Info

Apply the crypto map statement on the Dialer1 and Tunnel interfaces on R4, and on Serial1/0, the Tunnel interfaces, and FastEthernet0/0 on R6. See Example 2-9. To configure IPSec redundancy over ISDN using Dialer Watch, read carefully the Verify section in the following URL on Cisco.com, which explains how this works.
Example 2-9. IPSec Redundancy: Snip from R4 and R6
< Before shutting down all interfaces on R6, the watched route is learnt via the Serial link>
Routing entry for 16.0.0.0/8, 2 known subnets...

About the Author

Fahim Hussain Yusuf Bhaiji, CCIE No. 9305, has been with Cisco Systems, Inc. for over three years and is currently a CCIE proctor in Cisco Systems' Sydney, Australia Lab. He has recently been charged with the management of content development for the CCIE Security. Prior to this, he was Technical Lead for the Sydney TAC Security and VPN team. Yusuf's passion for security- and VPN-related technologies has played a dominant role in his 12 years of industry experience, from as far back as his...

About the Technical Reviewers

Gert De Laet, CCIE No. 2657, has both CCIE Security and Routing and Switching certifications. He has more than nine years of experience in internetworking. Gert currently works for the CCIE team at Cisco in Brussels, Belgium, as CCIE Proctor Content Engineer and Program Manager for EMEA. He also holds an Engineering degree in Electronics.

Gert Schauwers, CCIE No. 6924, has CCIE certifications in Security, Routing and Switching, and Communications and Services. He has more than four years of...

The Need for Security Certification

Security is one of the fastest-growing areas in the industry. Information security is on the top of the agenda for all organizations. Companies have a need to keep information secure, and there is an ever-growing demand for IT professionals who know how to do this. Cisco Systems delivers this by offering CCIE Security certification, setting a professional benchmark in internetworking expertise. This essential need for security in IT is undeniable. International Data Corporation predicted that...

Practice

All labs in this book are multi-protocol, multi-technology, testing you in areas such as Routing, Switching, Security, and VPN, as outlined in the CCIE Security blueprint. When you first read the questions in the lab, you might find them fairly easy, but they are carefully written to present high complexity and many hidden problems. Such is the case in the real CCIE lab exam. To assist you, solutions are provided for the entire lab, including configurations and common show command outputs from...

General Guidelines

Do not configure any static/default routes unless otherwise specified/required. Use the DLCIs provided in the diagram. Use the IP addressing scheme provided in the diagram; do not change any IP addressing unless otherwise specified. In the CCIE Lab, initial configurations are loaded, and therefore IP addresses are not to be changed. In this book, each chapter has a separate lab topology with different IP addressing, so each chapter needs to be recabled and all IP addresses need to be redone from the...

Security Written Qualification Exam

The two-hour, multiple-choice exam is computerized and administered at Cisco authorized testing centers. The exam is closed-book and contains 100 questions. No reference materials are allowed in the exam room. For more details, refer to the Security written exam blueprint at

AAA on the Switch

Configure Authentication, Exec Authorization, and Accounting for Exec and Commands on the switch. Refer to Example 2-14 for the AAA configuration on the switch. Refer to Figure 2-11 for the Accounting logs.
Figure 2-11. Exec Accounting Logs from CiscoSecure ACS
No need to create an ACL on PIX for RADIUS requests, as Switch-1 and AAA are on the same VLAN.

Access Control

In this case, you can configure autocommand for a user to Telnet to the router. autocommand will execute the required command and exit the session. This way the user will not be able to keep its Telnet session open.
username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
username testconfig autocommand show run
line vty 0 4
 privilege level 15
 password 7 110A1016141D
 login local
Test by Telnetting from R1 to 10.50.13.2.
Username: testconfig
Password: testconfig
Building configuration
Current...

Access Restriction (2 points)

A local host behind PIX 10.1.1.10 starts a TCP connection using source port 1515 to a foreign host 175.1.6.10 on any destination port. PIX is denying this connection for a custom-based application on this server, which has return traffic on ports other than those used for originating the connection when establishing the session. Configure PIX to allow packets from the foreign host 175.1.6.10 source port 2525 back to local host 10.1.1.10 destination port 5252 instead of 1515.

Acknowledgments

I would like to take this opportunity to thank the members of the Sydney TAC Security and VPN team for their support in writing this book. I have benefited greatly from working with them and can proudly say that it has been the best team with which I have ever worked. The wealth of knowledge and diversity of experience within the Cisco Systems, Inc. Technical Assistance Center (TAC) is equal to none. In my mind, these people are gurus. While the list of people I could mention may be endless, I...

Advanced Context-Based Access Control (CBAC)

Allow Java applets from the 164.0.0.0/8 and 165.0.0.0/8 network(s) only, as demonstrated in the example following item 2. Configure CBAC for TCP half-open sessions on a per-host basis to 200 concurrent embryonic connections. Offending hosts are to be blocked for 1 hour, as demonstrated in the following example:
ip inspect name lab6 http java-list 6
ip inspect tcp max-incomplete host 200 block-time 60
access-list 6 permit 164.0.0.0 0.255.255.255
access-list 6 permit 165.0.0.0 0.255.255.255

Advanced IPSec LAN-to-LAN

Configure GRE traffic in section 5.2. The IPSec access list should be host-to-host and use tunnel mode. Configure ISAKMP keepalive to check the connectivity. If the peer does not respond, the Phase 1 SA will go down, and this will also take down the Phase 2 SAs. Also remember to configure no ip route-cache on all GRE tunnels and physical interfaces where the crypto map is applied. This is a tricky one. Configure GRE between R3 and R6. You need to configure static translation on PIX for loopback2 to the same...

BGP Attributes

Advertise loopback1 using the network command on R6. You are restricted from using the network command to advertise loopback2; you will need to redistribute connected routes into BGP. Create an access list and a route map to redistribute loopback2 only. After doing so, do a show ip bgp on R6 and you will find that the origin code for loopback2 is incomplete, denoted by a ?, because it has been redistributed and BGP hasn't learned this internally. To change the origin code to denote i, use the set origin igp...

Cabling Instructions

Use Tables 1-1 and 1-2 for cabling all devices in your topology. It is not mandatory to use the same type or sequence of interfaces. You may use any combination of interface(s) as long as you fulfill the requirement.
Table 1-1. Cabling Instructions (Ethernet)
Table 1-2. Cabling Instructions (Serial)

CCIE Security Practice Labs

Publisher: Cisco Press
Pub Date: February 24, 2004
Seven comprehensive CCIE security labs to hone configuration and troubleshooting skills.
Prepare for the CCIE Security lab exam and hone your security configuration and troubleshooting skills with seven complete practice scenarios that cover:
o VPN configuration, including IPSec, GRE, L2TP, and PPTP
o Intrusion Detection System (IDS) 42xx Appliance configuration
o IP services and protocol-independent features
The explosive growth of the Internet economy...

Change the default network type on the ATM link from nonbroadcast to point-to-point

< snip from R5>
interface ATM0/0
 ip address 171.7.5.2 255.255.255.252
 ip ospf authentication-key 7 094F471A1A0A
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 0 0 700
  protocol ip 171.7.5.1 broadcast
  broadcast
< OSPF network type before changing the default>
Internet Address 171.7.5.2/30, Area 10
Process ID 110, Router ID 5.5.5.5, Network Type NON_BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 5.5.5.5, Interface address 171.7.5.2
No...

Configure ACL to deny ICMP and permit everything; apply this ACL to the Virtual-Template interface

! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip access-group 101 in
 peer default ip address pool pptp-pool
 ppp authentication ms-chap pptp
ip local pool pptp-pool 172.16.11.1 172.16.11.50
access-list 101 deny icmp any any
access-list 101 permit ip any any
< Launch PPTP client connection from Test PC in VLAN5. Verify PPTP session>
PPTP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Intf...

Configure authentication using password cisco as demonstrated in the following example

interface Ethernet0/0
 ip address 164.15.4.6 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip ospf message-digest-key 1 md5 cisco
 standby 1 priority 105 preempt
 standby 1 authentication cisco
 standby 1 ip 164.15.4.100
 standby 1 track Serial0/0
Local state is Active, priority 105, may preempt
Hot standby IP address is 164.15.4.100 configured
Active router is local
Standby router is 164.15.4.5 expires in 00:00:09
Standby virtual mac address is 0000.0c07.ac01
Tracking interface states for...

Configure LAN-to-LAN configuration on the VPN3000 concentrator as shown in Figures 7-6a through 7-6d

Figure 7-6a. LAN-to-LAN Configuration on VPN3000 (Define Peer, Preshared, IKE)
Figure 7-6b. LAN-to-LAN Configuration on VPN3000 (Define Local and Remote Networks)
Figure 7-6d. LAN-to-LAN Configuration on VPN3000 (Modify)

Configure local authentication for Telnet with username ADMIN password cisco

aaa authentication login vty local-case
username ADMIN password 7 00071A150754
access-list 110 permit tcp any any eq telnet time-range work-hours
line vty 0 4
 access-class 110 in
 login authentication vty
time-range work-hours
 periodic weekdays 9:00 to 17:00
Verify Telnet from R2 to R1.
r1# clock set 14:40:00 May 21 2003
r1# show clock
00:00:09 172.16.1.10 Idle Peer Address
time-range entry work-hours (active)
 periodic weekdays 9:00 to 17:00
 used in IP ACL entry
r1# show access-lists 110
Extended...

Configure NAT on PIX for VLAN2 to 164.15.4.20 as demonstrated in the following example

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 164.15.4.254
global (outside) 2 164.15.4.20
Ping from R1 to anywhere on the network sourcing from the VLAN2 network, e.g. 22.22.22.22:
Source address or interface: 10.1.1.1
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos...

Configure queue 3 for ICMP; change the queue length limit from the default 20 packets to 40 packets. The following

interface Serial1/0
 ip address 179.7.2.4 255.255.255.248
 encapsulation frame-relay
 custom-queue-list 1
access-list 103 permit icmp any 175.1.6.0 0.0.0.255
queue-list 1 protocol ip 1 tcp telnet
queue-list 1 protocol ip 2 list 102
queue-list 1 protocol ip 3 list 103
queue-list 1 protocol ip 4 tcp www
queue-list 1 default 5
queue-list 1 queue 3 limit 40
queue-list 1 queue 4 byte-count 2000
r4# show interfaces serial 1/0
Serial1/0 is up, line protocol is up
  Hardware is cxBus Serial
  Internet address...

Configure the established keyword for R3 to be able to Telnet R2 but not vice versa, as demonstrated in the following

interface Ethernet0/0
 ip address 164.15.4.6 255.255.255.0
 ip access-group 110 in
access-list 110 permit tcp host 164.15.4.5 host 164.15.4.6 established
access-list 110 deny tcp host 164.15.4.5 host 164.15.4.6 eq telnet
access-list 110 permit ip any any
Telnet from R3 to R2 is successful after applying the ACL.
r3# telnet 164.15.4.5
Trying 164.15.4.5 ... Open
Telnet from R2 to R3 fails after applying the ACL.
r2# telnet 164.15.4.6
Trying 164.15.4.6 ...
% Destination unreachable; gateway or host down
r2#
Verify counters...

Configure Unicast OSPF on R2, R3, and R4 using the neighbor command, as the Frame Relay network by default is Nonbroadcast

R2# show ip ospf interface
Serial0 is up, line protocol is up
  Internet Address 179.7.2.2/29, Area 0
  Process ID 110, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 3.3.3.3, Interface address 179.7.2.3
  Backup Designated router (ID) 4.4.4.4, Interface address 179.7.2.4
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:01
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last...

Configure xlate timeout on PIX to 1 hour using the timeout command (the default is 3 hours), as demonstrated in the

PIX(config)# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Change using the 'timeout' command shown below.
PIX(config)# timeout xlate 1:00:00
PIX(config)# show timeout
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Congestion Management/QoS (4 points)

Control congestion on R6 by configuring queuing using the following parameters:
o IP packets with a byte count greater than 1500 are assigned a low-priority queue level.
o IP packets originating on or destined for TCP port 23 are assigned a medium-priority queue level.
o IP packets entering on interface Ethernet0/0 (VLAN5) have medium priority.
o All IP routing protocols configured on R6 have high priority.
o All other IP packets assigned have a high-priority queue level.
Select a queuing type that...

Context-Based Access Control (CBAC)

Inspect TCP, UDP, and HTTP traffic. Configure inspection inbound on Ethernet0 (VLAN_3) on R5. See Example 2-11 for testing CBAC from R7. Configure an anti-spoofing inbound ACL on Serial0 on R5 for dynamic entries. See Example 2-10 to test the anti-spoofing ACL. Refer to the following URL for more on configuring anti-spoofing ACLs.
Example 2-10. Anti-Spoofing Test from R1
Create a Loopback with the IP address of VLAN3 and do an Extended Ping from R1 to R5.
r1# show ip interface brief...

Equipment List

8 routers with the following specifications (all routers are to be loaded with the latest Cisco IOS version in the 12.1(T) train):
R1: 4 Ethernet (with Enterprise + IPSec 56 image)
R3: 2 Ethernet, 1 BRI (with IP Plus image)
R5: 1 Ethernet, 1 serial (with IP Plus + IPSec 56 image)
R6: 1 Ethernet, 1 serial, 1 BRI (with IP Plus image)
R7: 1 Ethernet, 1 serial (with IP Plus image)
R8: 1 Ethernet, 1 serial (with IP Plus image)
1 PIX with 2 interfaces (version 6.x with DES enabled)
1 PC Windows 2000 Server...

Example 3-17. BGP MED

Snip from R2 configuration:
router bgp 1
 no synchronization
 bgp router-id 2.2.2.2
 neighbor 14.14.14.14 remote-as 2
 neighbor 14.14.14.14 ebgp-multihop 255
 neighbor 14.14.14.14 update-source Loopback1
 neighbor 14.14.14.14 route-map setmed out
 no auto-summary
access-list 1 permit 144.144.144.0 0.0.0.255
route-map setmed permit 10
 match as-path 1
 set metric 60
route-map setmed permit 20
 match as-path 2
 set metric 50
route-map setpref permit 10
 match ip address 1
 set local-preference 200
router bgp...

Frame Relay Configuration (5 points)

Configure R1 as a Frame Relay switch using the DLCI information provided for Frame Relay routing in Figure 5-2. Configure a full-mesh Frame Relay network between R5, R6, and R7. Do not configure subinterfaces on any router. Configure static frame maps on all routers. Configure Frame Relay routers to verify end-to-end communication. Local PVC status should be active only if the PVC status on the other end is active. Configure three consecutive end-to-end confirmations received and sent before...

Frame Relay DLCI Information

Configure R8 as a Frame Relay switch and use Figure 2-2 for DLCI information. Only DLCIs indicated in Figure 2-2 should be mapped on the routers.
Figure 2-2. Frame Relay DLCI Diagram
Use Figure 2-3 to configure routing protocols for the exercises to follow.
Figure 2-3. Routing Protocol Information

Hidden issue: There is an ingress ACL on the R5 ATM link. You need to allow UDP 1812/1813 from Switch1 to the AAA server

R5# show access-lists 101
Extended IP access list 101
    deny ip any 179.7.2.0 0.0.0.7 (29 matches)
    deny icmp any 175.1.2.0 0.0.0.255 echo-reply (26 matches)
    permit tcp any any eq telnet (90 matches)
    permit tcp any any eq bgp (34 matches)
    permit tcp host 171.7.5.1 host 175.1.2.3 eq tacacs (56 matches)
    permit udp host 175.1.5.25 host 175.1.2.3 eq 1812 (4 matches)
    permit udp host 175.1.5.25 host 175.1.2.3 eq 1813 (10 matches)

Hidden trick: The NTP master must be configured on R3 and R7 for Switch1 redundancy. Configure Virtual IP as the NTP

< snip from R7>
ntp authentication-key 1 md5 02050D480809 7
ntp master
end
Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is C2724021.6452EDE7 (03:23:45.391 AST Mon May 19 2003)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
127.127.7.1 configured, our_master, sane, valid, stratum 7
ref ID 127.127.7.1, time C2724021.6452EDE7...

IP Fragment Attack

Configure the IP Frag Guard feature with the sysopt security fragguard command on the PIX. This feature enforces two security checks. First, each noninitial IP fragment is required to be associated with an already seen valid initial IP fragment. Second, IP fragments are rate-limited to 100 full IP fragmented packets per second to each internal host. For information on the IP Frag Guard feature, see the following URL

IPSec LAN-to-LAN Through the Firewall Using CA

Overlapping networks on R1 and R5 (10.1.1.0/24) need to be encrypted. An IPSec access list cannot be configured for this. The solution is to create NAT on both ends and use the NATed address in the IPSec ACL. See Example 4-26. On an ingress IPSec packet, NAT is performed first, followed by the IPSec ACL. See the following URL for more information about the order of operation

IPSec LAN-to-LAN Using Preshared

Encrypt BGP traffic between R1 and R7 using loopback1(s). See Example 3-24. Use preshared authentication and choose all other parameters as appropriate. You need to create a static NAT on PIX and an ACL to permit IPSec and ISAKMP traffic. See Example 3-25.
Example 3-24. IPSec Configuration on R1 and R7
Snip from R1:
crypto isakmp policy 10
 hash md5
crypto isakmp key cisco address 17.17.17.17
crypto ipsec transform-set lab3 esp-des esp-md5-hmac
crypto map lab3 local-address Loopback1
crypto map lab3...

IPSec Remote Access to VPN3000 Concentrator

Configure the VPN3000 interface settings as per the topology diagram in Figure 3-1. Configure OSPF on the private interface and RIPv1 on the public interface. See Figure 3-4 for interface and routing protocol settings.
Figure 3-4. Interface and Routing Protocol Settings on VPN3000
Configure group and user information as shown in Figure 3-5.
Figure 3-5. Group and User Information on VPN3000

Make sure you can ping Loopback1 of R6 and all other networks. Verify in the VPN client connection that only Loopback1

< Figure: VPN Client Ping Split-Tunnel Network. Screen capture of pings from the VPN client: four replies from 66.66.66.66, bytes=32, time=40ms, TTL=255, 0% loss, followed by a second ping with 32 bytes of data...>

Network Address Translation NAT

Configure NAT on both R6 and R7 for redundancy, as a packet from VLAN-4 can use either the R6 or R7 path, as demonstrated in the following example. Configure static NAT on R6 and R7 (same on both routers).
interface Ethernet0/0
 ip address 173.5.1.2 255.255.255.128
 ip nat inside
interface Serial1/0
 ip address 173.5.1.130 255.255.255.128
 ip nat outside
ip nat inside source static 173.5.1.40 173.5.1.135
ip nat outside source static 173.5.1.136 173.5.1.41
Pro Inside global...

Perimeter Security

If the network is under a heavy load, and it does not give adequate CPU time to process system-level tasks such as handling routing protocols, configure the scheduler command to allocate CPU time efficiently. Configure R8 with scheduler allocate 2000 500. For more info on the scheduler command, see the following URL

Permit any DNS request originating from VLAN2

interface Serial0
 ip address 179.7.2.2 255.255.255.248
 ip access-group 199 in
access-list 199 permit tcp any any eq domain established
access-list 199 deny tcp any any eq domain syn
Verify by telnetting from R3 to R2 on port 53:
r3# telnet 179.7.2.2 53
Trying 179.7.2.2, 53 ...
% Destination unreachable; gateway or host down
r3#
Check ACL counters on R2:
r2# show access-lists 199
Extended IP access list 199
    permit tcp any any eq domain established
    deny tcp any any eq domain syn (46 matches)
    permit ip any...

Policy Routing

Configure policy routing on R1 to change the next hop for the mail and web server off R3:
interface Serial2/0.2 point-to-point
 ip address 10.50.13.33 255.255.255.240
 ip policy route-map server
interface Serial2/0.3 point-to-point
 ip address 10.50.13.1 255.255.255.240
 ip policy route-map server
access-list 101 permit ip any host 10.50.31.98
access-list 102 permit ip any host 10.50.31.99
route-map server permit 10
 match ip address 101
 set ip next-hop 10.50.13.34
route-map server permit 20
 match ip...

Policy Based Routing

Configure Policy-Based Routing using a route map and set the default interface to null0. See Example 3-38. An important thing to remember is to apply the policy on the ingress interface (Serial0) where packets arrive from R3. Ping any unknown networks/hosts from R3 that are not used in this lab. Ping a couple of times and verify on R5 with show route-map black-hole. See Example 3-39.
Example 3-38. Policy-Based Routing on R5
Snip from R5 config:
interface Serial0
 ip address 120.5.72.166...

PPP Authentication and Load Balancing

Configure PPP authentication on R3 and R6 BRI(s). Configure a username on both routers. Note that R6 is sending CHAP host name R6 (case-sensitive). Configure username R6 on R3 and username r3 on R6. See Example 4-20 in Section 3.1. Configure the backup load command on R3 to bring up the ISDN link if the VLAN-5 link load exceeds 75 percent, and tear down when the aggregate load is 5 percent. See Example 4-20 in Section 3.1.

Prevent this by configuring an ACL on all links to deny TCP/514 used for RSH

interface FastEthernet0/0
 ip address 171.8.5.1 255.255.255.0
 ip access-group 101 in
interface FastEthernet0/1
 ip address 178.1.1.2 255.255.255.252
 ip access-group 101 in
access-list 101 deny tcp any any eq cmd
Verify by configuring RSH on R8 as per the URL below and test by executing any IOS command on R8 remotely from any router.
    deny tcp any any eq cmd (16 matches)
    permit ip any any (22 matches)

Section 3.0: ISDN Configuration

Configure OSPF demand circuit for redundancy on R3. Configure R1 as callback server and R3 as callback client. Do not configure dialer-map on R1, as it will retrieve the callback number from the AAA server. Configure the AAA server with username r3 and its callback attributes. Refer to Figure 1-5 for PPP callback user profile settings on ACS.
Figure 1-5. PPP Callback Settings on CiscoSecure ACS
As a fallback,...

Section 5.0: IPSec/GRE Configuration

5.1.1 IPSec Remote Access Using Preshared Key
1. Configure the VPN client to terminate on PIX using the preshared key. Refer to Figure 2-5 for setting up the VPN client on Test_PC.
Figure 2-5. Properties for Cisco VPN Client 3.x for Windows
Configure extended authentication and assign IP address, WINS, DNS. Refer to Figure 2-6 for screen shots of the Cisco VPN client when establishing the connection.
Figure 2-6. Establishing a VPN...

Section 9.0: IP Services and Protocol-Independent Features

Create multiple route maps to NAT to the corresponding egress interface. See Example 2-18. See the following sample config to configure GRE/IPSec with NAT.
Example 2-18. NAT Configuration from R4 (R6 and R8 Look Similar Except for the ACL; See Solutions)
interface Loopback10
 ip address 10.1.4.1 255.255.255.0
 ip nat inside
interface Serial2/0
 ip address 110.50.33.4 255.255.255.0
 ip nat outside
interface Dialer1
 ip address 110.50.46.1 255.255.255.0
 ip nat outside
ip nat inside source route-map...

Section 9.0: IP Services and Protocol-Independent Features, 9.1 NAT

Configure NAT for Loopback3 (192.168.3.1/24). The objective is that when sourced from Loopback3 to anywhere on the network, it should be translated using the egress interface. For example, if you ping 122.122.122.122, it will use egress interface Serial1/0.3, whereas if you ping 144.144.144.144, it will use egress interface Serial1/0.1. If you ping 166.166.166.166, it will use egress interface FastEthernet0/0. To configure this multihomed NAT, enter the following:
ip nat inside source route-map...

See Figure 7-11 for TACACS+ accounting start/stop time records for billing purposes on CiscoSecure ACS

Figure 7-11. TACACS+ Accounting for Session Start-Stop Time (Billing Purposes)
See Figure 7-12a for TACACS+ administration for command authorization on CiscoSecure ACS and Figure 7-12b for failed attempts of command authorization on CiscoSecure ACS.
Figure 7-12a. TACACS+ Administration for Command Authorization
Figure 7-12b. Failed Attempts for Command Authorization

Serial Configuration

Serial links between R4 and R2 are connected back-to-back, with no Frame Relay. See Figure 6-1 to configure with PPP encapsulation. Configure AAA and local authentication and authorization for PPP. Configure R2 to send CHAP host name router2. Configure username router2 on R4 and username r4 on R2, as demonstrated in the following example:
aaa authentication ppp default local
aaa authorization network default local
interface Serial0
 ip address 165.1.2.1 255.255.255.252
aaa authentication ppp default...

Syslog reports lots of false positive alarms, as shown in the following syslog snip from R6. Disable this alarm from said

*Mar 15 03:10:14.597: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from
*Mar 15 03:10:44.658: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from
*Mar 15 03:11:14.767: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from
*Mar 15 03:11:44.901: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from

The complete AAA configuration on Switch1 is as follows

aaa authentication login vty group radius local
aaa authorization exec vty group radius local
aaa accounting exec vty start-stop group radius
username switch-telnet password 7 1511021F0725
radius-server host 175.1.2.3 auth-port 1812 acct-port 1813
radius-server retransmit 3
line con 0
 exec-timeout 0 0
 authorization exec con
 accounting exec vty
 login authentication con
line vty 0 4
 password 7 14141B180F0B
 authorization exec vty
 accounting exec vty
 login authentication vty
See Figure 7-13 to...

Time-Based Policy Routing

Configure Time-Based Access Lists on R6 and apply to the policy route and set the next hop to R5. See Example 4-51. Verify by changing the clock on R5 and tracerouting to 17.17.17.17 to see if Policy Routing with the Time-Based ACL is working. See Example 4-52.
Example 4-51. Policy Routing with Time-Based ACL on R4
ip local policy route-map time-based-pbr
access-list 170 permit ip any host 17.17.17.17 time-range pbr
route-map time-based-pbr permit 10
 match ip address 170
 set ip next-hop 142.52.0.3...

To filter OSPF routes for R8, configure ospf database-filter on R5 to stop advertising LSAs but continue to advertise

interface Ethernet1/1
 ip address 171.8.5.2 255.255.255.0
 ip ospf database-filter all out
< R8 routing table before applying database-filter on R5>
r8# show ip route ospf
     171.7.0.0/30 is subnetted, 1 subnets
O IA    171.7.5.0 [110/11] via 171.8.5.2, 00:00:50, FastEthernet0/0
     175.1.0.0/24 is subnetted, 3 subnets
O IA    175.1.6.0 [110/11] via 171.8.5.2, 00:00:50, FastEthernet0/0
O E1    175.1.5.0 [110/12] via 171.8.5.2, 00:00:40, FastEthernet0/0
O E2    175.1.2.0 [110/1] via 171.8.5.2, 00:00:40, FastEthernet0/0...

Traffic-Based Accounting

Configure MAC-based IP accounting on R1 on the VLAN-2 interface (Ethernet0/0), as demonstrated in the example following item 3. The MAC address accounting feature provides accounting statistics for IP traffic based on the source and destination MAC addresses on a LAN interface. Verify MAC accounting information using the show interface mac command, as demonstrated in the following example:
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip accounting mac-address input
 ip accounting...

Tune signature 2150 using an ACL to deny from host 175.1.5.2. Verify by sending large ICMP packets from Test PC and R4 or R2

ip audit notify nr-director
ip audit notify log
ip audit po max-events 100
ip audit po remote hostid 3 orgid 100 rmtaddress 175.1.2.3 localaddress 175.1.6.3 port 45000 preference 1 timeout 5 application director
ip audit po local hostid 1 orgid 100
ip audit signature 2150 list 5
ip audit name lab7 info action alarm
ip audit name lab7 attack action alarm drop reset
interface Ethernet0/0
 ip address 175.1.6.3 255.255.255.0
 ip audit lab7 in
interface Dialer1
 ip address 179.7.2.10 255.255.255.252
 ip...

Verification Hints and Troubleshooting Tips

This is a very important section in this book. It helps you troubleshoot problems and verify answers. There are many hidden tricks and problems within the exercises, and numerous ways to troubleshoot them, as there is no set formula for doing this. The best method to use is the one you feel comfortable with. Having said that, you can use the troubleshooting methodology in this book. Get familiar with the debug and show commands used in this section, as they are very handy....

Verify ACL and CBAC configurations

< Verify by telnetting from R4 to R7; check session table and dynamic ACL entry on R5>
r5# show ip inspect sessions
Established Sessions
 Session 62D34A24 (175.1.6.1:11039)=>(171.7.5.1:23) tcp SIS_OPEN
r5# show access-lists 101
Extended IP access list 101
    permit tcp host 171.7.5.1 eq telnet host 175.1.6.1 eq 11039 (27 matches)
    deny ip any 179.7.2.0 0.0.0.7 (29 matches)
    deny icmp any 175.1.2.0 0.0.0.255 echo-reply (10 matches)
    permit tcp any any eq telnet (90 matches)
    permit tcp any any eq...

Verify IPSec configuration by pinging 192.168.1.1 from R2 sourcing from 192.168.2.1 (loopback1). Verify tunnel on R2 and

R2# show crypto engine connections active
Interface <none> Ethernet0 Ethernet0 175.1.2.2 set HMAC_MD5+DES_56_CB
dst             src             state      conn-id  slot
175.1.2.5       175.1.2.2       QM_IDLE    1        0
   local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 175.1.2.5
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 102, #pkts encrypt: 102, #pkts digest 102
    #pkts decaps: 102, #pkts decrypt: 102, #pkts verify 102
    #pkts compressed: 0, #pkts...

Verify the client connection from the Test PC in VLAN 5. See Figures 7-8a and 7-8b.

Figure 7-8a. VPN Client Connection (General)

Note: Stateful Firewall (Always On) status is not represented above. To view this status, right-click on the system tray icon. If checked, this functionality is enabled.

Figure 7-8b. VPN Client Connection (Statistics)

Web Server Security

Configure the embryonic connection limit on the static translation on the PIX for web server 120.5.72.120. See Example 3-33.

Example 3-33. Embryonic Connection Limit on PIX

static (inside,outside) 120.5.72.120 10.1.4.120 netmask 255.255.255.255 0 5000 norandomseq

For more information, see the PIX Command Reference URL

Key Management

Configure two keys on R3 and R4: one default key, cisco, and another strict key for a specific time range. See Example 4-47. Make sure the clock is synchronized on both routers. There is no need to configure NTP; configure the clocks manually. To verify that the keys are working in the hours specified, change the clock manually and shut/no shut the RIP interface(s) so that RIP reconverges with the new keys. See Example 4-48.

Example 4-47. Snip from R3 Configuration (Same Config on R4)

  key-string cisco
 key 2
  key-string...

Intrusion Detection System IDS

Configure the IDS from the console: log in as root with the default password attack. Use the sysconfig-sensor utility on the sensor to configure the IP address, mask, default route, and an ACL that allows the 172. network to manage it. By default the ACL allows network 10. only. See Figure 5-6.

Figure 5-6. Sensor Initialization Using Sysconfig-Sensor

Use any workstation (the AAA/CA server in this case) to browse to the sensor. That is, use IDM...

Why CCIE Security

CCIE Security distinguishes the top level of Network Security experts. The CCIE Security Certification enables individuals to optimize career growth, opportunity, and compensation by distinguishing themselves as being part of the Network Security experts of the world. The CCIE Security Certification enables companies to minimize their risk by identifying the highest caliber of security personnel with the training and skills necessary to protect their critical information assets. This book will...

Advanced Intrusion Detection System IDS

Change ICMP echo signature 2004 to HIGH severity using IDM. See Figure 5-8. Ping any device in VLAN 3 or 4 and make sure you receive alarms in IEV. See Figures 5-9a through 5-9c for IEV.

Figure 5-8. Signature Tuning Using IDM
Figure 5-9c. Viewing Alarms Using IEV (View Sorted by Destination IP)
Figure 5-9b. Viewing Alarms Using IEV (View Sorted by Signature Name)

If you are not receiving...

Traffic Shaping

Configure a Frame Relay Discard Eligible (DE) list and apply it to DLCI 106 on subinterface Serial3/0.6 on R1. Configure an ACL that keeps OSPF packets from being tagged discard eligible by Frame Relay, so that they are not dropped by the Frame Relay switch. See Example 2-21.

Example 2-21. Frame Relay Traffic Shaping

Snip from R1 configuration and output from show command:

frame-relay de-list 1 protocol ip list 102
!
interface Serial3/0.6 point-to-point
 ip address 110.50.31.1 255.255.255.0...

Multiple Paths

Configure the maximum-paths command under each routing protocol configured on R4. See Example 4-55.

 area 0 authentication message-digest
 area 1 authentication message-digest
 area 1 virtual-link 6.6.6.6 message-digest-key 1 md5 cisco
 area 2 authentication message-digest
 redistribute static metric 1 subnets
 neighbor 140.52.0.100 ebgp-multihop 255
 neighbor 140.52.0.100 send-community
 neighbor 140.52.0.100 route-map set-next-hop in
 neighbor 140.52.0.100 route-map change-community out

By default,...

Overview of the CCIE Security Exam

The CCIE Security exam covers IP and IP routing as well as specific security components. Becoming a CCIE is a two-step process. The first step is to pass a two-hour, written qualification exam administered through Cisco-authorized testing centers. The second step is to successfully complete a hands-on lab examination at a Cisco facility demonstrating the candidate's expertise in configuring, testing, and troubleshooting real network equipment. The qualification exam is a prerequisite for...

Overview of the CCIE Certification

CCIE is widely considered the industry's highest-level IT certification program, commonly referred to as the doctorate of networking. It equips candidates with excellent internetworking skills that are simply the best in the industry. CCIE certification was recently voted #1 by IT professionals in the CertCities.com annual survey, "The Hottest Certifications for 2003", a ranking attributed to the growing importance of certifications in a tight job market. Furthermore, it also grabbed the title of...

Verify that the sensor is configured correctly for the sensing interface and the command and control interface as

By default, on some 42xx appliances, the sensing interface is configured to use int2 and not int0. Check the documentation. You can change this from the sensor console as follows.

Before changing the port:

sensor1# show interfaces
command-control is up
  Internet address is 192.168.3.2, subnet mask is 255.255.255.0, telnet is
eth1      Link encap:Ethernet  HWaddr 00:06:5B:ED:59:B4
          inet addr:192.168.3.2  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58...

Load Sharing Using HSRP

Configure two HSRP groups on R5 and R6 for load balancing traffic in VLAN 7. See Example 4-53. Configure preempt for both groups so that they fail over in the event the Active router is dead for any group. Test HSRP failover by shutting Ethernet0 on R5. See Example 4-54.

Example 4-53. Two HSRP Groups Between R5 and R6 for Load Balancing

Snip configuration from R6:

interface FastEthernet0/0
 standby 1 ip 142.52.0.50
 standby 1 priority 110
 standby 1 preempt
 standby 2 ip 142.52.0.51
 standby 2 preempt

Snip configuration...

Configure conditional advertisement on R6 to advertise Loopback1 to R5 only if Loopback1 of R4 (44.44.44.0) is absent from

<snip from R6>

router bgp 2
 no synchronization
 bgp router-id 6.6.6.6
 network 66.66.66.0 mask 255.255.255.0
 neighbor 175.1.6.1 remote-as 1
 neighbor 175.1.6.2 remote-as 2
 neighbor 175.1.6.2 advertise-map advertise non-exist-map check-exist-route
 no auto-summary
!
access-list 1 permit 44.44.44.0 0.0.0.255
access-list 2 permit 66.66.66.0 0.0.0.255
!
route-map check-exist-route permit 10
 match ip address 1
!
route-map advertise permit 10
 match ip address 2

Verify conditional advertisement using...

D

Create an ICMP ACL on R2 as follows to confirm that packets from source 18.18.18.18 to destination 12.12.12.12 are arriving on the VLAN 4 ingress interface Ethernet0/0. You can check hit counts to prove that the attack is successful.

access-list 101 permit icmp host 18.18.18.18 host 12.12.12.12

Do a debug ip packet detail 101 and debug ip icmp on R2. You will see echo-replies being sent to R8 from R2.

Example 2-24. IP Spoofing Simulation

Ping R2 Loopback1 using the spoofed source IP address of R8:

r3...

See the following examples from R2 and R6, respectively, to test and verify DDR using dialer watch.

Test and verify DDR using dialer watch: shut down Serial1/0 on R4 (Frame Relay link to R2).

r2# show debugging
Dial on demand:
  Dial on demand events debugging is on
2w6d: DDR: Dialer Watch: watch-group = 1
2w6d: DDR:        network 44.44.44.0/255.255.255.0 DOWN,
2w6d: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
2w6d: DDR: Dialer Watch: watch-group = 1,
2w6d: BR0 DDR: rotor dialout [priority]
2w6d: DDR: dialing secondary by dialer string 99047265 on Di1
2w6d: BR0: DDR: Attempting to dial 99047265
2w6d: %LINK-3-UPDOWN...

Target Audience

This book is intended for candidates preparing for the CCIE Security Lab exam. Network engineers with specialization in security can also take advantage of this book with the complex scenarios, troubleshooting tips, and solutions provided. One of the primary objectives of this book is to assist candidates preparing for the CCIE Lab exam by providing complex practice scenarios to give the candidate a look-and-feel for the real CCIE Lab exam. CCIE candidates can use this book as a gauging element...

Rommon Security

Disclaimer: The author and Cisco Press are not liable for any damage to routers when using this feature. Please use this feature with extreme caution, and read all related materials and the following recovery procedure.

The 2600/3600 series (and newer versions of ROMMON for the 1700 series) all have what is known as a ROMMON security feature. ROMMON security is designed to prevent a person with physical access to the router (2600 or 3600) from viewing the configuration file. ROMMON security...

Section 100 Security Violations

Configure the TCP Intercept feature on R1 to protect TCP servers from TCP SYN-flooding attacks. Configure an ACL so that only network 172.16.4.0 is protected by TCP Intercept. See Example 4-56. Configure TCP Intercept in watch mode, where all TCP connections passing through are watched by the router. If any connection does not complete the three-way handshake within the time specified, the router drops it by sending a reset. See Example 4-56.

access-list 102 permit tcp any 172.16.4.0 0.0.0.255

For...
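To make the watch-mode decision concrete, the following Python model is an added example (it is not IOS code and not from the book). It tracks SYNs towards the protected network selected by the ACL, treats a connection as established when the router sees the client's ACK that completes the handshake, and clears any half-open connection older than the watch timeout by recording a reset towards the server. The class name, the 30-second timeout value, the constructed packet trace and every address in it are assumptions made for this example; a real SYN flood also carries the server's SYN-ACKs, which the model does not need in order to decide.

```python
import ipaddress


class TcpInterceptWatch:
    """Simplified model of TCP Intercept in watch mode (assumption: the router
    passes the SYN through, remembers it, and considers the connection
    established when it sees the client's handshake-completing ACK)."""

    def __init__(self, protected_net, watch_timeout=30.0):
        # protected_net plays the role of the ACL (access-list 102 above):
        # only connections to these destinations are watched.
        self.protected = ipaddress.ip_network(protected_net)
        self.watch_timeout = watch_timeout
        self.pending = {}        # (src, sport, dst, dport) -> time of SYN
        self.resets_sent = []    # half-open connections cleared with a RST
        self.completed = 0

    def _is_protected(self, dst):
        return ipaddress.ip_address(dst) in self.protected

    def expire(self, now):
        """Half-open connections older than watch_timeout are torn down by
        sending the server a RST; here the RST is only recorded."""
        for key, syn_time in list(self.pending.items()):
            if now - syn_time > self.watch_timeout:
                self.resets_sent.append(key)
                del self.pending[key]

    def packet(self, t, src, sport, dst, dport, flags):
        """Feed one observed segment; returns how the router classified it."""
        self.expire(t)
        if not self._is_protected(dst):
            return "not_intercepted"
        key = (src, sport, dst, dport)
        if flags == "SYN":
            self.pending.setdefault(key, t)
            return "watched"
        if flags == "ACK" and key in self.pending:
            del self.pending[key]
            self.completed += 1
            return "established"
        return "passthrough"

    def summary(self):
        return {"completed": self.completed,
                "half_open": len(self.pending),
                "resets_sent": len(self.resets_sent)}


def simulate():
    """Constructed trace: one legitimate client completes its handshake, three
    SYNs from unrelated sources never do, one SYN targets a host outside the
    protected network, and a late SYN arrives after the timeout has elapsed."""
    ti = TcpInterceptWatch("172.16.4.0/24", watch_timeout=30.0)
    events = [
        (0.0,  "10.1.1.5",  40001, "172.16.4.10", 80, "SYN"),
        (0.2,  "10.1.1.5",  40001, "172.16.4.10", 80, "ACK"),
        (1.0,  "192.0.2.1", 1111,  "172.16.4.10", 80, "SYN"),
        (1.5,  "192.0.2.2", 1112,  "172.16.4.10", 80, "SYN"),
        (2.0,  "192.0.2.3", 1113,  "172.16.4.10", 80, "SYN"),
        (3.0,  "192.0.2.4", 2000,  "10.9.9.9",    80, "SYN"),   # not in ACL
        (40.0, "10.1.1.6",  40002, "172.16.4.10", 80, "SYN"),   # past timeout
    ]
    for e in events:
        ti.packet(*e)
    return ti


if __name__ == "__main__":
    print(simulate().summary())
```

In the trace the three SYNs that never complete are cleared when the 40-second mark passes the 30-second watch timeout, the legitimate client is counted as established, the connection to 10.9.9.9 is never tracked because the ACL does not cover it, and the late SYN is still pending. Tuning watch-timeout trades how long a server carries half-open state against how quickly slow but legitimate clients get reset.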