Looking up and ahead

Well, I got my results late last night and unfortunately I failed. There was two VPN related questions, a total of 11 points that would have put me over the edge and resulted in a pass. I'm kind of bummed knowing full well I could have passed that exam. To come all this way and get that close just stinks.

I'm not complaining. I learned a lot about security technologies and security devices such as ASA. For now, I am going to relax and enjoy some much needed time off. Maybe if I feel up to it, I will focus on the next version of the exam. Then again, maybe not.

Thanks to everyone for your support.

CCIE Security Final Push...

Well, I have completed my studying. My lab is tomorrow morning at 7am.  Unfortunately, I was unable to complete Volume 2, which is unfortunate. Every new lab was teaching me something new and/or a new way to complete a task.

I don't feel anywhere near as comfortable as I did with my last attempt at my R&S. Honestly, I feel I could use at least another 6-8 weeks just to complete Vol 2, complete Vol 1 again, and then pick and choose tasks from Vol 2 to complete. 

I don't think all of this is a total loss. If I get the right lab, I feel I have a decent chance to pass. I'm not relying on getting a lab that is more applicable to my skills, I'm just stating the facts. If I had started my studying earlier, or had more time to complete, I would be more comfortable. 

In all honesty, I think this is a one time shot at the Security CCIE. The lab exam is changing (starting next week) and it's that lovely time of year (holidays). In addition, I have had to take some time off of work just to get as much studying in as I could. I won't be able to take a lot of time off of work in the next few months. 

It will be kind of fun going in there tomorrow without so much stress and worrying about passing. I would love to pass, but it's not going to make or break me like the R&S lab did. No matter what, this has not been a total loss. I've learned so much about security and security products like the ASA and the IPS appliances. 

I will be sure to post my thoughts following tomorrows lab. Wish me luck!

INE Vol 2 Lab 5

IOS Firewall

• 'ip options drop' can be configured from global config mode to drop all IP options

SSL VPN

• Enable webvpn
• webvpn
• port 443
• enable outside
• tunnel-group-list enable
• svc image flash:/anyconnect.img
• svc enable
• Set the tunnel-protocol to svc under group policy
• Enable webvpn for the tunnel group
• tunnel-group SSLVPN webvpn-attributes
• group-alias SSLVPN enable
• authentication aaa
• If necessary, create local user and attach to group
• username SSLUSER attributes
• group-lock value SSLVPN
• Set encryption
• ssl encryption rc4-md5
• Lastly, enable NAT exemption if required

DMVPN

• Interesting point, I created my tunnel interfaces first, then I was going to protect them with IPSec, but my CA enrollment kept failing. If I shutdown the tunnel interfaces, and then enroll, it works just fine. Could be a code thing, I'm not sure.
• Remember timers are negotiated - so if you already have a isakmp policy, you will not need to create another just for different timers.

AAA/Tacacs

• Set configure level privilege commands with 'privilege configure all level 7 snmp-server'
• aaa authorization config-commands
• Required to autorize config mode, even if you set 'aaa authorization commands 7 default start-stop group tacacs'

Process Monitoring

• You can alert on processor and memory usage
• memory free low-watermark processor 5000
• process cpu threshold type total rising 75 interval 60 falling 30 interval 60
• snmp-server enable traps cpu
• snmp-server enable traps memory
• logging host 162.1.38.100 transport tcp

Login Security

• login quiet-mode access-class 1
• This exempts the hosts in ACL 1 from the login parameters
• login parameters are only supported with local password auth or aaa

Source Tracking

• ip source-track [address] - enables source tracking for the specified host
• show ip source-track [address] - show results

IOS IPS

• specify the IPS signature location
• ip ips config location flash:ips
• Enable IOS basic set of signatures
• ip ips signature-category
• category ios_ips basic
• retired false
• category all
• retired true
• Disable a specific signature
• ip ips signature-definition
• signature 3106 0
• status
• retired true
• Tune Signature
• ip ips signature-definition
• signature 2000 0
• alert-severity high
• Enable SDEE event report
• ip ips notify SDEE
• Set TVR
• ip ips event-action-rules
• target-value high target-address 192.10.1.0/24
• Enable IPS
• ip ips name IPS list IPS
• int s1/0
• ip ips IPS in
• Show ips configuration
• show ip ips configuration

INE Vol 2 Lab 3

Difficulty 8

• Lots of tasks here. Many dependent tasks. You must configure the in-line VLAN pair on the IPS before you can even reach one leg of the network
• Lots of routing protocols to watch out for. OSPF, RIP, EIGRP and BGP
• Lots of filtering going on here - ZBF, Two ASAs, CBAC.
• Not a lot of PAT here (nat + global) but there is several static NATs. Must be cautious if you are using the pre-NAT or post-NAT address. 
• Good drawings will be absolutely necessary if you get a lab like this
• Order of operations are important too. You have to read the entire thing and plot out how to do this. A few examples -
• You need to enable QoS on a L2L in section 1, but the tunnel isn't created until section 3
• ZBF and other filtering comes later in the task list. Would be useful to set these up first, so you can allow specific traffic in other tasks. There is a lot of reliance on the ACS server - logging, websense, CA, etc. So this could get tricky.k
• You have to enable ICMP to pass through all zones in a ZBF. The next task stated you had to enable logging as well. If you can read ahead and accomplish this in one step, you can save yourself a few minutes.

Websense Filter

• After configuring the web sense filter, you need to enable HTTP inspection and attach to the interface (ip inspect name HTTP_INSPECT http).
• 'show ip urlfilter config' shows you the port used for the web filter

VPN Client

• Got rather easily tripped up here. My authentication to RADIUS were not passing. I was able to troubleshoot correctly, but not fix the issue. I saw packets were matching the ACS access list on my ZBF, but they were not matching the policy-map. Show ip port-map showed 1645/1646 instead of 1812/1813. Changing this on the ASA aaa-server group fixed the issue.

VPN L2L RSA Sig

• You need 'crypto isakmp identity hostname' to authenticate with certificates
• As such, the tunnel-group name should be the FQDN of the remote side

DMVPN

• 'ip nhrp shortcut' and 'ip nhrp redirect' enable spoke nodes to discover NBMA address of another spoke without querying the hub
• Be careful of MTU sizes..

Cut-Through Authentication

Cut-Through

Cut-through authentication was previously configured with the aaa authentication include command. Now, the aaa authentication matchcommand is used. Traffic that requires authentication is permitted in an access list that is referenced by the aaa authentication match command, which causes the host to be authenticated before the specified traffic is allowed through the ASA.

Here is a configuration example for web traffic authentication:

username cisco password cisco privilege 15

access-list authmatch permit tcp any any eq 80

aaa authentication match authmatch inside LOCAL

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

PARSER VIEW

• I recall this from R&S studies, need to refresh. You need to be in root view before you configure another view.

Password Encryption

• You can decrypt a '7' key by copying the key string into a key chain and issuing a 'show key chain'. Neat
• By default 'service password-encryption' does not encrypt all ISAKMP keys. You enable with 'password encryption aes' and setting an encryption key with 'key config-key password-encrypt KEYSTRING'

Traffic Filtering

• RFC 2827 is for anti-spoofing. Do not allow your own network address space in, allow only your address space out.
• Never surprised by creative requests...for example, disable IP unreachables to RFC1918 address space. Match on an access list, match in the route map, set interface to Null 0 and policy route the local traffic.

DOS Prevention

• FPM - also remember this from R&S studies. Best bet is to string together a configuration form the configuration guide - http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_fpm/configuration/12-4t/sec-flex-pack-match.html#GUID-FDC435A4-5FEC-4A14-82C7-6E92A80160FE
• Load FPM Protocol definitions
• load protocol system:/fpm/phdf/ip.phdf
• load protocol system:/fpm/phdf/tcp.phdf
• Match Traffic
• class-map type access-control match-any TELNET
• match field TCP dest-port eq 23
• match field TCP source-port eq 23
• Match TCP over IP
• class-map type stack match-all TCP_TRAFFIC
• match field IP protocol eq 0x6 next TCP
• Drop matched traffic
• policy-map type access-control BLOCK_TELNET
• class TELNET
• drop
• policy-map type access-control INTERFACE_POLICY
• class TCP_TRAFFIC
• service-policy BLOCK_TELNET
• interface serial1/0
• service-policy type access-control output INTERFACE_POLICY

TCP Normalization

• On an ASA, can be handled with TCP MAP
• TCP Echo and Echo Reply are option 6 and 7
• syn-data drop will make sure no data payload is carried in connection-establishment segments

Despite my lack of notes above, this lab kicked my ass. I have doubts that I am really ready for this lab. In any event, I will continue to study and take in as much as I can. Two weeks from now, I'll be walking out of the lab in RTP. I can only study hard and hope for the best....

INE Vol 2 Lab 2

Difficulty 6

• Seem to forget that you can't establish BGP over a default route...amazing the things you forget
• Always be sure to verify your tasks. Enabled RIP authentication between R2 and ASA, thought everything was ok as R2 was getting the default route. The ASA was not getting anything from R2 because of invalid authentication. 'debug ip rip' showed the issue a few moments later.
• Do not apply key-chain to an interface before it has been created. This generally does not work.
• Remember that you need to allow option 19 and disabled random-sequence numbers for BGP authentication!!!
• Some times, it's easy to read too much in something. Task asked to port forward to a server, but deny this traffic on the weekends. I figured you would need to add a time range to the ACL used in the NAT statement. I'm not even sure that is possible, but since there were no further requirements in the task, easy answer was 2 static statements and an ACL attached to a time-range.....
• If a request asks for 'minimal IPSec overhead', it requires transport mode as opposed to the default tunnel mode
• Transport mode assumes there are just 2 endpoint addresses
• You may need to set 'local-address' on the crypto map
• GET VPN
• Requires configuration of a key server
• IPSec pretty straight forward, isakmp policy, isakmp key, ipsec transform set and IPSec profile
• Require's generating labeled and exportable keys
• crypto key generate rsa general-keys label GETVPN modulus 512 exportable
• Key Server Config
• crypto gdoi group GETVPN_GROUP
•  identity number 1234
•  server local
•   rekey retransmit 10 number 2
•   rekey authentication mypubkey rsa GETVPN_KEYS
•   rekey transport unicast
•   sa ipsec 1
•    profile GETVPN_Profile
•    match address ipv4 100
•    replay time window-size 5
• You can create a special port-filter policy map on control-plane host subinterface. With this, you can match closed ports. 
• class-map type port-filter match-all CLOSED_PORTS
• match closed-ports
• policy-map type port-filter PORT_FILTER
• class CLOSED_PORTS
• drop
• control-plane host
• service-policy type port-filter input PORT_FILTER
• SNMPv3
• Need to configure engine ID for the remote entity to be able to send informs
• Create group
• snmp-server group TRAP v3 priv !for auth and encry
• Create user
• snmp-server user TRAP TRAP remote 10.0.0.100 v3 auth sha CISCO priv 3des CISCO
• Enable
• snmp-server host 10.0.0.100 informs version 3 priv TRAP
• snmp-server enable traps envmon
• Need to read more on SNMPv3
• IPS
• From INE Volume 2

Recall the formula for Risk Rating (RR), which defines the potential impact of a particular attack against the particular server:

           RR = (Fidelity*Severity*TVR)/(100*100).

Target Value Ratings (TVR) values are as follows: low (75), medium (100), high (150), mission-critical (200). You assign them to the company’s assets, identified by the IP addresses. Default TVR value is medium (100).

Signature severity values are: info (25), low (50), medium (75), high (100). They describe how dangerous the attack is. They are part of signature definition. Finally, fidelity values tell how well a signature “recognizes” the corresponding attack. They are also a part of signature definition and range from 0 to 100.

 That is all I have for Lab 2. Overall, I agree with the difficulty rating of 6. A few things tripped me up, but absolutely doable in 8 hours. 

INE Volume 2 Lab 1

Difficulty 7

Remember to read the entire task list. Mark items that could collide with other configuration directives (allowing routing protocols on access-list, etc). Make sure you validate your commands, don't take them for face value.

• When configuring failover, you can exclude interfaces from being monitored with the 'no monitor-interface inside' command
• You must also enable HSRP-like standby IPs for each interface
• There is a default global_policy policy-map
• Enable TCP Options with a TCP MAP. Apply under class in policy-map with 'set connection advanced-options MAPNAME'
• There is a default inspection_default class-map
• UNIX Traceroute uses UDP 33434 33464 range. I've seen other docs state 33434 - 33564. In short, each 'hop' increments the port, and most system by default have a max hops of 30. So I believe the correct answer to be 33434 - 33464. INE states that for every hop, three probes are sent with a TTL=1 to incrementing port numbers. With a max of 30 hops, this bring the range up to 33434 to 33524. I'm not totally sure which is correct. Also remember, the inbound response is ICMP TTL Exceeded or ICMP Unreachable.
• Task asked to map inside address to outside address. I did a nat (inside) 2 inside_host_address global (outside) 2 global_host_address which accomplishes the task. The better solution is static (inside,outside) global_address inside_address
• Enabling 'inspect icmp error' under the global policy provides NAT translation for the traceroute responses.
• Remember to pay attention to what is specifically required. To police ICMP on the outside interface only, you need to create an interface policy-map and apply it. Changing the global_policy affects all interfaces.
• I need to make sure I name my access-list/class-map/policy-map/etc correctly as they could be used later. INE names class-map ICMP_Traffic and the policy-map OUTSIDE_Traffic. This will help identify these later for other tasks or troubleshooting.
• It's easy to overthink some of the tasks. One task asked to allow trace route from inside to outside with only one access-list statement. I was trying to think of creative ways to do this - in actuality, you could just use an object-group. Per INE - this is a common requirement 'use X number of lines, or use minimum number of lines'
• Still having issues with the alias command. Need to remember it's a DST NAT and a dns rewrite.
• alias (interface) orig_address nat_address
• With IOS ZBF, there are multiple ways to accomplish some tasks - usually hinging on if you need deep packet inspection or not. I'm getting better with this, but still need some more practice.
• By default, routing traffic is not affected by ZBF as default traffic to self zone is permitted. 
• Overlapping address space can be tricky. Need to determine the correct place to apply the NAT, especially when the overlapping address spaces are a few hops apart.
• Creating an IOS PKI - not something that was covered in Vol 1
• Set issuer name cn=NAME,ou=DEPT
• grant auto
• no shutdown
• That's it. 
• Remember for certificates you need a domain name, a key and a synced time source
• You can change the ISAKMP source address with 'crypto map VPN local-interface lo0'
• Logic steps to configuring ezVPN server
• Enable AAA and define AAA lists, protect from console lockouts
• Define ISAKMP authentication settings and global ISAKMP parameters
• Create address-pool
• Configure client group and split-tunnel access-list. Define group key, associate address pool and bind split-tunnel ACL. Define other required settings.
• Create ISAKMP profile that binds together the following:
• Calling client identity - normall group name
• Configuration group for clients matching this profile
• Authentication and authorization groups for ezVPN
• Virtual-Template interface numbers
• Enables responding to ISAKMP 1.5 transaction mode address requests for this group.
• Create IPsec profile. Define transform set prior to this. Profile may need to define RRI settings if used.
• Create virtual-template type tunnel and assign IPSec protection profile. Must define IP on VTI to work correctly. 
• Lastly, configure routing process for redistribution of RRI information. Use route-map.
• INE makes it a point - this should be remembered verbatim and you should not require a manual to complete this. I can already do this with LAN-to-LAN tunnels. I will be typing this scenario up in notepad a few times to validate I can do this.
• ASA - Tunnel-group filter filters traffic inside the IPsec tunnel. Applied via group-policy.
• ASA - must remember to create the tunnel-group. Shouldn't have missed this as it is the only way to define the PSK.
• ASA - dont forget to exempt the VPN traffic from any NAT rules.
• ASA - to apply QoS, you need to match the tunnel-group and apply to the interface. You also need to match 'flow ip destination-address' in the class-map. You must also enable priority-queue on the interface globally. 
• ASA - policing is the only working per-flow QoS command
• ASA - Virtual http provides transparent redirection back to the URL entered by the end-user, and HTTP server capability for authentication
• ASA - cut-through proxy authentication. You must configure an authentication service, then create an access-list matching the traffic to authenticate as well as traffic going to the virtualIP, next configure the cut-through proxy rule. 'aaa authentication match ACL inside TACACS'
• You can assign privilege levels through TACACS. You must enable it for group or for user under interface configuration. Don't forget to enabled shell exec and then set privilege level on TACACS. This task created the privilege level commands on the router.
• Separation of authentication and authorization is only possible using tacacs.
• 802.1x requires authorization as well as authentication. Watch out for CONSOLE authentication/authorization.
• Make sure to create your guest vlans
• To assign a vlan via dot1x, set the following under group settings
• Tunnel-Type="VLAN"
• Tunnel-Medium-Type="802"
• Tunnel-Private-Group-ID="255"
• For sending logging reports to e-mail, there is a generic 'smtp-server x.x.x.x' command under global configuration and not under 'logging'.
• For QOS priority on a tunnel in IOS, you need to use nested policy-maps. 
• class-map VPN_TRAFFIC
• match access-group name TUNNEL_TRAFFIC
• policy-map INTERFACE_POLICY
• class VPN_TRAFFIC
• shape average 2000000
• bandwidth 2000000
• service-policy TUNNEL_POLICY
• policy-map TUNNEL_POLICY
• class VOICE_TRAFFIC
• priority 128
• Shape limits the maximum speed, bandwidth provides the minimum bandwidth reservation
• Remote Triggered Blackholes
• really cool concept. I won't talk about it, only link to a PDF from Cisco
• http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

And after entirely way too long, I have finally finished lab 1. I'm not totally worried as I remember feeling the same way after my first R&S lab. I'm off now to watch some INE videos, and then start on Lab 2 hopefully next week.

IOS IPS

You can enable IPS on your IOS routers. I seem to remember this being covered by the R&S blueprint, although it was on the outer fringes of what you should expect to know for R&S. This time around, there is probably a fair shot of seeing it on the Security lab.

• Basic Setup
• ip ips config location flash:/ips/
• ip ips name IPS
• ip ips notify log
• ip ips signature-category
• category all
• retired true
• category ios_ips basic
• retired flase
• interface Fa0/0
• ip ips IPS in
• You then need to download the signature definition file. Would you actually need to do this in the lab?
• Store the signing key from Cisco in routers NVRAM.
• Load signature definition file. If you dont have much of the signatures retired, this process could drain your router of memory.
• copy flash:/IOS-S347-CLI.pkg idconf
• Enable the necessary signatures.
• ip ips signature-definition
• signature 2000 0
• status
• retired false
• exit
• exit
• signature 2004 0
• status
• retired false
• exit
• You may need to change the target value rating
• ip ips event-action-rules
• target-value mission-critical target-address 183.1.46.0/24
• exit
• Validate with 'shop ip ips all'
• Show signatures with 'show ip ips signatures sigid 2000 subid 0'
• Show target value rating
• 'show ip ips event-action-rules target-value rating'

This covers just the basic setup. I will be looking IOS IPS in the configuration guide and posting more information later.

IPS and Volume 1 wrap-up

IPS

• Initial setup can be completed via the setup command, or through standard configuration
• conf t
• service host
• network-settings
• Create an inline vlan pair through the interfaces configuration
• conf t
• service interfaces
• physical-interfaces gi0/0
• subinterface-type inline-vlan-pair
• subinterface 1
• vlan1 101
• vlan2 102
• admin-state enabled
• You must then assign the interfaces to an analysis engine
• conf t
• service analysis-engine
• virtual-sensor vs0
• physical-interface gig0/0 subinterface-number 1

There was a lot more topics on IPS, but I didn't keep notes. Just FYI - I ended up buying at 4215 as I was having too much trouble with GNS3/Qemu/Breakout Switch. Not a bad investment at $60 and I was able to complete all the topics in Volume 1.

Now that I have completed Volume 1, it's time to move on to full labs. I've also rented rack time at INE for some of the previously mentioned tasks that couldn't be completed on emulated hardware.

I will revisit topics in Volume 1 if I encounter them the full labs and I am having issues completing the task. If I had more time, I would go through volume 1 again (or at least 50% of it). 

Here's hoping I can get my full lab topology setup fairly quickly....

IOS as a firewall...

CBAC

• Also covered in CCIE R&S, so I consider this a refresher
• You can map a global port to a specific host with an access-list
• ip port-map http port 21 list 99
• CBAC works for any protocol
• Only supported mode is watch as opposed to tcp intercept
• Limited by two basic line-rating features
• Total half-open session
• one-minute half-open session rate
• High and low limits for both
• TCP has additional parameters
• Connection establishment/inactivity/teardown timers
• per-host limits and block time
• You can specify UDP sessions timeout and DNS timeout separately
• CBAC typically used to protect servers
• CBAC Tuning
• Try to make the hashtable size the same as the number of average concurrent connections
• By default, CBAC generates alerts when it finds inconsistencies in protocol tracking. You should disable alerts globally or per protocol to improve performance.
• Session audit can also be enabled globally or per protocol.

Authentication proxy

• Download per-user ACLs and merge with interface access-group
• To authenticate, a HTTP session is intercepted and authentication is performed by the router
• You have to enable user-level RADIUS/TACACS attributes, then you need to set what attributes are available through the interface configuration in ACS
• Always remember that if you have to create an ACL, it may not always be as specific as it needs to be. For example, if your ACS is on that interface, you need to enable RADIUS/TACACS traffic in that ACL.
• Be sure that your av-pair definition is correct. Debugs only kind of helped here, but I defined auth-proxy:prive-lvl=15 instead of the correct auth-proxy:priv-lvl=15. I was given the error Auth Fail! and the debug were not real clear.
• Is there a list of Cisco AV Pairs on the Cisco site? Namely the cisco-av-pair valid attributes? If anyone knows, I would love the URL!
• The priv-lvl=15 is necessary for all users
• More Information - Authentication Proxy Configuration

More VPN and Access-Lists...

IPSec High Availability

• You can attach a crypto map to an interface running HSRP
• crypto map VPN redundancy HSRP1

IPSec High Availability with NAT and HSRP

• You can create NAT availability by attaching the HSRP group name to your nat statements
• ip nat inside source static 136.1.134.1 136.1.234.1 redundancy HSRP1

IPSec Pass-Thru Inspection on ASA

• The ASA can inspect IPSec going through the firewall. 
• class-map IKE
• match port udp eq 500
• policy-map global_policy
• class IKE
• inspect ipsec-pass-thru
• service-policy global_policy global
• show service-policy global

L2TP over IPSec between ASA and Windows

• Create a standard isakmp policy
• Create a wildcard isakmp key
• Create a transform set, mode transport
• Create dynamic crypto-map that matches udp port 1701 (l2tp) and sets transform set
• Create crypto map, assign dynamic map and attach to interface
• Create local pool
• Create username/password with mschap keyword
• Create group-policy
• Specify ipsec and l2tp-ipsec as protocols
• default-domain name
• dns-server
• Modify built-in tunnel-group DefaultRAGroup general-attributes
• Assign local address from pool
• default local authentication
• apply group-policy L2TP
• Modify built-in tunnel-group DefaultRAGroup ppp-attributes
• Use ms-chap v2 as authentication protocol
• Modify built-in tunnel-group DefaultRAGroup ipsec-attributes
• Specify pre-shared-key
• Not too different than setting up other VPNs, other than the use of the default tunnel-group. There are a lot of things to configure, so it could be easy to forget an attribute

ISAKMP Profiles

• Can support termination of multiple VPNs through use of identities
• Match identities and use multiple lines in crypto map (10, 20, etc).
• I will be reading more about ISAKMP identities

Access-List Refresher

• 33434-33464 is the UDP range for UNIX/IOS traceroute
• ICMP pMTU requires ICMP type 3, packet too big
• ICMP traceroute uses ICMP unreachables and time-exceeded
• Don't forget unspecified but necessary traffic - like routing protocols!
• I've always found it easy to draw my access-lists on paper. Draw a line down the middle, left is IN, right of the line is OUT. Now draw arrows for the direction you need to allow/block. Draw it all out and then look at your drawing - is your return traffic going to make it back?
• Some IOS versions will not policy route multicast traffic. This is a just a side note, but I needed to reflect RIP to allow routing updates on an interface and had to policy-route so they would be caught by the access-list.

I have about 140 pages left which I should complete by next Wednesday which gives me a solid two months to finish up my studying. Hopefully I will have my full labs soon. I ordered them through my employer which takes forever. Once i've finished up with my home study, I will grab some rack time to finish up the things I could not do at home. I will then circle back through the volume 1 and touch anything that I need more practice on. 

Wish me luck!

VPN QoS, TED and ISAKMP Authorization

L2L QoS

• Functions much like IOS (MQC)
• Under class-map, you match tunnel-group as well as other parameters (dscp, ipp, etc)
• Create a policy-map
• Attach to interface with service-policy

QoS Pre-classify

• This was similar to some of the frame-relay shaping commands from R&S
• Enable qos pre-classify under the crypto map
• Configure your class-maps, policy-map just like normal
• Create a parent policy-map, configure class-default, shape and attach your QoS policy here. It is the parent policy that will be applied to the interface.

Fragmentation

• A near-MTU sized packet can be fragmented before or after encryption with an interface-level 'crypto ipsec fragmentation before/after' command

IOS Router ISAKMP pre-shared keys with AAA

• Router sends remote peer ID as login name along with 'cisco' which is a hardcoded value. The attributes in reply are used to extract pre-shared key for IKE and deduce various other attributes
• On authenticating router, set identity and password with 'crypto isakmp peer address 1.1.1.1' command
• set aggressive-mode password CISCO
• set aggressive-mode client-endpoint ....
• On secure router, enable isakmp authentication with
• crypto map VPN isakmp authorization list AAA_GRP_NAME
• You also need to set parameters in ACS
• AV Pair : ipsec:key-exchange=IKE
• IETF Service : outbound
• IETF Tunnel-Type : IP ESP
• IETF Tunnel-Password : pre-shared key
• Create user in ACS and add to group with the above parameters
• For some reason, my routers weren't picking up on the ISAKMP authorization list, so I had to create a default. This could be something with GNS3 or a bug.

Tunnel Endpoint Discovery

• Create a dynamic map that matches the IP addresses and sets the transform set. Then attach the dynamic map to a crypto map with the keyword of 'dynamic' at the end
• crypto map VPN 10 ipsec-isakmp dynamic-map DISCOVER discover

Well, that puts the finishing touches on another couple of sections. Down to 200 pages left, which has me pretty excited. I want to make it through this so I can get some more reading done (compare to blueprint) and begin some full labs to see how this is all tied together.

EasyVPN and SSL VPN

EasyVPN

• The below config is for client mode
• Most EasyVPN configuration is under the 'crypto isakmp client' configuration

crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 2

crypto isakmp client configuration address-pool local EZVPN

crypto isakmp client configuration group EZVPN

 key CISCO

 pool EZVPN

 acl SPLIT_TUNNEL

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 

crypto dynamic-map DYNAMIC 10

 set transform-set 3DES_MD5 

 reverse-route
crypto map VPN isakmp authorization list EZVPN

crypto map VPN client authentication list EZVPN

crypto map VPN client configuration address respond

crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC 

 crypto map VPN

• On the client, configuration is under 'crypto ipsec client'

crypto ipsec client ezvpn EZVPN

 connect manual

 group EZVPN key CISCO

 mode client

 peer 136.1.123.3

 xauth userid mode interactive

interface Lo0

 crypto ipsec client ezvpn EZVPN inside

interface Fa0/0

 crypto ipsec client ezvpn EZVPN

• In a manual configuration, you connect the tunnel with 'crypto ipsec client ezvpn connect'. If you have configured xauth, you will need to enter 'crypto ipsec client ezvpn xauth' following the connect statement to enter your credentials.
• You can have multiple inside/outside interfaces
• You can have multiple subnets, but you must use an ACL to capture the subnets.
• crypto ipsec client ezvpn EZVPN
• acl ACCESS_LIST_NAME
• Show/clear commands include
• show crypto ipsec client ezvpn
• show ip nat statistics
• clear crypto ipsec client ezvpn
• You can also enable network-extension mode, which means there is no NAT, no pool and the remote addresses are routable on the protected network.
• Configuration on an ASA is similar, albeit using tunnel-groups and group-policy

tunnel-group DefaultRAGroup general-attributes

 address-pool (inside) EZVPN

tunnel-group DefaultWEBVPNGroup general-attributes

 address-pool (inside) EZVPN

tunnel-group EZVPN type remote-access

tunnel-group EZVPN general-attributes

 address-pool EZVPN

 default-group-policy EZVPN

tunnel-group EZVPN ipsec-attributes

 pre-shared-key *

!

group-policy EZVPN internal

group-policy EZVPN attributes

 dns-server value 10.0.0.100

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value SPLIT_TUNNEL

!

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 

crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5

crypto dynamic-map DYNAMIC 10 set reverse-route

crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC

crypto map VPN interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

• Configuring ASA w/ VPN Client and external policy
• This required configuration and setup of the ACS server. I have no experience with ACS other than adding users/groups/etc. I do have experience with RADIUS in an ISP environment, so the concept isn't totally foreign.
• Define Radius server with the 'aaa-server' command on ASA
• To use an external policy, use 'group-policy EZVPN external server-group RADIUS password CISCO'
• Add ASA as AAA Client in ACS
• Under Interface - Radius (VPN3k, ASA, PIX) enable the VSAs you are required to use such as Primary DNS, IPSec-Authentication,Split-tunnel list
• Create an EZVPN Group in ACS and fill in the values for the selected VSA
• Finally, add user and assign to EZVPN group
• This configuration enables group authentication to the ACS, but user authentication to the ASA
• Authenticate remote VPN user to ACS
• user authentication is performed prior to group-policy download, so you can specify policy per-user.
• The OU is used for group match in ACS

WebVPN

• Configuration seemed straight-forward.
• WebVPN configuration is under the webvpn context
• You can create group-policy for webvpn

group-policy WEBVPN attributes

 webvpn

  filter value WEBACCESS

  url-entry enable

• There are special access list for webvpn called webtype
• There is also a webvpn tunnel-group type
• You configure port-forwards under the main webvpn context

port-forward TELNET_R3 20023 136.1.121.1 telnet 

SSL VPN

• Similar to WebVPN setup. You indicate where the client image as located, and enable it under webvpn

webvpn

  svc image disk0:/sslclient.pkg 1

  svc enable

• You need to create a pool for SSL VPN users (ip local pool)
• Create a group policy similar to webvpn

group-policy SSLVPN attributes

  vpn-tunnel-protocol webvpn

  webvpn

    svc required

    svc keep-installer installed

• Create a tunnel group

tunnel-group SSLVPN type webvpn

tunnel-group SSLVPN general-attributes

  address-pool NAME

  default-group-policy SSLVPN

• Attach policy to username

username CISCO attributes

  vpn-group-policy SSLVPN

ASA Reading - L2L and Remote Access VPNs

Decided to do some reading this morning before my lab time. Reading "Cisco ASA, All-in-one firewall, IPS, Anti-X and VPN Adaptive Security Appliance" by Jazib Frahim and Omar Santos. Overall, I have to say it's a good intermediate level book. It does not seem to get real deep into any one topic, but it covers enough on a very wide range of topics. 

• L2L Tunnels
• Modify ISAKMP keepalive parameters under tunnel-group
• Set Phase 1 mode (Agg, MM) under crypto map
• Timers also set by crypto map
• Enable management access across VPN tunnels with 'management-access INTERFACE' global command
• Set reverse-route with Crypto Map
• ASA,by default, allows fragmentation to occur before packets are encrypted. However, if DF is set, the ASA retains the DF bit. If large packets are sent through the ASA with DF bit, they are dropped. 
• You can clear the DF bit with 'crypto ipsec df-bit clear-df INTERFACE' global command.
• 'crypto ipsec fragmentation before-encryption INTERFACE' global command forces fragmentation before encryption, otherwise the remote end is responsible for re-assembly and defragmentation which is processor intensive
• Like IOS, you can set a debug condition - 'debug crypto condition peer 1.12.35.8'
• You can also monitor with the capture command
• capture NAME type isakmp interface outside
• show capture NAME decode
• Remote Access
• Group policies have inheritance
• Group policies are attached to tunnel groups
• group-policy IPSecPolicyName internal
• group-policy IPSecPolicyName attributes
• vpn-tunnel-protocol IPSec
• tunnel-group GroupName type remote-access
• tunnel-group GroupName general-attributes
• default-group-policy IPSecPolicyName
• tunnel-group GroupName ipsec-attributes
• pre-shared-key C!$c0K3y
• Define RADIUS server for authentication
• aaa-server Radius protocol radius
• aaa-server Radius (inside) host 1.12.35.8
• key C1$c0K3y
• exit
• tunnel-group GroupName general-attributes
• authentication-server-group Radius
• Address assignment
• Local
• ip local pool IPPool 1.1.1.1-1.1.1.254 mask 255.255.255.0
• group-policy IPSecPolicyName attributes
• address-pools value IPPool
• You can also link pool to tunnel group - group-policy is preferred.
• DHCP
• vpn-addr-assign dhcp
• tunnel-group GroupName general-attributes
• dhcp-server 1.0.0.10
• Dynamic Crypto Map
• Required remote remote hosts have dynamic addresses
• Automatically created when you enable isakmp
• crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535
• Must set transform set
• Attach to outside crypto map
• crypto map outside_map 65535 ipsec-isaskmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
• Finally, attach to interface
• crypto map outside_map interface outside
• Access Filtering
• You can attach ACL to group policy
• group-policy IPSecPolicyName attributes
• vpn-filter value ACL_NAME
• Split Tunneling
• Attached to group-policy. You can define the split-tunnel ACL and the split-tunnel policy
• group-policy-IPSecPolicyName attributes
• split-tunnel-policy tunnelspecified
• split-tunnel-network-list value SplitTunnelACL
• Can also assign DNS and Wins via group-policy attributes
• VPN Load Balancing
• ASA devices have a priority ie; 5510 is 2, 5580 is 10. Higher wins. If same priority powered up at same time, lowest IP becomes master
• Virtual IP
• Clients must support IKE redirect
• vpn load-balancing
• priority 6
• cluster key C1$c0K3y
• cluster ip address 10.0.0.1
• cluster encryption
• participate
• ISAKMP must be enabled on all devices/interfaces participating in load balancing

Tunnels and DMVPN

• GRE over IPSec with static crypto
• Standard tunnels with an IPSec overlay. Just create access-list to match the GRE traffic. You ISAKMP keys will be based on the physical address. Seemed pretty straight forward if you have ever created a tunnel and turned up a L2L VPN before.
• GRE over IPSec with profiles
• The difference with profiles is IPSec is initiated from the loopbacks hence you need to configure your keys for the loopback address and not the physical address. You create a profile 'crypto ipsec profile VPN' and attach the transform set 'set transform-set 3DES_MD5_TRANS' and then apply the profile to the tunnel 'tunnel protection ipsec profile VPN'
• DMVPN w/ PSK
• Now on to something new I have not done before. I did take a few classes on DMVPN at Cisco Live this year in preparation for my exam.
• DMVPN basic -
• Dynamic next-hop resolution using NHRP
• Ability to build dynamic site-to-site tunnels instead of the hub and spoke model
• Utilizes multipoint GRE
• I need to go back and read some more about DMVPN - mainly the NHRP. Just to get familiar again with what the various commands mean such as 'ip nhrp map'.
• Wildcard IKE keys are necessary for dynamic tunnels
• ip nhrp map multicast dynamic  - allows NHRP to automatically add spoke routers to multicast NHRP mappings
• NHRP network IDs are locally significant although it makes sense to use unique IDs
• ip nhrp map x.x.x.x y.y.y.y maps the tunnel address (x.x.x.x) to the physical address (y.y.y.y) on the spoke
• Statically configures the IP-to-NBMA address mapping of IP destinations connected to an MBMA network.
  • hub-tunnel-ip-address --Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
  • hub-physical-ip-address --Defines the static public IP address of the hub.
• ip nhrp map multicast y.y.y.y - enables the use of dynamic routing protocols and sends multicast packets to the hub router
• DMVPN Monitoring commands
• clear dmvpn session
• clear dmvpn statistics
• debug dmvpn
• debug nhrp condition
• debug nhrp error
• logging dmvpn
• show dmvpn
• show dmvpn traffic
• Other standard IPSec/ISAKMP monitoring commands
• An important note is split-horizon in a DMVPN network. You will need to disable this on the hub tunnel to ensure full EIGRP routing table

VPNs

I have actually worked a fair amount with IOS VPNs and even some VPN3K in the past. It will be interesting to see how the configuration is adapted to the ASA platform.

• IOS and ASA LAN-to-LAN w/ PSK
• Setting ISAKMP policy is the same as IOS. You must explicitly enable isakmp on the firewall interface
• sysopt connection permit-vpn is what allows VPNs to bypass ACL checking
• You use tunnel-group to attach the PSK to the host address
• The crypto map configuration is slightly different than IOS, but if you have done it on IOS, you will get it.
• This all of course through a pretty basic firewall - no nat.
• LAN-to-LAN w/ PSK & NAT
• Different than IOS - you cannot use a deny access-list statement in a nat (inside) statement
• Instead, you must use nat exempt - nat (inside) 0 access-list EXEMPT
• Outside of this, nothing special
• LAN-to-LAN w/ Digital Certificates (as opposed to paper certificates?!)
• This is certainly something new for me as far as configuration goes. I've read a decent about about setting up a ca and issuing certificates, but I've never actually configured it
• I had way too many issues, but mainly on the CA side (never setup a windows CA before)
• IKE Authentication will be rsa-sig as opposed to pre-shared key
• You must configure the CA, authenticate the CA and then enroll with the CA. This is where I ran in to problems on the CA side. Took a while to get the SCEP up and going. For anyone that had problems like I did, here is the latest link on where to download the SCEP add-on : http://www.microsoft.com/en-us/download/details.aspx?id=2178
• After finally configuring everything, including CA - it didn't work! What now? I got this error on my IOS box 

Translating "ciscoacs-bzykjz"

Aug 26 11:46:46.803: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!

R3#

Aug 26 11:46:46.807: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 136.1.123.12

R3#

Aug 26 11:46:47.859: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 136.1.123.12 failed its sanity check or is malformed

R3#                 

Translating "ciscoacs-bzykjz"

Aug 26 11:47:16.702: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!

• So it looked like the name resolution was failing as I recognized the "ciscoacs-bzykjz" as the hostname of my Windows 2003 server. Added an 'ip host ciscoacs-bzykjz x.x.x.x" on my IOS box and like magic - it worked!
• You can also create a tunnel-group based on the FQDN. To work, you need to set both identities to be the hostname. These must also be the name you used to request your certificate from the CA.
• When configuring L2L between IOS devices across the firewall with NAT, you need to make some adjustments.
• Wildcard key on outside peer as the traffic will be NAT'ed from the inside host ( could by interface, but could also be POOL)
• Creation of a dynamic map since you aren't defining a specific peer due to the nat
• crypto dynamic-map DYNAMIC 10
• set transform-set 3DES_MD5
• crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
• interface Fa0/0
• crypto map VPN
• Overlapping NAT - this is a real world scenario where there is overlapping address space at both endpoints. A simple 'ip nat inside source static network x.x.x.x y.y.y.y /zz' at both sides, with routes pointed to the global address at both endpoints.
• You must also configure the ACL for the L2L appropriately as well.
• Spent way too much time troubleshooting this one. I did not apply my access-list on the ASA but both endpoints believed the tunnel to be up but no traffic would pass. I applied the access-list and things began to flow.
• Lan-to-Lan with aggressive mode
• The main advantage of IKE aggressive mode is the identity is present during IKE negotiation, allowing flexible policy lookup.
• When tied in with NAT, we can use the hostname as the identity to avoid using the previously used wildcard key on the outside host
• This is where you use ISAKMP profiles - to define the ISAKMP mode and configure self-identity.
• You must also configure the key as hostname and not IP.
• You have to apply the ISAKMP profile to the crypto map - 'crypto map VPN isakmp-profile AGGRESSIVE'
• On the outside, you would not need the AGGRESSIVE profile - just 'crypto isakmp identity hostname'
• You think you need an 'ip host R1 x.x.x.x' here, but that is not the case. This type of configured tunnel can only be created from inside -> outside.
• Again here, you use the dynamic map. The is very little the outside host knows about the inside.
• Here you will see that from the inside, we are actually authenticated with the outside peer address 'ISAKMP:(1001):SA has been authenticated with 136.1.122.2' 
• 'local crypto endpt.: 136.1.121.1, remote crypto endpt.: 136.1.122.2'
• On the outside, you will see we are authenticated/peered with the ASA outside address ' local crypto endpt.: 136.1.122.2, remote crypto endpt.: 136.1.122.12'
• IOS Lan-to-Lan across ASA w/ Digital Certificates
• I didn't see how this was any different other than allowing traffic for NTP and WWW for certificate enrollment

Ok, next on the plate is DMVPN. The VPN section was pretty straight forward and I did a little better than I thought I would. I've made good progress now - over 1/3 of the way through volume one. 

System Monitoring and advanced inspection

• System Monitoring
• Similar to IOS level commands. The instructions did ask to deny snmp version 1 via a 'snmp-map'. If you look, there is a default global-policy. You just create the snmp-map and then reference it in the global policy.

snmp-map TST

 deny version 1
!

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect netbios 

  inspect rsh 

  inspect rtsp 

  inspect skinny  

  inspect esmtp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect sip  

  inspect xdmcp 

  inspect snmp TST 

• You could also do this without creating a new map with 'snmp deny version 1'
• DHCP Server
• Nothing outside of the normal when compared to IOS, it's just dhcpd commands instead of ip dhcp-server
• Interesting, but I couldn't get to work in my lab. I saw the DHCP Discover come into my ASA interface, but it never went anywhere from there
• HTTP Inspection with MPF
• Similar to IOS MQC but with additional class-maps and policy-maps for granular filtering.
• Very easy to get confused but easy once you see it in action. Create access-list and class-map just like IOS. From there, you can create 'type inspect http' policy-maps. Inside the inspect policy-map, under 'parameters' you can do things like reset on protocol violations and spoof the server header. 
• You can now apply this to a regular policy-map with the 'inspect' keyword. 
• Under the policy map, within the class, you can also 'set' connection options like max connections, max half open, etc.
• Finally, you attach to the interface with 'service-policy'. Only difference from IOS is this is not completed from the interface context, but from the global.
• Advanced FTP Inspection using Regex
• You can define regex with 'regex NAME regex_string'
• You can then reference these with 'class-type regex'. This is namely used to match FTP file names.
• You can create a policy-map type inspect ftp - similar to HTTP above and reference in a parent policy-map. Lots of nesting here

class-map FTP

 match port tcp eq ftp

class-map type inspect ftp match-any DENIED_COMMANDS

 match request-command dele 

 match request-command site 

 match request-command rmd 

class-map type regex match-any DENIED_FILES

 match regex REG_26XX

 match regex REG_28XX

 match regex REG_36XX

policy-map OUTSIDE

 class FTP

  inspect ftp strict FTP_INSPECT 

policy-map type inspect ftp FTP_INSPECT

 parameters

  mask-banner

  mask-syst-reply

 match filename regex class DENIED_FILES

  reset

 class DENIED_COMMANDS

  reset

• Authenticating BGP through Firewall
• TCP Protocol Option 19 is used for BGP authentication. You need to create a custom TCP-Map allowing option 19. You then create a class that matches BGP, reference in the global policy, disable TCP random sequencing (which doesn't work with BGP) and apply your custom TCP Map.
• Validate with 'show connection detail'
• Again, i see this as another simple task, but if you don't pay attention you could lose the points!
• TCP Normalization
• Creating a custom TCP Map - you have several options.
• check-retransmission  
• checksum-verification 
• default               
• exceed-mss                            
• no                    
• queue-limit                               
• reserved-bits                             
• syn-data                                 
• tcp-options           
• ttl-evasion-protection                     
• urgent-flag                               
• window-variation    
• Radius Account Inspection
• Must remember to use the right class types and policy types. I find that if a certain option isn't there for what you are trying to configure, you probably have specified a wrong class-map type or policy-map type - or no type at all.
• ICMP Inspection
• Will enable ICMP across the FW interfaces without an access-list being defined

And with that, I've completed what I call the first section of INE Volume 1. Now it's time to move on to VPN! I feel like I've been moving at a good pace today. I'm also not worried about how far along I've made it through the 800+ page guide. After browsing through the guide, there is easily 100 pages or more dedicated to VPN3k, which is no longer on the version 3 blueprint.

Not sure if anyone out there is reading my blog. In short, I originally created this to keep my own notes and help out other CCIE candidates. I will continue to do this on the security track.  

Topics better suited to physical hardware

Below is a running list of items I come across that are better suited to being practiced on physical hardware as opposed to GNS3/Qemu/Vbox/etc...

• Failover modes - for obvious reasons
• Transparent Firewall - just couldn't get this to work correctly in GNS, and other people have indicated the same
• ASDM related tasks
• WebVPN related tasks (namely SSL VPN)
• QoS - for some reason crashed my firewalls?!?
• NAC
• IPS

Here is also a list of what is pertinent for me to revisit

• ezVPN
• External Group-policy
• Advanced NAT
• Remote Access Certificate Authentication
• WebVPN/SSLVPN
• NAC - http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_implementation_white_paper0900aecd80217e26.pdf
• NAC - http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd80417226.pdf
• NAC - http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd8040bbd8.pdf

And that pretty much completes the list, more than I expected but still a fair amount that can be competed in GNS3. With that, I am off to purchases some Rack Rental tokens from INE.