Sunday, April 15, 2012

CCIE Security vLab: Management


Management IP Addressing:

Cisco ASA 1: 150.1.4.11 /24
Cisco ASA 2: 150.1.4.12 /24
Cisco IPS: 150.1.4.13 /24
Switch 1 (SW1): VLAN 4 -- 150.1.4.1 /24
Switch 1 (SW1): VLAN 1 -- 192.168.245.1 /24
Windows XP (Management and Test Host): 192.168.245.10 /24, Default Gateway: 192.168.245.1
Windows 2003 Server (Cisco ACS 4.0): 192.168.245.11 /24, Default Gateway: 192.168.245.1

SW1 Switch Configuration (this switch provides the inter-VLAN routing for the management network):

hostname SW1
!
interface FastEthernet1/0
description TRUNK to SW2
switchport mode trunk
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface FastEthernet1/3
switchport mode trunk
!
interface FastEthernet1/4
switchport mode trunk
!
interface FastEthernet1/5
switchport mode trunk
!
interface FastEthernet1/6
switchport mode trunk
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
description VL4:IPS-MGMT0/0
switchport access vlan 4
!
interface FastEthernet1/11
description VL1:PC-MGMT
!
interface FastEthernet1/12
description VL4:ASA1-E0/0
switchport access vlan 1
!
interface FastEthernet1/13
description VL2:ASA1-E0/1
switchport access vlan 2
!
interface FastEthernet1/14
description VL4:ASA2-E0/2
switchport access vlan 3
!
interface FastEthernet1/15
description VL6:ASA2-E0/3-MGMT
switchport access vlan 4
!
interface Vlan1
ip address 192.168.245.1 255.255.255.0
!
interface Vlan4
ip address 150.1.4.1 255.255.255.0
!
interface Vlan9
ip address 150.1.9.1 255.255.255.0
!
end

The Switch 2 (SW2) configuration is:

hostname SW2
!
interface FastEthernet1/0
description TRUNK to SW1
switchport mode trunk
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface FastEthernet1/3
switchport mode trunk
!
interface FastEthernet1/4
switchport mode trunk
!
interface FastEthernet1/5
switchport mode trunk
!
interface FastEthernet1/6
switchport mode trunk
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
description VL4:IPS-DATA0/0
switchport mode trunk
!
interface FastEthernet1/11
description VL1:ACS-MGMT
switchport access vlan 1
!
interface FastEthernet1/12
description VL1:ASA2-E0/0
switchport access vlan 1
!
interface FastEthernet1/13
description VL2:ASA2-E0/1
switchport access vlan 2
!
interface FastEthernet1/14
description VL3:ASA2-E0/2
switchport access vlan 3
!
interface FastEthernet1/15
description VL4:ASA2-E0/3-MGMT
switchport access vlan 4
!
end

Installing Cisco ASDM 6.4.7 for ASA 8.4.2:

Install the 3CDaemon (Syslog, TFTP) server on the Windows XP VM.
Place the ASDM 6.4.7 binary file in the default C:\TFTP directory.
Issue the following on the ASA firewall:

# copy tftp: flash:
Address or name of remote host []? 192.168.245.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?

Pressing Enter starts the file transfer from the Windows XP VM, which holds the ASDM image in the specified directory.

Once everything has been set up, the ASDM window will be displayed, similar to the one below:

[ASDM window screenshot]

That is the final configuration for ASA and ASDM.


Configuring IDM:

The IPS requires a management IP address so that the Windows management station can connect to it and start the IPS Device Manager (IDM). Using the management address from the table above (150.1.4.13/24 with gateway 150.1.4.1 on SW1's VLAN 4), the IPS configuration is as follows:

service host
network-settings
host-ip 150.1.4.13/24,150.1.4.1
access-list 0.0.0.0/0

The access-list 0.0.0.0/0 entry permits management connections to the IPS from any source address, which is convenient in the lab; outside the lab it should be narrowed to the management hosts (here the 192.168.245.0/24 network).
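A small consistency check for the lab configs above, added here as an example and not part of the original notes: it parses switch interface blocks like SW1's and flags ports whose VLn: description tag disagrees with the assigned access VLAN (SW1 FastEthernet1/12 above is one such port), and validates an IPS host-ip value by confirming the gateway lies inside the host's subnet, so an address/gateway pair from different subnets fails the check. The config excerpt is constructed from the page; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the SW1 interface config shown on the page.
SW1_EXCERPT = """\
interface FastEthernet1/10
description VL4:IPS-MGMT0/0
switchport access vlan 4
!
interface FastEthernet1/12
description VL4:ASA1-E0/0
switchport access vlan 1
!
interface FastEthernet1/13
description VL2:ASA1-E0/1
switchport access vlan 2
!
"""

def parse_interfaces(config):
    """Map each interface to its description and access VLAN (None if absent)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"description": None, "vlan": None}
        elif current and line.startswith("description "):
            interfaces[current]["description"] = line[len("description "):]
        elif current and line.startswith("switchport access vlan "):
            interfaces[current]["vlan"] = int(line.rsplit(None, 1)[1])
        elif line == "!":
            current = None
    return interfaces

def vlan_mismatches(config):
    """Ports whose 'VLn:' description tag disagrees with the configured access VLAN."""
    bad = []
    for name, attrs in parse_interfaces(config).items():
        tag = re.match(r"VL(\d+):", attrs["description"] or "")
        if tag and attrs["vlan"] is not None and int(tag.group(1)) != attrs["vlan"]:
            bad.append((name, int(tag.group(1)), attrs["vlan"]))
    return bad

def gateway_in_subnet(host_ip_spec):
    """Validate an IPS 'host-ip ADDR/LEN,GATEWAY' value: the gateway must sit inside ADDR's subnet."""
    addr, gw = (part.strip() for part in host_ip_spec.split(","))
    return ipaddress.ip_address(gw) in ipaddress.ip_interface(addr).network
```

Running vlan_mismatches over the full SW1 config from the page reports every port whose description and VLAN disagree, which is worth reconciling before trusting the descriptions during troubleshooting.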