Time Based Access Control Lists

November 8th, 2008 Bryan Posted in IOS, Uncategorized No Comments »

I just finished the IPExpert audio and video on demand lessons related to ACLs. They provide some good insight into the usage of these access-lists and their place in the CCIE Security lab. In my attempt to improve this blog I have tried my first video recording. It is just a quick look at implementing a time based ACL from the inside network to an outside network during weekly business hours (M-F 8AM to 5PM). Hopefully as I progress down this path I can make more worthwhile videos but hey, we all have to start somewhere.
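The configuration the video walks through, written out as an added example that is not part of the original post or video. The inside LAN 192.168.10.0/24 on FastEthernet0, the NTP server 192.0.2.10 and the US Eastern time zone are my assumptions, not the author's lab values.

```ios
! Added example: time-based ACL permitting inside -> outside only
! Monday to Friday 08:00-17:00. Interface, addresses, NTP server and
! time zone below are assumptions for illustration.
!
! The window is evaluated against the router's own clock, so set the
! zone and synchronise time first; otherwise the hole opens and closes
! at the wrong hours without any error.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10

! Named time range. "periodic weekdays" covers Monday through Friday.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 17:00

! Inside LAN to anywhere is allowed only while the time range is active.
! Outside the window the ACE is treated as if it were not in the list,
! so the deny (made explicit here so the drops are logged) catches it.
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.10.0 0.0.0.255 any time-range BUSINESS-HOURS
 deny ip any any log

interface FastEthernet0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-TO-OUTSIDE in

! Verification: the clock must be correct, the time range reports
! active/inactive, and the ACE is flagged with the same state.
! Router# show clock
! Router# show ntp status
! Router# show time-range BUSINESS-HOURS
! Router# show ip access-lists INSIDE-TO-OUTSIDE
```

The permit never turns into a deny by itself: an inactive ACE simply disappears from the match sequence, so whatever follows it (here the explicit deny, otherwise the implicit one) decides. Check show time-range and show ip access-lists at a known time on both sides of the boundary before trusting the window.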


Starting to study

November 7th, 2008 Bryan Posted in CCIE Security No Comments »

So, my project website is basically complete and I have decided to focus on the CCIE Security exam again. I am going to try and schedule it for sometime around mid-September. Since I purchased the IPExpert Blended Learning Solution I am going to start preparing for the first lab, which is ACLs and IP filtering. I am going to spend a few days studying online and some books I have scattered around my office, focusing only on access control lists, CBAC and IP spoofing filtering. It looks like this lab doesn’t have any firewalls so I will only be practicing on routers. Also, since moving my exam date guarantees I will be taking the new version of the lab, I will only study on the appropriate IOS versions. Hopefully I can dedicate at least two hours a day to studying.

Off I go.


Rescheduling my lab date

November 5th, 2008 Bryan Posted in CCIE Security No Comments »

Since I have been focusing most of my time the last few weeks on launching my new website I haven’t been able to get any studying accomplished. I’m going to use this as an excuse to push my lab date back a few months from April to September. This will also give me time to adjust my methods to the new lab blueprint.


and so it begins…

October 15th, 2008 Bryan Posted in Blended Learning Solution, CCIE Security No Comments »

Today is the official start date of my CCIE Security studies. I have taken the last few weeks since my BSCI failure to work on some other non-CCIE related projects. Even though these are not fully completed I feel that 6 months might not be enough time even with a full-time study attitude, but I cannot let another day pass without studying. My goal is at least 2 hours a day during the work week and 8 hours a day on the weekends. Obviously, due to circumstances related to other business interests, this is a lofty goal and I will be struggling to keep my schedule.
Tonight I will start on the Volume I workbook from IPExpert’s Blended Learning Solution and hopefully tomorrow I will be filling you in on my first impression.

Bryan

EDIT: Or so I thought it would begin. I ran into some snags getting the first section working in GNS3. Since I am not so familiar with GNS3 I decided to watch a few of the videos that came with the hard drive. I will have to look at getting some rack time so I don’t have to mess with GNS3.


Easy VPN on an 1811 located in DMZ - Part 2

October 12th, 2008 Bryan Posted in ASA/Pix, IOS, IPsec No Comments »

So after struggling with the routing on this particular problem I decided to ask someone for help; that person was Josh over at Blindhog. He worked on it for about 10 minutes and was able to determine what I was doing wrong. So below is the relevant information from the final configuration of the Easy VPN client (1811).

crypto ipsec client ezvpn ASA
 connect auto
 group ezvpntunnel key cisco
 mode network-extension
 peer 64.22.228.130
 username cisco password cisco
 xauth userid mode local

interface Loopback0
 ip address 10.2.2.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map EzVPN-Routing
 crypto ipsec client ezvpn ASA inside

ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.255.255.0 Loopback0

ip access-list extended EzVPN-Routing
 permit ip any 172.17.0.0 0.0.0.255

route-map EzVPN-Routing permit 10
 match ip address EzVPN-Routing
 set ip next-hop 10.1.1.1

The things that changed from the initial configuration I had are as follows.

• Took off the access-lists on the Loopback0 and FastEthernet0 interfaces
• Added ip nat inside and ip nat outside to their respective interfaces
• Added a route for the remote network pointing towards the ‘outside’ interface (Loopback0)
• Changed the route-map access-list to allow anything to the remote network
• Added set ip next-hop 10.1.1.1 (the DMZ address of the Pix) to the route-map
• Also, on the ASA we had to add a nonat statement for the Loopback0 interface

Again, I would like to thank Josh for his help. Without his assistance I would still be twiddling my thumbs on this one.
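A set of checks for confirming that a client configured like the one above (or like the earlier post's client) has actually come up, added here as an example and not taken from either post. It assumes the profile name ASA, the Loopback0 inside interface and the EzVPN-Routing route-map from the configuration above; the test host 172.17.0.1 in the remote network is an assumption, and the head-end commands assume the ASA software of the earlier post.

```ios
! Added verification steps, not from the original posts. Assumes the
! Easy VPN client profile "ASA", Loopback0 as the inside interface and
! the EzVPN-Routing route-map shown above; 172.17.0.1 is an assumed
! host in the remote 172.17.0.0/24 network.

! 1. Client state. Healthy output shows "Current State: IPSEC_ACTIVE"
!    and "Last Event: SOCKET_UP" with the configured peer.
!    "CONNECT_REQUIRED" means IKE never completed: check the peer,
!    the group name (it must equal the ASA tunnel-group name) and key.
Router# show crypto ipsec client ezvpn

! 2. Phase 1. Easy VPN uses aggressive mode, so a healthy entry shows
!    state QM_IDLE. An entry stuck in AG_INIT_EXCH or AG_AUTH, or no
!    entry at all, means the isakmp policy, group name or pre-shared
!    key does not match the head end.
Router# show crypto isakmp sa

! 3. Phase 2 counters. Send test traffic from the inside interface,
!    then compare "#pkts encaps" and "#pkts decaps". Encaps rising with
!    decaps stuck at zero means packets leave the tunnel but nothing
!    returns, which in this deployment pointed at the routing and the
!    missing nonat on the ASA rather than at IPsec itself.
Router# ping 172.17.0.1 source Loopback0
Router# show crypto ipsec sa

! 4. Confirm the policy route is actually steering the interesting
!    traffic to the Pix DMZ next hop ("Policy routing matches" count).
Router# show route-map EzVPN-Routing

! 5. The same two views from the head end.
asa# show crypto isakmp sa
asa# show crypto ipsec sa
```

Work the list top to bottom: a client that is not IPSEC_ACTIVE has no phase 2 to inspect, and encaps/decaps counters are only meaningful after step 3 has pushed known traffic through the tunnel.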


My first impression of the IPExpert BLS videos

October 6th, 2008 Bryan Posted in Blended Learning Solution, Cisco, GNS3 No Comments »

So I ran through a few of the training videos this weekend and must say I really enjoyed them. Following along was easy; the presenter did a good job of keeping the video flowing. I was working on some other projects so I wasn’t using them to study, but I did want to run through a few of them to see what I would be dealing with for the next few months. I believe my printed workbooks should arrive tomorrow so I really look forward to beginning to work through some of them this week. As always I will try and keep this blog updated frequently as I move through the workbook and the audio/video provided. I finished setting up my GNS3 machine and hope to finish my work lab tomorrow.


Building a home lab

October 4th, 2008 Bryan Posted in CCIE Security, Cisco, GNS3 No Comments »

Since the arrival of my IPExpert Blended Learning Solution I have been forced to take the CCIE lab studying a little more seriously. Today I decided to start putting together some pieces to help me study. I have a Dell 1435 server that is going to be my home GNS3 machine, so hopefully with its dual processors and 2GB of memory I will be able to run more virtual devices than my regular home machine. At work I will be setting up a GNS3 lab with a Dell 2850 that currently has 8 physical interfaces thanks to some PCI-E cards, an ASA 5520 and a Pix 515. Depending on when they announce the changes to the CCIE Security lab I may need to get a VPN Concentrator since my lab is scheduled in April. I also hope to get access to at least a 4215 but hopefully we can get a 4240 for testing.

With the completion of my home setup I hope to create a few tutorials as I go along in my studying. Hopefully I can make them as good as the ones over at Blindhog. Well, back to the lab build.


Configuring Easy VPN on a Cisco Router located in a DMZ

October 1st, 2008 Bryan Posted in ASA/Pix, IOS, IPsec No Comments »

So lately I have been working on an Easy VPN configuration that requires a Cisco 1811 connected with just one interface to a Pix’s DMZ. I am about 75 percent done with the configuration and I am just waiting on the rest of the local traffic information to finish the tunnel. The ASA will have an external IP address of 12.34.56.78. I currently have the following configured on the ASA:

access-list ezvpn standard permit 172.16.1.0 255.255.255.0

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 3
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none

username alltimedefense password 23DSFLKJlsdkfs9080wr encrypted

crypto ipsec transform-set EZVPN esp-3des esp-sha-hmac
crypto dynamic-map dynEZVPN 10 set transform-set EZVPN
crypto map ezvpn 10 ipsec-isakmp dynamic dynEZVPN
crypto map ezvpn interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group ezvpn-tunnel type ipsec-ra
tunnel-group ezvpn-tunnel general-attributes
 default-group-policy DfltGrpPolicy

tunnel-group ezvpn-tunnel ipsec-attributes
 pre-shared-key cisco

That should be all that is needed on the ASA. The group-policy and tunnel-group commands above each enter their own sub-configuration mode, and the names and secrets (the alltimedefense username and its password, the ezvpn-tunnel group name, the pre-shared key and the peer addresses) are the values I changed for this deployment, so replace them with your own. The group name the router uses in its Easy VPN client profile has to match the tunnel-group name on the ASA, and the pre-shared key has to match as well. Now let me move on to the Cisco 1811 at the remote site. The Fast Ethernet 0 interface will have an ip address of 192.168.1.1 and the loopback interface will have an ip address of 172.16.1.1.

username alltimedefense password 23DSFLKJlsdkfs9080wr
ip route 0.0.0.0 0.0.0.0 192.168.1.2

crypto ipsec client ezvpn EZVPN
 connect auto
 group ezvpn-tunnel key cisco
 mode network-extension
 peer 12.34.56.78
 xauth userid mode local

access-list 100 permit ip any any
access-list 110 permit ip any any
access-list 120 permit ip 172.16.1.0 0.0.0.255 any

route-map EZVPN permit 1
 match ip address 120

ip nat inside source route-map EZVPN interface FastEthernet0 overload

Now we need to add the access-lists and the crypto ipsec client ezvpn EZVPN to the FastEthernet0 and Loopback interfaces.

interface FastEthernet0
 ip access-group 100 in
 crypto ipsec client ezvpn EZVPN

interface Loopback0
 ip access-group 110 out
 crypto ipsec client ezvpn EZVPN inside

After this configuration I was able to bring the tunnel up and ping the loopback interface from my ASA at the 172.16.1.1 ip address. When I am given the remote ip addressing information I will make the necessary changes to the configuration to allow traffic to flow from the remote LAN to my network behind the ASA.

Hopefully I didn’t mistype anything while going back through this and I plan to update the configuration once the project is completed. If anyone catches any mistakes or can give me some criticism or advice please feel free to leave a comment or email me.


Lesson learned - Stick with Security

September 19th, 2008 Bryan Posted in BSCI, Cisco 1 Comment »

So about ten questions into the BSCI exam today I knew the outcome was grim. After I struggled with five or six of the first ten questions I began thinking to myself that I had to drive another 45 minutes home after this disaster was over. Due to the craptacular drive that is required to take a certification exam now that stupid New Horizons has stopped Cisco testing I will not be using my free retake. I thought I had a good enough grasp on the material to pass the test but I missed it pretty badly, so I made the decision to just start studying full-time for the CCIE Security and forget about passing the BSCI.

    Oh well, I can’t win them all.


BSCI Exam Day - Five hours and counting

September 19th, 2008 Bryan Posted in BSCI, IPv6 No Comments »

So here I am with about five hours left until my BSCI exam. Due to the fact I have to drive about 40 minutes to the testing site (thanks for stopping your Cisco tests, New Horizons) I have about four hours of studying left. Speaking of New Horizons not providing Cisco tests anymore: how can you offer training for the CCNA and CCENT but not provide your customers with a place to take the exam? This seems like bad business to me, but obviously they don’t make any money off the testing so it is a risk they are willing to take, it seems.

I will be brushing up on redistribution and IPv6; these seem to be my weakest subjects. Funny I say this because I have a feeling at least one if not all of my labs will be in regards to either of these two subjects. I am really looking forward to finishing up this exam, taking the next week off of studying and then diving into the CCIE Security lab exam.

Hopefully my next post is a success story; if not I have the free retake coupon provided by Cisco.
