|
0:00:13
|
In our next section here for the ASA
|
|
0:00:16
|
we are going to look at its port for IP version 4 routing protocols
|
|
0:00:20
|
we will take a look at some examples doing static routing and dynamic routing
|
|
0:00:25
|
dynamic routing is going to be with RIP version 2
|
|
0:00:28
|
OSPF and EIGRP
|
|
0:00:30
|
then we will look at the feature using enhanced object tracking and the IP service level agreement
|
|
0:00:36
|
they can add reliability to our static routing with an enroute ?? tracking towards static routing
|
|
0:00:45
|
now overall the ASA is going to support routing
|
|
0:00:48
|
as imagine with staticly configured routes
|
|
0:00:51
|
RIP version1 and version2
|
|
0:00:53
|
OSPF and EIGRP
|
|
0:00:56
|
it does also have limited support for multicast routing
|
|
0:01:01
|
with PAN ??? and IGMP
|
|
0:01:05
|
it does not support BGP routing nor does it support IS - IS ???
|
|
0:01:09
|
so for any other protocol that are transending over the device
|
|
0:01:14
|
we will need to make sure these are
|
|
0:01:16
|
encapsulated in tunnels like IPSEC or grp ???
|
|
0:01:19
|
or that the ASA does have a route
|
|
0:01:22
|
to where the traffic is going to
|
|
0:01:25
|
now we will see when we get to the transparent load firewall
|
|
0:01:29
|
this can be more of an issue that we need to address
|
|
0:01:32
|
beacuse other protocols like IS - IS or MKLS ?????
|
|
0:01:36
|
are they transending over the bridge interfaces
|
|
0:01:39
|
it can be problematic for the much ??? of the policy framework
|
|
0:01:43
|
so in general the ASA is only going to pass IP version 4 traffic
|
|
0:01:48
|
all other none IP or IPV6 traffic is going to be dropped by default
|
|
0:01:55
|
unless we maually configure to route the IP Version 6
|
|
0:01:58
|
or we do some extra provisions
|
|
0:02:00
|
as i work around for the non IP protocols normally that stuff is going to be dropped
|
|
0:02:06
|
now some of the miscelleneous stuff that the
|
|
0:02:08
|
the ASA supports
|
|
0:02:10
|
it does have the ability to run multiple routing processes
|
|
0:02:15
|
so we wanted to run OSPF on our inside network and on our outside network
|
|
0:02:20
|
we can configure two different processes
|
|
0:02:23
|
redistribute between the two of them
|
|
0:02:25
|
and then do filtering they give us more control as to what particular destinations
|
|
0:02:30
|
they end host would have reachability to
|
|
0:02:34
|
because with the nature of OSPF being a linked state protocol
|
|
0:02:38
|
we are not able to filter within a linked state area
|
|
0:02:42
|
we are only able to filter between areas with a LSA type refilter
|
|
0:02:47
|
or at redistribution
|
|
0:02:51
|
with EIGRP or with RIP
|
|
0:02:53
|
its much more straight forwarding
|
|
0:02:55
|
much more straight forward from a filtering point of view
|
|
0:02:58
|
because those distance vector protocols have no limitation
|
|
0:03:01
|
as to where
|
|
0:03:02
|
are the routing updates
|
|
0:03:05
|
need to be sent
|
|
0:03:08
|
with you ??? ofcourse also support routing authentication
|
|
0:03:11
|
i will talk about this more when we get to the protection of the routing control plane
|
|
0:03:15
|
and the other control plane features of the router and the ASA
|
|
0:03:19
|
in the case of OSPF its going to support clear text and MB5 ??? authentication
|
|
0:03:23
|
in RIP its going to support clear text and MB5 ????
|
|
0:03:26
|
and in eigrp it supports MP5 authentication
|
|
0:03:31
|
so i mention it does also support route filtering
|
|
0:03:34
|
either one we are doing it on the interface as it distribute list ?? with rip or eigrp
|
|
0:03:39
|
or if we are doing redistribution
|
|
0:03:41
|
and then filtering redistribution with a route plan ??
|
|
0:03:46
|
now one of the minor limitations here
|
|
0:03:49
|
with the redistribution and redistribution filtering
|
|
0:03:52
|
is that the route map and the ASA
|
|
0:03:54
|
can only call a standard
|
|
0:03:56
|
access list
|
|
0:03:59
|
now if you are familiar with how IP prefix lists work on the wireless
|
|
0:04:03
|
and how they are diiferent than standard or standard access lists
|
|
0:04:07
|
the shortcoming of this
|
|
0:04:09
|
feature
|
|
0:04:11
|
is that when we are doing redistribution filtering
|
|
0:04:14
|
with a standard acl we can only math on the address
|
|
0:04:18
|
we cannot match on the address and its subnet mask
|
|
0:04:22
|
or what we call the prefix and its lan
|
|
0:04:25
|
so there can be certain designs where you are not able to
|
|
0:04:28
|
filter the correct network
|
|
0:04:30
|
if you have overlapping addresses that have different subnet masks
|
|
0:04:35
|
so for example if i would have the network
|
|
0:04:37
|
10.0.0.0/16
|
|
0:04:41
|
plus in aggregate there was 10.0.0.0/14
|
|
0:04:45
|
the ASA would not be able to tell the difference between the two routes
|
|
0:04:49
|
based on a redistribution filter
|
|
0:04:53
|
because the standard acl is only matching the address portion of the route
|
|
0:04:57
|
its not matching the address and
|
|
0:04:59
|
the prefix line which is the subnet mask
|
|
0:05:05
|
it does also support equal cost multipath
|
|
0:05:09
|
but its only supported over the same interface
|
|
0:05:13
|
so this design would be that if you had an outside interface
|
|
0:05:17
|
that is attached to a
|
|
0:05:19
|
multi point ethernet segment
|
|
0:05:22
|
so for example if we were to have
|
|
0:05:24
|
the
|
|
0:05:28
|
ASA having
|
|
0:05:30
|
an outside link
|
|
0:05:34
|
that is a multipoint segment it goes to router 1
|
|
0:05:37
|
and router 2
|
|
0:05:39
|
we could configure multiple static routes
|
|
0:05:42
|
one that points to the outer sub router 1
|
|
0:05:44
|
one that points to the outer sub router 2
|
|
0:05:47
|
since they are both on the same interface we can do equal cost multipath
|
|
0:05:50
|
between the two of them
|
|
0:05:53
|
but if we were to have the case where
|
|
0:05:55
|
the ASA has multiple
|
|
0:05:58
|
inside interfaces
|
|
0:06:00
|
we have in 1 and in 2
|
|
0:06:04
|
we have router 3
|
|
0:06:06
|
router 4
|
|
0:06:08
|
may be attached to the same lan segment back here that were trying to route to
|
|
0:06:13
|
we would not be able to point a route out
|
|
0:06:15
|
in 1 to router 3
|
|
0:06:17
|
and the same routes
|
|
0:06:19
|
out in to router 4
|
|
0:06:23
|
so it does support low balancing
|
|
0:06:26
|
with equal cost multipath but it has to be on the same interface
|
|
0:06:30
|
so the design on the right thats going to router 1 and 2 that is valid
|
|
0:06:33
|
but the design on the left going to router 3 and 4 is not valid
|
|
0:06:36
|
you can only use one of those routes at a time
|
|
0:06:42
|
it also supports the route tracking feature
|
|
0:06:45
|
which is going to be with the IP ??? service level agreement
|
|
0:06:49
|
and the enhanced object tracking
|
|
0:06:54
|
and as i mention it does have
|
|
0:06:56
|
limited support for multicast routing
|
|
0:06:59
|
so now does many of the
|
|
0:07:01
|
the bells and whistles are multicast like you see in IOS
|
|
0:07:04
|
like you can run kemp on the interfaces
|
|
0:07:06
|
it does support IGMP for
|
|
0:07:09
|
a house that is trying to receive multicast traffic
|
|
0:07:12
|
and
|
|
0:07:13
|
just like the rest of the interfaces
|
|
0:07:16
|
multicast traffic will be allowed to move
|
|
0:07:18
|
from the higher security level to the lower security level
|
|
0:07:23
|
so if we are trying to get multicast traffic from the outside to come in
|
|
0:07:28
|
we would have to use a manual
|
|
0:07:30
|
access list exception there
|
|
0:07:38
|
now configuration wise for this
|
|
0:07:40
|
the routing process is
|
|
0:07:42
|
a fairly simple
|
|
0:07:43
|
as compared to a fairly very similar i should say
|
|
0:07:46
|
as compared to the IOS configuration
|
|
0:07:49
|
so if we were to go in the docuentation down to products
|
|
0:07:53
|
security
|
|
0:07:55
|
firewall
|
|
0:07:58
|
appliances ASA
|
|
0:08:02
|
configuration guides
|
|
0:08:04
|
8.0
|
|
0:08:06
|
then under configuring the firewall
|
|
0:08:10
|
actually probably under getting started
|
|
0:08:13
|
geting started configuring IP routing
|
|
0:08:18
|
now you see it does support some of the more advanced design options
|
|
0:08:22
|
like in the case of OSPF
|
|
0:08:24
|
we can configure stub areas
|
|
0:08:27
|
NSSA we can do summarization
|
|
0:08:29
|
for inter area summarize
|
|
0:08:31
|
for type 3 inter area LSA
|
|
0:08:35
|
we can do summarization of our type 5 LSA which are the external routes that get redistributed
|
|
0:08:41
|
we could run the network type non broadcast
|
|
0:08:45
|
which would mean that we are unicasting updates
|
|
0:08:48
|
to someone that is on the lan
|
|
0:08:51
|
we could do default route generation
|
|
0:08:54
|
we could change the
|
|
0:08:55
|
the route calculation time is this would be for
|
|
0:08:58
|
the
|
|
0:08:59
|
this should be for the spf timers
|
|
0:09:04
|
which is separate than the
|
|
0:09:07
|
hello and dead timers
|
|
0:09:09
|
so this timers spf this would control
|
|
0:09:12
|
how quickly you adapt to a change of the topology
|
|
0:09:15
|
where the timers and the neighbour
|
|
0:09:18
|
would most likely be an interface
|
|
0:09:21
|
parameter so here that the OSPF hello interval and OSPF dead interval
|
|
0:09:25
|
so most of the basic routing features
|
|
0:09:27
|
are going to be supported on the ASA when you compare it to the IOS
|
|
0:09:33
|
so again i am not going to go over a lot of details on this
|
|
0:09:36
|
if you understand how OSPF works in general
|
|
0:09:39
|
you should understand how it is applied on the ASA
|
|
0:09:42
|
only difference is going to be some minor syntax changes
|
|
0:09:46
|
when you look at the actual configuration of this
|
|
0:09:50
|
lets see configuring OSPF
|
|
0:09:58
|
so as you start the OSPF process
|
|
0:10:05
|
start the OSPF process and issue the network statement
|
|
0:10:07
|
this is one key difference that you need to be aware of here
|
|
0:10:11
|
that the network statement
|
|
0:10:14
|
is using a subnet mask
|
|
0:10:17
|
as opposed to a wild card maps
|
|
0:10:22
|
where in the case of the regular router IOS we would say network 10.0.0.0
|
|
0:10:27
|
0.255.255.255
|
|
0:10:31
|
the same is going to be true of our access list configuration
|
|
0:10:35
|
so the ASA always uses subnet masks
|
|
0:10:39
|
so regular maps as opposed to wild card maps which are the inverse maps
|
|
0:10:45
|
so in this case we are trying to match the network 10.0.0.0/8
|
|
0:10:49
|
so its giving the actual subnet mask of 255.0.0.0
|
|
0:10:57
|
so beyond this
|
|
0:10:59
|
if you just spend some time reading through this
|
|
0:11:03
|
document it should be pretty self explanatory as to what
|
|
0:11:06
|
are the particular features that are available
|
|
0:11:08
|
for the routing process
|
|
0:11:10
|
now in our particular case
|
|
0:11:12
|
i have
|
|
0:11:15
|
3 interfaces again on the
|
|
0:11:19
|
the ASA
|
|
0:11:23
|
and the routers are preconfigured
|
|
0:11:26
|
with the rest of the routing protocols
|
|
0:11:28
|
so i have 3 different routing domains . I have the RIP domain, the OSPF domain and the EIGRP domain
|
|
0:11:34
|
ASA too specifically
|
|
0:11:36
|
is going to be running RIP on its link to the dmz
|
|
0:11:40
|
its going to run OSPF on its link to the outside
|
|
0:11:43
|
and its going to run EIGRP on its link to the inside
|
|
0:11:48
|
so we have 3 separate unrelated routing processes
|
|
0:11:52
|
then to exchange the routing information between them
|
|
0:11:55
|
we are going to need to redistribute between the processes
|
|
0:11:59
|
so just like on the router
|
|
0:12:02
|
if i redistribute from RIP to OSPF
|
|
0:12:05
|
then redistribute from OSPF to EIGRP
|
|
0:12:08
|
it does not imply that i am redistributing from RIP to EIGRP
|
|
0:12:12
|
so i am going to need
|
|
0:12:14
|
3 bidirectional redistributions here
|
|
0:12:17
|
from the RIP process i need to redistribute OSPF and EIGRP in the RIP
|
|
0:12:23
|
on ospf i need to redistribute rip and eigrp
|
|
0:12:26
|
and likewise on eigrp i need to redistribute ospf and rip
|
|
0:12:33
|
now this traffic since it is locally destined to the control plane on the ASA
|
|
0:12:38
|
it is not going to be filtered and it is not going to be inspected
|
|
0:12:43
|
by the marginal policy framework
|
|
0:12:45
|
now where this is going to be problem
|
|
0:12:48
|
we will see later as we get into the transparent firewall
|
|
0:12:52
|
where the control plane traffic is not automatically allowed
|
|
0:12:56
|
as we move from the inside to the outside network
|
|
0:13:00
|
where we saw previously in this case
|
|
0:13:02
|
from the inside out router 5 was able to telnet
|
|
0:13:06
|
and router 5 was able to ping
|
|
0:13:09
|
after we did the inspection of the ICMP
|
|
0:13:11
|
because we are moving from the higher security level to the lower security level
|
|
0:13:16
|
when we do transparent firewall the rules are going to change a little bit
|
|
0:13:22
|
so lets look at the command line
|
|
0:13:25
|
and go to this configuration
|
|
0:13:27
|
again on the inside we are going to be running eigrp
|
|
0:13:30
|
and in this particular case
|
|
0:13:32
|
the eigrp as number is
|
|
0:13:34
|
1256
|
|
0:13:39
|
so globally we would say router eigrp 1256
|
|
0:13:44
|
just like on the router the auto summary
|
|
0:13:46
|
feature is on by default
|
|
0:13:49
|
so assuming i do not want to automatically summarize between major nertworks
|
|
0:13:54
|
between major network boundaries then i would say no auto summary
|
|
0:14:00
|
the interface that i want the process on
|
|
0:14:04
|
is this interface that is 10.0.125.12
|
|
0:14:10
|
i will say exactly that interface
|
|
0:14:15
|
and we can see a large message comes up on router 5
|
|
0:14:18
|
says the eigrp neighbour is up
|
|
0:14:20
|
from router 5 if we look at the show ip eigrp neighbours
|
|
0:14:26
|
we can see the address of the asa here 10.0.125.12
|
|
0:14:30
|
is running the eigrp
|
|
0:14:32
|
on the asa if we look at the show route inside
|
|
0:14:39
|
we can see that we are learning some internal eigrp routes
|
|
0:14:44
|
specifically i have a lan interface that is connected to router 6
|
|
0:14:49
|
which is this vlan 6 interface
|
|
0:14:52
|
and the transit link between router 5 and 6
|
|
0:14:55
|
so router 5 is advertising these to the ASA
|
|
0:14:58
|
asa is learning it on its inside interface
|
|
0:15:02
|
so with point i now should be able to go to router 6
|
|
0:15:06
|
and be able to send traffic to the inside interface
|
|
0:15:10
|
of the asa which i can
|
|
0:15:12
|
now i won't be able to telnet to it or i won't be able to ssh to it
|
|
0:15:18
|
because i don't have any of the management setup yet
|
|
0:15:21
|
we could see just based on the basic icmp ping
|
|
0:15:25
|
i know that the basic layer 3 connectivity is working
|
|
0:15:32
|
so next lets enable ospf on the outside interface
|
|
0:15:36
|
we will run the ospf process
|
|
0:15:40
|
on the outside interface
|
|
0:15:43
|
this is
|
|
0:15:46
|
200.0.122.12
|
|
0:15:51
|
and noticing any i am using a subnet mask not a wild card mask
|
|
0:15:56
|
and i want this to be an area 0
|
|
0:16:01
|
router 2 is logging on the console here it says
|
|
0:16:05
|
the process for this particular neighbour is up
|
|
0:16:07
|
we look at the show ip
|
|
0:16:10
|
show ip ospf neighbours
|
|
0:16:14
|
with you have a jcc ???? with an asa
|
|
0:16:17
|
from the asa s perspective we would say simply show ospf neighbours
|
|
0:16:22
|
or say show eigrp neighbours
|
|
0:16:25
|
instead of show ip eigrp it would show ip ospf
|
|
0:16:29
|
well like wise now if we were to look at the show route outside
|
|
0:16:37
|
we can see those number of internal and external ospf routes being learnt
|
|
0:16:43
|
so now if i were to send traffic to any of these destinations
|
|
0:16:46
|
lets say for example 200.0.0.1
|
|
0:16:51
|
this is a loop back interface that i configure it on
|
|
0:16:55
|
router 1
|
|
0:16:57
|
so router 1 is 200.0.0.1
|
|
0:17:00
|
router 3 has 200.0.0.3
|
|
0:17:04
|
router 2 has 200.0.0.2
|
|
0:17:10
|
so at this point we now know the routing information about the inside network
|
|
0:17:14
|
we also know about the outside network
|
|
0:17:18
|
i have not redistributed between the two
|
|
0:17:22
|
so it should now mean that devices on the inside
|
|
0:17:26
|
they do not know about devices on the outside
|
|
0:17:30
|
and devices on the outside likewise do not know about the inside
|
|
0:17:33
|
so i have routing upto the asa
|
|
0:17:37
|
upto the asa but i do not have any redistribution going on
|
|
0:17:42
|
now also as i side note here when i initialize the ospf process
|
|
0:17:46
|
this process id
|
|
0:17:48
|
number
|
|
0:17:50
|
is only locally significant
|
|
0:17:53
|
so it does not matter what this number is here for ospf
|
|
0:17:55
|
the only one that really does matter
|
|
0:17:57
|
is the eigrp asa number
|
|
0:18:00
|
because in eigrp you cannot establish ?? since the ??? as number is the same as the other devices
|
|
0:18:07
|
for ospf it is just locally significant if you want to run multiple processes
|
|
0:18:16
|
ok so next lets go on the ospf process again
|
|
0:18:19
|
and we are going to redistribute
|
|
0:18:22
|
the eigrp routes
|
|
0:18:24
|
specifically this is eigrp asa 1256
|
|
0:18:29
|
and i want to include the subnets
|
|
0:18:36
|
under the eigrp process
|
|
0:18:38
|
i want to redistribute
|
|
0:18:41
|
the ospf process
|
|
0:18:44
|
and just like in the ios we do not have the default metric value here
|
|
0:18:48
|
if i would simply say redistribute ospf 1 and hit enter
|
|
0:18:52
|
it should give me a warning message
|
|
0:18:54
|
saying that this configurtaion is actually not going to work
|
|
0:18:57
|
and so we define a metric value
|
|
0:19:00
|
so i can either say default metric
|
|
0:19:04
|
default - metric
|
|
0:19:07
|
which is going to apply to all redistributed routes
|
|
0:19:10
|
or when i say specifically redistributed ospf 1
|
|
0:19:13
|
i do give the metric right here
|
|
0:19:17
|
so say the metric is bandwith of
|
|
0:19:19
|
100 megabits / second
|
|
0:19:21
|
well say a delay of
|
|
0:19:24
|
100 micro seconds in 10s of microseconds units
|
|
0:19:27
|
which is actually a 1000 there
|
|
0:19:30
|
100% reliable
|
|
0:19:32
|
will be 255
|
|
0:19:36
|
the minimum loads of 1 would be
|
|
0:19:38
|
100 255 for load
|
|
0:19:41
|
and we will say the mtu is 1500
|
|
0:19:45
|
now technically these numbers for the metric are arbitrary
|
|
0:19:49
|
because when we look at the routing topology
|
|
0:19:52
|
there is only one possible way
|
|
0:19:55
|
for router 5 and router 6
|
|
0:19:57
|
to reach anyone on this side of the network
|
|
0:20:01
|
so we got this word metric value
|
|
0:20:04
|
the asa is reporting in
|
|
0:20:06
|
|
|
0:20:07
|
they always going to end up in the same calculation
|
|
0:20:09
|
but the asa is the only device physically that we can use in order to get to that portion of the topology
|
|
0:20:15
|
so i could use all 1 or basically any arbitrary values doesn't really matter
|
|
0:20:20
|
now the only case that this will make a difference
|
|
0:20:23
|
is lets say i had another link between router 1 and router 6
|
|
0:20:27
|
that i was running ospf on
|
|
0:20:30
|
then doing redistribution here as well
|
|
0:20:34
|
then the redistribution metric is going to control what exit point do i use
|
|
0:20:38
|
in order to get out of the network
|
|
0:20:41
|
but in this since we have only one exit point its not going to really matter
|
|
0:20:46
|
for the eigrp redistribtuion into ospf
|
|
0:20:50
|
just like in ios we were using a default
|
|
0:20:53
|
metric value here of 20
|
|
0:20:57
|
so if i were to go
|
|
0:21:01
|
to router 2 and say show ip route ospf
|
|
0:21:07
|
i can see those routes that came from the asa
|
|
0:21:14
|
as a metric of 20
|
|
0:21:17
|
that were to go on the inside of router 5 and say show ip route eigrp
|
|
0:21:23
|
i can see those routes that originally were ospf
|
|
0:21:26
|
on the asa
|
|
0:21:28
|
now they are being learnt as external eigrp route
|
|
0:21:34
|
so at this point essentially i should be able to go to
|
|
0:21:37
|
my devices on the inside which are router 5 and router 6
|
|
0:21:41
|
and then send traffic through the asa
|
|
0:21:44
|
to any one on this portion of the network that i have a route to
|
|
0:21:50
|
now we didn't configure this other asa 1 yet so these devices won't have connectivity
|
|
0:21:54
|
but i should not have any problems going to lets say router 6
|
|
0:21:59
|
and then telnetting to
|
|
0:22:02
|
router 4
|
|
0:22:03
|
one of the addresses on router 4 is 172.16.4.4
|
|
0:22:13
|
we look at the show users
|
|
0:22:15
|
we can see the source of where the traffic came from 10.0.56.6
|
|
0:22:20
|
which is router 6
|
|
0:22:23
|
on the asa if we look at the show connections
|
|
0:22:28
|
we see it is inspecting that particular tcp session
|
|
0:22:32
|
its going to that lan interface on router 4
|
|
0:22:35
|
it came from router 6
|
|
0:22:38
|
as the asa is expecting it back in on the outside interface
|
|
0:22:44
|
it says the traffic should be sourced
|
|
0:22:47
|
from 172.16.4.4
|
|
0:22:51
|
where they source port of tcp 23
|
|
0:22:55
|
going to 10.0.56.6 with a destination port that is random
|
|
0:23:02
|
so that value 50287
|
|
0:23:05
|
thats whatever the random port number that router 6 and router 4 negotiated
|
|
0:23:09
|
when they were doing the 3 way tcp handshake
|
|
0:23:13
|
ok now lets look at the routing
|
|
0:23:16
|
to the dmz interface
|
|
0:23:19
|
so under dmz we are going to enable rip version 2
|
|
0:23:25
|
in particular this link is 10.0.0.0/24
|
|
0:23:31
|
which is used to connect to the acs server
|
|
0:23:34
|
and then also the management interface of the ips sensor
|
|
0:23:41
|
so under the asa lets start the rip process
|
|
0:23:44
|
just like on the router we can choose are we running version 1 or version 2
|
|
0:23:50
|
are we doing automatic summarization or not
|
|
0:23:53
|
i want to not do auto summary
|
|
0:23:56
|
then the network statement here
|
|
0:23:59
|
just like under the routers process is going to be a classful network
|
|
0:24:05
|
so even though i only want to enable the rip process on
|
|
0:24:08
|
the dmz interface
|
|
0:24:11
|
the network here obtained the major network which is 10.0.0.0
|
|
0:24:17
|
is actually going to overlap on this inside interface
|
|
0:24:21
|
so if i say network
|
|
0:24:23
|
10.0.0.0
|
|
0:24:27
|
when we look at the show
|
|
0:24:30
|
rip database
|
|
0:24:33
|
now that it is including both of the connected lanes
|
|
0:24:36
|
so the link that goes to the dmz and the link that goes to the inside network
|
|
0:24:42
|
now this is not necessarily a problem as long as i know
|
|
0:24:45
|
specifically what interfaces i am running the process on
|
|
0:24:49
|
if i now to send rip updates out the inside interface
|
|
0:24:53
|
i can simply say that is a passive interface
|
|
0:24:55
|
so passive interface ethernet0/1.25
|
|
0:25:02
|
where actually passive interface on inside so confirm for the name there ??????
|
|
0:25:12
|
so the other similar features like the ios supports
|
|
0:25:15
|
we can advertise a default route
|
|
0:25:18
|
we can do route filtering
|
|
0:25:20
|
we can do redistribution
|
|
0:25:23
|
when we go to the interface level
|
|
0:25:27
|
e0/1.10
|
|
0:25:32
|
we can do authentication
|
|
0:25:34
|
or we could change whats the version that we are sending or receiving
|
|
0:25:38
|
we want to do some complex
|
|
0:25:40
|
our desire ???? may be we are receiving version 1 and 2 but only sending version 1 or only sending version 2
|
|
0:25:46
|
or we could do that at the link level
|
|
0:25:48
|
as opposed to the version that i
|
|
0:25:51
|
configured under the global process
|
|
0:25:56
|
so again these type of features there they wouldn't expect you to be an expert on this
|
|
0:26:00
|
in the ccie lab exam
|
|
0:26:02
|
its not a routing exam
|
|
0:26:04
|
where you do need to understand how the basic layer 2 and layer 3 processes work
|
|
0:26:08
|
because without basic connectivity none of the security stuff is going to work
|
|
0:26:15
|
so now under my ospf process i will say redistribute
|
|
0:26:19
|
my rip subnets
|
|
0:26:21
|
same thing under
|
|
0:26:23
|
eigrp redistribute rip
|
|
0:26:26
|
and i need to give it a metric
|
|
0:26:32
|
so if i look at the previous statement i'll say show run include redistribute
|
|
0:26:38
|
i will say redistribute
|
|
0:26:40
|
rip
|
|
0:26:42
|
and then just use the same metric value
|
|
0:26:48
|
redistribute rip metric
|
|
0:26:54
|
so now on router 5 if i look at the
|
|
0:26:56
|
routing table
|
|
0:26:59
|
i should also now have the route to the 10.0.0.0/24 network which i gave
|
|
0:27:06
|
since i modified the inspection engine
|
|
0:27:10
|
to allow me to match the icmp traffic
|
|
0:27:14
|
on router 5 i should be able to test this connection
|
|
0:27:17
|
in case by simply sending a ping
|
|
0:27:20
|
to the acs server
|
|
0:27:22
|
so if i can ping
|
|
0:27:24
|
10.0.0.100
|
|
0:27:27
|
i can tell now that the routing is working
|
|
0:27:29
|
but also that the inspection engine is working
|
|
0:27:33
|
likewise i should be able to ping from the inside to the outside network
|
|
0:27:40
|
if i were to go to the dmz itself
|
|
0:27:44
|
which in this case is on the asa well not , excuse me on the aaa server
|
|
0:27:55
|
if we look at the properties here
|
|
0:27:58
|
the aaa server has that address 10.0.0.100
|
|
0:28:01
|
its default gateway is the asa 10.0.0.12
|
|
0:28:06
|
so if i would ping
|
|
0:28:08
|
towards the outside thats ping 200.0.122.2
|
|
0:28:16
|
hey again thats router 2s address
|
|
0:28:20
|
if we look at the asa
|
|
0:28:24
|
and again we are going to try logging on
|
|
0:28:26
|
in global config i'll say logging console 7
|
|
0:28:30
|
on console 7
|
|
0:28:32
|
and logging on
|
|
0:28:38
|
it says i denied the traffic as it came inbound
|
|
0:28:42
|
on the dmz interface
|
|
0:28:46
|
as i was going towards the outside interface
|
|
0:28:51
|
where previously when we looked at this problem before i did the inspection
|
|
0:28:55
|
it said the traffic was dropped
|
|
0:28:57
|
as it went to 2 and then tried to return back in
|
|
0:29:03
|
so the icmp flow was dropped in on the outside interface
|
|
0:29:07
|
here in this case
|
|
0:29:09
|
the asa is saying its being dropped as it comes in on the dmz
|
|
0:29:18
|
so why would the asa drop the traffic as its coming
|
|
0:29:21
|
in the dmz trying to leave out of the outside interface
|
|
0:29:32
|
remember whats going to contol
|
|
0:29:34
|
if the traffic can move between the lanes by default
|
|
0:29:40
|
assuming we are not doing any access lists or we are not doing any special modifications to the policies
|
|
0:29:47
|
its going to be based on the security level
|
|
0:29:50
|
if we look at the show ip
|
|
0:29:53
|
and the show
|
|
0:30:00
|
show interface
|
|
0:30:11
|
i thought there was a command that shows you the
|
|
0:30:17
|
security levels briefly
|
|
0:30:20
|
that may have done under all packets ??? syntax lets just look at the show run interface
|
|
0:30:24
|
the dmz right now is configured as web security
|
|
0:30:30
|
configured as 0
|
|
0:30:33
|
the outside interface
|
|
0:30:35
|
is also 0
|
|
0:30:38
|
by default moving between the same security levels
|
|
0:30:43
|
this traffic is going to be denied
|
|
0:30:48
|
so i have two possible options here
|
|
0:30:50
|
i can either configure an exception to this
|
|
0:30:54
|
to say its ok for the traffic to move between the same security level
|
|
0:30:58
|
or i could raise one of the security levels
|
|
0:31:00
|
like if i change the dmz to 50
|
|
0:31:03
|
i would be able to go from high to low and then return
|
|
0:31:07
|
but i wouldn't be able to go from the low to the high
|
|
0:31:12
|
so you need to think about when you are signing the security levels
|
|
0:31:15
|
is really what is the end goal of the design
|
|
0:31:19
|
do i always want to allow traffic from the outside to the dmz
|
|
0:31:23
|
probably not probably there may be some special services that i want to match
|
|
0:31:27
|
like may be just
|
|
0:31:29
|
a web traffic or just mail traffic or
|
|
0:31:32
|
whatever other services are public
|
|
0:31:34
|
i mean not want to inspect everything and then allow everything for
|
|
0:31:38
|
so may be it would make more sense to have the dmz as the higher security level
|
|
0:31:43
|
so outside the dmz is blocked
|
|
0:31:46
|
what the exception of whatever
|
|
0:31:48
|
manual holes i open the firewall by using the access lists
|
|
0:31:55
|
now if i did not want to change the security levels again i can
|
|
0:31:58
|
allow this i could say
|
|
0:32:00
|
same security traffic i am going to permit as it goes
|
|
0:32:03
|
inter interface
|
|
0:32:06
|
so between two different links that are of the same security level
|
|
0:32:10
|
if we look back on the
|
|
0:32:13
|
acl server we can see now these things are going through
|
|
0:32:19
|
likewise if i were to telnet
|
|
0:32:23
|
outer router 2
|
|
0:32:28
|
this traffic is allowed
|
|
0:32:31
|
so router 2 sees its coming from the address 10.0.0.100
|
|
0:32:37
|
from router 2
|
|
0:32:39
|
if i were to ping
|
|
0:32:41
|
10.0.0.100
|
|
0:32:44
|
notice that the allowed to come
|
|
0:32:47
|
in the outside interface
|
|
0:32:50
|
and go to the dmz
|
|
0:32:53
|
we are fine going from the outside interface to the inside interface
|
|
0:32:59
|
this is denied
|
|
0:33:02
|
because in the first case here
|
|
0:33:04
|
am going from
|
|
0:33:06
|
two interfaces of the same security level
|
|
0:33:09
|
whereas in
|
|
0:33:12
|
the later case am going from a
|
|
0:33:14
|
lower security level
|
|
0:33:16
|
to a higher security level
|
|
0:33:18
|
because i have outside configured as 0 i have inside configured as 100
|
|
0:33:22
|
so this is going to be dropped
|
|
0:33:24
|
the same security traffic is being allowed
|
|
0:33:27
|
because i manually defined that here
|
|
0:33:34
|
now just for clarity the rest of the configuration
|
|
0:33:36
|
am going to remove this
|
|
0:33:40
|
and i am going to change on the dmz interface
|
|
0:33:44
|
i'll set the security level to be higher
|
|
0:33:46
|
than the outside
|
|
0:33:50
|
so now again i should be able to go from
|
|
0:33:53
|
the dmz
|
|
0:33:56
|
and get out
|
|
0:33:59
|
i cannot go from the dmz
|
|
0:34:02
|
to in
|
|
0:34:09
|
then if i were on the outside if i telnet to router 2
|
|
0:34:15
|
from router 2 i cannot go to the dmz
|
|
0:34:22
|
nore can i go to
|
|
0:34:24
|
the inside
|
|
0:34:26
|
which should be 10.0.125.5 for example
|
|
0:34:32
|
so the keypoint being here that
|
|
0:34:34
|
if you are not 100% sure exactly why the traffic is being dropped
|
|
0:34:39
|
you can use the logging process on the asa
|
|
0:34:43
|
they tell you exactly why thats happened
|
|
0:34:45
|
is the drop based on an acess list that we manually configured
|
|
0:34:49
|
is it based on the
|
|
0:34:51
|
the default security level
|
|
0:34:53
|
which in this case when it said it was being dropped
|
|
0:34:56
|
it didn't say it was because of an acl
|
|
0:35:01
|
if we had an acl that was may be dmz in
|
|
0:35:06
|
and that was discarding the traffic
|
|
0:35:08
|
its going to specifically tell us that was the reason why it is being dropped
|
|
0:35:14
|
lets look at the show run all
|
|
0:35:17
|
actually first lets look at the show run router
|
|
0:35:20
|
then show run
|
|
0:35:22
|
all router
|
|
0:35:25
|
the first one is showing the options that i changed
|
|
0:35:30
|
the second one is showing the options that i changed plus all of the defaults
|
|
0:35:36
|
we are in the case of the eigrp
|
|
0:35:39
|
its not running eigrp stub
|
|
0:35:41
|
there is no passive interfaces there is no redistribution of connected or static
|
|
0:35:49
|
if i say show run all interface
|
|
0:35:57
|
we could see some of the routing protocol options
|
|
0:36:00
|
in the case of eigrp split horizon is on
|
|
0:36:03
|
the hello interval is 5 seconds the whole time is 15 seconds
|
|
0:36:09
|
and we can see no authentication is configured
|
|
0:36:13
|
so even without having to look at the command reference
|
|
0:36:16
|
we configure our what are the lot of different possible options on the asa
|
|
0:36:20
|
simply by looking at the show run all
|
|
0:36:24
|
so we continue to look through this as we go through the different topics like the network address translation
|
|
0:36:29
|
the context the fail over ??
|
|
0:36:32
|
if i said show run all match, show run all global , show run all fail over ???
|
|
0:36:36
|
its going to show me not only the things that i have changed
|
|
0:36:38
|
but what are the default options in there
|
