Monthly Archives: December 2012

ISE + ASA Home Lab Part 1

Yesterday I wrote up my plan for setting up a lab at home to get familiar with Cisco ISE and the ASA (I heard it is going to be in the CCIE Security exam…). Today I have some screenshots and have proved that the basic setup works.

First of all, follow the links I posted yesterday to get ASA 8.4(2) running on GNS3. The next step is to set up a topology in GNS3. I haven’t completed the full lab, but this is what I have done today.

GNS Setup

C1 is the host computer running the ASDM GUI to configure the ASA.

C2 is the virtual machine running Cisco ISE NFR 1.1.1.

C2 network settings mapped to VMnet1

I set up an Inside interface with an IP address in the same subnet as the ISE.

ASA Inside : 10.100.64.100
ISE : 10.100.64.70

I ran some ping tests to make sure connectivity was good. Then I added the ASA to the network device list on the ISE.

adding GNS3-ASA to ISE

The next step is to add the AAA server on the ASA. Once this step is completed, I used a “test” username and password to test RADIUS authentication against the ISE from the ASA.

test radius connection with ISE

As I haven’t set up anything on the ISE, I expected the authentication to fail. Now we can check the log on the ISE to see whether it captured the failed login.

The failed login was logged

I am happy with the result today. I am going to build a remote-access VPN lab using ISE when I have time again. Enjoy!

Creating an ISE, ASA Lab at home without buying any hardware

I created a lab to simulate a client’s situation yesterday on an ASA using the GNS3 simulator. Then it occurred to me to create a lab using GNS3’s ability to connect to a virtual machine. I am not sure whether this will work, but I would like to write down the steps here and share them with everyone who has time to experiment with this.

What you need (at least what I believe you need to have…)
– A powerful PC that can run a few VMs
– An ISE VM
– GNS3 installed on the host PC (preferably Windows, as all the guides are based on Windows 7)

Using GNS3’s ability to connect to real devices (in this case GNS3 connecting to the VMs and the host machine), enabling IP routing on Windows and allowing multiple VM networks to communicate, I am hoping to do the following…

I have the Cisco ISE 1.0 NFR (which I have upgraded to 1.1.2 by following the steps from the Cisco website). You can find my previous post about Cisco ISE and the upgrade. The Cisco ISE is running in a VM. Now, what I need is GNS3 and an ASA. You can follow the steps at this link to set up an ASA in GNS3.

http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/

Once you have done that, follow the link below to create a connection between the ASA in GNS3 and other real machines. You can get the idea from this link and connect it to your VM’s interface.

http://www.xerunetworks.com/2012/03/connect-gns3-network-to-real-networks-other-gns3-network/

The next step: I will be following the Cisco support forum article about setting up “VPN inline Posture using iPEP ISE and Cisco ASA”.

https://supportforums.cisco.com/docs/DOC-24412

Double NAT on ASA 8.4? Thanks to GNS3

Yesterday, I received a task at work to resolve a VPN issue. It wasn’t a straightforward solution. The client wants to create a new internet link via a new ASA firewall to connect to a PPTP server sitting inside the network. The default route still goes to their old internet link. One suggestion is to create a double NAT environment, but how? Thanks to GNS3, I created a lab using GNS3 with an ASA and a Cisco 7200 to simulate the situation and was able to find a solution.

So what needs to be done is to create a double NAT on the ASA; this way, I don’t have to change the default route.

Simple Network Diagram

C1 is the VPN client, R1 is the ISP router, ASA is the firewall, R2 is the core switch and R3 is the PPTP server.

Here are the interface configurations:
R1 G1/0 : 222.111.111.1
R1 G2/0 : 233.111.111.254
C1 : 233.111.111.5
ASA: G1/0 : 222.111.111.2 (Outside)
ASA: G2/0 : 192.168.2.1 (Inside)
ASA NAT POOL : 192.168.11.1 – 192.168.11.254
R2: G1/0 : 192.168.2.2
R2: G2/0 : 192.168.10.1
R3: G1/0 : 192.168.10.18 (PPTP SERVER)
R3: VPN POOL : 192.168.5.1 – 192.168.5.254

R1 Configuration

interface GigabitEthernet1/0
 ip address 222.111.111.1 255.255.255.252
 no shutdown
interface GigabitEthernet2/0
 ip address 233.111.111.254 255.255.255.0
 no shutdown

R2 Configuration

interface GigabitEthernet1/0
 ip address 192.168.2.2 255.255.255.252
 no shutdown
interface GigabitEthernet2/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
! Everything not directly connected goes to the ASA Inside interface
ip route 0.0.0.0 0.0.0.0 192.168.2.1

R3 Configuration

! GNS3 router interfaces are shut down by default
interface GigabitEthernet1/0
 ip address 192.168.10.18 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
aaa new-model
! PPP peers are authenticated against the local user database
aaa authentication ppp default local
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
! Placeholder lab account (constructed); the original post does not show one
username vpnuser secret ChangeMe-LabOnly
!
! vpdn enable is required before the VPDN group accepts PPTP calls
vpdn enable
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
interface Virtual-Template1
 ip address 192.168.5.1 255.255.255.0
 peer default ip address pool vpnpool
 no keepalive
 ppp authentication pap chap ms-chap ms-chap-v2
!
! Pool ends at .254 so the subnet broadcast address is never handed to a client
ip local pool vpnpool 192.168.5.2 192.168.5.254

ASA

interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 222.111.111.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet1
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.252
 no shutdown
!
! Real PPTP server behind R2
object network pptp_inside
 host 192.168.10.18
! Inside addresses that VPN clients are translated to (one per client, no PAT)
object network NAT_POOL
 range 192.168.11.1 192.168.11.254
object service pptp
 service tcp destination eq pptp
object network Inside-network
 subnet 192.168.0.0 255.255.0.0
! Lab-only ACLs: everything is permitted in both directions
access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
! Twice NAT: client source -> NAT_POOL, Outside interface address -> pptp_inside, TCP/1723 unchanged
nat (Outside,Inside) source dynamic any NAT_POOL destination static interface pptp_inside service pptp pptp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 222.111.111.1 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.2 1
!
! inspect pptp opens the GRE pinhole for the PPTP data channel.
! tcp-state-bypass switches off TCP state checking for every flow in class-default;
! outside the lab, scope it to a class that matches only the PPTP flow.
policy-map global-policy
 class class-default
  inspect pptp
  set connection advanced-options tcp-state-bypass
!
service-policy global-policy global

What I want to achieve is that when the VPN client (0.0.0.0, i.e. any source) connects to 222.111.111.2, its source is translated to 192.168.11.x and the destination to 192.168.10.18. PPTP can then be set up, while people connecting via the existing internet link are not affected.
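As an added illustration (not the author’s config and not Cisco code), here is a small Python model of that single twice-NAT line, using the lab’s addresses. It shows the forward translation, the untranslation of R3’s reply using the existing xlate, and what happens when the 254-address pool runs out; the Flow class and DoubleNat names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Lab values from the post; NAT_POOL is the object 192.168.11.1-192.168.11.254
OUTSIDE_IF_IP = "222.111.111.2"   # mapped destination: the ASA Outside interface
PPTP_SERVER = "192.168.10.18"     # real destination: object pptp_inside
PPTP_PORT = 1723                  # service object "pptp" (TCP/1723, left unchanged)
NAT_POOL = [str(ip) for ip in ipaddress.IPv4Network("192.168.11.0/24").hosts()]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class DoubleNat:
    """Model (constructed for this post) of the ASA twice-NAT line: dynamic NAT
    for the source (one pool address per real client, ports untouched) plus
    static NAT for the destination, limited to the PPTP control connection."""

    def __init__(self):
        self.free = list(NAT_POOL)   # unused pool addresses, handed out in order
        self.xlate = {}              # real client IP -> pool IP
        self.reverse = {}            # pool IP -> real client IP

    def outside_to_inside(self, f: Flow):
        # The rule matches only TCP/1723 sent to the Outside interface address;
        # anything else falls through this rule untranslated.
        if f.dst != OUTSIDE_IF_IP or f.dport != PPTP_PORT:
            return None
        if f.src not in self.xlate:
            if not self.free:
                # Dynamic NAT without a PAT fallback: the 255th client gets no xlate
                raise RuntimeError("NAT_POOL exhausted")
            pool_ip = self.free.pop(0)
            self.xlate[f.src] = pool_ip
            self.reverse[pool_ip] = f.src
        return Flow(self.xlate[f.src], f.sport, PPTP_SERVER, PPTP_PORT)

    def inside_to_outside(self, f: Flow):
        # R3's reply is untranslated from the existing xlate only. R3 sees a
        # 192.168.11.x peer, so the reply is routed back through this ASA instead
        # of following the core's default route to the old internet link.
        real_src = self.reverse.get(f.dst)
        if f.src != PPTP_SERVER or f.sport != PPTP_PORT or real_src is None:
            return None
        return Flow(OUTSIDE_IF_IP, PPTP_PORT, real_src, f.dport)
```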