regex domlist1 "facebook.com"
regex domlist2 "myspace.com"
!
class-map type regex match-any DomainBlockList
  match regex domlist1
  match regex domlist2
!
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
!
policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
  reset log
!
policy-map global_policy
  class inspection_default
  inspect http http_inspection_policy
!
service-policy global_policy global
wr mem

tcp-map BGP_FIX
  tcp-options range 19 19 allow
!
access-list BGP permit tcp any any eq 179
!
class BGP
  match access-list BGP
  !! could also use match protocol tcp eq bgp
!
policy-map global_policy
  class BGP
    set connection advanced-options BGP_FIX
    set connection random-sequence-number disable
!

aaa-server ACS_SERVER protocol tacacs+
aaa-server ACS_SERVER (inside) host 1.2.3.4
    key myACSkey
!
access-list outbound_auth permit tcp any any eq 23
access-list outbound_auth permit tcp any any eq 80
!
aaa authentication match outbound_auth inside ACS_SERVER

There are additional options to configure HTTP vs. HTTPS and redirection vs. basic HTTP authentication.  The documentation is a bit confusing, so I will be labbing this up shortly.

The 8.0 release of the ASA software solves this problem by introducing an enhanced Service object group that allows a mix of multiple protocols within the same group.  Unfortunately, the 8.0 and 8.2 ASA configuration guides don’t appear to cover this new type of service group or show an example.

object-group network DMZ_NET
  network-object 1.2.3.0 255.255.255.0
!
object-group service DMZ_SERVICES
  service-object tcp eq 80
  service-object udp eq 53
  service-object tcp eq 53
  service-object icmp
!
access-list DMZ extended permit object-group DMZ_SERVICES any object-group DMZ_NET

I’ll be using a mix of both IPexpert and InternetworkExpert materials for my preparation.  Both vendors’ new technology-focused lab releases look terrific.  Hopefully, by the time I work through them they’ll have some updated 8-hour full mock labs available.

For the most part, I’ll be relying on Dynamips for lab work, since now that the VPN 3000 is no longer in the lab everything except for the switches can be simulated.  I’ll have to rent some rack time to review the switch-based security stuff from R&S, but for the most part I’m not worried there.

A more detailed post to come…

Plans for this week:

• IE just released their first v.5 full labs (lab 1 and lab 10).  I’ll probably skip Lab 1, since it’s only a level 5 and I’ve already watched the live Lab Meetup, but I’ll definitely be hitting lab 10 since it’s an 8.
• I have IE rack rentals Tue-Thu.  My goal is to hit two full IE labs (v.5 lab 10 and probably v.4 lab 7)
• IPexpert rack rentals Fri, Sat, Sun, Mon.  I want to get some solid lab hours in before the Christmas break.  Haven’t picked a set of labs yet, but at least book 3, labs 9 and 10.
• I may try to pay for another IE mock lab during my current Christmas break.  My lab 4 attempt went pretty well (77, with a couple of sections I disagreed with the proctor on).
• Reading:
  • Finish the QoS self-study book
  • Start the Cisco Press multicast and IPv6 books
  • IE workbook 1 v.5 solution guides.  These are terrific for individual technology focus.

• beware of pruning issues when some switches are transparent and some aren’t.  If not otherwise specified, make all switches transparent if one is.

IP Telephony

• macro apply cisco-phone $access_vlan 5 $voice_vlan 4 sets most things properly
• To change the CoS applied to traffic coming from the PC connected to a phone: switchport priority extend cos 1
• Don’t forget to enable mls qos globally or nothing will work

PPP

• as a general rule, use no peer neighbor-route on all PPP interfaces to avoid random /32 routes showing up in IGPs and redistributions.  They’re only needed if you have different subnets at each end of the link.

IGP’s — RIP

• use the distribute-list gateway option along with a prefix-list to specify the routers from which we will accept routes.
• don’t forget the prefix option (e.g. distribute-list prefix FOO not distribute-list FOO when filtering routing updates
• remember, though, that a distribute-list doesn’t have to use a prefix-list.  It also works just fine with a regular ACL (useful for permit any or deny any).

• IPexpert BLS class-on-demand
• IPexpert v.10 Workbook 2
• InternetworkExpert ATS CoD v4.5

Notes — PPP General:

• By default, PPP will inject a directly-connected /32 route for the remote end into each device’s routing table.  Can be safely disabled unless both ends of the link are not on the same logical IP subnet (e.g. one side or both sides are using ‘ip unnumbered’).  To disable, use the ‘no peer-neighbor-route' interface-level command.
• The ‘ppp quality‘ interface-level command enables Link Quality Monitoring (LQM), which will bring down the interface if the number of bytes transmitted vs. received over a link falls below a given percentage.
• The ‘ppp reliable-link‘ command enables LAP-B numbered mode to negotiate a reliable link.

Notes — PPP Multilink

• The ‘ppp multilink links minimum‘ interface option (under the Multilink interface) specifies how many physical circuits must be up before the bundle comes up.  The ‘mandatory‘ option brings the bundle down if the number of active links falls below the minimum.

Notes — PPP Authentication:

• The ‘ppp authentication <protocol>‘ command is only required on the side of the link that is issuing the challenge (the “server” side).  This may also be referred to as the side that’s “doing authentication” or that is “authenticating <OtherRouter>”
• CHAP (and EAP) will use the hostname of the router as the username, by default.  PAP requires the username to be explicitly specified with the ‘ppp pap sent-user‘ command. If you need to use a different username, you can specify it using the ‘ppp chap hostname‘ or ‘ppp eap identity‘ commands.
• For CHAP, if you don’t want to specify the global username/password combo on the client (or you don’t know the server’s hostname), you can specify just the password to be sent to any remote authentication challenge with the ‘ppp chap password‘ command at the interface level.
• If you want to use the same username in both directions with CHAP, use the ‘no ppp chap ignoreus‘ interface-level command, since by default CHAP will refuse to authenticate with “ourself” if the hostname matches.
• EAP is an additional “secure” protocol distinct from CHAP.  MS-CHAP and MS-CHAPv2 probably aren’t “different enough” from CHAP to satisfy a lab requirement of two different secure protocols.
• You must specify ‘ppp eap local‘ for EAP to work unless you have a radius server available.
• EAP doesn’t use the shared password from the ‘username‘ statement when responding to a challenge.  You need to specify the password using ‘ppp eap password <pass>‘