ASA site-to-site redux

this failed… i’m beginning to think ikev2 won’t work on gns3 asa’s…i know ikev1 does… below are the running configs… perhaps you’ll have a go at it… i need to move on…

(attached running configs: asa1_ikev2_gns3_fail, asa2_ikev2_gns3_fail)


asa site2site 082715


enable ikev1 or v2 on the outside interface. this is done in global configuration mode:

crypto ikev2 enable outside

configure the ikev2 policy (the isakmp policy, in ikev1 terms). this is the phase 1 policy and the two peers need at least one policy that matches. the phase 1 policy negotiates the encryption, integrity, prf and diffie-hellman group used to authenticate the peer and establish the secure channel (the ike sa) over which the ipsec sas for the vpn are negotiated.

asa-2(config-ikev2-policy)# sh run crypto ikev2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

the policy number is a priority between 1 and 65535; the lowest number is evaluated first, and so on.

define encryption. advanced encryption standard (aes-256, as above) is the preferred choice; des and 3des are still offered but should not be used.

define integrity: the hash algorithm provides data integrity by ensuring the packet hasn’t changed in transit. here sha (secure hash algorithm) is chosen; on the asa the keyword sha means sha-1, and newer code also offers sha256, sha384 and sha512. md5 is an option, however sha provides better security since md5 has known collision attacks.

group 5 represents the diffie-hellman (d-h) group, which derives the shared secret for the vpn peers. group 5 is 1536-bit modp; group 14 (2048-bit) or the ecdh groups 19 and 20 are the stronger choice where both peers support them.

prf (pseudo random function). this constructs the keying material for the crypto algorithms used by the SAs (security associations).

lifetime. the ike sa lifetime in seconds, between 120 and 2,147,483,647; the default is 86400. when it expires a new set of ike keys is negotiated. in ikev2 the lifetime is not negotiated with the peer, so the two sides may differ and each rekeys on its own timer.
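as an added example (not from the original post or from cisco), here is a small script that parses the `show run crypto ikev2` output of two asas, flags the phase 1 parameters above that fall below current recommendations (des/3des, md5, sha-1, dh groups 1/2/5) and walks both peers’ policies in priority order to find the pair they would agree on. the asa-2 text is the page’s policy 1 plus a constructed weaker policy 20; the asa-1 text is constructed entirely for the example, with a deliberately different lifetime to show it is not part of the match.

```python
"""Parse 'show run crypto ikev2' output, audit phase 1 parameters and find
the policy pair two asa peers would agree on. Example code, not asa code."""
import re
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, str]

# constructed sample: asa-2's policy 1 from the page plus a weaker policy 20
ASA2_RUN = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
"""

# constructed peer: a stronger policy first, then one matching asa-2's policy 1
ASA1_RUN = """\
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 28800
crypto ikev2 enable outside
"""


def parse_policies(run: str) -> Dict[int, Policy]:
    """Return {priority: {attribute: value}} for every 'crypto ikev2 policy N'
    block. Any other top-level line ends the current block."""
    policies: Dict[int, Policy] = {}
    current: Optional[Policy] = None
    for line in run.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif not line.startswith(" "):
            current = None
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.split()[-1]   # 'lifetime seconds 86400' -> '86400'
    return policies


# values to flag; 'sha' is sha-1 on the asa, groups 1/2/5 are 768/1024/1536-bit modp
WEAK = {
    "encryption": {"des", "3des", "null"},
    "integrity": {"md5", "sha"},
    "prf": {"md5", "sha"},
    "group": {"1", "2", "5"},
}


def audit(policies: Dict[int, Policy]) -> List[str]:
    """One finding per weak attribute, lowest priority number first."""
    findings = []
    for prio in sorted(policies):
        for attr, bad in WEAK.items():
            if policies[prio].get(attr) in bad:
                findings.append(f"policy {prio}: {attr} {policies[prio][attr]}")
    return findings


MATCH_ATTRS = ("encryption", "integrity", "group", "prf")   # lifetime is local in ikev2


def negotiate(initiator: Dict[int, Policy],
              responder: Dict[int, Policy]) -> Optional[Tuple[int, int]]:
    """Return (initiator_prio, responder_prio) of the first agreeing pair, walking
    each side's policies lowest number first, or None if the peers cannot agree."""
    for ip in sorted(initiator):
        for rp in sorted(responder):
            if all(initiator[ip].get(a) == responder[rp].get(a) for a in MATCH_ATTRS):
                return ip, rp
    return None


if __name__ == "__main__":
    asa1, asa2 = parse_policies(ASA1_RUN), parse_policies(ASA2_RUN)
    print("asa-2 findings:", audit(asa2))
    print("agreed (asa-1 prio, asa-2 prio):", negotiate(asa1, asa2))
```

in the sample the peers settle on asa-1 policy 10 and asa-2 policy 1, and both of those are flagged for sha-1 and group 5: a tunnel can come up on a policy you would rather not be using, which is why the audit looks at every policy and not just the one that happened to win.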

tunnel group:

a tunnel group (aka connection profile) defines a site-to-site or remote access tunnel and holds the attributes assigned to the ipsec peer. a remote-access connection profile may terminate ipsec, l2tp over ipsec and ssl vpn tunnels.

note: for a site-to-site tunnel authenticated with a pre-shared key the tunnel-group name must be the peer ip address; the asa looks the peer up by its address and falls back to DefaultL2LGroup if no group matches (only certificate authentication lets you map the peer to a differently named group). also note the pre-shared-key falls under the ipsec attributes header.

asa tunnel-group config (the peer address dropped out of the capture and is shown as <peer-ip>):

asa-2(config)# tunnel-group <peer-ip> type ipsec-l2l
asa-2(config)# tunnel-group <peer-ip> ipsec-attributes
asa-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ccie
INFO: You must configure ikev2 local-authentication pre-shared-key
or certificate to complete authentication.
asa-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ccie

the remote key on one peer must equal the local key on the other (and vice versa). “ccie” is a lab key only; use a long random string in production.

define the ipsec (phase 2) proposal:

in ikev2 the ipsec-proposal plays the role of the ikev1 transform set: it specifies the encryption and integrity algorithms applied to the data packets once the ike sa is up (data authentication, confidentiality, integrity).

name: a locally significant name (the name is not transmitted during tunnel negotiation).

encryption: aes-256 is recommended.

integrity hash (ikev2 only): sha-512 is recommended where the code supports it; the lab below ends up on sha-1.

crypto ipsec ikev2 ipsec-proposal ASA-1-proposal
protocol esp encryption aes-256
protocol esp integrity sha-1

note: my version of code does not support sha-256.

asa-1(config)# sh run crypto ipsec
crypto ipsec ikev2 ipsec-proposal ASA-1-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1


assign an acl to permit the interesting traffic (the inside subnet of asa-1 to the inside subnet of asa-2); the mirror-image acl goes on asa-2.






3.7.d Implement optimize and troubleshoot routing policies

3.7.d [i] Attribute manipulation


bgp path manipulation local-pref

if you have followed the instructions from the diagram up to the local-preference configuration, your output should look like this:

(screenshot: bgp table before local pref)

prefer the path from r1 to r4′s loopback using local-preference (higher wins, default 100; unlike weight it is carried to ibgp peers, so the whole as follows it):

R3(config-router)#route-map LOCAL-PREF permit 10
R3(config-route-map)#set local-preference 200
R3(config-route-map)#router bgp 100
R3(config-router)#neighbor <neighbor-ip> route-map LOCAL-PREF in

the neighbor address dropped out of the capture. the route-map has no match clause, so every prefix from that neighbor gets local-preference 200. an inbound route-map only affects updates received after it is applied, so follow it with clear ip bgp <neighbor-ip> soft in.

(screenshot: bgp local pref lab trace)

3.7.d Implement optimize and troubleshoot routing policies

3.7.d [i] Attribute manipulation



download addressed topology below:

(screenshot: bgp path manipulation to 4 net)

r2 wins the path contest for the 4 network by virtue of its path being the older one in the table, since all else is equal. that is the oldest-path tie-break near the end of the cisco best-path algorithm; it applies to ebgp paths and only when bgp bestpath compare-routerid is not configured. we can flip it by clearing the session to r2, so its path is re-learned and becomes the newer one.

now r3′s path is older:


clear r3 and give it back to r2.

we want to weight r3 so that it controls the path to the 4 network. weight is evaluated first in best-path selection and higher is better (received paths default to 0, locally originated ones to 32768), but it is only locally significant and cisco proprietary: it is never advertised to any peer.

method 1:

(screenshot: bgp neighbor weight)

that’s the easy yet clumsy method, because we have also weighted all of r3’s other paths.

get rid of the weight statement under router bgp 100.

(screenshot: bgp back to r2)

now we’ll use a route map and acl to single out the 4 network and set the weight (the prefix dropped out of the capture and is shown as <4-network>):

R1#sh access-list 1
Standard IP access list 1
    10 permit <4-network> (2 matches)

route-map WEIGHT permit 10
 match ip address 1
 set weight 500

note: a route-map ends in an implicit deny, so with only this clause anything r3 sends that acl 1 does not permit is dropped. if r3 advertises other prefixes you want to keep, add an empty route-map WEIGHT permit 20 to pass them through unchanged.

then apply it inbound from r3 (the neighbor addresses and the network statement’s prefix dropped out of the capture):

R1#sh run | b bgp
router bgp 100
no synchronization
bgp log-neighbor-changes
network <prefix> mask <mask>
neighbor <neighbor-ip> remote-as 200
neighbor <neighbor-ip> remote-as 300
neighbor <r3-ip> route-map WEIGHT in
no auto-summary

follow it with clear ip bgp <r3-ip> soft in so the new inbound policy is applied to the paths already in the table.

(screenshot: bgp sh ip bgp)
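as an added example (not from the original post, and not ios code), the following models the attributes r1 is juggling in both bgp posts above: the cisco best-path order for weight, local-preference, as-path length, origin, path age and router-id; a neighbor weight statement; the WEIGHT route-map with its implicit deny (and a permit 20 pass-through); and the LOCAL-PREF map. the table, the peer names and the two documentation prefixes standing in for the “4 network” and a second network are constructed for the example.

```python
"""Cisco-style bgp best-path selection for the attributes in play on this page,
plus inbound policy applied the way 'neighbor X route-map ... in' and
'neighbor X weight ...' do. Example code, not ios code."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # igp < egp < incomplete


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str           # peer r1 learned the path from
    as_path: Tuple[int, ...]
    router_id: str
    received: int           # arrival counter: lower = older path
    weight: int = 0         # received paths default to 0
    local_pref: int = 100   # cisco default
    origin: str = "i"


def _rid(rid: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in rid.split("."))


def best_path(paths: Iterable[Path]) -> Path:
    """Cisco order: highest weight, highest local-pref, shortest as-path, lowest
    origin, oldest path, lowest router-id. MED, ebgp-vs-ibgp and igp metric are
    equal in the lab and left out."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref, len(p.as_path),
                                     ORIGIN_RANK[p.origin], p.received, _rid(p.router_id)))


def neighbor_weight(paths: List[Path], neighbor: str, weight: int) -> List[Path]:
    """'neighbor X weight N': every path from X gets the weight (method 1)."""
    return [replace(p, weight=weight) if p.neighbor == neighbor else p for p in paths]


def apply_weight_map(paths: List[Path], neighbor: str, permitted: Set[str],
                     weight: int, passthrough: bool = False) -> List[Path]:
    """'route-map WEIGHT permit 10 / match ip address 1 / set weight N' applied
    inbound from `neighbor`. `permitted` is what acl 1 permits. With
    passthrough=False the route-map's implicit deny drops everything else from
    that neighbor; passthrough=True models an added 'permit 20' with no match."""
    out = []
    for p in paths:
        if p.neighbor != neighbor:
            out.append(p)
        elif p.prefix in permitted:
            out.append(replace(p, weight=weight))
        elif passthrough:
            out.append(p)
        # else: implicit deny, the path is not accepted
    return out


def set_local_pref(paths: List[Path], neighbor: str, value: int) -> List[Path]:
    """'route-map LOCAL-PREF permit 10 / set local-preference N' with no match
    clause, applied inbound from `neighbor`: every path from it gets the value."""
    return [replace(p, local_pref=value) if p.neighbor == neighbor else p for p in paths]


def clear_neighbor(paths: List[Path], neighbor: str) -> List[Path]:
    """'clear ip bgp <neighbor>': its paths are re-learned and become the newest."""
    newest = max(p.received for p in paths)
    return [replace(p, received=newest + i + 1) if p.neighbor == neighbor else p
            for i, p in enumerate(paths)]


def winners(paths: List[Path]) -> Dict[str, str]:
    """{prefix: neighbor whose path is best}"""
    return {pfx: best_path(p for p in paths if p.prefix == pfx).neighbor
            for pfx in sorted({p.prefix for p in paths})}


# constructed table as seen on r1: equal paths via r2 (as 200) and r3 (as 300),
# r2's learned first. NET4 stands in for the page's "4 network".
NET4, OTHER = "192.0.2.0/24", "198.51.100.0/24"
TABLE = [
    Path(NET4,  "r2", (200, 400), "2.2.2.2", received=1),
    Path(NET4,  "r3", (300, 400), "3.3.3.3", received=2),
    Path(OTHER, "r2", (200, 400), "2.2.2.2", received=3),
    Path(OTHER, "r3", (300, 400), "3.3.3.3", received=4),
]

if __name__ == "__main__":
    print("all equal, r2 older:   ", winners(TABLE))
    print("after clear ip bgp r2: ", winners(clear_neighbor(TABLE, "r2")))
    print("neighbor r3 weight 500:", winners(neighbor_weight(TABLE, "r3", 500)))
    print("route-map on 4 net:    ", winners(apply_weight_map(TABLE, "r3", {NET4}, 500)))
```

the route-map run without passthrough leaves only three paths in the table: r3’s path for the other network is gone, which is the implicit-deny point made above. add the permit 20 (passthrough=True) and the other network is back to r2 on age while the 4 network still goes to r3 on weight.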


i’ve reorganized a bit, but i still have a ways to go… i’ve now mapped the ccie v5 blueprint to categories by heading… it should prove easier for navigation than the tags. see below:


ASA VMNET Adapter GNS3 TFTPD32 Syslog

set up a cloud node connected to a switch in gns3 and bind the vmnet adapter to the same subnet as the asa. establish connectivity, then tftp the asdm image to flash on the asa. on the asa create the admin user (username xxx password xxx privilege 15), enable http server enable, add an http statement permitting the management subnet on the inside interface, and point asdm image disk0:/ at the uploaded file. connect to the asa via browser at https://x.x.x.x and you are there… tftpd32 also works as a syslog server, or use asdm…





SWITCH 300-115 2.1 Configure and verify switch security features

2.1.a DHCP snooping

first a word from ethan banks about the wonders of dhcp snooping, and the perils of the information option…

global configuration (from running-config):

ip dhcp snooping vlan 300
ip dhcp snooping

note: I added the command:

ip dhcp snooping information option

but it didn’t show up in the running config (it is the default). see above link.

set the trusted port (under the interface facing the dhcp server; everything else stays untrusted, which is the default):

ip dhcp snooping trust

a word on the information option while it is on (the default): the switch inserts option 82 into the client packets it forwards, an ios dhcp server drops option-82 packets whose giaddr is 0.0.0.0 unless ip dhcp relay information trust-all is configured on it, and a snooping switch drops option-82 packets that arrive on an untrusted port (ip dhcp snooping information option allow-untrusted relaxes that on an aggregation switch).

there is little configuration to set on the untrusted ports, however, as ethan suggests you might want to rate limit the requests (ip dhcp snooping limit rate <pps> under the interface) so the switch cpu and the dhcp server don’t get bombarded. a port that exceeds its limit is err-disabled, so also set errdisable recovery cause dhcp-rate-limit or you will be bouncing ports by hand:

(screenshot: sw dhcp snoop int)

the limit in the figure is in packets per second, which works out to 600 a minute.

note below: i have configured int f0/21 as the trusted port, which is connected to the dhcp server. also note the criteria that snooping imposes on each packet, i.e. ingress port, vlan and mac address.

(screenshot: switch sh dhcp snoop)
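to make those criteria concrete, here is an added example (not from the original post and not switch code) that models the per-packet checks a snooping switch applies: trusted vs untrusted ingress port, the snooped vlan, client mac against the dhcp chaddr, the binding table that is built from the server’s ack, and the per-port rate limit with err-disable. the `lab()` setup mirrors the page (vlan 300, f0/21 trusted); the client ports and the 10 pps limit are assumptions, and the packets are constructed.

```python
"""Model of the checks a dhcp-snooping switch applies per packet.
Example code; the rules follow the documented catalyst behaviour."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a dhcp server sends these


@dataclass
class Dhcp:
    msg: str          # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE / DECLINE
    port: str         # ingress interface, e.g. "Fa0/21"
    vlan: int
    src_mac: str      # ethernet source address
    chaddr: str       # client hardware address in the dhcp payload
    yiaddr: str = "0.0.0.0"   # address assigned (server messages)
    option82: bool = False    # relay agent information option present


@dataclass
class Snooping:
    vlans: Set[int]                     # 'ip dhcp snooping vlan ...'
    trusted: Set[str]                   # ports with 'ip dhcp snooping trust'
    rate_limit: Dict[str, int] = field(default_factory=dict)  # port -> pps
    verify_mac: bool = True             # 'verify mac-address', on by default
    allow_untrusted_option82: bool = False
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)  # (vlan,mac)->(ip,port)
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (vlan,mac)->client port
    counters: Dict[str, int] = field(default_factory=dict)              # port -> packets this second
    errdisabled: Set[str] = field(default_factory=set)

    def tick(self) -> None:
        """One second has passed: the rate counters start over."""
        self.counters.clear()

    def process(self, pkt: Dhcp) -> str:
        """Return 'forward' or 'drop: <reason>' and update state."""
        if pkt.vlan not in self.vlans:
            return "forward"                     # snooping not enabled here
        if pkt.port in self.errdisabled:
            return "drop: port err-disabled"
        return self._trusted(pkt) if pkt.port in self.trusted else self._untrusted(pkt)

    def _trusted(self, pkt: Dhcp) -> str:
        key = (pkt.vlan, pkt.chaddr)
        if pkt.msg == "ACK" and key in self.pending:   # lease granted: record it
            self.bindings[key] = (pkt.yiaddr, self.pending.pop(key))
        return "forward"

    def _untrusted(self, pkt: Dhcp) -> str:
        limit = self.rate_limit.get(pkt.port)
        if limit is not None:
            self.counters[pkt.port] = self.counters.get(pkt.port, 0) + 1
            if self.counters[pkt.port] > limit:
                self.errdisabled.add(pkt.port)
                return "drop: rate limit exceeded, port err-disabled"
        if pkt.msg in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if pkt.option82 and not self.allow_untrusted_option82:
            return "drop: option 82 on untrusted port"
        if self.verify_mac and pkt.src_mac != pkt.chaddr:
            return "drop: source mac does not match chaddr"
        key = (pkt.vlan, pkt.chaddr)
        if pkt.msg in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound and bound[1] != pkt.port:   # someone else releasing my lease
                return "drop: release/decline for a binding on another port"
            self.bindings.pop(key, None)
        elif pkt.msg in ("DISCOVER", "REQUEST"):
            self.pending[key] = pkt.port         # remember which port the client is on
        return "forward"


def lab() -> Snooping:
    """The page's setup: vlan 300 snooped, Fa0/21 (dhcp server) trusted.
    Client ports Fa0/1-2 and the 10 pps limit are assumptions."""
    return Snooping(vlans={300}, trusted={"Fa0/21"},
                    rate_limit={"Fa0/1": 10, "Fa0/2": 10})


if __name__ == "__main__":
    s = lab()
    mac = "00:11:22:33:44:55"
    print(s.process(Dhcp("DISCOVER", "Fa0/1", 300, mac, mac)))
    print(s.process(Dhcp("OFFER", "Fa0/2", 300, "de:ad:be:ef:00:01", mac, yiaddr="10.0.0.9")))
```

the rogue offer on an untrusted port is the headline case, but the binding table is what the release/decline check, dynamic arp inspection and ip source guard all lean on, which is why the trusted port has to be the one the real server is on and nothing else.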