LAB Configuration - Saif Final1.2 Rata - Doc - 0

This document provides configuration steps for setting up NTP synchronization, logging, and failover on routers R1, R2, R15-R17 and firewalls ASA1 and ASA2. It also outlines steps for configuring contexts, interfaces, routing, NAT, and traffic filtering on the ASA firewalls. Finally, it describes configuration of an ASA cluster including interfaces, contexts, routing, NAT, and traffic filtering for ASA3 and ASA4.

Uploaded by

sheraz salim

FINAL LAB Steps:

Server R1:

clock timezone ccie -8 0
ntp authentication-key 12 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet3
ntp master 1

R2, R15, R16, R17 (NTP clients):

clock timezone ccie -8 0
ntp authentication-key 12 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp server 150.1.7.231 key 12
ntp source GigabitEthernet1

R1:

logging on
logging origin-id hostname
logging source-interface GigabitEthernet3
logging host 150.1.7.201
logging trap informational

R17:

logging on
logging origin-id string CA
logging source-interface GigabitEthernet1
logging host 150.1.7.201
logging trap debugging
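A config audit for the NTP and syslog settings above, added here as an example (not part of the original lab notes): it reads a device's running-config text and flags missing NTP authentication, untrusted keys and a missing syslog collector. The sample configs are constructed from the R1 and R17 lines above, with `ntp authenticate` deliberately dropped from the client copy so the audit has something to report.

```python
import re

# Constructed from the R1 (ntp master) lines in the lab notes above.
R1_CONFIG = """
clock timezone ccie -8 0
ntp authentication-key 12 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet3
ntp master 1
logging on
logging origin-id hostname
logging source-interface GigabitEthernet3
logging host 150.1.7.201
logging trap informational
"""

# Constructed from the R17 (ntp client) lines; "ntp authenticate" is
# deliberately left out so the audit reports an unauthenticated client.
R17_CONFIG = """
clock timezone ccie -8 0
ntp authentication-key 12 md5 cisco
ntp trusted-key 12
ntp server 150.1.7.231 key 12
ntp source GigabitEthernet1
logging on
logging origin-id string CA
logging source-interface GigabitEthernet1
logging host 150.1.7.201
logging trap debugging
"""


def audit_ntp_logging(config: str) -> list:
    """Return a list of findings for one device's running-config.
    An empty list means NTP and syslog match the intended lab posture."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # Key ids that exist, key ids that are trusted, and configured servers.
    key_ids = {m.group(1) for l in lines
               for m in [re.match(r"ntp authentication-key (\d+) ", l)] if m}
    trusted = {m.group(1) for l in lines
               for m in [re.match(r"ntp trusted-key (\d+)", l)] if m}
    servers = [m for m in (re.match(r"ntp server (\S+)(?: key (\d+))?", l)
                           for l in lines) if m]
    is_master = any(l.startswith("ntp master") for l in lines)

    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate missing: peers are not authenticated")
    if not trusted:
        findings.append("no ntp trusted-key configured")
    for k in sorted(trusted - key_ids):
        findings.append(f"trusted key {k} has no matching ntp authentication-key")
    for m in servers:
        if m.group(2) is None:
            findings.append(f"ntp server {m.group(1)} configured without a key")
        elif m.group(2) not in trusted:
            findings.append(f"ntp server {m.group(1)} uses key {m.group(2)} which is not trusted")
    if not servers and not is_master:
        findings.append("device is neither ntp master nor an ntp client")

    # Syslog: events must leave the box, and the trap level should be deliberate.
    if "logging on" not in lines:
        findings.append("logging on missing")
    hosts = [l.split()[2] for l in lines if l.startswith("logging host ")]
    if not hosts:
        findings.append("no logging host: events stay local to the device")
    trap = [l.split()[2] for l in lines if l.startswith("logging trap ")]
    if trap and trap[0] == "debugging":
        findings.append("logging trap debugging: expect high syslog volume to the collector")
    return findings


if __name__ == "__main__":
    for name, cfg in (("R1", R1_CONFIG), ("R17", R17_CONFIG)):
        print(name, audit_ntp_logging(cfg) or "OK")
```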
=============ASA1_V:
hostname ASA1V

interface gig0/0
nameif outside
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
no shut
!
interface gi0/1
nameif inside
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
no shutdown
!
interface management 0/0
nameif mgmt
security-level 100
ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54
no shutdown
--------- EIGRP_Configuration -----------------
router eigrp 12
no auto-summary
network 10.1.11.0 255.255.255.0
!
interface gig0/1
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5
--------- Failover _Configuration --------------
interface gig0/2
no shutdown
!
failover lan unit primary
failover lan interface FO gig0/2
failover link FO gig0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover
!
monitor-interface inside
monitor-interface mgmt
monitor-interface outside
==========ASA11_V:
interface gig0/2
no shutdown

failover lan unit secondary


failover lan interface FO gig0/2
failover link FO gig0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover

==========ASA2v:
hostname ASA2_V
interface gig0/0
nameif outside
ip address 20.1.2.1 255.255.255.0 standby 20.1.2.2
no shut
!
interface gi0/1
nameif inside
ip address 10.1.22.1 255.255.255.0 standby 10.1.22.2
no shutdown
!
interface management 0/0
nameif mgmt
security-level 100
ip address 150.1.7.55 255.255.255.0 standby 150.1.7.56
no shutdown
----------------- EIGRP_Configuration ---------
router eigrp 12
no auto-summary
network 10.1.22.0 255.255.255.0
!
interface gig0/1
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5
----------------- Failover_Configuration --------
interface gig0/2
no shutdown
!
failover lan unit primary
failover lan interface FO gig0/2
failover link FO gig0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
failover
!
monitor-interface inside
monitor-interface mgmt
monitor-interface outside

*******************************
dns domain-lookup mgmt
dns name-server 150.1.7.200
domain-name cisco.com

http server enable


http 150.1.7.0 255.255.255.0 mgmt
============ASA22_V:
interface gig0/2
no shutdown

failover lan unit secondary


failover lan interface FO gig0/2
failover link FO gig0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
failover
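Both units of an ASA active/standby pair must carry identical failover interface and IP settings and complementary unit roles; the check below, added as an example (not the lab's own code), parses the failover stanza of each unit and reports mismatches. The two configs are constructed from the ASA2_V/ASA22_V lines above, with the secondary's standby address deliberately mistyped.

```python
import re

# Constructed from the ASA2_V (primary) failover lines in the notes above.
PRIMARY = """
failover lan unit primary
failover lan interface FO gig0/2
failover link FO gig0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
failover
monitor-interface inside
monitor-interface mgmt
monitor-interface outside
"""

# Constructed from the ASA22_V (secondary) lines; the standby address is
# deliberately wrong (.3 instead of .2) so the check has something to report.
SECONDARY = """
failover lan unit secondary
failover lan interface FO gig0/2
failover link FO gig0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.3
failover
"""


def parse_failover(config: str) -> dict:
    """Pull the failover-related settings out of one unit's config."""
    fo = {"unit": None, "lan": None, "link": None, "ip": None,
          "enabled": False, "monitored": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"failover lan unit (primary|secondary)$", line):
            fo["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            fo["lan"] = (m.group(1), m.group(2).lower())
        elif m := re.match(r"failover link (\S+) (\S+)$", line):
            fo["link"] = (m.group(1), m.group(2).lower())
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            fo["ip"] = m.groups()
        elif line == "failover":
            fo["enabled"] = True
        elif m := re.match(r"monitor-interface (\S+)$", line):
            fo["monitored"].add(m.group(1))
    return fo


def check_failover_pair(primary_cfg: str, secondary_cfg: str) -> list:
    """Return findings that would stop this active/standby pair from forming."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append(f"unit roles must be one primary and one secondary, got {p['unit']}/{s['unit']}")
    # The lan/link names, interfaces and the failover IP line must be
    # typed identically on both units.
    for name in ("lan", "link", "ip"):
        if p[name] != s[name]:
            findings.append(f"failover {name} settings differ: {p[name]} vs {s[name]}")
    for role, unit in (("primary", p), ("secondary", s)):
        if unit["ip"] is None:
            findings.append(f"{role}: no failover interface ip configured")
        if not unit["enabled"]:
            findings.append(f"{role}: 'failover' not enabled")
    # Sharing one interface for the failover and state links requires one name.
    if p["lan"] and p["link"] and p["lan"][1] == p["link"][1] and p["lan"][0] != p["link"][0]:
        findings.append("failover LAN and state link share an interface under different names")
    return findings


if __name__ == "__main__":
    print(check_failover_pair(PRIMARY, SECONDARY) or "pair consistent")
```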
========================================================================
Task 1.2:
ASA1/ASA2# delete *.cfg
hostname ASA1

interface Gig0/0
no shutdown

interface Gig0/1
no shutdown

interface Gig0/2
no shutdown

Interface Management0/0
no shut

Interface Gig0/0.1
vlan 2

Interface Gig0/0.2
vlan 3

interface Gig0/1.1
vlan 4

interface Gig0/1.2
vlan 5

interface Gig0/2.1
vlan 6

interface Gig0/2.2
vlan 7
----------------Failover_Configuration
interface Gig0/3
no shutdown
interface Gig0/4
no shutdown
!
failover lan unit primary
failover lan interface LAN Gig0/3
failover link STATE Gig0/4
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover interface ip STATE 10.100.202.1 255.255.255.0 standby 10.100.202.2
!
failover group 1
primary
preempt
failover group 2
secondary
preempt
------------------ Context_Configuration
admin-context admin
!
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
context c1
allocate-interface gig0/0.1 inside_c1
allocate-interface gig0/1.1 dmz_c1
allocate-interface gig0/2.1 outside_c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
allocate-interface gig0/0.2 inside_c2
allocate-interface gig0/1.2 dmz_c2
allocate-interface gig0/2.2 outside_c2
config-url disk0:/c2.cfg
join-failover-group 2
------------------- Admin Context_Config:
changeto context admin
!
interface Management0/0
nameif Management
security-level 100
ip address 150.1.7.57 255.255.255.0 standby 150.1.7.58

-------------------- C1 Context_Config:

changeto context c1
!
interface inside_c1
nameif inside
ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
!
interface dmz_c1
nameif dmz
security-level 50
ip add 10.100.4.1 255.255.255.0 standby 10.100.4.2
!
interface outside_c1
nameif outside
ip address 10.100.6.1 255.255.255.0 standby 10.100.6.2
!
monitor-interface inside
monitor-interface dmz
monitor-interface outside
!
route outside 192.168.10.0 255.255.255.0 10.100.6.9
route dmz 192.168.105.7 255.255.255.255 10.100.4.7
-------------------------NAT & Traffic Filter:
object network server5_c1
host 192.168.105.7
nat (dmz,outside) static interface
!
access-list server5_c1 extended permit tcp 192.168.10.0 255.255.255.0 object server5_c1 eq www
access-list server5_c1 extended permit icmp 192.168.10.0 255.255.255.0 object server5_c1 echo
!
access-group server5_c1 in interface outside

R7: verify routes for testing

ip http server
ip route 192.168.10.0 255.255.255.0 10.100.4.1
-----------------------C2 Context_Config:
changeto context c2
!
interface inside_c2
nameif inside
ip address 10.100.3.1 255.255.255.0 standby 10.100.3.2
!
interface dmz_c2
nameif dmz
security-level 50
ip address 10.100.5.1 255.255.255.0 standby 10.100.5.2
!
interface outside_c2
nameif outside
ip address 10.100.7.1 255.255.255.0 standby 10.100.7.2
!
monitor-interface inside
monitor-interface dmz
monitor-interface outside
!
route outside 192.168.11.0 255.255.255.0 10.100.7.9
route dmz 192.168.106.8 255.255.255.255 10.100.5.8

------------------------- NAT & Traffic Filter:


object network server6_c2
host 192.168.106.8
nat (dmz,outside) static interface
!
access-list server6_c2 extended permit tcp 192.168.11.0 255.255.255.0 object server6_c2 eq www
access-list server6_c2 extended permit icmp 192.168.11.0 255.255.255.0 object server6_c2 echo
!
access-group server6_c2 in interface outside
======================== ASA2_Configuration:
interface Gig0/3
no shut
!
interface Gig0/4
no shut
!
failover lan unit secondary
failover lan interface LAN Gig0/3
failover link STATE Gig0/4
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover interface ip STATE 10.100.202.1 255.255.255.0 standby 10.100.202.2
failover

ASA1(config)# write memory all

R8: verify routes for testing

ip http server
ip route 192.168.11.0 255.255.255.0 10.100.5.1
============================================
Task 1.3: Solution
============================================
Cluster ASA 3 & 4: (Mode Multiple)

hostname ASA3
cluster interface-mode spanned force
!
interface Gig0/0
channel-group 1 mode active
no shutdown
!
interface Gig0/1
channel-group 1 mode active
no shutdown

interface Management0/0
no shutdown
!
interface port-channel1
port-channel span-cluster
!
interface port-channel1.8
vlan 8
!
interface port-channel1.9
vlan 9
!
interface port-channel1.10
vlan 10
!
admin-context admin
context admin
allocate-interface Management0/0
allocate-interface port-channel1.8
allocate-interface port-channel1.9
allocate-interface port-channel1.10
config-url disk0:/admin.cfg
!
interface Gig0/2
no shutdown
!
cluster group ccie
local-unit ASA3
cluster-interface Gig0/2 ip 10.100.203.1 255.255.255.0
priority 1
--------------------Admin Context_Config:
changeto context admin
!
ip local pool mgmt-pool 150.1.7.60-150.1.7.61
!
interface Management0/0
management-only
nameif mgmt
ip address 150.1.7.59 255.255.255.0 cluster-pool mgmt-pool
!
interface port-channel1.8
nameif inside
ip address 10.100.8.1 255.255.255.0
!
interface port-channel1.9
nameif outside
ip address 10.100.9.1 255.255.255.0
!
interface port-channel1.10
nameif dmz
security-level 50
ip address 10.100.10.1 255.255.255.0
!
route dmz 192.168.103.14 255.255.255.255 10.100.10.14
route dmz 192.168.104.14 255.255.255.255 10.100.10.14
!
object network server3_t
host 19.16.103.14
object network server4_t
host 19.16.104.14

object network server3


host 192.168.103.14
nat (dmz,inside) static server3_t

object network server4


host 192.168.104.14
nat (dmz,inside) static server4_t
---------------------------TRAFFIC FILTERING:

access-list server3-4 permit tcp security-group name PC1 10.100.8.0 255.255.255.0 host 192.168.103.14 eq 80
access-list server3-4 permit tcp security-group name PC2 10.100.8.0 255.255.255.0 host 192.168.104.14 eq 80
!
access-group server3-4 in interface inside
------------------------ASA4 Cluster Configuration:
hostname ASA4
!
cluster interface-mode spanned force
!
interface gig0/2
no shutdown
!
cluster group ccie
local-unit ASA4
cluster-interface Gig0/2 ip 10.100.203.2 255.255.255.0
priority 2
enable as-slave
-------------------------ASA3 Cluster enable:
changeto system
cluster group ccie
enable

Verification:
R14:
Ip http server
Ip route 10.100.8.0 255.255.255.0 10.100.10.1

R13:
! host routes to the translated server addresses (a /24 mask on a host address is rejected by IOS)
ip route 19.16.103.14 255.255.255.255 10.100.8.1
ip route 19.16.104.14 255.255.255.255 10.100.8.1

Verify server3 & server4 http server before apply ACL

R13#telnet 19.16.103.14 80
R14#sh tcp brief

R13#telnet 19.16.104.14 80
R14#sh tcp brief

=========================================================
Task 2.1/2.2:WCCP (Monitor & Block Policy) R2 & WSA
Hostname R2

ip access-list extended Redirect_List


permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080

ip access-list standard Group_List


permit 150.1.7.213

ip wccp 50 redirect-list Redirect_List group-list Group_List password cisco

interface Gi2
ip address 10.1.12.2 255.255.255.0
ip wccp 50 redirect in
=================================================================
Task 3.2: Configure Site-To-Site Certificate Based VPN Between R15,R16 and R17
On R17
R17# show crypto key mypubkey rsa   (if no RSA key exists, generate one first:)
R17(config)# crypto key generate rsa label ccier17 modulus 1024
ip http server
crypto pki server ccier17
database level complete
issuer-name CN=r17 O=cisco.com
grant auto
shutdown
no shutdown
password cisco123
!
R17#show crypto pki server
R17#show crypto key mypubkey rsa
==========================================
On R15
==========================================
ip domain-name cisco.com
ip name-server 150.1.7.200
!
crypto key generate rsa label ccier15 modulus 1024
!
crypto pki trustpoint ccier15
enrollment url http://172.16.100.17:80
ip-address Loopback0
source interface Loopback0
subject-name CN=r15 O=cisco.com
rsakeypair ccier15

crypto pki authenticate ccier15   (accept the CA certificate with yes; the password is the one configured on the R17 CA, cisco123)


crypto pki enroll ccier15

On R16
!==========================================
ip domain-name cisco.com
ip name-server 150.1.7.200
!
crypto key generate rsa label ccier16 modulus 1024
!
crypto pki trustpoint ccier16
enrollment url http://172.16.100.17:80
ip-address Loopback0
source interface Loopback0
subject-name CN=r16 O=cisco.com
rsakeypair ccier16

crypto pki authenticate ccier16


crypto pki enroll ccier16
==========================================
On R15 IPSEC SITE-TO-SITE VPN
==========================================
ip access-list extended VPN
permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
!
crypto isakmp policy 10
authen rsa-sig
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 20.1.7.16
set transform-set TS
match address VPN
reverse-route static
!
interface Gi3
ip address 20.1.6.15 255.255.255.0
crypto map CMAP
================
! On R16
================
ip access-list extended VPN
permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
!
crypto isakmp policy 10
authen rsa-sig
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 20.1.6.15
set transform-set TS
match address VPN
reverse-route static
!
interface Gi2
ip address 20.1.7.16 255.255.255.0
crypto map CMAP
====================================================================
Task 3.3: Configure VRF-Aware GETVPN Between R3, R4 and R5
On R4 and R5: VRF and EIGRP (both routers may be pre-configured; check the "ccie" key chain as per the question)

R4:
key chain ccie
key 1
key-string ccie
!
ip vrf mgmt
rd 20:20
!
ip vrf site_a
rd 100:100
!
ip vrf site_b
rd 200:200
!
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.4.4 255.255.255.0
!
interface Loopback200
ip vrf forwarding site_b
ip address 192.168.4.4 255.255.255.0
!
interface Gi2.20
encapsulation dot1Q 20
ip vrf forwarding mgmt
ip address 10.1.20.4 255.255.255.0
!
interface Gi2.100
encapsulation dot1Q 100
ip vrf forwarding site_a
ip address 10.1.45.4 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
interface Gi2.200
encapsulation dot1Q 200
ip vrf forwarding site_b
ip address 10.1.45.4 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
router eigrp 45
address-family ipv4 vrf site_a autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.4.0
exit-address-family
!
address-family ipv4 vrf site_b autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.4.0
exit-address-family

R5:
key chain ccie
key 1
key-string ccie
!
ip vrf mgmt
rd 20:20
!
ip vrf site_a
rd 100:100
!
ip vrf site_b
rd 200:200
!
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.5.5 255.255.255.0
!
interface Loopback200
ip vrf forwarding site_b
ip address 192.168.5.5 255.255.255.0
!
interface Gi2.20
encapsulation dot1Q 20
ip vrf forwarding mgmt
ip address 10.1.20.5 255.255.255.0
!
interface Gi2.100
encapsulation dot1Q 100
ip vrf forwarding site_a
ip address 10.1.45.5 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
interface Gi2.200
encapsulation dot1Q 200
ip vrf forwarding site_b
ip address 10.1.45.5 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
router eigrp 45
address-family ipv4 vrf site_a autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.5.0
exit-address-family
!
address-family ipv4 vrf site_b autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.5.0
exit-address-family
On R3 GETVPN (Key Server)
=========================
ip vrf mgmt
rd 20:20
!
interface GigabitEthernet3
ip vrf forwarding mgmt
ip address 10.1.20.3 255.255.255.0
no shut
!
crypto key generate rsa label cciekey modulus 1024
!
crypto keyring mgmt vrf mgmt
pre-shared-key address 10.1.20.0 255.255.255.0 key cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile prof
set transform-set TS
!
ip access-list extended site_a
permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255

ip access-list extended site_b


permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
!
crypto gdoi group site_a
identity number 100
server local
rekey algorithm aes 256
rekey authentication mypubkey rsa cciekey
rekey transport unicast
sa ipsec 1
profile prof
match address ipv4 site_a
address ipv4 10.1.20.3
!
crypto gdoi group site_b
identity number 200
server local
rekey algorithm aes 256
rekey authentication mypubkey rsa cciekey
rekey transport unicast
sa ipsec 1
profile prof
match address ipv4 site_b
address ipv4 10.1.20.3

==========================================
On R4 R5 GETVPN Group Member
==========================================
crypto keyring mgmt vrf mgmt
pre-shared-key address 10.1.20.3 key cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto gdoi group site_a
identity number 100
server address ipv4 10.1.20.3
client registration interface Gi2.20
!
crypto gdoi group site_b
identity number 200
server address ipv4 10.1.20.3
client registration interface Gi2.20
!
crypto map map1 1 gdoi
set group site_a
!
crypto map map2 1 gdoi
set group site_b
!
interface Gi2.100
crypto map map1
!
interface Gi2.200
crypto map map2
======================================================
Task 3.4: Configure FLEXVPN Between R9, R10 and R11
======================================================
On HUB R9
crypto ikev2 keyring key
peer R10
address 20.1.4.10
pre-shared-key ccier10

peer R11
address 20.1.5.11
pre-shared-key ccier11
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile prof
set transform-set TS
set ikev2-profile prof
!
interface Tunnel34
ip address 172.16.2.9 255.255.255.0
tunnel source Gi3
tunnel destination 20.1.4.10
tunnel protection ipsec profile prof shared
!
interface Tunnel35
ip address 172.16.3.9 255.255.255.0
tunnel source Gi3
tunnel destination 20.1.5.11
tunnel protection ipsec profile prof shared
!
router eigrp 34
network 10.100.6.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 192.168.9.0 0.0.0.255
passive-interface Gi2.1
no auto-summary
!
router eigrp 35
network 10.100.7.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 192.168.9.0 0.0.0.255
passive-interface Gi2.2
no auto-summary
==========================================
On R10
==========================================
crypto ikev2 keyring key
peer R9
address 20.1.3.9
pre-shared-key ccier10
!
crypto ikev2 profile prof
match identity remote address 20.1.3.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local key
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile prof
set transform-set TS
set ikev2-profile prof
!
interface Tunnel34
ip address 172.16.2.10 255.255.255.0
tunnel source Gi2
tunnel destination 20.1.3.9
tunnel protection ipsec profile prof
!
router eigrp 34
network 172.16.2.0 0.0.0.255
network 192.168.10.0
===========================
On R11
===========================
crypto ikev2 keyring key
peer R9
address 20.1.3.9
pre-shared-key ccier11
!
crypto ikev2 profile prof
match identity remote address 20.1.3.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local key
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile prof
set transform-set TS
set ikev2-profile prof
!
interface Tunnel35
ip address 172.16.3.11 255.255.255.0
tunnel source Gi2
tunnel destination 20.1.3.9
tunnel protection ipsec profile prof
!
router eigrp 35
network 172.16.3.0 0.0.0.255
network 192.168.11.0
Verification:
R10# show crypto ipsec sa
R10# ping 10.100.6.1 source Loopback1 repeat 100
R10# telnet 10.100.6.1 80 /source-interface Loopback1
R11# show crypto ipsec sa
R11# ping 10.100.7.1 source Loopback1 repeat 100
R11# telnet 10.100.7.1 80 /source-interface Loopback1

R7# show tcp brief
R8# show tcp brief

ASA1/c1# show access-list
ASA1/c2# show access-list

===============================================
Task 3.5: Configure SXP between SW2_P and ASA3
==============================================
On SW2_P
show cts credentials
clear cts credentials
clear cts pac all
clear cts environment-data

aaa authorization network ISE group ISE
cts authorization list ISE
cts credentials id SW2_P password ccie
cts refresh environment-data
!
cts sxp enable
cts sxp default password ccie
cts sxp default source-ip 10.100.8.22
cts sxp connection peer 10.100.8.1 source 10.100.8.22 password default mode local speaker

On ASA3 (SXP listener):

clear cts pac all
clear cts environment-data

aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.212
key ccie
!
cts server-group ISE
cts import-pac tftp://150.1.7.201/ASA3.pac password ccieccie
!
cts sxp enable
cts sxp default password ccie
cts sxp default source-ip 10.100.8.1
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local listener
===========================================================================
Task 4.3: Configure R1 For the SSH Authentication
On R1
R1# show crypto key mypubkey rsa
R1# show ntp status
R1(config)# ip domain name cisco.com
R1(config)# crypto key generate rsa modulus 1024
-----------------------------------------------------------------
Pre_config:

aaa new-model
!
no radius-server vsa send authentication
!
aaa authentication login NOAUTH line none
!
line con 0
login authentication NOAUTH
line aux 0
login authentication NOAUTH
!
radius server ISE
address ipv4 150.1.7.212 auth-port 1645 acct-port 1646
key ccie
!
aaa group server radius ISE
server name ISE
!
aaa authentication login FOR_SSH group ISE
aaa authorization exec FOR_SSH group ISE
!
line vty 0 4
authorization exec FOR_SSH
login authentication FOR_SSH
transport input ssh
session-timeout 2880
exec-timeout 2880 0
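An audit of the vty and AAA lines above, added here as an example that is not part of the original notes: it parses the `line` stanzas, checks that each vty accepts SSH only, resolves its login method list and flags a list that allows access with `none` or has no `local` fallback for when ISE is unreachable. The sample config is constructed from the R1 lines above plus a deliberately weak `line vty 5 15`.

```python
import re

# Constructed from the R1 AAA/vty lines in the notes above (one-space
# indentation as in a real running-config); "line vty 5 15" is an added
# weak stanza so the audit has findings to report.
R1_AAA = """
aaa new-model
aaa authentication login NOAUTH line none
aaa authentication login FOR_SSH group ISE
aaa authorization exec FOR_SSH group ISE
line con 0
 login authentication NOAUTH
line vty 0 4
 authorization exec FOR_SSH
 login authentication FOR_SSH
 transport input ssh
 exec-timeout 2880 0
line vty 5 15
 login authentication NOAUTH
 transport input telnet ssh
"""


def parse_lines(config: str):
    """Split a config into global commands and {'line vty 0 4': [subcommands]}."""
    stanzas, globals_, current = {}, [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, stanzas


def audit_vty(config: str) -> list:
    """Return findings for every vty stanza: transport, login list, exec-timeout."""
    globals_, stanzas = parse_lines(config)
    # Map each "aaa authentication login <name> <methods>" to its method list.
    login_lists = {}
    for g in globals_:
        m = re.match(r"aaa authentication login (\S+) (.+)$", g)
        if m:
            login_lists[m.group(1)] = m.group(2).split()

    findings = []
    for name, sub in stanzas.items():
        if not name.startswith("line vty"):
            continue
        transport = next((s.split()[2:] for s in sub if s.startswith("transport input")), None)
        if transport != ["ssh"]:
            findings.append(f"{name}: transport input is {transport or 'default'}, expected ssh only")
        login = next((s.split()[2] for s in sub if s.startswith("login authentication")), "default")
        methods = login_lists.get(login)
        if methods is None:
            findings.append(f"{name}: login list {login} is not defined")
        elif "none" in methods:
            findings.append(f"{name}: login list {login} allows access with no authentication")
        elif "local" not in methods:
            findings.append(f"{name}: login list {login} has no local fallback if the AAA server is unreachable")
        if not any(s.startswith("exec-timeout") for s in sub):
            findings.append(f"{name}: no exec-timeout")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(R1_AAA):
        print(finding)
```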
=========SW2_P Complete Configuration=======
------------Task 1.3: Solution:
vlan 8
vlan 9
vlan 10
vlan 150
vlan 215
vlan 102
!
interface Port-channel1
switchport mode trunk
switchport trunk allowed vlan 8-10
no shut

interface range gi1/0/1-2, gi1/0/4-5
switchport mode trunk
switchport trunk allowed vlan 8-10
channel-group 1 mode active
!
int ran gi1/0/3, gi1/0/6
swit mode access
swit access vlan 150
!
ip routing
!
int vlan 150
ip address 150.1.7.45 255.255.255.0
!
int vlan 102
ip address 10.100.102.22 255.255.255.0
!
int vlan 215
ip address 10.100.215.22 255.255.255.0
!
int vlan 8
ip address 10.100.8.22 255.255.255.0
!
ip dhcp excluded-address 10.100.8.1
ip dhcp excluded-address 10.100.8.22
ip dhcp excluded-address 10.100.8.11
ip dhcp excluded-address 10.100.8.13
ip dhcp excluded-address 10.100.215.22

ip dhcp pool VLAN8


network 10.100.8.0 255.255.255.0
default-router 10.100.8.1
dns-server 150.1.7.200
lease infinite
!
ip dhcp pool VLAN215
network 10.100.215.0 255.255.255.0
default-router 10.100.215.22
option 150 ip 150.1.7.215
lease infinite

-----------------
aaa new-model
!
!
aaa authentication login NOAUTH line none
line con 0
login authentication NOAUTH
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE

aaa accounting dot1x default start-stop group ISE


aaa accounting network default start-stop group ISE
!
ip radius source-interface Vlan150
ip device tracking
dot1x system-auth-control
!
aaa group server radius ISE
server name ccie
!
radius server ccie
address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
key ccie
pac key ccie
!
aaa server radius dynamic-author
client 150.1.7.212 server-key ccie
server-key ccie
!
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
SXP
===
aaa authorization network ISE group ISE
cts authorization list ISE

cts credentials id SW2_P password ccie


cts refresh environment-data
!
cts sxp enable
cts sxp default pass ccie
cts sxp dafault source-ip 10.100.8.22
cts sxp conn peer 10.100.8.1 sour 10.100.8.22 password default mode local speaker

interface Gigabitethernet1/0/9
shut
switchport mode access
switchport voice vlan 215
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
no shut
!
int gi1/0/7
shut
switchport mode access
switchport access vlan 102
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
mab
no shut
-----------------------------------------
#####
ip dhcp pool VLAN102
network 10.100.102.0 255.255.255.0
default-router 10.100.102.22
option 43 ip 10.100.102.1
!==========================================
On AP CLI console
!==========================================
capwap ap ip address 10.100.102.33 255.255.255.0
capwap ap ip default-gateway 10.100.102.1
capwap ap controller ip address 10.100.102.1

If the AP does not join, clear its stored configuration and reload:
AP# clear lwapp private-config
AP# clear capwap private-config
AP# reload

Save the configuration on the controller:

(Cisco Controller) > save config

cisco/Midhum02 ------> anyconnect vpn


ccie/ccie -----------> ssl-vpn---local ASA account
ccie/Ccie123---------> dot1x
admin1/Cisco123------> ssh
ccie/Cisc0123--------> AD join
Cisco123-------------> AP PSK
Complete ISE Configuration
---------------------------------------------------------------------------
1. Enable the SXP features & disable the Profiling Configurations
---------------------------------------------------------------------------

i) Administration ---> System ---> Deployment ---> Select the ISE ---> Edit ---> General Settings

Tick (i) Enable SXP Service, (ii) Enable Device Admin Service, (iii) Enable Passive Identity Service ---> Save

ii) Administration ---> System ---> Deployment ---> Select the ISE ---> Edit ---> Profiling Configurations

Untick all the options under Services

-------------------------------------------------------------------------------
2. Disable the Restrictions on the User Authentications & System Authentication
-------------------------------------------------------------------------------

Administration ---> Identity Management ---> User Authentication Settings

Untick the following options:

i) Password must not contain username
ii) Password must contain at least one character
iii) Suspend or lock account with incorrect login attempts

Administration ---> System ---> Admin Access ---> Authentication ---> Password Policy

I) Password Lifetime: uncheck "Administrator passwords expire .."
II) Uncheck "Suspend or lock account with incorrect login attempts"

-----------------------------------------------------
3. Add the AD
-----------------------------------------------------

i) Add the AD (Make Sure the Status is completed)


ii) Retrieve the AD ALL groups

-----------------------------------------------------
4. Add all 4 devices in ISE
-----------------------------------------------------

i) R1 - SSH (Radius Only)—150.1.7.231


ii) ASA1 Anyconnect (Radius Only) 150.1.7.53
iii) SW2_P (Radius & SGT) 150.1.7.45
iv) ASA3 (Radius & SGT and download the PACs) 150.1.7.59/60/61

-----------------------------------------------------
5. Add the PC1 & PC2 Security Group Total = 2
-----------------------------------------------------

i) Administration ---> TrustSec ---> Security Group ---> Add

-----------------------------------------------------
6. Add the Endpoint Identity Groups Total 3:
-----------------------------------------------------

i) Administration ---> Identity Management ---> Groups ---> Endpoint Identity Groups

i) MAB-Phone
ii) MAB-PC
iii) MAB-AP

-----------------------------------------------------
7. Add the Users Identity Groups Total = 3( Anyconnect, Dot1x, Lab_Admin)
-----------------------------------------------------

Administration ---> Identity Management ---> Groups ---> Users Identity Groups

i) Anyconnect
ii) Dot1x
iii) Lab_Admin

-----------------------------------------------------
8. Add the Users Total = 3
-----------------------------------------------------

Administration ---> Identity Management ---> Identities

i) admin1 Password Type:AD Users Group:Lab_Admin Cisco123


ii) ccie Password Type:Internal Users Users Group:Dot1x Ccie123
iii) cisco Password Type:Internal Users Users Group:Anyconnect Midhumo2

-----------------------------------------------------
9. Add the Mac Address of all 3 (MAB-AP, MAB-PC, MAB-PHONE)
-----------------------------------------------------

i) Context Visibility ---> Endpoints ---> + --->

! Go to SW2_P ---> show cdp neigh int g. For the MAB-PC, go to 150.1.7.202 ---> cmd ---> ipconfig

i) MAB-AP - Ways to get the MAC address: from SW2 # show mac address-table dynamic int g1/0/7, or from the AP console

ap# show int g0

MAC address XX:XX:XX:XX:XX


Tick Static Assignment
Policy Assignment ---> Cisco-AIR-AP ---> Static Group Assignment ---> Cisco-AIR-AP

ii) MAB-PC ---> Take the RDP of the MAB PC and run ipconfig /all - Make sure to copy the MAC of the MAB NIC

MAC address XX:XX:XX:XX:XX

Tick Static Assignment
Policy Assignment ---> Windows7-Workstation ---> Static Group Assignment ---> Workstation

iii) MAB-PHONE ---> show cdp neighbors on the switch and copy the last 4 octets

MAC address XX:XX:XX:XX:XX

Tick Static Assignment
Policy Assignment ---> Cisco-IP-Phone ---> Static Group Assignment ---> Cisco-IP-Phone

-----------------------------------------------------------------------------------------
10. Add the Authorization Profiles - Total = 5 (MAB-AP, MAB-PC, MAB-PHONE, Anyconnect, Dot1x); for Anyconnect use PermitAccess
-----------------------------------------------------------------------------------------

Policy ---> Policy Elements ---> Results ---> Authorization ---> Authorization Profiles

i) MAB-AP
Name: MAB-AP
Common Tasks: Tick the DACL Name ---> PERMIT_ALL_TRAFFIC
Tick the VLAN ---> ID/Name 102

ii) MAB-PC
Name: MAB-PC
Common Tasks: Tick the DACL Name ---> PERMIT_ALL_TRAFFIC
Tick the VLAN ---> ID/Name 8

iii) MAB-PHONE
Name: MAB-PHONE
Common Tasks: Tick the DACL Name ---> PERMIT_ALL_TRAFFIC
Tick the Voice Domain Permission

iv) DOT1X
Name: Dot1x
Common Tasks: Tick the DACL Name ---> PERMIT_ALL_TRAFFIC
Tick the VLAN ---> ID/Name 8

v) SSH
Name: R1-SSH
Common Tasks: Advance Attributes Settings
Cisco:cisco-av-pair (1) = shell:priv-lvl=15 (manually type)
Radius:Service-Type (6) = Login
Radius Idle Timeout: 172800

-----------------------------------------------------------------------------------------
11. Add the Authentication Policies - Total will be 3: (1) MAB (2) Dot1x (3) Anyconnect & SSH
-----------------------------------------------------------------------------------------
12. Add the Authorization Policies - Total will be 6: (1) MAB-AP (2) MAB-PC (3) MAB-PHONE (4) Dot1x (5) Anyconnect (6) SSH

Name        Conditions                                                               Permissions
Anyconnect  if: Anyconnect AND Radius:NAS-IP-Address EQUALS 150.1.7.53               PermitAccess
R1-SSH      if: Lab_Admin AND Radius:NAS-IP-Address EQUALS 150.1.7.231               R1-SSH
Dot1x       if: Dot1x AND Wired_802.1X AND Radius:NAS-IP-Address EQUALS 150.1.7.45   Dot1x AND PC2
MAB_Phone   if: MAB_Phone AND Wired_MAB AND Radius:NAS-IP-Address EQUALS 150.1.7.45  MAB_Phone
MAB-PC      if: MAB_PC AND Wired_MAB AND Radius:NAS-IP-Address EQUALS 150.1.7.45     MAB-PC AND PC1
MAB-AP      if: MAB_AP AND Wired_MAB AND Radius:NAS-IP-Address EQUALS 150.1.7.45     MAB-AP

Complete WLC Configuration:

#Show interface summary

Complete WSA Configuration:

Transparent Redirection ---> WCCP v2 Router

Add Service --->
1. Service Profile Name: WCCPv2
2. Dynamic Service ID: 50
3. Port Numbers: 8080
4. Router IP Address: 150.1.7.232
5. Router Security: "cisco" (same password as on router R2)
6. Load-Balancing Method: Allow Hash or Mask
7. Forwarding Method: Allow GRE only
8. Return Method: Allow GRE only
Web Proxy ---> enable ---> 80,3128,8080

1. Add Custom URL Categories ---> CCIE Lab Rule ---> server1.cisco.com/server2.cisco.com

2. Add Identification Profile ---> Monitor Profile: 172.16.1.0/24, Firefox, any
                                ---> Block Profile: 172.16.1.0/24, IE, any
3. Add Access Policies ---> Monitor Policy ---> Monitor Profile ---> Monitor all
                        ---> Block Policy ---> Block Profile ---> Block

Complete FIREAMP Configuration:

Https://151.1.7.217 ([email protected])/Cisco123

Management ---> Group ---> Create Group

Name: ccielab
Description: for Lab windows
FireAMP Windows Policy: Protect Policy
FireAMP Mac Policy: Protect Policy for FireAMP Mac (Save)

Management ---> Download Connector

Click ccielab ---> download & save ---> Yes
Install on the candidate PC
Click on the icon ---> FireAMP Connector
Management ---> Computers ---> check the candidate PC

Complete FMC Configuration:

FMC # ifconfig
NGIPS# show network
# Configure manager add 151.17.211 cisco
# show managers

Access control rules (Zone, Networks, Ports, Logging):

Rule 1: Source zones External, Internal; Destination zones Internal, External; Source networks R1(10.1.12.1/32), R2(10.1.12.2/32); Destination networks R2(10.1.12.2/32), R1(10.1.12.1/32), EM(224.0.0.10/32); Source port any; Destination port EIGRP(88); Logging yes
Rule 2: Source zone External; Destination zone Internal; Source network Anyconnect (172.16.10/24); Destination networks S1(192.168.101.3), S2(192.168.102.3); Destination port TCP(6):8080; Logging yes
Rule 3: Source zone External; Destination zone Internal; Source network SSL-Clientless (10.1.22.0/24); Destination networks S1(192.168.101.3), S2(192.168.102.3); Source port any; Destination port TCP(6):8080; Logging yes
