Secure Your Network With Cisco ASA Second Generation's OS 9.x
Contents

Section I. Firewall Overview
  Chapter 1. Firewall Introduction
  Chapter 2. ASA Introduction
  Chapter 3. ASA Basics
Section II. Routing on ASA
  Chapter 4. Routing Introduction
  Chapter 5. RIP
  Chapter 6. EIGRP
  Chapter 7. OSPF
  Chapter 8. IPv6 Introduction
  Chapter 9. SLA
  Chapter 10. Multicasting
Section III.
  Chapter 11. Introduction of Access-list
  Chapter 12. NAT on OS 8.0
  Chapter 13. NAT on 9.2.2.4
  Chapter 14. CTP
Section IV. IPSec Introduction
  Chapter 15. Overview of IPSec
  Chapter 16. Site-Site VPN
  Chapter 17.
  Chapter 18.
  Chapter 19. SSL VPN
Section V.
  Chapter 20. Transparent Firewall
  Chapter 21. Context
  Chapter 22. Failover
  Chapter 23. MPF
Section VI.
  Chapter 24. OSPFv3
  Chapter 25.
  Chapter 26.
  Chapter 27.
  Chapter 28. BGP
  Chapter 29.
  Chapter 30.
  Chapter 31. Clustering
  Chapter 32. Management of ASA
  Chapter 33. IPv6 Active-Standby FO
  Chapter 34. IPv6 Active-Active FO
Chapter 1. Firewall Introduction
Firewall
Firewall techniques
Packet Filtering
Proxy Server
Stateful Firewall
Transparent Firewall
Firewall Introduction
A firewall is a system or group of systems that manages access between two or more networks.
Firewall Techniques
1. Packet Filtering
2. Proxy Server
3. Stateful Firewall
4. Transparent Firewall
Packet Filtering
In packet filtering, packets are filtered using access-lists. On Cisco IOS we can use standard or extended access-lists, named access-lists, time-based access-lists, dynamic access-lists, reflexive access-lists and TCP established access-lists to filter the traffic.
Advantages
Easy to implement
Cost-effective
Disadvantages
Not scalable
Complex access-lists are hard to create & maintain
Proxy Server
It works as an intermediate system between the inside and the outside world.
It does not allow an inside user to go outside directly, and vice versa.
Limitations
Single point of failure
It introduces delay
Stateful Firewall
As the name tells us, a stateful firewall maintains the state of a connection while packets travel through the appliance. It keeps the connection state in a state table. After adding the connection information to the state table it forwards the packet to the destination. When it receives the reply packet, it matches the packet's information against the state table: if there is a match the packet is accepted, otherwise it is dropped.
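The state table just described, modelled as an added example (not code from the book): packets arriving on the inside interface create an entry and are forwarded, packets arriving from outside are accepted only if they are the reply to a recorded connection, and a stateless access-list style filter is shown alongside for contrast. The packets, addresses and interface names are constructed for illustration.

```python
"""Stateful vs stateless filtering (added illustration, not from the book)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: a 5-tuple plus the interface it arrived on."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ingress: str  # "inside" or "outside" (assumed interface names)


class StatefulFirewall:
    """Forwards inside-initiated traffic and records it; outside traffic is
    accepted only if it is the reply to a recorded connection."""

    def __init__(self):
        # State table keyed by the 5-tuple as seen from the initiator.
        self.state = set()

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.ingress == "inside":
            self.state.add(key)          # remember the connection, then forward
            return "forward"
        # A reply has source and destination swapped relative to the entry.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "accept" if reverse in self.state else "drop"


def stateless_filter(pkt):
    """Packet filter with no state: to let HTTPS replies back in it has to
    permit every inbound TCP packet whose source port is 443."""
    if pkt.ingress == "inside":
        return "forward"
    return "accept" if pkt.proto == "tcp" and pkt.sport == 443 else "drop"


# Constructed sample traffic (private and documentation address ranges).
SAMPLE = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", "inside"),   # client -> web
    Packet("203.0.113.5", 443, "192.168.1.10", 51000, "tcp", "outside"),  # genuine reply
    Packet("198.51.100.7", 40000, "192.168.1.10", 22, "tcp", "outside"),  # unsolicited
    Packet("203.0.113.5", 443, "192.168.1.10", 51001, "tcp", "outside"),  # no such flow
]


def run_stateful():
    fw = StatefulFirewall()
    return [fw.process(p) for p in SAMPLE]


def run_stateless():
    return [stateless_filter(p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, st, sl in zip(SAMPLE, run_stateful(), run_stateless()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateful={st:7}  stateless={sl}")
```

The last sample packet is the point of the comparison: it looks like an HTTPS reply, so the stateless filter accepts it, while the state table has no matching entry and drops it.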
Transparent Firewall
It works at layer 2, i.e. it forwards frames based on the destination MAC address, but it still has the capability to filter traffic from layer 2 to layer 7.
ASA Features
VPN
Cisco ASA supports the IPSec, SSL and PPTP protocols for VPN:
IPSec (site-site & remote-access)
SSL (Clientless, Thin, Thick)
L2TP
Virtual Firewall
We can divide an appliance into many virtual appliances; these virtual appliances are called virtual firewalls or security contexts.
IPv6
Cisco ASA also supports IPv6 routing: static, dynamic and default.
Clustering
A feature introduced in OS version 9.0; it enables us to group multiple appliances as a single appliance.
ASA Basics
After reading this chapter you will be able to configure & describe:
Diagram:-
ASA Mode
ciscoasa> (User mode)
ciscoasa> enable
Password:
ciscoasa# conf t (enable mode)
ciscoasa(config)# ! hostname (config-mode)
ciscoasa(config)# hostname ASA1
How to set the enable password
ASA1(config)#
ASA1(config)# enable password shiva
ASA1(config)# exit
Logoff
Type help or '?' for a list of available commands.
ASA1> enable
Password: shiva
ASA1# conf t
ASA1(config)# ! remove enable password
ASA1(config)# enable password (just enter)
! verification in pc2
PC2#ssh -l shiva 192.168.102.1
Password:
Type help or '?' for a list of available commands.
ASA1>
! you can't telnet to the lowest security-level interface
ASA1(config)# telnet 0 0 outside
ASA1(config)# ssh 0 0 outside
PC2#telnet 192.168.102.1
Trying 192.168.102.1 ...
% Connection timed out; remote host not responding
PC2#ssh
PC2#ssh -l
PC2#ssh -l shiva 192.168.102.1
! ASA OS backup
ASA1(config)# sh flash:
--#-- --length-- -----date/time------ path
146 0 Aug 29 2014 13:00:14 nat_ident_migrate
147 1422 Sep 23 2014 17:29:26 admin.cfg
148 2331 Sep 23 2014 17:29:26 old_running.cfg
22 4096 Sep 27 2013 10:55:54 coredumpinfo
23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096 Aug 29 2014 12:48:00 log
21 4096 Aug 29 2014 12:48:40 crypto_archive
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096 Aug 29 2014 13:29:32 sdesktop
165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
166 2009 Aug 29 2014 13:42:06 sdesktop/data.xml
154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
157 333 Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
160 4096 Jan 01 1980 00:00:00 FSCK0001.REC
161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg
4118732800 bytes total (3964596224 bytes free)
ASA1(config)# copy flash: tftp:
Source filename []? asa903-smp-k8.bin
Address or name of remote host []? 192.168.101.100
Destination filename [asa903-smp-k8.bin]?
Writing file tftp://192.168.101.100/asa903-smp-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
36993024 bytes copied in 130.870 secs (284561 bytes/sec)
***
*** --- START GRACEFUL SHUTDOWN ---
ASA1> en
ASA1> enable
Password: (now no password)
ASA1#
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Routing
Routing rules
Types of routing
Static Routing
Routing Protocols
Routed Protocols
IGP
EGP
Distance Vector
Link State
Enhanced Distance Vector
Routing
The process of transferring a packet from one network to another is called routing.
Routing Rules
1. If the destination is in the same subnet or network, the device forwards the packet directly to the destination.
Note:- An ARP request is used to find out the destination's MAC address.
2. If the destination is not in the same subnet or network, the device forwards the packet to its default gateway.
Note:- An ARP request is used to find out the default gateway's MAC address.
Routing Types
Static
Default
Dynamic
Static Routing
In static routing we define routes manually with the appropriate next hop.
In static routing we always define indirectly connected networks.
Advantages
Easy to implement
Less CPU overhead
Less bandwidth consumption
Disadvantages
Not scalable
Default Routing
It is used on a stub router or network. A stub router has only one entry or exit point. A default route can be used to reduce the size of the routing table.
Limitation
It can cause a loop in the network.
Dynamic Routing
In dynamic routing we use a routing protocol. Routing protocols dynamically learn routes & send route information to the neighbouring routers.
Routed Protocols
They are the protocols that have the capability to carry data from one device to another device, like IP, IPX and AppleTalk.
IGP
EGP
Distance Vector
A Distance Vector routing protocol selects the route based on distance, which is measured as hop count.
Hop Count
When a packet crosses a router, that is called one hop.
Link State
As the name tells us, a link-state routing protocol sends updates based on the state of a link: when a link comes up or goes down it sends an update.
It sends updates with a sequence number, which starts at 0x80000001 and goes up to 0xFFFFFFFF.
Examples:- OSPF, IS-IS.
Enhanced DV
EIGRP is an Enhanced DV routing protocol: it is based on the distance vector algorithm but sends incremental updates like a link-state protocol. Some people call it hybrid, but Cisco calls it Enhanced DV.
Diagram:-
RIP
RIP
RIP Version
RIP Timers
RIP Loop avoidance Techniques
Route Poisoning
Poisoning Reverse
Split-Horizon
RIP Version 2
Type: Distance Vector (DV), classless
AD: 120
Metric: hop count (max-hop 15)
Updates: multicast to 224.0.0.9
Version control: manual (send v2, receive v2)
Authentication: supported
Loop avoidance: Route Poisoning, Poison Reverse, Split-Horizon
Route Poisoning
RIP marks bad news with a special metric, the infinite metric, i.e. 16. When RIP advertises a route with metric 16, that is called Route Poisoning.
Route Poisoning
Router1>>>>> 101.0=16>>>>>>>>>Router2
Poison Reverse
When a router receives a Route Poisoning update it accepts it, updates its routing table, and then sends the same poisoned update back to the neighbour it came from.
(Router1>>>>> 101.0=16>>>>>>>>>Router2 )
(Router1<<<<< 101.0=16<<<<<<<<<Router2) is Poison Reverse
Split Horizon
A rule in distance vector routing protocols: it does not allow a routing protocol to send routing information out of the interface on which that information was received.
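An added simulation (not from the book) of the three mechanisms just described on the two-router topology above: Router1 owns a prefix, Router2 learns it over a shared link, then the prefix fails. It shows what Router2 sends back towards Router1 with no protection, with split horizon and with poison reverse, and how a silent failure counts to infinity while route poisoning (metric 16) converges in one exchange. The router names, the prefix 172.10.1.0/24 and the interface name e0 are constructed.

```python
"""RIP loop-avoidance simulation (added example, not from the book)."""
from copy import deepcopy

INFINITY = 16              # RIP's infinite metric, as described above
PREFIX = "172.10.1.0/24"   # constructed prefix owned by Router1


class RipRouter:
    def __init__(self, name):
        self.name = name
        # prefix -> (metric, interface learned on); None = connected or poisoned locally
        self.table = {}

    def add_connected(self, prefix):
        self.table[prefix] = (1, None)

    def poison(self, prefix):
        """Route poisoning: keep the route but advertise it with the infinite metric."""
        self.table[prefix] = (INFINITY, None)

    def build_update(self, iface, mode):
        """Routes to send out `iface`; mode is 'none', 'split-horizon' or 'poison-reverse'."""
        update = {}
        for prefix, (metric, learned_on) in self.table.items():
            if learned_on == iface and mode == "split-horizon":
                continue                      # never send a route back where it came from
            if learned_on == iface and mode == "poison-reverse":
                update[prefix] = INFINITY     # send it back, but explicitly unreachable
                continue
            update[prefix] = metric
        return update

    def receive_update(self, iface, update):
        for prefix, metric in update.items():
            new_metric = min(metric + 1, INFINITY)
            current = self.table.get(prefix)
            if current is None:
                if new_metric < INFINITY:
                    self.table[prefix] = (new_metric, iface)
            elif current[1] == iface or new_metric < current[0]:
                # Always believe the neighbour the route was learned from (this is how
                # a poisoned route is accepted); otherwise only on improvement.
                self.table[prefix] = (new_metric, iface)


def simulate(mode, poison):
    """Router1 -- e0 -- Router2. Returns (rounds until stable, R1 metric, R2 metric)."""
    def metric_of(router):
        return router.table[PREFIX][0] if PREFIX in router.table else None

    r1, r2 = RipRouter("Router1"), RipRouter("Router2")
    r1.add_connected(PREFIX)
    r2.receive_update("e0", r1.build_update("e0", mode))   # R2 learns the prefix at metric 2
    if poison:
        r1.poison(PREFIX)
    else:
        del r1.table[PREFIX]                               # silent failure, nothing advertised
    for rnd in range(1, 50):
        before = deepcopy((r1.table, r2.table))
        r1.receive_update("e0", r2.build_update("e0", mode))
        r2.receive_update("e0", r1.build_update("e0", mode))
        if (r1.table, r2.table) == before:
            return rnd - 1, metric_of(r1), metric_of(r2)
    raise RuntimeError("did not converge")


def update_sent_back(mode):
    """What Router2 advertises towards Router1 once it knows the prefix."""
    r1, r2 = RipRouter("Router1"), RipRouter("Router2")
    r1.add_connected(PREFIX)
    r2.receive_update("e0", r1.build_update("e0", mode))
    return r2.build_update("e0", mode)


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(f"{mode:15} advertises back: {update_sent_back(mode)}")
    print("silent failure, no protection   :", simulate("none", poison=False))
    print("silent failure, split horizon   :", simulate("split-horizon", poison=False))
    print("route poisoning + split horizon :", simulate("split-horizon", poison=True))
    print("route poisoning + poison reverse:", simulate("poison-reverse", poison=True))
```

With no protection the two routers echo the dead route to each other and both reach metric 16 only after eight exchanges; with split horizon and a silent failure Router2 keeps the stale route (until the invalid timer below expires), and with route poisoning it is marked unreachable in a single exchange.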
RIP Timers
Update   30 sec
Invalid  180 sec
Hold     180 sec
Flush    240 sec
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
EIGRP
EIGRP
EIGRP Components
EIGRP Messages
EIGRP Terminology
EIGRP Tables Types
EIGRP Modes
EIGRP Neighbours Requirements
EIGRP Components
PDM
It is used to support different types of routed protocols, like IP, IPX, AppleTalk.
RTP
It is used to send some EIGRP messages.
EIGRP messages:
1. Hello (multicast)
2. Update via RTP (multicast)
3. Acknowledgement (unicast)
4. Query via RTP (multicast)
5. Reply via RTP (unicast)
NDR
It is used to maintain neighbourship. Functions:
First, it determines how many neighbours exist.
Second, how many Hellos or Acknowledgements are expected.
If 3 consecutive Hellos are missed, the neighbour is removed from the neighbour table.
DUAL
A modification of the distance vector algorithm is called DUAL.
It provides a loop-free failover path.
EIGRP Terminology
Successor
Feasible Distance
Feasible Successor
Feasible Successor Requirement
AD/RD
Input Event
Local Computation
Going Active
Successor
The best route to reach a subnet or network.
Feasible Distance
The calculated metric of the successor is called the Feasible Distance.
Feasible Successor
Another best route; it provides a backup to the successor.
AD/RD
A router's FD is called the AD/RD (Advertised/Reported Distance) for its neighbours.
Input Event
Information which has the capability to change the database.
Local Computation
A term with two functions:
If the successor goes down, it uses the FS.
If no FS is available, then it goes active for that route.
Going Active
It means that a router is sending a query to its neighbours for a route.
Incremental Updates
When there is a change in topology, EIGRP sends updates.
Multicast Update
Updates go to 224.0.0.10.
Un-Equal Cost Load Balancing
In unequal-cost load balancing the best FD is multiplied by the variance multiplier to get a product; other routes whose metric is lower than that product are eligible for load balancing.
EIGRP Tables
Neighbour Table
Topology Table
Routing Table
Neighbour Table
First of all, EIGRP builds the neighbour table. It contains the following information:
IP address of neighbour
Interface
Up time
Hold time
Sequence number of last packet
Packets in queue
SRTT
RTO
Topology Table
After the neighbour table, EIGRP maintains the topology table.
It contains successors & feasible successors.
Routing Table
It contains three types of routes:
Internal
External
Summary
EIGRP Metric
The EIGRP metric is called a composite metric. It contains 5 elements; these elements are called K-values:
Bandwidth
Delay
Load
Reliability
MTU
Only bandwidth & delay are used for metric calculation.
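An added worked example (not from the book) that ties the metric description to the DUAL terms defined earlier in this chapter: it computes the classic composite metric with the default K-values, reproducing the 130816 that appears in the [90/130816] routes of this chapter's lab output, then picks the successor, feasible successors and variance-eligible paths for a constructed set of neighbours. The per-hop figures (GigabitEthernet 1,000,000 kbps / 10 us, FastEthernet 100,000 kbps / 100 us, loopback 8,000,000 kbps / 5000 us) are IOS defaults assumed here, and the feasibility condition applied is that a neighbour's RD must be lower than the current FD.

```python
"""EIGRP composite metric and DUAL route selection (added example, not from the book)."""

# Per-hop (bandwidth in kbps, delay in microseconds). IOS interface defaults, assumed.
GIG = (1_000_000, 10)
FAST = (100_000, 100)
LOOPBACK = (8_000_000, 5000)


def eigrp_metric(path, k1=1, k2=0, k3=1, k4=0, k5=0):
    """Classic composite metric over a path of (bandwidth, delay) hops.
    With the default K-values only the slowest bandwidth and the summed delay count."""
    min_bw = min(bw for bw, _ in path)
    total_delay = sum(d for _, d in path)
    bw_term = 10_000_000 // min_bw        # 10^7 / slowest link (kbps)
    delay_term = total_delay // 10        # delay expressed in tens of microseconds
    load, reliability = 1, 255            # assumed; only used if K2/K4/K5 are non-zero
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


# Constructed candidate paths from the ASA to one prefix; the first hop is the neighbour.
PATHS = {
    "R1": [GIG, LOOPBACK],         # ASA -gig- R1, prefix on R1's loopback
    "R2": [GIG, FAST, LOOPBACK],   # ASA -gig- R2 -fast- R1, same prefix
    "R3": [FAST, LOOPBACK],        # ASA -fast- R3, prefix on R3's loopback
}


def dual_select(paths, variance=1):
    """Apply the DUAL terms: FD = metric of the full path, RD = the neighbour's own
    metric (its FD, which it reports to us), successor = lowest FD, feasible
    successor = RD below our FD, load-balancing set = successor plus every feasible
    successor whose metric is below variance * FD."""
    fd = {n: eigrp_metric(p) for n, p in paths.items()}
    rd = {n: eigrp_metric(p[1:]) for n, p in paths.items()}
    successor = min(fd, key=fd.get)
    best_fd = fd[successor]
    feasible = [n for n in paths if n != successor and rd[n] < best_fd]
    balanced = [successor] + [n for n in feasible if fd[n] < variance * best_fd]
    return {"successor": successor, "fd": best_fd, "rd": rd,
            "feasible_successors": feasible, "load_balance": balanced}


if __name__ == "__main__":
    print("metric via R1:", eigrp_metric(PATHS["R1"]))   # 130816, as in the lab routes
    for v in (1, 2):
        print(f"variance {v}:", dual_select(PATHS, variance=v))
```

R2 has the lower-looking path but fails the feasibility condition (its RD 156160 exceeds the FD 130816), so it is never a feasible successor no matter how large the variance; R3 is feasible and becomes eligible for unequal-cost load balancing once variance is 2.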
EIGRP Neighbour Requirements
AS No.
K-values
Authentication
EIGRP Modes
Passive mode
When a successor goes down and the router has an FS, it is called Passive mode.
Active mode
When a successor goes down and the router has no FS, it is called Active mode.
EIGRP supports only MD5 authentication.
EIGRP AD: 5/90/170 (summary/internal/external)
EIGRP default hop count 100, max 255
EIGRP default variance 1, max 128
EIGRP default max-paths 4, max 16
EIGRP default hello 5/60 (LAN/FR)
EIGRP default hold 15/180 (LAN/FR)
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
172.10.1.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
172.10.2.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
172.10.3.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
172.10.4.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
172.10.5.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
172.10.6.0 255.255.255.0 [90/130816] via 192.168.1.1, 00:04:40, inside
172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.30.1.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
172.30.2.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
172.30.3.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
172.30.4.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
172.30.5.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
172.30.6.0 255.255.255.0 [90/130816] via 192.168.3.1, 00:04:38, outside
172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
! EIGRP AD changing
ASA1(config-router)# router eigrp 100
ASA1(config-router)# distance eigrp 111 222
ASA1(config-router)# sh route inside
D 172.10.1.0 255.255.255.0 [111/130816] via 192.168.1.1, 00:00:06, inside
D 172.10.2.0 255.255.255.0 [111/130816] via 192.168.1.1, 00:00:06, inside
D 172.10.3.0 255.255.255.0 [111/130816] via 192.168.1.1, 00:00:06, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Only one EIGRP AS is allowed
ASA1(config)# router eigrp 100
ASA1(config-router)# router eigrp 200
Too many IP routing processes for this routing protocol
ERROR: Unable to create router process
! Authentication in EIGRP on ASA
ASA1(config-if)# interface gigabitEthernet 0/0
ASA1(config-if)# authentication mode eigrp 100 md5
ASA1(config-if)# authentication key eigrp 100 shiva key-id 100
OSPF
OSPF
Difference between link State & Distance Vector
OSPF Tables
OSPF Messages & Contents
OSPF States
DR & BDR
DR & BDR Requirements
OSPF Area Structure
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Neighbour Ship Requirement
OSPF Authentication Types
OSPF Summarization Types
OSPF Virtual Link
OSPF Tables
Neighbours Table
Database Table
Routing Table
OSPF Messages
Hello
DBD (Database Descriptor)
LS Request
LS Update
LS Acknowledgement
Hello Message Contents
Router ID
Hello & Dead Interval
Network ID
Area
Priority
DR & BDR information
Authentication
Stub information
OSPF Packet Header Fields
Version
Type
Packet length
Router ID
Area
Checksum
Authentication
Authentication data
Data
OSPF States
Down
Attempt
Initialization
2 way
Ex-start
Exchange
Loading
Full
OSPF Area
The logical grouping of OSPF routers is called an OSPF Area.
Backbone Area
Regular Area
OSPF Priority
The OSPF Hello message has an 8-bit priority field; default value 1, maximum 255.
If the priority is zero, the router will not participate in the DR & BDR election.
Designated Router
When OSPF routers are connected to a multi-access network, one router is given the responsibility of forming adjacencies with the other routers; that router is called the DR.
Page 82 of 846
Secure Your Network With Cisco ASA Second Generation's OS 9.x
OSPF Metric
The OSPF metric is called cost; formula = 100 Mbps / bandwidth.
OSPF Network Types
Network type  Defined by  Hello interval  Dead interval  Auto neighbour  Manual neighbour  DR or BDR
Broadcast     Cisco       10              40             YES             NO                YES
P2P           Cisco       10              40             YES             NO                NO
P2MP          RFC         30              120            YES             NO                NO
P2MPNB        Cisco       30              120            NO              YES               NO
NBMA          RFC         30              120            NO              YES               YES
OSPF Router Types
Internal Router
Backbone Router
ABR
ASBR
Internal Router
A router with all of its interfaces in a regular area is called an Internal router.
Backbone Router
A router with all of its interfaces in area 0, the backbone area, is called a Backbone router.
ASBR
A router which connects the OSPF routing domain to another routing domain is called an ASBR.
LSA Types
Router LSA
Network LSA
Summary LSA
ASBR Summary LSA
External LSA
Group membership LSA
NSSA LSA
Router LSA
It contains the router ID of a router. It is sent within an area.
Network LSA
It contains the DR's router ID and is sent by the DR. It is sent within an area.
Summary LSA
When the routes of one area go to another area, they go as Summary LSAs. It is sent by the ABR.
ASBR Summary LSA
It contains the ASBR's router ID. It is generated by an ABR when the ABR receives an External LSA from the ASBR.
External LSA
It contains external routes. It is sent by the ASBR.
NSSA LSA
It contains external routes. It is used in an NSSA area; it allows an ASBR to send external routes through a stub area to the backbone.
Why? Because in STUB/NSSA areas LSA 5 is not allowed (they are filtered), so to hide LSA 5 the routes are encapsulated as LSA 7, and LSA 7 is only recognized within the NSSA area.
OSPF Area Types
Standard Area
Stub Area
Totally Stub Area
NSSA
Totally NSSA
Standard Area
It contains the entire OSPF domain itself.
If you are using a standard area then you can't reduce the size of the routing table; to reduce the size of the routing table we use the other area types.
Stub Area
It filters the external routes and replaces them with a default route.
NSSA
It allows an ASBR to send external routes through a stub area to the backbone area using LSA 7 (NSSA LSA).
Note: but it filters the external routes coming from the ABR.
It doesn't generate a default route.
Totally NSSA
It allows an ASBR to send external routes through a stub area to the backbone area using LSA 7 (NSSA LSA).
Note: but it filters the external & inter-area routes coming from the ABR.
It does generate a default route.
OSPF Authentication Types
1. Null (Type 0)
2. Plain text (Type 1)
3. MD5 (Type 2)
OSPF Route Codes
O    OSPF intra-area
O IA OSPF inter-area
O E2 OSPF External Metric-type 2
O E1 OSPF External Metric-type 1
O N2 OSPF External Metric-type 2 in NSSA Area
O N1 OSPF External Metric-type 1 in NSSA Area
In Metric-type 2 the internal cost is not added when routes are propagated through the OSPF domain.
In Metric-type 1 the internal cost is added when routes are propagated through the OSPF domain.
If you want the best path to be used for external routes, you have to use metric-type 1.
Seed Metric
When routes are redistributed into a routing protocol, that protocol needs a starting point; the starting point is called the seed metric.
The OSPF seed metric is 20. If you want to change it, you can change it at the time of redistribution.
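An added example (not from the book) that puts the cost formula, the seed metric and the E1/E2 rule together: two constructed ASBRs redistribute the same prefix with different seed metrics, and the same internal costs give a different winner under metric-type 2 and metric-type 1. Seed 20 over an internal cost of 10 also reproduces the [110/30] E1 route shown in this chapter's output. The ASBR names, seeds and costs are constructed; the E2 tie-break on the internal (forward) cost is standard OSPF behaviour.

```python
"""OSPF cost, seed metric and E1 vs E2 external routes (added example, not from the book)."""

REFERENCE_MBPS = 100   # the "100 Mbps / bandwidth" formula given above
DEFAULT_SEED = 20      # OSPF seed metric for redistributed routes, as stated above


def ospf_cost(bandwidth_mbps, reference_mbps=REFERENCE_MBPS):
    """Interface cost = reference bandwidth / interface bandwidth, never below 1."""
    return max(1, reference_mbps // bandwidth_mbps)


def external_metric(metric_type, seed, internal_cost):
    """E1 adds the internal cost to reach the ASBR; E2 keeps only the seed metric."""
    if metric_type == 1:
        return seed + internal_cost
    if metric_type == 2:
        return seed
    raise ValueError(f"unknown metric type {metric_type}")


def best_external_path(candidates, metric_type):
    """candidates: {asbr: (seed_metric, internal_cost_to_asbr)}.
    Returns (chosen ASBR, route metric). For E2 the seed alone normally decides;
    equal E2 metrics fall back to the internal (forward) cost, as OSPF does."""
    scored = {asbr: (external_metric(metric_type, seed, cost), cost)
              for asbr, (seed, cost) in candidates.items()}
    chosen = min(scored, key=scored.get)
    return chosen, scored[chosen][0]


# Constructed scenario: ASBR-A is far away (internal cost 50) but redistributes with
# the default seed 20; ASBR-B is close (internal cost 5) but was given seed 30.
CANDIDATES = {"ASBR-A": (DEFAULT_SEED, 50), "ASBR-B": (30, 5)}


if __name__ == "__main__":
    print("FastEthernet cost:", ospf_cost(100), " 10 Mbps cost:", ospf_cost(10))
    print("E1 metric, seed 20 over internal cost 10:", external_metric(1, DEFAULT_SEED, 10))
    print("E2 chooses:", best_external_path(CANDIDATES, 2))   # far ASBR wins on seed alone
    print("E1 chooses:", best_external_path(CANDIDATES, 1))   # near ASBR wins
```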
Important Note: OSPF neighbourship requirements
1. Subnet/mask
2. Hello interval
3. Dead interval
4. Authentication
5. Stub information
6. Area
7. MTU
OSPF AD 110
Default max-paths 4, maximum 16
224.0.0.6 is used by non-DR routers to reach the DR, only for Update & Acknowledgement
224.0.0.5 is used for Hello, from non-DR or DR to non-DR
224.0.0.5 is used for Update, from DR to non-DR
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
Neighbor ID  Pri  State    Interface
172.20.6.1   1    FULL/DR  dmz1
172.10.6.1   1    FULL/DR  inside
172.30.6.1   1    FULL/DR  outside
172.40.6.1   1    FULL/DR  dmz2
172.30.5.1 255.255.255.255 [110/11] via 192.168.3.1, 00:04:18, outside
172.30.6.1 255.255.255.255 [110/11] via 192.168.3.1, 00:04:18, outside
192.168.1.0 255.255.255.0 is directly connected, inside
192.168.1.2 255.255.255.255 is directly connected, inside
192.168.2.0 255.255.255.0 is directly connected, dmz1
192.168.2.2 255.255.255.255 is directly connected, dmz1
192.168.3.0 255.255.255.0 is directly connected, outside
192.168.3.2 255.255.255.255 is directly connected, outside
192.168.4.0 255.255.255.0 is directly connected, dmz2
192.168.4.2 255.255.255.255 is directly connected, dmz2
! No area 4 routes
! Virtual link in OSPF
ASA1(config-router)# router ospf 100
ASA1(config-router)# area 1 virtual-link 172.10.6.1
R1(config-router)#router os 100
R1(config-router)#area 1 virtual-link 192.168.4.2
R1(config-router)#
*Sep 28 10:02:01.999: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from LOADING to FULL, Loading Done
! Verification of routes learned via the virtual link
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O 172.30.1.1 255.255.255.255 [110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.2.1 255.255.255.255 [110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.3.1 255.255.255.255 [110/11] via 192.168.3.1, 00:02:35, outside
172.30.4.1 255.255.255.255 [110/11] via 192.168.3.1, 00:02:35, outside
172.30.5.1 255.255.255.255 [110/11] via 192.168.3.1, 00:02:41, outside
172.30.6.1 255.255.255.255 [110/11] via 192.168.3.1, 00:02:41, outside
192.168.1.0 255.255.255.0 is directly connected, inside
192.168.1.2 255.255.255.255 is directly connected, inside
192.168.2.0 255.255.255.0 is directly connected, dmz1
192.168.2.2 255.255.255.255 is directly connected, dmz1
192.168.3.0 255.255.255.0 is directly connected, outside
192.168.3.2 255.255.255.255 is directly connected, outside
192.168.4.0 255.255.255.0 is directly connected, dmz2
192.168.4.2 255.255.255.255 is directly connected, dmz2
! By default OSPF treats a loopback as a single host route. If you want it to be advertised as a network, do the following:
R1(config)#interface loopback 1
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 2
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 3
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 4
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 5
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 6
R1(config-if)#ip ospf network point-to-point
ASA1(config)# sh route inside
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
ASA1(config-router)# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O E1 172.20.1.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
Page 105 of 846
172.30.2.1 255.255.255.255 [110/11] via 192.168.3.1, 00:00:27, outside
172.30.3.1 255.255.255.255 [110/11] via 192.168.3.1, 00:00:28, outside
172.30.4.1 255.255.255.255 [110/11] via 192.168.3.1, 00:00:28, outside
172.30.5.1 255.255.255.255 [110/11] via 192.168.3.1, 00:00:28, outside
172.30.6.1 255.255.255.255 [110/11] via 192.168.3.1, 00:00:28, outside
172.40.1.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.2.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.3.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.4.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.5.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.6.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
IPv6 Introduction
IPv6
IPv6 Styles
IPv6 Routing Protocols
RIPng
OSPFv3
EIGRPv6
IPv6
Before IPv6 we have to understand IP.
IP Address
A logical address; it enables a machine to communicate with the other machines of a network.
IP Address Styles
1. Unicast
2. Broadcast
3. Multicast
IP Parts
1. Network ID
2. Host ID
Unicast
It goes one-to-one; if we are sending data to a group it requires retransmission, which eats up our bandwidth.
Broadcast
In it we send data to all. It is useful when the destination is unknown. It is used by DHCP, ARP and RIPv1. Each NIC receives the broadcast and processes it whether or not it is meant for that host. But broadcasts are not forwarded by a router or appliance.
Multicast
In it a source generates a stream that is distributed among the clients.
Or: when a host joins a multicast group its NIC is re-programmed and starts capturing data for the joined group.
Network ID
It enables us to determine the network location within a class.
Host ID
It enables us to determine the location of a host within a network.
IP Address Classes
A (1-126)/8
B (128-191)/16
C (192-223)/24
D (224-239) Multicast
E (240-255)
Multicast Mac
It is a 48-bit address. The first half of the address (24 bits) is the predefined 0100.5e; the 25th bit is always zero, and the last 23 bits are taken from the multicast IP address.
For example
224.0.0.1 -> 0100.5e00.0001
224.0.0.10 -> 0100.5e00.000a
IP Address Types
Public
They are accessible via the internet and unique in the world.
Private
They are not accessible via the internet; they can be used by private organizations.
Multicast Addresses
1. Link Local 224.0.0.0/24
2. Source Specific 232.0.0.0/8
3. GLOP 233.0.0.0/8
4. Administratively Scoped 239.0.0.0/8
5. Globally Scoped 224.0.1.0-231.255.255.255 and 234.0.0.0-238.255.255.255
Link Local
They are sent with a TTL value of one.
Source Specific
In Source Specific a host receives multicast traffic from a single server.
GLOP
It allocates 256 multicast addresses to each AS; the middle 16 bits are taken from the AS number.
IPv4: 32-bit address, written in decimal format separated by ( . ), 20-byte header.
IPv6
IPv6 Style
Unicast
Multicast
Anycast
Unicast Types
Unicast Types
Global Unicast
Unique Local
Link Local
Global Unicast
They are the public address routable over internet like ipv4 public addresses.
Start with 2000::/3
Unique Local
They are the private address not routable over internet like ipv4 private addresses. Start with
FD00::/8
Link Local
They are automatically created by the device and are used by routing protocols to communicate with each other.
Start with FE80::/10
A link-local address contains a 64-bit interface ID.
The interface ID (modified EUI-64) is built from the 48-bit MAC address with 16 extra bits inserted in the middle.
The inserted 16 bits are FFFE.
Procedure of Link Local
For example
MAC is 0000.0c07.ac01
Insert FFFE between the two halves of the MAC: 0000.0cff.fe07.ac01
The 7th bit of the first byte (the universal/local bit) is inverted, here from 0 to 1: 0200.0cff.fe07.ac01
Prefix with FE80::/64: FE80::200:CFF:FE07:AC01
IPV6 Format
1234:1234:1234:1234:1234:1234:1234:1234 (valid)
2000:0000:0000:1111:0000:0000:0000:0001 (valid)
2000:0:0:1111:0:0:0:1 (valid, leading zeros of each group dropped)
:: (a run of all-zero groups) may be used only once in an address
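The link-local derivation and the address-compression rules above, as an added worked example (this code is not from the book; the MAC 0000.0c07.ac01 is the book's, the helper names are mine). It builds the modified EUI-64 interface ID, prefixes it with FE80::/64, compresses the result, and also reverses the derivation to show why EUI-64 addresses leak the hardware address:

```python
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (0000.0c07.ac01), colon or hyphen notation."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """64-bit interface ID from a 48-bit MAC (RFC 4291, Appendix A):
    insert FF FE between the OUI and the device half, then invert the
    universal/local bit, which is bit 7 of the first byte (value 0x02)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface ID, printed in compressed form."""
    packed = b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_link_local(addr: str):
    """Reverse the derivation. Returns the MAC in Cisco notation, or None if
    the interface ID is not EUI-64 shaped (e.g. a privacy or manual address)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                       # undo the U/L bit flip
    h = bytes(iid[:3] + iid[5:]).hex()   # drop the inserted FFFE
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def compress(addr: str) -> str:
    """Canonical short form (RFC 5952): leading zeros dropped and the longest
    run of zero groups replaced by '::' exactly once."""
    return str(ipaddress.IPv6Address(addr))
```

Note that `compress` collapses the longest zero run, so the book's 2000:0:0:1111:0:0:0:1 becomes 2000:0:0:1111::1, not 2000::1111:0:0:1; and because `mac_from_link_local` recovers the burned-in MAC from any EUI-64 address, hosts that care about tracking use randomized interface IDs instead.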
RIPng
IS-ISv6
OSPFv3
EIGRPv6
MP-BGP
EIGRPv6
Cisco Proprietary
IP protocol no. 88
Same concept like EIGRP
Max-Path 16
Default Shutdown
It require Router ID
Multicast at FF02::A
MD5 authentication
OSPFv3
Still Open Standard
IP protocol no. 89
Use IPSec Authentication
It ADD 16 bytes Header while OSPF ADD 24 bytes
Note
Cisco ASA OS version 8.6 supports only static and default IPv6 routes.
Cisco ASA OS version 9.2.2.4 supports static and default routes plus OSPFv3 for IPv6 routing.
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:1::1/48
int lo1
ipv6 add 192:168:101::1/48
ipv6 route ::/0 192:168:1::2
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:2::1/48
int l1
ipv6 add 192:168:102::1/48
ipv6 route ::/0 192:168:2::2
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:3::1/48
int l1
ipv6 add 192:168:103::1/48
ipv6 route ::/0 192:168:3::2
With two default routes at different metrics, if our primary link goes down the appliance will use the secondary.
But consider this condition: there is no problem on our access link, but the ISP network has a problem, meaning ISP1 is not able to give us connectivity.
In this situation the appliance will not use the ISP2 link, because the ISP1 link is still up.
To solve this problem we have SLA (Service Level Agreement) monitoring.
With SLA we check reachability from our end to a public server using ICMP echo-requests.
The result feeds a track object, and the track is associated with a static route, for example the ISP1 default route.
If reachability is available the track stays up, and while the track is up the route remains in the routing table.
If reachability is lost the track goes down; when the track is down the appliance removes the primary route from the routing table and the secondary route is used.
Diagram:-
Initial-config
PC1
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#no shutdown
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1
ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#no shutdown
ISP(config-if)#ip add 101.1.1.1 255.255.255.0
ISP(config-if)#int f0/1
ISP(config-if)#no shutdown
ISP(config-if)#ip add 102.1.1.1 255.255.255.0
ISP(config-if)#int l1
ISP(config-if)#ip add 1.1.1.1 255.255.255.255
ASA1
ASA1(config)# hostname ASA1
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no sh
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.101.1 255.255.255.0
ASA1(config-if)# int g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside1
INFO: Security level for "outside1" set to 0 by default.
ASA1(config-if)# ip add 101.1.1.100 255.255.255.0
ASA1(config-if)# int g0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside2
INFO: Security level for "outside2" set to 0 by default.
ASA1(config-if)# ip add 102.1.1.100 255.255.255.0
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
! SLA on ASA
sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.1 interface outside1
timeout 1000
frequency 1
exit
sla monitor schedule 1 start-time now life forever
track 11 rtr 1 reachability
route outside1 0 0 101.1.1.1 track 11
route outside2 0 0 102.1.1.1 2
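The track-driven route selection described above, as an added model (not the book's code and not ASA code; the track/SLA IDs, interfaces and next hops are the ones from the configuration, the class names are mine). It shows the tracked primary route leaving and re-entering the table as the SLA probe fails and recovers, and the metric-2 route taking over only while the track is down:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    prefix: str
    iface: str
    next_hop: str
    metric: int = 1
    track: Optional[int] = None   # 'route ... track <id>'


@dataclass
class Tracker:
    """Models 'track <id> rtr <sla> reachability': the state follows the
    latest SLA return code. Assumption: the track starts down until the
    first probe answers, so the tracked route is not installed yet."""
    track_id: int
    sla_id: int
    up: bool = False
    changes: int = 0

    def update(self, probe_ok: bool) -> None:
        if probe_ok != self.up:
            self.up = probe_ok
            self.changes += 1


class Appliance:
    def __init__(self) -> None:
        self.routes = []
        self.trackers = {}

    def add_track(self, t: Tracker) -> None:
        self.trackers[t.track_id] = t

    def add_route(self, r: StaticRoute) -> None:
        if r.track is not None and r.track not in self.trackers:
            raise ValueError(f"route references unknown track {r.track}")
        self.routes.append(r)

    def sla_result(self, sla_id: int, ok: bool) -> None:
        """One 'sla monitor' probe completed (ok = echo reply received)."""
        for t in self.trackers.values():
            if t.sla_id == sla_id:
                t.update(ok)

    def installed(self):
        """Routes present in the RIB: untracked ones plus tracked ones whose track is up."""
        return [r for r in self.routes if r.track is None or self.trackers[r.track].up]

    def best_default(self) -> Optional[StaticRoute]:
        cands = [r for r in self.installed() if r.prefix == "0.0.0.0/0"]
        return min(cands, key=lambda r: r.metric, default=None)


def build_lab() -> Appliance:
    """The two default routes and track 11 from the configuration above."""
    asa = Appliance()
    asa.add_track(Tracker(track_id=11, sla_id=1))
    asa.add_route(StaticRoute("0.0.0.0/0", "outside1", "101.1.1.1", metric=1, track=11))
    asa.add_route(StaticRoute("0.0.0.0/0", "outside2", "102.1.1.1", metric=2))
    return asa


def failover_sequence(probe_results):
    """Feed a series of probe outcomes (constructed input) and return which
    egress interface carries the default route after each one."""
    asa = build_lab()
    chosen = []
    for ok in probe_results:
        asa.sla_result(1, ok)
        best = asa.best_default()
        chosen.append(best.iface if best else None)
    return chosen
```

Two points the model makes visible: the probe is pinned to `interface outside1`, so after failover it still goes out the primary link and can detect recovery (a probe that followed the routing table would succeed via ISP2 and never fail back); and the track follows a single target, so if 1.1.1.1 stops answering ICMP for reasons unrelated to ISP1, the firewall fails over anyway. Pick a probe target that is only reachable through that ISP and is expected to answer.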
ISP(config-if)#int l1
ISP(config-if)#no sh
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Up
6 changes, last change 00:00:08
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1
C
101.1.1.0 255.255.255.0 is directly connected, outside1
L
101.1.1.100 255.255.255.255 is directly connected, outside1
C
102.1.1.0 255.255.255.0 is directly connected, outside2
L
102.1.1.100 255.255.255.255 is directly connected, outside2
C
192.168.101.0 255.255.255.0 is directly connected, inside
L
192.168.101.1 255.255.255.255 is directly connected, inside
! Optional commands
ASA1(config)# nat (inside,outside1) source dynamic any interface
ASA1(config)# nat (inside,outside2) source dynamic any interface
ASA1(config)# class-map shiva
ASA1(config-cmap)# match default-inspection-traffic
ASA1(config-cmap)# policy-map shiva
ASA1(config-pmap)# class shiva
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# service-policy shiva interface inside
These commands are covered in the NAT and MPF chapters.
Multicasting
IP addresses styles
Multicast Mac
Multicast addresses
IGMP (internet group management protocol)
IGMP snooping
Multicast routing protocols
RPF (Reverse path forwarding)
Distribution tree
PIM (protocol independent multicast )
PIM version
IP Addresses Styles
1. Unicast
2. Broadcast
3. Multicast
Unicast
It goes one-to-one; if we are sending data to a group it requires retransmission, which eats up our bandwidth.
Broadcast
In it we send data to all. It is useful when the destination is unknown. It is used by DHCP, ARP and RIPv1.
Each NIC receives the broadcast and processes it whether or not it is meant for that host. But broadcasts are not forwarded by a router or appliance.
Multicast
In it a source generates a stream that is distributed among the clients.
Or: when a host joins a multicast group its NIC is re-programmed and starts capturing data for the joined group.
Multicast Mac
It is a 48-bit address. The first half of the address (24 bits) is the predefined 0100.5e; the 25th bit is always zero, and the last 23 bits are taken from the multicast IP address.
For examples
224.0.0.1#0100.5e00.0001
224.0.0.10#0100.5e00.000a
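The IP-to-MAC mapping described here (and in the IPv6 chapter above), as an added example; this is my code, not the book's, and the group 225.128.0.1 is a constructed input chosen to collide with 224.0.0.1. Because only 23 of the 28 significant bits survive, 32 groups share each Ethernet address, which the `aliases` helper enumerates:

```python
import ipaddress

# Fixed 24-bit prefix 01-00-5e; the 25th bit is always 0, so the MAC is
# 01005e followed by the low 23 bits of the group address.
MCAST_MAC_PREFIX = 0x01005E


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group (224.0.0.0/4) to its Ethernet MAC.
    Only the low-order 23 bits of the group are copied; the 5 bits just
    above them are discarded, so the mapping is many-to-one."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(ip) & 0x7FFFFF
    return f"{(MCAST_MAC_PREFIX << 24) | low23:012x}"   # e.g. 01005e000001


def cisco_dotted(mac_hex: str) -> str:
    """Render a 12-hex-digit MAC in Cisco xxxx.xxxx.xxxx notation."""
    return ".".join(mac_hex[i:i + 4] for i in range(0, 12, 4))


def aliases(group: str):
    """All 32 IPv4 multicast groups whose frames carry the same MAC as 'group'."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    # bits 23..27 of the address are the ones the MAC cannot express
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]
```

The practical consequence: a NIC or switch that filters on the multicast MAC for 224.0.0.1 also accepts frames for 225.128.0.1, 226.0.0.1 and the rest of the alias set, so any real group filtering has to happen at layer 3 (IGMP and the ASA's multicast routing), not at the Ethernet layer.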
Multicast Addresses
1. Link Local
2. Source Specific
3. GLOP
4. Administratively Scoped
5. Globally Scoped
224.0.0.0/24
232.0.0.0/8
233.0.0.0/8
239.0.0.0/8
224.0.1.0-231.255.255.255
234.0.0.0-238.255.255.255
Link Local
They are sent with a TTL value of one, so they never leave the local segment.
Source Specific
In Source Specific a host receives multicast traffic from a single, named source.
GLOP
It allocates 256 multicast addresses to each AS; the middle 16 bits are taken from the AS number.
Administratively Scoped
They are just like IPv4 private addresses and can be used inside a private organization; they must not be forwarded to the internet.
239.192.0.0/14 organization-local scope
239.255.0.0/16 site-local scope (RFC 2365 allows it to grow downward to 239.252.0.0/16)
Globally Scoped
They are fully routable over the internet.
IGMP
Version 2
The router sends a general query every 60 seconds to 224.0.0.1.
A host can leave a group by sending a Leave message to 224.0.0.2.
Queries carry a maximum response time.
Group-specific queries.
Querier election.
Version 3
Adds source filtering; used by SSM (Source Specific Multicast).
IGMP Snooping
It enables switches to determine which port is requesting which multicast group, so the stream is forwarded only to those ports.
Multicast Routing Protocols
DVMRP
Multicast OSPF (MOSPF)
CBT (Core Based Tree)
PIM
Distribution Tree
The path that multicast traffic follows from the source to the receivers is called the distribution tree.
Types
Source Tree
Shared Tree
Source Tree
It is rooted at the source and takes the shortest path from the source to each receiver. Used by PIM dense mode, where the tree is established by flooding first and pruning afterwards.
Shared Tree
It uses a common set of links rooted at the RP (rendezvous point). The first packets pass through the RP; after receiving them, the last-hop router can switch over to the shortest path towards the source.
Modes
Dense Mode
Sparse Mode
Sparse Dense Mode
Dense Mode
It assumes that a multicast receiver is present in every subnet.
The stream is flooded to every router; a router with no receivers sends a prune message to stop the unwanted flooding.
PIM Versions
Version 1
Version 2
Version 1
It provides automatic (Auto-RP) or manual RP selection.
RP announcements are sent to 224.0.1.39.
RP discovery messages are sent to 224.0.1.40.
Each router that may act as RP must be configured as a candidate RP.
Version 2
It uses the BSR (Bootstrap Router) mechanism.
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
PC1#debug ip icmp
ICMP packet debugging is on
PC2#debug ip icmp
ICMP packet debugging is on
PC3#debug ip icmp
ICMP packet debugging is on
Server1#debug ip icmp
ICMP packet debugging is on
Server1#ping 239.1.1.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
*Mar 1 00:10:19.647: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 0 from 192.168.101.10, 60 ms
*Mar 1 00:10:21.659: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 1 from 192.168.101.10, 72 ms
*Mar 1 00:10:23.679: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 2 from 192.168.101.10, 92 ms
*Mar 1 00:10:25.667: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 3 from 192.168.101.10, 80 ms
*Mar 1 00:10:27.659: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 4 from 192.168.101.10, 72 ms
Server1#
Server1#ping 239.1.1.2 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.2, timeout is 2 seconds:
*Mar 1 00:10:37.391: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 0 from 192.168.101.20, 60 ms
*Mar 1 00:10:39.415: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 1 from 192.168.101.20, 84 ms
*Mar 1 00:10:41.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 2 from 192.168.101.20, 56 ms
*Mar 1 00:10:43.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 3 from 192.168.101.20, 52 ms
*Mar 1 00:10:45.399: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 4 from 192.168.101.20, 68 ms
Server1#
Server1#ping 239.1.1.3 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.3, timeout is 2 seconds:
*Mar 1 00:10:53.259: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
PC1#debug ip icmp
ICMP packet debugging is on
PC1#
*Mar 1 00:09:49.379: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:20.795: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:22.807: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:24.823: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:26.823: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:28.803: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC2#debug ip icmp
ICMP packet debugging is on
PC2#
*Mar 1 00:10:39.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:41.863: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:43.871: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:45.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:47.859: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC3#debug ip icmp
ICMP packet debugging is on
PC3#
*Mar 1 00:08:39.027: %SYS-5-CONFIG_I: Configured from console by console
PC3#
*Mar 1 00:10:54.587: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:10:56.571: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:10:58.571: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
Access-list
A list of conditions used to classify packets so that an action (permit, deny, NAT, inspection) can be applied to them.
Types:
Standards Access-list
Extended Access-list
Named Base Access-list
Time Base Access-list
Standard Access-list
It permits or denies an entire IP packet based on its source address only. Mostly used for route filtering.
(IOS numbered range 1-99 and 1300-1999)
Extended Access-list
It permits or denies on Layer 3, Layer 4 and upper-layer protocol fields (source, destination, protocol, port). Mostly used for traffic filtering.
(IOS numbered range 100-199 and 2000-2699)
Named Access-list
In this access-list we give the access-list a name instead of a number.
It can be standard or extended.
Time-based Access-list
It is time oriented: we attach a time range, e.g. weekdays or weekends, during which the entry is active.
Object Group
A feature of Cisco ASA that simplifies access-list management: hosts, networks, protocols or services are grouped once and the group is referenced in the access-list entries.
Types
1. Network Object Group
2. Protocol Object Group
3. Service Object Group
4. ICMP Object Group
Network Object Group
In it we can define networks, subnets, ranges and single IP addresses.
Protocol Object Group
In it we can define protocols such as TCP, UDP, etc.
Service Object Group
In it we can define services (ports) related to TCP and UDP.
ICMP Object Group
In it we can define only ICMP message types.
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
passive-interface fastEthernet 0/1
TSS1
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
ASA1
interface GigabitEthernet 0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet 0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet 0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet 0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
network 192.168.1.0 255.255.255.0
ASA1(config)# object-group ?
configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network Specifies a group of host or subnet IP addresses
protocol Specifies a group of protocols, such as TCP, etc
service Specifies a group of TCP/UDP ports/services
user Specifies single user, local or import user group
object-group network ALL-TSS-SERVERS
network-object host 192.168.10.10
network-object host 192.168.10.20
network-object host 192.168.10.30
object-group network ALL-WEB-SERVERS
network-object host 192.168.20.10
network-object host 192.168.20.20
network-object host 192.168.20.30
! Service Object
object-group service TELNET tcp
port-object eq telnet
object-group service SSH tcp
port-object eq ssh
object-group service HTTP tcp
port-object eq www
object-group service HTTPS tcp
port-object eq https
! ICMP Object
object-group icmp-type MY-ICMP-OBJECT
icmp-object echo-reply
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group TELNET
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group SSH
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTP
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTPS
access-list out extended permit icmp any object inside object-group MY-ICMP-OBJECT
access-list out extended permit icmp any object inside-lan object-group MY-ICMP-OBJECT
access-group out in interface outside
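The way the object groups above expand into individual rules and are evaluated first-match with an implicit deny at the end, as an added example (my code, not the book's or Cisco's; the groups and entries are transcribed from the configuration above, the `inside` / `inside-lan` objects are left out because they are not defined on this page):

```python
import ipaddress
from dataclasses import dataclass

# Object groups transcribed from the ASA configuration above.
NETWORK_GROUPS = {
    "ALL-TSS-SERVERS": ["192.168.10.10", "192.168.10.20", "192.168.10.30"],
    "ALL-WEB-SERVERS": ["192.168.20.10", "192.168.20.20", "192.168.20.30"],
}
SERVICE_GROUPS = {"TELNET": {23}, "SSH": {22}, "HTTP": {80}, "HTTPS": {443}}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip"
    src: str               # "any" or a network object-group name
    dst: str
    dst_ports: frozenset   # empty means any destination port


# access-list out ..., in the order the ASA evaluates it
ACL_OUT = [
    Ace("permit", "tcp", "any", "ALL-TSS-SERVERS", frozenset(SERVICE_GROUPS["TELNET"])),
    Ace("permit", "tcp", "any", "ALL-TSS-SERVERS", frozenset(SERVICE_GROUPS["SSH"])),
    Ace("permit", "tcp", "any", "ALL-WEB-SERVERS", frozenset(SERVICE_GROUPS["HTTP"])),
    Ace("permit", "tcp", "any", "ALL-WEB-SERVERS", frozenset(SERVICE_GROUPS["HTTPS"])),
]


def expand(obj: str):
    """A network object-group becomes a list of /32 networks; 'any' is 0.0.0.0/0."""
    if obj == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(h) for h in NETWORK_GROUPS[obj]]


def matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, dst_port) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(s in n for n in expand(ace.src)):
        return False
    if not any(d in n for n in expand(ace.dst)):
        return False
    return not ace.dst_ports or dst_port in ace.dst_ports


def evaluate(acl, proto: str, src_ip: str, dst_ip: str, dst_port=None):
    """First matching entry wins; a packet that matches nothing hits the
    implicit deny and is dropped. Returns (action, 1-based entry index)."""
    for idx, ace in enumerate(acl, start=1):
        if matches(ace, proto, src_ip, dst_ip, dst_port):
            return ace.action, idx
    return "deny", None


def expanded_ace_count(acl) -> int:
    """How many individual rules the object groups expand to, i.e. what
    'show access-list' counts once the groups are unrolled."""
    return sum(len(expand(a.src)) * len(expand(a.dst)) * max(1, len(a.dst_ports))
               for a in acl)
```

Note that the entries reference the servers' real addresses (192.168.10.x) even though the `sh xlate` output below shows them statically translated to 101.1.1.101-103: on ASA 8.3 and later the interface ACL is matched against the untranslated (real) address. A connection to 192.168.10.10 on port 80 is dropped by the implicit deny, because that host is only in the Telnet/SSH entries.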
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/84 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/80 ms
ASA1(config)# sh xlate
8 in use, 8 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz1:192.168.10.10 to outside:101.1.1.101
flags s idle 0:12:26 timeout 0:00:00
NAT from dmz1:192.168.10.20 to outside:101.1.1.102
flags s idle 0:12:20 timeout 0:00:00
NAT from dmz1:192.168.10.30 to outside:101.1.1.103
flags s idle 0:12:16 timeout 0:00:00
NAT on OS 8.0
Static Nat
Dynamic NAT
PAT
Static PAT
NAT Bypass
Identity NAT
NAT Exemption
Policy NAT
NAT
A service that enables internal users to access the internet from private addresses.
Or
Using NAT we map one IP address to another.
Types
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. NAT Bypass
a. Identity NAT
b. NAT exemption
6. Policy NAT
Static NAT
In static NAT we create a one-to-one mapping between a real and a mapped IP address.
It is bi-directional: the mapping exists permanently, so connections can be initiated from either side.
Dynamic NAT
In dynamic NAT we map multiple real IP addresses to a pool of mapped addresses, assigned as hosts start connections.
PAT
In PAT we map multiple IP addresses to a single mapped IP, distinguishing them by port.
Using PAT one mapped IP can carry roughly 65k concurrent translations (one per port, per protocol).
Uni-directional: a translation is created only by outbound traffic, so outside hosts cannot initiate connections to inside hosts.
Static PAT
In static PAT we map one port of a real IP address to a port of a mapped IP address.
Uni-directional in scope: only that port is reachable from outside.
NAT Bypass
When nat-control is enabled in OS 8.0, every packet crossing the appliance must match a NAT rule. To avoid translating some traffic we use NAT bypass.
Identity NAT
In it an IP address is translated into itself; it is used for applications that do not support NAT, such as GDOI (GET VPN).
NAT Exemption
It is used for VPN traffic in 8.0, to exclude that traffic from the NAT rules.
Policy NAT
In policy NAT we can define the conditions under which a translation applies.
The condition can be port based or IP based (source and destination).
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
ISP#
*Mar 1 00:17:01.699: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.751: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.795: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.815: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.835: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:17:06.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Mar 1 00:17:08.903: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:08.971: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:08.987: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:09.007: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Mar 1 00:17:35.855: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:17:40.675: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:17:41.667: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:17:42.679: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
! static nat is bi-directional
! private will map with public
! public will map with private
ASA1(config)# sh xlate
3 in use, 4 most used
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
ASA1
clear configure nat
clear configure access-list
clear configure static
! dynamic nat
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 101.1.1.101-101.1.1.106
! TCP & UDP return traffic is allowed back statefully; ICMP echo replies are not, so permit them inbound with an ACL (or enable ICMP inspection)
access-list out permit icmp any host 101.1.1.101
access-list out permit icmp any host 101.1.1.102
access-list out permit icmp any host 101.1.1.103
access-list out permit icmp any host 101.1.1.104
access-list out permit icmp any host 101.1.1.105
access-list out permit icmp any host 101.1.1.106
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/40/76 ms
R1#ping 101.1.1.1 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/28/52 ms
Server1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/40/68 ms
Server1#
Server2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/40/68 ms
Server2#
ASA1(config)# sh xlate
6 in use, 6 most used
Global 101.1.1.105 Local 192.168.20.100
Global 101.1.1.104 Local 192.168.10.100
Global 101.1.1.103 Local 192.168.101.1
Global 101.1.1.106 Local 192.168.101.100
ASA1(config)# sh xlate
3 in use, 7 most used
PAT Global 101.1.1.100(1) Local 192.168.102.100(138)
PAT Global 101.1.1.100(5) Local 192.168.101.100 ICMP id 1
ISP#
*Mar 1 00:42:11.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.839: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.867: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.887: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
!ASA1
! static PAT
! now we have 5 servers telnet,ssh,http,https,ftp
! telnet , ssh in dmz1
! http , https in dmz2
! ftp in inside
static (inside,outside) tcp interface 21 192.168.101.100 21
static (dmz1,outside) tcp interface 22 192.168.10.100 22
static (dmz1,outside) tcp interface 23 192.168.10.100 23
static (dmz2,outside) tcp interface 80 192.168.20.100 80
static (dmz2,outside) tcp interface 443 192.168.20.100 443
! traffic originates from the lower-security interface towards the higher one, so an access-list on outside is required
access-list out permit tcp any interface outside eq 21
access-list out permit tcp any interface outside eq 22
access-list out permit tcp any interface outside eq 23
access-list out permit tcp any interface outside eq 80
access-list out permit tcp any interface outside eq 443
access-group out in interface outside
R1#telnet 192.168.10.100
Trying 192.168.10.100 ...
% Connection refused by remote host
NAT on OS 9.2.2.4
Static Nat
Dynamic NAT
PAT
Static PAT
Identity NAT
Twice NAT
NAT
A service that enables internal users to access the internet from private addresses.
Or
Using NAT we map one IP address to another.
Types
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. Identity NAT
6. Twice NAT
Static NAT
In static NAT we create a one-to-one mapping between a real and a mapped IP address.
It is bi-directional: the mapping exists permanently, so connections can be initiated from either side.
Dynamic NAT
In dynamic NAT we map multiple real IP addresses to a pool of mapped addresses, assigned as hosts start connections.
PAT
In PAT we map multiple IP addresses to a single mapped IP, distinguishing them by port.
Using PAT one mapped IP can carry roughly 65k concurrent translations (one per port, per protocol).
Uni-directional: a translation is created only by outbound traffic, so outside hosts cannot initiate connections to inside hosts.
Static PAT
In static PAT we map one port of a real IP address to a port of a mapped IP address.
Uni-directional in scope: only that port is reachable from outside.
Identity NAT
In it an IP address is translated into itself; it is used for applications that do not support NAT, such as GDOI (GET VPN), and for VPN traffic in OS version 8.4 and later.
Twice NAT
In Twice NAT the translation depends on both the source and the destination:
If the source is A and the destination is B, translate into X.
If the source is A and the destination is C, translate into Y.
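The direction rules stated for static NAT, PAT and static PAT (here and in the OS 8.0 chapter above), as an added model; this is my code, not the book's or the ASA's, and the rules are the ones shown later on this page (Server1 192.168.10.100 statically mapped to 101.1.1.104, pc1's port 21 published as 2121 on the outside interface 101.1.1.100). Inbound packets untranslate only through a static mapping or an xlate that outbound traffic already created:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OUTSIDE_IF_IP = "101.1.1.100"   # the ASA's outside interface address


@dataclass
class StaticNat:               # one-to-one, permanent, both directions
    real_ip: str
    mapped_ip: str


@dataclass
class StaticPat:               # one real ip:port published as one mapped ip:port
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass
class NatTable:
    statics: list = field(default_factory=list)
    static_pats: list = field(default_factory=list)
    pat_ip: str = OUTSIDE_IF_IP
    # dynamic PAT xlates created by outbound traffic: mapped port -> (real ip, real port)
    xlate: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024      # simplification: sequential ports, no port preservation

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """inside -> outside: static rules first, otherwise dynamic PAT
        allocates a port on the interface address and records the xlate."""
        for s in self.statics:
            if s.real_ip == src_ip:
                return s.mapped_ip, src_port
        for p in self.static_pats:
            if (p.real_ip, p.real_port) == (src_ip, src_port):
                return p.mapped_ip, p.mapped_port
        for mport, real in self.xlate.items():
            if real == (src_ip, src_port):
                return self.pat_ip, mport       # reuse the existing xlate
        mport = self.next_port
        self.next_port += 1
        self.xlate[mport] = (src_ip, src_port)
        return self.pat_ip, mport

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """outside -> inside: only a static mapping or an existing dynamic
        xlate can untranslate; anything else has no target and is dropped."""
        for s in self.statics:
            if s.mapped_ip == dst_ip:
                return s.real_ip, dst_port      # every port, unsolicited
        for p in self.static_pats:
            if (p.mapped_ip, p.mapped_port) == (dst_ip, dst_port):
                return p.real_ip, p.real_port   # that one port only
        if dst_ip == self.pat_ip and dst_port in self.xlate:
            return self.xlate[dst_port]         # reply to an outbound flow
        return None


def lab_table() -> NatTable:
    """Static NAT for Server1 and static PAT for pc1, as configured on this page."""
    return NatTable(
        statics=[StaticNat("192.168.10.100", "101.1.1.104")],
        static_pats=[StaticPat("192.168.101.100", 21, OUTSIDE_IF_IP, 2121)],
    )
```

The model only decides whether a translation exists; on the ASA the inbound packet must additionally pass the outside ACL, which is written against the real addresses. That ACL is the only thing standing between the internet and every port of a statically translated server, which is the security cost of static NAT being bi-directional.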
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
ASA1# sh xlate
5 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.1 to outside:101.1.1.101
flags s idle 0:01:30 timeout 0:00:00
NAT from dmz1:192.168.10.100 to outside:101.1.1.104
flags s idle 0:01:21 timeout 0:00:00
NAT from dmz2:192.168.20.100 to outside:101.1.1.105
flags s idle 0:01:12 timeout 0:00:00
ASA1# sh xlate
4 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
! PAT
object network inside
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic interface
! ASA allows TCP & UDP return traffic back statefully
! for ICMP replies an ACL (or ICMP inspection) is needed
access-list out permit icmp any object inside
access-group out in interface outside
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1(config)# sh xlate
1 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.101.100/1 to outside:101.1.1.100/1 flags ri idle 0:00:27 timeout
0:00:30
ISP#
*Sep 29 04:59:48.699: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.703: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.703: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:48.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 04:59:51.259: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.263: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.263: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.267: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:51.267: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 04:59:58.595: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 04:59:59.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:00.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:01.599: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:31.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Sep 29 05:00:32.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:33.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Sep 29 05:00:34.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
! static pat
object network pc1
host 192.168.101.100
nat (inside,outside) static interface service tcp 21 2121
! open acl
access-list out permit tcp any object pc1 eq 21
access-group out in interface outside
ASA1(config)# sh xlate
8 in use, 8 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23 flags srIT idle 0:00:28 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 22-22 to inside:0.0.0.0/0 22-22 flags srIT idle 0:06:36 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 21-21 to inside:0.0.0.0/0 21-21 flags srIT idle 0:06:08 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 80-80 to inside:0.0.0.0/0 80-80 flags srIT idle 0:06:00 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 443-443 to inside:0.0.0.0/0 443-443 flags srIT idle 0:05:50 timeout 0:00:00
TCP PAT from inside:192.168.101.100/49237 to outside:101.1.1.23/49237 flags ri idle 0:00:28 timeout 0:00:30
TCP PAT from inside:192.168.1.1/45171 to outside:101.1.1.23/45171 flags ri idle 0:00:44 timeout 0:00:30
R1#ssh -l shiva 101.1.1.1
% Connection reset by user
R1#ssh -l shiva 101.1.1.1
Password:
ISP#
ASA1(config)# sh xlate
7 in use, 9 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23 flags srIT idle 0:01:23 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 22-22 to inside:0.0.0.0/0 22-22 flags srIT idle 0:00:22 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 21-21 to inside:0.0.0.0/0 21-21 flags srIT idle 0:08:51 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 80-80 to inside:0.0.0.0/0 80-80 flags srIT idle 0:00:04 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 443-443 to inside:0.0.0.0/0 443-443 flags srIT idle 0:00:03 timeout 0:00:00
TCP PAT from inside:192.168.101.100/49248 to outside:101.1.1.81/49248 flags ri idle 0:00:03 timeout 0:00:30
!ASA
! twice nat using ip
object network inside
subnet 192.168.0.0 255.255.0.0
object network internet
subnet 101.1.1.0 255.255.255.0
object network internet-lan
subnet 192.168.102.0 255.255.255.0
object network ip
object network ip1
host 101.1.1.111
object network ip2
host 101.1.1.222
nat (inside,outside) source static inside inside destination static s2s-traffic s2s-traffic
nat (inside,outside) source dynamic any interface
access-list out permit icmp any object inside
access-group out in interface outside
CTP (Cut-Through-Proxy)
A Cisco ASA feature that lets us authenticate requests for protocols such as TELNET, HTTP, HTTPS and FTP for inbound or outbound connections.
It works for either inbound or outbound traffic, not both at the same time.
Working
1. The client initiates a request for a destination.
2. The ASA prompts for a username and password.
3. The client provides the username and password.
4. The ASA forwards the credentials to the AAA server.
5. The AAA server authenticates the user credentials.
6. If the AAA server authenticates the user, the ASA adds the connection and forwards the request to the actual destination.
7. Otherwise the request is dropped.
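The seven steps above as an added example (not code from the book): a model of the ASA's uauth cache, in which an authenticated source IP is passed through without a new prompt until the absolute or inactivity timeout that `show uauth` reports expires, and `clear uauth` forces re-authentication. Class and function names are hypothetical, and the AAA server is a constructed in-memory stand-in.

```python
import time

# Constructed stand-in for the AAA server's user database.
AAA_USERS = {"shiva": "shiva"}


def aaa_authenticate(username: str, password: str) -> bool:
    """Stand-in for the RADIUS/TACACS+ round trip (steps 4 and 5)."""
    return AAA_USERS.get(username) == password


class CutThroughProxy:
    """Models the ASA's uauth cache: one entry per authenticated source IP,
    expired by an absolute timeout and an optional inactivity timeout
    (the two values 'show uauth' prints; 0 means disabled)."""

    def __init__(self, absolute_timeout: int = 300, inactivity_timeout: int = 0):
        self.absolute = absolute_timeout
        self.inactivity = inactivity_timeout
        self.uauth = {}  # src_ip -> {"user", "auth_time", "last_seen"}

    def _entry_valid(self, entry: dict, now: float) -> bool:
        if now - entry["auth_time"] >= self.absolute:
            return False
        if self.inactivity and now - entry["last_seen"] >= self.inactivity:
            return False
        return True

    def request(self, src_ip: str, credentials=None, now=None) -> str:
        """One client request; returns 'forwarded', 'prompt' or 'dropped'.
        A cached, still-valid entry is passed through without a new prompt
        (the 'cut-through' part); otherwise the client is prompted and its
        credentials are checked against AAA before the connection is added."""
        now = time.time() if now is None else now
        entry = self.uauth.get(src_ip)
        if entry and self._entry_valid(entry, now):
            entry["last_seen"] = now
            return "forwarded"
        self.uauth.pop(src_ip, None)        # a stale entry, if any, is removed
        if credentials is None:
            return "prompt"                  # step 2: ASA asks for credentials
        username, password = credentials
        if aaa_authenticate(username, password):
            self.uauth[src_ip] = {"user": username, "auth_time": now, "last_seen": now}
            return "forwarded"               # step 6: connection added
        return "dropped"                     # step 7

    def clear_uauth(self) -> None:
        """Equivalent of 'clear uauth': every client must authenticate again."""
        self.uauth.clear()

    def authenticated_users(self, now=None) -> list:
        """Source IPs with a currently valid entry (like 'show uauth')."""
        now = time.time() if now is None else now
        return [ip for ip, e in self.uauth.items() if self._entry_valid(e, now)]
```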
Authorization
It defines what a user is allowed to do in the network.
Accounting
It records what the user has done.
AAA Protocols
Radius
Tacacs+
Versions
4.x
5.x
5.5 Latest
Versions
1.0
1.2.0
1.2.1 Latest
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
ASA1# sh uauth
Current Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
user 'shiva' at 192.168.101.100, authenticated (idle for 0:00:10)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
ASA1# clear uauth
If it asks for the username and password again, click Cancel and refresh the FTP page.
IPsec Introduction
IPsec VPN
IPsec VPN Features
Encryption Algorithms
Pre-shared Key
Public Key Infrastructure
ESP
AH
IKE
ISAKMP
NAT-T
Security Association
IPsec VPN
IPsec VPN provides secure IP communication over an insecure network.
Confidentiality
Integrity
Data Origin Authentication
Anti-Replay
Confidentiality
It means your data is kept secret using an encryption algorithm such as DES, 3DES or AES.
Encryption Algorithms
Encryption is simply a mathematical algorithm and a key applied to data to make the contents unreadable to everyone except those who have the ability to decrypt it.
Symmetric Encryption
Asymmetric Encryption
Symmetric Encryption
Symmetric encryption algorithms are also called secret key cryptography. As the name implies, there is a single secret key that is used both to encrypt and to decrypt the data.
DES
3DES
AES
DES
56-bit key; it has been broken in less than 24 hours using modern computers.
3DES
Three different 56-bit keys (DES encrypt, DES decrypt, DES encrypt) are used to create the ciphertext. It has not yet been broken, but it has theoretical flaws.
AES
It is considered the symmetric encryption choice today. Key sizes range from 128 bits to 256 bits.
Integrity
It verifies whether your data was altered during transmission, using a hash algorithm such as MD5 or SHA.
Pre-Shared Key
A single key is applied on both peers.
Public Key Infrastructure
1. The host generates its RSA keys and requests the public key of the CA.
2. The CA sends its public key.
3. The host generates a certificate request and sends it to the CA.
4. The CA signs the certificate request with its private key and sends the certificate to the host.
5. The host saves it.
6. The certificate is then used for secure communication.
Anti-Replay
It means that if your data arrives late it is considered altered and is dropped. Anti-replay can be defined in kilobytes or seconds.
IPsec Protocols
ESP
AH
IKE
AH (Authentication Header)
IKE Modes
Main Mode
Aggressive Mode
Quick Mode
Main Mode
In main mode there are 6 attributes or messages in three steps.
1. The initiator sends its proposal to the responder, and the responder sends its proposal to the initiator.
2. The initiator sends its key to the responder, and the responder sends its key to the initiator.
3. At the end they authenticate the session.
Aggressive Mode
In aggressive mode the 6 attributes are exchanged in three steps.
1. The initiator sends its proposal and key to the responder.
2. The responder authenticates the initiator's proposal and sends its own proposal and key to the initiator.
3. The initiator authenticates the session.
Note: either main mode or aggressive mode is used, not both.
Quick Mode
In quick mode they recheck their attributes using the SPI (Security Parameter Index). The SPI is sent with every packet by the peers.
IKE Phases
1. Phase1
2. Phase1.5 (optional)
3. Phase2
Phase 1
In Phase 1 they create a single bidirectional IKE tunnel. A single key is used to authenticate the session. In Phase 1 either main mode or aggressive mode is used.
Site-Site: Main mode
Remote Access: Aggressive mode
DMVPN: Main mode
GETVPN: Main mode
Phase 1.5
It is an optional IKE phase. Phase 1.5 provides an additional layer of authentication, called Xauth, or Extended Authentication. Xauth forces the user to authenticate before use of the IPsec connection is granted.
Phase 2
When Phase 1 completes successfully, Phase 2 starts.
If Phase 1 does not complete successfully, Phase 2 will not start.
In Phase 2 they create multiple IPsec tunnels: two tunnels per protocol, ESP or AH.
ISAKMP
IKE is a management protocol; it actually uses ISAKMP for key exchange.
ISAKMP (Internet Security Association and Key Management Protocol) uses UDP port 500.
IKE Versions
IKE Version 1
6 messages
Uses ISAKMP
NAT-T support
Fire and forget
No VoIP support
No cryptographic mechanism for key exchange
IKE Version 2
4 to 6 messages
Uses ISAKMP
NAT-T support
Checks peer existence via cookies
VoIP support
Uses Suite B cryptography
IKE Version 2
Steps
IKE_SA_INIT: Message 1
The initiator proposes the basic SA attributes along with authentication material.
Equivalent to messages 1 and 3 in IKEv1.
IKE_SA_INIT: Message 2
The responder sends back the set of attributes acceptable under the SA, along with authentication material.
Equivalent to messages 2 and 4 in IKEv1.
IKE_AUTH: Message 3
Authentication material is sent along with CHILD_SA information.
Equivalent to message 5 of main mode and part of quick mode in IKEv1.
IKE_AUTH: Message 4
Authentication material is sent along with CHILD_SA information.
Equivalent to message 6 of main mode and part of quick mode in IKEv1.
Note: VTI and GRE/IPsec complete after this message.
Optional
CREATE_CHILD_SA: Message 1
The initiator sends its authentication material and ID.
An additional child exchange, equivalent to quick mode in IKEv1.
CREATE_CHILD_SA: Message 2
The responder sends its authentication material and ID.
An additional child exchange, equivalent to quick mode in IKEv1.
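The four-message exchange above, as an added example that is not part of the book: two peers run IKE_SA_INIT (Diffie-Hellman and nonces) and then IKE_AUTH with a pre-shared key, deriving SKEYSEED, the SK_* keys and the CHILD_SA KEYMAT as RFC 7296 specifies. Class and function names are hypothetical; it assumes DH group 2 (the 1024-bit MODP prime is transcribed here) and HMAC-SHA1 as the PRF, and leaves out real payload encoding, the encryption of IKE_AUTH and the certificate (rsa-sig) authentication the lab uses.

```python
import hashlib
import hmac
import secrets

# DH group 2: 1024-bit MODP prime from RFC 2409 (transcribed here), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_PAD = b"Key Pad for IKEv2"                      # RFC 7296 section 2.15
PROPOSAL = b"ENCR_AES_CBC|INTEG_HMAC_SHA1_96|PRF_HMAC_SHA1|DH_GROUP_2"
PRF_LEN = 20                                        # SHA-1 output length


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def encode_init(spi: bytes, ke: int, nonce: bytes) -> bytes:
    """Fixed-width stand-in for an IKE_SA_INIT message: SPI | KE | nonce | SA."""
    return spi + ke.to_bytes(128, "big") + nonce + PROPOSAL


class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1     # DH private exponent
        self.ke = pow(G, self.priv, P)              # KE payload (g^x mod p)
        self.nonce = secrets.token_bytes(16)
        self.spi = secrets.token_bytes(8)

    def sa_init(self) -> bytes:
        return encode_init(self.spi, self.ke, self.nonce)

    def derive_keys(self, own_msg: bytes, peer_msg: bytes, initiator: bool) -> None:
        """After IKE_SA_INIT: SKEYSEED = prf(Ni|Nr, g^ir) and
        SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr).
        Every key is cut to PRF_LEN here because nothing is encrypted."""
        peer_spi, peer_nonce = peer_msg[:8], peer_msg[136:152]
        peer_ke = int.from_bytes(peer_msg[8:136], "big")
        g_ir = pow(peer_ke, self.priv, P).to_bytes(128, "big")
        self.initiator = initiator
        self.ni, self.nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        spi_i, spi_r = (self.spi, peer_spi) if initiator else (peer_spi, self.spi)
        self.msg1, self.msg2 = (own_msg, peer_msg) if initiator else (peer_msg, own_msg)
        skeyseed = prf(self.ni + self.nr, g_ir)
        km = prf_plus(skeyseed, self.ni + self.nr + spi_i + spi_r, 7 * PRF_LEN)
        keys = [km[i * PRF_LEN:(i + 1) * PRF_LEN] for i in range(7)]
        self.sk_d, self.sk_pi, self.sk_pr = keys[0], keys[5], keys[6]

    def _signed_octets(self, as_initiator: bool, ident: bytes) -> bytes:
        """InitiatorSignedOctets = RealMessage1 | Nr | prf(SK_pi, IDi');
        ResponderSignedOctets = RealMessage2 | Ni | prf(SK_pr, IDr')."""
        if as_initiator:
            return self.msg1 + self.nr + prf(self.sk_pi, ident)
        return self.msg2 + self.ni + prf(self.sk_pr, ident)

    def auth_payload(self, ident: bytes) -> bytes:
        """IKE_AUTH: AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <SignedOctets>)."""
        return prf(prf(self.psk, KEY_PAD), self._signed_octets(self.initiator, ident))

    def verify_peer_auth(self, ident: bytes, auth: bytes) -> bool:
        """Recompute the peer's AUTH from the opposite role's signed octets."""
        expected = prf(prf(self.psk, KEY_PAD), self._signed_octets(not self.initiator, ident))
        return hmac.compare_digest(expected, auth)

    def child_keymat(self, length: int = 2 * (16 + 20)) -> bytes:
        """CHILD_SA keying: KEYMAT = prf+(SK_d, Ni|Nr), split into the ESP keys."""
        return prf_plus(self.sk_d, self.ni + self.nr, length)


def run_exchange(psk_i: bytes, psk_r: bytes) -> tuple:
    """Drive the four messages between two peers; returns
    (ike_sa_established, child_sa_keys_match)."""
    init, resp = Peer(psk_i), Peer(psk_r)
    m1 = init.sa_init()                       # IKE_SA_INIT message 1
    m2 = resp.sa_init()                       # IKE_SA_INIT message 2
    init.derive_keys(m1, m2, initiator=True)
    resp.derive_keys(m2, m1, initiator=False)
    id_i, id_r = b"101.1.1.100", b"102.1.1.100"   # ID payloads: the lab's peer addresses
    auth_i = init.auth_payload(id_i)          # IKE_AUTH message 3
    if not resp.verify_peer_auth(id_i, auth_i):
        return False, False                   # responder rejects the initiator
    auth_r = resp.auth_payload(id_r)          # IKE_AUTH message 4
    if not init.verify_peer_auth(id_r, auth_r):
        return False, False
    return True, init.child_keymat() == resp.child_keymat()
```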
IPsec Modes
1. Transport mode
2. Tunnel mode
Transport Mode
It protects Layer 4 and upper-layer data. Used in DMVPN.
Tunnel Mode
NAT Traversal
A feature that enables us to establish a VPN session through a NAT device.
In NAT-T the VPN devices add a UDP header before the ESP header, so that the NAT device can translate the packet.
Why NAT-Traversal
AH doesn't work with NAT, because it includes the external IP address in the ICV.
It includes the data, the key and the external IP in the integrity check value. If an AH packet passes through a NAT device, the NAT device translates the external IP. When the peer receives the AH packet it verifies the packet's ICV, and because of the NAT the peer finds an ICV mismatch, so the packet is dropped.
Note: AH doesn't include the TTL value in the ICV, because the TTL changes at every hop.
ESP doesn't include the external IP in the ICV, but it encrypts the data. A NAT device requires Layer 4 information, and ESP encrypts it; with no Layer 4 information available, no NAT can be performed.
To resolve this issue we use NAT-T: the devices add a UDP header before the ESP header for the NAT device. That header uses UDP port 4500.
NAT-T Support
NAT-T Detection
NAT-T Decision
NAT-T Support
In IKE Phase 1, the two peers exchange their vendor ID and IOS version information with each other to determine which features are supported.
NAT-T Detection
In IKE Phase 1, they create a payload of the external IP addresses and hash it; the hash is exchanged between the peers. They verify the hash: if the hashes match, no NAT exists in the path between the VPN peers; otherwise a NAT exists.
NAT-T Decision
In IKE Phase 2, if they found a NAT in the path between the VPN peers, a UDP 4500 header is inserted before the ESP header.
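The two arguments above (why AH breaks behind NAT, and how the NAT-D hash detects a NAT) as one added example, not code from the book: an AH-style ICV over the immutable fields with TTL excluded survives a normal hop but not a NAT hop, and the RFC 3947 NAT-D hash (SHA1 over cookies, address and port) differs on the two sides of a NAT, which drives the UDP 4500 decision. Names are hypothetical and the packet, key and cookies are constructed; the ICV is a simplified HMAC-SHA1-96, not full AH header processing.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Constructed minimal packet: only the fields the argument depends on."""
    src: str
    dst: str
    ttl: int
    proto: int
    payload: bytes


def ah_icv(pkt: Packet, key: bytes) -> bytes:
    """Simplified AH ICV (HMAC-SHA1-96) over the immutable fields: source and
    destination IP, protocol and payload. TTL is zeroed (excluded) because it
    changes at every hop, exactly as the note above says."""
    covered = (ipaddress.ip_address(pkt.src).packed
               + ipaddress.ip_address(pkt.dst).packed
               + bytes([0, pkt.proto])          # TTL byte zeroed, protocol kept
               + pkt.payload)
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def plain_hop(pkt: Packet) -> Packet:
    """An ordinary router: only the TTL changes."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_hop(pkt: Packet, public_ip: str) -> Packet:
    """A NAT device: rewrites the source IP as well as decrementing the TTL."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def peer_accepts(pkt: Packet, icv: bytes, key: bytes) -> bool:
    """The receiving peer recomputes the ICV over the packet as it arrived."""
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload of RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, sender_view, receiver_view) -> bool:
    """NAT-T detection: the sender hashes the address/port it sent from, the
    receiver hashes what it actually saw on the wire; a mismatch means a NAT
    rewrote the header somewhere in between."""
    return nat_d_hash(cky_i, cky_r, *sender_view) != nat_d_hash(cky_i, cky_r, *receiver_view)


def esp_port(cky_i, cky_r, sender_view, receiver_view) -> int:
    """NAT-T decision: move ESP into UDP 4500 only when a NAT was detected."""
    return 4500 if nat_detected(cky_i, cky_r, sender_view, receiver_view) else 500


def demo() -> tuple:
    """Returns (AH accepted without NAT, AH accepted through NAT, port chosen by NAT-T)."""
    key = b"constructed-ah-integrity-key"
    pkt = Packet(src="192.168.101.100", dst="101.1.1.1", ttl=64, proto=6, payload=b"GET / HTTP/1.0")
    icv = ah_icv(pkt, key)                      # computed by the sending peer
    ok_plain = peer_accepts(plain_hop(pkt), icv, key)
    ok_nat = peer_accepts(nat_hop(pkt, "101.1.1.100"), icv, key)
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8     # constructed ISAKMP cookies
    port = esp_port(cky_i, cky_r, ("192.168.101.100", 500), ("101.1.1.100", 500))
    return ok_plain, ok_nat, port
```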
Security Association
A group of security parameters and policies which is agreed between two IPsec peers.
Parts
SAD
SPD
Stop the CA.
Start the CA.
The password is shiva.
Start > Run > type
http://192.168.105.100/certsrv/mscep/mscep.dll
This URL is used to obtain the one-time password for the VPN.
If this CA is in VirtualBox you can use it for a real network or a GNS topology.
If it is for GNS, set the following:
user = administrator
pass = admin password
Press OK.
http://192.168.112.100/certsrv/mscep/mscep.dll
http://192.168.112.100/certsrv
Site-Site VPN
Site-Site VPN
It enables two sites to communicate with each other securely over an insecure network.
Working
192.168.101.0/24
192.168.102.0/24
Site-Site-pre-8.0
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
interface e0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto isakmp enable outside
ASA2
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto isakmp enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 16/41/120 ms
R2#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 16/42/92 ms
ASA1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
interface ethernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
interface ethernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1# sh clock
22:08:49.224 UTC Mon Sep 29 2014
ASA2# sh clock
22:10:22.070 UTC Mon Sep 29 2014
ASA1
domain-name cisco.com
crypto key generate rsa
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
%% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **************** (this password is obtained from the CA)
Re-enter password: ****************
To obtain a new OTP, go to the CA, refresh the page, then copy and paste it.
ASA2
domain-name cisco.com
crypto key generate rsa
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
ASA2
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
trust-point ttt
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
cry isakmp enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
route outside 0 0 101.1.1.1
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
ERROR: Signature public key not found - Abort.
domain-name cisco.com
crypto key generate rsa
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
ASA2
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
crypto ca enroll ttt
ERROR: Signature public key not found - Abort.
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R2#ping 192.168.101.100 repeat 100
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA2(config)# ntp server 101.1.1.1
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
ASA1(config)# crypto ca en ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
R1#ping 192.168.102.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id  Local            Remote           Status  Role
4933683    102.1.1.100/500  101.1.1.100/500  READY   RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 1800/59 sec
Child sa: local selector 192.168.102.0/0 - 192.168.102.255/65535
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0x14ff9428/0x9f01e33f
ASA2# sh cry
ASA2# sh crypto ip
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
ASA1
object network inside
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
ex
nat (inside,outside) source static inside inside destination static s2s s2s
nat (inside,outside) source dynamic any interface
access-list out permit icmp any object inside
Copy the OTP for ASA1, then refresh the page to obtain a new one for ASA2.
Modes
Client
Network extension
Network extension plus
Client
It is unidirectional: only the client can access the server LAN, but the server LAN can't access the client.
It can be implemented in software or hardware.
Network Extension
In Network Extension an internal IP address is not offered to the remote client.
It is bidirectional.
It can be implemented only in hardware.
Working
ASA_ra_pre_8.0
Initial-config
R1
interface fastEthernet 0/0
no shut
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
Go to the ASA.
Go to PC1.
Click OK.
The ping reply is not coming; the reason is NAT. Exclude the VPN traffic from NAT using NAT exemption:
access-list nat-exemption permit ip any 192.168.100.0 255.255.255.0
access-list nat-exemption permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat-exemption
nat (inside2) 0 access-list nat-exemption
ASA1
! banner
group-policy admin attributes
banner value ADMIN_GROUP
group-policy mgmt ge
group-policy mgmt attributes
banner value MGMT_GRPUP
ASA1# sh clock
08:59:43.968 UTC Tue Sep 30 2014
ASA1#
ASA1# sh clock
08:59:58.371 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.029 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.820 UTC Tue Sep 30 2014
ASA1# sh clock
09:00:01.090 UTC Tue Sep 30 2014
Initial-config
R1
interface fastEthernet 0/0
no sh
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
ASA1
crypto isakmp policy 1
authentication rsa-sig
encryption 3des
group 2
hash sha
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto isakmp enable outside
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
Go to the PC.
ping 101.1.1.100
Start > Run > type
http://101.1.1.100/certsrv
If you see this error, it is saying that you need to update your CA enrolment pages from Microsoft.
Tips
1. Update the CA pages.
2. Use an XP client with a 2003 CA.
3. Use a Windows 7 client with a 2008 CA.
What do you say?
For now we will use an XP client. In later labs we will use CA 2008 and a Windows 7 client.
Yes
Install cert
Yes
Yes
ASA1
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group mgmt general-attributes
default-group-policy mgmt
for split tunnel
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1#
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
ASA1#
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.101.100
Type : user
Role : responder
Rekey : no
State : AM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.100/255.255.255.255/0/0)
current_peer: 192.168.101.100, username: shiva
dynamic allocated peer ip: 192.168.100.100
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 192.168.101.100/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 349BA5D9
current inbound spi : 9D375C4D
ASA1
PAT
nat (inside1,outside) source dynamic any interface
nat (inside2,outside) source dynamic any interface
access-list out permit icmp any 192.168.0.0 255.255.0.0
access-group out in interface outside
R4#ping 101.1.1.1
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
int g0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1 255.255.255.0
interface gigabitEthernet 0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1 255.255.255.0
interface gigabitEthernet 0/3
no shu
nameif dmz
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption 3des
group 2
ex
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
sh history
ip local pool admin 192.168.100.100-192.168.100.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin
tunnel-group admin ipsec-attributes
ikev1 trust-point ttt
username shiva password shiva privilege 15
ASA1
Limitation
Only for IPsec & SSL
In IPSec, only for Remote Access. It is not for site-site vpn.
Cluster
Master
Member
VPN Load Balancing
VCA Virtual Cluster Agent.
Cluster
A logical group of devices or appliances that provides common application access; the group is identified by a virtual IP.
Master
The appliance with the highest priority. The master handles client requests and distributes them to the group members based on load. The master is responsible for the cluster (virtual) IP.
Default ASA priority: 1
Member
An appliance that participates in the cluster.
Diagram:-
ASA1
ASA1# sh vpn load-balancing
Status   Role    Failover  Encryption  Peers  Cluster IP
--------------------------------------------------------
Enabled  Master  n/a       Disabled    1      101.1.1.100

Peers:
Role  Pri  Model  Load-Balancing Version  Public IP
--------------------------------------------------------
SSL Modes
Clientless
Thin Client
Thick Client
Clientless Mode
As the name suggests, clientless mode needs no client software. The client makes a request to the SSL gateway, and the gateway proxies it to the internal resource.
Clientless mode provides secure communication only for web-based applications,
like HTTP, HTTPS, SMTP, POP3, IMAP or MS Exchange Server.
SSL Requirements
Clientless requirements
Only web browser.
Thin requirements
Web browser
Java
ActiveX and pop-ups should be enabled in the client web browser.
Thick requirements
Web browser
Java
ActiveX and pop-ups should be enabled in the client web browser.
AnyConnect package & Cisco Secure Desktop package.
Working
ASA_ssl_8.0
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
ASA1
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol webvpn
webvpn
port-forward name admin
port-forward enable admin
group-policy mgmt internal
group-policy mgmt attributes
vpn-tunnel-protocol webvpn
webvpn
port-forward name mgmt
port-forward auto-start mgmt
tunnel-group admin type remote-access
tunnel-group admin general-attributes
default-group-policy admin
webvpn
tunnel-group-list enable
webvpn
enable outside
svc image disk0:/svc2.5.pkg 1
svc enable
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
tunnel-group-list enable
group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol svc webvpn
webvpn
port-forward name admin
port-forward enable admin
svc keep-installer installed
svc ask enable
group-policy mgmt internal
group-policy mgmt attributes
vpn-tunnel-protocol svc webvpn
webvpn
port-forward name mgmt
port-forward auto-start mgmt
svc keep-installer installed
svc ask enable
webvpn
no enable outside
port 9090
enable outside
https://101.1.1.100:9090
webvpn
onscreen-keyboard logon
admin
ip dhcp pool admin
network 192.168.100.0
default-router 192.168.100.
mgmt
ip dhcp pool mgmt
network 192.168.200.0
default-router 192.168.200.1
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/46/76 ms
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/92 ms
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/124 ms
mgmt#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/141/212 ms
admin#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/51/80 ms
mgmt#ping 101.1.1.1
ASA thin
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
webvpn
csd image disk0:/csd_3.6.6203-k9.pkg
csd enable
exit
http server enable
http 0 0 outside
username shiva password shiva privilege 15
PC
https://101.1.1.100/ for ssl
https://101.1.1.100/admin for ASDM
webvpn
no csd enable
webvpn
smart-tunnel list sss telnet telnet.exe
group-policy admin attributes
webvpn
port-forward disable
smart-tunnel enable sss
https://101.1.1.100
Transparent Firewall
Transparent Firewall
ASA Modes
Advantages
Limitations
Difference between Switching & Transparent Firewall
Transparent Firewall
The Cisco ASA runs in one of two modes: routed mode and transparent mode.
Routed Mode
In routed mode the ASA works as a Layer 3 device. It forwards packets based on the destination IP address.
Transparent Mode
In transparent mode the ASA works as a Layer 2 device: it forwards frames based on the destination MAC address.
It still has the capability to filter traffic from Layer 2 to Layer 7.
Advantages
You can insert a firewall into your network without readdressing the network.
Transparent Firewall
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R3
interface fastEthernet 0/0
R2
R2#ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1
interface fastEthernet 0/0
ip nat inside
interface fastEthernet 0/1
ip nat outside
exit
ip access-list extended natacl
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list natacl interface fastEthernet 0/1 overload
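The IOS access-list `natacl` above uses an inverse (wildcard) mask, 0.0.255.255, while the ASA access-lists in this chapter (`access-list out permit icmp any 192.168.0.0 255.255.0.0`, or the `object` form used a little further on) take an ordinary subnet mask. The Python model below is an added illustration, not code from the book or from Cisco: it parses both dialects into networks and evaluates a packet against an ACL with first-match semantics and the implicit deny. It is deliberately simplified (port qualifiers such as `eq ssh` are ignored, and the object table it reads is constructed inline), but it makes visible the check a reviewer wants when rules are copied between platforms: the operand `192.168.1.1 0.0.0.0` is a single host under IOS wildcard rules and matches every address under ASA mask rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry; protocol 'ip' matches every protocol."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ios_wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use inverse masks: a 0 bit must match, a 1 bit is 'don't care'."""
    inverse = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~inverse) & 0xFFFFFFFF)
    # Non-contiguous wildcards are legal in IOS but have no CIDR form; ipaddress rejects them.
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def asa_mask_to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """ASA access-lists take a normal subnet mask: a 1 bit must match, a 0 bit is 'don't care'."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_objects(config: str) -> dict:
    """Collect 'object network NAME' definitions (subnet/host) into a name -> network table."""
    objects, name = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            name = tok[2]
        elif name and tok and tok[0] == "subnet":
            objects[name] = asa_mask_to_network(tok[1], tok[2])
        elif name and tok and tok[0] == "host":
            objects[name] = ipaddress.IPv4Network(tok[1] + "/32")
    return objects


def _parse_addr(tok, i, dialect, objects):
    """Parse one address operand starting at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object":
        return objects[tok[i + 1]], i + 2
    convert = ios_wildcard_to_network if dialect == "ios" else asa_mask_to_network
    return convert(tok[i], tok[i + 1]), i + 2


def parse_ace(line: str, dialect: str, objects: Optional[dict] = None) -> Ace:
    """Parse an ASA 'access-list NAME [extended] ...' line or an IOS named-ACL entry."""
    tok = line.split()
    if tok[0] == "access-list":      # ASA form: drop the keyword and the list name
        tok = tok[2:]
    if tok[0] == "extended":
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2, dialect, objects or {})
    dst, _ = _parse_addr(tok, i, dialect, objects or {})   # anything after (eq ssh ...) is ignored
    return Ace(action, proto, src, dst)


def evaluate(acl, proto: str, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; both platforms end every list with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed object table mirroring the chapter's obj_net_192.168.101.0 definition.
    objs = parse_objects("object network obj_net_192.168.101.0\n subnet 192.168.101.0 255.255.255.0")
    acl = [parse_ace("access-list out permit icmp any object obj_net_192.168.101.0", "asa", objs)]
    print(evaluate(acl, "icmp", "192.168.102.100", "192.168.101.100"))   # permit
    print(parse_ace("permit ip 192.168.1.1 0.0.0.0 any", "ios").src)       # 192.168.1.1/32
    print(parse_ace("access-list x permit ip 192.168.1.1 0.0.0.0 any", "asa").src)  # 0.0.0.0/0
```

The last two lines of the demo are the point: the same operand text yields a /32 on IOS and a /0 on the ASA, so a wildcard-style mask pasted into an ASA access-list silently becomes "any".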
R2
interface fastEthernet 0/0
ip nat inside
ASA2
ASA2(config)# firewall transparent
ciscoasa(config)# ho
ciscoasa(config)# hostname ASA2
ASA2(config)#
ASA2(config)#
ASA1
interface bvI 1
ip address 192.168.101.111 255.255.255.0
interface gigabitEthernet 0/0
ASA2
interface bvI 1
ip add 192.168.102.111 255.255.255.0
interface gigabitEthernet 0/0
no shu
nameif inside
bridge-group 1
interface gigabitEthernet 0/1
no shu
nameif outside
bridge-group 1
route outside 0 0 192.168.102.1
ASA2(config-if)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config-if)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.101.1
R4
R4#ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5
R5#ping 192.168.
*Oct 4 06:24:54.215: %SYS-5-CONFIG_I: Configured from console by console
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA1
access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group out in interface outside
ASA2
access-list out permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-group out in interface outside
R4#ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
ASA1
access-list out permit icmp any object obj_net_192.168.101.0
access-group out in interface outside
R4#ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
ASA2
object network obj_net_192.168.102.0
subnet 192.168.102.0 255.255.255.0
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
object network obj_net_192.168.222.0
subnet 192.168.222.0 255.255.255.0
nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.102.0 destination static obj_net_192.168.101.0 obj_net_192.168.101.0
nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.222.0
R2#debug ip icmp
ICMP packet debugging is on
R5#ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#debug ip icmp
ICMP packet debugging is on
R2#
*Oct 4 12:38:04.111: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:04.115: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:06.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:06.111: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:08.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:08.107: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:10.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:10.107: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
*Oct 4 12:38:12.107: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:38:12.107: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
Context
Context
Context Requirement
Context Use
Advantages
Limitations
Context Terminology
Context
We can partition an appliance into many virtual appliances; these virtual appliances are called security contexts.
Requirement
Assume you run a company that provides web hosting services and you have 200 clients. Now each client demands a dedicated appliance for its servers. To fulfil that requirement you would have to purchase 200 appliances, and 200 appliances are very costly. Virtual contexts solve this problem.
Context Use
Active-Active failover
Web Hosting Companies
Companies needing more than one firewall on a single location
Advantages
Cost Saving
Eco-Friendly or Go Green
Limitations
No dynamic routing
No VPN
But in ASA OS 9.2.2.4
contexts also support dynamic routing & IPsec site-to-site VPN.
Context Terminology
System Area
Admin Context
Context Chaining
Shared Interface
System Area
When an appliance boots in multiple mode, you first find yourself in the system area.
Functions
Admin Context
When an appliance boots in multiple mode, an admin context is created by default.
It is used for appliance management; when the appliance is in multiple mode there must be one admin context.
Context Chaining
We can connect one context to another; this is called context chaining. It is only possible with a shared interface.
Shared Interface
When one interface is used in more than one context, that interface is called a shared interface.
Initial-config
ASA_Context
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ASA1(config)# mode multiple
Failover
Failover
Failover Types
Failover Implementation types
Failover System Requirements
The Failover and Stateful Failover Links
Device Initialization and configuration
Failover Behaviour
Failover Triggers
Stateless (Regular) and Stateful Failover
Things not replicated during failover
Failover Health Monitoring
Interface Monitoring
Failover configuration limitation
Failover
A Cisco proprietary feature that provides uninterrupted network access.
Failover types
Stateless Failover
Hardware Failover
Stateful Failover
Stateless
Stateless failover provides logical redundancy: if the primary link goes down, the secondary path is used.
Hardware Failover
When failover was introduced only hardware failover was supported. It provides hardware redundancy and configuration replication. If failover occurs, connections have to be re-established.
Active-Standby
Active-Active
Active-Standby
In active-standby failover we require two appliances, one primary and one secondary. The primary works as the active unit and the secondary works as the standby. If the primary goes down, the secondary takes over the active role.
OR
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Active-Active
In active-active failover we require two appliances and two security contexts (or an even number of contexts). Each appliance is active for one context. With Active/Active failover, both units can pass network traffic.
Active/Active failover is available only on units running in multiple context mode.
Hardware Requirements
Software Requirements
License Requirements
Hardware Requirements
The two units in a failover configuration must have the same hardware configuration:
They must be the same model
They must have the same number and types of interfaces
The same amount of RAM
The same SSMs installed (if any)
Note: - The exception is Flash memory. If you use units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. Otherwise configuration synchronization will fail.
Software Requirements
The two units in a failover configuration must be in the same operating mode and run the same software version. However, you can use different versions of the software during an upgrade process.
License Requirements
For the ASA 5510 and 5512 you need the Security Plus license.
You can use any unused Ethernet interface on the device as the failover link. Connect it in one of two ways:
Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the LAN failover interfaces of the ASA
Using a crossover Ethernet cable to connect the appliances directly
Note: The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can use either a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
Distance limitation.
Slower configuration replication.
Note:
You can use a dedicated Ethernet interface for the Stateful Failover link.
If you are using LAN-based failover, you can share the failover link.
You can share a regular data interface. However, this option is not recommended.
Enable the Port Fast option on Cisco switch ports that connect directly to the security appliance.
Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context.
Failover Behaviour
Failover Triggers
Stateless (Regular)
Stateful Failover
OS images
Any-connect Images
CSD images
ASDM Images
Smart Tunnels
Port Forwarding
Plugins
Java Applets
IPv6 clientless or AnyConnect sessions
Citrix authentication (Citrix users must reauthenticate after failover)
If the security appliance receives a response on the failover link, it does not fail over.
If the security appliance does not receive a response on the failover link, but receives a response on another interface, the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible, because the unit cannot fail over to the standby while the failover link is down.
If the security appliance does not receive a response on any interface, the standby unit switches to active mode and classifies the other unit as failed.
Interface Monitoring
1. Link Up/Down test: a test of the interface status. If the Link Up/Down test indicates that the interface is operational, the security appliance performs the network tests.
2. Network Activity test: a network activity test. The unit counts all received packets for up to 5 seconds. If no traffic is received, the ARP test begins.
3. ARP test: a reading of the unit's ARP cache for the 2 most recently acquired entries. The unit counts all received traffic for up to 5 seconds. If no traffic has been received, the ping test begins.
4. Broadcast Ping test: a ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds.
Failover Result         Failover Response
Both receive            No failover
(row not recovered)     No failover
(row not recovered)     No failover
(row not recovered)     failover
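The monitoring logic described above (the unit-level hello checks, the four interface tests run in order, and the `Interface Policy` shown in `show failover`) can be written down as a small decision model. The Python below is an added illustration, not Cisco code and not from the book; the `InterfaceProbe` values are constructed observations, and the percentage form of `failover interface-policy` is modelled as the ASA documents it (failover once the failed share of monitored interfaces reaches the threshold).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InterfaceProbe:
    """What one monitored interface yielded during a hold period (constructed input for the model)."""
    link_up: bool
    packets_in_5s: int            # network activity test
    arp_traffic_in_5s: int        # ARP test: traffic seen after re-resolving the 2 newest ARP entries
    broadcast_ping_replies: int   # broadcast ping test


def interface_status(p: InterfaceProbe):
    """Run the four tests in the order the ASA does; stop at the first one that proves the link alive.
    Returns (status, name of the test that decided)."""
    if not p.link_up:
        return "Failed", "link-down"
    if p.packets_in_5s > 0:
        return "Normal", "network-activity"
    if p.arp_traffic_in_5s > 0:
        return "Normal", "arp"
    if p.broadcast_ping_replies > 0:
        return "Normal", "broadcast-ping"
    return "Failed", "all-tests-failed"


def unit_health(hello_on_failover_link: bool, hello_on_other_interface: bool) -> str:
    """Unit-level decision after a missed hello, following the three cases in the text."""
    if hello_on_failover_link:
        return "no-failover"
    if hello_on_other_interface:
        # Peer is alive but the failover link itself is broken: keep running, flag the link.
        return "no-failover; failover link marked failed"
    return "failover: standby becomes active and marks the peer as failed"


def interface_policy_triggers(statuses, policy=1) -> bool:
    """`failover interface-policy N` or `N%`: failover when failed monitored interfaces reach the threshold."""
    failed = sum(1 for s in statuses if s == "Failed")
    if isinstance(policy, str) and policy.endswith("%"):
        return failed * 100 >= int(policy[:-1]) * len(statuses)
    return failed >= int(policy)


if __name__ == "__main__":
    probes = {
        "inside": InterfaceProbe(True, 12, 0, 0),   # busy interface: first test passes
        "outside": InterfaceProbe(True, 0, 0, 3),   # quiet interface: only the broadcast ping answers
        "dmz": InterfaceProbe(True, 0, 0, 0),       # silent interface: all four tests fail
    }
    statuses = {name: interface_status(p) for name, p in probes.items()}
    print(statuses)
    print("policy 1 triggers:", interface_policy_triggers([s for s, _ in statuses.values()], 1))
    print(unit_health(False, True))
```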
Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
You cannot configure failover when Easy VPN remote is enabled on the ASA 5505 adaptive security appliance.
The CA server is not supported.
Diagram:-
ASA_active_standby
Initial-config
R1
int fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R2
int fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
ASA1
object network inside
subnet 192.168.10.0 255.255.255.0
object network dmz
host 192.168.20.100
object network ip111
host 101.1.1.111
nat (dmz,outside) source static dmz ip111
nat (inside,outside) source dynamic inside interface
access-list out extended permit icmp any object inside
access-list out extended permit icmp any object dmz
access-list out extended permit tcp any object dmz eq ssh
access-list out extended permit tcp any object dmz eq telnet
access-list out extended permit tcp any object dmz eq www
access-list out extended permit tcp any object dmz eq https
access-group out in interface outside
R3#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Oct 4 10:10:31.019: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.019: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 4 10:10:38.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
R3#
*Oct 4 10:10:40.207: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
ASA1
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2
interface gigabitEthernet 0/3
no shu
failover lan unit secondary
failover lan interface shiva g0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2(config)# Beginning configuration replication from mate.
End configuration replication from mate.
ASA1
ASA1(config)# ! Stateful failover
ASA1(config)# failover link shiva
ASA1(config)# ! http replication
ASA1(config)# failover replication http
ASA1(config)# ! change timers
ASA1(config)# failover polltime msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
ASA1(config)# failover polltime unit msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 16:07:52 UTC Oct 4 2014
This host: Primary - Active
Active time: 296 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Monitored)
Interface outside (101.1.1.100): Normal (Monitored)
Interface dmz (192.168.20.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.2): Normal (Monitored)
Interface outside (101.1.1.101): Normal (Monitored)
Interface dmz (192.168.20.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/3 (up)
Stateful Obj    xmit    xerr    rcv     rerr
General         41      0       29      0
sys cmd         29      0       29      0
up time         0       0       0       0
RPC services    0       0       0       0
TCP conn        0       0       0       0
UDP conn        4       0       0       0
ARP tbl         6       0       0       0
Xlate_Timeout   0       0       0       0
IPv6 ND tbl     0       0       0       0
ASA1(config)# ! ASA2
ASA1(config)# fa
ASA1(config)# failover a
ASA1(config)# failover active
Switching to Active
ASA2
ASA1(config)# failover active
Switching to Active
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: n
Proceed with reload? [confirm]
ASA1(config)#
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
changeto context c1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
changeto context c2
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.102.0 255.255.255.0
access-group out in interface outside
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1/c2(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:08 timeout 0:00:00
ICMP PAT from inside:192.168.102.100/7 to outside:102.1.1.100/7 flags ri idle 0:00:08 timeout 0:00:30
ASA1(config)# changeto system
ASA1
failover lan unit primary
failover lan interface shiva g0/4
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA1
ASA1(config)# ! stateful failover
ASA1(config)# failover link shiva
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 09:15:12 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Primary - Active
Active time: 307 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj    xmit    xerr    rcv     rerr
General         6       0       13      0
sys cmd         6       0       6       0
up time         0       0       0       0
RPC services    0       0       0       0
TCP conn        0       0       0       0
UDP conn        0       0       0       0
ARP tbl         0       0       4       0
Xlate_Timeout   0       0       0       0
IPv6 ND tbl     0       0       0       0
VPN IKEv1 SA    0       0       0       0
VPN IKEv1 P2    0       0       0       0
VPN IKEv2 SA    0       0       0       0
VPN IKEv2 P2    0       0       0       0
VPN CTCP upd    0       0       0       0
VPN SDI upd     0       0       0       0
VPN DHCP upd    0       0       0       0
ASA1 primary
failover group 1
primary
preempt
failover group 2
secondary
preempt
context c1
join-failover-group 1
context c2
join-failover-group 2
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:13:11 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
This host: Primary
Group 1 State: Active
Active time: 150 (sec)
Group 2 State: Standby Ready
Active time: 9 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 79 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj    xmit    xerr    rcv     rerr
General         96      0       62      2
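Throughout this chapter `show failover` is read by eye; a monitoring job wants the same checks applied automatically (failover on, matching versions, one Active and one Standby Ready unit, every monitored interface Normal and Monitored, and no stateful-update errors such as the non-zero rerr count in the General row above). The parser below is an added Python example, not code from the book or from Cisco. It runs on a constructed sample modelled on the single-context outputs in this chapter, with one interface deliberately set to Waiting and a non-zero rerr so that the checks fire; Active/Active output with per-group states is not handled by this version.

```python
import re

# Constructed sample, modelled on the book's single-context `show failover` output (not a lab capture).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 16:07:52 UTC Oct 4 2014
        This host: Primary - Active
                Active time: 296 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (101.1.1.100): Normal (Monitored)
                  Interface dmz (192.168.20.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (101.1.1.101): Normal (Monitored)
                  Interface dmz (192.168.20.2): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : shiva GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         96         0          62         2
        sys cmd         29         0          29         0
        up time         0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        4          0          0          0
        ARP tbl         6          0          0          0
"""

HOST_RE = re.compile(r"^\s*(?P<which>This|Other) host:\s+(?P<unit>Primary|Secondary)"
                     r"(?:\s+-\s+(?P<state>.+?))?\s*$")
# Optional leading context name covers the multiple-context form "c1 Interface inside (...)".
IFACE_RE = re.compile(r"^\s*(?:(?P<ctx>\S+)\s+)?Interface\s+(?P<name>\S+)\s+\((?P<ip>[^)]*)\):"
                      r"\s+(?P<status>\w+)\s+\((?P<mon>\w+)\)")
STATS_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)\s*$")


def parse_show_failover(text: str) -> dict:
    """Extract unit role, peer states, per-interface health and stateful statistics."""
    parsed = {
        "failover_on": False, "unit": None, "version_ours": None, "version_mate": None,
        "this_host": {"unit": None, "state": None, "interfaces": []},
        "other_host": {"unit": None, "state": None, "interfaces": []},
        "stats": {},
    }
    current, in_stats = None, False
    for line in text.splitlines():
        m = re.match(r"^Failover (On|Off)\s*$", line)
        if m:
            parsed["failover_on"] = m.group(1) == "On"
            continue
        m = re.match(r"^Failover unit (Primary|Secondary)", line)
        if m:
            parsed["unit"] = m.group(1)
            continue
        m = re.search(r"Version: Ours (\S+), Mate (\S+)", line)
        if m:
            parsed["version_ours"], parsed["version_mate"] = m.groups()
            continue
        m = HOST_RE.match(line)
        if m:
            current = "this_host" if m.group("which") == "This" else "other_host"
            parsed[current]["unit"], parsed[current]["state"] = m.group("unit"), m.group("state")
            continue
        m = IFACE_RE.match(line)
        if m and current:
            parsed[current]["interfaces"].append({"context": m.group("ctx"), "name": m.group("name"),
                                                  "ip": m.group("ip"), "status": m.group("status"),
                                                  "monitoring": m.group("mon")})
            continue
        if re.match(r"^\s*Stateful Obj\s+xmit", line):
            in_stats = True            # table rows follow this header
            continue
        m = STATS_RE.match(line)
        if in_stats and m:
            parsed["stats"][m.group("name")] = {k: int(m.group(k)) for k in ("xmit", "xerr", "rcv", "rerr")}
    return parsed


def health_findings(parsed: dict) -> list:
    """Return the conditions a monitoring job should alert on; an empty list means healthy."""
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is Off")
    if parsed["version_ours"] != parsed["version_mate"]:
        findings.append(f"software mismatch: ours {parsed['version_ours']}, mate {parsed['version_mate']}")
    states = {parsed["this_host"]["state"], parsed["other_host"]["state"]}
    if states != {"Active", "Standby Ready"}:
        findings.append(f"unit states {sorted(str(s) for s in states)}, expected Active + Standby Ready")
    for host in ("this_host", "other_host"):
        for itf in parsed[host]["interfaces"]:
            if itf["status"] != "Normal" or itf["monitoring"] != "Monitored":
                findings.append(f"{host}: interface {itf['name']} is {itf['status']} ({itf['monitoring']})")
    for name, row in parsed["stats"].items():
        if row["xerr"] or row["rerr"]:
            findings.append(f"stateful update errors for {name}: xerr={row['xerr']} rerr={row['rerr']}")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("WARN:", finding)
```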
ASA1
ASA1(config)# prompt hostname context state
ASA1/act(config)#
ASA1/act(config)# changeto context c1
ASA1/c1/act(config)#
ASA1/c1/act(config)# changeto context c2
ASA1/c2/stby(config)#
ASA2
ASA1/stby(config)#
ASA1/stby(config)# changeto context c
ASA1/stby(config)# changeto context c1
ASA1/c1/stby(config)#
ASA1/c1/stby(config)# changeto context c2
ASA1/c2/act(config)#
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ASA1/c1/act(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:01 timeout 0:00:00
ICMP PAT from inside:192.168.101.100/9 to outside:101.1.1.100/9 flags ri idle 0:00:01 timeout 0:00:30
ASA2
ASA1/c2/act(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
***
*** --- SHUTDOWN NOW --***
*** Message to all terminals:
***
*** change mode
ASA2
ASA1/act(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:25:12 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
This host: Secondary
Group 1
State:
Active
MPF Function
Inspection of connection
Connection restriction
Traffic Prioritization
Traffic Policing
MPF Components
Class Map
Policy Map
Service Policy
DCE
SUN RPC
ILS
NetBIOS
IPSec Pass-thru
XDMCP
ICMP Inspection
FTP Modes
SMTP
DNS
TFTP
HTTP
RSH
SQL*Net
SIP
SCCP
CTIQBE
MGCP
Inspection of connection
With this feature we can tell the Cisco appliance which protocols, besides TCP and UDP, should be added to the state table, for example ICMP. Using inspection of connection we can make ICMP stateful traffic.
Connection Restriction
With connection restriction we can set, per protocol, the maximum connections, the per-client maximum connections, the maximum embryonic (half-open) connections, the per-client embryonic connections, and so on.
Traffic Prioritization
With this feature we can give priority to delay-sensitive traffic such as voice or VPN traffic.
Traffic Policing
With this feature we can police (rate-limit) incoming and outgoing traffic on an interface.
MPF Components
Class-map
Policy-map
Service-policy
Class-map types
L3/L4 Class-map
L7 Class-map
Regex Class-map
Policy-map types
L3/L4 Policy-map
L7 Policy-map
Service-policy
It can be applied on a specific interface or globally.
class-map default
match default-inspection-traffic
policy-map shiva
class default
inspect xdmcp
service-policy shiva global
ICMP
This protocol is used for connectivity checking, but it can also be used to overload a server with ICMP traffic, which is why the appliance is able to inspect it. It uses IP protocol number 1.
If you want, you can configure it as inspected traffic:
class-map shiva_class
match default-inspection-traffic
policy-map shiva_policy
class shiva_class
inspect icmp
inspect icmp error
service-policy shiva_policy global
SMTP
It is used to send mail and uses TCP port 25. The appliance can apply deeper inspection to SMTP, for example on the SMTP body length.
Working
Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 25 Server
Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 25 Server
access-list smtp-limit permit tcp any any eq 25
class-map smtp
match access-list smtp-limit
DNS
The Domain Name System is used for name resolution. It uses TCP or UDP port 53.
DNS Inspection Features
DNS Guard
DNS Doctoring
DNS Query Length
DNS Guard
It allows only the first reply to a DNS query.
DNS Doctoring
This feature enables the appliance to rewrite the address in a DNS reply for an inside host with the address used on another interface.
Commands
static (inside,outside) interface 192.168.101.53 dns
DNS Query Length
By default the DNS query length is 512 bytes; we can extend it.
DNS is inspected by the appliance by default.
static (inside,outside) interface 192.168.101.53 dns
policy-map type inspect dns l7-dns
parameters
dns-guard
nat-rewrite
protocol-enforcement
message-length maximum 1024
exit
ex
class-map default
match default-inspection-traffic
policy-map shiva
class default
inspect dns l7-dns
service-policy shiva global
HTTP
Used for web browsing; it uses TCP port 80. The appliance can block HTTP sites by name and by IP address.
regex fb \.facebook\.com
regex 420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
class-map type regex match-any rs
match regex fb
match regex 420
policy-map type inspect http l7-http
parameters
match request header host regex class rs
reset
access-list http permit tcp any any eq 80
class-map http-class
match access-list http
policy-map shiva
class http-class
inspect http l7-http
service-policy shiva global
RSH
Used on Unix for a remote terminal; it uses TCP port 514.
Working
Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 514 Server
Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 1024 Server
Higher to lower security level: handled by inspection.
Lower to higher security level: needs an ACL.
Inspected by default.
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ip add 192.168.106.1 255.255.255.0 secondary
router ei 100
no auto-summary
net 0.0.0.0
R2
interface fastEthernet 0/0
no sh
ip add 192.168.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
R1#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 101.1.1.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 101.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 8 07:06:58.843: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.847: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.847: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.851: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.851: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 8 07:07:01.019: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
*Oct 8 07:07:01.771: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
*Oct 8 07:07:02.519: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
*Oct 8 07:07:14.867: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.875: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.875: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
R3#
*Oct 8 07:07:24.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.715: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
ASA1(config)# ! Open ACL for www.cisco.com
ASA1(config)# ! Open ACL for www.abc.com
ASA1(config)# ! So that Internet-Users can ping www.cisco.com ,www.abc.com
ASA1(config)# access-list out permit icmp any object R2
ASA1(config)# access-list out permit icmp any object R4
ASA1(config)# access-group out in interface outside
R3
R3(config)#ip domain-lookup
R3(config)#ip name-server 102.1.1.100
R3#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.111, timeout is 2 seconds:
ASA1
ASA1(config)# access-list out permit tcp any object R2 eq 22
ASA1(config)# access-list out permit tcp any object R2 eq 23
ASA1(config)# access-list out permit tcp any object R4 eq 80
ASA1(config)# access-list out permit tcp any object R4 eq 443
ASA1(config)# access-group out in interface outside
ASA1
access-list telnet-limit permit tcp any object R2 eq 23
class-map telnet-class
match access-list telnet-limit
policy-map shiva_policy
class telnet-class
set connection conn-max 123
set connection embryonic-conn-max 1
set connection per-client-max 2
set connection per-client-embryonic-max 1
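As an added example (not the book's or Cisco's code), this Python model replays a sequence of telnet connection attempts against the four `set connection` limits configured above and reports which SYNs exceed which limit. The client addresses and the event sequence are constructed; a limit of 0 means unlimited, as on the ASA.

```python
"""Model of the `set connection` limits in the telnet-class policy above.

Added example, not Cisco's code. It tracks embryonic (half-open) and
established TCP connections per client and reports which new SYNs exceed
the four limits. A limit of 0 means unlimited, as on the ASA. On a real
ASA, reaching the embryonic limit engages TCP intercept (SYN cookies)
rather than simply refusing the SYN; this model only reports the excess.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


class ConnLimiter:
    def __init__(self, conn_max=0, embryonic_conn_max=0,
                 per_client_max=0, per_client_embryonic_max=0):
        self.conn_max = conn_max
        self.embryonic_conn_max = embryonic_conn_max
        self.per_client_max = per_client_max
        self.per_client_embryonic_max = per_client_embryonic_max
        # per client: [embryonic, established]
        self.state: Dict[str, List[int]] = defaultdict(lambda: [0, 0])

    def _totals(self) -> Tuple[int, int]:
        emb = sum(v[0] for v in self.state.values())
        est = sum(v[1] for v in self.state.values())
        return emb, est

    def syn(self, client: str) -> Tuple[bool, str]:
        """A new SYN to the protected server. Returns (allowed, reason)."""
        emb, est = self._totals()
        c_emb, c_est = self.state[client]
        # Each check: (configured limit, current count, limit name).
        checks = [
            (self.conn_max, emb + est, "conn-max"),
            (self.embryonic_conn_max, emb, "embryonic-conn-max"),
            (self.per_client_max, c_emb + c_est, "per-client-max"),
            (self.per_client_embryonic_max, c_emb, "per-client-embryonic-max"),
        ]
        for limit, current, name in checks:
            if limit and current >= limit:
                return False, name
        self.state[client][0] += 1
        return True, "ok"

    def established(self, client: str) -> None:
        """Three-way handshake finished: embryonic -> established."""
        if self.state[client][0] > 0:
            self.state[client][0] -= 1
            self.state[client][1] += 1

    def close(self, client: str) -> None:
        """An established session was torn down."""
        if self.state[client][1] > 0:
            self.state[client][1] -= 1


def run_events(events, limiter=None) -> List[Tuple[str, str, str]]:
    """Replay (action, client) events; return (action, client, result) rows."""
    # Defaults are the values from the telnet-class policy above.
    limiter = limiter or ConnLimiter(conn_max=123, embryonic_conn_max=1,
                                     per_client_max=2,
                                     per_client_embryonic_max=1)
    out = []
    for action, client in events:
        if action == "syn":
            ok, why = limiter.syn(client)
            out.append((action, client, "allow" if ok else "exceeds " + why))
        elif action == "established":
            limiter.established(client)
            out.append((action, client, "-"))
        elif action == "close":
            limiter.close(client)
            out.append((action, client, "-"))
    return out


# Constructed event sequence: two hosts opening telnet sessions to R2.
EVENTS = [
    ("syn", "10.0.0.10"),     # allow: first half-open connection
    ("syn", "10.0.0.20"),     # exceeds embryonic-conn-max (1 half-open total)
    ("established", "10.0.0.10"),
    ("syn", "10.0.0.20"),     # allow: no half-open connections left
    ("established", "10.0.0.20"),
    ("syn", "10.0.0.10"),     # allow: second connection for this client
    ("established", "10.0.0.10"),
    ("syn", "10.0.0.10"),     # exceeds per-client-max (2)
    ("close", "10.0.0.10"),
    ("syn", "10.0.0.10"),     # allow again after one session closed
]

if __name__ == "__main__":
    for row in run_events(EVENTS):
        print("%-12s %-12s %s" % row)
```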
ASA1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 103.1.1.100 type ipsec-l2l
tunnel-group 103.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 103.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
object network inside
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
nat (inside,outside) 1 source static inside inside destination static s2s s2s
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
R1#ping 192.168.102.100 source fastEthernet 0/1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/2/4 ms
R6#ping 192.168.101.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/8 ms
ASA1
!
priority-queue outside
class-map s2s-class
match tunnel-group 103.1.1.100
policy-map shiva_policy
class s2s-class
priority
ASA1
access-list traffic-limit deny ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list traffic-limit permit ip 192.168.101.0 255.255.255.0 any
class-map traffic-limit-class
match access-list traffic-limit
policy-map shiva_policy
class traffic-limit-class
police input 8000 conform-action transmit exceed-action drop
police output 8000 conform-action transmit exceed-action drop
FTP Inspection
The outbound connection is working.
Check the inbound connection:
object network obj_net_192.168.101.100
host 192.168.101.100
object service obj_ser_ftp
service tcp source eq 21
sh running-config object
nat (inside,outside) 3 source static obj_net_192.168.101.100 interface service obj_ser_ftp obj_ser_ftp
access-list out permit tcp any object obj_net_192.168.101.100 eq 21
not working
ASA1
policy-map shiva_policy
class shiva_class
inspect ftp
SMTP
object network obj_net_192.168.106.100
host 192.168.106.100
ex
object service obj_ser_smtp
service tcp source eq 25
object service obj_ser_pop3
service tcp source eq 110
ex
sh history
nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_smtp obj_ser_smtp
nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_pop3 obj_ser_pop3
access-list out permit tcp any object obj_net_192.168.106.100 eq 25
access-list out permit tcp any object obj_net_192.168.106.100 eq 110
Go to the Internet user.
10.0.0.255:137 inside 10.0.0.10:137, idle 0:00:13, bytes 25650, flags
10.0.0.255:137 dmz1 10.0.0.10:137, idle 0:00:13, bytes 25800, flags
102.1.1.100:53 inside 192.168.101.100:54918, idle 0:00:12, bytes 80, flags h
102.1.1.100:53 inside 192.168.101.100:55714, idle 0:00:38, bytes 78, flags h
102.1.1.100:53 inside 192.168.101.100:63759, idle 0:00:53, bytes 84, flags h
102.1.1.100:53 inside 192.168.101.100:63597, idle 0:01:02, bytes 80, flags h
R3#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.111, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1(config)#ip domain-lookup
R1(config)#ip name-server 102.1.1.100
R1#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.111, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.222, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
regex fb \.facebook\.com
regex ip420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
class-map type regex match-any rs
match regex fb
match regex ip420
policy-map type inspect http l7-http
match request header host regex class rs
reset
ex
policy-map shiva_policy
class shiva_class
inspect http l7-http
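As an added example (not the book's or Cisco's code), this Python model evaluates the regex class-map used by the HTTP inspection policy here and in the HTTP section earlier against a set of constructed Host headers. Python's `re` stands in for the ASA regex engine; like the ASA, it matches the pattern anywhere in the header, which is what makes the unanchored `\.facebook\.com` and dotted-digits patterns hit more (and less) than one might expect.

```python
"""Model of the regex class-map used by the HTTP inspection policy above.

Added example, not the book's or Cisco's code: Python's `re` stands in for
the ASA regex engine, and the config is reduced to the two regexes, the
match-any class and the reset action.
"""
import re
from typing import Dict, List, Tuple

# The two regexes exactly as configured on the ASA (regex fb / regex ip420).
REGEXES = {
    "fb": r"\.facebook\.com",
    "ip420": r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+",
}
# class-map type regex match-any rs: a Host header hits the class if ANY
# member regex matches anywhere in the header (ASA regexes are unanchored).
CLASS_RS = ["fb", "ip420"]


def matching_regexes(host_header: str,
                     class_members: List[str] = CLASS_RS) -> List[str]:
    """Return the names of the class members that match the Host header."""
    return [name for name in class_members
            if re.search(REGEXES[name], host_header)]


def http_inspect(host_header: str) -> Tuple[str, List[str]]:
    """Apply `match request header host regex class rs` -> `reset`.

    Returns ("reset", hits) when the class matches, else ("pass", [])."""
    hits = matching_regexes(host_header)
    return ("reset" if hits else "pass", hits)


# Constructed Host headers: the intended blocks, the hosts the lab resolves
# by name, and a few that show how the unanchored patterns behave.
SAMPLE_HOSTS = [
    "www.facebook.com",               # reset by fb
    "101.1.1.222",                    # reset by ip420 (direct-IP browsing)
    "101.1.1.222:8080",               # a port suffix does not escape ip420
    "www.cisco.com",                  # pass
    "www.abc.com",                    # pass
    "facebook.com",                   # no leading dot: fb does NOT match
    "cdn.facebook.com.example.org",   # substring hit: reset, not Facebook
    "v1.2.3.4.example.org",           # digits-and-dots substring: ip420 hit
]


def evaluate(hosts: List[str] = SAMPLE_HOSTS) -> Dict[str, str]:
    """Map each Host header to the action the policy would take."""
    return {h: http_inspect(h)[0] for h in hosts}


if __name__ == "__main__":
    for host, action in evaluate().items():
        print("%-32s %s" % (host, action))
```

The `facebook.com` and `cdn.facebook.com.example.org` rows show why a rule written to block a site should anchor the pattern (for example `^(.*\.)?facebook\.com$`) rather than rely on a bare substring.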
OSPFv3
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:1::1/48
R1
ipv6 router ospf 100
router-id 1.1.1.1
exit
interface fastEthernet 0/0
ipv6 ospf 100 area 1
interface fastEthernet 0/1
ipv6 ospf 100 area 1
int l1
ipv6 ospf 100 area 4
int l2
ipv6 ospf 100 area 4
int l3
ipv6 ospf 100 area 4
R4
ipv6 router ospf 100
Age  Seq#        Prefix
151  0x80000002  192:168:101::/48
151  0x80000002  192:168:1::/48
141  0x80000001  192:168:103::/48
141  0x80000001  172:30:6::1/128
141  0x80000001  172:30:5::1/128
141  0x80000001  172:30:4::1/128
141  0x80000001  172:30:3::1/128
141  0x80000001  172:30:2::1/128
143  0x80000001  172:30:1::1/128
143  0x80000001  192:168:3::/48
143  0x80000001  192:168:4::/48

Age  Seq#        Prefix
153  0x80000001  192:168:2::/48
143  0x80000001  192:168:103::/48
143  0x80000001  172:30:6::1/128
143  0x80000001  172:30:5::1/128
143  0x80000001  172:30:4::1/128
143  0x80000001  172:30:3::1/128
143  0x80000001  172:30:2::1/128
143  0x80000001  172:30:1::1/128
143  0x80000001  192:168:3::/48
143  0x80000001  192:168:4::/48

Age  Seq#        Prefix
143  0x80000001  192:168:101::/48
143  0x80000001  192:168:1::/48
143  0x80000001  192:168:4::/48
143  0x80000001  192:168:2::/48

Age  Seq#        Prefix
143  0x80000001  192:168:101::/48
143  0x80000001  192:168:1::/48
143  0x80000001  192:168:103::/48
143  0x80000001  172:30:6::1/128
143  0x80000001  172:30:5::1/128
143  0x80000001  172:30:4::1/128
143  0x80000001  172:30:3::1/128
143  0x80000001  172:30:2::1/128
143  0x80000001  172:30:1::1/128
143  0x80000001  192:168:3::/48
143  0x80000001  192:168:2::/48
R3
R3#sh ipv6 route ospf
IPv6 Routing Table - 35 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
ASA1
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 37 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 172:10:1::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:2::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:3::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:4::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:5::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OI 172:10:6::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
OE1 172:20:1::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:2::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:3::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:4::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:5::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:6::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:3::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:4::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:5::1/128 [110/10]
Diagram:-
R2
ipv6 unicast-routing
int fastEthernet 0/0
no shutdown
ipv6 add 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login lo
exit
username shiva privilege 15 secret shiva
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 192:168:102::1/48
R5
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:101::111/48
no shutdown
ipv6 route ::/0 192:168:1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login lo
exit
username shiva privilege 15 secret shiva
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:10::1/48
!
interface GigabitEthernet0/2
nameif outside
ASA1(config)# sh xlate
5 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192:168:1::1/128 to outside:101:1:1::100/128
flags s idle 0:02:20 timeout 0:00:00
NAT from dmz1:192:168:10::100/128 to outside:101:1:1::103/128
flags s idle 0:01:55 timeout 0:00:00
NAT from dmz2:192:168:20::100/128 to outside:101:1:1::104/128
flags s idle 0:01:50 timeout 0:00:00
NAT from inside:192:168:101::1/128 to outside:101:1:1::101/128
flags s idle 0:02:14 timeout 0:00:00
Dynamic
ASA1
object network obj_net_inside
subnet 192:168:1::/48
object network obj_net_inside_lan
subnet 192:168:101::/48
object network obj_net_dmz1_lan
subnet 192:168:10::/48
object network obj_net_dmz2_lan
subnet 192:168:20::/48
object network obj_net_dpool
range 101:1:1::101 101:1:1::104
object network obj_net_inside
nat (inside,outside) dynamic obj_net_dpool
object network obj_net_inside_lan
nat (inside,outside) dynamic obj_net_dpool
object network obj_net_dmz1_lan
nat (dmz1,outside) dynamic obj_net_dpool
object network obj_net_dmz2_lan
nat (dmz2,outside) dynamic obj_net_dpool
ASA1
PAT
object network obj_net_inside
subnet 192:168:1::/48
object network obj_net_inside_lan
subnet 192:168:101::/48
object network obj_net_dmz1_lan
subnet 192:168:10::/48
object network obj_net_dmz2_lan
subnet 192:168:20::/48
!
object network obj_net_inside
nat (inside,outside) dynamic interface ipv6
object network obj_net_inside_lan
nat (inside,outside) dynamic interface ipv6
object network obj_net_dmz1_lan
nat (dmz1,outside) dynamic interface ipv6
object network obj_net_dmz2_lan
nat (dmz2,outside) dynamic interface ipv6
access-list out extended permit icmp6 any object obj_net_inside
access-list out extended permit icmp6 any object obj_net_inside_lan
ASA1
Identity NAT
object network obj_net_192:168:101::0
subnet 192:168:101::/48
object network obj_net_192:168:102::0
subnet 192:168:102::/48
ASA1
Twice NAT
object network obj_net_101:1:1::0
subnet 101:1:1::/48
object network obj_net_192:168:102::0
subnet 192:168:102::/48
object network obj_net_101:1:1::111
host 101:1:1::111
object network obj_net_101:1:1::222
host 101:1:1::222
nat (inside,outside) source dynamic any obj_net_101:1:1::111 destination static obj_net_101:1:1::0 obj_net_101:1:1::0
nat (inside,outside) source dynamic any obj_net_101:1:1::222 destination static obj_net_192:168:102::0 obj_net_192:168:102::0
access-list out extended permit icmp6 any any
access-group out in interface outside
R1#ping 101:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R1#ping 101:1:1::1 so
R1#ping 101:1:1::1 source f
R1#ping 101:1:1::1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101:1:1::1, timeout is 2 seconds:
Packet sent with a source address of 192:168:101::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R1#
R1#pin
R1#ping 192:168:102::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:102::1, timeout is 2 seconds:
!!!!!
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 101:1:1::1/48
no shutdown
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
https://[101:1:1::100]
webvpn
port 9090
enable outside
webvpn
port 9090
enable outside
port-forward admin 2222 192:168:10::100 ssh
port-forward admin 2323 192:168:10::100 telnet
port-forward admin 8080 192:168:10::100 www
port-forward admin 8181 192:168:10::100 https
port-forward mgmt 2222 192:168:20::100 ssh
port-forward mgmt 2323 192:168:20::100 telnet
port-forward mgmt 8080 192:168:20::100 www
port-forward mgmt 8181 192:168:20::100 https
group-policy admin_policy internal
group-policy admin_policy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
port-forward name admin
port-forward enable admin
group-policy mgmt_policy internal
group-policy mgmt_policy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
port-forward name mgmt
port-forward auto-start mgmt
tunnel-group admin_group type remote-access
tunnel-group admin_group general-attributes
default-group-policy admin_policy
tunnel-group admin_group webvpn-attributes
group-alias ADMIN_GROUP enable
webvpn
tunnel-group-list enable
BGP Messages
BGP Tables
BGP States
BGP Terminology
BGP Lab
BGP Messages
Open
Keep Alive
Update
Notification
Open
BGP sends the Open message over TCP port 179.
It contains: 1. Version
2. My AS
3. Router ID
4. Hold time (default 180 sec)
Keep Alive
BGP sends a periodic keepalive every 60 sec.
Update
When two routers become BGP neighbours they send Update messages to each other.
It contains: 1. Routes
2. Route attributes
Route Attributes
These are the criteria used to select the best route.
They are also called rich metrics.
Notification
When a neighbour is reset, it sends a Notification message.
It contains the cause of the reset.
BGP implemented within an AS is called iBGP.
BGP implemented between ASes is called eBGP.
BGP Tables
Neighbour Table
BGP Table
Routing Table
BGP States
Idle
Connect
Open Sent
Open Confirm
Establish
1. Idle
It means the router is searching for a neighbour.
2. Connect
It means the TCP three-way handshake is complete.
3. Open Sent
It means the Open message has been sent.
4. Open Confirm
It means the Open acknowledgement has been received.
5. Establish
It means the neighbourship is complete.
Next-hop-self
Route-reflector-client
EBGP-Multi-hop
Max-path
Source-update
BGP-redistribute Internal
Next-hop-self
When a BGP edge router learns external routes, it advertises them to its iBGP neighbours with the next hop unchanged (the default). To solve this problem we use next-hop-self: this command forces the router to send its own IP address as the next hop to its iBGP neighbours.
Initial-config
R1
interface Loopback1
ip address 192.10.1.1 255.255.255.0
!
interface Loopback2
ip address 192.10.2.1 255.255.255.0
!
interface Loopback3
ip address 192.10.3.1 255.255.255.0
!
interface Loopback4
ip address 192.10.4.1 255.255.255.0
!
interface Loopback5
ip address 192.10.5.1 255.255.255.0
!
interface Loopback6
ip address 192.10.6.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
ASA1
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# neighbor 192.168.1.1 remote-as 100
ASA1(config-router-af)# neighbor 192.168.2.1 remote-as 100
ASA1(config-router-af)# neighbor 192.168.3.1 remote-as 200
ASA1(config-router-af)# neighbor 192.168.4.1 remote-as 100
ASA1(config-router-af)# network 192.168.1.0
ASA1(config-router-af)# network 192.168.2.0
ASA1(config-router-af)# network 192.168.3.0
ASA1(config-router-af)# network 192.168.4.0
ASA1# sh bgp neighbors
BGP neighbor is 192.168.1.1, context single_vf, remote AS 100, internal link
BGP version 4, remote router ID 192.10.6.1
BGP state = Established, up for 00:02:20
Last read 00:00:19, last write 00:00:56, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
BGP Authentication
ASA1(config-router-af)# neighbor 192.168.1.1 password shiva
R1(config-router)#neighbor 192.168.1.2 password shiva
R1#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:00:44
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:00:44
B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:00:44
R2#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:08:47
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:08:47
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:08:47
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:09:02
R4
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.35.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.103.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:12:43
R3
R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:22:24
B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:00:47
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
Note: BGP is out of the scope of this book; this book is specially designed for the ASA.
If you want to know which commands are working or available, please have a look below.
.........Thanks....
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
changeto context c1
router ei 100
no au
net 192.168.101.0
redistribute static metric 1 1 1 1 1
R1
router ei 100
no auto-summary
net 0.0.0.0
ASA1/c1# sh eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100) context(c1)
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   192.168.101.100         inside      12   00:00:30 1      200  0  3
ASA1/c1# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.101.1) context(c1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2560000256
via Rstatic (2560000256/0)
P 192.168.101.0 255.255.255.0, 1 successors, FD is 2816
via Connected, inside
P 1.1.1.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.101.100 (130816/128256), inside
ASA1/c1# sh route eigrp
Routing Table: c1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.1.1.1 to network 0.0.0.0
D    1.1.1.0 255.255.255.0 [90/130816] via 192.168.101.100, 00:00:48, inside
(OSPF database output: two LSAs with Seq# 0x80000001 and checksums 0x318e and 0x5925, the second carrying tag 100; the ADV Router and Age columns were not recovered in extraction.)
Routing Table: c2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 102.1.1.1 to network 0.0.0.0
O    2.2.2.2 255.255.255.255 [110/11] via 192.168.102.100, 00:00:38, inside
Diagram:-
Initial-config
R1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ASA1/c2(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 101.1.1.100
Clustering
Clustering
Clustering Terminology
Configuration Replication
ASA Cluster Management
ASA Features and Clustering
Centralized Features
Performance Throughput
Clustering
Clustering lets you group multiple ASAs together as a single logical device.
Note: ASA OS 9.2 raised the cluster size to 16 members: the ASA 5585-X now supports 16-unit
clusters, and a spanned EtherChannel used for clustering supports 32 active links.
Clustering Terminology
Master Unit
Slave Unit
New Connection Ownership
ASA Cluster Interfaces & Modes
Cluster Control Link
High Availability within the ASA Cluster
Data Path Connection State Replication
Master Unit
1. The first unit on which you configure clustering becomes the master unit.
2. You perform all configuration on the master unit only; the configuration is then
replicated to the slave units.
3. Only the bootstrap configuration is entered on every unit, master and slaves alike.
Master Unit Election
1. When you enable clustering on a unit, it broadcasts an election request every 3 seconds.
2. If after 45 seconds the unit has not received a response from another unit with a higher
priority, it becomes the master.
3. If multiple units tie for the highest priority, the cluster unit name and then the serial
number are used to determine the master.
4. If a unit later joins the cluster with a higher priority, it does not automatically become the
master unit; the existing master unit always remains the master unless it stops
responding, at which point a new master unit is elected.
Note: You can manually force a unit to become the master. For centralized features, if you force a
master unit change, all connections are dropped and you have to re-establish them
on the new master unit.
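The election rules above, as an added example that is not part of the book or of Cisco's implementation: a toy model in Python of the rank order (priority, then cluster unit name, then serial number) and of the no-pre-emption rule, where a late-joining unit with a better priority does not displace a live master. The unit names and serials are made up, and the tie-break direction (a lower priority value, then a lexically lower name and serial, wins) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ELECTION_REQUEST_INTERVAL_S = 3   # a unit broadcasts an election request every 3 s
ELECTION_WAIT_S = 45              # and claims master after 45 s without a better answer


@dataclass(frozen=True)
class Unit:
    name: str        # cluster unit name (unique within a real cluster)
    priority: int    # ASA priority 1-100; assumption here: a lower value is a higher priority
    serial: str      # chassis serial number


def election_rank(unit: Unit) -> Tuple[int, str, str]:
    """Tie-break order from the text: priority, then cluster unit name, then serial.
    The direction (lower name/serial wins) is an assumption for this toy."""
    return (unit.priority, unit.name, unit.serial)


def elect_master(candidates: List[Unit]) -> Optional[Unit]:
    """Election among units that all came up together: the best rank wins."""
    return min(candidates, key=election_rank) if candidates else None


class ClusterControl:
    """Tracks who is master and applies the no-pre-emption rule."""

    def __init__(self) -> None:
        self.units: Dict[str, Unit] = {}
        self.responding: Dict[str, bool] = {}
        self.master: Optional[str] = None

    def _live(self) -> List[Unit]:
        return [u for u in self.units.values() if self.responding[u.name]]

    def join(self, unit: Unit) -> Optional[str]:
        """A unit enables clustering. It only becomes master if there is no
        responding master; a higher priority never displaces a live master."""
        self.units[unit.name] = unit
        self.responding[unit.name] = True
        if self.master is None or not self.responding[self.master]:
            winner = elect_master(self._live())
            self.master = winner.name if winner else None
        return self.master

    def stop_responding(self, name: str) -> Optional[str]:
        """Keepalives from a unit stop; if it was the master, a new election runs."""
        self.responding[name] = False
        if self.master == name:
            winner = elect_master(self._live())
            self.master = winner.name if winner else None
        return self.master

    def force_master(self, name: str) -> str:
        """Manual master change. For centralized features every connection is
        dropped and must be re-established on the new master."""
        if name not in self.units or not self.responding[name]:
            raise ValueError(f"{name} is not a responding cluster member")
        self.master = name
        return name
```

The operational consequence is the one the note states: bringing a new, higher-priority unit into a healthy cluster changes nothing until you force the change, and forcing it costs every centralized-feature connection.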
Slave Unit
When clustering is enabled on the other units, they join the cluster as slaves, or we can configure
Spanned EtherChannel
Interfaces on multiple members of the cluster are grouped into a single EtherChannel.
Unit health monitoring
The master unit monitors every slave unit by sending keepalive messages over the cluster
control link periodically (the period is configurable).
Each slave unit monitors the master unit using the same mechanism.
Interface monitoring
Each unit monitors the link status of all hardware interfaces in use, and reports status changes to the
master unit.
Spanned EtherChannel: uses cluster Link Aggregation Control Protocol (cLACP). Each unit
monitors the link status and the cLACP protocol messages to determine whether the port is still
active in the EtherChannel. The status is reported to the master unit.
Individual interfaces (Routed mode only): each unit self-monitors its interfaces and reports
interface status to the master unit.
Configuration Replication
All units in the cluster share a single configuration, except for the initial bootstrap configuration, which is entered on each unit.
Connection Roles
There are 3 different ASA roles defined for each connection:
Owner: The unit that initially receives the connection. The owner maintains the TCP state
and processes packets. A connection has only one owner.
Director: The unit that handles owner lookup requests from forwarders and also maintains
the connection state to serve as a backup if the owner fails. When the owner receives a new
connection, it chooses a director based on a hash of the source/destination IP address and
TCP ports, and sends a message to the director to register the new connection. If packets
arrive at any unit other than the owner, the unit queries the director about which unit is the
owner so it can forward the packets. A connection has only one director.
Forwarder: A unit that forwards packets to the owner. If a forwarder receives a packet for a
connection it does not own, it queries the director for the owner, and then establishes a
flow to the owner for any other packets it receives for this connection. The director can also
be a forwarder. Note that if a forwarder receives the SYN-ACK packet, it can derive the
owner directly from a SYN cookie in the packet, so it does not need to query the director (if
you disable TCP sequence randomization, the SYN cookie is not used; a query to the director
is required). For short-lived flows such as DNS and ICMP, instead of querying, the forwarder
immediately sends the packet to the director, which then sends it to the owner. A
connection can have multiple forwarders; the most efficient throughput is achieved by a
1. The SYN packet originates from the client and is delivered to an ASA (based on the load
balancing method), which becomes the owner. The owner creates a flow, encodes owner
information into a SYN cookie, and forwards the packet to the server.
2. The SYN-ACK packet originates from the server and is delivered to a different ASA (based on
the load balancing method). This ASA is the forwarder.
3. Because the forwarder does not own the connection, it decodes owner information from the
SYN cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the
owner.
4. The owner sends a state update to the director, and forwards the SYN-ACK to the client.
5. The director receives the state update from the owner, creates a flow to the owner, and
records the TCP state information as well as the owner. The director acts as the backup
owner for the connection.
6. Any subsequent packets delivered to the forwarder will be forwarded to the owner.
7. If packets are delivered to any additional units, it will query the director for the owner and
establish a flow.
8. Any state change for the flow results in a state update from the owner to the director.
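The eight-step handshake above, as an added example that is not part of the book and not Cisco's code: a Python toy of the owner, director and forwarder roles. It shows why the connection key must be direction-independent (every unit has to hash both directions of a flow to the same director), how a forwarder reads the owner out of the SYN-ACK without a director query, why disabling TCP sequence randomization forces that query, and how the backup owner takes over when the owner fails. The unit names, the SHA-256 director hash, the 4-bit owner field in the ISN and the "next unit in the ring" backup rule are all illustrative assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ConnKey = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: Optional[int] = None   # present on the server's SYN-ACK: client ISN + 1

    def key(self) -> ConnKey:
        # Direction-independent key: every unit, whichever direction of the
        # flow it sees, must hash to the same director.
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        return (a, b) if a <= b else (b, a)


class Cluster:
    OWNER_BITS = 4   # assumption: owner index in the low 4 bits of the ISN (up to 16 units)

    def __init__(self, units: List[str], tcp_seq_randomization: bool = True) -> None:
        self.units = list(units)
        self.seq_rand = tcp_seq_randomization
        self.owned: Dict[str, Set[ConnKey]] = {u: set() for u in units}
        self.director_tbl: Dict[str, Dict[ConnKey, str]] = {u: {} for u in units}
        self.fwd_flows: Dict[str, Dict[ConnKey, str]] = {u: {} for u in units}
        self.director_queries = 0

    def director_for(self, key: ConnKey) -> str:
        """Director = hash of source/destination IPs and ports (hash choice is an assumption)."""
        digest = hashlib.sha256(repr(key).encode()).digest()
        return self.units[int.from_bytes(digest[:4], "big") % len(self.units)]

    def backup_owner(self, key: ConnKey, owner: str) -> str:
        """The director is the backup owner unless it is the owner itself, in
        which case (assumption) the next unit in the ring stands in."""
        director = self.director_for(key)
        if director != owner:
            return director
        return self.units[(self.units.index(owner) + 1) % len(self.units)]

    def _isn(self, owner: str) -> int:
        """Toy SYN cookie: a random-looking 32-bit ISN whose low bits name the owner."""
        base = int.from_bytes(hashlib.sha256(owner.encode()).digest()[:4], "big")
        return (base & ~((1 << self.OWNER_BITS) - 1)) | self.units.index(owner)

    def receive_syn(self, unit: str, pkt: Packet) -> Optional[int]:
        """Steps 1, 4 and 5: the receiving unit becomes owner, the director records
        the owner as backup state, and the owner picks the ISN it sends on.
        Returns None when TCP sequence randomization is off (no cookie possible)."""
        key = pkt.key()
        self.owned[unit].add(key)
        self.director_tbl[self.director_for(key)][key] = unit
        return self._isn(unit) if self.seq_rand else None

    def receive_packet(self, unit: str, pkt: Packet) -> Tuple[str, str]:
        """Any later packet. Returns (role this unit plays, owner of the connection)."""
        key = pkt.key()
        if key in self.owned[unit]:
            return "owner", unit
        if key in self.fwd_flows[unit]:
            return "forwarder", self.fwd_flows[unit][key]     # step 6: flow already set up
        owner = ""
        if pkt.ack is not None and self.seq_rand:
            # Step 3: the SYN-ACK acknowledges ISN+1, so the owner is read from the cookie.
            idx = (pkt.ack - 1) & ((1 << self.OWNER_BITS) - 1)
            if idx < len(self.units):
                owner = self.units[idx]
        if not owner:
            # Step 7 (or no usable cookie): ask the director. A director that
            # receives the packet answers itself but is still a forwarder.
            self.director_queries += 1
            owner = self.director_tbl[self.director_for(key)].get(key, "")
            if not owner:
                return "unknown", ""   # nobody owns it: a real cluster drops it or treats it as new
        self.fwd_flows[unit][key] = owner
        return "forwarder", owner

    def owner_failed(self, failed: str) -> List[Tuple[ConnKey, str]]:
        """Backup owners take over the failed unit's connections; forwarding
        flows that pointed at the dead unit are flushed and rebuilt on demand."""
        taken = []
        for tbl in self.director_tbl.values():
            for key, owner in list(tbl.items()):
                if owner == failed:
                    new_owner = self.backup_owner(key, failed)
                    tbl[key] = new_owner
                    self.owned[new_owner].add(key)
                    taken.append((key, new_owner))
        self.owned[failed].clear()
        for flows in self.fwd_flows.values():
            flows.clear()
        return taken
```

Two design points carry over to the real device: the director hash has to be computed identically on every unit from a canonical form of the flow, and the SYN cookie is only an optimisation, so any feature that removes it (such as disabling sequence randomization) shifts load onto the director for every asymmetrically routed SYN-ACK.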
Unsupported Features
The following features are not supported with clustering:
Unified Communications
Remote access VPN (SSL VPN and IPsec VPN)
The following application inspections:
CTIQBE
GTP
H323, H225, and RAS
IPsec passthrough
MGCP
MMP
RTSP
SIP
SCCP (Skinny)
WAAS
WCCP
Centralized Features
The following features are only supported on the master unit, and are not scaled for the cluster. For
example, you have a cluster of eight units (5585-X with SSP-60). The Other VPN license allows a
maximum of 10,000 IPsec tunnels for one ASA 5585-X with SSP-60. For the entire cluster of eight
units, you can only use 10,000 tunnels; the feature does not scale. For centralized features, if the
master unit fails, all connections are dropped, and you have to re-establish the connections on the
new master unit.
Site-to-site VPN
The following application inspections:
DCERPC
NetBios
PPTP
RADIUS
RSH
SUNRPC
TFTP
XDMCP
Dynamic routing (spanned EtherChannel mode only)
Multicast routing (individual interface mode only)
Static route monitoring
IGMP multicast control plane protocol processing (data plane forwarding is distributed
across the cluster)
PIM multicast control plane protocol processing (data plane forwarding is distributed across
the cluster)
Authentication and Authorization for network access. Accounting is decentralized.
Filtering Services
Performance Throughput
When sizing a cluster, expect roughly the following fractions of the summed single-unit figures:
70% of the combined throughput
60% of the maximum connections
50% of the connections per second
For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of real
world firewall traffic when running alone.
For a cluster of 8 units the combined figure is 8 x 10 = 80 Gbps, so expect approximately 70% of
80 Gbps: 56 Gbps.
For a cluster of 16 units the combined figure is 16 x 10 = 160 Gbps, so expect approximately 70% of
160 Gbps: 112 Gbps.
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip address 192.168.101.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/1
no shutdown
ip address 192.168.102.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1 Master Bootstrap Configuration
cluster interface-mode spanned force
interface Port-channel1
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Port-channel2
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
ASA1(config)# prompt hostname cluster-unit
B:********************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
ASA1/B# sh cluster conn
Usage Summary In Cluster:*********************************************
17 in use, stub connection 0 in use (cluster-wide aggregated)
B(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
A:********************************************************************
9 in use, 10 most used, stub connection 0 in used, 0 most used
(EtherChannel status table: Protocol column up for every entry; ports active, including Fa0/2 and Po2; four entries act/unsup. The remaining columns were not recovered in extraction.)
Management of ASA
ASA as DHCP
ASA as DHCP Relay Agent
Disable Fragmentation on ASA
Enabling uRPF on ASA
EtherChannel
Redundant Interface
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip address 192.168.101.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
no ip address
R3
interface fastEthernet 0/0
no shutdown
ip address 101.1.1.1 255.255.255.0
interface loopback 1
ip address 102.1.1.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip address 192.168.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ASA1(config)# sh xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:02:49 timeout 0:00:00
ICMP PAT from inside:1.1.1.1/6 to outside:101.1.1.100/6 flags ri idle 0:00:02 timeout 0:00:3
ASA1(config)# ip verify reverse-path interface inside
R1#ping 101.1.1.1 source loopback 1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
......
ASA1# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:04:15 timeout 0:00:00
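Why the pings from R1's loopback stop once "ip verify reverse-path interface inside" is on, as an added example that is not part of the book: a Python model of the strict reverse-path check the ASA performs, run against a constructed routing table for this lab (192.168.101.0/24 connected on inside, 101.1.1.0/24 connected on outside, default route via 101.1.1.1 on outside). The source 1.1.1.1 matches only the default route, whose egress is outside, so a packet carrying it on inside fails the check; adding a route for 1.1.1.0/24 via R1 on inside makes it pass. The table, packets and function names are assumptions for illustration; the example also goes beyond the text by showing the same check catching an inside address spoofed from the outside.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    interface: str
    next_hop: Optional[str] = None   # None for connected routes


class Fib:
    """Longest-prefix-match lookup, the same lookup the ASA uses for the reverse path."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        for r in self.routes:
            if ip in r.prefix:
                return r
        return None


def strict_urpf(fib: Fib, ingress: str, src: str) -> Tuple[bool, str]:
    """Strict uRPF: the best route to the *source* address must point back out
    the interface the packet arrived on. No route at all also fails."""
    route = fib.lookup(src)
    if route is None:
        return False, f"{src}: no route to source, drop"
    if route.interface != ingress:
        return False, (f"{src}: reverse path is {route.prefix} via {route.interface}, "
                       f"arrived on {ingress}, drop")
    return True, f"{src}: reverse path {route.prefix} via {ingress}, pass"


def filter_packets(fib: Fib, urpf_ifaces: Set[str], packets):
    """Apply the check only on interfaces where ip verify reverse-path is enabled."""
    results = []
    for ingress, src, dst in packets:
        if ingress in urpf_ifaces:
            ok, why = strict_urpf(fib, ingress, src)
        else:
            ok, why = True, f"{src}: uRPF not enabled on {ingress}, pass"
        results.append((ingress, src, dst, ok, why))
    return results


def lab_fib(with_loopback_route: bool = False) -> Fib:
    """Constructed routing table for the lab above (an assumption, not output from the book)."""
    routes = [
        Route(IPv4Net("192.168.101.0/24"), "inside"),
        Route(IPv4Net("101.1.1.0/24"), "outside"),
        Route(IPv4Net("0.0.0.0/0"), "outside", "101.1.1.1"),
    ]
    if with_loopback_route:
        # equivalent of: route inside 1.1.1.0 255.255.255.0 192.168.101.100
        routes.append(Route(IPv4Net("1.1.1.0/24"), "inside", "192.168.101.100"))
    return Fib(routes)


PACKETS = [  # constructed: (ingress interface, source, destination)
    ("inside", "1.1.1.1", "101.1.1.1"),           # R1's loopback ping from the text
    ("inside", "192.168.101.100", "101.1.1.1"),   # R1's connected address
    ("outside", "192.168.101.5", "101.1.1.100"),  # inside address spoofed from the outside
]

if __name__ == "__main__":
    for row in filter_packets(lab_fib(), {"inside"}, PACKETS):
        print(row[4])
```

The check is only as good as the routing table: strict uRPF on an interface behind which there are networks the ASA does not have routes for (here R1's loopback) drops legitimate traffic, which is exactly what the empty ping output and the vanished ICMP PAT xlate show. Fix the route, not the check.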
ASA AS DHCP
ASA1(config)# dhcpd address 192.168.10.100-192.168.10.254 dmz1
ASA1(config)# dhcpd enable dmz1
ASA1(config)# dhcpd option 3 ip 192.168.10.1
R2
interface FastEthernet0/0
no shutdown
ip address dhcp
R2#sh ip int brief
Interface           IP-Address        OK?  Method  Status   Protocol
FastEthernet0/0     192.168.10.100    YES  DHCP    up       up
FastEthernet0/1     unassigned        YES  NVRAM   up       up
R2#sh ip route static
ASA1# show dhcpd binding
IP Address        Client Identifier                                                   Lease expiration   Type
192.168.10.100    0063.6973.636f.2d30.3031.662e.3965.3566.2e38.3036.302d.4661.302f.30
(lease expiration and type columns were not recovered in extraction)
ASA as DHCP Relay Agent
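The Client Identifier the ASA prints in its binding table is DHCP option 61 in dotted hex: the first byte is the hardware type (0 for an opaque identifier, 1 for an Ethernet MAC), and Cisco IOS clients send type 0 followed by the ASCII string "cisco-<mac>-<interface>". A decoder for that column, as an added example that is not part of the book, with the second (Ethernet-style) identifier and the regular-expression name being constructed for illustration:

```python
import re
from typing import Dict

# IOS client identifier body: "cisco-" + dotted MAC + "-" + interface short name
CISCO_ID = re.compile(r"^cisco-([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})-(.+)$")


def dotted_hex_to_bytes(dotted: str) -> bytes:
    """'0063.6973.636f' -> b'\\x00cisco'. Tolerates a trailing short group."""
    clean = dotted.replace(".", "").strip().lower()
    if len(clean) % 2 or not re.fullmatch(r"[0-9a-f]*", clean):
        raise ValueError(f"malformed client identifier: {dotted!r}")
    return bytes.fromhex(clean)


def decode_client_identifier(dotted: str) -> Dict[str, str]:
    """Split option 61 into hardware type and body, and recognise the common layouts."""
    raw = dotted_hex_to_bytes(dotted)
    if not raw:
        raise ValueError("empty client identifier")
    htype, body = raw[0], raw[1:]
    info: Dict[str, str] = {"htype": str(htype)}
    if htype == 1 and len(body) == 6:
        info["kind"] = "ethernet-mac"
        info["mac"] = ":".join(f"{b:02x}" for b in body)
    elif htype == 0:
        try:
            text = body.decode("ascii")
        except UnicodeDecodeError:
            info["kind"] = "opaque"
            info["hex"] = body.hex()
            return info
        info["kind"] = "opaque-text"
        info["text"] = text
        m = CISCO_ID.match(text)
        if m:
            info["kind"] = "cisco-ios"
            info["mac"] = m.group(1)
            info["interface"] = m.group(2)
    else:
        info["kind"] = "other"
        info["hex"] = body.hex()
    return info


# Identifier from the binding table above (R2's FastEthernet0/0)
BINDING_CLIENT_ID = ("0063.6973.636f.2d30.3031.662e.3965.3566."
                     "2e38.3036.302d.4661.302f.30")

if __name__ == "__main__":
    print(decode_client_identifier(BINDING_CLIENT_ID))
```

Decoding the binding above yields "cisco-001f.9e5f.8060-Fa0/0", which is how you tie a lease back to a device and port when auditing the pool. The identifier is entirely client-supplied, so treat it as a label, never as an authentication factor: any host can present a spoofed client-id and collect or exhaust leases on the dmz1 pool.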
Active-Standby IPv6 FO
Active-Standby FO
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface FastEthernet0/0
ipv6 address 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
!
R2
ipv6 unicast-routing
interface FastEthernet0/0
R3#telnet 101:1:1::100
Trying 101:1:1::100 ... Open
R1>
ASA1
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key shiva
failover replication http
failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02
failover mac address GigabitEthernet0/2 0000.0c07.ac03 0000.0c07.ac04
Note: the failover key encrypts the traffic on the failover and stateful failover links. That traffic
carries the replicated configuration, including any usernames, passwords and pre-shared keys, so
without a key it all crosses the link in clear text. Use a strong key (not the interface name, as in this
lab), configure the same key on both units, and keep the failover link on a dedicated, physically
protected segment.
ASA1
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: y
Cryptochecksum: e120f795 a8075185 3bbb3555 55f80897
3836 bytes copied in 0.720 secs
Proceed with reload? [confirm]
ASA1(config)#
ASA2
ASA1(config)# sh failover
Active-Active IPv6 FO
ASA1/c1(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ipv6 local pool inside 192:168:101::111/48 10
ipv6 local pool outside 101:1:1::111/48 10
!
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:101::1/48 cluster-pool inside
!
interface GigabitEthernet0/1
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48 cluster-pool outside
!
access-list out extended permit icmp6 any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface ipv6
access-group out in interface outside
ipv6 route outside ::/0 101:1:1::1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ASA1/c2(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ASA1/stby(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:02:42 UTC Oct 11 2014
Group 2 last failover at: 19:02:44 UTC Oct 11 2014
This host: Secondary
Group 1
State:
Standby Ready
Active time: 0 (sec)
Group 2
State:
Active
Active time: 536 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:102): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:201): Normal (Monitored)
Other host: Primary
Group 1
State:
Active
Active time: 539 (sec)
Group 2
State:
Standby Ready
Active time: 3 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Normal (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:202): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj     xmit    xerr    rcv     rerr
General          21      0       26      0
ASA1/act(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:13:41 UTC Oct 11 2014
Group 2 last failover at: 19:02:44 UTC Oct 11 2014
This host: Secondary
Group 1
State:
Active
Active time: 25 (sec)
Group 2
State:
Active
Active time: 682 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Waiting)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Waiting)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Waiting)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:201): Normal (Waiting)
Other host: Primary
Group 1
State:
Failed
Active time: 658 (sec)
Group 2
State:
Failed
Active time: 3 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Unknown (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:102): Unknown (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Unknown (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:202): Unknown (Monitored)
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/4 (up)
Stateful Obj     xmit    xerr    rcv     rerr
General          36      0       41      2
sys cmd          31      0       30      0
up time          0       0       0       0
RPC services     0       0       0       0
TCP conn         0       0       0       0
UDP conn         0       0       0       0
ARP tbl          0       0       0       0
Xlate_Timeout    0       0       0       0