New CCIE Security lab

It is time to create a new CCIE Security lab. I have 78 days left before the real thing, so can do at least 2 “large” labs in that time.

So, let’s start a new one. I start by throwing a bunch of stuff into the lab and make a list of things to achieve. I need to focus on VRF-aware VPNs more this time and basically, get faster with the different VPNs, I seem to be OK with most of the other topics. So, this new lab will be very VPN-centric, as such, the Telnet servers should only be reachable through the different VPNs.

Topology

After a short while, this is what I ended up with:
CCIE Security lab

Now, I need to work out some IP addressing. There should be different ranges for the VPNs and the basic connectivity, so I will use 10.1.X.0/24 for the interlinks, 10.2.X.0/24 for the devices at the top right and 192.168.X.0/24 for the VPNs. Routers will all use .1 or .2 (or sometimes .254) as the last octet, firewalls will use .254, end devices (the Windows box, WWW server, WSA etc etc), will all have their last octet as .10).  Switches (where they are providing a VLAN interface will use .200 (and .201 if required). Loopbacks will all be /32 and denoted on the topology.

But, where to start?

Let’s go for the middle and go (relatively) clockwise. This gives us something like this:

new CCIE Security lab topology

Now for the rules of the game!

Instructions

System Hardening and Availability:
•Every routing protocol must be secured with a password of CCIE
•Unused switch ports must be shut down and placed in VLAN 999
•ISP-1 should be set as an authoritative NTP server (Stratum 2). All devices (apart from the WSA should peer to this)
Threat Identification and Mitigation
•All ASAs should protect against IP spoofing attacks
•Switches should protect against MAC spoofing
•Win should receive it’s IP address through DHCP from ASAv7 and DHCP should be inspected by the switch
•The network should be protected against VLAN hopping attacks
•NetFlow should be enabled to track the top 5 talkers for ICMP traffic on ASAv7 (might change this later on)
Intrusion Prevention and Content Security
•Initialize the IPS and create a VLAN pair for VLANs 10.2.1.0 and 10.1.21.0
•Create a custom signature to alert high on ICMP traffic between the Win box and Lon-1
•Implement WCCP on the WSA and make sure all traffic to WWW goes through this and ASAv7.
•Block access to www.bad.com using a custom category
Identity Management
•Access to ASA v7 should be controlled through the ACS using TACACS+
•Access to the DMZ server (using Telnet) should be controlled through ACS
•Set ISE for the AP, creating CCIE-Sec and CCIE-Guest WLANs on the WLC
Perimeter Security and Services
•Set up ASAv7 in routed mode with VLAN 12 for the DMZ, VLAN 20 for the Inside
•Addresses should be NATted.
•Setup ASAv6 in transparent mode
•Setup ASA8 and ASA9 in failover mode
•Set up LON-2 as a ZBFW
•Map Telnet-3’s Telnet port to 23000
•May DMZ’s HTTP port to 8080
•Permit access to Telnet-3’s telnet port to just the VPN traffic
Confidentiality and Secure Access
•Create an IKEv1 tunnel between NYC and IKEv1 advertising the route to Telnet-2
•Create an IKEv2 tunnel between NYC and Easy-Server. Easy-Server should know about Telnet-2’s network only through this VPN
•Create a LAN-to-LAN IPSec tunnel between ASAv7 & NYC – ASAv7 should know about Telnet-2 through IPSec
•Set up the DMVPN network as a dual-hub network
•Set up Flex VPN between Telnet-1 and Telnet-2
•Set up Remote Access between Win & Easy-Server. Win should only know about Telnet-1 through VPN
•Set up AnyConnect between Win and ASA8/9
•Set up Easy VPN between Easy-Server & ASA9 and also between Easy-Server and Win
•The GETVPN should be VRF aware
•Set up ISP-1 as the CA for certificates. Use certificates for Easy VPN

I have tried and made it a little difficult for myself, in as much as I cannot go from top to bottom, some of the tasks require other tasks to be completed first (i.e. most of the VPNs need to be in place first. Let’s do the intial IP addressing. I’ll work out the routing afterwards.

IP addressing

Because there is a lot of config, I have put it behind a clicky-button, so click if you want to see the configs, or not!

Switch(config)#vlan 20,2,3,21,4 
Switch(config-vlan)#int vlan 1
Switch(config-if)#ip add 10.2.1.200 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#
Switch(config-if)#int vlan 20
Switch(config-if)#ip add 10.1.20.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#

Switch(config)#vlan 20,2,3,21,4
Switch(config-vlan)#
Switch(config-vlan)#int vlan 2
Switch(config-if)#ip add 10.2.2.200 255.255.255.0 
Switch(config-if)#no shut
Switch(config-if)#int vlan 3
Switch(config-if)#ip add 10.2.3.200 255.255.255.0
Switch(config-if)#no shut
Switch(config)#int vlan 4
Switch(config-if)#ip add 10.2.4.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 21
Switch(config-if)#ip add 10.1.21.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#

ASAv7(config)# int gi0/0
ASAv7(config-if)# exit
ASAv7(config)# int gi0/0.20
ASAv7(config-subif)# vlan 20
ASAv7(config-subif)# ip add 10.1.20.254 255.255.255.0
ASAv7(config-subif)# no shut
ASAv7(config-subif)# exit
ASAv7(config)# int gi0/2.19
ASAv7(config-subif)# no shut
ASAv7(config-subif)# vlan 19
ASAv7(config-subif)# ip add 10.1.19.254 255.255.255.0
ASAv7(config-subif)# exit
ASAv7(config)# int gi0/1 
ASAv7(config-if)# ip add 10.1.18.254 255.255.255.0
ASAv7(config-if)# no shut
ASAv7(config-if)# int gi0/2
ASAv7(config-if)# no shut
ASAv7(config-if)# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up  
GigabitEthernet0/0.20      10.1.20.254     YES manual up                    up  
GigabitEthernet0/1         10.1.18.254     YES manual up                    up  
GigabitEthernet0/2         unassigned      YES unset  up                    up  
GigabitEthernet0/2.19      10.1.19.254     YES manual up                    up  
ASAv7(config-if)# 

DMZ(config)#int gi0/0 
DMZ(config-if)#ip add 10.1.19.1 255.255.255.0
DMZ(config-if)#no shut
DMZ(config-if)#

IKEv1(config)#int gi0/0
IKEv1(config-if)#ip add 10.1.18.1 255.255.255.0
IKEv1(config-if)#no shut
IKEv1(config-if)#int gi0/1
IKEv1(config-if)#ip add 10.1.17.1 255.255.255.0
IKEv1(config-if)#no shut
IKEv1(config-if)#

Chicago(config)#int gi0/0
Chicago(config-if)#ip add 10.1.17.2 255.255.255.0
Chicago(config-if)#no shut
Chicago(config-if)#int gi0/2
Chicago(config-if)#ip add 10.1.16.2 255.255.255.0
Chicago(config-if)#no shut
Chicago(config-if)#int gi0/1
Chicago(config-if)#ip add 10.1.15.2 255.255.255.0
Chicago(config-if)#no shut
Chicago(config-if)#

Telnet-3(config)#int gi0/0
Telnet-3(config-if)#ip add 10.1.16.1 255.255.255.0
Telnet-3(config-if)#no shut
Telnet-3(config-if)#int lo0
Telnet-3(config-if)#ip add 3.3.3.3 255.255.255.255
Telnet-3(config-if)#

LON-2(config)#int gi0/0
LON-2(config-if)#no shut
LON-2(config-if)#ip add 10.1.21.1 255.255.255.0
LON-2(config-if)#int gi0/1
LON-2(config-if)#ip add 10.1.22.1 255.255.255.0
LON-2(config-if)#no shut
LON-2(config-if)#

ISP-1(config)#int gi0/2
ISP-1(config-if)#ip add 10.1.22.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#int gi0/3
ISP-1(config-if)#ip add 10.1.1.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#int gi0/0
ISP-1(config-if)#ip add 10.1.24.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#int gi0/1
ISP-1(config-if)#ip add 10.1.5.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#

LON-1(config)#int gi0/0
LON-1(config-if)#ip add 10.1.1.1 255.255.255.0
LON-1(config-if)#no shut
LON-1(config-if)#int gi0/1
LON-1(config-if)#ip add 10.1.2.1 255.255.255.0
LON-1(config-if)#no shut
LON-1(config-if)#

GETVPN-Client(config)#int gi0/0
GETVPN-Client(config-if)#ip add 10.1.2.254 255.255.255.0
GETVPN-Client(config-if)#no shut
GETVPN-Client(config-if)#int gi0/1.3
GETVPN-Client(config-subif)#encapsulation dot1Q 3
GETVPN-Client(config-subif)#ip add 10.1.3.254 255.255.255.0
GETVPN-Client(config-subif)#no shut
GETVPN-Client(config-subif)#int gi0/1
GETVPN-Client(config-if)#no shut
GETVPN-Client(config-if)#int gi0/1.4
GETVPN-Client(config-subif)#encapsulation dot1Q 4          
GETVPN-Client(config-subif)#ip add 10.1.4.254 255.255.255.0
GETVPN-Client(config-subif)#no shut
GETVPN-Client(config-subif)#

DM-Hub1(config)#int gi0/0
DM-Hub1(config-if)#ip add 10.1.24.1 255.255.255.0
DM-Hub1(config-if)#no shut
DM-Hub1(config-if)#int gi0/2
DM-Hub1(config-if)#ip add 10.1.25.1 255.255.255.0
DM-Hub1(config-if)#no shut
DM-Hub2(config)#int gi0/0
DM-Hub2(config-if)#ip add 10.1.5.1 255.255.255.0
DM-Hub2(config-if)#no shut
DM-Hub2(config-if)#int gi0/1
DM-Hub2(config-if)#ip add 10.1.6.1 255.255.255.0
DM-Hub2(config-if)#no shut
DM-Hub2(config-if)#int gi0/2
DM-Hub2(config-if)#ip add 10.1.8.1 255.255.255.0
DM-Hub2(config-if)#no shut
DM-Hub2(config-if)#

Easy-Server(config)#int gi0/0
Easy-Server(config-if)#ip add 10.1.6.254 255.255.255.0
Easy-Server(config-if)#no shut
Easy-Server(config)#int gi0/1
Easy-Server(config-if)#ip add 10.1.7.254 255.255.255.0
Easy-Server(config-if)#no shut
Easy-Server(config-if)#

Telnet-1(config)#int gi0/0
Telnet-1(config-if)#ip add 10.1.7.1 255.255.255.0
Telnet-1(config-if)#no shut
Telnet-1(config-if)#int lo0
Telnet-1(config-if)#ip add 1.1.1.1 255.255.255.255
Telnet-1(config-if)#

ISP-2(config)#int gi0/0
ISP-2(config-if)#ip add 10.1.25.254 255.255.255.0
ISP-2(config-if)#no shut
ISP-2(config-if)#int gi0/1
ISP-2(config-if)#ip add 10.1.8.254 255.255.255.0
ISP-2(config-if)#no shut
ISP-2(config-if)#int gi0/3
ISP-2(config-if)#ip add 10.1.9.1 255.255.255.0
ISP-2(config-if)#no shut
ISP-2(config-if)#

ASA9(config-if)# ip add 10.1.9.254 255.255.255.0    
ASA9(config-if)# no shut
ASA9(config-if)# int eth3
ASA9(config-if)# ip add 10.1.250.254 255.255.255.0
ASA9(config-if)# no shut
ASA9(config-if)# int eth0
ASA9(config-if)# ip add 10.1.10.254 255.255.255.0
ASA9(config-if)# no shut
ASA9(config-if)# 

Switch(config)#vlan 10,26,11
Switch(config-vlan)#exit
Switch(config)#int vlan 10
Switch(config-if)#ip add 10.1.10.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 26
Switch(config-if)#ip add 10.1.26.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 11
Switch(config-if)#ip add 10.1.11.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int rang gi0/2 - 3
Switch(config-if-range)#swi mo acc
Switch(config-if-range)#swi acc vl 10
Switch(config-if-range)#
Switch(config-if-range)#int gi0/0
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 26
Switch(config-if)#int gi 0/1
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 11
Switch(config-if)#

GETVPN-S1(config)#int gi0/2
GETVPN-S1(config-if)#ip add 10.1.15.1 255.255.255.0
GETVPN-S1(config-if)#no shut
GETVPN-S1(config-if)#int gi0/1
GETVPN-S1(config-if)#ip add 10.1.26.1 255.255.255.0
GETVPN-S1(config-if)#no shut
GETVPN-S1(config)#int gi0/0
GETVPN-S1(config-if)#ip add 10.1.14.1 255.255.255.0
GETVPN-S1(config-if)#no shut
GETVPN-S1(config-if)#

GETVPN-S2(config)#int gi0/0
GETVPN-S2(config-if)#ip add 10.1.11.1 255.255.255.0
GETVPN-S2(config-if)#no shut
GETVPN-S2(config-if)#int gi0/1
GETVPN-S2(config-if)#ip add 10.1.12.1 255.255.255.0 
GETVPN-S2(config-if)#no shut
GETVPN-S2(config-if)#

NYC(config)#int gi0/0
NYC(config-if)#ip add 10.1.14.254 255.255.255.0
NYC(config-if)#no shut
NYC(config-if)#int gi 0/1
NYC(config-if)#ip add 10.1.12.254 255.255.255.0
NYC(config-if)#no shut
NYC(config-if)#int gi0/2
NYC(config-if)#ip add 10.1.13.254 255.255.255.0
NYC(config-if)#no shut
NYC(config-if)#

Telnet-2(config)#int gi0/0
Telnet-2(config-if)#ip add 10.1.13.1 255.255.255.0
Telnet-2(config-if)#no shut
Telnet-2(config-if)#int lo0
Telnet-2(config-if)#ip add 2.2.2.2 255.255.255.255
Telnet-2(config-if)#

If you want to play along at home, then you can download the file here.

4 Comments

  1. Unknown July 26, 2016
  2. Stuart Fordham July 26, 2016
  3. Fabio Silva July 29, 2016
  4. Sheraz Malik August 17, 2016