Cisco ASA Second Generation's OS 9.x
7/18/2019 Cisco ASA Second Generation's OS 9.x
http://slidepdf.com/reader/full/cisco-asa-second-generations-os-9x 1/844
Secure Your Network With Cisco ASA Second Generation's OS 9.x
Page 2 of 846
Baldev Singh Deshwal, CCIE No. 37094
About the Authors
Baldev Singh Deshwal, CCIE No. 37094, is a Senior Network Security Engineer at Network Bulls.
His primary job responsibilities include configuring, maintaining and troubleshooting the NB
network; he also provides corporate training and Cisco certification training.
Additional certifications include MCP, MCSA, MCTS, Certified.
About the Technical Reviewers
Baldev Singh Deshwal, CCIE Security, CCIE No. 37094.
Dedications
This book is dedicated to the one and only Almighty Lord Shiva, who created such conditions that I
could not stop myself from writing this book.
Special Thanks
My special thanks to my students, who helped me write this book:
Sandeep Yadav, Vishwajeet Rathore, Ram Swaroop Yadav, Aman Soni,
Keshav Trivedi, Shivendra and Lab Administrator Chander Prakash.
Contents At A Glance
Section I. Firewall Overview
Chapter 1 Firewall Introduction
Chapter 2 ASA Introduction
Chapter 3 ASA Basics
Section II. Routing on ASA
Chapter 4 Routing Introduction
Chapter 5 RIP
Chapter 6 EIGRP
Chapter 7 OSPF
Chapter 8 IPv6 Introduction
Chapter 9 SLA
Chapter 10 Multicasting
Section III. Access-list & NAT
Chapter 11 Introduction of Access-list
Chapter 12 NAT on OS 8.0
Chapter 13 NAT on OS 9.2.2.4
Chapter 14 CTP
Section IV. IPSec Introduction
Chapter 15 Overview of IPSec
Chapter 16 Site-Site VPN
Chapter 17 Remote Access VPN
Chapter 18 VPN Load balancing
Chapter 19 SSL VPN
Section V. Advanced Firewall Features
Chapter 20 Transparent Firewall
Chapter 21 Context
Chapter 22 Failover
Chapter 23 MPF
Section VI. OS 9.x Advanced Features
Chapter 24 OSPFv3
Chapter 25 NAT on OS 9.2.x on IPv6
Chapter 26 Site-Site VPN on IPv6
Chapter 27 SSL VPN on IPv6
Chapter 28 BGP
Chapter 29 Dynamic Routing in Context
Chapter 30 Site-Site VPN in Context
Chapter 31 Clustering
Chapter 32 Management of ASA
Chapter 33 IPv6 Active-Standby FO
Chapter 34 IPv6 Active-Active FO
Contents
Section I. Firewall Overview
Chapter 1 Firewall Introduction
Introduction of Firewall
Packet Filtering
Proxy Server
Stateful Firewall
Transparent Firewall
Chapter 2 ASA Introduction
Introduction of ASA
ASA Features
Proprietary Operating System (P)
Stateful Firewall
User Based Authentication
Protocols & Application Inspection
Modular Policy Framework
Virtual Private Network
Virtual Firewall
Web Based Management
Transparent Firewall
Stateful Failover (P)
IPv6
Clustering
VPN Load Balancing (P)
Chapter 3 ASA Basics
How to set Hostname
How to set enable password
How to assign IP address to interface
How to assign security-level
How to enable Telnet
How to enable SSH
How to enable HTTP
How to take Backup of ASA
How to Upgrade ASA
How to recover ASA password
Diagrams & Labs:-
Section II. Routing on ASA
Chapter 4 Routing Introduction
Introduction of Routing
Routing Types
Static Routing
Default Routing
Dynamic Routing
Routing Protocols
Routed Protocols
IGP
EGP
AS
IGP Types
EGP Types
Distance Vector
Link State
Enhanced Distance Vector
Chapter 5 RIP
Introduction of RIP
RIP Versions
Difference between V1 & V2
RIP Timers
RIP Loop Avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Diagrams & Labs:-
Chapter 6 EIGRP
Introduction of EIGRP
EIGRP Components
Protocol Dependent Module
Reliable Transport Protocol
Neighbour Discovery & Recovery
Diffusing Update Algorithm
EIGRP Messages
EIGRP Terminology
Successor
Feasible Distance
Feasible Successor
Feasible Successor Requirements
Advertised Distance/Reported Distance
Input Event
Local Computation
Going Active
EIGRP Additional Features
Incremental Updates
Multicast Updates
Unequal Cost Load Balancing
EIGRP Tables
Neighbour Table
Topology Table
Routing Table
EIGRP Neighbourship Requirements
EIGRP Metric
EIGRP Modes
Diagrams & Labs:-
Chapter 7 OSPF
Introduction of OSPF
Difference Between Distance vector & Link State
OSPF Tables
OSPF Messages
OSPF Hello Message Contents
OSPF Message Contents
OSPF States
OSPF Priority
DR & BDR
OSPF Metric
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Virtual Links
OSPF Neighbour Requirements
Diagrams & Labs:-
Chapter 8 IPv6 Introduction
Introduction of IPv6
IPv6 Address Types
Global Unicast
Unique Local
Link-local
Link-local Address
IPv6 Structure
IPv6 Routing Protocols
RIPng
IS-ISv6
OSPFv3
EIGRPv6
MP-BGP-4
Diagrams & Labs:-
Chapter 9 SLA
Introduction of SLA
Diagrams & Labs:-
Chapter 10 Multicasting
IP Address Types
Unicast
Broadcast
Multicast
Multicast Mac Structure
Multicast Address
IGMP
Version 1
Version 2
Version 3
IGMP Snooping
Multicast Routing Protocols
PIM
RPF
Distribution Tree
Source Tree
Shared Tree
PIM Modes
Dense Mode
Sparse Mode
Sparse-Dense-Mode
PIM versions
Diagrams & Labs:-
Section III. Access-list & NAT
Chapter 11 Introduction of Access-list
Introduction of Access-list & Types
Standard Access-list
Extended Access-list
Time-Based Access-list
Object Groups & Types
Network Object
Protocol Object
Service Object
ICMP Object
Diagrams & Labs:-
Chapter 12 NAT on OS 8.0
Practical of
Static NAT (8.0)
Dynamic NAT (8.0)
PAT (8.0)
Static PAT (8.0)
NAT Bypass (8.0)
Identity NAT (8.0)
NAT Exemption (8.0)
Policy NAT (8.0)
Diagrams & Labs:-
Chapter 13 NAT on OS 9.2.2.4
Practical of
Static NAT (8.4 & Later)
Dynamic NAT (8.4 & Later)
PAT (8.4 & Later)
Static PAT (8.4 & Later)
Identity NAT (8.4 & Later)
Twice NAT (8.4 & Later)
Diagrams & Labs:-
Chapter 14 CTP
CTP Introduction
AAA
TACACS+
RADIUS
CTP Working
Diagrams & Labs:-
Section IV. IPSec Introduction
Chapter 15 Overview of IPSec
IPSec Introduction
IPsec Features
Confidentiality
Integrity
Data Origin Authentication
Anti-Replay
IPSec Protocols
IKE
ESP
AH
IKE Mode
Main Mode
Aggressive Mode
Quick Mode
IKE Phases
Phase 1
Phase 1.5
Phase 2
IPSec Modes
Transport Mode
Tunnel Mode
SA
SA Components
SAD
SPD
NAT-T
NAT-T Steps
NAT-T Support
NAT-T Detection
NAT-T Decision
ISAKMP
Chapter 16 Site-Site VPN
Introduction
Working
Diagrams & Labs:-
Chapter 17 Remote Access VPN
Introduction
Modes
Client
Network Extension
Network Extension Plus
Diagrams & Labs:-
Chapter 18 VPN Load balancing
Introduction
Supported Protocols
Cluster
Master
Member
Load balancing
Virtual Cluster Agent
Diagrams & Labs:-
Chapter 19 SSL VPN
SSL Introduction
SSL Mode
Clientless
Thin-client
Thick-client
Requirements
Working
Diagrams & Labs:-
Section V. Advanced Firewall Features
Chapter 20 Transparent Firewall
Introduction of Transparent Firewall
ASA Modes: Routed & Transparent
Transparent Firewall Limitations
Diagrams & Labs:-
Chapter 21 Context
Introduction of Context
System Area
Admin Context
Context Chaining
Mac-Address Auto
Context Requirements
Context Limitations
Diagrams & Labs:-
Chapter 22 Failover
Introduction of Failover
Failover Requirements
Failover Hardware Requirements
Failover Software Requirements
Failover Types
Stateless Failover
Hardware Failover
Stateful Failover
Failover Implementation Types
Active-Standby
Active-Active
Failover Limitations
Information Not Replicated During Failover
Failover Monitoring
Failover Link
Diagrams & Labs:-
Chapter 23 MPF
Introduction OF Modular Policy Framework
MPF Features
Inspection of Connection
Connection Restriction
Traffic Prioritization
Traffic Policing
MPF Components
Class-map
Policy-map
Service-policy
Default-inspected Protocols & applications
DCE
SUN RPC
ILS
NetBIOS
XDMCP
IPSec-Pass-Through
ICMP
FTP
SMTP
DNS
TFTP
HTTP
RSH
SQL.NET
SIP
SCCP
CTIQBE
MGCP
Diagrams & Labs:-
Section VI. OS 9.x Advanced Features
Chapter 24 OSPFv3
Diagrams & Labs:-
Chapter 25 NAT on OS 9.2.x on IPv6
Diagrams & Labs:-
Static
Dynamic
PAT
Static PAT
Identity NAT
Twice NAT
Chapter 26 Site-Site VPN on IPv6
Diagrams & Labs:-
Chapter 27 SSL VPN on IPv6
Diagrams & Labs:-
Clientless
Thin-client
Chapter 28 BGP
BGP Introduction
BGP Messages
iBGP
eBGP
BGP States
BGP Terminology
Next-hop-self
Route-reflector-client
BGP redistribute-internal
Summarization or Aggregation
Diagrams & Labs:-
Chapter 29 Dynamic Routing in Context
Diagrams & Labs:-
EIGRP
OSPF
Chapter 30 Site-Site VPN in Context
Diagrams & Labs:-
Chapter 31 Clustering
Introduction of Clustering
Clustering Terminology
Master
Slaves
Interface Types
Load balancing in Clustering
Cluster Monitoring
Limitation of Clustering
Supported Features of Clustering
Diagrams & Labs:-
Chapter 32 Management of ASA
ASA as DHCP Server
ASA as DHCP Relay Agent
Fragmentation
uRPF
EC
Redundant Interface
Diagrams & Labs:-
Chapter 33 Active-Standby IPv6 FO
Diagrams & Labs:-
Chapter 34 Active-Active IPv6 FO
Diagrams & Labs:-
Practicals Covered in this book
1. ASA_BASIC
2. ASA_Static_&_Default
3. ASA_RIP
4. ASA_EIGRP
5. ASA_OSPF
6. ASA_SLA
7. ASA_CTP
8. ASA_Multicasting
9. ASA_ACL_&_Objects
10. ASA_ipv6_static_default
11. ASA_NAT_8.0
12. ASA_NAT_9.2
13. How_To_Configure_2003_As_CA
14. How_To_Configure_2008_As_CA
15. How_To_Configure_2012_As_CA
16. How_To_Configure_IOS_As_CA
17. ASA_s2s_pre_8.0
18. ASA_s2s_rsa_8.0
19. ASA_s2s_overlapping_subnet
20. ASA_s2s_pre_ikev1
21. ASA_s2s_rsa_ikev1_2003_ca
22. ASA_s2s_pre_ikev2
23. ASA_s2s_rsa_ikev2_2008_ca
24. ASA_s2s_rsa_ikev2_ios_Ca
25. ASA_s2s_rsa_ikev2_2012_Ca
26. ASA_ra_pre_8.0
27. ASA_ra_rsa_8.0
28. ASA_ra_ikev1_pre
29. ASA_ra_ikev1_rsa
30. ASA_ssl_8.0
31. ASA_ssl_9.2
32. ASA_vpn_load_balancing
33. ASA_Transparent_firewall
34. ASA_context
35. ASA_Inter_context_routing
36. ASA_active_standby_fo
37. ASA_active_active_fo
38. ASA_mpf
39. ASA_EC_RE
40. ASA9.x_bgp
41. ASA9.x_clustering
42. ASA9.x_dynamic_routing
43. ASA9.x_ospfv3
44. ASA9.x_s2s_in_context
45. ASA9.x_ssl
46. ASA9.x_ipv6_s2s
47. ASA9.x_ipv6_nat
48. ASA9.x_ipv6_active_standby_fo
49. ASA9.x_ipv6_active_active_fo
50. To be continued...
Chapter 1
Introducing Firewalls & Firewall Techniques
After reading this chapter you will be able to describe:
Firewall
Firewall techniques
Packet Filtering
Proxy Server
Stateful Firewall
Transparent Firewall

Firewall Introduction
A firewall is a system, or group of systems, that manages access between two or more networks.

Firewall Techniques
1. Packet Filtering
2. Proxy Server
3. Stateful Firewall
4. Transparent Firewall

Packet Filtering
In packet filtering, packets are filtered using access-lists. On Cisco IOS we can use standard or
extended access-lists, named access-lists, time-based access-lists, dynamic access-lists, reflexive
access-lists and TCP established access-lists to filter the traffic. A packet filter judges each packet
on its own; it keeps no record of the connection the packet belongs to.
Advantages
Easy to implement
Cost-effective
Disadvantages
Not scalable
Complex access-lists are hard to create and maintain

Proxy Server
It works as an intermediate system between the inside and the outside world. It does not allow
inside users to reach the outside directly, or outside users to reach the inside directly; every
connection terminates on the proxy.
Limitations
Single point of failure
It introduces delay

Stateful Firewall
As the name tells us, a stateful firewall maintains the state of a connection while packets travel
through the appliance. It records the connection in a state table and then forwards the packet to
the destination. When it receives the reply packet it matches the packet's information against the
state table: if there is a match the packet is accepted, otherwise it is dropped.
State table contents
Source IP
Destination IP
Source Port
Destination Port
Additional information (SYN, SYN-ACK, ACK)

Transparent Firewall
It works at layer 2, i.e. it forwards frames based on the destination MAC address, but it still has
the capability to filter traffic from layer 2 to layer 7.
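The difference between a packet filter and a stateful firewall described above, as an added Python example that is not from the book: a toy state table keyed on the connection's addresses and ports with the SYN / SYN-ACK / ACK handshake state, placed next to a stateless filter that only checks whether ACK is set (the behaviour of an IOS "established" rule). The addresses and packets are constructed for the demo.

```python
"""Toy stateful firewall next to a stateless 'established' packet filter.

Added example, not from the book: it models the state table described in
this chapter (source/destination IP and port plus TCP handshake state) and
shows why a stateless filter that only looks at TCP flags accepts a spoofed
"reply" that a stateful firewall drops. All addresses and packets are
constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN", "ACK"})
    direction: str            # "outbound" (inside -> outside) or "inbound"


def stateless_established_filter(pkt):
    """Packet filter in the spirit of 'permit tcp any any established':
    outbound is always allowed, inbound is allowed whenever ACK is set.
    It keeps no memory of earlier packets."""
    if pkt.direction == "outbound":
        return True
    return "ACK" in pkt.flags


class StatefulFirewall:
    """State table keyed on the connection 4-tuple as seen from the inside."""

    def __init__(self):
        self.state_table = {}   # (in_ip, in_port, out_ip, out_port) -> state

    def process(self, pkt):
        """Return True to forward the packet, False to drop it."""
        if pkt.direction == "outbound":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == frozenset({"SYN"}):      # new connection from inside
                self.state_table[key] = "SYN_SENT"
                return True
            state = self.state_table.get(key)
            if state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.state_table[key] = "ESTABLISHED"  # handshake completed
                return True
            return state == "ESTABLISHED"
        # inbound: look up the entry created by the inside host's SYN
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.state_table.get(key)
        if state is None:
            return False                              # no connection: drop
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.state_table[key] = "SYN_RECEIVED"
            return True
        return state == "ESTABLISHED"


def demo():
    """Run a handshake plus a spoofed inbound ACK through both filters."""
    fw = StatefulFirewall()
    inside, server, attacker = "192.168.101.100", "198.51.100.10", "203.0.113.9"
    syn = Packet(inside, server, 40000, 80, frozenset({"SYN"}), "outbound")
    synack = Packet(server, inside, 80, 40000, frozenset({"SYN", "ACK"}), "inbound")
    ack = Packet(inside, server, 40000, 80, frozenset({"ACK"}), "outbound")
    # An attacker forges a packet that looks like a reply (ACK set) but belongs
    # to no connection the inside host opened.
    spoofed = Packet(attacker, inside, 80, 40001, frozenset({"ACK"}), "inbound")
    return {
        "handshake": [fw.process(p) for p in (syn, synack, ack)],
        "state": fw.state_table[(inside, 40000, server, 80)],
        "spoofed_stateful": fw.process(spoofed),
        "spoofed_stateless": stateless_established_filter(spoofed),
    }


if __name__ == "__main__":
    print(demo())
```

The three handshake packets are forwarded and the entry ends in ESTABLISHED; the forged ACK is dropped by the state table but waved through by the flag-only filter, which is the gap stateful inspection closes.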
Chapter 2
Cisco ASA Introduction
After reading this chapter you will be able to describe:
Cisco ASA
Cisco ASA Features

What is Cisco ASA
The Cisco Adaptive Security Appliance (ASA) is a combination of a stateful firewall and a VPN concentrator.

ASA Features
Proprietary Operating System
Stateful Firewall
User-Based Authentication (CTP)
Protocol and Application Inspection
MPF
VPN
Virtual Firewalls
Web-Based Management
Transparent Firewall
Stateful Failover
IPv6
Clustering
VPN Load Balancing

Proprietary Operating System
Both the hardware and the software belong to Cisco, unlike vendors who run one company's OS on
another company's hardware.

Stateful Firewall
As the name tells us, it maintains the state of a connection while packets travel through the
appliance. It records the connection in a state table and then forwards the packet to the
destination. When it receives the reply packet it matches the packet's information against the
state table: if there is a match the packet is accepted, otherwise it is dropped.

User-Based Authentication
Using this feature (Cut-Through Proxy, CTP) we can authenticate inbound or outbound Telnet, HTTP,
HTTPS and FTP requests against an AAA server.

Protocol & Application Inspection
As part of MPF (Modular Policy Framework), protocol and application inspection enables deeper
inspection of application-layer protocols such as FTP, SMTP, DNS, TFTP, HTTP and NetBIOS.

Modular Policy Framework
An approach to gain the following features:
Inspection of connections
Connection restrictions
Traffic prioritization
Traffic policing

VPN
Cisco ASA supports IPsec, SSL and L2TP/IPsec for VPN:
IPsec (site-to-site and remote-access)
SSL (clientless, thin client, thick client)
L2TP/IPsec

Virtual Firewall
We can divide one appliance into many virtual appliances; these virtual appliances are called
virtual firewalls or security contexts.

Web-Based Management
If an engineer finds configuring the appliance through the CLI too complex, ASA can also be
configured through a GUI via ASDM.

Stateful Failover
A Cisco proprietary feature of the Cisco ASA that provides uninterrupted network access using
redundant appliances. It supports active-standby and active-active failover.

IPv6
Cisco ASA also supports IPv6 routing: static, default and dynamic.

Clustering
A feature introduced in OS version 9.0 that enables us to group multiple appliances so that they
act as a single appliance.

VPN Load Balancing
A Cisco proprietary feature of the Cisco firewall. It enables multiple remote-access VPN servers to
appear as a single server.
Chapter 3
ASA Basics
After reading this chapter you will be able to configure and describe:
Cisco ASA modes
Hostname
Enable password
IP address on an interface
Security level
Telnet
SSH
HTTP
Backup
Upgrade
Password recovery

ASA Basic LAB
How to set the hostname
How to set the enable password
How to set an IP address on an interface
How to enable Telnet
How to enable SSH
How to enable HTTP
How to take a backup
How to upgrade an appliance
How to recover the password
Diagram:-

ASA Modes
ciscoasa>                         (user mode)
ciscoasa> enable
Password:
ciscoasa#                         (privileged / enable mode)
ciscoasa# conf t
ciscoasa(config)#                 (global configuration mode)

How to set the hostname
ciscoasa(config)# hostname ASA1
ASA1(config)#

How to set the enable password
ASA1(config)# enable password shiva
ASA1(config)# exit
ASA1# exit
Logoff
Type help or '?' for a list of available commands.
ASA1> enable
Password: shiva                   (typed, not echoed on a real console)
ASA1# conf t
ASA1(config)# ! remove the enable password
ASA1(config)# enable password     (just press Enter)

The passwords used throughout this lab (shiva, cisco) are placeholders for a closed lab network; an
appliance that is reachable by anyone else needs a strong enable password, never an empty one.
How to check the configuration
ASA1(config)# ! show run
ASA1(config)# sh running-config
: Saved
:
ASA Version 9.0(3)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level

How to check interface status
ASA1(config)# sh int ip brief
Interface                IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0       unassigned      YES unset  administratively down down
GigabitEthernet0/1       unassigned      YES unset  administratively down down
GigabitEthernet0/2       unassigned      YES unset  administratively down down
GigabitEthernet0/3       unassigned      YES unset  administratively down down
GigabitEthernet0/4       unassigned      YES unset  administratively down down
GigabitEthernet0/5       unassigned      YES unset  administratively down down

How to assign an IP address & security level to an interface
ASA1(config)# ! set interface IP
ASA1(config)# int g0/0
ASA1(config-if)# no sh
ASA1(config-if)# ip add 192.168.101.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# int g0/1
ASA1(config-if)# no sh
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.102.1 255.255.255.0
! The name "inside" gets security-level 100 automatically; any other name gets 0.
! Use "security-level <0-100>" under the interface when the defaults do not fit.
ASA1(config-if)# ! check
ASA1(config-if)# sh int ip brief
Interface                IP-Address      OK? Method Status  Protocol
GigabitEthernet0/0       192.168.101.1   YES manual up      up
GigabitEthernet0/1       192.168.102.1   YES manual up      up

! PC2 is an IOS router used as the outside host; PC1 (192.168.101.100) is the inside host.
PC2(config)# int fastEthernet 0/0
PC2(config-if)# ip add 192.168.102.100 255.255.255.0
PC2(config-if)# no shutdown

ASA1(config-if)# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config-if)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

How to enable Telnet
ASA1(config)# telnet 192.168.101.100 255.255.255.255 inside     (a single host)
ASA1(config)# telnet 192.168.101.0 255.255.255.0 inside         (a network)
ASA1(config)# telnet 0.0.0.0 0.0.0.0 inside                     (any host)
! The default Telnet password is cisco up to OS 8.6;
! in OS 9.0 and later the default password has been removed, so you have to set one.
ASA1(config)# sh ver
Cisco Adaptive Security Appliance Software Version 9.0(3)
ASA1(config)# passwd cisco
! verification on PC1

Telnet carries the password and the whole session in cleartext. Outside the lab, restrict it to a
management host (the first form above) or, better, leave it disabled and use SSH as shown next.
! How to enable SSH on Cisco ASA
ASA1(config)# domain-name cisco.com
ASA1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA1(config)# ssh 0 0 inside
ASA1(config)# ssh 0 0 outside
ASA1(config)# username shiva password shiva privilege 15
ASA1(config)# aaa authentication ssh console LOCAL
! verification on PC1

Without a modulus, crypto key generate rsa uses the default key size; add "modulus 2048" for anything
beyond a lab. The aaa authentication ssh console LOCAL line makes the ASA check the local username
database; on this release, without it SSH logins fall back to the default user pix with the Telnet
password. As with Telnet, "ssh 0 0 <interface>" admits any host; restrict it to the management subnet.
! verification on PC2
PC2# ssh -l shiva 192.168.102.1
Password:
Type help or '?' for a list of available commands.
ASA1>

! You cannot telnet to the interface with the lowest security level (here outside); SSH is allowed there.
ASA1(config)# telnet 0 0 outside
ASA1(config)# ssh 0 0 outside
PC2# telnet 192.168.102.1
Trying 192.168.102.1 ...
% Connection timed out; remote host not responding
PC2# ssh -l shiva 192.168.102.1
Password:

! How to enable the HTTP server (for ASDM)
ASA1(config)# ! find the ASDM image in flash
ASA1(config)# sh flash
--#-- --length-- -----date/time------ path
  146 0          Aug 29 2014 13:00:14 nat_ident_migrate
  147 1422       Sep 23 2014 17:29:26 admin.cfg
  148 2331       Sep 23 2014 17:29:26 old_running.cfg
   22 4096       Sep 27 2013 10:55:54 coredumpinfo
   23 59         Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
  149 35602388   Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
   11 4096       Aug 29 2014 12:48:00 log
   21 4096       Aug 29 2014 12:48:40 crypto_archive
  150 17851400   Aug 29 2014 12:56:32 asdm-66114.bin
  151 135168     Jan 01 1980 00:00:00 FSCK0000.REC
  152 12998641   Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
  153 4096       Aug 29 2014 13:29:32 sdesktop
  165 2082       Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
  166 2009       Aug 29 2014 13:42:06 sdesktop/data.xml
  154 6487517    Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
  155 6689498    Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
  156 4678691    Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
  157 333        Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
  158 36993024   Sep 23 2014 16:38:16 asa903-smp-k8.bin
  160 4096       Jan 01 1980 00:00:00 FSCK0001.REC
  161 31522773   Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg

4118732800 bytes total (3964596224 bytes free)
ASA1(config)# http server enable
ASA1(config)# http 0 0 inside
ASA1(config)# username shiva password shiva privilege 15
ASA1(config)# ! verification on client: browse to https://192.168.101.1 from PC1

"http 0 0 inside" lets every inside host reach ASDM; in production limit it to the management hosts
with "http <host> 255.255.255.255 inside".
Note:-
If something goes wrong, run this command on the ASA and initiate the connection again:
ASA1(config)# asdm image disk0:/asdm-66114.bin
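The Telnet, SSH and HTTP access lines above are the management-plane settings an auditor checks first. As an added Python example (not from the book), the script below parses a running-config of the shape this lab produces and flags the weak settings next to a hardened variant: Telnet at all, management access from any host, management exposed on the lowest-security interface, and SSH without "aaa authentication ssh console". Both configs are constructed for the example; only the encrypted enable-password line is taken from the book's show run.

```python
"""Audit ASA management-plane access lines (telnet / ssh / http / aaa).

Added example, not from the book. It parses the kind of running-config
this chapter produces and flags the settings a reviewer would question:
Telnet at all, management access from any host, management on the
lowest-security interface, and SSH without 'aaa authentication ssh console'.
Both configs below are constructed; only the enable-password line is
copied from the book's 'show run'.
"""
import re

# Constructed: what the lab leaves behind if every step is taken literally.
LAB_CONFIG = """\
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.102.1 255.255.255.0
http server enable
http 0 0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0 0 outside
ssh 0 0 inside
ssh 0 0 outside
"""

# Constructed: the same appliance with management pinned to PC1's subnet.
HARDENED_CONFIG = """\
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.102.1 255.255.255.0
http server enable
http 192.168.101.0 255.255.255.0 inside
ssh 192.168.101.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
"""

ANY_HOST = {"0", "0.0.0.0"}
MGMT_LINE = re.compile(r"^\s*(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ADDR = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|0)$")


def lowest_security_interfaces(lines):
    """nameifs whose security-level is the lowest configured (normally outside)."""
    levels, current = {}, None
    for line in lines:
        m = re.match(r"^\s*nameif\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*security-level\s+(\d+)", line)
        if m and current is not None:
            levels[current] = int(m.group(1))
    if not levels:
        return set()
    low = min(levels.values())
    return {name for name, lvl in levels.items() if lvl == low}


def audit_asa_config(config_text):
    """Return a list of (severity, finding) tuples; empty means nothing flagged."""
    lines = config_text.splitlines()
    lowest = lowest_security_interfaces(lines)
    findings = []
    ssh_enabled = False
    for line in lines:
        m = MGMT_LINE.match(line)
        if not m:
            continue
        proto, ip, mask, iface = m.groups()
        if not (ADDR.match(ip) and ADDR.match(mask)):
            continue                      # e.g. 'ssh key-exchange ...', not an access line
        if proto == "ssh":
            ssh_enabled = True
        if proto == "telnet":
            findings.append(("high", f"telnet enabled on {iface}: cleartext, use SSH"))
            if iface in lowest:
                findings.append(("info", f"telnet on lowest-security interface {iface} "
                                         "is refused by the ASA anyway; remove the line"))
        if ip in ANY_HOST and mask in ANY_HOST:
            findings.append(("medium", f"{proto} management open to any host on {iface}"))
        if proto in ("ssh", "http") and iface in lowest:
            findings.append(("medium", f"{proto} management exposed on lowest-security "
                                       f"interface {iface}"))
    has_ssh_aaa = any(re.match(r"^\s*aaa authentication ssh console", l) for l in lines)
    if ssh_enabled and not has_ssh_aaa:
        findings.append(("high", "ssh enabled without 'aaa authentication ssh console LOCAL'"))
    return findings
```

Run against the lab config it returns ten findings, three of them high; the hardened config returns none. The lowest-security interface is derived from the configured security-levels rather than assumed to be named "outside", so renamed interfaces are still caught.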
! ASA OS backup
ASA1(config)# sh flash:
--#-- --length-- -----date/time------ path
  146 0          Aug 29 2014 13:00:14 nat_ident_migrate
  147 1422       Sep 23 2014 17:29:26 admin.cfg
  148 2331       Sep 23 2014 17:29:26 old_running.cfg
   22 4096       Sep 27 2013 10:55:54 coredumpinfo
   23 59         Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
  149 35602388   Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
   11 4096       Aug 29 2014 12:48:00 log
   21 4096       Aug 29 2014 12:48:40 crypto_archive
  150 17851400   Aug 29 2014 12:56:32 asdm-66114.bin
  151 135168     Jan 01 1980 00:00:00 FSCK0000.REC
  152 12998641   Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
  153 4096       Aug 29 2014 13:29:32 sdesktop
  165 2082       Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
  166 2009       Aug 29 2014 13:42:06 sdesktop/data.xml
  154 6487517    Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
  155 6689498    Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
  156 4678691    Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
  157 333        Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
  158 36993024   Sep 23 2014 16:38:16 asa903-smp-k8.bin
  160 4096       Jan 01 1980 00:00:00 FSCK0001.REC
  161 31522773   Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg

4118732800 bytes total (3964596224 bytes free)
ASA1(config)# copy flash: tftp:
Source filename []? asa903-smp-k8.bin
Address or name of remote host []? 192.168.101.100
Destination filename [asa903-smp-k8.bin]?
Writing file tftp://192.168.101.100/asa903-smp-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
36993024 bytes copied in 130.870 secs (284561 bytes/sec)

This copies the running OS image to the TFTP server on PC1; the configuration is backed up separately
(copy running-config tftp:). TFTP is unauthenticated and unencrypted, so use it only on the management
network, and check that the byte count reported by the copy matches the length shown by sh flash:
(36993024 here).
ASA1(config)# ! ASA OS upgrade
ASA1(config)# ! The latest OS is on the PC1 FTP server
ASA1(config)# copy ftp://192.168.101.100/asa922-4-smp-k8.bin flash:
Address or name of remote host [192.168.101.100]? enter
Source filename [asa922-4-smp-k8.bin]? enter
Destination filename [asa922-4-smp-k8.bin]? enter
Accessing ftp://192.168.101.100/asa922-4-smp-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa922-4-smp-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
52457472 bytes copied in 63.150 secs (832658 bytes/sec)
ASA1(config)# sh flash:
--#-- --length-- -----date/time------ path
146 0 Aug 29 2014 13:00:14 nat_ident_migrate
147 1422 Sep 23 2014 17:29:26 admin.cfg
148 2331 Sep 23 2014 17:29:26 old_running.cfg
22 4096 Sep 27 2013 10:55:54 coredumpinfo
23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096 Aug 29 2014 12:48:00 log
21 4096 Aug 29 2014 12:48:40 crypto_archive
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096 Aug 29 2014 13:29:32 sdesktop
165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
166 2009 Aug 29 2014 13:42:06 sdesktop/data.xml
154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
157 333 Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
168 52457472 Sep 28 2014 13:23:59 asa922-4-smp-k8.bin
160 4096 Jan 01 1980 00:00:00 FSCK0001.REC
161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg
4118732800 bytes total (3912138752 bytes free)
! boot to latest os
ASA1(config)# boot system disk0:/asa922-4-smp-k8.bin
ASA1(config)# write
Building configuration...
Cryptochecksum: 23dfb1bc 85a02476 e2a94e9f 9626e623
2852 bytes copied in 0.750 secs
[OK]
ASA1(config)# sh running-config boot
boot system disk0:/asa922-4-smp-k8.bin
ASA1(config)# reload
Proceed with reload? [confirm]
ASA1(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** --- SHUTDOWN NOW ---
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa922-4-smp-k8.bin...
ASA1# sh version
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 6.6(1)
Compiled on Tue 29-Jul-14 23:41 PDT by builders
System image file is "disk0:/asa922-4-smp-k8.bin"
Config file at boot was "startup-config"
ASA1 up 40 secs
! password recovery
ASA1(config)# enable password asdasdwwqek89geuqbdqweqw
ASA1(config)# wr
ASA1(config)# write
ASA1# ex
Logoff
Type help or '?' for a list of available commands.
! Reset the appliance manually (power-cycle it). At the time of boot:
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 9 seconds.
! Press BREAK or ESC on the keyboard to interrupt the boot.
Use ? for help.
rommon #0> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #1> reset
ciscoasa> en
ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
ciscoasa(config)# copy startup-config running-config
Destination filename [running-config]?
.
Cryptochecksum (unchanged): 3968c06d 20751a6b 73f37918 d875d53d
2941 bytes copied in 0.370 secs
ASA1(config)#
ASA1(config)# enable password enter
ASA1(config)# config-register 0x01
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: y
Cryptochecksum: 3f5ee47a 0fe39be7 24974ec3 28f97b3b
3403 bytes copied in 0.710 secs
Proceed with reload? [confirm] enter
ASA1(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
ASA1> en
ASA1> enable
Password: (now no password)
ASA1#
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Chapter 4
After reading this chapter you will be able to describe:
Routing
Routing rules
Types of routing
Static Routing
Routing Protocols
Routed Protocols
IGP
EGP
Distance Vector
Link State
Enhanced Distance Vector
Routing on Cisco ASA
Routing
A process of transferring a packet from one network to another is called routing.
Routing Rules
1. If the destination is in the same subnet or network, the device forwards the packet directly to the destination.
Note:- An ARP request is used to find out the destination MAC address.
2. If the destination is not in the same subnet or network, the device forwards the packet to the default gateway.
Note:- An ARP request is used to find out the default gateway MAC address.
Routing Types
Static
Default
Dynamic
Static Routing
In static routing we define the route manually with the appropriate next hop. In static routing we always define networks that are not directly connected.
Advantages
Easy to implement
Less CPU overhead
Less bandwidth consumption
Disadvantages
Not scalable
Default Routing
It is used on a stub router or network. A stub router has only one entry or exit point. It can be used to reduce the size of the routing table.
Limitation
It can cause a loop in the network.
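The two forwarding rules and the static/default route types above, worked through in Python as an added example (not code from the book): a small forwarding table modelled on R1, where a destination on a connected subnet is delivered directly (ARP for the host itself), anything else goes to the next hop of the longest-matching static route (ARP for the next hop), and 0.0.0.0/0 is tried last because its prefix length is 0. The interface names and the 172.20.0.0/16 route are constructed for the example; the check that a next hop must itself be directly connected is what makes a mistyped next hop fail closed instead of forwarding blindly.

```python
"""Forwarding decision for one packet: rule 1 (same subnet -> deliver directly),
rule 2 (otherwise send to a next hop, falling back to the default route).
Constructed example in the spirit of the book's R1; not code from the book."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


def route(prefix: str, next_hop: str) -> Tuple[IPv4Net, IPv4Addr]:
    """Build one static-route entry, e.g. route("0.0.0.0/0", "192.168.1.2")."""
    return (ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop))


# Constructed tables modelled on R1: its LAN towards the ASA, one loopback,
# a static route for the R2 LANs and a static default route (0.0.0.0/0).
CONNECTED: Dict[str, IPv4Net] = {
    "FastEthernet0/0": ipaddress.ip_network("192.168.1.0/24"),
    "Loopback1": ipaddress.ip_network("172.10.1.0/24"),
}
STATIC_ROUTES: List[Tuple[IPv4Net, IPv4Addr]] = [
    route("172.20.0.0/16", "192.168.1.2"),   # hypothetical summary route to R2's LANs
    route("0.0.0.0/0", "192.168.1.2"),       # the default route, as on R1 in the book
]


def exit_interface(addr: IPv4Addr, connected: Dict[str, IPv4Net]) -> Optional[str]:
    """Interface whose subnet contains `addr`, if any."""
    for ifname, net in connected.items():
        if addr in net:
            return ifname
    return None


def lookup(dst: str,
           connected: Dict[str, IPv4Net] = CONNECTED,
           static_routes: List[Tuple[IPv4Net, IPv4Addr]] = STATIC_ROUTES
           ) -> Optional[Tuple[str, str, str]]:
    """Return (kind, exit interface, address to ARP for) or None if unroutable.
    kind is 'direct', 'static' or 'default'."""
    ip = ipaddress.ip_address(dst)
    # Rule 1: destination on a directly connected subnet -> ARP for the host itself.
    ifname = exit_interface(ip, connected)
    if ifname is not None:
        return ("direct", ifname, str(ip))
    # Rule 2: longest-prefix match over the static routes. The default route has
    # prefix length 0, so it only wins when nothing more specific matches.
    best: Optional[Tuple[IPv4Net, IPv4Addr]] = None
    for prefix, next_hop in static_routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        return None
    prefix, next_hop = best
    # The next hop itself must be directly connected; otherwise the route is
    # unusable and the packet is dropped rather than forwarded into the void.
    ifname = exit_interface(next_hop, connected)
    if ifname is None:
        return None
    kind = "default" if prefix.prefixlen == 0 else "static"
    return (kind, ifname, str(next_hop))   # ARP for the next hop, not the destination
```

`lookup("172.30.1.1")` returns the default route via 192.168.1.2 on FastEthernet0/0, exactly the path R1 takes to reach the outside router through the ASA in this chapter's topology, while a host on 192.168.1.0/24 is answered as "direct".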
Dynamic Routing
In dynamic routing we use a routing protocol. Routing protocols dynamically learn routes and send route information to the neighbouring routers.
Routed Protocols
They are those protocols which are able to carry data from one device to another device, like IP, IPX and AppleTalk.
Routing Protocol Types
IGP
EGP
Interior Gateway Protocol
They are those protocols which are designed to work within an AS.
IGP Types
Distance Vector
Link State
Enhanced DV (Hybrid)
AS (Autonomous System)
A collection of routers managed by a single organization.
Exterior Gateway Protocol
They are designed to work between ASes. BGP is the only EGP protocol.
Note: EGP was itself the name of a protocol in the past.
Distance Vector
A Distance Vector routing protocol selects the route based on distance, which is measured in hop count.
Hop Count
When a packet crosses a router, that is called one hop.
A Distance Vector routing protocol selects the route which reaches a network in the fewest hops.
Examples:- RIP, IGRP.
Link State
As the name tells us, a link state routing protocol sends updates based on the state of a link: when a link comes up or goes down it sends an update.
It sends updates with a sequence number, which starts at 0x80000001 and goes up to 0xFFFFFFFF.
Examples:- OSPF, IS-IS.
Enhanced DV
EIGRP is an Enhanced DV routing protocol: it is based on the distance vector algorithm but sends incremental updates like a link state protocol, so some people call it hybrid. Cisco calls it Enhanced DV.
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
Routing
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.2
ASA1(config-if)# interface g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# ip add 192.168.2.2
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.3.2
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip add 192.168.4.2
ASA1(config-if)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.2.2 YES manual up up
GigabitEthernet0/2 192.168.3.2 YES manual up up
GigabitEthernet0/3 192.168.4.2 YES manual up up
ASA1(config-if)# sh nameif
Interface Name Security
GigabitEthernet0/0 inside 100
GigabitEthernet0/1 dmz1 60
GigabitEthernet0/2 outside 0
GigabitEthernet0/3 dmz2 50
ASA1(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Static & Default Routing Commands on ASA
ASA1(config)# route inside 172.10.1.0 255.255.255.0 192.168.1.1
ASA1(config)# route inside 172.10.2.0 255.255.255.0 192.168.1.1
ASA1(config)# route inside 172.10.3.0 255.255.255.0 192.168.1.1
ASA1(config)# route inside 172.10.4.0 255.255.255.0 192.168.1.1
ASA1(config)# route inside 172.10.5.0 255.255.255.0 192.168.1.1
ASA1(config)# route inside 172.10.6.0 255.255.255.0 192.168.1.1
ASA1(config)# route dmz1 172.20.1.0 255.255.255.0 192.168.2.1
ASA1(config)# route dmz1 172.20.2.0 255.255.255.0 192.168.2.1
ASA1(config)# route dmz1 172.20.3.0 255.255.255.0 192.168.2.1
ASA1(config)# route dmz1 172.20.4.0 255.255.255.0 192.168.2.1
ASA1(config)# route dmz1 172.20.5.0 255.255.255.0 192.168.2.1
ASA1(config)# route dmz1 172.20.6.0 255.255.255.0 192.168.2.1
ASA1(config)# route outside 0 0 192.168.3.1 (Default Route)
ASA1(config)# route dmz2 172.40.1.0 255.255.255.0 192.168.4.1
ASA1(config)# route dmz2 172.40.2.0 255.255.255.0 192.168.4.1
ASA1(config)# route dmz2 172.40.3.0 255.255.255.0 192.168.4.1
ASA1(config)# route dmz2 172.40.4.0 255.255.255.0 192.168.4.1
ASA1(config)# route dmz2 172.40.5.0 255.255.255.0 192.168.4.1
ASA1(config)# route dmz2 172.40.6.0 255.255.255.0 192.168.4.1
ASA1(config)# ping 172.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.10.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.20.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.30.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.40.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.40.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172.40.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.40.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# sh route inside
S 172.10.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S 172.10.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S 172.10.3.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S 172.10.4.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S 172.10.5.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S 172.10.6.0 255.255.255.0 [1/0] via 192.168.1.1, inside
ASA1(config)# sh route dmz1
S 172.20.1.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S 172.20.2.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S 172.20.3.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S 172.20.4.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S 172.20.5.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S 172.20.6.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
ASA1(config)# sh route outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
ASA1(config)# sh route dmz2
S 172.40.1.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S 172.40.2.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S 172.40.3.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S 172.40.4.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S 172.40.5.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S 172.40.6.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
By default the ASA allows traffic from a higher security-level interface to a lower one without any access-list. Only TCP & UDP are allowed.
By default the ASA denies traffic from a lower security-level interface to a higher one; if you want to allow it, apply an access-list.
R1#telnet
*Sep 28 08:38:34.207: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 172.20.1.1
Trying 172.20.1.1 ... Open
Password required, but none set
[Connection to 172.20.1.1 closed by foreign host]
R1#telnet 172.30.1.1
Trying 172.30.1.1 ... Open
Password required, but none set
[Connection to 172.30.1.1 closed by foreign host]
R1#telnet 172.40.1.1
Trying 172.40.1.1 ... Open
Password required, but none set
[Connection to 172.40.1.1 closed by foreign host]
But.........................
R2#telnet 172.10.1.1
Trying 172.10.1.1 ...
% Connection timed out; remote host not responding
R2#telnet 172.30.1.1
Trying 172.30.1.1 ... Open
Password required, but none set
[Connection to 172.30.1.1 closed by foreign host]
R2#telnet 172.40.1.1
Trying 172.40.1.1 ... Open
Password required, but none set
[Connection to 172.40.1.1 closed by foreign host]
If you want to allow it, apply an access-list on the ASA:
ASA1(config)# access-list dmz1 permit ip 172.20.0.0 255.255.0.0 172.10.0.0 255.255.0.0
ASA1(config)# access-group dmz1 in interface dmz1
R2#ping 172.10.1.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 172.10.6.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.6.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#telnet 172.30.1.1 /source-interface loopback 1
Trying 172.30.1.1 ...
% Connection refused by remote host
This is due to the access-list: an applied access-list ends with an implicit deny, so on dmz1 only the traffic it permits (dmz1 to the R1 LAN) is allowed in.
If you want, in the ACL also permit the R3 LAN & R4 LAN.
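The default behaviour described above, and why R2's telnet to R3 broke as soon as an access-list was bound to dmz1, modelled in Python as an added example (not code from the book). It encodes ASA1's four security levels and the one ACL entry from this chapter; the `allowed()` function and its "TCP & UDP only" rule for higher-to-lower traffic follow the chapter's wording, and the point it makes is the implicit deny: once `access-group dmz1 in interface dmz1` is applied, the security-level default no longer decides for that interface and every flow the list does not permit is dropped, the previously working dmz1-to-outside telnet included.

```python
"""Model of the ASA's default interface policy and what changes once an
access-group is applied. Constructed example mirroring ASA1 in this chapter;
not code from the book."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Security levels exactly as set on ASA1 (nameif / security-level).
SECURITY_LEVEL = {"inside": 100, "dmz1": 60, "dmz2": 50, "outside": 0}


@dataclass
class Ace:
    """One access-list entry: <action> <proto> <src net> <dst net>. The ASA
    takes real subnet masks (255.255.0.0), not IOS wildcard masks."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; else "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action: str, proto: str, src: str, src_mask: str, dst: str, dst_mask: str) -> Ace:
    """Build an entry in the chapter's own syntax order: permit ip SRC MASK DST MASK."""
    return Ace(action, proto,
               ipaddress.ip_network(f"{src}/{src_mask}", strict=False),
               ipaddress.ip_network(f"{dst}/{dst_mask}", strict=False))


def acl_decision(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry wins. An applied ACL ends with an implicit deny,
    so anything not explicitly permitted is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if entry.proto in ("ip", proto) and s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def allowed(ingress: str, egress: str, proto: str, src: str, dst: str,
            inbound_acl: Optional[List[Ace]] = None) -> bool:
    """Is a new connection entering `ingress` and leaving `egress` permitted?
    `inbound_acl` is the list bound to `ingress` with `access-group ... in`."""
    if inbound_acl is not None:
        # Once an access-group is bound, the ACL decides; the security-level
        # default no longer applies on that interface.
        return acl_decision(inbound_acl, proto, src, dst) == "permit"
    if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
        # Higher to lower: allowed by default; the chapter notes TCP & UDP.
        return proto in ("tcp", "udp")
    # Lower to higher (or equal): denied until an access-list permits it.
    return False


# The one entry the chapter applies:
#   access-list dmz1 permit ip 172.20.0.0 255.255.0.0 172.10.0.0 255.255.0.0
DMZ1_ACL = [ace("permit", "ip", "172.20.0.0", "255.255.0.0", "172.10.0.0", "255.255.0.0")]
```

Running the chapter's tests through the model: R1 (inside, 100) to R2 (dmz1, 60) is allowed with no ACL, R2 to R1 is not, R2 to R3 (outside, 0) is allowed until `DMZ1_ACL` is bound, after which only dmz1-to-172.10.0.0/16 survives. Adding a second permit entry for 172.30.0.0/16 and 172.40.0.0/16 is the fix the chapter hints at.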
Chapter 5
After reading this chapter you will be able to describe:
RIP
RIP Versions
RIP Timers
RIP Loop Avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Routing Information Protocol
It is an interior gateway distance vector routing protocol. It uses UDP port 520. It has 2 versions.

Version 1                            Version 2
Class-full                           Class-less
DV                                   DV
AD 120                               AD 120
Metric: hop count                    Metric: hop count
Max hop 15                           Max hop 15
Broadcast update (255.255.255.255)   Multicast update (224.0.0.9)
Default                              Manual
Send v1                              Send v2
Receive v1 & v2                      Receive v2
No authentication                    Supports authentication

Class Full Routing Protocols
A class-full routing protocol doesn't send subnet mask information to the neighbour router. Examples:- RIPv1 & IGRP.
Class Less Routing Protocols
A classless routing protocol does send subnet mask information to the neighbour router. Examples:- RIPv2, EIGRP, OSPF, IS-IS, BGP.
Rip Loop Avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Route Poisoning
RIP separates the bad news with a special metric, the infinite metric, i.e. 16. When RIP advertises a route with metric 16 that is called Route Poisoning.
Router1>>>>> 101.0=16>>>>>>>>>Router2
Poison Reverse
When a router receives a Route Poisoning update it accepts it, updates its routing table, and sends the same update back to the neighbour it came from.
(Router1>>>>> 101.0=16>>>>>>>>>Router2 )
(Router1<<<<< 101.0=16<<<<<<<<<Router2) is Poison Reverse
Split Horizon
A rule in distance vector routing protocols: a router does not send route information out of the interface on which that information was received.
RIP Timers
Update 30sec
Invalid 180sec
Hold 180sec
Flush 240sec
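The hop-count metric from Chapter 4 and the three loop-avoidance techniques above, simulated in Python as an added example (not code from the book). Two routers, R1 and R2, modelled on the book's topology (R1's LAN 172.10.1.0/24 and R2's LAN 172.20.1.0/24, used here as constructed input), exchange RIP-style updates; `rounds_until_unreachable()` then takes R1's LAN away and counts how many update rounds pass before both routers hold metric 16. With route poisoning the bad news converges in one round whatever the mode; with no poisoning and no split horizon the pair counts up to infinity two hops per round; with split horizon alone nothing changes and the stale route sits there until the invalid and flush timers listed above expire.

```python
"""Distance-vector (RIP-style) simulation: hop-count metric, route poisoning,
poison reverse and split horizon. Constructed example, not code from the book."""
from typing import Dict, Optional, Tuple

INFINITY = 16                 # RIP's "unreachable" metric
PREFIX = "172.10.1.0/24"      # the R1 LAN from the book's topology
R2_LAN = "172.20.1.0/24"      # the R2 LAN, so both routers have something to advertise

Table = Dict[str, Tuple[int, str]]   # prefix -> (metric, next hop or "connected")


class Router:
    def __init__(self, name: str, connected: Tuple[str, ...]):
        self.name = name
        self.table: Table = {p: (0, "connected") for p in connected}

    def advertisement(self, neighbor: str, mode: str) -> Dict[str, int]:
        """Routes sent to `neighbor`; mode is 'none', 'split-horizon' or 'poison-reverse'."""
        adv: Dict[str, int] = {}
        for prefix, (metric, nh) in self.table.items():
            if nh == neighbor:                       # route was learned from this neighbor
                if mode == "split-horizon":
                    continue                         # do not send it back at all
                if mode == "poison-reverse":
                    adv[prefix] = INFINITY           # send it back as unreachable
                    continue
            adv[prefix] = min(metric + 1, INFINITY)  # one more hop, capped at infinity
        return adv

    def receive(self, sender: str, adv: Dict[str, int]) -> None:
        """RIP acceptance rule: a better metric wins, and anything the current
        next hop says (including metric 16, i.e. a poisoned route) is believed."""
        for prefix, metric in adv.items():
            current = self.table.get(prefix)
            if current is None:
                if metric < INFINITY:
                    self.table[prefix] = (metric, sender)
            elif metric < current[0] or current[1] == sender:
                self.table[prefix] = (metric, sender)

    def withdraw(self, prefix: str, poison: bool) -> None:
        """Lose a connected network: poison it (advertise 16) or silently forget it."""
        if poison:
            self.table[prefix] = (INFINITY, "connected")
        else:
            del self.table[prefix]


def exchange(r1: Router, r2: Router, mode: str) -> None:
    """One update round: R1 speaks first (it has the news), then R2 replies."""
    r2.receive(r1.name, r1.advertisement(r2.name, mode))
    r1.receive(r2.name, r2.advertisement(r1.name, mode))


def metric(r: Router, prefix: str = PREFIX) -> int:
    """Metric a router holds for `prefix`; 16 if it has no route at all."""
    return r.table.get(prefix, (INFINITY, ""))[0]


def build_pair() -> Tuple[Router, Router]:
    """Two converged routers: R2 reaches the R1 LAN in one hop and vice versa."""
    r1, r2 = Router("R1", (PREFIX,)), Router("R2", (R2_LAN,))
    exchange(r1, r2, "split-horizon")
    return r1, r2


def reverse_advertisement(mode: str) -> Optional[int]:
    """What R2 tells R1 about R1's own LAN, i.e. the route R2 learned from R1:
    2 with no protection, omitted under split horizon, 16 under poison reverse."""
    r1, r2 = build_pair()
    return r2.advertisement(r1.name, mode).get(PREFIX)


def rounds_until_unreachable(mode: str, poison: bool, max_rounds: int = 50) -> Optional[int]:
    """R1 loses its LAN. Count rounds until both routers hold metric 16.
    Returns None if the tables stop changing first: the stale route then
    survives until RIP's invalid/flush timers expire."""
    r1, r2 = build_pair()
    r1.withdraw(PREFIX, poison)
    for rounds in range(1, max_rounds + 1):
        before = (dict(r1.table), dict(r2.table))
        exchange(r1, r2, mode)
        if metric(r1) >= INFINITY and metric(r2) >= INFINITY:
            return rounds
        if (r1.table, r2.table) == before:
            return None
    return None
```

The count-to-infinity case takes nine rounds here because each round adds one hop on each side of the R1/R2 link; RIP's 30-second update timer turns that into several minutes of black-holed traffic, which is exactly why the protocol combines poisoning with split horizon rather than relying on either alone.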
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.2
ASA1(config-if)# interface g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# ip add 192.168.2.2
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.3.2
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip add 192.168.4.2
ASA1(config-if)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.2.2 YES manual up up
GigabitEthernet0/2 192.168.3.2 YES manual up up
GigabitEthernet0/3 192.168.4.2 YES manual up up
ASA1(config-if)# sh nameif
Interface Name Security
GigabitEthernet0/0 inside 100
GigabitEthernet0/1 dmz1 60
GigabitEthernet0/2 outside 0
GigabitEthernet0/3 dmz2 50
ASA1(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1
router rip
no au
ver 2
net 0.0.0.0
R2
router rip
no au
ver 2
net 0.0.0.0
R3
router rip
no au
ver 2
net 0.0.0.0
R4
router rip
no au
ver 2
net 0.0.0.0
ASA1
router rip
no au
ver 2
net 0.0.0.0
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
R 172.20.1.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
R 172.20.2.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
R 172.20.3.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
R 172.20.4.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
R 172.20.5.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
R 172.20.6.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
R 172.30.1.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:17, outside
R 172.30.2.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:17, outside
R 172.30.3.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
R 172.30.4.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
R 172.30.5.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
R 172.30.6.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
R 172.40.1.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
R 172.40.2.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
R 172.40.3.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
R 172.40.4.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
R 172.40.5.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
R 172.40.6.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
! Disabling updates on a particular interface
ASA1(config)# router rip
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface inside
ASA1(config-router)# no passive-interface dmz1
ASA1(config-router)# no passive-interface dmz2
ASA1(config-router)# no passive-interface outside
ASA1(config-router)# route outside 0 0 192.168.3.1
! Redistribution in RIP
ASA1(config-router)# router rip
ASA1(config-router)# !redistribute
ASA1(config-router)# redistribute static metric 1
! Verification on Routers
R1#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:24, FastEthernet0/0
R2#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.2.2, 00:00:24, FastEthernet0/0
R4#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.4.2, 00:00:08, FastEthernet0/0
ASA1(config-router)# router rip
ASA1(config-router)# no redistribute static metric 1
! Default route origination via the default-information originate command
ASA1(config-router)# router rip
ASA1(config-router)# default-information originate
ASA1(config)# sh running-config route
! Verification on Routers
R1#sh ip route rip   (equivalent output on R2, R3 and R4)
R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:17, FastEthernet0/0
ASA1# sh route inside
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Route Filtering in RIP on ASA
ASA1(config)# access-list 10 permit 172.10.1.0 255.255.255.0
ASA1(config)# access-list 10 permit 172.10.2.0 255.255.255.0
ASA1(config)# access-list 10 permit 172.10.3.0 255.255.255.0
ASA1(config)# router rip
ASA1(config-router)# distribute-list 10 in interface inside
! Verification on ASA
ASA1(config-router)# sh route inside
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
ASA1# clear route all
ASA1# sh route inside
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Enabling RIP Authentication on ASA
ASA1(config-router)# interface gigabitEthernet 0/0
ASA1(config-if)# rip authentication mode md5
ASA1(config-if)# rip authentication key shiva key_id 100
! Verification & effect of authentication: the ASA now discards R1's unauthenticated updates, but routes already learned stay until the RIP invalid timer (180 s) expires, so the table below still shows them ageing
ASA1# sh route inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! RIP Authentication on Router
R1(config)#key chain trust
R1(config-keychain)#key 100
R1(config-keychain-key)#key-string shiva
R1(config-keychain-key)#int f0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain trust
! Verification on Router
R1#sh ip route rip
172.20.0.0/24 is subnetted, 6 subnets
R 172.20.1.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.2.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.3.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.4.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.5.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
! RIP version customization on Router & ASA (both sides must send and receive the same version)
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip rip receive version 2
R1(config-if)#ip rip send version 2
ASA1(config-if)# interface gigabitEthernet 0/0
ASA1(config-if)# rip send version 2
ASA1(config-if)# rip receive version 2
Chapter 6: EIGRP
After reading this chapter you would be able to describe:
EIGRP
EIGRP Components
EIGRP Messages
EIGRP Terminology
EIGRP Table Types
EIGRP Modes
EIGRP Neighbour Requirements
Enhanced Interior Gateway Routing Protocol (EIGRP) is a classless, enhanced distance-vector interior gateway protocol. It runs directly over IP as protocol number 88 and sends multicast hellos to 224.0.0.10.
EIGRP Components
PDM (Protocol Dependent Module): lets EIGRP carry routes for different routed protocols such as IP, IPX and AppleTalk (the ASA uses only the IPv4 PDM).
RTP (Reliable Transport Protocol): delivers EIGRP messages, adding sequencing and acknowledgements for the ones that must arrive reliably. EIGRP messages:
1. Hello: multicast, unreliable
2. Update: via RTP, multicast (unicast to a single new neighbour)
3. Acknowledgement: unicast, unreliable
4. Query: via RTP, multicast
5. Reply: via RTP, unicast
NDR (Neighbour Discovery and Recovery): maintains neighbourship. It first discovers which neighbours exist, then tracks how many hellos or acknowledgements are expected from each. If no hello arrives within the hold time (by default three hello intervals) the neighbour is removed from the neighbour table.
DUAL (Diffusing Update Algorithm): the route-selection algorithm, described next.
DUAL
DUAL is the modification of the distance-vector algorithm that lets EIGRP keep a loop-free failover path precomputed in the topology table instead of recomputing after a failure.
EIGRP Terminology
Successor: the best route (lowest metric) to a subnet or network; it is installed in the routing table.
Feasible Distance (FD): the calculated metric of the successor, i.e. this router's best metric to the destination.
Feasible Successor (FS): another route to the same destination that is guaranteed loop-free; it provides the backup to the successor.
Feasible Successor Requirement (feasibility condition): the route's Advertised Distance (AD/RD) must be less than the FD of the current successor.
AD/RD (Advertised or Reported Distance): a router's FD for a destination as seen by its neighbours, i.e. the metric it advertises to them.
Input Event: any information that can change the topology database (a neighbour going up or down, a received update, query or reply, or a metric change on an interface).
Local Computation: DUAL's reaction to an input event, with two possible outcomes: if the successor is lost and an FS exists, the FS is promoted to successor without involving the neighbours; if no FS is available the router goes active for that route.
Going Active: the router sends queries to its neighbours for the route and waits for their replies before selecting a new successor.
EIGRP Additional Features
Incremental Updates: EIGRP sends updates only when the topology changes, not periodically.
Multicast Update: updates are sent to 224.0.0.10.
Un-Equal Cost Load Balancing: the best FD is multiplied by the variance multiplier; any other route whose metric is lower than that product, and which satisfies the feasibility condition (it must be a feasible successor), is eligible for load balancing.
EIGRP Tables
Neighbour Table
Topology Table
Routing Table
Neighbour Table
EIGRP first builds the neighbour table. For each neighbour it contains:
IP address of the neighbour
Interface
Up time
Hold time
Sequence number of the last packet
Packets in queue
SRTT (smooth round-trip time)
RTO (retransmission timeout)
Topology Table
After the neighbour table EIGRP maintains the topology table. It holds the successor and any feasible successors for every destination, and three types of route:
Internal
External
Summary
Routing Table
The successor for each destination is installed in the routing table.
EIGRP Metric
The EIGRP metric is a composite metric built from five parameters carried in every update:
Bandwidth
Delay
Load
Reliability
MTU
The weights applied to them are the K-values (K1 to K5). With the default K-values (K1 = K3 = 1, K2 = K4 = K5 = 0) only bandwidth and delay enter the calculation; MTU is carried but never used in the formula.
EIGRP Neighbour Requirements
AS number
K-values
Authentication
Primary addresses on the same subnet
EIGRP Modes
Static neighbourship: neighbours configured with the neighbor command; hellos to them are sent as unicast instead of multicast.
Passive mode: a route is passive while it has a usable successor. If the successor goes down and a feasible successor exists, DUAL promotes it and the route stays passive; no query is sent.
Active mode: when a successor goes down and the router has no feasible successor, the route goes active and the router queries its neighbours for it.
EIGRP Defaults
EIGRP on the ASA supports only MD5 authentication.
EIGRP AD 5/90/170 (summary/internal/external)
EIGRP default hop count 100, maximum 255
EIGRP default variance 1, maximum 128
EIGRP default maximum-paths 4, maximum 16 (IOS)
EIGRP default hello 5/60 s and hold 15/180 s (LAN / low-speed NBMA such as Frame Relay)
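The metric formula, the feasibility condition and the variance rule above, worked through in Python as an added example (it is not code from the book). The link constants are assumptions chosen to reproduce the figures that appear in this chapter's show outputs: GigabitEthernet 1,000,000 kbps / 10 µs, FastEthernet 100,000 kbps / 100 µs, loopback 8,000,000 kbps / 5,000 µs, default K-values K1 = K3 = 1.

```python
"""EIGRP classic metric, feasibility condition and variance, worked on the lab's numbers.

Added example (not from the book). Link constants are assumptions chosen to
reproduce the show outputs in this chapter.
"""
from typing import List, Tuple

# (bandwidth in kbps, delay in microseconds): assumed interface defaults
GIG = (1_000_000, 10)      # GigabitEthernet
FE = (100_000, 100)        # FastEthernet
LOOP = (8_000_000, 5_000)  # Loopback

def eigrp_metric(min_bw_kbps: int, total_delay_us: int, load: int = 1,
                 reliability: int = 255,
                 k: Tuple[int, int, int, int, int] = (1, 0, 1, 0, 0)) -> int:
    """Classic 32-bit EIGRP composite metric.

    metric = 256 * [K1*BW + K2*BW/(256-load) + K3*DLY] * [K5/(reliability+K4)]
    BW = 10^7 / minimum bandwidth (kbps), DLY = total delay / 10 (tens of us),
    both truncated to integers as IOS does; the K5 term applies only if K5 != 0.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    dly = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5:
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def path_metric(links: List[Tuple[int, int]]) -> int:
    """Metric of a route across a chain of links: slowest link, summed delay."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links))

def feasibility_condition(reported_distance: int, feasible_distance: int) -> bool:
    """DUAL's loop-freedom test: a neighbour is a feasible successor iff RD < FD."""
    return reported_distance < feasible_distance

def variance_eligible(candidates: List[Tuple[str, int, int]], variance: int) -> List[str]:
    """Next hops that share traffic under 'variance <n>'.

    candidates: (next_hop, local metric via that hop, neighbour's reported distance).
    The successor always qualifies; another path qualifies only if it is a
    feasible successor AND its local metric is at most variance * FD.
    """
    fd = min(metric for _, metric, _ in candidates)
    return [hop for hop, metric, rd in candidates
            if metric == fd
            or (feasibility_condition(rd, fd) and metric <= variance * fd)]

if __name__ == "__main__":
    print("ASA FD to 172.10.1.0/24 via inside:", path_metric([GIG, LOOP]))   # 130816
    print("R1's reported distance:", path_metric([LOOP]))                     # 128256
    print("R2 through the ASA:", path_metric([FE, GIG, LOOP]))                # 156416
    print("R2 to 192.168.1.0/24:", path_metric([FE, GIG]))                    # 28416
    print("redistributed static, metric 1 1 1 1 1, as seen by R1:", eigrp_metric(1, 110))
```

The four path_metric calls give the 130816 (ASA's FD), 128256 (R1's RD), 156416 (R2's metric through the ASA) and 28416 (transit network as seen by R2) that appear in the show eigrp topology and show ip route outputs later in this chapter; eigrp_metric(1, 110) is the 2560002816 of the redistributed default with metric 1 1 1 1 1 (bandwidth 1 kbps, delay 10 µs, plus R1's FastEthernet delay).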
Diagram: R1, R2, R3 and R4 connect to ASA1 on inside (192.168.1.0/24), dmz1 (192.168.2.0/24), outside (192.168.3.0/24) and dmz2 (192.168.4.0/24); each router carries six loopbacks, 172.10.x.0/24 on R1, 172.20.x.0/24 on R2, 172.30.x.0/24 on R3 and 172.40.x.0/24 on R4
Initial-config
R1
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.2
ASA1(config-if)# interface g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# ip add 192.168.2.2
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.3.2
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip add 192.168.4.2
ASA1(config-if)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.2.2 YES manual up up
GigabitEthernet0/2 192.168.3.2 YES manual up up
GigabitEthernet0/3 192.168.4.2 YES manual up up
ASA1(config-if)# sh nameif
Interface Name Security
GigabitEthernet0/0 inside 100
GigabitEthernet0/1 dmz1 60
GigabitEthernet0/2 outside 0
GigabitEthernet0/3 dmz2 50
ASA1(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1
router ei 100
no aut
net 0.0.0.0
R2
router ei 100
no aut
net 0.0.0.0
R3
router ei 100
no aut
net 0.0.0.0
R4
router ei 100
no aut
net 0.0.0.0
ASA1
router ei 100
no aut
net 0.0.0.0
! EIGRP Neighbour Verification
ASA1# sh eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 192.168.4.1 dmz2 12 00:00:12 1 200 0 3
2 192.168.3.1 outside 14 00:00:14 1 200 0 3
1 192.168.2.1 dmz1 12 00:00:16 1 200 0 3
0 192.168.1.1 inside 10 00:00:17 1 200 0 3
! EIGRP Topology Verification
ASA1# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.4.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.20.5.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
P 192.168.4.0 255.255.255.0, 1 successors, FD is 2816
via Connected, dmz2
P 172.30.6.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.3.1 (130816/128256), outside
P 192.168.1.0 255.255.255.0, 1 successors, FD is 2816
via Connected, inside
P 172.20.2.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
P 172.40.2.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.4.1 (130816/128256), dmz2
P 172.10.1.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.1.1 (130816/128256), inside
P 172.20.4.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
P 172.10.2.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.1.1 (130816/128256), inside
P 192.168.2.0 255.255.255.0, 1 successors, FD is 2816
via Connected, dmz1
P 172.30.1.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.3.1 (130816/128256), outside
P 172.10.4.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.1.1 (130816/128256), inside
P 172.40.1.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.4.1 (130816/128256), dmz2
P 172.20.3.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
P 172.20.1.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
P 172.40.3.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.4.1 (130816/128256), dmz2
P 192.168.3.0 255.255.255.0, 1 successors, FD is 2816
via Connected, outside
P 172.40.4.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.4.1 (130816/128256), dmz2
P 172.40.5.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.4.1 (130816/128256), dmz2
P 172.10.6.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.1.1 (130816/128256), inside
P 172.40.6.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.4.1 (130816/128256), dmz2
P 172.30.3.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.3.1 (130816/128256), outside
P 172.30.2.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.3.1 (130816/128256), outside
P 172.20.6.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
P 172.10.3.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.1.1 (130816/128256), inside
P 172.30.4.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.3.1 (130816/128256), outside
P 172.10.5.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.1.1 (130816/128256), inside
P 172.30.5.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.3.1 (130816/128256), outside
! Routing Table verification on ASA
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
D 172.10.1.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.4.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.5.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.6.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
D 172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
D 172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.30.1.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.2.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.3.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.4.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.5.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.6.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.6.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
ASA1# ping 172.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.40.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.40.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.10.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.20.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.30.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 172.40.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.40.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
! Disabling Unwanted Updates or Neighbourship in EIGRP
ASA1(config)# router eigrp 100
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface inside
ASA1(config-router)# no passive-interface dmz1
ASA1(config-router)# no passive-interface dmz2
ASA1(config-router)# no passive-interface outside
! passive-interface default stops hellos on every interface; only the ones re-enabled above form adjacencies. The lab re-enables all four so that the routes stay; in production keep outside (security-level 0) passive unless an adjacency with the upstream device is really needed, and authenticate the rest
ASA1(config-router)# route outside 0 0 192.168.3.1
! Redistribution in EIGRP (a seed metric is required: bandwidth in kbps, delay in tens of microseconds, reliability, load, MTU; without a metric or a default-metric the static route is not redistributed)
ASA1(config)# router eigrp 100
ASA1(config-router)# redistribute static metric 1 1 1 1 1
! Redistribution verification on Routers
R1#sh ip route eigrp
D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0
! Same output on R2, R3 and R4; the route is external (EX, AD 170) because it was redistributed
ASA1(config-router)# no redistribute static metric 1 1 1 1 1
ASA1(config-router)# default-metric 1 1 1 1 1
ASA1(config-router)# redistribute static
R1#sh ip route eigrp
D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0
! Same output on R2, R3 and R4
ASA1(config-router)# no redistribute static
! Static Neighbourship on ASA
ASA1(config-router)# neighbor 192.168.1.1 interface inside
! Debug Command review
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Sep 28 09:29:35.271: EIGRP: Sending HELLO on Loopback2
*Sep 28 09:29:35.271: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Sep 28 09:29:35.271: EIGRP: Received HELLO on Loopback2 nbr 172.10.2.1
*Sep 28 09:29:35.271: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Sep 28 09:29:35.271: EIGRP: Packet from ourselves ignored
*Sep 28 09:29:35.743: EIGRP: Sending HELLO on Loopback5
*Sep 28 09:29:35.743: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Sep 28 09:29:35.743: EIGRP: Received HELLO on Loopback5 nbr 172.10.5.1
*Sep 28 09:29:35.743: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Sep 28 09:29:35.743: EIGRP: Packet from ourselves ignored
R1#
*Sep 28 09:29:36.519: EIGRP: Sending HELLO on Loopback3
*Sep 28 09:29:36.519: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Sep 28 09:29:36.519: EIGRP: Received HELLO on Loopback3 nbr 172.10.3.1
*Sep 28 09:29:36.519: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Sep 28 09:29:36.519: EIGRP: Packet from ourselves ignored
*Sep 28 09:29:36.947: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.2
*Sep 28 09:29:36.947: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Sep 28 09:29:36.947: EIGRP: Ignore unicast Hello from FastEthernet0/0 192.168.1.2
R1#
*Sep 28 09:29:38.091: EIGRP: Sending HELLO on Loopback6
*Sep 28 09:29:38.091: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
! The "Ignore unicast Hello" line above is the effect of the static neighbour on the ASA: the ASA now sends its hellos as unicast to 192.168.1.1, and R1 discards unicast hellos until it has a matching static neighbour of its own, so the adjacency only returns once both sides are configured
! Static Neighbourship on Router
R1(config)#router ei 100
R1(config-router)#neighbor 192.168.1.2 fastEthernet 0/0
! Verification of Static neighbourship
ASA1(config-router)# sh route inside
D 172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D 172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D 172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D 172.10.4.0 255.255.255.0[90/130816] via 192.168.1.1, 00:00:51, inside
D 172.10.5.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D 172.10.6.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
! Route Filtering in EIGRP
ASA1(config)# access-list 10 standard permit 172.10.1.0 255.255.255.0
ASA1(config)# access-list 10 standard permit 172.10.2.0 255.255.255.0
ASA1(config)# access-list 10 standard permit 172.10.3.0 255.255.255.0
ASA1(config)# router eigrp 100
ASA1(config-router)# distribute-list 10 in interface inside
! Verification
ASA1(config-router)# sh route inside
D 172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:02:10, inside
D 172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:02:10, inside
D 172.10.3.0 255.255.255.0[90/130816] via 192.168.1.1, 00:02:10, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
ASA1(config)# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
D 172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D 172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D 172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D 172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
D 172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
D 172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
D 172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
D 172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
D 172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
D 172.30.1.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:28, outside
D 172.30.2.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
D 172.30.3.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
D 172.30.4.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
D 172.30.5.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
D 172.30.6.0 255.255.255.0[90/130816] via 192.168.3.1, 00:10:30, outside
D 172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
D 172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
D 172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
D 172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
D 172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
D 172.40.6.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
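What the standard ACL in a distribute-list actually tests, for the RIP route-filtering lab in the previous chapter and the EIGRP one above, as an added example in Python (not code from the book). The ACL lines and the received prefixes are constructed to mirror the lab; the matching rule implemented here is the ASA's: the mask is a subnet mask, the route's network address is compared entry by entry, first match wins, and an unmatched route is denied.

```python
"""How an ASA standard ACL behaves inside 'distribute-list <acl> in'.

Added example (not from the book). ACL lines and received prefixes are
constructed to mirror the RIP and EIGRP filtering labs in this chapter.
"""
import ipaddress
from typing import List, Tuple

AclEntry = Tuple[str, int, int]   # (action, network as int, subnet mask as int)

def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <id> standard {permit|deny} <net> <mask> | host <ip> | any4'.

    The mask is a subnet mask (255.255.255.0), not an IOS wildcard (0.0.0.255).
    """
    entries: List[AclEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] != "standard":
            continue
        action = parts[3]
        if parts[4] in ("any", "any4"):
            net, mask = 0, 0
        elif len(parts) < 6:
            continue
        elif parts[4] == "host":
            net, mask = int(ipaddress.IPv4Address(parts[5])), 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(parts[4]))
            mask = int(ipaddress.IPv4Address(parts[5]))
        entries.append((action, net & mask, mask))
    return entries

def acl_action(acl: List[AclEntry], address: str) -> str:
    """First matching entry wins; no match is the implicit deny."""
    a = int(ipaddress.IPv4Address(address))
    for action, net, mask in acl:
        if a & mask == net:
            return action
    return "deny"

def distribute_list_in(acl: List[AclEntry], received: List[str]) -> List[str]:
    """Prefixes that survive an inbound distribute-list.

    Only the route's network address is tested, never its prefix length, so a
    more specific prefix inside a permitted /24 is accepted as well.
    """
    return [p for p in received if acl_action(acl, p.split("/")[0]) == "permit"]

# Constructed inputs mirroring the lab: permit R1's first three loopbacks only.
ACL_LINES = [
    "access-list 10 standard permit 172.10.1.0 255.255.255.0",
    "access-list 10 standard permit 172.10.2.0 255.255.255.0",
    "access-list 10 standard permit 172.10.3.0 255.255.255.0",
]
RECEIVED = [f"172.10.{i}.0/24" for i in range(1, 7)] + ["172.10.1.128/25"]

if __name__ == "__main__":
    print(distribute_list_in(parse_standard_acl(ACL_LINES), RECEIVED))
    # An IOS-style wildcard pasted into an ASA ACL is read as a subnet mask of
    # 0.0.0.255, i.e. "last octet is zero": every 172.10.x.0 network then matches
    # and the filter no longer filters anything.
    wildcard_mistake = ["access-list 10 standard permit 172.10.1.0 0.0.0.255"]
    print(distribute_list_in(parse_standard_acl(wildcard_mistake), RECEIVED))
```

The first call returns the three permitted /24s plus 172.10.1.128/25, which is the caveat to remember when a standard ACL is used as a route filter; the second call shows the wildcard mistake letting all six /24s through.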
! EIGRP AD Changing (administrative distance for internal routes 111, external routes 222)
ASA1(config-router)# router eigrp 100
ASA1(config-router)# distance eigrp 111 222
ASA1(config-router)# sh route inside
D 172.10.1.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
D 172.10.2.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
D 172.10.3.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Only one EIGRP AS is allowed on the ASA
ASA1(config)# router eigrp 100
ASA1(config-router)# router eigrp 200
Too many IP routing processes for this routing protocol
ERROR: Unable to create router process
! Authentication in EIGRP on ASA (MD5 only; mode and key are set per interface and per AS)
ASA1(config-if)# interface gigabitEthernet 0/0
ASA1(config-if)# authentication mode eigrp 100 md5
ASA1(config-if)# authentication key eigrp 100 shiva key-id 100
! Verification of authentication on Router (R1 has no key yet, so the adjacency drops)
R1(config-router)#
*Sep 28 09:39:11.267: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2
(FastEthernet0/0) is down: Auth failure
! Authentication in EIGRP on Router (key-id and key-string must match the ASA's)
R1(config)#key chain trust
R1(config-keychain)#key 100
R1(config-keychain-key)#key-string shiva
R1(config-keychain-key)#int f0/0
R1(config-if)#ip authentication mode eigrp 100 md5
R1(config-if)#ip authentication key-chain eigrp 100 trust
*Sep 28 09:40:06.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2
(FastEthernet0/0) is up: new adjacency
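A check that ties the passive-interface and authentication sections together, added here as an example in Python (it is not code from the book): it parses an ASA running-config and reports every interface that would form an EIGRP adjacency without MD5, every interface where the mode is set but no key is configured, and any adjacency permitted on a security-level 0 interface. SAMPLE_CONFIG is constructed to resemble this chapter's lab, with dmz1 deliberately left half-configured; in a real running-config the key is shown as *****, which the pattern accepts.

```python
"""Audit an ASA running-config for EIGRP adjacencies allowed without MD5 authentication.
Added example, not from the book; SAMPLE_CONFIG is constructed after this chapter's lab."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Interface:
    name: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    eigrp_mode: Dict[int, str] = field(default_factory=dict)  # AS -> "md5"
    eigrp_key: Set[int] = field(default_factory=set)          # ASes that have a key
@dataclass
class EigrpProcess:
    asn: int
    passive_default: bool = False
    passive: Set[str] = field(default_factory=set)      # passive-interface <nameif>
    not_passive: Set[str] = field(default_factory=set)  # no passive-interface <nameif>

def parse_config(text: str) -> Tuple[Dict[str, Interface], Optional[EigrpProcess]]:
    """Walk the config stanza by stanza: a top-level line, then its indented lines."""
    interfaces: Dict[str, Interface] = {}
    proc: Optional[EigrpProcess] = None
    current = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw.startswith(" "):
            if (m := re.match(r"interface (\S+)$", cmd)):
                current = interfaces[m[1]] = Interface(m[1])
            elif (m := re.match(r"router eigrp (\d+)$", cmd)):
                current = proc = EigrpProcess(int(m[1]))
            else:
                current = None
        elif isinstance(current, Interface):
            if (m := re.match(r"nameif (\S+)", cmd)):
                current.nameif = m[1]
            elif (m := re.match(r"security-level (\d+)", cmd)):
                current.security_level = int(m[1])
            elif (m := re.match(r"authentication mode eigrp (\d+) (\S+)", cmd)):
                current.eigrp_mode[int(m[1])] = m[2]
            elif (m := re.match(r"authentication key eigrp (\d+) \S+ key-id \d+", cmd)):
                current.eigrp_key.add(int(m[1]))  # the key itself shows as ***** in a real config
        elif isinstance(current, EigrpProcess):
            if cmd == "passive-interface default":
                current.passive_default = True
            elif (m := re.match(r"(no )?passive-interface (\S+)", cmd)):
                (current.not_passive if m[1] else current.passive).add(m[2])
    return interfaces, proc

def eigrp_active_on(iface: Interface, proc: EigrpProcess) -> bool:
    """True if the interface sends hellos and accepts adjacencies for this process."""
    if iface.nameif is None:
        return False
    if proc.passive_default:
        return iface.nameif in proc.not_passive
    return iface.nameif not in proc.passive

def audit(text: str) -> List[Tuple[str, str]]:
    """Return (where, problem) pairs in config order."""
    interfaces, proc = parse_config(text)
    findings: List[Tuple[str, str]] = []
    if proc is None:
        return findings
    if not proc.passive_default:
        findings.append((f"router eigrp {proc.asn}", "no passive-interface default: every matched interface is active"))
    for iface in interfaces.values():
        if not eigrp_active_on(iface, proc):
            continue
        where = f"{iface.name} ({iface.nameif})"
        mode = iface.eigrp_mode.get(proc.asn)
        if mode is None:
            findings.append((where, "EIGRP adjacencies accepted without authentication"))
        elif proc.asn not in iface.eigrp_key:
            findings.append((where, f"EIGRP authentication mode {mode} set but no key for AS {proc.asn}"))
        if iface.security_level == 0:
            findings.append((where, "EIGRP adjacency allowed on a security-level 0 interface"))
    return findings

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 authentication mode eigrp 100 md5
 authentication key eigrp 100 ***** key-id 100
interface GigabitEthernet0/1
 nameif dmz1
 authentication mode eigrp 100 md5
interface GigabitEthernet0/2
 nameif outside
 security-level 0
interface GigabitEthernet0/3
 nameif dmz2
router eigrp 100
 passive-interface default
 no passive-interface inside
 no passive-interface dmz1
 no passive-interface outside
"""
```

Run audit(SAMPLE_CONFIG): inside passes, dmz1 is reported for a mode without a key, outside is reported twice (no authentication at all, and an adjacency on a security-level 0 interface), and dmz2 is silent because it stays passive. The same walk can be pointed at the output of show running-config on a real unit.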
! Summarization in EIGRP (summary-address 0 0 on inside sends R1 only a default route and suppresses the specific prefixes; a summary takes the lowest metric of its components)
ASA1(config-if)# interface gigabitEthernet 0/0
ASA1(config-if)# summary-address eigrp 100 0 0
! Verification on Router1
R1#sh ip route eigrp
D* 0.0.0.0/0 [90/28416] via 192.168.1.2, 00:00:30, FastEthernet0/0
R2# sh ip route eigrp
172.10.0.0/24 is subnetted, 3 subnets
D 172.10.2.0 [90/156416] via 192.168.2.2, 00:01:51, FastEthernet0/0
D 172.10.3.0 [90/156416] via 192.168.2.2, 00:01:51, FastEthernet0/0
D 172.10.1.0 [90/156416] via 192.168.2.2, 00:01:51, FastEthernet0/0
172.30.0.0/24 is subnetted, 6 subnets
D 172.30.2.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.30.3.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.30.1.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.30.6.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.30.4.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.30.5.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
172.40.0.0/24 is subnetted, 6 subnets
D 172.40.4.0 [90/156416] via 192.168.2.2, 00:06:41, FastEthernet0/0
D 172.40.5.0 [90/156416] via 192.168.2.2, 00:06:41, FastEthernet0/0
D 172.40.6.0 [90/156416] via 192.168.2.2, 00:06:41, FastEthernet0/0
D 172.40.1.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.40.2.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 172.40.3.0 [90/156416] via 192.168.2.2, 00:06:42, FastEthernet0/0
D 192.168.4.0/24 [90/28416] via 192.168.2.2, 00:06:43, FastEthernet0/0
D 192.168.1.0/24 [90/28416] via 192.168.2.2, 00:06:43, FastEthernet0/0
D 192.168.3.0/24 [90/28416] via 192.168.2.2, 00:06:43, FastEthernet0/0
ASA1(config)# interface gigabitEthernet 0/1
ASA1(config-if)# summary-address eigrp 100 172.10.0.0 255.255.248.0
ASA1(config-if)# summary-address eigrp 100 172.30.0.0 255.255.248.0
ASA1(config-if)# summary-address eigrp 100 172.40.0.0 255.255.248.0
R2# sh ip route eigrp
172.10.0.0/21 is subnetted, 1 subnets
D 172.10.0.0 [90/156416] via 192.168.2.2, 00:00:23, FastEthernet0/0
172.30.0.0/21 is subnetted, 1 subnets
D 172.30.0.0 [90/156416] via 192.168.2.2, 00:00:19, FastEthernet0/0
172.40.0.0/21 is subnetted, 1 subnets
D 172.40.0.0 [90/156416] via 192.168.2.2, 00:00:15, FastEthernet0/0
D 192.168.4.0/24 [90/28416] via 192.168.2.2, 00:07:57, FastEthernet0/0
D 192.168.1.0/24 [90/28416] via 192.168.2.2, 00:07:57, FastEthernet0/0
D 192.168.3.0/24 [90/28416] via 192.168.2.2, 00:07:57, FastEthernet0/0
! EIGRP Hello & Hold Changing
ASA1(config-if)# interface gigabitEthernet 0/0
ASA1(config-if)# hello-interval eigrp 100 2
ASA1(config-if)# hold-time eigrp 100 4
R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.1.2 Fa0/0 3 00:04:15 3 200 0 133
Chapter 7: OSPF
After reading this chapter you would be able to describe:
OSPF
Difference between Link State & Distance Vector
OSPF Tables
OSPF Messages & Contents
OSPF States
DR & BDR
DR & BDR Requirements
OSPF Area Structure
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Neighbourship Requirements
OSPF Authentication Types
OSPF Summarization Types
OSPF Virtual Link
OSPF Messages Contents
Hello message fields include: Priority, DR & BDR information, Authentication, Stub information.
OSPF packet header fields: Version, Type, Packet length, Router ID, Area, Checksum, Authentication type, Authentication data, followed by the Data.

OSPF States
Down
Attempt
Initialization
2-Way
Ex-Start
Exchange
Loading
Full

OSPF Down State
It means that no Hello has been exchanged.

OSPF Attempt State
This state is valid only on NBMA networks. In this state a router sends unicast Hellos to the neighbour, because OSPF has no capability to establish neighbourship automatically on an NBMA network.
OSPF Initialization State
When a router receives a Hello, that is called Initialization.

OSPF 2-Way State
When Hellos have been exchanged in both directions between two OSPF routers, that is called 2-Way. DR & BDR are elected here.

OSPF Ex-Start State
In this state they elect master & slave. The master is the router that sends the DBD first; the master is the one with the higher priority or higher router ID.

OSPF Exchange State
In this state only DBDs are exchanged between the OSPF routers.

OSPF Loading State
In this state the actual database is exchanged, i.e. LS-Request, LS-Update and LS-Acknowledgement packets are also exchanged.

OSPF Full State
It means that the OSPF database is synchronised among the OSPF routers and each router has a complete database.
OSPF Area
The logical grouping of OSPF routers is called an OSPF Area.

OSPF Area Structure
OSPF has two types of area:
Backbone Area
Regular Area

OSPF Backbone Area
Area zero is called the backbone area. It alone has the capability to transfer routes from one area to another, i.e. it is also called the Transit Area.

OSPF Regular Area
Apart from area zero, all other areas are called regular areas. They must be connected to the backbone area.

OSPF Priority
The OSPF Hello message has an 8-bit priority field; the default value is 1 and the maximum is 255. If the priority is zero the router will not participate in the DR & BDR election.

Designated Router
When OSPF routers are connected to a multi-access network, one router is given the responsibility of forming adjacencies with the other routers; that router is called the DR.
Backup Designated Router
It provides backup to the DR.
Note:- The DR & BDR concept is only used to minimise the adjacency count.
Adjacency count without DR & BDR: n(n-1)/2
Adjacency count with DR & BDR: 2n-3
Adjacency count with DR only: n-1

DR Requirements
1. Higher Priority
2. Higher Router ID
A DR is elected on every Broadcast & NB segment.

Router ID Requirements
1. Highest loopback address
2. If there is no loopback, the highest IP address of an up physical interface
3. It can also be configured manually.

OSPF Metric
It is called cost; formula = 100 Mbps / bandwidth.

OSPF Network Types
RFC: NBMA, P2MP
Cisco: Broadcast, P2P, P2MPNB
Broadcast & NB are for full-mesh topology.
P2P, P2MP, P2MPNB are for hub & spoke.
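The DR/BDR election order, the router-ID selection rules and the three adjacency counts above, as an added Python example (not code from the book). It assumes all routers on the segment come up at the same time; a real election is not preemptive, so a router that is already DR keeps the role, which is consistent with the book's first `sh ospf neighbor` output showing the IOS routers as DR and the later `sh ospf interface inside` output showing the ASA as DR. A manually configured router-id takes precedence over the loopback and physical-interface rules. The `Router` class and its field names are my own.

```python
# Added example (not from the book): OSPF DR/BDR election, router-ID selection
# and the adjacency counts quoted in the text, in plain Python (stdlib only).
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def adjacencies_without_dr(n: int) -> int:
    """Full mesh of adjacencies on a multi-access segment: n(n-1)/2."""
    return n * (n - 1) // 2


def adjacencies_with_dr_and_bdr(n: int) -> int:
    """Every router is adjacent to the DR and the BDR; the DR-BDR pair is
    counted once, so 2(n-1) - 1 = 2n-3."""
    return 2 * n - 3


def adjacencies_with_dr_only(n: int) -> int:
    """Only the DR forms adjacencies: n-1."""
    return n - 1


@dataclass
class Router:
    name: str
    priority: int = 1                       # 8-bit Hello priority: default 1, max 255
    loopbacks: List[str] = field(default_factory=list)     # loopback IPv4 addresses
    physical_up: List[str] = field(default_factory=list)   # IPv4 addresses of "up" physical interfaces
    manual_router_id: Optional[str] = None  # set when a router-id is configured by hand

    def router_id(self) -> IPv4Address:
        """A manually configured router-id wins; otherwise the highest loopback
        address; otherwise the highest address of an up physical interface."""
        if self.manual_router_id:
            return IPv4Address(self.manual_router_id)
        if self.loopbacks:
            return max(IPv4Address(a) for a in self.loopbacks)
        if self.physical_up:
            return max(IPv4Address(a) for a in self.physical_up)
        raise ValueError(f"{self.name}: no IPv4 address available for a router ID")


def elect_dr_bdr(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) for routers that come up on the segment at
    the same time. Priority 0 never participates; among the rest the highest
    priority wins and the highest router ID breaks ties."""
    candidates = [r for r in routers if 0 < r.priority <= 255]
    ranked = sorted(candidates, key=lambda r: (r.priority, int(r.router_id())), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # The book's lab: R1 has loopbacks 172.10.1.1-172.10.6.1, ASA1 has none.
    r1 = Router("R1", loopbacks=[f"172.10.{i}.1" for i in range(1, 7)], physical_up=["192.168.1.1"])
    asa1 = Router("ASA1", physical_up=["192.168.1.2", "192.168.2.2", "192.168.3.2", "192.168.4.2"])
    print("R1 router ID:", r1.router_id())      # 172.10.6.1, the Neighbor ID in the book's table
    print("ASA1 router ID:", asa1.router_id())  # 192.168.4.2, the ID in the book's database output
    print("DR/BDR on 192.168.1.0/24:", elect_dr_bdr([r1, asa1]))
    for n in (2, 5, 10):
        print(n, adjacencies_without_dr(n), adjacencies_with_dr_and_bdr(n), adjacencies_with_dr_only(n))
```

Running it reproduces the router IDs the book's `sh ospf neighbor` and `sh ospf database` outputs show (172.10.6.1 for R1, 192.168.4.2 for ASA1) and, with equal priorities, puts the ASA ahead of R1 because its router ID is higher.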
Network type   Hello-interval   Dead-interval   Auto-neighbour   Manual-neighbour   DR or BDR
Broadcast      10               40              YES              NO                 YES
P2P            10               40              YES              NO                 NO
P2MP           30               120             YES              NO                 NO
P2MPNB         30               120             NO               YES                NO
NB             30               120             NO               YES                YES
OSPF Router Types
Internal Router
A router that has all its interfaces in a regular area is called an Internal router.
Backbone Router
A router that has all its interfaces in area 0 (the backbone area) is called a Backbone router.
Area Border Router
A router which connects the backbone area to a regular area is called an ABR.
ASBR
A router which connects the OSPF routing domain to another routing domain is called an ASBR.
LSA Types
Note:- OSPF sends incremental updates; these updates are called LSAs (Link State Advertisements).
Router LSA
Network LSA
Summary LSA
AS (ASBR) Summary LSA
External LSA
Group Membership LSA
NSSA LSA

Router LSA
It contains the router ID of a router. It is sent within the area.
Network LSA
It contains the DR's router ID and is sent by the DR within the area.
Summary LSA
When the routes of one area go to another area, they go as Summary LSAs. It is sent by the ABR.
AS (ASBR) Summary LSA
It contains the ASBR's router ID. It is generated by the ABR when the ABR receives an External LSA from the ASBR.
External LSA
It contains external routes. It is sent by the ASBR.
Group Member LSA
It is used in Multicast OSPF.
NSSA LSA
It contains external routes. It is used in an NSSA area; it allows an ASBR to send external routes through a stub area to the backbone.
Why? Because in a Stub/NSSA area LSA 5 is not allowed (it is filtered), so to hide LSA 5 the routes are encapsulated as LSA 7, and LSA 7 is only recognised in an NSSA area.

OSPF Area Types
Standard Area
Stub Area
Totally Stub Area
NSSA
Totally NSSA

Standard Area
It contains the entire OSPF domain itself. If you are using a standard area you can't reduce the size of the routing table; to reduce the size of the routing table we use the other area types.
Stub Area
It filters the external routes and replaces them with a default route.
Totally Stub Area
It filters the external routes and inter-area routes and replaces them with a default route.
NSSA
It allows an ASBR to send external routes through a stub area to the backbone area using LSA 7 (NSSA LSA).
Notes:- but it filters the external routes coming from the ABR, and it doesn't generate a default route.
Totally NSSA
It allows an ASBR to send external routes through a stub area to the backbone area using LSA 7 (NSSA LSA).
Notes:- but it filters the external routes & inter-area routes coming from the ABR, and it does generate a default route.

OSPF Virtual Link
OSPF design says that all regular areas must be connected to the backbone area. If that is not possible then we have to use a virtual link.

OSPF Authentication Types
1. Null         Type 0
2. Plain text   Type 1
3. MD5          Type 2

OSPF Summarization Types
External summarization at the ASBR
Inter-area summarization at the ABR
OSPF Route Types
O      OSPF intra-area
O IA   OSPF inter-area
O E2   OSPF External Metric-type 2
O E1   OSPF External Metric-type 1
O N2   OSPF External Metric-type 2 in NSSA area
O N1   OSPF External Metric-type 1 in NSSA area
In Metric-type 2 the internal cost is not added when routes are propagated in the OSPF domain.
In Metric-type 1 the internal cost is added when routes are propagated in the OSPF domain.
If you want the best path to be used for external routes you have to use metric-type 1.

Seed Metric
When routes are redistributed into a routing protocol, that protocol needs a starting point; that starting point is called the seed metric.
The OSPF seed metric is 20. If you want to change it, you can change it at the time of redistribution.

Important Note
Area 0 can't be stub.
Virtual links are not allowed in a stub area.
All routers must agree that they are part of the stub area.

OSPF Neighbourship Requirements
1. Subnet/mask
2. Hello interval
3. Dead interval
4. Authentication
5. Stub information
6. Area
7. MTU
OSPF AD is 110.
Default max-paths is 4, maximum 16.
224.0.0.6 is used by non-DR routers towards the DR, only for updates & acknowledgements.
224.0.0.5 is used for Hellos (non-DR or DR to non-DR).
224.0.0.5 is used for updates from the DR to non-DR routers.
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.2
ASA1(config-if)# interface g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# ip add 192.168.2.2
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.3.2
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip add 192.168.4.2
ASA1(config-if)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.2.2 YES manual up up
GigabitEthernet0/2 192.168.3.2 YES manual up up
GigabitEthernet0/3 192.168.4.2 YES manual up up
ASA1(config-if)# sh nameif
Interface Name Security
GigabitEthernet0/0 inside 100
GigabitEthernet0/1 dmz1 60
GigabitEthernet0/2 outside 0
GigabitEthernet0/3 dmz2 50
ASA1(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1
R1(config)#router os 100
R1(config-router)#net 192.168.1.0 0.0.0.255 area 1
R1(config-router)#net 172.10.0.0 0.0.7.255 area 4
R2
R2(config)#router os 100
R2(config-router)#net 192.168.2.0 0.0.0.255 area 0
R2(config-router)#router ei 100
R2(config-router)#no au
R2(config-router)#net 172.20.0.0 0.0.7.255
R3
R3(config)#router os 100
R3(config-router)#net 192.168.3.0 0.0.0.255 area 2
R3(config-router)#net 172.30.0.0 0.0.7.255 area 2
R4
R4(config)#router os 100
R4(config-router)#net 192.168.4.0 0.0.0.255 area 3
R4(config-router)#router ei 200
R4(config-router)#no au
R4(config-router)#net 172.40.0.0 0.0.7.255
ASA1(config)# router os 100
ASA1(config-router)# net 192.168.1.0 255.255.255.0 area 1
ASA1(config-router)# net 192.168.2.0 255.255.255.0 area 0
ASA1(config-router)# net 192.168.3.0 255.255.255.0 area 2
ASA1(config-router)# net 192.168.4.0 255.255.255.0 area 3
! OSPF Neighbour Table Verification
ASA1(config)# sh ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.20.6.1 1 FULL/DR 0:00:32 192.168.2.1 dmz1
172.10.6.1 1 FULL/DR 0:00:39 192.168.1.1 inside
172.30.6.1 1 FULL/DR 0:00:37 192.168.3.1 outside
172.40.6.1 1 FULL/DR 0:00:32 192.168.4.1 dmz2
! OSPF Topology Verification
ASA1(config)# sh ospf database
OSPF Router with ID (192.168.4.2) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
172.20.6.1 172.20.6.1 265 0x80000002 0x 4c5 1
192.168.4.2 192.168.4.2 232 0x80000001 0x78f7 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
192.168.2.1 172.20.6.1 265 0x80000001 0x 5c9
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.30.1.1 192.168.4.2 212 0x80000001 0x8075
172.30.2.1 192.168.4.2 212 0x80000001 0x757f
172.30.3.1 192.168.4.2 212 0x80000001 0x6a89
172.30.4.1 192.168.4.2 212 0x80000001 0x5f93
172.30.5.1 192.168.4.2 212 0x80000001 0x549d
172.30.6.1 192.168.4.2 212 0x80000001 0x49a7
192.168.1.0 192.168.4.2 222 0x80000002 0xfa5d
192.168.3.0 192.168.4.2 212 0x80000001 0xe670
192.168.4.0 192.168.4.2 213 0x80000001 0xdb7a
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
172.10.6.1 172.10.6.1 271 0x80000002 0xb629 1
192.168.4.2 192.168.4.2 231 0x80000002 0x6011 1
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
192.168.1.1 172.10.6.1 271 0x80000001 0x10d3
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
172.30.1.1 192.168.4.2 213 0x80000001 0x8075
172.30.2.1 192.168.4.2 213 0x80000001 0x757f
172.30.3.1 192.168.4.2 213 0x80000001 0x6a89
172.30.4.1 192.168.4.2 213 0x80000001 0x5f93
172.30.5.1 192.168.4.2 213 0x80000001 0x549d
172.30.6.1 192.168.4.2 213 0x80000001 0x49a7
192.168.2.0 192.168.4.2 223 0x80000001 0xf166
192.168.3.0 192.168.4.2 213 0x80000001 0xe670
192.168.4.0 192.168.4.2 214 0x80000001 0xdb7a
Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
172.30.6.1 172.30.6.1 229 0x80000003 0x9dd2 7
192.168.4.2 192.168.4.2 229 0x80000001 0x8edf 1
Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
192.168.3.1 172.30.6.1 229 0x80000001 0xf9bf
Summary Net Link States (Area 2)
Link ID ADV Router Age Seq# Checksum
192.168.1.0 192.168.4.2 224 0x80000001 0xfc5c
192.168.2.0 192.168.4.2 224 0x80000001 0xf166
192.168.4.0 192.168.4.2 214 0x80000001 0xdb7a
Router Link States (Area 3)
Link ID ADV Router Age Seq# Checksum Link count
172.40.6.1 172.40.6.1 224 0x80000002 0x9efe 1
192.168.4.2 192.168.4.2 223 0x80000001 0xa4c7 1
Net Link States (Area 3)
Link ID ADV Router Age Seq# Checksum
192.168.4.1 172.40.6.1 224 0x80000001 0xeeb5
Summary Net Link States (Area 3)
Link ID ADV Router Age Seq# Checksum
172.30.1.1 192.168.4.2 215 0x80000001 0x8075
172.30.2.1 192.168.4.2 215 0x80000001 0x757f
172.30.3.1 192.168.4.2 215 0x80000001 0x6a89
172.30.4.1 192.168.4.2 215 0x80000001 0x5f93
172.30.5.1 192.168.4.2 215 0x80000001 0x549d
172.30.6.1 192.168.4.2 215 0x80000001 0x49a7
192.168.1.0 192.168.4.2 215 0x80000001 0xfc5c
192.168.2.0 192.168.4.2 215 0x80000001 0xf166
192.168.3.0 192.168.4.2 215 0x80000001 0xe670
! OSPF Routing Table Verification
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O 172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O 172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O 172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O 172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
NO AREA 4 routes
! Virtual Link in OSPF
ASA1(config-router)# router ospf 100
ASA1(config-router)# area 1 virtual-link 172.10.6.1
R1(config-router)#router os 100
R1(config-router)#area 1 virtual-link 192.168.4.2
R1(config-router)#
*Sep 28 10:02:01.999: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from LOADING
to FULL, Loading Done
! Verification of routes Learn via Virtual Link
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O 172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:41, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:41, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
! Redistribution in OSPF on Router
R2(config)#router ospf 100
R2(config-router)#redistribute eigrp 100
% Only classful networks will be redistributed
R1#sh ip route ospf
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0
NO routes of eigrp 100
R2(config-router)#router ospf 100
R2(config-router)#redistribute eigrp 100 subnets metric-type 1
! Redistributed Route Verification
R1#sh ip route ospf
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:04:30, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:04:30, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:04:30, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:04:30, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:04:30, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:04:30, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:04:30, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:04:31, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:04:31, FastEthernet0/0
! OSPF External Summarization
R2(config-router)#router ospf 100
R2(config-router)#summary-address 172.20.0.0 255.255.248.0
! OSPF External Summarization Verification
R1#sh ip route ospf
172.20.0.0/21 is subnetted, 1 subnets
O E1 172.20.0.0 [110/31] via 192.168.1.2, 00:00:18, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:06:28, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:06:28, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:06:28, FastEthernet0/0
! Disabling OSPF External Summarization
R2(config-router)#router ospf 100
R2(config-router)#no summary-address 172.20.0.0 255.255.248.0
R1#sh ip route ospf
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.1.2, 00:00:12, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:07:14, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:07:14, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:07:14, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:07:14, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:07:14, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:07:14, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:07:14, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:07:15, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:07:15, FastEthernet0/0
! OSPF Inter-area Summarization
ASA1(config)# router os 100
ASA1(config-router)# area 2 range 172.30.0.0 255.255.248.0
! OSPF Inter-area Summarization Verification
R1#sh ip route ospf
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:01:27, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:01:27, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:01:27, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.1.2, 00:01:27, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.1.2, 00:01:27, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.1.2, 00:01:27, FastEthernet0/0
172.30.0.0/21 is subnetted, 1 subnets
O IA 172.30.0.0 [110/12] via 192.168.1.2, 00:00:34, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:08:29, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:08:29, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:08:29, FastEthernet0/0
! Disabling Inter-area Summarization
ASA1(config-router)# router os 100
ASA1(config-router)# no area 2 range 172.30.0.0 255.255.248.0
R1#sh ip route ospf
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:02:14, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:02:14, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:02:14, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.1.2, 00:02:14, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.1.2, 00:02:14, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.1.2, 00:02:14, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:00:14, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:00:14, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:00:14, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:00:14, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:00:14, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:00:14, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:09:16, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:09:17, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:09:17, FastEthernet0/0
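Both summarization steps above (external `summary-address` on R2, inter-area `area 2 range` on the ASA) pick a single prefix that covers a run of more-specific routes. The following added Python example (not code from the book) computes that covering prefix for a list of routes, lists the address space the summary claims but no real route covers, and converts between the subnet-mask form the ASA's `network`/`summary-address` commands take and the wildcard-mask form the IOS `network` statement uses. The sample prefixes are R2's six loopback networks from the lab; the function names are my own.

```python
# Added example (not from the book): summary-prefix computation and
# mask/wildcard conversion for the OSPF summarization shown in the text.
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import Iterable, List


def summary_for(prefixes: Iterable[str]) -> IPv4Network:
    """Smallest single prefix that contains every given network."""
    nets = [IPv4Network(p) for p in prefixes]
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):                 # widen until the top address fits
        candidate = IPv4Network((int(low), plen), strict=False)
        if high in candidate:
            return candidate
    return IPv4Network("0.0.0.0/0")


def unused_space(summary: IPv4Network, prefixes: Iterable[str]) -> List[IPv4Network]:
    """Subnets inside the summary that none of the component routes cover.
    The summary attracts traffic for these as well, so the summarizing router
    must drop it locally (IOS installs a Null0 discard route) to avoid loops."""
    remaining = [summary]
    for p in prefixes:
        net = IPv4Network(p)
        next_remaining = []
        for chunk in remaining:
            if net.subnet_of(chunk):
                next_remaining.extend(chunk.address_exclude(net))   # carve the route out
            elif chunk.subnet_of(net):
                continue                                            # route covers the whole chunk
            else:
                next_remaining.append(chunk)
        remaining = next_remaining
    return sorted(collapse_addresses(remaining))


def _contiguous(mask_int: int) -> bool:
    """True when the 32-bit value is ones followed by zeros (a valid subnet mask)."""
    inverted = ~mask_int & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def mask_to_wildcard(mask: str) -> str:
    """255.255.248.0 -> 0.0.7.255 (ASA `network` syntax to IOS `network` syntax)."""
    m = int(IPv4Address(mask))
    if not _contiguous(m):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return str(IPv4Address(~m & 0xFFFFFFFF))


def wildcard_to_mask(wildcard: str) -> str:
    """0.0.7.255 -> 255.255.248.0; only contiguous wildcards map to a subnet mask."""
    w = int(IPv4Address(wildcard))
    m = ~w & 0xFFFFFFFF
    if not _contiguous(m):
        raise ValueError(f"{wildcard} is not the inverse of a contiguous subnet mask")
    return str(IPv4Address(m))


if __name__ == "__main__":
    # Constructed from the book's lab: R2's six EIGRP loopback networks,
    # redistributed into OSPF and summarised at the ASBR.
    r2_nets = [f"172.20.{i}.0/24" for i in range(1, 7)]
    s = summary_for(r2_nets)
    print(f"summary-address {s.network_address} {s.netmask}")     # 172.20.0.0 255.255.248.0
    print("covered but unused:", [str(n) for n in unused_space(s, r2_nets)])
    print("IOS wildcard for the same mask:", mask_to_wildcard(str(s.netmask)))   # 0.0.7.255
```

The same function applied to R3's six /32 loopback routes (172.30.1.1 to 172.30.6.1) yields 172.30.0.0/21, the `area 2 range 172.30.0.0 255.255.248.0` the book configures on the ASA; the unused 172.20.0.0/24 and 172.20.7.0/24 inside the /21 are why a summary should always be paired with a local discard route.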
! OSPF Authentication on ASA
ASA1(config-router)# interface gigabitEthernet 0/0
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 100 md5 shiva
R1#
*Sep 28 10:13:20.491: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
FULL to DOWN, Neighbor Down: Dead timer expired
R1#debug ip ospf events
OSPF events debugging is on
*Sep 28 10:20:40.255: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication
type. Input packet specified type 2, we use type 0
! OSPF Authentication on Router
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 100 md5 shiva
! OSPF Authentication Verification
R1(config-if)#
*Sep 28 10:13:46.747: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
LOADING to FULL, Loading Done
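What `ospf authentication message-digest` actually puts on the wire is the keyed MD5 hash defined in RFC 2328 Appendix D: the key itself is never sent, the 16-byte digest of the packet plus the key is appended after the packet, and a cryptographic sequence number in the header's authentication field lets the receiver reject replays. The following added Python example (not code from the book, and not the ASA's implementation) builds a constructed OSPF header, signs it with key ID 100 and the key "shiva" from the book's configuration, and shows the receiver-side checks, including the "Mismatch Authentication type" condition the debug output above reports. The function names are my own.

```python
# Added example (not from the book): the MD5 keyed-hash OSPF uses for
# "authentication message-digest" (RFC 2328, Appendix D), built over a
# constructed OSPF common header so that signing, verification, the
# authentication-type check and the replay check can be run offline.
# Key ID 100 and the key "shiva" are the values from the book's configuration.
import hashlib
import hmac
import struct
from typing import Dict, Tuple

AU_NULL, AU_PLAINTEXT, AU_MD5 = 0, 1, 2   # AuType values (the book's Type 0 / 1 / 2)
DIGEST_LEN = 16


def _dotted(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ospf_packet(router_id: str, area_id: str, body: bytes, au_type: int, auth: bytes) -> bytes:
    """OSPFv2 common header (24 bytes) followed by the body. With MD5 in use the
    header checksum is not computed and stays zero; the 8-byte Authentication
    field carries key ID, digest length and cryptographic sequence number."""
    assert len(auth) == 8
    length = 24 + len(body)
    return (struct.pack("!BBH", 2, 1, length)      # version 2, type 1 = Hello, packet length
            + _dotted(router_id) + _dotted(area_id)
            + struct.pack("!HH", 0, au_type)      # checksum (0), AuType
            + auth + body)


def _pad_key(key: bytes) -> bytes:
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")   # zero-padded to 16 bytes; never transmitted


def sign_md5(router_id: str, area_id: str, body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Build a packet with AuType 2 and append MD5(packet || padded key)."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = ospf_packet(router_id, area_id, body, AU_MD5, auth)
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify_md5(frame: bytes, keys: Dict[int, bytes], last_seq: Dict[str, int]) -> Tuple[bool, str]:
    """Receiver side on an MD5-enabled interface. `keys` maps key ID -> key;
    `last_seq` remembers the highest sequence number accepted per router ID
    and is updated on success."""
    if len(frame) < 24 + DIGEST_LEN:
        return False, "packet too short"
    version, _ptype, length = struct.unpack("!BBH", frame[:4])
    au_type = struct.unpack("!H", frame[14:16])[0]
    if au_type != AU_MD5:
        # Same condition the book's `debug ip ospf events` line reports.
        return False, f"Mismatch Authentication type. Input packet specified type {au_type}, we use type {AU_MD5}"
    if version != 2 or len(frame) != length + DIGEST_LEN:
        return False, "bad version or length"
    _zero, key_id, digest_len, seq = struct.unpack("!HBBI", frame[16:24])
    if digest_len != DIGEST_LEN or key_id not in keys:
        return False, f"unknown key ID {key_id} or bad digest length"
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):     # constant-time comparison
        return False, "digest mismatch (wrong key or modified packet)"
    router_id = ".".join(str(b) for b in frame[4:8])
    if seq < last_seq.get(router_id, 0):               # sequence must never go backwards
        return False, "sequence number went backwards (replay)"
    last_seq[router_id] = seq
    return True, "ok"


if __name__ == "__main__":
    keys = {100: b"shiva"}          # key ID and key from the book's ASA/R1 configuration
    seen: Dict[str, int] = {}
    frame = sign_md5("192.168.4.2", "0.0.0.1", b"\x00" * 20, 100, 5, b"shiva")
    print("genuine:", verify_md5(frame, keys, seen))
    print("wrong key:", verify_md5(frame, {100: b"other"}, {}))
    replay = sign_md5("192.168.4.2", "0.0.0.1", b"\x00" * 20, 100, 4, b"shiva")
    print("older sequence:", verify_md5(replay, keys, seen))
```

Two points worth noticing: a neighbour that still runs Type 0 fails at the AuType check before any digest work, which is exactly the state the router was in between the ASA's `ospf authentication message-digest` and R1's matching command, and the digest covers the sequence number, so an attacker who cannot produce the key can neither alter a packet nor bump its sequence number. MD5 here is what the protocol specifies for Type 2 rather than a modern MAC; the key never leaves the box, but it should still be treated like any other shared secret.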
! OSPF Hello & Dead Interval Verification
ASA1(config-if)# sh ospf interface inside
inside is up, line protocol is up
Internet Address 192.168.1.2 mask 255.255.255.0, Area 1
Process ID 100, Router ID 192.168.4.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2
Backup Designated router (ID) 172.10.6.1, Interface address 192.168.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
! OSPF Hello & Dead Interval Modification on ASA
ASA1(config-if)# int g0/0
ASA1(config-if)# ospf hello-interval 5
ASA1(config-if)# sh ospf interface inside
inside is up, line protocol is up
Internet Address 192.168.1.2 mask 255.255.255.0, Area 1
Process ID 100, Router ID 192.168.4.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2
Backup Designated router (ID) 172.10.6.1, Interface address 192.168.1.1
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
ASA1(config-if)# int g0/0
ASA1(config-if)# ospf dead-interval 15
ASA1(config-if)# sh ospf interface inside
inside is up, line protocol is up
Internet Address 192.168.1.2 mask 255.255.255.0, Area 1
Process ID 100, Router ID 192.168.4.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2
No backup designated router on this network
Timer intervals configured, Hello 5, Dead 15, Wait 15, Retransmit 5
! Effect of Changing the Timers (the ASA now sends Hello 5 / Dead 15 while R1 still expects 10 / 40)
R1#
*Sep 28 10:16:21.227: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
FULL to DOWN, Neighbor Down: Dead timer expired
R1#
*Sep 28 10:16:26.727: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from FULL to
DOWN, Neighbor Down: Interface down or detached
! OSPF Debug Command Analysis
R1#debug ip ospf events
OSPF events debugging is on
*Sep 28 10:18:03.567: OSPF: Send with youngest Key 100
*Sep 28 10:18:03.567: OSPF: Send hello to 224.0.0.5 area 1 on FastEthernet0/0 from 192.168.1.1
R1#
*Sep 28 10:18:05.223: OSPF: Rcv hello from 192.168.4.2 area 1 from FastEthernet0/0 192.168.1.2
*Sep 28 10:18:05.223: OSPF: Mismatched hello parameters from 192.168.1.2
*Sep 28 10:18:05.223: OSPF: Dead R 15 C 40, Hello R 5 C 10 Mask R 255.255.255.0 C 255.255.255.0
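The debug lines above ("Mismatch Authentication type" and "Dead R 15 C 40, Hello R 5 C 10") are the two ways an OSPF Hello is rejected in this chapter. The following is an added example, not code from the book or from Cisco: it parses those IOS message shapes into findings a NOC dashboard or SIEM rule could act on, and it models the Hello-field comparison that RFC 2328 performs so you can predict a mismatch before changing a timer on one side only. The `OspfIfParams` type, the function names and the sample log lines are this example's own constructions (the sample lines are modelled on the output shown above).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines, modelled on the 'debug ip ospf events' and
# %OSPF-5-ADJCHG output shown in this chapter (not a capture from the lab).
SAMPLE_LINES = [
    "*Sep 28 10:20:40.255: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : "
    "Mismatch Authentication type. Input packet specified type 2, we use type 0",
    "*Sep 28 10:18:05.223: OSPF: Mismatched hello parameters from 192.168.1.2",
    "*Sep 28 10:18:05.223: OSPF: Dead R 15 C 40, Hello R 5 C 10 "
    "Mask R 255.255.255.0 C 255.255.255.0",
    "*Sep 28 10:18:51.267: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on "
    "FastEthernet0/0 from LOADING to FULL, Loading Done",
    "*Sep 28 10:16:21.227: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on "
    "FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired",
]

AUTH_NAMES = {0: "null", 1: "simple-password", 2: "md5"}


@dataclass(frozen=True)
class OspfIfParams:
    """Hello-packet fields of one interface (this example's own type,
    not an IOS or ASA structure)."""
    area: int
    hello: int
    dead: int
    mask: str
    auth_type: int       # 0 = null, 1 = simple password, 2 = MD5
    stub: bool = False   # E-bit cleared in the Hello options for a stub area


def adjacency_mismatches(local: OspfIfParams, remote: OspfIfParams) -> List[str]:
    """List the Hello fields that differ; RFC 2328 discards the Hello
    (so no adjacency forms) when any of these disagree."""
    problems = []
    if local.area != remote.area:
        problems.append(f"area {local.area} != {remote.area}")
    if local.hello != remote.hello:
        problems.append(f"hello {local.hello} != {remote.hello}")
    if local.dead != remote.dead:
        problems.append(f"dead {local.dead} != {remote.dead}")
    if local.mask != remote.mask:
        problems.append(f"mask {local.mask} != {remote.mask}")
    if local.auth_type != remote.auth_type:
        problems.append(f"auth {AUTH_NAMES[local.auth_type]} != {AUTH_NAMES[remote.auth_type]}")
    if local.stub != remote.stub:
        problems.append("stub flag (E-bit) differs")
    return problems


# The three IOS message shapes that appear in this chapter.
AUTH_RE = re.compile(r"Mismatch Authentication type\. Input packet specified type (\d+), we use type (\d+)")
HELLO_RE = re.compile(r"OSPF: Dead R (\d+) C (\d+), Hello R (\d+) C (\d+) Mask R (\S+) C (\S+)")
ADJ_RE = re.compile(r"%OSPF-5-ADJCHG: Process \d+, Nbr (\S+) on (\S+) from ([A-Z]+) to ([A-Z]+)")


def analyze_ospf_log(lines) -> List[Tuple[str, str]]:
    """Reduce debug/syslog lines to (kind, detail) findings."""
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            rcvd, ours = (int(x) for x in m.groups())
            findings.append(("auth-mismatch", f"neighbor {AUTH_NAMES[rcvd]}, local {AUTH_NAMES[ours]}"))
            continue
        m = HELLO_RE.search(line)
        if m:
            dead_r, dead_c, hello_r, hello_c, mask_r, mask_c = m.groups()
            pairs = (("dead", dead_r, dead_c), ("hello", hello_r, hello_c), ("mask", mask_r, mask_c))
            diffs = [name for name, r, c in pairs if r != c]   # R = received, C = configured
            findings.append(("timer-mismatch", ",".join(diffs)))
            continue
        m = ADJ_RE.search(line)
        if m:
            nbr, intf, old, new = m.groups()
            kind = {"FULL": "adjacency-up", "DOWN": "adjacency-down"}.get(new, "adjacency-change")
            findings.append((kind, f"nbr {nbr} on {intf}: {old}->{new}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_ospf_log(SAMPLE_LINES):
        print(f"{kind:17} {detail}")
```

Feeding the ASA's values (Hello 5, Dead 15) and R1's (Hello 10, Dead 40) into `adjacency_mismatches` returns exactly the two timer differences the debug output reports; once both sides are set to 5/15, as the next section does on R1, the list is empty. The `adjacency-down` findings are the ones worth alerting on, since a neighbor that flaps with "Dead timer expired" is either a timer change made on one side only or a link that is dropping Hellos.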
! OSPF Timer Changing on Router
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf hello-interval 5
R1(config-if)#ip ospf dead-interval 15
*Sep 28 10:18:51.267: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
LOADING to FULL, Loading Done
R3#sh ip route ospf
172.10.0.0/32 is subnetted, 6 subnets
O IA 172.10.6.1 [110/12] via 192.168.3.2, 00:04:13, FastEthernet0/0
O IA 172.10.5.1 [110/12] via 192.168.3.2, 00:04:13, FastEthernet0/0
O IA 172.10.4.1 [110/12] via 192.168.3.2, 00:04:13, FastEthernet0/0
O IA 172.10.3.1 [110/12] via 192.168.3.2, 00:04:13, FastEthernet0/0
O IA 172.10.2.1 [110/12] via 192.168.3.2, 00:04:13, FastEthernet0/0
O IA 172.10.1.1 [110/12] via 192.168.3.2, 00:04:13, FastEthernet0/0
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.3.2, 00:16:37, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.3.2, 00:16:37, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.3.2, 00:16:37, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.3.2, 00:16:37, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.3.2, 00:16:37, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.3.2, 00:16:37, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.3.2, 00:24:45, FastEthernet0/0
O IA 192.168.1.0/24 [110/11] via 192.168.3.2, 00:24:45, FastEthernet0/0
O IA 192.168.2.0/24 [110/11] via 192.168.3.2, 00:24:45, FastEthernet0/0
! Stub Area commands
ASA1(config)# router ospf 100
ASA1(config-router)# area 2 stub
R3(config)# router ospf 100
R3(config-router)# area 2 stub
R3(config-router)#
*Sep 28 10:07:58.103: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
FULL to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-router)#
*Sep 28 10:08:03.107: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
LOADING to FULL, Loading Done
! Stub Area verification
R3#sh ip route ospf
172.10.0.0/32 is subnetted, 6 subnets
O IA 172.10.6.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 172.10.5.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 172.10.4.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 172.10.3.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 172.10.2.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 172.10.1.1 [110/12] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 192.168.1.0/24 [110/11] via 192.168.3.2, 00:00:49, FastEthernet0/0
O IA 192.168.2.0/24 [110/11] via 192.168.3.2, 00:00:49, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 192.168.3.2, 00:00:49, FastEthernet0/0
! Totally Stub Commands
ASA1(config-router)# router ospf 100
ASA1(config-router)# area 2 stub no-summary
! Totally Stub Area Verification
R3#sh ip route ospf
O*IA 0.0.0.0/0 [110/2] via 192.168.3.2, 00:00:30, FastEthernet0/0
R4#sh ip route ospf
172.10.0.0/32 is subnetted, 6 subnets
O IA 172.10.6.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.10.5.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.10.4.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.10.3.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.10.2.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.10.1.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.4.2, 00:00:05, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.4.2, 00:00:05, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.4.2, 00:00:05, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.4.2, 00:00:05, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.4.2, 00:00:05, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.4.2, 00:00:05, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 192.168.1.0/24 [110/11] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 192.168.2.0/24 [110/11] via 192.168.4.2, 00:00:05, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.4.2, 00:00:07, FastEthernet0/0
! Area 3 Stub Commands
ASA1(config-router)# router ospf 100
ASA1(config-router)# area 3 stub
R4(config)#router ospf 100
R4(config-router)# area 3 stub
R4(config-router)#
*Sep 28 11:10:58.275: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
INIT to DOWN, Neighbor Down: Adjacency forced to reset
R4(config-router)#
*Sep 28 11:11:03.631: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
LOADING to FULL, Loading Done
! Stub Verification
R4#sh ip route ospf
172.10.0.0/32 is subnetted, 6 subnets
O IA 172.10.6.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.5.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.4.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.3.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.2.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.1.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 192.168.1.0/24 [110/11] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 192.168.2.0/24 [110/11] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.4.2, 00:00:38, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 192.168.4.2, 00:00:38, FastEthernet0/0
! Totally Stub Commands
ASA1(config-router)# router ospf 100
ASA1(config-router)# area 3 stub no-summary
! Verification of Totally Stub Area
R4#sh ip route ospf
O*IA 0.0.0.0/0 [110/2] via 192.168.4.2, 00:00:17, FastEthernet0/0
! Redistribute EIGRP 200 Route in OSPF
R4(config)#router ospf 100
R4(config-router)#redistribute eigrp 200 subnets metric-type 1
R4(config-router)#
*Sep 28 11:13:14.383: %OSPF-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while
having only one area which is a stub area.
! Not allowed: an ASBR cannot sit in a stub area. Remove the stub commands, then configure the area as NSSA
R4(config-router)#router os 100
R4(config-router)#no area 3 stub
R4(config-router)#area 3 nssa
ASA1(config-router)# router os 100
ASA1(config-router)# no area 3 stub
ASA1(config-router)# area 3 nssa
! NSSA Verification on ASA
ASA1(config-router)# sh route dmz2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
O N1 172.40.1.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.2.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.3.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.4.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.5.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.6.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
R4#sh ip route ospf
172.10.0.0/32 is subnetted, 6 subnets
O IA 172.10.6.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.10.5.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.10.4.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.10.3.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.10.2.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.10.1.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 192.168.1.0/24 [110/11] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 192.168.2.0/24 [110/11] via 192.168.4.2, 00:00:37, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.4.2, 00:00:37, FastEthernet0/0
No eigrp routes
! Totally NSSA Commands (no-summary blocks inter-area routes; default-information-originate injects the default into the NSSA)
ASA1(config-router)# router os 100
ASA1(config-router)# area 3 nssa no-summary default-information-originate
! Verification of Totally NSSA
R4#sh ip route ospf
O*IA 0.0.0.0/0 [110/2] via 192.168.4.2, 00:00:17, FastEthernet0/0
ASA1(config)# sh route inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
O IA 172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
O IA 172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
O IA 172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
O IA 172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
O IA 172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
O IA 172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
! By default OSPF advertises a loopback as a single host (a /32 route). If you want it advertised as a network,
! do the following
R1(config)#interface loopback 1
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 2
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 3
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 4
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 5
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 6
R1(config-if)#ip ospf network point-to-point
ASA1(config)# sh route inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:01:04, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
O IA 172.10.4.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
O IA 172.10.5.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
O IA 172.10.6.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! OSPF Route filtering
ASA1
access-list 10 standard permit 172.10.1.0 255.255.255.0
access-list 10 standard permit 172.10.2.0 255.255.255.0
access-list 10 standard permit 172.10.3.0 255.255.255.0
ASA1(config-router)# router ospf 100
ASA1(config-router)# distribute-list 10 in interface inside
! OSPF Route filtering verification
ASA1(config-router)# sh route inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
ASA1(config-router)# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O E1 172.20.1.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.2.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.3.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.4.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.5.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.6.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O 172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:10, outside
O 172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:10, outside
O 172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O 172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O N1 172.40.1.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.2.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.3.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.4.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.5.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.6.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
! OSPF AD (administrative distance) Changing: external routes (E1/E2, N1/N2) get distance 180 while intra-/inter-area stay at 110
ASA1(config-router)# router ospf 100
ASA1(config-router)#distance ospf inter-area 110 intra-area 110 external 180
ASA1(config-router)# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside
O E1 172.20.1.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.2.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.3.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.4.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.5.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.6.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O 172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:27, outside
O 172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:27, outside
O 172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O 172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O N1 172.40.1.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.2.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.3.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.4.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.5.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.6.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
R1#sh ip route ospf
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:11:38, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:11:38, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:11:38, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.1.2, 00:11:38, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.1.2, 00:11:38, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.1.2, 00:11:38, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:25:48, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:25:48, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:25:48, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:25:48, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:25:48, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:25:48, FastEthernet0/0
172.40.0.0/24 is subnetted, 6 subnets
O E1 172.40.4.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0
O E1 172.40.5.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0
O E1 172.40.6.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0
O E1 172.40.1.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0
O E1 172.40.2.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0
O E1 172.40.3.0 [110/31] via 192.168.1.2, 00:11:39, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:31:22, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:31:22, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:31:22, FastEthernet0/0
! OSPF Default Route Origination
ASA1(config-router)# router ospf 100
ASA1(config-router)# default-information originate always
! OSPF Default Route Origination Verification
R1#sh ip route ospf
172.20.0.0/24 is subnetted, 6 subnets
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:13:00, FastEthernet0/0
O E1 172.20.2.0 [110/31] via 192.168.1.2, 00:13:00, FastEthernet0/0
O E1 172.20.3.0 [110/31] via 192.168.1.2, 00:13:00, FastEthernet0/0
O E1 172.20.4.0 [110/31] via 192.168.1.2, 00:13:00, FastEthernet0/0
O E1 172.20.5.0 [110/31] via 192.168.1.2, 00:13:00, FastEthernet0/0
O E1 172.20.6.0 [110/31] via 192.168.1.2, 00:13:00, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:27:11, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.1.2, 00:27:11, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.1.2, 00:27:11, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.1.2, 00:27:11, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.1.2, 00:27:11, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.1.2, 00:27:11, FastEthernet0/0
172.40.0.0/24 is subnetted, 6 subnets
O E1 172.40.4.0 [110/31] via 192.168.1.2, 00:13:02, FastEthernet0/0
O E1 172.40.5.0 [110/31] via 192.168.1.2, 00:13:02, FastEthernet0/0
O E1 172.40.6.0 [110/31] via 192.168.1.2, 00:13:02, FastEthernet0/0
O E1 172.40.1.0 [110/31] via 192.168.1.2, 00:13:02, FastEthernet0/0
O E1 172.40.2.0 [110/31] via 192.168.1.2, 00:13:02, FastEthernet0/0
O E1 172.40.3.0 [110/31] via 192.168.1.2, 00:13:02, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:32:44, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:32:44, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.1.2, 00:32:45, FastEthernet0/0
O*E2 0.0.0.0/0 [110/10] via 192.168.1.2, 00:00:54, FastEthernet0/0
ASA1(config-router)# router ospf 100
ASA1(config-router)# no default-information originate always
! Manual Router ID
ASA1(config-router)# router ospf 100
ASA1(config-router)# router-id 123.123.123.123
R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
123.123.123.123   1   FULL/BDR        00:00:13    192.168.1.2     FastEthernet0/0
! Note that the virtual link will go down, because its far end is still configured with the old router ID.
Chapter 8
After reading this chapter you will be able to describe:
IPv6
IPv6 Styles
IPv6 Routing Protocols
RIPng
OSPFv3
EIGRPv6
IPv6 Introduction
IP Address
Before IPv6 we have to understand IP. An IP address is a logical address that enables a machine to communicate with other machines on the network.
IP Parts
1. Network ID
2. Host ID
Network ID
It enables us to determine the location of the network within a class.
Host ID
It enables us to determine the location of a host within a network.
IP Address Classes
A (1-126)/8
B (128-191)/16
C (192-223)/24
D (224-239)
E (240-255)
IP Address Types
Public
Private
Public
They are accessible via the internet and unique in the world.
Private
They are not accessible via the internet; they can be used by private organizations.
Brief
IPv4
32-bit address
Decimal format
Separated by ( . )
20-byte header
IPv6
128-bit address
Hexadecimal format
Separated by ( : )
40-byte header
IPv6 Style
Unicast
Multicast
Anycast
Unicast Types
Global Unicast
Unique Local
Link Local
Global Unicast
They are the public addresses, routable over the internet, like IPv4 public addresses.
Start with 2000::/3
Unique Local
They are the private addresses, not routable over the internet, like IPv4 private addresses.
Start with FD00::/8
Link Local
They are created automatically by the device and are used by routing protocols to communicate with each other.
Start with FE80::/10
A Link Local address contains a 64-bit interface ID.
The interface ID contains the 48-bit MAC and a 16-bit EUI filler.
The EUI filler is FFFE.
Procedure for Link Local
For example:
MAC is 0000.0c07.ac01
The 7th bit of the 1st byte of the MAC address is flipped from 0 to 1
MAC after the bit flip: 100.0c07.ac01
Add the EUI filler
100.0cFF.FE07.ac01
Add the Link Local prefix
FE80::100.0cFF.FE07.ac01/10
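The procedure above (split the MAC, insert FFFE, flip one bit in the first byte, prepend FE80::) is what RFC 4291 calls the modified EUI-64 interface ID. The following is an added example, not code from the book: it carries the procedure out in code, and also runs it backwards, which is the direction a defender usually needs, since a SLAAC or link-local address that contains ff:fe in the middle of its interface ID reveals the hardware MAC of the host that generated it (the ASA's own `fe80::6e20:56ff:febd:ea87` on the inside interface, shown later in this chapter, decodes that way). The bit that is inverted is the universal/local bit, the 0x02 bit of the first octet, so for the MAC 0000.0c07.ac01 the code yields `fe80::200:cff:fe07:ac01`. The function names are this example's own.

```python
import ipaddress
import re
from typing import Optional

MAC_DIGITS_RE = re.compile(r"^[0-9a-f]{12}$")


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (0000.0c07.ac01), colon or hyphen separated MACs."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not MAC_DIGITS_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface ID (RFC 4291, Appendix A): split the MAC
    in two, insert FFFE in the middle, and invert the universal/local bit,
    which is the 0x02 bit of the first octet."""
    m = mac_to_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix followed by the modified EUI-64 interface ID."""
    packed = b"\xfe\x80" + bytes(6) + modified_eui64(mac)
    return ipaddress.IPv6Address(packed).compressed


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC from any EUI-64 derived IPv6 address (link-local or
    SLAAC global). Returns None when the interface ID is not EUI-64 shaped,
    e.g. a manually assigned ::1 or an RFC 4941 privacy address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"   # Cisco dotted notation


if __name__ == "__main__":
    print(link_local_from_mac("0000.0c07.ac01"))            # fe80::200:cff:fe07:ac01
    print(mac_from_eui64_address("fe80::6e20:56ff:febd:ea87"))  # 6c20.56bd.ea87
```

Because the mapping is reversible, EUI-64 addresses let anyone who sees the address (in logs, in NetFlow, in a web server's access log) identify the NIC vendor and track the device across networks; that is why hosts now default to privacy extensions and why `mac_from_eui64_address` returning None is the expected result for a modern client.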
Multicast
They are just like IPv4 multicast addresses.
FF02::1 for all hosts
FF02::2 for all routers
FF02::5 for OSPF
FF02::6 for OSPF
FF02::9 for RIPng
FF02::A for EIGRP
FF02::D for PIM
IPv6 Format
1234:1234:1234:1234:1234:1234:1234:1234 (right)
2000:0000:0000:1111:0000:0000:0000:0001 (right)
2000:0:0:1111:0:0:0:1 (right)
2000::1111:0:0:0:1 (right) {8-6=2: the double :: represents 2 zero blocks}
2000:0:0:1111::1 (right) {8-5=3: the double :: represents 3 zero blocks}
2000::1111::1 (wrong) {8-3=5, which could be 3+2 or 2+3, so it is ambiguous}
:: may appear only once
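The rules above (eight 16-bit groups, leading zeros optional, one `::` standing for however many zero groups are missing, and never two `::` because the split would be ambiguous) are small enough to implement directly. The following is an added example, not code from the book: a parser that expands any of the "(right)" forms to eight groups and rejects the "(wrong)" one, a helper that reports the {8-n} count the examples annotate, and a compressor that produces the RFC 5952 canonical form (longest run of zero groups becomes `::`). A final function cross-checks the result against Python's standard `ipaddress` module. Function names are this example's own; embedded-IPv4 forms such as `::ffff:1.2.3.4` are deliberately out of scope.

```python
import ipaddress
import re
from typing import List, Optional

GROUP_RE = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(text: str) -> Optional[List[str]]:
    """Return the eight 4-digit groups of a textual IPv6 address, or None if
    the text breaks the rules: 8 groups of 1-4 hex digits, and '::' at most
    once (a second '::' makes the number of elided zero groups ambiguous)."""
    text = text.strip()
    if text.count("::") > 1:
        return None
    if "::" in text:
        left, right = text.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            return None          # '::' must stand for at least one zero group
        groups = lg + ["0"] * missing + rg
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(GROUP_RE.match(g) for g in groups):
        return None
    return [g.lower().zfill(4) for g in groups]


def double_colon_groups(text: str) -> Optional[int]:
    """How many zero groups the '::' stands for (the {8-n} figure in the
    examples above); 0 when there is no '::', None when the text is invalid."""
    if expand_ipv6(text) is None:
        return None
    if "::" not in text:
        return 0
    explicit = [g for g in text.strip().split(":") if g]
    return 8 - len(explicit)


def compress_ipv6(groups: List[str]) -> str:
    """RFC 5952 canonical form: drop leading zeros in every group and replace
    the longest run of two or more zero groups (first one on a tie) with '::'."""
    short = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if short[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and short[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(short)
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])


def canonical(text: str) -> Optional[str]:
    groups = expand_ipv6(text)
    return None if groups is None else compress_ipv6(groups)


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check this parser against the standard library's verdict."""
    try:
        std = ipaddress.IPv6Address(text).compressed
    except ValueError:
        return canonical(text) is None
    return canonical(text) == std


if __name__ == "__main__":
    for sample in ["2000::1111:0:0:0:1", "2000:0:0:1111::1", "2000::1111::1"]:
        print(sample, "->", canonical(sample), "zero groups elided:", double_colon_groups(sample))
```

Canonicalising addresses before comparing them matters for access lists and log correlation: `2000:0:0:1111::1`, `2000::1111:0:0:0:1` and `2000:0000:0000:1111:0000:0000:0000:0001` are the same host, and string matching on whichever form a device happened to log will miss the other two.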
IPv6 Routing Protocols
RIPng
IS-ISv6
OSPFv3
EIGRPv6
MP-BGP
RIPng
Routing Information Protocol next generation
It is based on RIPv2.
It uses UDP port 521.
Multicast updates go to FF02::9.
No authentication support.
Multiple RIPng processes can now be run.
Max-Path 16
IS-ISv6
It uses the same concepts as IS-IS. It uses IP protocol no. 131 (0x83).
It works at OSI layer 3.
Its PDU is encapsulated directly in the frame.
EIGRPv6
Cisco proprietary
IP protocol no. 88
Same concepts as EIGRP
Max-Path 16
Shut down by default
It requires a Router ID
Multicast at FF02::A
MD5 authentication
OSPFv3
Still an open standard
IP protocol no. 89
Uses IPsec for authentication
It adds a 16-byte header, while OSPF (v2) adds a 24-byte header
Note
Cisco ASA OS version 8.6 supports only static & default IPv6 routing.
Cisco ASA OS version 9.2.2.4 supports only static & default & OSPFv3 IPv6 routing.
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:1::1/48
int lo1
ipv6 add 192:168:101::1/48
ipv6 route ::/0 192:168:1::2
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:2::1/48
int l1
ipv6 add 192:168:102::1/48
ipv6 route ::/0 192:168:2::2
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:3::1/48
int l1
ipv6 add 192:168:103::1/48
ipv6 route ::/0 192:168:3::2
R4
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:4::1/48
int lo1
ipv6 add 192:168:104::1/48
ipv6 route ::/0 192:168:4::2
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:2::2/48
!
interface GigabitEthernet0/2
nameif outside
security-level 0
no ip address
ipv6 address 192:168:3::2/48
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:4::2/48
!
ASA1(config)# sh ipv6 int brief
inside [up/up]
fe80::6e20:56ff:febd:ea87
192:168:1::2
dmz1 [up/up]
fe80::6e20:56ff:febd:ea84
192:168:2::2
outside [up/up]
fe80::6e20:56ff:febd:ea88
192:168:3::2
dmz2 [up/up]
fe80::6e20:56ff:febd:ea85
192:168:4::2
GigabitEthernet0/4 [administratively down/down]
unassigned
GigabitEthernet0/5 [administratively down/down]
unassigned
Management0/0 [administratively down/down]
unassigned
ASA1(config)# ping 192:168:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:2::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:4::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:4::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
! ipv6 static & default
ipv6 route inside 192:168:101::/48 192:168:1::1
ipv6 route dmz1 192:168:102::/48 192:168:2::1
ipv6 route outside ::/0 192:168:3::1
ipv6 route dmz2 192:168:104::/48 192:168:4::1
ASA1(config)# ping 192:168:101::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:102::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:103::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:103::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:104::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:104::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
The ASA allows traffic from a higher security level to a lower one by default
R1#telnet 192:168:102::1
Trying 192:168:102::1 ... Open
Password required, but none set
[Connection to 192:168:102::1 closed by foreign host]
R1#telnet 192:168:103::1
Trying 192:168:103::1 ... Open
Password required, but none set
[Connection to 192:168:103::1 closed by foreign host]
R1#telnet 192:168:104::1
Trying 192:168:104::1 ... Open
Password required, but none set
[Connection to 192:168:104::1 closed by foreign host]
R1#
! If you want lower to higher, apply an ACL
ASA1
access-list dmz1 permit ip 192:168:102::/48 192:168:101::/48
access-list dmz1 permit ip 192:168:102::/48 192:168:103::/48
access-list dmz1 permit ip 192:168:102::/48 192:168:104::/48
access-group dmz1 in interface dmz1
access-list out permit ip 192:168:103::/48 192:168:101::/48
access-list out permit ip 192:168:103::/48 192:168:102::/48
access-list out permit ip 192:168:103::/48 192:168:104::/48
access-group out in interface outside
access-list dmz2 permit ip 192:168:104::/48 192:168:101::/48
access-list dmz2 permit ip 192:168:104::/48 192:168:102::/48
access-list dmz2 permit ip 192:168:104::/48 192:168:103::/48
access-group dmz2 in interface dmz2
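The two rules shown above (with no ACL, only higher security level to lower is allowed; once an ACL is applied inbound, that ACL alone decides and ends in an implicit deny) are easy to get wrong when ACLs are added one interface at a time. The Python below is an added example, not code from the book or from Cisco: it models the lab's interfaces, security levels, static routes and the ACLs above, and also shows the caveat that a narrow ACL on dmz1 blocks dmz1-to-outside traffic even though that direction was permitted before the ACL was applied. The class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


@dataclass
class Interface:
    name: str
    level: int                      # security-level 0..100
    acl_in: list = field(default_factory=list)   # empty == no access-group applied


def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' into (NAME, Ace)."""
    _, name, action, proto, src, dst = line.split()
    if proto != "ip" or action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    return name, Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


class Firewall:
    """Hypothetical model of the ASA's interface-to-interface policy check."""

    def __init__(self):
        self.interfaces = {}        # nameif -> Interface
        self.routes = []            # (prefix, egress nameif)
        self.acls = {}              # ACL name -> [Ace]

    def add_interface(self, name, level):
        self.interfaces[name] = Interface(name, level)

    def add_route(self, iface, prefix):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def add_acl_line(self, line):
        name, ace = parse_ace(line)
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, acl_name, iface):
        """Model of 'access-group NAME in interface IFACE'."""
        self.interfaces[iface].acl_in = self.acls[acl_name]

    def egress_for(self, dst):
        """Longest-prefix match over the static and default routes."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def allowed(self, ingress, src, dst):
        """Would a new connection arriving on `ingress` be permitted?"""
        src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ing = self.interfaces[ingress]
        egr = self.interfaces[self.egress_for(dst)]
        if ing.acl_in:                          # an ACL is applied: it alone decides
            for ace in ing.acl_in:
                if src_a in ace.src and dst_a in ace.dst:
                    return ace.action == "permit"
            return False                        # implicit deny at the end of every ACL
        return ing.level > egr.level            # no ACL: higher to lower only


def build_lab(apply_acls):
    """The book's IPv6 lab: four interfaces, four routes, optionally the ACLs above."""
    fw = Firewall()
    for name, level in (("inside", 100), ("dmz1", 60), ("outside", 0), ("dmz2", 50)):
        fw.add_interface(name, level)
    fw.add_route("inside", "192:168:101::/48")
    fw.add_route("dmz1", "192:168:102::/48")
    fw.add_route("outside", "::/0")             # 192:168:103::/48 sits behind the default route
    fw.add_route("dmz2", "192:168:104::/48")
    if apply_acls:
        for line in (
            "access-list dmz1 permit ip 192:168:102::/48 192:168:101::/48",
            "access-list dmz1 permit ip 192:168:102::/48 192:168:103::/48",
            "access-list dmz1 permit ip 192:168:102::/48 192:168:104::/48",
            "access-list out permit ip 192:168:103::/48 192:168:101::/48",
            "access-list out permit ip 192:168:103::/48 192:168:102::/48",
            "access-list out permit ip 192:168:103::/48 192:168:104::/48",
        ):
            fw.add_acl_line(line)
        fw.access_group("dmz1", "dmz1")
        fw.access_group("out", "outside")
    return fw


def implicit_deny_demo():
    """Caveat: an ACL on dmz1 that permits only dmz1 -> inside also blocks
    dmz1 -> outside, a direction that needed no ACL before (returns False)."""
    fw = build_lab(apply_acls=False)
    fw.add_acl_line("access-list dmz1 permit ip 192:168:102::/48 192:168:101::/48")
    fw.access_group("dmz1", "dmz1")
    return fw.allowed("dmz1", "192:168:102::1", "192:168:103::1")
```

The model only looks at the ingress interface's inbound ACL, which is what the book configures; it does not model NAT, global ACLs or connection state.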
R1
R1#ping 192:168:102::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R1#ping 192:168:103::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:103::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R1#ping 192:168:104::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:104::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R2
R2#ping 192:168:101::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:102::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R2#ping 192:168:103::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:103::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:102::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R2#ping 192:168:104::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:104::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:102::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R3
R3#ping 192:168:101::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:103::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
R3#ping 192:168:102::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:103::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R3#ping 192:168:104::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:104::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:103::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R4
R4#ping 192:168:101::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:104::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R4#ping 192:168:102::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:104::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R4#ping 192:168:103::1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:103::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:104::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
Chapter 9
Service Level Agreement (SLA)
After reading this chapter you will be able to describe:
SLA
Assume that we have an appliance connected to two ISPs (ISP1, ISP2).
ISP1 is the primary, using AD 1; ISP2 is the secondary, using AD 2.
If the primary link goes down, the appliance will use the secondary.
But consider this condition: there is no problem on our access link, but the ISP's network has a
problem, meaning ISP1 is not able to give us connectivity.
In this situation the appliance will not use the ISP2 link, because the ISP1 link is still up.
To solve this problem we have SLA (Service Level Agreement).
In SLA we check reachability from our end to a public server using ICMP echo-requests.
This is called a track. The track is associated with a static route, for example the ISP1 route.
If reachability is available the track remains up, and while the track is up the route remains in the routing
table.
If there is no reachability the track goes down; when the track is down the appliance removes the primary route from the
table and the secondary is used.
Diagram:-
Initial-config
PC1
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#no shutdown
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1
ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#no shutdown
ISP(config-if)#ip add 101.1.1.1 255.255.255.0
ISP(config-if)#int f0/1
ISP(config-if)#no shutdown
ISP(config-if)#ip add 102.1.1.1 255.255.255.0
ISP(config-if)#int l1
ISP(config-if)#ip add 1.1.1.1 255.255.255.255
ASA1
ASA1(config)# hostname ASA1
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no sh
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.101.1 255.255.255.0
ASA1(config-if)# int g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside1
INFO: Security level for "outside1" set to 0 by default.
ASA1(config-if)# ip add 101.1.1.100 255.255.255.0
ASA1(config-if)# int g0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside2
INFO: Security level for "outside2" set to 0 by default.
ASA1(config-if)# ip add 102.1.1.100 255.255.255.0
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
! SLA on ASA
sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.1 interface outside1
timeout 1000
frequency 1
exit
sla monitor schedule 1 start-time now life forever
track 11 rtr 1 reachability
route outside1 0 0 101.1.1.1 track 11
route outside2 0 0 102.1.1.1 2
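As an added example (not from the book), the Python below models how the sla monitor, the track object and the two default routes configured above interact: a probe result is fed in for each cycle, the track changes state when the result changes, and the route used is the lowest-AD route whose track is up. Because the decision depends only on probe results, it reproduces the case the text describes, where the ISP1 link stays up but 1.1.1.1 stops answering. The target, interface names, gateways and ADs are the lab's; the class names, the simulate() helper and the probe values are the example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    iface: str
    gateway: str
    ad: int                         # administrative distance: 1 for ISP1, 2 for ISP2
    track: Optional[int] = None     # 'track 11' on the ISP1 route; None = untracked


class SlaMonitor:
    """Model of 'sla monitor 1' with 'type echo protocol ipIcmpEcho 1.1.1.1
    interface outside1', 'timeout 1000' and 'frequency 1'."""

    def __init__(self, target, iface, timeout_ms=1000, frequency_s=1):
        self.target, self.iface = target, iface
        self.timeout_ms, self.frequency_s = timeout_ms, frequency_s
        self.last_rc = None          # "OK" or "Timeout", as shown by 'show track'

    def probe(self, reply_rtt_ms):
        """One echo cycle: RTT in ms, or None when no reply came back."""
        ok = reply_rtt_ms is not None and reply_rtt_ms <= self.timeout_ms
        self.last_rc = "OK" if ok else "Timeout"
        return ok


class Track:
    """Model of 'track 11 rtr 1 reachability': follows the monitor's result."""

    def __init__(self, track_id, monitor):
        self.id, self.monitor = track_id, monitor
        self.up, self.changes = None, 0   # state unknown until the first probe

    def poll(self, reply_rtt_ms):
        state = self.monitor.probe(reply_rtt_ms)
        if state != self.up:
            self.changes += 1
            self.up = state
        return self.up


class RoutingTable:
    def __init__(self, routes, tracks):
        self.routes = routes
        self.tracks = {t.id: t for t in tracks}

    def installed(self):
        """Untracked routes, plus tracked routes whose track is up."""
        return [r for r in self.routes
                if r.track is None or self.tracks[r.track].up]

    def active_default(self):
        """Lowest administrative distance wins among installed candidates."""
        return min(self.installed(), key=lambda r: r.ad)

    def show_route(self):
        r = self.active_default()
        return f"S* 0.0.0.0 0.0.0.0 [{r.ad}/0] via {r.gateway}, {r.iface}"


def build_lab():
    track = Track(11, SlaMonitor("1.1.1.1", "outside1"))
    table = RoutingTable(
        [StaticRoute("outside1", "101.1.1.1", ad=1, track=11),   # route outside1 ... track 11
         StaticRoute("outside2", "102.1.1.1", ad=2)],            # route outside2 ... 2
        [track])
    return track, table


def simulate(probe_results):
    """Feed constructed probe results (RTT ms or None) and return the gateway
    chosen after each one, plus the track's change count."""
    track, table = build_lab()
    chosen = []
    for rtt in probe_results:
        track.poll(rtt)
        chosen.append(table.active_default().gateway)
    return chosen, track.changes


def show_route_after(probe_results):
    """The 'S*' line of 'show route' after the given probe results."""
    track, table = build_lab()
    for rtt in probe_results:
        track.poll(rtt)
    return table.show_route()
```

A reply slower than the 1000 ms timeout counts as a failure just like no reply at all, so a congested but technically up ISP can also trigger failover; choose the timeout and target with that in mind.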
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Up
2 changes, last change 00:00:17
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1
C 101.1.1.0 255.255.255.0 is directly connected, outside1
L 101.1.1.100 255.255.255.255 is directly connected, outside1
C 102.1.1.0 255.255.255.0 is directly connected, outside2
L 102.1.1.100 255.255.255.255 is directly connected, outside2
C 192.168.101.0 255.255.255.0 is directly connected, inside
L 192.168.101.1 255.255.255.255 is directly connected, inside
ISP(config-if)#int l1
ISP(config-if)#shutdown
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Down
5 changes, last change 00:00:14
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 102.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [2/0] via 102.1.1.1, outside2
C 101.1.1.0 255.255.255.0 is directly connected, outside1
L 101.1.1.100 255.255.255.255 is directly connected, outside1
C 102.1.1.0 255.255.255.0 is directly connected, outside2
L 102.1.1.100 255.255.255.255 is directly connected, outside2
C 192.168.101.0 255.255.255.0 is directly connected, inside
L 192.168.101.1 255.255.255.255 is directly connected, inside
ISP(config-if)#int l1
ISP(config-if)#no sh
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Up
6 changes, last change 00:00:08
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1
C 101.1.1.0 255.255.255.0 is directly connected, outside1
L 101.1.1.100 255.255.255.255 is directly connected, outside1
C 102.1.1.0 255.255.255.0 is directly connected, outside2
L 102.1.1.100 255.255.255.255 is directly connected, outside2
C 192.168.101.0 255.255.255.0 is directly connected, inside
L 192.168.101.1 255.255.255.255 is directly connected, inside
! Optional commands
ASA1(config)# nat (inside,outside1) source dynamic any interface
ASA1(config)# nat (inside,outside2) source dynamic any interface
ASA1(config)# class-map shiva
ASA1(config-cmap)# match default-inspection-traffic
ASA1(config-cmap)# policy-map shiva
ASA1(config-pmap)# class shiva
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# service-policy shiva interface inside
These commands will be covered in the NAT & MPF chapters.
Chapter 10
Multicasting
After reading this chapter you will be able to describe:
IP address styles
Multicast MAC
Multicast addresses
IGMP (Internet Group Management Protocol)
IGMP snooping
Multicast routing protocols
RPF (Reverse Path Forwarding)
Distribution tree
PIM (Protocol Independent Multicast)
PIM versions
IP Address Styles
1. Unicast
2. Broadcast
3. Multicast
Unicast
It goes one-to-one. If we are sending data to a group it requires retransmission, which eats up our
bandwidth.
Broadcast
In it we send data to all. It is useful when the destination is unknown. It is used by DHCP, ARP, RIPv1.
Each NIC receives the broadcast and processes it, no matter whether it is meant for that NIC or not. But
broadcasts are not forwarded by a router or appliance.
Multicast
In it the source generates a stream, and that stream is distributed among the clients.
or
When a host joins a multicast group, its NIC is re-programmed and starts capturing data for the
joined group.
Multicast MAC
It is a 48-bit address. The first half of the address (24 bits) is pre-defined as 0100.5e. The 25th bit is always zero, and
the last 23 bits are obtained from the multicast IP address.
For example
224.0.0.1 # 0100.5e00.0001
224.0.0.10 # 0100.5e00.000a
Multicast Addresses
1. Link Local 224.0.0.0/24
2. Source Specific 232.0.0.0/8
3. GLOP 233.0.0.0/8
4. Administratively Scoped 239.0.0.0/8
5. Globally Scoped 224.0.1.0-231.255.255.255
234.0.0.0-238.255.255.255
Link Local
They are sent with a TTL value of one.
Source Specific
In Source Specific a host receives multicast traffic from a single server.
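The Python below is an added example (not from the book) that computes the multicast MAC exactly as described above: fixed 0100.5e prefix, bit 25 zero, the low 23 bits copied from the group address. It also lists the 32 groups that collapse onto one MAC, because the five IP bits between the 1110 prefix and the low 23 bits are dropped, and classifies a group into the address ranges listed above. That 32:1 overlap is why a switch that filters only on MAC can still deliver a stream for 239.129.1.1 to a host that joined 239.1.1.1. The function names are the example's own.

```python
import ipaddress

MCAST_OUI = 0x01005E      # fixed high 24 bits of every IPv4 multicast MAC (0100.5e)
LOW23_MASK = 0x7FFFFF     # the 23 low-order bits copied from the group address

GROUP_RANGES = [          # the ranges listed in the text, most specific first
    ("Link Local", [("224.0.0.0", "224.0.0.255")]),
    ("Source Specific", [("232.0.0.0", "232.255.255.255")]),
    ("GLOP", [("233.0.0.0", "233.255.255.255")]),
    ("Administratively Scoped", [("239.0.0.0", "239.255.255.255")]),
    ("Globally Scoped", [("224.0.1.0", "231.255.255.255"),
                         ("234.0.0.0", "238.255.255.255")]),
]


def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC in Cisco dotted format."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    # OUI in the top 24 bits, bit 25 left at zero, low 23 bits taken from the IP
    mac48 = (MCAST_OUI << 24) | (int(ip) & LOW23_MASK)
    digits = f"{mac48:012x}"
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def groups_sharing_mac(group):
    """All 32 groups that share one MAC: the five IP bits between the
    1110 prefix and the low 23 bits are not carried into the MAC."""
    low23 = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23))
            for k in range(32)]


def classify(group):
    """Name the address range a group falls in, per the list above."""
    ip = ipaddress.IPv4Address(group)
    for name, ranges in GROUP_RANGES:
        for low, high in ranges:
            if ipaddress.IPv4Address(low) <= ip <= ipaddress.IPv4Address(high):
                return name
    return "not multicast"          # every 224/4 address is covered by a range above
```

When picking administratively scoped groups for a site, choose addresses that do not share their low 23 bits with groups already in use, so that MAC-based filtering on switches stays meaningful.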
Multicast Routing Protocols
DVMRP
Multicast OSPF
Core Based Tree
PIM
RPF (Reverse Path Forwarding)
It is performed on every multicast packet, to determine whether the multicast is flowing from the root to the leaves or
not.
Distribution Tree
The multicast routing path is called the distribution tree.
Types
Source Tree
Shared Tree
Source Tree
In it they take the shortest path from source to destination. It is used in PIM;
the path is pre-calculated because of dense mode.
Shared Tree
In it they use a common set of links. The first packet passes through the RP; after receiving the packet, the
shortest path is selected.
PIM (Protocol Independent Multicast)
Modes
Dense Mode
Sparse Mode
Sparse Dense Mode
Dense Mode
It assumes that a multicast recipient is in every subnet.
In it the stream is flooded to each router; if there is no receiver, they send a prune message to stop the
unwanted flooding.
Sparse Mode
The multicast tree is not built until someone makes a request.
Sparse Dense Mode
It works with a different approach: if there is an RP for a group, sparse mode works; otherwise dense
mode works.
PIM Versions
Version 1
Version 2
Version 1
It provides an auto or manual RP process.
RP announce at 224.0.1.39
RP discovery at 224.0.1.40
We must define the candidate on each router.
Version 2
It uses BSR (Bootstrap Router).
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.101.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.30 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
Server1
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
interface gig 0/0
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface gig 0/1
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
ASA1# ping 192.168.101.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/80 ms
ASA1# ping 192.168.101.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/60 ms
ASA1# ping 192.168.101.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/50 ms
ASA1# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/32/80 ms
! Enabling Multicasting & Forwarding IGMP Query
ASA1(config)# multicast-routing
ASA1(config)# int gig 0/0
ASA1(config-if)# igmp forward interface outside
! Verification of Multicast Routes
ASA1# sh mroute
No mroute entries found.
! Join Multicast Group on Clients
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#ip igmp join-group 239.1.1.1
PC2(config)#interface fastEthernet 0/0
PC2(config-if)# ip igmp join-group 239.1.1.2
PC3(config)#interface fastEthernet 0/0
PC3(config-if)# ip igmp join-group 239.1.1.3
! Verification of Multicast Routes
ASA1# sh mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
C - Connected, L - Local, I - Received Source Specific Host Report,
P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State
(*, 239.1.1.1), 00:01:02/never, RP 0.0.0.0, flags: DC
Incoming interface: Null
RPF nbr: 0.0.0.0
Outgoing interface list:
inside, Forward, 00:01:02/never
(*, 239.1.1.2), 00:00:32/never, RP 0.0.0.0, flags: DC
Incoming interface: Null
RPF nbr: 0.0.0.0
Outgoing interface list:
inside, Forward, 00:00:32/never
(*, 239.1.1.3), 00:00:26/never, RP 0.0.0.0, flags: DC
Incoming interface: Null
RPF nbr: 0.0.0.0
Outgoing interface list:
inside, Forward, 00:00:26/never
! Multicast hosts can access the multicast stream because it is UDP or TCP
! This ACL is only needed when the server is generating an ICMP stream
ASA1(config)# access-list out permit icmp any 239.1.1.0 255.255.255.0
ASA1(config)# access-group out in interface outside
PC1#debug ip icmp
ICMP packet debugging is on
PC2#debug ip icmp
ICMP packet debugging is on
PC3#debug ip icmp
ICMP packet debugging is on
Server1#debug ip icmp
ICMP packet debugging is on
Server1#ping 239.1.1.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
*Mar 1 00:10:19.647: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 0 from 192.168.101.10, 60 ms
*Mar 1 00:10:21.659: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 1 from 192.168.101.10, 72 ms
*Mar 1 00:10:23.679: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 2 from 192.168.101.10, 92 ms
*Mar 1 00:10:25.667: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 3 from 192.168.101.10, 80 ms
*Mar 1 00:10:27.659: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 4 from 192.168.101.10, 72 ms
Server1#
Server1#ping 239.1.1.2 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.2, timeout is 2 seconds:
*Mar 1 00:10:37.391: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 0 from 192.168.101.20, 60 ms
*Mar 1 00:10:39.415: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 1 from 192.168.101.20, 84 ms
*Mar 1 00:10:41.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 2 from 192.168.101.20, 56 ms
*Mar 1 00:10:43.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 3 from 192.168.101.20, 52 ms
*Mar 1 00:10:45.399: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 4 from 192.168.101.20, 68 ms
Server1#
Server1#ping 239.1.1.3 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.3, timeout is 2 seconds:
*Mar 1 00:10:53.259: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
Reply to request 0 from 192.168.101.30, 88 ms
*Mar 1 00:10:55.231: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
Reply to request 1 from 192.168.101.30, 64 ms
*Mar 1 00:10:57.235: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
Reply to request 2 from 192.168.101.30, 64 ms
*Mar 1 00:10:59.243: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
Reply to request 3 from 192.168.101.30, 72 ms
*Mar 1 00:11:01.227: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
Reply to request 4 from 192.168.101.30, 56 ms
PC1#debug ip icmp
ICMP packet debugging is on
PC1#
*Mar 1 00:09:49.379: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:20.795: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:22.807: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:24.823: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:26.823: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:28.803: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC2#debug ip icmp
ICMP packet debugging is on
PC2#
*Mar 1 00:10:39.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:41.863: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:43.871: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:45.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:47.859: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC3#debug ip icmp
ICMP packet debugging is on
PC3#
*Mar 1 00:08:39.027: %SYS-5-CONFIG_I: Configured from console by console
PC3#
*Mar 1 00:10:54.587: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:10:56.571: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:10:58.571: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:11:00.595: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:11:02.579: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
Chapter 11
Access-list & Object Group
After reading this chapter you will be able to describe:
Access-list
Object Group
Object Group Types
Access-list
A list of conditions used to categorize packets.
Types:
Standard Access-list
Extended Access-list
Name-Based Access-list
Time-Based Access-list
Standard Access-list
It is used to allow or deny an entire IP packet. Mostly used for route filtering.
(range 1-99, 100-1999)
Extended Access-list
It is used to allow or deny Layer 3, Layer 4 & upper-layer protocols. Mostly used for traffic filtering.
(range 100-199, 2000-2699)
Name-Based Access-list
In this access-list we can give a name to the access-list instead of a number.
It can be standard or extended.
Time-Based Access-list
It is time oriented; in it we can give a time such as weekdays, weekend, etc.
Object Group
A feature of Cisco ASA that simplifies access-list management.
Types
1. Network Object Group
2. Protocol Object Group
3. Service Object Group
4. ICMP Object Group
Network Object Group
In it we can define a network, subnet, range, or single IP address.
Protocol Object Group
In it we can define protocols like TCP, UDP, etc.
Service Object Group
In it we can define services related to TCP & UDP.
ICMP Object Group
In it we can define only ICMP messages.
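One consequence of object groups that matters when reviewing an ASA policy is that a single object-group ACE is expanded into one element per member combination, which is what the firewall actually evaluates and what 'show access-list' counts. As an added example (not from the book), the Python below builds a network group for the three TSS hosts and one for the WEB subnet of the lab that follows, a service group for HTTP and HTTPS, expands one permit line into its element ACEs, and evaluates packets against them with the implicit deny at the end. The group names and the function names are the example's own.

```python
import ipaddress
from itertools import product


class ObjectGroups:
    """Hypothetical store for ASA-style network and service object groups."""

    def __init__(self):
        self.network = {}    # group name -> [IPv4Network]
        self.service = {}    # group name -> [(proto, port)]

    def network_group(self, name, *members):
        """Members in ASA syntax: 'host A.B.C.D' or 'NETWORK MASK'."""
        nets = []
        for member in members:
            parts = member.split()
            if parts[0] == "host":
                spec = parts[1] + "/32"
            else:
                spec = f"{parts[0]}/{parts[1]}"      # ip_network accepts a dotted mask
            nets.append(ipaddress.ip_network(spec))
        self.network[name] = nets

    def service_group(self, name, proto, *ports):
        """Equivalent of 'object-group service NAME tcp' with 'port-object eq' lines."""
        self.service[name] = [(proto, int(p)) for p in ports]


def expand_ace(og, action, src_group, dst_group, svc_group):
    """One object-group ACE -> the element ACEs the ASA evaluates, in order."""
    combos = product(og.network[src_group], og.network[dst_group], og.service[svc_group])
    return [(action, proto, src, dst, port) for src, dst, (proto, port) in combos]


def first_match(aces, proto, src, dst, dport):
    """Top-down evaluation of expanded ACEs; no match means the implicit deny."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in aces:
        if p == proto and src_a in s and dst_a in d and port == dport:
            return action
    return "deny"


def build_lab():
    """Constructed groups using the lab's TSS and WEB addresses."""
    og = ObjectGroups()
    og.network_group("TSS", "host 192.168.10.10", "host 192.168.10.20", "host 192.168.10.30")
    og.network_group("WEB", "192.168.20.0 255.255.255.0")
    og.service_group("HTTP-HTTPS", "tcp", 80, 443)
    # one configured line: access-list ... permit tcp object-group TSS object-group WEB object-group HTTP-HTTPS
    return expand_ace(og, "permit", "TSS", "WEB", "HTTP-HTTPS")
```

Three source hosts, one destination subnet and two ports give six elements from one line; adding a fourth TSS host or a third port grows that multiplicatively, so large groups on both sides of an ACE should be checked against the platform's ACE limits.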
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
passive-interface fastEthernet 0/1
TSS1
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
TSS2
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
TSS3
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
WEB1
interface f0/0
no shutdown
ip add 192.168.20.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
WEB2
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
WEB3
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ISP
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
ASA1
interface GigabitEthernet 0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet 0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet 0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet 0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
network 192.168.1.0 255.255.255.0
redistribute static metric 1 1 1 1 1
!
ASA1# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
ASA1# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/50 ms
ASA1# ping 192.168.10.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
ASA1# ping 192.168.10.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/36/90 ms
ASA1# ping 192.168.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/50 ms
ASA1# ping 192.168.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/50 ms
ASA1# ping 192.168.20.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/50 ms
ASA1# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/40/110 ms
! Network Object
ASA1
object network inside
subnet 192.168.1.0 255.255.255.0
object network inside-lan
subnet 192.168.101.0 255.255.255.0
object network TSS1
host 192.168.10.10
object network TSS2
host 192.168.10.20
object network TSS3
host 192.168.10.30
object network WEB1
host 192.168.20.10
object network WEB2
host 192.168.20.20
object network WEB3
host 192.168.20.30
object network PUB-TSS1
host 101.1.1.101
object network PUB-TSS2
host 101.1.1.102
object network PUB-TSS3
host 101.1.1.103
object network PUB-WEB1
host 101.1.1.104
object network PUB-WEB2
host 101.1.1.105
object network PUB-WEB3
host 101.1.1.106
nat (dmz1,outside) source static TSS1 PUB-TSS1
nat (dmz1,outside) source static TSS2 PUB-TSS2
nat (dmz1,outside) source static TSS3 PUB-TSS3
nat (dmz2,outside) source static WEB1 PUB-WEB1
nat (dmz2,outside) source static WEB2 PUB-WEB2
nat (dmz2,outside) source static WEB3 PUB-WEB3
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source dynamic inside-lan interface
ASA1(config)# object-group ?
configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network Specifies a group of host or subnet IP addresses
protocol Specifies a group of protocols, such as TCP, etc
service Specifies a group of TCP/UDP ports/services
user Specifies single user, local or import user group
object-group network ALL-TSS-SERVERS
network-object host 192.168.10.10
network-object host 192.168.10.20
network-object host 192.168.10.30
object-group network ALL-WEB-SERVERS
network-object host 192.168.20.10
network-object host 192.168.20.20
network-object host 192.168.20.30
! Service Object
object-group service TELNET tcp
port-object eq telnet
object-group service SSH tcp
port-object eq ssh
object-group service HTTP tcp
port-object eq www
object-group service HTTPS tcp
port-object eq https
! ICMP Object
object-group icmp-type MY-ICMP-OBJECT
icmp-object echo-reply
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group TELNET
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group SSH
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTP
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTPS
access-list out extended permit icmp any object inside object-group MY-ICMP-OBJECT
access-list out extended permit icmp any object inside-lan object-group MY-ICMP-OBJECT
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/84 ms
R1#ping 101.1.1.1 so
R1#ping 101.1.1.1 source f
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/80 ms
ASA1(config)# sh xlate
8 in use, 8 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz1:192.168.10.10 to outside:101.1.1.101
flags s idle 0:12:26 timeout 0:00:00
NAT from dmz1:192.168.10.20 to outside:101.1.1.102
flags s idle 0:12:20 timeout 0:00:00
NAT from dmz1:192.168.10.30 to outside:101.1.1.103
flags s idle 0:12:16 timeout 0:00:00
NAT from dmz2:192.168.20.10 to outside:101.1.1.104
flags s idle 0:11:56 timeout 0:00:00
NAT from dmz2:192.168.20.20 to outside:101.1.1.105
flags s idle 0:11:52 timeout 0:00:00
NAT from dmz2:192.168.20.30 to outside:101.1.1.106
flags s idle 0:11:43 timeout 0:00:00
ICMP PAT from inside:192.168.101.1/1 to outside:101.1.1.100/8269 flags ri idle 0:00:03 timeout 0:00:30
ICMP PAT from inside:192.168.1.1/0 to outside:101.1.1.100/10368 flags ri idle 0:00:06 timeout 0:00:30
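The xlate table above is the fastest way to see which DMZ hosts are reachable from outside, but on 8.3 and later the access-list is matched against the real address, not the mapped one. The following added example (not the book's code) parses a 'show xlate' excerpt in the 9.x format above and cross-checks every static entry against the real-address ACL from this lab; the sample table, the spare 192.168.20.99 entry and the final ACE written against a mapped address are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the 9.x 'show xlate' output above; the
# 192.168.20.99 entry is invented to show a static NAT that no ACE permits.
SHOW_XLATE = """\
4 in use, 8 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz1:192.168.10.10 to outside:101.1.1.101
    flags s idle 0:12:26 timeout 0:00:00
NAT from dmz2:192.168.20.10 to outside:101.1.1.104
    flags s idle 0:11:56 timeout 0:00:00
NAT from dmz2:192.168.20.99 to outside:101.1.1.199
    flags s idle 0:00:10 timeout 0:00:00
ICMP PAT from inside:192.168.101.1/1 to outside:101.1.1.100/8269 flags ri idle 0:00:03 timeout 0:00:30
"""

# Objects and ACEs transcribed from the lab; the last ACE is a constructed
# mistake, an 8.2-style entry written against the mapped (outside) address.
NETWORK_OBJECTS = {
    "inside": ["192.168.1.0/24"],
    "ALL-TSS-SERVERS": ["192.168.10.10", "192.168.10.20", "192.168.10.30"],
    "ALL-WEB-SERVERS": ["192.168.20.10", "192.168.20.20", "192.168.20.30"],
}
SERVICE_OBJECTS = {"TELNET": {23}, "SSH": {22}, "HTTP": {80}, "HTTPS": {443},
                   "MY-ICMP-OBJECT": {"echo-reply"}}
ACL_OUT = [
    "access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group TELNET",
    "access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group SSH",
    "access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTP",
    "access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTPS",
    "access-list out extended permit icmp any object inside object-group MY-ICMP-OBJECT",
    "access-list out extended permit tcp any host 101.1.1.104 eq 443",
]
XLATE_RE = re.compile(
    r"^(?:(?P<proto>\w+) )?(?P<kind>NAT|PAT) from (?P<rif>\w+):(?P<real>[\d.]+)(?:/\d+)?"
    r" to (?P<mif>\w+):(?P<mapped>[\d.]+)(?:/\d+)?(?: flags (?P<flags>\w+))?"
)

def parse_xlate(text):
    """One dict per entry; a wrapped 'flags ...' line belongs to the entry above it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = XLATE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif line.startswith("flags") and entries:
            entries[-1]["flags"] = line.split()[1]
    return entries

def is_static(x):
    return "s" in (x["flags"] or "")

def parse_ace(line):
    """Narrow parser for the 'permit PROTO any DST [SERVICE]' forms used in this lab."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "permit" and t[5] == "any", line
    proto, i = t[4], 6
    if t[i] in ("object", "object-group"):
        dst = [ipaddress.ip_network(n) for n in NETWORK_OBJECTS[t[i + 1]]]
    else:  # host A.B.C.D
        dst = [ipaddress.ip_network(t[i + 1])]
    i += 2
    services = {"any"}
    if i < len(t):
        services = SERVICE_OBJECTS[t[i + 1]] if t[i] == "object-group" else {int(t[i + 1])}
    return (proto, dst, services)

def permitted_services(real, acl):
    """Services the ACL lets outside hosts reach on the real (pre-translation) address."""
    addr = ipaddress.ip_address(real)
    allowed = {}
    for proto, dst, services in acl:
        if any(addr in net for net in dst):
            allowed.setdefault(proto, set()).update(services)
    return allowed

def exposure_report(xlate_text, acl_lines):
    """Map each static translation to what is actually reachable through the ACL."""
    acl = [parse_ace(l) for l in acl_lines]
    xlates = parse_xlate(xlate_text)
    report = {"exposed": {}, "unpermitted_static": [], "mapped_addr_aces": []}
    for x in xlates:
        if not is_static(x):  # dynamic PAT entries are outbound-only
            continue
        allowed = permitted_services(x["real"], acl)
        if allowed:
            report["exposed"][x["mapped"]] = (x["real"], allowed)
        else:
            report["unpermitted_static"].append(x["mapped"])
    # On 8.3+ the ACL sees the real address, so an ACE whose destination is a
    # mapped (outside) address can never match inbound traffic: a dead rule.
    mapped = [ipaddress.ip_address(x["mapped"]) for x in xlates]
    for line, (_, dst, _) in zip(acl_lines, acl):
        if any(m in net for m in mapped for net in dst):
            report["mapped_addr_aces"].append(line)
    return report
```

Run exposure_report(SHOW_XLATE, ACL_OUT): the two lab servers come back with exactly the telnet/ssh and http/https services the object-groups allow, the invented .99 static is reported as permitted by nothing, and the mapped-address ACE is flagged as unreachable.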
! config verification on client side
Chapter 12
NAT on OS 8.0
After reading this chapter you will be able to describe:
Static NAT
Dynamic NAT
PAT
Static PAT
NAT Bypass
Identity NAT
NAT Exemption
Policy NAT
NAT is a service that enables internal users to access the Internet.
Or, put another way:
Using NAT we map one IP address to another.
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. NAT Bypass
a. Identity NAT
b. NAT exemption
6. Policy NAT
In static NAT we create a one-to-one mapping of IP addresses.
It is bi-directional.
In dynamic NAT we map multiple IP addresses to a smaller pool of addresses.
In PAT we map multiple IP addresses to one.
Using PAT we can map about 65k IP addresses to a single IP.
It is uni-directional.
In static PAT we map a port of one IP address to a port of another IP address.
It is uni-directional.
Diagram: NAT Types: Static NAT, Dynamic NAT, PAT, Static PAT
When nat-control is enabled on OS 8.0, translation is mandatory. If you want traffic to avoid the NAT rules, you use NAT bypass.
1. Identity NAT
2. NAT Exemption
In identity NAT an IP address is translated to itself; it is used for applications that do not support NAT, such as GDOI.
NAT exemption is used for VPN traffic, to exclude it from the NAT rules in 8.0.
In policy NAT we can define a condition for translation.
It can be port based or IP based.
Diagram: NAT Bypass. Types of NAT Bypass: Identity NAT, NAT Exemption. Policy NAT.
Diagram:
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
ASA1
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
route inside 192.168.101.0 255.255.255.0 192.168.1.1 1
ASA1(config)# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/70 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/60 ms
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/20/20 ms
ASA1(config)#
! static nat
nat-control
static (inside,outside) interface 192.168.1.1
static (inside,outside) 101.1.1.101 192.168.101.1
static (inside,outside) 101.1.1.102 192.168.101.100
ASA1(config)# sh xlate
3 in use, 3 most used
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
Global 101.1.1.102 Local 192.168.101.100
! ACL opened for ICMP; TCP & UDP are opened the same way
access-list out permit icmp any interface outside
access-list out permit icmp any host 101.1.1.101
access-list out permit icmp any host 101.1.1.102
access-group out in interface outside
! in OS 8.0 the access-list is opened for the translated (NATed) IP
ISP#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/29/60 ms
R1#ping 101.1.1.1 so
R1#ping 101.1.1.1 source f0
R1#ping 101.1.1.1 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/34/64 ms
ISP#
*Mar 1 00:17:01.699: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.751: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.795: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.815: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.835: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:17:06.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Mar 1 00:17:08.903: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:08.971: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:08.987: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:09.007: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Mar 1 00:17:35.855: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:17:40.675: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:17:41.667: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:17:42.679: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
! static nat is bi-directional
! private will map with public
! public will map with private
ASA1(config)# sh xlate
3 in use, 4 most used
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
Global 101.1.1.102 Local 192.168.101.100
! static NAT is bi-directional
! to verify this, open the ACL
ASA1
access-list out permit tcp any host 101.1.1.102
access-group out in interface outside
PC1 #
PC2 can access FTP server using Public IP Address
ASA1
clear configure nat
clear configure access-list
clear configure static
! dynamic nat
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 101.1.1.101-101.1.1.106
! ACL opened for ICMP; TCP & UDP are opened the same way
access-list out permit icmp any host 101.1.1.101
access-list out permit icmp any host 101.1.1.102
access-list out permit icmp any host 101.1.1.103
access-list out permit icmp any host 101.1.1.104
access-list out permit icmp any host 101.1.1.105
access-list out permit icmp any host 101.1.1.106
access-group out in interface outside
! in dynamic NAT many IP addresses map to a few
! this pool has 6 IP addresses
! so 6 hosts can access the Internet
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/76 ms
R1#ping 101.1.1.1 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/28/52 ms
Server1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/40/68 ms
Server1#
Server2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/40/68 ms
Server2#
ASA1(config)# sh xlate
6 in use, 6 most used
Global 101.1.1.105 Local 192.168.20.100
Global 101.1.1.104 Local 192.168.10.100
Global 101.1.1.103 Local 192.168.101.1
Global 101.1.1.106 Local 192.168.101.100
Global 101.1.1.102 Local 192.168.1.1
ISP#
*Mar 1 00:36:20.015: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:36:20.079: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:36:20.139: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:36:20.163: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:36:20.183: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:36:21.955: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Mar 1 00:36:23.935: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
*Mar 1 00:36:24.027: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
*Mar 1 00:36:24.043: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
*Mar 1 00:36:24.055: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Mar 1 00:36:39.003: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
ISP#
*Mar 1 00:36:41.011: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Mar 1 00:36:41.111: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Mar 1 00:36:41.127: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Mar 1 00:36:41.155: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
ISP#
*Mar 1 00:36:44.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
ISP#
*Mar 1 00:36:46.723: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Mar 1 00:36:46.799: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Mar 1 00:36:46.823: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Mar 1 00:36:46.839: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
ISP#
*Mar 1 00:37:36.527: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
ISP#
*Mar 1 00:37:41.195: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
*Mar 1 00:37:42.187: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
ISP#
*Mar 1 00:37:43.199: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
ISP#
*Mar 1 00:37:55.927: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
*Mar 1 00:37:56.919: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
ISP#
*Mar 1 00:37:57.927: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
*Mar 1 00:37:58.923: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.106
! PAT
ASA1
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 interface
! ACL opened for ICMP; TCP & UDP are opened the same way
access-list out permit icmp any interface outside
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/74/200 ms
R1#ping 101.1.1.1 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/56 ms
Server1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/96 ms
Server1#
Server2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/84 ms
Server2#
ASA1(config)# sh xlate
3 in use, 7 most used
PAT Global 101.1.1.100(1) Local 192.168.102.100(138)
PAT Global 101.1.1.100(5) Local 192.168.101.100 ICMP id 1
ISP#
*Mar 1 00:42:11.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.839: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.867: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.887: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R1#telnet 192.168.10.100
Trying 192.168.10.100 ...
% Connection refused by remote host
R1#telnet 192.168.20.100
Trying 192.168.20.100 ...
% Connection refused by remote host
! you cannot reach dmz1 or dmz2 from inside because of nat-control
! here we will use NAT bypass
! 1 identity NAT
! 2 NAT exemption
Identity NAT
static (inside,dmz1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz1) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
Nat Exemption
access-list nat-exemption permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nat-exemption permit ip 192.168.101.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nat-exemption
R1#telnet 192.168.10.100
Trying 192.168.10.100 ... Open
User Access Verification
Username: shiva
Password:
Server1#
Server1#ex
Server1#exit
[Connection to 192.168.10.100 closed by foreign host]
R1#telnet 192.168.20.100
Trying 192.168.20.100 ... Open
Password required, but none set
[Connection to 192.168.20.100 closed by foreign host]
clear configure nat
clear configure global
clear configure access-list
clear configure static
ASA1 Policy NAT Based on Port
access-list icmp-traffic permit icmp any any
access-list ssh-traffic permit tcp any any eq 22
access-list telnet-traffic permit tcp any any eq 23
access-list http-traffic permit tcp any any eq 80
access-list https-traffic permit tcp any any eq 443
nat (inside) 111 access-list icmp-traffic
nat (inside) 22 access-list ssh-traffic
nat (inside) 23 access-list telnet-traffic
nat (inside) 80 access-list http-traffic
nat (inside) 81 access-list https-traffic
nat (inside) 1 0 0
global (outside) 111 101.1.1.111
global (outside) 22 101.1.1.22
global (outside) 23 101.1.1.23
global (outside) 80 101.1.1.80
global (outside) 81 101.1.1.81
global (outside) 1 interface
sh hist
access-list out permit icmp any host 101.1.1.111
access-group out in interface outside
ISP
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
R1#telnet 101.1.1.1
Trying 101.1.1.1 ... Open
User Access Verification
Username: shiva
Password:
ISP#
ASA1(config)# sh xlate
2 in use, 8 most used
PAT Global 101.1.1.23(1024) Local 192.168.1.1(11440)
R1#ssh -l shiva 101.1.1.1
Password:
ISP#
ASA1(config)# sh xlate
1 in use, 8 most used
PAT Global 101.1.1.22(1024) Local 192.168.1.1(15918)
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/44/64 ms
R1#
ASA1(config)# sh xlate
2 in use, 8 most used
PAT Global 101.1.1.111(1) Local 192.168.1.1 ICMP id 8
Note:
In OS 8.0, 8.1 and 8.2 the access-list must be opened for the translated (NATed) IP address or service.
Please use the same topology and configuration for the CTP lab. Thanks.
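The labs in this chapter all turn on the same pre-8.3 decision: which NAT rule (if any) claims a flow, and what nat-control does when none does. The following is an added example, not the book's configuration: a small Python model of that decision, with the rule families (NAT exemption, static/identity NAT, policy NAT, regular dynamic NAT, then nat-control) evaluated in the order the ASA 8.0 documentation gives, built from this chapter's own rules. The class and helper names (Asa80Nat, Flow, lab_*) are mine, and the pool handling is simplified (no PAT fallback, no idle timeouts).

```python
import ipaddress
from dataclasses import dataclass, field

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def _in(ip, net):
    return ipaddress.ip_address(ip) in _net(net)

@dataclass
class Flow:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

@dataclass
class Asa80Nat:
    """Pre-8.3 NAT rule base; each field mirrors one command family used above."""
    nat_control: bool = True
    exempt: list = field(default_factory=list)   # nat (IF) 0 access-list: [(in_if, [(src, dst)])]
    static: list = field(default_factory=list)   # static (IN,OUT) MAPPED REAL: [(in_if, out_if, mapped, real)]
    policy: list = field(default_factory=list)   # nat (IF) ID access-list: [(in_if, id, [(proto, dport)])]
    dynamic: list = field(default_factory=list)  # nat (IF) ID SRC: [(in_if, id, src_net)]
    pools: dict = field(default_factory=dict)    # global (OUT) ID ...: {(out_if, id): [addresses]}
    xlate: dict = field(default_factory=dict)    # (real_src, id) -> mapped, for dynamic pools

    def translate(self, f):
        """Return (rule_kind, mapped_source); ('drop', None) when nat-control refuses the flow."""
        # 1. NAT exemption wins over everything and leaves the source untouched.
        for in_if, pairs in self.exempt:
            if in_if == f.src_if and any(_in(f.src, s) and _in(f.dst, d) for s, d in pairs):
                return ("exempt", f.src)
        # 2. Static NAT: one-to-one, host offset preserved; identity when mapped == real.
        for in_if, out_if, mapped, real in self.static:
            if (in_if, out_if) == (f.src_if, f.dst_if) and _in(f.src, real):
                off = int(ipaddress.ip_address(f.src)) - int(_net(real).network_address)
                return ("static", str(_net(mapped).network_address + off))
        # 3. Policy NAT: the access-list selects the pool by protocol/port.
        for in_if, nat_id, matches in self.policy:
            if in_if == f.src_if and (f.proto, f.dport) in matches:
                return self._from_pool(f, nat_id)
        # 4. Regular dynamic NAT / PAT.
        for in_if, nat_id, src_net in self.dynamic:
            if in_if == f.src_if and _in(f.src, src_net):
                return self._from_pool(f, nat_id)
        # 5. Nothing matched: with nat-control the flow is dropped.
        return ("drop", None) if self.nat_control else ("untranslated", f.src)

    def _from_pool(self, f, nat_id):
        pool = self.pools.get((f.dst_if, nat_id))
        if not pool:                   # no global for this id on the egress interface
            return ("drop", None)
        if len(pool) == 1:             # single address: PAT, ~64k ports shared
            return ("pat", pool[0])
        key = (f.src, nat_id)
        if key not in self.xlate:      # dynamic NAT: one pool address per real host
            used = {m for (_, i), m in self.xlate.items() if i == nat_id}
            free = [a for a in pool if a not in used]
            if not free:
                return ("drop", None)  # pool exhausted, no PAT fallback configured
            self.xlate[key] = free[0]
        return ("dynamic", self.xlate[key])

def lab_dynamic_pool():
    """nat (inside|dmz1|dmz2) 1 0 0 with global (outside) 1 101.1.1.101-101.1.1.106."""
    a = Asa80Nat()
    a.dynamic = [(i, 1, "0.0.0.0/0") for i in ("inside", "dmz1", "dmz2")]
    a.pools = {("outside", 1): ["101.1.1.%d" % n for n in range(101, 107)]}
    return a

def lab_bypass():
    """Identity NAT towards dmz1 and NAT exemption towards dmz2, as in the chapter."""
    a = lab_dynamic_pool()
    a.static = [("inside", "dmz1", "192.168.1.0/24", "192.168.1.0/24"),
                ("inside", "dmz1", "192.168.101.0/24", "192.168.101.0/24")]
    a.exempt = [("inside", [("192.168.1.0/24", "192.168.20.0/24"),
                            ("192.168.101.0/24", "192.168.20.0/24")])]
    return a

def lab_policy_nat():
    """'Policy NAT Based on Port': one global address per service, interface PAT otherwise."""
    a = Asa80Nat()
    a.policy = [("inside", 111, [("icmp", 0)]), ("inside", 22, [("tcp", 22)]),
                ("inside", 23, [("tcp", 23)]), ("inside", 80, [("tcp", 80)]),
                ("inside", 81, [("tcp", 443)])]
    a.dynamic = [("inside", 1, "0.0.0.0/0")]
    a.pools = {("outside", n): ["101.1.1.%d" % n] for n in (111, 22, 23, 80, 81)}
    a.pools[("outside", 1)] = ["101.1.1.100"]   # global (outside) 1 interface
    return a
```

With lab_dynamic_pool() a telnet from 192.168.1.1 to Server1 on dmz1 is dropped (the nat rule matches, but there is no global for id 1 on dmz1), with lab_bypass() the same flow leaves as an identity static and inside-to-dmz2 traffic as an exemption, and lab_policy_nat() hands ssh, telnet and icmp the .22, .23 and .111 addresses seen in the xlate output above; a seventh host behind the six-address dynamic pool is refused.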
Chapter 13
NAT on OS 9.2.2.4
After reading this chapter you will be able to describe:
Static NAT
Dynamic NAT
PAT
Static PAT
Identity NAT
Twice NAT
NAT is a service that enables internal users to access the Internet.
Or, put another way:
Using NAT we map one IP address to another.
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. Identity NAT
6. Twice NAT
In static NAT we create a one-to-one mapping of IP addresses.
It is bi-directional.
In dynamic NAT we map multiple IP addresses to a smaller pool of addresses.
In PAT we map multiple IP addresses to one.
Using PAT we can map about 65k IP addresses to a single IP.
It is uni-directional.
Diagram: NAT Types: Static NAT, Dynamic NAT, PAT, Static PAT, Identity NAT, Twice NAT
In static PAT we map a port of one IP address to a port of another IP address.
It is uni-directional.
In identity NAT an IP address is translated to itself; it is used for applications that do not support NAT, such as GDOI, or for VPN traffic in OS version 8.4 and later.
In twice NAT we can define the condition for translation on both source and destination:
If the source is A and the destination is B, translate into X.
If the source is A and the destination is C, translate into Y.
Diagram:-
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdownip add 192.168.102.1 255.255.255.0
no shutdown
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-serverip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
ASA1(config-if)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.10.1 YES manual up up
GigabitEthernet0/2 101.1.1.100 YES manual up up
GigabitEthernet0/3 192.168.20.1 YES manual up up
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset down down
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset administratively down down
ASA1(config-if)# sh nameif
Interface Name Security
GigabitEthernet0/0 inside 100
GigabitEthernet0/1 dmz1 60
GigabitEthernet0/2 outside 0
GigabitEthernet0/3 dmz2 50
ASA1(config)# sh running-config route
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
route inside 192.168.101.0 255.255.255.0 192.168.1.1 1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ! Object definition
object network r1
host 192.168.1.1
object network r1-lan
host 192.168.101.1
object network pc1
host 192.168.101.100
object network server1
host 192.168.10.100
object network server2
host 192.168.20.100
object network ip1
host 101.1.1.101
object network ip2
host 101.1.1.102
object network ip3
host 101.1.1.103
object network ip4
host 101.1.1.104
object network ip5
host 101.1.1.105
! Static nat
object network r1
nat (inside,outside) static ip1
object network r1-lan
nat (inside,outside) static ip2
object network pc1
nat (inside,outside) static ip3
object network server1
nat (dmz1,outside) static ip4
object network server2
nat (dmz2,outside) static ip5
! The ASA tracks TCP and UDP connections statefully, so their return traffic is
! allowed back automatically. ICMP is not tracked unless "inspect icmp" is enabled,
! so the echo replies must be permitted inbound on the outside ACL. Note that this
! also lets outside hosts initiate ICMP to these objects, and that 8.3+ ACLs match
! the real (untranslated) addresses, hence "object r1" and not the mapped ip1.
access-list out permit icmp any object r1
access-list out permit icmp any object r1-lan
access-list out permit icmp any object pc1
access-list out permit icmp any object server1
access-list out permit icmp any object server2
access-group out in interface outside
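An alternative to opening the outside ACL for ICMP, added here as an example and not part of the book's lab: enabling ICMP inspection in the default global policy makes the ASA track echo request/reply pairs the same way it tracks TCP and UDP sessions, so the replies to pings from inside or the DMZs come back without any inbound ICMP permit. The outside ACL can then be limited to the services outside hosts are meant to reach (Server1's SSH and Server2's HTTPS from the initial config). The policy-map and class names are the ASA 9.x defaults; the objects are the ones defined above.

```cisco
! Enable stateful ICMP inspection in the default global policy (ASA 9.x)
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! With ICMP inspected, echo replies are matched to the connection that sent the
! echo request, so the "permit icmp" lines are no longer needed and are removed.
no access-list out permit icmp any object r1
no access-list out permit icmp any object r1-lan
no access-list out permit icmp any object pc1
no access-list out permit icmp any object server1
no access-list out permit icmp any object server2
!
! Only the services exposed on purpose stay open (real addresses, real ports)
access-list out permit tcp any object server1 eq 22
access-list out permit tcp any object server2 eq 443
access-group out in interface outside
!
! Verification: inspection counters and the ICMP connections being tracked
show service-policy inspect icmp
show conn protocol icmp
```

After this change an outside host pinging 101.1.1.104 is dropped by the outside ACL, while Server1 pinging 101.1.1.1 still succeeds, because only the ASA-initiated direction is allowed to create the ICMP connection.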
ISP#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Server1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Server2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
ASA1# sh xlate
5 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.1 to outside:101.1.1.101
flags s idle 0:01:30 timeout 0:00:00
NAT from dmz1:192.168.10.100 to outside:101.1.1.104
flags s idle 0:01:21 timeout 0:00:00
NAT from dmz2:192.168.20.100 to outside:101.1.1.105
flags s idle 0:01:12 timeout 0:00:00
NAT from inside:192.168.101.1 to outside:101.1.1.102
flags s idle 0:01:27 timeout 0:00:00
NAT from inside:192.168.101.100 to outside:101.1.1.103
flags s idle 0:00:22 timeout 0:00:00
ISP#
*Sep 29 04:36:56.823: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:36:56.827: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:36:56.827: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:36:56.831: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:36:56.831: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Sep 29 04:36:58.387: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:36:58.387: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:36:58.387: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:36:58.391: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:36:58.391: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Sep 29 04:37:00.679: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Sep 29 04:37:00.683: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Sep 29 04:37:00.683: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Sep 29 04:37:00.683: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
*Sep 29 04:37:00.687: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.104
ISP#
*Sep 29 04:37:03.991: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Sep 29 04:37:03.995: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Sep 29 04:37:03.995: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Sep 29 04:37:03.999: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
*Sep 29 04:37:03.999: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.105
ISP#
*Sep 29 04:37:07.595: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
*Sep 29 04:37:08.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:37:09.599: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:37:10.603: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
Static NAT is bi-directional: once the outside ACL permits TCP to the real addresses, outside hosts can initiate connections to the mapped addresses and the ASA forwards them to the real hosts.
ASA1(config)#
access-list out permit tcp any object pc1
access-list out permit tcp any object server1
access-list out permit tcp any object server2
access-group out in interface outside
ASA1(config)# sh xlate
5 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.1 to outside:101.1.1.101
flags s idle 0:02:46 timeout 0:00:00
NAT from dmz1:192.168.10.100 to outside:101.1.1.104
flags s idle 0:02:42 timeout 0:00:00
NAT from dmz2:192.168.20.100 to outside:101.1.1.105
flags s idle 0:02:39 timeout 0:00:00
NAT from inside:192.168.101.1 to outside:101.1.1.102
flags s idle 0:02:44 timeout 0:00:00
NAT from inside:192.168.101.100 to outside:101.1.1.103
flags s idle 0:02:32 timeout 0:00:00
Client Side Verification
ASA1(config)# ! Dynamic
object network all_network
subnet 192.168.0.0 255.255.0.0
object network dpool
range 101.1.1.101 101.1.1.104
object network all_network
nat (inside,outside) dynamic dpool
! TCP and UDP return traffic is tracked statefully; ICMP is not (no "inspect icmp"),
! so the echo replies must be permitted inbound on the outside ACL
access-list out permit icmp any object all_network
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1# sh xlate
4 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.101.1 to outside:101.1.1.102 flags i idle 0:00:37 timeout 3:00:00
NAT from inside:192.168.101.100 to outside:101.1.1.103 flags i idle 0:00:23 timeout 3:00:00
NAT from inside:192.168.1.1 to outside:101.1.1.101 flags i idle 0:00:39 timeout 3:00:00
ISP#
*Sep 29 04:56:12.735: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.743: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.743: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Sep 29 04:56:15.335: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.335: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.339: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.339: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.343: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Sep 29 04:56:26.475: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:56:27.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:56:28.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:56:29.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ASA1(config)# ! PAT
object network inside
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic interface
! TCP and UDP return traffic is tracked statefully; ICMP is not (no "inspect icmp"),
! so the echo replies must be permitted inbound on the outside ACL
access-list out permit icmp any object inside
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1(config)# sh xlate
1 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.101.100/1 to outside:101.1.1.100/1 flags ri idle 0:00:27 timeout 0:00:30
ISP#
*Sep 29 04:59:48.699: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.703: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.703: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 04:59:51.259: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.263: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.263: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.267: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.267: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 04:59:58.595: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:59.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:00.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:01.599: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:31.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 05:00:32.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:33.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:34.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ASA1(config)# ! static pat: outside clients connect to 101.1.1.100:21 and reach 192.168.101.100:21
object network pc1
host 192.168.101.100
nat (inside,outside) static interface service tcp 21 21
! open acl (8.3+ ACLs match the real address and the real port)
access-list out permit tcp any object pc1 eq 21
access-group out in interface outside

! static pat with a different mapped port: outside clients connect to 101.1.1.100:2121
! and reach 192.168.101.100:21 (syntax is "service tcp <real-port> <mapped-port>")
object network pc1
host 192.168.101.100
nat (inside,outside) static interface service tcp 21 2121
! open acl (still the real port 21, not the mapped port 2121)
access-list out permit tcp any object pc1 eq 21
access-group out in interface outside
ASA1(config)# ! twice nat based on ports
object service telnet
service tcp destination eq 23
object service ssh
service tcp destination eq 22
object service http
service tcp destination eq 80
object service https
service tcp destination eq 443
object service ftp
service tcp destination eq 21
exit
object network ip_23
host 101.1.1.23
object network ip_22
host 101.1.1.22
object network ip_80
host 101.1.1.80
object network ip_81
host 101.1.1.81
object network ip_21
host 101.1.1.21
ASA1(config)# sh running-config nat
nat (inside,outside) source dynamic any ip_23 service telnet telnet
nat (inside,outside) source dynamic any ip_22 service ssh ssh
nat (inside,outside) source dynamic any ip_21 service ftp ftp
ASA1(config)# sh xlate
7 in use, 9 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23
flags srIT idle 0:01:23 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 22-22 to inside:0.0.0.0/0 22-22
flags srIT idle 0:00:22 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 21-21 to inside:0.0.0.0/0 21-21
flags srIT idle 0:08:51 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 80-80 to inside:0.0.0.0/0 80-80
flags srIT idle 0:00:04 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 443-443 to inside:0.0.0.0/0 443-443
flags srIT idle 0:00:03 timeout 0:00:00
TCP PAT from inside:192.168.101.100/49248 to outside:101.1.1.81/49248 flags ri idle 0:00:03 timeout 0:00:30
ASA1(config)# ! twice nat using ip
object network inside
subnet 192.168.0.0 255.255.0.0
object network internet
subnet 101.1.1.0 255.255.255.0
object network internet-lan
subnet 192.168.102.0 255.255.255.0
object network ip1
host 101.1.1.111
object network ip2
host 101.1.1.222
exit
nat (inside,outside) source dynamic inside ip1 destination static internet internet
nat (inside,outside) source dynamic inside ip2 destination static internet-lan internet-lan
access-list out permit icmp any object inside
access-group out in interface outside
ISP#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
ISP#debug ip icmp
ICMP packet debugging is on
ISP#
*Sep 29 07:49:50.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
ISP#
*Sep 29 07:49:52.783: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.783: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.787: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.787: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.787: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
ISP#
ASA1(config)# ! identity nat
object network inside
subnet 192.168.0.0 255.255.0.0
object network s2s-traffic
subnet 192.168.102.0 255.255.255.0
exit
nat (inside,outside) source static inside inside destination static s2s-traffic s2s-traffic
nat (inside,outside) source dynamic any interface
access-list out permit icmp any object inside
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
R1#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.102.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.....
Success rate is 0 percent (0/5)
ISP#
*Sep 29 07:56:41.783: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:41.783: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:41.787: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:41.787: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:41.791: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 07:56:47.303: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:47.303: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:47.307: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:47.307: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 07:56:47.311: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 07:56:54.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:56:56.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:56:58.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:57:00.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:57:02.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:57:14.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:16.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:18.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:20.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:22.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
The ISP debug shows the replies addressed to the real inside addresses (192.168.1.1 and 192.168.101.1) rather than to 101.1.1.100, which confirms that the identity NAT rule kept the source untranslated for traffic to 192.168.102.0/24 while everything else still took the interface PAT. The pings to 192.168.102.1 fail only because the ISP has no route back to 192.168.1.0/24 or 192.168.101.0/24 (its initial config carries no routes at all). In practice identity NAT is paired with a VPN tunnel that carries the return traffic, which is the use case described at the start of this chapter.
Chapter 14
After reading this chapter you will be able to describe:
AAA(Authentication Authorization Accounting)
AAA Products
Radius
Tacacs+
Cisco AAA products
ACS
ISE
CTP (Cut-Through-Proxy)
AAA (Authentication, Authorization & Accounting)
Authentication: validating a user's identity when he or she wants to access a network resource.
Authorization: what an authenticated user is allowed to do in the network.
Accounting: recording what the user has done.

CTP (Cut-Through-Proxy)
Cut-through proxy is an ASA feature that authenticates the user behind a TELNET, HTTP, HTTPS or FTP connection, inbound or outbound, before the connection is allowed through. Each authentication rule is bound to one interface, so a single rule covers either inbound or outbound connections, not both.

Working
1. The client initiates a request for a destination.
2. The ASA prompts for a username and password.
3. The client provides the username and password.
4. The ASA forwards the credentials to the AAA server.
5. The AAA server authenticates the credentials.
6. If the user is authenticated by the AAA server, the ASA adds the connection and forwards the request to the actual destination.
7. Otherwise the request is dropped.
AAA Protocols
1. RADIUS (Remote Authentication Dial-In User Service)
Developed by Livingston Enterprises; now an open (IETF) standard.
Uses UDP: ports 1645/1646 (legacy) or 1812/1813 (standard).
Encrypts (obfuscates) only the password attribute; the rest of the packet is cleartext.
First connection for authentication & authorization (1645 or 1812), second connection for accounting (1646 or 1813).
2. TACACS+ (Terminal Access Controller Access-Control System Plus)
TACACS was developed for the U.S. Department of Defense; TACACS+ was introduced by Cisco.
Uses TCP port 49.
Encrypts the entire packet body (only the header is cleartext).
Single connection for authentication, authorization and accounting, each handled as a separate exchange.

Cisco AAA Products
ACS (Access Control Server): versions 4.x and 5.x; 5.5 was the latest at the time of writing.
ISE (Identity Services Engine): versions 1.0 and 1.2.0; 1.2.1 was the latest at the time of writing.
Diagram:-
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa modulus 1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
ASA1
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
route inside 192.168.101.0 255.255.255.0 192.168.1.1 1
ASA1(config)# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/70 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/60 ms
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/20/20 ms
ASA1(config)#
BEFORE CTP THE LAB CONFIGURES POLICY NAT
(so that each protocol leaves with its own public address; this is a choice of the lab, not a requirement of CTP itself)
! Note: the "nat (ifc) <id> access-list" / "global (ifc) <id>" form below is the pre-8.3
! NAT syntax and is rejected on 9.x. The 9.x equivalent is the port-based twice NAT used
! in the previous chapter (service objects plus "nat (inside,outside) source dynamic ...
! service <svc> <svc>"), which maps each protocol to its own mapped address.
access-list icmp-traffic permit icmp any any
access-list ssh-traffic permit tcp any any eq 22
access-list telnet-traffic permit tcp any any eq 23
access-list http-traffic permit tcp any any eq 80
access-list https-traffic permit tcp any any eq 443
nat (inside) 111 access-list icmp-traffic
nat (inside) 22 access-list ssh-traffic
nat (inside) 23 access-list telnet-traffic
nat (inside) 80 access-list http-traffic
nat (inside) 81 access-list https-traffic
nat (inside) 1 0 0
global (outside) 111 101.1.1.111
global (outside) 22 101.1.1.22
global (outside) 23 101.1.1.23
global (outside) 80 101.1.1.80
global (outside) 81 101.1.1.81
global (outside) 1 interface
! pre-8.3 ACLs reference the mapped (global) address
access-list out permit icmp any host 101.1.1.111
access-group out in interface outside
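The same per-protocol policy NAT in 9.x syntax, followed by the cut-through proxy configuration that the seven "Working" steps earlier in this chapter describe. This is an added example, not the book's own configuration. The NAT part reuses the service-object form from the previous chapter and the mapped addresses listed above; only the TCP services are pinned to dedicated addresses, while ICMP and everything else fall through to a catch-all interface PAT, the same form the previous chapter uses. The AAA part assumes Cisco ACS speaking TACACS+ at 192.168.101.100 (the PC the next section installs ACS on) with the shared key cisco123, which is a placeholder to be replaced, and the object, ACL and server-group names are chosen here.

```cisco
! --- 9.x (8.3+) equivalent of the pre-8.3 policy NAT: one mapped IP per service ---
object service telnet
 service tcp destination eq 23
object service ssh
 service tcp destination eq 22
object service http
 service tcp destination eq 80
object service https
 service tcp destination eq 443
object network ip_23
 host 101.1.1.23
object network ip_22
 host 101.1.1.22
object network ip_80
 host 101.1.1.80
object network ip_81
 host 101.1.1.81
object network inside_net
 subnet 192.168.0.0 255.255.0.0
!
! Section 1 (manual) rules: match on destination port, translate to the matching address
nat (inside,outside) source dynamic inside_net ip_23 service telnet telnet
nat (inside,outside) source dynamic inside_net ip_22 service ssh ssh
nat (inside,outside) source dynamic inside_net ip_80 service http http
nat (inside,outside) source dynamic inside_net ip_81 service https https
! Section 3 catch-all: ICMP and everything else use the outside interface address
nat (inside,outside) after-auto source dynamic inside_net interface
!
! ICMP is not tracked statefully without "inspect icmp", so permit the replies inbound
! (8.3+ ACLs match the real addresses)
access-list out permit icmp any object inside_net
access-group out in interface outside
!
! --- Cut-through proxy ---
! Assumed: Cisco ACS reachable through the inside interface, TACACS+, placeholder key
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.101.100
 key cisco123
!
! Traffic that must be authenticated before it is forwarded (telnet, http, https, ftp)
access-list ctp-auth extended permit tcp any any eq 23
access-list ctp-auth extended permit tcp any any eq 80
access-list ctp-auth extended permit tcp any any eq 443
access-list ctp-auth extended permit tcp any any eq 21
!
! Bound to the inside interface: this rule covers outbound connections only.
! An inbound rule would be a second "aaa authentication match" on the outside interface.
aaa authentication match ctp-auth inside ACS
!
! Optional: authorize and account the same flows on the same server
aaa authorization match ctp-auth inside ACS
aaa accounting match ctp-auth inside ACS
!
! Verification
test aaa-server authentication ACS host 192.168.101.100 username shiva password shiva
show aaa-server ACS
show uauth
```

After this, a telnet from R1 to 101.1.1.1 is intercepted by the ASA, which prompts for credentials, checks them against ACS, and only then builds the connection; `show uauth` lists the authenticated users and the time left on their entry.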
ISP
ip domain-name cisco.com
crypto key generate rsa modulus 1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
Please install Access Control System (ACS) on PC 192.168.101.100 and follow the installation instructions shown in the screenshots.
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/60 ms
ASA1(config)# ! AAA config on ASA
aaa-server myacs protocol tacacs+
aaa-server myacs (inside) host 192.168.101.100
timeout 10
key shiva
exit
! CTP (cut-through proxy) config on ASA
aaa authentication include telnet inside 0 0 0 0 myacs
aaa authentication include http inside 0 0 0 0 myacs
aaa authentication include https inside 0 0 0 0 myacs
aaa authentication include ftp inside 0 0 0 0 myacs
auth-prompt prompt AAA_4.2_Please_authenticate_yourself
auth-prompt accept Enjoy_internet_service
auth-prompt reject Hummmm............try_again
! AAA communication on ASA
test aaa-server authentication myacs host 192.168.101.100 username shiva password shiva
ASA1# test aaa-server authentication myacs host 192.168.101.100 username shiva$
INFO: Attempting Authentication test to IP address <192.168.101.100> (timeout: 12 seconds)
INFO: Authentication Successful
Now initiate HTTP, HTTPS, FTP and Telnet requests from the client.
ASA1# sh uauth
                      Current   Most Seen
Authenticated Users      1          1
Authen In Progress       0          1
user 'shiva' at 192.168.101.100, authenticated (idle for 0:00:10)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
ASA1# clear uauth
If the browser asks for the username and password again, click Cancel and refresh the FTP page.
Chapter 15
After reading this chapter you will be able to describe:
IPsec VPN
IPsec VPN Features
Encryption Algorithms
Pre-shared Key
Public Key Infrastructure
ESP
AH
IKE and ISAKMP
NAT-T
Security Association
IPsec Introduction
IPsec VPN
IPsec VPN provides secure IP communication over an insecure network.
IPsec VPN Features
Confidentiality
Integrity
Data Origin Authentication
Anti-Replay
Confidentiality
It means your data is kept secret using an encryption algorithm like DES, 3DES or AES.
Encryption Algorithms
Encryption is simply a mathematical algorithm: a key is applied to data to make the contents unreadable to everyone except those who have the ability to decrypt it.
Types of Encryption Algorithms
Symmetric Encryption
Asymmetric Encryption
Symmetric Encryption
Symmetric encryption algorithms are also called secret key cryptography. As the name implies, there is a single, secret key that is used to both encrypt and decrypt the data.
Examples of Symmetric Algorithms
DES
56-bit key; it has been broken in less than 24 hours using modern computers.
3DES
Three different 56-bit keys (DES encrypt, DES decrypt, DES encrypt) are used to create the cipher text. It has not yet been broken, but has theoretical flaws.
AES
It is considered the symmetric encryption choice today. Key sizes from 128 bits to 256 bits.
Integrity
It lets you check whether your data was altered during transmission or not, using a hash algorithm like MD5 or SHA.
Data Origin Authentication
It means that both devices authenticate each other before the data exchange, using a Pre-Shared key or a Certificate (PKI).
Pre-Shared
A single key is applied on both peers.
Public Key Infrastructure
PKI provides a framework for managing the security attributes between peers who are engaged in secure communication over an insecure network.
The PKI consists of a number of elements, which are also network entities:
■ Peers—Devices and people who securely communicate across a network. Also known as end hosts.
■ Certification authority (CA)—Grants and maintains digital certificates. Also known as a trusted entity or a trust point.
■ Digital certificate—Contains information to uniquely identify a peer, a signed copy of the public encryption key used for secure communications, certificate validity data, and the signature of the CA that issued the certificate. X.509v3 is the current version of digital certificate.
■ Distribution mechanism—A means to distribute certificate revocation lists (CRLs) across the network. LDAP and HTTP are examples.
The PKI Message Exchange Process
1. The host generates its RSA keys and requests the public key of the CA.
2. The CA sends its public key. The host generates a certificate request and sends it to the CA.
3. The CA signs the certificate request with its private key and sends the certificate to the host.
4. The host saves it.
5. The certificate is then used for secure communication.
Anti-Replay
It means that if your data arrives late it will be considered altered and will be dropped. Anti-Replay can be defined in kilobytes or seconds.
IPsec Protocols
ESP
AH
IKE
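The five-step PKI exchange above, as an added runnable toy (this is not the book's code and not how any real CA is implemented): the host generates RSA keys, obtains the CA public key, submits a certificate request, the CA signs it with its private key, and a peer later checks the certificate against the CA key and then checks that the presenter really holds the certified private key. Textbook RSA with small primes found by trial division, no signature padding and JSON instead of X.509 are all simplifications chosen so the block runs with the standard library only; the function names (`enroll`, `authenticate_peer`) and the sample subject and dates are constructed.

```python
"""Toy model of the PKI message exchange described above: the host generates
its RSA keys, fetches the CA public key, sends a certificate request, the CA
signs it, and a peer later verifies the certificate and the host's proof of
possession. Added example, not the book's code.

Textbook RSA with ~20-bit primes found by trial division replaces real
2048-bit keys; there is no signature padding and no X.509 encoding here.
"""
import hashlib
import json


def next_prime(n: int) -> int:
    """Smallest prime >= n, by trial division (fine at this size)."""
    while True:
        if n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def generate_rsa(seed: int, e: int = 65537) -> dict:
    """One key pair: public (n, e), private d. `seed` only picks the primes."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public_part(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def encode(obj: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def _digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced mod n so it is a valid RSA input (toy only).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(key: dict, data: bytes) -> int:
    return pow(_digest(data, key["n"]), key["d"], key["n"])


def rsa_verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def enroll(host_key: dict, ca_key: dict, subject: str) -> dict:
    """Steps 1-4: host asks for the CA key, builds a request, CA signs, host saves."""
    ca_pub = public_part(ca_key)                                  # step 2: CA public key
    request = {"subject": subject, "pub": public_part(host_key)}  # host's certificate request
    body = {**request, "issuer": "toy-CA", "not_after": "2030-01-01"}
    cert = {"body": body, "sig": rsa_sign(ca_key, encode(body))}  # step 3: CA signs with its private key
    if not rsa_verify(ca_pub, encode(body), cert["sig"]):         # step 4: host checks before saving
        raise ValueError("certificate does not verify against the CA key")
    return cert


def authenticate_peer(cert: dict, ca_pub: dict, challenge: bytes, response: int) -> bool:
    """Step 5: trust the CA, check the certificate, then check that the presenter
    holds the private key for the certified public key (signature over a challenge)."""
    if not rsa_verify(ca_pub, encode(cert["body"]), cert["sig"]):
        return False                                              # not issued by our CA
    return rsa_verify(cert["body"]["pub"], challenge, response)


def demo() -> dict:
    ca_key = generate_rsa(10 ** 6)              # CA key pair (constructed)
    host_key = generate_rsa(10 ** 6 + 100)      # host key pair, step 1 (constructed)
    other_key = generate_rsa(10 ** 6 + 300)     # a key our CA never certified (constructed)
    cert = enroll(host_key, ca_key, "asa1.example.test")
    ca_pub, challenge = public_part(ca_key), b"constructed-nonce"
    forged = {"body": cert["body"], "sig": rsa_sign(other_key, encode(cert["body"]))}
    return {
        "genuine": authenticate_peer(cert, ca_pub, challenge, rsa_sign(host_key, challenge)),
        "cert_not_from_ca": authenticate_peer(forged, ca_pub, challenge, rsa_sign(host_key, challenge)),
        "no_private_key": authenticate_peer(cert, ca_pub, challenge, rsa_sign(other_key, challenge)),
    }
```

The two negative cases in `demo` are the checks a peer must make in that order: a certificate whose signature does not verify under the trusted CA key is rejected before its contents are used, and a genuine certificate presented by someone who cannot sign the challenge with the matching private key is rejected as well.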
ESP (Encapsulating Security Payload)
It provides all IPsec features.
It uses IP protocol number 50.
It works with NAT.
It uses NAT-T.
It doesn't include the external IP in the ICV.
AH (Authentication Header)
It doesn't provide confidentiality, because it doesn't use encryption.
It uses IP protocol number 51.
It doesn't work with NAT.
It doesn't use NAT-T.
It does include the external IP in the ICV.
It doesn't include the TTL value in the ICV.
IKE (Internet Key Exchange)
It provides a framework to exchange the security parameters & policies between two IPsec peers.
IKE Modes
Main Mode
Aggressive Mode
Quick Mode
Main Mode
In main mode there are 6 attributes or messages in three steps.
1. The initiator sends its own proposal to the responder, and the responder sends its own proposal to the initiator.
2. The initiator sends its own key to the responder, and the responder sends its own key to the initiator.
3. At the end they authenticate the session.
Or, message by message:
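Anti-replay, described on the previous page as dropping data that arrives too late, is one of the features ESP and AH both provide, using the sequence number in every packet. The sliding-window bookkeeping a receiver keeps for it, as an added example (not from the book): the window tracks the highest sequence number accepted and a bitmap of the numbers just below it; a packet is dropped if it is older than the window or has already been accepted. The window size and the arrival stream in `demo` are constructed. In a real SA the ICV is verified before the window is updated, so that a forged sequence number cannot move the window; this block models only the sequence-number logic.

```python
"""Anti-replay sliding window as used by ESP and AH (RFC 4303 style).
Added example, not the book's code. Each packet carries an increasing
sequence number; the receiver accepts it only if it is new and not older
than the window below the highest number seen so far."""


class ReplayWindow:
    """Toy of the RFC 4303 sliding window, `size` packets wide."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0           # highest sequence number accepted so far
        self.seen = 0          # bitmap: bit i set => sequence (top - i) was received

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too-old' for sequence number `seq`."""
        if seq <= 0:
            return "too-old"   # sequence 0 is never used on an SA
        if seq > self.top:
            # New high-water mark: shift the bitmap left by the gap, drop bits that fall out.
            shift = seq - self.top
            self.seen = (self.seen << shift) & ((1 << self.size) - 1)
            self.seen |= 1
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too-old"   # below the window: arrived too late, dropped
        if self.seen & (1 << offset):
            return "replay"    # already received: duplicate, dropped
        self.seen |= 1 << offset
        return "accept"        # late but inside the window, and not yet seen


def process(window: ReplayWindow, seqs: list) -> list:
    """Run a stream of sequence numbers through the window, returning (seq, verdict) pairs."""
    return [(s, window.check_and_update(s)) for s in seqs]


def demo() -> dict:
    w = ReplayWindow(size=8)
    # Constructed arrival order: in-order packets, one reordering, duplicates,
    # and a packet that shows up after the window has already moved past it.
    stream = [1, 2, 3, 5, 4, 3, 20, 13, 12, 20, 7]
    results = process(w, stream)
    return {
        "verdicts": results,
        "dropped": [s for s, v in results if v != "accept"],
    }
```

Running `demo()` drops sequence 3 (replay), 12 (fell out of the 8-wide window once 20 arrived), the second 20 (replay) and 7 (too old), while the out-of-order 4 and the late-but-in-window 13 are still accepted.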
Step 1
Message 1: the initiator sends its own proposal to the responder.
Message 2: the responder sends its own proposal to the initiator.
Step 2
Message 3: the initiator sends its own key to the responder.
Message 4: the responder sends its own key to the initiator.
Step 3
Message 5: the initiator authenticates the session.
Message 6: the responder authenticates the session.
Aggressive Mode
In aggressive mode the 6 attributes are exchanged in three steps.
1. The initiator sends its own proposal & key to the responder.
2. The responder authenticates the initiator's proposal & sends its own proposal & key to the initiator.
3. The initiator authenticates the session.
Note: either main mode or aggressive mode is used, not both.
Quick Mode
In quick mode they recheck their attributes using the SPI (Security Parameter Index). The SPI is sent with every packet by the peers.
IKE Phases
1. Phase 1
2. Phase 1.5 (optional)
3. Phase 2
Phase 1
In Phase 1 they create a single bidirectional IKE tunnel. A single key is used to authenticate the session. In Phase 1 either main mode or aggressive mode is used:
If main mode is used, aggressive mode is not used.
If aggressive mode is used, main mode is not used.
Which one is used depends on the type of IPsec VPN:
Site-to-Site: Main mode
Remote Access: Aggressive mode
DMVPN: Main mode
GETVPN: Main mode
Phase 1.5
It is an optional IKE phase. Phase 1.5 provides an additional layer of authentication, called Xauth, or Extended Authentication. Xauth forces the user to authenticate before use of the IPsec connection is granted.
Phase 2
When Phase 1 is successfully completed, Phase 2 is started.
If Phase 1 is not successfully completed, Phase 2 will not start.
In Phase 2 they create multiple IPsec tunnels: two tunnels per protocol, ESP or AH.
ISAKMP
IKE is a management protocol; it actually uses ISAKMP (Internet Security Association and Key Management Protocol) for the key exchange. It uses UDP port 500.
IKE Versions
IKE Version 1                                  IKE Version 2
6 messages                                     4-6 messages
Uses ISAKMP                                    Uses ISAKMP
NAT-T support                                  NAT-T support
Fire & forget                                  Checks peer existence via cookies
No VoIP support                                VoIP support
No cryptography mechanism for key exchange     Uses Suite B cryptography
IKE Version 2
Steps
IKE_SA_INIT (two messages)
IKE_AUTH + CREATE_CHILD_SA (two messages)
CREATE_CHILD_SA for a second child SA (optional, two messages)
IKE_SA_INIT: Message 1
The initiator proposes basic SA attributes along with authentication material.
Equivalent to messages 1 and 3 in IKEv1.
IKE_SA_INIT: Message 2
The responder sends back a set of attributes acceptable under the SA, along with authentication material.
Equivalent to messages 2 and 4 in IKEv1.
IKE_AUTH: Message 3
Authentication material is sent along with CHILD_SA info.
Equivalent to message 5 of Main Mode and part of Quick Mode in IKEv1.
IKE_AUTH: Message 4
Authentication material is sent along with CHILD_SA info.
Equivalent to message 6 of Main Mode and part of Quick Mode in IKEv1.
Note: VTI and GRE/IPsec complete after this message.
Optional:
CREATE_CHILD_SA: Message 1
The initiator sends its authentication material and ID.
Additional child exchange, equivalent to Quick Mode in IKEv1.
CREATE_CHILD_SA: Message 2
The responder sends its authentication material and ID.
Additional child exchange, equivalent to Quick Mode in IKEv1.
IPsec Modes
1. Transport mode
2. Tunnel mode
Transport Mode
It protects layer 4 & upper layer data. Used in DMVPN.
Tunnel Mode
It protects layer 3 & upper layer data. Used in Site-to-Site, Remote-Access, GETVPN.
NAT Traversal
A feature that enables us to establish a VPN session through a NAT device.
In NAT-T the VPN devices add a UDP header before the ESP header, so that the NAT device can perform NAT on the packet.
Why NAT-Traversal
AH doesn't work with NAT, because it includes the external IP address in the ICV.
It includes the data, the key and the external IP in the integrity check value. If an AH packet passes through a NAT device, the NAT device translates the external IP. When the peer receives the AH packet it verifies the packet ICV; because of the NAT the peer finds an ICV mismatch, so the packet is dropped.
Note: AH doesn't include the TTL value in the ICV, because the TTL is changed at every hop.
ESP doesn't include the external IP in the ICV, but it encrypts the data. A NAT device requires layer 4 information, but that is encrypted by ESP; with no layer 4 information, no NAT can be performed.
To resolve this issue we use NAT-T: in NAT-T the devices add a UDP header before the ESP header for the NAT device. That header is UDP 4500.
NAT Traversal Steps
NAT-T Support
NAT-T Detection
NAT-T Decision
NAT-T Support
In IKE Phase 1, the two peers exchange their vendor ID and IOS version information with each other to determine which features are supported.
NAT-T Detection
In IKE Phase 1, they create a payload of the external IP addresses. They hash it, and the hash product is exchanged between the peers. They verify the hash: if the hashes match, no NAT exists in the VPN peer path; otherwise a NAT exists.
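The two mechanisms described on this page, as one added example (not the book's code): first, why an AH packet fails its ICV check after a NAT rewrites the source address while a plain router hop (which only decrements TTL) does not, and why the same packet protected by ESP still verifies; second, the NAT-D idea from IKE Phase 1, where each side hashes the address and port as it sees them and a mismatch reveals a NAT on the path. HMAC-SHA-256 stands in for the SA's integrity algorithm, the IP header is a small dict rather than wire bytes, the key and addresses are constructed, and the NAT-D hash is simplified (RFC 3947 hashes the IKE cookies together with the address and port under the negotiated hash function).

```python
"""Why AH fails behind NAT, why ESP does not, and how the NAT-D check in
IKE Phase 1 detects a NAT on the path. Added example, not from the book.

HMAC-SHA-256 stands in for the SA's integrity algorithm and the IP header is
a small dict instead of wire bytes. The NAT-D hash is simplified too:
RFC 3947 hashes CKY-I | CKY-R | IP | Port with the negotiated hash function.
"""
import hashlib
import hmac

INTEGRITY_KEY = b"constructed-sa-integrity-key"   # constructed, not a real SA key


def _immutable_fields(ip_hdr: dict, with_addresses: bool) -> bytes:
    """Serialise the header fields covered by the ICV. TTL changes at every
    hop, so it is never covered, which is the exception the text notes for AH."""
    names = ("src", "dst", "proto") if with_addresses else ("proto",)
    return "|".join(f"{k}={ip_hdr[k]}" for k in names).encode()


def ah_icv(ip_hdr: dict, payload: bytes) -> bytes:
    """AH: the outer IP addresses are part of the ICV input."""
    return hmac.new(INTEGRITY_KEY, _immutable_fields(ip_hdr, True) + payload,
                    hashlib.sha256).digest()


def esp_icv(_ip_hdr: dict, payload: bytes) -> bytes:
    """ESP: the ICV covers the ESP header and payload only, never the outer IP addresses."""
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).digest()


def apply_nat(ip_hdr: dict, public_ip: str) -> dict:
    """What a NAT device does on the way out: rewrite the source address
    (and, like any router, decrement the TTL)."""
    return {**ip_hdr, "src": public_ip, "ttl": ip_hdr["ttl"] - 1}


def receiver_accepts(icv_fn, ip_hdr: dict, payload: bytes, icv: bytes) -> bool:
    """The receiving peer recomputes the ICV over what it received and compares."""
    return hmac.compare_digest(icv_fn(ip_hdr, payload), icv)


def nat_d_hash(ip: str, port: int) -> bytes:
    return hashlib.sha256(f"{ip}:{port}".encode()).digest()


def nat_detected(sender_view: tuple, receiver_view: tuple) -> bool:
    """NAT-D: the sender hashes its own (ip, port); the receiver hashes the
    (ip, port) it saw on the wire. Different hashes mean a NAT rewrote them."""
    return nat_d_hash(*sender_view) != nat_d_hash(*receiver_view)


def demo() -> dict:
    # Constructed packet: a private host behind NAT talking to a public peer.
    hdr = {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": 50, "ttl": 64}
    payload = b"constructed-protected-payload"
    ah, esp = ah_icv(hdr, payload), esp_icv(hdr, payload)
    routed = {**hdr, "ttl": hdr["ttl"] - 1}              # plain router hop: only TTL changes
    natted = apply_nat(hdr, "198.51.100.7")              # NAT hop: src rewritten as well
    return {
        "ah_after_plain_hop": receiver_accepts(ah_icv, routed, payload, ah),   # True: TTL not covered
        "ah_after_nat": receiver_accepts(ah_icv, natted, payload, ah),         # False: src was rewritten
        "esp_after_nat": receiver_accepts(esp_icv, natted, payload, esp),      # True: addresses not covered
        "nat_d_no_nat": nat_detected(("203.0.113.9", 500), ("203.0.113.9", 500)),
        "nat_d_nat": nat_detected(("192.168.1.10", 500), ("198.51.100.7", 500)),
    }
```

The ESP case in `demo` passes its ICV check after NAT only because the ICV does not cover the outer addresses; the page's second problem, that a NAT device cannot find layer 4 ports inside an encrypted ESP payload, is what the UDP 4500 encapsulation of NAT-T solves and is not modelled here.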
NAT-T Decision
In IKE Phase 2, if they found a NAT in the VPN peer path, a UDP 4500 header is inserted before the ESP header.
Security Association
A group of security parameters & policies which is agreed between two IPsec peers.
Parts
SAD
SPD
SAD (Security Association Database)
It contains:
Peer IP
SPI
IPsec protocol information (ESP or AH)
Security Policy Database
It contains:
Encryption algorithm (DES, 3DES, or AES)
Hash algorithm (MD5 or SHA-1)
IPsec mode (tunnel or transport)
Key lifetime (seconds or kilobytes)
Diffie-Hellman Key Exchange
DH allows two parties to share a secret key over an insecure channel. Because this key forms the basis of the rest of the VPN, it is essential that the key be kept secret.
Security Parameter Index
Both devices create a hash of the Security Policy Database. That hash is called the SPI.
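The Diffie-Hellman paragraph above and the three-step, six-message main mode exchange described earlier in this chapter fit together, and this added example (not the book's code) runs them end to end: step 1 picks a common proposal, step 2 exchanges DH public values and nonces so both peers derive the same secret without ever sending it, and step 3 authenticates the session with a hash keyed from the pre-shared key, which is where a wrong PSK is caught even though the DH exchange itself succeeded. The modulus is the 1024-bit MODP prime of IKE group 2 (RFC 2409); it is used because it is the smallest standard group, not because it is adequate today, and group 14 or an ECP group should be configured on real peers. HMAC-SHA-256 stands in for the negotiated PRF, the SKEYID and HASH_I/HASH_R derivations are simplified, and the peer names, policy strings and PSKs are constructed.

```python
"""IKEv1 main mode modelled with the three steps of the text: proposals,
Diffie-Hellman key exchange, pre-shared-key authentication.
Added example, not the book's code; simplified key derivation."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE group 2 (RFC 2409, section 6.2). Smallest
# standard group, no longer adequate; configure group 14 or ECP on real peers.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 stands in for the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str, psk: bytes, proposals: list):
        self.name, self.psk, self.proposals = name, psk, proposals
        self.nonce = secrets.token_bytes(16)
        self.priv = secrets.randbelow(P - 2) + 1      # DH private exponent x
        self.pub = pow(G, self.priv, P)               # DH public value g^x mod p
        self.chosen = self.skeyid = self.shared = None

    # Step 1, messages 1 and 2: the responder picks the first of the
    # initiator's proposals that it also has configured.
    def choose(self, offered: list) -> str:
        for prop in offered:
            if prop in self.proposals:
                self.chosen = prop
                return prop
        raise ValueError(f"{self.name}: no matching proposal")

    # Step 2, messages 3 and 4: DH public values and nonces cross the wire;
    # each side derives g^xy and SKEYID = prf(PSK, Ni | Nr) (RFC 2409, PSK case).
    def derive(self, peer_pub: int, ni: bytes, nr: bytes) -> None:
        self.shared = pow(peer_pub, self.priv, P).to_bytes(P_LEN, "big")
        self.skeyid = prf(self.psk, ni + nr)

    # Step 3, messages 5 and 6: each side proves it knows SKEYID (hence the PSK)
    # with a hash over the exchanged values; the peer recomputes and compares.
    def auth_hash(self, pub_a: int, pub_b: int, ni: bytes, nr: bytes, ident: str) -> bytes:
        data = (pub_a.to_bytes(P_LEN, "big") + pub_b.to_bytes(P_LEN, "big") + ni + nr
                + self.shared + self.chosen.encode() + ident.encode())
        return prf(self.skeyid, data)


def main_mode(init: Peer, resp: Peer) -> dict:
    log = [("msg1", "proposals", init.proposals)]
    chosen = resp.choose(init.proposals)                      # message 2
    init.chosen = chosen
    log.append(("msg2", "chosen", chosen))
    log += [("msg3", "g^xi, Ni"), ("msg4", "g^xr, Nr")]
    init.derive(resp.pub, init.nonce, resp.nonce)
    resp.derive(init.pub, init.nonce, resp.nonce)
    # Messages 5 and 6 (already encrypted under SKEYID-derived keys in real IKE).
    hash_i = init.auth_hash(init.pub, resp.pub, init.nonce, resp.nonce, init.name)
    ok_i = hmac.compare_digest(
        hash_i, resp.auth_hash(init.pub, resp.pub, init.nonce, resp.nonce, init.name))
    log.append(("msg5", "HASH_I", ok_i))
    if not ok_i:
        return {"established": False, "reason": "responder rejected HASH_I", "messages": log}
    hash_r = resp.auth_hash(resp.pub, init.pub, init.nonce, resp.nonce, resp.name)
    ok_r = hmac.compare_digest(
        hash_r, init.auth_hash(resp.pub, init.pub, init.nonce, resp.nonce, resp.name))
    log.append(("msg6", "HASH_R", ok_r))
    return {"established": ok_r, "dh_secret_matches": init.shared == resp.shared,
            "policy": chosen, "messages": log}


def demo() -> dict:
    policies = ["aes-256/sha/group2", "3des/md5/group2"]       # constructed policy labels
    good = main_mode(Peer("ASA1", b"constructed-psk", policies),
                     Peer("ASA2", b"constructed-psk", ["3des/md5/group2"]))
    bad = main_mode(Peer("ASA1", b"constructed-psk", policies),
                    Peer("ASA2", b"different-psk", policies))
    return {"good": good, "bad_psk": bad}
```

In the `bad_psk` run both peers still compute the same DH secret, because the key exchange in step 2 does not depend on the PSK at all; the mismatch only surfaces in message 5, which is why a wrong pre-shared key on one ASA shows up as a Phase 1 failure after the proposal and key exchange have already succeeded.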
How to create a Windows 2003 CA
First, install Windows 2003 Server in VirtualBox or on a real machine.
Second, assign the IP address 192.168.105.100 (or a different one). Don't remove the 2003 CD from the CD-ROM.
Download cepsetup.exe (search Google for it).
Then follow:
Start
Run
appwiz.cpl
Stop the CA.
Start the CA.
The password is shiva.
Start > Run > type http://192.168.105.100/certsrv/mscep/mscep.dll
This URL is used to obtain the one-time password for VPN certificate enrollment.
If this CA runs in VirtualBox you can use it for a real network or for a GNS3 topology.
If it is for GNS3, set the following:
Connect the GNS3 topology to the host-only interface.
For a real network, bridge with the real interface.
You can connect to the gigabit or the wireless interface.
Thanks.
How to install Windows 2008 as a CA
First, install Windows 2008 Server Datacenter edition.
Assign the IP address 192.168.108.100 (or any other).
Turn off the firewall.
Click the new URL.
User: administrator
Password: the admin password
Press OK.
Your new OTP for certificate enrollment is displayed.
How to configure Windows 2012 as a CA
First install Windows Server 2012.
Assign it the IP address 192.168.112.100 (or a different one).
Then follow the steps shown below.
http://192.168.112.100/certsrv/mscep/mscep.dll
http://192.168.112.100/certsrv
How to configure IOS CA
! first set the clock
clock set 12:53:00 6 oct 2014
conf t
interface fastEthernet 0/0
ip add 101.1.1.1 255.255.255.0
exit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
crypto key generate rsa general-keys exportable label shiva modulus 1024
crypto key export rsa shiva pem url nvram: 3des cisco1234
ip http server
crypto pki server cisco
database level minimum
database url nvram:
issuer-name cn=lab.nb.com l=gr c=in
lifetime certificate 365
grant auto
no shutdown
(enter a 9-letter password when prompted)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
R1#sh crypto pki server
Certificate Server cisco:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=lab.nb.com l=gr c=in
CA cert fingerprint: 3EE215BD E41454DF 0DB85E8C 41588E7F
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 12:53:00 UTC Oct 5 2017
CRL NextUpdate timer: 18:53:00 UTC Oct 6 2014
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
R1#dir nvram:
Directory of nvram:/
54 -rw- 233 <no date> startup-config
55 ---- 0 <no date> private-config
1 ---- 15 <no date> persistent-data
2 -rw- 4 <no date> rf_cold_starts
3 -rw- 272 <no date> shiva.pub
4 -rw- 963 <no date> shiva.prv
5 -rw- 32 <no date> cisco.ser
6 -rw- 230 <no date> cisco.crl
7 -rw- 1595 <no date> cisco_00001.p12
57336 bytes total (48859 bytes free)
Chapter 16
After reading this chapter you will be able to describe:
Site-to-Site VPN
How a Site-to-Site VPN works
Site-to-Site VPN
A Site-to-Site VPN enables two sites to communicate with each other securely over an insecure network.
(Diagram: 192.168.101.0/24 at the remote site, 192.168.102.0/24 at the central office)
A remote client wants to communicate with the central office. It generates a packet with a 192.168.101.0 source and a 192.168.102.0 destination, and that packet is delivered to the gateway.
The gateway checks the destination IP and forwards the packet to the exit interface. A crypto map is applied to the exit interface, so the router intercepts the packet; if it matches the crypto map access-list, the packet is encrypted and hashed.
The router then checks for an existing SA with the peer. If no SA is found, it sends a proposal to the peer using ISAKMP on UDP port 500.
IKE Phase 1 and Phase 2 then take place. Once Phase 2 completes, the protected data is delivered to the peer.
Site-to-Site VPN Working
Diagram:
Site-Site-pre-8.0
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface e0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface ethernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/70 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/20/30 ms
ASA2
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/30 ms
ASA1
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto isakmp enable outside
ASA2
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto isakmp enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 16/41/120 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 16/42/92 ms
ASA1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
ASA2# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
ASA_s2s_pre_8.0_overlapping_subnet
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface ethernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface ethernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/40 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/50 ms
ASA2
ASA2(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/24/70 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
Both sites use 192.168.101.0/24, so each ASA statically translates its inside subnet to a unique mapped subnet (192.168.10.0 on ASA1, 192.168.20.0 on ASA2). The ASA applies NAT before it consults the crypto map, so the crypto access-lists below match the translated subnets rather than 192.168.101.0.
ASA1(config)# static (inside,outside) 192.168.10.0 192.168.101.0
ASA2(config)# static (inside,outside) 192.168.20.0 192.168.101.0
ASA1
crypto isakmp policy 1
authentication pre-share
encryption a
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto isakmp enable outside
ASA2
crypto isakmp policy 1
authentication pre-share
encryption a
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto isakmp enable outside
R1#ping 192.168.20.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 16/37/84 ms
R2#ping 192.168.10.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 20/42/100 ms
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4C0DCAEF
inbound esp sas:
spi: 0xA35E7858 (2740877400)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, }
ASA1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: A35E7858
inbound esp sas:
spi: 0x4C0DCAEF (1275972335)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, }
ASA2# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
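The packet path described in the "Site-to-Site VPN Working" section, traced through the overlapping-subnet lab above, as an added example that is not the book's code: a Python model that applies the static NAT, checks the crypto-map access-list, looks up the SA and runs IKE phase 1 policy matching. The class and function names, the /24 mask on the statics and the "shorter lifetime wins" rule are assumptions made for this model.

```python
"""Added example (not the book's code): a model of the Chapter 16 packet path,
static NAT, crypto-map ACL match, SA lookup and IKE phase 1 policy matching,
loaded with the overlapping-subnet lab's ACLs, statics and ISAKMP policy.
Names, the /24 on the statics and 'shorter lifetime wins' are assumptions."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

IPv4Net = ipaddress.IPv4Network
# one 'crypto isakmp policy <priority>' block
IsakmpPolicy = namedtuple("IsakmpPolicy",
                          "priority authentication encryption hash group lifetime")

@dataclass
class Gateway:
    """Crypto-relevant state of one ASA running 'crypto map test 10'."""
    name: str
    peer: str
    crypto_acl: list                              # [(src_net, dst_net)]
    policies: list                                # IsakmpPolicy list
    statics: dict = field(default_factory=dict)   # real_net -> mapped_net
    ike_sa: dict = field(default_factory=dict)    # peer -> agreed IsakmpPolicy

def parse_acl(line):
    """'access-list 101 permit ip <src> <mask> <dst> <mask>' -> (src_net, dst_net)."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACL line: " + line)
    return IPv4Net(f"{f[4]}/{f[5]}"), IPv4Net(f"{f[6]}/{f[7]}")

def parse_static(line):
    """Pre-8.3 'static (inside,outside) <mapped> <real>' -> (real_net, mapped_net).
    The book's lines carry no netmask, so a /24 is assumed here."""
    f = line.split()
    if len(f) != 4 or f[:2] != ["static", "(inside,outside)"]:
        raise ValueError("unsupported static line: " + line)
    return IPv4Net(f[3] + "/24"), IPv4Net(f[2] + "/24")

def nat_translate(gw, addr):
    """Static NAT runs before the crypto map is consulted, which is why the lab's
    crypto ACLs name the mapped subnets 192.168.10.0 and 192.168.20.0."""
    for real, mapped in gw.statics.items():
        if addr in real:
            offset = int(addr) - int(real.network_address)
            return ipaddress.IPv4Address(int(mapped.network_address) + offset)
    return addr

def matches_crypto_acl(gw, src, dst):
    return any(src in s and dst in d for s, d in gw.crypto_acl)

def negotiate_phase1(initiator, responder):
    """Initiator offers policies by priority; the responder accepts the first whose
    authentication/encryption/hash/group equal one of its own."""
    for offer in sorted(initiator.policies):
        for own in sorted(responder.policies):
            if offer[1:5] == own[1:5]:
                return offer._replace(lifetime=min(offer.lifetime, own.lifetime))
    return None

def process_outbound(gw, peer_gw, src, dst):
    """Walk one outbound packet through the path in the text; report what happens."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    xlated = nat_translate(gw, src)
    if not matches_crypto_acl(gw, xlated, dst):
        return {"action": "forward-clear", "src": str(xlated)}   # not interesting traffic
    if gw.peer not in gw.ike_sa:
        # No SA with the peer yet: send an ISAKMP proposal to UDP/500.  The packet
        # that triggered it is lost, which is the leading '.' in the lab's ping.
        policy = negotiate_phase1(gw, peer_gw)
        if policy is None:
            return {"action": "drop", "reason": "no matching isakmp policy"}
        gw.ike_sa[gw.peer] = policy
        peer_gw.ike_sa[peer_gw.peer] = policy
        return {"action": "ike-phase1", "port": "udp/500", "lifetime": policy.lifetime}
    return {"action": "encrypt", "transform": "esp-aes esp-sha-hmac",
            "peer": gw.peer, "src": str(xlated)}

def build_overlapping_lab():
    """ASA1 and ASA2 as configured in the overlapping-subnet lab above."""
    policy = IsakmpPolicy(1, "pre-share", "aes", "sha", 5, 1800)
    asa1 = Gateway("ASA1", "102.1.1.100", [parse_acl(
        "access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0")],
        [policy], dict([parse_static("static (inside,outside) 192.168.10.0 192.168.101.0")]))
    asa2 = Gateway("ASA2", "101.1.1.100", [parse_acl(
        "access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0")],
        [policy], dict([parse_static("static (inside,outside) 192.168.20.0 192.168.101.0")]))
    return asa1, asa2

if __name__ == "__main__":
    asa1, asa2 = build_overlapping_lab()
    for _ in range(2):   # R1 behind ASA1 pings 192.168.20.100: 1st packet triggers IKE
        print(process_outbound(asa1, asa2, "192.168.101.100", "192.168.20.100"))
    print(process_outbound(asa1, asa2, "192.168.101.100", "101.1.1.1"))  # not in ACL
```

Changing ASA2's group to 2 in the model reproduces a phase 1 mismatch: the packet is dropped and no SA is built, the same failure a mismatched `crypto isakmp policy` produces on the real boxes.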
ASA_s2s_rsa_8.0
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface ethernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
int f1/0
no shutdown
ip add 192.168.105.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.102.1 255.255.255.0
no shu
interface ethernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/26/80 ms
ASA1(config)# ping 192.168.105.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/17/20 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/22/30 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/20 ms
ASA2(config)# pin
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
ASA2(config)# pin
ASA2(config)# ping 192.168.105.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/30 ms
Configure R3 as NTP server
R3#clock set 22:07:00 29 sep 2014
R3#conf t
R3(config)#ntp master
Configure ASA1 & ASA2 as NTP clients
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
ASA1# sh clock
22:08:49.224 UTC Mon Sep 29 2014
ASA2# sh clock
22:10:22.070 UTC Mon Sep 29 2014
ASA1
domain-name cisco.com
crypto key generate rsa
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
%% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **************** (this password is obtained from the CA)
Re-enter password: ****************
Copy the one-time password from the CA enrollment page and paste it into the enrollment prompt on ASA1 or ASA2.
To obtain a new OTP, go to the CA enrollment page, refresh it, then copy and paste the new password.
ASA2
domain-name cisco.com
crypto key generate rsa
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA2.cisco.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!
ASA1
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
trust-point ttt
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto isakmp enable outside
ASA2
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
trust-point ttt
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
cry isakmp enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 20/50/264 ms
R2#ping 192.168.101.100 re
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 16/49/136 ms
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 328, #pkts encrypt: 328, #pkts digest: 328
#pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300
#pkts compressed: 0, #pkts decompressed: 0
ASA1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1#
ASA2
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 300, #pkts encrypt: 300, #pkts digest: 300
#pkts decaps: 328, #pkts decrypt: 328, #pkts verify: 328
#pkts compressed: 0, #pkts decompressed: 0
ASA2# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA_s2s_pre_ikev1
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
route outside 0 0 101.1.1.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# pin
ASA1# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
ASA2
ASA2# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2# pin
ASA2# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
R1
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 102.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5F93D48A
current inbound spi : 30046549
ASA2# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA2# sh cry
ASA2# sh crypto ip
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/0, remote crypto endpt.: 101.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 30046549
current inbound spi : 5F93D48A
ASA_s2s_pre_ikev2
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# pin
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# pin
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication pre-shared-key shiva
ikev2 remote-authentication pre-shared-key shiva
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev2 enable outside
ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication pre-shared-key shiva
ikev2 remote-authentication pre-shared-key shiva
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/500, remote crypto endpt.: 102.1.1.100/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 820C8EE1
current inbound spi : BE7654EE
ASA1#
ASA2(config)# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
6108915 102.1.1.100/500 101.1.1.100/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 1800/57 sec
Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0x820c8ee1/0xbe7654ee
ASA2(config)# sh cry
ASA2(config)# sh crypto ip
ASA2(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/500, remote crypto endpt.: 101.1.1.100/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: BE7654EE
current inbound spi : 820C8EE1
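The `show crypto ikev2 sa` summary in this lab reports what was actually negotiated (AES-CBC-128, HMAC-SHA1-96 shown as SHA96, DH group 5, PSK on both sides), which is what a review should read rather than the configured policy. The following Python is an added example and not code from the book: it parses that output and flags parameters below a baseline that is the example's own assumption (DH group 14 or higher, SHA-2 integrity, AES, and a note whenever authentication is a pre-shared key). The sample output is constructed in the page's format from the ASA2 values above.

```python
"""Audit the negotiated IKEv2 SA parameters reported by `show crypto ikev2 sa` on an ASA."""
import re
from dataclasses import dataclass

# Constructed sample in the format shown on the page, using the ASA2 values from the IKEv2 lab.
IKEV2_SA_OUTPUT = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote               Status         Role
6108915   102.1.1.100/500      101.1.1.100/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 1800/57 sec
Child sa: local selector  192.168.102.0/0 - 192.168.102.255/65535
          remote selector 192.168.101.0/0 - 192.168.101.255/65535
          ESP spi in/out: 0x820c8ee1/0xbe7654ee
"""

# Baseline applied by this audit (an assumption for the example, not a setting from the book):
# 2048-bit MODP or larger (group 14+) or ECDH (groups 19-21) for key exchange, SHA-2 integrity, AES.
ACCEPTED_DH_GROUPS = {14, 15, 16, 19, 20, 21}
ACCEPTED_HASHES = {"SHA256", "SHA384", "SHA512"}


@dataclass(frozen=True)
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    role: str
    encr: str
    keysize: int
    hash_alg: str
    dh_group: int
    auth_sign: str
    auth_verify: str
    lifetime: int   # configured IKE SA lifetime in seconds
    active: int     # seconds this SA has been up


# One tunnel row: id, local, remote, status, role (five whitespace-separated tokens)
_ROW = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.M)
_ALG = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
                  r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
_LIFE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


def parse_ikev2_sa(text: str) -> list[Ikev2Sa]:
    """Parse every tunnel row together with the algorithm and lifetime lines that follow it."""
    rows = list(_ROW.finditer(text))
    sas = []
    for i, row in enumerate(rows):
        # Detail lines belong to the row they follow, up to the next tunnel row.
        end = rows[i + 1].start() if i + 1 < len(rows) else len(text)
        detail = text[row.end():end]
        alg, life = _ALG.search(detail), _LIFE.search(detail)
        if alg is None or life is None:
            raise ValueError(f"incomplete detail lines for tunnel {row.group(1)}")
        sas.append(Ikev2Sa(
            tunnel_id=int(row.group(1)), local=row.group(2), remote=row.group(3),
            status=row.group(4), role=row.group(5),
            encr=alg.group(1), keysize=int(alg.group(2)), hash_alg=alg.group(3),
            dh_group=int(alg.group(4)), auth_sign=alg.group(5), auth_verify=alg.group(6),
            lifetime=int(life.group(1)), active=int(life.group(2)),
        ))
    return sas


def audit_ikev2_sa(sa: Ikev2Sa) -> list[str]:
    """Return findings for one IKEv2 SA; an empty list means it meets the baseline."""
    findings = []
    if sa.status != "READY":
        findings.append(f"tunnel {sa.tunnel_id} to {sa.remote} is {sa.status}, not READY")
    if sa.dh_group not in ACCEPTED_DH_GROUPS:
        findings.append(f"DH group {sa.dh_group} is below the 2048-bit baseline; use group 14 or higher")
    if sa.hash_alg not in ACCEPTED_HASHES:
        findings.append(f"integrity {sa.hash_alg} is not SHA-2 (SHA96 is HMAC-SHA-1 truncated to 96 bits)")
    if not sa.encr.startswith("AES") or sa.keysize < 128:
        findings.append(f"encryption {sa.encr} with keysize {sa.keysize} is below the AES-128 baseline")
    if "PSK" in (sa.auth_sign, sa.auth_verify):
        findings.append("authenticated with a pre-shared key; the key must be long and random, "
                        "or use certificates (rsa-sig) as in the other labs")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sa(IKEV2_SA_OUTPUT):
        print(f"tunnel {sa.tunnel_id} {sa.local} -> {sa.remote} ({sa.role}), up {sa.active}/{sa.lifetime} s")
        for finding in audit_ikev2_sa(sa):
            print("  -", finding)
```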
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
ERROR: Signature public key not found - Abort.
domain-name cisco.com
crypto key generate rsa
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **************** (this password is obtained from the 2008 CA)
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA1.cisco.com
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
Note: if the CA does not issue the certificate, remove the CA on the 2008 server and install it again.
ASA2
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
crypto ca enroll ttt
ERROR: Signature public key not found - Abort.
domain-name cisco.com
crypto key generate rsa
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA2.cisco.com
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 102.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 34159C71
current inbound spi : F446BD48
ASA2# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA2# sh cry
ASA2# sh crypto ip
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/0, remote crypto endpt.: 101.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F446BD48
current inbound spi : 34159C71
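The `show crypto ipsec sa` output above, like the same output in the IKEv1 pre-shared-key and IKEv2 labs earlier, is easiest to verify by reading both peers together: each side's outbound SPI must be the other side's inbound SPI, the proxy identities must be mirror images, and what one side encapsulates the other should decapsulate. The following Python is an added example, not code from the book; the sample captures are constructed in the page's format with the values of the IKEv1 pre-shared-key lab.

```python
"""Cross-check `show crypto ipsec sa` captured from both peers of an ASA site-to-site tunnel."""
import re
from dataclasses import dataclass

# Constructed sample output, abridged to the lines this check reads. The addresses,
# counters and SPIs mirror the ASA1/ASA2 output of the IKEv1 pre-shared-key lab.
ASA1_IPSEC_SA = """\
    Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
      local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      current_peer: 102.1.1.100
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
      current outbound spi: 5F93D48A
      current inbound spi : 30046549
"""

ASA2_IPSEC_SA = """\
    Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
      local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      current_peer: 101.1.1.100
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
      current outbound spi: 30046549
      current inbound spi : 5F93D48A
"""


@dataclass(frozen=True)
class IpsecSa:
    local_addr: str
    peer: str
    local_net: str    # "network/mask" from the local ident line (this side of the crypto ACL)
    remote_net: str   # "network/mask" from the remote ident line
    encaps: int       # packets this side encrypted and sent
    decaps: int       # packets this side received and decrypted
    send_errors: int
    recv_errors: int
    outbound_spi: int
    inbound_spi: int


def _grab(pattern: str, text: str) -> str:
    """Return the first capture group of pattern, failing loudly if the line is missing."""
    match = re.search(pattern, text)
    if match is None:
        raise ValueError(f"field not found in show output: {pattern}")
    return match.group(1)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Parse one crypto-map entry of `show crypto ipsec sa` (the first one if several)."""
    ident = r"\(addr/mask/prot/port\): \((\d+(?:\.\d+){3}/\d+(?:\.\d+){3})/"
    return IpsecSa(
        local_addr=_grab(r"local addr:\s*(\S+)", text),
        peer=_grab(r"current_peer:\s*(\S+)", text),
        local_net=_grab(r"local ident " + ident, text),
        remote_net=_grab(r"remote ident " + ident, text),
        encaps=int(_grab(r"#pkts encaps:\s*(\d+)", text)),
        decaps=int(_grab(r"#pkts decaps:\s*(\d+)", text)),
        send_errors=int(_grab(r"#send errors:\s*(\d+)", text)),
        recv_errors=int(_grab(r"#recv errors:\s*(\d+)", text)),
        outbound_spi=int(_grab(r"current outbound spi:\s*([0-9A-Fa-f]+)", text), 16),
        inbound_spi=int(_grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", text), 16),
    )


def cross_check(a: IpsecSa, b: IpsecSa) -> list[str]:
    """Return findings for one tunnel seen from both ends; an empty list means consistent."""
    findings = []
    if a.peer != b.local_addr or b.peer != a.local_addr:
        findings.append(f"peer mismatch: {a.local_addr}->{a.peer} but {b.local_addr}->{b.peer}")
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        findings.append("proxy identities are not mirror images; compare the crypto ACLs")
    # Each side's outbound SA is the other side's inbound SA, so the SPIs must pair up.
    for src, dst in ((a, b), (b, a)):
        if src.outbound_spi != dst.inbound_spi:
            findings.append(f"{src.local_addr} outbound SPI {src.outbound_spi:08X} != "
                            f"{dst.local_addr} inbound SPI {dst.inbound_spi:08X} (stale or rekeyed SA?)")
        lost = src.encaps - dst.decaps
        if lost > 0:
            findings.append(f"{lost} packet(s) encapsulated by {src.local_addr} were not "
                            f"decapsulated by {dst.local_addr}")
    for sa in (a, b):
        if sa.send_errors or sa.recv_errors:
            findings.append(f"{sa.local_addr}: send errors {sa.send_errors}, recv errors {sa.recv_errors}")
    return findings


if __name__ == "__main__":
    result = cross_check(parse_ipsec_sa(ASA1_IPSEC_SA), parse_ipsec_sa(ASA2_IPSEC_SA))
    for line in result or ["tunnel state is consistent on both peers"]:
        print(line)
```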
ASA_s2s_rsa_ikev1_ios_ca
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
int f0/0
ip add 101.1.1.1 255.255.255.0
no sh
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
no shu
int g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# pin
ASA1# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# pin
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3
R3#clock set 13:52:30 7 oct 2014
R3#conf t
R3(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
R3
Configure R3 as CA
crypto key generate rsa general-keys exportable label shiva modulus 1024
crypto key export rsa shiva pem url nvram: 3des cisco123
yes
ip http server
crypto pki server cisco
database level minimum
database url nvram:
issuer-name cn=cisco1.cisco.com l=gurgaon c=in
lifetime certificate 365
grant auto
no shutdown
(give password 999999999)
ASA1
ASA1(config)# crypto ca trustpoint ttt
ASA1(config-ca-trustpoint)# enrollment url http://101.1.1.1
ASA1(config-ca-trustpoint)# ex
ASA1(config)# crypto ca authenticate ttt
INFO: Certificate has the following attributes:
Fingerprint: 06fb1021 06e41a7a fa64dc4b fa73efa3
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA1(config)# crypto ca en ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: ASA1
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
ASA2
ASA2(config)# crypto ca trustpoint ttt
ASA2(config-ca-trustpoint)# enrollment url http://101.1.1.1
ASA2(config-ca-trustpoint)# ex
ASA2(config)# crypto ca authenticate ttt
INFO: Certificate has the following attributes:
Fingerprint: 06fb1021 06e41a7a fa64dc4b fa73efa3
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: ASA2
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
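Before bringing the tunnel up, it is worth checking that the ASA1 and ASA2 crypto configurations above are exact mirror images: the Phase 1 policy has to match attribute for attribute, each crypto map must name the other side's outside address, and the two crypto ACLs must be reversed copies of each other, or the negotiation fails with little explanation. The script below is an added example, not code from the book: it parses the two IKEv1 configs from this lab (embedded as sample input, ASA2's derived from ASA1's by swapping the peer address and ACL direction), reports the mismatches that would block negotiation as FAIL lines, and adds WARN lines for the choices made in this lab that a design review would question (DH group 5, SHA-1). The function and field names are my own.

```python
from collections import defaultdict

POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_asa_crypto(cfg):
    # Pull out the parts of an ASA IKEv1 site-to-site config that must agree with the peer.
    d = {"policy": {}, "tunnel_groups": {}, "transform_sets": {}, "acls": defaultdict(list),
         "crypto_map": {}, "map_interface": None, "ike_enabled": set()}
    in_policy, tg = False, None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ikev1", "policy"]:
            in_policy = True
            continue
        if in_policy and w[0] in POLICY_KEYS:          # sub-commands of the policy
            d["policy"][w[0]] = " ".join(w[1:])
            continue
        in_policy = False
        if w[0] == "tunnel-group":                       # 'type' and 'ipsec-attributes' lines
            tg = w[1]
            d["tunnel_groups"].setdefault(tg, {})
        elif w[:2] == ["ikev1", "trust-point"] and tg:
            d["tunnel_groups"][tg]["trust-point"] = w[2]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            d["transform_sets"][w[4]] = tuple(w[5:])
        elif w[0] == "access-list" and w[2] == "permit":
            d["acls"][w[1]].append(tuple(w[3:8]))        # (proto, src, smask, dst, dmask)
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            d["map_interface"] = w[4]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "ikev1"]:
            d["crypto_map"]["transform-set"] = w[-1]
        elif w[:2] == ["crypto", "map"]:                 # "set peer", "match address", "set trustpoint"
            d["crypto_map"][" ".join(w[4:6])] = w[-1]
        elif w[:3] == ["crypto", "ikev1", "enable"]:
            d["ike_enabled"].add(w[3])
    return d


def check_pair(name_a, cfg_a, addr_a, name_b, cfg_b, addr_b):
    # FAIL lines block negotiation; WARN lines are hygiene points worth a design review.
    a, b = parse_asa_crypto(cfg_a), parse_asa_crypto(cfg_b)
    out = []
    for k in sorted(set(a["policy"]) | set(b["policy"])):     # Phase 1 must match attribute for attribute
        if a["policy"].get(k) != b["policy"].get(k):
            out.append(f"FAIL ikev1 policy {k}: {name_a}={a['policy'].get(k)} {name_b}={b['policy'].get(k)}")
    for side, n, peer in ((a, name_a, addr_b), (b, name_b, addr_a)):
        cm = side["crypto_map"]
        if cm.get("set peer") != peer:
            out.append(f"FAIL {n}: crypto map peer {cm.get('set peer')} is not {peer}")
        if side["tunnel_groups"].get(peer, {}).get("trust-point") is None:
            out.append(f"FAIL {n}: tunnel-group {peer} has no ikev1 trust-point")
        if "set trustpoint" not in cm:
            out.append(f"FAIL {n}: crypto map has no trustpoint for rsa-sig")
        if side["map_interface"] not in side["ike_enabled"]:
            out.append(f"FAIL {n}: ikev1 is not enabled on {side['map_interface']}")
    acl_a = set(a["acls"].get(a["crypto_map"].get("match address"), []))
    acl_b = set(b["acls"].get(b["crypto_map"].get("match address"), []))
    if acl_a != {(p, d, dm, s, sm) for (p, s, sm, d, dm) in acl_b}:   # proxy IDs must mirror
        out.append("FAIL crypto ACLs are not mirror images of each other")
    ts_a = a["transform_sets"].get(a["crypto_map"].get("transform-set"))
    ts_b = b["transform_sets"].get(b["crypto_map"].get("transform-set"))
    if ts_a != ts_b:
        out.append(f"FAIL transform sets differ: {ts_a} vs {ts_b}")
    pol = a["policy"]
    if pol.get("authentication") != "rsa-sig":
        out.append("WARN Phase 1 authentication is not certificate based (rsa-sig)")
    if int(pol.get("group", "0")) < 14:
        out.append(f"WARN DH group {pol.get('group')} is below the 2048-bit group 14 baseline")
    if pol.get("hash") == "sha":
        out.append("WARN hash sha is SHA-1; ASA IKEv1 offers only sha or md5, stronger integrity needs IKEv2")
    return out


# Sample input: ASA1's config from this lab; ASA2's is derived by swapping peer and ACL direction.
ASA1_CFG = """
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
"""
ASA2_CFG = (ASA1_CFG.replace("102.1.1.100", "101.1.1.100")
            .replace("192.168.101.0 255.255.255.0 192.168.102.0", "192.168.102.0 255.255.255.0 192.168.101.0")
            .replace("list 101", "list 102").replace("address 101", "address 102"))

if __name__ == "__main__":
    for line in check_pair("ASA1", ASA1_CFG, "101.1.1.100", "ASA2", ASA2_CFG, "102.1.1.100"):
        print(line)
```

Run against the lab configs it prints no FAIL lines and two WARN lines. Change "group 5" to "group 2" on one side and the policy mismatch is reported before any device is touched, which is cheaper than reading debug crypto output after the fact.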
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
ASA1
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 102.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 02BB4488
current inbound spi : 64AD6A6D
inbound esp sas:
spi: 0x64AD6A6D (1689086573)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (3914980/1766)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x02BB4488 (45827208)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (3914980/1766)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA2
ASA2# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA2# sh cry
ASA2# sh crypto ip
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/0, remote crypto endpt.: 101.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 64AD6A6D
current inbound spi : 02BB4488
inbound esp sas:
spi: 0x02BB4488 (45827208)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4373980/1743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x64AD6A6D (1689086573)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4373980/1743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
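The two show crypto ipsec sa outputs above are only convincing when read together: ASA1's outbound SPI (02BB4488) must be ASA2's inbound SPI and vice versa, the encrypt counter on one side should track the decrypt counter on the other, send/recv errors should stay at zero and replay detection should read Y on every ESP SA. The script below is an added example and not part of the book: it parses the lines this check needs from both outputs (embedded as sample input, copied from the outputs above) and reports the conditions that a monitoring job would page on. Names such as parse_ipsec_sa and check_tunnel are my own, and the 60-second rekey threshold is an arbitrary assumption.

```python
import re


def parse_ipsec_sa(text):
    # Extract the fields of one 'show crypto ipsec sa' entry that matter for a health check.
    def grab(pattern, cast=str):
        return cast(re.search(pattern, text).group(1))
    return {
        "peer": grab(r"current_peer:\s*(\S+)"),
        "encrypt": grab(r"#pkts encrypt:\s*(\d+)", int),
        "decrypt": grab(r"#pkts decrypt:\s*(\d+)", int),
        "send_err": grab(r"#send errors:\s*(\d+)", int),
        "recv_err": grab(r"#recv errors:\s*(\d+)", int),
        "out_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)").lower(),
        "in_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").lower(),
        "replay": re.findall(r"replay detection support:\s*(\w)", text),   # one per ESP SA
        "sec_left": min(int(s) for _, s in re.findall(r"lifetime \(kB/sec\): \((\d+)/(\d+)\)", text)),
    }


def check_tunnel(name_a, sa_a, addr_a, name_b, sa_b, addr_b, min_sec=60):
    out = []
    if sa_a["peer"] != addr_b or sa_b["peer"] != addr_a:
        out.append("FAIL the two SAs do not point at each other")
    if sa_a["out_spi"] != sa_b["in_spi"] or sa_a["in_spi"] != sa_b["out_spi"]:
        out.append("FAIL SPIs are not paired: one side's outbound SPI must be the other's inbound SPI")
    for n, sa, other in ((name_a, sa_a, sa_b), (name_b, sa_b, sa_a)):
        if sa["send_err"] or sa["recv_err"]:
            out.append(f"FAIL {n}: send/recv errors {sa['send_err']}/{sa['recv_err']}")
        if not sa["replay"] or any(r != "Y" for r in sa["replay"]):
            out.append(f"FAIL {n}: anti-replay is not active on every ESP SA")
        if sa["sec_left"] < min_sec:
            out.append(f"WARN {n}: SA rekeys in {sa['sec_left']} s")
        if sa["encrypt"] != other["decrypt"]:       # counters lag briefly, so a warning not a failure
            out.append(f"WARN {n}: encrypted {sa['encrypt']} packets but the peer decrypted {other['decrypt']}")
    return out


# Constructed sample input: the lines this parser reads, taken from the two outputs above.
ASA1_SA = """
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#send errors: 0, #recv errors: 0
current outbound spi: 02BB4488
current inbound spi : 64AD6A6D
inbound esp sas:
spi: 0x64AD6A6D (1689086573)
sa timing: remaining key lifetime (kB/sec): (3914980/1766)
replay detection support: Y
outbound esp sas:
spi: 0x02BB4488 (45827208)
sa timing: remaining key lifetime (kB/sec): (3914980/1766)
replay detection support: Y
"""
ASA2_SA = """
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#send errors: 0, #recv errors: 0
current outbound spi: 64AD6A6D
current inbound spi : 02BB4488
inbound esp sas:
spi: 0x02BB4488 (45827208)
sa timing: remaining key lifetime (kB/sec): (4373980/1743)
replay detection support: Y
outbound esp sas:
spi: 0x64AD6A6D (1689086573)
sa timing: remaining key lifetime (kB/sec): (4373980/1743)
replay detection support: Y
"""

if __name__ == "__main__":
    a, b = parse_ipsec_sa(ASA1_SA), parse_ipsec_sa(ASA2_SA)
    print(check_tunnel("ASA1", a, "101.1.1.100", "ASA2", b, "102.1.1.100") or ["tunnel healthy"])
```

For the outputs in this lab the check comes back empty. Feed it the same text with a non-zero recv error count, or with only one side's SPI rolled over after a rekey, and it names the side and the counter, which is the information a first responder wants before logging into either firewall.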
ASA_s2s_rsa_ikev2
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.108.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
ASA1(config)# crypto ca en ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA1
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
ASA2
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
crypto ca enroll ttt
Obtain a new password from the 2008 CA
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA2
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R1#
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
ASA1(config)# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
5119715 101.1.1.100/500 102.1.1.100/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/40 sec
Child sa: local selector 192.168.101.0/0 - 192.168.101.255/65535
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0x9f01e33f/0x14ff9428
ASA1(config)# sh cry
ASA1(config)# sh crypto ip
ASA1(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/500, remote crypto endpt.: 102.1.1.100/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 14FF9428
current inbound spi : 9F01E33F
ASA2# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
4933683 102.1.1.100/500 101.1.1.100/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/59 sec
Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0x14ff9428/0x9f01e33f
ASA2# sh cry
ASA2# sh crypto ip
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/500, remote crypto endpt.: 101.1.1.100/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 9F01E33F
current inbound spi : 14FF9428
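The show crypto ikev2 sa output is the place to confirm that what was negotiated is what crypto ikev2 policy 1 asked for, and that both sides really authenticated with certificates (Auth sign: RSA, Auth verify: RSA) rather than falling back to a pre-shared key. The script below is an added example, not the book's code: it parses the two outputs above (embedded as sample input) and checks session state, complementary roles, mutual RSA authentication, mirrored child SA selectors and the negotiated encryption, integrity and DH group against an expectation built from the policy in this lab. The names parse_ikev2_sa, check_ikev2_pair and EXPECT are my own.

```python
import re

ROW = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$", re.M)
PARAMS = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
                    r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
SELECTOR = re.compile(r"(local|remote) selector\s+(\S+)/\d+\s+-\s+(\S+)/\d+")


def parse_ikev2_sa(text):
    # Read a one-tunnel 'show crypto ikev2 sa' output into a dict.
    tid, local, remote, status, role = ROW.search(text).groups()
    encr, keysize, hash_, dh, sign, verify = PARAMS.search(text).groups()
    sel = {kind: (lo, hi) for kind, lo, hi in SELECTOR.findall(text)}
    return {"tunnel_id": int(tid), "local": local, "remote": remote, "status": status, "role": role,
            "session": re.search(r"Status:(\S+),", text).group(1),
            "encr": encr, "keysize": int(keysize), "hash": hash_, "dh": int(dh),
            "sign": sign, "verify": verify,
            "local_sel": sel["local"], "remote_sel": sel["remote"]}


def check_ikev2_pair(a, b, expect):
    # FAIL if the tunnel is down, not certificate-authenticated on both sides,
    # or negotiated anything other than what the configured policy ('expect') asks for.
    out = []
    for sa in (a, b):
        t = sa["tunnel_id"]
        if sa["session"] != "UP-ACTIVE" or sa["status"] != "READY":
            out.append(f"FAIL tunnel {t} is {sa['session']}/{sa['status']}")
        if (sa["sign"], sa["verify"]) != ("RSA", "RSA"):
            out.append(f"FAIL tunnel {t}: auth sign/verify {sa['sign']}/{sa['verify']} is not mutual RSA")
        for key, want in expect.items():
            if sa[key] != want:
                out.append(f"FAIL tunnel {t}: negotiated {key}={sa[key]}, policy expects {want}")
    if {a["role"], b["role"]} != {"INITIATOR", "RESPONDER"}:
        out.append("FAIL roles are not one initiator and one responder")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("FAIL IKE endpoints do not point at each other")
    if a["local_sel"] != b["remote_sel"] or a["remote_sel"] != b["local_sel"]:
        out.append("FAIL child SA traffic selectors are not mirror images")
    return out


# What 'crypto ikev2 policy 1' in this lab asks for: aes (128-bit), integrity sha (SHA-1/96), group 5.
EXPECT = {"encr": "AES-CBC", "keysize": 128, "hash": "SHA96", "dh": 5}

# Constructed sample input, copied from the two outputs above.
ASA1_OUT = """
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
5119715 101.1.1.100/500 102.1.1.100/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/40 sec
Child sa: local selector 192.168.101.0/0 - 192.168.101.255/65535
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0x9f01e33f/0x14ff9428
"""
ASA2_OUT = """
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
4933683 102.1.1.100/500 101.1.1.100/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/59 sec
Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0x14ff9428/0x9f01e33f
"""

if __name__ == "__main__":
    print(check_ikev2_pair(parse_ikev2_sa(ASA1_OUT), parse_ikev2_sa(ASA2_OUT), EXPECT) or ["as expected"])
```

Keeping EXPECT next to the configured policy means a later change on one firewall that quietly lowers the DH group or switches the tunnel-group to pre-shared keys shows up as a FAIL the next time the output is collected, which a glance at "UP-ACTIVE" alone would never reveal.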
ASA1
object network inside
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
ex
nat (inside,outside) source static inside inside destination static s2s s2s
nat (inside,outside) source dynamic any interface
access-list out permit icmp any object inside
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
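The order of the two nat statements above is what makes this test pass. The ASA walks manual (twice) NAT rules in the order they are entered and uses the first match, and the crypto map ACL is evaluated against the packet after translation. With the identity rule first, traffic for 192.168.102.0/24 keeps its real source address and matches access-list 101, so it is encrypted; everything else is PATed to the outside address and goes out as ordinary Internet traffic. Put the dynamic PAT first and the VPN-bound traffic is translated to 101.1.1.100, no longer matches the crypto ACL, and leaves the outside interface in the clear. The script below is an added example, not the book's code: it models the two rules of this lab in both orders and reports, for a given flow, which rule matched, the post-NAT source and whether the crypto ACL would catch it. The rule representation and the names translate, matches_crypto_acl_101 and outcome are my own.

```python
import ipaddress

OUTSIDE_IF = "101.1.1.100"                             # ASA1 outside address in this lab
INSIDE_NET = ipaddress.ip_network("192.168.101.0/24")  # object network inside
S2S_NET = ipaddress.ip_network("192.168.102.0/24")     # object network s2s

# Constructed model of the two manual NAT rules above, in the order the book enters them.
# A rule is (command, source match, destination match, action); None matches any address.
RULES_AS_CONFIGURED = [
    ("nat (inside,outside) source static inside inside destination static s2s s2s",
     INSIDE_NET, S2S_NET, "identity"),
    ("nat (inside,outside) source dynamic any interface", None, None, "pat"),
]
RULES_REVERSED = list(reversed(RULES_AS_CONFIGURED))    # the ordering mistake this example is about


def translate(rules, src, dst):
    # First-match evaluation, the way the ASA walks Section 1 (manual NAT).
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for command, src_net, dst_net, action in rules:
        if src_net is not None and s not in src_net:
            continue
        if dst_net is not None and d not in dst_net:
            continue
        return command, (src if action == "identity" else OUTSIDE_IF)
    return None, src                                    # no manual rule matched


def matches_crypto_acl_101(src, dst):
    # access-list 101 permit ip 192.168.101.0/24 192.168.102.0/24, applied to the post-NAT packet.
    return ipaddress.ip_address(src) in INSIDE_NET and ipaddress.ip_address(dst) in S2S_NET


def outcome(rules, src, dst):
    rule, post_nat_src = translate(rules, src, dst)
    return {"rule": rule, "post_nat_src": post_nat_src,
            "encrypted": matches_crypto_acl_101(post_nat_src, dst)}


if __name__ == "__main__":
    for rules, label in ((RULES_AS_CONFIGURED, "as configured"), (RULES_REVERSED, "PAT first")):
        for dst in ("192.168.102.100", "101.1.1.1"):
            print(label, "192.168.101.100 ->", dst, outcome(rules, "192.168.101.100", dst))
```

The R1 pings above exercise exactly these two flows: 192.168.101.100 to 101.1.1.1 arrives at R3 from 101.1.1.100, while 192.168.101.100 to 192.168.102.100 is counted in #pkts encrypt on ASA1. A VPN that "works" after a NAT change is worth re-checking with show crypto ipsec sa, because the reversed order still answers pings, just not through the tunnel.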
ASA_s2s_rsa_ikev2_2012_ca
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.112.1 255.255.255.0
ASA1
int g0/0
no shu
nameif inside
ip add 192.168.101.1
interface g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# pin
ASA1# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# pin
ASA1# ping 192.168.112.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.112.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA2# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2# pin
ASA2# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2# pin
ASA2# ping 192.168.112.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R3
R3#clock set 14:24:30 7 oct 2014
R3#conf t
R3(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
GO TO CA SERVER
http://192.168.112.100/certsrv/mscep/mscep.dll
Copy the OTP for ASA1, then refresh the page to obtain a new one for ASA2.
ASA1(config)# crypto ca trustpoint ttt
ASA1(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll
ASA1(config-ca-trustpoint)# ex
ASA1(config)# crypto ca authenticate ttt
INFO: Certificate has the following attributes:
Fingerprint: 15e057f1 e800b9d9 90410bd8 cbd9263b
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA1
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
ASA2
ASA2(config)# crypto ca trustpoint ttt
ASA2(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll
ASA2(config-ca-trustpoint)# ex
ASA2(config)# crypto ca authenticate ttt
INFO: Certificate has the following attributes:
Fingerprint: 15e057f1 e800b9d9 90410bd8 cbd9263b
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA2
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
R1#ping 192.168.102.100 repeat 100
*Oct 7 09:13:38.111: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
ASA1# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
5337201 101.1.1.100/500 102.1.1.100/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/24 sec
Child sa: local selector 192.168.101.0/0 - 192.168.101.255/65535
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0x9888f2d4/0xb65c501b
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/500, remote crypto endpt.: 102.1.1.100/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B65C501B
current inbound spi : 9888F2D4
inbound esp sas:
spi: 0x9888F2D4 (2559111892)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (3962860/1771)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB65C501B (3059503131)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4193260/1771)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap: 0x00000000 0x00000001
ASA2# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
6916937 102.1.1.100/500 101.1.1.100/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/42 sec
Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0xb65c501b/0x9888f2d4
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/500, remote crypto endpt.: 101.1.1.100/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 9888F2D4
current inbound spi : B65C501B
inbound esp sas:
spi: 0xB65C501B (3059503131)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4147180/1753)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap: 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9888F2D4 (2559111892)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4008940/1753)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap: 0x00000000 0x00000001
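An added example (not from the book) that parses the show crypto ikev2 sa and show crypto ipsec sa output above from both peers and checks that the state is mirrored: IKE roles and endpoints, the negotiated suite, child SA traffic selectors, ESP SPIs, and encaps/decaps counters. The sample text is abridged from the output shown above; the function names are mine.

```python
import re

# Abridged from the 'show crypto ikev2 sa' / 'show crypto ipsec sa' output above.
ASA1_IKEV2 = """\
5337201 101.1.1.100/500 102.1.1.100/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Child sa: local selector 192.168.101.0/0 - 192.168.101.255/65535
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0x9888f2d4/0xb65c501b
"""
ASA2_IKEV2 = """\
6916937 102.1.1.100/500 101.1.1.100/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0xb65c501b/0x9888f2d4
"""
ASA1_IPSEC = """\
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
current outbound spi: B65C501B
current inbound spi : 9888F2D4
Anti replay bitmap:0xFFFFFFFF 0xFFFFFFFF
"""
ASA2_IPSEC = """\
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
current outbound spi: 9888F2D4
current inbound spi : B65C501B
Anti replay bitmap:0xFFFFFFFF 0xFFFFFFFF
"""


def _grab(pattern, text):
    """Groups of the first match; a missing field raises instead of passing silently."""
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError("field not found: " + pattern)
    return m.groups()


def parse_ikev2(text):
    """Fields worth comparing between peers from 'show crypto ikev2 sa'."""
    local, remote, status, role = _grab(r"^\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$", text)
    encr, keysize, hsh, dh = _grab(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+)", text)
    spi_in, spi_out = _grab(r"ESP spi in/out: 0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)", text)
    return {"local": local, "remote": remote, "status": status, "role": role,
            "suite": (encr, int(keysize), hsh, int(dh)),
            "local_sel": _grab(r"local selector (\S+ - \S+)", text)[0],
            "remote_sel": _grab(r"remote selector (\S+ - \S+)", text)[0],
            "spi_in": spi_in.lower(), "spi_out": spi_out.lower()}


def parse_ipsec(text):
    """Counters, current SPIs and the inbound anti-replay window from 'show crypto ipsec sa'."""
    (encaps,) = _grab(r"#pkts encaps: (\d+)", text)
    (decaps,) = _grab(r"#pkts decaps: (\d+)", text)
    (spi_out,) = _grab(r"current outbound spi: ([0-9a-fA-F]+)", text)
    (spi_in,) = _grab(r"current inbound spi\s*: ([0-9a-fA-F]+)", text)
    # The first bitmap printed belongs to the inbound SA; each set bit is a sequence
    # number already accepted inside the 64-packet replay window.
    hi, lo = _grab(r"Anti replay bitmap:\s*0x([0-9a-fA-F]+) 0x([0-9a-fA-F]+)", text)
    return {"encaps": int(encaps), "decaps": int(decaps),
            "spi_in": spi_in.lower(), "spi_out": spi_out.lower(),
            "replay_window_seen": bin(int(hi, 16) << 32 | int(lo, 16)).count("1")}


def cross_check(a_ike, b_ike, a_ipsec, b_ipsec, max_loss=0):
    """Inconsistencies between peer A and peer B; an empty list means the state is mirrored."""
    findings = []
    for name, ike, ipsec in (("A", a_ike, a_ipsec), ("B", b_ike, b_ipsec)):
        if ike["status"] != "READY":
            findings.append(f"{name}: IKEv2 SA status is {ike['status']}")
        if (ike["spi_in"], ike["spi_out"]) != (ipsec["spi_in"], ipsec["spi_out"]):
            findings.append(f"{name}: IPsec SA SPIs do not match the IKEv2 child SA")
    if {a_ike["role"], b_ike["role"]} != {"INITIATOR", "RESPONDER"}:
        findings.append("roles are not one INITIATOR and one RESPONDER")
    if a_ike["suite"] != b_ike["suite"]:
        findings.append("negotiated cipher suites differ")
    if (a_ike["local"], a_ike["remote"]) != (b_ike["remote"], b_ike["local"]):
        findings.append("IKE endpoints are not mirrored")
    if (a_ike["local_sel"], a_ike["remote_sel"]) != (b_ike["remote_sel"], b_ike["local_sel"]):
        findings.append("child SA traffic selectors are not mirrored")
    if (a_ike["spi_in"], a_ike["spi_out"]) != (b_ike["spi_out"], b_ike["spi_in"]):
        findings.append("ESP SPIs are not mirrored")
    # Packets one side encapsulated should reappear as the other side's decaps; a gap
    # larger than max_loss points at drops or something else between the peers.
    if abs(a_ipsec["encaps"] - b_ipsec["decaps"]) > max_loss or \
            abs(b_ipsec["encaps"] - a_ipsec["decaps"]) > max_loss:
        findings.append("encaps/decaps counters disagree between peers")
    return findings


if __name__ == "__main__":
    ike = parse_ikev2(ASA1_IKEV2), parse_ikev2(ASA2_IKEV2)
    ipsec = parse_ipsec(ASA1_IPSEC), parse_ipsec(ASA2_IPSEC)
    print(cross_check(ike[0], ike[1], ipsec[0], ipsec[1]) or "tunnel state is consistent")
```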
Chapter 17
After reading this chapter you will be able to describe:
Remote Access VPN
Modes
Working
Remote Access VPN
It enables remote users, mobile users and Internet users to access the internal network of a company.
Modes
Client
Network Extension
Network Extension Plus
Client Mode
In client mode an internal IP address is offered to the remote client.
When the remote client wants to access an internal resource of the server LAN, it generates a PDU with an internal source and destination. That PDU is protected by ESP, and an external IP address is attached to the packet so that it can be routed over the Internet.
Note
It is unidirectional: only the client can access the server LAN, but the server LAN cannot access the client.
It can be implemented in software or hardware.
Client Mode Hardware
In client mode an internal IP address is offered to the remote client.
When the remote client LAN wants to access an internal resource, that request is PATed to the obtained internal IP address. If the remote LAN wants to access the Internet, that request is PATed to the public IP address of the remote client.
Note
It is unidirectional: only the client can access the server LAN, but the server LAN cannot access the client.
Network Extension
In Network Extension an internal IP address is not offered to the remote client.
Note
It is bi-directional.
It can be implemented only on hardware.
Network Extension Plus
In Network Extension Plus an internal IP address is offered to the remote client. The internal IP address is not for PATing; it is for remote management purposes.
Note
It is bi-directional.
It can be implemented only on hardware.
Working
1. The client initiates a request: it sends a proposal to the server.
2. The client sends its pre-defined policy.
3. The server matches the client proposal against its own configured policy.
4. If the proposal matches, the server prompts for username & password.
5. If the user is authenticated, the server sends the policy to the client. This policy includes the IP address, mask and interesting traffic.
6. At last a reverse route is installed in the routing table.
Diagram:-
ASA_ra_pre_8.0
Initial-config
R1
interface fastEthernet 0/0
no shut
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.2.0
net 192.168.20.0
ADMIN
interface fastEthernet 0/0
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
MGMT
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
route outside 0 0 101.1.1.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/50 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/50 ms
PAT
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/55/84 ms
admin#
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/46/76 ms
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
hash sha
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto isakmp enable outside
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.100
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
pre-shared-key admin
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
pre-shared-key mgmt
Install the VPN client software.
connection entry: any name
host: ASA public IP 101.1.1.100
tunnel group: admin
key: admin
confirm key: admin
Save.
Repeat the same task for mgmt: click New in the VPN client and fill in the same fields.
Then go to the ASA:
ASA1(config)# username shiva password shiva privilege 15
Go to PC1 and click OK.
ASA1(config)# sh route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
C 101.1.1.0 255.255.255.0 is directly connected, outside
S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
The ping reply is not coming back. The reason is NAT: exclude the VPN traffic from NAT using NAT exemption.
access-list nat-exemption permit ip any 192.168.100.0 255.255.255.0
access-list nat-exemption permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat-exemption
nat (inside2) 0 access-list nat-exemption
There is no Internet access from the client; use split tunneling.
On the ASA:
access-list stacl permit 192.168.0.0 255.255.0.0
group-policy admin internal
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt internal
group-policy mgmt attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group mgmt general-attributes
default-group-policy mgmt
Disconnect and reconnect the VPN connection and see the effect.
ASA1
! banner
group-policy admin attributes
banner value ADMIN_GROUP
group-policy mgmt attributes
banner value MGMT_GRPUP
ASA1(config)# clock set 08:56:00 30 sep 2014
time-range shiva
periodic weekdays 09:00 to 18:00
group-policy admin attributes
vpn-access-hours value shiva
No connection, due to the time ACL: the time now is 8:59. Wait 1 minute and try at 9:00.
ASA1# sh clock
08:59:43.968 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:58.371 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.029 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.820 UTC Tue Sep 30 2014
ASA1# sh clock
09:00:01.090 UTC Tue Sep 30 2014
Now that it is the correct time, you can access.
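An added example (not the book's own) that checks two things this lab relies on: that each ip local pool lies inside a network the NAT-exemption ACL bound with nat (ifc) 0 excludes from NAT (the "ping reply is not coming back" fix above), and whether a given clock reading falls inside the time-range attached with vpn-access-hours (the 08:59 vs 09:00 test above). The config text is constructed from the lab's own lines; the function names are mine, and the end minute of a periodic range is treated as exclusive (an assumption).

```python
import ipaddress
import re
from datetime import datetime

# Constructed from the lab's config lines above (pools, NAT exemption ACL, time-range).
CONFIG = """\
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.100
access-list nat-exemption permit ip any 192.168.100.0 255.255.255.0
access-list nat-exemption permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat-exemption
nat (inside2) 0 access-list nat-exemption
time-range shiva
 periodic weekdays 09:00 to 18:00
group-policy admin attributes
 vpn-access-hours value shiva
group-policy mgmt attributes
 split-tunnel-policy tunnelspecified
"""

DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
DAY_NAMES = {d: i for i, d in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}


def parse_pools(cfg):
    """name -> (first, last) address of each 'ip local pool'."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def pool_sizes(cfg):
    """How many clients each pool can serve at the same time."""
    return {n: int(last) - int(first) + 1 for n, (first, last) in parse_pools(cfg).items()}


def exempt_networks(cfg):
    """Destination networks excluded from NAT: entries of ACLs bound with 'nat (ifc) 0 access-list'."""
    applied = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    nets = []
    for m in re.finditer(r"^access-list (\S+) (?:extended )?permit ip any (\S+) (\S+)", cfg, re.M):
        if m.group(1) in applied:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def pools_exempt_from_nat(cfg):
    """name -> True when the whole pool lies inside one exempted network."""
    nets = exempt_networks(cfg)
    return {n: any(first in net and last in net for net in nets)
            for n, (first, last) in parse_pools(cfg).items()}


def parse_time_ranges(cfg):
    """name -> list of (weekday set, start minute, end minute) from 'periodic' lines."""
    ranges, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^time-range (\S+)", line)
        if m:
            current = ranges.setdefault(m.group(1), [])
            continue
        m = re.match(r"^\s*periodic (.+?) (\d\d):(\d\d) to (\d\d):(\d\d)$", line)
        if m and current is not None:
            days = set()
            for word in m.group(1).split():
                days |= DAY_SETS[word] if word in DAY_SETS else {DAY_NAMES[word]}
            current.append((days, int(m.group(2)) * 60 + int(m.group(3)),
                            int(m.group(4)) * 60 + int(m.group(5))))
    return ranges


def access_hours(cfg):
    """group-policy name -> time-range name set by 'vpn-access-hours value'."""
    hours, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
        m = re.match(r"^\s*vpn-access-hours value (\S+)", line)
        if m and current:
            hours[current] = m.group(1)
    return hours


def vpn_access_allowed(cfg, group_policy, when):
    """True/False against the policy's access hours; None when the policy sets none.
    'when' is a datetime or an ISO string such as the 'show clock' reading above.
    Assumption: the start minute is inclusive and the end minute exclusive."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    tr = access_hours(cfg).get(group_policy)
    if tr is None:
        return None
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_time_ranges(cfg).get(tr, []))


if __name__ == "__main__":
    print(pool_sizes(CONFIG), pools_exempt_from_nat(CONFIG))
    for clock in ("2014-09-30 08:59:59", "2014-09-30 09:00:01"):
        print(clock, vpn_access_allowed(CONFIG, "admin", clock))
```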
ASA_ra_rsa_8.0
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no sh
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.2.0
net 192.168.20.0
ADMIN
interface fastEthernet 0/0
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
MGMT
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz
security-level 50
ip address 192.168.105.1 255.255.255.0
!
route outside 0 0 101.1.1.1
router eigrp 100
no aut
net 192.168.1.0
net 192.168.2.0
net 192.168.105.0
redistribute static metric 1 1 1 1 1
ASA1(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 101.1.1.100 YES manual up up
Ethernet0/1 192.168.1.1 YES manual up up
Ethernet0/2 192.168.2.1 YES manual up up
Ethernet0/3 192.168.105.1 YES manual up up
Ethernet0/4 unassigned YES unset administratively down up
Ethernet0/5 unassigned YES unset administratively down up
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ASA1# ping 192.168.105.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/20 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/70 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/60 ms
ASA1
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/128 ms
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/49/64 ms
R1
R1#clock set 09:19:15 30 sep 2014
R1#
*Sep 30 09:19:15.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:18:29 UTC Fri
Mar 1 2002 to 09:19:15 UTC Tue Sep 30 2014, configured from console by console.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA1(config)# domain-name cisco.com
ASA1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA1(config)# sh clock
09:20:29.523 UTC Tue Sep 30 2014
ASA1(config)# crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **************** (this password is obtained from the CA, as in the site-to-site lab)
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA1.cisco.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
ASA1
crypto isakmp policy 1
authentication rsa-sig
encryption 3des
group 2
hash sha
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto isakmp enable outside
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
trust-point ttt
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
trust-point ttt
username shiva password shiva privilege 15
access-list stacl permit 192.168.0.0 255.255.0.0
group-policy admin internal
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt internal
group-policy mgmt attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
access-list nat0 permit ip any 192.168.100.0 255.255.255.0
access-list nat0 permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat0
nat (inside2) 0 access-list nat0
Static PAT for the CA, so that an Internet user can obtain certificates from the CA:
static (dmz,outside) tcp interface 80 192.168.105.100 80
access-list out permit tcp any interface outside eq 80
access-group out in interface outside
Go to the PC:
ping 101.1.1.100
Then open Start > Run and type
http://101.1.1.100/certsrv
If you see this error, it is saying that you should update your CA enrollment pages from Microsoft.
Tips
1. Update the CA pages.
2. Use an XP client with CA 2003.
3. Use a Win 7 client with CA 2008.
What do you say?
For now we will use an XP client. In later labs we will use CA 2008 & a Win 7 client.
In Run, type http://101.1.1.100/certsrv
In the Department field the value must be admin or mgmt, so that the certificate joins the matching tunnel group.
Scroll down & submit, then click Yes.
Install the certificate, clicking Yes at both prompts.
ASA1
! for split tunnel
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group mgmt general-attributes
default-group-policy mgmt
ASA_ra_ikev1_pre
Initial-config
R1
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
interface gigabitEthernet 0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
interface g0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 192.168.2.0
net 192.168.20.0
R4
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R5
interface f0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1#
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
sh history
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key admin
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
ikev1 pre-shared-key mgmt
username shiva password shiva privilege 15
ASA1
access-list stacl permit 192.168.0.0 255.255.0.0
group-policy admin internal
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt internal
group-policy mgmt attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
sh history
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group mgmt general-attributes
default-group-policy mgmt
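The group policies above use split-tunnel-policy tunnelspecified, so only destinations permitted by the stacl access list are sent into the IPsec tunnel; everything else leaves the client unencrypted. As an added example (not code from the book), the following Python models how the three ASA split-tunnel-policy values (tunnelall, tunnelspecified and excludespecified) decide whether a destination is tunnelled, generalising beyond the single tunnelspecified case the lab shows. The ACL table and the destination addresses are constructed here for illustration; the helper names are my own.

```python
import ipaddress


def net(addr, mask):
    """ASA-style 'address netmask' pair -> IPv4Network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# Constructed ACL table mirroring "access-list stacl permit 192.168.0.0 255.255.0.0".
STACL = [("permit", net("192.168.0.0", "255.255.0.0"))]


def acl_permits(acl, dst_ip):
    """First-match evaluation of a standard ACL with the implicit deny at the end."""
    d = ipaddress.ip_address(dst_ip)
    for action, network in acl:
        if d in network:
            return action == "permit"
    return False


def tunnelled(policy, acl, dst_ip):
    """True when traffic to dst_ip enters the tunnel under the group-policy's split-tunnel-policy."""
    if policy == "tunnelall":           # everything goes through the VPN
        return True
    if policy == "tunnelspecified":     # only networks permitted by the ACL go through the VPN
        return acl_permits(acl, dst_ip)
    if policy == "excludespecified":    # networks permitted by the ACL bypass the VPN
        return not acl_permits(acl, dst_ip)
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def route_table(policy, acl, destinations):
    """Map each destination to 'tunnel' or 'local' for a quick client-side view."""
    return {d: ("tunnel" if tunnelled(policy, acl, d) else "local") for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: the lab's R4/R5 LANs plus a public address.
    sample = ["192.168.10.100", "192.168.20.100", "8.8.8.8"]
    for policy in ("tunnelall", "tunnelspecified", "excludespecified"):
        print(policy, route_table(policy, STACL, sample))
```

The practical check this gives a defender is the asymmetry between tunnelspecified and excludespecified: with the same stacl, flipping the policy inverts which side of the network the client reaches outside the tunnel, so the ACL must be reviewed together with the policy keyword, not on its own.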
ASA1# sh route outside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C 101.1.1.0 255.255.255.0 is directly connected, outside
L 101.1.1.100 255.255.255.255 is directly connected, outside
S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
ASA1#
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.101.100
Type : user Role : responder
Rekey : no State : AM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.100/255.255.255.255/0/0)
current_peer: 192.168.101.100, username: shiva
dynamic allocated peer ip: 192.168.100.100
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 192.168.101.100/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 349BA5D9
current inbound spi : 9D375C4D
ASA1
PAT
nat (inside1,outside) source dynamic any interface
nat (inside2,outside) source dynamic any interface
access-list out permit icmp any 192.168.0.0 255.255.0.0
access-group out in interface outside
R4#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#*Oct 1 09:26:49.290: %SYS-5-CONFIG_I: Configured from console by console
R5#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ASA1
object network admin
subnet 192.168.100.0 255.255.255.0
object network mgmt
subnet 192.168.200.0 255.255.255.0
exit
object network inside1
subnet 192.168.10.0 255.255.255.0
object network inside2
subnet 192.168.20.0 255.255.255.0
ex
sh running-config object
nat (inside1,outside) 1 source static inside1 inside1 destination static admin admin
nat (inside1,outside) 1 source static inside1 inside1 destination static mgmt mgmt
nat (inside2,outside) 1 source static inside2 inside2 destination static admin admin
nat (inside2,outside) 1 source static inside2 inside2 destination static mgmt mgmt
R4#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
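The dynamic PAT rules translate every inside host to the outside interface address, which also catches traffic bound for the VPN address pools; the four identity twice-NAT rules inserted at line 1 exempt inside-to-pool traffic from that PAT because the manual NAT section is evaluated first-match, top down. As an added example (not the book's code), the following Python simulates that first-match evaluation for the manual NAT section only; auto (object) NAT and after-auto rules are not modelled. The object table mirrors the lab's object definitions, while the rule class, table class, helper names and the sample hosts are my own constructions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = "101.1.1.100"   # the lab's outside interface address


def net(spec):
    """'192.168.10.0 255.255.255.0' -> IPv4Network (ASA-style address and netmask)."""
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# Constructed object table mirroring the book's "object network" definitions.
OBJECTS = {
    "inside1": net("192.168.10.0 255.255.255.0"),
    "inside2": net("192.168.20.0 255.255.255.0"),
    "admin": net("192.168.100.0 255.255.255.0"),
    "mgmt": net("192.168.200.0 255.255.255.0"),
}


@dataclass
class ManualNatRule:
    src_if: str
    dst_if: str
    src: ipaddress.IPv4Network   # real source condition
    dst: ipaddress.IPv4Network   # real destination condition (ANY when omitted)
    mapped: str                  # "identity" (static X X) or "interface" (PAT to interface)


class ManualNatTable:
    """First-match table for the manual NAT section (section 1) only."""

    def __init__(self):
        self.rules = []

    def add(self, rule, line=None):
        # "nat (in,out) 1 source static ..." inserts at line 1; without a line
        # number the rule is appended to the end of the section.
        if line is None:
            self.rules.append(rule)
        else:
            self.rules.insert(line - 1, rule)

    def translate_source(self, src_if, dst_if, src_ip, dst_ip, outside_ip):
        """Return the mapped source address that the destination side will see."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if r.src_if == src_if and r.dst_if == dst_if and s in r.src and d in r.dst:
                return src_ip if r.mapped == "identity" else outside_ip
        return src_ip   # no matching rule: untranslated


def pat_only():
    """nat (inside1,outside) source dynamic any interface, and the same for inside2."""
    t = ManualNatTable()
    for ifc in ("inside1", "inside2"):
        t.add(ManualNatRule(ifc, "outside", ANY, ANY, "interface"))
    return t


def pat_with_vpn_exemption():
    """The book's fix: identity twice-NAT rules inserted at line 1 for inside-to-pool traffic."""
    t = pat_only()
    for ifc in ("inside1", "inside2"):
        for pool in ("admin", "mgmt"):
            t.add(ManualNatRule(ifc, "outside", OBJECTS[ifc], OBJECTS[pool], "identity"), line=1)
    return t


if __name__ == "__main__":
    # Constructed sample flow: R4 (192.168.10.100) talking to a client in the admin pool.
    for name, table in (("PAT only", pat_only()), ("with exemption", pat_with_vpn_exemption())):
        seen = table.translate_source("inside1", "outside", "192.168.10.100", "192.168.100.100", OUTSIDE_IP)
        print(f"{name}: the VPN client sees R4 as {seen}")
```

Running it shows the same inside host presented as 101.1.1.100 under PAT only and as its real address once the identity rules sit above the PAT rule, while traffic to the Internet (for example to 101.1.1.1) is still PATed in both tables. The line number is what matters: appending the identity rules after the dynamic rule would never reach them, because the any/any PAT rule matches first.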
ASA_ra_ikev1_rsa
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
int g0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
interface gigabitEthernet 0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
interface gigabitEthernet 0/3
no shu
nameif dmz
security-level 50
ip add 192.168.108.1
route outside 0 0 101.1.1.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 0.0.0.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
R5
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R1
R1#clock set 15:00:40 1 oct 2014
R1#conf t
R1(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
% The fully-qualified domain name in the certificate will be: ASA1
% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption 3des
group 2
ex
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
sh history
ip local pool admin 192.168.100.100-192.168.100.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin
tunnel-group admin ipsec-attributes
ikev1 trust-point ttt
username shiva password shiva privilege 15
ASA1
access-list stacl permit 192.168.0.0 255.255.0.0
group-policy admin internal
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
tunnel-group admin general-attributes
default-group-policy admin
ASA
Static-pat
object network ca
host 192.168.108.100
nat (dmz,outside) static interface service tcp 80 80
access-list out permit tcp any object ca eq 80
access-group out in interface outside
On the client, in Run, type:
http://101.1.1.100/certsrv
On Windows 7 this site should be added as a trusted site.
ASA1# sh route outside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C 101.1.1.0 255.255.255.0 is directly connected, outside
L 101.1.1.100 255.255.255.255 is directly connected, outside
S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.100/255.255.255.255/0/0)
current_peer: 192.168.101.100, username: shiva
dynamic allocated peer ip: 192.168.100.100
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 109, #pkts decrypt: 109, #pkts verify: 109
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 192.168.101.100/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CA9454E5
current inbound spi : ABBB7A60
ASA1# sh cry
ASA1# sh crypto is
ASA1# sh crypto ik
ASA1# sh crypto ikev1
ERROR: % Incomplete command
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.101.100
Type : user Role : responder
Rekey : no State : MM_ACTIVE
Chapter 18
After reading this chapter you will be able to describe:
VPN Load Balancing
Limitation
VPN Load Balancing Terminology
VPN Load Balancing
VPN Load Balancing
Load balancing is a Cisco-proprietary feature that allows Easy VPN servers to logically appear as one server.
Limitation
Only for IPsec & SSL.
In IPsec, only for Remote Access. It is not for site-to-site VPN.
VPN Load Balancing Terminology
Cluster: A logical group of devices or appliances which provides common application access; it is identified with a virtual IP.
Master: An appliance which has a higher priority. The master is responsible for handling client requests and distributes them to group members based on load. The master is responsible for the cluster IP. Default ASA priority is 1.
Member: An appliance which is participating in the cluster.
VCA: Virtual Cluster Agent.
The client will initiate a phase 1 request to the virtual IP address of the cluster. It will be accepted by the master. Then the master will check the load of the members. Load is calculated as the total active VPN connections over the total maximum connections.
It is not true load like CPU utilization or amount of traffic. After checking load, the master will redirect the connection to a member. The redirection message in phase 1 is Cisco proprietary; only a Cisco client can understand it. If the master has the least load, it will redirect the connection to itself.
VCA (Virtual Cluster Agent): this protocol is used for VPN load balancing; it uses UDP port 9023.
Diagram:-
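The redirect decision described above is simple enough to model. As an added example (not the book's code), the following Python simulates a master that receives phase 1 requests on the cluster IP, computes each member's load as active sessions divided by the session limit, and redirects the client to the least-loaded member, itself included. The two-member table, its session limit of 250 and the priorities 10 and 9 are constructed to match the lab that follows; the function names, the tie-break rules and the VCA report fields are my own assumptions, since the page does not document them.

```python
CLUSTER_IP = "101.1.1.100"
VCA_UDP_PORT = 9023   # the page states VCA runs over UDP port 9023


def make_cluster():
    """Fresh copy of the constructed member table (priority 10 wins, as in the lab)."""
    return [
        {"public_ip": "101.1.1.101", "priority": 10, "active": 0, "max": 250},
        {"public_ip": "101.1.1.102", "priority": 9, "active": 0, "max": 250},
    ]


def vpn_load(member):
    """Load as the page defines it: active VPN sessions divided by the session limit,
    not CPU utilisation or throughput."""
    return member["active"] / member["max"]


def elect_master(members):
    """The member with the highest priority is master (ASA default priority is 1).
    Tie-break on the public IP string is an assumption made only for determinism."""
    return max(members, key=lambda m: (m["priority"], m["public_ip"]))


def vca_report(member):
    """What a member advertises to the master over VCA: public IP, priority and load.
    The field names are an assumption; the page does not describe the wire format."""
    return {"port": VCA_UDP_PORT, "public_ip": member["public_ip"],
            "priority": member["priority"], "load": vpn_load(member)}


def handle_phase1_request(members, client_ip):
    """Master receives the client's phase 1 request on the cluster IP, compares member
    loads, and answers with a redirect to the least-loaded member (possibly itself)."""
    master = elect_master(members)
    # The master is evaluated first so that on an equal-load tie it keeps the session
    # (assumption: the page only says it redirects to itself when it is least loaded).
    ordered = [master] + [m for m in members if m is not master]
    target = min(ordered, key=vpn_load)
    target["active"] += 1          # the new session now counts against that member
    return {"client": client_ip, "cluster_ip": CLUSTER_IP,
            "redirect_to": target["public_ip"], "load_after": vpn_load(target)}


def distribute(members, clients):
    """Run a batch of client requests through the master; return the chosen public IPs."""
    return [handle_phase1_request(members, c)["redirect_to"] for c in clients]


if __name__ == "__main__":
    cluster = make_cluster()
    # Constructed clients: the lab's R1 LAN hosts behind 192.168.101-103.x.
    for client in ["192.168.101.100", "192.168.102.100", "192.168.103.100"]:
        print(handle_phase1_request(cluster, client))
    print([vca_report(m) for m in cluster])
```

With two idle members the first session stays on the master, the second goes to the backup, and the third returns to the master, which is the alternating pattern an operator should expect to see in sh vpn load-balancing. Because load is a session count rather than a resource measure, a member with a few heavy AnyConnect users can still be preferred over an idle one, which is the limitation the text points out.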
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ip add 192.168.102.1 255.255.255.0 secondary
ip add 192.168.103.1 255.255.255.0 secondary
ip add 192.168.104.1 255.255.255.0 secondary
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.3 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ASA1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 101.1.1.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif admin
security-level 100
ip address 192.168.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
network 192.168.100.0 255.255.255.0
redistribute static metric 1 1 1 1 1
ASA2
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 101.1.1.102 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif admin
security-level 100
ip address 192.168.200.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
network 192.168.200.0 255.255.255.0
!
!
!
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.103.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!
!
!
ASA2(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.103.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!
!
!
ASA1
!
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
ip local pool admin 192.168.100.100-192.168.100.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key admin
username shiva password shiva privilege 15
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
ip local pool admin 192.168.200.100-192.168.200.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key shiva
username shiva password shiva privilege 15
ASA1
vpn load-balancing
cluster ip address 101.1.1.100
interface lbpublic outside
interface lbprivate inside
priority 10
participate
ASA2
vpn load-balancing
cluster ip address 101.1.1.100
interface lbpublic outside
interface lbprivate inside
priority 9
participate
ASA1
ASA1# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Master n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Master 10 ASA5512 4 101.1.1.101*
Backup 9 ASA5512 4 101.1.1.102
Total License Load:
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Other VPN Public IP
----------------------------- ---------------------
Limit Used Load Limit Used Load
--------------------------------------------------------------------------
2 0 0% 250 0 0% 101.1.1.101*
2 0 0% 250 0 0% 101.1.1.102
Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Inactive Load Public IP
--------------------------------------------------------------------------
0 0% 101.1.1.101*
0 0% 101.1.1.102
ASA2
ASA2# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Backup n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Backup 9 ASA5512 4 101.1.1.102*
Master 10 ASA5512 4 101.1.1.101
Total License Load:
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Other VPN Public IP
----------------------------- ---------------------
Limit Used Load Limit Used Load
--------------------------------------------------------------------------
2 0 0% 250 0 0% 101.1.1.102*
Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Inactive Load Public IP
--------------------------------------------------------------------------
0 0% 101.1.1.102*
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
!
!
ASA1
ASA1# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Master n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Master 10 ASA5512 4 101.1.1.101*
Backup 9 ASA5512 4 101.1.1.102
Total License Load:
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Other VPN Public IP
----------------------------- ---------------------
Limit Used Load Limit Used Load
--------------------------------------------------------------------------
2 0 0% 250 2 1% 101.1.1.101*
2 0 0% 250 2 1% 101.1.1.102
Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Inactive Load Public IP
--------------------------------------------------------------------------
0 0% 101.1.1.101*
0 0% 101.1.1.102
ASA2(config)# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Backup n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Backup 9 ASA5512 4 101.1.1.102*
Master 10 ASA5512 4 101.1.1.101
Total License Load:
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Other VPN Public IP
----------------------------- ---------------------
Limit Used Load Limit Used Load
--------------------------------------------------------------------------
2 0 0% 250 2 1% 101.1.1.102*
Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
AnyConnect Premium/Essentials Inactive Load Public IP
--------------------------------------------------------------------------
0 0% 101.1.1.102*
ASA1
ASA1# sh route outside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C 101.1.1.0 255.255.255.0 is directly connected, outside
L 101.1.1.101 255.255.255.255 is directly connected, outside
S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
S 192.168.100.101 255.255.255.255 [1/0] via 101.1.1.1, outside
ASA2# sh route outside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C 101.1.1.0 255.255.255.0 is directly connected, outside
L 101.1.1.102 255.255.255.255 is directly connected, outside
S 192.168.200.100 255.255.255.255 [1/0] via 101.1.1.1, outside
S 192.168.200.101 255.255.255.255 [1/0] via 101.1.1.1, outside
Chapter 19: Secure Socket Layer VPN

After reading this chapter you will be able to describe:
Secure Socket Layer VPN
Modes
Requirements
Working
SSL was originally developed by Netscape for secure data transmission between a web server and a web browser over the Internet. Several vendors have since adopted it as a VPN transport as well; WebVPN is Cisco's marketing term for its SSL VPN.

SSL sits between the application and the transport layer: the application opens the session, SSL protects the data (the presentation-layer view of it), and the protected records are carried by TCP. In both the OSI and the TCP/IP model SSL therefore works on top of the transport layer, which is why an SSL VPN passes through NAT and most firewalls as ordinary TCP port 443 traffic where an IPsec VPN often needs extra help.

SSL Versions
Version 1 was never released.
Version 2 was the first public release; it has known weaknesses and is disabled in all current browsers.
Version 3 is the basis of TLS, the IETF successor to SSL; what an "SSL VPN" negotiates today is TLS.

SSL Modes
Clientless
Thin Client
Thick Client

Clientless Mode
As the name suggests, clientless mode needs no client software. The browser makes a request to the SSL gateway (the ASA) and the gateway proxies it to the internal resource.
Clientless mode secures only web-based applications: HTTP and HTTPS, including browser front ends for mail such as Outlook Web Access on an Exchange server. Protocols such as SMTP, POP3 and IMAP are not web-based; reaching them needs thin client or thick client mode.

Thin Client Mode
Thin client mode, also known as port forwarding, was designed for non-web applications that use a static TCP port, such as Telnet, SSH and RDP. A small Java applet downloaded from the portal listens on a local port on the client PC; the application connects to that local port, the applet relays the connection to the SSL gateway inside the SSL session, and the gateway proxies it to the internal resource.

Thick Client Mode
Thick client mode provides network-layer access, like an IPsec remote-access VPN, so every application, web-based or not, can be reached. When the client first connects, the ASA pushes a package (the AnyConnect client) and the client installs it. After installation the ASA pushes policy to the client: the tunnel IP address and mask, the interesting (split-tunnel) traffic and so on.

SSL Requirements
Clientless: only a web browser.
Thin client: a web browser with Java; ActiveX and pop-ups must be enabled in the browser.
Thick client: a web browser with Java; ActiveX and pop-ups enabled; the AnyConnect package and the Cisco Secure Desktop package loaded on the ASA.

Working
The client initiates a request to the server.
The server sends its certificate to the client; the certificate contains the server's public key.
The client generates a shared secret (the pre-master secret) and encrypts it with the server's public key.
The encrypted secret is delivered to the server, which decrypts it with its private key.
Both sides now hold the same secret, derive the session keys from it, and bulk (symmetric) encryption of the data begins.

Two consequences of this RSA key exchange matter when deploying it. First, everything rests on the client validating the server certificate in the second step: a user who clicks past the warning for the ASA's default self-signed certificate will encrypt the secret to whatever key an interceptor presents, so the ASA should use a certificate from a CA the clients trust. Second, the secret is encrypted to the server's long-term key, so anyone who records the traffic and later obtains the ASA's private key can decrypt it (no forward secrecy); TLS 1.3, and TLS 1.2 with ephemeral Diffie-Hellman cipher suites, avoid this by agreeing a fresh key per session.
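The five steps above run end to end, as an added example that is not the book's code and nothing shipped by Cisco. It uses only the Python standard library, so the RSA key comes from a small Miller-Rabin search and the "bulk cipher" is HMAC-SHA256 run in counter mode standing in for AES; the message layouts, labels and names (rsa_handshake, derive_keys, seal, open_record, passive_decrypt, demo) are this example's own simplifications, not the real TLS record formats. The last function demonstrates the forward-secrecy caveat: a recorded handshake plus the server's private key is enough to recover the session.

```python
import hashlib
import hmac
import os
import random

# Added example (not the book's code): the five-step RSA key-transport handshake from the text, stdlib only.
# RSA_BYTES = 128 gives a 1024-bit modulus, enough for a demo and too small for production.
RSA_BYTES = 128
_RNG = random.SystemRandom()

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with `rounds` random bases; callers only pass odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=RSA_BYTES * 8):
    """Return ((e, n), (d, n)) with e = 65537."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _expand(key, info, length):
    """HMAC-SHA256 in counter mode: the PRF for key derivation and, below, the stand-in for the bulk cipher."""
    blocks = (hmac.new(key, info + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def derive_keys(pre_master, client_random, server_random):
    """Step 5: master secret from the pre-master secret and both randoms, then one 32-byte key per direction."""
    master = _expand(pre_master, b"master secret" + client_random + server_random, 48)
    block = _expand(master, b"key expansion" + server_random + client_random, 64)
    return {"c2s": block[:32], "s2c": block[32:]}

def seal(key, seq, plaintext):
    """Bulk encryption of one record: keystream XOR, then an HMAC tag over nonce + ciphertext (encrypt-then-MAC)."""
    nonce = seq.to_bytes(8, "big")
    ct = bytes(b ^ k for b, k in zip(plaintext, _expand(key, b"enc" + nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_record(key, record):
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record MAC check failed")
    return bytes(b ^ k for b, k in zip(ct, _expand(key, b"enc" + nonce, len(ct))))

def _rsa_unwrap(priv, cke):
    """Step 4: private-key decrypt, then strip the PKCS#1 v1.5-shaped padding 00 02 <nonzero bytes> 00 <secret>."""
    d, n = priv
    padded = pow(int.from_bytes(cke, "big"), d, n).to_bytes(RSA_BYTES, "big")
    if padded[:2] != b"\x00\x02":  # a real server must not reveal this outcome (Bleichenbacher padding oracle)
        raise ValueError("bad RSA padding")
    return padded[padded.index(b"\x00", 2) + 1:]

def rsa_handshake(server_pub, server_priv, wire):
    """Steps 1-4. `wire` collects what a passive observer records; returns (client_keys, server_keys)."""
    e, n = server_pub
    client_random, server_random = os.urandom(32), os.urandom(32)
    wire.append(("ClientHello", client_random))                                             # step 1
    wire.append(("ServerHello+Certificate", server_random + n.to_bytes(RSA_BYTES, "big")))  # step 2
    pre_master = os.urandom(48)                                                             # step 3
    filler = bytes(_RNG.randrange(1, 256) for _ in range(RSA_BYTES - 3 - len(pre_master)))
    cke = pow(int.from_bytes(b"\x00\x02" + filler + b"\x00" + pre_master, "big"), e, n).to_bytes(RSA_BYTES, "big")
    wire.append(("ClientKeyExchange", cke))
    server_pre_master = _rsa_unwrap(server_priv, cke)                                       # step 4
    return (derive_keys(pre_master, client_random, server_random),
            derive_keys(server_pre_master, client_random, server_random))

def passive_decrypt(server_priv, wire, record):
    """No forward secrecy: the recording plus a later copy of the server's private key reproduces the keys."""
    msgs = dict(wire)
    pre_master = _rsa_unwrap(server_priv, msgs["ClientKeyExchange"])
    keys = derive_keys(pre_master, msgs["ClientHello"], msgs["ServerHello+Certificate"][:32])
    return open_record(keys["c2s"], record)

def demo(message=b"GET / HTTP/1.1\r\nHost: 101.1.1.100\r\n\r\n"):
    # Returns (plaintext the server decrypts, plaintext an eavesdropper recovers from the recording).
    pub, priv = rsa_keygen()
    wire = []
    client_keys, server_keys = rsa_handshake(pub, priv, wire)
    record = seal(client_keys["c2s"], 0, message)  # client -> server application data
    return open_record(server_keys["c2s"], record), passive_decrypt(priv, wire, record)
```

demo() shows both outcomes at once: the server reads the request, and so does anyone holding the recorded handshake and the private key. Replace the RSA-encrypted pre-master secret with an ephemeral Diffie-Hellman exchange and passive_decrypt stops working, which is the whole argument for forward-secret cipher suites on the VPN gateway.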
Diagram: ASA_ssl_8.0 (lab topology; figure not reproduced)
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
redistribute static metric 1 1 1 1 1
!
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
en
router ei 100
no au
net 0.0.0.0
admin
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
mgmt
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/24/40 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
ASA1
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol webvpn
webvpn
port-forward name admin
port-forward enable admin
group-policy mgmt internal
group-policy mgmt attributes
vpn-tunnel-protocol webvpn
webvpn
port-forward name mgmt
port-forward auto-start mgmt
tunnel-group admin type remote-access
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group admin webvpn-attributes
group-alias admin enable
tunnel-group mgmt type remote-access
tunnel-group mgmt general-attributes
default-group-policy mgmt
tunnel-group mgmt webvpn-attributes
group-alias mgmt enable
webvpn
tunnel-group-list enable
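Thin-client mode as described under SSL Modes and configured above with the port-forward lists, modelled as an added example. This is not the book's code, nor Cisco's, nor the Java applet the ASA serves: it parses port-forward lines of the form used on this page into (list, local port, host, port) entries and runs a relay that listens on the client's loopback port and forwards to the target. Its assumptions are that plain TCP stands in for the SSL session between applet and ASA, that a stub on 127.0.0.1 stands in for the internal host (192.168.10.100 in the lab), and the names LocalForwarder, parse_port_forward, start_stub_host and run_demo are its own.

```python
import socket
import threading

# Added example (not the book's code): a loopback relay modelling thin-client (port-forwarding) mode.
# The real Java applet carries each relayed connection inside the SSL session to the ASA; this
# stand-in relays plain TCP so everything runs on one machine. All names here are the example's own.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}  # service keywords used on the page

def parse_port_forward(config_text):
    """'port-forward <list> <local-port> <host> <service|port>' lines -> (list, local_port, host, port)."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "port-forward":  # 3-token forms (name/enable/auto-start) are skipped
            svc = parts[4]
            entries.append((parts[1], int(parts[2]), parts[3], SERVICE_PORTS.get(svc) or int(svc)))
    return entries

def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the half-close on to the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class LocalForwarder:
    """Listens on 127.0.0.1:<local_port>; each accepted connection is relayed to the fixed (host, port)."""

    def __init__(self, local_port, host, port):
        self.target = (host, port)
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Loopback only: this listener is an entry point into the inside network, so other hosts on the user's LAN must not reach it.
        self.sock.bind(("127.0.0.1", local_port))
        self.sock.listen(5)
        self.local_port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            try:
                upstream = socket.create_connection(self.target)  # gateway side: only the configured target is reachable
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.sock.close()

def start_stub_host():
    """Stand-in for the internal host (192.168.10.100 in the lab): replies 'BANNER ' + request, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"BANNER " + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def run_demo(payload=b"SSH-2.0-probe\r\n"):
    """Send `payload` through a forwarder built from a constructed port-forward line; return the host's reply."""
    stub_port = start_stub_host()
    line = "port-forward admin 2222 127.0.0.1 %d" % stub_port  # constructed; the lab line targets 192.168.10.100 ssh
    _name, _local_port, host, port = parse_port_forward(line)[0]
    forwarder = LocalForwarder(0, host, port)  # 0: let the OS pick the demo's loopback port
    try:
        with socket.create_connection(("127.0.0.1", forwarder.local_port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    return reply
                reply += chunk
    finally:
        forwarder.close()
```

The loopback-only bind is the security-relevant detail: the local listener is the way into the corporate network, so it must never be reachable by other machines on the user's LAN. The fixed target tuple plays the role of the ASA side of the real feature: a given local port leads only to the host and port named in the configured list, whatever the application connecting to it asks for.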
webvpn
enable outside
svc image disk0:/svc2.5.pkg 1
svc enable
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
tunnel-group-list enable
group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol svc webvpn
webvpn
port-forward name admin
port-forward enable admin
svc keep-installer installed
svc ask enable
group-policy mgmt internal
group-policy mgmt attributes
vpn-tunnel-protocol svc webvpn
webvpn
port-forward name mgmt
port-forward auto-start mgmt
svc keep-installer installed
svc ask enable
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.254
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool admin
default-group-policy admin
tunnel-group admin webvpn-attributes
group-alias admin enable
tunnel-group mgmt type remote-access
tunnel-group mgmt general-attributes
address-pool mgmt
default-group-policy mgmt
tunnel-group mgmt webvpn-attributes
group-alias mgmt enable
webvpn
no enable outside
port 9090
enable outside
https://101.1.1.100:9090
group-policy admin attributes
banner value admin
group-policy mgmt attributes
banner value mgmt
webvpn
onscreen-keyboard logon
clear configure ip local pool
group-policy admin attributes
dhcp-network-scope 192.168.100.0
group-policy mgmt attributes
dhcp-network-scope 192.168.200.0
ex
tunnel-group admin general-attributes
dhcp-server 192.168.10.100
tunnel-group mgmt general-attributes
dhcp-server 192.168.20.100
admin
ip dhcp pool admin
network 192.168.100.0
default-router 192.168.100.
mgmt
ip dhcp pool mgmt
network 192.168.200.0
default-router 192.168.200.1
admin#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.100.1 0063.6973.636f.2d30. Mar 02 2002 01:04 AM Automatic
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.312d.696e.
7369.6465.3100
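The Client-ID column above is the DHCP option 61 client identifier the router stored for the lease the ASA requested on the VPN user's behalf, printed as dotted hex and wrapped over several lines. As an added example that is not the book's code, the following Python parser rebuilds each record from the wrapped output and decodes the identifier; SAMPLE_BINDING is constructed from the admin router's output above, and the names parse_dhcp_bindings and decode_client_id are this example's own. Decoded, the identifier is an ASCII string beginning with cisco-, containing a MAC address and ending with the ASA interface name, which is the value to search for when correlating a VPN client's lease in the DHCP server's logs.

```python
import re

# Added example (not the book's code): parse IOS 'show ip dhcp binding' output and decode the
# Client-ID column. The hex wraps over several lines, so continuation lines are joined before decoding.
# SAMPLE_BINDING is constructed from the admin router's output on this page.
SAMPLE_BINDING = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.100.1       0063.6973.636f.2d30.    Mar 02 2002 01:04 AM    Automatic
                    3061.622e.6364.3932.
                    2e35.3230.312d.636c.
                    6965.6e74.312d.696e.
                    7369.6465.3100
"""

_RECORD = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F.]+)\s+"
                     r"(\w{3} \d{2} \d{4} \d{2}:\d{2} [AP]M|Infinite)\s+(\S+)")
_CONTINUATION = re.compile(r"^\s*([0-9a-fA-F.]+)\s*$")


def decode_client_id(hex_dotted):
    """Option 61: first byte is the type (0 = non-hardware identifier, 1 = Ethernet MAC), the rest is the value."""
    raw = bytes.fromhex(hex_dotted.replace(".", ""))
    if raw[0] == 0:
        return 0, raw[1:].rstrip(b"\x00").decode("ascii", "replace")
    return raw[0], raw[1:].hex()


def parse_dhcp_bindings(text):
    """Return one dict per lease with ip, expires, type and the decoded client identifier."""
    records = []
    for line in text.splitlines():
        m = _RECORD.match(line)
        if m:
            records.append({"ip": m.group(1), "client_id_hex": m.group(2),
                            "expires": m.group(3), "type": m.group(4)})
            continue
        m = _CONTINUATION.match(line)
        if m and records:  # wrapped continuation of the previous record's Client-ID
            records[-1]["client_id_hex"] += m.group(1)
    for r in records:
        r["client_id_type"], r["client_id"] = decode_client_id(r["client_id_hex"])
    return records
```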
mgmt#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.200.1 0063.6973.636f.2d30. Mar 02 2002 01:08 AM Automatic
3061.622e.6364.3932.
2e35.3230.322d.636c.
6965.6e74.322d.696e.
7369.6465.3200
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/46/76 ms
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/92 ms
access-list nat0 permit ip any 192.168.100.0 255.255.255.0
access-list nat0 permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat0
nat (inside2) 0 access-list nat0
access-list stacl standard permit 192.168.0.0 255.255.0.0
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
admin#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.100.7 0063.6973.636f.2d30. Mar 01 2002 01:24 AM Automatic
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.342d.696e.
7369.6465.3100
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/124 ms
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/141/212 ms
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
ex
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 1 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto isakmp enable outside
sh history
tunnel-group admin ipsec-attributes
pre-shared-key admin
tunnel-group mgmt ipsec-attributes
pre-shared-key mgmt
group-policy admin attributes
vpn-tunnel-protocol svc webvpn ipSec
group-policy mgmt attributes
vpn-tunnel-protocol svc webvpn ipSec
admin#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.100.8 0063.6973.636f.2d30. Mar 01 2002 01:36 AM Automatic
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.392d.696e.
7369.6465.3100
192.168.100.9 0063.6973.636f.2d30. Mar 02 2002 01:34 AM Automatic
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.312d.696e.
7369.6465.3100
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/51/80 ms
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/63/120 ms
ASA1# sh route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
C 101.1.1.0 255.255.255.0 is directly connected, outside
S 192.168.100.9 255.255.255.255 [1/0] via 101.1.1.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
ASA_ssl_9.2
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 0.0.0.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R5
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
int gigabitEthernet 0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
interface gigabitEthernet 0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
route outside 0 0 101.1.1.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
On the client, access https://101.1.1.100
In the URL bar type http://192.168.10.100 or http://192.168.20.100
ASA thin client (port-forward)
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol ssl-clientless
webvpn
port-forward name admin
port-forward enable admin
group-policy mgmt internal
group-policy mgmt attributes
vpn-tunnel-protocol ssl-clientless
webvpn
port-forward name mgmt
port-forward auto-start mgmt
tunnel-group admin_group type remote-access
tunnel-group admin_group general-attributes
default-group-policy admin
tunnel-group admin_group webvpn-attributes
group-alias ADMIN_GROUP enable
tunnel-group mgmt_group type remote-access
tunnel-group mgmt_group general-attributes
default-group-policy mgmt
tunnel-group mgmt_group webvpn-attributes
group-alias MGMT_GROUP enable
webvpn
tunnel-group-list enable
ASA1(config-webvpn)# username shiva password shiva privilege 15
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
tunnel-group-list enable
group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
port-forward name admin
port-forward enable admin
anyconnect keep-installer installed
anyconnect ask enable
group-policy mgmt internal
group-policy mgmt attributes
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
port-forward name mgmt
port-forward auto-start mgmt
anyconnect keep-installer installed
anyconnect ask enable
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.254
tunnel-group admin_group type remote-access
tunnel-group admin_group general-attributes
address-pool admin
default-group-policy admin
tunnel-group admin_group webvpn-attributes
group-alias ADMIN_GROUP enable
tunnel-group mgmt_group type remote-access
tunnel-group mgmt_group general-attributes
address-pool mgmt
default-group-policy mgmt
tunnel-group mgmt_group webvpn-attributes
group-alias MGMT_GROUP enable
username shiva password shiva privilege 15
ASA1# vpn-sessiondb logoff webvpn
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions of type "webvpn" logged off : 2
ASA1# sh route outside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C 101.1.1.0 255.255.255.0 is directly connected, outside
L 101.1.1.100 255.255.255.255 is directly connected, outside
S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
access-list stacl permit 192.168.0.0 255.255.0.0
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
Disconnect and reconnect the client.
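The split-tunnel decision the client makes with the policy above, as an added example (not the book's code and not ASA or AnyConnect software): it models how `split-tunnel-policy` combined with the `split-tunnel-network-list` ACL decides which destinations go through the VPN. The ACL is the book's `stacl` (192.168.0.0/16); the destination addresses used below are constructed, and the three policy names are the values the ASA accepts.

```python
"""Split-tunnel decision for an AnyConnect client (added example, not ASA code)."""
import ipaddress

# access-list stacl permit 192.168.0.0 255.255.0.0  ->  (network, mask) tuples
STACL = [("192.168.0.0", "255.255.0.0")]


def acl_networks(acl):
    """Standard-ACL entries as IPv4Network objects (ASA ACLs use subnet masks, not wildcards)."""
    return [ipaddress.IPv4Network(f"{net}/{mask}") for net, mask in acl]


def in_acl(acl, dst: str) -> bool:
    """True when any ACL entry contains the destination address."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in n for n in acl_networks(acl))


def tunneled(dst: str, policy: str, acl=STACL) -> bool:
    """True when traffic to dst enters the tunnel; False when it leaves the client's
    physical interface directly and therefore never passes the ASA's policy."""
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":      # only the listed networks are protected
        return in_acl(acl, dst)
    if policy == "excludespecified":     # everything except the listed networks
        return not in_acl(acl, dst)
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def secured_routes(policy: str, acl=STACL):
    """Routes the client points at the tunnel adapter, as CIDR strings."""
    if policy == "tunnelspecified":
        return [str(n) for n in acl_networks(acl)]
    return ["0.0.0.0/0"]                 # tunnelall and excludespecified default into the tunnel


def classify(dsts, policy, acl=STACL):
    """Map each destination to 'tunnel' or 'local' for a quick policy review."""
    return {d: ("tunnel" if tunneled(d, policy, acl) else "local") for d in dsts}


if __name__ == "__main__":
    for pol in ("tunnelall", "tunnelspecified", "excludespecified"):
        print(pol, classify(["192.168.10.100", "203.0.113.10"], pol), secured_routes(pol))
```

With `tunnelspecified`, only 192.168.0.0/16 is sent to the ASA; every other destination leaves the client's local interface uninspected, which is the trade-off to weigh against the `tunnelall` default.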
webvpn
csd image disk0:/csd_3.6.6203-k9.pkg
csd enable
exit
http server enable
http 0 0 outside
username shiva password shiva privilege 15
PC
https://101.1.1.100/ for the SSL VPN portal
https://101.1.1.100/admin for ASDM
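A small audit of the remote-management lines in the lab configs above, as an added example (not the book's code, not a Cisco tool): it flags the vty `transport input ssh telnet` and `ip http server` lines from the R4/R5 configs, the ASA `http 0 0 outside` line, the `username shiva password shiva` / `secret shiva` accounts, and the port-forward entries that expose telnet. The sample config is constructed from those lines; the rule IDs and messages are this example's own policy.

```python
"""Lint remote-management settings in an IOS/ASA config (added example)."""
import re

# Constructed sample: the relevant lines from the R4 and ASA1 configs above.
SAMPLE_CONFIG = """\
hostname R4
line vty 0 90
 transport input ssh telnet
 login local
ip http server
ip http secure-server
username shiva privilege 15 secret shiva
hostname ASA1
http server enable
http 0 0 outside
username shiva password shiva privilege 15
webvpn
 enable outside
 port-forward admin 2222 192.168.10.100 ssh
 port-forward admin 2323 192.168.10.100 telnet
"""


def audit(config: str):
    """Return a list of (rule_id, message) findings for one config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()

        # IOS vty line that still accepts telnet (cleartext credentials on the wire)
        m = re.match(r"transport input\s+(.+)", line)
        if m and "telnet" in m.group(1).split():
            findings.append(("TELNET_VTY", "vty accepts telnet; keep 'transport input ssh' only"))

        # IOS cleartext HTTP server next to the HTTPS one
        if line == "ip http server":
            findings.append(("HTTP_CLEARTEXT", "cleartext HTTP management enabled; use 'ip http secure-server' only"))

        # ASA 'http <addr> <mask> <ifname>' that allows ASDM/HTTPS from any source
        m = re.match(r"http\s+(\S+)\s+(\S+)\s+(\S+)$", line)
        if m and m.group(1) in ("0", "0.0.0.0") and m.group(2) in ("0", "0.0.0.0"):
            findings.append(("HTTP_ANY_SOURCE",
                             f"ASDM/HTTPS open to any source on '{m.group(3)}'; limit to management hosts"))

        # local account whose password/secret equals the username (IOS and ASA forms)
        m = re.match(r"username\s+(\S+)\s.*?(?:password|secret)\s+(\S+)", line)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append(("WEAK_PASSWORD", f"user '{m.group(1)}' has a password equal to the username"))

        # clientless port-forward entry that publishes telnet to remote users
        m = re.match(r"port-forward\s+(\S+)\s+\d+\s+(\S+)\s+telnet$", line)
        if m:
            findings.append(("PORTFWD_TELNET",
                             f"port-forward list '{m.group(1)}' exposes telnet on {m.group(2)}; prefer ssh"))
    return findings


if __name__ == "__main__":
    for rule_id, msg in audit(SAMPLE_CONFIG):
        print(f"{rule_id:16} {msg}")
```

The audit is line-based on purpose: every finding maps back to one config line, which is what you want when handing the list to whoever maintains the devices.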
webvpn
no csd enable
webvpn
smart-tunnel list sss telnet telnet.exe
group-policy admin attributes
webvpn
port-forward disable
smart-tunnel enable sss
https://101.1.1.100
Install the add-ons and start the smart tunnel again.
Chapter 20
After reading this chapter you will be able to describe:
Transparent Firewall
ASA Modes
Advantages
Limitations
Difference between Switching & Transparent Firewall
Transparent Firewall
Transparent Firewall
Cisco ASA runs in one of two modes: routed mode or transparent mode.
Routed Mode
In routed mode the ASA works as a layer 3 device: it forwards packets based on the destination IP address.
Transparent Mode
In transparent mode the ASA works as a layer 2 device: it forwards frames based on the destination MAC address. It still has the capability to filter traffic from layer 2 to layer 7.
Advantages
Use transparent mode if you want to implement a firewall in your network without readdressing the network.
Transparent Firewall limitation
Only 2 interfaces can be used
No dynamic routing
No VPN (only a site-to-site VPN can be configured, for management)
No CDP
No DTP
No VTP
No IPv6
NAT is optional in OS version 8.0 and later
No DHCP Relay Service
Non-IP traffic is dropped by default
Difference between Switching & Transparent Firewall
Switch
Learns MAC addresses based on the source MAC
Forwards a frame based on the destination MAC
Uses STP
Floods:
1. Broadcast
2. Multicast
3. Unknown unicast
Transparent Firewall
Learns MAC addresses based on the source MAC
Forwards a frame based on the destination MAC
Doesn't use STP
Floods:
1. Broadcast
2. Multicast
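The two forwarding behaviours compared above, as an added example (not the book's code and not ASA software): a toy model in which both devices learn from the source MAC and forward by destination MAC, while only the switch floods unknown unicast (the book lists just broadcast and multicast as flooded by the transparent firewall; a real ASA tries to resolve the destination with ARP instead of flooding) and only the transparent firewall drops non-IP EtherTypes by default. Port names and MAC addresses are constructed; STP is not modelled beyond the note that the firewall does not run it.

```python
"""Frame forwarding: switch vs. transparent firewall (added example, not ASA code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    src: str        # source MAC, colon-separated hex
    dst: str        # destination MAC
    ethertype: int
    in_port: str    # port/interface the frame arrived on


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class L2Device:
    flood_unknown_unicast = True                     # switch behaviour
    allowed_ethertypes: Optional[Set[int]] = None    # None: forward every EtherType

    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.cam: Dict[str, str] = {}                # MAC -> port, learned from source MACs

    def forward(self, f: Frame) -> List[str]:
        """Return the egress ports for the frame; an empty list means it is dropped."""
        if self.allowed_ethertypes is not None and f.ethertype not in self.allowed_ethertypes:
            return []                                # non-IP traffic dropped by default
        self.cam[f.src] = f.in_port                  # learn from the source MAC
        others = [p for p in self.ports if p != f.in_port]
        if is_group_address(f.dst):
            return others                            # broadcast and multicast: flooded by both
        out = self.cam.get(f.dst)
        if out is not None:
            return [] if out == f.in_port else [out] # known unicast: forward by destination MAC
        return others if self.flood_unknown_unicast else []


class Switch(L2Device):
    """Learns, forwards, runs STP (not modelled) and floods unknown unicast."""


class TransparentFirewall(L2Device):
    """Two interfaces in one bridge group; no STP; no unknown-unicast flooding;
    only IPv4 and ARP pass unless an EtherType ACL permits more."""
    flood_unknown_unicast = False
    allowed_ethertypes = {ETHERTYPE_IPV4, ETHERTYPE_ARP}

    def __init__(self, inside: str = "inside", outside: str = "outside"):
        super().__init__([inside, outside])


if __name__ == "__main__":
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw, fw = Switch(["p1", "p2", "p3"]), TransparentFirewall()
    print("switch, unknown unicast:", sw.forward(Frame(a, b, ETHERTYPE_IPV4, "p1")))
    print("firewall, unknown unicast:", fw.forward(Frame(a, b, ETHERTYPE_IPV4, "inside")))
    print("firewall, ARP broadcast:", fw.forward(Frame(a, BROADCAST, ETHERTYPE_ARP, "inside")))
    print("firewall, LLDP frame:", fw.forward(Frame(a, b, 0x88CC, "inside")))
```

The practical consequence of the no-flooding rule is visible in the lab that follows: hosts on either side of the ASA must be reachable by ARP for their MAC to be learned, and anything that is not IP or ARP silently disappears until an EtherType ACL allows it.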
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R5
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R1
R1#ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2
R2#ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1
interface fastEthernet 0/0
ip nat inside
interface fastEthernet 0/1
ip nat outside
exit
ip access-list extended natacl
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list natacl interface fastEthernet 0/1 overload
R2
interface fastEthernet 0/0
ip nat inside
interface fastEthernet 0/1
ip nat outside
exit
ip access-list extended natacl
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list natacl interface fastEthernet 0/1 overload
R1
R1#ping 101.1.1.1 source fastEthernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#sh ip nat
R1#sh ip nat t
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 101.1.1.100:2 192.168.101.1:2 101.1.1.1:2 101.1.1.1:2
R2#ping 101.1.1.1 source fastEthernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#sh ip nat
R2#sh ip nat t
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 102.1.1.100:1 192.168.102.1:1 101.1.1.1:1 101.1.1.1:1
R1
interface t0
ip add 192.168.123.1 255.255.255.0
tunnel source 101.1.1.100
tunnel destination 102.1.1.100
tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R2
interface tunnel 0
ip add 192.168.123.2 255.255.255.0
tunnel source 102.1.1.100
tunnel destination 101.1.1.100
tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R1
R1#sh ip route ospf
O 192.168.102.0/24 [110/1001] via 192.168.123.2, 00:00:04, Tunnel0
R2
R2#sh ip route ospf
O 192.168.101.0/24 [110/1001] via 192.168.123.1, 00:00:28, Tunnel0
R1
R1#ping 192.168.102.1 source fastEthernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R2
R2#ping 192.168.101.1 source fastEthernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1
ASA1(config)# firewall transparent
ciscoasa(config)# ho
ciscoasa(config)# hostname ASA1
ASA1(config)#
ASA2
ASA2(config)# firewall transparent
ciscoasa(config)# ho
ciscoasa(config)# hostname ASA2
ASA2(config)#
ASA2(config)#
ASA1
interface bvi 1
ip address 192.168.101.111 255.255.255.0
interface gigabitEthernet 0/0
no shu
nameif inside
bridge-group 1
interface gigabitEthernet 0/1
no shu
nameif outside
bridge-group 1
route outside 0 0 192.168.101.1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2
interface bvi 1
ip add 192.168.102.111 255.255.255.0
interface gigabitEthernet 0/0
no shu
nameif inside
bridge-group 1
interface gigabitEthernet 0/1
no shu
nameif outside
bridge-group 1
route outside 0 0 192.168.102.1
ASA2(config-if)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config-if)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R4
R4#ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5
R5#ping 192.168.
*Oct 4 06:24:54.215: %SYS-5-CONFIG_I: Configured from console by console
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA1
access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group out in interface outside
ASA2
access-list out permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-group out in interface outside
R4#ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
object network obj_net_192.168.102.0
subnet 192.168.102.0 255.255.255.0
object network obj_net_192.168.111.0
subnet 192.168.111.0 255.255.255.0
nat (inside,outside) source static obj_net_192.168.101.0 obj_net_192.168.101.0 destination static obj_net_192.168.102.0 obj_net_192.168.102.0
nat (inside,outside) source static obj_net_192.168.101.0 obj_net_192.168.111.0
R1(config)#ip route 192.168.111.0 255.255.255.0 192.168.101.111
R1#debug ip icmp
ICMP packet debugging is on
R4#ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#debug ip icmp
ICMP packet debugging is on
R1#
*Oct 4 06:59:21.311: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
R1#
*Oct 4 06:59:23.307: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
R1#
*Oct 4 06:59:25.307: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
R1#
*Oct 4 06:59:27.307: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
R1#
*Oct 4 06:59:29.307: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
ASA1
access-list out permit icmp any object obj_net_192.168.101.0
access-group out in interface outside
R4#ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
*Oct 4 07:02:21.219: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.219: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.223: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.223: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.227: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
ASA2
object network obj_net_192.168.102.0
subnet 192.168.102.0 255.255.255.0
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
object network obj_net_192.168.222.0
subnet 192.168.222.0 255.255.255.0
nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.102.0 destination static obj_net_192.168.101.0 obj_net_192.168.101.0
nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.222.0
R2#debug ip icmp
ICMP packet debugging is on
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#debug ip icmp
ICMP packet debugging is on
R2#
*Oct 4 12:38:04.111: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:04.115: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:06.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:06.111: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:08.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:08.107: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:10.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:10.107: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:12.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:12.107: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2(config)#ip route 192.168.222.0 255.255.255.0 192.168.102.111
R5#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#
*Oct 4 12:39:14.351: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:16.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:18.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:20.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:22.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
ASA2
access-list out permit icmp any object obj_net_192.168.102.0
access-group out in interface outside
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#
*Oct 4 12:40:43.367: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.371: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.371: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.375: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.375: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
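The NAT and ACL behaviour the pings and debug output above demonstrate, as an added example (not the book's code and not ASA software): a first-match model of ASA1's two `nat (inside,outside) source static` rules and its `out` ACL. It reproduces why R4's ping to 192.168.102.100 keeps its real address (the identity rule comes first), why R4's ping to 192.168.101.1 arrives at R1 as 192.168.111.100 (a net-to-net static keeps the host bits), and why the echo reply only passes the outside ACL once `permit icmp any object obj_net_192.168.101.0` is added. Two assumptions are built in: ACLs are evaluated on real (untranslated) addresses, as on ASA 8.3 and later, and ICMP inspection is not enabled, so the reply is checked against the ACL like any other inbound packet. Addresses, object networks and rule order come from the configs above.

```python
"""Twice NAT and the outside ACL of ASA1 in transparent mode (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    real_src: Net
    mapped_src: Net
    real_dst: Optional[Net] = None     # None: the rule does not look at the destination
    mapped_dst: Optional[Net] = None


@dataclass
class Ace:
    proto: str                         # "ip" or "icmp"
    src: Net
    dst: Net


def _remap(addr: ipaddress.IPv4Address, real: Net, mapped: Net) -> ipaddress.IPv4Address:
    """Net-to-net static translation: keep the host bits, swap the network prefix."""
    return ipaddress.IPv4Address(int(mapped.network_address) + (int(addr) - int(real.network_address)))


def nat_outbound(src: str, dst: str, rules: List[NatRule]) -> Tuple[str, str, Optional[int]]:
    """inside -> outside: first rule whose real source (and destination, if set) matches."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, r in enumerate(rules):
        if s in r.real_src and (r.real_dst is None or d in r.real_dst):
            new_d = d if r.real_dst is None else _remap(d, r.real_dst, r.mapped_dst)
            return str(_remap(s, r.real_src, r.mapped_src)), str(new_d), i
    return src, dst, None              # no rule matched: passes untranslated


def nat_inbound(src: str, dst: str, rules: List[NatRule]) -> Tuple[str, str, Optional[int]]:
    """outside -> inside: static rules are bidirectional, so undo the mapping."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, r in enumerate(rules):
        if d in r.mapped_src and (r.mapped_dst is None or s in r.mapped_dst):
            new_s = s if r.mapped_dst is None else _remap(s, r.mapped_dst, r.real_dst)
            return str(new_s), str(_remap(d, r.mapped_src, r.real_src)), i
    return src, dst, None


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str) -> bool:
    """First-match ACL check on real addresses; an empty/no-match result is an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(a.proto in ("ip", proto) and s in a.src and d in a.dst for a in acl)


# ASA1 configuration from the pages above, in the order it was entered
ASA1_NAT = [
    NatRule(Net("192.168.101.0/24"), Net("192.168.101.0/24"),
            Net("192.168.102.0/24"), Net("192.168.102.0/24")),  # identity NAT toward the remote LAN
    NatRule(Net("192.168.101.0/24"), Net("192.168.111.0/24")),  # everything else: 101.x -> 111.x
]
ASA1_OUT_BEFORE = [Ace("ip", Net("192.168.102.0/24"), Net("192.168.101.0/24"))]
ASA1_OUT_AFTER = ASA1_OUT_BEFORE + [Ace("icmp", Net("0.0.0.0/0"), Net("192.168.101.0/24"))]


def reply_allowed(req_src: str, req_dst: str, proto: str, acl: List[Ace], rules=ASA1_NAT) -> bool:
    """Does the reply to a request sent from the inside pass the outside ACL on its way back?"""
    xlated_src, xlated_dst, _ = nat_outbound(req_src, req_dst, rules)
    # the reply on the outside wire goes from the responder to the mapped address
    real_src, real_dst, _ = nat_inbound(xlated_dst, xlated_src, rules)
    return acl_permits(acl, proto, real_src, real_dst)


if __name__ == "__main__":
    print("R4 -> R5:", nat_outbound("192.168.101.100", "192.168.102.100", ASA1_NAT))
    print("R4 -> R1:", nat_outbound("192.168.101.100", "192.168.101.1", ASA1_NAT))
    for name, acl in (("before", ASA1_OUT_BEFORE), ("after", ASA1_OUT_AFTER)):
        print(name, "R1 reply allowed:", reply_allowed("192.168.101.100", "192.168.101.1", "icmp", acl))
```

The model also explains the routing side of the lab: R1 only sees 192.168.111.100, so without the `ip route 192.168.111.0 255.255.255.0 192.168.101.111` entry pointing at the ASA's BVI address its replies follow the default route, which is exactly what the `host unreachable rcv from 102.1.1.1` lines on R2 show for the ASA2 side before its equivalent route was added.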
R4#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#pin
R5#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Chapter 21
After reading this chapter you will be able to describe:
Context
Context Requirement
Context Use
Advantages
Limitations
Context Terminology
Context
We can partition one appliance into many virtual appliances; these virtual appliances are called security contexts.

Context Requirement
Assume you are running a company that provides web hosting services and you have 200 clients. Now each client demands a dedicated appliance for its servers. To fulfil this requirement you would have to purchase 200 appliances, which is very costly. Virtual contexts solve this problem: each client gets its own context on a single appliance.

Context Use
Active-Active failover
Web hosting companies
Companies needing more than one firewall in a single location

Advantages
Cost saving
Eco-friendly or "Go Green"

Limitations in context mode till OS 8.6
No dynamic routing
No VPN
But in ASA OS 9.2.2.4 dynamic routing and IPsec site-to-site VPN are also supported in multiple context mode.
Context Terminology
System Area
Admin Context
Context Chaining
Shared Interface

System Area
When an appliance boots in multiple mode you find yourself in the system area (the system execution space). Its functions are:
It is used to create or delete contexts.
It is used to enable physical interfaces.
It is used to create or delete logical (sub)interfaces.
It is used to allocate interfaces and resources to contexts.

Admin Context
When an appliance boots in multiple mode an admin context is created by default. It is used for appliance management; when the appliance is in multiple mode there must be one admin context.

Context Chaining
We can connect one context to another; this is called context chaining (cascading contexts). It is only possible with a shared interface.

Shared Interface
When we allocate one interface to more than one context, that interface is called a shared interface.
Mac Address auto
This command is used only with shared interfaces, to avoid a MAC address problem. A physical interface has one MAC address, and when that interface is shared between contexts both contexts use the same MAC. When a frame arrives on the physical interface the classifier then cannot tell which context the frame belongs to. The mac-address auto command (entered in the system area) solves this by automatically generating a unique MAC address for each context's shared interface, so the classifier can assign a frame by its destination MAC.
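The classifier problem described above, as an added Python model (not code from the book or from Cisco): two contexts first share the single burned-in MAC of a shared interface, then each gets its own generated MAC as mac-address auto would assign. The context names follow the lab (c1, c2); the burned-in MAC 6c20.56bd.ea84 and the generated MACs a283.ea00.0002 and a283.ea00.0006 are taken from the ARP table R3 shows later in this chapter; the classify() rule set and the frames are this example's assumptions.

```python
"""Model of how the ASA classifier assigns an ingress frame to a security
context on a shared interface, before and after mac-address auto.

Added illustration, not code from the book or from Cisco. The contexts,
frames and the classify() rule set are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    # physical interface name -> MAC address the context uses on that interface
    interfaces: dict = field(default_factory=dict)


def classify(ingress_if, dst_mac, contexts):
    """Return the name of the context that owns the frame, or a reason string.

    Rule 1: an interface allocated to exactly one context identifies that
            context on its own.
    Rule 2: on a shared interface the destination MAC is matched against the
            MAC each context uses there. Exactly one match is required; two
            matches mean both contexts answer to the same MAC and the frame
            cannot be classified (the "confused classifier" of the text).
    """
    owners = [c for c in contexts if ingress_if in c.interfaces]
    if not owners:
        return "drop: interface not allocated to any context"
    if len(owners) == 1:
        return owners[0].name
    matches = [c.name for c in owners
               if c.interfaces[ingress_if].lower() == dst_mac.lower()]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        return "drop: no context uses this MAC on " + ingress_if
    return "ambiguous: " + ",".join(matches)


# Constructed lab: GigabitEthernet0/0 is shared (outside); Gi0/1 and Gi0/2 are
# dedicated inside interfaces. Without mac-address auto every context uses the
# single burned-in MAC of the physical interface.
BURNED_IN = "6c20.56bd.ea84"
without_auto = [
    Context("c1", {"GigabitEthernet0/0": BURNED_IN, "GigabitEthernet0/1": BURNED_IN}),
    Context("c2", {"GigabitEthernet0/0": BURNED_IN, "GigabitEthernet0/2": BURNED_IN}),
]
# With mac-address auto each context gets its own generated MAC on the shared
# interface (the values are the ones R3 learned in the lab's ARP table).
with_auto = [
    Context("c1", {"GigabitEthernet0/0": "a283.ea00.0002", "GigabitEthernet0/1": BURNED_IN}),
    Context("c2", {"GigabitEthernet0/0": "a283.ea00.0006", "GigabitEthernet0/2": BURNED_IN}),
]

if __name__ == "__main__":
    print(classify("GigabitEthernet0/1", BURNED_IN, without_auto))      # c1
    print(classify("GigabitEthernet0/0", BURNED_IN, without_auto))      # ambiguous: c1,c2
    print(classify("GigabitEthernet0/0", "a283.ea00.0006", with_auto))  # c2
```

A real ASA has a further fallback for shared interfaces (classifying by destination address against the NAT configuration) that this model leaves out; the point the book makes is that unique per-context MACs remove the ambiguity at the frame level, which is what the two context lists show.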
Diagram:- ASA_Context
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
ASA1(config)#
ASA1(config)# sh mode
Security context mode: multiple
interface gigabitEthernet 0/0
no shutdown
interface gigabitEthernet 0/1
no shutdown
interface gigabitEthernet 0/2
no shutdown
interface gigabitEthernet 0/3
no shutdown
context c1
context c2
context c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
ASA1
ASA1(config-ctx)# changeto context c1
changeto context c1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1/c1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c1(config)# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# changeto context c2
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/3
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA1/c2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c2(config)# pin
ASA1/c2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1
changeto context c1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1/c1(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:07 timeout 0:00:00
ICMP PAT from inside:192.168.101.100/0 to outside:101.1.1.100/29051 flags ri idle 0:00:07 timeout
0:00:30
ASA1/c1(config)# changeto context c2
changeto context c2
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.102.0 255.255.255.0
access-group out in interface outside
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ASA1/c2(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:07 timeout 0:00:00
ICMP PAT from inside:192.168.102.100/0 to outside:102.1.1.100/44332 flags ri idle 0:00:07 timeout
0:00:30
Diagram:- ASA_inter-context_routing
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ASA1(config)# mode multiple
interface gigabitEthernet 0/0
no shutdown
interface gigabitEthernet 0/1
no shutdown
interface gigabitEthernet 0/2
no shutdown
context c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
config-url disk0:/c2.cfg
!
ASA1(config)# mac-address auto
INFO: Converted to mac-address auto prefix 60035
ASA1(config)# changeto context c1
ASA1/c1(config)#
changeto context c1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.101 255.255.255.0
no shu
interface gigabitEthernet 0/1
no shu
nameif inside
ip add 192.168.101.1
route outside 0 0 101.1.1.1
ASA1/c1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1/c1(config)# pin
ASA1/c1(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
changeto context c2
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.102 255.255.255.0
no shu
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1
route outside 0 0 102.1.1.1
ASA1/c2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1/c2(config)# pin
ASA1/c2(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 101.1.1.1 - 44e4.d987.ecde ARPA FastEthernet0/0
Internet 101.1.1.100 22 6c20.56bd.ea84 ARPA FastEthernet0/0
Internet 101.1.1.101 1 a283.ea00.0002 ARPA FastEthernet0/0
Internet 101.1.1.102 0 a283.ea00.0006 ARPA FastEthernet0/0
Internet 102.1.1.1 - 44e4.d987.ecdf ARPA FastEthernet0/1
Internet 102.1.1.100 21 6c20.56bd.ea85 ARPA FastEthernet0/1
ASA1/c1(config)# changeto context c1
ASA1/c1(config)# route outside 192.168.102.0 255.255.255.0 101.1.1.102
access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group out in interface outside
ASA1/c2(config)# changeto context c2
ASA1/c2(config)# route outside 192.168.101.0 255.255.255.0 101.1.1.101
access-list out permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-group out in interface outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
Chapter 22
After reading this chapter you will be able to describe:
Failover
Failover Types
Failover Implementation Types
Failover System Requirements
The Failover and Stateful Failover Links
Device Initialization and Configuration
Failover Behaviour
Failover Triggers
Stateless (Regular) and Stateful Failover
Things not replicated during failover
Failover Health Monitoring
Interface Monitoring
Failover Configuration Limitations
Failover
A Cisco proprietary feature that provides uninterrupted network access.

Failover types
Stateless Failover
Hardware Failover
Stateful Failover

Stateless
Stateless failover provides logical redundancy: if the primary link goes down, the secondary path is used.

Hardware Failover
When failover was introduced only hardware failover was supported. It provides hardware redundancy and configuration replication. If a failover occurs, connections have to be re-established.
Stateful Failover
Stateful failover provides not only hardware redundancy and configuration replication but also replication of the ARP table, the xlate table, VPN connections and the conn table. If a failover occurs there is no need to re-establish connections.

Failover Implementation types
Active-Standby
Active-Active

Active-Standby
In active-standby failover we require two appliances, one primary and one secondary. The primary works as the active unit and the secondary as the standby unit; if the primary goes down, the secondary takes over the active role. In other words, with Active/Standby failover only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Active-Active
In active-active failover we require two appliances and two or more security contexts. Each appliance is active for one context (or group of contexts), so with Active/Active failover both units can pass network traffic. Active/Active failover is available only on units running in multiple context mode.
Note:- Both failover configurations support stateful or stateless (regular) failover.

Failover System Requirements
Hardware Requirements
Software Requirements
License Requirements
Hardware Requirements
The two units in a failover configuration must have the same hardware configuration:
They must be the same model.
They must have the same number and types of interfaces.
They must have the same amount of RAM.
They must have the same SSMs installed (if any).
Note:- The exception is flash memory. If you use units with different flash memory sizes in your failover configuration, make sure the unit with the smaller flash memory has enough space to accommodate the software image files and the configuration files. Otherwise configuration synchronization will fail.

Software Requirements
The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context) and must run the same software version. However, you can use different versions of the software during an upgrade process.

License Requirements
For the ASA 5510 and 5512 you need the Security Plus license.

The Failover and Stateful Failover Links
The two units in a failover pair constantly communicate over the failover link and the Stateful Failover link to determine the operating status of each unit. The failover link carries information such as:
The unit state (active or standby).
Hello messages (keep-alives).
Network link status.
MAC address exchange.
Configuration replication and synchronization.
Caution: - All information sent over the failover and Stateful Failover links is sent in clear text
unless you secure the communication with a failover key.
Types:-
LAN-Based Failover Link Serial Cable Failover Link (PIX Security Appliance Only)
You can use any unused Ethernet interface on the device as the failover link.
Using a switch, with no other device on the same network segment (broadcast domain or
VLAN) as the LAN failover interfaces of the ASA
Using a crossover Ethernet cable to connect the appliances directly
Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a
crossover cable or a straight-through cable. If you use a straight-through cable, the interface
automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
The serial Failover cable, or “cable-based failover,” is only available on the PIX 500 series security.
One end of the cable is labeled “Primary”. The unit attached to this end of the cable automatically
becomes the primary unit. The other end of the cable is labeled “Secondary”.
The benefits of using cable-based failover include
Immediately detect a power loss
No need of dedicated switch
The disadvantages include:
Distance limitation.
Slower configuration replication.
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. Youhave three options for configuring a Stateful Failover link:
LAN-Based Failover Link
Serial Cable Failover Link (PIX Security
Appliance Only)
Stateful Failover Link
You can use a dedicated Ethernet interface for the Stateful Failover link.
If you are using LAN-based failover, you can share the failover link.
You can share a regular data interface. However, this option is not recommended.
Note:-
Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context.

Device Initialization and Configuration
If both units boot simultaneously, then the primary unit becomes the active unit and the secondary unit becomes the standby unit. If a unit boots and does not detect a peer, it becomes the active unit. If a unit boots and detects a peer already running as active, it becomes the standby unit.

Failover Behaviour
The primary unit's MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active and cannot obtain the primary unit's MAC addresses over the failover link; the secondary unit's own MAC addresses are then used, and they change when the primary unit comes up. To avoid this problem, define static (virtual) MAC addresses for the pair with the failover mac address command.

Failover Triggers
The unit has a hardware failure.
The unit has a power failure.
The unit has a software failure.
The no failover active or the failover active command is entered.
A monitored interface goes down.

Stateless (Regular) and Stateful Failover
Stateless (Regular) Failover
When a failover occurs, all active connections are dropped. Clients need to re-establish connections when the new active unit takes over.

Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit.

The following things are not replicated during failover:
OS images
AnyConnect images
CSD images
ASDM images
Smart Tunnels
Port Forwarding
Plugins
Java Applets
IPv6 clientless or AnyConnect sessions
Citrix authentication (Citrix users must reauthenticate after failover)

Failover Health Monitoring
Unit Health Monitoring
Interface Monitoring

Unit Health Monitoring
The security appliance determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, the unit sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive.
If the security appliance receives a response on the failover link, then it does not fail over.
If the security appliance does not receive a response on the failover link, but receives a response on another interface, then the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible, because the unit cannot fail over to the standby while the failover link is down.
If the security appliance does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.

Interface Monitoring
The interface tests run in this order:
1. Link Up/Down test
2. Network Activity test
3. ARP test
4. Broadcast Ping test
Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the security appliance performs the network tests.
Network Activity test—A network activity test. The unit counts all received packets for up to 5 seconds. If no traffic is received, the ARP test begins.
ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these hosts and counts all received traffic for up to 5 seconds. If no traffic has been received, the ping test begins.
Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds.
The result of the tests on both units decides whether a failover happens:
Test Result                           Failover Response
Both units don't receive              No failover
Both units receive                    No failover
Primary receives, Secondary doesn't   No failover
Primary doesn't, Secondary does       Failover
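The four interface tests and the decision table above, as an added Python simulation (not the book's or Cisco's code). IfaceState is a constructed snapshot of what one unit observed on a monitored interface during the 5-second windows; the tests are evaluated in the book's order and stop at the first one that proves the interface operational, and run_table() evaluates every row of the table with the primary unit active.

```python
"""Simulation of ASA interface monitoring: the Link Up/Down, Network Activity,
ARP and Broadcast Ping tests in order, followed by the failover decision
table. Added illustration, not code from the book or from Cisco; the
interface snapshots are constructed."""
from dataclasses import dataclass


@dataclass
class IfaceState:
    """What one unit observed on a monitored interface (constructed values)."""
    link_up: bool
    packets_seen: int = 0            # packets received in the 5 s Network Activity window
    arp_stimulated: int = 0          # traffic received after ARPing the 2 newest ARP-cache entries
    broadcast_ping_replies: int = 0  # packets received after the broadcast ping


def interface_tests(state):
    """Run the tests in order; return (operational, deciding_test)."""
    if not state.link_up:
        return False, "Link Up/Down"      # link down: no network tests are run
    if state.packets_seen > 0:
        return True, "Network Activity"
    if state.arp_stimulated > 0:
        return True, "ARP"
    if state.broadcast_ping_replies > 0:
        return True, "Broadcast Ping"
    return False, "Broadcast Ping"        # nothing received after the last test


def failover_decision(primary, secondary):
    """Decision table from the text for one monitored interface, with the
    primary unit active: only the case where the primary receives nothing
    and the secondary does triggers a failover."""
    p_ok, _ = interface_tests(primary)
    s_ok, _ = interface_tests(secondary)
    if not p_ok and s_ok:
        return "failover"
    return "no failover"


def run_table():
    """Evaluate all four rows of the decision table and return the verdicts."""
    receives = IfaceState(link_up=True, packets_seen=12)
    silent = IfaceState(link_up=True)    # link up but nothing heard in any test
    return {
        "both don't receive": failover_decision(silent, silent),
        "both receive": failover_decision(receives, receives),
        "primary receives, secondary doesn't": failover_decision(receives, silent),
        "primary doesn't, secondary does": failover_decision(silent, receives),
    }


if __name__ == "__main__":
    for row, verdict in run_table().items():
        print(f"{row:38} {verdict}")
```

The "both don't receive" row is the one operators most often misread: a quiet segment on which neither unit hears anything is not a reason to fail over, because switching units would not improve anything; only an asymmetry against the active unit does.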
Failover Configuration Limitations
You cannot configure failover with the following types of IP addresses:
IP addresses obtained through DHCP
IP addresses obtained through PPPoE
IPv6 addresses
Additionally, the following restrictions apply:
Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive security appliance.
The local CA server is not supported in a failover configuration.
Diagram:- ASA_active_standby
Initial-config
R1
int fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R2
int fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http au local
username shiva privilege 15 secret shiva
R3
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0 standby 101.1.1.101
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
ASA1(config-if)# route outside 0 0 101.1.1.1
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/10 ms
ASA1
object network inside
subnet 192.168.10.0 255.255.255.0
object network dmz
host 192.168.20.100
object network ip111
host 101.1.1.111
nat (dmz,outside) source static dmz ip111
nat (inside,outside) source dynamic inside interface
access-list out extended permit icmp any object inside
access-list out extended permit icmp any object dmz
access-list out extended permit tcp any object dmz eq ssh
access-list out extended permit tcp any object dmz eq telnet
access-list out extended permit tcp any object dmz eq www
access-list out extended permit tcp any object dmz eq https
access-group out in interface outside
R3#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Oct 4 10:10:31.019: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.019: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 4 10:10:38.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
R3#
*Oct 4 10:10:40.207: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 4 10:10:40.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 4 10:10:40.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 4 10:10:40.215: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
ASA1
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2
interface gigabitEthernet 0/3
no shu
failover lan unit secondary
failover lan interface shiva g0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2(config)# Beginning configuration replication from mate.
End configuration replication from mate.
ASA1
ASA1(config)# ! Stateful failover
ASA1(config)# failover link shiva
ASA1(config)# ! http replication
ASA1(config)# failover replication http
ASA1(config)# ! change timers
ASA1(config)# failover polltime msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
ASA1(config)# failover polltime unit msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
ASA1(config)# ! failover key
ASA1(config)# failover key shiva
ASA1(config)# ! failover mac
ASA1(config)# failover mac address inside 0000.0000.0001 0000.0000.0002
ASA1(config)# failover mac address outside 0000.0000.0003 0000.0000.0004
ASA1(config)# failover mac address dmz 0000.0000.0005 0000.0000.0006
Please clear arp on all devices..................thanks
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 16:07:52 UTC Oct 4 2014
This host: Primary - Active
Active time: 296 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Monitored)
Interface outside (101.1.1.100): Normal (Monitored)
Interface dmz (192.168.20.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.2): Normal (Monitored)
Interface outside (101.1.1.101): Normal (Monitored)
Interface dmz (192.168.20.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 41 0 29 0
sys cmd 29 0 29 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 4 0 0 0
ARP tbl 6 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 2 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 30
Xmit Q: 0 282 718
ASA2 (the prompt still reads ASA1 because the active unit's configuration, hostname included, is replicated to the standby)
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 10:06:18 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.2): Normal (Monitored)
Interface outside (101.1.1.101): Normal (Monitored)
Interface dmz (192.168.20.2): Normal (Monitored)
Other host: Primary - Active
Active time: 392 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Monitored)
Interface outside (101.1.1.100): Normal (Monitored)
Interface dmz (192.168.20.1): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 42 0 56 0
sys cmd 42 0 42 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 6 0
ARP tbl 0 0 6 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 2 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 12 784
Xmit Q: 0 1 42
ASA2
ASA1(config)# failover active
Switching to Active
On ASA1, or on whichever unit is currently active, configure the remote-access VPN:
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
! 3DES and DH group 2 are legacy lab values; use AES and DH group 14 or higher in production
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
ip local pool admin 192.168.100.100-192.168.100.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key admin
username shiva password shiva privilege 15
object network admin
subnet 192.168.100.0 255.255.255.0
exit
! identity (twice) NAT so traffic between the inside network and the VPN pool is not translated
nat (inside,outside) 1 source static inside inside destination static admin admin
PC1
ASA2
ASA1(config)# failover active
Switching to Active
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: n
Proceed with reload? [confirm]
ASA1(config)#
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 11:01:17 UTC Oct 4 2014
This host: Secondary - Active
Active time: 11 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Waiting)
Interface outside (101.1.1.100): Normal (Waiting)
Interface dmz (192.168.20.1): Normal (Waiting)
Other host: Primary - Failed
Active time: 40 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
Interface inside (192.168.10.2): Unknown (Monitored)
Interface outside (101.1.1.101): Unknown (Monitored)
Interface dmz (192.168.20.2): Unknown (Monitored)
Stateful Failover Logical Update Statistics
PC1
ASA_Active_Active
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shutdown
interface gigabitEthernet 0/1
no shutdown
interface gigabitEthernet 0/2
no shutdown
interface gigabitEthernet 0/3
no shutdown
interface gigabitEthernet 0/4
no shutdown
class c1
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource Mac-addresses 45.0%
limit-resource VPN Other 125
!
class c2
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource Mac-addresses 45.0%
limit-resource VPN Other 125
!
context c1
member c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
member c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
ASA1(config)# changeto context c1
interface gigabitEthernet 0/0
nameif inside
ip add 192.168.101.1 255.255.255.0 standby 192.168.101.2
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0 standby 101.1.1.101
route outside 0 0 101.1.1.1
ASA1/c1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c1(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c1(config)# changeto context c2
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1 255.255.255.0 standby 192.168.102.2
interface gigabitEthernet 0/3
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0 standby 102.1.1.101
route outside 0 0 102.1.1.1
ASA1/c2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c2(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
changeto context c1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1/c1(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:09 timeout 0:00:00
ICMP PAT from inside:192.168.101.100/6 to outside:101.1.1.100/6 flags ri idle 0:00:09 timeout 0:00:30
changeto context c2
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.102.0 255.255.255.0
access-group out in interface outside
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1/c2(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:08 timeout 0:00:00
ICMP PAT from inside:192.168.102.100/7 to outside:102.1.1.100/7 flags ri idle 0:00:08 timeout 0:00:30
ASA1(config)# changeto system
Active/Standby failover in multiple-context mode (failover is configured in the system execution space)
ASA1
failover lan unit primary
failover lan interface shiva g0/4
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2
interface gigabitEthernet 0/4
no shutdown
failover lan unit secondary
failover lan interface shiva g0/4
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2(config)#
Detected an Active mate
Beginning configuration replication from mate.
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
Creating context 'c1'... Done. (3)
WARNING: Skip fetching the URL disk0:/c1.cfg
Creating context 'c2'... Done. (4)
WARNING: Skip fetching the URL disk0:/c2.cfg
End configuration replication from mate.
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 14:59:26 UTC Oct 4 2014
This host: Primary - Active
Active time: 152 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 09:15:12 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Primary - Active
Active time: 169 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
ASA1
ASA1(config)# ! stateful failover: add the stateful link (here the same interface as the failover link)
ASA1(config)# failover link shiva
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 14:59:26 UTC Oct 4 2014
This host: Primary - Active
Active time: 288 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 9 0 2 0
sys cmd 4 0 4 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 4 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 3 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 3 4
Xmit Q: 0 3 50
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 09:15:12 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Primary - Active
Active time: 307 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 6 0 13 0
sys cmd 6 0 6 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 4 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 3 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 4 87
Xmit Q: 0 1 6
ASA1
ASA1(config)# ! replicate HTTP connections as well
ASA1(config)# failover replication http
ASA1(config)# ! change timers
ASA1(config)# failover polltime msec 200
ASA1(config)# failover polltime unit msec 200
ASA1(config)# ! encrypt the failover link
ASA1(config)# failover key shiva
To configure Active/Active failover, first disable failover on both units:
ASA2
no failover
ASA1
no failover
ASA1 (primary): create the failover groups and assign each context to one
failover group 1
primary
preempt
failover group 2
secondary
preempt
context c1
join-failover-group 1
context c2
join-failover-group 2
ASA1
failover
ASA2
failover
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:13:11 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
This host: Primary
Group 1 State: Active
Active time: 150 (sec)
Group 2 State: Standby Ready
Active time: 9 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 79 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 96 0 62 2
sys cmd 64 0 62 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 12 0 0 0
ARP tbl 8 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 2
Router ID 0 0 0 0
User-Identity 12 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 3 104
Xmit Q: 0 5 1073
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:13:13 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
This host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 102 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Other host: Primary
Group 1 State: Active
Active time: 173 (sec)
Group 2 State: Standby Ready
Active time: 9 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 67 0 97 0
sys cmd 65 0 65 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 12 0
ARP tbl 0 0 8 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 2 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 12 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 5 1040
Xmit Q: 0 1 121
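After every change like the ones above an operator re-reads `show failover` on both units, and the two shapes this lab produced are easy to parse: the Active/Standby output earlier in this section ("This host: Primary - Active") and the Active/Active output just above (one "Group N State:" line per failover group). The following script is an added example and not code from the book. It takes the captured text of `show failover` (collecting it, for example over SSH, is not shown) and reports the conditions to verify before trusting the pair: failover on, matching software versions, exactly one Active owner per unit or per failover group with the other side in Standby Ready, every monitored interface Normal, the stateful link configured and up, and no stateful-update errors. The sample texts are trimmed copies of the lab output in this section; the function and key names are mine.

```python
"""Health check over captured 'show failover' text (added example, not from the book)."""
import re

RE_HOST = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)(?:\s+-\s+(.+?))?\s*$")
RE_GROUP = re.compile(r"^Group (\d+) State:\s+(.+?)\s*$")
RE_IFACE = re.compile(r"^(?:(\S+)\s+)?Interface\s+(\S+)\s+\(([^)]+)\):\s+(\w+)\s+\((\w+)\)\s*$")
RE_VERSION = re.compile(r"^Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)\s*$")
RE_LINK = re.compile(r"^Link\s*:\s*(.+?)\s*$")
RE_STAT = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_show_failover(text: str) -> dict:
    """Reduce the output to the facts the check needs. states[side][group] is "Active",
    "Standby Ready", "Failed", ...: an Active/Standby pair uses the pseudo-group "unit",
    an Active/Active pair one entry per failover group ("1", "2")."""
    st = {"enabled": False, "versions": ("", ""), "link": "", "errors": 0,
          "states": {"this": {}, "other": {}}, "interfaces": {"this": [], "other": []}}
    side, in_stats = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            st["enabled"] = True
        elif m := RE_VERSION.match(line):
            st["versions"] = (m.group(1), m.group(2))
        elif m := RE_HOST.match(line):
            side = "this" if m.group(1) == "This" else "other"
            if m.group(3):                                   # Active/Standby: state on the host line
                st["states"][side]["unit"] = m.group(3)
        elif side and (m := RE_GROUP.match(line)):           # Active/Active: one line per group
            st["states"][side][m.group(1)] = m.group(2)
        elif side and (m := RE_IFACE.match(line)):
            ctx, name, ip, state, monitor = m.groups()        # ctx is set in multiple-context mode
            st["interfaces"][side].append((f"{ctx}/{name}" if ctx else name, ip, state, monitor))
        elif m := RE_LINK.match(line):
            st["link"] = m.group(1)                          # "Unconfigured." or "<name> <port> (up)"
        elif line.startswith("Stateful Obj"):
            in_stats = True
        elif line.startswith("Logical Update Queue"):
            in_stats = False
        elif in_stats and (m := RE_STAT.match(line)):
            st["errors"] += int(m.group(3)) + int(m.group(5))   # xerr + rerr columns
    return st


def check(st: dict) -> list:
    """Return the problems found; an empty list means the pair is healthy."""
    if not st["enabled"]:
        return ["failover is not enabled"]
    problems = []
    if st["versions"][0] != st["versions"][1]:
        problems.append("software mismatch: ours %s, mate %s" % st["versions"])
    for group in sorted(set(st["states"]["this"]) | set(st["states"]["other"])):
        label = "unit" if group == "unit" else f"group {group}"
        pair = {s: st["states"][s].get(group, "missing") for s in ("this", "other")}
        if list(pair.values()).count("Active") != 1:         # nobody active, or split brain
            problems.append(f"{label}: expected exactly one Active owner, got {pair}")
        for s, state in pair.items():
            if state not in ("Active", "Standby Ready"):
                problems.append(f"{label}: {s} host is {state!r}, no redundancy")
    for s in ("this", "other"):
        for name, ip, state, monitor in st["interfaces"][s]:
            if state != "Normal":
                problems.append(f"{s} host interface {name} ({ip}) is {state} ({monitor})")
    if not st["link"].endswith("(up)"):
        problems.append(f"stateful link is {(st['link'] or 'missing')!r}: "
                        "connections will not survive a failover")
    if st["errors"]:
        problems.append(f"{st['errors']} stateful update errors (xerr/rerr)")
    return problems


# Sample inputs: trimmed copies of the lab output shown above.
HEALTHY = """\
Failover On
Failover unit Primary
Version: Ours 9.2(2)4, Mate 9.2(2)4
        This host: Primary - Active
                  Interface inside (192.168.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface inside (192.168.10.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
        Link : shiva GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         41         0          29         0
"""
PRIMARY_FAILED = """\
Failover On
Version: Ours 9.2(2)4, Mate 9.2(2)4
        This host: Secondary
                Group 1 State: Active
                Group 2 State: Active
                  c1 Interface inside (192.168.101.1): Normal (Waiting)
        Other host: Primary
                Group 1 State: Failed
                Group 2 State: Failed
                  c1 Interface inside (192.168.101.2): Unknown (Monitored)
Stateful Failover Logical Update Statistics
        Link : shiva GigabitEthernet0/4 (up)
"""
NO_STATE_LINK = HEALTHY.split("Stateful Failover")[0] + "        Link : Unconfigured.\n"

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("primary failed", PRIMARY_FAILED), ("no link", NO_STATE_LINK)):
        print(f"{name}: {check(parse_show_failover(text)) or 'OK'}")
```

The "Normal (Waiting)" interfaces on the surviving unit are reported as healthy on purpose: the first column is the interface state, the second only says the unit is waiting to hear the mate's interface hellos, which is expected while the mate is down. The missing stateful link is reported as a problem even though `show failover` says nothing alarming, because without it a failover drops every established connection.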
ASA1
ASA1(config)# ! show the failover state of the unit or context in the prompt
ASA1(config)# prompt hostname context state
ASA1/act(config)#
ASA1/act(config)# changeto context c1
ASA1/c1/act(config)#
ASA1/c1/act(config)# changeto context c2
ASA1/c2/stby(config)#
ASA2
ASA1/stby(config)#
ASA1/stby(config)# changeto context c1
ASA1/c1/stby(config)#
ASA1/c1/stby(config)# changeto context c2
ASA1/c2/act(config)#
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1/c1/act(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:01 timeout 0:00:00
ICMP PAT from inside:192.168.101.100/9 to outside:101.1.1.100/9 flags ri idle 0:00:01 timeout 0:00:30
ASA2
ASA1/c2/act(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:01 timeout 0:00:00
ICMP PAT from inside:192.168.102.100/10 to outside:102.1.1.100/10 flags ri idle 0:00:01 timeout 0:00:30
ASA1/act(config)# ! to save config
ASA1/act(config)# write memory all
ASA1/act(config)# mode single
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Security context mode: single
***
*** --- START GRACEFUL SHUTDOWN ---
****** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
****** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
ASA2
ASA1/act(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:25:12 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
This host: Secondary
Group 1 State: Active
Active time: 14 (sec)
Group 2 State: Active
Active time: 725 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Waiting)
c1 Interface outside (101.1.1.100): Normal (Waiting)
c2 Interface inside (192.168.102.1): Normal (Waiting)
c2 Interface outside (102.1.1.100): Normal (Waiting)
Other host: Primary
Group 1 State: Failed
Active time: 780 (sec)
Group 2 State: Failed
Active time: 9 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
c1 Interface inside (192.168.101.2): Unknown (Monitored)
c1 Interface outside (101.1.1.101): Unknown (Monitored)
c2 Interface inside (192.168.102.2): Unknown (Monitored)
c2 Interface outside (102.1.1.101): Unknown (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 150 0 180 0
sys cmd 146 0 146 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 12 0
ARP tbl 2 0 10 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 2 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 12 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 5 2072
Xmit Q: 0 1 495
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1(config)# ! save the configuration of the system and of every context
ASA1(config)# write memory all
Chapter 23
Modular Policy Framework
After reading this chapter you will be able to describe:
MPF functions
Inspection of connections
Connection restriction
Traffic prioritization
Traffic policing
MPF components
Class map
Policy map
Service policy
DCE RPC
Sun RPC
ILS
NetBIOS
IPsec pass-through
XDMCP
ICMP inspection
FTP modes
SMTP
DNS
TFTP
HTTP
RSH
SQL*Net
SIP
SCCP
CTIQBE
MGCP
Modular Policy Framework
It provides the following features:
Inspection of connections
Connection restriction
Traffic prioritization
Traffic policing
Inspection of connections
By default the appliance keeps TCP and UDP connections in its state table. Inspection tells it which further protocols to track and which application protocols to parse. ICMP is the usual example: with ICMP inspection enabled, an echo request creates a state entry and the matching echo reply is allowed back without an ACL, so ICMP becomes stateful traffic. Application inspections (FTP, SIP, DNS and so on) also open the secondary connections these protocols negotiate on dynamic ports and rewrite the addresses they embed in their payload when NAT is in use.
Connection restriction
Using connection restriction we set per-class limits: maximum connections, per-client maximum connections, maximum embryonic (half-open TCP) connections and per-client embryonic connections. The embryonic limits bound the damage a SYN flood can do to the servers behind the appliance.
Traffic prioritization
Using this feature we place delay-sensitive traffic, such as voice or VPN traffic, in the priority queue of an interface so it is sent ahead of other traffic.
Traffic policing
Using this feature we police the rate of incoming and outgoing traffic on an interface and drop what exceeds the configured limit.
MPF components
Class-map: selects the traffic
Policy-map: attaches actions (inspect, set connection, priority, police) to classes
Service-policy: applies a policy-map to an interface or globally
Class-map types
L3/L4 class-map (matches access-lists, ports, default-inspection-traffic, DSCP, flows)
L7 (inspection) class-map
Regex class-map
Policy-map types
L3/L4 policy-map
L7 (inspection) policy-map
Service-policy
It can be applied on a specific interface or globally. Only one global policy is allowed, and where an interface policy and the global policy both configure the same feature, the interface policy takes precedence for that interface.
Default inspected protocols in OS version 9.2.2.4
FTP
DNS
H.323 RAS
H.323 H225
RTSP
RSH
SIP
SCCP
SQL.NET
SUN RPC
ESMTP
TFTP
NETBIOS
XDMCP
IP options
DCE (Distributed Computing Environment)
It is a protocol used by programmers to build distributed software. It allows software to run across multiple systems while appearing to run on a single system. It uses TCP port 135.
By default it is not inspected by the Cisco appliance; if a company is using it, we have to inspect it:
class-map class_default
 match default-inspection-traffic
policy-map global_policy
 class class_default
  inspect dcerpc
service-policy global_policy global
SUN RPC
It was developed by Sun. It is used by NFS (Network File System) for file sharing.
By default it is inspected by the appliance. It uses TCP port 111.
class-map class_default
 match default-inspection-traffic
policy-map global_policy
 class class_default
  inspect sunrpc
service-policy global_policy global
ILS (Internet Locator Service)
This protocol is used by Microsoft Active Directory and NetMeeting. It allows systems to gather the information required to communicate with other systems in a domain.
By default it is not inspected by the appliance. It uses TCP port 389. If AD or NetMeeting is not working properly, we have to inspect it:
class-map class_default
 match default-inspection-traffic
policy-map global_policy
 class class_default
  inspect ils
service-policy global_policy global
NET BIOS
This protocol is used in older operating systems for name resolution (name to IP or IP to name).
By default it is inspected by the appliance. It uses UDP ports 137 and 138.
If you are not using it, you can remove it from the inspected protocol list:
class-map class_default
 match default-inspection-traffic
policy-map global_policy
 class class_default
  no inspect netbios
service-policy global_policy global
IPsec Pass-Through
When a VPN client establishes a VPN session it establishes two connections per protocol, ESP or AH. By default there is no limit, so a client can establish more than two connections; to solve this problem the appliance has the ipsec-pass-thru feature, with which we can set the per-client maximum ESP or AH connections. It uses UDP port 500.
policy-map type inspect ipsec-pass-thru l7-ipsec-pass-thru
 parameters
  esp per-client-max 2
  ah per-client-max 2
class-map default_class
 match default-inspection-traffic
policy-map global_policy
 class default_class
  inspect ipsec-pass-thru l7-ipsec-pass-thru
service-policy global_policy global
XDMCP (X Display Manager Control Protocol)
When the PC first came into the world it was very costly, so UNIX developed a solution, X Display, in which a diskless client is used with an X server. It is inspected by default.
Working: when the client boots it uses a dynamic UDP port and connects to UDP 177 of the X server; this is called the management connection. After the management connection the client uses TCP and connects to TCP 6000 for the display.
If it is an outbound connection (higher to lower security) there is nothing to do.
Client UDP 1024 >>>>> UDP 177 Server
Client TCP 1024 >>>>> TCP 6000 Server
Lower to higher connection: we have to open an ACL for UDP 177, plus the establish keyword.
class-map default
 match default-inspection-traffic
policy-map shiva
 class default
  inspect xdmcp
service-policy shiva global
ICMP
This protocol is used for connectivity checking, but it can also be used to overload a server with ICMP traffic, and it is not inspected by the appliance by default. It uses IP protocol number 1.
If you want, you can configure it as inspected traffic:
class-map shiva_class
 match default-inspection-traffic
policy-map shiva_policy
 class shiva_class
  inspect icmp
  inspect icmp error
service-policy shiva_policy global
FTP
This protocol is used for file transfer. It uses TCP port 21, and it has two modes.
class-map default
 match default-inspection-traffic
policy-map shiva
 class default
  inspect ftp
service-policy shiva global
Modes
Active mode
Passive mode
Active mode working
Client TCP 1024 >>>>> TCP 21 Server
Client TCP 1024 <<<<< TCP 20 Server
Higher to lower: inspection
Lower to higher: ACL only
Passive mode working
Client TCP 1024 >>>>> TCP 21 Server
Client TCP 1024 <<<<< hit 4321 for data <<<<< TCP 21 Server
Client TCP 1024 >>>>> TCP 4321 Server
Higher to lower: nothing to do
Lower to higher: ACL plus inspection
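As an added example that is not part of the book, the following applies strict FTP inspection with an FTP inspection policy-map that masks the server banner and resets sessions that issue the delete-file or remove-directory commands. The names l7-ftp and ftp-class are assumptions.

```cisco
! Added example (not the book's config). Assumed names: l7-ftp, ftp-class.
policy-map type inspect ftp l7-ftp
 parameters
  ! hide the server software version from the greeting and the SYST reply
  mask-banner
  mask-syst-reply
 ! reset sessions that try to delete files or remove directories
 match request-command dele rmd
  reset log
!
class-map ftp-class
 match port tcp eq 21
!
policy-map global_policy
 class ftp-class
  ! strict: the command/reply sequence is checked and the data-channel
  ! pinhole is only opened for the port negotiated in PORT/PASV
  inspect ftp strict l7-ftp
service-policy global_policy global
!
! Verification: per-interface FTP inspection counters
show service-policy inspect ftp
```

Plain `inspect ftp` already opens the data-channel pinhole dynamically from the PORT/PASV exchange, which is what makes both active and passive mode work from a lower-security interface without permanently permitting high ports; `strict` additionally rejects commands embedded in the control channel and checks that the data connection matches the address and port that were negotiated.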
SMTP
It is used to send mail. It uses TCP port 25. The appliance can apply deeper inspection to SMTP, for example on the SMTP body length.
Working
Client TCP 1024 >>>>> TCP 25 Server
Client TCP 1024 <<<<< TCP 25 Server
access-list smtp-limit permit tcp any any eq 25
class-map smtp
 match access-list smtp-limit
policy-map type inspect esmtp l7-esmtp
 match body length gt 1000
  drop-connection
policy-map shiva
 class smtp
  inspect esmtp l7-esmtp
service-policy shiva global
DNS
The Domain Name System is used for name resolution. It uses TCP or UDP port 53.
DNS Inspection Features
DNS Guard
DNS Doctoring
DNS Query Length
DNS Guard
It allows only the first reply to a DNS query; later replies to the same query are dropped.
DNS Doctoring
This feature enables the appliance to rewrite the address inside a DNS reply with the translated IP address used on another interface.
Commands
static (inside,outside) interface 192.168.101.53 dns
DNS Query Length
By default the maximum DNS message length is 512 bytes; we can extend it.
DNS is inspected by default.
static (inside,outside) interface 192.168.101.53 dns
policy-map type inspect dns l7-dns
 parameters
  dns-guard
  nat-rewrite
  protocol-enforcement
  message-length maximum 1024
class-map default
 match default-inspection-traffic
policy-map shiva
 class default
  inspect dns l7-dns
service-policy shiva global
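An added example, not the book's configuration, that combines the DNS inspection features above: DNS Guard, protocol enforcement, NAT rewrite (doctoring), transaction-ID randomization, message-length limits, and a regex drop on a domain name. It also shows the object-NAT form of the doctoring rule for OS 8.3 and later, which replaces the pre-8.3 `static ... dns` command used above. The names l7-dns, dns-class and bad-domain, and the host pattern example.invalid, are assumptions; R2 (192.168.10.100 on dmz1) and 101.1.1.111 are values from the book's lab later in this chapter.

```cisco
! Added example (not the book's config). Assumed names: l7-dns, dns-class,
! bad-domain; the host pattern example.invalid is a constructed placeholder.
! R2 and 101.1.1.111 are the book's lab values.
!
! A domain pattern to drop outright (constructed placeholder)
regex bad-domain \.example\.invalid
!
policy-map type inspect dns l7-dns
 parameters
  ! DNS Guard: tear the UDP connection down after the first reply
  dns-guard
  ! check message format: name and label lengths, compression pointers
  protocol-enforcement
  ! DNS doctoring: rewrite A records according to NAT rules that carry "dns"
  nat-rewrite
  ! randomize the transaction ID of queries passing through the appliance
  id-randomization
  ! use the size a client advertises in its EDNS record, cap all others at 1024
  message-length maximum client auto
  message-length maximum 1024
 match domain-name regex bad-domain
  drop log
!
class-map dns-class
 match default-inspection-traffic
policy-map global_policy
 class dns-class
  inspect dns l7-dns
service-policy global_policy global
!
! 8.3+ object NAT form of the doctoring rule (replaces the pre-8.3
! "static (inside,outside) ... dns" command): when a reply carrying the
! mapped address 101.1.1.111 is delivered to an interface where R2's real
! address applies, the A record is rewritten to 192.168.10.100
object network R2
 host 192.168.10.100
 nat (dmz1,outside) static 101.1.1.111 dns
!
show service-policy inspect dns
```

Doctoring needs both halves: `nat-rewrite` in the DNS inspection map and the `dns` keyword on the NAT rule. Without the keyword, an inside host resolving the public name receives the outside address and tries to reach the server through the outside interface, which is the symptom seen in the lab at the end of this chapter.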
TFTP
Used for backing up and upgrading network appliances. It uses UDP port 69.
Inspected by default.
Working
Client UDP 1024 >>>>> UDP 69 Server
Client UDP 1024 <<<<< UDP 1234 Server
Higher to lower: inspection
Lower to higher: ACL
HTTP
Used for web browsing. It uses TCP port 80. The appliance can block HTTP sites by name and by IP address.
regex fb \.facebook\.com
regex 420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
class-map type regex match-any rs
 match regex fb
 match regex 420
policy-map type inspect http l7-http
 match request header host regex class rs
  reset
access-list http permit tcp any any eq 80
class-map http-class
 match access-list http
policy-map shiva
 class http-class
  inspect http l7-http
service-policy shiva global
RSH
Used in Unix for a remote shell (terminal). It uses TCP port 514.
Working
Client TCP 1024 >>>>> TCP 514 Server
Client TCP 1024 <<<<< TCP 1024 Server
Higher to lower: inspection
Lower to higher: ACL
Inspected by default.
SQL.NET
Used by Oracle databases. It uses TCP port 1521 and is inspected by default.
Working
Client TCP 1024 >>>>> TCP 1521 Server
Client TCP 1024 <<<<< TCP 1521 Server
Higher to lower: nothing to do
Lower to higher: ACL
SIP/SCCP/CTIQBE (TCP-UDP 5060 / TCP 2000 / TCP 2748)
These protocols are used to establish VoIP calls.
Client IP Phone TCP/UDP 1024 >>>>> 5060/2000/2748 Server
Client IP Phone UDP 1025 >>>>> voice Server
Client IP Phone UDP 1026 >>>>> sync Server
Higher to lower: nothing to do
Lower to higher: ACL plus inspection
MGCP
Used between a VoIP gateway and the call manager.
Working
Gateway UDP 1024 >>>>> UDP 2427 Server
Gateway UDP 2727 <<<<< UDP 1024 Server
Higher to lower: inspection
Lower to higher: ACL plus inspection
Diagram:
Initial-config
R1
interface fastEthernet 0/0
 no shutdown
 ip add 192.168.1.1 255.255.255.0
int f0/1
 no shutdown
 ip add 192.168.101.1 255.255.255.0
 ip add 192.168.106.1 255.255.255.0 secondary
router ei 100
 no auto-summary
 net 0.0.0.0
R2
interface fastEthernet 0/0
 no sh
 ip add 192.168.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa modulus 1024
line vty 0 90
 transport input ssh telnet
 login local
 exit
username shiva privilege 15 secret shiva
R3
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 101.1.1.1 255.255.255.0
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 102.1.1.1 255.255.255.0
!
interface FastEthernet0/0.60
 encapsulation dot1Q 60
 ip address 103.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.104.1 255.255.255.0
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R4
interface fastEthernet 0/0
 no shutdown
 ip add 192.168.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R5
interface fastEthernet 0/0
 no shutdown
 ip add 102.1.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 102.1.1.1
ip dns server
ip host www.cisco.com 101.1.1.111
ip host www.abc.com 101.1.1.222
ip host www.google.com 1.1.1.1
ip host www.facebook.com 2.2.2.2
ip host www.gmail.com 3.3.3.3
R6
interface fastEthernet 0/0
 no shutdown
 ip add 192.168.102.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 60
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
 network 192.168.1.0 255.255.255.0
 redistribute static metric 1 1 1 1 1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.106.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.106.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 103.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 103.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
object network R2
 host 192.168.10.100
object network R4
 host 192.168.20.100
object network www.cisco.com
 host 101.1.1.111
object network www.abc.com
 host 101.1.1.222
nat (dmz1,outside) source static R2 www.cisco.com
nat (dmz2,outside) source static R4 www.abc.com
nat (inside,outside) source dynamic any interface
ASA1(config)# sh running-config class-map
!
class-map inspection_default
match default-inspection-traffic
!
ASA1(config)# sh running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
ASA1(config)# sh running-config service-policy
service-policy global_policy global
ASA1(config)# clear configure service-policy
!
ASA1(config)# clear configure policy-map
!
ASA1(config)# clear configure class-map
!!
ASA1
ASA1(config)# class-map shiva_class
ASA1(config-cmap)# match default-inspection-traffic
ASA1(config-cmap)# policy-map shiva_policy
ASA1(config-pmap)# class shiva_class
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# inspect icmp error
ASA1(config-pmap-c)# service-policy shiva_policy global
R3#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 8 07:06:58.843: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.847: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.847: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.851: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.851: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 8 07:07:01.019: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
*Oct 8 07:07:01.771: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
*Oct 8 07:07:02.519: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
*Oct 8 07:07:14.867: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.875: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.875: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
R3#
*Oct 8 07:07:24.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.715: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
ASA1(config)# ! Open ACL for www.cisco.com
ASA1(config)# ! Open ACL for www.abc.com
ASA1(config)# ! So that Internet-Users can ping www.cisco.com ,www.abc.com
ASA1(config)# access-list out permit icmp any object R2
ASA1(config)# access-list out permit icmp any object R4
ASA1(config)# access-group out in interface outside
R3
R3(config)#ip domain-lookup
R3(config)#ip name-server 102.1.1.100
R3#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.111, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
PC 192.168.104.100
ASA1
ASA1(config)# access-list out permit tcp any object R2 eq 22
ASA1(config)# access-list out permit tcp any object R2 eq 23
ASA1(config)# access-list out permit tcp any object R4 eq 80
ASA1(config)# access-list out permit tcp any object R4 eq 443
ASA1(config)# access-group out in interface outside
ASA1
access-list telnet-limit permit tcp any object R2 eq 23
class-map telnet-class
 match access-list telnet-limit
policy-map shiva_policy
 class telnet-class
  set connection conn-max 123
  set connection embryonic-conn-max 1
  set connection per-client-max 2
  set connection per-client-embryonic-max 1
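Building on the connection-restriction feature described at the start of the chapter and the limits above, here is an added example (not the book's lab configuration) that puts the same telnet class into its own policy-map, adds an embryonic timeout, attaches it to the outside interface and lists the commands used to verify the limits. The policy name dmz-protect, the limit values and the timeouts are assumptions; R2 (192.168.10.100 on dmz1) is the book's telnet server object.

```cisco
! Added example (not the book's lab config). Assumed name: dmz-protect;
! limit values and timeouts are assumptions. R2 = 192.168.10.100 on dmz1
! is the book's telnet server object.
access-list telnet-limit extended permit tcp any object R2 eq 23
class-map telnet-class
 match access-list telnet-limit
policy-map dmz-protect
 class telnet-class
  ! aggregate limits for everything matching the class
  set connection conn-max 100 embryonic-conn-max 20
  ! limits counted per source address (one client)
  set connection per-client-max 2 per-client-embryonic-max 1
  ! expire half-open connections quickly so the embryonic budget frees up
  set connection timeout embryonic 0:00:20
  ! idle established telnet sessions are torn down after 10 minutes
  set connection timeout idle 0:10:00
! inbound telnet to R2 enters on outside, so the policy goes there
service-policy dmz-protect interface outside
!
! Verification: configured limits plus current and peak counters per class
show service-policy interface outside set connection
show service-policy interface outside set connection details
! current connections to the telnet port, with their state flags
show conn port 23
```

conn-max and embryonic-conn-max are aggregate limits for all traffic matching the class; the per-client variants are counted per source address. Once embryonic-conn-max is reached the ASA switches to TCP Intercept for that class, completing the three-way handshake on behalf of the server and only opening a connection to it after the client has answered, which is what keeps a SYN flood from exhausting the server's own backlog.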
ASA1
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
tunnel-group 103.1.1.100 type ipsec-l2l
tunnel-group 103.1.1.100 ipsec-attributes
 ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 103.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
object network inside
 subnet 192.168.101.0 255.255.255.0
object network s2s
 subnet 192.168.102.0 255.255.255.0
nat (inside,outside) 1 source static inside inside destination static s2s s2s
ASA2
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
 ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
R1#ping 192.168.102.100 source fastEthernet 0/1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R6#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/8 ms
ASA1
!
priority-queue outside
class-map s2s-class
 match tunnel-group 103.1.1.100
policy-map shiva_policy
 class s2s-class
  priority
ASA1
access-list traffic-limit deny ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list traffic-limit permit ip 192.168.101.0 255.255.255.0 any
class-map traffic-limit-class
 match access-list traffic-limit
policy-map shiva_policy
 class traffic-limit-class
  police input 8000 conform-action transmit exceed-action drop
  police output 8000 conform-action transmit exceed-action drop
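An added example (not the book's lab configuration) that combines the priority and policing steps above into one interface policy: site-to-site VPN traffic to peer 103.1.1.100 goes to the low-latency queue, and the remaining traffic from 192.168.101.0/24 selected by the book's traffic-limit ACL is policed to 256 kbps. The names outside-qos and internet-class, the rates and the queue sizes are assumptions.

```cisco
! Added example (not the book's lab config). Assumed names: outside-qos,
! internet-class; rates and queue sizes are assumptions. Peer 103.1.1.100 and
! the traffic-limit ACL (192.168.101.0/24 to anywhere except the VPN subnet)
! come from the book's lab.
!
! The interface must have a priority queue before "priority" does anything
priority-queue outside
 queue-limit 512
 tx-ring-limit 128
!
! Site-to-site VPN traffic, selected by tunnel-group rather than by ACL
class-map s2s-class
 match tunnel-group 103.1.1.100
!
! Everything else from the inside subnet (the ACL's deny entry excludes the
! VPN subnet, so tunnel traffic is never policed)
class-map internet-class
 match access-list traffic-limit
!
policy-map outside-qos
 class s2s-class
  ! low-latency queue for the encrypted tunnel traffic
  priority
 class internet-class
  ! 256 kbps conform rate with a 32000-byte burst, in each direction
  police input 256000 32000 conform-action transmit exceed-action drop
  police output 256000 32000 conform-action transmit exceed-action drop
!
service-policy outside-qos interface outside
!
! Verification
show priority-queue statistics outside
show service-policy interface outside priority
show service-policy interface outside police
```

With `police`, the first number is the conform rate in bits per second (the minimum is 8000, which is why the book's lab uses that value) and the optional second number is the burst in bytes. `show service-policy police` reports conformed and exceeded packet and byte counters per class, so a class that is dropping traffic unexpectedly shows up there rather than in the connection table.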
FTP Inspection
Outbound connections are working; now check the inbound connection.
object network obj_net_192.168.101.100
 host 192.168.101.100
object service obj_ser_ftp
 service tcp source eq 21
nat (inside,outside) 3 source static obj_net_192.168.101.100 interface service obj_ser_ftp obj_ser_ftp
access-list out permit tcp any object obj_net_192.168.101.100 eq 21
Not working: the default inspection policy was cleared earlier in this lab, so no FTP inspection is opening the data channel. Add it:
ASA1
policy-map shiva_policy
 class shiva_class
  inspect ftp
SMTP
object network obj_net_192.168.106.100
 host 192.168.106.100
object service obj_ser_smtp
 service tcp source eq 25
object service obj_ser_pop3
 service tcp source eq 110
nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_smtp obj_ser_smtp
nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_pop3 obj_ser_pop3
access-list out permit tcp any object obj_net_192.168.106.100 eq 25
access-list out permit tcp any object obj_net_192.168.106.100 eq 110
192.168.106.100 is the Exchange server.
Go to the Internet user PC and test.
access-list smtp-limit permit tcp any object obj_net_192.168.106.100 eq 25
class-map smtp-class
 match access-list smtp-limit
policy-map type inspect esmtp l7-esmtp
 match body length gt 10
  drop-connection
policy-map shiva_policy
 class smtp-class
  inspect esmtp l7-esmtp
ASA1(config-pmap)# policy-map shiva_policy
ASA1(config-pmap)# class smtp-class
ASA1(config-pmap-c)# no inspect esmtp l7-esmtp
ASA1(config)# sh conn
8 in use, 11 most used
UDP outside 10.0.0.255:137 inside 10.0.0.10:137, idle 0:00:13, bytes 25650, flags -
UDP outside 10.0.0.255:137 dmz1 10.0.0.10:137, idle 0:00:13, bytes 25800, flags -
UDP outside 102.1.1.100:53 inside 192.168.101.100:54918, idle 0:00:12, bytes 80, flags h
UDP outside 102.1.1.100:53 inside 192.168.101.100:55714, idle 0:00:38, bytes 78, flags h
UDP outside 102.1.1.100:53 inside 192.168.101.100:63759, idle 0:00:53, bytes 84, flags h
UDP outside 102.1.1.100:53 inside 192.168.101.100:63597, idle 0:01:02, bytes 80, flags h
R3#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.111, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1(config)#ip domain-lookup
R1(config)#ip name-server 102.1.1.100
R1#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.111, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.222, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA1
policy-map type inspect dns l7-dns
parameters
dns-guard
nat-rewrite
protocol-enforcement
message-length maximum 1024
policy-map shiva_policy
class shiva_class
inspect dns l7-dns
nat (inside,outside) source static inside inside destination static s2s s2s
nat (dmz1,outside) source static R2 www.cisco.com dns
nat (dmz2,outside) source static R4 www.abc.com dns
R1#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
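The change between the two sets of pings comes from the "dns" keyword on the static NAT statements together with "inspect dns l7-dns": the reply from the outside DNS server carries the mapped address, and the ASA rewrites the A record to the real DMZ address before handing the reply to the inside host. The following is an added example in Python, not the ASA's own code; it assumes the object values visible in the ping outputs (www.cisco.com = 101.1.1.111 mapped to R2 = 192.168.10.100, www.abc.com = 101.1.1.222 mapped to R4 = 192.168.20.100) and models the nat-rewrite, protocol-enforcement and message-length maximum 1024 settings of the same policy on a constructed DNS reply.

```python
import struct
import ipaddress

# Constructed from the ping outputs on this page (not read from the ASA): the
# static NAT statements with the "dns" keyword map each outside (mapped) address
# to a real DMZ host, so a reply handed to an inside host must carry the real one.
MAPPED_TO_REAL = {
    "101.1.1.111": "192.168.10.100",  # www.cisco.com -> R2 on dmz1
    "101.1.1.222": "192.168.20.100",  # www.abc.com   -> R4 on dmz2
}
MAX_MESSAGE_LEN = 1024  # "message-length maximum 1024" in policy-map l7-dns


def _skip_name(msg, off):
    """Return the offset just past the DNS name that starts at `off`."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record,
    rejecting truncated or padded messages the way protocol-enforcement does."""
    if len(msg) < 12:
        raise ValueError("header truncated")
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("resource record header truncated")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA truncated")
        yield off, rtype, rclass, rdlen
        off += rdlen
    if off != len(msg):
        raise ValueError("trailing bytes after the last record")


def a_records(msg):
    """Dotted-quad addresses of all A records (type 1, class IN) in the message."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rclass, rdlen in _records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def inspect_reply(msg, mapped_to_real=MAPPED_TO_REAL, max_len=MAX_MESSAGE_LEN):
    """Apply the l7-dns policy to a reply heading towards an inside host.
    Returns ("drop", reason, []) when a check fails, otherwise ("forward",
    rewritten_message, [(mapped, real), ...]) with every A record that named a
    mapped address rewritten to the real address (nat-rewrite)."""
    if len(msg) > max_len:
        return "drop", f"message length {len(msg)} exceeds {max_len}", []
    out = bytearray(msg)
    changes = []
    try:
        for off, rtype, rclass, rdlen in _records(msg):
            if rtype != 1 or rclass != 1 or rdlen != 4:
                continue
            mapped = str(ipaddress.IPv4Address(msg[off:off + 4]))
            real = mapped_to_real.get(mapped)
            if real is not None:
                out[off:off + 4] = ipaddress.IPv4Address(real).packed
                changes.append((mapped, real))
    except ValueError as err:
        return "drop", f"protocol-enforcement: {err}", []
    return "forward", bytes(out), changes


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_a_reply(name, txid, addrs, ttl=300):
    """Constructed sample reply: one question plus one A record per address, the
    answers naming the owner with a compression pointer to the question (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    reply = build_a_reply("www.cisco.com", 0x1234, ["101.1.1.111"])
    verdict, fixed, changes = inspect_reply(reply)
    print(verdict, a_records(reply), "->", a_records(fixed), changes)
```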
R1#copy tftp: flash:
Address or name of remote host []? 192.168.104.100
Source filename []? svc.pkg
Destination filename [svc.pkg]?
Accessing tftp://192.168.104.100/svc.pkg...
%Error opening tftp://192.168.104.100/svc.pkg (Timed out)
R1#
ASA1(config)# ! TFTP Inspection
ASA1(config)#
ASA1(config)# policy-map shiva_policy
ASA1(config-pmap)# class shiva_class
ASA1(config-pmap-c)# inspect tftp
R1#copy tftp: flash:
Address or name of remote host [192.168.104.100]?
Source filename [svc.pkg]?
Destination filename [svc.pkg]?
Accessing tftp://192.168.104.100/svc.pkg...
Erase flash: before copying? [confirm]q
Loading svc.pkg from 192.168.104.100 (via FastEthernet0/0): !
%Error opening flash:svc.pkg (No space left on device)
regex fb \.facebook\.com
regex ip420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
class-map type regex match-any rs
match regex fb
match regex ip420
policy-map type inspect http l7-http
match request header host regex class rs
reset
ex
policy-map shiva_policy
class shiva_class
inspect http l7-http
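How the rs regex class is applied to the Host header, as an added example in Python rather than the ASA's own matching code: Python's re module stands in for the ASA regex engine (the two agree on the constructs these patterns use), and the sample requests are constructed. It also shows two limits of these particular patterns that a practitioner should know when reading the hit counts: "\.facebook\.com" requires a leading dot, so the bare apex name is not matched, and the unanchored ip420 pattern fires on any hostname that contains four dotted numbers, not only on address literals.

```python
import re

# The regex class from the page (class-map type regex match-any rs), written as
# Python patterns; the ASA engine and re agree on the constructs these two use.
REGEX_CLASS_RS = {
    "fb": r"\.facebook\.com",
    "ip420": r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+",
}


def host_header(request):
    """Return the Host header value of a raw HTTP request, or None if it has none."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def classify(request, regex_class=REGEX_CLASS_RS):
    """Return ("reset", regex_name) when any regex in the class matches the Host
    header, else ("allow", None). As on the ASA, the match is unanchored, so a
    pattern matches wherever it occurs inside the header value."""
    host = host_header(request)
    if host is None:
        return "allow", None
    for name, pattern in regex_class.items():
        if re.search(pattern, host):
            return "reset", name
    return "allow", None


# Constructed sample requests: the two cases the policy is written for, plus
# cases that show where these patterns under- and over-match.
SAMPLES = {
    "www.facebook.com": "GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "10.1.2.3:8080": "GET /x HTTP/1.1\r\nHost: 10.1.2.3:8080\r\n\r\n",
    # no leading dot, so the fb pattern does not match the apex name
    "facebook.com": "GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n",
    # a hostname containing four dotted numbers trips ip420 although it is not an address
    "build.10.2.3.4.example.test": "GET / HTTP/1.1\r\nHost: build.10.2.3.4.example.test\r\n\r\n",
    "www.example.test": "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def verdicts(samples=SAMPLES):
    """Map each sample's Host value to the action the l7-http policy would take."""
    return {host: classify(req) for host, req in samples.items()}


if __name__ == "__main__":
    for host, (action, why) in verdicts().items():
        print(f"{host:32} {action:5} {why or ''}")
```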
policy-map shiva_policy
class shiva_class
inspect ils
inspect dcerpc
inspect sunrpc
inspect netbios
inspect xdmcp
inspect rsh
inspect sqlnet
inspect tftp
inspect sip
inspect skinny
inspect ctiqbe
inspect mgcp
policy-map type inspect ipsec-pass-thru l7-ipsec-pass-thru
parameters
esp per-client-max 5
ah per-client-max 5
access-list ipsec-pass-acl permit udp any any eq 500
class-map ipsec-pass-class
match access-list ipsec-pass-acl
policy-map shiva_policy
class ipsec-pass-class
inspect ipsec-pass-thru l7-ipsec-pass-thru
Chapter 24
After reading this chapter you will be able to describe:
OSPFv3
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:1::1/48
OSPFv3
!
interface fastEthernet 0/1
ipv6 add 192:168:101::1/48
no shutdown
!
int lo1
ipv6 add 172:10:1::1/48
int lo2
ipv6 add 172:10:2::1/48
int lo3
ipv6 add 172:10:3::1/48
int lo4
ipv6 add 172:10:4::1/48
int lo5
ipv6 add 172:10:5::1/48
int lo6
ipv6 add 172:10:6::1/48
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:2::1/48
no shutdown
int lo1
ipv6 add 172:20:1::1/48
int lo2
ipv6 add 172:20:2::1/48
int lo3
ipv6 add 172:20:3::1/48
int lo4
ipv6 add 172:20:4::1/48
int lo5
ipv6 add 172:20:5::1/48
int lo6
ipv6 add 172:20:6::1/48
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:3::1/48
no shutdown
!
interface fastEthernet 0/1
ipv6 add 192:168:103::1/48
no shutdown
!
int lo1
ipv6 add 172:30:1::1/48
int lo2
ipv6 add 172:30:2::1/48
int lo3
ipv6 add 172:30:3::1/48
int lo4
ipv6 add 172:30:4::1/48
int lo5
ipv6 add 172:30:5::1/48
int lo6
ipv6 add 172:30:6::1/48
R4
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:4::1/48
no shutdown
int lo1
ipv6 add 172:40:1::1/48
int lo2
ipv6 add 172:40:2::1/48
int lo3
ipv6 add 172:40:3::1/48
int lo4
ipv6 add 172:40:4::1/48
int lo5
ipv6 add 172:40:5::1/48
int lo6
ipv6 add 172:40:6::1/48
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:2::2/48
!
interface GigabitEthernet0/2
nameif outside
security-level 0
no ip address
ipv6 address 192:168:3::2/48
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:4::2/48
ASA1(config-if)# sh ipv6 int brief
inside [up/up]
fe80::6e20:56ff:febd:ea87
192:168:1::2
dmz1 [up/up]
fe80::6e20:56ff:febd:ea84
192:168:2::2
outside [up/up]
fe80::6e20:56ff:febd:ea88
192:168:3::2
dmz2 [up/up]
fe80::6e20:56ff:febd:ea85
192:168:4::2
ASA1(config-if)# ping 192:168:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config-if)# ping 192:168:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:2::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config-if)# ping 192:168:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192:168:4::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:4::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1
ipv6 router ospf 100
router-id 1.1.1.1
exit
interface fastEthernet 0/0
ipv6 ospf 100 area 1
interface fastEthernet 0/1
ipv6 ospf 100 area 1
int l1
ipv6 ospf 100 area 4
int l2
ipv6 ospf 100 area 4
int l3
ipv6 ospf 100 area 4
int l4
ipv6 ospf 100 area 4
int l5
ipv6 ospf 100 area 4
int l6
ipv6 ospf 100 area 4
R2
ipv6 router ospf 100
router-id 2.2.2.2
int f0/0
ipv6 ospf 100 area 0
ipv6 router ei 100
no shutdown
int lo1
ip add 2.2.2.2 255.255.255.255
ipv6 eigrp 100
int lo2
ipv6 eigrp 100
int lo3
ipv6 eigrp 100
int lo4
ipv6 eigrp 100
int lo5
ipv6 eigrp 100
int lo6
ipv6 eigrp 100
R3
ipv6 router os 100
router-id 3.3.3.3
int f0/0
ipv6 ospf 100 area 2
int f0/1
ipv6 ospf 100 area 2
int l1
ipv6 ospf 100 area 2
int l2
ipv6 ospf 100 area 2
int l3
ipv6 ospf 100 area 2
int l4
ipv6 ospf 100 area 2
int l5
ipv6 ospf 100 area 2
int l6
ipv6 ospf 100 area 2
R4
ipv6 router ospf 100
router-id 4.4.4.4
int f0/0
ipv6 ospf 100 area 3
ipv6 router eigrp 200
router-id 4.4.4.4
no sh
int l1
ipv6 eigrp 200
int l2
ipv6 eigrp 200
int l3
ipv6 eigrp 200
int l4
ipv6 eigrp 200
int l5
ipv6 eigrp 200
int l6
ipv6 eigrp 200
ASA1
ipv6 router ospf 100
router-id 5.5.5.5
int g0/0
ipv6 ospf 100 area 1
int g0/1
ipv6 ospf 100 area 0
int g0/2
ipv6 ospf 100 area 2
int g0/3
ipv6 ospf 100 area 3
ASA1# sh ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
2.2.2.2 1 FULL/DR 0:00:31 4 dmz1
1.1.1.1 1 FULL/DR 0:00:35 4 inside
3.3.3.3 1 FULL/DR 0:00:32 3 outside
4.4.4.4 1 FULL/DR 0:00:33 3 dmz2
ASA1# sh ipv6 ospf database
OSPFv3 Router with ID (5.5.5.5) (Process ID 100)
Router Link States (Area 0)
ADV Router Age Seq# Fragment ID Link count Bits
2.2.2.2 162 0x80000003 0 1 None
5.5.5.5 161 0x80000001 0 1 B
Net Link States (Area 0)
ADV Router Age Seq# Link ID Rtr count
2.2.2.2 162 0x80000001 4 2
Inter Area Prefix Link States (Area 0)
ADV Router Age Seq# Prefix
5.5.5.5 151 0x80000002 192:168:101::/48
5.5.5.5 151 0x80000002 192:168:1::/48
5.5.5.5 141 0x80000001 192:168:103::/48
5.5.5.5 141 0x80000001 172:30:6::1/128
5.5.5.5 141 0x80000001 172:30:5::1/128
5.5.5.5 141 0x80000001 172:30:4::1/128
5.5.5.5 141 0x80000001 172:30:3::1/128
5.5.5.5 141 0x80000001 172:30:2::1/128
5.5.5.5 143 0x80000001 172:30:1::1/128
5.5.5.5 143 0x80000001 192:168:3::/48
5.5.5.5 143 0x80000001 192:168:4::/48
Link (Type-8) Link States (Area 0)
ADV Router Age Seq# Link ID Interface
2.2.2.2 835 0x80000001 4 dmz1
5.5.5.5 162 0x80000001 4 dmz1
Intra Area Prefix Link States (Area 0)
ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
2.2.2.2 163 0x80000001 4096 0x2002 4
Router Link States (Area 1)
ADV Router Age Seq# Fragment ID Link count Bits
1.1.1.1 166 0x80000007 0 1 None
5.5.5.5 160 0x80000002 0 1 B
Net Link States (Area 1)
ADV Router Age Seq# Link ID Rtr count
1.1.1.1 166 0x80000001 4 2
Inter Area Prefix Link States (Area 1)
ADV Router Age Seq# Prefix
5.5.5.5 153 0x80000001 192:168:2::/48
5.5.5.5 143 0x80000001 192:168:103::/48
5.5.5.5 143 0x80000001 172:30:6::1/128
5.5.5.5 143 0x80000001 172:30:5::1/128
5.5.5.5 143 0x80000001 172:30:4::1/128
5.5.5.5 143 0x80000001 172:30:3::1/128
5.5.5.5 143 0x80000001 172:30:2::1/128
5.5.5.5 143 0x80000001 172:30:1::1/128
5.5.5.5 143 0x80000001 192:168:3::/48
5.5.5.5 143 0x80000001 192:168:4::/48
Link (Type-8) Link States (Area 1)
ADV Router Age Seq# Link ID Interface
1.1.1.1 939 0x80000001 4 inside
5.5.5.5 165 0x80000001 3 inside
Intra Area Prefix Link States (Area 1)
ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
1.1.1.1 166 0x80000003 0 0x2001 0
1.1.1.1 166 0x80000001 4096 0x2002 4
Router Link States (Area 2)
ADV Router Age Seq# Fragment ID Link count Bits
3.3.3.3 150 0x8000000a 0 1 None
5.5.5.5 149 0x80000001 0 1 B
Net Link States (Area 2)
ADV Router Age Seq# Link ID Rtr count
3.3.3.3 150 0x80000001 3 2
Inter Area Prefix Link States (Area 2)
ADV Router Age Seq# Prefix
5.5.5.5 143 0x80000001 192:168:101::/48
5.5.5.5 143 0x80000001 192:168:1::/48
5.5.5.5 143 0x80000001 192:168:4::/48
5.5.5.5 143 0x80000001 192:168:2::/48
Link (Type-8) Link States (Area 2)
ADV Router Age Seq# Link ID Interface
3.3.3.3 652 0x80000001 3 outside
5.5.5.5 149 0x80000001 5 outside
Intra Area Prefix Link States (Area 2)
ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
3.3.3.3 150 0x80000007 0 0x2001 0
3.3.3.3 150 0x80000001 3072 0x2002 3
Router Link States (Area 3)
ADV Router Age Seq# Fragment ID Link count Bits
4.4.4.4 147 0x80000003 0 1 None
5.5.5.5 146 0x80000001 0 1 B
Net Link States (Area 3)
ADV Router Age Seq# Link ID Rtr count
4.4.4.4 147 0x80000001 3 2
Inter Area Prefix Link States (Area 3)
ADV Router Age Seq# Prefix
5.5.5.5 143 0x80000001 192:168:101::/48
5.5.5.5 143 0x80000001 192:168:1::/48
5.5.5.5 143 0x80000001 192:168:103::/48
5.5.5.5 143 0x80000001 172:30:6::1/128
5.5.5.5 143 0x80000001 172:30:5::1/128
5.5.5.5 143 0x80000001 172:30:4::1/128
5.5.5.5 143 0x80000001 172:30:3::1/128
5.5.5.5 143 0x80000001 172:30:2::1/128
5.5.5.5 143 0x80000001 172:30:1::1/128
5.5.5.5 143 0x80000001 192:168:3::/48
5.5.5.5 143 0x80000001 192:168:2::/48
Link (Type-8) Link States (Area 3)
ADV Router Age Seq# Link ID Interface
4.4.4.4 361 0x80000001 3 dmz2
5.5.5.5 146 0x80000001 6 dmz2
Intra Area Prefix Link States (Area 3)
ADV Router Age Seq# Link ID Ref-lstype Ref-LSID
4.4.4.4 151 0x80000001 3072 0x2002 3
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 18 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, outside
ASA1# ping 192:168:101::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192:168:103::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:103::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 1 virtual-link 1.1.1.1
R1(config-rtr)#ipv6 router ospf 100
R1(config-rtr)#area 1 virtual-link 5.5.5.5
ASA1# sh ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
1.1.1.1 0 FULL/ - 0:00:26 15 OSPFV3_VL0
2.2.2.2 1 FULL/DR 0:00:35 4 dmz1
1.1.1.1 1 FULL/DR 0:00:39 4 inside
3.3.3.3 1 FULL/DR 0:00:39 3 outside
4.4.4.4 1 FULL/DR 0:00:39 3 dmz2
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 25 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 172:10:1::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:2::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:3::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:4::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:5::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:6::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 192:168:101::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, outside
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# passive-interface default
ASA1(config-rtr)# no passive-interface inside
ASA1(config-rtr)# no passive-interface dmz1
ASA1(config-rtr)# no passive-interface dmz2
ASA1(config-rtr)# no passive-interface outside
ASA1(config)# ping 172:10:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172:10:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172:10:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172:10:2::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172:10:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172:10:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172:10:4::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172:10:4::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172:10:5::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172:10:5::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 172:10:6::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172:10:6::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2(config-rtr)#ipv6 router ospf 100
R2(config-rtr)#redistribute eigrp 100 metric-type 1 include-connected
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 31 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 172:10:1::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:2::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:3::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:4::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:5::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:6::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OE1 172:20:1::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:2::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:3::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:4::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:5::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:6::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 192:168:101::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, outside
R2(config-rtr)#ipv6 router ospf 100
R2(config-rtr)#summary-prefix 172:20:0::/45
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 26 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 172:10:1::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:2::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:3::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:4::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:5::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:6::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
OE1 172:20::/45 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 192:168:101::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, outside
R2(config-rtr)#ipv6 router ospf 100
R2(config-rtr)#no summary-prefix 172:20:0::/45
R1#sh ipv6 route ospf
IPv6 Routing Table - Default - 34 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
D - EIGRP, EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OE1 172:20:1::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:2::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:3::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:4::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:5::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:6::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
O 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
O 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 192:168:3::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 192:168:4::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 192:168:103::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 2 range 172:30::/45
R1#sh ipv6 route ospf
IPv6 Routing Table - Default - 29 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
D - EIGRP, EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OE1 172:20:1::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:2::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:3::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:4::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:5::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:6::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 172:30::/45 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
O 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
O 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 192:168:3::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 192:168:4::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OI 192:168:103::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# no area 2 range 172:30::/45
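A planning check on the two summaries shown above, as an added example in Python (not the devices' own logic): R2's "summary-prefix 172:20:0::/45" for its redistributed loopbacks and ASA1's "area 2 range 172:30::/45" for R3's /128 host routes. It computes the smallest single prefix covering the member routes, confirming that /45 is the tightest summary for six prefixes numbered 172:xx:1 to 172:xx:6, and lists the address space the summary announces that no member route actually covers; the prefix lists are copied from the configurations on this page.

```python
import ipaddress

# Prefix lists copied from this page's configurations and route tables:
# R2's loopbacks, redistributed from EIGRP into OSPFv3 and summarized with
#   summary-prefix 172:20:0::/45
R2_LOOPBACKS = [f"172:20:{i}::/48" for i in range(1, 7)]
# R3's loopbacks, advertised as /128 host routes in area 2 and summarized with
#   area 2 range 172:30::/45
R3_LOOPBACKS = [f"172:30:{i}::1/128" for i in range(1, 7)]


def summary_for(prefixes):
    """Smallest single prefix that covers every prefix in the list: start from
    the first one and widen it one bit at a time until all the others fit."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet()
    return candidate


def advertised_but_unused(summary, prefixes):
    """Blocks inside `summary` that no member prefix covers: the extra space a
    summary-prefix or area range announces beyond what the member routes reach.
    Returned sorted, in the largest blocks that fit."""
    remaining = [ipaddress.ip_network(summary)]
    for member in map(ipaddress.ip_network, prefixes):
        kept = []
        for block in remaining:
            if member.subnet_of(block):
                kept.extend(block.address_exclude(member))   # carve the member out
            elif not block.subnet_of(member):
                kept.append(block)                            # disjoint: keep as is
        remaining = kept
    return sorted(remaining)


def main():
    for label, members in (("R2 summary-prefix", R2_LOOPBACKS),
                           ("ASA1 area 2 range", R3_LOOPBACKS)):
        print(f"{label}: {summary_for(members)} covers {len(members)} member prefixes")
    for block in advertised_but_unused("172:20::/45", R2_LOOPBACKS):
        print(f"  172:20::/45 also announces {block}, which no R2 loopback uses")


if __name__ == "__main__":
    main()
```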
R3
R3#sh ipv6 route ospf
IPv6 Routing Table - 35 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:1::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:2::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:3::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:4::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:5::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:6::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:1::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:4::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:101::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:101::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 2 stub
R3(config-rtr)#ipv6 router ospf 100
R3(config-rtr)#area 2 stub
R3#sh ipv6 route ospf
IPv6 Routing Table - 30 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI ::/0 [110/2]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:1::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:4::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:101::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:101::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 2 stub no-summary
R3#sh ipv6 route ospf
IPv6 Routing Table - 18 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI ::/0 [110/2]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
ASA1
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 3 stub
R4(config)#ipv6 router ospf 100
R4(config-rtr)#area 3 stub
R4#sh ipv6 route ospf
IPv6 Routing Table - 35 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI ::/0 [110/2]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:1::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:3::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:101::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:101::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:103::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 3 stub no-summary
R4#sh ipv6 route ospf
IPv6 Routing Table - 16 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI ::/0 [110/2]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
R4(config)#ipv6 router ospf 100
R4(config-rtr)#redistribute eigrp 200 metric-type 1 include-connected
R4(config-rtr)#
*Oct 5 07:57:12.939: %OSPFv3-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while
having only one area which is a stub area
R4(config-rtr)#ipv6 router ospf 100
R4(config-rtr)#no area 3 stub
R4(config-rtr)#area 3 nssa
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# no area 3 stub
ASA1(config-rtr)# area 3 nssa
R4#sh ipv6 route ospf
IPv6 Routing Table - 34 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:1::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:3::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:101::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:101::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:103::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 3 nssa no-summary default-information-originate
R4#sh ipv6 route ospf
IPv6 Routing Table - 16 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI ::/0 [110/2]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
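The stub, stub no-summary, nssa and nssa no-summary outputs above differ in a way that is easy to miss when reading routing tables by eye: a stub ABR injects ::/0 on its own, while an NSSA ABR only does so when told default-information-originate. The following added example (not from the book, and not IOS or ASA code) parses `show ipv6 route ospf` output and infers the area view from the route codes present. The sample tables are constructed from the R3 and R4 outputs on this page; the classification rules are this script's own assumptions.

```python
"""Added example (not from the book): parse `show ipv6 route ospf` output from
IOS or the ASA and infer what kind of OSPFv3 area view an internal router has.

Rules encode what the lab above shows on R3 and R4:
  area N stub             -> OI summaries plus the OI ::/0 the ABR injects
  area N stub no-summary  -> only OI ::/0
  area N nssa             -> OI summaries, no externals, and NO default
  area N nssa no-summary default-information-originate -> only OI ::/0
"""
import re
from collections import Counter

# One route line as printed by `show ipv6 route`: "<code> <prefix> [<AD>/<metric>]".
ROUTE_RE = re.compile(
    r"^(?P<code>OI|OE1|OE2|ON1|ON2|O)\s+(?P<prefix>\S+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]"
)


def parse_ospf_routes(text):
    """Return OSPF entries as dicts; the indented 'via' line is folded in."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m.group("code"), "prefix": m.group("prefix"),
                           "ad": int(m.group("ad")), "metric": int(m.group("metric")),
                           "via": None})
        elif line.startswith("via ") and routes and routes[-1]["via"] is None:
            routes[-1]["via"] = line[len("via "):]
    return routes


def count_by_code(routes):
    """Counter of route codes, e.g. Counter({'OI': 3, 'OE1': 2})."""
    return Counter(r["code"] for r in routes)


def classify_area_view(routes):
    """Infer the area type from an internal router's OSPF routes (assumed rules)."""
    codes = count_by_code(routes)
    has_default = any(r["prefix"] == "::/0" for r in routes)
    summaries = [r for r in routes if r["code"] == "OI" and r["prefix"] != "::/0"]
    if codes["OE1"] or codes["OE2"]:
        return "normal"           # type-5 externals reach this router: not a stub
    if codes["ON1"] or codes["ON2"]:
        return "nssa"             # type-7 externals learned from another NSSA router
    if has_default and not summaries:
        return "totally-stubby"   # stub no-summary, or nssa no-summary with a default
    if has_default:
        return "stub"             # summaries plus the ABR's automatic default
    if summaries:
        return "nssa-no-default"  # summaries, no externals, no default injected
    return "empty"


# Constructed samples, trimmed from the R3/R4 outputs on this page (same format).
VIA = "via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0"
LEGEND = ("Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP\n"
          "       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2\n"
          "       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2\n")
SAMPLE_NORMAL = LEGEND + f"OI  172:10:1::1/128 [110/11]\n  {VIA}\n" \
    f"OE1 172:20:1::/48 [110/31]\n  {VIA}\nOE1 172:20:2::/48 [110/31]\n  {VIA}\n"
SAMPLE_STUB = LEGEND + f"OI  ::/0 [110/2]\n  {VIA}\n" \
    f"OI  172:10:1::1/128 [110/11]\n  {VIA}\nOI  192:168:1::/48 [110/11]\n  {VIA}\n"
SAMPLE_TOTALLY_STUBBY = LEGEND + f"OI  ::/0 [110/2]\n  {VIA}\n"
SAMPLE_NSSA = LEGEND + f"OI  172:10:1::1/128 [110/11]\n  {VIA}\n" \
    f"OI  192:168:103::/48 [110/12]\n  {VIA}\n"

if __name__ == "__main__":
    for name, table in [("normal", SAMPLE_NORMAL), ("stub", SAMPLE_STUB),
                        ("stub no-summary", SAMPLE_TOTALLY_STUBBY), ("nssa", SAMPLE_NSSA)]:
        routes = parse_ospf_routes(table)
        print(f"{name:16s} {dict(count_by_code(routes))} -> {classify_area_view(routes)}")
```

Run it against a real `show ipv6 route ospf` capture to confirm that a router you intended to be totally stubby really only holds ::/0; any OE or unexpected OI entry means the area type on the ABR and the internal router do not match.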
ASA1(config)# sh ipv6 route interface dmz2
IPv6 Routing Table - 37 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
ON1 172:40:1::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:2::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:3::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:4::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:5::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:6::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
R1(config-if)#interface lo1
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo2
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo3
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo4
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo5
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo6
R1(config-if)#ipv6 ospf network point-to-point
ASA1
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 37 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 172:10:1::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:2::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:3::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:4::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:5::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:6::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OE1 172:20:1::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:2::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:3::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:4::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:5::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:6::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
ON1 172:40:1::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:2::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:3::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:4::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:5::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:6::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
O 192:168:101::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, outside
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# distance ospf external 222 inter-area 111 intra-area 111
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 37 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 172:10:1::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:2::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:3::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:4::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:5::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:6::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
OE1 172:20:1::/48 [222/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:2::/48 [222/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:3::/48 [222/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:4::/48 [222/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:5::/48 [222/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:6::/48 [222/30]
via fe80::21f:9eff:fe5f:8060, dmz1
O 172:30:1::1/128 [111/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [111/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [111/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [111/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [111/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [111/10]
via fe80::46e4:d9ff:fe87:ecde, outside
ON1 172:40:1::/48 [222/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:2::/48 [222/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:3::/48 [222/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:4::/48 [222/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:5::/48 [222/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:6::/48 [222/30]
via fe80::21a:6cff:fed4:e56e, dmz2
O 192:168:101::1/128 [111/10]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:101::/48 [111/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [111/11]
via fe80::46e4:d9ff:fe87:ecde, outside
Chapter 25
After reading this chapter you will be able to describe:
IPv6 Static NAT
IPv6 Dynamic NAT
IPv6 PAT
IPv6 Static PAT
IPv6 Twice NAT
IPv6 Identity NAT
Diagram: NAT on OS 9.2.x on IPv6
Initial-config
R1
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:1::1/48
int f0/1
no shutdown
ipv6 add 192:168:101::1/48
ipv6 route ::/0 192:168:1::2
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login lo
exit
username shiva privilege 15 secret shiva
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R2
ipv6 unicast-routing
int fastEthernet 0/0
no shutdown
ipv6 add 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login lo
exit
username shiva privilege 15 secret shiva
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 192:168:102::1/48
no shutdown
R4
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:20::100/48
ipv6 route ::/0 192:168:20::1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R5
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:101::111/48
no shutdown
ipv6 route ::/0 192:168:1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login lo
exit
username shiva privilege 15 secret shiva
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:10::1/48
!
interface GigabitEthernet0/2
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:20::1/48
ipv6 route inside 192:168:101::/48 192:168:1::1
ipv6 route outside ::/0 101:1:1::1
ASA1# ping 192:168:101::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192:168:101::111
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::111, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192:168:10::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:10::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192:168:20::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:20::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192:168:102::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
STATIC
object network obj_net_192:168:1::1
host 192:168:1::1
object network obj_net_192:168:101::1
host 192:168:101::1
object network obj_net_192:168:101::111
host 192:168:101::111
object network obj_net_192:168:10::100
host 192:168:10::100
object network obj_net_192:168:20::100
host 192:168:20::100
object network obj_net_101:1:1::101
host 101:1:1::101
object network obj_net_101:1:1::102
host 101:1:1::102
object network obj_net_101:1:1::103
host 101:1:1::103
object network obj_net_101:1:1::104
host 101:1:1::104
object network obj_net_192:168:1::1
nat (inside,outside) static interface ipv6
object network obj_net_192:168:101::1
nat (inside,outside) static obj_net_101:1:1::101
object network obj_net_192:168:101::111
nat (inside,outside) static obj_net_101:1:1::102
object network obj_net_192:168:10::100
nat (dmz1,outside) static obj_net_101:1:1::103
object network obj_net_192:168:20::100
nat (dmz2,outside) static obj_net_101:1:1::104
! The ASA tracks TCP and UDP return traffic statefully, but ICMPv6 echo replies are
! not tracked unless ICMP inspection is enabled, so permit them with an ACL on the
! outside interface. ACLs match the real (untranslated) addresses, hence the objects below.
access-list out permit icmp6 any object obj_net_192:168:1::1
access-list out permit icmp6 any object obj_net_192:168:101::1
access-list out permit icmp6 any object obj_net_192:168:101::111
access-list out permit icmp6 any object obj_net_192:168:10::100
access-list out permit icmp6 any object obj_net_192:168:20::100
access-group out in interface outside
R3#debug ipv6 icmp
ICMP packet debugging is on
R1#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R2#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R4#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R5#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R3#debug ipv6 icmp
ICMP packet debugging is on
R3#
R3#
R3#
R3#
*Oct 5 08:54:26.379: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 08:54:26.379: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 08:54:26.383: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 08:54:26.383: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 08:54:26.383: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 08:54:26.383: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 08:54:26.387: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 08:54:26.387: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 08:54:26.387: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 08:54:26.387: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 08:54:32.123: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 08:54:32.123: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 08:54:32.123: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
*Oct 5 08:54:32.127: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 08:54:32.127: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 08:54:32.127: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 08:54:32.127: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 08:54:32.127: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 08:54:32.127: ICMPv6: Sending echo reply to 101:1:1::101
R3#
*Oct 5 08:54:32.131: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 08:54:32.131: ICMPv6: Sending echo reply to 101:1:1::101
R3#
*Oct 5 08:54:37.119: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 135
R3#
*Oct 5 08:54:42.119: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
R3#
*Oct 5 08:54:43.839: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 08:54:43.839: ICMPv6: Sending echo reply to 101:1:1::102
*Oct 5 08:54:43.839: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
*Oct 5 08:54:43.843: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 08:54:43.843: ICMPv6: Sending echo reply to 101:1:1::102
*Oct 5 08:54:43.843: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 08:54:43.843: ICMPv6: Sending echo reply to 101:1:1::102
*Oct 5 08:54:43.847: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 08:54:43.847: ICMPv6: Sending echo reply to 101:1:1::102
R3#
*Oct 5 08:54:43.847: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 08:54:43.847: ICMPv6: Sending echo reply to 101:1:1::102
R3#
*Oct 5 08:54:46.819: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 134
*Oct 5 08:54:47.107: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 135
R3#
*Oct 5 08:54:51.479: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 08:54:51.479: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 08:54:51.479: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 08:54:51.479: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 08:54:51.483: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 08:54:51.483: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 08:54:51.483: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 08:54:51.483: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 08:54:51.487: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 08:54:51.487: ICMPv6: Sending echo reply to 101:1:1::103
R3#
*Oct 5 08:54:56.595: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 08:54:56.595: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 08:54:56.595: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 08:54:56.595: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 08:54:56.599: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 08:54:56.599: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 08:54:56.599: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 08:54:56.599: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 08:54:56.599: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 08:54:56.599: ICMPv6: Sending echo reply to 101:1:1::104
ASA1(config)# sh xlate
5 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192:168:1::1/128 to outside:101:1:1::100/128
flags s idle 0:02:20 timeout 0:00:00
NAT from dmz1:192:168:10::100/128 to outside:101:1:1::103/128
flags s idle 0:01:55 timeout 0:00:00
NAT from dmz2:192:168:20::100/128 to outside:101:1:1::104/128
flags s idle 0:01:50 timeout 0:00:00
NAT from inside:192:168:101::1/128 to outside:101:1:1::101/128
flags s idle 0:02:14 timeout 0:00:00
NAT from inside:192:168:101::111/128 to outside:101:1:1::102/128
flags s idle 0:02:03 timeout 0:00:00
Dynamic
ASA1
object network obj_net_inside
subnet 192:168:1::/48
object network obj_net_inside_lan
subnet 192:168:101::/48
object network obj_net_dmz1_lan
subnet 192:168:10::/48
object network obj_net_dmz2_lan
subnet 192:168:20::/48
object network obj_net_dpool
range 101:1:1::101 101:1:1::104
object network obj_net_inside
nat (inside,outside) dynamic obj_net_dpool
object network obj_net_inside_lan
nat (inside,outside) dynamic obj_net_dpool
object network obj_net_dmz1_lan
nat (dmz1,outside) dynamic obj_net_dpool
object network obj_net_dmz2_lan
nat (dmz2,outside) dynamic obj_net_dpool
access-list out extended permit icmp6 any object obj_net_inside
access-list out extended permit icmp6 any object obj_net_inside_lan
access-list out extended permit icmp6 any object obj_net_dmz1_lan
access-list out extended permit icmp6 any object obj_net_dmz2_lan
access-group out in interface outside
R1#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R5#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R2#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R4#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4's ping fails because obj_net_dpool holds only four addresses (101:1:1::101 to 101:1:1::104) and the four sources that pinged earlier already hold them. A dynamic NAT rule with no PAT fallback drops traffic from any new source once the pool is exhausted; the four translations below confirm that 192:168:20::100 never received one.
ASA1(config)# sh xlate
4 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from dmz1:192:168:10::100 to outside:101:1:1::103 flags i idle 0:02:33 timeout 3:00:00
NAT from inside:192:168:101::111 to outside:101:1:1::102 flags i idle 0:02:37 timeout 3:00:00
NAT from inside:192:168:101::1 to outside:101:1:1::101 flags i idle 0:02:41 timeout 3:00:00
NAT from inside:192:168:1::1 to outside:101:1:1::104 flags i idle 0:02:43 timeout 3:00:00
R3#
*Oct 5 09:03:31.375: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.375: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 09:03:31.375: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
*Oct 5 09:03:31.379: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.379: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 09:03:31.379: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.379: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 09:03:31.383: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.383: ICMPv6: Sending echo reply to 101:1:1::104
R3#
*Oct 5 09:03:31.383: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.383: ICMPv6: Sending echo reply to 101:1:1::104
R3#
*Oct 5 09:03:33.095: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.095: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.095: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.095: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.103: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.103: ICMPv6: Sending echo reply to 101:1:1::101
R3#
*Oct 5 09:03:36.371: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 135
*Oct 5 09:03:37.275: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 09:03:37.275: ICMPv6: Sending echo reply to 101:1:1::102
*Oct 5 09:03:37.279: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 09:03:37.279: ICMPv6: Sending echo reply to 101:1:1::102
*Oct 5 09:03:37.279: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 09:03:37.279: ICMPv6: Sending echo reply to 101:1:1::102
*Oct 5 09:03:37.283: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 09:03:37.283: ICMPv6: Sending echo reply to 101:1:1::102
R3#
*Oct 5 09:03:37.283: ICMPv6: Received echo request from 101:1:1::102
*Oct 5 09:03:37.283: ICMPv6: Sending echo reply to 101:1:1::102
R3#
*Oct 5 09:03:41.167: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 09:03:41.167: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 09:03:41.171: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
*Oct 5 09:03:41.171: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 09:03:41.171: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 09:03:41.175: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 09:03:41.175: ICMPv6: Sending echo reply to 101:1:1::103
*Oct 5 09:03:41.175: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 09:03:41.175: ICMPv6: Sending echo reply to 101:1:1::103
R3#
*Oct 5 09:03:41.175: ICMPv6: Received echo request from 101:1:1::103
*Oct 5 09:03:41.179: ICMPv6: Sending echo reply to 101:1:1::103
ASA1
PAT
object network obj_net_inside
subnet 192:168:1::/48
object network obj_net_inside_lan
subnet 192:168:101::/48
object network obj_net_dmz1_lan
subnet 192:168:10::/48
object network obj_net_dmz2_lan
subnet 192:168:20::/48
!
object network obj_net_inside
nat (inside,outside) dynamic interface ipv6
object network obj_net_inside_lan
nat (inside,outside) dynamic interface ipv6
object network obj_net_dmz1_lan
nat (dmz1,outside) dynamic interface ipv6
object network obj_net_dmz2_lan
nat (dmz2,outside) dynamic interface ipv6
access-list out extended permit icmp6 any object obj_net_inside
access-list out extended permit icmp6 any object obj_net_inside_lan
access-list out extended permit icmp6 any object obj_net_dmz1_lan
access-list out extended permit icmp6 any object obj_net_dmz2_lan
access-group out in interface outside
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R5#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R2#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R4#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
ASA1(config-network-object)# sh xlate
6 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP6 PAT from dmz2:192:168:20::100/8784 to outside:101:1:1::100/8784 flags ri idle 0:00:00 timeout 0:00:30
ICMP6 PAT from dmz1:192:168:10::100/5560 to outside:101:1:1::100/5560 flags ri idle 0:00:03 timeout 0:00:30
ICMP6 PAT from inside:192:168:101::111/4159 to outside:101:1:1::100/4159 flags ri idle 0:00:08 timeout 0:00:30
ICMP6 PAT from inside:192:168:1::1/8024 to outside:101:1:1::100/8024 flags ri idle 0:00:13 timeout 0:00:30
ICMP6 PAT from inside:192:168:101::1/954 to outside:101:1:1::100/954 flags ri idle 0:00:12 timeout 0:00:30
ICMP6 PAT from inside:192:168:101::1/3788 to outside:101:1:1::100/3788 flags ri idle 0:00:15 timeout 0:00:30
ASA1
STATIC PAT
object network obj_net_192:168:1::1
host 192:168:1::1
object network obj_net_192:168:1::1
nat (inside,outside) static interface ipv6 service tcp ssh ssh
access-list out extended permit tcp any object obj_net_192:168:1::1 eq ssh
access-group out in interface outside
R3#ssh -l shiva 101:1:1::100
Password:
R1#
ASA1(config)# sh xlate
1 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:192:168:1::1/128 22-22 to outside:101:1:1::100/128 22-22 flags sr idle 0:00:12 timeout 0:00:00
ASA1(config)# sh conn
1 in use, 28 most used
TCP outside 101:1:1::1:40109 inside 192:168:1::1:22, idle 0:00:03, bytes 2452, flags UIOB
R3#ssh -l shiva 101:1:1::100
Password:
R1#ex
R1#exit
[Connection to 101:1:1::100 closed by foreign host]
R3#
R3#
ASA1(config)# sh conn
0 in use, 28 most used
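As an added check that is not from the book, here is a small Python parser for the ASA's show xlate lines seen in the PAT and static PAT sections above, with each translation put back on a single line as the ASA prints it. It splits every entry into interface, real address, mapped address, flags and timers, then verifies the intent of the rules in this section: each dynamic translation (flag i) must leave via outside and map to the interface address 101:1:1::100, a static one (flag s) should carry no idle timeout, and a per-host count shows which real host holds the most PAT slots, which is what you look at first when a PAT pool runs out. The sample output is constructed from this section's entries; the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the translations from this chapter's "show xlate"
# output (dynamic ICMP6 PAT on several interfaces, one static TCP PAT),
# each put back on a single line as the ASA prints it.
SAMPLE_XLATE = """\
7 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP6 PAT from dmz2:192:168:20::100/8784 to outside:101:1:1::100/8784 flags ri idle 0:00:00 timeout 0:00:30
ICMP6 PAT from dmz1:192:168:10::100/5560 to outside:101:1:1::100/5560 flags ri idle 0:00:03 timeout 0:00:30
ICMP6 PAT from inside:192:168:101::111/4159 to outside:101:1:1::100/4159 flags ri idle 0:00:08 timeout 0:00:30
ICMP6 PAT from inside:192:168:1::1/8024 to outside:101:1:1::100/8024 flags ri idle 0:00:13 timeout 0:00:30
ICMP6 PAT from inside:192:168:101::1/954 to outside:101:1:1::100/954 flags ri idle 0:00:12 timeout 0:00:30
ICMP6 PAT from inside:192:168:101::1/3788 to outside:101:1:1::100/3788 flags ri idle 0:00:15 timeout 0:00:30
TCP PAT from inside:192:168:1::1/128 22-22 to outside:101:1:1::100/128 22-22 flags sr idle 0:00:12 timeout 0:00:00
"""

# One PAT line: "<proto> PAT from <if>:<addr>/<port|prefix> [lo-hi] to <if>:<addr>/... flags <f> idle h:mm:ss timeout h:mm:ss"
XLATE_RE = re.compile(
    r"^(?P<proto>\w+) PAT from (?P<in_if>\w+):(?P<in_ep>\S+(?: \d+-\d+)?) "
    r"to (?P<out_if>\w+):(?P<out_ep>\S+(?: \d+-\d+)?) "
    r"flags (?P<flags>\w+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)$"
)


@dataclass
class Xlate:
    proto: str
    in_if: str
    in_addr: str
    out_if: str
    out_addr: str
    flags: str      # letters from the legend: i dynamic, s static, r portmap, ...
    idle_s: int
    timeout_s: int

    @property
    def dynamic(self) -> bool:
        return "i" in self.flags

    @property
    def static(self) -> bool:
        return "s" in self.flags


def hms_to_seconds(text: str) -> int:
    """'0:00:13' -> 13"""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_xlate(output: str) -> List[Xlate]:
    """Return one Xlate per translation line; counters and the flag legend are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Xlate(
            proto=m["proto"],
            in_if=m["in_if"],
            in_addr=m["in_ep"].split("/")[0],    # drop the port / prefix-length part
            out_if=m["out_if"],
            out_addr=m["out_ep"].split("/")[0],
            flags=m["flags"],
            idle_s=hms_to_seconds(m["idle"]),
            timeout_s=hms_to_seconds(m["timeout"]),
        ))
    return entries


def translations_per_host(entries: List[Xlate]) -> Dict[str, int]:
    """How many PAT slots each real host currently holds (port-exhaustion watch)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.in_addr] = counts.get(e.in_addr, 0) + 1
    return counts


def check_pat(entries: List[Xlate], outside_if: str, outside_addr: str) -> List[str]:
    """Findings that contradict the intended 'nat ... dynamic interface ipv6' design."""
    findings = []
    for e in entries:
        who = f"{e.in_if}:{e.in_addr}"
        if e.out_if != outside_if:
            findings.append(f"{who} leaves via {e.out_if}, expected {outside_if}")
        if e.dynamic and e.out_addr != outside_addr:
            findings.append(f"{who} mapped to {e.out_addr}, expected interface address {outside_addr}")
        if e.dynamic and e.idle_s > e.timeout_s:
            findings.append(f"{who} idle {e.idle_s}s exceeds its {e.timeout_s}s timeout")
        if e.static and e.timeout_s != 0:
            findings.append(f"{who} is static (flag s) but carries a timeout")
    return findings


if __name__ == "__main__":
    xl = parse_xlate(SAMPLE_XLATE)
    print(f"{len(xl)} translations parsed")
    print(translations_per_host(xl))
    print(check_pat(xl, "outside", "101:1:1::100") or "PAT looks as designed")
```

Feed it the raw output of show xlate (the lines wrapped in the book's transcript must be rejoined first) and a non-empty findings list tells you which rule or interface to look at; the per-host counts are the quickest way to spot one host consuming the PAT port space.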
ASA1
Identity NAT
object network obj_net_192:168:101::0
subnet 192:168:101::/48
object network obj_net_192:168:102::0
subnet 192:168:102::/48
nat (inside,outside) source static obj_net_192:168:101::0 obj_net_192:168:101::0 destination static obj_net_192:168:102::0 obj_net_192:168:102::0
nat (inside,outside) source dynamic any interface ipv6
access-list out extended permit icmp6 any object obj_net_192:168:101::0
access-list out extended permit icmp6 any 192:168:1::/48
access-group out in interface outside
R1#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 ms
R1#ping 101:1:1::1 so
R1#ping 101:1:1::1 source f
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/4 ms
R1#ping 192:168:102::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
R1#ping 192:168:102::1 so
R1#ping 192:168:102::1 source f
R1#ping 192:168:102::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
.....
Success rate is 0 percent (0/5)
R3#
*Oct 5 09:36:02.555: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.555: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 09:36:07.555: ICMPv6: Received ICMPv6 packet from 101:1:1::100, type 136
R3#
*Oct 5 09:36:11.039: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 09:36:12.551: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 135
R3#
*Oct 5 09:36:17.551: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
R3#
*Oct 5 09:36:25.651: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 09:36:28.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:28.591: ICMPv6: Sending echo reply to 192:168:101::1
R3#
*Oct 5 09:36:30.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:30.591: ICMPv6: Sending echo reply to 192:168:101::1
R3#
*Oct 5 09:36:32.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:32.591: ICMPv6: Sending echo reply to 192:168:101::1
R3#
*Oct 5 09:36:34.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:34.591: ICMPv6: Sending echo reply to 192:168:101::1
R3#
*Oct 5 09:36:36.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:36.591: ICMPv6: Sending echo reply to 192:168:101::1
ASA1
Twice NAT
object network obj_net_101:1:1::0
subnet 101:1:1::/48
object network obj_net_192:168:102::0
subnet 192:168:102::/48
object network obj_net_101:1:1::111
host 101:1:1::111
object network obj_net_101:1:1::222
host 101:1:1::222
nat (inside,outside) source dynamic any obj_net_101:1:1::111 destination static obj_net_101:1:1::0 obj_net_101:1:1::0
nat (inside,outside) source dynamic any obj_net_101:1:1::222 destination static obj_net_192:168:102::0 obj_net_192:168:102::0
access-list out extended permit icmp6 any any
access-group out in interface outside
R1#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R1#ping 101:1:1::1 so
R1#ping 101:1:1::1 source f
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R1#
R1#pin
R1#ping 192:168:102::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
R1#ping 192:168:102::1 so
R1#ping 192:168:102::1 source f
R1#ping 192:168:102::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R3#
*Oct 5 09:46:16.803: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.803: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.803: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.803: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.811: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.811: ICMPv6: Sending echo reply to 101:1:1::111
R3#
*Oct 5 09:46:20.155: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.155: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Sending echo reply to 101:1:1::111
R3#
*Oct 5 09:46:28.055: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.055: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.055: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.055: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.063: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.063: ICMPv6: Sending echo reply to 101:1:1::222
R3#
*Oct 5 09:46:31.047: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.055: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:31.055: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.055: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:31.055: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.055: ICMPv6: Sending echo reply to 101:1:1::222
Chapter 26
After reading this chapter you will be able to describe:
Site-to-Site VPN on IPv6
Diagram: Site-to-Site VPN on IPv6
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:101::100/48
no shutdown
ipv6 route ::/0 192:168:101::1
R2
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:102::100/48
no shutdown
ipv6 route ::/0 192:168:102::1
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
interface fastEthernet 0/1
no shutdown
ipv6 add 102:1:1::1/48
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ipv6 add 192:168:101::1/48
interface gigabitEthernet 0/1
no shu
nameif outside
ipv6 add 101:1:1::100/48
ipv6 route outside ::/0 101:1:1::1
ASA1(config)# ping 192:168:101::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 102:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ipv6 add 192:168:102::1/48
no shu
interface g0/1
no shu
nameif outside
ipv6 add 102:1:1::100/48
no shu
ipv6 route outside ::/0 102:1:1::1
ASA2(config)# ping 192:168:102::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# pin
ASA2(config)# ping 101:1:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102:1:1::100 type ipsec-l2l
tunnel-group 102:1:1::100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192:168:101::/48 192:168:102::/48
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102:1:1::100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101:1:1::100 type ipsec-l2l
tunnel-group 101:1:1::100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192:168:102::/48 192:168:101::/48
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101:1:1::100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
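The two crypto configurations above have to agree before the tunnel can come up, and the usual site-to-site failure is a one-sided slip in the peer address, the transform set or the crypto ACL. As an added example that is not the book's code, the following Python parses the IKEv1/IPsec fragments of both ASAs and checks their parity: each crypto map must peer with the other firewall's outside address and reference a transform set and ACL that exist, at least one IKEv1 policy must match on authentication, encryption, hash and group (lifetime is negotiated down, so it may differ), the transform sets must have a common entry, and the crypto ACLs must be mirror images. It also warns on the two parameters this chapter uses that are below current guidance: on the ASA, hash sha means SHA-1, and DH group 5 is below the group 14 minimum now recommended. The configuration strings are copied from this section; the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the IKEv1/IPsec fragments of ASA1 and ASA2 from this
# chapter, as they appear in each running-config.
ASA1_CFG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 extended permit ip 192:168:101::/48 192:168:102::/48
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102:1:1::100
crypto map test 10 match address 101
crypto map test interface outside
"""
ASA2_CFG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
access-list 102 extended permit ip 192:168:102::/48 192:168:101::/48
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101:1:1::100
crypto map test 10 match address 102
"""

POLICY_ATTRS = ("authentication", "encryption", "hash", "group")
CMAP_KEYS = {"set ikev1 transform-set": "tset", "set peer": "peer", "match address": "acl"}


def parse_crypto_cfg(cfg: str) -> dict:
    """Collect IKEv1 policies, transform sets, crypto ACLs and crypto map entries."""
    policies: Dict[str, Dict[str, str]] = {}
    tsets: Dict[str, Tuple[str, ...]] = {}
    acls: Dict[str, List[Tuple[str, str]]] = {}
    cmap: Dict[Tuple[str, str], Dict[str, str]] = {}
    policy = None   # the 'crypto ikev1 policy' block whose sub-commands we are in
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            policy = policies.setdefault(m[1], {})
            continue
        if policy is not None and line.split(" ")[0] in POLICY_ATTRS + ("lifetime",):
            key, _, val = line.partition(" ")
            policy[key] = val
            continue
        policy = None   # any other command ends the policy block
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            tsets[m[1]] = tuple(m[2].split())
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"crypto map (\S+) (\d+) (set ikev1 transform-set|set peer|match address) (\S+)$", line):
            cmap.setdefault((m[1], m[2]), {})[CMAP_KEYS[m[3]]] = m[4]
    return {"policies": policies, "tsets": tsets, "acls": acls, "cmap": cmap}


def check_l2l_pair(a: dict, a_addr: str, b: dict, b_addr: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors stop the tunnel, warnings are weak parameters."""
    errors: List[str] = []
    warnings: List[str] = []
    for side, cfg, peer in (("A", a, b_addr), ("B", b, a_addr)):
        for (name, seq), e in cfg["cmap"].items():
            if e.get("peer") != peer:
                errors.append(f"{side}: crypto map {name} {seq} peers with {e.get('peer')}, expected {peer}")
            if e.get("tset") not in cfg["tsets"]:
                errors.append(f"{side}: crypto map {name} {seq} uses undefined transform-set {e.get('tset')}")
            if e.get("acl") not in cfg["acls"]:
                errors.append(f"{side}: crypto map {name} {seq} matches undefined ACL {e.get('acl')}")
        for prio, p in cfg["policies"].items():
            if p.get("hash") in ("md5", "sha"):   # 'sha' on the ASA is SHA-1
                warnings.append(f"{side}: ikev1 policy {prio} hash {p['hash']}; SHA-2 is current guidance")
            if p.get("group", "").isdigit() and int(p["group"]) < 14:
                warnings.append(f"{side}: ikev1 policy {prio} DH group {p['group']}; use 14 or higher")
    # Phase 1 needs one policy that agrees on every attribute except lifetime.
    proposals = [{tuple(p.get(k) for k in POLICY_ATTRS) for p in c["policies"].values()} for c in (a, b)]
    if not proposals[0] & proposals[1]:
        errors.append("no IKEv1 policy common to both peers")
    # Phase 2 needs a common transform set and mirrored crypto ACLs.
    tsets = [{c["tsets"][e["tset"]] for e in c["cmap"].values() if e.get("tset") in c["tsets"]} for c in (a, b)]
    if not tsets[0] & tsets[1]:
        errors.append("no transform set common to both crypto maps")
    flows = [{f for e in c["cmap"].values() for f in c["acls"].get(e.get("acl"), [])} for c in (a, b)]
    if flows[0] != {(dst, src) for src, dst in flows[1]}:
        errors.append("crypto ACLs are not mirror images of each other")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_l2l_pair(parse_crypto_cfg(ASA1_CFG), "101:1:1::100",
                                 parse_crypto_cfg(ASA2_CFG), "102:1:1::100")
    print("errors:", errs or "none")
    print("warnings:", warns)
```

Run it against the two running-configs before bringing the tunnel up; an empty error list means the peers can negotiate, and the warnings list is the checklist for the next maintenance window.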
R1#ping 192:168:102::100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192:168:102::100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 0/2/4 ms
R2#ping 192:168:101::100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192:168:101::100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 0/2/4 ms
ASA1(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102:1:1::100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1(config)# sh cry
ASA1(config)# sh crypto ip
ASA1(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101:1:1::100
access-list 101 extended permit ip 192:168:101::/48 192:168:102::/48
local ident (addr/mask/prot/port): (192:168:101::/48/0/0)
remote ident (addr/mask/prot/port): (192:168:102::/48/0/0)
current_peer: 102:1:1::100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101:1:1::100/0, remote crypto endpt.: 102:1:1::100/0
path mtu 1500, ipsec overhead 94(64), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DD53A4C1
current inbound spi : 21DA3675
inbound esp sas:
spi: 0x21DA3675 (567948917)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (3914980/1760)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDD53A4C1 (3713246401)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (3914980/1760)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA2
ASA2(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101:1:1::100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA2(config)# sh cry
ASA2(config)# sh crypto ip
ASA2(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102:1:1::100
access-list 102 extended permit ip 192:168:102::/48 192:168:101::/48
local ident (addr/mask/prot/port): (192:168:102::/48/0/0)
remote ident (addr/mask/prot/port): (192:168:101::/48/0/0)
current_peer: 101:1:1::100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102:1:1::100/0, remote crypto endpt.: 101:1:1::100/0
path mtu 1500, ipsec overhead 94(64), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 21DA3675
current inbound spi : DD53A4C1
inbound esp sas:
spi: 0xDD53A4C1 (3713246401)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4373980/1732)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x21DA3675 (567948917)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (4373980/1732)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
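With the tunnel up, the two show crypto ipsec sa outputs above should mirror each other: ASA1's outbound SPI (DD53A4C1) is ASA2's inbound SPI and vice versa, the local and remote proxy identities are swapped, and what one side encapsulates the other decapsulates (199 packets each way here). As an added example that is not from the book, this Python parses both outputs and checks those relationships, plus anti-replay support on every SA and the remaining SA lifetime. The outputs are the chapter's, trimmed to the lines the parser reads; the function names are mine.

```python
import re
from typing import List

# Constructed samples: the relevant lines of "show crypto ipsec sa" from
# ASA1 and ASA2 in this chapter (counters the parser does not read are omitted).
ASA1_SA = """\
interface: outside
    Crypto map tag: test, seq num: 10, local addr: 101:1:1::100
      local ident (addr/mask/prot/port): (192:168:101::/48/0/0)
      remote ident (addr/mask/prot/port): (192:168:102::/48/0/0)
      current_peer: 102:1:1::100
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      local crypto endpt.: 101:1:1::100/0, remote crypto endpt.: 102:1:1::100/0
      current outbound spi: DD53A4C1
      current inbound spi : 21DA3675
    inbound esp sas:
      spi: 0x21DA3675 (567948917)
         transform: esp-aes esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (3914980/1760)
         replay detection support: Y
    outbound esp sas:
      spi: 0xDD53A4C1 (3713246401)
         transform: esp-aes esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (3914980/1760)
         replay detection support: Y
"""
ASA2_SA = """\
interface: outside
    Crypto map tag: test, seq num: 10, local addr: 102:1:1::100
      local ident (addr/mask/prot/port): (192:168:102::/48/0/0)
      remote ident (addr/mask/prot/port): (192:168:101::/48/0/0)
      current_peer: 101:1:1::100
      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      local crypto endpt.: 102:1:1::100/0, remote crypto endpt.: 101:1:1::100/0
      current outbound spi: 21DA3675
      current inbound spi : DD53A4C1
    inbound esp sas:
      spi: 0xDD53A4C1 (3713246401)
         transform: esp-aes esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373980/1732)
         replay detection support: Y
    outbound esp sas:
      spi: 0x21DA3675 (567948917)
         transform: esp-aes esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373980/1732)
         replay detection support: Y
"""


def _one(pattern: str, text: str) -> str:
    """First capture group of the first match, or a clear error if the field is missing."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m[1]


def parse_ipsec_sa(text: str) -> dict:
    """Pull endpoints, proxy identities, SPIs, counters and SA attributes out of one peer's output."""
    return {
        "local": _one(r"local crypto endpt\.: (\S+)/\d+", text),
        "remote": _one(r"remote crypto endpt\.: (\S+)/\d+", text),
        "local_ident": _one(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        "remote_ident": _one(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        "out_spi": _one(r"current outbound spi: (\w+)", text).upper(),
        "in_spi": _one(r"current inbound spi\s*: (\w+)", text).upper(),
        "encaps": int(_one(r"#pkts encaps: (\d+)", text)),
        "decaps": int(_one(r"#pkts decaps: (\d+)", text)),
        "transforms": {t.strip() for t in re.findall(r"transform: (.+)", text)},
        "replay": set(re.findall(r"replay detection support: (\w)", text)),
        "lifetime_sec": min(int(s) for _, s in
                            re.findall(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", text)),
    }


def cross_check(a: dict, b: dict, min_lifetime_sec: int = 60, drift: int = 0) -> List[str]:
    """Relationships that must hold between the two ends of one healthy tunnel."""
    findings = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append(f"endpoints do not mirror: {a['local']}<->{a['remote']} vs {b['local']}<->{b['remote']}")
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identities (crypto ACLs) do not mirror")
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        findings.append(f"SPIs do not pair up: A out {a['out_spi']}/in {a['in_spi']}, B out {b['out_spi']}/in {b['in_spi']}")
    if abs(a["encaps"] - b["decaps"]) > drift or abs(b["encaps"] - a["decaps"]) > drift:
        findings.append("encapsulated and decapsulated packet counts diverge")
    for name, sa in (("A", a), ("B", b)):
        if sa["replay"] != {"Y"}:
            findings.append(f"{name}: anti-replay not enabled on every SA")
        if sa["lifetime_sec"] < min_lifetime_sec:
            findings.append(f"{name}: SA within {sa['lifetime_sec']}s of expiry, rekey expected")
    if a["transforms"] != b["transforms"]:
        findings.append("transform sets differ")
    return findings


if __name__ == "__main__":
    print(cross_check(parse_ipsec_sa(ASA1_SA), parse_ipsec_sa(ASA2_SA)) or "tunnel state is consistent")
```

When the two outputs are captured from live peers the counters are sampled at slightly different instants, so pass a drift of a few packets; a gap that keeps growing between encaps on one side and decaps on the other is the number to watch, because it points at loss between the peers rather than at a configuration fault.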
Chapter 27
After reading this chapter you will be able to describe:
SSL VPN on IPv6
Diagram: SSL VPN on IPv6
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 192:168:101::1/48
no shutdown
ipv6 add 192:168:102::1/48
R2
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:1::2/48
no sh
int f0/1
no shutdown
ipv6 add 192:168:10::1/48
exit
ipv6 router ospf 100
router-id 2.2.2.2
int f0/0
ipv6 ospf 100 area 0
int f0/1
ipv6 ospf 100 area 0
R3
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:2::2/48
int f0/1
no sh
ipv6 add 192:168:20::1/48
exit
ipv6 router ospf 100
router-id 3.3.3.3
int f0/0
ipv6 ospf 100 area 0
int f0/1
ipv6 ospf 100 area 0
R4
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:10::100/48
no shutdown
ipv6 route ::/0 192:168:10::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http au local
username shiva privilege 15 secret shiva
R5
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:20::100/48
no shutdown
ipv6 route ::/0 192:168:20::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http au local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48
!
interface GigabitEthernet0/1
nameif inside1
security-level 100
no ip address
ipv6 address 192:168:1::1/48
ipv6 ospf 100 area 0
!
interface GigabitEthernet0/2
nameif inside2
security-level 100
no ip address
ipv6 address 192:168:2::1/48
ipv6 ospf 100 area 0
!
ipv6 route outside ::/0 101:1:1::1
ipv6 router ospf 100
router-id 1.1.1.1
log-adjacency-changes
!
ASA1(config)# sh ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
3.3.3.3 1 FULL/BDR 0:00:35 3 inside2
2.2.2.2 1 FULL/DR 0:00:31 4 inside1
ASA1(config)# sh ipv6 route ospf
IPv6 Routing Table - 13 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 192:168:10::/48 [110/11]
via fe80::21f:9eff:fe5f:8060, inside1
O 192:168:20::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, inside2
ASA1(config)# ping 192:168:101::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:101::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:10::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:10::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192:168:20::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:20::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
https://[101:1:1::100]
In the portal's URL bar, type [192:168:10::100] for admin and [192:168:20::100] for mgmt.
webvpn
port 9090
enable outside
webvpn
port 9090
enable outside
port-forward admin 2222 192:168:10::100 ssh
port-forward admin 2323 192:168:10::100 telnet
port-forward admin 8080 192:168:10::100 www
port-forward admin 8181 192:168:10::100 https
port-forward mgmt 2222 192:168:20::100 ssh
port-forward mgmt 2323 192:168:20::100 telnet
port-forward mgmt 8080 192:168:20::100 www
port-forward mgmt 8181 192:168:20::100 https
group-policy admin_policy internal
group-policy admin_policy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
port-forward name admin
port-forward enable admin
group-policy mgmt_policy internal
group-policy mgmt_policy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
port-forward name mgmt
port-forward auto-start mgmt
tunnel-group admin_group type remote-access
tunnel-group admin_group general-attributes
default-group-policy admin_policy
tunnel-group admin_group webvpn-attributes
group-alias ADMIN_GROUP enable
tunnel-group mgmt_group type remote-access
tunnel-group mgmt_group general-attributes
default-group-policy mgmt_policy
tunnel-group mgmt_group webvpn-attributes
group-alias MGMT_GROUP enable
webvpn
tunnel-group-list enable
ASA1# vpn-sessiondb logoff webvpn
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions of type "webvpn" logged off : 2
Chapter 28
BGP (Border Gateway Protocol)
After reading this chapter you will be able to describe:
BGP Messages
BGP Tables
BGP States
BGP Terminology
BGP Lab
BGP is an exterior gateway, classless, path-vector routing protocol. Why is it called path vector? Because it selects routes based on the AS path, and it rejects any route whose AS path already contains its own AS (this is how BGP prevents routing loops).

BGP Messages
Open
Keep Alive
Update
Notification

Open
BGP sends the Open message over TCP port 179.
Contains:-
1. Version
2. My AS
3. Router ID
4. Hold Time (default 180 sec)

Keep Alive
BGP sends a periodic Keep Alive every 60 sec.

Update
When two routers become BGP neighbours they send Update messages to each other.
Contains:-
1. Route
2. Route's Attributes

Route's Attributes
These are the criteria used to select the best route; they are also called the Rich Metric.

Notification
When a neighbour is reset, BGP sends a Notification message.
Contains:-
The cause of the reset.

BGP can be implemented within an AS; this is called iBGP.
BGP can be implemented between ASes; this is called eBGP.
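As an added example that is not from the book, the following Python encodes and validates the Open message described above according to RFC 4271. The decoder performs the checks a receiving speaker makes before it answers (marker, length, type, version, the peer-AS comparison that backs "neighbor X remote-as N", the hold time and the router ID) and raises the NOTIFICATION error it would send back; negotiate_timers shows how the 180 s hold time and 60 s keepalive interval seen in "sh bgp neighbors" are derived. The field names and the OpenError class are my own; the layout is the RFC's.

```python
"""Encode and validate a BGP OPEN message (RFC 4271 section 4.2). Added example, not book code."""
import struct
from dataclasses import dataclass

BGP_MARKER = b"\xff" * 16          # 16 bytes of all ones when no authentication option is in use
BGP_TYPE_OPEN = 1
BGP_HEADER_LEN = 19                # marker(16) + length(2) + type(1)
OPEN_FIXED_LEN = BGP_HEADER_LEN + 10   # + version(1) my-AS(2) hold-time(2) identifier(4) opt-len(1)


class OpenError(ValueError):
    """Carries the NOTIFICATION error/subcode name a peer would send back."""


@dataclass
class OpenMessage:
    version: int
    my_as: int                     # 2-octet AS number (4-octet ASNs use AS_TRANS here, not modelled)
    hold_time: int
    bgp_identifier: str            # router ID in dotted-quad form
    opt_params: bytes = b""


def encode_open(msg: OpenMessage) -> bytes:
    """Build the wire form: common header followed by the fixed OPEN fields."""
    ident = bytes(int(octet) for octet in msg.bgp_identifier.split("."))
    body = struct.pack("!BHH4sB", msg.version, msg.my_as, msg.hold_time,
                       ident, len(msg.opt_params)) + msg.opt_params
    header = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_OPEN)
    return header + body


def decode_open(data: bytes, expected_as: int) -> OpenMessage:
    """Parse an OPEN and apply the receiver-side checks; expected_as is the configured remote-as."""
    if len(data) < OPEN_FIXED_LEN:
        raise OpenError("Message Header Error: Bad Message Length")
    if data[:16] != BGP_MARKER:
        raise OpenError("Message Header Error: Connection Not Synchronized")
    length, mtype = struct.unpack("!HB", data[16:19])
    if length != len(data) or length < OPEN_FIXED_LEN:
        raise OpenError("Message Header Error: Bad Message Length")
    if mtype != BGP_TYPE_OPEN:
        raise OpenError("Message Header Error: Bad Message Type")
    version, my_as, hold, ident, opt_len = struct.unpack("!BHH4sB", data[19:29])
    if version != 4:
        raise OpenError("OPEN Message Error: Unsupported Version Number")
    if my_as != expected_as:           # the check behind 'neighbor X remote-as N'
        raise OpenError("OPEN Message Error: Bad Peer AS")
    if 0 < hold < 3:                   # RFC 4271: hold time must be 0 or at least 3 seconds
        raise OpenError("OPEN Message Error: Unacceptable Hold Time")
    if ident == b"\x00\x00\x00\x00":
        raise OpenError("OPEN Message Error: Bad BGP Identifier")
    if OPEN_FIXED_LEN + opt_len != length:
        raise OpenError("Message Header Error: Bad Message Length")
    return OpenMessage(version, my_as, hold, ".".join(str(b) for b in ident),
                       data[29:29 + opt_len])


def negotiate_timers(local_hold: int, peer_hold: int):
    """Both sides use the smaller advertised hold time; keepalives go out every third of it."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


if __name__ == "__main__":
    # Constructed values matching the lab: ASA1 (router ID 192.168.4.2) in AS 100
    raw = encode_open(OpenMessage(4, 100, 180, "192.168.4.2"))
    print(raw.hex(), decode_open(raw, expected_as=100), negotiate_timers(180, 180))
```

A peer configured with the wrong remote-as never reaches Established: the decoder answers with Bad Peer AS, which is the Notification you see counted under "Notifications" in the neighbour statistics.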
BGP Tables
Neighbour Table
BGP Table
Routing Table

BGP States
1. Idle
The router is searching for a neighbour.
2. Connect
The TCP three-way handshake is complete.
3. Open Sent
The Open message has been sent.
4. Open Confirm
The Open acknowledgement has been received.
5. Establish
The neighbourship is complete.

Some BGP Terminology
Next-hop-self
Route-reflector-client
EBGP-Multi-hop
Max-path
Source-update
BGP-redistribute Internal

Next-hop-self
When a BGP edge router learns an external route, it advertises that route to its iBGP neighbours with the external next hop unchanged. To solve this problem we use next-hop-self. This command forces the router to send its own IP address as the next hop to its iBGP neighbours.
Route-reflector-client
Normally an iBGP router does not pass a route learned from one iBGP neighbour on to another iBGP neighbour. To solve this we use route-reflector-client. This command forces the router to exchange the routes of one neighbour with another.

EBGP-Multi-hop
When a BGP router wants to establish an eBGP neighbourship it sets the IP TTL of its BGP packets to 1. If your neighbour is not directly connected, the neighbourship will not establish. Using the ebgp-multihop command we can increase the TTL value.

Max-Path
By default BGP selects one best path using its attributes; in other words, by default BGP does not load-balance. If you want to use load-balancing, change the max-path value using the Max-Path (maximum-paths) command.

Source-update
If you want to establish a neighbourship you can use the physical interface IP for peering. But a physical interface can go down, so this is not recommended for BGP peering. You can use a loopback for peering instead. If you are using a loopback for peering you have to use the update-source command. This command tells the router to use the particular loopback IP as the source when it sends messages to its peer; otherwise the neighbourship will not form.

BGP-redistribute Internal
We can redistribute IGP into iBGP, IGP into eBGP, and eBGP into IGP.
But iBGP to IGP redistribution is not allowed; if you want it, you have to use bgp redistribute-internal.
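The EBGP-Multi-hop entry above raises the TTL so that an eBGP session can cross an intermediate router; the lab later replaces "ebgp-multihop 2" with "ttl-security hops 2", which is the GTSM approach from RFC 5082 (send TTL 255, accept only packets whose TTL is still at least 255 minus the configured hop count). The Python model below is an added example, not code from the book or from the ASA: the mode names and the transit_routers count are my own labels, and it only models the TTL arithmetic, not the rest of the session.

```python
"""Model the IP TTL handling behind 'ebgp-multihop N' and 'ttl-security hops N' (GTSM, RFC 5082).
Added example; 'transit_routers' is the number of routers between the two BGP speakers."""
MAX_TTL = 255


def ttl_sent(mode, hops=1):
    """TTL a BGP speaker puts on its packets for the given neighbour setting."""
    if mode == "default":            # plain eBGP: can only reach a directly connected peer
        return 1
    if mode == "ebgp-multihop":      # 'neighbor X ebgp-multihop N': just enough TTL to go N hops
        return hops
    if mode == "ttl-security":       # 'neighbor X ttl-security hops N': always send the maximum
        return MAX_TTL
    raise ValueError(f"unknown mode {mode!r}")


def ttl_on_arrival(sent_ttl, transit_routers):
    """TTL the receiver sees after each intermediate router decrements it, or None when a router
    on the path decremented it to zero and discarded the packet."""
    remaining = sent_ttl - transit_routers
    return remaining if remaining >= 1 else None


def receiver_accepts(mode, hops, arrival_ttl):
    """Does the receiving speaker hand the packet to its BGP process?"""
    if arrival_ttl is None:
        return False
    if mode == "ttl-security":
        # GTSM: only a sender within 'hops' routers can still show a TTL this high, and a more
        # distant sender cannot raise the TTL back up because every router it crosses lowers it.
        return arrival_ttl >= MAX_TTL - hops
    return True                       # default / ebgp-multihop do not inspect the TTL on receipt


def session_forms(local_mode, peer_mode, hops, transit_routers):
    """Do packets sent by the local speaker reach the peer and pass its TTL check?"""
    arrival = ttl_on_arrival(ttl_sent(local_mode, hops), transit_routers)
    return receiver_accepts(peer_mode, hops, arrival)


if __name__ == "__main__":
    # Lab topology: ASA1 and R5 peer across R3, so one transit router.
    for pair in ("default", "ebgp-multihop", "ttl-security"):
        print(pair, session_forms(pair, pair, 2, 1))
```

With the default TTL of 1 the packet dies at R3, which is the "neighbourship will not establish" case; ebgp-multihop 2 and ttl-security hops 2 both let the session form, but only the GTSM check rejects packets from a source several routers away, and a multihop-style TTL of 2 arriving at a GTSM peer is also rejected, which is why the lab removes ebgp-multihop before enabling ttl-security.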
Diagram:- (figure not reproduced in this text)
Initial-config
R1
interface Loopback1
ip address 192.10.1.1 255.255.255.0
!
interface Loopback2
ip address 192.10.2.1 255.255.255.0
!
interface Loopback3
ip address 192.10.3.1 255.255.255.0
!
interface Loopback4
ip address 192.10.4.1 255.255.255.0
!
interface Loopback5
ip address 192.10.5.1 255.255.255.0
!
interface Loopback6
ip address 192.10.6.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.35.1 255.255.255.0
no shutdown
int l1
ip add 192.168.103.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.104.1 255.255.255.0
no shutdown
R5
interface f0/1
no shutdown
ip add 192.168.35.2 255.255.255.0
no shutdown
int f0/0
no shutdown
ip add 192.168.105.1 255.255.255.0
no shutdown
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
ip address 192.168.4.2 255.255.255.0
!
ASA1(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R1
R1(config)#router bgp 100
R1(config-router)#neighbor 192.168.1.2 remote-as 100
R1(config-router)#net 192.168.1.0
R1(config-router)#net 192.168.101.0
R1(config-router)#net 192.10.1.0
R1(config-router)#net 192.10.2.0
R1(config-router)#net 192.10.3.0
R1(config-router)#net 192.10.4.0
R1(config-router)#net 192.10.5.0
R1(config-router)#net 192.10.6.0
R2
R2(config)#router bgp 100
R2(config-router)#neighbor 192.168.2.2 remote-as 100
R2(config-router)#net 192.168.2.0
R2(config-router)#net 192.168.102.0
R3
R3(config)#router bgp 200
R3(config-router)#neighbor 192.168.3.2 remote-as 100
R3(config-router)#neighbor 192.168.35.2 remote-as 200
R3(config-router)#net 192.168.3.0
R3(config-router)#net 192.168.103.0
R3(config-router)#net 192.168.35.0
R4
R4(config)#router bgp 100
R4(config-router)#neighbor 192.168.4.2 remote-as 100
R4(config-router)#net 192.168.4.0
R4(config-router)#net 192.168.104.0
R5
R5(config)#router bgp 200
R5(config-router)#neighbor 192.168.35.1 remote-as 200
R5(config-router)#net 192.168.35.0
R5(config-router)#net 192.168.105.0
ASA1
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# neighbor 192.168.1.1 remote-as 100
ASA1(config-router-af)# neighbor 192.168.2.1 remote-as 100
ASA1(config-router-af)# neighbor 192.168.3.1 remote-as 200
ASA1(config-router-af)# neighbor 192.168.4.1 remote-as 100
ASA1(config-router-af)# network 192.168.1.0
ASA1(config-router-af)# network 192.168.2.0
ASA1(config-router-af)# network 192.168.3.0
ASA1(config-router-af)# network 192.168.4.0
ASA1# sh bgp neighbors
BGP neighbor is 192.168.1.1, context single_vf, remote AS 100, internal link
BGP version 4, remote router ID 192.10.6.1
BGP state = Established, up for 00:02:20
Last read 00:00:19, last write 00:00:56, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 1
Keepalives: 3 4
Route Refresh: 0 0
Total: 8 6
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
Session: 192.168.1.1
BGP table version 17, neighbor version 17/0
Output queue size : 0
Index 1
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 7 8 (Consumes 640 bytes)
Prefixes Total: 7 8
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 7
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 7 n/a
Bestpath from iBGP peer: 2 n/a
Total: 9 0
Number of NLRIs in the update sent: max 4, min 0
Address tracking is enabled, the RIB does have a route to 192.168.1.1
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
BGP neighbor is 192.168.2.1, context single_vf, remote AS 100, internal link
BGP version 4, remote router ID 192.168.102.1
BGP state = Established, up for 00:02:10
Last read 00:00:10, last write 00:00:01, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 1
Keepalives: 4 4
Route Refresh: 0 0
Total: 9 6
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
Session: 192.168.2.1
BGP table version 17, neighbor version 17/0
Output queue size : 0
Index 1
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 7 2 (Consumes 160 bytes)
Prefixes Total: 7 2
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 1
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 7 n/a
Bestpath from iBGP peer: 2 n/a
Total: 9 0
Number of NLRIs in the update sent: max 4, min 0
Address tracking is enabled, the RIB does have a route to 192.168.2.1
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
BGP neighbor is 192.168.3.1, context single_vf, remote AS 200, external link
BGP version 4, remote router ID 192.168.103.1
BGP state = Established, up for 00:02:17
Last read 00:00:16, last write 00:00:03, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 3 2
Keepalives: 4 5
Route Refresh: 0 0
Total: 8 8
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: 192.168.3.1
BGP table version 17, neighbor version 17/0
Output queue size : 0
Index 2
2 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 13 4 (Consumes 320 bytes)
Prefixes Total: 13 4
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 3
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 3 n/a
Total: 3 0
Number of NLRIs in the update sent: max 9, min 0
Address tracking is enabled, the RIB does have a route to 192.168.3.1
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
BGP neighbor is 192.168.4.1, context single_vf, remote AS 100, internal link
BGP version 4, remote router ID 192.168.104.1
BGP state = Established, up for 00:02:17
Last read 00:00:16, last write 00:00:03, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 1
Keepalives: 4 5
Route Refresh: 0 0
Total: 9 7
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
Session: 192.168.4.1
BGP table version 17, neighbor version 17/0
Output queue size : 0
Index 1
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 7 2 (Consumes 160 bytes)
Prefixes Total: 7 2
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 1
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 7 n/a
Bestpath from iBGP peer: 2 n/a
Total: 9 0
Number of NLRIs in the update sent: max 4, min 0
Address tracking is enabled, the RIB does have a route to 192.168.4.1
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
ASA1# sh bgp
BGP table version is 17, local router ID is 192.168.4.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop         Metric LocPrf Weight Path
*>i192.10.1.0       192.168.1.1           0    100      0 i
*>i192.10.2.0       192.168.1.1           0    100      0 i
*>i192.10.3.0       192.168.1.1           0    100      0 i
*>i192.10.4.0       192.168.1.1           0    100      0 i
*>i192.10.5.0       192.168.1.1           0    100      0 i
*>i192.10.6.0       192.168.1.1           0    100      0 i
*> 192.168.1.0      0.0.0.0               0         32768 i
* i                 192.168.1.1           0    100      0 i
* i192.168.2.0      192.168.2.1           0    100      0 i
*>                  0.0.0.0               0         32768 i
*> 192.168.3.0      0.0.0.0               0         32768 i
*                   192.168.3.1           0             0 200 i
* i192.168.4.0      192.168.4.1           0    100      0 i
*>                  0.0.0.0               0         32768 i
*> 192.168.35.0     192.168.3.1           0             0 200 i
*>i192.168.101.0    192.168.1.1           0    100      0 i
*>i192.168.102.0    192.168.2.1           0    100      0 i
*> 192.168.103.0    192.168.3.1           0             0 200 i
*>i192.168.104.0    192.168.4.1           0    100      0 i
*> 192.168.105.0    192.168.3.1                         0 200 i
ASA1# sh route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29
B 192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:03:29
B 192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29
B 192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:03:29
B 192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29
ASA1# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.104.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.105.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.105.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
BGP Authentication
ASA1(config-router-af)# neighbor 192.168.1.1 password shiva
R1(config-router)#neighbor 192.168.1.2 password shiva
R1#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:00:44
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:00:44
B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:00:44
R2#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:08:47
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:08:47
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:08:47
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:09:02
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:09:02
B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:09:02
ASA1
ASA1(config-router-af)# neighbor 192.168.1.1 next-hop-self
ASA1(config-router-af)# neighbor 192.168.2.1 next-hop-self
ASA1(config-router-af)# neighbor 192.168.3.1 next-hop-self
ASA1(config-router-af)# neighbor 192.168.4.1 next-hop-self
R1
R1#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:04:48
B 192.168.35.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.103.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:04:48
B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:04:48
R2
R2#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.2.2, 00:00:09
B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:12:39
B 192.168.35.0/24 [200/0] via 192.168.2.2, 00:00:08
B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:12:39
B 192.168.103.0/24 [200/0] via 192.168.2.2, 00:00:08
B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:12:39
R4
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.35.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.103.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:12:43
R3
R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:22:24
B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:00:47
ASA1(config-router-af)# aggregate-address 192.10.0.0 255.255.248.0
R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:23:46
B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.0.0/21 [20/0] via 192.168.3.2, 00:00:07
ASA1(config-router-af)# aggregate-address 192.10.0.0 255.255.248.0 summary-only
R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:25:09
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.10.0.0/21 [20/0] via 192.168.3.2, 00:01:29
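The aggregate-address commands above summarise R1's six /24 loopback networks into 192.10.0.0/21, and "summary-only" suppresses the component routes from R3's table. As an added example that is not code from the book, the Python below computes that summary from the component prefixes (it works for any list of prefixes, not only this lab) and lists the blocks inside the summary that no component actually announces: 192.10.0.0/24 and 192.10.7.0/24. Traffic for those holes lands on the Null0 discard route that the aggregate installs locally, as the later "sh route" output on ASA1 shows. LAB_LOOPBACKS is constructed from the lab; the function names are my own.

```python
"""Compute what 'aggregate-address' advertises and which addresses it covers that nobody announces.
Added example, not from the book; uses only the standard library."""
import ipaddress

# Constructed from the lab: the six loopback networks R1 injects into AS 100.
LAB_LOOPBACKS = ["192.10.1.0/24", "192.10.2.0/24", "192.10.3.0/24",
                 "192.10.4.0/24", "192.10.5.0/24", "192.10.6.0/24"]


def summarize_prefixes(prefixes):
    """Smallest single prefix that covers every network in `prefixes`."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Widen the mask one bit at a time, anchored at the lowest address, until the
    # candidate block also contains the highest address of the range.
    for plen in range(first.max_prefixlen, -1, -1):
        candidate = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last in candidate:
            return candidate
    raise AssertionError("unreachable: a /0 covers every address")


def uncovered_holes(summary, prefixes):
    """Blocks of the summary (at the size of the smallest component) that no component announces.
    Packets for these addresses match the aggregate and are dropped on its Null0 route."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    granularity = max(n.prefixlen for n in nets)
    return [str(block) for block in summary.subnets(new_prefix=granularity)
            if not any(block.subnet_of(n) for n in nets)]


def aggregate_command(summary, summary_only=True):
    """The ASA address-family command that advertises this summary."""
    cmd = f"aggregate-address {summary.network_address} {summary.netmask}"
    return cmd + " summary-only" if summary_only else cmd


if __name__ == "__main__":
    agg = summarize_prefixes(LAB_LOOPBACKS)
    print(aggregate_command(agg))
    print("holes:", uncovered_holes(agg, LAB_LOOPBACKS))
```

Before summarising, run uncovered_holes on the real prefix list: every hole it reports is address space you will now attract from the outside and black-hole, so it should either be yours and intentionally unused, or the summary should be split.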
ASA1# ping 192.168.35.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.35.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R5#ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# neighbor 192.168.35.2 remote-as 200
ASA1(config-router-af)# neighbor 192.168.35.2 ebgp-multihop 2
R5(config-router)#router bgp 200
R5(config-router)#neighbor 192.168.3.2 remote-as 100
R5(config-router)#neighbor 192.168.3.2 ebgp-multihop 2
R5(config-router)#*Oct 7 07:15:01.111: %BGP-5-ADJCHANGE: neighbor 192.168.3.2 Up
ASA1# sh bgp neighbors 192.168.35.2
BGP neighbor is 192.168.35.2, context single_vf, remote AS 200, external link
BGP version 4, remote router ID 192.168.105.1
BGP state = Established, up for 00:00:35
Last read 00:00:05, last write 00:00:35, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 6 5
Keepalives: 2 3
Route Refresh: 0 0
Total: 9 9
Default minimum time between advertisement runs is 30 seconds
R5#sh ip bgp neighbors 192.168.3.2
BGP neighbor is 192.168.3.2, remote AS 100, external link
BGP version 4, remote router ID 192.168.4.2
BGP state = Established, up for 00:01:12
Last read 00:01:12, last write 00:00:11, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 5 6
Keepalives: 4 2
Route Refresh: 0 0
Total: 10 9
Default minimum time between advertisement runs is 30 seconds
router bgp 100
bgp log-neighbor-changes
address-family ipv4 unicast
ASA1(config-router-af)# no neighbor 192.168.35.2 ebgp-multihop 2
ASA1(config-router-af)# neighbor 192.168.35.2 ttl-security hops 2
R5(config)#router bgp 200
R5(config-router)#no neighbor 192.168.3.2 ebgp-multihop 2
R5(config-router)#neighbor 192.168.3.2 ttl-security hops 2
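The lab adds two protections to the sessions above: a shared password (TCP MD5 authentication) on the ASA1 to R1 session, and ttl-security on the multihop eBGP session to R5. On a real ASA those are per-neighbour settings, so the easy mistake is to harden one peer and forget the rest. The following Python is an added example, not the book's or Cisco's code: it parses "router bgp" neighbor statements from running-config text and reports every neighbour that has no password, and every eBGP neighbour (remote-as different from the local AS) without ttl-security. SAMPLE_CONFIG is constructed from the lab's ASA1 neighbours with a placeholder key; the regexes and function names are my own.

```python
"""Audit 'router bgp' neighbor statements for missing session hardening.
Added example; it parses ASA/IOS-style config text, it is not an ASA API."""
import re
from collections import defaultdict

# Constructed sample based on the lab's ASA1 neighbours. EXAMPLE-KEY is a placeholder.
SAMPLE_CONFIG = """\
router bgp 100
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 192.168.1.1 remote-as 100
  neighbor 192.168.1.1 password EXAMPLE-KEY
  neighbor 192.168.2.1 remote-as 100
  neighbor 192.168.3.1 remote-as 200
  neighbor 192.168.4.1 remote-as 100
  neighbor 192.168.35.2 remote-as 200
  neighbor 192.168.35.2 ttl-security hops 2
"""

ROUTER_RE = re.compile(r"^\s*router bgp (\d+)")
NEIGHBOR_RE = re.compile(
    r"^\s*neighbor\s+(\S+)\s+(remote-as|password|ttl-security|ebgp-multihop)\b(.*)$")


def parse_bgp_neighbors(config_text):
    """Return (local_as, {neighbor_ip: {attribute: value}}) from the config text."""
    local_as = None
    neighbors = defaultdict(dict)
    for line in config_text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            ip, attr, rest = m.groups()
            neighbors[ip][attr] = rest.strip()      # e.g. "remote-as" -> "200", "ttl-security" -> "hops 2"
    return local_as, dict(neighbors)


def audit_bgp_neighbors(config_text):
    """Map each neighbour to the hardening it lacks; neighbours with no findings are omitted."""
    local_as, neighbors = parse_bgp_neighbors(config_text)
    findings = {}
    for ip, attrs in sorted(neighbors.items()):
        issues = []
        if "password" not in attrs:
            issues.append("no password (TCP MD5) configured")
        remote_as = attrs.get("remote-as")
        is_ebgp = remote_as is not None and int(remote_as) != local_as
        if is_ebgp and "ttl-security" not in attrs:
            issues.append("eBGP peer without ttl-security (GTSM)")
        if issues:
            findings[ip] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in audit_bgp_neighbors(SAMPLE_CONFIG).items():
        print(ip, "->", "; ".join(issues))
```

Run it against the output of "show running-config router bgp"; iBGP peers are reported only for the missing password, because ttl-security is aimed at eBGP sessions where the peer sits in another administrative domain.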
ASA1# sh route inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
ASA1# sh route outside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
ASA1# sh route dmz1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
ASA1# sh route dmz2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
B 192.10.0.0 255.255.248.0 [200/0] via 0.0.0.0, 00:11:07, Null0
B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13
B 192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:13:13
B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:13:13
B 192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13
B 192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:13:13
B 192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13
ASA1(config)# access-list 10 permit 192.10.1.0 255.255.255.0
ASA1(config)# access-list 10 permit 192.10.3.0 255.255.255.0
ASA1(config)# access-list 10 permit 192.10.5.0 255.255.255.0
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# neighbor 192.168.1.1 distribute-list 10 in
ASA1# clear bgp 192.168.1.1
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03
B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03
B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:49
B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:14:49
B 192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:49
B 192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:14:56
B 192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:56
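The `neighbor 192.168.1.1 distribute-list 10 in` line above is an inbound prefix filter: only routes whose network address matches a permit entry of access-list 10 are accepted from that peer, everything else hits the implicit deny and never enters the routing table. The following Python script is an added example, not code from the book: it parses the BGP lines of the `show route` output shown above and reproduces the filtering decision offline. The standard-ACL semantics are modelled as "mask the route's network address with the entry's subnet mask and compare it with the entry's network" (an assumption about the exact ASA matching rules), only routes learned from the filtered neighbor are touched, and the Null0 aggregate route is left out of the sample.

```python
"""Reproduce an ASA inbound BGP distribute-list decision from `show route` text (added example)."""
import ipaddress
import re

# Constructed sample: the routing-table lines from the page before the
# distribute-list was applied (Null0 aggregate omitted).
SHOW_ROUTE_BEFORE = """\
B 192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
B 192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
C 192.168.1.0 255.255.255.0 is directly connected, inside
B 192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13
B 192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:13:13
B 192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:13:13
"""

# access-list 10 as configured on the page: three permit entries, implicit deny at the end.
ACL_10 = [
    ("permit", "192.10.1.0", "255.255.255.0"),
    ("permit", "192.10.3.0", "255.255.255.0"),
    ("permit", "192.10.5.0", "255.255.255.0"),
]

# code, network, mask, then either "via <next-hop>" or "is directly connected, <iface>"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2})\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?(?:via (?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected, (?P<iface>\S+))"
)


def parse_routes(text):
    """Turn `show route` lines into dicts; lines that are not routes are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"code": m["code"], "net": m["net"], "mask": m["mask"],
                           "via": m["nh"] or m["iface"]})
    return routes


def acl_permits(acl, network):
    """Standard-ACL style match (assumed semantics): the route's network address
    ANDed with the entry mask must equal the entry network. First match wins;
    no match is an implicit deny."""
    net = int(ipaddress.IPv4Address(network))
    for action, entry_net, entry_mask in acl:
        mask = int(ipaddress.IPv4Address(entry_mask))
        if net & mask == int(ipaddress.IPv4Address(entry_net)):
            return action == "permit"
    return False


def apply_distribute_list_in(routes, neighbor, acl):
    """Drop BGP routes learned from `neighbor` that the ACL denies; keep everything else."""
    return [r for r in routes
            if not (r["code"] == "B" and r["via"] == neighbor and not acl_permits(acl, r["net"]))]


def filtered_prefixes(text=SHOW_ROUTE_BEFORE, neighbor="192.168.1.1", acl=ACL_10):
    """Prefixes that survive the inbound filter, in routing-table order."""
    return [f'{r["net"]} {r["mask"]}'
            for r in apply_distribute_list_in(parse_routes(text), neighbor, acl)]


if __name__ == "__main__":
    for prefix in filtered_prefixes():
        print(prefix)
```

Running it lists only 192.10.1.0, 192.10.3.0 and 192.10.5.0 from the 192.168.1.1 peer, matching the second `show route` on the page; the connected route and the routes from 192.168.2.1 and 192.168.3.1 are untouched because the filter is per neighbor. Remember that `clear bgp` is needed for the new filter to take effect on already-learned routes, as the page does, and that the `maximum-prefix` neighbor option listed further down is the usual second guard against a peer flooding the table.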
Note:-
BGP itself is outside the scope of this book, which is specifically about the ASA. If you want to know which BGP commands are available on the ASA, have a look at the command help output below.
ASA1(config)# router bgp 100
ASA1(config-router)# ?
Router configuration commands:
address-family Enter Address Family command mode
bgp BGP specific commands
exit Exit from router configuration mode
help Interactive help for router subcommands
no Negate a command
timers Adjust routing timers
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# ?
Router Address Family configuration commands:
aggregate-address Configure BGP aggregate entries
auto-summary Enable automatic network number summarization
bgp BGP specific commands
default Set a command to its defaults
default-information Control distribution of default information
distance Define an administrative distance
distribute-list Filter networks in routing updates
exit-address-family Exit from Address Family configuration mode
help Description of the interactive help system
maximum-paths Forward packets over multiple paths
neighbor Specify a neighbor router
network Specify a network to announce via BGP
no Negate a command or set its defaults
redistribute Redistribute information from another routing protocol
synchronization Perform IGP synchronization
table-map Map external entry attributes into routing table
ASA1(config-router-af)# neighbor 192.168.1.1 ?
bgp address-family mode commands/options:
activate Enable the Address Family for this Neighbor
advertisement-interval Minimum interval between sending BGP routing updates
default-originate Originate default route to this neighbor
description Neighbor specific description
disable-connected-check one-hop away EBGP peer using loopback address
distribute-list Filter updates to/from this neighbor
ebgp-multihop Allow EBGP neighbors not on directly connected networks
filter-list Establish BGP filters
local-as Specify a local-as number
maximum-prefix Maximum number of prefixes accepted from this peer
next-hop-self Disable the next hop calculation for this neighbor
password Set a password
prefix-list Filter updates to/from this neighbor
remote-as Specify a BGP neighbor
remove-private-as Remove private AS number from outbound updates
route-map Apply route map to neighbor
send-community Send Community attribute to this neighbor
shutdown Administratively shut down this neighbor
timers BGP per neighbor timers
transport Transport options
ttl-security BGP ttl security check
version Set the BGP version to match a neighbor
weight Set default weight for routes from this neighbor
.........Thanks....
Chapter 29: Dynamic Routing in Context
After reading this chapter you will be able to describe:
EIGRP & OSPF in Multiple Mode
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.101.1
interface l1
ip add 1.1.1.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.102.1
int l1
ip add 2.2.2.2 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
interface gigabitEthernet 0/0
no shutdown
interface gigabitEthernet 0/1
no shutdown
interface gigabitEthernet 0/2
no shutdown
interface gigabitEthernet 0/3
no shutdown
!
context c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
changeto context c1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1/c1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c1(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c1(config)# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
changeto context c2
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/3
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA1/c2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c2(config)# pin
ASA1/c2(config)# pin
ASA1/c2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
changeto context c1
router ei 100
no au
net 192.168.101.0
redistribute static metric 1 1 1 1 1
R1
router ei 100
no auto-summary
net 0.0.0.0
ASA1/c1# sh eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100) context(c1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.101.100 inside 12 00:00:30 1 200 0 3
ASA1/c1# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.101.1) context(c1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2560000256
via Rstatic (2560000256/0)
P 192.168.101.0 255.255.255.0, 1 successors, FD is 2816
via Connected, inside
P 1.1.1.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.101.100 (130816/128256), inside
ASA1/c1# sh route eigrp
Routing Table: c1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
D 1.1.1.0 255.255.255.0
[90/130816] via 192.168.101.100, 00:00:48, inside
ASA1/c1(config-router)# router eigrp 100
ASA1/c1(config-router)# passive-interface default
ASA1/c1(config-router)# no passive-interface inside
ASA1/c1(config-router)# neighbor 192.168.101.100 interface inside
ASA1/c1(config-router)# distance eigrp 111 222
ASA1/c1(config-if)# interface gigabitEthernet 0/0
ASA1/c1(config-if)# hello-interval eigrp 100 2
ASA1/c1(config-if)# hold-time eigrp 100 4
ASA1/c1(config-if)# authentication mode eigrp 100 md5
ASA1/c1(config-if)# authentication key eigrp 100 shiva key-id 100
The remaining EIGRP features are the same as in single context mode.
ASA1/c2(config-router)# changeto context c2
ASA1/c2(config)# router ospf 100
ASA1/c2(config-router)# network 192.168.102.0 255.255.255.0 area 0
ASA1/c2(config-router)# default-information originate always
R2(config-if)#int f0/0
R2(config-if)#ip ospf 100 area 0
R2(config-if)#int lo1
R2(config-if)#ip ospf 100 area 0
ASA1/c2# sh ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 0:00:30 192.168.102.100 inside
ASA1/c2# sh ospf database
OSPF Router with ID (192.168.102.1) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
2.2.2.2 2.2.2.2 31 0x80000003 0x60a2 2
192.168.102.1 192.168.102.1 30 0x80000003 0x2fb3 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
192.168.102.1 192.168.102.1 30 0x80000001 0x318e
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 192.168.102.1 101 0x80000001 0x5925 100
ASA1/c2# sh route ospf
Routing Table: c2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 102.1.1.1 to network 0.0.0.0
O 2.2.2.2 255.255.255.255
[110/11] via 192.168.102.100, 00:00:38, inside
The remaining OSPF features are the same as in single context mode.
ASA1/c2(config)# router bgp 100
%BGP process cannot be created in non-system context
ERROR: Unable to create router process
ASA1/c2(config)# changeto system
ASA1(config)# router bgp 100
ASA1(config-router)#
Chapter 30: Site-Site VPN in Context
After reading this chapter you will be able to describe:
How to configure a site-to-site VPN in multiple mode
Diagram:-
Initial-config
R1
member c2-class
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
ASA1(config-ctx)# changeto context c1
ASA1/c1(config)#
changeto context c1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1/c1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1/c1(config)# pin
ASA1/c1(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1/c1(config)# changeto context c2
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/3
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
route outside 0 0 102.1.1.1
ASA1/c2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c2(config)# pin
ASA1/c2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c1(config)# changeto context c1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
ASA1/c1(config)# changeto context c2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
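The two context configurations above have to be exact mirror images of each other: each crypto map must point at the other context's outside address, the IKEv1 policy, pre-shared key and transform set must agree, and the crypto ACL in c2 must be the source/destination reversal of the one in c1. A mismatch in any of these is the usual reason a tunnel never leaves MM_ACTIVE or never builds an IPsec SA. The script below is an added example, not code from the book: it parses both contexts' crypto lines (the sample text is the page's configuration, constructed inline) and reports every asymmetry it finds. It covers only the commands used on this page; other VPN constructs are out of scope.

```python
"""Consistency check for a mirrored IKEv1 site-to-site VPN across two ASA contexts (added example)."""

# Constructed sample input: the crypto configuration of contexts c1 and c2 as shown on the page.
C1_CONFIG = """
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
 ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
"""

C2_CONFIG = """
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
 ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
"""

POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_l2l(cfg):
    """Pull the pieces of one IKEv1 L2L tunnel out of a context's configuration text."""
    p = {"policy": {}, "transform_sets": {}, "acls": {}, "psk": {}, "map": {}}
    current_tg = None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if words[0] in POLICY_KEYS:                      # lines under "crypto ikev1 policy"
            p["policy"][words[0]] = words[1]
        elif line.startswith("tunnel-group") and "ipsec-attributes" in line:
            current_tg = words[1]                          # peer address names the tunnel-group
        elif line.startswith("ikev1 pre-shared-key") and current_tg:
            p["psk"][current_tg] = words[2]
        elif line.startswith("crypto ipsec ikev1 transform-set"):
            p["transform_sets"][words[4]] = tuple(words[5:])
        elif line.startswith("access-list") and words[2:4] == ["permit", "ip"]:
            p["acls"][words[1]] = tuple(words[4:8])        # (src, src-mask, dst, dst-mask)
        elif line.startswith("crypto map") and "set peer" in line:
            p["map"]["peer"] = words[6]
        elif line.startswith("crypto map") and "set ikev1 transform-set" in line:
            p["map"]["transform"] = words[7]
        elif line.startswith("crypto map") and "match address" in line:
            p["map"]["acl"] = words[6]
    return p


def check_mirror(a, a_outside_ip, b, b_outside_ip):
    """Return a list of mismatches between the two tunnel ends; empty means consistent."""
    problems = []
    if a["map"].get("peer") != b_outside_ip or b["map"].get("peer") != a_outside_ip:
        problems.append("crypto map peers do not point at each other")
    if a["policy"] != b["policy"]:
        problems.append("IKEv1 policy differs")
    if a["psk"].get(a["map"].get("peer")) != b["psk"].get(b["map"].get("peer")):
        problems.append("pre-shared keys differ")
    if a["transform_sets"].get(a["map"].get("transform")) != \
            b["transform_sets"].get(b["map"].get("transform")):
        problems.append("IPsec transform sets differ")
    acl_a = a["acls"].get(a["map"].get("acl"))
    acl_b = b["acls"].get(b["map"].get("acl"))
    # b's ACL must be a's ACL with source and destination swapped
    if acl_a is None or acl_b is None or acl_a != acl_b[2:] + acl_b[:2]:
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    c1, c2 = parse_l2l(C1_CONFIG), parse_l2l(C2_CONFIG)
    print(check_mirror(c1, "101.1.1.100", c2, "102.1.1.100") or "consistent")
```

With the page's configuration the check returns no problems; change `group 5` to `group 2` on one side, or reverse only one of the ACLs, and the corresponding line appears, which is the same failure you would otherwise have to reconstruct from `debug crypto ikev1` on the device.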
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
ASA1/c1(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1/c1(config)# sh cry
ASA1/c1(config)# sh crypto ip
ASA1/c1(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 102.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6D68EF77
current inbound spi : 18275EA3
ASA1/c2(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA1/c2(config)# sh cry
ASA1/c2(config)# sh crypto ip
ASA1/c2(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.1.1.100/0, remote crypto endpt.: 101.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 18275EA3
current inbound spi : 6D68EF77
ASA1/c1(config)# changeto context c1
object network inside
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
exit
nat (inside,outside) 1 source static inside inside destination static s2s s2s
nat (inside,outside) source dynamic inside interface
access-list out permit icmp any object inside
access-group out in interface outside
ASA1/c1(config)# changeto context c2
object network inside
subnet 192.168.102.0 255.255.255.0
object network s2s
subnet 192.168.101.0 255.255.255.0
exit
nat (inside,outside) 1 source static inside inside destination static s2s s2s
nat (inside,outside) source dynamic inside interface
access-list out permit icmp any object inside
access-group out in interface outside
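The order of the two `nat (inside,outside)` lines in each context matters: the identity rule (`source static inside inside destination static s2s s2s`) is inserted at position 1 so that traffic for the remote site is evaluated before the dynamic PAT rule. The crypto map is matched against the packet after NAT, so if the PAT rule came first, 192.168.101.x would leave as 101.1.1.100, no longer match access-list 101, and be sent in the clear to the default route instead of into the tunnel. The script below is an added example, not code from the book; it models first-match manual NAT evaluation for context c1 with the objects and addresses from the page and shows both orderings. The second ordering is a constructed counter-example, not something the page configures.

```python
"""Manual (twice) NAT ordering versus the crypto ACL, modelled on context c1 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects exactly as defined on the page for context c1
OBJECTS = {
    "inside": ipaddress.ip_network("192.168.101.0/24"),
    "s2s": ipaddress.ip_network("192.168.102.0/24"),
}
C1_OUTSIDE_IP = "101.1.1.100"   # c1's outside interface address from the page


@dataclass
class NatRule:
    src_obj: str             # real source object
    dst_obj: Optional[str]   # real destination object; None means any destination
    action: str              # "identity" (static X X) or "pat-interface" (dynamic X interface)


def rules_as_on_page():
    # nat (inside,outside) 1 source static inside inside destination static s2s s2s
    # nat (inside,outside) source dynamic inside interface
    return [NatRule("inside", "s2s", "identity"),
            NatRule("inside", None, "pat-interface")]


def rules_misordered():
    # Constructed counter-example: the same two rules with the PAT rule first
    return list(reversed(rules_as_on_page()))


def translate_source(rules, src, dst):
    """Section 1 manual NAT: rules are checked top-down and the first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s not in OBJECTS[rule.src_obj]:
            continue
        if rule.dst_obj is not None and d not in OBJECTS[rule.dst_obj]:
            continue
        return src if rule.action == "identity" else C1_OUTSIDE_IP
    return src   # no rule matched: the packet leaves untranslated


def matches_crypto_acl_101(src, dst):
    """access-list 101 permit ip 192.168.101.0/24 192.168.102.0/24"""
    return (ipaddress.ip_address(src) in OBJECTS["inside"]
            and ipaddress.ip_address(dst) in OBJECTS["s2s"])


def goes_through_tunnel(rules, src="192.168.101.100", dst="192.168.102.100"):
    """The crypto map sees the packet after NAT, so the post-NAT source is what must match."""
    return matches_crypto_acl_101(translate_source(rules, src, dst), dst)


if __name__ == "__main__":
    print("page order, R1 -> R2 encrypted:", goes_through_tunnel(rules_as_on_page()))
    print("PAT first,  R1 -> R2 encrypted:", goes_through_tunnel(rules_misordered()))
    print("page order, R1 -> 101.1.1.1 leaves as:",
          translate_source(rules_as_on_page(), "192.168.101.100", "101.1.1.1"))
```

The same reasoning applies unchanged to context c2 with the objects swapped. On a real unit, `packet-tracer input inside icmp 192.168.101.100 8 0 192.168.102.100` shows which NAT rule and whether the VPN encrypt phase was hit, which is the quickest way to confirm the ordering after a change.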
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
R2#pin
R2#ping 101.1.1.1 re
R2#ping 101.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
Chapter 31: Clustering
After reading this chapter you will be able to describe:
Clustering
Clustering Terminology
Configuration Replication
ASA Cluster Management
ASA Features and Clustering
Centralized Features
Performance Throughput
Clustering lets you group multiple ASAs together as a single logical device.
Note:-
ASA OS version 9.2 supports 16 members in a cluster: the ASA 5585-X now supports 16-unit clusters, and up to 32 active links in a spanned EtherChannel are supported for clustering.
Clustering Terminology
Master Unit
Slave Unit
New Connection Ownership
ASA Cluster Interfaces & Modes
Cluster Control Link
High Availability within the ASA Cluster
Data Path Connection State Replication
Master Unit
1. The first device on which you configure clustering becomes the master unit.
2. You must perform all configuration on the master unit only; the configuration is then replicated to the slave units.
3. The bootstrap configuration is configured on all units, master and slaves.
Master Unit Election
1. When you enable clustering for a unit, it broadcasts an election request every 3 seconds.
2. If after 45 seconds a unit does not receive a response from another unit with a higher priority, then it becomes the master.
3. Note: if multiple units tie for the highest priority, the cluster unit name, and then the serial number, is used to determine the master.
4. If a unit later joins the cluster with a higher priority, it does not automatically become the master unit; the existing master unit always remains the master unless it stops responding, at which point a new master unit is elected.
Note: - You can manually force a unit to become the master. For centralized features, if you force a master unit change, then all connections are dropped, and you have to re-establish the connections on the new master unit.
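The election rules above are easy to get wrong when planning a cluster, in particular the fact that a better priority never pre-empts a running master. The following Python model is an added example, not code from the book: it encodes the rules as stated (lowest priority number wins, then unit name, then serial number; a joining unit never displaces the master; a new election happens only when the master stops responding or is forced). One detail the page does not state is assumed here: within the name and serial tie-breaks the lexically lower value wins. Unit names and serial numbers in the test are constructed.

```python
"""ASA cluster master election and master stability, as described in the chapter (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Unit:
    name: str
    priority: int    # 1 is the highest priority; the lowest number wins
    serial: str


def election_key(unit):
    # Tie-break order from the page: priority, then cluster unit name, then serial number.
    # Assumption (not stated on the page): within each tie-break the lexically lower value wins.
    return (unit.priority, unit.name, unit.serial)


def initial_election(units):
    """Units that enable clustering at the same time: after the 45 second window the best key wins."""
    return min(units, key=election_key)


@dataclass
class Cluster:
    members: List[Unit] = field(default_factory=list)
    master: Optional[Unit] = None

    def enable_clustering(self, unit):
        """A unit joining a running cluster never pre-empts the existing master (rule 4)."""
        self.members.append(unit)
        if self.master is None:
            self.master = unit          # the first unit up becomes master (rule 1)
        return self.master

    def master_stopped_responding(self):
        """Only a master that stops responding triggers a new election among the remaining units."""
        self.members = [u for u in self.members if u != self.master]
        self.master = initial_election(self.members) if self.members else None
        return self.master

    def force_master(self, unit):
        """Manual override from the note; for centralized features all connections are dropped."""
        if unit not in self.members:
            raise ValueError("unit is not a cluster member")
        self.master = unit
        return self.master


if __name__ == "__main__":
    a = Unit("asa-a", 2, "SERIAL-A")   # constructed names and serials
    b = Unit("asa-b", 1, "SERIAL-B")
    c = Cluster()
    c.enable_clustering(a)            # a is alone, so a becomes master
    c.enable_clustering(b)            # b has the better priority but does not take over
    print("master after b joins:", c.master.name)
    print("master after a fails:", c.master_stopped_responding().name)
```

The practical consequence is the one the page draws: if you need a specific unit to be master after a maintenance reboot, bring it up first or force it, and expect the centralized-feature connections to drop when you do.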
Slave Unit
When we enable clustering on other devices, they join the cluster as slaves, or we can configure
New Connection Ownership
When a new connection is directed to a member of the cluster, that unit owns both directions of the connection. If any connection packets arrive at a different unit, they are forwarded to the owner unit over the cluster control link.
ASA Cluster Interfaces
We can configure data interfaces as either spanned EtherChannels or as individual interfaces. All data interfaces in the cluster must be of one type only.
Interface Types
Spanned EtherChannel
Interfaces on multiple members of the cluster are grouped into a single EtherChannel.
Individual interfaces (Routed mode only)
Individual interfaces are normal routed interfaces, each with their own local IP address. Because interface configuration must be configured only on the master unit.
Cluster Control Link
Each unit must dedicate at least one hardware interface as the cluster control link. Cluster control link traffic includes both control and data traffic.
Control traffic includes:
Master election.
Configuration replication.
Health monitoring.
Data traffic includes:
State replication.
Connection ownership queries and data packet forwarding.
Cluster Control Link Network
Each cluster control link has an IP address on the same subnet. This subnet should be isolated from all other traffic.
High Availability within the ASA Cluster
Unit Health Monitoring
Interface monitoring
Data Path Connection State Replication
Unit Health Monitoring
The master unit monitors every slave unit by sending keepalive messages over the cluster control link periodically (the period is configurable).
Each slave unit monitors the master unit using the same mechanism.
Interface monitoring
Each unit monitors the link status of all hardware interfaces in use, and reports status changes to the
master unit.
Spanned EtherChannel—Uses cluster Link Aggregation Control Protocol (cLACP). Each unit
monitors the link status and the cLACP protocol messages to determine if the port is still
active in the EtherChannel. The status is reported to the master unit.
Individual interfaces (Routed mode only)—Each unit self-monitors its interfaces and reports
interface status to the master unit.
Unit or Interface Failure
When health monitoring is enabled, a unit is removed from the cluster if it fails or if its interfaces
fail.
When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to
other units; state information for traffic flows is shared over the cluster control link.
If the master unit fails, then another member of the cluster with the highest priority (lowest
number) becomes the master.
Data Path Connection State Replication
Every connection has one owner and at least one backup owner in the cluster. The backup owner
does not take over the connection in the event of a failure; instead, it stores TCP/UDP state
information, so that the connection can be seamlessly transferred to a new owner in case of a
failure.
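The keepalive monitoring and the master re-election rule described above, as an added illustration that is not code from the book or from Cisco: a small Python model in which every member's keepalive over the cluster control link is timestamped, a member that stays silent for longer than the hold time is removed, and when the master is lost the surviving member with the lowest priority number is elected. The unit names and priorities follow the lab's A (priority 10) and B (priority 20) and the hold time of 3 seconds from the lab configuration later in this chapter; the third unit C, the timeline, and the rule that a returning unit rejoins as a slave without triggering a new election are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Unit:
    name: str
    priority: int                 # as on the ASA: the lowest number has the highest priority
    last_seen: float = 0.0        # time of the last keepalive received from this unit
    in_cluster: bool = True
    last_join: Optional[float] = 0.0
    last_leave: Optional[float] = None


class HealthMonitor:
    """Toy model of unit health monitoring; not the ASA implementation. Every member is
    expected to send keepalives over the cluster control link; a member whose last
    keepalive is older than the hold time is removed from the cluster."""

    def __init__(self, units: List[Unit], holdtime: float) -> None:
        self.units: Dict[str, Unit] = {u.name: u for u in units}
        self.holdtime = holdtime
        self.master = self._elect()

    def members(self) -> List[str]:
        return sorted(n for n, u in self.units.items() if u.in_cluster)

    def _elect(self) -> str:
        # The member with the highest priority (lowest configured number) becomes master.
        return min((u for u in self.units.values() if u.in_cluster), key=lambda u: u.priority).name

    def keepalive(self, name: str, now: float) -> None:
        u = self.units[name]
        u.last_seen = now
        if not u.in_cluster:                       # a unit heard from again rejoins as a slave
            u.in_cluster, u.last_join = True, now  # (assumption: rejoining triggers no election)

    def check_health(self, now: float) -> List[str]:
        """One monitoring pass at time `now`; returns the events it produced."""
        events: List[str] = []
        for name in self.members():
            u = self.units[name]
            silent = now - u.last_seen
            if silent > self.holdtime:
                u.in_cluster, u.last_leave = False, now
                events.append(f"{name} removed: silent {silent:g}s > holdtime {self.holdtime:g}s")
        if not self.units[self.master].in_cluster and self.members():
            self.master = self._elect()            # master lost: re-elect among the survivors
            events.append(f"{self.master} elected master")
        return events


def run_scenario() -> Dict[str, object]:
    """Constructed timeline: the lab's A (priority 10) and B (priority 20), a third unit C
    (priority 30) and holdtime 3. C never sends a keepalive after t=0; A stops after t=4."""
    mon = HealthMonitor([Unit("A", 10), Unit("B", 20), Unit("C", 30)], holdtime=3)
    events: List[str] = []
    for t in range(1, 11):
        mon.keepalive("B", t)
        if t <= 4:
            mon.keepalive("A", t)
        events.extend(mon.check_health(t))
    return {"master": mon.master, "members": mon.members(), "events": events}
```

Running run_scenario() shows C dropped at t=4 (its silence first exceeds the 3 second hold time there), A dropped at t=8 and B taking over as master; the last_join and last_leave fields mirror the timestamps that show cluster info prints for each member.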
Configuration Replication
All units in the cluster share a single configuration, except for the initial bootstrap configuration.
ASA Cluster Management
The management network should be isolated from other networks.
The management interface can be individual or spanned.
How the ASA Cluster Manages
Connection Roles
Sample Data Flow
Rebalancing New Connections across the Cluster
There are 3 different ASA roles defined for each connection:
Owner—The unit that initially receives the connection. The owner maintains the TCP state
and processes packets. A connection has only one owner.
Director—The unit that handles owner lookup requests from forwarders and also maintains
the connection state to serve as a backup if the owner fails. When the owner receives a new
connection, it chooses a director based on a hash of the source/destination IP address and
TCP ports, and sends a message to the director to register the new connection. If packets
arrive at any unit other than the owner, the unit queries the director about which unit is the
owner so it can forward the packets. A connection has only one director.
Forwarder—A unit that forwards packets to the owner. If a forwarder receives a packet for a
connection it does not own, it queries the director for the owner, and then establishes a
flow to the owner for any other packets it receives for this connection. The director can also
be a forwarder. Note that if a forwarder receives the SYN-ACK packet, it can derive the
owner directly from a SYN cookie in the packet, so it does not need to query the director (if
you disable TCP sequence randomization, the SYN cookie is not used; a query to the director
is required). For short-lived flows such as DNS and ICMP, instead of querying, the forwarder
immediately sends the packet to the director, which then sends it to the owner. A
connection can have multiple forwarders; the most efficient throughput is achieved by a
good load-balancing method where there are no forwarders and all packets of a connection
are received by the owner.
Sample Data Flow
1. The SYN packet originates from the client and is delivered to an ASA (based on the load
balancing method), which becomes the owner. The owner creates a flow, encodes owner
information into a SYN cookie, and forwards the packet to the server.
2. The SYN-ACK packet originates from the server and is delivered to a different ASA (based on
the load balancing method). This ASA is the forwarder.
3. Because the forwarder does not own the connection, it decodes owner information from the
SYN cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the
owner.
4. The owner sends a state update to the director, and forwards the SYN-ACK to the client.
5. The director receives the state update from the owner, creates a flow to the owner, and
records the TCP state information as well as the owner. The director acts as the backup
owner for the connection.
6. Any subsequent packets delivered to the forwarder will be forwarded to the owner.
7. If packets are delivered to any additional units, those units query the director for the owner and
establish a flow.
8. Any state change for the flow results in a state update from the owner to the director.
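The owner, director and forwarder roles and the numbered sample flow above, replayed as an added Python model that is not code from the book or from Cisco. The director is selected from a hash of the source/destination addresses and ports as the text says, but the concrete hash function, the rule that the backup record is never kept on the owner itself, the take-over of an orphaned connection by the unit that next queries the director, the client/server ports and the third unit C are all assumptions of the model. The seq_randomization switch reproduces the caveat in the text: without TCP sequence randomization the SYN cookie does not name the owner, so the forwarder has to query the director.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # src_ip, src_port, dst_ip, dst_port


def canonical(key: FlowKey) -> FlowKey:
    """Both directions of a connection must map to the same flow key."""
    a, b = (key[0], key[1]), (key[2], key[3])
    return key if a <= b else (key[2], key[3], key[0], key[1])


def flow_hash(key: FlowKey) -> int:
    """Hash of the source/destination IPs and ports, as the text describes. A readable
    stand-in chosen for this model, not the ASA's own algorithm."""
    return sum(int(o) for ip in (key[0], key[2]) for o in ip.split(".")) + key[1] + key[3]


@dataclass
class Conn:
    owner: str
    director: str
    state: str


class ClusterSim:
    """Toy model of the owner/director/forwarder roles; not the ASA implementation."""

    def __init__(self, units: List[str], seq_randomization: bool = True) -> None:
        self.units, self.alive = list(units), set(units)
        self.seq_randomization = seq_randomization
        self.owned: Dict[str, Dict[FlowKey, Conn]] = {u: {} for u in units}   # owner tables
        self.backup: Dict[str, Dict[FlowKey, Conn]] = {u: {} for u in units}  # director tables
        self.fwd: Dict[str, Dict[FlowKey, str]] = {u: {} for u in units}      # forwarder -> owner
        self.ccl: List[str] = []                                               # messages on the CCL

    def _next(self, unit: str) -> str:
        return self.units[(self.units.index(unit) + 1) % len(self.units)]

    def _become_owner(self, unit: str, key: FlowKey) -> Dict[str, Optional[str]]:
        d = self.units[flow_hash(key) % len(self.units)]
        director = self._next(d) if d == unit else d   # assumption: the backup never sits on the owner
        self.owned[unit][key] = Conn(unit, director, "SYN")
        self.backup[director][key] = Conn(unit, director, "SYN")
        self.ccl.append(f"{unit} -> {director}: register flow, owner={unit}")
        return {"role": "owner", "owner": unit, "director": director, "syn_cookie": unit}

    def _query_director(self, asker: str, key: FlowKey) -> Optional[Conn]:
        """Owner lookup over the CCL: the hash unit is the owner or the director; when the
        hash selected the owner itself, the backup record lives on the next unit."""
        d = self.units[flow_hash(key) % len(self.units)]
        for cand in (d, self._next(d)):
            if cand not in self.alive:
                continue
            if cand != asker:
                self.ccl.append(f"{asker} -> {cand}: who owns {key}?")
            rec = self.owned[cand].get(key) or self.backup[cand].get(key)
            if rec:
                return rec
        return None

    def receive(self, unit: str, key: FlowKey, flags: str,
                syn_cookie: Optional[str] = None) -> Dict[str, Optional[str]]:
        key = canonical(key)
        if key in self.owned[unit]:                              # owner: process, update the director
            conn = self.owned[unit][key]
            if flags == "SYN-ACK" and conn.state != "ESTABLISHED":
                conn.state = self.backup[conn.director][key].state = "ESTABLISHED"
                self.ccl.append(f"{unit} -> {conn.director}: state update ESTABLISHED")
            return {"role": "owner", "owner": unit}
        if self.fwd[unit].get(key) in self.alive:                # forwarder with a live flow
            return {"role": "forwarder", "owner": self.fwd[unit][key], "lookup": "cached"}
        if flags == "SYN":                                       # new connection: become the owner
            return self._become_owner(unit, key)
        if flags == "SYN-ACK" and syn_cookie and self.seq_randomization:
            self.fwd[unit][key] = syn_cookie                     # owner read from the SYN cookie
            return {"role": "forwarder", "owner": syn_cookie, "lookup": "syn-cookie"}
        rec = self._query_director(unit, key)                    # otherwise ask the director
        if rec is None:
            return {"role": "none", "owner": None}
        if rec.owner not in self.alive:                          # owner failed: take over from the backup
            rec.owner = unit                                     # (assumption: the querying unit takes it)
            self.owned[unit][key] = Conn(unit, rec.director, rec.state)
            self.ccl.append(f"{rec.director} -> {unit}: transfer connection, state {rec.state}")
            return {"role": "owner", "owner": unit, "lookup": "failover"}
        self.fwd[unit][key] = rec.owner                          # install a forwarding flow
        return {"role": "forwarder", "owner": rec.owner, "lookup": "director"}


def sample_data_flow() -> List[Dict[str, Optional[str]]]:
    """Replays the numbered sample flow, then an owner failure. The hosts are the lab's R1 and
    R2 addresses; the ports and the third unit C are constructed."""
    sim = ClusterSim(["A", "B", "C"])
    c2s = ("192.168.101.100", 40000, "192.168.102.100", 80)  # client -> server
    s2c = ("192.168.102.100", 80, "192.168.101.100", 40000)  # server -> client
    steps = [
        sim.receive("A", c2s, "SYN"),                          # 1. A becomes owner, names itself in the cookie
        sim.receive("C", s2c, "SYN-ACK", syn_cookie="A"),     # 2-3. C forwards using the SYN cookie
        sim.receive("A", s2c, "SYN-ACK"),                      # 4-5. owner updates the director
        sim.receive("C", c2s, "ACK"),                          # 6. C reuses its forwarding flow
        sim.receive("B", c2s, "ACK"),                          # 7. B asks the director (itself, here)
    ]
    sim.alive.discard("A")                                     # owner lost: C takes over from B's backup
    steps.append(sim.receive("C", c2s, "ACK"))
    return steps
```

In sample_data_flow() the hash puts the director on B, so step 7 shows the director acting as a forwarder for its own backed-up connection, and the final step shows the backup state on B letting C take the connection over after A is lost; sim.ccl lists every message the model exchanged over the cluster control link.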
ASA Features and Clustering
Unsupported Features
These features cannot be configured with clustering enabled, and the commands will be rejected.
Unified Communications
Remote access VPN (SSL VPN and IPsec VPN)
The following application inspections:
– CTIQBE
– GTP
– H323, H225, and RAS
– IPsec passthrough
– MGCP
– MMP
– RTSP
– SIP
– SCCP (Skinny)
– WAAS
– WCCP
Botnet Traffic Filter
Auto Update Server
DHCP client, server, relay, and proxy
VPN load balancing
Failover
ASA CX module
Centralized Features
The following features are only supported on the master unit, and are not scaled for the cluster. For
example, you have a cluster of eight units (5585-X with SSP-60). The Other VPN license allows a
maximum of 10,000 IPsec tunnels for one ASA 5585-X with SSP-60. For the entire cluster of eight
units, you can only use 10,000 tunnels; the feature does not scale. For centralized features, if the
master unit fails, all connections are dropped, and you have to re-establish the connections on the
new master unit.
Site-to-site VPN
The following application inspections:
– DCERPC
– NetBios
– PPTP
– RADIUS
– RSH
– SUNRPC
– TFTP
– XDMCP
Dynamic routing (spanned EtherChannel mode only)
Multicast routing (individual interface mode only)
Static route monitoring
IGMP multicast control plane protocol processing (data plane forwarding is distributed
across the cluster)
PIM multicast control plane protocol processing (data plane forwarding is distributed across
the cluster)
Authentication and Authorization for network access. Accounting is decentralized.
Filtering Services
Features Applied to Individual Units
QoS
Threat detection
When you place the cluster in your network, the upstream and downstream routers need to be able
to load-balance the data coming to and from the cluster, using one of the following methods:
Spanned EtherChannel (Recommended)
Policy-Based Routing (Routed mode only)
Equal-Cost Multi-Path Routing (Routed mode only)
Spanned EtherChannel (Recommended)
Interfaces on multiple members of the cluster are grouped into a single EtherChannel; the
EtherChannel performs load balancing between units.
In a spanned EtherChannel, the EtherChannel load-balancing algorithm is used.
Policy-Based Routing (Routed mode only)
The upstream and downstream routers perform load balancing between units using route maps and
ACLs.
Equal-Cost Multi-Path Routing (Routed mode only)
The upstream and downstream routers perform load balancing between units using equal cost static
or dynamic routes.
Performance Throughput
• 70% of the combined throughput
• 60% of maximum connections
• 50% of connections per second
For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of real
world firewall traffic when running alone.
For a cluster of 8 units, the combined throughput is 8 x 10 = 80 Gbps, so expect approximately 70% of
80 Gbps: 56 Gbps.
For a cluster of 16 units, the combined throughput is 16 x 10 = 160 Gbps, so expect approximately 70%
of 160 Gbps: 112 Gbps.
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/1
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1 Master Bootstrap Configuration
cluster interface-mode spanned force
ASA1/A(config)# sh cluster info
Cluster shiva: On
Interface mode: spanned
This is "A" in state MASTER
ID : 0
Version : 9.2(2)4
Serial No.: FCH16407FXZ
CCL IP : 192.168.1.1
CCL MAC : 6c20.56bd.ea87
Last join : 16:14:25 UTC Oct 10 2014
Last leave: N/A
Other members in the cluster:
Unit "B" in state SLAVE
ID : 1
Version : 9.2(2)4
Serial No.: FCH16407G0X
CCL IP : 192.168.1.2
CCL MAC : 6c20.56bd.df21
Last join : 16:20:50 UTC Oct 10 2014
Last leave: 16:17:39 UTC Oct 10 2014
ASA1/B# sh cluster info
Cluster shiva: On
Interface mode: spanned
This is "B" in state SLAVE
ID : 1
Version : 9.2(2)4
Serial No.: FCH16407G0X
CCL IP : 192.168.1.2
CCL MAC : 6c20.56bd.df21
Last join : 16:20:50 UTC Oct 10 2014
Last leave: N/A
Other members in the cluster:
Unit "A" in state MASTER
ID : 0
Version : 9.2(2)4
Serial No.: FCH16407FXZ
CCL IP : 192.168.1.1
CCL MAC : 6c20.56bd.ea87
Last join : 16:14:25 UTC Oct 10 2014
Last leave: N/A
ASA1/A(config)# sh cluster conn
Usage Summary In Cluster:*********************************************
16 in use, stub connection 0 in use (cluster-wide aggregated)
A(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 0 most used
B:********************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
ASA1/B# sh cluster conn
Usage Summary In Cluster:*********************************************
17 in use, stub connection 0 in use (cluster-wide aggregated)
B(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
A:********************************************************************
9 in use, 10 most used, stub connection 0 in used, 0 most used
ASA1/A(config)# sh port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP Yes Gi0/1(P)
2 Po2(U) LACP Yes Gi0/3(P)
ASA1/B# sh port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP Yes Gi0/1(P)
2 Po2(U) LACP Yes Gi0/3(P)
ASA1/A# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES unset up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/5 unassigned YES unset up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset down down
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset administratively down down
Port-channel1 192.168.101.1 YES manual up up
Port-channel2 192.168.102.1 YES manual up up
ASA1/B# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES unset up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/5 unassigned YES unset up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset down down
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset administratively down down
Port-channel1 192.168.101.1 YES CONFIG up up
Port-channel2 192.168.102.1 YES CONFIG up up
SW1#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/2, Fa1/0/3, Fa1/0/4
Fa1/0/5, Fa1/0/6, Fa1/0/7
Fa1/0/8, Fa1/0/9, Fa1/0/10
Fa1/0/12, Fa1/0/13, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/24
Gi1/0/1, Gi1/0/2
101 VLAN0101 active Fa1/0/1, Po1
102 VLAN0102 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/11, Fa0/12, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/23
Fa0/24, Gi0/1, Gi0/2
101 VLAN0101 active
102 VLAN0102 active Fa0/2, Po2
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW1#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa1/0/11(P) Fa1/0/14(P)
SW2#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) LACP Fa0/10(P) Fa0/13(P)
ASA1/A(config)# sh cluster conn
Usage Summary In Cluster:*********************************************
24 in use, stub connection 0 in use (cluster-wide aggregated)
A(LOCAL):*************************************************************
11 in use, 11 most used, stub connection 0 in used, 0 most used
B:********************************************************************
13 in use, 13 most used, stub connection 0 in used, 1 most used
ASA1/B# sh cluster conn
Usage Summary In Cluster:*********************************************
24 in use, stub connection 0 in use (cluster-wide aggregated)
B(LOCAL):*************************************************************
13 in use, 13 most used, stub connection 0 in used, 1 most used
A:********************************************************************
11 in use, 11 most used, stub connection 0 in used, 0 most used
ASA1/A(config)# sh cluster access-list
hitcnt display order: cluster-wide aggregated result, A, B
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit icmp any any (hitcnt=3, 0, 3) 0x4f3e126c
ASA1/B# sh cluster access-list
hitcnt display order: cluster-wide aggregated result, B, A
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit icmp any any (hitcnt=3, 3, 0) 0x4f3e126c
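The hit counts and connection counters in the show output above are the operator's evidence that ACL accounting and connection state are visible cluster-wide, and that the load is actually spread across the members. As an added example that is not code from the book or from Cisco, the following Python parses show cluster access-list and show cluster conn output, maps the per-unit columns using the "hitcnt display order" header, and flags an aggregate that does not equal the sum of the per-unit values or a unit carrying a disproportionate share of the connections. The sample text is copied from unit A's output above; the 75% share threshold is an assumption.

```python
import re
from typing import Any, Dict, List

# Sample output copied from the show commands on unit A above.
CLUSTER_ACL_A = """\
hitcnt display order: cluster-wide aggregated result, A, B
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit icmp any any (hitcnt=3, 0, 3) 0x4f3e126c
"""

CLUSTER_CONN_A = """\
Usage Summary In Cluster:*********************************************
16 in use, stub connection 0 in use (cluster-wide aggregated)
A(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 0 most used
B:********************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
"""


def parse_cluster_access_list(text: str) -> List[Dict[str, Any]]:
    """One record per ACE: the aggregated hit count and the per-unit counts, mapped to unit
    names with the 'hitcnt display order' header (which differs from unit to unit)."""
    order = re.search(r"hitcnt display order: cluster-wide aggregated result, (.+)", text)
    units = [u.strip() for u in order.group(1).split(",")] if order else []
    records = []
    for m in re.finditer(r"^(access-list \S+ line \d+ .*?) \(hitcnt=([\d, ]+)\)", text, re.M):
        counts = [int(c) for c in m.group(2).split(",")]
        records.append({"ace": m.group(1), "aggregate": counts[0],
                        "per_unit": dict(zip(units, counts[1:]))})
    return records


def parse_cluster_conn(text: str) -> Dict[str, Any]:
    """The cluster-wide 'in use' count, the per-unit counts and which unit is LOCAL."""
    summary: Dict[str, Any] = {"aggregate": None, "per_unit": {}, "local": None}
    section = None
    for line in text.splitlines():
        if line.startswith("Usage Summary In Cluster:"):
            section = "__aggregate__"
            continue
        m = re.match(r"^(\w+)(\(LOCAL\))?:\*+$", line)     # e.g. "A(LOCAL):****" or "B:****"
        if m:
            section = m.group(1)
            if m.group(2):
                summary["local"] = section
            continue
        m = re.match(r"^(\d+) in use", line)
        if m and section == "__aggregate__":
            summary["aggregate"] = int(m.group(1))
        elif m and section:
            summary["per_unit"][section] = int(m.group(1))
    return summary


def check_consistency(acl_records: List[Dict[str, Any]], conn_summary: Dict[str, Any],
                      max_share: float = 0.75) -> List[str]:
    """Flag aggregates that differ from the sum of the per-unit values (a member's state is not
    being seen cluster-wide) and a unit holding more than max_share of the connections
    (the upstream load balancing is not spreading flows)."""
    problems = []
    for r in acl_records:
        per_unit = sum(r["per_unit"].values())
        if per_unit != r["aggregate"]:
            problems.append(f"{r['ace']}: aggregate {r['aggregate']} != per-unit sum {per_unit}")
    total = sum(conn_summary["per_unit"].values())
    if total != conn_summary["aggregate"]:
        problems.append(f"connections: aggregate {conn_summary['aggregate']} != per-unit sum {total}")
    for unit, n in conn_summary["per_unit"].items():
        if total and n / total > max_share:
            problems.append(f"connections: {unit} carries {n}/{total}, load balancing is skewed")
    return problems
```

Because the parser reads the display order from the header, the same code maps the columns correctly whether the output was collected on A ("A, B") or on B ("B, A"), so the per-unit figures from both members can be compared directly.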
SW1
SW1#sh running-config
Building configuration...
Current configuration : 3436 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
no ip domain-lookup
!
!
!
!
crypto pki trustpoint TP-self-signed-3398030592
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3398030592
revocation-check none
rsakeypair TP-self-signed-3398030592
!
!
crypto pki certificate chain TP-self-signed-3398030592
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333938 30333035 3932301E 170D3933 30333031 30303031
34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393830
33303539 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B71A 93D8E49D C81AF71A 6691EA05 DEC986D2 BB34BFC9 94C85C14 F5FD5663
401DBF29 94356037 D453D201 9A7D5346 717D2C40 9FBC2F07 172590EF A9D508C1
33EE703E 0197FC1F D8F23810 A54A1D61 D88D8761 246C8E27 1290964B F46CB991
9BF2270A 05EB0159 C1815D12 4BB98EE4 A708FB5C A3728098 20D7E002 9846919A
767B0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04535731 2E301F06 03551D23 04183016 8014A77A 6EE8D5A3
2F3CC9BA DA830E8F A8567A87 BD4B301D 0603551D 0E041604 14A77A6E E8D5A32F
3CC9BADA 830E8FA8 567A87BD 4B300D06 092A8648 86F70D01 01040500 03818100
8CBB655C 8805B6AA B6C6E88A 0F97321C 9386F7D1 D6FC8E56 AC95263D 4A3C353E
4E3BF867 CB3ACCBF 4746DBCA 9997C688 52EE83C0 3EFBED29 EE46D396 186A01B7
3BF59B1A 37E690C9 1162867E EBAB3A32 8AA8DB26 2759EB33 9601F7A5 40285F02
8DA8A86B 8BECB5F0 4782C36F D0CCADD6 BD15EB13 B4C0E5A4 B28DB1A4 E96E2CCF
quit
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Port-channel1
switchport access vlan 101
switchport mode access
!
interface FastEthernet1/0/1
switchport access vlan 101
switchport mode access
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
switchport mode access
!
interface FastEthernet1/0/11
switchport access vlan 101
switchport mode access
channel-group 1 mode active
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
switchport mode access
!
interface FastEthernet1/0/14
switchport access vlan 101
switchport mode access
channel-group 1 mode active
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
ip address dhcp
!
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
SW1#
SW2
SW2#sh ru
SW2#sh running-config
Building configuration...
Current configuration : 4045 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
!
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
!
crypto pki trustpoint TP-self-signed-1187955840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1187955840
revocation-check none
rsakeypair TP-self-signed-1187955840
!
!
crypto pki certificate chain TP-self-signed-1187955840
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313837 39353538 3430301E 170D3933 30333031 30303031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383739
35353834 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B68A 8F1A0987 7DE1BEE3 8A770370 2889D0D7 38086A59 6C976F82 04FAEB9C
59CEA030 70552551 CEFCD186 FA411F3B 6674363A 0BB0EFAA 030F4619 47F3CC18
D5889167 A42B3D0B 5EEF8076 49A7B1F3 7BDDCC2B EDE3FC20 4306AF7C 5E4B9E6B
0BB6C927 10C5D9BF 9940AA46 96C91F35 DED5E9B5 BE5A031D D910D861 1AC0569F
58830203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04535732 2E301F06 03551D23 04183016 80143605 878C31DB
DC5A5428 7B800116 62CFD3DB 80AC301D 0603551D 0E041604 14360587 8C31DBDC
5A54287B 80011662 CFD3DB80 AC300D06 092A8648 86F70D01 01040500 03818100
3CC0DD50 37CBC9C8 42B37386 79FEFA3C 02F53B4C 23DA6BEE 5E1ED166 17F5414F
48DF65EE F1AF7509 63DE1E42 3899E5F3 133B11AC BBEB2210 99197D5C 89391410
1AA41D6A CA850B39 AB5CC299 17F17F02 1002E315 ECEC95D1 00900B2E 357D040B
A4F6A1B2 EB0A839B 381C611B 7F63BE09 31C31232 DCCB3C83 6F6F0A5D 110BAB80
quit
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Port-channel2
switchport access vlan 102
switchport mode access
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport access vlan 102
switchport mode access
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport access vlan 102
switchport mode access
channel-group 2 mode active
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport access vlan 102
switchport mode access
channel-group 2 mode active
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
ip address dhcp
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
SW2#
ASA1/Master
ASA1(config)# sh running-config
: Saved
:
: Serial Number: FCH16407FXZ
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
description Clustering Interface
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Port-channel2
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
!
ftp mode passive
access-list out extended permit icmp any any
cluster group shiva
key *****
local-unit A
cluster-interface GigabitEthernet0/0 ip 192.168.1.1 255.255.255.0
priority 10
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
pager lines 24
mtu inside 1500
mtu outside 1500
mtu cluster 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group out in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:49b89413b0c2641169352402952806c1
: end
ASA1(config)#
ASA2/Slave
ASA1(cfg-cluster)# sh running-config
: Saved
:
: Serial Number: FCH16407G0X
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
description Clustering Interface
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Port-channel2
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
!
ftp mode passive
access-list out extended permit icmp any any
cluster group shiva
key *****
local-unit B
cluster-interface GigabitEthernet0/0 ip 192.168.1.2 255.255.255.0
priority 20
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
pager lines 24
mtu inside 1500
mtu outside 1500
mtu cluster 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group out in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5bfa37f9cceb992fef77e50f46518ca1
: end
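The dump above is the running configuration of cluster unit B. Two lines in it deserve a second look from a security standpoint: "ssh key-exchange group dh-group1-sha1" (a 1024-bit Diffie-Hellman group) and "no ssh stricthostkeycheck" (the ASA will not verify server host keys when it acts as an SSH/SCP client). The following Python script is an added example, not code from the book: it parses an ASA running-config into commands and sub-commands and reports on the cluster and management-plane settings shown in this chapter. The sample config is constructed from the dump above with ASA's one-space sub-command indentation restored; the check list and the severities are the example's own.

```python
"""Audit an ASA running-config for the clustering and management-plane settings
that appear in this chapter's ASA1 dump.  Added example, not from the book: the
sample config is constructed from that dump with ASA's one-space sub-command
indentation restored, and the checks and severities are the example's own."""
import re

SAMPLE_CONFIG = """\
hostname ASA1
interface GigabitEthernet0/0
 description Clustering Interface
interface Management0/0
 management-only
 shutdown
 no nameif
cluster group shiva
 key *****
 local-unit B
 cluster-interface GigabitEthernet0/0 ip 192.168.1.2 255.255.255.0
 priority 20
 health-check holdtime 3
 enable
no failover
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
"""


def parse_sections(text):
    """Split a config into (command, [sub-commands]).  ASA indents mode
    sub-commands by one space; '!' separators and ':' banner lines are skipped.
    A list rather than a dict, so one entry per 'interface' block survives."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "!:":
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return findings as (severity, message) tuples."""
    findings = []
    sections = parse_sections(text)
    top = [cmd for cmd, _ in sections]

    for cmd, subs in sections:
        if not cmd.startswith("cluster group "):
            continue
        if not any(s.startswith("key ") for s in subs):
            findings.append(("high", f"{cmd}: no cluster key, control-link traffic is unauthenticated"))
        if not any(s.startswith("cluster-interface ") for s in subs):
            findings.append(("high", f"{cmd}: no cluster-interface (cluster control link) configured"))
        if "enable" not in subs:
            findings.append(("info", f"{cmd}: clustering configured but not enabled on this unit"))

    # Any 'telnet <addr> <mask> <interface>' line opens a cleartext management listener.
    for cmd in top:
        if re.match(r"telnet \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$", cmd):
            findings.append(("high", f"{cmd}: Telnet management is cleartext, use SSH"))

    if "no ssh stricthostkeycheck" in top:
        findings.append(("medium", "no ssh stricthostkeycheck: outbound SSH/SCP from the ASA "
                                   "(copy scp:) accepts any server host key"))
    if "ssh key-exchange group dh-group1-sha1" in top:
        findings.append(("medium", "ssh key-exchange group dh-group1-sha1: 1024-bit DH group, "
                                   "prefer dh-group14-sha1"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the two SSH findings and nothing for the cluster block, because the key, the cluster control link and "enable" are all present; remove the "key" line and it flags the cluster as unauthenticated. The "key *****" form is what show running-config prints, so the parser only tests for the presence of the command, not its value.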
Chapter 32
After reading this chapter you will be able to describe:
ASA as DHCP server
ASA as DHCP relay agent
Disabling fragmentation on ASA
Enabling uRPF on ASA
EtherChannel
Redundant interface
Diagram: Management of ASA
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
no ip address
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int l1
ip add 102.1.1.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.20.1
SW1
ip routing
int vlan 1
ip add 192.168.101.1 255.255.255.0
no shutdown
exit
interface range fastEthernet 1/0/10 - 11
no switchport
channel-group 1 mode active
interface Port-channel 1
ip add 192.168.1.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
ASA1
interface GigabitEthernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/3
member-interface GigabitEthernet0/4
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
ASA1(config-router)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 192.168.10.1 YES manual up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/5 192.168.20.1 YES manual up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset down down
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset administratively down down
Port-channel1 192.168.1.2 YES manual up up
Redundant1 101.1.1.100 YES manual up up
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
redistribute static metric 1 1 1 1 1
!
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# sh port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 1
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP No Gi0/0(P) Gi0/1(P)
ASA1# sh interface redundant 1
Interface Redundant1 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 6c20.56bd.ea85, MTU 1500
IP address 101.1.1.100, subnet mask 255.255.255.0
9 packets input, 846 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
3 L2 decode drops
8 packets output, 782 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1013/505)
output queue (blocks free curr/low): hardware (1022/510)
Traffic Statistics for "outside":
6 packets input, 546 bytes
8 packets output, 584 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member GigabitEthernet0/3(Active), GigabitEthernet0/4
Last switchover at 18:03:31 UTC Oct 8 2014
ASA1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.1.0 255.255.255.0
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 size 18000
Type escape sequence to abort.
Sending 5, 18000-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
ASA1(config)# fragment chain 1
ASA1(config)# fragment chain 1 inside
ASA1(config)# fragment chain 1 dmz1
ASA1(config)# fragment chain 1 dmz2
R1#ping 101.1.1.1 size 18000
Type escape sequence to abort.
Sending 5, 18000-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
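The two pings above show the effect of "fragment chain 1": the 18000-byte echo that was passing before the command is dropped afterwards, while the 100-byte echo still works. The Python below is an added example, not code from the book. It splits a datagram into the fragment chain a router emits for a given MTU and applies the chain limit the way the ASA does, so the reader can see why the 18000-byte ping becomes a 13-fragment chain and the 100-byte ping stays a single packet. It treats the IOS "size 18000" as the total IP datagram length (header included); that is an assumption about how the size option is counted. The ASA default of 24 fragments per chain is from the fragment command's defaults.

```python
"""How a datagram larger than the MTU becomes a fragment chain, and what the ASA's
'fragment chain N' limit does with it.  Added example, not from the book; it treats
the IOS 'ping ... size 18000' as an 18000-byte IP datagram (header included), which
is an assumption about how the size option is counted."""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header length without options
DEFAULT_CHAIN = 24   # ASA default 'fragment chain 24'


@dataclass(frozen=True)
class Fragment:
    offset: int   # fragment offset in 8-byte units, as carried in the IP header
    length: int   # payload bytes in this fragment
    more: bool    # MF flag: another fragment follows


def fragment(total_len, mtu=1500):
    """Split a datagram of total_len bytes into the fragments a router emits for
    mtu.  All fragments but the last carry a payload that is a multiple of 8 bytes
    because the offset field counts 8-byte units."""
    payload = total_len - IP_HDR
    if total_len <= mtu:
        return [Fragment(0, payload, False)]
    per_frag = (mtu - IP_HDR) // 8 * 8        # 1480 bytes for a 1500-byte MTU
    frags, sent = [], 0
    while sent < payload:
        size = min(per_frag, payload - sent)
        frags.append(Fragment(sent // 8, size, sent + size < payload))
        sent += size
    return frags


def asa_allows(frags, chain_limit=DEFAULT_CHAIN):
    """'fragment chain N' caps the fragments the ASA will collect for one
    datagram; 'fragment chain 1' therefore passes only unfragmented packets.
    Returns (allowed, reason)."""
    n = len(frags)
    if n > chain_limit:
        return False, f"{n} fragments exceed 'fragment chain {chain_limit}'"
    return True, f"{n} fragment(s) within 'fragment chain {chain_limit}'"


if __name__ == "__main__":
    for size in (100, 18000):
        chain = fragment(size)
        print(f"{size}-byte ping -> {len(chain)} fragment(s); "
              f"default: {asa_allows(chain)[0]}, chain 1: {asa_allows(chain, 1)[0]}")
```

With the default limit of 24 the 13-fragment chain is accepted, with "fragment chain 1" it is dropped, which is exactly the before/after seen on R1. Two caveats: "fragment chain 1" also drops legitimate fragmented traffic (large UDP replies, IKE exchanges carrying certificates), so apply it per interface only where nothing legitimate fragments; and the interface-less form already applies to all interfaces, so the three per-interface repetitions above add nothing.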
R1
R1(config)#interface lo1
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#^Z
R1#ping 101.1.1.1 source loopback 1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
......
Success rate is 0 percent (0/6)
ASA1(config)# sh xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:02:49 timeout 0:00:00
ICMP PAT from inside:1.1.1.1/6 to outside:101.1.1.100/6 flags ri idle 0:00:02 timeout 0:00:30
ASA1(config)# ip verify reverse-path interface inside
R1#ping 101.1.1.1 source loopback 1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
......
ASA1# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:04:15 timeout 0:00:00
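The point of the two "sh xlate" outputs is the difference at ingress: before uRPF the ASA accepted the packet sourced from 1.1.1.1, an address it has no route to via inside, and spent a PAT xlate on it; after "ip verify reverse-path interface inside" only the static identity entry remains, because the spoofed packet is discarded before NAT runs. The Python below is an added example, not code from the book. It implements the strict reverse-path check on a longest-prefix-match routing table constructed from this chapter's lab (connected routes, the 192.168.101.0/24 prefix learned from SW1 via EIGRP, and the default route), and goes beyond the single case in the text by also showing the outside interface rejecting a spoofed internal address. Interface names and routes are taken from the lab; the packet list is constructed.

```python
"""Strict unicast RPF as 'ip verify reverse-path interface <name>' applies it: the
source address of a packet arriving on <name> must be reachable, by the routing
table's best match, back out of that same interface.  Added example, not from the
book; the routing table is constructed from this chapter's lab."""
import ipaddress

ROUTES = [
    ("192.168.1.0/24", "inside"),     # connected, Port-channel1
    ("192.168.101.0/24", "inside"),   # learned from SW1 via EIGRP
    ("192.168.10.0/24", "dmz1"),      # connected
    ("192.168.20.0/24", "dmz2"),      # connected
    ("101.1.1.0/24", "outside"),      # connected, Redundant1
    ("0.0.0.0/0", "outside"),         # route outside 0.0.0.0 0.0.0.0 101.1.1.1
]


def build_table(routes=ROUTES):
    return [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes]


def lookup(table, addr):
    """Longest-prefix match; returns the egress interface or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifc in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def urpf_check(table, ingress, src, enabled):
    """Return (forward, reason) for a packet from src arriving on ingress.
    'enabled' is the set of interfaces carrying 'ip verify reverse-path'."""
    if ingress not in enabled:
        return True, f"uRPF not enabled on {ingress}"
    reverse = lookup(table, src)
    if reverse is None:
        return False, f"no route to source {src}"
    if reverse != ingress:
        return False, f"reverse path to {src} is {reverse}, not {ingress}"
    return True, f"reverse path to {src} is {ingress}"


def run(packets, enabled):
    """Apply the check to (ingress, src) pairs; returns one decision row each."""
    table = build_table()
    return [(ingress, src) + urpf_check(table, ingress, src, enabled)
            for ingress, src in packets]


if __name__ == "__main__":
    packets = [("inside", "192.168.101.100"),   # R1, legitimate
               ("inside", "1.1.1.1"),           # R1 loopback, routed via outside
               ("outside", "192.168.101.5"),    # internal address spoofed from outside
               ("outside", "8.8.8.8")]          # matched by the default route
    for row in run(packets, {"inside", "outside"}):
        print(row)
```

Note that the default route makes every source "reachable" via outside, so uRPF on the outside interface only catches addresses that have a more specific route inward (the spoofed 192.168.101.5), while on inside and the DMZs it rejects anything not in their known prefixes. Strict mode assumes symmetric routing; on an interface where return traffic legitimately takes a different path it will drop valid packets, so enable it where the address space behind the interface is known, as the chapter does on inside.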
ASA as DHCP server
ASA1(config)# dhcpd address 192.168.10.100-192.168.10.254 dmz1
ASA1(config)# dhcpd enable dmz1
ASA1(config)# dhcpd option 3 ip 192.168.10.1
R2
int f0/0
no shutdown
ip add dhcp
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.100 YES DHCP up up
FastEthernet0/1 unassigned YES NVRAM up up
R2#sh ip route static
S* 0.0.0.0/0 [254/0] via 192.168.10.1
ASA1# sh dhcpd binding
IP address Client Identifier Lease expiration Type
192.168.10.100 0063.6973.636f.2d30. 3545 seconds Automatic
3031.662e.3965.3566.
2e38.3036.302d.4661.
302f.30
ASA as DHCP relay agent
ASA1(config)# clear configure dhcpd
R4
R4(config)#ip dhcp pool dmz1
R4(dhcp-config)#network 192.168.10.0
R4(dhcp-config)#default-router 192.168.10.1
R4(dhcp-config)#ex
R4(config)#ip dhcp excluded-address 192.168.10.1
ASA1
ASA1(config)# dhcprelay server 192.168.20.100 dmz2
ASA1(config)# dhcprelay enable dmz1
R2(config)#interface fastEthernet 0/0
R2(config-if)#no ip address
R2(config-if)#ip address dhcp
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.2 YES DHCP up up
FastEthernet0/1 unassigned YES NVRAM up up
R2#sh ip route static
192.168.20.0/32 is subnetted, 1 subnets
S 192.168.20.100 [254/0] via 192.168.10.1, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via 192.168.10.1
R4#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.10.2 0063.6973.636f.2d30. Oct 09 2014 01:38 PM Automatic
3031.662e.3965.3566.
2e38.3036.302d.4661.
302f.30
Chapter 33
After reading this chapter you will be able to describe:
Active-Standby IPv6 FO
Diagram: Active-Standby IPv6 FO
Initial-config
R1
ipv6 unicast-routing
interface FastEthernet0/0
ipv6 address 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
!
R2
ipv6 unicast-routing
interface FastEthernet0/0
ipv6 address 192:168:20::100/48
ipv6 route ::/0 192:168:20::1
R3
interface FastEthernet0/0
ipv6 address 101:1:1::1/48
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:10::1/48 standby 192:168:10::2
!
interface GigabitEthernet0/1
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48 standby 101:1:1::101
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
no ip address
ipv6 address 192:168:20::1/48 standby 192:168:20::2
!
ipv6 route outside ::/0 101:1:1::1
ASA1# ping 192:168:10::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:10::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192:168:20::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:20::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
object network inside
subnet 192:168:10::/48
object network s2s
subnet 192:168:102::/48
ASA1
nat (inside,outside) source static inside inside destination static s2s s2s
nat (inside,outside) source static R1 interface ipv6 service telnet telnet
nat (inside,outside) source dynamic any interface ipv6
access-list out extended permit icmp6 any 192:168:10::/48
access-list out extended permit tcp any object R1 eq telnet
access-group out in interface outside
R3#debug ipv6 icmp
ICMP packet debugging is on
R1#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R3#
*Oct 9 06:13:44.059: ICMPv6: Received ICMPv6 packet from FE80::200:CFF:FE07:AC05, type 136
R3#
*Oct 9 06:14:11.091: ICMPv6: Received echo request from 101:1:1::100
*Oct 9 06:14:11.091: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 9 06:14:11.095: ICMPv6: Received echo request from 101:1:1::100
*Oct 9 06:14:11.095: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 9 06:14:11.095: ICMPv6: Received echo request from 101:1:1::100
*Oct 9 06:14:11.095: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 9 06:14:11.099: ICMPv6: Received echo request from 101:1:1::100
*Oct 9 06:14:11.099: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 9 06:14:11.099: ICMPv6: Received echo request from 101:1:1::100
*Oct 9 06:14:11.099: ICMPv6: Sending echo reply to 101:1:1::100
R3#telnet 101:1:1::100
Trying 101:1:1::100 ... Open
R1>
ASA1
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key shiva
failover replication http
failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02
failover mac address GigabitEthernet0/2 0000.0c07.ac03 0000.0c07.ac04
failover mac address GigabitEthernet0/1 0000.0c07.ac05 0000.0c07.ac06
failover link shiva GigabitEthernet0/3
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
ASA2
failover
failover lan unit secondary
failover lan interface shiva GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key shiva
failover replication http
failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02
failover mac address GigabitEthernet0/2 0000.0c07.ac03 0000.0c07.ac04
failover mac address GigabitEthernet0/1 0000.0c07.ac05 0000.0c07.ac06
failover link shiva GigabitEthernet0/3
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 11:55:35 UTC Oct 9 2014
This host: Primary - Active
Active time: 160 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 577 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac02): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac06): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac04): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 85 0 76 0
sys cmd 75 0 75 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 10 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 567
Xmit Q: 0 1 172
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 06:30:14 UTC Oct 9 2014
This host: Secondary - Standby Ready
Active time: 577 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac02): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac06): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac04): Normal (Monitored)
Other host: Primary - Active
Active time: 122 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 94 0 110 0
sys cmd 93 0 93 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 16 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 541
Xmit Q: 0 282 585
ASA1
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: y
Cryptochecksum: e120f795 a8075185 3bbb3555 55f80897
3836 bytes copied in 0.720 secs
Proceed with reload? [confirm]
ASA1(config)#
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 06:37:03 UTC Oct 9 2014
This host: Secondary - Active
Active time: 17 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Waiting)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Waiting)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Waiting)
Other host: Primary - Failed
Active time: 408 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
Interface inside (0.0.0.0): Unknown (Monitored)
Interface outside (0.0.0.0): Unknown (Monitored)
Interface dmz (0.0.0.0): Unknown (Monitored)
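The three "sh failover" outputs in this chapter are what an operator looks at to decide whether the pair is healthy: the peer state ("Standby Ready" versus "Failed"), the per-interface status ("Normal (Monitored)" versus "Normal (Waiting)" or "Unknown"), and the matching software versions. The Python below is an added example, not code from the book: it parses that output into a structure and derives alerts from it, the logic a monitoring check would run after each poll. The first sample is constructed from the output above (the secondary after the primary's reload); the second is constructed in the Active/Active form that multi-context units print, where "This host: Primary" is followed by one "Group N State:" line per failover group and interface lines carry the context name, so the same parser covers both modes. The indentation in the samples is an assumption; the parser keys on line content.

```python
"""Parse 'show failover' into a structure a monitoring check can alert on.  Added
example, not from the book; both samples are constructed from this book's output
formats (Active/Standby after the reload, and the Active/Active per-group form)."""
import re

SHOW_FAILOVER_AS = """\
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 06:37:03 UTC Oct 9 2014
        This host: Secondary - Active
                Active time: 17 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Waiting)
                  Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Waiting)
                  Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Waiting)
        Other host: Primary - Failed
                Active time: 408 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
                  Interface inside (0.0.0.0): Unknown (Monitored)
                  Interface outside (0.0.0.0): Unknown (Monitored)
                  Interface dmz (0.0.0.0): Unknown (Monitored)
"""

SHOW_FAILOVER_AA = """\
Failover On
Failover unit Primary
Version: Ours 9.2(2)4, Mate 9.2(2)4
        This host: Primary
        Group 1 State: Active
        Group 2 State: Standby Ready
          c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)
          c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Normal (Monitored)
        Other host: Secondary
        Group 1 State: Standby Ready
        Group 2 State: Active
          c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Normal (Monitored)
          c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)(?:\s+-\s+(.+))?$")
GROUP_RE = re.compile(r"^Group (\d+) State:\s+(.+)$")
IFACE_RE = re.compile(r"^(?:(\S+)\s+)?Interface (\S+) \([^)]*\):\s+(\w+) \((\w+)\)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HEALTHY = {"Active", "Standby Ready"}


def parse_show_failover(text):
    """Return {'enabled', 'versions', 'this', 'other'}; each host holds its unit
    role, its A/S state (None on A/A), per-group states and interface list."""
    state = {"enabled": None, "versions": None, "this": None, "other": None}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            state["enabled"] = line == "Failover On"
        elif (m := VERSION_RE.match(line)):
            state["versions"] = m.groups()
        elif (m := HOST_RE.match(line)):
            host = {"unit": m.group(2), "state": m.group(3), "groups": {}, "interfaces": []}
            state["this" if m.group(1) == "This" else "other"] = host
        elif host and (m := GROUP_RE.match(line)):
            host["groups"][int(m.group(1))] = m.group(2).strip()
        elif host and (m := IFACE_RE.match(line)):
            ctx, name, status, monitor = m.groups()
            host["interfaces"].append(
                {"context": ctx, "name": name, "status": status, "monitor": monitor})
    return state


def failover_alerts(state):
    """Conditions that leave the pair without a ready peer or hide a problem."""
    if not state["enabled"]:
        return ["failover is off"]
    alerts = []
    if state["versions"] and state["versions"][0] != state["versions"][1]:
        alerts.append("software mismatch: ours %s, mate %s" % state["versions"])
    for label in ("this", "other"):
        host = state[label]
        if host is None:
            alerts.append(f"{label} host missing from output")
            continue
        # A/S reports one state per host; A/A reports one per failover group.
        states = [host["state"]] if host["state"] else list(host["groups"].values())
        for st in states:
            if st not in HEALTHY:
                alerts.append(f"{label} host ({host['unit']}) is {st}")
        for i in host["interfaces"]:
            if i["status"] != "Normal" or i["monitor"] != "Monitored":
                alerts.append(f"{label} host interface {i['name']}: {i['status']} ({i['monitor']})")
    return alerts


if __name__ == "__main__":
    for sample in (SHOW_FAILOVER_AS, SHOW_FAILOVER_AA):
        print(failover_alerts(parse_show_failover(sample)) or ["ok"])
```

On the first sample it raises seven alerts: the mate is "Failed" and all six interface lines are either "Waiting" (the new active unit has no peer to test against) or "Unknown"; the second sample, with both groups in "Active" or "Standby Ready" and every interface "Normal (Monitored)", raises none. "Standby Ready" is the only standby state treated as healthy on purpose: "Negotiation", "Sync Config" or "Cold Standby" all mean a failover right now would not be clean.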
Chapter 34
After reading this chapter you will be able to describe:
Active-Active IPv6 FO
Diagram: Active-Active IPv6 FO
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:101::100/48
no sh
ipv6 route ::/0 192:168:101::1
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:102::100/48
no shutdown
ipv6 route ::/0 192:168:102::1
R3
ipv6 unicast-routing
int fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 102:1:1::1/48
no shutdown
ASA1
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
ASA2
ASA2(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
ASA1
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/1
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/4
ASA1(config-if)# no shutdown
!
class c1
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource VPN Other 125
!
class c2
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource VPN Other 125
!
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
member c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
member c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
join-failover-group 2
!
failover group 1
preempt
failover group 2
secondary
preempt
!
!
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/4
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
ASA1/c1(config)# sh running-config
: Saved
:
: Hardware: ASA5512:
ASA Version 9.2(2)4 <context>
!
hostname c1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ipv6 local pool inside 192:168:101::111/48 10
ipv6 local pool outside 101:1:1::111/48 10
!
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:101::1/48 cluster-pool inside
!
interface GigabitEthernet0/1
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48 cluster-pool outside
!
access-list out extended permit icmp6 any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface ipv6
access-group out in interface outside
ipv6 route outside ::/0 101:1:1::1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:885c4647c80e89f4ec3a2eaa43731b2f
: end
ASA1/c2(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ipv6 local pool inside 192:168:102::111/48 10
ipv6 local pool outside 102:1:1::111/48 10
!
interface GigabitEthernet0/2
nameif inside
security-level 100
no ip address
ipv6 address 192:168:102::1/48 cluster-pool inside
!
interface GigabitEthernet0/3
nameif outside
security-level 0
no ip address
ipv6 address 102:1:1::100/48 cluster-pool outside
!
access-list out extended permit icmp6 any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface ipv6
access-group out in interface outside
ipv6 route outside ::/0 102:1:1::1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d7353dc0e7aca0f5812eb5557e8df3dd
: end
ASA1(config)#
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/4
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link shiva GigabitEthernet0/4
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
failover group 1
preempt
failover group 2
secondary
preempt
ASA1/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:02:41 UTC Oct 11 2014
Group 2 last failover at: 19:02:45 UTC Oct 11 2014
This host: Primary
Group 1 State: Active
Active time: 508 (sec)
Group 2 State: Standby Ready
Active time: 3 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:202): Normal (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 504 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:102): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:201): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 22 0 17 0
sys cmd 15 0 15 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 3 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 4 0 2 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 70
Xmit Q: 0 2 199
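Reading this output by eye on two units is error-prone, so the following is an added example (not code from the book or from Cisco) that parses the `show failover` text above and flags the conditions a defender actually cares about: failover disabled, failover link down, a software version mismatch between the units, a group whose two hosts are not in the Active / Standby Ready pair, and any monitored interface that is not Normal. The sample input is a trimmed copy of the primary unit's output shown above, embedded here as constructed test data; the regexes assume the single-line formats visible in that output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the active unit's `show failover`
# output from the page (unparsed lines such as "slot 0:" are kept to show
# that the parser simply ignores them).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Version: Ours 9.2(2)4, Mate 9.2(2)4
This host: Primary
Group 1 State: Active
Active time: 508 (sec)
Group 2 State: Standby Ready
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:202): Normal (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:102): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:201): Normal (Monitored)
"""

RE_ENABLED = re.compile(r"^Failover (On|Off)$")
RE_UNIT = re.compile(r"^Failover unit (\S+)$")
RE_LAN = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)$")
RE_VERSION = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
RE_HOST = re.compile(r"^(This|Other) host: (\S+)$")
# "Group N State:" in multi-context Active/Active; plain "State:" in single mode.
RE_STATE = re.compile(r"^(?:Group (\d+) )?State: (.+)$")
# Optional context prefix ("c1"), then name, addresses, status and monitoring.
RE_IFACE = re.compile(r"^(?:(\S+) )?Interface (\S+) \(([^)]*)\): (\S+) \(([^)]+)\)$")


@dataclass
class FailoverStatus:
    enabled: bool = False
    unit: str = ""
    lan_interface: str = ""
    lan_state: str = ""
    version_ours: str = ""
    version_mate: str = ""
    # host ("this"/"other") -> {group -> state}
    group_state: dict = field(default_factory=lambda: {"this": {}, "other": {}})
    # host -> [(context, name, status, monitoring)]
    interfaces: dict = field(default_factory=lambda: {"this": [], "other": []})


def parse_show_failover(text: str) -> FailoverStatus:
    """Walk the output line by line, tracking which host block we are in."""
    st = FailoverStatus()
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_ENABLED.match(line)
        if m:
            st.enabled = m.group(1) == "On"
            continue
        m = RE_UNIT.match(line)
        if m:
            st.unit = m.group(1)
            continue
        m = RE_LAN.match(line)
        if m:
            st.lan_interface, st.lan_state = m.group(2), m.group(3)
            continue
        m = RE_VERSION.match(line)
        if m:
            st.version_ours, st.version_mate = m.group(1), m.group(2)
            continue
        m = RE_HOST.match(line)
        if m:
            host = m.group(1).lower()
            continue
        m = RE_STATE.match(line)
        if m and host:
            st.group_state[host][m.group(1) or "single"] = m.group(2).strip()
            continue
        m = RE_IFACE.match(line)
        if m and host:
            st.interfaces[host].append((m.group(1) or "-", m.group(2), m.group(4), m.group(5)))
    return st


def assess(st: FailoverStatus) -> list:
    """Return a list of human-readable findings; an empty list means healthy."""
    findings = []
    if not st.enabled:
        findings.append("failover is Off")
    if st.lan_state != "up":
        findings.append(f"failover link {st.lan_interface or '?'} is {st.lan_state or 'unknown'}")
    if st.version_ours != st.version_mate:
        findings.append(f"software mismatch: ours {st.version_ours}, mate {st.version_mate}")
    groups = set(st.group_state["this"]) | set(st.group_state["other"])
    for group in sorted(groups):
        pair = {st.group_state[h].get(group, "missing") for h in ("this", "other")}
        if pair != {"Active", "Standby Ready"}:  # catches Failed, Not Detected, dual-Active
            findings.append(f"group {group}: states {sorted(pair)} are not Active + Standby Ready")
    for host, ifaces in st.interfaces.items():
        for ctx, name, status, monitoring in ifaces:
            if status != "Normal" or monitoring != "Monitored":
                findings.append(f"{host} host {ctx}/{name}: {status} ({monitoring})")
    return findings


if __name__ == "__main__":
    for f in assess(parse_show_failover(SAMPLE_SHOW_FAILOVER)) or ["failover pair healthy"]:
        print(f)
```

Feed it the output of `show failover` captured from either unit; the same checks apply to the standby unit's view, and a finding such as a version mismatch or a dual-Active group is worth paging on, since it is exactly the state in which a failover event will not go the way the configuration promises.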
ASA1/stby(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:02:42 UTC Oct 11 2014
Group 2 last failover at: 19:02:44 UTC Oct 11 2014
This host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 536 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:102): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:201): Normal (Monitored)
Other host: Primary
Group 1 State: Active
Active time: 539 (sec)
Group 2 State: Standby Ready
Active time: 3 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:202): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj xmit xerr rcv rerr
General 21 0 26 0
sys cmd 19 0 19 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 3 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0