DENY IP – road to CCIE security

Technology MiniLab ASA part I.

Posted in ASA firewall, Firewalling, Technology Minilabs by denyip on December 28, 2008

This Mini Lab focuses on various Cisco ASA technologies and is part of DENYIP's CCIE Security technology minilab series.
If you have any question or suggestion, feel free to post in the discussion or contact me at milsir(at)gmail.com.
The lab is based on the following setup:

[Topology diagram: asa-technology-tab-i3]

The following HW is needed:
1x Cisco ASA or PIX
1x dot1q-capable switch
4x routers with at least one Ethernet interface

Dynamips can be used as well. I tried both a physical lab and Dynamips; for Dynamips I used the following NET file:

[localhost:7200]
workingdir = C:\path to your working directory
[[2621]]
 image = C:\path to your IOS
 ram = 92
 idlepc = your idle PC

 [[Router R1]]
  model = 2621
  Fa0/0 =  S1 1

 [[Router R2]]
  model = 2621
  Fa0/0 =  S1 2

 [[Router R3]]
  model = 2621
  Fa0/0 =  S1 3

 [[Router R4]]
  model = 2621
  Fa0/0 =  S1 4

[[ethsw S1]]
    1 = access 10
    2 = access 20
    3 = access 30
    4 = access 40
    5 = dot1q 1
    6 = dot1q 1

[pemu localhost]
[[525]]
serial=<removed>
key=<removed>
image = path to your PIX image
[[fw FW1]]
 e0 = S1 5
 e1 = S1 6

TASKS

TASK1 – Addressing and basic connectivity

Configure the FW interfaces (sub-interfaces) in the following way:

e1.10 – nameif R10, VLAN10, security level 10, IP 10.10.10.1

e1.20 – nameif R20, VLAN20, security level 20, IP 10.10.20.1

e0.30 – nameif R30, VLAN30, security level 30, IP 10.10.30.1

e0.40 – nameif R40, VLAN40, security level 40, IP 10.10.40.1

Configure IP addressing of the routers according to the drawing (including loopbacks).

The R40 interface is a DHCP client. Configure R30 as the DHCP server for this router and make sure this interface is always assigned IP 10.10.40.2.

TASK2 – routing, ACL

Delete all static routes and run RIP v2 between all devices; propagate all networks including loopbacks and use MD5 authentication. Permit ICMP between all routers and verify connectivity with ping (you should be able to ping all loopbacks from all routers); use only one line in your ACL.

TASK3 – SSH access
Enable SSH with local authentication on all routers; do not use the domain command on the routers. Enable SSH access through the firewall.

TASK4 – NAT control

On the firewall enable NAT control. Configure the FW to allow the same access as without NAT control (ping, ssh).

SOLUTIONS

TASK1  Solution

You need to create VLANs 10, 20, 30 and 40 on the switch, assign VLAN membership to the router ports (R10, R20, R30, R40) and configure dot1q trunks on the ASA ports.


ASA configuration

interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
! For me it is good to use nameifs like R20, R30 and not the traditional
! inside, outside, dmz - it helps me think out of the box
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
! R40 will get its DHCP IP from R30, so DHCP relay needs to be
! configured
dhcprelay server 10.10.30.2 R30
dhcprelay enable R40
dhcprelay setroute R40
dhcprelay timeout 60

R3 configuration
! create a pool for R40 and use client-identifier for the reservation
! (client-identifier is the 01 hardware-type prefix for Ethernet + client MAC)
ip dhcp pool R40
   host 10.10.40.2 255.255.255.0
   client-identifier 0100.e01e.7dc7.61

interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
! Static route for R40 network is needed
ip route 10.10.40.0 255.255.255.0 10.10.30.1

R40 configuration

! The interface IP will come from DHCP and the client-id of e0/0 is sent;
! it didn't work for me without the client-id command

interface Ethernet0/0
 ip address dhcp client-id Ethernet0/0

! Static route for R30 network is needed
ip route 10.10.30.0 255.255.255.0 Ethernet0/0
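The client-identifier value in the R3 pool above is just DHCP option 61 rendered in IOS dotted-hex form. The following is an added example (not from the original post) that builds and parses that value; the MAC 00e0.1e7d.c761 is recovered from the post's identifier by dropping the 01 prefix and is otherwise a constructed input.

```python
"""Build and parse the IOS DHCP client-identifier used for a fixed reservation.

Added example, not from the original post. IOS writes the identifier as the
DHCP option 61 value in dotted groups of four hex digits: one byte of
hardware type (0x01 = Ethernet, RFC 1700) followed by the six-byte MAC.
"""
import re

ETHERNET_HTYPE = 0x01


def mac_to_bytes(mac):
    """Accept 00e0.1e7d.c761, 00:e0:1e:7d:c7:61 or 00-e0-1e-7d-c7-61."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def option61_bytes(mac, htype=ETHERNET_HTYPE):
    """Raw DHCP option 61 value: hardware-type byte followed by the MAC."""
    return bytes([htype]) + mac_to_bytes(mac)


def ios_client_identifier(mac, htype=ETHERNET_HTYPE):
    """Render the option 61 bytes the way IOS expects after 'client-identifier'."""
    hexstr = option61_bytes(mac, htype).hex()            # 14 hex digits
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def parse_client_identifier(ident):
    """Inverse: return (hardware type, MAC in xxxx.xxxx.xxxx form)."""
    raw = bytes.fromhex(ident.replace(".", ""))
    if len(raw) != 7:
        raise ValueError(f"expected 7 bytes, got {len(raw)}: {ident!r}")
    mac = raw[1:].hex()
    return raw[0], ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def dhcp_pool_config(pool, ip, mask, mac):
    """The IOS 'ip dhcp pool' stanza for a host reservation keyed on the MAC."""
    return (f"ip dhcp pool {pool}\n"
            f"   host {ip} {mask}\n"
            f"   client-identifier {ios_client_identifier(mac)}")


if __name__ == "__main__":
    # Constructed input: the MAC behind the post's identifier 0100.e01e.7dc7.61.
    print(dhcp_pool_config("R40", "10.10.40.2", "255.255.255.0", "00e0.1e7d.c761"))
```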

TASK2  Solution


ASA configuration

! rip authentication on all subinterfaces
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
! RIP configuration on ASA
router rip
 network 10.0.0.0
 version 2
 no auto-summary
! To allow communication between the routers I created one object group
! with all their IPs (interface IP + loopback IP)
object-group network ROUTERS
 network-object host 10.10.10.2
 network-object host 10.10.20.2
 network-object host 10.10.30.2
 network-object host 10.10.40.2
 network-object host 192.168.10.1
 network-object host 192.168.20.1
 network-object host 192.168.30.1
 network-object host 192.168.40.1
! and permitted ICMP between those IPs
access-list Routers_in extended permit icmp object-group ROUTERS object-group ROUTERS
! and applied it inbound on the three lower-security interfaces; R40 has the
! highest security level, so its traffic to the others is permitted without an ACL
access-group Routers_in in interface R10
access-group Routers_in in interface R20
access-group Routers_in in interface R30

ROUTER3 configuration
! router rip configuration
router rip
 version 2
 network 10.0.0.0
 network 192.168.30.0
 no auto-summary

! router key chain configuration
key chain ccie
 key 1
  key-string cisco

! router rip authentication on interface configuration
interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain ccie

TASK3  Solution


ROUTER3 configuration
! It's not actually an ASA task...
! thanks to Francois for the idea for this task
crypto key generate rsa general-keys label TEST
username admin password 0 cisco
line vty 0 4
 login local
 transport input ssh

ASA Configuration
! add a line to the ACL to permit SSH communication
access-list Routers_in extended permit tcp object-group ROUTERS object-group ROUTERS eq ssh

TASK4 Solution

! enable nat-control and create identity static mappings so traffic between
! interfaces is still allowed; under nat-control every host behind a
! higher-security interface needs a translation towards each lower one
! (the lines below cover the router interface IPs; the 192.168.x.1
! loopbacks would need the same kind of static to stay pingable)

nat-control
static (R40,R30) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R40,R20) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R40,R10) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R30,R20) 10.10.30.2 10.10.30.2 netmask 255.255.255.255
static (R30,R10) 10.10.30.2 10.10.30.2 netmask 255.255.255.255
static (R20,R10) 10.10.20.2 10.10.20.2 netmask 255.255.255.255
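The two ASA rules behind the TASK2 ACL placement and the TASK4 statics (higher-to-lower is allowed by default; nat-control requires a translation for every host behind a higher-security interface) are small enough to model. The following is an added example, not the post's own config or an ASA tool; the interface names, levels and router IPs are the lab's, and the generated lines can be compared against the six statics above.

```python
"""ASA default policy and nat-control, as the lab relies on them.

Added example, not from the original post. Two ASA rules are modelled:
  * Without an ACL, a connection is permitted only from a higher to a lower
    security-level interface, which is why TASK2 applies Routers_in inbound
    on R10, R20 and R30 but not on R40.
  * With nat-control, a host behind a higher-security interface needs a
    translation towards every lower-security interface it talks to; the
    identity statics of TASK4 keep the address unchanged.
"""

INTERFACES = {"R10": 10, "R20": 20, "R30": 30, "R40": 40}   # nameif -> security-level
HOSTS = {                                                   # router IPs behind each nameif
    "R10": ["10.10.10.2"], "R20": ["10.10.20.2"],
    "R30": ["10.10.30.2"], "R40": ["10.10.40.2"],
}


def default_policy_allows(src_if, dst_if, levels=INTERFACES):
    """True if the ASA forwards src_if -> dst_if with no access-group applied."""
    return levels[src_if] > levels[dst_if]


def interfaces_needing_acl(levels=INTERFACES):
    """Interfaces whose hosts initiate flows the default policy would drop."""
    top = max(levels, key=levels.get)
    return sorted(i for i in levels if i != top)


def identity_statics(hosts, levels=INTERFACES):
    """'static (high,low) ip ip' lines required under nat-control, highest first."""
    order = sorted(levels, key=levels.get, reverse=True)
    lines = []
    for i, high in enumerate(order):
        for low in order[i + 1:]:
            for ip in hosts.get(high, []):
                lines.append(f"static ({high},{low}) {ip} {ip} netmask 255.255.255.255")
    return lines


if __name__ == "__main__":
    print("access-group needed on:", interfaces_needing_acl())
    print(*identity_statics(HOSTS), sep="\n")
    # Adding the R40 loopback shows the extra statics that pings sourced
    # from 192.168.40.1 would need once nat-control is on.
    extra = set(identity_statics({**HOSTS, "R40": HOSTS["R40"] + ["192.168.40.1"]}))
    print(*sorted(extra - set(identity_statics(HOSTS))), sep="\n")
```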

One Response


  1. Rajesh said, on April 27, 2009 at 9:58 am

    It was a nice attempt – I'm a CCIE wannabe, I started with your labs… keep posting

    Thanks

