Narbik CCIE security v4 workbook vol1 editable (ASA, VPN)
CCIE Security v4 Lab Workbook, Volume 1
Piotr Matusiak, CCIE #19860 (R&S, Security), C|EH, CCSI #33705
Narbik Kocharians, CCIE #12410 (R&S, Security, SP), CCSI #30832
Micronics Training Inc © 2013

Table of Contents

ASA Firewall
Lab 1.1  Basic ASA Configuration
Lab 1.2  Basic Security Policy (p. 17)
Lab 1.3  Dynamic Routing Protocols (p. 29)
Lab 1.4  ASA Management (p. 46)
Lab 1.5  Static NAT (8.2) (p. 59)
Lab 1.6  Dynamic NAT (8.2) (p. 67)
Lab 1.7  NAT Exemption (8.2) (p. 77)
Lab 1.8  Static Policy NAT (8.2) (p. 81)
Lab 1.9  Dynamic Policy NAT (8.2) (p. 91)
Lab 1.10 Static NAT (8.3+) (p. 99)
Lab 1.11 Dynamic NAT (8.3+) (p. 115)
Lab 1.12 Bidirectional NAT (8.3+) (p. 126)
Lab 1.13 Modular Policy Framework (MPF) (p. 131)
Lab 1.14 FTP Advanced Inspection (p. 138)
Lab 1.15 HTTP Advanced Inspection (p. 146)
Lab 1.16 Instant Messaging Advanced Inspection (p. 156)
Lab 1.17 ESMTP Advanced Inspection (p. 159)
Lab 1.18 DNS Advanced Inspection (p. 164)
Lab 1.19 ICMP Advanced Inspection (p. 169)
Lab 1.20 Configuring Virtual Firewalls (p. 175)
Lab 1.21 Active/Standby Failover (p. 198)
Lab 1.22 Active/Active Failover (p. 212)
Lab 1.23 Redundant Interfaces (p. 239)
Lab 1.24 Transparent Firewall (p. 246)
Lab 1.25 Threat Detection (p. 260)
Lab 1.26 Controlling ICMP and Fragmented Traffic (p. 264)
Lab 1.27 Time Based Access Control (p. 270)
Lab 1.28 QoS - Priority Queuing (p. 276)
Lab 1.29 QoS - Traffic Policing (p. 280)
Lab 1.30 QoS - Traffic Shaping (p. 285)
Lab 1.31 QoS - Traffic Shaping with Prioritization (p. 290)
Lab 1.32 SLA Route Tracking (p. 296)
Lab 1.33 ASA IP Services (DHCP) (p. 303)
Lab 1.34 URL Filtering and Applets Blocking (p. 310)
Lab 1.35 Troubleshooting Using Packet Tracer and Capture Tools (p. 314)

Site-to-Site VPN
Lab 1.36 Basic Site to Site IPSec VPN Main Mode (IOS-IOS) (p. 327)
Lab 1.37 Basic Site to Site IPSec VPN Aggressive Mode (IOS-IOS) (p. 353)
Lab 1.38 Basic Site to Site VPN with NAT (IOS-IOS) (p. 370)
Lab 1.39 IOS Certificate Authority (p. 386)
Lab 1.40 Site-to-Site IPSec VPN Using PKI (ASA-ASA) (p. 397)
Lab 1.41 Site-to-Site IPSec VPN Using PKI (IOS-IOS) (p. 411)
Lab 1.42 Site-to-Site IPSec VPN Using PKI (Static IP IOS-ASA) (p. 421)
Lab 1.43 Site-to-Site IPSec VPN Using PKI (Dynamic IP IOS-ASA) (p. 441)
Lab 1.44 Site-to-Site IPSec VPN Using PSK (IOS-ASA Hairpinning) (p. 462)
Lab 1.45 Site-to-Site IPSec VPN Using EasyVPN NEM (IOS-IOS) (p. 476)
Lab 1.46 Site-to-Site IPSec VPN Using EasyVPN NEM (IOS-ASA) (p. 485)
Lab 1.47 Site-to-Site IPSec VPN Using EasyVPN with ISAKMP Profiles (IOS-IOS) (p. 533)
Lab 1.48 GRE over IPSec (p. 551)
Lab 1.49 DMVPN Phase (p. 568)
Lab 1.50 DMVPN Phase (with EIGRP) (p. 585)
Lab 1.51 DMVPN Phase (with OSPF) (p. 604)
Lab 1.52 DMVPN Phase (with EIGRP) (p. 624)
Lab 1.53 DMVPN Phase (with OSPF) (p. 644)
Lab 1.54 DMVPN Phase Dual Hub (Single Cloud) (p. 668)
Lab 1.55 DMVPN Phase Dual Hub (Dual Cloud) (p. 698)
Lab 1.56 GET VPN (PSK) (p. 739)
Lab 1.57 GET VPN (PKI) (p. 761)
Lab 1.58 GET VPN COOP (PKI) (p. 780)

Remote Access VPN
Lab 1.59 Configuring Remote Access IPSec VPN Using EasyVPN (IOS to IOS) (p. 814)
Lab 1.60 Configuring Remote Access IPSec VPN Using EasyVPN (IOS to ASA) (p. 824)
Lab 1.61 Configuring RA VPN Using Cisco VPN Client and ASA (PSK) (p. 833)
Lab 1.62 Configuring RA VPN Using Cisco VPN Client and ASA (PKI) (p. 843)
Lab 1.63 Configuring SSL VPN (IOS) (p. 867)
Lab 1.64 Configuring SSL VPN (ASA) (p. 884)
Lab 1.65 AnyConnect 3.0 Basic Setup (p. 897)
Lab 1.66 AnyConnect 3.0 Advanced Features (p. 914)
Lab 1.67 EasyVPN Server on ASA with LDAP Authentication (p. 924)

Advanced VPN Features
Lab 1.68 IPSec Stateful Failover (p. 957)
Lab 1.69 IPSec Static VTI (p. 970)
Lab 1.70 IKE Encrypted Keys (p. 979)
Lab 1.71 IPSec Dynamic VTI (p. 984)
Lab 1.72 Reverse Route Injection (RRI) (p. 994)
Lab 1.73 Call Admission Control for IKE (p. 1011)
Lab 1.74 IPSec Load Balancing (ASA Cluster) (p. 1019)

Physical Topology (diagram)
ASA Firewall

Lab 1.1 Basic ASA Configuration

Lab Setup
- R1's F0/0 and ASA1's E0/1 interface should be configured in VLAN 101
- R2's G0/0 and ASA1's E0/0 interface should be configured in VLAN 102
- R4's F0/0 and ASA1's E0/2 interface should be configured in VLAN 104
- Configure Telnet on all routers using the password "cisco"

IP Addressing
Device  Interface  IP address
R1      Lo0        1.1.1.1/24
R1      F0/0       10.1.101.1/24
R2      Lo0        2.2.2.2/24
R2      G0/0       10.1.102.2/24
R4      Lo0        4.4.4.4/24
R4      F0/0       10.1.104.4/24
ASA1    E0/0       10.1.102.10/24
ASA1    E0/1       10.1.101.10/24
ASA1    E0/2.104   10.1.104.10/24

Task
Configure the ASA with the following settings:
- Hostname: ASA-FW
- Interface E0/0: name OUT, IP address 10.1.102.10/24, security level (value not preserved in this copy)
- Interface E0/1: name IN, IP address 10.1.101.10/24, security level 80
- On the ASA configure a default route pointing to R2 and static routes for the remaining networks
- On routers R1 and R2 configure default routes pointing to the ASA

Basic configuration of an ASA interface consists of an IP address, an interface name and a security level. The security level is assigned automatically when the interface is named: the ASA uses 100 for the name "inside" and 0 for any other name, including "outside". To set a different value, use the "security-level <0-100>" command.

What is the security level for? It decides which connections are treated as outbound and which as inbound. An outbound connection originates from a network behind a higher-security interface towards a network behind a lower-security interface. An inbound connection originates from a network behind a lower-security interface towards a network behind a higher-security interface. Outbound connections are tracked by stateful inspection, so their return traffic needs no access list. Inbound connections are considered untrusted by default and must be permitted explicitly by an access list.

Lab 1.74 IPSec Load Balancing (ASA Cluster)

Lab Setup
- R1's F0/0, ASA1's E0/0 and ASA2's E0/0 interfaces should be configured in VLAN 110
- R2's G0/0, ASA1's E0/1 and ASA2's E0/1 interfaces should be configured in VLAN 120
- R1's F0/1 and the PC NIC (SW3 F0/15) should be configured in VLAN 112
- Configure Telnet on all routers using the password "cisco"
- Configure EIGRP AS 120 in VLAN 120

IP Addressing
Device  Interface (name, security level)  IP address
R1      F0/0                              10.1.110.1/24
R1      F0/1                              112.1.1.1/24
R2      G0/0                              10.1.120.2/24
ASA1    E0/0 (Outside, 0)                 10.1.110.10/24
ASA1    E0/1 (Inside, 100)                10.1.120.10/24
ASA2    E0/0 (Outside, 0)                 10.1.110.12/24
ASA2    E0/1 (Inside, 100)                10.1.120.12/24
PC      NIC                               112.1.1.200/24

Task
Configure an EasyVPN Server on the ASA1/ASA2 VPN cluster. ASA1 should hold the Master role in the cluster, and the connection between cluster members should be encrypted and authenticated using the key "cisco123". Use the following ISAKMP parameters:
- Phase 1: authentication PSK, encryption 3DES, hashing SHA, DH group (value not preserved in this copy)
- Phase 2: encryption 3DES, hashing SHA, PFS group 2

A local user "student1" with the password "student123" should be able to connect to the cluster using the IP address 10.1.110.254 and the group SALES with the password "cisco123". The user should get an IP address from the pool 10.1.21.1 - 10.1.21.254 and the following additional information:
- DNS server: 10.1.120.5
- WINS server: 10.1.120.6
- Domain name: micronicstraining.com

After connecting, only traffic destined to the network 10.1.120.0/24 should be encrypted. Ensure that R2 learns the connected user's IP address through EIGRP routing updates.

(3DES, SHA-1, DH group 2 and the IKEv1 Cisco VPN Client are the parameters this lab calls for; they are legacy choices kept for the exam scenario, not what a new deployment should use.)

If you have a remote-access VPN in which two or more ASA devices on the same network terminate remote sessions, you can configure them to share the session load. This feature is called VPN load balancing. Two or more ASAs on the same LAN and Internet connection are grouped logically into a virtual cluster. Every member of the virtual cluster carries sessions; load balancing directs each new session to the least-loaded member, so the load is spread across the cluster.

One member of the virtual cluster holds the Master role and directs incoming connections to the other members, called Backup (secondary) members. The Master monitors every member, keeps track of how busy each one is, and distributes the session load accordingly. The Master role is not tied to a physical device; it can move between members. If the current Master fails, one of the Backup members takes over and immediately becomes the new Master.

To outside clients the cluster appears as a single virtual cluster IP address, which belongs to the current Master. When a VPN client attempts to connect to the cluster, the Master replies with the public IP address of the least-loaded available member, and in a second step the client connects directly to that member. If a member fails, its terminated sessions can immediately reconnect to the virtual cluster IP address, and the Master directs them to another active member. If the Master itself fails, another member takes over as the new Master. Even if several members fail, users can keep connecting as long as at least one member is up and available.

Two consequences of the redirect matter for whatever sits in front of the cluster: clients must be able to reach every member's real outside address, not only the cluster IP, and the cluster IP must be on the same subnet as the members' outside interfaces.

Configuration
Complete these steps:

Step 1. ASA1 IPSec configuration
First we configure the EasyVPN Server on both devices. The configuration is the usual one and was described in the Remote Access VPN section of the workbook.

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth pre-share
ASA1(config-isakmp-policy)# encr 3des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# group
ASA1(config-isakmp-policy)# exit
ASA1(config)# ip local pool VPN-CLIENTS 10.1.21.1-10.1.21.254 mask 255.255.255.0
ASA1(config)# access-list ST permit ip 10.1.120.0 255.255.255.0 any
ASA1(config)# group-policy SALES-POLICY internal
ASA1(config)# group-policy SALES-POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ipsec
ASA1(config-group-policy)# dns-server value 10.1.120.5
ASA1(config-group-policy)# wins-server value 10.1.120.6
ASA1(config-group-policy)# default-domain value micronicstraining.com
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value ST
ASA1(config-group-policy)# exit
ASA1(config)# tunnel-group SALES type remote-access
ASA1(config)# tunnel-group SALES ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key cisco123
ASA1(config-tunnel-ipsec)# exit
ASA1(config)# tunnel-group SALES general-attributes
ASA1(config-tunnel-general)# default-group-policy SALES-POLICY
ASA1(config-tunnel-general)# address-pool VPN-CLIENTS
ASA1(config-tunnel-general)# exit
ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set pfs group2
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set transform-set TSET
ASA1(config)# crypto dynamic-map DYN-CMAP 10 set reverse-route
ASA1(config)# crypto map ENCRYPT_OUT 10 ipsec-isakmp dynamic DYN-CMAP
ASA1(config)# crypto map ENCRYPT_OUT interface Outside
ASA1(config)# access-list TO-EIGRP standard permit 10.1.21.0 255.255.255.0
ASA1(config)# route-map REDIST-EIGRP permit 10
ASA1(config-route-map)# match ip address TO-EIGRP
ASA1(config-route-map)# exit
ASA1(config)# router eigrp 120
ASA1(config-router)# redistribute static route-map REDIST-EIGRP metric 10000 1000 255 1 1500
ASA1(config-router)# exit
ASA1(config)# username student1 password student123

The "set reverse-route" line makes the ASA install a /32 static route for each connected client (RRI); the route-map limits what is redistributed into EIGRP to the client pool, so only those host routes reach R2.

Step 2. ASA2 IPSec configuration
The EasyVPN Server configuration must be identical on both devices.

ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto isakmp policy 10
ASA2(config-isakmp-policy)# auth pre-share
ASA2(config-isakmp-policy)# encr 3des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# group
ASA2(config-isakmp-policy)# exit
ASA2(config)# ip local pool VPN-CLIENTS 10.1.21.1-10.1.21.254 mask 255.255.255.0
ASA2(config)# access-list ST permit ip 10.1.120.0 255.255.255.0 any
ASA2(config)# group-policy SALES-POLICY internal
ASA2(config)# group-policy SALES-POLICY attributes
ASA2(config-group-policy)# vpn-tunnel-protocol ipsec
ASA2(config-group-policy)# dns-server value 10.1.120.5
ASA2(config-group-policy)# wins-server value 10.1.120.6
ASA2(config-group-policy)# default-domain value micronicstraining.com
ASA2(config-group-policy)# split-tunnel-policy tunnelspecified
ASA2(config-group-policy)# split-tunnel-network-list value ST
ASA2(config-group-policy)# exit
ASA2(config)# tunnel-group SALES type remote-access
ASA2(config)# tunnel-group SALES ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key cisco123
ASA2(config-tunnel-ipsec)# exit
ASA2(config)# tunnel-group SALES general-attributes
ASA2(config-tunnel-general)# default-group-policy SALES-POLICY
ASA2(config-tunnel-general)# address-pool VPN-CLIENTS
ASA2(config-tunnel-general)# exit
ASA2(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
ASA2(config)# crypto dynamic-map DYN-CMAP 10 set pfs group2
ASA2(config)# crypto dynamic-map DYN-CMAP 10 set transform-set TSET
ASA2(config)# crypto dynamic-map DYN-CMAP 10 set reverse-route
ASA2(config)# crypto map ENCRYPT_OUT 10 ipsec-isakmp dynamic DYN-CMAP
ASA2(config)# crypto map ENCRYPT_OUT interface Outside
ASA2(config)# access-list TO-EIGRP standard permit 10.1.21.0 255.255.255.0
ASA2(config)# route-map REDIST-EIGRP permit 10
ASA2(config-route-map)# match ip address TO-EIGRP
ASA2(config-route-map)# exit
ASA2(config)# router eigrp 120
ASA2(config-router)# redistribute static route-map REDIST-EIGRP metric 10000 1000 255 1 1500
ASA2(config-router)# exit
ASA2(config)# username student1 password student123

Step 3. ASA1 clustering configuration
Cluster members communicate with each other through an encrypted tunnel when "cluster encryption" is enabled. That tunnel is a regular ISAKMP/IPSec SA built on the inside interface and authenticated with the "cluster key" as a pre-shared key, which is why ISAKMP must also be enabled on the inside interface. We also provide the virtual IP address of the cluster, which EasyVPN clients use as their tunnel endpoint. The priority is a number between 1 and 10 and decides which member becomes Master; the higher value wins. Finally, clustering is enabled on each member with the "participate" command.

ASA1(config)# crypto isakmp enable inside
ASA1(config)# vpn load-balancing
ASA1(config-load-balancing)# cluster ip address 10.1.110.254
ASA1(config-load-balancing)# cluster key cisco123
ASA1(config-load-balancing)# cluster encryption
ASA1(config-load-balancing)# priority 10
ASA1(config-load-balancing)# participate
ASA1(config-load-balancing)# exit

The cluster key is the only thing authenticating one member to another on the inside segment; a lab value like "cisco123" is fine here, but in production treat it like any other IKE pre-shared key.

Step 4. ASA2 clustering configuration
ASA2(config)# crypto isakmp enable inside
ASA2(config)# vpn load-balancing
ASA2(config-load-balancing)# cluster ip address 10.1.110.254
ASA2(config-load-balancing)# cluster key cisco123
ASA2(config-load-balancing)# cluster encryption
ASA2(config-load-balancing)# priority
ASA2(config-load-balancing)# participate
ASA2(config-load-balancing)# exit

Step 5. Routing on R1
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.110.254

Step 6. Client PC configuration
c:\>route add 10.1.110.0 mask 255.255.255.0 112.1.1.1

Verification

ASA1(config)# sh vpn load-balancing
Status: enabled
Role: Master
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers:
  Public IP     Role    Pri  Model     Load (%) IPSec/SSL  Sessions IPSec/SSL
* 10.1.110.10   Master  10   ASA-5510  0 0
  10.1.110.12   Backup       ASA-5510  0 0

ASA1 has become Master of the virtual cluster because of its higher priority.

ASA1(config)# sh cry isakmp sa
Active SA:
Rekey SA: (A tunnel will report Active and Rekey SA during rekey)
Total IKE SA: 1
IKE Peer: 10.1.120.12
Type : L2L    Role : responder    Rekey : no    State : MM_ACTIVE

The Master has an ISAKMP SA with the other member. Note that this SA was established in Main Mode between the private (inside) addresses.

ASA2(config)# sh vpn load-balancing
Status: enabled
Role: Backup
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers:
  Public IP     Role    Pri  Model     Load (%) IPSec/SSL  Sessions IPSec/SSL
* 10.1.110.12   Backup       ASA-5510  0 0
  10.1.110.10   Master  10   ASA-5510  n/a n/a            n/a n/a

The other member shows the same view; ASA2 is in the Backup role.

ASA2(config)# sh cry isak sa
Active SA:
Rekey SA: (A tunnel will report Active and Rekey SA during rekey)
Total IKE SA: 1
IKE Peer: 10.1.120.10
Type : L2L    Role : initiator    Rekey : no    State : MM_ACTIVE

Configure a new connection in the Cisco VPN Client to 10.1.110.254 with group SALES, and authenticate with the local user name (screenshots in the original). Then check that traffic to the desired network is encrypted:

c:\ACS_PC>ping 10.1.120.2
Pinging 10.1.120.2 with 32 bytes of data:
Reply from 10.1.120.2: bytes=32 time=14ms TTL=255
Reply from 10.1.120.2: bytes=32 time=1ms TTL=255
Reply from 10.1.120.2: bytes=32 time=1ms TTL=255
Reply from 10.1.120.2: bytes=32 time=1ms TTL=255
Ping statistics for 10.1.120.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 14ms, Average = 4ms

The tunnel is established and traffic is going through it.

ASA1(config)# sh vpn load-balancing
Status: enabled
Role: Master
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers:
  Public IP     Role    Pri  Model     Load (%) IPSec/SSL  Sessions IPSec/SSL
* 10.1.110.10   Master  10   ASA-5510  0 0
  10.1.110.12   Backup       ASA-5510  0

We see one IPSec session on the Backup device.

ASA1(config)# sh crypto isakmp sa
Active SA:
Rekey SA: (A tunnel will report Active and Rekey SA during rekey)
Total IKE SA: 1
IKE Peer: 10.1.120.12
Type : L2L    Role : responder    Rekey : no    State : MM_ACTIVE

Only one ISAKMP SA on ASA1 (the one to ASA2), meaning the client's connection landed on ASA2.

ASA1(config)# sh crypto ipsec sa
interface: inside
    Crypto map tag: vpn-lb-crypto-map, seq num: 65534, local addr: 10.1.120.10
      access-list vpnlb-10.1.120.12 permit ip host 10.1.120.10 host 10.1.120.12
      local ident (addr/mask/prot/port): (10.1.120.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.1.120.12/255.255.255.255/0/0)
      current_peer: 10.1.120.12
      #pkts encaps: 547, #pkts encrypt: 547, #pkts digest: 547
      #pkts decaps: 529, #pkts decrypt: 529, #pkts verify: 529
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 547, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.1.120.10, remote crypto endpt.: 10.1.120.12
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 66A95179
    inbound esp sas:
      spi: 0x6D983B72 (1838693234)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (3914973/28268)
         IV size: bytes
         replay detection support: Y
         Anti replay bitmap: 0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x66A95179 (1722372473)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (3914967/28268)
         IV size: bytes
         replay detection support: Y
         Anti replay bitmap: 0x00000000 0x00000001

The Master ASA has an IPSec SA with the Backup ASA only; there is no IPSec SA with the client. Note that the member-to-member SA uses its own transform (esp-3des esp-md5-hmac) under the system-generated vpn-lb-crypto-map, independent of the TSET transform-set configured for clients.

ASA1(config)# sh route
Gateway of last resort is 10.1.110.1 to network 0.0.0.0
C    10.1.110.0 255.255.255.0 is directly connected, outside
C    10.1.120.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.110.1, outside

ASA2(config)# sh vpn load-balancing
Status: enabled
Role: Backup
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers:
  Public IP     Role    Pri  Model     Load (%) IPSec/SSL  Sessions IPSec/SSL
* 10.1.110.12   Backup       ASA-5510  0
  10.1.110.10   Master  10   ASA-5510  n/a n/a            n/a n/a

ASA2(config)# sh crypto isakmp sa
Active SA:
Rekey SA: (A tunnel will report Active and Rekey SA during rekey)
Total IKE SA: 2
IKE Peer: 10.1.120.10
Type : L2L    Role : initiator    Rekey : no    State : MM_ACTIVE
IKE Peer: 112.1.1.200
Type : user   Role : responder    Rekey : no    State : AM_ACTIVE

Here is the client's connection (Aggressive Mode, type "user"): the Master redirected the client's IKE session to the Backup member rather than terminating it itself.

ASA2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN-CMAP, seq num: 10, local addr: 10.1.110.12
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.21.1/255.255.255.255/0/0)
      current_peer: 112.1.1.200, username: student1
      dynamic allocated peer ip: 10.1.21.1
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 285, #pkts decrypt: 285, #pkts verify: 285
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.1.110.12, remote crypto endpt.: 112.1.1.200
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FA9342C5
    inbound esp sas:
      spi: 0x9423992E (2485360942)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: DYN-CMAP
         sa timing: remaining key lifetime (sec): 28624
         IV size: bytes
         replay detection support: Y
         Anti replay bitmap: 0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFA9342C5 (4203954885)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: DYN-CMAP
         sa timing: remaining key lifetime (sec): 28624
         IV size: bytes
         replay detection support: Y
         Anti replay bitmap: 0x00000000 0x00000001

The client's packets are being encrypted and decrypted on ASA2.

interface: inside
    Crypto map tag: vpn-lb-crypto-map, seq num: 65534, local addr: 10.1.120.12
      access-list vpnlb-10.1.120.10 permit ip host 10.1.120.12 host 10.1.120.10
      local ident (addr/mask/prot/port): (10.1.120.12/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.1.120.10/255.255.255.255/0/0)
      current_peer: 10.1.120.10
      #pkts encaps: 618, #pkts encrypt: 618, #pkts digest: 618
      #pkts decaps: 639, #pkts decrypt: 639, #pkts verify: 639
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 618, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.1.120.12, remote crypto endpt.: 10.1.120.10
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6D983B72
    inbound esp sas:
      spi: 0x66A95179 (1722372473)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (4373961/28182)
         IV size: bytes
         replay detection support: Y
         Anti replay bitmap: 0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6D983B72 (1838693234)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: vpn-lb-crypto-map
         sa timing: remaining key lifetime (kB/sec): (4373968/28179)
         IV size: bytes
         replay detection support: Y
         Anti replay bitmap: 0x00000000 0x00000001

ASA2(config)# sh route
Gateway of last resort is 10.1.110.1 to network 0.0.0.0
S    10.1.21.1 255.255.255.255 [1/0] via 10.1.110.1, outside
C    10.1.110.0 255.255.255.0 is directly connected, outside
C    10.1.120.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.110.1, outside

Here is the static host route for the client's connection, injected by RRI. We now need to see it redistributed and advertised to R2 via EIGRP:

R2#sh ip route
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D EX    10.1.21.1/32 [170/514560] via 10.1.120.12, 00:03:56, FastEthernet0/0
C       10.1.120.0/24 is directly connected, FastEthernet0/0

R2 learns the client's /32 as an EIGRP external route from ASA2, the member that actually terminates the session, so return traffic for the client is routed to the right cluster member.
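The cluster behaviour described above (Master election by priority, the cluster IP belonging to the current Master, redirect of each new client to the least-loaded member, and re-homing of sessions when a member or the Master fails) can be modelled in a few lines. The following is an added example written for this page, not code from the workbook or from Cisco; the member addresses and the cluster IP are the lab's, ASA2's priority of 1 is an assumption (the page only says it is lower than ASA1's 10), and the tie-break that sends a client to a Backup rather than to the Master when loads are equal reflects what the lab observed, not a documented guarantee.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Member:
    """One ASA in the virtual cluster."""
    name: str
    public_ip: str          # real outside address the client is redirected to
    priority: int           # 1..10; the highest wins the Master election
    up: bool = True
    sessions: set = field(default_factory=set)   # client IPs terminated here

    @property
    def load(self) -> int:
        return len(self.sessions)


class VpnCluster:
    def __init__(self, cluster_ip: str, members: List[Member]):
        self.cluster_ip = cluster_ip
        self.members = {m.name: m for m in members}

    def available(self) -> List[Member]:
        return [m for m in self.members.values() if m.up]

    def master(self) -> Optional[Member]:
        """Highest priority among the members that are up. The role is not
        pinned to a box, so it is recomputed whenever membership changes."""
        alive = self.available()
        return max(alive, key=lambda m: m.priority) if alive else None

    def owner_of(self, ip: str) -> Optional[Member]:
        """The cluster IP always belongs to whichever member is Master now."""
        if ip == self.cluster_ip:
            return self.master()
        return next((m for m in self.available() if m.public_ip == ip), None)

    def connect(self, client_ip: str) -> str:
        """The client sends IKE to the cluster IP; the Master answers with the
        public IP of the least-loaded available member and the client then
        connects directly there. Assumption: on equal load a Backup is chosen
        before the Master itself, as seen in the lab."""
        master = self.master()
        if master is None:
            raise RuntimeError("no cluster member available")
        target = min(self.available(), key=lambda m: (m.load, m is master))
        target.sessions.add(client_ip)
        return target.public_ip

    def fail(self, name: str) -> List[Tuple[str, str]]:
        """A member goes down: its sessions are torn down and each client
        reconnects through the cluster IP, answered by the (possibly new)
        Master. Returns (client, new member public IP) pairs."""
        m = self.members[name]
        m.up = False
        orphans = sorted(m.sessions)
        m.sessions.clear()
        if not self.available():
            return []
        return [(c, self.connect(c)) for c in orphans]


def lab_cluster() -> VpnCluster:
    # Lab addresses; ASA2's priority value is an assumption (lower than 10).
    return VpnCluster("10.1.110.254", [
        Member("ASA1", "10.1.110.10", priority=10),
        Member("ASA2", "10.1.110.12", priority=1),
    ])


if __name__ == "__main__":
    c = lab_cluster()
    print("master:", c.master().name)                     # ASA1
    print("client 112.1.1.200 ->", c.connect("112.1.1.200"))  # 10.1.110.12
    print("moved after ASA1 failure:", c.fail("ASA1"))
    print("new master:", c.master().name)                 # ASA2
```

The model makes the failure-mode semantics explicit: a session never "fails over" in place, it is rebuilt by the client through the cluster IP, which is why the ASAs in a load-balancing cluster do not need to share IPsec state the way a failover pair does.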
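The verification above is done by eye. When a cluster is checked from a script (after a change window, or as a periodic health check), the same "show vpn load-balancing" output can be parsed and tested for the properties the lab relies on: load balancing and cluster encryption enabled, exactly one Master, the local role matching the starred row, and priorities within 1..10. The following is an added example written for this page, not Cisco code; the sample output is constructed to follow the column layout printed in the lab, and the Backup's priority (1) and session count (1) are assumptions, since those digits did not survive in this copy.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of "show vpn load-balancing" from the lab.
# Backup priority and its one IPSec session are assumed values.
SAMPLE = """\
Status: enabled
Role: Master
Failover: n/a
Encryption: enabled
Cluster IP: 10.1.110.254
Peers:
                                        Load (%)        Sessions
  Public IP      Role   Pri  Model     IPSec  SSL      IPSec  SSL
* 10.1.110.10    Master  10  ASA-5510      0    0          0    0
  10.1.110.12    Backup   1  ASA-5510      0    0          1    0
"""

# One peer row: optional "*" marks the device the command ran on.
PEER_RE = re.compile(
    r"^(?P<self>\*?)\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<role>Master|Backup)\s+"
    r"(?P<pri>\d+)\s+(?P<model>\S+)\s+(?P<load_ipsec>\d+)\s+(?P<load_ssl>\d+)\s+"
    r"(?P<sess_ipsec>\d+)\s+(?P<sess_ssl>\d+)\s*$")


def parse_vpn_lb(text: str) -> Dict:
    """Turn the show output into a dict of header fields plus a 'peers' list."""
    info: Dict = {"peers": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            d = m.groupdict()
            info["peers"].append({
                "self": d["self"] == "*",
                "ip": d["ip"], "role": d["role"], "pri": int(d["pri"]),
                "model": d["model"],
                "load": (int(d["load_ipsec"]), int(d["load_ssl"])),
                "sessions": (int(d["sess_ipsec"]), int(d["sess_ssl"])),
            })
        elif ":" in line and not line.startswith("Peers"):
            key, _, value = line.partition(":")
            info[key.strip().lower().replace(" ", "_")] = value.strip()
    return info


def check_cluster(info: Dict) -> List[str]:
    """Return findings; an empty list means the cluster looks as the lab expects."""
    findings = []
    if info.get("status") != "enabled":
        findings.append("load balancing not enabled")
    if info.get("encryption") != "enabled":
        findings.append("cluster traffic not encrypted")
    masters = [p for p in info["peers"] if p["role"] == "Master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one Master, found {len(masters)}")
    me = next((p for p in info["peers"] if p["self"]), None)
    if me and info.get("role") and me["role"] != info["role"]:
        findings.append(f"local role {info['role']} but peer table says {me['role']}")
    for p in info["peers"]:
        if not 1 <= p["pri"] <= 10:
            findings.append(f"{p['ip']}: priority {p['pri']} outside 1..10")
    return findings


def ipsec_sessions(info: Dict) -> Dict[str, int]:
    """IPSec session count per member, to see where clients actually landed."""
    return {p["ip"]: p["sessions"][0] for p in info["peers"]}


if __name__ == "__main__":
    parsed = parse_vpn_lb(SAMPLE)
    print(parsed["cluster_ip"], parsed["role"], ipsec_sessions(parsed))
    print("findings:", check_cluster(parsed))
```

Run it against the real output captured over SSH from each member: the per-member session map is what tells you whether the Master is really spreading load or whether every client is landing on the same box.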

Posted: 30/05/2020, 17:29