Friday, November 16, 2012

Looking up and ahead

Well, I got my results late last night and unfortunately I failed. There was two VPN related questions, a total of 11 points that would have put me over the edge and resulted in a pass. I'm kind of bummed knowing full well I could have passed that exam. To come all this way and get that close just stinks.

I'm not complaining. I learned a lot about security technologies and security devices such as ASA. For now, I am going to relax and enjoy some much needed time off. Maybe if I feel up to it, I will focus on the next version of the exam. Then again, maybe not.

Thanks to everyone for your support.

Wednesday, November 14, 2012

CCIE Security Final Push...

Well, I have completed my studying. My lab is tomorrow morning at 7am.  Unfortunately, I was unable to complete Volume 2, which is unfortunate. Every new lab was teaching me something new and/or a new way to complete a task.

I don't feel anywhere near as comfortable as I did with my last attempt at my R&S. Honestly, I feel I could use at least another 6-8 weeks just to complete Vol 2, complete Vol 1 again, and then pick and choose tasks from Vol 2 to complete. 

I don't think all of this is a total loss. If I get the right lab, I feel I have a decent chance to pass. I'm not relying on getting a lab that is more applicable to my skills, I'm just stating the facts. If I had started my studying earlier, or had more time to complete, I would be more comfortable. 

In all honesty, I think this is a one time shot at the Security CCIE. The lab exam is changing (starting next week) and it's that lovely time of year (holidays). In addition, I have had to take some time off of work just to get as much studying in as I could. I won't be able to take a lot of time off of work in the next few months. 

It will be kind of fun going in there tomorrow without so much stress and worrying about passing. I would love to pass, but it's not going to make or break me like the R&S lab did. No matter what, this has not been a total loss. I've learned so much about security and security products like the ASA and the IPS appliances. 

I will be sure to post my thoughts following tomorrows lab. Wish me luck!

Friday, November 9, 2012

INE Vol 2 Lab 5

IOS Firewall
  • 'ip options drop' can be configured from global config mode to drop all IP options
  • Enable webvpn
    • webvpn
      • port 443
      • enable outside
      • tunnel-group-list enable
      • svc image flash:/anyconnect.img
      • svc enable
  • Set the tunnel-protocol to svc under group policy
  • Enable webvpn for the tunnel group
    • tunnel-group SSLVPN webvpn-attributes
      • group-alias SSLVPN enable
      • authentication aaa
  • If necessary, create local user and attach to group
    • username SSLUSER attributes
      • group-lock value SSLVPN
  • Set encryption
    • ssl encryption rc4-md5
  • Lastly, enable NAT exemption if required
  • Interesting point, I created my tunnel interfaces first, then I was going to protect them with IPSec, but my CA enrollment kept failing. If I shutdown the tunnel interfaces, and then enroll, it works just fine. Could be a code thing, I'm not sure.
  • Remember timers are negotiated - so if you already have a isakmp policy, you will not need to create another just for different timers.
  • Set configure level privilege commands with 'privilege configure all level 7 snmp-server'
  • aaa authorization config-commands
    • Required to autorize config mode, even if you set 'aaa authorization commands 7 default start-stop group tacacs'
Process Monitoring
  • You can alert on processor and memory usage
    • memory free low-watermark processor 5000
    • process cpu threshold type total rising 75 interval 60 falling 30 interval 60
    • snmp-server enable traps cpu
    • snmp-server enable traps memory
    • logging host transport tcp
Login Security
  • login quiet-mode access-class 1
    • This exempts the hosts in ACL 1 from the login parameters
  • login parameters are only supported with local password auth or aaa
Source Tracking
  • ip source-track [address] - enables source tracking for the specified host
  • show ip source-track [address] - show results
  • specify the IPS signature location
    • ip ips config location flash:ips
  • Enable IOS basic set of signatures
    • ip ips signature-category
      • category ios_ips basic
        • retired false
      • category all
        • retired true
  • Disable a specific signature
    • ip ips signature-definition
      • signature 3106 0
        • status
          • retired true
  • Tune Signature
    • ip ips signature-definition
      • signature 2000 0
        • alert-severity high
  • Enable SDEE event report
    • ip ips notify SDEE
  • Set TVR
    • ip ips event-action-rules
      • target-value high target-address
  • Enable IPS
    • ip ips name IPS list IPS
    • int s1/0
      • ip ips IPS in
  • Show ips configuration
    • show ip ips configuration

Thursday, November 1, 2012

INE Vol 2 Lab 3

Difficulty 8

  • Lots of tasks here. Many dependent tasks. You must configure the in-line VLAN pair on the IPS before you can even reach one leg of the network
  • Lots of routing protocols to watch out for. OSPF, RIP, EIGRP and BGP
  • Lots of filtering going on here - ZBF, Two ASAs, CBAC.
  • Not a lot of PAT here (nat + global) but there is several static NATs. Must be cautious if you are using the pre-NAT or post-NAT address. 
  • Good drawings will be absolutely necessary if you get a lab like this
  • Order of operations are important too. You have to read the entire thing and plot out how to do this. A few examples -
    • You need to enable QoS on a L2L in section 1, but the tunnel isn't created until section 3
    • ZBF and other filtering comes later in the task list. Would be useful to set these up first, so you can allow specific traffic in other tasks. There is a lot of reliance on the ACS server - logging, websense, CA, etc. So this could get tricky.k
    • You have to enable ICMP to pass through all zones in a ZBF. The next task stated you had to enable logging as well. If you can read ahead and accomplish this in one step, you can save yourself a few minutes.

Websense Filter

  • After configuring the web sense filter, you need to enable HTTP inspection and attach to the interface (ip inspect name HTTP_INSPECT http).
  • 'show ip urlfilter config' shows you the port used for the web filter
VPN Client
  • Got rather easily tripped up here. My authentication to RADIUS were not passing. I was able to troubleshoot correctly, but not fix the issue. I saw packets were matching the ACS access list on my ZBF, but they were not matching the policy-map. Show ip port-map showed 1645/1646 instead of 1812/1813. Changing this on the ASA aaa-server group fixed the issue.
  • You need 'crypto isakmp identity hostname' to authenticate with certificates
  • As such, the tunnel-group name should be the FQDN of the remote side
  • 'ip nhrp shortcut' and 'ip nhrp redirect' enable spoke nodes to discover NBMA address of another spoke without querying the hub
  • Be careful of MTU sizes..
Cut-Through Authentication


Cut-through authentication was previously configured with the aaa authentication include command. Now, the aaa authentication matchcommand is used. Traffic that requires authentication is permitted in an access list that is referenced by the aaa authentication match command, which causes the host to be authenticated before the specified traffic is allowed through the ASA.
Here is a configuration example for web traffic authentication:
username cisco password cisco privilege 15

access-list authmatch permit tcp any any eq 80

aaa authentication match authmatch inside LOCAL


  • I recall this from R&S studies, need to refresh. You need to be in root view before you configure another view.
Password Encryption
  • You can decrypt a '7' key by copying the key string into a key chain and issuing a 'show key chain'. Neat
  • By default 'service password-encryption' does not encrypt all ISAKMP keys. You enable with 'password encryption aes' and setting an encryption key with 'key config-key password-encrypt KEYSTRING'
Traffic Filtering
  • RFC 2827 is for anti-spoofing. Do not allow your own network address space in, allow only your address space out.
  • Never surprised by creative requests...for example, disable IP unreachables to RFC1918 address space. Match on an access list, match in the route map, set interface to Null 0 and policy route the local traffic.
DOS Prevention
  • FPM - also remember this from R&S studies. Best bet is to string together a configuration form the configuration guide -
    • Load FPM Protocol definitions
      • load protocol system:/fpm/phdf/ip.phdf
      • load protocol system:/fpm/phdf/tcp.phdf
    • Match Traffic
      • class-map type access-control match-any TELNET
        • match field TCP dest-port eq 23
        • match field TCP source-port eq 23
    • Match TCP over IP
      • class-map type stack match-all TCP_TRAFFIC
        • match field IP protocol eq 0x6 next TCP
    • Drop matched traffic
      • policy-map type access-control BLOCK_TELNET
        • class TELNET
          • drop
      • policy-map type access-control INTERFACE_POLICY
        • class TCP_TRAFFIC
          • service-policy BLOCK_TELNET
      • interface serial1/0
        • service-policy type access-control output INTERFACE_POLICY
TCP Normalization
  • On an ASA, can be handled with TCP MAP
    • TCP Echo and Echo Reply are option 6 and 7
    • syn-data drop will make sure no data payload is carried in connection-establishment segments
Despite my lack of notes above, this lab kicked my ass. I have doubts that I am really ready for this lab. In any event, I will continue to study and take in as much as I can. Two weeks from now, I'll be walking out of the lab in RTP. I can only study hard and hope for the best....