Requirements
Topology
Get Started
Scenario 3: FlexConfig
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required: Laptop
Optional: Cisco AnyConnect®
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 52
Cisco dCloud
Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built
platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your
organization’s security policy: your guidelines for protecting your network.
This allows the Cisco Firepower NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate
responses to modern threats in real time. Firepower NGFW is unique in its threat focus, with a foundation of comprehensive
network visibility, best-of-breed threat intelligence and highly effective threat prevention to address both known and unknown
threats. Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can “go back in time” to
quickly find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in
time-to-detection (TTD) for Cisco customers compared to industry averages.
In this lab you will build a multi-site Next Generation Firewall (NGFW) solution between a corporate site and two branch
sites. Using the Firepower Management Console (FMC) you will build High Availability NGFWs at the corporate site and manage
a branch. In this lab you will also configure an NGFW using the FDM (Firepower Device Manager). You will also configure remote
access and site-to-site VPNs. You will also configure Cisco Threat Intelligence Director to accept and implement third-party
updates to your NGFW devices.
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How].
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
Steps
1. On the Jump desktop, open the PuTTY link. Double-click on the preconfigured session called NGFW1. Log in using user ID
admin, password C1sco12345.
NOTE: If you run into issues with typing special characters, please open the file on the Jump desktop called Strings to cut and
paste.txt.
i. Managed Locally
3. Read the warning and answer yes when, or if, asked if you want to continue. Do not type y.
NOTE: The NGFW2, NGFW3 and NGFWBR1 were installed with the on-box manager (Firepower Device Manager or FDM) enabled.
This is the default configuration. This is why you are receiving this warning. You will only receive the warning if the FTD is set to
Managed Locally.
But be aware that you cannot switch between FMC and FDM without deleting the NGFW configuration.
4. Leave this PuTTY session open, since it will be used throughout the lab.
NOTE: The scripts are for training purposes only, so they are not perfectly polished. If you wish to inspect the first script, it is
located in /usr/local/bin. It is called register_config.py and uses a Python module generated by connect.py. The command
runapiscript is a symbolic link to register_config.py.
1. From the Jump desktop, launch PuTTY. Double-click on the Inside Linux server session. Log in as root, password
C1sco12345.
3. When asked Which firewall do you want to register?, enter 1 (NGFW1) and press Enter.
4. When prompted to enter an access control policy name, enter a reasonable name, like Base_Policy Access Control
Policy.
5. You will see the script run through the registration process.
6. Open the Firefox browser and on the FMC, click the icon to the right of the Deploy button, and select the Tasks tab.
NOTE: It may take several seconds before any tasks start. If no tasks start for over a minute, check to see if you enabled the demo
Smart license. If you did not, you should enable it, and run the runapiscript1 script again. Be sure to use a different name for the
access control policy, or delete the policy that the script created.
a. Leave this PuTTY session open. You will use it throughout the lab.
The objective of this exercise is to deploy a simple, but effective, NGFW configuration.
Perform file type and malware blocking on these outbound connections.
Steps
c. Enter 198.18.0.0/15. This includes all IP addresses used in the lab pod.
d. Click Save.
NOTE: There are two types of interface objects: security zones and interface groups. The key difference is that interface groups
can overlap. Only security zones can be used in access control policy rules.
3. Create the Network Objects for the Security Zones that will be added to the interfaces.
4. For Name, enter OutZone. Select Routed from the Interface Type drop-down menu.
a. Select the ISP-Side interface. Click Add and then click Save. (If NGFW1 does not show up, click the arrow under
Device > Interfaces.)
a. For Name, enter InZone. Select Routed from the Interface Type drop-down menu.
b. Select the LAN-Side interface. Click Add and then click Save.
6. Go to Devices > Device Management and select the pencil icon on the NGFW1 line.
1. In the FMC, select Devices > Device Management. Click on the pencil icon to edit the device settings.
2. The Interfaces tab should be selected. Confirm that the REST API script configured the inside and outside interfaces of the
NGFW1.
3. Select Routing > Static Route, and click the Add Route button.
5. Select any-ipv4 from available networks (this is the equivalent of a default route).
6. Click Add.
a. Select the “+” sign next to the Gateway* pull-down menu.
b. Name the object “FMC-HQ-WAN_GW” (you will be able to reuse this object later).
c. Enter the Network IP Address: 198.18.128.1 (this is the outside interface of the firewall facing the WAN).
d. Click Save.
9. Click Save.
1. From the menu, select Policies > Access Control > Access Control. Notice that an access control policy was created by the
REST API script.
a. Edit the access control policy by clicking the pencil icon to the right of the policy.
NOTE: Rules are divided into sets within a policy. Two sets are predefined:
In this exercise, you will not create a child policy, but you will use the default rule set as a convenient way of making sure this rule
is evaluated last.
a. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
b. Select Demo File Policy from the File Policy drop-down list.
NOTE: The demo intrusion and file policies were pre-configured to save you time. See Appendix 1 in the Firepower Advanced Lab
Guide v2.3 for instructions on how to create these.
6. Select System-provided from the Block Response Page drop-down list.
8. Click the pencil icon to edit the Transport/Network Layer Preprocessor Settings.
NOTE: Setting Maximum Active Responses to a value greater than 0 enables the rules that drop packets to send TCP resets to
close the connection. Typically both the client and server are sent TCP resets. With the configuration above, the system can initiate
up to 25 active responses (TCP resets) if it sees additional traffic from this connection.
In a production deployment, it is probably best to leave this set to the default. Then no resets are sent, and the malicious system
will not know that it has been detected. But for testing and demonstrations, it is generally better to send resets when packets match
drop rules.
11. Click Save to save the changes to the access control policy.
2. Click the New Policy button, and select Threat Defense NAT.
4. Select the NGFW(s). Click Add to Policy and then click Save.
7. Select In Category and NAT Rules After from the Insert drop-down lists. This will ensure that this rule will be evaluated after
the auto-NAT (object NAT) rules.
a. You will be at the Interface Objects tab. Select InZone and click Add to Source.
The FMC is behind the NGFW1, which is acting as a NAT device. We need to build a static NAT policy so that the Branch FTD will
be able to communicate with the HQ-FMC.
5. Under Translation click the (+) sign and add the name FMC_PRIVATE.
6. For Network enter 198.19.10.120/32 (this is the address of the HQ-FMC).
7. Click Save.
8. Click on the (+) sign again and add the name FMC_PUBLIC.
9. For Network enter 198.18.133.120 (an address on the WAN network).
11. Create an inbound access list for the private FMC by modifying the access control policy Base_Policy.
a. Select Policies > Access Control Policies.
d. Action: Allow.
g. Inspection tab.
The default network discovery policy is configured to discover all applications, both internal and external. We will want to add host
and user discovery. In a production environment, this can exceed the FMC Firepower host license. For this reason, it is best
practice to modify the policy.
a. Click the pencil icon to the right to edit the existing rule.
3. Click Save.
5. Confirm that NGFW settings, NAT policy, network discovery, interface and static route configuration will be modified.
a. Click Deploy.
b. Click the icon to the right of the Deploy link in the upper right-hand corner of the FMC. Wait until the deployment is
complete.
b. Enter ping outside. This should succeed. Enter Ctrl+C to exit ping.
2. Enter cd ~root. You should see the following message: 421 Service not available, remote server has closed
connection. This confirms that IPS is working.
NOTE: If the FTP session hangs, you probably forgot to enable active responses in the access control policy. You need not fix this,
as long as you remember to expect this behavior.
NOTE: Observe that Snort rule 336 was triggered. In the Demo Intrusion Policy, the rule state for this rule is set to Drop and
Generate Events. This rule is disabled in the system-defined intrusion policies such as Balanced Security and Connectivity.
NOTE: In a production environment, if you run into a situation where events are not appearing, the first thing you should check is
the time synchronization between the NGFW and FMC. However, in this lab, it is more likely to be an issue with the eventing
processes. If this happens, try restarting these processes as follows.
From the Jump desktop, connect to the FMC using the pre-defined PuTTY session. Log in as admin/C1sco12345 and run the
following commands.
5. Click the arrow on the left to drill down to the table view of the events. Observe that details of the event are presented.
a. Click the arrow on the left of the event to drill down further. Note that you are presented with extensive information,
including the details of the Snort rule.
b. Expand the Actions and note that you could disable the rule from here - but do not!
6. Test the file and malware blocking capabilities. These wget commands can be cut and pasted from the file on the Jump
desktop called Strings to cut and paste.txt.
b. Next, use wget to attempt to download the file blocked by type: wget -t 1 outside/files/test3.avi
NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data.
The Demo File Policy is configured to block AVI files.
c. Finally, use wget to attempt to download malware: wget -t 1 outside/files/Zombies.pdf
NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW
holds onto the last block of data until the hash is calculated and looked up. The Demo File Policy is configured to block malware
detected in PDF files.
8. In the FMC, select Analysis > Files > Malware Events.
b. Click the arrow on the left to drill down to the table view of the events. Note that the host 198.19.10.200 is
represented by a red icon. This is the Inside Linux Server. The red icon means the host has been assigned an
indication of compromise.
NOTE: The action is reported as Custom Detection Block, instead of Malware Block. This is because we added Zombies.pdf to the
custom detection list, just in case the lab has issues connecting to the cloud. See Appendix 1 for details.
9. As an alternative, you can try the following from the Inside Linux server:
wget -t 1 outside/malware/Buddy.exe
This should be reported as a Malware Block. However, in this particular lab environment, the cloud lookup may fail. Therefore the
file may not be blocked.
10. Click on the red computer icon. This will open the host profile page. Look over this page and then close it.
11. From the menu, select Analysis > Files > File Events. You should see information about all 3 file events.
a. Log in as root/C1sco12345.
2. Now we will configure NGFW Branch 1 so it will also be managed by the FMC.
3. On the Jump PC, open the PuTTY connection to NGFWBR1 (198.18.133.42 : 22). Log in as admin, password C1sco12345.
4. Type the following command: configure manager add 198.18.133.120 C1sco12345 abcde and after the question type yes.
NOTE: You need to add the FMC’s NAT address and also a specific NAT ID (in this case abcde). The NAT ID will need to match
the NAT ID on the FMC when you go through the NGFW registration process.
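The same registration handshake expressed against the FMC REST API, as an added example that is not the lab's register_config.py: the regKey and natID fields of the device record are what the configure manager add command supplies on the FTD side, so a mismatch between the two is the first thing to check when a NAT'ed device never appears. The access policy UUID, the helper names and the sample record are assumptions.

```python
import base64
import json
import ssl
import urllib.request

FMC_NAT_ADDRESS = "198.18.133.120"   # the FMC's NAT address used in the lab's configure manager command


def parse_configure_manager(cli_line):
    """Split 'configure manager add <fmc> <regkey> [natid]' into (fmc, regkey, natid)."""
    parts = cli_line.split()
    if parts[:3] != ["configure", "manager", "add"] or len(parts) not in (5, 6):
        raise ValueError("not a 'configure manager add' command: " + cli_line)
    return parts[3], parts[4], (parts[5] if len(parts) == 6 else None)


def registration_payload(name, reg_key, access_policy_id, nat_id=None, host=None,
                         licenses=("BASE", "THREAT", "MALWARE", "URLFilter")):
    """Device record for POST .../devices/devicerecords. For a device behind NAT the FMC cannot
    reach the device's address, so hostName is omitted and the NAT ID identifies the device."""
    payload = {"name": name, "regKey": reg_key, "type": "Device", "license_caps": list(licenses),
               "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"}}
    if nat_id:
        payload["natID"] = nat_id
    if host:
        payload["hostName"] = host
    return payload


def registration_matches_cli(payload, cli_line, fmc_address=FMC_NAT_ADDRESS):
    """Pre-flight check: the key and NAT ID typed on the FTD must equal what the FMC record carries,
    and the FTD must have been pointed at the FMC's NAT address, or the device never registers."""
    fmc, reg_key, nat_id = parse_configure_manager(cli_line)
    return fmc == fmc_address and reg_key == payload["regKey"] and nat_id == payload.get("natID")


def register_device(payload, username, password, fmc_url="https://" + FMC_NAT_ADDRESS, verify_tls=True):
    """Obtain an API token, then create the device record. Returns the FMC's JSON response."""
    ctx = ssl.create_default_context()
    if not verify_tls:   # the lab FMC presents a self-signed certificate; keep verification on elsewhere
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(fmc_url + "/api/fmc_platform/v1/auth/generatetoken", method="POST",
                                 headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token, domain = resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]
    req = urllib.request.Request(f"{fmc_url}/api/fmc_config/v1/domain/{domain}/devices/devicerecords",
                                 data=json.dumps(payload).encode(), method="POST",
                                 headers={"X-auth-access-token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cli = "configure manager add 198.18.133.120 C1sco12345 abcde"      # the command from step 4
    record = registration_payload("ngfwbr1", "C1sco12345", "ACCESS-POLICY-UUID-PLACEHOLDER", nat_id="abcde")
    print(registration_matches_cli(record, cli))   # True
    # register_device(record, "admin", "C1sco12345", verify_tls=False) would submit it to the lab FMC
```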
5. Go back to the FMC webpage and go to Devices > Device Management > Add > Add Device.
6. Under Access Control Policy, select the down arrow and choose Create New Policy.
7. Name: Branch1access Select Base Policy: None Default Action: Block all traffic. Click Save.
9. Select Branch1Access. Smart Licensing: check all boxes. Under Advanced, type the NAT code from the FTD: abcde.
NOTE: Now that ngfwbr1 has been added, we need to add interfaces, build the default route, create a NAT policy and update
the access policy.
12. Go to Devices > Device Management. Click on the pencil icon next to ngfwbr1.
NOTE: The addresses for the interfaces are not preconfigured because we were not able to run the deployment script. The REST
API in 6.2.2 does not support the NAT function. This situation should be fixed in a future release.
15. Name: branch1_Outside Security Zone: Click New Enter a name: branch1_Outzone.
17. IP Address: 198.18.133.142/18 (This is the address of the Outside WAN [ISP]).
NOTE: In this scenario, we used 198.18.133.42/18 for the Management IP Address of the firewall. You can see this address by
entering the show network command from the command line, or by going to expert mode on the FTD, running the ifconfig
command and looking at the br1 interface. The Management IP Address is accessible only to the operating system. We therefore
have to build a WAN interface as an outside interface. The outside interface can also be configured by DHCP from the ISP, but we did
not want to add an additional server to this lab scenario.
20. Go to Routing >Static Route > Add Route > to build a Static route to the Internet.
22. For Available Network, select any-ipv4. For Gateway:
23. Click the green (+) button and configure the New Network Object: 198.18.128.1.
25. Click OK.
NOTE: If the interface branch1_Outside does not show up in the pull-down box, click on the Save button on the top right of the
screen.
27. Go to Devices > NAT > New Policy > Threat Defense NAT.
28. Name the policy Branch1_NAT and under Available Devices select ngfwbr1.
35. On the Translation tab under Original Packet, select the (+) and configure the New Network Object. Name: Branch1_Networks;
Network: 198.19.11.0/24 (you could also create an object in the Objects page that would encompass an entire lab network
group such as 198.18.0.0/15).
39. To modify the Access Control Policy, go to Policies > Access Control > Branch1Access.
44. On Inspection Policy select Demo Intrusion Policy and Demo File Policy.
45. Click on Add. Click on Save at the top of the web page. Click Deploy and select ngfwbr1.
1. From the Jump PC, open the Remote Desktops folder.
2. Select Wkstbr2.
3. When the Windows Security prompt pops up, use the password: C1sco12345
4. Click OK.
NOTE: In order to configure the FTD using the on-box manager we need to be on the 192.168.45.0/24 subnet. The default FTD
address is 192.168.45.45/32 with a default gateway of 192.168.45.1. We open the RDP session on a secondary NIC card on the
workstation so that we can simulate local connectivity between the workstation and the FTD. The IP address for the workstation is
192.168.45.225/32 in order to be on the same subnet as the FTD.
5. On the workstation, open PuTTY and type 192.168.45.45, port 22 (SSH). Log in as admin/C1sco12345!
NOTE: When changing the password using the GUI you must have a special character in the password. That is why we put a “!”
in the password. When configuring the password through the CLI a special character is not needed.
a. Type yes
b. Wait for the prompt to return and type: configure manager local and press Enter.
Note: FDM (On Box Manager) was configured previously in order to upgrade the software. By doing the above commands you will
clear some of the configuration parameters and also reset the evaluation license. It will take some time for the web service to
become available.
10. You will come to the following screen, which displays the FTD connections. Scroll down to the Outside Interface Address.
IP Address: 198.18.133.4
17. If you get a message that the connection to www.cisco.com failed, that is OK; move on to setting the NTP services.
c. Address: 198.18.128.1.
d. Click Next.
19. This will bring you to Smart License. Select Start 90-day evaluation period without registration.
NOTE: As you can see, interface GigabitEthernet 0/1 is 192.168.45.1. Also, the outside interface GigabitEthernet 0/0 has the
outside address that we manually configured. We will come back to this device later to configure the site-to-site VPN.
Scenario 3. FlexConfig
This exercise consists of the following tasks.
Create a user defined FlexConfig object
FlexConfig is a feature that allows the deployment of configuration directly to the Lina (ASA) configuration in the FTD. This can be
used to deploy features that are not yet available in the FTD. There are two objectives for this lab exercise:
NOTE: There are separate system defined FlexConfig objects for configuring EIGRP. For configurations that may change over
time, it is better to use these objects. But to demonstrate the simplicity and power of FlexConfig, a user defined FlexConfig object
will be used.
System defined FlexConfig objects will be used to configure the FTD as a source of NetFlow data.
Steps
2. At the bottom of the left navigation panel, under FlexConfig, select FlexConfig Object.
i. router eigrp 10
c. Click Save.
NOTE: The FlexConfig objects are written in the Apache Velocity language. This language supports loops and if statements.
These begin with a #. This is not a comment; it indicates that the line is not literal text to be included in the output. Comments
begin with ##.
NOTE: This FlexConfig object loops over a text object called disableInspectProtocolList. You will now edit this text object.
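An added illustration of the Velocity subset the note describes, not the content of any system-defined FMC object: a constructed template in that style and a small renderer that expands it from the text object, so the Lina commands an object will generate can be checked offline before a deployment (the same check step 7 asks for in the preview). The template text, the renderer and the helper names are assumptions.

```python
import re

# Constructed template in the style of the system-defined object that disables default
# inspections; it is not copied from the FMC. '##' is a comment, '#foreach'/'#end' are
# directives, and $disableInspectProtocolList is the text object edited in the lab.
DISABLE_INSPECT_TEMPLATE = """\
## Remove the listed protocols from the default inspection class
policy-map global_policy
 class inspection_default
#foreach ( $protocol in $disableInspectProtocolList )
  no inspect $protocol
#end
"""

FOREACH = re.compile(r"^\s*#foreach\s*\(\s*\$(\w+)\s+in\s+\$(\w+)\s*\)\s*$")
END = re.compile(r"^\s*#end\s*$")
VARIABLE = re.compile(r"\$\{?(\w+)\}?")


def render(template, variables):
    """Expand the Velocity subset from the note: ## comments, #foreach/#end loops, $name substitution."""
    return "\n".join(_render_lines(template.splitlines(), dict(variables)))


def _render_lines(lines, scope):
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        stripped = line.lstrip()
        if stripped.startswith("##"):             # comment: produces no output
            i += 1
            continue
        loop = FOREACH.match(line)
        if loop:
            item_name, list_name = loop.groups()
            body, i = _loop_body(lines, i + 1)    # i now points past the matching #end
            for item in scope[list_name]:
                out.extend(_render_lines(body, {**scope, item_name: item}))
            continue
        if END.match(line):
            raise ValueError("#end without a matching #foreach")
        if stripped.startswith("#"):              # any other directive is outside the supported subset
            raise ValueError("unsupported directive: " + stripped)
        out.append(VARIABLE.sub(lambda m: str(scope.get(m.group(1), m.group(0))), line))
        i += 1
    return out


def _loop_body(lines, start):
    """Return the lines between a #foreach and its matching #end (nesting aware), and the index after #end."""
    depth, i = 1, start
    while i < len(lines):
        if FOREACH.match(lines[i]):
            depth += 1
        elif END.match(lines[i]):
            depth -= 1
            if depth == 0:
                return lines[start:i], i + 1
        i += 1
    raise ValueError("#foreach without a matching #end")


def disabled_inspections(rendered):
    """The check to do before deploying: which 'no inspect <protocol>' lines did the object produce?"""
    return [m.group(1) for m in re.finditer(r"^\s*no inspect (\S+)\s*$", rendered, re.MULTILINE)]


if __name__ == "__main__":
    # In the lab the text object contains sip, so the deployed commands disable SIP inspection only.
    config = render(DISABLE_INSPECT_TEMPLATE, {"disableInspectProtocolList": ["sip"]})
    print(config)
    print(disabled_inspections(config))   # ['sip']
```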
2. Click Close.
3. At the bottom of the left navigation pane of the Object Management page, under FlexConfig, select Text Object.
5. Click Save.
1. From the menu, select Devices > FlexConfig. Click New Policy.
2. Click Save.
a. In the left column, under User Defined, select myEIGRP. Click to add the FlexConfig object to the policy.
b. In the left column, under System Defined, select Default_Inspection_Protocol_Disable. Click to add the
FlexConfig object to the policy.
4. Click Save.
7. Wait a few seconds and the configuration changes will appear. Confirm that the commands look correct.
8. Click Close.
From the NGFW1 CLI run show running-config policy-map. Confirm that SIP inspection is enabled.
1. From the Inside Linux Server session, type ping 204.44.14.1. This should fail.
2. Deploy the changes you made. Wait until the deployment is complete.
3. From the NGFW1 CLI run show running-config policy-map. Confirm that SIP inspection is now disabled.
4. From the NGFW1 CLI run show eigrp neighbors. Confirm that an adjacency has been formed between the FTD and CSR
router.
5. From the NGFW1 CLI run show eigrp topology. Confirm that the EIGRP routes have been received.
NOTE: You will also see some routes that have no successors. These routes will be used in the next section, BGP.
6. Run show route eigrp. Confirm that NGFW1 now has EIGRP-learned routes in its routing table.
Configure BGP
Deploy the changes and test the configuration.
There are two objectives for this lab exercise:
Configure BGP
The first objective will involve creating network objects and creating access control lists. Also, static NAT and dynamic routing will be
configured.
NOTE: The public server will be deployed in the inside network. It would be more realistic to deploy this in a DMZ, but that would
take more work. However, the lab pod has this capability. See Appendix 4 for information about creating a DMZ in the lab pod.
Steps
1. From the menu, select Objects > Object Management. The Network object page will be selected.
d. Click Save.
h. Click Save.
c. Click Save.
3. Select Access List > Standard from the left navigation pane.
c. Add the 2 access control entries shown below. The second entry is critical, because of the implicit deny all at the end
of the list.
d. Click Save.
b. You w ill be at the Interface Objects tab. Select InZone, and click Add to Source.
b. Select Address and wwwout from the Translated Source drop-down list.
1. From the menu, select Policies > Access Control > Access Control.
2. Edit the NGFW Access Control Policy, for example Base_Policy.
d. The Zones tab should already be selected. Select InZone, and click Add to Destination.
h. Select Ports. Under Available Ports type HTTP, select HTTP and HTTPS, and add to destination.
i. Under Selected Destination Ports, type ICMP in the Protocol box, select it, and click Add.
NOTE: We use the true IP of the web server, instead of the NAT'ed address that the client will connect to.
k. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
l. Select Demo File Policy from the File Policy drop-down list.
Configure BGP
2. Click on the pencil icon to edit the device settings for the device NGFW1.
2. On the Jump desktop, open the PuTTY link. Double-click on the preconfigured session called Outside Linux Server. Log in as
root, password C1sco12345.
3. On the Jump desktop, open the PuTTY link. Double-click on the preconfigured session called CSR. Log in as admin, password
C1sco12345.
a. On the CSR CLI, run the command show bgp, and confirm that 4 routes appear.
5. Run show route. Confirm that the only routes learned from BGP were 62.24.45.0/24 and 62.112.24.0/24. Note that
203.14.10.0/24 was successfully filtered out of BGP. However, if you performed the FlexConfig scenario, you will see this
route as an external EIGRP route.
6. Run show bgp and show bgp rib-failure. This shows that the 198.18.128.0/18 route was not inserted in the routing table
because there was a better route (connected).
NOTE: You can also run this command from the FMC.
12. From the Inside Linux server session, type ping 62.24.45.1. This should succeed.
NOTE: You can also run this command from the FMC.
a. Route
b. BGP
c. EIGRP neighbors
If there is a clear-text tunnel, the NGFW access control policies apply to the tunneled traffic. Prefilter policies give control over the
tunneling protocol. The following tunneling protocols are supported.
GRE
IP-in-IP
IPv6-in-IP
Teredo
Prefilter policies communicate with access control policies via tunnel tags. The prefilter policy assigns tunnel tags to specified
tunnels. The access control policy can then include rules that only apply to traffic tunneled through those specified tunnels.
In this exercise, you will create a GRE tunnel between the inside and outside CentOS servers.
You will then configure the NGFW to block ICMP through this GRE tunnel.
NOTE: This exercise has Scenario 4 as a prerequisite. This is because the exercise assumes the static NAT rule, which translates
198.19.10.202 to 198.18.128.202. To understand the configuration of the tunnel interface, you can inspect
/etc/sysconfig/network-scripts/ifcfg-tun0 on the inside and outside servers.
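As an added example that is not part of the lab, a packet-level view of what the two stages distinguish: a constructed GRE-in-IPv4 packet carrying the 10.3.0.1 to 10.3.0.2 ping from the steps is parsed down to its inner protocol, the prefilter stage assigns a tunnel tag from the outer tunnelling protocol, and the access control stage matches on that tag plus the inner protocol. The outside endpoint address 203.0.113.10 (TEST-NET-3), the rule and helper names and the tag name are assumptions.

```python
import ipaddress
import struct

# IP protocol numbers a prefilter distinguishes (Teredo rides over UDP, so it has no IP protocol number here)
PROTO_NAMES = {1: "ICMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP", 41: "IPv6-in-IP", 47: "GRE"}
TUNNEL_PROTOS = {4, 41, 47}
GRE_PROTO_IPV4 = 0x0800

# Constructed rules mirroring the lab: tag GRE tunnels, then block ICMP carried inside tagged tunnels.
PREFILTER_RULES = [{"tunnel": "GRE", "tag": "gre_lab"}]
ACCESS_RULES = [{"tag": "gre_lab", "inner_proto": "ICMP", "action": "block"}]


def _checksum(data):
    """Ones-complement sum over 16-bit words (RFC 1071); returns 0 for a buffer whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, TTL 64) with a valid checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner_packet):
    """Plain GRE (RFC 2784): no checksum/key/sequence flags, protocol type IPv4."""
    return struct.pack("!HH", 0, GRE_PROTO_IPV4) + inner_packet


def icmp_echo_request(payload=b"prefilter-lab"):
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload   # type 8 = echo request, id 1, seq 1
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]


def parse_ipv4(buf):
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    if _checksum(bytes(buf[:ihl])) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", buf[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(buf[12:16])), "dst": str(ipaddress.IPv4Address(buf[16:20])),
            "proto": buf[9], "payload": buf[ihl:total_len]}


def gre_payload(buf):
    """Skip the GRE header (4 bytes plus 4 each for the optional C, K and S fields); return (protocol type, payload)."""
    flags, ptype = struct.unpack("!HH", buf[:4])
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return ptype, buf[hdr_len:]


def classify(packet):
    """What the prefilter sees: the tunnelling protocol in the outer header and, for GRE or IP-in-IP, what is inside."""
    outer = parse_ipv4(packet)
    info = {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "tunnel": PROTO_NAMES[outer["proto"]] if outer["proto"] in TUNNEL_PROTOS else None,
            "inner_proto": None}
    inner_bytes = None
    if outer["proto"] == 47:
        ptype, candidate = gre_payload(outer["payload"])
        inner_bytes = candidate if ptype == GRE_PROTO_IPV4 else None
    elif outer["proto"] == 4:
        inner_bytes = outer["payload"]
    if inner_bytes is not None:
        inner = parse_ipv4(inner_bytes)
        info.update(inner_src=inner["src"], inner_dst=inner["dst"], inner_proto=PROTO_NAMES.get(inner["proto"]))
    return info


def evaluate(packet, prefilter_rules=PREFILTER_RULES, access_rules=ACCESS_RULES, default="allow"):
    """Prefilter assigns a tunnel tag; the access control rules then match on that tag plus the inner protocol."""
    info = classify(packet)
    tag = next((r["tag"] for r in prefilter_rules if r["tunnel"] == info["tunnel"]), None)
    for rule in access_rules:
        if rule["tag"] == tag and rule["inner_proto"] == info["inner_proto"]:
            return rule["action"], tag
    return default, tag   # 'default' stands in for the policy's default action (an assumption)


if __name__ == "__main__":
    # Constructed sample: the inside server's NAT address from the lab (198.18.128.202) to a placeholder
    # outside endpoint (203.0.113.10), carrying the 10.3.0.1 -> 10.3.0.2 ping from the lab steps.
    ping_in_gre = ipv4_packet("198.18.128.202", "203.0.113.10", 47,
                              gre_encapsulate(ipv4_packet("10.3.0.1", "10.3.0.2", 1, icmp_echo_request())))
    print(classify(ping_in_gre))
    print(evaluate(ping_in_gre))   # ('block', 'gre_lab')
```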
Steps
In this task, you will confirm that the access control policy rules apply to the tunneled traffic.
1. You should still have the SSH session open to the Inside Linux server.
2. If you do not have an SSH session to the Outside Linux Server, from the Jump desktop, launch PuTTY and double-click on the
predefined Outside Linux Server session. Login as root, password C1sco12345
3. Create a GRE tunnel between the Inside Linux server and Outside Linux server.
c. On the Inside Linux Server, confirm that you can ping through the tunnel with the following command. ping 10.3.0.2.
1. Run the following command from the Inside Linux Server CLI. ftp 10.3.0.2.
2. In the FMC, from the menu, select Analysis > Intrusions > Events.
a. Click the arrow on the left to drill down to the table view of the events.
b. Observe that the source and destination IPs are 10.3.0.1 and 10.3.0.2, respectively.
3. Test the file and malware blocking capabilities by running the following commands on the Inside Linux server CLI.
NOTE: These wget commands can be cut and pasted from the file on the Jump desktop called Strings to cut and paste.txt.
a. As a control test, use wget to download a file that is not blocked. wget -t 1 10.3.0.2/files/ProjectX.pdf.
c. Next use wget to download the file blocked by type. wget -t 1 10.3.0.2/files/test3.avi.
NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data.
NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW
holds onto the last block of data until the hash is calculated and looked up.
4. In the FMC, from the menu, select Analysis > Files > File Events.
b. Observe that the sending and receiving IPs are 10.3.0.2 and 10.3.0.1, respectively.
d. Click Save.
2. From the menu, select Policies > Access Control > Prefilter.
a. Click New Policy. Enter a name such as ngfw Prefilter Policy. Click Save.
c. Select the Encapsulation & Ports tab and check the GRE checkbox.
Analyze - traffic will be passed to Snort, and access policy rules will apply.
NOTE: You can also create prefilter rules for this policy. This gives you the ability to analyze, block, or fast-path traffic based on
layer 2 through 4 information.
1. From the menu, select Policies > Access Control > Access Control to edit the NGFW Base_Policy Access Control Policy.
2. Click on the link Default Prefilter Policy to the right of the string Prefilter Policy above the policy rules.
4. Click OK.
f. In the Available Zones column, select GRE and click Add to Source.
g. In the Available Applications column, select ICMP and click Add to Rule.
h. Select the Logging tab. Check the Log at Beginning of Connection checkbox.
b. Select into Default from the Insert drop-down list. This will become the last rule in the access control policy.
c. In the Available Zones column, select GRE and click Add to Source.
e. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
f. Select Demo File Policy from the File Policy drop-down list.
1. Deploy the changes, as you have been. Wait for the deployment to complete.
2. On the Outside Linux Server, run tcpdump -n -i tun0 to monitor tunnel traffic.
a. Run the following commands on the Inside Linux Server CLI.
c. ping 10.3.0.2
You should see the following output, indicating that the ping is being blocked.
From 10.3.0.2 icmp_seq=1 Packet filtered
3. Inspect the output of the tcpdump command on the Outside Linux Server to confirm that the ping is not making it to 10.3.0.2.