CCIE Security ver 4 Rack Rental

CCIE Security ver 4 Rack Rental:  Rs.2500/- per session (each session is of 6hrs)

List of Equipments:
-Cisco ASA 5512x-2nos
-Cisco ASA 5510- 2nos
-Cisco Routers-6nos
-Cisco Switch 3560-4nos
-Cisco Switch 3750-2nos
-Cisco ISE
-Cisco ACS 5.x
-Cisco WLC 2504
-Cisco LWAP
-Cisco WSA (Ironport)
-Test PC

Interested candidates please send email to info@networkexpert.co

Configuring IOS CA Server

Configuring Cisco Router as CA Server

R1(config)#ip domain-name networkexpert.co
R1(config)#crypto key generate rsa general-keys label netx exportable
R1(config)#crypto key export rsa netx pem url nvram: 3des netx123
!generate and export RSA keys

R1#show crypto key mypubkey rsa

R1(config)#ip http server
R1(config)#crypto pki server netxCA
R1(cs-server)#database url nvram:
!If this command is not specified, all database entries are written to Flash.
R1(cs-server)#database level <minimum | names | complete>
!Minimum: Enough information is stored only to continue issuing new certificates without
conflict; the default value.
!Names: In addition to the information given in the minimal level, the serial number and
subject name of each certificate.
!Complete: In addition to the information given in the minimal and names levels, each issued
certificate is written to the database.
R1(cs-server)#issuer-name CN=iosca.networkexpert.co L=Blr C=In
R1(cs-server)#lifetime ca-certificate 365
!default 3year
R1(cs-server)#lifetime certificate 200  
!default 1 year
R1(cs-server)#cdp-url http://172.18.108.26/netxcdp.netx.crl
R1(cs-server)#lifetime crl 24  
!default 1week
R1(cs-server)#grant auto
R1(cs-server)#no shutdown





R1# show crypto pki server

Configuring Anyconnect on ASA 8.2

Anyconnect Confiuration

domain-name netx.com
!
crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.netx.com
subject-name CN=sslvpn.netx.com
keypair sslvpnkeypair
!
crypto ca enroll localtrust noconfirm
!
ssl trust-point localtrust outside
!Above configuration  is for Self Signed Certificate
copy tftp://172.16.1.66/anyconnect-win-2.0.0343-k9.pkg flash
!copy anyconnect s/w package to flash/disk0
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
enable outside
svc enable
!
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
!
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 172.16.1.95
vpn-tunnel-protocol svc
default-domain value netx.com
address-pools value SSLClientPool
!
sysopt connection permit-vpn
!
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
webvpn
tunnel-group-list enable
!
access-list no_nat extended permit ip host 172.16.1.0 255.255.255.0 192.168.25.0 255.255.255.0
!
nat (inside) 0 access-list no_nat

nat (inside) 1 0 0
global (outside) 1 interface
!
username netx password netx
username netx attributes
service-type remote-access
!

Configuring Network Object NAT in ASA 8.4

Network Object NAT
(ASA 8.4)

-----------------------------

Dynamic NAT 
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of
outside addresses 2.2.2.1-2.2.2.10:

ASA(config)# object network my-range-obj
ASA(config-network-object)# range 2.2.2.1 2.2.2.10
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic my-range-obj


Dynamic PAT
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address
2.2.2.2:
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic 2.2.2.2


The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface


Dynamic NAT with Dynamic PAT backup
The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also use up, dynamic PAT is performed using the outside interface address.

ASA(config)# object network nat-range1
ASA(config-network-object)# range 10.10.10.10 10.10.10.20
!pool of public IP address(Dynamic NAT)

ASA(config-network-object)# object network pat-ip1
ASA(config-network-object)# host 10.10.10.21
!single Public IP for PAT (dynamic PAT)

ASA(config-network-object)# object-group network nat-pat-grp
ASA(config-network-object)# network-object object nat-range1
ASA(config-network-object)# network-object object pat-ip1
!Object grouping of dynamic NAT and then dynamic PAT in order

ASA(config-network-object)# object network my_net_obj5
ASA(config-network-object)# subnet 10.76.11.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
!private subnet and nat config: first NAT using object group(in order) if full use interface(outside) for PAT

Static NAT
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
ASA(config)# object network my-mapped-obj
ASA(config-network-object)# host 2.2.2.2
ASA(config-network-object)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static my-mapped-obj


Static PAT
The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the
outside interface at port 2121.
ASA(config)# object network my-ftp-server
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static interface service tcp 21 2121


Identity NAT
The following example maps a host address to itself using an inline mapped address:
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static 10.1.1.1

Core Knowledge Questions Removed from the CCIE Security and CCIE Storage Exams

Effective August 15, 2011, CCIE Security Lab Exam and CCIE Storage Networking Lab Exam, in all global locations, will no longer include the four open-ended Core Knowledge questions.  The removal of Core Knowledge questions allow candidates to utilize the total lab time for configuration and troubleshooting. The total lab time will remain eight hours.

NAT 0 statement in Cisco FIrewall (PIX/ASA)

NAT 0 STATEMENT:

nat (inside_interface_name) 0

NAT 0 has two affects:
   

1. nat (inside_interface_name) 0 access-list 101 
   
   This works exactly the same way as static, except it bypasses NAT.  It does not require the connection to be initiated from the higher security interface before the host on the lower security interface can create a connection to the host on the higher security level interface.
2. nat (inside_interface_name) 0 0.0.0.0 0.0.0.0 
   
   This bypasses NAT, but requires the host on the higher security interface to first initiate a connection to the host on the lower security interface before the host on the lower security interface can initiate
   a connection.

NAT Order of Operation in Cisco Firewall (ASA/PIX)

1. nat 0 access-list (nat-exempt)
2. match against existing xlates
3. static statements
   
      
   1. static nat with and without access-list (first match)
   2. static pat with and without access-list (first match) 
      
4. nat
      
   1. nat access-list (first match) 
      
      Note: The nat 0 access-list command is not part of this command.
   2. nat (best match) 
      
      Note: When choosing a global address from multiple pools with the same NAT ID, this order is attempted:
             
      1. If the ID is 0, create an identity xlate.
      2. Use the global pool for the dynamic NAT.
      3. Use the global pool for the dynamic PAT.      
      

Automatic Backup of Cisco Router Configuration using KRON

About KRON:

The Command Scheduler (KRON) Policy for System Startup features enables support for Command Scheduler upon system startup.

Command Scheduler allows customers to schedule fully-qualified EXEC mode CLI commands to run once, at specified intervals, at specified calendar dates and times, or upon system startup. Originally designed to work with CNS commands, Command Scheduler has a broader application. Using the CNS image agent feature, remote routers residing outside a firewall or using Network Address Translation (NAT) addresses can use Command Scheduler to launch CLI at intervals to update the image running in the router.

Command Scheduler has two basic processes. A policy list is configured containing lines of fully-qualified EXEC CLI commands to be run at the same time or interval. One or more policy lists are then scheduled to run after a specified interval of time, at a specified calendar date and time, or upon system startup. Each scheduled occurrence can be set to run once only or on a recurring basis. 

Commands

RX2(config)# kron policy-list netx

RX2(config-kron-policy)# cli sh running-config | redirect tftp://172.16.1.150/backup-cfg

RX2(config-kron-policy)#  exit

RX2(config)#  kron occurrence netx-kron at 10:00 recurring

RX2(config-kron-occurrence)#  policy-list netx

RX2(config-kron-occurrence)#  exit

Verification:

RX2#sh kron schedule

Kron Occurrence Schedule

netx-kron inactive, will run again in 0 days 21:03:06 at 10:00 on

The above configuration can be used to schedule automatic backup of Cisco Router Configuration. As per the configuration given, Router is scheduled to take backup at 10:00AM everyday to TFTP Server specified.

Automatic Backup of Cisco Router Configuration using Archive

RX2(config)#archive

RX2(config-archive)#  path tftp://172.16.1.150/backup-cfg

RX2(config-archive)#  time-period 1440

RX2(config-archive)#  write-memory

RX2(config-archive)#  exit

The above configuration can be used to schedule automatic backup of Cisco Router Configuration. As per the configuration given, Router is scheduled to take backup every 24hrs as well as when ever user saves the changes using write-memory command to TFTP Server specified in path command.

Configuration Change Notification and Logging

About Configuration Log

The Configuration Change Notification and Logging feature tracks changes made to the Cisco IOS software running configuration by maintaining a configuration log. This configuration log tracks changes initiated only through the command-line interface (CLI) or HTTP. Only complete commands that result in the invocation of action routines are logged. The following types of entries are not logged:

•Commands that result in a syntax error message

•Partial commands that invoke the router help system

For each configuration command that is executed, the following information is logged:

•The command that was executed

•The configuration mode in which the command was executed

•The name of the user that executed the command

•The time at which the command was executed

•A configuration change sequence number

•Parser return codes for the command

You can display information from the configuration log through the use of the show archive log config command, with the exception of the parser return codes, which are for use by internal Cisco IOS applications only.

About Configuration Change Notifications and Config Change Logging

You can configure the Configuration Change and Notification Logging feature to send notification of configuration changes to the Cisco IOS software system logging (syslog) process. Syslog notifications allow monitoring of the configuration log information without performing polling and information gathering tasks.

The Configuration Change Notification and Logging feature allows the tracking of configuration changes entered by users on a per-session and per-user basis. This tool allows administrators to track any configuration change made to the Cisco IOS software running configuration, and identify the user that made that change. 

Commands

RX2(config)#archive

RX2(config-archive)#  log config

RX2(config-archive-log-cfg)#  hidekeys

RX2(config-archive-log-cfg)#  logging  enable

RX2(config-archive-log-cfg)#  notify syslog

RX2(config-archive-log-cfg)#  exit

Keyword “hidekeys” suppresses output of password while logging. 

Verification:

RX2#sh archive log config all

 idx   sess           user@line      Logged command

    1     1        console@console  |  logging enable

    2     1        console@console  |  notify syslog

    3     1        console@console  |  exit

    4     1        console@console  |   exit

    5     2        console@console  |router rip

    6     2        console@console  | exit

    7     2        console@console  |no router rip

     8    2        console@console  |enable password *****