- You can attach a crypto map to an interface running HSRP; the router then uses the HSRP virtual IP as its IPsec endpoint, so the remote peer keeps pointing at the same address when the standby router takes over
- crypto map VPN redundancy HSRP1
IPSec High Availability with NAT and HSRP
- You can make NAT follow the HSRP active router by attaching the HSRP group name to your NAT statements, so the translation is only active on whichever router currently owns the group
- ip nat inside source static 136.1.134.1 136.1.234.1 redundancy HSRP1
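Both pieces together, as an added IOS example that is not from the page. The addresses, group name, peer and NAT host are assumptions; the standby router gets an identical crypto map, pre-shared key and static NAT line, with a lower HSRP priority. Note that the NATed host sits outside the crypto ACL on purpose: IOS translates inside-to-outside before it checks the crypto map, so a host whose address is rewritten would no longer match the 10.1.1.0/24 entry.

```cisco
! Added example (not from the page): IPsec and static NAT that both fail over with HSRP group "HSRP1"
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Sup3rS3cretKey address 136.1.234.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 136.1.234.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 description inside LAN (VPN source network)
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 description DMZ - host 10.1.2.10 is statically translated and is NOT in VPN-TRAFFIC
 ip address 10.1.2.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside - HSRP group must be named so crypto and NAT can reference it
 ip address 136.1.134.3 255.255.255.0
 ip nat outside
 standby 1 ip 136.1.134.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HSRP1
 standby 1 track FastEthernet0/0
 crypto map VPN redundancy HSRP1
!
! Translation is installed only on the router that is HSRP active for HSRP1
ip nat inside source static 10.1.2.10 136.1.134.200 redundancy HSRP1
!
! Verify: "show crypto map" lists the redundancy group, "show standby brief" shows who is active
```

Without the `stateful` keyword on the `crypto map ... redundancy` line, SA state is not synchronized: after a failover the remote peer has to re-negotiate IKE and IPsec with the virtual IP, so enable DPD on the peer or expect a pause until its SAs time out.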
IPSec Pass-Thru Inspection on ASA
- The ASA can inspect IPsec passing through the firewall: it watches the IKE exchange on UDP/500 and opens pinholes for the ESP (and optionally AH) flows that follow, which carry no ports for a normal ACL or connection entry to match. Flows that use NAT-T (UDP/4500) are plain UDP and do not need this inspection.
- class-map IKE
- match port udp eq 500
- policy-map global_policy
- class IKE
- inspect ipsec-pass-thru
- service-policy global_policy global
- show service-policy global
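The same inspection with a parameter map, added here as an example that is not from the page. It caps how many ESP and AH flows a single IKE client may open through the firewall and how long an idle pinhole lives, which is the control you want when you do not fully trust the inside hosts; the map and class names are assumptions.

```cisco
! Added example (not from the page): ipsec-pass-thru with per-client limits
policy-map type inspect ipsec-pass-thru IPSEC-PT
 parameters
  ! at most 10 ESP flows per client, torn down after 11 minutes idle
  esp per-client-max 10 timeout 0:11:00
  ! AH is not pinholed unless you enable it here
  ah per-client-max 10 timeout 0:11:00
!
class-map IKE
 match port udp eq isakmp
!
! global_policy already exists on the ASA; the class is added to it
policy-map global_policy
 class IKE
  inspect ipsec-pass-thru IPSEC-PT
!
service-policy global_policy global
```

`show service-policy global` then shows the IKE class with its inspect counters; if the ESP flow is blocked while IKE completes, check that the IKE session was seen on UDP/500 and not on UDP/4500.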
L2TP over IPSec between ASA and Windows
- Create a standard isakmp policy
- Create a wildcard isakmp key
- Create a transform set, mode transport
- Create dynamic crypto-map that matches udp port 1701 (l2tp) and sets transform set
- Create crypto map, assign dynamic map and attach to interface
- Create local pool
- Create username/password with mschap keyword
- Create group-policy
- Specify ipsec and l2tp-ipsec as protocols
- Set the default-domain
- dns-server
- Modify built-in tunnel-group DefaultRAGroup general-attributes
- Assign local address from pool
- Use LOCAL as the authentication server group (the default)
- apply group-policy L2TP
- Modify built-in tunnel-group DefaultRAGroup ppp-attributes
- Use ms-chap v2 as authentication protocol
- Modify built-in tunnel-group DefaultRAGroup ipsec-attributes
- Specify pre-shared-key
- Not too different from setting up other VPNs, apart from the use of the built-in DefaultRAGroup tunnel-group (the Windows client cannot name a group, so it always lands there). There are a lot of things to configure, so it is easy to forget an attribute.
ISAKMP Profiles
- Let one router terminate multiple VPNs with different keys and settings by matching the peer's IKE identity (address, FQDN, or group) instead of relying on a single global key
- Match identities in the profile, then reference the profile from separate crypto map entries (10, 20, and so on) with set isakmp-profile
- I will be reading more about ISAKMP identities
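An IOS example of the idea, added here and not from the page: one router terminates two site-to-site tunnels, each with its own pre-shared key in its own keyring, selected by the peer's IKE identity. Addresses, names and keys are assumptions.

```cisco
! Added example (not from the page): per-peer keys via ISAKMP profiles
crypto keyring KR-SITE-A
 pre-shared-key address 192.0.2.10 key KeyForSiteA
crypto keyring KR-SITE-B
 pre-shared-key address 198.51.100.20 key KeyForSiteB
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! each profile binds an identity match to its own keyring
crypto isakmp profile PROF-SITE-A
 keyring KR-SITE-A
 match identity address 192.0.2.10 255.255.255.255
crypto isakmp profile PROF-SITE-B
 keyring KR-SITE-B
 match identity address 198.51.100.20 255.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended TO-SITE-A
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip access-list extended TO-SITE-B
 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
! one crypto map, one entry per peer, each tied to its profile
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 set isakmp-profile PROF-SITE-A
 match address TO-SITE-A
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS
 set isakmp-profile PROF-SITE-B
 match address TO-SITE-B
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
```

`show crypto isakmp profile` lists the profiles and their identity matches, and `show crypto isakmp sa detail` shows which profile an established SA was bound to. Keep the keys in the keyrings only: a global `crypto isakmp key` for the same peer competes with the keyring lookup and IOS will warn about it.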
Access-List Refresher
- 33434-33464 is the UDP range commonly quoted for UNIX/IOS traceroute; the default destination port starts at 33434 and increments by one per probe, so a full run of 30 hops with 3 probes each reaches 33523. Size the range for the hop and probe counts you actually allow
- ICMP PMTU discovery requires ICMP type 3 code 4 (fragmentation needed and DF set) to reach the sender; IOS calls this keyword packet-too-big, which is also the name of the ICMPv6 equivalent (type 2)
- UDP traceroute relies on ICMP time-exceeded (type 11) from each hop and port-unreachable (type 3 code 3) from the destination; Windows tracert sends ICMP echo probes instead, so it needs time-exceeded plus echo-reply
- Don't forget unspecified but necessary traffic - like routing protocols!
- I've always found it easy to draw my access-lists on paper. Draw a line down the middle, left is IN, right of the line is OUT. Now draw arrows for the direction you need to allow/block. Draw it all out and then look at your drawing - is your return traffic going to make it back?
- Some IOS versions will not policy route multicast traffic. This is just a side note, but I needed to reflect RIP to allow routing updates on an interface and had to policy-route so they would be caught by the access-list.
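The refresher's points in one inbound ACL on an outside interface, added here as an IOS example that is not from the page. Networks, the OSPF neighbor address and the interface are assumptions; the idea is that every outbound thing the inside initiates (traceroute, large packets with DF set, TCP sessions) has its return traffic explicitly allowed, and the routing protocol that has nothing to do with user traffic is not forgotten.

```cisco
! Added example (not from the page): inbound ACL that lets the listed return traffic back in
ip access-list extended OUTSIDE-IN
 remark --- replies to our own UDP traceroute: per-hop TTL expiry and the final port-unreachable
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 port-unreachable
 remark --- replies to Windows tracert and plain ping
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 remark --- path MTU discovery: type 3 code 4 (IOS keyword packet-too-big) must reach the sender
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark --- let outsiders traceroute to us: UDP probes land on closed high ports (30 hops x 3 probes)
 permit udp any 192.0.2.0 0.0.0.255 range 33434 33523
 remark --- routing protocol peering on this interface (OSPF hellos go to 224.0.0.5/6 and unicast)
 permit ospf host 198.51.100.1 any
 remark --- return half of TCP sessions opened from inside
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny ip any any log
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.0
 ip access-group OUTSIDE-IN in
```

`established` only checks that ACK or RST is set, so a scanner can send ACK packets straight through it; where the platform supports it, a reflexive ACL or CBAC/zone-based inspection is the stronger way to let return traffic back in. The trailing `deny ip any any log` is what makes the paper drawing verifiable: whatever you forgot shows up in the log.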
I have about 140 pages left, which I should complete by next Wednesday, which gives me a solid two months to finish up my studying. Hopefully I will have my full labs soon. I ordered them through my employer, which takes forever. Once I've finished up with my home study, I will grab some rack time to finish up the things I could not do at home. I will then circle back through volume 1 and touch anything that I need more practice on.
Wish me luck!