CCIE Security v6 Practice Lab v1.

1|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Workbook Description
Author: CCIE Lab Center (CLC)
Focus: Practice
Level: Expert (CCIE)
Stream: CCIE Security v6: NAT & VPN Technology
Lab: Practice Lab v 2.0
Content: Topology, Questions, Initial Configuration, Solutions, Verifications.
Format: PDF
Protection: DRM Protected
Price/Cost: $150 USD

2|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Table of Contents Page No

1. Lab Details 4
1.1 Lab Summary 4
1.2 Initial Configuration 10

2. Taxas DC Site Deployment 24

2.1 CONFIGURE ASA1 & 2 FOR ACTIVE/STANDBY 24
2.2 Configure Static routing on ASA1 28
2.3 Configure telnet & SSH access on ASA1 from inside 29
2.4 Configure OSPF on ASA1 for MPLS link 30
2.5 Web server 10.10.10.254 should accessible from New Jersey ,Virginia & New York using MPLS Link 31
2.6 telnet-ssh should accessible from Virginia & New York using MPLS Link 34

3. Deployment of California 35
3.1 Configuring ASA3 interfaces with below configuration 35
3.2 Configuring ASA3 with Static routes 10.10.30.0/24 & 10.10.40.0/24—Next hop is 172.16.20.2 36
Default routes—Next hop is 192.168.200.1
3.3 Configuring ASA3 for SNMP with inside host 10.10.40.254 37
3.4 Configuring ASA3 for logging with inside host 10.10.40.254 37
3.6 Configuring Banner for ASA3 with below message 38
3.6 Configuring Static NAT for Web(HTTP,HTTPS) & FTP-RDP. 38
3.7 Configuring Internet access on 10.10.30.0/24 & 10.10.40.0/24 Network 44

4. Deployment of Virginia & New 45

4.1 Configuring Internet access for 10.20.20.0/24 on R2 45
4.2 Configuring Internet access for 10.30.10.0/24 on R3 router 47
4.3 Configuring single Gateway IPSec VPN between R2 & R3 with internet access 49
4.4 Configuring Dual Gateway IPSec VPN between R2 & R3 with internet access 54

5. Deployment of Virginia & New York 63

5.1 Configuring IPSec VPN between ASA4 & 5 63

3|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

1: LAB Details
3.

1.1: LAB Summary

1.1. a: Hardware details

1) Active/Standby Failover
2) Local Internet Access
3) Static & Dynamic NAT
4) Policy NAT
5) IPSec VPN
6) Dual IPSEC VPN+NAT (PAT) on Router
7) Dynamic Routing in ASA

dsdsdsdsd
CPU 8 core
RAM 32 GB
HDD 500 GB

Note: After starting all nodes wait for 10 minutes for CPU utilization getting back to normal.

4|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

1.1. b: How to upload images into EVE-NG

server
Step1: After starting eve-ng instance Login with filezilla (with your displayed ip address using username &
password as root & eve respectively)

Step2: Upload qemu images as shown below

Step3: Login to your eve-ng server/hypervisor/vmware/etc. with username root & password eve

Step4: Run below command using cli

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

5|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Step5: Uploading IOL images as shown below

Step6: Run below command using cli

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

For more details on uploading images you can visit the below link.
https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-iol-ios-on-linux/

6|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

1.1. c: Lab Topology in Light Mode

7|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

1.1. d: Lab Topology in Dark Mode

8|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Host
1.1. e: IPLocation
S/N name Details IP's
Outside Inside
1 ASA1 Taxas 192.168.2.2/29 80.100.10.2/29 172.16.10.1/29
2 ASA3 California NA 192.168.200.2/29 172.16.20.1/29
New
3 ASA4 Jersey 60.100.10.2/29 NA 172.16.30.1/29
4 ASA5 RTP 60.100.10.1/29 NA 172.16.40.1/29

1.1. f: Lab Nodes Used

Image versions used in Lab.

 Cisco v:ASA Cisco Adaptive Security Appliance Software Version 9.4(4)37
 MPLS Router: i86bi_LinuxL3-AdvEnterpriseK9-M2_15.bin
 Internet Router: i86bi_LinuxL3-AdvEnterpriseK9-M2_15.bin
 L2 Switch: i86bi_linux_l2-adventerprisek9-15.2b.bin
 Host system: EVE Docker GUI-Server
 Windows10: FTP/RDP
 Virtual PC:Testing

9|Page

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

1.2 : Initial Configuration

For ISP Router, Switches, Hosts and Servers configurations are given below.

Startup Configuration

I. Internet Router
hostname internet
ip name-server 8.8.8.8
ip name-server 1.1.1.1

ip domain-name ccielabcenter.com
interface Ethernet0/0
description *** Connected to ASA3 ***
ip address 192.168.200.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/1
description *** Connected to SW2 ***
ip address 60.100.20.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
!
!
interface Ethernet0/3
description *** Connected to R3 ISP1 ***
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
!
interface Ethernet1/0
description *** Connected to R3 ISP2 ***
ip address 192.168.250.1 255.255.255.248
ip nat inside

10 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

ip virtual-reassembly in
duplex auto
!
interface Ethernet1/1
description *** Connected to R2 ***
ip address 192.168.100.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
!
interface Ethernet1/2
description *** Connected to internet ***
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet1/3
ip address 192.168.150.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
!
ip nat inside source list NAT interface Ethernet1/2 overload
ip route 80.100.10.0 255.255.255.248 60.100.20.2
!
ip access-list standard NAT
permit 60.100.20.0 0.0.0.7
permit 80.100.10.0 0.0.0.7
permit 192.168.200.0 0.0.0.7
permit 192.168.100.0 0.0.0.7
permit 192.168.150.0 0.0.0.7
permit 192.168.250.0 0.0.0.7
!
II. MPLS

hostname MPLS

ip domain name ccielabcenter.com

interface Ethernet0/3
description *** Connected to R1 ***
ip address 192.168.3.1 255.255.255.248
duplex auto

11 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

!
interface Ethernet1/0
description *** Connected to R3 ***
ip address 192.168.4.1 255.255.255.248
duplex auto
!
interface Ethernet1/1
description *** Connected to ASA4 ***
ip address 192.168.1.1 255.255.255.248
duplex auto
!
interface Ethernet1/2
description *** Connected to SW1 ***
ip address 192.168.2.1 255.255.255.248
duplex auto
!
router ospf 10
redistribute connected subnets
network 192.168.1.0 0.0.0.7 area 0
network 192.168.2.0 0.0.0.7 area 0
network 192.168.3.0 0.0.0.7 area 0
network 192.168.4.0 0.0.0.7 area 0

III. SW1

hostname SW1

vlan 100
name MPLS
ip domain name ccielabcenter.com

interface Ethernet0/0
description *** Connected to MPLS ***
no switchport
ip address 192.168.2.2 255.255.255.248
duplex auto
!
interface Ethernet0/1
description *** Connected to SW2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet0/2
description *** Connected to ASA1 Gi0/0 Active ***
switchport access vlan 100
switchport mode access
duplex auto
!
!
interface Ethernet1/0
description *** Connected to ASA2 Gi0/0 SEC ***
switchport access vlan 100
switchport mode access
!

12 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

interface Vlan100
description *** COnnected to MPLS ***
ip address 192.168.10.1 255.255.255.248
!
router ospf 10
redistribute connected subnets
network 192.168.2.0 0.0.0.7 area 0
network 192.168.10.0 0.0.0.7 area 0

IV. SW2

hostname SW2
vlan 200
name INT
ip domain name ccielabcenter.com

interface Ethernet0/1
description *** Connected to SW1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/2
no switchport
ip address 60.100.20.2 255.255.255.248
duplex auto
!
interface Ethernet0/3
description *** Connected to ASA2 Gi0/1 SEC ***
switchport access vlan 200
switchport mode access
!
interface Ethernet1/0
description *** Connected to ASA1 Gi0/1 Active ***
switchport access vlan 200
switchport mode access
duplex auto
!!
interface Vlan200
description *** INT Link ***
ip address 80.100.10.1 255.255.255.248
!

ip route 0.0.0.0 0.0.0.0 60.100.20.1

V. SW3
hostname SW3

vtp domain clc

vtp version 2
vtp mode server
ip domain name ccielabcenter.com

vlan 10
name web

13 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

vlan 20
name telnet-ssh

interface Port-channel10
description *** Created for SW4 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/2
description *** Connected to ASA1 Gi0/2 Active ***
switchport access vlan 200
switchport mode access
!
interface Ethernet0/3
description *** Connected to Sw5 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan10
description *** Web ***
ip address 10.10.10.2 255.255.255.0
vrrp 10 ip 10.10.10.1
vrrp 10 priority 200
!
interface Vlan20
description *** FTP ***
ip address 10.10.20.2 255.255.255.0
vrrp 20 ip 10.10.20.1
vrrp 20 priority 200
!
interface Vlan200
description *** Inside ***
ip address 172.16.10.4 255.255.255.248
vrrp 200 ip 172.16.10.2
vrrp 200 priority 200

ip route 0.0.0.0 0.0.0.0 172.16.10.1

VI. SW4

hostname SW4
vtp domain clc
vtp version 2
vtp mode client
ip domain name ccielabcenter.com
interface Port-channel10
description *** Created for SW3 ***

14 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

switchport trunk encapsulation dot1q

switchport mode trunk
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/2
description *** Connected to ASA1 Gi0/2 Backup ***
switchport access vlan 200
switchport mode access
!
interface Ethernet0/3
description *** Connected to Sw5 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan10
description *** Web ***
ip address 10.10.10.3 255.255.255.0
vrrp 10 ip 10.10.10.1
!
interface Vlan20
description *** Ftp ***
ip address 10.10.20.3 255.255.255.0
vrrp 20 ip 10.10.20.1
!
interface Vlan200
description *** Inside ***
ip address 172.16.10.5 255.255.255.0
vrrp 200 ip 172.16.10.2

ip route 0.0.0.0 0.0.0.0 172.16.10.1

VII. SW5

hostname SW5
vtp domain clc
vtp version 2
vtp mode client

ip domain name ccielabcenter.com

interface Ethernet0/0
description *** Connected to SW3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
description *** Connected to SW4 ***

15 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

switchport trunk encapsulation dot1q

switchport mode trunk
!
interface Ethernet0/2
description *** Connected to WEB ***
switchport access vlan 10
switchport mode access
!
interface Ethernet0/3
description *** Connected to TELNET-SSH ***
switchport access vlan 20
switchport mode access

VIII. WEB (for Pro version)

16 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

ifconfig eth0 10.10.10.254 netmask 255.255.255.0

route add default gw 10.10.10.1 eth0

IX. Web (for Community version)

hostname web

username clc privilege 15 password 0 clc

interface Ethernet0/0
ip address 10.10.10.254 255.255.255.0
no shut

ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.10.1

X. Telnet-SSH

hostname SW7

ip domain name ccielabcenter.com

crypto key generate rsa
1024
username clc privilege 15 password clc

interface Ethernet0/0
ip address 10.10.20.254 255.255.255.0

17 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

ip default-gateway 10.10.20.1

line vt 0 4
transport input ssh telnet
login local

on SW6

vtp domain clc

vtp version 2
vtp mode server

hostname SW6
vlan 10
name HTTP-HTTPS
vlan 20
name FTP-RDP
ip domain name ccielabcenter.com

interface Ethernet0/0
description *** Connected to ASA3 Inside ***
no switchport
ip address 172.16.20.2 255.255.255.248
duplex auto
!
interface Ethernet0/1
description *** Connected to SW8 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/2
description *** Connected to SW9 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan10
description *** Created for HTTP-HTTPS ***
ip address 10.10.30.1 255.255.255.0
!
interface Vlan20
description *** Created for FTP-RDP ***
ip address 10.10.40.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 172.16.20.1

on SW8

hostname SW8
vtp domain clc
vtp version 2
vtp mode client
ip domain name ccielabcenter.com

18 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

interface Port-channel10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/0
description *** Connected to SW6 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
description ** COnnected to to SW9 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/2
description ** COnnected to to SW9 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/3
description *** Connected to SW10 ***
switchport trunk encapsulation dot1q
switchport mode trunk

on SW9

hostname SW9
vtp domain clc
vtp version 2
vtp mode client
ip domain name ccielabcenter.com

interface Port-channel10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/0
description *** Connected to SW6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
description *** Connected to SW8 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface Ethernet0/2
description *** COnnected to SW8 ***
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!

19 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

interface Ethernet0/3
description *** Connected to SW10 ***
switchport trunk encapsulation dot1q
switchport mode trunk

on SW10

vtp domain clc

vtp version 2
vtp mode client
ip domain name ccielabcenter.com

hostname SW10
interface Ethernet0/0
description *** Connected to SW8 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
description *** Connected to SW9 ***
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/2
description *** Connected to HTTP-HTTPS ***
switchport access vlan 10
switchport mode access
!
interface Ethernet0/3
description *** Connected to FTP-RDP ***
switchport access vlan 20
switchport mode access

XI. FTP-RDP(Windows10)

20 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

XII. R1

ip domain name ccielabcenter.com

Hostname R1
interface Ethernet0/0
description *** Connected to MPLS ***
ip address 192.168.3.2 255.255.255.248
duplex auto
!
interface Ethernet0/1
description *** Connected to SW12 ***
ip address 10.20.10.1 255.255.255.0
!
!
router ospf 10
redistribute connected subnets
network 192.168.3.0 0.0.0.7 area 0

XIII. R2
ip domain name ccielabcenter.com
Hostname R2
interface Ethernet0/0
description *** Connected to Internet ***
ip address 192.168.200.2 255.255.255.248
!
interface Ethernet0/1
description *** Connected to SW11 ***
ip address 10.20.20.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.200.1

!

XIV. SW11,SW12,SW13
Hostname SW11
Hostname SW12
Hostname SW13
ip domain name ccielabcenter.com

XV. VIP

hostname vip

interface Ethernet0/0

ip address 10.20.10.254 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 10.20.10.1

XVI. Vendor (for Pro version)

Go to Application > system tools >MATE Terminal

ifconfig eth0 10.20.20.254 netmask 255.255.255.0

21 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

route add default gw 10.20.20.1 eth0

vim /etc/resolv.conf

nameserver 1.1.1.1
nameserver 8.8.8.8

esc>:wq

Vendor (for Community version)

hostname vendor

interface Ethernet0/0
ip address 10.20.20.254 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 10.20.20.1

XVII. R3

Hostname R3
interface Ethernet0/2
description *** Connected to SW14 ***
ip domain name ccielabcenter.com

ip address 10.30.10.1 255.255.255.0

interface Ethernet0/3
description *** Connected to MPLS ***
ip address 192.168.4.2 255.255.255.248
duplex auto
!
interface Ethernet1/0
description *** Connected to ISP1 ***
ip address 192.168.150.2 255.255.255.248

router ospf 10
redistribute connected subnets
network 192.168.4.0 0.0.0.7 area 0

ip route 0.0.0.0 0.0.0.0 192.168.150.1

XVIII. SW14

Hostname SW14
ip domain name ccielabcenter.com

XIX. IT ( for Pro version)

Go to Application > system tools >MATE Terminal

ifconfig eth0 10.30.10.254 netmask 255.255.255.0
route add default gw 10.30.10.1 eth0

22 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

vim /etc/resolv.conf

nameserver 1.1.1.1
nameserver 8.8.8.8

esc>:wq

for Community version

hostname IT

username clc privilege 15 password 0 clc

interface Ethernet0/0
ip address 10.30.10.254 255.255.255.0
no shut

ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.30.10.1

XX. R4

Hostname R4
ip domain name ccielabcenter.com

interface Loopback10
ip address 10.40.10.1 255.255.255.0
!
interface Ethernet0/0
description *** Connected to ASA4 Inside ***
ip address 172.16.30.2 255.255.255.248
duplex auto

ip route 0.0.0.0 0.0.0.0 172.16.30.1

XXI. R5

Hostname R4
ip domain name ccielabcenter.com

interface Loopback10
ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/0
description *** Connected to ASA5 Inside ***
ip address 172.16.40.2 255.255.255.248
duplex auto

ip route 0.0.0.0 0.0.0.0 172.16.40.1

23 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

2: Taxas DC site Deployment

2.1: CONFIGURE ASA1 & 2 FOR ACTIVE/STANDBY

 Configure hostname as ASAv1 and ASAv2

 Configure ASAv2 device to back up ASAv2 in the event of failure
 Configure gi0/3 as the failover link
 Configure gi0/4 as the Stateful link
 Authenticate the failover control messages using a key “clc”
 Monitor all interfaces

ASA1 & ASA2 IP information

hostname Interface SEC Level Nameif PRI IP SEC IP
Gi0/0 0 internet 80.100.10.2/29 80.100.10.3/29
Gi0/1 0 mpls 192.168.2.2/29 192.168.2.3/29
ASA1 Gi0/2 100 inside 172.16.10.1/29 172.16.10.3/29
Gi0/3 NA fo 1.1.1.1/30 1.1.1.2/30
Gi0/4 NA stateful 2.2.2.1/30 2.2.2.2/30

Solution
On ASA1
hostname ASA1

interface g 0/0
no shut
nameif mpls
ip address 192.168.10.2 255.255.255.248 standby 192.168.10.3
interface g0/1
no shut
nameif internet
ip address 80.100.10.2 255.255.255.248 standby 80.100.10.3

interface g0/2
no shut
nameif inside
ip address 172.16.10.1 255.255.255.248 standby 172.16.10.3

24 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

interface g 0/3
no shut
description failover link
interface g0/4
no shut
description statefull link

failover lan unit primary

failover lan interface FO GigabitEthernet0/3
failover key clc
failover link STATE GigabitEthernet0/4
failover interface ip FO 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATE 2.2.2.1 255.255.255.252 standby 2.2.2.2

On ASA2

interface g 0/3
no shut

interface g0/4
no shut

failover lan unit secondary

failover lan interface FO GigabitEthernet0/3
failover key clc
failover link STATE GigabitEthernet0/4
failover interface ip FO 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATE 2.2.2.1 255.255.255.252 standby 2.2.2.2

Output on Primary

25 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Output on Secondary

26 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

27 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

2.2: Configure Static routing on ASA1

10.10.10.0.24 & 10.10.20.0/24 Next hop IP is 172.16.10.2

Solution
route inside 10.10.10.0 255.255.255.0 172.16.10.2

route inside 10.10.20.0 255.255.255.0 172.16.10.2

28 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

2.3:Configure telnet & SSH access on ASA1 from inside

Solution
passwd cisco
domain-name ccielabcenter.com
crypto key generate rsa modulus 1024
username admin password cisco privilege 15
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside

SSH access from telnet-ssh system

29 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

2.4: Configure OSPF on ASA1 for MPLS link

On ASA1
router ospf 10
network 192.168.10.0 255.255.255.248 area 0
redistribute static subnets

output

30 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

2.5: Web server 10.10.10.254 should accessible from

New Jersey ,Virginia & New York using MPLS Link

Solution
object network web-server
host 10.10.10.254
access-list mpls permit tcp any object web-server eq 80
access-group mpls in interface mpls

Output
on New York (IT System)

31 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

On Virginia R1 router

On New Jersey R4 can be try once after configuring ASA4

On ASA4

router ospf 10
network 192.168.1.0 255.255.255.248 area 0
redistribute connected subnets

access-list in extended permit tcp any host 10.10.10.254 eq www

access-group in in interface inside

32 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

33 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

2.6: telnet-ssh should accessible from Virginia &

New York using MPLS Link

34 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

3: Deployment of California

3.1 Configuring ASA3 interfaces with below configuration

ASA3 IP information
SEC
hostname Interface Level Nameif IP
Gi0/0 0 outside 192.168.200.2/29
ASA3 Gi0/2 100 inside 172.16.20.1/29

Solution

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.200.2 255.255.255.248

interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 172.16.20.1 255.255.255.248

35 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

3.2: Configuring ASA3 with Static routes

10.10.30.0/24 & 10.10.40.0/24—Next hop is 172.16.20.2 Default
routes—Next hop is 192.168.200.1

TASK2 Configuring ASA3 with Static routes

10.10.30.0/24 & 10.10.40.0/24—Next hop is 172.16.20.2

Solution
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
route inside 10.10.30.0 255.255.255.0 172.16.20.2 1
route inside 10.10.40.0 255.255.255.0 172.16.20.2 1

36 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

3.3: Configuring ASA3 for SNMP with inside host 10.10.40.254

solution

snmp-server community clc

snmp-server enable traps
snmp-server host inside 10.10.40.254
snmp-server location california
snmp-server contact clcadmin

3.4: Configuring ASA3 for logging with inside host 10.10.40.254

Solution

logging enable
logging buffer-size 4096
logging host inside 10.10.40.254
logging facility 16

37 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

3.5: Configuring Banner for ASA3 with below message

banner motd *
banner motd Welcome to ccielabcenter.com
banner motd Only authorized users are allowed to connect
banner motd *

3.6: Configuring Static NAT for Web(HTTP,HTTPS) & FTP-RDP.

PartA

object network web-server

host 10.10.30.254
nat (inside,outside) static 192.168.200.4
access-list out permit tcp any object web-server eq 80
access-list out permit tcp any object web-server eq 443
access-group out in interface outside

Verification from IT PC (New York)

For HTTP

38 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

For HTTPs

39 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

PartB 10.10.40.254

Configuration of ASA3
object network RDP
host 10.10.40.254

object network RDP

nat (inside,outside) static 192.168.200.5
access-list out extended permit tcp any object RDP eq 3389
access-list out extended permit tcp any object RDP range 20 21

Configuration of RDP server

Steps1: Download filezilla server for windwos
https://filezilla-project.org/download.php?type=server

steps2:configuring listen port on 21

40 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Steps: create user admin & password clc

41 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Steps 4:disable windows firewall

Verification

On IT system (New York)

42 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

43 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

3.7 :Configuring Internet access on 10.10.30.0/24 & 10.10.40.0/24

Network

Solution
On ASA3

object network web

subnet 10.10.30.0 255.255.255.0
nat (inside,outside) dynamic interface

object network ftp

subnet 10.10.40.0 255.255.255.0
nat (inside,outside) dynamic interface

access-list out permit ip any object web

access-list out permit ip any object ftp

on Windows PC

44 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

4: Deployment of Virginia & New york

4.1 Configuring Internet access for 10.20.20.0/24 on R2

router
Solution
interface Ethernet0/0
description *** Connected to Internet ***
ip address 192.168.100.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
description *** Connected to SW11 ***
ip address 10.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in

ip nat inside source list NAT interface Ethernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended NAT
permit ip 10.20.20.0 0.0.0.255 any

Output

45 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

46 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

4.2 : Configuring Internet access for 10.30.10.0/24 on R3 router

On R3
interface Ethernet0/1
description *** Connected to ISP2 ***
ip address 192.168.250.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/2
description *** Connected to SW14 ***
ip address 10.30.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in

ip nat inside source list NAT interface Ethernet0/1 overload

ip route 0.0.0.0 0.0.0.0 192.168.250.1

!
ip access-list extended NAT
permit ip 10.30.10.0 0.0.0.255 any

47 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

48 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

4.3 : Configuring single Gateway IPSec VPN

between R2 & R3 with internet access.

VPN Configuration on R2

crypto isakmp policy 5

encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.250.2
!
!
crypto ipsec transform-set CLC esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map SITE 10 ipsec-isakmp
set peer 192.168.250.2
set transform-set CLC
match address 101

interface Ethernet0/0
description *** Connected to Internet ***
ip address 192.168.100.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
crypto map SITE

ip nat inside source list NAT interface Ethernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended NAT
deny ip 10.20.20.0 0.0.0.255 10.30.10.0 0.0.0.255
permit ip 10.20.20.0 0.0.0.255 any
!
!
!
access-list 101 permit ip 10.20.20.0 0.0.0.255 10.30.10.0 0.0.0.255

49 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

VPN Configuration on R3
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.100.2
!
!
crypto ipsec transform-set CLC esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map SITE 10 ipsec-isakmp
set peer 192.168.100.2
set transform-set CLC
match address 101

interface Ethernet0/1
description *** Connected to ISP2 ***
ip address 192.168.250.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
crypto map SITE

ip nat inside source list NAT interface Ethernet0/1 overload

ip route 0.0.0.0 0.0.0.0 192.168.250.1

ip access-list extended NAT

deny ip 10.30.10.0 0.0.0.255 10.20.20.0 0.0.0.255
permit ip 10.30.10.0 0.0.0.255 any

access-list 101 permit ip 10.30.10.0 0.0.0.255 10.20.20.0 0.0.0.255

50 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Output on R3

51 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

From IT system

52 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

53 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

4.4 : Configuring Dual Gateway IPSec VPN

between R2 & R3 with internet access.

On R2
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.250.2
crypto isakmp key cisco123 address 192.168.150.2
!
!
crypto ipsec transform-set CLC esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map SITE 10 ipsec-isakmp
set peer 192.168.250.2
set peer 192.168.150.2
set transform-set CLC
match address 101

interface Ethernet0/0
description *** Connected to Internet ***
ip address 192.168.100.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
crypto map SITE

ip nat inside source list NAT interface Ethernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended NAT
deny ip 10.20.20.0 0.0.0.255 10.30.10.0 0.0.0.255
permit ip 10.20.20.0 0.0.0.255 any
!
!
access-list 101 permit ip 10.20.20.0 0.0.0.255 10.30.10.0 0.0.0.255

54 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

On R3

Configuring Dual Internet connection

interface Ethernet0/1
description *** Connected to ISP1 ***
ip address 192.168.250.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
crypto map SITE
!
interface Ethernet0/2
description *** Connected to SW14 ***
ip address 10.30.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
duplex auto

track 10 ip sla 1 reachability

delay down 2 up 2
!
track 20 ip sla 2 reachability
delay down 2 up 2
!
interface Ethernet1/3
ip address 192.168.150.2 255.255.255.248
description *** Connected to ISP2 ***
ip nat outside
ip virtual-reassembly in
duplex auto

ip nat inside source route-map ISP1 interface Ethernet0/1 overload

ip nat inside source route-map ISP2 interface Ethernet1/3 overload
ip route 0.0.0.0 0.0.0.0 192.168.250.1 name ISP1 track 10
ip route 0.0.0.0 0.0.0.0 192.168.150.1 name ISP2 track 20
!
ip access-list extended NAT
deny ip 10.30.10.0 0.0.0.255 10.20.20.0 0.0.0.255

55 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

permit ip 10.30.10.0 0.0.0.255 any

!
ip sla 1
icmp-echo 192.168.250.1
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.150.1
frequency 5
ip sla schedule 2 life forever start-time now
ipv6 ioam timestamp
!
route-map PBR permit 10
match ip address 130
set ip next-hop verify-availability 192.168.250.1 1 track 10
set ip next-hop verify-availability 192.168.150.1 2 track 20
!
route-map ISP2 permit 10
match ip address NAT
match interface Ethernet1/3
!
route-map ISP1 permit 10
match ip address NAT
match interface Ethernet0/1
!
!
access-list 130 permit ip any any

for Dual VPN gateway

interface Ethernet1/3
ip address 192.168.150.2 255.255.255.248
description *** Connected to ISP2 ***
crypto map SITE
ip nat outside
ip virtual-reassembly in
duplex auto

56 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Internet verification

Case1
Shutdown PRI ISP

Going from Secondary ISP

57 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Case 2
Shutdown Secondary Link

58 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Dual IPSec Verification,

Case1 when both ISP’s are up

Case2 when both ISP1 is down

59 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

R3#clear crypto session

Start ping from IT system 10.20.20.1

60 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

Case3 when both ISP2 is down

R3#clear crypto session

Start ping from IT system 10.20.20.1

61 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

62 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

5: Deployment of Virginia & New york

5.1 Configuring IPSec VPN between ASA4 & 5

On ASA4
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.100.10.2 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.30.1 255.255.255.248
!
interface GigabitEthernet0/2
nameif mpls
security-level 0
ip address 192.168.1.2 255.255.255.248

router ospf 10
network 192.168.1.0 255.255.255.248 area 0
log-adj-changes
redistribute connected subnets
route outside 0.0.0.0 0.0.0.0 60.100.10.1 1
route inside 10.40.10.0 255.255.255.0 172.16.30.2 1

VPN Configuration

crypto ikev1 enable outside

crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

access-list 1 extended permit ip 10.40.10.0 255.255.255.0 10.40.20.0 255.255.255.0

63 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

crypto ipsec ikev1 transform-set ipsec-vpn esp-aes esp-sha-hmac

crypto map site-a 10 match address 1
crypto map site-a 10 set pfs
crypto map site-a 10 set peer 60.100.10.1
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a interface outside

tunnel-group 60.100.10.1 type ipsec-l2l

tunnel-group 60.100.10.1 ipsec-attributes
ikev1 pre-shared-key cisco123

on ASA5

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.100.10.1 255.255.255.248
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.40.1 255.255.255.248
no shutdown

route outside 0.0.0.0 0.0.0.0 60.100.10.2 1

route inside 10.40.20.0 255.255.255.0 172.16.40.2 1

VPN configuration

access-list 1 extended permit ip 10.40.20.0 255.255.255.0 10.40.10.0 255.255.255.0

crypto ikev1 enable outside

crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

64 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

crypto ipsec ikev1 transform-set ipsec-vpn esp-aes esp-sha-hmac

crypto map site-b 10 match address 1
crypto map site-b 10 set pfs
crypto map site-b 10 set peer 60.100.10.2
crypto map site-b 10 set ikev1 transform-set ipsec-vpn
crypto map site-b interface outside

tunnel-group 60.100.10.2 type ipsec-l2l

tunnel-group 60.100.10.2 ipsec-attributes
ikev1 pre-shared-key cisco123

Verification on R4

Verification on ASA4

65 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

66 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup

 CCIE Security v6 Practice Lab v1.0

67 | P a g e

Web: https://ccielabcenter.com Mail: [email protected] Study Group: https://t.me/cciestudygroup