Post on 08-Apr-2023
Piotr Matusiak CCIE #19860
R&S, Security
C|EH, CCSI #33705
Narbik Kocharians CCIE #12410
R&S, Security, SP
CCSI #30832
Micronics Training Inc. © 2013
CCIE Security V4 Lab Workbook
Vol. 1
CCIE SECURITY v4 Lab Workbook
Page 2 of 1033
Table of Contents
ASA Firewall
LAB 1.1. BASIC ASA CONFIGURATION ... 8
LAB 1.2. BASIC SECURITY POLICY ... 17
LAB 1.3. DYNAMIC ROUTING PROTOCOLS ... 29
LAB 1.4. ASA MANAGEMENT ... 46
LAB 1.5. STATIC NAT (8.2) ... 59
LAB 1.6. DYNAMIC NAT (8.2) ... 67
LAB 1.7. NAT EXEMPTION (8.2) ... 77
LAB 1.8. STATIC POLICY NAT (8.2) ... 81
LAB 1.9. DYNAMIC POLICY NAT (8.2) ... 91
LAB 1.10. STATIC NAT (8.3+) ... 99
LAB 1.11. DYNAMIC NAT (8.3+) ... 115
LAB 1.12. BIDIRECTIONAL NAT (8.3+) ... 126
LAB 1.13. MODULAR POLICY FRAMEWORK (MPF) ... 131
LAB 1.14. FTP ADVANCED INSPECTION ... 138
LAB 1.15. HTTP ADVANCED INSPECTION ... 146
LAB 1.16. INSTANT MESSAGING ADVANCED INSPECTION ... 156
LAB 1.17. ESMTP ADVANCED INSPECTION ... 159
LAB 1.18. DNS ADVANCED INSPECTION ... 164
LAB 1.19. ICMP ADVANCED INSPECTION ... 169
LAB 1.20. CONFIGURING VIRTUAL FIREWALLS ... 175
LAB 1.21. ACTIVE/STANDBY FAILOVER ... 198
LAB 1.22. ACTIVE/ACTIVE FAILOVER ... 212
LAB 1.23. REDUNDANT INTERFACES ... 239
LAB 1.24. TRANSPARENT FIREWALL ... 246
LAB 1.25. THREAT DETECTION ... 260
LAB 1.26. CONTROLLING ICMP AND FRAGMENTED TRAFFIC ... 264
LAB 1.27. TIME BASED ACCESS CONTROL ... 270
LAB 1.28. QOS - PRIORITY QUEUING ... 276
LAB 1.29. QOS - TRAFFIC POLICING ... 280
LAB 1.30. QOS - TRAFFIC SHAPING ... 285
LAB 1.31. QOS - TRAFFIC SHAPING WITH PRIORITIZATION ... 290
LAB 1.32. SLA ROUTE TRACKING ... 296
LAB 1.33. ASA IP SERVICES (DHCP) ... 303
LAB 1.34. URL FILTERING AND APPLETS BLOCKING ... 310
LAB 1.35. TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS ... 314
Site-to-Site VPN
LAB 1.36. BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) ... 327
LAB 1.37. BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) ... 353
LAB 1.38. BASIC SITE TO SITE VPN WITH NAT (IOS-IOS) ... 370
LAB 1.39. IOS CERTIFICATE AUTHORITY ... 386
LAB 1.40. SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) ... 397
LAB 1.41. SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS) ... 411
LAB 1.42. SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) ... 421
LAB 1.43. SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) ... 441
LAB 1.44. SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) ... 462
LAB 1.45. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS) ... 476
LAB 1.46. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) ... 485
LAB 1.47. SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS) ... 533
LAB 1.48. GRE OVER IPSEC ... 551
LAB 1.49. DMVPN PHASE 1 ... 568
LAB 1.50. DMVPN PHASE 2 (WITH EIGRP) ... 585
LAB 1.51. DMVPN PHASE 2 (WITH OSPF) ... 604
LAB 1.52. DMVPN PHASE 3 (WITH EIGRP) ... 624
LAB 1.53. DMVPN PHASE 3 (WITH OSPF) ... 644
LAB 1.54. DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) ... 668
LAB 1.55. DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) ... 698
LAB 1.56. GET VPN (PSK) ... 739
LAB 1.57. GET VPN (PKI) ... 761
LAB 1.58. GET VPN COOP (PKI) ... 780
Remote Access VPN
LAB 1.59. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO IOS) ... 814
LAB 1.60. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA) ... 824
LAB 1.61. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK) ... 833
LAB 1.62. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) ... 843
LAB 1.63. CONFIGURING SSL VPN (IOS) ... 867
LAB 1.64. CONFIGURING SSL VPN (ASA) ... 884
LAB 1.65. ANYCONNECT 3.0 BASIC SETUP ... 897
LAB 1.66. ANYCONNECT 3.0 ADVANCED FEATURES ... 914
LAB 1.67. EASYVPN SERVER ON ASA WITH LDAP AUTHENTICATION ... 924
Advanced VPN Features
LAB 1.68. IPSEC STATEFUL FAILOVER ... 957
LAB 1.69. IPSEC STATIC VTI ... 970
LAB 1.70. IKE ENCRYPTED KEYS ... 979
LAB 1.71. IPSEC DYNAMIC VTI ... 984
LAB 1.72. REVERSE ROUTE INJECTION (RRI) ... 994
LAB 1.73. CALL ADMISSION CONTROL FOR IKE ... 1011
LAB 1.74. IPSEC LOAD BALANCING (ASA CLUSTER) ... 1019
Advanced CCIE SECURITY v4 LAB WORKBOOK
ASA Firewall
Narbik Kocharians
CCIE #12410 (R&S, Security, SP)
CCSI #30832
Piotr Matusiak
CCIE #19860 (R&S, Security)
C|EH, CCSI #33705
www.MicronicsTraining.com
Lab 1.1. Basic ASA configuration
Lab Setup
R1’s F0/0 and ASA1’s E0/1 interface should be configured in VLAN 101
R2’s G0/0 and ASA1’s E0/0 interface should be configured in VLAN 102
R4’s F0/0 and ASA1’s E0/2 interface should be configured in VLAN 104
Configure Telnet on all routers using password “cisco”
IP Addressing
Device   Interface   IP address
R1       Lo0         1.1.1.1/24
R1       F0/0        10.1.101.1/24
R2       Lo0         2.2.2.2/24
R2       G0/0        10.1.102.2/24
R4       Lo0         4.4.4.4/24
R4       F0/0        10.1.104.4/24
ASA1     E0/0        10.1.102.10/24
Task 1
Configure the ASA with the following settings:
Hostname: ASA-FW
Interface E0/0: name OUT, IP address 10.1.102.10/24, security level 0
Interface E0/1: name IN, IP address 10.1.101.10/24, security level 80
On the ASA, configure a default route pointing to R2 and static routes for the rest of the networks. On routers R1 and R2, configure default routes pointing to the ASA.
Basic ASA configuration requires configuring each port with an IP address, an interface name and a security level. By default the security level is assigned automatically when you name the interface: the ASA uses security level 100 for an interface named “inside” and security level 0 for any other interface name (including “outside”). If you need a different security level, set it explicitly with the “security-level <level>” command.
What is the security level for? The security level determines which connections are considered Inbound and which are considered Outbound.
An Outbound connection is a connection originated from the networks behind a higher security level interface towards the networks behind a lower security level interface.
An Inbound connection is a connection originated from the networks behind a lower security level interface towards the networks behind a higher security level interface.
Outbound connections are tracked by the ASA's stateful inspection, so the returning traffic is permitted without any access list. Inbound connections are considered unsecure by default and are denied unless an access list explicitly allows the connection.
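The following is an added example of a configuration that meets Task 1 and shows the security-level rule above in practice; it is not the workbook's own solution. It assumes the ASA ports are Ethernet0/0 and Ethernet0/1 as named in Task 1, the addressing from the IP Addressing table, and the vty lines and packet-tracer checks are assumptions added for verification.

```text
! ASA1 (Task 1); added example, not the workbook's solution
hostname ASA-FW
!
! "OUT" is not "inside", so the ASA would auto-assign level 0 anyway;
! it is stated explicitly here so the intent is visible in the config
interface Ethernet0/0
 nameif OUT
 security-level 0
 ip address 10.1.102.10 255.255.255.0
 no shutdown
!
! "IN" is not "inside" either, so the default would also be 0:
! level 80 must be set explicitly or the interface stays untrusted
interface Ethernet0/1
 nameif IN
 security-level 80
 ip address 10.1.101.10 255.255.255.0
 no shutdown
!
! Default route towards R2 via OUT; static route for R1's loopback
! network (1.1.1.0/24, from the IP Addressing table) via IN
route OUT 0.0.0.0 0.0.0.0 10.1.102.2
route IN 1.1.1.0 255.255.255.0 10.1.101.1
!
! R1: default route towards the ASA, Telnet with password "cisco" (Lab Setup)
ip route 0.0.0.0 0.0.0.0 10.1.101.10
line vty 0 4
 password cisco
 login
!
! R2: default route towards the ASA, Telnet with password "cisco" (Lab Setup)
ip route 0.0.0.0 0.0.0.0 10.1.102.10
line vty 0 4
 password cisco
 login
!
! Verification on the ASA (assumed checks):
!  show nameif   -> Ethernet0/0 OUT security 0, Ethernet0/1 IN security 80
!  show route    -> S* 0.0.0.0 0.0.0.0 via 10.1.102.2, OUT
!                   S  1.1.1.0 255.255.255.0 via 10.1.101.1, IN
!  Outbound (80 -> 0): allowed by stateful inspection, no ACL needed
!  packet-tracer input IN tcp 10.1.101.1 1025 10.1.102.2 23    -> Action: allow
!  Inbound (0 -> 80): denied until an ACL permitting it is applied on OUT
!  packet-tracer input OUT tcp 10.1.102.2 1025 10.1.101.1 23   -> Action: drop (acl-drop)
```

A Telnet from R1 to R2 therefore succeeds as soon as the routes are in place, while the same session initiated from R2 towards R1 is dropped until Lab 1.2's security policy adds the inbound access list.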