CCIE Security lab – recap, redesign, restart

It’s been a long time since I wrote about the CCIE Security lab I started, and a lot has happened since. I have completed the CCIE Security written exam and have (nearly) finished my fourth book, CCNA and Beyond, which will soon be on Amazon. Looks good, doesn’t it?

Now it’s time to start labbing again.

When I left it last, I had completed the MPLS core which will join the three “sites” together. These sites have now been named NY, LA and LON(don) (and yes, I know that NY and LA should probably be around the other way).

So the MPLS core is complete. I also set up the AD domain and started some VLAN work. After that, loads of other stuff happened.

As a recap, this is what has been decided upon so far:

The MPLS bit is done, and LON1 can see the subnets for NY and LA:

LON1#sh ip route | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/3] via 134.20.1.9, 00:22:58, GigabitEthernet0/0
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/3] via 134.20.1.9, 00:22:58, GigabitEthernet0/0
      8.0.0.0/32 is subnetted, 1 subnets
O        8.8.8.8 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
      10.0.0.0/32 is subnetted, 1 subnets
C        10.10.10.10 is directly connected, Loopback0
      134.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        134.20.1.0/30 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
O        134.20.1.4/30 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
C        134.20.1.8/30 is directly connected, GigabitEthernet0/0
L        134.20.1.10/32 is directly connected, GigabitEthernet0/0
LON1#

This is not a true MPLS setup at the moment; we need to get the other networks involved. So let’s do that now, starting with the London network:

Switch(config)#ho LON-SW
LON-SW(config)#vlan 10
LON-SW(config-vlan)#name MAIN-VLAN
LON-SW(config-vlan)#exi
LON-SW(config)#int gi0/0
LON-SW(config-if)#swi mo acc
LON-SW(config-if)#swi acc vl 10
LON-SW(config-if)#int vlan 10
LON-SW(config-if)#ip add 10.1.1.2 255.255.255.0
LON-SW(config-if)#no shut
LON-SW(config-if)#
LON-SW(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1:
.!!!!
Success rate is 80 percent (4/5)
LON-SW(config-if)#

Now let’s move down to our London firewalls. I will be using the subnet 21.38.5.0/24 for the connections between the two firewalls and the LON-SW switch.

LON-SW(config)#line con 0
LON-SW(config-line)#exec-t 0 0
LON-SW(config-line)#exi
LON-SW(config)#vlan 20
LON-SW(config-vlan)#name Inside-VLAN
LON-SW(config-vlan)#exit
LON-SW(config)#int vlan 20
LON-SW(config-if)#ip add 21.38.5.1 255.255.255.0
LON-SW(config-if)#no shut
LON-SW(config)#int ra gi 0/1 - 2  
LON-SW(config-if-range)#swi mode acc
LON-SW(config-if-range)#swi acc vl 20
LON-SW(config-if-range)#no shu
LON-SW(config-if-range)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------
1    default                          active    Gi0/3
10   MAIN-VLAN                        active    Gi0/0
20   Inside-VLAN                      active    Gi0/1, Gi0/2
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
LON-SW(config-if-range)#do sh ip int bri
Interface              IP-Address      OK? Method Status     Protocol
GigabitEthernet0/0     unassigned      YES unset  up         up      
GigabitEthernet0/1     unassigned      YES unset  up         up      
GigabitEthernet0/2     unassigned      YES unset  up         up      
GigabitEthernet0/3     unassigned      YES unset  up         up      
Vlan10                 10.1.1.2        YES manual up         up      
Vlan20                 21.38.5.1       YES manual down       down    
LON-SW(config-if-range)#
*Jan 12 12:26:44.246: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
*Jan 12 12:26:45.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
LON-SW(config-if-range)#

Because it’s hard to cut and paste from a VNC session, I have set up SSH access from the LON-SW switch and SSH’d onto LON-FW1. Here is the basic IP addressing:

ASAv1# sh run interface GigabitEthernet 0/0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 21.38.5.254 255.255.255.0 
ASAv1# conf t
ASAv1(config)# hostname LON-FW1
LON-FW1(config)# exi
LON-FW1# sh run | i ssh
aaa authentication ssh console LOCAL 
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 Inside
ssh 21.38.5.1 255.255.255.255 Outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
LON-FW1#

LON-FW2 has been set up with an Outside address as well, and is reachable from LON-FW1.

We already have some basic internal IP addressing from before, so we now have the 192.168.10.0/24 network going down from the firewalls to the switches. At the moment this is just the Gi0/1 interface, but we’ll change it into a redundant group later on. First, let’s set the firewalls up as a failover pair.

Setting up Active/Standby ASA failover pair

The only difference between the two devices is that one uses the command “failover lan unit primary” and the other uses “failover lan unit secondary”. The config for LON-FW1 is here:

LON-FW1(config)# failover
LON-FW1(config)# failover lan unit primary
LON-FW1(config)# failover lan interface FOVER GigabitEthernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
LON-FW1(config)# failover replication http
LON-FW1(config)# failover interface ip FOVER 10.1.208.1 255.255.255.252 standb$
LON-FW1(config)# 
        No Active mate detected
LON-FW1(config)# 
LON-FW1(config)# failover key fover
LON-FW1(config)# end
LON-FW1# sh failover
Failover On 
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet0/3 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.4(1), Mate Unknown
Last Failover at: 12:43:42 UTC Jan 12 2016
        This host: Primary - Active 
                Active time: 130 (sec)
                slot 0: empty
                  Interface Inside (192.168.10.254): Unknown (Waiting)
                  Interface Outside (21.38.5.254): Unknown (Waiting)
        Other host: Secondary - Failed 
                Active time: 0 (sec)
                  Interface Inside (0.0.0.0): Unknown (Waiting)
                  Interface Outside (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
              
LON-FW1# conf t
LON-FW1(config)# int gi0/3
LON-FW1(config-if)# no shut
LON-FW1(config-if)# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

LON-FW1(config-if)#

Setting up interfaces for failover is pretty easy:

LON-FW1# sh run int gi0/0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 21.38.5.254 255.255.255.0 standby 21.38.5.253 
LON-FW1# 
LON-FW1# conf t    
LON-FW1(config)# int gi0/1
LON-FW1(config-if)# ip add 192.168.10.254 255.255.255.0 standby 192.168.10.253
LON-FW1(config-if)# end
LON-FW1# sh fail
Failover On 
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.4(1), Mate 9.4(1)
Last Failover at: 12:43:42 UTC Jan 12 2016
        This host: Primary - Active 
                Active time: 540 (sec)
                slot 0: empty
                  Interface Inside (192.168.10.254): Normal (Waiting)
                  Interface Outside (21.38.5.254): Normal (Monitored)
        Other host: Secondary - Standby Ready 
                Active time: 28 (sec)
                  Interface Inside (192.168.10.253): Normal (Waiting)
                  Interface Outside (21.38.5.253): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
              
LON-FW1#
LON-FW1# copy run start

Source filename [running-config]? 
Cryptochecksum: 8f650365 eb39d041 7e4fbeee d985eb91 

8751 bytes copied in 0.120 secs
LON-FW1#
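To confirm the pair has actually reached the healthy state in the second `sh failover` output rather than the first, here is an added example (my own code, not from the post or Cisco) that parses the relevant lines of `show failover` and lists everything that is not Active + Standby Ready with Normal interfaces over an up failover link. The two sample outputs are constructed by trimming the captures above to the lines the checker reads.

```python
import re

# Constructed input: the two "show failover" outputs from this post, trimmed to the lines read here.
BEFORE = """Failover LAN Interface: FOVER GigabitEthernet0/3 (Failed - No Switchover)
        This host: Primary - Active
                  Interface Inside (192.168.10.254): Unknown (Waiting)
                  Interface Outside (21.38.5.254): Unknown (Waiting)
        Other host: Secondary - Failed
                  Interface Inside (0.0.0.0): Unknown (Waiting)
                  Interface Outside (0.0.0.0): Unknown (Waiting)
"""
AFTER = """Failover LAN Interface: FOVER GigabitEthernet0/3 (up)
        This host: Primary - Active
                  Interface Inside (192.168.10.254): Normal (Waiting)
                  Interface Outside (21.38.5.254): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface Inside (192.168.10.253): Normal (Waiting)
                  Interface Outside (21.38.5.253): Normal (Monitored)
"""
LAN_RE = re.compile(r"^Failover LAN Interface: \S+ \S+ \((.+)\)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host: \w+ - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)\s*$")

def parse_failover(text):
    """Return {'lan': link state, 'hosts': {'this'|'other': {'state', 'interfaces'}}}."""
    out, cur = {"lan": None, "hosts": {}}, None
    for line in text.splitlines():
        if m := LAN_RE.match(line):
            out["lan"] = m.group(1)
        elif m := HOST_RE.match(line):
            cur = m.group(1).lower()
            out["hosts"][cur] = {"state": m.group(2), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and cur:
            out["hosts"][cur]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)}
    return out

def failover_problems(text):
    """List why the pair is not healthy (0.0.0.0 = mate has no address there); [] = Active + Standby Ready."""
    fo, problems = parse_failover(text), []
    if fo["lan"] != "up":
        problems.append(f"failover link is '{fo['lan']}', not up")
    states = {h["state"] for h in fo["hosts"].values()}
    if states != {"Active", "Standby Ready"}:
        problems.append(f"unit states are {sorted(states)}")
    for who, host in fo["hosts"].items():
        for name, i in host["interfaces"].items():
            if i["status"] != "Normal" or i["ip"] == "0.0.0.0":
                problems.append(f"{who} host {name}: {i['status']} at {i['ip']}")
    return problems
```

The monitor field is parsed but not flagged, because the post’s final state still shows Inside as Normal (Waiting); only a non-Normal status or a missing standby address counts as a problem.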

The switches also have some basic configuration:

SW1#sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3, Gi2/0
                                                Gi2/1, Gi2/2, Gi2/3, Gi3/3
8    Internal-HTTP                    active    
10   AD VLAN                          active    Gi0/0
17   Voice_VLAN                       active    
42   VLAN0042                         active    
100  WSA MGMT                         active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW1#

Let’s get SW1 and SW2 working with HSRP for VLAN 10:

SW1(config)#int vlan 10
SW1(config-if)#no shut
SW1(config-if)#
SW1(config-if)#ip add 192.168.10.2 255.255.255.0
SW1(config-if)#standby 10 ip 192.168.10.1
SW1(config-if)#standby 10 pri 110
SW1(config-if)#standby 10 pre del min 60
SW1(config-if)#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
SW1(config-if)#

SW2(config)#int vlan 10
SW2(config-if)#ip add 192.168.10.3 255.255.255.0
SW2(config-if)#
SW2(config-if)#standby 10 ip 192.168.10.1
SW2(config-if)#standby 10 pri 90
SW2(config-if)#no shu
SW2(config-if)#int gi 0/0
SW2(config-if)#swi mo acc
SW2(config-if)#swi acc vl 10
SW2(config-if)#no sh
SW2(config-if)#
%LINK-3-UPDOWN: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby

SW1(config-if)#do sh standby
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:03:29
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.688 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 192.168.10.3, priority 90 (expires in 10.032 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Vl10-10" (default)
SW1(config-if)#

SW2(config-if)#do sh standby
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:02:22
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.496 secs
  Preemption disabled
  Active router is 192.168.10.2, priority 110 (expires in 9.520 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Vl10-10" (default)
SW2(config-if)#
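As an added example (my own code, not from the post), here is a cross-check of the two `show standby` outputs above: it confirms both switches agree on group and virtual IP, that exactly one is Active, that the Active switch holds the highest priority, and that at least one switch preempts, which is what lets SW1 take the role back after it recovers. The sample outputs are trimmed copies of the two captures above.

```python
import re

# Constructed input: the "show standby" outputs from SW1 and SW2 in this post, trimmed.
SW1 = """Vlan10 - Group 10
  State is Active
  Virtual IP address is 192.168.10.1
  Preemption enabled, delay min 60 secs
  Priority 110 (configured 110)
"""
SW2 = """Vlan10 - Group 10
  State is Standby
  Virtual IP address is 192.168.10.1
  Preemption disabled
  Priority 90 (configured 90)
"""
FIELDS = {  # one regex per field we read; group(1) is the value
    "group": re.compile(r"^(\S+ - Group \d+)"),
    "state": re.compile(r"^\s+State is (\w+)"),
    "vip": re.compile(r"^\s+Virtual IP address is ([\d.]+)"),
    "preempt": re.compile(r"^\s+Preemption (enabled|disabled)"),
    "priority": re.compile(r"^\s+Priority (\d+)"),
}

def parse_standby(text):
    """Pick the fields above out of one router's 'show standby' output."""
    info = {}
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            if m := rx.match(line):
                info[key] = m.group(1)
    info["priority"] = int(info["priority"])
    return info

def hsrp_problems(*outputs):
    """Cross-check one HSRP group as seen from each router; empty list = consistent."""
    routers = [parse_standby(o) for o in outputs]
    problems = []
    if len({r["group"] for r in routers}) != 1 or len({r["vip"] for r in routers}) != 1:
        problems.append("group or virtual IP differs between routers")
    active = [r for r in routers if r["state"] == "Active"]
    if len(active) != 1:
        problems.append(f"{len(active)} Active routers (expected exactly 1)")
    elif active[0]["priority"] < max(r["priority"] for r in routers):
        problems.append("Active router does not hold the highest priority")
    if not any(r["preempt"] == "enabled" for r in routers):
        problems.append("no router preempts, so the highest priority never reclaims Active")
    return problems
```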

HSRP seems pretty stable on vIOS (vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20150414)), so let’s go and set up the ASAs in a redundant group.

ASA redundant interfaces

For this we start by removing the nameif and IP address from the Gi0/1 interface, then create the redundant group:

In the end, the config looks like this:

LON-FW1# sh run int gi0/1
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
LON-FW1# sh run int gi0/2
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
LON-FW1# sh run int redundant 1
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253 
LON-FW1# ping Inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LON-FW1#

Looks like HSRP is stable (much better than with the IOL images)!

One final thing before I leave it for today: some static routing on the LON-FW1 firewall:

LON-FW1(config)# route Outside 0.0.0.0 0.0.0.0 21.38.5.1   
LON-FW1(config)# route Inside 192.168.0.0 255.255.0.0 192.168.10.1
LON-FW1(config)#

The network is starting to take shape again. I need to figure out some internal addressing, so I’ll do that and pick this up again later in the week.