Tuesday, December 9, 2014

IINS 640-554 passed (CCNA Sec, WGU Course CNV1)

Passed, but only with a 918 out of 1000.

Thoughts: This was a test with a high bar to reach. As stated in other notes, make sure you read the documents from the Cisco site, beyond the book, the CBT Nuggets videos and Boson's tests. The books and videos will get you close, but the other material will get you the rest. I spent a lot of time in the CCP GUI and the console the two days before the test. I re-reviewed my notes the night before.

GNS3 is almost required. I am using the most current version, 1.2.1. Here is the practice setup I used (over and over and over).



  • The Win7client was a VirtualBox machine. It was used to manage all devices via ASDM and CCP. CCP IS dog-ass slow at discovering.
    • One Proc, 2Gigs of RAM, 40G HDD
    • Installed Apps included 
      • ASDM -- for the ASA
      • CCP -- for the routers
      • Notepad++ -- because I can't remember anything two seconds after I see it
      • Chrome (w/adblock) -- my preferred
      • Tftpd64
        • to move asdm image back and forth to the ASA
        • to provide file downloads for the IOS IPS
      • default gateway was the IOS router (NOT THE ASA)
  • Local/Host workstation
    • Quad core Intel, 16gigs of RAM
    • Connected to the ISP router with a physical connection. The physical connection is Local Area Connection 2.
    • Served as VPN connection to the ASA.
  • Routers
    • 7200 series with IOS 15.0.x
    • All routers had a 1GE Interface
      • WANFU
        • had qty 2 -- 2 port 100FE cards
        • Was a DHCP client on g0/0 to get an internet-routable IP address. I hate looking at the damn yellow ! network icon on the Win7client box.
        • did NAT (hey! a test objective) for other networks.
        • Was known to blow up once IOS firewall was turned on (hey, another test objective!)
      • Area4 & Area5 Routers
        • Single 2-port 100FE card
        • The interface not shown was the one used for the VPN (f1/1 on both)
    • Ran OSPF as the IGP. Redistributed on WANFU for default route.
  • The ASA used the known working image within GNS3. It spent most of its life OFF. It WILL eat a single core of your processor when it is on. Plus it is very fickle about keeping configs between reboots. As this is an entry-level course, redoing the interfaces didn't take long, and it was good practice.
  • The VMWare cloud hosted the ACS box. I'll figure out how to reconnect it. 
I ran my practice labs a lot to get the commands down. Seeing enable secret level 6 0 level6pwd looks weird if you don't know what you are looking at. Test-related info in bold. Maybe I'll write out a full step-by-step or some sort of solutions. Right now, please verify your work as you go. I just used this lab to reinforce what Keith Barker's Nuggets taught. I broke most of this out into sections. They can be done independently of each other AFTER the initialization section.
  • Initialization: basic connectivity 
    • Give the routers IP addresses. I like loopbacks, so I added some. Mine were 10.0.255.25x/32. Also, make sure to set g0/0 on WANFU as a DHCP client.
    • Get IPv4 routing working. I used OSPF, everything in area 0. Don't advertise the 192.168.xx.y nets. They are your site-to-site VPN networks. Notice you don't have to advertise them to get the VPN working.
    • Enable IPv6. Give the routers IPv6 addresses on all interfaces.
    • Get some sort of IPv6 routing working.
    • Check your IPv6 interfaces and routing
      • show ipv6 int brief
      • ping 2001:... source 2001:...
    • Configure NTP. Make WANFU the master (ha!). Use authentication. Set Area4 to use WANFU. Area5 will be done later.
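The NTP step above on the console, as an added example (not the post's own config): WANFU serves time with an MD5 key and Area4 will only accept it from WANFU when that key checks out. The loopback address and the key string are assumptions.

```cisco
! ---- WANFU: authenticated NTP master for the lab ----
! Loopback address and key string are assumptions, not from the post.
interface Loopback0
 ip address 10.0.255.251 255.255.255.255
!
ntp authentication-key 1 md5 NtpLabKey1
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp master 3
!
! ---- Area4: authenticated client of WANFU ----
! Same key id and key string on both sides, or the association never syncs.
ntp authentication-key 1 md5 NtpLabKey1
ntp authenticate
ntp trusted-key 1
ntp server 10.0.255.251 key 1 source Loopback0 prefer
!
! ---- verification (exec mode) ----
! show ntp associations         -> "*" in front of the peer once synced
! show ntp associations detail  -> "authenticated" on the peer line
! show ntp status               -> "Clock is synchronized"
```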
  • Configure Users and CCP Login
    • Create the users listed at the privilege listed
    • enable secrets at the appropriate level with correct passwords
      • TEST; login; give some rights.
    • give all the boxes a domain-name (ip domain-name gns3.local is the syntax I used)
    • turn on the web server on each router 
      • turn on both insecure and secure methods
      • use local authentication
    • generate your RSA keys for SSH
    • On all but the Area5 router, turn on AAA authentication and authorization. Area5 gets it in the GUI. That sounds wrong.
      • Authorize exec and commands. Again, use the user accounts for levels. Practice with both default and NAMED method lists. I always set my lists to use local, then 2 or 3 of the other options (group tacacs, enable, local-case, etc.). Heck, create two lists, MYTAC and MYLOCAL, for authentication.
      • configure vty lines to use the aaa authentication and authorization, using the methods just created
    • On Area5 Router
      • configure login on the vty terminals WITHOUT AAA.
    • Turn on CCP. CCP FUN time. 
      • Create a group of nodes. MYGNS3 is what I called them.
      • I used loopback interfaces. Good practice in RL, but...up to you
      • Discover your nodes! (good time to drink, use the facilities, talk to your family, order dinner). Yeah, it can be slow.
      • Manage Area5 router's AAA in CCP
        • Turn on AAA
        • Configure the exact same method lists as WANFU and Area4
        • Push the config out
      • Manage NTP in CCP for Area5 Router. WANFU is the reference.
    • Back to the consoles. Sad, so sad....
      • enable views and log in with the root view. You did read what it told you when you turned it on?
      • create more views! Assign some rights: commands exec all show ip; show ipv6; etc. Test that bad boy.
    • Test everything now. Log in right and wrong.
      • Debug AAA authentication/authorization
      • test aaa group (yeah, no server, so what?). It fails, what a shock.
All right, I think we got most of the basics going and tested. CCP should work. AAA should work using local for SSH/Telnet. All routers are accessible. Life is good. NTP might work. I found NTP tended to cause WANFU to suffer an emotional breakdown and have to be deleted and re-added. Saving would be good if all works in a way you like. Let's move on!
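The console side of the users/AAA/views section above, as an added example (not the post's own config) for the Area4 router. Usernames, passwords and the view name are constructed; the method-list names, the level-6 enable secret line and the domain name are the post's. The "0" in that enable line just says the secret that follows is typed in the clear.

```cisco
! Area4 router. Usernames, passwords and the view name are constructed for
! this write-up; only the method-list names and the level-6 line are the post's.
hostname Area4
ip domain-name gns3.local
!
! one level-15 admin, one level-6 operator
username admin15 privilege 15 secret Admin15-pw
username ops6 privilege 6 secret Ops6-pw
! "0" says the secret that follows is in clear text; IOS hashes it
enable secret level 6 0 level6pwd
enable secret Enable15-pw
! commands a level-6 user can run after "enable 6"
privilege exec level 6 show ip route
privilege exec level 6 show ipv6 route
!
! hostname + domain-name must exist before the SSH keypair is generated
crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
! MYTAC: TACACS+ group (no server in the lab) then local
! MYLOCAL: case-sensitive local, then the enable secret
aaa authentication login MYTAC group tacacs+ local
aaa authentication login MYLOCAL local-case enable
aaa authorization exec MYLOCAL local
aaa authorization commands 15 MYLOCAL local
!
! web server for CCP, insecure and secure, local authentication
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 login authentication MYLOCAL
 authorization exec MYLOCAL
 authorization commands 15 MYLOCAL
 transport input telnet ssh
!
! role-based CLI: "enable view" (root view) first, then a view that only
! carries the IPv4/IPv6 show commands
parser view SHOWIP
 secret ShowIp-pw
 commands exec include all show ip
 commands exec include all show ipv6
!
! exec-mode checks from the post:
! debug aaa authentication / debug aaa authorization
! test aaa group tacacs+ admin15 Admin15-pw legacy  -> fails, there is no server
```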


  • All right! More fun! Let's go out of order and do VPN! Why? Because the longer I put off making WANFU do a whole lot, the better off I was. Back to CCP! If you don't understand the jargon, read the study guide and watch Keith Barker's videos. These are just practice labs to reinforce.
    • Rediscover Area4 and Area5 Routers
    • Create a new site-to-site VPN on the Area4 router
      • DO NOT USE defaults. Be wild, be crazy, just don't DES. Friends don't let friends DES. For your HAGLE (hash, authentication, group, lifetime, encryption), let's pick... AES192, MD5, pre-shared (ilikevpn), DH group 5. Leave the lifetime alone. Seriously, pick your own options, copy-cat.
      • For the phase 2 portion, let's pick MD5-HMAC and AES 256.
      • Your interest traffic will be....????
        • (192.168.40.x going to 192.168.50.x)
        • Your interface will be??? (f1/0)
      • Push that bad boy out. 
      • Ok, go clear the phase 1 that is pushed out by default by CCP. Defaults suck (well, not really, but what fun is letting someone else pick?)
    • And let's go to the Area5 router and do the same thing! Fun. Switch nodes in CCP to Area5.
      • Create a new site-to-site VPN. Match it up with your others.
      • Your interesting traffic might need an adjustment? (The answer is yes.)
      • Push out the config. Destroy the default phase 1 it sends. You are remembering what screen in CCP all this stuff is buried on as you do this?
    • To the console. About time. Keep CCP up though. You'll want to view both.
      • Generate some interesting traffic. On the Area4 router: ping 192.168.50.1 source 192.168.40.1. If you did it right, the establishment of the tunnel might eat one or two packets, but otherwise it works. Nomnomnom. If not, well, crud. You get to troubleshoot! Haha! (Or reboot the boxes and retry. I won't judge you. Much. You have to suffer through a rediscovery in CCP. Another 5 minutes of your life lost waiting.)
      • Practice your show commands
        • show crypto ipsec ?; show crypto isakmp ?; show crypto map; show run. what does the map do and have in it? what does the sa option show you? Where is everything applied
        • go to the GUI. check the tunnel status. Answer all the questions you had in the console via the GUI. 
        • If you are feeling really spicy, turn on your debugs. debug crypto...bring the tunnels up/down etc.
        • Do a show run. see what is in the crypto map. what is in the isakmp part. what is in the ipsec part. what does the ACL do and which one is it?
  • We'll put off the ASA VPNs for a bit. Your host workstation will thank you.
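The Area4 side of the VPN section above as a console config, an added example rather than what CCP wrote for the post. The algorithms, pre-shared key, networks and interface are the post's; the Area5 peer address is an assumption.

```cisco
! Area4 router. Peer address is an assumption (Area5's f1/0 as 10.0.45.5);
! the algorithm choices, key, networks and interface are the post's.
!
! Phase 1 (IKEv1/ISAKMP): HAGLE = hash, authentication, group, lifetime, encryption
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ilikevpn address 10.0.45.5
!
! Phase 2 (IPsec): AES-256 with MD5-HMAC, tunnel mode
crypto ipsec transform-set TS-A4A5 esp-aes 256 esp-md5-hmac
 mode tunnel
!
! Interesting traffic, Area4 LAN -> Area5 LAN
ip access-list extended VPN-A4-TO-A5
 permit ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! The crypto map ties peer, transform set and ACL together ...
crypto map VPNMAP 10 ipsec-isakmp
 set peer 10.0.45.5
 set transform-set TS-A4A5
 match address VPN-A4-TO-A5
!
! ... and is applied once, on the interface facing the peer
interface FastEthernet1/0
 crypto map VPNMAP
!
! Area5 mirrors all of the above with its own peer address and the ACL
! reversed (192.168.50.0/24 -> 192.168.40.0/24); an unmirrored ACL is the
! "adjustment" the post hints at.
! If CCP left a second isakmp policy behind, remove it: no crypto isakmp policy <seq>
!
! Bring it up and check (exec mode):
! ping 192.168.50.1 source 192.168.40.1
! show crypto isakmp sa   -> QM_IDLE means phase 1 is up
! show crypto ipsec sa    -> pkts encaps/decaps counting on the map's SA
! show crypto map         -> peer, ACL, transform set, interface
```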
Did your VPN work? If so, save it! We are moving on! Let's do some more security: a security audit.
  • Is CCP up and everything discovered? Yep. Do it. Pull up your favorite 3-5 minute YouTube video while you wait.
  • Let's manage WANFU. Let's do a security audit!
    • OMG! What should you trust and not trust?
      • No one trusts their internet.
      • Although I don't trust the guy configuring the rest of this lab, let's say we trust the rest for now (f/x interfaces and loopback0).
      • DNS, use google 8.8.8.8, 8.8.4.4
    • Run the security audit! Go ahead and let it do service password-encryption, and some others if you feel it.
    • Push it out if you are feeling lucky.
  • All right! Let's do a one-step lockdown. Save your config before you start (and the GNS3 environment).
    • You'll need to see the screens.
    • Let it push out one time. I've always had craptacular luck and had to reload the OS at this point.
  • Read the screen. See what options you can turn up/down.
That was fun? Easy? Simple? Onward. IOS-based firewall next, on WANFU.
  • Get CCP going. Manage WANFU.
  • Go ahead and bring up the down DMZ interface, f1/1. 172.31.255.1/24 is good. I like using the boundary addresses to reinforce: everyone uses the lower bound, so practice on the upper.
  • You'll have to do this one a couple of times
    • do a basic firewall
    • do an advanced firewall
      • This is all virtual, so make up a virtual server for the dmz. if you are really feeling it, go ahead and connect it to the switch in a different vlan and attach some magic box running whatever service you let through
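What the advanced firewall wizard ends up writing, done by hand as an added example (not the post's own config): a zone-based firewall on WANFU with the DMZ interface from the post. The inside/outside interface roles and the DMZ host 172.31.255.10 are assumptions.

```cisco
! WANFU. Interface roles (f1/0 inside, g0/0 outside) and the DMZ host
! 172.31.255.10 are assumptions; the DMZ interface and subnet are the post's.
interface FastEthernet1/1
 description DMZ
 ip address 172.31.255.1 255.255.255.0
 no shutdown
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface FastEthernet1/0
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface FastEthernet1/1
 zone-member security DMZ
!
! inside -> outside: stateful inspection of anything TCP/UDP/ICMP
class-map type inspect match-any IN-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
! outside -> dmz: only HTTP, only to the published server
ip access-list extended DMZ-WEB-HOST
 permit ip any host 172.31.255.10
class-map type inspect match-all OUT-DMZ-CLASS
 match access-group name DMZ-WEB-HOST
 match protocol http
policy-map type inspect OUT-DMZ-POLICY
 class type inspect OUT-DMZ-CLASS
  inspect
 class class-default
  drop log
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-DMZ-POLICY
!
! No zone-pair means no traffic: outside -> inside and dmz -> anywhere are
! dropped here. Traffic to/from the router itself (OSPF, NTP, SSH) is the
! "self" zone and stays open until you pair it.
! show policy-map type inspect zone-pair sessions  -> live inspected flows
```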
To be continued...

