You are on page 1of 694

2010

Advanced
CCIE SECURITY v3
LAB WORKBOOK
Part 1

Narbik Kocharians Piotr Matusiak
CCIE #12410 CCIE #19860
R&S, Security, SP R&S, Security
CCIE Security v3 Lab Workbook

Table of Content
ASA Firewall
LAB 1.1. BASIC ASA CONFIGURATION ................................................................................................ 9
LAB 1.2. BASIC SECURITY POLICY..................................................................................................... 13
LAB 1.3. DYNAMIC ROUTING PROTOCOLS ..................................................................................... 20
LAB 1.4. ASA MANAGEMENT ................................................................................................................ 31
LAB 1.5. STATIC NAT .............................................................................................................................. 40
LAB 1.6. DYNAMIC NAT.......................................................................................................................... 45
LAB 1.7. NAT EXEMPTION ..................................................................................................................... 51
LAB 1.8. STATIC POLICY NAT .............................................................................................................. 54
LAB 1.9. DYNAMIC POLICY NAT ......................................................................................................... 60
LAB 1.10. MODULAR POLICY FRAMEWORK (MPF) ........................................................................ 64
LAB 1.11. FTP ADVANCED INSPECTION .............................................................................................. 69
LAB 1.12. HTTP ADVANCED INSPECTION .......................................................................................... 74
LAB 1.13. INSTANT MESSAGING ADVANCED INSPECTION .......................................................... 80
LAB 1.14. ESMTP ADVANCED INSPECTION ....................................................................................... 83
LAB 1.15. DNS ADVANCED INSPECTION ............................................................................................. 87
LAB 1.16. ICMP ADVANCED INSPECTION ........................................................................................... 90
LAB 1.17. CONFIGURING VIRTUAL FIREWALLS ............................................................................. 94
LAB 1.18. ACTIVE/STANDBY FAILOVER ........................................................................................... 108
LAB 1.19. ACTIVE/ACTIVE FAILOVER ............................................................................................... 117
LAB 1.20. REDUNDANT INTERFACES ................................................................................................. 134
LAB 1.21. TRANSPARENT FIREWALL ................................................................................................ 139
LAB 1.22. THREAT DETECTION ........................................................................................................... 148
LAB 1.23. CONTROLLING ICMP AND FRAGMENTED TRAFFIC ................................................. 151
LAB 1.24. TIME BASED ACCESS CONTROL ...................................................................................... 155
LAB 1.25. QOS - PRIORITY QUEUING ................................................................................................. 159
LAB 1.26. QOS – TRAFFIC POLICING.................................................................................................. 162
LAB 1.27. QOS – TRAFFIC SHAPING.................................................................................................... 165
LAB 1.28. QOS – TRAFFIC SHAPING WITH PRIORITIZATION .................................................... 169
LAB 1.29. SLA ROUTE TRACKING ....................................................................................................... 173
LAB 1.30. ASA IP SERVICES (DHCP) .................................................................................................... 178
LAB 1.31. URL FILTERING AND APPLETS BLOCKING .................................................................. 183
LAB 1.32. TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS .............. 186

Site to Site VPN
LAB 1.33. BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) ............................................ 195
LAB 1.34. BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) ............................. 213

Page 2 of 694
CCIE Security v3 Lab Workbook

LAB 1.35. BASIC SITE TO SITE VPN WITH NAT (IOS-IOS) ............................................................ 224
LAB 1.36. IOS CERTIFICATE AUTHORITY ........................................................................................ 235
LAB 1.37. SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) .......................................................... 242
LAB 1.38. SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS) ............................................................ 251
LAB 1.39. SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) ...................................... 258
LAB 1.40. SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) ................................. 271
LAB 1.41. SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) .............................. 285
LAB 1.42. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS) ..................................... 295
LAB 1.43. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) .................................... 301
LAB 1.44. SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS)
333
LAB 1.45. GRE OVER IPSEC ................................................................................................................... 345
LAB 1.46. DMVPN PHASE 1..................................................................................................................... 357
LAB 1.47. DMVPN PHASE 2 (WITH EIGRP) ........................................................................................ 368
LAB 1.48. DMVPN PHASE 2 (WITH OSPF)........................................................................................... 381
LAB 1.49. DMVPN PHASE 3 (WITH EIGRP) ........................................................................................ 394
LAB 1.50. DMVPN PHASE 3 (WITH OSPF)........................................................................................... 407
LAB 1.51. DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) ............................................................ 423
LAB 1.52. DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) ................................................................ 443
LAB 1.53. GET VPN (PSK) ........................................................................................................................ 470
LAB 1.54. GET VPN (PKI) ........................................................................................................................ 484
LAB 1.55. GET VPN COOP (PKI) ............................................................................................................ 496

Remote Access VPN
LAB 1.56. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO IOS) .... 517
LAB 1.57. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA) ... 524
LAB 1.58. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK) ..................... 530
LAB 1.59. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) ...................... 538
LAB 1.60. CONFIGURING SSL VPN (IOS) ............................................................................................ 554
LAB 1.61. CONFIGURING SSL VPN (ASA) ........................................................................................... 567
LAB 1.62. EASYVPN IOS SERVER WITH AAA AUTHENTICATION AND AUTHORIZATION 577
LAB 1.63. EASYVPN ASA SERVER WITH AAA AUTHENTICATION AND AUTHORIZATION 597
LAB 1.64. EASYVPN SERVER ON ASA WITH LDAP AUTHENTICATION ................................... 619

Advanced VPN Features
LAB 1.65. IPSEC STATEFUL FAILOVER ............................................................................................. 643
LAB 1.66. IPSEC STATIC VTI ................................................................................................................. 651
LAB 1.67. IKE ENCRYPTED KEYS ........................................................................................................ 657
LAB 1.68. IPSEC DYNAMIC VTI ............................................................................................................ 660
LAB 1.69. REVERSE ROUTE INJECTION (RRI) ................................................................................. 667

Page 3 of 694
CCIE Security v3 Lab Workbook

LAB 1.70. CALL ADMISSION CONTROL FOR IKE ........................................................................... 678
LAB 1.71. IPSEC LOAD BALANCING (ASA CLUSTER) .................................................................... 684

Page 4 of 694
CCIE Security v3 Lab Workbook

Physical Topology
F0/1 F0/0 F0/1 F0/1

R1
F0/2 G0/0 G0/1 F0/2

R2 F0/6
SW2
F0/4 F0/0 F0/1
R4

F0/5 F0/0 F0/1

SW1 R5

F0/0 F0/1
R6

F0/4

F0/5
E0/0 F0/10
E0/1 F0/11
E0/2 F0/12
E0/3 F0/13
F0/6 ASA1 ACS
F0/14
F0/10 E0/0
F0/11 E0/1
F0/12 E0/2
F0/15 SW3
F0/13 E0/3
ASA2
PC
F0/14 C&C
F0/15 G0/0
F0/16 G0/1
F0/17 G0/2 IPS
F0/18 G0/3

SW4

Page 5 of 694
CCIE Security v3 Lab Workbook

Inter-switch and Frame Relay connections
G0/1

F0/23-24

SW1 SW2

F0
/1
9
-2
F0/21-22

F0/21-22
0
0
-2
19
/
F0

F0/23-24
SW3 SW4

To R4: 204 To R2: 502
To R5: 205 To R4: 504
To R6: 206 To R6: 506
R2 R5
S0/1/0 S0/1/0

FR

S0/0/0 S0/1/0

To R2: 402 To R2: 602
R4 To R5: 405 To R4: 604
R6
To R6: 406 To R5: 605

Page 6 of 694
CCIE Security v3 Lab Workbook

Advanced
CCIE SECURITY v3
LAB WORKBOOK

ASA Firewall

Narbik Kocharians
CCIE #12410
R&S, Security, SP

Piotr Matusiak
CCIE #19860
R&S, Security

www.MicronicsTraining.com

Page 7 of 694
CCIE Security v3 Lab Workbook

This page is intentionally left blank.

Page 8 of 694
CCIE Security v3 Lab Workbook

Lab 1.1. Basic ASA configuration

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Task 1
Configure ASA with the following settings:
Hostname: ASA-FW
Interface E0/0: name OUT, IP address 10.1.102.10/24, security level 0

Page 9 of 694
CCIE Security v3 Lab Workbook

Interface E0/1: name IN, IP address 10.1.101.10/24, security level 80
On ASA configure default routing pointing to R2 and static routing for the rest of the
networks. On routers R1 and R2 configure default routes pointing to the ASA.

Basic configuration of ASA requires port configuration including IP address, interface name and
security level. By default the security level is set up automatically when user tries to name the
interface. The ASA will use security level of 100 for interface name “inside” and security level of 0
for other interface name (including “outside”). If you need to configure other security level, use
“security-level <level>” command to do so.
What is the security level for? The security level defines what connection will be considered as
Inbound and what connection is Outbound.
The Outbound connection is a connection originated from the networks behind a higher security
level interface towards the networks behind a lower security level interface.
The Inbound connection is a connection originated from the networks behind a lower security level
interface towards the networks behind a higher security level interface.
The Outbound connection is automatically being inspected so that it does not require any access
list for returning traffic. The Inbound connection is considered unsecure by default and there must
be access list allowing that connection.

On ASA
ciscoasa# conf term
ciscoasa(config)# hostname ASA-FW

ASA-FW(config)# int e0/0
ASA-FW(config-if)# ip add 10.1.102.10 255.255.255.0
ASA-FW(config-if)# nameif OUT
INFO: Security level for "OUT" set to 0 by default.
ASA-FW(config-if)# no sh

ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# ip add 10.1.101.10 255.255.255.0
ASA-FW(config-if)# nameif IN
INFO: Security level for "IN" set to 0 by default.
ASA-FW(config-if)# security-level 80
ASA-FW(config-if)# no sh
ASA-FW(config-if)# exit

Verification
ASA-FW(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.1.102.10 YES manual up up
Ethernet0/1 10.1.101.10 YES manual up up
Ethernet0/2 unassigned YES unset administratively down up
Ethernet0/3 unassigned YES unset administratively down up
Management0/0 unassigned YES unset administratively down down

ASA-FW(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA-FW(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

On ASA

Page 10 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# route OUT 0 0 10.1.102.2
ASA-FW(config)# route IN 1.1.1.0 255.255.255.0 10.1.101.1

To access non-directly connected subnets a static routing (or dynamic) must be
configured on the ASA. As the ASA is usually located at the edge of the network the
default route points to the edge router using outside interface in most of solutions.
Note that you must use interface name (not direction) to configure the static routes.

Verification
ASA-FW(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA-FW(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Routers R1 and R2 must have default routes pointing to the respective ASA interface.
After adding those routes, R1 should be able to telnet to R2‟s loopback interface.
Note that R2 cannot ping R1 – this is because ASA blocks traffic originated from the
lower security level interface towards higher security level interface (OUT to IN)
without explicit permit in the outbound ACL.

On R1
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.101.10

On R2
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.102.10

Verification
R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:26
*578 vty 0 idle 00:00:00 1.1.1.1

The “Location” field shows source address of user session established on the router. It
is very useful if we need to determine whether or not a connection goes through NAT or
PAT.

Interface User Mode Idle Peer Address

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

R1#p 2.2.2.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)

This is caused by the ASA default rule of traffic processing. See: remark in the frame
above.

Page 11 of 694
CCIE Security v3 Lab Workbook

Task 2
Configure interface E0/2 on the ASA so that it will connect via dot1q trunk to the
switch and will be connected to R4‟s F0/0 interface using VLAN 104 and IP address
of 10.1.104.10/24. Configure static routing on ASA and default routing on R4 to
achieve full connectivity.

The interface on ASA can be configured as a trunk to the switch to make more subnets on the one
physical interface possible. This is useful when there is a lack of physical interfaces on the ASA
and logical segmentation is enough from the security point of view. Remember that you need to
bring a physical interface up (no shutdown) first and then configure subinterfaces.

On ASA
ASA-FW(config)# int e0/2
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/2.104
ASA-FW(config-subif)# vlan 104
ASA-FW(config-subif)# ip add 10.1.104.10 255.255.255.0
ASA-FW(config-subif)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.

Remember that ASA sets security level to 0 by default for interfaces other than
“inside”. Don‟t forget about that during your lab exam.

ASA-FW(config-subif)# security-level 50
ASA-FW(config-subif)# no sh

ASA-FW(config-subif)# route DMZ 4.4.4.0 255.255.255.0 10.1.104.4

On R4
R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.104.10

On SW3
SW3(config)#int f0/12
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#switchport mode trunk
SW3(config-if)#exi
SW3(config)#vlan 104
SW3(config-vlan)#exi

Verification
ASA-FW(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.1.102.10 YES manual up up
Ethernet0/1 10.1.101.10 YES manual up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/2.104 10.1.104.10 YES manual up up
Ethernet0/3 unassigned YES unset administratively down up
Management0/0 unassigned YES unset administratively down down

ASA-FW(config)# ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Page 12 of 694
CCIE Security v3 Lab Workbook

Lab 1.2. Basic security policy

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

This lab is based on the previous lab configuration.

Task 1
Configure ASA with the policy that Ping and Telnet are allowed from the inside
subnet (IN) to the outside subnet (OUT) and DMZ.

The main rule on the ASA is to allow traffic coming from the interface with a higher security level
towards the interface with a lower security level. However traffic is blocked in opposite direction by
default and there is need for an inbound ACL to permit that traffic.
Remember that ICMP traffic is stateless, so there is no session available to track. The ASA has no
ICMP inspection enabled by default so that ICMP traffic coming from the interface with higher
security level towards the interface with lower security level will be blocked by the lower security
level interface (ICMP echo reply will be blocked).
There are two ways to allow that traffic coming through: (1) configure ICMP inspection globally or
on the interface or (2) configure inbound ACL on the interface with lower security level.

On ASA
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any echo-reply
ASA-FW(config)# access-list DMZ_IN permit icmp any any echo-reply

ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# access-group DMZ_IN in interface DMZ

Page 13 of 694
CCIE Security v3 Lab Workbook

Verification
R1#ping 2.2.2.2 so lo0
Test from IN (inside) to OUT (outside) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1#ping 4.4.4.4
Test from IN (inside) to DMZ (dmz) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open
Test from IN (inside) to OUT (outside) - TCP

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:13:07
*578 vty 0 idle 00:00:00 1.1.1.1

Interface User Mode Idle Peer Address

R2>exi

[Connection to 2.2.2.2 closed by foreign host]
R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open
Test from IN (inside) to DMZ (dmz) - TCP

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:11:58
*514 vty 0 idle 00:00:00 1.1.1.1

Interface User Mode Idle Peer Address

R4>exit

[Connection to 4.4.4.4 closed by foreign host]

R2#ping 1.1.1.1
Test from OUT (outside) to IN (inside) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#ping 1.1.1.1
Test from DMZ (dmz) to IN (inside) - ICMP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Note that the ping is not working for the traffic initiated from the interface with a
lower security level. This is because ACL allows only ICMP echo-reply.
Also note that Telnet traffic is allowed automatically as the ASA has TCP packet
inspection enabled by default so all TCP traffic coming from the interface with higher
security level to the interface with lower security level will be statefully inspected
(returning traffic will be allowed back).

Page 14 of 694
CCIE Security v3 Lab Workbook

Task 2
Allow SSH and TELNET connections from R2‟s and R4‟s loopback0 interface to the
R1‟s loopback0 interface. You are allowed to add only one line to the existing access
lists.

As this task requires using only one ACL line there is a need for object grouping. This method
allows us to group up similar objects (hosts, ports, subnets, etc.) and then use group names in the
ACL. There are different object group types:
 icmp-type - specifies a group of ICMP types, such as echo
 network - specifies a group of host or subnet IP addresses
 protocol - specifies a group of protocols, such as TCP, etc
 service - specifies a group of TCP/UDP ports/services

On ASA
ASA-FW(config)# object-group network MGMT-HOSTS
ASA-FW(config-network)# network-object host 2.2.2.2
ASA-FW(config-network)# network-object host 4.4.4.4
ASA-FW(config-network)# exit

Object group of network type is for grouping hosts and subnets.

ASA-FW(config)# object-group service TELNET-and-SSH tcp
ASA-FW(config-service)# port-object eq telnet
ASA-FW(config-service)# port-object eq ssh
ASA-FW(config-service)# exit

Object group of service type is for grouping TCP/UDP ports. We need to specify what
protocol we‟re going to match (tcp or udp). We can also use tcp-udp to match both
services in one rule. There is also a possibility to not specify the service type and
then we can use « service-object » to specify any other protocol (for example GRE,
ICMP, ESP, etc).

ASA-FW(config)# access-list OUTSIDE_IN permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-
group TELNET-and-SSH
ASA-FW(config)# access-list DMZ_IN permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-
group TELNET-and-SSH

The object groups are then used in ACL building.

Verification
ASA-FW(config)# sh run object-group
object-group network MGMT-HOSTS
network-object host 2.2.2.2
network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
port-object eq telnet
port-object eq ssh

ASA-FW(config)# sh access-list OUTSIDE_IN
access-list OUTSIDE_IN; 5 elements; name hash: 0xe01d8199
access-list OUTSIDE_IN line 1 extended permit icmp any any echo-reply (hitcnt=1) 0xc857b49e
access-list OUTSIDE_IN line 2 extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-
group TELNET-and-SSH 0xb422f490
access-list OUTSIDE_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
(hitcnt=0) 0x939bf78d
access-list OUTSIDE_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq ssh
(hitcnt=0) 0x8d022728
access-list OUTSIDE_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq telnet
(hitcnt=0) 0xbf14a304
access-list OUTSIDE_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq ssh
(hitcnt=0) 0x04c16117

ASA-FW(config)# sh access-list DMZ_IN
access-list DMZ_IN; 5 elements; name hash: 0x229557de
access-list DMZ_IN line 1 extended permit icmp any any echo-reply (hitcnt=1) 0x7fb4c5b2

Page 15 of 694
CCIE Security v3 Lab Workbook

access-list DMZ_IN line 2 extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-
group TELNET-and-SSH 0x909d621e
access-list DMZ_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0)
0x231b90e2
access-list DMZ_IN line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq ssh (hitcnt=0)
0x4284ac66
access-list DMZ_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq telnet (hitcnt=0)
0xfd96744e
access-list DMZ_IN line 2 extended permit tcp host 4.4.4.4 host 1.1.1.1 eq ssh (hitcnt=0)
0x44528edd

Note that access-list entry (ACEs) is expanded and displayed as multiple ACEs with the
same line number when grouped objects are used.

R2#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R2#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification

Password:
R1>exit

[Connection to 1.1.1.1 closed by foreign host]

R4#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R4#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification

Password:
R1>exit

[Connection to 1.1.1.1 closed by foreign host]

R2#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R2#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification

Password:
R1>exit

[Connection to 1.1.1.1 closed by foreign host]

R4#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R4#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification

Password:
R1>exit

[Connection to 1.1.1.1 closed by foreign host]

Page 16 of 694
CCIE Security v3 Lab Workbook

Task 3
Configure the following outbound access policy for hosts located in the inside
network:

Host/Subnet Source port Destination host Destination port
1.1.1.1 any 10.1.104.4 tcp/23
4.4.4.4 tcp/22
tcp/80

1.1.1.1 4000 – 5000 10.1.102.2 tcp/21
10.1.101.0/24 any any tcp/80
tcp/443
tcp/110
icmp/echo

Use object groups where possible to simplify the configuration.

This time we must use object groups as per task requirement. However, it must be considered
carefully to use as minimum objects as possible. This task can be done using only three ACL lines.
Note that this is not about how many object groups we can use. It is how many ACE we can use!

On ASA
ASA-FW(config)# object-group network R1-lo0
ASA-FW(config-network)# network-object host 1.1.1.1

ASA-FW(config-network)# object-group network R2-f0
ASA-FW(config-network)# network-object host 10.1.102.2

ASA-FW(config-network)# object-group network Inside-Subnet
ASA-FW(config-network)# network-object 10.1.101.0 255.255.255.0

ASA-FW(config-network)# object-group network R4
ASA-FW(config-network)# network-object host 4.4.4.4
ASA-FW(config-network)# network-object host 10.1.104.4

ASA-FW(config-network)# object-group service R4-Services tcp
ASA-FW(config-service)# port-object eq telnet
ASA-FW(config-service)# port-object eq ssh
ASA-FW(config-service)# port-object eq http

ASA-FW(config-service)# object-group service FTP-PORT-RANGE
ASA-FW(config-service)# service-object tcp source range 4000 5000 ftp

ASA-FW(config-service)# object-group service ALLOWED
ASA-FW(config-service)# service-object tcp http
ASA-FW(config-service)# service-object tcp https
ASA-FW(config-service)# service-object tcp pop3
ASA-FW(config-service)# service-object icmp echo
ASA-FW(config-service)# exit

ASA-FW(config)# access-list INSIDE_IN permit tcp object-group R1-lo0 object-group R4 object-
group R4-Services
ASA-FW(config)# access-list INSIDE_IN permit object-group FTP-PORT-RANGE object-group R1-lo0
object-group R2-f0
ASA-FW(config)# access-list INSIDE_IN permit object-group ALLOWED object-group Inside-Subnet
any

ASA-FW(config)# access-group INSIDE_IN in interface IN

Page 17 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh run object-group
object-group network MGMT-HOSTS
network-object host 2.2.2.2
network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
port-object eq telnet
port-object eq ssh
object-group network R1-lo0
network-object host 1.1.1.1
object-group network R2-f0
network-object host 10.1.102.2
object-group network Inside-Subnet
network-object 10.1.101.0 255.255.255.0
object-group network R4
network-object host 4.4.4.4
network-object host 10.1.104.4
object-group service R4-Services tcp
port-object eq telnet
port-object eq ssh
port-object eq www
object-group service FTP-PORT-RANGE
service-object tcp source range 4000 5000 eq ftp
object-group service ALLOWED
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object icmp echo

ASA-FW(config)# sh access-li INSIDE_IN
access-list INSIDE_IN; 11 elements; name hash: 0xf4313c68
access-list INSIDE_IN line 1 extended permit tcp object-group R1-lo0 object-group R4 object-
group R4-Services 0x8a493604
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 4.4.4.4 eq telnet
(hitcnt=0) 0xee9f0a8f
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 4.4.4.4 eq ssh (hitcnt=0)
0x2f408621
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 4.4.4.4 eq www (hitcnt=0)
0x4e8fc6d9
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 10.1.104.4 eq telnet
(hitcnt=0) 0x929ae368
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 10.1.104.4 eq ssh
(hitcnt=0) 0xf20b6c11
access-list INSIDE_IN line 1 extended permit tcp host 1.1.1.1 host 10.1.104.4 eq www
(hitcnt=0) 0xa6a8ec29
access-list INSIDE_IN line 2 extended permit object-group FTP-PORT-RANGE object-group R1-lo0
object-group R2-f0 0x5add7170
access-list INSIDE_IN line 2 extended permit tcp host 1.1.1.1 range 4000 5000 host
10.1.102.2 eq ftp (hitcnt=0) 0x12709c5b
access-list INSIDE_IN line 3 extended permit object-group ALLOWED object-group Inside-Subnet
any 0x3aba7b0d
access-list INSIDE_IN line 3 extended permit tcp 10.1.101.0 255.255.255.0 any eq www
(hitcnt=0) 0x2865d7c5
access-list INSIDE_IN line 3 extended permit tcp 10.1.101.0 255.255.255.0 any eq https
(hitcnt=0) 0x8defc473
access-list INSIDE_IN line 3 extended permit tcp 10.1.101.0 255.255.255.0 any eq pop3
(hitcnt=0) 0xb42c48d1
access-list INSIDE_IN line 3 extended permit icmp 10.1.101.0 255.255.255.0 any echo
(hitcnt=0) 0x0a464bf7

R1#ping 2.2.2.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)

R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#tel 4.4.4.4

Page 18 of 694
CCIE Security v3 Lab Workbook

Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>exit

[Connection to 4.4.4.4 closed by foreign host]

Page 19 of 694
CCIE Security v3 Lab Workbook

Lab 1.3. Dynamic routing protocols

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

This lab is based on the previous lab configuration.

Task 1
Remove static routing for inside networks and configure RIP version 2 between R1
and ASA only. Ensure RIP updates are being authenticated using MD5 with
password of “cisco123”.

RIPv2 configuration on ASA is pretty simple and very similar to the configuration on routers.
Remember that you need to use passive-interface to not advertise on all ASA’s interfaces (as all
interfaces are in 10.0.0.0/8 network). RIPv2 authentication is configured on the interface (along with
a MD5 key) – there is no keychain configuration on the ASA.

On ASA
ASA-FW(config)# sh run route
route OUT 0.0.0.0 0.0.0.0 10.1.102.2 1
route IN 1.1.1.0 255.255.255.0 10.1.101.1 1
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

ASA-FW(config)# no route IN 1.1.1.0 255.255.255.0 10.1.101.1 1

ASA-FW(config)# router rip
ASA-FW(config-router)# version 2
ASA-FW(config-router)# no auto
ASA-FW(config-router)# network 10.0.0.0
ASA-FW(config-router)# passive-interface default

Page 20 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config-router)# no passive-interface IN

ASA-FW(config-router)# int e0/1
ASA-FW(config-if)# rip authentication mode MD5
ASA-FW(config-if)# rip authentication key cisco123 key_id 1
ASA-FW(config-if)# exit

Note that RIP authentication configuration is different on ASA and IOS router. On the
ASA the MD5 key is configured directly on the interface whereas on IOS router there
must be a key-chain configured and attached on the interface.

On R1
R1#sh run | in route
ip route 0.0.0.0 0.0.0.0 10.1.101.10

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip route 0.0.0.0 0.0.0.0 10.1.101.10

R1(config)#key chain AUTH
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco123

R1(config-keychain-key)#int f0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain AUTH

R1(config-if)#router rip
R1(config-router)#ver 2
R1(config-router)#no auto-summary
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#end

Verification
ASA-FW(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.1.102.2 to network 0.0.0.0

R 1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:13, IN

This prefix has been injected by RIPv2 to the routing table. R1 has sent information
about its networks to ASA via authenticated RIPv2 update.

S 4.4.4.0 255.255.255.0 [1/0] via 10.1.104.4, DMZ
C 10.1.104.0 255.255.255.0 is directly connected, DMZ
C 10.1.102.0 255.255.255.0 is directly connected, OUT
C 10.1.101.0 255.255.255.0 is directly connected, IN
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.102.2, OUT

ASA-FW(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Page 21 of 694
CCIE Security v3 Lab Workbook

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 3 subnets
R 10.1.104.0 [120/1] via 10.1.101.10, 00:00:06, FastEthernet0/0
R 10.1.102.0 [120/1] via 10.1.101.10, 00:00:06, FastEthernet0/0

The ASA has sent information about its connected networks to R1 via authenticated RIPv2
updates. Note that routes to R2 and R4 loopbacks are not present in R1‟s routing table
because dynamic routing is configured only on inside (ASA‟s IN interface).

C 10.1.101.0 is directly connected, FastEthernet0/0

R1#sh ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 9 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2 AUTH

This indicates that authentication on Fa0/0 is enabled

Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
1.0.0.0
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.101.10 120 00:00:15
Distance: (default is 120)

Note that even though there is passive interface configured on the ASA, RIPv2 is
sending updates to R1 for all ASA‟s directly connected networks.

Task 2
Configure OSPF Area 0 on the outside interface and authenticate it using interface
authentication with password of “cisco456” and key ID 1. Use 10.10.10.10 as OSPF
router ID.
Remove static routing between ASA and R2 and ensure that R2 sends a default
gateway for ASA outside connections using OSPF. Use 2.2.2.2 as a router-id on R2.

The OSPF configuration on ASA is similar to the configuration on the routers. Remember that on
the ASA you need to use network mask when specifying network/interface where OSPF is running
on. On the router however, you need to configure wildcard mask to specify the network.

On ASA
ASA-FW(config)# sh run route
route OUT 0.0.0.0 0.0.0.0 10.1.102.2 1
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

ASA-FW(config)# no route OUT 0.0.0.0 0.0.0.0 10.1.102.2 1

Page 22 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# router ospf 1
ASA-FW(config-router)# router-id 10.10.10.10
ASA-FW(config-router)# network 10.1.102.10 255.255.255.0 area 0

ASA-FW(config-router)# int e0/0
ASA-FW(config-if)# ospf authentication message-digest
ASA-FW(config-if)# ospf message-digest-key 1 MD5 cisco456
ASA-FW(config-if)# exit

On R2
R2#sh run | in route
ip route 0.0.0.0 0.0.0.0 10.1.102.10
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip route 0.0.0.0 0.0.0.0 10.1.102.10

R2(config)#int g0/0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco456
R2(config-if)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 0.0.0.0 0.0.0.0 ar 0
R2(config-router)#default-information originate always
R2(config-router)#end
R2#
%OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.10 on GigabitEthernet0/0 from LOADING to FULL, Loading
Done

Note that IOS router does not use key-chain when configuring OSPF authentication. The
OSPF authentication configuration on the ASA and IOS router is exactly the same.
The R2 must send default route to the ASA so that “default-information” command is
used.

Verification
ASA-FW(config)# sh ospf 1

Routing Process "ospf 1" with ID 10.10.10.10 and Domain ID 0.0.0.1

This indicates that OSPF process 1 is running and router ID is 10.10.10.10

Supports only single TOS(TOS0) routes
Does not support opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 1. Checksum Sum 0x feab
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication

This indicates that authentication is not enabled for the OSPF.

SPF algorithm executed 3 times
Area ranges are
Number of LSA 3. Checksum Sum 0x 1520d
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

ASA-FW(config)# sh ospf 1 int OUT

OUT is up, line protocol is up
Internet Address 10.1.102.10 mask 255.255.255.0, Area 0
Process ID 1, Router ID 10.10.10.10, Network Type BROADCAST, Cost: 10

Page 23 of 694
CCIE Security v3 Lab Workbook

This shows that interface OUT is used by OSPF process 1. OSPF network type for this
interface is BROADCAST (the default OSPF network type for Ethernet: DR/BDR election is
performed and updates are sent via multicast packets)

Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.10.10.10, Interface address 10.1.102.10
Backup Designated router (ID) 2.2.2.2, Interface address 10.1.102.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:08
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

The authentication is enabled for that interface.

ASA-FW(config)# sh ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 0:00:38 10.1.102.2 OUT

ASA-FW(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.1.102.2 to network 0.0.0.0

R 1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:14, IN
O 2.2.2.2 255.255.255.255 [110/11] via 10.1.102.2, 0:01:13, OUT
S 4.4.4.0 255.255.255.0 [1/0] via 10.1.104.4, DMZ
C 10.1.104.0 255.255.255.0 is directly connected, DMZ
C 10.1.102.0 255.255.255.0 is directly connected, OUT
C 10.1.101.0 255.255.255.0 is directly connected, IN
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.102.2, 0:01:13, OUT

R2‟s loopback IP address is in ASA‟s routing table. Note that this IP address is a
„host” route (255.255.255.255). This is because the default OSPF network type for
loopback interfaces is LOOPBACK so that OSPF sends out “host” route. To change that you
should use “ip ospf network point-to-point” command on the R2‟s loopback interface.
Also note there is a default route injected by the OSPF process into the routing table.

R2#sh ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 2.2.2.2
It is an autonomous system boundary router
Redistributing External Routes from,
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)

R2#sh ip ospf interface
Loopback0 is up, line protocol is up
Internet Address 2.2.2.2/24, Area 0
Process ID 1, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
GigabitEthernet0/0 is up, line protocol is up
Internet Address 10.1.102.2/24, Area 0
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1

Page 24 of 694
CCIE Security v3 Lab Workbook

Designated Router (ID) 10.10.10.10, Interface address 10.1.102.10
Backup Designated router (ID) 2.2.2.2, Interface address 10.1.102.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.10.10 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

R2#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.10.10.10 1 FULL/DR 00:00:35 10.1.102.10 GigabitEthernet0/0

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.102.0 is directly connected, GigabitEthernet0/0

Task 3
Configure EIGRP AS 104 between ASA and R4. EIGRP messages should be
authenticated using MD5 with key of “cisco789”. Remove previously configured static
routes for that segment.

EIGRP has some similarities to the previous two dynamic routing protocols. It uses keychain on the
router (as RIPv2) and requires normal mask to be provided for a network on ASA (as OSPF).

On ASA
ASA-FW(config)# sh run route
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

ASA-FW(config)# no route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

ASA-FW(config)# router eigrp 104
ASA-FW(config-router)# no auto-summary
ASA-FW(config-router)# network 10.1.104.10 255.255.255.255
ASA-FW(config-router)# int e0/2.104
ASA-FW(config-subif)# authentication mode eigrp 104 md5
ASA-FW(config-subif)# authentication key eigrp 104 cisco789 key-id 1
ASA-FW(config-subif)# exit

Page 25 of 694
CCIE Security v3 Lab Workbook

Note that you must use regular netmask on the ASA and wildcard netmask on the IOS
router when configuring networks under EIGRP. Authentication is enabled per interface
basis.

On R4
R4#sh run | in route
ip source-route
ip route 0.0.0.0 0.0.0.0 10.1.104.10

R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#no ip route 0.0.0.0 0.0.0.0 10.1.104.10

R4(config)#key chain AUTH
R4(config-keychain)#key 1
R4(config-keychain-key)#key-string cisco789

R4(config-keychain-key)#router eigrp 104
R4(config-router)#no auto
R4(config-router)#network 0.0.0.0 0.0.0.0

R4(config-router)#int f0/0
R4(config-if)#ip authentication mode eigrp 104 md5
R4(config-if)#ip authentication key-chain eigrp 104 AUTH
R4(config-if)#end
R4#
%SYS-5-CONFIG_I: Configured from console by console
R4#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 104: Neighbor 10.1.104.10 (FastEthernet0/0) is up: new
adjacency

Verification
R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 104
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.104.10 Fa0/0 10 00:00:55 3 200 0 5

R4#sh ip protocols
Routing Protocol is "eigrp 104"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 104
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
0.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170

EIGRP is enabled on every interface.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

Page 26 of 694
CCIE Security v3 Lab Workbook

4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.104.0 is directly connected, FastEthernet0/0

ASA-FW(config)# sh eigrp 104 int
EIGRP-IPv4 interfaces for process 104

Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
DMZ 1 0/0 1 0/1 50 0

On the ASA EIGRP is enabled only on DMZ interface

ASA-FW(config)# sh eigrp 104 neighbors
EIGRP-IPv4 neighbors for process 104
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.104.4 Et0/2.104 13 00:01:52 1 200 0 3

ASA-FW(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.1.102.2 to network 0.0.0.0

R 1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:14, IN
O 2.2.2.2 255.255.255.255 [110/11] via 10.1.102.2, 0:11:03, OUT
D 4.4.4.0 255.255.255.0 [90/156160] via 10.1.104.4, 0:01:58, DMZ
C 10.1.104.0 255.255.255.0 is directly connected, DMZ
C 10.1.102.0 255.255.255.0 is directly connected, OUT
C 10.1.101.0 255.255.255.0 is directly connected, IN
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.102.2, 0:11:03, OUT

EIGRP prefix for R4‟s loopback is in ASA‟s routing table.

Task 4
On ASA configure route redistribution between all three dynamic routing protocols, so
that the network will gain full reachability.

Redistribution should be carefully configured as each of dynamic routing protocols requires
specific parameters to successfully redistribute routes. Here are the most important things you
should remember:
- RIPv2 requires metric (hops) to be specified during redistribution;
- OSPF requires “subnet” keyword in order to take subnetted networks under
consideration;
- EIGRP requires metric to be specified during redistribution;
Remember that you can use more complex redistribution scenarios (like route-maps or other
filtering methods) if required.
If no metric is specified in the task you can use any metric you want during redistribution.

On ASA
ASA-FW(config)# router rip
ASA-FW(config-router)# redistribute ospf 1 metric 2

Page 27 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config-router)# redistribute eigrp 104 metric 1

ASA-FW(config-router)# router ospf 1
ASA-FW(config-router)# redistribute rip subnets
ASA-FW(config-router)# redistribute eigrp 104 subnets

ASA-FW(config-router)# router eigrp 104
ASA-FW(config-router)# redistribute rip metric 100000 0 255 1 1500
ASA-FW(config-router)# redistribute ospf 1 metric 100000 0 255 1 1500
ASA-FW(config-router)# exit

Verification
ASA-FW(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.1.102.2 to network 0.0.0.0

R 1.1.1.0 255.255.255.0 [120/1] via 10.1.101.1, 0:00:11, IN
O 2.2.2.2 255.255.255.255 [110/11] via 10.1.102.2, 0:00:11, OUT
D 4.4.4.0 255.255.255.0 [90/156160] via 10.1.104.4, 0:06:58, DMZ
C 10.1.104.0 255.255.255.0 is directly connected, DMZ
C 10.1.102.0 255.255.255.0 is directly connected, OUT
C 10.1.101.0 255.255.255.0 is directly connected, IN
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.102.2, 0:00:11, OUT

The ASA sees all networks so that it can redistribute that information into its routing
protocols to let other routers know about those networks.

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.101.10 to network 0.0.0.0

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/2] via 10.1.101.10, 00:00:02, FastEthernet0/0
4.0.0.0/24 is subnetted, 1 subnets
R 4.4.4.0 [120/1] via 10.1.101.10, 00:00:02, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
R 10.1.104.0 [120/1] via 10.1.101.10, 00:00:02, FastEthernet0/0
R 10.1.102.0 [120/1] via 10.1.101.10, 00:00:02, FastEthernet0/0
C 10.1.101.0 is directly connected, FastEthernet0/0
R* 0.0.0.0/0 [120/2] via 10.1.101.10, 00:00:03, FastEthernet0/0

R1 got all information via RIPv2. Note that prefixes redistributed from the OSPF have
higher metric (hop count) than prefixes from EIGRP. This is due to “metric” keyword
during the redistribution.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

Page 28 of 694
CCIE Security v3 Lab Workbook

1.0.0.0/24 is subnetted, 1 subnets
O E2 1.1.1.0 [110/20] via 10.1.102.10, 00:00:36, GigabitEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback0
4.0.0.0/24 is subnetted, 1 subnets
O E2 4.4.4.0 [110/20] via 10.1.102.10, 00:00:36, GigabitEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
O E2 10.1.104.0 [110/20] via 10.1.102.10, 00:00:36, GigabitEthernet0/0
C 10.1.102.0 is directly connected, GigabitEthernet0/0
O E2 10.1.101.0 [110/20] via 10.1.102.10, 00:00:37, GigabitEthernet0/0

R2 sees all networks as OSPF External type. The cost of a type 2 route is always the
external cost, irrespective of the interior cost to reach that route.

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.104.10 to network 0.0.0.0

1.0.0.0/24 is subnetted, 1 subnets
D EX 1.1.1.0 [170/28160] via 10.1.104.10, 00:00:45, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/28160] via 10.1.104.10, 00:00:45, FastEthernet0/0
4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 3 subnets
C 10.1.104.0 is directly connected, FastEthernet0/0
D EX 10.1.102.0 [170/28160] via 10.1.104.10, 00:00:45, FastEthernet0/0
D EX 10.1.101.0 [170/28160] via 10.1.104.10, 00:00:46, FastEthernet0/0
D*EX 0.0.0.0/0 [170/28160] via 10.1.104.10, 00:00:46, FastEthernet0/0

R4 has EIGRP External type with AD (Administrative Distance) of 170. This AD is much
worse than regular EIGRP which is 90. This is a basic loop prevention mechanism.

R1#p 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#p 10.1.104.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.104.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#p 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#p 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>exit

Page 29 of 694
CCIE Security v3 Lab Workbook

[Connection to 4.4.4.4 closed by foreign host]

R2#tel 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R2#tel 1.1.1.1 /so lo0
Trying 1.1.1.1 ... Open

User Access Verification

Password:
R1>exit

[Connection to 1.1.1.1 closed by foreign host]

Full network connectivity has been achived.

Page 30 of 694
CCIE Security v3 Lab Workbook

Lab 1.4. ASA management

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

This lab is based on the previous lab configuration.

Task 1
Configure domain name of “micronicstraining.com” and enable Adaptive Security
Device Manager (ASDM) access to the ASA from the inside network. To accomplish
this put the management station (TestPC, 10.1.101.254/24) in the Inside network
(VLAN 101). Create user admin with password of “cisco123”.

ASDM is a graphical user interface (GUI) for managing ASA. Although it is not mentioned in the
CCIE Security v3 Lab Exam Blueprint as a configuration tool it is useful to know how to use it. There
are some configuration tasks which cannot be done from configuration line interface (CLI) and can
be accomplished using ASDM (i.e. bookmark lists for Clientless VPN, etc.)
ASDM image file is located on the flash disk and needs to be configured before first use. Access to
the ASDM is via HTTP/HTTPS and some special configuration needs to be done to enable HTTP
server on the ASA.

On SW3
SW3(config)#int f0/15
SW3(config-if)#switchport mode access
SW3(config-if)#switchport access vlan 101
SW3(config-if)#exi

On ASA

Page 31 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# domain-name micronicstraining.com
ASA-FW(config)# http server enable
ASA-FW(config)# http 10.1.101.254 255.255.255.255 IN

ASA-FW(config)# sh flash | in asdm
108 11348300 May 25 2010 16:51:02 asdm-621.bin

ASA-FW(config)# asdm image flash:/asdm-621.bin
ASA-FW(config)# username admin password cisco123 privilege 15

On TestPC

Verification
Step 1: Run a web browser and type https://10.1.101.10 in an address bar. A security alert should show up which needs to be
accepted.

Step 2: You have an option to download and install ASDM software on your local computer or to run it remotely. Click Run
ASDM to run it on your local machine.

Page 32 of 694
CCIE Security v3 Lab Workbook

Step 3: Accept a security warning to be able to run ASDM’s Java scripts.

Step 4: You can create shortcut on your desktop and start menu for later use.

Step 5: Once ASDM is downloaded and run you must provide username and password for authentication. After successful
authentication ASDM should open configuration GUI.

Page 33 of 694
CCIE Security v3 Lab Workbook

Task 2
Configure remote management access via SSH version 2 from host IP 1.1.1.1
located in the Inside network. Make sure user is automatically logged out after 12
minutes of inactivity. Use RSA keys of 1024 bits in length to secure management
connections and password of “cisco789”.

SSH management access requires RSA keys to be generated. You must configure subnets/hosts
which will be allowed to connect to the ASA. There is a built-in username of “pix” configured on the
ASA which can be used for SSH access. The password for this user is the same as enable
password.

On ASA
ASA-FW(config)# ssh 1.1.1.1 255.255.255.255 IN

Page 34 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# ssh timeout 12
ASA-FW(config)# ssh version 2
ASA-FW(config)# passwd cisco789

ASA-FW(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Verification
ASA-FW(config)# sh ssh
Timeout: 12 minutes
Version allowed: 2
1.1.1.1 255.255.255.255 IN

Note that to test this configuration you must change source IP address for SSH
connections on R1. By default source address is an IP address of the outgoing
interface. You‟ll need RSA keys of at least 768 bits size to be able to use SSHv2. If
your router has no RSA keys already, you must generate new keys (remember that you need
hostname and domain name to be configured before generating keys).

R1(config)#ip ssh source-interface lo0
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.

R1(config)#ip domain-name micronicstraining.com
R1(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R1.micronicstraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

R1#ssh -c 3des -l pix 10.1.101.10

Password:
Type help or '?' for a list of available commands.
ASA-FW>

Task 3
Configure banner message so that it will display for successful remote connection via
SSH. The banner should include the following message:
*
Welcome to ASA-FW.micronicstraining.com.
Only authorized users are allowed to connect.
*

In this task a Message of the Day (MOTD) banner should be configured. Remember that you can use
some variables to be included in the banner automatically.
The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the
ASA.

On ASA
ASA-FW(config)# banner motd *
ASA-FW(config)# banner motd Welcome to $(hostname).$(domain).
ASA-FW(config)# banner motd Only authorized users are allowed to connect.
ASA-FW(config)# banner motd *

Page 35 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh banner
motd:
*
Welcome to $(hostname).$(domain).
Only authorized users are allowed to connect.
*

R1#ssh -c 3des -l pix 10.1.101.10

Password:
*
Welcome to ASA-FW.micronicstraining.com.
Only authorized users are allowed to connect.
*
Type help or '?' for a list of available commands.
ASA-FW>

Task 4
Configure ASA so that it will automatically sends configuration file to a TFTP server
after issuing “write net” CLI command. The TFTP server is located in the Inside
network with IP address of 10.1.101.254 and the file should be stored in the directory
named “backups” using the file name of “ASA-FW.cfg”.

This is a one-line simple task. All you need is to configure TFTP server remote location specifying
an interface which should be used to connect to the TFTP server, and IP address of the TFTP server
and the file name with a full path to store the configuration in. Note that you can be unable to test
that configuration on remote racks if there is no TFTP server running on the specified IP address.

On ASA
ASA-FW(config)# tftp-server IN 10.1.101.254 /backups/ASA-FW.cfg

Verification
ASA-FW(config)# write net
Building configuration...
Cryptochecksum: d424e00c c58583c2 0c78ad3a 080ed6f9
!!
[OK]

Task 5
Enable SYSLOG logging so that it will send all Informational and higher level events
to the SYSLOG server located at 10.1.101.254 using UDP port 514 as a transport.
The logging queue should be able to hold 100 messages when SYSLOG server is
busy.
In addition to that, firewall administrator should be notified by email
(fwadmin@micronicstraining.com) of every events regarding AUTH logging
subsystem which are higher than or equal to level 3. Use email address of asa-
fw@micronicstraining.com as a source and SMTP server located at 10.1.101.254.
Also, configure rate limit for all Debug level messages so that no more than 10
messages are generated in 1 second interval in case console logging is used.

Page 36 of 694
CCIE Security v3 Lab Workbook

SYSLOG logging is a most popular method of sending system logs to the external server. It uses
UDP port 514 by default and sends only those logs which are specified by the administrator (log
level must be configured). You can also configure other logging methods like sending logs to some
email using specified SMTP server.
When configuring SYSLOG logging ensure you use appropriate logging level to not be
overwhelmed by lots of unnecessary information. Remember that configured logging level includes
all lower levels, for example when you configure critical (2) level it includes alerts (1) and
emergencies (0) as well. There are the following logging levels:
- (0) emergencies - system is unusable
- (1) alerts - immediate action needed
- (2) critical - critical conditions
- (3) errors - error conditions
- (4) warnings - warning conditions
- (5) notifications - normal but significant conditions
- (6) informational - informational messages
- (7) debugging - debugging messages
You must be very careful when enabling logging for level 7 (debugging) as this will generate lots of
SYSLOG messages (depends on system usage). This is very dangerous for ASA stability especially
when you enable logging on the console. Thus, there is a good practice to rate limit those
messages to not be surprised when debugging is on the console.

On ASA
ASA-FW(config)# logging host IN 10.1.101.254
WARNING: interface Ethernet1 security level is 80.
ASA-FW(config)# logging queue 100
ASA-FW(config)# logging trap informational
ASA-FW(config)# logging enable

SYSLOG server is to be expected behind the most trusted interface (usually having
security level of 100). When this server is specified behind lower security level
interface then a warning message is displayed.
Logs are processed sequentially by the queue mechanism. If there are so many logs that
the ASA cannot handle, the logs can be discarded. Note that if you specify the logging
queue of zero, this means the queue is set to 8192 which is maximum.
SNMP Traps are usually sent to some NMS (Network Management System) but we can also
send them to the SYSLOG server, but we need to specify what severity level we want to
be send.
Finally, do not forget to enable logging. You can do that using “logging enable” or
“logging on” commands.

ASA-FW(config)# logging from-address asa-fw@micronicstraining.com
ASA-FW(config)# logging recipient-address fwadmin@micronicstraining.com level errors
ASA-FW(config)# logging list AUTH-ERR level errors class auth
ASA-FW(config)# logging mail AUTH-ERR
ASA-FW(config)# smtp-server 10.1.101.254

There is also a chance to send logs to other destination than SYSLOG. For example, you
can send logs to the email address you specify. Doing that is pretty risky as there
must be a lot of logs to be send so that an email is not a perfect solution. However,
you can create a list of severity levels and classes which should be sent using that
method. In our example we‟re sending only Severity level of 3 with a class Auth for
user authentication events.
Do not forget to configure SMTP server to send the emails to.

ASA-FW(config)# logging rate-limit 10 1 level debug

Debugging is a really good troubleshooting method. However, it may be really
destructive for ASA‟s performance - Especially when we want to see debugging messages
on the console. To lower the risk, we should always limit number of logging messages
while debugging.

Page 37 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 10 messages logged
Logging to IN 10.1.101.254 errors: 1 dropped: 7
History logging: disabled
Device ID: disabled
Mail logging: list AUTH-ERR, 0 messages logged
ASDM logging: disabled

ASA-FW(config)# sh logging queue

Logging Queue length limit : 100 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 1 msgs most on queue

After configuring logging features we should always check then using “show logg”
command.

Task 6
Configure ASA as NTP client using MD5 authentication with a key of “Cisco_NTP”.
The NTP server must be configured at 1.1.1.1 with a stratum of 4.

Network Time Protocol (NTP) is used for time synchronization on network devices. Having current
time on the ASA is very important from a security audit perspective. It is important to have valid
timestamps in the logs to be able to track malicious activity. Time is also very important when the
ASA terminates VPNs and uses X.509 certificates for authentication (certificates have validity time
and must be checked against reliable time source before usage).
NTP authentication is used to authenticate server to ensure that the ASA gets time from valid
source.
The router can be an NTP server by using “ntp master <stratum>” command. The stratum level
defines its distance from the reference clock. It is important to note that the stratum is not an
indication of quality or reliability of the NTP server.

On ASA
ASA-FW(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA-FW(config)# ntp authenticate
ASA-FW(config)# ntp trusted-key 1
ASA-FW(config)# ntp server 1.1.1.1 key 1 source IN

Remember that you must specify the trusted key to be used. Without this the NTP Sever
does not enable authentication.

On R1
R1(config)#ntp authentication-key 1 md5 Cisco_NTP
R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1
R1(config)#ntp master 4
R1(config)#ntp source lo0

Page 38 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh ntp associations
address ref clock st when poll reach delay offset disp
*~1.1.1.1 127.127.7.1 4 33 64 37 0.9 -0.95 890.8
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

ASA-FW(config)# sh ntp associations detail

1.1.1.1 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time ce822bf1.417e5616 (23:17:05.255 UTC Thu Oct 15 2009)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 37, sync dist 891.235
delay 0.85 msec, offset -0.9517 msec, dispersion 890.78
precision 2**18, version 3
org time ce822c00.8e86d0be (23:17:20.556 UTC Thu Oct 15 2009)
rcv time ce822c00.8ee1a66d (23:17:20.558 UTC Thu Oct 15 2009)
xmt time ce822c00.8e573047 (23:17:20.556 UTC Thu Oct 15 2009)
filtdelay = 0.85 0.89 0.87 1.08 1.02 0.00 0.00 0.00
filtoffset = -0.95 -0.97 -1.09 -1.33 -2.05 0.00 0.00 0.00
filterror = 15.63 16.60 17.58 18.55 19.53 16000.0 16000.0 16000.0

ASA-FW(config)# sh ntp status
Clock is synchronized, stratum 5, reference is 1.1.1.1
nominal freq is 99.9984 Hz, actual freq is 99.9985 Hz, precision is 2**6
reference time is ce822c00.8ee1a66d (23:17:20.558 UTC Thu Oct 15 2009)
clock offset is -0.9517 msec, root delay is 0.85 msec
root dispersion is 891.77 msec, peer dispersion is 890.78 msec

Page 39 of 694
CCIE Security v3 Lab Workbook

Lab 1.5. Static NAT

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Page 40 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA so that when someone from the outside (network segment behind
ASA‟s OUT interface) tries to connect to IP address of 10.1.102.1 he/she will be
pointed to R1‟s loopback0 interface. Limit the embryonic connections for hosts using
that connection to 2. Ensure all packets need to be translated in order to pass
through the ASA.

First of all NAT Control feature must be enabled to control ASA behavior in such way that all
packets need to be translated in order to pass between interfaces.
To accomplish this task you need to configure R1’s loopback0 IP address to be seen as 10.1.102.1
on the ASA’s outside subnet. This can be done by using Static NAT (SNAT) with a parameter of
hosts embryonic connections set to 2.
However, this is not enough to pass traffic. The ASA does not allow connections coming from an
interface with a lower security level to an interface with a higher security level without an ACL
allowing that connections. Thus, you need to configure an ACL in the inbound direction on ASA’s
outside interface.

On ASA
ASA-FW(config)# nat-control
ASA-FW(config)# static (IN,OUT) 10.1.102.1 1.1.1.1 netmask 255.255.255.255 tcp 0 2

ASA-FW(config)# access-list OUTSIDE_IN permit ip any host 10.1.102.1
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
ASA-FW(config)# sh xlate
1 in use, 1 most used
Global 10.1.102.1 Local 1.1.1.1

ASA-FW(config)# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.1.102.1 flags s

See the xlate created – there is a flag field indicating that the xlate is due to
static translation. This xlate will be in the xlate table all the time.

R2#tel 10.1.102.1
Trying 10.1.102.1 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:03:44
*514 vty 0 idle 00:00:00 10.1.102.2

Interface User Mode Idle Peer Address

The location field indicates that the source IP address has been translated in the
path.

R1>exit

[Connection to 10.1.102.1 closed by foreign host]

R2#ping 10.1.102.1

Type escape sequence to abort.

Page 41 of 694
CCIE Security v3 Lab Workbook

Sending 5, 100-byte ICMP Echos to 10.1.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

Connection is refused by the ASA as there is no translation configured for that IP
address. There is NAT Control enabled and all packets must have translation rule in
place to be allowed through the ASA.

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:24
*578 vty 0 idle 00:00:00 10.1.102.1

Interface User Mode Idle Peer Address

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

Note that Static NAT works in both ways – no matter if you originate traffic from R2 or
R1.

Task 2
Configure ASA so that when someone from the outside (network segment behind
ASA‟s OUT interface) tries to connect to IP address of 10.1.102.4 using TELNET,
he/she will be pointed to R4‟s loopback0 interface.

This task is similar to the previous however there is one difference. The translation must be used
only for TELNET traffic. This is called Static PAT (Port Address Translation) and it’s useful for “port
redirection”.

On ASA
ASA-FW(config)# static (DMZ,OUT) tcp 10.1.102.4 telnet 4.4.4.4 telnet netmask 255.255.255.255
ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.1.102.4 eq telnet

Note that “telnet” keyword can be changed to port numer (23 in this case).

Verification
ASA-FW(config)# sh xlate
2 in use, 2 most used
Global 10.1.102.1 Local 1.1.1.1
PAT Global 10.1.102.4(23) Local 4.4.4.4(23)

ASA-FW(config)# sh xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.1.102.1 flags s
TCP PAT from DMZ:4.4.4.4/23 to OUT:10.1.102.4/23 flags sr

The flag field indicates this is “static portmap” rule – port redirection in other
words.

Page 42 of 694
CCIE Security v3 Lab Workbook

R2#tel 10.1.102.4
Trying 10.1.102.4 ... Open

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:07:45
*514 vty 0 idle 00:00:00 10.1.102.2

Interface User Mode Idle Peer Address

R4>exit

[Connection to 10.1.102.4 closed by foreign host]

R2#ping 10.1.102.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#tel 10.1.102.2
Trying 10.1.102.2 ...
% Connection refused by remote host

R4#tel 10.1.102.2 /so lo0
Trying 10.1.102.2 ...
% Connection refused by remote host

Note that when Static PAT is used there is only one way translation.

Task 3
Configure ASA so that when someone from the outside (network segment behind
ASA‟s OUT interface) tries to connect to ASA‟s OUT interface using port 2323,
he/she will be redirected to R1‟s F0/0 interface using port 23.

This task is similar to the previous however in this case the ASA must “listen” on its outside
interface on port 2323 and “redirect” all traffic coming to that interface/port to the IP address of R1’s
F0/0 interface and port 23.
Note that you still need an ACL entry on the outside interface for those connections.

On ASA
ASA-FW(config)# static (IN,OUT) tcp interface 2323 10.1.101.1 telnet netmask 255.255.255.255
SA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.1.102.10 eq 2323

Verification
ASA-FW(config)# sh xlate
3 in use, 3 most used
Global 10.1.102.1 Local 1.1.1.1
PAT Global 10.1.102.4(23) Local 4.4.4.4(23)
PAT Global 10.1.102.10(2323) Local 10.1.101.1(23)

ASA-FW(config)# sh xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to OUT:10.1.102.1 flags s
TCP PAT from DMZ:4.4.4.4/23 to OUT:10.1.102.4/23 flags sr

Page 43 of 694
CCIE Security v3 Lab Workbook

TCP PAT from IN:10.1.101.1/23 to OUT:10.1.102.10/2323 flags sr

R2#tel 10.1.102.10 2323
Trying 10.1.102.10, 2323 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:08:58
*514 vty 0 idle 00:00:00 10.1.102.2

Interface User Mode Idle Peer Address

R1>exit

[Connection to 10.1.102.10 closed by foreign host]

Page 44 of 694
CCIE Security v3 Lab Workbook

Lab 1.6. Dynamic NAT

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the following commands:
clear configure static
clear configure access-list

Page 45 of 694
CCIE Security v3 Lab Workbook

Task 1
Ensure all packets need to be translated in order to pass through the ASA. However,
when R4 tries to go outside using its loopback0 interface packets should not be
translated.

NAT Control ensures that every packet going through the ASA must be translated. If there is no
translation rule in place the packet is dropped. However, in this task we need to bypass this rule by
configuring feature called NAT 0 (or Identity NAT). When we use ID 0 configuring NAT translation
(source IP addresses to be translated) it means that packet matched that rule will NOT be
translated. NAT 0 is evaluated before any other NAT statements and you don’t need to configure
Global statement for ID 0. This kind of NAT is useful in case of VPN configuration where is a need to
not translate packets which are subjected to be going through the VPN tunnel.

On ASA
ASA-FW(config)# nat-control
ASA-FW(config)# nat (DMZ) 0 4.4.4.4 255.255.255.255
nat 0 4.4.4.4 will be identity translated for outbound

Verification
R4#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

No translation rule for that connection.

R4#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:12:00
*578 vty 0 idle 00:00:00 4.4.4.4

Interface User Mode Idle Peer Address

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

Note the 4.4.4.4 has not been translated.

ASA-FW(config)# sh xlate
1 in use, 3 most used
Global 4.4.4.4 Local 4.4.4.4

ASA-FW(config)# sh xlate detail
1 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI

Note that the above translation is dynamically created when there is connection from
R4‟s Lo0. The Identity NAT creates xlates for all IP addresses even though there is the
same IP address used for translation.
The xlate will be present in the translation table for duration of 3 hours by default.
This can be configured using timeout xlate <idle_time> command.

Page 46 of 694
CCIE Security v3 Lab Workbook

Task 2
Configure ASA so that all IP addresses from the inside subnet (10.1.101.0/24) will be
translated to the dynamic pool of 10.1.102.100 – 10.1.102.200. If the pool is
exhausted, configure ASA to perform dynamic port translation using IP address of
10.1.102.201.

This is the most common NAT configuration in the real world. Dynamic NAT translates all source IP
addresses (specified by “nat (ifname) id IP-addresses” command) to the pool of IP addresses
(specified by “global (ifname) ID IP-address-range” command). The ID must match NAT and
GLOBAL statements.
That configuration will dynamically translate each IP address to one GLOBAL IP address (one-to-
one translation) so you need to ensure that after exhaustion of GLOBAL IP addresses the
communication won’t suffer. This is usually done by configuring one (or more) GLOBAL “backup”
IP address to which packets will be translated using PAT (ca. 64k ports can be used, so many
connections can be covered).

On ASA
ASA-FW(config)# nat (IN) 1 10.1.101.0 255.255.255.0
ASA-FW(config)# global (OUT) 1 10.1.102.100-10.1.102.200 netmask 255.255.255.0
ASA-FW(config)# global (OUT) 1 10.1.102.201 netmask 255.255.255.255
INFO: Global 10.1.102.201 will be Port Address Translated

Verification
R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:18
*578 vty 0 idle 00:00:00 10.1.102.170

Interface User Mode Idle Peer Address

Note that the source IP address has been translated to the random IP address from the
pool.

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ...
% Connection refused by remote host

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

Note that only connections between inside and outside subnets are translated. Since NAT
Control is enabled, all packets must be translated. Thus, no connections allowed
between inside and DMZ.

ASA-FW(config)# sh xlate
2 in use, 3 most used
Global 4.4.4.4 Local 4.4.4.4
Global 10.1.102.170 Local 10.1.101.1

ASA-FW(config)# sh xlate detail
2 in use, 3 most used

Page 47 of 694
CCIE Security v3 Lab Workbook

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
NAT from IN:10.1.101.1 to OUT:10.1.102.170 flags i

Task 3
Configure ASA so that when R1 tries to communicate with hosts in DMZ using its
loopback0 interface as a source, it will be dynamically translated to ASA‟s DMZ
interface IP address.

Instead of configuring GLOBAL pool of IP addresses you can specify ASA’s interface and all source
IP addresses specified by NAT command will be PATed to this IP address. Remember that you need
to use different NAT ID for every NAT/GLOBAL pair.

On ASA
ASA-FW(config)# nat (IN) 2 1.1.1.1 255.255.255.255
ASA-FW(config)# global (DMZ) 2 interface
INFO: DMZ interface address added to PAT pool

Verification
R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:13:23
*514 vty 0 idle 00:00:00 10.1.104.10

Interface User Mode Idle Peer Address

R4>exit

[Connection to 4.4.4.4 closed by foreign host]

Do not disconnect from R4 and check ASA‟s translations. If you close the connection ASA
will remove XLATE entry.

ASA-FW(config)# sh xlate
3 in use, 3 most used
Global 4.4.4.4 Local 4.4.4.4
PAT Global 10.1.104.10(29892) Local 1.1.1.1(56160)
Global 10.1.102.170 Local 10.1.101.1

ASA-FW(config)# sh xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
TCP PAT from IN:1.1.1.1/56160 to DMZ:10.1.104.10/29892 flags ri
NAT from IN:10.1.101.1 to OUT:10.1.102.170 flags i

Page 48 of 694
CCIE Security v3 Lab Workbook

Task 4
Configure ASA so that when R1 tries to communicate with hosts on the outside
network using its loopback0 interface as a source, it will be dynamically translated to
IP address of 10.1.102.202. Use minimal number of commands to accomplish this
task.

Note that the NAT statement for IP address of 1.1.1.1 has been configured in the previous task;
hence there is just need for GLOBAL statement for the outside interface. The NAT ID must be the
same to match with NAT command. In this example the R1’s loopback0 interface will be translated
to two different IP addresses depends on the outbound interface on the ASA.

On ASA
ASA-FW(config)# global (OUT) 2 10.1.102.202 netmask 255.255.255.255
INFO: Global 10.1.102.202 will be Port Address Translated

Verification
R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:19:34
*578 vty 0 idle 00:00:00 10.1.102.202

Interface User Mode Idle Peer Address

R2>

When you‟re using terminal server to access your devices in the rack, use
Ctrl+Shift+6+x to get back to the R1 and make another connection to R4‟s loopback0
using R1‟s loopback0 interface as a source. Do not disconnect previous sessions in
order to see XLATE entries on the ASA.

<Ctrl+Shift+6 X>

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:15:15
*514 vty 0 idle 00:00:00 10.1.104.10

Interface User Mode Idle Peer Address

R4>

<Ctrl+Shift+6 X>

R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Page 49 of 694
CCIE Security v3 Lab Workbook

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:21:24
578 vty 0 idle 00:01:49 10.1.102.202
*579 vty 1 idle 00:00:09 10.1.102.170

Interface User Mode Idle Peer Address

ASA-FW(config)# sh xlate
4 in use, 4 most used
Global 4.4.4.4 Local 4.4.4.4
PAT Global 10.1.104.10(4460) Local 1.1.1.1(52849)
PAT Global 10.1.102.202(6995) Local 1.1.1.1(29961)
Global 10.1.102.170 Local 10.1.101.1

ASA-FW(config)# sh xlate detail
4 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from DMZ:4.4.4.4 to OUT:4.4.4.4 flags iI
TCP PAT from IN:1.1.1.1/52849 to DMZ:10.1.104.10/4460 flags ri
TCP PAT from IN:1.1.1.1/29961 to OUT:10.1.102.202/6995 flags ri
NAT from IN:10.1.101.1 to OUT:10.1.102.170 flags i

Page 50 of 694
CCIE Security v3 Lab Workbook

Lab 1.7. NAT Exemption

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the following commands:
clear configure nat
clear configure global

Page 51 of 694
CCIE Security v3 Lab Workbook

clear xlate

Task 1
Ensure all packets need to be translated in order to pass through the ASA. Configure
ASA so that it will dynamically translate all IP addresses coming from inside subnets
(10.1.101.0/24 and 1.1.1.0/24) and destined to the outside networks to the pool of
10.1.102.100 – 10.1.102.200. However, communication between host 1.1.1.1 and
2.2.2.2 should not be translated.

NAT Control feature ensures that every packet going through the ASA will be translated.
This task is very similar to Identity NAT (from lab 1.6) but here we need to bypass NAT for traffic
between two hosts (not only sourced from the inside network). To specify both source and
destination we need to use an access list which will be used by “NAT 0” statement. This
configuration is called NAT Exemption and is useful in VPN scenarios where some flows (usually
those going through the VPN tunnel) must bypass translation.

On ASA
ASA-FW(config)# nat-control
ASA-FW(config)# nat (IN) 1 1.1.1.0 255.255.255.0
ASA-FW(config)# nat (IN) 1 10.1.101.0 255.255.255.0
ASA-FW(config)# global (OUT) 1 10.1.102.100-10.1.102.200 netmask 255.255.255.0

ASA-FW(config)# access-list NO-NAT permit ip host 1.1.1.1 host 2.2.2.2
ASA-FW(config)# nat (IN) 0 access-list NO-NAT

Verification
R1#tel 10.1.102.2
Trying 10.1.102.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:35:38
*578 vty 0 idle 00:00:00 10.1.102.106

Interface User Mode Idle Peer Address

R2>exit

[Connection to 10.1.102.2 closed by foreign host]

R1#tel 2.2.2.2
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:35:59
*578 vty 0 idle 00:00:00 10.1.102.106

Interface User Mode Idle Peer Address

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

Page 52 of 694
CCIE Security v3 Lab Workbook

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:36:22
*578 vty 0 idle 00:00:00 1.1.1.1

Interface User Mode Idle Peer Address

Note there is no translation (it seems like Identity NAT but it‟s not). See “sh xlate”
to show the difference.

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

Note that Telnet connection between R1‟s loopback0 and R2‟s loopback0 is bypassing the
translation (source IP address is the same after connection). However, connections to
DMZ are unsuccessful because of NAT Control in place (no NAT/GLOBAL statement for such
traffic is configured).

ASA-FW(config)# sh xlate
1 in use, 4 most used
Global 10.1.102.106 Local 10.1.101.1

ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:10.1.101.1 to OUT:10.1.102.106 flags i

Note that there is no XLATE for NAT Exemption!!! The NAT exemption DOES NOT work like
Identity NAT. The Identity NAT creates Identity XLATE (the same Local and Global IP) and
allows connections from both sites.

Page 53 of 694
CCIE Security v3 Lab Workbook

Lab 1.8. Static Policy NAT

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the following commands:
clear configure nat
clear configure global

Page 54 of 694
CCIE Security v3 Lab Workbook

clear xlate

Task 1
Ensure all packets need to be translated in order to pass through the ASA. Configure
ASA so that it statically translates R1‟s loopback0 IP address to its outside interface‟s
IP address. The translation must be enforced only for traffic going between R1‟s
loopback0 and R2‟s loopback0 interface.

NAT Control must be enabled in order to translate all packets going through the ASA. From the task
we know that there must be STATIC translation in place and it should work only for traffic between
two hosts. This leads to only one conclusion: there must be an access list involved.
Remember that even you configure ASA’s interface to “serve” global translation IP address, there is
a need for ACL in inbound direction to successfully pass the traffic.

On ASA
ASA-FW(config)# nat-control
ASA-FW(config)# access-list STATIC-POLICY permit ip host 1.1.1.1 host 2.2.2.2
ASA-FW(config)# static (IN,OUT) interface access-list STATIC-POLICY
WARNING: All traffic destined to the IP address of the OUT interface is being redirected.
WARNING: Users will not be able to access any service enabled on the OUT interface.

ASA-FW(config)# access-list OUTSIDE_IN permit ip any host 10.1.102.10
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
ASA-FW(config)# sh xlate
1 in use, 4 most used
Global 10.1.102.10 Local 1.1.1.1

ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.1.102.10 flags s

Note the ACL name in the brackets. This XLATE entry is a conditional static.

R1#tel 10.1.102.2
Trying 10.1.102.2 ...
% Connection refused by remote host

R1#tel 10.1.102.2 /so lo0
Trying 10.1.102.2 ...
% Connection refused by remote host

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:43:07
*578 vty 0 idle 00:00:00 10.1.102.10

Interface User Mode Idle Peer Address

Page 55 of 694
CCIE Security v3 Lab Workbook

R2>exit

[Connection to 2.2.2.2 closed by foreign host]

Only this traffic is translated.

R2#tel 10.1.102.10
Trying 10.1.102.10 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:21
*514 vty 0 idle 00:00:00 10.1.102.2

Interface User Mode Idle Peer Address

R1>exit

[Connection to 10.1.102.10 closed by foreign host]

R2#tel 10.1.102.10 /so lo0
Trying 10.1.102.10 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:01:39
*514 vty 0 idle 00:00:00 2.2.2.2

Interface User Mode Idle Peer Address

R1>exi

[Connection to 10.1.102.10 closed by foreign host]

Note that only traffic between 1.1.1.1 and 2.2.2.2 is translated, no other traffic is
allowed to go though the ASA because of NAT Control in place.
However, due to the inbound ACL on the ASA‟s OUT interface the traffic can be
originated from R2‟s loopback0 interface and destined to R1‟s loopback0 (destination IP
address in this case should be ASA‟s OUT interface).

Task 2
Configure ASA so that it statically translates to the IP address of 10.1.104.1 all traffic
coming from R1‟s loopback0 interface towards DMZ subnet. The translation rule
should be used only for traffic originated from 1.1.1.1 and destined to 4.4.4.4.

This task is very similar to the previous one. The difference is that here we need to use an arbitrary
IP address for translation instead of ASA interface’s IP address. Again, there is a need for ACL to
specify what flows must be subjected to translation. Read the task carefully to see that the
translation must work ONLY for traffic originated from 1.1.1.1. To disallow traffic coming
(originating) from 4.4.4.4 towards 1.1.1.1 you just do NOT need to configure any inbound ACL on
ASA’s DMZ interface.

On ASA
ASA-FW(config)# access-list STATIC-POLICY-DMZ permit ip host 1.1.1.1 host 4.4.4.4
ASA-FW(config)# static (IN,DMZ) 10.1.104.1 access-list STATIC-POLICY-DMZ

Page 56 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh xlate
2 in use, 4 most used
Global 10.1.104.1 Local 1.1.1.1
Global 10.1.102.10 Local 1.1.1.1

ASA-FW(config)# sh xlate detail
2 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to DMZ(STATIC-POLICY-DMZ):10.1.104.1 flags s
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.1.102.10 flags s

R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ...
% Connection timed out; remote host not responding

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:47:15
*514 vty 0 idle 00:00:00 10.1.104.1

Interface User Mode Idle Peer Address

R4>exit

[Connection to 4.4.4.4 closed by foreign host]

R4#tel 10.1.104.1
Trying 10.1.104.1 ...
% Connection timed out; remote host not responding

R4#tel 10.1.104.1 /so lo0
Trying 10.1.104.1 ...
% Connection timed out; remote host not responding

Note that traffic from R4 to R1 is denied by ASA because there is no access list
allowing it on DMZ interface. The ASA displays the following log (when logging is
configured):
%ASA-2-106001: Inbound TCP connection denied from 4.4.4.4/46869 to 10.1.104.1/23 flags
SYN on interface DMZ

Task 3
Configure static translation on ASA so that when R2 telnets to the IP address of
10.1.102.1 port tcp/2323 using its loopback0 interface as a source it will be
automatically redirected to the host 1.1.1.1 port tcp/23. This translation rule should
work only for traffic initiated from R2‟s loopback0 interface and destined to
10.1.102.1.

This task requires “port redirection” but only for traffic between two hosts. Again, there must be
ACL involved to specify that hosts and enable translation for that specific flow. Be careful here
because ACL must contain “original” IP address (non-translated) and destination port to be
effective.

Page 57 of 694
CCIE Security v3 Lab Workbook

On ASA
ASA-FW(config)# access-list STATIC-R1 permit tcp host 1.1.1.1 eq telnet host 2.2.2.2
ASA-FW(config)# static (IN,OUT) tcp 10.1.102.1 2323 access-list STATIC-R1

ASA-FW(config)# access-list OUTSIDE_IN permit tcp host 2.2.2.2 host 10.1.102.1 eq 2323

Verification
ASA-FW(config)# sh xlate
3 in use, 4 most used
Global 10.1.104.1 Local 1.1.1.1
Global 10.1.102.10 Local 1.1.1.1
PAT Global 10.1.102.1(2323) Local 1.1.1.1(23)

ASA-FW(config)# sh xlate detail
3 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to DMZ(STATIC-POLICY-DMZ):10.1.104.1 flags s
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.1.102.10 flags s
TCP PAT from IN:1.1.1.1/23 to OUT(STATIC-R1):10.1.102.1/2323 flags sr

R2#tel 10.1.102.1 2323
Trying 10.1.102.1, 2323 ...
% Connection timed out; remote host not responding

R2#tel 10.1.102.1 2323 /so lo0
Trying 10.1.102.1, 2323 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:05:02
*514 vty 0 idle 00:00:00 2.2.2.2

Interface User Mode Idle Peer Address

R1>exit

[Connection to 10.1.102.1 closed by foreign host]

Note that it works as expected and only traffic originated from R2‟s loopback0
interface is translated (redirected). Traffic originated from other IP address is
denied by inbound ACL on the OUT interface.

Task 4
Configure ASA so that it statically translate all hosts from the inside network
(10.1.101.0/24) to addresses on the 10.1.104.0/24 network making them all
accessible from DMZ.

This type of NAT is useful when we want to make two networks fully accessible for each other. We
need to translate whole network to another network and allow traffic to be originated from the
subnet behind lower security level interface by configuring inbound ACL.

Page 58 of 694
CCIE Security v3 Lab Workbook

On ASA
ASA-FW(config)# access-list STATIC-IN-DMZ permit ip 10.1.101.0 255.255.255.0 10.1.104.0
255.255.255.0
ASA-FW(config)# static (IN,DMZ) 10.1.104.0 access-list STATIC-IN-DMZ
WARNING: mapped-address conflict with existing static
IN:1.1.1.1 to DMZ:10.1.104.1 netmask 255.255.255.255

ASA-FW(config)# access-list DMZ_IN permit ip any 10.1.104.0 255.255.255.0
ASA-FW(config)# access-group DMZ_IN in interface DMZ

Note there is warning message saying that there is conflict with already configured
translation. However, this translation is for different source IP address – no big deal
in the lab environment, however in the real world you must ensure there are no
conflicts and use the same subnet masks for both networks (so that there are sufficient
number of IP addresses for translation).

Verification
ASA-FW(config)# sh xlate
4 in use, 4 most used
Global 10.1.104.1 Local 1.1.1.1
Global 10.1.104.0 Local 10.1.101.0
Global 10.1.102.10 Local 1.1.1.1
PAT Global 10.1.102.1(2323) Local 1.1.1.1(23)

ASA-FW(config)# sh xlate detail
4 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:1.1.1.1 to DMZ(STATIC-POLICY-DMZ):10.1.104.1 flags s
NAT from IN:10.1.101.0 to DMZ(STATIC-IN-DMZ):10.1.104.0 flags s
NAT from IN:1.1.1.1 to OUT(STATIC-POLICY):10.1.102.10 flags s
TCP PAT from IN:1.1.1.1/23 to OUT(STATIC-R1):10.1.102.1/2323 flags sr

R4#tel 10.1.104.1
Trying 10.1.104.1 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:10:03
*514 vty 0 idle 00:00:00 10.1.104.4

Interface User Mode Idle Peer Address

R1>exit

[Connection to 10.1.104.1 closed by foreign host]

R4#tel 10.1.104.1 /so lo0
Trying 10.1.104.1 ... Open

User Access Verification

Password:
R1>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:10:50
*514 vty 0 idle 00:00:00 4.4.4.4

Interface User Mode Idle Peer Address

R1>exit

[Connection to 10.1.104.1 closed by foreign host]

Page 59 of 694
CCIE Security v3 Lab Workbook

Lab 1.9. Dynamic Policy NAT

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the following commands:
clear configure static
clear configure access-list

Page 60 of 694
CCIE Security v3 Lab Workbook

Task 1
Ensure all packets need to be translated in order to pass through the ASA. Configure
ASA so that it dynamically translates source IP addresses of telnet traffic going
between 1.1.1.1 and 2.2.2.2. Use ASA‟s outside IP address as a global address.

First, configure NAT Control feature to ensure all packets must be translated to pass through ASA.
There is a requirement for using dynamic translation which means we should look at NAT/GLOBAL
configuration. Another important thing is that we need translate only packets for specific flows
(between two hosts). This should lead us to the final solution which is Dynamic NAT with ACL
(called Policy DNAT).

On ASA
ASA-FW(config)# nat-control
ASA-FW(config)# access-list DYNA-NAT permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
ASA-FW(config)# nat (IN) 1 access-list DYNA-NAT
ASA-FW(config)# global (OUT) 1 interface
INFO: OUT interface address added to PAT pool

Verification
R1#tel 10.1.102.2
Trying 10.1.102.2 ...
% Connection refused by remote host

R1#tel 10.1.102.2 /so lo0
Trying 10.1.102.2 ...
% Connection refused by remote host

R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

All connections are denied by the NAT Control function on the ASA.

R1#tel 2.2.2.2 /so lo0
Trying 2.2.2.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:12:57
*578 vty 0 idle 00:00:00 10.1.102.10

Interface User Mode Idle Peer Address

Note that you can‟t connect from other IP addresses as there is no translation rule in
place (and NAT Control is enabled). After establishing telnet session between R1 and R2
do not disconnect to see XLATE on the ASA.

ASA-FW(config)# sh xlate
1 in use, 4 most used
PAT Global 10.1.102.10(23407) Local 1.1.1.1(53426)

ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
TCP PAT from IN:1.1.1.1/53426 to OUT(DYNA-NAT):10.1.102.10/23407 flags ri

Page 61 of 694
CCIE Security v3 Lab Workbook

Task 2
Configure ASA so that it translates source IP addresses for traffic going between
inside subnet (10.1.101.0/24) and outside subnet (10.1.102.0/24). Use dynamic
address pool of 10.1.102.100-200 and ensure it will be backed up by IP address of
10.1.102.201 in case the pool is exhausted.

This task is very similar to the previous one. The difference is we need to dynamically translate
whole inside subnet to some IP address pool. In addition to that we should back up this pool with
one IP address. Remember that you can also use ASA’s outside interface as a backup.

On ASA
ASA-FW(config)# access-list DYNA-NAT2 permit ip 10.1.101.0 255.255.255.0 10.1.102.0
255.255.255.0

ASA-FW(config)# nat (IN) 2 access-list DYNA-NAT2

ASA-FW(config)# global (OUT) 2 10.1.102.100-10.1.102.200 netmask 255.255.255.0
ASA-FW(config)# global (OUT) 2 10.1.102.201 netmask 255.255.255.255
INFO: Global 10.1.102.201 will be Port Address Translated

Verification
R1#tel 2.2.2.2
Trying 2.2.2.2 ...
% Connection refused by remote host

R1#tel 10.1.102.2 /so lo0
Trying 10.1.102.2 ...
% Connection refused by remote host

R1#tel 10.1.102.2
Trying 10.1.102.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:17:45
*578 vty 0 idle 00:00:00 10.1.102.196

Note there is a random IP address from the pool.

Interface User Mode Idle Peer Address

ASA-FW(config)# sh xlate
1 in use, 4 most used
Global 10.1.102.196 Local 10.1.101.1

ASA-FW(config)# sh xlate detail
1 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:10.1.101.1 to OUT(DYNA-NAT2):10.1.102.196 flags i

Page 62 of 694
CCIE Security v3 Lab Workbook

Note that using dynamic translation we can initiate communication from only one
direction. In above example we couldn‟t initiate telnet session from R2 to R1 even
though we had inbound ACL on ASA‟s outside interface configured.

Task 3
Configure ASA so that it translates source IP address for traffic initiated from 1.1.1.1
and destined to 4.4.4.4. Use IP address 10.1.104.1 for this translation.

Here, we are requested for dynamic PAT configuration for traffic between R1’s loopback0 and R4’s
loopback0 interface. Note that the task is very specific and it clearly states that traffic should be
initiated from R1. This means we need to use dynamic translation.
Be careful and check what translation IDs you have configured to ensure you won’t overwrite or add
next NAT statement to the previously configured NAT rule instead of adding new NAT statement.
Also, watch out what interfaces you use for NAT and GLOBAL statements.
Remember that you should configure ONLY what you’ve asked for. Do not configure inbound ACL
on DMZ interface in this task as this is not necessary.

On ASA
ASA-FW(config)# access-list DYNA-NAT3 permit ip host 1.1.1.1 host 4.4.4.4

ASA-FW(config)# nat (IN) 3 access-list DYNA-NAT3
ASA-FW(config)# global (DMZ) 3 10.1.104.1 netmask 255.255.255.255
INFO: Global 10.1.104.1 will be Port Address Translated

Verification
R1#tel 4.4.4.4
Trying 4.4.4.4 ...
% Connection refused by remote host

R1#tel 4.4.4.4 /so lo0
Trying 4.4.4.4 ... Open

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:17:01
*514 vty 0 idle 00:00:00 10.1.104.1

Interface User Mode Idle Peer Address

ASA-FW(config)# sh xlate
2 in use, 4 most used
PAT Global 10.1.104.1(31496) Local 1.1.1.1(63820)
Global 10.1.102.196 Local 10.1.101.1

ASA-FW(config)# sh xlate detail
2 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
TCP PAT from IN:1.1.1.1/63820 to DMZ(DYNA-NAT3):10.1.104.1/31496 flags ri
NAT from IN:10.1.101.1 to OUT(DYNA-NAT2):10.1.102.196 flags i

Page 63 of 694
CCIE Security v3 Lab Workbook

Lab 1.10. Modular Policy Framework (MPF)

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the following commands:
clear configure nat
clear configure nat-control

Page 64 of 694
CCIE Security v3 Lab Workbook

clear configure global
clear configure access-list

Task 1
Configure ASA so that it inspects HTTP and ICMP in order to pass that type of traffic
in secure manner. All inbound packets traversing ASA secure appliance should be
inspected (no matter on what interface traffic come).

Packets inspection allows ASA to look deeper inside the packets when they’re traversing the
device. It allows ASA to automatically open a hole in the inbound direction on the outgoing
interface for returning packets. Thus, configuring an ACL for the returning traffic is no longer
required.
This advanced inspection policies allow traffic to pass the device in secure manner disallowing
bogus or crafted packets.
There is a global inspection policy enabled by default on every interface in the inbound direction,
however you can configure custom policy and apply it on the interface as well.
MPF configuration contains three steps:
1. Configure class-map to match interesting traffic (to be inspected)
2. Configure policy-map, attach previously configured class-map to it and enable inspection
3. Apply policy-map globally or on an interface
MPF can perform deep packet inspection for a number of protocols. Each protocol has its own set
of attributes and parameters which can be checked against when such traffic comes into the
interface. To perform deep packet inspection (also called L7 inspection) a new class map and policy
map type has been introduced. This is an “inspection” type class map and policy map which is also
called L7 maps. Those maps can be used to build up an advanced inspection policy and they can be
attached under L3/L4 class map/policy map. More details will be presented later when it comes to
advanced inspection on specific protocols (like HTTP or FTP).

The easiest way to accomplish this task is to configure inspection for HTTP and ICMP on a global
level. All inbound packets on all ASA interfaces will be inspected automatically. We do not have to
match any traffic as it will be done automatically using inspection_default class map. This class
map matches a number of default protocols and includes HTTP (port 80) and ICMP by default.

On ASA
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect http
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification
R1#p 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASA-FW(config)# sh service-policy global

Global policy:
Service-policy: global_policy

Page 65 of 694
CCIE Security v3 Lab Workbook

Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: http, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 10, drop 0, reset-drop 0

Why 10 packets? Because the default policy is attached globally, meaning it works on
every interface in inbound direction. Hence, ten packets as there were 5 ICMP Echo
Request and 5 ICMP Echo Replies.

ASA-FW(config)# sh run class-map inspection_default
!
class-map inspection_default
match default-inspection-traffic

ASA-FW(config)# class-map inspection_default
ASA-FW(config-cmap)# match ?

mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 waas------tcp--1-65535
xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group

ASA-FW(config)# sh conn all
7 in use, 10 most used
UDP DMZ 10.1.104.4:520 NP Identity Ifc 224.0.0.9:520, idle 0:00:20, bytes 15144, flags -
ICMP OUT 2.2.2.2:0 IN 10.1.101.1:2, idle 0:00:00, bytes 72
UDP IN 10.1.101.1:520 NP Identity Ifc 224.0.0.9:520, idle 0:00:18, bytes 15216, flags -
UDP OUT 10.1.102.2:520 NP Identity Ifc 224.0.0.9:520, idle 0:00:10, bytes 15192, flags -
UDP OUT 224.0.0.9:520 NP Identity Ifc 10.1.102.10:520, idle 0:00:06, bytes 53280, flags -
UDP IN 224.0.0.9:520 NP Identity Ifc 10.1.101.10:520, idle 0:00:06, bytes 53280, flags -
UDP DMZ 224.0.0.9:520 NP Identity Ifc 10.1.104.10:520, idle 0:00:06, bytes 53280, flags -

Note that you need to start contiguous ping on R1 to see dynamic connection entries on
the ASA.

Page 66 of 694
CCIE Security v3 Lab Workbook

Task 2
There is a SMTP server located on 4.4.4.4. Configure ASA so that it only inspects
ESMTP traffic between 1.1.1.1 and 4.4.4.4.

ASA can inspect Simple Mail Transport Protocol (SMTP) allowing this traffic to be checked against a
number of checks to ensure there is no malicious packets destined to the mail server. SMTP
inspection is enabled by default on a global level (matched by inspection_default class map, all
traffic destined to the port 25 is considered to be SMTP), hence there is no need for an ACL for
allowing returning traffic and basic checks are enforced to ensure there is no harm in SMTP
packets. However, in our case we’re asked for SMTP inspection between two hosts only. This
cannot be done on a global level and we need to match our traffic using an access list and enable
SMTP inspection on the interface.
It is also wise to disable SMTP inspection on a global level if we don’t want the inspection to be
done on every interface.

On ASA
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# no inspect esmtp

ASA-FW(config-pmap-c)#access-list R1-to-R4-inspection permit ip host 1.1.1.1 host 4.4.4.4

ASA-FW(config)# class-map CM-R1-to-R4
ASA-FW(config-cmap)# match access-list R1-to-R4-inspection
ASA-FW(config-cmap)# exit

ASA-FW(config)# policy-map PM-R1-to-R4
ASA-FW(config-pmap)# class CM-R1-to-R4
ASA-FW(config-pmap-c)# inspect esmtp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

ASA-FW(config)# service-policy PM-R1-to-R4 interface DMZ

Verification
ASA-FW(config)# sh service-policy interface DMZ

Interface DMZ:
Service-policy: PM-R1-to-R4
Class-map: CM-R1-to-R4
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

ASA-FW(config)# sh run all policy-map type inspect esmtp
!
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log

Page 67 of 694
CCIE Security v3 Lab Workbook

match ehlo-reply-parameter others
mask

Note there are many SMTP checks configured by default. Hence, enabling SMTP inspection
may cause your mail connections suffer. Be careful and know what you‟re doing!

ASA-FW(config)# sh service-policy inspect esmtp

Global policy:
Service-policy: global_policy
Class-map: inspection_default

Interface DMZ:
Service-policy: PM-R1-to-R4
Class-map: CM-R1-to-R4
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
mask-banner, count 0
match cmd line length gt 512
drop-connection log, packet 0
match cmd RCPT count gt 100
drop-connection log, packet 0
match body line length gt 998
log, packet 0
match header line length gt 998
drop-connection log, packet 0
match sender-address length gt 320
drop-connection log, packet 0
match MIME filename length gt 255
drop-connection log, packet 0
match ehlo-reply-parameter others
mask, packet 0

Page 68 of 694
CCIE Security v3 Lab Workbook

Lab 1.11. FTP Advanced Inspection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the command clear configure all and then paste the initial config.

Page 69 of 694
CCIE Security v3 Lab Workbook

Task 1
There is an FTP server located in DMZ at 10.1.104.20. Configure ASA so that it
resets any connection from the outside networks to that FTP server containing one of
the following commands:
 DELE
 APPE
 PUT
 RMD

This task requires configuration of deep packet inspection for FTP. We’re required to reset packets
containing some FTP commands. To do that, ASA must be able to properly recognize the traffic (as
FTP) and then check some fields inside FTP header/body to perform some actions. When we see a
requirement for checking something which is protocol specific we should automatically start
thinking about L7 class maps and policy maps.
So, we need to create L7 policy map (type inspect for FTP protocol) and match required commands
inside the packets (we can also use L7 class map here and match it under L7 policy map but since
we can match FTP commands using only one configuration line we can do that directly under the L7
policy map).
There is also need for L3/L4 class map matching traffic using an access list. The ACL is required
here as we need to specify destination IP address (if we’d need to match all FTP traffic, the better
option is to use “match port” statement).
L7 policy maps cannot be applied directly to the interface or at the global level. Instead, they first
need to be applied under L3/L4 policy map when specifying the inspection.
Last thing is to assign L3/L4 policy map to the interface and since we want to protect our FTP
server located in DMZ by resetting some commands which can be sent over from a FTP client
(located on the outside networks) we must do it on the outside interface.

On ASA
ASA-FW(config)# access-list DMZ_FTP permit tcp any host 10.1.104.20 eq ftp

ASA-FW(config)# policy-map type inspect ftp PM_FTP
ASA-FW(config-pmap)# match request-command DELE APPE PUT RMD
ASA-FW(config-pmap-c)# reset

ASA-FW(config-pmap-c)# class-map CM_FTP
ASA-FW(config-cmap)# match access-list DMZ_FTP

ASA-FW(config-cmap)# policy-map OUTSIDE_MPF
ASA-FW(config-pmap)# class CM_FTP
ASA-FW(config-pmap-c)# inspect ftp strict PM_FTP

ASA-FW(config-pmap-c)# service-policy OUTSIDE_MPF interface OUT

Verification

ASA-FW(config)# sh service-policy inspect ftp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

Interface OUT:
Service-policy: OUTSIDE_MPF
Class-map: CM_FTP
Inspect: ftp strict PM_FTP, packet 0, drop 0, reset-drop 0
match request-command appe put dele rmd

Page 70 of 694
CCIE Security v3 Lab Workbook

reset, packet 0

Task 2
The FTP server located in DMZ at 10.1.104.20 is managed from the inside network.
Configure ASA so that it denies and logs all users except user “admin” from
accessing directory “/secret” on all FTP servers located behind DMZ and OUT
interfaces.

Here we need to block some users from accessing a directory on FTP servers. This can be done
using regular expressions matching those two values (username and directory name) and resetting
packets containing those values. Note that we need to disallow all usernames but “admin”
username from accessing “/secret” folder. So, the easiest way to do that is to use NOT in the match
statement.
Also note that we must use L7 class map here to match both conditions at once. This cannot be
done using L7 policy map, as policy maps don’t have match-all/match-any keywords available.
Thus, first we need to create L7 class map matching two regexs (match-all perfectly suits here) and
then nest this class map under the L7 policy map (remember that we can’t use L7 class map under
L3/L4 policy map).
As we’re required to perform that inspection on every FTP connection originated from the inside
network, we can simply match port 21 (using ACL is not necessary here) and apply L3/L4 policy
map on the inside interface.

On ASA
ASA-FW(config)# regex FTP_USER "admin"
ASA-FW(config)# regex FTP_DIR "\/secret"

We need to use backslash sign before the “slash” because “slash” is a special character
in the regex world, so that, we need to tell the regex engine to treat the “slash” like
a normal character.

ASA-FW(config)# class-map type inspect ftp match-all CM_FTP_ACCESS
ASA-FW(config-cmap)# match not username regex FTP_USER
ASA-FW(config-cmap)# match filename regex FTP_DIR

Class map has match-all/match-any keywords available so that we can use more “match”
statements to build more complex policies.

ASA-FW(config-cmap)# policy-map type inspect ftp PM_FTP_ACCESS
ASA-FW(config-pmap)# class CM_FTP_ACCESS
ASA-FW(config-pmap-c)# reset log

ASA-FW(config-pmap-c)# class-map CM_FTP_TRAFFIC
ASA-FW(config-cmap)# match port tcp eq ftp

Since we need to inspect FTP traffic the easiest way to do that is to match FTP port.
However, this solution does not work for non-standard FTP ports. Be careful!

ASA-FW(config-cmap)# policy-map INSIDE_MPF
ASA-FW(config-pmap)# class CM_FTP_TRAFFIC
ASA-FW(config-pmap-c)# inspect ftp strict PM_FTP_ACCESS

The “strict” keyword enables enhanced inspection of FTP traffic and forces
compliance with RFC standards.

ASA-FW(config-pmap-c)# service-policy INSIDE_MPF interface IN

Since our FTP server is located in the DMZ network and is managed from the inside
network only, the best option is to enable inspection on IN interface. Better than
enabling this globally.

Page 71 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh service-policy inspect ftp table

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
INFO: There is no rule in the table.

Interface OUT:
Service-policy: OUTSIDE_MPF
Class-map: CM_FTP
Inspect: ftp strict PM_FTP, packet 0, drop 0, reset-drop 0
Match request-command appe put dele rmd
Number of filters 1, action: reset
Filter id: 2, subid/is_regex: 0x0/0, value_type: VALUE_GENERIC
value: 2625(0xa41), value_high: 0(0x0)
mask_match: ANY, mask_value: 0x0, negate: 0

Interface IN:
Service-policy: INSIDE_MPF
Class-map: CM_FTP_TRAFFIC
Inspect: ftp strict PM_FTP_ACCESS, packet 0, drop 0, reset-drop 0
Class-map: CM_FTP_ACCESS
Number of filters 2, action: reset log
Filter id: 0, subid/is_regex: 0x0/0, value_type: VALUE_REGEX
value: 21(0x15)/FTP_DIR, value_high: 21(0x15)
mask_match: NONE, mask_value: 0x0, negate: 0
Filter id: 4, subid/is_regex: 0x0/0, value_type: VALUE_REGEX
value: 20(0x14)/FTP_USER, value_high: 20(0x14)
mask_match: NONE, mask_value: 0x0, negate: 1

Task 3
The FTP server in DMZ should NOT disclose any information about software version
or system greeting to the users behind OUT interface. You can alter existing
configuration to accomplish this task.

To protect our FTP server located in DMZ we can mask some information which is usually disclosed
while user connects to the server. That information could be used for a reconnesaince part of an
attack.
Since we have some configuration done already (Task 1) we can simply add more lines to existing
config. This can be done by configuring “parameters” part under the L7 policy map (remember that
this is protocol specific so it must be done using L7 maps) where we just add some checks to be
done while inspecting traffic.

On ASA
ASA-FW(config)# policy-map type inspect ftp PM_FTP
ASA-FW(config-pmap)# parameters
ASA-FW(config-pmap-p)# mask-banner
ASA-FW(config-pmap-p)# mask-syst-reply
ASA-FW(config-pmap-p)# exit
ASA-FW(config-pmap)# exit

Verification
ASA-FW(config)# sh service-policy inspect ftp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

Interface OUT:

Page 72 of 694
CCIE Security v3 Lab Workbook

Service-policy: OUTSIDE_MPF
Class-map: CM_FTP
Inspect: ftp strict PM_FTP, packet 0, drop 0, reset-drop 0
mask-banner enabled
mask-syst-reply enabled
match request-command appe put dele rmd
reset, packet 0

Interface IN:
Service-policy: INSIDE_MPF
Class-map: CM_FTP_TRAFFIC
Inspect: ftp strict PM_FTP_ACCESS, packet 0, drop 0, reset-drop 0
class CM_FTP_ACCESS
reset log, packet 0

Page 73 of 694
CCIE Security v3 Lab Workbook

Lab 1.12. HTTP Advanced Inspection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the command clear configure all and then paste the initial config.

Page 74 of 694
CCIE Security v3 Lab Workbook

Task 1
You have discovered a new version of peer-to-peer software uses in your network.
After sniffing the traffic you have caught a few HTTP packets with User-Agent =
“P2P-new-app” in the header. Configure ASA to block that peer-to-peer application
and log that activity.

This task requires configuration of deep packet inspection for HTTP. All we need is to recognize
some peer-to-peer software which uses HTTP as a transport by matching against User-Agent HTTP
header field. This can be done using regular expression and L7 policy map.
As we want to perform the inspection for HTTP traffic comes from every direction, we can use
global policy in that case (remember that global policy uses inspection_default class map which
matches HTTP by default).

On ASA
ASA-FW(config)# regex P2P "P2P-new-app"

ASA-FW(config)# policy-map type inspect http PM_HTTP_P2P
ASA-FW(config-pmap)# match request header user-agent regex P2P
ASA-FW(config-pmap-c)# drop-connection log

ASA-FW(config-pmap-c)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect http PM_HTTP_P2P
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification
ASA-FW(config)# sh service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
match request header user-agent regex P2P
drop-connection log, packet 0

Task 2
Configure ASA so that it disallows Internet surfing for websites http://www.yahoo.com
and http://mail.google.com using MPF. This policy should be enforced on the inside
interface.

Using MPF it is possible to filter out packets containing a specific field’s value in HTTP header. In
this case we’re requested to look after specific URLs to block out users access to some websites.
This can be easily done using regular expressions as some header fields may contain additional
control characters and it’s sometimes hard to match an exact value. Following is an example of
HTTP packet capture which depicts most of header fields and their possible values. As you can see
the URL is carried by the header field named “Host” so we should match that field in our L7 class
map (or L7 policy map if we have only one condition to match).

Page 75 of 694
CCIE Security v3 Lab Workbook

Two regex statements must be matched by L7 type “regex” class map (remember that you need to
use “match-any” as those two URLs never be seen in one packet). Then this class map must be
used in another L7 type “inspect” class map in order to match by specific header field. Next, L7
policy map is used to perform an action on our matched traffic (HTTP traffic containing specific
URLs in Host filed).
Last thing is to enable deep packet inspection for HTTP traffic using L3/L4 policy map. The L3/L4
class map used in this task can be either “inspection_default” which is pre-configured and we know
it matches HTTP using port 80 or it can be a new L3/L4 class map configured (matching port 80 for
example). As this task does not specify that this must be done ONLY for HTTP traffic we can use
both solutions.
The L3/L4 policy map must be assigned with inside interface, as the HTTP header field (Host) is sent
in the very first HTTP packet from the client to the server and we want to match and reset that
session as near to the source as possible.

On ASA
ASA-FW(config)# regex URL_YAHOO "www\.yahoo\.com"
ASA-FW(config)# regex URL_GMAIL "mail\.google\.com"

Note that backslash sign must be used to treat the dot “.” as a string not a regular
expression control sign.

ASA-FW(config)# class-map type regex match-any CM_URL_REGEX
ASA-FW(config-cmap)# match regex URL_YAHOO
ASA-FW(config-cmap)# match regex URL_GMAIL

We must use class-map type regex here as there are two regex for matching.

ASA-FW(config-cmap)# class-map type inspect http CM_HTTP_URLS
ASA-FW(config-cmap)# match request header host regex class CM_URL_REGEX

ASA-FW(config-cmap)# policy-map type inspect http PM_BLOCK_URLS
ASA-FW(config-pmap)# class CM_HTTP_URLS
ASA-FW(config-pmap-c)# reset log

ASA-FW(config-pmap-c)# policy-map INSIDE_MPF
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect http PM_BLOCK_URLS

ASA-FW(config-pmap-c)# service-policy INSIDE_MPF interface IN

Verification
ASA-FW(config)# sh service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default

Page 76 of 694
CCIE Security v3 Lab Workbook

Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
match request header user-agent regex P2P
drop-connection log, packet 0

Interface IN:
Service-policy: INSIDE_MPF
Class-map: inspection_default
Inspect: http PM_BLOCK_URLS, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
class CM_HTTP_URLS
reset log, packet 0

Task 3
There is a Web Server configured on R4 (10.1.104.4). You need to protect this server
from the outside networks by the following policy:
- replace server name in the server banner to “MySecureServer”
- prohibit any HTTP request that does not contain a GET or POST request
method and generate SYSLOG message when such a request is detected
- silently drop all connections which violates HTTP protocol specification

Each deep protocol inspection has its own set of additional parameters which can be check. Those
parameters can differ in ASA software depends on version as some additional checks can be added
in the future. For HTTP we are requested to mask our server’s banner and enforce protocol
compliance with HTTP standard. This can be done using L7 policy map with “parameters” sub-
section. In addition we’re requested to allow only GET and POST HTTP methods to be destined to
our web server. As there can be more HTTP methods available in protocol specification (and we do
not need to know every method available) it is wise to use NOT in match statement to filter out
remaining methods.
Finally, as we need to protect our web server which is specified in the task, there is a need for an
access list matching traffic destined to the server. The policy must be enforced on the outside
interface.

On ASA
ASA-FW(config)# class-map type inspect http match-all CM_METHODS
ASA-FW(config-cmap)# match not request method get
ASA-FW(config-cmap)# match not request method post

This will match all HTTP methods but GET and POST.

ASA-FW(config-cmap)# policy-map type inspect http SERVER_PROTECTION
ASA-FW(config-pmap)# parameters
ASA-FW(config-pmap-p)# spoof-server "MySecureServer"
ASA-FW(config-pmap-p)# protocol-violation action drop-connection
ASA-FW(config-pmap-p)# class CM_METHODS
ASA-FW(config-pmap-c)# reset log

A web server is usually introduces itself to every client by attaching some information
in HTTP header. This can be a risk as a malicious user may get information about
software version of the server and search for bugs and security holes for that version.
Hence, the best option is to mislead the attacker by spoofing server‟s banner and
pretending this server software is from other vendors.

ASA-FW(config-pmap-c)# access-list TO_WEB_SERVER permit tcp any host 10.1.104.4 eq http

ASA-FW(config)# class-map CM_WEB_SERVER
ASA-FW(config-cmap)# match access-list TO_WEB_SERVER

ASA-FW(config-cmap)# policy-map OUTSIDE_MPF

Page 77 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config-pmap)# class CM_WEB_SERVER
ASA-FW(config-pmap-c)# inspect http SERVER_PROTECTION

ASA-FW(config-pmap-c)# service-policy OUTSIDE_MPF interface OUT

Verification
ASA-FW(config)# sh service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
match request header user-agent regex P2P
drop-connection log, packet 0

Interface OUT:
Service-policy: OUTSIDE_MPF
Class-map: CM_WEB_SERVER
Inspect: http SERVER_PROTECTION, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
server spoofs, packet 0
class CM_METHODS
reset log, packet 0

Interface IN:
Service-policy: INSIDE_MPF
Class-map: inspection_default
Inspect: http PM_BLOCK_URLS, packet 12, drop 2, reset-drop 2
protocol violations
packet 0
class CM_HTTP_URLS
reset log, packet 0

Task 4
There is a Web proxy server located in DMZ at 10.1.104.20. All internal users use
this server to surf the Internet. Configure ASA so that it disallows other protocols
tunneling though HTTP by configuring strict size and number of headers allowed.
Any HTTP request message that containing host field longer than 6 bytes and host
field appears more than 3 times in the packet must be dropped.

HTTP tunneling is often used to provide connectivity for applications which have restricted access
or with lack of native support for communication. Tunneled application adds additional header
information inside the HTTP packet which is processed somehow on the far end.
We can block such applications using simple MPF configuration and looking at number of headers
inside HTTP and length of the Host field which is usually longer than it is in “pure” HTTP traffic.
We must be careful here as the task asks us for checking traffic sourced from the Proxy server
located in DMZ, so the inspection policy must be applied on DMZ interface.

On ASA
ASA-FW(config)# class-map type inspect http CM_HTTP_HEADER_LENGTH
ASA-FW(config-cmap)# match request header host length gt 6

ASA-FW(config-cmap)# class-map type inspect http CM_HTTP_HEADERS
ASA-FW(config-cmap)# match request header host count gt 3

Page 78 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config-cmap)# policy-map type inspect http PM_HTTP_CHECK
ASA-FW(config-pmap)# class CM_HTTP_HEADER_LENGTH
ASA-FW(config-pmap-c)# reset
ASA-FW(config-pmap-c)# class CM_HTTP_HEADERS
ASA-FW(config-pmap-c)# reset

ASA-FW(config-pmap-c)# access-list PROXY permit tcp host 10.1.104.20 any eq 80

ASA-FW(config)# class-map CM_PROXY
ASA-FW(config-cmap)# match access-list PROXY

ASA-FW(config-cmap)# policy-map DMZ_MPF
ASA-FW(config-pmap)# class CM_PROXY
ASA-FW(config-pmap-c)# inspect http PM_HTTP_CHECK

ASA-FW(config-pmap-c)# service-policy DMZ_MPF interface DMZ

Verification
ASA-FW(config)# sh service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http PM_HTTP_P2P, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
match request header user-agent regex P2P
drop-connection log, packet 0

Interface OUT:
Service-policy: OUTSIDE_MPF
Class-map: CM_WEB_SERVER
Inspect: http SERVER_PROTECTION, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
server spoofs, packet 0
class CM_METHODS
reset log, packet 0

Interface IN:
Service-policy: INSIDE_MPF
Class-map: inspection_default
Inspect: http PM_BLOCK_URLS, packet 12, drop 2, reset-drop 2
protocol violations
packet 0
class CM_HTTP_URLS
reset log, packet 0

Interface DMZ:
Service-policy: DMZ_MPF
Class-map: CM_PROXY
Inspect: http PM_HTTP_CHECK, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
class CM_HTTP_HEADER_LENGTH
reset, packet 0
class CM_HTTP_HEADERS
reset, packet 0

Page 79 of 694
CCIE Security v3 Lab Workbook

Lab 1.13. Instant Messaging Advanced
Inspection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Page 80 of 694
CCIE Security v3 Lab Workbook

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the command clear configure all and then paste the initial config.

Task 1
You have discovered that users in your inside network are using Yahoo and/or MSN
instant messenger software. Configure ASA to block the following services offered by
those applications:
- Conference
- Games
- File transfer
- Webcam
In addition to that, totally block usage of both applications for host 10.1.101.123.

ASA allows us to configure policy settings for Instant Messaging software containing Microsoft’s
MSN and Yahoo IM. Each of this applications have a number of services which are for example
Chat, Conference, Games, File transfer, Webcam, etc. Some of those services could be dangerous
for our users as they may be used by skilled attacker to upload and run malicious software on
user’s computer.
We are requested here to block out some of those services for our internal users. In addition to that
one user’s IP address must NOT be able to use messaging applications at all.
As you can see, we have two things to do which requires slightly different policy. Thus, we need
two L7 class maps. One is to match IM protocols (MSN and Yahoo) and their services (Conference,
Games, File transfer and Webcam). Second is to match IM protocols and user’s IP address. Both L7
class maps can then be used in one L7 policy map to take an action.
We can use global policy to enforce our IM inspection.

On ASA
ASA-FW(config)# class-map type inspect im match-all CM_IM_SERVICES
ASA-FW(config-cmap)# match protocol yahoo-im msn-im
ASA-FW(config-cmap)# match service conference games file-transfer webcam

ASA-FW(config-cmap)# class-map type inspect im match-all CM_IM_HOST
ASA-FW(config-cmap)# match protocol yahoo-im msn-im
ASA-FW(config-cmap)# match ip-address 10.1.101.123 255.255.255.255

ASA-FW(config-cmap)# policy-map type inspect im PM_IM
ASA-FW(config-pmap)# class CM_IM_SERVICES
ASA-FW(config-pmap-c)# reset
ASA-FW(config-pmap-c)# class CM_IM_HOST
ASA-FW(config-pmap-c)# drop-connection

ASA-FW(config-pmap-c)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect im PM_IM
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification
ASA-FW(config)# sh service-policy inspect im

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: im PM_IM, packet 0, drop 0, reset-drop 0
class CM_IM_SERVICES
reset, packet 0
class CM_IM_HOST

Page 81 of 694
CCIE Security v3 Lab Workbook

drop-connection, packet 0

Page 82 of 694
CCIE Security v3 Lab Workbook

Lab 1.14. ESMTP Advanced Inspection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the command clear configure all and then paste the initial config.

Page 83 of 694
CCIE Security v3 Lab Workbook

Task 1
There is a plan to deploy a number of SMTP servers in the DMZ. You are requested
to pro-actively configure the following policy to protect the servers against potential
attackers (from all directions):
- drop all ESMTP messages longer than 48000 characters and generate log
when such incident happen
- limit all EHLO commands to 10 per second
- drop all messages with more than 10 recipients per transaction
- do not allow ESMTP command line to be longer than 600 bytes.

Simple Mail Transport Protocol inspection is complex and can use lot of parameters. Thanks for
that, because we can create more flexible policies controlling SMTP traffic before it hits the mail
server.
It is possible to control commands which are sent through SMTP and limit their number to ensure
some commands can’t overwhelm our mail server causing DOS attack.
In this task we do not need L7 class map as all requested checks can be configured directly under
L7 policy map. As we are requested to apply the inspection policy on the global level, we first need
to disable default SMTP inspection to be able to assign our custom L7 policy map.

On ASA
ASA-FW(config)# policy-map type inspect esmtp PM_SMTP
ASA-FW(config-pmap)# match body length gt 48000
ASA-FW(config-pmap-c)# drop-connection log
ASA-FW(config-pmap-c)# match cmd verb EHLO
ASA-FW(config-pmap-c)# rate-limit 10
ASA-FW(config-pmap-c)# match cmd RCPT count gt 10
ASA-FW(config-pmap-c)# drop-connection
ASA-FW(config-pmap-c)# match cmd line length gt 600
ASA-FW(config-pmap-c)# drop-connection

ASA-FW(config-pmap-c)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect esmtp PM_SMTP
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration

There is a default ESMTP inspection enabled which uses “_default_esmtp_map” policy map
with bunch of checks preconfigured. We need to disable it first before configuring our
new policy.

ASA-FW(config-pmap-c)# no inspect esmtp
ASA-FW(config-pmap-c)# inspect esmtp PM_SMTP
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification
Here is a default SNMP inspection L7 policy map. As you can see, there are lots of
default parameters configured to protect mail servers. Those default settings can
sometimes cause problems and needs to be considered when deploying ASA in the new
environment where mail servers are located.

ASA-FW(config)# sh run all policy-map type inspect esmtp _default_esmtp_map
!
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls

Page 84 of 694
CCIE Security v3 Lab Workbook

match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match ehlo-reply-parameter others
mask
!

ASA-FW(config)# sh service-policy inspect esmtp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: esmtp PM_SMTP, packet 0, drop 0, reset-drop 0
mask-banner, count 0
match body length gt 48000
drop-connection log, packet 0
match cmd verb EHLO
rate-limit 10, packet 0
match cmd RCPT count gt 10
drop-connection, packet 0
match cmd line length gt 600
drop-connection, packet 0

Task 2
Recently, you have been asked by mail server administrator to help him block
senders and domains of malicious mails. You need to block emails coming from the
following domains:
- @gmail.com
- @yahoo.com
- specific user with e-mail address of jdoe@hotmail.com
You can alter existing configuration to accomplish this task.

In this task we need to match SMTP packets containing some string values. When it comes to
strings the best option to use is regular expressions. We can easily match those strings using L7
class map (remember to use “match-any” keyword as those strings may not appear in SMTP
packets together). Then we can match sender address using L7 policy map configured in the
previous task.

On ASA
ASA-FW(config)# regex GMAIL "@gmail\.com"
ASA-FW(config)# regex YAHOO "@yahoo\.com"
ASA-FW(config)# regex HOTMAIL "jdoe@hotmail\.com"

ASA-FW(config)# class-map type regex match-any CM_BLOCK_EMAIL
ASA-FW(config-cmap)# match regex GMAIL
ASA-FW(config-cmap)# match regex YAHOO
ASA-FW(config-cmap)# match regex HOTMAIL

There must be class map of type regex as there are three regexs to match.

ASA-FW(config-cmap)# policy-map type inspect esmtp PM_SMTP
ASA-FW(config-pmap)# match sender-address regex class CM_BLOCK_EMAIL
ASA-FW(config-pmap-c)# drop-connection
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Page 85 of 694
CCIE Security v3 Lab Workbook

Verification
ASA-FW(config)# sh service-policy inspect esmtp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: esmtp PM_SMTP, packet 0, drop 0, reset-drop 0
mask-banner, count 0
match body length gt 48000
drop-connection log, packet 0
match cmd verb EHLO
rate-limit 10, packet 0
match cmd RCPT count gt 10
drop-connection, packet 0
match cmd line length gt 600
drop-connection, packet 0
match sender-address regex class CM_BLOCK_EMAIL
drop-connection, packet 0

Page 86 of 694
CCIE Security v3 Lab Workbook

Lab 1.15. DNS Advanced Inspection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the command clear configure all and then paste the initial config.

Page 87 of 694
CCIE Security v3 Lab Workbook

Task 1
A new DNS server for domain micronicstraining.com has been deployed in DMZ.
Configure ASA so that it allows only this domain to be queried and mask RD bit in the
DNS header to prevent the server from sending recursive queries on behalf of a
requester.

DNS cache poisoning attacks use DNS open resolvers when attempting to corrupt the DNS cache of
vulnerable systems. The DNS messages sent to open resolvers set the recursion desired (RD) flag
in the DNS header. Utilizing the DNS application inspection flag filtering feature, these attacks can
be minimized by dropping DNS messages with the RD flag present in the DNS header.
Another useful security control is to ensure that DNS query contains only domain name belonging
to us. If other domain name is requested the DNS server might use recursive lookup for this domain
and waste resources.
Note that we are asked to mask RD bit inside the DNS query, NOT drop those packets. This can be
done using “mask” keyword as an action in L7 policy map.
The inspection policy should be applied on the outside interface as most queries come from the
outside networks.

On ASA
ASA-FW(config)# regex DOMAIN "micronicstraining\.com"

ASA-FW(config)# policy-map type inspect dns PM_DNS
ASA-FW(config-pmap)# match not domain-name regex DOMAIN
ASA-FW(config-pmap-c)# drop
ASA-FW(config-pmap-c)# match header-flag RD
ASA-FW(config-pmap-c)# mask

ASA-FW(config-pmap-c)# class-map CM_DNS_SERVER
ASA-FW(config-cmap)# match port udp eq 53

ASA-FW(config-cmap)# policy-map OUTSIDE_MPF
ASA-FW(config-pmap)# class CM_DNS_SERVER
ASA-FW(config-pmap-c)# inspect dns PM_DNS

ASA-FW(config-pmap-c)# service-policy OUTSIDE_MPF interface OUT

Verification
ASA-FW(config)# sh service-policy inspect dns

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
message-length maximum 512, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0

Interface OUT:
Service-policy: OUTSIDE_MPF
Class-map: CM_DNS_SERVER
Inspect: dns PM_DNS, packet 0, drop 0, reset-drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
match not domain-name regex DOMAIN
drop, packet 0
match header-flag RD
mask, packet 0

Page 88 of 694
CCIE Security v3 Lab Workbook

Task 2
There is a new Web Server hosting www.micronicstraining.com website deployed in
the inside network at 10.1.101.25. This server needs to be visible to the outside world
as 10.1.102.25. Client workstations located in the inside network must access the
Web Server using its FQDN which has DNS A record pointing to 10.1.102.25 in the
external DNS server located in ISP network.
Configure ASA so that it performs dynamic NAT translation for all inside hosts to the
pool of 10.1.102.100-200. Ensure that client workstations get private IP address of
the Web Server when connecting to www.micronicstraining.com.

The problem here is that internal clients will get public IP address of the Web server from an
external DNS server. This can be an issue if the Web server’s IP address is translated on the ASA.
Fortunately, there is an additional “dns” keyword in the static command which rewrites the A
(address) record in DNS replies that match this static. For DNS replies traversing from a mapped
interface to any other interface, the A record is rewritten from the mapped value to the real value.
Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is
rewritten from the real value to the mapped value.
Also note that DNS inspection must be enabled to support this functionality (it is enabled by default
in the global policy).

On ASA
ASA-FW(config)# nat (IN) 1 0 0 dns
ASA-FW(config)# global (OUT) 1 10.1.102.100-10.1.102.200 netmask 255.255.255.0

ASA-FW(config)# static (IN,OUT) 10.1.102.25 10.1.102.25 dns

ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.1.102.25 eq 80
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
ASA-FW(config)# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from IN:10.1.102.25 to OUT:10.1.102.25 flags sD

ASA-FW(config)# sh nat IN OUT
match ip IN host 10.1.102.25 OUT any
static translation to 10.1.102.25
translate_hits = 0, untranslate_hits = 0
match ip IN any OUT any
dynamic translation to pool 1 (10.1.102.100 - 10.1.102.200)
translate_hits = 0, untranslate_hits = 0

Page 89 of 694
CCIE Security v3 Lab Workbook

Lab 1.16. ICMP Advanced Inspection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1 E0/0 10.1.102.10/24
E0/1 10.1.101.10/24
E0/2.104 10.1.104.10/24

Note that the topology is the same so that you can quickly revert to initial config on the ASA by
using the command clear configure all and then paste the initial config.

Page 90 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA so that it allows ICMP traffic coming from inside network to DMZ and
to outside and to be initiated from the outside to DMZ. You are not allowed using of
access list however you can alter initial configuration to accomplish this task.

We have two things to do in this task: (1) allow ICMP traffic from Inside to outside and DMZ and (2)
allow ICMP traffic from outside to DMZ but not inside. In addition we are not allowed to use any ACL
to accomplish this task. This should direct us to the solution using MPF. It is enough to enable
ICMP inspection in the global policy to accomplish first part of the question.
However, ICMP inspection won’t work for traffic originated from outside network to DMZ as it is
against basic rule that traffic from the interface with lower security level to the interface with higher
security level is not allowed by default (there must be an ACL on the outside to allow this traffic).
Fortunately, we’re allowed to alter initial configuration. Thus, the best option which meets
requirements is to change security level on the outside interface to be higher than security level on
DMZ interface.

On ASA
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

ASA-FW(config)# int e0/0
ASA-FW(config-subif)# security-level 60
ASA-FW(config-subif)# exit

Verification
R1#ping 2.2.2.2 so lo0 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/66/180 ms

ASA-FW(config)# sh conn all | in ICMP
ICMP OUT 2.2.2.2:0 IN 1.1.1.1:4, idle 0:00:00, bytes 72

R1#ping 4.4.4.4 so lo0 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/57/204 ms

ASA-FW(config)# sh conn all | in ICMP
ICMP DMZ 4.4.4.4:0 IN 1.1.1.1:4, idle 0:00:00, bytes 72

R2#ping 4.4.4.4 so lo0 rep 10000

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2

Page 91 of 694
CCIE Security v3 Lab Workbook

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/54/188 ms

ASA-FW(config)# sh conn all | in ICMP
ICMP DMZ 4.4.4.4:0 OUT 2.2.2.2:2, idle 0:00:00, bytes 72

ASA-FW(config)# logg buffered 7
ASA-FW(config)# logg on
ASA-FW(config)# clear logg buffer

R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# sh logg
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 8 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-3-106014: Deny inbound icmp src OUT:10.1.102.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.1.102.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.1.102.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.1.102.2 dst IN:1.1.1.1 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src OUT:10.1.102.2 dst IN:1.1.1.1 (type 8, code 0)

Note that there is no ACL in the logging output so that this traffic has been denied on
the OUT interface by the ASA‟s rules.

Task 2
Statically translate R1‟s F0/0 interface to be visible on the outside network as
10.1.102.1. Enable traceroute packets to go through the ASA and ensure that inside
network‟s address is hidden when doing traceroute on R2 to the network behind R1
(use R1‟s loopback0 IP address).

ICMP inspection allows ICMP packets to go through the ASA without configuring ACL on the
outbound interface for returning traffic. However, it can also be used for changing some information
inside ICMP packets to not disclose sensitive information about the network. This is useful when
traceroute is used as it sends UDP packets with increased TTL and waiting for ICMP time-exceeded
or ICMP port unreachable packets. When NAT is configured on the ASA a traceroute tools can
reveal IP addressing of subnets behind the ASA when tracerouting IP addresses in remote
networks.
We can mitigate that issue by enabling ICMP error inspection on the ASA. Then the ASA changes IP
address of the translated host (which sends out ICMP time-exceeded or port unreachable)
according to the translation configured.

Page 92 of 694
CCIE Security v3 Lab Workbook

On ASA
ASA-FW(config)# static (IN,OUT) 10.1.102.1 10.1.101.1

ASA-FW(config)# access-list OUTSIDE_IN permit udp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp error
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

Verification
[before enabling ICMP error inspection]

R2#traceroute 1.1.1.1

Type escape sequence to abort.
Tracing the route to 1.1.1.1

1 10.1.101.1 252 msec 212 msec *

[after enabling ICMP error inspection]

R2#traceroute 1.1.1.1

Type escape sequence to abort.
Tracing the route to 1.1.1.1

1 10.1.102.1 200 msec 120 msec *

Note that the IP address in returning ICMP packet has been altered based on configured
translation.

ASA-FW(config)# sh service-policy global

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 60, drop 0, reset-drop 0
Inspect: icmp error, packet 2, drop 0, reset-drop 0

Page 93 of 694
CCIE Security v3 Lab Workbook

Lab 1.17. Configuring Virtual Firewalls

Inside1 Lo0 Inside2 Lo0

R1 R4
.1 F0/0 .4 F0/0
10.1.101.0/24 10.1.104.0/24
.10 E0/1 .10 E0/3
DMZ
Lo0
.10
F0/0
E0/2
R5 .5

.10 E0/0
10.1.105.0/24 10.1.102.0/24
Lo0 G0/0 .2 Outside

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1‟s E0/3 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA1‟s E0/2 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure static default route on all routers pointing to ASA.
IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24

Page 94 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA with the following security contexts:

Context name: CTX1 CTX2
Interfaces: E0/0 – Outside E0/0 – Outside
E0/1 – Inside E0/3 – Inside
E0/2.104 – DMZ
Context file: CTX1.CFG CTX2.CFG

The context configuration should be stored on the Flash memory. Assigned
interfaces should be named as showed in the table so that no physical interface
name is disclosed inside the context.

You can partition a single security appliance into multiple virtual devices, known as security
contexts. Each context acts like an independent device, with its own security policy, interfaces, and
administrators. Multiple contexts are similar to having multiple standalone devices. Many features
are supported in multiple context mode, including routing tables, firewall features, IPS, and
management. Some features are not supported, including VPN and dynamic routing protocols.
You can run all your contexts in routed mode or transparent mode; you cannot run some contexts
in one mode and others in another. Multiple context mode supports static routing only.

To enable multiple mode (security contexts), enter command mode multiple. You will be
prompted to reboot the security appliance.
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files: a new startup configuration that comprises the system configuration,
and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory).
The original running configuration is saved as old_running.cfg (in the root directory of the internal
Flash memory). The original startup configuration is not saved. The security appliance
automatically adds an entry for the admin context to the system configuration with the name admin.

The system administrator adds and manages contexts by configuring each context configuration
location, allocated interfaces, and other context operating parameters in the system configuration,
which, like a single mode configuration, is the startup configuration. The system configuration
identifies basic settings for the security appliance. The system configuration does not include any
network interfaces or network settings for itself; rather, when the system needs to access network
resources (such as downloading the contexts from the server), it uses one of the contexts that is
designated as the admin context. The system configuration does include a specialized failover
interface for failover traffic only.

To create a new security context you must enter command “context <name>” in the system
configuration and specify context configuration file (usually on the Flash) and allocate interfaces to
the context. Those interfaces will be visible in the context mode. To ensure that an administrator of
the context will not see any physical interface’s name, you can name the interface during its
allocation.

On ASA
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device

Page 95 of 694
CCIE Security v3 Lab Workbook

WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode

Rebooting....

Booting system, please wait...

CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17

Low Memory: 631 KB
High Memory: 256 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 2578 Host Bridge
00 01 00 8086 2579 PCI-to-PCI Bridge
00 03 00 8086 257B PCI-to-PCI Bridge
00 1C 00 8086 25AE PCI-to-PCI Bridge
00 1D 00 8086 25A9 Serial Bus 11
00 1D 01 8086 25AA Serial Bus 10
00 1D 04 8086 25AB System
00 1D 05 8086 25AC IRQ Controller
00 1D 07 8086 25AD Serial Bus 9
00 1E 00 8086 244E PCI-to-PCI Bridge
00 1F 00 8086 25A1 ISA Bridge
00 1F 02 8086 25A3 IDE Controller 11
00 1F 03 8086 25A4 Serial Bus 5
00 1F 05 8086 25A6 Audio 5
02 01 00 8086 1075 Ethernet 11
03 01 00 177D 0003 Encrypt/Decrypt 9
03 02 00 8086 1079 Ethernet 9
03 02 01 8086 1079 Ethernet 9
03 03 00 8086 1079 Ethernet 9
03 03 01 8086 1079 Ethernet 9
04 02 00 8086 1209 Ethernet 11
04 03 00 8086 1209 Ethernet 5

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Platform ASA5510-K8

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa821-k8.bin... Booting...
Loading...

Processor memory 177934336, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)

Page 96 of 694
CCIE Security v3 Lab Workbook

Guest RAM start: 0xd4000080
Guest RAM end: 0xdd400000
Guest RAM brk: 0xd4001000

IO memory 51224576 bytes
IO memory start: 0xd0bff000
IO memory end: 0xd3cd9000

Total SSMs found: 0

Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: 0019.e8d9.6271
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: 0019.e8d9.6272
i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: 0019.e8d9.6273
i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: 0019.e8d9.6274
i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: 0019.e8d9.6275
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 100
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

This platform has an ASA 5510 Security Plus license.

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Creating context 'system'... Done. (0)
Creating context 'null'... Done. (257)

Cisco Adaptive Security Appliance Software Version 8.0(4) <system>

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************

Copyright (c) 1996-2008 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Page 97 of 694
CCIE Security v3 Lab Workbook

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

INFO: Admin context is required to get the interfaces
*** Output from config line 20, "arp timeout 14400"
Creating context 'admin'... Done. (1)
*** Output from config line 23, "admin-context admin"

Cryptochecksum (changed): cf287bec dd6e8cf1 b96cbba9 ca2251ec

*** Output from config line 25, " config-url flash:/admi..."

Cryptochecksum (changed): 6f50b7d4 8539ef8c b6c4265c 7c8ef765
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa#

ciscoasa# show mode
Security context mode: multiple
ciscoasa#

It is very important to create contexts with an exact name as it was specified in the
task. Context names are case sensitive.
Also, physical interfaces must be up when allocating to the context. If not, they will
not be operative inside the context and it is very common mistake.
Note that you can allocate the same physical interface to difference contexts. It is
called “interface sharing” and will be described in more details in the following
sections.

ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/2
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/3
ciscoasa(config-if)# no sh

ciscoasa(config-if)# int e0/2.105
ciscoasa(config-subif)# vlan 105
ciscoasa(config-subif)# exit

ciscoasa(config)# context CTX1
Creating context 'CTX1'... Done. (2)
ciscoasa(config-ctx)# config-url flash:/CTX1.CFG
INFO: Converting flash:/CTX1.CFG to disk0:/CTX1.CFG

WARNING: Could not fetch the URL disk0:/CTX1.CFG
INFO: Creating context with default config

Note that there is no CTX1.CFG file on the flash/disk0 so that the ASA creates a new
file with basic configuration template. Be careful here as if there was a file on the
flash with the same name already, the ASA would import that file as a configuration of
the context. Thus, the best option is to do “sh flash” and check if there is such file
already.
Another thing is that the ASA does not write the file to the flash if you do not save
the config either within the context (“write mem”) or for all contexts within system
mode (“write mem all”).

ciscoasa(config-ctx)# allocate-interface e0/0 Outside
ciscoasa(config-ctx)# allocate-interface e0/1 Inside
ciscoasa(config-ctx)# allocate-interface e0/2.105 DMZ

When allocating interfaces to the context you can specify the name for that interface
within the context. This is NOT nameif! This is just a name for the “physical”
interface. There is also additional keyword at the end of that command:
 visible – all physical properties for that interface will be visible inside the
context (“show interface” shows that info)
 invisible – only limited info will be displayed using “show interface” command,
and this is the default.

ciscoasa(config-ctx)# context CTX2
Creating context 'CTX2'... Done. (3)

Page 98 of 694
CCIE Security v3 Lab Workbook

ciscoasa(config-ctx)# config-url flash:/CTX2.CFG
INFO: Converting flash:/CTX2.CFG to disk0:/CTX2.CFG

WARNING: Could not fetch the URL disk0:/CTX2.CFG
INFO: Creating context with default config

ciscoasa(config-ctx)# allocate-interface e0/0 Outside
ciscoasa(config-ctx)# allocate-interface e0/3 Inside
ciscoasa(config-ctx)# exit

On SW3
SW3(config)#int f0/12
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#switchport mode trunk
SW3(config-if)#exi
SW3(config)#vlan 105
SW3(config-vlan)#exi

Verification
ciscoasa(config)# sh mode
Security context mode: multiple

ciscoasa(config)# sh context
Context Name Class Interfaces URL
*admin default disk0:/admin.cfg
CTX1 default Ethernet0/0,Ethernet0/1, disk0:/CTX1.CFG
Ethernet0/2.105
CTX2 default Ethernet0/0,Ethernet0/3 disk0:/CTX2.CFG

Total active Security Contexts: 3

ciscoasa(config)# sh context detail
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2,
Ethernet0/2.105, Ethernet0/3, Management0/0, Virtual254
Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created
Config URL: disk0:/admin.cfg
Real Interfaces:
Mapped Interfaces:
Real IPS Sensors:
Mapped IPS Sensors:
Class: default, Flags: 0x00000813, ID: 1

Context "CTX1", has been created
Config URL: disk0:/CTX1.CFG
Real Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2.105
Mapped Interfaces: DMZ, Inside, Outside
Real IPS Sensors:
Mapped IPS Sensors:
Class: default, Flags: 0x00000811, ID: 2

Context "CTX2", has been created
Config URL: disk0:/CTX2.CFG
Real Interfaces: Ethernet0/0, Ethernet0/3
Mapped Interfaces: Inside, Outside
Real IPS Sensors:
Mapped IPS Sensors:
Class: default, Flags: 0x00000811, ID: 3

Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Real IPS Sensors:
Mapped IPS Sensors:
Class: default, Flags: 0x00000809, ID: 257

Page 99 of 694
CCIE Security v3 Lab Workbook

Task 2
Configure ASA so that it will assign the following resources to the newly created
contexts:
Context CTX1 Policy ASDM Connections 2
Connections 1000
SSH Sessions 2
Telnet Sessions 1
XLATE Objects 300
Context CTX2 Policy ASDM Connections 4
Connections 2000
SSH Sessions 5
Telnet Sessions 1
XLATE Objects 1000

Sharing hardware resources is always risky and may lead to performance issues when one context
uses more resources than the others. In that case it is wise to limit resources per context. ASA by
default limits some resources which are allocated to the contexts. However, those limits can be too
lax for some organizations and the administrator can change them.
Here’s the list of resources which can be limited:
- mac-address - the number of MAC addresses allowed in the MAC address table (only on
transparent firewall)
- conns - TCP/UDP connections between any two hosts
- inspects - application inspections rate
- hosts - the number of hosts that can connect through the ASA
- asdm - concurrent ASDM management sessions
- ssh - concurrent SSH sessions
- syslogs - system logs messages rate
- telnet - concurrent telnet sessions
- xlates - concurrent address translations
Limiting the resources is nothing else like configuration of special class where the above resources
are allocated. This class is then assigned to the context using “member <class-name>” command.

On ASA
ciscoasa(config)# class CTX1
ciscoasa(config-class)# limit-resource ASDM 2
ciscoasa(config-class)# limit-resource Conns 1000
ciscoasa(config-class)# limit-resource SSH 2
ciscoasa(config-class)# limit-resource Telnet 1
ciscoasa(config-class)# limit-resource xlate 300

ciscoasa(config-class)# class CTX2
ciscoasa(config-class)# limit-resource ASDM 4
ciscoasa(config-class)# limit-resource conn 2000
ciscoasa(config-class)# limit-resource telnet 1
ciscoasa(config-class)# limit-resource xlate 1000

Note that you do not need to configure SSH resources as this number will be inherited
from the default class.
All resources are set to unlimited, except for the following limits, which are by
default set to the maximum allowed per context:
 Telnet sessions - 5 sessions,
 SSH sessions - 5 sessions,
 IPSec sessions - 5 sessions,
 MAC addresses - 65,535 entries.

Page 100 of 694
CCIE Security v3 Lab Workbook

ciscoasa(config-class)# context CTX1
ciscoasa(config-ctx)# member CTX1
ciscoasa(config-ctx)# context CTX2
ciscoasa(config-ctx)# member CTX2
ciscociscoasa(config-ctx)# exit

Verification
ciscoasa(config)# sh run all class
class default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!

class CTX1
limit-resource ASDM 2
limit-resource Conns 1000
limit-resource SSH 2
limit-resource Telnet 1
limit-resource Xlates 300
!

class CTX2
limit-resource ASDM 4
limit-resource Conns 2000
limit-resource Telnet 1
limit-resource Xlates 1000
!

ciscoasa(config)# sh class default
Class Name Members ID Flags
default All 1 0001

ciscoasa(config)# sh class CTX1
Class Name Members ID Flags
CTX1 1 2 0000

ciscoasa(config)# sh class CTX2
Class Name Members ID Flags
CTX2 1 3 0000

ciscociscoasa(config)# sh context detail CTX1
Context "CTX1", has been created
Config URL: disk0:/CTX1.CFG
Real Interfaces: Ethernet0/0, Ethernet0/1, Ethernet0/2.105
Mapped Interfaces: DMZ, Inside, Outside
Real IPS Sensors:
Mapped IPS Sensors:
Class: CTX1, Flags: 0x00000811, ID: 2

ciscociscoasa(config)# sh context detail CTX2
Context "CTX2", has been created
Config URL: disk0:/CTX2.CFG
Real Interfaces: Ethernet0/0, Ethernet0/3
Mapped Interfaces: Inside, Outside
Real IPS Sensors:
Mapped IPS Sensors:
Class: CTX2, Flags: 0x00000811, ID: 3

Task 3
Configure interfaces for new contexts as follow:
Context Interface name Security level IP address
CTX1 Inside 100 10.1.101.10/24
Outside 0 10.1.102.10/24
DMZ 50 10.1.105.10/24
CTX2 Inside 80 10.1.104.10/24

Page 101 of 694
CCIE Security v3 Lab Workbook

Outside 40 10.1.102.11/24

Now it’s time to configure context. This is done exactly in the same way as it is in a single mode
configuration. The one difference is the administrator needs to go to the respective context’s config
mode before entering command. Using command of “changeto context <context-name>” the
administrator can move between contexts.
Note that in the context configuration you have access to all configuration command as it is in
single config mode. In our case there are no physical interfaces visible inside the context, manually
configured logical names are showed instead of that.

On ASA
ciscoasa(config)# changeto context CTX1
ciscoasa/CTX1(config)# int Inside
ciscoasa/CTX1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa/CTX1(config-if)# ip add 10.1.101.10 255.255.255.0
ciscoasa/CTX1(config-if)# int Outside
ciscoasa/CTX1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa/CTX1(config-if)# ip add 10.1.102.10 255.255.255.0
ciscoasa/CTX1(config-if)# int DMZ
ciscoasa/CTX1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa/CTX1(config-if)# security-level 50
ciscoasa/CTX1(config-if)# ip add 10.1.105.10 255.255.255.0

ciscoasa/CTX1(config-if)# changeto context CTX2
ciscoasa/CTX2(config)# int Inside
ciscoasa/CTX2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa/CTX2(config-if)# security-level 80
ciscoasa/CTX2(config-if)# ip add 10.1.104.10 255.255.255.0
ciscoasa/CTX2(config-if)# int Outside
ciscoasa/CTX2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa/CTX2(config-if)# security-level 40
ciscoasa/CTX2(config-if)# ip add 10.1.102.11 255.255.255.0
ciscoasa/CTX2(config-if)# exit

Verification
ciscoasa/CTX2(config)# changeto context CTX1

ciscoasa/CTX1(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa/CTX1(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa/CTX1(config)# ping 10.1.105.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.105.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa/CTX1(config)# changeto context CTX2

ciscoasa/CTX2(config)# ping 10.1.104.4
Type escape sequence to abort.

Page 102 of 694
CCIE Security v3 Lab Workbook

Sending 5, 100-byte ICMP Echos to 10.1.104.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa/CTX2(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa/CTX2(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
No route to host 10.1.101.1

Success rate is 0 percent (0/1)

There is no route to this network as this is behind context CTX1.

Task 4
Ensure that R4 can ping R2 without configuring any access list. You are not allowed
to configure any type of address translation to accomplish this task.

As you can see, you cannot ping R2 from R4. This is because there is no inspection for ICMP
enabled or ACL on the outside interface allowing ICMP echo-reply packets back.
However, after enabling ICMP inspection in the CTX2 context, you’ll see that you are still not able to
ping R2. Let’s do some quick troubleshooting to see the issue.

On ASA
ciscoasa(config)# changeto context CTX2

ciscoasa/CTX2(config)# policy-map global_policy
ciscoasa/CTX2(config-pmap)# class inspection_default
ciscoasa/CTX2(config-pmap-c)# inspect icmp
ciscoasa/CTX2(config-pmap-c)# exit
ciscoasa/CTX2(config-pmap)# exit

What’s the problem?
R4#ping 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ciscoasa/CTX2(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
MAC address 0019.e8d9.6272, MTU 1500
IP address 10.1.102.11, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
9 packets input, 630 bytes
17 packets output, 1556 bytes
0 packets dropped

ciscoasa/CTX2(config)# changeto context CTX1

ciscoasa/CTX1(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
MAC address 0019.e8d9.6272, MTU 1500
IP address 10.1.102.10, subnet mask 255.255.255.0
Traffic Statistics for "Outside":

Page 103 of 694
CCIE Security v3 Lab Workbook

9 packets input, 630 bytes
7 packets output, 556 bytes
0 packets dropped

ciscoasa/CTX1(config)# changeto system

ciscoasa(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available for allocation to a context
MAC address 0019.e8d9.6272, MTU not set
IP address unassigned
22 packets input, 2488 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
24 packets output, 2616 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (1/1) software (0/0)
output queue (curr/max packets): hardware (0/1) software (0/0)

Ping from R4 does not work. Take a quick look at the interface in both contexts and in
the system context. As you can see the Outside interface in the contexts inherits MAC
address from the physical interface. This is normal behavior and everything should work
smooth as long as contexts are not sharing interfaces.
The problem with shared interface is that ASA must be able to properly classify
incoming traffic and send it to an appropriate context. There are three methods to make
it work:
Using unique interfaces
If only one context is associated with the ingress interface, the security
appliance classifies the packet into that context. In transparent firewall
mode, unique interfaces for contexts are required, so this method is used to
classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface
MAC address. The ASA lets you assign a different MAC address in each context to
the same shared interface, whether it is a shared physical interface or a
shared subinterface. An upstream router cannot route directly to a context
without unique MAC addresses. You can set the MAC addresses manually when you
configure each interface, or you can automatically generate MAC addresses using
“mac-address auto” command.
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the
packet and performs a destination IP address lookup. All other fields are
ignored; only the destination IP address is used. To use the destination
address for classification, the classifier must have knowledge about the
subnets located behind each security context. The classifier relies on the NAT
configuration to determine the subnets in each context. The classifier matches
the destination IP address to either a static command or a global command. In
the case of the global command, the classifier does not need a matching nat
command or an active NAT session to classify the packet.

As we are not allowed to use any NAT in our solution, the only choice left is to use
different MAC addresses for each security context. We can use an automatic method
configuring “mac-address auto” command in the system context.

On ASA
ciscoasa/CTX2(config)# changeto system

ciscoasa(config)# mac-address auto

Verification
ciscoasa(config)# changeto context CTX1

ciscoasa/CTX1(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
MAC address 1200.0000.0200, MTU 1500

Page 104 of 694
CCIE Security v3 Lab Workbook

IP address 10.1.102.10, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
11 packets input, 686 bytes
8 packets output, 584 bytes
0 packets dropped
ciscoasa/CTX1(config)# changeto context CTX2

ciscoasa/CTX2(config)# sh int Outside
Interface Outside "Outside", is up, line protocol is up
MAC address 1200.0000.0300, MTU 1500
IP address 10.1.102.11, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
11 packets input, 686 bytes
18 packets output, 1584 bytes
0 packets dropped

R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.102.2 - 001b.533b.ea58 ARPA FastEthernet0/0
Internet 10.1.102.10 0 1200.0000.0200 ARPA FastEthernet0/0
Internet 10.1.102.11 0 1200.0000.0300 ARPA FastEthernet0/0

As you can see, ASA uses different MAC addresses for each context. R2 also sees those
addresses in its ARP table. However, R2 has no information how to route the traffic to
R4, so we need to add static route.

On R2
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip route 10.1.104.0 255.255.255.0 10.1.102.11

R4#ping 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 5
Disable automatic MAC address generation and accomplish the same using network
address translation.

OK, it is always good to see how it works with NAT. Hence, first disable MAC autogeneration and
configure simple Dynamic PAT in CTX2 context. Let’s translate all inside IP addresses to the
address of the outside interface.

On ASA
ciscoasa/CTX2(config)# changeto system
ciscoasa(config)# no mac-address auto

Verification
R4#ping 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:

Page 105 of 694
CCIE Security v3 Lab Workbook

.....
Success rate is 0 percent (0/5)

It does not work when there are the same MAC addresses.

On ASA
ciscoasa(config)# changeto context CTX2

ciscoasa/CTX2(config)# nat (Inside) 1 0 0
ciscoasa/CTX2(config)# global (Outside) 1 interface
INFO: Outside interface address added to PAT pool

Verification
R4#ping 10.1.102.2 rep 10000

Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ciscoasa/CTX2(config)# sh xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
ICMP PAT from Inside:10.1.104.4/8 to Outside:10.1.102.11/63477 flags ri

Task 6
Assign IP address of 10.254.254.8/24 to the management interface of ASA.
Configure following limits for system resources on the admin context:
- limit ASDM connections 1
- limit SSH connections 1
- limit TELNET connections 1
Configure SSH and Telnet access to the device from anywhere on management
interface. Authenticate users using local username/password of admin/cisco.

ASA has dedicated management interface which can be used for management only or in some
cases it can be “converted” to the normal interface. It is recommended to use this interface for
management of ASA, so it must be allocated to the admin context. Each of contexts configured can
be set as admin context. If a context is marked as admin context administrators logging onto that
context have rights to administer other contexts as well (including system context).
The admin context is created automatically when an administrator converts ASA to multi-context
mode.

On ASA
ciscoasa/CTX2(config)# changeto system

ciscoasa(config)# admin-context admin
ciscoasa(config)# int m0/0
ciscoasa(config-if)# no sh

ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface Management0/0
ciscoasa(config-ctx)# config-url disk0:/admin.cfg

WARNING: Could not fetch the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.

Page 106 of 694
CCIE Security v3 Lab Workbook

ciscoasa(config)# class CL-ADMIN
ciscoasa(config-class)# limit-resource ASDM 1
ciscoasa(config-class)# limit-resource SSH 1
ciscoasa(config-class)# limit-resource Telnet 1
ciscoasa(config-class)# context admin
ciscoasa(config-ctx)# member CL-ADMIN
ciscoasa(config-ctx)# changeto context admin

ciscoasa/admin(config)# int management0/0
ciscoasa/admin(config-if)# nameif management
INFO: Security level for "management" set to 0 by default.
ciscoasa/admin(config-if)# security 100
ciscoasa/admin(config-if)# ip add 10.254.254.8 255.255.255.0
ciscoasa/admin(config-if)# management-only

ciscoasa/admin(config)# username admin password cisco privilege 15

ciscoasa/admin(config)# aaa authentication ssh console LOCAL
ciscoasa/admin(config)# aaa authentication telnet console LOCAL

ciscoasa/admin(config)# telnet 0 0 management
ciscoasa/admin(config)# ssh 0 0 management

Verification
ciscoasa(config)# sh context detail admin
Context "admin", has been created
Config URL: disk0:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Real IPS Sensors:
Mapped IPS Sensors:
Class: CL-ADMIN, Flags: 0x00000813, ID: 1

Page 107 of 694
CCIE Security v3 Lab Workbook

Lab 1.18. Active/Standby Failover

Lo0

Inside
R1
.1 F0/0
10.1.101.0/24

.10 E0/1 .11 E0/1

E0/3 E0/3
Stateful Failover Link
E0/2 .10 .10 E0/2
10.1.104.0/24
Lo0 .4 F0/0
DMZ
.10 E0/0 .11 E0/0
R4

10.1.102.0/24
Lo0 G0/0 .2
Outside

R2

Lab Setup:

 R1‟s F0/0 and ASA1/ASA2 E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1/ASA2 E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA1/ASA2 E0/2 interface should be configured in VLAN 104
 ASA1 and ASA2 E0/3 interface should be configured in VLAN 254
 Configure Telnet on all routers using password “cisco”
 Configure static default route on all routers pointing to ASA.
IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24

Page 108 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA interfaces as follow:
Physical Interface Interface name Security level IP address
E0/0 IN 80 Pri 10.1.101.10/24
Sby 10.1.101.11/24
E0/1 OUT 0 Pri 10.1.102.10/24
Sby 10.1.102.11/24
E0/2 DMZ 50 Pri 10.1.104.10/24
Sby 10.1.104.11/24

Configure ASA2 device to back up ASA1 firewall in the event of failure. Configure
interface E0/3 as the Failover Link. This interface will be used to transmit failover
control messages. Assign a name of LAN_FO and active IP address of
10.1.254.10/24 with a standby address of 10.1.254.11. Authenticate the failover
control messages using a key of “cisco987”. Configure host name of ASA-FW.

ASA failover uses a special link which must be configured appropriately to successfully monitor
state of primary ASA device. This link is a dedicated physical Ethernet interface. The best practice
is to use the fastest ASA interface possible as an amount of data traversing this link may be
significant and usually depends on the amount of data traverses all remaining interfaces. This link
may have two things to do (1) it must synchronize configuration, monitor ASA interfaces and send
those information to second ASA to continue working if primary ASA fails (2) it may carry stateful
information (like state table and translation table) to maintain all connections by second ASA in
case of failure.
Although, the first task does not require fast interface, the second may require significant
bandwidth of the interface. In addition to that, this link shouldn’t be set up using crossover cable. It
is highly recommended to use switch for interconnection with PortFast configured on the switch
port.
In case of configuration, the interface used as failover link should be in UP state, meaning an
administrator must enter “no shutdown” command on that interface. No other configuration is
required. All failover configuration is done using “failover….” command.
Two very important commands are required (1) “failover lan…” which is used for specifying what
interface will be used as failover link and (2) “failover interface ip…” which configures IP address of
that link (note the IP address is configured here, not under the physical interface).
Note that all ASA interfaces must have standby IP addresses configured. It is usually omitted when
ASA is already pre-configured and we need to add failover to the existing configuration. Those
standby IP addresses will be used on secondary ASA as all interfaces must send out heartbeat
information on their subnet to check if there is standby interface ready on a given subnet.
The first ASA must be “marked” as primary unit and second ASA as secondary unit. A good
practice mandates usage of “encryption” key for securing failover communication.

Configuration of secondary ASA is similar to that it was on primary unit. All you need is to unshut
failover interface and configure it in the same way as it was on primary device. The one difference is
that secondary device must be marked as secondary unit.
The very last configuration command is simple “failover” which enables failover and starts
communication between ASAs.
Note that you do not need to configure any IP addresses (except for failover link) on the secondary
ASA. After enabling failover, all configuration should be sent to the second device.

Page 109 of 694
CCIE Security v3 Lab Workbook

On primary ASA
ciscoasa(config)# hostname ASA-FW

ASA-FW(config)# interface e0/0
ASA-FW(config-if)# nameif OUT
INFO: Security level for "OUT" set to 0 by default.
ASA-FW(config-if)# ip address 10.1.102.10 255.255.255.0 standby 10.1.102.11
ASA-FW(config-if)# no shut

ASA-FW(config-if)# interface e0/1
ASA-FW(config-if)# nameif IN
INFO: Security level for "IN" set to 0 by default.
ASA-FW(config-if)# security-level 80
ASA-FW(config-if)# ip address 10.1.101.10 255.255.255.0 standby 10.1.101.11
ASA-FW(config-if)# no shut

ASA-FW(config-if)# interface e0/2
ASA-FW(config-subif)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA-FW(config-subif)# security-level 50
ASA-FW(config-subif)# ip address 10.1.104.10 255.255.255.0 standby 10.1.104.11
ASA-FW(config-subif)# no shut
ASA-FW(config-subif)# exit

ASA-FW(config)# int e0/3
ASA-FW(config-if)# no sh

Do not forget to unshut that interface!

ASA-FW(config)# failover lan unit primary
ASA-FW(config)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA-FW(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ASA-FW(config)# failover key cisco987
ASA-FW(config)# failover

You must enable failover at the endo of the configuration using “failover” command.

On secondary ASA
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no sh

Same on the secondary ASA. You must manually unshut the interface for LAN failover.

ciscoasa(config)# failover lan unit secondary
ciscoasa(config-if)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ciscoasa(config)# failover key cisco987
ciscoasa(config)# failover
ciscoasa(config)# .

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

ASA-FW(config)#

ASA-FW(config)# int e0/0
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.

Note that you cannot configure the ASA using being on the Standby unit. Although, it is
possible to enable commands the config will NOT be synchronized between devices.

On Active ASA
ASA-FW(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)

Page 110 of 694
CCIE Security v3 Lab Workbook

Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:08:59 UTC Jul 10 2010
This host: Primary - Active
Active time: 105 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.10): Normal
Interface IN (10.1.101.10): Normal
Interface DMZ (10.1.104.10): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 291 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.11): Normal
Interface IN (10.1.101.11): Normal
Interface DMZ (10.1.104.11): Normal
slot 1: empty

Note the IP addresses in the brackets and “normal” state of those interfaces. The IP
addresses are simply Active and Standby IP address configured on the interface. If you
see 0.0.0.0 there, it means you do not have Standby IP address configured on a
particular interface.
Also the state may be different. There may be Waiting, Non-Monitored and Normal states.
Since the ASA does not monitor subinterfaces by default you may see Non-Monitored state
very often when using subinterfaces. However, a Waiting state means there is a process
of communicating between interfaces in the same subnet on both ASA units. If this state
is displayed for too long (couple of minutes) that means the ASA has communication
issues with other ASA device – meaning issues with L2 (switch) in most cases.

Stateful Failover Logical Update Statistics
Link : Unconfigured.

It is highly recommended to perform failover test after configuration. Below is an
example test which can easily verify if failover works fine.
1. Enable ICMP inspection to allow ICMP traffic go through the ASA
2. Start pinging R2 from R1 (Inside to Outside)
3. Make Standby ASA to become Active
4. Verify that failover took place and everyting is OK in means of verification
commands and check if ping is still going on.

FAILOVER TEST

1. Enable ICMP inspection on ASA (just to allow ICMP traffic to pass through the ASA)
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit

2. Perform repeated ping from R1
R1#ping 10.1.102.2 rep 1000

3. On standby ASA enter command “failover active” to become an active device
ASA-FW(config)# failover active

Switching to Active

ASA-FW(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)

Page 111 of 694
CCIE Security v3 Lab Workbook

Last Failover at: 23:14:41 UTC Oct 17 2009
This host: Secondary - Active
Active time: 22 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface OUT (10.1.102.10): Normal (Waiting)
Interface IN (10.1.101.10): Normal (Waiting)
Interface DMZ (10.1.104.10): Normal (Waiting)
slot 1: empty
Other host: Primary - Standby Ready
Active time: 740 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface OUT (10.1.102.11): Normal
Interface IN (10.1.101.11): Normal
Interface DMZ (10.1.104.11): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : Unconfigured.

Note that some of monitored interfaces have Waiting status. Do not worry. Just wait a
bit and run “show failover” command again. This may takes a while for interfaces to see
each other and update their status.

ASA-FW(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 23:14:41 UTC Oct 17 2009
This host: Secondary - Active
Active time: 37 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface OUT (10.1.102.10): Normal
Interface IN (10.1.101.10): Normal
Interface DMZ (10.1.104.10): Normal
slot 1: empty
Other host: Primary - Standby Ready
Active time: 740 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface OUT (10.1.102.11): Normal
Interface IN (10.1.101.11): Normal
Interface DMZ (10.1.104.11): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : Unconfigured.

4. Check R1 ping:
R1#ping 10.1.102.2 rep 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 1/2/4 ms

Page 112 of 694
CCIE Security v3 Lab Workbook

Note that only one ping is lost. The failover is working quite fast.
Also keep in mind that you can use redundant interfaces along with failover.

Task 2
Configure ASA so that it will maintain TCP connections (including HTTP) in the event
of active device failure. Use the same interface which is already used for LAN
Failover.

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information.
You have three options for configuring a Stateful Failover link:
 You can use a dedicated Ethernet interface for the Stateful Failover link.
 If you are using LAN-based failover, you can share the failover link.
 You can share a regular data interface, such as the inside interface (not recommended).
By default, ASA does not replicate HTTP session information when Stateful Failover is enabled.
Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed
connection attempts, not replicating HTTP sessions increases system performance without causing
serious data or connection loss.

On active ASA
ASA-FW(config)# failover link LAN_FO

ASA-FW(config)# failover replication http

Verification
ASA-FW(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:08:59 UTC Jul 10 2010
This host: Primary - Active
Active time: 695 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.10): Normal
Interface IN (10.1.101.10): Normal
Interface DMZ (10.1.104.10): Normal
slot 1: empty
Other host: Secondary - Bulk Sync
Active time: 291 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.11): Normal
Interface IN (10.1.101.11): Normal
Interface DMZ (10.1.104.11): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 3 0 3 0
sys cmd 3 0 3 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0

Page 113 of 694
CCIE Security v3 Lab Workbook

VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 8 3
Xmit Q: 0 26 36

ASA-FW(config)# sh failover interface
interface LAN_FO Ethernet0/3
System IP Address: 10.1.254.10 255.255.255.0
My IP Address : 10.1.254.10
Other IP Address : 10.1.254.11

ASA-FW(config)# sh run all monitor
monitor-interface OUT
monitor-interface IN
monitor-interface DMZ

By default ASA monitors only physical interfaces; it does not monitor logical
interfaces of subinterfaces. This must be manually enabled using “monitor-interface”
command.
There is also a feature called Remote Command Execution which is very useful when
making changes to the configuration in failover environment.
Because configuration commands are replicated from the active unit or context to the
standby unit or context, you can use the “failover exec” command to enter configuration
commands on the correct unit, no matter which unit you are logged-in to. For example,
if you are logged-in to the standby unit, you can use the “failover exec active”
command to send configuration changes to the active unit. Those changes are then
replicated to the standby unit.

Task 3
Configure ASA so that it will use static MAC address on the outside interface in case
standby device boots first. Use MAC address of 0011.0011.0011 as Active and
0022.0022.0022 as Standby.

MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.
However, if both units are not brought online at the same time and the secondary unit boots first
and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary
unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This
change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures
that the secondary unit uses the correct MAC address when it is the active unit, even if it comes
online before the primary unit.
This command has no effect when ASA is configured for Active/Active failover. In A/A failover there
is a command “mac address” under failover group.

On active ASA
ASA-FW(config)# failover mac address e0/0 0011.0011.0011 0022.0022.0022

Verification (on Active unit)
ASA-FW(config)# sh int out
Interface Ethernet0/0 "OUT", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0011.0011.0011, MTU 1500

Page 114 of 694
CCIE Security v3 Lab Workbook

IP address 10.1.102.10, subnet mask 255.255.255.0
1440 packets input, 173626 bytes, 0 no buffer
Received 50 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1401 packets output, 167906 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/3) software (0/0)
Traffic Statistics for "OUT":
1400 packets input, 142518 bytes
1401 packets output, 142508 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 24 bytes/sec
1 minute output rate 0 pkts/sec, 23 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 20 bytes/sec
5 minute output rate 0 pkts/sec, 20 bytes/sec
5 minute drop rate, 0 pkts/sec

Verification (on Standby unit)
ASA-FW(config)# sh int out
Interface Ethernet0/0 "OUT", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0022.0022.0022, MTU 1500
IP address 10.1.102.11, subnet mask 255.255.255.0
10413 packets input, 1231356 bytes, 0 no buffer
Received 9 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
10427 packets output, 1232128 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (1/5) software (0/0)
output queue (curr/max packets): hardware (0/3) software (0/0)
Traffic Statistics for "OUT":
10413 packets input, 1043922 bytes
10427 packets output, 1043956 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 21 bytes/sec
1 minute output rate 0 pkts/sec, 21 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 20 bytes/sec
5 minute output rate 0 pkts/sec, 20 bytes/sec
5 minute drop rate, 0 pkts/sec

ASA-FW(config)# failover exec mate sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 17:04:18 UTC Jul 10 2010
This host: Secondary - Standby Ready
Active time: 291 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.11): Normal
Interface IN (10.1.101.11): Normal
Interface DMZ (10.1.104.11): Normal
slot 1: empty
Other host: Primary - Active
Active time: 855 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
Interface OUT (10.1.102.10): Normal
Interface IN (10.1.101.10): Normal

Page 115 of 694
CCIE Security v3 Lab Workbook

Interface DMZ (10.1.104.10): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 24 0 24 0
sys cmd 24 0 24 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 5 219
Xmit Q: 0 1 24

Page 116 of 694
CCIE Security v3 Lab Workbook

Lab 1.19. Active/Active Failover
Lo0

Inside1 Lo0 Inside2

R4
.4 F0/0
R1 10.1.104.0/24
.1 F0/0
10.1.101.0/24
.10 .11 .11 .10
DMZ E0/1.101 E0/1.104 E0/1.101 E0/1.104
Lo0
.10 FO
F0/0 CTX CTX
E0/3 E0/3 CTX CTX
E0/2 1 2 1 2

R5 .5
.10 .13 E0/2 .11 .11 .12

E0/0 E0/0
10.1.105.0/24

10.1.102.0/24

Lo0 G0/0 .2 Outside

R2

Lab Setup:

 R2‟s G0/0 and ASA‟s‟ E0/0 interface should be configured in VLAN 102
 R5‟s F0/0 and ASA‟s‟ E0/2 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure static default route on all routers pointing to ASA
IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
G0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24

Page 117 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA1 with a hostname of ASA-FW and the following security contexts:
Context name: CTX1 CTX2
Interfaces: E0/0 – Outside E0/0 – Outside
E0/1.101 – Inside E0/1.104 – Inside
E0/2 – DMZ
Context file: CTX1.cfg CTX2.cfg

The context configuration should be stored on the Flash memory.

Configure interfaces for new contexts as follow:
Context Interface name Security level IP address
CTX1 Inside 100 10.1.101.10/24
Outside 0 10.1.102.10/24
DMZ 50 10.1.105.10/24
CTX2 Inside 100 10.1.104.10/24
Outside 0 10.1.102.12/24

In the Active/Active (A/A) implementation of failover, both appliances in the failover pair process
traffic. To accomplish this, two contexts are needed, as is depicted in the diagram above. On the left
appliance, CTX1 performs an active role and CTX2 a standby role. On the right appliance, CTX1 is
standby and CTX2 is active.
The configuration required in this task is very similar to the configuration of single ASA device. The
ASA must be converted to multiple mode, security contexts must be created and appropriate
interfaces allocated. Then interfaces must be configured as requested inside respective context.

On SW3
SW3(config-if)#int f0/11
SW3(config-if)#sw tru enca dot
SW3(config-if)#sw mo tru

SW3(config)#vlan 101
SW3(config-vlan)#exi
SW3(config)#vlan 104
SW3(config-vlan)#exit

On both ASA devices
ciscoasa# conf t
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***

Page 118 of 694
CCIE Security v3 Lab Workbook

*** change mode

Rebooting....

<…output ommited…>

On ASA1
ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# int e0/0
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1.101
ASA-FW(config-subif)# vlan 101
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# int e0/1.104
ASA-FW(config-subif)# vlan 104
ASA-FW(config-subif)# no sh
ASA-FW(config-subif)# int e0/2
ASA-FW(config-if)# no sh
ASA-FW(config-if)# context CTX1
Creating context 'CTX1'... Done. (2)

Depends on your previous configuration you may get a message saying:

ERROR: Identify admin context first, using the 'admin-context' command

Then, you need to create “admin” context first and tell the ASA to use that context for
administrative purposes. Both things can be done using the following command:

ASA-FW(config)# admin-context admin
Creating context 'admin'... Done. (2)

Unfortunately, the above command does not specify when admin context is going to write
its configuration. Hence, we need to specify that manually:

ASA-FW(config)# context admin
ASA-FW(config-ctx)# config-url disk0:/admin.ctx

WARNING: Could not fetch the URL disk0:/admin.ctx
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.

Note that it is wise to check if there is no file with previous configuration stored on
the flash before configuring config URL. If there is a file with the same name already,
it will be imported and used inside the context.

ASA-FW(config-ctx)# sh disk0: | in cfg|CFG
164 724 Oct 19 2009 18:38:50 admin.cfg
166 1437 Oct 19 2009 18:38:50 old_running.cfg

ASA-FW(config-ctx)# config-url disk0:CTX1.cfg
INFO: Converting disk0:CTX1.cfg to disk0:/CTX1.cfg

WARNING: Could not fetch the URL disk0:/CTX1.cfg
INFO: Creating context with default config
ASA-FW(config-ctx)# allocate-interface e0/1.101
ASA-FW(config-ctx)# allocate-interface e0/0
ASA-FW(config-ctx)# allocate-interface e0/2

ASA-FW(config-ctx)# context CTX2
Creating context 'CTX2'... Done. (3)
ASA-FW(config-ctx)# config-url disk0:CTX2.cfg
INFO: Converting disk0:CTX2.cfg to disk0:/CTX2.cfg

WARNING: Could not fetch the URL disk0:/CTX2.cfg
INFO: Creating context with default config
ASA-FW(config-ctx)# allocate-interface e0/1.104
ASA-FW(config-ctx)# allocate-interface e0/0

Page 119 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config-ctx)# changeto context CTX1
ASA-FW/CTX1(config)# int e0/1.101
ASA-FW/CTX1(config-if)# ip add 10.1.101.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.

ASA-FW/CTX1(config-if)# int e0/0
ASA-FW/CTX1(config-if)# ip add 10.1.102.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.

ASA-FW/CTX1(config-if)# int e0/2
ASA-FW/CTX1(config-if)# ip add 10.1.105.10 255.255.255.0
ASA-FW/CTX1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA-FW/CTX1(config-if)# security-level 50

ASA-FW/CTX1(config-if)# changeto context CTX2

ASA-FW/CTX2(config)# int e0/1.104
ASA-FW/CTX2(config-if)# ip add 10.1.104.10 255.255.255.0
ASA-FW/CTX2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.

ASA-FW/CTX2(config-if)# int e0/0
ASA-FW/CTX2(config-if)# ip add 10.1.102.12 255.255.255.0
ASA-FW/CTX2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW/CTX2(config-if)# exit

Verification
ASA-FW/CTX2(config)# ping 10.1.104.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.104.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA-FW/CTX2(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA-FW/CTX2(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/1.104 10.1.104.10 YES manual up up
Ethernet0/0 10.1.102.12 YES manual up up

ASA-FW/CTX2(config)# changeto context CTX1

ASA-FW/CTX1(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA-FW/CTX1(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA-FW/CTX1(config)# ping 10.1.105.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.105.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA-FW/CTX1(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/1.101 10.1.101.10 YES manual up up

Page 120 of 694
CCIE Security v3 Lab Workbook

Ethernet0/2 10.1.105.10 YES manual up up
Ethernet0/0 10.1.102.10 YES manual up up

Task 2
Configure Active/Active failover between ASA1 and ASA2 so that the context CTX1
is active on ASA1 and standby on ASA2 whilst the context CTX2 is active on ASA2
and standby on ASA1. As there is a shared interface among both devices, ensure
that packet classification is based on MAC addresses. Use interface E0/3 as failover
LAN and stateful link with IP address of 10.1.254.10/24 (VLAN 254). All standby IP
addresses should be derived from the last octet of primary IP address plus one (e.g.
if primary IP address is 10.1.1.10 the standby IP address will be 10.1.1.11). Secure
failover transmission with a key of “cisco456”.
Change the command line prompt to show hostname, context and current state of
the context for better visibility.

In Active/Standby failover, failover is performed on a unit basis. One unit is active while the other
unit is standby. In Active/Active, one context is active while the same context on the other ASA is in
standby state.
ASA uses failover groups to manage contexts. Each ASA supports up to two failover groups as
there can only be two ASAs in the failover pair. By default all security contexts are assigned to the
failover group 1.
You can control the distribution of active contexts between the ASAs by controlling each context's
membership in a failover group. Within the failover group configuration mode the "primary"
command gives the primary ASA higher priority for failover group 1. However, the "secondary"
command under failover group 2 gives secondary ASA higher priority for this failover group.
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously. If one unit boots before the other, both
failover groups become active on that unit. When the other unit comes online, any failover groups
that have the secondary unit as a priority do not become active on the second unit unless the
failover group is configured with the "preempt" command or is manually forced using "no
failover active" command.

On ASA1
ASA-FW/CTX1(config)# changeto system
ASA-FW(config)# failover group 1
ASA-FW(config-fover-group)# primary
ASA-FW(config-fover-group)# preempt

ASA-FW(config-fover-group)# failover group 2
ASA-FW(config-fover-group)# secondary
ASA-FW(config-fover-group)# preempt

ASA-FW(config-fover-group)# context CTX1
ASA-FW(config-ctx)# join-failover-group 1

ASA-FW(config-ctx)# context CTX2
ASA-FW(config-ctx)# join-failover-group 2
ASA-FW(config-ctx)# exit

ASA-FW(config)# failover lan unit primary
ASA-FW(config)# int e0/3
ASA-FW(config-if)# no sh
ASA-FW(config)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces

Page 121 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ASA-FW(config)# failover key cisco456
ASA-FW(config)# failover link LAN_FO
ASA-FW(config)# failover

The failover configuration is exactly the same as it was for Active/Standby failover.
Remember that when adding failover to the existing configuration, you must configure
standby IP addresses for all interfaces inside the security contexts.

ASA-FW(config)# changeto con CTX2

ASA-FW/CTX2(config)# int e0/1.104
ASA-FW/CTX2(config-if)# ip add 10.1.104.10 255.255.255.0 standby 10.1.104.11
ASA-FW/CTX2(config-if)# int e0/0
ASA-FW/CTX2(config-if)# ip add 10.1.102.12 255.255.255.0 standby 10.1.102.13

ASA-FW(config)# changeto con CTX1
ASA-FW/CTX1(config)# int e0/1.101
ASA-FW/CTX1(config-if)# ip add 10.1.101.10 255.255.255.0 standby 10.1.101.11
ASA-FW/CTX1(config-if)# int e0/0
ASA-FW/CTX1(config-if)# ip add 10.1.102.10 255.255.255.0 standby 10.1.102.11
ASA-FW/CTX1(config-if)# int e0/2
ASA-FW/CTX1(config-if)# ip add 10.1.103.10 255.255.255.0 standby 10.1.103.11
ASA-FW/CTX1(config-if)# changeto system

In multiple context mode, you can view the extended prompt when you log in to the
system execution space or the admin context. Within a non-admin context, you only see
the default prompt, which is the hostname and the context name.
The ability to add information to a prompt allows you to see at-a-glance which adaptive
security appliance you are logged into when you have multiple modules. During a
failover, this feature is useful when both adaptive security appliances have the same
hostname.

ASA-FW(config)# prompt hostname context priority state
ASA-FW/pri/act(config)#

Note that in Active/Active failover the ASA automatically generates different MAC
addresses on shared interfaces. You do NOT need to configure “mac-address auto” in A/A
failover scenario.

On SW3
SW3(config)#int f0/13
SW3(config-if)#sw mo acc
SW3(config-if)#sw acc vl 254
% Access VLAN does not exist. Creating vlan 254
SW3(config-if)#exi

On SW4
Switch(config)#ho SW4
SW4(config)#int f0/10
SW4(config-if)#sw mo acc
SW4(config-if)#sw acc vl 102
% Access VLAN does not exist. Creating vlan 102

SW4(config-if)#int f0/11
SW4(config-if)#sw tru enca dot
SW4(config-if)#sw mo tru

SW4(config-if)#int f0/12
SW4(config-if)#sw mo acc
SW4(config-if)#sw acc vl 105
% Access VLAN does not exist. Creating vlan 105

SW4(config-if)#int f0/13
SW4(config-if)#sw mo acc
SW4(config-if)#sw acc vl 254
% Access VLAN does not exist. Creating vlan 254

SW4(config-if)#int ran f0/19 - 24
SW4(config-if-range)#sw tru enca dot
SW4(config-if-range)#sw mo tru
SW4(config-if-range)#exi

Page 122 of 694
CCIE Security v3 Lab Workbook

SW4(config)#vlan 101
SW4(config-vlan)#exi
SW4(config)#vlan 104
SW4(config-vlan)#exi

On ASA2
On secondary ASA there is only basic failover configuration required. After configuring
and enabling failover, the secondary unit contacts the primary unit and copies
configuration for all contexts and system execution space.
As you can see both failover groups are active on the primary ASA at the beginning.
However, after configuration replication the secondary ASA “preempts” failover group 2.

ciscoasa(config)# no failover
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no sh
ciscoasa(config-if)# failover lan interface LAN_FO e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip LAN_FO 10.1.254.10 255.255.255.0 standby 10.1.254.11
ciscoasa(config)# failover key cisco456
ciscoasa(config)# failover link LAN_FO
ciscoasa(config)# failover
ciscoasa(config)# .

Detected an Active mate

ciscoasa(config)# Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)

WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'CTX1'... Done. (3)

WARNING: Skip fetching the URL disk0:/CTX1.cfg
INFO: Creating context with default config
Creating context 'CTX2'... Done. (4)

WARNING: Skip fetching the URL disk0:/CTX2.cfg
INFO: Creating context with default config

Group 1 Detected Active mate

Group 2 Detected Active mate
End configuration replication from mate.

Group 2 preempt mate
ASA-FW/sec/stby(config)#

Verification
ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 05:37:45 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host: Primary
Group 1 State: Active
Active time: 701 (sec)
Group 2 State: Standby Ready
Active time: 597 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)

Page 123 of 694
CCIE Security v3 Lab Workbook

CTX1 Interface Outside (10.1.102.10): Normal
CTX1 Interface DMZ (10.1.105.10): Normal
CTX2 Interface Inside (10.1.104.11): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.13): Normal
slot 1: empty

Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 103 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.11): Normal
CTX1 Interface DMZ (10.1.105.11): Normal
CTX2 Interface Inside (10.1.104.10): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.12): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 15 0 15 0
sys cmd 15 0 15 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 16
Xmit Q: 0 1 16

Note that the status for Inside interface in both contexts is “Normal (Not-Monitored)”.
This is because by default ASA does not monitor subinterfaces or logical interfaces. To
enable monitoring for those interfaces there should be “monitor-interface Inside”
command configured in each of security contexts.

ASA-FW/pri/act(config)# sh failover group 1

Last Failover at: 05:37:45 UTC Jul 17 2010

This host: Primary
State: Active
Active time: 829 (sec)

CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.10): Normal
CTX1 Interface DMZ (10.1.105.10): Normal

Other host: Secondary
State: Standby Ready
Active time: 0 (sec)

CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.11): Normal
CTX1 Interface DMZ (10.1.105.11): Normal

Stateful Failover Logical Update Statistics
Status: Configured.
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

ASA-FW/pri/act(config)# sh failover group 2

Last Failover at: 05:47:42 UTC Jul 17 2010

Page 124 of 694
CCIE Security v3 Lab Workbook

This host: Primary
State: Standby Ready
Active time: 597 (sec)

CTX2 Interface Inside (10.1.104.11): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.13): Normal

Other host: Secondary
State: Active
Active time: 248 (sec)

CTX2 Interface Inside (10.1.104.10): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.12): Normal

Stateful Failover Logical Update Statistics
Status: Configured.
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

ASA-FW/pri/act(config)# sh failover interface
interface LAN_FO Ethernet0/3
System IP Address: 10.1.254.10 255.255.255.0
My IP Address : 10.1.254.10
Other IP Address : 10.1.254.11

ASA-FW/pri/act(config)# changeto context CTX1

ASA-FW/CTX1/pri/act(config)# sh int e0/0
Interface Ethernet0/0 "Outside", is up, line protocol is up
MAC address 1200.0000.a300, MTU 1500
IP address 10.1.102.10, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
99 packets input, 7632 bytes
72 packets output, 6696 bytes
0 packets dropped

ASA-FW/CTX1/pri/act(config)# sh int e0/1.101
Interface Ethernet0/1.101 "Inside", is up, line protocol is up
MAC address 1200.0165.03b0, MTU 1500
IP address 10.1.101.10, subnet mask 255.255.255.0
Traffic Statistics for "Inside":
9 packets input, 684 bytes
20 packets output, 920 bytes
0 packets dropped

ASA-FW/CTX1/pri/act(config)# changeto context CTX2

ASA-FW/CTX2/pri/stby(config)# sh int e0/0
Interface Ethernet0/0 "Outside", is up, line protocol is up
MAC address 1200.0000.04b5, MTU 1500
IP address 10.1.102.13, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
99 packets input, 7872 bytes
81 packets output, 7268 bytes
0 packets dropped

ASA-FW/CTX2/pri/stby(config)# sh int e0/1.104
Interface Ethernet0/1.104 "Inside", is up, line protocol is up
MAC address 1200.0168.04b6, MTU 1500
IP address 10.1.104.11, subnet mask 255.255.255.0
Traffic Statistics for "Inside":
12 packets input, 822 bytes
25 packets output, 1060 bytes
0 packets dropped

Note: Enable ICMP inspection in both security contexts to ease the verification. Since
we are on Primary ASA in CTX2 security context (which is standby), we cannot configure
any commands. However we can use Remote Command Execution feature to configure remotely
Active context on the second device.

Page 125 of 694
CCIE Security v3 Lab Workbook

Unfortunately, this tool cannot be used for changing security context (“changeto”
command does not work). Hence, to make changes to CTX1 we need to do it manually.

ASA-FW/CTX2/pri/stby(config)# policy-map global_policy
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
ASA-FW/CTX2/pri/stby(config-pmap)#
ASA-FW/CTX2/pri/stby(config-pmap)# exi
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.

ASA-FW/CTX2/pri/stby(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!  Note: No ICMP Inspection

ASA-FW/CTX2/pri/stby(config)# failover exec mate policy-map global_policy
ASA-FW/CTX2/pri/stby(config)# failover exec mate class inspection_default
ASA-FW/CTX2/pri/stby(config)# failover exec mate inspect icmp

ASA-FW/CTX2/pri/stby(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp  ICMP Inspection is now enabled (configured on Active and sychronized over the
Failover link)
!

ASA-FW/CTX2/pri/stby(config)# sh failover exec mate
Active unit Failover EXEC is at mpf-policy-map-class sub-command mode

ASA-FW/CTX2/pri/stby(config)# failover exec mate show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

Page 126 of 694
CCIE Security v3 Lab Workbook

inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!

ASA-FW/CTX2/pri/stby(config)# changeto context CTX1

ASA-FW/CTX1/pri/act(config)# policy-map global_policy
ASA-FW/CTX1/pri/act(config-pmap)# class inspection_default
ASA-FW/CTX1/pri/act(config-pmap-c)# inspect icmp
ASA-FW/CTX1/pri/act(config-pmap-c)# exi
ASA-FW/CTX1/pri/act(config-pmap)# exi

R1#p 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#p 10.1.105.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.105.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R5#p 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R4#p 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping on R4 is not successful because there is no route back on R2. It has nothing to do
with ASA packets classification. After adding a route back, the ping in successful.

R2(config)#ip route 10.1.104.0 255.255.255.0 10.1.102.12

R4#p 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

It is highly recommended to perform failover test after configuration. The best test in
this situation would be shutting down switch port for DMZ interface of CTX1 security
context and check if failover “moves” CTX1 over to the secondary ASA.

FAILOVER TEST:
SW23#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int f0/12
SW3(config-if)#shut

Page 127 of 694
CCIE Security v3 Lab Workbook

ASA-FW/CTX1/pri/stby(config)# changeto system

ASA-FW/pri/stby(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:03:55 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host: Primary
Group 1 State: Failed
Active time: 1570 (sec)
Group 2 State: Standby Ready
Active time: 597 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.11): Normal
CTX1 Interface DMZ (10.1.105.11): No Link (Waiting)
CTX2 Interface Inside (10.1.104.11): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.13): Normal
slot 1: empty

Other host: Secondary
Group 1 State: Active
Active time: 40 (sec)
Group 2 State: Active
Active time: 1012 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.10): Normal
CTX1 Interface DMZ (10.1.105.10): Normal (Waiting)
CTX2 Interface Inside (10.1.104.10): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.12): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 139 0 138 0
sys cmd 136 0 136 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 3 0 2 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 138
Xmit Q: 0 1 139

Note that now both security contexts are active on the secondary ASA.
We can bring the switch port back up now and see if primary ASA preempts CTX1 context.

Bring the switch port back up.

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int f0/12
SW3(config-if)#no shut

ASA-FW/pri/act(config)#
Group 1 preempt mate

ASA-FW/pri/act(config)# sh failover
Failover On

Page 128 of 694
CCIE Security v3 Lab Workbook

Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:07:48 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host: Primary
Group 1 State: Active
Active time: 1601 (sec)
Group 2 State: Standby Ready
Active time: 597 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.10): Normal (Waiting)
CTX1 Interface DMZ (10.1.105.10): Normal (Waiting)
CTX2 Interface Inside (10.1.104.11): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.13): Normal
slot 1: empty

Other host: Secondary
Group 1 State: Standby Ready
Active time: 210 (sec)
Group 2 State: Active
Active time: 1215 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.11): Normal (Waiting)
CTX1 Interface DMZ (10.1.105.11): Normal (Waiting)
CTX2 Interface Inside (10.1.104.10): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.12): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 166 0 165 0
sys cmd 163 0 163 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 3 0 2 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 165
Xmit Q: 0 1 166

You may see “Normal (Waiting)” state for DMZ link for a while. This is because the ASA
uses keepalives between the interfaces to detect failure. Wait a bit and re-issue the
command again.
If you see “waiting” state for a long time this may indicate problem with L2
configuration. Check if both interfaces are reachable and switchports are configured
correctly.

ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:07:48 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host: Primary
Group 1 State: Active

Page 129 of 694
CCIE Security v3 Lab Workbook

Active time: 1711 (sec)
Group 2 State: Standby Ready
Active time: 597 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.10): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.10): Normal
CTX1 Interface DMZ (10.1.105.10): Normal
CTX2 Interface Inside (10.1.104.11): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.13): Normal
slot 1: empty

Other host: Secondary
Group 1 State: Standby Ready
Active time: 210 (sec)
Group 2 State: Active
Active time: 1325 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.11): Normal (Not-Monitored)
CTX1 Interface Outside (10.1.102.11): Normal
CTX1 Interface DMZ (10.1.105.11): Normal
CTX2 Interface Inside (10.1.104.10): Normal (Not-Monitored)
CTX2 Interface Outside (10.1.102.12): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 188 0 187 0
sys cmd 185 0 185 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 3 0 2 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 187
Xmit Q: 0 1 188

Task 3
To improve failover speed between two ASAs, configure both, unit and interface poll
time to exchange hello packets on every 500ms. Set the hold time to 5sec. Also,
ensure that the ASA will perform switchover for context CTX1 if minimum two
interfaces fail. Configure ASA to monitor all its interfaces.

If you want failover to occur faster, decrease the failover unit poll time, which specifies how often
hello messages are sent on the failover link. The hold time value specifies the amount of time that
ASA will wait (after lost three consecutive hellos) before declaring the peer unit failed and triggering
a failover.
You can also specify those parameters for monitored interfaces, as ASA sends hello packets out of
each monitored data interface to monitor interface health.
Also, there is a default failover policy which specifies a percentage or a number of the interfaces
which must failed before ASA triggers a failover. The default is 1 meaning the failover will trigger
when only one interface fails.

On Primary ASA
ASA-FW/pri/act(config)# changeto system

Page 130 of 694
CCIE Security v3 Lab Workbook

ASA-FW/pri/act(config)# failover polltime unit msec 500 holdtime 5

ASA-FW/pri/act(config)# failover group 1
ASA-FW/pri/act(config-fover-group)# interface-policy 2
ASA-FW/pri/act(config-fover-group)# polltime interface msec 500 holdtime 5

ASA-FW/pri/act(config-fover-group)# failover group 2
ASA-FW/pri/act(config-fover-group)# polltime interface msec 500 holdtime 5
ASA-FW/pri/act(config-fover-group)# exi

Note that Unit Pooltime and Interface Policy are configured under the failover groups.

ASA-FW/pri/act(config)# changeto context CTX1
ASA-FW/CTX1/pri/act(config)# monitor-interface Inside

Interface monitoring is configured in each security context and this is only one
command related to the failover configured in this place. This is because this is the
place where the ASA has access to the IP address of the interface.
Rest of failover commands are configured under the system context.

ASA-FW/CTX1/pri/act(config)# changeto context CTX2
ASA-FW/CTX2/pri/stby(config)# failover exec active monitor-interface Inside

Verification
ASA-FW/CTX2/pri/stby(config)# changeto system

ASA-FW/pri/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_FO Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 06:07:48 UTC Jul 17 2010
Group 2 last failover at: 05:47:42 UTC Jul 17 2010

This host: Primary
Group 1 State: Active
Active time: 3114 (sec)
Group 2 State: Standby Ready
Active time: 597 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.10): Normal
CTX1 Interface Outside (10.1.102.10): Normal
CTX1 Interface DMZ (10.1.105.10): Normal
CTX2 Interface Inside (10.1.104.11): Normal
CTX2 Interface Outside (10.1.102.13): Normal
slot 1: empty

Other host: Secondary
Group 1 State: Standby Ready
Active time: 210 (sec)
Group 2 State: Active
Active time: 2728 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(1)) status (Up Sys)
CTX1 Interface Inside (10.1.101.11): Normal
CTX1 Interface Outside (10.1.102.11): Normal
CTX1 Interface DMZ (10.1.105.11): Normal
CTX2 Interface Inside (10.1.104.10): Normal
CTX2 Interface Outside (10.1.102.12): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : LAN_FO Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 368 0 367 0
sys cmd 365 0 365 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0

Page 131 of 694
CCIE Security v3 Lab Workbook

UDP conn 0 0 0 0
ARP tbl 3 0 2 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 367
Xmit Q: 0 1 368

ASA-FW/pri/act(config)# changeto context CTX1

ASA-FW/CTX1/pri/act(config)# sh monitor-interface
This host: Primary - Active
Interface Inside (10.1.101.10): Normal
Interface Outside (10.1.102.10): Normal
Interface DMZ (10.1.105.10): Normal
Other host: Secondary - Standby Ready
Interface Inside (10.1.101.11): Normal
Interface Outside (10.1.102.11): Normal
Interface DMZ (10.1.105.11): Normal

ASA-FW/CTX1/pri/act(config)# changeto context CTX2

ASA-FW/CTX2/pri/stby(config)# sh monitor-interface
This host: Primary - Standby Ready
Interface Inside (10.1.104.11): Normal
Interface Outside (10.1.102.13): Normal
Other host: Secondary - Active
Interface Inside (10.1.104.10): Normal
Interface Outside (10.1.102.12): Normal

Task 4
You have been noticed by you company‟s networking team that they plan to deploy
another router on the outside network to connect to another ISP for redundancy and
load sharing. You must act proactively and ensure that any asymmetric traffic
(including HTTP) caused by redundant ISPs will be handled by the ASA in both
contexts.

In Active/Active designs, there is a greater chance for asymmetric routing. This means that one unit
may receive a return packet for a connection originated through its peer unit. Because this unit
does not have any connection information for this packet, the packet is dropped. This is most
common when there are two ISPs with BGP and packet can return from a different ISP.
This can be prevented on the ASA by using ASR Groups (Asynchronous Routing Groups)
configured on the interface inside the context. When an asr-group is configured on the interface
and it receives a packet for which it has no session information, it checks the session information
for the other interfaces that are in the same ASR Group. Then, instead of being dropped, the Layer 2
header is re-written and the packet is redirected to the other unit.

On Primary ASA
ASA-FW/CTX2/pri/stby(config)# changeto system
ASA-FW/pri/act(config)# failover group 1
ASA-FW/pri/act(config-fover-group)# replication http
ASA-FW/pri/act(config-fover-group)# failover group 2
ASA-FW/pri/act(config-fover-group)# replication http
ASA-FW/pri/act(config-fover-group)# changeto context CTX1

ASA-FW/CTX1/pri/act(config)# interface e0/0
ASA-FW/CTX1/pri/act(config-if)# asr-group 1

ASA-FW/CTX1/pri/act(config-if)# changeto context CTX2

Page 132 of 694
CCIE Security v3 Lab Workbook

ASA-FW/CTX2/pri/stby(config)# failover exec active interface e0/0
ASA-FW/CTX2/pri/stby(config)# failover exec active asr-group 1

Verification
ASA-FW/CTX2/pri/stby(config)# failover exec active sh interface e0/0 detail
Interface Ethernet0/0 "Outside", is up, line protocol is up
MAC address 1200.0000.0400, MTU 1500
IP address 10.1.102.12, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
4015 packets input, 432772 bytes
4012 packets output, 432696 bytes
0 packets dropped
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Asymmetrical Routing Statistics:
Received 0 packets
Transmitted 0 packets
Dropped 0 packets

ASA-FW/CTX2/pri/stby(config)# changeto context CTX1

ASA-FW/CTX1/pri/act(config)# sh interface e0/0 detail
Interface Ethernet0/0 "Outside", is up, line protocol is up
MAC address 1200.0000.0500, MTU 1500
IP address 10.1.102.10, subnet mask 255.255.255.0
Traffic Statistics for "Outside":
6088 packets input, 539738 bytes
4105 packets output, 442420 bytes
1955 packets dropped
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Asymmetrical Routing Statistics:
Received 0 packets
Transmitted 0 packets
Dropped 0 packets

Page 133 of 694
CCIE Security v3 Lab Workbook

Lab 1.20. Redundant Interfaces

Lo0

Inside

R1
.1 F0/0
10.1.101.0/24
E0/0 .10 E0/1

E0/2 E0/3
.10
10.1.102.0/24

Lo0 G0/0 .2 Outside

R2

Lab Setup:

 R1‟s F0/0 and ASA1 E0/0 & E0/1 interfaces should be configured in VLAN
101.
 R2‟s G0/0 and ASA1 E0/2 & E0/3 interfaces should be configured in VLAN
102
 Configure Telnet on all routers using password “cisco”
 Configure static default route on all routers pointing to ASA.
IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24

Page 134 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure the following redundant interfaces on ASA1:
Interface name Redundant1 Redundant2
Member physical E0/0, E0/1 E0/2, E0/3
interfaces
IP address 10.1.101.10/24 10.1.102.10/24
nameif Inside Outside
Security 100 0

Configure ASA1 with a hostname of ASA-FW.

A redundant interface is a logical interface made up of two physical interfaces. One physical
interface serves as the active interface while the other serves as the standby. When active interface
fails, the standby interface becomes active and starts passing traffic. It does not load share across
both interfaces at the same time. A redundant interface is considered in failure state only when both
of the underlying physical interfaces fail.
Up to eight redundant interface pairs can be configured. Both member interfaces must be of the
same physical type (i.e. Ethernet) and have similar parameters configured (i.e. duplex, speed). There
must not be any other logical parameters configured on member interfaces like nameif, security
level or IP address. Those parameters must be first removed before adding physical interface to the
redundant pair.
You can use redundant interface for failover link between two ASA devices. There must be switch
between the ASAs and the same active link (redundant interface member) must be up on both sides
of the link.
Be careful because when the active interface fails over to the standby interface, the redundant
interface does not appear to be failed when being monitored for device-level failover.
The redundant interface uses the MAC address of the first physical interface you add. If you change
the order of the member interfaces in the configuration, the MAC address changes to match the
MAC address of the interface that is now listed first. You can assign a MAC address to the
redundant interface, which is regardless of the member interface MAC address.
Also remember that there is no preemption between redundant interface members. If one member
fails and then come back, it will not become an active member automatically.

On ASA
ciscoasa(config)# hostname ASA-FW
ASA-FW(config)# int e0/0
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/1
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/2
ASA-FW(config-if)# no sh
ASA-FW(config-if)# int e0/3
ASA-FW(config-if)# no sh

ASA-FW(config-if)# interface redundant 1
ASA-FW(config-if)# member-interface e0/0
INFO: security-level and IP address are cleared on Ethernet0/0.
ASA-FW(config-if)# member-interface e0/1
INFO: security-level and IP address are cleared on Ethernet0/1.
ASA-FW(config-if)# ip add 10.1.101.10 255.255.255.0
ASA-FW(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA-FW(config-if)# no sh

ASA-FW(config-if)# interface redundant 2

Page 135 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config-if)# member-interface e0/2
INFO: security-level and IP address are cleared on Ethernet0/2.
ASA-FW(config-if)# member-interface e0/3
INFO: security-level and IP address are cleared on Ethernet0/3.
ASA-FW(config-if)# ip add 10.1.102.10 255.255.255.0
ASA-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA-FW(config-if)# no sh
ASA-FW(config-if)# exit

Verification
ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8d9.6272, MTU 1500
IP address 10.1.101.10, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
358 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (8/25) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "Inside":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/1
Last switchover at 20:50:29 UTC Oct 19 2009

ASA-FW(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Active member of Redundant1
MAC address 0019.e8d9.6272, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/254)

ASA-FW(config)# sh int red2
Interface Redundant2 "Outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8d9.6274, MTU 1500
IP address 10.1.102.10, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
33 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (8/25) software (0/0)

Page 136 of 694
CCIE Security v3 Lab Workbook

output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "Outside":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/2(Active), Ethernet0/3
Last switchover at 20:51:11 UTC Oct 19 2009

See the Active member is by default first member added to the redundant interface pair.
Also note that the MAC address of the redundant interface is inherited from the first
member added to the configuration.
Now, it‟s time to test. Shut down switch port where E0/0 interface is connected.

TEST:
SW3(config)#int f0/10
SW3(config-if)#shut
SW3(config-if)#

ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8d9.6272, MTU 1500
IP address 10.1.101.10, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
358 L2 decode drops
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/1) software (0/0)
Traffic Statistics for "Inside":
0 packets input, 0 bytes
1 packets output, 28 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/0
Last switchover at 20:58:09 UTC Oct 19 2009

The second member interface has been promoted to Active state. Note that MAC address
has not been changed. This is because it is inherited from the first member in the
configuration – not from the Active member!
Now, bring the switch port back up.

SW3(config)#int f0/10
SW3(config-if)#no sh
SW3(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
SW3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8d9.6272, MTU 1500

Page 137 of 694
CCIE Security v3 Lab Workbook

IP address 10.1.101.10, subnet mask 255.255.255.0
109 packets input, 6985 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
358 L2 decode drops
124 packets output, 8788 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (1/25) software (0/0)
output queue (curr/max packets): hardware (0/1) software (0/0)
Traffic Statistics for "Inside":
109 packets input, 4503 bytes
124 packets output, 6078 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 23 bytes/sec
1 minute output rate 0 pkts/sec, 41 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/0
Last switchover at 20:58:09 UTC Oct 19 2009

See that the Active interface did not change. This is because there is no preempt in
the redundant interfaces. Active interface in the redundant pair can be changed using
command “redundant-interface red1 active-member”.

ASA-FW(config)# redundant-interface red1 active-member ethernet0/0

ASA-FW(config)# sh int red1
Interface Redundant1 "Inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8d9.6272, MTU 1500
IP address 10.1.101.10, subnet mask 255.255.255.0
110 packets input, 7049 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
359 L2 decode drops
125 packets output, 8852 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (2/25) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Traffic Statistics for "Inside":
109 packets input, 4503 bytes
125 packets output, 6106 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 15 bytes/sec
5 minute output rate 0 pkts/sec, 20 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/1
Last switchover at 21:05:15 UTC Oct 19 2009

Page 138 of 694
CCIE Security v3 Lab Workbook

Lab 1.21. Transparent Firewall

Lo0
VLAN 104 - 10.1.104.0/24
Lo0 Inside
.1
F0/1
F0/1 R1
R4 .4 .1 F0/0
VLAN 101 - 10.1.100.0/24
E0/1

E0/0
VLAN 102 - 10.1.100.0/24

Lo0 G0/0 .2 Outside

R2

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interfaces should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interfaces should be configured in VLAN 102
 R1‟s F0/1 and R4‟s F0/1 interfaces should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
IP Addressing:

Router Interface IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.100.1/24
F0/1 10.1.104.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.100.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24

Page 139 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure the ASA as transparent firewall. Use interface E0/0 as the Outside and
interface E0/1 as the Inside. Assign management IP address of 10.1.100.10/24 and
allow connections via SSH from the inside networks only. Set SSH access password
to “cisco123”. Configure domain name of MicronicsTraining.com.

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts in the local network.
A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire" and
it not seen as a router hop to other devices. The ASA connects the same network on its inside and
outside ports, but each interface resides on a different broadcast domain (different VLAN is used),
so that the ASA performs secured transparent bridging between the two VLANs.
It is very useful and allows us to deploy a firewall in the network without IP readdressing or
changing routing domain. However, the ASA in transparent mode differs from the routed mode in
the following ways:
 Supports only two data interfaces - you can use only Inside and Outside, no DMZ is
allowed
 Require only one IP address - this IP address is assigned to the entire device and it's used
for management purposes and to communicate the ASA with external services like AAA
servers or SYSLOG.
 Bridges packets from one interface/VLAN to the other - there is no routing decision taking
place, packets are bridged based on Layer 2 addresses.
 Can pass traffic that cannot be passed by a security appliance in routed mode - for
example Layer 2 traffic like BPDU, IPX or MPLS.

In addition to that ASA in transparent mode does not support:
 Dynamic Domain Name System (DynDNS)
 Dynamic routing protocols - however, you can use static routes for traffic originated on
the ASA; dynamic routing protocols can be allowed to go through the ASA if ACL permits
 IPv6
 DHCP relay - the transparent ASA can act as DHCP server, but cannot act as DHCP relay,
simply because it is no longer necessary as you can pass DHCP traffic through the ASA
using ACL
 Quality of Service (QoS)
 Multicast - you can, however, allow multicast traffic through the ASA
 Virtual private network (VPN) termination - the transparent ASA supports only site-to-site
VPN tunnels for management connections. It does not terminate remote access VPNs but
it passes VPN traffic through using ACL.

To set the firewall mode to transparent mode, use the "firewall transparent" command in
global configuration mode. For multiple context mode, you can use only one firewall mode for all
contexts (no mix of routed and transparent is possible). Hence, this command is located in the
system execution space (however, it also appears in each context configuration just for
informational purposes).
After changing the mode, the ASA clears the configuration because many commands are not
supported in the transparent mode.

On ASA
ciscoasa(config)# firewall transparent

Page 140 of 694
CCIE Security v3 Lab Workbook

Note that to change the firewall type back to Routed you must enter “no firewall
transparent” command.

ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa(config-if)# no sh

ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa(config-if)# no sh

ciscoasa(config-if)# ip add 10.1.100.10 255.255.255.0

ciscoasa(config)# domain-name MicronicsTraining.com

ciscoasa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

ciscoasa(config)# ssh 0 0 inside
ciscoasa(config)# passwd cisco123

Verification
R1#ssh -l pix -c 3des 10.1.100.10

Password:
Type help or '?' for a list of available commands.
ciscoasa> exit

[Connection to 10.1.100.10 closed by foreign host]

There is a built-in username of “pix” which can be use for remote access. The password
of this user is the same as enable password for the device.

R1#tel 10.1.100.2
Trying 10.1.100.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:39
*514 vty 0 idle 00:00:00 10.1.100.1

Interface User Mode Idle Peer Address

R2>exit

[Connection to 10.1.100.2 closed by foreign host]

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.100.1 - 0012.8031.dcf8 ARPA FastEthernet0/0
Internet 10.1.100.2 0 0011.9368.b380 ARPA FastEthernet0/0
Internet 10.1.100.10 0 0018.7317.b0e1 ARPA FastEthernet0/0
Internet 10.1.104.1 - 0012.8031.dcf9 ARPA FastEthernet0/1

ciscoasa(config)# sh arp
Outside 10.1.100.2 0011.9368.b380 40
Inside 10.1.100.1 0012.8031.dcf8 40

Note that we see ARP table on the ASA but it is not used for traffic crossing the
device.

Task 2
Configure a BGP neighbor relationship between R1 and R2 in AS 100. The neighbor
relationship should be authenticated using key of “bgp123”.

Page 141 of 694
CCIE Security v3 Lab Workbook

Just like any other routing protocol, BGP can be configured for authentication. You can configure
MD5 authentication between two BGP peers, which means that each packet sent on the TCP
connection between the peers is verified. MD5 authentication must be configured with the same
password on both BGP peers.
When you are configuring BGP peers with MD5 authentication that pass through an ASA, it is
important to disable sequence number randomization because the sequence number is used by
BGP peers to calculate the MD5 hash value.
The 16-bit hash value is produced using the following items:
 the TCP pseudo-header (in the order: source IP address, destination IP address, zero-
padded protocol number, and segment length)
 the TCP header, excluding options, and assuming a checksum of zero
 the TCP segment data (if any)
 an independently-specified key or password, known to both peers (BGP password)
Then this MD5 hash is send over the BGP peer using TCP Option 19 in the TCP header. And here is
another issue as the ASA automatically clears all TCP Options and forwards packets to the
destination.
So, just to summarize up, two things must be done on the ASA to successfully establish BGP
peering:
 Sequence number randomization for BGP packets must be disabled
 TCP option 19 must be allowed in the BGP packets
This can be done using so called TCP normalization features. Using tcp-map we can specify/match
advanced options inside TCP header (it works like class-map but it is designed for TCP) and then in
the policy-map we use “set connection” command (instead of “inspect”) to perform an action on
our matched traffic.
Without that configuration on ASA, the BGP authentication is broken and BGP peers display the
following error message on the console:
%TCP-6-BADAUTH: No MD5 digest from 10.1.100.2(179) to 10.1.100.1(54787) (RST)

On R1
R1(config)#router bgp 100
R1(config-router)#neighbor 10.1.100.2 remote-as 100
R1(config-router)#neighbor 10.1.100.2 password bgp123

On R2
R2(config)#router bgp 100
R2(config-router)#neighbor 10.1.100.1 remote-as 100
R2(config-router)#neighbor 10.1.100.1 password bgp123

On ASA
ciscoasa(config)# tcp-map BGPMAP
ciscoasa(config-tcp-map)# tcp-options range 19 19 allow

ciscoasa(config-tcp-map)# class-map BGP
ciscoasa(config-cmap)# match port tcp eq 179

ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class BGP
ciscoasa(config-pmap-c)# set connection random-sequence-number disable
ciscoasa(config-pmap-c)# set connection advanced-options BGPMAP
ciscoasa(config-pmap-c)# exi
ciscoasa(config-pmap)# exi

Verification
R1(config-router)#

Page 142 of 694
CCIE Security v3 Lab Workbook

%TCP-6-BADAUTH: No MD5 digest from 10.1.100.2(179) to 10.1.100.1(21762) (RST)
R1(config-router)#
%TCP-6-BADAUTH: No MD5 digest from 10.1.100.2(179) to 10.1.100.1(21762) (RST)

R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.100.2 4 100 0 0 0 0 0 never Active
R1#
%BGP-5-ADJCHANGE: neighbor 10.1.100.2 Up

Be careful here as Active state in “show ip bgp summary” means that BGP actively trying
to connect to its peer. There must be status of zero or any other number to be sure
that BGP works fine.

R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.100.2 4 100 5 5 1 0 0 00:01:52 0

Task 3
Configure the ASA so that it examines each ARP packet on the inside and outside
interfaces before forwarding the packet. It should look in the static ARP table for a
matching entry and if there is no match it should drop the packet. Create a static ARP
entry for R1 and R2 Ethernet interfaces.

ARP packets are allowed through the transparent ASA in both directions by default without any
ACL. However, you can control ARP packets by enabling ARP inspection.
This feature prevents malicious users from doing "main-in-the-middle" attack. For example, a host
sends an ARP request to its default gateway, the default gateway router responds with its MAC
address. The attacker can send another ARP response to the host with the attacker's MAC address
instead of router’s MAC address. Thus, the attacker can intercept traffic and forward it to the real
default gateway, so that it is completely transparent to the user.
ARP inspection ensures that attacker cannot send an ARP response with its MAC address, as long
as the correct MAC address and the associated IP address are in the static ARP table on the ASA.
You must configure static ARP entries before enabling ARP inspection. When you enable ARP
inspection, the ASA compares the MAC address, IP address, and source interface in all ARP
packets to static entries in the ARP table. The following rules are enforced:
 if the IP address, MAC address, and source interface match an ARP entry, the packet is
passed through.
 if there is a mismatch between the MAC address, the IP address, or the interface, the ASA
drops the packet.
 if the ARP packet does not match any entries in the static ARP table, you can configure
the ASA to either forward the packet out all interfaces (flood), or to drop the packet (no-
flood).

On R1
R1#sh int f0/0 | in bia
Hardware is MV96340 Ethernet, address is 001b.533b.ce68 (bia 001b.533b.ce68)

Page 143 of 694
CCIE Security v3 Lab Workbook

On R2
R2#sh int g0/0 | in bia
Hardware is BCM1125 Internal MAC, address is 001b.533b.ea58 (bia 001b.533b.ea58)

First, we need to know MAC addresses for both hosts communicating. Then we need to
configure those MAC addresses on the ASA and enable ARP inspection feature.

On ASA
ciscoasa(config)# arp inside 10.1.100.1 001b.533b.ce68
ciscoasa(config)# arp outside 10.1.100.2 001b.533b.ea58

ciscoasa(config)# arp-inspection inside enable no-flood
ciscoasa(config)# arp-inspection outside enable no-flood

Verification
ciscoasa(config)# sh arp-inspection
interface arp-inspection miss
----------------------------------------------------
Outside enabled no-flood
Inside enabled no-flood

ciscoasa(config)# sh arp
Outside 10.1.100.2 001b.533b.ea58 -
Inside 10.1.100.1 001b.533b.ce68 –

R1#tel 10.1.100.2
Trying 10.1.100.2 ... Open

User Access Verification

Password:
R2>exit

[Connection to 10.1.100.2 closed by foreign host]

To verify, let‟s change MAC address on R1. Telnet connection does not work after MAC
changing. Logs on the ASA indicate that ARP inspection blocked the traffic:

%ASA-3-322002: ARP inspection check failed for ARP response received from host
0011.0011.0011 on interface Inside. This host is advertising MAC Address 0011.0011.0011
for IP Address 10.1.100.1, which is statically bound to MAC Address 001b.533b.ce68

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#mac-address 0011.0011.0011
R1(config-if)#^Z
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#tel 10.1.100.2
Trying 10.1.100.2 ...
% Connection timed out; remote host not responding

Task 4
Remove the static MAC address from R1‟s F0/0 interface.
Configure R1 and R2 interface to be a part of OSPF Area 0. Ensure that routers
successfully establish OSPF neighbor relationship.

Page 144 of 694
CCIE Security v3 Lab Workbook

By default only Layer 3 unicast traffic is passed through the ASA (from the interface with higher
security level to the interface with lower security level). To permit Layer 3 broadcast or multicast
packets through the ASA, you must configure an ACL with a Layer 3 destination address of
255.255.255.255 for broadcast or 224.x.x.x for multicast. The ACL must be applied in both directions
(inside and outside) to allow adjacency forming for routing protocols like OSPF or EIGRP.
For OSPF you need to permit OSPF traffic (IP protocol 89) destined to the multicast address
224.0.0.5 and 224.0.0.6. As the OSPF updates are sending between DR and OTHER router using
unicast it is needed to allow that traffic as well.
OSPF configuration on the routers may be different in real world and hence there must be different
ACL entries configured. Thus, it is recommended to enable logging on the ASA to see what OSPF
packets are getting dropped and then build proper ACL base on that information.

On R1
R1(config)#int f0/0
R1(config-if)#no mac-address 0011.0011.0011
R1(config-if)#router ospf 1
R1(config-router)#network 0.0.0.0 0.0.0.0 area 0

On R2
R2(config)#router ospf 1
R2(config-router)#network 0.0.0.0 0.0.0.0 area 0

On ASA
ciscoasa(config)# access-list OUTSIDE_IN permit 89 host 10.1.100.2 host 224.0.0.5
ciscoasa(config)# access-list OUTSIDE_IN permit 89 host 10.1.100.2 host 224.0.0.6
ciscoasa(config)# access-list OUTSIDE_IN permit 89 host 10.1.100.2 host 10.1.100.1
ciscoasa(config)# access-group OUTSIDE_IN in interface outside

ciscoasa(config)# access-list INSIDE_IN permit 89 host 10.1.100.1 host 224.0.0.5
ciscoasa(config)# access-list INSIDE_IN permit 89 host 10.1.100.1 host 224.0.0.6
ciscoasa(config)# access-list INSIDE_IN permit 89 host 10.1.100.1 host 10.1.100.2
ciscoasa(config)# access-group INSIDE_IN in interface inside

Verification
Message on R1
%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done

R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:35 10.1.100.2 FastEthernet0/0

R2#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:35 10.1.100.1 FastEthernet0/0

Note that above access-list breaks BGP relationship previously configured as it blocks
TCP/179 traffic. As BGP relation can be establish from both directions, there should be
access-list entries allowing this.

On ASA
ciscoasa(config)# access-list OUTSIDE_IN permit tcp host 10.1.100.2 host 10.1.100.1 eq 179
ciscoasa(config)# access-list INSIDE_IN permit tcp host 10.1.100.1 host 10.1.100.2 eq 179

Page 145 of 694
CCIE Security v3 Lab Workbook

Verification
R1#sh ip bgp summ
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.100.2 4 100 33 37 1 0 0 00:00:43 0

Task 5
Configure ASA so that it translates R1‟s F0/0 IP address to the IP address of
10.1.105.1. Also, R4‟s F0/0 IP address should be translated to the IP address of
10.1.125.4. Ensure that Telnet works from R1 and R4 to R2‟s F0/0 interface and the
translation takes place.

The ASA (version 8.0 and later) in transparent mode allows us to configure NAT for Layer 3
addresses traversing the firewall. This can be done in the same way as it is in routed mode.
However, you must configure static routing on the ASA to upstream router if there is translation of
not directly connected subnet. Also remember that you cannot configure interface PAT in the
transparent mode as the ASA has no IP addresses on the interfaces.

On R4
R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.104.1

On R2
R2(config)#ip route 10.1.125.4 255.255.255.255 10.1.100.1
R2(config)#ip route 10.1.105.1 255.255.255.255 10.1.100.1

On ASA

ciscoasa(config)# static (in,out) 10.1.105.1 10.1.100.1
ciscoasa(config)# static (in,out) 10.1.125.4 10.1.104.4

ciscoasa(config)# route inside 10.1.104.0 255.255.255.0 10.1.100.1

ciscoasa(config)# access-list INSIDE_IN permit tcp any any eq 23

Verification
R1#tel 10.1.100.2
Trying 10.1.100.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:23
*514 vty 0 idle 00:00:00 10.1.105.1

Interface User Mode Idle Peer Address

R2>exit

[Connection to 10.1.100.2 closed by foreign host]

Page 146 of 694
CCIE Security v3 Lab Workbook

R4#tel 10.1.100.2
Trying 10.1.100.2 ... Open

User Access Verification

Password:
R2>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:01:19
*514 vty 0 idle 00:00:00 10.1.125.4

Interface User Mode Idle Peer Address

R2>exit

[Connection to 10.1.100.2 closed by foreign host]

ciscoasa(config)# sh xlate
2 in use, 2 most used
Global 10.1.105.1 Local 10.1.100.1
Global 10.1.125.4 Local 10.1.104.4

ciscoasa(config)# sh xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from Inside:10.1.100.1 to Outside:10.1.105.1 flags s
NAT from Inside:10.1.104.4 to Outside:10.1.125.4 flags s

Page 147 of 694
CCIE Security v3 Lab Workbook

Lab 1.22. Threat Detection

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 148 of 694
CCIE Security v3 Lab Workbook

Task 1
On ASA configure Threat Detection feature so that it collects information about used
protocols and hosts. Configure this feature to generate SYSLOG message when
access-list drops packets at rate of 1000pkt/sec through 20 minutes or at 100pkt/sec
burst rate.
If the attack is discovered block the attacker‟s host for 30 minutes.

The Threat Detection feature can help an administrator determine the level of severity for packets
that are detected and dropped by the ASA. There are two types of threat detection:
 Basic threat detection - tracks the rate at which threat-related packets are dropped and
generates a SYSLOG message when rates exceed their thresholds
 Scanning thread detection - detects network sweeps and scans and optionally takes
appropriate preventive action
In addition the treat detection feature provides statistics for host-based, port-based and protocol-
based information. Those statistics can help you detect activity that might be related to an attack,
such as denial of service (DoS) attack. The basic threat detection is enabled by default on the ASA
and can slightly affect performance when there are lots of drops.
Basic threat detection provides threat-related drop statistics by monitoring the following events:
 Access list drops
 Bad packet format
 Exceeded connection limits
 Detection of DoS attacks
 Failed basic firewall checks
 Detection of suspicious ICMP packets
 Packets failing application inspection
 Interface overload
 Detection of scanning attacks
 Detection of incomplete sessions, such as TCP SYN attacks or no data UDP sessions
attacks
Each of these monitored events has a default rate limit (threshold). When this is exceeded a
SYSLOG message (733100) is generated. The ASA tracks two types of rates for each monitored
event: (1) the average event rate over an interval and (2) the burst event rate over a shorter burst
interval (which is 1/60th of the average rate interval or 10 seconds, whichever is higher).
In our example the rate interval must be 20 minutes (1200 seconds), the average rate is 1000 packet
drops per second and the burst rate is 100 drops per second. The calculated burst rate interval is
1/60 of 1200, which equals 20.

Scanning threat detection determines whether a scan is in progress by correlating the host
database statistics over a specified host or subnet. If the default scanning threat rate threshold is
exceeded, the ASA generates SYSLOG message 733101, which indicates that a host has been
identified as a target or an attacker. You can configure scanning treat detection to perform
automatic shunning (blocking a host), the ASA terminates connections from hosts identified as
attackers and generates SYSLOG message. You can exempt host IP address from being shunned.
Use "show threat-detection shun" command to view the shunned hosts and release a host
from being shunned using "clear threat-detection shun" command.
You can configure the ASA to collect extensive threat detection statistics for hosts, protocols, ports
and access lists. Statistics for access lists are enabled by default.

Page 149 of 694
CCIE Security v3 Lab Workbook

On ASA
ASA-FW(config)# threat-detection rate acl-drop rate-interval 1200 average-rate 1000 burst-rate
100
ASA-FW(config)# threat-detection scanning-threat shun duration 1800

ASA-FW(config)# threat-detection statistics host
ASA-FW(config)# threat-detection statistics protocol

Verification
R2#pi 10.1.101.1 rep 10000 time 0

Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.1.101.1, timeout is 0 seconds:
......................................................................
<…output ommited…>

ASA-FW(config)# sh threat-detection statistics
Current monitored hosts:0 Total not monitored hosts:0
Average(eps) Current(eps) Trigger Total events
Top Name Id Average(eps) Current(eps) Trigger Total events
Top Name Id Average(eps) Current(eps) Trigger Total events
Average(eps) Current(eps) Trigger Total events
ICMP * 1: tot-ses:3 act-ses:0
1-hour Sent byte: 196 0 0 708600
8-hour Sent byte: 24 738 0 708600
24-hour Sent byte: 8 246 0 708600
1-hour Sent pkts: 1 0 0 7086
8-hour Sent pkts: 0 7 0 7086
24-hour Sent pkts: 0 2 0 7086

ASA-FW(config)# sh threat-detection rate acl-drop
Average(eps) Current(eps) Trigger Total events
10-min ACL drop: 16 500 0 10000
20-min ACL drop: 8 0 1 10000
1-hour ACL drop: 2 0 0 10000

ASA-FW(config)# sh threat-detection shun
Shunned Host List:

Page 150 of 694
CCIE Security v3 Lab Workbook

Lab 1.23. Controlling ICMP and fragmented
traffic

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 151 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA so that it can ping all outside networks, but nobody can ping ASA
from the outside. Do not use ACL to accomplish this task.

ASA controls ICMP messages which are direct to the firewall in the other way than IOS router. There
are special commands available to accept or not ICMP messages on the interfaces. By default ASA
can be pinged from every side, however, pings directed to the broadcast address are dropped.
ICMP control works in inbound direction only, meaning you can configure what networks/hosts are
allowed to send ICMP specified messages and on which ASA interface.

On ASA
ASA-FW(config)# icmp permit any echo-reply OUT

Simply speaking this command permits ICMP Echo Reply packets on outside interface. This
means the ASA can send out ICMP Echo Request and will permit ICMP Echo Reply messages
only.

Verification
ASA-FW(config)# sh run all icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply OUT

ASA-FW(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA-FW(config)# ping 10.1.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R2#ping 10.1.102.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#ping 10.1.101.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Task 2
Ensure that pMTU discovery and traceroute work successfully with the firewall. All
other ICMP messages terminating on firewall interfaces should be discarded.

Traceroute tools uses ICMP time-exceeded and ICMP unreachable messages to determine the hops
in the network. To make that tool work the ASA must be able to pass that traffic through, so you
need to configure ACL on the outside to allow that traffic.

Page 152 of 694
CCIE Security v3 Lab Workbook

Pre-verification
R1#traceroute 10.1.102.2

Type escape sequence to abort.
Tracing the route to 10.1.102.2

1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * *

On ASA
ASA-FW(config)# icmp permit any time-exceeded OUT
ASA-FW(config)# icmp permit any unreachable OUT
ASA-FW(config)# !
ASA-FW(config)# icmp permit any time-exceeded IN
ASA-FW(config)# icmp permit any unreachable IN
ASA-FW(config)# !
ASA-FW(config)# icmp permit any time-exceeded DMZ
ASA-FW(config)# icmp permit any unreachable DMZ

ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any unreachable
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any time-exceeded
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
R1#traceroute 10.1.102.2

Type escape sequence to abort.
Tracing the route to 10.1.102.2

1 10.1.102.2 0 msec 0 msec *

Task 3
Disable fragment reassembling on the ASA‟s outside interface. You can allow ICMP
traffic to pass through the ASA to validate the solution.

By default, the ASA accepts up to 24 fragments to reconstruct full IP packet. So, the easiest way to
prevent packets reassembling on the ASA is to change that value to 1. This means, no fragments
can be accepted. There is also limit of packets that can be buffered for reassembly which is 200 by
default. Changing this value to a large number can make the ASA more vulnerable to a DoS attack
by fragment flooding.

On ASA
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# fragment chain 1 OUT

Verification

Page 153 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# sh run all fragment
fragment size 200 OUT
fragment chain 1 OUT
fragment timeout 5 OUT
no fragment reassembly full OUT
fragment size 200 IN
fragment chain 24 IN
fragment timeout 5 IN
no fragment reassembly full IN
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ

R2#ping 10.1.101.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2#ping 10.1.101.1 size 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# logg con 7
ASA-FW(config)# logg on
ASA-FW(config)# %ASA-5-111008: User 'enable_15' executed the 'logging on' command.

R2#ping 10.1.101.1 size 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:

ASA#
%ASA-4-209005: Discard IP fragment set with more than 1 elements: src = 10.1.102.2, dest =
10.1.101.1, proto = ICMP, id = 15

Page 154 of 694
CCIE Security v3 Lab Workbook

Lab 1.24. Time based access control

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 155 of 694
CCIE Security v3 Lab Workbook

Task 1
Your company uses outsourced services for maintaining the network infrastructure.
Configure ASA to allow telnet and SSH connections to R1‟s F0/0 from the outside.
Connections should be allowed only during the contract time, starting from 1 Jan
2010 at 8 a.m. to 31 Dec 2010 at 6 p.m.

Time ranged access lists can be used to control traffic passing ASA in regards to the current time
and date on the device. There must be time range object configured first and then it must be
attached to specific ACE (Access Control Entry). The time range can be defined by one of two
types:
(1) absolute – the start and the end time and date must be fixed and must describe
contiguous range
(2) periodic – describes repeatable periods like day-by-day, weekends, days of week, etc.
As this feature solely depends on time on the device, you must ensure that the time is current – the
best option is to use reliable NTP source of course. However, in our case we’re not asked to do so.

On ASA
ASA-FW(config)# time-range Outsourced
ASA-FW(config-time-range)# absolute start 8:00 1 January 2010 end 18:00 31 December 2010

ASA-FW(config-time-range)# access-list OUTSIDE_IN permit tcp any host 10.1.101.1 eq 22 time-
range Outsourced
ASA-FW(config)# access-list OUTSIDE_IN permit tcp any host 10.1.101.1 eq 23 time-range
Outsourced
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

Verification
ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range
Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range
Outsourced (hitcnt=0) 0x4861ab27

Note that there are no hits in our ACL. Check the time on the ASA before testing.

ASA-FW(config)# sh clock
22:37:25.169 UTC Fri Jan 22 2010

R2#tel 10.1.101.1
Trying 10.1.101.1 ... Open

User Access Verification

Password:
Password:
Password:
% Bad passwords

[Connection to 10.1.101.1 closed by foreign host]
R2#

ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range
Outsourced (hitcnt=0) 0xdb76f8a9

Page 156 of 694
CCIE Security v3 Lab Workbook

access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range
Outsourced (hitcnt=1) 0x4861ab27

Telnet works fine and there is a hit in the ACL.

ASA-FW(config)# sh time-range

time-range entry: Outsourced (active)
absolute start 08:00 01 January 2010 end 18:00 31 December 2010
used in: IP ACL entry
used in: IP ACL entry

Change the clock on the ASA to see the difference.

ASA-FW(config)# clock set 10:00:00 1 Jun 2011

ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range
Outsourced (hitcnt=0) (inactive) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range
Outsourced (hitcnt=0) (inactive) 0x4861ab27

Note that when the configured time range is out of current time on the device, the ACL
entry is marked as “inactive” in the output of “show access-list” command. This can be
useful in troubleshooting and gives us instant information if our configuration is
correct or not.

R2#tel 10.1.101.1
Trying 10.1.101.1 ...
% Connection timed out; remote host not responding

Task 2
Users in all you internal network (10.1.101.0/24) should have access to the Internet
(HTTP and HTTPS) only during business hours (9am to 5pm) on workdays (Mon-Fri).
However, an administrator from IP address of 1.1.1.1 should not have any limits.
Ensure that other services are not affected by this policy.

This task clearly states that we should allow traffic in some periodic timeslots only. Hence, the best
option here is to use periodic type of time range object. There is also requirement that admin
workstation is not getting blocked by this policy, thus we need to specify it at the beginning of the
ACL.

On ASA
ASA-FW(config)# time-range Users_Internet
ASA-FW(config-time-range)# periodic weekdays 9:00 to 17:00
ASA-FW(config-time-range)# exi

ASA-FW(config)# access-list INSIDE_IN permit ip host 1.1.1.1 any
ASA-FW(config)# access-list INSIDE_IN permit tcp any any eq 80 time-range Users_Internet
ASA-FW(config)# access-list INSIDE_IN permit tcp any any eq 443 time-range Users_Internet
ASA-FW(config)# access-list INSIDE_IN deny tcp any any eq 80
ASA-FW(config)# access-list INSIDE_IN deny tcp any any eq 443
ASA-FW(config)# access-list INSIDE_IN permit ip any any
ASA-FW(config)# access-group INSIDE_IN in interface IN

Page 157 of 694
CCIE Security v3 Lab Workbook

Verification
To verify we can change the clock on the ASA to point to some weekend day. Once it is
done, we should see that respective ACEs are inactive and Web traffic will be blocked
by the next ACEs.
We do not need to use web browser to make the test. It is enough to enable (if not
enabled by default) HTTP server on R2 and telnet to it using “telnet 10.1.102.2 80”
command on R1.

ASA-FW(config)# clock set 10:00:00 5 Jun 2010

ASA-FW(config)# sh clock
10:00:03.399 UTC Sat Jun 5 2010

ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range
Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range
Outsourced (hitcnt=0) 0x4861ab27
access-list INSIDE_IN; 6 elements
access-list INSIDE_IN line 1 extended permit ip host 1.1.1.1 any (hitcnt=0) 0x0abd7ebf
access-list INSIDE_IN line 2 extended permit tcp any any eq www time-range Users_Internet
(hitcnt=0) (inactive) 0x49796a57
access-list INSIDE_IN line 3 extended permit tcp any any eq https time-range Users_Internet
(hitcnt=0) (inactive) 0x4af8d6f5
access-list INSIDE_IN line 4 extended deny tcp any any eq www (hitcnt=0) 0x83fa0440
access-list INSIDE_IN line 5 extended deny tcp any any eq https (hitcnt=0) 0x28e2c45f
access-list INSIDE_IN line 6 extended permit ip any any (hitcnt=0) 0x96858cf8
ASA-FW(config)#

R1#tel 10.1.102.2 80
Trying 10.1.102.2, 80 ...
% Connection refused by remote host

R1#tel 10.1.102.2 80 /so lo0
Trying 10.1.102.2, 80 ... Open
GET \
HTTP/1.1 400 Bad Request
Date: Sat, 23 Jan 2010 01:13:05 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.102.2 closed by foreign host]

ASA-FW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 2 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.101.1 eq ssh time-range
Outsourced (hitcnt=0) 0xdb76f8a9
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.101.1 eq telnet time-range
Outsourced (hitcnt=0) 0x4861ab27
access-list INSIDE_IN; 6 elements
access-list INSIDE_IN line 1 extended permit ip host 1.1.1.1 any (hitcnt=2) 0x0abd7ebf
access-list INSIDE_IN line 2 extended permit tcp any any eq www time-range Users_Internet
(hitcnt=0) (inactive) 0x49796a57
access-list INSIDE_IN line 3 extended permit tcp any any eq https time-range Users_Internet
(hitcnt=0) (inactive) 0x4af8d6f5
access-list INSIDE_IN line 4 extended deny tcp any any eq www (hitcnt=1) 0x83fa0440
access-list INSIDE_IN line 5 extended deny tcp any any eq https (hitcnt=0) 0x28e2c45f
access-list INSIDE_IN line 6 extended permit ip any any (hitcnt=0) 0x96858cf8

Page 158 of 694
CCIE Security v3 Lab Workbook

Lab 1.25. QoS - Priority queuing

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 159 of 694
CCIE Security v3 Lab Workbook

Task 1
Your company extensively uses Cisco IP Phones (traffic marked DSCP EF) and
some business critical application (TCP port range 15000 to 15200). You need to
ensure that ASA will prioritize that traffic going to the outside networks.

Each interface has two levels of queuing available. One is a hardware queue (called tx-ring) which is
serviced by FIFO (First In First Out) method. Second is a software queue which is configurable
(default serviced by FIFO as well).
As Voice and business critical application’s traffic is more important than other corporate traffic
(like Web traffic) it is recommended to make use from software queue and prioritize some traffic
over the other. Prioritize in software queue will allow important traffic to go sooner to the hardware
queue than non-important traffic. This is most useful for latency-dependant traffic like Voice or
Video.
Voice traffic is usually marked by EF (Expedited Forwarding) bit in the Layer 3 header. We can use
this information to match the traffic and prioritize it. We can also use an ACL to mark the traffic.
It is important to enable priority queuing on the respective interface before configuring action for
class map. Finally, our policy map must be attached globally or on the interface. Attaching it
globally has effect on every interface where priority queuing is enabled.
Also note that priority queuing is an outbound only solution. We cannot prioritize inbound traffic.

On ASA
ASA-FW(config)# priority-queue OUT

ASA-FW(config-priority-queue)# access-list APP extended permit tcp any any range 15000 15200

ASA-FW(config)# class-map APP
ASA-FW(config-cmap)# match access-list APP
ASA-FW(config-cmap)# class-map VOICE
ASA-FW(config-cmap)# match dscp ef

ASA-FW(config-cmap)# policy-map LLQ-POLICY
ASA-FW(config-pmap)# class VOICE
ASA-FW(config-pmap-c)# priority
ASA-FW(config-pmap-c)# class APP
ASA-FW(config-pmap-c)# priority

ASA-FW(config-pmap-c)# service-policy LLQ-POLICY interface OUT

Verification
ASA-FW(config)# sh service-policy priority

Interface OUT:
Service-policy: LLQ-POLICY
Class-map: VOICE
Priority:
Interface OUT: aggregate drop 0, aggregate transmit 0
Class-map: APP
Priority:
Interface OUT: aggregate drop 0, aggregate transmit 0

To test our solution, we can configure HTTP server on R2 listening on TCP port 15000.
This traffic coming from R1 towards R2 should be prioritized.

R2(config)#ip http port 15000
R2(config)#ip http server

R1#tel 10.1.102.2 15000
Trying 10.1.102.2, 15000 ... Open
GET /

Page 160 of 694
CCIE Security v3 Lab Workbook

HTTP/1.1 400 Bad Request
Date: Wed, 03 Feb 2010 20:34:37 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.102.2 closed by foreign host]
R1#

ASA-FW(config)# sh service-policy priority

Interface OUT:
Service-policy: LLQ-POLICY
Class-map: VOICE
Priority:
Interface OUT: aggregate drop 0, aggregate transmit 11
Class-map: APP
Priority:
Interface OUT: aggregate drop 0, aggregate transmit 11

ASA-FW(config)# sh priority-queue config

Priority-Queue Config interface OUT
current default range
queue-limit 2048 2048 0 - 2048
tx-ring-limit 80 80 3 - 256

Priority-Queue Config interface IN
current default range
queue-limit 0 2048 0 - 2048
tx-ring-limit -1 80 3 - 256

ASA-FW(config)# sh priority-queue statistics

Priority-Queue Statistics interface OUT

Queue Type = BE  Best Effort
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 15
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

Queue Type = LLQ  Low Latency Queuing
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 11
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

Page 161 of 694
CCIE Security v3 Lab Workbook

Lab 1.26. QoS – Traffic Policing

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 162 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA1 so that it limits ICMP traffic on the outside interface. This traffic
should be limited to 32kbps in both directions and dropped if this level is exceeded.

This task requires configuring traffic policing on the ASA. It clearly states that we should “limit” the
traffic (two technologies should come to your mind right now: policing and shaping) and drop
packets which are above configured limit (which leaves us with only one solution: policing).
Policing can be configured in both directions on the interface. If it is configured globally it affects all
ASA interfaces.
Policing does not buffer packets; it just drops non-conformed packets. Thus, it should be carefully
used with TCP traffic (as TCP rapidly slowing down when seeing packets drop) and UDP (as UDP is
connectionless and has no mechanisms to confirm that packets reached the destination).

On ASA
ASA-FW(config)# access-list ICMP permit icmp any any

ASA-FW(config)# class-map ICMP
ASA-FW(config-cmap)# match access-list ICMP

ASA-FW(config-cmap)# policy-map OUT-POLICY
ASA-FW(config-pmap)# class ICMP
ASA-FW(config-pmap-c)# police input 32000
ASA-FW(config-pmap-c)# police output 32000

ASA-FW(config-pmap-c)# service-policy OUT-POLICY interface OUT

Verification
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

ASA-FW(config)# sh service-policy police

Interface OUT:
Service-policy: OUT-POLICY
Class-map: ICMP
Input police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
ASA-FW(config)#

Test from R1
R1#pi 10.1.102.2 size 5000 rep 10

Type escape sequence to abort.
Sending 10, 5000-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!.!.!.!.!.
Success rate is 50 percent (5/10), round-trip min/avg/max = 4/4/4 ms
R1#

ASA-FW(config)# sh service-policy police

Interface OUT:
Service-policy: OUT-POLICY
Class-map: ICMP
Input police Interface OUT:

Page 163 of 694
CCIE Security v3 Lab Workbook

cir 32000 bps, bc 1500 bytes
conformed 5 packets, 7570 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 144 bps, exceed 0 bps
Output police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 20 packets, 25580 bytes; actions: transmit
exceeded 20 packets, 25580 bytes; actions: drop
conformed 976 bps, exceed 488 bps

Note that there are packets matched by Input and Output policer. As the policer may
work for both directions it matches returning ICMP packets. We used ICMP packets of
5000 bytes in size, so the ASA must fragment that traffic and hence there are 40
packets out instead of 10.

Test from R2
ASA-FW(config)# clear service-policy interface OUT

ASA-FW(config)# sh service-policy police

Interface OUT:
Service-policy: OUT-POLICY
Class-map: ICMP
Input police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

R2#pi 10.1.101.1 size 1500 rep 10

Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!.!!!.!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/3/4 ms
R2#

ASA-FW(config)# sh service-policy police

Interface OUT:
Service-policy: OUT-POLICY
Class-map: ICMP
Input police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface OUT:
cir 32000 bps, bc 1500 bytes
conformed 8 packets, 12112 bytes; actions: transmit
exceeded 2 packets, 3028 bytes; actions: drop
conformed 2208 bps, exceed 552 bps

Page 164 of 694
CCIE Security v3 Lab Workbook

Lab 1.27. QoS – Traffic Shaping

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 165 of 694
CCIE Security v3 Lab Workbook

Task 1
Users in the inside network uses ASA to connect to the Internet. Although, you have
10Mbps outside connection on the ASA you must ensure that traffic going to the
Internet takes no more than 1Mbps (1024kbps with a burst of 10240).

ASA can only send out data with its full interface speed (this is AIR – Access Information Rate). To
limit the speed on which packets are sending out we can use policing or shaping. Policing usually
drops excessive packets causing problems with TCP/UDP based applications and services.
Shaping is more polite and it buffers excessive traffic to send it out later. This results in less
packets dropping and smoother traffic flows.
Shaping uses four values to calculate the shaper:
 CIR - Committed Information Rate (a contracted value to which we should shape our
traffic)
 Bc – Committed Burst (an amount of bits that can be buffered for later use)
 Be – Excessive Burst (an limit of bits that can be buffered)
 Tc – Time Interval (usually 1/8th of a second, equals 125ms)
Typical shaper sends no more than CIR*Tc in each Tc slot. However, there can be some Tc without
data, so that shaper can use it to send out buffered packets. This buffer is described by Bc value
and the shaper can accommodate no more than Bc+Be data in the buffer. The ASA sets Be=Bc by
default. The Tc is not explicitly configured, rather it is calculated by the following formula
Tc=CIR/Bc.
Also note that Bc and Be are in bytes (CIR/Rate is in bits).

On ASA

ASA-FW(config)# policy-map SHAPE-POLICY
ASA-FW(config-pmap)# class class-default
ASA-FW(config-pmap-c)# shape average 1024000 10240

ASA-FW(config-pmap-c)# service-policy SHAPE-POLICY interface OUT

Verification
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

ASA-FW(config)# sh service-policy shape

Interface OUT:
Service-policy: SHAPE-POLICY
Class-map: class-default

shape (average) cir 1024000, bc 10240, be 10240
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

R1#pi 10.1.102.2 size 1500 rep 1000

Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Page 166 of 694
CCIE Security v3 Lab Workbook

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/11/36 ms
R1#

ASA-FW(config)# sh service-policy shape

Interface OUT:
Service-policy: SHAPE-POLICY
Class-map: class-default

shape (average) cir 1024000, bc 10240, be 10240
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1000/1500000

As we can see our shaper did match traffic. However it is quite hard to determine if
the shaper did something more than just matched the traffic and send it out.
Fortunately, in the lab we can use round-trip values from the ping command output. Note
the average round-trip for sending 1000 ICMP packets from R1 to R2 is 11ms.
Let‟s do the same for ICMP coming from R2 towards R1.

R2#pi 10.1.101.1 size 1500 rep 1000

Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 4/11/12 ms
R2#

ASA-FW(config)# sh service-policy shape

Interface OUT:
Service-policy: SHAPE-POLICY
Class-map: class-default

shape (average) cir 1024000, bc 10240, be 10240
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 2000/3000000

The round-trip average value is the same (11 ms) and the number of packets is now 2000.
Remember that shaping is only an outbound feature, so why do we see packets counter
incrementing? This is because in this particular case we use ICMP and there are ICMP
returning packets matched by the shaper.
Let‟s disable shaping and see the difference.

ASA-FW(config)# no service-policy SHAPE-POLICY interface OUT

R1#pi 10.1.102.2 size 1500 rep 1000

Page 167 of 694
CCIE Security v3 Lab Workbook

Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/4 ms
R1#

Now the round-trip average value is 2 ms. This is evidence that shaper did its work
previously. It was buffering the packets and send out without any drops.

Page 168 of 694
CCIE Security v3 Lab Workbook

Lab 1.28. QoS – Traffic Shaping with
Prioritization

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 169 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA to enforce QoS policy for outside traffic so that traffic marked with
DSCP EF is shaped up to 2Mbps and prioritized. All other traffic should be best-effort
serviced.

In this task we need ensure that our Voice traffic will not get more than 2Mbps and it will be
prioritized at the same time. Unfortunately, we cannot configure LLQ (Low Latency Queuing) and
shaping on the same interface. This can be done however, by prioritizing traffic inside shaped
queue. This will effectively create two sub-queues: (1) priority queue and (2) best effort queue inside
shaped parent queue. To configure that, we need to nest priority queue (policy map for LLQ) using
service-policy command under shaper policy map.

On ASA
ASA-FW(config)# priority-queue OUT

ASA-FW(config-priority-queue)# class-map VOICE
ASA-FW(config-cmap)# match dscp ef

ASA-FW(config-cmap)# policy-map VOICE
ASA-FW(config-pmap)# class VOICE
ASA-FW(config-pmap-c)# priority

ASA-FW(config-pmap-c)# policy-map SHAPE-OUTSIDE
ASA-FW(config-pmap)# class class-default
ASA-FW(config-pmap-c)# shape average 2048000
ASA-FW(config-pmap-c)# service-policy VOICE

ASA-FW(config-pmap-c)# service-policy SHAPE-OUTSIDE interface OUT

Verification
ASA-FW(config)# sh service-policy interface OUT

Interface OUT:
Service-policy: SHAPE-OUTSIDE
Class-map: class-default

shape (average) cir 2048000, bc 8192, be 8192

(pkts output/bytes output) 0/0
(total drops/no-buffer drops) 0/0

Service-policy: VOICE
Class-map: VOICE

priority

Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: class-default

Default Queueing

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

To test our solution we need to mark some traffic with DSCP EF bit. This can be quickly
done on R1 by using MQC. In addition to that we need to allow ICMP on the ASA either by
configuring ACL or ICMP inspection.

Page 170 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT

R1(config)#class-map ICMP
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exi

R1(config)#policy-map ICMP-EF
R1(config-pmap)#class ICMP
R1(config-pmap-c)#set dscp ef
R1(config-pmap-c)#exi
R1(config-pmap)#exi

R1(config)#int f0/0
R1(config-if)#service-policy output ICMP-EF

R1#pi 10.1.102.2 size 1500 rep 1000

Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (985/1000), round-trip min/avg/max = 1/2/8 ms
R1#

ASA-FW(config)# sh service-policy interface OUT

Interface OUT:
Service-policy: SHAPE-OUTSIDE
Class-map: class-default

shape (average) cir 2048000, bc 8192, be 8192

(pkts output/bytes output) 986/1479000
(total drops/no-buffer drops) 0/0

Service-policy: VOICE
Class-map: VOICE

priority

Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/28/0
(pkts output/bytes output) 986/1479000

Class-map: class-default

Default Queueing

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

As you can see there are some packets prioritized and no packets in the default class.
To ensure that only packets with DSCP EF bit set are prioritized, let‟s make another
test.

R1#tel 10.1.102.2
Trying 10.1.102.2 ... Open

User Access Verification

Page 171 of 694
CCIE Security v3 Lab Workbook

Password:
R2>exi

[Connection to 10.1.102.2 closed by foreign host]
R1#

ASA-FW(config)# sh service-policy interface OUT

Interface OUT:
Service-policy: SHAPE-OUTSIDE
Class-map: class-default

shape (average) cir 2048000, bc 8192, be 8192

(pkts output/bytes output) 1008/1479926
(total drops/no-buffer drops) 0/0

Service-policy: VOICE
Class-map: VOICE

priority

Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/28/0
(pkts output/bytes output) 986/1479000

Class-map: class-default

Default Queueing

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 22/926

ASA-FW(config)#

Page 172 of 694
CCIE Security v3 Lab Workbook

Lab 1.29. SLA Route Tracking

Inside
R1
.1 F0/0
10.1.101.0/24
.10 E0/1

Outside1
E0/0 .10 E0/2 Outside2
10.1.102.0/24

G0/0 .2
F0/0 .5

R2
G0/1 .2
R5
10.1.245.0/24 F0/1 .5

F0/1 .4

R4

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R5‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 105
 R2‟s G0/1, R5‟s F0/1 and R4‟s F0/1 interface should be configured in VLAN
245
 Configure Telnet on all routers using password “cisco”
 Configure default gateway on R1/R2/R5 pointing to the ASA
IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 F0/0 10.1.101.1/24
R2 G0/0 10.1.102.2/24
G0/1 10.1.245.2/24
R4 F0/1 10.1.245.4 /24
R5 F0/0 10.1.105.5 /24
F0/1 10.1.245.5 /24
ASA1/ASA-FW E0/0 (Outside1, Security 0) 10.1.102.10 /24
E0/1 (Inside, Security 100) 10.1.101.10 /24
E0/2 (Outside2, Security 0) 10.1.105.10 /24

Page 173 of 694
CCIE Security v3 Lab Workbook

Task 1
You have installed second connection to the outside networks to achieve
redundancy. Configure ASA so that it uses R2 as a default gateway as long as its
F0/1 interface IP address is reachable. If three ICMP packets fail within 10 seconds
the ASA should withdraw the static route from its routing table and use IP address of
R5‟s F0/1 interface as a new default gateway.

Static route tracking provides a method for tracking the availability of a static route and for making
a backup route available it the primary route fails.
The ASA associates a static route with monitoring target that you define. If this target becomes
unavailable the ASA removes the route associated with the target from its routing table and start
using backup route instead. To ensure the backup route will not be visible in the routing table along
with primary route (two default gateways would force the ASA to load sharing packets) there should
be higher AD (Administrative Distance) associated with the backup route.
The SLA (Service Level Agreement) operation monitors the target with periodic ICMP echo
requests. If an echo reply is not received within a specified period of time, the object is considered
down, and the associated route for that target is removed from the routing table. A previously
configured backup route is used instead of the route that is removed. While the backup route is in
use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is
available again, the first route is returned to the routing table and the backup route is removed.

On ASA
ASA-FW(config)# sla monitor 1
ASA-FW(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.102.2 interface outside1
ASA-FW(config-sla-monitor-echo)# num-packets 3
ASA-FW(config-sla-monitor-echo)# frequency 10
ASA-FW(config-sla-monitor-echo)# exi
ASA-FW(config)# sla monitor schedule 1 start-time now life forever
ASA-FW(config)# track 1 rtr 1 reachability
ASA-FW(config)# route outside1 0.0.0.0 0.0.0.0 10.1.102.2 track 1
ASA-FW(config)# route outside2 0.0.0.0 0.0.0.0 10.1.105.5 254

Verification
ASA-FW(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.1.102.2 to network 0.0.0.0

C 10.1.105.0 255.255.255.0 is directly connected, Outside2
C 10.1.102.0 255.255.255.0 is directly connected, Outside1
C 10.1.101.0 255.255.255.0 is directly connected, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.102.2, Outside1

ASA-FW(config)# sh sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.102.2

Page 174 of 694
CCIE Security v3 Lab Workbook

Interface: Outside1
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

ASA-FW(config)# sh sla monitor operational-state
Entry number: 1
Modification time: 10:57:46.666 UTC Sat Jul 17 2010
Number of Octets Used by this Entry: 1480
Number of operations attempted: 36
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 11:03:36.667 UTC Sat Jul 17 2010
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 3 RTTSum: 3 RTTSum2: 3

ASA-FW(config)# sh track 1
Track 1
Response Time Reporter 1 reachability
Reachability is Up
1 change, last change 00:02:08
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

Test
We can test our solution by running traceroute to the R4‟s IP address from R1. To make
it work, we need to apply an ACL on both ASA‟s outside interfaces allowing ICMP (type
3, code 3) back from R4.
In addition to that, R4 will need to have a route back to R1. So the best option here
is to configure dynamic NAT on R2 and R5 translating all source IP addresses to their
interfaces towards R4.

As we can see ASA routes the traffic through R2 as it is in its routing table as
default gateway. As long as R2‟s G0/0 IP address is responding on SLA ICMP packets, the
default route points to R2. Once we shut R2‟s interface down, the default route is
deleted from the routing table and the default route with AD of 254 is used instead.

On ASA
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface Outside1
ASA-FW(config)# access-group OUTSIDE_IN in interface Outside2

On R2
R2(config)#ip nat inside source list 140 interface g0/1
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config)#access-list 140 permit ip any any
R2(config)#int g0/0
R2(config-if)#ip nat inside
R2(config-if)#int g0/1

Page 175 of 694
CCIE Security v3 Lab Workbook

R2(config-if)#ip nat outside
R2(config-if)#exi

On R5
R5(config)#ip nat inside source list 140 interface f0/1

R5(config)#access-list 140 permit ip any any
R5(config)#int f0/0
R5(config-if)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R5(config-if)#int f0/1
R5(config-if)#ip nat outside
R5(config-if)#exi

R1#ping 10.1.245.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.245.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R1#trace 10.1.245.4

Type escape sequence to abort.
Tracing the route to 10.1.245.4

1 10.1.102.2 0 msec 0 msec 0 msec
2 10.1.245.4 4 msec 0 msec *

R2(config)#int g0/0
R2(config-if)#sh
R2(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

ASA-FW(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.1.105.5 to network 0.0.0.0

C 10.1.105.0 255.255.255.0 is directly connected, Outside2
C 10.1.102.0 255.255.255.0 is directly connected, Outside1
C 10.1.101.0 255.255.255.0 is directly connected, Inside
S* 0.0.0.0 0.0.0.0 [254/0] via 10.1.105.5, Outside2

ASA-FW(config)# sh sla monitor operational-state
Entry number: 1
Modification time: 09:48:02.952 UTC Sun Jul 18 2010
Number of Octets Used by this Entry: 1480
Number of operations attempted: 36
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 09:53:42.953 UTC Sun Jul 18 2010
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

ASA-FW(config)# clear conn
6 connection(s) deleted.

Page 176 of 694
CCIE Security v3 Lab Workbook

R1#trace 10.1.245.4

Type escape sequence to abort.
Tracing the route to 10.1.245.4

1 10.1.105.5 0 msec 0 msec 4 msec
2 10.1.245.4 0 msec 0 msec *

Because traceroute uses UDP packets, the ASA creates flows in its connections (state)
table. UDP has a default timeout of 2 minutes on the ASA, so we need to wait at least 2
minutes before checking again (tracerouting from R1) or we can clear connections table
manually.

Page 177 of 694
CCIE Security v3 Lab Workbook

Lab 1.30. ASA IP Services (DHCP)

Lo0

IN

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 OUT

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (OUT, Security 0) 10.1.102.10 /24
E0/1 (IN, Security 80) 10.1.101.10 /24
E0/2.104 (DMZ, Security 50) 10.1.104.10 /24

Page 178 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA to give out IP addresses for inside hosts automatically using the
following information:
IP address range: 10.1.101.100-10.1.101.200
DNS Server: 10.1.101.5
WINS Server 10.1.101.6
Domain Name: MicronicsTraining.com
Lease time: 8h

The ASA may work as a DHCP server in both routed and transparent mode. It may serve IP
addresses to the hosts on the network (usually inside network), configure additional DHCP options
like DNS/WINS server and configure itself as a default gateway for the clients.
DHCP lease time is 3600 seconds (1h) by default.
In addition to that, the ASA can serve additional DHCP options for its clients like different default
gateway (useful in transparent mode as the ASA does not have an IP address and the default
gateway usually lays on the other side of the ASA), TFTP server IP address and so on.
Note that you must enable DHCP server on the ASA after configuring it by using “dhcpd enable
<interface>” command.

On ASA
ASA-FW(config)# dhcpd address 10.1.101.100-10.1.101.200 IN
ASA-FW(config)# dhcpd dns 10.1.101.5
ASA-FW(config)# dhcpd wins 10.1.101.6
ASA-FW(config)# dhcpd domain MicronicsTraining.com
ASA-FW(config)# dhcpd lease 28800
ASA-FW(config)# dhcpd enable IN

Verification
ASA-FW(config)# sh dhcpd state
Context Configured as DHCP Server
Interface OUT, Not Configured for DHCP
Interface IN, Configured for DHCP SERVER
Interface DMZ, Not Configured for DHCP

ASA-FW(config)# sh dhcpd binding

IP address Hardware address Lease expiration Type

R1(config)#int f0/0
R1(config-if)#ip address dhcp
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.101.100, mask
255.255.255.0, hostname R1

R1#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.101.100/24
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled

Page 179 of 694
CCIE Security v3 Lab Workbook

ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled

R1#sh ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
Domain lookup is enabled
Default domain name: MicronicsTraining.com
Domain search list:
Lookup timeout: 3 seconds
Lookup retries: 2
Domain name-servers:
10.1.101.5
DNS Server settings:
Forwarding of queries is enabled
Forwarder timeout: 3 seconds
Forwarder retries: 2
Forwarder addresses:

ASA-FW(config)# sh dhcpd binding

IP address Hardware address Lease expiration Type

10.1.101.100 0063.6973.636f.2d30. 28648 seconds Automatic
3031.392e.3330.3130.
2e38.3631.382d.4661.
302f.30

ASA-FW(config)# sh dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools 1
Automatic bindings 1
Expired bindings 0
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 0

Page 180 of 694
CCIE Security v3 Lab Workbook

Task 2
Clear previous DHCP server configuration on ASA.
There is a DHCP server located on R4. Configure ASA so that it forwards all DHCP
messages coming from inside hosts to that server. The ASA should be a default
gateway for inside network.

The ASA can also be used as DHCP Relay Agent in case the DHCP server is located on different
network. In that mode the ASA relays all DHCP messages to the configured DHCP server and can
set itself as a default gateway in the DHCP messages returned to the clients.
Note that the DHCP Relay Agent feature is unavailable in transparent firewall mode as there is no
reason to relay DHCP messages in this mode. The ASA passes DHCP messages natively when
working in transparent mode.

On ASA
ASA-FW(config)# clear configure dhcpd

ASA-FW(config)# dhcprelay server 10.1.104.4 DMZ
ASA-FW(config)# dhcprelay enable IN
ASA-FW(config)# dhcprelay setroute IN

Verification
ASA-FW(config)# sh dhcprelay state
Context Configured as DHCP Relay
Interface OUT, Not Configured for DHCP
Interface IN, Configured for DHCP RELAY SERVER
Interface DMZ, Configured for DHCP RELAY

ASA-FW(config)# sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0

R1(config)#int f0/0
R1(config-if)#shut
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#no shut
R1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.101.1, mask
255.255.255.0, hostname R1

R4#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.1.101.1 0063.6973.636f.2d30. Feb 04 2010 09:13 PM Automatic

Page 181 of 694
CCIE Security v3 Lab Workbook

3031.392e.3330.3130.
2e38.3631.382d.4661.
302f.30

ASA-FW(config)# sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 0

Page 182 of 694
CCIE Security v3 Lab Workbook

Lab 1.31. URL filtering and applets blocking

Inside Lo0

R1
.1 F0/0
10.1.101.0/24
DMZ .10 E0/1

.10
.100
E0/2

.10 E0/0
10.1.103.0/24
10.1.102.0/24

Lo0 G0/0 .2 Outside

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101.
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 Websense server‟s NIC (installed on ACS) and ASA‟s E0/2 interface should
be configured in VLAN 103
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
WebSense NIC 10.1.103.100/24
ASA1/ASA-FW E0/0 (Outside, Security 0) 10.1.102.10/24
E0/1 (Inside, Security 100) 10.1.101.10/24
E0/2 (DMZ, Security 50) 10.1.103.10/24

Page 183 of 694
CCIE Security v3 Lab Workbook

Task 1
Configure ASA to cooperate with WebSense server to filter out URL‟s blocked by
WebSense policy. The policy should be enforced for HTTP/HTTPS traffic from every
IP address and in case of WebSense server failure, ASA should pass traffic without
URL filtering.
In addition to that, configure ASA so that it blocks all ActiveX and Java objects
embedded into HTTP packets.
The FTP access should also be blocked for IP addresses from subnet 10.1.10.0/24
except the Administrator‟s workstation on 10.1.10.100.

Java applets and ActiveX controls are executable programs that can be dangerous for end user.
Some applets contain hidden code that can destroy data on the internal network. This can be
downloaded when you permit access to HTTP port 80.
The ASA can prevent users from downloading applets from the websites by using "filter" command.
This can be configured for some users/subnets only allowing other users downloading applets
when surfing the Internet.
In addition to applets filtering, the ASA can filter URLs in conjunction with Websense and Secure
Computing URL-filtering software. It works this way so that when the ASA receives a request from a
user to access a URL, it queries the URL-filtering server to determine whether to allow, or block, the
requested web page. Before you enable URL filtering, you must designate at least one server on
which the Websense or SmartFilter URL-filtering application is installed.
Configuring URL-filtering software is out of scope for CCIE Security lab exam, so in case of such
question, the grading script (or person) will probably look after appropriate commands in the ASA
configuration.
The command of "filter url" enables URL filtering and has some additional options at the end to
specify the following:
 allow - this keyword allows outbound traffic when URL server is down
 cgi_truncate - if question mark is found in the URL, this will remove all characters after
the question mark
 longurl-deny - denies oversized URL requests
 longurl-truncate - sends only simple URL (e.g. domain.com) to the URL-filtering server
oversized URL is found
The URL filtering features extend web-based URL filtering to HTTPS and FTP as well. However in
case of HTTPS the header is encrypted and the ASA cannot retrieve URL information. The ASA will
send an IP address of the Web server to the URL-filtering server for checking. For FTP there is an
additional option (interact-block) which prevents users from using interactive FTP sessions.

On ASA
ASA-FW(config)# url-server (DMZ) vendor websense host 10.1.103.100 timeout 30 protocol TCP
version 4 connections 5

ASA-FW(config)# filter ftp except 10.1.10.100 255.255.255.255 0.0.0.0 0.0.0.0
ASA-FW(config)# filter ftp 21 10.1.10.0 255.255.255.0 0.0.0.0 0.0.0.0 interact-block
ASA-FW(config)# filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ASA-FW(config)# filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
ASA-FW(config)# filter ActiveX 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ASA-FW(config)# filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Verification
ASA-FW(config)# sh url-server statistics

Page 184 of 694
CCIE Security v3 Lab Workbook

Global Statistics:
--------------------
URLs total/allowed/denied 0/0/0
URLs allowed by cache/server 0/0
URLs denied by cache/server 0/0
HTTPSs total/allowed/denied 0/0/0
HTTPSs allowed by cache/server 0/0
HTTPSs denied by cache/server 0/0
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 0
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second

Server Statistics:
--------------------
10.1.103.100 DOWN
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0

URL Packets Sent and Received Stats:
------------------------------------
Message Sent Received
STATUS_REQUEST 7 0
LOOKUP_REQUEST 0 0
LOG_REQUEST 0 NA

Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0

Note that the Websense server is in DOWN state. This is because there is no Websense
software installed on the ACS. In the lab, however, it is possible to install trial
Websense software on the ACS server and check the configuration.

Page 185 of 694
CCIE Security v3 Lab Workbook

Lab 1.32. Troubleshooting using Packet
Tracer and Capture tools

Lo0

Inside

R1
.1 F0/0
10.1.101.0/24
.10 E0/1
DMZ
Lo0
.10
F0/0
E0/2
R4 .4

.10 E0/0
10.1.104.0/24 10.1.102.0/24
Lo0 G0/0 .2 Outside

R2

Lab Setup:

 R1‟s F0/0 and ASA‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA‟s E0/0 interface should be configured in VLAN 102
 R4‟s F0/0 and ASA‟s E0/2 interface should be configured in VLAN 104
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all devices and advertise their all directly connected
networks.

IP Addressing:

Device/Hostname Interface (ifname) IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 Lo0 2.2.2.2/24
F0/0 10.1.102.2/24
R4 Lo0 4.4.4.4/24
F0/0 10.1.104.4/24
ASA1/ASA-FW E0/0 (Outside, Security 0) 10.1.102.10 /24
E0/1 (Inside, Security 100) 10.1.101.10 /24
E0/2 (DMZ, Security 50) 10.1.104.10 /24

Page 186 of 694
CCIE Security v3 Lab Workbook

Task 1
You are trying to ping R1 from R2‟s F0/0 interface. The ping fails. Using available
ASA tools troubleshoot and resolve the issue.
R1#ping 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Troubleshooting
ASA-FW(config)# packet-tracer input Inside icmp 10.1.101.1 0 0 10.1.102.2 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd78c48c0, priority=1, domain=permit, deny=false
hits=22, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.102.0 255.255.255.0 Outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7c4e720, priority=0, domain=permit-ip-option, deny=true
hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7cb61f0, priority=66, domain=inspect-icmp-error, deny=false
hits=2, user_data=0xd78c1080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:

Page 187 of 694
CCIE Security v3 Lab Workbook

Additional Information:
New flow created with id 728, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Hmm, seems everything is OK. Take a closer look to the above output – this is ONLY for
unidirectional flow. The ICMP packet has flown by Inside and Outside interface. We need
to check the same for returning traffic. Let‟s look…

ASA-FW(config)# packet-tracer input Outside icmp 10.1.102.2 8 0 10.1.101.1 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.101.0 255.255.255.0 Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x330f848, priority=0, domain=permit, deny=true
hits=6, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

As you can see, the packet has been denied by the ACL (implicit rule). Let‟s confirm
that by enabling logging at Debug (7) level.

ASA-FW(config)# logging buffered 7

ASA-FW(config)# logging on

ASA-FW(config)# clear logging buffer

Page 188 of 694
CCIE Security v3 Lab Workbook

R2#pi 10.1.101.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 6 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
User 'enable_15' executed the 'clear logging buffer' command.
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)
Deny inbound icmp src Outside:10.1.102.2 dst Inside:10.1.101.1 (type 8, code 0)

Confirmed! Five packets (Echo Requests) have been denied by the outside interface.
We can also use another tool to check what happened. Capture – is the packet sniffer on
the ASA which can “trace” the packets to see what happened on the device. Let‟s capture
traffic on the outside interface with “trace” option enabled.

ASA-FW(config)# capture ISSUE trace interface outside

R2#pi 10.1.101.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ASA-FW(config)# sh capture ISSUE trace
5 packets captured
1: 14:22:20.842348 10.1.102.2 > 10.1.101.1: icmp: echo request
2: 14:22:20.854386 10.1.102.2 > 10.1.101.1: icmp: echo request
3: 14:22:20.855073 10.1.102.2 > 10.1.101.1: icmp: echo request
4: 14:22:20.867905 10.1.102.2 > 10.1.101.1: icmp: echo request
5: 14:22:20.885055 10.1.102.2 > 10.1.101.1: icmp: echo request

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:

Page 189 of 694
CCIE Security v3 Lab Workbook

Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.101.0 255.255.255.0 Inside

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

5 packets shown

ASA-FW(config)# no capture ISSUE

Similar output as it was for Packet Tracer. Again, we see that the packets have been
dropped by the outside ACL.
However, the main difference between Packet Tracer and Capture is that the capture sees
existing flow but Packet Tracer only injects the packet into the traffic plane. Capture
is more useful as it may show bidirectional flows – meaning you can check if returning
packets are not getting dropped for some reason.
Let‟s look at ping in the other direction, from R1 towards R2. Assuming default ASA
configuration, the Echo Request should pass the ASA as this packet is going from Inside
(100) to Outside (0). However, returning packet, which is Echo Reply should be dropped
due to lack of flow information (there is no inspect enable for ICMP by default) nor
ACL on the outside. Let‟s check this out then…

ASA-FW(config)# capture ICMP-I trace detail interface Inside

ASA-FW(config)# capture ICMP-O trace detail interface Outside

ASA-FW(config)# sh capture ICMP-I
1 packet captured
1: 14:41:26.596404 10.1.101.1 > 10.1.102.2: icmp: echo request
1 packet shown

ASA-FW(config)# sh capture ICMP-O
2 packets captured
1: 14:41:26.597259 10.1.101.1 > 10.1.102.2: icmp: echo request
2: 14:41:26.603774 10.1.102.2 > 10.1.101.1: icmp: echo reply
2 packets shown

Huh! See that there are two packets captured on the Outside interface and only one on
the Inside. This should make you suspicious that something is not right here. The Echo
Reply packet should be seen on the Inside interface if everything works perfect.
Let‟s “trace” that capture to see what ASA has done with those packets.

ASA-FW(config)# sh capture ICMP-O trace
2 packets captured
1: 14:41:26.597259 10.1.101.1 > 10.1.102.2: icmp: echo request
2: 14:41:26.603774 10.1.102.2 > 10.1.101.1: icmp: echo reply

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x333b008, priority=12, domain=capture, deny=false
hits=1, user_data=0x32f33b0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000

Page 190 of 694
CCIE Security v3 Lab Workbook

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x330f5d8, priority=1, domain=permit, deny=false
hits=168, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow  This is because ICMP is stateless

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.101.0 255.255.255.0 Inside

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x330f848, priority=0, domain=permit, deny=true
hits=35, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-FW(config)# sh capture
capture ICMP-I type raw-data trace detail interface Inside [Capturing - 212 bytes]
capture ICMP-O type raw-data trace detail interface Outside [Capturing - 342 bytes]

ASA-FW(config)# no cap ICMP-I

ASA-FW(config)# no cap ICMP-O

Again, we see the returning packet has been denied by the ACL. This is because ICMP is
stateless and there is no ICMP inspection enabled on the ASA. To make it work we should
either configure ICMP inspection or permit ICMP echo reply in the inbound ACL on the
Outside interface.

Another useful tool is DEBUG. However it is not recommended to enable it in production
as this may overwhelm your device. A very quick check we can use here by enabling
“debug icmp trace”.

R1#ping 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Page 191 of 694
CCIE Security v3 Lab Workbook

ASA-FW(config)# deb icmp trace
debug icmp trace enabled at level 1
ASA-FW(config)# ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=0
len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=1 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=2 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=3 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=18 seq=4 len=72

From the output we see that ICMP packets get routed out of Outside interface but never
return back.

Let‟s fix the issue by enabling ICMP inspection.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exi
ASA-FW(config-pmap)# exi

R1#ping 10.1.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASA-FW(config)# sh debug
debug icmp trace enabled at level 1

ASA-FW(config)# ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=0
len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=0 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=1 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=1 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=2 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=2 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=3 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=3 len=72
ICMP echo request from Inside:10.1.101.1 to Outside:10.1.102.2 ID=19 seq=4 len=72
ICMP echo reply from Outside:10.1.102.2 to Inside:10.1.101.1 ID=19 seq=4 len=72

Page 192 of 694
CCIE Security v3 Lab Workbook

This page is intentionally left blank.

Page 193 of 694
CCIE Security v3 Lab Workbook

Advanced
CCIE SECURITY v3
LAB WORKBOOK

Site-to-Site VPN

Narbik Kocharians
CCIE #12410
R&S, Security, SP

Piotr Matusiak
CCIE #19860
R&S, Security

www.MicronicsTraining.com

Page 194 of 694
CCIE Security v3 Lab Workbook

Lab 1.33. Basic Site to Site IPSec VPN
Main Mode (IOS-IOS)

Lo0 Lo0
1.1.1.1/32 2.2.2.2/32

.1 .2
R1 F0/0 10.1.12.0/24 G0/0
R2

Lab Setup:

 R1‟s F0/0 and R2‟s G0/0 interface should be configured in VLAN 120
 Configure Telnet on all routers using password “cisco”
 Configure static routing on R1 and R2 to be able to reach Loopback IP
addresses

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/32
F0/0 10.1.12.1/24
R2 F0/0 10.1.12.2/24
Lo0 2.2.2.2/32

Task 1
Configure basic Site to Site IPSec VPN to protect traffic between IP addresses
1.1.1.1 and 2.2.2.2 using the following policy:

ISAKMP Policy IPSec Policy
Authentication: Pre-shared Encrytpion: ESP-3DES
Encryption: 3DES Hash: MD5
Hash: MD5 Proxy ID: 1.1.1.1  2.2.2.2
DH Group: 2
PSK: cisco123

ISAKMP (Internet Security Association and Key Management Protocol) is defined in RFC 2408 and it
a framework which defines the following:
- procedures to authenticate a communicating peer
- how to create and manage SAs (Security Associations)
- key generation techniques
- threat mitigation (like DoS and replay attacks)

ISAKMP does not specify any details of key management or key exchange and is not bound to any
key generation technique. Inside of ISAKMP, Cisco uses Oakley for the key exchange protocol.
Oakley enables you to choose between different well-known DH (Diffie-Hellman) groups.

Page 195 of 694
CCIE Security v3 Lab Workbook

ISAKMP and Oakley create an authenticated, secure tunnel between two entities, and then negotiate
the SA for IPSec. Both peers must authenticate each other and establish shared key. There are
three authentication methods available: (1) RSA signatures (PKI), (2) RSA encrypted pseudo-
random numbers (NONCES), and pre-shared keys (PSK). The DH protocol is used to agree on a
common session key.
IPSec uses a different shared key from ISAKMP and Oakley. The IPSec shared key can be derived
by using DH again to ensure PFS (Perfect Forward Secrecy) or by refreshing the shared secret
derived from the original DH exchange.

IKE is a hybrid protocol which establishes a shared security policy and authenticated keys for
services that require keys, such as IPSec. Before IPSec tunnel is established, each device must be
able to identify its peer. ISAKMP and IKE are both used interchangeably, however these two items
are somewhat different.
IKE Phase 1 - two ISAKMP peers establish a secure, authenticated channel. This channel is known
as teh ISAKMP SA. There are two modes defined by ISAKMP: Main Mode and Aggressive Mode.
IKE Phase 2 - SAs are negotiated on behalf of services such as IPSec that needs keying material.
This phase is called Quick Mode.
To configure IKE Phase 1 you need to create ISAKMP policies. It is possible to configure multiple
policy statements with different configuration statements, and then let the two hosts come to an
agreement.
You can use two methods to configure ISAKMP (IKE Phase 1):
I. Using PSK:
1. Configure ISAKMP protection suite (policy)
- Specify what size modulus to use for DH calculation (group1: 768bits; group2:
1024bits; group5: 1536bits)
- Specify a hashing algorithm (MD5 or SHA)
- Specify the lifetime of the SA (in seconds)
- Specify the authentication method (PSK)
- Specify encryption algorithm (DES, 3DES, AES)
2. Configure the ISAKMP pre-shared key (one per peer)
II. Using PKI
1. Create an RSA key for the router
2. Request certificate of the CA
3. Enroll certificates for the clien router (certify your keys)
4. Configure ISAKMP protection suite (policy) like it is for PSK but specify rsa-sig as the
authentication method

To configure IPSec (IKE Phase 2) do the following:
1. Create an extended ACL (determines interesting traffic - the traffic that should be
protected by IPSec)
2. Create IPSec transform set - like ISAKMP policies, transform sets are the setting suites to
choose from
3. Create crypto map to bind all components together:
- Specify peer IP address
- Specify SA lifetime (for IPSec SAs)
- Specify transform sets
- Specify the ACL to match interesting traffic
4. Apply the crypto map to an egress interface

Page 196 of 694
CCIE Security v3 Lab Workbook

On R1
R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2

R1(config-isakmp)#crypto isakmp key cisco123 address 10.1.12.2

Be careful of using leading spaces in pre-shared key value.
It may complicate seriously your lab exam. Remember that the pre-shared key value must
be the same at the both side of a IPSEC tunnel.

R1(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# set peer 10.1.12.2
R1(config-crypto-map)# set transform-set TSET
R1(config-crypto-map)# match address 120

R1(config-crypto-map)#access-list 120 permit ip host 1.1.1.1 host 2.2.2.2

R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exi
R1(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ISAKMP is enabled and working. The router will be processing IKE packets (UDP protocol,
port 500) for establishing ISAKMP “auxiliary” tunnel which will be used to negotiate
securely parameters of an IPSec tunnel.

R1(config)#

On R2
R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2

R2(config-isakmp)#crypto isakmp key cisco123 address 10.1.12.1

R2(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R2(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)# set peer 10.1.12.1
R2(config-crypto-map)# set transform-set TSET
R2(config-crypto-map)# match address 120

R2(config-crypto-map)#access-list 120 permit ip host 2.2.2.2 host 1.1.1.1

R2(config)#int g0/0
R2(config-if)#crypto map CMAP
R2(config-if)#exi
R2(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Detailed verification on R1
Let‟s perform some debuging to see what‟s exactly going on during IPSec tunnel
establishment. The best two debugs are: debug crypto isakmp and debug crypto ipsec.
To actually see something we need to pass „interesting‟ traffic (defined by crypto ACL)
which will trigger ISAKMP process.

R1#deb crypto isakmp
Crypto ISAKMP debugging is on
R1#deb crypto ipsec
Crypto IPSEC debugging is on

Page 197 of 694
CCIE Security v3 Lab Workbook

R1#ping 2.2.2.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R1#

The first ICMP packet triggers ISAKMP process as this is our interesting traffic
matching our ACL. Before actually start sending IKE packets to the peer the router
first checks if there is any local SA (Security Association) matching that traffic.
Note that this check is against IPSec SA not IKE SA.
OK, no SA means there must be IKE packet send out.

IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.1.12.1, remote= 10.1.12.2,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
ISAKMP:(0): SA request profile is (NULL) The router has tried to find any IPSec SA
matching outgoing connection but no valid
SA has been found in Security Association
Database (SADB) on the router.
ISAKMP: Created a peer struct for 10.1.12.2, peer port 500
ISAKMP: New peer created peer = 0x49E25A08 peer_handle = 0x80000003
ISAKMP: Locking peer struct 0x49E25A08, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE

IKE Phase 1 (Main Mode) message 1
By default, IKE Main Mode is used so we should expect 6 packets for Phase I. There is a message
saying that Aggressive Mode cannot start, however it does not mean that there is some error, it just
means that Aggressive Mode is not configured on the local router.
Then, the router checks ISAKMP policy configured and sees that there is PSK (Pre-Shared Key)
authentication configured. It must check if there is a key for the peer configured as well.
After that the 1st IKE packet is send out to the peer's IP address on port UDP 500 which is default.
The packet contains locally configured ISAKMP policy (or policies if many) to be chosen by the
peer.

ISAKMP:(0):insert sa successfully sa = 48C5EC5C
ISAKMP:(0):Can not start Aggressive mode, trying Main mode. The router has started IKE
Main Mode (it is a
default)

ISAKMP:(0):found peer pre-shared key matching 10.1.12.2 Pre-shared key for remote
peer has been found.
ISAKMP will use it to
authenticate the peer
during one of the last
stages of IKE Phase 1.
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) MM_NO_STATE

The router initiating IKE exchange is called “the initiator”.
The router responding to IKE request is called “the responder”.
The initiator (R1) has sent ISAKMP policy along with vendor specific
IDs which are a part of IKE packet payload. MM_NO_STATE indicates
that ISAKMP SA has been created, but nothing else has happened yet.

Page 198 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(0):Sending an IKE IPv4 Packet.

IKE Phase 1 (Main Mode) message 2
OK, seems everything is going smooth, we have got a response packet from the peer. This is the
first place where something could go wrong and this is most common issue when configuring
VPNs. The received packet contains SA chosen by the peer and some other useful information like
Vendor IDs. Those vendor specific payloads are used to discover NAT along the path and maintain
keepalives (DPD). The router matches ISAKMP policy from the packet to one locally configured. If
there is a match, the tunnel establishment process continues. If the policy configured on both
routers is not the same, the cross-check process fails and the tunnel is down.

ISAKMP (0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) MM_NO_STATE

The responder (R2) has responded with IKE packet that contains negotiated
ISAKMP policy along with its vendor specific IDs. Note that the IKE Main Mode
state is still MM_NO_STATE.

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):found peer pre-shared key matching 10.1.12.2
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0

The router is processing ISAKMP parameters that have been sent as the reply.
Vendor IDs are processed to determine if peer supports e.g. NAT-Traversal, Dead
Peer Detection feature. ISAKMP policy is checked against policies defined
locally.
“atts are acceptable” indicates that ISAKMP policy matches with remote peer.
Remember that comparing the policy that has been obtained from remote peer with
locally defined polices starting from the lowest index (number) of policy
defined in the running config.

ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

The lifetime timer has been started. Note that default value of “lifetime” is
used (86400 seconds). This is lifetime for ISAKMP SA. Note that IPSEC SAs have
their own lifetime parameters which may be defined as number of seconds or
kilobytes of transmitted traffic.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Page 199 of 694
CCIE Security v3 Lab Workbook

IKE Phase 1 (Main Mode) message 3
The third message is sent out containing KE (Key Exchange) information for DH (Diffie-Hellman)
secure key exchange process.

ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

IKE Phase 1 (Main Mode) message 4
4th message has been received from the peer. This message contains KE payload and base on that
information both peers can generate a common session key to be used in securing further
communication. The pre-shared key configured locally for the peer is used in this calculation.
After receiving this message peers can also be able to determine if there is a NAT along the path.

ISAKMP (0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

“MM_SA_SETUP” idicates that the peers have agreed on parameters for the ISAKMP SA.

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 10.1.12.2
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is Unity
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is DPD
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): speaking to another IOS box!
ISAKMP:received payload type 20
ISAKMP (1002): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1002): No NAT Found for self or peer
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4

IKE Phase 1 (Main Mode) message 5
Fifth message is used for sending out authentication information the peer. This information is
transmitted under the protection of the common shared secret.

ISAKMP:(1002):Send initial contact
ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1002): ID payload
next-payload : 8
type : 1
address : 10.1.12.1
protocol : 17
port : 500
length : 12
ISAKMP:(1002):Total payload length: 12
ISAKMP:(1002): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

“MM_KEY_EXCH” indicates that the peers have exchanged Diffie-Hellman public keys
and have generated a shared secret. The ISAKMP SA remains unauthenticated. Note
that the process of authentication has been just started.

ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

Page 200 of 694
CCIE Security v3 Lab Workbook

IKE Phase 1 (Main Mode) message 6
The peer identity is verified by the local router and SA is established.
This message finishes ISAKMP Main Mode (Phase I) and the status is changed to
IKE_P1_COMPLETE.

ISAKMP (1002): received packet from 10.1.12.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

Note that the process of peer authentication is still in progress (MM_KEY_EXCH).
Remember that there is also one IKE Main Mode state which is not visible in the
debug output. It is “MM_KEY_AUTH” which indicates that the ISAKMP SA has been
authenticated. If the router initiated this exchange, this state transitions
immediately to QM_IDLE and a Quick mode exchange begins.

ISAKMP:(1002): processing ID payload. message ID = 0
ISAKMP (1002): ID payload
next-payload : 8
type : 1
address : 10.1.12.2
protocol : 17
port : 500
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1002): processing HASH payload. message ID = 0
ISAKMP:(1002):SA authentication status:
authenticated
ISAKMP:(1002):SA has been authenticated with 10.1.12.2
ISAKMP: Trying to insert a peer 10.1.12.1/10.1.12.2/500/, and inserted successfully 49E25A08.

The peer has been authenticated now. Note that SA number has been generated and
inserted into SADB along with the information relevant to the peer which has been
agreed during IKE Main Mode.

ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6

ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6

ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

IKE Phase 2 (Quick Mode) message 1
Now it’s time for Phase II which is Quick Mode (QM). The router sends out the packet containing
local Proxy IDs (network/hosts addresses to be protected by the IPSec tunnel) and security policy
defined by the Transform Set.

ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 680665262
ISAKMP:(1002):QM Initiator gets spi
ISAKMP:(1002): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Node 680665262, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

IKE Phase 2 (Quick Mode) message 2
Second QM message is a response from the peer. It contains IPSec policy chosen by the peer and
peer’s proxy ID. This is a next place where something can go wrong if the Proxy IDs are different on
both sides of the tunnel. The router cross-checks if its Proxy ID is a mirrored peer’s Proxy ID.

ISAKMP (1002): received packet from 10.1.12.2 dport 500 sport 500 Global (I) QM_IDLE

Page 201 of 694
CCIE Security v3 Lab Workbook

The state of IKE is “QM_IDLE”. This indicates that the ISAKMP SA is idle. It
remains authenticated with its peer and may be used for subsequent quick mode
exchanges. It is in a quiescent state.

ISAKMP:(1002): processing HASH payload. message ID = 680665262
ISAKMP:(1002): processing SA payload. message ID = 680665262
ISAKMP:(1002):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(1002):atts are acceptable.

The routers are negotiating parameters for IPSec tunnel which will be used for
traffic transmission. These parameters are defined by “crypto ipsec transform-set”
command. Note that lifetime values of IPSec SA are visible at this moment. You are
able to set it both: globally or in the crypto map entry.
“Attr are acceptable” indicates that IPSec parameters defined as IPSec transform-
set match at the both sides.

IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.1.12.1, remote= 10.1.12.2,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0

The local and remote proxy are defined. This indicates sources and destinations set
in crypto ACL which defines the interesting traffic for the IPSec tunnel. Remember
that the crypto ACL at the both sides of the tunnel must be “mirrored”. If not, you
may get the following entry in the debug output: IPSEC(initialize_sas): invalid
proxy IDs.

ISAKMP:(1002): processing NONCE payload. message ID = 680665262
ISAKMP:(1002): processing ID payload. message ID = 680665262
ISAKMP:(1002): processing ID payload. message ID = 680665262
ISAKMP:(1002): Creating IPSec SAs
inbound SA from 10.1.12.2 to 10.1.12.1 (f/i) 0/ 0
(proxy 2.2.2.2 to 1.1.1.1)
has spi 0xB7629AFD and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.12.1 to 10.1.12.2 (f/i) 0/0
(proxy 1.1.1.1 to 2.2.2.2)
has spi 0xC486083C and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes

The IPSec SA have been created and inserted in the router‟s security associations
database (SADB). SAs are distingusthed by SPI values which are also used to
differentiate many tunnels terminated on the same router. Note that two SPI values are
generated for one tunnel: one SPI for inbound SA and one SPI for outbound SA. SPI
value is inserted in the ESP header of the packet leaving the router. At the second
side of the tunnel, SPI value inserted into the ESP header enables the router to reach
parameters and keys which have been dynamicaly agreed during IKE negotiations or
session key refreshment in case of lifetime timeout. The SPI value is an index of
entities in the router‟s SADB.

Page 202 of 694
CCIE Security v3 Lab Workbook

IKE Phase 2 (Quick Mode) message 3
The last message finishes QM. Upon completion of Phase II IPsec session key is derived from new
DH shared secret. This session key will be used for encryption until IPSec timer expires.

ISAKMP:(1002): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):deleting node 680665262 error FALSE reason "No Error"
ISAKMP:(1002):Node 680665262, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.12.2
IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0

IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.1, sa_proto= 50,
sa_spi= 0xB7629AFD(3076692733),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (4449173/3600)
IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.2, sa_proto= 50,
sa_spi= 0xC486083C(3297118268),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4449173/3600)
IPSEC(update_current_outbound_sa): updated peer 10.1.12.2 current outbound sa to SPI C486083C
R1#

All the negotiations have been completed. The tunnel is up and ready to pass the
traffic.

Detailed verification on R2

IKE Phase 1 (Main Mode) message 1
First ISAKMP packet hits the router. It comes from port 500 to the port 500. The transport is UDP.
This packet contains ISAKMP policy (or policies) which are configured on remote peer. The local
router needs to choose one which matches locally configured policy. This process is going until
first match, so from a security perspective it is important to put more secure policy suites at the
beginning (the crypto isakmp policy <ID> determines the order).

This debug output presents the IKE negotiation from the responder point of view. Only
the most interesting entires or non-present in debug of the initiator are remarked and
commented.

ISAKMP (0): received packet from 10.1.12.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 10.1.12.1, peer port 500
ISAKMP: New peer created peer = 0x48AE852C peer_handle = 0x80000002
ISAKMP: Locking peer struct 0x48AE852C, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 487BE048
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload

Page 203 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

IKE Phase 1 (Main Mode) message 2
The router sends back ISAKMP packet containing chosen ISAKMP policy. There are also other
payloads attached to that message like Vendor ID (DPD, NAT-T).

ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

IKE Phase 1 (Main Mode) message 3
Now router receives packet containing KE payload. This is Diffie-Hellman exchange taking place to
generate session key in secure manner. After receiving this packet the routers knows if there is
NAT Traversal aware device on the other end and if NAT has been discovered along the path.

ISAKMP (0): received packet from 10.1.12.1 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID is DPD
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): speaking to another IOS box!

Page 204 of 694
CCIE Security v3 Lab Workbook

Vendor specific IDs in the IKE packet payload tell the router that it is negotiating
the ISAKMP SA with IOS router.

ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID seems Unity/DPD but major 166 mismatch
ISAKMP:(1001): vendor ID is XAUTH
ISAKMP:received payload type 20
ISAKMP (1001): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1001): No NAT Found for self or peer

NAT-D payloads exchanged during NAT Discovery process tell the routers at the both
ends that no NAT device has been found between the peers.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1001):Old State = IKE_R_MM3 New State = IKE_R_MM3

IKE Phase 1 (Main Mode) message 4
Local router sends out message with its KE payload to finish DH exchange.

ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1001):Old State = IKE_R_MM3 New State = IKE_R_MM4

IKE Phase 1 (Main Mode) message 5
Peer authentication taking place upon receiving 5th message.

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1001):Old State = IKE_R_MM4 New State = IKE_R_MM5

ISAKMP:(1001): processing ID payload. message ID = 0
ISAKMP (1001): ID payload
next-payload : 8
type : 1
address : 10.1.12.1
protocol : 17
port : 500
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1001): processing HASH payload. message ID = 0
ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 487BE048
ISAKMP:(1001):SA authentication status:
authenticated
ISAKMP:(1001):SA has been authenticated with 10.1.12.1
ISAKMP:(1001):SA authentication status:
authenticated
ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.12.2 remote 10.1.12.1 remote port 500
ISAKMP: Trying to insert a peer 10.1.12.2/10.1.12.1/500/, and inserted successfully 48AE852C.
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1001):Old State = IKE_R_MM5 New State = IKE_R_MM5

Page 205 of 694
CCIE Security v3 Lab Workbook

IKE Phase 1 (Main Mode) message 6
The peer identity is verified by the local router and SA is established.
This message finishes ISAKMP Main Mode (Phase I) and the status is changed to
IKE_P1_COMPLETE.

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1001): ID payload
next-payload : 8
type : 1
address : 10.1.12.2
protocol : 17
port : 500
length : 12
ISAKMP:(1001):Total payload length: 12
ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

IKE Phase 2 (Quick Mode) message 1
After completing Phase 1 the router receives first packet for Quick Mode (Phase 2).
The packet contains peer’s Proxy IDs (network/hosts addresses to be protected by the IPSec
tunnel) and security policy defined by the Transform Set. This must be checked against local
configuration. If there is a match (crypto ACLs are mirrored and the IPSec encryption and
authentication algorithms are agreed) the router continues Phase 2.

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -584676094 to QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = -584676094
ISAKMP:(1001): processing SA payload. message ID = -584676094
ISAKMP:(1001):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(1001):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.1.12.2, remote= 10.1.12.1,
local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 2.2.2.2
dst addr : 1.1.1.1
protocol : 0
src port : 0
dst port : 0
ISAKMP:(1001): processing NONCE payload. message ID = -584676094
ISAKMP:(1001): processing ID payload. message ID = -584676094
ISAKMP:(1001): processing ID payload. message ID = -584676094
ISAKMP:(1001):QM Responder gets spi
ISAKMP:(1001):Node -584676094, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP:(1001): Creating IPSec SAs
inbound SA from 10.1.12.1 to 10.1.12.2 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)

Page 206 of 694
CCIE Security v3 Lab Workbook

has spi 0xE272C715 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.12.2 to 10.1.12.1 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
has spi 0x3E8C462 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes

IKE Phase 2 (Quick Mode) message 2
The local router sends out its Proxy IDs and IPSec policy to the remote peer.

ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Node -584676094, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 2.2.2.2
dst addr : 1.1.1.1
protocol : 0
src port : 0
dst port : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.12.1
IPSEC(policy_db_add_ident): src 2.2.2.2, dest 1.1.1.1, dest_port 0

IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.2, sa_proto= 50,
sa_spi= 0xE272C715(3799172885),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
sa_lifetime(k/sec)= (4595027/3600)
IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.1, sa_proto= 50,
sa_spi= 0x3E8C462(65586274),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
sa_lifetime(k/sec)= (4595027/3600)

IKE Phase 2 (Quick Mode) message 3
The last message finishes QM. Upon completion of Phase II IPSec session key is derived from new
DH shared secret. This session key will be used for encryption until IPSec timer expires.

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP:(1001):deleting node -584676094 error FALSE reason "QM done (await)"
ISAKMP:(1001):Node -584676094, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC(key_engine_enable_outbound): enable SA with spi 65586274/50
IPSEC(update_current_outbound_sa): updated peer 10.1.12.1 current outbound sa to SPI 3E8C462
R2#

Verification

After establishing IPSec tunnel, we should see one ISAKMP SA and two IPSec SAs. This can be
easily seen when entering the command “show crypto engine connections active”. There
are two useful commands to verify IPSec VPNs:
“show crypto isakmp sa” – displays ISAKMMP SA and gives us information about state of the
tunnel establishment. QM_IDLE state means Quick Mode (Phase 2) has been fininshed. If something

Page 207 of 694
CCIE Security v3 Lab Workbook

goes wrong, the state should give us information what phase or message has generated an error.
“show crypto ipsec sa” – displays IPSec SAs (inbound and outbound) and gives us
information about Proxy IDs and number of packets being encrypted/decrypted. Inboud and
outbound SA are described by SPI (Security Parameters Index) which is carried in ESP/AH header
and allows router to differentiate between IPSec tunnels. Inbound SPI must be the same as
Outbound SPI on the peer router.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.12.2 10.1.12.1 QM_IDLE 1002 ACTIVE

This is the normal state of established IKE tunnel.

IPv6 Crypto ISAKMP SA

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 10.1.12.1 10.1.12.2 ACTIVE 3des md5 psk 2 23:57:08
Engine-id:Conn-id = SW:2

Negotiated ISAKMP policy is visible. This command is useful to figure out which policy
has been used for establishing the IKE tunnel when there are several polices matching
at the both sides.

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1

This command shows information regarding the interfaces and defined crypto.

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 10.1.12.2 port 500

The proxies (source and destination of interesitng traffic) are displayed. “0/0” after
IP address and netmask indicates that IP protocol is transported in the tunnel.

PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Very important output usefull for the IPSec debugging and troubleshooting.
This indicates that outgoing packets are: encapsulated by ESP, encrypted and digested
(the hash has been made to discover any alterations). The second marked line indicates
that incomming packets are: decapsulated (the IPSec header have been extracted),
decrypted and hash/digest has been verified.

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

This output is relevant only when compression of IPSec packets is enabled in the
transform-set.

local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC486083C(3297118268)
PFS (Y/N): N, DH group: none

Page 208 of 694
CCIE Security v3 Lab Workbook

If PFS (Perfect Forward Secrecy) has been enabled then the line above indicates that
along with configured Diffie-Hellman group.

inbound esp sas:
spi: 0xB7629AFD(3076692733)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }

conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4449172/3420)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

This output contains useful information relevant to unidirectional SA. This shows the
following: used IPSec protocol (ESP), SPI value, used transform-set (encryption
algorithm along with hash function), ESP mode (tunnel or transport), connection ID,
crypto map and lifetime values in second and kilobytes which remains to session key
refreshment (tunnel will be terminated instead of key refreshment if no packets need
to be transported via tunnel when SA expired).

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC486083C(3297118268)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4449172/3420)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R1#sh crypto ipsec sa identity

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer (none) port 500
DENY, flags={ident_is_root,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 10.1.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

R1#sh crypto ipsec sa address
fvrf/address: (none)/10.1.12.1
protocol: ESP
spi: 0xB7629AFD(3076692733)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }

Page 209 of 694
CCIE Security v3 Lab Workbook

conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4449172/3386)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

fvrf/address: (none)/10.1.12.2
protocol: ESP
spi: 0xC486083C(3297118268)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4449172/3386)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

R1#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+3DES 0 0 10.1.12.1
2003 IPsec 3DES+MD5 0 4 10.1.12.1
2004 IPsec 3DES+MD5 4 0 10.1.12.1

One IPSec tunnel has three SA – one of IKE tunnel and two of IPSec tunnel used for
traffic encryption.

R1#sh crypto engine connections dh
Number of DH's pregenerated = 2
DH lifetime = 86400 seconds

Software Crypto Engine:
Conn Status Group Time left
1 Used Group 2 85948

The Diffie-Hellman group and the time that remains to next DH key generation.

Verification performed on R2 (The responder).

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.12.2 10.1.12.1 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 10.1.12.2 10.1.12.1 ACTIVE 3des md5 psk 2 23:55:03
Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.2

protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0

Page 210 of 694
CCIE Security v3 Lab Workbook

#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.12.2, remote crypto endpt.: 10.1.12.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB7629AFD(3076692733)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xC486083C(3297118268)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4445162/3296)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB7629AFD(3076692733)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4445162/3296)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R2#sh crypto ipsec sa address
fvrf/address: (none)/10.1.12.2
protocol: ESP
spi: 0xC486083C(3297118268)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4445162/3287)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

fvrf/address: (none)/10.1.12.1
protocol: ESP
spi: 0xB7629AFD(3076692733)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4445162/3287)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

R2#sh crypto ipsec sa identity

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer (none) port 500
DENY, flags={ident_is_root,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Page 211 of 694
CCIE Security v3 Lab Workbook

protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

R2#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+3DES 0 0 10.1.12.2
2003 IPsec 3DES+MD5 0 4 10.1.12.2
2004 IPsec 3DES+MD5 4 0 10.1.12.2

Page 212 of 694
CCIE Security v3 Lab Workbook

Lab 1.34. Basic Site to Site IPSec VPN
Aggressive Mode (IOS-IOS)

Lo0 Lo0
1.1.1.1/32 2.2.2.2/32

.1 .2
R1 F0/0 10.1.12.0/24 G0/0
R2

Lab Setup:
 R1‟s F0/0 and R2‟s G0/0 interface should be configured in VLAN 120
 Configure Telnet on all routers using password “cisco”
 Configure static routing on R1 and R2 to be able to reach Loopback IP
addresses

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/32
F0/0 10.1.12.1/24
R2 F0/0 10.1.12.2/24
Lo0 2.2.2.2/32

Task 1
Configure basic Site to Site IPSec VPN to protect traffic between IP addresses
1.1.1.1 and 2.2.2.2 using the following policy:

ISAKMP Policy IPSec Policy
Authentication: Pre-shared Encrytpion: ESP-3DES
Encryption: 3DES Hash: MD5
Hash: MD5 Proxy ID: 1.1.1.1  2.2.2.2
DH Group: 2

Your solution must use only three messages during IKE Phase 1 SA establisment.
Peer authentication should use password of “Aggressive123”.

Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required for the
SA passed by the initiator. The responder sends the proposal, key material and ID, and
authenticates the session in the next packet. The initiator replies by authenticating the session.
Negotiation is quicker, and the initiator and responder ID pass in the clear.

On R1
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr 3des
R1(config-isakmp)#hash md5

Page 213 of 694
CCIE Security v3 Lab Workbook

R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2

R1(config)#crypto isakmp peer address 10.1.12.2
R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 10.1.12.2
R1(config-isakmp-peer)#set aggressive-mode password Aggressive123

The tunnel-password and the client endpoint type ID for IKE Aggressive Mode.
The “client-endpoint” parameter may be the following: ipv4-address (the ip address,
ID: ID_IPV4), fqdn (the fully qualified domain name, ID: ID_FQDN), user-fqdn (e-mail
address, ID: ID_USER_FQDN). These types of client-endpoint IDs are translated to the
corresponding ID type in the Internet Key Exchange (IKE).

R1(config-isakmp-peer)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 10.1.12.2
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#match address 120

R1(config-crypto-map)#access-list 120 permit ip host 1.1.1.1 host 2.2.2.2

R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On R2
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encr 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2

R2(config)#crypto isakmp peer address 10.1.12.1
R2(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 10.1.12.1
R2(config-isakmp-peer)#set aggressive-mode password Aggressive123

R2(config-isakmp-peer)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R2(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 10.1.12.1
R2(config-crypto-map)#set transform-set TSET
R2(config-crypto-map)#match address 120

R2(config-crypto-map)#access-list 120 permit ip host 2.2.2.2 host 1.1.1.1

R2(config)#int g0/0
R2(config-if)#crypto map CMAP
R2(config-if)#exi
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.12.2 10.1.12.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

ISAKMP SA has been negotiated and IKE tunnel is set up and active.

R1#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1

protected vrf: (none)

Page 214 of 694
CCIE Security v3 Lab Workbook

local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 10.1.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD18E8F5F(3515780959)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE40153C8(3825292232)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4534905/3541)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD18E8F5F(3515780959)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4534905/3541)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

IPSec SAs have been negotiated. The tunnel is up.

R1#sh crypto ipsec sa identity

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer (none) port 500
DENY, flags={ident_is_root,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 10.1.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

R1#sh crypto ipsec sa address

Page 215 of 694
CCIE Security v3 Lab Workbook

fvrf/address: (none)/10.1.12.1
protocol: ESP
spi: 0xE40153C8(3825292232)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4534905/3520)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

fvrf/address: (none)/10.1.12.2
protocol: ESP
spi: 0xD18E8F5F(3515780959)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4534905/3520)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

R1#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE MD5+3DES 0 0 10.1.12.1
2001 IPsec 3DES+MD5 0 4 10.1.12.1
2002 IPsec 3DES+MD5 4 0 10.1.12.1

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.12.2 10.1.12.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 10.1.12.2 10.1.12.1 ACTIVE 3des md5 psk 2 23:52:03
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.2

protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.12.2, remote crypto endpt.: 10.1.12.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xE40153C8(3825292232)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD18E8F5F(3515780959)

Page 216 of 694
CCIE Security v3 Lab Workbook

transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607831/3116)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE40153C8(3825292232)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607831/3116)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R2#sh crypto ipsec sa identity

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer (none) port 500
DENY, flags={ident_is_root,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

R2#sh crypto ipsec sa address
fvrf/address: (none)/10.1.12.2
protocol: ESP
spi: 0xD18E8F5F(3515780959)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607831/3099)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

fvrf/address: (none)/10.1.12.1
protocol: ESP
spi: 0xE40153C8(3825292232)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607831/3099)
IV size: 8 bytes

Page 217 of 694
CCIE Security v3 Lab Workbook

replay detection support: Y
Status: ACTIVE

R2#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE MD5+3DES 0 0 10.1.12.2
2001 IPsec 3DES+MD5 0 4 10.1.12.2
2002 IPsec 3DES+MD5 4 0 10.1.12.2

Detailed verification on R1
R1#deb cry isak
Crypto ISAKMP debugging is on
R1#deb cry ips
Crypto IPSEC debugging is on
R1#

R1#ping 2.2.2.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R1#

IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.1.12.1, remote= 10.1.12.2,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 10.1.12.2, peer port 500
ISAKMP: New peer created peer = 0x48AAB8D0 peer_handle = 0x80000004
ISAKMP: Locking peer struct 0x48AAB8D0, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):insert sa successfully sa = 49F4F45C
ISAKMP:(0):SA has tunnel attributes set.
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): ID payload
next-payload : 13
type : 1
address : 10.1.12.2
protocol : 17
port : 0
length : 12
ISAKMP:(0):Total payload length: 12
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1

ISAKMP:(0): beginning Aggressive Mode exchange
ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

IKE Aggressive Mode has been started. The state of ISAKMP SA is AG_INIT_EXCH which
indicates that the peers have done the first exchange in aggressive mode, but the
SA is not yet authenticated.

ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

The remote peer (R2) responds with IKE packet that contains the following: its ISAKMP
policy (proposal), key material and its ID. The state of ISAKMP SA is still
AG_INIT_EXCH.

Page 218 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 10
type : 1
address : 10.1.12.2
protocol : 0
port : 0
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): speaking to another IOS box!
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0

The password configured for the peer as “aggressive-mode password” has been used for
the peer authentication. ISAKMP proposal has been checked against locally defined
ISAKMP policies.

ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(1001): processing HASH payload. message ID = 0
ISAKMP:received payload type 20
ISAKMP (1001): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1001): No NAT Found for self or peer
ISAKMP:(1001):SA authentication status:
authenticated
ISAKMP:(1001):SA has been authenticated with 10.1.12.2
ISAKMP: Trying to insert a peer 10.1.12.1/10.1.12.2/500/, and inserted successfully 48AAB8D0.
ISAKMP:(1001):Send initial contact
ISAKMP:(1001): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

The ISAKMP SA has been negotiated, authenticated and insterted into SADB. The peer has
been informed that the connection has been authenticated. Phase 1 is completed. The
ISAKMP SA state will be transited to QM_IDLE. The IKE tunnel is established and ready
for IPSec parameters and SAs negotiations.

ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1001):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE

ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1329820426
ISAKMP:(1001):QM Initiator gets spi
ISAKMP:(1001): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISAKMP (1001): received packet from 10.1.12.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = 1329820426
ISAKMP:(1001): processing SA payload. message ID = 1329820426
ISAKMP:(1001):Checking IPSec proposal 1

Page 219 of 694
CCIE Security v3 Lab Workbook

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(1001):atts are acceptable. IPSec parameters have been agreed upon.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.1.12.1, remote= 10.1.12.2,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0
ISAKMP:(1001): processing NONCE payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001): Creating IPSec SAs
inbound SA from 10.1.12.2 to 10.1.12.1 (f/i) 0/ 0
(proxy 2.2.2.2 to 1.1.1.1)
has spi 0xE40153C8 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.12.1 to 10.1.12.2 (f/i) 0/0
(proxy 1.1.1.1 to 2.2.2.2)
has spi 0xD18E8F5F and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
ISAKMP:(1001): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):deleting node 1329820426 error FALSE reason "No Error"
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.12.2
IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0

IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.1, sa_proto= 50,
sa_spi= 0xE40153C8(3825292232),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
sa_lifetime(k/sec)= (4534906/3600)
IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.2, sa_proto= 50,
sa_spi= 0xD18E8F5F(3515780959),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
sa_lifetime(k/sec)= (4534906/3600)
IPSEC(update_current_outbound_sa): updated peer 10.1.12.2 current outbound sa to SPI D18E8F5F
ISAKMP:(1001): no outgoing phase 1 packet to retransmit. QM_IDLE

IKE Phase 2 (Quick Mode) has been completed. ESP tunnel has been established.

Detailed verificatin on R2
ISAKMP (0): received packet from 10.1.12.1 dport 500 sport 500 Global (N) NEW SA

The responder has received the initial IKE packet from the initiator (R1). The payload
contains ISAKMP proposal, key material and ID.

ISAKMP: Created a peer struct for 10.1.12.1, peer port 500
ISAKMP: New peer created peer = 0x49BD96B8 peer_handle = 0x80000003

Page 220 of 694
CCIE Security v3 Lab Workbook

ISAKMP: Locking peer struct 0x49BD96B8, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 48B8E45C
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 13
type : 1
address : 10.1.12.2
protocol : 17
port : 0
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

The proposal has been processed by the responder and ISAKMP policy has been accepted.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID is DPD
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): vendor ID seems Unity/DPD but major 151 mismatch
ISAKMP:(1001): vendor ID is XAUTH
ISAKMP:(1001): processing vendor id payload
ISAKMP:(1001): claimed IOS but failed authentication
ISAKMP:(1001): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1001): ID payload
next-payload : 10
type : 1
address : 10.1.12.2
protocol : 0
port : 0
length : 12
ISAKMP:(1001):Total payload length: 12

Page 221 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH

The reply has been sent to the initiator. ISAKMP SA state is still AG_INIT_EXCH.

ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1001):Old State = IKE_READY New State = IKE_R_AM2

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) AG_INIT_EXCH

The responder has got the information that SA has been authenticated

ISAKMP:(1001): processing HASH payload. message ID = 0
ISAKMP:received payload type 20
ISAKMP (1001): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1001): No NAT Found for self or peer

It has been determined by NAT discovery process that there is no NAT between the
peers.

ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 48B8E45C
ISAKMP:(1001):SA authentication status:
authenticated
ISAKMP:(1001):SA has been authenticated with 10.1.12.1
ISAKMP:(1001):SA authentication status:
authenticated
ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.12.2 remote 10.1.12.1 remote port 500
ISAKMP: Trying to insert a peer 10.1.12.2/10.1.12.1/500/, and inserted successfully 49BD96B8.
ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1001):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE

IKE Phase 1 completed, SA is negotiated. The ISAKMP SA state has been changed to
QM_IDLE.

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 1329820426 to QM_IDLE
ISAKMP:(1001): processing HASH payload. message ID = 1329820426
ISAKMP:(1001): processing SA payload. message ID = 1329820426
ISAKMP:(1001):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(1001):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.1.12.2, remote= 10.1.12.1,
local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 2.2.2.2
dst addr : 1.1.1.1
protocol : 0
src port : 0
dst port : 0
ISAKMP:(1001): processing NONCE payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001): processing ID payload. message ID = 1329820426
ISAKMP:(1001):QM Responder gets spi
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP:(1001): Creating IPSec SAs
inbound SA from 10.1.12.1 to 10.1.12.2 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
has spi 0xD18E8F5F and conn_id 0
lifetime of 3600 seconds

Page 222 of 694
CCIE Security v3 Lab Workbook

lifetime of 4608000 kilobytes
outbound SA from 10.1.12.2 to 10.1.12.1 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
has spi 0xE40153C8 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
ISAKMP:(1001): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(1001):Sending an IKE IPv4 Packet.
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 2.2.2.2
dst addr : 1.1.1.1
protocol : 0
src port : 0
dst port : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.12.1
IPSEC(policy_db_add_ident): src 2.2.2.2, dest 1.1.1.1, dest_port 0

IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.2, sa_proto= 50,
sa_spi= 0xD18E8F5F(3515780959),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
sa_lifetime(k/sec)= (4607832/3600)
IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.12.1, sa_proto= 50,
sa_spi= 0xE40153C8(3825292232),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
sa_lifetime(k/sec)= (4607832/3600)
ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISAKMP (1001): received packet from 10.1.12.1 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP:(1001):deleting node 1329820426 error FALSE reason "QM done (await)"
ISAKMP:(1001):Node 1329820426, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC(key_engine_enable_outbound): enable SA with spi 3825292232/50
IPSEC(update_current_outbound_sa): updated peer 10.1.12.1 current outbound sa to SPI E40153C8
ISAKMP:(1001):purging node 1329820426

The IPSec tunnel has been established.

Page 223 of 694
CCIE Security v3 Lab Workbook

Lab 1.35. Basic Site to Site VPN with NAT
(IOS-IOS)

Lo0 Lo0
1.1.1.1/32 4.4.4.4/32
10.1.12.0/24 10.1.24.0/24
.1 .2 .2 .4
R1 F0/0 G0/0 R2 G0/1 F0/0 R4

Lab Setup:
 R1‟s F0/0 and R2‟s G0/0 interface should be configured in VLAN 120
 R2‟s G0/1 and R4‟s F0/0 interface should be configured in VLAN 240
 Configure Telnet on all routers using password “cisco”
 Configure RIPv2 on all routers to establish full connectivity

IP Addressing:

Device Interface IP address
R1 Lo0 1.1.1.1/32
F0/0 10.1.12.1/24
R2 G0/0 10.1.12.2/24
G0/1 10.1.24.2/24
R4 F0/0 10.1.24.4/24
Lo0 4.4.4.4/32

Task 1
Configure static NAT translation on R2 so that IP address of 10.1.12.1 will be seen
on R4 as 10.1.24.1.
Configure basic Site to Site IPSec VPN to protect IP traffic between IP addresses
1.1.1.1 and 4.4.4.4 using the following policy:

ISAKMP Policy IPSec Policy
Authentication: Pre-shared Encryption: ESP-3DES
Encryption: 3DES Hash: MD5
Hash: MD5 Proxy ID: 1.1.1.1  4.4.4.4
DH Group: 2
PSK: cisco123

On R2
R2(config)#ip nat inside source static 10.1.12.1 10.1.24.1
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

Static network address translation (R1‟s Fa0/0: 10.1.12.1 -> 10.1.24.1)

R2(config)#int g0/0
R2(config-if)#ip nat inside

Page 224 of 694
CCIE Security v3 Lab Workbook

R2(config-if)#int g0/1
R2(config-if)#ip nat outside

On R1
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2

R1(config-isakmp)#crypto isakmp key cisco123 address 10.1.24.4

From R1‟s perspective the peer (R4) is seen as 10.1.24.4.

R1(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 10.1.24.4
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#match address 140

R1(config-crypto-map)#access-list 140 permit ip host 1.1.1.1 ho 4.4.4.4

R1(config)#int f0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exi
R1(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On R4
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2

R4(config-isakmp)#crypto isakmp key cisco123 address 10.1.24.1

From R4‟s perspective the peer (R1) is seen as 10.1.24.1 (this address R1‟s Fa0/0 is
translated to by R2)

R4(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R4(cfg-crypto-trans)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.1.24.1
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#match address 140

R4(config-crypto-map)#access-list 140 permit ip ho 4.4.4.4 host 1.1.1.1

R4(config)#int f0/0
R4(config-if)#crypto map CMAP
R4(config-if)#exi
R4(config)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification
R1#tel 10.1.24.4
Trying 10.1.24.4 ... Open

User Access Verification

Password:
R4>sh users
Line User Host(s) Idle Location

Page 225 of 694
CCIE Security v3 Lab Workbook

0 con 0 idle 00:01:03
*514 vty 0 idle 00:00:00 10.1.24.1

Translation is working.

Interface User Mode Idle Peer Address

R4>exit

[Connection to 10.1.24.4 closed by foreign host]

R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.1.24.1:13083 10.1.12.1:13083 10.1.24.4:23 10.1.24.4:23
--- 10.1.24.1 10.1.12.1 --- ---

Translation is working.

R1#ping 4.4.4.4 so lo0 rep 4

Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!
Success rate is 75 percent (3/4), round-trip min/avg/max = 4/4/4 ms

Interesting traffic has started the tunnel negotiation.

R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 10.1.24.1:500 10.1.12.1:500 10.1.24.4:500 10.1.24.4:500
udp 10.1.24.1:4500 10.1.12.1:4500 10.1.24.4:4500 10.1.24.4:4500
--- 10.1.24.1 10.1.12.1 --- ---

Note that IKE traffic (UDP port 500) has been translated. During IKE Phase 1 NAT
discovery has determined that trafic between the peer is translated, so that it
enforces NAT Traversal. From this moment the peers transmit ESP packets encapsulated
into UDP packets. The NAT-T traffic uses UDP port 4500.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.24.4 10.1.12.1 QM_IDLE 1003 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1003 10.1.12.1 10.1.24.4 ACTIVE 3des md5 psk 2 23:57:11 N
Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 10.1.24.4 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0

Page 226 of 694
CCIE Security v3 Lab Workbook

#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0

local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xE1815114(3783348500)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x65D0096B(1708132715)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4378448/3532)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE1815114(3783348500)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4378448/3532)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R1#sh crypto ipsec sa identity

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer (none) port 500
DENY, flags={ident_is_root,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 10.1.24.4 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0

R1#sh crypto ipsec sa address
fvrf/address: (none)/10.1.12.1
protocol: ESP
spi: 0x65D0096B(1708132715)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4378448/3510)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

Page 227 of 694
CCIE Security v3 Lab Workbook

fvrf/address: (none)/10.1.24.4
protocol: ESP
spi: 0xE1815114(3783348500)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4378448/3510)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

R1#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1003 IKE MD5+3DES 0 0 10.1.12.1
2005 IPsec 3DES+MD5 0 3 10.1.12.1
2006 IPsec 3DES+MD5 3 0 10.1.12.1

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.24.4 10.1.24.1 QM_IDLE 1001 ACTIVE

Note that R4‟s ISAKMP SA is negotiated with translated R1‟s IP address.

IPv6 Crypto ISAKMP SA

R4#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 10.1.24.4 10.1.24.1 ACTIVE 3des md5 psk 2 23:49:57 N
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.24.4

protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.1.24.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.24.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x65D0096B(1708132715)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE1815114(3783348500)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4581780/3076)
IV size: 8 bytes
replay detection support: Y

Page 228 of 694
CCIE Security v3 Lab Workbook

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x65D0096B(1708132715)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4581780/3076)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R4#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE MD5+3DES 0 0 10.1.24.4
2001 IPsec 3DES+MD5 0 3 10.1.24.4
2002 IPsec 3DES+MD5 3 0 10.1.24.4

Detailed verification on R1
R1#deb cry isak
Crypto ISAKMP debugging is on

R1#pi 4.4.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 10.1.24.4, peer port 500
ISAKMP: New peer created peer = 0x489472CC peer_handle = 0x8000000A
ISAKMP: Locking peer struct 0x489472CC, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):insert sa successfully sa = 483BFC34
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 10.1.24.4
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 10.1.24.4 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 10.1.24.4 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):found peer pre-shared key matching 10.1.24.4
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds

Page 229 of 694
CCIE Security v3 Lab Workbook

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R1#atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

ISAKMP:(0): sending packet to 10.1.24.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

ISAKMP (0): received packet from 10.1.24.4 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 10.1.24.4
ISAKMP:(1005): processing vendor id payload
ISAKMP:(1005): vendor ID is Unity
ISAKMP:(1005): processing vendor id payload
ISAKMP:(1005): vendor ID is DPD
ISAKMP:(1005): processing vendor id payload
ISAKMP:(1005): speaking to another IOS box!
ISAKMP:received payload type 20
ISAKMP (1005): NAT found, both nodes inside NAT
ISAKMP:received payload type 20
ISAKMP (1005): My hash no match - this node inside NAT

R1 has analyzed the results of NAT discovery. It has determined that its IP address is
NATed in the path because received hash (NAT-D payload) does not match the localy
calculated hash.

ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM4

ISAKMP:(1005):Send initial contact
ISAKMP:(1005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1005): ID payload
next-payload : 8
type : 1
address : 10.1.12.1
protocol : 17
port : 0
length : 12
ISAKMP:(1005):Total payload length: 12
ISAKMP:(1005): sending packet to 10.1.24.4 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Note that from this moment the peers are exchanging the packets using UDP protocol and
port 4500 (NAT-T).

ISAKMP:(1005):Sending an IKE IPv4 Packet.
ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5

ISAKMP (1005): received packet from 10.1.24.4 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
ISAKMP:(1005): processing ID payload. message ID = 0
ISAKMP (1005): ID payload
next-payload : 8
type : 1
address : 10.1.24.4
protocol : 17
port : 0
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1005): processing HASH payload. message ID = 0

Page 230 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(1005):SA authentication status:
authenticated
ISAKMP:(1005):SA has been authenticated with 10.1.24.4
ISAKMP:(1005):Setting UDP ENC peer struct 0x49383A9C sa= 0x483BFC34
ISAKMP: Trying to insert a peer 10.1.12.1/10.1.24.4/4500/, and inserted successfully
489472CC.
ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1005):Old State = IKE_I_MM5 New State = IKE_I_MM6

ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1005):Old State = IKE_I_MM6 New State = IKE_I_MM6

ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1005):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

ISAKMP:(1005):beginning Quick Mode exchange, M-ID of -1428024928
ISAKMP:(1005):QM Initiator gets spi
ISAKMP:(1005): sending packet to 10.1.24.4 my_port 4500 peer_port 4500 (I) QM_IDLE
ISAKMP:(1005):Sending an IKE IPv4 Packet.
ISAKMP:(1005):Node -1428024928, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISAKMP (1005): received packet from 10.1.24.4 dport 4500 sport 4500 Global (I) QM_IDLE
ISAKMP:(1005): processing HASH payload. message ID = -1428024928
ISAKMP:(1005): processing SA payload. message ID = -1428024928
ISAKMP:(1005):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 3 (Tunnel-UDP)

Note that this inidactes that tunnel is encaplustated into UDP

ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(1005):atts are acceptable.
ISAKMP:(1005): processing NONCE payload. message ID = -1428024928
ISAKMP:(1005): processing ID payload. message ID = -1428024928
ISAKMP:(1005): processing ID payload. message ID = -1428024928
ISAKMP:(1005): Creating IPSec SAs
inbound SA from 10.1.24.4 to 10.1.12.1 (f/i) 0/ 0
(proxy 4.4.4.4 to 1.1.1.1)
has spi 0xE219E9BB and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.12.1 to 10.1.24.4 (f/i) 0/0
(proxy 1.1.1.1 to 4.4.4.4)
has spi 0xE481597 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
ISAKMP:(1005): sending packet to 10.1.24.4 my_port 4500 peer_port 4500 (I) QM_IDLE
ISAKMP:(1005):Sending an IKE IPv4 Packet.
ISAKMP:(1005):deleting node -1428024928 error FALSE reason "No Error"
ISAKMP:(1005):Node -1428024928, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1005):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
R1#
R1#un all
All possible debugging has been turned off

Detailed verification on R4
R4#deb cry isak
Crypto ISAKMP debugging is on

ISAKMP (0): received packet from 10.1.24.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 10.1.24.1, peer port 500
ISAKMP: New peer created peer = 0x49CEE97C peer_handle = 0x80000004
ISAKMP: Locking peer struct 0x49CEE97C, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 489FDD70
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Page 231 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vend
R4#or id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):found peer pre-shared key matching 10.1.24.1
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to 10.1.24.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

ISAKMP (0): received packet from 10.1.24.1 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 10.1.24.1
ISAKMP:(1003): processing vendor id payload
ISAKMP:(1003): vendor ID is DPD
ISAKMP:(1003): processing vendor id payload
ISAKMP:(1003): speaking to another IOS box!
ISAKMP:(1003): processing vendor id payload
ISAKMP:(1003): vendor ID seems Unity/DPD but major 50 mismatch
ISAKMP:(1003): vendor ID is XAUTH
ISAKMP:received payload type 20
ISAKMP (1003): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1003): His hash no match - this node outside NAT
ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM3

Page 232 of 694
CCIE Security v3 Lab Workbook

R4 has analyzed the results of NAT discovery. It has determined that R1‟s IP address
is NATed in the path because received hash (NAT-D payload) does not match the localy
calculated hash.

ISAKMP:(1003): sending packet to 10.1.24.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1003):Sending an IKE IPv4 Packet.
ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM4

ISAKMP (1003): received packet from 10.1.24.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1003):Old State = IKE_R_MM4 New State = IKE_R_MM5

ISAKMP:(1003): processing ID payload. message ID = 0
ISAKMP (1003): ID payload
next-payload : 8
type : 1
address : 10.1.12.1
protocol : 17
port : 0
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1003): processing HASH payload. message ID = 0
ISAKMP:(1003): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 489FDD70
ISAKMP:(1003):SA authentication status:
authenticated
ISAKMP:(1003):SA has been authenticated with 10.1.24.1
ISAKMP:(1003):Detected port floating to port = 4500
ISAKMP: Trying to find existing peer 10.1.24.4/10.1.24.1/4500/
ISAKMP:(1003):SA authentication status:
authenticated
ISAKMP:(1003): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.24.4 remote 10.1.24.1 remote port 4500
ISAKMP: Trying to insert a peer 10.1.24.4/10.1.24.1/4500/, and inserted successfully
49CEE97C.
ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_R_MM5

ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1003): ID payload
next-payload : 8
type : 1
address : 10.1.24.4
protocol : 17
port : 0
length : 12
ISAKMP:(1003):Total payload length: 12
ISAKMP:(1003): sending packet to 10.1.24.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
ISAKMP:(1003):Sending an IKE IPv4 Packet.
ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISAKMP (1003): received packet from 10.1.24.1 dport 4500 sport 4500 Global (R) QM_IDLE
ISAKMP: set new node -1428024928 to QM_IDLE
ISAKMP:(1003): processing HASH payload. message ID = -1428024928
ISAKMP:(1003): processing SA payload. message ID = -1428024928
ISAKMP:(1003):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(1003):atts are acceptable.
ISAKMP:(1003): processing NONCE payload. message ID = -1428024928
ISAKMP:(1003): processing ID payload. message ID = -1428024928
ISAKMP:(1003): processing ID payload. message ID = -1428024928
ISAKMP:(1003):QM Responder gets spi
ISAKMP:(1003):Node -1428024928, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

Page 233 of 694
CCIE Security v3 Lab Workbook

ISAKMP:(1003): Creating IPSec SAs
inbound SA from 10.1.24.1 to 10.1.24.4 (f/i) 0/ 0
(proxy 1.1.1.1 to 4.4.4.4)
has spi 0xE481597 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.24.4 to 10.1.24.1 (f/i) 0/0
(proxy 4.4.4.4 to 1.1.1.1)
has spi 0xE219E9BB and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
ISAKMP:(1003): sending packet to 10.1.24.1 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(1003):Sending an IKE IPv4 Packet.
ISAKMP:(1003):Node -1428024928, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(1003):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
ISAKMP (1003): received packet from 10.1.24.1 dport 4500 sport 4500 Global (R) QM_IDLE
ISAKMP:(1003):deleting node -1428024928 error FALSE reason "QM done (await)"
ISAKMP:(1003):Node -1428024928, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1003):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
R4#
R4#un all
All possible debugging has been turned off

Page 234 of 694
CCIE Security v3 Lab Workbook

Lab 1.36. IOS Certificate Authority
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

Lab Setup:
 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface
IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24

Page 235 of 694
CCIE Security v3 Lab Workbook

R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
Configure IOS Certificate Authority server on R1. The server should have self-signed
certificate with a lifetime of 5 years and grant certificates to the clients with a lifetime
of 3 years. Store all certificates on the flash using PEM 64-base excryption with
password of “Cisco_CA”. The server should service all certificate requests
automatically.

On R1
R1(config)#ip http server

HTTP server must be enabled. It will be used for the automatic certificate enrollment.
This feature uses SCEP (Simple Certificate Enrollment Protocol).

R1(config)#crypto pki server IOS_CA
R1(cs-server)#lifetime certificate 1095

The lifetime of client certificates (3 years).

R1(cs-server)#lifetime ca-certificate 1825
R1(cs-server)#database archive pem password Cisco_CA
R1(cs-server)#database url pem flash:/IOS_CA
R1(cs-server)#grant auto
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R1(cs-server)#no shutdown
Certificate server 'no shut' event has been queued for processing.

R1(cs-server)#
%Some server settings cannot be changed after CA certificate generation.
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

%SSH-5-ENABLED: SSH 1.99 has been enabled
% Exporting Certificate Server signing certificate and keys...

%PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#exit

CA is up after issuing “no shutdown” command. Remember that at the lab exam.

Verification
R1#sh crypto pki server
Certificate Server IOS_CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=IOS_CA
CA cert fingerprint: 2CCFEC44 8B1FA216 4B9CA190 024184A0
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 21:37:39 UTC Oct 19 2014
CRL NextUpdate timer: 03:37:40 UTC Oct 21 2009
Current primary storage dir: nvram:
Current storage dir for .pem files: flash:/IOS_CA
Database Level: Minimum - no cert data written to storage

Page 236 of 694
CCIE Security v3 Lab Workbook

R1#sh flash | in IOS_CA
22 1714 Oct 20 2009 21:37:42 +00:00 IOS_CA_00001.pem

The password-protected certificate store has been created on the router flash.

Task 2
To ensure all devices in the network have the same time configure NTP server on R1
with a stratum of 4. The server should authenticate the clients with a password of
“Cisco_NTP”. Configure rest of devices as NTP clients to the R1‟s NTP source.

On R1
R1(config)#ntp authentication-key 1 md5 Cisco_NTP
R1(config)#ntp trusted-key 1
R1(config)#ntp authenticate
R1(config)#ntp master 4

On ASA1
ASA1(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA1(config)# ntp authenticate
ASA1(config)# ntp trusted-key 1
ASA1(config)# ntp server 10.1.101.1 key 1

ASA1(config)# access-list OUTSIDE_IN permit udp any host 10.1.101.1 eq 123
ASA1(config)# access-group OUTSIDE_IN in interface Outside

The access from the NTP peers to NTP master (R1).

On ASA2
ASA2(config)# ntp authentication-key 1 md5 Cisco_NTP
ASA2(config)# ntp authenticate
ASA2(config)# ntp trusted-key 1
ASA2(config)# ntp server 10.1.101.1 key 1

On R2
R2(config)#ntp authentication-key 1 md5 Cisco_NTP
R2(config)#ntp authenticate
R2(config)#ntp trusted-key 1
R2(config)#ntp server 10.1.101.1 key 1

R2(config)#ip route 10.1.101.0 255.255.255.0 192.168.1.10
R2(config)#ip route 10.1.105.0 255.255.255.0 192.168.2.10
R2(config)#ip route 10.1.104.0 255.255.255.0 192.168.2.10

On R4
R4(config)#ntp authentication-key 1 md5 Cisco_NTP
R4(config)#ntp authenticate
R4(config)#ntp trusted-key 1
R4(config)#ntp server 10.1.101.1 key 1

On R5
R5(config)#ntp authentication-key 1 md5 Cisco_NTP
R5(config)#ntp authenticate
R5(config)#ntp trusted-key 1
R5(config)#ntp server 10.1.101.1 key 1

Verification
R1#sh ntp status
Clock is synchronized, stratum 4, reference is 127.127.7.1

Page 237 of 694
CCIE Security v3 Lab Workbook

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CE88ADA8.1FB35E7B (21:44:08.123 UTC Tue Oct 20 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

Note that R1 (the master) is synchronized with 127.127.7.1. This is a internaly
created IP address of internal NTP server which instance has been created after
issuing “ntp master” command. With this internal address the R1‟s clock is
synchronized. Remember, if you would be asked to enable a peer authentication on NTP
master than you have to configure an peer ACLs and permit 127.127.7.1. Without doing
that the NTP server will be always out of sync.

R1#sh ntp associations

address ref clock st when poll reach delay offset disp
*~127.127.7.1 127.127.7.1 3 2 64 377 0.0 0.00 0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

ASA1(config)# sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ce88af37.bc6be95a (21:50:47.736 UTC Tue Oct 20 2009)
clock offset is -0.5972 msec, root delay is 0.98 msec
root dispersion is 3891.33 msec, peer dispersion is 3890.69 msec

Note that ASA is assiociated with R1.

ASA1(config)# sh ntp associations
address ref clock st when poll reach delay offset disp
*~10.1.101.1 127.127.7.1 4 50 64 7 1.0 -0.60 3890.7
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

R1 is the NTP master and ASA is synced with it. The asterisk indicates that.
Address field contains an IP address of the NTP peer. Ref clock field (reference
clock) contains an IP address of reference clock of peer. Note that stratum for this
peer is 5 (every next NTP peer in the NTP path will results of increased stratum
value).

ASA2(config)# sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ce88b2ee.eb59aae0 (22:06:38.919 UTC Tue Oct 20 2009)
clock offset is 0.5964 msec, root delay is 1.27 msec
root dispersion is 7891.36 msec, peer dispersion is 7890.73 msec

ASA2(config)# sh ntp associations
address ref clock st when poll reach delay offset disp
*~10.1.101.1 127.127.7.1 4 11 64 3 1.3 0.60 7890.7
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

R2#sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CE88B210.397BFBDE (22:02:56.224 UTC Tue Oct 20 2009)
clock offset is 1.3123 msec, root delay is 1.77 msec
root dispersion is 15876.36 msec, peer dispersion is 15875.02 msec

R2#sh ntp associations

address ref clock st when poll reach delay offset disp
*~10.1.101.1 127.127.7.1 4 28 64 1 1.8 1.31 15875.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

R4#sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CE8B342F.39971B35 (19:42:39.224 UTC Thu Oct 22 2009)
clock offset is 1.5869 msec, root delay is 2.15 msec
root dispersion is 15876.62 msec, peer dispersion is 15875.02 msec

R4#sh ntp associations

address ref clock st when poll reach delay offset disp
*~10.1.101.1 127.127.7.1 4 26 64 1 2.2 1.59 15875.

Page 238 of 694
CCIE Security v3 Lab Workbook

* master (synced), # master (unsynced), + selected, - candidate, ~ configure

R5#sh ntp status
Clock is synchronized, stratum 5, reference is 10.1.101.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CE88B28F.63FAD3D2 (22:05:03.390 UTC Tue Oct 20 2009)
clock offset is 2.5238 msec, root delay is 2.12 msec
root dispersion is 3877.93 msec, peer dispersion is 3875.38 msec

R5#sh ntp associations

address ref clock st when poll reach delay offset disp
*~10.1.101.1 127.127.7.1 4 24 64 7 2.1 2.52 3875.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Task 3
On both ASAs enroll a certificate for IPSec peer authentication. Ensure that FQDN
and certificate attributes like Common Name and Country are used. Certificate uses
for IPSec authentication should have at least 1024 bytes keys. Configure domain
name of MicronicsTraining.com

On ASA1
ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec

The certificate will be used for SSL or IPSec authentication.

ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com
ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit
ASA1(config)# crypto ca authenticate IOS_CA

INFO: Certificate has the following attributes:
Fingerprint: 2ccfec44 8b1fa216 4b9ca190 024184a0
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

The CA configured at 10.1.101.1 has been authenticated. Authentication of the CA
results of the root CA certificate retrieval and writing it in the router‟s
configuration after the acceptance.

ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA1, C=US

% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!

The certificate has been issued automaticaly. Auto enrollment is working

Page 239 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# access-list OUTSIDE_IN permit tcp host 192.168.2.10 host 10.1.101.1 eq 80

SCEP (it uses HTTP protocol) for ASA2 should be allowed.

On ASA2
ASA2(config)# domain-name MicronicsTraining.com
ASA2(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA2(config)# crypto ca trustpoint IOS_CA
ASA2(config-ca-trustpoint)# id-usage ssl-ipsec
ASA2(config-ca-trustpoint)# subject-name CN=ASA2, C=US
ASA2(config-ca-trustpoint)# fqdn ASA2.MicronicsTraining.com
ASA2(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA2(config-ca-trustpoint)# exit
ASA2(config)# crypto ca authenticate IOS_CA

INFO: Certificate has the following attributes:
Fingerprint: 2ccfec44 8b1fa216 4b9ca190 024184a0
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

ASA2(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA2, C=US

% The fully-qualified domain name in the certificate will be: ASA2.MicronicsTraining.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA2(config)# The certificate has been granted by CA!

Verification
ASA1(config)# sh crypto ca trustpoints

Trustpoint IOS_CA:
Subject Name:
cn=IOS_CA
Serial Number: 01
Certificate configured.
CEP URL: http://10.1.101.1

ASA1(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOS_CA
Subject Name:
hostname=ASA1.MicronicsTraining.com
cn=ASA1
c=US
Validity Date:
start date: 22:14:31 UTC Oct 20 2009
end date: 22:14:31 UTC Oct 19 2012
Associated Trustpoints: IOS_CA

Page 240 of 694
CCIE Security v3 Lab Workbook

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOS_CA
Subject Name:
cn=IOS_CA
Validity Date:
start date: 21:37:39 UTC Oct 20 2009
end date: 21:37:39 UTC Oct 19 2014
Associated Trustpoints: IOS_CA

This is the CA root certificate accepted during the trustpoint authentication.

ASA2(config)# sh crypto ca trustpoints

Trustpoint IOS_CA:
Subject Name:
cn=IOS_CA
Serial Number: 01
Certificate configured.
CEP URL: http://10.1.101.1

ASA2(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOS_CA
Subject Name:
hostname=ASA2.MicronicsTraining.com
cn=ASA2
c=US
Validity Date:
start date: 22:19:48 UTC Oct 20 2009
end date: 22:19:48 UTC Oct 19 2012
Associated Trustpoints: IOS_CA

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=IOS_CA
Subject Name:
cn=IOS_CA
Validity Date:
start date: 21:37:39 UTC Oct 20 2009
end date: 21:37:39 UTC Oct 19 2014
Associated Trustpoints: IOS_CA

Page 241 of 694
CCIE Security v3 Lab Workbook

Lab 1.37. Site-to-Site IPSec VPN using PKI
(ASA-ASA)
This lab is based on the previous lab configuration.

Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

Task 1
Configure Site to Site IPSec VPN between ASA1 and ASA2. Ensure that only traffic
between hosts 1.1.1.1 and 5.5.5.5 gets encrypted. Use Certificate Authority and
keys/certificates enrolled in the previous lab.
Use the following setting for building the VPN:
ISAKMP Policy:
- Authentincation: RSA signatures
- Encryption 3DES
- Hash MD5
- DH Group 2
IPSec Policy:
- Encryption 3DES
- Hash MD5
- Enable PFS.

Page 242 of 694
CCIE Security v3 Lab Workbook

On ASA1
ASA1(config)# crypto isakmp enable outside

ASA1(config)# access-list CRYPTO_ACL permit ip host 1.1.1.1 host 5.5.5.5

ASA1(config)# tunnel-group 192.168.2.10 type ipsec-l2l
ASA1(config)# tunnel-group 192.168.2.10 ipsec-attributes
ASA1(config-tunnel-ipsec)# trust-point IOS_CA

The special arrangements for IPSec on ASA are configured in the tunnel-group
configuration. The tunnel group has been pointed to valid CA. This CA will be used for
peer authentication.

ASA1(config-tunnel-ipsec)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth rsa-sig

For peer authentication based on X509v3 certificates the authentication with RSA
signatures has to be enabled in the ISAKMP policy.

ASA1(config-isakmp-policy)# encry 3des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2

ASA1(config-isakmp-policy)# crypto ipsec transform-set TSET esp-3des esp-md5-hmac

ASA1(config)# crypto map ENCRYPT_OUT 1 match address CRYPTO_ACL
ASA1(config)# crypto map ENCRYPT_OUT 1 set peer 192.168.2.10
ASA1(config)# crypto map ENCRYPT_OUT 1 set pfs group2

The Perfect Forward Secrecy will be used along with 1024-bits RSA keys (DH Group 2).

ASA1(config)# crypto map ENCRYPT_OUT 1 set transform-set TSET
ASA1(config)# crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA

ASA1(config)# crypto map ENCRYPT_OUT interface Outside

ASA1(config)# route inside 1.1.1.1 255.255.255.255 10.1.101.1

On ASA2
ASA2(config)# crypto isakmp enable outside

ASA2(config)# access-list CRYPTO_ACL permit ip host 5.5.5.5 host 1.1.1.1

ASA2(config)# tunnel-group 192.168.1.10 type ipsec-l2l
ASA2(config)# tunnel-group 192.168.1.10 ipsec-attributes
ASA2(config-tunnel-ipsec)# trust-point IOS_CA

ASA2(config-tunnel-ipsec)# crypto isakmp policy 10
ASA2(config-isakmp-policy)# auth rsa-sig
ASA2(config-isakmp-policy)# encry 3des
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# group 2

ASA2(config-isakmp-policy)# crypto ipsec transform-set TSET esp-3des esp-md5-hmac

ASA2(config)# crypto map ENCRYPT_OUT 1 match address CRYPTO_ACL
ASA2(config)# crypto map ENCRYPT_OUT 1 set peer 192.168.1.10
ASA2(config)# crypto map ENCRYPT_OUT 1 set pfs group2
ASA2(config)# crypto map ENCRYPT_OUT 1 set transform-set TSET
ASA2(config)# crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA

ASA2(config)# crypto map ENCRYPT_OUT interface Outside

ASA2(config)# route Inside_US 5.5.5.5 255.255.255.255 10.1.105.5

Verification
R1#ping 5.5.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

Page 243 of 694
CCIE Security v3 Lab Workbook

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

ASA1(config)# sh crypto isakmp

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.2.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

IKE tunnel has been established. Note that command outputs on ASA differ from command
output from IOS router. The ASA distinguishes the role of the device in ISAKMP SA
negotiation. Also Main Mode state is named differently. In this case MM_ACTIVE has the
same meaning as QM_IDLE on the router.

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 4
In Octets: 9216
In Packets: 50
In Drop Packets: 3
In Notifys: 27
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 9724
Out Packets: 53
Out Drop Packets: 0
Out Notifys: 54
Out P2 Exchanges: 4
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 3
Initiator Tunnels: 4
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

ASA1(config)# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.2.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

ASA1(config)# sh crypto ipsec sa
interface: Outside
Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.1.10

Page 244 of 694
CCIE Security v3 Lab Workbook

access-list CRYPTO_ACL permit ip host 1.1.1.1 host 5.5.5.5
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer: 192.168.2.10

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.2.10

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 5C4F95C0

inbound esp sas:
spi: 0x1AC28131 (448954673)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (3914999/28641)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x5C4F95C0 (1548719552)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (3914999/28641)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb

Active Session Summary

Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 0 : 0 : 0
Clientless only : 0 : 0 : 0
With client : 0 : 0 : 0 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 1 : 4 : 1
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 1 : 4

License Information:
IPsec : 250 Configured : 250 Active : 1 Load : 0%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 1 : 4 : 1
SSL VPN : 0 : 0 : 0
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 1 : 4

Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 1 : 4 : 1
IPsec : 1 : 4 : 1
Totals : 2 : 8

Active NAC Sessions:
No NAC sessions to display

Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display

Page 245 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 192.168.2.10
Index : 4 IP Addr : 5.5.5.5
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 400 Bytes Rx : 400
Login Time : 10:03:25 UTC Sun Jul 18 2010
Duration : 0h:06m:18s

ASA2(config)# sh crypto isakmp

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.1.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 4
In Octets: 12112
In Packets: 82
In Drop Packets: 3
In Notifys: 55
In P2 Exchanges: 4
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 3
Out Octets: 11028
Out Packets: 71
Out Drop Packets: 0
Out Notifys: 104
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

ASA2(config)# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.1.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

Page 246 of 694
CCIE Security v3 Lab Workbook

ASA2(config)# sh crypto ipsec sa
interface: Outside
Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.2.10

access-list CRYPTO_ACL permit ip host 5.5.5.5 host 1.1.1.1
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 192.168.1.10

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.2.10, remote crypto endpt.: 192.168.1.10

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1AC28131

inbound esp sas:
spi: 0x5C4F95C0 (1548719552)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/28441)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x1AC28131 (448954673)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/28441)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA2(config)# sh vpn-sessiondb detail

Active Session Summary

Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 0 : 0 : 0
Clientless only : 0 : 0 : 0
With client : 0 : 0 : 0 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 1 : 4 : 1
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 1 : 4

License Information:
IPsec : 250 Configured : 250 Active : 1 Load : 0%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 1 : 4 : 1
SSL VPN : 0 : 0 : 0
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 1 : 4

Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 1 : 4 : 1
IPsec : 1 : 4 : 1
Totals : 2 : 8

Active NAC Sessions:
No NAC sessions to display

Page 247 of 694
CCIE Security v3 Lab Workbook

Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display

ASA2(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 192.168.1.10
Index : 4 IP Addr : 1.1.1.1
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 400 Bytes Rx : 400
Login Time : 10:03:25 UTC Sun Jul 18 2010
Duration : 0h:06m:34s

Verification (detailed)
ASA1(config)# deb cry isakmp 9
ASA1(config)#
ASA1(config)# Jul 18 10:03:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE Initiator: New Phase 1, Intf Inside, IKE Peer
192.168.2.10 local Proxy Address 1.1.1.1, remote Proxy Address 5.5.5.5, Crypto map
(ENCRYPT_OUT)
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing ISAKMP SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Traversal VID ver 02
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Traversal VID ver 03
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Traversal VID ver RFC
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing Fragmentation VID + extended
capabilities payload
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads
: HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length
: 168
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128

Layout of IKE packet payloads presented (the both: sent and received)

Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Oakley proposal is acceptable
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received NAT-Traversal ver 02 VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Fragmentation VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, IKE Peer included IKE fragmentation
capability flags: Main Mode: True Aggressive Mode: True
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing nonce payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing certreq payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing Cisco Unity VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing xauth V6 VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Send IOS VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Constructing ASA spoofing IOS Vendor ID
payload (version: 1.0.0, capabilities: 20000001)
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash

NAT-D payload has been prepared.

Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads
: HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ISA_KE payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing nonce payload

Page 248 of 694
CCIE Security v3 Lab Workbook

Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing cert request payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Cisco Unity client VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received xauth V6 VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Processing VPN3000/ASA spoofing IOS Vendor
ID payload (version: 1.0.0, capabilities: 20000001)
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Altiga/Cisco VPN3000/Cisco ASA GW
VID
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing NAT-Discovery payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, computing NAT Discovery hash
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Generating keys for Initiator...
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing cert payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing RSA signature
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Computing hash for ISAKMP
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, constructing dpd vid payload
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads
: HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total
length : 865
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Automatic NAT Detection Status: Remote end is
NOT behind a NAT device This end is NOT behind a NAT device

NAT Discovery process has been performed. The devices are not behind the NAT.

Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Rcv'd fragment from a new fragmentation set.
Deleting any old fragments.
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Successfully assembled an encrypted pkt from
rcv'd fragments!
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with
payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0)
total length : 865
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing cert payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing RSA signature
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Computing hash for ISAKMP
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Processing IOS keep alive payload:
proposal=32767/32767 sec.
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: IP = 192.168.2.10, Received DPD VID
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Trying to find group via OU...
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, No Group found by matching OU(s) from ID payload:
Unknown
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Trying to find group via IKE ID...
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, No Group found by matching OU(s) from ID payload:
Unknown
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Trying to find group via IP ADDR...

The ASA has searched the ID for identify localy configured tunnel group. The IP
address has been chosen.

Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Connection landed on tunnel_group 192.168.2.10
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, peer ID type 9
received (DER_ASN1_DN)
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Oakley begin quick
mode
Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, Keep-alive type for this connection: DPD
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Starting P1 rekey
timer: 73440 seconds.
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, IKE got SPI from key
engine: SPI = 0x1ac28131
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, oakley constucting
quick mode
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing blank
hash payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing IPSec SA
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing IPSec
nonce payload

Page 249 of 694
CCIE Security v3 Lab Workbook

Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing pfs ke
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing proxy ID
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Transmitting Proxy Id:
Local host: 1.1.1.1 Protocol 0 Port 0
Remote host: 5.5.5.5 Protocol 0 Port 0

Local and remote proxies. The ip protocol between 1.1.1.1 and 5.5.5.5 will be
encrypted.

Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing qm hash
payload
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=a0018003) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) +
NONE (0) total length : 320
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=a0018003) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total
length : 292
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing hash
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing SA payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing nonce
payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ke payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ISA_KE for
PFS in phase 2
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing ID payload
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, loading all IPSEC SAs
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Generating Quick Mode
Key!
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, NP encrypt rule look
up for crypto map ENCRYPT_OUT 1 matching ACL CRYPTO_ACL: returned cs_id=d7cf5238;
rule=d79baf10
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Generating Quick Mode
Key!
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, NP encrypt rule look
up for crypto map ENCRYPT_OUT 1 matching ACL CRYPTO_ACL: returned cs_id=d7cf5238;
rule=d79baf10
Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, Security negotiation
complete for LAN-to-LAN Group (192.168.2.10) Initiator, Inbound SPI = 0x1ac28131, Outbound
SPI = 0x5c4f95c0
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, oakley constructing
final quick mode
Jul 18 10:03:25 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=a0018003) with
payloads : HDR + HASH (8) + NONE (0) total length : 72
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, IKE got a KEY_ADD msg
for SA: SPI = 0x5c4f95c0
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Pitcher: received
KEY_UPDATE, spi 0x1ac28131
Jul 18 10:03:25 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Starting P2 rekey
timer: 24480 seconds.
Jul 18 10:03:25 [IKEv1]: Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED
(msgid=a0018003)
Jul 18 10:03:40 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=30705dbc) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing hash
payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, processing notify
payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Received keep-alive of
type DPD R-U-THERE (seq number 0x3990fdb6)
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x3990fdb6)
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing blank
hash payload
Jul 18 10:03:40 [IKEv1 DEBUG]: Group = 192.168.2.10, IP = 192.168.2.10, constructing qm hash
payload
Jul 18 10:03:40 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=f34536d8) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

ASA1(config)# un all
ASA1(config)#

Page 250 of 694
CCIE Security v3 Lab Workbook

Lab 1.38. Site-to-Site IPSec VPN using PKI
(IOS-IOS)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 251 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
Configure Site-to-Site IPSec Tunnel between R4 and R5 to encrypt traffic flows going
between IP address of 4.4.4.4 and IP address of 5.5.5.5.
Use the following parameters for the tunnel:
 ISAKMP Parameters
o Authentication: RSA Certificate
o Encryption: 3DES
o Group: 2
o Hash: MD5
 IPSec Parameters
o Encryption: ESP/3DES
o Authentication: ESP/MD5
Use IOS CA server configured on R1 for certificate enrollment. Configure domain
name of MicronicsTraining.com and ensure that FQDN and Country (US) are
included in the certificate request.

On R5
R5(config)#ip domain-name MicronicsTraining.com
R5(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R5.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R5(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#crypto ca trustpoint IOS_CA
R5(ca-trustpoint)#usage ike

The usage of the certificate has been defined. The certificate is intended to use for
IKE peer authentication.

R5(ca-trustpoint)#subject-name CN=R5, C=US
R5(ca-trustpoint)#enrollment url http://10.1.101.1
R5(ca-trustpoint)#exit
R5(config)#crypto ca authenticate IOS_CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
%PKI-3-SOCKETSEND: Failed to send out message to CA server.

Page 252 of 694
CCIE Security v3 Lab Workbook

The above error indicates that there is a problem with connection to the CA. It seems
like ASA is blocking that connection. Let‟s configure appropriate ACE in access list
of OUTSIDE_IN (for R4 and R5)

On ASA1
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.105.5 host 10.1.101.1 eq 80
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.104.4 host 10.1.101.1 eq 80

The SCEP has been allowed through ASA1.

On R5
R5(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R5(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R5, C=US
% The subject name in the certificate will include: R5.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' commandwill show the fingerprint.

R5(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: 05D7E98F E04055D7 AA68622D B48D6C92
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 302D643E 69C6FECF 71984DF1 D29DB5ED
C110B64F
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#hash md5
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#group 2

R5(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R5(cfg-crypto-trans)#exit

R5(config)#access-list 120 permit ip host 5.5.5.5 host 4.4.4.4

R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R5(config-crypto-map)#set peer 10.1.104.4
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#exit

R5(config)#int f0/0
R5(config-if)#crypto map ENCRYPT

On R4
R4(config)#ip domain-name MicronicsTraining.com
R4(config)#crypto key generate rsa modulus 1024

Page 253 of 694
CCIE Security v3 Lab Workbook

The name for the keys will be: R4.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R4(config)#
Oct 22 19:45:14.441: %SSH-5-ENABLED: SSH 1.99 has been enabled

R4(config)#crypto ca trustpoint IOS_CA
R4(ca-trustpoint)#usage ike
R4(ca-trustpoint)#subject-name CN=R4, C=CA
R4(ca-trustpoint)#enrollment url http://10.1.101.1
R4(ca-trustpoint)#exit

R4(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R4(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R4, C=CA
% The subject name in the certificate will include: R4.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' commandwill show the fingerprint.

R4(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: D709C725 A0D9081A D8FA55B4 EAF866C6
CRYPTO_PKI: Certificate Request Fingerprint SHA1: A82A6373 70FEA31E AE3B1933 4965B8C0
41695706
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication rsa-sig
R4(config-isakmp)#group 2

R4(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 5.5.5.5

R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.1.105.5
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#match address 120

R4(config-crypto-map)#int f0/0
R4(config-if)#crypto map ENCRYPT
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On ASA2
Since IPSec tunnel needs to be established between two peers which are on different
interfaces of ASA but with the same security level of 100, this must be explicitly
allowed.

Page 254 of 694
CCIE Security v3 Lab Workbook

ASA2(config)# same-security-traffic permit inter-interface

Verification

Run ping from R5‟s loopback0 towards R4‟s loopback0.

R5#pi 4.4.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms

R5#sh cry engine conn act
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE MD5+3DES 0 0 10.1.105.5
2001 IPsec 3DES+MD5 0 4 10.1.105.5
2002 IPsec 3DES+MD5 4 0 10.1.105.5

The tunnels have been established.

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.104.4 10.1.105.5 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 10.1.104.4 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 10.1.104.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF1BDE182(4055753090)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF37CEB79(4085050233)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4599543/3585)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF1BDE182(4055753090)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4599543/3585)
IV size: 8 bytes

Page 255 of 694
CCIE Security v3 Lab Workbook

replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R5#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.104.4 port 500
IKE SA: local 10.1.105.5/500 remote 10.1.104.4/500 Active
IPSEC FLOW: permit ip host 5.5.5.5 host 4.4.4.4
Active SAs: 2, origin: crypto map

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.104.4 10.1.105.5 QM_IDLE 1004 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.104.4

protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer 10.1.105.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 10.1.105.5
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF37CEB79(4085050233)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF1BDE182(4055753090)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: NETGX:7, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4417938/3561)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF37CEB79(4085050233)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: NETGX:8, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4417938/3561)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R4#sh crypto session
Crypto session current status

Page 256 of 694
CCIE Security v3 Lab Workbook

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.105.5 port 500
IKE SA: local 10.1.104.4/500 remote 10.1.105.5/500 Active
IPSEC FLOW: permit ip host 4.4.4.4 host 5.5.5.5
Active SAs: 2, origin: crypto map

Page 257 of 694
CCIE Security v3 Lab Workbook

Lab 1.39. Site-to-Site IPSec VPN using PKI
(Static IP IOS-ASA)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 258 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
There is Company‟s Headquarters in US consists of ASA1 and R1. The Company
has two branch offices: one in US (R5) and other in Canada (R4). All routers use
static IP while connecting to the Internet.
Configure the following Site-to-Site IPSec Tunnels:

Tunnel SRC DST ISAKMP Policy IPSec Policy
Endpoint Network Network
R5 – ASA1 5.5.5.5 1.1.1.1 Authentication: RSA Encryption:
Encryption: 3DES ESP/3DES
Group: 2 Authentication:
Hash: MD5 ESP/MD5
R4 – ASA1 4.4.4.4 1.1.1.1 Authentication: RSA Encryption: ESP/DES
Encryption: DES Authentication:
Group: 2 ESP/SHA
Hash: SHA

Use IOS CA server configured on R1 for certificate enrollment. Configure domain
name of MicronicsTraining.com and ensure that FQDN and Country are included in
the certificate request. Enable Perfect Forward Secrecy feature.

On ASA1
ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com
ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit

Page 259 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# crypto ca authenticate IOS_CA

INFO: Certificate has the following attributes:
Fingerprint: 01973e0c a51f6b10 cb074127 c07c60bc
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA1, C=US

% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!

ASA1(config)# crypto isakmp enable outside

ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc 3des
ASA1(config-isakmp-policy)# has md5
ASA1(config-isakmp-policy)# gr 2

ASA1(config-isakmp-policy)# crypto isakmp policy 20
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc des
ASA1(config-isakmp-policy)# ha sha
ASA1(config-isakmp-policy)# gr 2
ASA1(config-isakmp-policy)# exit

ASA1(config)# tunnel-group 10.1.105.5 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.105.5 ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck

The “peer-id-validate” command has three options:
* Required = Enable the IKE peer identity validation feature. If a peer's certificate does not provide
sufficient information to perform an identity check, drop the tunnel.
* If supported by certificate = Enable the IKE peer identity validation feature. If a peer's certificate
does not provide sufficient information to perform an identity check, allow the tunnel.
* Do not check = Do not check the peer's identity at all. Selecting this option disables the feature.

The default option is “required”, meaning that if the remote peer does not provide correct identity
information during IKE Phase 1, the tunnel will fail. What does the ASA do? It checks if peer’s
identity (default is an IP address) is included in certificate’s Subject Alt Name.
Hence, we have two options here:
(1) Disable this feature on the ASA by issuing “peer-id-validate
nocheck” command
(2) Send correct identity info from peers, by issuing “crypto isakmp
identity dn” command on R4 and R5

ASA1(config-tunnel-ipsec)# trust-point IOS_CA

Page 260 of 694
CCIE Security v3 Lab Workbook

ASA1(config-tunnel-ipsec)# tunnel-group 10.1.104.4 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.104.4 ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit

ASA1(config)# crypto ipsec transform-set TSET_US esp-3des esp-md5-hmac
ASA1(config)# crypto ipsec transform-set TSET_CA esp-des esp-sha-hmac

ASA1(config)# access-list ACL_US permit ip ho 1.1.1.1 ho 5.5.5.5
ASA1(config)# access-list ACL_CA permit ip ho 1.1.1.1 ho 4.4.4.4

The crypto ACLs that enable the ASA and its peers to traffic encryption thoughout
tunnels terminated on ASA‟s outside interface.

ASA1(config)# crypto map ENCRYPT_OUT 1 match address ACL_US
ASA1(config)# crypto map ENCRYPT_OUT 1 set transform TSET_US
ASA1(config)# crypto map ENCRYPT_OUT 1 set trustpoint IOS_CA
ASA1(config)# crypto map ENCRYPT_OUT 1 set peer 10.1.105.5
ASA1(config)# crypto map ENCRYPT_OUT 1 set pfs group2

ASA1(config)# crypto map ENCRYPT_OUT 2 match address ACL_CA
ASA1(config)# crypto map ENCRYPT_OUT 2 set transform TSET_CA
ASA1(config)# crypto map ENCRYPT_OUT 2 set trustpoint IOS_CA
ASA1(config)# crypto map ENCRYPT_OUT 2 set peer 10.1.104.4
ASA1(config)# crypto map ENCRYPT_OUT 2 set pfs group2

ASA1(config)# crypto map ENCRYPT_OUT interface Outside

ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1

ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.105.5 host 10.1.101.1 eq 80
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.104.4 host 10.1.101.1 eq 80

The SCEP from R5 and R4 has been allowed to inside (R1).

On ASA2
We need to take care of ESP traffic going through ASA2 from both branches. As ESP is
not Stateful we either need to allow it in the outside ACL or just enable inspection.

ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit

On R5
R5(config)#ip domain-name MicronicsTraining.com
R5(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R5.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R5(config)#crypto ca trustpoint IOS_CA
R5(ca-trustpoint)#usage ike
R5(ca-trustpoint)#subject-name CN=R5, C=US
R5(ca-trustpoint)#enrollment url http://10.1.101.1
R5(ca-trustpoint)#fqdn R5.MicronicsTraining.com
R5(ca-trustpoint)#exit

R5(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R5(config)#crypto ca enroll IOS_CA
%

Page 261 of 694
CCIE Security v3 Lab Workbook

% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R5, C=US
% The subject name in the certificate will include: R5.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' commandwill show the fingerprint.

R5(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: CB51F487 829E24AB 160BA244 F0256E9B
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 362D19EC 4865EC2E 06915FC0 A45A9551
3B7F4A58
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#hash md5
R5(config-isakmp)#group 2

R5(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R5(cfg-crypto-trans)#access-list 120 permit ip host 5.5.5.5 host 1.1.1.1

R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R5(config-crypto-map)#set peer 192.168.1.10
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#set pfs group2
R5(config-crypto-map)#match address 120

R5(config-crypto-map)#int f0/0
R5(config-if)#crypto map ENCRYPT
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On R4
R4(config)#ip domain-name MicronicsTraining.com
R4(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R4.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

R4(config)#crypto ca trustpoint IOS_CA
R4(ca-trustpoint)#usage ike
R4(ca-trustpoint)#subject-name CN=R4, C=CA
R4(ca-trustpoint)#enrollment url http://10.1.101.1
R4(ca-trustpoint)#fqdn R4.MicronicsTraining.com
R4(ca-trustpoint)#exit

R4(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes

Page 262 of 694
CCIE Security v3 Lab Workbook

Trustpoint CA certificate accepted.

R4(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R4, C=CA
% The subject name in the certificate will include: R4.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' commandwill show the fingerprint.

R4(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: C37B49A5 39B60647 3928452D CB501CFF
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7E096059 984DF493 DC68F185 4325FDDF
5C9D9F7C
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr des
R4(config-isakmp)#ha sha
R4(config-isakmp)#authentication rsa-sig
R4(config-isakmp)#group 2

R4(config-isakmp)#crypto ipsec transform-set TSET esp-des esp-sha-hmac

R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 1.1.1.1

R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 192.168.1.10
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#set pfs group2
R4(config-crypto-map)#match address 120

R4(config-crypto-map)#int f0/0
R4(config-if)# crypto map ENCRYPT
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification
R4#ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.10 10.1.104.4 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.104.4

Page 263 of 694
CCIE Security v3 Lab Workbook

protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF2B4FC1B(4071947291)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0xE63FC84A(3862939722)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4405037/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF2B4FC1B(4071947291)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4405037/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R4#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 4.4.4.4 host 1.1.1.1
Active SAs: 2, origin: crypto map

R5#ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.10 10.1.105.5 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)

Page 264 of 694
CCIE Security v3 Lab Workbook

remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x89B0F77C(2310076284)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0xB4192B2C(3021548332)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4407895/3499)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x89B0F77C(2310076284)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4407895/3499)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R5#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 5.5.5.5 host 1.1.1.1
Active SAs: 2, origin: crypto map

ASA1(config)# un all
ASA1(config)# sh crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 10.1.105.5
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 10.1.104.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA1(config)# sh crypto ipsec sa
interface: Outside
Crypto map tag: ENCRYPT_OUT, seq num: 2, local addr: 192.168.1.10

access-list ACL_CA permit ip host 1.1.1.1 host 4.4.4.4
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer: 10.1.104.4

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

Page 265 of 694
CCIE Security v3 Lab Workbook

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E63FC84A

inbound esp sas:
spi: 0xF2B4FC1B (4071947291)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24576, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3556)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xE63FC84A (3862939722)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24576, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3556)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.1.10

access-list ACL_US permit ip host 1.1.1.1 host 5.5.5.5
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer: 10.1.105.5

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.105.5

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B4192B2C

inbound esp sas:
spi: 0x89B0F77C (2310076284)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3469)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xB4192B2C (3021548332)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3468)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb

Active Session Summary

Page 266 of 694
CCIE Security v3 Lab Workbook

Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 0 : 0 : 0
Clientless only : 0 : 0 : 0
With client : 0 : 0 : 0 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 2 : 6 : 2
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 2 : 6

License Information:
IPsec : 250 Configured : 250 Active : 2 Load : 1%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 2 : 6 : 2
SSL VPN : 0 : 0 : 0
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 2 : 6

Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 2 : 6 : 2
IPsec : 2 : 6 : 2
Totals : 4 : 12

Active NAC Sessions:
No NAC sessions to display

Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 10.1.105.5
Index : 5 IP Addr : 5.5.5.5
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 400 Bytes Rx : 400
Login Time : 11:18:19 UTC Sun Jul 18 2010
Duration : 0h:02m:27s
Connection : 10.1.104.4
Index : 6 IP Addr : 4.4.4.4
Protocol : IKE IPsec
Encryption : DES Hashing : SHA1
Bytes Tx : 400 Bytes Rx : 400
Login Time : 11:19:43 UTC Sun Jul 18 2010
Duration : 0h:01m:03s
ASA1(config)#

Verification (detailed)
ASA1(config)# deb cry isak 9
ASA1(config)# Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE
(0) total length : 164
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing SA payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Oakley proposal is acceptable
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal RFC VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 03 VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 02 VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing IKE SA payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, IKE SA Proposal # 1, Transform # 1 acceptable
Matches global IKE entry # 3
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing ISAKMP SA payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing NAT-Traversal VID ver 02 payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing Fragmentation VID + extended
capabilities payload

Page 267 of 694
CCIE Security v3 Lab Workbook

Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads
: HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 300
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ke payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ISA_KE payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing nonce payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing cert request payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received DPD VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Processing IOS/PIX Vendor ID payload (version:
1.0.0, capabilities: 00000f6f)
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Received xauth V6 VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing ke payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing nonce payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing certreq payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing Cisco Unity VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing xauth V6 VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Send IOS VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Constructing ASA spoofing IOS Vendor ID
payload (version: 1.0.0, capabilities: 20000001)
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing VID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing NAT-Discovery payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, computing NAT Discovery hash
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Generating keys for Responder...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 320
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads
: HDR + ID (5) + CERT (6) + SIG (9) + NOTIFY (11) + NONE (0) total length : 766
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing cert payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing RSA signature
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Computing hash for ISAKMP
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, processing notify payload
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Automatic NAT Detection Status: Remote end is
NOT behind a NAT device This end is NOT behind a NAT device
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Trying to find group via OU...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, No Group found by matching OU(s) from ID payload:
Unknown
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Trying to find group via IKE ID...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Trying to find group via IP ADDR...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Connection landed on tunnel_group 10.1.105.5
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, peer ID type 2 received
(FQDN)
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Peer ID check bypassed
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing ID payload
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing cert payload
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing RSA signature
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Computing hash for ISAKMP
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing dpd vid
payload
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length
: 818
Jul 18 11:18:19 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 1 COMPLETED
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Keep-alive type for this connection: DPD
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Starting P1 rekey timer:
64800 seconds.
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=64bdc5ed) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total
length : 292
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing SA payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing nonce payload

Page 268 of 694
CCIE Security v3 Lab Workbook

Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ke payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ISA_KE for PFS
in phase 2
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ID payload
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Received remote Proxy Host data
in ID Payload: Address 5.5.5.5, Protocol 0, Port 0
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing ID payload
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Received local Proxy Host data
in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, QM IsRekeyed old sa not found by
addr
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Static Crypto Map check,
checking map = ENCRYPT_OUT, seq = 1...
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Static Crypto Map check, map
ENCRYPT_OUT, seq = 1 is a successful match
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, IKE Remote Peer configured for
crypto map: ENCRYPT_OUT
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing IPSec SA
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IPSec SA Proposal # 1,
Transform # 1 acceptable Matches global IPSec SA entry # 1
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, IKE: requesting SPI!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IKE got SPI from key
engine: SPI = 0x89b0f77c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, oakley constucting quick
mode
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank hash
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing IPSec SA
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing IPSec nonce
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing pfs ke
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing proxy ID
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Transmitting Proxy Id:
Remote host: 5.5.5.5 Protocol 0 Port 0
Local host: 1.1.1.1 Protocol 0 Port 0
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm hash
payload
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=64bdc5ed) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total
length : 292
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=64bdc5ed) with
payloads : HDR + HASH (8) + NONE (0) total length : 48
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, loading all IPSEC SAs
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Generating Quick Mode Key!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, NP encrypt rule look up
for crypto map ENCRYPT_OUT 1 matching ACL ACL_US: returned cs_id=d7cb38c0; rule=d7c9fc68
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Generating Quick Mode Key!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, NP encrypt rule look up
for crypto map ENCRYPT_OUT 1 matching ACL ACL_US: returned cs_id=d7cb38c0; rule=d7c9fc68
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Security negotiation complete
for LAN-to-LAN Group (10.1.105.5) Responder, Inbound SPI = 0x89b0f77c, Outbound SPI =
0xb4192b2c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IKE got a KEY_ADD msg for
SA: SPI = 0xb4192b2c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Pitcher: received
KEY_UPDATE, spi 0x89b0f77c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Starting P2 rekey timer:
3420 seconds.
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 2 COMPLETED
(msgid=64bdc5ed)
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type
DPD R-U-THERE (seq number 0x22ad78e5)
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank hash
payload
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm hash
payload
Jul 18 11:18:38 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=81cb2dd5) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:38 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=6e139995) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash payload
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing notify payload

Page 269 of 694
CCIE Security v3 Lab Workbook

Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of
type DPD R-U-THERE-ACK (seq number 0x22ad78e5)
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type
DPD R-U-THERE (seq number 0x22ad78e6)
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank hash
payload
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm hash
payload
Jul 18 11:18:48 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=530ce865) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:48 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=11faf851) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash payload
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing notify payload
Jul 18 11:18:48 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of
type DPD R-U-THERE-ACK (seq number 0x22ad78e6)
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Sending keep-alive of type
DPD R-U-THERE (seq number 0x22ad78e7)
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank hash
payload
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm hash
payload
Jul 18 11:18:58 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=d1cf7f74) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:58 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=fcf96857) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing hash payload
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing notify payload
Jul 18 11:18:58 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keep-alive of
type DPD R-U-THERE-ACK (seq number 0x22ad78e7)

ASA1(config)# un all

Page 270 of 694
CCIE Security v3 Lab Workbook

Lab 1.40. Site-to-Site IPSec VPN using PKI
(Dynamic IP IOS-ASA)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 271 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
There is Company‟s Headquarters in US consists of ASA1 and R1. The Company
has two branch offices: one in US (R5) and other in Canada (R4). To cut leased lines
cost you decided to migrate from static IP routers at branches to dynamic IP DSLs.
The IP address of DSL modems in branches is changing every day.
Configure the following Site-to-Site IPSec Tunnels:

Tunnel SRC DST ISAKMP Policy IPSec Policy
Endpoint Network Network
R5 – ASA1 5.5.5.5 1.1.1.1 Authentication: RSA Encryption:
Encryption: 3DES ESP/3DES
Group: 2 Authentication:
Hash: MD5 ESP/MD5
R4 – ASA1 4.4.4.4 1.1.1.1 Authentication: RSA Encryption: ESP/DES
Encryption: DES Authentication:
Group: 2 ESP/SHA
Hash: SHA

Use IOS CA server configured on R1 for certificate enrollment. Configure domain
name of MicronicsTraining.com and ensure that FQDN and Country are included in
the certificate request. Enable Perfect Forward Secrecy feature. You should assign
proper IPSec Profile for every branch peer using Country field in the peer‟s
Certificate.

On ASA1
ASA1(config)# domain-name MicronicsTraining.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA1(config)# crypto ca trustpoint IOS_CA
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# subject-name CN=ASA1, C=US
ASA1(config-ca-trustpoint)# fqdn ASA1.MicronicsTraining.com

Page 272 of 694
CCIE Security v3 Lab Workbook

ASA1(config-ca-trustpoint)# enrollment url http://10.1.101.1
ASA1(config-ca-trustpoint)# exit
ASA1(config)# crypto ca authenticate IOS_CA

INFO: Certificate has the following attributes:
Fingerprint: 2ccfec44 8b1fa216 4b9ca190 024184a0
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA1(config)# crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=ASA1, C=US

% The fully-qualified domain name in the certificate will be: ASA1.MicronicsTraining.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc 3des
ASA1(config-isakmp-policy)# has md5
ASA1(config-isakmp-policy)# gr 2

ASA1(config-isakmp-policy)# crypto isakmp policy 20
ASA1(config-isakmp-policy)# auth rsa-sig
ASA1(config-isakmp-policy)# enc des
ASA1(config-isakmp-policy)# ha sha
ASA1(config-isakmp-policy)# gr 2
ASA1(config-isakmp-policy)# exit

ASA1(config)# tunnel-group US_VPN type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
ASA1(config)# tunnel-group US_VPN ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit

ASA1(config)# tunnel-group CA_VPN type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
ASA1(config)# tunnel-group CA_VPN ipsec-attr
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# trust-point IOS_CA
ASA1(config-tunnel-ipsec)# exit

We use named tunnel group (instead of IP address). This is because our branch routers
have dynamic IP addresses and we cannot rely on them. Hence, we use certificates for
authentication. By default, the ASA uses OU field from the certificate to match (pick)
the correct tunnel group, hoever, we use certificate maps later in the configuration
to achive the same.

ASA1(config)# crypto ipsec transform-set TSET_US esp-3des esp-md5-hmac
ASA1(config)# crypto ipsec transform-set TSET_CA esp-des esp-sha-hmac

ASA1(config)# access-list ACL_US permit ip ho 1.1.1.1 ho 5.5.5.5
ASA1(config)# access-list ACL_CA permit ip ho 1.1.1.1 ho 4.4.4.4

ASA1(config)# crypto dynamic-map US_VPN 1 match address ACL_US
ASA1(config)# crypto dynamic-map US_VPN 1 set transform TSET_US
ASA1(config)# crypto dynamic-map US_VPN 1 set pfs group2

Page 273 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# crypto dynamic-map CA_VPN 2 match address ACL_CA
ASA1(config)# crypto dynamic-map CA_VPN 2 set transform TSET_CA
ASA1(config)# crypto dynamic-map CA_VPN 2 set pfs group2

This configuration is based on dynamic crypto maps which are used when peer IP address
is unknown or other IPSec parameters are intended to be negotiated (i.e. EasyVPN).

ASA1(config)# crypto map CRYPTO_OUT 1 ipsec-isakmp dynamic US_VPN
ASA1(config)# crypto map CRYPTO_OUT 2 ipsec-isakmp dynamic CA_VPN

ASA1(config)# crypto map CRYPTO_OUT interface Outside

The crypto map has been attached to the outside interface. Note that the peer IP
addresse has not been specified in the crypto map.

ASA1(config)# tunnel-group-map enable rules

ASA1(config)# crypto ca certificate map CERT_MAP 10
ASA1(config-ca-cert-map)# subject-name attr C eq US
ASA1(config-ca-cert-map)# crypto ca certificate map CERT_MAP 20
ASA1(config-ca-cert-map)# subject-name attr C eq CA
ASA1(config-ca-cert-map)# exit

ASA1(config)# tunnel-group-map CERT_MAP 10 US_VPN
ASA1(config)# tunnel-group-map CERT_MAP 20 CA_VPN

The tunnel-group-maps have tied respective crypto maps and certificate maps that allow
to fullfiling the task requirements (Country field in the certificate must be present
and set).

ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1

ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.105.5 host 10.1.101.1 eq 80
ASA1(config)# access-list OUTSIDE_IN permit tcp host 10.1.104.4 host 10.1.101.1 eq 80

On ASA2
ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit

On R5
R5(config)#ip domain-name MicronicsTraining.com
R5(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R5.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R5(config)#crypto ca trustpoint IOS_CA
R5(ca-trustpoint)#usage ike
R5(ca-trustpoint)#subject-name CN=R5, C=US
R5(ca-trustpoint)#enrollment url http://10.1.101.1
R5(ca-trustpoint)#fqdn R5.MicronicsTraining.com
R5(ca-trustpoint)#exit

R5(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R5(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.

Page 274 of 694
CCIE Security v3 Lab Workbook

For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R5, C=US
% The subject name in the certificate will include: R5.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' commandwill show the fingerprint.

R5(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: CB51F487 829E24AB 160BA244 F0256E9B
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 362D19EC 4865EC2E 06915FC0 A45A9551
3B7F4A58
R5(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#hash md5
R5(config-isakmp)#group 2

R5(config-isakmp)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

R5(cfg-crypto-trans)#access-list 120 permit ip host 5.5.5.5 host 1.1.1.1

R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R5(config-crypto-map)#set peer 192.168.1.10
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#set pfs group2
R5(config-crypto-map)#match address 120

R5(config-crypto-map)#int f0/0
R5(config-if)#crypto map ENCRYPT
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On R4
R4(config)#ip domain-name MicronicsTraining.com
R4(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R4.MicronicsTraining.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

R4(config)#crypto ca trustpoint IOS_CA
R4(ca-trustpoint)#usage ike
R4(ca-trustpoint)#subject-name CN=R4, C=CA
R4(ca-trustpoint)#enrollment url http://10.1.101.1
R4(ca-trustpoint)#fqdn R4.MicronicsTraining.com
R4(ca-trustpoint)#exit

R4(config)#crypto ca authenticate IOS_CA
Certificate has the following attributes:
Fingerprint MD5: 01973E0C A51F6B10 CB074127 C07C60BC
Fingerprint SHA1: 24A01750 51D02F6B 9BB419DE B6F40C72 B9E43EDD

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Page 275 of 694
CCIE Security v3 Lab Workbook

R4(config)#crypto ca enroll IOS_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R4, C=CA
% The subject name in the certificate will include: R4.MicronicsTraining.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOS_CA verbose' commandwill show the fingerprint.

R4(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: C37B49A5 39B60647 3928452D CB501CFF
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7E096059 984DF493 DC68F185 4325FDDF
5C9D9F7C
R4(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encr des
R4(config-isakmp)#ha sha
R4(config-isakmp)#authentication rsa-sig
R4(config-isakmp)#group 2

R4(config-isakmp)#crypto ipsec transform-set TSET esp-des esp-sha-hmac

R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 1.1.1.1

R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 192.168.1.10
R4(config-crypto-map)#set transform-set TSET
R4(config-crypto-map)#set pfs group2
R4(config-crypto-map)#match address 120

R4(config-crypto-map)#int f0/0
R4(config-if)# crypto map ENCRYPT
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verification
R4#pin 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R5#ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R4#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature

Page 276 of 694
CCIE Security v3 Lab Workbook

renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime
Cap.

1001 10.1.104.4 192.168.1.10 ACTIVE des sha rsig 2 23:58:20
Engine-id:Conn-id = SW:1

The peers have been authenticated by using certificates - “rsig” indicates that. “show
crypto isakmp sa detail” may be used to determine which ISAKMP policy has been chosen
by the peers.

IPv6 Crypto ISAKMP SA

R4#sh cry eng conn ac
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE SHA+DES 0 0 10.1.104.4
2001 IPsec DES+SHA 0 4 10.1.104.4
2002 IPsec DES+SHA 4 0 10.1.104.4

R4#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 4.4.4.4 host 1.1.1.1
Active SAs: 2, origin: crypto map

This command shows the peers, status of the tunnel and definition of interesting
traffic.

R4#sh cry ips sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.104.4

protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x21D3F08A(567537802)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x13B6803F(330727487)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4492988/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x21D3F08A(567537802)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT

Page 277 of 694
CCIE Security v3 Lab Workbook

sa timing: remaining key lifetime (k/sec): (4492988/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R5#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1005 10.1.105.5 192.168.1.10 ACTIVE 3des md5 rsig 2 23:58:54
Engine-id:Conn-id = SW:5

IPv6 Crypto ISAKMP SA

R5#sh cry eng conn ac
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1005 IKE MD5+3DES 0 0 10.1.105.5
2003 IPsec 3DES+MD5 0 4 10.1.105.5
2004 IPsec 3DES+MD5 4 0 10.1.105.5

R5#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 5.5.5.5 host 1.1.1.1
Active SAs: 2, origin: crypto map

R5#sh cry ips sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF539870C(4114188044)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x5FF3F295(1609822869)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4446487/3522)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

Page 278 of 694
CCIE Security v3 Lab Workbook

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF539870C(4114188044)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4446487/3522)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

ASA1(config)# sh cry isak

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 10.1.104.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 10.1.105.5
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 2
Previous Tunnels: 6
In Octets: 73056
In Packets: 501
In Drop Packets: 54
In Notifys: 376
In P2 Exchanges: 6
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 2
Out Octets: 50884
Out Packets: 472
Out Drop Packets: 0
Out Notifys: 768
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 2
Initiator Tunnels: 1
Initiator Fails: 1
Responder Fails: 21
System Capacity Fails: 0
Auth Fails: 5
Decrypt Fails: 0
Hash Valid Fails: 1
No Sa Fails: 10

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

Page 279 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# sh cry isak sa detail

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 10.1.104.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : des Hash : SHA
Auth : rsa Lifetime: 86400
Lifetime Remaining: 86029
2 IKE Peer: 10.1.105.5
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : rsa Lifetime: 86400
Lifetime Remaining: 86112

ASA1(config)# sh cry ips sa
interface: Outside
Crypto map tag: CA_VPN, seq num: 2, local addr: 192.168.1.10

access-list ACL_CA permit ip host 1.1.1.1 host 4.4.4.4
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer: 10.1.104.4

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 13B6803F

inbound esp sas:
spi: 0x21D3F08A (567537802)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 36864, crypto-map: CA_VPN
sa timing: remaining key lifetime (kB/sec): (4373999/3219)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x13B6803F (330727487)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 36864, crypto-map: CA_VPN
sa timing: remaining key lifetime (kB/sec): (4373999/3219)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: US_VPN, seq num: 1, local addr: 192.168.1.10

access-list ACL_US permit ip host 1.1.1.1 host 5.5.5.5
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer: 10.1.105.5

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

Page 280 of 694
CCIE Security v3 Lab Workbook

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.105.5

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 5FF3F295

inbound esp sas:
spi: 0xF539870C (4114188044)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 40960, crypto-map: US_VPN
sa timing: remaining key lifetime (kB/sec): (4373999/3300)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x5FF3F295 (1609822869)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 40960, crypto-map: US_VPN
sa timing: remaining key lifetime (kB/sec): (4373999/3298)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : CA_VPN
Index : 9 IP Addr : 4.4.4.4
Protocol : IKE IPsec
Encryption : DES Hashing : SHA1
Bytes Tx : 400 Bytes Rx : 400
Login Time : 03:43:19 UTC Fri Jul 23 2010
Duration : 0h:06m:34s
Connection : US_VPN
Index : 10 IP Addr : 5.5.5.5
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 400 Bytes Rx : 400
Login Time : 03:44:42 UTC Fri Jul 23 2010
Duration : 0h:05m:11s

Verification (detailed)

ASA1(config)# deb cry isak 20
ASA1(config)# Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE
(0) total length : 164
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Oakley proposal is acceptable
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received NAT-Traversal RFC VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received NAT-Traversal ver 03 VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received NAT-Traversal ver 02 VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing IKE SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, IKE SA Proposal # 1, Transform # 1 acceptable
Matches global IKE entry # 5
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing ISAKMP SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing NAT-Traversal VID ver 02 payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing Fragmentation VID + extended
capabilities payload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads
: HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D
(130) + NAT-D (130) + NONE (0) total length : 308

Page 281 of 694
CCIE Security v3 Lab Workbook

Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing ISA_KE payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing cert request payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received DPD VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Processing IOS/PIX Vendor ID payload (version:
1.0.0, capabilities: 00000f6f)
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Received xauth V6 VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing certreq payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing Cisco Unity VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing xauth V6 VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Send IOS VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Constructing ASA spoofing IOS Vendor ID
payload (version: 1.0.0, capabilities: 20000001)
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing VID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing NAT-Discovery payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, computing NAT Discovery hash
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Generating keys for Responder...
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 328
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads
: HDR + ID (5) + CERT (6) + SIG (9) + NOTIFY (11) + NONE (0) total length : 766
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing ID payload
Jul 23 03:43:19 [IKEv1 DECODE]: IP = 10.1.104.4, ID_FQDN ID received, len 24
0000: 52342E4D 6963726F 6E696373 54726169 R4.MicronicsTrai
0010: 6E696E67 2E636F6D ning.com

Note that ID_FQDN ID type has been received by the ASA. ID_FQDN is written in the
certificate used for peer authentication.

Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing cert payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing RSA signature
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Computing hash for ISAKMP
Jul 23 03:43:19 [IKEv1 DECODE]: Dump of received Signature, len 128:
0000: 31F1AF7C 7B266908 92DFF3AB C547EEAE 1..|{&i......G..
0010: AF8853FF F4082F91 2D78869C A38BBF41 ..S.../.-x.....A
0020: 63185454 A7E6B250 00BFBF6A 36F1EACD c.TT...P...j6...
0030: 849CA235 908F61FA EC4D8BBE 0D7ADBBA ...5..a..M...z..
0040: 0A83E023 7E22EEB6 677034C2 D17E04ED ...#~"..gp4..~..
0050: 97621F26 13A12C1C 1497D0B9 2AE52E03 .b.&..,.....*...
0060: 532B7B90 4F67F6F4 3C954E8E 2D9E0B66 S+{.Og..<.N.-..f
0070: A85A1EEE 216F86A9 1CDF4EFA 81FE317C .Z..!o....N...1|

Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, processing notify payload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Automatic NAT Detection Status: Remote end is
NOT behind a NAT device This end is NOT behind a NAT device
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Trying to find group via cert rules...
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Connection landed on tunnel_group CA_VPN

“tunnel-group-map” has caused that the connection has been properly assigned to the
configured tunnel-group. This assignement has been based on certificate-map which
examines the certificate‟s field values.

Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, peer ID type 2 received (FQDN)
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Peer ID check bypassed
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing ID payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing cert payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing RSA signature
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Computing hash for ISAKMP
Jul 23 03:43:19 [IKEv1 DECODE]: Constructed Signature Len: 128
Jul 23 03:43:19 [IKEv1 DECODE]: Constructed Signature:
0000: 09458DE0 978EE65F FA3A7075 14E03532 .E....._.:pu..52
0010: 73AD3FFF 2820C912 4EF30FB1 A48A91F7 s.?.( ..N.......

Page 282 of 694
CCIE Security v3 Lab Workbook

0020: 8D042A8B 884D571C D1FED0FB 53271E43 ..*..MW.....S'.C
0030: 29217A90 C9BDC3E3 BAE510EE 9CCEA703 )!z.............
0040: 673D0A25 DCE4A48E FF73B4A4 8C0B963F g=.%.....s.....?
0050: 389C842A 83C2ADB4 1153CACC E3E246C8 8..*.....S....F.
0060: 7C0F8A22 F4E43654 60CDD30A D16BD027 |.."..6T`....k.'
0070: A5A94979 99F6B8FE 4920B5DA 0C95A677 ..Iy....I .....w

Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Constructing IOS keep alive payload:
proposal=32767/32767 sec.
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing dpd vid payload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length
: 818
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, PHASE 1 COMPLETED

Phase 1 completed – the Quick Mode has begun.

Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Keep-alive type for this connection: DPD
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Starting P1 rekey timer: 64800
seconds.
Jul 23 03:43:19 [IKEv1 DECODE]: IP = 10.1.104.4, IKE Responder starting QM: msg id = 9b5f88d8
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total
length : 296
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing hash payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing nonce payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ISA_KE for PFS in
phase 2
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ID payload
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, ID_IPV4_ADDR ID received
4.4.4.4
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Received remote Proxy Host data in
ID Payload: Address 4.4.4.4, Protocol 0, Port 0
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing ID payload
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, ID_IPV4_ADDR ID received
1.1.1.1
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Received local Proxy Host data in ID
Payload: Address 1.1.1.1, Protocol 0, Port 0

Local and remote proxies presented by the remote peer match locally configured
proxies.

Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, QM IsRekeyed old sa not found by
addr
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Mismatch: P1 Authentication
algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, IKE Remote Peer configured for
crypto map: CA_VPN
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing IPSec SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IPSec SA Proposal # 1,
Transform # 1 acceptable Matches global IPSec SA entry # 2
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, IKE: requesting SPI!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IKE got SPI from key engine:
SPI = 0x21d3f08a
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, oakley constucting quick mode
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing blank hash
payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing IPSec SA payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing IPSec nonce
payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing pfs ke payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing proxy ID
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Transmitting Proxy Id:
Remote host: 4.4.4.4 Protocol 0 Port 0
Local host: 1.1.1.1 Protocol 0 Port 0

The ASA has presented its proxy to the remote peer (R4).

Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing qm hash payload
Jul 23 03:43:19 [IKEv1 DECODE]: Group = CA_VPN, IP = 10.1.104.4, IKE Responder sending 2nd QM
pkt: msg id = 9b5f88d8
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=9b5f88d8) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total
length : 296

Page 283 of 694
CCIE Security v3 Lab Workbook

Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with
payloads : HDR + HASH (8) + NONE (0) total length : 52
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, processing hash payload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, loading all IPSEC SAs
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Generating Quick Mode Key!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, NP encrypt rule look up for
crypto map CA_VPN 2 matching ACL ACL_CA: returned cs_id=d7beba18; rule=d7bef8f8
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Generating Quick Mode Key!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, NP encrypt rule look up for
crypto map CA_VPN 2 matching ACL ACL_CA: returned cs_id=d7beba18; rule=d7bef8f8
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Security negotiation complete for
LAN-to-LAN Group (CA_VPN) Responder, Inbound SPI = 0x21d3f08a, Outbound SPI = 0x13b6803f
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IKE got a KEY_ADD msg for SA:
SPI = 0x13b6803f
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Pitcher: received KEY_UPDATE,
spi 0x21d3f08a
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, Starting P2 rekey timer: 3420
seconds.
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, PHASE 2 COMPLETED (msgid=9b5f88d8)

ASA1(config)# un all

Page 284 of 694
CCIE Security v3 Lab Workbook

Lab 1.41. Site-to-Site IPSec VPN using PSK
(IOS-ASA Hairpinning)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 285 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
There is Company‟s Headquarters in US consists of ASA1 and R1. The Company
has two branch offices: one in US (R5) and other in Canada (R4). All routers have
static IP addresses. Configure the following Site-to-Site IPSec Tunnels:

Tunnel SRC DST ISAKMP Policy IPSec Policy
Endpoint Network Network
R5 – ASA1 5.5.5.5 1.1.1.1 Authentication: PSK Encryption:
Encryption: 3DES ESP/3DES
Group: 2 Authentication:
Hash: MD5 ESP/MD5
Key: R5-ASA
R4 – ASA1 4.4.4.4 1.1.1.1 Authentication: PSK Encryption: ESP/DES
Encryption: DES Authentication:
Group: 2 ESP/SHA
Hash: SHA
Key: R4-ASA

Configure the above IPSec tunnels and ensure branch networks can communincate
between each other using Headquarters‟ hub device.

On ASA1
ASA1(config)# crypto isakmp enable outside

ASA1(config)# crypto isakmp policy 5
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption 3des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2

ASA1(config-isakmp-policy)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit

Page 286 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# tunnel-group 10.1.105.5 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.105.5 ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key R5-ASA
ASA1(config-tunnel-ipsec)# exi

ASA1(config)# tunnel-group 10.1.104.4 type ipsec-l2l
ASA1(config)# tunnel-group 10.1.104.4 ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key R4-ASA
ASA1(config-tunnel-ipsec)# exi

ASA1(config)# access-list CRYPTO-ACL-R5 extended permit ip host 1.1.1.1 host 5.5.5.5
ASA1(config)# access-list CRYPTO-ACL-R5 extended permit ip host 4.4.4.4 host 5.5.5.5

ASA1(config)# access-list CRYPTO-ACL-R4 extended permit ip host 1.1.1.1 host 4.4.4.4
ASA1(config)# access-list CRYPTO-ACL-R4 extended permit ip host 5.5.5.5 host 4.4.4.4

Additional ACEs allow to communicate IPSec-protected IP addresses of R4 and R5
throughout “hairpinned” tunnels on ASA‟s outside interface.

ASA1(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

ASA1(config)# crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

ASA1(config)# crypto map ENCRYPT_OUT 1 match address CRYPTO-ACL-R5
ASA1(config)# crypto map ENCRYPT_OUT 1 set peer 10.1.105.5
ASA1(config)# crypto map ENCRYPT_OUT 1 set transform-set ESP-3DES-MD5

ASA1(config)# crypto map ENCRYPT_OUT 2 match address CRYPTO-ACL-R4
ASA1(config)# crypto map ENCRYPT_OUT 2 set peer 10.1.104.4
ASA1(config)# crypto map ENCRYPT_OUT 2 set transform-set ESP-DES-SHA

ASA1(config)# crypto map ENCRYPT_OUT interface Outside

ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1 1

ASA1(config)# same-security-traffic permit intra-interface

The capability to route a traffic in and out of the same interface has been enabled

On R5
R5(config)#crypto isakmp policy 10
R5(config-isakmp)#encr 3des
R5(config-isakmp)#hash md5
R5(config-isakmp)#authentication pre-share
R5(config-isakmp)#group 2

R5(config-isakmp)#crypto isakmp key R5-ASA address 192.168.1.10

R5(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
R5(cfg-crypto-trans)#exi

R5(config)#access-list 120 permit ip host 5.5.5.5 host 1.1.1.1
R5(config)#access-list 120 permit ip host 5.5.5.5 host 4.4.4.4

R5(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R5(config-crypto-map)#set peer 192.168.1.10
R5(config-crypto-map)#set transform-set TSET
R5(config-crypto-map)#match address 120
R5(config-crypto-map)#exi

R5(config)#int f0/0
R5(config-if)#crypto map ENCRYPT
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi

On R4
R4(config)#crypto isakmp policy 30
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2

Page 287 of 694
CCIE Security v3 Lab Workbook

R4(config-isakmp)#crypto isakmp key R4-ASA address 192.168.1.10

R4(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac

R4(cfg-crypto-trans)#access-list 120 permit ip host 4.4.4.4 host 1.1.1.1
R4(config)#access-list 120 permit ip host 4.4.4.4 host 5.5.5.5

R4(config)#crypto map ENCRYPT 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)# set peer 192.168.1.10
R4(config-crypto-map)# set transform-set TSET
R4(config-crypto-map)# match address 120
R4(config-crypto-map)#exi

R4(config)#int f0/0
R4(config-if)# crypto map ENCRYPT

On ASA2
ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru
ASA2(config)# access-list OUTSIDE_IN permit udp host 192.168.1.10 eq 500 host 10.1.104.4 eq
500
ASA2(config)# access-list OUTSIDE_IN permit udp host 192.168.1.10 eq 500 host 10.1.105.5 eq
500
ASA2(config)# access-group OUTSIDE_IN in interface outside

The above ACL is created to allow IKE tunnel setup from ASA1 to R4/R5 because there
may be a case where R4 is sending something behind R5 and there is no tunnel between
R5 and ASA1 already established. In that case, the ASA1 must be able to establish a
tunnel to R5 to handle that traffic.

Verification

R4#pi 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R4#pi 5.5.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R4#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 10.1.104.4 192.168.1.10 ACTIVE des sha psk 2 23:41:30
Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R4#sh cry eng conn ac
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address

Page 288 of 694
CCIE Security v3 Lab Workbook

1002 IKE SHA+DES 0 0 10.1.104.4
2003 IPsec DES+SHA 0 5 10.1.104.4
2004 IPsec DES+SHA 5 0 10.1.104.4
2005 IPsec DES+SHA 0 5 10.1.104.4
2006 IPsec DES+SHA 19 0 10.1.104.4

Note that two IPSec SAs (inbound and outbound) have been created for every local-
remote proxy pair.

R4#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 4.4.4.4 host 1.1.1.1
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 4.4.4.4 host 5.5.5.5
Active SAs: 2, origin: crypto map

Two active SAs for every IPSec flow mentioned above are visible when cryto sessions
have been displayed.

R4#sh cry ips sa

interface: FastEthernet0/0
Crypto map tag: ENCRYPT, local addr 10.1.104.4

protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x880857A4(2282248100)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x55652A60(1432693344)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4607369/2454)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x880857A4(2282248100)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4607369/2454)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

One pair of SAs have been created for 4.4.4.4/32 and 1.1.1.1/32.

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

Page 289 of 694
CCIE Security v3 Lab Workbook

local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xAFFA8D8D(2952433037)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xFC97ED38(4237815096)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4587626/2496)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xAFFA8D8D(2952433037)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4587624/2496)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

The second pair of SAs have been created for 4.4.4.4/32 and 5.5.5.5/32.

R5#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 10.1.105.5 192.168.1.10 ACTIVE 3des md5 psk 2 23:57:07
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R5#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip host 5.5.5.5 host 1.1.1.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 5.5.5.5 host 4.4.4.4
Active SAs: 2, origin: crypto map

R5#sh cry ips sa

interface: FastEthernet0/0

Page 290 of 694
CCIE Security v3 Lab Workbook

Crypto map tag: ENCRYPT, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0  No traffic for that flow yet
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8689FE2F(2257190447)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD396C0D5(3549872341)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4563711/3425)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x8689FE2F(2257190447)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: ENCRYPT
sa timing: remaining key lifetime (k/sec): (4563711/3425)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Page 291 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# sh cry isa sa det

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 10.1.104.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 85180
2 IKE Peer: 10.1.105.5
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86186

Note that because R4 pinged R5 the ASA1 is an Initiator for the second L2L tunnel.

ASA1(config)# sh cry ips sa
interface: Outside
Crypto map tag: ENCRYPT_OUT, seq num: 2, local addr: 192.168.1.10

access-list CRYPTO-ACL-R4 permit ip host 1.1.1.1 host 4.4.4.4
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer: 10.1.104.4

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 55652A60

inbound esp sas:
spi: 0x880857A4 (2282248100)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/2373)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0x55652A60 (1432693344)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/2373)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: ENCRYPT_OUT, seq num: 2, local addr: 192.168.1.10

access-list CRYPTO-ACL-R4 permit ip host 5.5.5.5 host 4.4.4.4
local ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer: 10.1.104.4

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

Page 292 of 694
CCIE Security v3 Lab Workbook

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: FC97ED38

inbound esp sas:
spi: 0xAFFA8D8D (2952433037)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373998/2413)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000FFFFF
outbound esp sas:
spi: 0xFC97ED38 (4237815096)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/2411)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: ENCRYPT_OUT, seq num: 1, local addr: 192.168.1.10

access-list CRYPTO-ACL-R5 permit ip host 4.4.4.4 host 5.5.5.5
local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
current_peer: 10.1.105.5

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.105.5

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D396C0D5

inbound esp sas:
spi: 0x8689FE2F (2257190447)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 49152, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3372)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xD396C0D5 (3549872341)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 49152, crypto-map: ENCRYPT_OUT
sa timing: remaining key lifetime (kB/sec): (4373999/3372)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 10.1.104.4
Index : 11 IP Addr : 4.4.4.4
Protocol : IKE IPsec

Page 293 of 694
CCIE Security v3 Lab Workbook

Encryption : DES Hashing : SHA1
Bytes Tx : 1000 Bytes Rx : 2400
Login Time : 04:12:23 UTC Fri Jul 23 2010
Duration : 0h:20m:54s
Connection : 10.1.105.5
Index : 12 IP Addr : 5.5.5.5
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 500 Bytes Rx : 500
Login Time : 04:29:09 UTC Fri Jul 23 2010
Duration : 0h:04m:08s

Page 294 of 694
CCIE Security v3 Lab Workbook

Lab 1.42. Site-to-Site IPSec VPN using
EasyVPN NEM (IOS-IOS)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 295 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
Configure IPSec VPN tunnel between branch routers with the following parameters:
Tunnel SRC DST ISAKMP Policy IPSec Policy
Endpoint Network Network
R5 – R4 5.5.5.5 4.4.4.4 Authentication: PSK Encryption:
Encryption: 3DES ESP/3DES
Group: 2 Authentication:
Hash: SHA ESP/SHA

Use Easy VPN to configure the tunnel in network extension mode. Router R5 should
act as EasyVPN Remote and router R4 should be EasyVPN Server. Use group name
of “BRANCH_US” with the password of “cisco123”. Configure a new user name of
“easy” with password of “vpn123” in R4‟s local database and use it for extended
authentication.

On R4
R4(config)#username easy password vpn123

R4(config)#aaa new-model
R4(config)#aaa authentication login USER-AUTH local
R4(config)#aaa authorization network GR-AUTH local

AAA on the router must be enabled because EasyVPN feature may use additional peer
authentication which is named “XAUTH” (Extended authentication). Authorization list
(network) specifies where session parameters which should be populated to a client are
stored.

R4(config)#crypto isakmp policy 3
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#exit

R4(config)#crypto isakmp client configuration group BRANCH_US
R4(config-isakmp-group)# key cisco123
R4(config-isakmp-group)#exit

This is a configuration item which enables to specify parameters which are populated
to the client during “Config Mode”. Config Mode (often called IKE Phase 1.5) is a
special stage of IKE during which client requests configuration parameters for the

Page 296 of 694
CCIE Security v3 Lab Workbook

session that is being negotiated. The EasyVPN Server populates these parameters to
EasyVPN client.

R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)#exit

R4(config)#crypto dynamic-map DYN-CMAP 10
R4(config-crypto-map)# set transform-set TSET
R4(config-crypto-map)#exit

The peer IP address and other IPSec parameters are unknown at the moment of crypto map
configuration. Dynamic crypto map enables to negotiate proper values during tunnel
establishment.

R4(config)#crypto map EASY-VPN client authentication list USER-AUTH
R4(config)#crypto map EASY-VPN isakmp authorization list GR-AUTH
R4(config)#crypto map EASY-VPN 10 ipsec-isakmp dynamic DYN-CMAP

R4(config)#interface f0/0
R4(config-if)# crypto map EASY-VPN
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On R5
R5(config)#crypto ipsec client ezvpn EZ
R5(config-crypto-ezvpn)# connect auto

The connection will be initiated automatically.

R5(config-crypto-ezvpn)# group BRANCH_US key cisco123

EasyVPN group authentication - it is similar to peer authentication in L2L tunnel
negotiations. This is a device authentication.

R5(config-crypto-ezvpn)# mode network-extension

NEM (Network Extension Mode) enables EasyVPN client to preserve its IP address as
tunnel endpoint. The traffic initiated from the client inside network is not NATed so
that it allows to connect to this network from the networks behind the EasyVPN server.

R5(config-crypto-ezvpn)# peer 10.1.104.4

EasyVPN Server IP address.

R5(config-crypto-ezvpn)# xauth userid mode interactive

Interactive entering of the user credential that will be used during Extended
Authentication (XAUTH). These credentials have to be entered during every IKE
negotaitions. The credential storage in the EasyVPN client configuration have to be
exclusively enabled in the EasyVPN Server configuration (save-password command in the
group configuration).

R5(config-crypto-ezvpn)#exi

R5(config)#int lo0
R5(config-if)# crypto ipsec client ezvpn EZ inside
R5(config-if)#exit

R5(config)#int f0/0
R5(config-if)# crypto ipsec client ezvpn EZ outside
R5(config-if)#

These commands define the inside and outside interfaces of the EasyVPN Client. Outside
interface is used for IPSec tunnel termination.

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

After a while the following error message appears on R5. Since IPSec tunnel needs to
be established between two peers who are on different interfaces of ASA but with the
same security level of 100. This must be explicitly allowed on the ASA.

%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=BRANCH_US
Client_public_addr=10.1.105.5 Server_public_addr=10.1.104.4

Page 297 of 694
CCIE Security v3 Lab Workbook

On ASA2
ASA2(config)# same-security-traffic permit inter-interface

On R5
R5#
EZVPN(EZ): Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth

R5#
R5#crypto ipsec client ezvpn xauth
Username: easy
Password:
R5#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=BRANCH_US Client_public_addr=10.1.105.5
Server_public_addr=10.1.104.4 NEM_Remote_Subnets=5.5.5.0/255.255.255.0

The user and the password have been provided for XAUTH. Note that EasyVPN connection
is up. The client informs the server about its inside networks. These networks may be
injected into the server‟s routing table when reverse route feature is.

Verification
R5#ping 4.4.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

The connection is established. R5 is able to ping R4‟s loopback through the IPSec
tunnel.

R5#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Current EzVPN Peer: 10.1.104.4

EasyVPN session status. Note that saving XAUTH password is disabled (this is a default
setting).

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 10.1.105.5 10.1.104.4 ACTIVE 3des sha 2 23:59:10 CX
Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.1.104.4 port 500

Page 298 of 694
CCIE Security v3 Lab Workbook

Note that remote proxy identity is 0.0.0.0/0 that means “any”. By default EasyVPN
disallow the client to transmit unencrypted traffic apart from established IPSec
tunnel. This may be changed when split-tunnel feature is enabled on the EasyVPN
server.

PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 10.1.104.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB33E0E9(187949289)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x428A6416(1116365846)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4603441/3543)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB33E0E9(187949289)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4603441/3543)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R4#pi 5.5.5.5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Note that inside network of the client is accessible from the server inside network.
It is an advantage of network-extension mode. In case of using the “client mode”
accessing the inside client network is not feasible due to PAT enabled on the IPSec
tunnel endpoint that translates the client inside network.

R4#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 10.1.104.4 10.1.105.5 ACTIVE 3des sha 2 23:58:35 CX
Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

Page 299 of 694
CCIE Security v3 Lab Workbook

R4#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: EASY-VPN, local addr 10.1.104.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
current_peer 10.1.105.5 port 500
PERMIT, flags={}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 10.1.105.5
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x428A6416(1116365846)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xB33E0E9(187949289)

R4#sh crypto map
Crypto Map "EASY-VPN" 10 ipsec-isakmp
Dynamic map template tag: DYN-CMAP

Crypto Map "EASY-VPN" 65536 ipsec-isakmp
Peer = 10.1.105.5
Extended IP access list
access-list permit ip any 5.5.5.0 0.0.0.255
dynamic (created from dynamic map DYN-CMAP/10)

Note that definition of interesting traffic has been configured dynamically by
dynamic-crypto map. Information relevant to the client inside networks is passed to
the server during IKE negotiation.

Current peer: 10.1.105.5
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TSET: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map EASY-VPN:
FastEthernet0/0

Page 300 of 694
CCIE Security v3 Lab Workbook

Lab 1.43. Site-to-Site IPSec VPN using
EasyVPN NEM (IOS-ASA)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 301 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
Configure IPSec VPN tunnel between ASA1 and R5/R4 with the following
parameters:
Tunnel SRC DST ISAKMP Policy IPSec Policy
Endpoint Network Network
ASA1 – 1.1.1.1 5.5.5.5 Authentication: PSK Encryption:
R5/R4 4.4.4.4 Encryption: 3DES ESP/3DES
Group: 2 Authentication:
Hash: SHA ESP/SHA
Use Easy VPN to configure the tunnel in network extension mode. R5 should act as
EasyVPN Remote and ASA1 should be an EasyVPN Server. Use group name of
“BRANCHES” with the password of “cisco123”.
Do not use extended authentication, the branch routers should connect using only
group credentials. Ensure that branch routers will tunnel traffic only destined to the
network of 1.1.1.0/24.
On ASA1
ASA1(config)# access-list EZVPN-TRAFFIC permit ip host 1.1.1.1 host 5.5.5.5
ASA1(config)# access-list EZVPN-TRAFFIC permit ip host 1.1.1.1 host 4.4.4.4

ASA1(config)# access-list ST standard permit 1.1.1.0 255.255.255.0

ASA1(config)# group-policy EZ-POLICY internal

The group-policy contains parameters that are passed down to the client or such
parameters may be requirements that the client have to fullfil before IPSec session is
established. Note that this is an internally configured group-policy. Group-policies
may be provided from ACS Server. Note that group-policy definition is based on
Attribute-Value pairs.

ASA1(config)# group-policy EZ-POLICY attributes
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value ST
ASA1(config-group-policy)# nem enable

Network Extension Mode has been enabled. This policy includes also the definition of
split tunneling. This feature enables the server to define the exceptions of default
rule that enforcing full traffic encryption between the client and the server. The
traffic definition is made by an ACL which is tied to group-policy by the command of
“split-tunnel-network-list”.

Page 302 of 694
CCIE Security v3 Lab Workbook

“split-tunnel-policy” defines the policy which is applied for a traffic chosen by the
split-tunnel ACL. The traffic may be encrypted if “tunnelspecified” is enabled or the
traffic is excluded from encryption if “excludespecified” is enabled. A “tunnelall”
option may also be used but encryption of all the traffic is the default. Note that
from the client perspective the network defined by the ACL in split-tunneling in fact
defines a destination of the traffic rather than the source.

ASA1(config-group-policy)# exit

ASA1(config)# isakmp enable Outside

ASA1(config)# crypto isakmp policy 1 authentication pre-share
ASA1(config)# crypto isakmp policy 1 encryption 3des
ASA1(config)# crypto isakmp policy 1 hash sha
ASA1(config)# crypto isakmp policy 1 group 2

ASA1(config)# tunnel-group BRANCHES type remote-access
ASA1(config)# tunnel-group BRANCHES general-attributes
ASA1(config-tunnel-general)# default-group-policy EZ-POLICY
ASA1(config-tunnel-general)# exit

Tunnel-group for EasyVPN clients has been defined. Note that group-policy has been
tied to tunnel-group as its general attribute.

ASA1(config)# tunnel-group BRANCHES ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key cisco123
ASA1(config-tunnel-ipsec)# isakmp ikev1-user-authentication none
ASA1(config-tunnel-ipsec)# exit

XAUTH has been disabled (by default ASA requires XAUTH). Only the peer authenticaton
will be performed.

ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac

ASA1(config)# crypto dynamic-map DYN-MAP 5 set transform-set TSET

ASA1(config)# crypto map ENCRYPT_OUT 1 ipsec-isakmp dynamic DYN-MAP

ASA1(config)# crypto map ENCRYPT_OUT interface Outside

ASA1(config)# route Inside 1.1.1.1 255.255.255.255 10.1.101.1

On ASA2
ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# inspect ipsec-pass-thru

The IPSec-related traffic through ASA2 has been allowed.

On R5
R5(config)#crypto ipsec client ezvpn HQ
R5(config-crypto-ezvpn)#connect auto
R5(config-crypto-ezvpn)#group BRANCHES key cisco123
R5(config-crypto-ezvpn)#mode network-extension
R5(config-crypto-ezvpn)#peer 192.168.1.10

R5(config-crypto-ezvpn)#int f0/0
R5(config-if)# crypto ipsec client ezvpn HQ outside

R5(config-if)#int lo0
R5(config-if)# crypto ipsec client ezvpn HQ inside
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=BRANCHES Client_public_addr=10.1.105.5
Server_public_addr=192.168.1.10 NEM_Remote_Subnets=5.5.5.0/255.255.255.0

The tunnel has been established. Note that entering the user and password
interactively is no longer needed.

On R4
R4(config)#crypto ipsec client ezvpn HQ
R4(config-crypto-ezvpn)#connect auto
R4(config-crypto-ezvpn)#group BRANCHES key cisco123

Page 303 of 694
CCIE Security v3 Lab Workbook

R4(config-crypto-ezvpn)#mode network-extension
R4(config-crypto-ezvpn)#peer 192.168.1.10
R4(config-crypto-ezvpn)#exit

R4(config)#int f0/0
R4(config-if)#crypto ipsec client ezvpn HQ outside

R4(config-if)#int lo0
R4(config-if)#crypto ipsec client ezvpn HQ inside
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=BRANCHES Client_public_addr=10.1.104.4
Server_public_addr=192.168.1.10 NEM_Remote_Subnets=4.4.4.0/255.255.255.0

Verification
R4#ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R4#sh cry isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1003 10.1.104.4 192.168.1.10 ACTIVE 3des sha psk 2 23:57:23 C
Engine-id:Conn-id = SW:3

Note that authentication by using tunnel-group name and the password is treated as
pre-shared ISAKMP peer authentication.

IPv6 Crypto ISAKMP SA

R4#sh cry ips sa

interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.104.4

protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.104.4, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x63FABD04(1677376772)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD3631C04(3546487812)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4483637/28677)
IV size: 8 bytes
replay detection support: Y

Page 304 of 694
CCIE Security v3 Lab Workbook

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x63FABD04(1677376772)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4483637/28677)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R4#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.104.4/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip 4.4.4.0/255.255.255.0 1.1.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

R4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Split Tunnel List: 1
Address : 1.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 192.168.1.10

The client has obtained split-tunnel configuration from the server during Mode Config.
Protocol value 0x0 means that all IP traffic to 1.1.1.0/24 will be encrypted.

R5#ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R5#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1003 10.1.105.5 192.168.1.10 ACTIVE 3des sha psk 2 23:58:00 C
Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

R5#sh cry ips sa

interface: FastEthernet0/0

Page 305 of 694
CCIE Security v3 Lab Workbook

Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8AD193D1(2328990673)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDAA2BC9A(3668098202)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4494113/28711)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x8AD193D1(2328990673)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4494113/28711)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R5#sh cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.10 port 500
IKE SA: local 10.1.105.5/500 remote 192.168.1.10/500 Active
IPSEC FLOW: permit ip 5.5.5.0/255.255.255.0 1.1.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

R5#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Split Tunnel List: 1
Address : 1.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 192.168.1.10

Page 306 of 694
CCIE Security v3 Lab Workbook

ASA1(config)# sh cry isak sa det

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 10.1.105.5
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86245
2 IKE Peer: 10.1.104.4
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86266

Note that ASA plays the role of responder for the both connecton because the tunnels
have been initiated from the client side.

ASA1(config)# sh cry ips sa
interface: Outside
Crypto map tag: DYN-MAP, seq num: 5, local addr: 192.168.1.10

local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
current_peer: 10.1.104.4, username: BRANCHES
dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D3631C04

inbound esp sas:
spi: 0x63FABD04 (1677376772)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 28659
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xD3631C04 (3546487812)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 28659
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: DYN-MAP, seq num: 5, local addr: 192.168.1.10

local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
current_peer: 10.1.105.5, username: BRANCHES
dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0

Page 307 of 694
CCIE Security v3 Lab Workbook

#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.105.5

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: DAA2BC9A

inbound esp sas:
spi: 0x8AD193D1 (2328990673)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 65536, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 28636
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xDAA2BC9A (3668098202)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 65536, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 28635
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA1(config)# sh vpn-sessiondb ra protocol
Filter Group : All
Total Active Tunnels : 4
Cumulative Tunnels : 29

Protocol Tunnels Percent
IKE 2 50%
IPsec 2 50%
IPsecLAN2LAN 0 0%
IPsecLAN2LANOverNatT 0 0%
IPsecOverNatT 0 0%
IPsecOverTCP 0 0%
IPsecOverUDP 0 0%
L2TPOverIPsec 0 0%
L2TPOverIPsecOverNatT 0 0%
Clientless 0 0%
Port-Forwarding 0 0%
IMAP4S 0 0%
POP3S 0 0%
SMTPS 0 0%
SSL-Tunnel 0 0%
DTLS-Tunnel 0 0%

Note that vpnsession database indicated that there are four active tunnels: two of IKE
and two of IPSec.

ASA1(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username : BRANCHES Index : 16
Assigned IP : 5.5.5.0 Public IP : 10.1.105.5
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 500 Bytes Rx : 500
Group Policy : EZ-POLICY Tunnel Group : BRANCHES
Login Time : 06:09:57 UTC Fri Jul 23 2010
Duration : 0h:03m:26s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Username : BRANCHES Index : 18
Assigned IP : 4.4.4.0 Public IP : 10.1.104.4
Protocol : IKE IPsec
License : IPsec

Page 308 of 694
CCIE Security v3 Lab Workbook

Encryption : 3DES Hashing : SHA1
Bytes Tx : 500 Bytes Rx : 500
Group Policy : EZ-POLICY Tunnel Group : BRANCHES
Login Time : 06:10:18 UTC Fri Jul 23 2010
Duration : 0h:03m:05s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Show vpn-sessiondb remote displays information relevat to tunnels established with
remote peers. Note that Network Extension Mode makes inside client network visible.

Verification (detailed)
ASA1(config)# deb cry isak 20

Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads
: HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) +
ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1140
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing SA payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal RFC VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 03 VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received NAT-Traversal ver 02 VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ke payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ISA_KE payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing nonce payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing ID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received DPD VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received xauth V6 VID
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Claims to be IOS but failed authentication
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, processing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: IP = 10.1.105.5, Received Cisco Unity client VID
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, Connection landed on tunnel_group BRANCHES
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, No valid authentication type found
for the tunnel group
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing IKE SA payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKE SA Proposal # 1,
Transform # 17 acceptable Matches global IKE entry # 3
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing ISAKMP SA
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing ke payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing nonce payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Generating keys for
Responder...
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing ID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing hash payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Computing hash for ISAKMP
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing Cisco Unity VID
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing xauth V6 VID
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing dpd vid payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing NAT-Traversal
VID ver 02 payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing NAT-Discovery
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, computing NAT Discovery hash
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing NAT-Discovery
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, computing NAT Discovery hash
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing Fragmentation
VID + extended capabilities payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing VID payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=0) with payloads :
HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total
length : 440

Page 309 of 694
CCIE Security v3 Lab Workbook

Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads
: HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing hash payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Computing hash for ISAKMP
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing NAT-Discovery
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, computing NAT Discovery hash
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing NAT-Discovery
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, computing NAT Discovery hash
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing notify payload
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes:
primary DNS = cleared
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes:
secondary DNS = cleared
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes:
primary WINS = cleared
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes:
secondary WINS = cleared
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes: split
tunneling list = ST
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes: IP
Compression = disabled
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes: Split
Tunneling Policy = Split Network
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes:
Browser Proxy Setting = no-modify
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKEGetUserAttributes:
Browser Proxy Bypass Local = disable

The session parameters have been set and prepared for passing them to the client. Note
that split-tunnel network list and policy are visible. Undefined parameters in the
group-policy have been marked as “cleared”.

Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=a776bd6d) with
payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 380
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, process_attr(): Enter!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Processing cfg Request
attributes
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Received unknown transaction mode
attribute: 28692
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Received unknown transaction mode
attribute: 28693
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for DNS server address!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for DNS server address!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for WINS server address!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for WINS server address!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Split Tunnel List!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Split DNS!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Default Domain Name!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Save PW setting!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Local LAN Include!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for PFS setting!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for backup ip-sec peer list!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Application Version!

Mode Config has been started. The client has requested a set of parameters which will
be passed down from the server. The client has requested the following: DNS server,
WINS server, Split tunnel list, Split tunnel DNS (the DNS server which will be used
for inquiring about names through the tunnel), allowance for saving the XAUTH password
locally on the client, allowance for communication with local lan without an
encryption, PFS settings and the list of backup peers (EasyVPN servers).

Page 310 of 694
CCIE Security v3 Lab Workbook

Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Client Type: IOS Client
Application Version: 12.4(24)T2
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for Banner!
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Received unknown transaction mode
attribute: 28695
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, MODE_CFG: Received request
for DHCP hostname for DDNS is: R5!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing blank hash
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing qm hash payload
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=a776bd6d) with
payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 172
Jul 23 06:15:33 [IKEv1 DECODE]: IP = 10.1.105.5, IKE Responder starting QM: msg id = 9196d7a4
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Delay Quick Mode processing,
Cert/Trans Exch/RM DSID in progress
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Resume Quick Mode
processing, Cert/Trans Exch/RM DSID completed
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, PHASE 1 COMPLETED
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, Keep-alive type for this connection: DPD
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Starting P1 rekey timer:
82080 seconds.
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, sending notify message
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing blank hash
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing qm hash payload
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=94a8c6f) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=9196d7a4) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length :
1280
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing hash payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing SA payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing nonce payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing ID payload
Jul 23 06:15:33 [IKEv1 DECODE]: Group = BRANCHES, IP = 10.1.105.5, ID_IPV4_ADDR_SUBNET ID
received--5.5.5.0--255.255.255.0
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Received remote IP Proxy Subnet
data in ID Payload: Address 5.5.5.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing ID payload
Jul 23 06:15:33 [IKEv1 DECODE]: Group = BRANCHES, IP = 10.1.105.5, ID_IPV4_ADDR_SUBNET ID
received--1.1.1.0--255.255.255.0
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Received local IP Proxy Subnet
data in ID Payload: Address 1.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0

The client has informed the server about its inside network to establish identity of
local and remote IPSec proxy.

Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, QM IsRekeyed old sa not found by
addr
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, IKE Remote Peer configured for
crypto map: DYN-MAP
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing IPSec SA payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IPSec SA Proposal # 11,
Transform # 1 acceptable Matches global IPSec SA entry # 5
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, IKE: requesting SPI!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKE got SPI from key engine:
SPI = 0x592ce8c6
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, oakley constucting quick
mode
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing blank hash
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing IPSec SA
payload
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Overriding Initiator's IPSec
rekeying duration from 2147483 to 28800 seconds
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing IPSec nonce
payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing proxy ID
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Transmitting Proxy Id:
Remote subnet: 5.5.5.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 1.1.1.0 mask 255.255.255.0 Protocol 0 Port 0

The server has informed the client about remote and local proxy ID.

Page 311 of 694
CCIE Security v3 Lab Workbook

Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Sending RESPONDER LIFETIME
notification to Initiator
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, constructing qm hash payload
Jul 23 06:15:33 [IKEv1 DECODE]: Group = BRANCHES, IP = 10.1.105.5, IKE Responder sending 2nd
QM pkt: msg id = 9196d7a4
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=9196d7a4) with
payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0)
total length : 196
Jul 23 06:15:33 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=9196d7a4) with
payloads : HDR + HASH (8) + NONE (0) total length : 52
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing hash payload
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, loading all IPSEC SAs
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Generating Quick Mode Key!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, NP encrypt rule look up for
crypto map DYN-MAP 5 matching ACL Unknown: returned cs_id=d791a4b0; rule=00000000
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Generating Quick Mode Key!
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, NP encrypt rule look up for
crypto map DYN-MAP 5 matching ACL Unknown: returned cs_id=d791a4b0; rule=00000000
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, Security negotiation complete for
User (BRANCHES) Responder, Inbound SPI = 0x592ce8c6, Outbound SPI = 0xf1e42b1c
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, IKE got a KEY_ADD msg for
SA: SPI = 0xf1e42b1c
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Pitcher: received
KEY_UPDATE, spi 0x592ce8c6
Jul 23 06:15:33 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, Starting P2 rekey timer:
27360 seconds.
Jul 23 06:15:33 [IKEv1]: Group = BRANCHES, IP = 10.1.105.5, PHASE 2 COMPLETED (msgid=9196d7a4)
Jul 23 06:15:34 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=2468295b) with
payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 205
Jul 23 06:15:34 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing hash payload
Jul 23 06:15:34 [IKEv1 DEBUG]: Group = BRANCHES, IP = 10.1.105.5, processing notify payload
Jul 23 06:15:34 [IKEv1 DECODE]: OBSOLETE DESCRIPTOR - INDEX 1
Jul 23 06:15:34 [IKEv1 DECODE]: 0000: 00000000 75340003 52352E75 32000A43 ....u4..R5.u2..C
0010: 6973636F 20323831 31753500 0B46484B isco 2811u5..FHK
0020: 30383439 46314241 75300009 32353735 0849F1BAu0..2575
0030: 34303039 36753100 09313330 31353835 40096u1..1301585
0040: 39327536 00093232 38353839 35363875 92u6..228589568u
0050: 39000836 33303139 36303875 33002E66 9..63019608u3..f
0060: 6C617368 3A633238 30306E6D 2D616476 lash:c2800nm-adv
0070: 656E7465 72707269 73656B39 2D6D7A2E enterprisek9-mz.
0080: 3132342D 32342E54 322E6269 6E 124-24.T2.bin

ASA1(config)# un all

Verification (deep dive)
Alternatively you can use ISAKMP capure to get all IKE packets and analize their
content. The output is pretty long but it‟s worth to see it.

ASA1(config)# capture IKE type isakmp interface outside
ASA1(config)# sho capture IKE

18 packets captured

1: 06:37:20.47184260 10.1.105.5.500 > 192.168.1.10.500: udp 1140
2: 06:37:20.47184270 192.168.1.10.500 > 10.1.105.5.500: udp 440
3: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 132
4: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 132
5: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 388
6: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 388
7: 06:37:20.47184320 192.168.1.10.500 > 10.1.105.5.500: udp 172
8: 06:37:20.47184320 192.168.1.10.500 > 10.1.105.5.500: udp 172
9: 06:37:20.47184350 10.1.105.5.500 > 192.168.1.10.500: udp 1284
10: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 92
11: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 92
12: 06:37:20.47184350 10.1.105.5.500 > 192.168.1.10.500: udp 1284
13: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 196
14: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 196
15: 06:37:20.47184360 10.1.105.5.500 > 192.168.1.10.500: udp 60
16: 06:37:20.47184360 10.1.105.5.500 > 192.168.1.10.500: udp 60
17: 06:37:21.47185020 10.1.105.5.500 > 192.168.1.10.500: udp 212
18: 06:37:21.47185020 10.1.105.5.500 > 192.168.1.10.500: udp 212
18 packets shown

Page 312 of 694
CCIE Security v3 Lab Workbook

Note: 18 packets has been captured. Let‟s see what they contain.

ASA1(config)# sho capture IKE decode

18 packets captured

See that R5 sends IKE packet in Aggressive Mode. It contains almost all required
information like SA Proposals, Group name, Key Exchange, and identity info – see greyed
fields. Remember that the aggressive mode in EasyVPN is used when ISAKMP peer
authentication is based on pre-shared-key.

1: 06:37:20.47184260 10.1.105.5.500 > 192.168.1.10.500: udp 1140
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Aggressive Mode
Flags: (none)
MessageID: 00000000
Length: 1140
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 788
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 776
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 20
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b

This and the next Payload Transforms are ISAKMP policies hardcoded into the EasyVPN
client software.

Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 192

Page 313 of 694
CCIE Security v3 Lab Workbook

Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 4
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 192
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 6
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 7
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 8
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform

Page 314 of 694
CCIE Security v3 Lab Workbook

Reserved: 00
Payload Length: 40
Transform #: 9
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 192
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 10
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 192
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 11
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 12
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 13
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 14
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: MD5
Group Description: Group 2

Page 315 of 694
CCIE Security v3 Lab Workbook

Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 15
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 16
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: DES-CBC
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: XAUTH_INIT_PRESHRD
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 17
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 18
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: MD5
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 19
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 20
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: DES-CBC
Hash Algorithm: MD5

Page 316 of 694
CCIE Security v3 Lab Workbook

Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
43 9b 59 f8 ba 67 6c 4c 77 37 ae 22 ea b8 f5 82
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: Key Exchange
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
f0 25 90 d8 3f 81 9c 9a dd 71 3e bb 56 57 24 d0
81 c7 6e 35 8f 66 03 95 4f 57 6f 00 5b 8b 4b fe
12 55 4e af 01 19 5b 11 55 60 fd 19 d7 ae 5a c3
59 75 92 aa 70 bd 13 5b a8 cb d1 a7 60 aa 38 16
74 65 d6 9c 15 ba 4c b3 09 11 93 48 f4 d5 da 43
ed ba b8 38 c0 ab 1e 67 5c c2 33 47 0a 9a 44 90
d2 8d a9 0a f8 a9 8d 63 91 9d e9 09 16 4c 0d 85
7e 92 04 2e fd 43 e4 3e 6d 8c 0a 1b eb 57 2a f9
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
c6 a1 41 66 13 2b e4 aa 7f 28 a4 69 42 76 bb d2
f6 0f f8 27

The nounces used for key generation are visible at this part of IKE packet.

Payload Identification
Next Payload: Vendor ID
Reserved: 00
Payload Length: 16
ID Type: ID_KEY_ID (11)
Protocol ID (UDP/TCP, etc...): 17
Port: 0
ID Data: BRANCHES
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
8d fc 3c f7 4d 00 0b 3f 57 27 fa 9a a4 83 76 02
Payload Vendor ID

Page 317 of 694
CCIE Security v3 Lab Workbook

Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00

The last part of the packet are as follows: Identification data (the EasyVPN group is
visible) and vendor specific IDs which define IPSec features supported by the device.

Second packet is a response from the EasyVPN Server. It contain agreed transform (only
one that server agreed to) and data required for Key Exchange.

2: 06:37:20.47184270 192.168.1.10.500 > 10.1.105.5.500: udp 440
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Security Association
Version: 1.0
Exchange Type: Aggressive Mode
Flags: (none)
MessageID: 00000000
Length: 440
Payload Security Association
Next Payload: Key Exchange
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 17
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 20 c4 9b

Chosen ISAKMP policy has been sent as a reply of EasyVPN server

Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
1f 65 76 e3 81 7a 55 1e d8 9d 5b 5e 88 8d d8 d9
ae 69 ba 3a 61 0b 29 4f 54 32 ab fe 02 a9 16 95
05 7a ec 7e c3 7e dd 50 bf 2b 86 8b 33 5f 5f bf
65 ef 8e 49 5c 8f 38 48 cd fa 9a f1 ab 18 c7 4b
0c b5 e8 66 f4 5e 9b dd bb e5 ee 28 c0 2a 8b f3
ea 00 68 71 88 00 65 d6 0e 0f 8d 85 30 23 87 76
ac d9 ca 21 6e 73 8e e7 2e d6 c8 2d d4 f7 69 88
34 8d 11 e9 0e 1b 67 5b f0 20 6a 66 e0 fa 39 41
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
db f3 19 e4 cb d0 f8 27 47 45 09 11 fe ee dc 12
6e 8f 04 68

Further session key material negotiations.

Payload Identification
Next Payload: Hash

Page 318 of 694
CCIE Security v3 Lab Workbook

Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 0
ID Data: 192.168.1.10

Identity of the EasyVPN server.

Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
72 a4 56 ac 28 ff 93 c8 f3 de d1 7d 6c fd c6 a7
2e 0a 86 fc
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Payload Vendor ID
Next Payload: NAT-D
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload NAT-D
Next Payload: NAT-D
Reserved: 00
Payload Length: 24
Data:
01 98 6a ce 63 c9 1f 1b 2a 7b 6e bc 2d 84 38 90
3e 65 6c 49
Payload NAT-D
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
eb 80 2d 65 2f e0 45 a8 b4 7e 2e 7a 33 b6 0c c2
c0 01 ad 51

NAT Discovery hashes (NAT-D payload) that enable the peer to discover the NAT enabled
across the network.

Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00

3: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 132
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0

Page 319 of 694
CCIE Security v3 Lab Workbook

Exchange Type: Aggressive Mode
Flags: (Encryption)
MessageID: 00000000
Length: 132

4: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 132
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Aggressive Mode
Flags: (none)
MessageID: 00000000
Length: 132
Payload Hash
Next Payload: NAT-D
Reserved: 00
Payload Length: 24
Data:
a4 66 61 29 f9 a5 26 66 19 00 a4 a1 9c 7f a0 9d
b1 3b 59 60
Payload NAT-D
Next Payload: NAT-D
Reserved: 00
Payload Length: 24
Data:
eb 80 2d 65 2f e0 45 a8 b4 7e 2e 7a 33 b6 0c c2
c0 01 ad 51
Payload NAT-D
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
01 98 6a ce 63 c9 1f 1b 2a 7b 6e bc 2d 84 38 90
3e 65 6c 49
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_INITIAL_CONTACT
SPI:
78 3b 9b ea 4d 01 0b 3f dc 15 82 8e fd f2 7f b7
Extra data: 00 00 00 00

5: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 388
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Transaction
Flags: (Encryption)
MessageID: 021567B1
Length: 388

Third packet is the last one for Aggressive Mode, but in this case there is an EasyVPN
feature which requires Mode Config for the client. Note that config request is sent
(required) from the client side.

6: 06:37:20.47184320 10.1.105.5.500 > 192.168.1.10.500: udp 388
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Transaction
Flags: (none)
MessageID: 021567B1
Length: 388
Payload Hash
Next Payload: Attributes
Reserved: 00
Payload Length: 24

Page 320 of 694
CCIE Security v3 Lab Workbook

Data:
5d 28 f7 ad fd 6d ac 4a dc 47 94 b5 76 98 ec 3e
07 c8 b8 20
Payload Attributes
Next Payload: None
Reserved: 00
Payload Length: 328
type: ISAKMP_CFG_REQUEST
Reserved: 00
Identifier: 0000
Unknown: (empty)
Unknown: (empty)
IPv4 DNS: (empty)
IPv4 DNS: (empty)
IPv4 NBNS (WINS): (empty)
IPv4 NBNS (WINS): (empty)
Cisco extension: Split Include: (empty)
Cisco extension: Split DNS Name: (empty)
Cisco extension: Default Domain Name: (empty)
Cisco extension: Save PWD: (empty)
Cisco extension: Include Local LAN: (empty)
Cisco extension: Do PFS: (empty)
Cisco extension: Backup Servers: (empty)
Application Version:
43 69 73 63 6f 20 49 4f 53 20 53 6f 66 74 77 61
72 65 2c 20 32 38 30 30 20 53 6f 66 74 77 61 72
65 20 28 43 32 38 30 30 4e 4d 2d 41 44 56 45 4e
54 45 52 50 52 49 53 45 4b 39 2d 4d 29 2c 20 56
65 72 73 69 6f 6e 20 31 32 2e 34 28 32 34 29 54
32 2c 20 52 45 4c 45 41 53 45 20 53 4f 46 54 57
41 52 45 20 28 66 63 32 29 0a 54 65 63 68 6e 69
63 61 6c 20 53 75 70 70 6f 72 74 3a 20 68 74 74
70 3a 2f 2f 77 77 77 2e 63 69 73 63 6f 2e 63 6f
6d 2f 74 65 63 68 73 75 70 70 6f 72 74 0a 43 6f
70 79 72 69 67 68 74 20 28 63 29 20 31 39 38 36
2d 32 30 30 39 20 62 79 20 43 69 73 63 6f 20 53
79 73 74 65 6d 73 2c 20 49 6e 63 2e 0a 43 6f 6d
70 69 6c 65 64 20 4d 6f 6e 20 31 39 2d 4f 63 74
2d 30 39 20 31 37 3a 33 38 20 62 79 20 70 72 6f
64 5f 72 65 6c 5f 74 65 61 6d
Cisco extension: Banner: (empty)
Unknown: (empty)
Cisco extension: Dynamic DNS Hostname: 52 35
Extra data: 00 00 00 00 00 00 00 00

Server agreeds that it supports Client Mode Config and sends out all Mode Config
information it has.

7: 06:37:20.47184320 192.168.1.10.500 > 10.1.105.5.500: udp 172
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Transaction
Flags: (none)
MessageID: 021567B1
Length: 172
Payload Hash
Next Payload: Attributes
Reserved: 00
Payload Length: 24
Data:
73 24 60 32 dc 32 33 0c 8f a3 57 1a 98 65 a6 b0
ae 5f b0 ad
Payload Attributes
Next Payload: None
Reserved: 00
Payload Length: 120
type: ISAKMP_CFG_REPLY
Reserved: 00
Identifier: 0000
Cisco extension: Save PWD: No
Cisco extension: Split Include: 1.1.1.0/255.255.255.0/0/0/0
Cisco extension: Do PFS: No
Application Version:
43 69 73 63 6f 20 53 79 73 74 65 6d 73 2c 20 49

Page 321 of 694
CCIE Security v3 Lab Workbook

6e 63 20 41 53 41 35 35 31 30 20 56 65 72 73 69
6f 6e 20 38 2e 32 28 31 29 20 62 75 69 6c 74 20
62 79 20 62 75 69 6c 64 65 72 73 20 6f 6e 20 54
75 65 20 30 35 2d 4d 61 79 2d 30 39 20 32 32 3a
34 35

8: 06:37:20.47184320 192.168.1.10.500 > 10.1.105.5.500: udp 172
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Transaction
Flags: (Encryption)
MessageID: 021567B1
Length: 172

9: 06:37:20.47184350 10.1.105.5.500 > 192.168.1.10.500: udp 1284
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 1D0E05C1
Length: 1284

10: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 92
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 8BA99D99
Length: 92
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
1b f2 17 e7 41 11 d2 1f 91 6a c1 90 07 3e 80 65
61 08 64 3c
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 40
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_RESP_LIFETIME
SPI:
78 3b 9b ea 4d 01 0b 3f dc 15 82 8e fd f2 7f b7
Data: 80 0b 00 01 00 0c 00 04 00 01 51 80

11: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 92
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 8BA99D99
Length: 92

Here IKE Phase 2 (Quick Mode) starts. Client sends out his SA proposals and Proxy IDs.

12: 06:37:20.47184350 10.1.105.5.500 > 192.168.1.10.500: udp 1284
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode

Page 322 of 694
CCIE Security v3 Lab Workbook

Flags: (none)
MessageID: 1D0E05C1
Length: 1284
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
d9 5e e8 91 75 de f9 af 31 24 e1 12 5f de 51 8c
dd 6f d2 88
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 1172
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 56 7c 92 a4
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Key Length: 128
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 2
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 31 73 c5 d0
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Key Length: 128
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 3
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: ce 71 a8 5c
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES

Page 323 of 694
CCIE Security v3 Lab Workbook

Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Key Length: 128
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 3
Protocol-Id: PROTO_IPSEC_IPCOMP
SPI Size: 4
# of transforms: 1
SPI: 00 00 4b ff
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: IPCOMP_LZS
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 4
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: bd dc b8 ab
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Key Length: 128
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 4
Protocol-Id: PROTO_IPSEC_IPCOMP
SPI Size: 4
# of transforms: 1
SPI: 00 00 fe 00
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: IPCOMP_LZS
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56

Page 324 of 694
CCIE Security v3 Lab Workbook

Proposal #: 5
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 35 06 a3 cb
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Key Length: 192
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 6
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 90 2c 99 79
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Key Length: 192
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 7
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: de 82 91 dd
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Key Length: 256
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 8
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 03 de d8 0a
Payload Transform
Next Payload: None
Reserved: 00

Page 325 of 694
CCIE Security v3 Lab Workbook

Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Key Length: 256
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 9
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 40 54 5e 23
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Key Length: 256
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 9
Protocol-Id: PROTO_IPSEC_IPCOMP
SPI Size: 4
# of transforms: 1
SPI: 00 00 81 e8
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: IPCOMP_LZS
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 10
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 3f 55 57 df
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5

Page 326 of 694
CCIE Security v3 Lab Workbook

Key Length: 256
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 10
Protocol-Id: PROTO_IPSEC_IPCOMP
SPI Size: 4
# of transforms: 1
SPI: 00 00 d8 81
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: IPCOMP_LZS
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 11
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: e8 49 67 0b
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 12
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: ac 85 7d 5f
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 13
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 06 32 54 41
Payload Transform
Next Payload: None

Page 327 of 694
CCIE Security v3 Lab Workbook

Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 13
Protocol-Id: PROTO_IPSEC_IPCOMP
SPI Size: 4
# of transforms: 1
SPI: 00 00 74 a5
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: IPCOMP_LZS
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 14
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: e3 5b 48 e2
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 14
Protocol-Id: PROTO_IPSEC_IPCOMP
SPI Size: 4
# of transforms: 1
SPI: 00 00 5a c2
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: IPCOMP_LZS
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Payload Proposal
Next Payload: Proposal

Page 328 of 694
CCIE Security v3 Lab Workbook

Reserved: 00
Payload Length: 52
Proposal #: 15
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 65 75 36 ff
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_DES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: SHA1
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 16
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: c0 36 b5 6f
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_DES
Reserved2: 0000
Encapsulation Mode: Tunnel
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Authentication Algorithm: MD5
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
c9 9c 07 90 28 9c f0 c6 10 54 01 f2 0e fa ba 4e
37 74 0e 99
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 5.5.5.0/255.255.255.0
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 1.1.1.0/255.255.255.0
Extra data: 00 00 00 00

The EasyVPN Server responses with chosen SA proposal and it‟s Proxy IDs.

13: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 196
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)

Page 329 of 694
CCIE Security v3 Lab Workbook

MessageID: 1D0E05C1
Length: 196
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
d9 ac 1c 49 2b 2c 55 cc de a0 52 70 5e fc e7 53
60 31 f3 88
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 64
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 59 08 47 15
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 00 20 c4 9b
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
38 d5 0b 1f 1e c4 15 93 d2 ea 3c 96 ec 67 ef 28
55 7f 97 6f
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 5.5.5.0/255.255.255.0
Payload Identification
Next Payload: Notification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 1.1.1.0/255.255.255.0
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 24
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: STATUS_RESP_LIFETIME
SPI: 59 08 47 15
Data: 80 01 00 01 80 02 70 80

14: 06:37:20.47184350 192.168.1.10.500 > 10.1.105.5.500: udp 196
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0

Page 330 of 694
CCIE Security v3 Lab Workbook

Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 1D0E05C1
Length: 196

15: 06:37:20.47184360 10.1.105.5.500 > 192.168.1.10.500: udp 60
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 1D0E05C1
Length: 60

16: 06:37:20.47184360 10.1.105.5.500 > 192.168.1.10.500: udp 60
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: 1D0E05C1
Length: 60
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
82 7a fe 77 fa 45 4d 45 68 1f c9 d4 3f 99 15 d6
b7 ba 07 53
Extra data: 00 00 00 00 00 00 00 00

17: 06:37:21.47185020 10.1.105.5.500 > 192.168.1.10.500: udp 212
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: DD36CA24
Length: 212

18: 06:37:21.47185020 10.1.105.5.500 > 192.168.1.10.500: udp 212
ISAKMP Header
Initiator COOKIE: 78 3b 9b ea 4d 01 0b 3f
Responder COOKIE: dc 15 82 8e fd f2 7f b7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: DD36CA24
Length: 212
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
0d 61 fc 2a 93 01 d7 a0 11 dd ce b5 67 69 6e 91
60 cd 23 bb
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 153
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 0
Notify Type: Unknown
Data:
00 00 00 00 75 34 00 03 52 35 2e 75 32 00 0a 43
69 73 63 6f 20 32 38 31 31 75 35 00 0b 46 48 4b
30 38 34 39 46 31 42 41 75 30 00 09 32 35 37 35
34 30 30 39 36 75 31 00 09 31 33 30 31 35 38 35
39 32 75 36 00 09 32 32 38 35 38 39 35 36 38 75

Page 331 of 694
CCIE Security v3 Lab Workbook

39 00 08 36 33 30 33 33 33 35 36 75 33 00 2e 66
6c 61 73 68 3a 63 32 38 30 30 6e 6d 2d 61 64 76
65 6e 74 65 72 70 72 69 73 65 6b 39 2d 6d 7a 2e
31 32 34 2d 32 34 2e 54 32 2e 62 69 6e
Extra data: 00 00 00 00 00 00 00

18 packets shown

Page 332 of 694
CCIE Security v3 Lab Workbook

Lab 1.44. Site-to-Site IPSec VPN using
EasyVPN with ISAKMP Profiles (IOS-IOS)
Inside HQ 10.1.101.0/24
Lo0
.10
F0/0
E0/1
R1 .1
ASA1
E0/0 .10
192.168.1.0/24

G0/0 .2

Outside
R2 (Internet)

G0/1 .2
192.168.2.0/24
Inside US
.10 E0/0
Branch
10.1.105.0/24
Lo0
.10
F0/0 E0/2 Inside Canada
E0/1 Branch
R5 .5 .10
Lo0
ASA2 10.1.104.0/24
.4
F0/0 R4

This lab is based on the LAB 2.4 configuration. You need to perform actions
from Task 1 (IOS CA configuration) and Task 2 (NTP configuration) before
going through this lab.

Lab Setup:

 R1‟s F0/0 and ASA1‟s E0/1 interface should be configured in VLAN 101
 R2‟s G0/0 and ASA1‟s E0/0 interface should be configured in VLAN 102
 R2‟s G0/1 and ASA2‟s E0/0 interface should be configured in VLAN 122
 R4‟s F0/0 and ASA2‟s E0/2 interface should be configured in VLAN 104
 R5‟s F0/0 and ASA2‟s E0/1 interface should be configured in VLAN 105
 Configure Telnet on all routers using password “cisco”
 Configure default routing on R1, R4 and R5 pointing to the respective ASA‟s
interface
 Configure default routing on both ASAs pointing to the respective R2 interface

Page 333 of 694
CCIE Security v3 Lab Workbook

IP Addressing:

Device Interface / ifname / sec level IP address
R1 Lo0 1.1.1.1/24
F0/0 10.1.101.1/24
R2 G0/0 192.168.1.2/24
G0/1 192.168.2.2/24
R4 Lo0 4.4.4.4 /24
F0/0 10.1.104.4 /24
R5 Lo0 5.5.5.5/24
F0/0 10.1.105.5/24
ASA1 E0/0, Outside, Security 0 192.168.1.10 /24
E0/1, Inside, Security 100 10.1.101.10 /24
ASA2 E0/0, Outside, Security 0 192.168.2.10 /24
E0/1, Inside_US, Security 100 10.1.105.10 /24
E0/2, Inside_CA, Security 100 10.1.104.10 /24

Task 1
Configure IPSec VPN tunnel between R5 and R4 with the following parameters:
Tunnel SRC DST ISAKMP Policy IPSec Policy
Endpoint Network Network
R5 – R4 5.5.5.5 4.4.4.4 Authentication: PSK Encryption:
Encryption: 3DES ESP/3DES
Group: 2 Authentication:
Hash: SHA ESP/SHA
Use Easy VPN to configure the tunnel in network extension mode. R5 should act as
EasyVPN Remote and R4 should be an EasyVPN Server. Use group name of “R5”
with the password of “cisco123”. You should use ISAKMP profile when configuring
EasyVPN Server on R4.
On R4
R4(config)#username student5 password student5
R4(config)#aaa new-model
R4(config)#aaa authorization network GROUP-AUTH local

R4(config)#crypto isakmp policy 1
R4(config-isakmp)#encr 3des
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exit

R4(config)#crypto isakmp client configuration group R5
R4(config-isakmp-group)#key cisco123
R4(config-isakmp-group)#exit

R4(config)#crypto isakmp profile VPN-CLIENTS
% A profile is deemed incomplete until it has match identity statements
R4(conf-isa-prof)#match identity group R5
R4(conf-isa-prof)#isakmp authorization list GROUP-AUTH

ISAKMP profile allows to specify an ISAKMP parameters when defined identity criteria
are matched (e.g. group name, ip address, host name, host domain, user name and user
domain). In this case, for any connection where the name of the group (R5) is used as
the identity then configuration (authorization) for this connection will be processed
locally from router‟s database.

R4(conf-isa-prof)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac

Page 334 of 694
CCIE Security v3 Lab Workbook

R4(cfg-crypto-trans)#crypto dynamic-map DYN-CMAP 10
R4(config-crypto-map)# set transform-set TSET
R4(config-crypto-map)# set isakmp-profile VPN-CLIENTS

R4(config)#crypto map ENCRYPT 10 ipsec-isakmp dynamic DYN-CMAP

R4(config)#int f0/0
R4(config-if)#crypto map ENCRYPT
R4(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On R5
R5(config)#crypto ipsec client ezvpn EZ
R5(config-crypto-ezvpn)#connect auto
R5(config-crypto-ezvpn)#group R5 key cisco123
R5(config-crypto-ezvpn)#mode network-extension
R5(config-crypto-ezvpn)#peer 10.1.104.4

R5(config-crypto-ezvpn)#int f0/0
R5(config-if)# crypto ipsec client ezvpn EZ outside

R5(config-if)#int lo0
R5(config-if)# crypto ipsec client ezvpn EZ inside
R5(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=R5 Client_public_addr=10.1.105.5
Server_public_addr=10.1.104.4 NEM_Remote_Subnets=5.5.5.0/255.255.255.0

On ASA2

Since IPSec tunnel needs to be established between two peers who are on different
interfaces of ASA but with the same security level of 100. This must be explicitly
allowed on ASA.

ASA2(config)# same-security-traffic permit inter-interface

Verification
R5#ping 4.4.4.4 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R5#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Current EzVPN Peer: 10.1.104.4

R5#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 10.1.105.5 10.1.104.4 ACTIVE 3des sha psk 2 23:56:41 C
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

Page 335 of 694
CCIE Security v3 Lab Workbook

R5#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 10.1.105.5

protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.1.104.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.105.5, remote crypto endpt.: 10.1.104.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD4F8B509(3573069065)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD5881B72(3582466930)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4448645/3441)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD4F8B509(3573069065)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: FastEthernet0/0-
head-0
sa timing: remaining key lifetime (k/sec): (4448645/3441)