CCIE Security Advanced Technologies Class - ASA Reliable Static Routing

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:00
0:00:12	In our next section here we're going to look at the reliable static routing feature on the ASA
0:00:18	That's used in the conjuction with the ip service level agreement
0:00:22	and the enhanced object tracking in order to allow static routes to figure out
0:00:27	default gateway on the particular land segment is up or down
0:00:32	and in the case the gateway goes down
0:00:34	the static route can be removed from the routing table
0:00:37	in order to re-route around a failure in the topology
0:00:44	Now just like the IOS implementation of this
0:00:47	The reliable static routing using enhanced object tracking
0:00:51	its going to use two main portions to acomplish it
0:00:54	The first one called the service level agreement or the response time reporter the SLA or the RTR
0:01:02	Now what the SLA does
0:01:04	is check the reachability to a particular address on the segment
0:01:08	with an ICMP Echo
0:01:10	or simple ICMP pank
0:01:12	unlike the IOS we do not have an advance service level agreement metrics
0:01:18	things like the voice or IP delay
0:01:21	or DHCP servers or DNS servers response time
0:01:25	in the case of ASA it is going to be the basic thing
0:01:28	so we're going to ping this address to figure out is it up or is it down
0:01:33	the next section is based on enhanced object tracking feature or EOT
0:01:39	enhanced object tracking
0:01:41	is going to creature an object
0:01:44	that references the SLA configuration that is doing the pinging
0:01:48	so the SLA is doing the ping trying to figure out is the host alive or not
0:01:56	now in the case that the ping is successful
0:02:00	the object is going to report its status as true or up
0:02:04	if the ping fails
0:02:08	the enhanced object is going to report its status as false or down
0:02:12	now based on the status whether the object is up or down
0:02:17	is how we can use the realibility
0:02:21	or i should arealibility into the static routing feature
0:02:25	and the way we do this
0:02:27	is the have to static rout reference the object
0:02:30	so the primary route
0:02:32	that were using the reliable check
0:02:35	can only be installed in the routing table if the object is up
0:02:39	if the object proports itself is as false or reports itself as down
0:02:43	the route is not valid and it has to be removed from the routing table
0:02:49	so the final result for this
0:02:51	is that we are able to do either floating static routes or equal cost multi path
0:02:57	in a way that the router is going to able figure out in this case actually ASA
0:03:02	is going to figure out is the next not value is actually valid
0:03:05	on that particular length
0:03:08	the reason that you going to want in the first place
0:03:12	is that ethernet that the ASA is using to connect to the rest of the topology
0:03:17	is not reliable
0:03:19	in the terms of being able to detect failures in the topology
0:03:24	so for example, We if w're look at a case
0:03:27	were we had
0:03:29	ASA 1
0:03:32	that is attached to lets to different providers
0:03:36	we have interface outside 1
0:03:38	and we have interface outside 2
0:03:41	outside 1 may be this is connecting to
0:03:45	our service provider using a cable modem
0:03:48	and outside 2
0:03:50	this is our backup ISP w're using
0:03:53	DSL for this one
0:03:56	now the potential issue with either of these tecnologies
0:04:00	is that the local loop
0:04:02	were the connection between the ASA and the service provider edge
0:04:06	is using ethernet
0:04:09	so we have ethernet on our side
0:04:12	then on there side in the case of cable this would be either
0:04:16	a coax or fibre depending on how they are doing their
0:04:19	errrr physical
0:04:21	loop into the segment
0:04:23	then over DSL this is going to be the pstl or the legacy network
0:04:28	this is actually a ATM PBC that is multiplex over the PSTN network
0:04:35	now the potential issue that we run into these access technologies
0:04:39	is that if the cable modem loses its connectivity to the upstream neighbour
0:04:46	or like wise if the ATM PBC
0:04:49	between the DSL modem and the Deslam
0:04:52	which is the DSL aggregation
0:04:55	if either of these links goes down
0:04:59	so the cable side on the esl side
0:05:01	it is not going to update
0:05:03	the status of the ethernet interface on the ASL
0:05:08	and this type of design is going to be true while wer using a firewall on the edge or ur using router on the edge or a just sort of layer 2 device or an ethernet switch or bridge
0:05:19	so that ur trying to do
0:05:21	is add some additional application level tracking
0:05:25	which is in this case is the application ICBP ping
0:05:28	to figure out is not only the local segment up
0:05:34	but is the actually the end to end conectivity from us
0:05:37	to the service provider working
0:05:40	where in cae the ASA
0:05:42	we would want to test our connectivity
0:05:45	to whatever the applicable modem termination system the CMTS
0:05:50	or the case of
0:05:52	DSL may be ping an address that's on the DSCAM
0:05:56	that the DSl aggregation multiplexer
0:05:59	where in this case if the ASA
0:06:02	is able to send the ping all the way into the service provider network and then get the reply
0:06:08	we can asume that this link is fine
0:06:10	and this link is fine
0:06:13	like wise to see to be true with the DSL i send ping all the way into the netwok
0:06:18	cast the local loop and get reply back
0:06:21	i know my local interface
0:06:24	that's connecting the DSL modem
0:06:26	that from the DSL upto
0:06:28	the actual DSL activation and beyond is worth
0:06:33	then again the promise failed on the local loop is not going to
0:06:36	impact the line protocol of the ethernet interface
0:06:41	this is what
0:06:44	protocol's like ethernet
0:06:46	operations OEM
0:06:49	are designed to solve
0:06:50	or the protocol known as the BFD Birdirectional forwarding detection
0:06:55	so these are additional layer two keep alives
0:06:57	that are going to tell us is the end to end segment actually working
0:07:02	but the issue is that u have to as a customer
0:07:05	to have to cordinate with the service provider in order to do this
0:07:09	to do a basic IPSP ping u dont' have to talk to anybody
0:07:12	if i can ping my gateway
0:07:13	i can see that my local loop is up
0:07:16	if there is something wrong beyond that then its really out of my control
0:07:20	the least i know that i can check on the local interface that everything working OK
0:07:26	so now lets take a lot at this
0:07:29	our case here
0:07:32	on the connection from the ASA
0:07:34	to the outside
0:07:36	we are using a interface ethernet zero slash zero
0:07:39	that's on the same
0:07:41	be that as router 2
0:07:45	now what iam going to do additionally is add an other interface
0:07:50	that is.....
0:07:53	to go to router 2 actually you don't have to do another interface you can do the same link
0:07:57	iam just going to put a secondary address
0:08:00	on router 2
0:08:02	so we will see that the routing logic is going to work as same
0:08:05	whether we doing the multiple satic route of the same interface
0:08:10	or multiple static routes out different interfaces
0:08:14	so router 2 is going to behave as if it two seperate physcial gateways on the segment
0:08:19	its our primary gateway and our secondary gateway
0:08:22	we'r going check this with the ping
0:08:24	if the ping goes down
0:08:26	we want to change the route from the primary gateway to the secondary
0:08:31	so say the secondary address is dot 1
0:08:34	or the primary address is going to be dot 2
0:08:40	so configuration wise
0:08:42	the first thing we need to do
0:08:44	is to define the SLA
0:08:48	then again the SLA is what we are using to track
0:08:52	whether the ping is actually working or not
0:08:55	the SLA is actually generated the ping
0:08:59	so in global configure say SLA monitor
0:09:03	and give a number
0:09:05	say SLA intance that we'r creating
0:09:09	i want to generate an echo that is using the protocol
0:09:12	IpIcmpEcho
0:09:16	now it uses the syntax format it might look like its kind going out of my way
0:09:20	ever though there is one option here
0:09:22	if you look this under the routers IOS when u look at protocol
0:09:26	there is bunch of differnt options we have here beside just an ICMP ping
0:09:30	so thing is like
0:09:32	a UDP to measure the delay of the voice or IP call
0:09:36	or a DHCP and DNS request to figure out
0:09:40	is like DHCP server up like DNS server up
0:09:44	but here in case its just he basic thing
0:09:48	so here i am going to ping router 2s primary address
0:09:52	which again is 200.0.122.2
0:09:57	200.0.122.2
0:10:02	and the interface that's going out of this is outside
0:10:07	thats where router 2 is reachable
0:10:10	now have some other minor options here like how often we r going to send a pings
0:10:14	i will say send them every 3 secs
0:10:17	how long iam going to wait for the response to come back in
0:10:21	i will say the time out is going to be
0:10:24	let say one second or 1000 m/sc
0:10:27	we re sending the pings every 3 secs
0:10:35	now technically i could leave all the defaults
0:10:38	other than the find the address that iam pinging
0:10:42	but go to router 2 now
0:10:45	and make a few changes
0:10:47	the first one i am going to say debug icmp
0:10:50	so i want to see are the pings actually coming in
0:10:53	from the ASA
0:10:55	now they are not yet because i didnt tell her to start
0:10:57	the SLA instance
0:10:59	its configured that its not actually initialised yet
0:11:03	next thing iam going to do is on the ethernet interface
0:11:07	im going to configure an other address
0:11:10	200.0.122.1
0:11:15	and again this is going to be
0:11:17	a secondary address
0:11:25	next on ASA im going to schedule the SLA instance
0:11:29	so we will say SLA monitor schedule
0:11:34	instance no 1 i want to start it now
0:11:38	and i want the lifetime to be forever
0:11:42	so im going to cancel the thing its never going to time up
0:11:45	we will look to router 2 now we should see every 3 secs
0:11:49	the ICMP echo is coming in from the ASA
0:11:55	if we'r to look at the
0:11:57	log time stamps and debug time stamps
0:11:59	we will see then
0:12:01	being sent 3 secs apart
0:12:03	we did the same thing on the ASA
0:12:05	we should see that the time out
0:12:07	is less than 1 sec
0:12:10	so if i say log in console 7
0:12:18	if we have the time stamps on
0:12:22	if we looked at the time between more building the connection and tearing it down
0:12:26	that would tell us how long is extra taking us to get the reply
0:12:30	even in general the reply should be fairly quick becuase we are on the same lansec
0:12:34	i ping route2 again
0:12:37	or router that 2
0:12:41	we could see the average response time is 2 msec
0:12:43	so the 1000 m/sec definitely a feasible value to have as the time out here
0:12:50	now i have the SLA instance running
0:12:52	i want to tie it to an enhanced object
0:12:55	so the object
0:12:59	not the object true
0:13:03	this is going to be the track object
0:13:06	so track or say track no 2
0:13:09	is going to call the RTR or the SLA
0:13:13	so they are same feature they are RTR & SLA
0:13:16	instance no 1
0:13:18	i want to check the reachablility
0:13:21	and in the case of the ASA the no other sub options here so were try to get on
0:13:25	if now look at the show trap
0:13:29	it says that the SLA instance
0:13:32	is giving us the return code of OK
0:13:36	which means that our object is now up
0:13:41	so the object is reporting true
0:13:44	as long as the object reports true
0:13:47	any routes that are referencing the object
0:13:49	can then be installed in the routing table
0:13:53	then the flip side of the object who is reporting down or false
0:13:57	routes that reference the routs cannot be installed on the table
0:14:02	so now what w're going to do is have two seperate statics routes
0:14:07	and these static routes are just going to be the default ones we say route outside
0:14:11	00
0:14:15	the next hub is router 2
0:14:19	but i want to call a tracked object here
0:14:23	this is object no. 2
0:14:25	try to find it there
0:14:29	so this is going to be my primary default route
0:14:32	iam going to have a secondary default route bascially a backup
0:14:36	that has a higher administrative distance
0:14:39	so any thing that is 2 or more
0:14:42	because the first one
0:14:44	has an administrative distance of one
0:14:48	if now look at the show route outside
0:14:54	we should see that the static default route
0:14:57	is pointing towards the next hub of router 2
0:15:04	so now lets look at the result of this
0:15:06	from router 5 on the inside
0:15:09	iam going to generate a traffic flow
0:15:11	so iam going to tell from router 5
0:15:14	to some address that has router 2
0:15:17	one of these for example would be
0:15:19	the look back address of router 3
0:15:21	200.0.0.3
0:15:29	and from here im going to generate a bunch of traffic lets say
0:15:32	show tec-support
0:15:35	so this going to generate a lot of traffic over the telnet session
0:15:39	now what i want to see
0:15:41	is that when i go to router 2
0:15:44	and i remove the primary address
0:15:49	im i actually going to able to heal around the failure
0:15:53	and is this telnet session is going to drop or is it keep going
0:15:57	now what we should see at the ASA when we look at the route
0:16:02	is that this static route should change from point to dot 2
0:16:06	to dot 1
0:16:10	so on router 2 lets go to
0:16:14	this main ethernet interface
0:16:16	or say no IP address
0:16:18	200.0.122.2
0:16:25	must leave the secondary before the primary lets try this thing let say
0:16:30	no IP address
0:16:32	and im going to paste this one in
0:16:35	immediately
0:16:38	so i change the primary address to the dot 1
0:16:41	if u look at router 5
0:16:43	notice that the connection is still going
0:16:49	on the ASA we should see the change is
0:16:52	to the new next hub to the dot 1 address
0:16:57	also if we look at the show track
0:17:00	or the show
0:17:04	show SLA monitor operational state
0:17:09	the SLA instance is reporting that timeout has occured
0:17:15	and the return code is timeout
0:17:20	now you really don't need to know
0:17:22	all the details about what out here means
0:17:24	basically this return code is anything besides OK
0:17:29	it means that the object is down
0:17:32	now if i were to bring the old address back
0:17:36	so as change to back to the dot 2
0:17:44	once the ICMP pings
0:17:46	come back
0:17:49	say now the return is OK
0:17:52	if we look at the routing table
0:17:54	we see now we switch back to the original primary route
0:18:00	so three its three pieces total for this configuration
0:18:03	its going to be the SLA
0:18:16	let look at this all together
0:18:19	so its the combination of these 3 features together
0:18:23	its the SLA instance thats say im going to ping this address
0:18:27	and im sending the ping every 3 secs
0:18:30	if it goes for a 1000 miliseconds before getting response in
0:18:36	i have report my status is down
0:18:38	what then in turn tells its object to go down
0:18:42	which means that a route that is tracking the object
0:18:46	can no longer be installed in the routing table
0:18:50	so wer essentially giving a dynamic type of behaviour
0:18:54	to a static routing configuration
0:18:57	and in the case of IOS this is called the reliable static routing
0:19:01	with the ASA its called the static route track
0:19:07	and there is a question is it possible in multiple context mode
0:19:11	im not 100% sure if it is
0:19:13	i head to try out when u get to the
0:19:15	multiple context mode which we talk about
0:19:18	tomorrow morning that will we one of the first topics we will get to
0:19:23	so there most of the features u will see
0:19:26	are not in multiple context mode
0:19:28	other than just the basic
0:19:31	inspecting type configuration the basic MPF type stuff
0:19:35

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

ASA Reliable Static Routing

Create Bookmark