It's been a long time since I last wrote about the CCIE Security lab I started, but a lot has happened since. I have completed the CCIE Security written exam and have (nearly) finished my fourth book, CCNA and Beyond, which will soon be on Amazon. Looks good, doesn't it?
Now it's time to start labbing again.
When I left it last, I had completed the MPLS core which will join the three "sites" together. These sites have now been named NY, LA and LON(don) (and yes, I know that NY and LA should probably be round the other way).
So the MPLS core has been completed, the AD domain has been set up, and I had started some VLAN work. After that, loads of other stuff happened.
As a recap, this is what has been decided upon so far:
The MPLS bit is done, and LON1 can see the subnets for NY and LA:
LON1#sh ip route | b Gate
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/3] via 134.20.1.9, 00:22:58, GigabitEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 134.20.1.9, 00:22:58, GigabitEthernet0/0
8.0.0.0/32 is subnetted, 1 subnets
O 8.8.8.8 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
10.0.0.0/32 is subnetted, 1 subnets
C 10.10.10.10 is directly connected, Loopback0
134.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
O 134.20.1.0/30 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
O 134.20.1.4/30 [110/2] via 134.20.1.9, 00:23:08, GigabitEthernet0/0
C 134.20.1.8/30 is directly connected, GigabitEthernet0/0
L 134.20.1.10/32 is directly connected, GigabitEthernet0/0
LON1#
This is not a true MPLS setup at the moment, we should get the other networks involved. So let's do that now. We will start with the London network:
Switch(config)#ho LON-SW
LON-SW(config)#vlan 10
LON-SW(config-vlan)#name MAIN-VLAN
LON-SW(config-vlan)#exi
LON-SW(config)#int gi0/0
LON-SW(config-if)#swi mo acc
LON-SW(config-if)#swi acc vl 10
LON-SW(config-if)#int vlan 10
LON-SW(config-if)#ip add 10.1.1.2 255.255.255.0
LON-SW(config-if)#no shut
LON-SW(config-if)#
LON-SW(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1:
.!!!!
Success rate is 80 percent (4/5)
LON-SW(config-if)#
Now let's move down to our London firewalls. I will be using the subnet 21.38.5.0/24 for the connections between the two firewalls and the LON-SW switch.
LON-SW(config)#line con 0
LON-SW(config-line)#exec-t 0 0
LON-SW(config-line)#exi
LON-SW(config)#vlan 20
LON-SW(config-vlan)#name Inside-VLAN
LON-SW(config-vlan)#exit
LON-SW(config)#int vlan 20
LON-SW(config-if)#ip add 21.38.5.1 255.255.255.0
LON-SW(config-if)#no shut
LON-SW(config)#int ra gi 0/1 - 2
LON-SW(config-if-range)#swi mode acc
LON-SW(config-if-range)#swi acc vl 20
LON-SW(config-if-range)#no shu
LON-SW(config-if-range)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------
1    default                          active    Gi0/3
10   MAIN-VLAN                        active    Gi0/0
20   Inside-VLAN                      active    Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
LON-SW(config-if-range)#do sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 21.38.5.1       YES manual down                  down
LON-SW(config-if-range)#
*Jan 12 12:26:44.246: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
*Jan 12 12:26:45.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
LON-SW(config-if-range)#
Because it's hard to cut and paste from a VNC session, I have set up SSH access from the LON-SW switch and have SSH'd onto LON-FW1. Here is the basic IP addressing:
ASAv1# sh run interface GigabitEthernet 0/0
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 21.38.5.254 255.255.255.0
ASAv1# conf t
ASAv1(config)# hostname LON-FW1
LON-FW1(config)# exi
LON-FW1# sh run | i ssh
aaa authentication ssh console LOCAL
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 Inside
ssh 21.38.5.1 255.255.255.255 Outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
LON-FW1#
LON-FW2 has been set up with an Outside address as well, and is reachable from LON-FW1.
We already have some basic internal IP addressing from before, so the 192.168.10.0/24 network now runs down from the firewalls to the switches. At the moment this is just the gi0/1 interface, but we'll change it into a redundant interface group later on. First, let's set the two firewalls up as a failover pair.
Setting up Active/Standby ASA failover pair
The only difference between the two devices is that one uses the command "failover lan unit primary" and the other uses "failover lan unit secondary". The config for LON-FW1 is here:
LON-FW1(config)# failover
LON-FW1(config)# failover lan unit primary
LON-FW1(config)# failover lan interface FOVER GigabitEthernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
LON-FW1(config)# failover replication http
LON-FW1(config)# failover interface ip FOVER 10.1.208.1 255.255.255.252 standb$
LON-FW1(config)#
No Active mate detected
LON-FW1(config)#
LON-FW1(config)# failover key fover
LON-FW1(config)# end
LON-FW1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet0/3 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.4(1), Mate Unknown
Last Failover at: 12:43:42 UTC Jan 12 2016
This host: Primary - Active
Active time: 130 (sec)
slot 0: empty
Interface Inside (192.168.10.254): Unknown (Waiting)
Interface Outside (21.38.5.254): Unknown (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
Interface Inside (0.0.0.0): Unknown (Waiting)
Interface Outside (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
LON-FW1# conf t
LON-FW1(config)# int gi0/3
LON-FW1(config-if)# no shut
LON-FW1(config-if)# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
LON-FW1(config-if)#
Setting up interfaces for failover is pretty easy:
LON-FW1# sh run int gi0/0
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 21.38.5.254 255.255.255.0 standby 21.38.5.253
LON-FW1#
LON-FW1# conf t
LON-FW1(config)# int gi0/1
LON-FW1(config-if)# ip add 192.168.10.254 255.255.255.0 standby 192.168.10.253
LON-FW1(config-if)# end
LON-FW1# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.4(1), Mate 9.4(1)
Last Failover at: 12:43:42 UTC Jan 12 2016
This host: Primary - Active
Active time: 540 (sec)
slot 0: empty
Interface Inside (192.168.10.254): Normal (Waiting)
Interface Outside (21.38.5.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 28 (sec)
Interface Inside (192.168.10.253): Normal (Waiting)
Interface Outside (21.38.5.253): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
LON-FW1#
LON-FW1# copy run start
Source filename [running-config]?
Cryptochecksum: 8f650365 eb39d041 7e4fbeee d985eb91
8751 bytes copied in 0.120 secs
LON-FW1#
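The two `show failover` captures above differ in exactly the fields worth watching on a pair like this: the state of the failover link, whether the mate's software version is known and matches, whether the other unit is Standby Ready, and whether each monitored interface is Normal. As an added example (not from the post), this Python reduces that output to those fields and lists anything that stops the pair from being fully redundant; the two sample texts are constructed from the captures above, trimmed to the lines the check reads.

```python
import re

# Constructed from the two `show failover` captures in the post, trimmed to the
# lines the health check reads: the first before gi0/3 came up, the second after.
BEFORE = """Failover LAN Interface: FOVER GigabitEthernet0/3 (Failed - No Switchover)
Version: Ours 9.4(1), Mate Unknown
This host: Primary - Active
Interface Inside (192.168.10.254): Unknown (Waiting)
Other host: Secondary - Failed
Interface Inside (0.0.0.0): Unknown (Waiting)"""
AFTER = """Failover LAN Interface: FOVER GigabitEthernet0/3 (up)
Version: Ours 9.4(1), Mate 9.4(1)
This host: Primary - Active
Interface Inside (192.168.10.254): Normal (Waiting)
Interface Outside (21.38.5.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface Inside (192.168.10.253): Normal (Waiting)
Interface Outside (21.38.5.253): Normal (Monitored)"""

LAN_RE = re.compile(r"^Failover LAN Interface: (\S+ \S+) \((.+)\)$")
VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host: \S+ - (.+)$")
IF_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+) \(\S+\)$")

def parse_show_failover(text):
    """Reduce `show failover` output to the fields that decide redundancy."""
    s = {"lan": None, "versions": None, "units": {}}
    unit = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := LAN_RE.match(line):
            s["lan"] = m.groups()            # (interface, state)
        elif m := VER_RE.match(line):
            s["versions"] = m.groups()       # (ours, mate)
        elif m := HOST_RE.match(line):
            unit = s["units"].setdefault(m.group(1), {"state": m.group(2), "ifs": []})
        elif (m := IF_RE.match(line)) and unit:
            unit["ifs"].append(m.groups())   # (name, ip, state)
    return s

def failover_problems(text):
    """List why the pair is not fully redundant; an empty list means healthy."""
    s, problems = parse_show_failover(text), []
    if s["lan"] and s["lan"][1] != "up":
        problems.append(f"failover link {s['lan'][0]} is {s['lan'][1]}")
    if s["versions"] and s["versions"][0] != s["versions"][1]:
        problems.append("software mismatch: ours %s, mate %s" % s["versions"])
    if sorted(u["state"] for u in s["units"].values()) != ["Active", "Standby Ready"]:
        problems.append("expected one Active unit and one Standby Ready unit")
    for which, u in s["units"].items():
        problems += [f"{which} host {n} ({ip}) is {st}" for n, ip, st in u["ifs"] if st != "Normal"]
    return problems
```

Run against the first capture it reports the failed link, the unknown mate version, the Failed secondary and the Unknown interfaces; against the second it returns an empty list.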
The switches also have some basic configuration:
SW1#sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3, Gi2/0
                                                Gi2/1, Gi2/2, Gi2/3, Gi3/3
8    Internal-HTTP                    active
10   AD VLAN                          active    Gi0/0
17   Voice_VLAN                       active
42   VLAN0042                         active
100  WSA MGMT                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
SW1#
Let's get SW1 and SW2 working with HSRP for VLAN 10:
SW1(config)#int vlan 10
SW1(config-if)#no shut
SW1(config-if)#
SW1(config-if)#ip add 192.168.10.2 255.255.255.0
SW1(config-if)#standby 10 ip 192.168.10.1
SW1(config-if)#standby 10 pri 110
SW1(config-if)#standby 10 pre del min 60
SW1(config-if)#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
SW1(config-if)#
SW2(config)#int vlan 10
SW2(config-if)#ip add 192.168.10.3 255.255.255.0
SW2(config-if)#
SW2(config-if)#standby 10 ip 192.168.10.1
SW2(config-if)#standby 10 pri 90
SW2(config-if)#no shu
SW2(config-if)#int gi 0/0
SW2(config-if)#swi mo acc
SW2(config-if)#swi acc vl 10
SW2(config-if)#no sh
SW2(config-if)#
%LINK-3-UPDOWN: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
SW1(config-if)#do sh standby
Vlan10 - Group 10
State is Active
2 state changes, last state change 00:03:29
Virtual IP address is 192.168.10.1
Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.688 secs
Preemption enabled, delay min 60 secs
Active router is local
Standby router is 192.168.10.3, priority 90 (expires in 10.032 sec)
Priority 110 (configured 110)
Group name is "hsrp-Vl10-10" (default)
SW1(config-if)#
SW2(config-if)#do sh standby
Vlan10 - Group 10
State is Standby
1 state change, last state change 00:02:22
Virtual IP address is 192.168.10.1
Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.496 secs
Preemption disabled
Active router is 192.168.10.2, priority 110 (expires in 9.520 sec)
Standby router is local
Priority 90 (configured 90)
Group name is "hsrp-Vl10-10" (default)
SW2(config-if)#
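The two `show standby` outputs above should agree with each other and with the configuration just entered: same group and virtual IP, the HSRPv1 virtual MAC 0000.0c07.acXX where XX is the group number in hex (0a for group 10), exactly one Active and one Standby, and the higher-priority switch Active with preemption enabled so it reclaims the role after a reload. As an added example (not from the post), this Python cross-checks those points across the two captures; the sample texts are constructed from the outputs above, trimmed to the lines read. An Active router or virtual MAC that does not match is the kind of thing worth investigating on a segment, since HSRP will happily follow whoever advertises the best priority.

```python
import re
# Constructed from the two `show standby` captures in the post, trimmed to the
# lines this check reads.
SW1_STANDBY = """Vlan10 - Group 10
State is Active
Virtual IP address is 192.168.10.1
Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
Preemption enabled, delay min 60 secs
Priority 110 (configured 110)"""
SW2_STANDBY = """Vlan10 - Group 10
State is Standby
Virtual IP address is 192.168.10.1
Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
Preemption disabled
Priority 90 (configured 90)"""

FIELDS = {  # one regex per field; capture group 1 is the value
    "group": re.compile(r"^\S+ - Group (\d+)$"),
    "state": re.compile(r"^State is (\S+)$"),
    "vip": re.compile(r"^Virtual IP address is (\S+)$"),
    "vmac": re.compile(r"^Active virtual MAC address is (\S+)"),
    "preempt": re.compile(r"^Preemption (enabled|disabled)"),
    "priority": re.compile(r"^Priority (\d+)"),
}

def hsrp_v1_virtual_mac(group):
    """HSRP version 1 uses 0000.0c07.acXX, with XX the group number in hex."""
    return f"0000.0c07.ac{group:02x}"

def parse_show_standby(text):
    view = {}  # field name -> value for one router's `show standby`
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            if m := rx.match(line.strip()):
                view[key] = int(m.group(1)) if key in ("group", "priority") else m.group(1)
    return view

def hsrp_problems(*outputs):
    """Cross-check the routers of one HSRP group; an empty list means consistent."""
    views, problems = [parse_show_standby(o) for o in outputs], []
    if len({(v["group"], v["vip"]) for v in views}) != 1:
        problems.append("routers disagree on group number or virtual IP")
    for v in views:
        if v["vmac"] != hsrp_v1_virtual_mac(v["group"]):
            problems.append(f"virtual MAC {v['vmac']} does not belong to group {v['group']}")
    if sorted(v["state"] for v in views) != ["Active", "Standby"]:
        problems.append("expected exactly one Active and one Standby router")
    best = max(views, key=lambda v: v["priority"])
    if best["state"] != "Active":
        problems.append(f"priority {best['priority']} router is {best['state']}, not Active")
    if best["preempt"] != "enabled":
        problems.append("highest-priority router has preemption disabled")
    return problems
```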
Seems pretty stable using vios (vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20150414)), so let's go and set up the ASAs in a redundant group.
ASA redundant interfaces
For this we start by removing the nameif and IP address from the Gi0/1 interface, then create the redundant group. In the end the config looks like this:
LON-FW1# sh run int gi0/1
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
LON-FW1# sh run int gi0/2
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
LON-FW1# sh run int redundant 1
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253
LON-FW1# ping Inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LON-FW1#
Looks like HSRP is stable! (Much better than the IOL images!)
One final thing before I leave it here for today, some static routing on the LON-FW firewall:
LON-FW1(config)# route Outside 0.0.0.0 0.0.0.0 21.38.5.1
LON-FW1(config)# route Inside 192.168.0.0 255.255.0.0 192.168.10.1
LON-FW1(config)#
The network is starting to take shape again. I need to figure out some internal addressing, so I'll do that and pick this up again later in the week.