The Saga Continues... IE vs. IPexpert
IPexpert vs Internetwork Expert
I have to start by saying that the announcement from Internetwork Expert yesterday was well worth the wait. In fact, I couldn’t believe how much press they were getting. Brad Reese speculated that they had been bought by Cisco. Others thought that they would be announcing their involvement with the new Cisco 360 program. That wasn’t the case at all. In fact, the announcement was far from any of the speculation. In essence, I understood the general message to be that the way training is delivered today is getting old and stagnant, that this needs to change, and that it is going to change. People are becoming more dynamic, and as a company so is Internetwork Expert.
The good news for me is that I own the end-to-end program. That means that everything I have will be upgraded at no cost. The bad news is that I am going on my third attempt, which by the way is the average, and the CCIE Security track is third on their list. No matter though, it's still exciting news.
I waited till this morning to finish this post because I wanted to see what Matt Brooks over at IPexpert had to say on the IPexpert blog. Matt Brooks has a really good way of pointing out the flaws in Brian Dennis’ announcement. And by the way, I have had a few conversations with Matt Brooks and he really is a nice guy! Still, I wanted to put some of the thoughts in my mind down in print, not to point out flaws, but to express my thoughts, my likes, my hopes, and my disappointments.
I'll work in no particular order here. But let's begin with the claim of certifying the most people.
Internetwork Expert to make announcement via WebCast
Internetwork Expert has me curious.
The announcement they said would come this week is going to be given over a webcast. Make sure you sign up!
You can read the post and register over at the Internetwork Expert CCIE Blog.
Studies in VPN: Part 4
IOS to IOS through an ASA with Digital Certs.
First I set up R1:
r1(config)#ip domain-name internetworkexpert.com
r1(config)#cry key gen rsa general-keys modulus 1024
The name for the keys will be: r1.internetworkexpert.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]
r1(config)#
Oct 24 06:52:52.114: %SSH-5-ENABLED: SSH 1.5 has been enabled
Set the ISAKMP policy of an existing policy to use RSA Sigs:
r1(config)#cry isa pol 10
r1(config-isakmp)#authen rsa-sig
Now the fun stuff. Define the trustpoint and enroll.
r1(config)#cry ca trustpoint ca
r1(ca-trustpoint)#enrollment url http://10.0.0.100/certsrv/mscep/mscep.dll
r1(ca-trustpoint)#enrollment mode ra
r1(ca-trustpoint)#crl opt
r1(ca-trustpoint)#ex
r1(config)#cry ca authenti ca
Certificate has the following attributes:
Fingerprint: 4AA0BAAF 2A930A0D 2723EDF9 DC440103
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
r1(config)#cry ca enr ca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: r1.internetworkexpert.com
% The subject name in the certificate will be: r1.internetworkexpert.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
r1(config)# Fingerprint: A1A5FE03 0DB033D6 B0787141 904ADAAA
Oct 24 06:54:37.703: %SYS-3-CPUHOG: Task ran for 2160 msec (0/0), process = Crypto PKI RECV , PC = 81D8D4A8.
-Traceback= 81D8D4AC 803CE314
r1(config)#
The biggest issue with certs is making sure the cert is valid and installed. I use the following commands to verify:
! Time is current
r1(config)#do sh clock
06:55:15.044 UTC Fri Oct 24 2008
! Verify the cert is valid
r1#sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: 617A2510000000000008
Certificate Usage: General Purpose
Issuer:
CN = sc05-aaa
O = "Internetwork Expert, Inc."
L = Reno
ST = NV
C = US
EA = support@internetworkexpert.com
Subject:
Name: r1.internetworkexpert.com
OID.1.2.840.113549.1.9.2 = r1.internetworkexpert.com
CRL Distribution Point:
http://sc05-aaa/CertEnroll/sc05-aaa.crl
Validity Date:
start date: 06:44:35 UTC Oct 24 2008
end date: 06:54:35 UTC Oct 24 2009
renew date: 00:00:00 UTC Jan 1 1970
Associated Trustpoints: ca
CA Certificate
Status: Available
Certificate Serial Number: 77E11069C4DE5BB6451159DAFA708A39
Certificate Usage: Signature
Issuer:
CN = sc05-aaa
O = "Internetwork Expert, Inc."
L = Reno
ST = NV
C = US
EA = support@internetworkexpert.com
Subject:
CN = sc05-aaa
O = "Internetwork Expert, Inc."
L = Reno
ST = NV
C = US
EA = support@internetworkexpert.com
CRL Distribution Point:
http://sc05-aaa/CertEnroll/sc05-aaa.crl
Validity Date:
start date: 12:43:22 UTC Oct 29 2007
end date: 12:53:04 UTC Oct 29 2017
Associated Trustpoints: ca
r1#
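Since the check that matters here is "is the clock right and is the cert actually valid", the following script (an added example, not code from the post) parses show clock and show crypto ca certificates output and flags a missing CA cert, a status other than Available, the wrong trustpoint, or a router clock outside the validity window. The sample output is constructed from the R1 listing above; parsing only UTC timestamps is an assumption of the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, trimmed to the fields this check reads from the post's R1 output.
SHOW_CLOCK = "06:55:15.044 UTC Fri Oct 24 2008"
SHOW_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number: 617A2510000000000008
    start date: 06:44:35 UTC Oct 24 2008
    end   date: 06:54:35 UTC Oct 24 2009
  Associated Trustpoints: ca
CA Certificate
  Status: Available
  Certificate Serial Number: 77E11069C4DE5BB6451159DAFA708A39
    start date: 12:43:22 UTC Oct 29 2007
    end   date: 12:53:04 UTC Oct 29 2017
  Associated Trustpoints: ca
"""
# 'HH:MM:SS[.ms] UTC [Day] Mon DD YYYY' as printed by show clock and by the validity lines.
IOS_TIME = re.compile(r"(\d\d:\d\d:\d\d)(?:\.\d+)?\s+UTC\s+(?:[A-Za-z]{3}\s+)?([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})")

def parse_ios_time(text):
    """Parse an IOS timestamp; only UTC is handled (an assumption of this example)."""
    m = IOS_TIME.search(text)
    if not m:
        raise ValueError(f"unparseable IOS timestamp: {text!r}")
    hms, mon, day, year = m.groups()
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)

def parse_certificates(output):
    """Split 'show crypto ca certificates' output into one dict per certificate block."""
    certs = []
    for raw in output.splitlines():
        line = raw.strip()
        if re.fullmatch(r"(CA )?Certificate", line):  # block header: router cert or CA cert
            certs.append({"kind": line, "trustpoints": []})
        elif not certs:
            continue  # ignore anything before the first block
        elif line.startswith("Status:"):
            certs[-1]["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate Serial Number:"):
            certs[-1]["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("start date:"):
            certs[-1]["start"] = parse_ios_time(line)
        elif re.match(r"end\s+date:", line):
            certs[-1]["end"] = parse_ios_time(line)
        elif line.startswith("Associated Trustpoints:"):
            certs[-1]["trustpoints"] = line.split(":", 1)[1].split()
    return certs

def check_certificates(output, clock_text, trustpoint="ca"):
    """Return a list of problems; [] means both certs are Available, bound to the trustpoint and valid now."""
    now, certs, problems = parse_ios_time(clock_text), parse_certificates(output), []
    if {c["kind"] for c in certs} != {"Certificate", "CA Certificate"}:
        problems.append(f"router and CA certificates are not both present for trustpoint {trustpoint}")
    for c in certs:
        tag = f"{c['kind']} {c.get('serial', '?')}"
        if c.get("status") != "Available":
            problems.append(f"{tag}: status is {c.get('status')}")
        if trustpoint not in c["trustpoints"]:
            problems.append(f"{tag}: not bound to trustpoint {trustpoint}")
        if "start" not in c or "end" not in c:
            problems.append(f"{tag}: validity dates not found")
        elif now < c["start"]:
            problems.append(f"{tag}: not yet valid, router clock is before its start date")
        elif now > c["end"]:
            problems.append(f"{tag}: expired on {c['end']:%Y-%m-%d}")
    return problems
```

Feed it the real output of both show commands and an empty list means the router can sign and the peer's CA chain is in place; a "not yet valid" result usually points at a router clock that was never set.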
Now we test and... success!
ping 150.2.2.2 sour l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
Oct 24 07:06:32.961: ISAKMP: received ke message (1/1)
Oct 24 07:06:32.961: ISAKMP (0:0): SA request profile is (NULL)
Oct 24 07:06:32.961: ISAKMP: local port 500, remote port 500
Oct 24 07:06:32.961: ISAKMP: set new node 0 to QM_IDLE
Oct 24 07:06:32.965: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82E7FF94
Oct 24 07:06:32.965: ISAKMP (0:3): Can not start Aggressive mode, trying Main mode.
Oct 24 07:06:32.965: ISAKMP: Looking for a matching key for 136.5.122.2 in default : success
Oct 24 07:06:32.965: ISAKMP (0:3): found peer pre-shared key matching 136.5.122.2
Oct 24 07:06:32.965: ISAKMP (0:3): constructed NAT-T vendor-03 ID
Oct 24 07:06:32.965: ISAKMP (0:3): constructed NAT-T vendor-02 ID
Oct 24 07:06:32.965: ISAKMP (0:3): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 24 07:06:32.965: ISAKMP (0:3): Old State = IKE_READY New State = IKE_I_MM1
Oct 24 07:06:32.965: ISAKMP (0:3): beginning Main Mode exchange
Oct 24 07:06:32.969: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 24 07:06:33.138: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 24 07:06:33.138: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 07:06:33.142: ISAKMP (0:3): Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 24 07:06:33.142: ISAKMP (0:3): processing SA payload. message ID = 0
Oct 24 07:06:33.142: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.142: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
Oct 24 07:06:33.142: ISAKMP (0:3): vendor ID is NAT-T v3
Oct 24 07:06:33.142: ISAKMP : Scanning profiles for xauth ...
Oct 24 07:06:33.142: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 10 policy
Oct 24 07:06:33.146: ISAKMP: encryption 3DES-CBC
Oct 24 07:06:33.146: ISAKMP: hash MD5
Oct 24 07:06:33.146: ISAKMP: default group 1
Oct 24 07:06:33.146: ISAKMP: auth RSA sig
Oct 24 07:06:33.146: ISAKMP: life type. in seconds
Oct 24 07:06:33.146: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 24 07:06:33.146: ISAKMP (0:3): atts are acceptable. Next payload is 0
Oct 24 07:06:33.310: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.310: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
Oct 24 07:06:33.310: ISAKMP (0:3): vendor ID is NAT-T v3
Oct 24 07:06:33.310: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 07:06:33.310: ISAKMP (0:3): Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 24 07:06:33.314: ISAKMP (0:3): constructed HIS NAT-D
Oct 24 07:06:33.314: ISAKMP (0:3): constructed MINE NAT-D
Oct 24 07:06:33.314: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 24 07:06:33.318: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 07:06:33.318: ISAKMP (0:3): Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 24 07:06:33.526: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 24 07:06:33.526: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 07:06:33.526: ISAKMP (0:3): Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 24 07:06:33.530: ISAKMP (0:3): processing KE payload. message ID = 0
Oct 24 07:06:33.731: ISAKMP (0:3): processing NONCE payload. message ID = 0
Oct 24 07:06:33.735: ISAKMP (0:3): SKEYID state generated
Oct 24 07:06:33.735: ISAKMP (0:3): processing CERT_REQ payload. message ID = 0
Oct 24 07:06:33.735: ISAKMP (0:3): peer wants a CT_X509_SIGNATURE cert
Oct 24 07:06:33.739: ISAKMP (0:3): peer want cert issued by CN = sc05-aaa, O = "Internetwork Expert, Inc.", L = Reno, ST = NV, C = US, EA = support@internetworkexpert.com
Oct 24 07:06:33.739: ISAKMP (0:3): Choosing trustpoint ca as default key issuer
Oct 24 07:06:33.739: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.739: ISAKMP (0:3): vendor ID is Unity
Oct 24 07:06:33.739: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.743: ISAKMP (0:3): vendor ID is DPD
Oct 24 07:06:33.743: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.743: ISAKMP (0:3): speaking to another IOS box!
Oct 24 07:06:33.743: ISAKMP:received payload type 17
Oct 24 07:06:33.743: ISAKMP (0:3): Detected NAT-D payload
Oct 24 07:06:33.743: ISAKMP (0:3): NAT match MINE hash
Oct 24 07:06:33.743: ISAKMP:received payload type 17
Oct 24 07:06:33.743: ISAKMP (0:3): Detected NAT-D payload
Oct 24 07:06:33.743: ISAKMP (0:3): NAT match HIS hash
Oct 24 07:06:33.743: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 07:06:33.747: ISAKMP (0:3): Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 24 07:06:33.759: ISAKMP (3): My ID configured as IPv4 Addr, but Addr not in Cert!
Oct 24 07:06:33.759: ISAKMP (3): Using FQDN as My ID
Oct 24 07:06:33.759: ISAKMP (0:3): SA is doing RSA signature authentication using id type ID_FQDN
Oct 24 07:06:33.763: ISAKMP (3): ID payload
next-payload : 6
type : 2
FQDN name : r1.internetworkexpert.com
protocol : 17
port : 500
length : 29
Oct 24 07:06:33.763: ISAKMP (3): Total payload length: 33
Oct 24 07:06:33.763: ISKAMP: growing send buffer from 1024 to 3072
Oct 24 07:06:33.763: ISAKMP (0:3): using the ca trustpoint's keypair to sign
Oct 24 07:06:34.909: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 24 07:06:34.909: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 07:06:34.909: ISAKMP (0:3): Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 24 07:06:37.421: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 24 07:06:37.433: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 07:06:37.433: ISAKMP (0:3): Old State = IKE_I_MM5 New State = IKE_I_MM6
Oct 24 07:06:37.433: ISAKMP (0:3): processing ID payload. message ID = 0
Oct 24 07:06:37.433: ISAKMP (3): Process ID payload
type : 2
FQDN name : r2.internetworkexpert.com
protocol : 17
port : 500
length : 25
Oct 24 07:06:37.437: ISAKMP (0:3): processing CERT payload. message ID = 0
Oct 24 07:06:37.437: ISAKMP (0:3): processing a CT_X509_SIGNATURE cert
Oct 24 07:06:37.461: ISAKMP (0:3): peer's pubkey isn't cached
Oct 24 07:06:38.687: ISAKMP (0:3): cert approved with warning
Oct 24 07:06:38.723: ISAKMP (0:3): Cert presented by peer contains no OU field.
Oct 24 07:06:38.747: ISAKMP (0:3): processing SIG pa.!
Success rate is 20 percent (1/5), round-trip min/avg/max = 8/8/8 ms
r1#yload. message ID = 0
Oct 24 07:06:38.747: ISAKMP (3): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = r2.internetworkexpert.com
Oct 24 07:06:38.819: ISAKMP (0:3): SA has been authenticated with 136.5.122.2
Oct 24 07:06:38.819: ISAKMP (0:3): peer matches *none* of the profiles
Oct 24 07:06:38.819: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 07:06:38.819: ISAKMP (0:3): Old State = IKE_I_MM6 New State = IKE_I_MM6
Oct 24 07:06:38.819: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 07:06:38.823: ISAKMP (0:3): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 24 07:06:38.823: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of -609653415
Oct 24 07:06:38.827: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 24 07:06:38.827: ISAKMP (0:3): Node -609653415, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 24 07:06:38.827: ISAKMP (0:3): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Oct 24 07:06:38.827: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 24 07:06:38.831: ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 24 07:06:39.088: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) QM_IDLE
Oct 24 07:06:39.092: ISAKMP (0:3): processing HASH payload. message ID = -609653415
Oct 24 07:06:39.092: ISAKMP (0:3): processing SA payload. message ID = -609653415
Oct 24 07:06:39.092: ISAKMP (0:3): Checking IPSec proposal 1
Oct 24 07:06:39.096: ISAKMP: transform 1, ESP_3DES
Oct 24 07:06:39.096: ISAKMP: attributes in transform:
Oct 24 07:06:39.096: ISAKMP: encaps is 1
Oct 24 07:06:39.096: ISAKMP: SA life type in seconds
Oct 24 07:06:39.096: ISAKMP: SA life duration (basic) of 3600
Oct 24 07:06:39.096: ISAKMP: SA life type in kilobytes
Oct 24 07:06:39.096: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Oct 24 07:06:39.096: ISAKMP: authenticator is HMAC-MD5
Oct 24 07:06:39.096: ISAKMP (0:3): atts are acceptable.
Oct 24 07:06:39.100: ISAKMP (0:3): processing NONCE payload. message ID = -609653415
Oct 24 07:06:39.100: ISAKMP (0:3): processing ID payload. message ID = -609653415
Oct 24 07:06:39.100: ISAKMP (0:3): processing ID payload. message ID = -609653415
Oct 24 07:06:39.104: ISAKMP (0:3): Creating IPSec SAs
Oct 24 07:06:39.104: inbound SA from 136.5.122.2 to 136.5.121.1 (f/i) 0/ 0
(proxy 150.2.2.0 to 150.1.1.0)
Oct 24 07:06:39.104: has spi 0x90C8D932 and conn_id 2000 and flags 2
Oct 24 07:06:39.104: lifetime of 3600 seconds
Oct 24 07:06:39.108: lifetime of 4608000 kilobytes
Oct 24 07:06:39.108: has client flags 0x0
Oct 24 07:06:39.108: outbound SA from 136.5.121.1 to 136.5.122.2 (f/i) 0/ 0 (proxy 150.1.1.0 to 150.2.2.0 )
Oct 24 07:06:39.108: has spi 214252587 and conn_id 2001 and flags A
Oct 24 07:06:39.108: lifetime of 3600 seconds
Oct 24 07:06:39.108: lifetime of 4608000 kilobytes
Oct 24 07:06:39.108: has client flags 0x0
Oct 24 07:06:39.108: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 24 07:06:39.112: ISAKMP (0:3): deleting node -609653415 error FALSE reason ""
Oct 24 07:06:39.112: ISAKMP (0:3): Node -609653415, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 24 07:06:39.112: ISAKMP (0:3): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
r1#ping 150.2.2.2 sour l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r1#
Studies in VPN: Part 3
IOS LAN-to-LAN with PSK through an ASA.
***The catch: NAT configured and dynamic crypto maps configured.
I ran into an interesting situation:
r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 136.5.122.2
Extended IP access list r1tor2
access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
Current peer: 136.5.122.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3des-esp,
}
Interfaces using crypto map vpn:
FastEthernet0/0
Pings fail:
r1#ping 150.2.2.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.....
Success rate is 0 percent (0/5)
But it looks like it's working based on the stats:
local ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
current_peer: 136.5.122.2:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2
path mtu 1500, media mtu 1500
current outbound spi: 674293ED
inbound esp sas:
spi: 0xBD012AAD(3170970285)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4590553/3219)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x674293ED(1732416493)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4590551/3219)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
r1#
A little tweaking on the ASA, clear the ASA and try again:
r1#clear cry sa
r1#
r1#
r1#sh cry isa sa
dst src state conn-id slot
136.5.122.2 136.5.121.1 MM_NO_STATE 1 0 (deleted)
r1#ping 150.2.2.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
r1#sh cry isa sa
dst src state conn-id slot
136.5.122.2 136.5.121.1 QM_IDLE 2 0
136.5.122.2 136.5.121.1 MM_NO_STATE 1 0 (deleted)
r1#
So what was the problem? The access-list on the ASA didn’t allow NAT-T.
On another note, the interesting thing about this configuration is that you have to initiate the connection from the inside, since R2 is using a dynamic crypto map.
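To make that lesson mechanical, here is a small checker (an added example, not the post's code) that reads the router's show crypto ipsec sa output to decide whether NAT-T is in play and then verifies the ASA access-list permits what the tunnel actually needs. The ACL lines and SA lines are constructed from Part 2 and Part 3 of the post; the ASA port keyword non500-isakmp is assumed to mean UDP/4500.

```python
import re

# Constructed samples mirroring the post: the Part 2 ACL (ESP and ISAKMP only) and
# R1's 'show crypto ipsec sa' lines from Part 3, where the peer sits behind NAT on UDP/4500.
ASA_ACL_BEFORE = """\
access-list outside_in permit esp any any
access-list outside_in permit udp any any eq isakmp
"""
ASA_ACL_AFTER = ASA_ACL_BEFORE + "access-list outside_in permit udp any any eq 4500\n"

SHOW_IPSEC_SA = """\
   current_peer: 136.5.122.2:4500
     #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
     #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
     inbound esp sas:
      spi: 0xBD012AAD(3170970285)
        in use settings ={Tunnel UDP-Encaps, }
"""

# ASA port keywords accepted after 'eq' (assumption: only these two matter for IPsec here).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

def natt_in_use(ipsec_sa_output):
    """NAT-T is in play when the peer is on UDP/4500 or the SA is marked UDP-Encaps."""
    on_4500 = re.search(r"current_peer:\s*[\d.]+:4500\b", ipsec_sa_output) is not None
    return on_4500 or "UDP-Encaps" in ipsec_sa_output

def parse_permits(acl_text):
    """Collect ('esp',) and ('udp', port) permits; only lines with 'eq <port>' are understood."""
    permits = set()
    for line in acl_text.splitlines():
        m = re.match(r"access-list\s+\S+\s+permit\s+(esp|udp)\b(.*)", line.strip())
        if not m:
            continue
        proto, rest = m.groups()
        if proto == "esp":
            permits.add(("esp",))
            continue
        pm = re.search(r"\beq\s+(\S+)", rest)
        if pm:
            tok = pm.group(1)
            port = PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)
            if port is not None:
                permits.add(("udp", port))
    return permits

def missing_permits(acl_text, ipsec_sa_output):
    """Describe what the tunnel needs that the ACL does not allow."""
    needed = {("udp", 500): "UDP/500 for ISAKMP"}
    if natt_in_use(ipsec_sa_output):
        # Behind NAT, ESP rides inside UDP/4500; a bare 'permit esp' no longer helps.
        needed[("udp", 4500)] = "UDP/4500 for NAT-T (ESP is UDP-encapsulated)"
    else:
        needed[("esp",)] = "ESP (IP protocol 50)"
    have = parse_permits(acl_text)
    return [desc for key, desc in needed.items() if key not in have]
```

The "encaps climbing while decaps lags" pattern in the stats above is exactly what this catches: the router encrypts happily, but the UDP/4500 replies never make it back through the firewall.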
Final Configs (zipped)
Static Route Tracking with ASA 8.x
For a few days now I have been playing with static route tracking in my SNAF class. The class is running ASA 8.0(2). After reading every document I can find and testing in my lab, I have concluded that version 8.0(2) does not work. I can’t find a bug report on it, but I tested it over and over again.
Finally I decided to upgrade to code 8.0(3). Success! Below is what I did to test and the results:
To begin, here is the topology:
First I set up the interfaces:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.6.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.6.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif backup
security-level 0
ip address 192.168.5.25 255.255.255.0
!
Are you a Cisco Reseller?
I found an interesting article that may give Cisco Resellers a glimmer of hope if they feel they have been given unfair treatment.
In the article, the company “Infra-Comm” is suing based on a claim that Cisco gave a 5-million dollar deal to AT&T. Here is what the judge says:
..the judge found three provisions in Cisco’s ICPA unconscionable: that the partner is not provided with an opportunity to negotiate the terms of the contract when using Cisco’s Web site to renew contracts; that Cisco could terminate a reseller agreement with only a month’s notice, or without notice at the beginning of each year; and that the ICPA limits damages to what a reseller pays Cisco over the course of three months for services and products, which could be unfair to longtime resellers.
Studies in VPN: Part 2
IOS to IOS with PSK thru an ASA without NAT
The topology:
Allow ESP and ISAKMP thru the ASA:
ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#
Over on R2 I create a loopback to encrypt traffic to R1:
r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#
Next, create an ISAKMP policy:
Studies in VPN: Part 1
DISCLAIMER***
The first note I want to make regarding the VPN topics I will be blogging is that these are actually my personal notes from Internetwork Expert's Volume 1 and 2 Lab Guide and the IPexpert Security Lab Workbook. There are a few topologies that I will be exploring, and I don't plan on taking you through each step of the lab guide; rather, I will be making notes on the tangents I take. If you want to do their labs, don't rely on these posts; go buy their workbooks. It's worth every penny.
Site-to-Site between routers with a PIX in the middle
The First VPN configuration is based on one of the IPexpert Security Workbook Labs. It requires that I configure a VPN between two routers, with the VPN traffic passing through a PIX.
The first step was to load the default configs. There were no defaults for the switches, so I had to create them on the fly. You can find the initial configurations here:
Switch1
Switch2
R1
R2
R4
R5
PIX
The next step was to statically map R5 and make sure that IPSec traffic could pass thru the PIX:
Vacation is over.
Some of you know that I just went to San Jose for my second Security Lab attempt. While I did better than the first attempt, I will be taking it one more time. Yes, one more time. I know some areas that I really want to nail down. I think that VPN is taking me too long. It’s not that I can’t do it, it's just that I should do it faster.
So here is the Game Plan:
On the right side of this blog I have placed a countdown timer to my third lab date. This is the one I am going to pass. (It’s ok, I can delete this post if I fail again)
Between now and then I am resolved to go back through the Internetwork Expert Volume 1 Lab Guide and do every VPN lab in it until I can see the configs in my sleep. Then I want to firm up the MPF on the PIX and ASA, mostly just the ones that use regex in them. I want to be able to burn through those configs. Finally, I think I should work on Network Attacks. What I may end up doing between now and then is ALL of Volume 1 and Volume 2 again.
I am also scheduled for the IPexpert bootcamp. If work doesn’t hassle me, that should put me over the top.
There is however one little catch. I have a CCNA Wireless Quick Reference Sheet due into Cisco Press by November 1st. I better go wrap that up.
Just Moved GlobalConfig
I just moved GlobalConfig.net. I hope this goes more smoothly than I think. If you are subscribed to both, you can delete the old feed for GlobalConfig. This will be the only one updated now.
Thanks
Brandon