CCIE Security lab: WSA Setup

The new server is built, UNL is imported, an issue with the swap location is sorted (the VM is on an SSD, which didn’t leave enough room to create the swap file), and everything is started. Let’s start configuring the lab. Today will be the WSA setup. Please note that this is a work in progress, so there will be a number of edits as we go through!

Today I plan to cover part 1 and some of part 2 from my CCIE Security study plan.

First off, let’s spend a couple of minutes thinking about the IP addressing scheme.

We need to manage the WSA. We have to configure the switches (3 and 6), the Windows PC, and the WSA.

CCIE Security v4 topology

By default, the WSA will use the IP address 192.168.42.42, with a /24 subnet. It makes sense, then, that we have a management VLAN of 192.168.42.0/24. We have our first requirement. We also need some trunks, and I’ll use MST across the board. The VLAN VIP will live on Switch 3, at least for the moment, and will use an IP address of 192.168.42.1. The Windows host will use 192.168.42.7.

Now we have a start to the network.

I do have to make quite a major edit to the topology, though. At the moment it has Arista switches. The port count makes it easier to match the INE topology, and the syntax is 90% the same (hence the court case). However, I get this error:

localhost login:

localhost login: admin

Warning: the following filesystems have less than 10% free space left:
tmpfs                (on /var/log)      0% (948 1K-blocks Available)
Please remove configuration such as tracing and clean up the space.

Unable to connect: Connection refused

localhost login:

So let’s replace them with some IOS switches instead.

Back in a minute…

OK, back now. I have swapped the Arista switches (SW3 and SW6) for vIOS (L2).

CCIE Security v4 topology

Already I hit a road-block – not enough ports to cover my configuration:

Switch>en
Switch#conf t
Switch(config)#ho SW3
SW3(config)#vlan 42
SW3(config-vlan)#exi
SW3(config)#int vlan 42
SW3(config-if)#ip add 192.168.42.1 255.255.255.0
SW3(config-if)#no shut
SW3(config-if)#exi
SW3(config)#int gi3/0
SW3(config-if)#swi tru enc dot
SW3(config-if)#swi mo tru
SW3(config-if)#no sh
SW3(config-if)#int gi 5/0

% Invalid input detected at '^' marker.

SW3(config-if)#

So, I need to make another edit.

CCIE Security v4 topology

OK, now we can proceed:

SW3(config)#int gi 0/3
SW3(config-if)#swi mo acc
SW3(config-if)#swi acc vl 42
SW3(config-if)#no shu
SW3(config-if)#desc Link to TestPC-B
SW3(config-if)#

Let’s set up SW6:

Switch#conf t
Switch(config)#ho SW6
SW6(config)#vlan 42
SW6(config-vlan)#exi
SW6(config)#int gi 3/0
SW6(config-if)#swi trun enc do
SW6(config-if)#swi mo tru
SW6(config-if)#no sh
SW6(config-if)#exit
SW6(config)#int gi 1/1
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#int gi 1/0 
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#exi
SW6(config)#exi
SW6#

Let’s start adding some spanning-tree:

SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration 
SW3(config-mst)#rev 1  
SW3(config-mst)#instance 1 vlan 42
SW3(config-mst)#name 802101-Sec
SW3(config-mst)#exi
SW3(config)#spanning-tree mst 1 root pri
SW3(config)#

SW6(config)#spanning-tree mo mst
SW6(config)#span mst con
SW6(config-mst)#rev 1
SW6(config-mst)#name 802101-Sec
SW6(config-mst)#instance 1 vl 42
SW6(config-mst)#exi
SW6(config)#spanning-tree mst 1 root sec
SW6(config)#
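The two MST blocks above only place SW3 and SW6 in one region if the region name, revision and the instance-to-VLAN mapping agree exactly; a single mismatch silently splits the region and you end up with two MST regions talking CST to each other. As an added example (not part of the original post), this Python script parses the sessions exactly as typed, including the IOS abbreviated keywords, and checks that both switches land in the same region; the session text is copied from the transcripts above, and the VLAN-range expansion goes a little beyond the page’s single-VLAN case.

```python
import re

# Constructed sample input: the two MST configuration sessions as typed on
# SW3 and SW6 in this write-up, prompts included.
SW3_SESSION = """\
SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#rev 1
SW3(config-mst)#instance 1 vlan 42
SW3(config-mst)#name 802101-Sec
SW3(config-mst)#exi
SW3(config)#spanning-tree mst 1 root pri
"""

SW6_SESSION = """\
SW6(config)#spanning-tree mo mst
SW6(config)#span mst con
SW6(config-mst)#rev 1
SW6(config-mst)#name 802101-Sec
SW6(config-mst)#instance 1 vl 42
SW6(config-mst)#exi
SW6(config)#spanning-tree mst 1 root sec
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_region(session):
    """Return (name, revision, {instance: vlans}) from the commands typed in
    (config-mst) mode. IOS accepts unambiguous prefixes, so 'rev', 'vl' etc.
    are matched as prefixes of the full keyword."""
    name, rev, instances = None, None, {}
    for line in session.splitlines():
        m = re.match(r".*\(config-mst\)#\s*(.*)$", line)
        words = m.group(1).split() if m else []
        if not words:
            continue
        kw = words[0].lower()
        if "revision".startswith(kw) and len(words) == 2:
            rev = int(words[1])
        elif "name".startswith(kw) and len(words) == 2:
            name = words[1]
        elif "instance".startswith(kw) and len(words) == 4 and "vlan".startswith(words[2].lower()):
            instances.setdefault(int(words[1]), set()).update(expand_vlans(words[3]))
    return name, rev, instances


def same_region(session_a, session_b):
    """Switches share an MST region only if name, revision and the whole
    VLAN-to-instance table match; one stray VLAN is enough to split them."""
    return parse_mst_region(session_a) == parse_mst_region(session_b)
```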

Now we should be able to get to the WSA from our test PC.

WSA Setup

From the console we need to browse to http://192.168.42.42:8080:

AsyncOS starting services ...
..............................................................................................................................................................

AsyncOS ironport.example.com (cuau0)

login: admin
Password:
Last login: Tue Aug  4 12:02:30 on cuau0
AsyncOS 8.6.0 for Web build 025

Welcome to the Cisco S000V Web Security Virtual Appliance
Please wait while appliance services start up..................
Please run System Setup Wizard at http://192.168.42.42:8080
ironport.example.com>

Woo hoo! Looks good so far:

WSA Setup

I log in with the username admin and the password ironport, and get this:

Cisco vWSA running on UNetLab

OK, so I need to get a license. This part is not going too well:

Licensing Cisco vWSA for UNetLab

Balls.

Let’s look on the bright side: I have actually covered the first part of my 17-step CCIE Security study plan, the WSA setup.

I just need to get a working license.

Stay tuned!
