IPSec VPN sample configuration

int fa0/0

ip address 192.168.1.33 255.255.255.224

no shut

int se0/0

ip address 61.0.0.5 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 se0/0

cry isakmp policy 1                                >>>>>>>>>>>>>>>>>Phase-1
!--- Defines an IKE policy. Use the crypto isakmp policy command in global configuration mode.

!--- IKE policies define a set of parameters that are used during the IKE phase I negotiation.

authentication pre-share

encryption 3des

hash sha 

group 2

!--- Specifies preshared keys as the authentication method.

cry isakmp key abc123 address 71.0.0.5           >>>>>>>>>>>>> Defining key

!--- Configures a preshared authentication key, used in global configuration mode. 

cry ipsec transform-set abc1 esp-3des esp-sha-hmac  >>>>>>> Phase-2

!--- Defines a transform-set. This is an acceptable combination of security protocols and algorithms, which has to be matched on the peer router.

mode tunnel  >>>>defining tunel mode

access-list 120 permit ip 192.168.1.32 0.0.0.31 192.168.1.64 0.0.0.31 >>>> defining interesting traffic

crypto map vpnmap 10 ipsec-isakmp     >> creating a crypto map using ipsec and isakmp  

set transform-set abc1

set peer 71.0.0.5
!--- Sets the IP address of the remote end

match address 120

!--- This is used to assign an extended access list to a crypto map entry which is used by IPSec to determine which traffic should be protected by crypto and which traffic does not 

need crypto protection.

int se0/0   >>>>>>apply the cryptomap on the exit interface/ WAN interface

crypto map vpnmap

#### change the addresses accordingly to configure the other end.  WAN Interfaces are not directly connected for the above topology.

Parameters and Accepted values:

=========================

 1.Message encryption algorithm:

56 bit DES

168 bit 3DES

AES 128 bit key

AES 192 bit key

AES 256 bit key

default: 3DES

2. Message integrity (hash) algorithm:

SHA-1 (HMAC variant) 160 bit

 sha

MD5 (HMAC variant) 128 bit   

default: SHA-1

3. Peer Authentication method:

Preshare keys

RSA signature

CRACK 

default: preshared

4. Key exchange parameters (DH group ID):

768 bit DH group 1

1024 bit DH group 2

1536 bit DH group 5

Elliptical curve field size: 163 bits group 7

default: 1024 bit DH group2

5. ISAKMP established life time  :

default: 86400 seconds

Checkpoint

1)What is the difference between CP NG and CP NGX?

2)In how many mode we can install the checkpoint?

3)What is architecture of Checkpoint?

4)What is SIC ?

5)What is NAT and how many type of NAT supported by CP explain ?

6)What is the unicast and multicast?

7)What is the rules define Stealth and Clean up rule ?

8)Can we configure rules above stealth rule?

9)What is the purpose of clean up rule ?

10)How you can configure smart view client in new pc?

11)How you are taking backup of CP?

12)How you can take manual backup and which folders are necessary ?

13)How you can configure Log server and where in CP we configure it?

14)How you use smart view tracker tell about three pannes of it.

15)Have you ever configure smart defence if yes tell us the few feature of it.

16)What are the important communication ports of the checkpoint ?

17)Tell me about licence part of the CP and types of it.

18)How to integrate gateway boxes with CP like Nokia and Nortel or UTM boxes?

19)How you can bring up Nokia box integration with CP server.

20)How to configure Cluster in CP?

21)What is VRRP?

22)What is FW monitor ?

23)Try to give 5 important CLI commands which are helpful for CP admin ?

24)Have you done CCSA if yes then what is the career path for it and how many question were there .

25)What is Bi directional NAT?

26)If log folder is crossed the threshold value which you had defined in CP server then what will happen?

27)What is the use of database revision control?

28)Have you ever configure VPN if yes then tell us about Site to Site with IPSEC in CP?

29)Have you ever upgrade the R60 to R62 or R65 if yes then tell us the process?

30)What is FW unloadlocal

31)If log tracker is showing green means accepted even though defined rule is not working then what causes might be tell us.?

32)What is SYNC in cluster ?

33)What is statefull inspection technology ?

34)Apart from Statefull which other technology firewall belongs too?

35)Difference between ASA and Checkpoint firewall?

36)What is ICMP default setting in global properties of CP?

37)How you can reconfigure SIC password ?

38)If you restarted the remote gateway then what will happen in CP network ?

IPSec VPN concepts

IPsec is defined in RFC 2401 and a frame work of protocols.

The IPsec protocol suite provides three overall pieces:

1.  A protocol negotiation and key exchange process, Internet key exchange (IKE), that allows to agree on authentication methods, encryption methods, the keys to use, how long to use the keys before changing them, and that allows smart, secure key exchange.

2. An encapsulating security payload (ESP) format for IP that scrambles the data (and even certain sensitive IP addresses) in each packet using hard core encryption — so a sniffer somewhere on the network doesn't get anything usable.

3. An authentication header (AH) for IP that lets communicating parties verify that data was not modified in transit and that it genuinely came from its apparent source.

IKE phase 1: (exchanging policies)

=============

Negotiate IKE policy sets and authenticate each other and create secure channel to exchange information

2 modes:

Main mode:

=========

The first step, securing an IKE SA using main mode, occurs in three two-way exchanges between the SA initiator and the recipient.

In the first exchange, the two agree on basic algorithms and hashes.

In the second, they exchange public keys for a DiffieHellman exchange, and pass each other nonces — random numbers the other party must sign and return to prove their identity.

In the third, they verify those identities.

Aggressive Mode:

================

Aggressive mode provides the same services as main mode. It establishes the original IKE SA. It looks much the same as main mode except that it is accomplished in two exchanges, rather than three, with only one round trip, and a total of three packets rather than six.

In aggressive mode, the proposing party generates a Diffie-Hellman pair at the beginning of the exchange, and does as much as is practical with that first packet — proposing an SA, passing the DiffieHellman public value, sending a nonce for the other party to sign, and sending an ID packet which the responder can use to check their identity with a third party. The responder then sends back everything needed to complete the exchange — really an amalgamation of all three response steps in main mode, and all that’s left for the initiator to do is to confirm the exchange.

IKE2: Transormsets (clear text to cypher text)

====

PFS : Perfrect forward Secrecy

main mode

aggressive mode >default >

Quick Mode:

===========

Once two communicating parties have established an IKE SA using aggressive mode or main mode, they can use quick mode.

Quick mode has two purposes —

negotiating general IPSec security services and generating fresh keying material.

Quick mode is less complex than either main or aggressive mode. Since it’s already inside a secure tunnel (every packet is encrypted), it can also afford to be a little more flexible. Quick mode packets are always encrypted, and always start with a hash payload. 

The hash payload is composed using the agreed-upon PRF and the derived authentication key for the IKE SA. The hash payload is used to authenticate the rest of the packet.

Quick mode defines which parts of the packet are included in the hash.

Security Basics

1. Firewall Basics:A firewall is a device that connects two or more networks together and restricts the flow of information between the two or more networks according to rules configured in firewall rule base.

Three types of firewall technologies are using.

·         Packet Filtering

·         Proxy Server

·         Stateful Packet Filtering

2. Interfaces and security levels

Each physical or logical (VLANed from ver 6.3) interface has a security level assigned.

There are two interfaces whose names cannot be changed and are present by default in any system:

Outside interface is always defined as interface no. 0 (ie ethernet0) and has the security level 0 assigned (the least secure)

Inside interface is always defined as interface no. 1 (ie ethernet1) and has the security level 100 assigned (the most secure)

Other interfaces can be defined and named as desired and must have a security level between 1 and 99.

3. Naming convention

Outbound data flow: initiated from a higher security interface toward a lower security interface.

Inbound data flow: initiated from a lower security interface toward a higher security interface.

Inbound and outbound concepts are used in the logging messages generated by the firewall.

4. Default security mechanism

PIX firewall allows by default any sessions or data flows to pass from a higher security interface to a lower security interface without restrictions. This approach is no longer a valid feature in today’s security developments when an already compromised host may initiate outbound sessions and infect other hosts. It is strongly recommended to disable this feature by using access-list on all interfaces and define the legitimate traffic while dropping anything else.

5. Defining and enforcing the security policy

The default security policy ensures that the packets originating from higher security interfaces are allowed to flow through lower security interfaces and any packets originating from lower security interfaces are not allowed to flow through higher security interfaces.

Packet Flow Sequence:

When a packet passes through an appliance configured for address translation, the following sequence of events occurs:

Ø      The packet arrives at the ingress interface from the end host.

Ø      The security appliance checks the packet against the inbound ACL.

Ø      If the packet is allowed in, the security appliance consults the routing table to determine the outbound physical interface.

Ø      If address translation is enabled and the packet matches the translation criteria, the security appliance creates a translation for the host.

Ø      The security appliance creates a stateful connection entry for the TCP and UDP packets. The security appliance can, optionally, create a stateful connection entry for the ICMP traffic if ICMP inspection is turned on.

Ø      The packet is routed to the egress interface and is checked against the outbound ACL.

Ø      If allowed, the packet is transmitted.

ACE (Access Control Entry):

Each permit or deny statement in the ACL is called an access control entry (ACE).

Types of ACLs

The security appliance supports five different types of ACLs to provide a flexible and scalable solution to filter unauthorized packets into the network:

·         Standard ACLs

·         Extended ACLs

·         IPv6 ACLs

·         EtherType ACLs

·         WebVPN ACLs

Standard ACLs: 

Standard ACLs are used to identify packets based on the destination IP addresses. These ACLs, however, cannot be applied on an interface to filter packets. In routed mode, the Cisco ASA routes packets from one subnet to another subnet by acting as an extra layer 3 hop in the network.

Extended ACLs:

An extended ACL can be used for interface packet filtering, QoS packet classification, packet identification for NAT and VPN encryption. These ACLs can be set up on the security appliance in the routed and the transparent mode.

·         Source and destination IP addresses

·         Layer 3 protocols

·         Source and/or destination TCP and UDP ports

·         Destination ICMP type for ICMP packets

Advanced ACL Features:Cisco ASA provides many advanced packet-filtering features to suit any network environments. These features include:

·         Object grouping

·         Standard ACLs

·         Time-based ACLs

·         Downloadable ACLs

·         ICMP Filtering

NAT:

It defines a one-to-one address mapping when a packet passes through the security appliance and matches criteria for translation. The security appliance either assigns a static IP address (static NAT) or allocates an address from a pool of addresses (dynamic NAT).

Cisco ASA supports the following five types of address translation, each of which is configured uniquely:

·         Static NAT

·         Dynamic NAT

·         Static PAT

·         Dynamic PAT

·         Policy NAT/PAT

·         NAT exemption when multiple NAT types/rules are set up, the security appliance tries to match traffic against the ACL in the NAT exemption rules. If there are overlapping entries in the ACL, the security appliance analyzes the ACEs until a match is found.

·         Static NAT: If there is no match found in the NAT exemption rules, the security appliance analyzes the static NAT entries in sequential order to determine a match.

·         Static PAT: If the security appliance does not find a match in NAT exemption or static NAT entries, it goes through the static PAT entries until it locates a match.

·         Policy NAT/PAT: The security appliance evaluates the policy NAT entries if it is still not able to find a match on the packet flow.

·         Identity NAT: The security appliance tries to find a match using the identity NAT statement, if one is set up to do so.

·         Dynamic NAT: If the security appliance fails to find a match using the first five rules, it checks to see if the packets need to be translated using dynamic NAT.

·         Dynamic PAT: The packets are checked against the dynamic PAT rules as the last resort, if all the previously mentioned rules fail.

Few more questions:

1. What is a firewall?

2. Describe, genrally, how to manage a firewall

3. What is a Denial of Service attack?

 4. What is a “spoofed” packet?

5. What is a SYN Flood?

6. What do you do if you are a victim of a DoS?

7. What is GPG/PGP?

8. What is SSH?

9. What is SSL? How do you create certificates?

10. What would you do if you discovered a UNIX or Network device on your network has been compromised?

11. What would you do if you discovered a Windows system on your network has been comrpromised?

12. What is DNS Hijacking?

13. What is a log host?

14. What is IDS or IDP, and can you give me an example of one?

15. Why are proxy servers useful?

16. What is web-caching

17. Explain packet flow in a firewall

18. Basic configuration required in a firewall to allow data to pass through.

19. What is Nat0?

20. What is natting?

21. What is PAT?

22. Explain intial configuration in firewalls

23. Explain difference between IPSec and GRE tunneling.

Basics in Switching -> Vlan ->L3 Switching -> STP

1) What is unicast and how does it work?

A) Unicast is a one-to-one transmission method. A single frame is sent from the source to a destination on a network. When this frame is received by the switch, the frame is sent on to the network, and the network passes the frame to its destination from the source to a specific destination on a network.
2) What is multicast and how does it work? A) Multicast is a one-to-many transmission method. A single frame is sent from the source to multiple destinations on a network using a multicast address. When this frame is received by the switch, the frame is sent on to the network and the network passes the frame to its intended destination group.
3) What is broadcast and how does it work? A) Broadcast is a one-to-all transmission method. A single frame is sent from the source to a destination on a network using a multicast address. When this frame is received by the switch, the frame is sent on to the network. The network passes the frame to all nodes in the destination network from the source to an unknown destination on a network using a broadcast address. When the switch receives this frame, the frame is sent on to all the networks, and the networks pass the frame on to all the nodes. If it reaches a router, the broadcast frame is dropped.
4) What is fragmentation? A) Fragmentation in a network is the breaking down of a data packet into smaller pieces to accommodate the maximum transmission unit (MTU) of the network.
5) What is MTU? What's the MTU for traditional Ethernet? A) MTU is the acronym for maximum transmission unit and is the largest frame size that can be transmitted over a network. Messages longer than the MTU must be divided into smaller frames. The network layer (Layer 3) protocol determines the MTU from the data link layer (Layer 2) protocol and fragments the messages into the appropriate frame size, making the frames available to the lower layer for transmission without further fragmentation. The MTU for Ethernet is 1518 bytes.
6) What is a MAC address?
A) A MAC address is the physical address of a network device and is 48 bits (6 bytes) long. MAC addresses are also known as physical addresses or hardware addresses.
7) What is the difference between a runt and a giant, specific to traditional Ethernet? A) In Ethernet a runt is a frame that is less than 64 bytes in length, and a giant is a frame that is greater than 1518 bytes in length. Giants are frames that are greater than the MTU used, which might not always be 1518 bytes.
8) What is the difference between store-and-forward and cut-through switching?
A) Cut-through switching examines just the frame header, determining the output switch port through which the frame will be forwarded. Store-and-forward examines the entire frame, header and data payload, for errors. If the frame is error free, it is forwarded out its destination switch port interface. If the frame has errors, the switch drops the frame from its buffers. This is also known as discarding the frame to the bit bucket.
9) What is the difference between Layer 2 switching and Layer 3 switching? A) Layer 2 switches make their forwarding decisions based on the Layer 2 (data link) address, such as the MAC address. Layer 3 switches make their forwarding decisions based on the Layer 3 (network) address.
10) What is the difference between Layer 3 switching and routing?
A) The difference between Layer 3 switching and routing is that Layer 3 switches have hardware to pass data traffic as fast as Layer 2 switches. However, Layer 3 switches make decisions regarding how to transmit traffic at Layer 3 in the same way as a router. A Layer 3 switch cannot use WAN circuits or use routing protocols; a router is still required for these functions.

V-LAN:

What is a VLAN? When is it used?

Answer: A VLAN is a group of devices on the same broadcast domain, such as a logical subnet or segment. VLANs can span switch ports, switches within a switch block, or closets and buildings. VLANs group users and devices into common workgroups across geographical areas. VLANs help provide segmentation, security, and problem isolation.
2. When a VLAN is configured on a Catalyst switch port, in how much of the campus network will the VLAN number be unique and significant?
The VLAN number will be significant in the local switch. If trunking is enabled, the VLAN number will be significant across the entire trunking domain. In other words, the VLAN will be transported to every switch that has a trunk link supporting that VLAN.
3. Name two types of VLANs in terms of spanning areas of the campus network.
Local VLAN
End-to-end VLAN
4. What switch commands configure Fast Ethernet port 4/11 for VLAN 2?
interface fastethernet 4/11
switchport mode access
switchport access vlan 2

5. Generally, what must be configured (both switch and end-user device) for a port-based VLAN?
 The switch port
6. What is the default VLAN on all ports of a Catalyst switch?
VLAN 1
7. What is a trunk link?
A trunk link is a connection between two switches that transports traffic from multiple VLANs. Each frame is identified with its source VLAN during its trip across the trunk link.
8. What methods of Ethernet VLAN frame identification can be used on a Catalyst switch trunk?
802.1Q
ISL
9. What is the difference between the two trunking methods? How many bytes are added to trunked frames for VLAN identification in each method?
Answer: ISL uses encapsulation and adds a 26-byte header and a 4-byte trailer. 802.1Q adds a 4-byte tag field within existing frames, without encapsulation.
10. What is the purpose of the Dynamic Trunking Protocol (DTP)?
Answer: DTP allows negotiation of a common trunking method between endpoints of a trunk link.
11. What commands are needed to configure a Catalyst switch trunk port Gigabit 3/1 to transport only VLANs 100, 200 through 205, and 300 using IEEE 802.1Q? (Assume that trunking is enabled and active on the port already. Also assume that the interface gigabit 3/1 command already has been entered.)
Answer: switchport trunk allowed vlan 100, 200-205, 300

12. Two neighboring switch trunk ports are set to the auto mode with ISL trunking encapsulation mode. What will the resulting trunk mode become?
Answer: Trunking will not be established. Both switches are in the passive auto state and are waiting to be asked to start the trunking mode. The link will remain an access link on both switches.
13. Complete the following command to configure the switch port to use DTP to actively ask the other end to become a trunk: switchport mode ____ ?
Answer: switchport mode dynamic desirable

14. Which command can set the native VLAN of a trunk port to VLAN 100 after the interface has been selected?
Answer: switchport trunk native vlan 100

15. What command can configure a trunk port to stop sending and receiving DTP packets completely?
  switchport nonegotiate
16. What command can be used on a Catalyst switch to verify exactly what VLANs will be transported over trunk link gigabitethernet 0/0?
 show interface gigabitethernet 0/0 switchport
or
show interface gigabitethernet 0/0 switchport trunk
17. Suppose that a switch port is configured with the following commands. A PC with a nontrunking NIC card then is connected to that port. What, if any, traffic will the PC successfully send and receive?
Interface fastethernet 0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 1-1005
switchport mode trunk
Answer: The PC expects only a single network connection, using a single VLAN. In other words, the PC can't participate in any form of trunking. Only untagged or unencapsulated frames will be understood. Recall that an 802.1Q trunk's native VLAN is the only VLAN that has untagged frames. Therefore, the PC will be capable of exchanging frames only on VLAN 10, the native VLAN.

Layer 3 Switching:

1. What might you need to implement interVLAN routing?
** One or more Layer 3 interfaces
One or more SVIs
Static routes
A dynamic routing protocol
2. Can interVLAN routing be performed over a single trunk link?
** Yes. Packets can be forwarded between the VLANs carried over the trunk.
3. To configure an SVI, what commands are needed?
** First, make sure the VLAN is defined on the switch.
interface vlan vlan-id
ip address ip-address mask
no shutdown
4. What command can verify the VLAN assignments on a Layer 2 port?
** show interface type mod/num switchport
or
show interface status
5. A switch has the following interface configurations in its running configuration:
interface fastethernet 0/1
switchport access vlan 5
!
interface vlan 5
ip address 192.168.10.1 255.255.255.0
no shutdown
what is necessary for packets to get from the FastEthernet interface to the VLAN 5 SVI?
Answer: Nothing. Both are assigned to VLAN 5, so normal Layer 2 transparent bridging will take care of all forwarding between the two.
6. What is the source of FIB information?
** The routing table, as computed by the Layer 3 engine portion of a switch.
7. How often is the FIB updated?
** As needed. It is downloaded or updated dynamically by the Layer 3 engine whenever the routing topology changes or an ARP entry changes.
8. What is meant by the term "CEF punt"?
** A packet can't be forwarded or switched by CEF directly because it needs further processing. The packet is "punted" to the Layer 3 engine, effectively bypassing CEF for a more involved resolution.
9. What happens to the FIB when distributed CEF (dCEF) is used?
** It is simply replicated to each of the independent CEF engines. The FIB itself remains intact so that each engine receives a duplicate copy.
10. What happens during a "CEF glean" process?
** The MAC address (ARP reply) for a next-hop FIB entry is not yet known. The Layer 3 engine must generate an ARP request and wait for a reply before CEF forwarding can continue to that destination.
11. What does a multilayer switch do to the IP TTL value just before a packet is forwarded?
** The TTL is decremented by one, as if a router had forwarded the packet.
12. What is fallback bridging?
** On switch platforms that cannot multilayer-switch (route) all routable protocols, those protocols can be bridged transparently between VLANs instead.
13. Is it possible for an SVI to go down? If so, for what reasons?
** Yes. The SVI can be shut down administratively with the shutdown command, as with any other interface. Also, if the VLAN associated with the SVI is not defined or active; the SVI will appear to be down.

Spanning Tree Protocol:

1. What three link types have been defined for Rapid Spanning-Tree Protocol? (Choose three.)
shared
edge-type
point-to-point
2. What Rapid Spanning Tree Protocol (RSTP) role is assigned to the forwarding port elected for every switched Ethernet LAN segment?
Designated
3. How can a network administrator influence which STP switch become the root bridge?
Set the switch priority to a smaller value than that of the other switches in the network.
4. Refer to the exhibit. What can be determined from the output shown?
The priority was statically configured to identify the root.
5. Which three statements are accurate regarding RSTP and STP? (Choose three.)
Both RSTP and STP use the portfast command to allow ports to immediately transition to forwarding state.
Configuration commands to establish primary and secondary root bridges are identical for STP and RSTP.
Because of the format of the BPDU packet, RSTP is backward compatible with STP.
6. What is the first step in the process of convergence in a spanning tree topology?
Election of the root bridge
7. Which two statements are true about the default operation of STP in a Layer 2 switched environment that has redundant connections between switches? (Choose two.)
Decisions on which port to block when two ports have equal cost depend on the port priority and identity.
Non-root switches each have only one root port.
8. What two elements will exist in a converged network with one spanning tree? (Choose two.)
One root bridge per network
one root port per non-root bridge
9. Which statement or set of paired statements correctly compares STP with RSTP?
STP waits for the network to converge before placing ports into forwarding state. RSTP places alternate ports into forwarding state immediately.
10. Refer to the exhibit. Server sends an ARP request for the MAC address of its default gateway. If STP is not enabled, what will be the result of this ARP request?
Switch A and Switch B will continuously flood the message onto the network.
11. In which two ways is the information that is contained in BPDUs used by switches? (Choose two.)
To identify the shortest path to the root bridge
to determine which ports will forward frames as part of the spanning tree
12. Which two statements describe the BIDs used in a spanning tree topology? (Choose two.)
They consist of a bridge priority and MAC address.
They are used by the switches in a spanning tree topology to elect the root bridge.
13. Which two actions does an RSTP edge port take if it receives a BPDU? (Choose two.)
Immediately loses its edge status
becomes a normal spanning-tree port
14. Which two items are true regarding the spanning-tree portfast command? (Choose two.)
PortFast is Cisco proprietary.
If an access port is configured with PortFast, it immediately transitions from a blocking to a forwarding state.
15. Refer to the exhibit. The spanning-tree port priority of each interface is at the default setting. The network administrator enters the spanning-tree vlan 1 root primary command on S4. What is the effect of the command?
Gi0/2 on S3 transitions to a root port.
16. What two features of the Spanning-Tree Protocol contribute to the time it takes for a switched network to converge after a topology change occurs? (Choose two.)
the max-age timer
the forward delay
17. In which STP state does a port record MAC addresses but not forward user data?
Learning
18. When PVST+ was developed, the Bridge ID was modified to include which information?
VLAN ID
19. Refer to the exhibit. All switches in the network have empty MAC tables. STP has been disabled on the switches in the network. How will a broadcast frame that is sent by host PC1 be handled on the network?
Switch SW1 will forward the broadcast out all switch ports, except the originating port. This will generate an endless loop in the network.
20. Which two criteria does a switch use to select the root bridge? (Choose two.)
Bridge priority
base MAC address