Nov 18 2012

Initially there were about 250 hosts in the network attached to switch SW1. The gateway router HSRP_A is the active router for the network. As the number of hosts attached to SW1 increased, a new subnet (10.0.2/24) was introduced as a secondary address on the gateway routers. To achieve some load sharing, HSRP_B is the active router for group 1 (the 10.0.1/24 network) and HSRP_A is the active router for group 2 (the 10.0.2/24 network).

The OSPF cost advertised by HSRP_A is better than the one advertised by HSRP_B. Thus the return traffic from the network attached to R5 will always take the path via HSRP_A. Now let's look at this scenario when some traffic filtering is in place.

HSRP_A has a filtering rule which allows inbound TCP sessions only if they were originated from the networks attached to SW1. For this, HSRP_A has an outbound access-list named OUTBOUND_ACL_OUT attached to f0/1, which reflects the outgoing TCP sessions into a reflexive access-list named TCP.


May 13 2012

All communication between H1 and H2 must be protected with IPsec.

Tasks to do

  • Synchronize the time
  • Configure IOS CA Server
  • Enroll routers to obtain certificates
  • Classify interesting traffic
  • Configure ISAKMP Phase 1 policy and IPsec Phase 2 Transform set
  • Create a crypto map and apply crypto map to interface

Step 1: Time must be synchronized for certificates to work properly. The CA router can be configured as an NTP master, which then provides time to the other routers.

May 12 2012

Task list

  • Change the mode to multiple
  • Define contexts and assign interfaces
  • Assign primary and secondary IP addresses
  • Failover configuration

Step 1: First we have to change the default mode from single to multiple. A reboot is required. Only multiple mode supports contexts, which are needed to build virtual firewalls.

ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

Step 2: Since the ASA is now in multiple context mode, we can define contexts named CON-A and CON-B. We must also provide the location of each context's configuration file. Finally, the interfaces should be assigned to the contexts. The interfaces must be brought up (no shutdown) and, if needed, subinterfaces must be created in the system context.

May 06 2012

All communication between H1 and H2 must be protected with IPsec.

Tasks to do

  • Classify interesting traffic
  • Create ISAKMP policy and shared key for Phase 1
  • Create IPsec Transform set for Phase 2
  • Create a crypto map and apply crypto map to interface

Step 1: The traffic that has to be protected with IPsec must be classified with an ACL. We create an ACL that matches packets between the 10.0.100.0/24 and 10.0.200.0/24 networks.

R1(config)#ip access-list extended PROTECTED_TRAFFIC
R1(config-ext-nacl)# permit ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255
