Remember to read the entire task list. Mark items that could collide with other configuration directives (allowing routing protocols on access-list, etc). Make sure you validate your commands, don't take them for face value.
- When configuring failover, you can exclude interfaces from being monitored with the 'no monitor-interface inside' command
- You must also enable HSRP-like standby IPs for each interface
- There is a default global_policy policy-map
- Enable TCP Options with a TCP MAP. Apply under class in policy-map with 'set connection advanced-options MAPNAME'
- There is a default inspection_default class-map
- UNIX Traceroute uses UDP 33434 33464 range. I've seen other docs state 33434 - 33564. In short, each 'hop' increments the port, and most system by default have a max hops of 30. So I believe the correct answer to be 33434 - 33464. INE states that for every hop, three probes are sent with a TTL=1 to incrementing port numbers. With a max of 30 hops, this bring the range up to 33434 to 33524. I'm not totally sure which is correct. Also remember, the inbound response is ICMP TTL Exceeded or ICMP Unreachable.
- Task asked to map inside address to outside address. I did a nat (inside) 2 inside_host_address global (outside) 2 global_host_address which accomplishes the task. The better solution is static (inside,outside) global_address inside_address
- Enabling 'inspect icmp error' under the global policy provides NAT translation for the traceroute responses.
- Remember to pay attention to what is specifically required. To police ICMP on the outside interface only, you need to create an interface policy-map and apply it. Changing the global_policy affects all interfaces.
- I need to make sure I name my access-list/class-map/policy-map/etc correctly as they could be used later. INE names class-map ICMP_Traffic and the policy-map OUTSIDE_Traffic. This will help identify these later for other tasks or troubleshooting.
- It's easy to overthink some of the tasks. One task asked to allow trace route from inside to outside with only one access-list statement. I was trying to think of creative ways to do this - in actuality, you could just use an object-group. Per INE - this is a common requirement 'use X number of lines, or use minimum number of lines'
- Still having issues with the alias command. Need to remember it's a DST NAT and a dns rewrite.
- alias (interface) orig_address nat_address
- With IOS ZBF, there are multiple ways to accomplish some tasks - usually hinging on if you need deep packet inspection or not. I'm getting better with this, but still need some more practice.
- By default, routing traffic is not affected by ZBF as default traffic to self zone is permitted.
- Overlapping address space can be tricky. Need to determine the correct place to apply the NAT, especially when the overlapping address spaces are a few hops apart.
- Creating an IOS PKI - not something that was covered in Vol 1
- Set issuer name cn=NAME,ou=DEPT
- grant auto
- no shutdown
- That's it.
- Remember for certificates you need a domain name, a key and a synced time source
- You can change the ISAKMP source address with 'crypto map VPN local-interface lo0'
- Logic steps to configuring ezVPN server
- Enable AAA and define AAA lists, protect from console lockouts
- Define ISAKMP authentication settings and global ISAKMP parameters
- Create address-pool
- Configure client group and split-tunnel access-list. Define group key, associate address pool and bind split-tunnel ACL. Define other required settings.
- Create ISAKMP profile that binds together the following:
- Calling client identity - normall group name
- Configuration group for clients matching this profile
- Authentication and authorization groups for ezVPN
- Virtual-Template interface numbers
- Enables responding to ISAKMP 1.5 transaction mode address requests for this group.
- Create IPsec profile. Define transform set prior to this. Profile may need to define RRI settings if used.
- Create virtual-template type tunnel and assign IPSec protection profile. Must define IP on VTI to work correctly.
- Lastly, configure routing process for redistribution of RRI information. Use route-map.
- INE makes it a point - this should be remembered verbatim and you should not require a manual to complete this. I can already do this with LAN-to-LAN tunnels. I will be typing this scenario up in notepad a few times to validate I can do this.
- ASA - Tunnel-group filter filters traffic inside the IPsec tunnel. Applied via group-policy.
- ASA - must remember to create the tunnel-group. Shouldn't have missed this as it is the only way to define the PSK.
- ASA - dont forget to exempt the VPN traffic from any NAT rules.
- ASA - to apply QoS, you need to match the tunnel-group and apply to the interface. You also need to match 'flow ip destination-address' in the class-map. You must also enable priority-queue on the interface globally.
- ASA - policing is the only working per-flow QoS command
- ASA - Virtual http provides transparent redirection back to the URL entered by the end-user, and HTTP server capability for authentication
- ASA - cut-through proxy authentication. You must configure an authentication service, then create an access-list matching the traffic to authenticate as well as traffic going to the virtualIP, next configure the cut-through proxy rule. 'aaa authentication match ACL inside TACACS'
- You can assign privilege levels through TACACS. You must enable it for group or for user under interface configuration. Don't forget to enabled shell exec and then set privilege level on TACACS. This task created the privilege level commands on the router.
- Separation of authentication and authorization is only possible using tacacs.
- 802.1x requires authorization as well as authentication. Watch out for CONSOLE authentication/authorization.
- Make sure to create your guest vlans
- To assign a vlan via dot1x, set the following under group settings
- Tunnel-Type="VLAN"
- Tunnel-Medium-Type="802"
- Tunnel-Private-Group-ID="255"
- For sending logging reports to e-mail, there is a generic 'smtp-server x.x.x.x' command under global configuration and not under 'logging'.
- For QOS priority on a tunnel in IOS, you need to use nested policy-maps.
- class-map VPN_TRAFFIC
- match access-group name TUNNEL_TRAFFIC
- policy-map INTERFACE_POLICY
- class VPN_TRAFFIC
- shape average 2000000
- bandwidth 2000000
- service-policy TUNNEL_POLICY
- policy-map TUNNEL_POLICY
- class VOICE_TRAFFIC
- priority 128
- Shape limits the maximum speed, bandwidth provides the minimum bandwidth reservation
- Remote Triggered Blackholes
- really cool concept. I won't talk about it, only link to a PDF from Cisco
- http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
And after entirely way too long, I have finally finished lab 1. I'm not totally worried as I remember feeling the same way after my first R&S lab. I'm off now to watch some INE videos, and then start on Lab 2 hopefully next week.
No comments:
Post a Comment