Fix for ASA multicast issues and PEMU

Posted in CCIE on September 12, 2009 by cciejournal

Not discovered by me, but by JayTee, who posted a comment. Thought I'd make it known to everyone. I haven't tested it.

<snip>

OK, I got multicast working. It’s a known problem. The fix is to comment out
some qemu code. This really isn’t the “right” way to fix this, as the ASA
will apparently get all multicast traffic instead of the multis that it
registers for, but it fixes the problem. See explanations here:

http://juniper.cluepon.net/index.php/Olive

http://sioduy.blogsome.com/2009/04/05/install-olive-in-freebsd-71/

</snip>

Static Policy NAT & PAT

Posted in CCIE on September 12, 2009 by cciejournal

Going through it a second time today, it was still as confusing as the last time I did it. After dissecting the configuration, it's only slightly different from any other NAT statement once you include the contents of the ACL.

(Real,Fake) Fake, Real, Policy

access-list POLICY extended permit tcp host 136.1.121.1 eq telnet 136.1.122.0 255.255.255.0
static (inside,outside) tcp interface telnet access-list POLICY

With the above configuration, if you tack the ACL on to the static statement it's exactly the same structure, except you have the policy ACL at the end to say what triggers the translation. The ACL is written from the real host's point of view: the source is the real address and real port (136.1.121.1, telnet), and the destination is the set of hosts the translation should apply to (136.1.122.0/24). In this case, telnet traffic sourced from 136.1.122.0/24 and destined to the ASA's outside interface address will be translated to the real address 136.1.121.1 on port 23; telnet to that interface address from anywhere else does not match this static.

SEC update

Posted in CCIE on September 12, 2009 by cciejournal

Since I posted about the problems experienced with PEMU and ASA emulation, I decided that I wasn't going to waste any more time dealing with bugs. So I managed to convince my work that they should give me an ASA 5510 for my lab. With no questions asked, I had one two days later :)))

Practical study has been purely Volume I workbooks. I've gone through almost every single ver 5.0 lab (except the IPS ones), and gone through 1/3 of the VPN labs a second time. Today I'm working on the ASA labs again.

Some notes on the Volume I labs....they aren't all correct. I have come across errors which have sent me down the troubleshooting path for long periods of time. It's not all that bad though; stuff seems to stick better when that happens.

Initially, I was overwhelmed with the amount of VPN variations there are, and I guess without knowing how to configure them all it seemed like every single one was going to take a while to master. Not that I'm a master yet, but when it all boils down...if you know ISAKMP and IPSEC then each variation is really straightforward. Things like DMVPN and GET VPN are a piece of cake.

For the theory side, since I haven't taken my written exam yet, I read the entire CCBOOTCAMP written study guide. It's OK, not a bad primer for some topics, and a review of some legacy products etc. that will appear on the 2.0 written, but probably not enough on its own. I also purchased the Complete VPN Configuration Guide and the Security Troubleshooting Handbook, of which I'm halfway through the configuration guide (it's quality reading!). SSL Remote Access VPNs got a bit of a read, but most of it is based on ASDM or SDM. The first half is a good intro though.

I’ve read the config guides from time to time, but I'm nowhere near the stage of trying to remember where everything is....that comes later :)

For CoD learning I've watched almost all the INE videos once. Unfortunately they pale in comparison to the R&S ones. They were packed full of almost every technology you come across (5 extra days of content though!).

A special mention for video content goes to the Cisco Networker 2009 videos. My work purchased a subscription and there are two (so far!) really good 2HR videos:

Advanced Topics in Encryption Standards and Protocols
Presented by Saadat Malik, who wrote Network Security Principles and Practices. He explains ISAKMP even better than he does in the book. If you can get access....I highly recommend it. Try signing up for a free account; it may be one of the free ones available. The reason I say that is, when I had a free account it seemed to let me add a few videos to my profile, then after a while I couldn't add any more. Definitely worth a go.

Troubleshooting Firewalls
A really good explanation of packet flow through the ASA, troubleshooting tips and shortcuts, etc. Highly worth it. I'll probably watch it again.

Overall, I think that progress is good. I’m hoping to do my first full scale lab soon.


Remembering NAT statements on the ASA

Posted in CCIE on September 12, 2009 by cciejournal

A guy at my work who achieved his CCIE Security late last year had a good way of remembering the order of the arguments in NAT translations on the ASA. As simple as it may be, I always had trouble deciding what I should use, but since he told me I haven't had any problems!

static (Real,Fake) {Fake} {Real}

Real is the interface the host sits on and its actual IP address, the one that gets translated. Fake is the interface and address that it's translated to.
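As an added example (not from the original posts), here is the plain static from this post next to the static policy PAT from the "Static Policy NAT & PAT" post above, on pre-8.3 ASA code, together with the interface ACL the inbound telnet needs and the commands to check the result. Everything except 136.1.121.1, 136.1.122.0/24 and the two statements quoted in that post is assumed for illustration: the inside host 136.1.121.10 and its mapped address 136.1.122.10, the outside interface address 136.1.122.12, and the test clients 136.1.122.2 and 136.1.123.2.

```cisco
! --- Plain static: (Real,Fake) Fake Real ---------------------------------
! Inside host 136.1.121.10 appears on the outside as 136.1.122.10
! (both addresses assumed for this example).
static (inside,outside) 136.1.122.10 136.1.121.10 netmask 255.255.255.255

! --- Static policy PAT from the post above --------------------------------
! The ACL is written from the real host's point of view: source = real host
! and real port, destination = the remote hosts the translation applies to.
access-list POLICY extended permit tcp host 136.1.121.1 eq telnet 136.1.122.0 255.255.255.0
static (inside,outside) tcp interface telnet access-list POLICY

! --- Interface ACL for the inbound telnet ---------------------------------
! Pre-8.3 interface ACLs reference the mapped (Fake) address, i.e. the
! outside interface IP, assumed here to be 136.1.122.12.
access-list OUTSIDE_IN extended permit tcp 136.1.122.0 255.255.255.0 host 136.1.122.12 eq telnet
access-group OUTSIDE_IN in interface outside

! --- Verification ---------------------------------------------------------
! A client inside the policy range (assumed 136.1.122.2) telnets to the
! outside interface; the trace should show the UN-NAT to 136.1.121.1/23
! and an ALLOW result.
packet-tracer input outside tcp 136.1.122.2 1025 136.1.122.12 23
! A client outside the policy range (assumed 136.1.123.2) must not match
! the POLICY static; the trace should end in a DROP.
packet-tracer input outside tcp 136.1.123.2 1025 136.1.122.12 23
! Static entries show up here whether or not any connection has used them.
show xlate
```

The inbound ACL names the mapped address rather than the real host because pre-8.3 interface ACLs are written in terms of the translated addresses; from 8.3 onwards ACLs reference the real address and this static/access-list form was replaced by object and twice NAT, so the syntax above does not carry over.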

Emulated ASA issues

Posted in CCIE on August 8, 2009 by cciejournal

Now that I’ve had a chance to really put the virtual setup to the test, I've come across some problems with certain technologies that have forced me to look more toward rack sessions to study them. In case you haven't read my previous posts, I'm running PEMU, a variation of QEMU that emulates the physical platform to run ASA code 8.0(2).

When I was studying R&S, which was almost entirely on dynamips, I quickly learnt that if there was something that should be working but isn't, it's probably dynamips being a pig. More often than not these issues were caused by the 16 port NM modules, and a restart of the topology was a quick fix. Maybe sometimes I would have to delete the working directory....but that's it; overall it was pretty solid and pretty much everything it supported worked beautifully.

Unfortunately with the ASA it ain't the same. I've come across two main issues with it, one I have a workaround for, and the other I don't.

1. Multicast

The ASA is able to send multicast out of its interfaces, which can be received by other devices in the topology, but it never sees multicast messages sent by other devices. Obviously this is a major problem for testing any multicast routing, but more importantly it affects RIP, EIGRP, and OSPF communication, since all three use link-local multicast for their updates or hellos. Even though they aren't a huge focus in the security lab, a lot of the Volume I labs, and no doubt the Volume II labs, include them for obvious reasons. It's more annoying than anything....so to get around it I've been using neighbor statements on the routers and always using RIP as the routing protocol.

I’ll just have to make do for Volume I labs, but with this problem alone I don't want to be doing full scale labs with just RIP. It's guaranteed that I'll fall into some kind of habit that will work against me when I go for the real thing.
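An added example (not from the original post) of the workaround described above: RIPv2 on the IOS router with passive-interface plus a neighbor statement, so the router's updates towards the ASA go as unicast instead of to 224.0.0.9, while the ASA's own multicast updates still reach the router as before. The addresses (router Fa0/0 136.1.121.2/24, ASA inside 136.1.121.12/24) and the interface name are assumed.

```cisco
! R1 (IOS). Assumed: Fa0/0 is 136.1.121.2/24, the ASA inside is 136.1.121.12/24
router rip
 version 2
 network 136.1.0.0
 ! passive-interface stops the 224.0.0.9 multicast updates going out Fa0/0;
 ! the router still accepts updates that arrive on it
 passive-interface FastEthernet0/0
 ! neighbor sends the same updates to the ASA as unicast, which the
 ! emulated ASA does receive
 neighbor 136.1.121.12
 no auto-summary
!
! ASA 8.0(2). Nothing special is needed: its multicast updates already reach
! R1, and the unicast updates from R1 are accepted like any other RIP update.
router rip
 version 2
 network 136.1.0.0
 no auto-summary
!
! Check: each side should now learn the other's routes.
!   R1#  show ip route rip
!   ASA# show route rip
```

Any other router sharing a segment with the emulated ASA needs the same passive-interface/neighbor pair for that segment; routers that only peer with other dynamips routers can keep using multicast.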

2. Certificates

I experienced a plethora of issues the other night getting certificates working with the ASA and a simple L2L tunnel. Errors ranged from "Certificate not valid yet" from the CA when enrolling, to "Bad certificate received" on the IOS router when starting IKE P1 negotiations. The clock on the ASA was the same as on the IOS router, configurations were scrapped multiple times, the Internetwork Expert configurations didn't work, and an entirely new instance of ASA had no joy either. But every single time the IOS device was showing all the right messages. Jumping straight onto a rack I was able to get it running immediately, which pretty much confirmed that something was up.

Even with these problems I'm still going to use QEMU for as much as I possibly can, but keep in the back of my mind that it's far from a perfect study tool, always maintaining the approach that if it looks right but still isn't working, it's probably a good idea to try it on real equipment before spending hours troubleshooting something that isn't there :)

Back in action

Posted in CCIE on August 3, 2009 by cciejournal

It's been a while....

Since I posted last, I've been really busy with work, some holidays, and non-CCIE related study. The company I work for is going for Gold partner status with Cisco later this year, so I had to deviate from my security study for a while and pass a few exams. So in the last 4 months I certified myself as:

Advanced Routing & Switching Design Specialist
Data Centre Networking Infrastructure Design Specialist
Data Centre Application Services Design/Support Specialist

A lot of the topics I knew from the job or my CCIE studies, and the new PEC e-Learning modules are awesome. But to get me over the line they sent me on the WAAS course, which I found really interesting. It's also good to get 5 days off work too :)

So anyway, with all of those out of the way, I now have my Security end-to-end self study package from Internetwork Expert and haven't wasted any time in getting down to business....

Stay tuned, as I have some notes on my lab setup. I had some major issues with it.....and still do.

Offline

Posted in CCIE on April 16, 2009 by cciejournal

Sorry all, have been offline for a little while (moving house & PC issues). I’ll respond to the requests for the .NET file in the next day or two.

Something I need to edit in my previous post though. I ended up experiencing weird issues running the 2600 XM routers in Dynamips.

Security Home Lab

Posted in CCIE, Dynamips, Internetwork Expert on March 26, 2009 by cciejournal

Still alive, just been busy with work and various other stuff.

For the last couple of months my study has been mainly some light reading here and there. Virtually no labbing yet because, for one, I don't have any study material yet (i.e. workbooks), and secondly I don't have a lab to study on. Work are supporting my second IE, but there's just some finalization to be done before the material is purchased, which will be from Internetwork Expert. With regard to practical study, unless I have a fully functional lab at my disposal any time I want it, there's very little chance I'll study at all. But that has all changed since yesterday!

A few days ago IE released the specs for their new Security racks. So with some free time off, and using what I had already prepared a few months ago, I've now got a fully functioning lab that almost matches their topology exactly. And the best part is that it's pretty much all virtual, idling on my Windows XP quad core with 3GB at 30% utilization.

So here’s what I have:

Virtual (Dynamips)

R1 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R2 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R3 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R4 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R5 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R6 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
BB1 – 3640 (c3640-is-mz.124-23)
BB2 – 3640 (c3640-is-mz.124-23)
BB3 – 3640 (c3640-is-mz.124-23)

Virtual (Other)

ACS Server 4.2 Trial – Running on Windows 2003 Server in VMware
IPS 5.1 – Running in VMware
2 x ASA 8.0(2) – Running in QEMU

Real Equipment

Cisco 3548XL Switch
2 x Cisco 3550 24 Port EMI
Test PC (my home laptop)

Now in terms of how I get all this working, I’ll start with a diagram:

[topology diagram]

The key to getting the whole topology working is the Intel Server NIC and the 3548XL switch. I created a VLAN (which shows as a logical interface in Windows) for every device interface that needs to 'physically' connect to the 3550 switches. In total there are 21 VLAN interfaces.

Each virtual device’s interface is then mapped to one of these VLAN interfaces either through dynamips, Qemu, or VMware.

The physical Intel NIC (which is set to trunk all the VLANs) connects to the 3548XL. So now we have 21 separate VLANs for 21 separate interfaces, all being trunked through to a physical switch. At this point the devices still have no way of communicating with each other.....

I then configured 21 ports on the 3548XL switch with the same VLAN IDs and used very short Ethernet cables to patch each port to the corresponding port on the real 3550s, as per the Internetwork Expert racks.

For example, ASA1 port E0/1 is supposed to be on SW1 Fa0/13. So I assigned it VLAN 113 on the PC, assigned port Fa0/13 on the 3548XL to VLAN 113, and then patched it through to SW1 Fa0/13. Oh, and I turned off spanning-tree for all the VLANs to make sure BPDUs don't start coming in on the 3550s. They are all host ports, remember :)
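The ASA1 E0/1 case above as a 3548XL configuration, added here as an example and not taken from the original post. The port numbers for the trunk (Fa0/24, assumed to be where the Intel NIC plugs in) and the access port (Fa0/13, from the post) and the VLAN name are the only specifics; the command syntax is that of the 3500XL's 12.0(5) IOS, and the per-VLAN spanning-tree disable is the command I would expect there, so verify it on the box.

```cisco
! Catalyst 3548XL: one VLAN per emulated interface, trunked from the PC's
! Intel NIC and handed to the 3550 as an untagged host port.
vlan database
 vlan 113 name ASA1_E0-1
 exit
!
interface FastEthernet0/24
 description Trunk to the PC's Intel NIC (carries every lab VLAN)
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ! Only the VLANs that map to emulated interfaces belong on this trunk;
 ! add the other 20 here as they are created.
 switchport trunk allowed vlan 113
!
interface FastEthernet0/13
 description ASA1 E0/1 -> patched to SW1 Fa0/13
 switchport mode access
 switchport access vlan 113
 spanning-tree portfast
!
! No STP on the lab VLANs, so no BPDUs leave the access ports towards the
! 3550s; those ports are plain host ports from the 3550's point of view.
no spanning-tree vlan 113
```

Repeat the vlan, allowed-vlan, access-port and no-spanning-tree lines for each of the other 20 interfaces, keeping the VLAN number aligned with the 3550 port number (113 for Fa0/13) so the mapping stays readable.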

As far as getting the other virtual devices running here’s what I did:

ASA
- http://7200emu.hacki.at/viewtopic.php?t=4936&postdays=0&postorder=asc&start=0 – Look for the posts by ‘thumpercisco’
- QEMU is configured to map ASA interfaces to MS Loopback interfaces (3 for each ASA)

IPS
- http://7200emu.hacki.at/viewtopic.php?t=3095
- 3 VMware virtual adapters (only two required for topology)
- Enable VNC on the VMware instance so you don't need to go through the host machine every time.

ACS
- Trial version from Cisco; just save the VMware image once installed so you can reload it after 90 days
- Enable VNC on the VMware instance so you don't need to go through the host machine every time.

Other Stuff

To make things even easier I purchased a 2 port RS232 PCI card from eBay and installed it in my server. I then use a program called “Serial to Ethernet Connector” so that I can telnet from my Test PC to a TCP port on the server, which maps my session to the serial ports of the physical switches.

.NET file

If you want a copy of my .NET file please look at more recent posts.

Fully virtual?

I did consider doing the whole thing in dynamips, and it is very possible. The only thing that annoyed me was the switch ports would be different on my setup than they would be in the workbooks (16 ports on the NM modules as opposed to 24). This meant some ports would be changed, meaning the diagrams would all be wrong, and the initial configs would all need to be changed.

——

The CPUs idle nicely at 30% (full topology), and memory usage is about 1.5GB total.

With this I'll be able to test most technologies and even do most full scale labs.

I hope this helps anyone thinking about or pursuing their Security track. Feel free to drop me a line if you have any questions.

Security blueprint, quality books, and general thoughts

Posted in CCIE, Dynamips on January 2, 2009 by cciejournal

For the last two weeks I’ve been working at the new Westfield shopping centre in London. Apart from having Christmas day off I’ve been at work every other day. Fortunately, because it's only a very short contract to fill in for the usual guy while he’s on leave, I only have a few key things to look after, and if nothing goes wrong I don’t have to do a single thing! So overall it's been a pretty quiet two weeks, and because most of management is away it's very peaceful on my floor of the building, which has given me a LOT of time to get immersed in my new books.

Most of this free time has been spent reading Yusuf Bhaiji’s Network Security Technologies and Solutions, which is just fantastic. Considering how many different products and technologies he covers, I think it goes into just the right amount of detail on each one. The book can be used as a quick reference, or it can be used to get a baseline understanding of new security concepts. If you are looking to get a lot of coverage of the written blueprint then this is the book you need, and even if you aren’t studying for the security lab, I would highly recommend it for any budding network professional in the Cisco arena.

In addition to this I got myself a Safari account and started reading Network Security Principles and Practices by Saadat Malik, and after seeing various Amazon reviews I went straight to the IPSEC section to see what all the fuss was about. If you had any doubts about how ISAKMP, IPSEC, ESP, AH or any other related topic functions...this book will sort you out. Although it is a few years old, it’s written extremely well and goes into a lot of detail on most of the technologies that make up the 2.0 blueprint.

—-

Considering my progress so far and how much I’m enjoying studying, I anticipate that I'll be sitting the written a lot sooner than April. February seems more realistic. If I wait 3-4 months before taking the written, it's just going to mean that I'll need to do a lot more review of stuff that I’ve learnt in the last two weeks...it's better to strike while the iron's hot! And since the written is mostly theory there is no real need to be hammering away on the CLI playing with stuff, which is really what I want to get stuck into.

My Dynamips machine is slowly coming together. I’m probably going to do most of my study on a virtualized system so that I can go at my own pace for next to nothing. Dynamips will run my routers, PEMU will run PIXs with 8.x images (I'm not going to worry about ASAs at this stage), and VMware will run both the ACS server on Windows 2003 and IPS with the 5.x image. Obviously I'll be missing some key things for the 3.x lab, but most of it is going to be there, and in the beginning it's plenty to start with.

More books

Posted in CCIE on December 26, 2008 by cciejournal

Purchased another couple of books for my security studies.

Cisco Router Firewall Security – Richard Deal
CCSP IPS Exam Certification Guide – Earl Carter

The IPS book was actually hard to track down for a decent price; the cheapest on Amazon was $120 US! In the end I managed to find it on eBay. I won the sale for 99 cents, but shipping from the States was $32....still, that's not too bad :)

After doing a fair amount of research I think I'll be purchasing the following titles as well:

Cisco Network Security Troubleshooting Handbook – Mynul Hoda
Network Security Principles and Practices – Saadat Malik