CCIE Security Advanced Technologies Class

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section we are going to talk about our easy VPN feature
0:00:18	that is used for remote access ipsec VPN both on the ios
0:00:23	and on asa
0:00:25	for the ios we are going to look at the easy vpn server configuration
0:00:28	in a couple of different variations
0:00:31	using the original implementation using dynamic cryptomaps
0:00:35	with could be considered the legacy mechanism today
0:00:39	the new implementation of this using the dynamic virtual tunnel interface or the DVTI
0:00:45	along with the isakmp profiles
0:00:49	the easy VPN server configuration on the asa
0:00:52	and then the ios easy VPN
0:00:54	client configuration
0:00:56	both in client mode and in network extension mode
0:01:04	now the overall goal of this easy VPN
0:01:07	is that we are going to be creating an ipsec tunnel that is on demand or that is dynamic
0:01:14	meaning this is going to be a remote access VPN
0:01:17	now what are the key points about this different them with the previous with the LAN to LAN VPN
0:01:23	is that the responder
0:01:24	was receiving the ipsec session
0:01:27	doesn't already know what the ip address of the initiater is going to be in advance
0:01:33	where the lan to lan configurations with the crypto maps
0:01:36	with the static virtual tunnel interfaces and with the
0:01:40	the tunnel groups on the asa
0:01:42	we saw that were always manually find the
0:01:45	peer addresses
0:01:47	inside the crypto maps
0:01:48	or to find the peer addresses inside the tunnel group
0:01:52	but with the easy VPN
0:01:54	the server is essentially going to be listening dynamic for it connection to come in
0:01:59	than based on different phase 1 and phase 2 parameters
0:02:02	is going to offer different services to the client
0:02:06	now in order to accomplish this
0:02:08	there is going to be 2 main portions
0:02:11	or two main components of easy VPN
0:02:13	the first of which is the easy VPN client
0:02:16	this is device whether its the software client
0:02:20	running on like your windows or mac os machine or even on your phone
0:02:25	this is the device that is going to initiate the ipsec tunnel
0:02:29	then we have the easy VPN server
0:02:32	which is the ipsec responder
0:02:34	so the device receiving the tunnel
0:02:36	which is either going to be the ios or the asa
0:02:39	running in the easy VPN server mode
0:02:44	now in order to negotiate the easy VPN tunnel
0:02:48	we are going to start with our normal phase 1 isakmp parameters first
0:02:52	so thing is like the authentication type whether we are doing preshared authentication
0:02:57	or rsa signatures
0:02:59	the encryption whether we are doing single dash triple dash or aes
0:03:03	the hash either mb5 or sha
0:03:06	and then the dc helmen group
0:03:08	to determine how we are going to generate the
0:03:10	keeing material
0:03:11	for encryption and decryption keys of the actual encryption algorithm
0:03:17	in addition to this
0:03:18	the client is going to send a group name
0:03:21	that is ultimately going to determine what is the clients
0:03:24	policy that the server is going to offer him
0:03:28	so we have our normal phase 1 parameters
0:03:31	which the addition of this group name
0:03:34	now if the group authentication is successful
0:03:37	then the server is going to offer different types of options down to the client
0:03:41	like a new address for the tunnel
0:03:43	maybe a split dns server address or wins address
0:03:47	may be split accesslist settings
0:03:50	that are ultimately going to control what traffic does or does not go over the VPN tunnel
0:03:56	where all of these settings are negotiated
0:03:58	by what we consider isakmp
0:04:00	phase one and half or 1.5
0:04:05	now we mentioned this phase 1.5 briefly before
0:04:08	where it is made up of two sub portions that are known as mode configuration
0:04:12	and extended authentication or mode config or exau
0:04:19	now the mode configuration portion of the isakmp
0:04:23	is an extension of 4 new messages
0:04:26	that are the configuration request and reply
0:04:29	and the configuration set and acknowledgement
0:04:32	essentially what these new messages are used to do
0:04:35	is to ask or request for different attributes and to set
0:04:39	or reply with different attributes
0:04:42	for example the client could ask for an ip address
0:04:45	and then the VPN server with mode configuration can reply
0:04:49	with
0:04:49	a local dhcp address or could forward it to a remote
0:04:53	dhcp server or a remote
0:04:55	radio server
0:04:58	in addition to these remote configurations options
0:05:02	we have whats known as xauth or extended authentication
0:05:06	where with our normal isakmp authentication we are only doing authentication
0:05:11	to the device
0:05:12	or in words doing the group
0:05:14	based authentication
0:05:16	where extended authentication is doing to do a two factor authentication
0:05:21	authentication for the group and then a
0:05:23	per user authentication
0:05:27	so what this allow us to do is to have a shared group
0:05:30	user name and password
0:05:32	then individual per user authentications
0:05:35	through protocols like chap
0:05:37	or even the asa secure id things like one time password tokens
0:05:43	but once the user authenticates
0:05:45	we could say on a per user basis
0:05:47	may be i want to assign them from this specific ip address for
0:05:51	or user 1 is going to get a different dns server from dns 2
0:05:55	or user 3 is going to get a different VPN filter
0:05:58	that is going to apply on their tunnel as opposed to someone elses
0:06:04	these are typically the options we saw on the asa
0:06:08	when we look at the output at the show run all, group policy
0:06:12	where these individual options are going to be
0:06:14	assigned through mal configuration
0:06:16	once the extended authentication phase has completed
0:06:23	now in addition to having these new forms of negotiation of the tunnel
0:06:28	the easy VPN remote
0:06:30	which is the client or the initiater
0:06:33	is going to support two different modes of operation
0:06:36	the first of which is considered the client
0:06:40	now the client mode is what we typically think of
0:06:43	when we are thinking of the end
0:06:45	VPN client thats running on your windows machine or thats running on your phone
0:06:50	this is when the easy VPN server
0:06:53	is going to assign a new ip address to the client
0:06:56	then the client is going to run a network address translation
0:06:59	and port address translation to this new ip address
0:07:03	when traffic is sent over the VPN tunnel
0:07:08	now the 2nd we have whats known as the network extension mode or nem
0:07:14	with network extension mode the difference is that we do not have a new address assigned by the server
0:07:20	and the client is not going to perform
0:07:22	network address translation or port address translation
0:07:26	and sometimes this type of designed is called the hardware client or easy VPN remote
0:07:31	hardware client
0:07:33	where the idea of this
0:07:34	is that network extension mode is functioning more like a lan to lan tunnel
0:07:39	but yet it is still on demand dynamic tunnel
0:07:43	where the easy VPN server is not going to initiate on the client
0:07:48	client is always going to be the initiater
0:07:50	but once the tunnel is up
0:07:53	we can send
0:07:54	any type of packets by direction
0:07:57	where with the client mode of operation since we were running
0:08:00	port address translation
0:08:02	there is going to be an issue with someone on the server's side
0:08:06	who is inside the VPN
0:08:08	trying to access services that are on the
0:08:10	the clients side
0:08:13	now typically with network extension mode
0:08:16	its called the hardware client
0:08:18	because we would have some sort of dedicated device
0:08:21	thats doing the VPN connection on behalf
0:08:24	of the rest of the network
0:08:26	now if were to look at the topology here
0:08:30	and were configuring, lets say we have router 3 configured as the
0:08:34	the easy VPN server
0:08:37	and we have two types of clients, one that is on the end client
0:08:41	on the pc
0:08:43	this one is going to be running in client mode
0:08:47	where router 5 is a hardware client
0:08:50	that is running in network extension mode
0:08:55	now the difference between these is that when the client or the test pc
0:08:59	is connecting to the VPN server
0:09:01	we are going to allocating it a new ip address
0:09:04	lets say we give it the address 172
0:09:08	172.16
0:09:10	.255
0:09:12	.1
0:09:14	where the address that it is assigned on the lan is 192.168.1.18
0:09:20	but for any traffic that is going over the VPN
0:09:23	we are going to do a port address translation that goes to this new 172.16 address
0:09:29	now the problem with this that if
0:09:32	there is someone behind the test pc
0:09:34	lets say there is an ip phone
0:09:37	then there is going to be some issue when we try to send the connection from the outside
0:09:42	in to this client
0:09:45	because we know that the network address translation table
0:09:48	work similar to a stateful firewall
0:09:51	were traffic is generally allowed from the inside out and then return
0:09:55	that is not allowed from outside in on solicited
0:10:00	and this is what the network extension mode is going to solve
0:10:04	where if router 5 was running network extension mode
0:10:07	we are not going to be assigned a new address
0:10:10	then anyone who is behind router 3
0:10:13	would be able to reach someone on the 10.0.56.0 network
0:10:18	or 10.0.6.0/
0:10:20	24 network
0:10:22	without having to go through any type of network address translation
0:10:26	now again in our case we are going to look at couple of different examples of this design
0:10:30	where we will have one of the ios routers
0:10:32	run as the
0:10:35	the easy VPN
0:10:36	server
0:10:39	then we have two different types of clients we have the software client on the npc
0:10:43	and also the ios as the client
0:10:47	we will have the asa
0:10:49	as the VPN server
0:10:52	and likewise have both the software client
0:10:55	and the ios as the client
0:10:59	additionally for the ios server configuration on router 3
0:11:03	we will see there is a couple variations of this
0:11:05	one that is using the dynamic crypto maps
0:11:08	which was the original configuration logic for this
0:11:15	then the newer logic that is using the dynamic virtual tunnel interfaces or the devti
0:11:22	regard this for all of these configurations whether we were doing it on the ios or the asa
0:11:25	we will see that there is a lot of individual syntax options that we need to apply
0:11:30	so just like
0:11:31	some of the previous VPN configurations we saw
0:11:34	that is definitely one of the ones that you want to know
0:11:36	where this is located in the documentation
0:11:41	now we saw on the asa that we could look at the show run all tunnel group
0:11:45	the show run all group policy
0:11:46	and the VPN set up command
0:11:51	that going to help us to get some information about what the syntax is supposed to be
0:11:53	but the ios generally we are going to be relying
0:11:56	just on the configuration portion of the documentation
0:12:00

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

Easy VPN Overview

Create Bookmark