CCIE Security practice lab – Day 1

I have been mulling over how to best go about this new CCIE Security practice lab. I have covered pretty much everything I think I need to cover in a whole bunch of other posts, so doing posts about this is probably needlessly repetitive.

So… what to do? Well, I like blogging, it helps me remember things, it helps me try and formulate ideas in a coherent manner, so it’s beneficial to me as the timer keeps ticking down. At the same time, though, I don’t want you lovely people to sit there thinking “he wrote that last week..”, so the posts leading up to my lab will pretty much just be me working through the labs I am going to create and seeing how my speed increases and how my need to google the answers decreases. The posts will be pretty much lacking in explanation.

The labs will be posted on the forum, and the first one is there already. I think what I will do (IF I pass the lab!) is create some workbook PDFs, which will include the explanations (in depth) and make them available for purchase through the website (probably for about £4.99 or something small like that). I don’t want to write a full book for the CCIE Security (I already have people wanting a book on Multicast and QoS, so want to do that after the lab), but they will include the thought process, the gotchas that I faced, and the desired results.

Let me know if you like this idea in the comments section below. If you guys think it’s a good idea then I’ll do it, if not then I’ll save myself the time!

Day 1: 76 days to go

Anyway, I started off the new lab today. Not a bad day, especially as Virgin Media decided to dig up the cable in my street and I was without Internet access from 8:45am till 6pm. At least it meant that I could not Google the answers. It was not a proper lab scenario, as I still had work to do (not easy without Internet access), so it is not representative of the 8-hour lab exam. At the moment it’s all about building the speed up, so I expect to get quicker with subsequent labs.

Today I covered DMVPN, Transparent ASA, Failover ASA, and set up the network ready to implement GETVPN.

Most of the core of this bit is now set up:

[Image: CCIE Security Practice lab]

I got caught out a couple of times, but am, generally, pretty pleased with the progress. It’s certainly nice to put a line through some of the objectives.

So here is the work today.

LON-2 is the best place to start. It connects the 10.2.0.0/16 network and the 10.1.0.0/16 network, so really we only need to add two routes (after putting the switch port into VLAN 21):

Switch(config)#int gi0/0
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 21
Switch(config-if)#

LON-2(config)#ip route 10.2.0.0 255.255.0.0 10.1.21.200
LON-2(config)#ip route 10.1.0.0 255.255.0.0 10.1.22.254

Similarly, LON-1 is an easy configuration:

LON-1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
LON-1(config)#
LON-1(config)#do ping 10.1.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
LON-1(config)#

Because LON-1 does not need to know about the devices behind the GETVPN-Client, we don’t need to add any routes for them.

Let’s set up DM-Hub1 and DM-Hub2:

DM-Hub1(config)#ip route 10.1.22.0 255.255.255.0 10.1.24.254
DM-Hub1(config)#ip route 10.1.1.0 255.255.255.0 10.1.24.254 
DM-Hub1(config)#

DM-Hub2(config)#ip route 10.1.22.0 255.255.255.0 10.1.5.254
DM-Hub2(config)#ip route 10.1.1.0 255.255.255.0 10.1.5.254 
DM-Hub2(config)#

DM-Hub1(config)#do ping 10.1.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
DM-Hub1(config)#do ping 10.1.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms
DM-Hub1(config)#

DM-Hub2(config)#do ping 10.1.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/10 ms
DM-Hub2(config)#do ping 10.1.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/10 ms
DM-Hub2(config)#

Let’s set up DMVPN!

I am trying to do as much of this from memory as possible, so let’s see how far I can get it without looking anything up. This is the configuration I came up with:

LON-2(config-if)#do sh run int tun 0
Building configuration...

Current configuration : 355 bytes
!
interface Tunnel0
 ip address 192.168.1.22 255.255.255.0
 no ip redirects
 ip nhrp authentication CCIE
 ip nhrp map 192.168.1.1 10.1.24.1
 ip nhrp map 192.168.1.2 10.1.5.1
 ip nhrp map multicast 10.1.24.1
 ip nhrp map multicast 10.1.5.1
 ip nhrp network-id 101
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
end

LON-2(config-if)#

Now for LON-1:

LON-1(config)#interface Tunnel0
LON-1(config-if)# ip address 192.168.1.11 255.255.255.0
LON-1(config-if)# no ip redirects
LON-1(config-if)# ip nhrp authentication CCIE
LON-1(config-if)# ip nhrp map 192.168.1.1 10.1.24.1
LON-1(config-if)# ip nhrp map 192.168.1.2 10.1.5.1
LON-1(config-if)# ip nhrp map multicast 10.1.24.1
LON-1(config-if)# ip nhrp map multicast 10.1.5.1
LON-1(config-if)# ip nhrp network-id 101
LON-1(config-if)# ip nhrp nhs 192.168.1.1
LON-1(config-if)# ip nhrp nhs 192.168.1.2
LON-1(config-if)# tunnel source GigabitEthernet0/0
LON-1(config-if)# tunnel mode gre multipoint
LON-1(config-if)#

Our first hub:

DM-Hub1(config)#int tun 0
DM-Hub1(config-if)#ip nhrp map multicast dynamic 
DM-Hub1(config-if)#ip nhrp network-id 101
DM-Hub1(config-if)#ip add 192.168.1.1 255.255.255.0
DM-Hub1(config-if)#ip nhrp authentication CCIE
DM-Hub1(config-if)#tun so gi0/0
DM-Hub1(config-if)#tun mo gre multi
DM-Hub1(config-if)#
DM-Hub1(config-if)#ip nhrp ?
  attribute       NHRP attribute set
  authentication  Authentication string
  cache           NHRP Cache related commands.
  connect         NHRP resolution request connect
  holdtime        Advertised holdtime
  interest        Specify an access list
  map             Map dest IP addresses to NBMA addresses
  max-send        Rate limit NHRP traffic
  network-id      NBMA network identifier
  nhs             Specify a next hop server
  path            NHRP path specific configuration
  record          Allow NHRP record option
  redirect        Enable NHRP redirect traffic indication
  registration    Settings for registration packets.
  reject          NHRP resolution reject request
  responder       Responder interface
  server-only     Disable NHRP requests
  shortcut        Enable shortcut switching
  trigger-svc     Create NHRP cut-through based on traffic load
  use             Specify usage count for sending requests

DM-Hub1(config-if)#ip nhrp shortcut
DM-Hub1(config-if)#ip nhrp redirect
DM-Hub1(config-if)#
DM-Hub1(config-if)#do sh ip nhrp
192.168.1.11/32 via 192.168.1.11
   Tunnel0 created 00:00:16, expire 01:59:43
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 10.1.1.1 
192.168.1.22/32 via 192.168.1.22
   Tunnel0 created 00:00:20, expire 01:59:39
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 10.1.22.1 
DM-Hub1(config-if)#

Both spokes have registered with DM-Hub1. Let’s add the second hub:

DM-Hub2(config)#int tun 0
DM-Hub2(config-if)# ip address 192.168.1.2 255.255.255.0
DM-Hub2(config-if)# no ip redirects
DM-Hub2(config-if)# ip nhrp authentication CCIE
DM-Hub2(config-if)# ip nhrp map multicast dynamic
DM-Hub2(config-if)# ip nhrp network-id 101
DM-Hub2(config-if)# ip nhrp shortcut
DM-Hub2(config-if)# ip nhrp redirect
DM-Hub2(config-if)# tunnel source GigabitEthernet0/0
DM-Hub2(config-if)# tunnel mode gre multipoint
DM-Hub2(config-if)#
DM-Hub2(config-if)#do sh ip nhrp
192.168.1.11/32 via 192.168.1.11
   Tunnel0 created 00:00:19, expire 01:59:40
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 10.1.1.1 
192.168.1.22/32 via 192.168.1.22
   Tunnel0 created 00:00:00, expire 01:59:59
   Type: dynamic, Flags: unique registered used nhop 
   NBMA address: 10.1.22.1 
DM-Hub2(config-if)#

Not bad. I used the context-sensitive help, but remembered most of the important commands.

LON-2(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.24.1           192.168.1.1    UP 00:03:23     S
     1 10.1.5.1            192.168.1.2  NHRP 00:05:34     S

LON-2(config-if)#

LON-1(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.24.1           192.168.1.1    UP 00:03:35     S
     1 10.1.5.1            192.168.1.2    UP 00:01:38     S

LON-1(config-if)#
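The two "show dmvpn" tables above are not identical: on LON-2 the entry for the second hub (10.1.5.1 / 192.168.1.2) is in state NHRP rather than UP, which means the spoke is still registering with that NHS. When you have more than a couple of spokes it is worth checking this mechanically. The following Python is an added example, not part of the original post or any Cisco tool: it parses the spoke-side peer table (the two outputs above are embedded as constructed samples) and compares it with the hub mappings a spoke is expected to carry, flagging hubs that are missing, mapped to the wrong NBMA address, not static, or not UP. The EXPECTED_NHS dictionary is taken from the "ip nhrp map" lines in the spoke configs above.

```python
import re
from dataclasses import dataclass

# Constructed samples: the spoke-side "show dmvpn" tables from LON-2 and LON-1
# above, trimmed to the interface block and the peer table.
SHOW_DMVPN_LON2 = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.24.1           192.168.1.1    UP 00:03:23     S
     1 10.1.5.1            192.168.1.2  NHRP 00:05:34     S
"""

SHOW_DMVPN_LON1 = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.24.1           192.168.1.1    UP 00:03:35     S
     1 10.1.5.1            192.168.1.2    UP 00:01:38     S
"""

# Hub mappings every spoke should carry (tunnel address -> NBMA address),
# taken from the "ip nhrp map" lines in the spoke configurations.
EXPECTED_NHS = {"192.168.1.1": "10.1.24.1", "192.168.1.2": "10.1.5.1"}

# One peer row: "<ent> <nbma> <tunnel> <state> <updn> <attrb>". Legend,
# header and separator lines do not start with a number and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>[\d.]+)\s+(?P<tunnel>[\d.]+)"
    r"\s+(?P<state>[A-Z]+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
)


@dataclass(frozen=True)
class Peer:
    nbma: str
    tunnel: str
    state: str
    attrb: str


def parse_show_dmvpn(text: str) -> list:
    """Extract the peer rows from 'show dmvpn' output."""
    peers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            peers.append(Peer(m["nbma"], m["tunnel"], m["state"], m["attrb"]))
    return peers


def nhs_problems(text: str, expected: dict) -> list:
    """Compare a spoke's 'show dmvpn' output with the hubs it should be
    registered to. Returns human-readable findings; an empty list means every
    expected hub is present, has the right NBMA address, is static (S) and UP."""
    seen = {p.tunnel: p for p in parse_show_dmvpn(text)}
    findings = []
    for tunnel, nbma in expected.items():
        peer = seen.get(tunnel)
        if peer is None:
            findings.append(f"{tunnel}: no NHRP entry for this hub")
            continue
        if peer.nbma != nbma:
            findings.append(f"{tunnel}: NBMA {peer.nbma}, expected {nbma}")
        if "S" not in peer.attrb:
            findings.append(f"{tunnel}: entry is not static (attrb {peer.attrb})")
        if peer.state != "UP":
            findings.append(f"{tunnel}: state {peer.state}, not UP")
    return findings


if __name__ == "__main__":
    for name, output in (("LON-2", SHOW_DMVPN_LON2), ("LON-1", SHOW_DMVPN_LON1)):
        problems = nhs_problems(output, EXPECTED_NHS)
        print(name, "OK" if not problems else problems)
```

Run against the LON-2 sample it reports "192.168.1.2: state NHRP, not UP"; against LON-1 it reports nothing. The NBMA check is the useful one in the exam: a spoke that registers to the wrong hub address because of a typo in "ip nhrp map" looks fine in the config and only shows up in this table.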

Let’s set up the transparent ASA:

ASAv6(config)# firewall transparent
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.
ciscoasa(config)# firewall transparent
WARNING: Context already in transparent mode
ciscoasa(config)# 
ciscoasa(config)# hostname ASAv6
ASAv6(config)# 
ASAv6(config)# sh firewall
Firewall mode: Transparent
ASAv6(config)#
ASAv6(config)# int bvI 1
ASAv6(config-if)# ip a
ASAv6(config-if)# ip add
ASAv6(config-if)# ip address 10.1.2.200 255.255.255.0
ASAv6(config-if)# int gi0/0
ASAv6(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASAv6(config-if)# bridge-group 1
ASAv6(config-if)# no shut
ASAv6(config-if)# int gi0/1
ASAv6(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASAv6(config-if)# bridge-group 1
ASAv6(config-if)# no shut

LON-1#ping 10.1.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.200, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/3 ms
LON-1#

GETVPN-Client#ping 10.1.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.200, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
GETVPN-Client#

Pinging the BVI address works (the first echo in each run is typically lost while ARP resolves, which is normal), but traffic that passes through the transparent ASA is still checked against the interface access-lists, so a ping from LON-1 to GETVPN-Client fails until we permit it:

LON-1#ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
LON-1#

ASAv6(config)# terminal width 255
ASAv6(config)# access-list Outside->Inside extended permit icmp host 10.1.2.1 host 10.1.2.254
ASAv6(config)# int gi 0/0
ASAv6(config)# access-group Outside->Inside in interface outside
ASAv6(config)# 

LON-1#ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
LON-1#

ASAv6(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Outside->Inside; 1 elements; name hash: 0x4388e391
access-list Outside->Inside line 1 extended permit icmp host 10.1.2.1 host 10.1.2.254 (hitcnt=1) 0xcbbf5d57 
ASAv6(config)#

Now let’s give the DM-Hubs access to the 10.1.2.0/24 network. We’ll do this through EIGRP across the DMVPN network:

LON-1(config)#router eigrp 1
LON-1(config-router)#eigrp router-id 10.1.1.1          
LON-1(config-router)#network 10.1.2.0 0.0.0.255
LON-1(config-router)#network 192.168.1.0 0.0.0.255
LON-1(config-router)#

DM-Hub1(config)#router eigrp 1
DM-Hub1(config-router)#eigrp router-id 192.168.1.1
DM-Hub1(config-router)#network 192.168.1.0 0.0.0.255
DM-Hub1(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.11 (Tunnel0) is up: new adjacency
DM-Hub1(config-router)#

DM-Hub2(config)#router eigrp 1
DM-Hub2(config-router)#eigrp router-id 192.168.1.2
DM-Hub2(config-router)#network 192.168.1.0 0.0.0.255
DM-Hub2(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.11 (Tunnel0) is up: new adjacency
DM-Hub2(config-router)#

LON-2(config)#router eigrp 1
LON-2(config-router)#eigrp router-id 10.1.22.1
LON-2(config-router)#network 192.168.1.0 0.0.0.255
LON-2(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
LON-2(config-router)#

We’ll add ISP-2 to EIGRP AS 1:

ISP-2(config)#router eigrp 1
ISP-2(config-router)#eigrp router-id 10.1.9.1
ISP-2(config-router)#network 10.1.25.0 0.0.0.255
ISP-2(config-router)#network 10.1.8.0 0.0.0.255 
ISP-2(config-router)#network 10.1.9.0 0.0.0.255
ISP-2(config-router)#

DM-Hub1(config-router)#network 10.1.25.0 0.0.0.255
DM-Hub1(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.25.254 (GigabitEthernet0/2) is up: new adjacency
DM-Hub1(config-router)#

DM-Hub2(config-router)#network 10.1.8.0 0.0.0.255
DM-Hub2(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.8.254 (GigabitEthernet0/2) is up: new adjacency
DM-Hub2(config-router)#

We can add a static route on GETVPN-Client:

GETVPN-Client(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.1
GETVPN-Client(config)#

Now let’s set up ASA failover, and here I did miss a command, which cost me some time:

ASA9(config)# sh run | i failover
failover
failover lan unit primary
failover lan interface FOVER Ethernet3
failover key *****
failover replication http
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
ASA9(config)# 

ciscoasa(config)# sh run | i failover
failover
failover lan unit secondary
failover lan interface FOVER Ethernet3
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
ciscoasa(config)# 
ciscoasa(config)# .

        Detected an Active mate
sh failover | i This
        This host: Secondary - Cold Standby 
ciscoasa(config)# Beginning configuration replication from mate.
sh failover | i This
        This host: Secondary - Sync Config 
ciscoasa(config)# ERROR: Password recovery was not changed, unable to access 
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

ASA9(config)# 

ASA9(config)# copy run start

Source filename [running-config]? 
Cryptochecksum: 7ccb4109 4818a9f7 e94e5e6e 4f52e6ef 

3500 bytes copied in 0.240 secs
ASA9(config)# sh failover   
Failover On 
Failover unit Primary
Failover LAN Interface: FOVER Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 12:23:20 UTC Jul 15 2016
        This host: Primary - Active 
                Active time: 27 (sec)
                  Interface Outside (10.1.9.254): Unknown (Waiting)
                  Interface Inside (10.1.10.254): Unknown (Waiting)
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                  Interface Outside (10.1.9.252): Unknown (Waiting)
                  Interface Inside (10.1.10.252): Unknown (Waiting)
ASA9(config)#

Here I did have to look up why failover was showing as disabled: I had missed the command “failover lan interface FOVER Ethernet3”. Here is the error, and the fix:

ciscoasa(config)# sh run | i failover
failover
failover lan unit secondary
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
ciscoasa(config)# sh failover | i This
        This host: Secondary - Disabled 
ciscoasa(config)# failover lan interface FOVER Ethernet3
ciscoasa(config)# sh failover | i This                  
        This host: Secondary - Disabled 
ciscoasa(config)# sh failover | i This
        This host: Secondary - Negotiation 
ciscoasa(config)# sh failover | i This
        This host: Secondary - Negotiation 
ciscoasa(config)# sh failover | i This
        This host: Secondary - Negotiation 
ciscoasa(config)# .sh failover | i This
        This host: Secondary - Negotiation 
ciscoasa(config)# .

        Detected an Active mate
sh failover | i This
        This host: Secondary - Cold Standby 
ciscoasa(config)# Beginning configuration replication from mate.
sh failover | i This
        This host: Secondary - Sync Config 
ciscoasa(config)# ERROR: Password recovery was not changed, unable to access 
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

ASA9(config)# Cryptochecksum: 4d2a6fd8 a81dbdb8 959d578a 998d945d 

3501 bytes copied in 0.250 secs
Cryptochecksum: 981790ac 765a5b87 086b2a40 368f7100 

4169 bytes copied in 0.250 secs
Cryptochecksum: ade50ecf 467dea53 2332768c 88035396 

4248 bytes copied in 0.250 secs

ASA9(config)#
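The missing "failover lan interface" line is exactly the kind of omission that is easy to lint for before you sit waiting on "Negotiation". The following Python is an added example, not part of the original post or of any Cisco tooling: it takes the text of "show run | i failover" (the broken and fixed secondary-unit listings above are embedded as constructed samples) and reports which of the commands an active/standby pair needs are absent. It also treats a missing "failover key" as a finding, because without it the failover hellos and the configuration and state replication cross the failover link unencrypted, and it checks that the interface name in "failover interface ip" is one that was actually declared as the LAN interface or as a state link. The set of required commands is this example's own assumption about what a basic LAN-based pair needs, not an exhaustive list.

```python
import re

# Constructed samples: the two "show run | i failover" listings from the
# secondary unit above, before and after the missing command was added.
SECONDARY_BROKEN = """\
failover
failover lan unit secondary
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
"""

SECONDARY_FIXED = """\
failover
failover lan unit secondary
failover lan interface FOVER Ethernet3
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
"""

# Commands assumed necessary for a LAN-based active/standby pair to get past
# "Disabled". "failover link" is optional (the LAN interface carries state if
# no separate link is given), so it is checked only for naming consistency.
REQUIRED = {
    "failover": re.compile(r"^failover$"),
    "failover lan unit": re.compile(r"^failover lan unit (primary|secondary)$"),
    "failover lan interface": re.compile(r"^failover lan interface (\S+) (\S+)$"),
    "failover interface ip": re.compile(
        r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$"),
}
KEY_RE = re.compile(r"^failover key ")
LINK_RE = re.compile(r"^failover link (\S+) (\S+)$")


def lint_failover(config: str) -> list:
    """Return findings for one unit's failover configuration; an empty list
    means the unit has what it needs to negotiate with its mate."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    matched = {}
    for name, pattern in REQUIRED.items():
        for line in lines:
            m = pattern.match(line)
            if m:
                matched[name] = m
                break
        else:
            findings.append(f"missing: {name}")

    # Not required by the ASA, but without a key the failover link is
    # unauthenticated and the replicated configuration travels in clear text.
    if not any(KEY_RE.match(line) for line in lines):
        findings.append("missing: failover key (failover traffic would be unencrypted)")

    # The interface named in "failover interface ip" must be the declared LAN
    # interface or a state link, otherwise the address is never applied.
    lan = matched.get("failover lan interface")
    ipcfg = matched.get("failover interface ip")
    link_names = {m.group(1) for m in (LINK_RE.match(line) for line in lines) if m}
    if lan and ipcfg and ipcfg.group(1) not in {lan.group(1)} | link_names:
        findings.append(
            f"failover interface ip names {ipcfg.group(1)}, "
            f"which is neither the LAN interface nor a state link")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SECONDARY_BROKEN), ("fixed", SECONDARY_FIXED)):
        print(label, lint_failover(cfg) or "OK")
```

On the broken listing it reports only "missing: failover lan interface", which is the command that had to be added above; on the fixed listing it reports nothing.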

Still, not bad so far. The goal today is to get ready to implement everything we need in order to set up GETVPN (which will be in the next post).

Let’s set up NAT:

ASA9(config)# object network 10-1-10
ASA9(config-network-object)# subnet 10.1.10.0 255.255.255.0
ASA9(config-network-object)# exi
ASA9(config)# object network 10-1-26
ASA9(config-network-object)# subnet 10.1.26.0 255.255.255.0 
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-11
ASA9(config-network-object)# subnet 10.1.11.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-14        
ASA9(config-network-object)# subnet 10.1.14.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-12        
ASA9(config-network-object)# subnet 10.1.12.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-13        
ASA9(config-network-object)# subnet 10.1.13.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# 
ASA9(config)# object-group network INSIDE-SUBNETS
ASA9(config-network-object-group)# network-object object 10-1-10
ASA9(config-network-object-group)# network-object object 10-1-26
ASA9(config-network-object-group)# network-object object 10-1-11
ASA9(config-network-object-group)# network-object object 10-1-14
ASA9(config-network-object-group)# network-object object 10-1-12
ASA9(config-network-object-group)# network-object object 10-1-13
ASA9(config-network-object-group)# exit
ASA9(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-SUBNETS interface 
ASA9(config)# 
ASA9(config)# route outside 0 0 10.1.9.1
ASA9(config)# copy run start

Source filename [running-config]? 
Cryptochecksum: f3bf1259 b6b8509c 2a34bd26 c2cba2b7 

4168 bytes copied in 0.230 secs
ASA9(config)#

Let’s test (using packet-tracer). Here I am only showing the relevant NAT part of the output:

ASA9(config)# packet-tracer input inside icmp 10.1.11.1 8 0 10.1.25.1

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic INSIDE-SUBNETS interface
Additional Information:
Dynamic translate 10.1.11.1/0 to 10.1.9.254/51830

Looks good so far. Let’s add some more routing:

ASA9(config)# router eigrp 1
ASA9(config-router)# eigrp router-id 10.1.9.254
ASA9(config-router)# network 10.1.9.0 255.255.255.0 
ASA9(config-router)#

Now we need to set up the switch interfaces, and add some more static routing:

Switch(config)#int gi0/0
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 26
Switch(config-if)#int gi0/1
Switch(config-if)#swi mo acc
Switch(config-if)#swi ac vl 11
Switch(config-if)#int rang gi0/2 - 3
Switch(config-if-range)#swi mo acc
Switch(config-if-range)#swi acc vl 10
Switch(config-if-range)#exit
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.10.254

GETVPN-S1(config)#ip route 0.0.0.0 0.0.0.0 10.1.26.200
GETVPN-S1(config)#

GETVPN-S2(config)#ip route 0.0.0.0 0.0.0.0 10.1.11.200
GETVPN-S2(config)#

We need some access-lists for pings to work:

ASA9(config)# sh run | i access-list
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.1.1 
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.2.1 
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 192.168.1.11 
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 192.168.1.22 
access-list Outside->Inside extended permit icmp host 10.1.1.1 host 10.1.26.1 
access-list Outside->Inside extended permit icmp host 10.1.2.1 host 10.1.26.1 
access-list Outside->Inside extended permit icmp host 192.168.1.11 host 10.1.26.1 
access-list Outside->Inside extended permit icmp host 192.168.1.22 host 10.1.26.1 
threat-detection statistics access-list
ASA9(config)# sh run | i access-group
access-group Outside->Inside in interface Outside
access-group Inside->Outside in interface Inside
ASA9(config)#
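Every ACL on this lab is written as host-to-host permits with nothing else, so anything not listed hits the implicit deny at the end, which is what the failed pings on the transparent ASA earlier and on ASA9 below come down to. The following Python is an added example, not part of the original post or of any Cisco tool: it parses ASA extended ACEs in the form "show run | i access-list" prints them (the ASA9 listing above and the transparent ASAv6 line from earlier are embedded as constructed samples), and evaluates a flow against an access-list with first-match semantics, returning which line matched or that the implicit deny applied. Only the protocol / source / destination form used on this page is parsed; port operators are not supported, and unrecognised ACE syntax raises rather than being silently ignored.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ASA9 output of "show run | i access-list" above,
# including the threat-detection line that the filter happened to catch.
ASA9_ACLS = """\
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.1.1
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.2.1
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 192.168.1.11
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 192.168.1.22
access-list Outside->Inside extended permit icmp host 10.1.1.1 host 10.1.26.1
access-list Outside->Inside extended permit icmp host 10.1.2.1 host 10.1.26.1
access-list Outside->Inside extended permit icmp host 192.168.1.11 host 10.1.26.1
access-list Outside->Inside extended permit icmp host 192.168.1.22 host 10.1.26.1
threat-detection statistics access-list
"""

# Constructed sample: the single ACE applied to the transparent ASAv6 earlier.
ASAV6_ACLS = "access-list Outside->Inside extended permit icmp host 10.1.2.1 host 10.1.2.254\n"

# "access-list NAME extended permit|deny PROTO SRC DST" where SRC and DST are
# "host A.B.C.D", "any" or "NET MASK".
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _to_network(spec: str) -> ipaddress.IPv4Network:
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    net, mask = spec.split()
    return ipaddress.IPv4Network(f"{net}/{mask}")


def parse_acls(text: str) -> dict:
    """Group ACEs by access-list name, preserving order (line numbers)."""
    acls = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue  # e.g. the threat-detection line
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        ace = Ace(m["action"], m["proto"], _to_network(m["src"]), _to_network(m["dst"]))
        acls.setdefault(m["name"], []).append(ace)
    return acls


def evaluate(acl: list, proto: str, src: str, dst: str) -> tuple:
    """First-match evaluation of one flow. Returns (action, line number);
    a flow that matches no ACE falls to the implicit deny, reported as
    ("deny", None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for number, ace in enumerate(acl, 1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, number
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(ASA9_ACLS)
    print(evaluate(acls["Inside->Outside"], "icmp", "10.1.26.1", "10.1.2.1"))
    print(evaluate(acls["Inside->Outside"], "icmp", "10.1.26.1", "10.1.2.254"))
```

With the ASA9 list as shown, a ping from GETVPN-S1 (10.1.26.1) to 10.1.2.1 is permitted by line 2 of Inside->Outside, while the same ping to 10.1.2.254 falls through to the implicit deny; appending the ACE that is added to ASA9 later on makes it line 5 and a permit. The evaluator deliberately ignores state: on a real ASA the reply to a permitted echo is handled by the connection table, not by the ACL on the return interface.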

At this stage I did scratch my head as to why the pings were failing, but (after some time) remembered that there is no IGP to advertise the routes we need, so I fixed that:

ASA9(config)# route inside 10.1.26.0 255.255.255.0 10.1.10.200   
ASA9(config)# route inside 10.1.11.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.14.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.12.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.13.0 255.255.255.0 10.1.10.200
ASA9(config)# 

GETVPN-S1(config)#do ping 192.168.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/27 ms
GETVPN-S1(config)#do ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/21 ms
GETVPN-S1(config)#do ping 10.1.2.1    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/16/20 ms
GETVPN-S1(config)#

That’s pretty far, but not far enough: I still need to be able to get from the GETVPN server to the GETVPN client:

GETVPN-S1(config)#do ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GETVPN-S1(config)#

ASAv6(config)# access-list Outside->Inside extended permit icmp host 10.1.9.254 host 10.1.2.254                            
ASAv6(config)# 

ASA9(config)# access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.2.254
ASA9(config)# access-list Outside->Inside extended permit icmp host 10.1.2.254 host 10.1.26.1
ASA9(config)# 

GETVPN-S1(config)#do ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/21/31 ms
GETVPN-S1(config)#

Now we have a very basic form of reachability between one of the GETVPN servers and the client. But we have two servers behind one firewall sharing a single outside address, so a port forward cannot reach both of them; instead, each of the two GETVPN servers will need its own individual NAT.

I’ll save that for another day, though.

Let me know if you like the idea about the workbooks in the comments below. Till next time.