Re: [OSL | CCIE_Security] Query on Management interface
Hi,

Well, the interface has to be advertised to other devices using a routing protocol, or at least other devices should know where that loopback is located. The rest of it is just a matter of defining which protocols are allowed to that specific interface.

Mike

Date: Fri, 2 Mar 2012 12:45:23 +0530
From: k.dav...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Query on Management interface

Hi all,

I have a small query. How is the management interface used for in-band access to a device? Is it the logical loopback interface? I am reading the online study material Cisco IOS hardening from the Cisco website.

--
Regards
Kshitij Dave

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
[OSL | CCIE_Security] IPSEC VRF Aware
Does anybody have a good document that explains this topic? Maybe with a topology and so on? The documents that I have found so far are either complex and not related to VPN, or the syntax is incomplete or incorrect. I have been banging my head over this topic and I can't seem to find a way to make it work.

Mike
Re: [OSL | CCIE_Security] IPSEC VRF Aware
Hey,

I have an issue where VPN is not that magic... Here are the two configs. One side (without VRFs on it) encrypts; the other side (with VRFs) decrypts, but does not encrypt. I get the following log:

*Mar 2 18:02:37.569: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= outside/136.1.100.1, src_addr= 150.4.4.1, prot= 1

Configs attached.

From: fawa...@gmail.com
Date: Fri, 2 Mar 2012 18:16:11 -0500
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html

This link has a lot of good examples for whichever kind of IPsec-aware VRF you are using.

FNK

On Fri, Mar 2, 2012 at 5:36 PM, Mike Rojas mike_c...@hotmail.com wrote:

Does anybody have a good document that explains this topic? Maybe with a topology and so on? The documents that I have found so far are either complex and not related to VPN, or the syntax is incomplete or incorrect. I have been banging my head over this topic and I can't seem to find a way to make it work.

Mike

Attached configs:

Success rate is 0 percent (0/10)
R4#
R4#sh run
Building configuration...

Current configuration : 1257 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 15
!
dot11 syslog
!
ip cef
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 136.1.136.3
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside 10 ipsec-isakmp
 set peer 136.1.136.3
 set transform-set L2L
 match address L2L
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 150.4.4.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 136.1.0.4 255.255.255.0
 duplex auto
 speed auto
 crypto map outside
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 136.1.0.0 0.0.0.255 area 0
 network 150.4.4.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list extended L2L
 permit ip 150.4.4.0 0.0.0.255 136.1.100.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 2 1000
!
end

R3#sh run
Building configuration...

Current configuration : 1684 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
!
no ip cef
!
ip vrf inside
!
ip vrf outside
!
ip domain name ine.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
crypto keyring outside vrf outside
  pre-shared-key address 136.1.0.4 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile L2L
   vrf outside
   keyring outside
   match identity address 136.1.0.4 255.255.255.255 outside
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside 10 ipsec-isakmp
 set peer 136.1.0.4
 set transform-set L2L
 set isakmp-profile L2L
 match address L2L
!
interface FastEthernet0/0
 ip vrf forwarding outside
 ip address 136.1.136.3 255.255.255.0
 duplex auto
 speed auto
 crypto map outside
!
interface FastEthernet0/1
 ip vrf forwarding inside
 ip address 136.1.100.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.136.1
ip route vrf outside 0.0.0.0 0.0.0.0 136.1.136.1
ip route vrf inside 150.4.4.1 255.255.255.255 136.1.136.1
!
ip http server
no ip http secure-server
!
ip access-list extended L2L
 permit ip 136.1.100.0 0.0.0.255 150.4.4.0 0.0.0.255
!
access-list 199 permit icmp any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 2 1000
!
end
Re: [OSL | CCIE_Security] IPSEC VRF Aware
Hey Kingsley and Eugene,

Essentially it is just to understand the technology better. Sometimes when you just complete a task and don't fully understand how the technology works, then when they change the task a little bit and you don't have the foundations right, it is like starting all over again. But yes, mainly I understand that VRFs have their own routing table. In the configs I sent, the keyring was not the problem, as Phase 1 was up and running with no issues; what I am confused about is how the packets are going to be sent out to the IVRF. When I look at the router which has the VRFs set, on the outside I can see the packets being decrypted, but I cannot see anything being encrypted. Not quite sure if the association made on the ISAKMP profile, IVRF vs FVRF, is going to do the trick, but I am willing to test it out one more time.

Thanks a lot for the inputs.

Mike

From: eug...@koiossystems.com
To: kingsley.char...@gmail.com
CC: mike_c...@hotmail.com; fawa...@gmail.com; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
Date: Sat, 3 Mar 2012 07:21:06 +

So, my findings in Mike's config are correct then? ;)

From: Kingsley Charles kingsley.char...@gmail.com
Date: Sat, 3 Mar 2012 12:30:03 +0530
To: Eugene Pefti eug...@koiossystems.com
Cc: Mike Rojas mike_c...@hotmail.com, fawa...@gmail.com, ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware

You need some good effort to understand VPN with VRFs. Each VRF has its own routing table, and that's where we need to start working. We have the Internal VRF (IVRF) that connects the internal network (LAN) and the FVRF (Front VRF) that connects to the internet (public network). The following are the use cases.

1. Local VPN router has only IVRF and the external network is connected using global routing:
   IVRF Router --- Global Routing Router
   Configure IVRF in the VRF command under ISAKMP profiles, and a route in the VRF for the peer using the global keyword.

2. Local VPN router has IVRF and the external network is in FVRF. Here IVRF = FVRF:
   IVRF Router --- FVRF Router
   Configure IVRF in the VRF command under ISAKMP profiles, and a route in the VRF for the peer using the global keyword. Configure FVRF with the crypto keyring and match identity under the ISAKMP profile.

3. Local VPN router has IVRF and the external network is in FVRF. Here IVRF != FVRF:
   IVRF Router --- FVRF Router
   Configure IVRF in the VRF command under ISAKMP profiles, and a route in the VRF for the peer using the global keyword. Configure FVRF with the crypto keyring and match identity under the ISAKMP profile. Here you need to tweak the routing table. For this use the following method, which I have discussed in this link: https://learningnetwork.cisco.com/message/184180#184180

The ones that I have highlighted are key things that you should always remember while configuring VPN with VRF. First classify whether there is IVRF or FVRF or both of them, and then configure it.

With regards
Kings

On Sat, Mar 3, 2012 at 9:32 AM, Eugene Pefti eug...@koiossystems.com wrote:

I took one more careful look into your configs, Mike, and two things jumped into my eyes.

1. As Kingsley recently mentioned, named keyrings don't always work well, and I confirmed it, but there was no consistency in this. One time the named keyring worked, the other time it didn't.

2. If you look at the crypto isakmp profile section you'll see VRF outside referenced twice. As far as I understand, the first statement vrf VRF_NAME should refer to the internal VRF and the second one (at the end of match identity address) should specify the outside VRF name. So, I'd rewrite your crypto isakmp profile as follows:

crypto isakmp profile L2L
   vrf inside
   keyring outside
   match identity address 136.1.0.4 255.255.255.255 outside

Take a look at these two guides:
https://supportforums.cisco.com/docs/DOC-13524
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec.html#wp1054317

Eugene

From: Mike Rojas mike_c...@hotmail.com
Date: Fri, 2 Mar 2012 17:55:47 -0600
To: fawa...@gmail.com
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
Re: [OSL | CCIE_Security] IPX task 4.6 Easy VPN server with reverse route injection and distance of 15
Hello Eugene,

If the VPN server has the route of the VPN client connected in the routing table, you should be able to redistribute it to the router that is intended to be the destination. I am not aware of the topology nor the task you are at, but if the server has the route, it is just a matter of redistributing it and making sure the destination knows where to send the packets when the destination address is the pool of the VPN client.

Mike

From: eug...@koiossystems.com
To: kingsley.char...@gmail.com
Date: Sun, 4 Mar 2012 04:42:28 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IPX task 4.6 Easy VPN server with reverse route injection and distance of 15

Hi Kings

Of course I have the virtual-template interface referenced in the isakmp profile. The problem is gone after I reloaded the router. I don't know what happened to the router. The line protocol on the virtual-access interface was up but the protocol was always down.

Sent from iPhone

On Mar 3, 2012, at 8:14 PM, Kingsley Charles kingsley.char...@gmail.com wrote:

It's not reverse route adding a route on the client. Reverse route is used to add a route on the server only, pointing towards the client. You need to add a virtual template on the server.

With regards
Kings

On Sun, Mar 4, 2012 at 5:38 AM, Eugene Pefti eug...@koiossystems.com wrote:

It's me again, baffled over almost the same topic. Here we go again. I have a tunnel from a PC to R4 acting as EzVPN server. The PC is able to reach hosts defined by the split ACL, i.e.

R4:
ip access-list extended EZVPN-SPLIT
 permit ip 10.4.4.0 0.0.0.255 any

crypto isakmp client configuration group CCIE
 domain cisco.com
 pool EZVPN-POOL
 acl EZVPN-SPLIT

crypto ipsec profile IPSEC-PROF
 set transform-set ESP-3DES-MD5
 set reverse-route distance 2
 set isakmp-profile ISA-PROF

The PC has a route to the 10.4.4.0 network because I do reverse route injection in the IPsec profile:

Active Routes on the PC:
Network Destination    Netmask            Gateway       Interface     Metric
0.0.0.0                0.0.0.0            10.10.12.1    10.10.12.13   20
8.0.0.0                255.0.0.0          8.9.100.2     8.9.100.2     20
8.9.100.2              255.255.255.255    127.0.0.1     127.0.0.1     20
8.255.255.255          255.255.255.255    8.9.100.2     8.9.100.2     20
10.4.4.0               255.255.255.0      8.9.100.2     8.9.100.2     1

But when I configure R8 as EzVPN remote client I fail to reach 10.4.4.0, because neither R4 nor R8 injects the network in question into the routing table. The R8 crypto section looks as follows:

crypto ipsec client ezvpn EZVPN
 connect manual
 group REMOTE key cisco123
 mode client
 peer 192.168.8.4
 virtual-interface 8
 username ciscouser password cisco123
 xauth userid mode local

interface Loopback8
 ip address 8.8.8.8 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside

interface FastEthernet0/1
 ip address 192.168.8.8 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN

interface Virtual-Template8 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4

What am I missing while doing it?

Eugene

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Eugene Pefti
Sent: 02 March 2012 19:46
To: CCIE Security Maillist
Subject: [OSL | CCIE_Security] IPX task 4.6 Easy VPN server with reverse route injection and distance of 15

Hello folks,

Sorry for me being very inquisitive about every step in the IP Experts solution guide, but I want to understand the logic and, what is most important, why one would in real life introduce the distance of 15 to the Easy VPN client network. To be more precise, the task says: R4 should see the route to the remote client with the distance of 15. The solution guide advises us to redistribute static routes into RIP. RIP runs on the router but it doesn't participate in routing updates with any peer, and moreover, setting this distance under the crypto ipsec profile takes care of it without configuring the RIP protocol:

crypto ipsec profile IPSEC-PROF
 set reverse-route distance 15

R4#show ip route
S    8.9.100.2/32 [15/0] via 10.10.12.13, Virtual-Access2

Eugene
Re: [OSL | CCIE_Security] Per User TACACs settings
Hi Marta,

Yeah. Basically, for the TACACS settings where there is a box to check Exec and then add the value for privilege level, I am only able to see that at the group level, not under User. On the ACS at work (where I do most of my labs) I can see it under each user. On the Interface Configuration, I am sure that I already enabled it, but I can't see it. Is there something else that I need to put?

Date: Tue, 6 Mar 2012 10:03:02 +0100
Subject: Re: [OSL | CCIE_Security] Per User TACACs settings
From: marta.sokolow...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Mike,

I'm not sure if I understand your question correctly, but to be able to see TACACS settings in the ACS Interface Configuration section, you have to have at least one network device added as a TACACS+ AAA Client (in Network Configuration).

Marta Sokolowska.

2012/3/6 Mike Rojas mike_c...@hotmail.com

How do I make the TACACS settings appear on the host? I tried checking the box on the Interface Configuration, however, no go.

Cheers!
Mike
Re: [OSL | CCIE_Security] Per User TACACs settings
Hello Marta,

Let me give it a try tonight. I will let you know.

Mike Rojas
Security Technical Lead

Date: Wed, 7 Mar 2012 11:12:53 +0100
Subject: Re: [OSL | CCIE_Security] Per User TACACs settings
From: marta.sokolow...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Check if you have Interface Configuration > Advanced Options > Per-user TACACS+/RADIUS Attributes marked. After turning it on, you'll see separate columns (for User and for Group) in Interface Configuration > TACACS+ (Cisco). Mark the specific TACACS option in the User column and it should be visible in User settings.

I've just checked my fresh ACS installation (with the default config) and I had to follow these steps to see TACACS options in user settings:

1. Add a network device as TACACS+ AAA Client (in Network Configuration).
2. Turn on Interface Configuration > Advanced Options > Per-user TACACS+/RADIUS Attributes (after that, separate User and Group columns are available in Interface Configuration > TACACS+ (Cisco)).
3. Turn on Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features (optional).
4. Mark the specific option in Interface Configuration > TACACS+ (Cisco) (after this step you should see this option in User settings).

I hope it will be helpful for you.

Marta Sokolowska.

2012/3/7 Mike Rojas mike_c...@hotmail.com

Hi Marta,

Yeah. Basically, for the TACACS settings where there is a box to check Exec and then add the value for privilege level, I am only able to see that at the group level, not under User. On the ACS at work (where I do most of my labs) I can see it under each user. On the Interface Configuration, I am sure that I already enabled it, but I can't see it. Is there something else that I need to put?
Re: [OSL | CCIE_Security] NHRP map multicast
When you finish the tunnel configuration... make sure that on the left you have the tunnel IP and on the right you have the interface IP... that's when I know I did it right :P...

From: pi...@howto.pl
Date: Fri, 16 Mar 2012 08:24:01 +0100
To: joeastorino1...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] NHRP map multicast

I think this is to keep those commands straight :) I think this way. All NHRP map commands are like 'ip nhrp map priv public', so that on spokes you have:

ip nhrp map 172.16.1.1 100.1.1.1

to map between the private and public IP address of the hub. And you also have (in case of mGRE on the spoke) the command:

ip nhrp map multicast 100.1.1.1

where multicast is just a keyword specifying the priv part. Similarly on the hub you have:

ip nhrp map multicast dynamic

which means send all multicast traffic to the dynamically learnt public (NBMA) IP addresses of your spokes (from the NHRP DB). I know, this is not enough of a technical answer :) Also, note that sending mcast traffic over a multipoint interface must have some replication features enabled. In this case you instruct the router to send mcast traffic to the hub's public IP, and this must be the tunnel destination IP, I suppose.

Regards,
Piotr

2012/3/16 Joe Astorino joeastorino1...@gmail.com

Can anybody shed some light on understanding why the ip nhrp map multicast command on a spoke maps to the public NBMA IP and not the tunnel IP of the hub? I understand that it is used so that any broadcasts/multicasts sent out the interface get sent to the hub only; just trying to understand why the NBMA address is used. Any tips on how you keep straight which NHRP commands use the tunnel IP vs the NBMA IP?

--
Sent from my mobile device

Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
He not busy being born is busy dying - Dylan
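The hub and spoke tunnel configuration below is an added example that is not from the thread; it reuses Piotr's addresses (hub tunnel 172.16.1.1, hub NBMA 100.1.1.1) and assumes a spoke at tunnel 172.16.1.2 / NBMA 100.1.1.2, the interface names, the tunnel key and the NHRP authentication string. It puts every NHRP command next to a comment saying which address family it takes, which is the rule of thumb Joe asked for.

```cisco
! Added example. Rule of thumb: a command that names a peer INSIDE the overlay
! (ip nhrp nhs, the left side of ip nhrp map) takes the tunnel IP; a command that
! tells the router WHERE TO PHYSICALLY SEND a packet (the right side of ip nhrp map,
! ip nhrp map multicast) takes the NBMA IP. Multicast has no overlay destination to
! resolve, so the map multicast entry can only be an NBMA address.
!
! ---- Hub: tunnel 172.16.1.1, NBMA 100.1.1.1 (WAN interface name is assumed) ----
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ! NBMA side: replicate multicast to every NBMA address learnt from spoke registrations
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
! ---- Spoke: tunnel 172.16.1.2, NBMA 100.1.1.2 (mGRE, so Phase 2 spoke-to-spoke works) ----
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ! tunnel IP (left) -> NBMA IP (right): the static resolution for the hub
 ip nhrp map 172.16.1.1 100.1.1.1
 ! NBMA IP: where broadcast/multicast (routing protocol hellos) is actually delivered
 ip nhrp map multicast 100.1.1.1
 ! tunnel IP: the next-hop server is addressed inside the overlay, then resolved via the map above
 ip nhrp nhs 172.16.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
```

On the hub, show ip nhrp should list each spoke's tunnip with its registered NBMA address, and show ip nhrp multicast shows the NBMA addresses that the dynamic entry currently replicates to.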
Re: [OSL | CCIE_Security] ASA Multiple context
NO, wait wait. The Admin context is from where you can manage your device... some sort of like the management interface on a single-context ASA... whereas you actually assign the resources on the System context... don't mix them up...

Regarding your question, yes indeed it is needed to have an admin context; you can't configure any other context you want until you define the admin one. You will get the other configuration on flash once you actually configure something on it... Otherwise, it won't appear on flash. It is not until you actually make some modifications to the context that you actually see the file on flash.

Hope it helps.

Mike

From: d...@craddock.us
To: salloum.a...@gmail.com
Date: Sat, 17 Mar 2012 12:23:19 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ASA Multiple context

The admin context is basically there to assign the physical resource to the virtual ASA, so you have to have it. The file system is not case sensitive, so both admin and Admin are the same.

Sent from Moxier Mail (http://www.moxier.com)

- Original Message -
From: Aous SAlloum salloum.a...@gmail.com
To: ccie security ccie_security@onlinestudylist.com
Sent: 3/17/2012 11:52 AM
Subject: [OSL | CCIE_Security] ASA Multiple context

Hello Dears,

I am trying to configure an ASA with multi-context.

1. Is it mandatory to have the admin-context admin keyword? Or can I create any two contexts like con1 and con2 and make one of them the admin, like admin-context con1, without having a context named admin?

2. If I have two contexts: context Admin config-url disk0:/Admin.cfg, and another one: context admin config-url disk0:/admin.cfg, and then I am getting only admin.cfg in the show flash, does it mean both are sharing the same config-url, or what? I am not very clear about it :(

Appreciate your help.
[OSL | CCIE_Security] IPS Question Regarding event action filters.
Hi All,

This is something I just thought of. When you get an exercise that says exempt loopback blah from triggering any action on the virtual sensor blah, do I actually need to configure 2 event action filters, right? One for it being the attacker and the other one for it being the victim? Is this correct?

Cheers,
Mike
[OSL | CCIE_Security] IPS Rate Limiting
Hello,

Another question (I know, getting a little bit annoying, but I guess some others may have the same doubts). In regard to the configuration of the blocking device when using SSH, you either have to do a bunch of stuff configuring authorization (in case you don't have an enable password) or configure an enable password. Now, I've been using Proctor Labs, where they say please don't even do it, don't put enable passwords... so I ended up doing the AAA, the whole 9 yards. My question is... on the exam, if no further hints are given, shall we put just an enable password?

Mike.
[OSL | CCIE_Security] Shell Exec Authorization with Radius
So here is something else that I find really concerning. There was an exercise that said... authorize user Blah and make sure that the user falls into privilege level 12. Do not change anything on the group. So I figured that it has to do with the Cisco AV pair boxes under the ACS, right. I didn't really remember the command to put the user on the privilege... Off hand, I remembered that it was something like:

priv-lvl=12

Tested it and it worked fine. However, in the solution, the correct command is:

shell:priv-lvl=12

Any idea why it worked if the attribute value was not in the right syntax? (By the way, the user showed the privilege fine, and if I removed it, the user never got into exec mode.)

Mike
[OSL | CCIE_Security] Anybody Having problems accessing workbooks at IPexpert?
Re: [OSL | CCIE_Security] Anybody Having problems accessing workbooks at IPexpert?
Thanks Joe,

Weird stuff... well, lost afternoon :(... Thanks for checking.

Mike

Date: Sun, 18 Mar 2012 17:57:26 -0400
Subject: Re: [OSL | CCIE_Security] Anybody Having problems accessing workbooks at IPexpert?
From: joeastorino1...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hi Mike,

I just tested my volume 1 workbooks and they opened fine after the usual authentication.

On Sun, Mar 18, 2012 at 5:04 PM, Mike Rojas mike_c...@hotmail.com wrote:

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
He not busy being born is busy dying - Dylan
Re: [OSL | CCIE_Security] GET VPN IPSEC Mode
Joe,

This is the only thing related to transport mode fragmentation that I found. RFC 2401:

    If required, IP fragmentation occurs after IPsec processing within an IPsec implementation. Thus, transport mode AH or ESP is applied only to whole IP datagrams (not to IP fragments). An IP packet to which AH or ESP has been applied may itself be fragmented by routers en route, and such fragments MUST be reassembled prior to IPsec processing at a receiver.

Now, I am guessing that, taking out those reserved bits that are not used in this mode, it is still subject (as any other packet) to being bigger than 1500 bytes. I think the statement should say "IPsec transport mode MAY suffer from fragmentation and reassembly. Thus it should not be used where applications can be sensitive to them."

Something funny: there was the exact same question, and there was no answer for it. Anyway... if someone has any other better explanation, it would be greatly appreciated.

Mike

Date: Sun, 18 Mar 2012 18:48:55 -0400
Subject: Re: [OSL | CCIE_Security] GET VPN IPSEC Mode
From: joeastorino1...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Thanks Mike! From that document, I have found the answer:

    It is worth noting that tunnel header preservation seems very similar to IPsec transport mode. However, the underlying IPsec mode of operation is IPsec tunnel mode. While IPsec transport mode reuses the original IP header and therefore adds less overhead to an IP packet (5% for IMIX packets; 1% for 1400-byte packets), IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in deployments where encrypted or clear packets might require fragmentation.

Now, the ultimate question would be: OK, why does transport mode suffer from IP fragmentation and reassembly limitations? But hm. Do I care that much today?! : )

On Sun, Mar 18, 2012 at 6:43 PM, Mike Rojas mike_c...@hotmail.com wrote:

Hello Joe,

Back on the SNRS version, yes, there is a new IP header inserted on the packet, but it is exactly the same as the first one. So it would be like this:

[Original IP_Header] [ESP Header] [Original IP_Header] [Payload]

Based on the documents that I have, it was done this way in order to mitigate routing overlay and to preserve QoS and multicast capabilities. Check the following doc:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

And look for: 1.2.2 Tunnel Header Preservation

Mike

Date: Sun, 18 Mar 2012 18:01:25 -0400
From: joeastorino1...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] GET VPN IPSEC Mode

So, I'm a bit confused. Just started reading about GET VPN, and in Yusuf's book Network Security Technologies Solutions there is a diagram that shows an IP packet after GET VPN encapsulation, and it is basically IPsec transport mode, as follows:

[IP Header] [ESP] [DATA]

Then today I am reading the 12.4T configuration guide for GETVPN and it contradicts this, saying that it is actually TUNNEL mode but the outer and inner IP headers are identical. See http://www.cisco.com/en/US/i/11-20/170001-18/170001-171000/170836.jpg

So they are saying it looks like this:

[IP Header2] [ESP] [IP Header 1] [DATA]

where both IP headers are identical copies. Which is it? It seems from further research that the DOC CD is correct, but I want to make sure. Further, if that IS the case, why in the world would they use a second IP header that is identical in tunnel mode instead of just using IPsec transport mode as described in the book?

Thanks everybody!

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
He not busy being born is busy dying - Dylan
Re: [OSL | CCIE_Security] GDOI Multicast Key Server ID
Hi,

The GET VPN is able to connect without the IP address of the server specified. That was the trick; now the tricky part is that for redundancy (if they asked you) you need to configure the IP address of the server in order for the cluster to be up, and then you remove it. The output should appear with 0.0.0.0.

Mike

Date: Thu, 22 Mar 2012 01:36:39 +0300
From: salloum.a...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] GDOI Multicast Key Server ID

Hello,

I am configuring GET VPN using multicast. If in the exam they ask me to match the output, and the key server ID in show crypto gdoi ks members is 0.0.0.0, how should my configuration look? Now when I do show crypto gdoi ks members the output is showing Key Server ID: 22.22.22.22 (what shall I do to make it appear as 0.0.0.0?)

crypto gdoi group GET
 identity number 1
 server local
  rekey address ipv4 105
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa CISCO
  address ipv4 22.22.22.22
  sa ipsec 1
   profile ipsec.prof
   match address ipv4 106
   replay counter window-size 64

(ACL 105 is for multicast, 22.22.22.22 is my KS IP address, and ACL 106 is for the interesting traffic.)
Re: [OSL | CCIE_Security] aaa authentication secure-http-client doesn't work with virtual http
What happened to me (and the lab is still up) is the fact that it does work: it does authenticate and downloads the ACL fine, BUT on the client itself authentication says it failed, while it actually doesn't on the ASA. Weird stuff..

Mike

From: eug...@koiossystems.com
To: kingsley.char...@gmail.com; ccie_security@onlinestudylist.com
Date: Thu, 22 Mar 2012 08:37:38 +
Subject: Re: [OSL | CCIE_Security] aaa authentication secure-http-client doesn't work with virtual http

Aren't you falling into one of those limitations laid out in the guide: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html#wp1043431 (see the section "Enabling Secure Authentication of Web Clients")? Or do you refer to the fact that it does work on its own and with "aaa authentication listener" but doesn't work with "virtual http"? I know for sure, as I tested and confirmed the former method, but don't have any comments on the latter.

Eugene

From: Kingsley Charles kingsley.char...@gmail.com
Date: Thu, 22 Mar 2012 12:13:04 +0530
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] aaa authentication secure-http-client doesn't work with virtual http

Hi

ASA's "aaa authentication secure-http-client" doesn't work with "virtual http". Any comments?

With regards
Kings
[OSL | CCIE_Security] DMVPN Phase 2
Hello All,

So this is something fun, check this out:

  Router 1 (Hub) 172.1.0.1
  |
  172.1.0.2
  |
  Router2 (Spoke)
  ASA
  |
  |
  IPS
  |
  Router6 172.1.0.4
  |
  Router4 (Spoke)
  |

So I was playing around and said, hey, in Phase 2 it requires the spokes to create on-demand tunnels without having to pass across the hub, right? So I am going to play mean and won't let the ASA pass that traffic. Then I tried to ping from Router 2 to the protected network on Router 4, and it worked. I was like, well, this is a bitter disappointment; however, it did try to build the tunnel, it didn't care, but instead I am assuming that it went to the hub and relayed the traffic there. Here are the outputs:

Router2

  44.0.0.0/24 is subnetted, 1 subnets
  D       44.44.44.0 [90/28288000] via 172.1.0.4, 00:01:40, Tunnel0

  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  192.168.3.11    192.168.4.11    QM_IDLE           2002 ACTIVE
  192.168.64.4    192.168.4.11    MM_NO_STATE          0 ACTIVE

In case you guys have any comments or can explain it better, cuz this clearly kills my theory of how this works... :P

Cheers,
Mike
[OSL | CCIE_Security] GETVPN with Multicast rekey
In case you are interested :D http://sites.google.com/site/amitsciscozone/home/ipsec/get-vpn-rekey-using-multicast

Mike
[OSL | CCIE_Security] Key Server as Group member
Hi All,

I have a question. I configured the KS as GM but it is not working; it gives me the following error:

  *Apr 13 20:07:54.903: ISAKMP:(0): Invalid phase 1 SA response!
  *Apr 13 20:07:54.903: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.6.6 remote 10.6.6.1)
  *Apr 13 20:07:54.903: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 3: construct_fail_ag_init
  *Apr 13 20:07:54.903: ISAKMP:(0): sending packet to 10.6.6.1 my_port 848 peer_port 848 (I) MM_NO_STATE
  *Apr 13 20:07:54.903: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 13 20:07:54.903: ISAKMP:(0):peer does not do paranoid keepalives.

I just added the following:

  crypto isakmp policy 10
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key cisco address 0.0.0.0 0.0.0.0
  !
  crypto gdoi group dmvpn_gdoi
   identity number 2
   server address ipv4 10.6.6.1
  !
  crypto map outside 10 gdoi
   set group dmvpn_gdoi
  !
  crypto map outside      (applied on the interface)

However, I get the mentioned error. Is there something special that needs to be added?

Mike
Re: [OSL | CCIE_Security] Key Server as Group member
Never mind, I think Yusuf had a typo... cuz on the output from the group members appears the loopback of another router and not router6, and the next question requires those guys that you configured on the previous question to be part of DMVPN. Sorry for the spam.

Mike

From: mike_c...@hotmail.com
To: ccie_security@onlinestudylist.com
Date: Fri, 13 Apr 2012 20:01:43 -0600
Subject: [OSL | CCIE_Security] Key Server as Group member
Re: [OSL | CCIE_Security] Formula to calculate Burst value
I have a big question with these kinds of exercises. The majority of questions that I have seen (INE, IPexpert and Yusuf) most likely want you to restrict the traffic to a certain value, but in very few cases do they ask you to configure the Bc, Tc and the other values. I guess my question is, if not specified, what should we do, do we leave it as it is? Or do we apply the values that appear on the doc? Cuz I would expect that the question would say something like "use the values recommended" or something about the values...

Mike

Date: Mon, 23 Apr 2012 22:01:02 +0530
From: kingsley.char...@gmail.com
To: joeastorino1...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Formula to calculate Burst value

Tc is involved in both shaping and policing. With policing, Tc is the seconds for which tokens are put in the bucket.

With regards
Kings

On Mon, Apr 23, 2012 at 7:26 PM, Joe Astorino joeastorino1...@gmail.com wrote:

The formulas for calculating the Bc and Be for policing are how you have defined them, but I would be careful with the use of the term Tc when dealing with policing. Tc is generally a term that applies to traffic shaping and not traffic policing. Why? What does Tc do for us? With a shaper, Tc is a static defined interval of time. As you know, each Tc interval we get to add Bc tokens to the bucket to use. Traffic policing does not work the same way, contrary to popular belief. With traffic policing, the token bucket is refreshed based on a function of 2 things: the CIR value and the amount of time passed since the last packet was received. It has nothing to do with Tc. My point is simply that Tc is not involved with the calculations of traffic policing, as it is a concept that applies to traffic shaping.

On Sun, Apr 22, 2012 at 12:32 PM, Kingsley Charles kingsley.char...@gmail.com wrote:

Hi all

The following is how we calculate Bc for QoS MQC policing and TCP rate-limiting. Now for ZPF policing, which formula should be used? I need a Cisco doc for confirmation.

Policing:
  Tc = 0.25 secs
  Bc = CIR/8 * 0.25 = CIR/32
  Be = Bc, if not specified

TCP rate-limiting:
  Tc = 1.5 secs
  Bc = CIR/8 * 1.5
  Be = 2 * Bc

With regards
Kings

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
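As an added example (it is not part of the thread and not IOS code), the burst formulas Kings posted and the arrival-driven bucket refresh Joe describes, in Python. `default_bc` is CIR/8 * Tc (CIR/32 with the 0.25 s figure), `tcp_ratelimit_burst` uses the 1.5 s and 2 * Bc figures for TCP rate-limiting, and `SingleRatePolicer` refills the bucket on each packet by (seconds since the previous packet) * CIR/8, capped at Bc, with no Tc interval anywhere in the policer. The CIR and the packet trace are constructed; the policer is a model of a single-rate, single-bucket (conform/exceed) policer, and it says nothing about which formula ZPF uses, which is the open question in the thread.

```python
def default_bc(cir_bps, tc_seconds=0.25):
    """Bc in bytes = CIR/8 * Tc; with the 0.25 s figure from the thread this is CIR/32."""
    return int(cir_bps / 8 * tc_seconds)


def default_be(bc):
    """Be = Bc when nothing else is specified (the thread's figure for MQC policing)."""
    return bc


def tcp_ratelimit_burst(cir_bps):
    """(Bc, Be) using the TCP rate-limiting figures from the thread: Tc 1.5 s, Be = 2 * Bc."""
    bc = int(cir_bps / 8 * 1.5)
    return bc, 2 * bc


class SingleRatePolicer:
    """Single-rate, single-bucket policer (conform / exceed).

    There is no Tc timer here: on every packet arrival the bucket gains
    (seconds since the previous packet) * CIR / 8 bytes, capped at Bc, which is
    the arrival-driven refresh Joe describes. A packet conforms if the bucket
    holds at least its size and then pays for it; otherwise it exceeds and the
    bucket is left untouched.
    """

    def __init__(self, cir_bps, bc=None):
        self.cir = cir_bps
        self.bc = default_bc(cir_bps) if bc is None else bc
        self.tokens = float(self.bc)  # bucket starts full
        self.last_arrival = None

    def offer(self, size_bytes, now):
        if self.last_arrival is not None:
            refill = (now - self.last_arrival) * self.cir / 8
            self.tokens = min(float(self.bc), self.tokens + refill)
        self.last_arrival = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def run_policer(cir_bps, packets, bc=None):
    """packets: list of (arrival_time_seconds, size_bytes) in arrival order."""
    policer = SingleRatePolicer(cir_bps, bc)
    return [policer.offer(size, when) for when, size in packets]


# Constructed trace: 8 kbit/s CIR gives Bc = 250 bytes, so a 200-byte and a 100-byte
# packet arriving together cannot both conform; 100 ms later 100 bytes have been earned,
# and after a full second of silence the bucket is back at Bc (never more).
TRACE = [(0.0, 200), (0.0, 100), (0.1, 100), (1.0, 250), (1.0, 1)]

if __name__ == "__main__":
    print("Bc for 128 kbit/s:", default_bc(128_000), "bytes; Be:", default_be(default_bc(128_000)))
    print("TCP rate-limit burst for 128 kbit/s:", tcp_ratelimit_burst(128_000))
    print("8 kbit/s policer:", run_policer(8_000, TRACE))
    print("Bc smaller than the packet (always exceeds):", run_policer(8_000, [(0.0, 1500)], bc=100))
```

The last line is the practical caveat behind "what if the question does not specify Bc": a Bc smaller than the largest packet you expect means that packet can never conform, however idle the link has been, so a deliberately tiny burst value is a way to break traffic rather than rate-limit it.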
[OSL | CCIE_Security] Selective packet discard
You never know, and since they are hidden commands, I think you would like to have the path to find the document:

  HOME > SUPPORT > PRODUCT SUPPORT > ROUTERS > CISCO 12000 SERIES ROUTERS > TROUBLESHOOT AND ALERTS > TROUBLESHOOTING TECHNOTES > Understanding Selective Packet Discard (SPD)

Cheers,
Mike
Re: [OSL | CCIE_Security] Selective packet discard
Ohhh yeah, I am talking about the path; at the end, in order to find docs, we need to go through the path, don't we?

Mike

From: fawa...@gmail.com
Date: Mon, 23 Apr 2012 22:22:29 -0400
Subject: Re: [OSL | CCIE_Security] Selective packet discard
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

All the links that you have posted are actually for Partners, so if anyone clicks on any of them it would require PARTNER level access. So it would be better to remember the path as a staircase, or remove the /partner from the URL. Try the following link (without partner):

Cisco 12000 Series Routers: Understanding Selective Packet Discard (SPD)
http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a008012fb87.shtml

FNK
Re: [OSL | CCIE_Security] Unicast reverse path forwarding
They basically do the same, but "ip verify unicast reverse-path" is going to be deprecated and IOS will start using only "ip verify unicast source reachable-via", where you can put any or rx or even an ACL.

Mike

Date: Tue, 24 Apr 2012 01:57:54 +0100
From: stalker_t...@hotmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Unicast reverse path forwarding

Hi All,

What is the difference between "ip verify unicast reverse-path" and "ip verify unicast source reachable-via rx"? I know the reverse-path command is the legacy one, but when working with the INE workbooks sometimes one is used and sometimes it's the other, but why? Is there a difference? Should one be used over the other in different scenarios?

Cheers
Tony
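To show what the rx / any / ACL choice actually changes, here is an added example in Python (a model written for this page, not IOS code): a tiny longest-prefix FIB and a `urpf_check` function that applies the strict (rx, which is what the legacy reverse-path command does), loose (any) and exemption-ACL behaviour to a source address arriving on a given interface. The prefixes, interface names and the exemption ACL are constructed; the model follows the documented behaviour that a default route only satisfies the check when allow-default is configured, that a Null0 route never does, and that a packet failing the check is still forwarded when the optional ACL permits it.

```python
import ipaddress


class Fib:
    """Tiny forwarding table: list of (prefix, outgoing interface), longest match wins.
    Constructed for the example; 'Null0' marks a discard route."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best


def urpf_check(fib, src, ingress, mode="rx", exempt_acl=None, allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default] [acl]'.

    rx  : strict. The best route to the source must point back out the ingress
          interface (the legacy 'ip verify unicast reverse-path' behaviour).
    any : loose. Any route to the source that is not a Null0 discard route suffices.
    A default route only counts when allow_default is set. A packet that fails the
    check is still forwarded when the optional ACL permits its source; else dropped.
    """
    route = fib.lookup(src)
    if route is not None and route[0].prefixlen == 0 and not allow_default:
        route = None
    if route is None or route[1] == "Null0":
        passed = False
    elif mode == "any":
        passed = True
    elif mode == "rx":
        passed = route[1] == ingress
    else:
        raise ValueError("mode must be 'rx' or 'any'")
    if passed:
        return "forward"
    if exempt_acl is not None and exempt_acl(src):
        return "forward (acl exempt)"
    return "drop"


def sample_fib():
    """Constructed routing table for the example."""
    return Fib([
        ("10.1.0.0/16", "Gi0/0"),
        ("10.2.0.0/16", "Gi0/1"),
        ("192.0.2.0/24", "Null0"),  # black-holed space
        ("0.0.0.0/0", "Gi0/2"),     # default toward the ISP
    ])


def exempt_10_1(src):
    """Stands in for an exemption ACL such as 'permit ip 10.1.0.0 0.0.255.255 any'."""
    return ipaddress.ip_address(src) in ipaddress.ip_network("10.1.0.0/16")


if __name__ == "__main__":
    fib = sample_fib()
    for src, ifc, mode in [("10.1.5.5", "Gi0/0", "rx"), ("10.1.5.5", "Gi0/1", "rx"),
                           ("10.1.5.5", "Gi0/1", "any"), ("192.0.2.9", "Gi0/1", "any"),
                           ("203.0.113.7", "Gi0/2", "rx")]:
        print(f"{src:>12} on {ifc} mode {mode:>3}: {urpf_check(fib, src, ifc, mode)}")
    print("asymmetric but exempt:", urpf_check(fib, "10.1.5.5", "Gi0/1", exempt_acl=exempt_10_1))
```

The second and third cases are the ones that decide which keyword a workbook task wants: a legitimately asymmetric return path on Gi0/1 is dropped by rx and accepted by any, so rx belongs on access edges where routing is symmetric and any on multihomed transit links where it is not; the Null0 case shows that loose mode still drops spoofed packets sourced from black-holed space.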
[OSL | CCIE_Security] Port Filter for Control Plane
Hi All,

I have the following question:

  Class Map type port-filter match-any CLOSED-PORTS (id 1)
    Match not port tcp 3020
    Match not port udp 3020
    Match not port udp 3040
    Match not port tcp 3040
    Match closed-ports

  Prot  Local Address  Foreign Address  Service  State
  tcp   *:23           *:0              Telnet   LISTEN

If I try to telnet to the router, the connection gets dropped, but if I change the class map to match-all instead of match-any, the connection is established. I don't understand why, though, as with match-all I would assume it is the same thing as the zone-based firewall, where the packet must contain the criteria in the class map itself. Anyways, a little clarification would be appreciated.

Cheers,
Mike
Re: [OSL | CCIE_Security] Selective packet discard
You are right, I remember logging on to Service Provider Edge Routers... :D Thanks Eugene...

Mike

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; fawa...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Selective packet discard
Date: Wed, 25 Apr 2012 00:56:41 +

I'd insert "Service Provider Edge Routers" between "Routers" and "Cisco 12000 Edge Routers" in the below path. The question is whether we'll have the documentation as if we log on as partners or not?

Eugene

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Mike Rojas
Sent: Tuesday, April 24, 2012 11:11 AM
To: fawa...@gmail.com
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Selective packet discard

  HOME > SUPPORT > PRODUCT SUPPORT > ROUTERS > CISCO 12000 SERIES ROUTERS > TROUBLESHOOT AND ALERTS > TROUBLESHOOTING TECHNOTES > Understanding Selective Packet Discard (SPD)
Re: [OSL | CCIE_Security] Does the IOS CA Server have a web interface for certificate creation
Ben,

Besides the GUI from the IDM, you are not going to be allowed to use any (exam purposes), but in regards to the real-life scenario I have not seen any.

Mike

Date: Thu, 26 Apr 2012 01:42:30 +1000
From: veeduby...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Does the IOS CA Server have a web interface for certificate creation

Hi All

One of the things I like about the ASA CA server is that it has a web interface to be able to create certificate signing requests for client computers. There is also the ability to add these requests via the CLI with the 'user-db' function. Considering I believe it will be an IOS CA we will be asked to create in the lab exam and not a CA on an ASA, I have been looking to see if the IOS CA has the same feature in v12.4, so that a client computer can enrol with the CA and receive a certificate without needing to install the Cisco VPN Client to create the CSR or use some other convoluted method such as via IIS. Can anyone tell me if there is such a feature within the IOS CA that allows certificates to be created for client computers via the CLI like there is in the ASA CA?

Thanks
Ben
[OSL | CCIE_Security] Lab 13 IPexpert
Hi,

I have a couple of questions just starting lab 13 of IPexpert. In regards to the failover unit poll time, it says to configure it to be half of the default. The solution says that the default is 1 second, with which I tend to differ:

  Unit Poll frequency 15 seconds, holdtime 45 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds

In the solution, what he modifies is the unit poll time.

Second, if you read the firewall interface configuration part, the show command is incomplete. If you do a "show interface | include|System" without being in the context itself, you are not going to see the output as expected. As per the show command exhibit, it is being taken from the ASA system context; otherwise, it would show (by default) hostname and context name, which would rule out two different configuration questions: 1) that the device is indeed in multiple context mode and 2) the names of the contexts to be configured. Is this how they do the questions on the lab?

Mike
Re: [OSL | CCIE_Security] Lab 13 IPexpert
I was not questioning the tests and the reason why the value was changed to 500 msec. I was more confused about the default values of the unit poll time. The question is very clear on what value to change; I got confused when I looked at the answer, that it was 500 msec if the unit poll time was a total of 15 seconds. I got confused on the values, as they changed from the old PIX to the ASA firewall.

PIX firewall:
  Unit Poll frequency 15 seconds, holdtime 45 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 0 of 250 maximum

ASA firewall:
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 0 of 250 maximum

Even though the following document states that it is for PIX and ASA firewalls, that is not entirely true: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml The values (as well as the example) should be for the PIX; although the commands are almost the same, the timers change. http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html

But thanks for the documentation.

Mike

Date: Tue, 1 May 2012 08:35:09 +0530
Subject: Re: [OSL | CCIE_Security] Lab 13 IPexpert
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

The interface health monitoring only takes 1/2 of the holdtime. The criterion of unit health monitoring is not receiving three consecutive hellos. Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1042444

Unit Health Monitoring

The security appliance determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, the unit sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive. The action that the security appliance takes depends upon the response from the other unit. See the following possible actions:

• If the security appliance receives a response on the failover interface, then it does not fail over.
• If the security appliance does not receive a response on the failover link, but receives a response on another interface, then the unit does not failover. The failover link is marked as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down.
• If the security appliance does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts. You should monitor important interfaces, for example, you might configure one context to monitor a shared interface (because the interface is shared, all contexts benefit from the monitoring). When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:

With regards
Kings
Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions
Matt,

You can find the most regular ones here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Make sure you have cisco-av-pair enabled with these attributes:

  ipsec:key-exchange=ike
  ipsec:key-exchange=preshared-key
  ipsec:addr-pool=ippool
  ipsec:inacl=108    (only needed if you use split tunneling on the router)

Also, make sure that you have these IETF RADIUS attributes enabled:

  Attribute 6:  Service-Type=Outbound
  Attribute 64: Tunnel-Type=IP ESP
  Attribute 69: Tunnel-Password=cisco123    (this is your group password on the VPN Client)

Under Vendor Specific Attributes, you can also enable these optional attributes:

  ipsec:default-domain=
  ipsec:timeout=
  ipsec:idletime=
  ipsec:dns-servers=
  ipsec:wins-servers=

Path: HOME > SUPPORT > TECHNOLOGY SUPPORT > SECURITY AND VPN > IPSEC NEGOTIATION/IKE PROTOCOLS > CONFIGURE > CONFIGURATION EXAMPLES AND TECHNOTES

Mike

From: mman...@firstrate.com
Date: Wed, 2 May 2012 10:56:04 -0500
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

Guys,

I am trying to work through the practice VPN lab "4.8 Easy VPN with External Group Authorization and XAUTH." In regards to performing external authentication, where can I find a list/documentation for the RADIUS attributes to add to the [009\001] cisco-av-pair box under Group authentication? For example, as part of this solution I am supposed to input the following values in the [009\001] cisco-av-pair box under Group authentication:

  ipsec:tunnel-type=ESP
  ipsec:key-exchange=ike
  ipsec:inacl=170
  ipsec:save-password=1
  ipsec:addr-pool=EZPOOL2

Where can a list of these attributes be found for reference?

  ipsec:tunnel-type=
  ipsec:key-exchange=
  ipsec:inacl=
  ipsec:save-password=
  ipsec:addr-pool=

Thanks,
Matt Manire
CCSP, CCNP, CCDP, MCSE 2003, MCSE 2000
Information Systems Security Manager
mman...@firstrate.com
t: 817.525.1863 f: 817.525.1903 m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Fawad Khan
Sent: Wednesday, May 02, 2012 9:05 AM
To: Kingsley Charles
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs

No, still on AnyConnect VPN-Filter.

On Wednesday, May 2, 2012, Kingsley Charles wrote:

Are you talking about GETVPN?

With regards
Kings

On Wed, May 2, 2012 at 6:18 PM, Fawad Khan fawa...@gmail.com wrote:

There are two ways to handle that situation which you mentioned.

1. An outbound ACL on the inside/DMZ interface, so that inside hosts cannot initiate the traffic because of the unnecessary hole created by the ACL.
2. This one is not very restrictive but still better than nothing, i.e. instead of having the ACL like you mentioned:
     permit tcp <vpn ip> host 10.20.30.40 eq 23
   use this ACL:
     permit tcp <vpn ip> gt 1023 host 10.20.30.40 eq 23

FNK

On Wednesday, May 2, 2012, Kingsley Charles wrote:

ASA VPN filter is tricky, but one thing to remember is that it is directional.

  permit tcp any host 10.20.30.40 eq 23

Now this ACL will permit an outside user to connect to 10.20.30.40@23 (inbound/post-decrypt) and at the same time allow 10.20.30.40@23 (outbound/pre-encrypt) to anyone outside.

Have you tried the match ACL in the GETVPN crypto map? Seems it also bears a similar property. We can add an ACL with only deny entries; it precedes the downloaded ACL from the KS, and that traffic is bypassed. This bypass is for outbound. What about inbound? The mirror traffic should also be bypassed, right? Whether the same ACE is going to do the job... it has not been the case for me.

With regards
Kings

On Wed, May 2, 2012 at 1:54 PM, Fawad Khan fawa...@gmail.com wrote:

Not the outside network specifically; by remote I mean an IP address from the VPN pool (which from one perspective is outside of the network, but from another perspective is now part of the network after connecting to the VPN).

On Wednesday, May 2, 2012, Kingsley Charles wrote:

Is 10.X.X.0/24 the outside network? The format for vpn-filter is always "access-list name permit outside-IP outside-port inside-IP inside-port" irrespective of whatever is the direction of traffic (inbound/outbound). Is this what you said?

With regards
Kings

On Wed, May 2, 2012 at 7:21 AM, Fawad Khan fawa...@gmail.com wrote:

Matt,

As others have said, VPN-Filter will do the job.. however, as Eugene pointed out, the ACL is tricky.. remember that SOURCE in the ACL is always REMOTE (no matter who is initiating the connection). Check this
Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions
Eugene and all of the ones that have doubts about it:

This is the non-partner document (which is the same I posted before to Matt): http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

If you follow the path on the left, you will get there from the Support page without having to be logged in. If you want to check if a document is reachable, look it up on Google, or follow the same path on the left without being logged in and check if you can get there.

Mike

From: eug...@koiossystems.com
To: mman...@firstrate.com
Date: Wed, 2 May 2012 20:21:14 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

Interesting. It never occurred to me that I access that page as a partner, as my browser cached my Cisco CCO credentials. It raises a legitimate question: how can CCIE candidates get access to Cisco documentation without a partner status?

Eugene

From: Matt Manire [mailto:mman...@firstrate.com]
Sent: 02 May 2012 12:55
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

Thanks Eugene, but unfortunately I am not a partner so I can't access the site.

Matt Manire
CCSP, CCNP, CCDP, MCSE 2003, MCSE 2000
Information Systems Security Manager
mman...@firstrate.com
t: 817.525.1863 f: 817.525.1903 m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com

From: Eugene Pefti [mailto:eug...@koiossystems.com]
Sent: Wednesday, May 02, 2012 2:53 PM
To: Matt Manire; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

Take a look at this document, Matt: http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml I have never found any place in Cisco documentation where they would provide a full list of Cisco VSAs for IPsec.

Eugene
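The vpn-filter tangent in this thread (source is always the remote VPN side, and the same ACL is applied mirrored to traffic leaving toward the client) is easier to see with the four flows written out. The following is an added example in Python, a model written for this page rather than ASA code: an `Ace` is written the way the ASA wants it (remote as source, local as destination), `vpn_filter` mirrors an outbound flow before the lookup, and `scenarios` runs the loose ACL from Kings' message and Fawad's `gt 1023` variant against a client-initiated telnet, its reply, and two connections the inside host opens itself. The pool and server addresses are constructed, the ACL entries are modelled on the thread's own lines, and the model evaluates each flow description independently rather than reproducing the ASA's stateful connection handling or Fawad's first option (an outbound ACL on the inside interface).

```python
import ipaddress


def _port_ok(spec, port):
    """Port operator as in an ACE: None = any, ('eq', n), ('gt', n), ('lt', n)."""
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


class Ace:
    """One vpn-filter entry, written as the ASA requires: the remote (VPN) side
    is the source and the local (inside) side is the destination."""

    def __init__(self, action, proto, remote_net, remote_port, local_net, local_port):
        self.action, self.proto = action, proto
        self.remote, self.remote_port = ipaddress.ip_network(remote_net), remote_port
        self.local, self.local_port = ipaddress.ip_network(local_net), local_port

    def matches(self, proto, remote_ip, remote_port, local_ip, local_port):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(remote_ip) in self.remote
                and _port_ok(self.remote_port, remote_port)
                and ipaddress.ip_address(local_ip) in self.local
                and _port_ok(self.local_port, local_port))


def vpn_filter(acl, proto, src_ip, src_port, dst_ip, dst_port, direction):
    """'inbound' = packet from the VPN client (post-decrypt); 'outbound' = packet
    from the inside toward the client (pre-encrypt). Either way the ACE is compared
    with the remote end as source and the local end as destination, so an outbound
    flow is mirrored before the lookup. First match wins; implicit deny at the end."""
    if direction == "inbound":
        remote, local = (src_ip, src_port), (dst_ip, dst_port)
    elif direction == "outbound":
        remote, local = (dst_ip, dst_port), (src_ip, src_port)
    else:
        raise ValueError(direction)
    for ace in acl:
        if ace.matches(proto, remote[0], remote[1], local[0], local[1]):
            return ace.action
    return "deny"


VPN_POOL, SERVER = "10.10.10.0/24", "10.20.30.40/32"  # constructed addresses

# The ACL as first written: any client port to the server's telnet port.
LOOSE = [Ace("permit", "tcp", VPN_POOL, None, SERVER, ("eq", 23))]
# Fawad's tighter variant: the client side must use a port above 1023.
TIGHT = [Ace("permit", "tcp", VPN_POOL, ("gt", 1023), SERVER, ("eq", 23))]


def scenarios(acl):
    """Four flows through the filter. The third is the hole Kings points out: since
    the filter is mirrored for outbound traffic, the inside host may open its own
    connection to the client as long as it sources that connection from port 23."""
    return {
        "client -> server:23": vpn_filter(acl, "tcp", "10.10.10.5", 50000, "10.20.30.40", 23, "inbound"),
        "server:23 -> client (reply)": vpn_filter(acl, "tcp", "10.20.30.40", 23, "10.10.10.5", 50000, "outbound"),
        "server:23 -> client:22 (server initiates)": vpn_filter(acl, "tcp", "10.20.30.40", 23, "10.10.10.5", 22, "outbound"),
        "server:40000 -> client:23 (server initiates)": vpn_filter(acl, "tcp", "10.20.30.40", 40000, "10.10.10.5", 23, "outbound"),
    }


if __name__ == "__main__":
    for name, acl in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name)
        for flow, verdict in scenarios(acl).items():
            print(f"  {flow:<46} {verdict}")
```

The output makes the trade-off explicit: the loose ACL lets a compromised inside host reach privileged ports on the VPN client by sourcing from port 23, the `gt 1023` version closes that while still passing the legitimate session and its replies, and neither stops the inside host from sourcing port 23 toward a client port above 1023, which is why Fawad calls the second option "better than nothing" rather than a fix.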
Re: [OSL | CCIE_Security] Dot1x with voice vlan
Hi Kings,

That is lab 15, right? I did that one today. Why is it multi-domain? Shouldn't it be multi-host? I finished the lab and I have to review the solution, but it just said "If authenticated, place it on VLAN x." That is all I did. Like I said, I have to compare both configs, but I guess if not specified then just use the authenticated VLAN.

Mike

Date: Sun, 6 May 2012 01:39:07 +0530
From: kingsley.char...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Dot1x with voice vlan

Hi all

I have never got a chance to try this practically, hence theoretically I need confirmation :-)

Ok, the scenario is that the port f0/15 is carrying both data and voice. Now, I need to configure that for dot1x and hence I have put it in multi-domain mode. Now, the PC authenticates and gets the data VLAN from the ACS. No issues, it is working. What about the IP phone? Does it just authenticate and start using the voice VLAN configured on the port, or should it also download a VLAN from the ACS? Inputs please...

    interface FastEthernet0/15
     description XP PC
     switchport access vlan 49
     switchport mode access
     switchport voice vlan 500
     dot1x pae authenticator
     dot1x port-control auto
     dot1x host-mode multi-domain
     dot1x violation-mode protect
     dot1x timeout reauth-period server
     dot1x max-reauth-req 1
     dot1x reauthentication
     dot1x auth-fail vlan 490
     spanning-tree portfast

With regards
Kings
Re: [OSL | CCIE_Security] Dot1x with voice vlan
Kingsley,

Interesting, that is exactly what I was looking for: multi-domain - both a host and a voice device (like an IP phone, Cisco or non-Cisco) authenticate on an IEEE 802.1X-authorized port.

Thanks a lot for the information. Did you check the solution, is that how they configured it?

Mike

Date: Mon, 7 May 2012 10:21:54 +0530
Subject: Re: [OSL | CCIE_Security] Dot1x with voice vlan
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Multi-host mode is meant for the case where the port is connected to a hub which has many PCs connected. The first one needs to authenticate and the port is authorized. The others need not authorize. In this mode, an IP phone will be treated as a normal node.

In multi-domain, we tell the switch that there is an IP phone also connected and it should be given special treatment.

In single-host mode, only one device is allowed. Now, if you have the PC connected via the IP phone to the port, then you have two devices and the port will fall into violation mode. Thus we need to configure multi-domain mode.

Snippet from 802.1X Violation Mode, http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1376150

You can use the authentication violation interface configuration command to configure the violation mode: restrict or shutdown. In single-host mode, a security violation is triggered when more than one device is detected on the data VLAN. In multidomain authentication mode, a security violation is triggered when more than one device is detected on the data or voice VLAN. A security violation cannot be triggered in multiple-host mode or multiauthentication mode. When a security violation occurs, the port is protected depending on the configured violation action:

Shutdown - Errdisables the port; the default behavior on a port.
Restrict - The port state is unaffected. However, the platform is notified to restrict the traffic from the offending MAC address.

With regards
Kings
Re: [OSL | CCIE_Security] Dot1x with voice vlan
Hi Kings,

Thanks, I was unsure about the voice VLAN until you explained it. I'll make a note. Thanks.

Date: Mon, 7 May 2012 18:42:19 +0530
Subject: Re: [OSL | CCIE_Security] Dot1x with voice vlan
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Yes, that was the solution Mike...

With regards
Kings
Re: [OSL | CCIE_Security] IOS IPS bypassed
Did you upload the key to the router?

Mike

Date: Tue, 8 May 2012 15:02:48 -0300
From: carlos.jar...@cpmbraxis.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] IOS IPS bypassed

Hi guys,

I configured my IOS IPS the way Cisco mentioned but I get the following error:

    ios ips subscription has been bypassed

When I issue "show ip ips configuration" I see that 0 (zero) signatures have been activated and my attacks are successful. Any idea what is going on here?

Thanks!
Re: [OSL | CCIE_Security] IOS IPS bypassed
Ok, second then, did you compile the signature definition using the idconf?

Mike

Subject: RE: [OSL | CCIE_Security] IOS IPS bypassed
Date: Tue, 8 May 2012 16:51:11 -0300
From: carlos.jar...@cpmbraxis.com
To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com

Yes I did, but no progress! As I said, I see:

    Total Compiled Signatures: 0

-----Original Message-----
From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Tue 8/5/2012 16:48
To: Carlos Alberto Campos Jardim; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] IOS IPS bypassed

Did you upload the key to the router?

Mike
[OSL | CCIE_Security] DMVPN over GETVPN with multicast rekey/Different server than the Hub.
Hi,

I was doing lab 17 from IPexpert. I did the configuration accordingly and I tried to apply the crypto map for GETVPN on the same interface as the tunnel interface on the spokes. Now, checking the solution, I don't see where they applied the crypto map for the GETVPN.

Another thing that happened is that my GRE tunnel didn't come up that easily; I had to delete the tunnel like 4 times and even use another IP scheme. When I applied the capture on the ASA firewall I was able to see the GRE traffic with no issues. I am just scared that this latency would happen on the lab. I stopped there and that took me like 1 and a half of troubleshooting (plus I missed some commands for multicast traffic to work correctly).

I just wanted to check if anyone had a similar issue while configuring this lab.

Mike.
[OSL | CCIE_Security] FW: DMVPN over GETVPN with multicast rekey/Different server than the Hub.
Ohh, another question: it did say something about not encrypting the multicast rekey, and they created an ACL on the spokes and applied a match address. Would it make any difference if I applied the denies for the multicast address on the same IPsec rule as the one that is pushed from the KS?

Mike

From: mike_c...@hotmail.com
To: ccie_security@onlinestudylist.com
Subject: DMVPN over GETVPN with multicast rekey/Different server than the Hub.
Date: Wed, 9 May 2012 14:02:18 -0600
Re: [OSL | CCIE_Security] pass CCIE exam
Man, CONGRATS! Excellent for you. I'm going May 25. Best wishes from now on!!

Mike

Date: Thu, 10 May 2012 21:31:01 +0200
From: piotr.tokarzew...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] pass CCIE exam

Hi all,

I've just passed the CCIE Lab exam :) Thanks everyone for the useful information on this forum. I wish you good luck in your exams.

Regards
Piotr
CCIE 35406
[OSL | CCIE_Security] FPM example
Hi everyone,

I have the following question:

    Service-policy access-control input: STACK

      Class-map: TCP-80 (match-all)
        15 packets, 2441 bytes
        5 minute offered rate 0 bps
        Match: field IP protocol eq 6 next TCP

        Service-policy access-control : ACCESS

          Class-map: URI (match-all)
            3 packets, 1101 bytes
            5 minute offered rate 0 bps
            Match: field TCP dest-port eq 80
            Match: start TCP payload-start offset 0 size 32 string /reload
            drop

          Class-map: class-default (match-any)
            0 packets, 0 bytes
            5 minute offered rate 0 bps, drop rate 0 bps
            Match: any

      Class-map: class-default (match-any)
        6 packets, 852 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
    R1#

The exercise explained that I needed to block the GET request when someone tried to send "reload" in an HTTP packet. Note that what I did on the type stack was as simple as "match IP protocol eq 6 next TCP". Now, on the solution, it appears as 0x6, but I've seen both applied. This one in this case is showing packets there. Is this a good approach or do I need to use the hex value?

Mike
Re: [OSL | CCIE_Security] Version 4 Thoughts
I think you can still do the written if you study hard. I mean, it is something that can be done in 6-8 months... I don't think you need to re-do the CCNP. Just get the material from IPexpert, the workbooks and the labs, and I think that would do it. It covers all the info, and to make sure, grab the blueprint and go over it.

Mike

Date: Sun, 20 May 2012 13:40:44 -0400
From: jasonlmayn...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Version 4 Thoughts

Thought it was time to join the thread. Here are my thoughts around the upcoming change to v4 and my approach to it. I'd really like to hear if you would approach it another way. My timeline is 1 year from today:

- Do the written in v3 (if I can get it complete before the change)
- Start practice labs
- Redo the CCNP Security with the latest material (I believe the latest material is v4)
- Continue with practice labs
- Do the written in v4
- Continue with the practice labs
- Attempt the lab
Re: [OSL | CCIE_Security] Frame Relay in Lab
Only how routing will function into it... network types of OSPF, something in that fashion, nothing too fancy I assume.

Mike

Date: Fri, 1 Jun 2012 03:35:00 +1000
From: veeduby...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Frame Relay in Lab

Hi All

Should I expect to see some sort of frame relay backbone in the lab exam? FR isn't listed in the extended blueprint but I seem to have noticed it in the past in some topologies. I am just not sure if it is something I need to brush up on.

Thanks
Ben
Re: [OSL | CCIE_Security] FPM Question
As well, it bounces from standard to extended for different types of features inside of the IOS... In the case of FPM, in some parts, it doesn't matter if you establish the hex value or the decimal value; it will match either way. Kingsley answered that for me a couple of days ago.

Mike

From: mman...@firstrate.com
Date: Thu, 31 May 2012 17:23:35 -0500
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] FPM Question

All,

I am working through FPM right now and they keep bouncing back and forth from decimal to hex. Apparently it does not matter if we use hex or decimal in FPM. Please confirm.

Example:

    Router(config)# class-map type stack match-all ip-tcp
    Router(config-cmap)# match field ip protocol eq 0x6 next tcp
    Router(config)# class-map type stack match-all ip-udp
    Router(config-cmap)# match field ip protocol eq 0x11 next udp
    Router(config)# class-map type access-control match-all blaster1
    Router(config-cmap)# match field tcp dest-port eq 135
    Router(config-cmap)# match start l3-start offset 3 size 2 eq 0x0030
    Router(config)# class-map type access-control match-all blaster2
    Router(config-cmap)# match field tcp dest-port eq

Thanks,

Matt Manire
CCSP, CCNP, CCDP, MCSE 2003, MCSE 2000
Information Systems Security Manager
mman...@firstrate.com
t: 817.525.1863 f: 817.525.1903 m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com
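Added example, not from any of the list posts: a small Python model of the FPM policy in Mike's earlier "FPM example" post (stack class "match field IP protocol eq 6 next TCP", then the URI class matching "TCP dest-port eq 80" and "payload-start offset 0 size 32 string /reload" with a drop action) and of Matt's decimal-versus-hex question above. The packets are constructed inline; the class and policy names are taken from the posts, and the parsing helpers are assumptions about how FPM walks the headers.

```python
import struct


def parse_operand(text):
    """FPM numeric operands may be written in decimal ("6") or hex ("0x6").
    Both spellings parse to the same integer, which is why either one
    matches the same packets."""
    return int(str(text), 0)


def _ipv4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src, dst, sport, dport, payload, proto=6):
    """Constructed IPv4 + TCP packet for the demo (checksums left at zero,
    since the matching does not depend on them). `proto` lets a caller
    build a non-TCP packet that should fall through the stack class."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, proto, 0, _ipv4(src), _ipv4(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                          0xFFFF, 0, 0)
    return ip_hdr + tcp_hdr + payload


def ip_header_len(pkt):
    return (pkt[0] & 0x0F) * 4


def tcp_header_len(pkt):
    o = ip_header_len(pkt)
    return (pkt[o + 12] >> 4) * 4


# class-map type stack TCP-80: match field IP protocol eq <operand> next TCP
def match_ip_protocol(pkt, operand):
    return pkt[9] == parse_operand(operand)


# class-map type access-control URI: match field TCP dest-port eq <operand>
def match_tcp_dest_port(pkt, operand):
    o = ip_header_len(pkt)
    return struct.unpack("!H", pkt[o + 2:o + 4])[0] == parse_operand(operand)


def match_start_payload_string(pkt, offset, size, needle):
    """match start TCP payload-start offset <offset> size <size> string <needle>.
    Only the `size` bytes beginning `offset` bytes into the TCP payload are
    searched, so a string that starts past that window is not matched."""
    start = ip_header_len(pkt) + tcp_header_len(pkt) + offset
    return needle.encode() in pkt[start:start + size]


def fpm_verdict(pkt, proto_operand="6"):
    """Walk the policy from the post: STACK -> TCP-80 -> ACCESS -> URI (drop).
    `proto_operand` is the value written in the stack class ("6" or "0x6")."""
    if not match_ip_protocol(pkt, proto_operand):
        return "forward (STACK class-default)"
    if (match_tcp_dest_port(pkt, "80")
            and match_start_payload_string(pkt, 0, 32, "/reload")):
        return "drop (URI)"
    return "forward (ACCESS class-default)"


if __name__ == "__main__":
    reload_req = build_packet("10.0.0.5", "10.0.0.1", 40000, 80,
                              b"GET /reload HTTP/1.1\r\n\r\n")
    normal_req = build_packet("10.0.0.5", "10.0.0.1", 40001, 80,
                              b"GET /index.html HTTP/1.1\r\n\r\n")
    for name, pkt in (("reload", reload_req), ("normal", normal_req)):
        print(name, fpm_verdict(pkt, "6"), "/", fpm_verdict(pkt, "0x6"))
```

The last assertion in the accompanying check shows the limit of the 32-byte window: a request whose path pushes "/reload" past byte 32 of the payload is not caught by this class, which matters when such a match is used as a control rather than a lab exercise.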
[OSL | CCIE_Security] FPM ICMP large Packets
I just want to recall one of the replies from Kingsley... BTW, I failed the test.

http://onlinestudylist.com/archives/ccie_security/2012-February/029078.html

Mike
Re: [OSL | CCIE_Security] FPM ICMP large Packets
Oh no Kings, I failed it because I suck at it... I got an FPM question where you had to do something about the ICMP packet size... I was looking for a question more like finding something inside of the payload... some you win, some you lose...

Cheers!
Mike

Date: Sun, 3 Jun 2012 10:56:59 +0530
Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com

Mike, did you fail in the CCIE lab? And is it due to the wrong solution of FPM?

With regards
Kings

On Sun, Jun 3, 2012 at 3:08 AM, Mike Rojas mike_c...@hotmail.com wrote:

I just want to recall one of the replies from Kingsley... BTW, I failed the test.

http://onlinestudylist.com/archives/ccie_security/2012-February/029078.html

Mike
Re: [OSL | CCIE_Security] And…
You totally deserve it. Congrats!

Mike

Date: Sun, 3 Jun 2012 08:34:11 -0400
From: fawa...@gmail.com
To: aspa...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] And…

Thank you everyone. Those who are preparing, I wish them the best of luck. If there is any help needed, please let me know directly. No offense to the proctor of RTP, but I liked the San Jose proctor more :)

On Sunday, June 3, 2012, Adil Pasha wrote:

Congratulations Fawad.

Best Regards.
Adil

On Jun 3, 2012, at 1:23 AM, Fawad Khan wrote:

I did it finally; it was tough and brutal, to be honest. Had to get away from my personal life for some time (15 months). But in the end it's worth it, I feel great. I failed the exam by 1 mark, which I was not expecting; I had to challenge the score, and Cisco just announced in my favor. This wasn't my first attempt either.

I would like to thank IPexpert for making a wonderful BLS solution which is just superb to learn about the technology. The videos and the workbooks are all you need to get ready for the challenge (the other important thing is luck).

I would also like to thank all the members of this forum who share and discuss their problems and thoughts. Special thanks go to Piotr, Adil and Kingsley and many more like Mark, Bruno, Mike, Matt. The list is definitely long. You guys have no idea how much I have learned from your posts.

If there is anything I can do to help anyone who is pursuing the exam or is appearing very soon, then guys, I am just an email away. I can share my personal experience and techniques that I used to get this important cert in my life.

Regards,
FNK

--
FNK
Re: [OSL | CCIE_Security] Planning for lab in Sydney or San Jose
Hi Kings,

I took it over at RTP. I got the visa rejected 1 time... but that is because I didn't really have much time working for the company at the time I requested it. I don't think it should be hard for you.. I am given the understanding that you have a family already... so for the interview with the consul, bring every title of property that you have, for example, house, cars... The most important thing is to convince the consul that you have strong attachments to your country and that you plan to go back... You can bring even the receipt from when you paid for the exam to prove that you are going to be there taking the exam only. Make sure you bring the address of the hotel you are going to stay at... the address of the Cisco building (if San Jose, I think it is Tasman Drive) and so on.. The second time I got it, I brought the receipt, my car title and so on... that time I got it.

Mike

Date: Mon, 4 Jun 2012 16:17:29 +0530
From: kingsley.char...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Planning for lab in Sydney or San Jose

Hi

I am planning to take my lab next month, either in Sydney or San Jose. I need the experience of people who have gone there from other countries. I am hearing from travel agencies that visa processing takes about 3 weeks and also that they are strict in processing. I guess I should apply for a tourist visa, but there are chances of getting rejected. How do I convince them to get through the visa? Should I book the slot and show that confirmation mail? What if my visa gets rejected? Both my flight ticket and lab payment will go in vain.

Guys, please share your experience. What type of visa should we apply for?

With regards
Kings
Re: [OSL | CCIE_Security] Blocking flood attack on an interface
I don't think it would work. If the attack corresponds to the local network, rate limiting of the protocol can do the trick on this one... if the attack comes to the router, a rate limit on the protocol in question can mitigate the attack... either on the interface or with CoPP.

Mike

From: elizabeth...@hotmail.co.uk
To: kingsley.char...@gmail.com; mayd...@gmail.com
Date: Tue, 5 Jun 2012 12:59:35 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Blocking flood attack on an interface

How about using the 'ip verify unicast reverse-path' command on the input interface on the router at the upstream end of the connection?

Regards,
Elizabeth

Date: Tue, 5 Jun 2012 16:30:43 +0530
From: kingsley.char...@gmail.com
To: mayd...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Blocking flood attack on an interface

Not an ACL, but some interface command should be the answer. I just saw this question floating...

With regards
Kings

On Tue, Jun 5, 2012 at 2:58 PM, Matt Hill mayd...@gmail.com wrote:

Off the top of my head... An ACL with the broadcast address as the destination? (???)

Cheers,
Matt
CCIE #22386
CCSI #31207

On 5 June 2012 18:03, Kingsley Charles kingsley.char...@gmail.com wrote:

Hi all

How do we block smurf attacks on an interface other than using "no ip directed-broadcast"? I can't think of any other commands.

With regards
Kings
Re: [OSL | CCIE_Security] Dhcp snooping permanent vs temp binding
I made that mistake on the test; the question clearly said, make sure it survives a reload.

Mike

Date: Tue, 5 Jun 2012 20:04:27 -0400
From: fawa...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Dhcp snooping permanent vs temp binding

For DHCP snooping I learned the hard way the difference between the two commands. The command below is done at exec level and the binding will be removed after a reload:

    3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3

The following is permanent and will not be removed from the config or the binding database after a reboot:

    3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3

Are you able to pick the difference between the two commands? Hope this helps.

--
FNK
Re: [OSL | CCIE_Security] SMTP inspection on non-standard port
Correct. The only difference is that when you match it against an access list, you can specify the source and destinations, and the rest of the traffic can continue to be inspected on the regular port 25... With the one at the bottom, no matter the source or destination, it will try to be inspected as SMTP... The funny thing is that when you use ACLs, you have to be very careful, cuz if something gets messed up on the ACL, it may end up dropping everything.

Mike

From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Sat, 9 Jun 2012 21:44:55 +
Subject: [OSL | CCIE_Security] SMTP inspection on non-standard port

If I were to inspect non-standard SMTP on port 2525 on the ASA, will these two achieve the same results?

    access-list SMTP-2525-ACL extended permit tcp any host XXX.XXX.XXX.XXX eq 2525
    class-map SMTP-2525-CM
     match access-list SMTP-2525-ACL

    class-map SMTP-2525-CM
     match port tcp eq 2525

Eugene
[OSL | CCIE_Security] CTP-Auth Proxy Tricky questions.
Hello All,

I have a major doubt in regards to when you have to configure either CTP or Auth-Proxy. I've seen the question formulated 10 thousand times, but they all differ in the solution and in the methods to accomplish it. For example, when they ask you to do things like:

1. Make sure that the client authenticates before gaining access to the internal network (CTP). Now, I can use either Virtual HTTP, Virtual Telnet or the match command... which one do I use? On this same one, if using the match command, I need to allow something within the interesting traffic so CTP can catch it, right? If so, which traffic, any HTTP? To one specific host?

2. Allow traffic after being authenticated to the networks x and y (Auth-Proxy). I've seen many exercises where they put an ACL on the interface denying all the traffic and just permitting one specific type of traffic in order to trigger the Auth-proxy. Shall I use this approach or match the traffic they ask for using a triggering ACL?

Thanks in advance.

Mike
Re: [OSL | CCIE_Security] CTP-Auth Proxy Tricky questions.
Hello Kings,

Thanks, but as Eugene stated, it is not which feature to use but rather what to allow on the trigger ACL. For example, on the router I can use a trigger ACL on the interface to catch the traffic to be authenticated; if no ACLs are applied that would be easy cake, but on the ASA? I mean I need to allow traffic, but which traffic, and to where should I allow it? As well, on the router, what if there is an ACL on the interface? I need to allow specific traffic in order to accomplish the auth-proxy question. In my first attempt I didn't get any of this, I am just taking precautions :D.

Mike

Date: Sun, 10 Jun 2012 12:52:33 +0530
Subject: Re: [OSL | CCIE_Security] CTP-Auth Proxy Tricky questions.
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Virtual telnet and HTTP are required for non-telnet/http/ftp applications. Auth-proxy: mostly that is the way it will be asked.

With regards
Kings
[OSL | CCIE_Security] Menus vs Authorizing commands.
Hello All,

I have another question in regard to when to use the menu command in exercises referring to authorizing commands. What if I just authorized the commands as needed in the exercise instead of configuring the menu? Is there a difference between them?

Mike Rojas
Security Technical Lead
Re: [OSL | CCIE_Security] Rekey address
Nope, a server address is not needed when configuring GET. I guess Kings already responded to this; I'll look for his e-mail.

Date: Wed, 13 Jun 2012 08:48:08 -0400
From: fawa...@gmail.com
To: eug...@koiossystems.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Rekey address

The ASA will not pass multicast in multi-context mode. A GRE tunnel will be needed between the routers to handle the multicast rekeying if needed.

On Wednesday, June 13, 2012, Eugene Pefti wrote:

Then it matches what the Cisco guide says about address ipv4 x.x.x.x. You'd need it only for unicast rekeying, to specify the source of the unicasts. Since you used multicast, your key server ID was showing 0.0.0.0. Interesting fact with the ASA passing multicasts. Is the KS on the outside of the ASA or inside?

From: Deepak N depp3...@yahoo.com
Date: Tuesday, June 12, 2012 6:00 PM
To: OSL CCIE-Security ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Rekey address

What is the significance of the 'address ipv4 x.x.x.x' in the gdoi group configuration? I was trying out a multicast rekey setup with the following rekey ACL:

    access-list 150 permit udp any eq 848 host 239.0.1.2 eq 848

And I didn't have the local server address configured. So the key server ID was displayed as 0.0.0.0, and everything worked. So I was wondering when you really need the KS address configured? And the traffic between the KS and the GM travels through an ASA context, and I haven't done any kind of multicast configs on it. Still, the GMs receive the rekey requests. How does that work?

-- FNK
Re: [OSL | CCIE_Security] Rekey address
Yeah, but I was referring to the KS server IPv4 address... I agree, without the multicast address rekey is not gonna work... in fact it is going to tell you that the configuration is incomplete.

Date: Thu, 14 Jun 2012 08:07:37 +0530
Subject: Re: [OSL | CCIE_Security] Rekey address
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: fawa...@gmail.com; eug...@koiossystems.com; ccie_security@onlinestudylist.com

Mike, we need an address for multicast, as I observed that the GMs didn't accept the rekeys if their address is different. On the safer side, always configure the address for both modes.

With regards
Kings

On Wed, Jun 13, 2012 at 8:42 PM, Mike Rojas mike_c...@hotmail.com wrote:

Nope, a server address is not needed when configuring GET. I guess Kings already responded to this; I'll look for his e-mail.
Re: [OSL | CCIE_Security] Passed the Written
Well done!! Now the fun starts!! Enjoy!

Mike

Date: Thu, 14 Jun 2012 19:48:34 -0400
From: jasonlmayn...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Passed the Written

Time to start labbing
[OSL | CCIE_Security] Best option to drop ICMP unreachables
Question: what is the best option to drop ICMP unreachables on the switch itself? I saw that in one exercise they created an IP local policy and sent it out to the Null 0 interface. What I did was to configure a VLAN filter matching all ICMP unreachables... Both work fine... It said that because it was process switched, they needed to be sent to Null 0; I didn't quite understand why... would my solution work?

Mike
Re: [OSL | CCIE_Security] Best option to drop ICMP unreachables
Ohh, but you can put vlan-list all... So that is why I wonder if they do the same thing...

Mike

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Best option to drop ICMP unreachables
Date: Fri, 15 Jun 2012 08:09:32 +

I think ip local policy is for the global setting not to send unreachables. A VLAN filter may address only specific VLANs.
Re: [OSL | CCIE_Security] Role Based
It was on the username and the privilege is 15... the list is attached to the local database.

Mike

Date: Fri, 15 Jun 2012 06:47:46 -0400
Subject: Re: [OSL | CCIE_Security] Role Based
From: fawa...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Do you mean the '>' prompt? Then yes, it's normal. It depends on where you are applying the privilege 15, i.e. at the privilege level box in the user profile or through the AAA attribute priv-lvl=15?

On Thursday, June 14, 2012, Mike Rojas wrote:

Hello,

Is the user '>' sign normal when configuring role-based access?

    Router1>conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)>?
    Configure commands:
      do    To run exec commands in config mode
      exit  Exit from configure mode
      ip    Global IP configuration subcommands
    Router1(config)>ip ?
    Global IP configuration subcommands:
      http  HTTP server configuration
    Router1(config)>ip

I have authorization applied on the line vty and the user privilege is 15...

-- FNK
Re: [OSL | CCIE_Security] IOS IPS Sig Category
What I do (prior to compiling, of course) is retire all the signatures:

    ip ips signature-category
     category all
      enabled false
      retired true

Compile the signatures, then:

    ip ips signature-category
     category ios_ips basic
      enabled true
      retired false

If I don't remember wrong, the old IPS exam explained that you needed to do that process in order to avoid the router becoming unresponsive.

Mike

From: eug...@koiossystems.com
To: kingsley.char...@gmail.com; ccie_security@onlinestudylist.com
Date: Fri, 15 Jun 2012 19:44:52 +
Subject: Re: [OSL | CCIE_Security] IOS IPS Sig Category

This is a list of all IOS IPS signature categories:

    R6(config-ips-category)#category ?
      adware/spyware         Adware/Spyware (more sub-categories)
      all                    All Categories
      attack                 Attack (more sub-categories)
      ddos                   DDoS (more sub-categories)
      dos                    DoS (more sub-categories)
      email                  Email (more sub-categories)
      instant_messaging      Instant Messaging (more sub-categories)
      ios_ips                IOS IPS (more sub-categories)
      l2/l3/l4_protocol      L2/L3/L4 Protocol (more sub-categories)
      network_services       Network Services (more sub-categories)
      os                     OS (more sub-categories)
      other_services         Other Services (more sub-categories)
      p2p                    P2P (more sub-categories)
      reconnaissance         Reconnaissance (more sub-categories)
      viruses/worms/trojans  Viruses/Worms/Trojans (more sub-categories)
      web_server             Web Server (more sub-categories)

ios_ips itself has basic and advanced subcategories:

    R6(config-ips-category)#category ios_ips ?
      advanced  Advanced
      basic     Basic

Yusuf is right, you need to retire everything except ios_ips basic.

Eugene

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Kingsley Charles
Sent: Friday, June 15, 2012 4:58 AM
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] IOS IPS Sig Category

Hi all

If we are asked to enable ios_basic_sigs, then the first thing we need to do is retire all sigs and then enable the basic set. Now that can be done in the following ways:

    ip ips signature-category
     category all
      retired true
     category ios_ips basic
      retired false

    ip ips signature-category
     category ios_ips
      retired true
     category ios_ips basic
      retired false

The sh ip ips signature count o/p shows that the retired sigs o/p are different for the two above configs. Yusuf has used the first one in his labs.

With regards
Kings
[OSL | CCIE_Security] Flexible NetFlow
Is Flexible NetFlow something that we should really focus on?

Mike
Re: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks
I like it, very useful, although I don't know why the title is Day 21 Time-Based ACLs on IOS and ASA ;)

From: anthony.seque...@stormwind.com
To: ccie_security@onlinestudylist.com
Date: Mon, 18 Jun 2012 02:22:25 +
Subject: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks

Here is a post I did today on this topic.

http://blog.ipexpert.com/2012/06/17/ccie-security-challenge-–-day-22-of-120-–-fragment-attacks/

See anything I am missing? Thanks in advance!
Re: [OSL | CCIE_Security] Role Based
Exec should do the trick, and I did it, but it still gave me the user mode. Either way, all the configuration commands were correctly authorized; it was just the user prompt which bugged me. They clarified that it is expected.

Cheers,
Mike

From: auranpr...@gmail.com
Date: Mon, 18 Jun 2012 03:21:03 -0300
To: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Role Based

Hi Mike, did you configure the aaa authorization exec command and aaa authorization command [level]?

Br,
Bruno Silva

Sent from my iPhone

On 15/06/2012, at 16:40, Mike Rojas mike_c...@hotmail.com wrote:

It was on the username and the privilege is 15... the list is attached to the local database.
[OSL | CCIE_Security] FPM matching
This is a question in regard to IP-to-IP tunnel matching on FPM.

    class-map type stack match-all STACK
     stack start l2-start
     match field ETHER type eq 0x800 next IP
     match layer 2 IP protocol eq 4 next IP
     match layer 3 IP protocol eq 6 next TCP

First, what is the difference between the last line and

    match field IP protocol eq 6 next TCP

And second, where in that specific stack are we saying that we will see an IP header and then another one? I was first believing that when we do something like match field ETHER type eq 0x800 next IP and then we say match layer 3 IP protocol eq 6 next TCP we would be saying match IP header twice, but I see this match layer 2 IP protocol eq 4 next IP and that is where I get lost. Any clarification would be appreciated.

Mike
Re: [OSL | CCIE_Security] FPM matching
Ok, but here is my question: match field IP protocol eq 0x4 next IP. We are saying there that in the IP protocol it will come IP again, wouldn't it? The main idea, if I understand correctly, is to match an IP header twice... So I would think that this line, match field IP protocol eq 0x4 next IP, and this line, match field IP protocol eq 0x6 next TCP, would match it twice, wouldn't it? Regarding your quiz:

    class-map type stack match-all GRE-stack
     match field IP protocol eq 0x2f next ?

Mike

From: eug...@koiossystems.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 02:45:27 +

My $0.02 on what I have always thought about it. First, I'd stay away from "stack-start l2-start" if I know for sure that IP-TCP runs over ETHER and doesn't encapsulate it somehow differently, i.e. I'd start my stack type class-map with IP matching, thus making the router's life easier. But it's perfectly OK to start from L2 in the lab to show that we do it the right way ;)

Then right to your question. Take a look at this capture (IP_in_IP.cap): http://packetlife.net/captures/category/tunneling/

To match on the first IP header following the Ethernet II header we'd need to use match layer 2 IP protocol eq 4 next IP to define the sequence of how they are enclosed into each other. Then you use the layer 3 digit to tell the router that next goes the TCP protocol, which is already layer 4: match field layer 3 IP protocol eq 6 next

My class-map would look like this, and I think it is the same as yours:

    class-map type stack match-all ETHER-IP-IP-TCP-STACK
     stack-start l2-start
     match field ETHER type eq 0x800 next IP
     match field IP protocol eq 0x4 next IP
     match field IP protocol eq 0x6 next TCP

Now a quiz ;) How would we define the stack class-map for GRE.cap traffic (see example on the same page)?

Eugene

From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Monday, June 18, 2012 6:44 PM
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] FPM matching

Hey, sorry:

    class-map type stack match-all STACK
     stack start l2-start
     match field ETHER type eq 0x800 next IP
     match field layer 2 IP protocol eq 4 next IP
     match field layer 3 IP protocol eq 6 next TCP

From: eug...@koiossystems.com
To: mike_c...@hotmail.com
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 01:20:48 +

Hey Miky, am I missing something? How can you say "match layer" under the type stack class-map? It doesn't accept it.

    R3(config-cmap)#match layer ?
    % Unrecognized command

You can only provide the "layer" keyword after the "field" one.
Re: [OSL | CCIE_Security] FPM matching
Ohhh, but that is the catch: the payload is not encrypted, it is encapsulated. Not quite sure if the router would be able to see the next header, because if you open the file there, you clearly see the next header, which is ICMP... On ESP, yet, there is no way to see it because it is in fact encrypted. I would say that if we are just matching rather than crafting the packet, I don't see why we wouldn't be able to match it...

Mike

From: eug...@koiossystems.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 04:38:28 +

I'd rather say that "match field IP protocol eq 0x4 next IP" will match the first IP header that goes after the ETHER header, and "match field IP protocol eq 0x6 next TCP" will match the second IP header that goes after the first IP header.

As for the quiz, I was not 100 percent sure myself, because there's no GRE protocol phdf file loaded to say "match field IP protocol eq 0x2f next GRE" ;)))

Eugene
Re: [OSL | CCIE_Security] FPM matching
Just one more input: that one will drop ICMP messages with code 0 on them :D Any other traffic won't match...

From: mike_c...@hotmail.com
To: eug...@koiossystems.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 00:11:59 -0600

Annnd bingo, I was right: since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting. Here is the example of dropping ICMP encapsulated in GRE...

    Class Map type access-control match-all ICMP (id 2)
      Match field ICMP code eq 0 mask 0x1

    Class Map type stack match-all STACK-GRE (id 1)
      Match field IP protocol eq 0x2F next ICMP

    Policy Map type access-control STACK-GRE
      Class STACK-GRE
        service-policy ICMP-DROP-GRE

    Policy Map type access-control ICMP-DROP-GRE
      Class ICMP
        drop

    Router1#sh policy-map type access-control interface fa 0/1
     FastEthernet0/1

      Service-policy access-control input: STACK-GRE

        Class-map: STACK-GRE (match-all)
          5 packets, 690 bytes
          5 minute offered rate 0 bps
          Match: field IP protocol eq 0x2F next ICMP

          Service-policy access-control : ICMP-DROP-GRE

            Class-map: ICMP (match-all)
              5 packets, 690 bytes
              5 minute offered rate 0 bps
              Match: field ICMP code eq 0 mask 0x1
              drop

            Class-map: class-default (match-any)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any

        Class-map: class-default (match-any)
          2 packets, 1236 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
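To make the header chain this thread is reasoning about concrete, here is an added example written for this page (not code from the list, and not Cisco's FPM implementation): a small Python walker that descends a frame header by header, using each header's next-protocol field the way a type-stack class-map chains 'next'. It builds two constructed frames, an IP-in-IP packet carrying TCP and a GRE packet carrying ICMP, with zeroed MAC addresses and RFC 5737 / RFC 1918 addresses that are assumptions of the example, and reports the protocol sequence it finds. In the GRE case the walk passes through the 4-byte GRE header and the inner IP header before it reaches ICMP, and a truncated frame stops the walk at the last complete header, which is where a stack match would fail.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_GRE = 1, 4, 6, 0x2F

# Which parser follows a given IP protocol number: the role the "next"
# keyword plays in 'match field IP protocol eq N next PROTO'.
IP_NEXT = {IPPROTO_IPIP: "IP", IPPROTO_TCP: "TCP", IPPROTO_GRE: "GRE", IPPROTO_ICMP: "ICMP"}

# Constructed sample addresses (RFC 5737 documentation ranges and RFC 1918),
# assumptions of this example, not hosts from the thread.
OUTER_SRC, OUTER_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
INNER_SRC, INNER_DST = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])


def ethernet(ethertype):
    """Ethernet II header with zeroed MACs (constructed sample)."""
    return b"\x00" * 12 + struct.pack("!H", ethertype)


def ipv4(proto, src, dst, payload):
    """20-byte IPv4 header (IHL=5, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def gre(proto_type, payload):
    """RFC 2784 base GRE header: no C/K/S flags, version 0, then protocol type."""
    return struct.pack("!HH", 0, proto_type) + payload


def tcp(sport, dport):
    """20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def icmp(itype, code):
    """8-byte ICMP header (checksum left zero)."""
    return struct.pack("!BBHHH", itype, code, 0, 0, 0)


def build_ip_in_ip_tcp():
    """ETHER > IP(proto 4) > IP(proto 6) > TCP, the shape of IP_in_IP.cap."""
    inner = ipv4(IPPROTO_TCP, INNER_SRC, INNER_DST, tcp(40000, 25))
    return ethernet(ETHERTYPE_IPV4) + ipv4(IPPROTO_IPIP, OUTER_SRC, OUTER_DST, inner)


def build_gre_icmp(code=0):
    """ETHER > IP(proto 47) > GRE(type 0x0800) > IP(proto 1) > ICMP echo request."""
    inner = ipv4(IPPROTO_ICMP, INNER_SRC, INNER_DST, icmp(8, code))
    return ethernet(ETHERTYPE_IPV4) + ipv4(IPPROTO_GRE, OUTER_SRC, OUTER_DST, gre(ETHERTYPE_IPV4, inner))


def walk_stack(frame, start="ETHER"):
    """
    Descend through the headers of `frame` starting at `start` ("ETHER" for
    stack-start l2-start, "IP" for l3-start). Each header's next-protocol field
    selects the following parser, the chain a type-stack class-map spells out
    with 'next'. Returns [(proto_name, fields), ...] and stops at the first
    unknown, unsupported or truncated header, where a stack match would fail.
    """
    stack, proto, off = [], start, 0
    while proto:
        if proto == "ETHER" and len(frame) >= off + 14:
            etype = struct.unpack_from("!H", frame, off + 12)[0]
            stack.append(("ETHER", {"type": etype}))
            off, proto = off + 14, "IP" if etype == ETHERTYPE_IPV4 else None
        elif proto == "IP" and len(frame) >= off + 20:
            ihl, p = (frame[off] & 0x0F) * 4, frame[off + 9]
            if ihl < 20:  # malformed header length: stop rather than loop forever
                break
            stack.append(("IP", {"protocol": p}))
            off, proto = off + ihl, IP_NEXT.get(p)
        elif proto == "GRE" and len(frame) >= off + 4:
            flags, ptype = struct.unpack_from("!HH", frame, off)
            stack.append(("GRE", {"protocol_type": ptype}))
            # C (0x8000), K (0x2000) and S (0x1000) each add a 4-byte field (RFC 2784/2890).
            extra = 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
            off, proto = off + 4 + extra, "IP" if ptype == ETHERTYPE_IPV4 else None
        elif proto == "TCP" and len(frame) >= off + 20:
            sport, dport = struct.unpack_from("!HH", frame, off)
            stack.append(("TCP", {"sport": sport, "dport": dport}))
            proto = None
        elif proto == "ICMP" and len(frame) >= off + 8:
            stack.append(("ICMP", {"type": frame[off], "code": frame[off + 1]}))
            proto = None
        else:
            break
    return stack


def stack_names(frame, start="ETHER"):
    """Just the protocol sequence, e.g. ['ETHER', 'IP', 'IP', 'TCP']."""
    return [name for name, _ in walk_stack(frame, start)]


def gre_icmp_code_matches(frame, code):
    """
    The thread's policy (drop ICMP of a given code carried inside GRE), evaluated
    over the full header chain ETHER > IP > GRE > inner IP > ICMP.
    """
    stack = walk_stack(frame)
    names = [name for name, _ in stack]
    return names == ["ETHER", "IP", "GRE", "IP", "ICMP"] and stack[-1][1]["code"] == code


if __name__ == "__main__":
    for label, frame in (("IP-in-IP/TCP", build_ip_in_ip_tcp()), ("GRE/ICMP", build_gre_icmp())):
        print(f"{label}: {' > '.join(stack_names(frame))}")
    print("drop ICMP code 0 in GRE:", gre_icmp_code_matches(build_gre_icmp(0), 0))
    print("truncated GRE frame:", stack_names(build_gre_icmp()[:40]))
```

Running the file prints the two sequences, the policy decision for a code-0 echo inside GRE, and the partial chain a 40-byte truncated frame yields. Starting the walk at "IP" on a frame with the Ethernet header stripped corresponds to the l3-start case Eugene prefers.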
Re: [OSL | CCIE_Security] FPM matching
I put it with and without the mask, same result.

Mike...

From: eug...@koiossystems.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 17:11:04 +

A quick question, Mike. Did you manually enter the mask (0x1) in the access-control class or did IOS add it automatically? Will it work without the mask?

From: Mike Rojas mike_c...@hotmail.com
Date: Monday, June 18, 2012 11:47 PM
To: Eugene Pefti eug...@koiossystems.com
Cc: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM matching

Just one more input: that one will drop ICMP messages with code 0 on them :D Any other traffic won't match...

From: mike_c...@hotmail.com
To: eug...@koiossystems.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 00:11:59 -0600

Annnd Bingo, I was right: since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting. Here is the example of dropping ICMP encapsulated in GRE...

  Class Map type access-control match-all ICMP (id 2)
    Match field ICMP code eq 0 mask 0x1
  Class Map type stack match-all STACK-GRE (id 1)
    Match field IP protocol eq 0x2F next ICMP
  Policy Map type access-control STACK-GRE
    Class STACK-GRE
      service-policy ICMP-DROP-GRE
  Policy Map type access-control ICMP-DROP-GRE
    Class ICMP
      drop

  Router1#sh policy-map type access-control interface fa 0/1
   FastEthernet0/1
    Service-policy access-control input: STACK-GRE
      Class-map: STACK-GRE (match-all)
        5 packets, 690 bytes
        5 minute offered rate 0 bps
        Match: field IP protocol eq 0x2F next ICMP
        Service-policy access-control : ICMP-DROP-GRE
          Class-map: ICMP (match-all)
            5 packets, 690 bytes
            5 minute offered rate 0 bps
            Match: field ICMP code eq 0 mask 0x1
            drop
          Class-map: class-default (match-any)
            0 packets, 0 bytes
            5 minute offered rate 0 bps, drop rate 0 bps
            Match: any
      Class-map: class-default (match-any)
        2 packets, 1236 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any

From: mike_c...@hotmail.com
To: eug...@koiossystems.com
Date: Mon, 18 Jun 2012 22:25:53 -0600
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] FPM matching

Ok but here is my question,

  match field IP protocol eq 0x4 next IP

We are saying there, in the IP protocol it will come IP again, wouldn't it? The main idea, if I understand correctly, is to match an IP header twice... So, I would think that this line

  match field IP protocol eq 0x4 next IP

and this line,

  match field IP protocol eq 0x6 next TCP

would match it twice, wouldn't it?

Regarding your quiz,

  Class-map type stack match-all GRE-stack
   match field IP protocol eq 0x2f next ?

Mike

From: eug...@koiossystems.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 02:45:27 +

My $0.02 on what I have always thought about it.

First, I'd stay away from "stack-start l2-start" if I know for sure that IP-TCP runs over ETHER and doesn't encapsulate it somehow differently, i.e. I'd start my stack type class-map with IP matching, thus making the router's life easier. But it's perfectly OK to start from L2 in the lab to show that we do it the right way ;)

Then right to your question. Take a look at this capture (IP_in_IP.cap): http://packetlife.net/captures/category/tunneling/

To match on the first IP header following after the Ethernet II header we'd need to use

  match layer 2 IP protocol eq 4 next IP

to define the sequence of how they are enclosed into each other. Then you use the layer 3 digit to tell the router that next goes the TCP protocol, which is already layer 4.

  match field layer 3 IP protocol eq 6 next

My class-map would look like this and I think it is the same as yours:

  class-map type stack match-all ETHER-IP-IP-TCP-STACK
   stack-start l2-start
   match field ETHER type eq 0x800 next IP
   match field IP protocol eq 0x4 next IP
   match field IP protocol eq 0x6 next TCP

Now a quiz ;) How would we define the stack class-map for GRE.cap traffic (see example on the same page)?

Eugene

From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Monday, June 18, 2012 6:44 PM
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] FPM matching

Hey,

Sorry,

  class-map type stack match-all STACK
   stack-start l2-start
   match field ETHER type eq 0x800 next IP
   match field layer 2 IP protocol eq 4 next IP
   match field layer 3 IP protocol eq 6 next TCP

From: eug...@koiossystems.com
To: mike_c...@hotmail.com
Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75
Oszkar,

You are right. I sent a clarification on this exercise: it will drop any ICMP message within GRE that has code 0 on it. Seems that there is a problem with FPM because it cannot match types correctly. If I match code 0 it will drop both ICMP echo and echo reply because they both have code 0 on them.

Mike

Date: Wed, 20 Jun 2012 13:40:32 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: ccie_security@onlinestudylist.com
CC: mike_c...@hotmail.com

Hi Mike,

Why did you choose to look for code 0? Code 0 means a different thing for each ICMP type. I think for echo messages you should look for ICMP type 8. Now the interesting part is that if you try to match ICMP type 8 instead of code 8 your solution won't work.

Oszkar

Annnd Bingo, I was right: since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting. Here is the example of dropping ICMP echo messages encapsulated in GRE...

  Class Map type access-control match-all ICMP (id 2)
    Match field ICMP code eq 0 mask 0x1
  Class Map type stack match-all STACK-GRE (id 1)
    Match field IP protocol eq 0x2F next ICMP
  Policy Map type access-control STACK-GRE
    Class STACK-GRE
      service-policy ICMP-DROP-GRE
  Policy Map type access-control ICMP-DROP-GRE
    Class ICMP
      drop

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75
Hey,

Yeah, weird isn't it? Most people think that it is mandatory to have a "next GRE" when mounting the stack; if you are not going to match anything on that specific header, why would you mount it? I don't know... I ended up liking it a lot, of course it can get really nasty.

Mike

Date: Wed, 20 Jun 2012 15:52:05 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hi Mike,

Code 0 means no code, and the majority of the ICMP types have code 0. As a result you will drop much more than echo/echo reply. And you are right, for some reason matching types for ICMP is not working in this case.

On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas mike_c...@hotmail.com wrote:

Oszkar, You are right. I sent a clarification on this exercise: it will drop any ICMP message within GRE that has code 0 on it. Seems that there is a problem with FPM because it cannot match types correctly. If I match code 0 it will drop both ICMP echo and echo reply because they both have code 0 on them.

Mike

Date: Wed, 20 Jun 2012 13:40:32 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: ccie_security@onlinestudylist.com
CC: mike_c...@hotmail.com

Hi Mike, Why did you choose to look for code 0? Code 0 means a different thing for each ICMP type. I think for echo messages you should look for ICMP type 8. Now the interesting part is that if you try to match ICMP type 8 instead of code 8 your solution won't work.

Oszkar

Annnd Bingo, I was right: since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting. Here is the example of dropping ICMP echo messages encapsulated in GRE...

  Class Map type access-control match-all ICMP (id 2)
    Match field ICMP code eq 0 mask 0x1
  Class Map type stack match-all STACK-GRE (id 1)
    Match field IP protocol eq 0x2F next ICMP
  Policy Map type access-control STACK-GRE
    Class STACK-GRE
      service-policy ICMP-DROP-GRE
  Policy Map type access-control ICMP-DROP-GRE
    Class ICMP
      drop
Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75
Hey,

Basically, if we want to be really specific about the protocol, we will need to create our own PHDF for GRE.. There are 16 bits for protocol type; we would most likely specify the next IP header (0x800) in order to match the stack in the exact order.

On our stack we are saying: look in the first IP header for protocol number 0x2f, which is GRE, and then jump off to the ICMP header. So, it would be:

    check protocol 0x2f       Next: look for ICMP header
          |                              |
      OUTER_IP | GRE | INNER_IP | ICMP

We are not doing anything with the in-between headers. Based on experience, that "next" doesn't mean "expect the next protocol to be x", it means "jump off to the following header"... and if you find the header there, it will be considered a match. "First I want you to look at the IP header for this, then we go look at the TCP header for this." It doesn't mean you have to match each and every header on a packet.

http://blog.ipexpert.com/2010/05/12/introduction-to-fpm/

Mike

Date: Wed, 20 Jun 2012 19:37:28 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hi Mike,

I still don't understand how we can jump from GRE to the ICMP without matching the inner IP header first. In GRE we have OUTER_IP | GRE | INNER_IP | ICMP.

  Class Map type stack match-all STACK-GRE (id 1)
    Match field IP protocol eq 0x2F next ICMP

In your stack class-map you are matching the OUTER_IP, which is followed by GRE, then the next protocol should be ICMP, but what happens with the INNER_IP? Actually this is why I have started to play with this. Please comment!

On Wed, Jun 20, 2012 at 7:10 PM, Mike Rojas mike_c...@hotmail.com wrote:

Hey, Yeah, weird isn't it? Most people think that it is mandatory to have a "next GRE" when mounting the stack; if you are not going to match anything on that specific header, why would you mount it? I don't know... I ended up liking it a lot, of course it can get really nasty.

Mike

Date: Wed, 20 Jun 2012 15:52:05 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hi Mike, Code 0 means no code, and the majority of the ICMP types have code 0. As a result you will drop much more than echo/echo reply. And you are right, for some reason matching types for ICMP is not working in this case.

On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas mike_c...@hotmail.com wrote:

Oszkar, You are right. I sent a clarification on this exercise: it will drop any ICMP message within GRE that has code 0 on it. Seems that there is a problem with FPM because it cannot match types correctly. If I match code 0 it will drop both ICMP echo and echo reply because they both have code 0 on them.

Mike

Date: Wed, 20 Jun 2012 13:40:32 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: ccie_security@onlinestudylist.com
CC: mike_c...@hotmail.com

Hi Mike, Why did you choose to look for code 0? Code 0 means a different thing for each ICMP type. I think for echo messages you should look for ICMP type 8. Now the interesting part is that if you try to match ICMP type 8 instead of code 8 your solution won't work.

Oszkar

Annnd Bingo, I was right: since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting. Here is the example of dropping ICMP echo messages encapsulated in GRE...

  Class Map type access-control match-all ICMP (id 2)
    Match field ICMP code eq 0 mask 0x1
  Class Map type stack match-all STACK-GRE (id 1)
    Match field IP protocol eq 0x2F next ICMP
  Policy Map type access-control STACK-GRE
    Class STACK-GRE
      service-policy ICMP-DROP-GRE
  Policy Map type access-control ICMP-DROP-GRE
    Class ICMP
      drop
Re: [OSL | CCIE_Security] WEBVPN
It has been removed: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1935301

Mike

From: jo...@isc.co.za
To: ccie_security@onlinestudylist.com
Date: Thu, 21 Jun 2012 04:37:52 +0200
Subject: [OSL | CCIE_Security] WEBVPN

I am looking for the functions command:

  group-policy WEBVPN attributes
   vpn-tunnel-protocol webvpn
   webvpn
    functions port-forward

  ASA(config-group-webvpn)# ?
  Group-policy WebVPN commands:
    activex-relay      Enable or disable activex relay
    auto-signon        Configure auto-sign to allow login to certain applications using the WebVPN session credentials
    customization      Configure a customization object
    deny-message       Configure the Deny message
    download-max-size  Set maximum object size to download
    exit               Exit from user or group policy webvpn configuration mode
    file-browsing      Allow browsing for file servers and shares
    file-entry         Allow user entry of file server names to access
    filter             Configure the name of the webtype access-list
    help               Help for group policy webvpn commands
    ...

I don't see it on my ASA.
Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75
No, I mean, if the packet is not mounted correctly, why would it have matches? Saying: OK, it sees the Layer 2 header, fine, looks for the ethertype... 0x800, that's correct, but then.. then the IP header is missing... why would the stack match.. if the IP header is missing?

Mike

Date: Thu, 21 Jun 2012 00:09:36 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Not sure if I understand you right, but the stack is supposed to match the traffic.

On Wed, Jun 20, 2012 at 11:59 PM, Mike Rojas mike_c...@hotmail.com wrote:

Something funny is happening to your class maps.. The stack does have a match.. why would it match?

Mike

Date: Wed, 20 Jun 2012 23:51:40 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hmm... if we follow that logic then the following example should work as well, right? We say first to match all the Ethernet packets with ethertype IP, then jump to the TCP header. Something like this:

  class-map type stack match-all TCP_STACK
   stack-start l2-start
   match field ETHER type eq 0x800 next TCP
  class-map type access-control match-all TELNET
   match field TCP dest-port eq 0x17
  policy-map type access-control TELNET_DROP
   class TELNET
    drop
  policy-map type access-control FPM2
   class TCP_STACK
    service-policy TELNET_DROP

But in this case Telnet traffic is not matched:

  R5#sh policy-map type access-control interface FastEthernet0/0
    Service-policy access-control input: FPM2
      Class-map: TCP_STACK (match-all)
        29 packets, 1817 bytes
        5 minute offered rate 0 bps
        Match: field ETHER type eq 0x800 next TCP
        Service-policy access-control : TELNET_DROP
          Class-map: TELNET (match-all)
            0 packets, 0 bytes
            5 minute offered rate 0 bps
            Match: field TCP dest-port eq 0x17
            drop
          Class-map: class-default (match-any)
            29 packets, 1817 bytes
            5 minute offered rate 0 bps, drop rate 0 bps
            Match: any
      Class-map: class-default (match-any)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any

If I define/match all the protocols/headers in order, as they come, telnet traffic is matched and dropped as expected:

  class-map type stack match-all TCP_STACK2
   stack-start l2-start
   match field ETHER type eq 0x800 next IP
   match field IP protocol eq 0x6 next TCP
  class-map type access-control match-all TELNET
   match field TCP dest-port eq 0x17
  policy-map type access-control TELNET_DROP
   class TELNET
    drop
  policy-map type access-control FPM3
   class TCP_STACK2
    service-policy TELNET_DROP

  R5#sh policy-map type access-control interface FastEthernet0/0
    Service-policy access-control input: FPM3
      Class-map: TCP_STACK2 (match-all)
        2 packets, 120 bytes
        5 minute offered rate 0 bps
        Match: field ETHER type eq 0x800 next IP
        Match: field IP protocol eq 0x6 next TCP
        Service-policy access-control : TELNET_DROP
          Class-map: TELNET (match-all)
            2 packets, 120 bytes
            5 minute offered rate 0 bps
            Match: field TCP dest-port eq 0x17
            drop
          Class-map: class-default (match-any)
            0 packets, 0 bytes
            5 minute offered rate 0 bps, drop rate 0 bps
            Match: any
      Class-map: class-default (match-any)
        8 packets, 852 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any

On Wed, Jun 20, 2012 at 8:07 PM, Mike Rojas mike_c...@hotmail.com wrote:

Hey, Basically, if we want to be really specific about the protocol, we will need to create our own PHDF for GRE.. There are 16 bits for protocol type; we would most likely specify the next IP header (0x800) in order to match the stack in the exact order. On our stack we are saying: look in the first IP header for protocol number 0x2f, which is GRE, and then jump off to the ICMP header. So, it would be: check protocol 0x2f, next look for the ICMP header. OUTER_IP | GRE | INNER_IP | ICMP. We are not doing anything with the in-between headers. Based on experience, that "next" doesn't mean "expect the next protocol to be x", it means "jump off to the following header"... and if you find the header there, it will be considered a match. "First I want you to look at the IP header for this, then we go look at the TCP header for this." It doesn't mean you have to match each and every header on a packet.

http://blog.ipexpert.com/2010/05/12/introduction-to-fpm/

Mike

Date: Wed, 20 Jun 2012 19:37:28 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hi Mike, I still don't understand how we can jump from GRE to the ICMP
Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75
I guess what I am trying to say is that it should be consistent: if the stack has missing information, the stack class map should not have matches... Here:

  Class-map: TCP_STACK (match-all)
    29 packets, 1817 bytes
    5 minute offered rate 0 bps
    Match: field ETHER type eq 0x800 next TCP

If the packets come incorrectly (based on what we mounted), why would it have matches then? I tried the same example using telnet, doing it with the GRE tunnel I built yesterday, and it didn't work either. Now it is more interesting: why did it see the codes in the ICMP header yesterday, but it won't see anything in the TCP header itself... I will give it a few more hours and try to get to the bottom of this.

Mike

From: mike_c...@hotmail.com
To: oszk...@gmail.com
Date: Thu, 21 Jun 2012 01:14:22 -0600
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

No, I mean, if the packet is not mounted correctly, why would it have matches? Saying: OK, it sees the Layer 2 header, fine, looks for the ethertype... 0x800, that's correct, but then.. then the IP header is missing... why would the stack match.. if the IP header is missing?

Mike

Date: Thu, 21 Jun 2012 00:09:36 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Not sure if I understand you right, but the stack is supposed to match the traffic.

On Wed, Jun 20, 2012 at 11:59 PM, Mike Rojas mike_c...@hotmail.com wrote:

Something funny is happening to your class maps.. The stack does have a match.. why would it match?

Mike

Date: Wed, 20 Jun 2012 23:51:40 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: oszk...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Hmm... if we follow that logic then the following example should work as well, right? We say first to match all the Ethernet packets with ethertype IP, then jump to the TCP header. Something like this:

  class-map type stack match-all TCP_STACK
   stack-start l2-start
   match field ETHER type eq 0x800 next TCP
  class-map type access-control match-all TELNET
   match field TCP dest-port eq 0x17
  policy-map type access-control TELNET_DROP
   class TELNET
    drop
  policy-map type access-control FPM2
   class TCP_STACK
    service-policy TELNET_DROP

But in this case Telnet traffic is not matched (TCP_STACK shows 29 packets, TELNET 0 packets in the R5 output). If I define/match all the protocols/headers in order, as they come, telnet traffic is matched and dropped as expected:

  class-map type stack match-all TCP_STACK2
   stack-start l2-start
   match field ETHER type eq 0x800 next IP
   match field IP protocol eq 0x6 next TCP
  class-map type access-control match-all TELNET
   match field TCP dest-port eq 0x17
  policy-map type access-control TELNET_DROP
   class TELNET
    drop
  policy-map type access-control FPM3
   class TCP_STACK2
    service-policy TELNET_DROP

On Wed, Jun 20, 2012 at 8:07 PM, Mike Rojas mike_c...@hotmail.com wrote:

Hey, Basically, if we want to be really specific about the protocol, we will need to create our own PHDF for GRE.. There are 16 bits for protocol type; we would most likely specify the next IP header (0x800) in order to match the stack in the exact order. On our stack we are saying: look in the first IP header for protocol number 0x2f, which is GRE, and then jump off to the ICMP header
Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option
Hey Eugene,

Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is in the range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore.

Mike

From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Fri, 22 Jun 2012 02:44:22 +
Subject: [OSL | CCIE_Security] Need help understanding no-alias NAT option

What are the use cases of this "no-alias" NAT option? All references I found in Cisco docs say little to me. Quoting:

• Autoaliasing of Pool Addresses: Many customers want to configure the NAT software to translate their local addresses to global addresses allocated from unused addresses from an attached subnet. This requires that the router answer ARP requests for those addresses so that packets destined for the global addresses are accepted by the router and translated. (Routing takes care of this packet delivery when the global addresses are allocated from a virtual network which isn't connected to anything.) When a NAT pool used as an inside global or outside local pool consists of addresses on an attached subnet, the software will generate an alias for that address so that the router will answer ARPs for those addresses. This automatic aliasing also occurs for inside global or outside local addresses in static entries. It can be disabled for static entries by using the no-alias keyword:

  ip nat inside source static local-ip-address global-ip-address no-alias

Why would the router NOT reply on behalf of those global addresses?

Eugene
Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option
Hi,

Assuming that router 2 is not in transparent mode, taking it out wouldn't make much difference, because the packet will be routed to the next hop (R2), assuming that the HSRP routers have a route for the network of the ASA behind router 2. It would make sense if they are all on the same broadcast domain.

Mike.

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option
Date: Fri, 22 Jun 2012 03:05:49 +

Hi Mike,

Yes, I'm familiar with it. It's the same as when you say "sysopt noproxyarp" on the ASA. My question is about why you would do it. Can someone give me a good example?

I'm doing a task and it asks to configure a peer for a pair of HSRP routers. I'll have to give a sketch of the topology to make it more or less clear:

  R1 --+
       +--- R2 -(163.1.132.0)- ASA - R6
  R3 --+

So to be precise, R1 and R3 should have their IPsec peer set to 163.1.132.113, which is the ASA interface. The solution configures static NAT on R2 binding 163.1.132.113 to the R6 loopback:

  ip nat inside source static 6.0.0.1 163.1.132.113 no-alias

If R2 stops responding to ARP requests sent to 163.1.132.113, how will the whole thing work?

Eugene

From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Thursday, June 21, 2012 7:54 PM
To: Eugene Pefti; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option

Hey Eugene, Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is in the range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore.

Mike

From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Fri, 22 Jun 2012 02:44:22 +
Subject: [OSL | CCIE_Security] Need help understanding no-alias NAT option

What are the use cases of this "no-alias" NAT option? All references I found in Cisco docs say little to me. Why would the router NOT reply on behalf of those global addresses?

Eugene
Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option
Yep, anyone who thinks differently is very appreciated...

Mike

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option
Date: Fri, 22 Jun 2012 03:17:55 +

Unfortunately it doesn't make sense to me either, because R2 runs in routed mode. I believe it's just a faulty solution in the first place. I'm not going to point fingers at who the solution provider is, but it's not IPExpert's ;)

From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Thursday, June 21, 2012 8:13 PM
To: Eugene Pefti; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option

Hi, Assuming that router 2 is not in transparent mode, taking it out wouldn't make much difference, because the packet will be routed to the next hop (R2), assuming that the HSRP routers have a route for the network of the ASA behind router 2. It would make sense if they are all on the same broadcast domain.

Mike.

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option
Date: Fri, 22 Jun 2012 03:05:49 +

Hi Mike, Yes, I'm familiar with it. It's the same as when you say "sysopt noproxyarp" on the ASA. My question is about why you would do it. Can someone give me a good example? I'm doing a task and it asks to configure a peer for a pair of HSRP routers. I'll have to give a sketch of the topology to make it more or less clear:

  R1 --+
       +--- R2 -(163.1.132.0)- ASA - R6
  R3 --+

So to be precise, R1 and R3 should have their IPsec peer set to 163.1.132.113, which is the ASA interface. The solution configures static NAT on R2 binding 163.1.132.113 to the R6 loopback:

  ip nat inside source static 6.0.0.1 163.1.132.113 no-alias

If R2 stops responding to ARP requests sent to 163.1.132.113, how will the whole thing work?

Eugene

From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Thursday, June 21, 2012 7:54 PM
To: Eugene Pefti; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option

Hey Eugene, Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is in the range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore.

Mike

From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Fri, 22 Jun 2012 02:44:22 +
Subject: [OSL | CCIE_Security] Need help understanding no-alias NAT option

What are the use cases of this "no-alias" NAT option? All references I found in Cisco docs say little to me. Why would the router NOT reply on behalf of those global addresses?

Eugene
Re: [OSL | CCIE_Security] dual armed EZVPN
That is his question, why would it be needed, I mean the technical explanation. I'm sure if you run the debug, without having a crypto map applied on the host-facing interface, it will tell you "no atts acceptable". I am assuming this has something to do with the identity or whether the IP address is correctly put on the client and so on.

Mike

From: eug...@koiossystems.com
To: oszk...@gmail.com
Date: Fri, 22 Jun 2012 05:56:45 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] dual armed EZVPN

Is having only one crypto map a requirement? I'd have two different crypto maps applied to Fa0/1 and Ser0/1/0.

From: Imre Oszkar [mailto:oszk...@gmail.com]
Sent: Thursday, June 21, 2012 9:29 PM
To: Eugene Pefti
Cc: ccie security
Subject: Re: [OSL | CCIE_Security] dual armed EZVPN

R6#sh run | sec crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group EZ
 key cisco
 pool remote
 acl split
crypto isakmp profile EZ
   match identity group EZ
   client authentication list EZ
   isakmp authorization list EZ
   client configuration address respond
crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set ESP3DES
 set reverse-route tag 99
 reverse-route
crypto map VPN 10 ipsec-isakmp dynamic DYN
interface FastEthernet0/1
 ip address 8.9.6.6 255.255.255.0
 crypto map VPN
interface Serial0/1/0
 ip address 8.9.56.6 255.255.255.0
 crypto map VPN

R6#sh crypto map
Crypto Map VPN 10 ipsec-isakmp
        Dynamic map template tag: DYN

Crypto Map VPN 65536 ipsec-isakmp
        Peer = 8.9.11.4
        Extended IP access list
            access-list  permit ip any host 20.0.0.7
            dynamic (created from dynamic map DYN/10)
        Current peer: 8.9.11.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ ESP3DES, }
        Reverse Route Injection Enabled

Crypto Map VPN 65537 ipsec-isakmp
        Peer = 8.9.6.10
        Extended IP access list
            access-list  permit ip any host 20.0.0.8
            dynamic (created from dynamic map DYN/10)
        Current peer: 8.9.6.10
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ ESP3DES, }
        Reverse Route Injection Enabled

        Interfaces using crypto map VPN:
                FastEthernet0/1
                Serial0/1/0

First session has the peer with the facing interface, second session with the non-facing interface:

R6#sh crypto session detail
Interface: Serial0/1/0
Username: cisco
Profile: EZ
Group: EZ
Assigned address: 20.0.0.7
Uptime: 00:03:19
Session status: UP-ACTIVE
Peer: 8.9.11.4 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: EZ
      Desc: (none)
  IKE SA: local 8.9.56.6/500 remote 8.9.11.4/500 Active
          Capabilities:CX connid:1007 lifetime:23:56:33
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.0.0.7
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4489498/3400
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4489498/3400

Interface: Serial0/1/0
Username: cisco
Profile: EZ
Group: EZ
Assigned address: 20.0.0.8
Uptime: 00:01:57
Session status: UP-ACTIVE
Peer: 8.9.6.10 port 7348 fvrf: (none) ivrf: (none)
      Phase1_id: EZ
      Desc: (none)
  IKE SA: local 8.9.56.6/500 remote 8.9.6.10/7348 Active
          Capabilities:CX connid:1008 lifetime:23:58:01
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.0.0.8
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4503015/3482
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4503016/3482

On Thu, Jun 21, 2012 at 9:07 PM, Eugene Pefti eug...@koiossystems.com wrote:

Can you show the crypto maps applied to R6 interfaces?

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Imre Oszkar
Sent: Thursday, June 21, 2012 8:48 PM
To: ccie security
Subject: [OSL | CCIE_Security] dual armed EZVPN

Hi guys,

R4 (EZ remote) - R6 (EZ SERVER) -- (EZ vpn client)

The crypto map on R6 is applied to both interfaces (the one facing R4 and the one facing the test PC). Both EzVPN clients are able to connect, however I noticed one interesting thing. The peer address on the clients must be the IP address of the facing interface, otherwise the returning traffic from the server to the client will be black-holed by the server. The received packets are decrypted by the server but the returning traffic won't be encrypted.
Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3
Shouldn't it try to use its available trustpoints? The problem is that it does not see it. Other thing, if we have the CA as a tunnel endpoint, what is the right procedure? What I normally do is to create a different trustpoint and request a certificate to itself...

Mike.

From: pi...@howto.pl
To: veeduby...@gmail.com
Date: Sat, 23 Jun 2012 20:48:37 +0200
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Where's CA? Is it on the same router? To force the router to use a particular certificate you must assign an ISAKMP profile to the crypto map.

Regards,
Piotr

From: Ben Shaw
Sent: Saturday, June 23, 2012 4:23 PM
To: Piotr Matusiak
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi Piotr, thanks for the assistance. Yes, that is what it seems to me also. It says it can't find a PSK or RSA Cert but the R5 router is enrolled with a CA as shown below already, it doesn't seem to be using it though.

R5#show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x6
  Certificate Usage: General Purpose
  Issuer:
    cn=myCA.cisco.com
  Subject:
    Name: R5.cisco.com
    IP Address: 10.5.5.5
    ipaddress=10.5.5.5+hostname=R5.cisco.com
    cn=R5
  Validity Date:
    start date: 17:22:04 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#6.cer

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=myCA.cisco.com
  Subject:
    cn=myCA.cisco.com
  Validity Date:
    start date: 06:46:42 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#1CA.cer

I was looking at trying to specify the CA name in the configuration via an ISAKMP profile but I believe that setting a trustpoint in an ISAKMP profile is only performed based on the match statements in the profile for IPSec connections inbound to the router, not inbound and outbound. Is there a way to specify what CA to use for outbound L2L IPsec tunnels that you are aware of? This may enable me to force the router to use the ID cert it has under the myCA trustpoint.

Thanks
Ben

On Sat, Jun 23, 2012 at 9:37 PM, Piotr Matusiak pi...@howto.pl wrote:

Hi Ben,

It seems R5 doesn't use its Identity Certificate. Where's CA? Did you enroll a certificate for it? If CA is on R5 you must create a trustpoint and enroll a certificate from it (even though the CA is local).

Regards,
Piotr

From: Ben Shaw
Sent: Saturday, June 23, 2012 11:27 AM
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi All

I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in question 2.3 with certificates. I originally got it to work fine with PSK but after changing the configuration to RSA I get a failure which to me seems to be an issue on the router side as I get the following debugs when I initiate the VPN from the router (R5):

R5#ping 10.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
Jun 23 09:13:20.092: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 0x8012
Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for isakmp_initiator
Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
Jun 23 09:13:20.128: ISAKMP: set new node 0 to QM_IDLE
Jun 23 09:13:20.132: insert sa successfully sa = 67EEFFC8
Jun 23 09:13:20.132: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!
Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.
Jun 23 09:13:20.144: ISAKMP:(0): construct_initial_message: Can not start Main mode
Jun 23 09:13:20.144: ISAKMP: Unlocking peer struct 0x673AFE78 for isadb_unlock_peer_delete_sa(), count 0
Jun 23 09:13:20.148: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 673AFE78
Jun 23 09:13:20.152: ISAKMP:(0):purging SA., sa=67EEFFC8, delme=67EEFFC8
Jun 23
Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3
Gotcha!... Yeah, I was a bit curious as well.

Mike

From: pi...@howto.pl
To: mike_c...@hotmail.com; veeduby...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3
Date: Sat, 23 Jun 2012 22:16:02 +0200

You're correct Mike. That's why I asked if R5 is CA or not. If so, then you must have two trustpoints configured and I see only one in the command output.

Regards,
Piotr

From: Mike Rojas
Sent: Saturday, June 23, 2012 8:58 PM
To: pi...@howto.pl ; veeduby...@gmail.com
Cc: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Shouldn't it try to use its available trustpoints? The problem is that it does not see it. Other thing, if we have the CA as a tunnel endpoint, what is the right procedure? What I normally do is to create a different trustpoint and request a certificate to itself...

Mike.

From: pi...@howto.pl
To: veeduby...@gmail.com
Date: Sat, 23 Jun 2012 20:48:37 +0200
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Where's CA? Is it on the same router? To force the router to use a particular certificate you must assign an ISAKMP profile to the crypto map.

Regards,
Piotr

From: Ben Shaw
Sent: Saturday, June 23, 2012 4:23 PM
To: Piotr Matusiak
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi Piotr, thanks for the assistance. Yes, that is what it seems to me also. It says it can't find a PSK or RSA Cert but the R5 router is enrolled with a CA as shown below already, it doesn't seem to be using it though.

R5#show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x6
  Certificate Usage: General Purpose
  Issuer:
    cn=myCA.cisco.com
  Subject:
    Name: R5.cisco.com
    IP Address: 10.5.5.5
    ipaddress=10.5.5.5+hostname=R5.cisco.com
    cn=R5
  Validity Date:
    start date: 17:22:04 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#6.cer

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=myCA.cisco.com
  Subject:
    cn=myCA.cisco.com
  Validity Date:
    start date: 06:46:42 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#1CA.cer

I was looking at trying to specify the CA name in the configuration via an ISAKMP profile but I believe that setting a trustpoint in an ISAKMP profile is only performed based on the match statements in the profile for IPSec connections inbound to the router, not inbound and outbound. Is there a way to specify what CA to use for outbound L2L IPsec tunnels that you are aware of? This may enable me to force the router to use the ID cert it has under the myCA trustpoint.

Thanks
Ben

On Sat, Jun 23, 2012 at 9:37 PM, Piotr Matusiak pi...@howto.pl wrote:

Hi Ben,

It seems R5 doesn't use its Identity Certificate. Where's CA? Did you enroll a certificate for it? If CA is on R5 you must create a trustpoint and enroll a certificate from it (even though the CA is local).

Regards,
Piotr

From: Ben Shaw
Sent: Saturday, June 23, 2012 11:27 AM
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi All

I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in question 2.3 with certificates. I originally got it to work fine with PSK but after changing the configuration to RSA I get a failure which to me seems to be an issue on the router side as I get the following debugs when I initiate the VPN from the router (R5):

R5#ping 10.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
Jun 23 09:13:20.092: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 0x8012
Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for isakmp_initiator
Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
Jun
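An added IOS configuration sketch (not from this thread and not Yusuf's solution) of the layout Piotr and Mike describe when R5 is both the CA and a tunnel endpoint: the CA server's own trustpoint holds only the CA certificate, so a second trustpoint enrolls to the local CA for R5's identity certificate, and an ISAKMP profile bound to the crypto map pins that trustpoint. Trustpoint and profile names, the enrollment URL, the transform set and the ACL name are assumed; the addresses follow the lab.

```cisco
! Assumed example: R5 runs the IOS CA (server trustpoint MYCA is created
! automatically by "crypto pki server MYCA") and also terminates the L2L
! tunnel to the ASA at 192.168.9.10.
ip http server                          ! SCEP endpoint the local CA answers on
ip domain name cisco.com
crypto key generate rsa general-keys label R5-ID modulus 2048
!
crypto pki server MYCA
 issuer-name cn=myCA.cisco.com
 grant auto                             ! lab convenience; grant requests manually in production
 no shutdown
!
! Second, separate trustpoint: R5 enrolls against its own CA for an identity cert
crypto pki trustpoint R5-ID
 enrollment url http://10.5.5.5:80      ! R5's own address (assumed reachable locally)
 subject-name cn=R5.cisco.com
 rsakeypair R5-ID
 revocation-check none                  ! lab simplification; use crl or ocsp in production
!
! Exec-mode steps, not config lines: fetch the CA cert, then request the ID cert
!   crypto pki authenticate R5-ID
!   crypto pki enroll R5-ID
! Check: "show crypto pki certificates R5-ID" should list both a CA Certificate
! and a Certificate whose Associated Trustpoints line reads R5-ID.
!
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
!
! The profile pins the identity trustpoint; "set isakmp-profile" on the crypto
! map makes R5 use it for tunnels it initiates as well, which is the outbound
! case Ben asked about, not only for inbound peers hitting the match statement.
crypto isakmp profile L2L
 ca trust-point R5-ID
 match identity address 192.168.9.10 255.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set TS
 set isakmp-profile L2L
 match address VPN-ACL                  ! assumed ACL: 10.5.5.5/32 to 10.8.8.8/32
```

With the profile applied, the "SA request profile is (NULL)" line in Ben's debug should be replaced by the profile name, and the "No Cert or pre-shared address key" failure should disappear.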
Re: [OSL | CCIE_Security] outbound ACL
In any case, it should be the PBR applied in global configuration mode, that is the one that affects the router traffic... or control plane.

Date: Sun, 24 Jun 2012 13:26:02 +0530
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] outbound ACL

With PBR, it is routed from the loopback interface to the egress interface, hence the ACL will process the traffic. But if you ping sourced from the loopback, it is still considered router self-generated traffic.

With regards
Kings

On Sun, Jun 24, 2012 at 1:02 PM, waleed ' walleed...@hotmail.com wrote:

Why use PBR? There is no difference if I source my traffic from the loopback:

R1---R2
R1: f0/0 10.0.0.1, lo0 1.1.1.1
R2: f0/0 10.0.0.2, lo0 2.2.2.2

and there is an outbound access-list on R2 f0/0. If I use "access-list 120 deny ip any any" as outbound on R2 f0/0, I can still ping from R2 to R1 using lo0 as source. So can you please clarify the work of PBR here?

regards

Date: Sun, 24 Jun 2012 12:57:45 +0530
Subject: Re: [OSL | CCIE_Security] outbound ACL
From: kingsley.char...@gmail.com
To: walleed...@hotmail.com
CC: ccie_security@onlinestudylist.com

Use local PBR and a loopback intf should do the trick.

With regards
Kings

On Sun, Jun 24, 2012 at 12:41 PM, waleed ' walleed...@hotmail.com wrote:

Is there a way to make an interface outbound access-list affect router traffic?

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] Proctor Labs support
There is an offline support... have you tried that?

Date: Fri, 29 Jun 2012 09:58:34 +1000
From: mayd...@gmail.com
To: ccie_security@onlinestudylist.com; ccie...@onlinestudylist.com
Subject: [OSL | CCIE_Security] Proctor Labs support

Hello,

I've emailed a whole bunch of people (support@PL, support@IPX, info@PL) and (tried to) raise a ticket on the PL site about scheduling a rack at US time. For some silly reason the system won't accept my scheduling request. No one is answering. Is there a number I can ring or some other means to make contact with PL support? The timeslot I want is about 4 hours away now and I would just like to sort it out.

Cheers,
Matt
CCIE #22386
CCSI #31207

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
[OSL | CCIE_Security] IP dhcp snooping information option
Hey Guys,

Do you know if the fact that the IOS servers do not support the giaddr of 0.0.0.0 with the DHCP snooping information option should be an issue within the test? I mean, shall we put it? I noticed that without this command, regular scenarios with DHCP relay won't work, but in the case of directly connected hosts, if I have it (with the IOS DHCP server) the device won't get an address.

Mike...

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] Static Policy NAT with L4 ACL
Ben,

You actually can do it with a port, however as you rightly mentioned it would be for the source port. Static PAT is always for source port translations, so something like the following scenario should work fine.

Real Address 10.10.10.10
Translated Address 20.20.20.20
Port to be used 23

access-list pnat1 permit tcp host 10.10.10.10 eq 23 any
static (inside,outside) tcp 20.20.20.20 23 access-list pnat1

That would allow anyone to access server 10.10.10.10 on port 23 using address 20.20.20.20. Let me know if you have doubts.

Mike

Date: Wed, 4 Jul 2012 01:02:17 +1000
From: veeduby...@gmail.com
To: kingsley.char...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Static Policy NAT with L4 ACL

I'm using 8.0(4)23:

ASA1/c1# show version
Cisco Adaptive Security Appliance Software Version 8.0(4)23 context
Device Manager Version 6.1(5)51

I'm not using 8.0(3) but if that error appears on that version I would expect it would appear in 8.0(4) also, considering it is a later version.

On Wed, Jul 4, 2012 at 12:58 AM, Kingsley Charles kingsley.char...@gmail.com wrote:

What image are you using? Use 8.0.3 and you will see that it will not be allowed to be configured in the first place. The following error will be thrown.

asa1(config)# static (inside,outside) 20.10.30.40 access-list tel
ERROR: Protocol mismatch between the static and access-list

With regards
Kings

On Tue, Jul 3, 2012 at 7:20 PM, Ben Shaw veeduby...@gmail.com wrote:

Hi Guys,

I'm a bit confused as it seems to me you are agreeing with each other but yet saying different things. Kings says matching on protocol can't be done with static policy NAT and Bruno seems to say it can. I know with some other forms of policy NAT if I try and use an ACL with ports defined I get an error message that a port-based ACL can't be used. I don't get that error when I use an ACL with ports with static NAT, and when I check the NAT configuration between interfaces as shown below the particular configuration seems to be applied just as I want it to be:

ASA1/c1(config)# access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
ASA1/c1(config)# static (inside,outside) 192.168.6.61 access-list acl1
ASA1/c1# show nat inside outside
  match tcp inside host 10.1.1.1 outside host 10.4.4.4 eq 23
    static translation to 192.168.6.61/50961
    translate_hits = 0, untranslate_hits = 0

So according to the output above the command did 'take' and traffic from 10.1.1.1 to 10.4.4.4:23 is being SNAT'd to 192.168.6.61. Now I'll agree that I did not see the firewall operating in this way and the NAT operation did not seem to actually work, but why would it 1) accept my static command with a port-based ACL if it couldn't (especially when in other NAT statements it will return an error) and 2) show entries in the show nat inside outside command that seem to confirm that it will translate the traffic I want it to?

Thanks
Ben

On Mon, Jul 2, 2012 at 9:31 PM, Bruno Silva auranpr...@gmail.com wrote:

What Kings is saying is correct, you can only use an access-list matching TCP when you are going to match the protocol on the static translation.

2012/7/2 Kingsley Charles kingsley.char...@gmail.com

The following is incorrect. With a static policy rule, you can't use destination port numbers. You can do it only with policy NAT (nat/global commands).

access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
static (inside,outside) 192.168.6.61 acl1

With regards
Kings

On Mon, Jul 2, 2012 at 2:28 PM, Ben Shaw veeduby...@gmail.com wrote:

Hi All

One of the requirements in Yusuf's second Lab is to source NAT the address 10.1.1.1 to 192.168.6.61 for telnet connections to 10.4.4.4. To do so I configured the following:

access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
static (inside,outside) 192.168.6.61 acl1

However this did not translate the source address and the connection was allowed to pass to 10.4.4.4 using the untranslated source address of 10.4.4.4. I performed a packet tracer and got the following output:

ASA1/c1# packet-tracer input inside tcp 10.1.1.1 5 10.4.4.4 telnet
<snip>
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.6.61 access-list acl1
  match tcp inside host 10.1.1.1 outside host 10.4.4.4 eq 23
    static translation to 192.168.6.61/33135
    translate_hits = 0, untranslate_hits = 0
Additional Information:
<snip>
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA1/c1#

From this output it looks as though the translation will work as desired but when I try to actually perform the connection I get the following:

R1#show ip interface brief | i Loopback0
Loopback0      10.1.1.1      YES NVRAM  up       up
Re: [OSL | CCIE_Security] Packet tracer from out to in with multicontext
Correct. Try with real traffic; if it doesn't work, use NAT, which is the second method that the firewall uses for packet classification. A regular self translation should do it.

Mike

Date: Wed, 4 Jul 2012 16:00:31 +0200
From: pio...@ipexpert.com
To: kingsley.char...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Packet tracer from out to in with multicontext

Kings,

Packet Tracer is buggy in multiple context mode (some certain scenarios). Maybe they fixed it in 8.2, but not 100% sure of that.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Wed, Jul 4, 2012 at 3:49 PM, Fawad Khan fawa...@gmail.com wrote:

How do the NAT control and statics look like?

On Wednesday, July 4, 2012, Kingsley Charles wrote:

Typo, the dest port is 23...

On Wed, Jul 4, 2012 at 5:45 PM, Kingsley Charles kingsley.char...@gmail.com wrote:

Hi all

When I run packet tracer from out to in, I get the following O/P. Now the outside interface is shared between contexts but I have configured mac-address auto. Traffic is passing without any issues. Thoughts please.

asa1/admin(config)# packet-tracer input outside tcp 20.10.30.40 1024 10.20.30.40 23
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

With regards
Kings

--
FNK

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] FTP
Johan,

By default the ASA has the inspection for FTP configured, so the data channel will be opened dynamically, hence you only need FTP.

Mike

From: jo...@isc.co.za
To: ccie_security@onlinestudylist.com
Date: Thu, 5 Jul 2012 08:02:04 +0200
Subject: [OSL | CCIE_Security] FTP

Hi,

When asked to allow FTP to a host, do I allow ftp-data and ftp or only ftp? I see some solutions allow both, others only ftp.

Thanks
Johan

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] Web traffic
Normally it will say which type of site it is. If it asks you for web traffic, I would assume both.

Mike

Date: Thu, 5 Jul 2012 14:27:52 +0200
From: mohammed.ab...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Web traffic

Dears,

When we get a question saying "permit web traffic to a server", does this mean only HTTP, or HTTP and HTTPS?

Regards,
Mohamed Abdin

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] FTP
It doesn't matter. The ASA would open both.

Mike

From: walleed...@hotmail.com
To: mike_c...@hotmail.com; jo...@isc.co.za; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] FTP
Date: Thu, 5 Jul 2012 17:00:10 +

I think he must tell the type of FTP service, passive or active.

Regards

From: mike_c...@hotmail.com
To: jo...@isc.co.za; ccie_security@onlinestudylist.com
Date: Thu, 5 Jul 2012 10:56:05 -0600
Subject: Re: [OSL | CCIE_Security] FTP

Johan,

By default the ASA has the inspection for FTP configured, so the data channel will be opened dynamically, hence you only need FTP.

Mike

From: jo...@isc.co.za
To: ccie_security@onlinestudylist.com
Date: Thu, 5 Jul 2012 08:02:04 +0200
Subject: [OSL | CCIE_Security] FTP

Hi,

When asked to allow FTP to a host, do I allow ftp-data and ftp or only ftp? I see some solutions allow both, others only ftp.

Thanks
Johan

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] My dream comes true
I think I speak for all of us in OSL: you deserved it, you have helped a lot of people over here and cleared your studies. Congratulations man, and of course, best wishes in your future.

With regards,
Mike Rojas.

Date: Fri, 6 Jul 2012 07:02:56 +0530
From: kingsley.char...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] My dream comes true

Hi all

An 8-year dream and 5 years of hard work come true. Took my lab yesterday and just saw that I have cleared it. Thanks to all for your support. I love OSL. Special thanks to Tyson, who was always there for everyone. Thanks to Brandon for his support.

With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE#35914

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] Yusuf - Role-based access control
Exec should do the trick, and I did it, but it still gave me the user mode. Either way, all the configuration commands were correctly authorized; it was just the user prompt which bugged me. They clarify that it is expected.

Cheers,
Mike

From: auranpr...@gmail.com
Date: Mon, 18 Jun 2012 03:21:03 -0300
To: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Role Based

Hi Mike,

Did you configure the "aaa authorization exec" command and "aaa authorization command [level]"?

Br,
Bruno Silva

Sent via iPhone

On 15/06/2012, at 16:40, Mike Rojas mike_c...@hotmail.com wrote:

It was on the username and the privilege is 15... the list is attached to the local database.

Mike

Date: Fri, 15 Jun 2012 06:47:46 -0400
Subject: Re: [OSL | CCIE_Security] Role Based
From: fawa...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Do you mean the '>' prompt? Then yes, it's normal. It depends on where you are applying the privilege 15, i.e. at the privilege level box in the user profile or through the AAA attribute priv-lvl=15?

On Thursday, June 14, 2012, Mike Rojas wrote:

Hello,

Is the user sign (>) normal when configuring Role based access?

Router1>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)>?
Configure commands:
  do    To run exec commands in config mode
  exit  Exit from configure mode
  ip    Global IP configuration subcommands
Router1(config)>ip ?
Global IP configuration subcommands:
  http  HTTP server configuration
Router1(config)>ip

I have authorization applied on the line vty and the user priv is 15...

--
FNK

From: radim.jur...@gmail.com
Date: Fri, 6 Jul 2012 23:08:11 +0200
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Yusuf - Role-based access control

Hello,

Anybody working now on Yusuf's Configurations Practice Labs, question 5.2 Role-based access control? In the Lab debrief, when testing the CLI view solution he connects directly into priv EXEC (#) but I think it should be in user EXEC (>). When I configure a CLI View using the parser feature it should always be in user EXEC, is that right?

Thanks in advance,
Radim

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] Lab dates
That is true... We went to check for available dates and there are none at this point. It took more than I thought... but it finally did...

Date: Fri, 6 Jul 2012 20:51:48 -0400
From: fawa...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Lab dates

Recently a friend told me that suddenly there are no lab dates available anywhere in the world. Has anyone of you heard the same thing or tried to book a lab?

--
FNK

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
Re: [OSL | CCIE_Security] Dhcp snooping permanent vs temp binding
Fawad,

Revisiting this thread: if you save the database to flash, the ip dhcp snooping binding will remain there after reload, actually until the lease expires. The other does not have a timeout, so that means it will remain there as well (since it is a config command) after reload. I remember now that I did the source binding, and I am pretty sure that I had that question wrong.

Date: Tue, 5 Jun 2012 20:04:27 -0400
From: fawa...@gmail.com
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Dhcp snooping permanent vs temp binding

For the dhcp snooping I learned the hard way the difference between the two commands. The command below is done at exec level and the binding will be removed after a reload:

3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3

The following is permanent and will not be removed from the config or binding database after reboot:

3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3

Are you able to pick the difference between the two commands? Hope this helps.

-- FNK
[OSL | CCIE_Security] Certificate maps,
Hey Guys,

Just wanted to throw this one out. Sometimes I got freaked out about my certificate map not matching against what I am looking for on the certificate of the peer, for example:

7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=ASA2
        protocol     : 0
        port         : 0
        length       : 31
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(4003): processing a CT_X509_SIGNATURE cert
Jul 7 23:06:51.738: ISAKMP:(4003): peer's pubkey is cached
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.

But later on, you see that it continues looking into the certificate payload and then:

Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
Jul 7 23:06:51.742: ISAKMP:(4003): processing SIG payload. message ID = 0
Jul 7 23:06:51.746: ISAKMP:received payload type 17
Jul 7 23:06:51.746: ISAKMP:(4003): processing vendor id payload
Jul 7 23:06:51.746: ISAKMP:(4003): vendor ID is DPD
Jul 7 23:06:51.746: ISAKMP:(4003):SA authentication status:

Mainly it tries to match it against known fields following the procedure, then it checks for the certificate map. Annnyyway... just wanted to throw it out in case someone freaks out as well.

Mike Rojas
[OSL | CCIE_Security] NAR explanation
Hello,

I need a brief explanation of NAR. The only way to make it work is using asterisks. The documentation is nowhere near clear on how to put the permitted addresses. This is because I need to permit a user coming from certain IP addresses. I think that what I don't understand is how to put the permitted addresses. Any explanation will be great.

Mike
Re: [OSL | CCIE_Security] NAR explanation
I did 10.* and it didn't work, I will try it again and let you know. Thanks Kings.

Mike

Date: Sun, 8 Jul 2012 11:07:03 +0530
Subject: Re: [OSL | CCIE_Security] NAR explanation
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

Do as Yusuf mentioned in his practice labs. For example, for all 10.0.0.0/8 addresses, use 10.* or 10*

With regards
Kings

On Sun, Jul 8, 2012 at 9:06 AM, Mike Rojas mike_c...@hotmail.com wrote:

Hello,

I need a brief explanation of NAR. The only way to make it work is using asterisks. The documentation is nowhere near clear on how to put the permitted addresses. This is because I need to permit a user coming from certain IP addresses. I think that what I don't understand is how to put the permitted addresses. Any explanation will be great.

Mike
Re: [OSL | CCIE_Security] Commands authorization
The command hostname is being denied on the tacacs? This looks fine:

privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show

Just add aaa authorization config-commands and deny it on the tacacs.

Mike

From: eug...@koiossystems.com
To: walleed...@hotmail.com; ccie_security@onlinestudylist.com
Date: Sun, 8 Jul 2012 18:03:17 +
Subject: Re: [OSL | CCIE_Security] Commands authorization

Sorry for coming back to the same topic again. Now I have a question if I can do a mix of the below said authorizations, namely having certain commands available at a particular level, e.g. 10, and authorizing commands with a shell command set on a TACACS server. It looks like the command set from TACACS is not pushed to the user.

I moved a few commands to privilege level 10:

privilege configure level 10 hostname
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show running-config
privilege exec level 10 show

And I want to deny the user the ability to change the hostname. So my shell command authorization set looks like this:

Cmd = “configure”, Args = “permit terminal”
Cmd = “show”, Args = “permit running-config”

With all this I expect the user is allowed to run show commands and see the hostname in the config, but deny him from changing the hostname because it’s not listed in the command set; but it doesn’t work this way.

Eugene

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Eugene Pefti
Sent: Friday, July 06, 2012 8:48 PM
To: waleed '; CCIE Security
Subject: Re: [OSL | CCIE_Security] Commands authorization

Thanks, pal. Yeah... I realize it now. Just to recap. I did commands authorization two ways.

First was assigning a user priv 15 level via TACACS and assigning him a certain command set. The attempt to run the unassigned command ended up in “Command authorization failed”.

Second was assigning a user priv X level (let’s say 7) via TACACS and assigning exec and configure commands locally on the router with “privilege exec ...” and “privilege configure ...”. The attempt to run the command that doesn’t exist in level 7 ended up with the “Invalid input detected at ^ marker”.

Eugene

From: waleed ' [mailto:walleed...@hotmail.com]
Sent: Friday, July 06, 2012 8:35 PM
To: Eugene Pefti; CCIE Security
Subject: RE: [OSL | CCIE_Security] Commands authorization

You have to check what you configured for commands authorization and for exec authorization. You will have this message:

% Invalid input detected at '^' marker.

for a command not found in this level.

From: eug...@koiossystems.com
To: ccie_security@onlinestudylist.com
Date: Sat, 7 Jul 2012 03:30:26 +
Subject: [OSL | CCIE_Security] Commands authorization

Folks,

I’m honing my skills in commands authorization and ran into something that put me on guard. I have a number of commands defined in a command authorization set and the router and TACACS user settings are configured for a particular privilege level. When I run the command that is not allowed the router says that command is not available, e.g.

R3(config)#int Fa0/1
           ^
% Invalid input detected at '^' marker.

I remember previously I saw a different message when I tried to execute a non-allowed command, namely, “Command authorization failed”. Why do you think there’s a difference?

Eugene
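A toy model of the two checks discussed in this thread, added here as an example and not taken from the thread or from IOS: the parser's privilege-level filter (which produces "% Invalid input") and TACACS+ command authorization (which produces "Command authorization failed"), including why a config-mode command such as hostname escapes the command set until aaa authorization config-commands is enabled. The data structures, the "unlisted command is denied" rule and the Eugene_* names are simplifying assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

INVALID_INPUT = "% Invalid input detected at '^' marker."
AUTHZ_FAILED = "Command authorization failed."
OK = "OK"

@dataclass
class Router:
    """Assumed model of the IOS side; commands not listed keep the default level 15."""
    exec_levels: dict                # from "privilege exec level N <cmd>"
    config_levels: dict              # from "privilege configure level N <cmd>"
    authorize_commands: bool         # aaa authorization commands 15 default group tacacs+
    authorize_config_commands: bool  # aaa authorization config-commands

@dataclass
class CommandSet:
    """Assumed model of an ACS shell command set: Cmd -> [(action, args glob)]."""
    rules: dict

    def permits(self, cmd: str, args: str) -> bool:
        for action, pattern in self.rules.get(cmd, []):   # unlisted Cmd -> denied
            if fnmatch(args, pattern):
                return action == "permit"
        return False

def required_level(levels: dict, line: str) -> int:
    # The parser offers a command only at or above its assigned level; the longest
    # matching prefix wins, so "show running-config" is checked before plain "show".
    best, best_len = 15, -1
    for cmd, level in levels.items():
        if (line == cmd or line.startswith(cmd + " ")) and len(cmd) > best_len:
            best, best_len = level, len(cmd)
    return best

def run(router: Router, tacacs: CommandSet, user_level: int, mode: str, line: str) -> str:
    """Message the user sees for `line` typed in `mode` ("exec" or "configure")."""
    levels = router.exec_levels if mode == "exec" else router.config_levels
    if user_level < required_level(levels, line):
        return INVALID_INPUT     # stage 1: the parser never shows the command at this level
    # Stage 2: config-mode commands reach TACACS+ only when config-commands authz is enabled.
    if router.authorize_commands and (mode == "exec" or router.authorize_config_commands):
        cmd, _, args = line.partition(" ")
        if not tacacs.permits(cmd, args):
            return AUTHZ_FAILED
    return OK

# Eugene's setup from the thread: hostname moved to level 10, command set that omits it.
EUGENE_EXEC = {"configure terminal": 10, "configure": 10, "show running-config": 10, "show": 10}
EUGENE_CONFIG = {"hostname": 10}
EUGENE_SET = CommandSet({"configure": [("permit", "terminal")], "show": [("permit", "running-config")]})

def eugene_hostname(config_commands_authz: bool) -> str:
    """Result for a level-10 user typing 'hostname R3', with or without config-commands authz."""
    router = Router(EUGENE_EXEC, EUGENE_CONFIG, True, config_commands_authz)
    return run(router, EUGENE_SET, 10, "configure", "hostname R3")
```

With config-commands authorization off the hostname change goes through (Eugene's observation); with it on, the command set denies it (Mike's suggestion), while a level-7 user still gets the parser's "Invalid input" before any TACACS+ lookup happens.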
Re: [OSL | CCIE_Security] Certificate maps,
Hey,

It was L2L to IOS. The tunnel group was with the IP address but it had to land there based on certificate maps. It only creeped me out that at first it matched none of the profiles, but that is one of the first checks that it does; later on it matches the certificate map and it lands in the correct tunnel group.

Mike Rojas
Security Technical Lead

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Certificate maps,
Date: Sun, 8 Jul 2012 18:31:09 +

Hi Mike,

Is it an ASA to ASA lan2lan tunnel? What’s the tunnel-group name?

Eugene

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Mike Rojas
Sent: Saturday, July 07, 2012 4:12 PM
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] Certificate maps,

Hey Guys,

Just wanted to throw this one out. Sometimes I got freaked out about my certificate map not matching against what I am looking for on the certificate of the peer, for example:

7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=ASA2
        protocol     : 0
        port         : 0
        length       : 31
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(4003): processing a CT_X509_SIGNATURE cert
Jul 7 23:06:51.738: ISAKMP:(4003): peer's pubkey is cached
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.

But later on, you see that it continues looking into the certificate payload and then:

Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
Jul 7 23:06:51.742: ISAKMP:(4003): processing SIG payload. message ID = 0
Jul 7 23:06:51.746: ISAKMP:received payload type 17
Jul 7 23:06:51.746: ISAKMP:(4003): processing vendor id payload
Jul 7 23:06:51.746: ISAKMP:(4003): vendor ID is DPD
Jul 7 23:06:51.746: ISAKMP:(4003):SA authentication status:

Mainly it tries to match it against known fields following the procedure, then it checks for the certificate map. Annnyyway... just wanted to throw it out in case someone freaks out as well.

Mike Rojas
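A small parser for the ISAKMP debug sequence Mike describes in this thread (both the original post and the reply above), added here as an example and not part of either message: it walks the debug lines in order and reports whether the peer ended up in a profile through the certificate map after the identity lookup found none, so that the "*none* of the profiles" line is read in context rather than as a failure. The embedded sample is a trimmed copy of the quoted lines; the regular expressions and the verdict strings are this example's own.

```python
import re

# Constructed sample input: a trimmed copy of the ISAKMP debug lines quoted in the thread.
SAMPLE_DEBUG = """\
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
"""

# Events worth tracking, in the order IOS emits them during phase 1.
NO_PROFILE = re.compile(r"peer matches \*none\* of the profiles")
CERT_MAP = re.compile(r"certificate map matches (\S+) profile")
CERT_OK = re.compile(r"CERT validity confirmed")
CERT_WARN = re.compile(r"Unable to get DN from certificate|contains no OU field")

def profile_selection(debug_text: str) -> dict:
    """Walk the debug in order and report how the peer was bound to an ISAKMP profile.

    The first lookup uses the ID payload; only when it finds nothing does IOS parse the
    CERT payload and try the certificate maps, so a later match overrides the earlier
    "*none* of the profiles" line.
    """
    state = {"identity_matched": None, "cert_map_profile": None,
             "cert_valid": False, "cert_warnings": []}
    for line in debug_text.splitlines():
        msg = line.split(": ", 2)[-1].strip()      # drop timestamp and ISAKMP:(id) prefix
        if NO_PROFILE.search(msg):
            state["identity_matched"] = False
        elif (m := CERT_MAP.search(msg)):
            state["cert_map_profile"] = m.group(1)
        elif CERT_OK.search(msg):
            state["cert_valid"] = True
        elif CERT_WARN.search(msg):
            state["cert_warnings"].append(msg)   # informational: DN/OU absent, not fatal
    if state["cert_map_profile"] and state["cert_valid"]:
        verdict = f"matched profile {state['cert_map_profile']} via certificate map"
    elif state["cert_map_profile"]:
        verdict = f"certificate map matched {state['cert_map_profile']} but CERT was not confirmed"
    elif state["identity_matched"] is False:
        verdict = "no profile matched by identity or certificate map"
    else:
        verdict = "no profile decision seen in this debug"
    state["verdict"] = verdict
    return state
```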
Re: [OSL | CCIE_Security] Switches in the lab
IME is another application that is installed on the machine itself that will control the IPS. By default, if you start a connection to the IPS it will open IDM for you; the application is on the OS of the IPS, there is no way to rip it off. Anyhow, whatever connection you start to the device itself using the webserver service port will throw you IDM.

Cheers,

From: eug...@koiossystems.com
To: mike_c...@hotmail.com; mayd...@gmail.com
CC: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Switches in the lab
Date: Mon, 9 Jul 2012 00:46:16 +

Hm... Never used it before but it seemed to accept it, thanks, pal. What about “rx” and “both”?

And one more thing. I don’t have any preference whether to use IDM or IME but still want to be fully prepared. The blueprint says it is going to be IDM and Marta previously mentioned that IME is an application to manage the IPS.

From: Mike Rojas [mailto:mike_c...@hotmail.com]
Sent: Sunday, July 08, 2012 5:42 PM
To: Eugene Pefti; mayd...@gmail.com
Cc: ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] Switches in the lab

It always does that, set it up as replicate.

Mike

From: eug...@koiossystems.com
To: mayd...@gmail.com
Date: Mon, 9 Jul 2012 00:38:19 +
CC: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Switches in the lab

Thanks, Matt, and sorry for being lazy and not looking into the blueprint ;)

Since we touched on SPAN sessions to be set up on the switch, a quick question, maybe two.

1) If we configure the source interface/vlan, do we have to explicitly set it to both or is having rx enough?

2) I'm configuring the physical interface on the switch as the destination, i.e.

SW2(config)#monitor session 1 dest int Fa0/10 encap dot1q
% Warning: One or more specified dest port does not support requested encapsulation.

Why does the switch warn me about this? I have my Fa0/10 set up as a dot1q trunk.
Eugene

-----Original Message-----
From: Matt Hill [mailto:mayd...@gmail.com]
Sent: Sunday, July 08, 2012 5:23 PM
To: Eugene Pefti
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] Switches in the lab

From the blueprint - which I just happened to have opened :)

* Cisco 3800 Series Integrated Services Routers (ISR)
* Cisco 1800 Series Integrated Services Routers (ISR)
* Cisco Catalyst 3560 Series Switches
* Cisco ASA 5500 Series Adaptive Security Appliances
* Cisco IPS Series 4200 Intrusion Prevention System sensors
* Cisco Secure Access Control Server for Windows

Note: The IPS sensor can be configured using CLI and managed through the IPS Device Manager.

Software Versions
* Cisco ISR Series running IOS Software Version 12.4T Advanced Enterprise Services feature set is used on all routers
* Cisco Catalyst 3560 Series Switches running Cisco IOS Software Release 12.2(44)SE or above
* Cisco ASA 5500 Series Adaptive Security Appliances OS Software Version 8.x
* Cisco IPS Software Release 6.1.x
* Cisco VPN Client Software for Windows, Release 5.x
* Cisco Secure ACS for Windows Version 4.1

So go for it with the 3560s. 3750 is pretty much the same beast.

Cheers,
Matt
CCIE #22386 CCSI #31207

On 9 July 2012 10:16, Eugene Pefti eug...@koiossystems.com wrote:

Can you guys confirm that we will have 3560/3750 switches in the lab and not 3550? I just hate to remember that we need a reflector port to set up a SPAN session on a 3550 switch.

Eugene
[OSL | CCIE_Security] Yusuf Lab1 Debrief
Experts,

In the Yusuf Lab1 debrief for multiple context verification, when it says that you need to check the show nameif, it appears like this:

ASA1/abc1(config)# sh nameif
Interface                Name                     Security
Ethernet0/3              inside                   100
Ethernet0/0              outside                    0
ASA1/abc1(config)#

However, in my configuration, it appears as:

ASA1/abc1(config)# sh nameif
Interface                Name                     Security
outside                  outside                    0
inside                   inside                   100
ASA1/abc1(config)#

Two questions: does the order matter? Second question: in the configuration or the tasks, it didn't say that the interface needed to be visible; however, in the solution the interface appears instead of the configured virtual name. Is the solution incorrect?

Mike