It is time to create a new CCIE Security lab. I have 78 days left before the real thing, so I can do at least 2 "large" labs in that time.
So, let's start a new one. I start by throwing a bunch of stuff into the lab and making a list of things to achieve. I need to focus on VRF-aware VPNs more this time and, basically, get faster with the different VPNs; I seem to be OK with most of the other topics. So this new lab will be very VPN-centric and, as such, the Telnet servers should only be reachable through the different VPNs.
Topology
After a short while, this is what I ended up with:
Now, I need to work out some IP addressing. There should be different ranges for the VPNs and the basic connectivity, so I will use 10.1.X.0/24 for the interlinks, 10.2.X.0/24 for the devices at the top right and 192.168.X.0/24 for the VPNs. Routers will all use .1 or .2 (or sometimes .254) as the last octet, firewalls will use .254, and end devices (the Windows box, WWW server, WSA etc.) will all have .10 as their last octet. Switches (where they are providing a VLAN interface) will use .200 (and .201 if required). Loopbacks will all be /32 and are denoted on the topology.
But, where to start?
Let's go for the middle and go (relatively) clockwise. This gives us something like this:
Now for the rules of the game!
Instructions
System Hardening and Availability
•Every routing protocol must be secured with a password of CCIE
•Unused switch ports must be shut down and placed in VLAN 999
•ISP-1 should be set as an authoritative NTP server (Stratum 2). All devices (apart from the WSA) should peer with it
Threat Identification and Mitigation
•All ASAs should protect against IP spoofing attacks
•Switches should protect against MAC spoofing
•Win should receive its IP address through DHCP from ASAv7, and DHCP should be inspected by the switch
•The network should be protected against VLAN hopping attacks
•NetFlow should be enabled to track the top 5 talkers for ICMP traffic on ASAv7 (might change this later on)
Intrusion Prevention and Content Security
•Initialize the IPS and create a VLAN pair for VLANs 10.2.1.0 and 10.1.21.0
•Create a custom signature to alert high on ICMP traffic between the Win box and Lon-1
•Implement WCCP on the WSA and make sure all traffic to WWW goes through this and ASAv7.
•Block access to www.bad.com using a custom category
Identity Management
•Access to ASA v7 should be controlled through the ACS using TACACS+
•Access to the DMZ server (using Telnet) should be controlled through ACS
•Set up ISE for the AP, creating CCIE-Sec and CCIE-Guest WLANs on the WLC
Perimeter Security and Services
•Set up ASAv7 in routed mode with VLAN 12 for the DMZ, VLAN 20 for the Inside
•Addresses should be NATted.
•Setup ASAv6 in transparent mode
•Setup ASA8 and ASA9 in failover mode
•Set up LON-2 as a ZBFW
•Map Telnet-3’s Telnet port to 23000
•Map DMZ's HTTP port to 8080
•Permit access to Telnet-3’s telnet port to just the VPN traffic
Confidentiality and Secure Access
•Create an IKEv1 tunnel between NYC and IKEv1, advertising the route to Telnet-2
•Create an IKEv2 tunnel between NYC and Easy-Server. Easy-Server should know about Telnet-2’s network only through this VPN
•Create a LAN-to-LAN IPSec tunnel between ASAv7 & NYC – ASAv7 should know about Telnet-2 through IPSec
•Set up the DMVPN network as a dual-hub network
•Set up Flex VPN between Telnet-1 and Telnet-2
•Set up Remote Access between Win & Easy-Server. Win should only know about Telnet-1 through VPN
•Set up AnyConnect between Win and ASA8/9
•Set up Easy VPN between Easy-Server & ASA9 and also between Easy-Server and Win
•The GETVPN should be VRF aware
•Set up ISP-1 as the CA for certificates. Use certificates for Easy VPN
I have tried to make it a little difficult for myself, in as much as I cannot go from top to bottom; some of the tasks require other tasks to be completed first (i.e. most of the VPNs need to be in place first). Let's do the initial IP addressing. I'll work out the routing afterwards.
IP addressing
Because there is a lot of config, I have put it behind a clicky-button, so click if you want to see the configs, or not!

Switch(config)#vlan 20,2,3,21,4
Switch(config-vlan)#int vlan 1
Switch(config-if)#ip add 10.2.1.200 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#int vlan 20
Switch(config-if)#ip add 10.1.20.200 255.255.255.0
Switch(config-if)#no shut
Switch(config)#vlan 20,2,3,21,4
Switch(config-vlan)#int vlan 2
Switch(config-if)#ip add 10.2.2.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 3
Switch(config-if)#ip add 10.2.3.200 255.255.255.0
Switch(config-if)#no shut
Switch(config)#int vlan 4
Switch(config-if)#ip add 10.2.4.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 21
Switch(config-if)#ip add 10.1.21.200 255.255.255.0
Switch(config-if)#no shut

ASAv7(config)# int gi0/0
ASAv7(config-if)# exit
ASAv7(config)# int gi0/0.20
ASAv7(config-subif)# vlan 20
ASAv7(config-subif)# ip add 10.1.20.254 255.255.255.0
ASAv7(config-subif)# no shut
ASAv7(config-subif)# exit
ASAv7(config)# int gi0/2.19
ASAv7(config-subif)# no shut
ASAv7(config-subif)# vlan 19
ASAv7(config-subif)# ip add 10.1.19.254 255.255.255.0
ASAv7(config-subif)# exit
ASAv7(config)# int gi0/1
ASAv7(config-if)# ip add 10.1.18.254 255.255.255.0
ASAv7(config-if)# no shut
ASAv7(config-if)# int gi0/2
ASAv7(config-if)# no shut
ASAv7(config-if)# sh int ip bri
Interface              IP-Address    OK? Method Status Protocol
GigabitEthernet0/0     unassigned    YES unset  up     up
GigabitEthernet0/0.20  10.1.20.254   YES manual up     up
GigabitEthernet0/1     10.1.18.254   YES manual up     up
GigabitEthernet0/2     unassigned    YES unset  up     up
GigabitEthernet0/2.19  10.1.19.254   YES manual up     up
ASAv7(config-if)#

DMZ(config)#int gi0/0
DMZ(config-if)#ip add 10.1.19.1 255.255.255.0
DMZ(config-if)#no shut

IKEv1(config)#int gi0/0
IKEv1(config-if)#ip add 10.1.18.1 255.255.255.0
IKEv1(config-if)#no shut
IKEv1(config-if)#int gi0/1
IKEv1(config-if)#ip add 10.1.17.1 255.255.255.0
IKEv1(config-if)#no shut

Chicago(config)#int gi0/0
Chicago(config-if)#ip add 10.1.17.2 255.255.255.0
Chicago(config-if)#no shut
Chicago(config-if)#int gi0/2
Chicago(config-if)#ip add 10.1.16.2 255.255.255.0
Chicago(config-if)#no shut
Chicago(config-if)#int gi0/1
Chicago(config-if)#ip add 10.1.15.2 255.255.255.0
Chicago(config-if)#no shut

Telnet-3(config)#int gi0/0
Telnet-3(config-if)#ip add 10.1.16.1 255.255.255.0
Telnet-3(config-if)#no shut
Telnet-3(config-if)#int lo0
Telnet-3(config-if)#ip add 3.3.3.3 255.255.255.255

LON-2(config)#int gi0/0
LON-2(config-if)#no shut
LON-2(config-if)#ip add 10.1.21.1 255.255.255.0
LON-2(config-if)#int gi0/1
LON-2(config-if)#ip add 10.1.22.1 255.255.255.0
LON-2(config-if)#no shut

ISP-1(config)#int gi0/2
ISP-1(config-if)#ip add 10.1.22.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#int gi0/3
ISP-1(config-if)#ip add 10.1.1.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#int gi0/0
ISP-1(config-if)#ip add 10.1.24.254 255.255.255.0
ISP-1(config-if)#no shut
ISP-1(config-if)#int gi0/1
ISP-1(config-if)#ip add 10.1.5.254 255.255.255.0
ISP-1(config-if)#no shut

LON-1(config)#int gi0/0
LON-1(config-if)#ip add 10.1.1.1 255.255.255.0
LON-1(config-if)#no shut
LON-1(config-if)#int gi0/1
LON-1(config-if)#ip add 10.1.2.1 255.255.255.0
LON-1(config-if)#no shut

GETVPN-Client(config)#int gi0/0
GETVPN-Client(config-if)#ip add 10.1.2.254 255.255.255.0
GETVPN-Client(config-if)#no shut
GETVPN-Client(config-if)#int gi0/1.3
GETVPN-Client(config-subif)#encapsulation dot1Q 3
GETVPN-Client(config-subif)#ip add 10.1.3.254 255.255.255.0
GETVPN-Client(config-subif)#no shut
GETVPN-Client(config-subif)#int gi0/1
GETVPN-Client(config-if)#no shut
GETVPN-Client(config-if)#int gi0/1.4
GETVPN-Client(config-subif)#encapsulation dot1Q 4
GETVPN-Client(config-subif)#ip add 10.1.4.254 255.255.255.0
GETVPN-Client(config-subif)#no shut

DM-Hub1(config)#int gi0/0
DM-Hub1(config-if)#ip add 10.1.24.1 255.255.255.0
DM-Hub1(config-if)#no shut
DM-Hub1(config-if)#int gi0/2
DM-Hub1(config-if)#ip add 10.1.25.1 255.255.255.0
DM-Hub1(config-if)#no shut

DM-Hub2(config)#int gi0/0
DM-Hub2(config-if)#ip add 10.1.5.1 255.255.255.0
DM-Hub2(config-if)#no shut
DM-Hub2(config-if)#int gi0/1
DM-Hub2(config-if)#ip add 10.1.6.1 255.255.255.0
DM-Hub2(config-if)#no shut
DM-Hub2(config-if)#int gi0/2
DM-Hub2(config-if)#ip add 10.1.8.1 255.255.255.0
DM-Hub2(config-if)#no shut

Easy-Server(config)#int gi0/0
Easy-Server(config-if)#ip add 10.1.6.254 255.255.255.0
Easy-Server(config-if)#no shut
Easy-Server(config)#int gi0/1
Easy-Server(config-if)#ip add 10.1.7.254 255.255.255.0
Easy-Server(config-if)#no shut

Telnet-1(config)#int gi0/0
Telnet-1(config-if)#ip add 10.1.7.1 255.255.255.0
Telnet-1(config-if)#no shut
Telnet-1(config-if)#int lo0
Telnet-1(config-if)#ip add 1.1.1.1 255.255.255.255

ISP-2(config)#int gi0/0
ISP-2(config-if)#ip add 10.1.25.254 255.255.255.0
ISP-2(config-if)#no shut
ISP-2(config-if)#int gi0/1
ISP-2(config-if)#ip add 10.1.8.254 255.255.255.0
ISP-2(config-if)#no shut
ISP-2(config-if)#int gi0/3
ISP-2(config-if)#ip add 10.1.9.1 255.255.255.0
ISP-2(config-if)#no shut

ASA9(config-if)# ip add 10.1.9.254 255.255.255.0
ASA9(config-if)# no shut
ASA9(config-if)# int eth3
ASA9(config-if)# ip add 10.1.250.254 255.255.255.0
ASA9(config-if)# no shut
ASA9(config-if)# int eth0
ASA9(config-if)# ip add 10.1.10.254 255.255.255.0
ASA9(config-if)# no shut

Switch(config)#vlan 10,26,11
Switch(config-vlan)#exit
Switch(config)#int vlan 10
Switch(config-if)#ip add 10.1.10.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 26
Switch(config-if)#ip add 10.1.26.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 11
Switch(config-if)#ip add 10.1.11.200 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int rang gi0/2 - 3
Switch(config-if-range)#swi mo acc
Switch(config-if-range)#swi acc vl 10
Switch(config-if-range)#int gi0/0
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 26
Switch(config-if)#int gi 0/1
Switch(config-if)#swi mo acc
Switch(config-if)#swi acc vl 11

GETVPN-S1(config)#int gi0/2
GETVPN-S1(config-if)#ip add 10.1.15.1 255.255.255.0
GETVPN-S1(config-if)#no shut
GETVPN-S1(config-if)#int gi0/1
GETVPN-S1(config-if)#ip add 10.1.26.1 255.255.255.0
GETVPN-S1(config-if)#no shut
GETVPN-S1(config)#int gi0/0
GETVPN-S1(config-if)#ip add 10.1.14.1 255.255.255.0
GETVPN-S1(config-if)#no shut

GETVPN-S2(config)#int gi0/0
GETVPN-S2(config-if)#ip add 10.1.11.1 255.255.255.0
GETVPN-S2(config-if)#no shut
GETVPN-S2(config-if)#int gi0/1
GETVPN-S2(config-if)#ip add 10.1.12.1 255.255.255.0
GETVPN-S2(config-if)#no shut

NYC(config)#int gi0/0
NYC(config-if)#ip add 10.1.14.254 255.255.255.0
NYC(config-if)#no shut
NYC(config-if)#int gi 0/1
NYC(config-if)#ip add 10.1.12.254 255.255.255.0
NYC(config-if)#no shut
NYC(config-if)#int gi0/2
NYC(config-if)#ip add 10.1.13.254 255.255.255.0
NYC(config-if)#no shut

Telnet-2(config)#int gi0/0
Telnet-2(config-if)#ip add 10.1.13.1 255.255.255.0
Telnet-2(config-if)#no shut
Telnet-2(config-if)#int lo0
Telnet-2(config-if)#ip add 2.2.2.2 255.255.255.255
Telnet-2(config-if)#
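With this many devices typed in by hand, the address plan laid out earlier (10.1.X.0/24 interlinks, 10.2.X.0/24 top right, 192.168.X.0/24 for the VPNs, /32 loopbacks, routers on .1/.2/.254, firewalls on .254, switches on .200/.201) is exactly the kind of thing that drifts without anyone noticing, and a duplicate address or wrong octet in the underlay turns into a confusing VPN or routing failure later. The script below is an added example, not the post's own tooling: it parses a pasted IOS/ASA session in the same shape as the configs above, pulls out every `ip address` under its device and interface, and checks it against that plan. The hostname-to-role mapping (names starting with ASA are firewalls, Switch is a switch, everything else a router) is an assumption for this lab only, and the session text inside the script is constructed to resemble the page's configs, with two deliberate faults so the checks have something to report.

```python
"""Check a pasted IOS/ASA addressing session against the lab's address plan.

Added example, not the blog author's code. The plan it encodes is the one
stated in the post: 10.1.X.0/24 interlinks, 10.2.X.0/24 for the top-right
devices, 192.168.X.0/24 reserved for the VPNs, loopbacks /32, routers on
.1/.2/.254, firewalls on .254, switches on .200/.201. Device roles are
inferred from the hostname, which is an assumption made for this lab only.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same shape as the session on the page. The last
# two Chicago lines deliberately break the plan: a duplicate of Telnet-3's
# 10.1.16.1, and a last octet (.7) that no router in this plan should use.
SAMPLE = """
Switch(config)#int vlan 20
Switch(config-if)#ip add 10.1.20.200 255.255.255.0
ASAv7(config)# int gi0/0.20
ASAv7(config-subif)# vlan 20
ASAv7(config-subif)# ip add 10.1.20.254 255.255.255.0
Telnet-3(config)#int gi0/0
Telnet-3(config-if)#ip add 10.1.16.1 255.255.255.0
Telnet-3(config-if)#int lo0
Telnet-3(config-if)#ip add 3.3.3.3 255.255.255.255
Chicago(config)#int gi0/2
Chicago(config-if)#ip address 10.1.16.1 255.255.255.0
Chicago(config-if)#int gi0/1
Chicago(config-if)#ip add 10.1.15.7 255.255.255.0
"""

# "Host(config-xxx)#command": hostname before the parenthesis, command after '#'.
PROMPT = re.compile(r"^(?P<host>[\w-]+)\(config[^)]*\)#\s*(?P<cmd>.*)$")
# "int gi0/1", "interface vlan 20", "int gi 0/1" (IOS accepts the space).
INTERFACE = re.compile(r"^int(?:erface)?\s+(?P<name>\S+(?:\s+\S+)?)$", re.I)
# "ip add", "ip addr", "ip address" followed by dotted address and netmask.
IPADDR = re.compile(
    r"^ip\s+add\w*\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)$", re.I)

ROLE_OCTETS = {"firewall": {254}, "switch": {200, 201}, "router": {1, 2, 254}}
PLAN_PREFIXES = ("10.1.", "10.2.", "192.168.")


def role_of(host):
    """Infer the device role from its hostname (lab naming convention, an assumption)."""
    h = host.lower()
    if h.startswith("asa"):
        return "firewall"
    if h.startswith("switch"):
        return "switch"
    return "router"


def parse_session(text):
    """Return [(host, interface, IPv4Interface), ...] from a pasted CLI session."""
    entries, current = [], {}          # current interface is tracked per host
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                     # show output, blank prompts, etc.
        host, cmd = m.group("host"), m.group("cmd").strip()
        if (i := INTERFACE.match(cmd)):
            current[host] = i.group("name").replace(" ", "")
        elif (a := IPADDR.match(cmd)):
            iface = ipaddress.IPv4Interface(f"{a.group('ip')}/{a.group('mask')}")
            entries.append((host, current.get(host, "?"), iface))
    return entries


def check_plan(entries):
    """Return a list of findings; an empty list means the session follows the plan."""
    findings, seen, per_subnet = [], {}, defaultdict(set)
    for host, ifname, iface in entries:
        where = f"{host} {ifname} {iface}"
        last = int(iface.ip) & 0xFF
        if ifname.lower().startswith("lo"):
            if iface.network.prefixlen != 32:
                findings.append(f"loopback not /32: {where}")
        else:
            net = iface.network
            if not (net.prefixlen == 24 and str(net.network_address).startswith(PLAN_PREFIXES)):
                findings.append(f"subnet outside the 10.1.X/10.2.X/192.168.X plan: {where}")
            role = role_of(host)
            if last not in ROLE_OCTETS[role]:
                findings.append(f"last octet .{last} not allowed for a {role}: {where}")
            per_subnet[net].add(host)
        # The same address on two different devices is a hard error.
        if iface.ip in seen and seen[iface.ip] != host:
            findings.append(f"duplicate address {iface.ip}: {seen[iface.ip]} and {host}")
        seen.setdefault(iface.ip, host)
    # A /24 with only one device on it is fine for an end-host segment but is
    # worth a second look on an interlink, so it is reported, not failed.
    for net, hosts in sorted(per_subnet.items()):
        if len(hosts) == 1:
            findings.append(f"only one device on {net} ({next(iter(hosts))}); confirm the far end is an end host")
    return findings


if __name__ == "__main__":
    for finding in check_plan(parse_session(SAMPLE)):
        print(finding)
```

To use it on the real thing, paste the terminal session into `SAMPLE` or read it from a file; the prompt regex ignores `show` output and bare prompts, so the session can be copied as-is. Run over the configs above it would list the single-device subnets (the switch's 10.2.X SVIs, the GETVPN-Client sub-interfaces, ASA9's 10.1.250.0/24) as informational lines, which is useful before the end hosts and the second ASA are addressed: every one of them should have an obvious far end.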
4 comments
Hi Stuart,
You have done a great job.
Actually, I need to build the whole lab, so do you have the steps?
Thanks
Hassan
Hi Hassan
If you are running UNL, then you can download the file in the link under "Click for configs".
Hello, good job... what is the hardware that you are running it on? Thank you!
Hello Stuart,
I am preparing for CCIE Sec v5. I find your website very helpful and keep visiting, and will do labs accordingly. Thank you very much for your effort and for sharing the knowledge.