

Notes to Self: IPexpert Security Lab A

These are mostly notes for my own benefit as I work through various labs. In this case, I only worked on specific sections of lab A, as I was a bit short on time.

Section 1: Layer 2 configuration

- when creating an SVI for a given VLAN, always make sure the VLAN itself exists on all switches in the transit path for that VLAN.

- if the lab specifies restricting “management access”, don’t forget to check whether the HTTP server is enabled and apply an access class to it similar to the one on the VTYs.

- Filtering traffic by ethertype

mac access-list extended F0_15
  deny   any any 0x1234 0x0
  permit any any
!
int fa0/15
  mac access-group F0_15 in
!

- VLAN filtering by MAC address

mac access-list extended VL123
  permit host 0000.1234.4321 host 0000.4321.1234
!
vlan access-map VL123 10
  action forward
  match mac address VL123
vlan access-map VL123 999
  action drop
!
vlan filter VL123 vlan-list 123

No real problems with this section other than interpretation on the VLAN filtering. In a lab, I’d ask the proctor if they meant traffic from this *range* of MAC addresses or just between the two.
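An added example, not part of the original post: a small Python evaluator for the VL123 access-map above, applying IOS MAC ACL wildcard-mask semantics to constructed frames so the three possible readings of the task can be compared. The bidirectional and MAC-range ACLs are assumptions about what the lab might mean, not configuration from the lab.

```python
# Added example (not from the original post): evaluate the VL123 VLAN access-map
# against constructed frames. IOS MAC ACL masks are wildcard masks: a 1 bit
# means "don't care", so 'host' is an all-zero mask and 'any' is all ones.

HOST = 0x000000000000  # 'host a.b.c' keyword: exact match
ANY = 0xFFFFFFFFFFFF   # 'any' keyword: match everything


def mac_to_int(mac: str) -> int:
    """Convert Cisco dotted-hex notation (0000.1234.4321) to an integer."""
    return int(mac.replace(".", ""), 16)


def acl_result(acl, src: str, dst: str):
    """First-match evaluation of a MAC ACL; None means the implicit deny was hit."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for action, asrc, smask, adst, dmask in acl:
        if (s | smask) == (mac_to_int(asrc) | smask) and (d | dmask) == (mac_to_int(adst) | dmask):
            return action
    return None


def vacl_action(acl, src: str, dst: str) -> str:
    """vlan access-map VL123: seq 10 forwards frames the ACL permits, seq 999 drops the rest."""
    if acl_result(acl, src, dst) == "permit":  # 'match mac address' only matches on a permit
        return "forward"
    return "drop"


# Reading 1, exactly as on the page: one ACE, so only A->B frames are forwarded.
A, B = "0000.1234.4321", "0000.4321.1234"
ONE_WAY = [("permit", A, HOST, B, HOST)]
# Reading 2 (assumed): traffic *between* the two hosts needs the return-direction ACE too.
BOTH_WAYS = ONE_WAY + [("permit", B, HOST, A, HOST)]
# Reading 3 (assumed): a *range* 0000.1234.xxxx <-> 0000.4321.xxxx via wildcard masks.
RANGE = [("permit", "0000.1234.0000", 0xFFFF, "0000.4321.0000", 0xFFFF),
         ("permit", "0000.4321.0000", 0xFFFF, "0000.1234.0000", 0xFFFF)]

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY), ("both-ways", BOTH_WAYS), ("range", RANGE)):
        print(name, vacl_action(acl, A, B), vacl_action(acl, B, A),
              vacl_action(acl, "0000.1234.0001", B))
```

The page's single ACE forwards A->B frames but the return traffic B->A hits sequence 999 and is dropped, which is the difference the proctor question is really about.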

Section 2: Pix / ASA Configuration

- When originating a default route and running RIP on both inside & outside, use a route-map with ‘match interface’ to control which side we send the default route to.

- don’t be so quick to assume an answer. I configured HTTP/HTTPS and missed that the question said a “Web/SMTP/DNS” server, so I left out a bunch of the ACL.

- when configuring AAA through a firewall, don’t forget to set the source int on the remote device if required.

- remember that a transparent firewall will not pass anything inbound by default (except ARP) without an access-list, just like a routed firewall.

- a transparent firewall must have a management IP address configured or it will not pass any traffic, even if that traffic would otherwise be allowed.

- always check early whether the lab requires a change between single and multiple context mode, since switching modes needs a reboot of the device and wastes time.

- basic process for setting up contexts

admin-context FOO
context FOO
  config-url disk0:/FOO.txt
!
context BAR
  config-url disk0:/BAR.txt
  allocate-interface eth0/0
  allocate-interface eth0/1
!

- when configuring local authentication on the ASA, don’t forget to explicitly enable it for SSH/Telnet

hostname ASA1
domain-name ipexpert.com
crypto key generate rsa general-keys
ssh 1.2.3.0 255.255.255.0 inside
username cisco password cisco
aaa authentication ssh console LOCAL

Section 3: IDS Configuration

- I need to spend time learning the IDS command line. I’m fairly solid through IDM but not through the CLI.

- IOS IPS basic config

ip ips name FOO
ip ips notify log
logging host 1.2.3.4
logging on
int se0/1/0
ip ips FOO in
!

Section 7: VPN Configuration

- when configuring L2L VPNs on the VPN3000 through the GUI, be careful when configuring the interesting traffic. The mask is specified as a *wildcard* mask, e.g. 0.0.0.255, not a subnet mask.
