Cisco ASA Second Generation's OS 9.x

7/18/2019 Cisco ASA Second Generation's OS 9.x

http://slidepdf.com/reader/full/cisco-asa-second-generations-os-9x 1/844



Secure Your Network With Cisco ASA Second Generation's OS 9.x

of 846


Secure Your Network With

Cisco ASA Second Generation's OS 9.xBaldev Singh Deshwal, CCIE No. 37094




of 846


About the Authors

Baldev Singh Deshwal , CCIE No. 37094, is a Senior Network Security Engineer at Network Bulls.

His primary job responsibilities include configuring maintain & t-shoot NB network . As well as he

also provides corporate trainning & cisco certification Training.

Additional certifications include MCP, MCSA, MCTS, Certified.




of 846


About the Technical Reviewers

Baldev Singh Deshwal CCIE Security Certified CCIE# 37094.




of 846


Dedications

This book is dedicated to the only & only Almighty Lord Shiva. Who created such condition that I

could not stop myself to write this book.




of 846


Special Thanks

My Special thanks to my students. Who helped me to write this book.

Sandeep Yadav, Vishwajeet Rathore, Ram Swaroop Yadav, & Aman Soni

Keshav Trivedi, Shivendra & Lab Administrator Chander Prakash.




of 846


Contents At A Glance

Section I. Firewall Overview

Chapter 1 Firewall Introduction

Chapter 2 ASA Introduction

Chapter 3 ASA Basics

Section II. Routing on ASA

Chapter 4 Routing Introduction

Chapter 5 RIP

Chapter 6 EIGRP

Chapter 7 OSPF

Chapter 8 IPv6 Introduction

Chapter 9 SLA

Chapter 10 Multicasting

Section III. Access-list & NAT

Chapter 11 Introduction of Access-list

Chapter 12 NAT on OS 8.0

Chapter 13 NAT on 9.2.2.4

Chapter 14 CTP

Section IV. IPSec Introduction

Chapter 15 Overview of IPSec

Chapter 16 Site-Site VPN

Chapter 17 Remote Access VPN

Chapter 18 VPN Load balancing

Chapter 19 SSL VPN

Section V. Advance Firewall Features

Chapter 20 Transparent Firewall

Chapter 21 Context




of 846


Chapter 22 Failover

Chapter 23 MPF

Section VI. OS 9.x Advance Features

Chapter 24 OSPFv3

Chapter 25 NAT on OS 9.2.x on IPv6

Chapter 26 Site-Site VPN on IPv6

Chapter 27 SSL VPN on IPv6

Chapter 28 BGP

Chapter 29 Dynamic Routing in Context

Chapter 30 Site-Site VPN in Context

Chapter 31 Clustering

Chapter 32 Management of ASA

Chapter 33 IPv6 Active-Standby FO

Chapter 34 IPv6 Active-Active FO




of 846


Contents

Section I. Firewall Overview

Chapter 1 Firewall Introduction

Introduction of Firewall

Packet Filtering

Proxy ServerState Full Firewall

Transparent Firewall

Chapter 2 ASA Introduction

Introduction of ASA

ASA Features

Proprietary Operating System (P)

State Full Firewall

User Based Authentication

Protocols & Application Inspection

Modular Policy Frame Work

Virtual Private NetworkVirtual Firewall

Web Based Management


Statefull Failover (P)

IPv6

Clustering

VPN LoadBalancing (P)

Chapter 3 ASA Basics

How to set Hostname

How to set enable password

How to assign IP address to interfaceHow to assign security-level

How to enable Telnet

How to enable SSH

How to enable HTTP

How to take Backup of ASA

How to Upgrade ASA

How to recover ASA password

Diagrams & Labs:-

Section II. Routing on ASA

Chapter 4 Routing Introduction

Introduction of RoutingRouting Types

Static Routing

Default Routing

Dynamic Routing

Routing Protocols

Routed Protocols

IGP

EGP

AS

IGP Types

EGP Types

Distance Vector




of 846


Link State

Enhanced Distance Vector

Chapter 5 RIP

Introduction of RIP

RIP Versions

Difference between V1 & V2RIP Timers

RIP Loop Avoidance Techniques

Route Poisoning

Poison Reverse

Split-Horizon

Diagrams & Labs:-

Chapter 6 EIGRP

Introduction of EIGRP

EIGRP Components

Protocol Dependent Module

Reliable Transport ProtocolsNeighbour Discovery & Recovery

Diffusing Update Algorithm

EIGRP Messages

EIGRP Terminologies

Successor

Feasible Distance

Feasible Successor

Feasible Successor Requirements

Advertise Distance/Reported Distance

Input Event

Local ComputationGoing Active

EIGRP Additional Features

Incremental Updates

Multicast Updates

Unequal Cost Load Balancing

EIGRP Tables

Neighbour Tables

Topology Table

Routing Table

EIGRP Neighbour ship Requirements

EIGRP MetricEIGRP Modes

Diagrams & Labs:-

Chapter 7 OSPF

Introduction of OSPF

Difference Between Distance vector & Link State

OSPF Tables

OSPF Messages

OSPF Hello Message Contents

OSPF Message Contents

OSPF States

OSPF Priority

DR & BDR




of 846


OSPF Metric

OSPF Network Types

OSPF Router Types

OSPF LSA Types

OSPF Area Types

OSPF Virtual LinksOSPF Neighbours Requirements

Diagrams & Labs:-

Chapter 8 IPv6 Introduction

Introduction of IPv6

IPv6 styles

Global Unicast

Unique Local

Link-local

Link-local Address

IPv6 Structure

IPv6 Routing ProtocolsRIPng

IS-ISv6

OSPFv3

EIGRPv6

MP-BGP-4

Diagrams & Labs:-

Chapter 9 SLA

Introduction of SLA

Diagrams & Labs:-

Chapter 10 Multicasting

IP Addresses StyleUnicast

Broadcast

Multicast

Multicast Mac Structure

Multicast Address

IGMP

Version 1

Version 2

Version 3

IGMP Snooping

Multicast Routing ProtocolsPIM

RPF

Distribution Tree

Source Tree

Shared Tree

PIM Modes

Dense Mode

Sparse Mode

Sparse-Dense-Mode

PIM versions

Diagrams & Labs:-

Section III. Access-list & NAT




of 846


Chapter 11 Introduction of Access-list

Introduction of Access-list & Types

Standards Access-list

Extended Access-list

Time Base Access-list

Object Group & TypesNetwork Object

Protocol Object

Service Object

ICMP Object

Diagrams & Labs:-

Chapter 12 NAT on OS 8.0

Practical of

Static NAT (8.0)

Dynamic NAT (8.0)

PAT (8.0)

Static PAT (8.0)NAT Bypass (8.0)

Identity NAT (8.0)

NAT Exemption (8.0)

Policy NAT (8.0)

Diagrams & Labs:-

Chapter 13 NAT on OS 9.2.2.4

Practical of

Static NAT (8.4 & Later)

Dynamic NAT (8.4 & Later)

PAT (8.4 & Later)

Static PAT (8.4 & Later)Identity NAT (8.4 & Later)

Twice NAT (8.4 & Later)

Diagrams & Labs:-

Chapter 14 CTP

CTP Introduction

AAA

TACACS+

RADIUS

CTP Working

Diagrams & Labs:-

Section IV. IPSec IntroductionChapter 15 Overview of IPSec

IPSec Introduction

IPsec Features

Confidentiality

Integrity

Data Origin Authentication

Anti-Replay

IPSec Protocols

IKE

ESP

AH

IKE Mode




of 846


Main Mode

Aggressive Mode

Quick Mode

IKE Phases

Phase 1

Phase 1.5Phase 2

IPSec Mode

Transport Mode

Tunnel Mode

SA

SA Components

SAD

SPD

NAT-T

NAT-T Steps

NAT-T SupportNAT-T Detection

NAT-T Decision

ISAKMP

Chapter 16 Site-Site VPN

Introduction

Working

Diagrams & Labs:-

Chapter 17 Remote Access VPN

Introduction

Modes

ClientNetwork Extension

Network Extension Plus

Diagrams & Labs:-

Chapter 18 VPN Load balancing

Introduction

Supported Protocols

Cluster

Master

Member

Load balancing

Virtual Cluster AgentDiagrams & Labs:-

Chapter 19 SSL VPN

SSL Introduction

SSL Mode

Clientless

Thin-client

Thick-client

Requirements

Working

Diagrams & Labs:-

Section V. Advance Firewall Features

Chapter 20 Transparent Firewall




of 846


Introduction of Transparent Firewall

ASA Mode Route & Transparent

Transparent Firewall Limitation

Diagrams & Labs:-

Chapter 21 Context

Introduction of ContextSystem Area

Admin Context

Context Channing

Mac-Address Auto

Context Requirements

Context Limitations

Diagrams & Labs:-

Chapter 22 Failover

Introduction of Failover

Failover Requirements

Failover Hardware RequirementsFailover Software Requirements

Failover Types

Stateless Failover

Hardware Failover

State Full Failover

Failover Implementation Types

Active-Standby

Active-Active

Failover Limitations

Information Don't replicate During Failover

Failover MonitoringFailover Link

Diagrams & Labs:-

Chapter 23 MPF

Introduction OF Modular Policy Framework

MPF Features

Inspection of Connection

Connection Restriction

Traffic Prioritization

Traffic Policing

MPF Components

Class-mapPolicy-map

Service-policy

Default-inspected Protocols & applications

DCE

SUN RPC

ILS

NetBIOS

XDMCP

IPSec-Pass-Through

ICMP

FTP

SMTP




of 846


DNS

TFTP

HTTP

RSH

SQL.NET

SIPSCCP

CTIQBE

MGCP

Diagrams & Labs:-

Section VI. OS 9.x Advance Features

Chapter 24 OSPFv3

Diagrams & Labs:-

Chapter 25 NAT on OS 9.2.x on IPv6

Diagrams & Labs:-

Static

DynamicPAT

Static PAT

Identity NAT

Twice NAT

Chapter 26 Site-Site VPN on IPv6

Diagrams & Labs:-

Chapter 27 SSL VPN on IPv6

Diagrams & Labs:-

Clientless

Thin-client

Chapter 28 BGPBGP Introduction

BGP Messages

iBGP

eBGP

BGP States

BGP Terminology

Next-hop-self

Route-reflector-client

BGP-redistribute internal

Summarization or Aggregation

Diagrams & Labs:-Chapter 29 Dynamic Routing in Context

Diagrams & Labs:-

EIGRP

OSPF

Chapter 30 Site-Site VPN in Context

Diagrams & Labs:-

Chapter 31 Clustering

Introduction of Clustering

Clustering Terminology

Master

Slaves

Interface Types




of 846


Load balancing in Clustering

Cluster Monitoring

Limitation of Clustering

Supported Features of Clustering

Diagrams & Labs:-

Chapter 32 Management of ASAASA as DHCP

ASA as DHCP Relay-Agent

Fragmentation

uRPF

EC

Redundent Interface

Diagrams & Labs:-

Chapter 33 Active-Standby IPv6 FO

Diagrams & Labs:-

Chapter 34 Active-Active IPv6 FO

Diagrams & Labs:-




of 846


Practicals Covered in this book

1. ASA_BASIC

2. ASA_Static_&_Default

3. ASA_RIP

4. ASA_EIGRP

5.

ASA_OSPF6. ASA_SLA

7. ASA_CTP

8. ASA_Multicasting

9. ASA_ACL_&_Objects

10. ASA_ipv6_static_default

11. ASA_NAT_8.0

12. ASA_NAT_9.2

13. How_To_Configure_2003_As_CA



16.

How_To_Configure_IOS_As_CA17. ASA_s2s_pre_8.0

18. ASA_s2s_rsa_8.0

19. ASA_s2s_overlapping_subnet

20. ASA_s2s_pre_ikev1

21. ASA_s2s_rsa_ikev1_2003_ca

22. ASA_s2s_pre_ikev2

23. ASA_s2s_rsa_ikev2_2008_ca

24. ASA_s2s_rsa_ikev2_ios_Ca

25. ASA_s2s_rsa_ikev2_2012_Ca

26. ASA_ra_pre_8.0

27.

ASA_ra_rsa_8.028. ASA_ra_ikev1_pre

29. ASA_ra_ikev1_rsa

30. ASA_ssl_8.0

31. ASA_ssl_9.2

32. ASA_vpn_load_balancing

33. ASA_Transparent_firewall

34. ASA_context

35. ASA_Inter_context_routing

36. ASA_active_standby_fo

37. ASA_active_active_fo

38.

ASA_mpf39. ASA_EC_RE

40. ASA9.x_bgp

41. ASA9.x_clustering

42. ASA9.x_dynamic_routing

43. ASA9.x_ospfv3

44. ASA9.x_s2s_in_context

45. ASA9.x_ssl

46. ASA9.x_ipv6_s2s

47. ASA9.x_ipv6_ nat

48. ASA9.x_ipv6_active_standby_fo

49. ASA9.x_ipv6_active_active_fo

50.

To Be Continue...................................................




of 846


Chapter 1

After Reading this chapter you would be able to describe

Firewall

Firewall techniques

Packet Filtering

Proxy Server

State full Firewall


Introducing Firewall &

Firewall Techniques




of 846


Firewall a system or group of system. That manage access between two or more network.

1. Packet Filtering

2. Proxy Server

3. State-full Firewall

4. Transparent Firewall

In Packet filtering packets are filtered using access-list. On Cisco IOS we can use Standard or

Extended access-list, Named access-list,Time Based access-list, Dynamic access-list,Reflexive access-

list, TCP Establish access-list to filter the traffic .

Advantages

Easy to implement

Cost- effective

DisadvantagesNot-scalable

Complex access-list are hard to create & maintain

It works as an intermediate system b/w inside & outside world

It will not allow inside user to go outside directly vice-versa

Limitations

Single point of failure

It introduce delay

As name tells us that State-full .it maintain the state of connection when packet is travelling through

the appliance. It maintain the state of connection in state table. After adding information in state

table it forwards the packet to the destination. When it receive the reply-packet it match thepacket's information to state-table if match packet is accepted otherwise drop.

Firewall Introduction

Firewall Techniques

Packet Filtering

Proxy Server

Stateful Firewall




of 846


State table contents

Source IP

Destination IP

Source Port

Destination Port Additional Information ( syn , syn-ack , ack)

It works at layer 2, or it forwards the frames based on destination Mac. But still it has capabilities to

filter the traffic from layer 2 to layer 7.





of 846


Chapter 2


Cisco ASA

Cisco ASA Features

Cisco ASA Introduction




of 846


Cisco adaptive security appliance it is a combination of state full firewall & VPN concentrator .

Proprietary Operating system

State-Full Firewall

User Base Authentication (CTP)

Protocol and application inspection

MPF VPN

Virtual Firewalls

Web Base management


State Full Failover

IPV6

Clustering

VPN LoadBalancing

It mean that both hardware & software belongs to Cisco. It is not just like another vender they use

one company OS and another company hardware.

As name tells us that State-full .it maintain the state of connection when packet is travelling for the

appliance. It maintain the state of connection in state table. After adding information in state table

it forwards the packet to the destination. When it receive the reply-packet it match the packet

information to state-table if match packet is accepted otherwise drop.

Using this feature we can authenticate the inbound or outbound request

Of telnet , http, https, ftp using AAA server.

What is Cisco ASA

ASA Features

Proprietary Operating System

State full Firewall

User Base Authentication




of 846


A part of MPF(Modular Policy Framework ) using Protocol and application inspection we can enable

deeper inspection of application layer protocols like ftp, smtp, dns, tftp, http, NetBIOS etc.

A approach to gain following features

Inspection of connection

Connection restriction

Traffic prioritization Traffic policing

Cisco ASA support IPSec, SSL PPTP protocols for VPN

IPSec (site-site, & remote-access)

SSL (Clientless, Thin, Thick)

L2TP

We can divide an appliance into many virtual appliances these virtual appliances are call virtual

firewall or security context.

If some engineer feel complexity to configure an appliance using CLI

ASA has an option to configure it using GUI via ASDM

A Cisco Proprietary feature of Cisco ASA it provides uninterrupted network access, using redundant

appliancesIt support active-standby & active-active failover.

Protocol & Application Inspection

Modular Policy Framework

VPN

Virtual Firewall

Web Base Management

State full Failover




of 846


Cisco ASA also support ipv6 routing. Like static, Dynamic, Default.

A feature introduce in OS Version 9.0 it enables us to group multiple appliances as a single appliance.

A Cisco Proprieatry Feature of cisco firewall . It enable multiple remote vpn servers to appear as a

single server.

IPv6

Clustering

VPN Load Balancing




of 846


Chapter 3

After Reading this chapter you would be able to configure & Describe

Cisco asa Modes

Hostname

Enable Password

IP Address on interface

Security-level

Telnet

SSH

HTTP Backup

Upgrade

Password Recovery

ASA Basic




of 846


How to set hostname.

How to set enable password

How to set IP add on an interface

How to enable TELNET

How to enable SSH

How to enable HTTP

How to take backup

How to upgrade an appliance

How to recover password

Diagram:-

ASA Mode

ciscoasa> (User mode)

ciscoasa> enable

Password:

ciscoasa# conf t (enable mode)

ciscoasa(config)# ! hostname (config-mode)

ciscoasa(config)# hostname ASA1

How To set Enable Password

ASA1(config)#

ASA1(config)# enable password shiva

ASA1(config)# exit

Logoff

Type help or '?' for a list of available commands.

ASA1> enable

Password: shiva

ASA1# conf t

ASA1(config)# ! remove enable password

ASA1(config)# enable password (just enter)

ASA Basic LAB




of 846


How to Check Configuration

ASA1(config)# ! show run

ASA1(config)# sh running-config

: Saved

:

ASA Version 9.0(3)!

hostname ASA1

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface GigabitEthernet0/0

shutdown

no nameif

no security-level

How to Check Interface StatusASA1(config)# sh int ip brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES unset administratively down down






How to assign IP address & security-level to interface

ASA1(config)# ! set interface ipASA1(config)# int g0/0

ASA1(config-if)# no sh

ASA1(config-if)# ip add 192.168.101.1

ASA1(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASA1(config-if)# int g0/1


ASA1(config-if)# no shu

ASA1(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ASA1(config-if)# ip add 192.168.102.1ASA1(config-if)# ! check

ASA1(config-if)# sh int ip br

ASA1(config-if)# sh int ip brief


GigabitEthernet0/0 192.168.101.1 YES manual up up


PC2(config)#int fastEthernet 0/0

PC2(config-if)#no shutdown

PC2(config-if)#ip add 192.168.102.100 255.255.255.0


ASA1(config-if)# ping 192.168.101.1

Type escape sequence to abort.




of 846


Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms



Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:!!!!!





!!!!!





!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

How to enable telnet

ASA1(config)# telnet 192.168.101.100 255.255.255.255 inside (for host)

ASA1(config)# telnet 192.168.101.0 255.255.255.0 inside (for n/w)

ASA1(config)# telnet 0.0.0.0 0.0.0.0 inside (wild card)

! default telnet pass is cisco till os 8.6

! but in os 9.0 & later default password removed

ASA1(config)# ! you have to setASA1(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.0(3)

ASA1(config)# passwd cisco

! verification on pc




of 846


!How to enable SSH on Cisco ASA

ASA1(config)# domain-name cisco.com

ASA1(config)# crypto key generate rsa

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

ASA1(config)# ssh 0 0 insideASA1(config)# ssh 0 0 outside

ASA1(config)# username shiva password shiva privilege 15

ASA1(config)# aaa authentication ssh console LOCAL

! verification in pc




of 846


! verification in pc2

PC2#ssh -l shiva 192.168.102.1

Password:

Type help or '?' for a list of available commands.ASA1>

! you can't telnet to lowest security-level

ASA1(config)# telnet 0 0 outside

ASA1(config)# ssh 0 0 outside

PC2#telnet 192.168.102.1

Trying 192.168.102.1 ...

% Connection timed out; remote host not responding

PC2#ssh

PC2#ssh -l

PC2#ssh -l shiva 192.168.102.1




of 846


Password:

! How to enable http server

ASA1(config)# sh flash

--#-- --length-- -----date/time------ path

146 0 Aug 29 2014 13:00:14 nat_ident_migrate147 1422 Sep 23 2014 17:29:26 admin.cfg

148 2331 Sep 23 2014 17:29:26 old_running.cfg

22 4096 Sep 27 2013 10:55:54 coredumpinfo

23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg

149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg

11 4096 Aug 29 2014 12:48:00 log

21 4096 Aug 29 2014 12:48:40 crypto_archive

150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin

151 135168 Jan 01 1980 00:00:00 FSCK0000.REC

152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg

153 4096 Aug 29 2014 13:29:32 sdesktop165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml

166 2009 Aug 29 2014 13:42:06 sdesktop/data.xml

154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg

155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg

156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg

157 333 Aug 29 2014 13:28:04 Anyconnect_client_profile.xml

158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin

160 4096 Jan 01 1980 00:00:00 FSCK0001.REC

161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg

4118732800 bytes total (3964596224 bytes free)

ASA1(config)# http server enable

ASA1(config)# http 0 0 inside

ASA1(config)# username shiva pass shiva pri 15

ASA1(config)# ! verification on client




of 846


Note:-

if some wrongplease run these commands on asa

ASA1(config)# asdm image disk0:/asdm-66114.bin

initiate connection again.........................................




of 846





of 846


! ASA os Backup

ASA1(config)# sh fla

ASA1(config)# sh flash:--#-- --length-- -----date/time------ path

146 0 Aug 29 2014 13:00:14 nat_ident_migrate

147 1422 Sep 23 2014 17:29:26 admin.cfg



23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg

149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg

11 4096 Aug 29 2014 12:48:00 log


150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin

151 135168 Jan 01 1980 00:00:00 FSCK0000.REC152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg

153 4096 Aug 29 2014 13:29:32 sdesktop

165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml






158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin

160 4096 Jan 01 1980 00:00:00 FSCK0001.REC



ASA1(config)# copy flash: tftp:

Source filename []? asa903-smp-k8.bin

Address or name of remote host []? 192.168.101.100

Destination filename [asa903-smp-k8.bin]?

Writing file tftp://192.168.101.100/asa903-smp-k8.bin...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!36993024 bytes copied in 130.870 secs (284561 bytes/sec)




of 846


ASA1(config)# ! ASA os Upgrade

ASA1(config)# ! Latest os is no PC1 FTP

ASA1(config)# copy ftp://192.168.101.100/asa922-4-smp-k8.bin flash:

Address or name of remote host [192.168.101.100]? enter

Source filename [asa922-4-smp-k8.bin]? enter

Destination filename [asa922-4-smp-k8.bin]? enter

Accessing ftp://192.168.101.100/asa922-4-smp-

k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Writing file disk0:/asa922-4-smp-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

52457472 bytes copied in 63.150 secs (832658 bytes/sec)

ASA1(config)# sh flash:

--#-- --length-- -----date/time------ path

146 0 Aug 29 2014 13:00:14 nat_ident_migrate

147 1422 Sep 23 2014 17:29:26 admin.cfg



23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg




of 846


11 4096 Aug 29 2014 12:48:00 log


150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin

151 135168 Jan 01 1980 00:00:00 FSCK0000.REC

152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg

153 4096 Aug 29 2014 13:29:32 sdesktop165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml






158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin

168 52457472 Sep 28 2014 13:23:59 asa922-4-smp-k8.bin

160 4096 Jan 01 1980 00:00:00 FSCK0001.REC



! boot to latest os

ASA1(config)# boot system disk0:/asa922-4-smp-k8.bin

ASA1(config)# write

Building configuration...

Cryptochecksum: 23dfb1bc 85a02476 e2a94e9f 9626e623

2852 bytes copied in 0.750 secs

[OK]

ASA1(config)# sh running-config boot

boot system disk0:/asa922-4-smp-k8.bin

ASA1(config)# reloadProceed with reload? [confirm]

ASA1(config)#

***

*** --- START GRACEFUL SHUTDOWN ---

***

*** --- SHUTDOWN NOW ---

Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Launching BootLoader...Boot configuration file contains 1 entry.

Loading disk0:/asa922-4-smp-k8.bin...

ASA1# sh version

Cisco Adaptive Security Appliance Software Version 9.2(2)4

Device Manager Version 6.6(1)

Compiled on Tue 29-Jul-14 23:41 PDT by builders

System image file is "disk0:/asa922-4-smp-k8.bin"

Config file at boot was "startup-config"

ASA1 up 40 secs




of 846


! password recovery

ASA1(config)# enable password asdasdwwqek89geuqbdqweqw

ASA1(config)# wr

ASA1(config)# write

ASA1# ex

Logoff

Type help or '?' for a list of available commands.

ASA1> reset manually...the appliance......

At the time of boot....................

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 9 seconds.

Press (Use BREAK or ESC to interrupt boot) on key borad.........

Use ? for help.rommon #0> confreg 0x41

Update Config Register (0x41) in NVRAM...

rommon #1> reset

ciscoasa> en

ciscoasa> enable

Password:

ciscoasa# conf t

ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,

which allows Cisco to securely receive minimal error and health

information from the device. To learn more about this feature,

please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)#

ciscoasa(config)# copy startup-config running-config

Destination filename [running-config]?

.

Cryptochecksum (unchanged): 3968c06d 20751a6b 73f37918 d875d53d


ASA1(config)#

ASA1(config)# enable password enter

ASA1(config)# config-register 0x01

ASA1(config)# reload

System config has been modified. Save? [Y]es/[N]o: y




of 846


Cryptochecksum: 3f5ee47a 0fe39be7 24974ec3 28f97b3b


Proceed with reload? [confirm] enter

ASA1(config)#

***


ASA1> en

ASA1> enable

Password: (now no password)

ASA1#

ASA1(config)# ping 192.168.101.100




ASA1(config)# pin

ASA1(config)# ping 192.168.102.100



!!!!!





of 846


Chapter 4


Routing

Routing rules

Types of routing

Static Routing

Routing Protocols

Routed Protocols

IGP

EGP Distance Vector

Link State

Enhanced Distance Vector

Routing on Cisco ASA




of 846


A process of transferring a packet from one network to another is called routing.

Routing Rules

1. If the destination is in the same subnet or network then a device directly forwards a packet to

destination.

Note:- ARP request is used to find out destination Mac-address.

2. If the destination is not in the same subnet or network then a device directly forwards a packet to

default gateway.

Note:- ARP request is used to find out default gateway Mac-address

Static

Default

Dynamic

In static routing we define route manually with appropriate next-hop.In static routing we always define indirectly connected network.

Advantages

Easy to implement

Less CPU-overload

Less bandwidth consumption

Disadvantages

Not scale-able

It is used on stub router or network. A stub router has only one entry or exit point. It can be used to

reduce the size of routing table

Limitation

It can cause of loop in the network.

Routing

Routing Types

Static Routing

Default Routing




of 846


In dynamic routing we use routing protocol. They dynamically learn about route & do send routeinformation to the neighbours routers.

They are those protocol which have capabilities to send data from one device to another device.

Like IP,IPX, Apple Talk

IGP

EGP

They are those protocols which are designed to work within AS.

IGP Types

Distance Vector

Link State

Enhanced DV (Hybrid)

AS (Autonomous System)

A collection of router managed by single Organization.

They are designed to work over AS. BGP is only EGP Protocol.

Note EGP was a protocol itself in past

A Distance Vector routing protocol selects the route based on distance

That is called hop count.

Hop Count

When a packet across a router that is called one hop

Dynamic Routing

Routed Protocols

Routing Protocols Types

Interior Gateway Protocol

Exterior Gateway Protocol

Distance Vector




of 846


A Distance Vector routing protocol select that route which provides a network at least hop.

Examples:- RIP, IGRP.

As name tells us link state a link state routing protocol sends update based in the state of link. When

a link comes up & goes down it sends update.

It sends update with a sequence number. 0x80000001 goes till 0xFFFFFFFF.

Examples:- OSPF,IS-IS.

EIGRP is an Enhanced DV routing protocol based in distance vector algorithm. & sends incrementalupdate like link state i.e. Some people called it hybrid . But Cisco called it Enhanced DV.

Diagram:-

Link State

Enhance DV




of 846


Initial-config

hostname R1

interface fastEthernet 0/0

no shutdown

ip add 192.168.1.1 255.255.255.0no shutdown

int l1

ip add 172.10.1.1 255.255.255.0

int l2

ip add 172.10.2.1 255.255.255.0

int l3

ip add 172.10.3.1 255.255.255.0

int l4

ip add 172.10.4.1 255.255.255.0

int l5

ip add 172.10.5.1 255.255.255.0int l6

ip add 172.10.6.1 255.255.255.0

R2


no shutdown

ip add 192.168.2.1 255.255.255.0

no shutdown

int l1

ip add 172.20.1.1 255.255.255.0

int l2

ip add 172.20.2.1 255.255.255.0int l3

ip add 172.20.3.1 255.255.255.0

int l4

ip add 172.20.4.1 255.255.255.0

int l5

ip add 172.20.5.1 255.255.255.0

int l6

ip add 172.20.6.1 255.255.255.0

R3


no shutdownip add 192.168.3.1 255.255.255.0

no shutdown

int l1

ip add 172.30.1.1 255.255.255.0

int l2

ip add 172.30.2.1 255.255.255.0

int l3

ip add 172.30.3.1 255.255.255.0

int l4

ip add 172.30.4.1 255.255.255.0

int l5

ip add 172.30.5.1 255.255.255.0




of 846


int l6

ip add 172.30.6.1 255.255.255.0

R4


no shutdown


int l1

ip add 172.40.1.1 255.255.255.0

int l2

ip add 172.40.2.1 255.255.255.0

int l3

ip add 172.40.3.1 255.255.255.0

int l4

ip add 172.40.4.1 255.255.255.0

int l5

ip add 172.40.5.1 255.255.255.0int l6

ip add 172.40.6.1 255.255.255.0

Routing

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2

R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2

R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2

ASA1(config)# interface gigabitEthernet 0/0



INFO: Security level for "inside" set to 100 by default.ASA1(config-if)# ip add 192.168.1.2

ASA1(config-if)# interface g0/1


ASA1(config-if)# nameif dmz1

INFO: Security level for "dmz1" set to 0 by default.

ASA1(config-if)# security-level 60


ASA1(config-if)# interface gigabitEthernet 0/2



INFO: Security level for "outside" set to 0 by default.ASA1(config-if)# ip add 192.168.3.2















of 846



ASA1(config-if)# sh nameif

Interface Name Security

GigabitEthernet0/0 inside 100

GigabitEthernet0/1 dmz1 60

GigabitEthernet0/2 outside 0GigabitEthernet0/3 dmz2 50




!!!!!





!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msASA1(config-if)# ping 192.168.3.1



!!!!!





!!!!!


Static & Default Routing Commands on ASA

ASA1(config)# route inside 172.10.1.0 255.255.255.0 192.168.1.1






ASA1(config)# route dmz1 172.20.1.0 255.255.255.0 192.168.2.1


ASA1(config)# route dmz1 172.20.3.0 255.255.255.0 192.168.2.1ASA1(config)# route dmz1 172.20.4.0 255.255.255.0 192.168.2.1



ASA1(config)# route outside 0 0 192.168.3.1 (Default Route)







ASA1(config)# ping 172.10.1.1





of 846



!!!!!









!!!!!









!!!!!





!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msASA1(config)# ping 172.40.1.1



!!!!!





!!!!!


ASA1(config)# sh route insideS 172.10.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside

S 172.10.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside

S 172.10.3.0 255.255.255.0 [1/0] via 192.168.1.1, inside

S 172.10.4.0 255.255.255.0 [1/0] via 192.168.1.1, inside

S 172.10.5.0 255.255.255.0 [1/0] via 192.168.1.1, inside

S 172.10.6.0 255.255.255.0 [1/0] via 192.168.1.1, inside

ASA1(config)# sh route dmz1

S 172.20.1.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1

S 172.20.2.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1

S 172.20.3.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1

S 172.20.4.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1

S 172.20.5.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1




of 846


S 172.20.6.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1

ASA1(config)# sh route outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside

ASA1(config)# sh route dmz2S 172.40.1.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2

S 172.40.2.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2

S 172.40.3.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2

S 172.40.4.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2

S 172.40.5.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2

S 172.40.6.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2

ASA allow higher-level to lower default of not working problem access-list

Only TCP & UDP is allowed

ASA deny lower-level to higher default if you want apply access-listR1#telnet

*Sep 28 08:38:34.207: %SYS-5-CONFIG_I: Configured from console by console

R1#telnet 172.20.1.1

Trying 172.20.1.1 ... Open

Password required, but none set

[Connection to 172.20.1.1 closed by foreign host]

R1#telnet 172.30.1.1

Trying 172.30.1.1 ... Open



R1#telnet 172.40.1.1Trying 172.40.1.1 ... Open



But.........................

R2#telnet 172.10.1.1

Trying 172.10.1.1 ...

% Connection timed out; remote host not responding

R2#telnet 172.30.1.1

Trying 172.30.1.1 ... Open

Password required, but none set[Connection to 172.30.1.1 closed by foreign host]

R2#telnet 172.40.1.1

Trying 172.40.1.1 ... Open



If you want

Apply Access-list on ASA................

ASA1(config)# access-list dmz1 permit ip 172.20.0.0 255.255.0.0 172.10.0.0 255.255.0.0

ASA1(config)# access-group dmz1 in interface dmz1

R2#ping 172.10.1.1 source loopback 1




of 846




Packet sent with a source address of 172.20.1.1

!!!!!


R2#ping 172.10.6.1 source loopback 1Type escape sequence to abort.



!!!!!


R2#telnet 172.30.1.1 /source-interface loopback 1

Trying 172.30.1.1 ...

% Connection refused by remote host

it is due to access-list...............

If you want in acl permit R3 lan & R4 lan




of 846


Chapter 5


RIP

RIP Version

RIP Timers

RIP Loop avoidance Techniques

Route Poisoning

Poisoning Reverse

Split-Horizon

RIP




of 846


It is an interior gateway distance vector routing protocol.It use UDP Port no. 520. It has 2 version.

Version 1 Version 2

Class-full Class-less

DV DV

AD 120 AD 120

Metric Hop count Metric Hop count

Max-hop 15 Max-hop 15

Broadcast Update Multicast Update

255.255.255.255 224.0.0.9

Default ManualSend v1 Send v2

Receive v1&v2 Receive v2

No authentication Support authentication

Class-full Classless

A Class-full routing protocol doesn't send subnet mask information to neighbour router. Examples:-

RIPv1 & IGRP.

A Classless routing protocol do send subnet mask information to neighbour router

Examples:-Ripv2,EIGRP,OSPF,IS-IS,BGP.

Route Poisoning

Poison Reverse

Split-Horizon

Routing Information Protocol

Class Full Routing Protocols

Class Less Routing Protocols

Rip Loop Avoidance Techniques




of 846


Rip separate the bad news with a special type of metric that is infinite-metric i.e.16. When rip

advertise a route with 16 metric that is called Route Poisoning.

Route Poisoning

Router1>>>>> 101.0=16>>>>>>>>>Router2

When a router receive Route Poisoning update it accept is and updates it routing table, and it sends

same update to the neighbour.

(Router1>>>>> 101.0=16>>>>>>>>>Router2 )

(Router1<<<<< 101.0=16<<<<<<<<<Router2) is Poison Reverse

A rule in distance vector routing protocol. It doesn't allow a routing protocol to send an information

on an interface which was receive from same interface.

Update 30sec

Invalid 180sec

Hold 180sec

Flush 240sec

Route Poisoning

Poison Reverse

Split Horizon

RIP Timers




of 846


Diagram:-

Initial-config

hostname R1


no shutdown

ip add 192.168.1.1 255.255.255.0

no shutdown

int l1

ip add 172.10.1.1 255.255.255.0

int l2

ip add 172.10.2.1 255.255.255.0

int l3

ip add 172.10.3.1 255.255.255.0

int l4

ip add 172.10.4.1 255.255.255.0

int l5

ip add 172.10.5.1 255.255.255.0

int l6

ip add 172.10.6.1 255.255.255.0

R2


no shutdown

ip add 192.168.2.1 255.255.255.0

no shutdown

int l1

ip add 172.20.1.1 255.255.255.0

int l2




of 846


ip add 172.20.2.1 255.255.255.0

int l3

ip add 172.20.3.1 255.255.255.0

int l4

ip add 172.20.4.1 255.255.255.0

int l5ip add 172.20.5.1 255.255.255.0

int l6

ip add 172.20.6.1 255.255.255.0

R3


no shutdown

ip add 192.168.3.1 255.255.255.0

no shutdown

int l1

ip add 172.30.1.1 255.255.255.0

int l2ip add 172.30.2.1 255.255.255.0

int l3

ip add 172.30.3.1 255.255.255.0

int l4

ip add 172.30.4.1 255.255.255.0

int l5

ip add 172.30.5.1 255.255.255.0

int l6

ip add 172.30.6.1 255.255.255.0

R4

interface fastEthernet 0/0no shutdown

ip add 192.168.4.1 255.255.255.0

no shutdown

int l1

ip add 172.40.1.1 255.255.255.0

int l2

ip add 172.40.2.1 255.255.255.0

int l3

ip add 172.40.3.1 255.255.255.0

int l4

ip add 172.40.4.1 255.255.255.0int l5

ip add 172.40.5.1 255.255.255.0

int l6

ip add 172.40.6.1 255.255.255.0












of 846







ASA1(config-if)# nameif outsideINFO: Security level for "outside" set to 0 by default.










GigabitEthernet0/0 192.168.1.2 YES manual up upGigabitEthernet0/1 192.168.2.2 YES manual up up







GigabitEthernet0/2 outside 0



Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!





!!!!!









!!!!!


R1

router rip

no au

ver 2

net 0.0.0.0




of 846


R2

router rip

no au

ver 2

net 0.0.0.0

R3router rip

no au

ver 2

net 0.0.0.0

R4

router rip

no au

ver 2

net 0.0.0.0

ASA1

router ripno au

ver 2

net 0.0.0.0

ASA1# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

R 172.20.1.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1R 172.20.2.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1

R 172.20.3.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1

R 172.20.4.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1

R 172.20.5.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1

R 172.20.6.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1

R 172.30.1.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:17, outside

R 172.30.2.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:17, outside

R 172.30.3.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside

R 172.30.4.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside

R 172.30.5.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside

R 172.30.6.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside

R 172.40.1.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2




of 846


R 172.40.2.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2

R 172.40.3.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2

R 172.40.4.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2

R 172.40.5.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2

R 172.40.6.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2

! Disabling Updates on a Particuler Interface

ASA1(config)# router rip

ASA1(config-router)# passive-interface default

ASA1(config-router)# no passive-interface inside

ASA1(config-router)# no passive-interface dmz1


ASA1(config-router)# no passive-interface outside

ASA1(config-router)# route outside 0 0 192.168.3.1

!Redistribution in RIPASA1(config-router)# router rip

ASA1(config-router)# !redistribute

ASA1(config-router)# redistribute static metric 1

! Verification on Routers

R1#sh ip route rip

R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:24, FastEthernet0/0

R2#sh ip route rip

R* 0.0.0.0/0 [120/1] via 192.168.2.2, 00:00:24, FastEthernet0/0

R4#sh ip route rip

R* 0.0.0.0/0 [120/1] via 192.168.4.2, 00:00:08, FastEthernet0/0ASA1(config-router)# router rip

ASA1(config-router)# no redistribute static metric 1

! Default route Orgination via default-information orginate command

ASA1(config-router)# router rip

ASA1(config-router)# default-information originate

ASA1(config)# sh running-config route

! Verification on Routers

R1#sh ip route rip on R2, R3, R4

R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:17, FastEthernet0/0ASA1# sh route inside

R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside

R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside

R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside

R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside

R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside

R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside

C 192.168.1.0 255.255.255.0 is directly connected, inside

L 192.168.1.2 255.255.255.255 is directly connected, inside




of 846


! Route Filtering in RIP on ASA

ASA1(config)# access-list 10 permit 172.10.1.0 255.255.255.0



ASA1(config)# router rip

ASA1(config-router)# distribute-list 10 in interface inside

! Verification on ASA

ASA1(config-router)# sh route inside

R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside

R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside

R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside

R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside

R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside

R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside


L 192.168.1.2 255.255.255.255 is directly connected, insideASA1# clear route all

ASA1# sh route inside

R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside

R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside

R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside



! Enabling RIP Authentication on ASA

ASA1(config-router)# interface gigabitEthernet 0/0

ASA1(config-if)# rip authentication mode md5ASA1(config-if)# rip authentication key shiva key_id 100

! Verification & Effect on Authentication









R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside

R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside

R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside






of 846


! RIP Authentication on Router

R1(config)#key chain trust

R1(config-keychain)#key 100

R1(config-keychain-key)#key-string shiva

R1(config-keychain-key)#int f0/0

R1(config-if)#ip rip authentication mode md5R1(config-if)#ip rip authentication key-chain trust

! Verification on Router

R1#sh ip route rip

172.20.0.0/24 is subnetted, 6 subnets

R 172.20.1.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0





! RIP Version custmization on Router & ASA

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip rip receive version 2

R1(config-if)#ip rip send version 2


ASA1(config-if)# rip send version 2

ASA1(config-if)# rip receive version 2




of 846


Chapter 6


EIGRP

EIGRP Components

EIGRP Messages

EIGRP Terminology

EIGRP Tables Types

EIGRP Modes

EIGRP Neighbours Requirements

EIGRP




of 846


It is an interior gateway class-less enhanced Distance vector routing protocol. It use IP protocol no

88. It sends multicast hello at 224.0.0.10.

PDM (Protocol Dependent Module)

RTP(Reliable Transport Protocol)

NDR(Neighbour Discovery and Recovery)

DUAL(Diffusing Update Algorithm)

It is used to support different type of routed protocol

Like IP, IPX, Apple Talk.

It is used to send some EIGRP messages

EIGRP messages:-

1. Hello Multicast

2. Update via RTP Multicast

3. Acknowledgement Unicast

4.Query via RTP Multicast

5.Reply via RTP Unicast

It is used to maintain neighbour ship. Function

First it determines that how many neighbours are exist.

Second how many hello or Acknowledgement will be expected

If continue 3 hello missed neighbour is removed from neighbour table.

Enhanced Interior Gateway Routing Protocol

Enhanced Components

PDM

RTP

NDR




of 846


A modification in distance vector algorithm is called DUALIt provides a loop free failover path.

Successor

Feasible Distance

Feasible Successor

Feasible Successor Requirement

AD/RD

Input Event

Local Computation

Going Active

A best route to reach a subnet or network.

Calculated metric of successor is called Feasible Distance.

An another best route it provides backup to successor.

A route whose AD is less then FD of current successor.

DUAL

EIGRP Terminology

Successor

Feasible Distance

Feasible Successor

Feasible Successor Requirements




of 846


A Router's FD is called AD/RD for its neighbours.

An information which has capabilities to change the data base.

A term it has two function

If successor goes down it use FS

If FS is not available then it become active for that route

It means that a router is sending query to its neighbour for a route.

Incremental Updates

When there is a change in topology EIGRP will send updates.

Multicast Update

Updates at 224.0.0.10

Un-Equal Cost Load Balancing

In Un-Equal Cost Load Balancing best FD is multiply by multiplier and we get a product ifanother routes are lower than that product they are eligible for load balancing.

Neighbour Table

Topology Table

Routing Table

AD/RD

Input Event

Local Computation

Going Active

EIGRP Additional Features

EIGRP Tables




of 846


First of all EIGRP built neighbour table. It contain following information.

IP add of neighbour

Interface

Up time

Hold time

Sequence no of last packet

Packet in queue

SRTT

RTO

After neighbour table EIGRP maintain topology table

It contain successor & feasible successor.

It contain three types of route

Internal

External

Summary

EIGRP metric is called composite metric. It contain 5 elements, these elements are called K-values.

Bandwidth

Delay Load

Reliability

MTU

Only Bandwidth & delay is used for metric calculation.

AS No.

K-values Authentication

Neighbour Tables

Topology Tables

Routing Tables

EIGRP Metric

EIGRP Neighbour Requirement




of 846


Static neighbour ship

Passive mode

When a successor goes down and router has FS , it is called Passive mode.

Active mode

When a successor goes down and router has no FS , it is called Passive mode.

EIGRP support only MD5 auth

EIGRP AD 5/90/170(summary /internal/external)

EIGRP default hop 100 , max 255

EIGRP default variance 1, max 128

EIGRP default max-path 4, max 16

EIGRP default hello 5/60 (LAN/FR) EIGRP default hold 15/180 (LAN/FR)

Diagram:-

Initial-config

hostname R1


no shutdown

ip add 192.168.1.1 255.255.255.0

no shutdown

int l1

ip add 172.10.1.1 255.255.255.0

int l2

ip add 172.10.2.1 255.255.255.0

EIGRP Modes




of 846


int l3

ip add 172.10.3.1 255.255.255.0

int l4

ip add 172.10.4.1 255.255.255.0

int l5

ip add 172.10.5.1 255.255.255.0int l6

ip add 172.10.6.1 255.255.255.0

R2


no shutdown

ip add 192.168.2.1 255.255.255.0

no shutdown

int l1

ip add 172.20.1.1 255.255.255.0

int l2

ip add 172.20.2.1 255.255.255.0int l3

ip add 172.20.3.1 255.255.255.0

int l4

ip add 172.20.4.1 255.255.255.0

int l5

ip add 172.20.5.1 255.255.255.0

int l6

ip add 172.20.6.1 255.255.255.0

R3



no shutdown

int l1

ip add 172.30.1.1 255.255.255.0

int l2

ip add 172.30.2.1 255.255.255.0

int l3

ip add 172.30.3.1 255.255.255.0

int l4

ip add 172.30.4.1 255.255.255.0

int l5ip add 172.30.5.1 255.255.255.0

int l6

ip add 172.30.6.1 255.255.255.0

R4


no shutdown

ip add 192.168.4.1 255.255.255.0

no shutdown

int l1

ip add 172.40.1.1 255.255.255.0

int l2

ip add 172.40.2.1 255.255.255.0




of 846


int l3

ip add 172.40.3.1 255.255.255.0

int l4

ip add 172.40.4.1 255.255.255.0

int l5

ip add 172.40.5.1 255.255.255.0int l6

ip add 172.40.6.1 255.255.255.0









INFO: Security level for "dmz1" set to 0 by default.ASA1(config-if)# security-level 60










INFO: Security level for "dmz2" set to 0 by default.ASA1(config-if)# security-level 50










GigabitEthernet0/0 inside 100GigabitEthernet0/1 dmz1 60






!!!!!





!!!!!




of 846






!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msASA1(config-if)# ping 192.168.4.1



!!!!!


R1

router ei 100

no aut

net 0.0.0.0

R2

router ei 100no aut

net 0.0.0.0

R3

router ei 100

no aut

net 0.0.0.0

R4

router ei 100

no aut

net 0.0.0.0

ASA1router ei 100

no aut

net 0.0.0.0

! EIGRP Neighbour Verification

ASA1# sh eigrp neighbors

EIGRP-IPv4 Neighbors for AS(100)

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

3 192.168.4.1 dmz2 12 00:00:12 1 200 0 3

2 192.168.3.1 outside 14 00:00:14 1 200 0 31 192.168.2.1 dmz1 12 00:00:16 1 200 0 3

0 192.168.1.1 inside 10 00:00:17 1 200 0 3

! EIGRP Topology Verification

ASA1# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.4.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 172.20.5.0 255.255.255.0, 1 successors, FD is 130816

via 192.168.2.1 (130816/128256), dmz1





of 846


via Connected, dmz2


via 192.168.3.1 (130816/128256), outside


via Connected, inside

P 172.20.2.0 255.255.255.0, 1 successors, FD is 130816via 192.168.2.1 (130816/128256), dmz1


via 192.168.4.1 (130816/128256), dmz2


via 192.168.1.1 (130816/128256), inside


via 192.168.2.1 (130816/128256), dmz1


via 192.168.1.1 (130816/128256), inside


via Connected, dmz1P 172.30.1.0 255.255.255.0, 1 successors, FD is 130816

via 192.168.3.1 (130816/128256), outside


via 192.168.1.1 (130816/128256), inside


via 192.168.4.1 (130816/128256), dmz2


via 192.168.2.1 (130816/128256), dmz1


via 192.168.2.1 (130816/128256), dmz1

P 172.40.3.0 255.255.255.0, 1 successors, FD is 130816via 192.168.4.1 (130816/128256), dmz2


via Connected, outside


via 192.168.4.1 (130816/128256), dmz2


via 192.168.4.1 (130816/128256), dmz2


via 192.168.1.1 (130816/128256), inside


via 192.168.4.1 (130816/128256), dmz2P 172.30.3.0 255.255.255.0, 1 successors, FD is 130816

via 192.168.3.1 (130816/128256), outside


via 192.168.3.1 (130816/128256), outside


via 192.168.2.1 (130816/128256), dmz1


via 192.168.1.1 (130816/128256), inside


via 192.168.3.1 (130816/128256), outside


via 192.168.1.1 (130816/128256), inside




of 846



via 192.168.3.1 (130816/128256), outside

! Routing Table verification on ASA

ASA1# sh route






ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route


D 172.10.1.0 255.255.255.0[90/130816] via 192.168.1.1, 00:04:40, inside

D 172.10.2.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:04:40, inside

D 172.10.3.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:04:40, inside

D 172.10.4.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:04:40, inside

D 172.10.5.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:04:40, inside

D 172.10.6.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:04:40, insideD 172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1

D 172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1

D 172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1

D 172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1

D 172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1

D 172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1

D 172.30.1.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:04:38, outside

D 172.30.2.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:04:38, outside

D 172.30.3.0 255.255.255.0[90/130816] via 192.168.3.1, 00:04:38, outside

D 172.30.4.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:04:38, outside

D 172.30.5.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:04:38, outside

D 172.30.6.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:04:38, outside

D 172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2

D 172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2

D 172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2

D 172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2

D 172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2




of 846


D 172.40.6.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2



C 192.168.2.0 255.255.255.0 is directly connected, dmz1

L 192.168.2.2 255.255.255.255 is directly connected, dmz1

C 192.168.3.0 255.255.255.0 is directly connected, outsideL 192.168.3.2 255.255.255.255 is directly connected, outside



ASA1# ping 172.10.1.1



!!!!!


ASA1# ping 172.20.1.1




ASA1# ping 172.30.1.1



!!!!!


ASA1# ping 172.40.1.1




ASA1# ping 172.10.6.1



!!!!!


ASA1# ping 172.20.6.1



!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msASA1# ping 172.30.6.1



!!!!!


ASA1# ping 172.40.6.1



!!!!!





of 846


! Disabling Unwanted Updates or neighbourship in EIGRP

ASA1(config)# router eigrp 100

ASA1(config-router)# passive-interface default

ASA1(config-router)# no passive-interface inside



ASA1(config-router)# no passive-interface outside

ASA1(config-router)# route outside 0 0 192.168.3.1

! Redistribution in EIGRP

ASA1(config)# router eigrp 100

ASA1(config-router)# redistribute static metric 1 1 1 1 1

! Redistribution verification on Routers

R1#sh ip route eigrp on R2, R3, R4

D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0ASA1(config-router)# no redistribute static metric 1 1 1 1 1

ASA1(config-router)# default-metric 1 1 1 1 1

ASA1(config-router)# redistribute static

R1#sh ip route eigrp on R2, R3, R4

D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0

ASA1(config-router)# no redistribute static

! Static Neighbourship on ASA

ASA1(config-router)# neighbor 192.168.1.1 interface inside

! Debug Command review

R1#debug eigrp packets

EIGRP Packets debugging is on

(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

*Sep 28 09:29:35.271: EIGRP: Sending HELLO on Loopback2

*Sep 28 09:29:35.271: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

*Sep 28 09:29:35.271: EIGRP: Received HELLO on Loopback2 nbr 172.10.2.1

*Sep 28 09:29:35.271: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0

*Sep 28 09:29:35.271: EIGRP: Packet from ourselves ignored


*Sep 28 09:29:35.743: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0*Sep 28 09:29:35.743: EIGRP: Received HELLO on Loopback5 nbr 172.10.5.1



R1#



*Sep 28 09:29:36.519: EIGRP: Received HELLO on Loopback3 nbr 172.10.3.1



*Sep 28 09:29:36.947: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.2


*Sep 28 09:29:36.947: EIGRP: Ignore unicast Hello from FastEthernet0/0 192.168.1.2




of 846


R1#



! Static Neighbourship on Router

R1(config)#router ei 100R1(config-router)#neighbor 192.168.1.2 fastEthernet 0/0

! Verification of Static neighbourship


D 172.10.1.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:00:51, inside

D 172.10.2.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:00:51, inside

D 172.10.3.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:00:51, inside

D 172.10.4.0 255.255.255.0[90/130816] via 192.168.1.1, 00:00:51, inside

D 172.10.5.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:00:51, inside

D 172.10.6.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:00:51, inside

! Route Filtering in EIGRP

ASA1

access-list 10 standard permit 172.10.1.0 255.255.255.0



! Verification

ASA1(config-router)# router eigrp 100



D 172.10.1.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:02:10, inside

D 172.10.2.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:02:10, inside

D 172.10.3.0 255.255.255.0[90/130816] via 192.168.1.1, 00:02:10, inside



ASA1(config)# sh route

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside

D 172.10.1.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:03:02, inside

D 172.10.2.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:03:02, inside

D 172.10.3.0 255.255.255.0

[90/130816] via 192.168.1.1, 00:03:02, inside




of 846


D 172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1

D 172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1

D 172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1

D 172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1

D 172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1

D 172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1D 172.30.1.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:10:28, outside

D 172.30.2.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:10:30, outside

D 172.30.3.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:10:30, outside

D 172.30.4.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:10:30, outside

D 172.30.5.0 255.255.255.0

[90/130816] via 192.168.3.1, 00:10:30, outside

D 172.30.6.0 255.255.255.0[90/130816] via 192.168.3.1, 00:10:30, outside

D 172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2

D 172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2

D 172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2

D 172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2

D 172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2

D 172.40.6.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2

! EIGRP AD Changing


ASA1(config-router)# distance eigrp 111 222ASA1(config-router)# sh route inside

D 172.10.1.0 255.255.255.0

[111/130816] via 192.168.1.1, 00:00:06, inside

D 172.10.2.0 255.255.255.0

[111/130816] via 192.168.1.1, 00:00:06, inside

D 172.10.3.0 255.255.255.0

[111/130816] via 192.168.1.1, 00:00:06, inside



(Only One EIGRP AS IS ALLOWED)ASA1(config)# router eigrp 100


Too many IP routing processes for this routing protocol

ERROR: Unable to create router process

! Authenticaton in EIGRP on ASA


ASA1(config-if)# authentication mode eigrp 100 md5

ASA1(config-if)# authentication key eigrp 100 shiva key-id 100




of 846


! Verification of authentication on Router

R1(config-router)#

*Sep 28 09:39:11.267: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2

(FastEthernet0/0) is down: Auth failure

! Authenticaton in EIGRP on RouterR1(config)#key chain trust

R1(config-keychain)#key 100

R1(config-keychain-key)#key-string shiva

R1(config-keychain-key)#int f0/0

R1(config-if)#ip authentication mode eigrp 100 md5

R1(config-if)#ip authentication key-chain eigrp 100 trust

*Sep 28 09:40:06.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2

(FastEthernet0/0) is up: new adjacency

! Summrization in EIGRP

ASA1(config-if)# interface gigabitEthernet 0/0ASA1(config-if)# summary-address eigrp 100 0 0

! Verification on Router1

R1#sh ip route eigrp

D* 0.0.0.0/0 [90/28416] via 192.168.1.2, 00:00:30, FastEthernet0/0

R2# sh ip route eigrp


D 172.10.2.0 [90/156416] via 192.168.2.2, 00:01:51, FastEthernet0/0


D 172.10.1.0 [90/156416] via 192.168.2.2, 00:01:51, FastEthernet0/0172.30.0.0/24 is subnetted, 6 subnets










D 172.40.6.0 [90/156416] via 192.168.2.2, 00:06:41, FastEthernet0/0D 172.40.1.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0



D 192.168.4.0/24 [90/28416] via 192.168.2.2, 00:06:43, FastEthernet0/0




ASA1(config-if)# summary-address eigrp 100 172.10.0.0 255.255.248.0



R2# sh ip route eigrp




of 846







D 172.40.0.0 [90/156416] via 192.168.2.2, 00:00:15, FastEthernet0/0D 192.168.4.0/24 [90/28416] via 192.168.2.2, 00:07:57, FastEthernet0/0



! EIGRP Hello & Hold Changing


ASA1(config-if)# hello-interval eigrp 100 2

ASA1(config-if)# hold-time eigrp 100 4

R1#sh ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq(sec) (ms) Cnt Num

0 192.168.1.2 Fa0/0 3 00:04:15 3 200 0 133




of 846


Chapter 7


OSPF

Difference between link State & Distance Vector

OSPF Tables

OSPF Messages & Contents

OSPF States

DR & BDR

DR & BDR Requirements OSPF Area Structure

OSPF Network Types

OSPF Router Types

OSPF LSA Types

OSPF Area Types

OSPF Neighbour Ship Requirement

OSPF Authentication Types

OSPF Summarization Types

OSPF Virtual Link

OSPF




of 846


Priority

DR & BDR information

Authentication

Stub information

Version

Type

Packet length

Router ID

Area

Checksum

Authentication

Authentication data

Data

Down

Attempt

Initialization

2 way

Ex-start

Exchange

Loading

Full

it means that no hello exchange

This state is valid for NBMA network in this state a router sends Unicast hello to neighbour.

Because OSPF has no capabilities to establish neighbour ship automatically on NBMA network.

OSPF Messages Contents

OSPF States

OSPF Down State

OSPF Attempt State




of 846


when a router receives a hello that is called Initialization.

when hello is exchanged between two OSPF routers that is called 2 way.

DR & BDR is elected here.

In this state they elect master & slave. Master a router who sends DBD first.

Master requirement higher priority or higher router ID.

In this state only DBD is exchanged between OSPF routers.

In this state actual database is exchanged or we can say that LS-Request,

LS-Update ,LS Acknowledgement are also exchanged.

It means that the OSPF database is synchronized among OSPF router, and each router has a

complete database.

OSPF Initialization State

OSPF 2-Way State

OSPF Ex-Start State

OSPF Exchange State

OSPF Loading State

OSPF Full State




of 846


The logical grouping of OSPF routers is called OSPF Area

Here OSPF Area has two types

Backbone Area

Regular Area

Area zero is called backbone area. it only has the capabilities to transfer route from one area to

another are i.e. it is also called Transit Area.

Apart from area zero all other areas are called regular area.

they must be connected to backbone area.

OSPF Hello message has 8 bits priority field. default value 1 , maximum 255.if priority is zero then router will not participate in DR & BDR election.

Router when OSPF router are connected to a multi-access network. Then there is a responsibility of

one router who is responsible for making adjacencies with other router that is called DR.

OSPF Area

OSPF Area Structure

OSPF Backbone Area

OSPF Regular Area

OSPF Priority

Designated Router




of 846


Backup Designated Router it provides backup to DR.Note:-

DR & BDR concept is only used to minimise the adjacencies count

Adjacencies count without DR & BDR

n(n-1)/2

Adjacencies count with DR & BDR

n*2-3

Adjacencies count with DR

n-1

DR Requirements1. Higher Priority

2. Higher Router ID

DR is elected on every Broadcast & NB Segment.

Router ID Requirements

1. Highest Loopback

2. if no loopback then highest up physical interface ip

3. We can configure manual .

Is called Cost formula= 100 Mbps /bandwidth.

RFC

Cisco

RFC NBMA

P2MP

Cisco

Broadcast

P2P

P2MPNB

Broadcast & NB are for full mesh topology.

P2P, P2MP, P2MPNB for hub & spoke.

Backup Designated Router

OSPF Metric

OSPF Network Types




of 846


Network

type

Hello-

interval

Dead-

interval

Auto-

neighbour

Manual-

neighbour

DR or

BDR

Broadcast 10 40 YES NO YES

P2P 10 40 YES NO NO

P2MP 30 120 YES NO NO

P2MPNB 30 120 NO YES NO

NB 30 120 NO YES YES

Internal Router

Back Bone Router

ABR ASBR

A router consist it's all interfaces in regular area, i.e. called Internal router.

A router consist it's all interfaces in area 0 Backbone area, i.e. called Internal router.

Area Border Router a router which connect Backbone area to regular area is called ABR.

A router which connects OSPF routing domain to another routing domain is called ASBR.

OSPF Router Types

Internal Router

Backbone Router

Area Border Router

ASBR




of 846


Note:- OSPF sends incremental updates these updates are called LSA

Link state advertisement.

Router LSA

Network LSA

Summary LSA

AS LSA

External LSA

Group member ship LSA

NSSA LSA

It contain router ID of a router . it is sent within area.

It contain DR router ID sent by DR. is sent within area.

When the routes of one area go to another area , they go as summary LSA.

it is sent by ABR.

It contain ASBR router ID . it is generated by ABR when an ABR receives External LSA form ASBR.

It contain external routes it is sent by ASBR.

LSA Types

Router LSA

Network LSA

Summary LSA

AS ASBR LSA

External LSA




of 846


It is used in Multicast OSPF

It contain external route . it is used in NSSA area , it allow an ASBR to send external route through

stub area to back bone.

Why because STUB/NSSA area LSA 5 in not allowed they are filtered so do hide LSA 5 they are

encapsulated as LSA 7 and LSA 7 is only recognized by NSSA area.

Standard Area

Stub Area

Totally Stub Area

NSSA

Totally NSSA

It contain entire OSPF domain itself.

if you are using standard area then you can't reduce the size of routing table

to reduce the size of routing table we use another area types.

It filter the external routes and place them as default route.

It filter the external routes, inter-area routes and place them as default route.

Group Member LSA

NSSA LSA

OSPF Area Types

Standard Area

Stub Area

Totally Stub Area




of 846


It allow an ASBR to send external route through stub area to backbone area using LSA 7 (NSSA LSA).Notes:-

but it filter the external route coming from ABR

it doesn't generate default-route.

It allow an ASBR to send external route through stub area to backbone area using LSA 7 (NSSA LSA).

Notes:-but it filter the external route & inter-area route coming from ABR

It does generate default-route.

OSPF designing says that all regular area must be connected to Backbone area. if it not possible then

we have to use virtual-link.

1. Null Type 0

2. Plain text Type 1

3. MD5 Type 2

External Summarization at ASBR

Inter-Area Summarization at ABR

NSSA

Totally NSSA

OSPF Virtual Link

OSPF Authentication Types

OSPF Summarization Types




of 846


OSPF intra-area O IA OSPF inter-area

O E2 OSPF External Metric-type 2

O E1 OSPF External Metric-type 1

O N2 OSPF External Metric-type 2 in NSSA Area

O N1 OSPF External Metric-type 1 in NSSA Area

In Metric-type 2 internal cost is not added when route are propagated in OSPF domain.

In Metric-type 1 internal cost is do added when route are propagated in OSPF domain.

If you want that best path should be used for External router you have to use metric-type 1.

when routes are redistributed in routing Protocol that wants a starting point

that starting point is called seed metric

OSPF seed metric is 20 . if you want to change it you can change it at the time of redistribution.

Area 0 can't be stub

virtual link are not allowed in stub area

All router must be agree that we are a part of stub area.

1.Subet/mask

2. Hello interval

3. Dead interval

4. Authentication

5. Stub information

6. Area

7. MTU

OSPF Routes Types

Seed Metric

Important Note

OSPF NeighbourShip Requirement




of 846


OSPF AD 110

Default max-path 4 , maximum 16

224.0.0.6 is used by NON-DR to DR only for update & acknowledgement

224.0.0.5 is used for Hello NON-DR or DR to NON-DR

224.0.0.5 is used for Update DR to NON-DR

Diagram:-

Initial-config

hostname R1


no shutdown

ip add 192.168.1.1 255.255.255.0

no shutdown

int l1

ip add 172.10.1.1 255.255.255.0

int l2

ip add 172.10.2.1 255.255.255.0int l3

ip add 172.10.3.1 255.255.255.0

int l4

ip add 172.10.4.1 255.255.255.0

int l5

ip add 172.10.5.1 255.255.255.0

int l6

ip add 172.10.6.1 255.255.255.0

R2






of 846


no shutdown

int l1

ip add 172.20.1.1 255.255.255.0

int l2

ip add 172.20.2.1 255.255.255.0

int l3ip add 172.20.3.1 255.255.255.0

int l4

ip add 172.20.4.1 255.255.255.0

int l5

ip add 172.20.5.1 255.255.255.0

int l6

ip add 172.20.6.1 255.255.255.0

R3


no shutdown


int l1

ip add 172.30.1.1 255.255.255.0

int l2

ip add 172.30.2.1 255.255.255.0

int l3

ip add 172.30.3.1 255.255.255.0

int l4

ip add 172.30.4.1 255.255.255.0

int l5

ip add 172.30.5.1 255.255.255.0int l6

ip add 172.30.6.1 255.255.255.0

R4


no shutdown

ip add 192.168.4.1 255.255.255.0

no shutdown

int l1

ip add 172.40.1.1 255.255.255.0

int l2

ip add 172.40.2.1 255.255.255.0int l3

ip add 172.40.3.1 255.255.255.0

int l4

ip add 172.40.4.1 255.255.255.0

int l5

ip add 172.40.5.1 255.255.255.0

int l6

ip add 172.40.6.1 255.255.255.0








of 846







ASA1(config-if)# security-level 60ASA1(config-if)# ip add 192.168.2.2










ASA1(config-if)# security-level 50ASA1(config-if)# ip add 192.168.4.2










GigabitEthernet0/1 dmz1 60GigabitEthernet0/2 outside 0





!!!!!









!!!!!





!!!!!


R1




of 846


R1(config)#router os 100

R1(config-router)#net 192.168.1.0 0.0.0.255 area 1


R2


R2(config-router)#net 192.168.2.0 0.0.0.255 area 0R2(config-router)#router ei 100

R2(config-router)#no au

R2(config-router)#net 172.20.0.0 0.0.7.255

R3




R4



R4(config-router)#router ei 200R4(config-router)#no au

R4(config-router)#net 172.40.0.0 0.0.7.255

ASA1(config)# router os 100

ASA1(config-router)# net 192.168.1.0 255.255.255.0 area 1




! OSPF Neighbour Table Verification

ASA1(config)# sh ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

172.20.6.1 1 FULL/DR 0:00:32 192.168.2.1 dmz1

172.10.6.1 1 FULL/DR 0:00:39 192.168.1.1 inside

172.30.6.1 1 FULL/DR 0:00:37 192.168.3.1 outside

172.40.6.1 1 FULL/DR 0:00:32 192.168.4.1 dmz2

! OSPF Topology Verification

ASA1(config)# sh ospf database

OSPF Router with ID (192.168.4.2) (Process ID 100)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count

172.20.6.1 172.20.6.1 265 0x80000002 0x 4c5 1

192.168.4.2 192.168.4.2 232 0x80000001 0x78f7 1

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum

192.168.2.1 172.20.6.1 265 0x80000001 0x 5c9




of 846


Summary Net Link States (Area 0)


172.30.1.1 192.168.4.2 212 0x80000001 0x8075

172.30.2.1 192.168.4.2 212 0x80000001 0x757f172.30.3.1 192.168.4.2 212 0x80000001 0x6a89

172.30.4.1 192.168.4.2 212 0x80000001 0x5f93

172.30.5.1 192.168.4.2 212 0x80000001 0x549d

172.30.6.1 192.168.4.2 212 0x80000001 0x49a7

192.168.1.0 192.168.4.2 222 0x80000002 0xfa5d

192.168.3.0 192.168.4.2 212 0x80000001 0xe670

192.168.4.0 192.168.4.2 213 0x80000001 0xdb7a


Link ID ADV Router Age Seq# Checksum Link count172.10.6.1 172.10.6.1 271 0x80000002 0xb629 1

192.168.4.2 192.168.4.2 231 0x80000002 0x6011 1



192.168.1.1 172.10.6.1 271 0x80000001 0x10d3


Link ID ADV Router Age Seq# Checksum172.30.1.1 192.168.4.2 213 0x80000001 0x8075

172.30.2.1 192.168.4.2 213 0x80000001 0x757f

172.30.3.1 192.168.4.2 213 0x80000001 0x6a89

172.30.4.1 192.168.4.2 213 0x80000001 0x5f93

172.30.5.1 192.168.4.2 213 0x80000001 0x549d

172.30.6.1 192.168.4.2 213 0x80000001 0x49a7

192.168.2.0 192.168.4.2 223 0x80000001 0xf166

192.168.3.0 192.168.4.2 213 0x80000001 0xe670

192.168.4.0 192.168.4.2 214 0x80000001 0xdb7a



172.30.6.1 172.30.6.1 229 0x80000003 0x9dd2 7

192.168.4.2 192.168.4.2 229 0x80000001 0x8edf 1



192.168.3.1 172.30.6.1 229 0x80000001 0xf9bf





of 846



192.168.1.0 192.168.4.2 224 0x80000001 0xfc5c

192.168.2.0 192.168.4.2 224 0x80000001 0xf166

192.168.4.0 192.168.4.2 214 0x80000001 0xdb7a



172.40.6.1 172.40.6.1 224 0x80000002 0x9efe 1

192.168.4.2 192.168.4.2 223 0x80000001 0xa4c7 1



192.168.4.1 172.40.6.1 224 0x80000001 0xeeb5



172.30.1.1 192.168.4.2 215 0x80000001 0x8075

172.30.2.1 192.168.4.2 215 0x80000001 0x757f

172.30.3.1 192.168.4.2 215 0x80000001 0x6a89

172.30.4.1 192.168.4.2 215 0x80000001 0x5f93

172.30.5.1 192.168.4.2 215 0x80000001 0x549d

172.30.6.1 192.168.4.2 215 0x80000001 0x49a7

192.168.1.0 192.168.4.2 215 0x80000001 0xfc5c

192.168.2.0 192.168.4.2 215 0x80000001 0xf166

192.168.3.0 192.168.4.2 215 0x80000001 0xe670

! OSPF Routing Table Verification

ASA1# sh route








Gateway of last resort is 192.168.3.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside

O 172.30.1.1 255.255.255.255

[110/11] via 192.168.3.1, 00:04:18, outside

O 172.30.2.1 255.255.255.255

[110/11] via 192.168.3.1, 00:04:18, outside

O 172.30.3.1 255.255.255.255

[110/11] via 192.168.3.1, 00:04:18, outside

O 172.30.4.1 255.255.255.255

[110/11] via 192.168.3.1, 00:04:18, outside




of 846


O 172.30.5.1 255.255.255.255

[110/11] via 192.168.3.1, 00:04:18, outside

O 172.30.6.1 255.255.255.255

[110/11] via 192.168.3.1, 00:04:18, outside


L 192.168.1.2 255.255.255.255 is directly connected, insideC 192.168.2.0 255.255.255.0 is directly connected, dmz1


C 192.168.3.0 255.255.255.0 is directly connected, outside

L 192.168.3.2 255.255.255.255 is directly connected, outside



NO AREA 4 routes

! Virtual Link in OSPF

ASA1(config-router)# router ospf 100

ASA1(config-router)# area 1 virtual-link 172.10.6.1

R1(config-router)#router os 100

R1(config-router)#area 1 virtual-link 192.168.4.2

R1(config-router)#

*Sep 28 10:02:01.999: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from LOADING

to FULL, Loading Done

! Verification of routes Learn via Virtual Link

ASA1# sh route









S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outsideO IA 172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside

O IA 172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside

O IA 172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside

O IA 172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside

O IA 172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside

O IA 172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside

O 172.30.1.1 255.255.255.255

[110/11] via 192.168.3.1, 00:02:35, outside

O 172.30.2.1 255.255.255.255

[110/11] via 192.168.3.1, 00:02:35, outside

O 172.30.3.1 255.255.255.255

[110/11] via 192.168.3.1, 00:02:35, outside




of 846


O 172.30.4.1 255.255.255.255

[110/11] via 192.168.3.1, 00:02:35, outside

O 172.30.5.1 255.255.255.255

[110/11] via 192.168.3.1, 00:02:41, outside

O 172.30.6.1 255.255.255.255

[110/11] via 192.168.3.1, 00:02:41, outsideC 192.168.1.0 255.255.255.0 is directly connected, inside








! Redistribution in OSPF on Router

R2(config)#router ospf 100R2(config-router)#redistribute eigrp 100

% Only classful networks will be redistributed

R1#sh ip route ospf


O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0






O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0

O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0

NO routes of eigrp 100

R2(config-router)#router ospf 100

R2(config-router)#redistribute eigrp 100 subnets metric-type 1

! Redistributed Route Verification

R1#sh ip route ospf


O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0

O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0















of 846


O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:04:31, FastEthernet0/0


! OSPF External Summrization


R2(config-router)#summary-address 172.20.0.0 255.255.248.0

! OSPF External Summrization Verification

R1#sh ip route ospf








O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0




! Disabling OSPF External Summrization


R2(config-router)#no summary-address 172.20.0.0 255.255.248.0

R1#sh ip route ospf

172.20.0.0/24 is subnetted, 6 subnetsO E1 172.20.1.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0















! OSPF Inter-area summrization

ASA1(config)# router os 100

ASA1(config-router)# area 2 range 172.30.0.0 255.255.248.0

! OSPF Inter-area summrization Verification

R1#sh ip route ospf




of 846













! Disabling Inter-area summrization

ASA1(config-router)# router os 100

ASA1(config-router)# no area 2 range 172.30.0.0 255.255.248.0R1#sh ip route ospf

















! OSPF Authentication on ASA

ASA1(config-router)# interface gigabitEthernet 0/0

ASA1(config-if)# ospf authentication message-digestASA1(config-if)# ospf message-digest-key 100 md5 shiva

R1#

*Sep 28 10:13:20.491: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from

FULL to DOWN, Neighbor Down: Dead timer expired

R1#debug ip ospf events

OSPF events debugging is on

*Sep 28 10:20:40.255: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication

type. Input packet specified type 2, we use type 0




of 846


! OSPF Authentication on Router


R1(config-if)#ip ospf authentication message-digest

R1(config-if)#ip ospf message-digest-key 100 md5 shiva

! OSPF Authentication VerificationR1(config-if)#


LOADING to FULL, Loading Done

! OSPF Hello & Dead Interval Verification

ASA1(config-if)# sh ospf interface inside

inside is up, line protocol is up

Internet Address 192.168.1.2 mask 255.255.255.0, Area 1

Process ID 100, Router ID 192.168.4.2, Network Type BROADCAST, Cost: 10

Transmit Delay is 1 sec, State DR, Priority 1

Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2Backup Designated router (ID) 172.10.6.1, Interface address 192.168.1.1

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

! OSPF Hello & Dead Interval Modification on ASA


ASA1(config-if)# ospf hello-interval 5





Transmit Delay is 1 sec, State DR, Priority 1Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2

Backup Designated router (ID) 172.10.6.1, Interface address 192.168.1.1



ASA1(config-if)# ospf dead-interval 15





Transmit Delay is 1 sec, State DR, Priority 1Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2

No backup designated router on this network


! Effect of Timer Chainging

R1#


FULL to DOWN, Neighbor Down: Dead timer expired

R1#

*Sep 28 10:16:26.727: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from FULL to

DOWN, Neighbor Down: Interface down or detached




of 846


! OSPF Debug Command Analyzation

R1#debug ip ospf events

OSPF events debugging is on

*Sep 28 10:18:03.567: OSPF: Send with youngest Key 100

*Sep 28 10:18:03.567: OSPF: Send hello to 224.0.0.5 area 1 on FastEthernet0/0 from 192.168.1.1

R1#*Sep 28 10:18:05.223: OSPF: Rcv hello from 192.168.4.2 area 1 from FastEthernet0/0 192.168.1.2

*Sep 28 10:18:05.223: OSPF: Mismatched hello parameters from 192.168.1.2

*Sep 28 10:18:05.223: OSPF: Dead R 15 C 40, Hello R 5 C 10 Mask R 255.255.255.0 C 255.255.255.0

! OSPF Timer Chainging on Router


R1(config-if)#ip ospf hello-interval 5

R1(config-if)#ip ospf dead-interval 15



R3#sh ip route ospf

















! Stub Area commands

ASA1(config)# router ospf 100

ASA1(config-router)# area 2 stubR3(config)# router ospf 100

R3(config-router)# area 2 stub

R3(config-router)#


FULL to DOWN, Neighbor Down: Adjacency forced to reset

R3(config-router)#



! Stub Area verification

R3#sh ip route ospf





of 846







O IA 172.10.1.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0O IA 192.168.4.0/24 [110/11] via 192.168.3.2, 00:00:49, FastEthernet0/0



O*IA 0.0.0.0/0 [110/2] via 192.168.3.2, 00:00:49, FastEthernet0/0

! Totally Stub Commands


ASA1(config-router)# area 2 stub no-summary

! Totally Stub Area Verification

R3#sh ip route ospfO*IA 0.0.0.0/0 [110/2] via 192.168.3.2, 00:00:30, FastEthernet0/0

R4#sh ip route ospf























! Area 3 Stub Commands


ASA1(config-router)# area 3 stub

R4(config)#router ospf 100

R4(config-router)# area 3 stub




of 846


R4(config-router)#


INIT to DOWN, Neighbor Down: Adjacency forced to reset

R4(config-router)#



! Stub Verification

R4#sh ip route ospf








172.30.0.0/32 is subnetted, 6 subnetsO IA 172.30.3.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0












ASA1(config-router)# area 3 stub no-summary

! Verification of Totally Stub Area

R4#sh ip route ospf


! Redistribute EIGRP 200 Route in OSPF

R4(config)#router ospf 100R4(config-router)#redistribute eigrp 200 subnets metric-type 1

R4(config-router)#

*Sep 28 11:13:14.383: %OSPF-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while

having only one area which is a stub area.

! Not allowed Please Remove Stub commands Then configure as NSSA

R4(config-router)#router os 100

R4(config-router)#no area 3 stub

R4(config-router)#area 3 nssa


ASA1(config-router)# no area 3 stub




of 846


ASA1(config-router)# area 3 nssa

! NSSA Verification on ASA

ASA1(config-router)# sh route dmz2

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area







O N1 172.40.1.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2

O N1 172.40.2.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2O N1 172.40.3.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2

O N1 172.40.4.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2

O N1 172.40.5.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2

O N1 172.40.6.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2



R4#sh ip route ospf













O IA 172.30.4.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0O IA 192.168.1.0/24 [110/11] via 192.168.4.2, 00:00:37, FastEthernet0/0



No eigrp routes



ASA1(config-router)# area 3 nssa no-summary default-information-originate




of 846


! verification of Totally NSSA

R4#sh ip route ospf


ASA1(config)# sh route inside








O IA 172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside

O IA 172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, insideO IA 172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside

O IA 172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside

O IA 172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside

O IA 172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside

! By Default OSPF Treat loopback as single host if you want that it should be treat as network

please do the following

R1(config)#interface loopback 1

R1(config-if)#ip ospf network point-to-point

R1(config-if)#interface loopback 2

R1(config-if)#ip ospf network point-to-pointR1(config-if)#interface loopback 3








ASA1(config)# sh route inside








O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:01:04, inside

O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside

O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside




of 846


O IA 172.10.4.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside

O IA 172.10.5.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside

O IA 172.10.6.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside



! OSPF Route filtering

ASA1






! OSPF Route filtering verification

ASA1(config-router)# sh route insideCodes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP








O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside

O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside

O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, insideC 192.168.1.0 255.255.255.0 is directly connected, inside


ASA1(config-router)# sh route



N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2





S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside

O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside

O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside

O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside

O E1 172.20.1.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1




of 846


O E1 172.20.2.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1

O E1 172.20.3.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1

O E1 172.20.4.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1

O E1 172.20.5.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1

O E1 172.20.6.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1

O 172.30.1.1 255.255.255.255[110/11] via 192.168.3.1, 00:00:10, outside

O 172.30.2.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:10, outside

O 172.30.3.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:14, outside

O 172.30.4.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:14, outside

O 172.30.5.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:14, outside

O 172.30.6.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:14, outsideO N1 172.40.1.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2

O N1 172.40.2.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2

O N1 172.40.3.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2

O N1 172.40.4.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2

O N1 172.40.5.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2

O N1 172.40.6.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2

! OSPF AD Changing


ASA1(config-router)#distance ospf inter-area 110 intra-area 110 external 180

ASA1(config-router)# sh route









S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside

O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside

O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside

O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside

O E1 172.20.1.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1

O E1 172.20.2.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1

O E1 172.20.3.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1

O E1 172.20.4.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1

O E1 172.20.5.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1

O E1 172.20.6.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1

O 172.30.1.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:27, outside




of 846


O 172.30.2.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:27, outside

O 172.30.3.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:28, outside

O 172.30.4.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:28, outsideO 172.30.5.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:28, outside

O 172.30.6.1 255.255.255.255

[110/11] via 192.168.3.1, 00:00:28, outside

O N1 172.40.1.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2

O N1 172.40.2.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2

O N1 172.40.3.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2

O N1 172.40.4.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2

O N1 172.40.5.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2

O N1 172.40.6.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2

R1#sh ip route ospf




















O E1 172.40.3.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:31:22, FastEthernet0/0



! OSPF Defaurt route Orgination


ASA1(config-router)# default-information originate always




of 846


! OSPF Defaurt route Orgination verification

R1#sh ip route ospf























O*E2 0.0.0.0/0 [110/10] via 192.168.1.2, 00:00:54, FastEthernet0/0


ASA1(config-router)# no default-information originate always

! Mannual Router ID


ASA1(config-router)# router-id 123.123.123.123

R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface123.123.123.123 1 FULL/BDR 00:00:13 192.168.1.2 FastEthernet0/0

but virtual-link will down due to router-id mismatch.




of 846


Chapter 8


IPv6

IPv6 Styles

IPv6 Routing Protocols

RIPng

OSPFv3

EIGRPv6

IPv6 Introduction




of 846


Before IPv6 we have to understand IP

A logical address it enable a machine to communicate with other machine of network.

IP Part

1. Network ID

2. Host ID

Network ID

it enable us to determine that what is the network location in a class

Host ID

It enable us to determine that what is the location of a host in a network

A (1-126)/8

B (128-191)/16

C (192-223)/24

D (224-239)

E (240-255)

Public

Private

Public

They are accessible via internet , unique in the world

Private

They are not accessible via internet. they can be used by private organization.

IPv6

IP Address

IP Address Classes

IP Address Types




of 846


Brief

32 bits address

Decimal format

separated by ( . )

20 bytes header

IPv6

128 bits address

Hexadecimal format

separated by( : )

40 bytes header

Unicast

Multicast

Anycast

Unicast Types Global Unicast

Unique Local

Link Local

Global Unicast

They are the public address routable over internet like ipv4 public addresses.

Start with 2000::/3

Unique Local

They are the private address not routable over internet like ipv4 private addresses. Start with

FD00::/8

Link Local

They are automatically created by device they are used by routing protocols to communicate

each other

Start with FE80::/10

Link Local address contain 64 interface ID

Interface ID contain 48 Bits MAC & 16 Bits EUI

EUI is FFFE

Procedure of Link Local

for example

MAC is 0000.0c07.ac01

MAC address 1st bytes 7th bit is replaced with zero to 1

IPv6 Style

Unicast Types




of 846


do

MAC now 100.0c07.ac01

Add EUI

100.0cFF.FE07.ac01

ADD Link Local Prefix

FE80:: 100.0cFF.FE07.ac01/10

Multicast

They are just like IPv4 multicast addresses

FF02::1 for all host

FF02::2 for all router

FF02::5 for OSPF

FF02::6 for OSPF

FF02::9 for RIPng

FF02::A for EIGRP

FF02::D for PIM

1234:1234:1234:1234:1234:1234:1234:1234 (right)

2000:0000:0000:1111:0000:0000:0000:0001 (right)

2000:0:0:1111:0:0:0:1 (right)

2000::1111:0:0:0:1 (right) {8-6=2 dual :: is representing 2 block 0}

2000:0:0:1111::1 (right) {8-5=3 dual :: is representing 3 block 0}

2000::1111::1 (wrong) {8-3=5, 3+2 or 2+3 }

:: Only Once

RIPng

IS-ISv6

OSPFv3

EIGRPv6

MP-BGP

IPV6 Format

IPV6 Routing Protocols




of 846


RIPng

Routing Information Protocol next generation

It is based on RIPv2

It use UDP port 521

Multicast update FF02::9

No authentication support We can run multiple RIPng process now.

Max-Path 16

IS-ISv6

It use same concept of IS-IS. it use IP protocol no. 131 (0x83).

It works at OSI layer 3

It PDU is directly encapsulated in frame.

EIGRPv6

Cisco Proprietary

IP protocol no. 88

Same concept like EIGRP

Max-Path 16

Default Shutdown

It require Router ID

Multicast at FF02::A

MD5 authentication

OSPFv3

Still Open Standard

IP protocol no. 89 Use IPSec Authentication

It ADD 16 bytes Header while OSPF ADD 24 bytes

Note

Cisco ASA OS version 8.6 support only static & default IPv6 routing

Cisco ASA OS version 9.2.2.4 support only static & default & OSPFv3 IPv6 routing.




of 846


Diagram:-

Initial-config

R1

ipv6 unicast-routing


no shutdown

ipv6 add 192:168:1::1/48

int lo1

ipv6 add 192:168:101::1/48

ipv6 route ::/0 192:168:1::2

R2



no shutdown

ipv6 add 192:168:2::1/48

int l1

ipv6 add 192:168:102::1/48

ipv6 route ::/0 192:168:2::2

R3



no shutdown

ipv6 add 192:168:3::1/48

int l1

ipv6 add 192:168:103::1/48

ipv6 route ::/0 192:168:3::2




of 846


R4



no shutdown

ipv6 add 192:168:4::1/48

int lo1ipv6 add 192:168:104::1/48

ipv6 route ::/0 192:168:4::2

ASA1


nameif inside

security-level 100

no ip address

ipv6 address 192:168:1::2/48

!


nameif dmz1security-level 60

no ip address

ipv6 address 192:168:2::2/48

!


nameif outside

security-level 0

no ip address

ipv6 address 192:168:3::2/48

!

interface GigabitEthernet0/3nameif dmz2

security-level 50

no ip address

ipv6 address 192:168:4::2/48

!

ASA1(config)# sh ipv6 int brief

inside [up/up]

fe80::6e20:56ff:febd:ea87

192:168:1::2

dmz1 [up/up]

fe80::6e20:56ff:febd:ea84192:168:2::2

outside [up/up]


192:168:3::2

dmz2 [up/up]


192:168:4::2

GigabitEthernet0/4 [administratively down/down]

unassigned

GigabitEthernet0/5 [administratively down/down]

unassigned

Management0/0 [administratively down/down]




of 846


unassigned

ASA1(config)# ping 192:168:1::1


Sending 5, 100-byte ICMP Echos to 192:168:1::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 msASA1(config)# ping 192:168:2::1



!!!!!





!!!!!


ASA1(config)# ping 192:168:4::1Type escape sequence to abort.


!!!!!


! ipv6 static & default

ipv6 route inside 192:168:101::/48 192:168:1::1

ipv6 route dmz1 192:168:102::/48 192:168:2::1

ipv6 route outside ::/0 192:168:3::1

ipv6 route dmz2 192:168:104::/48 192:168:4::1

ASA1(config)# ping 192:168:101::1



!!!!!


ASA1(config)# ping 192:168:102::1



!!!!!


ASA1(config)# ping 192:168:103::1Type escape sequence to abort.


!!!!!


ASA1(config)# ping 192:168:104::1



!!!!!


ASA will Allow Higher to lower

R1#telnet 192:168:102::1




of 846


Trying 192:168:102::1 ... Open


[Connection to 192:168:102::1 closed by foreign host]R1#telnet 192:168:103::1

Trying 192:168:103::1 ... Open


[Connection to 192:168:103::1 closed by foreign host]

R1#telnet 192:168:104::1

Trying 192:168:104::1 ... Open



R1#

! if you want lower to higher apply acl

ASA1

access-list dmz1 permit ip 192:168:102::/48 192:168:101::/48



access-group dmz1 in interface dmz1access-list out permit ip 192:168:103::/48 192:168:101::/48

access-list out permit ip 192:168:103::/48 192:168:102::/48

access-list out permit ip 192:168:103::/48 192:168:104::/48

access-group out in interface outside




access-group dmz2 in interface dmz2

R1

R1#ping 192:168:102::1 source loopback 1



Packet sent with a source address of 192:168:101::1

!!!!!






!!!!!





of 846







R2





!!!!!






!!!!!







R3





!!!!!






!!!!!






!!!!!





of 846


R4




Packet sent with a source address of 192:168:104::1!!!!!






!!!!!






!!!!!





of 846


Chapter 9


SLA

Service Level Agreement (SLA)




of 846


Assume that we have a appliance and it is connected to 2 ISP (ISP1,ISP2).

ISP1 is primary using AD 1, ISP2 is secondary using AD 2.

if over primary link will goes down then appliance will use secondary.

But here condition is this , there is no problem in our access-link , but ISP networks has

problem means that ISP1 is not able to give us connectivity.

in this situation, appliance will not use ISP2 link. Because ISP1 link is up

to solve this problem we have SLA (Service Level Agreement).

In SLA we check reach ability from over end to public server. using ICMP Echo-request.

that is called in Track, Track is associated with static route example ISP1

if reach ability is available , track will remain up , track is up route will remain in routing

table.

if no reach ability track will go down , track down appliance will remote primary link form

table then secondary will use.

Diagram:-

Initial-config

PC1

PC1(config)#interface fastEthernet 0/0


PC1(config-if)#ip add 192.168.101.100 255.255.255.0PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1

ISP

ISP(config)#interface fastEthernet 0/0

ISP(config-if)#no shutdown

ISP(config-if)#ip add 101.1.1.1 255.255.255.0

ISP(config-if)#int f0/1

ISP(config-if)#no shutdown

ISP(config-if)#ip add 102.1.1.1 255.255.255.0

ISP(config-if)#int l1

ISP(config-if)#ip add 1ISP(config-if)#ip add 1.1.1.1 255.255.255.255

SLA Service Level Agreement




of 846


ASA1

ASA1(config)# hostname ASA1



ASA1(config-if)# nameif insideINFO: Security level for "inside" set to 100 by default.

ASA1(config-if)# ip add 192.168.101.1 255.255.255.0



ASA1(config-if)# nameif outside1

INFO: Security level for "outside1" set to 0 by default.

ASA1(config-if)# ip add 101.1.1.100 255.255.255.0



ASA1(config-if)# nameif outside2

INFO: Security level for "outside2" set to 0 by default.ASA1(config-if)# ip add 102.1.1.100 255.255.255.0

ASA1(config)# ping 192.168.101.100



!!!!!


ASA1(config)# pin





ASA1(config)# pin




!!!!!


! SLA on ASA

sla monitor 1

type echo protocol ipIcmpEcho 1.1.1.1 interface outside1

timeout 1000

frequency 1

exit

sla monitor schedule 1 start-time now life forever

track 11 rtr 1 reachability

route outside1 0 0 101.1.1.1 track 11

route outside2 0 0 102.1.1.1 2




of 846


ASA1# sh track

Track 11

Response Time Reporter 1 reachability

Reachability is Up

2 changes, last change 00:00:17

Latest operation return code: OKLatest RTT (millisecs) 1

Tracked by:

STATIC-IP-ROUTING 0

ASA1# sh route





i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static route



S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1

C 101.1.1.0 255.255.255.0 is directly connected, outside1

L 101.1.1.100 255.255.255.255 is directly connected, outside1



C 192.168.101.0 255.255.255.0 is directly connected, insideL 192.168.101.1 255.255.255.255 is directly connected, inside


ISP(config-if)#shutdown

ASA1# sh track

Track 11


Reachability is Down

5 changes, last change 00:00:14

Latest operation return code: Timeout

Tracked by:STATIC-IP-ROUTING 0

ASA1# sh route












of 846


S* 0.0.0.0 0.0.0.0 [2/0] via 102.1.1.1, outside2




L 102.1.1.100 255.255.255.255 is directly connected, outside2C 192.168.101.0 255.255.255.0 is directly connected, inside



ISP(config-if)#no sh

ASA1# sh track

Track 11


Reachability is Up6 changes, last change 00:00:08

Latest operation return code: OK

Latest RTT (millisecs) 1

Tracked by:

STATIC-IP-ROUTING 0

ASA1# sh route




E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2




S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1




L 102.1.1.100 255.255.255.255 is directly connected, outside2C 192.168.101.0 255.255.255.0 is directly connected, inside


! Optional commands

ASA1(config)# nat (inside,outside1) source dynamic any interface

ASA1(config)# nat (inside,outside2) source dynamic any interface

ASA1(config)# class-map shiva

ASA1(config-cmap)# match default-inspection-traffic

ASA1(config-cmap)# policy-map shiva

ASA1(config-pmap)# class shiva

ASA1(config-pmap-c)# inspect icmp

ASA1(config-pmap-c)# service-policy shiva interface inside

this section will cover in nat & MPF........




of 846


Chapter 10


IP addresses styles

Multicast Mac

Multicast addresses

IGMP (internet group management protocol)

IGMP snooping

Multicast routing protocols

RPF (Reverse path forwarding)

Distribution tree PIM (protocol independent multicast )

PIM version

Multicasting




of 846


1. Unicast

2. Broadcast3. Multicast

Unicast

They goes one-to-one if we are sending a data to a group it require retransmission. it will eat up our

bandwidth.

Broadcast

In it we send data to all . it is useful when destination is unknown . it is used by DHCP, ARP, RIPv1.

Each NIC receive the broadcast and does process with it doesn't matter that, it is for him or not. But

they are not forwarded by router or appliance.

Multicast

in it source generate a stream & that is distributed among the clients.

or

when a host join a multicast group their NIC is again re-programmed. & it start capturing data for

joined group.

It is a 48 bits address. the first half address (24 bits) pre-define 0100.5e. 25th bit is always zero. and

last 23 bits obtain from multicast IP address

For examples

224.0.0.1#0100.5e00.0001

224.0.0.10#0100.5e00.000a

1. Link Local 224.0.0.0/24

2. Source Specific 232.0.0.0/8

3. GLOP 233.0.0.0/8

4. Administratively Scoped 239.0.0.0/8

5. Globally Scoped 224.0.1.0-231.255.255.255

234.0.0.0-238.255.255.255

Link Local

they send will TTL value one

Source Specific

In Source Specific a host receive a multicast traffic form a single server.

IP Addresses Styles

Multicast Mac

Multicast Addresses




of 846


DVMRP

Multicast OSPF Centre Base Tree

Core Base Tree

PIM

It is performed with every multicast packet, to determine that multicast is going root to leaves or

not.

Multicast routing path is called distribution tree

types

Source Tree

Shared Tree

Source Tree

in it they take the shortest path from source to destination. used in PIM

they pre-calculated path Because of dense-mode.

Shared Tree

in it they use a common set of links . First packet pass through RP after receiving packet the select

the shortest path.

Modes

Dense Mode

Sparse Mode

Sparse Dense Mode

Dense Mode

it assume that multicast recipient is in every subnet.

in it stream is flooded to each router if no receiver then they send prune message to stop un

wanted flooding.

Multicast Routing Protocols

RPF (Reverse Path Forwarding)

Distribution Tree

PIM (Protocol Independent Multicast)




of 846


Sparse Mode

Multicast tree is not built until some will not make request.

Sparse Dense Mode

it works in differ approach if there is any RP for a group Sparse mode will work otherwise Dense

mode will work.

Version 1

Version 2

Version1

it provides auto or manual RP process.

RP announce at 224.0.1.39

RP discovery at 224.0.1.40

we must define candidate of each router

Version 2

It use BSR boot Strap Router.

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2interface f0/0

PIM Versions




of 846


no shutdown

ip add 192.168.101.20 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R3



ip route 0.0.0.0 0.0.0.0 192.168.101.1

Server1

interface f0/0

no shutdown

ip add 192.168.102.100 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1

interface gig 0/0nameif inside

security-level 100

ip address 192.168.101.1 255.255.255.0

!

interface gig 0/1

nameif outside

security-level 0

ip address 192.168.102.1 255.255.255.0

ASA1# ping 192.168.101.10


!!!!!


ASA1# ping 192.168.101.20



!!!!!


ASA1# ping 192.168.101.30




ASA1# ping 192.168.102.100



!!!!!


! Enabling Multicasting & Forwading IGMP Query

ASA1(config)# multicast-routing

ASA1(config)# int gig 0/0

ASA1(config-if)# igmp forward interface outside




of 846


! Verification of Muticast Routes

ASA1# sh mroute

No mroute entries found.

! Join Multicast Group on ClientsPC1(config)#interface fastEthernet 0/0

PC1(config-if)#ip igmp join-group 239.1.1.1


PC2(config-if)# ip igmp join-group 239.1.1.2


PC3(config-if)# ip igmp join-group 239.1.1.3

! Verification of Muticast Routes

ASA1# sh mroute

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

C - Connected, L - Local, I - Received Source Specific Host Report,

P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

(*, 239.1.1.1), 00:01:02/never, RP 0.0.0.0, flags: DC

Incoming interface: NullRPF nbr: 0.0.0.0

Outgoing interface list:

inside, Forward, 00:01:02/never

(*, 239.1.1.2), 00:00:32/never, RP 0.0.0.0, flags: DC

Incoming interface: Null

RPF nbr: 0.0.0.0



(*, 239.1.1.3), 00:00:26/never, RP 0.0.0.0, flags: DCIncoming interface: Null

RPF nbr: 0.0.0.0



! Multcast host can access multicast Stream Because of UDP or TCP

! This ACL is only When Server is Generating ICMP Stream

ASA1(config)# access-list out permit icmp any 239.1.1.0 255.255.255.0

ASA1(config)# access-group out in interface outside




of 846


PC1#debug ip icmp

ICMP packet debugging is on

PC2#debug ip icmp


PC3#debug ip icmp


Server1#debug ip icmp


Server1#ping 239.1.1.1 repeat 5



*Mar 1 00:10:19.647: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100

Reply to request 0 from 192.168.101.10, 60 ms








Reply to request 4 from 192.168.101.10, 72 msServer1#








*Mar 1 00:10:41.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100Reply to request 2 from 192.168.101.20, 56 ms





Server1#








of 846







*Mar 1 00:10:59.243: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100Reply to request 3 from 192.168.101.30, 72 ms



PC1#debug ip icmp


PC1#*Mar 1 00:09:49.379: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100

PC1#

*Mar 1 00:11:20.795: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100

PC1#


PC1#


PC1#


PC1#


PC2#debug ip icmp


PC2#


PC2#


PC2#


PC2#

*Mar 1 00:10:45.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100PC2#


PC3#debug ip icmp


PC3#

*Mar 1 00:08:39.027: %SYS-5-CONFIG_I: Configured from console by console

PC3#


PC3#


PC3#





of 846


PC3#


PC3#





of 846


Chapter 11


Access-list

Object Group

Object Group Types

Access-list & Object Group




of 846


A list of condition it is used to categorized packets.

Types:



Named Base Access-list



It is used to allow or deny entire ip packet. mostly used for route filtering

(range 1-99,100-1999)


It is used to allow or deny Layer 3 , Layer 4 & upper layer protocols. Mostly used for traffic filtering.

(100-199,2000-2699)

Named Base Access-list

In this access-list we can give name to access-list instead of number.

it can be standard or extended


it is time oriented in it we can give time in weekdays weekend etc.

Object Group

A feature of Cisco ASA it simplify access-list management.

Types

1. Network Object Group

2. Protocol Object Group

3. Service Object Group

4. ICMP Object Group

Network Object Group

In it we can define network, subnet, range, single IP address.

Protocol Object Group

In it we can define protocols like TCP, UDP etc.

Service Object Group

In it we can define services related to TCP & UDP.

ICMP Object Group

In it we can define only ICMP messages.

Access-list




of 846


Diagram:-

Initial-config

R1


ip add 192.168.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

router ei 100

no auto-summary

net 0.0.0.0

passive-interface fastEthernet 0/1

TSS1


no shutdown

ip add 192.168.10.10 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

ip domain-name cisco.com

crypto key generate rsa

1024

line vty 0 90transport input ssh telnet




of 846


login local

exit

username shiva privilege 15 secret shiva

TSS2



no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90

transport input ssh telnet

login local

exit

username shiva privilege 15 secret shivaTSS3


no shutdown

ip add 192.168.10.30 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90

transport input ssh telnetlogin local

exit


WEB1

interface f0/0

no shutdown

ip add 192.168.20.10 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip http server

ip http secure-serverip http authentication local


WEB2


no shutdown

ip add 192.168.20.20 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip http server

ip http secure-server

ip http authentication local





of 846


WEB3


no shutdown

ip add 192.168.20.30 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1ip http server




ISP


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1


ASA1

interface GigabitEthernet 0/0nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!

interface GigabitEthernet 0/1

nameif dmz1

security-level 60

ip address 192.168.10.1 255.255.255.0

!


nameif outsidesecurity-level 0

ip address 101.1.1.100 255.255.255.0

!


nameif dmz2

security-level 50

ip address 192.168.20.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

router eigrp 100

no auto-summary

network 192.168.1.0 255.255.255.0




of 846


redistribute static metric 1 1 1 1 1

!

ASA1# ping 192.168.101.1




ASA1# ping 192.168.10.10



!!!!!


ASA1# ping 192.168.10.20



!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 msASA1# ping 192.168.10.30



!!!!!


ASA1# ping 192.168.20.10



!!!!!


ASA1# ping 192.168.20.20Type escape sequence to abort.


!!!!!


ASA1# ping 192.168.20.30



!!!!!


ASA1# ping 192.168.102.1


!!!!!


! Network Object

ASA1

object network inside

subnet 192.168.1.0 255.255.255.0

object network inside-lan

subnet 192.168.101.0 255.255.255.0

object network TSS1

host 192.168.10.10




of 846


object network TSS2

host 192.168.10.20

object network TSS3

host 192.168.10.30

object network WEB1

host 192.168.20.10object network WEB2

host 192.168.20.20

object network WEB3

host 192.168.20.30

object network PUB-TSS1

host 101.1.1.101


host 101.1.1.102


host 101.1.1.103

object network PUB-WEB1host 101.1.1.104

object network PUB-WEB2

host 101.1.1.105

object network PUB-WEB3

host 101.1.1.106

nat (dmz1,outside) source static TSS1 PUB-TSS1



nat (dmz2,outside) source static WEB1 PUB-WEB1

nat (dmz2,outside) source static WEB2 PUB-WEB2nat (dmz2,outside) source static WEB3 PUB-WEB3

nat (inside,outside) source dynamic inside interface

nat (inside,outside) source dynamic inside-lan interface

ASA1(config)# object-group ?

configure mode commands/options:

icmp-type Specifies a group of ICMP types, such as echo

network Specifies a group of host or subnet IP addresses

protocol Specifies a group of protocols, such as TCP, etcservice Specifies a group of TCP/UDP ports/services

user Specifies single user, local or import user group

object-group network ALL-TSS-SERVERS

network-object host 192.168.10.10



object-group network ALL-WEB-SERVERS







of 846


! Service Object

object-group service TELNET tcp

port-object eq telnet

object-group service SSH tcp

port-object eq sshobject-group service HTTP tcp

port-object eq www

object-group service HTTPS tcp

port-object eq https

! ICMP Object

object-group icmp-type MY-ICMP-OBJECT

icmp-object echo-reply

access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group TELNET

access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group SSHaccess-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTP

access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTPS

access-list out extended permit icmp any object inside object-group MY-ICMP-OBJECT

access-list out extended permit icmp any object inside-lan object-group MY-ICMP-OBJECT


R1#ping 101.1.1.1



!!!!!


R1#ping 101.1.1.1 so

R1#ping 101.1.1.1 source f

R1#ping 101.1.1.1 source fastEthernet 0/1



Packet sent with a source address of 192.168.101.1!!!!!


ASA1(config)# sh xlate

8 in use, 8 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from dmz1:192.168.10.10 to outside:101.1.1.101

flags s idle 0:12:26 timeout 0:00:00








of 846







flags s idle 0:11:43 timeout 0:00:00ICMP PAT from inside:192.168.101.1/1 to outside:101.1.1.100/8269 flags ri idle 0:00:03 timeout

0:00:30

ICMP PAT from inside:192.168.1.1/0 to outside:101.1.1.100/10368 flags ri idle 0:00:06 timeout

0:00:30

! config Verification on Clinet Side




of 846





of 846


Chapter 12


Static Nat

Dynamic NAT

PAT

Static PAT

NAT Bypass

Identity NAT

NAT Exemption

Policy NAT

NAT on OS 8.0




of 846


A services it enable internal users to access internet.

Or

Using NAT we map one IP address to another.

1. Static

2. Dynamic

3. PAT

4. Static PAT

5. NAT Bypass

a. Identity NAT

b. NAT exemption

6. Policy NAT

In static NAT we create one to one mapping of IP addresses

It is Bi-directional.

In dynamic NAT we map multiple IP addresses to some.

In PAT we map multiple IP addresses to one

Using PAT we can map about 65k IP address to a single IP

Uni-directional.

In static PAT we map the port of one IP address with another IP address portUni-directional.

NAT

Types

Static NAT

Dynamic NAT

PAT

Static PAT




of 846


When we enable NAT-control in OS 8.0 then natting is must. If you want to avoid NAT rule then we

use NAT Bypass.

1. Identity NAT

2. NAT Exemption

In it an IP address is translated into itself, used for those application which don't support NAT like

GDOI.

It is used for VPN traffic to exclude it for NAT rule in 8.0.

In policy NAT we can define condition for natting

It could be port based or IP based.

NAT Bypass

Types of NAT Bypass

Identity NAT

NAT Exemption

Policy NAT




of 846


Diagram:

Initial-config

R1

interface f0/0

no shutdown

ip add 192.168.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.2

Server1

interface f0/0

no shutdown

ip add 192.168.10.100 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90


login local

exit


Server2




of 846



no shutdown

ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip http serverip http secure-server



ISP

interface f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown


ASA1

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!


nameif dmz1

security-level 60

ip address 192.168.10.1 255.255.255.0!


nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!


nameif dmz2

security-level 50

ip address 192.168.20.1 255.255.255.0

!route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

route inside 192.168.101.0 255.255.255.0 192.168.1.1 1




!!!!!


ASA1(config)# pin

ASA1(config)# ping 192.168.10.100






of 846


!!!!!


ASA1(config)# pin

ASA1(config)# ping 192.168.20.100




ASA1(config)# pin




!!!!!


ASA1(config)# ping 192.168.101.100




ASA1(config)# ping 192.168.102.100



?!!!!


ASA1(config)#

! static nat

nat-controlstatic (inside,outside) interface 192.168.1.1

static (inside,outside) 101.1.1.101 192.168.101.1

static (inside,outside) 101.1.1.102 192.168.101.100



Global 101.1.1.100 Local 192.168.1.1

Global 101.1.1.101 Local 192.168.101.1

Global 101.1.1.102 Local 192.168.101.100

! TCP & UDP will Work for ICMP ACL

access-list out permit icmp any interface outside

access-list out permit icmp any host 101.1.1.101access-list out permit icmp any host 101.1.1.102


! in OS 8.0 we open access-list for natted ip

ISP#debug ip icmp


R1#ping 101.1.1.1



!!!!!





of 846


R1#ping 101.1.1.1 so

R1#ping 101.1.1.1 source f0

R1#ping 101.1.1.1 source f0/1


Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:Packet sent with a source address of 192.168.101.1

.!!!!


ISP#



*Mar 1 00:17:01.795: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100*Mar 1 00:17:01.815: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100


ISP#


ISP#





ISP#

*Mar 1 00:17:35.855: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102ISP#



ISP#


! static nat is bi-directional

! private will map with public

! public will map with private



Global 101.1.1.100 Local 192.168.1.1Global 101.1.1.101 Local 192.168.101.1




of 846


Global 101.1.1.102 Local 192.168.101.100

! Static nat is bi-directional

! to check Open ACL

ASA1

access-list out permit tcp any host 101.1.1.102

access-group out in interface outsidePC1 #

PC2 can access FTP server using Public IP Address




of 846


ASA1

clear configure nat

clear configure access-list

clear configure static

! dynamic nat

nat-control

nat (inside) 1 0 0

nat (dmz1) 1 0 0

nat (dmz2) 1 0 0

global (outside) 1 101.1.1.101-101.1.1.106! TCP & UDP will Work for ICMP ACL

access-list out permit icmp any host 101.1.1.101










of 846


! in dynamic many ip addresses map with some

! in this pool we have 6 ip address

! so 6 host can access internet

R1#ping 101.1.1.1



!!!!!






.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 8/28/52 ms

Server1#ping 101.1.1.1



.!!!!


Server1#



.!!!!


Server2#



Global 101.1.1.105 Local 192.168.20.100

Global 101.1.1.104 Local 192.168.10.100

Global 101.1.1.103 Local 192.168.101.1Global 101.1.1.106 Local 192.168.101.100




of 846


Global 101.1.1.102 Local 192.168.1.1

ISP#




*Mar 1 00:36:20.163: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102*Mar 1 00:36:20.183: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102

ISP#


ISP#





ISP#


ISP#*Mar 1 00:36:41.011: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104




ISP#


ISP#




*Mar 1 00:36:46.839: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105ISP#


ISP#



ISP#


ISP#



ISP#*Mar 1 00:37:57.927: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106


! PAT

ASA1

nat-control

nat (inside) 1 0 0

nat (dmz1) 1 0 0

nat (dmz2) 1 0 0

global (outside) 1 interface

! TCP & UDP will Work FOR ICMP ACL





of 846



R1#ping 101.1.1.1








!!!!!





!!!!!


Server1#




!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/84 msServer2#



PAT Global 101.1.1.100(1) Local 192.168.102.100(138)

PAT Global 101.1.1.100(5) Local 192.168.101.100 ICMP id 1

ISP#








of 846





of 846


R1#telnet 192.168.10.100

Trying 192.168.10.100 ...





of 846


R1#telnet 192.168.20.100

Trying 192.168.20.100 ...


! you cann't access inside to dmz1 or dmz2 bcoz of nat-control

! here we will use nat bypass

! 1 identity! 2 nat exemption

Identity NAT

static (inside,dmz1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,dmz1) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

Nat Exemption

access-list nat-exemption permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list nat-exemption permit ip 192.168.101.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nat-exemption

R1#telnet 192.168.10.100

Trying 192.168.10.100 ... Open

User Access Verification

Username: shiva

Password:

Server1#

Server1#ex

Server1#exit


R1#telnet 192.168.20.100

Trying 192.168.20.100 ... Open



clear configure natclear configure global

clear configure access-list

clear configure static

ASA1 Policy NAT Based on Port

access-list icmp-traffic permit icmp any any

access-list ssh-traffic permit tcp any any eq 22

access-list telnet-traffic permit tcp any any eq 23

access-list http-traffic permit tcp any any eq 80

access-list https-traffic permit tcp any any eq 443




of 846


nat (inside) 111 access-list icmp-traffic

nat (inside) 22 access-list ssh-traffic

nat (inside) 23 access-list telnet-traffic

nat (inside) 80 access-list http-traffic

nat (inside) 81 access-list https-traffic

nat (inside) 1 0 0global (outside) 111 101.1.1.111

global (outside) 22 101.1.1.22





sh hist



ISPip domain-name cisco.com


1024

line vty 0 90


login local

exit


R1#telnet 101.1.1.1

Trying 101.1.1.1 ... Open

User Access Verification

Username: shiva

Password:

ISP#



PAT Global 101.1.1.23(1024) Local 192.168.1.1(11440)

R1#ssh -l shiva 101.1.1.1

Password:

ISP#



PAT Global 101.1.1.22(1024) Local 192.168.1.1(15918)

R1#ping 101.1.1.1



.!!!!




of 846



R1#



PAT Global 101.1.1.111(1) Local 192.168.1.1 ICMP id 8

so no................................................................................................................

Note:-

Please open access-list for natted ip address or service in os till 8.0, 8.1, 8.2.

Please use the same topology & configuration for CTP lab.............................................Thanks




of 846


Chapter 13


Static Nat

Dynamic NAT

PAT

Static PAT

Identity NAT

Twice NAT

NAT on OS 9.2.2.4




of 846


A services it enable internal users to access internet.

Or

Using NAT we map one IP address to another.

1. Static

2. Dynamic

3. PAT

4. Static PAT

5. Identity NAT

6. Twice NAT

In static NAT we create one to one mapping of IP addresses

It is Bi-directional.

In dynamic NAT we map multiple IP addresses to some.

In PAT we map multiple IP addresses to one

Using PAT we can map about 65k IP address to a single IP

Uni-directional.

Dynamic NAT

PAT

NAT

Types

Static NAT




of 846


In static PAT we map the port of one IP address with another IP address port

Uni-directional.

In it an IP address is translated into itself, used for those application which don't support NAT like

GDOI or VPN traffic in OS Version 8.4 & later.

In Twice NAT we can define condition for natting that.

If source is A destination is B translate into X.

If source is A destination is C translate into Y.

Static PAT

Identity NAT

Twice NAT




of 846


Diagram:-

Initial-config

R1interface f0/0

no shutdown

ip add 192.168.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.2

Server1

interface f0/0no shutdown

ip add 192.168.10.100 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90


login local

exitusername shiva privilege 15 secret shiva




of 846


Server2


no shutdown

ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1ip http server




ISP

interface f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1


no shutdown



1024

line vty 0 90


login local

exit

ip http server

ip http secure-serverip http authentication local


ASA1


nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!


nameif dmz1

security-level 60ip address 192.168.10.1 255.255.255.0

!


nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!


nameif dmz2

security-level 50

ip address 192.168.20.1 255.255.255.0




of 846


ASA1(config-if)# sh int ip brief





GigabitEthernet0/3 192.168.20.1 YES manual up upGigabitEthernet0/4 unassigned YES unset administratively down down


Internal-Control0/0 127.0.1.1 YES unset up up

Internal-Data0/0 unassigned YES unset down down


Internal-Data0/2 unassigned YES unset up up

Management0/0 unassigned YES unset administratively down down

ASA1(config-if)# sh namei



GigabitEthernet0/0 inside 100GigabitEthernet0/1 dmz1 60



ASA1(config)# sh running-config route

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

route inside 192.168.101.0 255.255.255.0 192.168.1.1 1

ASA1(config)# ping 192.168.101.100




ASA1(config)# ping 192.168.10.100



!!!!!


ASA1(config)# ping 192.168.20.100




ASA1(config)# ping 192.168.102.100



?!!!!


ASA1(config)# ! Object Defination

object network r1

host 192.168.1.1

object network r1-lan

host 192.168.101.1




of 846


object network pc1

host 192.168.101.100

object network server1

host 192.168.10.100


host 192.168.20.100object network ip1

host 101.1.1.101

object network ip2

host 101.1.1.102

object network ip3

host 101.1.1.103

object network ip4

host 101.1.1.104

object network ip5

host 101.1.1.105

! Static nat

object network r1

nat (inside,outside) static ip1

object network r1-lan


object network pc1



nat (dmz1,outside) static ip4


nat (dmz2,outside) static ip5

! ASA will Allow only TCP & UDP

! for ICMP Open ACL

access-list out permit icmp any object r1

access-list out permit icmp any object r1-lan

access-list out permit icmp any object pc1

access-list out permit icmp any object server1

access-list out permit icmp any object server2


ISP#debug ip icmpICMP packet debugging is on

R1#ping 101.1.1.1



!!!!!


R1#ping 101.1.1.1 so






of 846





!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msServer1#ping 101.1.1.1



.!!!!





.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

ASA1# sh xlate


Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

NAT from inside:192.168.1.1 to outside:101.1.1.101




NAT from dmz2:192.168.20.100 to outside:101.1.1.105flags s idle 0:01:12 timeout 0:00:00




of 846






ISP#

*Sep 29 04:36:56.823: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101*Sep 29 04:36:56.827: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101

*Sep 29 04:36:56.827: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101



ISP#






ISP#*Sep 29 04:37:00.679: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104





ISP#





*Sep 29 04:37:03.999: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105ISP#



ISP#


ISP#


Static is bi-directional

ASA1access-list out permit tcp any object pc1

access-list out permit tcp any object server1

access-list out permit tcp any object server2













of 846








Client Side Verification




of 846





of 846


ASA1(config)# ! Dynamic

object network all_network

subnet 192.168.0.0 255.255.0.0

object network dpool

range 101.1.1.101 101.1.1.104

object network all_network

nat (inside,outside) dynamic dpool

! ASA will allow tcp & udp

! for ICMP Acl

access-list out permit icmp any object all_network


R1#ping 101.1.1.1




R1#ping 101.1.1.1 so






!!!!!


ASA1# sh xlate







of 846


NAT from inside:192.168.101.1 to outside:101.1.1.102 flags i idle 0:00:37 timeout 3:00:00



ISP#





ISP#







ISP#


ISP#


ISP#


ASA(config) ! PAT

! PATobject network inside

subnet 192.168.0.0 255.255.0.0

nat (inside,outside) dynamic interface

! ASA will allow tcp & udp

! for icmp acl

access-list out permit icmp any object inside


R1#ping 101.1.1.1



!!!!!






!!!!!





of 846


ASA1(config)# sh xlate1 in use, 5 most used




0:00:30

ISP#





ISP#






ISP#




ISP#


ISP#



ISP#


ISP#





of 846


!ASA1(config)# ! static pat

! static pat

object network pc1

host 192.168.101.100

nat (inside,outside) static interface service tcp 21 21

sh hist! open acl

access-list out permit tcp any object pc1 eq 21


! static patobject network pc1

host 192.168.101.100

nat (inside,outside) static interface service tcp 21 2121

! open acl

access-list out permit tcp any object pc1 eq 21





of 846


ASA1(config)# !!!!!! twice nat based on ports

object service telnet

service tcp destination eq 23object service ssh

service tcp destination eq 22

object service http


object service https


object service ftp


exit

object network ip_23

host 101.1.1.23object network ip_22

host 101.1.1.22


host 101.1.1.80


host 101.1.1.81


host 101.1.1.21

ASA1(config)# sh running-config nat

nat (inside,outside) source dynamic any ip_23 service telnet telnet

nat (inside,outside) source dynamic any ip_22 service ssh sshnat (inside,outside) source dynamic any ip_21 service ftp ftp




of 846






TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23

flags srIT idle 0:01:23 timeout 0:00:00


flags srIT idle 0:00:22 timeout 0:00:00TCP PAT from outside:0.0.0.0/0 21-21 to inside:0.0.0.0/0 21-21






TCP PAT from inside:192.168.101.100/49248 to outside:101.1.1.81/49248 flags ri idle 0:00:03

timeout 0:00:30

!ASA! twice nat using ip


subnet 192.168.0.0 255.255.0.0

object network internet

subnet 101.1.1.0 255.255.255.0

object network internet-lan

subnet 192.168.102.0 255.255.255.0

object network ip

object network ip1

host 101.1.1.111

object network ip2

host 101.1.1.222




of 846


exit

nat (inside,outside) source dynamic inside ip1 destination static internet internet

nat (inside,outside) source dynamic inside ip2 destination static internet-lan internet-lan



ISP#debug ip icmp


R1#ping 101.1.1.1



!!!!!


R1#ping 192.168.102.1



!!!!!


R1#

ISP#debug ip icmp


ISP#





ISP#






ISP#

! ASA1(config)# ! identity nat


subnet 192.168.0.0 255.255.0.0

object network s2s-traffic

subnet 192.168.102.0 255.255.255.0

ex

nat (inside,outside) source static inside inside destination static s2s-traffic s2s-trafficnat (inside,outside) source dynamic any interface






of 846


R1#ping 101.1.1.1



!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msR1#ping 101.1.1.1 so






!!!!!


R1#

R1#pinR1#ping 192.168.102.1



.....

Success rate is 0 percent (0/5)

R1#ping 192.168.102.1 so





.....


ISP#











ISP#


ISP#


ISP#


ISP#




of 846



ISP#


ISP#



ISP#


ISP#


ISP#





of 846


Chapter 14


AAA(Authentication Authorization Accounting)

AAA Products

Radius

Tacacs+

Cisco AAA products

ACS

ISE

CTP (Cut-Through-Proxy)




of 846


A feature in Cisco ASA using It we can authenticate the request of following protocols like TELNET,

HTTP, HTTPS, FTP for inbound or outbound connection.

But either inbound or outbound. Not both at a time.

1. Client will initiate a request for a destination

2. ASA will prompt for username & password3. Client will provide username & password

4. ASA will redirect credential to AAA server

5. AAA will authenticate user credential

6. If User is authenticated by AAA server ASA will add connection and forward the request to actual

destination.

7. Otherwise request will be drop

It means validating a user access when he or she wants to access network resource.

It means what a user can perform in the network.

It means that what has been done by user.

CTP (Cut-Through-Proxy)

Working

AAA Authentication Authorization &

Accounting

Authentication

Authorization

Accounting




of 846


1. Radius(Remote authentication dial in user service)

2.Tacacs+ (Terminal Access Controller Access Control Server)

It was developed by Livingston Corporation.

Now it is open standard

It use UDP 1645, 1646 or 1812, 1813

It encrypt only password

First connection for Authentication & Authorization (1645, 1812)

Second connection for accounting (1646, 1813)

Tacacs was invented by DOD Department of Defence of U.S.A

But Tacacs+ was introduced by Cisco

It use TCP port 49

It encrypt entire packet

Single connection for AAA

ACS (Access Control Server)

ISE (Identity Service Engine)

Versions

4.x 5.x

5.5 Latest

Versions

1.0

1.2.0

1.2.1 Latest

AAA Protocols

Radius

Tacacs+

Cisco AAA Products

ACS (Access Control Server)

ISE (Identity Service Engine)




of 846


Diagram:-

Initial-config

R1


ip add 192.168.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.2

Server1

interface f0/0


no sh

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90


login local

exit

username shiva privilege 15 secret shivaServer2




of 846



no shutdown

ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1




ISP

interface f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown


ASA1


nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!


nameif dmz1

security-level 60

ip address 192.168.10.1 255.255.255.0!


nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!


nameif dmz2

security-level 50

ip address 192.168.20.1 255.255.255.0

!route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

route inside 192.168.101.0 255.255.255.0 192.168.1.1 1




!!!!!


ASA1(config)# pin

ASA1(config)# ping 192.168.10.100






of 846


!!!!!


ASA1(config)# pin

ASA1(config)# ping 192.168.20.100




ASA1(config)# pin




!!!!!


ASA1(config)# ping 192.168.101.100




ASA1(config)# ping 192.168.102.100



?!!!!


ASA1(config)#

BEFORE CTP YOU HAVE TO CONFIGURE POLICY NAT

access-list icmp-traffic permit icmp any anyaccess-list ssh-traffic permit tcp any any eq 22

access-list telnet-traffic permit tcp any any eq 23

access-list http-traffic permit tcp any any eq 80

access-list https-traffic permit tcp any any eq 443

nat (inside) 111 access-list icmp-traffic

nat (inside) 22 access-list ssh-traffic

nat (inside) 23 access-list telnet-traffic

nat (inside) 80 access-list http-traffic

nat (inside) 81 access-list https-traffic

nat (inside) 1 0 0global (outside) 111 101.1.1.111






sh hist



ISP





of 846



1024

line vty 0 90


login local

exitip http server







of 846





of 846


Please install Access control System on PC 192.168.101.100

Please Follow the instructions..............................




of 846





of 846


ASA1(config)# ping 192.168.101.100



!!!!!


ASA1(config)# ! AAA config on ASA

aaa-server myacs protocol tacacs+

aaa-server myacs (inside) host 192.168.101.100

timeout 10

key shiva

exit

! CTP Config on ASA

aaa authentication include telnet inside 0 0 0 0 myacs

aaa authentication include http inside 0 0 0 0 myacs

aaa authentication include https inside 0 0 0 0 myacs

aaa authentication include ftp inside 0 0 0 0 myacs

auth-prompt prompt AAA_4.2_Please_authenticate_yourself

auth-prompt accept Enjoy_internet_service

auth-prompt reject Hummmm............try_again




of 846


! AAA communication on ASA

test aaa-server authentication myacs host 192.168.101.100 username shiva password shiva

ASA1# test aaa-server authentication myacs host 192.168.101.100 username shiva$

INFO: Attempting Authentication test to IP address <192.168.101.100> (timeout: 12 seconds)

INFO: Authentication Successful

Please Initiate HTTP, HTTPS , FTP & TELNET Request on Client

ASA1# sh uauth

Current Most Seen

Authenticated Users 1 1Authen In Progress 0 1

user 'shiva' at 192.168.101.100, authenticated (idle for 0:00:10)

absolute timeout: 0:05:00

inactivity timeout: 0:00:00

ASA1# clear uauth




of 846





of 846


If ask username & password again click cancel Tab & Refresh the ftp Page




of 846





of 846


Chapter 15


IPsec VPN

IPsec VPN Features

Encryption Algorithms

Pre-shared Key

Public Key Infrastructure

ESP

AH

IKE ISAKMP

NAT-T

Security Association

IPsec Introduction




of 846


IPsec VPN Provides secure IP communication over insecure network.

Confidentiality

Integrity


Anti-Replay

It mean your data will keep as secret using encryption algorithm

Like DES, 3DES, AES.

Encryption is simply a mathematical algorithm, a key applied to data to make the contents

unreadable to everyone except those who have the ability to decrypt it

Symmetric Encryption

Asymmetric Encryption

Symmetric encryption algorithms are also called secret key cryptography. As the name implies, there

is a single, secret key that is used to both encrypt and decrypt the data.

IPsec VPN

IPsec VPN Features

Confidentiality

Encryption Algorithms

Types of Encryption Algorithms

Symmetric Encryption




of 846


DES

3DES

AES

56-bit key, has been broken in less than 24 hours using modern computers.

Three different 56-bit keys (DES encrypt, DES decrypt, DES encrypt) to createThe cipher text. It has not yet been broken, but has theoretical flaws.

It is considered the symmetric encryption choice today. 128 Bits to 256 bits

It insure that your data is altered during transmission or not. Using hash algorithm like MD5, SHA.

It means that both devices will authenticate to each other before data exchange. Using Pre-Shared

or Certificate (PKI).

A single key is applied on both peers.

Examples of Symmetric Algorithms

DES

3DES

AES

Integrity


Pre-Shared




of 846


PKI provides framework for managing the security attributes between peer who are engaged in

secure communication over insecure network.

The PKI consists of a number of elements, which are also network entities

■ Peers—Devices and people who securely communicate across a network. Also known as end

hosts.

■ Certification authority (CA)—Grants and maintains digital Certificates. Also known as a trusted

entity or a trust point.

■ Digital certificate—Contains information to uniquely identify a peer, a signed copy of the public

encryption key used for secure communications, certificate validity data, and the signature of the CA

that issued the certificate. X.509v3 is the current version of digital certificate.

■ Distribution mechanism—A means to distribute certificate revocation lists (CRLs) across the

network. LDAP and HTTP are examples.

Host will generate RSA signature & request for public key of CA.

CA sends it public keys. Host generate a certificate request and send to CA.

CA will sign the certificate request with its private key, and send certificate to host

Host will save it

Certificate will use for secure communication.

It means that of your data will arrive late it will consider as alter & it will be

drop. Anti-Replay can be define in kilobytes or seconds.

ESP

AH

IKE

Public Key Infrastructure

The PKI Message Exchange Process

Anti-Replay

IPsec Protocols




of 846


It provides all IPsec features

It use IP protocol no 50.

It works with NAT

It use NAT-T

It doesn't include external IP for ICV.

It doesn't provides confidentiality, because it doesn't use encryption

It use IP protocol no 51.

It doesn't works with NAT

It doesn't use NAT-T

It does include external IP for ICV.

It doesn't include TTL value for ICV

It provides a framework to exchange the security parameter & policies between two IPsec peers.

Main Mode

Aggressive Mode

Quick Mode

In main mode 6 attributes or messages in three steps.

1. Initiator will send own proposal to responder, and responder will send own proposal to initiator.

2. Initiator will send own key to responder, and responder will send own key to initiator.

3. At the end they will authenticate the session.

OR

ESP (Encapsulating Security Payload)

AH (Authentication Header)

IKE (Internet Key Exchange)

IKE Modes

Main Mode




of 846


Step1

Message 1-initiator will send own proposal to responder

Message 2-responder will send own proposal to initiator

Step2

Message 3-initiator will send own key to responder

Message 4-responder will send own key to initiatorStep3

Message 5-initiator will authenticate the session

Message 6-responder will authenticate the session

In aggressive mode 6 attributes are in three steps.

1. Initiator will send own proposal &key to responder.2. Responder will authenticate initiator's proposal & sends own proposal &key to initiator.

3. Initiator will authenticate the session.

Note: - Either main mode or aggressive mode will work not both

In quick mode they will recheck their attributes using SPI (Security Parameter Index). SPI is sent with

every packet by peers.

1. Phase1

2. Phase1.5 (optional)

3. Phase2

In Phase1 they create single IKE bi-direction tunnel. Single key is used to authenticate the session. In

phase1 main mode or aggressive mode will work.

If main mode will work, aggressive mode will not work

If aggressive mode will work, main mode will not work

It dependence on IPsec VPN

Aggressive Mode

Quick Mode

IKE Phases

Phase 1




of 846


Site-Site Main mode

Remote Access Aggressive mode

DMVPN Main mode

GETVPN Main mode

It is an optional IKE phase. Phase 1.5 provides an additional layer of Authentication, called Xauth, or

Extended Authentication. Xauth forces the user to authenticate before use Of the IPsec connection

is granted.

When phase1 is successfully completed Phase2 is started.

If phase1 is not successfully completed Phase2 will not start.

In phase2 they create multiple IPsec tunnels. Two tunnels per protocol

ESP or AH.

IKE is a management protocol actually is use isakmp for key exchange.

Internet security association key management protocol. it use UDP Port 500.

IKE Version1 IKE Version2

6 messages 4-6 messages

Use isakmp Use isakmp

NAT-T support NAT-T support

Fire & Forget Check peer existence via cookies

No VOIP support VOIP support

No cryptography mechanism for key exchange Use suit B cryptography

Steps

IKE_SA_INIT_ (Two Messages)

IKE_AUTH+CREATE_CHID_SA (Two Messages)

IKE_ CREATE_SECOND_CHID_SA (Optional)/ (Two Messages)

Phase 1.5

Phase 2

IKE Versions

ISAKMP

IKE Version 2




of 846


IKE_SA_INIT: Message 1

The Initiator Proposes Basic SA Attribute Along with

Authentication Material

Equivalent to messages 1 and 3 in IKEv1

IKE_SA_INIT: Message 2

The responder sends back a set of attributes acceptable

Under SA, along with authentication material

Equivalent to messages 2 and 4 in IKEv1

IKE_AUTH: Message 3

Authentication Material Along with CHILD_SA Info Sent

Equivalent to message 5 – Main Mode

And part of the Quick Mode in IKEv1

IKE_AUTH: Message 4 Authentication Material Along with CHILD_SA Info Sent

Equivalent to message 6 – Main Mode

And part of the Quick Mode in IKEv1

Note:-

VTI and GRE/ IPsec Complete after this Message

Optional

CREATE_CHILD_SA: Message 1

The Initiator Sends Its Authentication Material and ID

Additional child exchange – equivalent to Quick Mode in IKEv1

CREATE_CHILD_SA: Message 2 The Responder Sends Its Authentication Material and ID

Additional child exchange – equivalent to Quick Mode in IKEv1

1. Transport mode

2. Tunnel mode

It protect layer4 & upper layer data. Used in DMVPN.

IPsec Modes

Transport Mode

Tunnel Mode




of 846


It protect layer3 & upper layer data. Used in Site-Site, Remote-Access, GETVPN.

A feature it enable us to establish VPN session through NAT device.

In NAT-T VPN devices add UDP header before ESP header, so that NAT device can perform NAT with

packet.

Why NAT-Traversal

AH doesn't work with nat. Because it include external IP address for ICV.

It include data, key, external-IP for integrity check value. If AH packet will pass through Nat device,

Nat device will translate external IP. When peer will receive AH packet it will verify packet ICV, due

to Nat peer will found ICV mismatch. So Packet will drop.

Note: - AH doesn't include TTL value for ICV. Because TTL is changed at every hop.

ESP doesn't include external IP for ICV. But it encrypt the data. A Nat device require layer 4

information but it is encrypted by esp. no layer 4 information so no Nat will perform.

To resolve this issue we use NAT-T, in NAT-T devices add UDP header before ESP header for Nat

device. That header is UDP 4500.

NAT-T Support

NAT-T Detection

NAT-T Decision

In IKE Phase1, two peers exchange their vender id and IOS version information to each other to

determine that which features are supported.

In IKE Phase1, they create a payload of external IP addresses. They hash it after hashing payload &

hash product is exchanged between peers. They verify hash if hash match, no Nat exist in the VPN

peer path otherwise Nat exist.

NAT Transversal

NAT Transversal Steps

NAT-T Support

NAT-T Detection




of 846


In IKE Phase2, if they found Nat in the VPN peer path. UDP 4500 header in inserted before ESP

header.

A group of security parameters & policies which is agreed between two IPsec peers.

A group of security parameters and policies which is agreed between two IPsec peers.

Parts

SAD

SPD

It contain

Peer IP

SPI

IPsec Protocols information like ESP/AH?

It contain

Encryption algorithm (DES, 3DES, or AES)

Hash algorithm (MD5 or SHA-1)

IPsec mode (tunnel or transport)

Key lifetime (seconds or kilobytes)

DH allows two parties to share a secret key over an insecure channel. Because this key forms the

basis of the rest of the VPN, it is essential that the key be kept secret.

Both Devices create a hash of Security Policy Database

That hash is call SPI.

NAT-T Decision

Security Association

SAD (Security Association Database)

Security Policy Database

Diffie-Hellman Key Exchange

Security Parameter Index




of 846


How to create Windows 2003 as CA

first install 2003 server in virtual box or real machine

second assign ip add 192.168.105.100 or differ don't remove 2003 CD from CD-ROM

download cepsetup.exe from google

follow

start

run

appwiz.cpl




of 846





of 846


stop the ca

start the ca




of 846


password is shiva

Start>run>type http://192.168.105.100/certsrv/mscep/mscep.dll

this url will use to obtain one time password for vpn




of 846





of 846


if this ca is in virual box you can use it for real network or gns topology

if it is for gns set following things

connect gns topology with host only interface

For Real network bridge with real interface




of 846


you can connect to gig or wireless

thanks




of 846


How to install Windows 2008 as CA

first install 2008 server data Centre edition

assign ip add 192.168.108.100 or any




of 846





of 846


Turn off Firewall......




of 846





of 846


click new url




of 846


user= administrator

pass= admin password

press OK..........




of 846


your new OTP for certificate Enrollment....




of 846


How to configure windows 2012 as CA

First install 2012 server

assign ip add 192.168.112.100 or differ

follow




of 846





of 846


http://192.168.112.100/certsrv/mscep/mscep.dll




of 846





of 846


http://192.168.112.100/certsrv




of 846





of 846


How to configure IOS CA

! first set clock

clock set 12:53:00 6 oct 2014

conf t

interface fastEthernet 0/0ip add 101.1.1.1 255.255.255.0

exit

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

crypto key generate rsa general-keys exportable label shiva modulus 1024

crypto key export rsa shiva pem url nvram: 3des cisco1234

ip http server

crypto pki server cisco

database level minimum

database url nvram:

issuer-name cn=lab.nb.com l=gr c=in

lifetime certificate 365grant auto

no shutdown

give 9 alphabet password

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

R1#sh crypto pki server

Certificate Server cisco:

Status: enabled

State: enabled

Server's configuration is locked (enter "shut" to unlock it)

Issuer name: cn=lab.nb.com l=gr c=inCA cert fingerprint: 3EE215BD E41454DF 0DB85E8C 41588E7F

Granting mode is: auto

Last certificate issued serial number: 0x1

CA certificate expiration timer: 12:53:00 UTC Oct 5 2017

CRL NextUpdate timer: 18:53:00 UTC Oct 6 2014

Current primary storage dir: nvram:

Database Level: Minimum - no cert data written to storage

R1#dir nvram:

Directory of nvram:/

54 -rw- 233 <no date> startup-config

55 ---- 0 <no date> private-config

1 ---- 15 <no date> persistent-data

2 -rw- 4 <no date> rf_cold_starts

3 -rw- 272 <no date> shiva.pub

4 -rw- 963 <no date> shiva.prv

5 -rw- 32 <no date> cisco.ser

6 -rw- 230 <no date> cisco.crl

7 -rw- 1595 <no date> cisco_00001.p12





of 846


Chapter 16


Site-Site VPN

Working

Site-Site VPN




of 846


It enables two sites to communicate with each other in a secure way over insecure network.

192.168.101.0/24 192.168.102.0/24

Remote client wants to communicate with central office

It will generate a packet with 101.0 source & 102.0 destination that packet will deliver to

gateway.

Gateway will check its destination ip and packet will be forward to exit interface. When

packet will arrive a exit interface there is a crypto map. Router will intercept the packet that

if you match with crypto map access-list, it is encrypted & hashed.

then router will check sa with peer , if no sa found it will send proposal to peer using isakmp

udp port 500

IKE phase1 & Phase2 will come in picture. Phase 2 complete protected data will delivered to

peer.

Site-Site VPN

Working




of 846


Diagram:-

Site-Site-pre-8.0

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1ASA1

hostname ASA1

interface ethernet 0/0

no shu

nameif inside

ip add 192.168.101.1

interface e0/1

no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shuroute outside 0 0 101.1.1.1




of 846


R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

ASA2

hostname ASA2


no shu

nameif inside

ip add 192.168.102.1


no shunameif outside

ip add 102.1.1.100 255.255.255.0

no shu

route outside 0 0 102.1.1.1

R2


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1ASA1(config)# ping 192.168.101.100



!!!!!


ASA1(config)# pin




?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 10/20/30 msASA2

ASA2(config)# ping 192.168.102.100



!!!!!


ASA2(config)# pin




!!!!!





of 846


ASA1

crypto isakmp policy 1

authentication pre-share

encryption aes

hash shagroup 5

lifetime 1800

crypto isakmp key shiva add 102.1.1.100

crypto ipsec transform-set t-set esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 1800

access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0

crypto map test 10 set transform-set t-set

crypto map test 10 set peer 102.1.1.100

crypto map test 10 match address 101

crypto map test interface outside

crypto isakmp enable outsideASA2



encryption aes

hash sha

group 5

lifetime 1800




access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0crypto map test 10 set transform-set t-set




crypto isakmp enable outside

R1#ping 192.168.102.100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 99 percent (99/100), round-trip min/avg/max = 16/41/120 ms

R2#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ASA1# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)




of 846


Total IKE SA: 1

1 IKE Peer: 102.1.1.100

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

ASA1# sh cryASA1# sh crypto ip

ASA1# sh crypto ipsec sa

interface: outside

Crypto map tag: test, seq num: 10, local addr: 101.1.1.100


local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)

current_peer: 102.1.1.100

#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199

#pkts compressed: 0, #pkts decompressed: 0


Active SA: 1


Total IKE SA: 1

1 IKE Peer: 101.1.1.100

Type : L2L Role : responder

Rekey : no State : MM_ACTIVEASA2# sh cry

ASA2# sh crypto ip


interface: outside






#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199

#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199





of 846


ASA_s2s_pre_8.0_overlapping_subnet

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

ASA1

hostname ASA1


no shu

nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu





of 846


R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

ASA2

hostname ASA2


no shu

nameif inside

ip add 192.168.101.1



ip add 102.1.1.100 255.255.255.0

no shu


R2


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

ASA1

ASA1(config)# ping 192.168.101.100



!!!!!


ASA1(config)# pin





ASA2

ASA2(config)# ping 192.168.101.100



!!!!!


ASA2(config)# pin




!!!!!




of 846



ASA1(config)# static (inside,outside) 192.168.10.0 192.168.101.0

ASA2(config)# static (inside,outside) 192.168.20.0 192.168.101.0

ASA1

crypto isakmp policy 1authentication pre-share

encryption a

hash sha

group 5

lifetime 1800






crypto map test 10 set peer 102.1.1.100crypto map test 10 match address 101



ASA2



encryption a

hash sha

group 5

lifetime 1800

crypto isakmp key shiva add 101.1.1.100crypto ipsec transform-set t-set esp-aes esp-sha-hmac








R1#ping 192.168.20.100 repeat 100


.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.10.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!






of 846


interface: outside




remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)current_peer: 102.1.1.100




#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 4C0DCAEF

inbound esp sas:

spi: 0xA35E7858 (2740877400)

transform: esp-aes esp-sha-hmac none

in use settings ={L2L, Tunnel, }

ASA1# sh cry

ASA1# sh crypto is

ASA1# sh crypto isakmp saASA1# sh crypto isakmp sa

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 102.1.1.100




interface: outsideCrypto map tag: test, seq num: 10, local addr: 102.1.1.100













of 846




local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100

path mtu 1500, ipsec overhead 74, media mtu 1500current outbound spi: A35E7858

inbound esp sas:

spi: 0x4C0DCAEF (1275972335)

transform: esp-aes esp-sha-hmac none

in use settings ={L2L, Tunnel, }

ASA2# sh cry

ASA2# sh crypto is


Active SA: 1Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 101.1.1.100






of 846


ASA_s2s_rsa_8.0

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

ASA1

hostname ASA1


no shu

nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu




of 846



R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdownint f0/1

no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

int f1/0

no shutdown

ip add 192.168.105.1 255.255.255.0

no shutdown

ASA2

hostname ASA2

interface ethernet 0/0no shu

nameif inside

ip add 192.168.102.1 255.255.255.0

no shu


no shu

nameif outside

ip add 102.1.1.100 255.255.255.0

no shu


R2interface fastEthernet 0/0

no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1(config)# ping 192.168.101.100



!!!!!


ASA1(config)# ping 192.168.105.100Type escape sequence to abort.


?!!!!


ASA1(config)# pin




?!!!!


ASA2(config)# ping 192.168.102.100





of 846



!!!!!


ASA2(config)# pin



!!!!!


ASA2(config)# pin

ASA2(config)# ping 192.168.105.100



!!!!!


Configure R3 AS NTP SERVER

R3#clock set 22:07:00 29 sep 2014

R3#conf t

R3(config)#ntp master

Configure ASA1 & ASA2 AS NTP CLIENT

ASA1(config)# ntp server 101.1.1.1


ASA1# sh clock

22:08:49.224 UTC Mon Sep 29 2014

ASA2# sh clock

22:10:22.070 UTC Mon Sep 29 2014

ASA1

domain-name cisco.com


crypto ca trustpoint ttt

enrollment url http://192.168.105.100/certsrv/mscep/mscep.dllex

crypto ca authenticate ttt

yes

crypto ca enroll ttt

%% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password: ****************(this password will obtain from ca)Re-enter password: ****************




of 846


copy one time password paste to asa1 or asa2




of 846


To obtain new OTP please go to CA & refresh the page copy & Paste

ASA2




enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll

exit


yes

ASA2(config)# crypto ca enroll ttt

%

% Start certificate enrollment ..





Password: ****************

Re-enter password: ****************

% The fully-qualified domain name in the certificate will be: ASA2.cisco.com

% Include the device serial number in the subject name? [yes/no]: no




of 846


Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

ASA2(config)# The certificate has been granted by CA!

ASA1


authentication rsa-sig

encryption aes

hash sha

group 5

lifetime 1800

tunnel-group 102.1.1.100 type ipsec-l2l

tunnel-group 102.1.1.100 ipsec-attributes

trust-point ttt


crypto ipsec security-association lifetime seconds 1800access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0




crypto map test 10 set trustpoint ttt



ASA2

crypto isakmp policy 1authentication rsa-sig

encryption aes

hash sha

group 5

lifetime 1800



trust-point ttt



access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0crypto map test 10 set transform-set t-set





cry isakmp enable outside

R1#ping 192.168.102.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!




of 846


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.101.100 re

R2#ping 192.168.101.100 repeat 100


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



interface: outside









Active SA: 1


Total IKE SA: 1

1 IKE Peer: 102.1.1.100



ASA1#

ASA2


interface: outside



local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)






Active SA: 1


Total IKE SA: 1




of 846


1 IKE Peer: 101.1.1.100






of 846


ASA_s2s_pre_ikev1

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

ASA1

hostname ASA1

interface gigabitEthernet 0/0

no shu

nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no sh


R3




of 846


int f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1


no shutdown

ASA2


no shu

nameif inside

ip add 192.168.102.1


no shu

nameif outside

ip add 102.1.1.100 255.255.255.0no shu


R2

interface f0/0

no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1



!!!!!


ASA1# pin

ASA1# ping 102.1.1.100



?!!!!


ASA2ASA2# ping 192.168.102.100



!!!!!


ASA2# pin

ASA2# ping 101.1.1.100



!!!!!





of 846


ASA1

crypto ikev1 policy 1


encryption aes

hash sha

group 5lifetime 1800



ikev1 pre-shared-key shiva

crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac



crypto map test 10 set ikev1 transform-set t-set



crypto map test interface outsidecrypto ikev1 enable outside

ASA2



encryption aes

hash sha

group 5

lifetime 1800



ikev1 pre-shared-key shivacrypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac







crypto ikev1 enable outside

R1

R1#ping 192.168.102.100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!





of 846


ASA1# sh crypto ikev1 sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)Total IKE SA: 1

1 IKE Peer: 102.1.1.100



ASA1# sh cry

ASA1# sh crypto ip


interface: outside


access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0








#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0


local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 102.1.1.100/0

path mtu 1500, ipsec overhead 74(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: 5F93D48A

current inbound spi : 30046549ASA2# sh crypto ikev1 sa

IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 101.1.1.100



ASA2# sh cry




of 846


ASA2# sh crypto ip


interface: outside


access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)








#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0#TFC rcvd: 0, #TFC sent: 0







current outbound spi: 30046549

current inbound spi : 5F93D48A




of 846


ASA_s2s_pre_ikev2

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

ASA1

hostname ASA1


no shu

nameif inside

ip add 192.168.101.1

interface g0/1

no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu


R3

int f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

ASA2

hostname ASA2


no shu

nameif inside

ip add 192.168.102.1

interface g0/1

no shu

nameif outside

ip add 102.1.1.100 255.255.255.0

no shu


R2

interface f0/0

no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1(config)# ping 192.168.101.100




of 846




!!!!!


ASA1(config)# pin



!!!!!


ASA2(config)# ping 192.168.102.100



!!!!!


ASA2(config)# pin



!!!!!


ASA1


encryption aes

integrity sha

group 5

lifetime seconds 1800

tunnel-group 102.1.1.100 type ipsec-l2ltunnel-group 102.1.1.100 ipsec-attributes

ikev2 local-authentication pre-shared-key shiva

ikev2 remote-authentication pre-shared-key shiva

crypto ipsec ikev2 ipsec-proposal ppp

protocol esp encryption aes

protocol esp integrity sha-1



crypto map test 10 set ikev2 ipsec-proposal ppp


crypto map test 10 match address 101crypto map test interface outside


ASA2


encryption aes

integrity sha

group 5




ikev2 local-authentication pre-shared-key shiva

ikev2 remote-authentication pre-shared-key shiva




of 846














current outbound spi: 820C8EE1

current inbound spi : BE7654EEASA1#

ASA2(config)# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role

6108915 102.1.1.100/500 101.1.1.100/500 READY RESPONDER

Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 1800/57 secChild sa: local selector 192.168.102.0/0 - 192.168.102.255/65535

remote selector 192.168.101.0/0 - 192.168.101.255/65535

ESP spi in/out: 0x820c8ee1/0xbe7654ee

ASA2(config)# sh cry

ASA2(config)# sh crypto ip

ASA2(config)# sh crypto ipsec sa

interface: outside
















of 846






ICMP error validation: disabled, TFC packets: disabledcurrent outbound spi: BE7654EE

current inbound spi : 820C8EE1




of 846


!!!!!


ASA1(config)# ping 192.168.108.100







!!!!!


ASA2(config)# ping 192.168.102.100



!!!!!




!!!!!





!!!!!


R3

R3#clock set 12:17:45 1 oct 2014

R3#conf t

Enter configuration commands, one per line. End with CNTL/Z.




ASA1crypto ca trustpoint ttt


ex


yes


ERROR: Signature public key not found - Abort.




%





of 846






Password: **************** (this password will obtain from 2008 ca)



% Include the device serial number in the subject name? [yes/no]: n




!!!!! if ca does not give cert please remove ca & install again ca on 2008!!!!!!

ASA2



exit


yes

crypto ca enroll tttERROR: Signature public key not found - Abort.




of 846





%


% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.



Password: ****************







ASA1



encryption a

hash sha

group 5

lifetime 1800tunnel-group 102.1.1.100 type ipsec-l2l


ikev1 trust-point ttt









ASA2



encryption aes

hash sha

group 5

lifetime 1800



ikev1 trust-point





of 846







crypto map test 10 match address 102crypto map test 10 set trustpoint ttt



R1#ping 192.168.102.100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 msR2#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 102.1.1.100



ASA1# sh cry

ASA1# sh crypto ip


interface: outsideCrypto map tag: test, seq num: 10, local addr: 101.1.1.100












of 846











current outbound spi: 34159C71

current inbound spi : F446BD48


IKEv1 SAs:


Total IKE SA: 1

1 IKE Peer: 101.1.1.100



ASA2# sh cry

ASA2# sh crypto ip


interface: outside









#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0









current outbound spi: F446BD48

current inbound spi : 34159C71




of 846


ASA_s2s_rsa_ikev1_ios_ca

Initial-config

R1



no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2

interface f0/0

no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

R3

int f0/0ip add 101.1.1.1 255.255.255.0

no sh

int f0/1

no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

ASA1


no shu

nameif inside

ip add 192.168.101.1 255.255.255.0no shu

int g0/1

no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu


ASA1# ping 192.168.101.100




ASA1# pin

ASA1# ping 102.1.1.1



!!!!!


ASA2


no shu

nameif inside




of 846


ip add 192.168.102.1

interface g0/1

no shu

nameif outside

ip add 102.1.1.100 255.255.255.0

no shuroute outside 0 0 102.1.1.1

ASA2(config)# ping 192.168.102.100



!!!!!


ASA2(config)# pin





R3

R3#clock set 13:52:30 7 oct 2014

R3#conf t




R3configure R3 AS CA

crypto key generate rsa general-keys exportable label shiva modulus 1024

crypto key export rsa shiva pem url nvram: 3des cisco123

yes

ip http server

crypto pki server cisco

database level minimum

database url nvram:

issuer-name cn=cisco1.cisco.com l=gurgaon c=in

lifetime certificate 365grant auto

no shutdown

(give password 999999999)

ASA1

ASA1(config)# crypto ca trustpoint ttt

ASA1(config-ca-trustpoint)# enrollment url http://101.1.1.1

ASA1(config-ca-trustpoint)# ex

ASA1(config)# crypto ca authenticate ttt

INFO: Certificate has the following attributes:

Fingerprint: 06fb1021 06e41a7a fa64dc4b fa73efa3




of 846


Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

ASA1(config)# crypto ca en ttt

%

% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide this




Password:

Re-enter password:

% The fully-qualified domain name in the certificate will be: ASA1





ASA2


ASA2(config-ca-trustpoint)# enrollment url http://101.1.1.1




Fingerprint: 06fb1021 06e41a7a fa64dc4b fa73efa3




%




For security reasons your password will not be saved in the configuration.Please make a note of it.

Password:

Re-enter password:









of 846


ASA1


authentication rsa-sigencryption aes

hash sha

group 5

lifetime 1800







crypto map test 10 set ikev1 transform-set t-setcrypto map test 10 set peer 102.1.1.100





ASA2



encryption aes

hash shagroup 5

lifetime 1800









crypto map test 10 match address 102crypto map test 10 set trustpoint ttt



R1#ping 192.168.102.100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.101.100 repeat 100




of 846




!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ASA1


IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 102.1.1.100Type : L2L Role : initiator


ASA1# sh cry

ASA1# sh crypto ip


interface: outside












#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0#send errors: 0, #recv errors: 0





current outbound spi: 02BB4488

current inbound spi : 64AD6A6D

inbound esp sas:

spi: 0x64AD6A6D (1689086573)

transform: esp-aes esp-sha-hmac no compression




of 846


in use settings ={L2L, Tunnel, IKEv1, }

slot: 0, conn_id: 4096, crypto-map: test

sa timing: remaining key lifetime (kB/sec): (3914980/1766)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x02BB4488 (45827208)





IV size: 16 bytes


Anti replay bitmap:

0x00000000 0x00000001ASA2


IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 101.1.1.100

Type : L2L Role : responderRekey : no State : MM_ACTIVE

ASA2# sh cry

ASA2# sh crypto ip


interface: outside


















of 846






current outbound spi: 64AD6A6D

current inbound spi : 02BB4488

inbound esp sas:

spi: 0x02BB4488 (45827208)





IV size: 16 bytes


Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFFoutbound esp sas:

spi: 0x64AD6A6D (1689086573)





IV size: 16 bytes


Anti replay bitmap:

0x00000000 0x00000001




of 846


ASA_s2s_rsa_ikev2

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

ip add 102.1.1.1 255.255.255.0 secondary

int f0/1

no shutdown

ip add 192.168.108.1 255.255.255.0

no shutdown

ASA1


no shu

nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu


ASA2


no shu

nameif inside

ip add 192.168.102.1

interface g0/1

no shu

nameif outside

ip add 102.1.1.100 255.255.255.0

no shu


ASA1(config)# ping 192.168.101.100






of 846


!!!!!


ASA1(config)# ping 192.168.108.100







!!!!!


ASA2(config)# ping 192.168.102.100



!!!!!




!!!!!





!!!!!


R3

R3#clock set 12:17:45 1 oct 2014

R3#conf t

Enter configuration commands, one per line. End with CNTL/Z.







of 846


ASA1


enrollment url http://192.168.108.100/certsrv/mscep/mscep.dllexit


ASA1(config)# crypto ca en ttt

%






Password: ****************







ASA2crypto ca trustpoint ttt




of 846



exit



Obtain New Password From 2008 Ca


%






Password: ****************Re-enter password: ****************









of 846


ASA1


encryption aes

integrity sha

group 5lifetime seconds 1800



ikev2 local-authentication certificate ttt

ikev2 remote-authentication certificate






crypto map test 10 set ikev2 ipsec-proposal pppcrypto map test 10 set peer 102.1.1.100





ASA2


encryption aes

integrity sha

group 5lifetime seconds 1800



ikev2 local-authentication certificate ttt

ikev2 remote-authentication certificate






crypto map test 10 set ikev2 ipsec-proposal pppcrypto map test 10 set peer 101.1.1.100





R1#ping 192.168.102.100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!




of 846



R1#

R2#ping 192.168.101.100 repeat 100


Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



IKEv2 SAs:



5119715 101.1.1.100/500 102.1.1.100/500 READY INITIATOREncr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA

Life/Active Time: 1800/40 sec

Child sa: local selector 192.168.101.0/0 - 192.168.101.255/65535

remote selector 192.168.102.0/0 - 192.168.102.255/65535

ESP spi in/out: 0x9f01e33f/0x14ff9428




interface: outside


















current outbound spi: 14FF9428

current inbound spi : 9F01E33F





of 846


IKEv2 SAs:


Tunnel-id Local Remote Status Role4933683 102.1.1.100/500 101.1.1.100/500 READY RESPONDER

Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA



remote selector 192.168.101.0/0 - 192.168.101.255/65535

ESP spi in/out: 0x14ff9428/0x9f01e33f

ASA2# sh cry

ASA2# sh crypto ip


interface: outside









#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0









current outbound spi: 9F01E33Fcurrent inbound spi : 14FF9428

ASA1


subnet 192.168.101.0 255.255.255.0

object network s2s

subnet 192.168.102.0 255.255.255.0

ex

nat (inside,outside) source static inside inside destination static s2s s2s

nat (inside,outside) source dynamic any interface





of 846



R1#ping 101.1.1.1




R1#ping 192.168.102.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!





of 846


ASA_s2s_rsa_ikev2_2012_ca

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2

interface f0/0

no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

R3

int f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

ip add 102.1.1.1 255.255.255.0 secondary

int f0/1

no shutdown

ip add 192.168.112.1 255.255.255.0

ASA1

int g0/0

no shu

nameif inside

ip add 192.168.101.1

interface g0/1

no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu


ASA1# ping 192.168.101.100



!!!!!


ASA1# pin

ASA1# ping 102.1.1.1



!!!!!


ASA1# pin

ASA1# ping 192.168.112.1






of 846


!!!!!


ASA1# ping 192.168.112.100




ASA2


no shu

nameif inside

ip add 192.168.102.1


no shu

nameif outside

ip add 102.1.1.100 255.255.255.0no shu


ASA2# ping 192.168.102.100



!!!!!


ASA2# pin

ASA2# ping 101.1.1.100




ASA2# pin

ASA2# ping 192.168.112.100



!!!!!


R3

R3#clock set 14:24:30 7 oct 2014

R3#conf t




GO TO CA SERVER

http://192.168.112.100/certsrv/mscep/mscep.dll




of 846





of 846


copy OTP for ASA1 & Refresh page Obtain new for ASA2




of 846



ASA1(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll



INFO: Certificate has the following attributes:Fingerprint: 15e057f1 e800b9d9 90410bd8 cbd9263b




%





Please make a note of it.Password: ****************







ASA2


ASA2(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll




Fingerprint: 15e057f1 e800b9d9 90410bd8 cbd9263b




%






Password: ****************





of 846





% Certificate request sent to Certificate AuthorityASA2(config)# The certificate has been granted by CA!

ASA1


encryption aes

integrity sha

group 5




ikev2 local-authentication certificate tttikev2 remote-authentication certificate











ASA2


encryption aes

integrity sha

group 5




ikev2 local-authentication certificate tttikev2 remote-authentication certificate















of 846


R1#ping 192.168.102.100 repeat 100

*Oct 7 09:13:38.111: %SYS-5-CONFIG_I: Configured from console by console

R1#ping 192.168.102.100 repeat 100


Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



IKEv2 SAs:



5337201 101.1.1.100/500 102.1.1.100/500 READY INITIATOR




remote selector 192.168.102.0/0 - 192.168.102.255/65535ESP spi in/out: 0x9888f2d4/0xb65c501b

ASA1# sh cry

ASA1# sh crypto ip



interface: outside

















of 846






current outbound spi: B65C501Bcurrent inbound spi : 9888F2D4

inbound esp sas:

spi: 0x9888F2D4 (2559111892)





IV size: 16 bytes


Anti replay bitmap:0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0xB65C501B (3059503131)





IV size: 16 bytes


Anti replay bitmap:

0x00000000 0x00000001ASA2# sh crypto ikev2 sa

IKEv2 SAs:



6916937 102.1.1.100/500 101.1.1.100/500 READY RESPONDER



Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535remote selector 192.168.101.0/0 - 192.168.101.255/65535

ESP spi in/out: 0xb65c501b/0x9888f2d4

ASA2# sh cry

ASA2# sh crypto ip



interface: outside








of 846





#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0









ICMP error validation: disabled, TFC packets: disabledcurrent outbound spi: 9888F2D4

current inbound spi : B65C501B

inbound esp sas:

spi: 0xB65C501B (3059503131)





IV size: 16 bytes

replay detection support: YAnti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x9888F2D4 (2559111892)





IV size: 16 bytes


Anti replay bitmap:0x00000000 0x00000001




of 846


Chapter 17


Remote Access VPN

Modes

Working

Remote Access VPN




of 846


It enable remote user or mobile user/ internet users to access the internal network of a company.

Client

Network extension

Network extension plus

In client mode an internal ip address if offered to remote client.

When remote client wants to access internal resource of server lan it generate PDU with internal

source & destination. That is protected by esp and an external ip address is attached with packet so

that is can be routed over internet.

Note

It is unidirectional only client can access server lan. But server lan can't access client.

It can be implemented on software or hardware.

In client mode an internal ip address if offered to remote client.

When remote client lan wants to access internal resource that request is pat in obtain if. If remote

lan wants to access internet that request is pat in public ip address of remote client.

Note

It is unidirectional only client can access server lan. But server lan can't access client.

In Network Extension internal ip address is not offered to remote client.

Remote Access VPN

Modes

Client Mode Hardware

Client Mode Software

Network Extension




of 846


Note

it is bi-directional

it can be implemented only on hardware.

In Network Extension internal ip address is offered to remote client. Internal ip address is not for

patting it is for remote management purpose.

Note

It is bi-directional

It can be implemented only on hardware.

Client will initiate a request it will send proposal to server.

Client will send pre-define policy

Server will match client proposal to own configure policy if proposal match

Server will prompt for username & password.

If user is authenticated server will send policy to client. This policy includes ip address, mask,

and interesting traffic.

At last a reverse route is installed in routing table.

Network Extension Plus

Working




of 846


Diagram:-

ASA_ra_pre_8.0

Initial-config

R1


no shut

ip add 101.1.1.1 255.255.255.0

int f0/1no shutdown

ip add 192.168.101.1 255.255.255.0

R2

interface f0/0

no shutdown

ip add 192.168.1.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdownrouter ei 100

no au

net 192.168.1.0

net 192.168.10.0

R3


no shutdown

ip add 192.168.2.2 255.255.255.0

no shutdown

int f0/1





of 846


no shutdown

router ei 100

no au

net 192.168.2.0

net 192.168.20.0

ADMINinterface fastEthernet 0/0

ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90


login local

exitip http server




MGMT


no shutdown

ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip domain-name cisco.comcrypto key generate rsa

1024

line vty 0 90


login local

exit

ip http server




ASA1


nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!


nameif inside1

security-level 100

ip address 192.168.1.1 255.255.255.0

!





of 846


nameif inside2

security-level 100

ip address 192.168.2.1 255.255.255.0

!


router ei 100

no au

net 192.168.1.0

net 192.168.2.0


ASA1(config)# ping 192.168.101.100



!!!!!




!!!!!


ASA1(config)# ping 192.168.20.100



!!!!!


PAT

nat-control

nat (inside1) 1 0 0

nat (inside2) 1 0 0




admin#ping 101.1.1.1


!!!!!


admin#

mgmt#ping 101.1.1.1



!!!!!






of 846



encryption 3des

group 2

hash sha

crypto ipsec transform-set ez esp-3des esp-sha-hmac

crypto dynamic-map d-map 10 set transform-set ezcrypto dynamic-map d-map 10 set reverse-route

crypto map test 10 ipsec-isakmp dynamic d-map



ip local pool admin 192.168.100.100-192.168.100.254

ip local pool mgmt 192.168.200.100-192.168.200.100

tunnel-group admin type ipsec-ra

tunnel-group admin general-attributes

address-pool admin

tunnel-group admin ipsec-attributes

pre-shared-key admintunnel-group mgmt type ipsec-ra

tunnel-group mgmt general-attributes

address-pool mgmt

tunnel-group mgmt ipsec-attributes

pre-shared-key mgmt

Install vpn client software




of 846





of 846


connection entry any name

host asa public ip 101.1.1.100

tunnel group admin

key adminconfirm key admin




of 846


save

same task for mgmt click new tab on vpn client

do same

go to asa

ASA1(config)# username shiva password shiva privilege 15




of 846


go to pc1

click OK




of 846


ASA1(config)# sh route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP



E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route





of 846



S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outsideS* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside

ping reply is not coming reason NAT exclude vpn traffic from nat

using nat exemption

access-list nat-exemption permit ip any 192.168.100.0 255.255.255.0

access-list nat-exemption permit ip any 192.168.200.0 255.255.255.0

nat (inside1) 0 access-list nat-exemption

nat (inside2) 0 access-list nat-exemption




of 846





of 846


no internet access use split-tunnel

on asa

access-list stacl permit 192.168.0.0 255.255.0.0




of 846


group-policy admin internal

group-policy admin attributes

split-tunnel-network-list value stacl

split-tunnel-policy tunnelspecified

group-policy mgmt internal

group-policy mgmt attributessplit-tunnel-network-list value stacl



default-group-policy admin


default-group-policy mgmt

Disconnect & connect VPN connection

& see the effect




of 846





of 846


ASA1

! banner


banner value ADMIN_GROUP

group-policy mgmt ge

group-policy mgmt attributes

banner value MGMT_GRPUP




of 846


ASA1(config)# clock set 08:56:00 30 sep 2014

clock set 08:56:00 30 sep 2014

time-range shivaperiodic weekdays 09:00 to 18:00


vpn-access-hours value shiva




of 846


no connection due to time acl now time is 8:59 wait 1 min try @ 9:00

ASA1# sh clock

08:59:43.968 UTC Tue Sep 30 2014

ASA1#ASA1# sh clock

08:59:58.371 UTC Tue Sep 30 2014

ASA1# sh clock

08:59:59.029 UTC Tue Sep 30 2014

ASA1# sh clock

08:59:59.820 UTC Tue Sep 30 2014

ASA1# sh clock

09:00:01.090 UTC Tue Sep 30 2014

currect time now you can access.




of 846


ASA_ra_rsa_8.0

Diagram:-

Initial-config

R1


no sh

ip add 101.1.1.1 255.255.255.0

int f01

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

R2

interface f0/0

no shutdown

ip add 192.168.1.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdown

router ei 100

no au

net 192.168.1.0

net 192.168.10.0

R3


no shutdown

ip add 192.168.2.2 255.255.255.0




of 846


no shutdown

int f0/1

no shutdown

ip add 192.168.20.1 255.255.255.0

no shutdown

do sh histrouter ei 100

no au

net 192.168.2.0

net 192.168.20.0

ADMIN


ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1


crypto key generate rsa1024

line vty 0 90


login local

exit

ip http server




MGMT


ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1



1024

line vty 0 90


login local

exitip http server




ASA1


nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!





of 846


nameif inside1

security-level 100

ip address 192.168.1.1 255.255.255.0

!


nameif inside2security-level 100

ip address 192.168.2.1 255.255.255.0

!


nameif dmz

security-level 50

ip address 192.168.105.1 255.255.255.0

! route outside 0 0 101.1.1.1

router eigrp 100

no aut

net 192.168.1.0net 192.168.2.0

net 192.168.105.0


ASA1(config)# sh int ip br


Ethernet0/0 101.1.1.100 YES manual up up




Ethernet0/4 unassigned YES unset administratively down up

Ethernet0/5 unassigned YES unset administratively down up

ASA1# ping 192.168.101.100



!!!!!


ASA1# ping 192.168.105.100




ASA1# ping 192.168.10.100



!!!!!


ASA1# ping 192.168.20.100



!!!!!





of 846


ASA1

nat-control

nat (inside1) 1 0 0

nat (inside2) 1 0 0


access-list out permit icmp any interface outsideaccess-group out in interface outside




!!!!!


mgmt#ping 101.1.1.1


!!!!!


R1

R1#clock set 09:19:15 30 sep 2014

R1#

*Sep 30 09:19:15.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:18:29 UTC Fri

Mar 1 2002 to 09:19:15 UTC Tue Sep 30 2014, configured from console by console.

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.R1(config)#ntp master


ASA1(config)# domain-name cisco.com

ASA1(config)# crypto key generate rsa

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

ASA1(config)# sh clock

09:20:29.523 UTC Tue Sep 30 2014

ASA1(config)# crypto ca trustpoint tttenrollment url http://192.168.105.100/certsrv/mscep/mscep.dll

ex


yes


%






Password: **************** this password will obtain from ca like site-site




of 846




% Include the device serial number in the subject name? [yes/no]: no




ASA1



encryption 3des

group 2

hash sha


crypto dynamic-map d-map 10 set transform-set ez

crypto dynamic-map d-map 10 set reverse-route








address-pool admin





of 846


trust-point ttt

tunnel-group mgmt type ipsec-ra


address-pool mgmt


trust-point tttusername shiva password shiva privilege 15










access-list nat0 permit ip any 192.168.100.0 255.255.255.0


nat (inside1) 0 access-list nat0


STATIC PAT for CA so that internet user can obtain certificates from CA

static (dmz,outside) tcp interface 80 192.168.105.100 80

access-list out permit tcp any interface outside eq 80


go to pc

ping 101.1.1.100

start

run

type

http://101.1.1.100/certsrv




of 846


if you see this error it is saying that update your ca enrolment pages from microsoft

tips

1. update ca pages

2. use client XP, ca 2003

3. use client win 7, ca 2008

what do you say..............................................?

now we will use client XPLater Labs we will use CA 2008 & Client win 7 ok.




of 846


in run type http://101.1.1.100/certsrv




of 846





of 846


in Department must be admin or mgmt to join tunnel group




of 846


scroll down & submit

yes




of 846


install cert

yes

yes




of 846





of 846


ASA1





for split tunnel




of 846


ASA_ra_ikev1_pre

Initial-config

R1

interface f0/0


no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

ASA1

hostname ASA1


no shu

nameif outsideip add 101.1.1.100 255.255.255.0

no shu



no shu

nameif inside1

security-level 100

ip add 192.168.1.1

interface g0/2

no shu

nameif inside2security-level 100

ip add 192.168.2.1

router ei 100

no au

net 192.168.1.0

net 192.168.2.0


R2

interface f0/0

no shutdown


int f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdown

router ei 100

no auto-summary

net 0.0.0.0

R3


no shutdown

ip add 192.168.2.2 255.255.255.0




of 846


no shutdown

int f0/1

no shutdown

ip add 192.168.20.1 255.255.255.0

no shutdown

router ei 100no auto-summary

net 192.168.2.0

net 192.168.20.0

R4

interface f0/0

no shutdown

ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

R5


ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ASA1

ASA1# ping 192.168.101.100




ASA1# ping 192.168.10.100



!!!!!


ASA1# ping 192.168.20.100



!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msASA1#



encryption 3des

group 2

crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac

crypto dynamic-map d-map 10 set ikev1 transform-set ez








of 846


sh history





address-pool admintunnel-group admin ipsec-attributes

ikev1 pre-shared-key admin

tunnel-group mgmt type ipsec-ra


address-pool mgmt


ikev1 pre-shared-key mgmt

username shiva password shiva privilege 15

ASA1

access-list stacl permit 192.168.0.0 255.255.0.0group-policy admin internal








sh history


default-group-policy admintunnel-group mgmt general-attributes





of 846





of 846


ASA1# sh route outside









S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside




of 846




S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside

ASA1#


IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 192.168.101.100

Type : user Role : responder

Rekey : no State : AM_ACTIVE

ASA1# sh cryASA1# sh crypto ip


interface: outside

Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100



current_peer: 192.168.101.100, username: shiva

dynamic allocated peer ip: 192.168.100.100

dynamic allocated peer ip(ipv6): 0.0.0.0










local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 192.168.101.100/0path mtu 1500, ipsec overhead 58(36), media mtu 1500



current outbound spi: 349BA5D9

current inbound spi : 9D375C4D

ASA1

PAT

nat (inside1,outside) source dynamic any interface

nat (inside2,outside) source dynamic any interface

access-list out permit icmp any 192.168.0.0 255.255.0.0


R4#ping 101.1.1.1




of 846




!!!!!


R4#*Oct 1 09:26:49.290: %SYS-5-CONFIG_I: Configured from console by console

R5#ping 101.1.1.1



!!!!!


ASA1

object network admin

subnet 192.168.100.0 255.255.255.0object network mgmt

subnet 192.168.200.0 255.255.255.0

exit

object network inside1

subnet 192.168.10.0 255.255.255.0

object network inside2

subnet 192.168.20.0 255.255.255.0

ex

sh running-config object

nat (inside1,outside) 1 source static inside1 inside1 destination static admin admin

nat (inside1,outside) 1 source static inside1 inside1 destination static mgmt mgmtnat (inside2,outside) 1 source static inside2 inside2 destination static admin admin

nat (inside2,outside) 1 source static inside2 inside2 destination static mgmt mgmt

R4#ping 101.1.1.1



!!!!!


R5#ping 101.1.1.1


!!!!!





of 846





of 846


ASA_ra_ikev1_rsa

Diagram:-

Initial-config

R1


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

ASA1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no sh

int g0/1

no shu

nameif inside1

security-level 100

ip add 192.168.1.1


no shu

nameif inside2

security-level 100

ip add 192.168.2.1


no shu

nameif dmz




of 846


security-level 50

ip add 192.168.108.1


router ei 100

no au

net 192.168.1.0net 192.168.2.0


R2


no shutdown

ip add 192.168.1.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdownrouter ei 100

no auto-summary

net 0.0.0.0

R3


no shutdown

ip add 192.168.2.2 255.255.255.0

no shutdown

int f0/1

no shutdown


router ei 100

no au

net 0.0.0.0

R4


no shutdown

ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

ip http serverR5


no shutdown

ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip http server

ASA1

ASA1# ping 192.168.101.100






of 846


!!!!!


ASA1# ping 192.168.108.100




ASA1# ping 192.168.10.100



!!!!!


ASA1# ping 192.168.20.100



?!!!!


R1

R1#clock set 15:00:40 1 oct 2014

R1#conf t



ASA1



ex

crypto ca authenticate tttyes


%






Password: ****************










of 846


ASA1

crypto ikev1 policy 1authentication rsa-sig

encryption 3des

group 2

ex







sh historyip local pool admin 192.168.100.100-192.168.100.254



address-pool admin

tunnel-group admin




ASA1




of 846







tunnel-group admin general-attributesdefault-group-policy admin

ASA

Static-pat

object network ca

host 192.168.108.100

nat (dmz,outside) static interface service tcp 80 80

access-list out permit tcp any object ca eq 80


On client in run type

http://101.1.1.100/certsrv




of 846





of 846


on windows 7 this site should be trusted site




of 846





of 846



S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside


L 101.1.1.100 255.255.255.255 is directly connected, outsideS 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside


interface: outside

Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100





of 846



current_peer: 192.168.101.100, username: shiva

dynamic allocated peer ip: 192.168.100.100

dynamic allocated peer ip(ipv6): 0.0.0.0

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8#pkts decaps: 109, #pkts decrypt: 109, #pkts verify: 109









path mtu 1500, ipsec overhead 58(36), media mtu 1500PMTU time remaining (sec): 0, DF policy: copy-df


current outbound spi: CA9454E5

current inbound spi : ABBB7A60

ASA1# sh cry

ASA1# sh crypto is

ASA1# sh crypto ik

ASA1# sh crypto ikev1

ERROR: % Incomplete command


IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 192.168.101.100

Type : user Role : responder





of 846


Chapter 18


VPN Load Balancing

Limitation

VPN Load Balancing Terminology

VPN Load Balancing




of 846


Load balancing is a Cisco-proprietary feature that allows Easy VPN servers to logically appear as one

server.

Only for IPsec & SSL

In IPSec, only for Remote Access. It is not for site-site vpn.

Cluster

Master

Member

VPN Load Balancing

VCA Virtual Cluster Agent.

A logical group of devices or appliances which provides common application access it is identified

with a virtual ip.

An appliance which has a higher priority. Master is responsible for handling client request and it

distributes client request to group members based on load. Master is responsible for cluster ip.

Default ASA priority 1

An appliance which is participating in cluster.

VPN Load Balancing

Limitation

VPN Load Balancing Terminology

Cluster

Master

Member




of 846


Client will initiate a phase1 request to virtual ip address of cluster. It will accepted by master. Thenmaster will check the load of members. Load is calculated based on total active vpn connection of

total maximum connection.

It is not true load like cpu utilization or amount of traffic. After checking load master will redirect

connection to member. Redirection message in phase1 is cisco proprietary. Only cisco client can

understand it. If master has least load it will redirect connection to itself.

This protocols is used for vpn load balancing it use udp port 9023

Diagram:-

VPN Load Balancing

VCA Virtual Cluster Agent




of 846


Initial-config

R1


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdownint f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

ip add 192.168.102.1 255.255.255.0 secondary

ip add 192.168.103.1 255.255.255.0 secondary

ip add 192.168.104.1 255.255.255.0 secondary

R2


no shutdown

ip add 192.168.1.3 255.255.255.0

no shutdownint f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdown

router ei 100

no auto-summary

net 0.0.0.0

R3

interface f0/0

no shutdown


ip route 0.0.0.0 0.0.0.0 192.168.10.1

ASA1


nameif outside

security-level 0

ip address 101.1.1.101 255.255.255.0

!


nameif inside


!


nameif admin

security-level 100

ip address 192.168.100.1 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

router eigrp 100

network 192.168.1.0 255.255.255.0

network 192.168.100.0 255.255.255.0




of 846



ASA2


nameif outside

security-level 0

ip address 101.1.1.102 255.255.255.0!


nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!


nameif admin

security-level 100

ip address 192.168.200.1 255.255.255.0

!!

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

router eigrp 100

network 192.168.1.0 255.255.255.0

network 192.168.200.0 255.255.255.0

!

!

!

ASA1(config)# ping 192.168.101.100




ASA1(config)# ping 192.168.102.100



!!!!!


ASA1(config)# ping 192.168.103.100




ASA1(config)# ping 192.168.104.100



!!!!!


ASA1(config)# ping 192.168.10.100



!!!!!





of 846


!

!

!

ASA2(config)# ping 192.168.101.100




ASA2(config)# ping 192.168.102.100



!!!!!


ASA2(config)# ping 192.168.103.100




ASA2(config)# ping 192.168.104.100



!!!!!


ASA2(config)# ping 192.168.10.100



!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms!

!

!

ASA1

!



encryption 3des

group 2


crypto dynamic-map d-map 10 set ikev1 transform-set ezcrypto dynamic-map d-map 10 set reverse-route







address-pool admin







of 846


ASA2



encryption 3des

group 2

crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmaccrypto dynamic-map d-map 10 set ikev1 transform-set ez








address-pool admin


ikev1 pre-shared-key shivausername shiva password shiva privilege 15

ASA1

vpn load-balancing

cluster ip address 101.1.1.100

interface lbpublic outside

interface lbprivate inside

priority 10

participate

ASA2

vpn load-balancingcluster ip address 101.1.1.100

interface lbpublic outside

interface lbprivate inside

priority 9

participate

ASA1

ASA1# sh vpn load-balancing

--------------------------------------------------------------------------

Status Role Failover Encryption Peers Cluster IP

--------------------------------------------------------------------------Enabled Master n/a Disabled 1 101.1.1.100

Peers:

--------------------------------------------------------------------------

Role Pri Model Load-Balancing Version Public IP

--------------------------------------------------------------------------

Master 10 ASA5512 4 101.1.1.101*

Backup 9 ASA5512 4 101.1.1.102

Total License Load:

--------------------------------------------------------------------------

AnyConnect Premium/Essentials Other VPN Public IP




of 846


----------------------------- ---------------------

Limit Used Load Limit Used Load

--------------------------------------------------------------------------

2 0 0% 250 0 0% 101.1.1.101*

2 0 0% 250 0 0% 101.1.1.102

Licenses Used By Inactive Sessions :

--------------------------------------------------------------------------

AnyConnect Premium/Essentials Inactive Load Public IP

--------------------------------------------------------------------------

0 0% 101.1.1.101*

0 0% 101.1.1.102

ASA2


--------------------------------------------------------------------------

Status Role Failover Encryption Peers Cluster IP--------------------------------------------------------------------------

Enabled Backup n/a Disabled 1 101.1.1.100

Peers:

--------------------------------------------------------------------------

Role Pri Model Load-Balancing Version Public IP

--------------------------------------------------------------------------

Backup 9 ASA5512 4 101.1.1.102*

Master 10 ASA5512 4 101.1.1.101

Total License Load:--------------------------------------------------------------------------


----------------------------- ---------------------


--------------------------------------------------------------------------

2 0 0% 250 0 0% 101.1.1.102*


--------------------------------------------------------------------------


--------------------------------------------------------------------------0 0% 101.1.1.102*

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!

!

!




of 846





of 846


ASA1


--------------------------------------------------------------------------


--------------------------------------------------------------------------

Enabled Master n/a Disabled 1 101.1.1.100

Peers:

--------------------------------------------------------------------------Role Pri Model Load-Balancing Version Public IP




of 846


--------------------------------------------------------------------------

Master 10 ASA5512 4 101.1.1.101*

Backup 9 ASA5512 4 101.1.1.102

Total License Load:

--------------------------------------------------------------------------AnyConnect Premium/Essentials Other VPN Public IP

----------------------------- ---------------------


--------------------------------------------------------------------------

2 0 0% 250 2 1% 101.1.1.101*

2 0 0% 250 2 1% 101.1.1.102


--------------------------------------------------------------------------


--------------------------------------------------------------------------0 0% 101.1.1.101*

0 0% 101.1.1.102

ASA2(config)# sh vpn load-balancing

--------------------------------------------------------------------------


--------------------------------------------------------------------------

Enabled Backup n/a Disabled 1 101.1.1.100

Peers:

--------------------------------------------------------------------------

Role Pri Model Load-Balancing Version Public IP--------------------------------------------------------------------------

Backup 9 ASA5512 4 101.1.1.102*

Master 10 ASA5512 4 101.1.1.101

Total License Load:

--------------------------------------------------------------------------


----------------------------- ---------------------


--------------------------------------------------------------------------

2 0 0% 250 2 1% 101.1.1.102*


--------------------------------------------------------------------------


--------------------------------------------------------------------------

0 0% 101.1.1.102*

ASA1







of 846








S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside



S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside

S 192.168.100.101 255.255.255.255 [1/0] via 101.1.1.1, outside









S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside

C 101.1.1.0 255.255.255.0 is directly connected, outsideL 101.1.1.102 255.255.255.255 is directly connected, outside

S 192.168.200.100 255.255.255.255 [1/0] via 101.1.1.1, outside

S 192.168.200.101 255.255.255.255 [1/0] via 101.1.1.1, outside




of 846


Chapter19


Secure Socket Layer VPN

Modes

Requirements

Working





of 846


SSL was originally developed by Netscape . It was designed for secure data transmission between

web server & web browser over internet. But some vendors are adopting it as a VPN. Web VPN is

marketing term of cisco for SSL VPN

SSL initiate request at session layer, its data is protected at presentation layer. and that is carried by

transport layer. So in both OSI or TCP/IP modals, SSL works on the behalf of Transport Layer.

Version 1 never released

Version 2 publically released

Version 3

Clientless

Thin Client

Thick Client

As name suggest us Clientless in clientless there is no need of any client software. In clientless client

makes a request to SSL gateway, gateway proxy it to internal resources.

Clientless provides secure communication only of web based applications.

Like, HTTP, HTTPS, SMTP, POP3 ,IMAP or MS exchange Server etc.

As we know that Clientless provides secure communication only of web based applications. Thin

Client was designed for those non web based applications which have static tcp port.

Also known as Port-Forwarding. In thin-client, client makes a request to SSL gateway, gateway proxy

it to internal resources. Like Telnet, SSH, RDP etc.


SSL Modes

Clientless Mode

Thin Client Mode




of 846


It provides us network layer access like IPSec Remote access. Using thick we can access all webbased or non web based applications. In thick when client initiate request server push a package to

client , client will install this package.

After package installation server push policies to client, these policies include ip address, mask,

interesting traffic etc.

Clientless requirements Only web browser.

Thin requirements

Web browser

Java

Active x and pop ups should be enables on client web browser.

Thick requirements

Web browser

Java

Active x and pop ups should be enable on client web browser Any-connect package & cisco secure desktop package.

Client will initiate a request to server

Server will provide a certificate to client. This certificate contain public key of server.

Client generates a shared key. That key is protected by public key of server

Encrypted shared secret is delivered to server. Server decrypt is using its private key.

No both has same secret bulk encryption happen.

SSL Requirements

Thick Client Mode

Working




of 846


Diagram:-

ASA_ssl_8.0

R1


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

ASA1


nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!

interface Ethernet0/1nameif inside1

security-level 100

ip address 192.168.1.1 255.255.255.0

!


nameif inside2

security-level 100

ip address 192.168.2.1 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

router eigrp 100no auto-summary




of 846


network 192.168.1.0 255.255.255.0

network 192.168.2.0 255.255.255.0


!

R2


ip add 192.168.1.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdown

router ei 100

no auto-summary

net 0.0.0.0


no shutdown

ip add 192.168.2.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.20.1 255.255.255.0

no shutdown

en

router ei 100

no aunet 0.0.0.0

admin


no shutdown

ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024line vty 0 90


login local

exit

ip http server




mgmt


no shutdown




of 846


ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1



1024line vty 0 90


login local

exit

ip http server




ASA1

ASA1(config)# ping 192.168.101.100


!!!!!


ASA1(config)# ping 192.168.10.100



!!!!!


ASA1(config)# ping 192.168.20.100




ASA1

webvpn

enable outside





of 846





of 846


ASA1

webvpn

enable outside

port-forward admin 2222 192.168.10.100 ssh

port-forward admin 2323 192.168.10.100 telnetport-forward admin 8080 192.168.10.100 www

port-forward admin 8181 192.168.10.100 https

port-forward mgmt 2222 192.168.20.100 ssh

port-forward mgmt 2323 192.168.20.100 telnet

port-forward mgmt 8080 192.168.20.100 www

port-forward mgmt 8181 192.168.20.100 https



vpn-tunnel-protocol webvpn

webvpnport-forward name admin

port-forward enable admin



vpn-tunnel-protocol webvpn

webvpn

port-forward name mgmt

port-forward auto-start mgmt

tunnel-group admin type remote-access

tunnel-group admin general-attributesdefault-group-policy admin




of 846


tunnel-group admin webvpn-attributes

group-alias admin enable

tunnel-group mgmt type remote-access



tunnel-group mgmt webvpn-attributesgroup-alias mgmt enable

webvpn

tunnel-group-list enable




of 846





of 846


webvpn

enable outside

svc image disk0:/svc2.5.pkg 1

svc enable


port-forward admin 2323 192.168.10.100 telnet

port-forward admin 8080 192.168.10.100 wwwport-forward admin 8181 192.168.10.100 https

port-forward mgmt 2222 192.168.20.100 ssh







vpn-tunnel-protocol svc webvpn

webvpnport-forward name admin


svc keep-installer installed

svc ask enable



vpn-tunnel-protocol svc webvpn

webvpn



svc keep-installer installedsvc ask enable




of 846




tunnel-group admin type remote-access

tunnel-group admin general-attributesaddress-pool admin


tunnel-group admin webvpn-attributes

group-alias admin enable

tunnel-group mgmt type remote-access


address-pool mgmt


tunnel-group mgmt webvpn-attributes

group-alias mgmt enable




of 846





of 846


webvpn

no enable outside

port 9090

enable outside




of 846


https://101.1.1.100:9090




of 846





of 846



banner value admin


banner value mgmt




of 846


webvpn

onscreen-keyboard logon




of 846


clear configure ip local pool


dhcp-network-scope 192.168.100.0


dhcp-network-scope 192.168.200.0

extunnel-group admin general-attributes

dhcp-server 192.168.10.100


dhcp-server 192.168.20.100

admin

ip dhcp pool admin

network 192.168.100.0

default-router 192.168.100.

mgmt

ip dhcp pool mgmt

network 192.168.200.0

default-router 192.168.200.1




of 846





of 846


admin#sh ip dhcp binding

Bindings from all pools not associated with VRF:

IP address Client-ID/ Lease expiration Type

Hardware address/

User name

192.168.100.1 0063.6973.636f.2d30. Mar 02 2002 01:04 AM Automatic3061.622e.6364.3932.

2e35.3230.312d.636c.

6965.6e74.312d.696e.

7369.6465.3100




of 846





of 846


mgmt#sh ip dhcp binding



Hardware address/

User name

192.168.200.1 0063.6973.636f.2d30. Mar 02 2002 01:08 AM Automatic

3061.622e.6364.3932.2e35.3230.322d.636c.

6965.6e74.322d.696e.

7369.6465.3200




of 846


nat-control

nat (inside1) 1 0 0

nat (inside2) 1 0 0


access-list out permit icmp any interface outsideaccess-group out in interface outside




!!!!!


mgmt#ping 101.1.1.1



!!!!!






access-list stacl standard permit 192.168.0.0 255.255.0.0









of 846






of 846





Hardware address/

User name


3061.622e.6364.3932.

2e35.3230.312d.636c.

6965.6e74.342d.696e.

7369.6465.3100




of 846






mgmt#ping 101.1.1.1



!!!!!




encryption 3des

group 2ex


crypto dynamic-map d-map 10 set transform-set ez





sh history


pre-shared-key admin

tunnel-group mgmt ipsec-attributespre-shared-key mgmt




of 846



vpn-tunnel-protocol svc webvpn ipSec


vpn-tunnel-protocol svc webvpn ipSec




of 846





Hardware address/

User name


3061.622e.6364.3932.

2e35.3230.312d.636c.

6965.6e74.392d.696e.

7369.6465.3100

192.168.100.9 0063.6973.636f.2d30. Mar 02 2002 01:34 AM Automatic3061.622e.6364.3932.




of 846


2e35.3230.312d.636c.

6965.6e74.312d.696e.

7369.6465.3100




!!!!!


mgmt#ping 101.1.1.1




of 846




!!!!!



Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP



E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route



S 192.168.100.9 255.255.255.255 [1/0] via 101.1.1.1, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside




of 846


ASA_ssl_9.2

Initial-config

R1


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

R2


no shutdown

ip add 192.168.1.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.10.1 255.255.255.0

no shutdown

router ei 100

no auto-summary

net 0.0.0.0

R3


no shutdown

ip add 192.168.2.2 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.20.1 255.255.255.0

no shutdown

router ei 100

no au

net 0.0.0.0

R4


no shutdown

ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90


login local

exit

ip http server




of 846





R5



no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1



1024

line vty 0 90


login local

exit




ASA1

hostname ASA1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shuint gigabitEthernet 0/1

no shu

nameif inside1

security-level 100

ip add 192.168.1.1


no shu

nameif inside2

security-level 100

ip add 192.168.2.1

route outside 0 0 101.1.1.1router ei 100

no au

net 192.168.1.0

net 192.168.2.0


ASA1# ping 192.168.101.100



!!!!!


ASA1# ping 192.168.10.100





of 846



!!!!!


ASA1# ping 192.168.20.100




ASA1

webvpn

enable outside


on client access https://101.1.1.100




of 846





of 846


in url bar type http://192.168.10.100 or http://192.168.20.100




of 846


ASA thin

webvpn

enable outside



port-forward admin 8080 192.168.10.100 www

port-forward admin 8181 192.168.10.100 https

port-forward mgmt 2222 192.168.20.100 sshport-forward mgmt 2323 192.168.20.100 telnet




of 846






vpn-tunnel-protocol ssl-clientlesswebvpn

port-forward name admin




vpn-tunnel-protocol ssl-clientless

webvpn



tunnel-group admin_group type remote-access

tunnel-group admin_group general-attributesdefault-group-policy admin

tunnel-group admin_group webvpn-attributes

group-alias ADMIN_GROUP enable

tunnel-group mgmt_group type remote-access

tunnel-group mgmt_group general-attributes


tunnel-group mgmt_group webvpn-attributes

group-alias MGMT_GROUP enable

webvpn

tunnel-group-list enableASA1(config-webvpn)# username shiva password shiva privilege 15




of 846





of 846


webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable



port-forward admin 8080 192.168.10.100 www

port-forward admin 8181 192.168.10.100 httpsport-forward mgmt 2222 192.168.20.100 ssh




of 846






group-policy admin internalgroup-policy admin attributes

vpn-tunnel-protocol ssl-client ssl-clientless

webvpn



anyconnect keep-installer installed

anyconnect ask enable



vpn-tunnel-protocol ssl-client ssl-clientless

webvpnport-forward name mgmt


anyconnect keep-installer installed

anyconnect ask enable




tunnel-group admin_group general-attributes

address-pool admindefault-group-policy admin

tunnel-group admin_group webvpn-attributes

group-alias ADMIN_GROUP enable



address-pool mgmt








of 846





of 846


ASA1# vpn-sessiondb logoff webvpn

Do you want to logoff the VPN session(s)? [confirm]

INFO: Number of sessions of type "webvpn" logged off : 2




of 846





of 846


S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside



S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside


group-policy admin attributessplit-tunnel-network-list value stacl





Disconnect & connect......................




of 846





of 846


webvpn

csd image disk0:/csd_3.6.6203-k9.pkg

csd enableexit

http server enable

http 0 0 outside


PC

https://101.1.1.100/ for ssl

https://101.1.1.100/admin for ASDM




of 846





of 846


webvpn

no csd enable

webvpn

smart-tunnel list sss telnet telnet.exe

group-policy admin attributeswebvpn

port-forward disable

smart-tunnel enable sss

https://101.1.1.100




of 846





of 846


Install the addons & again start smart-tunnel




of 846





of 846


Chapter 20



ASA Modes

Advantages

Limitations

Difference between Switching &Transparent Firewall





of 846


Cisco ASA comes in two modes Routed mode, & transparent mode.

In routed mode asa works as a layer 3 device. It forward the packet based on destination IP address.

In transparent mode asa works as layer 2 device it forwards the frames based on destination mac.

But still it has capabilities to filter the traffic from layer 2 to layer 7.

If you want to implement firewall in your network without readdressing the network.


Routed Mode

Transparent Mode

Advantages




of 846


Only 2 interface can use

No dynamic routing

No VPN only site-site vpn can configure for management. No CDP

No DTP

No VTP

No IPv6

NAT is optional in OS version 8.0 and later

No DHCP Relay Service

Non IP traffic default drop.

Switch

Learns mac based on source mac

Forwards a frame based in destination mac

Use STP

They flood

1.

Broadcast2. Multicast

3. Unknown unicast


Learns mac based on source mac

Forwards a frame based in destination mac

Don't use STP

They flood

1. Broadcast

2.

Multicast

Transparent Firewall limitation

Difference between Switching &Trans arent Firewall




of 846


Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 101.1.1.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 101.1.1.1

R2


no shutdown

ip add 192.168.102.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 102.1.1.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 102.1.1.1

R3





of 846


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown


R4


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R5


no shutdown


ip route 0.0.0.0 0.0.0.0 192.168.102.1

R1

R1#ping 102.1.1.100



!!!!!


R2

R2#ping 101.1.1.100



!!!!!


R1

interface fastEthernet 0/0ip nat inside


ip nat outside

exit

ip access-list extended natacl

permit ip 192.168.0.0 0.0.255.255 any

exit

ip nat inside source list natacl interface fastEthernet 0/1 overload

R2


ip nat inside




of 846



ip nat outside

exit

ip access-list extended natacl

permit ip 192.168.0.0 0.0.255.255 any

exitip nat inside source list natacl interface fastEthernet 0/1 overload

R1





!!!!!


R1#sh ip natR1#sh ip nat t

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 101.1.1.100:2 192.168.101.1:2 101.1.1.1:2 101.1.1.1:2




Packet sent with a source address of 192.168.102.1!!!!!


R2#sh ip nat

R2#sh ip nat t

R2#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 102.1.1.100:1 192.168.102.1:1 101.1.1.1:1 101.1.1.1:1

R1

interface t0

ip add 192.168.123.1 255.255.255.0tunnel source 101.1.1.100

tunnel destination 102.1.1.100

tunnel mode gre ip

ip ospf 100 area 0

int f0/0

ip ospf 100 area 0

R2

interface tunnel 0

ip add 192.168.123.2 255.255.255.0

tunnel source 102.1.1.100

tunnel destination 101.1.1.100




of 846


tunnel mode gre ip

ip ospf 100 area 0

int f0/0

ip ospf 100 area 0

R1R1#sh ip route ospf

O 192.168.102.0/24 [110/1001] via 192.168.123.2, 00:00:04, Tunnel0

R2

R2#sh ip route ospf

O 192.168.101.0/24 [110/1001] via 192.168.123.1, 00:00:28, Tunnel0

R1



Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:Packet sent with a source address of 192.168.101.1

!!!!!


R2





!!!!!


ASA1

ASA1(config)# firewall transparent

ciscoasa(config)# ho


ASA1(config)#

ASA2

ASA2(config)# firewall transparent

ciscoasa(config)# ho


ASA2(config)#

ASA2(config)#

ASA1

interface bvI 1

ip address 192.168.101.111 255.255.255.0





of 846


no shu

nameif inside

bridge-group 1


no shu

nameif outsidebridge-group 1

route outside 0 0 192.168.101.1

ASA1(config)# ping 192.168.101.100



!!!!!






ASA2

interface bvI 1

ip add 192.168.102.111 255.255.255.0


no shu

nameif inside

bridge-group 1


no shu

nameif outside

bridge-group 1

route outside 0 0 192.168.102.1








!!!!!


ASA1# ping 192.168.102.1



!!!!!






of 846




!!!!!


R4

R4#ping 192.168.102.100



.....


R5

R5#ping 192.168.

*Oct 4 06:24:54.215: %SYS-5-CONFIG_I: Configured from console by consoleR5#ping 192.168.101.100



.....


ASA1

access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0


ASA2access-list out permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0


R4#ping 192.168.102.100



!!!!!


R5#ping 192.168.101.100



!!!!!


ASA1

object network obj_net_192.168.101.0

subnet 192.168.101.0 255.255.255.0




of 846



subnet 192.168.102.0 255.255.255.0


subnet 192.168.111.0 255.255.255.0

nat (inside,outside) source static obj_net_192.168.101.0 obj_net_192.168.101.0 destination staticobj_net_192.168.102.0 obj_net_192.168.102.0

nat (inside,outside) source static obj_net_192.168.101.0 obj_net_192.168.111.0

R1(config)#ip route 192.168.111.0 255.255.255.0 192.168.101.111

R1#debug ip icmp


R4#ping 192.168.102.100


!!!!!


R4#ping 192.168.101.1



.....


R1#debug ip icmp

ICMP packet debugging is onR1#

*Oct 4 06:59:21.311: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100

R1#


R1#


R1#


R1#


ASA1

access-list out permit icmp any object obj_net_192.168.101.0


R4#ping 192.168.101.1



!!!!!


R1#




of 846







ASA2


subnet 192.168.102.0 255.255.255.0


subnet 192.168.101.0 255.255.255.0


subnet 192.168.222.0 255.255.255.0

nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.102.0 destination static

obj_net_192.168.101.0 obj_net_192.168.101.0nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.222.0

R2#debug ip icmp


R5#ping 192.168.101.100



!!!!!


R5#ping 192.168.102.1



.....


R2#debug ip icmp


R2#


*Oct 4 12:38:04.115: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1

R2#*Oct 4 12:38:06.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100


R2#



R2#



R2#






of 846


R2(config)#ip route 192.168.222.0 255.255.255.0 192.168.102.111

R5#ping 192.168.102.1



.....Success rate is 0 percent (0/5)

R2(config)#


R2(config)#


R2(config)#


R2(config)#


R2(config)#*Oct 4 12:39:22.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100

ASA2

access-list out permit icmp any object obj_net_192.168.102.0


R5#ping 192.168.101.100




R5#ping 192.168.102.1



!!!!!


R2(config)#

*Oct 4 12:40:43.367: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100*Oct 4 12:40:43.371: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100




R4#ping 101.1.1.1



!!!!!





of 846


R5#ping 101.1.1.1



!!!!!


R4#ping 101.1.1.1



!!!!!


R4#ping 192.168.102.100




R5#ping 192.168.101.100



!!!!!


R5#pin

R5#ping 101.1.1.1



!!!!!





of 846


Chapter 21


Context

Context Requirement

Context Use

Advantages

Limitations

Context Terminology

Context




of 846


We can partition an appliance in many virtual appliances these virtual appliances are called security

context.

Assume you are running a company that provides web host services and you have 200 clients. Now

the client demands that we require a dedicated appliance for our servers. To fulfil client

requirements we have to purchase 200 appliance. 200 appliance are very costly. So virtual context

solve this problem.

Active-Active failover

Web Hosting Companies

Companies needing more than one firewall on a single location

Cost Saving

Eco-Friendly or Go Green

No dynamic routing

No VPN

But in ASA OS 9.2.2.4

They also support Dynamic routing & IPsec site-site VPN

Context

Requirement

Context Use

Advantages

Limitations in context till OS 8.6




of 846


System Area

Admin Context

Context Channing

Shared Interface

When an appliance boots in multiple mode than you will find yourself in system area.

Functions

It is used to create or delete context

It is used to enable physical interfaces

It is used to create or delete logical interfaces

It is used to allocate resources to context

When an appliance boot in multiple mode admin context is default created.

It is used for appliance management. When appliance is in multiple mode there should be one admin

context. it is used for appliance management.

We can connect one context to another i.e. called context Channing. It is only possible with shared

interface.

When we call one interface in more than one context that interface is called shared interface.

Context Terminology

System Area

Admin Context

Context Channing

Shared Interface




of 846


Mac Address auto

A command use with only shared interface to avoid mac problems because one interface has one

mac when we use shared interface one interface is shared in multiple context. Both context will use

same mac when a packet will arrive a physical interface classifier will confused to classify frame. To

solve this problem we use Mac Address auto is command that automatically generate mac for eachshared interface.

Diagram:-

Initial-config

ASA_Context

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdownip route 0.0.0.0 0.0.0.0 192.168.102.1




of 846


R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

ASA1

ASA1(config)# mode multiple

WARNING: This command will change the behavior of the device

WARNING: This command will initiate a Reboot

Proceed with change mode? [confirm]

Convert the system configuration? [confirm]

!The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash

Security context mode: multiple

ASA1(config)#

ASA1(config)# sh modeSecurity context mode: multiple


no shutdown


no shutdown


no shutdown


no shutdown

context c1

context c2

context c1

allocate-interface GigabitEthernet0/0


config-url disk0:/c1.cfg

!

context c2







of 846


!

ASA1

ASA1(config-ctx)# changeto context c1

changeto context c1

interface gigabitEthernet 0/0no shu

nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu


ASA1/c1(config)# ping 192.168.101.100Type escape sequence to abort.


!!!!!


ASA1/c1(config)# ping 102.1.1.1



!!!!!


ASA1(config)# changeto context c2interface gigabitEthernet 0/2

no shu

nameif inside

ip add 192.168.102.1


no shu

nameif outside

ip add 102.1.1.100 255.255.255.0

no shu




!!!!!


ASA1/c2(config)# pin




!!!!!


ASA1




of 846


changeto context c1




R1#ping 101.1.1.1



!!!!!


ASA1/c1(config)# sh xlate




NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0flags sIT idle 0:00:07 timeout 0:00:00


0:00:30

ASA1/c1(config)# changeto context c2

changeto context c2




R2#ping 101.1.1.1



!!!!!





s - static, T - twice, N - net-to-netNAT from outside:0.0.0.0/0 to inside:0.0.0.0/0

flags sIT idle 0:00:07 timeout 0:00:00


0:00:30




of 846


ASA_inter-context_routing

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown





of 846



no shutdown


no shutdown

interface gigabitEthernet 0/2no shutdown

context c1




!

context c2


allocate-interface GigabitEthernet0/2config-url disk0:/c2.cfg

!

ASA1(config)# mac-address auto

INFO: Converted to mac-address auto prefix 60035

ASA1(config)# changeto context c1

ASA1/c1(config)#

changeto context c1


nameif outside

ip add 101.1.1.101 255.255.255.0

no shu


no shu

nameif inside

ip add 192.168.101.1




!!!!!






!!!!!


changeto context c2




of 846



no shu

nameif outside

ip add 101.1.1.102 255.255.255.0

no shu


nameif inside

ip add 192.168.102.1


ASA1/c2(config)# ping 192.168.102.100








!!!!!


R3#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 101.1.1.1 - 44e4.d987.ecde ARPA FastEthernet0/0Internet 101.1.1.100 22 6c20.56bd.ea84 ARPA FastEthernet0/0

Internet 101.1.1.101 1 a283.ea00.0002 ARPA FastEthernet0/0

Internet 101.1.1.102 0 a283.ea00.0006 ARPA FastEthernet0/0

Internet 102.1.1.1 - 44e4.d987.ecdf ARPA FastEthernet0/1

Internet 102.1.1.100 21 6c20.56bd.ea85 ARPA FastEthernet0/1


ASA1/c1(config)# route outside 192.168.102.0 255.255.255.0 101.1.1.102

access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0access-group out in interface outside


ASA1/c2(config)# route outside 192.168.101.0 255.255.255.0 101.1.1.101

access-list out permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0


R1#ping 192.168.102.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!




of 846


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.101.100 repeat 100


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!





of 846


Chapter 22


Failover

Failover Types

Failover Implementation types

Failover System Requirements

The Failover and Stateful Failover Links

Device Initialization and configuration

Failover Behaviour

Failover Triggers Stateless (Regular) and Stateful Failover

Things not replicated during failover

Failover Health Monitoring

Interface Monitoring

Failover configuration limitation

Failover




of 846


A cisco proprietary feature it provides us uninterrupted network access.

Stateless Failover

Hardware Failover

State full Failover

Stateless failover provides logical redundancy. If primary link goes down secondary path is used.

When failover was introduced only Hardware Failover was supported. It provides hardware

redundancy & configuration replication. If failover occur we have to re-establish the connection.

Failover

Failover types

Stateless

Hardware Failover




of 846


It not only provides hardware redundancy but also configuration replication ARP table replication,

Xlate replication, VPN connection replication, conn table replication. if failover occur there is no

need to re-establish the connection.

Active-Standby

Active-Active

In active-standby failover we require two appliances. One primary, another secondary. Primary will

works as an active secondary will works as standby. If primary goes down secondary will take role.

OR

With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby

state. Active/Standby failover is available on units running in either single or multiple context mode.

State full Failover

Failover Implementation types

Active-Standby




of 846


In active-active failover we require two appliances & two security context or even context . Each

appliance will active for one context. With Active/Active failover, both units can pass network traffic.

Active/Active failover is available only on units running in multiple context mode.

Note: - Both failover configurations support stateful or stateless (regular) failover.

Hardware Requirements

Software Requirements

License Requirements

Active-Active

Failover System Requirements




of 846


The two units in a failover configuration must have the same hardware configuration. They must be the same model

They must have the same number and types of interfaces

The same amount of RAM

The same SSMs installed (if any).

Note: - The Exception is Flash memory. If using units with different Flash memory sizes in your

failover configuration, make sure the unit with the smaller Flash memory has enough space to

accommodate the software image files and the configuration files. Otherwise configuration

synchronization will fail.

The two units in a failover configuration must be in the operating modes. They software version.

However, you can use different versions of the software during an upgrade process

For ASA 5510, 5512 you need Security Plus License.

The two units in a failover pair constantly communicate over a failover link and Stateful Failover to

determine the operating status of each unit.

Like:-

The unit state (active or standby).

Hello messages (keep-alives).

Network link status.

MAC address exchange. Configuration replication and synchronization.

Hardware Requirements

Software Requirements

License Requirements

The Failover and Stateful Failover Links




of 846


Caution: - All information sent over the failover and Stateful Failover links is sent in clear text

unless you secure the communication with a failover key.

Types:-

LAN-Based Failover Link Serial Cable Failover Link (PIX Security Appliance Only)

You can use any unused Ethernet interface on the device as the failover link.

Using a switch, with no other device on the same network segment (broadcast domain or

VLAN) as the LAN failover interfaces of the ASA

Using a crossover Ethernet cable to connect the appliances directly

Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a

crossover cable or a straight-through cable. If you use a straight-through cable, the interface

automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

The serial Failover cable, or “cable-based failover,” is only available on the PIX 500 series security.

One end of the cable is labeled “Primary”. The unit attached to this end of the cable automatically

becomes the primary unit. The other end of the cable is labeled “Secondary”.

The benefits of using cable-based failover include

Immediately detect a power loss

No need of dedicated switch

The disadvantages include:

Distance limitation.

Slower configuration replication.

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. Youhave three options for configuring a Stateful Failover link:

LAN-Based Failover Link

Serial Cable Failover Link (PIX Security

Appliance Only)

Stateful Failover Link




of 846


You can use a dedicated Ethernet interface for the Stateful Failover link.

If you are using LAN-based failover, you can share the failover link.

You can share a regular data interface. However, this option is not recommended.

Note:-

Enable the Port Fast option on Cisco switch ports that connect directly to the security

appliance. Using a data interface as the Stateful Failover interface is only supported in single context,

routed mode.

In multiple context mode, the Stateful Failover link resides in the system context

If both units boot simultaneously, then the primary unit becomes the active unit and the

secondary unit becomes the standby unit. If a unit boots and does not detect a peer, it becomes the active unit.

If a unit boots and detects a peer already running as active, it becomes the standby unit.

The primary unit MAC addresses are always coupled with the active IP addresses. The

exception to this rule occurs when the secondary unit is active

To solve this problem define static mac

The unit has a hardware failure.

The unit has a power failure.

The unit has a software failure.

The no failover active or the failover active command is entered

Interface Down

Stateless (Regular)

Stateful Failover

Device Initialization and Configuration

Failover Behaviour

Failover Triggers

Stateless (Regular) and Stateful Failover




of 846


Stateless (Regular) Failover

When a failover occurs, all active connections are dropped. Clients need to re-establish connections

when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state

information to the standby unit.

OS images

Any-connect Images

CSD images

ASMD Images

Smart Tunnels

Port Forwarding

Plugins

Java Applets

Pv6 clientless or Anyconnect sessions

Citrix authentication (Citrix users must reauthenticate after failover)

Unit Health Monitoring


The security appliance determines the health of the other unit by monitoring the failover link. When

a unit does not receive three consecutive hello messages on the failover link, the unit sends

interface hello messages on each interface, including the failover interface, to validate whether or

not the peer interface.

If the security appliance receives a response then it does not fail over.

Following things not replicated during

failover

Failover Health Monitoring





of 846


If the security appliance does not receive a response on the failover link, but receives a

response on another interface, then the unit does not failover.

The failover link is marked as failed. You should restore the failover link as soon as possible

because the unit cannot fail over to the standby while the failover link is down.

If the security appliance does not receive a response on any interface, then the standby unit

switches to active mode and classifies the other unit as failed.

1. Link Up/Down test

2. Network Activity test

3. ARP test

4.

Broadcast Ping test

Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the

interface is operational, then the security appliance performs network tests.

Network Activity test—A network activity test. The unit counts all received packets for up to 5

seconds. If no traffic is received, the ARP test begins

ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. The unit counts

all received traffic for up to 5 seconds. no traffic has been received, the ping test begins.

Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit thencounts all received packets for up to 5 seconds.

Failover Result Failover Response

Both don't receives No failover

Both receives No failover

Primary receives, Secondary doesn't No failover

Primary doesn't, Secondary does failover

You cannot configure failover with the following type of IP addresses:

IP addresses obtained through DHCP

IP addresses obtained through PPPoE

IPv6 addresses


Failover Configuration Limitations




of 846


Additionally, the following restrictions apply:

Stateful Failover is not supported on the ASA 5505 adaptive security appliance.

Active/Active failover is not supported on the ASA 5505 adaptive security appliance.

You cannot configure failover when Easy VPN remote is enabled on the ASA 5505 adaptive

security appliance. CA server is not supported.

Diagram:-

ASA_active_standby

Initial-config

R1

int fastEthernet 0/0

no shutdown

ip add 192.168.10.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

R2


no shutdown

ip add 192.168.20.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.20.1



1024

line vty 0 90





of 846


login local

exit

ip http server


ip http au local


R3

interface f0/0

no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

no shutdown

ASA1


nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

!


nameif outside

security-level 0


!interface GigabitEthernet0/2

nameif dmz

security-level 50


!

ASA1(config-if)# route outside 0 0 101.1.1.1

ASA1(config)# ping 192.168.10.100




ASA1(config)# ping 192.168.20.100



!!!!!


ASA1(config)# ping 192.168.101.100



?!!!!





of 846


ASA1


subnet 192.168.10.0 255.255.255.0

object network dmzhost 192.168.20.100

object network ip111

host 101.1.1.111

nat (dmz,outside) source static dmz ip111


access-list out extended permit icmp any object inside

access-list out extended permit icmp any object dmz

access-list out extended permit tcp any object dmz eq ssh

access-list out extended permit tcp any object dmz eq telnetaccess-list out extended permit tcp any object dmz eq www

access-list out extended permit tcp any object dmz eq https


R3#debug ip icmp


R1#ping 101.1.1.1


!!!!!


R2#ping 101.1.1.1



.!!!!


R3#debug ip icmp


R3#






R3#


R3#





of 846








of 846


ASA1

failover lan unit primary

failover lan interface shiva GigabitEthernet0/3

failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2

failover

ASA2interface gigabitEthernet 0/3

no shu

failover lan unit secondary

failover lan interface shiva g0/3


failover

ASA2(config)# Beginning configuration replication from mate.

End configuration replication from mate.

ASA1ASA1(config)# ! State full failover

ASA1(config)# failover link shiva

ASA1(config)# ! http replication

ASA1(config)# failover replication http

ASA1(config)# ! change timers

ASA1(config)# failover polltime msec 200

INFO: Failover unit holdtime is set to 800 milliseconds

ASA1(config)# failover polltime unit msec 200

INFO: Failover unit holdtime is set to 800 milliseconds




of 846


ASA1(config)# ! failover key

ASA1(config)# failover key shiva

ASA1(config)# ! failover mac

ASA1(config)# failover mac address inside 0000.0000.0001 0000.0000.0002

ASA1(config)# failover mac address outside 0000.0000.0003 0000.0000.0004ASA1(config)# failover mac address dmz 0000.0000.0005 0000.0000.0006

Please clear arp on all devices..................thanks

ASA1

ASA1(config)# sh failover

Failover On

Failover unit PrimaryFailover LAN Interface: shiva GigabitEthernet0/3 (up)

Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 114 maximum

MAC Address Move Notification Interval not set

failover replication http

Version: Ours 9.2(2)4, Mate 9.2(2)4

Last Failover at: 16:07:52 UTC Oct 4 2014

This host: Primary - Active

Active time: 296 (sec)slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)

Interface inside (192.168.10.1): Normal (Monitored)

Interface outside (101.1.1.100): Normal (Monitored)

Interface dmz (192.168.20.1): Normal (Monitored)

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)




Stateful Failover Logical Update Statistics

Link : shiva GigabitEthernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 41 0 29 0

sys cmd 29 0 29 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 4 0 0 0

ARP tbl 6 0 0 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0




of 846


VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0



VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

Route Session 0 0 0 0

Router ID 0 0 0 0

User-Identity 2 0 0 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 30

Xmit Q: 0 282 718

ASA2


Failover On

Failover unit Secondary

Failover LAN Interface: shiva GigabitEthernet0/3 (up)

Unit Poll frequency 200 milliseconds, holdtime 800 millisecondsInterface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1






This host: Secondary - Standby Ready



Interface inside (192.168.10.2): Normal (Monitored)Interface outside (101.1.1.101): Normal (Monitored)


Other host: Primary - Active












of 846


General 42 0 56 0

sys cmd 42 0 42 0

up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 0 0 6 0ARP tbl 0 0 6 0


IPv6 ND tbl 0 0 0 0






VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0Route Session 0 0 0 0

Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0

STS Table 0 0 0 0


Cur Max TotalRecv Q: 0 12 784

Xmit Q: 0 1 42

ASA1(config)# ! ASA2

ASA1(config)# fa

ASA1(config)# failover a

ASA1(config)# failover active

Switching to Active

ASA1 or on Active applicance



encryption 3des

group 2









of 846



sh history




address-pool admintunnel-group admin ipsec-attributes



object network admin

subnet 192.168.100.0 255.255.255.0

exit


nat (inside,outside) 1 source static inside inside destination static admin admin

PC1

ASA2

ASA1(config)# failover active

Switching to Active




of 846





of 846



System config has been modified. Save? [Y]es/[N]o: n

Proceed with reload? [confirm]

ASA1(config)#


Failover On





Interface Policy 1




of 846







This host: Secondary - ActiveActive time: 11 (sec)


Interface inside (192.168.10.1): Normal (Waiting)

Interface outside (101.1.1.100): Normal (Waiting)

Interface dmz (192.168.20.1): Normal (Waiting)

Other host: Primary - Failed


slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)

Interface inside (192.168.10.2): Unknown (Monitored)

Interface outside (101.1.1.101): Unknown (Monitored)

Interface dmz (192.168.20.2): Unknown (Monitored)


PC1




of 846


ASA_Active_Active

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

R3


no shutdown




of 846


ip add 101.1.1.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdownASA1


no shutdown


no shutdown


no shutdown


no shutdown


no shutdown

class c1

limit-resource Conns 50.0%

limit-resource Xlates 65000

limit-resource Mac-addresses 45.0%

limit-resource VPN Other 125

!

class c2


limit-resource Xlates 65000limit-resource Mac-addresses 45.0%


!

context c1

member c1




!

context c2

member c2




!

ASA1(config)# changeto context c1

changeto context c1


nameif inside




of 846


ip add 192.168.101.1 255.255.255.0 standby 192.168.101.2


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0 standby 101.1.1.101


ASA1/c1(config)# ping 192.168.101.100



!!!!!








changeto context c2


no shu

nameif inside

ip add 192.168.102.1 255.255.255.0 standby 192.168.102.2



ip add 102.1.1.100 255.255.255.0 standby 102.1.1.101


ASA1/c2(config)# ping 192.168.102.100



!!!!!





!!!!!


changeto context c1




R1#ping 101.1.1.1




of 846




!!!!!






NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0



0:00:30

changeto context c2




R2#ping 101.1.1.1



!!!!!









0:00:30

ASA1(config)# changeto system

Active-standby failover in multiple mode

ASA1




failover




of 846


ASA2


no shutdown

failover lan unit secondary


failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2failover

ASA2(config)# .

Detected an Active mate

Beginning configuration replication from mate.

Removing context 'admin' (1)... Done

INFO: Admin context is required to get the interfaces

INFO: Admin context is required to get the interfaces

Creating context 'admin'... Done. (2)

WARNING: Skip fetching the URL disk0:/admin.cfg

INFO: Admin context will take some time to come up .... please wait.

Creating context 'c1'... Done. (3)

WARNING: Skip fetching the URL disk0:/c1.cfg

Creating context 'c2'... Done. (4)

WARNING: Skip fetching the URL disk0:/c2.cfg

End configuration replication from mate.

ASA1


Failover On

Failover unit Primary


Unit Poll frequency 1 seconds, holdtime 15 seconds


Interface Policy 1



Version: Ours 9.2(2)4, Mate 9.2(2)4Last Failover at: 14:59:26 UTC Oct 4 2014




c1 Interface inside (192.168.101.1): Normal (Monitored)

c1 Interface outside (101.1.1.100): Normal (Monitored)










of 846






Link : Unconfigured.

ASA2


Failover On





Interface Policy 1

Monitored Interfaces 4 of 114 maximumMAC Address Move Notification Interval not set



This host: Secondary - Standby Ready







Other host: Primary - ActiveActive time: 169 (sec)







Link : Unconfigured.

ASA1

ASA1(config)# ! state full failover

ASA1(config)# failover link shiva


Failover On





Interface Policy 1





of 846







slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)c1 Interface inside (192.168.101.1): Normal (Monitored)














General 9 0 2 0

sys cmd 4 0 4 0

up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 4 0 0 0Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0






VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0

Route Session 0 0 0 0Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0

STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 3 4

Xmit Q: 0 3 50




of 846


ASA2


Failover On





Interface Policy 1




Last Failover at: 09:15:12 UTC Oct 4 2014This host: Secondary - Standby Ready










c1 Interface inside (192.168.101.1): Normal (Monitored)c1 Interface outside (101.1.1.100): Normal (Monitored)






General 6 0 13 0

sys cmd 6 0 6 0

up time 0 0 0 0

RPC services 0 0 0 0TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 0 0 4 0


IPv6 ND tbl 0 0 0 0






VPN SDI upd 0 0 0 0





of 846


SIP Session 0 0 0 0


Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 4 87

Xmit Q: 0 1 6

ASA1

ASA1(config)# ! to replicate httpASA1(config)# failover replication http

ASA1

! TO change timers

failover polltime msec 200

failover polltime unit msec 200

ASA1

ASA1(config)# failover key shiva

To configure Active-Active failover please disable failover

ASA2

no failover

ASA1

no failover

ASA1 primary

failover group 1

primarypreempt

failover group 2

secondary

preempt

context c1

join-failover-group 1

context c2





of 846


ASA1

failover

ASA2

failover

ASA1


Failover On





Interface Policy 1




Group 1 last failover at: 15:13:11 UTC Oct 4 2014


This host: Primary

Group 1 State: Active


Group 2 State: Standby Ready







Other host: Secondary



Group 2 State: ActiveActive time: 79 (sec)









General 96 0 62 2




of 846


sys cmd 64 0 62 0

up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 12 0 0 0


IPv6 ND tbl 0 0 0 0






VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0



CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0

STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 3 104Xmit Q: 0 5 1073

ASA2


Failover On





Interface Policy 1Monitored Interfaces 4 of 114 maximum






This host: Secondary








of 846







Other host: Primary








c2 Interface inside (192.168.102.2): Normal (Monitored)c2 Interface outside (102.1.1.101): Normal (Monitored)




General 67 0 97 0

sys cmd 65 0 65 0

up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 0 0 12 0ARP tbl 0 0 8 0


IPv6 ND tbl 0 0 0 0






VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0Route Session 2 0 0 0

Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0

STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 5 1040




of 846


Xmit Q: 0 1 121

ASA1

ASA1(config)# prompt hostname context state

ASA1/act(config)#

ASA1/act(config)# changeto context c1

ASA1/c1/act(config)#

ASA1/c1/act(config)# changeto context c2

ASA1/c2/stby(config)#

ASA2

ASA1/stby(config)#

ASA1/stby(config)# changeto context c

ASA1/stby(config)# changeto context c1

ASA1/c1/stby(config)#ASA1/c1/stby(config)# changeto context c2

ASA1/c2/act(config)#

R1#ping 101.1.1.1



!!!!!


R2#ping 101.1.1.1



!!!!!


ASA1/c1/act(config)# sh xlate



s - static, T - twice, N - net-to-netNAT from outside:0.0.0.0/0 to inside:0.0.0.0/0



0:00:30

ASA2

ASA1/c2/act(config)# sh xlate







of 846





0:00:30

ASA1/act(config)# ! to save config

ASA1/act(config)# write memory all

ASA1/act(config)# mode single




Security context mode: single

***


****** Message to all terminals:

***

*** change mode

Shutting down isakmp

Shutting down sw-module

Shutting down License Controller

Shutting down File system

****** --- SHUTDOWN NOW ---

***

*** Message to all terminals:

***

*** change mode

ASA2

ASA1/act(config)# sh failover

Failover On


Failover LAN Interface: shiva GigabitEthernet0/4 (up)Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds


Interface Policy 1












of 846






c1 Interface inside (192.168.101.1): Normal (Waiting)c1 Interface outside (101.1.1.100): Normal (Waiting)

c2 Interface inside (192.168.102.1): Normal (Waiting)

c2 Interface outside (102.1.1.100): Normal (Waiting)

Other host: Primary

Group 1 State: Failed


Group 2 State: Failed


slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)c1 Interface inside (192.168.101.2): Unknown (Monitored)

c1 Interface outside (101.1.1.101): Unknown (Monitored)

c2 Interface inside (192.168.102.2): Unknown (Monitored)

c2 Interface outside (102.1.1.101): Unknown (Monitored)




General 150 0 180 0

sys cmd 146 0 146 0

up time 0 0 0 0RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 0 0 12 0

ARP tbl 2 0 10 0


IPv6 ND tbl 0 0 0 0





VPN CTCP upd 0 0 0 0VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0


Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0

STS Table 0 0 0 0




of 846



Cur Max Total

Recv Q: 0 5 2072

Xmit Q: 0 1 495

R1#ping 101.1.1.1



!!!!!


R2#ping 101.1.1.1




ASA1(config)# ! TO save config

ASA1(config)# write memory all




of 846


Chapter 23


MPF Function


Connection restriction


Traffic Policing

MPF Components

Class Map

Policy Map Service Policy

DCE

SUN RPC

ILS

NET BIOS

IPSec-Pass_throu

XDMCP

ICMP Inspection

FTP Modes SMTP

DNS

TFTP

HTTP

RSH

SQL .NET

SIP

SCCP

CTIQBE

MGCP

Modular Policy Framework




of 846


Moduler Policy Framework

It provide us following Features:


Connection Restriction Traffic Priortization

Traffic Policing


Using this feature we can configure the Cisco Appliance that which protocol should be add in state

table along with TCP & UDP, For example ICMP. Using inspection of connection we can make ICMP

as a stateful traffic.

Connection Restriction

Using connection restriction we can set per protocol max-conn, per-client-max conn, max-embronic

conn, per-client embronic connection etc.


Using this feature we can give priority to delay sensitive data like voice traffic or vpn traffic.

Traffic Policing

Using this feature we can police incoming & outgoing traffic limit on an interface.

MPF Components

Class-map

Policy-map

Service-policy

Class-map types

L3/L4 Class-map

L7 Class-map

Regex Class-map

Policy-map types

L3/L4 Class-map

L7 Class-map

Serive-policy

It can be called on a specific interface or globally.




of 846


Default_inspected_protocols in version os 9.2.2.4

FTP

DNS

H.323 RAS

H.323 225RSTP

RSH

SIP

SCCP

SQL.NET

SUN RPC

ESMTP

TFTP

NETBIOS

XDMCP

IP_OPTION

DCE (Distributed Computing Environment)

A protocols it is used by programmers to make softwares. It allow software to work over multiple

systems , But it appear that software is working on a single system. It use TCP Port 135

By default it is not inspected by cisco appliance if any company is using it we have to inspect it.

class-map class_default

match default_inspection

policy-map global_policy

class class_default

inspect dce

service-policy global_policy global

SUN RPC

It was developed by sun . It is useed by NFS (Network File System) for file sharing.

By default it is inspected by appliance. it use TCP port 111




class class_default

inspect sunrpc





of 846


ILS (Internet Locater Service)

It protocol is used by microsoft active directory , netmetting . This protocol allow systems to gather

the information which is required to communicate with other system in a domain.

By default it is not inspect by appliance . it use TCP por 389.If AD or netmetting is not working properly we have to inspect it




class class_default

inspect ils


NET BIOS

This protocol is used in older OS for name resolution. name to ip or ip to name.

By default it is inspected by appliance . It use UDP port 137, 138

If you are not using it you can remove it from inspected protocol list



policy-map global_policyclass class_default

no inspect netbios


IPsec-Pass-Throu

When a vpn client establish vpn session it establish 2 connection per protocols ESP or AH.

But By default no limitation , They can establish more than 2 connection , to solve this problem

appliance as a feature ipsec-pass-throu using this we can set per client ESP or AH max connection.

It use UDP port 500.

policy-map type inspect ipsec-pass-thru l7-ipsec-pass-thru

parameters

esp per-client-max 2

ah per-client-max 2


class default_class

inspect ipsec-pass-thru l7-ipsec-pass-thru





of 846


XDMCP ( X Display Manager Protocol)

When the PC was came in this world . it was very costly so a solution was developed by UNIX

X-Dispaly, in this solution we use a diskless client & A X Server. It is By default inspected.

Working:-When client bootup it use UDP dynamic port & hit to UDP 177 of X server . this is called

management connection . after management connection client use TCP & hit to TCP 6000 for display

if there is an outbound connection nothing to do

Higher to lower nothing to do.

Client UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>UDP 177 Server

Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 6000 Server

Lower to Higher connection

we have to open acl for UDP 177

Plus establish keyword

class-map default

match default-inspection-traffic

policy-map shiva

class default

inspect xdmcp

service-policy shiva global

ICMP

This protocol is use for connectivity checking. but it could be used to overload a server with ICMP

traffic i.e. it is inspected by appliance. it use ip protocol no 1.

if you want you can configure it as an inspected traffic.

class-map shiva_class


policy-map shiva_policy

class shiva_class

inspect icmp

inspect icmp error

service-policy shiva_policy global




of 846


FTP

This protocol is use for file transfering. it use TCP port 21

it has two modes

class-map defaultmatch default-inspection-traffic

policy-map shiva

class default

inspect ftp


Modes

Active mode

Passive mode

Active mode working

Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 21 Server

Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 20 Server

Higher to lower insection

Lower to higher only ACL

Passive mode working

Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 21 Server

Client TCP 1024<<<<<<<<hit 4321 for data<<<<<<<<<<<<<<<<<<<<<TCP 21 Server


Higher to lower nothing to do

Lower to higher Acl Plus Inspection

SMTP

It is used to send mail . it use TCP port 25. Appliance has capability to apply deeper inspection of

SMTP. like SMTP Boby Length.

Working


Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 25 Server

access-list smtp-limit permit tcp any any eq 25

class-map smtp

match access-list smtp-limit




of 846


policy-map type inspect esmtp l7-esmtp

parameters

match body length gt 1000

drop-connection

policy-map shivaclass smtp

inspect esmtp l7-esmtp


DNS

Domain Name System use for name resolution . it use TCP or UDP port 53.

DNS Inspection Features

DNS Gurad DNS Doctoring

DNS Query Length

DNS Gurad

it allow only first reply of DNS query

DNS Doctoring

This feature enale appliance to translate inside inside query with another ip address used on another

interface.

commands

static (inside,outside) interface 192.168.101.53 dns

DNS Query Length

By default DNS query lenght is 512 bytes we can extend it

Default inspected by appliance.

static (inside,outside) interface 192.168.101.53 dns

policy-map type inspect dns l7-dns

parameters

dns-guard

nat-rewrite

protocol-enforcement

message-length maximum 1024

exit

ex

class-map default


policy-map shiva

class default

inspect dns l7-dns





of 846


TFTP

Used for backup & upgrade network aplliance it use UDP port 69

Default inspected

Working

Client UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>UDP 69 Server

Client UDP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<UDP 1234 Server

Higher to ower inspection

Lower to higher ACL

HTTP

Used for web browsing it use TCP port 80. Appliance has capabilities to block http site using name &

ip address.

regex fb \.facebook\.com

regex 420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

class-map type regex match-any rs

match regex fb

match regex 420

policy-map type inspect http l7-http

parameters

match request header host regex class rs

reset

access-list http permit tcp any any eq 80

class-map http-class

match access-list http

policy-map shiva

class http-class

inspect http l7-http


RSHUsed in Unix for remote terminal. it use TCP port 514

working

Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 514 Server

Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 1024 Server

Higher to lower inspection

Lower to higher ACL

Default Inspected.




of 846


SQL.NET

Used by oracal database use TCP port 1521 default inspected.

Working

Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 1521 ServerClient TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 1521 Server

Higher to lower nothing

Lower to higher Acl

SIP/SCCP/CTIQUBE (TCP-UDP-5060/TCP-2000/TCP-2748)

These protocols used to establish voip call

Clinet IP Phone TCP/UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>5060/2000/2748 Server

Client IP Phone UDP 1025>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>voice Server

Client IP Phone UDP 1026>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>synch Server

Higher to lower nothing to do

Lower to higher ACL Plus inspection

MGCP

Used by VOIP gateway to call-manager

Working

Gateway UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>UDP 2427 Server

Gateway UDP 2727<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<UDP 1024 Server

Higher to lower inspection

Lower to higher ACL Plus Inspection




of 846


Diagram:-

Initial-config

R1



no shutdown

int f0/1

no shutdown

ip add 192.168.101.1 255.255.255.0

ip add 192.168.106.1 255.255.255.0 secondary

router ei 100

no auto-summary

net 0.0.0.0

R2

interface fastEthernet 0/0no sh

ip add 192.168.10.100 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1



1024

line vty 0 90


login local

exit





of 846


R3

interface Loopback1

ip address 1.1.1.1 255.255.255.255

!

interface Loopback2

ip address 2.2.2.2 255.255.255.255!

interface Loopback3

ip address 3.3.3.3 255.255.255.255

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.30

encapsulation dot1Q 30ip address 101.1.1.1 255.255.255.0

!


encapsulation dot1Q 50

ip address 102.1.1.1 255.255.255.0

!


encapsulation dot1Q 60

ip address 103.1.1.1 255.255.255.0

!

interface FastEthernet0/1ip address 192.168.104.1 255.255.255.0

ip http server




R4


no shutdown


ip route 0.0.0.0 0.0.0.0 192.168.20.1

ip http server




R5


no shutdown

ip add 102.1.1.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 102.1.1.1




of 846


ip dns server

ip host www.cisco.com 101.1.1.111

ip host www.abc.com 101.1.1.222

ip host www.google.com 1.1.1.1

ip host www.facebook.com 2.2.2.2

ip host www.gmail.com 3.3.3.3

R6


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1


nameif insidesecurity-level 100

ip address 192.168.1.2 255.255.255.0

!


nameif dmz1

security-level 60

ip address 192.168.10.1 255.255.255.0

!


nameif outside


!


nameif dmz2

security-level 50

ip address 192.168.20.1 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

router eigrp 100

network 192.168.1.0 255.255.255.0redistribute static metric 1 1 1 1 1

ASA1(config)# ping 192.168.101.100



!!!!!


ASA1(config)# ping 192.168.106.100



!!!!!





of 846


ASA1(config)# ping 192.168.10.100



!!!!!




!!!!!


ASA1(config)# ping 192.168.104.100



!!!!!




!!!!!





!!!!!


ASA2



!!!!!


ASA2(config)# pin

ASA2(config)# ping 192.168.104.100



!!!!!




!!!!!





!!!!!


ASA1

object network R2




of 846


host 192.168.10.100

object network R4

host 192.168.20.100

object network www.cisco.com

host 101.1.1.111

object network www.abc.comhost 101.1.1.222

nat (dmz1,outside) source static R2 www.cisco.com

nat (dmz2,outside) source static R4 www.abc.com


ASA1(config)# sh running-config class-map

!

class-map inspection_default


!

ASA1(config)# sh running-config policy-map

!

policy-map type inspect dns preset_dns_map

parametersmessage-length maximum client auto



class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtpinspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

ASA1(config)# sh running-config service-policy





of 846


ASA1(config)# clear configure service-policy

!

ASA1(config)# clear configure policy-map

!

ASA1(config)# clear configure class-map

!!

ASA1

ASA1(config)# class-map shiva_class

ASA1(config-cmap)# match default-inspection-traffic

ASA1(config-cmap)# policy-map shiva_policy

ASA1(config-pmap)# class shiva_class

ASA1(config-pmap-c)# inspect icmp

ASA1(config-pmap-c)# inspect icmp error

ASA1(config-pmap-c)# service-policy shiva_policy global

R3#debug ip icmp


R1#ping 101.1.1.1








!!!!!


R2#ping 101.1.1.1



!!!!!


R4#ping 101.1.1.1



!!!!!





of 846


R3#debug ip icmp


R3#





R3#






R3#

*Oct 8 07:07:01.019: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10*Oct 8 07:07:01.771: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10

R3#

*Oct 8 07:07:02.519: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10

R3#






R3#





ASA1(config)# ! Open ACL for www.cisco.com

ASA1(config)# ! Open ACL for www.abc.com

ASA1(config)# ! So that Internet-Users can ping www.cisco.com ,www.abc.com

ASA1(config)# access-list out permit icmp any object R2

ASA1(config)# access-list out permit icmp any object R4


R3

R3(config)#ip domain-lookup

R3(config)#ip name-server 102.1.1.100

R3#ping www.cisco.com

Translating "www.cisco.com"...domain server (102.1.1.100) [OK]






of 846


!!!!!


R3#ping www.abc.com

Translating "www.abc.com"...domain server (102.1.1.100) [OK]



!!!!!


PC 192.168.104.100




of 846


ASA1

ASA1(config)# access-list out permit tcp any object R2 eq 22








of 846


ASA1

access-list telnet-limit permit tcp any object R2 eq 23

class-map telnet-class

match access-list telnet-limit


class telnet-class

set connection conn-max 123

set connection embryonic-conn-max 1

set connection per-client-max 2

set connection per-client-embryonic-max 1




of 846


ASA1



encryption aes

hash shagroup 5

lifetime 1800









crypto map test 10 match address 101crypto map test interface outside



subnet 192.168.101.0 255.255.255.0

object network s2s

subnet 192.168.102.0 255.255.255.0

nat (inside,outside) 1 source static inside inside destination static s2s s2s




of 846


ASA2



encryption aeshash sha

group 5

lifetime 1800








crypto map test 10 set peer 101.1.1.100crypto map test 10 match address 102



R1#ping 192.168.102.100 source fastEthernet 0/1 repeat 100




.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms

R6#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ASA1

!

priority-queue outside

class-map s2s-class

match tunnel-group 103.1.1.100


class s2s-class

priority




of 846


ASA1




of 846


ASA1

access-list traffic-limit deny ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0

access-list traffic-limit permit ip 192.168.101.0 255.255.255.0 any

class-map traffic-limit-class

match access-list traffic-limit


class traffic-limit-classpolice input 8000 conform-action transmit exceed-action drop

police output 8000 conform-action transmit exceed-action drop




of 846


FTP Inspection

outbound connection is working

check inbound connection


host 192.168.101.100

object service obj_ser_ftp

service tcp source eq 21


nat (inside,outside) 3 source static obj_net_192.168.101.100 interface service obj_ser_ftp

obj_ser_ftp

access-list out permit tcp any object obj_net_192.168.101.100 eq 21




of 846


not working

ASA1


class shiva_class

inspect ftp




of 846


SMTP


host 192.168.106.100

ex

object service obj_ser_smtp


object service obj_ser_pop3


ex

sh history

nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_smtpobj_ser_smtp

nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_pop3

obj_ser_pop3






of 846


192.168.106.100 is exchange server




of 846


GO on Internet User




of 846





of 846


access-list smtp-limit permit tcp any object obj_net_192.168.106.100 eq 25

class-map smtp-class

match access-list smtp-limit

policy-map type inspect esmtp l7-esmtp

match body length gt 10

drop-connection

policy-map shiva_policyclass smtp-class




of 846


inspect esmtp l7-esmtp




of 846


ASA1(config-pmap)# policy-map shiva_policy

ASA1(config-pmap)# class smtp-class

ASA1(config-pmap-c)# no inspect esmtp l7-esmtp




of 846





of 846


ASA1(config)# sh conn


UDP outside 10.0.0.255:137 inside 10.0.0.10:137, idle 0:00:13, bytes 25650, flags -

UDP outside 10.0.0.255:137 dmz1 10.0.0.10:137, idle 0:00:13, bytes 25800, flags -

UDP outside 102.1.1.100:53 inside 192.168.101.100:54918, idle 0:00:12, bytes 80, flags hUDP outside 102.1.1.100:53 inside 192.168.101.100:55714, idle 0:00:38, bytes 78, flags h

UDP outside 102.1.1.100:53 inside 192.168.101.100:63759, idle 0:00:53, bytes 84, flags h

UDP outside 102.1.1.100:53 inside 192.168.101.100:63597, idle 0:01:02, bytes 80, flags h






R3#ping www.abc.com




!!!!!


R1(config)#ip domain-lookup

R1(config)#ip name-server 102.1.1.100





.....

Success rate is 0 percent (0/5)R1#ping www.abc.com




.....





of 846


ASA1

policy-map type inspect dns l7-dns

parameters

dns-guard

nat-rewriteprotocol-enforcement



class shiva_class

inspect dns l7-dns


nat (dmz1,outside) source static R2 www.cisco.com dns

nat (dmz2,outside) source static R4 www.abc.com dns





!!!!!


R1#ping www.abc.com




!!!!!





of 846


R1#copy tftp: flash:

Address or name of remote host []? 192.168.104.100

Source filename []? svc.pkg

Destination filename [svc.pkg]?

Accessing tftp://192.168.104.100/svc.pkg...%Error opening tftp://192.168.104.100/svc.pkg (Timed out)

R1#

ASA1(config)# ! TFTP Inspection

ASA1(config)#

ASA1(config)# policy-map shiva_policy

ASA1(config-pmap)# class shiva_class

ASA1(config-pmap-c)# inspect tftp

R1#copy tftp: flash:

Address or name of remote host [192.168.104.100]?Source filename [svc.pkg]?

Destination filename [svc.pkg]?

Accessing tftp://192.168.104.100/svc.pkg...

Erase flash: before copying? [confirm]q

Loading svc.pkg from 192.168.104.100 (via FastEthernet0/0): !

%Error opening flash:svc.pkg (No space left on device)




of 846





of 846


regex fb \.facebook\.com

regex ip420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

class-map type regex match-any rs

match regex fb

match regex ip420

policy-map type inspect http l7-http

match request header host regex class rs

reset

ex


class shiva_class

inspect http l7-http




of 846





of 846



class shiva_class

inspect ils

inspect dcerpc

inspect sunrpc

inspect netbiosinspect xdmcp

inspect rsh

inspect sqlnet

inspect tftp

inspect sip

inspect skinny

inspect ctiqbe

inspect mgcp

policy-map type inspect ipsec-pass-thru l7-ipsec-pass-thruparameters

esp per-client-max 5

ah per-client-max 5

access-list ipsec-pass-acl permit udp any any eq 500

class-map ipsec-pass-class

match access-list ipsec-pass-acl


class ipsec-pass-classinspect ipsec-pass-thru l7-ipsec-pass-thru




of 846


Chapter 24


OSPFv3

Diagram:-

Initial-config

R1



no shutdownipv6 add 192:168:1::1/48

OSPFv3




of 846


!


ipv6 add 192:168:101::1/48

no shutdown

!

int lo1ipv6 add 172:10:1::1/48

int lo2

ipv6 add 172:10:2::1/48

int lo3

ipv6 add 172:10:3::1/48

int lo4

ipv6 add 172:10:4::1/48

int lo5

ipv6 add 172:10:5::1/48

int lo6

ipv6 add 172:10:6::1/48R2



no shutdown

ipv6 add 192:168:2::1/48

no shutdown

int lo1

ipv6 add 172:20:1::1/48

int lo2

ipv6 add 172:20:2::1/48

int lo3ipv6 add 172:20:3::1/48

int lo4

ipv6 add 172:20:4::1/48

int lo5

ipv6 add 172:20:5::1/48

int lo6

ipv6 add 172:20:6::1/48

R3




no shutdown

!


ipv6 add 192:168:103::1/48

no shutdown

!

int lo1

ipv6 add 172:30:1::1/48

int lo2

ipv6 add 172:30:2::1/48




of 846


int lo3

ipv6 add 172:30:3::1/48

int lo4

ipv6 add 172:30:4::1/48

int lo5

ipv6 add 172:30:5::1/48int lo6

ipv6 add 172:30:6::1/48

R4



no shutdown

ipv6 add 192:168:4::1/48

no shutdown

int lo1

ipv6 add 172:40:1::1/48

int lo2ipv6 add 172:40:2::1/48

int lo3

ipv6 add 172:40:3::1/48

int lo4

ipv6 add 172:40:4::1/48

int lo5

ipv6 add 172:40:5::1/48

int lo6

ipv6 add 172:40:6::1/48

ASA1interface GigabitEthernet0/0

nameif inside

security-level 100

no ip address

ipv6 address 192:168:1::2/48

!


nameif dmz1

security-level 60

no ip address

ipv6 address 192:168:2::2/48!


nameif outside

security-level 0

no ip address

ipv6 address 192:168:3::2/48

!


nameif dmz2

security-level 50

no ip address

ipv6 address 192:168:4::2/48




of 846


ASA1(config-if)# sh ipv6 int brief

inside [up/up]


192:168:1::2

dmz1 [up/up]fe80::6e20:56ff:febd:ea84

192:168:2::2

outside [up/up]


192:168:3::2

dmz2 [up/up]


192:168:4::2

ASA1(config-if)# ping 192:168:1::1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192:168:1::1, timeout is 2 seconds:

!!!!!





!!!!!




Sending 5, 100-byte ICMP Echos to 192:168:3::1, timeout is 2 seconds:!!!!!





!!!!!


R1

ipv6 router ospf 100router-id 1.1.1.1

exit


ipv6 ospf 100 area 1



int l1


int l2


int l3





of 846


int l4


int l5


int l6


R2

ipv6 router ospf 100

router-id 2.2.2.2

int f0/0


ipv6 router ei 100

no shutdown

int lo1

ip add 2.2.2.2 255.255.255.255

ipv6 eigrp 100int lo2

ipv6 eigrp 100

int lo3

ipv6 eigrp 100

int lo4

ipv6 eigrp 100

int lo5

ipv6 eigrp 100

int lo6

ipv6 eigrp 100

R3

ipv6 router os 100

router-id 3.3.3.3

int f0/0


int f0/1


int l1


int l2

ipv6 ospf 100 area 2int l3


int l4


int l5


int l6


R4





of 846


router-id 4.4.4.4

int f0/0


ipv6 router eigrp 200

router-id 4.4.4.4no sh

int l1

ipv6 eigrp 200

int l2

ipv6 eigrp 200

int l3

ipv6 eigrp 200

int l4

ipv6 eigrp 200

int l5

ipv6 eigrp 200int l6

ipv6 eigrp 200

ASA1


router-id 5.5.5.5

int g0/0


int g0/1


int g0/2ipv6 ospf 100 area 2

int g0/3


ASA1# sh ipv6 ospf neighbor

Neighbor ID Pri State Dead Time Interface ID Interface

2.2.2.2 1 FULL/DR 0:00:31 4 dmz1

1.1.1.1 1 FULL/DR 0:00:35 4 inside

3.3.3.3 1 FULL/DR 0:00:32 3 outside4.4.4.4 1 FULL/DR 0:00:33 3 dmz2

ASA1# sh ipv6 ospf database

OSPFv3 Router with ID (5.5.5.5) (Process ID 100)


ADV Router Age Seq# Fragment ID Link count Bits

2.2.2.2 162 0x80000003 0 1 None

5.5.5.5 161 0x80000001 0 1 B




of 846



ADV Router Age Seq# Link ID Rtr count

2.2.2.2 162 0x80000001 4 2

Inter Area Prefix Link States (Area 0)

ADV Router Age Seq# Prefix

5.5.5.5 151 0x80000002 192:168:101::/48

5.5.5.5 151 0x80000002 192:168:1::/48

5.5.5.5 141 0x80000001 192:168:103::/48

5.5.5.5 141 0x80000001 172:30:6::1/128

5.5.5.5 141 0x80000001 172:30:5::1/128

5.5.5.5 141 0x80000001 172:30:4::1/128

5.5.5.5 141 0x80000001 172:30:3::1/128

5.5.5.5 141 0x80000001 172:30:2::1/128

5.5.5.5 143 0x80000001 172:30:1::1/1285.5.5.5 143 0x80000001 192:168:3::/48

5.5.5.5 143 0x80000001 192:168:4::/48

Link (Type-8) Link States (Area 0)

ADV Router Age Seq# Link ID Interface

2.2.2.2 835 0x80000001 4 dmz1

5.5.5.5 162 0x80000001 4 dmz1

Intra Area Prefix Link States (Area 0)

ADV Router Age Seq# Link ID Ref-lstype Ref-LSID

2.2.2.2 163 0x80000001 4096 0x2002 4



1.1.1.1 166 0x80000007 0 1 None

5.5.5.5 160 0x80000002 0 1 B



1.1.1.1 166 0x80000001 4 2



5.5.5.5 153 0x80000001 192:168:2::/48

5.5.5.5 143 0x80000001 192:168:103::/48

5.5.5.5 143 0x80000001 172:30:6::1/128

5.5.5.5 143 0x80000001 172:30:5::1/128

5.5.5.5 143 0x80000001 172:30:4::1/128

5.5.5.5 143 0x80000001 172:30:3::1/128




of 846


5.5.5.5 143 0x80000001 172:30:2::1/128

5.5.5.5 143 0x80000001 172:30:1::1/128

5.5.5.5 143 0x80000001 192:168:3::/48

5.5.5.5 143 0x80000001 192:168:4::/48



1.1.1.1 939 0x80000001 4 inside

5.5.5.5 165 0x80000001 3 inside



1.1.1.1 166 0x80000003 0 0x2001 0

1.1.1.1 166 0x80000001 4096 0x2002 4



3.3.3.3 150 0x8000000a 0 1 None

5.5.5.5 149 0x80000001 0 1 B



3.3.3.3 150 0x80000001 3 2



5.5.5.5 143 0x80000001 192:168:101::/48

5.5.5.5 143 0x80000001 192:168:1::/48

5.5.5.5 143 0x80000001 192:168:4::/48

5.5.5.5 143 0x80000001 192:168:2::/48


ADV Router Age Seq# Link ID Interface3.3.3.3 652 0x80000001 3 outside

5.5.5.5 149 0x80000001 5 outside



3.3.3.3 150 0x80000007 0 0x2001 0

3.3.3.3 150 0x80000001 3072 0x2002 3






of 846


4.4.4.4 147 0x80000003 0 1 None

5.5.5.5 146 0x80000001 0 1 B


ADV Router Age Seq# Link ID Rtr count4.4.4.4 147 0x80000001 3 2



5.5.5.5 143 0x80000001 192:168:101::/48

5.5.5.5 143 0x80000001 192:168:1::/48

5.5.5.5 143 0x80000001 192:168:103::/48

5.5.5.5 143 0x80000001 172:30:6::1/128

5.5.5.5 143 0x80000001 172:30:5::1/128

5.5.5.5 143 0x80000001 172:30:4::1/1285.5.5.5 143 0x80000001 172:30:3::1/128

5.5.5.5 143 0x80000001 172:30:2::1/128

5.5.5.5 143 0x80000001 172:30:1::1/128

5.5.5.5 143 0x80000001 192:168:3::/48

5.5.5.5 143 0x80000001 192:168:2::/48



4.4.4.4 361 0x80000001 3 dmz2

5.5.5.5 146 0x80000001 6 dmz2



4.4.4.4 151 0x80000001 3072 0x2002 3

ASA1# sh ipv6 route ospf

IPv6 Routing Table - 18 entries

Codes: C - Connected, L - Local, S - Static

O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

O 172:30:1::1/128 [110/10]

via fe80::46e4:d9ff:fe87:ecde, outside

O 172:30:2::1/128 [110/10]


O 172:30:3::1/128 [110/10]


O 172:30:4::1/128 [110/10]


O 172:30:5::1/128 [110/10]


O 172:30:6::1/128 [110/10]




of 846



O 192:168:101::/48 [110/11]

via fe80::224:14ff:fedd:17e8, inside

O 192:168:103::/48 [110/11]


ASA1# ping 192:168:101::1



!!!!!


ASA1# ping 192:168:103::1



!!!!!


ASA1(config-rtr)# ipv6 router ospf 100

ASA1(config-rtr)# area 1 virtual-link 1.1.1.1

R1(config-rtr)#ipv6 router ospf 100

R1(config-rtr)#area 1 virtual-link 5.5.5.5

ASA1# sh ipv6 ospf neighbor

Neighbor ID Pri State Dead Time Interface ID Interface1.1.1.1 0 FULL/ - 0:00:26 15 OSPFV3_VL0

2.2.2.2 1 FULL/DR 0:00:35 4 dmz1

1.1.1.1 1 FULL/DR 0:00:39 4 inside

3.3.3.3 1 FULL/DR 0:00:39 3 outside

4.4.4.4 1 FULL/DR 0:00:39 3 dmz2





OI 172:10:1::1/128 [110/10]


OI 172:10:2::1/128 [110/10]


OI 172:10:3::1/128 [110/10]


OI 172:10:4::1/128 [110/10]


OI 172:10:5::1/128 [110/10]


OI 172:10:6::1/128 [110/10]




of 846



O 172:30:1::1/128 [110/10]


O 172:30:2::1/128 [110/10]


O 172:30:3::1/128 [110/10]via fe80::46e4:d9ff:fe87:ecde, outside

O 172:30:4::1/128 [110/10]


O 172:30:5::1/128 [110/10]


O 172:30:6::1/128 [110/10]


O 192:168:101::1/128 [110/10]


O 192:168:101::/48 [110/11]

via fe80::224:14ff:fedd:17e8, insideO 192:168:103::/48 [110/11]



ASA1(config-rtr)# passive-interface default

ASA1(config-rtr)# no passive-interface inside

ASA1(config-rtr)# no passive-interface dmz1

ASA1(config-rtr)# no passive-interface dmz2

ASA1(config-rtr)# no passive-interface outside




!!!!!





!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msASA1(config)# ping 172:10:3::1



!!!!!





!!!!!







of 846



!!!!!







R2(config-rtr)#redistribute eigrp 100 metric-type 1 include-connected



Codes: C - Connected, L - Local, S - StaticO - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

OI 172:10:1::1/128 [110/10]


OI 172:10:2::1/128 [110/10]


OI 172:10:3::1/128 [110/10]


OI 172:10:4::1/128 [110/10]


OI 172:10:5::1/128 [110/10]via fe80::224:14ff:fedd:17e8, inside

OI 172:10:6::1/128 [110/10]


OE1 172:20:1::/48 [110/30]

via fe80::21f:9eff:fe5f:8060, dmz1

OE1 172:20:2::/48 [110/30]


OE1 172:20:3::/48 [110/30]


OE1 172:20:4::/48 [110/30]

via fe80::21f:9eff:fe5f:8060, dmz1OE1 172:20:5::/48 [110/30]


OE1 172:20:6::/48 [110/30]


O 172:30:1::1/128 [110/10]


O 172:30:2::1/128 [110/10]


O 172:30:3::1/128 [110/10]


O 172:30:4::1/128 [110/10]





of 846


O 172:30:5::1/128 [110/10]


O 172:30:6::1/128 [110/10]


O 192:168:101::1/128 [110/10]



O 192:168:103::/48 [110/11]



R2(config-rtr)#summary-prefix 172:20:0::/45


IPv6 Routing Table - 26 entriesCodes: C - Connected, L - Local, S - Static

O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2


OI 172:10:1::1/128 [110/10]


OI 172:10:2::1/128 [110/10]


OI 172:10:3::1/128 [110/10]


OI 172:10:4::1/128 [110/10]

via fe80::224:14ff:fedd:17e8, insideOI 172:10:5::1/128 [110/10]


OI 172:10:6::1/128 [110/10]


OE1 172:20::/45 [110/30]


O 172:30:1::1/128 [110/10]


O 172:30:2::1/128 [110/10]


O 172:30:3::1/128 [110/10]via fe80::46e4:d9ff:fe87:ecde, outside

O 172:30:4::1/128 [110/10]


O 172:30:5::1/128 [110/10]


O 172:30:6::1/128 [110/10]


O 192:168:101::1/128 [110/10]


O 192:168:101::/48 [110/11]


O 192:168:103::/48 [110/11]




of 846




R2(config-rtr)#no summary-prefix 172:20:0::/45

R1#sh ipv6 route ospf

IPv6 Routing Table - Default - 34 entriesCodes: C - Connected, L - Local, S - Static, U - Per-user Static route

B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP

I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

D - EIGRP, EX - EIGRP external

O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2


OE1 172:20:1::/48 [110/31]

via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0

OE1 172:20:2::/48 [110/31]


OE1 172:20:3::/48 [110/31]via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0

OE1 172:20:4::/48 [110/31]


OE1 172:20:5::/48 [110/31]


OE1 172:20:6::/48 [110/31]


OI 172:30:1::1/128 [110/11]


OI 172:30:2::1/128 [110/11]

via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0OI 172:30:3::1/128 [110/11]


OI 172:30:4::1/128 [110/11]


OI 172:30:5::1/128 [110/11]


OI 172:30:6::1/128 [110/11]


O 192:168:1::2/128 [110/1]


O 192:168:2::/48 [110/11]via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0

OI 192:168:3::/48 [110/11]


OI 192:168:4::/48 [110/11]


OI 192:168:103::/48 [110/12]



ASA1(config-rtr)# area 2 range 172:30::/45





of 846


IPv6 Routing Table - Default - 29 entries

Codes: C - Connected, L - Local, S - Static, U - Per-user Static route

B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP



O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

OE1 172:20:1::/48 [110/31]


OE1 172:20:2::/48 [110/31]


OE1 172:20:3::/48 [110/31]


OE1 172:20:4::/48 [110/31]


OE1 172:20:5::/48 [110/31]

via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0OE1 172:20:6::/48 [110/31]


OI 172:30::/45 [110/11]


O 192:168:1::2/128 [110/1]


O 192:168:2::/48 [110/11]


OI 192:168:3::/48 [110/11]


OI 192:168:4::/48 [110/11]via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0

OI 192:168:103::/48 [110/12]



ASA1(config-rtr)# no area 2 range 172:30::/45

R3


IPv6 Routing Table - 35 entriesCodes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

U - Per-user Static route, M - MIPv6





OI 172:10:1::1/128 [110/11]


OI 172:10:2::1/128 [110/11]


OI 172:10:3::1/128 [110/11]





of 846


OI 172:10:4::1/128 [110/11]


OI 172:10:5::1/128 [110/11]


OI 172:10:6::1/128 [110/11]

via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0OE1 172:20:1::/48 [110/31]


OE1 172:20:2::/48 [110/31]


OE1 172:20:3::/48 [110/31]


OE1 172:20:4::/48 [110/31]


OE1 172:20:5::/48 [110/31]


OE1 172:20:6::/48 [110/31]via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0

OI 192:168:1::/48 [110/11]


OI 192:168:1::2/128 [110/1]


OI 192:168:2::/48 [110/11]


OI 192:168:4::/48 [110/11]


OI 192:168:101::/48 [110/12]




ASA1(config-rtr)# area 2 stub


R3(config-rtr)#area 2 stub


IPv6 Routing Table - 30 entriesCodes: C - Connected, L - Local, S - Static, R - RIP, B - BGP






OI ::/0 [110/2]


OI 172:10:1::1/128 [110/11]


OI 172:10:2::1/128 [110/11]





of 846


OI 172:10:3::1/128 [110/11]


OI 172:10:4::1/128 [110/11]


OI 172:10:5::1/128 [110/11]



OI 192:168:1::/48 [110/11]


OI 192:168:1::2/128 [110/1]


OI 192:168:2::/48 [110/11]


OI 192:168:4::/48 [110/11]



OI 192:168:101::1/128 [110/11]



ASA1(config-rtr)# area 2 stub no-summary



Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

U - Per-user Static route, M - MIPv6I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary




OI ::/0 [110/2]


ASA1


ASA1(config-rtr)# area 3 stub

R4(config)#ipv6 router ospf 100

R4(config-rtr)#area 3 stub












of 846


OI ::/0 [110/2]


OI 172:10:1::1/128 [110/11]


OI 172:10:2::1/128 [110/11]



OI 172:10:4::1/128 [110/11]


OI 172:10:5::1/128 [110/11]


OI 172:10:6::1/128 [110/11]


OI 172:30:1::1/128 [110/11]


OI 172:30:2::1/128 [110/11]via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0

OI 172:30:3::1/128 [110/11]


OI 172:30:4::1/128 [110/11]


OI 172:30:5::1/128 [110/11]


OI 172:30:6::1/128 [110/11]


OI 192:168:1::/48 [110/11]



OI 192:168:2::/48 [110/11]


OI 192:168:3::/48 [110/11]


OI 192:168:101::/48 [110/12]


OI 192:168:101::1/128 [110/11]




ASA1(config-rtr)# area 3 stub no-summary











of 846



OI ::/0 [110/2]


R4(config)#ipv6 router ospf 100R4(config-rtr)#redistribute eigrp 200 metric-type 1 include-connected

R4(config-rtr)#

*Oct 5 07:57:12.939: %OSPFv3-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while

having only one area which is a stub area


R4(config-rtr)#no area 3 stub

R4(config-rtr)#area 3 nssa


ASA1(config-rtr)# no area 3 stubASA1(config-rtr)# area 3 nssa








D - EIGRP, EX - EIGRP externalOI 172:10:1::1/128 [110/11]


OI 172:10:2::1/128 [110/11]


OI 172:10:3::1/128 [110/11]


OI 172:10:4::1/128 [110/11]


OI 172:10:5::1/128 [110/11]


OI 172:10:6::1/128 [110/11]via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0

OI 172:30:1::1/128 [110/11]


OI 172:30:2::1/128 [110/11]


OI 172:30:3::1/128 [110/11]


OI 172:30:4::1/128 [110/11]


OI 172:30:5::1/128 [110/11]


OI 172:30:6::1/128 [110/11]




of 846



OI 192:168:1::/48 [110/11]


OI 192:168:1::2/128 [110/1]



OI 192:168:3::/48 [110/11]


OI 192:168:101::/48 [110/12]


OI 192:168:101::1/128 [110/11]


OI 192:168:103::/48 [110/12]


ASA1(config-rtr)# ipv6 router ospf 100ASA1(config-rtr)# area 3 nssa no-summary default-information-originate









OI ::/0 [110/2]via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0

ASA1(config)# sh ipv6 route interface dmz2





ON1 172:40:1::/48 [110/30]

via fe80::21a:6cff:fed4:e56e, dmz2

ON1 172:40:2::/48 [110/30]via fe80::21a:6cff:fed4:e56e, dmz2

ON1 172:40:3::/48 [110/30]


ON1 172:40:4::/48 [110/30]


ON1 172:40:5::/48 [110/30]


ON1 172:40:6::/48 [110/30]


R1(config-if)#interface lo1

R1(config-if)#ipv6 ospf network point-to-point




of 846







R1(config-if)#ipv6 ospf network point-to-pointR1(config-if)#interface lo5




ASA1





OI 172:10:1::/48 [110/11]


OI 172:10:2::/48 [110/11]


OI 172:10:3::/48 [110/11]


OI 172:10:4::/48 [110/11]


OI 172:10:5::/48 [110/11]

via fe80::224:14ff:fedd:17e8, insideOI 172:10:6::/48 [110/11]


OE1 172:20:1::/48 [110/30]


OE1 172:20:2::/48 [110/30]


OE1 172:20:3::/48 [110/30]


OE1 172:20:4::/48 [110/30]


OE1 172:20:5::/48 [110/30]via fe80::21f:9eff:fe5f:8060, dmz1

OE1 172:20:6::/48 [110/30]


O 172:30:1::1/128 [110/10]


O 172:30:2::1/128 [110/10]


O 172:30:3::1/128 [110/10]


O 172:30:4::1/128 [110/10]


O 172:30:5::1/128 [110/10]




of 846



O 172:30:6::1/128 [110/10]


ON1 172:40:1::/48 [110/30]



ON1 172:40:3::/48 [110/30]


ON1 172:40:4::/48 [110/30]


ON1 172:40:5::/48 [110/30]


ON1 172:40:6::/48 [110/30]


O 192:168:101::1/128 [110/10]



O 192:168:103::/48 [110/11]



ASA1(config-rtr)# distance ospf external 222 inter-area 111 intra-area 111


IPv6 Routing Table - 37 entriesCodes: C - Connected, L - Local, S - Static



OI 172:10:1::/48 [111/11]


OI 172:10:2::/48 [111/11]


OI 172:10:3::/48 [111/11]


OI 172:10:4::/48 [111/11]

via fe80::224:14ff:fedd:17e8, insideOI 172:10:5::/48 [111/11]


OI 172:10:6::/48 [111/11]


OE1 172:20:1::/48 [222/30]


OE1 172:20:2::/48 [222/30]


OE1 172:20:3::/48 [222/30]


OE1 172:20:4::/48 [222/30]





of 846


OE1 172:20:5::/48 [222/30]


OE1 172:20:6::/48 [222/30]


O 172:30:1::1/128 [111/10]

via fe80::46e4:d9ff:fe87:ecde, outsideO 172:30:2::1/128 [111/10]


O 172:30:3::1/128 [111/10]


O 172:30:4::1/128 [111/10]


O 172:30:5::1/128 [111/10]


O 172:30:6::1/128 [111/10]



ON1 172:40:2::/48 [222/30]


ON1 172:40:3::/48 [222/30]


ON1 172:40:4::/48 [222/30]


ON1 172:40:5::/48 [222/30]


ON1 172:40:6::/48 [222/30]

via fe80::21a:6cff:fed4:e56e, dmz2O 192:168:101::1/128 [111/10]


O 192:168:101::/48 [111/11]


O 192:168:103::/48 [111/11]





of 846


Chapter 25


IPv6 Static NAT

IPv6 Dynamic NAT

IPv6 PAT

IPv6 Static PAT

IPv6 Twice NAT

IPv6 Identity NAT

Diagram:-

NAT on OS 9.2.x on IPv6




of 846


Initial-config

R1


int f0/0


int f0/1

no shutdown

ipv6 add 192:168:101::1/48

ipv6 route ::/0 192:168:1::2



1024

line vty 0 90

transport input ssh telnetlogin lo

exit


ip http server




R2



no shutdown

ipv6 add 192:168:10::100/48

ipv6 route ::/0 192:168:10::1



1024

line vty 0 90


login lo

exit


R3



no shutdown

ipv6 add 101:1:1::1/48

no shutdown

int f0/1

no shutdown

ipv6 add 192:168:102::1/48




of 846


no shutdown

R4




ipv6 route ::/0 192:168:20::1

ip http server




R5

ipv6 unicast-routinginterface fastEthernet 0/0

ipv6 add 192:168:101::111/48

no shutdown

ipv6 route ::/0 192:168:1



1024

line vty 0 90


login lo

exitusername shiva privilege 15 secret shiva

ip http server




ASA1



no ip address

ipv6 address 192:168:1::2/48

!


nameif dmz1

security-level 60

no ip address

ipv6 address 192:168:10::1/48

!


nameif outside




of 846


security-level 0

no ip address

ipv6 address 101:1:1::100/48

!


nameif dmz2security-level 50

no ip address

ipv6 address 192:168:20::1/48

ipv6 route inside 192:168:101::/48 192:168:1::1


ASA1# ping 192:168:101::1


!!!!!


ASA1# ping 192:168:101::111



!!!!!


ASA1# ping 192:168:10::100




ASA1# ping 192:168:20::100



!!!!!


ASA1# ping 192:168:102::1




ASA1

STATIC

object network obj_net_192:168:1::1

host 192:168:1::1


host 192:168:101::1


host 192:168:101::111





of 846


host 192:168:10::100


host 192:168:20::100


host 101:1:1::101

object network obj_net_101:1:1::102host 101:1:1::102


host 101:1:1::103


host 101:1:1::104


nat (inside,outside) static interface ipv6


nat (inside,outside) static obj_net_101:1:1::101

object network obj_net_192:168:101::111nat (inside,outside) static obj_net_101:1:1::102


nat (dmz1,outside) static obj_net_101:1:1::103


nat (dmz2,outside) static obj_net_101:1:1::104

! ASA will allow TCP & UDP for ICMP open ACL

access-list out permit icmp6 any object obj_net_192:168:1::1



access-list out permit icmp6 any object obj_net_192:168:10::100access-list out permit icmp6 any object obj_net_192:168:20::100


R3#debug ipv6 icmp


R1#ping 101:1:1::1




R1#ping 101:1:1::1 so

R1#ping 101:1:1::1 source f

R1#ping 101:1:1::1 source fastEthernet 0/1




!!!!!


R2#ping 101:1:1::1




of 846




!!!!!


R4#ping 101:1:1::1



!!!!!


R5#ping 101:1:1::1



!!!!!


R3#debug ipv6 icmp


R3#

R3#

R3#

R3#

*Oct 5 08:54:26.379: ICMPv6: Received echo request from 101:1:1::100

*Oct 5 08:54:26.379: ICMPv6: Sending echo reply to 101:1:1::100



*Oct 5 08:54:26.383: ICMPv6: Received echo request from 101:1:1::100*Oct 5 08:54:26.383: ICMPv6: Sending echo reply to 101:1:1::100





R3#



*Oct 5 08:54:32.123: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136


*Oct 5 08:54:32.127: ICMPv6: Sending echo reply to 101:1:1::101*Oct 5 08:54:32.127: ICMPv6: Received echo request from 101:1:1::101




R3#



R3#


R3#


R3#




of 846










R3#



R3#



R3#










R3#














NAT from inside:192:168:1::1/128 to outside:101:1:1::100/128


NAT from dmz1:192:168:10::100/128 to outside:101:1:1::103/128


NAT from dmz2:192:168:20::100/128 to outside:101:1:1::104/128







of 846




Dynamic

ASA1

object network obj_net_inside

subnet 192:168:1::/48

object network obj_net_inside_lan

subnet 192:168:101::/48

object network obj_net_dmz1_lan

subnet 192:168:10::/48


subnet 192:168:20::/48

object network obj_net_dpool

range 101:1:1::101 101:1:1::104object network obj_net_inside

nat (inside,outside) dynamic obj_net_dpool


nat (inside,outside) dynamic obj_net_dpool


nat (dmz1,outside) dynamic obj_net_dpool


nat (dmz2,outside) dynamic obj_net_dpool

access-list out extended permit icmp6 any object obj_net_insideaccess-list out extended permit icmp6 any object obj_net_inside_lan

access-list out extended permit icmp6 any object obj_net_dmz1_lan



R1#ping 101:1:1::1








!!!!!


R5#ping 101:1:1::1





of 846



!!!!!


R2#ping 101:1:1::1



!!!!!


R4#ping 101:1:1::1



.....

Success rate is 0 percent (0/5)ASA1(config)# sh xlate




NAT from dmz1:192:168:10::100 to outside:101:1:1::103 flags i idle 0:02:33 timeout 3:00:00

NAT from inside:192:168:101::111 to outside:101:1:1::102 flags i idle 0:02:37 timeout 3:00:00



R3R3#










R3#*Oct 5 09:03:31.383: ICMPv6: Received echo request from 101:1:1::104


R3#













of 846



R3#









R3#



R3#


*Oct 5 09:03:41.167: ICMPv6: Sending echo reply to 101:1:1::103*Oct 5 09:03:41.171: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136







R3#



ASA1

PAT


subnet 192:168:1::/48


subnet 192:168:101::/48


subnet 192:168:10::/48


subnet 192:168:20::/48!


nat (inside,outside) dynamic interface ipv6


nat (inside,outside) dynamic interface ipv6


nat (dmz1,outside) dynamic interface ipv6


nat (dmz2,outside) dynamic interface ipv6

access-list out extended permit icmp6 any object obj_net_inside

access-list out extended permit icmp6 any object obj_net_inside_lan




of 846









!!!!!





Packet sent with a source address of 192:168:101::1!!!!!


R5#ping 101:1:1::1



!!!!!


R2#ping 101:1:1::1


!!!!!


R4#ping 101:1:1::1



!!!!!


ASA1(config-network-object)# sh xlate6 in use, 20 most used



ICMP6 PAT from dmz2:192:168:20::100/8784 to outside:101:1:1::100/8784 flags ri idle 0:00:00

timeout 0:00:30

ICMP6 PAT from dmz1:192:168:10::100/5560 to outside:101:1:1::100/5560 flags ri idle 0:00:03

timeout 0:00:30

ICMP6 PAT from inside:192:168:101::111/4159 to outside:101:1:1::100/4159 flags ri idle 0:00:08

timeout 0:00:30

ICMP6 PAT from inside:192:168:1::1/8024 to outside:101:1:1::100/8024 flags ri idle 0:00:13 timeout

0:00:30




of 846


ICMP6 PAT from inside:192:168:101::1/954 to outside:101:1:1::100/954 flags ri idle 0:00:12 timeout

0:00:30

ICMP6 PAT from inside:192:168:101::1/3788 to outside:101:1:1::100/3788 flags ri idle 0:00:15

timeout 0:00:30

ASA1STATIC PAT


host 192:168:1::1


nat (inside,outside) static interface ipv6 service tcp ssh ssh

access-list out extended permit tcp any object obj_net_192:168:1::1 eq ssh


R3#ssh -l shiva 101:1:1::100

Password:

R1#




s - static, T - twice, N - net-to-netTCP PAT from inside:192:168:1::1/128 22-22 to outside:101:1:1::100/128 22-22

flags sr idle 0:00:12 timeout 0:00:00



TCP outside 101:1:1::1:40109 inside 192:168:1::1:22, idle 0:00:03, bytes 2452, flags UIOB

R3#ssh -l shiva 101:1:1::100

Password:

R1#ex

R1#exit


R3#

R3#






of 846


ASA1

Identity NAT


subnet 192:168:101::/48


subnet 192:168:102::/48

nat (inside,outside) source static obj_net_192:168:101::0 obj_net_192:168:101::0 destination static

obj_net_192:168:102::0 obj_net_192:168:102::0nat (inside,outside) source dynamic any interface ipv6

access-list out extended permit icmp6 any object obj_net_192:168:101::0

access-list out extended permit icmp6 any 192:168:1::/48


R1#ping 101:1:1::1




R1#ping 101:1:1::1 so






!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 msR1#ping 192:168:102::1



!!!!!


R1#ping 192:168:102::1 so

R1#ping 192:168:102::1 source f







of 846



.....


R3#










R3#

*Oct 5 09:36:07.555: ICMPv6: Received ICMPv6 packet from 101:1:1::100, type 136R3#










*Oct 5 09:36:11.047: ICMPv6: Sending echo reply to 101:1:1::100R3#


R3#


R3#






*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100*Oct 5 09:36:25.659: ICMPv6: Received echo request from 101:1:1::100




R3#



R3#



R3#





of 846



R3#



R3#


ASA1

Twice NAT


subnet 101:1:1::/48


subnet 192:168:102::/48


host 101:1:1::111object network obj_net_101:1:1::222

host 101:1:1::222

nat (inside,outside) source dynamic any obj_net_101:1:1::111 destination static obj_net_101:1:1::0

obj_net_101:1:1::0

nat (inside,outside) source dynamic any obj_net_101:1:1::222 destination static

obj_net_192:168:102::0 obj_net_192:168:102::0

access-list out extended permit icmp6 any any


R1#ping 101:1:1::1



!!!!!


R1#ping 101:1:1::1 so






!!!!!


R1#

R1#pin

R1#ping 192:168:102::1



!!!!!




of 846



R1#ping 192:168:102::1 so

R1#ping 192:168:102::1 source f




!!!!!


R3#










R3#










R3#










R3#










of 846









of 846


Chapter 26


Site-Site on IPv6

Diagram:-

Site-Site VPN on IPv6




of 846


Initial-config

R1



ipv6 add 192:168:101::100/48no shutdown

ipv6 route ::/0 192:168:101::1

R2



ipv6 add 192:168:102::100/48

no shutdown

ipv6 route ::/0 192:168:102::1

R3



ipv6 add 101:1:1::1/48

no shutdown


no shutdown

ipv6 add 102:1:1::1/48

ASA1


no shu

nameif inside

ipv6 add 192:168:101::1/48


no shu

nameif outside

ipv6 add 101:1:1::100/48


ASA1(config)# ping 192:168:101::100



!!!!!





!!!!!


ASA2


no shu

nameif inside

ipv6 add 192:168:102::1/48




of 846


no shu

interface g0/1

no shu

nameif outside

ipv6 add 102:1:1::100/48

no shuipv6 route outside ::/0 102:1:1::1

ASA2(config)# ping 192:168:102::100



!!!!!


ASA2(config)# pin





ASA1



encryption aes

hash sha

group 5

lifetime 1800

tunnel-group 102:1:1::100 type ipsec-l2ltunnel-group 102:1:1::100 ipsec-attributes




access-list 101 permit ip 192:168:101::/48 192:168:102::/48


crypto map test 10 set peer 102:1:1::100




ASA2



encryption aes

hash sha

group 5

lifetime 1800

tunnel-group 101:1:1::100 type ipsec-l2l

tunnel-group 101:1:1::100 ipsec-attributes







of 846


access-list 102 permit ip 192:168:102::/48 192:168:101::/48


crypto map test 10 set peer 101:1:1::100




R1#ping 192:168:102::100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192:168:101::100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



IKEv1 SAs:


Total IKE SA: 1

1 IKE Peer: 102:1:1::100






interface: outside

Crypto map tag: test, seq num: 10, local addr: 101:1:1::100

access-list 101 extended permit ip 192:168:101::/48 192:168:102::/48

local ident (addr/mask/prot/port): (192:168:101::/48/0/0)

remote ident (addr/mask/prot/port): (192:168:102::/48/0/0)

current_peer: 102:1:1::100









of 846






local crypto endpt.: 101:1:1::100/0, remote crypto endpt.: 102:1:1::100/0path mtu 1500, ipsec overhead 94(64), media mtu 1500



current outbound spi: DD53A4C1

current inbound spi : 21DA3675

inbound esp sas:

spi: 0x21DA3675 (567948917)



slot: 0, conn_id: 4096, crypto-map: testsa timing: remaining key lifetime (kB/sec): (3914980/1760)

IV size: 16 bytes


Anti replay bitmap:


outbound esp sas:

spi: 0xDD53A4C1 (3713246401)




sa timing: remaining key lifetime (kB/sec): (3914980/1760)IV size: 16 bytes


Anti replay bitmap:

0x00000000 0x00000001

ASA2


IKEv1 SAs:


Total IKE SA: 1

1 IKE Peer: 101:1:1::100






interface: outside

Crypto map tag: test, seq num: 10, local addr: 102:1:1::100




of 846


access-list 102 extended permit ip 192:168:102::/48 192:168:101::/48

local ident (addr/mask/prot/port): (192:168:102::/48/0/0)

remote ident (addr/mask/prot/port): (192:168:101::/48/0/0)

current_peer: 101:1:1::100










local crypto endpt.: 102:1:1::100/0, remote crypto endpt.: 101:1:1::100/0path mtu 1500, ipsec overhead 94(64), media mtu 1500



current outbound spi: 21DA3675

current inbound spi : DD53A4C1

inbound esp sas:

spi: 0xDD53A4C1 (3713246401)



slot: 0, conn_id: 4096, crypto-map: testsa timing: remaining key lifetime (kB/sec): (4373980/1732)

IV size: 16 bytes


Anti replay bitmap:


outbound esp sas:

spi: 0x21DA3675 (567948917)




sa timing: remaining key lifetime (kB/sec): (4373980/1732)IV size: 16 bytes


Anti replay bitmap:

0x00000000 0x00000001




of 846


Chapter 27


SSL on IPv6

Diagram:-

Initial-config

R1



ipv6 add 101:1:1::1/48

no shutdown

SSL VPN on IPv6




of 846


int f0/1

no shutdown

ipv6 add 192:168:101::1/48

no shutdown

ipv6 add 192:168:102::1/48

R2ipv6 unicast-routing

int f0/0

no shutdown

ipv6 add 192:168:1::2/48

no sh

int f0/1

no shutdown

ipv6 add 192:168:10::1/48

exit


router-id 2.2.2.2int f0/0


int f0/1


R3


int f0/0

no shutdown

ipv6 add 192:168:2::2/48

int f0/1

no shipv6 add 192:168:20::1/48

exit


router-id 3.3.3.3

int f0/0


int f0/1


R4


interface fastEthernet 0/0ipv6 add 192:168:10::100/48

no shutdown

ipv6 route ::/0 192:168:10::1



1024

line vty 0 90


login local

exit

ip http server





of 846


ip http au local


R5


int f0/0


no shutdown

ipv6 route ::/0 192:168:20::1



1024

line vty 0 90


login local

exit


ip http au local


ASA1


nameif outside

security-level 0

no ip address

ipv6 address 101:1:1::100/48


nameif inside1

security-level 100

no ip address

ipv6 address 192:168:1::1/48


!


nameif inside2

security-level 100

no ip addressipv6 address 192:168:2::1/48


!



router-id 1.1.1.1

log-adjacency-changes

!

ASA1(config)# sh ipv6 ospf neighbor

Neighbor ID Pri State Dead Time Interface ID Interface




of 846


3.3.3.3 1 FULL/BDR 0:00:35 3 inside2

2.2.2.2 1 FULL/DR 0:00:31 4 inside1

ASA1(config)# sh ipv6 route ospf


Codes: C - Connected, L - Local, S - StaticO - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2


O 192:168:10::/48 [110/11]

via fe80::21f:9eff:fe5f:8060, inside1

O 192:168:20::/48 [110/11]

via fe80::46e4:d9ff:fe87:ecde, inside2

ASA1(config)# ping 192:168:101::100




ASA1(config)# ping 192:168:10::100



!!!!!


ASA1(config)# ping 192:168:20::100



!!!!!


ASA1

webvpn

enable outside

username shiva password shiva privilege 15privilege 15

https://[101:1:1::100]




of 846


in url bar type

[192:168:10:100] for admin

[192:168:20:100] for mgmt




of 846





of 846


webvpn

port 9090

enable outside




of 846





of 846


webvpn

port 9090

enable outside

port-forward admin 2222 192:168:10::100 ssh

port-forward admin 2323 192:168:10::100 telnet

port-forward admin 8080 192:168:10::100 www

port-forward admin 8181 192:168:10::100 httpsport-forward mgmt 2222 192:168:20::100 ssh

port-forward mgmt 2323 192:168:20::100 telnet

port-forward mgmt 8080 192:168:20::100 www

port-forward mgmt 8181 192:168:20::100 https

group-policy admin_policy internal

group-policy admin_policy attributes


webvpn


port-forward enable admingroup-policy mgmt_policy internal

group-policy mgmt_policy attributes


webvpn




tunnel-group admin_group general-attributes

default-group-policy admin_policy

tunnel-group admin_group webvpn-attributesgroup-alias ADMIN_GROUP enable




of 846




default-group-policy mgmt_policy



webvpn





of 846





of 846


ASA1# vpn-sessiondb logoff webvpn

Do you want to logoff the VPN session(s)? [confirm]

INFO: Number of sessions of type "webvpn" logged off : 2




of 846





of 846


Chapter 28


BGP Messages

BGP Tables

BGP States

BGP Terminology

BGP Lab

BGP (Border Gateway Protocol)




of 846


It is an exterior gate classless path vector routing protocol.Why it is called Path Vector

Because it is path vector because it select the route based on the AS path. It reject those which

have already across their AS.

Open

Keep Alive

Update

Notification

Open

BGP sends open message using TCP port 179

Contain:-

1.Version

2.My AS

3.Router ID

4.Hold Time default 180sec

Keep Alive

BGP sends periodic keep alive after every 60 sec.

Update

When two router become BGP neighbour they send update message to each other.

Contain:-

1. Route

2. Route's Attributes

Route's Attributes

They are those criteria which are used to select best route.they are also called Rich Metric.

Notification

When a neighbour is rested then it sends notification message.

Contain:-

it contain cause of resetting.

BGP can be implemented within AS i.e. called iBGP.

BGP can be implemented over AS i.e. called eBGP.

BGP Border Gateway Protocol

BGP Messages




of 846


Neighbour Table BGP Table

Routing Table

Idle

Connect

Open Sent

Open Confirm

Establish

1.Idle

it means that searching neighbour.

2.Connect

it means that TCP three-way hand-shake complete.

3. Open Sent

it means that Open message has been sent.

4. Open Confirm

it means that Open acknowledgement has been received.

5. Establish

it means that neighbour ship complete.

Next-hop-self


EBGP-Multi-hop

Max-path

Source-update

BGP-redistribute Internal

Next-hop-self

When a BGP edge router learns the external route then it advertise those route with default next-

hop to iBGP neighbour, to solve this problem we use next-hop-self .This command force a router to

send own IP address as next-hop to iBGP neighbour.

BGP Tables

BGP States

Some BGP Terminology




of 846



Normally an iBGP router doesn't exchange the route of one neighbour with another neighbour.

To solve this we use route-reflector-client. this command force a router to exchange the routes of

one neighbour with another.

EBGP-Multi-hopWhen a BGP router wants to establish eBGP neighbour ship it set TTL value 1 in open message. if

your neighbour is not directly connected. than neighbour ship will not establish.

Using EBGP-Multi-hop command we can increase TTL value.

Max-Path

By default BGP select one best path using its attributes. or we can say

that by default BGP don't use load-balancing. if you want to use load-balancing then change max-

path value using Max-Path command.

Source-update

If you want to establish neighbour ship you can use physical interface IP for peering. But physicalinterface can be goes down. this is not recommended for BGP peering.

you can use loopback for peering. if you are using loopback for peering you have to use update-

source command . this command tells a router when you send message to your peer use particular

loopback IP as source otherwise neighbour ship will not perform.

BGP-redistribute Internal

We can redistribute IGP to iBGP, or IGP to eBGP, eBGP to IGP.

But iBGP to IGP redistribution not allowed if you want we have to use BGP-redistribute Internal.




of 846


Diagram:-

Initial-configR1

interface Loopback1

ip address 192.10.1.1 255.255.255.0

!

interface Loopback2

ip address 192.10.2.1 255.255.255.0

!

interface Loopback3

ip address 192.10.3.1 255.255.255.0

!

interface Loopback4ip address 192.10.4.1 255.255.255.0

!

interface Loopback5

ip address 192.10.5.1 255.255.255.0

!

interface Loopback6

ip address 192.10.6.1 255.255.255.0

!


ip address 192.168.1.1 255.255.255.0

duplex autospeed auto




of 846


!


ip address 192.168.101.1 255.255.255.0

duplex auto

speed auto

R2


no shutdown

ip add 192.168.2.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.102.1 255.255.255.0

R3


ip add 192.168.3.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.35.1 255.255.255.0

no shutdown

int l1

ip add 192.168.103.1 255.255.255.0

no shutdown

R4


no shutdown

ip add 192.168.4.1 255.255.255.0

no shutdown

int f0/1

no shutdown

ip add 192.168.104.1 255.255.255.0

no shutdown

R5interface f0/1

no shutdown

ip add 192.168.35.2 255.255.255.0

no shutdown

int f0/0

no shutdown

ip add 192.168.105.1 255.255.255.0

no shutdown

ASA1


nameif inside




of 846


security-level 100

ip address 192.168.1.2 255.255.255.0

!


nameif dmz1


!


nameif outside

security-level 0

ip address 192.168.3.2 255.255.255.0

!


nameif dmz2

security-level 50

ip address 192.168.4.2 255.255.255.0!




!!!!!





!!!!!




!!!!!





!!!!!


R1

R1(config)#router bgp 100

R1(config-router)#neighbor 192.168.1.2 remote-as 100

R1(config-router)#net 192.168.1.0











of 846


R2





R3







R4


R4(config-router)#neighbor 192.168.4.2 remote-as 100R4(config-router)#net 192.168.4.0


R5





ASA1

ASA1(config)# router bgp 100

ASA1(config-router)# address-family ipv4 unicast

ASA1(config-router-af)# neighbor 192.168.1.1 remote-as 100




ASA1(config-router-af)# network 192.168.1.0




ASA1# sh bgp neighbors

BGP neighbor is 192.168.1.1, context single_vf, remote AS 100, internal link

BGP version 4, remote router ID 192.10.6.1

BGP state = Established, up for 00:02:20

Last read 00:00:19, last write 00:00:56, hold time is 180, keepalive interval is 60 seconds

Neighbor sessions:

1 active, is not multisession capable (disabled)

Neighbor capabilities:

Route refresh: advertised and received(new)

Four-octets ASN Capability: advertised and received




of 846


Address family IPv4 Unicast: advertised and received

Multisession Capability:

Message statistics:

InQ depth is 0

OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0

Updates: 4 1

Keepalives: 3 4

Route Refresh: 0 0

Total: 8 6

Default minimum time between advertisement runs is 0 seconds

For address family: IPv4 Unicast

Session: 192.168.1.1BGP table version 17, neighbor version 17/0

Output queue size : 0

Index 1

1 update-group member

Sent Rcvd

Prefix activity: ---- ----

Prefixes Current: 7 8 (Consumes 640 bytes)

Prefixes Total: 7 8

Implicit Withdraw: 0 0

Explicit Withdraw: 0 0

Used as bestpath: n/a 7Used as multipath: n/a 0

Outbound Inbound

Local Policy Denied Prefixes: -------- -------

Bestpath from this peer: 7 n/a

Bestpath from iBGP peer: 2 n/a

Total: 9 0

Number of NLRIs in the update sent: max 4, min 0

Address tracking is enabled, the RIB does have a route to 192.168.1.1

Connections established 1; dropped 0Last reset never

Transport(tcp) path-mtu-discovery is enabled

Graceful-Restart is disabled





Neighbor sessions:






of 846



Four-octets ASN Capability: advertised and received



Message statistics:

InQ depth is 0OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0

Updates: 4 1

Keepalives: 4 4

Route Refresh: 0 0

Total: 9 6



Session: 192.168.2.1

BGP table version 17, neighbor version 17/0


Index 1


Sent Rcvd


Prefixes Current: 7 2 (Consumes 160 bytes)

Prefixes Total: 7 2

Implicit Withdraw: 0 0Explicit Withdraw: 0 0

Used as bestpath: n/a 1

Used as multipath: n/a 0

Outbound Inbound



Bestpath from iBGP peer: 2 n/a

Total: 9 0



Connections established 1; dropped 0

Last reset never



BGP neighbor is 192.168.3.1, context single_vf, remote AS 200, external link




Neighbor sessions:




of 846





Four-octets ASN Capability: advertised


Multisession Capability:Message statistics:

InQ depth is 0

OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0

Updates: 3 2

Keepalives: 4 5

Route Refresh: 0 0

Total: 8 8Default minimum time between advertisement runs is 30 seconds


Session: 192.168.3.1



Index 2


Sent Rcvd


Prefixes Current: 13 4 (Consumes 320 bytes)Prefixes Total: 13 4





Outbound Inbound



Total: 3 0




Last reset never










of 846


Neighbor sessions:





Address family IPv4 Unicast: advertised and receivedMultisession Capability:

Message statistics:

InQ depth is 0

OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0

Updates: 4 1

Keepalives: 4 5

Route Refresh: 0 0Total: 9 7



Session: 192.168.4.1



Index 1


Sent Rcvd

Prefix activity: ---- ----Prefixes Current: 7 2 (Consumes 160 bytes)

Prefixes Total: 7 2





Outbound Inbound



Bestpath from iBGP peer: 2 n/aTotal: 9 0




Last reset never



ASA1# sh bgp

BGP table version is 17, local router ID is 192.168.4.2




of 846


Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*>i192.10.1.0 192.168.1.1 0 100 0 i*>i192.10.2.0 192.168.1.1 0 100 0 i

*>i192.10.3.0 192.168.1.1 0 100 0 i

*>i192.10.4.0 192.168.1.1 0 100 0 i

*>i192.10.5.0 192.168.1.1 0 100 0 i

*>i192.10.6.0 192.168.1.1 0 100 0 i

*> 192.168.1.0 0.0.0.0 0 32768 i

* i 192.168.1.1 0 100 0 i

* i192.168.2.0 192.168.2.1 0 100 0 i

*> 0.0.0.0 0 32768 i

*> 192.168.3.0 0.0.0.0 0 32768 i

* 192.168.3.1 0 0 200 i* i192.168.4.0 192.168.4.1 0 100 0 i

*> 0.0.0.0 0 32768 i

*> 192.168.35.0 192.168.3.1 0 0 200 i

*>i192.168.101.0 192.168.1.1 0 100 0 i

*>i192.168.102.0 192.168.2.1 0 100 0 i

*> 192.168.103.0 192.168.3.1 0 0 200 i

*>i192.168.104.0 192.168.4.1 0 100 0 i

*> 192.168.105.0 192.168.3.1 0 200 i

ASA1# sh route bgp









B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29B 192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

B 192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

B 192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29

B 192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:03:29

B 192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29

B 192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:03:29

B 192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29




of 846


ASA1# ping 192.168.101.1



!!!!!




!!!!!


ASA1# ping 192.168.103.1



!!!!!


ASA1# ping 192.168.104.1


!!!!!


ASA1# ping 192.168.105.1



!!!!!


BGP Authentication

ASA1(config-router-af)# neighbor 192.168.1.1 password shiva

R1(config-router)#neighbor 192.168.1.2 password shiva

R1#sh ip route bgp

B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:00:39

B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:00:44

B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:00:39

B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:00:39

B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:00:44B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:00:44

R2#sh ip route bgp

B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:42

B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:08:47

B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:42

B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:08:47

B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:42

B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:08:47

R4#sh ip route bgp

B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:56

B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:56

B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:09:02




of 846


B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:56

B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:09:02

B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:09:02

ASA1

ASA1(config-router-af)# neighbor 192.168.1.1 next-hop-selfASA1(config-router-af)# neighbor 192.168.2.1 next-hop-self

ASA1(config-router-af)# neighbor 192.168.3.1 next-hop-self

ASA1(config-router-af)# neighbor 192.168.4.1 next-hop-self

R1

R1#sh ip route bgp

B 192.168.105.0/24 [200/0] via 192.168.1.2, 00:00:04

B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:04:48

B 192.168.35.0/24 [200/0] via 192.168.1.2, 00:00:04

B 192.168.103.0/24 [200/0] via 192.168.1.2, 00:00:04

B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:04:48B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:04:48

R2

R2#sh ip route bgp

B 192.168.105.0/24 [200/0] via 192.168.2.2, 00:00:09

B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:12:39

B 192.168.35.0/24 [200/0] via 192.168.2.2, 00:00:08

B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:12:39

B 192.168.103.0/24 [200/0] via 192.168.2.2, 00:00:08

B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:12:39

R4

R4#sh ip route bgp

B 192.168.105.0/24 [200/0] via 192.168.4.2, 00:00:12

B 192.168.35.0/24 [200/0] via 192.168.4.2, 00:00:12

B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:12:43

B 192.168.103.0/24 [200/0] via 192.168.4.2, 00:00:12

B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:12:43

B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:12:43

R3

R3#sh ip route bgpB 192.168.104.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:22:24

B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:00:47

B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:00:47




of 846


B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:00:47

ASA1(config-router-af)# aggregate-address 192.10.0.0 255.255.248.0

R3#sh ip route bgp

B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:23:46

B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:02:09B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:02:09

B 192.10.0.0/21 [20/0] via 192.168.3.2, 00:00:07

ASA1(config-router-af)# aggregate-address 192.10.0.0 255.255.248.0 summary-only

R3#sh ip route bgp

B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:03:31

B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:25:09B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:03:31

B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:03:31

B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:03:31

B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:03:31

B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:03:31

B 192.10.0.0/21 [20/0] via 192.168.3.2, 00:01:29

ASA1# ping 192.168.35.2




R5#ping 192.168.3.2



!!!!!








of 846


ASA1(config-router-af)# neighbor 192.168.35.2 ebgp-multihop 2

R5(config-router)#router bgp 200


R5(config-router)#neighbor 192.168.3.2 ebgp-multihop 2

R5(config-router)#*Oct 7 07:15:01.111: %BGP-5-ADJCHANGE: neighbor 192.168.3.2 Up

ASA1# sh bgp neighbors 192.168.35.2

BGP neighbor is 192.168.35.2, context single_vf, remote AS 200, external link




Neighbor sessions:


Neighbor capabilities:Route refresh: advertised and received(new)




Message statistics:

InQ depth is 0

OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0Updates: 6 5

Keepalives: 2 3

Route Refresh: 0 0

Total: 9 9


R5#sh ip bgp neighbors 192.168.3.2

BGP neighbor is 192.168.3.2, remote AS 100, external link



Last read 00:01:12, last write 00:00:11, hold time is 180, keepalive interval is 60 secondsNeighbor capabilities:

Route refresh: advertised and received(old & new)


Message statistics:

InQ depth is 0

OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0

Updates: 5 6

Keepalives: 4 2

Route Refresh: 0 0




of 846


Total: 10 9


router bgp 100

bgp log-neighbor-changesaddress-family ipv4 unicast

ASA1(config-router-af)# no neighbor 192.168.35.2 ebgp-multihop 2

ASA1(config-router-af)# neighbor 192.168.35.2 ttl-security hops 2


R5(config-router)#no neighbor 192.168.3.2 ebgp-multihop 2

R5(config-router)#neighbor 192.168.3.2 ttl-security hops 2






















ASA1# sh route dmz1









of 846





C 192.168.2.0 255.255.255.0 is directly connected, dmz1L 192.168.2.2 255.255.255.255 is directly connected, dmz1

ASA1# sh route dmz2











ASA1# sh route



N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2





B 192.10.0.0 255.255.248.0 [200/0] via 0.0.0.0, 00:11:07, Null0

B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06

B 192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06

B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06B 192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06

B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06

B 192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06









B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13




of 846


B 192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:13:13

B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:13:13

B 192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13

B 192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:13:13

B 192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13






ASA1(config-router-af)# neighbor 192.168.1.1 distribute-list 10 in

ASA1# clear bgp 192.168.1.1

ASA1# sh route









B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03

B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03









B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:49B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:14:49

B 192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:49

B 192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:14:56

B 192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:56

Note:-

BGP is out of the scope of this book this book is specially designed for ASA

if you want to know which commands are working or available please have a look blow




of 846



ASA1(config-router)# ?

Router configuration commands:

address-family Enter Address Family command modebgp BGP specific commands

exit Exit from router configuration mode

help Interactive help for router subcommands

no Negate a command

timers Adjust routing timers



ASA1(config-router-af)# ?

Router Address Family configuration commands:aggregate-address Configure BGP aggregate entries

auto-summary Enable automatic network number summarization

bgp BGP specific commands

default Set a command to its defaults

default-information Control distribution of default information

distance Define an administrative distance

distribute-list Filter networks in routing updates

exit-address-family Exit from Address Family configuration mode

help Description of the interactive help system

maximum-paths Forward packets over multiple paths

neighbor Specify a neighbor routernetwork Specify a network to announce via BGP

no Negate a command or set its defaults

redistribute Redistribute information from another routing protocol

synchronization Perform IGP synchronization

table-map Map external entry attributes into routing table

ASA1(config-router-af)# neighbor 192.168.1.1 ?

bgp address-family mode commands/options:

activate Enable the Address Family for this Neighbor

advertisement-interval Minimum interval between sending BGP routing updatesdefault-originate Originate default route to this neighbor

description Neighbor specific description

disable-connected-check one-hop away EBGP peer using loopback address

distribute-list Filter updates to/from this neighbor

ebgp-multihop Allow EBGP neighbors not on directly connected

networks

filter-list Establish BGP filters

local-as Specify a local-as number

maximum-prefix Maximum number of prefixes accepted from this peer

next-hop-self Disable the next hop calculation for this neighbor

password Set a password

prefix-list Filter updates to/from this neighbor




of 846


remote-as Specify a BGP neighbor

remove-private-as Remove private AS number from outbound updates

route-map Apply route map to neighbor

send-community Send Community attribute to this neighbor

shutdown Administratively shut down this neighbor

timers BGP per neighbor timerstransport Transport options

ttl-security BGP ttl security check

version Set the BGP version to match a neighbor

weight Set default weight for routes from this neighbor

.........Thanks....




of 846


Chapter 29


EIGRP & OSPF in Multiple Mode

Diagram:-

Initial-config


Dynamic Routing in Context




of 846


no shutdown

ip add 192.168.101.100 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 192.168.101.1

interface l1

ip add 1.1.1.1 255.255.255.0R2


no shutdown

ip add 192.168.102.100 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 192.168.102.1

int l1

ip add 2.2.2.2 255.255.255.0

R3



no shutdown

int f0/1

no shutdown

ip add 102.1.1.1 255.255.255.0

no shutdown

ASA1


WARNING: This command will change the behavior of the deviceWARNING: This command will initiate a Reboot




no shutdown


no shutdown


no shutdown

interface gigabitEthernet 0/3no shutdown

!

context c1




!

context c2





of 846




!

changeto context c1


nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0

no shu




!!!!!





!!!!!




!!!!!


changeto context c2


no shu

nameif inside

ip add 192.168.102.1



ip add 102.1.1.100 255.255.255.0

no shu


ASA1/c2(config)# ping 192.168.102.100



!!!!!








of 846




!!!!!


changeto context c1

router ei 100

no au

net 192.168.101.0


R1

router ei 100

no auto-summary

net 0.0.0.0

ASA1/c1# sh eigrp neighbors

EIGRP-IPv4 Neighbors for AS(100) context(c1)

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 192.168.101.100 inside 12 00:00:30 1 200 0 3

ASA1/c1# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.101.1) context(c1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status


via Rstatic (2560000256/0)


via Connected, inside


via 192.168.101.100 (130816/128256), inside

ASA1/c1# sh route eigrp

Routing Table: c1Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP








D 1.1.1.0 255.255.255.0

[90/130816] via 192.168.101.100, 00:00:48, inside




of 846


ASA1/c1(config-router)# router eigrp 100

ASA1/c1(config-router)# passive-interface default

ASA1/c1(config-router)# no passive-interface inside

ASA1/c1(config-router)# neighbor 192.168.101.100 interface inside

ASA1/c1(config-router)# distance eigrp 111 222

ASA1/c1(config-if)# interface gigabitEthernet 0/0

ASA1/c1(config-if)# hello-interval eigrp 100 2

ASA1/c1(config-if)# hold-time eigrp 100 4

ASA1/c1(config-if)# authentication mode eigrp 100 md5

ASA1/c1(config-if)# authentication key eigrp 100 shiva key-id 100

Remaining features are same...............................

ASA1/c2(config-router)# changeto context c2

ASA1/c2(config)# router ospf 100

ASA1/c2(config-router)# network 192.168.102.0 255.255.255.0 area 0

ASA1/c2(config-router)# default-information originate always

R2(config-if)#int f0/0

R2(config-if)#ip ospf 100 area 0

R2(config-if)#int lo1R2(config-if)#ip ospf 100 area 0

ASA1/c2# sh ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

2.2.2.2 1 FULL/BDR 0:00:30 192.168.102.100 inside

ASA1/c2# sh ospf database

OSPF Router with ID (192.168.102.1) (Process ID 100)



2.2.2.2 2.2.2.2 31 0x80000003 0x60a2 2

192.168.102.1 192.168.102.1 30 0x80000003 0x2fb3 1






of 846


192.168.102.1 192.168.102.1 30 0x80000001 0x318e

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag

0.0.0.0 192.168.102.1 101 0x80000001 0x5925 100

ASA1/c2# sh route ospf

Routing Table: c2








O 2.2.2.2 255.255.255.255

[110/11] via 192.168.102.100, 00:00:38, inside

Remaining features are same...............................

ASA1/c2(config)# router bgp 100

%BGP process cannot be created in non-system contextERROR: Unable to create router process

ASA1/c2(config)# changeto system


ASA1(config-router)#




of 846


Chapter 30


How to configure site-site in multiple mode

Diagram:-

Initial-config

R1

Site-Site VPN in Context




of 846


member c2-class




!

ASA1(config-ctx)# changeto context c1ASA1/c1(config)#

changeto context c1


no shu

nameif inside

ip add 192.168.101.1


no shu

nameif outside

ip add 101.1.1.100 255.255.255.0no shu


ASA1/c1(config)# ping 192.168.101.100



!!!!!





!!!!!




no shu

nameif inside

ip add 192.168.102.1


nameif outside

ip add 102.1.1.100 255.255.255.0


ASA1/c2(config)# ping 192.168.102.100



!!!!!







of 846




!!!!!





encryption aes

hash sha

group 5

lifetime 1800




crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmaccrypto ipsec security-association lifetime seconds 1800









authentication pre-shareencryption aes

hash sha

group 5

lifetime 1800







crypto map test 10 set ikev1 transform-set t-setcrypto map test 10 set peer 101.1.1.100




R1#ping 192.168.102.100 repeat 100



.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!





of 846


R2#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ASA1/c1(config)# sh crypto ikev1 sa

IKEv1 SAs:

Active SA: 1


Total IKE SA: 1

1 IKE Peer: 102.1.1.100



ASA1/c1(config)# sh cry

ASA1/c1(config)# sh crypto ip

ASA1/c1(config)# sh crypto ipsec sa

interface: outside











#TFC rcvd: 0, #TFC sent: 0#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0






current outbound spi: 6D68EF77

current inbound spi : 18275EA3

ASA1/c2(config)# sh crypto ikev1 sa

IKEv1 SAs:




of 846


Active SA: 1


Total IKE SA: 1

1 IKE Peer: 101.1.1.100Type : L2L Role : responder


ASA1/c2(config)# sh cry

ASA1/c2(config)# sh crypto ip

ASA1/c2(config)# sh crypto ipsec sa

interface: outside












#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0#send errors: 0, #recv errors: 0





current outbound spi: 18275EA3

current inbound spi : 6D68EF77


object network insidesubnet 192.168.101.0 255.255.255.0

object network s2s

subnet 192.168.102.0 255.255.255.0

exit







subnet 192.168.102.0 255.255.255.0




of 846


object network s2s

subnet 192.168.101.0 255.255.255.0

exit



access-list out permit icmp any object insideaccess-group out in interface outside

R1#ping 192.168.102.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R1#ping 101.1.1.1 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#ping 192.168.101.100 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


R2#pin

R2#ping 101.1.1.1 re

R2#ping 101.1.1.1 repeat 100



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!





of 846


Chapter 31


Clustering


Configuration Replication

ASA Cluster Management

ASA Features and Clustering

Centralized Featuring

Performance Throughput

Clustering




of 846


Clustering enables we group multiple ASAs together as a single logical device.

Note:-

ASA OS version 9.2 Support for 16 members for the cluster. The ASA 5585-X now supports 16-unit

clusters. Support for 32 active links in a spanned Ether-Channel for clustering

Master Unit

Slave Unit New Connection Ownership

ASA Cluster Interfaces & Modes

Cluster Control Link

High Availability within the ASA Cluster

Data Path Connection State Replication

1. The First device on which you will configure Clustering that become master unit.

2. You must perform all configuration on the master unit only the configuration is then

replicated to the slave units.

3. Bootstrap is configured on all master & slaves.

Master Unit Election

1. When you enable clustering for a unit it broadcasts an election request every 3 seconds.

2. If after 45 seconds, a unit does not receive a response from another unit with a higher

priority, then it becomes master.

3.

Note if multiple units tie for the highest priority, the cluster unit name, and then the serialnumber is used to determine the master.

4. If a unit later joins the cluster with a higher priority, it does not automatically become the

master unit; the existing master unit always remains as the master unless it stops

responding, at which point a new master unit is elected.

Note: - You can manually force a unit to become the master. For centralized features, if you force a

master unit change, then all connections are dropped, and you have to re-establish the connections

on the new master unit.

Clustering


Master Unit




of 846


When we enable clustering on other devices. They join the cluster as slaves. or we can configure

When a new connection is directed to a member of the cluster, that unit owns both directions of the

connection. If any connection packets arrive at a different unit, they are forwarded to the owner unit

over the cluster control link.

We can configured data interface as either spanned EtherChannels or as individual interfaces. All

data interfaces in the cluster must be one type only.

Interface Types

Spanned EtherChannel

Interfaces on multiple members of the cluster are grouped into a single EtherChannel.

Slave Unit

New Connection Ownership

ASA Cluster Interfaces

Spanned EtherChannel




of 846


Individual interfaces are normal routed interfaces, each with their own local IP address. Because

interface configuration must be configured only on the master unit.

Individual interfaces (Routed mode only)




of 846


Each unit must dedicate at least one hardware interface as the cluster control link. Cluster control

link traffic includes both control and data traffic.

Control traffic includes:

Master election.

Configuration replication.

Health monitoring.

Data traffic includes:

State replication.

Connection ownership queries and data packet forwarding.

Cluster Control Link Network

Each cluster control link has an IP address on the same subnet. This subnet should be isolated from

all other traffic.


Interface monitoring


The master unit monitors every slave unit by sending keepalive messages over the cluster

control link periodically (the period is configurable).

Each slave unit monitors the master unit using the same mechanism.

Cluster Control Link

High Availability within the ASA Cluster





of 846


Each unit monitors the link status of all hardware interfaces in use, and reports status changes to themaster unit.

Spanned EtherChannel—Uses cluster Link Aggregation Control Protocol (cLACP). Each unit

monitors the link status and the cLACP protocol messages to determine if the port is still

active in the EtherChannel. The status is reported to the master unit.

Individual interfaces (Routed mode only)—each unit self-monitors its interfaces and reports

interface status to the master unit.

Unit or Interface Failure

When health monitoring is enabled, a unit is removed from the cluster if it fails or if its interfaces

fail.

When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to

other unit’s state information for traffic flows is shared over the control cluster link.

If the master unit fails, then another member of the cluster with the highest priority (lowest

number) becomes the master.

Every connection has one owner and at least one backup owner in the cluster. The backup owner

does not take over the connection in the event of a failure instead, it stores TCP/UDP state

information, so that the connection can be seamlessly transferred to a new owner in case of a

failure.

Interface monitoring





of 846


All units in the cluster share a single configuration. Except for the initial bootstrap configuration

Management Network should be isolated to other network

Management Interface can be individual or spanned

Connection Roles

Sample Data Flow

Rebalancing New Connections across the Cluster

There are 3 different ASA roles defined for each connection:

Owner—The unit that initially receives the connection. The owner maintains the TCP state

and processes packets. A connection has only one owner.

Director—The unit that handles owner lookup requests from forwarders and also maintains

the connection state to serve as a backup if the owner fails. When the owner receives a new

connection, it chooses a director based on a hash of the source/destination IP address and

TCP ports, and sends a message to the director to register the new connection. If packets

arrive at any unit other than the owner, the unit queries the director about which unit is theowner so it can forward the packets. A connection has only one director.

Forwarder—A unit that forwards packets to the owner. If a forwarder receives a packet for a

connection it does not own, it queries the director for the owner, and then establishes a

flow to the owner for any other packets it receives for this connection. The director can also

be a forwarder. Note that if a forwarder receives the SYN-ACK packet, it can derive the

owner directly from a SYN cookie in the packet, so it does not need to query the director (if

you disable TCP sequence randomization, the SYN cookie is not used; a query to the director

is required). For short-lived flows such as DNS and ICMP, instead of querying, the forwarder

immediately sends the packet to the director, which then sends them to the owner. A

connection can have multiple forwarders; the most efficient throughput is achieved by a

Configuration Replication

ASA Cluster Management

How the ASA Cluster Manages

Connection Roles




of 846


good load-balancing method where there are no forwarders and all packets of a connection

are received by the owner.

1. The SYN packet originates from the client and is delivered to an ASA (based on the load

balancing method), which becomes the owner. The owner creates a flow, encodes owner

information into a SYN cookie, and forwards the packet to the server.

2. The SYN-ACK packet originates from the server and is delivered to a different ASA (based on

the load balancing method). This ASA is the forwarder.

3. Because the forwarder does not own the connection, it decodes owner information from the

SYN cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the

owner.

4. The owner sends a state update to the director, and forwards the SYN-ACK to the client.

5.

The director receives the state update from the owner, creates a flow to the owner, andrecords the TCP state information as well as the owner. The director acts as the backup

owner for the connection.

6. Any subsequent packets delivered to the forwarder will be forwarded to the owner.

7. If packets are delivered to any additional units, it will query the director for the owner and

establish a flow.

8. Any state change for the flow results in a state update from the owner to the director.

Sample Data Flow




of 846


Unsupported Features

These features cannot be configured with clustering enabled, and the commands will be rejected.

Unified Communications

Remote access VPN (SSL VPN and IPsec VPN)

The following application inspections:

– CTIQBE

– GTP

– H323, H225, and RAS

– IPsec passthrough

–

MGCP – MMP

– RTSP

– SIP

– SCCP (Skinny)

– WAAS

– WCCP

Botnet Traffic Filter

Auto Update Server

DHCP client, server, relay, and proxy

VPN load balancing Failover

ASA CX module

The following features are only supported on the master unit, and are not scaled for the cluster. For

example, you have a cluster of eight units (5585-X with SSP-60). The Other VPN license allows a

maximum of 10,000 IPsec tunnels for one ASA 5585-X with SSP-60. For the entire cluster of eightunits, you can only use 10,000 tunnels; the feature does not scale. For centralized features, if the

master unit fails, all connections are dropped, and you have to re-establish the connections on the

new master unit.

Site-to-site VPN

The following application inspections:

– DCERPC

– NetBios

– PPTP

– RADIUS

–

RSH

ASA Features and Clustering

Centralized Features




of 846


– SUNRPC

– TFTP

– XDMCP

Dynamic routing (spanned EtherChannel mode only)

Multicast routing (individual interface mode only)

Static route monitoring IGMP multicast control plane protocol processing (data plane forwarding is distributed

across the cluster)

PIM multicast control plane protocol processing (data plane forwarding is distributed across

the cluster)

Authentication and Authorization for network access. Accounting is decentralized.

Filtering Services

Features Applied to Individual Units

QoS

Threat detection

When you place the cluster in your network, the upstream and downstream routers need to be able

to load-balance the data coming to and from the cluster. Using one of the following methods:

Spanned Ether-Channel (Recommended)

Policy-Based Routing (Routed mode only)

Equal-Cost Multi-Path Routing (Routed mode only)

Interfaces on multiple members of the cluster are grouped into a single EtherChannel the

EtherChannel performs load balancing between units.

In spanned ether-channel , ether-channel load balancing algorithm is used.

The upstream and downstream routers perform load balancing between units using route maps and

ACLs.

The upstream and downstream routers perform load balancing between units using equal cost static

or dynamic routes.

Spanned Ether-Channel (Recommended)

Policy-Based Routing (Routed mode only)

Equal-Cost Multi-Path Routing-Routed




of 846


• 70% of the combined throughput • 60% of maximum connections

• 50% of connections per second

For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of real

world firewall traffic when running alone.

For a cluster of 8 units, 8*10= 80 Gbps will be approximately 70% of 80 Gbps (8 units x 10 Gbps): 56

Gbps

For a cluster of 16 units, 16*10=160 Gbps will be approximately 70% of 160 Gbps: 112 Gbps

Diagram:-

Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2


no shutdown

ip add 192.168.102.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.102.1

ASA1 Master Bootstrap Configuration

cluster interface-mode spanned force

Performance Throughput




of 846


ASA1/A(config)#

ASA1/A(config)#

ASA1/A(config)# sh cluster info

Cluster shiva: On

Interface mode: spanned

This is "A" in state MASTERID : 0

Version : 9.2(2)4

Serial No.: FCH16407FXZ

CCL IP : 192.168.1.1

CCL MAC : 6c20.56bd.ea87

Last join : 16:14:25 UTC Oct 10 2014

Last leave: N/A

Other members in the cluster:

Unit "B" in state SLAVE

ID : 1

Version : 9.2(2)4Serial No.: FCH16407G0X

CCL IP : 192.168.1.2

CCL MAC : 6c20.56bd.df21

Last join : 16:20:50 UTC Oct 10 2014

Last leave: 16:17:39 UTC Oct 10 2014

ASA1/B# sh cluster info

Cluster shiva: On

Interface mode: spanned

This is "B" in state SLAVEID : 1

Version : 9.2(2)4

Serial No.: FCH16407G0X

CCL IP : 192.168.1.2

CCL MAC : 6c20.56bd.df21

Last join : 16:20:50 UTC Oct 10 2014

Last leave: N/A

Other members in the cluster:

Unit "A" in state MASTER

ID : 0

Version : 9.2(2)4Serial No.: FCH16407FXZ

CCL IP : 192.168.1.1

CCL MAC : 6c20.56bd.ea87

Last join : 16:14:25 UTC Oct 10 2014

Last leave: N/A

ASA1/A(config)# sh cluster conn

Usage Summary In Cluster:*********************************************

16 in use, stub connection 0 in use (cluster-wide aggregated)

A(LOCAL):*************************************************************

8 in use, 10 most used, stub connection 0 in used, 0 most used




of 846


B:********************************************************************


ASA1/B# sh cluster conn

Usage Summary In Cluster:*********************************************17 in use, stub connection 0 in use (cluster-wide aggregated)

B(LOCAL):*************************************************************


A:********************************************************************


ASA1/A(config)# sh port-channel summary

Flags: D - down P - bundled in port-channel

I - stand-alone s - suspended

H - Hot-standby (LACP only)

U - in use N - not in use, no aggregation/nameif

M - not in use, no aggregation due to minimum links not met

w - waiting to be aggregated

Number of channel-groups in use: 2

Group Port-channel Protocol Span-cluster Ports

------+-------------+---------+------------+------------------------------------

1 Po1(U) LACP Yes Gi0/1(P)2 Po2(U) LACP Yes Gi0/3(P)

ASA1/B# sh port-channel summary








Group Port-channel Protocol Span-cluster Ports------+-------------+---------+------------+------------------------------------

1 Po1(U) LACP Yes Gi0/1(P)

2 Po2(U) LACP Yes Gi0/3(P)

ASA1/A# sh int ip brief


GigabitEthernet0/0 192.168.1.1 YES unset up up

GigabitEthernet0/1 unassigned YES unset up up








of 846







Port-channel1 192.168.101.1 YES manual up upPort-channel2 192.168.102.1 YES manual up up

ASA1/B# sh int ip brief


GigabitEthernet0/0 192.168.1.2 YES unset up up






Internal-Control0/0 127.0.1.1 YES unset up upInternal-Data0/0 unassigned YES unset down down




Port-channel1 192.168.101.1 YES CONFIG up up

Port-channel2 192.168.102.1 YES CONFIG up up

SW1#sh vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------1 default active Fa1/0/2, Fa1/0/3, Fa1/0/4

Fa1/0/5, Fa1/0/6, Fa1/0/7

Fa1/0/8, Fa1/0/9, Fa1/0/10

Fa1/0/12, Fa1/0/13, Fa1/0/15

Fa1/0/16, Fa1/0/17, Fa1/0/18

Fa1/0/19, Fa1/0/20, Fa1/0/24

Gi1/0/1, Gi1/0/2

101 VLAN0101 active Fa1/0/1, Po1

102 VLAN0102 active

1002 fddi-default act/unsup

1003 trcrf-default act/unsup1004 fddinet-default act/unsup

1005 trbrf-default act/unsup

SW2#sh vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/3, Fa0/4, Fa0/5

Fa0/6, Fa0/7, Fa0/8, Fa0/9

Fa0/11, Fa0/12, Fa0/14, Fa0/15

Fa0/16, Fa0/17, Fa0/18, Fa0/23

Fa0/24, Gi0/1, Gi0/2




of 846


101 VLAN0101 active

102 VLAN0102 active Fa0/2, Po2

1002 fddi-default act/unsup

1003 trcrf-default act/unsup

1004 fddinet-default act/unsup

1005 trbrf-default act/unsup

SW1#sh etherchannel summary




R - Layer3 S - Layer2

U - in use f - failed to allocate aggregator

M - not in use, minimum links not met

u - unsuitable for bundling

w - waiting to be aggregatedd - default port


Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+-----------------------------------------------

1 Po1(SU) LACP Fa1/0/11(P) Fa1/0/14(P)

SW2#sh etherchannel summaryFlags: D - down P - bundled in port-channel



R - Layer3 S - Layer2

U - in use f - failed to allocate aggregator

M - not in use, minimum links not met

u - unsuitable for bundling


d - default port


Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+-----------------------------------------------

2 Po2(SU) LACP Fa0/10(P) Fa0/13(P)

ASA1/A(config)# sh cluster conn






of 846


A(LOCAL):*************************************************************


B:********************************************************************


ASA1/B# sh cluster conn



B(LOCAL):*************************************************************


A:********************************************************************


ASA1/A(config)# sh cluster access-list

hitcnt display order: cluster-wide aggregated result, A, B

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list out; 1 elements; name hash: 0x5589cfea

access-list out line 1 extended permit icmp any any (hitcnt=3, 0, 3) 0x4f3e126c

ASA1/B# sh cluster access-list

hitcnt display order: cluster-wide aggregated result, B, A

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300access-list out; 1 elements; name hash: 0x5589cfea

access-list out line 1 extended permit icmp any any (hitcnt=3, 3, 0) 0x4f3e126c

SW1

SW1#sh running-config


Current configuration : 3436 bytes

!

version 12.2

no service padservice timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SW1

!

boot-start-marker

boot-end-marker

!

!

!

!




of 846


no aaa new-model

switch 1 provision ws-c3750-24p

system mtu routing 1500

no ip domain-lookup

!

!!

!

crypto pki trustpoint TP-self-signed-3398030592

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3398030592

revocation-check none

rsakeypair TP-self-signed-3398030592

!

!

crypto pki certificate chain TP-self-signed-3398030592

certificate self-signed 013082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33333938 30333035 3932301E 170D3933 30333031 30303031

34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393830

33303539 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B71A 93D8E49D C81AF71A 6691EA05 DEC986D2 BB34BFC9 94C85C14 F5FD5663

401DBF29 94356037 D453D201 9A7D5346 717D2C40 9FBC2F07 172590EF A9D508C1

33EE703E 0197FC1F D8F23810 A54A1D61 D88D8761 246C8E27 1290964B F46CB991

9BF2270A 05EB0159 C1815D12 4BB98EE4 A708FB5C A3728098 20D7E002 9846919A

767B0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603551D1104 08300682 04535731 2E301F06 03551D23 04183016 8014A77A 6EE8D5A3

2F3CC9BA DA830E8F A8567A87 BD4B301D 0603551D 0E041604 14A77A6E E8D5A32F

3CC9BADA 830E8FA8 567A87BD 4B300D06 092A8648 86F70D01 01040500 03818100

8CBB655C 8805B6AA B6C6E88A 0F97321C 9386F7D1 D6FC8E56 AC95263D 4A3C353E

4E3BF867 CB3ACCBF 4746DBCA 9997C688 52EE83C0 3EFBED29 EE46D396 186A01B7

3BF59B1A 37E690C9 1162867E EBAB3A32 8AA8DB26 2759EB33 9601F7A5 40285F02

8DA8A86B 8BECB5F0 4782C36F D0CCADD6 BD15EB13 B4C0E5A4 B28DB1A4 E96E2CCF

quit

!

!

!spanning-tree mode pvst

spanning-tree portfast default

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

interface Port-channel1

switchport access vlan 101

switchport mode access




of 846


!

interface FastEthernet1/0/1



!

interface FastEthernet1/0/2!


!


!


!


!


!interface FastEthernet1/0/8

!


!



!




channel-group 1 mode active!


!



!




channel-group 1 mode active


!


!


!


!


!


!




of 846



!


!



!

interface GigabitEthernet1/0/1

!

interface GigabitEthernet1/0/2

!

interface Vlan1

ip address dhcp

!

ip classless


!

!

ip sla enable reaction-alerts

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line vty 0 4login

line vty 5 15

login

!

end

SW1#

SW2

SW2#sh ru

SW2#sh running-config


Current configuration : 4045 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SW2

!

!




of 846


no aaa new-model

ip subnet-zero

no ip domain-lookup

!

!

!crypto pki trustpoint TP-self-signed-1187955840

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1187955840

revocation-check none

rsakeypair TP-self-signed-1187955840

!

!

crypto pki certificate chain TP-self-signed-1187955840

certificate self-signed 01

3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 31313837 39353538 3430301E 170D3933 30333031 30303031

30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383739

35353834 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B68A 8F1A0987 7DE1BEE3 8A770370 2889D0D7 38086A59 6C976F82 04FAEB9C

59CEA030 70552551 CEFCD186 FA411F3B 6674363A 0BB0EFAA 030F4619 47F3CC18

D5889167 A42B3D0B 5EEF8076 49A7B1F3 7BDDCC2B EDE3FC20 4306AF7C 5E4B9E6B

0BB6C927 10C5D9BF 9940AA46 96C91F35 DED5E9B5 BE5A031D D910D861 1AC0569F

58830203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603

551D1104 08300682 04535732 2E301F06 03551D23 04183016 80143605 878C31DB

DC5A5428 7B800116 62CFD3DB 80AC301D 0603551D 0E041604 14360587 8C31DBDC5A54287B 80011662 CFD3DB80 AC300D06 092A8648 86F70D01 01040500 03818100

3CC0DD50 37CBC9C8 42B37386 79FEFA3C 02F53B4C 23DA6BEE 5E1ED166 17F5414F

48DF65EE F1AF7509 63DE1E42 3899E5F3 133B11AC BBEB2210 99197D5C 89391410

1AA41D6A CA850B39 AB5CC299 17F17F02 1002E315 ECEC95D1 00900B2E 357D040B

A4F6A1B2 EB0A839B 381C611B 7F63BE09 31C31232 DCCB3C83 6F6F0A5D 110BAB80

quit

!

!

spanning-tree mode pvst

spanning-tree portfast default

spanning-tree extend system-id!

vlan internal allocation policy ascending

!

!

!

!

!

!




!




of 846



switchport mode dynamic desirable

!



switchport mode access!



!



!



!

interface FastEthernet0/6switchport mode dynamic desirable

!



!



!



!interface FastEthernet0/10




!



!







!



!



!





of 846



!



!

interface FastEthernet0/18switchport mode dynamic desirable

!



!



!





!



!



!


switchport mode dynamic desirable!



!

interface Vlan1

ip address dhcp

!

ip classless

ip http server


!!

!

control-plane

!

!

line con 0

exec-timeout 0 0

logging synchronous

line vty 0 4

login

line vty 5 15

login




of 846


!

end

SW2#

ASA1/MasterASA1(config)# sh running-config

: Saved

:

: Serial Number: FCH16407FXZ

: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)

:

ASA Version 9.2(2)4

!

hostname ASA1


names!


description Clustering Interface

!



no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2no nameif

no security-level

no ip address

!



no nameif

no security-level

no ip address

!


no security-level

no ip address

!


no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown




of 846


no nameif

no security-level

no ip address

!


lacp max-bundle 8port-channel span-cluster

mac-address aaaa.bbbb.cccc

nameif inside

security-level 100

ip address 192.168.101.1 255.255.255.0

!


lacp max-bundle 8

port-channel span-cluster

mac-address aaaa.dddd.cccc

nameif outsidesecurity-level 0

ip address 192.168.102.1 255.255.255.0

!

ftp mode passive

access-list out extended permit icmp any any

cluster group shiva

key *****

local-unit A

cluster-interface GigabitEthernet0/0 ip 192.168.1.1 255.255.255.0

priority 10

health-check holdtime 3clacp system-mac auto system-priority 1

enable

pager lines 24

mtu inside 1500

mtu outside 1500

mtu cluster 1500

sno failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnectedaccess-group out in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location




of 846


no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

no ssh stricthostkeycheck

ssh timeout 5ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!



!

!

policy-map type inspect dns preset_dns_mapparameters

message-length maximum client auto





inspect ftp

inspect rsh

inspect esmtp

inspect sqlnet

inspect sunrpcinspect xdmcp

inspect netbios

inspect tftp

inspect ip-options

!


prompt hostname context

Cryptochecksum:49b89413b0c2641169352402952806c1

: end

ASA1(config)#

ASA2/Slave

ASA1(cfg-cluster)# sh running-config

: Saved

:

: Serial Number: FCH16407G0X

: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)

:

ASA Version 9.2(2)4

!

hostname ASA1


names




of 846


!


description Clustering Interface

!


channel-group 1 mode activeno nameif

no security-level

no ip address

!


no nameif

no security-level

no ip address

!


channel-group 2 mode activeno nameif

no security-level

no ip address

!


no nameif

no security-level

no ip address

!


no nameifno security-level

no ip address

!


management-only

shutdown

no nameif

no security-level

no ip address

!

interface Port-channel1lacp max-bundle 8


mac-address aaaa.bbbb.cccc

nameif inside

security-level 100

ip address 192.168.101.1 255.255.255.0

!


lacp max-bundle 8


mac-address aaaa.dddd.cccc

nameif outside




of 846


security-level 0

ip address 192.168.102.1 255.255.255.0

!

ftp mode passive

access-list out extended permit icmp any any

cluster group shivakey *****

local-unit B

cluster-interface GigabitEthernet0/0 ip 192.168.1.2 255.255.255.0

priority 20

health-check holdtime 3

clacp system-mac auto system-priority 1

enable

pager lines 24

mtu inside 1500

mtu outside 1500

mtu cluster 1500no failover



arp timeout 14400

no arp permit-nonconnected




timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute



dynamic-access-policy-record DfltAccessPolicy





crypto ca trustpool policy

telnet timeout 5

no ssh stricthostkeycheckssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list


!



!

!





of 846


parameters





inspect dns preset_dns_mapinspect ftp

inspect rsh

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect xdmcp

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy globalprompt hostname context

Cryptochecksum:5bfa37f9cceb992fef77e50f46518ca1

: end




of 846


Chapter 32


ASA as DHCP

ASA as DHCP Relay Agent

Disable Fragmentation on ASA

Enabling uRPF on ASA

Ether-channal

Redundent Interface

Diagram:-

Management of ASA




of 846


Initial-config

R1


no shutdown

ip add 192.168.101.100 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.101.1

R2


no shutdown

no ip address

R3


no shutdown

ip add 101.1.1.1 255.255.255.0

no shutdown

int l1

ip add 102.1.1.1 255.255.255.0

no shutdown

R4


no shutdown

ip add 192.168.20.100 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.20.1




of 846


SW1

ip routing

int vlan 1

ip add 192.168.101.1 255.255.255.0

no shutdown

exitinterface range fastEthernet 1/0/10 - 11

no switchport


interface Port-channel 1

ip add 192.168.1.1 255.255.255.0

no shutdown

router ei 100

no auto-summary

net 0.0.0.0

ASA1

interface GigabitEthernet0/0channel-group 1 mode active

no nameif

no security-level

no ip address

!



no nameif

no security-level

no ip address


nameif dmz1

security-level 60

ip address 192.168.10.1 255.255.255.0

!


no nameif

no security-level

no ip address

!


no security-level

no ip address

!


nameif dmz2

security-level 50

ip address 192.168.20.1 255.255.255.0

!


management-only

shutdown




of 846


no nameif

no security-level

no ip address

!

interface Redundant1

member-interface GigabitEthernet0/3member-interface GigabitEthernet0/4

nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

!


lacp max-bundle 8

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

ASA1(config-router)# sh int ip brief










Internal-Data0/1 unassigned YES unset down downInternal-Data0/2 unassigned YES unset up up


Port-channel1 192.168.1.2 YES manual up up

Redundant1 101.1.1.100 YES manual up up

route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

router eigrp 100

network 192.168.1.0 255.255.255.0


!

ASA1# ping 192.168.101.100



!!!!!


ASA1# pin

ASA1# ping 192.168.20.100



!!!!!


ASA1# pin




of 846


ASA1# ping 102.1.1.1



!!!!!


ASA1# sh port-channel summary








Group Port-channel Protocol Span-cluster Ports

------+-------------+---------+------------+------------------------------------

1 Po1(U) LACP No Gi0/0(P) Gi0/1(P)

ASA1# sh interface redundant 1

Interface Redundant1 "outside", is up, line protocol is up

Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is off

MAC address 6c20.56bd.ea85, MTU 1500

IP address 101.1.1.100, subnet mask 255.255.255.0

9 packets input, 846 bytes, 0 no buffer

Received 3 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 pause input, 0 resume input

3 L2 decode drops

8 packets output, 782 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

input queue (blocks free curr/low): hardware (1013/505)

output queue (blocks free curr/low): hardware (1022/510)

Traffic Statistics for "outside":

6 packets input, 546 bytes8 packets output, 584 bytes

0 packets dropped

1 minute input rate 0 pkts/sec, 0 bytes/sec

1 minute output rate 0 pkts/sec, 0 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 0 bytes/sec

5 minute output rate 0 pkts/sec, 0 bytes/sec

5 minute drop rate, 0 pkts/sec

Redundancy Information:

Member GigabitEthernet0/3(Active), GigabitEthernet0/4

Last switchover at 18:03:31 UTC Oct 8 2014




of 846


ASA1





R1#ping 101.1.1.1



!!!!!


R1#ping 101.1.1.1 size 18000




ASA1(config)# fragment chain 1

ASA1(config)# fragment chain 1 inside

ASA1(config)# fragment chain 1 dmz1

ASA1(config)# fragment chain 1 dmz2

R1#ping 101.1.1.1 size 18000



.....


R1#ping 101.1.1.1



!!!!!


R1

R1(config)#interface lo1

R1(config-if)#ip add 1.1.1.1 255.255.255.255

R1(config-if)#^Z

R1#ping 101.1.1.1 source loopback 1 repeat 10




of 846





......








ICMP PAT from inside:1.1.1.1/6 to outside:101.1.1.100/6 flags ri idle 0:00:02 timeout 0:00:3

ASA1(config)# ip verify reverse-path interface inside

01.1.1.1 source loopback 1 repeat 10




......

ASA1# sh xlate






ASA AS DHCP

ASA1(config)# dhcpd address 192.168.10.100-192.168.10.254 dmz1

ASA1(config)# dhcpd enable dmz1ASA1(config)# dhcpd option 3 ip 192.168.10.1

R2

int f0/0

no shutdown

ip add dhcp

R2#sh ip int brief


FastEthernet0/0 192.168.10.100 YES DHCP up up

FastEthernet0/1 unassigned YES NVRAM up up

R2#sh ip ro

R2#sh ip route st




of 846


R2#sh ip route static

S* 0.0.0.0/0 [254/0] via 192.168.10.1

ASA1# sh dhcpd binding

IP address Client Identifier Lease expiration Type

192.168.10.100 0063.6973.636f.2d30. 3545 seconds Automatic

3031.662e.3965.3566.

2e38.3036.302d.4661.

302f.30

ASA AS DHCP RELAY_AGNET

ASA1(config)# clear configure dhcpd

R4

R4(config)#ip dhcp pool dmz1R4(dhcp-config)#network 192.168.10.0

R4(dhcp-config)#default-router 192.168.10.1

R4(dhcp-config)#ex

R4(config)#ip dhcp excluded-address 192.168.10.1

ASA1

ASA1(config)# dhcprelay server 192.168.20.100 dmz2

ASA1(config)# dhcprelay enable dmz1


R2(config-if)#no ip address

R2(config-if)#ip address dhcp

R2#sh ip int brief


FastEthernet0/0 192.168.10.2 YES DHCP up up

FastEthernet0/1 unassigned YES NVRAM up up

R2#sh ip route static


S 192.168.20.100 [254/0] via 192.168.10.1, FastEthernet0/0S* 0.0.0.0/0 [254/0] via 192.168.10.1

R4#sh ip dhcp binding



Hardware address/

User name

192.168.10.2 0063.6973.636f.2d30. Oct 09 2014 01:38 PM Automatic

3031.662e.3965.3566.

2e38.3036.302d.4661.

302f.30




of 846


Chapter 33


Active-Standby FO

Diagram:-

Initial-config

R1



ipv6 address 192:168:10::100/48

ipv6 route ::/0 192:168:10::1

!

R2

ipv6 unicast-routinginterface FastEthernet0/0

Active-Standby IPv6 FO




of 846


ipv6 address 192:168:20::100/48

ipv6 route ::/0 192:168:20::1

R3


ipv6 address 101:1:1::1/48

ASA1


nameif inside

security-level 100

no ip address

ipv6 address 192:168:10::1/48 standby 192:168:10::2

!


nameif outside

security-level 0no ip address


!


nameif dmz

security-level 50

no ip address


!


ASA1# ping 192:168:10::100



!!!!!


ASA1# ping 192:168:20::100



!!!!!


ASA1# ping 101:1:1::1Type escape sequence to abort.


!!!!!



subnet 192:168:10::/48

object network s2s

subnet 192:168:102::/48




of 846


ASA1


nat (inside,outside) source static R1 interface ipv6 service telnet telnet

nat (inside,outside) source dynamic any interface ipv6

access-list out extended permit icmp6 any 192:168:10::/48access-list out extended permit tcp any object R1 eq telnet


R3#debug ipv6 icmp


R1#ping 101:1:1::1




R3#debug ipv6 icmp


R3#

*Oct 9 06:13:44.059: ICMPv6: Received ICMPv6 packet from FE80::200:CFF:FE07:AC05, type 136

R3#










R3#telnet 101:1:1::100

Trying 101:1:1::100 ... Open

R1>

ASA1

failover



failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover key shiva


failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02





of 846



failover link shiva GigabitEthernet0/3

failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2

ASA2

failoverfailover lan unit secondary



failover polltime interface msec 500 holdtime 5

failover key shiva








Failover On




Interface Poll frequency 500 milliseconds, holdtime 5 seconds

Interface Policy 1



failover replication httpVersion: Ours 9.2(2)4, Mate 9.2(2)4





Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)

Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)

Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)



slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)Interface inside (0.0.0.0/fe80::200:cff:fe07:ac02): Normal (Monitored)






General 85 0 76 0

sys cmd 75 0 75 0

up time 0 0 0 0


TCP conn 0 0 0 0




of 846


UDP conn 0 0 0 0

ARP tbl 0 0 0 0


IPv6 ND tbl 10 0 0 0


VPN IKEv1 P2 0 0 0 0VPN IKEv2 SA 0 0 0 0



VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0


Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 9 567

Xmit Q: 0 1 172

ASA2

ASA1(config)# sh failoverFailover On





Interface Policy 1





Last Failover at: 06:30:14 UTC Oct 9 2014This host: Secondary - Standby Ready















of 846





General 94 0 110 0

sys cmd 93 0 93 0up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 0 0 0 0


IPv6 ND tbl 0 0 16 0




VPN IKEv2 P2 0 0 0 0VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0


Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 9 541

Xmit Q: 0 282 585

ASA1


System config has been modified. Save? [Y]es/[N]o: yCryptochecksum: e120f795 a8075185 3bbb3555 55f80897


Proceed with reload? [confirm]

ASA1(config)#

ASA2





of 846


Failover On





Interface Policy 1Monitored Interfaces 3 of 114 maximum





This host: Secondary - Active



Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Waiting)

Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Waiting)

Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Waiting)Other host: Primary - Failed


slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)

Interface inside (0.0.0.0): Unknown (Monitored)

Interface outside (0.0.0.0): Unknown (Monitored)

Interface dmz (0.0.0.0): Unknown (Monitored)




of 846


Chapter 34


Active-Active IPv6 FO

Diagram:-

Active-Active IPv6 FO




of 846


Initial-config

R1




no sh

ipv6 route ::/0 192:168:101::1

R2



no shutdown

ipv6 add 192:168:102::100/48

no shutdown

ipv6 route ::/0 192:168:102::1

R3



no shutdown

ipv6 add 101:1:1::1/48

no shutdown

int f0/1

no shutdown

ipv6 add 102:1:1::1/48

no shutdown

ASA1






ASA2






ASA1


ASA1(config-if)# no shutdown










of 846




!

class c1

limit-resource Conns 50.0%limit-resource Xlates 65000


!

class c2


limit-resource Xlates 65000


!

!

admin-context admin

context admin

config-url disk0:/admin.cfg

!

context c1

member c1




join-failover-group 1!

context c2

member c2





!

failover group 1

preemptfailover group 2

secondary

preempt

!

!

failover







of 846


ASA1/c1(config)# sh running-config

: Saved

:

: Hardware: ASA5512:

ASA Version 9.2(2)4 <context>

!

hostname c1


names

ipv6 local pool inside 192:168:101::111/48 10

ipv6 local pool outside 101:1:1::111/48 10

!



no ip address

ipv6 address 192:168:101::1/48 cluster-pool inside

!


nameif outside

security-level 0

no ip address

ipv6 address 101:1:1::100/48 cluster-pool outside

!

access-list out extended permit icmp6 any anypager lines 24

mtu inside 1500

mtu outside 1500



arp timeout 14400





timeout pat-xlate 0:00:30timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02










telnet timeout 5

ssh stricthostkeycheck




of 846


ssh timeout 5



!


match default-inspection-traffic!

!


parameters






inspect ftp

inspect h323 h225inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sipinspect xdmcp

!


Cryptochecksum:885c4647c80e89f4ec3a2eaa43731b2f

: end

ASA1/c2(config)# sh running-config

: Saved

:

: Hardware: ASA5512

:

ASA Version 9.2(2)4 <context>

!

hostname c2


names




of 846


ipv6 local pool inside 192:168:102::111/48 10

ipv6 local pool outside 102:1:1::111/48 10

!


nameif inside

security-level 100no ip address

ipv6 address 192:168:102::1/48 cluster-pool inside

!


nameif outside

security-level 0

no ip address

ipv6 address 102:1:1::100/48 cluster-pool outside

!

access-list out extended permit icmp6 any any

pager lines 24mtu inside 1500

mtu outside 1500



arp timeout 14400






timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00









telnet timeout 5

ssh stricthostkeycheckssh timeout 5



!



!

!


parameters






of 846





inspect ftp

inspect h323 h225

inspect h323 rasinspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp!


Cryptochecksum:d7353dc0e7aca0f5812eb5557e8df3dd

: end

ASA1(config)#

failover




failover polltime interface msec 500 holdtime 5failover replication http



failover group 1

preempt

failover group 2

secondary

preempt

ASA1/act(config)# sh failover

Failover OnFailover unit Primary




Interface Policy 1










of 846


This host: Primary






c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)

c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Monitored)



Other host: Secondary













General 22 0 17 0sys cmd 15 0 15 0

up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 0 0 0 0


IPv6 ND tbl 3 0 0 0



VPN IKEv2 SA 0 0 0 0VPN IKEv2 P2 0 0 0 0


VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0


Router ID 0 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0


IPv6 Route 0 0 0 0




of 846


STS Table 0 0 0 0


Cur Max Total

Recv Q: 0 2 70

Xmit Q: 0 2 199

ASA1/stby(config)# sh failover

Failover On





Interface Policy 1
















Other host: Primary



Group 2 State: Standby ReadyActive time: 3 (sec)









General 21 0 26 0




sys cmd 19 0 19 0

up time 0 0 0 0


TCP conn 0 0 0 0

UDP conn 0 0 0 0


IPv6 ND tbl 0 0 3 0






VPN SDI upd 0 0 0 0


SIP Session 0 0 0 0


Cisco ASA Second Generation's OS 9.x

Documents

Transcript of Cisco ASA Second Generation's OS 9.x