MPLS: The big blackhole question

Whilst I don't get many emails from readers of my books saying "I don't understand such-and-such", I have had two referring to the same thing. So I feel that this warrants a deeper explanation.

In section 9.3 of the MPLS for Cisco Networks book we cover Internet access, supplied as a dedicated VRF.

This caused some issues with the network though, namely that R1 and R5 could reach each other, due to having default routes pointing to the IGW router.

The fix itself was a simple two-line affair, but the reasoning behind the fix is not as simple.

So, let's go through a little of the configurations, starting with the IGW router:
IGW#sh run
hostname IGW
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 5.5.5.5 255.255.255.255
!
interface Ethernet0/0
 ip address 10.20.1.1 255.255.255.0
!
router bgp 200
 bgp log-neighbor-changes
 network 0.0.0.0
 neighbor 10.20.1.2 remote-as 100
!
ip route 0.0.0.0 0.0.0.0 Null0
!
end

IGW#
Now R1:
R1#sh run
hostname R1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 network 192.168.1.0
 neighbor 10.1.1.1 remote-as 100
!
ip forward-protocol nd
!
end

R1#
R5:
R5#sh run
hostname R5
!
interface Loopback0
 ip address 192.168.5.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 3 area 0
!         
interface Ethernet0/0
 ip address 10.1.5.2 255.255.255.0
 ip ospf 3 area 0
!
router ospf 3
!
end
          
R5#
And PE1, where all the magic happens:
PE1(config-router)#do sh run
hostname PE1
!
ip vrf BLUE
 rd 100:3
 export map VRF-BLUE-SUBNETS
 route-target export 100:3
 route-target import 100:3
 route-target import 100:200
!
ip vrf INTERNET
 rd 100:200
 route-target export 100:200
 route-target import 100:201
 route-target import 100:205
!         
ip vrf RED
 rd 100:1
 export map VRF-RED-INTERNET
 route-target export 100:1
 route-target import 100:1
 route-target import 100:200
!
interface Loopback0
 ip address 10.250.3.1 255.255.255.255
!
interface Ethernet0/2
 ip vrf forwarding INTERNET
 ip address 10.20.1.2 255.255.255.0
!
interface Ethernet1/0
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet1/2
 ip vrf forwarding BLUE
 ip address 10.1.5.1 255.255.255.0
 ip ospf 3 area 0
!
router ospf 3 vrf BLUE
 router-id 10.250.3.5
 redistribute bgp 100 subnets
 default-information originate
!
router bgp 100
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf BLUE
  redistribute ospf 3
 exit-address-family
 !
 address-family ipv4 vrf INTERNET
  neighbor 10.20.1.1 remote-as 200
  neighbor 10.20.1.1 activate
 exit-address-family
 !
 address-family ipv4 vrf RED
  neighbor 10.1.1.2 remote-as 65001
  neighbor 10.1.1.2 activate
 exit-address-family
!
ip access-list standard VRF_BLUE_SUBNETS
 permit 10.1.5.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
ip access-list standard VRF_RED_SUBNETS
 permit 10.1.1.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
!
route-map VRF-RED-INTERNET permit 10
 match ip address VRF_RED_SUBNETS
 set extcommunity rt 100:201 additive
!
route-map VRF-BLUE-SUBNETS permit 10
 match ip address VRF_BLUE_SUBNETS
 set extcommunity rt 100:205 additive
!
end

PE1(config-router)#
With this configuration, R1 and R5 can reach the Internet address (4.4.4.4), which is desired, but they can also reach each other, which is not desired:
R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#
R1#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#

R5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R5#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R5#
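To see why those pings succeed, here is a small Python model (an added example, not code from the book or this post) of PE1's route-target import/export and a hop-by-hop trace of R1's packet towards R5. The VRF definitions are transcribed from the PE1 configuration above; the next-hop labels ("R1", "R5", "IGW", "PE1-INTERNET", "local", "Null0") and the IGW table are assumptions made for the model.

```python
import ipaddress

# VRFs transcribed from PE1's configuration in the post. 'local' holds the
# prefixes each VRF learns on its CE side; 'export_map' reproduces the
# route-maps that add an extra RT (100:201 / 100:205) to the customer subnets.
VRFS = {
    "RED": {
        "export": {"100:1"}, "import": {"100:1", "100:200"},
        "local": {"10.1.1.0/24": "R1", "192.168.1.0/24": "R1"},
        "export_map": {"10.1.1.0/24": {"100:201"}, "192.168.1.0/24": {"100:201"}},
    },
    "BLUE": {
        "export": {"100:3"}, "import": {"100:3", "100:200"},
        "local": {"10.1.5.0/24": "R5", "192.168.5.0/24": "R5"},
        "export_map": {"10.1.5.0/24": {"100:205"}, "192.168.5.0/24": {"100:205"}},
    },
    "INTERNET": {
        "export": {"100:200"}, "import": {"100:201", "100:205"},
        # eBGP default learned from IGW ('network 0.0.0.0' on IGW).
        "local": {"0.0.0.0/0": "IGW"},
        "export_map": {},
    },
}

# IGW's own addresses (the loopbacks from the post) and its static default
# to Null0, which is the blackhole the title refers to (assumed model labels).
IGW_LOCAL = {"4.4.4.4/32": "local", "5.5.5.5/32": "local", "0.0.0.0/0": "Null0"}


def vpnv4_routes(vrfs):
    """Each VRF advertises its local prefixes with its export RTs attached."""
    routes = []
    for name, vrf in vrfs.items():
        for prefix, nexthop in vrf["local"].items():
            rts = set(vrf["export"]) | vrf["export_map"].get(prefix, set())
            routes.append((ipaddress.ip_network(prefix), nexthop, name, rts))
    return routes


def build_tables(vrfs):
    """Import into every VRF each VPNv4 route that carries one of its import RTs."""
    tables = {name: {ipaddress.ip_network(p): nh for p, nh in vrf["local"].items()}
              for name, vrf in vrfs.items()}
    for prefix, nexthop, origin, rts in vpnv4_routes(vrfs):
        for name, vrf in vrfs.items():
            if name != origin and rts & vrf["import"]:
                tables[name][prefix] = nexthop
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [(p, nh) for p, nh in table.items() if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen)


def trace(src_vrf, dst, tables):
    """Follow a packet: customer VRF on PE1 -> IGW -> back into PE1's INTERNET VRF.
    Returns a list of (lookup point, matched prefix, next hop) tuples."""
    hops = []
    prefix, nexthop = lookup(tables[src_vrf], dst)
    hops.append((src_vrf, str(prefix), nexthop))
    if nexthop == "IGW":
        # IGW learns the whole INTERNET VRF table from PE1 over eBGP (everything
        # except the default it originates itself), plus its own local entries.
        igw = {p: "PE1-INTERNET" for p in tables["INTERNET"] if p.prefixlen}
        igw.update({ipaddress.ip_network(p): nh for p, nh in IGW_LOCAL.items()})
        prefix, nexthop = lookup(igw, dst)
        hops.append(("IGW", str(prefix), nexthop))
        if nexthop == "PE1-INTERNET":
            # The packet re-enters PE1 on the INTERNET VRF interface and is
            # forwarded into whichever customer VRF exported the prefix.
            prefix, nexthop = lookup(tables["INTERNET"], dst)
            hops.append(("INTERNET", str(prefix), nexthop))
    return hops


if __name__ == "__main__":
    tables = build_tables(VRFS)
    for name in tables:
        print(name, sorted(str(p) for p in tables[name]))
    for hop in trace("RED", "192.168.5.1", tables):
        print(hop)
```

The trace shows the hairpin: RED only holds the default, but IGW has learned BLUE's subnets through the INTERNET VRF and hands the packet straight back to PE1, which is why the fix has to sit on IGW's egress rather than on PE1.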
In the book we go through a couple of attempts at blocking the behaviour, until landing on one that works:
IGW(config)#access-list 1 perm 0.0.0.0
IGW(config)#int e0/0
IGW(config-if)#ip access-group 1 out
IGW(config-if)#end
IGW#sh access-list
Standard IP access list 1
    10 permit 0.0.0.0
    20 deny   any log (20 matches)
IGW#
This works. But why? Let's face it, it does not look like it should.

Before we get into the explanation, if we tack some logging onto the ACL's default deny rule, we can see it in action:
IGW(config)#access-list 1 deny any log
IGW(config)#
%SEC-6-IPACCESSLOGNP: list 1 denied 0 10.1.1.2 -> 192.168.5.1, 1 packet  
IGW(config)#
So by turning the implicit default deny into an explicit default deny, we can use logging, and once we try the ping again, we can see that it is this rule that gets the hits.

The access-list itself permits the address 0.0.0.0, which looks like it should mean any host. So really, it should let the traffic pass. Let's start by clearing up one thing, and by doing so, making life a little easier. This is not an MPLS thing. It's purely an access-list thing. We can test this out with three routers; the configs are below:


vIOS1(config)#int lo0
vIOS1(config-if)#ip add 1.1.1.1 255.255.255.255
vIOS1(config-if)#int gi0/0
vIOS1(config-if)#ip add 10.1.1.1 255.255.255.0
vIOS1(config-if)#no shut
vIOS1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
vIOS1(config)#

vIOS2(config)#int gi0/0
vIOS2(config-if)#ip add 10.1.1.2 255.255.255.0
vIOS2(config-if)#no sh
vIOS2(config-if)#ip route 1.1.1.1 255.255.255.255 10.1.1.1
vIOS2(config)#int gi 0/1
vIOS2(config-if)#ip add 20.2.2.2 255.255.255.0
vIOS2(config-if)#no shu
vIOS2(config-if)#ip route 3.3.3.3 255.255.255.255 20.2.2.3 
vIOS2(config)#

vIOS3(config)#int lo3
vIOS3(config-if)#ip add 3.3.3.3 255.255.255.255
vIOS3(config-if)#int gi0/0
vIOS3(config-if)#ip add 20.2.2.3 255.255.255.0
vIOS3(config-if)#no shut
vIOS3(config-if)#ip route  0.0.0.0 0.0.0.0 20.2.2.2  
vIOS3(config)#
We have end to end connectivity, because of the static routing:
vIOS3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
vIOS3#ping 1.1.1.1 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
vIOS3#
Now let's assume that we don't want vIOS2 to be a transit router. We can use the same access-list as above to do this:
vIOS2(config)#int lo0                 
vIOS2(config-if)#ip add 2.2.2.2 255.255.255.255
vIOS2(config-if)#
vIOS2(config)#ip access-list standard 1 
vIOS2(config-std-nacl)#perm 0.0.0.0
vIOS2(config-std-nacl)#deny any log 
vIOS2(config-std-nacl)#int gi0/0
vIOS2(config-if)#ip access-group 1 out
vIOS2(config-if)#

vIOS1(config)#do ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vIOS1(config)#

vIOS2(config-if)#
%SEC-6-IPACCESSLOGNP: list 1 denied 0 3.3.3.3 -> 10.1.1.1, 1 packet  
vIOS2(config-if)#

vIOS1(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
vIOS1(config)#
So, whilst we can still get to the IP addresses configured on vIOS2 (and IGW, returning to the book), we are no longer letting the router be a transit between the other two routers.

Weird, right?

Why permit 0.0.0.0 works

Without a mask on the access-list we are specifying a host. We could have used "ip access-list 1 permit 3.3.3.3", and this would allow us to get to the 3.3.3.3 IP address. However, we do not have a 0.0.0.0 IP address, therefore the line is not matched, and we jump down to the next rule, which is the implicit deny rule. Once we make this explicit, and enable logging, we can see that this is the one getting the hits.

Because of the direction of the rule (out) we are still able to reach the addresses local to the router (IGW from the book, or vIOS2 here), but we prevent the router being used as a transit.
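The two points above (no wildcard means a host entry, and an outbound ACL only touches transit traffic) can be checked with a small model of IOS standard access-list matching. This is an added example, not code from the book or this post; the `locally_generated` flag in `outbound_filter` is an assumption standing in for the router's own originated traffic, and the log line is only shaped like the %SEC-6-IPACCESSLOGNP messages quoted above.

```python
import ipaddress

LOG_WORD = {"permit": "permitted", "deny": "denied"}


def parse_standard_ace(line):
    """Read one standard ACE the way IOS does:
       'permit 0.0.0.0'                  -> host 0.0.0.0 (wildcard 0.0.0.0)
       'permit 0.0.0.0 255.255.255.255'  -> any address
       'deny any log'                    -> any address, with logging"""
    words = line.split()
    action, rest = words[0], words[1:]
    log = "log" in rest
    rest = [w for w in rest if w != "log"]
    if rest[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    else:
        addr = rest[0]
        wild = rest[1] if len(rest) > 1 else "0.0.0.0"  # no wildcard => host entry
    return {"action": action, "addr": int(ipaddress.ip_address(addr)),
            "wild": int(ipaddress.ip_address(wild)), "log": log, "text": line}


def ace_matches(ace, src):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    care = ~ace["wild"] & 0xFFFFFFFF
    return (int(ipaddress.ip_address(src)) & care) == (ace["addr"] & care)


def evaluate(acl, src, dst):
    """First matching ACE wins. Returns (action, ACE text, log message).
    Falling off the end is the implicit deny: no ACE text and no log line,
    which is why the post adds an explicit 'deny any log' to see the hits."""
    for ace in acl:
        if ace_matches(ace, src):
            msg = None
            if ace["log"]:
                # Same shape as the %SEC-6-IPACCESSLOGNP lines quoted in the post.
                msg = (f"%SEC-6-IPACCESSLOGNP: list 1 {LOG_WORD[ace['action']]} 0 "
                       f"{src} -> {dst}, 1 packet")
            return ace["action"], ace["text"], msg
    return "deny", None, None


def outbound_filter(acl, src, dst, locally_generated):
    """An outbound ACL on IOS is applied to transit traffic only; packets the
    router itself originates (its own ping replies, for instance) bypass it.
    That is why 2.2.2.2 on vIOS2, and 4.4.4.4 on IGW, stay reachable."""
    if locally_generated:
        return "permit"
    return evaluate(acl, src, dst)[0]


# The access-list from the post, as applied outbound on IGW e0/0 and vIOS2 gi0/0.
ACL_1 = [parse_standard_ace("permit 0.0.0.0"), parse_standard_ace("deny any log")]
# What 'permit 0.0.0.0' looks like it should mean: any source.
ACL_ANY = [parse_standard_ace("permit 0.0.0.0 255.255.255.255")]

if __name__ == "__main__":
    for src, dst in [("10.1.1.2", "192.168.5.1"), ("3.3.3.3", "10.1.1.1")]:
        print(evaluate(ACL_1, src, dst))
        print(evaluate(ACL_ANY, src, dst))
    print(outbound_filter(ACL_1, "2.2.2.2", "10.1.1.1", locally_generated=True))
```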

References:

https://learningnetwork.cisco.com/thread/31830
https://supportforums.cisco.com/discussion/12400056/access-list-1-permit-0000
CCIE Security v5 Lab Predictions

The current version of the CCIE Security lab exam (v4) came in 2012. It is now 2016, so after three to four years, it's probably due for an update shortly.

In fact there are rumours and mentions that there will be an announcement at the Berlin Cisco Live event on the 15th February.

So, what could go out, and what could be in?

This is the current list of software versions:

  • Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
  • Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
  • Cisco IPS Software Release 7.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS System software version 5.3x
  • Cisco WLC 2500 Series software 7.2x
  • Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
  • Cisco WSA S-series software version 7.1x
  • Cisco ISE 3300 series software version 1.1x
  • Cisco NAC Posture Agent v4.X
  • Cisco AnyConnect Client v3.0X

Let's break it down and see what the likely contenders could be! Note: these are just my guesses!

Cisco ISR 15.1(x)T and 15.2(x)T

These are still relatively new. The latest version is 16.01, released in November 2015. 15.1 and 15.2 have been around for over a year, so we might see a jump to a newer version.

Probability/Impact: Low-Medium

Cisco Catalyst 3560/3750 Series Switches 12.2SE/15.0(x)SE

The 3560s and 3750s had an announcement in 2013 that they would be End-of-Life starting mid-2016.

The later versions of these (3560-X and 3750-X) had an EOL in October 2015, and shipping these stops in October 2016, however, support does not end until 2021. Support (in terms of patches) does not stop till 2017.

It is more likely that these will move to 3650s (which do MACsec and TrustSec, among other things) or 3850s.

Probability/Impact: Medium

Cisco ASA 5500 (8.2x, 8.4x, 8.6x)

I think there will be big changes here. The majority of the ASAs will move to the ASAv, which makes sense as there will be much more virtualization within the new lab exam. Expect more ASA 9.x and less 8.2.

Probability/Impact: High

Cisco IPS 7.x

Again, there will be big changes here. EOL was announced in 2013! Support will stop in 2019. Therefore it is highly likely that this will be replaced with FirePower/SourceFire.

Probability/Impact: High

Cisco VPN Client 5.x

EOL as of mid-2011, EOS (End-of-Support) mid-2012. Another contender for complete removal, with more focus on AnyConnect.

Probability/Impact: High

Cisco Secure ACS System 5.3x

5.3 had an EOL (End-of-Life) announcement back in 2014, with the last day to order it being January 31st 2014, and it will no longer be supported after 31st January 2017. Similarly 5.7 is now EOL as well, as of 2nd November 2015. Looks very likely for complete removal.

This will be replaced with ISE 2.0

Probability/Impact: High

Cisco WLC 2500 Series software 7.2x

The 2500 series line is still going strong, but chances are that the software used will be 8.x (8.2 being the latest).

However, the current trend is to make more use of virtualization, so this may switch to the vWLC, which is also version 8.

Probability/Impact: Medium

Cisco Aironet 1200 series AP 12.4J(x)

This is EOL, so it'll probably move to the 1700 series.

Probability/Impact: High

Cisco WSA S-series software version 7.1x

These are still going strong, so it will stay in the exam, in one form or another. Most likely switching to the vWSA (virtual). Version 7.1 will not be supported beyond August 31st 2016, so expect the version to move to 9.0 (as per the vWSA).

Probability/Impact: High

Cisco ISE 3300 series software version 1.1x

Totally EOL. It'll be ISE 2.0.

Probability/Impact: High

Cisco NAC Posture Agent v4.X

4.9 is still going strong, so there probably won't be any change.

Probability/Impact: Low

Cisco AnyConnect Client v3.0X

3.0 will be out and 4.0 will be in.

Probability/Impact: Low

CCIE Security: Multiple context firewalls (Part 2 - the one where it works)

After the issues in the previous post about Multiple context ASAs, I went off and made use of my INE All Access pass subscription, and watched the two videos on the subject. I really couldn't see what I was doing wrong, the steps Brian went through did not look any different to the ones I was doing. Confusion still reigned.

So after a nights sleep (well, a morning's sleep as I stayed up till 1am playing Fallout 4), I decided to scale it back a bit, and (almost) start from scratch.

Now it works!


Here is the configuration for the firewall:
LA-FW# sh run
ASA Version 8.4(2) 
!
hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
 shutdown
!             
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
context C1
  allocate-interface Ethernet0.20 outsideC1 
  allocate-interface Ethernet1 insideC1 
  config-url disk0:/C1.cfg
!             
context C2
  allocate-interface Ethernet0.30 outsideC2 
  allocate-interface Ethernet2 insideC2 visible 
  config-url disk0:/C2.cfg
!
prompt hostname context 
: end
LA-FW#
As you can see, the Ethernet1 interface is allocated to the C1 context, without any VLAN information (as it is NOT a shared interface). Similarly, Ethernet2 is allocated to the C2 context.

Here are the configurations for the contexts:
LA-FW# changeto con C1
LA-FW/C1# sh run
ASA Version 8.4(2) 
!
hostname C1
!
interface outsideC1
 nameif Outside
 security-level 0
 ip address 198.250.20.2 255.255.255.252 
!
interface insideC1
 nameif Inside
 security-level 100
 ip address 20.5.5.1 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network INSIDE-NAT-SUBNETS
 network-object 20.5.5.0 255.255.255.0
 network-object 20.5.6.0 255.255.255.0
 network-object 20.5.7.0 255.255.255.0
access-list outside->in extended permit ip any any 
access-list outside->in extended permit icmp any any 
access-list outside->in extended permit icmp any any echo-reply 
access-group outside->in in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.250.20.1 1
: end
LA-FW/C1# 
LA-FW/C1# changeto con C2
LA-FW/C2# 
LA-FW/C2# sh run
ASA Version 8.4(2) 
!
hostname C2
!
interface outsideC2
 nameif Outside
 security-level 0
 ip address 198.250.30.2 255.255.255.252 
!
interface insideC2
 nameif Inside
 security-level 100
 ip address 20.6.6.1 255.255.255.0 
!
object network Customer2
 subnet 20.6.6.0 255.255.255.0
access-list outside->in extended permit ip any any 
access-list outside->in extended permit icmp any any 
access-group outside->in in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.250.30.1 1
: end
LA-FW/C2# 
LA-FW/C2# 
LA-FW/C2# changeto system
LA-FW#  
Now we can ping from the routers in the different contexts, to the LA-FW context IP addresses:
LA-C1#ping 20.5.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/16 ms
LA-C1#

LA-C2#ping 20.6.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.6.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
LA-C2#
The LA1 router needs to be set up (again, I thought I had done this, but maybe I didn't save the configuration!):
LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#encapsulation dot 20
LA1(config-subif)#ip add 198.250.20.1 255.255.255.252
LA1(config-subif)#no sh
LA1(config-subif)#
LA1(config-subif)#int gi 0/0.30
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#encap dot 30
LA1(config-subif)#ip add 198.250.30.1 255.255.255.252
LA1(config-subif)#
We now have connectivity from LA-FW to the LA1 router:
LA-FW/C1# ping 198.250.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LA-FW/C1# 
LA-FW/C1# changeto con C2
LA-FW/C2# ping 198.250.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
LA-FW/C2# 
A bit of redistribution
LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red connect metric 1
LA1(config-router-af)#
And we have routes:
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
      198.250.20.0/30 is subnetted, 1 subnets
D EX     198.250.20.0 
           [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
      198.250.30.0/30 is subnetted, 1 subnets
D EX     198.250.30.0 
           [170/2562816] via 128.2.2.2, 00:00:16, GigabitEthernet0/0
NY2#
We have connectivity from the LA-FW to the 3.3.3.3 loopback:
LA-FW/C2# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LA-FW/C2# changeto con C1
LA-FW/C1# ping 3.3.3.3   
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
LA-FW/C1# 
But I do need to fix something (either NAT or routing on the context "hosts"), and packet-tracer is where to start. Unfortunately I did a packet-tracer, and the router crashed. Second time around, packet tracer gave the all-clear:
LA-FW/C1# packet-tracer input Inside icmp 20.5.5.2 0 0 3.3.3.3 det
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd1373a0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd13b298, priority=0, domain=inspect-ip-options, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd47d5a8, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0xbd47c588, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbd13ae70, priority=66, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0xbd13a488, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

LA-FW/C1#
Notice anything missing though? Yep, no NAT... It looks like when I reconfigured the interfaces, the NAT command was removed. Let's put it back in:
LA-FW/C1(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SU$
LA-FW/C1(config)# sh run | i nat
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
LA-FW/C1(config)# 
Now we have success!!!!
LA-C1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/14/22 ms
LA-C1#
Let's fix the other context:
LA-FW/C2(config)# object-group network INSIDE-NAT-SUBNETS
LA-FW/C2(config-network-object-group)# network-object 20.6.6.0 255.255.255.0
LA-FW/C2(config-network-object-group)# network-object 20.6.7.0 255.255.255.0
LA-FW/C2(config-network-object-group)# network-object 20.6.8.0 255.255.255.0
LA-FW/C2(config-network-object-group)# exi
LA-FW/C2(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SU$
LA-FW/C2(config)# sh run | i nat
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
LA-FW/C2(config)#
It works for the second context as well:
LA-C2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms
LA-C2#
Wonderful! As it turns out, multiple context configuration is not all that hard, it's just a couple of commands per-context, and after that it's no different to setting up a regular ASA. I am glad it worked today, if it had not then I am not sure what my next steps were going to be (apart from asking other people). But now I have end to end connectivity between the two contexts, and the NY2 loopback(s), from different ASA contexts, through the MPLS cloud, through a transparent firewall and onto the end destination.

Things are shaping up pretty well, and I haven't had to resort to ASDM (yet). Usually I hardly ever touch the ASA CLI, and now this is really starting to push me more, which is the whole idea behind these studies.

Next up will be the configuration of the London firewalls, but not today. My boys need Lego building and I need another coffee.

Happy weekend all!

Oh, one final tip I picked up from the INE videos - use "wr mem all" under the system context to save everything:
LA-FW# wr mem all
Building configuration...
Saving context :           system : (000/003 Contexts saved) 
Cryptochecksum: 71b164a0 daea0c41 451c6344 3f3803aa 

1765 bytes copied in 0.160 secs
Saving context :            admin : (001/003 Contexts saved) 
Cryptochecksum: 1fa07e8d c5853280 5cc9f91f 7db4eb43 

1525 bytes copied in 0.170 secs
Saving context :               C1 : (002/003 Contexts saved) 
Cryptochecksum: cc1f9db0 56a702be 6112fb7b 71b13455 

2405 bytes copied in 0.160 secs
Saving context :               C2 : (003/003 Contexts saved) 
Cryptochecksum: 3f8ba835 ca4016d9 7770dcfe e3a4d37d 

2168 bytes copied in 0.170 secs
[OK]                                                         
LA-FW# 

CCIE Security: Multiple context firewalls (Part 1)

Multi-context firewalls allow us to have a tenancy-like setup, we can have different "customers" all sharing one firewall.

To set this up we need to change the firewall mode from single to multiple, which leads to a reboot of the firewall:
ciscoasa(config)# hostname LA-FW
LA-FW(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
LA-FW(config)# mode multiple 
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] 
Convert the system configuration? [confirm] 
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple 



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished
Once the firewall has come back up again we can check the mode:
LA-FW# sh mode
Security context mode: multiple 
LA-FW# 
OK, so far so good! Can we connect up to the LA1 router?
LA-FW(config)# int e0
LA-FW(config-if)# ip add 198.240.5.2 255.255.255.252
                   ^
ERROR: % Invalid input detected at '^' marker.
LA-FW(config-if)# ip add                            
LA-FW(config-if)# ?     

Interface configuration commands:
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  description    Interface specific description
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  help           Interactive help for interface subcommands
  lacp           LACP interface subcommands
  no             Negate a command or set its defaults
  shutdown       Shutdown the selected interface
  speed          Configure speed operation
LA-FW(config-if)# 
Nope, not in this mode we cannot. Time to hit Google. This page was useful:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99131-multiple-context.html

So, it looks like we need to do a bit of a redesign (again)...

We want to have two user contexts, as well as an admin one. These are done under VLANs, so we'll use:

  • VLAN 10 - Admin - VLAN 11
  • VLAN 20 - C1 - VLAN 21
  • VLAN 30 - C2 - VLAN 31
It's all VLAN based, so we need to throw an L2 switch between the FW and the LA1 router, then do more connections, or sub-interfaces.

This is what I ended up with:
LA-FW(config-ctx)# sh run
ASA Version 8.4(2) 
!
hostname LA-FW
!
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
interface Ethernet1
!
interface Ethernet1.21
 vlan 21
!
interface Ethernet2
!             
interface Ethernet2.31
 vlan 31
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!             
context C1
  allocate-interface Ethernet0.20 outsideC1 
  allocate-interface Ethernet1.21 insideC1 
!
context C2
  allocate-interface Ethernet0.30 outsideC2 
  allocate-interface Ethernet2.31 insideC2 
  config-url disk0:/C2.cfg
!
prompt hostname context 
LA-FW(config-ctx)# 
I ran into some issues here; notice that I do not have an entry for the config URL for the C1 context. We do need this:
LA-FW(config-ctx)# changeto context C1
ERROR: Context hasn't been initialized with 'config-url'
LA-FW(config-ctx)# changeto context C2
LA-FW/C2(config)# exi
LA-FW/C2# changeto system
LA-FW(config)# context C1
LA-FW(config-ctx)# config-url disk0:/C1.cfg

WARNING: Could not fetch the URL disk0:/C1.cfg
INFO: Creating context with default config
LA-FW(config-ctx)# changeto context C1
LA-FW/C1(config)#
LA-FW/C1(config)# interface outsideC1
LA-FW/C1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
LA-FW/C1(config-if)# ip address 198.250.20.2 255.255.255.252
LA-FW/C1(config-if)# no shut
LA-FW/C1(config-if)#  
I still need to get the (new) switch set up:
Switch(config)#vlan 10
Switch(config-vlan)#name admin-vlan
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name C1-vlan
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name C2-vlan
Switch(config-vlan)#exi
Switch(config)#int gi0/1
Switch(config-if)#swi tru encap dot
Switch(config-if)#swi mo tru
Switch(config-if)#no sh
Switch(config-if)#hostname LA-SW
LA-SW(config)#
Should also get LA1 set up as well:
LA1(config)#int gi 0/0.10
LA1(config-subif)#encapsulation dot1Q 10
LA1(config-subif)#int gi 0/0.20
LA1(config-subif)#encapsulation dot1Q 20
LA1(config-subif)#int gi 0/0.30         
LA1(config-subif)#encapsulation dot1Q 30
LA1(config-subif)#exi
LA1(config)#int gi 0/0
LA1(config-if)#no sh
LA1(config-if)#int gi 0/0.20
LA1(config-subif)#ip add 198.250.20.1 255.255.255.252
LA1(config-subif)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         198.240.5.1     YES NVRAM  up                    up      
GigabitEthernet0/0.10      unassigned      YES unset  up                    up      
GigabitEthernet0/0.20      198.250.20.1    YES manual up                    up      
GigabitEthernet0/0.30      unassigned      YES unset  up                    up      
GigabitEthernet0/1         134.20.1.6      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Loopback0                  4.4.4.4         YES NVRAM  up                    up      
LA1(config-subif)#do ping 198.250.20.2                
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.250.20.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/15/25 ms
LA1(config-subif)#
Back to the C1 context to set up the inside:
LA-FW/C1(config-if)# int insideC1
LA-FW/C1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LA-FW/C1(config-if)# ip add 20.5.5.1 255.255.255.0
LA-FW/C1(config-if)# no shut
LA-FW/C1(config-if)# 
Because we are using ASA 8.4.2, we cannot use dynamic routing protocols with this version, only static routes:
LA-FW/C1(config)# route Outside 0.0.0.0 0.0.0.0 198.250.20.1
Because it's ASA 8.4 we need to use the new NAT syntax, and thanks to Peter Revill over at CCIErants for this excellent post: http://www.ccierants.com/2012/06/asa-84-nat-mostly-definitive-guide.html it really helped.
LA-FW/C1(config)# object network InsideNetwork
LA-FW/C1(config-network-object)# subnet 20.5.0.0 255.255.0.0
LA-FW/C1(config-network-object)# nat (inside,outside) dynamic interface 
LA-FW/C1(config-network-object)# 
Again, we need to make sure we are working within the MPLS vrf:
LA1(config)#int GigabitEthernet0/0.20
LA1(config-subif)#ip vrf forwarding 802101
% Interface GigabitEthernet0/0.20 IPv4 disabled and address(es) removed due to disabling VRF 802101
LA1(config-subif)#ip address 198.250.20.1 255.255.255.252
LA1(config-subif)#exi
LA1(config)#ip route vrf 802101 20.5.0.0 255.255.0.0 198.250.20.2
LA1(config)#router bgp 1
LA1(config-router)#address-family ipv4 vrf 802101
LA1(config-router-af)#red static metric 1
LA1(config-router-af)#redistribute connected metric 1
LA1(config-router-af)#
Now let's set up the C1 router:
Router(config)#int gi0/0
Router(config-if)#ip add 20.5.5.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exi
Router(config)#ip route 0.0.0.0 0.0.0.0 20.5.5.1
Router(config)#hostname LA-C1
LA-C1(config)#
Thanks to the magic of redistribution, we have routes:
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 02:24:38, GigabitEthernet0/0
      20.0.0.0/16 is subnetted, 1 subnets
D EX     20.5.0.0 [170/2562816] via 128.2.2.2, 00:00:10, GigabitEthernet0/0
      21.0.0.0/24 is subnetted, 1 subnets
D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 02:02:39, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 02:15:44, GigabitEthernet0/0
NY2#
We can even get to NY2 from the LA-FW C1 context:
LA-FW/C1(config)# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LA-FW/C1(config)# 
But this is pretty much as far as it goes. Most of the trouble revolved around NAT, but I got around that, and packet-tracer gave a clean result.

Something is majorly wrong here, and at the most basic of levels:

ARP is failing.

So I tried throwing a switch in between the two LA routers and the LA-FW; a little bit of reconfiguration later, and it looks like this:

However, it still does not work.

ARP is still failing, so I need to go and do some digging. Still, I like a challenge.

When you go back to the beginning, really go back to the beginning...

After having success yesterday with a small-scale Transparent ASA lab, I went back to the main topology and tried to get it working.

Still no luck. So I changed the ASA image to a later one, still no luck, then changed to an ASAv image, still no luck.

So what is the problem?

Turns out the problem was between the seat and the keyboard.

Because I have spent so long away from this topology, I forgot how it is intended to run. I should have started afresh, and gone through all of my configurations again. Instead I thought I remembered everything and expected stuff to work.

I completely forgot that the three sites, NY, LA and London, all hinge around a central MPLS core.

The interfaces I was trying to connect on NY1 were configured under a VRF, and as such needed the EIGRP configuration to be VRF-aware.

This will not work:
NY1(config)#do sh run | s router e
router eigrp NY-EIGRP
 !
 address-family ipv4 unicast autonomous-system 100
  !
  topology base
  exit-af-topology
  network 0.0.0.0
  network 128.2.2.0 0.0.0.255
  network 128.2.2.2 0.0.0.0
 exit-address-family
NY1(config)#
Neither will this:
NY1(config)#no router eigrp NY-EIGRP
NY1(config)#router eigrp 100
NY1(config-router)#eigrp router-id 2.2.2.2
NY1(config-router)#network 128.2.2.2 0.0.0.0 
NY1(config-router)#
NY1(config-router)#
NY1(config-router)#do sh ip eigrp neigh     
EIGRP-IPv4 Neighbors for AS(100)
NY1(config-router)#
This does though:
NY1(config-router)#no router eigrp 100
NY1(config)#router eigrp NY-EIGRP
NY1(config-router)#address-family ipv4 vrf 802101 auto 100
NY1(config-router-af)#eigrp router-id 2.2.2.2
NY1(config-router-af)#network 128.2.2.2 0.0.0.0
NY1(config-router-af)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 128.2.2.1 (GigabitEthernet0/1) is up: new adjacency
NY1(config-router-af)#
It just goes to show that if you are actually starting again, as I am here, then start from the beginning; don't just try to drop in where you were previously, as vital bits can be missed.

So, this all said and my memory refreshed as to what it is I am supposed to be doing, I should stop fucking about and get the MPLS core finished off so that I don't get caught again.

This also gives me a great opportunity to plug my MPLS book. If you haven't read it, go and get it from Amazon!

To get NY1 talking to the MPLS cloud we need to do the following:
NY1(config)#router eigrp NY-EIGRP
NY1(config-router)#address-family ipv4 unicast vrf 802101 autonomous-system 100        
NY1(config-router-af)#topology base 
NY1(config-router-af-topology)#redistribute bgp 1 metric 1000 10 100 1 1500
NY1(config-router-af-topology)#exit
NY1(config-router-af)#exit
NY1(config-router)#router bgp 1
NY1(config-router)#address-family ipv4 vrf 802101
NY1(config-router-af)#redistribute eigrp 100 metric 1
NY1(config-router-af)#
We should give NY2 something to advertise:
NY2(config)#router eigrp 100
NY2(config-router)#network 3.3.3.1 0.0.0.0 
NY2(config-router)#network 3.3.3.2 0.0.0.0
NY2(config-router)#network 3.3.3.3 0.0.0.0
NY2(config-router)#
We can then see these routes on LA1 and LON1:
LA1#sh ip route vrf 802101 | b Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:01:50
B        3.3.3.2 [200/1] via 2.2.2.2, 00:01:46
B        3.3.3.3 [200/1] via 2.2.2.2, 00:01:43
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:04:29
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:04:29
      198.240.5.0/24 is variably subnetted, 2 subnets, 2 masks
C        198.240.5.0/30 is directly connected, GigabitEthernet0/0
L        198.240.5.1/32 is directly connected, GigabitEthernet0/0
LA1#

LON1#sh ip route vrf 802101 | b Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:05:49
B        3.3.3.2 [200/1] via 2.2.2.2, 00:05:45
B        3.3.3.3 [200/1] via 2.2.2.2, 00:05:41
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/1
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:08:28
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:08:28
LON1#
Let's set up LON1:
LON1(config)#router ospf 100 vrf 802101 
LON1(config-router)#router-id 10.10.10.10
% OSPF: router-id 10.10.10.10 in use by ospf process 1
LON1(config-router)#int lo1
LON1(config-if)#
LON1(config-if)#ip add 10.10.10.100 255.255.255.255
LON1(config-if)#router ospf 100 vrf 802101
LON1(config-router)#router-id 10.10.10.100             
LON1(config-router)#network 10.1.1.0 0.0.0.255 area 0
LON1(config-router)#red bgp 1 subnets
LON1(config-router)#router bgp 1
LON1(config-router)#address-fam ipv4 vrf 802101
LON1(config-router-af)#red ospf 100
LON1(config-router-af)#
From NY2 we can now reach LON1:
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 00:00:29, GigabitEthernet0/0
NY2#
NY2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/14/16 ms
NY2#
We can't get beyond LON1 (into our LON network) as LON-SW is not running OSPF (yet). Let's set up the LA side:
LA1(config)#router eigrp LA-EIGRP
LA1(config-router)#address-family ipv4 vrf 802101 auto 200
LA1(config-router-af)#eigrp router-id 4.4.4.4
LA1(config-router-af)#network 198.240.5.1 0.0.0.0
LA1(config-router-af)#top base  
LA1(config-router-af-topology)#red bgp 1 metr 1000 10 100 1 1500
LA1(config-router-af-topology)#exi
LA1(config-router-af)#exi
LA1(config-router)#router bgp 1
LA1(config-router)#address-f ipv4 vrf 802101
LA1(config-router-af)#red eigrp 200 metric 1
LA1(config-router-af)#
How does this look?
LON1#sh ip route vrf 802101 | b Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:21:10
B        3.3.3.2 [200/1] via 2.2.2.2, 00:21:06
B        3.3.3.3 [200/1] via 2.2.2.2, 00:21:02
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/1
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:23:49
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:23:49
      198.240.5.0/30 is subnetted, 1 subnets
B        198.240.5.0 [200/0] via 4.4.4.4, 00:00:17
LON1#

NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 00:10:18, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:01:24, GigabitEthernet0/0
NY2#ping 198.240.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.240.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
NY2#
Pretty good!
Let's get LON-SW into OSPF and then we'll turn our attention to the LA-FW and multiple contexts.
LON-SW(config)#int lo0
LON-SW(config-if)#ip add 10.10.10.110 255.255.255.255
LON-SW(config-if)#router ospf 100
LON-SW(config-router)#router-id 10.10.10.110
LON-SW(config-router)#network 10.1.1.2 0.0.0.0 area 0
LON-SW(config-router)#
%OSPF-5-ADJCHG: Process 100, Nbr 10.10.10.100 on Vlan10 from LOADING to FULL, Loading Done
LON-SW(config-router)#
LON-SW(config-router)#network 21.38.5.1 0.0.0.0 area 0
LON-SW(config-router)#
Should be reachable from the NY and LA offices now:
NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 00:22:55, GigabitEthernet0/0
      21.0.0.0/24 is subnetted, 1 subnets
D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 00:00:56, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:14:01, GigabitEthernet0/0
NY2#ping 21.38.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 21.38.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/17/22 ms
NY2#

LA1#sh ip route vrf 802101 | b Gate                                        
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:36:43
B        3.3.3.2 [200/1] via 2.2.2.2, 00:36:39
B        3.3.3.3 [200/1] via 2.2.2.2, 00:36:36
      10.0.0.0/24 is subnetted, 1 subnets
B        10.1.1.0 [200/0] via 10.10.10.10, 00:24:44
      21.0.0.0/24 is subnetted, 1 subnets
B        21.38.5.0 [200/2] via 10.10.10.10, 00:02:50
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:39:22
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:39:22
      198.240.5.0/24 is variably subnetted, 2 subnets, 2 masks
C        198.240.5.0/30 is directly connected, GigabitEthernet0/0
L        198.240.5.1/32 is directly connected, GigabitEthernet0/0
LA1#ping vrf 802101 21.38.5.1      
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 21.38.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/11/15 ms
LA1#
Sweet, now let's get going with some multiple context firewalls!
CCIE Security: Transparent ASA

Transparent firewalls act as a bump in the wire. They work at layer 2, instead of layer 3 like a routed firewall does. So, we should be able to get NY1 and NY2 to form an EIGRP adjacency with each other, with the NY-FW sitting in the middle looking after the traffic. The emphasis is on should.

We'll start with the basics. First, we change the firewall mode from the default of Router to transparent:
ciscoasa(config)# firewall transparent
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# hostname NY-FW
NY-FW(config)# end
NY-FW# sh firewall
Firewall mode: Transparent
NY-FW# 
We don't assign IP addresses to the interfaces; instead we have one "management" address, which is configured under a BVI. The interfaces are then joined together into the bridge group:
NY-FW(config)# int e1  
NY-FW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config)# int e0
NY-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config-if)#
NY-FW(config)# interface bvi 1
NY-FW(config-if)# ip address 128.2.2.100 255.255.255.0
NY-FW(config-if)# http 0.0.0.0 0.0.0.0 inside
WARNING: http server is not yet enabled to allow ASDM access.
NY-FW(config)# http server enable
NY-FW(config)# http 0.0.0.0 0.0.0.0 inside
NY-FW(config)# 
In the interest of full disclosure, I did have issues on my home lab using ASA 8.4.2. It just did not want to play ball. So I created a very small lab (2 routers, called "Inside" and "Outside", and an ASAv running 9.5.1), and it worked fine. Here is the (cut-down) configuration:
NY-FW(config)# sh run
: Saved

:
: Serial Number: 9AW2F38S6JE
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2494 MHz
:
ASA Version 9.5(1)
!
firewall transparent
hostname NY-FW
enable password AVQgTSU8ASliPKq7 encrypted
passwd AVQgTSU8ASliPKq7 encrypted
names
!
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 128.2.2.100 255.255.255.0
!
access-list outside->in extended permit eigrp any any
access-group outside->in in interface Inside
access-group outside->in in interface Outside
Here we can see the successful EIGRP adjacency:
Inside#sh ip route eigrp | b Gate
Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 128.2.2.2, 00:00:13, GigabitEthernet0/0
Inside#
Inside#sh ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address        Interface   Hold Uptime   SRTT   RTO  Q  Seq 
                                     (sec)         (ms)     Cnt Num
0   128.2.2.2      Gi0/0         10 00:13:44  150   900  0  3
Inside#
I might have screwed up the formatting, but it shows that it works.

The next step is to try the same configuration above on the existing topology, or change the NY-FW in the proper topology for an ASAv, and hope that that works.

Alone, this ACL on the firewall is not enough: it gets us visibility (control plane), but not reachability (data plane). For example, we cannot ping from one router to another:
Inside#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Inside#
For ping to work we need another ACE (access control entry):
access-list outside->in permit icmp any any
Just to give us everything we need, I'll add IP as well:
access-list outside->in permit ip any any
Once we set up the other router for telnet:
Outside(config)#line vty 0 4
Outside(config-line)#
Outside(config-line)#password 802101
Outside(config-line)#login
Outside(config-line)#transport input telnet
We have access:
Inside#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
Inside#telnet 2.2.2.2
Trying 2.2.2.2 ... Open


****************
* banner stuff *
****************

User Access Verification

Password:

Outside>
So there we have a very brief intro to Transparent firewalls, and hopefully it'll work in the main lab later on.

CCIE Security lab - recap, redesign, restart

It's been a long time since I have written about the CCIE Security lab I have started. A lot has happened since, though. I have completed the CCIE Security written exam, and have (nearly) finished my fourth book, CCNA and Beyond, soon to be on Amazon. Looks good, doesn't it?


Now it's time to start labbing again.

When I left it last, I had completed the MPLS core which will join the three "sites" together. These sites have now been named NY, LA and LON(don) (and yes, I know that NY and LA should probably be round the other way).

So the MPLS core has been completed. I also set up the AD domain and started some VLAN work. After that, loads of other stuff happened.

As a recap, this is what has been decided upon so far:


The MPLS bit is done, and LON1 can see the subnets for NY and LA:
LON1#sh ip route | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/3] via 134.20.1.9, 00:22:58, GigabitEthernet0/0
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/3] via 134.20.1.9, 00:22:58, GigabitEthernet0/0
      8.0.0.0/32 is subnetted, 1 subnets
O        8.8.8.8 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
      10.0.0.0/32 is subnetted, 1 subnets
C        10.10.10.10 is directly connected, Loopback0
      134.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
O        134.20.1.0/30 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
O        134.20.1.4/30 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
C        134.20.1.8/30 is directly connected, GigabitEthernet0/0
L        134.20.1.10/32 is directly connected, GigabitEthernet0/0
LON1#

This is not a true MPLS setup at the moment; we should get the other networks involved. So let's do that now. We will start with the London network:
Switch(config)#ho LON-SW
LON-SW(config)#vlan 10
LON-SW(config-vlan)#name MAIN-VLAN
LON-SW(config-vlan)#exi
LON-SW(config)#int gi0/0
LON-SW(config-if)#swi mo acc
LON-SW(config-if)#swi acc vl 10
LON-SW(config-if)#int vlan 10
LON-SW(config-if)#ip add 10.1.1.2 255.255.255.0
LON-SW(config-if)#no shut
LON-SW(config-if)#
LON-SW(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1:
.!!!!
Success rate is 80 percent (4/5)
LON-SW(config-if)#
Now let's move down to our London firewalls. I will be using the subnet 21.38.5.0/24 for the connections between the two firewalls and the LON-SW switch.
LON-SW(config)#line con 0
LON-SW(config-line)#exec-t 0 0
LON-SW(config-line)#exi
LON-SW(config)#vlan 20
LON-SW(config-vlan)#name Inside-VLAN
LON-SW(config-vlan)#exit
LON-SW(config)#int vlan 20
LON-SW(config-if)#ip add 21.38.5.1 255.255.255.0
LON-SW(config-if)#no shut
LON-SW(config)#int ra gi 0/1 - 2  
LON-SW(config-if-range)#swi mode acc
LON-SW(config-if-range)#swi acc vl 20
LON-SW(config-if-range)#no shu
LON-SW(config-if-range)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------
1    default                          active    Gi0/3
10   MAIN-VLAN                        active    Gi0/0
20   Inside-VLAN                      active    Gi0/1, Gi0/2
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
LON-SW(config-if-range)#do sh ip int bri
Interface              IP-Address      OK? Method Status     Protocol
GigabitEthernet0/0     unassigned      YES unset  up         up      
GigabitEthernet0/1     unassigned      YES unset  up         up      
GigabitEthernet0/2     unassigned      YES unset  up         up      
GigabitEthernet0/3     unassigned      YES unset  up         up      
Vlan10                 10.1.1.2        YES manual up         up      
Vlan20                 21.38.5.1       YES manual down       down    
LON-SW(config-if-range)#
*Jan 12 12:26:44.246: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
*Jan 12 12:26:45.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
LON-SW(config-if-range)#
Because it's hard to cut and paste from a VNC session, I have set up SSH access from the LON-SW switch and have SSH'd onto LON-FW1. Here is the basic IP addressing:
ASAv1# sh run interface GigabitEthernet 0/0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 21.38.5.254 255.255.255.0 
ASAv1# conf t
ASAv1(config)# hostname LON-FW1
LON-FW1(config)# exi
LON-FW1# sh run | i ssh
aaa authentication ssh console LOCAL 
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 Inside
ssh 21.38.5.1 255.255.255.255 Outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
LON-FW1# 
LON-FW2 has been set up with an Outside address as well, and is reachable from LON-FW1.

We already have some basic internal IP addressing from before, so now we have the 192.168.10.0/24 network going down from the firewalls to the switches. At the moment this is just the gi0/1 interface, but we'll change this into a redundancy group later on. Let's set them up in a failover pair.

Setting up Active/Standby ASA failover pair

The only difference between the two devices is that one uses the command "failover lan unit primary" and the other uses "failover lan unit secondary". The configs for LON-FW1 are here:
LON-FW1(config)# failover
LON-FW1(config)# failover lan unit primary
LON-FW1(config)# failover lan interface FOVER GigabitEthernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
LON-FW1(config)# failover replication http
LON-FW1(config)# failover interface ip FOVER 10.1.208.1 255.255.255.252 standb$
LON-FW1(config)# 
        No Active mate detected
LON-FW1(config)# 
LON-FW1(config)# failover key fover
LON-FW1(config)# end
LON-FW1# sh failover
Failover On 
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet0/3 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.4(1), Mate Unknown
Last Failover at: 12:43:42 UTC Jan 12 2016
        This host: Primary - Active 
                Active time: 130 (sec)
                slot 0: empty
                  Interface Inside (192.168.10.254): Unknown (Waiting)
                  Interface Outside (21.38.5.254): Unknown (Waiting)
        Other host: Secondary - Failed 
                Active time: 0 (sec)
                  Interface Inside (0.0.0.0): Unknown (Waiting)
                  Interface Outside (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
              
LON-FW1# conf t
LON-FW1(config)# int gi0/3
LON-FW1(config-if)# no shut
LON-FW1(config-if)# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

LON-FW1(config-if)# 
Setting up interfaces for failover is pretty easy:
LON-FW1# sh run int gi0/0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 21.38.5.254 255.255.255.0 standby 21.38.5.253 
LON-FW1# 
LON-FW1# conf t    
LON-FW1(config)# int gi0/1
LON-FW1(config-if)# ip add 192.168.10.254 255.255.255.0 standby 192.168.10.253
LON-FW1(config-if)# end
LON-FW1# sh fail
Failover On 
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.4(1), Mate 9.4(1)
Last Failover at: 12:43:42 UTC Jan 12 2016
        This host: Primary - Active 
                Active time: 540 (sec)
                slot 0: empty
                  Interface Inside (192.168.10.254): Normal (Waiting)
                  Interface Outside (21.38.5.254): Normal (Monitored)
        Other host: Secondary - Standby Ready 
                Active time: 28 (sec)
                  Interface Inside (192.168.10.253): Normal (Waiting)
                  Interface Outside (21.38.5.253): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
              
LON-FW1#
LON-FW1# copy run start

Source filename [running-config]? 
Cryptochecksum: 8f650365 eb39d041 7e4fbeee d985eb91 

8751 bytes copied in 0.120 secs
LON-FW1#  
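The two `show failover` listings above are exactly what a monitoring check should be reading. As an added example (not code from the original post, and not a Cisco utility), here is a Python script that turns constructed, trimmed copies of that output into a pass/warn verdict; it also picks up the "Link : Unconfigured." line, which means the pair has no stateful failover link and existing sessions would be lost on a switchover.

```python
"""Turn ASA 'show failover' output into a pass/warn health check.

Added example, not code from the original post. The two listings are
constructed from the 'show failover' output above (before and after the
failover link came up), trimmed to the lines the check reads; this is a
hypothetical monitoring script, not a Cisco tool."""
import re

BEFORE = """\
Failover On
Failover LAN Interface: FOVER GigabitEthernet0/3 (Failed - No Switchover)
Version: Ours 9.4(1), Mate Unknown
        This host: Primary - Active
                  Interface Inside (192.168.10.254): Unknown (Waiting)
                  Interface Outside (21.38.5.254): Unknown (Waiting)
        Other host: Secondary - Failed
                  Interface Inside (0.0.0.0): Unknown (Waiting)
                  Interface Outside (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""
AFTER = """\
Failover On
Failover LAN Interface: FOVER GigabitEthernet0/3 (up)
Version: Ours 9.4(1), Mate 9.4(1)
        This host: Primary - Active
                  Interface Inside (192.168.10.254): Normal (Waiting)
                  Interface Outside (21.38.5.254): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface Inside (192.168.10.253): Normal (Waiting)
                  Interface Outside (21.38.5.253): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

def parse_failover(text):
    """Pull the fields the health check needs out of 'show failover'."""
    f = {"on": False, "lan": None, "ours": None, "mate": None,
         "this_host": None, "other_host": None, "ifaces": [], "stateful": None}
    side = None                      # which host the interface lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            f["on"] = True
        elif m := re.match(r"Failover LAN Interface: \S+ \S+ \((.*)\)", line):
            f["lan"] = m.group(1)
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            f["ours"], f["mate"] = m.group(1), m.group(2)
        elif m := re.match(r"(This|Other) host: \w+ - (.+)", line):
            side = "this" if m.group(1) == "This" else "other"
            f[f"{side}_host"] = m.group(2).strip()
        elif m := re.match(r"Interface (\S+) \([\d.]+\): (\w+) \((\w+)\)", line):
            f["ifaces"].append((side, m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"Link : (\w+)", line):
            f["stateful"] = m.group(1)
    return f

def assess(text):
    """Return (problems, warnings): any problem means the pair cannot be
    trusted to fail over; warnings are worth fixing before relying on it."""
    f = parse_failover(text)
    problems, warnings = [], []
    if not f["on"]:
        problems.append("failover is off")
    if f["lan"] != "up":
        problems.append(f"failover LAN interface is {f['lan']}")
    if f["other_host"] != "Standby Ready":
        problems.append(f"mate is {f['other_host']}, not Standby Ready")
    if f["mate"] != f["ours"]:
        problems.append(f"software mismatch: ours {f['ours']}, mate {f['mate']}")
    for side, name, status, monitor in f["ifaces"]:
        if status != "Normal":
            problems.append(f"{side} host {name} is {status}")
        elif monitor != "Monitored":
            warnings.append(f"{side} host {name} is Normal but {monitor}")
    if f["stateful"] == "Unconfigured":
        warnings.append("no stateful failover link: sessions drop on switchover")
    return problems, warnings
```

`assess(BEFORE)` returns seven problems (failed LAN interface, failed mate, unknown mate version, four interfaces in Unknown state), while `assess(AFTER)` returns no problems and three warnings.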
The switches also have some basic configuration:
SW1#sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3, Gi2/0
                                                Gi2/1, Gi2/2, Gi2/3, Gi3/3
8    Internal-HTTP                    active    
10   AD VLAN                          active    Gi0/0
17   Voice_VLAN                       active    
42   VLAN0042                         active    
100  WSA MGMT                         active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW1#
Let's get SW1 and SW2 working with HSRP for VLAN 10:
SW1(config)#int vlan 10
SW1(config-if)#no shut
SW1(config-if)#
SW1(config-if)#ip add 192.168.10.2 255.255.255.0
SW1(config-if)#standby 10 ip 192.168.10.1
SW1(config-if)#standby 10 pri 110
SW1(config-if)#standby 10 pre del min 60
SW1(config-if)#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
SW1(config-if)#

SW2(config)#int vlan 10
SW2(config-if)#ip add 192.168.10.3 255.255.255.0
SW2(config-if)#
SW2(config-if)#standby 10 ip 192.168.10.1
SW2(config-if)#standby 10 pri 90
SW2(config-if)#no shu
SW2(config-if)#int gi 0/0
SW2(config-if)#swi mo acc
SW2(config-if)#swi acc vl 10
SW2(config-if)#no sh
SW2(config-if)#
%LINK-3-UPDOWN: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby

SW1(config-if)#do sh standby
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:03:29
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.688 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 192.168.10.3, priority 90 (expires in 10.032 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Vl10-10" (default)
SW1(config-if)#

SW2(config-if)#do sh standby
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:02:22
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.496 secs
  Preemption disabled
  Active router is 192.168.10.2, priority 110 (expires in 9.520 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Vl10-10" (default)
SW2(config-if)#
Seems pretty stable using vios (vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20150414)), so let's go and set up the ASAs in a redundant group.

ASA redundant interfaces 

For this we start by removing the nameif and IP address from the Gi0/1 interface, then create the redundant group:


In the end the config looks like this:
LON-FW1# sh run int gi0/1
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
LON-FW1# sh run int gi0/2
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
LON-FW1# sh run int redundant 1
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253 
LON-FW1# ping Inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LON-FW1# 
Looks like HSRP is stable! (Much better than the IOL images!)

One final thing before I leave it here for today, some static routing on the LON-FW firewall:
LON-FW1(config)# route Outside 0.0.0.0 0.0.0.0 21.38.5.1   
LON-FW1(config)# route Inside 192.168.0.0 255.255.0.0 192.168.10.1
LON-FW1(config)# 
The network is starting to take shape again. I need to figure out some internal addressing, so I'll do that and pick this up again later in the week.