Scheduled certification will resume shortly - back to CCIE.Sec!

OK, so I have been a bit preoccupied recently, I am putting the finishing touches to CCNA and Beyond, which is currently in the hands of the previewers, and took a side step to get the Check Point Certified Security Administrator (CCSA) exam - which I passed today. And as I am in a good mood, it's time to crank up the volume and play music. So here is Ash performing "Burn Baby Burn":

Love that song. And now, here is Red Kite performing "Montreal":

Anyway, it's time to crack on with the CCIE Security. It'sMarch now and I want to sit the exam in December. So I best be getting on with it.

Despite losing the existing topology, I rebuilt most of it using REST calls, but need to finish quite a bit by hand. It's nearly done! I have had to change the LA-FW to ASA (8.4.2) if you are following along at home and need to use the same REST calls.

It's actually proving much harder to re-do all of this than I thought, which is my fault as I did not rename devices, or come up with a proper IP address scheme early on. But, like my lack of backing up, I only have myself to blame.

I will post the topology (as it is at the moment) at the end of this post, and it will have IP addressing and so on and so forth. Lots of people have asked for it, so i't about time I shared it - also it means that this post will be a new starting point, and be all IP'd up (or nearly all).

I will start with the multi-context firewalls first, then do the transparent firewalls, then the MPLS core. If I am luck y then I'll even be able to get the tabbed thing working as it should do...

Multi-context firewalls

The code for the firewalls is below:

• LA2
• LA3
• LA-FW
• LA-FW-C1
• LA-FW-C2
• LA-SW
• LA1

hostname LA2
interface GigabitEthernet0/0
 ip address 20.5.5.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
ip route 0.0.0.0 0.0.0.0 20.5.5.1

hostname LA3
interface GigabitEthernet0/0
 ip address 20.6.6.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
ip route 0.0.0.0 0.0.0.0 20.6.6.1

hostname LA-FW
interface Ethernet0
!
interface Ethernet0.10
 vlan 10
!
interface Ethernet0.20
 vlan 20
!
interface Ethernet0.30
 vlan 30
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
context C1
  allocate-interface Ethernet0.20 outsideC1 
  allocate-interface Ethernet2 insideC1 
  config-url disk0:/C1.cfg
!             
context C2
  allocate-interface Ethernet0.30 outsideC2 
  allocate-interface Ethernet3 insideC2 visible 
  config-url disk0:/C2.cfg
!
prompt hostname context

hostname C1
interface outsideC1
 nameif Outside
 security-level 0
 ip address 198.250.20.2 255.255.255.0 
!
interface insideC1
 nameif Inside
 security-level 100
 ip address 20.5.5.1 255.255.255.0 
!

hostname C2
interface outsideC2
 nameif Outside
 security-level 0
 ip address 198.250.30.2 255.255.255.0 
!
interface insideC2
 nameif Inside
 security-level 100
 ip address 20.6.6.1 255.255.255.0 
!

hostname LA-SW
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto

Remember to recreate the VLANs! (10,20 and 30)

hostname LA1
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.240.5.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 198.250.20.1 255.255.255.252
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 198.250.30.1 255.255.255.0
!

Make sure that the interfaces are not shut off, and save the work!

Transparent ASA

• NY2
• NY-FW
• NY1

hostname NY2
interface Loopback0
 ip address 3.3.3.0 255.255.255.255
!
interface Loopback1
 ip address 3.3.3.1 255.255.255.255
!
interface Loopback2
 ip address 3.3.3.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 128.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!

firewall transparent
hostname NY-FW
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 128.2.2.254 255.255.255.0 
!
ftp mode passive
access-list outside->in extended permit eigrp any any 
access-list outside->in extended permit icmp any any 
access-list outside->in extended permit ip any any 
!
access-group outside->in in interface Inside
access-group outside->in in interface Outside
!
http server enable
http 0.0.0.0 0.0.0.0 Inside

hostname NY1
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 128.2.2.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 198.240.3.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!

MPLS Core

• NY1
• ISP
• LA1
• LON1

router ospf 1
router-id 2.2.2.2
network 198.240.3.1 0.0.0.0 a 0
network 2.2.2.2 0.0.0.0 a 0
mpls ldp autoconfig
mpls label protocol ldp
mpls ldp router-id lo0 force
router bgp 1
bgp router-id 2.2.2.2
no bgp def ipv4-unicast 
neigh 4.4.4.4 remote 1
neigh 3.3.3.3 remote 1
neigh 4.4.4.4 update lo0
neigh 3.3.3.3 update lo0
address-family vpnv4 
neigh 4.4.4.4 activate
neigh 3.3.3.3 activ
neigh 4.4.4.4 send-community extended 
neigh 3.3.3.3 send-community extended 
!
ip vrf 802101
rd 1:1
route-target bo 1:1
!
int gi0/0
ip vrf for 802101
ip add 128.2.2.1 255.255.255.0
!
router bgp 1
add ipv4 vrf 802101

hostname ISP
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.240.3.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 198.240.5.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 198.240.1.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
router-id 1.1.1.1
network 0.0.0.0 0.0.0.0 a 0
mpls ldp autoconfig
mpls label protocol ldp
mpls ldp router-id lo0 force

router ospf 1
router-id 4.4.4.4
network 198.240.5.1 0.0.0.0 a 0
network 4.4.4.4 0.0.0.0 a 0
mpls ldp autoconfig
mpls label protocol ldp
mpls ldp router-id lo0 force
router bgp 1
bgp router-id 4.4.4.4
no bgp def ipv4-unicast 
neigh 2.2.2.2 remote 1
neigh 3.3.3.3 remote 1
neigh 2.2.2.2 update lo0
neigh 3.3.3.3 update lo0
address-family vpnv4 
neigh 2.2.2.2 activate
neigh 3.3.3.3 activ
neigh 2.2.2.2 send-community extended 
neigh 3.3.3.3 send-community extended
!
ip vrf 802101
rd 1:1
route-target bo 1:1
!
int gi0/1.20
ip vrf for 802101
ip add 198.250.20.1 255.255.255.0
int gi 0/1.30 
ip vrf for 802101
ip add 198.250.30.1 255.255.255.0
!
router bgp 1
add ipv4 vrf 802101

hostname LON1
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.240.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
router-id 3.3.3.3
network 198.240.1.1 0.0.0.0 a 0
network 3.3.3.3 0.0.0.0 a 0
mpls ldp autoconfig
mpls label protocol ldp
mpls ldp router-id lo0 force
!
router bgp 1
bgp router-id 3.3.3.3
no bgp def ipv4-unicast 
neigh 2.2.2.2 remote 1
neigh 4.4.4.4 remote 1
neigh 2.2.2.2 update lo0
neigh 4.4.4.4 update lo0
address-family vpnv4 
neigh 2.2.2.2 activate
neigh 4.4.4.4 activ
neigh 2.2.2.2 send-community extended 
neigh 4.4.4.4 send-community extended
!
ip vrf 802101
rd 1:1
route-target bo 1:1
!
int gi 0/1
ip vrf for 802101
ip add 163.4.4.1 255.255.255.0
!
router bgp 1
add ipv4 vrf 802101

The last step is to do some redistribution, so that our end points (what we have so far) can all talk to each other.

IGPs and redistribution into MPLS

• NY2
• NY1
• LA1
• LON1

router eigrp 100
 network 3.3.3.0 0.0.0.0
 network 3.3.3.1 0.0.0.0
 network 3.3.3.2 0.0.0.0
 network 128.2.2.2 0.0.0.0
 eigrp router-id 3.3.3.0

router eigrp NY
 !
 address-family ipv4 unicast vrf 802101 autonomous-system 100
  !
  topology base
   redistribute bgp 1 metric 1000 10 100 1 1500
  exit-af-topology
  network 128.2.2.1 0.0.0.0
 exit-address-family
!
router bgp 1
 address-family ipv4 vrf 802101
  redistribute eigrp 100 metric 1
 exit-address-family

ip route vrf 802101 20.5.5.0 255.255.255.0 198.250.20.2
ip route vrf 802101 20.6.6.0 255.255.255.0 198.250.30.2
router eigrp LA
 !
 address-family ipv4 unicast vrf 802101 autonomous-system 300
  !
  topology base
   redistribute bgp 1 metric 1000 10 100 1 1500
  exit-af-topology
  network 198.250.20.0
  network 198.250.30.0
 exit-address-family
!
router bgp 1
 address-family ipv4 vrf 802101
  redistribute eigrp 300 metric 1
  red static metric 1
 exit-address-family

router eigrp LON
 !
 address-family ipv4 unicast vrf 802101 autonomous-system 200
  !
  topology base
   redistribute bgp 1 metric 1000 10 100 1 1500
  exit-af-topology
  network 163.4.4.0 0.0.0.255
 exit-address-family
!
router bgp 1
 address-family ipv4 vrf 802101
  redistribute eigrp 200 metric 1
 exit-address-family

We don't really need EIGRP on LA1. LA-FW (because it is running ASA 8.4 and in multiple-context mode) does not support routing protocols, so we can do with redistributing the static routes only. We really dont need these anyway, as they will be behind NAT. So take them or leave them!

Still missing a few bits, such as ACLs on the LA-FW. So, while we are on a good run, let's just save the work so far, and add those in. This is for the C1 context:

object-group network INSIDE-NAT-SUBNETS
network-object 20.5.5.0 255.255.255.0
network-object 20.5.10.0 255.255.255.0
network-object 20.5.20.0 255.255.255.0
access-list outside->in extended permit ip any any 
access-list outside->in extended permit icmp any any 
access-list outside->in extended permit icmp any any echo-reply 
access-group outside->in in interface Outside
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface

And this is for the C2 context:

object-group network INSIDE-NAT-SUBNETS
network-object 20.6.5.0 255.255.255.0
network-object 20.6.10.0 255.255.255.0
network-object 20.6.20.0 255.255.255.0
access-list outside->in extended permit ip any any 
access-list outside->in extended permit icmp any any 
access-list outside->in extended permit icmp any any echo-reply 
access-group outside->in in interface Outside
nat (Inside,Outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface

We can test connectivity now:

LA2#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/17/32 ms
LA2#

LA3#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms
LA3#

NY2#ping 163.4.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.4.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/13 ms
NY2#

Excellent, all seems to be working again.

This is what the lab looks like at the moment:

You can find the topology file under the Security link on the "Labs" drop down menu at the top.

Author : Unknown

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

• CCIE Security lab: Access to the WWW serverThis will be a short post, there are lot's of little things that I am finding need to be
• CCIE Security Lab: Dual-Hub DMVPNNow that OSPF is all fixed I can set up the Dual-Hub DMVPN. I need to decide on an addres
• UNetLab 0.9.0-68 is out, with cool new stuff!I feel like a kind of voyeur watching the UNL guys at work. I am kind of at the periphery
• CCIE Security: Transparent ASATransparent firewalls act as a bump in the wire. They work at layer-2, instead of layer-3