Cisco CCIE Security-IP Routing on the PIX/ASA
This post was created using GNS3 and follows what I thought was some of the most lab and real-world relevant content from the Cisco ASA documentation in the area of IP Routing: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
Here is the topology used:

Initial Setup
First, we place the necessary IP configurations on the devices for our initial connectivity:
R0:
en
conf t
host R0
line con 0
exec-time 0 0
logg synch
!
int fa0/0
no shut
ip address 192.168.1.100 255.255.255.0
end
R1:
en
conf t
host R1
line con 0
exec-time 0 0
logg synch
int fa0/0
no shut
ip address 10.10.10.100 255.255.255.0
!
interface loopback 20
ip address 10.10.20.100 255.255.255.0
end
R2:
en
conf t
host R2
line con 0
exec-time 0 0
logg synch
int fa0/0
no shut
ip address 172.16.1.100 255.255.255.0
end
FW0:
en
conf t
host FW0
!
int e0
ip address 192.168.1.1 255.255.255.0
nameif outside
no shut
!
int e1
ip address 10.10.10.1 255.255.255.0
nameif inside
no shut
!
int e2
ip address 172.16.1.1 255.255.255.0
nameif DMZ
security-level 50
no shut
!
end
At this point, I will be sure to ping each connected router from the PIX to ensure IP connectivity. Remember, by default you can ping from the PIX and to the PIX, but you cannot ping through the PIX.
Static Routing
First, I will create a simple static route to the “remote” loopback network that I created on R1. To create a static route on the PIX/ASA, use the route command followed by the interface name, then the destination network and mask, and finally the next hop. The syntax is very similar to a static route on a router, with one major difference: the command does not begin with ip.
FW0:
conf t
route inside 10.10.20.0 255.255.255.0 10.10.10.100
end
Verification of this static route can be accomplished with a show route and a ping of the remote destination address 10.10.20.100.
Default Static Routing
In order to configure a default static route, use the route command but with an all 0’s network prefix and mask. The PIX/ASA allow a shortcut of 0 and 0 to represent 0.0.0.0 and 0.0.0.0. Here I configure a default static route pointing to our outside router.
FW0:
conf t
route outside 0 0 192.168.1.100
end
Verification for this configuration is a quick show route. The PIX/ASA should now show a gateway of last resort, and the static route should be marked as a candidate default.
Static Route Tracking
An issue with the static route we just configured is the fact that if the destination gateway of last resort is down, the route is not removed from the routing table. This issue can be circumvented with the static route tracking capability.
First, I use the Cisco IOS IP Service Level Agreements (SLAs) monitor feature to track the availability of the gateway. This is done with the following commands:
FW0:
conf t
sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.100 interface outside
exit
sla monitor schedule 1 life forever start-time now
end
Notice these commands instruct the SLA monitor to ping the gateway starting now and to do this forever. I picked an SLA_ID of 1 to bind these commands together.
Next, I will associate a tracked static route with the SLA monitoring process using the following commands. Notice here that I have used a Track_ID of 20 and I have recreated our default static route so that it includes the Track_ID. Notice also here that the track command is tied to the SLA monitor with the SLA_ID of 1.
FW0:
conf t
track 20 rtr 1 reachability
route outside 0 0 192.168.1.100 track 20
end
A nifty verification at this point is to move to R0 (the gateway of last resort) and run debug ip icmp. You will find that this router is now being pinged every minute by the firewall as a reachability test.
Next, I?create a backup default static route. This is simply another default static route entry that possesses a higher administrative distance than the original static default route:
FW0:
conf t
route outside 0 0 192.168.1.55 22
For verification, you can shut the interface on the default gateway and run a show route on the PIX/ASA to ensure the backup is installed.
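To make the selection logic concrete, here is an added Python model (not from the original post, and not ASA code) of how the tracked primary default route, the backup default route with administrative distance 22, and the 10.10.20.0/24 static route interact in the table. The class and method names are mine; the track up/down state is supplied directly instead of coming from an SLA monitor, and treating a track that has never reported as down is an assumption of the model.

```python
# Added example, not from the original post: a small model of how the PIX/ASA
# picks between the tracked default route and the backup default route.
# RoutingTable, StaticRoute and set_track() are illustration names, not ASA
# commands; the track up/down state normally comes from the SLA monitor.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    interface: str
    network: IPv4Network
    next_hop: IPv4Address
    admin_distance: int = 1          # ASA default AD for a static route
    track_id: Optional[int] = None   # set when the route carries "track <id>"


@dataclass
class RoutingTable:
    candidates: List[StaticRoute] = field(default_factory=list)
    track_state: Dict[int, bool] = field(default_factory=dict)

    def add_route(self, iface: str, network: str, mask: str, next_hop: str,
                  ad: int = 1, track: Optional[int] = None) -> None:
        """Mirrors: route <iface> <network> <mask> <next-hop> [<ad>] [track <id>]."""
        # The post's "0 0" shorthand expands to 0.0.0.0 0.0.0.0
        network = "0.0.0.0" if network == "0" else network
        mask = "0.0.0.0" if mask == "0" else mask
        net = IPv4Network(f"{network}/{mask}", strict=False)
        self.candidates.append(StaticRoute(iface, net, IPv4Address(next_hop), ad, track))

    def set_track(self, track_id: int, reachable: bool) -> None:
        """Emulates the track object going up or down as the SLA echo succeeds or fails."""
        self.track_state[track_id] = reachable

    def installed(self) -> List[StaticRoute]:
        """Routes actually present in the table.

        A tracked route is withdrawn while its track object is down (in this
        model a track that has never reported is treated as down); among
        routes to the same prefix only the lowest administrative distance wins.
        """
        best: Dict[IPv4Network, StaticRoute] = {}
        for r in self.candidates:
            if r.track_id is not None and not self.track_state.get(r.track_id, False):
                continue
            cur = best.get(r.network)
            if cur is None or r.admin_distance < cur.admin_distance:
                best[r.network] = r
        return list(best.values())

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        """Longest-prefix match; 0.0.0.0/0 only wins when nothing more specific matches."""
        addr = IPv4Address(dst)
        matches = [r for r in self.installed() if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)

    def gateway_of_last_resort(self) -> Optional[str]:
        """What "show route" reports as the gateway of last resort, if any."""
        for r in self.installed():
            if r.network.prefixlen == 0:
                return str(r.next_hop)
        return None


def lab_scenario(gateway_reachable: bool) -> Dict[str, object]:
    """Rebuilds FW0's static routes from the post and reports what gets installed."""
    rt = RoutingTable()
    rt.add_route("inside", "10.10.20.0", "255.255.255.0", "10.10.10.100")
    rt.add_route("outside", "0", "0", "192.168.1.100", track=20)   # tracked primary, AD 1
    rt.add_route("outside", "0", "0", "192.168.1.55", ad=22)       # backup, AD 22
    rt.set_track(20, gateway_reachable)                            # track 20 rtr 1 reachability
    default = next(r for r in rt.installed() if r.network.prefixlen == 0)
    return {
        "gateway": rt.gateway_of_last_resort(),
        "default_ad": default.admin_distance,
        "loopback_via": str(rt.lookup("10.10.20.100").next_hop),
        "internet_via": str(rt.lookup("198.51.100.7").next_hop),  # constructed outside address
    }


if __name__ == "__main__":
    print("R0 reachable:  ", lab_scenario(True))
    print("R0 unreachable:", lab_scenario(False))
```

Running it prints the installed gateway for both track states. The point to take away is that the AD 22 backup only appears in the table while the tracked primary is withdrawn, which is exactly what the show route check after shutting R0's interface should confirm, and that the 10.10.20.0/24 route is unaffected either way because longest-prefix match runs before the default route is consulted.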
Dynamic Routing – OSPF
Now it is time to tackle a dynamic routing protocol configuration. Here I configure an MD5 authenticated neighborship between R2 and FW0. Notice that the network command on the PIX/ASA requires a subnet mask as opposed to a wildcard mask.
R2:
conf t
router ospf 1
network 172.16.1.100 0.0.0.0 area 0
!
interface fastethernet 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
!
end
FW0:
conf t
router ospf 1
network 172.16.1.1 255.255.255.255 area 0
!
interface e2
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco
!
end
For verification, simply run show ospf neighbor on FW0.
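What the ospf message-digest-key 1 md5 cisco commands actually put on the wire is worth seeing once. The following is an added Python example, not code from the original post or from Cisco: it builds a minimal OSPFv2 header with AuType 2 and the RFC 2328 appendix D.4.3 cryptographic authentication field (zeros, key ID, digest length, sequence number), appends MD5(packet || key zero-padded to 16 bytes) after the packet, and verifies it the way a receiver must, including the non-decreasing sequence number check. build_hello, sign and verify are my names, and the hello body is a constructed placeholder.

```python
# Added example, not from the original post: what "ospf message-digest-key 1
# md5 cisco" means on the wire per RFC 2328 appendix D.4.3. AuType 2, an
# 8-byte header field (0x0000, key id, digest length, sequence number), and
# an MD5 digest over the packet plus the 16-byte key appended after the
# packet. build_hello/sign/verify are illustration names.
import hashlib
import hmac
import struct
from socket import inet_aton
from typing import Dict, Optional

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """The key is used as a fixed 16-byte value; short keys such as "cisco" are zero-padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                body: bytes = b"") -> bytes:
    """OSPFv2 header with AuType=2; the checksum field stays zero because the digest covers the packet."""
    length = HEADER_LEN + len(body)          # the digest is NOT counted in the length field
    fixed = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                        inet_aton(router_id), inet_aton(area_id), 0, AUTYPE_CRYPTOGRAPHIC)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return fixed + auth + body               # body is a constructed placeholder here


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append MD5(packet || padded key) after the packet."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire: bytes, keys: Dict[int, bytes], last_seq: Optional[int] = None) -> bool:
    """Receiver side: locate the digest via the length field, select the key by
    key id, recompute the digest, and reject sequence numbers that go backwards."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    if length + DIGEST_LEN != len(wire):
        return False
    key_id, auth_len, seq = struct.unpack("!BBI", wire[18:24])
    if auth_len != DIGEST_LEN or key_id not in keys:
        return False                          # unknown key id: neighbor would not form
    if last_seq is not None and seq < last_seq:
        return False                          # replayed or out-of-order packet
    packet, digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    wire = sign(build_hello("172.16.1.100", "0.0.0.0", key_id=1, seq=1), b"cisco")
    print("good key:", verify(wire, {1: b"cisco"}), " wrong key:", verify(wire, {1: b"other"}))
```

Two things this makes visible that the CLI hides: the key ID on both sides must match (a mismatched key number fails exactly like a wrong key, which is the usual cause of a neighbor stuck in INIT after enabling authentication), and the scheme is a keyed MD5 digest with replay protection from the sequence number, not an HMAC, so the key itself is the only secret and a lab value like "cisco" should not survive into production.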
Dynamic Routing – RIP version 2
Next, we will run RIP version 2 on the PIX/ASA and advertise the DMZ subnet to the internal router R1. Here are the configurations:
R1:
conf t
router rip
version 2
no auto-summary
passive-interface default
network 10.0.0.0
no passive-interface fa0/0
end
FW0:
conf t
router rip
version 2
no auto-summary
network 172.16.0.0
network 10.0.0.0
end
Verification for RIP in this example would include show ip route on R1 and debug rip on FW0.
Conclusion
I certainly hope you have enjoyed this blog on IP routing with the PIX/ASA. While my goal was to hit the highlights, please keep in mind that the dynamic routing protocols offer many features that are not covered here. In fact, even some static routing features were omitted from this discussion. Just remember that these features should be very easy to find in the documentation link when you are in the heat of battle.
640-802 CCNA Cisco Certified Network Associate Exam Braindump Description
The 640-802 Cisco Certified Network Associate (CCNA) is the composite exam associated with the Cisco Certified Network Associate certification. Candidates can prepare for this exam by taking the Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 and the Interconnecting Cisco Networking Devices Part 2 (ICND2) v1.0 courses. This exam tests a candidate’s knowledge and skills required to install, operate, and troubleshoot a small- to medium-size enterprise branch network. The topics include connecting to a WAN; implementing network security; network types; network media; routing and switching fundamentals; the TCP/IP and OSI models; IP addressing; WAN technologies; operating and configuring IOS devices; extending switched networks with VLANs; determining IP routes; managing IP traffic with access lists; establishing point-to-point connections; and establishing Frame Relay connections.
Exam Topics
The following topics are general guidelines for the content likely to be included on the Cisco Certified Network Associate exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.
Topic-1 Describe how a network works
• Describe the purpose and functions of various network devices
• Select the components required to meet a network specification
• Use the OSI and TCP/IP models and their associated protocols to explain how data flows in a network
• Describe common networked applications including web applications
• Describe the purpose and basic operation of the protocols in the OSI and TCP models
• Describe the impact of applications (Voice Over IP and Video Over IP) on a network
• Interpret network diagrams
• Determine the path between two hosts across a network
• Describe the components required for network and Internet communications
• Identify and correct common network problems at layers 1, 2, 3 and 7 using a layered model approach
• Differentiate between LAN/WAN operation and features
Topic-2 Configure, verify and troubleshoot a switch with VLANs and interswitch communications
• Select the appropriate media, cables, ports, and connectors to connect switches to other network devices and hosts
• Explain the technology and media access control method for Ethernet networks
• Explain network segmentation and basic traffic management concepts
• Explain basic switching concepts and the operation of Cisco switches
• Perform and verify initial switch configuration tasks including remote access management
• Verify network status and switch operation using basic utilities (including: ping, traceroute, telnet, SSH, arp, ipconfig), SHOW & DEBUG commands
• Identify, prescribe, and resolve common switched network media issues, configuration issues, auto negotiation, and switch hardware failures
• Describe enhanced switching technologies (including: VTP, RSTP, VLAN, PVSTP, 802.1q)
• Describe how VLANs create logically separate networks and the need for routing between them
• Configure, verify, and troubleshoot VLANs
• Configure, verify, and troubleshoot trunking on Cisco switches
• Configure, verify, and troubleshoot interVLAN routing
• Configure, verify, and troubleshoot VTP
• Configure, verify, and troubleshoot RSTP operation
• Interpret the output of various show and debug commands to verify the operational status of a Cisco switched network.
• Implement basic switch security (including: port security, trunk access, management vlan other than vlan1, etc.)
Topic-3 Implement an IP addressing scheme and IP Services to meet network requirements in a medium-size Enterprise branch office network.
• Describe the operation and benefits of using private and public IP addressing
• Explain the operation and benefits of using DHCP and DNS
• Configure, verify and troubleshoot DHCP and DNS operation on a router (including: CLI/SDM)
• Implement static and dynamic addressing services for hosts in a LAN environment
• Calculate and apply an addressing scheme including VLSM IP addressing design to a network
• Determine the appropriate classless addressing scheme using VLSM and summarization to satisfy addressing requirements in a LAN/WAN environment
• Describe the technological requirements for running IPv6 in conjunction with IPv4 (including: protocols, dual stack, tunneling, etc).
• Describe IPv6 addresses
• Identify and correct common problems associated with IP addressing and host configurations
Topic-4 Configure, verify, and troubleshoot basic router operation and routing on Cisco devices
• Describe basic routing concepts (including: packet forwarding, router lookup process)
• Describe the operation of Cisco routers (including: router bootup process, POST, router components)
• Select the appropriate media, cables, ports, and connectors to connect routers to other network devices and hosts
• Configure, verify, and troubleshoot RIPv2
• Access and utilize the router to set basic parameters (including: CLI/SDM)
• Connect, configure, and verify operation status of a device interface
• Verify device configuration and network connectivity using ping, traceroute, telnet, SSH or other utilities
• Perform and verify routing configuration tasks for a static or default route given specific routing requirements
• Manage IOS configuration files. (including: save, edit, upgrade, restore)
• Manage Cisco IOS.
• Compare and contrast methods of routing and routing protocols
• Configure, verify, and troubleshoot OSPF
• Configure, verify, and troubleshoot EIGRP
• Verify network connectivity (including: using ping, traceroute, and telnet or SSH)
• Troubleshoot routing issues
• Verify router hardware and software operation using SHOW & DEBUG commands.
• Implement basic router security
Topic-5 Explain and select the appropriate administrative tasks required for a WLAN
• Describe standards associated with wireless media (including: IEEE WI-FI Alliance, ITU/FCC)
• Identify and describe the purpose of the components in a small wireless network. (Including: SSID, BSS, ESS)
• Identify the basic parameters to configure on a wireless network to ensure that devices connect to the correct access point
• Compare and contrast wireless security features and capabilities of WPA security (including: open, WEP, WPA-1/2)
• Identify common issues with implementing wireless networks (including: interface, misconfiguration)
Topic-6 Identify security threats to a network and describe general methods to mitigate those threats
• Describe today’s increasing network security threats and explain the need to implement a comprehensive security policy to mitigate the threats
• Explain general methods to mitigate common security threats to network devices, hosts, and applications
• Describe the functions of common security appliances and applications
• Describe security recommended practices including initial steps to secure network devices
Topic-7 Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network.
• Describe the purpose and types of ACLs
• Configure and apply ACLs based on network filtering requirements (including: CLI/SDM)
• Configure and apply ACLs to limit telnet and SSH access to the router (including: SDM/CLI)
• Verify and monitor ACLs in a network environment
• Troubleshoot ACL issues
• Explain the basic operation of NAT
• Configure NAT for given network requirements (including: CLI/SDM)
• Troubleshoot NAT issues
Topic-8 Implement and verify WAN links
• Describe different methods for connecting to a WAN
• Configure and verify a basic WAN serial connection
• Configure and verify Frame Relay on Cisco routers
• Troubleshoot WAN implementation issues
• Describe VPN technology (including: importance, benefits, role, impact, components)
• Configure and verify a PPP connection between Cisco routers
12.9.09
Cisco SSL VPN and ASDM Configuration – Port Conflict
In addition to IPsec VPN support, Cisco firewalls also support SSL (Web) VPN technology for providing remote users with access to resources. The main difference between IPsec VPN and SSL VPN is that the first requires a VPN client installed on the user’s computer, while SSL VPN requires only a browser that supports HTTPS. Another difference is that IPsec VPN provides full network connectivity to the central site, so the remote user has full access to applications just like local LAN access. SSL VPN, on the other hand, provides limited application access compared with IPsec VPN. The applications that can be accessed through SSL VPN include internal websites, web-enabled applications, NT/Active Directory file shares, e-mail proxies (POP3S, IMAP4S, and SMTPS), MS Outlook Web Access, and port forwarding to some other TCP-based applications.
The diagram below shows a high level network topology for SSL VPN connectivity:
As you can see, remote users can establish a secure SSL tunnel over the Internet and access application resources located in their central enterprise LAN using a web browser (HTTPS).
Next we will describe how to enable SSL VPN on the firewall, and discuss how you can avoid a port conflict with ASDM (the web GUI management interface) when both are enabled on the same firewall interface.
Both SSL VPN and ASDM communicate over HTTPS, which listens on port 443 by default. If we need to enable ASDM management access on the same interface as SSL VPN (usually the “outside” interface), then we must change the listening port of either the SSL VPN or ASDM. In our example below we will describe both scenarios.
A. Change the port of ASDM
ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside

Cisco CCIE Certifications in 2008 – CCIE Salary
Back in 2004-2005, the most prestigious Cisco certification, the Cisco Certified Internetwork Expert (CCIE) was considered the biggest cash cow of IT certification. The average salary of a CCIE professional in USA was around $110,000 per year.
However, employers have recently been seeking IT professionals with business-oriented certifications in areas such as project management and Six Sigma (a technique that applies statistical tools to measure, analyze and fix problems). This new trend has caused the CCIE certification to drop to fifth position in salary earnings.
The top 6 paying certifications in 2008 are:
1. PMI Project Management Professional (PMP) – $102,000 average salary in 2008
2. PMI Certified Associate in Project Management
3. ITIL v. 2 – Foundation
4. (ISC)2’s Certified Information Systems Security Professional (CISSP)
5. Cisco CCIE – $93,500 average Salary in 2008
6. Cisco Certified Voice Professional – $88,600 average Salary in 2008
Just for comparison purposes, the highest paying Microsoft certification is the Microsoft Certified Solution Developer ($84,522).
UPDATE:
An update to the above post: an interesting post I was reading on http://www.itworld.com covers the salary range of CCIEs in different world regions. It seems like the UK guys get the most money of all!!
Salary Range of CCIEs in different world regions
South America/Mexico from $30k – $70k
Canada from $65k – $110k
United States from $80k – $150k
United Kingdom from $90k to $190k
As Eman (itworld) mentions in his post, your real salary value as a CCIE really depends on your interview skills and your ability to convince your employer that you are worth the money and that you can meet his expectations.
