I have been mulling over how to best go about this new CCIE Security lab. I have covered pretty much everything I think I need to cover in a whole bunch of other posts, so doing posts about this is probably needlessly repetitive.
So... what to do? Well, I like blogging, it helps me remember things, it helps me try and formulate ideas in a coherent manner, so it's beneficial to me as the timer keeps ticking down. At the same time, though, I don't want you lovely people to sit there thinking "he wrote that last week..", so the posts leading up to my lab will pretty much just be me working through the labs I am going to create and seeing how my speed increases and how my need to google the answers decreases. The posts will be pretty much lacking in explanation.
The labs will be posted on the forum, and the first one is there already. I think what I will do (IF I pass the lab!) is create some workbook PDFs, which will include the explanations (in depth) and make them available for purchase through the website (probably for about £4.99 or something small like that). I don't want to write a full book for the CCIE Security (I already have people wanting a book on Multicast and QoS, so want to do that after the lab), but they will include the thought process, the gotchas that I faced, and the desired results.
Let me know if you like this idea in the comments section below. If you guys think it's a good idea then I'll do it, if not then I'll save myself the time!
Day 1: 76 days to go
Anyway, I started off the new lab today. Not a bad day, especially as Virgin Media decided to dig up the cable in my street and I was without Internet access from 8:45am till 6pm. At least it meant that I could not Google the answers. It was not a proper lab scenario, as I still had work to do (not easy without Internet access), so it is not representative of the 8-hour lab exam. At the moment it's all about building the speed up, so I expect to get quicker with subsequent labs. Today I covered DMVPN, Transparent ASA, Failover ASA, and set up the network ready to implement GETVPN.
Most of the core of this bit is now set up:
I got caught out a couple of times, but am, generally, pretty pleased with the progress. It's certainly nice to put a line through some of the objectives.
So here is the work today.
LON-2 is the best place to start: it connects the 10.2.0.0/16 and 10.1.0.0/16 networks, so we only need to add two routes:
Switch(config)#int gi0/0
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 21
Switch(config-if)#

LON-2(config)#ip route 10.2.0.0 255.255.0.0 10.1.21.200
LON-2(config)#ip route 10.1.0.0 255.255.0.0 10.1.22.254

Similarly, LON-1 is an easy configuration:
LON-1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
LON-1(config)#
LON-1(config)#do ping 10.1.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
LON-1(config)#

Because LON-1 does not need to know about the devices behind the GETVPN-Client, we don't need to add any routes for them.
Let's set up DM-Hub1 and DM-Hub2:
DM-Hub1(config)#ip route 10.1.22.0 255.255.255.0 10.1.24.254
DM-Hub1(config)#ip route 10.1.1.0 255.255.255.0 10.1.24.254
DM-Hub1(config)#

DM-Hub2(config)#ip route 10.1.22.0 255.255.255.0 10.1.5.254
DM-Hub2(config)#ip route 10.1.1.0 255.255.255.0 10.1.5.254
DM-Hub2(config)#

DM-Hub1(config)#do ping 10.1.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
DM-Hub1(config)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms
DM-Hub1(config)#

DM-Hub2(config)#do ping 10.1.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/10 ms
DM-Hub2(config)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/10 ms
DM-Hub2(config)#

Let's set up DMVPN!
I am trying to do as much of this from memory as possible, so let's see how far I can get it without looking anything up. This is the configuration I came up with:
LON-2(config-if)#do sh run int tun 0
Building configuration...

Current configuration : 355 bytes
!
interface Tunnel0
 ip address 192.168.1.22 255.255.255.0
 no ip redirects
 ip nhrp authentication CCIE
 ip nhrp map 192.168.1.1 10.1.24.1
 ip nhrp map 192.168.1.2 10.1.5.1
 ip nhrp map multicast 10.1.24.1
 ip nhrp map multicast 10.1.5.1
 ip nhrp network-id 101
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
end

LON-2(config-if)#

Now for LON-1:
LON-1(config)#interface Tunnel0
LON-1(config-if)# ip address 192.168.1.11 255.255.255.0
LON-1(config-if)# no ip redirects
LON-1(config-if)# ip nhrp authentication CCIE
LON-1(config-if)# ip nhrp map 192.168.1.1 10.1.24.1
LON-1(config-if)# ip nhrp map 192.168.1.2 10.1.5.1
LON-1(config-if)# ip nhrp map multicast 10.1.24.1
LON-1(config-if)# ip nhrp map multicast 10.1.5.1
LON-1(config-if)# ip nhrp network-id 101
LON-1(config-if)# ip nhrp nhs 192.168.1.1
LON-1(config-if)# ip nhrp nhs 192.168.1.2
LON-1(config-if)# tunnel source GigabitEthernet0/0
LON-1(config-if)# tunnel mode gre multipoint
LON-1(config-if)#

Our first hub:
DM-Hub1(config)#int tun 0
DM-Hub1(config-if)#ip nhrp map multicast dynamic
DM-Hub1(config-if)#ip nhrp network-id 101
DM-Hub1(config-if)#ip add 192.168.1.1 255.255.255.0
DM-Hub1(config-if)#ip nhrp authentication CCIE
DM-Hub1(config-if)#tun so gi0/0
DM-Hub1(config-if)#tun mo gre multi
DM-Hub1(config-if)#
DM-Hub1(config-if)#ip nhrp ?
  attribute       NHRP attribute set
  authentication  Authentication string
  cache           NHRP Cache related commands.
  connect         NHRP resolution request connect
  holdtime        Advertised holdtime
  interest        Specify an access list
  map             Map dest IP addresses to NBMA addresses
  max-send        Rate limit NHRP traffic
  network-id      NBMA network identifier
  nhs             Specify a next hop server
  path            NHRP path specific configuration
  record          Allow NHRP record option
  redirect        Enable NHRP redirect traffic indication
  registration    Settings for registration packets.
  reject          NHRP resolution reject request
  responder       Responder interface
  server-only     Disable NHRP requests
  shortcut        Enable shortcut switching
  trigger-svc     Create NHRP cut-through based on traffic load
  use             Specify usage count for sending requests

DM-Hub1(config-if)#ip nhrp shortcut
DM-Hub1(config-if)#ip nhrp redirect
DM-Hub1(config-if)#
DM-Hub1(config-if)#do sh ip nhrp
192.168.1.11/32 via 192.168.1.11
   Tunnel0 created 00:00:16, expire 01:59:43
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.1.1.1
192.168.1.22/32 via 192.168.1.22
   Tunnel0 created 00:00:20, expire 01:59:39
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.1.22.1
DM-Hub1(config-if)#

We have two clients connected to DM-Hub1. Let's add the second hub:
DM-Hub2(config)#int tun 0
DM-Hub2(config-if)# ip address 192.168.1.2 255.255.255.0
DM-Hub2(config-if)# no ip redirects
DM-Hub2(config-if)# ip nhrp authentication CCIE
DM-Hub2(config-if)# ip nhrp map multicast dynamic
DM-Hub2(config-if)# ip nhrp network-id 101
DM-Hub2(config-if)# ip nhrp shortcut
DM-Hub2(config-if)# ip nhrp redirect
DM-Hub2(config-if)# tunnel source GigabitEthernet0/0
DM-Hub2(config-if)# tunnel mode gre multipoint
DM-Hub2(config-if)#
DM-Hub2(config-if)#do sh ip nhrp
192.168.1.11/32 via 192.168.1.11
   Tunnel0 created 00:00:19, expire 01:59:40
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.1.1.1
192.168.1.22/32 via 192.168.1.22
   Tunnel0 created 00:00:00, expire 01:59:59
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 10.1.22.1
DM-Hub2(config-if)#

Not bad. I used the context sensitive help, but remembered most of the important commands.
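Before verifying with show dmvpn, here is a check for the mismatches that make a DMVPN fail quietly. This is an added example, not the author's code or anything from the lab: it parses the four Tunnel0 stanzas above (the hub NBMA addresses 10.1.24.1 and 10.1.5.1 and the spoke NBMA addresses 10.1.1.1 and 10.1.22.1 are taken from the show ip nhrp output, since the stanza only names the tunnel source interface), then confirms that the NHRP authentication string and network-id agree everywhere, that each spoke's static map for its NHS matches that hub's NBMA address, that the multicast mappings the routing protocol needs are present, that spokes have ip nhrp shortcut when the hubs send redirects, and that each tunnel has a tunnel protection line. The Tunnel class and the finding codes are my own naming. With the configuration exactly as shown above, it reports that none of the four tunnels is protected (so at this stage all GRE and NHRP traffic crosses the underlay unencrypted) and that both spokes lack ip nhrp shortcut.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Tunnel:
    host: str
    nbma: str                    # address of the 'tunnel source' interface
    tunnel_ip: str = ""
    auth: str = ""               # NHRP auth string travels in clear text: a tag, not a secret
    network_id: str = ""
    nhs: list = field(default_factory=list)
    static_map: dict = field(default_factory=dict)   # tunnel addr -> NBMA addr
    mcast_map: list = field(default_factory=list)    # NBMA addrs, or "dynamic"
    shortcut: bool = False
    redirect: bool = False
    protected: bool = False      # 'tunnel protection ipsec profile ...' present


def parse_tunnel(host: str, nbma: str, stanza: str) -> Tunnel:
    """Pull the fields the checks need out of an 'interface Tunnel0' stanza."""
    t = Tunnel(host=host, nbma=nbma)
    for raw in stanza.splitlines():
        line = raw.strip()
        # 'map multicast' must be tried before the generic 'map <tunnel> <nbma>' form
        if m := re.fullmatch(r"ip address (\S+) \S+", line):
            t.tunnel_ip = m[1]
        elif m := re.fullmatch(r"ip nhrp authentication (\S+)", line):
            t.auth = m[1]
        elif m := re.fullmatch(r"ip nhrp network-id (\S+)", line):
            t.network_id = m[1]
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            t.nhs.append(m[1])
        elif m := re.fullmatch(r"ip nhrp map multicast (\S+)", line):
            t.mcast_map.append(m[1])
        elif m := re.fullmatch(r"ip nhrp map (\S+) (\S+)", line):
            t.static_map[m[1]] = m[2]
        elif line == "ip nhrp shortcut":
            t.shortcut = True
        elif line == "ip nhrp redirect":
            t.redirect = True
        elif line.startswith("tunnel protection ipsec profile "):
            t.protected = True
    return t


def check_dmvpn(hubs: list, spokes: list) -> list:
    """Return (host, code, message) findings; an empty list means the cloud is consistent."""
    f = []
    devs = hubs + spokes
    if len({d.auth for d in devs}) != 1:
        f.append(("*", "AUTH", "NHRP authentication strings differ (they are case-sensitive)"))
    if len({d.network_id for d in devs}) != 1:
        f.append(("*", "NETID", "NHRP network-id differs across the cloud"))
    for d in devs:
        if not d.protected:
            f.append((d.host, "CLEAR", "no 'tunnel protection': GRE payload and NHRP cross the underlay unencrypted"))
    for h in hubs:
        if "dynamic" not in h.mcast_map:
            f.append((h.host, "MCAST", "hub lacks 'ip nhrp map multicast dynamic'; routing hellos will not reach spokes"))
    hub_by_ip = {h.tunnel_ip: h for h in hubs}
    for s in spokes:
        if not s.shortcut and any(h.redirect for h in hubs):
            f.append((s.host, "PHASE3", "hubs send NHRP redirects but spoke has no 'ip nhrp shortcut'"))
        for nhs in s.nhs:
            hub = hub_by_ip.get(nhs)
            if hub is None:
                f.append((s.host, "NHS", f"NHS {nhs} is not a known hub tunnel address"))
                continue
            if s.static_map.get(nhs) != hub.nbma:
                f.append((s.host, "MAP", f"static map for {nhs} is {s.static_map.get(nhs)}, hub NBMA is {hub.nbma}"))
            if hub.nbma not in s.mcast_map:
                f.append((s.host, "MCAST", f"no 'ip nhrp map multicast {hub.nbma}'; adjacency with {hub.host} will not form"))
    return f


# Constructed from the stanzas in the post; NBMA addresses come from its 'show ip nhrp' output.
HUB = ("interface Tunnel0\n ip address {ip} 255.255.255.0\n ip nhrp authentication CCIE\n"
       " ip nhrp map multicast dynamic\n ip nhrp network-id 101\n ip nhrp shortcut\n"
       " ip nhrp redirect\n tunnel source GigabitEthernet0/0\n tunnel mode gre multipoint\n")
SPOKE = ("interface Tunnel0\n ip address {ip} 255.255.255.0\n no ip redirects\n"
         " ip nhrp authentication CCIE\n ip nhrp map 192.168.1.1 10.1.24.1\n"
         " ip nhrp map 192.168.1.2 10.1.5.1\n ip nhrp map multicast 10.1.24.1\n"
         " ip nhrp map multicast 10.1.5.1\n ip nhrp network-id 101\n"
         " ip nhrp nhs 192.168.1.1\n ip nhrp nhs 192.168.1.2\n"
         " tunnel source {src}\n tunnel mode gre multipoint\n")
PAGE_HUBS = [parse_tunnel("DM-Hub1", "10.1.24.1", HUB.format(ip="192.168.1.1")),
             parse_tunnel("DM-Hub2", "10.1.5.1", HUB.format(ip="192.168.1.2"))]
PAGE_SPOKES = [parse_tunnel("LON-1", "10.1.1.1", SPOKE.format(ip="192.168.1.11", src="GigabitEthernet0/0")),
               parse_tunnel("LON-2", "10.1.22.1", SPOKE.format(ip="192.168.1.22", src="GigabitEthernet0/1"))]

if __name__ == "__main__":
    for host, code, msg in check_dmvpn(PAGE_HUBS, PAGE_SPOKES):
        print(f"{host:8} {code:7} {msg}")
```

The AUTH check is deliberately exact-match: the NHRP authentication string is compared byte for byte by the router, so "CCIE" and "ccie" are different clouds, and because the string is carried in clear text in every NHRP packet it only separates clouds, it does not authenticate anyone.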
LON-2(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.24.1       192.168.1.1      UP 00:03:23     S
     1 10.1.5.1        192.168.1.2    NHRP 00:05:34     S

LON-2(config-if)#

LON-1(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.24.1       192.168.1.1      UP 00:03:35     S
     1 10.1.5.1        192.168.1.2      UP 00:01:38     S

LON-1(config-if)#

Let's set up the transparent ASA:
ASAv6(config)# firewall transparent
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
ciscoasa(config)# firewall transparent
WARNING: Context already in transparent mode
ciscoasa(config)#
ciscoasa(config)# hostname ASAv6
ASAv6(config)#
ASAv6(config)# sh firewall
Firewall mode: Transparent
ASAv6(config)#
ASAv6(config)# int bvI 1
ASAv6(config-if)# ip a
ASAv6(config-if)# ip add
ASAv6(config-if)# ip address 10.1.2.200 255.255.255.0
ASAv6(config-if)# int gi0/0
ASAv6(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASAv6(config-if)# bridge-group 1
ASAv6(config-if)# no shut
ASAv6(config-if)# int gi0/1
ASAv6(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASAv6(config-if)# bridge-group 1
ASAv6(config-if)# no shut

LON-1#ping 10.1.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.200, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/3 ms
LON-1#

GETVPN-Client#ping 10.1.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.200, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
GETVPN-Client#

Now we need to permit ping from LON-1 to GETVPN-Client, to test connectivity:
LON-1#ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
LON-1#

ASAv6(config)# terminal width 255
ASAv6(config)# access-list Outside->Inside extended permit icmp host 10.1.2.1 host 10.1.2.254
ASAv6(config)# int gi 0/0
ASAv6(config)# access-group Outside->Inside in interface outside
ASAv6(config)#

LON-1#ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
LON-1#

ASAv6(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Outside->Inside; 1 elements; name hash: 0x4388e391
access-list Outside->Inside line 1 extended permit icmp host 10.1.2.1 host 10.1.2.254 (hitcnt=1) 0xcbbf5d57
ASAv6(config)#

Now let's give the DM-Hubs access to the 10.1.2.0/24 network. We'll do this through EIGRP across the DMVPN network:
LON-1(config)#router eigrp 1
LON-1(config-router)#eigrp router-id 10.1.1.1
LON-1(config-router)#network 10.1.2.0 0.0.0.255
LON-1(config-router)#network 192.168.1.0 0.0.0.255
LON-1(config-router)#

DM-Hub1(config)#router eigrp 1
DM-Hub1(config-router)#eigrp router-id 192.168.1.1
DM-Hub1(config-router)#network 192.168.1.0 0.0.0.255
DM-Hub1(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.11 (Tunnel0) is up: new adjacency
DM-Hub1(config-router)#

DM-Hub2(config)#router eigrp 1
DM-Hub2(config-router)#eigrp router-id 192.168.1.2
DM-Hub2(config-router)#network 192.168.1.0 0.0.0.255
DM-Hub2(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.11 (Tunnel0) is up: new adjacency
DM-Hub2(config-router)#

LON-2(config)#router eigrp 1
LON-2(config-router)#eigrp router-id 10.1.22.1
LON-2(config-router)#network 192.168.1.0 0.0.0.255
LON-2(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
LON-2(config-router)#

We'll add ISP-2 to EIGRP AS 1:
ISP-2(config)#router eigrp 1
ISP-2(config-router)#eigrp router-id 10.1.9.1
ISP-2(config-router)#network 10.1.25.0 0.0.0.255
ISP-2(config-router)#network 10.1.8.0 0.0.0.255
ISP-2(config-router)#network 10.1.9.0 0.0.0.255
ISP-2(config-router)#

DM-Hub1(config-router)#network 10.1.25.0 0.0.0.255
DM-Hub1(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.25.254 (GigabitEthernet0/2) is up: new adjacency
DM-Hub1(config-router)#

DM-Hub2(config-router)#network 10.1.8.0 0.0.0.255
DM-Hub2(config-router)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.8.254 (GigabitEthernet0/2) is up: new adjacency
DM-Hub2(config-router)#

We can add a static route on GETVPN-Client:
GETVPN-Client(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.1
GETVPN-Client(config)#

Now let's set up ASA failover, and here I did miss a command, which cost me some time:
ASA9(config)# sh run | i failover
failover
failover lan unit primary
failover lan interface FOVER Ethernet3
failover key *****
failover replication http
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
ASA9(config)#

ciscoasa(config)# sh run | i failover
failover
failover lan unit secondary
failover lan interface FOVER Ethernet3
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
ciscoasa(config)#
ciscoasa(config)# .
        Detected an Active mate
sh failover | i This
        This host: Secondary - Cold Standby
ciscoasa(config)#
        Beginning configuration replication from mate.
sh failover | i This
        This host: Secondary - Sync Config
ciscoasa(config)# ERROR: Password recovery was not changed, unable to access the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
        End configuration replication from mate.
ASA9(config)#
ASA9(config)# copy run start
Source filename [running-config]?
Cryptochecksum: 7ccb4109 4818a9f7 e94e5e6e 4f52e6ef
3500 bytes copied in 0.240 secs
ASA9(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FOVER Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 12:23:20 UTC Jul 15 2016
        This host: Primary - Active
                Active time: 27 (sec)
                  Interface Outside (10.1.9.254): Unknown (Waiting)
                  Interface Inside (10.1.10.254): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface Outside (10.1.9.252): Unknown (Waiting)
                  Interface Inside (10.1.10.252): Unknown (Waiting)
ASA9(config)#

Here I did have to look up why failover was showing as disabled: I had missed the command "failover lan interface FOVER Ethernet3". Here is the error, and the fix:
ciscoasa(config)# sh run | i failover
failover
failover lan unit secondary
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
ciscoasa(config)# sh failover | i This
        This host: Secondary - Disabled
ciscoasa(config)# failover lan interface FOVER Ethernet3
ciscoasa(config)# sh failover | i This
        This host: Secondary - Disabled
ciscoasa(config)# sh failover | i This
        This host: Secondary - Negotiation
ciscoasa(config)# sh failover | i This
        This host: Secondary - Negotiation
ciscoasa(config)# sh failover | i This
        This host: Secondary - Negotiation
ciscoasa(config)# .sh failover | i This
        This host: Secondary - Negotiation
ciscoasa(config)# .
        Detected an Active mate
sh failover | i This
        This host: Secondary - Cold Standby
ciscoasa(config)#
        Beginning configuration replication from mate.
sh failover | i This
        This host: Secondary - Sync Config
ciscoasa(config)# ERROR: Password recovery was not changed, unable to access the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
        End configuration replication from mate.
ASA9(config)#
Cryptochecksum: 4d2a6fd8 a81dbdb8 959d578a 998d945d
3501 bytes copied in 0.250 secs
Cryptochecksum: 981790ac 765a5b87 086b2a40 368f7100
4169 bytes copied in 0.250 secs
Cryptochecksum: ade50ecf 467dea53 2332768c 88035396
4248 bytes copied in 0.250 secs
ASA9(config)#

Still, not bad so far. The goal today is to get ready to implement everything we need in order to set up GETVPN (which will be in the next post).
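The missed "failover lan interface" line above is the kind of omission a quick config check catches before the Disabled state does. Added example, not the author's tooling or anything from the lab: it parses the "sh run | i failover" output of each unit, lists the required lines that are absent, flags a unit with no "failover key" (Cisco documents that without one, everything on the failover link, including the replicated configuration and its secrets, is sent in clear text), and compares the two units' link definitions, which must match for the pair to form. The three sample configs are constructed from the output shown above; the field names and finding codes are my own.

```python
import re

# Lines an ASA failover pair cannot work without, and the fields each one carries.
REQUIRED = {
    "enable": r"failover",
    "unit":   r"failover lan unit (primary|secondary)",
    "lan_if": r"failover lan interface (\S+) (\S+)",
    "if_ip":  r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)",
}
OPTIONAL = {
    "key":  r"failover key (\S+)",
    "link": r"failover link (\S+) (\S+)",
    "http": r"failover replication http",
}


def parse_failover(text: str) -> dict:
    """Map each recognised 'failover ...' line to its captured fields."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        for name, pat in {**REQUIRED, **OPTIONAL}.items():
            if m := re.fullmatch(pat, line):
                cfg[name] = m.groups()
    return cfg


def lint_unit(cfg: dict) -> list:
    """Findings for one unit as (code, detail) tuples; empty means nothing to fix."""
    f = [("MISSING", name) for name in REQUIRED if name not in cfg]
    if "lan_if" in cfg and "if_ip" in cfg and cfg["lan_if"][0] != cfg["if_ip"][0]:
        f.append(("NAME", f"lan interface is {cfg['lan_if'][0]} but interface ip names {cfg['if_ip'][0]}"))
    if "key" not in cfg:
        # No key: hellos and the replicated config (passwords, PSKs) cross the link in clear text.
        f.append(("CLEARTEXT", "no 'failover key' on the failover link"))
    return f


def lint_pair(a: dict, b: dict) -> list:
    """Findings that only show up when the two units are compared."""
    f = []
    if {a.get("unit", ("?",))[0], b.get("unit", ("?",))[0]} != {"primary", "secondary"}:
        f.append(("ROLE", "need exactly one primary and one secondary"))
    for name in ("lan_if", "if_ip", "link"):
        if a.get(name) != b.get(name):
            f.append(("MISMATCH", name))
    return f


# Constructed from the 'sh run | i failover' output in the post.
PRIMARY = """failover
failover lan unit primary
failover lan interface FOVER Ethernet3
failover key *****
failover replication http
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
"""
# The secondary as first configured: 'failover lan interface' is missing, so it sat in Disabled.
SECONDARY_BROKEN = """failover
failover lan unit secondary
failover key *****
failover link FOVER Ethernet3
failover interface ip FOVER 10.1.250.254 255.255.255.0 standby 10.1.250.252
"""
SECONDARY_FIXED = SECONDARY_BROKEN.replace(
    "failover key", "failover lan interface FOVER Ethernet3\nfailover key")

if __name__ == "__main__":
    for label, text in (("primary", PRIMARY), ("secondary-broken", SECONDARY_BROKEN),
                        ("secondary-fixed", SECONDARY_FIXED)):
        print(label, lint_unit(parse_failover(text)) or "ok")
    print("pair", lint_pair(parse_failover(PRIMARY), parse_failover(SECONDARY_FIXED)) or "ok")
```

The "failover replication http" line is deliberately not compared between units: it is part of the configuration the active unit pushes to the standby, so the secondary not having it before the first sync (as above) is expected.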
Let's set up NAT:
ASA9(config)# object network 10-1-10
ASA9(config-network-object)# subnet 10.1.10.0 255.255.255.0
ASA9(config-network-object)# exi
ASA9(config)# object network 10-1-26
ASA9(config-network-object)# subnet 10.1.26.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-11
ASA9(config-network-object)# subnet 10.1.11.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-14
ASA9(config-network-object)# subnet 10.1.14.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-12
ASA9(config-network-object)# subnet 10.1.12.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)# object network 10-1-13
ASA9(config-network-object)# subnet 10.1.13.0 255.255.255.0
ASA9(config-network-object)# exit
ASA9(config)#
ASA9(config)# object-group network INSIDE-SUBNETS
ASA9(config-network-object-group)# network-object object 10-1-10
ASA9(config-network-object-group)# network-object object 10-1-26
ASA9(config-network-object-group)# network-object object 10-1-11
ASA9(config-network-object-group)# network-object object 10-1-14
ASA9(config-network-object-group)# network-object object 10-1-12
ASA9(config-network-object-group)# network-object object 10-1-13
ASA9(config-network-object-group)# exit
ASA9(config)# nat (Inside,Outside) after-auto source dynamic INSIDE-SUBNETS interface
ASA9(config)#
ASA9(config)# route outside 0 0 10.1.9.1
ASA9(config)# copy run start
Source filename [running-config]?
Cryptochecksum: f3bf1259 b6b8509c 2a34bd26 c2cba2b7
4168 bytes copied in 0.230 secs
ASA9(config)#

Let's test (using packet-tracer); here I am only showing the relevant NAT part of the output:
ASA9(config)# packet-tracer input inside icmp 10.1.11.1 8 0 10.1.25.1

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic INSIDE-SUBNETS interface
Additional Information:
Dynamic translate 10.1.11.1/0 to 10.1.9.254/51830

Looks good so far. Let's add some more routing:
ASA9(config)# router eigrp 1
ASA9(config-router)# eigrp router-id 10.1.9.254
ASA9(config-router)# network 10.1.9.0 255.255.255.0
ASA9(config-router)#

Now we need to set up the switch interfaces, and add some more static routing:
Switch(config)#int gi0/0
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 26
Switch(config-if)#int gi0/1
Switch(config-if)#swi mo acc
Switch(config-if)#swi ac vl 11
Switch(config-if)#int rang gi0/2 - 3
Switch(config-if-range)#swi mo acc
Switch(config-if-range)#swi acc vl 10
Switch(config-if-range)#exit
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.10.254

GETVPN-S1(config)#ip route 0.0.0.0 0.0.0.0 10.1.26.200
GETVPN-S1(config)#

GETVPN-S2(config)#ip route 0.0.0.0 0.0.0.0 10.1.11.200
GETVPN-S2(config)#

We need some access-lists for pings to work:
ASA9(config)# sh run | i access-list
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.1.1
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.2.1
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 192.168.1.11
access-list Inside->Outside extended permit icmp host 10.1.26.1 host 192.168.1.22
access-list Outside->Inside extended permit icmp host 10.1.1.1 host 10.1.26.1
access-list Outside->Inside extended permit icmp host 10.1.2.1 host 10.1.26.1
access-list Outside->Inside extended permit icmp host 192.168.1.11 host 10.1.26.1
access-list Outside->Inside extended permit icmp host 192.168.1.22 host 10.1.26.1
threat-detection statistics access-list
ASA9(config)# sh run | i access-group
access-group Outside->Inside in interface Outside
access-group Inside->Outside in interface Inside
ASA9(config)#

At this stage I did scratch my head as to why the pings were failing, but (after some time) remembered that there is no IGP to advertise the routes we need, so I fixed that:
ASA9(config)# route inside 10.1.26.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.11.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.14.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.12.0 255.255.255.0 10.1.10.200
ASA9(config)# route inside 10.1.13.0 255.255.255.0 10.1.10.200
ASA9(config)#

GETVPN-S1(config)#do ping 192.168.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/27 ms
GETVPN-S1(config)#do ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/21 ms
GETVPN-S1(config)#do ping 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/16/20 ms
GETVPN-S1(config)#

That's pretty far, but not far enough: I still need to be able to get from the GETVPN server to the GETVPN client:
GETVPN-S1(config)#do ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GETVPN-S1(config)#

ASAv6(config)# access-list Outside->Inside extended permit icmp host 10.1.9.254 host 10.1.2.254
ASAv6(config)#

ASA9(config)# access-list Inside->Outside extended permit icmp host 10.1.26.1 host 10.1.2.254
ASA9(config)# access-list Outside->Inside extended permit icmp host 10.1.2.254 host 10.1.26.1
ASA9(config)#

GETVPN-S1(config)#do ping 10.1.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/21/31 ms
GETVPN-S1(config)#

Now we have a very basic form of reachability between one of the GETVPN servers and the client. But there are two servers behind one firewall, so a single port forward on the outside address can't serve both; instead, each of the two GETVPN servers will need its own static NAT.
I'll save that for another day, though.
Let me know if you like the idea about the workbooks in the comments below. Till next time.