Thursday, November 1, 2012

INE Vol 2 Lab 3

Difficulty 8

  • Lots of tasks here. Many dependent tasks. You must configure the in-line VLAN pair on the IPS before you can even reach one leg of the network
  • Lots of routing protocols to watch out for. OSPF, RIP, EIGRP and BGP
  • Lots of filtering going on here - ZBF, Two ASAs, CBAC.
  • Not a lot of PAT here (nat + global) but there are several static NATs. Must be cautious about whether you are using the pre-NAT or post-NAT address.
  • Good drawings will be absolutely necessary if you get a lab like this
  • Order of operations is important too. You have to read the entire thing and plot out how to do this. A few examples:
    • You need to enable QoS on a L2L in section 1, but the tunnel isn't created until section 3
    • ZBF and other filtering comes later in the task list. Would be useful to set these up first, so you can allow specific traffic in other tasks. There is a lot of reliance on the ACS server - logging, Websense, CA, etc. So this could get tricky.
    • You have to enable ICMP to pass through all zones in a ZBF. The next task stated you had to enable logging as well. If you can read ahead and accomplish this in one step, you can save yourself a few minutes.

Websense Filter

  • After configuring the Websense filter, you need to enable HTTP inspection and attach it to the interface (ip inspect name HTTP_INSPECT http).
  • 'show ip urlfilter config' shows you the port used for the web filter
VPN Client
  • Got rather easily tripped up here. My authentication to RADIUS was not passing. I was able to troubleshoot correctly, but not fix the issue. I saw packets were matching the ACS access list on my ZBF, but they were not matching the policy-map. 'show ip port-map' showed 1645/1646 instead of 1812/1813. Changing this on the ASA aaa-server group fixed the issue.
  • You need 'crypto isakmp identity hostname' to authenticate with certificates
  • As such, the tunnel-group name should be the FQDN of the remote side
  • 'ip nhrp shortcut' and 'ip nhrp redirect' enable spoke nodes to discover the NBMA address of another spoke without querying the hub
  • Be careful of MTU sizes.
Cut-Through Authentication


Cut-through authentication was previously configured with the aaa authentication include command. Now, the aaa authentication match command is used. Traffic that requires authentication is permitted in an access list that is referenced by the aaa authentication match command, which causes the host to be authenticated before the specified traffic is allowed through the ASA.
Here is a configuration example for web traffic authentication:
username cisco password cisco privilege 15

access-list authmatch permit tcp any any eq 80

aaa authentication match authmatch inside LOCAL


  • I recall this from R&S studies, need to refresh. You need to be in root view before you configure another view.
Password Encryption
  • You can decrypt a '7' key by copying the key string into a key chain and issuing a 'show key chain'. Neat
  • By default 'service password-encryption' does not encrypt all ISAKMP keys. You enable this with 'password encryption aes' and by setting an encryption key with 'key config-key password-encrypt KEYSTRING'
Traffic Filtering
  • RFC 2827 is for anti-spoofing. Do not allow your own network address space in, allow only your address space out.
  • Never surprised by creative requests...for example, disable IP unreachables to RFC1918 address space. Match on an access list, match in the route map, set interface to Null 0 and policy route the local traffic.
DOS Prevention
  • FPM - also remember this from R&S studies. Best bet is to string together a configuration from the configuration guide -
    • Load FPM Protocol definitions
      • load protocol system:/fpm/phdf/ip.phdf
      • load protocol system:/fpm/phdf/tcp.phdf
    • Match Traffic
      • class-map type access-control match-any TELNET
        • match field TCP dest-port eq 23
        • match field TCP source-port eq 23
    • Match TCP over IP
      • class-map type stack match-all TCP_TRAFFIC
        • match field IP protocol eq 0x6 next TCP
    • Drop matched traffic
      • policy-map type access-control BLOCK_TELNET
        • class TELNET
          • drop
      • policy-map type access-control INTERFACE_POLICY
        • class TCP_TRAFFIC
          • service-policy BLOCK_TELNET
      • interface serial1/0
        • service-policy type access-control output INTERFACE_POLICY
TCP Normalization
  • On an ASA, can be handled with TCP MAP
    • TCP Echo and Echo Reply are options 6 and 7
    • syn-data drop will make sure no data payload is carried in connection-establishment segments
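
The TCP map notes above, wired into the ASA Modular Policy Framework so they take effect. This is an added example, not taken from the lab or its solution guide; the names TCP_NORM, NORM_CLASS and OUTSIDE_POLICY and the interface name outside are assumptions.

```cisco
! Added example. TCP_NORM, NORM_CLASS, OUTSIDE_POLICY and the
! interface name "outside" are assumed names, not from the lab.
!
! 1. Define the normalization actions.
tcp-map TCP_NORM
 ! Strip TCP options 6 (Echo) and 7 (Echo Reply) from segments;
 ! "drop" instead of "clear" would discard the whole packet.
 tcp-options range 6 7 clear
 ! Discard SYN segments that carry a data payload.
 syn-data drop
!
! 2. Select the traffic to normalize (here: everything).
class-map NORM_CLASS
 match any
!
! 3. Attach the TCP map to the class inside a policy map.
policy-map OUTSIDE_POLICY
 class NORM_CLASS
  set connection advanced-options TCP_NORM
!
! 4. Apply the policy to the interface. A tcp-map has no effect
!    until a service-policy references it this way.
service-policy OUTSIDE_POLICY interface outside
```

'show service-policy interface outside' confirms the policy is attached to the interface.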
Despite my lack of notes above, this lab kicked my ass. I have doubts that I am really ready for this lab. In any event, I will continue to study and take in as much as I can. Two weeks from now, I'll be walking out of the lab in RTP. I can only study hard and hope for the best....
