R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD18E8F5F(3515780959)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE40153C8(3825292232)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4534905/3541)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD18E8F5F(3515780959)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4534905/3541)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

IPSec SAs have been negotiated. The tunnel is up. The single "#send errors 1" on R1 is the packet that triggered the IKE negotiation: it was dropped because no SA existed yet when it arrived, which is also why the first echo of a ping that brings the tunnel up is lost. Note that the inbound SPI on R1 (0xE40153C8) must equal the outbound SPI on R2 and vice versa; comparing the two peers' outputs is the quickest way to confirm that both sides installed the same pair of SAs.

R1#sh crypto ipsec sa identity

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

R1#sh crypto ipsec sa address

fvrf/address: (none)/10.1.12.1
    protocol: ESP
      spi: 0xE40153C8(3825292232)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4534905/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

fvrf/address: (none)/10.1.12.2
    protocol: ESP
      spi: 0xD18E8F5F(3515780959)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4534905/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R1#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1001  IKE     MD5+3DES                  0        0 10.1.12.1
 2001  IPsec   3DES+MD5                  0        4 10.1.12.1
 2002  IPsec   3DES+MD5                  4        0 10.1.12.1

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.2       10.1.12.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.12.2       10.1.12.1              ACTIVE 3des md5    psk  2  23:52:03
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.2, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xE40153C8(3825292232)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD18E8F5F(3515780959)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607831/3116)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE40153C8(3825292232)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607831/3116)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh crypto ipsec sa identity

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

R2#sh crypto ipsec sa address

fvrf/address: (none)/10.1.12.1
    protocol: ESP
      spi: 0xE40153C8(3825292232)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607831/3099)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

fvrf/address: (none)/10.1.12.2
    protocol: ESP
      spi: 0xD18E8F5F(3515780959)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607831/3099)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1001  IKE     MD5+3DES                  0        0 10.1.12.2
 2001  IPsec   3DES+MD5                  0        4 10.1.12.2
 2002  IPsec   3DES+MD5                  4        0 10.1.12.2

Detailed verification on R1

R1#deb cry isak
Crypto ISAKMP debugging is on
R1#deb cry ips
Crypto IPSEC debugging is on
R1#
R1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R1#
IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.12.1, remote= 10.1.12.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 10.1.12.2, peer port 500
ISAKMP: New peer created peer = 0x48AAB8D0 peer_handle = 0x80000004
ISAKMP: Locking peer struct 0x48AAB8D0, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):insert sa successfully sa = 49F4F45C
ISAKMP:(0):SA has tunnel attributes set.
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): ID payload
        next-payload : 13
        type         : 1
        address      : 10.1.12.1
        protocol     : 17
        port         : 0
        length       : 12
ISAKMP:(0):Total payload length: 12
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

ISAKMP:(0): beginning Aggressive Mode exchange
ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
ISAKMP:(0):Sending an IKE IPv4 Packet.

IKE Aggressive Mode has been started. The state of the ISAKMP SA is AG_INIT_EXCH, which indicates that the peers have done the first exchange in aggressive mode, but the SA is not yet authenticated.

ISAKMP (0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

The remote peer (R2) responds with an IKE packet that contains its ISAKMP policy (proposal), key material and its ID. The state of the ISAKMP SA is still AG_INIT_EXCH.

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        address      : 10.1.12.2
        protocol     : 0
        port         : 0
        length       : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): speaking to another IOS box!
ISAKMP:(0):SA using tunnel password as pre-shared key.

The password configured for the peer as the "aggressive-mode password" has been used for the peer authentication. Keep in mind that in aggressive mode the identities and the authentication hash travel before encryption is enabled, so a pre-shared key used this way is exposed to offline guessing by anyone who captures the exchange; the 3DES/MD5/group 2 settings used throughout these labs are lab values, not a production policy.

ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

The ISAKMP proposal has been checked against the locally defined ISAKMP policies and accepted by policy 10.

ISAKMP:(0): processing vendor id payload
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:received payload type 20
ISAKMP (1001): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1001): No NAT Found for self or peer
ISAKMP:(1001):SA authentication status:
        authenticated
ISAKMP:(1001):SA has been authenticated with 10.1.12.2
ISAKMP:(1001):Send initial contact
ISAKMP:(1001): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
ISAKMP:(1001):Sending an IKE IPv4 Packet.

The peer has been informed that the connection has been authenticated (third aggressive-mode message).

ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1001):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

The ISAKMP SA has been negotiated, authenticated and inserted into the SADB. Phase 1 is completed. The IKE tunnel is established and ready for the IPSec parameter and SA negotiation. The ISAKMP SA state transitions to QM_IDLE.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1329820426
ISAKMP:(1001):QM Initiator gets spi
ISAKMP:(1001): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
ISAKMP (1001): received packet from 10.1.12.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = 1329820426
ISAKMP:(1001): processing SA payload. message ID = 1329820426
ISAKMP:(1001):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(1001):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.12.1, remote= 10.1.12.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

The IPSec parameters have been agreed upon.

Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 0
        src port     : 0
        dst port     : 0
ISAKMP:(1001): processing NONCE payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001): Creating IPSec SAs
        inbound SA from 10.1.12.2 to 10.1.12.1 (f/i)  0/ 0
        (proxy 2.2.2.2 to 1.1.1.1)
        has spi 0xE40153C8 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 10.1.12.1 to 10.1.12.2 (f/i) 0/0
        (proxy 1.1.1.1 to 2.2.2.2)
        has spi 0xD18E8F5F and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
ISAKMP:(1001): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):deleting node 1329820426 error FALSE reason "No Error"
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.12.2
IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0

IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.12.1, sa_proto= 50,
    sa_spi= 0xE40153C8(3825292232),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
    sa_lifetime(k/sec)= (4534906/3600)
IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.12.2, sa_proto= 50,
    sa_spi= 0xD18E8F5F(3515780959),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
    sa_lifetime(k/sec)= (4534906/3600)
IPSEC(update_current_outbound_sa): updated peer 10.1.12.2 current outbound sa to SPI D18E8F5F
ISAKMP:(1001): no outgoing phase 1 packet to retransmit. QM_IDLE

IKE Phase 2 (Quick Mode) has been completed. The ESP tunnel has been established.

Detailed verification on R2

ISAKMP (0): received packet from 10.1.12.1 dport 500 sport 500 Global (N) NEW SA

The responder has received the initial IKE packet from the initiator (R1). The payload contains the ISAKMP proposal, key material and ID.

ISAKMP: Created a peer struct for 10.1.12.1, peer port 500
ISAKMP: New peer created peer = 0x49BD96B8 peer_handle = 0x80000003
ISAKMP: Locking peer struct 0x49BD96B8, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 48B8E45C
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 13
        type         : 1
        address      : 10.1.12.1
        protocol     : 17
        port         : 0
        length       : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

The proposal has been processed by the responder and the ISAKMP policy has been accepted.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID is DPD
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID seems Unity/DPD but major 151 mismatch
ISAKMP:(1001): vendor ID is XAUTH
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): claimed IOS but failed authentication
ISAKMP:(1001): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1001): ID payload
        next-payload : 10
        type         : 1
        address      : 10.1.12.2
        protocol     : 0
        port         : 0
        length       : 12
ISAKMP:(1001):Total payload length: 12
ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1001):Old State = IKE_READY  New State = IKE_R_AM2

The reply has been sent to the initiator. The ISAKMP SA state is still AG_INIT_EXCH.

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) AG_INIT_EXCH

The responder has received the third aggressive-mode message, which carries the initiator's authentication hash.

ISAKMP:(1001): processing HASH payload. message ID = 0
ISAKMP:received payload type 20
ISAKMP (1001): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1001): No NAT Found for self or peer

The NAT discovery process has determined that there is no NAT between the peers, so IKE stays on UDP port 500 and ESP is sent as native IP protocol 50.

ISAKMP:(1001):SA authentication status:
        authenticated
ISAKMP:(1001):SA has been authenticated with 10.1.12.1
ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 48B8E45C
ISAKMP:(1001):SA authentication status:
        authenticated
ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.12.2 remote 10.1.12.1 remote port 500
ISAKMP: Trying to insert a peer 10.1.12.2/10.1.12.1/500/,  and inserted successfully 49BD96B8.
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1001):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

IKE Phase 1 is completed and the SA is negotiated. The ISAKMP SA state has been changed to QM_IDLE.

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 1329820426 to QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = 1329820426
ISAKMP:(1001): processing SA payload. message ID = 1329820426
ISAKMP:(1001):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(1001):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.12.2, remote= 10.1.12.1,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 2.2.2.2
        dst addr     : 1.1.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
ISAKMP:(1001): processing NONCE payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001):QM Responder gets spi
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
ISAKMP:(1001): Creating IPSec SAs
        inbound SA from 10.1.12.1 to 10.1.12.2 (f/i)  0/ 0
        (proxy 1.1.1.1 to 2.2.2.2)
        has spi 0xD18E8F5F and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 10.1.12.2 to 10.1.12.1 (f/i) 0/0
        (proxy 2.2.2.2 to 1.1.1.1)
        has spi 0xE40153C8 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 2.2.2.2
        dst addr     : 1.1.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.12.1
IPSEC(policy_db_add_ident): src 2.2.2.2, dest 1.1.1.1, dest_port 0

IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.12.2, sa_proto= 50,
    sa_spi= 0xD18E8F5F(3515780959),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
    sa_lifetime(k/sec)= (4607832/3600)
IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.12.1, sa_proto= 50,
    sa_spi= 0xE40153C8(3825292232),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
    sa_lifetime(k/sec)= (4607832/3600)
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP:(1001):deleting node 1329820426 error FALSE reason "QM done (await)"
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC(key_engine_enable_outbound): enable SA with spi 3825292232/50
IPSEC(update_current_outbound_sa): updated peer 10.1.12.1 current outbound sa to SPI E40153C8
ISAKMP:(1001):purging node 1329820426

The IPSec tunnel has been established. Note that the responder only enables its outbound SA (SPI 0xE40153C8) after the third Quick Mode message arrives, which is why the initiator can already be sending while the responder's first packets are still queued.
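The verification above is done by eye: reading `show crypto ipsec sa` on both routers and checking that the SPIs, proxy identities and counters line up. The following Python script is an added example (not part of the workbook, and not something IOS provides) that performs that cross-check automatically: it parses the `show crypto ipsec sa` text from each peer, confirms that R1's inbound SPI is R2's outbound SPI and vice versa, that the local/remote identities mirror each other, that both sides agree on whether NAT-T (`UDP-Encaps`) is in use, and reports send errors as a warning. The two samples embedded in it are constructed excerpts that reuse the addresses, SPIs and counters shown for R1 and R2; the `ERROR`/`WARN` labels are this script's own convention.

```python
"""Cross-check 'show crypto ipsec sa' from both ends of an IOS site-to-site tunnel.

Added example, not from the workbook.  The two samples below are constructed
excerpts that reuse the addresses, SPIs and counters the lab shows on R1 and R2.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class IpsecSa:
    local_addr: str = ""
    peer: str = ""
    peer_port: int = 0
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    transform: str = ""
    udp_encaps: bool = False          # "UDP-Encaps" in the settings => NAT-T in use
    inbound_spi: list[str] = field(default_factory=list)
    outbound_spi: list[str] = field(default_factory=list)
    status: list[str] = field(default_factory=list)


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """One record per crypto-map entry with a real peer (the ident_is_root DENY
    placeholder printed by 'show crypto ipsec sa identity' is skipped)."""
    sas: list[IpsecSa] = []
    local_addr = ""
    cur: IpsecSa | None = None
    direction = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"local addr (\S+)", line):
            local_addr = m.group(1)
        elif line.startswith("protected vrf:"):
            cur = IpsecSa(local_addr=local_addr)
            sas.append(cur)
            direction = ""
        elif cur is None:
            continue
        elif m := re.match(r"local\s+ident .*?: \((\S+)\)", line):
            cur.local_ident = m.group(1)
        elif m := re.match(r"remote ident .*?: \((\S+)\)", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"current_peer (\S+) port (\d+)", line):
            cur.peer, cur.peer_port = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif line.startswith("inbound esp sas"):
            direction = "in"
        elif line.startswith("outbound esp sas"):
            direction = "out"
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            (cur.inbound_spi if direction == "in" else cur.outbound_spi).append(m.group(1))
        elif m := re.match(r"transform: (.+?) ,", line):
            cur.transform = m.group(1)
        elif line.startswith("in use settings"):
            cur.udp_encaps = cur.udp_encaps or "UDP-Encaps" in line
        elif m := re.match(r"Status: (\w+)", line):
            cur.status.append(m.group(1))
    return [s for s in sas if s.peer and s.peer != "(none)"]


def crosscheck(a: IpsecSa, b: IpsecSa) -> list[str]:
    """Compare the two peers' views of one tunnel.  ERROR lines mean the SAs
    cannot carry traffic; WARN lines deserve a look but are not fatal."""
    findings: list[str] = []
    if (a.local_ident, a.remote_ident) != (b.remote_ident, b.local_ident):
        findings.append(f"ERROR: proxy identities are not mirrored ({a.local_addr}: "
                        f"{a.local_ident}->{a.remote_ident}; {b.local_addr}: "
                        f"{b.local_ident}->{b.remote_ident})")
    if set(a.inbound_spi) != set(b.outbound_spi) or set(a.outbound_spi) != set(b.inbound_spi):
        findings.append(f"ERROR: SPIs do not cross-match ({a.local_addr} in={a.inbound_spi} "
                        f"out={a.outbound_spi}; {b.local_addr} in={b.inbound_spi} out={b.outbound_spi})")
    if a.udp_encaps != b.udp_encaps or a.peer_port != b.peer_port:
        findings.append(f"ERROR: NAT-T state differs (UDP-Encaps {a.udp_encaps}/{b.udp_encaps}, "
                        f"peer port {a.peer_port}/{b.peer_port})")
    for s in (a, b):
        if not s.status or any(st != "ACTIVE" for st in s.status):
            findings.append(f"ERROR: {s.local_addr} has a non-ACTIVE SA: {s.status}")
        if s.send_errors:
            findings.append(f"WARN: {s.local_addr} reports {s.send_errors} send error(s); usually "
                            "the packets that triggered IKE and were dropped before the SA existed")
    if a.encaps != b.decaps or b.encaps != a.decaps:
        findings.append(f"WARN: encaps/decaps counters differ ({a.local_addr} {a.encaps}/{a.decaps}; "
                        f"{b.local_addr} {b.encaps}/{b.decaps})")
    return findings


# Constructed excerpts modelled on the lab's R1 and R2 output.
R1_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0

     inbound esp sas:
      spi: 0xE40153C8(3825292232)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE

     outbound esp sas:
      spi: 0xD18E8F5F(3515780959)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
"""

R2_SHOW = R1_SHOW.replace("10.1.12.1", "R2LOCAL").replace("10.1.12.2", "10.1.12.1") \
    .replace("R2LOCAL", "10.1.12.2") \
    .replace("(1.1.1.1/", "(X/").replace("(2.2.2.2/", "(1.1.1.1/").replace("(X/", "(2.2.2.2/") \
    .replace("0xE40153C8(3825292232)", "SWAP").replace("0xD18E8F5F(3515780959)", "0xE40153C8(3825292232)") \
    .replace("SWAP", "0xD18E8F5F(3515780959)") \
    .replace("#send errors 1", "#send errors 0")

if __name__ == "__main__":
    r1 = parse_ipsec_sa(R1_SHOW)[0]
    r2 = parse_ipsec_sa(R2_SHOW)[0]
    for f in crosscheck(r1, r2) or ["OK: both peers agree on the SA pair"]:
        print(f)
```

Run it on the saved output of both routers (one file per peer, read into `parse_ipsec_sa`) after bringing a tunnel up; a mismatched SPI pair or a one-sided `UDP-Encaps` flag is the kind of fault that a glance at a single router will not reveal.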

Lab 1.38. Basic Site to Site VPN with NAT (IOS-IOS)

Lab Setup

- R1's F0/0 and R2's G0/0 interface should be configured in VLAN 120
- R2's G0/1 and R4's F0/0 interface should be configured in VLAN 240
- Configure Telnet on all routers using password "cisco"
- Configure RIPv2 on all routers to establish full connectivity

IP Addressing

Device   Interface   IP address
R1       F0/0        10.1.12.1/24
         Lo0         1.1.1.1/32
R2       G0/0        10.1.12.2/24
         G0/1        10.1.24.2/24
R4       F0/0        10.1.24.4/24
         Lo0         4.4.4.4/32

Task 1

Configure a static NAT translation on R2 so that the IP address 10.1.12.1 is seen on R4 as 10.1.24.1. Configure a basic Site to Site IPSec VPN to protect IP traffic between IP addresses 1.1.1.1 and 4.4.4.4 using the following policy:

ISAKMP Policy                  IPSec Policy
Authentication: Pre-shared     Encryption: ESP-3DES
Encryption: 3DES               Hash: MD5
Hash: MD5                      Proxy ID: 1.1.1.1 <-> 4.4.4.4
DH Group: 2
PSK: cisco123

Configuration

Complete these steps:

Step 1 R2 configuration.

R2(config)#ip nat inside source static 10.1.12.1 10.1.24.1
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

Static network address translation (R1's Fa0/0: 10.1.12.1 -> 10.1.24.1)

R2(config)#int g0/0
R2(config-if)#ip nat inside
R2(config-if)#int g0/1
R2(config-if)#ip nat outside

Step 2 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 10.1.24.4

From R1's perspective the peer (R4) is seen as 10.1.24.4.

R1(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 10.1.24.4
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#match address 140
R1(config-crypto-map)#access-list 140 permit ip host 1.1.1.1 host 4.4.4.4
R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exi
R1(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 3 R4 configuration.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 10.1.24.1

From R4's perspective the peer (R1) is seen as 10.1.24.1, the address that R2 translates R1's Fa0/0 address to. Because the translation is a static one-to-one mapping, R4 can bind both the pre-shared key and the crypto map peer to that fixed address; with PAT or a dynamic pool the address R4 sees would not be predictable and an address-based pre-shared key lookup like this one would not work.

R4(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.1.24.1
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#match address 140
R4(config-crypto-map)#access-list 140 permit ip ho 4.4.4.4 ho 1.1.1.1
R4(config)#int f0/0
R4(config-if)#crypto map CMAP
R4(config-if)#exi
R4(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification

R1#tel 10.1.24.4
Trying 10.1.24.4 ... Open

User Access Verification

Password:
R4>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:03
*514 vty 0                idle                 00:00:00 10.1.24.1

  Interface    User               Mode         Idle     Peer Address

R4>exit

[Connection to 10.1.24.4 closed by foreign host]

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.1.24.1:13083    10.1.12.1:13083    10.1.24.4:23       10.1.24.4:23
--- 10.1.24.1          10.1.12.1          ---                ---

The translation is working: R4 sees the Telnet session arriving from 10.1.24.1.

R1#ping 4.4.4.4 so lo0 rep 4
Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!
Success rate is 75 percent (3/4), round-trip min/avg/max = 4/4/4 ms

Interesting traffic has started the tunnel negotiation. The first echo is lost while IKE is still negotiating.

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.1.24.1:500      10.1.12.1:500      10.1.24.4:500      10.1.24.4:500
udp 10.1.24.1:4500     10.1.12.1:4500     10.1.24.4:4500     10.1.24.4:4500
--- 10.1.24.1          10.1.12.1          ---                ---

Note that the IKE traffic (UDP port 500) has been translated. During IKE Phase 1 the NAT discovery process has determined that the traffic between the peers is translated, so NAT Traversal is enforced. From that moment the peers transmit ESP packets encapsulated in UDP; the NAT-T traffic uses UDP port 4500. This is what makes the tunnel work through R2 at all: native ESP (IP protocol 50) carries no ports, so a NAT device has nothing to rewrite and the ESP integrity check would fail on the translated packet anyway.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.24.4       10.1.12.1       QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1003  10.1.12.1       10.1.24.4              ACTIVE 3des md5    psk  2  23:57:11 N
       Engine-id:Conn-id =  SW:3

IPv6 Crypto ISAKMP SA

The "N" in the Cap. column confirms that NAT-traversal is in use for this SA.

R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   current_peer 10.1.24.4 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xE1815114(3783348500)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x65D0096B(1708132715)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4378448/3532)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE1815114(3783348500)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4378448/3532)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Compared with the previous lab, the peer port is now 4500 and the SA settings show "Tunnel UDP-Encaps": the ESP packets are UDP-encapsulated.

R1#sh crypto ipsec sa identity

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   current_peer 10.1.24.4 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

R1#sh crypto ipsec sa address

fvrf/address: (none)/10.1.12.1
    protocol: ESP
      spi: 0x65D0096B(1708132715)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4378448/3510)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

fvrf/address: (none)/10.1.24.4
    protocol: ESP
      spi: 0xE1815114(3783348500)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4378448/3510)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R1#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1003  IKE     MD5+3DES                  0        0 10.1.12.1
 2005  IPsec   3DES+MD5                  0        3 10.1.12.1
 2006  IPsec   3DES+MD5                  3        0 10.1.12.1

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.24.4       10.1.24.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Note that R4's ISAKMP SA is negotiated with R1's translated IP address.

R4#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.24.4       10.1.24.1              ACTIVE 3des md5    psk  2  23:49:57 N
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.24.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.24.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x65D0096B(1708132715)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE1815114(3783348500)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4581780/3076)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x65D0096B(1708132715)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4581780/3076)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1001  IKE     MD5+3DES                  0        0 10.1.24.4
 2001  IPsec   3DES+MD5                  0        3 10.1.24.4
 2002  IPsec   3DES+MD5                  3        0 10.1.24.4

Detailed verification on R1

R1#deb cry isak
Crypto ISAKMP debugging is on
R1#pi 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 10.1.24.4, peer port 500
ISAKMP: New peer created peer = 0x489472CC peer_handle = 0x8000000A
ISAKMP: Locking peer struct 0x489472CC, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):insert sa successfully sa = 483BFC34
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Only a "crypto isakmp key" is configured for this peer (there is no aggressive-mode password as in the previous lab), so R1 cannot start Aggressive Mode and falls back to Main Mode. The pre-shared key is selected by the peer address R1 sees, 10.1.24.4.

ISAKMP:(0):found peer pre-shared key matching 10.1.24.4
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 10.1.24.4 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 10.1.24.4 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):found peer pre-shared key matching 10.1.24.4
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

ISAKMP:(0):Input = IKE_MESG_INTERNAL.24. IKE_PROCESS_COMPLETE ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 ISAKMP (0): received packet from 10.1. message ID = 0 ISAKMP:(0):found peer pre-shared key matching 10. ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch ISAKMP (0): vendor ID is NAT-T RFC 3947 ISAKMP:(0):Input = IKE_MESG_INTERNAL. IKE_MM_EXCH ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 ISAKMP:(0): processing KE payload.24.1.4 my_port 500 peer_port 500 (I) MM_SA_SETUP ISAKMP:(0):Sending an IKE IPv4 Packet.24. It has determined that its IP address is NATed in the path because received hash (NAT-D payload) does not match the localy calculated hash. both nodes inside NAT ISAKMP:received payload type 20 ISAKMP (1005): My hash no match - this node inside NAT R1 has analyzed the results of NAT discovery. message ID = 0 ISAKMP:(0): processing NONCE payload.4 ISAKMP:(1005): processing vendor id payload ISAKMP:(1005): vendor ID is Unity ISAKMP:(1005): processing vendor id payload ISAKMP:(1005): vendor ID is DPD ISAKMP:(1005): processing vendor id payload ISAKMP:(1005): speaking to another IOS box! ISAKMP:received payload type 20 ISAKMP (1005): NAT found.4 dport 500 sport 500 Global (I) MM_SA_SETUP ISAKMP:(0):Input = IKE_MESG_FROM_PEER. IKE_PROCESS_MAIN_MODE ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2 ISAKMP:(0): sending packet to 10. round-trip min/avg/max = 1/1/4 ms R1#atts:life: 0 ISAKMP:(0):Fill atts in sa vpi_length:4 ISAKMP:(0):Fill atts in sa life_in_seconds:86400 ISAKMP:(0):Returning Actual lifetime: 86400 ISAKMP:(0)::Started lifetime timer: 86400.1.CCIE SECURITY v4 Lab Workbook ISAKMP: encryption 3DES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP:(0):atts are acceptable. Next payload is 0 ISAKMP:(0):Acceptable atts:actual life: 0 ISAKMP:(0):Acceptable .!!!! 
Success rate is 80 percent (4/5). ISAKMP:(1005):Input = IKE_MESG_INTERNAL. IKE_PROCESS_MAIN_MODE ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM4 Page 379 of 1033 .

1 protocol : 17 port : 0 length : 12 ISAKMP:(1005):Total payload length: 12 ISAKMP:(1005): sending packet to 10.1.1.4 ISAKMP:(1005):Setting UDP ENC peer struct 0x49383A9C sa= 0x483BFC34 ISAKMP: Trying to insert a peer 10.24.24. message ID = 0 ISAKMP:(1005):SA authentication status: authenticated ISAKMP:(1005):SA has been authenticated with 10.1. IKE_PROCESS_COMPLETE ISAKMP:(1005):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE ISAKMP:(1005):beginning Quick Mode exchange.1.1.4 my_port 4500 peer_port 4500 (I) QM_IDLE ISAKMP:(1005):Sending an IKE IPv4 Packet. IKE_PROCESS_COMPLETE ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5 ISAKMP (1005): received packet from 10.12.24.1. IKE_MM_EXCH ISAKMP:(1005):Old State = IKE_I_MM5 New State = IKE_I_MM6 ISAKMP:(1005):Input = IKE_MESG_INTERNAL. message ID = 0 ISAKMP (1005): ID payload next-payload : 8 type : 1 address : 10.4 protocol : 17 port : 0 length : 12 ISAKMP:(0):: peer matches *none* of the profiles ISAKMP:(1005): processing HASH payload.1.12. Page 380 of 1033 .4/4500/. ISAKMP:(1005):Input = IKE_MESG_FROM_PEER.4 dport 4500 sport 4500 Global (I) MM_KEY_EXCH ISAKMP:(1005): processing ID payload.CCIE SECURITY v4 Lab Workbook ISAKMP:(1005):Send initial contact ISAKMP:(1005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR ISAKMP (1005): ID payload next-payload : 8 type : 1 address : 10.1.24.24.1/10.4 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH Note that from this moment the peers are exchanging the packets using UDP protocol and port 4500 (NAT-T). and inserted successfully 489472CC.24. M-ID of -1428024928 ISAKMP:(1005):QM Initiator gets spi ISAKMP:(1005): sending packet to 10. ISAKMP:(1005):Input = IKE_MESG_INTERNAL. IKE_PROCESS_MAIN_MODE ISAKMP:(1005):Old State = IKE_I_MM6 New State = IKE_I_MM6 ISAKMP:(1005):Input = IKE_MESG_INTERNAL. ISAKMP:(1005):Sending an IKE IPv4 Packet.

4. ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 3 (Tunnel-UDP) Note that this inidactes that tunnel is encaplustated into UDP ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 0x0 0x46 0x50 0x0 ISAKMP:(1005):atts are acceptable.CCIE SECURITY v4 Lab Workbook ISAKMP:(1005):Node -1428024928.1. message ID = -1428024928 ISAKMP:(1005): Creating IPSec SAs inbound SA from 10. message ID = -1428024928 ISAKMP:(1005): processing SA payload.4.1.4.12.1.1 to 4.1 dport 500 sport 500 Global (N) NEW SA ISAKMP: Created a peer struct for 10.1.4 dport 4500 sport 4500 Global (I) QM_IDLE ISAKMP:(1005): processing HASH payload.24.4 to 1. message ID = -1428024928 ISAKMP:(1005): processing ID payload.1.1 (f/i) 0/ 0 (proxy 4. ISAKMP:(1005):deleting node -1428024928 error FALSE reason "No Error" ISAKMP:(1005):Node -1428024928. peer port 500 Page 381 of 1033 .4 (f/i) 0/0 (proxy 1.24.1.1. Input = IKE_MESG_INTERNAL.24. IKE_INIT_QM ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 ISAKMP:(1005):Input = IKE_MESG_INTERNAL.24. ISAKMP:(1005): processing NONCE payload.1.1) has spi 0xE219E9BB and conn_id 0 lifetime of 3600 seconds lifetime of 4608000 kilobytes outbound SA from 10.1 to 10.1. IKE_QM_EXCH ISAKMP:(1005):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE R1# R1#un all All possible debugging has been turned off Detailed verification on R4 R4#deb cry isak Crypto ISAKMP debugging is on ISAKMP (0): received packet from 10.1.4) has spi 0xE481597 and conn_id 0 lifetime of 3600 seconds lifetime of 4608000 kilobytes ISAKMP:(1005): sending packet to 10.4 to 10. IKE_PHASE1_COMPLETE ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISAKMP (1005): received packet from 10.12.24.1. message ID = -1428024928 ISAKMP:(1005): processing ID payload.1.1. 
message ID = -1428024928 ISAKMP:(1005):Checking IPSec proposal 1 ISAKMP: transform 1. Input = IKE_MESG_FROM_PEER.4 my_port 4500 peer_port 4500 (I) QM_IDLE ISAKMP:(1005):Sending an IKE IPv4 Packet.24.4.

ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy ISAKMP: encryption 3DES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP:(0):atts are acceptable. refcount 1 for crypto_isakmp_process_block ISAKMP: local port 500.1 ISAKMP:(0): local preshared key found ISAKMP : Scanning profiles for xauth .CCIE SECURITY v4 Lab Workbook ISAKMP: New peer created peer = 0x49CEE97C peer_handle = 0x80000004 ISAKMP: Locking peer struct 0x49CEE97C. remote port 500 ISAKMP:(0):insert sa successfully sa = 489FDD70 ISAKMP:(0):Input = IKE_MESG_FROM_PEER. IKE_MM_EXCH ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1 ISAKMP:(0): processing SA payload.. message ID = 0 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch ISAKMP (0): vendor ID is NAT-T RFC 3947 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch ISAKMP (0): vendor ID is NAT-T v7 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch ISAKMP:(0): vendor ID is NAT-T v3 ISAKMP:(0): processing vend R4#or id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP:(0): vendor ID is NAT-T v2 ISAKMP:(0):found peer pre-shared key matching 10. ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch ISAKMP (0): vendor ID is NAT-T RFC 3947 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch ISAKMP (0): vendor ID is NAT-T v7 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch ISAKMP:(0): vendor ID is NAT-T v3 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP:(0): vendor ID is NAT-T v2 Page 382 of 1033 . 
Next payload is 0 ISAKMP:(0):Acceptable atts:actual life: 0 ISAKMP:(0):Acceptable atts:life: 0 ISAKMP:(0):Fill atts in sa vpi_length:4 ISAKMP:(0):Fill atts in sa life_in_seconds:86400 ISAKMP:(0):Returning Actual lifetime: 86400 ISAKMP:(0)::Started lifetime timer: 86400.24..1.

IKE_PROCESS_MAIN_MODE ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1 ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID ISAKMP:(0): sending packet to 10.24.24.1 protocol : 17 Page 383 of 1033 .1.1. message ID = 0 ISAKMP:(0):found peer pre-shared key matching 10. ISAKMP:(0):Input = IKE_MESG_INTERNAL.1. IKE_PROCESS_MAIN_MODE ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM3 R4 has analyzed the results of NAT discovery.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP ISAKMP:(0):Sending an IKE IPv4 Packet.1.12. ISAKMP:(1003): sending packet to 10. message ID = 0 ISAKMP (1003): ID payload next-payload : 8 type : 1 address : 10.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH ISAKMP:(1003):Sending an IKE IPv4 Packet. ISAKMP:(1003):Input = IKE_MESG_INTERNAL.24.1. message ID = 0 ISAKMP:(0): processing NONCE payload.CCIE SECURITY v4 Lab Workbook ISAKMP:(0):Input = IKE_MESG_INTERNAL.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH ISAKMP:(1003):Input = IKE_MESG_FROM_PEER. IKE_PROCESS_COMPLETE ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM4 ISAKMP (1003): received packet from 10.1 ISAKMP:(1003): processing vendor id payload ISAKMP:(1003): vendor ID is DPD ISAKMP:(1003): processing vendor id payload ISAKMP:(1003): speaking to another IOS box! ISAKMP:(1003): processing vendor id payload ISAKMP:(1003): vendor ID seems Unity/DPD but major 50 mismatch ISAKMP:(1003): vendor ID is XAUTH ISAKMP:received payload type 20 ISAKMP (1003): His hash no match .this node outside NAT ISAKMP:received payload type 20 ISAKMP (1003): His hash no match . IKE_MM_EXCH ISAKMP:(1003):Old State = IKE_R_MM4 New State = IKE_R_MM5 ISAKMP:(1003): processing ID payload. IKE_MM_EXCH ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3 ISAKMP:(0): processing KE payload.24.1 dport 500 sport 500 Global (R) MM_SA_SETUP ISAKMP:(0):Input = IKE_MESG_FROM_PEER.24.this node outside NAT ISAKMP:(1003):Input = IKE_MESG_INTERNAL. 
It has determined that R1’s IP address is NATed in the path because received hash (NAT-D payload) does not match the localy calculated hash. IKE_PROCESS_COMPLETE ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2 ISAKMP (0): received packet from 10.

24.1 remote port 4500 ISAKMP: Trying to insert a peer 10. ISAKMP:(1003):Input = IKE_MESG_INTERNAL.1.24.1.1 dport 4500 sport 4500 Global (R) QM_IDLE ISAKMP: set new node -1428024928 to QM_IDLE ISAKMP:(1003): processing HASH payload.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH ISAKMP:(1003):Sending an IKE IPv4 Packet. sa = 489FDD70 ISAKMP:(1003):SA authentication status: authenticated ISAKMP:(1003):SA has been authenticated with 10.1/4500/ ISAKMP:(1003):SA authentication status: authenticated ISAKMP:(1003): Process initial contact.CCIE SECURITY v4 Lab Workbook port : 0 length : 12 ISAKMP:(0):: peer matches *none* of the profiles ISAKMP:(1003): processing HASH payload.1.1. ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 3 (Tunnel-UDP) ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 0x0 0x46 0x50 0x0 Page 384 of 1033 .24. IKE_PROCESS_MAIN_MODE ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_R_MM5 ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR ISAKMP (1003): ID payload next-payload : 8 type : 1 address : 10. IKE_PHASE1_COMPLETE ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISAKMP (1003): received packet from 10.1.1.24.24.1 ISAKMP:(1003):Detected port floating to port = 4500 ISAKMP: Trying to find existing peer 10.4/10.24. ISAKMP:(1003):Input = IKE_MESG_INTERNAL. message ID = 0 ISAKMP:(1003): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0.1.1.24.24. and inserted successfully 49CEE97C. message ID = -1428024928 ISAKMP:(1003):Checking IPSec proposal 1 ISAKMP: transform 1.4 remote 10.4/10.4 protocol : 17 port : 0 length : 12 ISAKMP:(1003):Total payload length: 12 ISAKMP:(1003): sending packet to 10.24.1.24. IKE_PROCESS_COMPLETE ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE ISAKMP:(1003):Input = IKE_MESG_INTERNAL. message ID = 0. 
bring down existing phase 1 and 2 SA's with local 10.1/4500/. message ID = -1428024928 ISAKMP:(1003): processing SA payload.

4.1. Input = IKE_MESG_FROM_PEER.4.CCIE SECURITY v4 Lab Workbook ISAKMP:(1003):atts are acceptable. Input = IKE_MESG_FROM_PEER.24.1.4 to 1.4 to 10.1 my_port 4500 peer_port 4500 (R) QM_IDLE ISAKMP:(1003):Sending an IKE IPv4 Packet.1.1 to 10. Input = IKE_MESG_INTERNAL.1 (f/i) 0/0 (proxy 4. IKE_QM_EXCH ISAKMP:(1003):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE R4# R4#un all All possible debugging has been turned off Page 385 of 1033 .4.24.4) has spi 0xE481597 and conn_id 0 lifetime of 3600 seconds lifetime of 4608000 kilobytes outbound SA from 10.4.1) has spi 0xE219E9BB and conn_id 0 lifetime of 3600 seconds lifetime of 4608000 kilobytes ISAKMP:(1003): sending packet to 10. message ID = -1428024928 ISAKMP:(1003): processing ID payload.1.24.1. ISAKMP:(1003):Node -1428024928. IKE_QM_EXCH ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE ISAKMP:(1003): Creating IPSec SAs inbound SA from 10.24.1.24. message ID = -1428024928 ISAKMP:(1003):QM Responder gets spi ISAKMP:(1003):Node -1428024928.24. IKE_GOT_SPI ISAKMP:(1003):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 ISAKMP (1003): received packet from 10. ISAKMP:(1003): processing NONCE payload.1.1 dport 4500 sport 4500 Global (R) QM_IDLE ISAKMP:(1003):deleting node -1428024928 error FALSE reason "QM done (await)" ISAKMP:(1003):Node -1428024928.1.1.1.1 to 4. message ID = -1428024928 ISAKMP:(1003): processing ID payload.4 (f/i) 0/ 0 (proxy 1.
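The NAT-D comparison that both debugs report ("My hash no match" on R1, "His hash no match" on R4), as an added Python example that is not part of the workbook: it computes the RFC 3947 NAT-D hashes the way each peer does and shows why a translated address on R1's side produces exactly those two messages and the float to UDP/4500. The cookies and the addresses (10.12.12.1 for R1 behind NAT, 10.24.24.1 as its translated address, 10.24.24.4 for R4) are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed values: in a real exchange the cookies come from the ISAKMP header
# and the hash function is the one negotiated in phase 1 (MD5 in this lab).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
IKE_PORT = 500


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """NAT-D payload content per RFC 3947: HASH(CKY-I | CKY-R | IP | Port),
    with the address as packed network-order bytes and the port as 2 bytes."""
    addr = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_d_payloads(peer_ip, peer_port, own_ip, own_port):
    """What a peer sends in MM3/MM4: the first NAT-D covers the remote address
    as the sender sees it, the following one(s) cover the sender's own address."""
    return [nat_d_hash(CKY_I, CKY_R, peer_ip, peer_port),
            nat_d_hash(CKY_I, CKY_R, own_ip, own_port)]


def analyze_nat_d(received, own_ip, own_port, src_ip, src_port):
    """What the receiver does: recompute both hashes from its own view (its
    configured address, and the source address/port of the packet it actually
    received) and compare. First payload differs -> "My hash no match - this
    node inside NAT". None of the remaining payloads matches the observed
    source -> "His hash no match - this node outside NAT" (peer is behind NAT)."""
    my_hash = nat_d_hash(CKY_I, CKY_R, own_ip, own_port)
    his_hash = nat_d_hash(CKY_I, CKY_R, src_ip, src_port)
    i_am_natted = received[0] != my_hash
    peer_is_natted = all(h != his_hash for h in received[1:])
    return {
        "local_behind_nat": i_am_natted,
        "peer_behind_nat": peer_is_natted,
        # Either side behind NAT makes both peers float to UDP/4500 and
        # negotiate UDP-encapsulated ESP ("encaps is 3 (Tunnel-UDP)").
        "float_to_4500": i_am_natted or peer_is_natted,
    }


def simulate(initiator_ip, initiator_translated_ip, responder_ip):
    """Run NAT discovery for both peers. The initiator's packets leave the NAT
    with initiator_translated_ip as source; the responder is not translated.
    Returns (initiator_view, responder_view)."""
    # Initiator (R1) builds its NAT-D payloads from its real address; the
    # responder (R4) sees them arrive from the translated source address.
    from_initiator = nat_d_payloads(responder_ip, IKE_PORT, initiator_ip, IKE_PORT)
    responder_view = analyze_nat_d(from_initiator, responder_ip, IKE_PORT,
                                   initiator_translated_ip, IKE_PORT)
    # Responder replies with hashes of what it observed (the translated
    # address); the initiator compares against its real, pre-NAT address.
    from_responder = nat_d_payloads(initiator_translated_ip, IKE_PORT,
                                    responder_ip, IKE_PORT)
    initiator_view = analyze_nat_d(from_responder, initiator_ip, IKE_PORT,
                                   responder_ip, IKE_PORT)
    return initiator_view, responder_view


if __name__ == "__main__":
    r1, r4 = simulate("10.12.12.1", "10.24.24.1", "10.24.24.4")
    print("R1:", r1)   # local_behind_nat True  -> "My hash no match"
    print("R4:", r4)   # peer_behind_nat True   -> "His hash no match"
```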

Lab 1.39. IOS Certificate Authority

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R2's G0/1 and ASA2's E0/0 interface should be configured in VLAN 122
- R4's F0/0 and ASA2's E0/2 interface should be configured in VLAN 104
- R5's F0/0 and ASA2's E0/1 interface should be configured in VLAN 105
- Configure Telnet on all routers using password "cisco"
- Configure default routing on R1, R4 and R5 pointing to the respective ASA's interface
- Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing

Device  Interface / ifname / sec level    IP address
R1      Lo0                               1.1.1.1/24
        F0/0                              10.1.101.1/24
R2      G0/0                              192.168.1.2/24
        G0/1                              192.168.2.2/24
R4      Lo0                               4.4.4.4/24
        F0/0                              10.1.104.4/24
R5      Lo0                               5.5.5.5/24
        F0/0                              10.1.105.5/24
ASA1    E0/0, Outside, Security 0         192.168.1.10/24
        E0/1, Inside, Security 100        10.1.101.10/24
ASA2    E0/0, Outside, Security 0         192.168.2.10/24
        E0/1, Inside_US, Security 100     10.1.105.10/24
        E0/2, Inside_CA, Security 100     10.1.104.10/24

Task 1
Configure an IOS Certificate Authority server on R1. The server should have a self-signed certificate with a lifetime of 5 years and grant certificates to the clients with a lifetime of 3 years. The server should service all certificate requests automatically. Store all certificates on the flash as base-64 PEM, encrypted with a password of "Cisco_CA".

Configuration
Complete these steps:

Step 1 R1 configuration.

R1(config)#ip http server

The HTTP server must be enabled. This feature uses SCEP (Simple Certificate Enrollment Protocol), which will be used for the automatic certificate enrollment.

R1(config)#crypto pki server IOS_CA
R1(cs-server)#lifetime certificate 1095

The lifetime of client certificates (3 years).

R1(cs-server)#lifetime ca-certificate 1825
R1(cs-server)#database archive pem password Cisco_CA
R1(cs-server)#database url pem flash:/IOS_CA
R1(cs-server)#grant auto
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R1(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Generating 1024 bit RSA keys, keys will be nonexportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
% Exporting Certificate Server signing certificate and keys...
Certificate server 'no shut' event has been queued for processing.
R1(cs-server)#
%PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#exit

The CA is up after issuing the "no shutdown" command. Remember that at the lab exam.

Verification

R1#sh crypto pki server
Certificate Server IOS_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=IOS_CA
    CA cert fingerprint: 2CCFEC44 8B1FA216 4B9CA190 024184A0
    Granting mode is: auto
    Last certificate issued serial number: 0x1
    CA certificate expiration timer: 21:37:39 UTC Oct 19 2014
    CRL NextUpdate timer: 03:37:40 UTC Oct 21 2009
    Current primary storage dir: nvram:
    Current storage dir for .pem files: flash:/IOS_CA
    Database Level: Minimum - no cert data written to storage

R1#sh flash | in IOS_CA
   22   1714  Oct 20 2009 21:37:42 +00:00  IOS_CA_00001.pem

The password-protected certificate store has been created on the router flash.

Task 2
To ensure all devices in the network have the same time, configure an NTP server on R1 with a stratum of 4. The server should authenticate the clients with a password of "Cisco_NTP". Configure the rest of the devices as NTP clients of R1's NTP source.

Configuration
Complete these steps:

Step 1 R1 configuration.

R1(config)#ntp authentication-key 1 md5 Cisco_NTP
R1(config)#ntp trusted-key 1
R1(config)#ntp authenticate
R1(config)#ntp master 4

Step 2 ASA1 configuration.

ASA1(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA1(config)# ntp authenticate
ASA1(config)# ntp trusted-key 1
ASA1(config)# ntp server 10.1.101.1 key 1
ASA1(config)# access-list OUTSIDE_IN permit udp any host 10.1.101.1 eq 123
ASA1(config)# access-group OUTSIDE_IN in interface Outside

The access list permits access from the NTP peers behind ASA1's Outside interface to the NTP master (R1).

Step 3 ASA2 configuration.

ASA2(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA2(config)# ntp authenticate
ASA2(config)# ntp trusted-key 1
ASA2(config)# ntp server 10.1.101.1 key 1

Step 4 R2 configuration.

R2(config)#ntp authentication-key 1 md5 Cisco_NTP
R2(config)#ntp authenticate
R2(config)#ntp trusted-key 1
R2(config)#ntp server 10.1.101.1 key 1
R2(config)#ip route 10.1.101.0 255.255.255.0 192.168.1.10
R2(config)#ip route 10.1.104.0 255.255.255.0 192.168.2.10
R2(config)#ip route 10.1.105.0 255.255.255.0 192.168.2.10

Step 5 R4 configuration.

R4(config)#ntp authentication-key 1 md5 Cisco_NTP
R4(config)#ntp authenticate
R4(config)#ntp trusted-key 1
R4(config)#ntp server 10.1.101.1 key 1

Step 6 R5 configuration.

R5(config)#ntp authentication-key 1 md5 Cisco_NTP
R5(config)#ntp authenticate
R5(config)#ntp trusted-key 1
R5(config)#ntp server 10.1.101.1 key 1

Verification

R1#sh ntp status
Clock is synchronized, stratum 4, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CE88ADA8.1FB35E7B (21:44:08.123 UTC Tue Oct 20 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Note that R1 (the master) is synchronized with 127.127.7.1. This is an internally created IP address of the internal NTP server instance that is created after issuing the "ntp master" command. Remember, if you were asked to enable peer authentication on the NTP master, you would have to configure a peer ACL that permits 127.127.7.1. Without that, the NTP server will always be out of sync.

R1#sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      127.127.7.1       3     2    64   377    0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

With this internal address R1's clock is synchronized.

ASA1(config)# sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ce88af37.bc6be95a (21:50:47.736 UTC Tue Oct 20 2009)

ASA1(config)# sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.101.1       127.127.7.1       4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

(The offset, delay and dispersion figures of the client outputs could not be recovered from the extraction and are omitted here.)

Note that the ASA is associated with R1. The Address field contains the IP address of the NTP peer. The Ref clock field (reference clock) contains the IP address of the peer's reference clock. The asterisk indicates that R1 is the NTP master and the ASA is synced with it. Note that the stratum for this peer is 5 (every further NTP hop in the NTP path increases the stratum value).

The same checks on ASA2, R2, R4 and R5 all report "Clock is synchronized, stratum 5, reference is 10.1.101.1", and sh ntp associations on each of them lists the single peer *~10.1.101.1 with ref clock 127.127.7.1 and st 4.
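The symmetric-key MD5 authentication that "ntp authentication-key 1 md5 Cisco_NTP", "ntp trusted-key 1" and "ntp authenticate" configure, as an added Python example (not from the workbook): it builds a 48-byte NTP client packet, appends the key-id/MD5 authenticator and verifies it the way an authenticating server would, including the case of a key that is configured but not trusted. The second key and the packet contents are constructed.

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring "ntp authentication-key 1 md5 Cisco_NTP".
# Key 2 is an extra constructed key that is configured but, like a key missing
# from "ntp trusted-key", must not authenticate anything.
NTP_KEYS = {1: b"Cisco_NTP", 2: b"Constructed_Key"}
TRUSTED_KEYS = {1}            # "ntp trusted-key 1"
NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16              # key id + MD5 digest


def build_ntp_client_packet(transmit_timestamp=0):
    """Minimal NTPv4 client request (RFC 5905 header, 48 bytes): LI=0, VN=4,
    Mode=3, stratum 0, poll 6, precision -20, zero root delay/dispersion and
    reference id, then four 64-bit timestamps (only transmit is set)."""
    return (struct.pack("!BBBbIII", 0x23, 0, 6, -20, 0, 0, 0)
            + bytes(24) + struct.pack("!Q", transmit_timestamp))


def ntp_mac(key, packet):
    """Symmetric-key MD5 authenticator used by NTPv3/v4: MD5(key || packet)."""
    return hashlib.md5(key + packet).digest()


def sign_ntp_packet(packet, key_id, keys=NTP_KEYS):
    """Append the 20-byte MAC (key id + digest) to a 48-byte NTP packet."""
    return packet + struct.pack("!I", key_id) + ntp_mac(keys[key_id], packet)


def verify_ntp_packet(data, keys=NTP_KEYS, trusted=TRUSTED_KEYS):
    """Check a received packet the way a device with "ntp authenticate" does.
    Returns (accepted, reason)."""
    if len(data) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected (ntp authenticate)"
    if len(data) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed length"
    packet, key_id_raw, digest = data[:48], data[48:52], data[52:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted:
        return False, f"key id {key_id} is configured but not trusted"
    expected = ntp_mac(keys[key_id], packet)
    # Constant-time comparison of the received digest.
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (wrong key or modified packet)"
    return True, "ok"


if __name__ == "__main__":
    pkt = build_ntp_client_packet(0xCE88ADA800000000)
    print(verify_ntp_packet(sign_ntp_packet(pkt, 1)))   # (True, 'ok')
    print(verify_ntp_packet(sign_ntp_packet(pkt, 2)))   # key 2 not trusted
    print(verify_ntp_packet(pkt))                       # no MAC at all
```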

Task 3
On both ASAs enroll a certificate for IPSec peer authentication. The certificate used for IPSec authentication should have keys of at least 1024 bytes. Ensure that the FQDN and certificate attributes like Common Name and Country are used. Configure a domain name of MicronicsTraining.com.

Configuration
Complete these steps:

Step 1 ASA1 configuration.

ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec

The certificate will be used for SSL or IPSec authentication.

ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com
ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit
ASA1(config)# crypto ca authenticate IOS_CA
INFO: Certificate has the following attributes:
Fingerprint:     2ccfec44 8b1fa216 4b9ca190 024184a0
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Authenticating the CA retrieves the root CA certificate and, once accepted, writes it into the device's configuration. The CA configured at 10.1.101.1 has been authenticated.

ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.

Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA1, C=US

% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!

The certificate has been issued automatically. Auto enrollment is working.

ASA1(config)# access-list OUTSIDE_IN permit tcp host 192.168.2.10 host 10.1.101.1 eq 80

SCEP (which uses HTTP) from ASA2 to the CA must be allowed through ASA1.

Step 2 ASA2 configuration.

ASA2(config)# domain-name MicronicsTraining.com
ASA2(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA2(config)# crypto ca trustpoint IOS_CA
ASA2(config-ca-trustpoint)# id-usage ssl-ipsec
ASA2(config-ca-trustpoint)# subject-name CN=ASA2, C=US
ASA2(config-ca-trustpoint)# fqdn ASA2.MicronicsTraining.com
ASA2(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA2(config-ca-trustpoint)# exit
ASA2(config)# crypto ca authenticate IOS_CA
INFO: Certificate has the following attributes:
Fingerprint:     2ccfec44 8b1fa216 4b9ca190 024184a0
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
ASA2(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.

Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA2, C=US

% The fully-qualified domain name in the certificate will be: ASA2.MicronicsTraining.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!

Verification

ASA1(config)# sh crypto ca trustpoints

Trustpoint IOS_CA:
    Subject Name:
    cn=IOS_CA
          Serial Number: 01
    Certificate configured.
    CEP URL: http://10.1.101.1

ASA1(config)# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=IOS_CA
  Subject Name:
    hostname=ASA1.MicronicsTraining.com
    cn=ASA1
    c=US
  Validity Date:
    start date: 22:14:31 UTC Oct 20 2009
    end   date: 22:14:31 UTC Oct 19 2012
  Associated Trustpoints: IOS_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=IOS_CA
  Subject Name:
    cn=IOS_CA
  Validity Date:
    start date: 21:37:39 UTC Oct 20 2009
    end   date: 21:37:39 UTC Oct 19 2014
  Associated Trustpoints: IOS_CA

This is the CA root certificate accepted during the trustpoint authentication.

ASA2(config)# sh crypto ca trustpoints

Trustpoint IOS_CA:
    Subject Name:
    cn=IOS_CA
          Serial Number: 01
    Certificate configured.
    CEP URL: http://10.1.101.1

ASA2(config)# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=IOS_CA
  Subject Name:
    hostname=ASA2.MicronicsTraining.com
    cn=ASA2
    c=US
  Validity Date:
    start date: 22:19:48 UTC Oct 20 2009
    end   date: 22:19:48 UTC Oct 19 2012
  Associated Trustpoints: IOS_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=IOS_CA
  Subject Name:
    cn=IOS_CA
  Validity Date:
    start date: 21:37:39 UTC Oct 20 2009
    end   date: 21:37:39 UTC Oct 19 2014
  Associated Trustpoints: IOS_CA

Lab 1.40. Site-to-Site IPSec VPN using PKI (ASA-ASA)

This lab is based on the previous lab configuration.

Task 1
Configure a Site-to-Site IPSec VPN between ASA1 and ASA2. Use the Certificate Authority and the keys/certificates enrolled in the previous lab. Ensure that only traffic between hosts 1.1.1.1 and 5.5.5.5 gets encrypted. Use the following settings for building the VPN:

ISAKMP Policy:
- Authentication: RSA signatures
- Encryption: 3DES
- Hash: MD5
- DH Group 2

IPSec Policy:
- Encryption: 3DES
- Hash: MD5
- Enable PFS

Configuration
Complete these steps:

Step 1 ASA1 configuration.

ASA1(config)# crypto isakmp enable outside
ASA1(config)# access-list CRYPTO_ACL permit ip host 1.1.1.1 host 5.5.5.5
ASA1(config)# tunnel-group 192.168.2.10 type ipsec-l2l
ASA1(config)# tunnel-group 192.168.2.10 ipsec-attributes
ASA1(config-tunnel-ipsec)# trust-point IOS_CA

On the ASA the IPSec-specific settings for a peer are configured under the tunnel-group. The tunnel group has been pointed to a valid CA trustpoint; this CA will be used for peer authentication.

ASA1(config-tunnel-ipsec)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth rsa-sig

For peer authentication based on X.509v3 certificates, authentication with RSA signatures has to be enabled in the ISAKMP policy.

ASA1(config-isakmp-policy)# encry 3des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# crypto ipsec transform-set TSET esp-3des esp-md5-hmac
ASA1(config)# crypto map ENCRYPT_OUT 1 match address CRYPTO_ACL
ASA1(config)# crypto map ENCRYPT_OUT 1 set peer 192.168.2.10
ASA1(config)# crypto map ENCRYPT_OUT 1 set pfs group2

Perfect Forward Secrecy is enabled with DH group 2 (1024-bit MODP), so every IPSec SA is keyed from a fresh Diffie-Hellman exchange instead of being derived from the ISAKMP SA keying material. The DH group is independent of the 1024-bit RSA keys enrolled in the previous lab; those are only used to sign the Main Mode exchange.

ASA1(config)# crypto map ENCRYPT_OUT 1 set transform-set TSET
ASA1(config)# crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# route inside 1.1.1.1 255.255.255.255 10.1.101.1

Step 2 ASA2 configuration.

ASA2(config)# crypto isakmp enable outside
ASA2(config)# access-list CRYPTO_ACL permit ip host 5.5.5.5 host 1.1.1.1
ASA2(config)# tunnel-group 192.168.1.10 type ipsec-l2l
ASA2(config)# tunnel-group 192.168.1.10 ipsec-attributes
ASA2(config-tunnel-ipsec)# trust-point IOS_CA
ASA2(config-tunnel-ipsec)# crypto isakmp policy 10
ASA2(config-isakmp-policy)# auth rsa-sig
ASA2(config-isakmp-policy)# encry 3des
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# crypto ipsec transform-set TSET esp-3des esp-md5-hmac
ASA2(config)# crypto map ENCRYPT_OUT 1 match address CRYPTO_ACL
ASA2(config)# crypto map ENCRYPT_OUT 1 set peer 192.168.1.10
ASA2(config)# crypto map ENCRYPT_OUT 1 set pfs group2
ASA2(config)# crypto map ENCRYPT_OUT 1 set transform-set TSET
ASA2(config)# crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA
ASA2(config)# crypto map ENCRYPT_OUT interface Outside
ASA2(config)# route Inside_US 5.5.5.5 255.255.255.255 10.1.105.5

Verification

R1#ping 5.5.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

The first echo is lost while IKE negotiates the ISAKMP and IPSec SAs; the remaining four are encrypted.

ASA1(config)# sh crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

The IKE tunnel has been established. Note that command output on the ASA differs from the IOS router output: the ASA reports the role of the device in the ISAKMP SA negotiation, and the Main Mode state is named differently. MM_ACTIVE on the ASA has the same meaning as QM_IDLE on the router.

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 4
In Octets: 9216
In Packets: 50
In Drop Packets: 3
In Notifys: 27
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 9724
Out Packets: 53
Out Drop Packets: 0
Out Notifys: 54
Out P2 Exchanges: 4
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 3
Initiator Tunnels: 4
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

ASA1(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ASA1(config)# sh crypto ipsec sa
interface: Outside
    Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.1.10

      access-list CRYPTO_ACL permit ip host 1.1.1.1 host 5.5.5.5
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
      current_peer: 192.168.2.10

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.2.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5C4F95C0

    inbound esp sas:
      spi: 0x1AC28131 (448954673)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
         sa timing: remaining key lifetime (kB/sec): (3914999/28641)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x5C4F95C0 (1548719552)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
         sa timing: remaining key lifetime (kB/sec): (3914999/28641)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

"PFS Group 2" in the in-use settings confirms that the PFS requested in the crypto map was actually negotiated; the encaps/decaps counters match the four successful echoes.

ASA1(config)# sh vpn-sessiondb

Active Session Summary

Sessions:
                               Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN                     :      0 :          0 :               0
    Clientless only           :      0 :          0 :               0
    With client               :      0 :          0 :               0 :        0
  Email Proxy                 :      0 :          0 :               0
  IPsec LAN-to-LAN            :      1 :          4 :               1
  IPsec Remote Access         :      0 :          0 :               0
  VPN Load Balancing          :      0 :          0 :               0
  Totals                      :      1 :          4

License Information:
  IPsec    :    250    Configured :    250    Active :      1    Load :   0%
  SSL VPN  :      2    Configured :      2    Active :      0    Load :   0%

                               Active : Cumulative : Peak Concurrent
  IPsec                       :      1 :          4 :               1
  SSL VPN                     :      0 :          0 :               0
    AnyConnect Mobile         :      0 :          0 :               0
    Linksys Phone             :      0 :          0 :               0
  Totals                      :      1 :          4

Tunnels:
                               Active : Cumulative : Peak Concurrent
  IKE                         :      1 :          4 :               1
  IPsec                       :      1 :          4 :               1
  Totals                      :      2 :          8

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 192.168.2.10
Index        : 4                      IP Addr      : 5.5.5.5
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 400                    Bytes Rx     : 400
Login Time   : 10:03:25 UTC Sun Jul 18 2010
Duration     : 0h:06m:18s

ASA2(config)# sh crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 4
In Octets: 12112
In Packets: 82
In Drop Packets: 3
In Notifys: 55
In P2 Exchanges: 4
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 3
Out Octets: 11028
Out Packets: 71
Out Drop Packets: 0
Out Notifys: 104
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

ASA2(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ASA2(config)# sh crypto ipsec sa
interface: Outside
    Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.2.10

      access-list CRYPTO_ACL permit ip host 5.5.5.5 host 1.1.1.1
      local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 192.168.1.10

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.2.10, remote crypto endpt.: 192.168.1.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 1AC28131

    inbound esp sas:
      spi: 0x5C4F95C0 (1548719552)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
         sa timing: remaining key lifetime (kB/sec): (4373999/28441)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x1AC28131 (448954673)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
         sa timing: remaining key lifetime (kB/sec): (4373999/28441)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

The SPIs are mirrored between the two firewalls: ASA1's outbound SPI 0x5C4F95C0 is ASA2's inbound SPI, and ASA2's outbound SPI 0x1AC28131 is ASA1's inbound SPI.

ASA2(config)# sh vpn-sessiondb detail

Active Session Summary

Sessions:
                               Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN                     :      0 :          0 :               0
    Clientless only           :      0 :          0 :               0
    With client               :      0 :          0 :               0 :        0
  Email Proxy                 :      0 :          0 :               0
  IPsec LAN-to-LAN            :      1 :          4 :               1
  IPsec Remote Access         :      0 :          0 :               0
  VPN Load Balancing          :      0 :          0 :               0
  Totals                      :      1 :          4

License Information:
  IPsec    :    250    Configured :    250    Active :      1    Load :   0%
  SSL VPN  :      2    Configured :      2    Active :      0    Load :   0%

                               Active : Cumulative : Peak Concurrent
  IPsec                       :      1 :          4 :               1
  SSL VPN                     :      0 :          0 :               0
    AnyConnect Mobile         :      0 :          0 :               0
    Linksys Phone             :      0 :          0 :               0
  Totals                      :      1 :          4

Tunnels:
                               Active : Cumulative : Peak Concurrent
  IKE                         :      1 :          4 :               1
  IPsec                       :      1 :          4 :               1
  Totals                      :      2 :          8

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

ASA2(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 192.168.1.10
Index        : 4                      IP Addr      : 1.1.1.1
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 400                    Bytes Rx     : 400
Login Time   : 10:03:25 UTC Sun Jul 18 2010
Duration     : 0h:06m:34s

Verification (detailed)

ASA1(config)# deb cry isakmp 9
ASA1(config)#
Jul 18 10:03:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 192.168.2.10  local Proxy Address 1.1.1.1, remote Proxy Address 5.5.5.5,  Crypto map (ENCRYPT_OUT)
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing ISAKMP SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Traversal VID ver 02 payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Traversal VID ver 03 payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Traversal VID ver RFC payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing Fragmentation VID + extended capabilities payload
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128

The layout of the IKE packet payloads is shown for every message, both sent and received. The msgid=0 messages belong to the Main Mode (Phase 1) exchange.

Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Oakley proposal is acceptable
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received NAT-Traversal ver 02 VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Fragmentation VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing nonce payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing certreq payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing Cisco Unity VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing xauth V6 VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Send IOS VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash

The NAT-D payloads (a hash of each endpoint's address and port) have been prepared; the peer compares them with what it sees on the wire to detect NAT on the path.

Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ISA_KE payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing nonce payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing cert request payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Cisco Unity client VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received xauth V6 VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Generating keys for Initiator...
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing cert payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing RSA signature
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Computing hash for ISAKMP
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing dpd vid payload
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 865

With RSA signature authentication the fifth and sixth Main Mode messages carry the identity, the certificate itself and a signature over the exchange hash; they are already encrypted with the Diffie-Hellman derived keys. At 865 bytes they exceed what fits in one datagram, which is why IKE fragmentation (negotiated through the vendor IDs above) is used for the reply.

Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Rcv'd fragment from a new fragmentation set.  Deleting any old fragments.
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Successfully assembled an encrypted pkt from rcv'd fragments!
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 865
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing cert payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing RSA signature
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Computing hash for ISAKMP
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received DPD VID
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

The NAT discovery process has been performed: neither device is behind NAT, so UDP 4500 encapsulation will not be used.

Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Trying to find group via OU...
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, No Group found by matching OU(s) from ID payload:  Unknown
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Trying to find group via IKE ID...
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, No Group found by matching OU(s) from ID payload:  Unknown
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Trying to find group via IP ADDR...
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Connection landed on tunnel_group 192.168.2.10

The ASA has searched the peer's ID for a locally configured tunnel group: first the OU of the certificate subject, then the IKE ID, then the peer IP address. The IP address matched the tunnel-group configured in Step 1.

Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, peer ID type 9 received (DER_ASN1_DN)
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Oakley begin quick mode
Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Keep-alive type for this connection: DPD
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Starting P1 rekey timer: 73440 seconds.
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, IKE got SPI from key engine: SPI = 0x1ac28131
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, oakley constucting quick mode
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing blank hash payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing IPSec SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing IPSec nonce payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing pfs ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing proxy ID
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Transmitting Proxy Id:
  Local host:  1.1.1.1  Protocol 0  Port 0
  Remote host: 5.5.5.5  Protocol 0  Port 0

Local and remote proxies: all IP traffic between 1.1.1.1 and 5.5.5.5 will be encrypted. The "pfs ke payload" is the extra Diffie-Hellman exchange requested by set pfs group2.

Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing qm hash payload
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=a0018003) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 320
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=a0018003) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing hash payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing nonce payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ISA_KE for PFS in phase 2
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, loading all IPSEC SAs
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Generating Quick Mode Key!
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, NP encrypt rule look up for crypto map ENCRYPT_OUT 1 matching ACL CRYPTO_ACL: returned cs_id=d7cf5238; rule=d79baf10
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Generating Quick Mode Key!
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, NP encrypt rule look up for crypto map ENCRYPT_OUT 1 matching ACL CRYPTO_ACL: returned cs_id=d7cf5238; rule=d79baf10
Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, Security negotiation complete for LAN-to-LAN Group (192.168.2.10)  Initiator, Inbound SPI = 0x1ac28131, Outbound SPI = 0x5c4f95c0
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, oakley constructing final quick mode
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=a0018003) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, IKE got a KEY_ADD msg for SA: SPI = 0x5c4f95c0
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Pitcher: received KEY_UPDATE, spi 0x1ac28131
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Starting P2 rekey timer: 24480 seconds.
Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED (msgid=a0018003)

The SPIs negotiated here (inbound 0x1ac28131, outbound 0x5c4f95c0) are the ones shown by show crypto ipsec sa above. What follows fifteen seconds later is a Dead Peer Detection exchange, not part of the tunnel setup:

Jul 18 10:03:40 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=30705dbc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing hash payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing notify payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Received keepalive of type DPD R-U-THERE (seq number 0x3990fdb6)
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing blank hash payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing qm hash payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Sending keepalive of type DPD R-U-THERE-ACK (seq number 0x3990fdb6)
Jul 18 10:03:40 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=f34536d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
ASA1(config)# un all
ASA1(config)#
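The IKE_DECODE lines in the debug above are the quickest way to see how far a failing negotiation got: six msgid=0 messages for Main Mode, then a Quick Mode triplet, then informational (DPD) exchanges. The following script is an added example (not part of the workbook) that extracts those lines from a saved debug capture, classifies each message and gives a one-line verdict. The sample log is constructed from the IKE_DECODE and PHASE lines shown above; the timestamps and the diagnosis wording are the example's own.

```python
"""Summarise an ASA `debug crypto isakmp` capture by its IKE_DECODE lines."""
import re

MSG_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\) "
                    r"with payloads : (.+?) total length : (\d+)")


def parse_ike_debug(log):
    """Return the decoded messages in order plus the phase-completion flags.
    msgid 0 is the ISAKMP SA (Main Mode); HASH+NOTIFY without an SA payload is an
    informational exchange (DPD here); anything else with a non-zero msgid is Quick Mode."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        direction, msgid, payloads, length = m.groups()
        names = [p.split(" (")[0].strip() for p in payloads.split("+")]
        names = [n for n in names if n not in ("HDR", "NONE")]
        if msgid == "0":
            kind = "mm"
        elif "NOTIFY" in names and "SA" not in names:
            kind = "info"
        else:
            kind = "qm"
        msgs.append({"dir": "out" if direction == "SENDING" else "in", "kind": kind,
                     "msgid": msgid, "payloads": names, "length": int(length)})
    return {"messages": msgs, "phase1_complete": "PHASE 1 COMPLETED" in log,
            "phase2_complete": "PHASE 2 COMPLETED" in log}


def main_mode_step(payloads):
    """Name a Main Mode message (RFC 2409, signature authentication) by its payloads."""
    if "SA" in payloads:
        return "SA proposal (MM1/MM2)"
    if "KE" in payloads:
        return "KE + NONCE (MM3/MM4)"
    if "SIG" in payloads:
        return "ID + CERT + SIG, encrypted (MM5/MM6)"
    return "unrecognised"


def diagnose(summary):
    """One-line verdict on where the negotiation got to."""
    msgs = summary["messages"]
    if summary["phase2_complete"]:
        return "IPsec SA established"
    if not msgs:
        return "no IKE messages decoded: nothing triggered the crypto map"
    mm = [m for m in msgs if m["kind"] == "mm"]
    if not summary["phase1_complete"] and mm:
        sent = sum(m["dir"] == "out" for m in mm)
        rcvd = sum(m["dir"] == "in" for m in mm)
        last = mm[-1]
        return (f"stalled in main mode after {sent} sent / {rcvd} received; "
                f"last message {last['dir']}: {main_mode_step(last['payloads'])}")
    return "phase 1 complete, quick mode did not finish (check crypto ACL mirroring, transform set and PFS)"


P = "Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, "
# Constructed from the initiator-side IKE_DECODE / PHASE lines in the debug above.
SAMPLE_LOG_LINES = [
    P + "IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168",
    P + "IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128",
    P + "IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320",
    P + "IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320",
    P + "IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 865",
    P + "IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 865",
    "Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED",
    P + "IKE_DECODE SENDING Message (msgid=a0018003) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 320",
    P + "IKE_DECODE RECEIVED Message (msgid=a0018003) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292",
    P + "IKE_DECODE SENDING Message (msgid=a0018003) with payloads : HDR + HASH (8) + NONE (0) total length : 72",
    "Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED (msgid=a0018003)",
    P + "IKE_DECODE RECEIVED Message (msgid=30705dbc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80",
    P + "IKE_DECODE SENDING Message (msgid=f34536d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    full = parse_ike_debug(SAMPLE_LOG)
    for m in full["messages"]:
        print(f"{m['kind']:4} {m['dir']:3} msgid={m['msgid']:<8} {m['length']:>4}B  {' + '.join(m['payloads'])}")
    print(diagnose(full))
    print(diagnose(parse_ike_debug("\n".join(SAMPLE_LOG_LINES[:3]))))   # cut after MM3
```

Run against a real capture (`debug crypto isakmp` output saved from the terminal), a stall after MM1 sent with nothing received usually means the peer never saw UDP 500, a stall after MM4 with no MM5/MM6 points at the certificate exchange (wrong trustpoint, clock or CA), and a Phase 1 that completes without Phase 2 points at the crypto map.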

Lab 1.41. Site-to-Site IPSec VPN using PKI (IOS-IOS)

This lab is based on the previous lab configuration. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R2's G0/1 and ASA2's E0/0 interface should be configured in VLAN 122
- R4's F0/0 and ASA2's E0/2 interface should be configured in VLAN 104
- R5's F0/0 and ASA2's E0/1 interface should be configured in VLAN 105
- Configure Telnet on all routers using password "cisco"
- Configure default routing on R1, R4 and R5 pointing to the respective ASA's interface
- Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing

Device   Interface / ifname / sec level        IP address
R1       Lo0                                   1.1.1.1/24
         F0/0                                  10.1.101.1/24
R2       G0/0                                  192.168.1.2/24
         G0/1                                  192.168.2.2/24
R4       Lo0                                   4.4.4.4/24
         F0/0                                  10.1.104.4/24
R5       Lo0                                   5.5.5.5/24
         F0/0                                  10.1.105.5/24
ASA1     E0/0, Outside, Security 0             192.168.1.10/24
         E0/1, Inside, Security 100            10.1.101.10/24
ASA2     E0/0, Outside, Security 0             192.168.2.10/24
         E0/1, Inside_US, Security 100         10.1.105.10/24
         E0/2, Inside_CA, Security 100         10.1.104.10/24

Task 1
Configure a Site-to-Site IPSec tunnel between R4 and R5 to encrypt traffic flows going between IP address 4.4.4.4 and IP address 5.5.5.5. Use the following parameters for the tunnel:

ISAKMP Parameters
- Authentication: RSA Certificate
- Encryption: 3DES
- Group: 2
- Hash: MD5

IPSec Parameters
- Encryption: ESP/3DES
- Authentication: ESP/MD5

Use the IOS CA server configured on R1 for certificate enrollment. Configure the domain name MicronicsTraining.com and ensure that the FQDN and the Country (US) are included in the certificate request.

Configuration
Complete these steps:

Step 1 R5 configuration.

R5(config)#ip domain-name MicronicsTraining.com
R5(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R5.MicronicsTraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R5(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#crypto ca trustpoint IOS_CA
R5(ca-trustpoint)#usage ike

The usage of the certificate has been defined: it is intended for IKE peer authentication.

R5(ca-trustpoint)#subject-name CN=R5, C=US
R5(ca-trustpoint)#enrollment url http://10.1.101.1
R5(ca-trustpoint)#exit
R5(config)#crypto ca authenticate IOS_CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

%PKI-3-SOCKETSEND: Failed to send out message to CA server.

The above error indicates a problem with the connection to the CA. R5 sits behind ASA2 and the CA (R1, 10.1.101.1) behind ASA1, so the SCEP request, which is plain HTTP to the CA, has to be admitted by ASA1's OUTSIDE_IN access list; ASA1 is blocking that connection. Let's configure the appropriate ACEs in OUTSIDE_IN (for R4 and R5).

Step 2 ASA1 configuration.

ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.105.5 host 10.1.101.1 eq 80
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.104.4 host 10.1.101.1 eq 80

SCEP has been allowed through ASA1 for the two routers only.

Step 3 Certificate enrollment on R5.

R5(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
       Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
      Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Because the CA certificate is fetched over unauthenticated HTTP, this fingerprint should be compared with the one displayed on R1 (show crypto pki certificates on the CA) before answering yes; accepting it blindly is what makes a CA substitution on the path possible.

R5(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R5, C=US
% The subject name in the certificate will include: R5.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' command will show the fingerprint.

R5(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: 05D7E98F E04055D7 AA68622D B48D6C92
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 302D643E 69C6FECF 71984DF1 D29DB5ED C110B64F
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#hash md5
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#group 2
R5(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R5(cfg-crypto-trans)#exit
R5(config)#access-list 120 permit ip host 5.5.5.5 host 4.4.4.4
R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R5(config-crypto-map)#set peer 10.1.104.4
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#exit
R5(config)#int f0/0
R5(config-if)#crypto map ENCRYPT

Step 4 Certificate enrollment on R4.

R4(config)#ip domain-name MicronicsTraining.com
R4(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R4.MicronicsTraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R4(config)#
Oct 22 19:45:14.441: %SSH-5-ENABLED: SSH 1.99 has been enabled
R4(config)#crypto ca trustpoint IOS_CA
R4(ca-trustpoint)#usage ike
R4(ca-trustpoint)#subject-name CN=R4, C=CA
R4(ca-trustpoint)#enrollment url http://10.1.101.1
R4(ca-trustpoint)#exit
R4(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
       Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
      Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

The fingerprint is identical to the one R5 received, as expected for the same CA certificate.

R4(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R4, C=CA
% The subject name in the certificate will include: R4.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' command will show the fingerprint.

R4(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: D709C725 A0D9081A D8FA55B4 EAF866C6
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: A82A6373 70FEA31E AE3B1933 4965B8C0 41695706
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

Note that R4 was enrolled with C=CA rather than the C=US the task text asks for. The tunnel still comes up because neither router maps certificate subject fields to a policy; only the CA signature is checked.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication rsa-sig
R4(config-isakmp)#group 2
R4(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 5.5.5.5
R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.1.105.5
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#match address 120
R4(config-crypto-map)#int f0/0
R4(config-if)#crypto map ENCRYPT
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 5 ASA2 configuration.
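Most failures in both this lab and the ASA-ASA lab before it come down to the two ends not mirroring each other: a crypto ACL that is not the exact reverse of the peer's, a different PFS or transform set, or a tunnel-group that does not match the peer address. The script below is an added example (not from the workbook) that parses the crypto-relevant lines of a running configuration, in either the ASA flat `crypto map NAME SEQ set ...` form or the IOS nested `crypto map NAME SEQ ipsec-isakmp` form, and reports every mismatch between a pair. The sample configurations are constructed from the ASA1/ASA2 configuration of Lab 1.40 and the R4/R5 configuration above; the `platform` argument and the `local_ip` parameter (the crypto-map interface address, which is not part of the crypto configuration itself) are the example's own.

```python
"""Mirror-consistency check for an IKEv1 LAN-to-LAN pair (ASA flat or IOS nested syntax)."""
import re

ISAKMP_KEYS = {"authentication": "auth", "auth": "auth", "encryption": "encr", "encry": "encr",
               "encr": "encr", "hash": "hash", "group": "group"}
MAP_KEYS = {"peer": "peer", "pfs": "pfs", "transform-set": "transform", "trustpoint": "map_trustpoint"}


def parse_l2l(config, local_ip, platform):
    """Collect the settings that must agree on both peers. local_ip is the crypto-map
    interface address (not part of the crypto config); platform is "asa" or "ios"."""
    cfg = {"local_ip": local_ip, "platform": platform, "isakmp": {}, "transform_sets": {}, "acls": {},
           "acl": None, "peer": None, "pfs": None, "transform": None, "map_trustpoint": None,
           "tunnel_groups": {}}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"crypto isakmp policy \d+$", line):
            section = "isakmp"
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):      # IOS map entry header
            section = f"crypto map {m[1]} {m[2]} "
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):      # ASA per-peer block
            section = ("tg", m[1])
            cfg["tunnel_groups"].setdefault(m[1], None)
        elif section == "isakmp" and (m := re.match(r"(\S+) (\S+)$", line)) and m[1] in ISAKMP_KEYS:
            cfg["isakmp"][ISAKMP_KEYS[m[1]]] = m[2]
        elif isinstance(section, tuple) and (m := re.match(r"trust-point (\S+)$", line)):
            cfg["tunnel_groups"][section[1]] = m[1]
        else:
            if isinstance(section, str) and section.startswith("crypto map") and line.startswith(("set ", "match ")):
                line = section + line          # rewrite IOS subcommands into the ASA flat form
            else:
                section = None
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                cfg["transform_sets"][m[1]] = tuple(sorted(m[2].split()))
            elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)$", line):
                cfg["acls"].setdefault(m[1], set()).add((m[2], m[3]))
            elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
                cfg["acl"] = m[1]
            elif m := re.match(r"crypto map \S+ \d+ set (peer|pfs|transform-set|trustpoint) (\S+)$", line):
                cfg[MAP_KEYS[m[1]]] = m[2]
    return cfg


def check_l2l_pair(a, b):
    """Return mismatches between two parsed peers; an empty list means the pair should negotiate."""
    f = []
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        f.append(f"peers do not point at each other: {a['peer']} / {b['peer']}")
    if a["isakmp"] != b["isakmp"] or a["isakmp"].get("auth") != "rsa-sig":
        f.append(f"ISAKMP policy mismatch or not rsa-sig: {a['isakmp']} vs {b['isakmp']}")
    ta, tb = a["transform_sets"].get(a["transform"]), b["transform_sets"].get(b["transform"])
    if ta is None or ta != tb:
        f.append(f"transform-set mismatch: {ta} vs {tb}")
    if a["pfs"] != b["pfs"]:
        f.append(f"PFS mismatch: {a['pfs']} vs {b['pfs']}")
    acl_a, acl_b = a["acls"].get(a["acl"], set()), b["acls"].get(b["acl"], set())
    if not acl_a or {(d, s) for s, d in acl_b} != acl_a:    # each side must be the other's reverse
        f.append(f"crypto ACLs are not mirror images: {sorted(acl_a)} vs {sorted(acl_b)}")
    for side in (a, b):
        tp = side["tunnel_groups"].get(side["peer"])
        if side["platform"] == "asa" and tp is None:
            f.append(f"{side['local_ip']}: no tunnel-group with a trust-point for peer {side['peer']}")
        elif tp and side["map_trustpoint"] not in (None, tp):
            f.append(f"{side['local_ip']}: crypto map trustpoint {side['map_trustpoint']} != tunnel-group trust-point {tp}")
    return f


def asa_sample(peer, src, dst):
    """Constructed from the Lab 1.40 ASA configuration, in running-config form."""
    return f"""crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 trust-point IOS_CA
access-list CRYPTO_ACL permit ip host {src} host {dst}
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto map ENCRYPT_OUT 1 match address CRYPTO_ACL
crypto map ENCRYPT_OUT 1 set peer {peer}
crypto map ENCRYPT_OUT 1 set pfs group2
crypto map ENCRYPT_OUT 1 set transform-set TSET
crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA
"""


def ios_sample(peer, src, dst):
    """Constructed from the Lab 1.41 router configuration."""
    return f"""crypto isakmp policy 10
 encr 3des
 hash md5
 authentication rsa-sig
 group 2
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
access-list 120 permit ip host {src} host {dst}
crypto map ENCRYPT 10 ipsec-isakmp
 set peer {peer}
 set transform-set TSET
 match address 120
"""


ASA1 = parse_l2l(asa_sample("192.168.2.10", "1.1.1.1", "5.5.5.5"), "192.168.1.10", "asa")
ASA2 = parse_l2l(asa_sample("192.168.1.10", "5.5.5.5", "1.1.1.1"), "192.168.2.10", "asa")
R5 = parse_l2l(ios_sample("10.1.104.4", "5.5.5.5", "4.4.4.4"), "10.1.105.5", "ios")
R4 = parse_l2l(ios_sample("10.1.105.5", "4.4.4.4", "5.5.5.5"), "10.1.104.4", "ios")

if __name__ == "__main__":
    print("ASA pair:", check_l2l_pair(ASA1, ASA2) or "consistent")
    print("IOS pair:", check_l2l_pair(R5, R4) or "consistent")
```

Feed it the `show running-config` crypto sections from both devices rather than the typed commands: the running config is what actually negotiates, and it exposes defaults (such as the absence of `set pfs`) that a transcript of the configuration session hides.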

Since the IPSec tunnel needs to be established between two peers which sit on different interfaces of ASA2 that share the same security level (100), traffic between those interfaces must be explicitly allowed:

ASA2(config)# same-security-traffic permit inter-interface

Verification

Run a ping from R5's loopback0 towards R4's loopback0.

R5#pi 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.104.4      10.1.105.5      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

The tunnel has been established. The first echo was lost while IKE negotiated the SAs, which is why the success rate is 4/5.

R5#sh cry engine conn act
Crypto Engine Connections

   ID Type    Algorithm           Encrypt  Decrypt IP-Address
 1001 IKE     MD5+3DES                  0        0 10.1.105.5
 2001 IPsec   3DES+MD5                  0        4 10.1.105.5
 2002 IPsec   3DES+MD5                  4        0 10.1.105.5

R5#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: ENCRYPT, local addr 10.1.105.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   current_peer 10.1.104.4 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.105.5, remote crypto endpt.: 10.1.104.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF1BDE182(4055753090)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF37CEB79(4085050233)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4599543/3585)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF1BDE182(4055753090)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4599543/3585)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The single send error on R5 is the first echo, dropped while the SA was still being built. Unlike the ASA lab, this task does not ask for PFS, so "PFS (Y/N): N" is correct here; the IPSec keys are derived from the ISAKMP SA.

R5#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.104.4 port 500
  IKE SA: local 10.1.105.5/500 remote 10.1.104.4/500 Active
  IPSEC FLOW: permit ip host 5.5.5.5 host 4.4.4.4
        Active SAs: 2, origin: crypto map

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.104.4      10.1.105.5      QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: ENCRYPT, local addr 10.1.104.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   current_peer 10.1.105.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.104.4, remote crypto endpt.: 10.1.105.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF37CEB79(4085050233)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF1BDE182(4055753090)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: NETGX:7, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4417938/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF37CEB79(4085050233)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: NETGX:8, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4417938/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R4's inbound SPI 0xF1BDE182 is R5's outbound SPI and R4's outbound SPI 0xF37CEB79 is R5's inbound SPI, and the four packets R5 encapsulated are the four R4 decapsulated: the two outputs describe the same pair of SAs carrying traffic in both directions.

CCIE SECURITY v4 Lab Workbook

outbound ah sas:
outbound pcp sas:
R4#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.105.5 port 500
IKE SA: local 10.1.104.4/500 remote 10.1.105.5/500 Active
IPSEC FLOW: permit ip host 4.4.4.4 host 5.5.5.5
Active SAs: 2, origin: crypto map

Lab 1.42. Site-to-Site IPSec VPN using PKI (Static IP IOS-ASA)

This lab builds on the previous lab's configuration. You need to perform the actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.
Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R2's G0/1 and ASA2's E0/0 interface should be configured in VLAN 122
- R4's F0/0 and ASA2's E0/2 interface should be configured in VLAN 104
- R5's F0/0 and ASA2's E0/1 interface should be configured in VLAN 105
- Configure Telnet on all routers using password "cisco"
- Configure default routing on R1, R4 and R5 pointing to the respective ASA's interface
- Configure default routing on both ASAs pointing to the respective R2 interface
IP Addressing

Device   Interface / ifname / sec level      IP address
R1       Lo0                                 1.1.1.1/24
         F0/0                                10.1.101.1/24
R2       G0/0                                192.168.1.2/24
         G0/1                                192.168.2.2/24
R4       Lo0                                 4.4.4.4/24
         F0/0                                10.1.104.4/24
R5       Lo0                                 5.5.5.5/24
         F0/0                                10.1.105.5/24
ASA1     E0/0, Outside, Security 0           192.168.1.10/24
         E0/1, Inside, Security 100          10.1.101.10/24
ASA2     E0/0, Outside, Security 0           192.168.2.10/24
         E0/1, Inside_US, Security 100       10.1.105.10/24
         E0/2, Inside_CA, Security 100       10.1.104.10/24

Task 1
The company's headquarters in the US consists of ASA1 and R1. The company
has two branch offices: one in the US (R5) and the other in Canada (R4). All routers use
static IP addresses when connecting to the Internet.
Configure the following Site-to-Site IPSec Tunnels:

Tunnel Endpoint   SRC Network   DST Network   ISAKMP Policy          IPSec Policy
R5 – ASA1         5.5.5.5       1.1.1.1       Authentication: RSA    Encryption: ESP/3DES
                                              Encryption: 3DES       Authentication: ESP/MD5
                                              Group: 2
                                              Hash: MD5
R4 – ASA1         4.4.4.4       1.1.1.1       Authentication: RSA    Encryption: ESP/DES
                                              Encryption: DES        Authentication: ESP/SHA
                                              Group: 2
                                              Hash: SHA
Use the IOS CA server configured on R1 for certificate enrollment. Configure the domain
name MicronicsTraining.com and ensure that the FQDN and Country are included in
the certificate request. Enable Perfect Forward Secrecy.
Configuration
Complete these steps:
Step 1

ASA1 configuration.
ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSAKey>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com
ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit
ASA1(config)# crypto ca authenticate IOS_CA

INFO: Certificate has the following attributes:
Fingerprint:     01973e0c a51f6b10 cb074127 c07c60bc

Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the
configuration.
Please make a note of it.


Password: ********
Re-enter password: ********
% The subject name in the certificate will be: CN=ASA1, C=US
% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc 3des
ASA1(config-isakmp-policy)# has md5
ASA1(config-isakmp-policy)# gr 2
ASA1(config-isakmp-policy)# crypto isakmp policy 20
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc des
ASA1(config-isakmp-policy)# ha sha
ASA1(config-isakmp-policy)# gr 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# tunnel-group 10.1.105.5 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.105.5 ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
The "peer-id-validate" command has three options:
* Required = Enable the IKE peer identity validation feature. If a peer's certificate does not provide sufficient information to perform an identity check, drop the tunnel.
* If supported by certificate = Enable the IKE peer identity validation feature. If a peer's certificate does not provide sufficient information to perform an identity check, allow the tunnel.
* Do not check = Do not check the peer's identity at all. Selecting this option disables the feature.
The default option is "required", meaning that if the remote peer does not provide correct identity information during IKE Phase 1, the tunnel will fail. What does the ASA do? It checks whether the peer's identity (by default an IP address) is included in the certificate's Subject Alternative Name.
Hence, we have two options here:
(1) Disable this feature on the ASA by issuing the "peer-id-validate nocheck" command
(2) Send correct identity information from the peers, by issuing the "crypto isakmp identity dn" command on R4 and R5
Option (1) is the quicker fix, but be clear about what it gives up: with "nocheck" the ASA no longer ties the IKE identity to the certificate, so any certificate issued by the trusted CA will authenticate Phase 1 for this peer address. Option (2) keeps that binding and is the safer choice outside the lab.
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# tunnel-group 10.1.104.4 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.104.4 ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit
ASA1(config)# crypto ipsec transform-set TSET_US esp-3des esp-md5-hmac
ASA1(config)# crypto ipsec transform-set TSET_CA esp-des esp-sha-hmac
ASA1(config)# access-list ACL_US permit ip ho 1.1.1.1 ho 5.5.5.5
ASA1(config)# access-list ACL_CA permit ip ho 1.1.1.1 ho 4.4.4.4
The crypto ACLs define the traffic that the ASA and its peers encrypt through the tunnels terminated on the ASA's Outside interface.
ASA1(config)# crypto map ENCRYPT_OUT 1 match address ACL_US
ASA1(config)# crypto map ENCRYPT_OUT 1 set transform TSET_US
ASA1(config)# crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA
ASA1(config)# crypto map ENCRYPT_OUT 1 set peer 10.1.105.5
ASA1(config)# crypto map ENCRYPT_OUT 1 set pfs group2
ASA1(config)# crypto map ENCRYPT_OUT 2 match address ACL_CA
ASA1(config)# crypto map ENCRYPT_OUT 2 set transform TSET_CA
ASA1(config)# crypto map ENCRYPT_OUT 2 set trustpoint IOS_CA
ASA1(config)# crypto map ENCRYPT_OUT 2 set peer 10.1.104.4
ASA1(config)# crypto map ENCRYPT_OUT 2 set pfs group2
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.105.5 host 10.1.101.1 eq 80
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.104.4 host 10.1.101.1 eq 80
SCEP enrollment from R5 and R4 (HTTP to the IOS CA on R1) is now allowed through to the Inside.
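To make the three peer-id-validate modes discussed above concrete, here is an added Python model of the decision (illustration only, not workbook or ASA code). It assumes the ASA compares an address ID with the certificate's SAN iPAddress entries, an FQDN ID with SAN dNSName entries and a DN ID with the subject; the certificate fields are constructed stand-ins rather than parsed X.509.

```python
"""Model of the ASA 'peer-id-validate' decision for an IKEv1 RSA-signature peer.
Added illustration of the three modes, not ASA code."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# IKEv1 ID payload types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_DER_ASN1_DN = 1, 2, 9


@dataclass
class PeerCert:
    """Only the fields the check consults (constructed, not parsed from real X.509)."""
    subject: str                                   # e.g. "CN=R5, C=US"
    san_dns: list = field(default_factory=list)    # subjectAltName dNSName entries
    san_ip: list = field(default_factory=list)     # subjectAltName iPAddress entries


def _norm_dn(dn):
    """Case- and whitespace-insensitive comparison form of an RDN sequence."""
    return tuple(part.strip().lower() for part in dn.split(",") if part.strip())


def check_peer_id(mode, id_type, id_value, cert):
    """mode is 'required', 'cert' (if supported by certificate) or 'nocheck'.
    Returns (accept, reason)."""
    if mode == "nocheck":
        return True, "Peer ID check bypassed"
    # Assumption: address IDs are matched against SAN iPAddress, FQDN IDs against
    # SAN dNSName, DN IDs against the certificate subject.
    if id_type == ID_IPV4_ADDR:
        comparable = [str(ip_address(a)) for a in cert.san_ip]
        match = str(ip_address(id_value)) in comparable
    elif id_type == ID_FQDN:
        comparable = [d.lower() for d in cert.san_dns]
        match = id_value.lower() in comparable
    elif id_type == ID_DER_ASN1_DN:
        comparable = [cert.subject]
        match = _norm_dn(id_value) == _norm_dn(cert.subject)
    else:
        comparable, match = [], False
    if match:
        return True, "IKE identity matches certificate"
    if not comparable:
        # The certificate carries nothing this ID type can be compared with.
        if mode == "cert":
            return True, "certificate has no comparable field; allowed"
        return False, "certificate has no comparable field; dropped (required)"
    return False, "IKE identity does not match certificate"


if __name__ == "__main__":
    r5 = PeerCert(subject="CN=R5, C=US", san_dns=["R5.MicronicsTraining.com"])
    for mode in ("required", "cert", "nocheck"):
        print(mode, check_peer_id(mode, ID_IPV4_ADDR, "10.1.105.5", r5))
```

Run stand-alone it shows the lab's situation: R5's certificate carries its FQDN but no IP address, so an address-type IKE ID fails under "required", passes under "if supported by certificate" only because nothing is comparable, and is never looked at under "nocheck".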


Step 2

ASA2 configuration.
ASA2 sits between both branches and ASA1, so the ESP traffic of both tunnels passes
through it. ESP carries no port numbers, so the ASA cannot track it as a connection the
way it tracks the IKE (UDP/500) session, and the returning ESP packets from ASA1 would be
dropped on the Outside interface. Either permit ESP explicitly in the outside ACL or enable
ipsec-pass-thru inspection, which opens ESP pinholes for peers whose IKE exchange the ASA
has already seen.
ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit
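To make the ESP pass-through point concrete, here is an added Python model (not part of the workbook and not ASA code) of a two-interface firewall that tracks UDP connections by 5-tuple and, when ipsec-pass-thru inspection is enabled, opens an ESP pinhole for a host pair once it has seen that pair's IKE exchange on UDP/500. The packets are constructed inline with struct; the ASA's real implementation (timeouts, AH handling, per-client limits) is simplified away.

```python
"""Why ESP needs 'inspect ipsec-pass-thru': the ESP header has an SPI but no ports,
so there is no 5-tuple to tie a returning packet to. Added model, not ASA code."""
import struct
from ipaddress import ip_address

PROTO_UDP, PROTO_ESP, IKE_PORT = 17, 50, 500


def ipv4(src, dst, proto, payload):
    """IPv4 header without options, checksum left zero (constructed packets, not captures)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp(spi, seq):
    """ESP header (RFC 4303): SPI and sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def parse(pkt):
    """Extract what a firewall can see: addresses, protocol, ports for UDP, SPI for ESP."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20]))}
    l4 = pkt[ihl:]
    if info["proto"] == PROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif info["proto"] == PROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", l4[:8])   # no ports exist to extract
    return info


class AsaModel:
    """Inside (security 100) to outside (0) is permitted by default; outside to inside only
    as return traffic of a tracked UDP connection or through an ESP pinhole."""

    def __init__(self, ipsec_pass_thru):
        self.ipsec_pass_thru = ipsec_pass_thru
        self.udp_conns = set()      # (inside_ip, sport, outside_ip, dport)
        self.esp_pinholes = set()   # (inside_ip, outside_ip)

    def forward(self, pkt, from_inside):
        p = parse(pkt)
        if from_inside:
            if p["proto"] == PROTO_UDP:
                self.udp_conns.add((p["src"], p["sport"], p["dst"], p["dport"]))
                if self.ipsec_pass_thru and p["dport"] == IKE_PORT:
                    # IKE seen for this pair: let ESP between the same hosts back in
                    self.esp_pinholes.add((p["src"], p["dst"]))
            return "PERMIT"
        if p["proto"] == PROTO_UDP:
            ok = (p["dst"], p["dport"], p["src"], p["sport"]) in self.udp_conns
        elif p["proto"] == PROTO_ESP:
            ok = (p["dst"], p["src"]) in self.esp_pinholes
        else:
            ok = False
        return "PERMIT" if ok else "DROP"


if __name__ == "__main__":
    r5, asa1 = "10.1.105.5", "192.168.1.10"
    for inspect in (False, True):
        fw = AsaModel(ipsec_pass_thru=inspect)
        fw.forward(ipv4(r5, asa1, PROTO_UDP, udp(500, 500, b"\x00" * 28)), True)
        print("inspect" if inspect else "no inspect",
              fw.forward(ipv4(asa1, r5, PROTO_ESP, esp(0xB4192B2C, 1)), False))
```

Without inspection the IKE exchange completes (UDP is tracked) but ASA1's ESP packets towards R5 are dropped, which is exactly the symptom of a tunnel that comes up and then passes no traffic.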

Step 3

R5 configuration.
R5(config)#ip domain-name MicronicsTraining.com
R5(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R5.MicronicsTraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R5(config)#crypto ca trustpoint IOS_CA
R5(ca-trustpoint)#usage ike
R5(ca-trustpoint)#subject-name CN=R5, C=US
R5(ca-trustpoint)#enrollment url http://10.1.101.1
R5(ca-trustpoint)#fqdn R5.MicronicsTraining.com
R5(ca-trustpoint)#exit
R5(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R5(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide
this password to the CA Administrator in order to revoke your
certificate. For security reasons your password will not be saved
in the configuration. Please make a note of it.
Password:
Re-enter password:

% The subject name in the certificate will include: CN=R5, C=US
% The subject name in the certificate will include: R5.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]:
no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' command will show
the fingerprint.
R5(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: CB51F487 829E24AB 160BA244 F0256E9B
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 362D19EC 4865EC2E 06915FC0 A45A9551 3B7F4A58
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#hash md5
R5(config-isakmp)#group 2
R5(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R5(cfg-crypto-trans)#access-list 120 permit ip host 5.5.5.5 host 1.1.1.1
R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R5(config-crypto-map)#set peer 192.168.1.10
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#set pfs group2
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#int f0/0
R5(config-if)#crypto map ENCRYPT
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 4

R4 configuration.
R4(config)#ip domain-name MicronicsTraining.com
R4(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R4.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

R4(config)#crypto ca trustpoint IOS_CA
R4(ca-trustpoint)#usage ike
R4(ca-trustpoint)#subject-name CN=R4, C=CA
R4(ca-trustpoint)#enrollment url http://10.1.101.1
R4(ca-trustpoint)#fqdn R4.MicronicsTraining.com
R4(ca-trustpoint)#exit

R4(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R4(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide
this password to the CA Administrator in order to revoke your
certificate. For security reasons your password will not be saved
in the configuration. Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=R4, C=CA
% The subject name in the certificate will include: R4.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]:
no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' command will show
the fingerprint.
R4(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: C37B49A5 39B60647 3928452D CB501CFF
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7E096059 984DF493 DC68F185 4325FDDF 5C9D9F7C
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr des
R4(config-isakmp)#ha sha
R4(config-isakmp)#authentication rsa-sig
R4(config-isakmp)#group 2
R4(config-isakmp)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 1.1.1.1
R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 192.168.1.10
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#set pfs group2
R4(config-crypto-map)#match address 120
R4(config-crypto-map)#int f0/0
R4(config-if)# crypto map ENCRYPT
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
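The ISAKMP policy matching that the debug output later reports as "IKE SA Proposal # 1, Transform # 1 acceptable" can be reproduced for the policies configured in Steps 1, 3 and 4. The Python below is an added example, not workbook or Cisco code; it encodes the documented IOS/ASA rule that the initiator offers all of its policies and the responder walks its own policies in priority order, taking the first exact match on encryption, hash, authentication and DH group (lifetime negotiation is left out).

```python
"""IKEv1 Phase 1 policy selection as IOS and the ASA perform it. Added example
built from the lab's ISAKMP policies, not Cisco code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry."""
    priority: int
    encryption: str   # "des", "3des", "aes" ...
    hash_alg: str     # "md5", "sha"
    auth: str         # "rsa-sig", "pre-share"
    group: int        # Diffie-Hellman group number

    def attrs(self):
        return (self.encryption, self.hash_alg, self.auth, self.group)


ATTR_NAMES = ("encryption", "hash", "authentication", "group")


def offer(policies):
    """The initiator's SA payload: every policy it has, as transforms in priority order."""
    return sorted(policies, key=lambda p: p.priority)


def select(responder_policies, offered):
    """Responder side: walk own policies from the lowest priority number and return
    (own_policy, transform_number) for the first exact match, or (None, None).
    Lifetime is not compared here; the shorter of the two is negotiated separately."""
    for own in sorted(responder_policies, key=lambda p: p.priority):
        for number, transform in enumerate(offered, start=1):
            if own.attrs() == transform.attrs():
                return own, number
    return None, None


def diff(own, transform):
    """Which attributes keep a responder policy from matching an offered transform."""
    return [n for n, a, b in zip(ATTR_NAMES, own.attrs(), transform.attrs()) if a != b]


# The lab's policies (task table and configuration steps above)
ASA1_POLICIES = [IsakmpPolicy(10, "3des", "md5", "rsa-sig", 2),
                 IsakmpPolicy(20, "des", "sha", "rsa-sig", 2)]
R5_POLICIES = [IsakmpPolicy(10, "3des", "md5", "rsa-sig", 2)]
R4_POLICIES = [IsakmpPolicy(10, "des", "sha", "rsa-sig", 2)]


if __name__ == "__main__":
    for name, policies in (("R5", R5_POLICIES), ("R4", R4_POLICIES)):
        chosen, number = select(ASA1_POLICIES, offer(policies))
        print(f"{name}: ASA1 policy {chosen.priority} matches offered transform #{number}")
    # A peer that only offers pre-shared-key authentication never matches:
    psk = IsakmpPolicy(10, "3des", "md5", "pre-share", 2)
    print("pre-share peer:", select(ASA1_POLICIES, offer([psk])), diff(ASA1_POLICIES[0], psk))
```

When a peer offers several transforms, the responder's own priority order decides, not the order the initiator sent them in, which is why a shared lowest-numbered policy on both ends keeps negotiations predictable. The DES, 3DES, MD5, DH group 2 and 1024-bit RSA choices in this lab are what the task dictates; in production use AES, SHA-2, group 14 or higher and 2048-bit keys.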

Verification
R4#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.10    10.1.104.4      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA


R4#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.104.4
protected vrf: (none)
local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF2B4FC1B(4071947291)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xE63FC84A(3862939722)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4405037/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF2B4FC1B(4071947291)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4405037/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

Page 430 of 1033

CCIE SECURITY v4 Lab Workbook

R4#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 4.4.4.4 host 1.1.1.1
Active SAs: 2, origin: crypto map

R5#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.10    10.1.105.5      QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.105.5
protected vrf: (none)
local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x89B0F77C(2310076284)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xB4192B2C(3021548332)

Page 431 of 1033

CCIE SECURITY v4 Lab Workbook

transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4407895/3499)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x89B0F77C(2310076284)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4407895/3499)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R5#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 5.5.5.5 host 1.1.1.1
Active SAs: 2, origin: crypto map
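Reading "show crypto ipsec sa" by eye works for two tunnels; for more, a parser that checks what the task demanded is handy. The Python below is an added example, not from the workbook: it parses the IOS output format shown above (the sample embedded in it is R4's output, abridged) and flags a flow with no ACTIVE ESP SA in a direction, one-way traffic, a transform set other than the expected one, or PFS not negotiated.

```python
"""Parse IOS 'show crypto ipsec sa' and check each flow against the task's policy.
Added example; the sample text is R4's output from above, abridged."""
import re

SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: ENCRYPT, local addr 10.1.104.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
     current outbound spi: 0xF2B4FC1B(4071947291)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xE63FC84A(3862939722)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF2B4FC1B(4071947291)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Return one dict per protected flow (crypto ACL entry) with its counters and ESP SAs."""
    flows, cur, section, sa = [], None, None, None
    map_tag = local_addr = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: (\S+), local addr (\S+)", line):
            map_tag, local_addr = m[1], m[2]
        elif m := re.match(r"local\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", line):
            cur = {"map": map_tag, "local_addr": local_addr, "local": f"{m[1]}/{m[2]}",
                   "remote": None, "peer": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "pfs": None, "sas": []}
            flows.append(cur)
            section = sa = None
        elif cur is None:
            continue
        elif m := re.match(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", line):
            cur["remote"] = f"{m[1]}/{m[2]}"
        elif m := re.match(r"current_peer (\S+) port \d+", line):
            cur["peer"] = m[1]
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur["encaps"] = int(m[1])
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur["decaps"] = int(m[1])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            cur["send_errors"], cur["recv_errors"] = int(m[1]), int(m[2])
        elif m := re.match(r"PFS \(Y/N\): ([YN]), DH group: (\S+)", line):
            cur["pfs"] = m[2] if m[1] == "Y" else None
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = (m[1], m[2])
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            if section and section[1] == "esp":   # only ESP SAs carry the transform we check
                sa = {"dir": section[0], "spi": int(m[1], 16), "transform": None, "status": None}
                cur["sas"].append(sa)
        elif sa and (m := re.match(r"transform: (.+?) ,", line)):
            sa["transform"] = m[1]
        elif sa and (m := re.match(r"Status: (\S+)", line)):
            sa["status"] = m[1]
    return flows


def assess(flow, expected_transform=None, expected_pfs=None):
    """Return a list of findings; an empty list means the flow looks healthy."""
    findings = []
    for direction in ("inbound", "outbound"):
        if not any(s["dir"] == direction and s["status"] == "ACTIVE" for s in flow["sas"]):
            findings.append(f"no ACTIVE {direction} ESP SA")
    if flow["encaps"] and not flow["decaps"]:
        findings.append("one-way traffic: encrypting but nothing comes back "
                        "(far-end crypto ACL, routing, or a firewall dropping ESP)")
    if expected_transform:
        for s in flow["sas"]:
            if s["transform"] != expected_transform:
                findings.append(f"SPI 0x{s['spi']:08X} uses {s['transform']}, expected {expected_transform}")
    if expected_pfs and flow["pfs"] != expected_pfs:
        findings.append(f"PFS {expected_pfs} expected, negotiated {flow['pfs'] or 'none'}")
    return findings


if __name__ == "__main__":
    for flow in parse_ipsec_sa(SAMPLE):
        print(flow["local"], "->", flow["remote"], "via", flow["peer"],
              assess(flow, "esp-des esp-sha-hmac", "group2") or "OK")
```

The single "#send errors 1" in R4's output is the first echo that was dropped while the SAs were being built (the "." in the ping), so it is reported but not treated as a fault; a send-error count that keeps climbing while decaps stays at zero is the one-way case the check does flag.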

ASA1(config)# un all
ASA1(config)# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 10.1.105.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 10.1.104.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ASA1(config)# sh crypto ipsec sa
interface: Outside
Crypto map tag: ENCRYPT_OUT, seq num: 2, local addr: 192.168.1.10
access-list ACL_CA permit ip host 1.1.1.1 host 4.4.4.4
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer: 10.1.104.4
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E63FC84A
inbound esp sas:
spi: 0xF2B4FC1B (4071947291)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24576, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3556)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xE63FC84A (3862939722)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24576, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3556)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.1.10
access-list ACL_US permit ip host 1.1.1.1 host 5.5.5.5
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer: 10.1.105.5
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

Page 433 of 1033

CCIE SECURITY v4 Lab Workbook

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.105.5
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B4192B2C
inbound esp sas:
spi: 0x89B0F77C (2310076284)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3469)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xB4192B2C (3021548332)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3468)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA1(config)# sh vpn-sessiondb

Active Session Summary

Sessions:
                                Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN                     :      0 :          0 :               0
    Clientless only           :      0 :          0 :               0
    With client               :      0 :          0 :               0 :        0
  Email Proxy                 :      0 :          0 :               0
  IPsec LAN-to-LAN            :      2 :          6 :               2
  IPsec Remote Access         :      0 :          0 :               0
  VPN Load Balancing          :      0 :          0 :               0
  Totals                      :      2 :          6

License Information:
  IPsec    :    250    Configured :    250    Active :      2    Load :   1%
  SSL VPN  :      2    Configured :      2    Active :      0    Load :   0%

                                Active : Cumulative : Peak Concurrent
  IPsec                       :      2 :          6 :               2
  SSL VPN                     :      0 :          0 :               0
    AnyConnect Mobile         :      0 :          0 :               0
    Linksys Phone             :      0 :          0 :               0
  Totals                      :      2 :          6

Tunnels:
                                Active : Cumulative : Peak Concurrent
  IKE                         :      2 :          6 :               2
  IPsec                       :      2 :          6 :               2
  Totals                      :      4 :         12

Active NAC Sessions:
  No NAC sessions to display
Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display
ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 10.1.105.5
Index        : 5                      IP Addr      : 5.5.5.5
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 400                    Bytes Rx     : 400
Login Time   : 11:18:19 UTC Sun Jul 18 2010
Duration     : 0h:02m:27s

Connection   : 10.1.104.4
Index        : 6                      IP Addr      : 4.4.4.4
Protocol     : IKE IPsec
Encryption   : DES                    Hashing      : SHA1
Bytes Tx     : 400                    Bytes Rx     : 400
Login Time   : 11:19:43 UTC Sun Jul 18 2010
Duration     : 0h:01m:03s

ASA1(config)#

Verification (detailed)
ASA1(config)# deb cry isak 9
ASA1(config)# Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 164
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing SA payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Oakley proposal is acceptable
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal RFC VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload

Page 435 of 1033

CCIE SECURITY v4 Lab Workbook

Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 03 VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 02 VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing IKE SA payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, IKE SA Proposal # 1, Transform # 1
acceptable

Matches global IKE entry # 3

Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing ISAKMP SA payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing NAT-Traversal VID ver 02
payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing Fragmentation VID +
extended capabilities payload
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 300
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ke payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ISA_KE payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing nonce payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing cert request payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received DPD VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Processing IOS/PIX Vendor ID payload
(version: 1.0.0, capabilities: 00000f6f)
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received xauth V6 VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing ke payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing nonce payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing certreq payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing Cisco Unity VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing xauth V6 VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Send IOS VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Constructing ASA spoofing IOS Vendor ID
payload (version: 1.0.0, capabilities: 20000001)
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Send Altiga/Cisco VPN3000/Cisco ASA GW
VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Generating keys for Responder...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320

Page 436 of 1033

CCIE SECURITY v4 Lab Workbook

Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + ID (5) + CERT (6) + SIG (9) + NOTIFY (11) + NONE (0) total length :
766
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing cert payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing RSA signature
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Computing hash for ISAKMP
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing notify payload
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Automatic NAT Detection Status:
    Remote end is NOT behind a NAT device     This end is NOT behind a NAT device
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Trying to find group via OU...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, No Group found by matching OU(s) from ID
payload: Unknown

Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Trying to find group via IKE ID...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Trying to find group via IP ADDR...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Connection landed on tunnel_group 10.1.105.5
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, peer ID type 2
received (FQDN)
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Peer ID check
bypassed
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing ID
payload
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing cert
payload
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing RSA
signature
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Computing hash for
ISAKMP
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing dpd
vid payload
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE
(0) total length : 818
Jul 18 11:18:19 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 1 COMPLETED
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Keep-alive type for this connection: DPD
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Starting P1 rekey
timer: 64800 seconds.
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=64bdc5ed)
with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE
(0) total length : 292
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing SA
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing nonce
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ke
payload

Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ISA_KE
for PFS in phase 2
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ID
payload
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Received remote Proxy
Host data in ID Payload:

Address 5.5.5.5, Protocol 0, Port 0

Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ID
payload
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Received local Proxy Host
data in ID Payload:

Address 1.1.1.1, Protocol 0, Port 0

Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, QM IsRekeyed old sa not
found by addr
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Static Crypto Map check,
checking map = ENCRYPT_OUT, seq = 1...
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Static Crypto Map check,
map ENCRYPT_OUT, seq = 1 is a successful match
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, IKE Remote Peer configured for crypto map: ENCRYPT_OUT
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing IPSec SA
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IPSec SA Proposal #
1, Transform # 1 acceptable

Matches global IPSec SA entry # 1

Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, IKE: requesting SPI!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IKE got SPI from
key engine: SPI = 0x89b0f77c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, oakley constucting
quick mode
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank
hash payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing IPSec
SA payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing IPSec
nonce payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing pfs ke
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing proxy
ID
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Transmitting Proxy Id:
  Remote host: 5.5.5.5  Protocol 0  Port 0
  Local host:  1.1.1.1  Protocol 0  Port 0

Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm
hash payload
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=64bdc5ed)
with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE
(0) total length : 292
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=64bdc5ed)
with payloads : HDR + HASH (8) + NONE (0) total length : 48
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash
payload

Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, loading all IPSEC
SAs
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Generating Quick
Mode Key!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, NP encrypt rule
look up for crypto map ENCRYPT_OUT 1 matching ACL ACL_US: returned cs_id=d7cb38c0;
rule=d7c9fc68
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Generating Quick
Mode Key!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, NP encrypt rule
look up for crypto map ENCRYPT_OUT 1 matching ACL ACL_US: returned cs_id=d7cb38c0;
rule=d7c9fc68
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Security negotiation complete for LAN-to-LAN Group (10.1.105.5)  Responder, Inbound SPI = 0x89b0f77c, Outbound SPI = 0xb4192b2c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IKE got a KEY_ADD
msg for SA: SPI = 0xb4192b2c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Pitcher: received
KEY_UPDATE, spi 0x89b0f77c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Starting P2 rekey
timer: 3420 seconds.
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 2 COMPLETED (msgid=64bdc5ed)
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive
of type DPD R-U-THERE (seq number 0x22ad78e5)
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank
hash payload
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm
hash payload
Jul 18 11:18:38 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=81cb2dd5)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:38 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=6e139995)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash
payload
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing notify
payload
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive
of type DPD R-U-THERE-ACK (seq number 0x22ad78e5)
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive
of type DPD R-U-THERE (seq number 0x22ad78e6)
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank
hash payload
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm
hash payload
Jul 18 11:18:48 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=530ce865)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:48 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=11faf851)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash
payload

Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing notify payload
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x22ad78e6)
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x22ad78e7)
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank hash payload
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm hash payload
Jul 18 11:18:58 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=d1cf7f74) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:58 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=fcf96857) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash payload
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing notify payload
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x22ad78e7)
ASA1(config)# un all
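The DPD exchange in the trace above is worth reading carefully: every R-U-THERE the ASA sends carries a fresh sequence number, and the peer proves it is alive only by returning an R-U-THERE-ACK that echoes exactly that number. The following Python script is an added example, not part of the workbook and not Cisco code: it reads `debug crypto isakmp` lines in the format shown above and tracks, per peer, which probes were answered, which ACKs matched nothing we sent, and which peer should be declared dead. The sample lines are the ones from the trace above (re-joined onto single lines) plus a constructed second peer, 10.1.104.4, whose probes go unanswered; the threshold of three unanswered probes is an assumption for the example, not the ASA's configured `isakmp keepalive` retry value.

```python
# Added example (not from the workbook): a DPD liveness monitor over ASA
# 'debug crypto isakmp' output. Constructed sample lines are embedded below.
import re
from collections import defaultdict

PHASE_RE = re.compile(r"IP = (?P<ip>[\d.]+), PHASE (?P<phase>[12]) COMPLETED")
SEND_RE = re.compile(r"IP = (?P<ip>[\d.]+), Sending keep-alive of type DPD R-U-THERE "
                     r"\(seq number (?P<seq>0x[0-9a-fA-F]+)\)")
ACK_RE = re.compile(r"IP = (?P<ip>[\d.]+), Received keep-alive of type DPD R-U-THERE-ACK "
                    r"\(seq number (?P<seq>0x[0-9a-fA-F]+)\)")


def dpd_state(lines, max_unanswered=3):
    """Return {peer_ip: state} where state records the IKE phases completed,
    the R-U-THERE sequence numbers still waiting for an ACK, how many probes
    were answered, how many ACKs matched nothing outstanding, and whether the
    peer has crossed the unanswered-probe threshold (assumed value, see lead-in)."""
    peers = defaultdict(lambda: {"phases": set(), "outstanding": [],
                                 "answered": 0, "stray_acks": 0, "dead": False})
    for line in lines:
        m = PHASE_RE.search(line)
        if m:
            peers[m["ip"]]["phases"].add(int(m["phase"]))
            continue
        m = SEND_RE.search(line)
        if m:
            peers[m["ip"]]["outstanding"].append(int(m["seq"], 16))
            continue
        m = ACK_RE.search(line)
        if m:
            peer, seq = peers[m["ip"]], int(m["seq"], 16)
            if seq in peer["outstanding"]:      # ACK must echo a probe we sent
                peer["outstanding"].remove(seq)
                peer["answered"] += 1
            else:                               # stale or forged sequence number
                peer["stray_acks"] += 1
    for peer in peers.values():
        peer["dead"] = len(peer["outstanding"]) >= max_unanswered
    return dict(peers)


# Lines from the trace above, re-joined, followed by a constructed peer
# (10.1.104.4) that stops answering and then returns a stale ACK.
TRACE = [
    "Jul 18 11:18:19 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 1 COMPLETED",
    "Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 2 COMPLETED (msgid=64bdc5ed)",
    "Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x22ad78e5)",
    "Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x22ad78e5)",
    "Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x22ad78e6)",
    "Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x22ad78e6)",
    "Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x22ad78e7)",
    "Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x22ad78e7)",
    # constructed lines
    "Jul 18 11:19:00 [IKEv1]: Group = 10.1.104.4, IP = 10.1.104.4, PHASE 1 COMPLETED",
    "Jul 18 11:19:10 [IKEv1 DEBUG]: Group = 10.1.104.4, IP = 10.1.104.4, Sending keep-alive of type DPD R-U-THERE (seq number 0x1000)",
    "Jul 18 11:19:15 [IKEv1 DEBUG]: Group = 10.1.104.4, IP = 10.1.104.4, Sending keep-alive of type DPD R-U-THERE (seq number 0x1001)",
    "Jul 18 11:19:20 [IKEv1 DEBUG]: Group = 10.1.104.4, IP = 10.1.104.4, Sending keep-alive of type DPD R-U-THERE (seq number 0x1002)",
    "Jul 18 11:19:21 [IKEv1 DEBUG]: Group = 10.1.104.4, IP = 10.1.104.4, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x0fff)",
]

if __name__ == "__main__":
    for ip, st in dpd_state(TRACE).items():
        print(ip, "phases", sorted(st["phases"]), "answered", st["answered"],
              "unanswered", [hex(s) for s in st["outstanding"]],
              "stray ACKs", st["stray_acks"], "dead", st["dead"])
```

Run it as-is and 10.1.105.5 shows three answered probes and nothing outstanding, while 10.1.104.4 shows three unanswered probes and one stray ACK; an ACK whose sequence number never left this box is the case the matching rule exists for, and it is counted rather than credited.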

Lab 1.43. Site-to-Site IPSec VPN using PKI (Dynamic IP IOS-ASA)

This lab is based on the previous lab configuration. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup
 R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
 R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
 R2's G0/1 and ASA2's E0/0 interface should be configured in VLAN 122
 R4's F0/0 and ASA2's E0/2 interface should be configured in VLAN 104
 R5's F0/0 and ASA2's E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password "cisco"
 Configure default routing on R1, R4 and R5 pointing to the respective ASA's interface
 Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing
Device   Interface / ifname / sec level     IP address
R1       Lo0                                1.1.1.1/24
         F0/0                               10.1.101.1/24
R2       G0/0                               192.168.1.2/24
         G0/1                               192.168.2.2/24
R4       Lo0                                4.4.4.4/24
         F0/0                               10.1.104.4/24
R5       Lo0                                5.5.5.5/24
         F0/0                               10.1.105.5/24
ASA1     E0/0, Outside, Security 0          192.168.1.10/24
         E0/1, Inside, Security 100         10.1.101.10/24
ASA2     E0/0, Outside, Security 0          192.168.2.10/24
         E0/1, Inside_US, Security 100      10.1.105.10/24
         E0/2, Inside_CA, Security 100      10.1.104.10/24

Task 1
The Company's Headquarters in the US consists of ASA1 and R1. The Company has two branch offices: one in the US (R5) and the other in Canada (R4). To cut leased line costs you decided to migrate from static IP routers at the branches to dynamic IP DSLs. The IP address of the DSL modems in the branches changes every day.

Configure the following Site-to-Site IPSec Tunnels:

Tunnel Endpoint   SRC Network   DST Network   ISAKMP Policy          IPSec Policy
R5 – ASA1         5.5.5.5       1.1.1.1       Authentication: RSA    Encryption: ESP/3DES
                                              Encryption: 3DES       Authentication: ESP/MD5
                                              Hash: MD5
                                              Group: 2
R4 – ASA1         4.4.4.4       1.1.1.1       Authentication: RSA    Encryption: ESP/DES
                                              Encryption: DES        Authentication: ESP/SHA
                                              Hash: SHA
                                              Group: 2

Use the IOS CA server configured on R1 for certificate enrollment. Configure a domain name of MicronicsTraining.com and ensure that the FQDN and Country are included in the certificate request. You should assign the proper IPSec profile for every branch peer using the Country field in the peer's certificate. Enable the Perfect Forward Secrecy feature.

Configuration
Complete these steps:

Step 1 ASA1 configuration.

ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSAKey>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com
ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit
ASA1(config)# crypto ca authenticate IOS_CA
INFO: Certificate has the following attributes:
Fingerprint:     2ccfec44 8b1fa216 4b9ca190 024184a0
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.

Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA1, C=US
% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc 3des
ASA1(config-isakmp-policy)# has md5
ASA1(config-isakmp-policy)# gr 2
ASA1(config-isakmp-policy)# crypto isakmp policy 20
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc des
ASA1(config-isakmp-policy)# ha sha
ASA1(config-isakmp-policy)# gr 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# tunnel-group US_VPN type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
ASA1(config)# tunnel-group US_VPN ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit
ASA1(config)# tunnel-group CA_VPN type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
ASA1(config)# tunnel-group CA_VPN ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit

We use a named tunnel group (instead of an IP address); however, we use certificates for authentication. Note that the peer IP address has not been specified in the crypto map. This is because our branch routers have dynamic IP addresses and we cannot rely on them. Hence, we use certificate maps later in the configuration to achieve the same. By default, the ASA uses the OU field from the certificate to match (pick) the correct tunnel group.

ASA1(config)# crypto ipsec transform-set TSET_US esp-3des esp-md5-hmac
ASA1(config)# crypto ipsec transform-set TSET_CA esp-des esp-sha-hmac
ASA1(config)# access-list ACL_US permit ip ho 1.1.1.1 ho 5.5.5.5
ASA1(config)# access-list ACL_CA permit ip ho 1.1.1.1 ho 4.4.4.4
ASA1(config)# crypto dynamic-map US_VPN 1 match address ACL_US
ASA1(config)# crypto dynamic-map US_VPN 1 set transform TSET_US
ASA1(config)# crypto dynamic-map US_VPN 1 set pfs group2
ASA1(config)# crypto dynamic-map CA_VPN 2 match address ACL_CA
ASA1(config)# crypto dynamic-map CA_VPN 2 set transform TSET_CA
ASA1(config)# crypto dynamic-map CA_VPN 2 set pfs group2

This configuration is based on dynamic crypto maps, which are used when the peer IP address is unknown or other IPSec parameters are intended to be negotiated (i.e. EasyVPN).

ASA1(config)# crypto map CRYPTO_OUT 1 ipsec-isakmp dynamic US_VPN
ASA1(config)# crypto map CRYPTO_OUT 2 ipsec-isakmp dynamic CA_VPN
ASA1(config)# crypto map CRYPTO_OUT interface Outside

The crypto map has been attached to the outside interface.

ASA1(config)# tunnel-group-map enable rules
ASA1(config)# crypto ca certificate map CERT_MAP 10
ASA1(config-ca-cert-map)# subject-name attr C eq US
ASA1(config-ca-cert-map)# crypto ca certificate map CERT_MAP 20
ASA1(config-ca-cert-map)# subject-name attr C eq CA
ASA1(config-ca-cert-map)# exit
ASA1(config)# tunnel-group-map CERT_MAP 10 US_VPN
ASA1(config)# tunnel-group-map CERT_MAP 20 CA_VPN

The tunnel-group-maps tie the respective certificate map entries to the tunnel groups (which carry the same names as the dynamic crypto maps), and that fulfils the task requirement: the Country field in the certificate must be present and set. Keep in mind what this selection does and does not verify. Any certificate issued by IOS_CA whose subject carries C=US lands in US_VPN, and because peer-id-validate nocheck is set in both tunnel groups (the debug output reports this as "Peer ID check bypassed"), the IKE identity the peer presents is not compared against its certificate; who gets a certificate from IOS_CA is therefore the whole of the access decision.
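To make the selection order concrete, the following Python script is an added example, not part of the workbook and not Cisco code: it models how the ASA chooses a tunnel group for a certificate-authenticated L2L peer in the order the debug trace at the top of this section shows (certificate-map rules when `tunnel-group-map enable rules` is on, then OU, then IKE ID, then peer IP address, then the default L2L group). The class and function names are assumptions made for the example, as is the treatment of the certificate-map operators `eq`, `ne`, `co` and `nc` as case-insensitive string comparisons; the rules, tunnel-group-map entries and tunnel groups are constructed to mirror the CLI above.

```python
# Added example (not from the workbook): tunnel-group selection for a
# certificate-authenticated IKEv1 L2L peer, modelled on the ASA's lookup order.
from dataclasses import dataclass


@dataclass(frozen=True)
class CertMapRule:
    map_seq: int   # 'crypto ca certificate map CERT_MAP <seq>'
    attr: str      # subject attribute: 'c', 'ou', 'cn', ...
    op: str        # eq, ne, co (contains), nc (does not contain)
    value: str


def parse_subject(dn: str) -> dict:
    """'CN=R5, C=US' -> {'cn': 'R5', 'c': 'US'} (attribute names lower-cased)."""
    subject = {}
    for part in dn.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            subject[key.strip().lower()] = val.strip()
    return subject


def rule_matches(rule: CertMapRule, subject: dict) -> bool:
    # Case-insensitive comparison is an assumption of this example.
    actual = subject.get(rule.attr.lower(), "").lower()
    wanted = rule.value.lower()
    if rule.op == "eq":
        return actual == wanted
    if rule.op == "ne":
        return actual != wanted
    if rule.op == "co":
        return wanted in actual
    if rule.op == "nc":
        return wanted not in actual
    raise ValueError(f"unknown certificate-map operator: {rule.op}")


def select_tunnel_group(subject_dn, peer_ip, cert_map, tunnel_group_map,
                        tunnel_groups, rules_enabled=True, ike_id=None):
    """Return (tunnel_group, how_it_was_found), mirroring the debug messages
    'Trying to find group via OU / IKE ID / IP ADDR'."""
    subject = parse_subject(subject_dn)
    if rules_enabled:
        # Every rule under one map seq must match (ANDed); lowest seq wins.
        for seq in sorted({r.map_seq for r in cert_map}):
            rules = [r for r in cert_map if r.map_seq == seq]
            if seq in tunnel_group_map and all(rule_matches(r, subject) for r in rules):
                return tunnel_group_map[seq], f"certificate map seq {seq}"
    ou = subject.get("ou")
    if ou in tunnel_groups:
        return ou, "OU"
    if ike_id in tunnel_groups:
        return ike_id, "IKE ID"
    if peer_ip in tunnel_groups:
        return peer_ip, "IP ADDR"
    return "DefaultL2LGroup", "default"


# Constructed to mirror the ASA1 configuration above.
LAB_CERT_MAP = [CertMapRule(10, "c", "eq", "US"), CertMapRule(20, "c", "eq", "CA")]
LAB_TG_MAP = {10: "US_VPN", 20: "CA_VPN"}
LAB_TUNNEL_GROUPS = {"US_VPN", "CA_VPN"}


def lab_selection(subject_dn, peer_ip, rules_enabled=True, extra_groups=()):
    """Selection against this lab's certificate map and tunnel groups; extra_groups
    lets the caller add e.g. an IP-named tunnel group from an earlier lab."""
    return select_tunnel_group(subject_dn, peer_ip, LAB_CERT_MAP, LAB_TG_MAP,
                               LAB_TUNNEL_GROUPS | set(extra_groups), rules_enabled)


if __name__ == "__main__":
    print(lab_selection("CN=R5, C=US", "10.1.105.5"))
    print(lab_selection("CN=R4, C=CA", "10.1.104.4"))
    # With no matching rule the ASA falls through OU, IKE ID and IP address,
    # which is the path the trace at the top of this section shows landing on
    # an IP-named tunnel group.
    print(lab_selection("CN=R5, C=US", "10.1.105.5", rules_enabled=False,
                        extra_groups={"10.1.105.5"}))
```

The third call reproduces the fall-through seen in the trace ("No Group found by matching OU(s)", then IKE ID, then "Connection landed on tunnel_group 10.1.105.5"), which is what happens when the certificate map does not apply; a certificate with a Country the map does not list ends up in DefaultL2LGroup, so that group's policy is the one that catches every other certificate IOS_CA has issued.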

ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.105.5 host 10.1.101.1 eq 80
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.104.4 host 10.1.101.1 eq 80

Step 2 ASA2 configuration.

ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit

Step 3 R5 configuration.

R5(config)#ip domain-name MicronicsTraining.com
R5(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R5.MicronicsTraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R5(config)#crypto ca trustpoint IOS_CA
R5(ca-trustpoint)#usage ike
R5(ca-trustpoint)#subject-name CN=R5, C=US
R5(ca-trustpoint)#enrollment url http://10.1.101.1
R5(ca-trustpoint)#fqdn R5.MicronicsTraining.com
R5(ca-trustpoint)#exit
R5(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
       Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
      Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R5(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R5, C=US
% The subject name in the certificate will include: R5.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' command will show the fingerprint.

R5(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: CB51F487 829E24AB 160BA244 F0256E9B
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 362D19EC 4865EC2E 06915FC0 A45A9551 3B7F4A58
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#hash md5
R5(config-isakmp)#group 2
R5(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R5(cfg-crypto-trans)#access-list 120 permit ip host 5.5.5.5 host 1.1.1.1
R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R5(config-crypto-map)#set peer 192.168.1.10
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#set pfs group2
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#int f0/0
R5(config-if)#crypto map ENCRYPT
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 4 R4 configuration.

R4(config)#ip domain-name MicronicsTraining.com
R4(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R4.MicronicsTraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R4(config)#crypto ca trustpoint IOS_CA
R4(ca-trustpoint)#usage ike
R4(ca-trustpoint)#subject-name CN=R4, C=CA
R4(ca-trustpoint)#enrollment url http://10.1.101.1
R4(ca-trustpoint)#fqdn R4.MicronicsTraining.com
R4(ca-trustpoint)#exit
R4(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
       Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
      Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R4(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R4, C=CA
% The subject name in the certificate will include: R4.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' command will show the fingerprint.

R4(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: C37B49A5 39B60647 3928452D CB501CFF
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 7E096059 984DF493 DC68F185 4325FDDF 5C9D9F7C
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr des
R4(config-isakmp)#ha sha
R4(config-isakmp)#authentication rsa-sig
R4(config-isakmp)#group 2
R4(config-isakmp)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 1.1.1.1
R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R4(config-crypto-map)#set peer 192.168.1.10
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#set pfs group2
R4(config-crypto-map)#match address 120
R4(config-crypto-map)#int f0/0
R4(config-if)# crypto map ENCRYPT
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification

R4#pin 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R5#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R4#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
1001  10.1.104.4      192.168.1.10           ACTIVE des  sha    rsig 2  23:58:20
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

"show crypto isakmp sa detail" may be used to determine which ISAKMP policy has been chosen by the peers. The peers have been authenticated by using certificates; "rsig" indicates that.

R4#sh cry eng conn ac
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1001  IKE     SHA+DES                   0        0 10.1.104.4
 2001  IPsec   DES+SHA                   0        4 10.1.104.4
 2002  IPsec   DES+SHA                   4        0 10.1.104.4

R4#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
  IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
  IPSEC FLOW: permit ip host 4.4.4.4 host 1.1.1.1
        Active SAs: 2, origin: crypto map

This command shows the peers, the status of the tunnel and the definition of interesting traffic.

R4#sh cry ips sa

interface: FastEthernet0/0
    Crypto map tag: ENCRYPT, local addr 10.1.104.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x21D3F08A(567537802)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x13B6803F(330727487)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4492988/3479)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x21D3F08A(567537802)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4492988/3479)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
  IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
  IPSEC FLOW: permit ip host 5.5.5.5 host 1.1.1.1
        Active SAs: 2, origin: crypto map

R5#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
1005  10.1.105.5      192.168.1.10           ACTIVE 3des md5    rsig 2  23:58:54
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

R5#sh cry eng conn ac
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
 1005  IKE     MD5+3DES                  0        0 10.1.105.5
 2003  IPsec   3DES+MD5                  0        4 10.1.105.5
 2004  IPsec   3DES+MD5                  4        0 10.1.105.5

R5#sh cry ips sa

interface: FastEthernet0/0
    Crypto map tag: ENCRYPT, local addr 10.1.105.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF539870C(4114188044)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x5FF3F295(1609822869)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4446487/3522)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF539870C(4114188044)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4446487/3522)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

ASA1(config)# sh cry isak

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 10.1.104.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 10.1.105.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

CCIE SECURITY v4 Lab Workbook Global IKE Statistics Active Tunnels: 2 Previous Tunnels: 6 In Octets: 73056 In Packets: 501 In Drop Packets: 54 In Notifys: 376 In P2 Exchanges: 6 In P2 Exchange Invalids: 0 In P2 Exchange Rejects: 0 In P2 Sa Delete Requests: 2 Out Octets: 50884 Out Packets: 472 Out Drop Packets: 0 Out Notifys: 768 Out P2 Exchanges: 0 Out P2 Exchange Invalids: 0 Out P2 Exchange Rejects: 0 Out P2 Sa Delete Requests: 2 Initiator Tunnels: 1 Initiator Fails: 1 Responder Fails: 21 System Capacity Fails: 0 Auth Fails: 5 Decrypt Fails: 0 Hash Valid Fails: 1 No Sa Fails: 10 Global IPSec over TCP Statistics -------------------------------Embryonic connections: 0 Active connections: 0 Previous connections: 0 Inbound packets: 0 Inbound dropped packets: 0 Outbound packets: 0 Outbound dropped packets: 0 RST packets: 0 Recevied ACK heart-beat packets: 0 Bad headers: 0 Bad trailers: 0 Timer failures: 0 Checksum errors: 0 Internal errors: 0 ASA1(config)# sh cry isak sa detail Active SA: 2 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Page 454 of 1033 .

4. ipsec overhead 58.1. #pkts digest: 4 #pkts decaps: 4. #pkts comp failed: 0. #PMTUs rcvd: 0.1/255.10.255/0/0) remote ident (addr/mask/prot/port): (4. #pkts decomp failed: 0 #pre-frag successes: 0.104.105. #pkts decrypt: 4. PFS Group 2. local addr: 192. #pkts verify: 4 #pkts compressed: 0.: 192.4. #fragments created: 0 #PMTUs sent: 0.4 path mtu 1500. #recv errors: 0 local crypto endpt.255. remote crypto endpt. #pkts encrypt: 4. seq num: 2. #decapsulated frgs needing reassembly: 0 #send errors: 0.1 host 4.1.5 Type : L2L Rekey : no Role : responder State : MM_ACTIVE Encrypt : 3des Hash : MD5 Auth Lifetime: 86400 : rsa Lifetime Remaining: 86112 ASA1(config)# sh cry ips sa interface: Outside Crypto map tag: CA_VPN.: 10. crypto-map: CA_VPN sa timing: remaining key lifetime (kB/sec): (4373999/3219) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000001F outbound esp sas: spi: 0x13B6803F (330727487) transform: esp-des esp-sha-hmac no compression Page 455 of 1033 .4 Type : L2L Role : responder Rekey : no State : MM_ACTIVE Encrypt : des Hash : SHA Auth Lifetime: 86400 : rsa Lifetime Remaining: 86029 2 IKE Peer: 10.1.4.104.255/0/0) current_peer: 10.4 #pkts encaps: 4.1.1.168.1.255. } slot: 0. Tunnel. #pre-frag failures: 0.4.255.1. #pkts decompressed: 0 #pkts not compressed: 4.CCIE SECURITY v4 Lab Workbook Total IKE SA: 2 1 IKE Peer: 10.10 access-list ACL_CA permit ip host 1.168.1.104. media mtu 1500 current outbound spi: 13B6803F inbound esp sas: spi: 0x21D3F08A (567537802) transform: esp-des esp-sha-hmac no compression in use settings ={L2L.4/255.4 local ident (addr/mask/prot/port): (1.1. conn_id: 36864.255.1.

crypto-map: US_VPN sa timing: remaining key lifetime (kB/sec): (4373999/3300) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000001F outbound esp sas: spi: 0x5FF3F295 (1609822869) transform: esp-3des esp-md5-hmac no compression in use settings ={L2L.CCIE SECURITY v4 Lab Workbook in use settings ={L2L.255.168.1. } slot: 0. conn_id: 40960. } slot: 0.10 access-list ACL_US permit ip host 1. #pkts verify: 4 #pkts compressed: 0. crypto-map: US_VPN sa timing: remaining key lifetime (kB/sec): (4373999/3298) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 ASA1(config)# sh vpn-sessiondb l2l Page 456 of 1033 .5.1.5 path mtu 1500. media mtu 1500 current outbound spi: 5FF3F295 inbound esp sas: spi: 0xF539870C (4114188044) transform: esp-3des esp-md5-hmac no compression in use settings ={L2L. seq num: 1. crypto-map: CA_VPN sa timing: remaining key lifetime (kB/sec): (4373999/3219) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 Crypto map tag: US_VPN.5.1.168.5.105.255/0/0) current_peer: 10. #pkts decrypt: 4.1/255. Tunnel.255/0/0) remote ident (addr/mask/prot/port): (5. #pkts digest: 4 #pkts decaps: 4. #PMTUs rcvd: 0. #pkts decompressed: 0 #pkts not compressed: 4. #pkts encrypt: 4. local addr: 192. Tunnel.255. #fragments created: 0 #PMTUs sent: 0. conn_id: 36864. #pre-frag failures: 0.255. conn_id: 40960.255.1.5/255.105. ipsec overhead 58.1.5 local ident (addr/mask/prot/port): (1. PFS Group 2.5 #pkts encaps: 4. #decapsulated frgs needing reassembly: 0 #send errors: 0. #pkts comp failed: 0. PFS Group 2.1. #pkts decomp failed: 0 #pre-frag successes: 0. remote crypto endpt.1 host 5. #recv errors: 0 local crypto endpt.: 10.5. } slot: 0.10.1.1.: 192. PFS Group 2. Tunnel.

Session Type: LAN-to-LAN

Connection : CA_VPN
Index      : 9                      IP Addr    : 4.4.4.4
Protocol   : IKE IPsec
Encryption : DES                    Hashing    : SHA1
Bytes Tx   : 400                    Bytes Rx   : 400
Login Time : 03:43:19 UTC Fri Jul 23 2010
Duration   : 0h:06m:34s

Connection : US_VPN
Index      : 10                     IP Addr    : 5.5.5.5
Protocol   : IKE IPsec
Encryption : 3DES                   Hashing    : MD5
Bytes Tx   : 400                    Bytes Rx   : 400
Login Time : 03:44:42 UTC Fri Jul 23 2010
Duration   : 0h:05m:11s

Verification (detailed)

ASA1(config)# deb cry isak 20
ASA1(config)#
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Oakley proposal is acceptable
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received NAT-Traversal ver 02 VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received NAT-Traversal ver 03 VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received NAT-Traversal RFC VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing IKE SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing ISAKMP SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing NAT-Traversal VID ver 02 payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing Fragmentation VID + extended capabilities payload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 308
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing ISA_KE payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing cert request payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received xauth V6 VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received DPD VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f6f)
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing certreq payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing Cisco Unity VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing xauth V6 VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Send IOS VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Generating keys for Responder...
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 328
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + NOTIFY (11) + NONE (0) total length : 766
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing ID payload
Jul 23 03:43:19 [IKEv1 DECODE]: IP = 10.1.104.4, ID_FQDN ID received, len 24
0000: 52342E4D 6963726F 6E696373 54726169    R4.MicronicsTrai
0010: 6E696E67 2E636F6D                      ning.com

Note that an ID of type ID_FQDN has been received by the ASA. The FQDN is taken from the certificate used for peer authentication, which is why the tunnel-group can later be selected from certificate fields rather than from the peer's IP address.

Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing cert payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing RSA signature
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Computing hash for ISAKMP
Jul 23 03:43:19 [IKEv1 DECODE]: Dump of received Signature, len 128:
0000: 31F1AF7C 7B266908 92DFF3AB C547EEAE    1..|{&i......G..
0010: AF8853FF F4082F91 2D78869C A38BBF41    ..S.../.-x.....A
0020: 63185454 A7E6B250 00BFBF6A 36F1EACD    c.TT...P...j6...
0030: 849CA235 908F61FA EC4D8BBE 0D7ADBBA    ...5..a..M...z..
0040: 0A83E023 7E22EEB6 677034C2 D17E04ED    ...#~"..gp4..~..
0050: 97621F26 13A12C1C 1497D0B9 2AE52E03    .b.&..,.....*...
0060: 7C0F8A22 F4E43654 60CDD30A D16BD027    |.."..6T`....k.'
0070: A85A1EEE 216F86A9 1CDF4EFA 81FE317C    .Z..!o....N...1|
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing notify payload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Trying to find group via cert rules...
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Connection landed on tunnel_group CA_VPN

The tunnel-group-map has assigned the connection to the configured tunnel-group. This assignment is based on the certificate-map, which examines the field values of the peer's certificate.

Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, peer ID type 2 received (FQDN)
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Peer ID check bypassed
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end is NOT behind a NAT device
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing ID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing cert payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing RSA signature
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Computing hash for ISAKMP
Jul 23 03:43:19 [IKEv1 DECODE]: Constructed Signature Len: 128
Jul 23 03:43:19 [IKEv1 DECODE]: Constructed Signature:
0000: 09458DE0 978EE65F FA3A7075 14E03532    .E....._.:pu..52
0010: 73AD3FFF 2820C912 4EF30FB1 A48A91F7    s.?.( ..N.......
0020: 8D042A8B 884D571C D1FED0FB 53271E43    ..*..MW.....S'.C
0030: 29217A90 C9BDC3E3 BAE510EE 9CCEA703    )!z.............
0040: 673D0A25 DCE4A48E FF73B4A4 8C0B963F    g=.%.....s.....?
0050: 389C842A 83C2ADB4 1153CACC E3E246C8    8..*.....S....F.
0060: 532B7B90 4F67F6F4 3C954E8E 2D9E0B66    S+{.Og..<.N.-..f
0070: A5A94979 99F6B8FE 4920B5DA 0C95A677    ..Iy....I .....w
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing dpd vid payload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 818
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, PHASE 1 COMPLETED
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Keep-alive type for this connection: DPD
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Starting P1 rekey timer: 64800 seconds.

Phase 1 is complete; Quick Mode (Phase 2) begins.

Jul 23 03:43:19 [IKEv1 DECODE]: IP = 10.1.104.4, IKE Responder starting QM: msg id = 9b5f88d8
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 296
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing hash payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ISA_KE for PFS in phase 2
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ID payload
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, ID_IPV4_ADDR ID received 4.4.4.4
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Received remote Proxy Host data in ID Payload:  Address 4.4.4.4, Protocol 0, Port 0
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ID payload
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, ID_IPV4_ADDR ID received 1.1.1.1
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Received local Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0

The local and remote proxies presented by the remote peer match the locally configured proxies (ACL_CA: 1.1.1.1 to 4.4.4.4). Note that PFS is requested (ISA_KE in Phase 2), so the KE payload carries a fresh Diffie-Hellman exchange.

Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, QM IsRekeyed old sa not found by addr
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, IKE Remote Peer configured for crypto map: CA_VPN
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing IPSec SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 2
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IKE: requesting SPI!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IKE got SPI from key engine: SPI = 0x21d3f08a
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, oakley constucting quick mode
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing blank hash payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing IPSec SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing IPSec nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing pfs ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing proxy ID
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, Transmitting Proxy Id:
  Remote host: 4.4.4.4  Protocol 0  Port 0
  Local host: 1.1.1.1  Protocol 0  Port 0

The ASA has presented its own proxy identities to the remote peer (R4). The "Mismatch: P1 Authentication algorithm" line is informational here; the negotiation continues to PHASE 2 COMPLETED below.

Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing qm hash payload
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, IKE Responder sending 2nd QM pkt: msg id = 9b5f88d8
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=9b5f88d8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 296
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing hash payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, loading all IPSEC SAs
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Generating Quick Mode Key!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, NP encrypt rule look up for crypto map CA_VPN 2 matching ACL ACL_CA: returned cs_id=d7beba18; rule=d7bef8f8
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Generating Quick Mode Key!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, NP encrypt rule look up for crypto map CA_VPN 2 matching ACL ACL_CA: returned cs_id=d7beba18; rule=d7bef8f8
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Security negotiation complete for LAN-to-LAN Group (CA_VPN)  Responder, Inbound SPI = 0x21d3f08a, Outbound SPI = 0x13b6803f
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IKE got a KEY_ADD msg for SA: SPI = 0x13b6803f
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Pitcher: received KEY_UPDATE, spi 0x21d3f08a
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Starting P2 rekey timer: 3420 seconds.
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, PHASE 2 COMPLETED (msgid=9b5f88d8)
ASA1(config)# un all
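The trace above is long, and the facts that matter for troubleshooting (which peer, which ID type, which tunnel-group, the Quick Mode proxies each side offered, the SPIs, and whether both phases completed) are scattered over a hundred lines. The following script is an added example, not workbook or Cisco code: it pulls those facts out of an ASA `debug crypto isakmp` trace and flags the case where the proxies the ASA transmitted differ from the ones the peer offered, which is how a crypto-ACL mismatch shows up in this kind of trace. The sample trace embedded in it is constructed from the lines above with most DEBUG chatter removed; the function and field names are the example's own.

```python
"""Summarise an ASA 'debug crypto isakmp' (IKEv1) trace.

Added example, not from the workbook. It extracts the peer, the ID type it
presented, the tunnel-group the connection landed on, the Quick Mode proxy IDs
received and transmitted, the negotiated SPIs, and whether Phase 1 and Phase 2
completed, then checks that the transmitted proxies mirror the received ones.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the trace above with most DEBUG chatter cut.
SAMPLE = """\
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 164
Jul 23 03:43:19 [IKEv1 DECODE]: IP = 10.1.104.4, ID_FQDN ID received, len 24
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Trying to find group via cert rules...
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Connection landed on tunnel_group CA_VPN
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, PHASE 1 COMPLETED
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Received remote Proxy Host data in ID Payload:  Address 4.4.4.4, Protocol 0, Port 0
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Received local Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, Transmitting Proxy Id:
  Remote host: 4.4.4.4  Protocol 0  Port 0
  Local host: 1.1.1.1  Protocol 0  Port 0
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Security negotiation complete for LAN-to-LAN Group (CA_VPN)  Responder, Inbound SPI = 0x21d3f08a, Outbound SPI = 0x13b6803f
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, PHASE 2 COMPLETED (msgid=9b5f88d8)
"""


@dataclass
class IkeSummary:
    peer: Optional[str] = None
    peer_id_type: Optional[str] = None
    tunnel_group: Optional[str] = None
    received: dict = field(default_factory=dict)     # {"local": addr, "remote": addr}
    transmitted: dict = field(default_factory=dict)  # {"local": addr, "remote": addr}
    inbound_spi: Optional[int] = None
    outbound_spi: Optional[int] = None
    phase1: bool = False
    phase2: bool = False
    messages: list = field(default_factory=list)     # (direction, msgid, payloads)


PEER = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
ID_TYPE = re.compile(r"\b(ID_\w+) ID received")
GROUP = re.compile(r"Connection landed on tunnel_group (\S+)")
RECV_PROXY = re.compile(r"Received (local|remote) Proxy Host data in ID Payload:\s+Address (\S+),")
TX_PROXY = re.compile(r"^\s*(Remote|Local) host:\s+(\S+)", re.M)
SPIS = re.compile(r"Inbound SPI = 0x([0-9a-fA-F]+), Outbound SPI = 0x([0-9a-fA-F]+)")
MSG = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=(\w+)\) with payloads : (.+?) total length")


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def summarise(text: str) -> IkeSummary:
    """Build an IkeSummary from the raw debug text (one peer per trace assumed)."""
    s = IkeSummary()
    s.messages = [(m.group(1), m.group(2), m.group(3).strip()) for m in MSG.finditer(text)]
    s.peer = _first(PEER, text)
    s.peer_id_type = _first(ID_TYPE, text)          # the Phase 1 ID, e.g. ID_FQDN
    s.tunnel_group = _first(GROUP, text)
    for m in RECV_PROXY.finditer(text):
        s.received[m.group(1)] = m.group(2)
    for m in TX_PROXY.finditer(text):
        s.transmitted[m.group(1).lower()] = m.group(2)
    m = SPIS.search(text)
    if m:
        s.inbound_spi, s.outbound_spi = int(m.group(1), 16), int(m.group(2), 16)
    s.phase1 = "PHASE 1 COMPLETED" in text
    s.phase2 = "PHASE 2 COMPLETED" in text
    return s


def proxies_consistent(s: IkeSummary) -> bool:
    """True when the proxies the ASA sent back equal the ones the peer offered."""
    return bool(s.received) and s.received == s.transmitted


if __name__ == "__main__":
    summary = summarise(SAMPLE)
    print(summary)
    print("proxies consistent:", proxies_consistent(summary))
```

Run it against the output of `debug crypto isakmp` captured to a file; when `proxies_consistent` is false, compare the printed `received` and `transmitted` addresses with the crypto ACL on each side before looking anywhere else.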

Lab 1.44. Site-to-Site IPSec VPN using PSK (IOS-ASA Hairpinning)

This lab is based on the previous lab configuration. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup
 - R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
 - R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
 - R2's G0/1 and ASA2's E0/0 interface should be configured in VLAN 122
 - R4's F0/0 and ASA2's E0/2 interface should be configured in VLAN 104
 - R5's F0/0 and ASA2's E0/1 interface should be configured in VLAN 105
 - Configure Telnet on all routers using password "cisco"
 - Configure default routing on R1, R4 and R5 pointing to the respective ASA's interface
 - Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing

Device   Interface / ifname / sec level       IP address
R1       Lo0                                  1.1.1.1/24
         F0/0                                 10.1.101.1/24
R2       G0/0                                 192.168.1.2/24
         G0/1                                 192.168.2.2/24
R4       Lo0                                  4.4.4.4/24
         F0/0                                 10.1.104.4/24
R5       Lo0                                  5.5.5.5/24
         F0/0                                 10.1.105.5/24
ASA1     E0/0, Outside, Security 0            192.168.1.10/24
         E0/1, Inside, Security 100           10.1.101.10/24
ASA2     E0/0, Outside, Security 0            192.168.2.10/24
         E0/1, Inside_US, Security 100        10.1.105.10/24
         E0/2, Inside_CA, Security 100        10.1.104.10/24

Task 1

The company's headquarters, in the US, consists of ASA1 and R1. The company has two branch offices: one in the US (R5) and one in Canada (R4). All routers have static IP addresses. Configure the following site-to-site IPsec tunnels:

Tunnel Endpoint   SRC Network   DST Network   ISAKMP Policy          IPSec Policy
R5 – ASA1         5.5.5.5       1.1.1.1       Authentication: PSK    Encryption: ESP/3DES
                                              Encryption: 3DES       Authentication: ESP/MD5
                                              Group: 2
                                              Hash: MD5
                                              Key: R5-ASA
R4 – ASA1         4.4.4.4       1.1.1.1       Authentication: PSK    Encryption: ESP/DES
                                              Encryption: DES        Authentication: ESP/SHA
                                              Group: 2
                                              Hash: SHA
                                              Key: R4-ASA

Configure the IPsec tunnels above and ensure that the branch networks can communicate with each other through the headquarters hub device.

Configuration

Complete these steps:

Step 1 ASA1 configuration.

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 5
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption 3des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# tunnel-group 10.1.105.5 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.105.5 ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key R5-ASA
ASA1(config-tunnel-ipsec)# exi
ASA1(config)# tunnel-group 10.1.104.4 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.104.4 ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key R4-ASA
ASA1(config-tunnel-ipsec)# exi
ASA1(config)# access-list CRYPTO-ACL-R5 extended permit ip host 1.1.1.1 host 5.5.5.5
ASA1(config)# access-list CRYPTO-ACL-R5 extended permit ip host 4.4.4.4 host 5.5.5.5

ASA1(config)# access-list CRYPTO-ACL-R4 extended permit ip host 1.1.1.1 host 4.4.4.4
ASA1(config)# access-list CRYPTO-ACL-R4 extended permit ip host 5.5.5.5 host 4.4.4.4

The second ACE in each crypto ACL lets the IPsec-protected addresses of R4 and R5 reach each other through tunnels that are "hairpinned" on ASA1's outside interface: a packet from R4 to R5 is decrypted on Outside and immediately re-encrypted into the R5 tunnel on the same interface. Every ASA ACE must be mirrored (source and destination swapped) by an ACE on the corresponding branch router, otherwise Quick Mode fails on a proxy-identity mismatch.

ASA1(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA1(config)# crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
ASA1(config)# crypto map ENCRYPT_OUT 1 match address CRYPTO-ACL-R5
ASA1(config)# crypto map ENCRYPT_OUT 1 set peer 10.1.105.5
ASA1(config)# crypto map ENCRYPT_OUT 1 set transform-set ESP-3DES-MD5
ASA1(config)# crypto map ENCRYPT_OUT 2 match address CRYPTO-ACL-R4
ASA1(config)# crypto map ENCRYPT_OUT 2 set peer 10.1.104.4
ASA1(config)# crypto map ENCRYPT_OUT 2 set transform-set ESP-DES-SHA
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1 1
ASA1(config)# same-security-traffic permit intra-interface

The last command enables routing traffic in and out of the same interface. Without it the ASA drops the decrypted R4-to-R5 packets instead of sending them back out of Outside.

Step 2 R5 configuration.

R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#hash md5
R5(config-isakmp)#authentication pre-share
R5(config-isakmp)#group 2
R5(config-isakmp)#crypto isakmp key R5-ASA address 192.168.1.10
R5(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R5(cfg-crypto-trans)#exi
R5(config)#access-list 120 permit ip host 5.5.5.5 host 1.1.1.1
R5(config)#access-list 120 permit ip host 5.5.5.5 host 4.4.4.4
R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R5(config-crypto-map)#set peer 192.168.1.10
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#exi
R5(config)#int f0/0
R5(config-if)#crypto map ENCRYPT
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi

Step 3 R4 configuration.

R4(config)#crypto isakmp policy 30
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#crypto isakmp key R4-ASA address 192.168.1.10
R4(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 1.1.1.1
R4(config)#access-list 120 permit ip host 4.4.4.4 host 5.5.5.5
R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R4(config-crypto-map)# set peer 192.168.1.10
R4(config-crypto-map)# set transform-set TSET
R4(config-crypto-map)# match address 120
R4(config-crypto-map)#exi
R4(config)#int f0/0
R4(config-if)# crypto map ENCRYPT

Policy 30 on R4 sets no encryption or hash, so the IOS defaults (DES and SHA) apply, which is exactly what ASA1's policy 10 expects.

Step 4 ASA2 configuration.

ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config)# access-list OUTSIDE_IN permit udp host 192.168.1.10 eq 500 host 10.1.104.4 eq 500
ASA2(config)# access-list OUTSIDE_IN permit udp host 192.168.1.10 eq 500 host 10.1.105.5 eq 500
ASA2(config)# access-group OUTSIDE_IN in interface outside

The ACL above allows ASA1 to initiate IKE towards R4 and R5. It is needed because R4 may send traffic to R5 at a moment when no tunnel between R5 and ASA1 exists yet; ASA1 must then be able to bring up the R5 tunnel itself, which means initiating IKE from the outside of ASA2. ESP is not listed in the ACL: the ipsec-pass-thru inspection permits the ESP traffic that belongs to an IKE (UDP/500) connection the ASA has already allowed.
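Steps 1 to 3 build the hub and spoke crypto ACLs by hand, and the only non-obvious part of the hairpin design is the bookkeeping: the hub's ACL for a spoke must cover the HQ host and every other spoke, and each spoke's ACL must be the exact mirror. The script below is an added example, not configuration from the workbook or Cisco code: it generates the hub-side ACL and crypto-map entries for any number of spokes and checks a spoke's ACL against the hub's for unmirrored entries before anything is pasted into a device. The `Ace`, `hub_crypto_acls`, `proxy_mismatches` and `render_hub` names are the example's own; the device names, ACL names and addresses are the lab's.

```python
"""Hub-and-spoke ("hairpin") crypto-ACL generator and proxy-identity checker.

Added example for this lab, not configuration from the workbook. It encodes the
rule applied by hand above: when spokes reach each other through the hub, the
hub's crypto ACL for spoke X must carry one ACE for every (remote host, X host)
pair, including the other spokes, and X's own crypto ACL must be the mirror
image. An ACE present on one side only surfaces later as an IKEv1 Quick Mode
proxy-identity mismatch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit ip host SRC host DST' entry of a crypto ACL."""
    src: str
    dst: str

    def mirror(self) -> "Ace":
        return Ace(self.dst, self.src)

    def asa(self, name: str) -> str:
        return f"access-list {name} extended permit ip host {self.src} host {self.dst}"

    def ios(self, number: int) -> str:
        return f"access-list {number} permit ip host {self.src} host {self.dst}"


def hub_crypto_acls(hq_hosts, spokes):
    """Hub-side crypto ACLs. 'spokes' maps a spoke name to the host it protects."""
    acls = {}
    for name, host in spokes.items():
        aces = [Ace(hq, host) for hq in hq_hosts]
        # Hairpin entries: traffic from every other spoke must also be
        # selected into this spoke's tunnel after the hub has decrypted it.
        aces += [Ace(other, host) for other_name, other in spokes.items()
                 if other_name != name]
        acls[name] = aces
    return acls


def spoke_crypto_acl(spoke_host, hq_hosts, other_spoke_hosts):
    """Spoke-side crypto ACL: the spoke's host to HQ and to every other spoke."""
    return [Ace(spoke_host, h) for h in list(hq_hosts) + list(other_spoke_hosts)]


def proxy_mismatches(hub_aces, spoke_aces):
    """ACEs not mirrored by the other side, as (hub_only, spoke_only)."""
    hub, spoke = set(hub_aces), set(spoke_aces)
    key = lambda a: (a.src, a.dst)
    hub_only = sorted((a for a in hub if a.mirror() not in spoke), key=key)
    spoke_only = sorted((a for a in spoke if a.mirror() not in hub), key=key)
    return hub_only, spoke_only


def render_hub(hq_hosts, spokes, peers, crypto_map="ENCRYPT_OUT"):
    """ASA lines for the hub: ACLs, crypto-map match/peer entries and the
    same-security-traffic command without which the hairpin is dropped.
    'peers' maps a spoke name to its IKE peer address. Transform sets,
    tunnel-groups and the interface binding are left to the steps above."""
    lines = ["same-security-traffic permit intra-interface"]
    for seq, (name, aces) in enumerate(hub_crypto_acls(hq_hosts, spokes).items(), 1):
        acl = f"CRYPTO-ACL-{name}"
        lines += [a.asa(acl) for a in aces]
        lines += [f"crypto map {crypto_map} {seq} match address {acl}",
                  f"crypto map {crypto_map} {seq} set peer {peers[name]}"]
    return lines


if __name__ == "__main__":
    hq = ["1.1.1.1"]
    spokes = {"R5": "5.5.5.5", "R4": "4.4.4.4"}
    peers = {"R5": "10.1.105.5", "R4": "10.1.104.4"}
    print("\n".join(render_hub(hq, spokes, peers)))
    # A spoke whose ACL only covers HQ: the hub's hairpin ACE has no mirror.
    r5_partial = [Ace("5.5.5.5", "1.1.1.1")]
    print(proxy_mismatches(hub_crypto_acls(hq, spokes)["R5"], r5_partial))
```

With three or more spokes the number of hairpin ACEs grows with the square of the spoke count, which is the usual argument for moving such designs to DMVPN or a route-based VTI; for a two-spoke lab the generated output is the ACL and crypto-map block of Step 1.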

10 Engine-id:Conn-id = I-VRF Status Encr Hash Auth DH Lifetime Cap.5.4 Page 467 of 1033 psk 2 23:41:30 .RSA signature renc . round-trip min/avg/max = 4/4/8 ms R4#sh cry isa sa det Codes: C .1. Verification R4#pi 1.5.4 !!!!! Success rate is 100 percent (5/5).5.168.1.4.1. 100-byte ICMP Echos to 1.5 so lo0 Type escape sequence to abort.CCIE SECURITY v4 Lab Workbook ASA1 to R4/R5 because there may be a case where R4 is sending something behind R5 and there is no tunnel between R5 and ASA1 already established. round-trip min/avg/max = 1/3/4 ms R4#pi 5. ACTIVE des sha SW:2 IPv6 Crypto ISAKMP SA R4#sh cry eng conn ac Crypto Engine Connections ID 1002 Type Algorithm IKE SHA+DES Encrypt Decrypt IP-Address 0 0 10.NAT-traversal T .RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote 1002 10. timeout is 2 seconds: Packet sent with a source address of 4.1.5.Dead Peer Detection K . 100-byte ICMP Echos to 5.5. X .4.4.1.Keepalives. rsig . D . N . timeout is 2 seconds: Packet sent with a source address of 4.104.1 so lo0 Type escape sequence to abort.1.4. Sending 5. Sending 5. the ASA1 must be able to establish a tunnel to R5 to handle that traffic. In that case.IKE configuration mode.cTCP encapsulation.1.4 !!!!! Success rate is 100 percent (5/5).1.IKE Extended Authentication psk .Preshared key.4 192.104.

255.168.4. in use settings ={Tunnel.1.4 host 5. ip mtu 1500. R4#sh cry ips sa interface: FastEthernet0/0 Crypto map tag: ENCRYPT. #recv errors 0 local crypto endpt.1 Active SAs: 2.168.4 2005 IPsec DES+SHA 0 5 10. #pkts verify: 5 #pkts compressed: 0. origin: crypto map IPSEC FLOW: permit ip host 4.1.} #pkts encaps: 5. #pkts digest: 5 #pkts decaps: 5.10 port 500 IKE SA: local 10. #pkts decompress failed: 0 #send errors 0. } conn id: 2003.4.: 10. failed: 0 #pkts not decompressed: 0.104. remote crypto endpt.10 port 500 PERMIT. #pkts encrypt: 5.104.104.4/500 remote 192.4.1. ip mtu idb FastEthernet0/0 current outbound spi: 0x880857A4(2282248100) PFS (Y/N): N.255.255.10/500 Active IPSEC FLOW: permit ip host 4. sibling_flags 80000046. #pkts compr.1. #pkts decompressed: 0 #pkts not compressed: 0.4.1.104.104.1.1/255. DH group: none inbound esp sas: spi: 0x55652A60(1432693344) transform: esp-des esp-sha-hmac .5.255/0/0) current_peer 192. origin: crypto map Two active SAs for every IPSec flow mentioned above are visible when cryto sessions have been displayed.104.1.5.1.4 2004 IPsec DES+SHA 5 0 10.1.4.168.1.1.168.4/255. flags={origin_is_acl.4.255/0/0) remote ident (addr/mask/prot/port): (1. crypto map: ENCRYPT sa timing: remaining key lifetime (k/sec): (4607369/2454) Page 468 of 1033 . #pkts decrypt: 5.1.: 192.255.4 host 1.5 Active SAs: 2.1. local addr 10.4 2006 IPsec DES+SHA 19 0 10.4 protected vrf: (none) local ident (addr/mask/prot/port): (4. R4#sh cry sess Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 192.10 path mtu 1500.4 Note that two IPSec SAs (inbound and outbound) have been created for every local-remote proxy pair.1.4.104.CCIE SECURITY v4 Lab Workbook 2003 IPsec DES+SHA 0 5 10.1. flow_id: NETGX:3.

4.168.255.5/255.4/32 and 1.: 192.4. #pkts encrypt: 5. } conn id: 2004.5.1.5. sibling_flags 80000046. flags={origin_is_acl.: 10. failed: 0 #pkts not decompressed: 0. crypto map: ENCRYPT sa timing: remaining key lifetime (k/sec): (4607369/2454) IV size: 8 bytes replay detection support: Y Status: ACTIVE One pair of SAs have been created for 4.CCIE SECURITY v4 Lab Workbook IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x880857A4(2282248100) transform: esp-des esp-sha-hmac .1.4/255.10 port 500 PERMIT. sibling_flags 80000046.4. ip mtu idb FastEthernet0/0 current outbound spi: 0xAFFA8D8D(2952433037) PFS (Y/N): N. #pkts digest: 5 #pkts decaps: 5. #pkts compr.1/32. #pkts verify: 5 #pkts compressed: 0.4. flow_id: NETGX:5.255/0/0) current_peer 192. outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (4. #recv errors 0 local crypto endpt.255. ip mtu 1500. #pkts decompress failed: 0 #send errors 0.1. remote crypto endpt. #pkts decrypt: 5.168. } conn id: 2005.255. flow_id: NETGX:4. DH group: none inbound esp sas: spi: 0xFC97ED38(4237815096) transform: esp-des esp-sha-hmac .4.255. #pkts decompressed: 0 #pkts not compressed: 0.1.} #pkts encaps: 5.104.1.10 path mtu 1500.255/0/0) remote ident (addr/mask/prot/port): (5. in use settings ={Tunnel. in use settings ={Tunnel. crypto map: ENCRYPT sa timing: remaining key lifetime (k/sec): (4587626/2496) IV size: 8 bytes replay detection support: Y Status: ACTIVE Page 469 of 1033 .

CCIE SECURITY v4 Lab Workbook inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xAFFA8D8D(2952433037) transform: esp-des esp-sha-hmac .Keepalives.1.1 Active SAs: 0.105. ACTIVE 3des md5 SW:1 IPv6 Crypto ISAKMP SA R5#sh cry sess Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 192.1. crypto map: ENCRYPT sa timing: remaining key lifetime (k/sec): (4587624/2496) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: The second pair of SAs have been created for 4.1.5. rsig .1.Preshared key.168.5.5. origin: crypto map R5#sh cry ips sa interface: FastEthernet0/0 Page 470 of 1033 psk 2 23:57:07 . origin: crypto map IPSEC FLOW: permit ip host 5.10 port 500 IKE SA: local 10.IKE Extended Authentication psk . sibling_flags 80000046.168.NAT-traversal T .IKE configuration mode.4. R5#sh cry isak sa det Codes: C .4 Active SAs: 2.RSA signature renc .5.RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote 1001 10.5 host 4.4.1.10 Engine-id:Conn-id = I-VRF Status Encr Hash Auth DH Lifetime Cap.5/500 remote 192.4.5 192.4/32 and 5.10/500 Active IPSEC FLOW: permit ip host 5.5/32.5 host 1.Dead Peer Detection K . X .1.168.105.4.5. D . N .cTCP encapsulation. in use settings ={Tunnel.5. flow_id: NETGX:6. } conn id: 2006.1.

#pkts decrypt: 5.255.255.4. #pkts verify: 0 #pkts compressed: 0. DH group: none inbound esp sas: spi: 0xD396C0D5(3549872341) Page 471 of 1033 .168. DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (5.255/0/0) remote ident (addr/mask/prot/port): (4.1. remote crypto endpt.1.255.1.5.5. #pkts decrypt: 0.5. #pkts decompressed: 0 #pkts not compressed: 0.255.5. flags={origin_is_acl.: 10. flags={origin_is_acl.: 192. remote crypto endpt.255.255/0/0) current_peer 192.CCIE SECURITY v4 Lab Workbook Crypto map tag: ENCRYPT. ip mtu idb FastEthernet0/0 current outbound spi: 0x0(0) PFS (Y/N): N. ip mtu idb FastEthernet0/0 current outbound spi: 0x8689FE2F(2257190447) PFS (Y/N): N.1.255/0/0) remote ident (addr/mask/prot/port): (1.5. #pkts compr. ip mtu 1500. #pkts encrypt: 0.1.105.1/255. #pkts decompress failed: 0 #send errors 0.5. #pkts encrypt: 5.10 path mtu 1500.255/0/0) current_peer 192.168.} #pkts encaps: 0.255. #pkts decompressed: 0 #pkts not compressed: 0. #pkts verify: 5 #pkts compressed: 0. ip mtu 1500. #pkts decompress failed: 0 #send errors 0. local addr 10.1.5/255.10 port 500 PERMIT.5 protected vrf: (none) local ident (addr/mask/prot/port): (5.4.105.} #pkts encaps: 5.5/255. #pkts compr.255. #recv errors 0 local crypto endpt.: 10.168.105.10 path mtu 1500.168. failed: 0 #pkts not decompressed: 0.10 port 500 PERMIT.1.4/255. #recv errors 0 local crypto endpt.1.1. #pkts digest: 0  No traffic for that flow yet #pkts decaps: 0. failed: 0 #pkts not decompressed: 0.255.: 192. #pkts digest: 5 #pkts decaps: 5.

sibling_flags 80000046. in use settings ={Tunnel.105.4 Type : L2L Role Rekey : no : responder State : MM_ACTIVE Encrypt : des Hash : SHA Auth Lifetime: 86400 : preshared Lifetime Remaining: 85180 2 IKE Peer: 10.1.CCIE SECURITY v4 Lab Workbook transform: esp-3des esp-md5-hmac .104. flow_id: NETGX:1. in use settings ={Tunnel. sibling_flags 80000046. ASA1(config)# sh cry ips sa interface: Outside Page 472 of 1033 . } conn id: 2002. crypto map: ENCRYPT sa timing: remaining key lifetime (k/sec): (4563711/3425) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: ASA1(config)# sh cry isa sa det Active SA: 2 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 2 1 IKE Peer: 10. crypto map: ENCRYPT sa timing: remaining key lifetime (k/sec): (4563711/3425) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x8689FE2F(2257190447) transform: esp-3des esp-md5-hmac . } conn id: 2001. flow_id: NETGX:2.1.5 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Encrypt : 3des Hash : MD5 Auth Lifetime: 86400 : preshared Lifetime Remaining: 86186 Note that because R4 pinged R5 the ASA1 is an Initiator for the second L2L tunnel.

168.10.1.4 #pkts encaps: 5.104. #pre-frag failures: 0. #pkts decomp failed: 0 #pre-frag successes: 0. Tunnel. } slot: 0.4 local ident (addr/mask/prot/port): (1.168.255/0/0) current_peer: 10.10 access-list CRYPTO-ACL-R4 permit ip host 1.4.4. conn_id: 45056. #pkts encrypt: 5.1.5. #pkts decrypt: 5. #pkts comp failed: 0. local addr: 192.4/255.1.104.255.: 192. crypto-map: ENCRYPT_OUT sa timing: remaining key lifetime (kB/sec): (4373999/2373) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 Crypto map tag: ENCRYPT_OUT. remote crypto endpt.255.5 host 4.4/255. seq num: 2.1. #pkts decompressed: 0 #pkts not compressed: 5. #pkts digest: 5 #pkts decaps: 5. #pkts decompressed: 0 Page 473 of 1033 .1.CCIE SECURITY v4 Lab Workbook Crypto map tag: ENCRYPT_OUT. #pkts encrypt: 5.4.4.168. conn_id: 45056.1.255. ipsec overhead 58. #pkts verify: 5 #pkts compressed: 0.5/255. #pkts decrypt: 5.1/255.4. #recv errors: 0 local crypto endpt.4.255/0/0) remote ident (addr/mask/prot/port): (4.4.: 10. crypto-map: ENCRYPT_OUT sa timing: remaining key lifetime (kB/sec): (4373999/2373) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000003F outbound esp sas: spi: 0x55652A60 (1432693344) transform: esp-des esp-sha-hmac no compression in use settings ={L2L.1.1 host 4. seq num: 2.5.4 local ident (addr/mask/prot/port): (5.255. #PMTUs rcvd: 0.255. local addr: 192. #fragments created: 0 #PMTUs sent: 0. #pkts digest: 5 #pkts decaps: 5. Tunnel.255/0/0) remote ident (addr/mask/prot/port): (4.4 #pkts encaps: 5. #decapsulated frgs needing reassembly: 0 #send errors: 0.4.255.255/0/0) current_peer: 10.1.5. } slot: 0.10 access-list CRYPTO-ACL-R4 permit ip host 5.255.5.4 path mtu 1500.1.104.255.1. media mtu 1500 current outbound spi: 55652A60 inbound esp sas: spi: 0x880857A4 (2282248100) transform: esp-des esp-sha-hmac no compression in use settings ={L2L. #pkts verify: 5 #pkts compressed: 0.

168. #pkts decomp failed: 0 #pre-frag successes: 0.4.255. crypto-map: ENCRYPT_OUT sa timing: remaining key lifetime (kB/sec): (4373999/2411) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 Crypto map tag: ENCRYPT_OUT.5/255. #PMTUs rcvd: 0.255.168. #pkts comp failed: 0. media mtu 1500 current outbound spi: D396C0D5 Page 474 of 1033 .10.1.10 access-list CRYPTO-ACL-R5 permit ip host 4. media mtu 1500 current outbound spi: FC97ED38 inbound esp sas: spi: 0xAFFA8D8D (2952433037) transform: esp-des esp-sha-hmac no compression in use settings ={L2L. Tunnel. local addr: 192. } slot: 0. ipsec overhead 58.255.5.4.4 host 5.: 192. #pkts decrypt: 5.1. #fragments created: 0 #PMTUs sent: 0.255/0/0) current_peer: 10.: 10.CCIE SECURITY v4 Lab Workbook #pkts not compressed: 5.1. #decapsulated frgs needing reassembly: 0 #send errors: 0.4 path mtu 1500. #PMTUs rcvd: 0.168. conn_id: 45056.1. ipsec overhead 58. #pkts encrypt: 5. Tunnel. #pkts decompressed: 0 #pkts not compressed: 5.105. #pre-frag failures: 0. remote crypto endpt.255/0/0) remote ident (addr/mask/prot/port): (5. seq num: 1. #pkts verify: 5 #pkts compressed: 0.10.5.5 local ident (addr/mask/prot/port): (4. #recv errors: 0 local crypto endpt.104.4/255.4. crypto-map: ENCRYPT_OUT sa timing: remaining key lifetime (kB/sec): (4373998/2413) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x000FFFFF outbound esp sas: spi: 0xFC97ED38 (4237815096) transform: esp-des esp-sha-hmac no compression in use settings ={L2L. #fragments created: 0 #PMTUs sent: 0.5.5 #pkts encaps: 5. #pkts decomp failed: 0 #pre-frag successes: 0.: 192.5 path mtu 1500.255. #recv errors: 0 local crypto endpt. #pkts comp failed: 0.4. remote crypto endpt. #pre-frag failures: 0. } slot: 0. #decapsulated frgs needing reassembly: 0 #send errors: 0.1. conn_id: 45056. #pkts digest: 5 #pkts decaps: 5.: 10.5.1.105.

    inbound esp sas:
      spi: 0x8689FE2F (2257190447)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 49152, crypto-map: ENCRYPT_OUT
         sa timing: remaining key lifetime (kB/sec): (4373999/3372)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0xD396C0D5 (3549872341)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 49152, crypto-map: ENCRYPT_OUT
         sa timing: remaining key lifetime (kB/sec): (4373999/3372)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 10.1.104.4
Index        : 11                     IP Addr      : 4.4.4.4
Protocol     : IKE IPsec
Encryption   : DES                    Hashing      : SHA1
Bytes Tx     : 1000                   Bytes Rx     : 2400
Login Time   : 04:12:23 UTC Fri Jul 23 2010
Duration     : 0h:20m:54s

Connection   : 10.1.105.5
Index        : 12                     IP Addr      : 5.5.5.5
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 500                    Bytes Rx     : 500
Login Time   : 04:29:09 UTC Fri Jul 23 2010
Duration     : 0h:04m:08s

Lab 1.45. Site-to-Site IPSec VPN using EasyVPN NEM (IOS-IOS)

This lab is based on the previous labs' configuration. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup
• R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
• R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
• R2’s G0/1 and ASA2’s E0/0 interface should be configured in VLAN 122
• R4’s F0/0 and ASA2’s E0/2 interface should be configured in VLAN 104
• R5’s F0/0 and ASA2’s E0/1 interface should be configured in VLAN 105
• Configure Telnet on all routers using password “cisco”

• Configure default routing on R1, R4 and R5 pointing to the respective ASA’s interface
• Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing
Device   Interface / ifname / sec level     IP address
R1       Lo0                                1.1.1.1/24
         F0/0                               10.1.101.1/24
R2       G0/0                               192.168.1.2/24
         G0/1                               192.168.2.2/24
R4       Lo0                                4.4.4.4/24
         F0/0                               10.1.104.4/24
R5       Lo0                                5.5.5.5/24
         F0/0                               10.1.105.5/24
ASA1     E0/0, Outside, Security 0          192.168.1.10/24
         E0/1, Inside, Security 100         10.1.101.10/24
         E0/2, Inside_CA, Security 100
ASA2     E0/0, Outside, Security 0          192.168.2.10/24
         E0/1, Inside_US, Security 100      10.1.105.10/24
         E0/2, Inside, Security 100         10.1.104.10/24

Task 1
Configure an IPSec VPN tunnel between the branch routers with the following parameters:

Tunnel Endpoint   SRC Network   DST Network   ISAKMP Policy          IPSec Policy
R5 – R4           5.5.5.5       4.4.4.4       Authentication: PSK    Encryption: ESP/3DES
                                              Encryption: 3DES       Authentication: ESP/SHA
                                              Group: 2
                                              Hash: SHA

Use Easy VPN to configure the tunnel in network extension mode. Router R5 should act as EasyVPN Remote and router R4 should be the EasyVPN Server. Use the group name “BRANCH_US” with the password “cisco123”. Configure a new user name of

“easy” with password “vpn123” in R4’s local database and use it for extended authentication.

Configuration
Complete these steps:

Step 1 R4 configuration.

R4(config)#username easy password vpn123
R4(config)#aaa new-model
R4(config)#aaa authentication login USER-AUTH local
R4(config)#aaa authorization network GR-AUTH local
AAA must be enabled on the router because the EasyVPN feature may use an additional peer authentication named “XAUTH” (Extended Authentication). The authorization list (network) specifies where the session parameters that are to be pushed to a client are stored.

R4(config)#crypto isakmp policy 3
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp client configuration group BRANCH_US
R4(config-isakmp-group)# key cisco123
R4(config-isakmp-group)#exit
This configuration item specifies the parameters that are pushed to the client during “Config Mode”. Config Mode (often called IKE Phase 1.5) is a special stage of IKE during which the client requests configuration parameters for the session that is being negotiated. The EasyVPN Server pushes these parameters to the EasyVPN client.

R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#crypto dynamic-map DYN-CMAP 10
R4(config-crypto-map)# set transform-set TSET
R4(config-crypto-map)#exit
The peer IP address and other IPSec parameters are unknown at the moment of crypto map configuration. A dynamic crypto map allows the proper values to be negotiated during tunnel

establishment.

R4(config)#crypto map EASY-VPN client authentication list USER-AUTH
R4(config)#crypto map EASY-VPN isakmp authorization list GR-AUTH
R4(config)#crypto map EASY-VPN 10 ipsec-isakmp dynamic DYN-CMAP
R4(config)#interface f0/0
R4(config-if)# crypto map EASY-VPN
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 2 R5 configuration.

R5(config)#crypto ipsec client ezvpn EZ
R5(config-crypto-ezvpn)# connect auto
The connection will be initiated automatically.
R5(config-crypto-ezvpn)# group BRANCH_US key cisco123
EasyVPN group authentication; it is similar to peer authentication in L2L tunnel negotiations. This is a device authentication.
R5(config-crypto-ezvpn)# mode network-extension
NEM (Network Extension Mode) enables the EasyVPN client to preserve its IP address as the tunnel endpoint. The traffic initiated from the client inside network is not NATed, so the networks behind the EasyVPN server can connect to this network.
R5(config-crypto-ezvpn)# peer 10.1.104.4
EasyVPN Server IP address.
R5(config-crypto-ezvpn)# xauth userid mode interactive
Interactive entry of the user credentials that will be used during Extended Authentication (XAUTH). These credentials have to be entered during every IKE negotiation. Storing the credentials in the EasyVPN client configuration has to be explicitly enabled in the EasyVPN Server configuration (save-password command in the group configuration).
R5(config-crypto-ezvpn)#exi
R5(config)#int lo0
R5(config-if)# crypto ipsec client ezvpn EZ inside

R5(config-if)#exit
R5(config)#int f0/0
R5(config-if)# crypto ipsec client ezvpn EZ outside
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
These commands define the inside and outside interfaces of the EasyVPN Client. The outside interface is used for IPSec tunnel termination. The client informs the server about its inside networks. These networks may be injected into the server’s routing table when the reverse route feature is enabled.

After a while the following error message appears on R5.
%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) Client_public_addr=10.1.105.5 User= Group=BRANCH_US Server_public_addr=10.1.104.4

Step 3 ASA2 configuration.

ASA2(config)# same-security-traffic permit inter-interface
Since the IPSec tunnel needs to be established between two peers that are on different ASA interfaces with the same security level of 100, this must be explicitly allowed on the ASA.

Step 4 R5 configuration.

R5#
EZVPN(EZ): Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth

R5#crypto ipsec client ezvpn xauth
Username: easy
Password:
R5#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) Client_public_addr=10.1.105.5 User= Group=BRANCH_US Server_public_addr=10.1.104.4 NEM_Remote_Subnets=5.5.5.0/255.255.255.0
The user name and the password have been provided for XAUTH. Note that the EasyVPN connection is up.

Verification

R5#ping 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
The connection is established. R5 is able to ping R4’s loopback through the IPSec tunnel.

R5#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Current EzVPN Peer: 10.1.104.4
EasyVPN session status. Note that saving the XAUTH password is disabled (this is the default setting).

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.1.105.5      10.1.104.4             ACTIVE 3des sha       2  23:59:10 CX
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.105.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer 10.1.104.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.105.5, remote crypto endpt.: 10.1.104.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB33E0E9(187949289)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x428A6416(1116365846)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4603441/3543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB33E0E9(187949289)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4603441/3543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Note that the remote proxy identity is 0.0.0.0/0, which means “any”. By default EasyVPN does not allow the client to transmit unencrypted traffic outside the established IPSec tunnel. This may be changed when the split-tunnel feature is enabled on the EasyVPN server.

R4#pi 5.5.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Note that the inside network of the client is accessible from the server’s inside network. This is an advantage of network-extension mode. When “client mode” is used, accessing the client’s inside network is not feasible because PAT is enabled on the IPSec tunnel endpoint and translates the client inside network.

R4#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.1.104.4      10.1.105.5             ACTIVE 3des sha       2  23:58:35 CX
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: EASY-VPN, local addr 10.1.104.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
   current_peer 10.1.105.5 port 500
     PERMIT, flags={}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.104.4, remote crypto endpt.: 10.1.105.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x428A6416(1116365846)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xB33E0E9(187949289)

R4#sh crypto map
Crypto Map "EASY-VPN" 10 ipsec-isakmp
        Dynamic map template tag: DYN-CMAP

Crypto Map "EASY-VPN" 65536 ipsec-isakmp
        Peer = 10.1.105.5
        Extended IP access list
            access-list  permit ip any 5.5.5.0 0.0.0.255
            dynamic (created from dynamic map DYN-CMAP/10)
        Current peer: 10.1.105.5
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TSET:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map EASY-VPN:
                FastEthernet0/0
Note that the definition of interesting traffic has been created dynamically by the dynamic crypto map. Information about the client’s inside networks is passed to the server during IKE negotiation.
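The verification above reads the IPSec SA counters, proxy identities and transforms by eye. The following Python script, which is an added example and not part of the workbook, parses the same "show crypto ipsec sa" format into a structure and applies a few health checks a practitioner would want when reviewing a tunnel: both SA directions present, traffic flowing in both directions, no send/receive errors, a remote proxy of 0.0.0.0/0 (the "everything is tunnelled" case discussed above) and legacy transforms such as esp-des or esp-md5-hmac (as seen in the L2L output at the start of this section). The two sample outputs are constructed for the example and deliberately abridged; the ASA-format sample has its decaps and error counters altered so that the checks have something to report.

```python
"""Parse IOS/ASA "show crypto ipsec sa" output and apply simple health checks."""
import re
from dataclasses import dataclass, field

# Constructed sample in the IOS shape of the R5 verification above (abridged).
IOS_SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.105.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.104.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x428A6416(1116365846)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE

     outbound esp sas:
      spi: 0xB33E0E9(187949289)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

# Constructed sample in the ASA shape (abridged; decaps/recv counters altered on purpose).
ASA_SAMPLE = """\
    Crypto map tag: ENCRYPT_OUT, seq num: 2, local addr: 192.168.1.10

      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
      current_peer: 10.1.104.4

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 3

    inbound esp sas:
      spi: 0x880857A4 (2282248100)
         transform: esp-des esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x55652A60 (1432693344)
         transform: esp-des esp-sha-hmac no compression
"""

LEGACY_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}


@dataclass
class Sa:
    direction: str
    spi: str
    transform: str = ""
    status: str = ""


@dataclass
class IpsecEntry:
    crypto_map: str = ""
    local_net: str = ""
    remote_net: str = ""
    peer: str = ""
    counters: dict = field(default_factory=dict)
    sas: list = field(default_factory=list)


def parse_ipsec_sa(text):
    """One IpsecEntry per proxy-identity pair; a 'local ident' line starts a new entry."""
    entries, cur, cmap, direction, sa = [], None, "", "", None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Crypto map tag: ([^,]+)", line)
        if m:
            cmap = m.group(1)
            continue
        m = re.match(r"local\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", line)
        if m:
            cur = IpsecEntry(crypto_map=cmap, local_net=f"{m.group(1)}/{m.group(2)}")
            entries.append(cur)
            direction, sa = "", None
            continue
        if cur is None:
            continue
        m = re.match(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", line)
        if m:
            cur.remote_net = f"{m.group(1)}/{m.group(2)}"
            continue
        m = re.match(r"current_peer:? ([\d.]+)", line)
        if m:
            cur.peer = m.group(1)
            continue
        # Counter lines hold several "#pkts x: n" pairs; IOS writes "#send errors 0", ASA "#send errors: 0".
        for key, val in re.findall(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)", line):
            cur.counters[key] = int(val)
        for key, val in re.findall(r"#(send|recv) errors:? (\d+)", line):
            cur.counters[key + "_errors"] = int(val)
        m = re.match(r"(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", line)
        if m and direction:
            sa = Sa(direction, m.group(1).upper())
            cur.sas.append(sa)
            continue
        m = re.match(r"transform: (.+?)\s*,?$", line)  # IOS ends the line with " ,"
        if m and sa:
            sa.transform = m.group(1)
            continue
        m = re.match(r"Status: (\w+)", line)
        if m and sa:
            sa.status = m.group(1)
    return entries


def assess(entry):
    """Return human-readable findings for one entry; an empty list means it looks healthy."""
    findings, c = [], entry.counters
    if entry.remote_net.startswith("0.0.0.0/0.0.0.0"):
        findings.append("remote proxy is any: all client traffic is tunnelled (no split tunnel)")
    if c.get("encaps", 0) == 0 or c.get("decaps", 0) == 0:
        findings.append(f"one-way or no traffic: encaps={c.get('encaps', 0)} decaps={c.get('decaps', 0)}")
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        findings.append(f"errors present: send={c.get('send_errors', 0)} recv={c.get('recv_errors', 0)}")
    if {s.direction for s in entry.sas} != {"inbound", "outbound"}:
        findings.append("SA pair incomplete: expected one inbound and one outbound ESP SA")
    for sa in entry.sas:
        legacy = sorted(LEGACY_TRANSFORMS.intersection(sa.transform.split()))
        if legacy:
            findings.append(f"{sa.direction} SA 0x{sa.spi} uses legacy transform(s): {', '.join(legacy)}")
        if sa.status and sa.status != "ACTIVE":
            findings.append(f"{sa.direction} SA 0x{sa.spi} status {sa.status}")
    return findings


if __name__ == "__main__":
    for sample in (IOS_SAMPLE, ASA_SAMPLE):
        for e in parse_ipsec_sa(sample):
            print(f"{e.crypto_map}: {e.local_net} -> {e.remote_net} via {e.peer}")
            for finding in assess(e) or ["ok"]:
                print("  -", finding)
```

The parser keys on the lines both platforms share (proxy identities, peer, counters, SPI, transform), so the same code reads the router output of this lab and the ASA output shown earlier in this section; platform-specific lines such as "flow_id" or "Anti replay bitmap" are simply ignored.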

Lab 1.46. Site-to-Site IPSec VPN using EasyVPN NEM (IOS-ASA)

This lab is based on the previous labs' configuration. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup
• R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
• R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
• R2’s G0/1 and ASA2’s E0/0 interface should be configured in VLAN 122
• R4’s F0/0 and ASA2’s E0/2 interface should be configured in VLAN 104
• R5’s F0/0 and ASA2’s E0/1 interface should be configured in VLAN 105
• Configure Telnet on all routers using password “cisco”

• Configure default routing on R1, R4 and R5 pointing to the respective ASA’s interface
• Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing
Device   Interface / ifname / sec level     IP address
R1       Lo0                                1.1.1.1/24
         F0/0                               10.1.101.1/24
R2       G0/0                               192.168.1.2/24
         G0/1                               192.168.2.2/24
R4       Lo0                                4.4.4.4/24
         F0/0                               10.1.104.4/24
R5       Lo0                                5.5.5.5/24
         F0/0                               10.1.105.5/24
ASA1     E0/0, Outside, Security 0          192.168.1.10/24
         E0/1, Inside, Security 100         10.1.101.10/24
         E0/2, Inside_CA, Security 100
ASA2     E0/0, Outside, Security 0          192.168.2.10/24
         E0/1, Inside_US, Security 100      10.1.105.10/24
         E0/2, Inside, Security 100         10.1.104.10/24

Task 1
Configure an IPSec VPN tunnel between ASA1 and R5/R4 with the following parameters:

Tunnel Endpoint   SRC Network   DST Network   ISAKMP Policy          IPSec Policy
ASA1 – R5/R4      1.1.1.1       5.5.5.5       Authentication: PSK    Encryption: ESP/3DES
                                4.4.4.4       Encryption: 3DES       Authentication: ESP/SHA
                                              Group: 2
                                              Hash: SHA

Use Easy VPN to configure the tunnel in network extension mode. R5 should act as EasyVPN Remote and ASA1 should be the EasyVPN Server. Use the group name “BRANCHES” with the password “cisco123”.

Do not use extended authentication; the branch routers should connect using only group credentials. Ensure that the branch routers will tunnel only traffic destined to the network 1.1.1.0/24.

Configuration
Complete these steps:

Step 1 ASA1 configuration.

ASA1(config)# access-list EZVPN-TRAFFIC permit ip host 1.1.1.1 host 4.4.4.4
ASA1(config)# access-list EZVPN-TRAFFIC permit ip host 1.1.1.1 host 5.5.5.5
ASA1(config)# access-list ST standard permit 1.1.1.0 255.255.255.0
ASA1(config)# group-policy EZ-POLICY internal
The group-policy contains parameters that are pushed down to the client, or requirements that the client has to fulfil before the IPSec session is established. Note that the group-policy definition is based on Attribute-Value pairs. Note that this is an internally configured group-policy; group-policies may also be provided from an ACS Server.
ASA1(config)# group-policy EZ-POLICY attributes
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value ST
ASA1(config-group-policy)# nem enable
Network Extension Mode has been enabled. This policy also includes the definition of split tunneling. This feature enables the server to define exceptions to the default rule that enforces full traffic encryption between the client and the server. The traffic is defined by an ACL which is tied to the group-policy with the “split-tunnel-network-list” command. “split-tunnel-policy” defines the policy applied to the traffic chosen by the split-tunnel ACL: the traffic is encrypted if “tunnelspecified” is enabled, or the traffic is excluded from encryption if “excludespecified” is enabled. A “tunnelall” option may also be used, but encryption of all traffic is the default. Note that from the client’s perspective the network defined by the split-tunnel ACL in fact defines the destination of the traffic rather than the source.
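The split-tunnel semantics described above are easy to get backwards: the standard ACL is matched against the destination of the client's packets, and the three policy values interpret a match in three different ways. The following Python model, which is an added example and not part of the workbook or of the ASA, parses the relevant group-policy and ACL lines from a constructed configuration excerpt and answers "is a packet to this destination encrypted?" for each policy value. The FULL-TUNNEL group-policy in the excerpt is invented to show the ASA default (tunnelall) when no split-tunnel-policy is configured.

```python
"""Model ASA split-tunnel policy evaluation from the EasyVPN client's point of view."""
import ipaddress
import re

# Constructed excerpt of the ASA1 configuration from this lab (split-tunnel related lines only);
# the FULL-TUNNEL group-policy is invented to show the default behaviour.
ASA_CONFIG = """\
access-list ST standard permit 1.1.1.0 255.255.255.0
group-policy EZ-POLICY internal
group-policy EZ-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST
 nem enable
group-policy FULL-TUNNEL internal
group-policy FULL-TUNNEL attributes
 nem enable
"""

# Standard ACL forms: "permit any", "permit host A.B.C.D", "permit A.B.C.D MASK".
ACL_RE = re.compile(r"access-list (\S+) standard permit (?:(any)|(?:host )?([\d.]+)(?: ([\d.]+))?)$")


def parse_split_tunnel(config):
    """Return {group-policy: (split-tunnel-policy, [networks])}.

    The ASA default is tunnelall, so a group-policy without split-tunnel-policy tunnels everything."""
    acls, policies, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, any_kw, addr, mask = m.groups()
            cidr = "0.0.0.0/0" if any_kw else f"{addr}/{mask or '255.255.255.255'}"
            acls.setdefault(name, []).append(ipaddress.ip_network(cidr, strict=False))
            continue
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {"policy": "tunnelall", "acl": None})
            continue
        if current is None:
            continue
        m = re.match(r"split-tunnel-policy (tunnelall|tunnelspecified|excludespecified)$", line)
        if m:
            policies[current]["policy"] = m.group(1)
            continue
        m = re.match(r"split-tunnel-network-list value (\S+)$", line)
        if m:
            policies[current]["acl"] = m.group(1)
    return {gp: (v["policy"], acls.get(v["acl"], [])) for gp, v in policies.items()}


def is_tunnelled(policy, networks, dst):
    """True if a packet the client sends to dst is encrypted into the IPSec tunnel.

    The split-tunnel ACL is matched against the packet's destination, as the lab text notes."""
    matched = any(ipaddress.ip_address(dst) in net for net in networks)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return matched
    if policy == "excludespecified":
        return not matched
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def decision_table(config, group_policy, destinations):
    """Map each destination to the tunnel/clear decision under the named group-policy."""
    policy, nets = parse_split_tunnel(config)[group_policy]
    return {d: is_tunnelled(policy, nets, d) for d in destinations}


if __name__ == "__main__":
    for gp in ("EZ-POLICY", "FULL-TUNNEL"):
        print(gp, decision_table(ASA_CONFIG, gp, ["1.1.1.1", "4.4.4.4", "8.8.8.8"]))
```

Comparing the networks returned by parse_split_tunnel with the "Split Tunnel List" that "show crypto ipsec client ezvpn" prints on the router is a quick way to confirm that the client received the policy the server intended.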

ASA1(config-group-policy)# exit
ASA1(config)# isakmp enable Outside
ASA1(config)# crypto isakmp policy 1 authentication pre-share
ASA1(config)# crypto isakmp policy 1 encryption 3des
ASA1(config)# crypto isakmp policy 1 hash sha
ASA1(config)# crypto isakmp policy 1 group 2
ASA1(config)# tunnel-group BRANCHES type remote-access
ASA1(config)# tunnel-group BRANCHES general-attributes
ASA1(config-tunnel-general)# default-group-policy EZ-POLICY
ASA1(config-tunnel-general)# exit
The tunnel-group for EasyVPN clients has been defined. Note that the group-policy has been tied to the tunnel-group as its general attribute.
ASA1(config)# tunnel-group BRANCHES ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key cisco123
ASA1(config-tunnel-ipsec)# isakmp ikev1-user-authentication none
ASA1(config-tunnel-ipsec)# exit
XAUTH has been disabled (by default the ASA requires XAUTH). Only the peer authentication will be performed.
ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
ASA1(config)# crypto dynamic-map DYN-MAP 5 set transform-set TSET
ASA1(config)# crypto map ENCRYPT_OUT 1 ipsec-isakmp dynamic DYN-MAP
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1

Step 2 ASA2 configuration.

ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
The IPSec-related traffic through ASA2 has been allowed.

Step 3 R5 configuration.

R5(config)#crypto ipsec client ezvpn HQ
R5(config-crypto-ezvpn)#connect auto
R5(config-crypto-ezvpn)#group BRANCHES key cisco123
R5(config-crypto-ezvpn)#mode network-extension

R5(config-crypto-ezvpn)#peer 192.168.1.10
R5(config-crypto-ezvpn)#int f0/0
R5(config-if)# crypto ipsec client ezvpn HQ outside
R5(config-if)#int lo0
R5(config-if)# crypto ipsec client ezvpn HQ inside
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) Client_public_addr=10.1.105.5 User= Group=BRANCHES Server_public_addr=192.168.1.10 NEM_Remote_Subnets=5.5.5.0/255.255.255.0
The tunnel has been established. Note that entering the user name and password interactively is no longer needed.

Step 4 R4 configuration.

R4(config)#crypto ipsec client ezvpn HQ
R4(config-crypto-ezvpn)#connect auto
R4(config-crypto-ezvpn)#group BRANCHES key cisco123
R4(config-crypto-ezvpn)#mode network-extension
R4(config-crypto-ezvpn)#peer 192.168.1.10
R4(config-crypto-ezvpn)#exit
R4(config)#int f0/0
R4(config-if)#crypto ipsec client ezvpn HQ outside
R4(config-if)#int lo0
R4(config-if)#crypto ipsec client ezvpn HQ inside
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) Client_public_addr=10.1.104.4 User= Group=BRANCHES Server_public_addr=192.168.1.10 NEM_Remote_Subnets=4.4.4.0/255.255.255.0

Verification

R4#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R4#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1003  10.1.104.4      192.168.1.10           ACTIVE 3des sha  psk  2  23:57:23 C
       Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

Note that authentication using the tunnel-group name and the password is treated as pre-shared ISAKMP peer authentication.

R4#sh cry ips sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.104.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x63FABD04(1677376772)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD3631C04(3546487812)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4483637/28677)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x63FABD04(1677376772)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4483637/28677)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
  IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
  IPSEC FLOW: permit ip 4.4.4.0/255.255.255.0 1.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

R4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 1.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.1.10
The client has obtained the split-tunnel configuration from the server during Mode Config. The protocol value 0x0 means that all IP traffic to 1.1.1.0/24 will be encrypted.

R5#ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R5#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1003  10.1.105.5      192.168.1.10           ACTIVE 3des sha  psk  2  23:58:00 C
       Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

R5#sh cry ips sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.105.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8AD193D1(2328990673)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDAA2BC9A(3668098202)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4494113/28711)

        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8AD193D1(2328990673)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4494113/28711)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
  IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
  IPSEC FLOW: permit ip 5.5.5.0/255.255.255.0 1.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

R5#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 1.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.1.10

ASA1(config)# sh cry isak sa det

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 10.1.105.5
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86245
2   IKE Peer: 10.1.104.4
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86266
Note that the ASA plays the role of responder for both connections because the tunnels have been initiated from the client side.

ASA1(config)# sh cry ips sa
interface: Outside
    Crypto map tag: DYN-MAP, seq num: 5, local addr: 192.168.1.10

      local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
      current_peer: 10.1.104.4, username: BRANCHES
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D3631C04

    inbound esp sas:
      spi: 0x63FABD04 (1677376772)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 73728, crypto-map: DYN-MAP

} slot: 0.1. Tunnel.1. Tunnel. crypto-map: DYN-MAP Page 495 of 1033 . crypto-map: DYN-MAP sa timing: remaining key lifetime (sec): 28659 IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 Crypto map tag: DYN-MAP.0/255. #pkts decomp failed: 0 #pre-frag successes: 0. username: BRANCHES dynamic allocated peer ip: 0. #fragments created: 0 #PMTUs sent: 0.0 #pkts encaps: 5.1.5 path mtu 1500.5.0/0/0) remote ident (addr/mask/prot/port): (5.: 192.255.5.1.255. local addr: 192. #pkts encrypt: 5. } slot: 0.5. seq num: 5.105. #recv errors: 0 local crypto endpt. #PMTUs rcvd: 0. remote crypto endpt. #pkts comp failed: 0.10 local ident (addr/mask/prot/port): (1. ipsec overhead 58. conn_id: 73728.CCIE SECURITY v4 Lab Workbook sa timing: remaining key lifetime (sec): 28659 IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000003F outbound esp sas: spi: 0xD3631C04 (3546487812) transform: esp-3des esp-sha-hmac no compression in use settings ={RA.105. conn_id: 65536.0.1.0/255.: 10.168.0. #decapsulated frgs needing reassembly: 0 #send errors: 0.0/0/0) current_peer: 10. } slot: 0. media mtu 1500 current outbound spi: DAA2BC9A inbound esp sas: spi: 0x8AD193D1 (2328990673) transform: esp-3des esp-sha-hmac no compression in use settings ={RA.255.168. #pkts decrypt: 5.255. #pre-frag failures: 0. #pkts decompressed: 0 #pkts not compressed: 5.1. conn_id: 65536. #pkts digest: 5 #pkts decaps: 5. Tunnel. crypto-map: DYN-MAP sa timing: remaining key lifetime (sec): 28636 IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000003F outbound esp sas: spi: 0xDAA2BC9A (3668098202) transform: esp-3des esp-sha-hmac no compression in use settings ={RA.10. #pkts verify: 5 #pkts compressed: 0.

         sa timing: remaining key lifetime (sec): 28635
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb ra protocol

Filter Group            : All
Total Active Tunnels    : 4
Cumulative Tunnels      : 29

Protocol                 Tunnels   Percent
IKE                            2       50%
IPsec                          2       50%
IPsecLAN2LAN                   0        0%
IPsecLAN2LANOverNatT           0        0%
IPsecOverNatT                  0        0%
IPsecOverTCP                   0        0%
IPsecOverUDP                   0        0%
L2TPOverIPsec                  0        0%
L2TPOverIPsecOverNatT          0        0%
Clientless                     0        0%
Port-Forwarding                0        0%
IMAP4S                         0        0%
POP3S                          0        0%
SMTPS                          0        0%
SSL-Tunnel                     0        0%
DTLS-Tunnel                    0        0%
Note that the VPN session database indicates that there are four active tunnels: two IKE and two IPSec.

ASA1(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username     : BRANCHES               Index        : 16
Assigned IP  : 5.5.5.0                Public IP    : 10.1.105.5
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 500                    Bytes Rx     : 500
Group Policy : EZ-POLICY              Tunnel Group : BRANCHES
Login Time   : 06:09:57 UTC Fri Jul 23 2010
Duration     : 0h:03m:26s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : BRANCHES               Index        : 18
Assigned IP  : 4.4.4.0                Public IP    : 10.1.104.4
Protocol     : IKE IPsec

License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 500                    Bytes Rx     : 500
Group Policy : EZ-POLICY              Tunnel Group : BRANCHES
Login Time   : 06:10:18 UTC Fri Jul 23 2010
Duration     : 0h:03m:05s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
“show vpn-sessiondb remote” displays information about tunnels established with remote peers. Note that Network Extension Mode makes the inside client network visible.

Verification (detailed)

ASA1(config)# deb cry isak 20
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1140
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing SA payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 02 VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 03 VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal RFC VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ke payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ISA_KE payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing nonce payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received xauth V6 VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received DPD VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Claims to be IOS but failed authentication
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received Cisco Unity client VID
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, Connection landed on tunnel_group BRANCHES
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, No valid authentication type found for the tunnel group
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing IKE SA payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKE SA Proposal # 1, Transform # 17 acceptable  Matches global IKE entry # 3

1. IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.5. constructing VID payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.105.1.105. IP = 10.105.1.1.1. Computing hash for ISAKMP Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.105. IP = 10. IP = 10.105. IP = 10.1. IP = 10.1. computing NAT Discovery hash Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing ke payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing Fragmentation VID + extended capabilities payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing NATDiscovery payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10. constructing NATDiscovery payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.1.1.1. IP = 10. constructing ID payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing dpd vid payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing ISAKMP SA payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440 Jul 23 06:15:33 [IKEv1]: IP = 10.105.5.5. IP = 10.105.5.5. IP = 10. constructing NATTraversal VID ver 02 payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5. Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1. IP = 10..105.5.1. IP = 10.1.5.5.5.105.1. constructing nonce payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. Computing hash for ISAKMP Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. constructing xauth V6 VID payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105. IP = 10.5.1.1.105. IP = 10.105.5. IP = 10. 
processing hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10. Send Altiga/Cisco VPN3000/Cisco ASA GW VID Jul 23 06:15:33 [IKEv1]: IP = 10.. IP = 10.105. computing NAT Discovery hash Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.5.1.1.5.5. processing NATDiscovery payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. computing NAT Discovery hash Page 498 of 1033 .5.105.5.105.5. IP = 10.105. Generating keys for Responder.1.105. IP = 10.1.5.1.105.1. IP = 10.5.5.105. IP = 10.105. IP = 10.5.105.1.105. constructing Cisco Unity VID payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.CCIE SECURITY v4 Lab Workbook Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.

1.1. IKEGetUserAttributes: Browser Proxy Bypass Local = disable The session parameters have been set and prepared for passing them to the client.105. IP = 10.1. MODE_CFG: Received request for DNS server address! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IKEGetUserAttributes: secondary WINS = cleared Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IKEGetUserAttributes: primary WINS = cleared Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. Received unknown transaction mode attribute: 28693 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5. IKEGetUserAttributes: Split Tunneling Policy = Split Network Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. process_attr(): Enter! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.1.5.1.1.5. IP = 10.5.105.5.1. MODE_CFG: Received request for DNS server address! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5. processing NATDiscovery payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10. IP = 10. IKEGetUserAttributes: Browser Proxy Setting = no-modify Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. Note that split-tunnel network list and policy are visible. IP = 10. IP = 10. IP = 10.5.1.105. IP = 10. IP = 10.105. IP = 10. IP = 10.5.5.105.105.105. IP = 10.5.1.105.105. IKEGetUserAttributes: secondary DNS = cleared Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.CCIE SECURITY v4 Lab Workbook Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105. Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.105.1.1. IKE_DECODE RECEIVED Message (msgid=a776bd6d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 380 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5. IP = 10.1.1. IP = 10.5.105. IP = 10.1.1. IP = 10.5.105. Processing cfg Request attributes Jul 23 06:15:33 [IKEv1]: Group = BRANCHES. computing NAT Discovery hash Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.105.5. 
IKEGetUserAttributes: IP Compression = disabled Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.1. Received unknown transaction mode attribute: 28692 Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.5.5.105.105. processing notify payload Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.5.105. IP = 10. IP = 10. IKEGetUserAttributes: split tunneling list = ST Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. MODE_CFG: Received request for WINS server address! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.105.1.1. Jul 23 06:15:33 [IKEv1]: IP = 10.5.105.105.1.5.1.1. IKEGetUserAttributes: primary DNS = cleared Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10. MODE_CFG: Received request for WINS server address! Page 499 of 1033 . Undefined parameters in the group-policy have been marked as “cleared”.1.105. IP = 10.

1.1. MODE_CFG: Received request for Default Domain Name! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. MODE_CFG: Received request for Save PW setting! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.105. IKE_DECODE SENDING Message (msgid=a776bd6d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 172 Jul 23 06:15:33 [IKEv1 DECODE]: IP = 10.105. MODE_CFG: Received request for Local LAN Include! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. Cert/Trans Exch/RM DSID completed Jul 23 06:15:33 [IKEv1]: Group = BRANCHES. IP = 10. Delay Quick Mode processing.5.1. Cert/Trans Exch/RM DSID in progress Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105. PFS settings and the list of backup peers (EasyVPN servers).105.1. constructing blank hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.5.5. MODE_CFG: Received request for Application Version! Mode Config has been started. Received unknown transaction mode attribute: 28695 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.1. constructing qm hash payload Jul 23 06:15:33 [IKEv1]: IP = 10.105.5.5. IP = 10.1. sending notify message Page 500 of 1033 .105.5.105.1. IP = 10.1.1.4(24)T2 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1. MODE_CFG: Received request for PFS setting! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.1. IP = 10. The client has requested the following: DNS server.105. allowance for saving the XAUTH password locally on the client.5. IP = 10.1.1. Split tunnel list.5.105.5.105.105.105. allowance for communication with local lan without an encryption.5. IP = 10.1.5. MODE_CFG: Received request for Banner! Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.5. IP = 10.105.5. IP = 10.5. IP = 10.5.105. IP = 10.1. IP = 10. The client has requested a set of parameters which will be passed down from the server. MODE_CFG: Received request for Split DNS! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1. WINS server.5. 
IP = 10.CCIE SECURITY v4 Lab Workbook Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. MODE_CFG: Received request for backup ip-sec peer list! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.105. Split tunnel DNS (the DNS server which will be used for inquiring about names through the tunnel). Jul 23 06:15:33 [IKEv1]: Group = BRANCHES. Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.105. IP = 10. IP = 10. Keep-alive type for this connection: DPD Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. MODE_CFG: Received request for Split Tunnel List! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105. MODE_CFG: Received request for DHCP hostname for DDNS is: R5! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.5.5. IP = 10. IKE Responder starting QM: msg id = 9196d7a4 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. PHASE 1 COMPLETED Jul 23 06:15:33 [IKEv1]: IP = 10. IP = 10. Client Type: IOS Client Application Version: 12.105.105. Resume Quick Mode processing.1. IP = 10. Starting P1 rekey timer: 82080 seconds.5.5.105.1.1.1.5.

IP = 10. IP = 10.1.5.1.5. Protocol 0.0. processing SA payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.1. IP = 10.255. IP = 10.255. IP = 10.5.105. IKE_DECODE SENDING Message (msgid=94a8c6f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92 Jul 23 06:15:33 [IKEv1]: IP = 10.5.5.0 Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.0. processing hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.5.5.1.1. Received local IP Proxy Subnet data in ID Payload: Address 1. IKE_DECODE RECEIVED Message (msgid=9196d7a4) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1280 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.105.255.0.1.105.105.255.5. constructing proxy ID Page 501 of 1033 .1. IP = 10.5. constructing IPSec SA payload Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.5.1. IP = 10.1.0--255. processing nonce payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.105.0 Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.255. processing ID payload Jul 23 06:15:33 [IKEv1 DECODE]: Group = BRANCHES.5. Mask 255. IP = 10.5.0--255.105. Mask 255. constructing blank hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. ID_IPV4_ADDR_SUBNET ID received--1.5.1. IP = 10.5.105.105. IP = 10.105.5.1. IPSec SA Proposal # 11. IP = 10. IKE Remote Peer configured for crypto map: DYN-MAP Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5. IP = 10.255. IP = 10. Received remote IP Proxy Subnet data in ID Payload: Address 5.5. Port 0 The client has informed the server about its inside network to establish identity of local and remote IPSec proxy. QM IsRekeyed old sa not found by addr Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.105.1. IKE: requesting SPI! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105. IP = 10.105.5. Protocol 0. oakley constucting quick mode Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105. Jul 23 06:15:33 [IKEv1]: Group = BRANCHES. 
Transform # 1 acceptable Matches global IPSec SA entry # 5 Jul 23 06:15:33 [IKEv1]: Group = BRANCHES. IP = 10.105. IP = 10.5.105. Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.0. processing ID payload Jul 23 06:15:33 [IKEv1 DECODE]: Group = BRANCHES.1.1. IP = 10.1.5. Port 0 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IKE got SPI from key engine: SPI = 0x592ce8c6 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.1.105.1.5.105.105.1. IP = 10.105.1.105.105.1. ID_IPV4_ADDR_SUBNET ID received--5.255.CCIE SECURITY v4 Lab Workbook Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5.1.255.1.5.1.1.105.105.1.1. IP = 10.5.1. constructing IPSec nonce payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10. constructing blank hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.105. processing IPSec SA payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.5. constructing qm hash payload Jul 23 06:15:33 [IKEv1]: IP = 10. IP = 10. IP = 10.5.

0 Mask 255.1. constructing qm hash payload Jul 23 06:15:33 [IKEv1 DECODE]: Group = BRANCHES. PHASE 2 COMPLETED (msgid=9196d7a4) Jul 23 06:15:34 [IKEv1]: IP = 10. Sending RESPONDER LIFETIME notification to Initiator Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.105.5. processing notify payload Jul 23 06:15:34 [IKEv1 DECODE]: OBSOLETE DESCRIPTOR .105.1.105. IP = 10. Generating Quick Mode Key! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.. loading all IPSEC SAs Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES..5. Pitcher: received KEY_UPDATE.255.5.105. IP = 10. Outbound SPI = 0xf1e42b1c Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.5. Generating Quick Mode Key! Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.105.5. IKE_DECODE RECEIVED Message (msgid=9196d7a4) with payloads : HDR + HASH (8) + NONE (0) total length : 52 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.u4. Starting P2 rekey timer: 27360 seconds.1.5.CCIE SECURITY v4 Lab Workbook Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. Inbound SPI = 0x592ce8c6.1. IP = 10. IP = 10.255.5. IP = 10.. IP = 10. IP = 10.105.1.5.105.5. Security negotiation complete for User (BRANCHES) Responder.C Page 502 of 1033 .5.u2.105. Jul 23 06:15:33 [IKEv1]: Group = BRANCHES. IP = 10.105.105.5.1..5.105.105.5.105.0 The server has informed the client about remote and local proxy ID.5. IP = 10.105.1. spi 0x592ce8c6 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.INDEX 1 Jul 23 06:15:34 [IKEv1 DECODE]: 0000: 00000000 75340003 52352E75 32000A43 .1.5.1. IKE_DECODE RECEIVED Message (msgid=2468295b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 205 Jul 23 06:15:34 [IKEv1 DEBUG]: Group = BRANCHES. IKE_DECODE SENDING Message (msgid=9196d7a4) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196 Jul 23 06:15:33 [IKEv1]: IP = 10. IP = 10. 
NP encrypt rule look up for crypto map DYN-MAP 5 matching ACL Unknown: returned cs_id=d791a4b0.105.5.105. rule=00000000 Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IKE Responder sending 2nd QM pkt: msg id = 9196d7a4 Jul 23 06:15:33 [IKEv1]: IP = 10. IKE got a KEY_ADD msg for SA: SPI = 0xf1e42b1c Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES.1.255.5. IP = 10.1.1. processing hash payload Jul 23 06:15:34 [IKEv1 DEBUG]: Group = BRANCHES.105.R5..105.5.255.1.1. Transmitting Proxy Id: Remote subnet: 5.0 Protocol 0 Port 0 1.105.1.0 Protocol 0 Port 0 Local subnet: mask 255.1.1. rule=00000000 Jul 23 06:15:33 [IKEv1]: Group = BRANCHES.5. IP = 10.1. Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10. NP encrypt rule look up for crypto map DYN-MAP 5 matching ACL Unknown: returned cs_id=d791a4b0. IP = 10. IP = 10.5. processing hash payload Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES. IP = 10.1.5.1.105.5.

105. The output is pretty long but it’s worth to see it.500: udp 60 16: 06:37:20.47184260 10.168.1.47184350 10.47184320 192.500 > 192.500: udp 92 11: 06:37:20.105.47184320 10.105.1.5.168.1.1.105.500 > 10.500: udp 132 5: 06:37:20. 0080: 3132342D 32342E54 322E6269 6E 124-24.500: udp 1140 2: 06:37:20.500 > 10.168.500: udp 196 14: 06:37:20.500: udp 212 18 packets shown Note: 18 packets has been captured.10.168.10.5..1.T2.1.1. ASA1(config)# sho capture IKE decode 18 packets captured Page 503 of 1033 .63019608u3.1.1.5..10.5.168.500: udp 60 17: 06:37:21..f 0060: 6C617368 3A633238 30306E6D 2D616476 lash:c2800nm-adv 0070: 656E7465 72707269 73656B39 2D6D7A2E enterprisek9-mz.47184350 192.1..1.47185020 10.105.500 > 10.228589568u 0050: 39000836 33303139 36303875 33002E66 9.500 > 192.500 > 192.500: udp 196 15: 06:37:20.105.1.bin ASA1(config)# un all Verification (deep dive) Alternatively you can use ISAKMP capure to get all IKE packets and analize their content.500 > 10.1.47184320 10.500 > 192.47184320 192.47184350 10.500: udp 172 8: 06:37:20.FHK 0020: 30383439 46314241 75300009 32353735 0849F1BAu0.1.1.1.500: udp 1284 13: 06:37:20.1.1.5.5.105.168.10.500 > 192.105.500 > 192.1.1.168.105.10.10. Let’s see what they contain.105.1.2575 0030: 34303039 36753100 09313330 31353835 40096u1.1.1.105.168.500 > 192.1.105.500 > 10.105.10.5.1.CCIE SECURITY v4 Lab Workbook 0010: 6973636F 20323831 31753500 0B46484B isco 2811u5.168.5.1301585 0040: 39327536 00093232 38353839 35363875 92u6.500 > 192.105.1.5.1.47184320 10.500 > 10.168.1.47184320 10.5.1.5.10.10.500: udp 388 6: 06:37:20.500: udp 1284 10: 06:37:20.168.168.500: udp 212 18: 06:37:21.500: udp 388 7: 06:37:20.500 > 192.10.5.10.1.5.168.500: udp 172 9: 06:37:20.47184360 10.5.5.1.5.168.47184350 192.500: udp 132 4: 06:37:20.10.5.500: udp 92 12: 06:37:20.105.47184350 192.500 > 10.168.1.47184360 10.1. 
ASA1(config)# capture IKE type isakmp interface outside ASA1(config)# sho capture IKE 18 packets captured 1: 06:37:20.10.168.47184350 192.168.10.500: udp 440 3: 06:37:20.10..10.10.105.168.105.105..10.1.47184270 192.500 > 192.1.5.47185020 10.500 > 192.1.

Note that R5 sends the IKE packet in Aggressive Mode. Remember that Aggressive Mode in EasyVPN is used when ISAKMP peer authentication is based on a pre-shared key. The packet contains almost all the required information: SA Proposals, Key Exchange, Group name and identity info (see the greyed fields).

1: 06:37:20.47184260 10.105.105.5.500 > 192.168.1.10.500: udp 1140
ISAKMP Header
  Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association  Version: 1.0  Exchange Type: Aggressive Mode
  Flags: (none)  MessageID: 00000000  Length: 1140
Payload Security Association
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 788
  DOI: IPsec  Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
  Next Payload: None  Reserved: 00  Payload Length: 776
  Proposal #: 1  Protocol-Id: PROTO_ISAKMP  SPI Size: 0  # of transforms: 20
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 1  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 128  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b

This and the following Transform payloads are the ISAKMP policies hardcoded into the EasyVPN client software.

Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40

  Transform #: 2  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 128  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 3  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 192  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 4  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 192  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 5  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 256  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds

  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 6  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 256  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 7  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 128  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 8  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 128  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 9  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC

  Key Length: 192  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 10  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 192  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 11  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 256  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 40
  Transform #: 12  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: AES-CBC  Key Length: 256  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00

  Payload Length: 36
  Transform #: 13  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: 3DES-CBC  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 36
  Transform #: 14  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: 3DES-CBC  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 36
  Transform #: 15  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: DES-CBC  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 36
  Transform #: 16  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: DES-CBC  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: XAUTH_INIT_PRESHRD  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform

  Reserved: 00  Payload Length: 36
  Transform #: 17  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: 3DES-CBC  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 36
  Transform #: 18  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: 3DES-CBC  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: Transform  Reserved: 00  Payload Length: 36
  Transform #: 19  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: DES-CBC  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Transform
  Next Payload: None  Reserved: 00  Payload Length: 36
  Transform #: 20  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: DES-CBC  Hash Algorithm: MD5  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b
Payload Vendor ID

  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): 43 9b 59 f8 ba 67 6c 4c 77 37 ae 22 ea b8 f5 82
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
  Next Payload: Key Exchange  Reserved: 00  Payload Length: 20
  Data (In Hex): 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Key Exchange
  Next Payload: Nonce  Reserved: 00  Payload Length: 132
  Data: f0 25 90 d8 3f 81 9c 9a dd 71 3e bb 56 57 24 d0 81 c7 6e 35 8f 66 03 95 4f 57 6f 00 5b 8b 4b fe 12 55 4e af 01 19 5b 11 55 60 fd 19 d7 ae 5a c3 59 75 92 aa 70 bd 13 5b a8 cb d1 a7 60 aa 38 16 74 65 d6 9c 15 ba 4c b3 09 11 93 48 f4 d5 da 43 ed ba b8 38 c0 ab 1e 67 5c c2 33 47 0a 9a 44 90 d2 8d a9 0a f8 a9 8d 63 91 9d e9 09 16 4c 0d 85 7e 92 04 2e fd 43 e4 3e 6d 8c 0a 1b eb 57 2a f9
Payload Nonce
  Next Payload: Identification  Reserved: 00  Payload Length: 24
  Data: c6 a1 41 66 13 2b e4 aa 7f 28 a4 69 42 76 bb d2 f6 0f f8 27

The nonces used for key generation are visible in this part of the IKE packet.

Payload Identification
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 16
  ID Type: ID_KEY_ID (11)

  Protocol ID (UDP/TCP, etc.): 17  Port: 0
  ID Data: BRANCHES
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 12
  Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): 8d fc 3c f7 4d 00 0b 3f 57 27 fa 9a a4 83 76 02
Payload Vendor ID
  Next Payload: None  Reserved: 00  Payload Length: 20
  Data (In Hex): 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00

The last part of the packet consists of the Identification data (the EasyVPN group name is visible) and vendor-specific IDs, which define the IPSec features supported by the device.

The second packet is the response from the EasyVPN server. It contains the agreed transform (the only one the server accepted) and the data required for the Key Exchange.

2: 06:37:20.47184270 192.168.1.10.500 > 10.105.105.5.500: udp 440
ISAKMP Header
  Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
  Responder COOKIE: dc 15 82 8e fd f2 7f b7
  Next Payload: Security Association  Version: 1.0  Exchange Type: Aggressive Mode
  Flags: (none)  MessageID: 00000000  Length: 440
Payload Security Association
  Next Payload: Key Exchange  Reserved: 00  Payload Length: 56
  DOI: IPsec  Situation:(SIT_IDENTITY_ONLY)
Payload Proposal

  Next Payload: None  Reserved: 00  Payload Length: 44
  Proposal #: 1  Protocol-Id: PROTO_ISAKMP  SPI Size: 0  # of transforms: 1
Payload Transform
  Next Payload: None  Reserved: 00  Payload Length: 36
  Transform #: 17  Transform-Id: KEY_IKE  Reserved2: 0000
  Encryption Algorithm: 3DES-CBC  Hash Algorithm: SHA1  Group Description: Group 2
  Authentication Method: Preshared key  Life Type: seconds  Life Duration (Hex): 00 20 c4 9b

The chosen ISAKMP policy is sent back in the reply of the EasyVPN server.

Payload Key Exchange
  Next Payload: Nonce  Reserved: 00  Payload Length: 132
  Data: 1f 65 76 e3 81 7a 55 1e d8 9d 5b 5e 88 8d d8 d9 ae 69 ba 3a 61 0b 29 4f 54 32 ab fe 02 a9 16 95 05 7a ec 7e c3 7e dd 50 bf 2b 86 8b 33 5f 5f bf 65 ef 8e 49 5c 8f 38 48 cd fa 9a f1 ab 18 c7 4b 0c b5 e8 66 f4 5e 9b dd bb e5 ee 28 c0 2a 8b f3 ea 00 68 71 88 00 65 d6 0e 0f 8d 85 30 23 87 76 ac d9 ca 21 6e 73 8e e7 2e d6 c8 2d d4 f7 69 88 34 8d 11 e9 0e 1b 67 5b f0 20 6a 66 e0 fa 39 41
Payload Nonce
  Next Payload: Identification  Reserved: 00  Payload Length: 24
  Data: db f3 19 e4 cb d0 f8 27 47 45 09 11 fe ee dc 12 6e 8f 04 68

Further session key material negotiation.

Payload Identification
  Next Payload: Hash  Reserved: 00  Payload Length: 12
  ID Type: IPv4 Address (1)

  Protocol ID (UDP/TCP, etc.): 17  Port: 0
  ID Data: 192.168.1.10

Identity of the EasyVPN server.

Payload Hash
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 24
  Data: 72 a4 56 ac 28 ff 93 c8 f3 de d1 7d 6c fd c6 a7 2e 0a 86 fc
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 12
  Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 20
  Data (In Hex): af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Payload Vendor ID
  Next Payload: NAT-D  Reserved: 00  Payload Length: 20
  Data (In Hex): 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload NAT-D
  Next Payload: NAT-D  Reserved: 00  Payload Length: 24
  Data: 01 98 6a ce 63 c9 1f 1b 2a 7b 6e bc 2d 84 38 90 3e 65 6c 49
Payload NAT-D
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 24
  Data: eb 80 2d 65 2f e0 45 a8 b4 7e 2e 7a 33 b6 0c c2 c0 01 ad 51

The NAT Discovery hashes (NAT-D payloads) enable the peers to discover whether a NAT device sits on the path between them.

Payload Vendor ID
  Next Payload: Vendor ID  Reserved: 00  Payload Length: 24
  Data (In Hex): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 c0 00 00 00
Payload Vendor ID
  Next Payload: None  Reserved: 00  Payload Length: 20
  Data (In Hex): 1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00

3: 06:37:20.47184320 10.105.105.5.500 > 192.168.1.10.500: udp 132
ISAKMP Header
  Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
  Responder COOKIE: dc 15 82 8e fd f2 7f b7
  Next Payload: Hash  Version: 1.0  Exchange Type: Aggressive Mode
  Flags: (Encryption)  MessageID: 00000000  Length: 132

4: 06:37:20.47184320 10.105.105.5.500 > 192.168.1.10.500: udp 132
ISAKMP Header
  Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
  Responder COOKIE: dc 15 82 8e fd f2 7f b7
  Next Payload: Hash  Version: 1.0  Exchange Type: Aggressive Mode
  Flags: (none)  MessageID: 00000000  Length: 132
Payload Hash
  Next Payload: NAT-D  Reserved: 00  Payload Length: 24
  Data: a4 66 61 29 f9 a5 26 66 19 00 a4 a1 9c 7f a0 9d b1 3b 59 60
Payload NAT-D
  Next Payload: NAT-D  Reserved: 00  Payload Length: 24
  Data: eb 80 2d 65 2f e0 45 a8 b4 7e 2e 7a 33 b6 0c c2

  c0 01 ad 51
Payload NAT-D
  Next Payload: Notification  Reserved: 00  Payload Length: 24
  Data: 01 98 6a ce 63 c9 1f 1b 2a 7b 6e bc 2d 84 38 90 3e 65 6c 49
Payload Notification
  Next Payload: None  Reserved: 00  Payload Length: 28
  DOI: IPsec  Protocol-ID: PROTO_ISAKMP  Spi Size: 16
  Notify Type: STATUS_INITIAL_CONTACT
  SPI: 78 3b 9b ea 4d 01 0b 3f dc 15 82 8e fd f2 7f b7
  Extra data: 00 00 00 00

The third packet is the last one of Aggressive Mode, but in this case there is an EasyVPN feature which requires Mode Config for the client. Note that the config request is sent (required) from the client side.

5: 06:37:20.47184320 10.105.105.5.500 > 192.168.1.10.500: udp 388
ISAKMP Header
  Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
  Responder COOKIE: dc 15 82 8e fd f2 7f b7
  Next Payload: Hash  Version: 1.0  Exchange Type: Transaction
  Flags: (Encryption)  MessageID: 021567B1  Length: 388

6: 06:37:20.47184320 10.105.105.5.500 > 192.168.1.10.500: udp 388
ISAKMP Header
  Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
  Responder COOKIE: dc 15 82 8e fd f2 7f b7
  Next Payload: Hash  Version: 1.0  Exchange Type: Transaction
  Flags: (none)  MessageID: 021567B1  Length: 388
Payload Hash
  Next Payload: Attributes  Reserved: 00  Payload Length: 24
  Data: 5d 28 f7 ad fd 6d ac 4a dc 47 94 b5 76 98 ec 3e

1.1. 7: 06:37:20.CCIE SECURITY v4 Lab Workbook 07 c8 b8 20 Payload Attributes Next Payload: None Reserved: 00 Payload Length: 328 type: ISAKMP_CFG_REQUEST Reserved: 00 Identifier: 0000 Unknown: (empty) Unknown: (empty) IPv4 DNS: (empty) IPv4 DNS: (empty) IPv4 NBNS (WINS): (empty) IPv4 NBNS (WINS): (empty) Cisco extension: Split Include: (empty) Cisco extension: Split DNS Name: (empty) Cisco extension: Default Domain Name: (empty) Cisco extension: Save PWD: (empty) Cisco extension: Include Local LAN: (empty) Cisco extension: Do PFS: (empty) Cisco extension: Backup Servers: (empty) Application Version: 43 69 73 63 6f 20 49 4f 53 20 53 6f 66 74 77 61 72 65 2c 20 32 38 30 30 20 53 6f 66 74 77 61 72 65 20 28 43 32 38 30 30 4e 4d 2d 41 44 56 45 4e 54 45 52 50 52 49 53 45 4b 39 2d 4d 29 2c 20 56 65 72 73 69 6f 6e 20 31 32 2e 34 28 32 34 29 54 32 2c 20 52 45 4c 45 41 53 45 20 53 4f 46 54 57 41 52 45 20 28 66 63 32 29 0a 54 65 63 68 6e 69 63 61 6c 20 53 75 70 70 6f 72 74 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63 69 73 63 6f 2e 63 6f 6d 2f 74 65 63 68 73 75 70 70 6f 72 74 0a 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 31 39 38 36 2d 32 30 30 39 20 62 79 20 43 69 73 63 6f 20 53 79 73 74 65 6d 73 2c 20 49 6e 63 2e 0a 43 6f 6d 70 69 6c 65 64 20 4d 6f 6e 20 31 39 2d 4f 63 74 2d 30 39 20 31 37 3a 33 38 20 62 79 20 70 72 6f 64 5f 72 65 6c 5f 74 65 61 6d Cisco extension: Banner: (empty) Unknown: (empty) Cisco extension: Dynamic DNS Hostname: 52 35 Extra data: 00 00 00 00 00 00 00 00 Server agreeds that it supports Client Mode Config and sends out all Mode Config information it has.168.105.47184320 192.10.500: ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Page 516 of 1033 udp 172 .5.500 > 10.

105.105.10.500: ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.1.0 Exchange Type: Transaction Flags: (Encryption) MessageID: 021567B1 Length: 172 9: 06:37:20.168.500 > 192.168.10.CCIE SECURITY v4 Lab Workbook Version: 1.1.0 Exchange Type: Transaction Flags: (none) MessageID: 021567B1 Length: 172 Payload Hash Next Payload: Attributes Reserved: 00 Payload Length: 24 Data: 73 24 60 32 dc 32 33 0c 8f a3 57 1a 98 65 a6 b0 ae 5f b0 ad Payload Attributes Next Payload: None Reserved: 00 Payload Length: 120 type: ISAKMP_CFG_REPLY Reserved: 00 Identifier: 0000 Cisco extension: Save PWD: No Cisco extension: Split Include: 1.5.47184350 10.1.500 > 10.1.47184320 192.500: udp 172 ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.1.1.0 Exchange Type: Quick Mode Flags: (Encryption) MessageID: 1D0E05C1 Length: 1284 Page 517 of 1033 udp 1284 .5.255.0/255.0/0/0/0 Cisco extension: Do PFS: No Application Version: 43 69 73 63 6f 20 53 79 73 74 65 6d 73 2c 20 49 6e 63 20 41 53 41 35 35 31 30 20 56 65 72 73 69 6f 6e 20 38 2e 32 28 31 29 20 62 75 69 6c 74 20 62 79 20 62 75 69 6c 64 65 72 73 20 6f 6e 20 54 75 65 20 30 35 2d 4d 61 79 2d 30 39 20 32 32 3a 34 35 8: 06:37:20.255.

105.500: ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.10.47184350 10.1.500 > 10.0 Exchange Type: Informational Flags: (none) MessageID: 8BA99D99 Length: 92 Payload Hash Next Payload: Notification Reserved: 00 Payload Length: 24 Data: 1b f2 17 e7 41 11 d2 1f 91 6a c1 90 07 3e 80 65 61 08 64 3c Payload Notification Next Payload: None Reserved: 00 Payload Length: 40 DOI: IPsec Protocol-ID: PROTO_ISAKMP Spi Size: 16 Notify Type: STATUS_RESP_LIFETIME SPI: 78 3b 9b ea 4d 01 0b 3f dc 15 82 8e fd f2 7f b7 Data: 80 0b 00 01 00 0c 00 04 00 01 51 80 11: 06:37:20.105.500: udp 92 ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.5.47184350 192.500: udp 92 ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.5.168.1.5.1.10.168.0 Exchange Type: Informational Flags: (Encryption) MessageID: 8BA99D99 Length: 92 Here IKE Phase 2 (Quick Mode) starts.500 > 10.1.CCIE SECURITY v4 Lab Workbook 10: 06:37:20.500 > 192.168. 12: 06:37:20.47184350 192.1.0 Exchange Type: Quick Mode Page 518 of 1033 udp 1284 .105.1.10. Client sends out his SA proposals and Proxy IDs.

CCIE SECURITY v4 Lab Workbook Flags: (none) MessageID: 1D0E05C1 Length: 1284 Payload Hash Next Payload: Security Association Reserved: 00 Payload Length: 24 Data: d9 5e e8 91 75 de f9 af 31 24 e1 12 5f de 51 8c dd 6f d2 88 Payload Security Association Next Payload: Nonce Reserved: 00 Payload Length: 1172 DOI: IPsec Situation:(SIT_IDENTITY_ONLY) Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 1 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 56 7c 92 a4 Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Key Length: 128 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 2 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 31 73 c5 d0 Payload Transform Next Payload: None Reserved: 00 Page 519 of 1033 .

CCIE SECURITY v4 Lab Workbook Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Key Length: 128 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 3 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: ce 71 a8 5c Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Key Length: 128 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 48 Proposal #: 3 Protocol-Id: PROTO_IPSEC_IPCOMP SPI Size: 4 # of transforms: 1 SPI: 00 00 4b ff Payload Transform Next Payload: None Reserved: 00 Payload Length: 36 Transform #: 1 Transform-Id: IPCOMP_LZS Reserved2: 0000 Encapsulation Mode: Tunnel Page 520 of 1033 .

CCIE SECURITY v4 Lab Workbook Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 4 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: bd dc b8 ab Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Key Length: 128 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 48 Proposal #: 4 Protocol-Id: PROTO_IPSEC_IPCOMP SPI Size: 4 # of transforms: 1 SPI: 00 00 fe 00 Payload Transform Next Payload: None Reserved: 00 Payload Length: 36 Transform #: 1 Transform-Id: IPCOMP_LZS Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Payload Proposal Next Payload: Proposal Reserved: 00 Page 521 of 1033 .

CCIE SECURITY v4 Lab Workbook Payload Length: 56 Proposal #: 5 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 35 06 a3 cb Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Key Length: 192 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 6 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 90 2c 99 79 Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Key Length: 192 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 7 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 Page 522 of 1033 .

CCIE SECURITY v4 Lab Workbook SPI: de 82 91 dd Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Key Length: 256 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 8 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 03 de d8 0a Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Key Length: 256 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 9 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 40 54 5e 23 Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Page 523 of 1033 .

CCIE SECURITY v4 Lab Workbook Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Key Length: 256 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 48 Proposal #: 9 Protocol-Id: PROTO_IPSEC_IPCOMP SPI Size: 4 # of transforms: 1 SPI: 00 00 81 e8 Payload Transform Next Payload: None Reserved: 00 Payload Length: 36 Transform #: 1 Transform-Id: IPCOMP_LZS Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 56 Proposal #: 10 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 3f 55 57 df Payload Transform Next Payload: None Reserved: 00 Payload Length: 44 Transform #: 1 Transform-Id: ESP_AES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Page 524 of 1033 .

CCIE SECURITY v4 Lab Workbook Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Key Length: 256 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 48 Proposal #: 10 Protocol-Id: PROTO_IPSEC_IPCOMP SPI Size: 4 # of transforms: 1 SPI: 00 00 d8 81 Payload Transform Next Payload: None Reserved: 00 Payload Length: 36 Transform #: 1 Transform-Id: IPCOMP_LZS Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 52 Proposal #: 11 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: e8 49 67 0b Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_3DES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 52 Proposal #: 12 Page 525 of 1033 .

CCIE SECURITY v4 Lab Workbook Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: ac 85 7d 5f Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_3DES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 52 Proposal #: 13 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 06 32 54 41 Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_3DES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 48 Proposal #: 13 Protocol-Id: PROTO_IPSEC_IPCOMP SPI Size: 4 # of transforms: 1 SPI: 00 00 74 a5 Payload Transform Next Payload: None Reserved: 00 Page 526 of 1033 .

CCIE SECURITY v4 Lab Workbook Payload Length: 36 Transform #: 1 Transform-Id: IPCOMP_LZS Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 52 Proposal #: 14 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: e3 5b 48 e2 Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_3DES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 48 Proposal #: 14 Protocol-Id: PROTO_IPSEC_IPCOMP SPI Size: 4 # of transforms: 1 SPI: 00 00 5a c2 Payload Transform Next Payload: None Reserved: 00 Payload Length: 36 Transform #: 1 Transform-Id: IPCOMP_LZS Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Page 527 of 1033 .

CCIE SECURITY v4 Lab Workbook Life Duration (Hex): 00 46 50 00 Payload Proposal Next Payload: Proposal Reserved: 00 Payload Length: 52 Proposal #: 15 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: 65 75 36 ff Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_DES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: SHA1 Payload Proposal Next Payload: None Reserved: 00 Payload Length: 52 Proposal #: 16 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 # of transforms: 1 SPI: c0 36 b5 6f Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_DES Reserved2: 0000 Encapsulation Mode: Tunnel Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Authentication Algorithm: MD5 Payload Nonce Next Payload: Identification Reserved: 00 Payload Length: 24 Data: c9 9c 07 90 28 9c f0 c6 10 54 01 f2 0e fa ba 4e Page 528 of 1033 .

.1.. etc.5.): 0 Port: 0 ID Data: 5.CCIE SECURITY v4 Lab Workbook 37 74 0e 99 Payload Identification Next Payload: Identification Reserved: 00 Payload Length: 16 ID Type: IPv4 Subnet (4) Protocol ID (UDP/TCP.500: ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1..255. 13: 06:37:20.10.255.1.5.47184350 192.255..): 0 Port: 0 ID Data: 1.1.0 Exchange Type: Quick Mode Flags: (none) MessageID: 1D0E05C1 Length: 196 Payload Hash Next Payload: Security Association Reserved: 00 Payload Length: 24 Data: d9 ac 1c 49 2b 2c 55 cc de a0 52 70 5e fc e7 53 60 31 f3 88 Payload Security Association Next Payload: Nonce Reserved: 00 Payload Length: 64 DOI: IPsec Situation:(SIT_IDENTITY_ONLY) Payload Proposal Next Payload: None Reserved: 00 Payload Length: 52 Proposal #: 1 Protocol-Id: PROTO_IPSEC_ESP SPI Size: 4 Page 529 of 1033 udp 196 .0/255.5.500 > 10.1.0 Extra data: 00 00 00 00 The EasyVPN Server responses with chosen SA proposal and it’s Proxy IDs.105.0/255.255.168.0 Payload Identification Next Payload: None Reserved: 00 Payload Length: 16 ID Type: IPv4 Subnet (4) Protocol ID (UDP/TCP. etc.

0 Payload Identification Next Payload: Notification Reserved: 00 Payload Length: 16 ID Type: IPv4 Subnet (4) Protocol ID (UDP/TCP.CCIE SECURITY v4 Lab Workbook # of transforms: 1 SPI: 59 08 47 15 Payload Transform Next Payload: None Reserved: 00 Payload Length: 40 Transform #: 1 Transform-Id: ESP_3DES Reserved2: 0000 Life Type: Seconds Life Duration (Hex): 00 20 c4 9b Life Type: Kilobytes Life Duration (Hex): 00 46 50 00 Encapsulation Mode: Tunnel Authentication Algorithm: SHA1 Payload Nonce Next Payload: Identification Reserved: 00 Payload Length: 24 Data: 38 d5 0b 1f 1e c4 15 93 d2 ea 3c 96 ec 67 ef 28 55 7f 97 6f Payload Identification Next Payload: Identification Reserved: 00 Payload Length: 16 ID Type: IPv4 Subnet (4) Protocol ID (UDP/TCP.5.105.1.500: ISAKMP Header Page 530 of 1033 udp 196 .255.255.5.0/255.1. etc.500 > 10.0/255.255.168.): 0 Port: 0 ID Data: 1.47184350 192.255...1.0 Payload Notification Next Payload: None Reserved: 00 Payload Length: 24 DOI: IPsec Protocol-ID: PROTO_IPSEC_ESP Spi Size: 4 Notify Type: STATUS_RESP_LIFETIME SPI: 59 08 47 15 Data: 80 01 00 01 80 02 70 80 14: 06:37:20.): 0 Port: 0 ID Data: 5.5.10.1... etc.

500 > 192.500: Page 531 of 1033 udp 212 .500: udp 60 ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.1.CCIE SECURITY v4 Lab Workbook Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.1.500 > 192.105.500: udp 60 ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.105.1.10.500: udp 212 ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.5.105.168.0 Exchange Type: Quick Mode Flags: (none) MessageID: 1D0E05C1 Length: 60 Payload Hash Next Payload: None Reserved: 00 Payload Length: 24 Data: 82 7a fe 77 fa 45 4d 45 68 1f c9 d4 3f 99 15 d6 b7 ba 07 53 Extra data: 00 00 00 00 00 00 00 00 17: 06:37:21.10.1.168.1.47184360 10.5.0 Exchange Type: Quick Mode Flags: (Encryption) MessageID: 1D0E05C1 Length: 196 15: 06:37:20.47185020 10.500 > 192.10.168.10.168.47185020 10.0 Exchange Type: Quick Mode Flags: (Encryption) MessageID: 1D0E05C1 Length: 60 16: 06:37:20.5.1.47184360 10.1.5.500 > 192.105.1.0 Exchange Type: Informational Flags: (Encryption) MessageID: DD36CA24 Length: 212 18: 06:37:21.

0 Exchange Type: Informational Flags: (none) MessageID: DD36CA24 Length: 212 Payload Hash Next Payload: Notification Reserved: 00 Payload Length: 24 Data: 0d 61 fc 2a 93 01 d7 a0 11 dd ce b5 67 69 6e 91 60 cd 23 bb Payload Notification Next Payload: None Reserved: 00 Payload Length: 153 DOI: IPsec Protocol-ID: PROTO_ISAKMP Spi Size: 0 Notify Type: Unknown Data: 00 00 00 00 75 34 00 03 52 35 2e 75 32 00 0a 43 69 73 63 6f 20 32 38 31 31 75 35 00 0b 46 48 4b 30 38 34 39 46 31 42 41 75 30 00 09 32 35 37 35 34 30 30 39 36 75 31 00 09 31 33 30 31 35 38 35 39 32 75 36 00 09 32 32 38 35 38 39 35 36 38 75 39 00 08 36 33 30 33 33 33 35 36 75 33 00 2e 66 6c 61 73 68 3a 63 32 38 30 30 6e 6d 2d 61 64 76 65 6e 74 65 72 70 72 69 73 65 6b 39 2d 6d 7a 2e 31 32 34 2d 32 34 2e 54 32 2e 62 69 6e Extra data: 00 00 00 00 00 00 00 18 packets shown Page 532 of 1033 .CCIE SECURITY v4 Lab Workbook ISAKMP Header Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f Responder COOKIE: dc 15 82 8e fd f2 7f b7 Next Payload: Hash Version: 1.

Lab 1.47. Site-to-Site IPSec VPN using EasyVPN with ISAKMP Profiles (IOS-IOS)

This lab is based on the previous labs' configuration. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup
 R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
 R2’s G0/1 and ASA2’s E0/0 interface should be configured in VLAN 122
 R4’s F0/0 and ASA2’s E0/2 interface should be configured in VLAN 104
 R5’s F0/0 and ASA2’s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”

 Configure default routing on R1, R4 and R5 pointing to the respective ASA’s interface
 Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing
Device   Interface / ifname / sec level     IP address
R1       Lo0                                1.1.1.1/24
         F0/0                               10.101.1.1/24
R2       G0/0                               192.168.1.2/24
         G0/1                               192.168.10.2/24
R4       Lo0                                4.4.4.4/24
         F0/0                               10.104.1.4/24
R5       Lo0                                5.5.5.5/24
         F0/0                               10.105.1.5/24
ASA1     E0/0, Outside, Security 0          192.168.1.10/24
         E0/1, Inside, Security 100         10.101.1.10/24
ASA2     E0/0, Outside, Security 0          192.168.10.10/24
         E0/1, Inside_US, Security 100      10.105.1.10/24
         E0/2, Inside_CA, Security 100      10.104.1.10/24

Task 1
Configure IPSec VPN tunnel between R5 and R4 with the following parameters:

Tunnel     SRC Endpoint / Network       DST Endpoint / Network
R5 – R4    10.105.1.5 / 5.5.5.0/24      10.104.1.4 / 4.4.4.0/24

ISAKMP Policy            IPSec Policy
Authentication: PSK      Encryption: ESP/3DES
Encryption: 3DES         Authentication: ESP/SHA
Group: 2
Hash: SHA

Use Easy VPN to configure the tunnel in network extension mode. R5 should act as EasyVPN Remote and R4 should be an EasyVPN Server. You should use an ISAKMP profile when configuring the EasyVPN Server on R4. Use the group name “R5” with the password “cisco123”.

Configuration
Complete these steps:

Step 1 R4 configuration.

R4(config)#username student5 password student5
R4(config)#aaa new-model
R4(config)#aaa authorization network GROUP-AUTH local
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#encr 3des
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp client configuration group R5
R4(config-isakmp-group)#key cisco123
R4(config-isakmp-group)#exit
R4(config)#crypto isakmp profile VPN-CLIENTS
% A profile is deemed incomplete until it has match identity statements
R4(conf-isa-prof)#match identity group R5
R4(conf-isa-prof)#isakmp authorization list GROUP-AUTH

An ISAKMP profile allows you to specify ISAKMP parameters that apply when the defined identity criteria are matched (e.g. host name, host domain, group name, IP address, user name and user domain). In this case, for any connection where the name of the group (R5) is used as the identity, the configuration (authorization) for this connection will be processed locally from the router’s database.

R4(conf-isa-prof)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)#crypto dynamic-map DYN-CMAP 10
R4(config-crypto-map)# set transform-set TSET
R4(config-crypto-map)# set isakmp-profile VPN-CLIENTS
R4(config)#crypto map ENCRYPT 10 ipsec-isakmp dynamic DYN-CMAP
R4(config)#int f0/0
R4(config-if)#crypto map ENCRYPT
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 2 R5 configuration.

R5(config)#crypto ipsec client ezvpn EZ
R5(config-crypto-ezvpn)#connect auto
R5(config-crypto-ezvpn)#group R5 key cisco123
R5(config-crypto-ezvpn)#mode network-extension
R5(config-crypto-ezvpn)#peer 10.104.1.4
R5(config-crypto-ezvpn)#int f0/0
R5(config-if)# crypto ipsec client ezvpn EZ outside
R5(config-if)#int lo0
R5(config-if)# crypto ipsec client ezvpn EZ inside
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=R5 Client_public_addr=10.105.1.5 Server_public_addr=10.104.1.4 NEM_Remote_Subnets=5.5.5.0/255.255.255.0

Step 3 ASA2 configuration.

Since the IPSec tunnel needs to be established between two peers which sit on different interfaces of the ASA but with the same security level of 100, this traffic must be explicitly allowed on the ASA.

ASA2(config)# same-security-traffic permit inter-interface

Verification

R5#ping 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R5#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED

Save Password: Disallowed
Current EzVPN Peer: 10.104.1.4

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.105.1.5      10.104.1.4             ACTIVE 3des sha  psk  2  23:56:41 C
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.105.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.104.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.105.1.5, remote crypto endpt.: 10.104.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD4F8B509(3573069065)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD5881B72(3582466930)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4448645/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD4F8B509(3573069065)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4448645/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#ping 5.5.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.104.1.4      10.105.1.5             ACTIVE 3des sha  psk  2  23:57:04 C
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: ENCRYPT, local addr 10.104.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)

   current_peer 10.105.1.5 port 500
     PERMIT, flags={}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.104.1.4, remote crypto endpt.: 10.105.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD5881B72(3582466930)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD4F8B509(3573069065)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4485964/3420)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD5881B72(3582466930)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
        sa timing: remaining key lifetime (k/sec): (4485964/3420)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Verification (detailed)

R4#deb cry isak
Crypto ISAKMP debugging is on
R4#
ISAKMP (0): received packet from 10.105.1.5 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 10.105.1.5, peer port 500
ISAKMP: New peer created peer = 0x4A0B08AC peer_handle = 0x80000002

ISAKMP: Locking peer struct 0x4A0B08AC, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 499D5A4C
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : R5
        protocol     : 17
        port         : 0
        length       : 10

The group name has been sent by the client as the identity.

ISAKMP:(0):: peer matches VPN-CLIENTS profile

The ISAKMP profile criteria have been matched.

ISAKMP:(0):Setting client config settings 499D4FAC
ISAKMP/xauth: initializing AAA request
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP : Looking for xauth in profile VPN-CLIENTS
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared

ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 192
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 192
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds

Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy ISAKMP: encryption AES-CBC ISAKMP: keylength of 128 ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy ISAKMP: encryption AES-CBC ISAKMP: keylength of 192 ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy ISAKMP: encryption AES-CBC ISAKMP: keylength of 256 ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy ISAKMP: encryption AES-CBC ISAKMP: keylength of 256 ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B Page 542 of 1033 .CCIE SECURITY v4 Lab Workbook ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy ISAKMP: encryption AES-CBC ISAKMP: keylength of 192 ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable.

Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 17 against priority 1 policy ISAKMP: encryption 3DES-CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth pre-share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):atts are acceptable.CCIE SECURITY v4 Lab Workbook ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 15 against priority 1 policy ISAKMP: encryption DES-CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy ISAKMP: encryption 3DES-CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy ISAKMP: encryption 3DES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Hash algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable. Next payload is 3 ISAKMP:(0):Acceptable atts:actual life: 86400 ISAKMP:(0):Acceptable atts:life: 0 ISAKMP:(0):Fill atts in sa vpi_length:4 ISAKMP:(0):Fill atts in sa life_in_seconds:2147483 ISAKMP:(0):Returning Actual lifetime: 86400 Page 543 of 1033 . 
Next payload is 3 ISAKMP:(0):Checking ISAKMP transform 16 against priority 1 policy ISAKMP: encryption DES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP:(0):Encryption algorithm offered does not match policy! ISAKMP:(0):atts are not acceptable.

ISAKMP:(1001):Input = IKE_MESG_FROM_AAA.5 dport 500 sport 500 Global (R) AG_INIT_EXCH ISAKMP:(1001): processing HASH payload. message ID = 0 ISAKMP:received payload type 20 ISAKMP (1001): His hash no match .4 protocol : 0 port : 0 length : 12 ISAKMP:(1001):Total payload length: 12 ISAKMP:(1001): sending packet to 10.104.1.5 my_port 500 peer_port 500 (R) AG_INIT_EXCH ISAKMP:(1001):Sending an IKE IPv4 Packet. message ID = 0 ISAKMP:(0): processing NONCE payload.105. message ID = 0 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID is DPD ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch ISAKMP:(0): vendor ID is XAUTH ISAKMP:(0): processing vendor id payload ISAKMP:(0): claimed IOS but failed authentication ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID is Unity ISAKMP:(0):Input = IKE_MESG_FROM_PEER. ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch ISAKMP (0): vendor ID is NAT-T RFC 3947 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch ISAKMP (0): vendor ID is NAT-T v7 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch ISAKMP:(0): vendor ID is NAT-T v3 ISAKMP:(0): processing vendor id payload ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP:(0): vendor ID is NAT-T v2 ISAKMP:(0): processing KE payload.1.CCIE SECURITY v4 Lab Workbook ISAKMP:(0)::Started lifetime timer: 86400.105. 
IKE_AM_EXCH ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT ISAKMP:(1001): constructed NAT-T vendor-rfc3947 ID ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR ISAKMP (1001): ID payload next-payload : 10 type : 1 address : 10.1.this node outside NAT ISAKMP:received payload type 20 ISAKMP (1001): No NAT Found for self or peer ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1 Page 544 of 1033 . PRESHARED_KEY_REPLY ISAKMP:(1001):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2 ISAKMP (1001): received packet from 10.

1.4/10.5 dport 500 sport 500 Global (R) QM_IDLE ISAKMP: set new node 793798316 to QM_IDLE ISAKMP:(1001):processing transaction payload from 10.104.5 remote port 500 ISAKMP:(1001):returning IP addr to the address pool ISAKMP: Trying to insert a peer 10.1.1. ISAKMP:(1001):purging node 1434551794 ISAKMP: Sending phase 1 responder lifetime 86400 ISAKMP:(1001):Input = IKE_MESG_FROM_PEER.105.5 ISAKMP:(1001):SA authentication status: authenticated ISAKMP:(1001): Process initial contact.5/500/.105.1. ISAKMP:(1001):Returning Actual lifetime: 86400 ISAKMP: set new node 1434551794 to QM_IDLE ISAKMP:(1001):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1234317488.4 remote 10.1. IKE_AM_EXCH ISAKMP:(1001):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE ISAKMP (1001): received packet from 10. message ID = 793798316 ISAKMP: Config payload REQUEST ISAKMP:(1001):checking request: ISAKMP: MODECFG_CONFIG_URL ISAKMP: MODECFG_CONFIG_VERSION ISAKMP: IP4_DNS ISAKMP: IP4_DNS ISAKMP: IP4_NBNS ISAKMP: IP4_NBNS ISAKMP: SPLIT_INCLUDE ISAKMP: SPLIT_DNS ISAKMP: DEFAULT_DOMAIN ISAKMP: MODECFG_SAVEPWD ISAKMP: INCLUDE_LOCAL_LAN ISAKMP: PFS ISAKMP: BACKUP_SERVER ISAKMP: APPLICATION_VERSION ISAKMP: MODECFG_BANNER ISAKMP: MODECFG_IPSEC_INT_CONF ISAKMP: MODECFG_HOSTNAME The client has requested several parameters. message ID = 0.1.105.105.104.CCIE SECURITY v4 Lab Workbook spi 0. and inserted successfully 4A0B08AC. message ID = 1434551794 ISAKMP:(1001): sending packet to 10.5.105. ISAKMP/author: Author request for group R5successfully sent to AAA Page 545 of 1033 . sa = 499D5A4C ISAKMP:(1001):SA authentication status: authenticated ISAKMP:(1001):SA has been authenticated with 10.1. bring down existing phase 1 and 2 SA's with local 10.5 my_port 500 peer_port 500 (R) QM_IDLE ISAKMP:(1001):Sending an IKE IPv4 Packet.1.105.

4(24)T2. message ID = -618165756 ISAKMP:(1001):Checking IPSec proposal 1 ISAKMP: transform 1. ISAKMP:(1001):Input = IKE_MESG_FROM_PEER.105. Sending empty reply.5 my_port 500 peer_port 500 (R) CONF_ADDR ISAKMP:(1001):Sending an IKE IPv4 Packet. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-SHA ISAKMP: key length is 128 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. Version 12. RELEASE SOFTWARE (fc2) Technical Support: http://www. ISAKMP:(1001):Input = IKE_MESG_INTERNAL. IKE_AAA_GROUP_ATTR ISAKMP:(1001):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE ISAKMP:FSM error .cisco.5. Inc.5 dport 500 sport 500 Global (R) QM_IDLE ISAKMP: set new node -618165756 to QM_IDLE ISAKMP:(1001): processing HASH payload. IKE_PHASE1_COMPLETE ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISAKMP (1001): received packet from 10. Compiled Mon 19-Oct-09 17:38 by prod_rel_team ISAKMP: Sending IPsec Interface Config reply value 0 ISAKMP (1001): Unknown Attr: MODECFG_HOSTNAME (0x700A) ISAKMP:(1001): responding to peer config from 10. ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 2 ISAKMP: transform 1.105. ID = 793798316 ISAKMP: Marking node 793798316 for late deletion ISAKMP:(1001): sending packet to 10. IKE_PHASE1_COMPLETE ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE ISAKMP:(1001):Input = IKE_MESG_INTERNAL.1.com/techsupport Copyright (c) 1986-2009 by Cisco Systems. IKE_CFG_REQUEST ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT ISAKMP:(1001):Receive config attributes requested butconfig attributes not in crypto map. 2800 Software (C2800NMADVENTERPRISEK9-M). 
ISAKMP:(1001):Talking to a Unity Client ISAKMP:(1001):Input = IKE_MESG_FROM_AAA.Message from AAA grp/user.1. ESP_AES ISAKMP: attributes in transform: Page 546 of 1033 . ISAKMP:(1001):attributes sent in message: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software. message ID = -618165756 ISAKMP:(1001): processing SA payload.1.CCIE SECURITY v4 Lab Workbook The client request has been directed to the router’s AAA process in accordance with AAA authorization list configured in the ISAKMP profile.105.

ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 3 ISAKMP: transform 1. ISAKMP:(1001): IPSec policy invalidated proposal with error 256 Page 547 of 1033 . IPPCP LZS ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 4 ISAKMP: transform 1. ISAKMP:(1001):Checking IPSec proposal 3 ISAKMP:(1001):transform 1.CCIE SECURITY v4 Lab Workbook ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 ISAKMP: key length is 128 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. IPPCP LZS ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-SHA ISAKMP: key length is 128 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 ISAKMP: key length is 128 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. 
ISAKMP:(1001):Checking IPSec proposal 4 ISAKMP:(1001):transform 1.

ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 8 ISAKMP: transform 1. ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 9 ISAKMP: transform 1. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 ISAKMP: key length is 192 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable.CCIE SECURITY v4 Lab Workbook ISAKMP:(1001):Checking IPSec proposal 5 ISAKMP: transform 1. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 ISAKMP: key length is 256 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ESP_AES ISAKMP: attributes in transform: Page 548 of 1033 . ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 6 ISAKMP: transform 1. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-SHA ISAKMP: key length is 256 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-SHA ISAKMP: key length is 192 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 7 ISAKMP: transform 1.

Negotiating of IPSec tranform-sets (hardcoded in the client software). ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 11 ISAKMP: transform 1. ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-MD5 ISAKMP: key length is 256 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ISAKMP:(1001):Checking IPSec proposal 10 ISAKMP:(1001):transform 1.CCIE SECURITY v4 Lab Workbook ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-SHA ISAKMP: key length is 256 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. ISAKMP:(1001): IPSec policy invalidated proposal with error 256 ISAKMP:(1001):Checking IPSec proposal 10 ISAKMP: transform 1. ISAKMP:(1001):Checking IPSec proposal 9 ISAKMP:(1001):transform 1. ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of ISAKMP: authenticator is HMAC-SHA 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. IPPCP LZS ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable. Page 549 of 1033 . 
IPPCP LZS ISAKMP: attributes in transform: ISAKMP: encaps is 1 (Tunnel) ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 0x0 0x46 0x50 0x0 ISAKMP:(1001):atts are acceptable.

5.1.5 dport 500 sport 500 Global (R) QM_IDLE ISAKMP:(1001):deleting node -618165756 error FALSE reason "QM done (await)" ISAKMP:(1001):Node -618165756. Input = IKE_MESG_FROM_PEER.5 my_port 500 peer_port 500 (R) QM_IDLE ISAKMP:(1001):Sending an IKE IPv4 Packet. Input = IKE_MESG_FROM_PEER. message ID = -618165756 ISAKMP:(1001): processing ID payload.5.4 (f/i) 0/ 0 (proxy 5.105.1.0.1. message ID = -618165756 ISAKMP:(1001): processing ID payload.1. Input = IKE_MESG_INTERNAL.0) has spi 0xD5881B72 and conn_id 0 lifetime of 2147483 seconds lifetime of 4608000 kilobytes ISAKMP:(1001): sending packet to 10.CCIE SECURITY v4 Lab Workbook ISAKMP:(1001): processing NONCE payload.0.1.5 to 10. IKE_QM_EXCH ISAKMP:(1001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE R4#un all Page 550 of 1033 . message ID = -618165756 ISAKMP:(1001):QM Responder gets spi ISAKMP:(1001):Node -618165756.0 to 5.5 (f/i) 0/0 (proxy 0.5.4 to 10.5.105.105.104.0 to 0.0.0) has spi 0xD4F8B509 and conn_id 0 lifetime of 2147483 seconds lifetime of 4608000 kilobytes outbound SA from 10. IKE_GOT_SPI ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 ISAKMP (1001): received packet from 10. IKE_QM_EXCH ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE ISAKMP:(1001):deleting node 793798316 error FALSE reason "No Error" ISAKMP:(1001): Creating IPSec SAs inbound SA from 10.105.104. ISAKMP:(1001):Node -618165756.0.1.
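The Phase 1 part of the debug above is the server walking through the client's seventeen ISAKMP transforms until transform 17 matches its policy. The following Python parser is an added example (not from the workbook): it turns a constructed excerpt in the same debug format into structured records, decodes the variable-length lifetime attribute (0x0 0x20 0xC4 0x9B is the 2147483 seconds the debug later reports as life_in_seconds), and reports why each transform was rejected.

```python
import re

# Constructed excerpt in the format of "debug crypto isakmp" on an IOS responder;
# the transform numbers and attributes mirror the workbook's session.
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 17 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):atts are acceptable. Next payload is 3
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|keylength of|hash|default group|auth|"
                     r"life type in|life duration \(VPI\) of)\s+(.+)$")


def decode_vpi(hex_bytes):
    """Decode a variable-length ISAKMP attribute, e.g. '0x0 0x20 0xC4 0x9B' -> 2147483."""
    value = 0
    for token in hex_bytes.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_transforms(debug_text):
    """Return one dict per 'Checking ISAKMP transform' block, with its attributes and verdict."""
    transforms, current = [], None
    for line in debug_text.splitlines():
        line = line.strip()
        if m := CHECK_RE.search(line):
            current = {"number": int(m.group(1)), "policy": int(m.group(2)),
                       "accepted": None, "reason": None}
            transforms.append(current)
        elif current is None:
            continue
        elif m := ATTR_RE.match(line):
            key, val = m.group(1), m.group(2).strip()
            if key == "life duration (VPI) of":
                current["life_seconds"] = decode_vpi(val)   # preceded by "life type in seconds"
            elif key in ("keylength of", "default group"):
                current["keylength" if key == "keylength of" else "group"] = int(val)
            elif key == "life type in":
                current["life_type"] = val
            else:
                current[key] = val
        elif "does not match policy" in line:
            current["reason"] = line.split(":")[-1]         # the text after "ISAKMP:(0):"
        elif "atts are not acceptable" in line:
            current["accepted"], current = False, None
        elif "atts are acceptable" in line:
            current["accepted"], current = True, None
    return transforms


def negotiated(transforms):
    """The first accepted transform: this is what the responder's matching policy looks like."""
    return next((t for t in transforms if t["accepted"]), None)


def rejection_summary(transforms):
    """Count rejected transforms per reason, which points at the attribute the client lacks."""
    summary = {}
    for t in transforms:
        if t["accepted"] is False:
            summary[t["reason"]] = summary.get(t["reason"], 0) + 1
    return summary


if __name__ == "__main__":
    parsed = parse_transforms(SAMPLE_DEBUG)
    print("negotiated:", negotiated(parsed))
    print("rejections:", rejection_summary(parsed))
```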

Lab 1.48. GRE over IPSec

This lab is based on the configuration of the previous labs. You need to perform the actions from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before going through this lab.

Lab Setup

• R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
• R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
• R2's G0/1 and ASA2's E0/0 interface should be configured in VLAN 122
• R4's F0/0 and ASA2's E0/2 interface should be configured in VLAN 104
• R5's F0/0 and ASA2's E0/1 interface should be configured in VLAN 105
• Configure Telnet on all routers using password "cisco"
• Configure default routing on R1, R4 and R5 pointing to the respective ASA's interface
• Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing

Device   Interface / ifname / sec level     IP address
R1       Lo0                                1.1.1.1/24
         F0/0                               10.1.101.1/24
R2       G0/0                               192.168.1.2/24
         G0/1                               192.168.2.2/24
R4       Lo0                                4.4.4.4/24
         F0/0                               10.1.104.4/24
R5       Lo0                                5.5.5.5/24
         F0/0                               10.1.105.5/24
ASA1     E0/0, Outside, Security 0          192.168.1.10/24
         E0/1, Inside, Security 100         10.1.101.10/24
ASA2     E0/0, Outside, Security 0          192.168.2.10/24
         E0/1, Inside_CA, Security 100      10.1.105.10/24
         E0/2, Inside_US, Security 100      10.1.104.10/24

Task 1

Configure a GRE tunnel between R5 and R4. Use 192.168.34.x/24 as the tunnel IP addresses and ensure that information passing through the tunnel is encrypted. The tunnel should pass EIGRP AS 34 multicast packets exchanging information about the Loopback0 networks. Use the following parameters for the IPSec protocol:

• ISAKMP Parameters
  o Authentication: Pre-shared
  o Group: 1
  o Encryption: DES
  o Hash: SHA
  o Key: ccie123
• IPSec Parameters
  o Encryption: ESP-DES
  o Authentication: ESP-SHA-HMAC

Make appropriate changes on the ASA2 firewall to allow the connections.

Configuration

Complete these steps:

Step 1 R5 configuration.

R5(config)#interface Tunnel0
R5(config-if)#ip address 192.168.34.5 255.255.255.0
R5(config-if)#tunnel source f0/0
R5(config-if)#tunnel destination 10.1.104.4

Definition of the GRE tunnel interface ("tunnel mode gre ip" is the default). GRE allows transport of multicast traffic, which enables the use of dynamic routing protocols like EIGRP between R5 and R4. Encrypting the GRE tunnel that transports the multicast packets is the best way of securing such traffic.

R5(config-if)#crypto isakmp policy 10
R5(config-isakmp)#authentication pre-share
R5(config-isakmp)#exit
R5(config)#crypto isakmp key cisco123 address 10.1.104.4
R5(config)#access-list 120 permit gre host 10.1.105.5 host 10.1.104.4

Only the GRE traffic between R5 and R4 will be encrypted.

R5(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
R5(cfg-crypto-trans)#exit
R5(config)#crypto map GRE-IPSEC 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R5(config-crypto-map)#set peer 10.1.104.4
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#exit
R5(config)#int f0/0
R5(config-if)#crypto map GRE-IPSEC
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#router eigrp 34
R5(config-router)#no auto
R5(config-router)#network 192.168.34.5 0.0.0.0
R5(config-router)#network 5.5.5.5 0.0.0.0

Step 2 R4 configuration.

R4(config)#interface Tunnel0
R4(config-if)#ip address 192.168.34.4 255.255.255.0
R4(config-if)#tunnel source f0/0
R4(config-if)#tunnel destination 10.1.105.5
R4(config-if)#exit
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#exit
R4(config)#crypto isakmp key cisco123 address 10.1.105.5
R4(config)#access-list 120 permit gre host 10.1.104.4 host 10.1.105.5
R4(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#crypto map GRE-IPSEC 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.1.105.5
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#match address 120
R4(config-crypto-map)#int f0/0
R4(config-if)#crypto map GRE-IPSEC
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exit
R4(config)#router eigrp 34
R4(config-router)#no auto
R4(config-router)#network 192.168.34.4 0.0.0.0
R4(config-router)#network 4.4.4.4 0.0.0.0

Step 3 ASA2 configuration.

ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config-pmap-c)# exi
ASA2(config-pmap)# exi

ASA2(config)# same-security-traffic permit inter-interface

Verification

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 34: Neighbor 192.168.34.4 (Tunnel0) is up: new adjacency
R5#

EIGRP is working between R5 and R4 through the GRE tunnel.

R5#ping 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.105.10 to network 0.0.0.0

     4.0.0.0/24 is subnetted, 1 subnets
D       4.4.4.0 [90/27008000] via 192.168.34.4, 00:00:30, Tunnel0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.105.0 is directly connected, FastEthernet0/0
C    192.168.34.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.105.10

Routing information for the network on R4's loopback has been learnt by EIGRP.

R5#sh int tu0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.34.5/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.1.105.5 (FastEthernet0/0), destination 10.1.104.4
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:03, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 110
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     21 packets input, 1900 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     21 packets output, 1900 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Remember that if detection of an IPSec-protected GRE tunnel failure is needed, GRE keepalives must NOT be used. If GRE keepalives are configured on an IPSec-protected GRE interface, the tunnel will flap. The IPSec DPD (Dead Peer Detection) feature should be used instead.

R5#sh ip protocol
Routing Protocol is "eigrp 34"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 34
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    5.5.5.5/32
    192.168.34.5/32
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.34.4          90      00:00:45
  Distance: internal 90 external 170

Information about the routes learnt and the source of that information is presented.

R5#sh ip eigrp neighbor
IP-EIGRP neighbors for process 34
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.34.4            Tu0               12 00:00:58   11  1434  0  3

R4 is the EIGRP neighbour of R5 on the Tunnel0 interface.

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  10.1.105.5      10.1.104.4             ACTIVE des  sha  psk  1  23:58:52
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

The ISAKMP SA has been established.

R5#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: GRE-IPSEC, local addr 10.1.105.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.105.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.104.4/255.255.255.255/47/0)
   current_peer 10.1.104.4 port 500
     PERMIT, flags={origin_is_acl,}

Local and remote IPSec proxies. Note that only GRE (IP protocol 47) is transported through the tunnel.

    #pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 110, #recv errors 0

     local crypto endpt.: 10.1.105.5, remote crypto endpt.: 10.1.104.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD7DDE0F5(3621642485)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3007AC1D(805809181)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: GRE-IPSEC
        sa timing: remaining key lifetime (k/sec): (4545433/3527)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD7DDE0F5(3621642485)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: GRE-IPSEC
        sa timing: remaining key lifetime (k/sec): (4545433/3527)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 34: Neighbor 192.168.34.5 (Tunnel0) is up: new adjacency
R4#
R4#ping 5.5.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.104.10 to network 0.0.0.0

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/27008000] via 192.168.34.5, 00:01:34, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.104.0 is directly connected, FastEthernet0/0
C    192.168.34.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.104.10
R4#sh int tu0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.34.4/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.1.104.4 (FastEthernet0/0), destination 10.1.105.5
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:04, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 9
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     41 packets input, 3780 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     41 packets output, 3780 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
R4#sh ip protocol
Routing Protocol is "eigrp 34"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 34
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    4.4.4.4/32
    192.168.34.4/32
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.34.5          90      00:01:51
  Distance: internal 90 external 170
R4#sh ip eigrp neighbor
IP-EIGRP neighbors for process 34
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.34.5            Tu0               13 00:01:59   14  1434  0  3
R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  10.1.104.4      10.1.105.5             ACTIVE des  sha  psk  1  23:57:50
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: GRE-IPSEC, local addr 10.1.104.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.104.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.105.5/255.255.255.255/47/0)
   current_peer 10.1.105.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
    #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0

     local crypto endpt.: 10.1.104.4, remote crypto endpt.: 10.1.105.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x3007AC1D(805809181)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD7DDE0F5(3621642485)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: GRE-IPSEC
        sa timing: remaining key lifetime (k/sec): (4512546/3466)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3007AC1D(805809181)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: GRE-IPSEC
        sa timing: remaining key lifetime (k/sec): (4512546/3466)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Task 2

Configure GRE tunnel between R1 and R2. The tunnel should pass EIGRP AS 12 multicast packets exchanging information about R1's Loopback0 and R2's g0/1 networks. Use 192.168.12.x/24 as tunnel IP addresses and ensure that information passing the tunnel is encrypted using IPSec Profiles:

 ISAKMP Parameters
o Authentication: Pre-shared
o Group: 1
o Encryption: DES
o Hash: SHA
o Key: ccie123

 IPSec Parameters
o Encryption: ESP-DES
o Authentication: ESP-SHA-HMAC

Make appropriate changes on ASA1 firewall to allow connections.

Configuration

Complete these steps:

Step 1 R1 configuration.

R1(config)#interface Tunnel0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#tunnel source f0/0
R1(config-if)#tunnel destination 192.168.1.2
R1(config-if)#!
R1(config-if)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#!
R1(config)#crypto isakmp key cisco123 address 192.168.1.2
R1(config)#!
R1(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config)#crypto ipsec profile GRE-VPN
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exit

IPSec profile has been configured. In the next step this profile will be tied to the Tunnel0 interface. The crypto ACL that defines the GRE traffic as interesting is no longer required: the IPSec profile attached to the GRE tunnel defines the interesting traffic automatically.

R1(config)#int tu0
R1(config-if)#tunnel protection ipsec profile GRE-VPN
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exi
R1(config)#router eigrp 12
R1(config-router)#no auto
R1(config-router)#network 192.168.12.1 0.0.0.0
R1(config-router)#network 1.1.1.1 0.0.0.0
R1(config-router)#exi

168.0 R2(config-if)#tunnel source g0/0 R2(config-if)#tunnel destination 10.1 eq 500 ASA1(config)# access-list OUTSIDE_IN permit esp host 192.255.1 ASA1(config)# access-group OUTSIDE_IN in interface Outside Page 563 of 1033 .2 255.101.168.12.1.255.2 host 10.1.0.0.2.12.1 R2(config)#! R2(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac R2(cfg-crypto-trans)#exit R2(config)#! R2(config)#crypto ipsec profile GRE-VPN R2(ipsec-profile)#set transform-set TSET R2(ipsec-profile)#exit R2(config)#! R2(config)#int tu0 R2(config-if)#tunnel protection ipsec profile GRE-VPN R2(config-if)#exit R2(config)#! R2(config)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0. R2(config)#interface Tunnel0 R2(config-if)#ip address 192.101.1. changed state to down R2(config)#router eigrp 12 R2(config-router)#no auto R2(config-router)#network 192.0.0 R2(config-router)#exit R2(config)#ip route 10.255.2 0.1 R2(config-if)#! R2(config-if)#crypto isakmp policy 10 R2(config-isakmp)#authentication pre-share R2(config-isakmp)#exit R2(config)#! R2(config)#crypto isakmp key cisco123 address 10.101.1.101.168.1.2 0.0.10 Step 3 ASA1 configuration. ASA1(config)# policy-map global_policy ASA1(config-pmap)# class inspection_default ASA1(config-pmap-c)# inspect ipsec-pass-thru ASA1(config-pmap-c)# exi ASA1(config-pmap)# exi ASA1(config)# access-list OUTSIDE_IN permit udp host 192.168.1 255.168.CCIE SECURITY v4 Lab Workbook Step 2 R2 configuration.2 eq 500 host 10.1.0 R2(config-router)#network 192.168.1.255 192.255.1.101.

#pkts digest: 40 #pkts decaps: 33. 100-byte ICMP Echos to 192.1.1. round-trip min/avg/max = 1/2/4 ms R1#sh cry ips sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0.168.255/47/0) remote ident (addr/mask/prot/port): (192.168.Preshared key. #pkts decompress failed: 0 #send errors 11. #pkts encrypt: 40.Dead Peer Detection K . current_peer 192.255.168. X .2.1. failed: 0 #pkts not decompressed: 0.255. #pkts decrypt: 33. Local and remote proxy are available without crypto ACL. N .CCIE SECURITY v4 Lab Workbook Verification %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 192. #pkts compr. Sending 5.2. flags={origin_is_acl.2 Page 564 of 1033 .2 port 500 PERMIT.1.2 (Tunnel0) is up: new adjacency R1# R1#sh cry isak sa det Codes: C .IKE configuration mode.168.12. #pkts verify: 33 #pkts compressed: 0. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5).1.1/255. #recv errors 0 local crypto endpt.1 protected vrf: (none) local ident (addr/mask/prot/port): (10.2/255.168.1. ACTIVE des sha psk 1 23:59:12 SW:1 IPv6 Crypto ISAKMP SA R1#ping 192.: 192.: 10. #pkts decompressed: 0 #pkts not compressed: 0.RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote 1001 10.255/47/0) This has been done by IPSec profile.1.1. remote crypto endpt.101.cTCP encapsulation.101.1.Keepalives.2.168.1 192.2 Engine-id:Conn-id = I-VRF Status Encr Hash Auth DH Lifetime Cap. rsig .2 Type escape sequence to abort. local addr 10.101.NAT-traversal T .168.255.255.RSA signature renc . D .101.} #pkts encaps: 40.IKE Extended Authentication psk .

12.0/24 is subnetted.BGP D .0.IS-IS level-1.connected.cTCP encapsulation.0.IKE configuration mode.0 is directly connected.101. N . D . Tunnel0 S* 0.101.0/24 [90/26882560] via 192. E2 .2.12.OSPF inter area N1 .1. ip mtu 1500.2.1 (Tunnel0) is up: new adjacency R2# R2#sh crypto isak sa det Codes: C .101.OSPF NSSA external type 2 E1 .EIGRP.0 is directly connected.NAT-traversal T . L1 .per-user static route o .RIP.IS-IS.168. * .168.2 10.1.static.0.168.0/24 is directly connected.IS-IS inter area.0.OSPF. R . U .mobile. su . Loopback0 10. DH group: none inbound esp sas: spi: 0x7FF28A80(2146601600) R1#sh ip route Codes: C .RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote 1001 192.Preshared key. Tunnel0 1.Dead Peer Detection K .EIGRP external.101.IKE Extended Authentication psk . S .10 to network 0. L2 .0/0 [1/0] via 10.OSPF external type 2 i . X .0 C 192.CCIE SECURITY v4 Lab Workbook path mtu 1500.OSPF external type 1.0.12.0. FastEthernet0/0 D 192.168.10 R1#sh ip eigrp neighbor IP-EIGRP neighbors for process 12 H Address Interface 0 192.Keepalives.RSA signature renc .1.candidate default. 00:01:40. B . O .1.0. N2 . EX . ACTIVE des SW:1 Page 565 of 1033 sha psk 1 23:57:16 .1. IA .12.1 Engine-id:Conn-id = I-VRF Status Encr Hash Auth DH Lifetime Cap.0.0/24 is subnetted. M .2 Tu0 Hold Uptime SRTT (sec) (ms) 14 00:01:51 11 RTO Q Seq Cnt Num 1434 0 3 %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 192. 1 subnets C 10. 1 subnets C 1.168.periodic downloaded static route Gateway of last resort is 10.ODR. rsig .1.OSPF NSSA external type 1. P .IS-IS level-2 ia .IS-IS summary.168.1. ip mtu idb FastEthernet0/0 current outbound spi: 0xE0102732(3759154994) PFS (Y/N): N.

ip mtu 1500. #pkts compr. #pkts verify: 51 #pkts compressed: 0.CCIE SECURITY v4 Lab Workbook IPv6 Crypto ISAKMP SA R2#sh crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0. #pkts digest: 58 #pkts decaps: 51. #pkts decrypt: 51. sibling_flags 80000046.1.: 10.168. sibling_flags 80000046. local addr 192. flow_id: Onboard VPN:2.1. in use settings ={Tunnel.2 protected vrf: (none) local ident (addr/mask/prot/port): (192.255.168. #pkts decompress failed: 0 #send errors 1.1. } conn id: 2001.1 port 500 PERMIT. #recv errors 0 local crypto endpt.1.255/47/0) current_peer 10.2/255.1 path mtu 1500. flow_id: Onboard VPN:1.255/47/0) remote ident (addr/mask/prot/port): (10.168. ip mtu idb GigabitEthernet0/0 current outbound spi: 0x7FF28A80(2146601600) PFS (Y/N): N.2.255. remote crypto endpt.1/255.255.1.101.101. } conn id: 2002. crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4467999/3431) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x7FF28A80(2146601600) transform: esp-des esp-sha-hmac . #pkts encrypt: 58. in use settings ={Tunnel.} #pkts encaps: 58. crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4467999/3431) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: Page 566 of 1033 . failed: 0 #pkts not decompressed: 0.: 192. DH group: none inbound esp sas: spi: 0xE0102732(3759154994) transform: esp-des esp-sha-hmac .1. flags={origin_is_acl.255.101. #pkts decompressed: 0 #pkts not compressed: 0.

101.0/24 is directly connected.168.0.105. 00:02:29.0/24 [1/0] via 192. GigabitEthernet0/1 ASA1(config)# sh access-list access-list cached ACL log flows: total 0.OSPF.168. N2 .10 S 10.OSPF NSSA external type 2 E1 .2 eq isakmp host 10.1/32 [1/0] via 192.0/24 is directly connected.168. denied 0 (deny-flow-max 4096) alert-interval 300 access-list OUTSIDE_IN.1.10 C 192.104.1.IS-IS summary. 2 elements.RIP.EIGRP.0/24 [1/0] via 192. L2 . U . P .0/8 is variably subnetted.per-user static route o .static.168.168. * .IS-IS.1. Tunnel0 1.0.101.1.OSPF NSSA external type 1.2. EX .101.1.1.2. name hash: 0xe01d8199 access-list OUTSIDE_IN line 1 extended permit udp host 192.connected. IA .168.ODR. 4 subnets.0/24 [1/0] via 192.periodic downloaded static route Gateway of last resort is not set C 192.OSPF external type 1.IS-IS level-1. su .0/24 is subnetted.1.CCIE SECURITY v4 Lab Workbook outbound pcp sas: R2#sh ip route Codes: C . GigabitEthernet0/0 C 192.168.12.1 eq isakmp (hitcnt=0) 0xd890bccc  This is 0 because the tunnel was initiated from R1 access-list OUTSIDE_IN line 2 extended permit esp host 192. L1 . 2 masks S 10.IS-IS level-2 ia .BGP D .168.101.OSPF inter area N1 .168.1.0.mobile.1. O . E2 .OSPF external type 2 i .168.IS-IS inter area.EIGRP external.0/24 is directly connected.1 (hitcnt=1) 0x8ff474ec Page 567 of 1033 . Tunnel0 10.1.2. 1 subnets D 1.candidate default.12.10 S 10.1.0. S .10 S 10.1.1. B . R .1.0 [90/27008000] via 192.2 host 10. M .

Lab 1.49. DMVPN Phase 1

Lab Setup

 R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
 R2's S0/1/0 and R5's S0/1/0 interface should be configured in a frame-relay point-to-point manner
 R2's S0/1/0 and R4's S0/0/0 interface should be configured in a frame-relay point-to-point manner
 Configure Telnet on all routers using password "cisco"
 Configure default routing on R1, R4 and R5 pointing to the R2

IP Addressing

Device   Interface     IP address
R1       Lo0           192.168.1.1/24
         F0/0          10.1.12.1/24

R2       F0/0          10.1.12.2/24
         S0/1/0.24     10.1.24.2/24
         S0/1/0.25     10.1.25.2/24
R4       S0/0/0.42     10.1.24.4/24
         Lo0           192.168.4.4/24
R5       S0/1/0.52     10.1.25.5/24
         Lo0           192.168.5.5/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R1, R4 and R5, where R1 is acting as a Hub. Traffic originated from every Spoke's loopback interface should be transmitted securely via the Hub to the other spokes. You must use EIGRP dynamic routing protocol to let other spokes know about protected networks. Use the following settings when configuring tunnels:

• Tunnel Parameters
o IP address: 172.16.145.0/24
o IP MTU: 1400
o Tunnel Authentication Key: 12345
• NHRP Parameters
o NHRP ID: 12345
o NHRP Authentication key: cisco123
o NHRP Hub: R1
• Routing Protocol Parameters
o EIGRP 145

Encrypt the GRE traffic using the following parameters:

• ISAKMP Parameters
o Authentication: Pre-shared
o Encryption: 3DES
o Hashing: SHA
o DH Group: 2

o Pre-Shared Key: cisco123
• IPSec Parameters
o Encryption: ESP-3DES
o Authentication: ESP-SHA-HMAC

Dynamic Multipoint Virtual Private Network (DMVPN) was introduced by Cisco in late 2000. This technology was developed to address the need for automatically created VPN tunnels when dynamic IP addresses are in use on the spokes. In GRE over IPSec (described in the previous lab) both ends of the connection must have a static, unchangeable IP address. It is possible, however, to create many GRE Site-to-Site tunnels from a company's branches to the Headquarters. This is a pure Hub-and-Spoke topology where all branches may communicate with each other securely through the Hub. In DMVPN the spokes may have dynamic IP addresses, but there must be a static IP address on the Hub.

The Hub must be connected to many spokes at the same time, so there was another issue to solve: how to configure the Hub so that it does not need many Tunnel interfaces (one for each Site-to-Site tunnel with a spoke). The answer is: use the GRE multipoint type of tunnel, where we do not need to specify the other end of the tunnel statically. There is also an additional technology used to let the hub know what dynamic IP addresses are in use by the spokes. This is NHRP (Next Hop Resolution Protocol), which works like ARP but for layer 3. All it does is build a dynamic database, stored on the hub, with information about the spokes' IP addresses. Now the Hub knows its IPSec peers and can build the tunnels with them.

That being said, there are three DMVPN variants called phases:

 Phase 1: simple Hub and Spoke topology where dynamic IP addresses on the spokes may be used
 Phase 2: Hub and Spoke with Spoke to Spoke direct communication allowed
 Phase 3: Hub and Spoke with Spoke to Spoke direct communication allowed with better scalability using NHRP Redirects

All the above phases will be described in more detail in the next few labs.

Configuration

Complete these steps:

Step 1 R1 configuration.

First we need an ISAKMP Policy with a pre-shared key configured. Note that in DMVPN we need to configure a so-called "wildcard PSK" because there may be many peers. This is why the more common solution in DMVPN is to use certificates and PKI. In DMVPN Phase 1 there is no need for a wildcard PSK, as there is only the Hub to Spoke tunnel, so we know the peers.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport

The "mode transport" is used for decreasing the IPSec packet size (the outer IP header which is present in tunnel mode is not added in transport mode).

R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exi

There is only one Tunnel interface on every DMVPN router. This is because we use the GRE multipoint type of tunnel.

R1(config)#interface Tunnel0
R1(config-if)#ip address 172.16.145.1 255.255.255.0
R1(config-if)#ip mtu 1400

The Maximum Transmission Unit is decreased to ensure that a DMVPN packet will not exceed the IP MTU set on non-tunnel IP interfaces, usually 1500 bytes. (When "transport mode" is used, the DMVPN packet consists of the original IP packet, the GRE header, the ESP header and the outer IPSec IP header. If the original IP packet size is close to the IP MTU set on the real IP interface, adding the GRE and IPSec headers may lead to exceeding that value.)

R1(config-if)#ip nhrp authentication cisco123
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 12345

The Hub works as the NHS (Next Hop Server). The NHRP configuration on the Hub is straightforward. First, we

need the NHRP network ID to identify the instance and an authentication key to secure NHRP registration. There is a need for NHRP static mapping on the Hub. The Hub must be able to send all multicast traffic down to the spokes, so that dynamic routing protocols can distribute routes between them. The line "ip nhrp map multicast dynamic" simply tells the NHRP server to replicate all multicast traffic to all dynamic entries in the NHRP table (entries with the flag "dynamic").

R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 12345
R1(config-if)#tunnel protection ipsec profile DMVPN

A regular GRE tunnel needs the source and destination of the tunnel to be specified. In the GRE multipoint tunnel type, however, there is no need for a destination, because there may be many destinations: as many as there are Spokes. The actual tunnel destination is derived from the NHRP database. The tunnel has a key for identification purposes, as there may be many tunnels on one router and the router must know which tunnel a packet is destined to. Finally, we must encrypt the traffic. DMVPN may work without any encryption, so no worries. Encryption is done by attaching the IPSec Profile to the tunnel.

R1(config-if)#no ip split-horizon eigrp 145

Since we use EIGRP between the Hub and the Spokes, we need to disable Split Horizon for that protocol so that routes gathered from one Spoke can be sent to the other Spoke. The Split Horizon rule says: "information about the routing is never sent back in the direction from which it was received". This is a basic rule for loop prevention. I recommend leaving that command aside for a while when configuring DMVPN and adding it to the configuration once we know the tunnels work fine.

R1(config-if)#exi
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Tunnel0 has changed its state to "UP". The ISAKMP protocol is enabled and operates on the router.

R1(config)#router eigrp 145
R1(config-router)#network 172.16.145.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R1(config-router)#exi

Finally we need a routing protocol over the tunnel. Again, this protocol will be used to carry the information about the networks behind the Spokes (or the Hub). Be careful when configuring it, as there is a chance of getting into a "recursive loop". This means we shouldn't use the same dynamic routing protocol instance both for the prefixes available over the tunnel and for the underlying connectivity between Hub and Spokes.

Step 2 R5 configuration.

R5 is our first Spoke. Most of the commands below have been described already. Remember, we need the ISAKMP Policy configuration and the PSK.

R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi

R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R5(config-if)# ip nhrp network-id 12345
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1

NHRP Client configuration.

The tunnel interface configuration is slightly different on the Spoke than on the Hub. This is because the Spoke works as an NHRP Client to the Hub (NHS). We need our Spoke to register with the NHS, so we need to configure the following:

 NHRP authentication key – to authenticate successfully to the NHS
 NHRP Network ID – to be authenticated to the correct NHS instance
 NHRP Holdtime – to tell the NHS for how long

it should treat the registered spoke's IP address as valid
 NHS – IP address of the NHRP Server; note this is its Private (tunnel) IP address. To resolve this address to the Public (Physical) IP address of the NHS, we need the last command, which is:
 NHRP static mapping – to resolve the NHS' Physical IP address

This mapping is very important, as it causes the Spoke to initiate the GRE tunnel to the Hub. Without it the Spoke has no clue how to register with the NHS.

R5(config-if)# tunnel source Serial0/1/0.52
R5(config-if)# tunnel destination 10.1.12.1
R5(config-if)# tunnel key 12345
R5(config-if)# tunnel protection ipsec profile DMVPN

The tunnel configuration is also different. On the Spoke there is no reason to use the GRE multipoint tunnel mode, because there is only one tunnel (Spoke to Hub) in DMVPN Phase 1. Hence, we are obliged to provide both the source and the destination of the tunnel.

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi
R5(config)#router eigrp 145
R5(config-router)# network 172.16.145.0 0.0.0.255
R5(config-router)# network 192.168.5.0
R5(config-router)# no auto-summary
R5(config-router)#ex
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R5(config-router)#exi

The router has established an EIGRP adjacency through the tunnel. Note that the adjacency has been established with the DMVPN hub (172.16.145.1).

Step 3 R4 configuration.

The beauty of this technology is that there is exactly the same configuration on all Spokes!

R4(config)#crypto isakmp policy 1

R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R4(config-if)# ip nhrp network-id 12345
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.42
R4(config-if)# tunnel destination 10.1.12.1
R4(config-if)# tunnel key 12345
R4(config-if)# tunnel protection ipsec profile DMVPN
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi
R4(config)#router eigrp 145
R4(config-router)# network 172.16.145.0 0.0.0.255
R4(config-router)# network 192.168.4.0
R4(config-router)# no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R4(config-router)#exi

Verification

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
D    192.168.4.0/24 [90/27008000] via 172.16.145.4, 00:00:17, Tunnel0
D    192.168.5.0/24 [90/27008000] via 172.16.145.5, 00:00:55, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.12.2

The Spokes have sent updates about their networks (loopback interfaces) to the Hub. Now the Hub must send that information down to the other Spokes. The Hub may do that as long as the Split Horizon rule is disabled for the routing protocol.

R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:00:33, expire 00:05:26
  Type: dynamic, Flags: unique registered
  NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:01:08, expire 00:04:51
  Type: dynamic, Flags: unique registered
  NBMA address: 10.1.25.5

NHRP database displayed on the DMVPN hub. The entries in the NHRP database on the hub are dynamic (dynamically obtained from the spokes). Note that "sh ip nhrp" shows the mapping between the Tunnel0 IP address and the IP address of the Serial interface which is used for reaching the tunnel endpoint.

R1#sh ip eigrp neighbor
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.145.4            Tu0               11 00:00:38   10  1362  0  3
0   172.16.145.5            Tu0               11 00:01:16   29  1362  0  3

EIGRP adjacency established with the spokes.

R1#sh ip eigrp interface
IP-EIGRP interfaces for process 145

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu0                2        0/0        19       6/227         80           0
Lo0                0        0/0         0       0/1            0           0

R1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
10.1.12.1       10.1.24.4       QM_IDL<br>E           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)

Local and remote identities used for the tunnel. Note that the GRE protocol is transported in the tunnel (IP protocol 47). This is achieved automatically by assigning the IPSec profile to the tunnel interface (configuring crypto ACLs is no longer needed).

   current_peer 10.1.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

Note that traffic is going through the tunnel established between the hub (R1) and the spoke (R4).

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x97564348(2539012936)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2A3D155F(708646239)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4568792/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

Inbound SPI (Security Parameter Index) has been negotiated.

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x97564348(2539012936)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4568792/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

Outbound SPI (Security Parameter Index) has been negotiated.

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)

Local and remote identities used for the tunnel established between the hub (R1) and the other spoke (R5).

   current_peer 10.1.25.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.25.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x423D37C6(1111308230)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE65FFF26(3865050918)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4492833/3501)
        IV size: 8 bytes

        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x423D37C6(1111308230)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4492832/3501)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0/0.42
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:03:22, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/28288000] via 172.16.145.1, 00:03:22, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.24.2

The networks of the R1 and R5 loopbacks are present in R4's routing table. These networks are reachable through the hub (R1) over the DMVPN network.

R4#sh ip route 192.168.5.0
Routing entry for 192.168.5.0/24
  Known via "eigrp 145", distance 90, metric 28288000, type internal
  Redistributing via eigrp 145

  Last update from 172.16.145.1 on Tunnel0, 00:03:34 ago
  Routing Descriptor Blocks:
  * 172.16.145.1, from 172.16.145.1, 00:03:34 ago, via Tunnel0

Next hop IP address followed by the information source (R1 – the hub).

      Route metric is 28288000, traffic share count is 1
      Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

R4#sh ip cef 192.168.5.0
192.168.5.0/24
  nexthop 172.16.145.1 Tunnel0

The CEF entry for the R5 loopback network. This indicates the IP address of the next hop which has to be used for reaching 192.168.5.0/24.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:04:04, never expire
  Type: static, Flags:
  NBMA address: 10.1.12.1

The NHRP database entries displayed. This shows the mapping between the hub's tunnel interface IP address and the hub's real interface IP address through which the tunnel endpoint is reachable. Note that the NHRP database entries related to the hub are static and never expire (the hub must always be reachable for the spoke and cannot be dynamic).

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE

This indicates that the ISAKMP tunnel is established and active (QM_IDLE means that the ISAKMP SA is authenticated and Quick Mode – IPSec Phase 2 – is finished).

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67

    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

The IPSec proxy IDs on the spoke indicate that traffic between the tunnel endpoints will be encrypted/decrypted. Also, the packet counters are incrementing, as there are routing updates crossing the tunnel.

     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
     current outbound spi: 0x2A3D155F(708646239)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x97564348(2539012936)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4571034/3344)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2A3D155F(708646239)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4571034/3344)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#pi 192.168.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms

Now ping the other spoke using its loopback IP address as source. This should simulate end-to-end connectivity through the DMVPN network.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Note: No new ISAKMP SA or NHRP mappings created.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:04:40, never expire
   Type: static, Flags:
   NBMA address: 10.1.12.1

The same set of commands should be run on the other spoke.

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.25.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/28288000] via 172.16.145.1, 00:01:24, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:02:02, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.25.0 is directly connected, Serial0/1/0.52
S*   0.0.0.0/0 [1/0] via 10.1.25.2

R5#sh ip cef 192.168.4.0
192.168.4.0/24
  nexthop 172.16.145.1 Tunnel0

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:02:11, never expire
   Type: static, Flags:

   NBMA address: 10.1.12.1

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0xE65FFF26(3865050918)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x423D37C6(1111308230)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4430458/3455)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE65FFF26(3865050918)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }

        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4430459/3455)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#pi 192.168.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms

Note: No new ISAKMP SA or NHRP mappings created.

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:03:01, never expire
   Type: static, Flags:
   NBMA address: 10.1.12.1

Lab 1.50. DMVPN Phase 2 (with EIGRP)

Depending on the IOS software version you may get slightly different command outputs. This is because the CEF code has changed in IOS 12.2(20)T.

Lab Setup

• R1's F0/0 and R2's G0/0 interfaces should be configured in VLAN 12
• R2's S0/1/0 and R5's S0/1/0 interfaces should be configured in a frame-relay point-to-point manner
• R2's S0/1/0 and R4's S0/0/0 interfaces should be configured in a frame-relay point-to-point manner
• Configure Telnet on all routers using password "cisco"
• Configure default routing on R1, R4 and R5 pointing to R2

145. where R1 is acting as a Hub.2/24 S0/1/0.1/24 F0/0 10.25 10.5/24 R2 R4 R5 Task 1 Configure Hub-and-Spoke GRE tunnels between R1.42 10.24. R4 and R5.168.25.52 10.2/24 Lo0 192.168.2/24 S0/1/0. You must use EIGRP dynamic routing protocol to let other spokes know about protected networks.1. Use the following settings when configuring tunnels: • Tunnel Parameters o IP address: 172.5/24 S0/1/0.25.24 10.12.5.24.1.1.1.0/24 o IP MTU: 1400 o Tunnel Authentication Key: 12345 • NHRP Parameters o NHRP ID: 12345 o NHRP Authentication key: cisco123 o NHRP Hub: R1 • Routing Protocol Parameters o EIGRP 145 Encrypt the GRE traffic using the following parameters: • ISAKMP Parameters o Authentication: Pre-shared o Encryption: 3DES Page 586 of 1033 .1.CCIE SECURITY v4 Lab Workbook IP Addressing Device Interface IP address R1 Lo0 192.12.4.4/24 Lo0 192.168. Traffic originated from every Spoke’s loopback interface should be transmitted securely directly to the other spokes.4/24 S0/0/0.1.1.16.1/24 F0/0 10.

  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

DMVPN Phase 2 introduces a new feature, which is direct Spoke to Spoke communication through the DMVPN network. It is useful for companies that have communication between branches and want to lessen the Hub's overhead. This lab describes DMVPN Phase 2 when EIGRP is in use. It is important to understand the difference between the routing protocols used in a DMVPN solution. They must be specially configured/tuned to work in the most scalable and efficient way. However, there are some disadvantages of using one protocol or another, so I'll try to describe those in the upcoming labs.

Configuration

Complete these steps:

Step 1 R1 configuration.

The Hub's configuration for DMVPN Phase 2 is almost the same as for Phase 1. As most of the commands have already been described in the previous lab, I will focus on the new commands and on the differences between DMVPN Phase 1 and 2.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport

R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)# set transform-set TSET
R1(ipsec-profile)#exi
R1(config)#interface Tunnel0
R1(config-if)# ip address 172.16.145.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip nhrp authentication cisco123
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# ip nhrp network-id 12345
R1(config-if)# no ip split-horizon eigrp 145
R1(config-if)# no ip next-hop-self eigrp 145

The difference is in the routing protocol behavior. In DMVPN Phase 1 the spoke sends all traffic up to the Hub and uses the Hub for Spoke to Spoke communication. DMVPN Phase 2 allows for direct Spoke to Spoke communication. This is achieved by changing the routing protocol behavior. EIGRP changes the next hop in the routing update when sending it further; hence, the Hub changes the next hop to itself when sending the routing updates down to the Spokes. However, in DMVPN Phase 2 a spoke must point to the other spoke directly, so that one spoke sends the traffic to the other spoke using its own routing table information. This behavior can be changed by the command "no ip next-hop-self eigrp AS".

R1(config-if)# tunnel source FastEthernet0/0
R1(config-if)# tunnel mode gre multipoint

Note that in DMVPN Phase 2 the Hub is in GRE Multipoint mode, as it was in Phase 1.

R1(config-if)# tunnel key 12345
R1(config-if)# tunnel protection ipsec profile DMVPN
R1(config-if)#exi
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#router eigrp 145
R1(config-router)# network 172.16.145.0 0.0.0.255
R1(config-router)# network 192.168.1.0
R1(config-router)# no auto-summary
R1(config-router)#exi

Step 2 R5 configuration.

R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des

R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi
R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R5(config-if)# ip nhrp map multicast 10.1.12.1

One additional command on the Spoke is about sending multicast traffic to the Hub. This is because on the spokes we use the GRE Multipoint tunnel type, so we need to tell the router where to send multicast and broadcast traffic.

R5(config-if)# ip nhrp network-id 12345
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1
R5(config-if)# tunnel source Serial0/1/0.52
R5(config-if)# tunnel mode gre multipoint

Note that in DMVPN Phase 2 we use the GRE multipoint tunnel type on the spokes, as we require many tunnels with many spokes.

R5(config-if)# tunnel key 12345
R5(config-if)# tunnel protection ipsec profile DMVPN
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi
R5(config)#router eigrp 145
R5(config-router)# network 172.16.145.0 0.0.0.255
R5(config-router)# network 192.168.5.0
R5(config-router)# no auto-summary
R5(config-router)#ex
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R5(config-router)#exi

Step 3 R4 configuration.

The DMVPN configuration on all spokes is the same.

R4(config)#crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R4(config-if)# ip nhrp map multicast 10.1.12.1
R4(config-if)# ip nhrp network-id 12345
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.42
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel key 12345
R4(config-if)# tunnel protection ipsec profile DMVPN
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi
R4(config)#router eigrp 145
R4(config-router)# network 172.16.145.0 0.0.0.255
R4(config-router)# network 192.168.4.0
R4(config-router)# no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R4(config-router)#exi

Verification

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/297372416] via 172.16.145.4, 00:00:14, Tunnel0
D    192.168.5.0/24 [90/297372416] via 172.16.145.5, 00:00:12, Tunnel0
C    192.168.1.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.12.2

The Hub has routing information about the networks behind the spokes.

R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4
   Tunnel0 created 00:00:25, expire 00:05:37
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
   Tunnel0 created 00:00:22, expire 00:05:34
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.25.5

The spokes are registered in the NHS successfully.

R1#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.1.12.1       10.1.24.4              ACTIVE 3des sha  psk  2  23:59:19
       Engine-id:Conn-id =  SW:2

1001  10.1.12.1       10.1.25.5              ACTIVE 3des sha  psk  2  23:59:27
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

The Hub set up an ISAKMP SA and IPSec SA with both spokes.

R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
   current_peer 10.1.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The traffic is going through the tunnel between the Hub and the Spoke. This traffic consists of EIGRP updates, as we have not initiated any traffic yet.

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x49DC5EAF(1239178927)

     inbound esp sas:
      spi: 0xF483377E(4102240126)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4524624/3565)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x49DC5EAF(1239178927)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4524622/3565)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   current_peer 10.1.25.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The traffic is going through the tunnel between the Hub and the Spoke. This traffic consists of EIGRP updates, as we have not initiated any traffic yet.

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.25.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x1FB68E8D(532057741)

     inbound esp sas:
      spi: 0xE487940A(3834090506)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4411380/3563)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1FB68E8D(532057741)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4411379/3563)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#sh ip eigrp neighbor
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.145.5            Tu0               14 00:00:50   34  5000  0  3

0   172.16.145.4            Tu0               11 00:00:50   83  5000  0  3

EIGRP neighbor adjacency is established with both spokes via the tunnel.

R1#sh ip eigrp interface
IP-EIGRP interfaces for process 145

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu0                2        0/0        58       71/2524       320           0
Lo0                0        0/0         0        0/1            0           0

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.25.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/310172416] via 172.16.145.4, 00:09:17, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
D    192.168.1.0/24 [90/297372416] via 172.16.145.1, 00:09:17, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.25.0 is directly connected, Serial0/1/0.52
S*   0.0.0.0/0 [1/0] via 10.1.25.2

The Spoke has routing information for the networks behind the other spoke and the Hub. Note that in DMVPN Phase 2 the Spoke must point to the other Spoke (not the Hub). This is achieved by configuring the "no ip next-hop-self eigrp" command on the Hub.

R5#sh ip route 192.168.4.4
Routing entry for 192.168.4.0/24
  Known via "eigrp 145", distance 90, metric 310172416, type internal
  Redistributing via eigrp 145
  Last update from 172.16.145.4 on Tunnel0, 00:09:25 ago
  Routing Descriptor Blocks:
  * 172.16.145.4, from 172.16.145.1, 00:09:25 ago, via Tunnel0
      Route metric is 310172416, traffic share count is 1
      Total delay is 1005000 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

The detailed view of the prefix indicates that R5 got the routing information from the Hub but has a next hop of R4.

R5#sh ip cef 192.168.4.4
192.168.4.0/24, version 20, epoch 0
0 packets, 0 bytes
  via 172.16.145.4, Tunnel0, 0 dependencies
    next hop 172.16.145.4, Tunnel0
    invalid adjacency

When CEF is enabled (it is enabled by default on every router) the router uses the CEF database (called the FIB) to "switch" the packets. The FIB is built up based on the information from the routing table (the RIB). The CEF database indicates that the next hop router for that prefix is R4, but it also shows that this entry is "invalid". This is because the router has no clue how to get to that address (which physical interface to use to route the traffic out).

R5#sh ip cef 172.16.145.4
172.16.145.0/24, version 17, epoch 0, attached, connected
0 packets, 0 bytes
  via Tunnel0, 0 dependencies
    valid punt adjacency
R5#sh ip cef 10.1.24.4
0.0.0.0/0, version 18, epoch 0, cached adjacency to Serial0/1/0.52
0 packets, 0 bytes
  via 10.1.25.2, 0 dependencies, recursive
    next hop 10.1.25.2, Serial0/1/0.52 via 10.1.25.2/32
    valid cached adjacency

Note that there are valid CEF entries for the logical and the physical tunnel endpoint.

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:10:24, never expire
   Type: static, Flags: used
   NBMA address: 10.1.12.1

NHRP has only the static entry for the Hub. This entry is used to register the spoke with the NHS.

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.1.25.5       10.1.12.1              ACTIVE 3des sha  psk  2  23:56:35

       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
    #pkts decaps: 56, #pkts decrypt: 56, #pkts verify: 56
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 20, #recv errors 0

The spoke has an ISAKMP SA and IPSec SA with the Hub. It does not have any tunnels with the other spoke yet.

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0xE487940A(3834090506)

     inbound esp sas:
      spi: 0x1FB68E8D(532057741)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4482147/3389)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE487940A(3834090506)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4482145/3389)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#ping 192.168.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/42/52 ms
R5#ping 192.168.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

The ping to the network behind R4 is successful.

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:05:05, never expire
   Type: static, Flags: used
   NBMA address: 10.1.12.1
172.16.145.4/32 via 172.16.145.4
   Tunnel0 created 00:00:10, expire 00:05:50
   Type: dynamic, Flags: router used
   NBMA address: 10.1.24.4

Now, after the ping, there is a dynamic NHRP mapping and an additional spoke-to-spoke IPSec SA.

R5#sh ip cef 192.168.4.4
192.168.4.0/24, version 20, epoch 0
0 packets, 0 bytes
  via 172.16.145.4, Tunnel0, 0 dependencies
    next hop 172.16.145.4, Tunnel0
    valid adjacency

Note that the CEF entry is valid now.

R5#sh adjacency tun0 det
Protocol Interface                 Address
IP       Tunnel0                   172.16.145.4(5)
                                   0 packets, 0 bytes
                                   4500000000000000FF2F76C40A011905
                                   0A0118042000080000003039
                                   Tun endpt
                                   never
                                   Epoch: 0

IP       Tunnel0                   172.16.145.1(5)
                                   0 packets, 0 bytes
                                   4500000000000000FF2F82C70A011905
                                   0A010C012000080000003039
                                   Tun endpt
                                   never
                                   Epoch: 0

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.12.1       10.1.25.5       QM_IDLE           1001    0 ACTIVE
10.1.25.5       10.1.24.4       QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

R5 has an ISAKMP SA with R4 established. Note that R4 is the Initiator of this tunnel.

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.1.25.5       10.1.12.1              ACTIVE 3des sha  psk  2  23:55:04
       Engine-id:Conn-id =  SW:1

1002  10.1.25.5       10.1.24.4              ACTIVE 3des sha  psk  2  23:58:46
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
    #pkts decaps: 82, #pkts decrypt: 82, #pkts verify: 82
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 20, #recv errors 0

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0xE487940A(3834090506)

     inbound esp sas:
      spi: 0x1FB68E8D(532057741)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4482143/3300)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE487940A(3834090506)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4482141/3300)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
   current_peer 10.1.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

This is the IPSec SA with R4. Note that of the 10 pings sent only 5-6 of them have been encrypted. This is because the tunnel between R5 and R4 takes some time to come up.

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.24.4

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0x541C9A19(1411160601)

     inbound esp sas:
      spi: 0xD15B10C(219525388)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4475056/3522)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x541C9A19(1411160601)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4475056/3522)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/310172416] via 172.16.145.5, 00:05:12, Tunnel0
D    192.168.1.0/24 [90/297372416] via 172.16.145.1, 00:05:12, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0/0.42
S*   0.0.0.0/0 [1/0] via 10.1.24.2

R4 has routing information for the networks behind R5 and R1.

R4#sh ip route 192.168.5.5
Routing entry for 192.168.5.0/24
  Known via "eigrp 145", distance 90, metric 310172416, type internal
  Redistributing via eigrp 145
  Last update from 172.16.145.5 on Tunnel0, 00:05:18 ago
  Routing Descriptor Blocks:
  * 172.16.145.5, from 172.16.145.1, 00:05:18 ago, via Tunnel0
      Route metric is 310172416, traffic share count is 1
      Total delay is 1005000 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2
R4#sh ip cef 192.168.5.5
192.168.5.0/24, version 20, epoch 0
0 packets, 0 bytes
  via 172.16.145.5, Tunnel0, 0 dependencies
    next hop 172.16.145.5, Tunnel0
    valid adjacency

The CEF entry is valid, as it has already been resolved during the tunnel set-up process between R5 and R4.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:06:29, never expire
   Type: static, Flags: used
   NBMA address: 10.1.12.1
172.16.145.4/32 via 172.16.145.4 (no-socket)
   Tunnel0 created 00:01:59, expire 00:04:00
   Type: dynamic, Flags: router unique local
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
   Tunnel0 created 00:01:59, expire 00:04:00
   Type: dynamic, Flags: router implicit
   NBMA address: 10.1.25.5

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.1.24.4       10.1.25.5              ACTIVE 3des sha  psk  2  23:57:52
       Engine-id:Conn-id =  SW:2

1001  10.1.24.4       10.1.12.1              ACTIVE 3des sha  psk  2  23:54:13

       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
    #pkts decaps: 96, #pkts decrypt: 96, #pkts verify: 96
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 13, #recv errors 0

     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
     current outbound spi: 0xF483377E(4102240126)

     inbound esp sas:
      spi: 0x49DC5EAF(1239178927)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4394861/3249)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF483377E(4102240126)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4394863/3249)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   current_peer 10.1.25.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The IPSec SA is already established between R4 and R5. Note that the packet counters are not incrementing, as there is no support for a dynamic routing protocol between the spokes in DMVPN.

     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.25.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
     current outbound spi: 0xD15B10C(219525388)

     inbound esp sas:
      spi: 0x541C9A19(1411160601)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4539686/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD15B10C(219525388)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4539686/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
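The verification above is done by eye: the spoke's route to the other spoke's LAN must carry the other spoke's tunnel address as next hop (learned "from" the hub), NHRP must hold a static entry for the NHS and a dynamic entry for the peer once traffic has flowed, and the CEF entry must turn from "invalid adjacency" into "valid adjacency". The following Python script is an added example, not code from the workbook or from Cisco: it parses the three outputs in the format shown on these pages and reports which of those Phase 2 conditions are not yet met. The sample outputs are constructed from the lab's values rather than captured from a device, and the hub address, function names and finding texts are this example's own assumptions.

```python
import re

HUB_TUNNEL = "172.16.145.1"   # R1's Tunnel0 address in this lab (assumption: same addressing)

# Constructed samples in the format of the lab's outputs (not device captures).
# R5 after the first ping to 192.168.4.4: static NHS entry plus the dynamic
# entry for R4 that NHRP resolution installed.
NHRP_AFTER = """\
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:05:05, never expire
   Type: static, Flags: used
   NBMA address: 10.1.12.1
172.16.145.4/32 via 172.16.145.4
   Tunnel0 created 00:00:10, expire 00:05:50
   Type: dynamic, Flags: router used
   NBMA address: 10.1.24.4
"""
# R5 before any spoke-to-spoke traffic: only the static entry for the hub.
NHRP_BEFORE = NHRP_AFTER.split("172.16.145.4/32")[0]

ROUTE_PHASE2 = """\
Routing entry for 192.168.4.0/24
  Known via "eigrp 145", distance 90, metric 310172416, type internal
  Last update from 172.16.145.4 on Tunnel0, 00:09:25 ago
  Routing Descriptor Blocks:
  * 172.16.145.4, from 172.16.145.1, 00:09:25 ago, via Tunnel0
      Route metric is 310172416, traffic share count is 1
"""
# Same prefix as a hub with next-hop-self still on would advertise it (Phase 1).
ROUTE_PHASE1 = ROUTE_PHASE2.replace("* 172.16.145.4,", "* 172.16.145.1,")

CEF_AFTER = """\
192.168.4.0/24, version 20, epoch 0
0 packets, 0 bytes
  via 172.16.145.4, Tunnel0, 0 dependencies
    next hop 172.16.145.4, Tunnel0
    valid adjacency
"""
CEF_BEFORE = CEF_AFTER.replace("valid adjacency", "invalid adjacency")

IP = r"\d+(?:\.\d+){3}"
NHRP_ENTRY = re.compile(
    rf"(?P<proto>{IP})/\d+ via (?P<via>{IP})[^\n]*\n"
    r"\s+Tunnel\d+ created [\d:]+, (?:never expire|expire [\d:]+)\n"
    r"\s+Type: (?P<type>static|dynamic), Flags:(?P<flags>[^\n]*)\n"
    rf"\s+NBMA address: (?P<nbma>{IP})")

def parse_nhrp(text):
    """Map each tunnel address in 'show ip nhrp' to its type, NBMA address and flags."""
    return {m["proto"]: {"type": m["type"], "nbma": m["nbma"],
                         "flags": m["flags"].split()}
            for m in NHRP_ENTRY.finditer(text)}

def parse_route_nexthop(text):
    """(next hop, learned-from) of the first routing descriptor block, or (None, None)."""
    m = re.search(rf"\*\s+({IP}), from ({IP}),", text)
    return (m.group(1), m.group(2)) if m else (None, None)

def cef_adjacency_valid(text):
    """True when 'show ip cef <prefix>' reports a valid adjacency (not 'invalid')."""
    return re.search(r"^\s*valid(?: cached)? adjacency\s*$", text, re.M) is not None

def check_phase2_spoke(nhrp_text, route_text, cef_text, hub=HUB_TUNNEL):
    """Return findings; an empty list means spoke-to-spoke forwarding is in place."""
    findings = []
    nhrp = parse_nhrp(nhrp_text)
    if nhrp.get(hub, {}).get("type") != "static":
        findings.append("no static NHRP entry for the NHS %s" % hub)
    next_hop, learned_from = parse_route_nexthop(route_text)
    if next_hop is None:
        findings.append("no routing descriptor block for the prefix")
    elif next_hop == hub:
        findings.append("next hop is the hub: Phase 1 forwarding "
                        "(hub still sets itself as next hop for this protocol)")
    else:
        if learned_from != hub:
            findings.append("route was not learned from the hub")
        peer = nhrp.get(next_hop)
        if peer is None:
            findings.append("no NHRP mapping for %s yet; it is resolved on the first packet" % next_hop)
        elif peer["type"] != "dynamic":
            findings.append("mapping for %s should be dynamic" % next_hop)
    if not cef_adjacency_valid(cef_text):
        findings.append("CEF adjacency is invalid: NBMA address of the next hop is unknown")
    return findings

if __name__ == "__main__":
    for label, args in (("before ping", (NHRP_BEFORE, ROUTE_PHASE2, CEF_BEFORE)),
                        ("after ping", (NHRP_AFTER, ROUTE_PHASE2, CEF_AFTER)),
                        ("phase 1 hub", (NHRP_BEFORE, ROUTE_PHASE1, CEF_AFTER))):
        print(label, check_phase2_spoke(*args) or ["OK"])
```

Run against the "before ping" samples the check reports the two transient conditions the lab shows (no mapping for the peer yet, invalid CEF adjacency); after the ping it reports nothing; and with a route whose next hop is the hub it flags the Phase 1 behaviour, which is the symptom of a hub that still has "ip next-hop-self eigrp" in effect.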

Lab 1.51. DMVPN Phase 2 (with OSPF)

Depending on IOS software version you may get slightly different command outputs. This is because CEF code has changed in IOS 12.2(20)T.

Lab Setup

• R2's S0/1/0, R4's S0/0/0 and R5's S0/1/0 interfaces should be configured in a frame-relay manner using physical interfaces
• Configure Telnet on all routers using password "cisco"

IP Addressing

Device   Interface   IP address
R2       Lo0         192.168.2.2/24
         S0/1/0      10.245.1.2/24
R4       Lo0         192.168.4.4/24
         S0/0/0      10.245.1.4/24
R5       Lo0         192.168.5.5/24
         S0/1/0      10.245.1.5/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R2, R4 and R5, where R2 is acting as a Hub. Traffic originated from every Spoke's loopback interface should be transmitted securely directly to the other spokes. You are not allowed to use NHRP Redirects to accomplish this task. You must use the OSPF dynamic routing protocol to let the other spokes know about the protected networks. Use the following settings when configuring tunnels:

• Tunnel Parameters
  o IP address: 172.16.245.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 123
• NHRP Parameters
  o NHRP ID: 123
  o NHRP Authentication key: cisco123
  o NHRP Hub: R2
• Routing Protocol Parameters
  o OSPF Area 0

Encrypt the GRE traffic using the following parameters:

• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

DMVPN Phase 2 with OSPF is very similar to Phase 2 with EIGRP. In EIGRP the spoke-to-spoke next hop was preserved by the "no ip next-hop-self eigrp" command on the Hub. Here it is achieved by tuning the OSPF network type. We need to configure OSPF in a special way to ensure the spokes have the next hop pointing to the other spokes, not the Hub.

Configuration

Complete these steps:

Step 1 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)#crypto ipsec profile DMVPN
R2(ipsec-profile)# set transform-set TSET
R2(ipsec-profile)#exi
R2(config)#interface Tunnel0
R2(config-if)# ip address 172.16.245.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip nhrp authentication cisco123
R2(config-if)# ip nhrp map multicast dynamic
R2(config-if)# ip nhrp network-id 123
R2(config-if)# tunnel source s0/1/0
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 123
R2(config-if)# tunnel protection ipsec profile DMVPN
R2(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)# ip ospf priority 255
R2(config-if)# ip ospf network broadcast

We need to know that OSPF does not change the next hop when operating in a "broadcast" type network. This is because OSPF elects a DR/BDR on broadcast networks like Ethernet. Every router in that network sends routing information to the DR/BDR

and then that router advertises that information to the other routers. Practically, all routers are connected to the same media on broadcast networks. Thus, it is assumed that they have access to each other. Hence, there is no reason to change the next hop in the advertisements. This protocol behavior perfectly suits this situation. Another thing is that we still have a Hub and Spoke physical topology. Since OSPF must elect a DR/BDR and all routers must have an adjacency with the DR/BDR router, we need to ensure this role will be taken by the Hub. We use OSPF priorities to do that. The priority of 255 is the highest and 0 is the lowest. Since a priority of 0 excludes the router from the election process, we set 255 on the Hub and 0 on the Spokes.

R2(config-if)# exit
R2(config)#router ospf 1
R2(config-router)#router-id 172.16.245.2
R2(config-router)#network 172.16.245.2 0.0.0.0 area 0
R2(config-router)#network 192.168.2.2 0.0.0.0 area 0
R2(config-router)#exi

Step 2 R5 configuration.

R5(config)#crypto isakmp policy 10
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi
R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.245.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.245.2 10.245.1.2
R5(config-if)# ip nhrp map multicast 10.245.1.2
R5(config-if)# ip nhrp network-id 123
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.245.2
R5(config-if)# tunnel source Serial0/1/0
R5(config-if)# tunnel mode gre multipoint

R5(config-if)# tunnel key 123
R5(config-if)# tunnel protection ipsec profile DMVPN
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R5(config-if)#ip ospf priority 0
R5(config-if)#ip ospf network broadcast
R5(config-if)#exi

No changes on the Spokes but the OSPF network type and a priority of 0. The priority excludes the router from the DR/BDR election.

R5(config)#router ospf 1
R5(config-router)#router-id 172.16.245.5
R5(config-router)#net 172.16.245.5 0.0.0.0 area 0
R5(config-router)#
%OSPF-5-AD JCHG: Process 1, Nbr 172.16.245.2 on Tunnel0 from LOADING to FULL, Loading Done
R5(config-router)#net 192.168.5.5 0.0.0.0 area 0
R5(config-router)#exi

Step 3 R4 configuration.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.245.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.245.2 10.245.1.2
R4(config-if)# ip nhrp map multicast 10.245.1.2
R4(config-if)# ip nhrp network-id 123
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.245.2
R4(config-if)# tunnel source Serial0/0/0

R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel key 123
R4(config-if)# tunnel protection ipsec profile DMVPN
R4(config-router)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R4(config-router)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)# ip ospf priority 0
R4(config-if)# ip ospf network broadcast
R4(config-if)# exi

No changes on the Spokes but the OSPF network type and a priority of 0. The priority excludes the router from the DR/BDR election.

R4(config)#router ospf 1
R4(config-router)#router-id 172.16.245.4
R4(config-router)#net 172.16.245.4 0.0.0.0 area 0
R4(config-router)#net 192.168.4.4 0.0.0.0 area 0
R4(config-router)#exi
%OSPF-5-ADJCHG: Process 1, Nbr 172.16.245.2 on Tunnel0 from LOADING to FULL, Loading Done

Verification

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.245.4      0   FULL/DROTHER    00:00:39    172.16.245.4    Tunnel0
172.16.245.5      0   FULL/DROTHER    00:00:34    172.16.245.5    Tunnel0

The Hub has OSPF adjacencies with the Spokes. Note that the Spokes have the DROTHER role in the network – meaning they are not DR/BDR.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0

     192.168.4.0/32 is subnetted, 1 subnets
O       192.168.4.4 [110/11112] via 172.16.245.4, 00:00:43, Tunnel0
     192.168.5.0/32 is subnetted, 1 subnets
O       192.168.5.5 [110/11112] via 172.16.245.5, 00:01:01, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.245.1.0 is directly connected, Serial0/1/0
C    192.168.2.0/24 is directly connected, Loopback0

The Hub has routing information for the networks behind the Spokes.

R2#sh ip nhrp
172.16.245.4/32 via 172.16.245.4
   Tunnel0 created 00:04:38, expire 00:05:21
   Type: dynamic, Flags: unique registered
   NBMA address: 10.245.1.4
172.16.245.5/32 via 172.16.245.5
   Tunnel0 created 00:03:47, expire 00:04:11
   Type: dynamic, Flags: unique registered
   NBMA address: 10.245.1.5

The Hub works as the NHS in the network and has the spokes registered.

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.4 port 500
  IKE SA: local 10.245.1.2/500 remote 10.245.1.4/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.2 host 10.245.1.4
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.5 port 500
  IKE SA: local 10.245.1.2/500 remote 10.245.1.5/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.2 host 10.245.1.5
        Active SAs: 2, origin: crypto map

R2#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.245.1.2      10.245.1.4             ACTIVE 3des sha  psk  2  23:55:55
       Engine-id:Conn-id = SW:2

1001  10.245.1.2      10.245.1.5             ACTIVE 3des sha  psk  2  23:55:04

       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

For the crypto part, the Hub has IPSec tunnels (encrypting GRE) to all spokes.

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   current_peer 10.245.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.2, remote crypto endpt.: 10.245.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xD3CA593(222078355)

     inbound esp sas:
      spi: 0xB000E51C(2952848668)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: Onboard VPN:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4507274/3349)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0xD3CA593(222078355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: Onboard VPN:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4507274/3349)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   current_peer 10.245.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.2, remote crypto endpt.: 10.245.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x558438AB(1434728619)

     inbound esp sas:
      spi: 0x83D966D1(2212062929)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: Onboard VPN:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4449171/3298)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x558438AB(1434728619)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: Onboard VPN:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4449169/3298)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R4#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.245.2    255   FULL/DR         00:00:34    172.16.245.2    Tunnel0

The spoke has an OSPF adjacency with the Hub. Note that the Hub is the DR (Designated Router).

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
     192.168.5.0/32 is subnetted, 1 subnets
O       192.168.5.5 [110/11112] via 172.16.245.5, 00:02:15, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.245.1.0 is directly connected, Serial0/0/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.2 [110/11112] via 172.16.245.2, 00:01:47, Tunnel0

Routing to the network behind the other spoke should point to the other spoke's tunnel IP address. This is achieved by changing the OSPF network type to "broadcast".

R4#sh ip route 192.168.5.5
Routing entry for 192.168.5.5/32
  Known via "ospf 1", distance 110, metric 11112, type intra area
  Last update from 172.16.245.5 on Tunnel0, 00:02:11 ago
  Routing Descriptor Blocks:
  * 172.16.245.5, from 172.16.245.5, 00:02:11 ago, via Tunnel0
      Route metric is 11112, traffic share count is 1

R4#sh ip cef 192.168.5.5
192.168.5.5/32, version 21, epoch 0
0 packets, 0 bytes
  via 172.16.245.5, Tunnel0, 0 dependencies
    next hop 172.16.245.5, Tunnel0
    invalid adjacency

Same situation here: the router has no information about the physical interface to route the packet out for that network.

R4#sh ip cef 172.16.245.5
172.16.245.0/24, version 15, epoch 0, attached, connected
0 packets, 0 bytes
  via Tunnel0, 0 dependencies
    valid punt adjacency

R4#sh ip nhrp
172.16.245.2/32 via 172.16.245.2
   Tunnel0 created 00:05:35, never expire
   Type: static, Flags: used
   NBMA address: 10.245.1.2

R4#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.2 port 500
  IKE SA: local 10.245.1.4/500 remote 10.245.1.2/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.4 host 10.245.1.2
        Active SAs: 2, origin: crypto map

The router has an IPSec tunnel to the Hub only.

R4#ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/47/56 ms

The ping to the network behind the other spoke is successful.

R4#sh ip cef 192.168.5.5
192.168.5.5/32, version 21, epoch 0
0 packets, 0 bytes
  via 172.16.245.5, Tunnel0, 0 dependencies
    next hop 172.16.245.5, Tunnel0
    valid adjacency

After that the CEF entry is "valid" and the packets can be CEF-switched.

R4#sh ip cef 172.16.245.5
172.16.245.5/32, version 22, epoch 0, connected
0 packets, 0 bytes
  via 172.16.245.5, Tunnel0, 0 dependencies
    next hop 172.16.245.5, Tunnel0
    valid adjacency

R4#sh ip nhrp
172.16.245.2/32 via 172.16.245.2
   Tunnel0 created 00:06:08, never expire
   Type: static, Flags: used

   NBMA address: 10.245.1.2
172.16.245.4/32 via 172.16.245.4
   Tunnel0 created 00:00:18, expire 00:05:43
   Type: dynamic, Flags: router unique local
   NBMA address: 10.245.1.4
    (no-socket)
172.16.245.5/32 via 172.16.245.5
   Tunnel0 created 00:00:17, expire 00:05:43
   Type: dynamic, Flags: router used
   NBMA address: 10.245.1.5

The router got the NHRP information from the other spoke, so it can validate the CEF entry and use it to switch the packets.

R4#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.5 port 500
  IKE SA: local 10.245.1.4/500 remote 10.245.1.5/500 Active
  IKE SA: local 10.245.1.4/500 remote 10.245.1.5/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.4 host 10.245.1.5
        Active SAs: 4, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.2 port 500
  IKE SA: local 10.245.1.4/500 remote 10.245.1.2/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.4 host 10.245.1.2
        Active SAs: 2, origin: crypto map

The direct IPSec tunnel has been built between the spokes.

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.245.1.4      10.245.1.5             ACTIVE 3des sha  psk  2  23:59:23
       Engine-id:Conn-id = SW:2

1003  10.245.1.4      10.245.1.5             ACTIVE 3des sha  psk  2  23:59:23
       Engine-id:Conn-id = SW:3

1001  10.245.1.4      10.245.1.2             ACTIVE 3des sha  psk  2  23:53:33
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
    #pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.4, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0xB000E51C(2952848668)

     inbound esp sas:
      spi: 0xD3CA593(222078355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4438379/3207)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0xB000E51C(2952848668)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4438380/3207)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   current_peer 10.245.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

Note that only 2 packets out of 5 have been encrypted/decrypted on this SA. This does not mean 3 packets have been lost. Those packets were sent to the other spoke through the Hub in the first step. Then, when the direct tunnel came up, the rest of the packets used the direct encrypted tunnel.

     local crypto endpt.: 10.245.1.4, remote crypto endpt.: 10.245.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x723E68C3(1916692675)

     inbound esp sas:
      spi: 0x8C779DEA(2356649450)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388330/3558)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x723E68C3(1916692675)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388330/3558)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
     192.168.4.0/32 is subnetted, 1 subnets
O       192.168.4.4 [110/11112] via 172.16.245.4, 00:04:28, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.245.1.0 is directly connected, Serial0/1/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.2 [110/11112] via 172.16.245.2, 00:04:18, Tunnel0

Same on the other spoke – the routing points to the remote spoke.

R5#sh ip cef 192.168.4.4
192.168.4.4/32, version 17, epoch 0
0 packets, 0 bytes
  via 172.16.245.4, Tunnel0, 0 dependencies
    next hop 172.16.245.4, Tunnel0
    valid adjacency

The CEF entry is "valid" because it was validated by the tunnel establishment process between R4 and R5. The same applies to the NHRP entries below.

R5#sh ip nhrp
172.16.245.2/32 via 172.16.245.2
   Tunnel0 created 00:08:04, never expire
   Type: static, Flags: used
   NBMA address: 10.245.1.2
172.16.245.4/32 via 172.16.245.4
   Tunnel0 created 00:01:24, expire 00:04:37
   Type: dynamic, Flags: router
   NBMA address: 10.245.1.4
172.16.245.5/32 via 172.16.245.5
   Tunnel0 created 00:01:23, expire 00:04:37
   Type: dynamic, Flags: router unique local
   NBMA address: 10.245.1.5
    (no-socket)

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.245.1.5      10.245.1.4             ACTIVE 3des sha  psk  2  23:58:30
       Engine-id:Conn-id = SW:2

1001  10.245.1.5      10.245.1.2             ACTIVE 3des sha  psk  2  23:51:49
       Engine-id:Conn-id = SW:1

1003  10.245.1.5      10.245.1.4             ACTIVE 3des sha  psk  2  23:58:30
       Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x83D966D1(2212062929)

     inbound esp sas:
      spi: 0x558438AB(1434728619)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4486614/3104)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:

      spi: 0x83D966D1(2212062929)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4486616/3104)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   current_peer 10.245.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

The tunnel between the spokes works!

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x8C779DEA(2356649450)

     inbound esp sas:
      spi: 0x723E68C3(1916692675)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4422335/3505)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x8C779DEA(2356649450)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4422335/3505)

        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

Ping again to see whether the tunnel statistics are incrementing.

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 71, #pkts encrypt: 71, #pkts digest: 71
    #pkts decaps: 85, #pkts decrypt: 85, #pkts verify: 85
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x83D966D1(2212062929)

     inbound esp sas:
      spi: 0x558438AB(1434728619)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4486613/3059)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x83D966D1(2212062929)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4486615/3059)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   current_peer 10.245.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

See the 5 additional packets encrypted/decrypted on the spoke-to-spoke SA.

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x8C779DEA(2356649450)

     inbound esp sas:
      spi: 0x723E68C3(1916692675)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4422334/3459)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x8C779DEA(2356649450)
        transform: esp-3des esp-sha-hmac ,

        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4422334/3459)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
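The lab proves spoke-to-spoke encryption by comparing "show crypto ipsec sa" counters before and after a ping. The following Python script is an added example, not part of the workbook: it parses two such snapshots (constructed from R5's outputs above, trimmed to the lines the parser reads) and reports which SA carried the probes and whether an SPI changed in between.

```python
"""Compare two 'show crypto ipsec sa' snapshots to see which SA carried a burst of traffic."""
import re
from dataclasses import dataclass, field


@dataclass
class PeerSa:
    """Counters of one SA pair, i.e. one 'current_peer' block of the IOS output."""
    peer: str
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    spi: dict = field(default_factory=dict)  # "inbound"/"outbound" -> SPI as hex text


PEER_RE = re.compile(r"current_peer (\S+) port \d+")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
SEND_ERR_RE = re.compile(r"#send errors (\d+)")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
SECTIONS = {"inbound esp sas:": "inbound", "outbound esp sas:": "outbound"}


def parse_ipsec_sa(text):
    """Return {peer_ip: PeerSa}; lines the parser does not need (vrf, ident, timings) are ignored."""
    records, cur, direction = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_RE.search(line):       # a new SA pair starts here
            cur = PeerSa(peer=m.group(1))
            records[cur.peer] = cur
            direction = None
        elif cur is None:
            continue
        elif line.endswith("sas:"):         # only the esp sections carry SPIs we record
            direction = SECTIONS.get(line)
        elif m := ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif m := SEND_ERR_RE.search(line):
            cur.send_errors = int(m.group(1))
        elif direction and (m := SPI_RE.match(line)):
            cur.spi[direction] = m.group(1)
    return records


def sa_deltas(before, after):
    """Counter growth per peer between snapshots; 'rekeyed' flags an SPI change (rekey or rebuilt SA)."""
    deltas = {}
    for peer, new in after.items():
        old = before.get(peer, PeerSa(peer=peer))
        deltas[peer] = {
            "encaps": new.encaps - old.encaps,
            "decaps": new.decaps - old.decaps,
            "send_errors": new.send_errors - old.send_errors,
            "rekeyed": bool(old.spi) and old.spi != new.spi,
        }
    return deltas


def spoke_sa_carried_probes(deltas, spoke_peer, probes):
    """True when the direct spoke-to-spoke SA absorbed every probe both ways without new send errors."""
    d = deltas[spoke_peer]
    return d["encaps"] >= probes and d["decaps"] >= probes and d["send_errors"] == 0


# Constructed samples: R5's counters before and after 'ping 192.168.4.4 source lo0' in this lab,
# trimmed to the lines the parser consumes (10.245.1.2 is the Hub, 10.245.1.4 the other spoke).
R5_BEFORE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.5
   current_peer 10.245.1.2 port 500
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #send errors 0, #recv errors 0
     current outbound spi: 0x83D966D1(2212062929)
     inbound esp sas:
      spi: 0x558438AB(1434728619)
     outbound esp sas:
      spi: 0x83D966D1(2212062929)
   current_peer 10.245.1.4 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 1, #recv errors 0
     current outbound spi: 0x8C779DEA(2356649450)
     inbound esp sas:
      spi: 0x723E68C3(1916692675)
     outbound esp sas:
      spi: 0x8C779DEA(2356649450)
"""
# The "after" snapshot differs only in the counters (67->71, 80->85 to the Hub; 2->7 both ways to R4).
R5_AFTER = (R5_BEFORE.replace("encaps: 67, #pkts encrypt: 67", "encaps: 71, #pkts encrypt: 71")
            .replace("decaps: 80, #pkts decrypt: 80", "decaps: 85, #pkts decrypt: 85")
            .replace("encaps: 2, #pkts encrypt: 2", "encaps: 7, #pkts encrypt: 7")
            .replace("decaps: 2, #pkts decrypt: 2", "decaps: 7, #pkts decrypt: 7"))

if __name__ == "__main__":
    deltas = sa_deltas(parse_ipsec_sa(R5_BEFORE), parse_ipsec_sa(R5_AFTER))
    for peer, d in deltas.items():
        print(peer, d)
    print("direct spoke path used:", spoke_sa_carried_probes(deltas, "10.245.1.4", 5))
```

The Hub SA also grows between snapshots (OSPF hellos ride the same GRE/IPSec tunnel), which is why the check looks at the spoke SA's delta rather than at whether the Hub SA stayed flat.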

Lab 1.52. DMVPN Phase 3 (with EIGRP)

Depending on IOS software version you may get slightly different command outputs. This is because CEF code has changed in IOS 12.2(20)T.

Lab Setup

• R2's S0/1/0, R4's S0/0/0 and R5's S0/1/0 interfaces should be configured in a frame-relay manner using physical interfaces
• Configure Telnet on all routers using password "cisco"

IP Addressing

Device   Interface   IP address
R2       Lo0         192.168.2.2/24
         S0/1/0      10.245.1.2/24
R4       Lo0         192.168.4.4/24
         S0/0/0      10.245.1.4/24
R5       Lo0         192.168.5.5/24
         S0/1/0      10.245.1.5/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R2, R4 and R5, where R2 is acting as a Hub. Traffic originated from every Spoke's loopback interface should be transmitted securely directly to the other spokes. You must ensure that all traffic is CEF switched. You must use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks. Use the following settings when configuring tunnels:

• Tunnel Parameters
  o IP address: 172.16.245.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 123
• NHRP Parameters
  o NHRP ID: 123
  o NHRP Authentication key: cisco123
  o NHRP Hub: R2
• Routing Protocol Parameters
  o EIGRP AS 245

Encrypt the GRE traffic using the following parameters:

• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

DMVPN Phase 3 is the latest method of configuration. It was introduced by Cisco to fix some disadvantages of Phase 2 like:

- Scalability: Phase 2 allows Hubs daisy-chaining; limited number of hubs due to the OSPF DR/BDR election; OSPF single area.
- Scalability: Phase 2 does not allow route summarization on the Hub; all prefixes must be distributed to all spokes to be able to set up direct spoke-to-spoke tunnels.
- Performance: Phase 2 sends the first packets through the Hub using process switching (not CEF), causing CPU spikes.

DMVPN Phase 3 uses two NHRP "hacks" to make it happen:

- NHRP Redirect – a new message sent from the Hub to the Spoke to let the Spoke know that there is a better path to the other spoke than through the Hub
- NHRP Shortcut – a new way of changing (overwriting) CEF information on the Spoke

In DMVPN Phase 3 all Spokes must point to the Hub for the networks behind the other spokes (just like it was in Phase 1).

Configuration

Complete these steps:

Step 1 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)#crypto ipsec profile DMVPN
R2(ipsec-profile)# set transform-set TSET
R2(ipsec-profile)#exi
R2(config)#int Tunnel0
R2(config-if)# ip address 172.16.245.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip nhrp authentication cisco123
R2(config-if)# ip nhrp map multicast dynamic
R2(config-if)# ip nhrp network-id 123

16.0.255.1.245. R2(config-if)# exi %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R2(config)#router eigrp 245 R2(config-router)#no auto R2(config-router)#net 172.245.2 10.245.0 R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac R4(cfg-crypto-trans)# mode transport R4(cfg-crypto-trans)#crypto ipsec profile DMVPN R4(ipsec-profile)# set transform-set TSET R4(ipsec-profile)#exi R4(config)#int Tunnel0 R4(config-if)# ip address 172.0.2.245.0.4 255.0.16.0. All it does is enforces the spoke to trigger an NHRP resolution request to IP destination.0.0 R2(config-router)#exi Step 2 R4 configuration.0 R2(config-router)#net 192. The “ip nhrp redirect” command should be configured on the Hub only! R2(config-if)# tunnel source s0/1/0 R2(config-if)# tunnel mode gre multipoint R2(config-if)# tunnel key 123 R2(config-if)# tunnel protection ipsec profile DMVPN R2(config-if)# no ip split-horizon eigrp 245 Note that we do not need “no ip next-hop-self eigrp” command in the DMVPN Pahse 3.CCIE SECURITY v4 Lab Workbook R2(config-if)# ip nhrp redirect NHRP Redirect is a special NHRP message sent by the Hub to the spoke to tell the spoke that there is a better path to the remote spoke than through the Hub.2 0.0.2 Page 627 of 1033 .0 R4(config-if)# ip mtu 1400 R4(config-if)# ip nhrp authentication cisco123 R4(config-if)# ip nhrp map 172. R4(config)#crypto isakmp policy 10 R4(config-isakmp)# encr 3des R4(config-isakmp)# authentication pre-share R4(config-isakmp)# group 2 R4(config-isakmp)#crypto isakmp key cisco123 address 0.255.0 0.0.168.16.2 0.

255.CCIE SECURITY v4 Lab Workbook R4(config-if)# ip nhrp map multicast 10.245.5 255.0 Page 628 of 1033 . This will work together with NHRP Redirect on the Hub to send a new Resolution Request NHRP message and overwrite CEF entry to use direct spoke to spoke tunnel instead of the Hub.4 0.4 0.2 R4(config-if)# ip nhrp network-id 123 R4(config-if)# ip nhrp holdtime 360 R4(config-if)# ip nhrp nhs 172.0.245. R5(config)#crypto isakmp policy 10 R5(config-isakmp)# encr 3des R5(config-isakmp)# authentication pre-share R5(config-isakmp)# group 2 R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.255. changed state to up R4(config-if)#router eigrp 245 R4(config-router)#no auto R4(config-router)#net 172.16.16.16.245. This command should be configured on spokes only.2 R4(config-if)# ip nhrp shortcut The only difference on the spoke is that the spoke has NHRP Shortcut configured.0. R4(config-if)# tunnel source Serial0/0/0 R4(config-if)# tunnel mode gre multipoint R4(config-if)# tunnel key 123 R4(config-if)# tunnel protection ipsec profile DMVPN R4(config-router)#exi %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0.0 R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac R5(cfg-crypto-trans)# mode transport R5(cfg-crypto-trans)#crypto ipsec profile DMVPN R5(ipsec-profile)# set transform-set TSET R5(ipsec-profile)#exi R5(config)#int Tunnel0 R5(config-if)# ip address 172.2 (Tunnel0) is up: new adjacency Step 3 R5 configuration.0 R4(config-router)#net 192.0.16. Same configuration on all spokes.4.0 0.245.168.245.0 R4(config-router)#exi %DUAL-5-NBRCHANGE: IP-EIGRP(0) 245: Neighbor 172.0.1.0.0.

2 10.0 R5(config-router)#exi R5(config)# %DUAL-5-NBRCHANGE: IP-EIGRP(0) 245: Neighbor 172.245. changed state to up R5(config-if)#router eigrp 245 R5(config-router)#no auto R5(config-router)#net 172.245.16.1.2 R5(config-if)# ip nhrp map multicast 10. R2#sh ip route Page 629 of 1033 148 0 0 0 .2 R5(config-if)# ip nhrp network-id 123 R5(config-if)# ip nhrp holdtime 360 R5(config-if)# ip nhrp nhs 172.CCIE SECURITY v4 Lab Workbook R5(config-if)# ip mtu 1400 R5(config-if)# ip nhrp authentication cisco123 R5(config-if)# ip nhrp map 172.16.1.5 Tu0 10 00:04:57 1608 5000 0 3 0 172.245.16.16.2 R5(config-if)# ip nhrp shortcut R5(config-if)# tunnel source Serial0/1/0 R5(config-if)# tunnel mode gre multipoint R5(config-if)# tunnel key 123 R5(config-if)# tunnel protection ipsec profile DMVPN R5(config-if)# exi R5(config)# %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R5(config)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0.245.245.16.0.0.0.245.5.0 R5(config-router)#net 192.2 (Tunnel0) is up: new adjacency Verification R2#sh ip eigr neighbors IP-EIGRP neighbors for process 245 H Address Interface Hold Uptime SRTT (sec) (ms) RTO Q Seq Cnt Num 1 172.16.0.4 Tu0 11 00:05:48 1362 0 4 51 R2#sh ip eigr interfaces IP-EIGRP interfaces for process 245 Interface Xmit Queue Mean Pacing Time Multicast Pending SRTT Un/Reliable Flow Timer Routes Peers Un/Reliable Tu0 2 0/0 829 Lo0 0 0/0 0 6/227 0/1 The Hub has neighbor adjacencies with the spokes.245.245.5 0.168.5 0.
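Before going through the show commands it is worth having a mechanical check of the three Tunnel0 stanzas against the Phase 3 rules above (redirect on the Hub, shortcut and NHS on the spokes, mGRE with IPsec tunnel protection everywhere, split horizon disabled for EIGRP on the Hub). The script below is an added example written for this workbook page, not the workbook's own material; the R2 and R4 sample configs are constructed from the values in Steps 1 and 2, and the OSPF point-to-multipoint rule anticipates the OSPF variant of this lab that follows. The role and routing protocol are supplied by the caller, since a config alone does not declare them.

```python
"""Audit DMVPN Phase 3 'interface TunnelN' stanzas for the rules this lab applies.

Added example, not part of the workbook. Rules checked: hub has 'ip nhrp redirect'
and 'ip nhrp map multicast dynamic'; spokes have 'ip nhrp shortcut' and an NHS;
every tunnel is mGRE with IPsec tunnel protection and NHRP authentication; an
EIGRP hub disables split horizon; OSPF tunnels are point-to-multipoint.
"""
import re

# Constructed from the R2 (hub) and R4 (spoke) steps of this lab.
R2_HUB = """
interface Tunnel0
 ip address 172.16.245.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp redirect
 no ip split-horizon eigrp 245
 tunnel source Serial0/1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
"""
R4_SPOKE = """
interface Tunnel0
 ip address 172.16.245.4 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.245.2 10.245.1.2
 ip nhrp map multicast 10.245.1.2
 ip nhrp network-id 123
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.245.2
 ip nhrp shortcut
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
"""
# Deliberately broken OSPF spoke (constructed): no tunnel protection, so GRE
# would go in the clear, and no 'ip ospf network point-to-multipoint'.
BAD_OSPF_SPOKE = R4_SPOKE.replace(" tunnel protection ipsec profile DMVPN\n", "")

RULES = [  # (role or None, routing or None, full-line regex, finding)
    (None, None, r"tunnel mode gre multipoint", "tunnel mode is not gre multipoint"),
    (None, None, r"tunnel protection ipsec profile \S+", "no IPsec tunnel protection"),
    (None, None, r"ip nhrp authentication \S+", "NHRP authentication missing"),
    (None, None, r"ip nhrp network-id \d+", "NHRP network-id missing"),
    (None, None, r"ip mtu 1400", "ip mtu 1400 not set"),
    ("hub", None, r"ip nhrp redirect", "hub lacks 'ip nhrp redirect'"),
    ("hub", None, r"ip nhrp map multicast dynamic", "hub lacks multicast dynamic map"),
    ("spoke", None, r"ip nhrp shortcut", "spoke lacks 'ip nhrp shortcut'"),
    ("spoke", None, r"ip nhrp nhs \S+", "spoke has no NHS configured"),
    ("hub", "eigrp", r"no ip split-horizon eigrp \d+", "EIGRP split horizon still on"),
    (None, "ospf", r"ip ospf network point-to-multipoint", "OSPF type not point-to-multipoint"),
]


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    stanzas, current = {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                stanzas[current] = []
        elif current:                            # indented sub-command
            stanzas[current].append(line.strip())
    return stanzas


def audit_tunnel(cmds, role, routing):
    """Return the findings for one tunnel stanza; an empty list means compliant."""
    findings = []
    for rule_role, rule_proto, pattern, finding in RULES:
        if rule_role not in (None, role) or rule_proto not in (None, routing):
            continue                             # rule does not apply to this device
        if not any(re.fullmatch(pattern, c) for c in cmds):
            findings.append(finding)
    return findings


def audit_config(config, role, routing):
    """Audit every TunnelN stanza in a running-config; returns {name: findings}."""
    return {name: audit_tunnel(cmds, role, routing)
            for name, cmds in parse_interfaces(config).items()
            if name.lower().startswith("tunnel")}


if __name__ == "__main__":
    for label, cfg, role, proto in (("R2 hub/EIGRP", R2_HUB, "hub", "eigrp"),
                                    ("R4 spoke/EIGRP", R4_SPOKE, "spoke", "eigrp"),
                                    ("bad spoke/OSPF", BAD_OSPF_SPOKE, "spoke", "ospf")):
        for tunnel, findings in audit_config(cfg, role, proto).items():
            print(f"{label} {tunnel}: {findings or 'compliant'}")
```

Running a spoke stanza through the hub rules reports exactly the commands that differ between the two roles in this lab, which is a quick way to catch a spoke template pasted onto the Hub.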

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.245.1.0 is directly connected, Serial0/1/0
C    192.168.2.0/24 is directly connected, Loopback0
D    192.168.4.0/24 [90/27008000] via 172.16.245.4, 00:06:53, Tunnel0
D    192.168.5.0/24 [90/27008000] via 172.16.245.5, 00:00:07, Tunnel0

Routing information for the networks behind the spokes is on the Hub.

R2#sh ip nhrp
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:07:38, expire 00:04:21
  Type: dynamic, Flags: unique registered used
  NBMA address: 10.245.1.4
172.16.245.5/32 via 172.16.245.5, Tunnel0 created 00:06:11, expire 00:05:48
  Type: dynamic, Flags: unique registered
  NBMA address: 10.245.1.5

The Spokes are registered in the NHRP database successfully.

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.4 port 500
  IKE SA: local 10.245.1.2/500 remote 10.245.1.4/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.2 host 10.245.1.4
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.245.1.5 port 500
  IKE SA: local 10.245.1.2/500 remote 10.245.1.5/500 Active
  IPSEC FLOW: permit 47 host 10.245.1.2 host 10.245.1.5
        Active SAs: 2, origin: crypto map

R2#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.245.1.2      10.245.1.4             ACTIVE 3des sha  psk  2  23:52:08
       Engine-id:Conn-id =  SW:1

1002  10.245.1.2      10.245.1.5             ACTIVE 3des sha  psk  2  23:53:35
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

The Hub has ISAKMP SAs and IPSec SAs with the spokes. These encrypt the GRE tunnel traffic.

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   current_peer 10.245.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
    #pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.2, remote crypto endpt.: 10.245.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x655C5AD2(1700551378)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9B622E0(162931424)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4495822/3124)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x655C5AD2(1700551378)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4495820/3124)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   current_peer 10.245.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
    #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.2, remote crypto endpt.: 10.245.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xD73908D9(3610839257)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2CB7F3F4(750253044)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4587098/3210)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD73908D9(3610839257)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4587098/3210)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 245
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.245.2            Tu0               13 00:07:47   12  5000  0  7

The Spoke has a neighbor adjacency with the Hub.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.245.1.0 is directly connected, Serial0/0/0
D    192.168.2.0/24 [90/297372416] via 172.16.245.2, 00:07:57, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/298652416] via 172.16.245.2, 00:01:10, Tunnel0

The routing information for the remote network is pointing to the Hub's IP address.

R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.245.2, Tunnel0, 0 dependencies
    next hop 172.16.245.2, Tunnel0
    valid adjacency

The CEF entry is valid, as the spoke has all the information needed to reach the Hub's physical IP address.

R4#sh ip nhrp
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 00:09:05, never expire
  Type: static, Flags: used
  NBMA address: 10.245.1.2

There is a static entry in the NHRP database on the spoke. This entry is used in the NHRP registration process.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.245.1.2      10.245.1.4      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

The ISAKMP SA and IPSec SAs are built with the Hub only. There are no Spoke-to-Spoke IPSec tunnels yet.

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 128, #pkts encrypt: 128, #pkts digest: 128
    #pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.4, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x9B622E0(162931424)

     inbound esp sas:
      spi: 0x655C5AD2(1700551378)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388606/3040)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B622E0(162931424)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388607/3040)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms

Test by pinging the network behind the other spoke.

R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.245.2, Tunnel0, 0 dependencies
    next hop 172.16.245.5, Tunnel0
    valid adjacency

R4#sh ip nhrp
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 00:09:48, never expire
  Type: static, Flags: used
  NBMA address: 10.245.1.2
172.16.245.5/32 via 172.16.245.5, Tunnel0 created 00:00:15, expire 00:05:46
  Type: dynamic, Flags: router
  NBMA address: 10.245.1.5
192.168.4.0/24 via 172.16.245.4, Tunnel0 created 00:00:14, expire 00:05:46
  Type: dynamic, Flags: router unique local
  NBMA address: 10.245.1.4
   (no-socket)
192.168.5.0/24 via 172.16.245.5, Tunnel0 created 00:00:13, expire 00:05:46
  Type: dynamic, Flags: router implicit used
  NBMA address: 10.245.1.5

The NHRP database shows new dynamic entries for the remote spoke and the "local" entry for R4, which is created when sending an NHRP resolution reply.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.245.1.4      10.245.1.5      QM_IDLE           1003    0 ACTIVE
10.245.1.5      10.245.1.4      QM_IDLE           1002    0 ACTIVE
10.245.1.2      10.245.1.4      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify: 165
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.4, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x9B622E0(162931424)

     inbound esp sas:
      spi: 0x655C5AD2(1700551378)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388602/2954)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B622E0(162931424)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388604/2954)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   current_peer 10.245.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

Note that only one ICMP packet out of 5 has been sent through the direct Spoke-to-Spoke tunnel. The rest of the packets have been sent through the Hub.

     local crypto endpt.: 10.245.1.4, remote crypto endpt.: 10.245.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x3CAEA65A(1018078810)

     inbound esp sas:
      spi: 0xD962CE1F(3647131167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4384325/3528)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3CAEA65A(1018078810)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4384325/3528)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Same information on the other spoke.

R5#sh ip eigrp neighbors
IP-EIGRP neighbors for process 245
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.245.2            Tu0               12 00:09:43   20  5000  0  7

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.245.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.245.1.0 is directly connected, Serial0/1/0
D    192.168.2.0/24 [90/297372416] via 172.16.245.2, 00:09:50, Tunnel0
D    192.168.4.0/24 [90/298652416] via 172.16.245.2, 00:09:50, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0

The spoke has routing information for the remote networks pointing to the Hub.

R5#sh ip cef 192.168.4.0
192.168.4.0/24, version 21, epoch 0
0 packets, 0 bytes
  via 172.16.245.2, Tunnel0, 0 dependencies
    next hop 172.16.245.4, Tunnel0
    valid adjacency

R5#sh ip nhrp
172.16.245.2/32 via 172.16.245.2, Tunnel0 created 00:10:09, never expire
  Type: static, Flags: used
  NBMA address: 10.245.1.2
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:02:01, expire 00:03:59
  Type: dynamic, Flags: router
  NBMA address: 10.245.1.4
192.168.4.0/24 via 172.16.245.4, Tunnel0 created 00:02:00, expire 00:03:59
  Type: dynamic, Flags: router implicit
  NBMA address: 10.245.1.4
192.168.5.0/24 via 172.16.245.5, Tunnel0 created 00:02:02, expire 00:03:59
  Type: dynamic, Flags: router unique local
  NBMA address: 10.245.1.5
   (no-socket)

The NHRP entries have been resolved and cached already.

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.245.1.5      10.245.1.2             ACTIVE 3des sha  psk  2  23:49:44
       Engine-id:Conn-id =  SW:1

1002  10.245.1.5      10.245.1.4             ACTIVE 3des sha  psk  2  23:57:51
       Engine-id:Conn-id =  SW:2

1003  10.245.1.5      10.245.1.4             ACTIVE 3des sha  psk  2  23:57:51
       Engine-id:Conn-id =  SW:3

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 156, #pkts encrypt: 156, #pkts digest: 156
    #pkts decaps: 155, #pkts decrypt: 155, #pkts verify: 155
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x2CB7F3F4(750253044)

     inbound esp sas:
      spi: 0xD73908D9(3610839257)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4475924/2980)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2CB7F3F4(750253044)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4475924/2980)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   current_peer 10.245.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xD962CE1F(3647131167)

     inbound esp sas:
      spi: 0x3CAEA65A(1018078810)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4564186/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD962CE1F(3647131167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4564186/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The IPSec SA is built and used for encrypting packets between the spokes.

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

Let's ping to see if the traffic goes through the tunnel.

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.245.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.2/255.255.255.255/47/0)
   current_peer 10.245.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
    #pkts decaps: 158, #pkts decrypt: 158, #pkts verify: 158
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x2CB7F3F4(750253044)

     inbound esp sas:
      spi: 0xD73908D9(3610839257)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4475923/2962)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2CB7F3F4(750253044)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4475923/2962)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.245.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.245.1.4/255.255.255.255/47/0)
   current_peer 10.245.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

Yes, the traffic is crossing the tunnel, as we see 5 more packets encrypted/decrypted.

     local crypto endpt.: 10.245.1.5, remote crypto endpt.: 10.245.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xD962CE1F(3647131167)

     inbound esp sas:
      spi: 0x3CAEA65A(1018078810)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4564186/3449)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD962CE1F(3647131167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4564186/3449)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Lab 1.53. DMVPN Phase 3 (with OSPF)

Depending on the IOS software version you may get slightly different command outputs. This is because the CEF code has changed in IOS 12.4(20)T.

Lab Setup

• R2's S0/1/0, R4's S0/0/0 and R5's S0/1/0 interfaces should be configured in a frame-relay manner using physical interfaces
• Configure Telnet on all routers using password "cisco"

IP Addressing

Device   Interface   IP address
R2       Lo0         192.168.2.2/24
         S0/1/0      10.245.1.2/24
R4       Lo0         192.168.4.4/24
         S0/0/0      10.245.1.4/24
R5       Lo0         192.168.5.5/24
         S0/1/0      10.245.1.5/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R2, R4 and R5, where R2 is acting as a Hub. Traffic originated from every Spoke's loopback interface should be transmitted securely directly to the other spokes. You must ensure that all traffic is CEF switched. You must use the OSPF dynamic routing protocol to let other spokes know about protected networks. Use the following settings when configuring tunnels:

• Tunnel Parameters
  o IP address: 172.16.245.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 123
• NHRP Parameters
  o NHRP ID: 123
  o NHRP Authentication key: cisco123
  o NHRP Hub: R2
• Routing Protocol Parameters
  o OSPF Area 0

Encrypt the GRE traffic using the following parameters:

• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

R2(config)#crypto isakmp policy 10 R2(config-isakmp)# encr 3des R2(config-isakmp)# authentication pre-share R2(config-isakmp)# group 2 R2(config-isakmp)#crypto isakmp key cisco123 address 0. Configuration Complete these steps: Step 1 R2 configuration.0.0 R2(config-if)# ip mtu 1400 R2(config-if)# ip nhrp authentication cisco123 R2(config-if)# ip nhrp map multicast dynamic R2(config-if)# ip nhrp network-id 123 R2(config-if)# ip nhrp redirect This is DMVPN Phase 3.255.255.0. We need to have ‘point-tomultipoint” OSPF network type in DMVPN Phase 3 to Page 646 of 1033 .2 255. To achieve that the OSPF network type must be changed to point-to-multipoint as this type has no DR/BDR election process and changes next hop when advertising the routes further.0.245.16. so do not forget of NHRP Redirect. In DMVPN Phase 3 we need to care of OSPF network type to ensure the Spokes point to the Hub’s IP address for remote networks.0 0.0 R2(config)#crypto ipsec transform-set TSET esp-3des espsha-hmac R2(cfg-crypto-trans)# mode transport R2(cfg-crypto-trans)#crypto ipsec profile DMVPN R2(ipsec-profile)# set transform-set TSET R2(ipsec-profile)#exi R2(config)#int Tunnel0 R2(config-if)# ip address 172.0. R2(config-if)# tunnel source s0/1/0 R2(config-if)# tunnel mode gre multipoint R2(config-if)# tunnel key 123 R2(config-if)# tunnel protection ipsec profile DMVPN R2(config-if)# ip ospf network point-to-multipoint Here’s the change.CCIE SECURITY v4 Lab Workbook  OSPF is always tricky when used in DMVPN scenarios.

…make it work. This will allow the Hub to send summarized routes to the spokes, as the spokes must contact the Hub in the first step to route the packets to the remote network. This is also very important in more advanced scenarios where we need more hubs in the DMVPN Phase 3 network.

R2(config-if)# exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config)#router ospf 1
R2(config-router)#router-id 172.16.245.2
R2(config-router)#network 172.16.245.2 0.0.0.0 area 0
R2(config-router)#network 192.168.2.2 0.0.0.0 area 0
R2(config-router)#exi

Note that we do not configure OSPF priorities, as there is no DR/BDR election process with the OSPF point-to-multipoint network type.

Step 2 R4 configuration.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#int Tunnel0
R4(config-if)# ip address 172.16.245.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.245.2 10.1.245.2
R4(config-if)# ip nhrp map multicast 10.1.245.2
R4(config-if)# ip nhrp network-id 123
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.245.2
R4(config-if)# ip nhrp shortcut

NHRP shortcut should be enabled on the spokes in DMVPN Phase 3.

R4(config-if)# tunnel source Serial0/0/0
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel key 123
R4(config-if)# tunnel protection ipsec profile DMVPN
R4(config-if)# ip ospf network point-to-multipoint

Same on the spokes – OSPF point-to-multipoint network type.

R4(config-if)# exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R4(config)#router ospf 1
R4(config-router)#router-id 172.16.245.4
R4(config-router)#network 172.16.245.4 0.0.0.0 area 0
R4(config-router)#network 192.168.4.4 0.0.0.0 area 0
R4(config-router)#exi
R4(config)#
%OSPF-5-ADJCHG: Process 1, Nbr 172.16.245.2 on Tunnel0 from LOADING to FULL, Loading Done

Step 3 R5 configuration.

R5(config)#crypto isakmp policy 10
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi
R5(config)#int Tunnel0
R5(config-if)# ip address 172.16.245.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.245.2 10.1.245.2
R5(config-if)# ip nhrp map multicast 10.1.245.2
R5(config-if)# ip nhrp network-id 123
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.245.2
R5(config-if)# ip nhrp shortcut
R5(config-if)# tunnel source Serial0/1/0
R5(config-if)# tunnel mode gre multipoint
R5(config-if)# tunnel key 123
R5(config-if)# tunnel protection ipsec profile DMVPN
R5(config-if)# ip ospf network point-to-multipoint

Same on the spokes – OSPF point-to-multipoint network type.

R5(config-if)# exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R5(config)#router ospf 1
R5(config-router)#router-id 172.16.245.5
R5(config-router)#network 172.16.245.5 0.0.0.0 area 0
R5(config-router)#network 192.168.5.5 0.0.0.0 area 0
R5(config-router)#exi
R5(config)#
%OSPF-5-ADJCHG: Process 1, Nbr 172.16.245.2 on Tunnel0 from LOADING to FULL, Loading Done

Verification

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.245.5      0   FULL/  -        00:01:59    172.16.245.5    Tunnel0
172.16.245.4      0   FULL/  -        00:01:49    172.16.245.4    Tunnel0

The Hub has neighbor adjacency with the spokes.

R2#sh ip ospf interface
Loopback0 is up, line protocol is up
  Internet Address 192.168.2.2/24, Area 0
  Process ID 1, Router ID 172.16.245.2, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
Tunnel0 is up, line protocol is up
  Internet Address 172.16.245.2/24, Area 0
  Process ID 1, Router ID 172.16.245.2, Network Type POINT_TO_MULTIPOINT, Cost: 1000
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:24
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled

  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 172.16.245.5
    Adjacent with neighbor 172.16.245.4
  Suppress hello for 0 neighbor(s)

The network type on the Hub is Point-to-Multipoint.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.245.0/24 is directly connected, Tunnel0
O       172.16.245.4/32 [110/1000] via 172.16.245.4, 00:02:39, Tunnel0
O       172.16.245.5/32 [110/1000] via 172.16.245.5, 00:01:22, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.245.0 is directly connected, Serial0/1/0
     192.168.4.0/32 is subnetted, 1 subnets
O       192.168.4.4 [110/1001] via 172.16.245.4, 00:00:53, Tunnel0
     192.168.5.0/32 is subnetted, 1 subnets
O       192.168.5.5 [110/1001] via 172.16.245.5, 00:00:43, Tunnel0
C    192.168.2.0/24 is directly connected, Loopback0

The Hub has the remote networks in its routing table. Note that those networks are "host" prefixes. This is because the loopback interfaces have the OSPF "loopback" network type and thus are advertised as host routes. To change that, configure "ip ospf network point-to-point" on the loopback interfaces.

R2#sh ip nhrp
172.16.245.4/32 via 172.16.245.4
   Tunnel0 created 00:03:10, expire 00:04:14
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.245.4
172.16.245.5/32 via 172.16.245.5
   Tunnel0 created 00:01:45, expire 00:04:48
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.245.5

Both spokes are registered with the NHS successfully.

R2#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  10.1.245.2      10.1.245.4             ACTIVE 3des sha  psk  2  23:56:43
       Engine-id:Conn-id =  SW:1
1002  10.1.245.2      10.1.245.5             ACTIVE 3des sha  psk  2  23:58:08
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

The Hub has an ISAKMP SA and IPSec SAs established with the spokes.

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   current_peer 10.1.245.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.2, remote crypto endpt.: 10.1.245.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xD90CFFE(227594238)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6E5FC564(1851770212)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4393718/3399)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD90CFFE(227594238)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4393717/3399)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   current_peer 10.1.245.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.2, remote crypto endpt.: 10.1.245.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xC52C4105(3308011781)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFAEAE72E(4209698606)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388665/3484)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC52C4105(3308011781)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4388664/3484)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.245.2      0   FULL/  -        00:01:44    172.16.245.2    Tunnel0

The spoke has neighbor adjacency with the Hub. Note that the Hub is NOT DR/BDR in this case.

R4#sh ip ospf interface
Loopback0 is up, line protocol is up
  Internet Address 192.168.4.4/24, Area 0
  Process ID 1, Router ID 172.16.245.4, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
Tunnel0 is up, line protocol is up
  Internet Address 172.16.245.4/24, Area 0
  Process ID 1, Router ID 172.16.245.4, Network Type POINT_TO_MULTIPOINT, Cost: 11111
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:24
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.245.2
  Suppress hello for 0 neighbor(s)

OSPF network type "point-to-multipoint" is configured.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.245.0/24 is directly connected, Tunnel0
O       172.16.245.2/32 [110/11111] via 172.16.245.2, 00:03:23, Tunnel0
O       172.16.245.5/32 [110/12111] via 172.16.245.2, 00:01:48, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.245.0 is directly connected, Serial0/0/0
C    192.168.4.0/24 is directly connected, Loopback0
     192.168.5.0/32 is subnetted, 1 subnets
O       192.168.5.5 [110/12112] via 172.16.245.2, 00:01:27, Tunnel0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.2 [110/11112] via 172.16.245.2, 00:02:05, Tunnel0

The spoke has routes to the networks behind the other spoke via the Hub. This is achieved by the configured OSPF network type.

R4#sh ip cef 192.168.5.5
192.168.5.5/32, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.245.2, Tunnel0, 0 dependencies
    next hop 172.16.245.2, Tunnel0
    valid adjacency

The CEF entry is "valid" as the spoke has all the information it needs to reach the Hub.

R4#sh ip nhrp
172.16.245.2/32 via 172.16.245.2
   Tunnel0 created 00:04:05, never expire
   Type: static, Flags: used
   NBMA address: 10.1.245.2

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  10.1.245.4      10.1.245.2             ACTIVE 3des sha  psk  2  23:55:48
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

There is an ISAKMP SA and an IPSec SA established with the Hub only. There are no SAs with the other spoke yet.

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   current_peer 10.1.245.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.4, remote crypto endpt.: 10.1.245.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x6E5FC564(1851770212)

     inbound esp sas:
      spi: 0xD90CFFE(227594238)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4481079/3341)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E5FC564(1851770212)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4481080/3341)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/60 ms

Test by pinging the remote network. Remember to source that ping from the network behind the spoke.

R4#sh ip nhrp
172.16.245.2/32 via 172.16.245.2
   Tunnel0 created 00:04:52, never expire
   Type: static, Flags: used
   NBMA address: 10.1.245.2
172.16.245.5/32 via 172.16.245.5
   Tunnel0 created 00:00:21, expire 00:05:39
   Type: dynamic, Flags: router
   NBMA address: 10.1.245.5
192.168.4.0/24 via 172.16.245.4
   Tunnel0 created 00:00:20, expire 00:05:39
   Type: dynamic, Flags: router unique local
   NBMA address: 10.1.245.4
    (no-socket)
192.168.5.0/24 via 172.16.245.5
   Tunnel0 created 00:00:20, expire 00:05:39
   Type: dynamic, Flags: router implicit
   NBMA address: 10.1.245.5

NHRP has added dynamic entries for the other spoke.

R4#sh ip cef 192.168.5.5
192.168.5.5/32, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.245.5, Tunnel0, 0 dependencies
    next hop 172.16.245.5, Tunnel0
    valid adjacency

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1003  10.1.245.4      10.1.245.5             ACTIVE 3des sha  psk  2  23:59:25
       Engine-id:Conn-id =  SW:3
1001  10.1.245.4      10.1.245.2             ACTIVE 3des sha  psk  2  23:54:53
       Engine-id:Conn-id =  SW:1
1002  10.1.245.5      10.1.245.4             ACTIVE 3des sha  psk  2  23:59:25
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

The ISAKMP and IPSec SAs have been negotiated with the other spoke.

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   current_peer 10.1.245.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.4, remote crypto endpt.: 10.1.245.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x6E5FC564(1851770212)

     inbound esp sas:
      spi: 0xD90CFFE(227594238)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4481078/3289)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E5FC564(1851770212)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4481079/3289)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   current_peer 10.1.245.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Note that this time no packets have been sent through the direct tunnel; all packets have been sent through the Hub. However, the next packets should use the direct spoke-to-spoke tunnel.

     local crypto endpt.: 10.1.245.4, remote crypto endpt.: 10.1.245.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0xB8BE4200(3099476480)

     inbound esp sas:
      spi: 0x7ACB8793(2060158867)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4472866/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x4CD42BBF(1288973247)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4474527/3591)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x81623FED(2170699757)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4472866/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xB8BE4200(3099476480)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4474527/3591)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

Try to ping again.

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   current_peer 10.1.245.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.4, remote crypto endpt.: 10.1.245.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x6E5FC564(1851770212)

     inbound esp sas:
      spi: 0xD90CFFE(227594238)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4481078/3266)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E5FC564(1851770212)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4481079/3266)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   current_peer 10.1.245.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.4, remote crypto endpt.: 10.1.245.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0xB8BE4200(3099476480)

See that all ICMP packets have been sent through the spoke-to-spoke tunnel.
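The check the workbook performs by eye above (compare the per-peer "#pkts encaps"/"#pkts decaps" counters before and after a ping to see whether the traffic used the hub SA or the spoke-to-spoke SA) is easy to automate when many spokes are involved. The following is an added example, not code from the workbook or from Cisco: it parses `show crypto ipsec sa` output into per-peer counters, diffs two snapshots, and classifies where a known number of test packets went. The two captures embedded in the script are constructed to match the IOS output format shown in this lab; the counter values and SPIs are made up for the example.

```python
import re
from typing import Dict, Tuple

# Constructed "show crypto ipsec sa" snapshots (format as in the lab, values made up).
# SA_BEFORE: only the hub SA (10.1.245.2) has carried traffic; the spoke-to-spoke
# SA towards 10.1.245.5 exists but is idle.
SA_BEFORE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   current_peer 10.1.245.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
     current outbound spi: 0x6E5FC564(1851770212)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   current_peer 10.1.245.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0xB8BE4200(3099476480)
"""

# SA_AFTER: snapshot taken after a 5-packet ping sourced from the spoke LAN.
SA_AFTER = SA_BEFORE.replace("encaps: 32, #pkts encrypt: 32, #pkts digest: 32",
                             "encaps: 33, #pkts encrypt: 33, #pkts digest: 33") \
                    .replace("decaps: 39, #pkts decrypt: 39, #pkts verify: 39",
                             "decaps: 40, #pkts decrypt: 40, #pkts verify: 40") \
                    .replace("encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                             "encaps: 5, #pkts encrypt: 5, #pkts digest: 5") \
                    .replace("decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                             "decaps: 5, #pkts decrypt: 5, #pkts verify: 5")

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)\s+port\s+\d+", re.M)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SPI_RE = re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> Dict[str, dict]:
    """Return {peer: {"encaps", "decaps", "spi"}} for every current_peer block.

    A peer's block runs from its current_peer line up to the next current_peer
    line, which is where IOS prints that peer's counters and outbound SPI."""
    peers: Dict[str, dict] = {}
    marks = list(PEER_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        block = text[m.end():end]
        enc, dec, spi = ENCAPS_RE.search(block), DECAPS_RE.search(block), SPI_RE.search(block)
        peers[m.group(1)] = {
            "encaps": int(enc.group(1)) if enc else 0,
            "decaps": int(dec.group(1)) if dec else 0,
            "spi": spi.group(1) if spi else None,
        }
    return peers


def counter_delta(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, Tuple[int, int]]:
    """Per-peer (encaps, decaps) growth between two snapshots; new peers count from zero."""
    delta = {}
    for peer, now in after.items():
        old = before.get(peer, {"encaps": 0, "decaps": 0})
        delta[peer] = (now["encaps"] - old["encaps"], now["decaps"] - old["decaps"])
    return delta


def traffic_path(delta: Dict[str, Tuple[int, int]], hub: str, expected_pkts: int) -> str:
    """Classify where expected_pkts test packets were encapsulated.

    "direct": non-hub SAs absorbed all of them and the hub SA grew by fewer
    (a small hub increase is normal: routing-protocol hellos ride that SA).
    "hub": the hub SA grew by at least that many and no direct SA was used."""
    hub_enc = delta.get(hub, (0, 0))[0]
    direct_enc = sum(enc for peer, (enc, _) in delta.items() if peer != hub)
    if direct_enc >= expected_pkts and hub_enc < expected_pkts:
        return "direct"
    if hub_enc >= expected_pkts and direct_enc == 0:
        return "hub"
    return "mixed"


if __name__ == "__main__":
    d = counter_delta(parse_ipsec_sa(SA_BEFORE), parse_ipsec_sa(SA_AFTER))
    for peer, (enc, dec) in d.items():
        print(f"{peer}: +{enc} encaps, +{dec} decaps")
    print("path:", traffic_path(d, hub="10.1.245.2", expected_pkts=5))
```

In practice you would capture the two snapshots from the spoke's CLI, run the ping from the LAN behind it, and feed both captures to `counter_delta`; a "hub" result after the second ping means the NHRP shortcut never installed and the traffic is still hairpinning through the hub, which is also what you would see if the spoke-to-spoke IPsec negotiation were failing.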

     inbound esp sas:
      spi: 0x4CD42BBF(1288973247)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4474526/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB8BE4200(3099476480)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4474526/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The same set of commands on the other spoke.

R5#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.245.2      0   FULL/  -        00:01:39    172.16.245.2    Tunnel0

R5#sh ip ospf interface
Loopback0 is up, line protocol is up
  Internet Address 192.168.5.5/24, Area 0
  Process ID 1, Router ID 172.16.245.5, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
Tunnel0 is up, line protocol is up
  Internet Address 172.16.245.5/24, Area 0
  Process ID 1, Router ID 172.16.245.5, Network Type POINT_TO_MULTIPOINT, Cost: 11111
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:23
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.245.2
  Suppress hello for 0 neighbor(s)

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.245.0/24 is directly connected, Tunnel0
O       172.16.245.2/32 [110/11111] via 172.16.245.2, 00:04:34, Tunnel0
O       172.16.245.4/32 [110/12111] via 172.16.245.2, 00:04:34, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.245.0 is directly connected, Serial0/1/0
     192.168.4.0/32 is subnetted, 1 subnets
O       192.168.4.4 [110/12112] via 172.16.245.2, 00:04:15, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.2 [110/11112] via 172.16.245.2, 00:04:04, Tunnel0

R5#sh ip cef 192.168.4.4
192.168.4.4/32, version 21, epoch 0
0 packets, 0 bytes
  via 172.16.245.4, Tunnel0, 0 dependencies
    next hop 172.16.245.4, Tunnel0
    valid adjacency

R5#sh ip nhrp
172.16.245.2/32 via 172.16.245.2
   Tunnel0 created 00:05:03, never expire
   Type: static, Flags: used
   NBMA address: 10.1.245.2
172.16.245.4/32 via 172.16.245.4
   Tunnel0 created 00:01:56, expire 00:04:03
   Type: dynamic, Flags: router
   NBMA address: 10.1.245.4
192.168.4.0/24 via 172.16.245.4
   Tunnel0 created 00:01:56, expire 00:04:03
   Type: dynamic, Flags: router implicit
   NBMA address: 10.1.245.4
192.168.5.0/24 via 172.16.245.5
   Tunnel0 created 00:01:56, expire 00:04:03
   Type: dynamic, Flags: router unique local
   NBMA address: 10.1.245.5

    (no-socket)

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  10.1.245.5      10.1.245.2             ACTIVE 3des sha  psk  2  23:54:50
       Engine-id:Conn-id =  SW:1
1003  10.1.245.5      10.1.245.4             ACTIVE 3des sha  psk  2  23:57:57
       Engine-id:Conn-id =  SW:3
1002  10.1.245.4      10.1.245.5             ACTIVE 3des sha  psk  2  23:57:57
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   current_peer 10.1.245.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.5, remote crypto endpt.: 10.1.245.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xFAEAE72E(4209698606)

     inbound esp sas:
      spi: 0xC52C4105(3308011781)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4522359/3286)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFAEAE72E(4209698606)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4522360/3286)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   current_peer 10.1.245.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Those are the packets sent from R4.

     local crypto endpt.: 10.1.245.5, remote crypto endpt.: 10.1.245.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x4CD42BBF(1288973247)

     inbound esp sas:
      spi: 0xB8BE4200(3099476480)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551728/3503)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4CD42BBF(1288973247)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551728/3503)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

Try to ping R4's network to see if the packets get encrypted/decrypted.

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.245.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.2/255.255.255.255/47/0)
   current_peer 10.1.245.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.245.5, remote crypto endpt.: 10.1.245.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0xFAEAE72E(4209698606)

     inbound esp sas:
      spi: 0xC52C4105(3308011781)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4522358/3268)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFAEAE72E(4209698606)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4522360/3268)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.245.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.245.4/255.255.255.255/47/0)
   current_peer 10.1.245.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

It seems everything is working!

     local crypto endpt.: 10.1.245.5, remote crypto endpt.: 10.1.245.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0
     current outbound spi: 0x4CD42BBF(1288973247)

     inbound esp sas:
      spi: 0xB8BE4200(3099476480)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551727/3485)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4CD42BBF(1288973247)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551727/3485)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Lab 1.54. DMVPN Phase 2 Dual Hub (Single Cloud)

Depending on the IOS software version you may get slightly different command outputs. This is because the CEF code changed in IOS 12.2(20)T.

Lab Setup
• R1's F0/0 and R6's F0/0 interface should be configured in VLAN 16
• R1's F0/1 and R2's G0/1 interface should be configured in VLAN 12
• R2's G0/0 and R6's F0/1 interface should be configured in VLAN 26
• R6's S0/1/0 and R4's S0/0/0 interface should be configured in a frame-relay point-to-point manner
• R6's S0/1/0 and R5's S0/1/0 interface should be configured in a frame-relay point-to-point manner
• Configure Telnet on all routers using password "cisco"
• Configure default routing on R1, R2, R4 and R5 pointing to R6

IP Addressing

Device   Interface    IP address
R1       F0/0         10.1.16.1/24
         F0/1         192.168.1.1/24
R2       G0/0         10.1.26.2/24
         G0/1         192.168.2.2/24
R4       S0/0/0.46    10.1.64.4/24
         Lo0          192.168.4.4/24
R5       S0/1/0.56    10.1.65.5/24
         Lo0          192.168.5.5/24
R6       F0/0         10.1.16.6/24
         F0/1         10.1.26.6/24
         S0/1/0.64    10.1.64.6/24
         S0/1/0.65    10.1.65.6/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R1, R2, R4 and R5, where R1 and R2 are acting as Hubs. High availability must be achieved by configuring two NHSs on the spokes. Traffic originated from every spoke's loopback interface and from the Hub's F0/1 (G0/1) interface should be transmitted securely and directly to the other spokes. You must use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks. Use the following settings when configuring the tunnels:

• Tunnel Parameters
  o IP address: 172.16.145.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 145
• NHRP Parameters
  o NHRP ID: 145
  o NHRP Authentication key: cisco123
  o NHRP Hub: R1
• Routing Protocol Parameters
  o EIGRP 145

Encrypt the GRE traffic using the following parameters:

• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

With a few additional configuration lines on the spoke routers you can set up dual (or multiple) hub routers for redundancy. There are two ways to configure dual hub DMVPNs:

1. Dual DMVPN networks, with each spoke having two GRE tunnel interfaces (either point-to-point or multipoint) and each GRE tunnel connected to a different hub router. The hub routers will only have a single multipoint GRE tunnel interface.
2. A single DMVPN network, with each spoke using a single multipoint GRE tunnel interface and pointing to two different hubs as its Next-Hop Servers (NHS). Again, the hub routers will only have a single multipoint GRE tunnel interface.

Dual Hub - Single DMVPN Layout

The idea in this case is to have a single DMVPN "cloud" with all hubs (two in this case) and all spokes connected to this single subnet ("cloud"). The dual hub with a single DMVPN layout is fairly easy to set up, but it does not give you as much control over the routing across the DMVPN as the dual hub with dual DMVPNs layout does. The static NHRP mappings from the spokes to the hubs define the static IPsec+mGRE links over which the dynamic routing protocol will run. The dynamic routing protocol will not run over the dynamic IPsec+mGRE links between spokes. Since the spoke routers are routing neighbors with the hub routers over the same mGRE tunnel interface, you cannot use link or interface

differences (like metric, cost, delay, or bandwidth) to modify the dynamic routing protocol metrics to prefer one hub over the other hub when they are both up. If this preference is needed, then techniques internal to the configuration of the routing protocol must be used. For this reason, it may be better to use EIGRP rather than OSPF for the dynamic routing protocol.

Configuration

Complete these steps:

Step 1 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encr 3des
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport
R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)# set transform-set TSET

There is only one Tunnel interface (GRE multipoint type) on each Hub.

R1(ipsec-profile)#interface Tunnel0
R1(config-if)# ip address 172.16.145.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip nhrp authentication cisco145
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# ip nhrp network-id 145
R1(config-if)# no ip split-horizon eigrp 145
R1(config-if)# no ip next-hop-self eigrp 145

This is DMVPN Phase 2 with EIGRP scenario so that we need to turn off Split Horizon and next hop changing on the Hub.

R1(config-if)# tunnel source FastEthernet0/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# tunnel key 145
R1(config-if)# tunnel protection ipsec profile DMVPN
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)# exi

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#router eigrp 145
R1(config-router)# network 172.16.145.1 0.0.0.0
R1(config-router)# network 192.168.12.1 0.0.0.0
R1(config-router)# no auto-summary
R1(config-router)# exi

Step 2 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)#crypto ipsec profile DMVPN
R2(ipsec-profile)# set transform-set TSET
R2(ipsec-profile)#exi

There is only one Tunnel interface (GRE multipoint type) on each Hub.

R2(config)#interface Tunnel0
R2(config-if)# ip address 172.16.145.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip nhrp authentication cisco145
R2(config-if)# ip nhrp map multicast dynamic
R2(config-if)# ip nhrp network-id 145
R2(config-if)# no ip split-horizon eigrp 145
R2(config-if)# no ip next-hop-self eigrp 145

This is DMVPN Phase 2 with EIGRP scenario so that we need to turn off Split Horizon and next hop changing on the Hub.

R2(config-if)# tunnel source GigabitEthernet0/0
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 145
R2(config-if)# tunnel protection ipsec profile DMVPN
R2(config-if)# exi
R2(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

R2(config)#router eigrp 145
R2(config-router)# no auto-summary
R2(config-router)# network 172.16.145.2 0.0.0.0
R2(config-router)# network 192.168.12.2 0.0.0.0
R2(config-router)# exi
R2(config)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 192.168.12.1 (FastEthernet0/1) is up: new adjacency

Step 3 R4 configuration.

R4(config)#crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET

Note that all tunnels are in the same subnet!

R4(ipsec-profile)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco145
R4(config-if)# ip nhrp map 172.16.145.1 10.1.16.1
R4(config-if)# ip nhrp map multicast 10.1.16.1
R4(config-if)# ip nhrp map 172.16.145.2 10.1.26.2
R4(config-if)# ip nhrp map multicast 10.1.26.2

Since we use two NHSes we need two static mappings on the spoke.

R4(config-if)# ip nhrp network-id 145
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# ip nhrp nhs 172.16.145.2

The spoke has only one multipoint tunnel, but two NHSes specified in the configuration. The spoke tries to register in both NHSes. When one NHS is down the spoke always has another NHS to use.

R4(config-if)# tunnel source Serial0/0/0.46
R4(config-if)# tunnel mode gre multipoint

R4(config-if)# tunnel key 145
R4(config-if)# tunnel protection ipsec profile DMVPN
R4(config-if)# exi
R4(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R4(config)#router eigrp 145
R4(config-router)# no auto-summary
R4(config-router)# network 172.16.145.4 0.0.0.0
R4(config-router)# network 192.168.4.4 0.0.0.0
R4(config-router)# exi
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R4(config)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.2 (Tunnel0) is up: new adjacency

Note that two EIGRP adjacencies are built.

Step 4 R5 configuration.

R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco145
R5(config-if)# ip nhrp map 172.16.145.1 10.1.16.1
R5(config-if)# ip nhrp map multicast 10.1.16.1
R5(config-if)# ip nhrp map 172.16.145.2 10.1.26.2
R5(config-if)# ip nhrp map multicast 10.1.26.2

Since we use two NHSes we need two static mappings on the spoke.

R5(config-if)# ip nhrp network-id 145

R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1
R5(config-if)# ip nhrp nhs 172.16.145.2

The spoke has only one multipoint tunnel, but two NHSes specified in the configuration. The spoke tries to register in both NHSes. When one NHS is down the spoke always has another NHS to use.

R5(config-if)# tunnel source Serial0/1/0.56
R5(config-if)# tunnel mode gre multipoint
R5(config-if)# tunnel key 145
R5(config-if)# tunnel protection ipsec profile DMVPN
R5(config-if)# exi
R5(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R5(config)#router eigrp 145
R5(config-router)# no auto-summary
R5(config-router)# network 172.16.145.5 0.0.0.0
R5(config-router)# network 192.168.5.5 0.0.0.0
R5(config-router)# exi
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.2 (Tunnel0) is up: new adjacency
R5(config)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency

Note that two EIGRP adjacencies are built.

Verification

R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   172.16.145.5            Tu0               11 00:00:53  183  5000  0  6
1   172.16.145.4            Tu0               13 00:03:07  107  5000  0  10
0   192.168.12.2            Fa0/1             11 00:06:33    1   200  0  16

The hub has three EIGRP neighbors. Two of them are spokes and one is the other Hub.

R1#sh ip eigrp interfaces
IP-EIGRP interfaces for process 145

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu0                2        0/0       145       71/2524       568          0
Fa0/1              1        0/0         1        0/1           50          0

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.16.6 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.16.0 is directly connected, FastEthernet0/0
C    192.168.12.0/24 is directly connected, FastEthernet0/1
D    192.168.4.0/24 [90/27010560] via 192.168.12.2, 00:03:18, FastEthernet0/1
D    192.168.5.0/24 [90/27010560] via 192.168.12.2, 00:01:03, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.1.16.6

Note that R1 sees remote networks behind the Spokes through R2. This is expected as EIGRP metric is better for that path. See the below output:

R1#sh int tu0 | in BW
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
R1#sh int f0/1 | in BW
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

Note that the default bandwidth and delay of Tunnel interface is 9Kb/s and 500000usec. However, the default values on the FastEthernet interface are much better: 100000Kb/s and 100usec. This is why we see better metric to the network behind the spokes through the R2. This is certainly not the best path and needs to be manually changed as described in the next lab.

R1#sh ip route 192.168.4.0
Routing entry for 192.168.4.0/24
  Known via "eigrp 145", distance 90, metric 27010560, type internal
  Redistributing via eigrp 145
  Last update from 192.168.12.2 on FastEthernet0/1, 00:00:14 ago
  Routing Descriptor Blocks:
  * 192.168.12.2, from 192.168.12.2, 00:00:14 ago, via FastEthernet0/1

      Route metric is 27010560, traffic share count is 1
      Total delay is 55100 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:03:26, expire 00:04:46
  Type: dynamic, Flags: unique registered
  NBMA address: 10.1.64.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:01:13, expire 00:05:41
  Type: dynamic, Flags: unique registered
  NBMA address: 10.1.65.5

First Hub has both Spokes registered via NHRP.

R1#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.16.1       10.1.64.4              ACTIVE 3des sha    psk  2  23:56:28
       Engine-id:Conn-id = SW:1

1002  10.1.16.1       10.1.65.5              ACTIVE 3des sha    psk  2  23:58:40
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R1 has ISAKMP SA and IPSec SAs set up with both spokes. No IPSec between the Hubs.

R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   current_peer 10.1.64.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 64, #pkts encrypt: 64, #pkts digest: 64
    #pkts decaps: 65, #pkts decrypt: 65, #pkts verify: 65
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.16.1, remote crypto endpt.: 10.1.64.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x56A0EB85(1453386629)

     inbound esp sas:
      spi: 0xEFBE50D1(4022227153)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4446287/3383)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x56A0EB85(1453386629)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4446287/3383)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.65.5/255.255.255.255/47/0)
   current_peer 10.1.65.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.16.1, remote crypto endpt.: 10.1.65.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xFAC2EC42(4207078466)

     inbound esp sas:
      spi: 0xD892939A(3633484698)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4579213/3515)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFAC2EC42(4207078466)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4579213/3515)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   172.16.145.5            Tu0               11 00:01:39  135  1362  0  7
1   172.16.145.4            Tu0               14 00:03:52  160  1362  0  10
0   192.168.12.1            Gi0/1             13 00:07:19    1   200  0  16

The second Hub has neighbor adjacencies with two Spokes and the first Hub.

R2#sh ip eigrp interfaces
IP-EIGRP interfaces for process 145

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu0                2        0/0       147        6/227         348          0
Gi0/1              1        0/0         1        0/1           50          0

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.26.6 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.26.0 is directly connected, GigabitEthernet0/0
C    192.168.12.0/24 is directly connected, GigabitEthernet0/1
D    192.168.4.0/24 [90/27008000] via 172.16.145.4, 00:04:03, Tunnel0
D    192.168.5.0/24 [90/27008000] via 172.16.145.5, 00:01:49, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.26.6

Since it has better metric to the remote networks than R1 it sees them by the Tunnel interface.

R2#sh ip nhrp
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:04:09, expire 00:04:57
  Type: dynamic, Flags: unique registered
  NBMA address: 10.1.64.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:01:57, expire 00:04:02
  Type: dynamic, Flags: unique registered
  NBMA address: 10.1.65.5

R2 has both Spokes registered in the NHS.

R2#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.26.2       10.1.64.4              ACTIVE 3des sha    psk  2  23:55:44
       Engine-id:Conn-id = SW:1

1002  10.1.26.2       10.1.65.5              ACTIVE 3des sha    psk  2  23:57:56
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

ISAKMP SA and IPSec SAs are built with both Spokes.
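The metrics shown above (27010560 on R1 for the path through R2 over Fa0/1, 27008000 on R2 over its own Tunnel0, and the 29xxxxxxx values the spokes will show) all come from the classic EIGRP formula, so the hub preference can be checked on paper before touching bandwidth or delay. The following Python is an added example and is not workbook code. It takes the Tunnel0 and Fa0/1 figures from the show interface output above; two values are assumptions rather than page facts: the IOS default loopback delay of 5000 usec, and 100 Kbit / 50000 usec for R2's Tunnel0, which is what R2's 27008000 metric implies.

```python
def eigrp_classic_metric(min_bw_kbit, total_delay_usec):
    """Classic EIGRP composite metric with the default K values
    (K1 = K3 = 1, K2 = K4 = K5 = 0): 256 * (10^7 / min_bw + delay / 10).
    IOS truncates both divisions to integers before scaling by 256."""
    return 256 * (10_000_000 // min_bw_kbit + total_delay_usec // 10)


def path_metric(hops):
    """hops: (bandwidth_kbit, delay_usec) for every interface the route is
    learned through, from the local ingress interface out to the
    destination interface. Bandwidth takes the minimum, delay the sum."""
    return eigrp_classic_metric(min(bw for bw, _ in hops),
                                sum(d for _, d in hops))


# Interface figures. The first two are from the "show int ... | in BW"
# output in the lab; the last two are assumptions (see the lead-in).
TUNNEL_9K = (9, 500000)          # R1 Tunnel0: BW 9 Kbit, DLY 500000 usec
FASTETHERNET = (100000, 100)     # R1 Fa0/1: BW 100000 Kbit, DLY 100 usec
R2_TUNNEL = (100, 50000)         # assumption: implied by R2's 27008000 metric
LOOPBACK = (8000000, 5000)       # assumption: IOS loopback defaults


def r1_metrics_to_spoke_loopback():
    """R1's two candidate paths to a spoke loopback such as 192.168.4.0/24:
    through R2 over Fa0/1 (what the routing table shows), or directly over
    its own Tunnel0. Returns (via_r2, via_own_tunnel)."""
    via_r2 = path_metric([FASTETHERNET, R2_TUNNEL, LOOPBACK])
    via_own_tunnel = path_metric([TUNNEL_9K, LOOPBACK])
    return via_r2, via_own_tunnel


if __name__ == "__main__":
    via_r2, via_tunnel = r1_metrics_to_spoke_loopback()
    print(f"R1 via R2/Fa0/1 : {via_r2}")        # 27010560, as in show ip route
    print(f"R1 via Tunnel0  : {via_tunnel}")    # far worse because BW 9 Kbit dominates
    print(f"R5 via Tunnel0  : {eigrp_classic_metric(9, 555000)}")  # 298652416
```

The bandwidth term is what decides: 10^7 / 9 Kbit contributes 1111111 before scaling, against 100000 for a 100 Kbit link, so no tunnel delay tweak alone can make R1 prefer its own mGRE interface while the tunnel bandwidth stays at 9 Kbit.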

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.26.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.26.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   current_peer 10.1.64.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 75, #pkts encrypt: 75, #pkts digest: 75
    #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.26.2, remote crypto endpt.: 10.1.64.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x790BF682(2030827138)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4D4D0F27(1296895783)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4411126/3339)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x790BF682(2030827138)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4411125/3339)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.26.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.65.5/255.255.255.255/47/0)
   current_peer 10.1.65.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 41, #pkts decrypt: 41, #pkts verify: 41
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.26.2, remote crypto endpt.: 10.1.65.5
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x73CE7CBE(1942912190)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3454DCB6(877976758)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4516057/3471)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x73CE7CBE(1942912190)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4516057/3471)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.145.2            Tu0               13 00:04:38   22  5000  0  15
0   172.16.145.1            Tu0               12 00:04:38   71  5000  0  15

R4 is the Spoke. It has EIGRP adjacencies with both Hubs.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.64.6 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.64.0 is directly connected, Serial0/0/0.46
D    192.168.12.0/24 [90/297246976] via 172.16.145.2, 00:04:44, Tunnel0
                     [90/297246976] via 172.16.145.1, 00:04:44, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/298652416] via 172.16.145.5, 00:02:29, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.64.6

The network behind the Hubs is accessible equally via both Hubs. The Spoke sees the network behind other Spoke (R5) through R5. This is because of "no ip next-hop-self eigrp" command configured on the Hubs.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:08:20, never expire
  Type: static, Flags: used
  NBMA address: 10.1.16.1
172.16.145.2/32 via 172.16.145.2, Tunnel0 created 00:08:20, never expire
  Type: static, Flags: used
  NBMA address: 10.1.26.2

R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.145.5, Tunnel0, 0 dependencies
    next hop 172.16.145.5, Tunnel0
    invalid adjacency

The CEF entry is "invalid" as the router has no clue how to route the packet out (what physical interface to use).

Static NHRP entries are configured on the spoke to make registration happen in the NHSes.

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.64.4       10.1.26.2              ACTIVE 3des sha    psk  2  23:54:24
       Engine-id:Conn-id = SW:1

1002  10.1.64.4       10.1.16.1              ACTIVE 3des sha    psk  2  23:54:24
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

The spoke has ISAKMP SA and IPSec SAs set up with both Hubs.

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.64.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.16.1/255.255.255.255/47/0)
   current_peer 10.1.16.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
    #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.16.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xEFBE50D1(4022227153)

     inbound esp sas:
      spi: 0x56A0EB85(1453386629)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551007/3258)

        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEFBE50D1(4022227153)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551007/3258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.26.2/255.255.255.255/47/0)
   current_peer 10.1.26.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
    #pkts decaps: 94, #pkts decrypt: 94, #pkts verify: 94
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x4D4D0F27(1296895783)

     inbound esp sas:
      spi: 0x790BF682(2030827138)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4590970/3258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4D4D0F27(1296895783)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4590971/3258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4# ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/96/108 ms

Test it by pinging the remote network behind the other Spoke. The ping is successful.

R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.145.5, Tunnel0, 0 dependencies
    next hop 172.16.145.5, Tunnel0
    valid adjacency

The CEF entry is "valid" now, so that the router can use it to switch the packets through the direct spoke-to-spoke tunnel.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:08:55, never expire
  Type: static, Flags: used
  NBMA address: 10.1.16.1
172.16.145.2/32 via 172.16.145.2, Tunnel0 created 00:08:55, never expire
  Type: static, Flags: used
  NBMA address: 10.1.26.2
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:00:10, expire 00:05:51
  Type: dynamic, Flags: router unique local
  NBMA address: 10.1.64.4
    (no-socket)
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:00:09, expire 00:05:51
  Type: dynamic, Flags: router
  NBMA address: 10.1.65.5
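The NHRP cache above is the first thing to read when checking that a spoke still has both NHSes available: each hub must keep a static mapping to the right NBMA address, and an IKE SA must be up with that NBMA address. The Python below is an added example, not workbook code, that parses the two outputs and reports what is missing. The sample text is constructed to match the show ip nhrp and show crypto isakmp sa formats used in this lab, with R4's addresses from the topology; the HUBS table is the checker's own input and is not an IOS command.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output (not a capture from the lab routers), modelled on
# the "show ip nhrp" and "show crypto isakmp sa" formats shown in this lab,
# using R4's addresses from the lab topology.
SHOW_IP_NHRP = """\
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:08:55, never expire
  Type: static, Flags: used
  NBMA address: 10.1.16.1
172.16.145.2/32 via 172.16.145.2, Tunnel0 created 00:08:55, never expire
  Type: static, Flags: used
  NBMA address: 10.1.26.2
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:00:10, expire 00:05:51
  Type: dynamic, Flags: router unique local
  NBMA address: 10.1.64.4
    (no-socket)
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:00:09, expire 00:05:51
  Type: dynamic, Flags: router
  NBMA address: 10.1.65.5
"""

SHOW_CRYPTO_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.64.4       10.1.65.5       QM_IDLE           1004    0 ACTIVE
10.1.26.2       10.1.64.4       QM_IDLE           1001    0 ACTIVE
10.1.65.5       10.1.64.4       QM_IDLE           1003    0 ACTIVE
10.1.16.1       10.1.64.4       QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# The two NHSes this spoke must keep: tunnel address -> NBMA (physical) address.
HUBS = {"172.16.145.1": "10.1.16.1", "172.16.145.2": "10.1.26.2"}


@dataclass
class NhrpEntry:
    tunnel_ip: str
    nbma: str = ""
    kind: str = ""                       # "static" (configured) or "dynamic"
    flags: set = field(default_factory=set)


_ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ")
_TYPE = re.compile(r"Type: (\w+), Flags: (.*)$")
_NBMA = re.compile(r"NBMA address: (\d+\.\d+\.\d+\.\d+)")
_SA = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+\d+\s+(\S+)$")


def parse_nhrp(text):
    """Group the multi-line NHRP cache dump into one record per tunnel peer."""
    entries, cur = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            cur = NhrpEntry(m.group(1))
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = _TYPE.search(line)
        if m:
            cur.kind, cur.flags = m.group(1), set(m.group(2).split())
            continue
        m = _NBMA.search(line)
        if m:
            cur.nbma = m.group(1)
    return entries


def parse_isakmp(text):
    """Return the IKE SA rows as dicts; header and section lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _SA.match(line.strip())
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(5)})
    return rows


def check_dual_hub(nhrp_text, isakmp_text, hubs):
    """Return a list of problems; an empty list means both NHSes are usable:
    a static NHRP mapping exists for each hub, it points at the expected NBMA
    address, and an established (QM_IDLE/ACTIVE) IKE SA exists with that NBMA."""
    entries = {e.tunnel_ip: e for e in parse_nhrp(nhrp_text)}
    ike_peers = set()
    for sa in parse_isakmp(isakmp_text):
        if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE":
            ike_peers.update((sa["dst"], sa["src"]))
    problems = []
    for tunnel_ip, nbma in hubs.items():
        entry = entries.get(tunnel_ip)
        if entry is None or entry.kind != "static":
            problems.append(f"no static NHRP mapping for hub {tunnel_ip}")
            continue
        if entry.nbma != nbma:
            problems.append(f"hub {tunnel_ip} maps to {entry.nbma}, expected {nbma}")
        if nbma not in ike_peers:
            problems.append(f"no active IKE SA with hub {nbma}")
    return problems


if __name__ == "__main__":
    print(check_dual_hub(SHOW_IP_NHRP, SHOW_CRYPTO_ISAKMP_SA, HUBS) or "both NHSes usable")
```

Only static entries count as hub mappings here: a dynamic entry for a hub address would mean the ip nhrp map line was lost and the spoke would stop re-registering with that NHS once the entry expires, which is exactly the redundancy this task requires.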

NHRP cache now has an entry for the other spoke.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.64.4       10.1.65.5       QM_IDLE           1004    0 ACTIVE
10.1.26.2       10.1.64.4       QM_IDLE           1001    0 ACTIVE
10.1.65.5       10.1.64.4       QM_IDLE           1003    0 ACTIVE
10.1.16.1       10.1.64.4       QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

The Spoke has new ISAKMP SA and IPSec SAs negotiated with the other Spoke.

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.64.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.16.1/255.255.255.255/47/0)
   current_peer 10.1.16.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.16.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xEFBE50D1(4022227153)

     inbound esp sas:
      spi: 0x56A0EB85(1453386629)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551006/3225)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEFBE50D1(4022227153)

        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4551006/3225)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.26.2/255.255.255.255/47/0)
   current_peer 10.1.26.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
    #pkts decaps: 106, #pkts decrypt: 106, #pkts verify: 106
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x4D4D0F27(1296895783)

     inbound esp sas:
      spi: 0x790BF682(2030827138)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4590968/3225)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4D4D0F27(1296895783)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4590970/3225)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.65.5/255.255.255.255/47/0)
   current_peer 10.1.65.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

Two packets out of 5 have been sent through the tunnel.

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.65.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xA576BA01(2776021505)

     inbound esp sas:
      spi: 0xBBA03823(3147839523)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4584005/3578)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x28F30861(687016033)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4403135/3579)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA576BA01(2776021505)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4584005/3578)

Loopback0 10. EX .0/24 is subnetted. metric 298652416.0 D 192. in use settings ={Transport.EIGRP.OSPF external type 2 i .0.0.IS-IS summary. 00:04:33. Tunnel0 D 192. su .0.56 0.0 Routing entry for 192.0 is directly connected.65.OSPF external type 1.IS-IS level-1. } conn id: 2008. 1 subnets C 172.65. 00:04:33.16. L2 . R .0/24 Known via "eigrp 145".2.16.16.1. flow_id: NETGX:8.16.0. crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4403135/3579) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: Same bunch of commands on the other Spoke.4. Serial0/1/0.OSPF.0.IS-IS level-2 ia . R5#sh ip eigrp neighbors IP-EIGRP neighbors for process 145 H Address Interface Hold Uptime SRTT (sec) (ms) RTO Q Seq Cnt Num 1 172.145.16.0.static.168.1 Tu0 10 00:04:23 69 5000 0 15 0 172.per-user static route o .candidate default.4.0/24 is subnetted.168. IA .168.IS-IS inter area. 1 subnets C S* 10.2 Tu0 13 00:04:23 842 5000 0 15 R5#sh ip route Codes: C .4. E2 .ODR.12.145.145.65. Tunnel0 [90/297246976] via 172.145.OSPF inter area N1 .mobile.periodic downloaded static route Gateway of last resort is 10. M . Tunnel0 172.IS-IS. P .1.EIGRP external.1.4.OSPF NSSA external type 2 E1 .0 is directly connected. Tunnel0 C 192.168.16.145. 00:04:33.145.0/24 is directly connected.6 to network 0.1. N2 .0/24 [90/298652416] via 172. S . * . O .0.16.168.RIP.CCIE SECURITY v4 Lab Workbook IV size: 8 bytes replay detection support: Y Status: ACTIVE spi: 0x1659D9A5(374987173) transform: esp-3des esp-sha-hmac . L1 . B . U .5.6 R5#sh ip route 192.BGP D .OSPF NSSA external type 1.0/24 [90/297246976] via 172. distance 90.0/0 [1/0] via 10.connected. type internal Page 690 of 1033 .

  Redistributing via eigrp 145
  Last update from 172.16.145.4 on Tunnel0, 00:04:38 ago
  Routing Descriptor Blocks:
  * 172.16.145.4, from 172.16.145.4, 00:04:38 ago, via Tunnel0
      Route metric is 298652416, traffic share count is 1
      Total delay is 555000 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 28/255, Hops 2

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel0 created 00:04:48, never expire
  Type: static, Flags: used
  NBMA address: 10.16.1.1
172.16.145.2/32 via 172.16.145.2, Tunnel0 created 00:04:48, never expire
  Type: static, Flags: used
  NBMA address: 10.26.1.2
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:01:06, expire 00:04:54
  Type: dynamic, Flags: router
  NBMA address: 10.64.1.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:01:06, expire 00:04:54
  Type: dynamic, Flags: router unique local
  NBMA address: 10.65.1.5
    (no-socket)

Since we have already built up the direct spoke-to-spoke tunnel, the router has the NHRP mapping and the CEF entry which are used to move the packets through that tunnel.

R5#sh ip cef 192.168.4.0
192.168.4.0/24, version 23, epoch 0
0 packets, 0 bytes
  via 172.16.145.4, Tunnel0, 0 dependencies
    next hop 172.16.145.4, Tunnel0
    valid adjacency

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.16.1.1       10.65.1.5       QM_IDLE           1001    0 ACTIVE
10.26.1.2       10.65.1.5       QM_IDLE           1002    0 ACTIVE
10.65.1.5       10.64.1.4       QM_IDLE           1003    0 ACTIVE
10.64.1.4       10.65.1.5       QM_IDLE           1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.65.1.5

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   current_peer 10.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
    #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xD892939A(3633484698)

     inbound esp sas:
      spi: 0xFAC2EC42(4207078466)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4605793/3299)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD892939A(3633484698)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4605792/3299)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   current_peer 10.26.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
    #pkts decaps: 84, #pkts decrypt: 84, #pkts verify: 84
    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.26.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0x3454DCB6(877976758)

     inbound esp sas:
      spi: 0x73CE7CBE(1942912190)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4455804/3299)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3454DCB6(877976758)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4455805/3299)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

Note that only two packets have been sent.

     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.64.1.4

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xBBA03823(3147839523)

     inbound esp sas:
      spi: 0xA576BA01(2776021505)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4493287/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBBA03823(3147839523)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4493287/3520)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/78/80 ms

Let’s ping and generate some traffic.

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.65.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   current_peer 10.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xD892939A(3633484698)

     inbound esp sas:
      spi: 0xFAC2EC42(4207078466)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4605793/3278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD892939A(3633484698)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4605792/3278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   current_peer 10.26.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
    #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.26.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0x3454DCB6(877976758)

     inbound esp sas:
      spi: 0x73CE7CBE(1942912190)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4455804/3278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3454DCB6(877976758)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4455805/3278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

See that the ICMP packets are crossing the tunnel.

     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.64.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xBBA03823(3147839523)

     inbound esp sas:

      spi: 0xA576BA01(2776021505)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4493286/3499)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBBA03823(3147839523)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4493286/3499)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Lab 1. DMVPN Phase 2 Dual Hub (Dual Cloud)

Depending on the IOS software version you may get slightly different command outputs. This is because the CEF code has changed in IOS 12.2(20)T.

Lab Setup

• R1’s F0/0 and R6’s F0/0 interface should be configured in VLAN 16
• R1’s F0/1 and R2’s G0/1 interface should be configured in VLAN 12
• R2’s G0/0 and R6’s F0/1 interface should be configured in VLAN 26
• R6’s S0/1/0 and R4’s S0/0/0 interface should be configured in a frame-relay point-to-point manner.
• R6’s S0/1/0 and R5’s S0/1/0 interface should be configured in a frame-relay point-to-point manner.
• Configure Telnet on all routers using password “cisco”
• Configure default routing on R1, R2, R4 and R5 pointing to the R6

IP Addressing

Device   Interface      IP address
R1       F0/0           10.16.1.1/24
         F0/1           192.168.12.1/24
R2       G0/0           10.26.1.2/24
         G0/1           192.168.12.2/24
R4       S0/0/0.46      10.64.1.4/24
         Lo0            192.168.4.4/24
R5       S0/1/0.56      10.65.1.5/24
         Lo0            192.168.5.5/24
R6       F0/0           10.16.1.6/24
         F0/1           10.26.1.6/24
         S0/1/0.64      10.64.1.6/24
         S0/1/0.65      10.65.1.6/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R1, R2, R4 and R5, where R1 and R2 are acting as Hubs. High availability must be achieved by configuring two DMVPN clouds, meaning each spoke has two connections, one for each hub, where the tunnel to R1 has better preference than the one to R2. Traffic originated from every Spoke’s loopback interface should be transmitted securely and directly to the other spokes. You must use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks. Use the following settings when configuring the tunnels:

DMVPN Cloud 1                          DMVPN Cloud 2
Topology                               Topology
• Hub: R1                              • Hub: R2
• Spokes: R4, R5                       • Spokes: R4, R5

Tunnel Parameters                      Tunnel Parameters
• IP address: 172.16.145.0/24          • IP address: 172.16.245.0/24
• IP MTU: 1400                         • IP MTU: 1400
• Tunnel Authentication Key: 145       • Tunnel Authentication Key: 245
NHRP Parameters                        NHRP Parameters
• NHRP ID: 145                         • NHRP ID: 245
• NHRP Authentication key: cisco145    • NHRP Authentication key: cisco245
• NHRP Hub: R1                         • NHRP Hub: R2
Routing Protocol Parameters            Routing Protocol Parameters
• EIGRP AS 1                           • EIGRP AS 1
• Delay 1000                           • Delay 2000

Encrypt the GRE traffic using the following parameters:
• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

The dual hub with dual DMVPN layout is slightly more difficult to set up, but it does give you better control of the routing across the DMVPN. The idea is to have two separate DMVPN "clouds". Each hub (two in this case) is connected to one DMVPN subnet ("cloud") and the spokes are connected to both DMVPN subnets ("clouds"). Since the spoke routers are routing neighbors with both hub routers over the two GRE tunnel interfaces, you can use interface configuration differences (such as bandwidth, cost and delay) to modify the dynamic routing protocol metrics to prefer one hub over the other hub when they are both up.

Configuration

Complete these steps:

Step 1 R1 configuration.

Almost nothing has changed on the first Hub in comparison to the DMVPN Single Cloud scenario described in the previous lab. The one difference here is to use different IP subnets for the Tunnel interface on both Hubs. This is because we create two “clouds” which must be separated.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encr 3des
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport
R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)# set transform-set TSET
R1(ipsec-profile)#interface Tunnel0
R1(config-if)# ip address 172.16.145.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip nhrp authentication cisco145
R1(config-if)# ip nhrp map multicast dynamic
R1(config-if)# ip nhrp network-id 145
R1(config-if)# no ip split-horizon eigrp 1
R1(config-if)# no ip next-hop-self eigrp 1
R1(config-if)# tunnel source FastEthernet0/0
R1(config-if)# tunnel mode gre multipoint
R1(config-if)# tunnel key 145
R1(config-if)# tunnel protection ipsec profile DMVPN
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)# exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#router eigrp 1
R1(config-router)# network 172.16.145.1 0.0.0.0
R1(config-router)# network 192.168.12.1 0.0.0.0
R1(config-router)# no auto-summary
R1(config-router)# exi

Note that we used EIGRP AS 1 which will be “shared” between both DMVPN clouds. This may be achieved by configuring two EIGRP Autonomous Systems as well.

Step 2 R2 configuration.

Almost nothing has changed on the second Hub in comparison to the DMVPN Single Cloud scenario described in the previous lab. The one difference here is to use different IP subnets for the Tunnel interface on both Hubs. This is because we create two “clouds” which must be separated.

R2(config)#crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)#crypto ipsec profile DMVPN
R2(ipsec-profile)# set transform-set TSET
R2(ipsec-profile)#exi
R2(config)#interface Tunnel0
R2(config-if)# ip address 172.16.245.2 255.255.255.0
R2(config-if)# no ip redirects
R2(config-if)# ip mtu 1400
R2(config-if)# no ip next-hop-self eigrp 1
R2(config-if)# no ip split-horizon eigrp 1
R2(config-if)# ip nhrp authentication cisco245
R2(config-if)# ip nhrp map multicast dynamic
R2(config-if)# ip nhrp network-id 245
R2(config-if)# tunnel source GigabitEthernet0/0
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 245
R2(config-if)# tunnel protection ipsec profile DMVPN
R2(config-if)# exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config)#router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 172.16.245.2 0.0.0.0
R2(config-router)# network 192.168.12.2 0.0.0.0
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (GigabitEthernet0/1) is up: new adjacency

R2(config-router)#exi

Note that we used EIGRP AS 1 which will be “shared” between both DMVPN clouds. This may be achieved by configuring two EIGRP Autonomous Systems as well. The second Hub has built a neighbor relationship with the first Hub.

Step 3 R4 configuration.

R4(config)#crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET

On the spokes we need two Tunnel interfaces, one for each DMVPN cloud. The first cloud will be using R1 as a Hub, the second cloud will be using R2 as a Hub.

R4(config)#interface Tunnel1
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco145
R4(config-if)# ip nhrp map 172.16.145.1 10.16.1.1
R4(config-if)# ip nhrp map multicast 10.16.1.1
R4(config-if)# ip nhrp network-id 145
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.46
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel key 145
R4(config-if)# tunnel protection ipsec profile DMVPN shared

Note that we need different NHRP IDs and Tunnel Keys for both clouds. This is to separate the traffic (as it is terminated on the same Hub). Although the IPSec Profile is “shared” in this case, the tunnel key can separate the traffic at the GRE level. This means the one profile is used to secure two tunnel interfaces. Hence, the “shared” keyword must be added on the spokes.

R4(config-if)# exi
R4(config)#interface Tunnel2
R4(config-if)# ip address 172.16.245.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco245
R4(config-if)# ip nhrp map 172.16.245.2 10.26.1.2
R4(config-if)# ip nhrp map multicast 10.26.1.2
R4(config-if)# ip nhrp network-id 245
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.245.2
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)# tunnel source Serial0/0/0.46
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel key 245
R4(config-if)# tunnel protection ipsec profile DMVPN shared
R4(config-if)# exi

Note that we need different NHRP IDs and Tunnel Keys for both clouds. This is to separate the traffic (as it is terminated on the same Hub). Although the IPSec Profile is “shared” in this case, the tunnel key can separate the traffic at the GRE level. This means the one profile is used to secure two tunnel interfaces. Hence, the “shared” keyword must be added on the spokes.

R4(config)#router eigrp 1
R4(config-router)# network 172.16.145.4 0.0.0.0
R4(config-router)# network 172.16.245.4 0.0.0.0
R4(config-router)# network 192.168.4.4 0.0.0.0
R4(config-router)# no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.145.1 (Tunnel1) is up: new adjacency
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.245.2 (Tunnel2) is up: new adjacency
R4(config-router)#exi

Step 4 R5 configuration.

R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport

R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi
R5(config)#interface Tunnel1
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco145
R5(config-if)# ip nhrp map 172.16.145.1 10.16.1.1
R5(config-if)# ip nhrp map multicast 10.16.1.1
R5(config-if)# ip nhrp network-id 145
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1
R5(config-if)# tunnel source Serial0/1/0.56
R5(config-if)# tunnel mode gre multipoint
R5(config-if)# tunnel key 145
R5(config-if)# tunnel protection ipsec profile DMVPN shared

Note that we need different NHRP IDs and Tunnel Keys for both clouds. This is to separate the traffic (as it is terminated on the same Hub). Although the IPSec Profile is “shared” in this case, the tunnel key can separate the traffic at the GRE level. This means the one profile is used to secure two tunnel interfaces. Hence, the “shared” keyword must be added on the spokes.

R5(config-if)# exi
R5(config)#interface Tunnel2
R5(config-if)# ip address 172.16.245.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco245
R5(config-if)# ip nhrp map 172.16.245.2 10.26.1.2
R5(config-if)# ip nhrp map multicast 10.26.1.2
R5(config-if)# ip nhrp network-id 245
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.245.2
R5(config-if)# tunnel source Serial0/1/0.56
R5(config-if)# tunnel mode gre multipoint
R5(config-if)# tunnel key 245
R5(config-if)# tunnel protection ipsec profile DMVPN shared

Note that we need different NHRP IDs and Tunnel Keys for both clouds. This is to separate the traffic (as it is terminated on the same Hub). Although the IPSec Profile is “shared” in this case, the tunnel key can separate the traffic at the GRE level. This means the one profile is used to secure two tunnel interfaces. Hence, the “shared” keyword must be added on

the spokes.

R5(config)#router eigrp 1
R5(config-router)# network 172.16.145.5 0.0.0.0
R5(config-router)# network 172.16.245.5 0.0.0.0
R5(config-router)# network 192.168.5.5 0.0.0.0
R5(config-router)# no auto-summary
R5(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.145.1 (Tunnel1) is up: new adjacency
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.245.2 (Tunnel2) is up: new adjacency
R5(config-router)#exi

Note that we have not configured the “delay” parameters yet. This is just to show you what happens and how to troubleshoot such issues.

Verification

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.64.1.6 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.145.0 is directly connected, Tunnel1
C       172.16.245.0 is directly connected, Tunnel2
D    192.168.12.0/24 [90/297246976] via 172.16.245.2, 00:10:28, Tunnel2
                     [90/297246976] via 172.16.145.1, 00:10:28, Tunnel1
D    192.168.5.0/24 [90/298652416] via 172.16.245.5, 00:09:03, Tunnel2
C    192.168.4.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.64.1.0 is directly connected, Serial0/0/0.46
S*   0.0.0.0/0 [1/0] via 10.64.1.6

See that network 192.168.5.0/24 is accessible through R2 (Tunnel2) only. Why is that? Let’s see what EIGRP tells us.

R4#sh ip route 192.168.5.0
Routing entry for 192.168.5.0/24
  Known via "eigrp 1", distance 90, metric 298652416, type internal
  Redistributing via eigrp 1

  Last update from 172.16.245.5 on Tunnel2, 00:09:17 ago
  Routing Descriptor Blocks:
  * 172.16.245.5, from 172.16.245.2, 00:09:17 ago, via Tunnel2
      Route metric is 298652416, traffic share count is 1
      Total delay is 555000 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

R4#sh ip eigrp topology 192.168.5.0
IP-EIGRP (AS 1): Topology entry for 192.168.5.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 298652416
  Routing Descriptor Blocks:
  172.16.245.5 (Tunnel2), from 172.16.245.2, Send flag is 0x0
      Composite metric is (298652416/27008000), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 555000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 2
  172.16.145.1 (Tunnel1), from 172.16.145.1, Send flag is 0x0
      Composite metric is (298654976/27010560), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 555100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 3

The EIGRP topology table contains both paths to 192.168.5.0/24, however it only installs the first one in the routing table. See the Delay parameter: it is higher for the second path (through Tunnel1). See also the Hop count, which is again higher for the second path. Although EIGRP does not use that parameter for the metric calculation, it indicates that the path is longer. Let’s take a look at R1:

R1#sh ip route 192.168.5.0
Routing entry for 192.168.5.0/24
  Known via "eigrp 1", distance 90, metric 27010560, type internal
  Redistributing via eigrp 1
  Last update from 192.168.12.2 on FastEthernet0/1, 00:17:44 ago
  Routing Descriptor Blocks:
  * 192.168.12.2, from 192.168.12.2, 00:17:44 ago, via FastEthernet0/1
      Route metric is 27010560, traffic share count is 1
      Total delay is 55100 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

R1 sees 192.168.5.0/24 through R2, not through its Tunnel interface. Hence, the metric on R4 is higher as the packet must traverse 3 hops to reach the destination.

R4#sh ip route 192.168.12.0
Routing entry for 192.168.12.0/24
  Known via "eigrp 1", distance 90, metric 297246976, type internal
  Redistributing via eigrp 1
  Last update from 172.16.245.2 on Tunnel2, 00:11:00 ago
  Routing Descriptor Blocks:
    172.16.145.1, from 172.16.145.1, 00:11:00 ago, via Tunnel1
      Route metric is 297246976, traffic share count is 1
      Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 1
  * 172.16.245.2, from 172.16.245.2, 00:11:00 ago, via Tunnel2
      Route metric is 297246976, traffic share count is 1
      Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 1

R4#sh int tu1 | in BW
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
R4#sh int tu2 | in BW
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.65.1.6 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.145.0 is directly connected, Tunnel1
C       172.16.245.0 is directly connected, Tunnel2
D    192.168.12.0/24 [90/297246976] via 172.16.245.2, 00:10:31, Tunnel2
                     [90/297246976] via 172.16.145.1, 00:10:31, Tunnel1
C    192.168.5.0/24 is directly connected, Loopback0
D    192.168.4.0/24 [90/298652416] via 172.16.245.4, 00:10:31, Tunnel2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.65.1.0 is directly connected, Serial0/1/0.56
S*   0.0.0.0/0 [1/0] via 10.65.1.6

R5#sh ip route 192.168.4.0

Routing entry for 192.168.4.0/24
  Known via "eigrp 1", distance 90, metric 298652416, type internal
  Redistributing via eigrp 1
  Last update from 172.16.245.4 on Tunnel2, 00:10:39 ago
  Routing Descriptor Blocks:
  * 172.16.245.4, from 172.16.245.2, 00:10:39 ago, via Tunnel2
      Route metric is 298652416, traffic share count is 1
      Total delay is 555000 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

Same situation here. The 192.168.4.0/24 network is accessible through the Tunnel2 interface rather than Tunnel1.

R5#sh ip eigrp topology 192.168.4.0
IP-EIGRP (AS 1): Topology entry for 192.168.4.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 298652416
  Routing Descriptor Blocks:
  172.16.245.4 (Tunnel2), from 172.16.245.2, Send flag is 0x0
      Composite metric is (298652416/27008000), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 555000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 2
  172.16.145.1 (Tunnel1), from 172.16.145.1, Send flag is 0x0
      Composite metric is (298654976/27010560), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 555100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 3

R5#sh ip route 192.168.12.0
Routing entry for 192.168.12.0/24
  Known via "eigrp 1", distance 90, metric 297246976, type internal
  Redistributing via eigrp 1
  Last update from 172.16.245.2 on Tunnel2, 00:11:00 ago
  Routing Descriptor Blocks:
    172.16.145.1, from 172.16.145.1, 00:11:00 ago, via Tunnel1
      Route metric is 297246976, traffic share count is 1
      Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 1
  * 172.16.245.2, from 172.16.245.2, 00:11:00 ago, via Tunnel2
      Route metric is 297246976, traffic share count is 1
      Total delay is 500100 microseconds, minimum bandwidth is 9 Kbit

      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 1

R5#sh int tu1 | in BW
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
R5#sh int tu2 | in BW
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,

Configuration

To optimize that we need to reconfigure the Delay parameter on the tunnel interfaces. It changes the EIGRP metric so that the better path will always be through R1 (as long as R1 is up and running). Delay is cumulative, so a lower delay on one interface affects the metric on every EIGRP router along the path. We could also influence the EIGRP decision by reconfiguring the Bandwidth parameter, but this would have to be done on every interface, as the BW parameter is NOT cumulative. This means the minimum bandwidth on the path is taken for the metric calculation.

Complete these steps:

Step 5 R1 configuration.

R1(config)#interface Tunnel0
R1(config-if)#delay 1000
R1(config-if)#exi

Step 6 R2 configuration.

R2(config)#interface Tunnel0
R2(config-if)#delay 2000
R2(config-if)#exi

Step 7 R4 configuration.

R4(config)#interface Tunnel1
R4(config-if)#delay 1000
R4(config-if)#exi
R4(config)#interface Tunnel2
R4(config-if)#delay 2000
R4(config-if)#exi

Step 8 R5 configuration.
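The metric arithmetic behind the verification above, as an added example that is not part of the workbook: it reproduces the composite metrics the spokes and R1 printed from the bandwidth and total delay values in those outputs, and shows why the 100 microsecond gap made Tunnel2 the successor and why the "delay 1000" / "delay 2000" tuning reverses that. The retune model is a labelled simplification (spoke-side delay only, default tunnel DLY 500000 usec).

```python
"""Classic EIGRP composite metric, applied to the dual-cloud DMVPN lab.

Added example, not code from the workbook. All bandwidth/delay inputs are
the values printed by "sh ip route" / "sh ip eigrp topology" on R4 and R1.
"""

SCALE = 256      # IOS scales the classic metric by 256
K1, K3 = 1, 1    # default K-values; K2 = K4 = K5 = 0 so load/reliability drop out


def eigrp_metric(min_bw_kbit, total_delay_usec):
    """Composite metric with default K-values, using IOS integer arithmetic.

    Bandwidth term: 10^7 divided by the slowest link on the path (not cumulative).
    Delay term: sum of every interface delay on the path, in tens of microseconds.
    """
    bw_term = 10_000_000 // min_bw_kbit
    delay_term = total_delay_usec // 10
    return SCALE * (K1 * bw_term + K3 * delay_term)


def interface_delay_usec(delay_cmd_value):
    """The interface command 'delay N' is in tens of usec: 'delay 1000' = 10000 usec."""
    return delay_cmd_value * 10


def successor(paths):
    """paths: {tunnel: (min_bw_kbit, total_delay_usec)} -> (best tunnel, {tunnel: metric})."""
    metrics = {name: eigrp_metric(bw, dly) for name, (bw, dly) in paths.items()}
    return min(metrics, key=metrics.get), metrics


def retune_spoke(paths, delay_cmd_by_tunnel, old_tunnel_delay_usec=500_000):
    """Swap the spoke's own tunnel delay (DLY 500000 usec, as 'sh int tu1 | in BW'
    showed) for the configured one.

    Assumption: only the spoke side of the path is modelled; the hub-side changes
    of Steps 5 and 6 push the comparison in the same direction.
    """
    return {
        name: (bw, dly - old_tunnel_delay_usec
               + interface_delay_usec(delay_cmd_by_tunnel[name]))
        for name, (bw, dly) in paths.items()
    }


# R4's two candidate paths to 192.168.5.0/24 exactly as its topology table
# reported them before any tuning: min bandwidth 9 Kbit, delay 555100 vs 555000.
R4_PATHS_BEFORE = {"Tunnel1": (9, 555_100), "Tunnel2": (9, 555_000)}
SPOKE_DELAY_CMDS = {"Tunnel1": 1000, "Tunnel2": 2000}   # Steps 7 and 8


if __name__ == "__main__":
    best, metrics = successor(R4_PATHS_BEFORE)
    print("before tuning:", metrics, "-> successor", best)   # Tunnel2, by 2560
    best, metrics = successor(retune_spoke(R4_PATHS_BEFORE, SPOKE_DELAY_CMDS))
    print("after tuning: ", metrics, "-> successor", best)   # Tunnel1
```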

R5(config)#interface Tunnel1
R5(config-if)#delay 1000
R5(config-if)#exi
R5(config)#interface Tunnel2
R5(config-if)#delay 2000
R5(config-if)#exi

Verification

R1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.16.1.6 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.145.0 is directly connected, Tunnel0
D       172.16.245.0 [90/284958976] via 192.168.12.2, 00:11:37, FastEthernet0/1
C    192.168.12.0/24 is directly connected, FastEthernet0/1
D    192.168.4.0/24 [90/284828416] via 172.16.145.4, 00:11:37, Tunnel0
D    192.168.5.0/24 [90/284828416] via 172.16.145.5, 00:11:23, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.16.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.16.1.6

Now both spokes are reachable through the tunnel interface (not through R2).

R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4, Tunnel0 created 00:13:12, expire 00:04:46
  Type: dynamic, Flags: unique registered
  NBMA address: 10.64.1.4
172.16.145.5/32 via 172.16.145.5, Tunnel0 created 00:13:08, expire 00:04:30
  Type: dynamic, Flags: unique registered
  NBMA address: 10.65.1.5

Both spokes are registered with the NHS.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.16.1.1       10.65.1.5       QM_IDLE           1001    0 ACTIVE
10.16.1.1       10.64.1.4       QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

The Hub has ISAKMP SA and IPSec SAs set up with the spokes.

R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 185, #pkts encrypt: 185, #pkts digest: 185
    #pkts decaps: 188, #pkts decrypt: 188, #pkts verify: 188
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.16.1.1, remote crypto endpt.: 10.64.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xE5EB2CDE(3857394910)
     inbound esp sas:
      spi: 0x84A95ADB(2225691355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4454946/2801)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE5EB2CDE(3857394910)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4454946/2801)

        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   current_peer 10.65.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 189, #pkts encrypt: 189, #pkts digest: 189
    #pkts decaps: 190, #pkts decrypt: 190, #pkts verify: 190
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.16.1.1, remote crypto endpt.: 10.65.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x34369DE1(875994593)
     inbound esp sas:
      spi: 0x2E6FCA3E(779078206)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4407002/2796)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x34369DE1(875994593)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4407002/2796)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.26.1.6 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.26.1.0 is directly connected, GigabitEthernet0/0
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.145.0 [90/284702976] via 192.168.12.1, 00:13:06, GigabitEthernet0/1
C       172.16.245.0 is directly connected, Tunnel0
C    192.168.12.0/24 is directly connected, GigabitEthernet0/1
D    192.168.4.0/24 [90/284830976] via 192.168.12.1, 00:13:06, GigabitEthernet0/1
D    192.168.5.0/24 [90/284830976] via 192.168.12.1, 00:13:06, GigabitEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.26.1.6

Now the second Hub is less preferred. It reaches the networks behind the spokes via R1. This is because the EIGRP metric was affected and recalculated.

R2#sh ip eigr top 192.168.5.0
IP-EIGRP (AS 1): Topology entry for 192.168.5.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 284830976
  Routing Descriptor Blocks:
  192.168.12.1 (GigabitEthernet0/1), from 192.168.12.1, Send flag is 0x0
      Composite metric is (284830976/284828416), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 15100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 2
  172.16.245.4 (Tunnel0), from 172.16.245.4, Send flag is 0x0
      Composite metric is (285596416/285084416), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 45000 microseconds
        Reliability is 255/255
        Load is 28/255

        Minimum MTU is 1400
        Hop count is 3
  172.16.245.5 (Tunnel0), from 172.16.245.5, Send flag is 0x0
      Composite metric is (285084416/128256), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 25000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 1

R2#sh ip nhrp
172.16.245.4/32 via 172.16.245.4, Tunnel0 created 00:13:28, expire 00:05:56
  Type: dynamic, Flags: unique registered used
  NBMA address: 10.64.1.4
172.16.245.5/32 via 172.16.245.5, Tunnel0 created 00:13:22, expire 00:05:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 10.65.1.5

Both spokes are registered in the NHS.

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.26.1.2       10.65.1.5       QM_IDLE           1002    0 ACTIVE
10.26.1.2       10.64.1.4       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

It also maintains ISAKMP SA and IPSec SAs with the spokes.

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.26.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 194, #pkts encrypt: 194, #pkts digest: 194
    #pkts decaps: 193, #pkts decrypt: 193, #pkts verify: 193
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.26.1.2, remote crypto endpt.: 10.64.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x6A0C9367(1779209063)
     inbound esp sas:
      spi: 0x77BC473A(2008827706)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: Onboard VPN:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4411618/2779)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6A0C9367(1779209063)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: Onboard VPN:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4411618/2779)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   current_peer 10.65.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 189, #pkts encrypt: 189, #pkts digest: 189
    #pkts decaps: 191, #pkts decrypt: 191, #pkts verify: 191
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 10.26.1.2, remote crypto endpt.: 10.65.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xE70EAE04(3876498948)
     inbound esp sas:
      spi: 0xE97C1EE8(3917225704)
        transform: esp-3des esp-sha-hmac ,

        in use settings ={Transport, }
        conn id: 2007, flow_id: Onboard VPN:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4433019/2785)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE70EAE04(3876498948)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: Onboard VPN:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4433019/2785)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.64.1.6 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.64.1.0 is directly connected, Serial0/0/0.46
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.145.0 is directly connected, Tunnel1
C       172.16.245.0 is directly connected, Tunnel2
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/285084416] via 172.16.145.5, 00:13:53, Tunnel1
D    192.168.12.0/24 [90/284702976] via 172.16.145.1, 00:13:53, Tunnel1
S*   0.0.0.0/0 [1/0] via 10.64.1.6

The spoke prefers R1 (Tunnel1) for the remote networks and, for the 192.168.5.0/24 network, points to R5 as the next hop.

R4#sh ip eigrp topology 192.168.5.0

IP-EIGRP (AS 1): Topology entry for 192.168.5.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 285084416
  Routing Descriptor Blocks:
  172.16.145.5 (Tunnel1), from 172.16.145.1, Send flag is 0x0
      Composite metric is (285084416/284828416), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 25000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 2
  172.16.245.5 (Tunnel2), from 172.16.245.2, Send flag is 0x0
      Composite metric is (285342976/284830976), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 35100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 3

R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.145.5, Tunnel1, 0 dependencies
    next hop 172.16.145.5, Tunnel1
    invalid adjacency

The CEF entry is invalid, as expected in DMVPN Phase 2.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel1 created 00:15:16, never expire
  Type: static, Flags: used
  NBMA address: 10.16.1.1
172.16.245.2/32 via 172.16.245.2, Tunnel2 created 00:15:16, never expire
  Type: static, Flags: used
  NBMA address: 10.26.1.2

It has static NHRP entries to reach and register in both NHSes.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.26.1.2       10.64.1.4       QM_IDLE           1002    0 ACTIVE
10.16.1.1       10.64.1.4       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

ISAKMP SA and IPSec SAs are set up with both Hubs. There is no IPSec tunnel with the other spoke yet.

R4#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: DMVPN-head-1, local addr 10.64.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   current_peer 10.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 214, #pkts encrypt: 214, #pkts digest: 214
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x84A95ADB(2225691355)
     inbound esp sas:
      spi: 0xE5EB2CDE(3857394910)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463855/2688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x84A95ADB(2225691355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463855/2688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   current_peer 10.26.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 209, #pkts encrypt: 209, #pkts digest: 209
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.26.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x77BC473A(2008827706)
     inbound esp sas:
      spi: 0x6A0C9367(1779209063)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4503000/2708)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x77BC473A(2008827706)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4503000/2708)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel2
    Crypto map tag: DMVPN-head-1, local addr 10.64.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)

   current_peer 10.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 214, #pkts encrypt: 214, #pkts digest: 214
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x84A95ADB(2225691355)
     inbound esp sas:
      spi: 0xE5EB2CDE(3857394910)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463855/2688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x84A95ADB(2225691355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463855/2688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   current_peer 10.26.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 209, #pkts encrypt: 209, #pkts digest: 209
    #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 12, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.26.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x77BC473A(2008827706)
     inbound esp sas:
      spi: 0x6A0C9367(1779209063)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4503000/2708)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x77BC473A(2008827706)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4503000/2708)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

R4#ping 192.168.5.5 so lo0 rep 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!.!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 76/92/120 ms

The ping between the spokes is successful. Note that one packet is lost in the middle of the ping: this is the exact moment when the traffic switched over to the direct spoke-to-spoke tunnel.

R4#sh ip cef 192.168.5.0
192.168.5.0/24, version 25, epoch 0
0 packets, 0 bytes

  via 172.16.145.5, Tunnel1, 0 dependencies
    next hop 172.16.145.5, Tunnel1
    valid adjacency

The CEF entry is valid now.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel1 created 00:16:51, never expire
  Type: static, Flags: used
  NBMA address: 10.16.1.1
172.16.145.4/32 via 172.16.145.4, Tunnel1 created 00:00:54, expire 00:05:07
  Type: dynamic, Flags: router unique local
  NBMA address: 10.64.1.4
    (no-socket)
172.16.145.5/32 via 172.16.145.5, Tunnel1 created 00:00:54, expire 00:05:07
  Type: dynamic, Flags: router
  NBMA address: 10.65.1.5
172.16.245.2/32 via 172.16.245.2, Tunnel2 created 00:16:51, never expire
  Type: static, Flags: used
  NBMA address: 10.26.1.2

The NHRP database now has information about the other spoke.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.26.1.2       10.64.1.4       QM_IDLE           1002    0 ACTIVE
10.64.1.4       10.65.1.5       QM_IDLE           1003    0 ACTIVE
10.65.1.5       10.64.1.4       QM_IDLE           1004    0 ACTIVE
10.16.1.1       10.64.1.4       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

ISAKMP SA and IPSec SAs are negotiated between the spokes.

R4#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: DMVPN-head-1, local addr 10.64.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   current_peer 10.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 242, #pkts encrypt: 242, #pkts digest: 242
    #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 6, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x84A95ADB(2225691355)
     inbound esp sas:
      spi: 0xE5EB2CDE(3857394910)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463851/2592)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x84A95ADB(2225691355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463851/2592)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   current_peer 10.26.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 230, #pkts encrypt: 230, #pkts digest: 230
    #pkts decaps: 232, #pkts decrypt: 232, #pkts verify: 232
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.26.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x77BC473A(2008827706)
     inbound esp sas:

      spi: 0x6A0C9367(1779209063)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4502997/2612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x77BC473A(2008827706)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4502998/2612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   current_peer 10.65.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.65.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xBEABEE07(3198938631)
     inbound esp sas:
      spi: 0xB554FCF8(3042245880)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2009, flow_id: NETGX:9, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4443171/3529)
        IV size: 8 bytes
        replay detection support: Y

        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xBEABEE07(3198938631)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2010, flow_id: NETGX:10, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4443171/3529)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel2
    Crypto map tag: DMVPN-head-1, local addr 10.64.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/47/0)
   current_peer 10.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 242, #pkts encrypt: 242, #pkts digest: 242
    #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x84A95ADB(2225691355)
     inbound esp sas:
      spi: 0xE5EB2CDE(3857394910)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463851/2592)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:

     inbound pcp sas:
     outbound esp sas:
      spi: 0x84A95ADB(2225691355)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4463851/2592)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.26.1.2/255.255.255.255/47/0)
   current_peer 10.26.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 230, #pkts encrypt: 230, #pkts digest: 230
    #pkts decaps: 232, #pkts decrypt: 232, #pkts verify: 232
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.26.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0x77BC473A(2008827706)
     inbound esp sas:
      spi: 0x6A0C9367(1779209063)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4502997/2612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x77BC473A(2008827706)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: DMVPN-head-1

        sa timing: remaining key lifetime (k/sec): (4502998/2612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   current_peer 10.65.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 10.64.1.4, remote crypto endpt.: 10.65.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xBEABEE07(3198938631)
     inbound esp sas:
      spi: 0xB554FCF8(3042245880)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2009, flow_id: NETGX:9, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4443171/3529)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xBEABEE07(3198938631)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2010, flow_id: NETGX:10, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4443171/3529)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:

     outbound pcp sas:

The same set of commands on the other spoke.

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.65.1.6 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.65.1.0 is directly connected, Serial0/1/0.56
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.145.0 is directly connected, Tunnel1
C       172.16.245.0 is directly connected, Tunnel2
D    192.168.4.0/24 [90/285084416] via 172.16.145.4, 00:17:10, Tunnel1
C    192.168.5.0/24 is directly connected, Loopback0
D    192.168.12.0/24 [90/284702976] via 172.16.145.1, 00:17:10, Tunnel1
S*   0.0.0.0/0 [1/0] via 10.65.1.6

R5#sh ip eigrp topology 192.168.4.0
IP-EIGRP (AS 1): Topology entry for 192.168.4.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 285084416
  Routing Descriptor Blocks:
  172.16.145.4 (Tunnel1), from 172.16.145.1, Send flag is 0x0
      Composite metric is (285084416/284828416), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 25000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 2
  172.16.245.4 (Tunnel2), from 172.16.245.2, Send flag is 0x0
      Composite metric is (285342976/284830976), Route is Internal
      Vector metric:
        Minimum bandwidth is 9 Kbit
        Total delay is 35100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 3

R5#sh ip cef 192.168.4.0
192.168.4.0/24, version 25, epoch 0
0 packets, 0 bytes
  via 172.16.145.4, Tunnel1, 0 dependencies
    next hop 172.16.145.4, Tunnel1
    valid adjacency

The CEF entry is valid and the NHRP database has information about R4.

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel1 created 00:18:03, never expire
  Type: static, Flags: used
  NBMA address: 10.16.1.1
172.16.145.4/32 via 172.16.145.4, Tunnel1 created 00:02:22, expire 00:03:39
  Type: dynamic, Flags: router
  NBMA address: 10.64.1.4
172.16.145.5/32 via 172.16.145.5, Tunnel1 created 00:02:21, expire 00:03:39
  Type: dynamic, Flags: router unique local
  NBMA address: 10.65.1.5
    (no-socket)
172.16.245.2/32 via 172.16.245.2, Tunnel2 created 00:18:12, never expire
  Type: static, Flags: used
  NBMA address: 10.26.1.2

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.64.1.4       10.65.1.5       QM_IDLE           1003    0 ACTIVE
10.16.1.1       10.65.1.5       QM_IDLE           1001    0 ACTIVE
10.26.1.2       10.65.1.5       QM_IDLE           1002    0 ACTIVE
10.65.1.5       10.64.1.4       QM_IDLE           1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa peer 10.64.1.4

interface: Tunnel2
    Crypto map tag: DMVPN-head-1, local addr 10.65.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0
     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.64.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xB554FCF8(3042245880)
     inbound esp sas:
      spi: 0xBEABEE07(3198938631)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476782/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB554FCF8(3042245880)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476782/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel1
    Crypto map tag: DMVPN-head-1, local addr 10.65.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 10.65.1.5, remote crypto endpt.: 10.64.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56

     current outbound spi: 0xB554FCF8(3042245880)
     inbound esp sas:
      spi: 0xBEABEE07(3198938631)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476782/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB554FCF8(3042245880)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476782/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

Once again, ping the remote spoke to see that the traffic gets encrypted.

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms

R5#sh crypto ipsec sa peer 10.64.1.4

interface: Tunnel2
    Crypto map tag: DMVPN-head-1, local addr 10.65.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.65.1.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.64.1.4/255.255.255.255/47/0)
   current_peer 10.64.1.4 port 500
     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.65.5, remote crypto endpt.: 10.1.64.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xB554FCF8(3042245880)

     inbound esp sas:
      spi: 0xBEABEE07(3198938631)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476781/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB554FCF8(3042245880)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476781/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel1
    Crypto map tag: DMVPN-head-1, local addr 10.1.65.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.65.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   current_peer 10.1.64.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.65.5, remote crypto endpt.: 10.1.64.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.56
     current outbound spi: 0xB554FCF8(3042245880)

     inbound esp sas:
      spi: 0xBEABEE07(3198938631)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476781/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB554FCF8(3042245880)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4476781/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

TEST: shutdown R1's tunnel0 interface

The best test in this scenario is to shut down R1's tunnel0 interface and see if everything is still working fine.

R1(config)#int tu0
R1(config-if)#shut
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.145.5 (Tunnel0) is down: interface down
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.145.4 (Tunnel0) is down: interface down

R1(config-if)#
%LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.64.6 to network 0.0.0.0

D    192.168.2.0/24 [90/284958976] via 172.16.245.2, 00:01:32, Tunnel2
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/285596416] via 172.16.245.5, 00:01:32, Tunnel2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.64.0 is directly connected, Serial0/0/0.46
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.245.0 is directly connected, Tunnel2
C       172.16.145.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 10.1.64.6

Now the Tunnel2 (to the second Hub) is preferred.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1, Tunnel1 created 00:23:27, never expire
  Type: static, Flags: used
  NBMA address: 10.1.12.1
172.16.245.2/32 via 172.16.245.2, Tunnel2 created 00:23:27, never expire
  Type: static, Flags: used
  NBMA address: 10.1.12.2

No dynamic entries, as the old entries have been flushed.

R4#sh ip cef 192.168.5.5
192.168.5.0/24, version 28, epoch 0
0 packets, 0 bytes
  via 172.16.245.5, Tunnel2, 0 dependencies
    next hop 172.16.245.5, Tunnel2
    invalid adjacency

The CEF entry is invalid again, as the next hop changed.

R4#ping 192.168.5.5 so lo0 rep 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:

Packet sent with a source address of 192.168.4.4
!!!!.!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 76/90/112 ms

Ping is successful.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.12.1       10.1.64.4       MM_NO_STATE          0    0 ACTIVE
10.1.12.2       10.1.64.4       QM_IDLE           1006    0 ACTIVE
10.1.65.5       10.1.64.4       QM_IDLE           1002    0 ACTIVE
10.1.64.4       10.1.65.5       QM_IDLE           1005    0 ACTIVE
10.1.12.1       10.1.64.4       MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

The R4 tries to set up an IPSec tunnel with R1 (which is down).

R4#sh crypto ipsec sa peer 10.1.65.5

interface: Tunnel1
    Crypto map tag: DMVPN-head-1, local addr 10.1.64.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.65.5/255.255.255.255/47/0)
   current_peer 10.1.65.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.65.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xD165CD2A(3513109802)

     inbound esp sas:
      spi: 0x25118EF2(621907698)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2011, flow_id: NETGX:11, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4464565/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xAAB232EA(2863805162)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2013, flow_id: NETGX:13, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4514894/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB43D28C4(3023907012)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2012, flow_id: NETGX:12, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4464565/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xD165CD2A(3513109802)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2014, flow_id: NETGX:14, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4514894/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel2
    Crypto map tag: DMVPN-head-1, local addr 10.1.64.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.64.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.65.5/255.255.255.255/47/0)
   current_peer 10.1.65.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 10.1.64.4, remote crypto endpt.: 10.1.65.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.46
     current outbound spi: 0xD165CD2A(3513109802)

     inbound esp sas:
      spi: 0x25118EF2(621907698)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2011, flow_id: NETGX:11, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4464565/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xAAB232EA(2863805162)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2013, flow_id: NETGX:13, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4514894/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB43D28C4(3023907012)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2012, flow_id: NETGX:12, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4464565/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xD165CD2A(3513109802)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2014, flow_id: NETGX:14, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4514894/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Lab 1.1. GET VPN (PSK)

Lab Setup

 R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
 R2's S0/1/0 and R5's S0/1/0 interface should be configured in a frame-relay point-to-point manner
 R2's S0/1/0 and R4's S0/0/0 interface should be configured in a frame-relay point-to-point manner
 Configure Telnet on all routers using password "cisco"
 Configure default routing on R1, R4 and R5 pointing to the R2

IP Addressing

Device   Interface    IP address
R1       Lo0          192.168.1.1/24
         F0/0         10.1.12.1/24
R2       F0/0         10.1.12.2/24
         S0/1/0.25    10.1.25.2/24
         S0/1/0.24    10.1.24.2/24
         Lo0          192.168.2.2/24
R4       S0/0/0.42    10.1.24.4/24
         Lo0          192.168.4.4/24
R5       S0/1/0.52    10.1.25.5/24
         Lo0          192.168.5.5/24

Task 1

Configure a GET VPN solution for traffic going between the 192.168.0.0/16 networks (LANs behind R4 and R5). R1 must be used as Key Server and R5 and R4 are Group Members. Use the following parameters for the KS configuration:

Group name: GETVPN
Server: Identity 1, IP address 10.1.12.1
Rekey: Unicast, 2 retransmits every 10 seconds, RSA key name R1.micronicstraining.com
Authorization: Only R5 and R4 GM routers
IPSec SA: Time-based anti-replay window: 64
  Policy: 192.168.0.0/16 <-> 192.168.0.0/16, do not encrypt GDOI
  Encryption: AES-128
  Integrity: SHA
ISAKMP Policy: Authentication: PSK, Encryption: DES, Hashing: SHA
Pre-shared key: GETVPN-R5 (for R5), GETVPN-R4 (for R4)

Do not encrypt SSH traffic between the 192.168.4.0/24 and 192.168.5.0/24 networks. This exception must be configured on the GMs only.

GET VPN is a technology used to encrypt traffic going through unsecured networks. It leverages the IPSec protocol suite to enforce Integrity and Confidentiality of data. A typical GET deployment consists of a router called Key Server (KS) and a couple of routers called Group Members (GMs). The KS is used to create, maintain and send a "policy" to the GMs. The policy is information on what traffic should be encrypted by a GM and what encryption algorithms must be used. The most important function of the KS is the generation of encryption keys. It does this in the so-called Rekey phase. The KS must send out a new TEK (and KEK) before the TEK expires (default is 3600 seconds). This phase is authenticated and secured by an ISAKMP SA which is established between KS and GM. This ISAKMP uses GDOI messages (think of this like a mutation of IKE) to build the SA and encrypt GM registration. GDOI uses UDP/848 instead of UDP/500 like IKE does.

There are two keys used:
TEK – Transport Encryption Key – used by GM to encrypt the data
KEK – Key Encryption Key – used to encrypt information between KS and GM

A very important aspect of GET is that it does not set up any IPSec tunnels between GMs! It is NOT like DMVPN. Every GM has the policy (what to encrypt, what encryption algorithm to use, what key is used by the encryption algorithm) and just encrypts every packet conforming to its policy and sends it out to the network using ESP (Encapsulated Security Payload). Note that it uses the original IP addresses to route the packet out (this is called the IP Header Preservation mechanism), hence the packet can be routed towards every other router in the network as long as the routing table has such information.

Configuration

Complete these steps:

Step 1 R1 configuration.

First we need RSA keys to be used by our KS for the Rekey process. The RSA keys are used to authenticate the KS to the GM in the Rekey process. Remember that to generate new RSA keys you must have Hostname and Domain-name configured on the router.

R1(config)#ip domain-name micronicstraining.com
R1(config)#crypto key generate rsa modulus 1024

The name for the keys will be: R1.micronicstraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

Then we need the ISAKMP parameters. These will be used to establish the ISAKMP SA to secure further GDOI messages. The pre-shared key must be specified on both KS and GM to be able to authenticate.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# exi
R1(config)#crypto isakmp key GETVPN-R5 address 10.1.25.5
R1(config)#crypto isakmp key GETVPN-R4 address 10.1.24.4

The IPSec parameters must be configured on the KS. These parameters are not used by the KS itself. They are part of the policy that will be sent down to the GMs. The IPSec profile tells the GM what encryption algorithm to use, just like in a regular IPSec configuration.

R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#crypto ipsec profile GETVPN-PROF
R1(ipsec-profile)# set transform-set TSET

Now it's time to configure the KS. To do that we need to specify the Group. One KS may have many groups and each group may have a different security policy.

R1(ipsec-profile)#crypto gdoi group GETVPN
R1(config-gdoi-group)# identity number 1
R1(config-gdoi-group)# server local
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON

Here we need to specify the Rekey parameters. The Rekey phase can be performed in two ways:
- Unicast Rekey – when we do not have multicast support in our infrastructure (may be the case when the ISP does not support multicast in its IP VPN cloud). The KS sends down a Rekey packet to every GM it knows of.
- Multicast Rekey – when we have a multicast-ready infrastructure, then we can enable multicast Rekey and the KS generates only one packet and sends it down to all GMs at one time.

R1(gdoi-local-server)# rekey authentication mypubkey rsa R1.micronicstraining.com
R1(gdoi-local-server)# rekey retransmit 10 number 2
R1(gdoi-local-server)# rekey transport unicast

By default every GM can register to the KS as long as it has the correct PSK configured (or a valid Certificate in case of PKI). To authorize GMs to be able to register in this group on the KS, you need to specify a standard ACL with the GMs' IP addresses. Our ACL is named GM-LIST.

R1(gdoi-local-server)# authorization address ipv4 GM-LIST

Now it's time to configure the policy for our GMs. The encryption policy is created by the IPSec Profile configured earlier. To tell the GMs what packets they should encrypt, we need another ACL (extended this time). Our ACL is named LAN-LIST. We can also specify the window size for Time-based Anti-Replay protection. The last important parameter is the KS's IP address. This parameter must as well be sent down to the GMs, as the KS may run on a different IP address (like a Loopback).

R1(gdoi-local-server)# sa ipsec 1
R1(gdoi-sa-ipsec)# profile GETVPN-PROF
R1(gdoi-sa-ipsec)# match address ipv4 LAN-LIST
R1(gdoi-sa-ipsec)# replay counter window-size 64
R1(gdoi-sa-ipsec)# address ipv4 10.1.12.1
R1(gdoi-local-server)#
%GDOI-5-KS_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
R1(gdoi-local-server)#exi
R1(config-gdoi-group)#exi
R1(config)#ip access-list standard GM-LIST
R1(config-std-nacl)# permit 10.1.25.5
R1(config-std-nacl)# permit 10.1.24.4
R1(config-std-nacl)#exi

Here's our "policy ACL". Note that we must exclude GDOI (UDP/848) from this policy, as there is not much sense in encrypting something already encrypted.

R1(config)#ip access-list extended LAN-LIST
R1(config-ext-nacl)# deny udp any eq 848 any eq 848
R1(config-ext-nacl)# permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config-ext-nacl)#exi

Step 2 R5 configuration.

R5 is our first GM. We need the following to be configured on every GM:
- ISAKMP policy and pre-shared key (in case of PSK)
- the Group to which the GM needs to be registered
- (optional) ACL to exclude some traffic from encryption
- crypto map of type GDOI

R5(config)#crypto isakmp policy 10
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# exi
R5(config)#crypto isakmp key GETVPN-R5 address 10.1.12.1
R5(config)#crypto gdoi group GETVPN
R5(config-gdoi-group)# identity number 1
R5(config-gdoi-group)# server address ipv4 10.1.12.1
R5(config-gdoi-group)# exi

This ACL is optional. In general we should configure our policy on the KS only, but there are some situations when we need to exclude some flows from encryption. Like here, we were asked to exclude SSH traffic between the 192.168.4.0/24 AND 192.168.5.0/24 networks. When a policy is configured on both KS and GM, the concatenated policy looks as follows:
- Denied traffic on KS
- Permitted traffic on KS
- Denied traffic on GM

We can only DENY (exclude) traffic on the GM, we cannot PERMIT it to be encrypted. To display that concatenated policy use the "sh crypto gdoi gm acl" command on the GM.

R5(config)#ip access-list extended DO-NOT-ENCRYPT
R5(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 eq 22 192.168.5.0 0.0.0.255
R5(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
R5(config-ext-nacl)#deny tcp 192.168.5.0 0.0.0.255 eq 22 192.168.4.0 0.0.0.255
R5(config-ext-nacl)#deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
R5(config-ext-nacl)#exi
R5(config)#crypto map CMAP-GETVPN 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
R5(config-crypto-map)# set group GETVPN
R5(config-crypto-map)# match address DO-NOT-ENCRYPT
R5(config-crypto-map)# exi
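An added example, not from the workbook, that models how the policy just described is concatenated and applied on a GM. It takes the KS ACL LAN-LIST and the GM ACL DO-NOT-ENCRYPT of this lab, builds the combined list in the order given above (KS denies, KS permits, GM denies), drops any permit a GM might configure locally, and classifies sample flows; the Python names and the sample flows are my own.

```python
"""Model of the effective GET VPN policy on a Group Member (added example).

The KS-downloaded ACL (LAN-LIST) is concatenated with the GM-local ACL
(DO-NOT-ENCRYPT): KS denies, then KS permits, then GM denies. The GM can only
narrow what the KS permits, so a local deny always excludes a flow from
encryption and a local permit is ignored.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One entry of an extended IOS ACL, limited to the fields GET VPN uses."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    src_port: Optional[int] = None  # None means any port ("eq" absent)
    dst_port: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str,
                sport: Optional[int], dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        if self.src_port is not None and self.src_port != sport:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return True

    def __str__(self) -> str:
        sp = f" port = {self.src_port}" if self.src_port is not None else ""
        dp = f" port = {self.dst_port}" if self.dst_port is not None else ""
        return f"{self.action} {self.proto} {self.src}{sp} {self.dst}{dp}"


ANY = IPv4Network("0.0.0.0/0")
LANS = IPv4Network("192.168.0.0/16")
R4_LAN = IPv4Network("192.168.4.0/24")
R5_LAN = IPv4Network("192.168.5.0/24")

# access-list LAN-LIST as configured on the KS (R1) in this lab.
KS_ACL: List[Ace] = [
    Ace("deny", "udp", ANY, ANY, src_port=848, dst_port=848),  # GDOI itself
    Ace("permit", "ip", LANS, LANS),
]

# access-list DO-NOT-ENCRYPT as configured on the GMs (R4, R5) in this lab.
GM_ACL: List[Ace] = [
    Ace("deny", "tcp", R4_LAN, R5_LAN, src_port=22),
    Ace("deny", "tcp", R4_LAN, R5_LAN, dst_port=22),
    Ace("deny", "tcp", R5_LAN, R4_LAN, src_port=22),
    Ace("deny", "tcp", R5_LAN, R4_LAN, dst_port=22),
]


def concatenate(ks_acl: List[Ace], gm_acl: List[Ace]) -> List[Ace]:
    """Effective GM policy in the workbook's order: KS denies, KS permits, GM denies.
    A permit configured locally on the GM is dropped; only the KS can add traffic."""
    ks_denies = [a for a in ks_acl if a.action == "deny"]
    ks_permits = [a for a in ks_acl if a.action == "permit"]
    gm_denies = [a for a in gm_acl if a.action == "deny"]
    return ks_denies + ks_permits + gm_denies


def classify(policy: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None
             ) -> Tuple[str, Optional[Ace]]:
    """Decide what the GM does with an outbound packet.

    "bypass": a deny entry (KS or GM) matches, the packet is deliberately sent
    in clear text; "encrypt": a KS permit matches and no deny does; "clear":
    nothing matches, the packet is outside the group policy altogether.
    Denies are honoured before permits regardless of their position, which is
    what makes a GM-local deny effective against the KS permit."""
    hits = [a for a in policy if a.matches(proto, src, dst, sport, dport)]
    for ace in hits:
        if ace.action == "deny":
            return "bypass", ace
    for ace in hits:
        if ace.action == "permit":
            return "encrypt", ace
    return "clear", None


POLICY = concatenate(KS_ACL, GM_ACL)

if __name__ == "__main__":
    for ace in POLICY:
        print(ace)
    # SSH from R4's LAN to R5's LAN is excluded by the GM-local ACL.
    print(classify(POLICY, "tcp", "192.168.4.4", "192.168.5.5", 51000, 22))
    # An ICMP echo between the same LANs is encrypted.
    print(classify(POLICY, "icmp", "192.168.4.4", "192.168.5.5"))
```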

R5(config)#int s0/1/0.52
R5(config-subif)# crypto map CMAP-GETVPN
R5(config-subif)# exi
R5(config)#
%CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.1 for group GETVPN using address 10.1.25.5
R5(config)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R5(config)#
%GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
%GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.12.1 complete for group GETVPN using address 10.1.25.5

See the above SYSLOG messages. They indicate that the GM has started the registration process with the KS and registered successfully.

Step 3 R4 configuration.

Same configuration for the next GM.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# exi
R4(config)#crypto isakmp key GETVPN-R4 address 10.1.12.1
R4(config)#crypto gdoi group GETVPN
R4(config-gdoi-group)# identity number 1
R4(config-gdoi-group)# server address ipv4 10.1.12.1
R4(config-gdoi-group)# exi
R4(config)#ip access-list extended DO-NOT-ENCRYPT
R4(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 eq 22 192.168.5.0 0.0.0.255
R4(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
R4(config-ext-nacl)#deny tcp 192.168.5.0 0.0.0.255 eq 22 192.168.4.0 0.0.0.255
R4(config-ext-nacl)#deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
R4(config-ext-nacl)#crypto map CMAP-GETVPN 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
R4(config-crypto-map)# set group GETVPN
R4(config-crypto-map)# match address DO-NOT-ENCRYPT
R4(config-crypto-map)# exi
R4(config)#int s0/0/0.42
R4(config-subif)# crypto map CMAP-GETVPN
R4(config-subif)# exi
%CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.1 for group GETVPN using address 10.1.24.4
R4(config)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R4(config)#
%GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
%GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.12.1 complete for group GETVPN using address 10.1.24.4

Verification

R1#sh crypto gdoi group GETVPN
Group Name               : GETVPN (Unicast)
Group Identity           : 1
Group Members            : 2
IPSec SA Direction       : Both
Active Group Server      : Local
Group Rekey Lifetime     : 86400 secs
Group Rekey
   Remaining Lifetime    : 86361 secs
Rekey Retransmit Period  : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
   Remaining Lifetime    : 0 secs
   IPSec SA Number       : 1
   IPSec SA Rekey Lifetime: 3600 secs
   Profile Name          : GETVPN-PROF
   Replay method         : Count Based
   Replay Window Size    : 64
   SA Rekey
      Remaining Lifetime : 3562 secs
   ACL Configured        : access-list LAN-LIST
Group Server list        : Local

R1#sh crypto gdoi ks policy
Key Server Policy:
For group GETVPN (handle: 2147483650) server 10.1.12.1 (handle: 2147483650):
  # of teks : 1  Seq num : 0
  KEK POLICY (transport type : Unicast)
    spi : 0x76749A6D99B3C0A3827FA26F1558ED63

    management alg     : disabled    encrypt alg          : 3DES
    crypto iv length   : 8           key size             : 24
    orig life(sec)     : 86400       remaining life(sec)  : 86355
    sig hash algorithm : enabled     sig key length       : 162
    sig size           : 128
    sig key name       : R1.micronicstraining.com

  TEK POLICY (encaps : ENCAPS_TUNNEL)
    spi                : 0xAF4FA6F8
    access-list        : LAN-LIST
    # of transforms    : 0
    transform          : ESP_AES
    hmac alg           : HMAC_AUTH_SHA
    alg key size       : 16          sig key size         : 20
    orig life(sec)     : 3600        remaining life(sec)  : 3556
    tek life(sec)      : 3600        elapsed time(sec)    : 44
    antireplay window size: 64

See both keys: TEK and KEK. KEK – for Rekey encryption, default lifetime 24 hours, default encryption algorithm 3DES. TEK – for traffic encryption between GMs, default lifetime 1 hour, encryption algorithm depends on the configured policy (no defaults).

R1#sh crypto gdoi ks acl
Group Name: GETVPN
Configured ACL:
  access-list LAN-LIST deny udp any port = 848 any port = 848
  access-list LAN-LIST permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

Here's the ACL which tells the GMs what traffic they should encrypt.

R1#sh crypto gdoi ks members
Group Member Information :

Number of rekeys sent for group GETVPN : 1

Group Member ID    : 10.1.24.4
 Group ID          : 1
 Group Name        : GETVPN
 Key Server ID     : 10.1.12.1
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0 0 0 0
 Rcvd seq num : 0 0 0 0

Group Member ID    : 10.1.25.5
 Group ID          : 1
 Group Name        : GETVPN
 Key Server ID     : 10.1.12.1
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0 0 0 0
 Rcvd seq num : 0 0 0 0

Registered members on the KS. Keep in mind you may have thousands of members registered to different groups. One member can register to two groups at the same time.

R1#sh crypto gdoi ks rekey
Group GETVPN (Unicast)
    Number of Rekeys sent           : 1
    Number of Rekeys retransmitted  : 0
    KEK rekey lifetime (sec)        : 86400
      Remaining lifetime (sec)      : 86335
    Retransmit period               : 10
    Number of retransmissions       : 2
    IPSec SA 1 lifetime (sec)       : 3600
      Remaining lifetime (sec)      : 3536

We have configured that for the Rekey phase. It is very important for Unicast Rekey that the KS will retransmit the Rekey message if it didn't receive an ACK from the GM.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       GDOI_IDLE         1002 ACTIVE
10.1.12.1       10.1.25.5       GDOI_IDLE         1001 ACTIVE

IPv6 Crypto ISAKMP SA

Note that the ISAKMP SA is established between KS and GMs only. There is no ISAKMP SA between GMs. After IKE Phase 1 establishes the SA, the GDOI protocol uses it for GM Registration and Rekey.

R1#sh crypto ipsec sa
No SAs found

There are no IPSec SAs between KS and GMs. All is done using the ISAKMP SA. The same set of commands is available on the GMs.

R4#sh crypto gdoi gm
Group Member Information For Group GETVPN:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GETVPN_temp_acl
    Last rekey seq num       : 0
    Re-register Remaining time : 3389 secs
    Retry Timer              : NOT RUNNING

R4#sh crypto gdoi gm acl
Group Name: GETVPN
 ACL Downloaded From KS 10.1.12.1:
   access-list  deny udp any port = 848 any port = 848
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 ACL Configured Locally:
   Map Name: CMAP-GETVPN
   access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 port = 22 192.168.5.0 0.0.0.255
   access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 port = 22
   access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 port = 22 192.168.4.0 0.0.0.255
   access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 port = 22

Here's the current Policy on the GM. Note that this is the concatenated ACL (KS ACL + GM ACL).

R4#sh crypto gdoi gm rekey
Group GETVPN (Unicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Number of Rekey Acks sent                    : 0

Rekey (KEK) SA information :
          dst             src             conn-id  my-cookie  his-cookie
New    : 10.1.24.4       10.1.12.1       1004     827FA26F   76749A6D
Current: ---             ---             ---      ---        ---
Previous: ---            ---             ---      ---        ---

R4#sh crypto gdoi group GETVPN
Group Name               : GETVPN
Group Identity           : 1
Rekeys received          : 0
IPSec SA Direction       : Both
Active Group Server      : 10.1.12.1

Group Server list        : 10.1.12.1
GM Reregisters in        : 3371 secs
Rekey Received(hh:mm:ss) : 00:15:45
Rekeys received
   Cumulative            : 0
   After registration    : 0
Rekey Acks sent          : 0

 ACL Downloaded From KS 10.1.12.1:
   access-list  deny udp any port = 848 any port = 848
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
   Rekey Transport Type  : Unicast
   Lifetime (secs)       : 86394
   Encrypt Algorithm     : 3DES
   Key Size              : 192
   Sig Hash Algorithm    : HMAC_AUTH_SHA
   Sig Key Length (bits) : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  Serial0/0/0.42:
    IPsec SA:
        spi: 0xAF4FA6F8(2941232888)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (3494)
        Anti-Replay : Disabled

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       GDOI_IDLE         1001 ACTIVE

IPv6 Crypto ISAKMP SA

The GM maintains an ISAKMP SA with the KS only!

R4#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.1.24.4       10.1.12.1              ACTIVE des  sha  psk  1  23:43:50
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

Below is the IPSec SA. This is built upon the policy received from the KS. Hence, there are as many Proxy IDs as permit ACEs in the ACL downloaded from the KS. Note that there is NO peer!

R4#sh crypto ipsec sa

interface: Serial0/0/0.42
    Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
     current outbound spi: 0xAF4FA6F8(2941232888)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAF4FA6F8(2941232888)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: NETGX:7, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3474)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAF4FA6F8(2941232888)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: NETGX:8, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3474)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Note that the Inbound and Outbound SPI is the same. This is because every GM understands that SPI (it is configured on the KS and sent down to all GMs).

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

C    192.168.4.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0/0.42
S*   0.0.0.0/0 [1/0] via 10.1.24.2

See, there is only a default route configured on the GM. Let's try to ping the network behind R5 and source the traffic from Lo0.

R4#ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
.....
Success rate is 0 percent (0/5)

Unsuccessful! Why? Let's look at crypto.

R4#sh crypto ipsec sa

interface: Serial0/0/0.42
    Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

the problem must lay somewhere else. sibling_flags 80000040.0 port 848 PERMIT. flags={origin_is_acl. } conn id: 2007.CCIE SECURITY v4 Lab Workbook remote ident (addr/mask/prot/port): (192.0. flow_id: NETGX:7. flow_id: NETGX:8. Hence. #pkts verify: 0 #pkts compressed: 0. ip mtu 1500. #pkts encrypt: 5. sibling_flags 80000040.0/0/0) current_peer 0. in use settings ={Tunnel.0. in use settings ={Tunnel.0.168.255. #pkts digest: 5 #pkts decaps: 0. #pkts decompress failed: 0 #send errors 0. remote crypto endpt. crypto map: CMAPGETVPN sa timing: remaining key lifetime (sec): (3434) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: Seems like ICMP packets have been encrypted and sent out. Let’s look at R2 if there are correct routes to that networks and add the missing routes. failed: 0 #pkts not decompressed: 0. ip mtu idb Serial0/0/0. } conn id: 2008. #pkts compr. DH group: none inbound esp sas: spi: 0xAF4FA6F8(2941232888) transform: esp-aes esp-sha-hmac . #pkts decrypt: 0. crypto map: CMAPGETVPN sa timing: remaining key lifetime (sec): (3434) IV size: 16 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xAF4FA6F8(2941232888) transform: esp-aes esp-sha-hmac .} #pkts encaps: 5.1.0/255.0 path mtu 1500.: 0.0. Since GET VPN uses IP Header Preservation mechnanism.42 current outbound spi: 0xAF4FA6F8(2941232888) PFS (Y/N): N.0.0.: 10.4.24. the original source and destination IP addresses are not changed (there is no tunneling). #recv errors 0 local crypto endpt. #pkts decompressed: 0 #pkts not compressed: 0. Page 753 of 1033 .

0 255.5.0.4 !!!!! Success rate is 100 percent (5/5). #pkts verify: 5 #pkts compressed: 0.5 R4#ping 192.24. #pkts decompress failed: 0 #send errors 0.168. R2(config)#ip route 192. 100-byte ICMP Echos to 192.: 10. #pkts digest: 10 #pkts decaps: 5.42 Crypto map tag: CMAP-GETVPN. R4#sh crypto ipsec sa interface: Serial0/0/0.255.25.0.1.0.0. sibling_flags 80000040.255.5.5 so lo0 Type escape sequence to abort.255. one per line.0 255. End with CNTL/Z. in use settings ={Tunnel.0.5.0/255.4.4.4 protected vrf: (none) local ident (addr/mask/prot/port): (192.1.0/0/0) remote ident (addr/mask/prot/port): (192.0/255. DH group: none inbound esp sas: spi: 0xAF4FA6F8(2941232888) transform: esp-aes esp-sha-hmac . round-trip min/avg/max = 32/32/36 ms Success! Let’s look at crypto again. #pkts decompressed: 0 #pkts not compressed: 0. timeout is 2 seconds: Packet sent with a source address of 192.4 R2(config)#ip route 192.168.255.0. #pkts compr.168.42 current outbound spi: 0xAF4FA6F8(2941232888) PFS (Y/N): N.1.168. } conn id: 2007. failed: 0 #pkts not decompressed: 0.0.24. flow_id: NETGX:7.168. ip mtu idb Serial0/0/0.255.168.168. ip mtu 1500.5.4. Sending 5.0 10.24.0.0 path mtu 1500.: 0.0/0/0) current_peer 0.1.CCIE SECURITY v4 Lab Workbook R2#conf t Enter configuration commands. crypto map: CMAPGETVPN sa timing: remaining key lifetime (sec): (3372) IV size: 16 bytes replay detection support: Y Status: ACTIVE Page 754 of 1033 .255.} #pkts encaps: 10. flags={origin_is_acl. remote crypto endpt. #recv errors 0 local crypto endpt. #pkts decrypt: 5. #pkts encrypt: 10. local addr 10.0 10.0 port 848 PERMIT.

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAF4FA6F8(2941232888)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: NETGX:8, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3372)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

All packets have been encrypted and decrypted. Now take a look at R5, using the same set of GDOI show commands.

R5#sh crypto gdoi gm
Group Member Information For Group GETVPN:
    IPSec SA Direction         : Both
    ACL Received From KS       : gdoi_group_GETVPN_temp_acl
    Last rekey seq num         : 0
    Re-register Remaining time : 3222 secs
    Retry Timer                : NOT RUNNING

R5#sh crypto gdoi gm acl
Group Name: GETVPN
 ACL Downloaded From KS 10.1.12.1:
   access-list  deny udp any port = 848 any port = 848
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 ACL Configured Locally:
 Map Name: CMAP-GETVPN
   access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 port = 22
   access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 port = 22 192.168.4.0 0.0.0.255
   access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 port = 22
   access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 port = 22 192.168.5.0 0.0.0.255

R5#sh crypto gdoi gm rekey
Group GETVPN (Unicast)

 Number of Rekeys received (cumulative)       : 0
 Number of Rekeys received after registration : 0
 Number of Rekey Acks sent                    : 0

 Rekey (KEK) SA information :
           dst             src             conn-id    my-cookie    his-cookie
 New     : 10.1.25.5       10.1.12.1       1004       827FA26F     76749A6D
 Current : ---             ---             ---        ---          ---
 Previous: ---             ---             ---        ---          ---

R5#sh crypto gdoi group GETVPN
    Group Name               : GETVPN
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 10.1.12.1
    Group Server list        : 10.1.12.1
    GM Reregisters in        : 3206 secs
    Rekey Received(hh:mm:ss) : 00:18:14
    Rekeys received
         Cumulative          : 0
         After registration  : 0
    Rekey Acks sent          : 0

    ACL Downloaded From KS 10.1.12.1:
      access-list  deny udp any port = 848 any port = 848
      access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

    KEK POLICY:
      Rekey Transport Type     : Unicast
      Lifetime (secs)          : 86400
      Encrypt Algorithm        : 3DES
      Key Size                 : 192
      Sig Hash Algorithm       : HMAC_AUTH_SHA
      Sig Key Length (bits)    : 1024

    TEK POLICY for the current KS-Policy ACEs Downloaded:
      Serial0/1/0.52:
        IPsec SA:
          spi: 0xAF4FA6F8(2941232888)
          transform: esp-aes esp-sha-hmac
          sa timing:remaining key lifetime (sec): (3344)
          Anti-Replay : Disabled

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.25.5       10.1.12.1              ACTIVE des  sha    psk  1  23:40:56
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Serial0/1/0.52
    Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0xAF4FA6F8(2941232888)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAF4FA6F8(2941232888)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: NETGX:7, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3331)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAF4FA6F8(2941232888)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: NETGX:8, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3331)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Test

To verify the policy configured on the GMs, we need to enable the SSH server on R4 and R5 and configure a local user database. Note that you must test SSH traffic between the 192.168.[4-5].0/24 networks, so you need to tell the routers which interface to use as the SSH source.

R4(config)#ip ssh source-interface lo0
R4(config)#ip domain-name micronicstraining.com
R4(config)#cry key gen rsa mod 1024
The name for the keys will be: R4.micronicstraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R4(config)#line vty 0 4
R4(config-line)#login local

R5(config)#username student password student123
R5(config)#line vty 0 4
R5(config-line)#login local
R5(config-line)#exit
R5(config)#ip ssh source-interface lo0
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
R5(config)#ip domain-name micronicstraining.com
R5(config)#crypto key generate rsa mod 1024
The name for the keys will be: R5.micronicstraining.com

: 0. keys will be non-exportable.0/0/0) #pkts encaps: 57. Same test on R4: Page 759 of 1033 .255.168. remote crypto endpt. local addr 10.0 No encryption counters incremented!!! This is because SSH between those networks is excluded from encryption.168.5.5 local ident (addr/mask/prot/port): (192.0/255.0/0/0) remote ident (addr/mask/prot/port): (192. #pkts verify: 82 local crypto endpt.1.0.255.25.25.0.1.0.4 closed by foreign host] Check the encryption/decryption counters.25.25.0.CCIE SECURITY v4 Lab Workbook % The key modulus size is 1024 bits % Generating 1024 bit RSA keys.: 10.: 0. #pkts digest: 57 #pkts decaps: 82.168.0.0.0.0 Connect to r4 using SSH to generate the traffic. #pkts verify: 82 local crypto endpt.4. remote crypto endpt.255.0.99 has been enabled R5(config)#end First..0/255.5.168. #pkts encrypt: 57.0/0/0) remote ident (addr/mask/prot/port): (192. #pkts encrypt: 57.0/255. #pkts decrypt: 82.[OK] R5(config)# %SSH-5-ENABLED: SSH 1.: 10. #pkts digest: 57 #pkts decaps: 82.0.0/255. check the encryption/decryption counters. R5#sh cry ips sa | in local|remot|enca|deca Crypto map tag: CMAP-GETVPN. #pkts decrypt: 82.0/0/0) #pkts encaps: 57. R5#sh cry ips sa | in local|remot|enca|deca Crypto map tag: CMAP-GETVPN.5. local addr 10.168.4.0.168.4 Password: R4>sh users Line User 0 con 0 *514 vty 0 student Interface User Host(s) Idle idle 00:03:29 idle 00:00:00 192..1.255.0.5 Mode Idle Location Peer Address R4>exit [Connection to 192. R5#ssh -l student 192.1.168.5 local ident (addr/mask/prot/port): (192.0.

R4#sh cry ips sa | in local|remot|enca|deca
    Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0

R4#ssh -l student 192.168.5.5

Password:

R5>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:00
*514 vty 0     student    idle                 00:00:00 192.168.4.4

  Interface    User               Mode         Idle     Peer Address

R5>exit

[Connection to 192.168.5.5 closed by foreign host]

R4#sh cry ips sa | in local|remot|enca|deca
    Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0

No encryption counters have incremented! Let's verify with a ping.

R4#ping 192.168.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

R4#sh cry ips sa | in local|remot|enca|deca
    Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
    #pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62
     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0

The counters have been incremented by 5 packets!

Lab 1.57. GET VPN (PKI)

Lab Setup

- R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
- R2's S0/1/0 and R5's S0/1/0 interface should be configured in a frame-relay point-to-point manner
- R2's S0/1/0 and R4's S0/0/0 interface should be configured in a frame-relay point-to-point manner
- Configure Telnet on all routers using password "cisco"
- Configure default routing on R1, R4 and R5 pointing to R2

IP Addressing

Device   Interface    IP address
R1       Lo0          192.168.1.1/24
         F0/0         10.1.12.1/24

R2       F0/0         10.1.12.2/24
         S0/1/0.25    10.1.25.2/24
         S0/1/0.24    10.1.24.2/24
R4       S0/0/0.42    10.1.24.4/24
         Lo0          192.168.4.4/24
R5       S0/1/0.52    10.1.25.5/24
         Lo0          192.168.5.5/24

Task 1

Configure an NTP server with MD5 authentication (cisco123) and a CA server on R1. It will be used for enrolling certificates for the GET VPN Group Members. Configure a GET VPN solution for traffic going between the 192.168.0.0/16 networks (the LANs behind R5 and R4). R1 must be used as Key Server and R5 and R4 are Group Members. Use the following parameters for the KS configuration:

Group name: GETVPN
Server:
  Identity 1
  IP address 10.1.12.1
Rekey:
  Unicast
  No retransmits
  Lifetime 400 seconds
  RSA key name KS-KEYS
Authorization: Only R5 and R4 GM routers
IPSec SA:
  Time-based anti-replay window: 64
  Policy: 192.168.0.0/16 to 192.168.0.0/16, do not encrypt GDOI
  Encryption: AES-128
  Integrity: SHA
ISAKMP Policy:
  Authentication: Certificates
  Encryption: DES
  Hashing: SHA

Do not encrypt TELNET traffic between the 192.168.4.0/24 and 192.168.5.0/24 networks. This exception must be configured on the GMs.

This lab is very similar to the previous one. Here, we are asked for certificate authentication between KS and GMs. Hence, R1 must work as a Certificate Authority to give out the certificates to all routers. Note that since R1 must also work as KS, it must have its own certificate as well, so we need to create a trustpoint on R1 and enroll a certificate as we do on every other router. When certificates are in use, we need to be careful about time, which is why we are asked to configure an NTP server on R1 and NTP clients on R4 and R5.

Configuration

Complete these steps:

Step 1 Configure R1 as NTP server.

R1(config)#ntp master 4
R1(config)#ntp authentication-key 1 md5 cisco123
R1(config)#ntp trusted-key 1
R1(config)#ntp authenticate

Step 2 Configure R5 as NTP client of R1.

R5(config)#ntp authentication-key 1 md5 cisco123
R5(config)#ntp trusted-key 1
R5(config)#ntp authenticate
R5(config)#ntp server 10.1.12.1 key 1

Step 3 Configure R4 as NTP client of R1.

R4(config)#ntp authentication-key 1 md5 cisco123
R4(config)#ntp trusted-key 1
R4(config)#ntp authenticate
R4(config)#ntp server 10.1.12.1 key 1

Step 4 Configure CA and KS on R1. The CA configuration has been described in detail in lab 2.

R1(config)#do sh ntp status

Clock is synchronized, stratum 4, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CEA97CF5.2B02C9E8 (19:01:09.168 UTC Sat Nov 14 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

R1(config)#ip domain-name micronicstraining.com
R1(config)#crypto key generate rsa mod 1024 label KS-KEYS exportable
The name for the keys will be: KS-KEYS
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip http server
R1(config)#crypto pki server IOS-CA
R1(cs-server)#database url nvram:
% Server database url was changed. You need to move the
% existing database to the new location.
R1(cs-server)#database level minimum
R1(cs-server)#grant auto
R1(cs-server)#
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R1(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
R1(cs-server)#
%PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#exi

Here is the trustpoint used to enroll R1's own certificate from the CA installed on R1.

R1(config)#crypto ca trustpoint R1-IOS-CA

R1(ca-trustpoint)#enrollment url http://10.1.12.1:80
R1(ca-trustpoint)#revocation-check none
R1(ca-trustpoint)#exi
R1(config)#crypto ca authenticate R1-IOS-CA
Certificate has the following attributes:
       Fingerprint MD5: 1EDBC58C C0EC6E6A 30277787 757F752B
      Fingerprint SHA1: AC5AAD4E 6F972239 CD46EE23 45265D7A A756B2C5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#crypto ca enroll R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: R1.micronicstraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.

R1(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: BAFB1982 AD56FE4E 7A13792F A30D12FF
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: D4D7E9C1 58521229 DABAAD4B 88A19A2B 2A5CFB27
R1(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

The configuration is very similar to that presented in the previous lab. The one difference is in the ISAKMP policy. We do not need to specify RSA-SIG as it is enabled by default. Another thing is that we do not configure ISAKMP keys since

we do not use PSK anymore.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)# authentication rsa-sig
R1(config-isakmp)# exi
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exi
R1(config)#crypto ipsec profile GETVPN-PROF
R1(ipsec-profile)# set transform-set TSET
R1(ipsec-profile)#exi
R1(config)#ip access-list standard GM-LIST
R1(config-std-nacl)# permit 10.1.25.5
R1(config-std-nacl)# permit 10.1.24.4
R1(config-std-nacl)# exi
R1(config)#ip access-list extended LAN-LIST
R1(config-ext-nacl)# deny udp any eq 848 any eq 848
R1(config-ext-nacl)# permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config-ext-nacl)#exi
R1(config)#crypto gdoi group GETVPN
R1(config-gdoi-group)# identity number 1
R1(config-gdoi-group)# server local
R1(gdoi-local-server)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R1(gdoi-local-server)# rekey lifetime seconds 400
R1(gdoi-local-server)# no rekey retransmit
R1(gdoi-local-server)# rekey authentication mypubkey rsa KS-KEYS
R1(gdoi-local-server)# rekey transport unicast
R1(gdoi-local-server)#
%GDOI-5-KS_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
R1(gdoi-local-server)# authorization address ipv4 GM-LIST
R1(gdoi-local-server)# sa ipsec 1
R1(gdoi-sa-ipsec)# profile GETVPN-PROF
R1(gdoi-sa-ipsec)# match address ipv4 LAN-LIST
R1(gdoi-sa-ipsec)# replay counter window-size 64
R1(gdoi-sa-ipsec)# address ipv4 10.1.12.1
R1(gdoi-local-server)#exi
R1(config-gdoi-group)#exi

Step 5 Configure R5 as GM. Before configuring the GM, ensure the time is synchronized.

R5(config)#do sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.12.1

nominal freq is 250.0000 Hz, actual freq is 250.0001 Hz, precision is 2**18
reference time is CEA97E83.4F5E1788 (19:07:47.310 UTC Sat Nov 14 2009)
clock offset is -5.94 msec, root delay is 56.63 msec
root dispersion is 5.85 msec, peer dispersion is 0.0428 msec

You need a trustpoint to be able to enroll the certificate from the CA. You do not need to generate RSA keys; they will be generated automatically during the enrollment process.

R5(config)#crypto ca trustpoint R1-IOS-CA
R5(ca-trustpoint)#enrollment url http://10.1.12.1:80
R5(ca-trustpoint)#revocation-check none
R5(ca-trustpoint)#exi

When the trustpoint is ready, we need to download the CA certificate.

R5(config)#crypto ca authenticate R1-IOS-CA
Certificate has the following attributes:
       Fingerprint MD5: 1EDBC58C C0EC6E6A 30277787 757F752B
      Fingerprint SHA1: AC5AAD4E 6F972239 CD46EE23 45265D7A A756B2C5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Once we have the CA certificate, we can request a certificate for the router itself.

R5(config)#crypto ca enroll R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
RSA key size needs to be atleast 768 bits for ssh version 2
%SSH-5-ENABLED: SSH 1.5 has been enabled
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: R5

% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.

R5(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: C9AFC720 731E7669 48B60A5C 66A96152
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 6384402D 15D72B7D 8E733C1A C6151667 B9E74C77
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

The GM configuration is very similar to that presented in the previous lab, except for the authentication method.

R5(config)#crypto isakmp policy 10
R5(config-isakmp)# authentication rsa-sig
R5(config-isakmp)#exi
R5(config)#crypto gdoi group GETVPN
R5(config-gdoi-group)# identity number 1
R5(config-gdoi-group)# server address ipv4 10.1.12.1
R5(config-gdoi-group)#exi
R5(config)#ip access-list extended DO-NOT-ENCRYPT
R5(config-ext-nacl)# deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq telnet
R5(config-ext-nacl)# deny tcp 192.168.5.0 0.0.0.255 eq telnet 192.168.4.0 0.0.0.255
R5(config-ext-nacl)# deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
R5(config-ext-nacl)# deny tcp 192.168.4.0 0.0.0.255 eq telnet 192.168.5.0 0.0.0.255
R5(config-ext-nacl)#exi
R5(config)#crypto map CMAP-GETVPN 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
R5(config-crypto-map)# set group GETVPN
R5(config-crypto-map)# match address DO-NOT-ENCRYPT
R5(config-crypto-map)#exi
R5(config)#int s0/1/0.52
R5(config-subif)#crypto map CMAP-GETVPN
R5(config-subif)#
%CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.1 for group GETVPN using address 10.1.25.5

R5(config-subif)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R5(config-subif)#exi
%GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
%GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.12.1 complete for group GETVPN using address 10.1.25.5

See that R5 has sent a registration request and registered successfully.

Step 6 Configure R4 as GM. Same bunch of commands on the second GM.

R4(config)#do sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.12.1
nominal freq is 250.0000 Hz, actual freq is 249.9996 Hz, precision is 2**18
reference time is CEA981C9.A89DB4CF (19:21:45.658 UTC Sat Nov 14 2009)
clock offset is 6.6896 msec, root delay is 56.52 msec
root dispersion is 6.76 msec, peer dispersion is 0.05 msec

R4(config)#crypto ca trustpoint R1-IOS-CA
R4(ca-trustpoint)#enrollment url http://10.1.12.1:80
R4(ca-trustpoint)#revocation-check none
R4(ca-trustpoint)#exi
R4(config)#crypto ca authenticate R1-IOS-CA
Certificate has the following attributes:
       Fingerprint MD5: 1EDBC58C C0EC6E6A 30277787 757F752B
      Fingerprint SHA1: AC5AAD4E 6F972239 CD46EE23 45265D7A A756B2C5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R4(config)#cry ca enr R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:

RSA key size needs to be atleast 768 bits for ssh version 2
%SSH-5-ENABLED: SSH 1.5 has been enabled
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: R4
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.

R4(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: 9B4F4499 CC69D4F5 686DF42C 93D66C71
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: A53AE9D9 B2EF40C3 BC54FBC1 7FDB65B5 66A4A88E
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R4(config)#crypto isakmp policy 10
R4(config-isakmp)# authentication rsa-sig
R4(config-isakmp)#exi
R4(config)#crypto gdoi group GETVPN
R4(config-gdoi-group)# identity number 1
R4(config-gdoi-group)# server address ipv4 10.1.12.1
R4(config-gdoi-group)#exi
R4(config)#ip access-list extended DO-NOT-ENCRYPT
R4(config-ext-nacl)# deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
R4(config-ext-nacl)# deny tcp 192.168.4.0 0.0.0.255 eq telnet 192.168.5.0 0.0.0.255
R4(config-ext-nacl)# deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq telnet
R4(config-ext-nacl)# deny tcp 192.168.5.0 0.0.0.255 eq telnet 192.168.4.0 0.0.0.255
R4(config-ext-nacl)#exi
R4(config)#crypto map CMAP-GETVPN 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
R4(config-crypto-map)# set group GETVPN
R4(config-crypto-map)# match address DO-NOT-ENCRYPT
R4(config-crypto-map)#exi
R4(config)#int s0/0/0.42
R4(config-subif)#crypto map CMAP-GETVPN

R4(config-subif)#
%CRYPTO-5-GM_REGSTER: Start registration to KS 10.1.12.1 for group GETVPN using address 10.1.24.4
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R4(config-subif)#exi
R4(config)#
%GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
%GDOI-5-GM_REGS_COMPL: Registration to KS 10.1.12.1 complete for group GETVPN using address 10.1.24.4

Verification

On the KS, check which GMs have registered.

R1#sh crypto gdoi ks members
Group Member Information :

Number of rekeys sent for group GETVPN : 1

Group Member ID    : 10.1.25.5
 Group ID          : 1
 Group Name        : GETVPN
 Key Server ID     : 10.1.12.1
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
 Rcvd seq num : 0       0       0       0

Group Member ID    : 10.1.24.4
 Group ID          : 1
 Group Name        : GETVPN
 Key Server ID     : 10.1.12.1
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
 Rcvd seq num : 0       0       0       0

Which group is configured on the KS, and what is its policy?

R1#sh crypto gdoi ks

Total group members registered to this box: 2

Key Server Information For Group GETVPN:
    Group Name               : GETVPN
    Group Identity           : 1
    Group Members            : 2
    IPSec SA Direction       : Both
    ACL Configured:
        access-list LAN-LIST

R1#sh crypto gdoi ks acl
Group Name: GETVPN
Configured ACL:
    access-list LAN-LIST deny udp any port = 848 any port = 848
    access-list LAN-LIST permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R1#sh crypto gdoi ks policy
Key Server Policy:
For group GETVPN (handle: 2147483650) server 10.1.12.1 (handle: 2147483650):
  # of teks : 1  Seq num : 0
  KEK POLICY (transport type : Unicast)
    spi : 0x9B0C69C0246B33C2A011A4E8A0C41ED5
    management alg     : disabled    encrypt alg       : 3DES
    crypto iv length   : 8           key size          : 24
    orig life(sec): 400              remaining life(sec): 365
    sig hash algorithm : enabled     sig size          : 128
    sig key name       : KS-KEYS     sig key length    : 162

  TEK POLICY (encaps : ENCAPS_TUNNEL)
    spi                : 0x325AC16C
    access-list        : LAN-LIST
    # of transforms    : 0
    transform          : ESP_AES
    hmac alg           : HMAC_AUTH_SHA
    alg key size       : 16          sig key size      : 20
    orig life(sec)     : 3600        remaining life(sec) : 3566
    tek life(sec)      : 3600        elapsed time(sec) : 34
    antireplay window size: 64

R1#sh crypto gdoi ks rekey
Group GETVPN (Unicast)
    Number of Rekeys sent           : 0
    Number of Rekeys retransmitted  : 0
    KEK rekey lifetime (sec)        : 400
      Remaining lifetime (sec)      : 355
    Retransmit period               : 0
    Number of retransmissions       : 0
    IPSec SA 1 lifetime (sec)       : 3600

      Remaining lifetime (sec)      : 3556

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       GDOI_IDLE         1001 ACTIVE
10.1.12.1       10.1.24.4       GDOI_IDLE         1002 ACTIVE

IPv6 Crypto ISAKMP SA

An ISAKMP SA has been established between the KS and each GM.

R1#sh crypto ipsec sa
No SAs found

Note that there is no IPSec SA between the KS and the GMs. The IPSec SAs exist only on the GMs.

R5#sh crypto gdoi gm
Group Member Information For Group GETVPN:
    IPSec SA Direction         : Both
    ACL Received From KS       : gdoi_group_GETVPN_temp_acl
    Last rekey seq num         : 0
    Re-register Remaining time : 3412 secs   <-- default is 3600 secs (1 hour)
    Retry Timer                : NOT RUNNING

R5#sh crypto gdoi gm acl
Group Name: GETVPN
 ACL Downloaded From KS 10.1.12.1:
   access-list  deny udp any port = 848 any port = 848
   access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 ACL Configured Locally:
 Map Name: CMAP-GETVPN
   access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 port = 23
   access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 port = 23 192.168.4.0 0.0.0.255
   access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 port = 23
   access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 port = 23 192.168.5.0 0.0.0.255
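The merged policy a GM ends up with (local DO-NOT-ENCRYPT exceptions evaluated ahead of the ACL downloaded from the KS, unmatched traffic forwarded in the clear) is what both this lab's telnet exception and the previous lab's SSH exception rely on. The following Python model is an added illustration, not code from the workbook or from Cisco; it parses lines in the "show crypto gdoi gm acl" format and classifies a flow the way the GM would, using sample ACLs constructed from the R5 output above.

```python
"""GET VPN group-member policy evaluation, modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                     # "permit" = encrypt, "deny" = bypass
    proto: str                      # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _endpoint(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Parse 'any' or 'addr wildcard', then an optional 'port = N'; return next index."""
    if t[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:                            # ipaddress accepts a wildcard (hostmask) after '/'
        net, i = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2
    port = None
    if i < len(t) and t[i] == "port":
        port, i = int(t[i + 2]), i + 3          # tokens: port = N
    return net, port, i


def parse_ace(line: str) -> Ace:
    """Parse one line of 'show crypto gdoi gm acl' output."""
    t = line.split()
    if t[0] == "access-list":
        t = t[1:]
    if t[0] not in ("permit", "deny"):         # named ACL: drop the name token
        t = t[1:]
    src, sport, i = _endpoint(t, 2)
    dst, dport, _ = _endpoint(t, i)
    return Ace(t[0], t[1], src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip()]


def _matches(a: Ace, proto: str, src: str, sport, dst: str, dport) -> bool:
    if a.proto != "ip" and a.proto != proto:
        return False
    if ipaddress.ip_address(src) not in a.src or ipaddress.ip_address(dst) not in a.dst:
        return False
    if a.sport is not None and a.sport != sport:
        return False
    return a.dport is None or a.dport == dport


def classify(local_acl: List[Ace], ks_acl: List[Ace], proto: str, src: str,
             dst: str, sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return 'encrypt' or 'bypass' for one flow leaving the GM."""
    for a in local_acl + ks_acl:               # local exceptions are checked first
        if _matches(a, proto, src, sport, dst, dport):
            return "encrypt" if a.action == "permit" else "bypass"
    return "bypass"                            # unmatched traffic is sent in the clear


# Constructed from the R5 'show crypto gdoi gm acl' output above.
KS_ACL = parse_acl("""
access-list deny udp any port = 848 any port = 848
access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
""")
LOCAL_ACL = parse_acl("""
access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 port = 23
access-list DO-NOT-ENCRYPT deny tcp 192.168.5.0 0.0.0.255 port = 23 192.168.4.0 0.0.0.255
access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 port = 23
access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 port = 23 192.168.5.0 0.0.0.255
""")

if __name__ == "__main__":
    for flow in [("tcp", "192.168.5.5", "192.168.4.4", 40000, 23),   # telnet: exception
                 ("tcp", "192.168.5.5", "192.168.4.4", 40000, 22),   # ssh: encrypted in this lab
                 ("icmp", "192.168.5.5", "192.168.4.4", None, None),
                 ("udp", "192.168.5.5", "192.168.1.1", 848, 848)]:   # GDOI inside the LAN range
        print(flow, "->", classify(LOCAL_ACL, KS_ACL, *flow))
```

The last sample flow shows why the KS policy carries the deny for UDP 848: without it, GDOI registration or rekey packets whose addresses happen to fall inside the permitted range would themselves be encrypted.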

R5#sh crypto gdoi gm rekey
Group GETVPN (Unicast)
 Number of Rekeys received (cumulative)       : 0
 Number of Rekeys received after registration : 0
 Number of Rekey Acks sent                    : 0

 Rekey (KEK) SA information :
           dst             src             conn-id    my-cookie    his-cookie
 New     : 10.1.25.5       10.1.12.1       1005       A011A4E8     9B0C69C0
 Current : ---             ---             ---        ---          ---
 Previous: ---             ---             ---        ---          ---

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       GDOI_IDLE         1001 ACTIVE
10.1.25.5       10.1.12.1       GDOI_REKEY        1005 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Serial0/1/0.52
    Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848        <-- there is no peer IP address
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0x325AC16C(844808556)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x325AC16C(844808556)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: NETGX:11, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3499)
        IV size: 16 bytes
        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x325AC16C(844808556)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: NETGX:12, sibling_flags 80000040, crypto map: CMAP-GETVPN
        sa timing: remaining key lifetime (sec): (3499)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
.....
Success rate is 0 percent (0/5)

R5#sh crypto ipsec sa | inc loca|remot|enca|deca
    Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0

Note that the ping is unsuccessful. However, the packets are leaving the router and are being encrypted, so somewhere on the way to R4 they are dropped. Take a look at R2.

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.12.0 is directly connected, GigabitEthernet0/0
C       10.1.25.0 is directly connected, Serial0/1/0.25
C       10.1.24.0 is directly connected, Serial0/1/0.24

See, there is no routing to the 192.168.4.0/24 and 192.168.5.0/24 networks. Those routes are necessary because GET VPN uses IPSec tunnel mode with IP header preservation, so the original IP header is used to route the packets.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 192.168.4.0 255.255.255.0 10.1.24.4
R2(config)#ip route 192.168.5.0 255.255.255.0 10.1.25.5
R2(config)#exi

R5#ping 192.168.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

R5#sh crypto ipsec sa | inc loca|remot|enca|deca
    Crypto map tag: CMAP-GETVPN, local addr 10.1.25.5
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 0.0.0.0

Now all packets get encrypted and decrypted.
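Both this lab and the previous one verify the policy the same way: read the filtered "show crypto ipsec sa" counters before and after a test flow, and check whether the SA's encaps/decaps grew (an excluded telnet or SSH session leaves them unchanged; five pings add five each way). The helper below is an added example, not part of the workbook; it parses that filtered output and reports the per-SA delta, using two snapshots constructed to match R4's output in the previous lab's SSH and ping test.

```python
"""Before/after comparison of GET VPN IPsec SA counters (added example)."""
import re
from typing import Dict, Tuple

Key = Tuple[str, str, str]       # (local addr, local ident, remote ident)
_LOCAL_RE = re.compile(r"local addr (\S+)")
_IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
_CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(text: str) -> Dict[Key, Dict[str, int]]:
    """Parse 'show crypto ipsec sa | inc loca|remot|enca|deca' into per-SA counters."""
    sas: Dict[Key, Dict[str, int]] = {}
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if m := _LOCAL_RE.search(line):          # 'Crypto map tag: ..., local addr X'
            cur = {"local_addr": m.group(1)}
        elif m := _IDENT_RE.search(line):        # local / remote proxy identity
            cur[m.group(1)] = m.group(2)
        elif m := _CNT_RE.search(line):          # '#pkts encaps: N, ...' / '#pkts decaps: N, ...'
            key = (cur["local_addr"], cur["local"], cur["remote"])
            sas.setdefault(key, {})[m.group(1)] = int(m.group(2))
    return sas


def counter_delta(before: Dict[Key, Dict[str, int]],
                  after: Dict[Key, Dict[str, int]]) -> Dict[Key, Dict[str, int]]:
    """Per-SA growth of encaps/decaps between two snapshots (a new SA counts from 0)."""
    delta: Dict[Key, Dict[str, int]] = {}
    for key, cnt in after.items():
        prev = before.get(key, {"encaps": 0, "decaps": 0})
        delta[key] = {"encaps": cnt["encaps"] - prev["encaps"],
                      "decaps": cnt["decaps"] - prev["decaps"]}
    return delta


def encrypted_packets(before_text: str, after_text: str) -> int:
    """Packets the GM encrypted between the snapshots; 0 means the flow was bypassed."""
    delta = counter_delta(parse_counters(before_text), parse_counters(after_text))
    return sum(v["encaps"] for v in delta.values())


# Constructed snapshots shaped like R4's filtered output in the SSH test.
BEFORE = """\
    Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0
"""
AFTER_SSH = BEFORE                                                # exception traffic: unchanged
AFTER_PING = BEFORE.replace("87,", "92,").replace("57,", "62,")  # five echoes each way

if __name__ == "__main__":
    print("ssh :", encrypted_packets(BEFORE, AFTER_SSH), "packets encrypted")
    print("ping:", encrypted_packets(BEFORE, AFTER_PING), "packets encrypted")
```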

CCIE SECURITY v4 Lab Workbook Rekeys received Cumulative : 0 After registration : 0 Rekey Acks sent : 0 ACL Downloaded From KS 10.0.255.0.1: access-list deny udp any port = 848 any port = 848 access-list permit ip 192.255 KEK POLICY: Rekey Transport Type : Unicast Lifetime (secs) : 394 Encrypt Algorithm : 3DES Key Size : 192 Sig Hash Algorithm : HMAC_AUTH_SHA Sig Key Length (bits) : 1024 TEK POLICY for the current KS-Policy ACEs Downloaded: Serial0/0/0.24.255. Disable CEF switching on R2 to see packets going through the router.1.1.0.168.255 192. 1.24 R2(config-subif)#no ip route-cache Page 777 of 1033 .4 src conn-id TEST: Telnet from R5’s loopback interface to R4’s loobpack interface.0.12.1 1005 A011A4E8 9B0C69C0 Current : --- --- --- --- --- Previous: --- --- --- --- --- New : 10.0 0.0 0.12.1.42: IPsec SA: spi: 0x325AC16C(844808556) transform: esp-aes esp-sha-hmac sa timing:remaining key lifetime (sec): (3381) Anti-Replay : Disabled R4#sh crypto gdoi gm rekey Group GETVPN (Unicast) Number of Rekeys received (cumulative) : 0 Number of Rekeys received after registration : 0 Number of Rekey Acks sent : 0 Rekey (KEK) SA information : dst my-cookie his-cookie 10.25 R2(config-subif)#no ip route-cache R2(config-subif)#int s0/1/0. R2(config)#int s0/1/0.168.

xml disabled.5..168.4 /so lo0 Trying 192..5 Interface User User Mode Idle Location Peer Address R4>exit [Connection to 192. Telnet from R5’s loopback0 to R4’s loopback0. 564 messages logged.CCIE SECURITY v4 Lab Workbook R2(config-subif)#exi 2.4. R2(config)#access-list 123 permit tcp any any eq telnet R2(config)#access-list 123 permit tcp any eq telnet any R2(config)#do deb ip pac det 123 IP packet debugging is on (detailed) for access list 123 R2(config)#logg buffered 7 R2(config)#logg on R2(config)#do clear logg Clear logging buffer [confirm] R2(config)# 3. 0 flushes. No Inactive Message Discriminator. xml disabled. 0 overruns.4 .168.4. filtering disabled) No Active Message Discriminator. R2#sh logg Syslog logging: enabled (12 messages dropped. Console logging: level debugging.4. Back to R2 to see if any packets have been captured.168.4 closed by foreign host] 4. Enable debugging for all TELNET packets.168. Log to the buffer. R5#tel 192. 1 messages rate-limited. filtering disabled Page 778 of 1033 . Open User Access Verification Password: R4>sh users Line Host(s) Idle 0 con 0 idle 00:06:21 *514 vty 0 idle 00:00:00 192.

24).4 (Serial0/1/0.4 (Serial0/0/0.24). ack=1588224467.168.4. routed via FIB IP: s=192. Note the TELNET traffic is not encrypted (as there is port 23 seen in the capture). win=5768 ACK PSH IP: tableid=0. g=10. xml disabled. Page 779 of 1033 . s=192. xml disabled. filtering disabled Logging Exception size (4096 bytes) Count and timestamp logging messages: disabled Persistent logging: disabled No active filter modules. 516 messages logged.5 (Serial0/1/0.168. win=4078 ACK PSH < output omitted > See the source and destination IP addresses. len 41. forward TCP src=56259. g=10.5. ack=5056452141.25).5.4.25. d=192. dst=56259. seq=1588224466.1.5.4.25).24.5 (Serial0/0/0.168. seq=5056452141.1. ESM: 0 messages dropped Trap logging: level informational. dst=23.25).5 (Serial0/1/0. 55 message lines logged Log Buffer (4096 bytes): IP: s=192.168. forward TCP src=23.CCIE SECURITY v4 Lab Workbook Monitor logging: level debugging.24).5.4 (Serial0/1/0.168.168. filtering disabled Buffer logging: level debugging. 0 messages logged. d=192.4. d=192. len 41.

Lab 1.58. GET VPN COOP (PKI)

Lab Setup
 R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
 R2's G0/1 and R5's F0/0 interface should be configured in VLAN 25
 R2's S0/1/0 and R6's S0/1/0 interface should be configured in a frame-relay point-to-point manner.
 R2's S0/1/0 and R4's S0/0/0 interface should be configured in a frame-relay point-to-point manner.
 Configure Telnet on all routers using password "cisco"
 Configure RIP version 2 dynamic routing on all routers (all directly connected interfaces).

IP Addressing
Device   Interface   IP address
R1       F0/0        10.1.12.1/24
         Lo0         1.1.1.1/24
R2       G0/0        10.1.12.2/24
         G0/1        10.1.25.2/24
         S0/1/0.26   10.1.26.2/24
         S0/1/0.24   10.1.24.2/24
R4       S0/0/0.42   10.1.24.4/24
         Lo0         192.168.4.4/24
R5       F0/0        10.1.25.5/24
         Lo0         5.5.5.5/24
R6       S0/1/0.62   10.1.26.6/24
         Lo0         192.168.6.6/24

Task 1
Configure NTP server with MD5 authentication (cisco123) and CA server on R1. It will be used for enrolling certificates for GET VPN Group Members. Configure GET VPN solution for traffic going between 192.168.0.0/16 networks (LANs behind R6 and R4). R1 and R5 must be used as Key Servers and R6 and R4 are Group Members. Enable COOP protocol and ensure that R1 becomes Primary KS.

Use the following parameters for KS configuration:
Group name: GETVPN
Identity: 1
Primary KS IP address: 1.1.1.1
Secondary KS IP address: 5.5.5.5
Rekey: Unicast, 3 retransmits every 10 seconds, Lifetime 400 seconds, RSA key name KS-KEYS
Authorization: Only R6 and R4 GM routers
IPSec SA: Time-based anti replay window 64

Policy: 192.168.0.0/16, do not encrypt GDOI
Encryption: AES-128
Integrity: SHA
ISAKMP Policy
Authentication: Certificates
Encryption: DES
Hashing: SHA
Do not encrypt TELNET traffic between 192.168.4.0/24 and 192.168.6.0/24 networks. This exception must be configured on GMs.

When designing and deploying a GET VPN solution it is obvious that the Key Server is the most important component, as it creates and maintains the security policy for all GMs. If the KS is down, a new TEK cannot be delivered to the GMs on time, and when the TEK's lifetime is over the GMs start dropping packets. To address that issue, more KS servers should be deployed. However, it is not enough to just set up another KS, as it would give out a different TEK to its members. Thus, members of one KS couldn't send packets to members of the second KS.

To resolve that issue, Cisco developed a new protocol called COOP (COOPerative KS protocol). This protocol is designed to synchronize both KSes in terms of GM info, keys (TEK, KEK), policy (ACL) and pseudotime (for Time-based anti-replay protection). Although all Key Servers accept registrations from GMs, only one KS will be responsible for the rekey operation. This KS is called the Primary KS. The Primary KS is decided through an election process among all the co-operative Key Servers. In order to aid this process a priority number should be configured in each KS. If more than one Key Server has the same highest priority, then the one with the highest IP address will be selected. The election process will be repeated whenever the existing primary KS goes down. It should be noted that when a new KS joins the group, the election process will not be triggered even if the new KS has a higher priority than the existing primary.

Configuration
Complete these steps:
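As an added illustration of the election rules just described (a constructed model, not Cisco's COOP implementation and not code from the workbook), the following Python snippet replays them for this lab's two key servers; the KeyServer class and the elect_primary/coop_timeline helpers are assumed names for the model.

```python
"""Constructed model of the COOP primary-KS election rules described above.

Added illustration, not Cisco code: the priorities, addresses and outage
sequence are the lab's values; the helper names are assumptions of the model.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class KeyServer:
    address: str
    priority: int          # 1-255, IOS default 1 ("local priority")
    alive: bool = True


def elect_primary(servers, current_primary=None):
    """Return the address of the primary KS after one election round.

    Rules from the text: the highest priority wins, a tie goes to the
    highest IP address, and a live primary is never pre-empted, even by a
    newly joined KS with a higher priority.
    """
    alive = [ks for ks in servers if ks.alive]
    if not alive:
        return None
    if current_primary in {ks.address for ks in alive}:
        return current_primary        # primary still up: no election
    winner = max(alive, key=lambda ks: (ks.priority,
                                        int(ipaddress.IPv4Address(ks.address))))
    return winner.address


def coop_timeline():
    """Replay the lab: R1 (priority 100) and R5 (priority 50), then an R1 outage.

    Returns the primary chosen at each step.
    """
    r1 = KeyServer("1.1.1.1", 100)
    r5 = KeyServer("5.5.5.5", 50)
    group = [r1, r5]
    steps = []
    primary = elect_primary(group)             # initial election: R1 wins
    steps.append(primary)
    r1.alive = False                           # R1 fails: R5 re-elects itself
    primary = elect_primary(group, primary)
    steps.append(primary)
    r1.alive = True                            # R1 returns: higher priority, no preemption
    primary = elect_primary(group, primary)
    steps.append(primary)
    return steps


if __name__ == "__main__":
    print(coop_timeline())
    # Tie-break: equal priorities, the higher address wins
    print(elect_primary([KeyServer("1.1.1.1", 1), KeyServer("5.5.5.5", 1)]))
```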

Step 1
Configure R1 as NTP server.

R1(config)#ntp master 4
R1(config)#ntp authentication-key 1 md5 cisco123
R1(config)#ntp trusted-key 1
R1(config)#ntp authenticate
R1(config)#do sh ntp status
Clock is synchronized, stratum 4, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CEA9949F.DC28907D (20:42:07.859 UTC Sat Nov 14 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 187.02 msec, peer dispersion is 0.02 msec
R1(config)#do sh ntp asso
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      .LOCL.          3    10    16   77     0.0    0.000   187.72
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Step 2
Configure R5 as NTP client to R1.

R5(config)#ntp authentication-key 1 md5 cisco123
R5(config)#ntp trusted-key 1
R5(config)#ntp authenticate
R5(config)#ntp server 10.1.12.1 key 1

Step 3
Configure R4 as NTP client to R1.

R4(config)#ntp authentication-key 1 md5 cisco123
R4(config)#ntp trusted-key 1
R4(config)#ntp authenticate
R4(config)#ntp server 10.1.12.1 key 1

Step 4
Configure R6 as NTP client to R1.

R6(config)#ntp authentication-key 1 md5 cisco123
R6(config)#ntp trusted-key 1
R6(config)#ntp authenticate
R6(config)#ntp server 10.1.12.1 key 1

Step 5
Configure CA and KS on R1.

R1 must have RSA keys configured for Rekey authentication. However, when there is more than one KS in the network, all KSes must look the same to all GMs. Hence, we need to have the same RSA keys on both KSes. Keep in mind that you need to mark the new RSA keys as "exportable" to be able to export them and import them on another KS.

R1(config)#ip domain-name micronicstraining.com
R1(config)#crypto key generate rsa mod 1024 label KS-KEYS exportable
The name for the keys will be: KS-KEYS
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip http server
R1(config)#crypto pki server IOS-CA
R1(cs-server)#database url nvram:
% Server database url was changed. You need to move the
% existing database to the new location.
R1(cs-server)#database level minimum
R1(cs-server)#grant auto
R1(cs-server)#
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R1(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
R1(cs-server)#
%PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#crypto ca trustpoint R1-IOS-CA
R1(ca-trustpoint)# enrollment url http://10.1.12.1:80
R1(ca-trustpoint)# revocation-check none
R1(ca-trustpoint)#exi

R1(config)#cry ca auth R1-IOS-CA
Certificate has the following attributes:
Fingerprint MD5: 4C94A45D 5200C2CF 99D4804C 34C1F733
Fingerprint SHA1: BDE3C493 3A9A0B17 9A0AA601 3C7819DB 96F4220C
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#cry ca enr R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R1.micronicstraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.
R1(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: E37524AF 52D5C9E7 AE626E90 C113B2F7
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 424B180D C8858DB2 CE02D530 1D29388E B7759993
R1(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

Configure RSA-SIG authentication for ISAKMP.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)# authentication rsa-sig
R1(config-isakmp)#exi
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exi

R1(config)#crypto ipsec profile GETVPN-PROF
R1(ipsec-profile)# set transform-set TSET
R1(ipsec-profile)#exi
R1(config)#ip access-list standard GM-LIST
R1(config-std-nacl)# permit 10.1.26.6
R1(config-std-nacl)# permit 10.1.24.4
R1(config-std-nacl)#exi
R1(config)#ip access-list extended LAN-LIST
R1(config-ext-nacl)# deny udp any eq 848 any eq 848
R1(config-ext-nacl)# permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config-ext-nacl)#exi
R1(config)#crypto gdoi group GETVPN
R1(config-gdoi-group)# identity number 1
R1(config-gdoi-group)# server local
R1(gdoi-local-server)# rekey lifetime seconds 400
R1(gdoi-local-server)# rekey retransmit 10 number 3
R1(gdoi-local-server)# rekey authentication mypubkey rsa KS-KEYS
R1(gdoi-local-server)# rekey transport unicast
R1(gdoi-local-server)# authorization address ipv4 GM-LIST
R1(gdoi-local-server)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R1(gdoi-local-server)#
%GDOI-5-KS_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
R1(gdoi-local-server)# sa ipsec 1
R1(gdoi-sa-ipsec)# profile GETVPN-PROF
R1(gdoi-sa-ipsec)# match address ipv4 LAN-LIST
R1(gdoi-sa-ipsec)# replay counter window-size 64
R1(gdoi-sa-ipsec)#exi
R1(gdoi-local-server)# address ipv4 1.1.1.1

Here's the COOP configuration. We need to specify the priority of the KS (1-255, default is 1); the KS with the higher priority wins. We also need to specify the peer, which is the other KS. This IP address must be reachable on the network.

R1(gdoi-local-server)# redundancy
R1(gdoi-coop-ks-config)# local priority 100
R1(gdoi-coop-ks-config)# peer address ipv4 5.5.5.5
R1(gdoi-coop-ks-config)#
%GDOI-5-COOP_KS_ADD: 5.5.5.5 added as COOP Key Server in group GETVPN.
R1(gdoi-coop-ks-config)#exi
R1(gdoi-local-server)#exi
R1(config-gdoi-group)#exi

Export the RSA keys so that they can be used on the second KS.

R1(config)#crypto key export rsa KS-KEYS pem terminal 3des cisco123
% Key name: KS-KEYS
   Usage: General Purpose Key
   Key data:
[PEM public key and 3DES-encrypted private key blocks omitted]

Step 6
Configure R5 as secondary KS.

As the RSA keys for Rekey must be the same, you must first import KS-KEYS on R5.

R5(config)#crypto key import rsa KS-KEYS pem exportable terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
[public key block exported from R1 pasted here]

% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
[encrypted private key block exported from R1 pasted here]
quit
% Key pair import succeeded.
R5(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#ip domain-name micronicstraining.com
R5(config)#crypto ca trustpoint R1-IOS-CA
R5(ca-trustpoint)# enrollment url http://10.1.12.1:80
R5(ca-trustpoint)# revocation-check none
R5(ca-trustpoint)#exi
R5(config)#cry ca auth R1-IOS-CA
Certificate has the following attributes:
Fingerprint MD5: 4C94A45D 5200C2CF 99D4804C 34C1F733
Fingerprint SHA1: BDE3C493 3A9A0B17 9A0AA601 3C7819DB 96F4220C
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R5(config)#cry ca enr R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.

   Please make a note of it.
Password:
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R5.micronicstraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.
R5(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: B9ED0BDD 1450D537 91494EAD 94409D25
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 40380C2E F606F036 A678EAA9 1989B2AB 32EF79B1
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R5(config)#crypto isakmp policy 10
R5(config-isakmp)# authentication rsa-sig
R5(config-isakmp)#exi
R5(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
R5(cfg-crypto-trans)#exi
R5(config)#crypto ipsec profile GETVPN-PROF
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi
R5(config)#ip access-list standard GM-LIST
R5(config-std-nacl)# permit 10.1.26.6
R5(config-std-nacl)# permit 10.1.24.4
R5(config-std-nacl)#exi
R5(config)#ip access-list extended LAN-LIST
R5(config-ext-nacl)# deny udp any eq 848 any eq 848
R5(config-ext-nacl)# permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R5(config-ext-nacl)#exi
R5(config)#crypto gdoi group GETVPN
R5(config-gdoi-group)# identity number 1
R5(config-gdoi-group)# server local
R5(gdoi-local-server)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON

R5(gdoi-local-server)# rekey lifetime seconds 400
R5(gdoi-local-server)# rekey retransmit 10 number 3
R5(gdoi-local-server)# rekey authentication mypubkey rsa KS-KEYS
R5(gdoi-local-server)# rekey transport unicast
R5(gdoi-local-server)# authorization address ipv4 GM-LIST
R5(gdoi-local-server)#
%GDOI-5-KS_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
R5(gdoi-local-server)# sa ipsec 1
R5(gdoi-sa-ipsec)# profile GETVPN-PROF
R5(gdoi-sa-ipsec)# match address ipv4 LAN-LIST
R5(gdoi-sa-ipsec)# replay counter window-size 64
R5(gdoi-sa-ipsec)#exi
R5(gdoi-local-server)# address ipv4 5.5.5.5
R5(gdoi-local-server)#
%GDOI-4-COOP_KS_UNAUTH: Contact from unauthorized KS 1.1.1.1 in group GETVPN at local address 5.5.5.5 (Possible MISCONFIG of peer/local address)

There is no COOP configuration on R5 yet, so this message is displayed.

COOP configuration on R5: this KS has the lower priority, so it will become the Secondary KS.

R5(gdoi-local-server)# redundancy
R5(gdoi-coop-ks-config)# local priority 50
R5(gdoi-coop-ks-config)# peer address ipv4 1.1.1.1
R5(gdoi-coop-ks-config)#
%GDOI-5-COOP_KS_ADD: 1.1.1.1 added as COOP Key Server in group GETVPN.
%GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN (Previous Primary = NONE)
R5(gdoi-coop-ks-config)#exi
R5(gdoi-local-server)#exi
R5(config-gdoi-group)#exi
R5(config)#
%GDOI-5-COOP_KS_TRANS_TO_PRI: KS 1.1.1.1 in group GETVPN transitioned to Primary (Previous Primary = NONE)

Note that the above message says that KS 1.1.1.1 became the Primary KS.

Step 7
Configure R6 as GM.

R6(config)#crypto ca trustpoint R1-IOS-CA
R6(ca-trustpoint)#enrollment url http://10.1.12.1:80

R6(ca-trustpoint)#revocation-check none
R6(ca-trustpoint)#exi
R6(config)#cry ca auth R1-IOS-CA
Certificate has the following attributes:
Fingerprint MD5: 4C94A45D 5200C2CF 99D4804C 34C1F733
Fingerprint SHA1: BDE3C493 3A9A0B17 9A0AA601 3C7819DB 96F4220C
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R6(config)#cry ca enr R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
RSA key size needs to be atleast 768 bits for ssh version 2
%SSH-5-ENABLED: SSH 1.5 has been enabled
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R6
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.
R6(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: 5EBA522C FFA2108C 7ACEB4AD 28F16066
CRYPTO_PKI: Certificate Request Fingerprint SHA1: E10B1672 6EC20657 169EC6D1 109F612E 64BD8EE0
R6(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R6(config)#crypto isakmp policy 10
R6(config-isakmp)# authentication rsa-sig
R6(config-isakmp)#exi
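Before the GM crypto map is built in the following steps, here is an added illustration (a constructed model, not IOS code and not from the workbook) of how a GM combines its local DO-NOT-ENCRYPT ACL, which IOS restricts to deny entries, with the LAN-LIST policy downloaded from the KS: the local ACL is checked first, then the KS ACL, and traffic matching no permit is forwarded in clear. The ACE strings are the ones configured in this lab; the sample packets and the helper names (parse_ace, gm_disposition, lab_dispositions) are constructed.

```python
"""Constructed model of GET VPN policy evaluation on a group member.

Added illustration, not IOS code: the GM's local crypto-map ACL (deny entries
only) is evaluated before the KS-downloaded ACL; a packet matching no permit
leaves the interface unencrypted. ACE strings are this lab's configuration.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22}


def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i], then an optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
        netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)   # IOS wildcard -> netmask
        net, i = ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return net, port, i


def parse_ace(line):
    """Turn one IOS extended ACE ('deny tcp A WC eq telnet B WC') into a dict."""
    t = line.split()
    src, sport, i = _parse_endpoint(t, 2)
    dst, dport, _ = _parse_endpoint(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if pkt["src"] not in ace["src"] or pkt["dst"] not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        return False
    return True


def gm_disposition(local_acl, ks_acl, pkt):
    """Return 'clear' or 'encrypt' for a packet leaving the GM's crypto-map interface."""
    for ace in local_acl:                       # GM ACL first; deny entries only
        if ace["action"] != "deny":
            raise ValueError("GM local ACL may only contain deny entries")
        if _matches(ace, pkt):
            return "clear"
    for ace in ks_acl:                          # KS policy next, first match wins
        if _matches(ace, pkt):
            return "encrypt" if ace["action"] == "permit" else "clear"
    return "clear"                              # implicit deny: not protected traffic


def packet(src, dst, proto, sport=None, dport=None):
    """Constructed packet header; ports are None for non-TCP/UDP traffic."""
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "sport": sport, "dport": dport}


# ACLs exactly as configured in this lab (KS LAN-LIST, GM DO-NOT-ENCRYPT)
LAN_LIST = [parse_ace(line) for line in (
    "deny udp any eq 848 any eq 848",
    "permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
)]
DO_NOT_ENCRYPT = [parse_ace(line) for line in (
    "deny tcp 192.168.4.0 0.0.0.255 eq telnet 192.168.6.0 0.0.0.255",
    "deny tcp 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255 eq telnet",
    "deny tcp 192.168.6.0 0.0.0.255 eq telnet 192.168.4.0 0.0.0.255",
    "deny tcp 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255 eq telnet",
)]


def lab_dispositions():
    """Classify constructed sample packets; returns {label: 'clear' | 'encrypt'}."""
    samples = {
        "telnet R6-lo0 -> R4-lo0": packet("192.168.6.6", "192.168.4.4", "tcp", 40000, 23),
        "telnet reply R4-lo0 -> R6-lo0": packet("192.168.4.4", "192.168.6.6", "tcp", 23, 40000),
        "ping R6-lo0 -> R4-lo0": packet("192.168.6.6", "192.168.4.4", "icmp"),
        "ssh R6-lo0 -> R4-lo0": packet("192.168.6.6", "192.168.4.4", "tcp", 40001, 22),
        # GDOI registration/rekey: the KS deny keeps it in clear even if the
        # KS and GM addresses ever fell inside the permitted 192.168.0.0/16 range
        "GDOI udp/848 R6 -> KS": packet("10.1.26.6", "1.1.1.1", "udp", 848, 848),
        "WAN ping 10.1.26.6 -> 10.1.24.4": packet("10.1.26.6", "10.1.24.4", "icmp"),
    }
    return {k: gm_disposition(DO_NOT_ENCRYPT, LAN_LIST, p) for k, p in samples.items()}


if __name__ == "__main__":
    for label, result in lab_dispositions().items():
        print(f"{label:36} {result}")
```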

R6(config)#crypto gdoi group GETVPN
R6(config-gdoi-group)# identity number 1
R6(config-gdoi-group)# server address ipv4 1.1.1.1
R6(config-gdoi-group)# server address ipv4 5.5.5.5
R6(config-gdoi-group)#exi
R6(config)#ip access-list extended DO-NOT-ENCRYPT
R6(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 eq telnet 192.168.6.0 0.0.0.255
R6(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255 eq telnet
R6(config-ext-nacl)#deny tcp 192.168.6.0 0.0.0.255 eq telnet 192.168.4.0 0.0.0.255
R6(config-ext-nacl)#deny tcp 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255 eq telnet
R6(config-ext-nacl)#exi
R6(config)#crypto map CMAP-GETVPN 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
R6(config-crypto-map)# set group GETVPN
R6(config-crypto-map)# match address DO-NOT-ENCRYPT
R6(config-crypto-map)#exi
R6(config)#int s0/1/0.62
R6(config-subif)#crypto map CMAP-GETVPN
R6(config-subif)#
%CRYPTO-5-GM_REGSTER: Start registration to KS 1.1.1.1 for group GETVPN using address 10.1.26.6
R6(config-subif)#exi
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R6(config)#
%GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
%GDOI-5-GM_REGS_COMPL: Registration to KS 1.1.1.1 complete for group GETVPN using address 10.1.26.6

The GM has successfully registered to the Primary KS.

Step 8
Configure R4 as GM.

R4(config)#crypto ca trustpoint R1-IOS-CA
R4(ca-trustpoint)#enrollment url http://10.1.12.1:80
R4(ca-trustpoint)#revocation-check none
R4(ca-trustpoint)#exi
R4(config)#cry ca auth R1-IOS-CA
Certificate has the following attributes:
Fingerprint MD5: 4C94A45D 5200C2CF 99D4804C 34C1F733
Fingerprint SHA1: BDE3C493 3A9A0B17 9A0AA601 3C7819DB

96F4220C
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R4(config)#cry ca enr R1-IOS-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
RSA key size needs to be atleast 768 bits for ssh version 2
%SSH-5-ENABLED: SSH 1.5 has been enabled
%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R4
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-IOS-CA verbose' command will show the fingerprint.
R4(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: 4F88B593 4469B0CE 91C579DB D454D96A
CRYPTO_PKI: Certificate Request Fingerprint SHA1: A3A48B4C EC2BE242 50EF7B22 31ED7CEB EE5744AA
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R4(config)#crypto isakmp policy 10
R4(config-isakmp)# authentication rsa-sig
R4(config-isakmp)#exi
R4(config)#crypto gdoi group GETVPN
R4(config-gdoi-group)# identity number 1
R4(config-gdoi-group)# server address ipv4 1.1.1.1
R4(config-gdoi-group)# server address ipv4 5.5.5.5
R4(config-gdoi-group)#exi
R4(config)#ip access-list extended DO-NOT-ENCRYPT

R4(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 eq telnet 192.168.6.0 0.0.0.255
R4(config-ext-nacl)#deny tcp 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255 eq telnet
R4(config-ext-nacl)#deny tcp 192.168.6.0 0.0.0.255 eq telnet 192.168.4.0 0.0.0.255
R4(config-ext-nacl)#deny tcp 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255 eq telnet
R4(config-ext-nacl)#exi
R4(config)#crypto map CMAP-GETVPN 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid group has been configured.
R4(config-crypto-map)# set group GETVPN
R4(config-crypto-map)# match address DO-NOT-ENCRYPT
R4(config-crypto-map)#exi
R4(config)#int s0/0/0.42
R4(config-subif)#crypto map CMAP-GETVPN
R4(config-subif)#
%CRYPTO-5-GM_REGSTER: Start registration to KS 1.1.1.1 for group GETVPN using address 10.1.24.4
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R4(config-subif)#exi
%GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN transitioned to Unicast Rekey.
%GDOI-5-GM_REGS_COMPL: Registration to KS 1.1.1.1 complete for group GETVPN using address 10.1.24.4

The GM has successfully registered to the Primary KS.

Verification

R1#sh crypto gdoi ks
Total group members registered to this box: 2
Key Server Information For Group GETVPN:
    Group Name               : GETVPN
    Group Identity           : 1
    Group Members            : 2
    IPSec SA Direction       : Both
    ACL Configured:
        access-list LAN-LIST
    Redundancy               : Configured
        Local Address        : 1.1.1.1
        Local Priority       : 100
        Local KS Status      : Alive

        Local KS Role        : Primary

R1#sh crypto gdoi ks coop
Crypto Gdoi Group Name :GETVPN
    Group handle: 2147483650, Local Key Server handle: 2147483650
    Local Address: 1.1.1.1
    Local Priority: 100
    Local KS Role: Primary , Local KS Status: Alive
    Primary Timers:
        Primary Refresh Policy Time: 20
        Remaining Time: 10
        Antireplay Sequence Number: 9
    Peer Sessions:
    Session 1:
        Server handle: 2147483651
        Peer Address: 5.5.5.5
        Peer Priority: 50
        Peer KS Role: Secondary , Peer KS Status: Alive
        Antireplay Sequence Number: 3
        IKE status: Established
        Counters:
            Ann msgs sent: 7
            Ann msgs sent with reply request: 1
            Ann msgs recv: 1
            Ann msgs recv with reply request: 1
            Packet sent drops: 1
            Packet Recv drops: 0
            Total bytes sent: 3713
            Total bytes recv: 591

Note that COOP leverages the ISAKMP SA to securely transfer all information. Hence, when you use PSK for authentication you must remember to configure a pre-shared key for the peer KS as well.

R1#sh crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group GETVPN : 1
Group Member ID    : 10.1.24.4
 Group ID          : 1
 Group Name        : GETVPN
 Key Server ID     : 1.1.1.1
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0

5 (handle: 2147483651): R1#sh crypto gdoi ks rekey Group GETVPN (Unicast) Number of Rekeys sent : 1 Number of Rekeys retransmitted : 0 KEK rekey lifetime (sec) : 400 Remaining lifetime (sec) Retransmit period : 284 : 10 Page 796 of 1033 .1.26.1.CCIE SECURITY v4 Lab Workbook Rekey Acks missed : 0 Sent seq num : 0 0 0 0 Rcvd seq num : 0 0 0 0 Group Member ID : 10.1 Rekeys sent : 0 Rekeys retries : 0 Rekey Acks Rcvd : 0 Rekey Acks missed : 0 Sent seq num : 0 0 0 0 Rcvd seq num : 0 0 0 0 R1#sh crypto gdoi ks policy Key Server Policy: For group GETVPN (handle: 2147483650) server 1.1.1 (handle: 2147483650): # of teks : 1 Seq num : 0 KEK POLICY (transport type : Unicast) spi : 0x3A67598E27379BA8F7613793A7A03C2F management alg : disabled encrypt alg : 3DES crypto iv length : 8 key size : 24 orig life(sec): 400 remaining life(sec): 294 sig hash algorithm : enabled sig size : 128 sig key name : KS-KEYS sig key length : 162 TEK POLICY (encaps : ENCAPS_TUNNEL) spi : 0xA175D05E access-list : LAN-LIST # of transforms : 0 transform : ESP_AES hmac alg : HMAC_AUTH_SHA alg key size : 16 sig key size : 20 orig life(sec) : 3600 remaining life(sec) : 3495 tek life(sec) : 3600 elapsed time(sec) : 105 antireplay window size: 64 For group GETVPN (handle: 2147483650) server 5.5.5.6 Group ID : 1 Group Name : GETVPN Key Server ID : 1.1.1.

Number of retransmissions : 3
IPSec SA 1 lifetime (sec) : 3600
Remaining lifetime (sec)  : 3485

R1#sh crypto gdoi ks replay
Anti-replay Information For Group GETVPN:
    Timebased Replay: is not enabled

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         10.1.24.4       GDOI_IDLE         1007 ACTIVE
1.1.1.1         10.1.26.6       GDOI_IDLE         1006 ACTIVE
5.5.5.5         1.1.1.1         GDOI_IDLE         1005 ACTIVE

IPv6 Crypto ISAKMP SA

See the additional ISAKMP SA between the KSes.

R1#sh crypto ipsec sa
No SAs found
R1#sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-CA
  Subject:
    Name: R1.micronicstraining.com
    hostname=R1.micronicstraining.com
  Validity Date:
    start date: 04:58:59 UTC Jul 31 2010
    end   date: 04:58:59 UTC Jul 31 2011
  Associated Trustpoints: R1-IOS-CA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=IOS-CA
  Subject:
    cn=IOS-CA
  Validity Date:

    start date: 04:57:49 UTC Jul 31 2010
    end   date: 04:57:49 UTC Jul 30 2013
  Associated Trustpoints: R1-IOS-CA IOS-CA

R5#sh crypto gdoi ks
Total group members registered to this box: 2
Key Server Information For Group GETVPN:
    Group Name               : GETVPN
    Group Identity           : 1
    Group Members            : 2
    IPSec SA Direction       : Both
    ACL Configured:
        access-list LAN-LIST
    Redundancy               : Configured
        Local Address        : 5.5.5.5
        Local Priority       : 50
        Local KS Status      : Alive
        Local KS Role        : Secondary

Note that the secondary KS has 2 members registered! This information has been sent from the Primary KS; no GMs have registered directly to that KS.

R5#sh crypto gdoi ks coop
Crypto Gdoi Group Name :GETVPN
    Group handle: 2147483650, Local Key Server handle: 2147483650
    Local Address: 5.5.5.5
    Local Priority: 50
    Local KS Role: Secondary , Local KS Status: Alive
    Secondary Timers:
        Sec Primary Periodic Time: 30
        Remaining Time: 28, Retries: 0
        Invalid ANN PST recvd: 0
        New GM Temporary Blocking Enforced?: No
        Antireplay Sequence Number: 4
    Peer Sessions:
    Session 1:
        Server handle: 2147483651
        Peer Address: 1.1.1.1
        Peer Priority: 100
        Peer KS Role: Primary , Peer KS Status: Alive
        Antireplay Sequence Number: 12
        IKE status: Established
        Counters:
            Ann msgs sent: 1

1.6 Group ID : 1 Group Name : GETVPN Key Server ID : 1.1.1.1 Rekeys sent : 0 Rekeys retries : 0 Rekey Acks Rcvd : 0 Rekey Acks missed : 0 Sent seq num : 0 0 0 0 Rcvd seq num : 0 0 0 0 Group Member ID : 10.26.24.1.1.CCIE SECURITY v4 Lab Workbook Ann msgs sent with reply request: 1 Ann msgs recv: 11 Ann msgs recv with reply request: 1 Packet sent drops: 2 Packet Recv drops: 0 Total bytes sent: 591 Total bytes recv: 5821 R5#sh crypto gdoi ks members Group Member Information : Number of rekeys sent for group GETVPN : 0 Group Member ID : 10.4 Group ID : 1 Group Name : GETVPN Key Server ID : 1.1 Rekeys sent : 0 Rekeys retries : 0 Rekey Acks Rcvd : 0 Rekey Acks missed : 0 Sent seq num : 0 0 0 0 Rcvd seq num : 0 0 0 0 R5#sh crypto gdoi ks replay Anti-replay Information For Group GETVPN: Timebased Replay: is not enabled R5#sh crypto gdoi ks rekey Group GETVPN (Unicast) Number of Rekeys sent : 0 Number of Rekeys retransmitted : 0 KEK rekey lifetime (sec) : 400 Remaining lifetime (sec) : 222 Page 799 of 1033 .1.

R5#sh crypto gdoi group GETVPN Group Name : GETVPN (Unicast) Group Identity : 1 Group Members : 2 IPSec SA Direction : Both Active Group Server : Local Redundancy : Configured Local Address : 5.5.5 (handle: 2147483650): For group GETVPN (handle: 2147483650) server 1.5.1.5.5.1.1 (handle: 2147483651): # of teks : 1 Seq num : 0 KEK POLICY (transport type : Unicast) spi : 0x3A67598E27379BA8F7613793A7A03C2F management alg : disabled encrypt alg : 3DES crypto iv length : 8 key size : 24 orig life(sec): 400 remaining life(sec): 215 sig hash algorithm : enabled sig size : 128 sig key name : KS-KEYS sig key length : 162 TEK POLICY (encaps : ENCAPS_TUNNEL) spi : 0xA175D05E access-list : LAN-LIST # of transforms : 0 transform : ESP_AES hmac alg : HMAC_AUTH_SHA alg key size : 16 sig key size : 20 orig life(sec) : 3600 remaining life(sec) : 3416 tek life(sec) : 3600 elapsed time(sec) : 184 antireplay window size: 64 Compare the policy on the Secondary KS – it is exactly the same as it is on the Primary KS.CCIE SECURITY v4 Lab Workbook Retransmit period : 10 Number of retransmissions : 3 IPSec SA 1 : 3600 lifetime (sec) Remaining lifetime (sec) : 3423 R5#sh crypto gdoi ks policy Key Server Policy: For group GETVPN (handle: 2147483650) server 5.5 Local Priority : 50 Local KS Status : Alive Local KS Role : Secondary Group Rekey Lifetime : 400 secs Group Rekey Remaining Lifetime Rekey Retransmit Period : 207 secs : 10 secs Rekey Retransmit Attempts: 3 Page 800 of 1033 .

5.1. R5#sh crypto ipsec sa No SAs found R5#sh crypto ca certificates Certificate Status: Available Certificate Serial Number (hex): 03 Certificate Usage: General Purpose Issuer: cn=IOS-CA Subject: Name: R5.micronicstraining.1.1.5.6 GDOI_IDLE 1003 ACTIVE IPv6 Crypto ISAKMP SA See that Secondary KS has ISAKMP SA for every GM.5.5.1.5 1.24.CCIE SECURITY v4 Lab Workbook Group Retransmit Remaining Lifetime IPSec SA Number : 0 secs : 1 IPSec SA Rekey Lifetime: 3600 secs Profile Name : GETVPN-PROF Replay method : Count Based Replay Window Size : 64 SA Rekey Remaining Lifetime ACL Configured Group Server list : 3408 secs : access-list LAN-LIST : Local R5#sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state 5.5 10.5 10.1 GDOI_IDLE 1002 ACTIVE 5.com hostname=R5.26.5.5.4 GDOI_IDLE conn-id status 1004 ACTIVE 5.com Validity Date: start date: 05:01:24 UTC Jul 31 2010 end date: 05:01:24 UTC Jul 31 2011 Associated Trustpoints: R1-IOS-CA CA Certificate Status: Available Certificate Serial Number (hex): 01 Certificate Usage: Signature Page 801 of 1033 .micronicstraining.
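A scripted form of the comparison just made between the Primary and Secondary KS policy, as an added example that is not part of the workbook: the script parses "show crypto gdoi ks policy" output captured from each key server and lists every stable policy field that differs (KEK and TEK SPIs, algorithms, key sizes, lifetimes), ignoring the fields that change every second. The two sample outputs are constructed for this example (field names follow the IOS output above, values are illustrative), and the parser assumes the "name : value" layout with up to two pairs per line.

```python
"""Check that a secondary (COOP) GETVPN key server carries the same KEK/TEK policy as the
primary, by parsing 'show crypto gdoi ks policy' output captured from each server.

Added example, not from the workbook. The sample outputs are constructed: field names follow
the IOS output shown in the lab, the values are only illustrative.
"""
import re
from typing import Dict, List, Tuple

# One 'name : value' pair; IOS prints up to two pairs per line, so we search repeatedly.
PAIR_RE = re.compile(r"([A-Za-z#][A-Za-z0-9 #()/-]*?)\s*:\s*(\S+)")

# Fields that tick down every second and must not count as policy drift.
VOLATILE = {"remaining life(sec)", "elapsed time(sec)"}

# Constructed sample: policy as shown on the primary KS.
PRIMARY_KS_POLICY = """\
Key Server Policy:
For group GETVPN (handle: 2147483650) server 1.1.1.1 (handle: 2147483650):
  # of teks : 1  Seq num : 0
  KEK POLICY (transport type : Unicast)
    spi : 0x3A67598E27379BA8F7613793A7A03C2F
    management alg     : disabled    encrypt alg         : 3DES
    crypto iv length   : 8           key size            : 24
    orig life(sec): 400              remaining life(sec): 215
    sig hash algorithm : enabled     sig key length      : 162
    sig size           : 128         sig key name        : KS-KEYS
  TEK POLICY (encaps : ENCAPS_TUNNEL)
    spi                : 0xA175D05E
    access-list        : LAN-LIST
    transform          : ESP_AES
    hmac alg           : HMAC_AUTH_SHA
    alg key size       : 16          sig key size        : 20
    orig life(sec)     : 3600        remaining life(sec) : 3416
    tek life(sec)      : 3600        elapsed time(sec)   : 184
    antireplay window size: 64
"""

# Constructed sample: the same policy seen a few seconds later on the secondary KS.
SECONDARY_KS_POLICY = (
    PRIMARY_KS_POLICY.replace("server 1.1.1.1 (handle: 2147483650)", "server 5.5.5.5 (handle: 2147483650)")
    .replace("remaining life(sec): 215", "remaining life(sec): 207")
    .replace("remaining life(sec) : 3416", "remaining life(sec) : 3408")
    .replace("elapsed time(sec)   : 184", "elapsed time(sec)   : 192")
)

# Constructed sample: a secondary whose TEK SPI does not match the primary (real drift).
DRIFTED_KS_POLICY = SECONDARY_KS_POLICY.replace("spi                : 0xA175D05E", "spi                : 0xDEADBEEF")


def parse_ks_policy(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'KEK': {field: value}, 'TEK': {field: value}} from 'show crypto gdoi ks policy' text."""
    policy: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("KEK POLICY") or line.startswith("TEK POLICY"):
            section = line[:3]
            policy[section] = {}
            continue
        if section is None:  # header lines before the first policy block
            continue
        for name, value in PAIR_RE.findall(line):
            policy[section][name.strip()] = value
    return policy


def compare_policies(primary: str, secondary: str) -> List[Tuple[str, str, str, str]]:
    """List (section, field, primary value, secondary value) for every stable field that differs
    or exists on only one server. An empty list means the secondary mirrors the primary."""
    p, s = parse_ks_policy(primary), parse_ks_policy(secondary)
    diffs: List[Tuple[str, str, str, str]] = []
    for section in sorted(set(p) | set(s)):
        pf, sf = p.get(section, {}), s.get(section, {})
        for field in sorted(set(pf) | set(sf)):
            if field not in VOLATILE and pf.get(field) != sf.get(field):
                diffs.append((section, field, pf.get(field, "<missing>"), sf.get(field, "<missing>")))
    return diffs


if __name__ == "__main__":
    for label, secondary in (("in sync", SECONDARY_KS_POLICY), ("drifted", DRIFTED_KS_POLICY)):
        diffs = compare_policies(PRIMARY_KS_POLICY, secondary)
        print(f"{label}: {'policies match' if not diffs else diffs}")
```

Feed it the two captures from a real pair of key servers and any non-empty result means a GM registered to the secondary would receive a different KEK or TEK than the rest of the group, which is exactly the condition the manual comparison above is meant to rule out.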

Issuer:
cn=IOS-CA
Subject:
cn=IOS-CA
Validity Date:
start date: 04:57:49 UTC Jul 31 2010
end date: 04:57:49 UTC Jul 30 2013
Associated Trustpoints: R1-IOS-CA

On the GM we should see that it has been registered to the Primary KS only.

R4#sh crypto gdoi gm
Group Member Information For Group GETVPN:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_GETVPN_temp_acl
Last rekey seq num : 0
Re-register Remaining time : 3206 secs
Retry Timer :NOT RUNNING

R4#sh crypto gdoi gm acl
Group Name: GETVPN
ACL Downloaded From KS 1.1.1.1:
access-list deny udp any port = 848 any port = 848
access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ACL Configured Locally:
Map Name: CMAP-GETVPN
access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 port = 23 192.168.6.0 0.0.0.255
access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255 port = 23
access-list DO-NOT-ENCRYPT deny tcp 192.168.6.0 0.0.0.255 port = 23 192.168.4.0 0.0.0.255
access-list DO-NOT-ENCRYPT deny tcp 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255 port = 23

R4#sh crypto gdoi gm rekey
Group GETVPN (Unicast)
Number of Rekeys received (cumulative) : 0
Number of Rekeys received after registration : 0
Number of Rekey Acks sent : 0

Rekey (KEK) SA information :
          dst             src             conn-id  my-cookie  his-cookie
New     : 10.1.24.4       1.1.1.1            1007  F7613793   3A67598E
Current : ---             ---                 ---  ---        ---
Previous: ---             ---                 ---  ---        ---

R4#sh crypto gdoi gm replay
Anti-replay Information For Group GETVPN:
Timebased Replay: is not enabled

R4#sh crypto gdoi group GETVPN
Group Name : GETVPN
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 1.1.1.1
Group Server list : 1.1.1.1
                    5.5.5.5
GM Reregisters in : 3187 secs
Rekey Received(hh:mm:ss) : 00:08:49
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 1.1.1.1:
access-list deny udp any port = 848 any port = 848
access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 330
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
Serial0/0/0.42:
IPsec SA:
spi: 0xA175D05E(2708852830)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (3360)
Anti-Replay : Disabled

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.24.4       1.1.1.1         GDOI_REKEY        1007 ACTIVE
1.1.1.1         10.1.24.4       GDOI_IDLE         1006 ACTIVE
5.5.5.5         10.1.24.4       GDOI_IDLE         1004 ACTIVE

IPv6 Crypto ISAKMP SA

R4 does maintain an ISAKMP SA with both the Primary and the Secondary KS. This is because in case of Primary KS failure the Secondary KS does not need to renegotiate IKE Phase 1 to send Rekey messages.

R4#sh crypto ipsec sa

interface: Serial0/0/0.42
Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
current outbound spi: 0xA175D05E(2708852830)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xA175D05E(2708852830)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: NETGX:9, sibling_flags 80000040, crypto map: CMAP-GETVPN
sa timing: remaining key lifetime (sec): (3346)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA175D05E(2708852830)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: NETGX:10, sibling_flags 80000040, crypto map: CMAP-GETVPN
sa timing: remaining key lifetime (sec): (3346)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R4#ping 192.168.6.6 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/121/124 ms

Ping works fine because RIPv2 is enabled in the network, so R2 knows about all networks.

R4#sh crypto ipsec sa | inc loca|remot|enca|deca
Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0

The counters have incremented. Let's try TELNET. It should be excluded from encryption.

R4#tel 192.168.6.6 /so lo0
Trying 192.168.6.6 ... Open

User Access Verification

Password:
R6>exit

[Connection to 192.168.6.6 closed by foreign host]

R4#sh crypto ipsec sa | inc loca|remot|enca|deca
Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0

No counters have incremented! That's good.

R4#sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number (hex): 05
Certificate Usage: General Purpose
Issuer:
cn=IOS-CA
Subject:
Name: R4
hostname=R4
Validity Date:
start date: 05:06:53 UTC Jul 31 2010
end date: 05:06:53 UTC Jul 31 2011
Associated Trustpoints: R1-IOS-CA

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=IOS-CA
Subject:
cn=IOS-CA
Validity Date:
start date: 04:57:49 UTC Jul 31 2010
end date: 04:57:49 UTC Jul 30 2013
Associated Trustpoints: R1-IOS-CA

The same bunch of commands on R6.

R6#sh crypto gdoi gm
Group Member Information For Group GETVPN:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_GETVPN_temp_acl
Last rekey seq num : 0
Re-register Remaining time : 3159 secs
Retry Timer :NOT RUNNING

R6#sh crypto gdoi gm acl
Group Name: GETVPN
ACL Downloaded From KS 1.1.1.1:
access-list deny udp any port = 848 any port = 848
access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ACL Configured Locally:
Map Name: CMAP-GETVPN
access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 port = 23 192.168.6.0 0.0.0.255
access-list DO-NOT-ENCRYPT deny tcp 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255 port = 23
access-list DO-NOT-ENCRYPT deny tcp 192.168.6.0 0.0.0.255 port = 23 192.168.4.0 0.0.0.255
access-list DO-NOT-ENCRYPT deny tcp 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255 port = 23

R6#sh crypto gdoi gm rekey
Group GETVPN (Unicast)
Number of Rekeys received (cumulative) : 0
Number of Rekeys received after registration : 0
Number of Rekey Acks sent : 0

Rekey (KEK) SA information :
          dst             src             conn-id  my-cookie  his-cookie
New     : 10.1.26.6       1.1.1.1            1007  F7613793   3A67598E
Current : ---             ---                 ---  ---        ---
Previous: ---             ---                 ---  ---        ---

R6#sh crypto gdoi group GETVPN
Group Name : GETVPN
Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 1.1.1.1
Group Server list : 1.1.1.1
                    5.5.5.5
GM Reregisters in : 3144 secs
Rekey Received(hh:mm:ss) : 00:10:37
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 1.1.1.1:
access-list deny udp any port = 848 any port = 848
access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 344
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY for the current KS-Policy ACEs Downloaded:
Serial0/1/0.62:
IPsec SA:
spi: 0xA175D05E(2708852830)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (3252)
Anti-Replay : Disabled

R6#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.26.6       1.1.1.1         GDOI_REKEY        1007 ACTIVE
1.1.1.1         10.1.26.6       GDOI_IDLE         1006 ACTIVE
5.5.5.5         10.1.26.6       GDOI_IDLE         1004 ACTIVE

IPv6 Crypto ISAKMP SA

R6#sh crypto ipsec sa

interface: Serial0/1/0.62
Crypto map tag: CMAP-GETVPN, local addr 10.1.26.6

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.26.6, remote crypto endpt.: 0.0.0.0
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.62
current outbound spi: 0xA175D05E(2708852830)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xA175D05E(2708852830)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: NETGX:9, sibling_flags 80000040, crypto map: CMAP-GETVPN
sa timing: remaining key lifetime (sec): (3240)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA175D05E(2708852830)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: NETGX:10, sibling_flags 80000040, crypto map: CMAP-GETVPN
sa timing: remaining key lifetime (sec): (3240)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Same SPI number for Inbound and Outbound. This SPI is exactly the same on every GM.

R6#sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number (hex): 04
Certificate Usage: General Purpose
Issuer:
cn=IOS-CA
Subject:
Name: R6
hostname=R6
Validity Date:
start date: 05:05:54 UTC Jul 31 2010
end date: 05:05:54 UTC Jul 31 2011
Associated Trustpoints: R1-IOS-CA

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=IOS-CA
Subject:
cn=IOS-CA
Validity Date:
start date: 04:57:49 UTC Jul 31 2010
end date: 04:57:49 UTC Jul 30 2013
Associated Trustpoints: R1-IOS-CA


Remote Access VPN


Lab 1.1. Configuring Remote Access IPSec VPN using EasyVPN (IOS to IOS)

Lab Setup
 R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
 R2's G0/1 and R4's F0/0 interface should be configured in VLAN 24
 Configure Telnet on all routers using password "cisco"
 Configure default routing on R1 and R4 pointing to the R2

IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/24
R1       F0/0        10.1.12.1/24
R2       G0/0        10.1.12.2/24
R2       G0/1        10.1.24.2/24
R4       Lo0         4.4.4.4/24
R4       F0/0        10.1.24.4/24

Task 1

Configure R4 as the EasyVPN Server. Enable AAA on the router and configure network authorization based on the local database. Use MicronicsTraining.com as a domain name. Configure the following ISAKMP and IPSec Policies:
 ISAKMP Parameters
  o Authentication: Pre-shared
  o Group: 2
  o Encryption: 3DES
 IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-MD5-HMAC

Configure an IP address pool named VPN_POOL and give out IP addresses from the range of 192.168.25.1 to 192.168.25.10. Create an ISAKMP client group of SALES and allow VPN connections for the Sales Department with the following parameters:
 Key = cisco123
 DNS address = 10.1.12.5
 WINS address = 10.1.12.6
 Domain Name = MicronicsTraining.com
 Pool = VPN_POOL

Use a dynamic crypto map and configure it to inject route information from connected VPN Clients into the routing table. Configure R1 as EasyVPN Remote and connect to the R4 using automatic Client Mode.

 Easy VPN is a Cisco way of doing Remote Access VPNs. The idea behind it is to configure the Secure Gateway (the device which terminates Remote Access VPNs) and minimize the configuration burden on the Client. This technology has been developed for the Cisco IPSec Client and so-called hardware clients, i.e. ASA 5505 or IOS routers. In EasyVPN the Client does not need to configure any ISAKMP or IPSec parameters; all those parameters are negotiated during the connection. Each client must however supply the EasyVPN Group name and password to be used for authentication and policy configuration. The policy is a bunch of attributes that may be sent down to the clients during the connection. Those attributes/parameters include DNS/WINS server, domain name, IP address pool, etc.

 Easy VPN uses IKE Aggressive mode for the connection, so that the group name is sent to the EasyVPN Server in the very first message. Because the first aggressive mode packet contains the Diffie-Hellman public value, only a single Diffie-Hellman group may be specified in the proposal. The EasyVPN Server must use Diffie-Hellman Group 2 to be able to negotiate parameters with the client. The group name is not encrypted, so it is easy to sniff. Hence another security mechanism was introduced, called Extended Authentication (XAuth for short). This requires supplying additional user credentials during IKE Phase 1.5. This phase is already secured by the ISAKMP SA, so all information is encrypted.

Configuration

Complete these steps:

Step 1 R4 configuration.

First configure AAA to allow ISAKMP key lookup in the local router's database. This is required for EasyVPN only; it is not required for Site-to-Site VPNs.

R4(config)#aaa new-model
R4(config)#aaa authorization network VPN_AUTH local
R4(config)#ip domain-name MicronicsTraining.com

Configure the ISAKMP policy with DH Group 2.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)# auth pre-share
R4(config-isakmp)# gr 2
R4(config-isakmp)# enc 3des
R4(config-isakmp)#exi
R4(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#exi

A pool of IP addresses for remote clients must be configured on the router. The client will get the next free IP address from the pool and use it on its VPNC interface.

R4(config)#ip local pool VPN_POOL 192.168.25.1 192.168.25.10

The EasyVPN group with all parameters used in IKE Phase 1.5 must be configured on the EasyVPN Server. The client will use the group name and the password during the connection. The very first ISAKMP packet will contain the group name so that it will land in the correct group on the server.

R4(config)#crypto isakmp client configuration group SALES
R4(config-isakmp-group)#key cisco123
R4(config-isakmp-group)#dns 10.1.12.5
R4(config-isakmp-group)#wins 10.1.12.6
R4(config-isakmp-group)#domain MicronicsTraining.com
R4(config-isakmp-group)#pool VPN_POOL
R4(config-isakmp-group)#exi

Remote Access networks are Hub-and-Spoke by design. Hence the regular crypto map cannot be used in this case. To address that, the dynamic crypto map has been introduced. It specifies the IPSec policy and is attached to a regular crypto map. This is because only a regular (static) crypto map can be attached to the interface.

R4(config)#crypto dynamic-map DYNMAP 10
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#reverse-route
R4(config-crypto-map)#exi

We need to configure the crypto map so that it may consult the local database for pre-shared keys. The Cisco IPSec Client asks the server for a bunch of attributes during IKE Phase 1.5, so the server must "respond" to that request. One of those attributes is the IP address. The second command is to send out an IP address to the client.

R4(config)#crypto map VPN isakmp authorization list VPN_AUTH
R4(config)#crypto map VPN client configuration address respond
R4(config)#crypto map VPN 10 ipsec-isakmp dynamic DYNMAP

Finally we need to attach the dynamic crypto map to the static crypto map and then to the interface.

R4(config)#int f0/0
R4(config-if)#crypto map VPN
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi

Step 2 R1 configuration.

Client configuration is minimal by design. It is even more minimalistic when using the software IPSec Client. All we need is to configure the EasyVPN Group, specify the password and the EasyVPN server's IP address. There are three modes:
• Client – default option; the EasyVPN Client gets an IP address from the server but all traffic from this client is translated (PAT) to that address. The mode is secure and is appropriate for most remote access clients.
• Network Extension – the client works like it is a part of the company's network. The client's IP address (not assigned by the server) must be routable in the company's network.
• Network Extension Plus – similar to the previous one, but in this case the client gets an IP address from the server and assigns it to its loopback interface. This IP address may be used for management purposes.

There are three connection methods:
• Auto – means that the client initiates the tunnel setup as soon as the EasyVPN is enabled on the interfaces.
• Manual – the client waits for a command to set up the tunnel.
• ACL – the tunnel will be initiated as soon as interesting traffic (ACL) is seen on the network.

R1(config)#crypto ipsec client ezvpn EZ
R1(config-crypto-ezvpn)#group SALES key cisco123
R1(config-crypto-ezvpn)#peer 10.1.24.4
R1(config-crypto-ezvpn)#connect auto
R1(config-crypto-ezvpn)#mode client

EasyVPN on hardware clients must be attached to the interfaces. Like NAT, there must be an Inside interface and an Outside interface. Traffic coming from the Inside to the Outside triggers the EasyVPN tunnel.

R1(config-crypto-ezvpn)#int loopback0
R1(config-if)#crypto ipsec client ezvpn EZ inside
R1(config-if)#int f0/0
R1(config-if)#crypto ipsec client ezvpn EZ outside
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=SALES Client_public_addr=10.1.12.1 Server_public_addr=10.1.24.4 Assigned_client_addr=192.168.25.1
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

See that NVI0 interface. It is for NAT, as the EasyVPN is in Client mode.

Verification

R1#sh int lo10000
Loopback10000 is up, line protocol is up
Hardware is Loopback
Description: *** Internally created by EzVPN ***
Internet address is 192.168.25.1/32

MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

R1#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.25.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 10.1.12.5
NBMS/WINS Primary: 10.1.12.6
Default Domain: MicronicsTraining.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.24.4

All parameters have been downloaded from the server.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.24.4       10.1.12.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The ping is unsuccessful. This is because the traffic must come from the Inside interface (Loopback0).

R1#ping 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R1#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.25.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.1.24.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x5C5F537B(1549751163)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x122946D2(304694994)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4481002/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x5C5F537B(1549751163)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4481002/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Note the Proxy IDs. Everything from the client's IP address towards any network will be encrypted. The packets have been encrypted/decrypted.

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
     192.168.25.0/32 is subnetted, 1 subnets
C       192.168.25.1 is directly connected, Loopback10000
S*   0.0.0.0/0 [1/0] via 10.1.12.2

There is a new interface on the router. This interface is used for NAT.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.24.4       10.1.12.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: VPN, local addr 10.1.24.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.25.1/255.255.255.255/0/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.12.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x122946D2(304694994)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x5C5F537B(1549751163)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4547943/3455)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x122946D2(304694994)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4547943/3455)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, FastEthernet0/0
     192.168.25.0/32 is subnetted, 1 subnets
S       192.168.25.1 [1/0] via 10.1.12.1
S*   0.0.0.0/0 [1/0] via 10.1.24.2

There is a "dynamic" static route on the server. This static route is automatically created for every client. It is necessary for R4 to know how to route packets to that network. This static route may be redistributed into your dynamic routing protocol to let the client access the rest of your network. This has been described in detail in the lab for RRI.

R4#tel 192.168.25.1
Trying 192.168.25.1 ... Open

User Access Verification

Password:
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:45
* 514 vty 0                idle                 00:00:00 10.1.24.4

  Interface    User               Mode         Idle     Peer Address

R1>exit

[Connection to 192.168.25.1 closed by foreign host]

Note that we can connect to R1 from R4 using this IP address. However, a connection to the clients behind R1 (if any) cannot be established. This is because of the PAT performed on R1.
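Both this lab and the GETVPN verification earlier decide whether traffic was encrypted by reading the #pkts encaps/decaps counters before and after a ping or telnet. The following added example, not part of the workbook, does that comparison from two captured snapshots of "show crypto ipsec sa" (or its "| inc loca|remot|enca|deca" filtered form): it keys each flow by its local/remote proxy identities, reports the per-flow counter delta, and answers whether a test of N packets was actually carried by the tunnel, which also catches the GETVPN case where telnet must leave the counters untouched. The snapshots below are constructed for the example in the layout IOS prints; the counter values are illustrative.

```python
"""Compare 'show crypto ipsec sa' snapshots taken before and after a test flow and decide
whether the flow went through the IPsec SA (counters moved) or bypassed it (counters static).

Added example, not from the workbook. The snapshots are constructed in the layout IOS prints
for the lab's two scenarios: a GETVPN group member and an EasyVPN client.
"""
import re
from typing import Dict, Tuple

Flow = Tuple[str, str]  # (local ident, remote ident) exactly as IOS prints them

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")

# Constructed: GETVPN GM before any LAN traffic, then after a 5-packet ping, then after a telnet
# session that the locally configured deny ACL keeps out of the tunnel.
GETVPN_IDLE = """\
Crypto map tag: CMAP-GETVPN, local addr 10.1.24.4
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 0.0.0.0
"""
GETVPN_AFTER_PING = GETVPN_IDLE.replace(": 0", ": 5")
GETVPN_AFTER_TELNET = GETVPN_AFTER_PING  # excluded traffic: counters do not move

# Constructed: EasyVPN client (R1) before and after pinging the server's loopback.
EASYVPN_BEFORE = """\
Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.12.1
   local  ident (addr/mask/prot/port): (192.168.25.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
EASYVPN_AFTER_PING = EASYVPN_BEFORE.replace(": 0", ": 5")


def parse_sa_counters(snapshot: str) -> Dict[Flow, Dict[str, int]]:
    """Map each (local ident, remote ident) flow to its packet counters."""
    flows: Dict[Flow, Dict[str, int]] = {}
    local = remote = None
    for line in snapshot.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":
                local, remote = m.group(2), None  # a new flow starts with its local ident
            else:
                remote = m.group(2)
            continue
        pairs = COUNTER_RE.findall(line)
        if pairs and local and remote:
            flows.setdefault((local, remote), {}).update({k: int(v) for k, v in pairs})
    return flows


def counter_delta(before: str, after: str) -> Dict[Flow, Tuple[int, int]]:
    """(encaps delta, decaps delta) per flow present in 'after'; flows new since 'before' start at 0."""
    old = parse_sa_counters(before)
    return {
        flow: (c.get("encaps", 0) - old.get(flow, {}).get("encaps", 0),
               c.get("decaps", 0) - old.get(flow, {}).get("decaps", 0))
        for flow, c in parse_sa_counters(after).items()
    }


def flow_was_encrypted(before: str, after: str, packets: int) -> bool:
    """True when some SA both encapsulated and decapsulated at least 'packets' more than before."""
    return any(e >= packets and d >= packets for e, d in counter_delta(before, after).values())


if __name__ == "__main__":
    print("GETVPN ping encrypted:  ", flow_was_encrypted(GETVPN_IDLE, GETVPN_AFTER_PING, 5))
    print("GETVPN telnet encrypted:", flow_was_encrypted(GETVPN_AFTER_PING, GETVPN_AFTER_TELNET, 1))
    print("EasyVPN ping encrypted: ", flow_was_encrypted(EASYVPN_BEFORE, EASYVPN_AFTER_PING, 5))
```

Checking both encaps and decaps matters: a one-way delta (encaps up, decaps flat) is the signature of a mismatched proxy identity or a policy that the far side evaluates differently, which a single "counters incremented" glance can miss.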

1.1.CCIE SECURITY v4 Lab Workbook Lab 1. Outside.1.101. Security 100 10.1/24 G0/0 192.168.101. Inside.2.168.2/24 E0/0.60.10/24 E0/1.10/24 R2 ASA1 Page 824 of 1033 .1.2/24 Lo0 2.2. Security 0 192. Configuring Remote Access IPSec VPN using EasyVPN (IOS to ASA) Lab Setup  R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101  R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102  Configure Telnet on all routers using password “cisco”  Configure default routing on R1 and R2 pointing to the respective ASA interface  Configure default routing on ASA1 to the R2 IP Addressing Device Interface IP address R1 Lo0 1.1.1/24 F0/0 10.1.

CCIE SECURITY v4 Lab Workbook Task 1 Configure ASA1 as the EasyVPN Server. First of all. Users connecting to the ASA1 should be authenticated using local database with a username of “salesman” and password of “sales123’.10. Configuration Complete these steps: Step 1 ASA configuration.168. The Tunnel Group term has been taken from VPN Concentrator and is called Connection Profile in the ASDM. The ASA uses so-called Tunnel Groups and Group Policies to configure EasyVPN Server.  Cisco ASA is secure gateway by design.25. It is created to terminate Site-to-Site and Remote Access VPNs. Page 825 of 1033 .168.25. Create ISAKMP client group of SALES and allow VPN connections for Sales Department with the following parameters: Key = cisco123 Pool = VPN_POOL Configure R2 as EasyVPN Remote and connect to the ASA1 using Client Mode. remember that the ASA has NO ISAKMP enabled by default! We are asked to enable user authentication (xauth) so that we need a user account in the local database on the ASA. However. the configuration is slightly different than on IOS.1 to 192. Configure the following ISAKMP and IPSec Policies:  ISAKMP Parameters o Authentication: Pre-shared o Group: 2 o Encryption: 3DES o Hash : SHA  IPSec Parameters o Encryption: ESP-3DES o Authentication: ESP-SHA-HMAC Configure IP address pool named VPN_POOL and give out IP addresses from the range of 192.

Alternatively we can configure every parameter in a new line as showed below.25. There are also “ipsecattributes” which are related to IPSec. In our case we need to specify at least one general attribute.1. we need to configure dynamic crypto map first to specify the IPSec parameters (transform set) and then assign it to static crypto map. Remember to configure DH Group 2 or higher. which is IP address pool. ASA1(config)# tunnel-group SALES type remote-access ASA1(config)# tunnel-group SALES general-attributes ASA1(config-tunnel-general)# address-pool VPN_POOL ASA1(config-tunnel-general)# exit ASA1(config)# tunnel-group SALES ipsec-attributes ASA1(config-tunnel-ipsec)# pre-shared-key cisco123 ASA1(config-tunnel-ipsec)# exi Do you remember that there must be dynamic crypto map used for Remote Access VPNs? Hence.25.1. etc. The static crypto map can be applied to the interface. The type must be specified at the beginning as this defines a list of attributes available for configuration. configure a pool of IP addresses to be given out to the clients. All IKE Phase 1.255.255.0 There are two types of Tunnel Group: (1) remote-access and ipsec-l2l.5 attributes can be configured under Group Policy which can be specified under “general-attributes”.1-10. Trustpoint.CCIE SECURITY v4 Lab Workbook ASA1(config)# username salesman password sales123 ASA1(config)# isakmp enable Outside ISAKMP Policy is configured in the same way as it is in IOS. ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac ASA1(config)# crypto dynamic-map DYN-MAP 5 set transform-set TSET ASA1(config)# crypto map ENCRYPT_OUT 1 ipsec-isakmp dynamic DYN-MAP Page 826 of 1033 . like PSK. ASA1(config)# crypto isakmp policy 1 authentication pre-share ASA1(config)# crypto isakmp policy 1 encryption 3des ASA1(config)# crypto isakmp policy 1 hash sha ASA1(config)# crypto isakmp policy 1 group 2 Next. ASA1(config)# ip local pool VPN_POOL 10.10 mask 255.

ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1

Step 2

R2 configuration.
EasyVPN Client (officially called Cisco EasyVPN Remote) configuration is straightforward and has been described in the previous lab.
R2(config)#crypto ipsec client ezvpn EZ
R2(config-crypto-ezvpn)#group SALES key cisco123
R2(config-crypto-ezvpn)#peer 192.168.1.10
R2(config-crypto-ezvpn)#connect auto
R2(config-crypto-ezvpn)#mode client
R2(config-crypto-ezvpn)#int loopback0
R2(config-if)#crypto ipsec client ezvpn EZ inside
R2(config-if)#int g0/0
R2(config-if)#crypto ipsec client ezvpn EZ outside
R2(config-if)#end
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
As soon as you apply the crypto map on the interface you’ll notice the following message on the console:
EZVPN(EZ): Pending XAuth Request. Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
This message appears only when there is “auto” connection configured on the EasyVPN Remote. You must use the following command and provide username and password for XAUTH authentication.
R2#crypto ipsec client ezvpn xauth
Username: salesman
Password:
R2#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) Client_public_addr=192.168.1.2 User= Group=SALES Server_public_addr=192.168.1.10 Assigned_client_addr=10.1.25.1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
After successful authentication, the client gets an IP address from the pool and brings up its logical interfaces. From now on, the traffic going between inside and outside interface will be encrypted.

Verification
R2#pi 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.10 to network 0.0.0.0

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
C       10.1.25.1 is directly connected, Loopback10000
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.10
The ping is successful. Note that the client has only default route configured. Thus, all traffic to the other networks will be sent out using this next hop.
R2#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: GigabitEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.1.25.1 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Current EzVPN Peer: 192.168.1.10
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.10    192.168.1.2     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: GigabitEthernet0/0-head-0, local addr 192.168.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.25.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA422A55(172108373)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB7ED79A2(3085793698)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: GigabitEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4442797/28679)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
Traffic has been encrypted. Note that proxy IDs are for any destination – this is because by default the EasyVPN Remote will encrypt all traffic. You must use Split-Tunneling feature to change that behavior.

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA422A55(172108373)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: GigabitEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4442797/28679)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
ASA1(config)# sh crypto isakmp sa detail
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.2
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86363
The ASA is a headend of the EasyVPN so that it acts as “responder” for the clients. Note that in EasyVPN we use Aggressive Mode when PSK is used for authentication.
ASA1(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

S    1.1.1.1 255.255.255.255 [1/0] via 10.1.101.1, Inside
S    10.1.25.1 255.255.255.255 [1/0] via 192.168.1.2, Outside
C    10.1.101.0 255.255.255.0 is directly connected, Inside

C    192.168.1.0 255.255.255.0 is directly connected, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, Outside
The ASA has static route injected to its routing table by EasyVPN Server. This route is there to reach remote client. When client is disconnected, the route is withdrawn from the routing table.
ASA1(config)# sh crypto ipsec sa detail
interface: Outside
    Crypto map tag: DYN-MAP, seq num: 5, local addr: 192.168.1.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.25.1/255.255.255.255/0/0)
      current_peer: 192.168.1.2, username: salesman
      dynamic allocated peer ip: 10.1.25.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.1.2
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B7ED79A2

    inbound esp sas:
      spi: 0x0A422A55 (172108373)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DYN-MAP
         sa timing: remaining key lifetime (sec): 28644
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0xB7ED79A2 (3085793698)
         transform: esp-3des esp-sha-hmac no compression

         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DYN-MAP
         sa timing: remaining key lifetime (sec): 28644
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Lab 1.61.
Configuring RA VPN using Cisco VPN Client and ASA (PSK)

Lab Setup
 R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
 R2’s G0/1 and ASA2’s E0/0 interface should be configured in VLAN 122
 R4’s F0/0 and ASA2’s E0/2 interface should be configured in VLAN 104
 R5’s F0/0 and ASA2’s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA’s interface
 Configure default routing on both ASAs pointing to the respective R2 interface

IP Addressing
Device   Interface / ifname / sec level   IP address
R1       Lo0                              1.1.1.1/24
         F0/0                             10.1.101.1/24
R2       G0/0                             192.168.1.2/24
         G0/1                             192.168.2.2/24
R4       Lo0                              4.4.4.4 /24
         F0/0                             10.1.104.4 /24
R5       Lo0                              5.5.5.5/24
         F0/0                             10.1.105.5/24
ASA1     E0/0, Outside, Security 0        192.168.1.10 /24
         E0/1, Inside, Security 100       10.1.101.10 /24
ASA2     E0/0, Outside, Security 0        192.168.2.10 /24
         E0/1, Inside_US, Security 100    10.1.105.10 /24
         E0/2, Inside_CA, Security 100    10.1.104.10 /24

Task 1
Configure ASA1 as the EasyVPN Server. Place Test PC with Cisco VPN Client software into VLAN 122 and use it for remote access connections. Configure the following ISAKMP and IPSec Policies:

 ISAKMP Parameters
o Authentication: Pre-shared
o Group: 2
o Encryption: 3DES
o Hash : SHA

 IPSec Parameters
o Encryption: ESP-3DES
o Authentication: ESP-SHA-HMAC
o PFS Group 2

User named “remoteuser” with a password of ‘user123’ should be able to authenticate to the SALES group and get an IP address from the pool of 192.168.21.1 – 192.168.21.254. The user should get the following additional attributes from the VPN Server:
WINS: 10.1.101.6
DNS: 10.1.101.5
Domain: micronicstraining.com
User’s traffic destined to an IP address of 1.1.1.1 should be encrypted; all other traffic should be sent out clear.

 The most common EasyVPN deployment is with Cisco IPSec software client. This is a typical remote access design where many clients access a headend and terminate IPSec tunnels to get access to the corporate network.

Configuration
Complete these steps:
Step 1

Switchport configuration where Windows host is connected to.
SW3(config)#int f0/15
SW3(config-if)#switchport mode access
SW3(config-if)#switchport access vlan 122
We’re placing WinXP client in VLAN 122.

Step 2

ASA1 configuration.
ASA1(config)# crypto isakmp enable outside
Remember, you must explicitly enable ISAKMP on the ASA to be able to terminate the IPSec tunnel.
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth pre-share
ASA1(config-isakmp-policy)# encr 3des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# ip local pool VPN-CLIENTS 10.1.21.1-10.1.21.254 mask 255.255.255.0
ASA1(config)# access-list ST standard permit host 1.1.1.1
In the task, we are asked to tunnel traffic to 1.1.1.1 address only so that we need to configure Split Tunneling feature. We need to define that using standard ACL. The Split Tunneling ACL is used to specify Tunnel Network List. This is the best way to configure that.
ASA1(config)# group-policy SALES-POLICY internal
ASA1(config)# group-policy SALES-POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ipsec
ASA1(config-group-policy)# dns-server value 10.1.101.5
ASA1(config-group-policy)# wins-server value 10.1.101.6
ASA1(config-group-policy)# default-domain value micronicstraining.com
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value ST
ASA1(config-group-policy)# exit
The Group Policy is a container for different attributes which will be shared between different tunnel groups or users. This Group Policy can be “internal” or “external”, meaning it can be configured on the ASA or on ACS. That policy usually specifies all Phase 1.5 configuration attributes like DNS server, domain name and split tunneling. We must change Split Tunnel Policy to “tunnelspecified” to make it work. The Group Policy is then attached under a Tunnel Group or user profile.
ASA1(config)# tunnel-group SALES type remote-access
ASA1(config)# tunnel-group SALES ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key cisco123
ASA1(config-tunnel-ipsec)# exit
IPSec attributes are an authentication configuration in most cases. Here we use PSK.
ASA1(config)# tunnel-group SALES general-attributes
ASA1(config-tunnel-general)# default-group-policy SALES-POLICY
ASA1(config-tunnel-general)# address-pool VPN-CLIENTS
ASA1(config-tunnel-general)# exit
General attributes are used for client configuration. Here we can assign a new Group Policy which may be “shared” between different tunnel groups.
ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac

ASA1(config)# crypto dynamic-map DYN-CMAP 10 set pfs group2
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set transform-set TSET
ASA1(config)# crypto map ENCRYPT_OUT 10 ipsec-isakmp dynamic DYN-CMAP
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# username remoteuser password user123
ASA1(config)# username remoteuser attributes
ASA1(config-username)# vpn-group-policy SALES-POLICY
ASA1(config-username)# exit
ASA1(config)# route inside 1.1.1.1 255.255.255.255 10.1.101.1
This static route is required for ASA to access 1.1.1.1 network.

Step 3

VPN Client configuration.
1. Assign IP address of 192.168.2.200/24 to Client workstation and add a static route
route add 192.168.1.0 mask 255.255.255.0 192.168.2.2
2. Configure Cisco VPN Client software
All we need is to specify an IP address of the EasyVPN Server, the Group Name (Tunnel Group name) and password.

Verification
1. Verify on the client (connect to the VPN Server)
Here is our XAUTH phase. We need to authenticate with user’s credentials.
After connection we see the Statistics and split tunneling. The IPSec client only secures 1.1.1.1/32 route.


We can test by pinging the 1.1.1.1 address.

See the encryption/decryption counters incremented.

2. Verify on ASA


ASA1(config)# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.200
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

ASA1(config)# sh crypto ipsec sa
interface: Outside
    Crypto map tag: DYN-CMAP, seq num: 10, local addr: 192.168.1.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
      current_peer: 192.168.2.200, username: remoteuser
      dynamic allocated peer ip: 10.1.21.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.2.200
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FBB1C55E

    inbound esp sas:
      spi: 0x2A6A2E30 (711601712)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: DYN-CMAP
         sa timing: remaining key lifetime (sec): 28633
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xFBB1C55E (4222731614)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: DYN-CMAP
         sa timing: remaining key lifetime (sec): 28633
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
On the ASA we see that it has terminated the tunnel (using Aggressive Mode) and received the traffic.
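As an added example, not code from the workbook or from Cisco, the following Python parser reads the “show crypto ipsec sa” output above, extracts the peer, proxy identities, SPIs and packet counters, and applies a few health rules (packets flowing in only one direction, verify failures, send/receive errors). The regular expressions, the IpsecSa structure and the check_sa rules are ours; the sample input is a trimmed copy of the lab output above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added illustration, not the workbook's or Cisco's code: parse an ASA/IOS
# "show crypto ipsec sa" dump and judge whether the SA is carrying traffic.

# "#pkts encaps: 4" (ASA, with colon) or "#send errors 0" (IOS, without).
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z][^:#,]*?)\s*:?\s*(?P<value>\d+)")
IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \((.+)\)$")
PEER_RE = re.compile(r"^current_peer:?\s*(?P<peer>[\d.]+)(?:,\s*username:\s*(?P<user>\S+))?")
SPI_RE = re.compile(r"^spi:\s*(0x[0-9A-Fa-f]+)")


@dataclass
class IpsecSa:
    peer: Optional[str] = None
    username: Optional[str] = None        # only present on the ASA (XAUTH user)
    assigned_ip: Optional[str] = None     # "dynamic allocated peer ip" on the ASA
    local_ident: Optional[str] = None
    remote_ident: Optional[str] = None
    inbound_spi: List[str] = field(default_factory=list)
    outbound_spi: List[str] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=dict)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract identities, SPIs and every '#name: value' counter from the dump."""
    sa = IpsecSa()
    direction = None  # "inbound"/"outbound" while inside an "... esp sas:" block
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            sa.peer, sa.username = m.group("peer"), m.group("user")
            continue
        if line.startswith("dynamic allocated peer ip:"):
            sa.assigned_ip = line.split(":", 1)[1].strip()
            continue
        m = IDENT_RE.match(line)
        if m:
            setattr(sa, f"{m.group(1)}_ident", m.group(2))
            continue
        if line.endswith("esp sas:"):
            direction = line.split()[0]
            continue
        m = SPI_RE.match(line)
        if m and direction:
            getattr(sa, f"{direction}_spi").append(m.group(1))
            continue
        for c in COUNTER_RE.finditer(line):
            sa.counters[c.group("name").strip()] = int(c.group("value"))
    return sa


def check_sa(sa: IpsecSa) -> List[str]:
    """Return findings; an empty list means the SA looks healthy (our rules)."""
    c = sa.counters
    findings = []
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("no traffic has crossed the tunnel yet")
    elif encaps == 0 or decaps == 0:
        findings.append("one-way traffic: check routing or the split-tunnel list")
    if decaps != c.get("pkts verify", 0):
        findings.append("decapsulated packets did not all pass integrity verification")
    for name in ("send errors", "recv errors", "pkts verify failed", "pkts replay failed (rcv)"):
        if c.get(name, 0):
            findings.append(f"{name} = {c[name]}")
    if not sa.inbound_spi or not sa.outbound_spi:
        findings.append("inbound or outbound ESP SA is missing")
    return findings


# Trimmed copy of the ASA output shown above, used as test input.
SAMPLE = """\
interface: Outside
    Crypto map tag: DYN-CMAP, seq num: 10, local addr: 192.168.1.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
      current_peer: 192.168.2.200, username: remoteuser
      dynamic allocated peer ip: 10.1.21.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.2.200
      current outbound spi: FBB1C55E

    inbound esp sas:
      spi: 0x2A6A2E30 (711601712)
         transform: esp-3des esp-sha-hmac no compression
    outbound esp sas:
      spi: 0xFBB1C55E (4222731614)
         transform: esp-3des esp-sha-hmac no compression
"""

if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE)
    print(sa.peer, sa.username, sa.assigned_ip, sa.counters)
    print(check_sa(sa) or "SA healthy")
```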

ASA1(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
S    1.1.1.1 255.255.255.255 [1/0] via 10.1.101.1, Inside
S    10.1.21.1 255.255.255.255 [1/0] via 192.168.1.2, Outside
C    10.1.101.0 255.255.255.0 is directly connected, Inside
C    192.168.1.0 255.255.255.0 is directly connected, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, Outside
There is a static route for the client injected into ASA’s routing table.

ASA1(config)# sh vpn-sessiondb detail

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN                :      0 :          0 :               0
    Clientless only      :      0 :          0 :               0
    With client          :      0 :          0 :               0 :        0
  Email Proxy            :      0 :          0 :               0
  IPsec LAN-to-LAN       :      0 :          0 :               0
  IPsec Remote Access    :      1 :          2 :               1
  VPN Load Balancing     :      0 :          0 :               0
  Totals                 :      1 :          2 :               0

License Information:
  IPsec    :    250    Configured :    250    Active :      1    Load :   0%
  SSL VPN  :    100    Configured :    100    Active :      0    Load :   0%

                           Active : Cumulative : Peak Concurrent
  IPsec                  :      1 :          3 :               1
  SSL VPN                :      0 :          0 :               0
    AnyConnect Mobile    :      0 :          0 :               0
    Linksys Phone        :      0 :          0 :               0
  Totals                 :      1 :          3

Tunnels:
                           Active : Cumulative : Peak Concurrent
  IKE                    :      1 :          2 :               1
  IPsec                  :      1 :          2 :               1
  Totals                 :      2 :          4

Active NAC Sessions:
No NAC sessions to display

Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display

ASA1(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username     : remoteuser             Index        : 3
Assigned IP  : 10.1.21.1              Public IP    : 192.168.2.200
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 240                    Bytes Rx     : 240
Group Policy : SALES-POLICY           Tunnel Group : SALES
Login Time   : 22:47:22 UTC Mon Oct 26 2009
Duration     : 0h:03m:45s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

To see EasyVPN session information you must use the “show vpn-sessiondb remote” command. It
shows the Group Policy and Tunnel Group which have been used for that client.


Lab 1.62.
Configuring RA VPN using Cisco VPN Client and ASA (PKI)

Lab Setup
 R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
 R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
 R2’s G0/1 and ASA2’s E0/0 interface should be configured in VLAN 122
 R4’s F0/0 and ASA2’s E0/2 interface should be configured in VLAN 104
 R5’s F0/0 and ASA2’s E0/1 interface should be configured in VLAN 105

 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA’s interface

 Configure default routing on both ASAs pointing to the respective R2 interface
IP Addressing
Device   Interface / ifname / sec level   IP address
R1       Lo0                              1.1.1.1/24
         F0/0                             10.1.101.1/24
R2       G0/0                             192.168.1.2/24
         G0/1                             192.168.2.2/24
R4       Lo0                              4.4.4.4 /24
         F0/0                             10.1.104.4 /24
R5       Lo0                              5.5.5.5/24
         F0/0                             10.1.105.5/24
ASA1     E0/0, Outside, Security 0        192.168.1.10 /24
         E0/1, Inside, Security 100       10.1.101.10 /24
ASA2     E0/0, Outside, Security 0        192.168.2.10 /24
         E0/1, Inside_US, Security 100    10.1.105.10 /24
         E0/2, Inside_CA, Security 100    10.1.104.10 /24

Task 1
Configure IOS Certificate Authority server on R1. The server should have a self-signed
certificate with a lifetime of 5 years and be able to grant certificates to the clients with
a lifetime of 3 years. Store all certificates on the flash using PEM base-64 encryption
with a password of “Cisco_CA”. The server should service all certificate requests
automatically.

The EasyVPN remote access is very popular these days. However, using a pre-shared key for
authentication is not the best way to secure access to the company’s network. Hence, in
most cases we should use PKI and certificates for group authentication.
Using certificates is very flexible, so we can provide different network access and
different security policies depending on some fields in the user’s certificate.


Configuration
Complete these steps:
Step 1

R1 configuration.
Configuration of IOS CA has been described in section 2 already.
R1(config)#ip http server
R1(config)#crypto pki server IOS_CA
R1(cs-server)#lifetime certificate 1095
R1(cs-server)#lifetime ca-certificate 1825
R1(cs-server)#database archive pem password Cisco_CA
R1(cs-server)#database url pem flash:/IOS_CA
R1(cs-server)#grant auto
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be
automatically granted.
R1(cs-server)#no shutdown
Certificate server 'no shut' event has been queued for
processing.
R1(cs-server)#
%Some server settings cannot be changed after CA
certificate generation.
% Generating 1024 bit RSA keys, keys will be nonexportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
% Exporting Certificate Server signing certificate and
keys...
%PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#exit

Verification
R1#sh crypto pki server
Certificate Server IOS_CA:
Status: enabled
State: enabled
Server's configuration is locked

(enter "shut" to unlock it)

Issuer name: CN=IOS_CA
CA cert fingerprint: 2CCFEC44 8B1FA216 4B9CA190 024184A0
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 21:37:39 UTC Oct 19 2014

CRL NextUpdate timer: 03:37:40 UTC Oct 21 2009
Current primary storage dir: nvram:
Current storage dir for .pem files: flash:/IOS_CA
Database Level: Minimum - no cert data written to storage

R1#sh flash | in IOS_CA
   22       1714   Oct 20 2009 21:37:42 +00:00  IOS_CA_00001.pem

Task 2
To ensure R1 and ASA1 have the same time configure NTP server on R1 with a
stratum of 4. The server should authenticate the clients with a password of
“Cisco_NTP”.
Configure devices as NTP clients to the R1’s NTP source.

Time is a very important factor when using certificates. This is because a
certificate has a lifetime and its validation is based on the time. Hence, we need
to be sure the time is accurate on every device which has certificates (or
requests certificates).
The best option to synchronize the time in the network is to use an NTP server on
one of the routers and configure all other systems as clients.

Configuration
Complete these steps:
Step 1

R1 NTP Server configuration.
R1(config)#ntp authentication-key 1 md5 Cisco_NTP
R1(config)#ntp trusted-key 1
R1(config)#ntp authenticate
R1(config)#ntp master 4

Step 2

ASA as NTP client.
ASA1(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA1(config)# ntp authenticate
ASA1(config)# ntp trusted-key 1
ASA1(config)# ntp server 10.1.101.1 key 1

Verification
R1#sh ntp status
Clock is synchronized, stratum 4, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CE9B2538.42900269 (21:55:04.260 UTC Tue Nov 3 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
R1#sh ntp associations
  address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1     127.127.7.1    3    21    64   377    0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

ASA1(config)# sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ce9b256c.dff18b1c (21:55:56.874 UTC Tue Nov 3 2009)
clock offset is -0.8338 msec, root delay is 0.98 msec
root dispersion is 15891.49 msec, peer dispersion is 15890.63 msec
ASA1(config)# sh ntp associations
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.101.1      127.127.7.1    4    15    64     1    1.0   -0.83  15890.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Task 3
On ASA1 enroll a certificate for IPSec peer authentication. Ensure that FQDN and
certificate attributes like Common Name (ASA1) and Country (US) are used.
The certificate used for IPSec authentication should have keys of at least 1024 bits.

Configuration
Complete these steps:
Step 1

ASA configuration.
ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSAKey>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
Every device must have a key pair generated before it can
“ask” for signing. To generate keys we need to have
hostname and domain name configured.
ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com
ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit
A trustpoint is an object which is used for connection with
a Certificate Authority (CA). It is used when a device
wants its key to be signed or when a certificate must be
validated.
After configuring a trustpoint we need to first get a
certificate of the CA and then ask for signing device’s
key.

ASA1(config)# crypto ca authenticate IOS_CA
INFO: Certificate has the following attributes:
Fingerprint:     2ccfec44 8b1fa216 4b9ca190 024184a0

Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
This is CA certificate which must be stored in device
configuration to validate other certificates signed by this
CA.
ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password: ********
Re-enter password: ********
% The subject name in the certificate will be: CN=ASA1, C=US
% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
Note that above information has been inherited from the
trustpoint’s configuration and the certificate has been
granted to the ASA.
ASA1(config)# access-list OUTSIDE_IN permit tcp host 192.168.2.200 host 10.1.101.1 eq 80
ASA1(config)# access-group OUTSIDE_IN in interface Outside
The above ACL must be configured on the ASA to allow
certificate enrollment by the client.

Verification
ASA1(config)# sh crypto ca trustpoints
Trustpoint IOS_CA:
Subject Name:
cn=IOS_CA
Serial Number: 01
Certificate configured.
CEP URL: http://10.1.101.1

ASA1(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOS_CA
Subject Name:
hostname=ASA1.MicronicsTraining.com
cn=ASA1
c=US
Validity Date:
start date: 22:14:31 UTC Oct 20 2009
end   date: 22:14:31 UTC Oct 19 2012

Associated Trustpoints: IOS_CA

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOS_CA
Subject Name:
cn=IOS_CA
Validity Date:
start date: 21:37:39 UTC Oct 20 2009
end   date: 21:37:39 UTC Oct 19 2014

Associated Trustpoints: IOS_CA
Both certificates are in ASA configuration. The first certificate is a device’s
certificate which is valid for 3 years. The ASA must have CA certificate as
well to validate its certificate and any other certificates signed by this CA.

Task 4
Configure ASA1 as the EasyVPN Server. Place Test PC with Cisco VPN Client
software into VLAN 122 and use it for remote access connections. Configure the
following ISAKMP and IPSec Policies:

ISAKMP Parameters
o Authentication: Pre-shared
o Group: 2
o Encryption: 3DES
o Hash : SHA

IPSec Parameters
o Encryption: ESP-3DES
o Authentication: ESP-SHA-HMAC

User named “salesman” with a password of ‘sales123’ should be able to authenticate
to the Sales group and get an IP address from the pool of 192.168.25.1 –
192.168.25.10.
User’s traffic destined to the network 1.1.1.0/24 should be encrypted; all other traffic
should be sent out clear.

Configuration
Complete these steps:
Step 1

Place Test PC in VLAN 122.

SW3(config)#int f0/15
SW3(config-if)#sw mo acc
SW3(config-if)#sw acc vl 122

Step 2

ASA1 configuration.
ASA1(config)# isakmp enable Outside
ASA1(config)# crypto isakmp policy 1 authentication rsa-sig
ASA1(config)# crypto isakmp policy 1 encryption 3des
ASA1(config)# crypto isakmp policy 1 hash sha
ASA1(config)# crypto isakmp policy 1 group 2
There is one change in the configuration comparing to the
PSK authentication. Now we need to enable certificate’s
authentication (rsa-sig) in the ISAKMP policy.
ASA1(config)# tunnel-group SALES type remote-access
ASA1(config)# ip local pool VPN_POOL 10.1.25.1-10.1.25.10 mask 255.255.255.0
ASA1(config)# access-list ST standard permit 1.1.1.0 255.255.255.0
ASA1(config)# group-policy RA-POLICY internal
ASA1(config)# group-policy RA-POLICY attributes
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value ST
ASA1(config)# tunnel-group SALES general-attributes
ASA1(config-tunnel-general)# address-pool VPN_POOL
ASA1(config-tunnel-general)# default-group-policy RA-POLICY
ASA1(config-tunnel-general)# exit
ASA1(config)# tunnel-group SALES ipsec-attributes
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit
In order to validate client’s certificate we need to
specify the trustpoint used to do that.
ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
ASA1(config)# crypto dynamic-map DYN-MAP 5 set transform-set TSET
ASA1(config)# crypto map ENCRYPT_OUT 1 ipsec-isakmp dynamic DYN-MAP
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# username salesman password sales123 privilege 0
ASA1(config)# route inside 1.1.1.1 255.255.255.255 10.1.101.1
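The split-tunnel behaviour configured in Step 2 of this lab and in Lab 1.61 (tunnelspecified with a standard ACL as the network list, versus the default tunnelall seen in the IOS EasyVPN Remote lab where all traffic is encrypted) can be modelled as follows. This is an added example, not code from the workbook or from Cisco; the policy keywords and ACL syntax are the ASA's, while the helper names and the reading of the ACL as a first-match list whose permit entries define the secured networks are our assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Added illustration, not the workbook's or Cisco's code: model of how the
# split-tunnel attributes pushed in the group policy decide what the VPN
# client encrypts. Policy names and ACL syntax are the ASA's; the helper
# names and the "first matching entry wins" reading of the list are ours.

Acl = List[Tuple[str, ipaddress.IPv4Network]]

# Standard ACL lines as used for split-tunnel-network-list in the labs:
#   access-list ST standard permit host 1.1.1.1
#   access-list ST standard permit 1.1.1.0 255.255.255.0
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>[\d.]+)|(?P<net>[\d.]+)\s+(?P<mask>[\d.]+))\s*$"
)


def parse_split_acl(config: Iterable[str], name: str) -> Acl:
    """Collect the entries of the named standard ACL in configuration order."""
    entries: Acl = []
    for line in config:
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        if m.group("any"):
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif m.group("host"):
            net = ipaddress.IPv4Network(f"{m.group('host')}/32")
        else:
            net = ipaddress.IPv4Network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        entries.append((m.group("action"), net))
    return entries


def _listed(ip: ipaddress.IPv4Address, acl: Acl) -> bool:
    """True if the first ACL entry containing ip is a permit (our assumption)."""
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False


def secured_routes(policy: str, acl: Acl) -> List[ipaddress.IPv4Network]:
    """Networks the client shows as 'secured' once the tunnel is up."""
    if policy == "tunnelall":
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    if policy == "tunnelspecified":
        return [net for action, net in acl if action == "permit"]
    if policy == "excludespecified":
        # Everything is secured apart from the listed networks, so the secured
        # route is the default route; exclusions are applied by is_tunneled().
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def is_tunneled(dst: str, policy: str, acl: Acl) -> bool:
    """True if traffic to dst is encrypted; False if it leaves in the clear."""
    ip = ipaddress.IPv4Address(dst)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return _listed(ip, acl)
    if policy == "excludespecified":
        return not _listed(ip, acl)
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


# Constructed excerpts of the two lab configurations above.
LAB_161 = ["access-list ST standard permit host 1.1.1.1"]
LAB_162 = ["access-list ST standard permit 1.1.1.0 255.255.255.0"]

if __name__ == "__main__":
    for label, cfg in (("Lab 1.61", LAB_161), ("Lab 1.62", LAB_162)):
        acl = parse_split_acl(cfg, "ST")
        print(label, [str(n) for n in secured_routes("tunnelspecified", acl)])
        for dst in ("1.1.1.1", "1.1.1.200", "10.1.101.1"):
            print(f"  {dst}: {'tunnel' if is_tunneled(dst, 'tunnelspecified', acl) else 'clear'}")
```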


Verification
On VPN Client
1. Assign IP address of 192.168.2.200/24 to Client workstation and add static routes

route add 192.168.1.0 mask 255.255.255.0 192.168.2.2
route add 10.1.101.1 mask 255.255.255.255 192.168.2.2

2.

Request a certificate from R1. Click on the Certificates tab and then on the Enroll button.
Requesting a new certificate for the EasyVPN Client requires providing some information
which will be used to generate the keys and the signing request on the client.
The client uses SCEP (Simple Certificate Enrollment Protocol) for certificate
enrollment. In case of IOS CA the SCEP URL is the following: http://<IOS-CA-IPADDR>/cgi-bin/pkiclient.exe

Click Next
Provide as much information as you can, as that information can be useful for
client recognition on the secure gateway. The Name (CN – Common Name) and
Department (OU – Organizational Unit) are required. The ASA will land the
connection in the Tunnel Group with the same name as the OU in the certificate
(the match is case sensitive)!


Click on the certificate to see its details:

If you see the following error, make sure you have time synchronized between R1 and Client’s
workstation. Then try again.


3.

Configure Cisco VPN Client software. Make sure you choose Certificate Authentication.

We must create a new connection in the VPN client. The connection should have
IP address of the ASA and certificate for authentication specified.

4.

Connect to the VPN Server and authenticate the user.


Note that with certificate authentication XAUTH is still enabled. This means we
will be asked for user credentials to set up the tunnel. There is no way to
authenticate the user using a certificate.

C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=19ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255
Reply from 1.1.1.1: bytes=32 time=1ms TTL=255
Reply from 1.1.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 19ms, Average = 5ms


Traffic to 1.1.1.1 is being encrypted and decrypted. Note that the Bypassed
counter is incrementing, meaning some packets are not encrypted; this is because
Split Tunneling is in use.

On ASA
ASA1(config)# sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.200
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : rsa             Lifetime: 86400
    Lifetime Remaining: 86120
Note this very important detail: when certificate authentication is used,
ISAKMP uses Main Mode instead of Aggressive Mode.

ASA1(config)# sh crypto ipsec sa
interface: Outside
Crypto map tag: DYN-MAP, seq num: 5, local addr: 192.168.1.10
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.25.1/255.255.255.255/0/0)
current_peer: 192.168.2.200, username: salesman
dynamic allocated peer ip: 10.1.25.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Packets are getting encrypted/decrypted on the ASA.
local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.2.200
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F0F7B35C
inbound esp sas:
spi: 0x1091008C (277938316)
transform: esp-3des esp-sha-hmac no compression


in use settings ={RA, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 28500
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xF0F7B35C (4042765148)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 28500
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA1(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username     : salesman               Index        : 4
Assigned IP  : 10.1.25.1              Public IP    : 192.168.2.200
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 240                    Bytes Rx     : 240
Group Policy : RA-POLICY              Tunnel Group : Sales
Login Time   : 07:42:50 UTC Sat Jul 31 2010
Duration     : 0h:05m:49s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Note that the "Sales" tunnel group has been chosen. This is because the client's
certificate has OU=Sales.
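As an added illustration (not code from the workbook or from the ASA), the following models the selection rule just described: the OU of the client certificate names the tunnel group, matched case-sensitively, and a certificate whose OU matches no configured group lands in the ASA's built-in DefaultRAGroup. The sample DN and the set of configured groups are constructed to match this lab.

```python
import re

# Constructed to mirror the lab: the ASA has the "Sales" tunnel group from the
# configuration above, plus the built-in default remote-access group.
CONFIGURED_TUNNEL_GROUPS = {"Sales", "DefaultRAGroup"}
DEFAULT_RA_GROUP = "DefaultRAGroup"

# Constructed sample subject, shaped like the DN the client enrolled with
# (CN = Name, OU = Department in the VPN Client enrollment dialog).
SAMPLE_DN = "C=US, ST=CA, O=Micronics Training Inc., OU=Sales, CN=Remote User1"


def parse_dn(dn):
    """Split a textual subject DN into an ordered list of (attribute, value)
    pairs. Attribute types are normalised to upper case; values are kept
    exactly as written, because the ASA compares the OU value literally."""
    pairs = []
    for rdn in re.split(r",\s*", dn.strip()):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def select_tunnel_group(dn, groups=CONFIGURED_TUNNEL_GROUPS, default=DEFAULT_RA_GROUP):
    """Model of the default ASA behaviour described on the page: the OU of the
    client certificate names the tunnel group and the comparison is
    case-sensitive. A certificate whose OU matches no configured group (or
    that carries no OU at all) lands in the default remote-access group."""
    for attr, value in parse_dn(dn):
        if attr == "OU" and value in groups:
            return value
    return default
```

A certificate enrolled with Department "sales" therefore does not reach the Sales group and gets the default group's policy instead.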

ASA1(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

S    1.1.1.1 255.255.255.255 [1/0] via 10.1.101.1, Inside
S    10.1.25.1 255.255.255.255 [1/0] via 192.168.1.2, Outside
C    10.1.101.0 255.255.255.0 is directly connected, Inside
C    192.168.1.0 255.255.255.0 is directly connected, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, Outside
The static route to the client’s IP address is injected into the ASA’s routing
table.

Verification (detailed)
ASA1(config)# deb cry isak 50
ASA1(config)#
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 1144
The ASA has received the first ISAKMP packet, containing the ISAKMP policies
proposed by the client.
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing SA payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Oakley proposal is acceptable
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Received xauth V6 VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Received DPD VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Received Fragmentation VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, IKE Peer included IKE fragmentation capability flags:  Main Mode: True  Aggressive Mode: False
The mode is Main Mode.
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Received NAT-Traversal ver 02 VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Received Cisco Unity client VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing IKE SA payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, IKE SA Proposal # 1, Transform # 21 acceptable  Matches global IKE entry # 1

Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing ISAKMP SA payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing NAT-Traversal VID ver
02 payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing Fragmentation VID +
extended capabilities payload
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR
(13) + NONE (0) total length : 272

Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing ke payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing ISA_KE payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing nonce payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing NAT-Discovery payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, computing NAT Discovery hash
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing NAT-Discovery payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, computing NAT Discovery hash
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Received Cisco Unity client VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
The ASA sent a message with the accepted proposal and received a packet with keying material from the client.
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing ke payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing nonce payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing certreq payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing Cisco Unity VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing xauth V6 VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Send IOS VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing VID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing NAT-Discovery payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, computing NAT Discovery hash
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, constructing NAT-Discovery payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, computing NAT Discovery hash
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Generating keys for Responder...
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 328
The ASA sent a message to the client with its keying material.
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Rcv'd fragment from a new fragmentation set. Deleting any old fragments.
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Successfully assembled an encrypted pkt from rcv'd fragments!
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 1272
The ASA received a message with Identification information from the client. Note the size of the message (1272 bytes): it is huge compared to the other messages. This is because this message contains the peer's certificate, which will be used for authentication.
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing ID payload
Jul 31 07:42:50 [IKEv1 DECODE]: IP = 192.168.2.200, DER_ASN1_DN ID received, len 144
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing cert payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing cert request payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing RSA signature
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Computing hash for ISAKMP
Jul 31 07:42:50 [IKEv1 DECODE]: Dump of received Signature, len 256
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, processing notify payload
Jul 31 07:42:50 [IKEv1 DEBUG]: IP = 192.168.2.200, Trying to find group via OU...
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, Connection landed on tunnel_group Sales
The tunnel group has been chosen based on the OU in the certificate. This is the default behavior.
Jul 31 07:42:50 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, peer ID type 9 received (DER_ASN1_DN)
Jul 31 07:42:50 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, constructing ID payload
Jul 31 07:42:50 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, constructing cert payload
Jul 31 07:42:50 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, constructing RSA signature
Jul 31 07:42:50 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, Computing hash for ISAKMP
Jul 31 07:42:50 [IKEv1 DECODE]: Constructed Signature Len: 128
Jul 31 07:42:50 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, constructing dpd vid payload
Jul 31 07:42:50 [IKEv1]: Group = Sales, IP = 192.168.2.200, Automatic NAT Detection Status:  Remote end is NOT behind a NAT device  This end is NOT behind a NAT device
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) total length : 853
The ASA sent the final Phase 1 message (#6) to the client, containing its certificate.
Jul 31 07:42:51 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, constructing blank hash payload
Jul 31 07:42:51 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, constructing qm hash payload
Jul 31 07:42:51 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=5a278fca) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
The ASA starts Phase 1.5 – Configuration Mode. The ASA sends out the first packet asking for the user's credentials.
Jul 31 07:42:56 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=5a278fca) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
The client replies with the "salesman" username, as shown below.
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, process_attr(): Enter!
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, IP = 192.168.2.200, Processing MODE_CFG Reply attributes.
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: primary DNS = cleared
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: secondary DNS = cleared
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: primary WINS = cleared
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: secondary WINS = cleared
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: split tunneling list = ST
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: IP Compression = disabled
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jul 31 07:42:56 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, User (salesman) authenticated.
The user has been authenticated by the server.
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing blank hash payload
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing qm hash payload
Jul 31 07:42:56 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=51d17a8e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jul 31 07:42:56 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=51d17a8e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, process_attr(): Enter!
Jul 31 07:42:56 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Processing cfg ACK attributes
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=ee87f4da) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 188
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, process_attr(): Enter!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Processing cfg Request attributes
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for IPV4 address!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for IPV4 net mask!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for DNS server address!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for WINS server address!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Banner!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Save PW setting!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Default Domain Name!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Split Tunnel List!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Split DNS!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for PFS setting!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Client Browser Proxy Setting!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for backup ip-sec peer list!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for Application Version!
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Client Type: WinNT  Client Application Version: 5.0.04.0300
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for FWTYPE!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for DHCP hostname for DDNS is: XP!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, MODE_CFG: Received request for UDP Port!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Received unsupported transaction mode attribute: 5
The client sent a bunch of attributes it wants to get from the server. The server prepares a reply message with all attributes it has configured for that group/user.
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Obtained IP addr (10.1.25.1) prior to initiating Mode Cfg (XAuth enabled)
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Assigned private IP address 10.1.25.1 to remote user
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing blank hash payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Send Client Browser Proxy Attributes!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Send Cisco Smartcard Removal Disconnect enable!!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing qm hash payload
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=ee87f4da) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 192
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Sending subnet mask (255.255.255.0) to remote client
Jul 31 07:42:57 [IKEv1 DECODE]: IP = 192.168.2.200, IKE Responder starting QM: msg id = 812a9a29
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, PHASE 1 COMPLETED
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Keep-alive type for this connection: DPD
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Starting P1 rekey timer: 82080 seconds.
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, sending notify message
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing blank hash payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing qm hash payload
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=5cdcd9de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=812a9a29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
Here IKE Phase 2 (Quick Mode) starts. The goal here is to negotiate the IPSec policy and the Proxy IDs.
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing hash payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing SA payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing nonce payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing ID payload
Jul 31 07:42:57 [IKEv1 DECODE]: Group = Sales, Username = salesman, IP = 192.168.2.200, ID_IPV4_ADDR ID received 10.1.25.1
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Received remote Proxy Host data in ID Payload:  Address 10.1.25.1, Protocol 0, Port 0
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing ID payload
Jul 31 07:42:57 [IKEv1 DECODE]: Group = Sales, Username = salesman, IP = 192.168.2.200, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Received local IP Proxy Subnet data in ID Payload:  Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, QM IsRekeyed old sa not found by addr
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKE Remote Peer configured for crypto map: DYN-MAP
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing IPSec SA payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IPSec SA Proposal # 12, Transform # 1 acceptable  Matches global IPSec SA entry # 5
The IPSec policy has been agreed.
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKE: requesting SPI!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKE got SPI from key engine: SPI = 0x1091008c
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, oakley constucting quick mode
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing blank hash payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing IPSec SA payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing IPSec nonce payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing proxy ID
Jul 31 07:42:57 [IKEv1 DECODE]: Group = Sales, Username = salesman, IP = 192.168.2.200, Transmitting Proxy Id:  Remote host: 10.1.25.1  Protocol 0  Port 0  Local subnet: 0.0.0.0  mask 0.0.0.0  Protocol 0  Port 0
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Sending RESPONDER LIFETIME notification to Initiator
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, constructing qm hash payload
Jul 31 07:42:57 [IKEv1 DECODE]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKE Responder sending 2nd QM pkt: msg id = 812a9a29
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=812a9a29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 180
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=812a9a29) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, processing hash payload
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, loading all IPSEC SAs
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Generating Quick Mode Key!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, NP encrypt rule look up for crypto map DYN-MAP 5 matching ACL Unknown: returned cs_id=d78ee498; rule=00000000
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Generating Quick Mode Key!
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, NP encrypt rule look up for crypto map DYN-MAP 5 matching ACL Unknown: returned cs_id=d78ee498; rule=00000000
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Security negotiation complete for User (salesman)  Responder, Inbound SPI = 0x1091008c, Outbound SPI = 0xf0f7b35c
The IPSec negotiation is complete.
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, IKE got a KEY_ADD msg for SA: SPI = 0xf0f7b35c
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Pitcher: received KEY_UPDATE, spi 0x1091008c
Jul 31 07:42:57 [IKEv1 DEBUG]: Group = Sales, Username = salesman, IP = 192.168.2.200, Starting P2 rekey timer: 27360 seconds.
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, Adding static route for client address: 10.1.25.1
Jul 31 07:42:57 [IKEv1]: Group = Sales, Username = salesman, IP = 192.168.2.200, PHASE 2 COMPLETED (msgid=812a9a29)
ASA1(config)# un all
ASA1(config)#
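The facts the debug walkthrough above reads off by hand (Main Mode, rsa-sig authentication, the XAUTH transaction, Quick Mode completion) can be derived mechanically from the IKE_DECODE lines alone. The parser below is an added example, not code from the workbook or from Cisco; its input is a constructed sample in the shape of the ASA's `debug crypto isakmp` output, keeping only the one IKE_DECODE line per ISAKMP message.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ASA "debug crypto isakmp" output on
# the page: only the IKE_DECODE lines (one per ISAKMP message) are kept here;
# the parser ignores everything else anyway.
SAMPLE_DEBUG = """\
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1144
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 272
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 328
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 1272
Jul 31 07:42:50 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) total length : 853
Jul 31 07:42:51 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=5a278fca) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jul 31 07:42:56 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=5a278fca) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=5cdcd9de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=812a9a29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=812a9a29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 180
Jul 31 07:42:57 [IKEv1]: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=812a9a29) with payloads : HDR + HASH (8) + NONE (0) total length : 52
"""

LINE_RE = re.compile(
    r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9a-f]+)\) "
    r"with payloads : (?P<payloads>.+?) total length : (?P<length>\d+)"
)


@dataclass
class IkeMessage:
    direction: str  # RECEIVED or SENDING, from the ASA's point of view
    msgid: str      # "0" for the Phase 1 exchange, random for later ones
    payloads: list  # payload names in order, without HDR and NONE
    length: int     # bytes, as reported by the ASA


def parse_ike_decode(text):
    """Turn IKE_DECODE lines into IkeMessage records; other lines are skipped."""
    messages = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        names = [p.split(" (")[0].strip() for p in m["payloads"].split("+")]
        names = [n for n in names if n not in ("HDR", "NONE")]
        messages.append(IkeMessage(m["dir"], m["msgid"], names, int(m["length"])))
    return messages


def phase_of(msg):
    """Assign a message to the IKEv1 exchange it belongs to."""
    if msg.msgid == "0":
        return "phase1"
    if "ATTR" in msg.payloads:
        return "phase1.5"       # XAUTH / Mode Config transaction exchange
    if msg.payloads == ["HASH", "NOTIFY"]:
        return "informational"  # e.g. the DPD / lifetime notify
    return "phase2"             # Quick Mode


def summarize(messages):
    """Derive the facts the page reads off the debug by hand: the Phase 1 mode,
    the authentication method, whether XAUTH ran, and whether Quick Mode
    finished. Returns a dict so the values can be asserted on."""
    p1 = [m for m in messages if phase_of(m) == "phase1"]
    p2 = [m for m in messages if phase_of(m) == "phase2"]
    first_in = next((m for m in p1 if m.direction == "RECEIVED"), None)
    # Aggressive Mode packs SA, KE, NONCE and ID into its first message;
    # Main Mode's first message carries only the SA (plus vendor IDs).
    mode = "Aggressive Mode" if first_in and "ID" in first_in.payloads else "Main Mode"
    # With rsa-sig, messages 5 and 6 carry CERT and SIG payloads; with
    # pre-shared keys they carry ID and HASH instead.
    if any("SIG" in m.payloads and "CERT" in m.payloads for m in p1):
        auth = "rsa-sig"
    elif any("ID" in m.payloads and "HASH" in m.payloads for m in p1):
        auth = "pre-shared"
    else:
        auth = "unknown"
    largest = max(messages, key=lambda m: m.length)
    # The responder sees Quick Mode complete when the third QM message
    # (HASH only) arrives from the initiator.
    qm_done = any(m.direction == "RECEIVED" and m.payloads == ["HASH"] for m in p2)
    return {
        "phase1_messages": len(p1),
        "mode": mode,
        "auth": auth,
        "xauth": any(phase_of(m) == "phase1.5" for m in messages),
        "quick_mode_complete": qm_done,
        "largest_message": (largest.length, largest.payloads),
    }
```

The largest message reported is the 1272-byte one carrying the client certificate, which is also why fragmentation shows up in the debug right before it.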

1. Configuring SSL VPN (IOS) Lab Setup  R1’s F0/0 and R2’s G0/0 interface should be configured in VLAN 12  R2’s G0/1 and R4’s F0/0 interface should be configured in VLAN 24  R1’s F0/1 and VPN Client PC (SW3 – F0/15) should be in VLAN 100  Configure Telnet on all routers using password “cisco”  Configure default routing on R1 and R4 pointing to the R2 IP Addressing Device Interface IP address R1 F0/0 10.1.1/24 R2 G0/0 10.2/24 G0/1 10.com • State: CA Page 867 of 1033 .24.1.24.CCIE SECURITY v4 Lab Workbook Lab 1.2/24 R4 F0/0 10.12.4/24 PC NIC 10.1.63. Use self signed SSL certificate for server’s authentication and data security with the following parameters: • Organization: micronicstrainig. The user named “student1” with a password of “student123” should see an URL named “R4-Config” located under “Device Configuration” section.12.200/24 Task 1 Configure Clientless SSL VPN on R2 so that it allows users accessing R4’s HTTP server after successful authentication using local user database located on R2.100.1.

You may need to enable HTTP server on R4 and configure local administrator account (admin/admin123) to verify this task.).  SSL VPN is a basic service which can be enabled on the IOS router to make your corporate resources be accessible for remote users without using any sophisticated client software. After successful authentication. The SSL VPN is an access method uses SSL certificates for authentication and security mechanisms built into SSL. Configuration Complete these steps: Step 1 R2 configuration. Maximum of 10 users should be able to use this connection method at one time. etc. Firefox. other services available through the web browser (like web accessible management software or application). the user has access to the portal where he/she can see some links to corporate resources. Page 868 of 1033 . All the client need is a web browser (Internet Explorer. The user can also surf the Internet via this gateway.CCIE SECURITY v4 Lab Workbook • Country: US • No IP address and serial number included • RSA Keys name: MY-KEYS • RSA Keys length: 1024 bits R2 should accept HTTP connections on its G0/0 interface and redirect them to SSL default port. User connected to the WebVPN shouldn’t be able to enter custom URLs and see “real” URLs when connecting to R4. It leverages the same mechanism like we use for web surfing and thus it is called Clientless Mode. This authentication can be against local user database configured on the router itself or against remote database (via ACS or LDAP server). Those resources can be for example: files on remote server. R2(config)#aaa new-model R2(config)#aaa authentication login AUTH-LOCAL local We are asked for SSL VPN user authentication via local user database. The user connects to the IP address of your IOS router and authenticates on the website presented to him. so that we need to enable AAA and tell the router it should look for users in its local database.

R2(config)#ip http server
R2(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R2(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R2(config)#
%PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate

SSL VPN requires the HTTPS server to be enabled on the router. Once we enable it, the router generates a self signed SSL certificate. This also creates a trustpoint in the router's configuration. However, for SSL VPN we need our own custom trustpoint to generate the self signed certificate and use it for securing sessions, because we were requested to configure named keys and use specific fields in the certificate.

R2(config)#crypto ca trustpoint SELF-CA
R2(ca-trustpoint)# rsakeypair MY-KEYS 1024
R2(ca-trustpoint)# subject-name O=MicronicsTrainnig.com, ST=CA, C=US
R2(ca-trustpoint)# ip-address none
R2(ca-trustpoint)# enrollment selfsigned
R2(ca-trustpoint)# serial-number none
R2(ca-trustpoint)# exit

R2(config)#crypto ca enroll SELF-CA
The router has already generated a Self Signed Certificate for trustpoint TP-self-signed-2253035440. If you continue the existing trustpoint and Self Signed Certificate will be deleted.
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
Generate Self Signed Router Certificate? [yes/no]: yes
%CRYPTO-6-AUTOGEN: Generated new 1024 bit key pair
Router Self Signed Certificate successfully created

We need to request a self signed certificate from our local trustpoint. To do that we use the same command as for enrolling with a remote CA server. Note that there is already a trustpoint which has generated a self signed certificate; this trustpoint is overwritten by our custom trustpoint.

R2(config)#webvpn gateway SSL-GATEWAY

R2(config-webvpn-gateway)# ip address 10.1.12.2 port 443
R2(config-webvpn-gateway)# http-redirect port 80
R2(config-webvpn-gateway)# ssl trustpoint SELF-CA
R2(config-webvpn-gateway)# inservice
R2(config-webvpn-gateway)# exit

The SSL VPN configuration has two parts. One is the gateway and the other is the context. The gateway specifies general network properties like the IP address and port of the server, the associated trustpoint whose certificate is used, and the port redirection feature.

R2(config)#webvpn context SSL-CONTEXT
R2(config-webvpn-context)# aaa authentication list AUTH-LOCAL
R2(config-webvpn-context)# gateway SSL-GATEWAY
R2(config-webvpn-context)# max-users 10
R2(config-webvpn-context)# url-list Device-Configuration
R2(config-webvpn-url)# heading "Device Configuration"
R2(config-webvpn-url)# url-text R4-Config url-value http://10.1.24.4
R2(config-webvpn-url)# exit
R2(config-webvpn-context)# policy group SSL-POLICY
R2(config-webvpn-group)# mask-urls
R2(config-webvpn-group)# hide-url-bar
R2(config-webvpn-group)# url-list Device-Configuration
R2(config-webvpn-group)# exit
R2(config-webvpn-context)# default-group-policy SSL-POLICY
R2(config-webvpn-context)# inservice
R2(config-webvpn-context)# exit

A context specifies the "portal" view for users connecting to the device. The user establishes an SSL VPN to the router and sees a website prepared by the administrator and used for connections to the corporate network. The context must have an associated gateway and a policy. The policy describes what a user may see on the portal. Both the SSL VPN context and the gateway must be enabled using the "inservice" command. Do not forget that!

R2(config)#username student1 password student123
R2(config)#ip route 10.1.100.0 255.255.255.0 10.1.12.1

Step 2 R4 configuration.

R4(config)#ip http server

100. .255.12.100. If no default route is used.1. . Lost = 0 (0% loss). .1. Run web browser and type in the address bar: http://10. : 10. 1.1: bytes=32 time=2ms TTL=255 Reply from 10. . Click Yes to accept the certificate. Ethernet adapter Rack: Connection-specific DNS Suffix . .1. .1.1 with 32 bytes of data: Reply from 10.255. configure static route. . Verification: On PC connect to R2 using SSL enabled web browser. Check if you have connectivity.1: bytes=32 time<1ms TTL=255 Reply from 10. . . .100. . Page 871 of 1033 . The SSL certificate warning window should appear. . . .0 10.1. .0 Default Gateway .CCIE SECURITY v4 Lab Workbook R4(config)#ip http authentication local R4(config)#username admin privilege 15 password admin123 To be able to verify our task we need to enable HTTP server on R4 and use local database authentication. Received = 4.100. .100. .200 Subnet Mask . . . Maximum = 2ms.255.2. : IP Address. : 255. Approximate round trip times in milli-seconds: Minimum = 0ms. .1 c:\>ping 10.1.100.1. . Average = 0ms 2. .100. : c:\>route add 10.1: bytes=32 time<1ms TTL=255 Ping statistics for 10.1. .100.1. .1.100. . .1 Pinging 10. .255.1: Packets: Sent = 4.12. . .1: bytes=32 time<1ms TTL=255 Reply from 10.1.0 mask 255.

3. The WebVPN website should be loaded. Use your credentials to log in.

4. After successful login you should see the configured bookmark. Click on it to connect to R4's web management GUI.

5. As the R4 management interface requires admin privileges, log in using the administrator (priv 15) account.

6. It works!

Task 2
Add the Thin Client WebVPN option to the previous configuration so that authenticated users are forwarded to router R4 when connecting to the following local ports:

Local Port   Remote Port (on R4)   Description
2200         22                    SSH to R4
2300         23                    TELNET to R4

The Java plugin must run automatically after the user's logon.

Using SSL VPN we can access corporate resources in a secure way. In the previous task we configured basic access to an "application" accessed by the web browser. However, what if we have an application installed on our local system which must connect to ports other than HTTP/HTTPS? Such an application must be "tunneled" somehow through our SSL VPN. This can be done using a feature called Port Forwarding, which is available in SSL VPN through a Java plug-in that runs in the web browser. Its main advantage is that the user does not need administrative privileges on the system to run the plug-in. We will use two applications to show how it works: a TELNET and an SSH client.

Configuration
Complete these steps:

Step 1 R2 configuration.

R2(config)#webvpn context SSL-CONTEXT
R2(config-webvpn-context)#port-forward Applications-List
R2(config-webvpn-port-fwd)#local-port 2200 remote-server 10.1.24.4 remote-port 22 description "SSH on R4"
R2(config-webvpn-port-fwd)#local-port 2300 remote-server 10.1.24.4 remote-port 23 description "TELNET on R4"
R2(config-webvpn-port-fwd)#exit

We need to add the Port Forwarding feature to our context. This is configured by enabling a "container" for our applications. The feature runs a Java plug-in on the client that starts listening on a local port on the loopback IP address 127.0.0.1. This port is then redirected by the plug-in to the real IP/port on the corporate network.

R2(config-webvpn-context)#policy group SSL-POLICY
R2(config-webvpn-group)#port-forward Applications-List autodownload
R2(config-webvpn-group)#exit
R2(config-webvpn-context)#exit

Configuring the Port Forward application list is not enough. We need to enable it by associating it with our Policy (the policy is already associated with the context). We can specify the Java plug-in behavior – it may run automatically when the client gets access to the portal or may be run manually.

Step 2 R4 configuration.

R4(config)#ip domain-name micronicstraining.com
R4(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R4.micronicstraining.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R4(config)#line vty 0 4
R4(config-line)#login local

We need an SSH server on R4 for verification purposes. To enable it, a hostname/domain-name must be configured and RSA keys generated.

Verification:
Connect using an SSL web browser from the PC to R2.

1. Run the web browser and type in the address bar: http://10.1.12.2. The SSL certificate warning window should appear. Click Yes to accept the certificate.

2. The WebVPN website should be loaded. Use your credentials to log in.

3. After successful login you should see the configured bookmark, and the Port Forwarding Java applet should start automatically. Depending on your browser's security level configuration you may have to accept some security warnings about running unsigned applets.

4. Telnet using your favorite terminal software to the IP address 127.0.0.1 and port 2300. You should be tunneled to R4. Note that the source IP address of this connection is R2's interface (10.1.24.2). Do the same for the SSH connection to the IP address 127.0.0.1 and port 2200.

5. Check the Java applet window and see that there are packets tunneled for both connections.

Task 3
Configure the full SSL VPN client on the R2 router. The SSL VPN Client package (sslclient-win-1.1.4.176.pkg) is located on the Flash memory. The user's workstation should get an IP address from a pool of 192.168.2.10 – 192.168.2.60. After the tunnel is set up the user should be able to connect to R4's F0/0 interface using SSH and TELNET natively. The rest of the user's traffic should be sent out without any encryption. The user should be able to manually start the Tunnel connection after successful authentication to the WebVPN.

Now, what if we have an application which has its server's IP address embedded in the code? That application must connect directly to its server. To make it happen we need full SSL client software installed on the client's machine. Hence, this is called Full Client mode or Tunnel Mode. The SVC works similarly to the IPSec client, but the SVC uses SSL for securing the connection. To run and install this software the client must have administrative privileges on the system. We also need the full client software (called SVC – SSL VPN Client) installed on the router to make it available to the client for download.

Configuration
Complete these steps:

Step 1 R2 configuration.

R2(config)#webvpn install svc flash:sslclient-win-1.1.4.176.pkg
SSLVPN Package SSL-VPN-Client : installed successfully

The SVC software image must already be on the flash. To use it with SSL VPN we must install it first.

R2(config)#ip access-list extended SSL-VPN-ACL
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.255 host 10.1.24.4 eq telnet
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.255 host 10.1.24.4 eq 22
R2(config-ext-nacl)# exit

This is an ACL specifying what traffic will be permitted through the tunnel built by the SVC. This is not a split tunnel list! This is

an ACL applied on the tunnel to make only certain services available to the client.

R2(config)#ip local pool SSL-VPN-POOL 192.168.2.10 192.168.2.60

This is a pool of IP addresses for the clients. Just like with the IPSec client, the full client software must get an IP address to use during the connection.

R2(config)#webvpn context SSL-CONTEXT
R2(config-webvpn-context)# policy group SSL-POLICY
R2(config-webvpn-group)# filter tunnel SSL-VPN-ACL
R2(config-webvpn-group)# svc split include 10.1.24.0 255.255.255.0

The tunnel filter must be configured under the Policy Group. The same applies to the Split Tunnel list.

R2(config-webvpn-group)# functions svc-enabled
R2(config-webvpn-group)# svc address-pool SSL-VPN-POOL

We need to enable the SVC in the policy and specify the IP address pool to be given out to the clients.

R2(config-webvpn-group)# exit
R2(config-webvpn-context)# exit

Verification:
Connect using an SSL web browser from the PC to R2.

1. Run the web browser and type in the address bar: http://10.1.12.2. The SSL certificate warning window should appear. Click Yes to accept the certificate.

2. The WebVPN website should be loaded. Use your credentials to log in.

3. After successful login you should see the Tunnel Connection (SVC) available. Click the Start button.

4. Allow the ActiveX applet to run in your web browser and install it.

5. You must have administrator rights to be able to install the applet.

6. After successful installation, the SSL VPN Client runs and establishes the tunnel.


Lab 1.64. Configuring SSL VPN (ASA)

Lab Setup
• R1's F0/0 and ASA1's E0/0 interface should be configured in VLAN 110
• R2's G0/0 and ASA1's E0/1 interface should be configured in VLAN 120
• R1's F0/1 and VPN Client PC (SW3 – F0/15) should be in VLAN 100
• Configure Telnet on all routers using password "cisco"
• Configure default routing on R1 and R2 pointing to the ASA

IP Addressing
Device   Interface   IP address
R1       F0/0        10.1.110.1 /24
         F0/1        10.1.100.1 /24
ASA1     E0/0        10.1.110.10 /24
         E0/1        10.1.120.10 /24
R2       F0/0        10.1.120.2 /24
PC       NIC         10.1.100.200 /24

Task 1
Configure Clientless SSL VPN on ASA1 so that it allows users to access R2's HTTP server after successful authentication using the local user database located on the ASA. The user named "student1" with a password of "student123" should be able to enter a custom URL to go to R2. You may need to enable the HTTP server on R2 and configure a local administrator account (admin/admin123) to verify this task.

1 Step 3 R2 configuration.1. All SSL VPN headend configuration we perform under “webvpn” mode.CCIE SECURITY v4 Lab Workbook  Same SSL VPN functionality is available on the ASA. The configuration on the ASA is much simpler than on IOS. Configuration Complete these steps: Step 1 ASA1 configuration.0 mask 255. The Group Policy may be internal (configured on the ASA) or external (configured on the ACS).110. We just configure everything using “webvpn” configuration mode and group policy to specify all user properties. route add 10.0 10.255. R2(config)#ip http server R2(config)#ip http authentication local R2(config)#username admin privilege 15 password admin123 R2(config)#line vty 0 4 Page 885 of 1033 .255. We do not use gateways and contexts here. First we need enable it on an interface (usually on the outside interface). The functionality is pretty the same comparing to the IOS. ASA1(config-webvpn)# group-policy CL-SSL-VPN-GP internal ASA1(config)# group-policy CL-SSL-VPN-GP attributes ASA1(config-group-policy)# vpn-tunnel-protocol webvpn ASA1(config-group-policy)# exit The client connection (what does he/she see after connecting to the ASA) is performed under Group Policy which is associated with a user account. ASA1(config)# username student1 pass student123 ASA1(config)# username student1 attributes ASA1(config-username)# vpn-group-policy CL-SSL-VPN-GP ASA1(config-username)# exi Step 2 Configure static route on client PC. ASA1(config)# webvpn ASA1(config-webvpn)# enable outside INFO: WebVPN and DTLS are enabled on 'outside'.100.1.

R2(config-line)#login local
R2(config)#end

We need to enable the HTTP server on R2 to verify this task.

(Optional) If R2 has no internal HTTP server software (this depends on the IOS version), you can store a file on the flash memory and then try to access it through the SSL VPN terminated on the ASA.

R2#copy run flash:run.txt
Destination filename [run.txt]?
1152 bytes copied in 3.956 secs (291 bytes/sec)

You can access that file by going to http://10.1.120.2/flash:run.txt (see step 4).

Verification

1. Run the web browser and type in the address bar: https://10.1.110.10. The SSL certificate warning window should appear. Click Yes to accept the certificate.

2. The WebVPN website should be loaded.

3. Use your credentials to log in.

4. Enter the custom URL to access the file stored on R2 (or R2's Web Server page if it exists). To access the file on R2's flash you need to enter 10.1.120.2/flash:run.txt. To access R2's Web Server, just enter 10.1.120.2 and click on Browse.

5. You need to first authenticate to R2 as the admin user.

6. The file is loaded (or the Web Server's start page is loaded). It works!

ASA1(config)# sh webvpn statistics
Total number of objects served 242
  html             95
  js               83
  css               0
  vb                0
  java archive      7
  java class        0
  image            17
  undetermined     40

ASA1(config)# sh crypto protocol statistics ssl
[SSL statistics]
  Encrypt packet requests: 8636
  Encapsulate packet requests: 8636
  Decrypt packet requests: 4755
  Decapsulate packet requests: 4755
  HMAC calculation requests: 13391
  SA creation requests: 145
  SA rekey requests: 0
  SA deletion requests: 145
  Next phase key allocation requests: 0
  Random number generation requests: 0
  Failed requests: 0

ASA1(config)# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username     : student1               Index        : 14
Public IP    : 10.1.100.200
Protocol     : Clientless

License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 66668                  Bytes Rx     : 16035
Group Policy : CL-SSL-VPN-GP          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 09:51:04 UTC Sat Jul 31 2010
Duration     : 0h:00m:20s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Note that we are using Clientless mode. The user "student1" has a group policy attached to his profile. The default tunnel group was used for terminating this connection.

Task 2
Add the Port Forwarding feature to the previous configuration so that authenticated users are forwarded to router R2 when connecting to the following local ports:

Local Port   Remote Port (on R2)   Description
2200         22                    SSH to R2
2300         23                    TELNET to R2

In addition to that, allow the user to run the "telnet.exe" application natively (connecting directly to R2's real IP address). Disable file browsing over the network.

The same Port Forwarding feature is available on the ASA. However, there is another feature called Smart Tunneling which "certifies" an application so that it can tunnel traffic through the SSL VPN no matter what IP address or port the traffic is destined to.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA1(config)# webvpn
ASA1(config-webvpn)# port-forward Devices 2200 10.1.120.2 22 SSH to R2
ASA1(config-webvpn)# port-forward Devices 2300 10.1.120.2 23 TELNET to R2

ASA1(config-webvpn)# smart-tunnel list Applications TELNET "telnet.exe"

Port Forwarding and Smart Tunneling are configured in "webvpn" mode. However, both features must be enabled under the Group Policy to be accessible to the user.

ASA1(config-webvpn)# group-policy CL-SSL-VPN-GP attributes
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)# smart-tunnel enable Applications
ASA1(config-group-webvpn)# port-forward enable Devices
ASA1(config-group-webvpn)# file-entry disable
ASA1(config-group-webvpn)# file-browsing disable

Here we need to enable Port Forwarding and Smart Tunneling. In addition to that we have been asked to disable File Browsing on the network.

Verification

1. Run the web browser and type in the address bar: https://10.1.110.10. The SSL certificate warning window should appear. Click Yes to accept the certificate.

2. The WebVPN website should be loaded. Use your credentials to log in.

3. After successful authentication, click on the Start Application button to run the Java-based Port Forwarding.

4. The Java applet is running and starts listening on the specified ports.

5. You can connect to R2 using your favorite terminal software. Use the local loopback IP address (127.0.0.1) and port 2300 to be forwarded to R2 on port 23.


6. See the counters incrementing.

7. Now, click on the Start Smart Tunnel button. Try to connect directly to R2 using telnet.

8. You can connect to R2's IP address natively using the telnet.exe application. Go to Start → Run, then enter "telnet 10.1.120.2" to connect directly to R2.

9. Click on the Details button to see that the counters for this connection are increasing.


Lab 1.65. AnyConnect 3.0 Basic Setup

Lab Setup
• R1's F0/0 and ASA84 E0/1 interface should be configured in VLAN 10
• R2's G0/0 and ASA84 E0/0 interface should be configured in VLAN 20
• Configure Telnet on all routers using password "cisco"
• Configure default routes on R1/R2 to point to the ASA and static routes to reach the routers' loopbacks

IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.1.1.1/24
R2       Lo0         2.2.2.2/24
         G0/0        100.2.2.2/24
PC       NIC         100.2.2.22/24

ASA84    E0/0        100.2.2.10/24
         E0/1        10.1.1.10/24

Task 1
Configure AnyConnect 3.0 on the ASA so that it is possible to log in on the Portal and download the AnyConnect client. Then, the user should be able to set up a full DTLS tunnel authenticating to the group CCIE with a username/password of ccie/ccie123. Give the client an IP address from the pool 192.168.15.1 – 254.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA84(config)# webvpn
ASA84(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA84(config-webvpn)# anyconnect image disk0:/anyconnect-win3.0.2052-k9.pkg
ASA84(config-webvpn)# anyconnect enable
ASA84(config-webvpn)# exi
ASA84(config)# username ccie password ccie123
ASA84(config)# ip local pool VPN-POOL 192.168.15.1-192.168.15.254
ASA84(config)# group-policy CCIE internal
ASA84(config)# group-policy CCIE attributes
ASA84(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
ASA84(config-group-policy)# address-pools value VPN-POOL
ASA84(config-group-policy)# exi
ASA84(config)# tunnel-group CCIE type remote-access
ASA84(config)# tunnel-group CCIE general-attributes
ASA84(config-tunnel-general)# default-group-policy CCIE
ASA84(config-tunnel-general)# ex
ASA84(config)# tunnel-group CCIE webvpn-attributes
ASA84(config-tunnel-webvpn)# group-alias CCIE
ASA84(config-tunnel-webvpn)# ex
ASA84(config)# webvpn
ASA84(config-webvpn)# tunnel-group-list enable
ASA84(config-webvpn)# exi

Step 2 Client PC configuration.

Go to the PORTAL using the address https://100.2.2.10, accept the certificate and authenticate to the group CCIE. Then go to the AnyConnect tab (on the left pane) and click on the Start

AnyConnect link. Note that this site was added to Trusted Sites in IE. This is useful to avoid the warning messages.

The web installation can be unsuccessful on Windows XP. You must then click on the link, download the installer and install it manually.



Run Cisco AnyConnect Secure Mobility Client from the Windows Start Menu. Click the Connect button.

Notice that if you do not have a correct DNS configuration on the host, AnyConnect displays an error message. It is not required to have DNS, but it may help.

The above message is displayed when the ASA uses its default Identity Certificate, generated based on the ASA's IP address. This certificate is self-signed and can be installed in the Windows local store.

However, this certificate is regenerated on every ASA restart, so it is not worth storing it. Better, enroll for an external PKI certificate and use the command 'ssl trust-point <TRUSTPOINT-NAME>' to specify which Identity certificate to use for SSL connections.

Provide a username and password for the CCIE group and hit OK.

Verification
AnyConnect has connected successfully. You can click on the Advanced... button to see more details.

Try to ping an IP address behind the ASA. Note that you can ping R1's F0/0 interface but not the Loopback. Why? (For the answer go to the next task.)

Below is the debug taken on the ASA during the connection. It is very useful to use the logging filtering feature to display just what is really important. The following commands display only the useful information on the console:

logging enable
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging

logging class svc console debugging

%ASA-6-725001: Starting SSL handshake with client outside:100.2.2.22/1072 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:100.2.2.22/1072 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : DES-CBC3-SHA
%ASA-7-725011: Cipher[4] : RC4-SHA
%ASA-7-725011: Cipher[5] : RC4-MD5
%ASA-7-725011: Cipher[6] : DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:100.2.2.22/1072
%ASA-6-725002: Device completed SSL handshake with client outside:100.2.2.22/1072
%ASA-5-722033: Group <CCIE> User <ccie> IP <100.2.2.22> First TCP SVC connection established for SVC session.
%ASA-6-722022: Group <CCIE> User <ccie> IP <100.2.2.22> TCP SVC connection established without compression
%ASA-4-722051: Group <CCIE> User <ccie> IP <100.2.2.22> Address <192.168.15.1> assigned to session
webvpn_rx_data_tunnel_connect
CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: asa84.cisco.com'
Processing CSTP header line: 'Host: asa84.cisco.com'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.07059'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.07059'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.0.07059'
webvpn_cstp_parse_request_field()
...input: 'Cookie: webvpn=369230436@24576@1075410852@427A1A2DFBFE94AE61D7BF5BC6EC169EC0E4BA1E'
Processing CSTP header line: 'Cookie: webvpn=369230436@24576@1075410852@427A1A2DFBFE94AE61D7BF5BC6EC169EC0E4BA1E'
Found WebVPN cookie: 'webvpn=369230436@24576@1075410852@427A1A2DFBFE94AE61D7BF5BC6EC169EC0E4BA1E'
WebVPN Cookie: 'webvpn=369230436@24576@1075410852@427A1A2DFBFE94AE61D7BF5BC6EC169EC0E4BA1E'
IPADDR: '369230436', INDEX: '24576', LOGIN: '1075410852'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Version: 1'
Processing CSTP header line: 'X-CSTP-Version: 1'

Setting version to '1'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Hostname: changeme1'
Processing CSTP header line: 'X-CSTP-Hostname: changeme1'
Setting hostname to: 'changeme1'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1406'
Processing CSTP header line: 'X-CSTP-MTU: 1406'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Address-Type: IPv4'
Processing CSTP header line: 'X-CSTP-Address-Type: IPv4'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Master-Secret: AD9F29FCBB9A377D9EC677B49948B78A342BF2DE7F950FD9D0775A4A8F43D4FE3F43A8BBF41C97959A0AE8BCB618678E'
Processing CSTP header line: 'X-DTLS-Master-Secret: AD9F29FCBB9A377D9EC677B49948B78A342BF2DE7F950FD9D0775A4A8F43D4FE3F43A8BBF41C97959A0AE8BCB618678E'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Accept-Encoding: lzs,deflate'
Processing CSTP header line: 'X-CSTP-Accept-Encoding: lzs,deflate'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Accept-Encoding: lzs'
Processing CSTL header line: 'X-DTLS-Accept-Encoding: lzs'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 192.168.15.1/255.255.255.0
CSTP state = HAVE_ADDRESS
SVC: NP setup
np_svc_create_session(0x6000, 0xa92b1640, TRUE)
webvpn_svc_np_setup
SVC ACL Name: NULL
SVC ACL ID: -1
SVC ACL ID: -1
vpn_put_uauth success!
SVC IPv6 ACL Name: NULL
SVC IPv6 ACL ID: -1
SVC: adding to sessmgmt
SVC: Sending response
Sending X-CSTP-FW-RULE msgs: Start
Sending X-CSTP-FW-RULE msgs: Done
Sending X-CSTP-Quarantine: false
Sending X-CSTP-Disable-Always-On-VPN: false
Unable to initiate NAC, NAC might not be enabled or invalid policy

CSTP state = CONNECTED
%ASA-6-725001: Starting SSL handshake with client outside:100.2.2.22/1077 for DTLSv1 session.
%ASA-6-725003: SSL client outside:100.2.2.22/1077 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:100.2.2.22/1077
%ASA-5-722033: Group <CCIE> User <ccie> IP <100.2.2.22> First UDP SVC connection established for SVC session.
%ASA-6-722022: Group <CCIE> User <ccie> IP <100.2.2.22> UDP SVC connection established without compression
webvpn_rx_data_cstp
webvpn_rx_data_cstp: got internal message
Unable to initiate NAC, NAC might not be enabled or invalid policy

Task 2
Configure AnyConnect so that you can ping R1's loopback IP address (only ICMP is allowed) and you can TELNET only to R1's F0/0 IP address. All user traffic should go into the VPN tunnel and should be able to reach all internal hosts. Configure a Login Message for the users with the text 'Welcome to the Micronics Training network! Please behave.' Do not configure any dynamic routing protocol to accomplish this task.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA84(config)# access-list CCIE-FILTER permit icmp any host 1.1.1.1
ASA84(config)# access-list CCIE-FILTER permit tcp any host 10.1.1.1 eq 23
ASA84(config)# group-policy CCIE attributes
ASA84(config-group-policy)# vpn-filter value CCIE-FILTER
ASA84(config-group-policy)# banner value Welcome to the Micronics Training network! Please behave.
ASA84(config-group-policy)# exi
ASA84(config)# route inside 0 0 10.1.1.1 tunneled

Verification
// Banner message is displayed.

// All user traffic is going through the tunnel
// can ping 1.1.1.1, cannot ping 10.1.1.1
// can telnet to 10.1.1.1

ASA84(config)# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : ccie                   Index        : 9
Assigned IP  : 192.168.15.1           Public IP    : 100.2.2.22
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : RC4 AES128             Hashing      : none SHA1
Bytes Tx     : 10910                  Bytes Rx     : 4860
Group Policy : CCIE                   Tunnel Group : CCIE
Login Time   : 22:32:19 UTC Thu Jan 29 2004
Duration     : 0h:04m:27s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA84(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          0
remote access VPN user 'ccie' at 192.168.15.1, authenticated
   access-list CCIE-FILTER (*)

Task 3
Configure the ASA so that all internal users (behind the ASA's Inside interface) are able to reach the Internet by translating their IP addresses to the ASA's Outside IP address. Configure the AnyConnect client so that the user can ping its local network devices (i.e. 100.2.2.2). Do not break any previous tasks.

Configuration
Complete these steps:

Step 1 ASA configuration.

ASA84(config)# object network ANYNET
ASA84(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASA84(config-network-object)# nat (inside,outside) dynamic interface
ASA84(config-network-object)# exi

Note that after configuring this, all Inside traffic is translated when going out through the Outside interface, including the traffic returning to the AnyConnect VPN user. You must exclude VPN traffic from translation. Note the following SYSLOG message indicating the issue:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.15.1/1139(LOCAL\ccie) dst inside:10.1.1.1/23 denied due to NAT reverse path failure

ASA84(config)# object network VPN-POOL
ASA84(config-network-object)# subnet 192.168.15.0 255.255.255.0
ASA84(config-network-object)# exi
ASA84(config)# nat (inside,outside) source static ANYNET ANYNET destination static VPN-POOL VPN-POOL

Now we can connect to the network behind the ASA, as the returning traffic is NOT subject to NAT. However, we still cannot ping IPs in the local subnet. To make it work we need to configure the Split Tunneling feature for AnyConnect.

ASA84(config)# access-list ST standard permit host 10.1.1.1
ASA84(config)# access-list ST standard permit host 1.1.1.1
ASA84(config)# group-policy CCIE attributes
ASA84(config-group-policy)# split-tunnel-network-list value ST
ASA84(config-group-policy)# split-tunnel-policy tunnelspecified
ASA84(config-group-policy)# exi

Verification
// reconnect to the ASA and check the AnyConnect routing table

// try to ping a local IP address

Lab 1.66. AnyConnect 3.0 Advanced Features

Lab Setup
 R1's F0/0 and ASA84 E0/1 interface should be configured in VLAN 10
 R2's G0/0 and ASA84 E0/0 interface should be configured in VLAN 20
 Configure Telnet on all routers using password "cisco"
 Configure default routes on R1/R2 to point to the ASA and static routes to reach the routers' loopbacks

IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/24
         F0/0        10.1.1.1/24
R2       Lo0         2.2.2.2/24
         G0/0        100.2.2.2/24
ASA84    E0/0        100.2.2.10/24
         E0/1        10.1.1.10/24
PC       NIC         100.2.2.22/24

Before you start

This lab is based on the previous configuration. Do not erase the config! Use the WinXP PC as a management station.

Task 1

Configure DNS and DHCP Servers on R1 and R2 for their local networks as follows:

R1
!
ip dhcp pool VLAN10
 network 10.1.1.0 /24
 domain-name cisco.local
 default-router 10.1.1.1
 dns-server 10.1.1.1
!
ip domain lookup
ip domain name cisco.local
ip host asa84.cisco.com 100.2.2.10
ip dns server
!

R2
!
ip dhcp pool VLAN20
 network 100.2.2.0 /24
 domain-name cisco.com
 default-router 100.2.2.2
 dns-server 100.2.2.2
!
ip domain lookup
ip domain name cisco.com
ip host asa84.cisco.com 100.2.2.10
ip dns server
!

Reconfigure the WinXP PC to obtain its IP address automatically.

Task 2

Configure AnyConnect 3.0 so that the user cannot disconnect the VPN tunnel and AnyConnect automatically tries to connect to the ASA headend whenever it is in the Outside network (behind the ASA's Outside interface, VLAN 20). You can use the DNS/DHCP servers configured on R1 and R2 to accomplish this task. Create an administrator account with the credentials admin/admin123. Generate a self-signed Identity Certificate for the ASA with the following Subject Name:
 • Common Name=asa84.cisco.com
 • Organization=Cisco
 • Organizational Unit=CCIE
Use that newly created certificate for SSL.

Configuration

Complete these steps:

Step 1 Configure the interface on the client PC to obtain an IP address from DHCP.

Step 2 ASA CLI configuration. To configure advanced AnyConnect features like Always-On, or to customize the user experience of the AnyConnect client, you must use ASDM and the Profile Editor. First generate keys and create the Identity Certificate for SSL:

ASA84(config)# crypto key generate rsa label KEYS modulus 1024
<key generation process omitted>
ASA84(config)# crypto ca trustpoint SSL-TRUST
ASA84(config-ca-trustpoint)# enrollment self
ASA84(config-ca-trustpoint)# subject-name CN=asa84.cisco.com,OU=ccie,O=cisco
ASA84(config-ca-trustpoint)# keypair KEYS
ASA84(config)# crypto ca enroll SSL-TRUST
<enrollment process omitted>
ASA84(config)# ssl trust-point SSL-TRUST

The 1024-bit modulus is what this lab uses; 1024-bit RSA is considered too weak today, so use at least 2048 bits anywhere outside the lab. Since the certificate is self-signed, install it in the PC's trusted certificate store so that the client does not see certificate warnings; Always On is meant to be used with a headend certificate the client trusts.

You must then configure ASDM access. Restricting the http command to the management station's address keeps ASDM reachable from that host only:

ASA84(config)# http server enable
ASA84(config)# http 100.2.2.22 255.255.255.255 outside
ASA84(config)# username admin password admin123 priv 15

Step 3 ASA ASDM configuration. Go to https://100.2.2.10/admin, authenticate as admin, click on Install ASDM Launcher and run the installer. Then run ASDM.

Go to Configuration --> Remote Access VPN --> AnyConnect Client Profile. Click the Add button and create a new profile. Name the new profile 'ccie' and assign it to the group CCIE. Check the option to enable the Always On VPN feature.

Note that ASDM has a very useful feature that shows all commands generated by ASDM and sent to the ASA. Using this you can see what commands are required on the CLI to configure a particular feature. To enable the command preview, go to Tools --> Preferences and check the 'Preview commands before sending them to the device' option.

Click OK and then Apply. You should see the commands preview if this option is enabled. Click the Send button.

Click on the Edit button to configure the AC3 Profile and go to the Preferences (Part 2) section. Configure it as follows:
 • Check Automatic VPN Policy
   o Trusted Network Policy = Disconnect
   o Untrusted Network Policy = Connect
   o Trusted DNS Domains = cisco.local
   o Trusted DNS Servers = 10.1.1.1
 • Check Always On
   o Uncheck Allow VPN Disconnect

cisco. Now when connecting to the ASA headend. Page 920 of 1033 .com Click OK and then Apply the settings.cisco.CCIE SECURITY v4 Lab Workbook Go to Server List and Add new server with the following information: • Host Display Name (required) = asa84.xml) to the client and apply all options configured on it.com • FQDN or IP Address = asa84. the Anyconnect Client will download the Profile config file (ccie.

The profile is stored on Windows XP in the folder C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile.

Verification

Now go to the WinXP PC and connect to asa84.cisco.com (the FQDN should be resolved against the R2 DNS server). Note that the host is in domain cisco.com and its DNS server is R2. Note that after connecting the Disconnect button is greyed out.

Let's make a test. Disable the NIC, reassign the switchport to VLAN 10 and re-enable the NIC.

SW3(config)#int g1/0/15
SW3(config-if)#sw acc vl 10

The WinXP PC is now in VLAN 10 and gets its network settings (domain cisco.local, DNS server 10.1.1.1) from R1. After a while the AC3 realizes, based on those DNS settings, that it is in a Trusted Network and there is no need for the VPN tunnel, so it disconnects on its own. This feature is called TND – Trusted Network Detection.

Let's revert to the correct VLAN (20). Disable the NIC, change the VLAN on the port and enable the NIC. Now the WinXP PC is in VLAN 20 again and gets all network settings from R2. Note that the AC3 tries to reconnect automatically and re-establishes the tunnel to the ASA.

Keep in mind what TND actually keys on: the DNS suffix and DNS server addresses the adapter received from DHCP. Any network that hands out cisco.local and 10.1.1.1 (a rogue DHCP server, for instance) looks "trusted" to the client and the tunnel is dropped. TND decides when the client connects; it does not tell you whether a network can be trusted. The data path is protected by the tunnel and the headend certificate, not by TND.
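The TND behaviour seen in the test above, written out as a decision function. This is an added example for this edit, not AnyConnect code and not from the workbook. It uses the ccie profile values from this lab (cisco.local, 10.1.1.1, Disconnect/Connect, Always On without Allow VPN Disconnect). How AnyConnect combines the criteria is an assumption of this model (every configured criterion must match for an adapter to count as trusted); the TndProfile/Adapter names and the tnd_action/user_can_disconnect functions are likewise the example's own. Confirm the exact semantics against the AnyConnect administrator guide for your release.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of the AnyConnect Trusted Network Detection (TND) decision.
# Assumption of this model: an adapter is trusted only when every configured
# criterion (trusted DNS domains, trusted DNS servers) matches it.


@dataclass
class TndProfile:
    trusted_dns_domains: List[str] = field(default_factory=list)
    trusted_dns_servers: List[str] = field(default_factory=list)
    trusted_network_policy: str = "Disconnect"    # what to do when a trusted network is detected
    untrusted_network_policy: str = "Connect"     # what to do when an untrusted network is detected
    always_on: bool = False
    allow_vpn_disconnect: bool = True


@dataclass
class Adapter:
    name: str
    dns_suffix: str
    dns_servers: List[str]
    is_vpn_adapter: bool = False   # the virtual adapter created by the tunnel itself


# The ccie profile built in ASDM above, as data.
CCIE_PROFILE = TndProfile(
    trusted_dns_domains=["cisco.local"],
    trusted_dns_servers=["10.1.1.1"],
    trusted_network_policy="Disconnect",
    untrusted_network_policy="Connect",
    always_on=True,
    allow_vpn_disconnect=False,
)


def adapter_is_trusted(adapter: Adapter, profile: TndProfile) -> bool:
    """True when the adapter's DHCP-supplied DNS settings satisfy every configured criterion."""
    checks = []
    if profile.trusted_dns_domains:
        checks.append(adapter.dns_suffix.lower() in (d.lower() for d in profile.trusted_dns_domains))
    if profile.trusted_dns_servers:
        checks.append(any(s in profile.trusted_dns_servers for s in adapter.dns_servers))
    return bool(checks) and all(checks)


def tnd_action(adapters: List[Adapter], profile: TndProfile, vpn_connected: bool) -> str:
    """Policy action after a network change.  The VPN virtual adapter is ignored;
    only physical adapters decide whether the client is on a trusted network."""
    physical = [a for a in adapters if not a.is_vpn_adapter]
    trusted = any(adapter_is_trusted(a, profile) for a in physical)
    if trusted:
        return profile.trusted_network_policy if vpn_connected else "DoNothing"
    return "DoNothing" if vpn_connected else profile.untrusted_network_policy


def user_can_disconnect(profile: TndProfile) -> bool:
    """With Always On, the Disconnect button is only offered when the profile allows it."""
    return (not profile.always_on) or profile.allow_vpn_disconnect


if __name__ == "__main__":
    vlan10 = Adapter("NIC in VLAN 10", "cisco.local", ["10.1.1.1"])     # settings from R1's DHCP
    vlan20 = Adapter("NIC in VLAN 20", "cisco.com", ["100.2.2.2"])      # settings from R2's DHCP
    tunnel = Adapter("AnyConnect virtual adapter", "cisco.local", ["10.1.1.1"], is_vpn_adapter=True)
    print("moved to VLAN 10 while connected:", tnd_action([vlan10, tunnel], CCIE_PROFILE, vpn_connected=True))
    print("back in VLAN 20, tunnel down:   ", tnd_action([vlan20], CCIE_PROFILE, vpn_connected=False))
    print("user may press Disconnect:      ", user_can_disconnect(CCIE_PROFILE))
```

Running it reproduces the two transitions in the test: the move into VLAN 10 yields Disconnect, the move back into VLAN 20 yields Connect, and the Disconnect button stays unavailable. The fifth assertion below is the case the caveat above is about: a suffix match alone is not enough in this model, yet anyone who controls DHCP can satisfy both criteria.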

1/24 E0/0 112.200.100.1.1.1.100/24 ACS NIC 10.1.100.2/24 PC NIC 10.10/24 E0/1 112.200.2/24 G0/1 10.1. EasyVPN Server on ASA with LDAP authentication Lab Setup  R1’s F0/0 and ASA1’s E0/0 interface should be configured in VLAN 110  R2’s G0/0 and ASA1’s E0/1 interface should be configured in VLAN 120  R1’s F0/1 and VPN Client PC (SW3 – F0/15) should be in VLAN 100  R2’s G0/1 and ACS server (SW3 – F0/14) should be in VLAN 200  Configure Telnet on all routers using password “cisco”  Configure default routing on R1 and R2 pointing to the ASA IP Addressing Device Interface IP address R1 F0/0 112.100.10/24 G0/0 112. Page 924 of 1033 .1.200.1.100/24 ASA1 R2 Task 1 Configure EasyVPN Server on ASA and authenticate user “student” with a password of “cisco123!” to LDAP server (Microsoft AD) configured on the ACS server.1/24 F0/1 10.67.100.1.200.CCIE SECURITY v4 Lab Workbook Lab 1.

200.com • LDAP administrator name/password: Administrator/cisco123! • LDAP user container name: Users • Domain name: micronicstraining.1. One of the most popular user dB is an LDAP database.1 – 10.254 addresses.100 • LDAP DN: micronicstraining. If AD user has no dial in permission (FALSE) set the SimultaneousLogins to 0.com Use the following ISAKMP parameters:  Phase 1: o Authentication: PSK o Encryption: 3DES o Hashing: MD5 o Group: 2  Phase 2: o Encryption: 3DES o Hashing: MD5 The user should get an IP address from a pool of 10.21.1. Configure TestPC with software VPN Client to connect to the EasyVPN server. The group should use internal policy so that it assigns an IP address from the pool and tells the VPN client to encrypt traffic to the network 10.  An EasyVPN user can be authenticates against different user databases. The Active Directory stores a lot of different user attributes so that we can use Page 925 of 1033 .21. Active Directory connection properties: • Server IP: 10.200.CCIE SECURITY v4 Lab Workbook Configure LDAP mapping so that Active Directory user’s “Dial in” permission (“msNPAllowDialin” LDAP attribute) will affect Simultaneous-Logins ASA EasyVPN parameter. Configure RIP version 2 between ASA1 and R2 and make sure the correct route back to VPN Client is injected to R2’s routing table.0/24 only. The most common LDAP database is Microsoft’s Active Directory which is often used by the companies. EasyVPN group named “SALES” with a password of “cisco123” should be configured on the ASA. if he/she has dial in permission (TRUE) set the Simultaneous-Logins to 1.1.1.

CCIE SECURITY v4 Lab Workbook them in EasyVPN scenario. A user account is often described like DN from the certificate. For example.DC=micronicstraining.0 255.com”.CN=IT.21.1-10. For example: CN=User1. Another thing is how to connect to the LDAP database? The structure of the LDAP database is like a X.1. ASA(config)# crypto isakmp enable outside ASA(config)# crypto isakmp policy 10 ASA(config-isakmp-policy)# auth pre-share ASA(config-isakmp-policy)# encr 3des ASA(config-isakmp-policy)# hash md5 ASA(config-isakmp-policy)# group 2 ASA(config-isakmp-policy)# exi ASA(config)# ip local pool EZVPN-POOL 10. Configuration Complete these steps: Step 1 ASA configuration.com.255. EasyVPN config mode attributes are incompatible with LDAP attributes. The ASA has native LDAP support – this means it can directly contact LDAP server and ask for user properties.0 ASA(config)# ldap attribute-map LDAP-MAP ASA(config-ldap-attribute-map)# map-name msNPAllowDialin Simultaneous-Logins ASA(config-ldap-attribute-map)# map-value msNPAllowDialin FALSE 0 ASA(config-ldap-attribute-map)# map-value msNPAllowDialin TRUE 1 ASA(config-ldap-attribute-map)# exi Page 926 of 1033 .255.200. This defines if the particular user may or may not Dial In to the network.254 ASA(config)# access-list ST standard permit 10.21. The LDAP database has its own structure so we need to know that structure to find appropriate fields and values in the database.1. In the previous versions of the ASA there must be ACS server configured with external LDAP database to make it happen. we need to map those attributes to the EasyVPN attributes.1. We can use that attribute in our policy.DC=com means that there is a user named “User1” with an Organizational Unit container named “IT” in the Active Directory database for a domain of “micronicstraining. To be able to use LDAP user attributes.509 certificate. each AD user has Dial In permission configured.

We need to map LDAP attributes to the corresponding EasyVPN attributes. In this example we're mapping the LDAP attribute named "msNPAllowDialin" to the EasyVPN attribute named Simultaneous-Logins. This EasyVPN attribute controls how many simultaneous logins the ASA accepts for a particular group/user. As we know that the "msNPAllowDialin" attribute can have a value of TRUE or FALSE, we can decide the number of simultaneous logins for each of these values.

ASA(config)# aaa-server LDAP-SVR protocol ldap
ASA(config-aaa-server-group)# aaa-server LDAP-SVR (inside) host 10.200.1.100
ASA(config-aaa-server-host)# ldap-base-dn DC=micronicstraining,DC=com
ASA(config-aaa-server-host)# ldap-scope subtree
ASA(config-aaa-server-host)# ldap-login-dn CN=Administrator,CN=Users,DC=micronicstraining,DC=com
ASA(config-aaa-server-host)# ldap-login-password cisco123!
ASA(config-aaa-server-host)# server-type microsoft
ASA(config-aaa-server-host)# ldap-attribute-map LDAP-MAP
ASA(config-aaa-server-host)# exi

The LDAP server access is configured on the ASA as for any other AAA server; this time the protocol used is not RADIUS/TACACS+ but LDAP. The login (bind) account for that server must be given in DN notation. With server-type microsoft the ASA uses sAMAccountName as the naming attribute, so the user lookup becomes a search for (sAMAccountName=<username>) below the base DN, which is exactly what the debug output later in this lab shows. We also need to assign the LDAP mapping configured previously to the LDAP server.

Two things to change outside the lab: this configuration talks to AD on TCP/389 with a simple bind, so the Administrator bind password and every VPN user's password cross the inside network in cleartext (use ldap-over-ssl enable with server-port 636 instead), and the bind account should be a dedicated read-only user rather than the domain Administrator.

ASA(config)# group-policy SALES-POLICY internal
ASA(config)# group-policy SALES-POLICY attributes
ASA(config-group-policy)# vpn-tunnel-protocol IPSec
ASA(config-group-policy)# address-pools value EZVPN-POOL
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value ST
ASA(config-group-policy)# ex
ASA(config)# tunnel-group SALES type remote-access
ASA(config)# tunnel-group SALES general-attributes
ASA(config-tunnel-general)# authentication-server-group LDAP-SVR
ASA(config-tunnel-general)# default-group-policy SALES-POLICY
ASA(config-tunnel-general)# tunnel-group SALES ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key cisco123
ASA(config-tunnel-ipsec)# ex

Under the tunnel group we specify our LDAP server as the authentication method for users.

ASA(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
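The two pieces the ASA assembles from this configuration, the user search and the attribute map, as a small runnable model. This is an added example written for this edit; it is not ASA code and not part of the workbook. It parses the LDAP-MAP block from above, applies it to constructed AD entries (a user with msNPAllowDialin TRUE, one with FALSE, one without the attribute) and builds the search filter the debug output shows. Assumptions of the example: the group-policy fallback of 3 is the ASA default for vpn-simultaneous-logins, an attribute value with no map-value line is passed through unchanged, and the function names and sample entries are the example's own.

```python
from typing import Dict, Tuple

# Constructed copy of the lab's attribute map, in the form `show running-config
# ldap` prints it.  The parser and the evaluation below model what the ASA does
# with it; they are not ASA code.
LDAP_MAP_CONFIG = """\
ldap attribute-map LDAP-MAP
  map-name  msNPAllowDialin Simultaneous-Logins
  map-value msNPAllowDialin FALSE 0
  map-value msNPAllowDialin TRUE 1
"""

# Value that applies when the LDAP entry carries no mapped attribute: the
# group-policy setting (vpn-simultaneous-logins defaults to 3 on the ASA).
GROUP_POLICY_DEFAULTS = {"Simultaneous-Logins": "3"}

AttributeMap = Dict[str, Tuple[str, Dict[str, str]]]


def parse_attribute_map(text: str) -> AttributeMap:
    """map-name / map-value lines -> {ldap_attr: (cisco_attr, {ldap_value: cisco_value})}."""
    amap: AttributeMap = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "map-name":
            amap[parts[1]] = (parts[2], {})
        elif len(parts) == 4 and parts[0] == "map-value":
            if parts[1] not in amap:
                raise ValueError(f"map-value for {parts[1]} has no preceding map-name")
            amap[parts[1]][1][parts[2]] = parts[3]
    return amap


def apply_attribute_map(entry: Dict[str, str], amap: AttributeMap,
                        defaults: Dict[str, str]) -> Dict[str, str]:
    """Effective Cisco attributes for one user entry: the step the debug shows as
    'msNPAllowDialin: value = TRUE' -> 'mapped to Simultaneous-Logins: value = 1'."""
    result = dict(defaults)
    for ldap_attr, (cisco_attr, values) in amap.items():
        if ldap_attr not in entry:
            continue                        # attribute absent: the group-policy value stays
        raw = entry[ldap_attr]
        # Assumption of this model: a value with no map-value line is passed through unchanged.
        result[cisco_attr] = values.get(raw, raw)
    return result


def login_allowed(attrs: Dict[str, str]) -> bool:
    """Simultaneous-Logins 0 means an authenticated user is still refused a session."""
    try:
        return int(attrs["Simultaneous-Logins"]) > 0
    except ValueError:
        return False                        # an unmapped, non-numeric value must never grant access


# RFC 4515 escaping for values placed inside a search filter.  The ASA builds
# the filter itself; this shows why the naming-attribute value must be escaped
# before it is interpolated into "(sAMAccountName=...)".
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search(base_dn: str, naming_attr: str, username: str) -> Dict[str, str]:
    """The search the debug shows: Base DN from ldap-base-dn, Scope from
    ldap-scope subtree, Filter from the server-type microsoft naming attribute."""
    return {"base": base_dn, "scope": "SUBTREE",
            "filter": f"({naming_attr}={escape_filter_value(username)})"}


if __name__ == "__main__":
    amap = parse_attribute_map(LDAP_MAP_CONFIG)
    # Constructed entries standing in for what AD returns for three users.
    users = {"student": {"sAMAccountName": "student", "msNPAllowDialin": "TRUE"},
             "denied":  {"sAMAccountName": "denied", "msNPAllowDialin": "FALSE"},
             "unset":   {"sAMAccountName": "unset"}}
    for name, entry in users.items():
        attrs = apply_attribute_map(entry, amap, GROUP_POLICY_DEFAULTS)
        print(f"{name:8} Simultaneous-Logins={attrs['Simultaneous-Logins']} login_allowed={login_allowed(attrs)}")
    print(build_search("DC=micronicstraining,DC=com", "sAMAccountName", "student")["filter"])
    print(build_search("DC=micronicstraining,DC=com", "sAMAccountName", "student)(objectClass=*")["filter"])
```

The "unset" user is the case worth checking in a real deployment: a user with no Dial-in setting at all does not get 0, it gets whatever the group policy says, so the deny-by-default behaviour the task asks for only holds if the group policy itself is set to 0 (vpn-simultaneous-logins 0) and the TRUE mapping opens it up.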

ASA(config)# crypto dynamic-map DYN-CMAP 10 set transform-set TS
ASA(config)# crypto dynamic-map DYN-CMAP 10 set reverse-route
ASA(config)# crypto map Ezee 100 ipsec-isakmp dynamic DYN-CMAP
ASA(config)# crypto map Ezee interface outside
ASA(config)# route outside 0 0 112.100.1.1
ASA(config)# route inside 10.200.1.0 255.255.255.0 112.200.1.2
ASA(config)# router rip
ASA(config-router)# ver 2
ASA(config-router)# no aut
ASA(config-router)# passive-interface default
ASA(config-router)# no passive-interface inside
ASA(config-router)# network 112.0.0.0
ASA(config-router)# redistribute static
ASA(config-router)# exi

The set reverse-route on the dynamic map makes the ASA install a host static route for each connected client's assigned address (Reverse Route Injection); redistribute static then advertises that route to R2 through RIP. Note that redistribute static also advertises every other static route on the ASA (the default route and 10.200.1.0/24 here); attach a route-map to it if only the RRI routes should be advertised.

Step 2 R2 configuration.

R2(config)#router rip
R2(config-router)#ver 2
R2(config-router)#no aut
R2(config-router)#net 112.0.0.0
R2(config-router)#exi

Step 3 Optionally install Active Directory as an LDAP server.

These steps are optional and depend on whether Active Directory already exists and how it is configured. Install and pre-configure Active Directory on the ACS server by running the "dcpromo" command. The configuration wizard will run. Hit the Next button.

Hit the Next button again. Select "Domain controller for a new domain" and hit Next. Select "Domain in a new forest" and hit Next.

Enter "micronicstraining.com" as the name for the new domain and hit Next. Leave the default name for the NetBIOS domain name. Hit Next. Leave the default setting for the database and log paths. Hit Next.

Leave the default path for the SYSVOL folder. Hit Next. Select the option to NOT configure DNS and hit Next. This step can be a bit different depending on your DNS configuration. Select permissions compatible with Windows 2000 and Windows 2003. Hit Next.

Enter some password for AD restore mode. Hit Next. Hit Next on the summary page. The wizard is now installing and configuring Active Directory. It may take some time; be patient.

It displays a summary upon completing the task. Hit Finish. The system must be restarted after the AD installation. After restarting the system, go to Start -> Administrative Tools -> AD Users and Computers and select the Users container.

Click on the "Create a new user in the current container" icon, enter the following settings for a "student" user and hit Next. Enter a password of "student123!" for the user and hit Next (the task statement uses "cisco123!"; whichever password is set here is the one the VPN client must use). Click Finish to create the new user.

Double click the new user and go to the Dial-in tab. Select the Allow access option and hit OK.

Verification

Go to TestPC and configure a new connection to the EasyVPN Server. Authenticate using the "student" user credentials.

Ping R2 to see if the traffic goes through the tunnel.

C:\>ping 112.200.1.2

Pinging 112.200.1.2 with 32 bytes of data:

Reply from 112.200.1.2: bytes=32 time=140ms TTL=255
Reply from 112.200.1.2: bytes=32 time=127ms TTL=255
Reply from 112.200.1.2: bytes=32 time=64ms TTL=255
Reply from 112.200.1.2: bytes=32 time=110ms TTL=255

Ping statistics for 112.200.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 64ms, Maximum = 140ms, Average = 110ms

See the Statistics after the connection. Check whether the correct split tunneling has been configured.

ASA# sh cryp isak sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.100.1.100
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86321

ASA# sh cry ips sa
interface: outside
    Crypto map tag: DYN-CMAP, seq num: 10, local addr: 112.100.1.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.1.1/255.255.255.255/0/0)
      current_peer: 10.100.1.100, username: student
      dynamic allocated peer ip: 10.21.1.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 112.100.1.10, remote crypto endpt.: 10.100.1.100

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 71387A50

      inbound esp sas:
        spi: 0x082E7C0B (137264139)
           transform: esp-3des esp-md5-hmac no compression
           in use settings ={RA, Tunnel, }
           slot: 0, conn_id: 20480, crypto-map: DYN-CMAP
           sa timing: remaining key lifetime (sec): 28720
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x0000001F
      outbound esp sas:
        spi: 0x71387A50 (1899526736)
           transform: esp-3des esp-md5-hmac no compression
           in use settings ={RA, Tunnel, }
           slot: 0, conn_id: 20480, crypto-map: DYN-CMAP
           sa timing: remaining key lifetime (sec): 28720
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

Packets are being encrypted and decrypted by the ASA.

ASA# sh vpn-sessiondb remote

Session Type: IPsec

Username     : student                Index        : 5
Assigned IP  : 10.21.1.1              Public IP    : 10.100.1.100
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 240                    Bytes Rx     : 240
Group Policy : SALES-POLICY           Tunnel Group : SALES
Login Time   : 19:07:55 UTC Mon Jun 21 2010
Duration     : 0h:01m:23s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

The user has been authenticated against the LDAP server and received attributes based on SALES-POLICY.

ASA# sh aaa-server protocol ldap
Server Group:    LDAP-SVR
Server Protocol: ldap
Server Address:  10.200.1.100
Server port:     0
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests          0
Average round trip time             0ms
Number of authentication requests   7

Number of authorization requests    0
Number of accounting requests       0
Number of retransmissions           0
Number of accepts                   4
Number of rejects                   0
Number of challenges                0
Number of malformed responses       0
Number of bad authenticators        0
Number of timeouts                  3
Number of unrecognized responses    0

The LDAP server is active and has been consulted for authentication.

ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 112.100.1.1 to network 0.0.0.0

C    112.200.1.0 255.255.255.0 is directly connected, inside
C    112.100.1.0 255.255.255.0 is directly connected, outside
S    10.200.1.0 255.255.255.0 [1/0] via 112.200.1.2, inside
S    10.21.1.1 255.255.255.255 [1/0] via 112.100.1.1, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 112.100.1.1, outside

There is a static route in the ASA's routing table for the connected user, injected by reverse route injection.

ASA(config)# sh rip database
0.0.0.0/0    auto-summary
0.0.0.0/0    redistributed [1] via 0.0.0.0
10.0.0.0/8    auto-summary
10.200.1.0/24    redistributed [1] via 0.0.0.0
10.21.1.1/32    redistributed [1] via 0.0.0.0
112.0.0.0/8    auto-summary
112.100.1.0/24    directly connected, Ethernet0
112.200.1.0/24    directly connected, Ethernet1
ASA(config)#

The static route has been redistributed into the RIP domain.

100. Received Fragmentation VID Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.OSPF NSSA external type 1.10 The prefix is visible on R2 now.100.200.0.connected.0.100. 2 masks R C S* 10. R .100.100. IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.0/0 [1/0] via 112.IS-IS level-2 ia . U .200.1.0/24 is subnetted.1.0 is directly connected.1.1.21. GigabitEthernet0/0 C 112. processing ISA_KE payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.CCIE SECURITY v4 Lab Workbook *Jun 21 22:04:44. O .OSPF external type 1.1.200.100. B .1.0/8 is variably subnetted.1.IS-IS.per-user static route o .1. processing ke payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.IS-IS summary.100.100.0. 2 subnets R 112.10.1.EIGRP external.100.100.100.1.100. processing VID payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.OSPF inter area N1 . GigabitEthernet0/0 10. P . su .100.1. IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849 Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.1.ODR. M .167: %SYS-5-CONFIG_I: Configured from console by console R2#sh ip rou Codes: C . processing VID payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.200.EIGRP.1.100.100.periodic downloaded static route Gateway of last resort is 112.100.0 112.200. Received DPD VID Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.1. processing VID payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.OSPF.1. processing VID payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.1. Jun 21 19:07:54 [IKEv1]: IP = 10.0.100.IS-IS inter area.1.200. 2 subnets.10.1.candidate default.0. The connection is matching correct tunnel group. processing nonce payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.1.10 to network 0. GigabitEthernet0/1 0. GigabitEthernet0/0 10.0 [120/1] via 112.1. processing ID payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.1.100.mobile. 
Received xauth V6 VID Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.0. E2 .static.100.OSPF external type 2 i .BGP D .100. L2 . N2 . 00:00:04.100.0. * .100.0/24 is directly connected. S .100. L1 . processing SA payload Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.RIP.1/32 [120/1] via 112. IA .OSPF NSSA external type 2 E1 .100.0. 00:00:04. Verification (detailed) ASA# sh deb debug ldap enabled at level 9 debug crypto isakmp enabled at level 9 The first packet of Aggressive Mode contains group name.100.1.IS-IS level-1. EX . Received NAT-Traversal ver 02 VID Page 941 of 1033 .1.

Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.1.100, processing VID payload
Jun 21 19:07:54 [IKEv1 DEBUG]: IP = 10.100.1.100, Received Cisco Unity client VID
Jun 21 19:07:54 [IKEv1]: IP = 10.100.1.100, Connection landed on tunnel_group SALES
Jun 21 19:07:54 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing IKE SA payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing ISAKMP SA payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing ke payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing nonce payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Generating keys for Responder...
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing ID payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing hash payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Computing hash for ISAKMP
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing Cisco Unity VID payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing xauth V6 VID payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing dpd vid payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing NAT-Traversal VID ver 02 payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing NAT-Discovery payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, computing NAT Discovery hash
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing NAT-Discovery payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, computing NAT Discovery hash
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing Fragmentation VID + extended capabilities payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing VID payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 21 19:07:55 [IKEv1]: IP = 10.100.1.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Jun 21 19:07:55 [IKEv1]: IP = 10.100.1.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing hash payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Computing hash for ISAKMP
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing notify payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing NAT-Discovery payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, computing NAT Discovery hash
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing NAT-Discovery payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, computing NAT Discovery hash
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing VID payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, processing VID payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Received Cisco Unity client VID
Jun 21 19:07:55 [IKEv1]: Group = SALES, IP = 10.100.1.100, Automatic NAT Detection Status:  Remote end is NOT behind a NAT device  This end is NOT behind a NAT device
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing blank hash payload
Jun 21 19:07:55 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, constructing qm hash payload
Jun 21 19:07:55 [IKEv1]: IP = 10.100.1.100, IKE_DECODE SENDING Message (msgid=f715d9ad) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Jun 21 19:07:56 [IKEv1]: IP = 10.100.1.100, IKE_DECODE RECEIVED Message (msgid=f715d9ad) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, process_attr(): Enter!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, IP = 10.100.1.100, Processing MODE_CFG Reply attributes.

The LDAP session must verify the user's credentials and send back all of the user's attributes.

[10] Session Start
[10] New request Session, context 0x4792f78, reqType = 1
[10] Fiber started
[10] Creating LDAP context with uri=ldap://10.200.1.100:389
[10] Connect to LDAP server: ldap://10.200.1.100:389, status = Successful
[10] supportedLDAPVersion: value = 3
[10] supportedLDAPVersion: value = 2
[10] Binding as administrator
[10] Performing Simple authentication for Administrator to 10.200.1.100
[10] LDAP Search:
        Base DN = [DC=MICRONICSTRAINING,DC=COM]
        Filter  = [sAMAccountName=student]
        Scope   = [SUBTREE]

[10] User DN = [CN=student,CN=Users,DC=micronicstraining,DC=com]
[10] Talking to Active Directory server 10.200.1.100
[10] Reading password policy for student, dn:CN=student,CN=Users,DC=micronicstraining,DC=com
[10] Read bad password count 0
[10] Binding as user
[10] Performing Simple authentication for student to 10.200.1.100
[10] Processing LDAP response for user student
[10] Checking password policy
[10] Authentication successful for student to 10.200.1.100
[10] Retrieved User Attributes:
[10]    objectClass: value = top
[10]    objectClass: value = person
[10]    objectClass: value = organizationalPerson
[10]    objectClass: value = user
[10]    cn: value = student
[10]    givenName: value = student
[10]    distinguishedName: value = CN=student,CN=Users,DC=micronicstraining,DC=com
[10]    instanceType: value = 4
[10]    whenCreated: value = 20100622045216.0Z
[10]    whenChanged: value = 20100622045305.0Z
[10]    displayName: value = student
[10]    uSNCreated: value = 13790
[10]    uSNChanged: value = 13799
[10]    name: value = student
[10]    objectGUID: value = (binary value, not printable)
[10]    userAccountControl: value = 512
[10]    badPwdCount: value = 0
[10]    codePage: value = 0
[10]    countryCode: value = 0
[10]    badPasswordTime: value = 0
[10]    lastLogoff: value = 0
[10]    lastLogon: value = 0
[10]    pwdLastSet: value = 129216559364531250
[10]    primaryGroupID: value = 513
[10]    userParameters: value = m: d.
[10]    objectSid: value = (binary value, not printable)
[10]    accountExpires: value = 9223372036854775807
[10]    logonCount: value = 0
[10]    sAMAccountName: value = student
[10]    sAMAccountType: value = 805306368
[10]    userPrincipalName: value = [email protected]
[10]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=micronicstraining,DC=com
[10]    msNPAllowDialin: value = TRUE
[10]            mapped to Simultaneous-Logins: value = 1
[10] Fiber exit Tx=693 bytes Rx=2654 bytes, status=1
[10] Session End

It seems the correct user attribute is matched and mapped to the Simultaneous-Logins EasyVPN attribute.

<debug crypto isakmp output continues; mode-config and Quick Mode lines shown, repetitive attribute and payload-construction lines omitted>
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, User (student) authenticated.
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKEGetUserAttributes: primary DNS = cleared
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKEGetUserAttributes: split tunneling list = ST
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKEGetUserAttributes: IP Compression = disabled
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=4a727d34) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 56
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=4a727d34) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=535785e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 177
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for IPV4 address!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for IPV4 net mask!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for DNS server address!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for WINS server address!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for Split Tunnel List!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for Banner!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for PFS setting!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for backup ip-sec peer list!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, MODE_CFG: Received request for Application Version!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Client Type: WinNT  Client Application Version: 5.0.05.0290
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Received unsupported transaction mode attribute: 5
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Obtained IP addr (10.1.21.1) prior to initiating Mode Cfg (XAuth enabled)
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, Assigned private IP address 10.1.21.1 to remote user
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Send Cisco Smartcard Removal Disconnect enable!!
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=535785e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 180
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, PHASE 1 COMPLETED
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, Keep-alive type for this connection: DPD
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Starting P1 rekey timer: 82080 seconds.
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=e4373f07) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1022
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Received remote Proxy Host data in ID Payload:  Address 10.1.21.1, Protocol 0, Port 0
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, QM IsRekeyed old sa not found by addr
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, IPSec SA Proposal # 11, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKE Remote Peer configured for crypto map: DYN-CMAP
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKE got SPI from key engine: SPI = 0x082e7c0b
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Sending RESPONDER LIFETIME notification to Initiator
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=e4373f07) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 176
Jun 21 19:07:56 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=e4373f07) with payloads : HDR + HASH (8) + NONE (0) total length : 48
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Security negotiation complete for User (student)  Responder, Inbound SPI = 0x082e7c0b, Outbound SPI = 0x71387a50
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKE got a KEY_ADD msg for SA: SPI = 0x71387a50
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Pitcher: received KEY_UPDATE, spi 0x82e7c0b
Jun 21 19:07:56 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Starting P2 rekey timer: 27360 seconds.
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, Adding static route for client address: 10.1.21.1
Jun 21 19:07:56 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, PHASE 2 COMPLETED (msgid=e4373f07)
ASA# un all
ASA#

Test

To test, let's disable the Dial-in permission for the "student" username and connect again. The connection fails and the XAuth login window keeps reappearing.

ASA# deb crypto isakmp 9
ASA# deb ldap 9
debug ldap  enabled at level 9
Jun 21 19:11:41 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, processing SA payload
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, processing ke payload
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, processing ISA_KE payload
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, processing nonce payload
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, processing ID payload
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, Received xauth V6 VID
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, Received DPD VID
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, Received Fragmentation VID
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, Received NAT-Traversal ver 02 VID
Jun 21 19:11:41 [IKEv1 DEBUG]: IP = 10.1.100.100, Received Cisco Unity client VID
Jun 21 19:11:41 [IKEv1]: IP = 10.1.100.100, Connection landed on tunnel_group SALES
Jun 21 19:11:41 [IKEv1 DEBUG]: Group = SALES, IP = 10.1.100.100, processing IKE SA payload
Jun 21 19:11:41 [IKEv1 DEBUG]: Group = SALES, IP = 10.1.100.100, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1
<Aggressive Mode payload construction, vendor ID and NAT discovery lines omitted>
Jun 21 19:11:41 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Jun 21 19:11:41 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Jun 21 19:11:41 [IKEv1 DEBUG]: Group = SALES, IP = 10.1.100.100, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jun 21 19:11:41 [IKEv1 DEBUG]: Group = SALES, IP = 10.1.100.100, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end is NOT behind a NAT device
Jun 21 19:11:43 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=9f26ceb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Jun 21 19:11:43 [IKEv1 DEBUG]: Group = SALES, IP = 10.1.100.100, Processing MODE_CFG Reply attributes.
[12] Session Start
[12] New request Session, context 0x4792f78, reqType = 1
[12] Fiber started
[12] Creating LDAP context with uri=ldap://10.1.100.200:389
[12] Connect to LDAP server: ldap://10.1.100.200:389, status = Successful
[12] supportedLDAPVersion: value = 3
[12] supportedLDAPVersion: value = 2
[12] Binding as administrator
[12] Performing Simple authentication for Administrator to 10.1.100.200
[12] LDAP Search:
        Base DN = [DC=MICRONICSTRAINING,DC=COM]
        Filter  = [sAMAccountName=student]
        Scope   = [SUBTREE]
[12] User DN = [CN=student,CN=Users,DC=micronicstraining,DC=com]
[12] Talking to Active Directory server 10.1.100.200
[12] Reading password policy for student, dn:CN=student,CN=Users,DC=micronicstraining,DC=com
[12] Read bad password count 0
[12] Binding as user
[12] Performing Simple authentication for student to 10.1.100.200
[12] Processing LDAP response for user student
[12] Checking password policy
[12] Authentication successful for student to 10.1.100.200
[12] Retrieved User Attributes:
<same attribute list as in the previous test, except for the following>
[12]   whenChanged: value = 20100622050649.0Z
[12]   uSNChanged: value = 13817
[12]   msNPAllowDialin: value = FALSE
[12]   mapped to Simultaneous-Logins: value = 0
[12] Fiber exit Tx=693 bytes Rx=2655 bytes, status=1
[12] Session End

This time the attribute has the value FALSE, so it is mapped to zero.

Jun 21 19:11:43 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=9f26ceb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Jun 21 19:11:47 [IKEv1]: IP = 10.1.100.100, IKE_DECODE RECEIVED Message (msgid=91334584) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Processing MODE_CFG Reply attributes.
Jun 21 19:11:47 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=91334584) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 93
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, Error processing payload: Payload ID: 14
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKE TM V6 FSM error history (struct &0x48036d8)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_WAIT_REPLY, EV_TEST_TM_H6
<remaining FSM error history lines omitted>
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKE AM Responder FSM error history (struct &0x49253a8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, IKE SA AM:ee83af8c terminating:  flags 0x0105c001, refcnt 0, tuncnt 0

The user authentication has been terminated due to Simultaneous Logins = 0.

Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, sending delete/delete with reason message
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, constructing blank hash payload
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, constructing IKE delete payload
Jun 21 19:11:47 [IKEv1 DEBUG]: Group = SALES, Username = student, IP = 10.1.100.100, constructing qm hash payload
Jun 21 19:11:47 [IKEv1]: IP = 10.1.100.100, IKE_DECODE SENDING Message (msgid=52a01bc8) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jun 21 19:11:47 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, Removing peer from peer table failed, no match!
Jun 21 19:11:47 [IKEv1]: Group = SALES, Username = student, IP = 10.1.100.100, Error: Unable to remove PeerTblEntry
Jun 21 19:11:47 [IKEv1]: IP = 10.1.100.100, Received encrypted packet with no matching SA, dropping


CCIE SECURITY v4 LAB WORKBOOK

Advanced VPN Features

Narbik Kocharians
CCIE #12410 (R&S, Security, SP)
CCSI #30832

Piotr Matusiak
CCIE #19860 (R&S, Security)
C|EH, CCSI #33705


Lab 1.68. IPSec Stateful Failover

Lab Setup

 R1's F0/0, R2's G0/0 and R5's F0/0 interfaces should be configured in VLAN 125
 R2's G0/1, R5's F0/1 and R4's F0/1 interfaces should be configured in VLAN 245
 Configure Telnet on all routers using the password "cisco"

IP Addressing

Device   Interface   IP address
R1       F0/0        10.1.125.1/24
         Lo0         1.1.1.1/24
R2       G0/0        10.1.125.2/24
         G0/1        10.1.245.2/24
R4       F0/1        10.1.245.4/24
         Lo0         4.4.4.4/24
R5       F0/0        10.1.125.5/24
         F0/1        10.1.245.5/24

Task 1

Configure a Site to Site IPSec VPN between R1 and the R2-R5 pair to protect traffic going between the networks 1.1.1.0/24 and 4.4.4.0/24. R1 must be configured to establish IKE with the VIP address of the R2/R5 HA pair. Use 254 in the 4th octet of the VIP address

and enable tracking of all interfaces. R2 should be the Active HSRP peer. Ensure that all IPSec information (sessions, states, etc.) is exchanged between R2 and R5 using Stream Control Transmission Protocol (SCTP) as the transport protocol. This should be transparent to the user: no tunnel re-negotiation should occur. Use the following ISAKMP parameters:

 Phase 1:
   o Authentication: PSK
   o Encryption: DES
   o Hashing: SHA
   o Group: 1
   o Key: cisco123
 Phase 2:
   o Encryption: 3DES
   o Hashing: SHA

Stateful Failover for IPSec is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP). HSRP is configured on two routers and enables a Virtual IP address (VIP) to be used as the tunnel endpoint. SSO is necessary for IPsec and IKE to learn about the redundancy state of the network and to synchronize their internal application state with the redundant peer. The SSO feature uses Inter-Process Communication (IPC) with Stream Control Transmission Protocol (SCTP) as the transport protocol to send all IPSec information to the backup router. Using HSRP and SSO we can build a stateful IPSec solution with high availability, because all dynamic IPSec information is sent over to the backup router and used in case of a primary router failure.

The configuration is straightforward and requires configuring "standby" properties on the interface pair (on two different routers). There is also a need for the "standby name" command, which is used later to configure SSO and crypto map redundancy. If we need to use two standby groups for two interface pairs (one for the outside and one for the inside interfaces), we need to ensure that both HSRP groups become unavailable when only one interface fails. This can be done by enabling the interface tracking feature.

Configuration

Complete these steps:

Step 1  R2 IPSec configuration.

R2(config)#int g0/0
R2(config-if)#standby 1 ip 10.1.125.254
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 name VPN-HA
R2(config-if)#standby 1 track g0/1
R2(config-if)#
%HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active
R2(config-if)#exi

This is the configuration of the "outside" interface, meaning the interface where the IPSec tunnel will be terminated. HSRP has a priority of 100 by default, so we need to ensure that the other router has a lower priority. We should track our "inside" interface to make sure that the whole router becomes unavailable when only one interface fails. Finally, there must be a name for the HSRP group, which will be used later in the crypto and SSO configuration.

R2(config)#int g0/1
R2(config-if)#standby 2 ip 10.1.245.254
R2(config-if)#standby 2 preempt
R2(config-if)#standby 2 track g0/0
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 2 state Standby -> Active
R2(config-if)#exi
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#auth pre
R2(config-isakmp)#exi
R2(config)#crypto isakmp key cisco123 address 10.1.125.1
R2(config)#access-list 120 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha
R2(cfg-crypto-trans)#exi
R2(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set transform-set TSET
R2(config-crypto-map)#match address 120

R2(config-crypto-map)#reverse-route
R2(config-crypto-map)#exi

The crypto configuration is the standard configuration of a typical Site to Site IPSec VPN. The same configuration must be done on both routers.

R2(config)#int g0/0
R2(config-if)#crypto map CMAP redundancy VPN-HA stateful
R2(config-if)#
%CRYPTO-5-IKE_SA_HA_STATUS: IKE sa's if any, for vip 10.1.125.254 will change from STANDBY to ACTIVE
R2(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

The crypto map is attached to the "outside" interface with two additional keywords:

 "redundancy <HSRP-Gr-Name>" binds the standby IP address as the local tunnel endpoint and, at the same time, ensures that stateless (without the "stateful" keyword) HSRP failover is facilitated between the active and standby devices that belong to the same standby group.
 "stateful" enables IPSec state information to be sent over to the other device using SSO.

R2(config)#ip route 4.4.4.0 255.255.255.0 10.1.245.4

Step 2  R5 IPSec configuration.

R5(config)#int f0/0
R5(config-if)#standby 1 ip 10.1.125.254
R5(config-if)#standby 1 priority 90

One difference is that on the backup router the HSRP priority must be lower than on the primary router.

R5(config-if)#standby 1 preempt
R5(config-if)#standby 1 name VPN-HA
R5(config-if)#standby 1 track f0/1
R5(config-if)#exi
R5(config)#int f0/1
R5(config-if)#standby 2 ip 10.1.245.254
R5(config-if)#standby 2 preempt
R5(config-if)#standby 2 priority 90
R5(config-if)#standby 2 track f0/0
R5(config-if)#exi

R5(config)#crypto isakmp policy 10
R5(config-isakmp)#authentication pre-share
R5(config-isakmp)#exi
R5(config)#crypto isakmp key cisco123 address 10.1.125.1
R5(config)#access-list 120 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)#exi
R5(config)#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
R5(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#reverse-route
R5(config-crypto-map)#exi
R5(config)#int f0/0
R5(config-if)#crypto map CMAP redundancy VPN-HA stateful
R5(config-if)#
%CRYPTO-5-IKE_SA_HA_STATUS: IKE sa's if any, for vip 10.1.125.254 will change from STANDBY to ACTIVE
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config)#ip route 4.4.4.0 255.255.255.0 10.1.245.4

Step 3  R2 IPSec HA configuration.

The SSO configuration must reference the HSRP group name so that the other device can notice that the primary device has failed. SCTP is the transport protocol of the inter-device IPC association; its local and remote IP address and port are configurable.

R2(config)#redundancy inter-device
R2(config-red-interdevice)#scheme standby VPN-HA
R2(config-red-interdevice)#exi
R2(config)#ipc zone default
R2(config-ipczone)#association 1
R2(config-ipczone-assoc)#protocol sctp
R2(config-ipc-protocol-sctp)#local-port 12345
R2(config-ipc-local-sctp)#local-ip 10.1.125.2
R2(config-ipc-local-sctp)#ex

R2(config-ipc-protocol-sctp)#remote-port 12345
R2(config-ipc-remote-sctp)#remote-ip 10.1.125.5
R2(config-ipc-remote-sctp)#exi
R2(config-ipc-protocol-sctp)#exi
R2(config-ipczone-assoc)#exi
R2(config-ipczone)#exi

Step 4  R5 IPSec HA configuration.

R5(config)#redundancy inter-device
R5(config-red-interdevice)#scheme standby VPN-HA
% Standby scheme configuration cannot be processed now group VPN-HA is not in active state
R5(config-red-interdevice)#exi
R5(config)#ipc zone default
R5(config-ipczone)#association 1
R5(config-ipczone-assoc)#protocol sctp
R5(config-ipc-protocol-sctp)#local-port 12345
R5(config-ipc-local-sctp)#local-ip 10.1.125.5
R5(config-ipc-local-sctp)#ex
R5(config-ipc-protocol-sctp)#remote-port 12345
R5(config-ipc-remote-sctp)#remote-ip 10.1.125.2
R5(config-ipc-remote-sctp)#exi
R5(config-ipc-protocol-sctp)#exi
R5(config-ipczone-assoc)#exi
R5(config-ipczone)#exi

Quick Verification

R5#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
  Pending Scheme: Standby (Will not take effect until next reload)
  Pending Groupname: VPN-HA
  Scheme: <NOT CONFIGURED>
  Peer present: UNKNOWN
  Security: Not configured

Unfortunately, enabling SSO requires a device reload before it becomes operational.

R5#wr
Building configuration...
[OK]
R5#relo
Proceed with reload? [confirm]

After R5 reloads (do not forget to save your config):

R5#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby
    Groupname: VPN-HA Group State: Standby
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured

R2#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
  Scheme: Standby
    Groupname: VPN-HA Group State: Active
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured

After the reload, SSO monitors the HSRP group and sends IPSec information between the devices. Now we need to configure R1 to be able to set up the IPSec tunnel and verify our solution.

Configuration

Complete these steps:

Step 5  R1 IPSec configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#auth pre
R1(config-isakmp)#exi
R1(config)#crypto isakmp key cisco123 address 10.1.125.254
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha
R1(cfg-crypto-trans)#exi
R1(config)#access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#match address 120
R1(config-crypto-map)#set peer 10.1.125.254
R1(config-crypto-map)#exi
R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 6 R4 routing.

R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.125.254

Step 7 R1 routing.

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.254

Verification

We need some interesting traffic to trigger our IPSec VPN. Let's ping from R1 to R4.

R1#pi 4.4.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

R1#sh cryp ips sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
   current_peer 10.1.125.254 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.125.254
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xE757BC0F(3881286671)
     PFS (Y/N): N, DH group: none

The traffic has been encrypted/decrypted. Note that the peer IP address is the HSRP VIP.

     inbound esp sas:
      spi: 0xAB00724C(2868933196)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4524905/3588)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE757BC0F(3881286671)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4524905/3588)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#sh cry isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.1.1.1        10.1.125.254           ACTIVE des  sha  psk  1  23:59:35
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R2#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
Scheme: Standby
Groupname: VPN-HA
Group State: Active
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured

R2#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.125.254

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.125.254, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xAB00724C(2868933196)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE757BC0F(3881286671)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4438095/3562)
        HA KB life last checkpointed at (k): (4438096)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAB00724C(2868933196)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4438095/3562)
        HA KB life last checkpointed at (k): (4438096)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

The same on R2: we see the traffic going through the tunnel.

     outbound ah sas:

     outbound pcp sas:

R2#show crypto ha
IKE VIP: 10.1.125.254
  stamp: 9E 08 4C 2E 83 07 FE 77 91 F8 29 1F 6C 9B F9 88
IPSec VIP: 10.1.125.254

R2#show redundancy states
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
        Unit ID = 0

Maintenance Mode = Disabled
    Manual Swact = Enabled
 Communications = Up

   client count = 12
 client_notification_TMR = 30000 milliseconds
          RF debug mask = 0x0

R2#show redundancy inter
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
Scheme: Standby
Groupname: VPN-HA
Group State: Active
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured

R2#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.1.1 port 500
  IKE SA: local 10.1.125.254/500 remote 10.1.1.1/500 Active
  IPSEC FLOW: permit ip 4.4.4.0/255.255.255.0 1.1.1.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map

Note that IKE is using the HSRP VIP address. This is due to the "redundancy" keyword in the crypto map.

R5#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Scheme: Standby
Groupname: VPN-HA
Group State: Standby
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured

R5#show redundancy states
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
        Unit ID = 0

Maintenance Mode = Disabled
    Manual Swact = Enabled
 Communications = Up

   client count = 12
 client_notification_TMR = 30000 milliseconds
          RF debug mask = 0x0

R5#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  10.1.125.254    10.1.1.1               STDBY  des  sha  psk  1  23:58:02
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R5#show crypto ipsec sa
No active IPSec SAs

R5#show crypto ha
IKE VIP: 10.1.125.254
  stamp: 9E 08 4C 2E 83 07 FE 77 91 F8 29 1F 6C 9B F9 88
IPSec VIP: 10.1.125.254

R5#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-IDLE-STANDBY
Peer: 10.1.1.1 port 500
  IKE SA: local 10.1.125.254/500 remote 10.1.1.1/500 Active
R5#

Note: You may get the following error message, which indicates that your hardware does not support IPSec HA. Only specific hardware supports that feature.

%CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IPSec - extract keys'
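The verification above is easy to misread when the pair is only half-way through a reload. The following script is an added example, not part of the workbook: it parses the "show redundancy inter-device" and "show crypto session" output of both routers and reports anything that does not match a healthy SSO pair (active in RF_INTERDEV_STATE_ACT with UP-ACTIVE, standby in RF_INTERDEV_STATE_STDBY with UP-IDLE-STANDBY, IKE bound to the VIP on both). The sample outputs are constructed from the R2/R5 output shown above; HSRP_VIP is the VIP from "show crypto ha".

```python
import re

# Added example, not from the workbook: check an IPSec SSO pair from the text of
# "show redundancy inter-device" and "show crypto session" taken on both routers.
# Sample outputs are constructed to match the R2 (active) / R5 (standby) output above.

HSRP_VIP = "10.1.125.254"   # IKE/IPSec VIP reported by "show crypto ha"

R2_INTERDEV = """\
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
Scheme: Standby
Groupname: VPN-HA
Group State: Active
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
"""

R2_SESSION = """\
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.1.1 port 500
  IKE SA: local 10.1.125.254/500 remote 10.1.1.1/500 Active
  IPSEC FLOW: permit ip 4.4.4.0/255.255.255.0 1.1.1.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
"""

R5_INTERDEV = """\
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Scheme: Standby
Groupname: VPN-HA
Group State: Standby
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
"""

R5_SESSION = """\
Interface: FastEthernet0/0
Session status: UP-IDLE-STANDBY
Peer: 10.1.1.1 port 500
  IKE SA: local 10.1.125.254/500 remote 10.1.1.1/500 Active
"""

IKE_SA_RE = re.compile(r"IKE SA: local (\S+)/\d+ remote (\S+)/\d+ (\w+)")
STATUS_RE = re.compile(r"Session status: (\S+)")


def parse_interdev(text):
    """Turn the 'key: value' lines of show redundancy inter-device into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_sessions(text):
    """Return one dict per 'Interface:' block of show crypto session."""
    sessions = []
    for block in re.split(r"(?m)^Interface: ", text)[1:]:
        ike, status = IKE_SA_RE.search(block), STATUS_RE.search(block)
        sessions.append({
            "interface": block.splitlines()[0].strip(),
            "status": status.group(1) if status else None,
            "ike_local": ike.group(1) if ike else None,
            "ike_remote": ike.group(2) if ike else None,
        })
    return sessions


def check_ha_pair(act_interdev, act_session, sby_interdev, sby_session, vip):
    """Return a list of problems; an empty list means the pair looks healthy."""
    problems = []
    act, sby = parse_interdev(act_interdev), parse_interdev(sby_interdev)
    if act.get("Redundancy inter-device state") != "RF_INTERDEV_STATE_ACT":
        problems.append("active router is not in RF_INTERDEV_STATE_ACT")
    if sby.get("Redundancy inter-device state") != "RF_INTERDEV_STATE_STDBY":
        problems.append("standby router is not in RF_INTERDEV_STATE_STDBY (reload pending?)")
    for name, fields in (("active", act), ("standby", sby)):
        if fields.get("Peer present") != "RF_INTERDEV_PEER_COMM":
            problems.append(f"{name} router does not see its SSO peer over the IPC/SCTP link")
    if act.get("Groupname") != sby.get("Groupname"):
        problems.append("Groupname differs between active and standby")
    # The active box holds the live session, the standby a shadow copy of it,
    # and both must run IKE on the VIP (the 'redundancy' keyword on the crypto map).
    for name, text, want in (("active", act_session, "UP-ACTIVE"),
                             ("standby", sby_session, "UP-IDLE-STANDBY")):
        sessions = parse_sessions(text)
        if not sessions:
            problems.append(f"{name} router has no crypto session")
        for s in sessions:
            if s["status"] != want:
                problems.append(f"{name} session on {s['interface']} is {s['status']}, expected {want}")
            if s["ike_local"] != vip:
                problems.append(f"{name} IKE SA is bound to {s['ike_local']}, not the VIP {vip}")
    return problems
```

Feeding it the R5 output captured before the reload (RF_INTERDEV_STATE_INIT, peer UNKNOWN) flags the standby side rather than silently passing.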

Lab 1.69. IPSec Static VTI

Lab Setup
• R1's F0/0 and R2's G0/0 interface should be configured in VLAN 120
• Configure Telnet on all routers using password "cisco"

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/32
        F0/0       10.1.12.1/24
R2      G0/0       10.1.12.2/24
        Lo0        2.2.2.2/32

Task 1
Configure IPSec VPN between R1 and R2 using a Static VTI interface. Use the following ISAKMP parameters:
• Phase 1:
  o Authentication: PSK
  o Encryption: DES
  o Hashing: SHA
  o Group: 1
  o Key: cisco123
• Phase 2:
  o Encryption: 3DES
  o Hashing: SHA

Use IP addresses of 192.168.12.1 and 192.168.12.2 for tunnel addressing on R1 and R2 respectively. Ensure that all traffic destined to unknown networks is routed through the VPN tunnel.

• Static Virtual Tunnel Interface (sVTI) was developed as a successor to GRE over IPSec. GRE itself is very popular because it carries multicast traffic over the network with small overhead and performance impact. However, GRE alone is not secure, which is why we use IPSec to protect GRE traffic. There are two ways to do that: (1) using a crypto map and specifying GRE as the interesting traffic in a crypto ACL, and (2) using IPSec profiles and applying the tunnel protection command on the tunnel interface. In addition, GRE + IPSec causes trouble with MTU size and fragmentation, as it adds somewhere between 56 and 76 bytes to each packet. Static VTI addresses most of the issues of GRE over IPSec. It is nothing more than a tunnel interface with IPSec encapsulation. What does this mean for us?
• it carries multicast traffic natively
• there is no GRE involved, so no additional overhead (IOS sets the MTU of a VTI to 1442)
• no need for a crypto map on the physical interface
• no need for a crypto ACL: IOS encrypts all traffic sourced from the tunnel interface (the IPSec SA has 0.0.0.0 as source and destination)
• features like NAT or QoS are natively supported on the VTI interface, just as on any physical interface

Configuration

Complete these steps:

Step 1 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exi
R1(config)#crypto isakmp key cisco123 address 10.1.12.2

R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exi
R1(config)#crypto ipsec profile SVTI
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exi
R1(config)#interface Tunnel0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel destination 10.1.12.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile SVTI
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

Note that we did not configure a crypto ACL. All we need is an IPSec profile attached to the tunnel and appropriate routing pointing through the tunnel. Interface Tunnel0 is configured in the same way as for GRE except for one command: we must change the tunnel mode to IPSec (by default the tunnel mode is GRE). That's it.

Step 2 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exi
R2(config)#crypto isakmp key cisco123 address 10.1.12.1
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exi
R2(config)#crypto ipsec profile SVTI
R2(ipsec-profile)#set transform-set TSET
R2(ipsec-profile)#exi
R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.12.2 255.255.255.0

R2(config-if)#tunnel source GigabitEthernet0/0
R2(config-if)#tunnel destination 10.1.12.1
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile SVTI
R2(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#exi
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.1

Verification

R1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ping is successful.

R1#sh cryp isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1003  10.1.12.1       10.1.12.2              ACTIVE des  sha  psk  1  23:58:22
       Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

R1#sh cryp ips sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xA9FBBAF(178240431)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3DACD141(1034735937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: NETGX:9, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4477670/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9FBBAF(178240431)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2010, flow_id: NETGX:10, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4477670/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

ICMP packets have been encrypted/decrypted. Note the proxy IDs: 0/0 means that all packets from every source to every destination will be encrypted. This is equivalent to a crypto ACL of "permit ip any any".

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.12.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C    192.168.12.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 192.168.12.2

The default route points to the other end of the tunnel. Hence, packets must go through the tunnel in order to reach remote networks.

R1#sh int tu0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.12.1/24
  MTU 17883 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.1.12.1 (FastEthernet0/0), destination 10.1.12.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1443 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 500 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     20 packets output, 1920 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

R2#sh cry isak sa det

Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1002  10.1.12.2       10.1.12.1              ACTIVE des  sha  psk  1  23:56:46
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R2#sh cryp ips sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.2, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x3DACD141(1034735937)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA9FBBAF(178240431)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: Onboard VPN:7, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4550510/3402)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3DACD141(1034735937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: Onboard VPN:8, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4550510/3402)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh cryp sess
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.12.1 port 500
  IKE SA: local 10.1.12.2/500 remote 10.1.12.1/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

R2#sh cryp eng conn act
Crypto Engine Connections

   ID Type    Algorithm           Encrypt  Decrypt IP-Address
 1002 IKE     SHA+DES                   0        0 10.1.12.2
 2007 IPsec   3DES+SHA                  0        5 10.1.12.2
 2008 IPsec   3DES+SHA                  5        0 10.1.12.2

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.12.1 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, GigabitEthernet0/0
C    192.168.12.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 192.168.12.1

R2#sh int tu0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.12.2/24
  MTU 17883 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.1.12.2 (GigabitEthernet0/0), destination 10.1.12.1
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1443 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     20 packets input, 2000 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 500 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Lab 1.70. IKE encrypted keys

This lab setup is based on the previous lab configuration. You do not need to erase the configs before configuring this lab.

Lab Setup
• R1's F0/0 and R2's G0/0 interface should be configured in VLAN 120
• Configure Telnet on all routers using password "cisco"

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/32
        F0/0       10.1.12.1/24
R2      G0/0       10.1.12.2/24
        Lo0        2.2.2.2/32

Task 1
Configure IPSec VPN between R1 and R2 using a Static VTI interface. Use the following ISAKMP parameters:
• Phase 1:
  o Authentication: PSK
  o Encryption: DES
  o Hashing: SHA
  o Group: 1
  o Key: cisco123
• Phase 2:

  o Encryption: 3DES
  o Hashing: SHA

Use IP addresses of 192.168.12.1 and 192.168.12.2 for tunnel addressing on R1 and R2 respectively. Ensure that all traffic destined to unknown networks is routed through the VPN tunnel. Ensure that IKE pre-shared keys are encrypted using the most secure algorithm, with a master password of "Cisco!1234".

• The problem with pre-shared key (PSK) authentication is not that it is weak compared to authentication using certificates. The problem is that the keys are stored in the configuration in clear text, so an attacker who sees the configuration learns the PSK. The configuration may be stored on backup media or on a TFTP server in clear form, so getting that information is relatively easy. To resolve that issue we should either use certificates for authentication or enable strong encryption of the PSKs in the configuration. The second option is available from IOS version 12.3(2)T. To enable this feature we first need a Master Key configured on the router. The Master Key is used by the AES algorithm to encrypt all PSKs in the configuration. The master key is not stored in the router configuration and cannot be seen or obtained in any way while connected to the router. For security reasons, neither the removal of the master key nor the removal of the "password encryption aes" command decrypts the passwords in the router configuration. Once passwords are encrypted, they cannot be decrypted!

Configuration

Complete these steps:

Step 1 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exi
R1(config)#crypto isakmp key cisco123 address 10.1.12.2
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exi
R1(config)#crypto ipsec profile SVTI

R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exi
R1(config)#interface Tunnel0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel destination 10.1.12.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile SVTI
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R1(config)#key config-key password-encrypt Cisco!1234
R1(config)#password encryption aes

The first command configures the Master Key. If the key is not specified in the command, the router asks for it interactively on the command line. The second command actually encrypts the PSKs in the configuration.

Step 2 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exi
R2(config)#crypto isakmp key cisco123 address 10.1.12.1
R2(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exi
R2(config)#crypto ipsec profile SVTI
R2(ipsec-profile)#set transform-set TSET
R2(ipsec-profile)#exi
R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#tunnel source GigabitEthernet0/0
R2(config-if)#tunnel destination 10.1.12.1
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile SVTI
R2(config-if)#

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#exi
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.1
R2(config)#key config-key password-encrypt Cisco!1234
R2(config)#password encryption aes

Verification

[Before key encryption]
R2#sh run | in crypto
crypto isakmp policy 10
crypto isakmp key cisco123 address 10.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile SVTI

[After key encryption]
R2#sh run | in crypto
crypto isakmp policy 10
crypto isakmp key 6 `ABgQCUbUODNbNOMXLYU\ZXgVQfXfc]HF address 10.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile SVTI

The master key is essential for decrypting the password for crypto use. We can delete the master key, but then all encrypted passwords become unusable. You must then reissue the command with a new password in clear text to make it work again.

R2(config)#no key config-key password-encrypt
WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion ? [yes/no]: yes
R2(config)#do clear cry isak
R2(config)#do clear cry sa
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config)#do sh run | in key
crypto isakmp key 6 `ABgQCUbUODNbNOMXLYU\ZXgVQfXfc]HF address 10.1.12.1
R2(config)#do sh cry isa sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.12.1       10.1.12.2       MM_KEY_EXCH       1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

IKE cannot exchange keying material because the PSK is no longer accessible. Delete the encrypted PSK and create a new one in clear text.

R2(config)#no crypto isakmp key 6 `ABgQCUbUODNbNOMXLYU\ZXgVQfXfc]HF address 10.1.12.1
R2(config)#crypto isakmp key cisco123 address 10.1.12.1
Can not encrypt password. Please configure a configuration-key with 'key config-key'
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config)#do sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.12.1       10.1.12.2       QM_IDLE           1005    0 ACTIVE

IPv6 Crypto ISAKMP SA

Now IKE works fine!
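Because the clear-text PSK problem lives in backups and TFTP copies rather than on the router, it is worth checking saved configurations offline. The following audit script is an added example, not part of the workbook: it classifies every "crypto isakmp key" line as type 6 (encrypted) or clear text and checks that "password encryption aes" is present. The first two sample configs are constructed from the R2 "show run | in crypto" output above; the third is a constructed mixed case (the 10.1.13.3 and r4.example.test peers are invented) that exercises the explicit type-0 and hostname-scoped forms of the command.

```python
import re

# Added example, not from the workbook: audit a saved IOS configuration for ISAKMP
# pre-shared keys that are still readable, i.e. lines without the type-6 marker that
# "key config-key password-encrypt" + "password encryption aes" produce.

# Constructed from the R2 output before key encryption.
CONFIG_BEFORE = """\
crypto isakmp policy 10
crypto isakmp key cisco123 address 10.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile SVTI
"""

# Constructed from the R2 output after key encryption.
CONFIG_AFTER = """\
password encryption aes
crypto isakmp policy 10
crypto isakmp key 6 `ABgQCUbUODNbNOMXLYU\\ZXgVQfXfc]HF address 10.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile SVTI
"""

# Constructed mixed case (peers 10.1.13.3 and r4.example.test are invented): an
# explicit type-0 key and a hostname-scoped key next to a properly encrypted one.
CONFIG_MIXED = """\
password encryption aes
crypto isakmp key 6 `ABgQCUbUODNbNOMXLYU\\ZXgVQfXfc]HF address 10.1.12.1
crypto isakmp key 0 cisco123 address 10.1.13.3
crypto isakmp key cisco123 hostname r4.example.test
"""

# crypto isakmp key [0|6] <key> {address <ip> | hostname <name>}
KEY_RE = re.compile(
    r"^\s*crypto isakmp key\s+(?:(?P<type>[06])\s+)?(?P<key>\S+)\s+"
    r"(?P<scope>address|hostname)\s+(?P<peer>\S+)"
)


def audit_isakmp_keys(config_text):
    """Classify every ISAKMP pre-shared key in the config as encrypted or clear text."""
    report = {
        "aes_encryption_enabled": False,
        "encrypted": [],   # peers whose key is stored as type 6
        "cleartext": [],   # peers whose key is readable from the config
    }
    for line in config_text.splitlines():
        if line.strip() == "password encryption aes":
            report["aes_encryption_enabled"] = True
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        peer = f"{m.group('scope')} {m.group('peer')}"
        if m.group("type") == "6":
            report["encrypted"].append(peer)
        else:
            # No type, or explicit type 0: the PSK sits in the config exactly as typed.
            report["cleartext"].append(peer)
    return report


def is_compliant(report):
    """True when every PSK is type 6 and AES config encryption is switched on."""
    return report["aes_encryption_enabled"] and not report["cleartext"]
```

On a live router with a master key set, "password encryption aes" rewrites every key to type 6, so clear-text findings normally point at a stale backup or at a key pasted in from an old config.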

Lab 1.71. IPSec Dynamic VTI

Lab Setup
• R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
• R2's G0/1 and R4's F0/0 interface should be configured in VLAN 24
• R1's F0/1 and the PC NIC (SW3 F0/15) should be configured in VLAN 112
• Configure Telnet on all routers using password "cisco"
• Configure default routing on R4 pointing to R2 and on R2 pointing to R1

IP Addressing
Device  Interface  IP address
R1      F0/0       10.1.12.1/24
        F0/1       112.1.1.1/24
R2      G0/0       10.1.12.2/24
        G0/1       10.1.24.2/24
R4      F0/0       10.1.24.4/24
PC      NIC        112.1.1.200/24

Task 1
Configure an EasyVPN Server on R2 using a Dynamic VTI interface. Use the following ISAKMP parameters:
• Phase 1:
  o Authentication: PSK
  o Encryption: AES
  o Hashing: SHA
  o Group: 2

• Phase 2:
  o Encryption: AES 128
  o Hashing: SHA

A local user named "student1" with a password of "student123" should be able to connect to the SALES group using "cisco123" as the group password. The user should get an IP address from the pool 10.1.21.1 – 10.1.21.10. After connecting, only traffic destined to the network 10.1.24.0/24 should be encrypted.

• Cisco Enhanced Easy VPN is a newer method of configuring Easy VPN using a Dynamic Virtual Tunnel Interface (DVTI) instead of the crypto map used by traditional Easy VPN deployments. DVTI can be used in both the Easy VPN Server and Easy VPN Remote scenarios. DVTI relies on the virtual tunnel interface to create a virtual access interface for every new Easy VPN tunnel. The configuration of the virtual access interface is cloned from a virtual template configuration. The cloned configuration includes the IPSec configuration and any Cisco IOS feature configured on the virtual template interface, such as QoS, NAT, CBAC or ACLs.

Configuration

Complete these steps:

Step 1 R2 configuration.

R2(config)#aaa new-model
R2(config)#aaa authentication login AUTH-LOCAL local
R2(config)#aaa authorization network AUTHOR-LOCAL local
R2(config)#username student1 password student123
R2(config)#crypto isakmp policy 5
R2(config-isakmp)#encr aes
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exi
R2(config)#crypto isakmp client configuration group SALES
R2(config-isakmp-group)#key cisco123
R2(config-isakmp-group)#pool RA-VPN
R2(config-isakmp-group)#acl 124
R2(config-isakmp-group)#exi

As in every EasyVPN Server scenario, we need to configure a group with a password and a pool of addresses that will be used for the clients. The split tunneling feature is enabled by assigning an ACL to the group.

R2(config)#crypto ipsec transform-set TS-RA esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#exi

On the EasyVPN server we need to configure an ISAKMP policy and an IPSec policy. Those policies are then used by the ISAKMP profile and the IPSec profile respectively.

R2(config)#crypto isakmp profile IKE-RA
% A profile is deemed incomplete until it has match identity statements
R2(conf-isa-prof)#match identity group SALES
R2(conf-isa-prof)#client authentication list AUTH-LOCAL
R2(conf-isa-prof)#isakmp authorization list AUTHOR-LOCAL
R2(conf-isa-prof)#client configuration address respond
R2(conf-isa-prof)#virtual-template 1
R2(conf-isa-prof)#exi

The ISAKMP profile is consulted for every new ISAKMP packet arriving at the router. The profile has at least one "match" statement which must be true in order for this profile to be used. In an EasyVPN deployment we often match on the EasyVPN group name. We need to configure EasyVPN authentication and authorization in the ISAKMP profile, together with the EasyVPN server's ability to hand out IP addresses to the clients. The very important part is to assign a special interface to the ISAKMP profile. This interface is called a Virtual Template and is used to dynamically build the interface on which the EasyVPN clients are terminated. That dynamically built interface is called a Virtual Access interface.

R2(config)#crypto ipsec profile DVTI
R2(ipsec-profile)#set transform-set TS-RA
R2(ipsec-profile)#set isakmp-profile IKE-RA
R2(ipsec-profile)#exi

The IPSec profile specifies the IPSec policy by attaching a transform set to the profile. We do not use any crypto map in this deployment, which is very useful when we do not want a crypto map on the interface. Those profiles are used to "catch" ISAKMP packets and start the EasyVPN negotiation. We can also attach the ISAKMP profile here, but this is not necessary in our case, as we have only one ISAKMP profile configured on the router.

R2(config)#interface Virtual-Template1 type tunnel
R2(config-if)#ip unnumbered GigabitEthernet0/0
R2(config-if)#tunnel mode ipsec ipv4

R2(config-if)#tunnel protection ipsec profile DVTI
R2(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#exi
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template1, changed state to down

The Virtual Template interface must be of type "tunnel" and have a mode of IPSec IPv4. It is crucial to configure this correctly, as the default tunnel type is GRE. If we do not specify the Virtual Template type of tunnel, the default encapsulation is PPP and there is no way to configure "tunnel mode". Always check this with the "show interface virtual-template 1" command. The IP address is borrowed from the G0/0 interface, and finally an IPSec profile is attached for encryption of the tunnel traffic.

Finally, we need to create a pool of IP addresses to hand out to the clients, and our split tunnel ACL.

R2(config)#ip local pool RA-VPN 10.1.21.1 10.1.21.10
R2(config)#access-list 124 permit ip 10.1.24.0 0.0.0.255 any

Step 2 Client PC configuration.

Configure the IP address 112.1.1.200/24 on the PC and add a route to reach R2.

c:\>route add 10.0.0.0 mask 255.0.0.0 112.1.1.1

Verification

1. Run Cisco IPSec VPN client software and create a new connection entry.
2. Click connect and enter user's credentials.
3. VPN tunnel should be established and an appropriate network secured.

C:\>ping 10.1.24.4

Pinging 10.1.24.4 with 32 bytes of data:
Reply from 10.1.24.4: bytes=32 time=59ms TTL=254
Reply from 10.1.24.4: bytes=32 time=2ms TTL=254
Reply from 10.1.24.4: bytes=32 time=1ms TTL=254
Reply from 10.1.24.4: bytes=32 time=2ms TTL=254

Ping statistics for 10.1.24.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 59ms, Average = 16ms

R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

Note that interface Virtual-Access2 is up but Virtual-Template1 is down. This is because Virtual-Template is only used to build up Virtual-Access.

R2#sh int virtual-template1
Virtual-Template1 is down, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of GigabitEthernet0/0 (10.1.12.2)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source UNKNOWN
  Tunnel protocol/transport IPSEC/IP
  Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "DVTI")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

The interface Virtual-Template has the correct tunnel protocol of IPSec/IP. Note that it has no tunnel source and destination specified. In Remote Access VPNs we have many remote clients, so the tunnel destination is always different. This information will be derived from IPSec and used on the Virtual-Access interface.

R2#sh int Virtual-Access2
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of GigabitEthernet0/0 (10.1.12.2)
  MTU 17867 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source 10.1.12.2, destination 112.1.1.200
  Tunnel protocol/transport IPSEC/IP
  Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
  Tunnel transport MTU 1427 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "DVTI")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4 packets input, 480 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     4 packets output, 240 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

The Virtual-Access interface has all information required to tunnel the traffic. Also note that the MTU is automatically changed to a lower value to accommodate IPSec headers.

R2#sh cry isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1003  10.1.12.2       112.1.1.200            ACTIVE aes  sha       2  23:57:19 CX
       Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 10.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
   current_peer 112.1.1.200 port 1286
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.2, remote crypto endpt.: 112.1.1.200
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xE0C449C7(3770960327)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4675F596(1182135702)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4548296/3442)

Note that the Proxy ID is different for every EasyVPN client. ICMP packets have been encrypted/decrypted.

        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE0C449C7(3770960327)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2010, flow_id: Onboard VPN:10, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4548296/3442)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.12.0/24 is directly connected, GigabitEthernet0/0
C       10.1.24.0/24 is directly connected, GigabitEthernet0/1
S       10.1.21.1/32 [1/0] via 112.1.1.200, Virtual-Access2
S*   0.0.0.0/0 [1/0] via 10.1.12.1

A static route is injected into the routing table to reach the remote client IP address. This static route can be redistributed into a dynamic routing protocol if the RRI feature is enabled.

R2#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.12.2       YES manual up                    up
GigabitEthernet0/1         10.1.24.2       YES manual up                    up
Serial0/1/0                unassigned      YES NVRAM  administratively down down
Serial0/2/0                unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES unset  administratively down down

FastEthernet1/1            unassigned      YES unset  administratively down down
FastEthernet1/2            unassigned      YES unset  administratively down down
FastEthernet1/3            unassigned      YES unset  administratively down down
FastEthernet1/4            unassigned      YES unset  administratively down down
FastEthernet1/5            unassigned      YES unset  administratively down down
FastEthernet1/6            unassigned      YES unset  administratively down down
FastEthernet1/7            unassigned      YES unset  administratively down down
FastEthernet1/8            unassigned      YES unset  administratively down down
FastEthernet1/9            unassigned      YES unset  administratively down down
FastEthernet1/10           unassigned      YES unset  administratively down down
FastEthernet1/11           unassigned      YES unset  administratively down down
FastEthernet1/12           unassigned      YES unset  administratively down down
FastEthernet1/13           unassigned      YES unset  administratively down down
FastEthernet1/14           unassigned      YES unset  administratively down down
FastEthernet1/15           unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    down
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          10.1.12.2       YES TFTP   down                  down
Virtual-Access2            10.1.12.2       YES TFTP   up                    up

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.24.2

Lab 1.72. Reverse Route Injection (RRI)

Lab Setup

- R1's F0/0 and R2's G0/0 interface should be configured in VLAN 12
- R2's G0/1 and R4's F0/0 interface should be configured in VLAN 24
- Configure Telnet on all routers using password "cisco"

IP Addressing

Router   Interface   IP address
R1       F0/0        10.1.12.1/24
         Lo0         1.1.1.1/24
R2       G0/0        10.1.12.2/24
         G0/1        10.1.24.2/24
R4       F0/0        10.1.24.4/24
         Lo0         4.4.4.4/24

Task 1

Configure EIGRP AS 24 between R2 and R4 routers and advertise R4's loopback address. R1 should have only a static default route pointing to R2.

Configure EasyVPN Server on R2 using a Dynamic VTI interface. Use the following ISAKMP parameters:

- Phase 1:
  o Authentication: PSK
  o Encryption: AES
  o Hashing: SHA

  o Group: 2
- Phase 2:
  o Encryption: AES 128
  o Hashing: SHA

Local user named "student1" with a password of "student123" should be able to connect to the DVTI group using "cisco123" as a group password. The user should get an IP address from a pool of 10.1.21.1 – 10.1.21.10 addresses. The username and password should be configured on the client and used automatically to connect.

Configure R1 as an EasyVPN Remote using client mode. Client should encrypt traffic sourced from R1's Loopback0 interface. After connection, only traffic destined to the network 4.4.4.0/24 (R4's Loopback0 interface) should be encrypted.

Ensure that R1 can ping the IP address of 4.4.4.4 using its Loopback0 interface by automatically injecting a static route for the EasyVPN Client's IP address on R2 and redistributing ONLY that prefix into EIGRP.

Configuration

Complete these steps:

Step 1 R2 configuration.

Configure EIGRP AS 24 on R2's G0/1.

R2(config)#router eigrp 24
R2(config-router)#no au
R2(config-router)#net 10.1.24.2 0.0.0.0

Configure EasyVPN Server on R2 using DVTI technology.

R2(config)#aaa new-model
R2(config)#aaa authentication login AUTH-LOCAL local
R2(config)#aaa authorization network AUTHOR-LOCAL local
R2(config)#username student password student123
R2(config)#crypto isakmp policy 5
R2(config-isakmp)#encr aes
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exi

R2(config)#ip local pool RA-VPN 10.1.21.1 10.1.21.10
R2(config)#access-list 124 permit ip 4.4.4.0 0.0.0.255 any
R2(config)#crypto isakmp client configuration group DVTI
R2(config-isakmp-group)#key cisco123
R2(config-isakmp-group)#pool RA-VPN
R2(config-isakmp-group)#acl 124
R2(config-isakmp-group)#save-password
R2(config-isakmp-group)#exi
R2(config)#crypto isakmp profile IKE-RA
% A profile is deemed incomplete until it has match identity statements
R2(conf-isa-prof)#match identity group DVTI
R2(conf-isa-prof)#client authentication list AUTH-LOCAL
R2(conf-isa-prof)#isakmp authorization list AUTHOR-LOCAL
R2(conf-isa-prof)#client configuration address respond
R2(conf-isa-prof)#virtual-template 1          <-- do not forget about this!!!
R2(conf-isa-prof)#exit
R2(config)#crypto ipsec transform-set TS-RA esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#crypto ipsec profile DVTI
R2(ipsec-profile)#set transform-set TS-RA
R2(ipsec-profile)#set isakmp-profile IKE-RA
R2(ipsec-profile)#exit
R2(config)#interface Virtual-Template1 type tunnel
R2(config-if)#ip unnumbered GigabitEthernet0/0
R2(config-if)#tunnel mode ipsec ipv4
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template1, changed state to down
R2(config-if)#tunnel protection ipsec profile DVTI
R2(config-if)#exi
R2(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 2 R4 configuration.

Configure EIGRP AS 24 on R4 and advertise its Loopback0 network.

R4(config)#router eigrp 24
R4(config-router)#no au
R4(config-router)#net 4.4.4.4 0.0.0.0
R4(config-router)#net 10.1.24.4 0.0.0.0
R4(config-router)#exi

R4(config)#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 24: Neighbor 10.1.24.2 (FastEthernet0/0) is up: new adjacency

Step 3 R1 configuration.

Configure a default static route on R1 pointing to R2. Then, configure EasyVPN Remote using client mode. Use appropriate interfaces to encrypt traffic sourced from Loopback0.

R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.12.2
R1(config)#crypto ipsec client ezvpn EZ
R1(config-crypto-ezvpn)#connect auto
R1(config-crypto-ezvpn)#group DVTI key cisco123
R1(config-crypto-ezvpn)#mode client
R1(config-crypto-ezvpn)#peer 10.1.12.2
R1(config-crypto-ezvpn)#username student password student123
R1(config-crypto-ezvpn)#xauth userid mode local
R1(config-crypto-ezvpn)#exit
R1(config)#int lo0
R1(config-if)#crypto ipsec client ezvpn EZ inside
R1(config-if)#int f0/0
R1(config-if)#crypto ipsec client ezvpn EZ outside
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exi

NOTE: this is not a solution yet!!! For the full solution see the rest of this task.

Verification

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.12.0/24 is directly connected, FastEthernet0/0
C       10.1.21.1/32 is directly connected, Loopback10000
S*   0.0.0.0/0 [1/0] via 10.1.12.2          <-- R1 has only default route 0.0.0.0

R1#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.2       10.1.12.1       QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cry isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1004  10.1.12.1       10.1.12.2              ACTIVE aes  sha       2  23:58:49 CX
       Engine-id:Conn-id = SW:4

IPv6 Crypto ISAKMP SA

R1#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.1.21.1 (applied on Loopback10000)          <-- Client got this IP address
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 4.4.4.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 10.1.12.2

R1#sh cryp ipsec sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

No traffic has been sent through the tunnel yet.

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD3960772(3549824882)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x732BF69F(1932261023)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: NETGX:11, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4405245/3540)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD3960772(3549824882)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: NETGX:12, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4405245/3540)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#ping 4.4.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)

Ping is not successful; see if traffic goes through the VPN.

R1#sh cryp ipsec sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

It seems traffic is sent out through the tunnel but is not returning.

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD3960772(3549824882)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x732BF69F(1932261023)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: NETGX:11, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4405245/3511)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xD3960772(3549824882)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: NETGX:12, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4405244/3511)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/24 is subnetted, 1 subnets
D       4.4.4.0 [90/156160] via 10.1.24.4, 00:02:13, GigabitEthernet0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.12.0/24 is directly connected, GigabitEthernet0/0
C       10.1.24.0/24 is directly connected, GigabitEthernet0/1
S       10.1.21.1/32 [1/0] via 10.1.12.1, Virtual-Access2          <-- R2 has a correct route back to the Client

R2#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  10.1.12.2       10.1.12.1              ACTIVE aes  sha       2  23:58:08 CX
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R2#sh cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 10.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

Packets came to R2 but have not been sent back.

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.2, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x732BF69F(1932261023)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD3960772(3549824882)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4601019/3484)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x732BF69F(1932261023)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4601020/3484)
        IV size: 16 bytes
        replay detection support: Y
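The counter comparison the verification walks through by eye (R1 encapsulates five packets and decapsulates none, while R2 decapsulates five and encapsulates none) can be turned into a check that pairs the two ends of one SA and names the broken leg. The Python below is an added example, not the workbook's or Cisco's code; the two sample outputs are constructed and abbreviated copies of the "show crypto ipsec sa" shape above, and the diagnosis keys and the HINTS table are this example's own naming.

```python
"""Correlate 'show crypto ipsec sa' counters from both ends of one tunnel.

Added example (not from the workbook or Cisco IOS): pairs the client SA with
the server SA that carries the same proxy ID and reports which leg is dead.
Both sample outputs are constructed, cut down to the lines the rules use.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: EasyVPN client side (modelled on R1 before RRI).
R1_SA = """\
interface: FastEthernet0/0
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample: EasyVPN server side (modelled on R2 before RRI).
R2_SA = """\
interface: Virtual-Access2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""


@dataclass
class IpsecSa:
    interface: str
    local_ident: str   # this end's proxy ID
    remote_ident: str  # the peer's proxy ID
    peer: str
    encaps: int        # packets this end encrypted and sent
    decaps: int        # packets this end received and decrypted


_IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
_PEER_RE = re.compile(r"current_peer (\S+)")
_CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'protected vrf' entry, tagged with its interface."""
    sas = []
    for block in re.split(r"(?m)^interface:\s*", text)[1:]:
        iface, _, body = block.partition("\n")
        for entry in body.split("protected vrf:")[1:]:
            idents = dict(_IDENT_RE.findall(entry))
            counts = dict(_CNT_RE.findall(entry))
            peer = _PEER_RE.search(entry)
            sas.append(IpsecSa(
                interface=iface.strip(),
                local_ident=idents.get("local", ""),
                remote_ident=idents.get("remote", ""),
                peer=peer.group(1) if peer else "",
                encaps=int(counts.get("encaps", 0)),
                decaps=int(counts.get("decaps", 0)),
            ))
    return sas


# Rule table: the counter that stopped moving says where to look.
HINTS = {
    "proxy-id-mismatch": "client local ident != server remote ident; not the same SA pair",
    "idle": "nothing either way: traffic is not hitting the SA (crypto ACL / inside interface)",
    "lost-client-to-server": "client encrypts but server never decrypts: path or NAT between peers",
    "no-return-path-behind-server": "server decrypts but never encrypts a reply: the network "
                                    "behind the server has no route to the client address (RRI)",
    "lost-server-to-client": "server encrypts replies the client never decrypts: return path",
    "ok": "both ends encrypt and decrypt: tunnel is bidirectional",
}


def diagnose(client: IpsecSa, server: IpsecSa) -> str:
    """Classify a client/server SA pair; returns a key of HINTS."""
    if client.local_ident != server.remote_ident:
        return "proxy-id-mismatch"
    if client.encaps == 0 and server.encaps == 0:
        return "idle"
    if client.encaps > 0 and server.decaps == 0:
        return "lost-client-to-server"
    if server.decaps > 0 and server.encaps == 0:
        return "no-return-path-behind-server"
    if server.encaps > 0 and client.decaps == 0:
        return "lost-server-to-client"
    return "ok"


def report(client_text: str, server_text: str) -> List[str]:
    """Pair every client SA with the server SA carrying the same proxy ID."""
    out = []
    servers = parse_ipsec_sa(server_text)
    for c in parse_ipsec_sa(client_text):
        for s in servers:
            if c.local_ident == s.remote_ident:
                key = diagnose(c, s)
                out.append(f"{c.interface} <-> {s.interface} ({c.local_ident}): {key}: {HINTS[key]}")
    return out
```

Running `report(R1_SA, R2_SA)` on the two samples yields the "no-return-path-behind-server" verdict, which is exactly the state Step 4 (RRI) fixes; re-running it after the fix, when both encaps and decaps move on both ends, yields "ok".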

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, FastEthernet0/0

R4 has no clue about the EasyVPN Client's IP address. That's not good :-) To make it work we need to send routing information over to R4. To allow R2 to redistribute that route into EIGRP we need a feature called RRI. This can be configured using "set reverse-route" under the IPSec Profile or "reverse-route" under the dynamic crypto map (in case you use it instead of DVTI). In addition to that, we're asked to redistribute ONLY this prefix. We could NOT just simply redistribute that static route because we are not allowed to. To do that we'll need a route map where we'll match prefixes based on some conditions. The most natural (and easy) way to do that is to use route tagging.

Configuration

Complete these steps:

Step 4 R2 RRI configuration.

R2(config)#crypto ipsec profile DVTI
R2(ipsec-profile)#set reverse-route tag 124
This will remove previously installed VPN routes and SAs
R2(ipsec-profile)#exi
R2(config)#route-map DVTI-RRI permit 10
R2(config-route-map)#match tag 124

R2(config-route-map)#exi
R2(config)#router eigrp 24
R2(config-router)#redistribute static route-map DVTI-RRI
R2(config-router)#ex

Verification

Reconnect to the EasyVPN Server to refresh the configuration.

R1#cle cryp isak
%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) Client_public_addr=10.1.12.1 User=student Group=DVTI Server_public_addr=10.1.12.2 Assigned_client_addr=10.1.21.1
R1#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) Client_public_addr=10.1.12.1 User=student Group=DVTI Server_public_addr=10.1.12.2 Assigned_client_addr=10.1.21.2

R1#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.1.21.2 (applied on Loopback10000)          <-- This time, client got different IP address
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 4.4.4.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 10.1.12.2

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.12.0/24 is directly connected, FastEthernet0/0
C       10.1.21.2/32 is directly connected, Loopback10000
S*   0.0.0.0/0 [1/0] via 10.1.12.2

R1#sh cryp isak sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.2       10.1.12.1       QM_IDLE           1005 ACTIVE
10.1.12.2       10.1.12.1       MM_NO_STATE       1004 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

R1#sh cryp ips sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.21.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xED619BF8(3982597112)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA8AA6AA3(2829740707)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2013, flow_id: NETGX:13, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4523368/3557)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

4.1.4. #recv errors 0 Page 1006 of 1033 . #pkts decompressed: 0 #pkts not compressed: 0.0. flow_id: NETGX:14.4.0/0/0) current_peer 10.21. #pkts decrypt: 5.1 protected vrf: (none) local ident (addr/mask/prot/port): (10. sibling_flags 80000046. #pkts verify: 5 ICMP packets are encrypted and decrypted #pkts compressed: 0.255/0/0) remote ident (addr/mask/prot/port): (0. } conn id: 2014.12. failed: 0 #pkts not decompressed: 0.1. local addr 10.1. Sending 5. #pkts digest: 5 #pkts decaps: 5.4.1.4 so lo0 Type escape sequence to abort. #pkts compr.1 !!!!! Success rate is 100 percent (5/5).255.CCIE SECURITY v4 Lab Workbook inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xED619BF8(3982597112) transform: esp-aes esp-sha-hmac . R1#sh cryp ips sa interface: FastEthernet0/0 Crypto map tag: FastEthernet0/0-head-0. timeout is 2 seconds: Packet sent with a source address of 1.0. #pkts decompress failed: 0 #send errors 0. So far so good.255.0.2/255.2 port 500 PERMIT.4. 100-byte ICMP Echos to 4.} #pkts encaps: 5. round-trip min/avg/max = 1/3/4 ms Ping is successful. in use settings ={Tunnel.0. flags={origin_is_acl.0/0. crypto map: FastEthernet0/0-head-0 sa timing: remaining key lifetime (k/sec): (4523368/3557) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: R1#ping 4. #pkts encrypt: 5.12.1.

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xED619BF8(3982597112)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA8AA6AA3(2829740707)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2013, flow_id: NETGX:13, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4523367/3535)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xED619BF8(3982597112)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2014, flow_id: NETGX:14, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4523367/3535)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/24 is subnetted, 1 subnets
D       4.4.4.0 [90/156160] via 10.1.24.4, 00:05:40, GigabitEthernet0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.12.0/24 is directly connected, GigabitEthernet0/0

C       10.1.24.0/24 is directly connected, GigabitEthernet0/1
S       10.1.21.2/32 [1/0] via 10.1.12.1, Virtual-Access2          <-- R2 has a route to the client's IP address

R2#sh ip route 10.1.21.2
Routing entry for 10.1.21.2/32
  Known via "static", distance 1, metric 0
  Tag 124
  Redistributing via eigrp 24
  Advertised by eigrp 24 route-map DVTI-RRI
  Routing Descriptor Blocks:
  * 10.1.12.1, via Virtual-Access2
      Route metric is 0, traffic share count is 1
      Route tag 124          <-- The prefix is tagged

R2#sh cry isak sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.2       10.1.12.1       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 10.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.21.2/255.255.255.255/0/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.2, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA8AA6AA3(2829740707)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xED619BF8(3982597112)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: Virtual-Access2-head-0

        sa timing: remaining key lifetime (k/sec): (4492064/3492)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA8AA6AA3(2829740707)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4492064/3492)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh ip protocol
Routing Protocol is "eigrp 24"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: static, eigrp 24
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    10.1.24.2/32
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.24.4             90      00:06:13
  Distance: internal 90 external 170

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

0 is directly connected. L2 .periodic downloaded static route Gateway of last resort is not set 4. FastEthernet0/0 D EX 10. Loopback0 10.0. 2 masks C 10.0.1.IS-IS inter area.21. * . 2 subnets.0.0. 00:02:06.IS-IS summary.24. 1 subnets C 4.ODR.24.IS-IS level-2 ia .IS-IS level-1.IS-IS.CCIE SECURITY v4 Lab Workbook i .4.per-user static route o .candidate default.2.4.2/32 [170/26882560] via 10.1. Page 1010 of 1033 . U .1. FastEthernet0/0 See the redistributed route on R4. L1 .0/24 is directly connected.0/8 is variably subnetted. P .0/24 is subnetted. su .

Lab 1.73. Call Admission Control for IKE

Lab Setup
• R1's F0/0, R2's G0/0 and R4's F0/0 interface should be configured in VLAN 124
• Configure Telnet on all routers using password "cisco"

IP Addressing
Router   Interface   IP address
R1       F0/0        10.1.124.1/24
         Lo0         1.1.1.1/24
R2       G0/0        10.1.124.2/24
         Lo0         2.2.2.2/24
R4       F0/0        10.1.124.4/24
         Lo0         4.4.4.4/24

Task 1
Configure basic Site to Site IPSec VPN (using Static VTI) between R1/R2 and R4 using the following policy:

ISAKMP Policy                   IPSec Policy
Authentication: Pre-shared      Encryption: ESP-3DES
Encryption: 3DES                Hash: MD5
Hash: MD5
DH Group: 2
PSK for R1: R1-KEY
PSK for R2: R2-KEY

Configure IKE protection on R4 so that it cannot accept more than 10 IKE SA negotiations at a time and no more than 1 IKE SA can be established in total.

• The Call Admission Control (CAC) feature for IKE protects router resources and guards against DoS attacks that use the IKE protocol. As an administrator you can configure two things: (1) the total number of IKE SAs that can be terminated on the router ("crypto call admission limit ike sa" command), and (2) the number of IKE negotiations allowed at the same time ("crypto call admission limit ike in-negotiation-sa" command).

Configuration
Complete these steps:

Step 1 R4 configuration.

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exi
R4(config)#crypto isakmp key R1-KEY address 10.1.124.1
R4(config)#crypto isakmp key R2-KEY address 10.1.124.2
R4(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#exi
R4(config)#crypto ipsec profile PROF
R4(ipsec-profile)#set transform-set TS
R4(ipsec-profile)#exi
R4(config)#interface Tunnel41
R4(config-if)#ip address 172.16.41.4 255.255.255.0
R4(config-if)#tunnel source FastEthernet0/0
R4(config-if)#tunnel destination 10.1.124.1
R4(config-if)#tunnel mode ipsec ipv4
R4(config-if)#tunnel protection ipsec profile PROF
R4(config-if)#interface Tunnel42
R4(config-if)#ip address 172.16.42.4 255.255.255.0
R4(config-if)#tunnel source FastEthernet0/0
R4(config-if)#tunnel destination 10.1.124.2
R4(config-if)#tunnel mode ipsec ipv4
R4(config-if)#tunnel protection ipsec profile PROF
R4(config-if)#exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config)#crypto call admission limit ike sa 1
R4(config)#crypto call admission limit ike in-negotiation-sa 10

Step 2 R1 configuration.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exi
R1(config)#crypto isakmp key R1-KEY address 10.1.124.4
R1(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exi
R1(config)#crypto ipsec profile PROF
R1(ipsec-profile)#set transform-set TS
R1(ipsec-profile)#exi
R1(config)#interface Tunnel14
R1(config-if)#ip address 172.16.41.1 255.255.255.0
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel destination 10.1.124.4
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile PROF
R1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exi
R1(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel14, changed state to up

Step 3 R2 configuration.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encr 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exi
R2(config)#crypto isakmp key R2-KEY address 10.1.124.4
R2(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exi
R2(config)#crypto ipsec profile PROF
R2(ipsec-profile)#set transform-set TS
R2(ipsec-profile)#exi
R2(config)#interface Tunnel24
R2(config-if)#ip address 172.16.42.2 255.255.255.0
R2(config-if)#tunnel source GigabitEthernet0/0
R2(config-if)#tunnel destination 10.1.124.4
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile PROF
R2(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification

R1#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1006  10.1.124.1      10.1.124.4             ACTIVE 3des md5  psk  2  23:54:00
       Engine-id:Conn-id = SW:6

IPv6 Crypto ISAKMP SA

R1#sh cry ips sa

interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 10.1.124.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.124.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.124.1, remote crypto endpt.: 10.1.124.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8B215125(2334216485)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3118577C(823678844)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2019, flow_id: NETGX:19, sibling_flags 80000046, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4403231/3546)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8B215125(2334216485)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2020, flow_id: NETGX:20, sibling_flags 80000046, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4403231/3546)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The IPSec tunnel is up and running between R1 and R4. Let's send traffic through the tunnel.

R1#ping 172.16.41.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.41.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#sh cry ips sa

interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 10.1.124.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.124.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5      <-- Traffic has been encrypted/decrypted
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.124.1, remote crypto endpt.: 10.1.124.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8B215125(2334216485)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3118577C(823678844)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2019, flow_id: NETGX:19, sibling_flags 80000046, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4403230/3531)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8B215125(2334216485)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2020, flow_id: NETGX:20, sibling_flags 80000046, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4403230/3531)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#sh cry sess
Crypto session current status

Interface: Tunnel14
Session status: UP-ACTIVE
Peer: 10.1.124.4 port 500
  IKE SA: local 10.1.124.1/500 remote 10.1.124.4/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

R2 cannot negotiate ISAKMP SA.

R2#sh cryp isak sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.124.4      10.1.124.2      MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

There are no SPIs for IPSec.

R2#sh cry ips sa

interface: Tunnel24
    Crypto map tag: Tunnel24-head-0, local addr 10.1.124.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.124.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.124.2, remote crypto endpt.: 10.1.124.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Note that R2 cannot establish an IKE SA.

R2#sh cry sess
Crypto session current status

Interface: Tunnel24
Session status: DOWN-NEGOTIATING
Peer: 10.1.124.4 port 500
  IKE SA: local 10.1.124.2/500 remote 10.1.124.4/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

See the output on R4's console. It clearly states that the IKE request has been denied by the CAC feature.

R4#
%CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an INCOMING SA request from 10.1.124.2 to 10.1.124.4 due to IKE SA LIMIT REACHED

Note that it works both ways, so R4 cannot initiate an IKE session towards R2 either.

R4#
%CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an OUTGOING SA request from 10.1.124.4 to 10.1.124.2 due to IKE SA LIMIT REACHED
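The two denial messages above are the only visible sign of CAC refusing a peer, so they are worth collecting from syslog. As an added example (not part of the workbook), the Python below summarises %CRYPTO-4-IKE_DENY_SA_REQ lines and separates refusals of the configured spokes (the limit is simply too low for the design, as in this lab) from refusals of peers that were never configured; the log lines, the expected-peer set and the assess() helper are constructed for this example.

```python
"""Summarise IKE Call Admission Control denials from IOS syslog.

Added example, not part of the workbook. The log lines are constructed to
match the %CRYPTO-4-IKE_DENY_SA_REQ format R4 printed in this lab; the
expected-peer list and SA limit mirror the lab's Task 1.
"""
import re
from collections import Counter

# Constructed sample log: R4's console plus one peer the lab never configured.
SAMPLE_LOG = """\
*Mar  1 00:12:41.103: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an INCOMING SA request from 10.1.124.2 to 10.1.124.4 due to IKE SA LIMIT REACHED
*Mar  1 00:12:44.219: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an OUTGOING SA request from 10.1.124.4 to 10.1.124.2 due to IKE SA LIMIT REACHED
*Mar  1 00:12:45.001: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 00:13:02.550: %CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an INCOMING SA request from 198.51.100.7 to 10.1.124.4 due to IKE SA LIMIT REACHED
"""

# Peers R4 is meant to terminate (R1 and R2) and the limit set in Step 1.
EXPECTED_PEERS = frozenset({"10.1.124.1", "10.1.124.2"})
CONFIGURED_SA_LIMIT = 1

DENY_RE = re.compile(
    r"%CRYPTO-4-IKE_DENY_SA_REQ: IKE denied an (?P<direction>INCOMING|OUTGOING) "
    r"SA request from (?P<src>\d+\.\d+\.\d+\.\d+) to (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"due to (?P<reason>.+?)\s*$"
)


def parse_deny(line):
    """Return the fields of one denial line, or None if it is another message."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def remote_peer(event):
    """The far end: source of an INCOMING request, destination of an OUTGOING one."""
    return event["src"] if event["direction"] == "INCOMING" else event["dst"]


def summarise(lines, expected_peers=EXPECTED_PEERS):
    """Count denials by reason and by remote peer; split out peers not in the design."""
    by_reason, by_peer, unexpected = Counter(), Counter(), Counter()
    for line in lines:
        event = parse_deny(line)
        if event is None:
            continue
        peer = remote_peer(event)
        by_reason[event["reason"]] += 1
        by_peer[peer] += 1
        if peer not in expected_peers:
            unexpected[peer] += 1
    return {"by_reason": dict(by_reason), "by_peer": dict(by_peer),
            "unexpected": dict(unexpected)}


def assess(summary, expected_peers=EXPECTED_PEERS, sa_limit=CONFIGURED_SA_LIMIT):
    """Turn the counts into findings an operator can act on."""
    findings = []
    refused_expected = sorted(p for p in summary["by_peer"] if p in expected_peers)
    # Expected peers being refused while the limit is below the peer count means
    # the limit, not the peers, is the problem (the situation R2 is in here).
    if refused_expected and sa_limit < len(expected_peers):
        findings.append(
            f"sa limit {sa_limit} is below the {len(expected_peers)} expected peers; "
            f"refused: {', '.join(refused_expected)}")
    # Unknown peers hitting the limit is what CAC is there to absorb; log them.
    if summary["unexpected"]:
        findings.append("unexpected peers refused: "
                        + ", ".join(sorted(summary["unexpected"])))
    return findings


if __name__ == "__main__":
    for finding in assess(summarise(SAMPLE_LOG.splitlines())):
        print(finding)
```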

Lab 1.74. IPSec Load Balancing (ASA Cluster)

Lab Setup
• R1's F0/0, ASA1's E0/0 and ASA2's E0/0 interface should be configured in VLAN 110
• R2's G0/0, ASA1's E0/1 and ASA2's E0/1 interface should be configured in VLAN 120
• R1's F0/1 and PC NIC (SW3 F0/15) should be configured in VLAN 112
• Configure Telnet on all routers using password "cisco"
• Configure EIGRP AS 120 in VLAN 120

IP Addressing
Device/Hostname   Interface (ifname, sec)         IP address
R1                F0/0                            10.1.110.1/24
                  F0/1                            112.1.1.1/24
R2                G0/0                            10.1.120.2/24
ASA1              E0/0 (Outside, Sec lvl 0)       10.1.110.10/24
                  E0/1 (Inside, Sec lvl 100)      10.1.120.10/24
ASA2              E0/0 (Outside, Sec lvl 0)       10.1.110.12/24
                  E0/1 (Inside, Sec lvl 100)      10.1.120.12/24
PC                NIC                             112.1.1.200/24

Task 1
Configure EasyVPN Server on the ASA1/ASA2 VPN Cluster. Use the following ISAKMP parameters:
• Phase 1:
  o Authentication: PSK
  o Encryption: 3DES
  o Hashing: SHA
  o Group: 2
• Phase 2:
  o Encryption: 3DES
  o Hashing: SHA
  o PFS Group 2

Local user named "student1" with a password of "student123" should be able to connect to the cluster using IP address of 10.1.110.254 and a group SALES with a password of "cisco123". The user should get an IP address from a pool of 10.1.21.1 – 10.1.21.254 addresses and the following additional information:
• DNS Server: 10.1.120.5
• WINS Server: 10.1.120.6
• Domain name: micronicstraining.com

After connection, only traffic destined to the network 10.1.120.0/24 should be encrypted. ASA1 should have the Master role in the cluster, and the connection between cluster members should be encrypted and authenticated using the key "cisco123". Ensure that the R2 router learns the connected user's IP address through EIGRP routing updates.

• If you have a remote access VPN in which you are using two or more ASA devices connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device in the cluster, thus distributing the load among all devices. To enable that you must logically group two or more ASA devices on the same LAN and Internet connection into a virtual cluster. All devices in the virtual cluster carry session loads. One device in the virtual cluster has the Master role and directs incoming traffic to the other devices, called Secondary devices. The Master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The Master role is not tied to a physical device; it can shift among devices. For example, if the current Master fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new Master. The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address belongs to the current Master. When a VPN client is attempting to connect to the cluster, the Master sends back to the client the public IP address of the least-loaded available host in the cluster, and the client connects directly to that host. If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The Master then directs these connections to another active device in the cluster. If the Master itself fails, another device in the cluster immediately takes over as the new Master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.

First we need to configure EasyVPN Server on both devices. The configuration is typical and has been described in the Remote Access VPN section of the workbook. The EasyVPN Server configuration must be exactly the same on both devices. In a second step we configure the clustering.

Configuration
Complete these steps:

Step 1 ASA1 IPSec configuration.

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth pre-share
ASA1(config-isakmp-policy)# encr 3des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# ip local pool VPN-CLIENTS 10.1.21.1-10.1.21.254 mask 255.255.255.0
ASA1(config)# access-list ST permit ip 10.1.120.0 255.255.255.0 any
ASA1(config)# group-policy SALES-POLICY internal
ASA1(config)# group-policy SALES-POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ipsec
ASA1(config-group-policy)# dns-server value 10.1.120.5
ASA1(config-group-policy)# wins-server value 10.1.120.6
ASA1(config-group-policy)# default-domain value micronicstraining.com
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value ST
ASA1(config-group-policy)# exit
ASA1(config)# tunnel-group SALES type remote-access
ASA1(config)# tunnel-group SALES ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key cisco123
ASA1(config-tunnel-ipsec)# exit
ASA1(config)# tunnel-group SALES general-attributes
ASA1(config-tunnel-general)# default-group-policy SALES-POLICY
ASA1(config-tunnel-general)# address-pool VPN-CLIENTS
ASA1(config-tunnel-general)# exit
ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set pfs group2
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set transform-set TSET
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set reverse-route
ASA1(config)# crypto map ENCRYPT_OUT 10 ipsec-isakmp dynamic DYN-CMAP
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)#
ASA1(config)# access-list TO-EIGRP standard permit 10.1.21.0 255.255.255.0
ASA1(config)# route-map REDIST-EIGRP permit 10
ASA1(config-route-map)# match ip address TO-EIGRP
ASA1(config-route-map)# exi
ASA1(config)# router eigrp 120
ASA1(config-router)# redistribute static route-map REDIST-EIGRP metric 10000 1000 255 1 1500
ASA1(config-router)# exi
ASA1(config)# username student1 password student123

Step 2 ASA2 IPSec configuration.

ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto isakmp policy 10
ASA2(config-isakmp-policy)# auth pre-share
ASA2(config-isakmp-policy)# encr 3des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# exit
ASA2(config)# ip local pool VPN-CLIENTS 10.1.21.1-10.1.21.254 mask 255.255.255.0
ASA2(config)# access-list ST permit ip 10.1.120.0 255.255.255.0 any
ASA2(config)# group-policy SALES-POLICY internal
ASA2(config)# group-policy SALES-POLICY attributes
ASA2(config-group-policy)# vpn-tunnel-protocol ipsec
ASA2(config-group-policy)# dns-server value 10.1.120.5
ASA2(config-group-policy)# wins-server value 10.1.120.6
ASA2(config-group-policy)# default-domain value micronicstraining.com
ASA2(config-group-policy)# split-tunnel-policy tunnelspecified
ASA2(config-group-policy)# split-tunnel-network-list value ST
ASA2(config-group-policy)# exit
ASA2(config)# tunnel-group SALES type remote-access
ASA2(config)# tunnel-group SALES ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key cisco123
ASA2(config-tunnel-ipsec)# exit
ASA2(config)# tunnel-group SALES general-attributes
ASA2(config-tunnel-general)# default-group-policy SALES-POLICY
ASA2(config-tunnel-general)# address-pool VPN-CLIENTS
ASA2(config-tunnel-general)# exit
ASA2(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
ASA2(config)# crypto dynamic-map DYN-CMAP 10 set pfs group2
ASA2(config)# crypto dynamic-map DYN-CMAP 10 set transform-set TSET
ASA2(config)# crypto dynamic-map DYN-CMAP 10 set reverse-route
ASA2(config)# crypto map ENCRYPT_OUT 10 ipsec-isakmp dynamic DYN-CMAP
ASA2(config)# crypto map ENCRYPT_OUT interface Outside
ASA2(config)# access-list TO-EIGRP standard permit 10.1.21.0 255.255.255.0
ASA2(config)# route-map REDIST-EIGRP permit 10
ASA2(config-route-map)# match ip address TO-EIGRP
ASA2(config-route-map)# exi
ASA2(config)# router eigrp 120
ASA2(config-router)# redistribute static route-map REDIST-EIGRP metric 10000 1000 255 1 1500
ASA2(config-router)# exi
ASA2(config)# username student1 password student123

Step 3 ASA1 IPSec clustering configuration.

We need to provide a Virtual IP address of the cluster, which EasyVPN clients will use as the tunnel endpoint. Devices in the cluster communicate with each other over an encrypted tunnel when "cluster encryption" is enabled. This tunnel is a regular ISAKMP SA authenticated with the "cluster key". The priority value is a number between 1 and 10 which dictates which device becomes the Master; the higher number wins. Finally we need to enable clustering on each cluster member by issuing the "participate" command.

ASA1(config)# cry isakmp enable inside
ASA1(config)# vpn load-balancing
ASA1(config-load-balancing)# cluster ip add 10.1.110.254
ASA1(config-load-balancing)# cluster key cisco123
ASA1(config-load-balancing)# cluster encryption
ASA1(config-load-balancing)# priority 10
ASA1(config-load-balancing)# participate
ASA1(config-load-balancing)# exit

Step 4 ASA2 IPSec clustering configuration.

ASA2(config)# cry isakmp enable inside
ASA2(config)# vpn load-balancing
ASA2(config-load-balancing)# cluster ip add 10.1.110.254
ASA2(config-load-balancing)# cluster key cisco123
ASA2(config-load-balancing)# cluster encryption
ASA2(config-load-balancing)# priority 5
ASA2(config-load-balancing)# participate
ASA2(config-load-balancing)# exit

Step 5 Routing on R1.

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.110.254

Step 6 Client PC configuration.

c:\>route add 10.1.120.0 mask 255.255.255.0 112.1.1.1

Verification

ASA1(config)# sh vpn load-balancing
Status: enabled
Role: Master
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers: 1

                                               Load (%)        Sessions
Public IP       Role    Pri  Model           IPSec  SSL     IPSec  SSL
--------------------------------------------------------------------------
* 10.1.110.10   Master  10   ASA-5510        0      0       0      0
  10.1.110.12   Backup  5    ASA-5510        0      0       0      0

As we see, our ASA1 has become Master for this virtual cluster. This is because of its higher priority.

ASA1(config)# sh cry isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.1.120.12
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

The Master device has an ISAKMP SA set up with the other devices. Note that this SA has been established using Main Mode with IP addresses from the private (inside) network.

Same information is on the other device. ASA2 is in the Backup role.

ASA2(config)# sh vpn load-balancing
Status: enabled
Role: Backup
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers: 1

                                               Load (%)        Sessions
Public IP       Role    Pri  Model           IPSec  SSL     IPSec  SSL
--------------------------------------------------------------------------
* 10.1.110.12   Backup  5    ASA-5510        0      0       0      0
  10.1.110.10   Master  10   ASA-5510        n/a    n/a     n/a    n/a

ASA2(config)# sh cry isak sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.1.120.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Configure a new connection in Cisco VPN Client.

Authenticate using the local user name.

Check that traffic to the desired network is encrypted.

c:\ACS_PC>ping 10.1.120.2

Pinging 10.1.120.2 with 32 bytes of data:

Reply from 10.1.120.2: bytes=32 time=14ms TTL=255
Reply from 10.1.120.2: bytes=32 time=1ms TTL=255
Reply from 10.1.120.2: bytes=32 time=1ms TTL=255
Reply from 10.1.120.2: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.120.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 14ms, Average = 4ms

The tunnel is established and traffic is going through it.

ASA1(config)# sh vpn load-balancing
Status: enabled
Role: Master
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers: 1

                                               Load (%)        Sessions
Public IP       Role    Pri  Model           IPSec  SSL     IPSec  SSL
--------------------------------------------------------------------------
* 10.1.110.10   Master  10   ASA-5510        0      0       0      0
  10.1.110.12   Backup  5    ASA-5510        0      0       1      0

We see one IPSec connection on the Backup device.

ASA1(config)# sh crypto isakmp sa

   Active SA: 1          <-- Only one ISAKMP SA, meaning the client's connection has landed on ASA2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.1.120.12
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ASA1(config)# sh crypto ipsec sa
interface: inside
    Crypto map tag: __vpn-lb-crypto-map, seq num: 65534, local addr: 10.1.120.10

      access-list vpnlb-10.1.120.12 permit ip host 10.1.120.10 host 10.1.120.12
      local ident (addr/mask/prot/port): (10.1.120.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.1.120.12/255.255.255.255/0/0)
      current_peer: 10.1.120.12

      #pkts encaps: 547, #pkts encrypt: 547, #pkts digest: 547
      #pkts decaps: 529, #pkts decrypt: 529, #pkts verify: 529
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 547, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.1.120.10, remote crypto endpt.: 10.1.120.12

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 66A95179

    inbound esp sas:
      spi: 0x6D983B72 (1838693234)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: __vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (3914973/28268)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x66A95179 (1722372473)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: __vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (3914967/28268)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

The Master ASA establishes an IPSec SA with the Backup ASA only. There is no IPSec SA with the client.

ASA1(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.1.110.1 to network 0.0.0.0

C    10.1.110.0 255.255.255.0 is directly connected, outside
C    10.1.120.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.110.1, outside

ASA2(config)# sh vpn load-balancing
Status: enabled
Role: Backup
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers: 1

                                               Load (%)        Sessions
Public IP       Role    Pri  Model           IPSec  SSL     IPSec  SSL
--------------------------------------------------------------------------
* 10.1.110.12   Backup  5    ASA-5510        0      0       1      0
  10.1.110.10   Master  10   ASA-5510        n/a    n/a     n/a    n/a

ASA2(config)# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 10.1.120.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 112.1.1.200
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

Here's the client's connection. It landed on ASA2 because the Master redirects IKE to the backup peer by default.

ASA2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN-CMAP, seq num: 10, local addr: 10.1.110.12

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
      current_peer: 112.1.1.200, username: student1
      dynamic allocated peer ip: 10.1.21.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 285, #pkts decrypt: 285, #pkts verify: 285
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.1.110.12, remote crypto endpt.: 112.1.1.200

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FA9342C5

    inbound esp sas:
      spi: 0x9423992E (2485360942)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: DYN-CMAP
         sa timing: remaining key lifetime (sec): 28624
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFA9342C5 (4203954885)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: DYN-CMAP
         sa timing: remaining key lifetime (sec): 28624
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

The client's packets are being encrypted/decrypted.

interface: inside
    Crypto map tag: __vpn-lb-crypto-map, seq num: 65534, local addr: 10.1.120.12

      access-list vpnlb-10.1.120.10 permit ip host 10.1.120.12 host 10.1.120.10
      local ident (addr/mask/prot/port): (10.1.120.12/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.1.120.10/255.255.255.255/0/0)
      current_peer: 10.1.120.10

      #pkts encaps: 618, #pkts encrypt: 618, #pkts digest: 618
      #pkts decaps: 639, #pkts decrypt: 639, #pkts verify: 639
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 618, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.1.120.12, remote crypto endpt.: 10.1.120.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6D983B72

    inbound esp sas:
      spi: 0x66A95179 (1722372473)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: __vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (4373961/28182)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6D983B72 (1838693234)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: __vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (4373968/28179)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA2(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.1.110.1 to network 0.0.0.0

C    10.1.110.0 255.255.255.0 is directly connected, outside
C    10.1.120.0 255.255.255.0 is directly connected, inside
S    10.1.21.1 255.255.255.255 [1/0] via 10.1.110.1, outside      <-- Here's the static route for the client's connection
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.110.1, outside

We need to see it redistributed and sent to R2 via EIGRP.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.120.0/24 is directly connected, FastEthernet0/0
D EX    10.1.21.1/32 [170/514560] via 10.1.120.12, 00:03:56, FastEthernet0/0
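The cluster state is verified above by reading "show vpn load-balancing" by eye on each member. As an added example (not part of the workbook or Cisco's tooling), the Python below parses that output and checks it against the lab's design: the highest-priority member holds the Master role, cluster encryption is on, and the Peers count matches the table; the sample output is constructed to mirror the ASA1 output shown above after the client connected, and the column layout it assumes is that of the ASA release used in this lab.

```python
"""Check `show vpn load-balancing` output against the intended cluster design.

Added example, not from the workbook. SAMPLE_ASA1 is constructed to match the
format printed in the lab (ASA 8.x); the parser keys on field names and
whitespace-separated columns, not on fixed offsets.
"""
import re

# Constructed sample: ASA1's view once the client has been redirected to ASA2.
SAMPLE_ASA1 = """\
Status: enabled
Role: Master
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers: 1

                                               Load (%)        Sessions
Public IP       Role    Pri  Model           IPSec  SSL     IPSec  SSL
--------------------------------------------------------------------------
* 10.1.110.10   Master  10   ASA-5510        0      0       0      0
  10.1.110.12   Backup  5    ASA-5510        0      0       1      0
"""

# "Key: value" header lines; the column banner and table rows have no colon.
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.+?)\s*$")
# One member row; a leading "*" marks the device the command was run on and
# "n/a" appears where a Backup cannot see the Master's counters.
MEMBER_RE = re.compile(
    r"^(?P<self>\*)?\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<role>\w+)\s+(?P<pri>\d+)\s+"
    r"(?P<model>\S+)\s+(?P<ipsec_load>n/a|\d+)\s+(?P<ssl_load>n/a|\d+)\s+"
    r"(?P<ipsec_sess>n/a|\d+)\s+(?P<ssl_sess>n/a|\d+)\s*$"
)


def parse_lb(text):
    """Return (header dict, list of member dicts) for one show vpn load-balancing."""
    header, members = {}, []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            d = m.groupdict()
            d["self"] = d["self"] == "*"
            d["pri"] = int(d["pri"])
            for k in ("ipsec_load", "ssl_load", "ipsec_sess", "ssl_sess"):
                d[k] = None if d[k] == "n/a" else int(d[k])
            members.append(d)
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group("key")] = h.group("val")
    return header, members


def check_cluster(text, intended_master_ip):
    """Return a list of findings; an empty list means the output matches the design."""
    header, members = parse_lb(text)
    findings = []
    if header.get("Status") != "enabled":
        findings.append("load balancing is not enabled")
    if header.get("Encryption") != "enabled":
        findings.append("cluster encryption is off: member traffic is cleartext")
    if not members:
        findings.append("no cluster members parsed")
        return findings
    masters = [m for m in members if m["role"] == "Master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one Master, found {len(masters)}")
    elif masters[0]["ip"] != intended_master_ip:
        findings.append(f"Master is {masters[0]['ip']}, intended {intended_master_ip}")
    # The lab relies on priority alone (higher wins), so the top priority must be Master.
    top = max(members, key=lambda m: m["pri"])
    if top["role"] != "Master":
        findings.append(f"highest priority member {top['ip']} (pri {top['pri']}) is not Master")
    others = len(members) - 1
    if header.get("Peers") != str(others):
        findings.append(f"Peers={header.get('Peers')} but table lists {others} other members")
    return findings


def session_counts(text):
    """Map member IP -> IPSec session count (None where the member reports n/a)."""
    _, members = parse_lb(text)
    return {m["ip"]: m["ipsec_sess"] for m in members}


if __name__ == "__main__":
    print(check_cluster(SAMPLE_ASA1, "10.1.110.10"))   # [] when the design holds
    print(session_counts(SAMPLE_ASA1))
```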