Detailed Steps



Q1. Tell me about yourself.

Q2. How does a ping / traceroute / tracert window work?
1. First, Traceroute creates a UDP packet from the source to the destination with a TTL value of 1.
2. The packet reaches the first router, which decrements the TTL by 1, making the packet's TTL 0, so the packet is dropped.
3. As it drops the packet, the router sends an ICMP message [Time Exceeded] back to the source.
4. This is how Traceroute learns the first router's address and the time taken for the round trip.
5. It sends two more packets in the same way to get an average round-trip time. The first round trip takes longer than the other two because of the delay while ARP resolves the physical address; the address stays in the ARP cache for the second and third probes, so they complete faster.
6. These steps repeat until the destination is reached. The only change is that the TTL is incremented by 1 each time a UDP packet is to be sent to the next router/host.
7. Once the destination is reached, no Time Exceeded ICMP message is sent back this time, because the destination has already been reached.
8. But the UDP packet used by Traceroute specifies a destination port number that is not usually used for UDP. So when the destination checks the headers of the UDP packet, it drops the packet because of the unused port and sends an ICMP message [Destination Unreachable] back to the source.
9. When Traceroute sees this message, it knows the destination has been reached. The destination is also probed 3 times to get the average round-trip time.

Why are there three columns in traceroute results?
Three probes (change with the -q flag) are sent at each TTL setting, and a line is printed showing the TTL, the address of the gateway and the round-trip time of each probe (so three entries; a probe that gets no reply is shown as *).

Which ICMP message confirms the traceroute is completed?
Destination Unreachable message.

Q3.
How does a routing loop / switch loop occur in a router / switch?
A routing loop is a serious network problem that happens when a data packet is continually routed through the same routers over and over. The data packets keep circling within the network endlessly. A routing loop can have a catastrophic impact on a network, in some cases completely disabling it. Routing loops are normally a problem associated with distance-vector protocols. They occur when a router incorrectly forwards packets, that is, to a wrong next-hop router. This is most easily detected with traceroute, where you will see the same hops recurring over and over, or with ping, where you will see a message like "TTL expired in transit". Routing loops are always caused by misconfiguration, although it is not always as obvious as two static routes that point to each other. Redistribution of routing information is a notorious source of routing loops.

Q4. TCP handshake? Give some examples of troubleshooting you did in your company.
For a reliable connection, the transmitting device first establishes a connection-oriented (reliable) session with its peer system; this is called the three-way handshake. Data is then transferred. When the data transfer is finished, the connection is terminated and the virtual circuit is torn down.
1. In the first part of the three-way handshake, the source sends a TCP SYN segment with initial sequence number X, indicating its desire to open the connection.
2. In the second part, when the destination receives the TCP SYN, it acknowledges it with ACK = X+1 as well as its own SYN with sequence number Y (it informs the source what sequence number it will start its data with and use in further messages). This response is called SYN/ACK.
3. In the third part, the source sends an ACK segment (ACK = Y+1) to the destination, indicating that the connection is set up. Data transfer can then begin.

Q5. Why is the 3-way handshake needed first? For reliability and to ensure packet delivery.

Q6.
What does SSL mean?
SSL VPN provides remote-access connectivity from any internet-enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at the remote site.

At which layer does SSL VPN operate?
SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.

What are the different SSL VPN modes?
SSL VPN can be deployed in one of the following three modes:
1. Clientless mode - It works at Layer 7. Clientless mode provides secure access to web resources and web-based content. This mode can be used for accessing most content that you would expect to access in a web browser, such as the Internet, databases and online tools. Clientless mode also supports the Common Internet File System (CIFS). Clientless mode is limited to web-based content only; it does not provide access to TCP connections such as SSH or Telnet.
2. Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. The thin client is delivered via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment.
3. Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunneling client. Thick client mode provides extensive application support through dynamically downloaded SSL VPN Client software or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3) access to virtually any application.

Q7.
Modes of IPSEC
IKE is a two-phase protocol.

Phase 1
IKE phase 1 negotiates the following:
1. It protects the phase 1 communication itself (using crypto and hash algorithms).
2. It generates the session key using Diffie-Hellman groups.
3. Peers authenticate each other using pre-shared keys, public key encryption, or digital signatures.
4. It also protects the negotiation of the phase 2 communication.
There are two modes in IKE phase 1:
Main mode - A total of six messages are exchanged in main mode to establish the phase 1 SA.
Aggressive mode - It is faster than main mode, as only three messages are exchanged in this mode to establish the phase 1 SA. It is faster but less secure.
At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.

Phase 2
IKE phase 2 protects the user data and establishes the SA for IPsec.
There is one mode in IKE phase 2:
Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.
At the end of the phase 2 negotiation, two unidirectional IPsec SAs (phase 2 SAs) are established for user data, one for sending and another for receiving encrypted data.

Q8. Hashing mechanism: MD5, SHA1, SHA2.

Q9. In the TCP 3-way handshake, what are the contents of the SYN packet?
PAGE 1 - Q4

Q10. Basic function of a firewall.
Deny unwanted traffic.
A firewall is a device that is placed between a trusted and an untrusted network. It denies or permits traffic that enters or leaves the network based on pre-configured policies. Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example by keeping a management network separate from a user network.
Firewalls work at layers 3, 4 and 7.

Q11. STP, PVST+.
Spanning Tree Protocol (STP) is a protocol that prevents Layer 2 loops. STP enables switches to become aware of each other so that they can negotiate a loop-free path through the network.
In a practical scenario, redundant links are created to avoid complete network failure in the event of the failure of one link.

How does STP work?
STP chooses a reference point (the Root Bridge) in the network and calculates all the redundant paths to that reference point. Then it picks one path by which to forward frames and blocks the other redundant paths.

Q12. OSPF
Every OSPF router within the network has a 32-bit router ID (RID) that uniquely identifies it to the other routers on the network. Unlike EIGRP, OSPF prevents neighborships between routers with duplicate RIDs. All OSPF RIDs in a domain should be unique. The OSPF router ID should not be changed after the OSPF process is started and the OSPF neighborships are established. If you change the OSPF router ID, you need to either reload the IOS or use the "clear ip ospf process" command (restart the OSPF process) for the changed RID to take effect.
To manually configure the router ID:
    R1(config)# router ospf 5
    R1(config-router)# router-id 5.5.5.5
Open Shortest Path First is an open-standard link-state routing protocol that uses the Dijkstra algorithm to initially construct the shortest paths and then populates the routing table with the resulting best paths.

Q13. Troubleshooting on firewall
After the incredible response to the first blog on "IPSec important Debugging and logging", I thought of coming up with this new blog on IPsec troubleshooting and scenarios. I will cover this in 2 parts.
In this part I will be discussing the following problem scenarios:
- IKE SA not established
- IPSec SAs not established
- MTU/Fragmentation issues

Problem Scenario 1: No IKE SAs
If we are unable to establish an IPSec tunnel from the Branch location to the Hub location:
Check for routing.
Ping the Branch (using the HUB's IKE endpoint):
    HUB# ping ip 40.10.1.1 source 30.3.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 40.10.1.1, timeout is 2 seconds:
    Packet sent with a source address of 30.3.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Check for the IKE SA:
    HUB# sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    30.3.1.1        40.10.1.1       MM_NO_STATE          0    0 ACTIVE (deleted)

    IPv6 Crypto ISAKMP SA

Use IKE debugs to troubleshoot [ debug crypto isakmp ].

Problem Scenario 1a: No IKE SAs
    ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash SHA
    ISAKMP:      default group 2
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (basic) of 7200
    ISAKMP:(0):Encryption algorithm offered does not match policy!
    ISAKMP:(0):atts are not acceptable. Next payload is 0
    ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash SHA
    ISAKMP:      default group 2
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (basic) of 7200
    ISAKMP:(0):Encryption algorithm offered does not match policy!
    ISAKMP:(0):atts are not acceptable. Next payload is 0
    ISAKMP:(0):no offers accepted!
    ISAKMP:(0): phase 1 SA policy not acceptable! (local 30.3.1.1 remote 40.10.1.1)

Check the IKE policies:
    HUB# sh crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               7200 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
So once we change the encryption algorithm on the spoke side to AES, phase 1 will come up.

Problem Scenario 1b: No IKE SAs
    ISAKMP:(1017): sending packet to 40.10.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    ISAKMP:(1017):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    ISAKMP:(1017):Old State = IKE_R_MM3  New State = IKE_R_MM4
    ISAKMP (0:1017): received packet from 40.10.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
    ISAKMP: reserved not zero on ID payload!
    %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 40.10.1.1 failed its sanity check or is malformed

This means we have a mismatch in the pre-shared key; on correcting it our IKE SA should come up.
    HUB# sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    30.3.1.1        40.10.1.1       QM_IDLE           1019    0 ACTIVE

Problem Scenario 2: No IPSec SAs
If you notice that no traffic is being received through the IPSec tunnel: IKE SAs exist, but there are no IPSec SAs.
Check for the IPSEC SA (look for inbound and outbound SPIs):
    HUB# sh crypto ipsec sa peer 40.10.1.1
    interface: GigabitEthernet0/1
        Crypto map tag: CMAP, local addr 30.3.1.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (3.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (4.1.1.0/255.255.255.0/0/0)
       current_peer 40.10.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 30.3.1.1, remote crypto endpt.: 40.10.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x0(0)

         inbound esp sas:
         inbound ah sas:

         outbound esp sas:

         outbound ah sas:
    HUB#

Use IPSec debugs to troubleshoot [ debug crypto ipsec ].

Problem Scenario 2a: No IPSec SAs
    ISAKMP (0:1022): received packet from 40.10.1.1 dport 500 sport 500 Global (R) QM_IDLE
    ISAKMP:(1022): processing SA payload. message ID = -549695704
    ISAKMP:(1022):Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP:   attributes in transform:
    ISAKMP:      encaps is 1 (Tunnel)
    ISAKMP:      SA life type in seconds
    ISAKMP:      SA life duration (basic) of 1800
    ISAKMP:      SA life type in kilobytes
    ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    ISAKMP:      authenticator is HMAC-SHA
    ISAKMP:(1022):atts are acceptable.
    IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 30.3.1.1, remote= 40.10.1.1,
        local_proxy= 3.1.1.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 4.1.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    Crypto mapdb : proxy_match
            src addr     : 3.1.1.0
            dst addr     : 4.1.1.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-3des esp-sha-hmac }
    ISAKMP:(1022): IPSec policy invalidated proposal with error 256
    ISAKMP:(1022): phase 2 SA policy not acceptable! (local 30.3.1.1 remote 40.10.1.1)

Check the IPSec transform sets:
    HUB# sh cry ips transform-set
    Transform set TS: { esp-aes esp-sha-hmac  }
       will negotiate = { Tunnel,  },

On correcting the encryption algorithm in the transform-set, the tunnel should come up.

Problem Scenario 2b: No IPSec SAs
Check the crypto ACLs:
    HUB# sh access-list SPOKE-10-ACL
    Extended IP access list SPOKE10-ACL
        10 permit ip 3.1.1.0 0.0.0.255 5.1.1.0 0.0.0.255
    HUB#

On correcting the crypto access-list, the tunnel should come up.

Problem Scenario 3: Anti-Replay Issues
If you notice that some of the
applications are losing intermittent traffic, or that voice quality through the tunnel is bad:
Check if the IPSec SA is showing anti-replay drops:
    HUB# sh cry ips sa peer 40.10.1.1 detail
    interface: GigabitEthernet0/1
        Crypto map tag: CMAP, local addr 30.3.1.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (3.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (4.1.1.0/255.255.255.0/0/0)
       current_peer 40.10.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2900, #pkts encrypt: 2900, #pkts digest: 2900
        #pkts decaps: 1909, #pkts decrypt: 1909, #pkts verify: 1909
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
        #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
        #pkts invalid prot (recv) 0, #pkts verify failed: 0
        #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
        #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
        ##pkts replay failed (rcv): 1000
        #pkts internal err (send): 0, #pkts internal err (recv) 0

         local crypto endpt.: 30.3.1.1, remote crypto endpt.: 40.10.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0xC37422AA(3279168170)

         inbound esp sas:
          spi: 0x135E76B1(324957873)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 41, flow_id: SW:41, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4419198/860)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

The default IPSec anti-replay window is 64.
Packets received outside the window are dropped.
Re-ordering of packets can happen due to QoS on the encrypting router (Spoke) or in the transit network.
In current Cisco IOS versions, the anti-replay window can be increased up to 1024, or disabled altogether:
    crypto ipsec security-association window-size <size>
    crypto ipsec security-association replay disable
It is not recommended to disable anti-replay; first try to fix the QoS issue in the network or on the encrypting router (give better QoS to voice traffic, or use crypto LLQ), then try to increase the anti-replay window size.

This blog is a continuation of my earlier blogs. If you are a new user, I would highly encourage you to go through the first 2 blogs as well, to have a better understanding. I also want to thank you for your incredible responses on the other blogs.
In this part 2 I will be discussing the following problem scenarios:
- Routing issues (Reverse Route Injection)
- DPD
- Anti-Replay

Problem Scenario 1: Routing Issues
A user complains that no traffic is received through the IPSec tunnel. On further checking you find that IKE and IPSec SAs exist, but there is no end-to-end traffic; the spoke shows it is encrypting traffic, however there is no decrypt.
Check for the IPSec SA on the Hub site (look for inbound and outbound SPIs, encrypt/decrypt counts):
    HUB# sh crypto session remote 40.10.1.1 detail
    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
         K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

    Interface: GigabitEthernet0/1
    Profile: SPOKE10-PROF
    Uptime: 00:01:49
    Session status: UP-ACTIVE
    Peer: 40.10.1.1 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 40.10.1.1
          Desc: (none)
      IKE SA: local 30.3.1.1/500 remote 40.10.1.1/500 Active
              Capabilities:D connid:1029 lifetime:01:58:10
      IPSEC FLOW: permit ip 3.1.1.0/255.255.255.0 4.1.1.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 9949 drop 60 life (KB/Sec) 4483560/1690
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4485046/1690

    HUB# sh crypto ipsec sa peer 40.10.1.1
    interface: GigabitEthernet0/1
        Crypto map tag: CMAP, local addr 30.3.1.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (3.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (4.1.1.0/255.255.255.0/0/0)
       current_peer 40.10.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 9949, #pkts decrypt: 9949, #pkts verify: 9949
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 60

         local crypto endpt.: 30.3.1.1, remote crypto endpt.: 40.10.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0xF6278D63(4129787235)

         inbound esp sas:
          spi: 0x16C58DD4(382045652)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 27, flow_id: SW:27, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4483560/1659)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xF6278D63(4129787235)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 28, flow_id: SW:28, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4485046/1657)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

Check the routes (for the Spoke protected networks):
    HUB# sh ip route 4.1.1.1
    % Network not in table
    HUB#
    HUB# sh ip cef 4.1.1.1
    0.0.0.0/0, version 80, epoch 0, attached, default route handler
    0 packets, 0 bytes
      via 0.0.0.0, 0 dependencies
        valid no route adjacency
    HUB#

Check the crypto map for Reverse-Route Injection. This is needed for the Hub to inject a route for the Spoke protected subnets into its local routing table. The route is created when the IPSec SA is established.
Since 12.4T, for this route to be created (based on the crypto ACL) before the IPSec SA is established (so that the router can initiate the tunnel), we need the "reverse-route static" configuration.
In the VRF-aware IPSec scenario, it is better to use the "reverse-route remote-peer <next-hop-gateway>" configuration under the crypto map.

The old crypto map was:
    crypto map CMAP 10 ipsec-isakmp
     set peer 40.10.1.1
     set transform-set TS
     set isakmp-profile SPOKE10-PROF
     match address SPOKE10-ACL

Let's add the reverse route:
    crypto map CMAP 10 ipsec-isakmp
     set peer 40.10.1.1
     set transform-set TS
     set isakmp-profile SPOKE10-PROF
     match address SPOKE10-ACL
     reverse-route <static>

    IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 40.10.1.1
    IPSEC(rte_mgr): VPN Route Event create SA based on crypto ACL in real time for 40.10.1.1
    IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/1
    IPSEC(rte_mgr): VPN Route Added 4.1.1.0 255.255.255.0 via 0.0.0.0 in IP DEFAULT TABLE with tag 0 distance 1

    HUB# sh ip route 4.1.1.1
    Routing entry for 4.1.1.0/24
      Known via "static", distance 1, metric 0
      Redistributing via ospf 1
      Advertised by ospf 1 subnets
      Routing Descriptor Blocks:
      * 40.10.1.1
          Route metric is 0, traffic share count is 1

    HUB# sh ip cef 4.1.1.1
    4.1.1.0/24, version 83, epoch 0, cached adjacency 30.3.1.2
    0 packets, 0 bytes
      via 40.10.1.1, 0 dependencies, recursive
        next hop 30.3.1.2, GigabitEthernet0/1 via 40.0.0.0/8
        valid cached adjacency

Complete crypto map:
    HUB# show crypto map
    Crypto Map "CMAP" 10 ipsec-isakmp
            Peer = 40.10.1.1
            ISAKMP Profile: SPOKE10-PROF
            Extended IP access list SPOKE10-ACL
                access-list SPOKE10-ACL permit ip 3.1.1.0 0.0.0.255 4.1.1.0 0.0.0.255
            Current peer: 40.10.1.1
            Security association lifetime: 4608000 kilobytes/1800 seconds
            PFS (Y/N): N
            Transform sets={
                    TS,
            }
            Reverse Route Injection Enabled
            Interfaces using crypto map CMAP:
                    GigabitEthernet0/1

Problem Scenario 2: DPD
This is a scenario where the HUB keeps sending encrypted traffic, but it is not receiving any encrypted traffic from the Spoke. IKE and IPSec SAs are up.
Please perform the following steps:
Check if the Spoke is reachable (ping the tunnel endpoint address):
    HUB# ping 40.10.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 40.10.10.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
No replies.

Check if Dead Peer Detection is turned on:
    HUB# sh cry isa sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption

    IPv4 Crypto ISAKMP SA

    C-id  Local           Remote          I-VRF    Status     Encr  Hash  Auth  DH     Lifetime       Cap.
    1035  30.3.1.1        40.10.1.1                ACTIVE     3des  sha   psk   2      01:59:45
           Engine-id:Conn-id =  SW:35
So under Cap it is not listing anything, hence DPD is disabled.

Check the IPSec SA:
    HUB# sh cry ips sa
    interface: GigabitEthernet0/1
        Crypto map tag: CMAP, local addr 30.3.1.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (3.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (4.1.1.0/255.255.255.0/0/0)
       current_peer 40.10.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 30.3.1.1, remote crypto endpt.: 40.10.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x8BDBBA86(2346433158)

         inbound esp sas:
          spi: 0x67C89AAD(1741200045)

We notice very few decaps, so let's go ahead and configure DPD.
Configure DPD:
    crypto isakmp keepalive 60 10
    crypto isakmp keepalive 60 periodic

If DPD had been configured earlier, then you would have seen the following:
    HUB# sh cry isakmp peer de
    Peer: 40.10.1.1 Port: 500 Local: 30.3.1.1
     Phase1 id: 40.10.1.1
     flags:
     NAS Port: 0 (Normal)
     DPD information, struct 0x6727E0E8:
      Last_received: 237, dpd threshold (elapsed) 0
      my_last_seq_num: 0x5B72ECCC, peers_last_seq_num: 0x0
      sent_and_waiting: TRUE
     IKE SAs: 1 IPSec SA bundles: 1
      last_locker: 0x62FE32FC, last_last_locker: 0x0
      last_unlocker: 0x0, last_last_unlocker: 0x0

    HUB# sh cry isa sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption

    IPv4 Crypto ISAKMP SA

    C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime  Cap.
    1037  30.3.1.1        40.10.1.1                ACTIVE 3des sha  psk  2  01:59:43  D
           Engine-id:Conn-id =  SW:37
PS: It shows D under Cap now.

    ISAKMP:(1036):DPD incrementing error counter (4/5)
    ISAKMP: set new node 1992211651 to QM_IDLE
    ISAKMP:(1036):Sending NOTIFY DPD/R_U_THERE protocol 1
            spi 1718567840, message ID = 1992211651
    ISAKMP:(1036): seq. no 0x5B72ECCD
    ISAKMP:(1036): sending packet to 40.10.1.1 my_port 500 peer_port 500 (R) QM_IDLE
    ISAKMP:(1036):Sending an IKE IPv4 Packet.
    ISAKMP:(1036):purging node 1992211651
    ISAKMP:(1036):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
    ISAKMP:(1036):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    ISAKMP:(1036):DPD incrementing error counter (5/5)
    ISAKMP:(1036):peer 40.10.1.1 not responding!
    ISAKMP:(1036):peer does not do paranoid keepalives.
    ISAKMP:(1036):deleting SA reason "P1 errcounter exceeded (PEERS_ALIVE_TIMER)" state (R) QM_IDLE
        (peer 40.10.1.1)

It is always better to use DPD instead of periodic keepalives. DPD works well in conjunction with IPSec HA: geographically distributed peers (multiple 'set peer' entries under the crypto map), or HSRP adjacent peers (peer to the VIP address).

Problem Scenario 3: Anti-Replay Issues
Users complain that an application is losing intermittent traffic, or that voice quality through the tunnel is bad.
Check if the IPSec SA is showing anti-replay drops:
    HUB# sh cry ips sa peer 40.10.1.1 detail
    interface: GigabitEthernet0/1
        Crypto map tag: CMAP, local addr 30.3.1.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (3.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (4.1.1.0/255.255.255.0/0/0)
       current_peer 40.10.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2900, #pkts encrypt: 2900, #pkts digest: 2900
        #pkts decaps: 1909, #pkts decrypt: 1909, #pkts verify: 1909
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
        #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
        #pkts invalid prot (recv) 0, #pkts verify failed: 0
        #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
        #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
        ##pkts replay failed (rcv): 1000
        #pkts internal err (send): 0, #pkts internal err (recv) 0

         local crypto endpt.: 30.3.1.1, remote crypto endpt.: 40.10.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0xC37422AA(3279168170)

         inbound esp sas:
          spi: 0x135E76B1(324957873)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 41, flow_id: SW:41, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4419198/860)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

So we can see there is a good number of replay-failed packets in the above show command.
By default the IPSec anti-replay window size is 64. Hence, packets received outside the window will be dropped. Normally re-ordering of packets can happen due to QoS on the encrypting router (Spoke) or in the transit network. In current Cisco IOS versions, the anti-replay window can be increased up to 1024, or disabled altogether:
    crypto ipsec security-association window-size <size>
    crypto ipsec security-association replay disable
It is not recommended to disable anti-replay. Hence first try to fix the QoS issue in the network or on the encrypting router (give better QoS to voice traffic, or use crypto LLQ), then try to increase the anti-replay window size with the above-mentioned command.

That sums up my problem scenarios blog. I hope you liked these scenarios and that you will be able to implement these best practices in your infrastructure to have a seamless network.

Q14. Proxy firewall / cluster firewall
An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application. Proxy servers can provide additional functionality such as content caching and security by preventing direct connections from outside the network. However, this may also impact throughput capabilities and the applications they can support.
Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.

Q15. Types of NAT and the basic difference between NAT and PAT.
Static NAT - A consistent mapping between a real and a mapped IP address. It allows bidirectional traffic initiation.
Dynamic NAT - A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses on a first-come, first-served basis.
It allows only unidirectional traffic initiation.
Dynamic Port Address Translation (PAT) - A group of real IP addresses is mapped to a single IP address using a unique source port of that IP address.
Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.

What is Policy NAT?
Policy NAT allows you to NAT by specifying both the source and destination addresses in an extended access list. We can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, not the destination address.
In Static NAT it is called Static Policy NAT.
In Dynamic NAT it is called Dynamic Policy NAT.

Give the order of preference between different types of NAT.
1. NAT exemption.
2. Existing translation in xlate.
3. Static NAT
   - Static Identity NAT
   - Static Policy NAT
   - Static NAT
   - Static PAT
4. Dynamic NAT
   - NAT Zero
   - Dynamic Policy NAT
   - Dynamic NAT
   - Dynamic PAT

What is the difference between Auto NAT and Manual NAT?
Auto NAT (Network Object NAT) - It only considers the source address while performing NAT. So Auto NAT is only used for static or dynamic NAT. Auto NAT is configured within an object.
Manual NAT (Twice NAT) - Manual NAT considers either only the source address or both the source and destination address while performing NAT. It can be used for almost all types of NAT, like NAT exempt, policy NAT etc. Unlike Auto NAT, which is configured within an object, Manual NAT is configured directly from global configuration mode.

Give the NAT order in terms of Auto NAT and Manual NAT.
NAT is ordered in 3 sections:
Section 1 - Manual NAT
Section 2 - Auto NAT
Section 3 - Manual NAT After-Auto

Q16. Why do we need a DMZ in a firewall?
The ASA uses security levels to determine the trustworthiness of the network attached to the respective interface. The security level can be configured between 0 and 100, where higher numbers are more trusted than lower ones.
By default, the ASA allows traffic from a higher security level to a lower security level only. If we need some network resources such as a web server or FTP server to be available to outside users, we place these resources on a separate network behind the firewall called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects those servers and does not affect the inside network.

Q17. What do you know about IPsec?

IP Security Protocol VPN means VPN over IP Security. It allows two or more peers to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data origin authentication between participating peers.

At what layer does IPsec work?
IPsec secures IP traffic at Layer 3 (the Network Layer) of the OSI model.

Name a major drawback of IPsec.
IPsec only supports unicast IP traffic; multicast (and therefore most dynamic routing protocols) has to be carried inside a GRE tunnel first.

Q18. Network architecture? How big was the network you have worked on?

NET-APP

Q1. Transparent firewall.

What is a transparent firewall?
In transparent mode, the ASA acts as a Layer 2 device like a bridge or switch and forwards Ethernet frames based on the destination MAC address.

What is the need for a transparent firewall?
Deploying a new firewall into an existing network can be a complicated process because of issues like IP address reconfiguration, network topology changes, the current firewall, etc. We can easily insert a transparent firewall into an existing segment and control traffic between the two sides without having to readdress or reconfigure the devices.

What are the similarities between a switch and an ASA in transparent mode?
Both learn which MAC addresses are associated with which interface and store them in a local MAC address table.

What are the differences between a switch and an ASA in transparent mode?
The ASA does not flood unknown unicast frames that are not found in its MAC address table.
The ASA does not participate in STP.
A switch processes traffic at Layer 1 and Layer 2, while the ASA can process traffic from Layer 1 up to Layer 7.

Which features are not supported in transparent mode?
1. Dynamic routing.
2. Multicast routing.
3. QoS.
4. VPNs like IPsec and WebVPN cannot be terminated on the ASA (VPN traffic can still pass through it).
5. The ASA cannot act as a DHCP relay agent.

Q2. Same security level. How can they communicate with each other?
By default traffic between interfaces with the same security level is denied; it is enabled with the same-security-traffic permit inter-interface command.

Q3. IPsec / SSL VPN
Page 15 – Q17
Page 2 – Q6

Q4. Types of NAT (order of NAT), static NAT configuration.
Page 13 – Q15

Q5. IPsec troubleshooting, phase I and II.
Page 3 – Q13

Q6. An external client wants to communicate with a web server situated inside the company.

Q7. Frame (preamble).
The Data Link layer formats the message into pieces, each called a data frame, and adds a customized header containing the hardware source and destination address.

Q8. Tell us about your company project.

Q9. DNS
DNS is a very popular and well-known protocol. It is used for resolving host names and domain names to IP addresses. For example, when we type a name in the browser, the name is translated into an IP address via a number of queries that take place from your PC towards the DNS server.

HP

Q1. What is a firewall? What is a stateful firewall?

A firewall is a device that is placed between a trusted and an untrusted network. It denies or permits traffic that enters or leaves the network based on pre-configured policies. Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other.
For example, by keeping a management network separate from a user network.

Stateful firewall - A stateful firewall is aware of the connections that pass through it. It adds and maintains information about users' connections in a state table, referred to as the connection table. It then uses this connection table to implement the security policies for users' connections. Examples of stateful firewalls are PIX, ASA and Check Point.

A stateful firewall maintains the following information in its state table:
1. Source IP address.
2. Destination IP address.
3. IP protocol, like TCP or UDP.
4. IP protocol information such as TCP/UDP port numbers, TCP sequence numbers, and TCP flags.

Q2. NAT definition, Static NAT, Dynamic NAT, Identity NAT, NAT exemption, nat-control.
Page 13 – Q15

Q3. Mechanism of NAT and how NAT works.

Network Address Translation translates private addresses into public addresses before packets are routed to the public network. It allows a network device such as a router to translate addresses between the private and public network.

What are the situations where NAT is required?
1. When we need to connect to the internet and our hosts do not have globally unique IP addresses.
2. When we want to hide internal IP addresses from the outside for security purposes.
3. When a company is going to merge with another company which uses the same address space.

What are the advantages of NAT?
1. It conserves legally registered IP addresses.
2. It prevents address overlapping.
3. It provides some security by hiding internal (private) IP addresses.
4. It eliminates address renumbering as a network evolves.

Q4. NAT order.
Page 13 – Q15

Q5. How does packet flow work? If a packet from inside is getting dropped while going outside, how will you trace it?

How does a firewall process a packet?
When a packet is received on the ingress interface, the ASA checks whether it matches an existing entry in the connection table. If it does, protocol inspection is carried out on that packet and it is forwarded.

If it does not match an existing connection and the packet is either a TCP SYN packet or a UDP packet, the packet is subjected to ACL checks. The reason it needs to be a TCP SYN packet is that a SYN packet is the first packet in the TCP three-way handshake; any other TCP packet that is not part of an existing connection is likely an attack (or an asymmetric-routing problem) and is dropped.

If the packet is allowed by the ACLs and is also verified by the translation rules, the packet goes through protocol inspection.

Then the IP header is translated if NAT is used. If the NAT rule specifies an egress interface, the ASA will virtually forward the packet to this egress interface and then perform a route lookup.

If a route is found that specifies the egress interface, the Layer 2 header of the packet is rewritten and the packet is forwarded out the egress interface.

To trace a dropped packet on the ASA, the packet-tracer command walks a synthetic packet through exactly these phases and reports which phase dropped it.

Q6. Active FTP and passive FTP concept in the ASA.
Q7. What is inspection and MPF (Modular Policy Framework)?
Q8. How can we know whether our inspection is working on NAT? Tell the command.
Q9. IPsec: (i) phases and modes; (ii) troubleshooting when the tunnel is down but phase I is up; (iii) aggressive mode.
Explain how IKE/ISAKMP works?
Page 2 – Q7
Q10. SSL VPN.
Page 2 – Q6
Q11. With the same security level, will ping happen or not?
Not by default (only with same-security-traffic permit inter-interface).
Q12. IP spoofing.
Firewall rules can be based on source and destination IP addresses. Attackers use IP spoofing to change a packet's source IP address and make the packet look like it is from a trusted source.
If your network is not protected against IP spoofing (for example with unicast reverse-path forwarding checks, ip verify reverse-path on the ASA), attackers can exploit that trust in the firewall rules and gain access to the network.

Q13. DNS doctoring.
DNS doctoring enables an internal host on a LAN to receive the private IP of an internal server as the answer to a DNS query when using a DNS server that is outside the LAN, such as on the internet. A static NAT translation must also exist to translate the public IP to the private IP. Without DNS doctoring, the external DNS server will reply with the public IP address of the host on the internal LAN, and the internal client would then have to hairpin through the firewall to reach it.

Q14. Site-to-site VPN configuration on the ASA.
Q15. On which port does SSL VPN work?
443
Q16. Difference between SSL VPN and WebVPN.

Round 2 in HP

Q17. Stateful firewall.
Page 16 – Q1
Q18. What is packet-tracer?
Page 17 – Q9
Q19. What is an IP address? Private IP address.
An IP address is a software (logical) address assigned to each machine on an IP network. It specifies the location of a device on the network and allows hosts on one network to communicate with hosts on a different network. An IPv4 address is 32 bits of information, divided into four sections referred to as octets or bytes; each octet contains 1 byte (8 bits).
An IP address can be depicted using one of three methods:
1. Dotted decimal, example - 172.16.30.56
2. Binary - 10101100.00010000.00011110.00111000
3. Hexadecimal - AC.10.1E.38
Private IP addresses can be used only on a private network; they are not routed across the Internet. Private addresses (RFC 1918) save valuable public address space and, as a side effect, hide internal hosts from the outside.
Class A - 10.0.0.0 to 10.255.255.255
Class B - 172.16.0.0 to 172.31.255.255
Class C - 192.168.0.0 to 192.168.255.255
Q20. Does a switch work on MAC address or IP address?
MAC address
Q21. 10.1.1.0/24 - which class does it belong to?
Class A (and it falls inside the 10.0.0.0/8 private range).
Q22. FWSM (Firewall Services Module).
The Firewall Services Module (FWSM) is a firewall line card that Cisco integrated into its Catalyst 6500 switches and 7600 Series routers.

First stage in NAT-APP test

Q1.
Stuck in Active (EIGRP).
Q2. FTP definition.
Q3. What is a subnet mask? Why do we use a subnet mask?
A subnet mask is a 32-bit value that allows the recipient of IP packets to distinguish the network ID portion of the IP address from the host ID portion.
Q4. OSI layers.
List the layers of the OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical.
What are the functions of the Transport, Network and Data Link layers?
Transport layer
1. It segments and reassembles data from upper-layer applications and combines it into the same data stream.
2. It provides end-to-end data transport services.
3. It establishes a logical connection between the sending host and the destination host on an internetwork.
4. It ensures data integrity at the Transport layer by maintaining flow control.
Network layer
1. The Network layer (Layer 3) manages device addressing.
2. It tracks the location of devices on the network.
3. It determines the best way to move data between devices that are not locally attached.
4. Routers function at the Network layer to provide routing services within an internetwork.
Data Link layer
1. The Data Link layer is responsible for the physical transmission of the data.
2. It handles error notification and flow control.
3. It ensures that messages are delivered to the proper device on a LAN using MAC addresses.
4. It translates messages from the Network layer into bits for the Physical layer to transmit.
5. It formats the message into a data frame and adds a customized header containing the hardware destination and source address.
Q5. TCP/IP layers.
Transport layer functions as listed under Q4 above (segmentation and reassembly, end-to-end transport, logical connection between hosts, flow control).
Q6. What is DoS?
Q7. What is a private IP and its range?
These addresses can be used only on a private network; they are not routed across the Internet. Private IP addresses save valuable public address space and also hide internal hosts from the outside.
Class A - 10.0.0.0 to 10.255.255.255
Class B - 172.16.0.0 to 172.31.255.255
Class C - 192.168.0.0 to 192.168.255.255
Q8. What is a VPN?
A Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet.
What are Authentication, Confidentiality and Integrity?
Authentication - Verifies that the packet received is actually from the claimed sender, i.e. it verifies the authenticity of the sender. Pre-shared keys and digital certificates are some methods that can be used for authentication.
Integrity - Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle. Hashing algorithms include MD5 and SHA (used as keyed HMACs in IPsec).
Confidentiality - Encrypts the message content so that data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple DES) and AES (Advanced Encryption Standard); DES and 3DES are considered weak today and AES should be preferred.
Q9. What is the use of a tunnel in a VPN?
What is the difference between transport and tunnel mode?
Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates and protects the entire original IP packet (original IP header plus payload) and adds a new IP header.
Transport mode - Protects data in host-to-host or end-to-end scenarios. IPsec protects only the payload of the original IP datagram (the upper-layer protocol data), leaving the original IP header in place.
The IPsec protocols AH and ESP can both operate in either transport mode or tunnel mode.

IBM

Q1. What is a VLAN?
A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.
A VLAN divides the broadcast domain, so the frames that are broadcast onto the network are only switched between the ports logically grouped within the same VLAN.
Q2. Function of HSRP.
HSRP (Hot Standby Router Protocol) is a first-hop redundancy protocol, not a routing protocol: it provides a backup to the default gateway router in the event of failure. Using HSRP, several routers connected to the same segment of an Ethernet, FDDI or Token Ring network work together to present the appearance of a single virtual router (one virtual IP and MAC address) on the LAN.
Q3. Stuck in Active.
Q4. AD of OSPF.
110
Q5. AD and FD of EIGRP.
The administrative distance of EIGRP is 90 for internal routes (170 for external routes, 5 for summary routes). The feasible distance (FD) is the lowest metric to a destination as calculated by the local router through its successor.
Q6. Role of area 0.
While configuring multi-area OSPF, one area must be area 0, referred to as the backbone area. All other areas must connect to the backbone area, as inter-area traffic is sent through the backbone.
Q7. In this scenario the host should be communicating with the server. What will the routing be?
Q8. Zero downtime in the ASA firewall.

In this post I will describe how I upgraded the software of my Active/Standby failover Cisco ASA 5512X from 8.6 to 9.1. Additionally, I will upgrade the ASDM to the latest version.

When upgrading the software of your Cisco ASA it's important to read the release notes beforehand. Go through each major and minor release version. According to Cisco, you should upgrade to the latest minor release version before upgrading to the next major version. This is important if you want to maintain a zero-downtime upgrade.

A minor release upgrade is, for example, going from 8.3 to 8.4. Which means zero downtime is not supported from 8.3 to 8.6. A major release upgrade is going from the base version to the next release, for example 8.6 to 9.0. This would be supported for zero downtime. It would NOT be supported if you were to go from 8.6 to 9.1.

In my process, I went from 8.6 to 9.0 and then from 9.0 to 9.1.

Before we do any sort of upgrade on the ASA, we need to make a backup. After the backups, we will upload the bin file to the primary ASA and the secondary ASA. The same goes for ASDM.
After the bin is uploaded, you change the active and standby ASA boot system order. You can have multiple boot systems and the ASA will pick from the top. Then you reboot the ASA and it should be on the latest version.

Detailed Steps

Step 1. Back up your configuration either by TFTP or by using the following command and copying the output:
asa# more system:running-config

Step 2. Copy the ASA software to the active unit's flash memory.
asa# copy t disk0:/asa901-smp-k8.bin

Step 3. Copy the software to the standby unit. Use the same path as on the active unit.
asa# failover exec mate copy /noconfirm t disk0:/asa901-smp-k8.bin

Step 4. Copy the ASDM image to the active unit's flash memory.
asa# copy t disk0:/asdm-711.bin

Step 5. Copy the ASDM image to the standby unit. Use the same path as on the active unit.
asa# failover exec mate copy /noconfirm t disk0:/asdm-711.bin

Step 6. Enter global configuration mode.
asa# conf t
asa(config)#

Step 7. Verify the currently configured boot images. The ASA uses these images in order. To make the ASA boot the new image, remove the existing entries and enter the image URLs in the order desired.
asa(config)# show running-config boot system

Step 8. Remove any existing boot image.
asa(config)# no boot system disk0:/asa861-smp-k8.bin

Step 9. Set the ASA image to boot. Repeat the command for backup images.
asa(config)# boot system disk0:/asa901-smp-k8.bin
asa(config)# boot system disk0:/asa861-smp-k8.bin

Step 10. Set the ASDM image to use. Only one can be configured.
asa(config)# asdm image disk0:/asdm-711.bin

Step 11. Save the settings to the startup config.
asa(config)# wr mem

Step 12. Reload the standby unit to boot the new image. Wait for the standby to finish loading and use the show failover command to verify the standby unit is in the Standby Ready state.
asa# failover reload-standby

Step 13. Force the active unit to fail over to the standby unit.
asa# no failover active

Step 14. Reload the former active unit. Log into the active unit:
asa# reload

After upgrading to the major version, verify both ASAs have the same software version.
Then you can begin the process again to upgrade to the next minor release version.

Verification

If all is good you will see the standby ASA running a newer version than the active ASA. The firewall also displays a message about the mismatch.

Running show version will determine whether your ASA booted with the latest image.

After reloading both ASAs, run show failover to ensure there is an Active and a Standby.

asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 114 maximum
failover replication http
Version: Ours 9.0(1), Mate 9.0(1)
Last Failover at: 14:51:20 PDT Jun 19 2014
        This host: Primary - Active
                Active time: 266969 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.0(1)) status (Up Sys)
                  Interface Inside (192.168.254.254): Normal (Monitored)
                  Interface DMZ (10.1.254.254): Normal (Monitored)
                  Interface OutsideTWO (172.16.254.254): Normal (Monitored)
                  Interface OutsideONE (172.16.253.254): Normal (Monitored)
                  Interface MGMT (10.10.10.254): Link Down (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5512 hw/sw rev (1.0/9.0(1)) status (Up Sys)
                  Interface Inside (192.168.254.253): Normal (Monitored)
                  Interface DMZ (10.1.254.253): Normal (Monitored)
                  Interface OutsideTWO (172.16.254.253): Normal (Monitored)
                  Interface OutsideONE (172.16.253.253): Normal (Monitored)
                  Interface MGMT (10.10.10.253): Normal (Monitored)
                slot 1: IPS5512 hw/sw rev (N/A/) status (Unresponsive/Up)

There is specific state information that is passed/not passed to the standby ASA. It's important to know what these are and how they pertain to your environment.
Otherwise, schedule a maintenance window outside of normal business hours.

State information passed:
NAT table
TCP connection states
UDP connection states
ARP table
HTTP connection states
ISAKMP and IPsec SA table
SIP signalling sessions

State information not passed:
User authentication (uauth) table
Routing tables
State information for Security Service Modules
DHCP server address leases

Q9. Site-to-site VPN (modes and the 9-packet negotiation).
Modes - Page 2 – Q7

Explain the message exchange between the peers in IKE/ISAKMP (IKEv1).

Phase 1 - Main Mode
MESSAGE 1: The initiator offers its policy proposal(s), which include the encryption, hashing, authentication and Diffie-Hellman group parameters (for example AES or 3DES, MD5 or SHA, PSK or certificates).
MESSAGE 2: The responder returns the proposal it accepts (or rejects the exchange).
MESSAGE 3: The initiator sends its Diffie-Hellman public value and a nonce.
MESSAGE 4: The responder sends its Diffie-Hellman public value and a nonce.
MESSAGE 5: The initiator sends its ID and its authentication data (a keyed hash derived from the pre-shared key, or a signature plus certificate).
MESSAGE 6: The responder sends its ID and authentication data in the same way.
Only the first four messages are exchanged in clear text; from message 5 on, all messages are encrypted with keys derived from the Diffie-Hellman shared secret. Note that the pre-shared key itself is never sent: each side proves knowledge of it with a keyed hash over the values exchanged so far.

Phase 2 - Quick Mode
MESSAGE 7: The initiator sends a hash, the IPsec proposal(s), the proxy IDs (interesting traffic) and a nonce.
MESSAGE 8: The responder sends a hash, the chosen IPsec proposal, the proxy IDs and a nonce.
MESSAGE 9: The initiator sends a final hash that confirms liveness and completes the exchange.
All messages in Quick Mode are encrypted under the Phase 1 SA.
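The Phase 1 exchange above can be made concrete with a short simulation. The following is an added example, not code from the original page: it derives the IKEv1 SKEYID and the HASH_I/HASH_R authentication values exactly as RFC 2409 section 5 specifies them for pre-shared-key authentication, shows that both peers only end up with the same keys when they hold the same PSK, and then shows why aggressive mode (Q9 part iii, and CSS Corp Q11 below) is weaker: its HASH_R travels unencrypted, so an eavesdropper can test PSK guesses offline. The Diffie-Hellman group is a toy prime (2**127-1, not an IKE group) so that the script runs instantly, and the cookies, nonces, SA payload and identities are constructed values; HMAC-SHA1 is assumed as the prf and the message encryption itself is left out.

```python
# Added example (not from the original page): IKEv1 Phase 1 key derivation with
# pre-shared-key authentication, following RFC 2409 section 5.
# ASSUMPTIONS: toy DH modulus (2**127-1 is prime but is NOT an IKE group), constructed
# cookies/nonces/SA/IDs, HMAC-SHA1 as prf, ISAKMP encryption omitted.
import hashlib
import hmac
import secrets

TOY_P = 2**127 - 1   # toy modulus (assumption), real IKE uses RFC 2409/3526 MODP groups
TOY_G = 5


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); the PSK never leaves the host
    return prf(psk, ni + nr)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    # SKEYID_d feeds IPsec keys, SKEYID_a protects ISAKMP integrity, SKEYID_e encrypts ISAKMP
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def auth_hash(skeyid, g_own, g_peer, cky_own, cky_peer, sa_i, ident):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R mirrors the order
    return prf(skeyid, g_own + g_peer + cky_own + cky_peer + sa_i + ident)


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run messages 1-6 between two peers that may hold different PSKs."""
    sa_i = b"SA:AES-256/SHA1/PSK/DH-toy"                             # message 1 proposal (constructed)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    id_i, id_r = b"initiator.example", b"responder.example"
    # messages 3 and 4: DH public values and nonces, all in clear text
    xi, xr = secrets.randbelow(TOY_P - 2) + 1, secrets.randbelow(TOY_P - 2) + 1
    gxi, gxr = to_bytes(pow(TOY_G, xi, TOY_P)), to_bytes(pow(TOY_G, xr, TOY_P))
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # each side computes g^xy from the peer's public value and its own secret exponent
    gxy_i = to_bytes(pow(int.from_bytes(gxr, "big"), xi, TOY_P))
    gxy_r = to_bytes(pow(int.from_bytes(gxi, "big"), xr, TOY_P))
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    keys_i = derive_keys(skeyid_i, gxy_i, cky_i, cky_r)
    keys_r = derive_keys(skeyid_r, gxy_r, cky_i, cky_r)
    # messages 5 and 6 carry ID + HASH (encrypted with SKEYID_e in the real protocol)
    hash_i = auth_hash(skeyid_i, gxi, gxr, cky_i, cky_r, sa_i, id_i)
    hash_r = auth_hash(skeyid_r, gxr, gxi, cky_r, cky_i, sa_i, id_r)
    # each side recomputes the peer's hash under its own SKEYID; a PSK mismatch fails here
    ok_r = hmac.compare_digest(hash_i, auth_hash(skeyid_r, gxi, gxr, cky_i, cky_r, sa_i, id_i))
    ok_i = hmac.compare_digest(hash_r, auth_hash(skeyid_i, gxr, gxi, cky_r, cky_i, sa_i, id_r))
    return {
        "authenticated": ok_i and ok_r,
        "keys_i": keys_i,
        "keys_r": keys_r,
        # in aggressive mode HASH_R is sent unencrypted; a sniffer sees all of these but the PSK
        "aggressive_view": (hash_r, gxi, gxr, cky_i, cky_r, sa_i, id_r, ni, nr),
    }


def crack_psk_aggressive(view: tuple, wordlist):
    """Offline dictionary attack on an aggressive-mode HASH_R: no interaction with the peer needed."""
    hash_r, gxi, gxr, cky_i, cky_r, sa_i, id_r, ni, nr = view
    for guess in wordlist:
        candidate = auth_hash(skeyid_psk(guess, ni, nr), gxr, gxi, cky_r, cky_i, sa_i, id_r)
        if hmac.compare_digest(hash_r, candidate):
            return guess
    return None


if __name__ == "__main__":
    good = main_mode(b"correct horse battery", b"correct horse battery")
    print("authenticated:", good["authenticated"], "keys match:", good["keys_i"] == good["keys_r"])
    print("recovered PSK:", crack_psk_aggressive(good["aggressive_view"], [b"cisco123", b"correct horse battery"]))
```

The takeaway for the interview question is the last function: in main mode the same HASH_R is sent only after the DH secret is established and is encrypted, so a passive attacker cannot run the dictionary loop; in aggressive mode with a pre-shared key, the strength of the tunnel is the strength of the PSK against offline guessing.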
Q10. SSL VPN packet transfer (the TLS handshake).
1. The client initiates by sending a CLIENT HELLO message which contains the highest SSL/TLS version the client supports, the cipher suites (cryptographic algorithms) supported by the client in order of preference, and a random number.
2. The server sends back a SERVER HELLO message which contains the version number (the server selects the highest version supported by both sides), the cipher suite selected by the server from the client's list, a session ID, and its own random number.
3. The server also sends its certificate, signed by a certificate authority, to authenticate itself; the certificate carries the server's public key.
4. The server then sends SERVER HELLO DONE, indicating that it has finished its part of the hello exchange and is waiting for the client.
5. The client sends its own certificate if the server requested client authentication.
6. The client sends a CLIENT KEY EXCHANGE message. With RSA key exchange the client generates a random premaster secret, encrypts it with the server's public key taken from the certificate, and sends it; the server decrypts it with its private key. Both sides then derive the master secret from the premaster secret and the two random values, and from the master secret the symmetric session keys used to encrypt and integrity-protect the data of the session.
7. The client sends a CHANGE CIPHER SPEC message, informing the server that subsequent messages will be encrypted with the session keys.
8. The client sends its FINISHED message, a keyed hash over all handshake messages so far, so that any tampering with the negotiation is detected.
9. The server also sends CHANGE CIPHER SPEC.
10. The server sends its own FINISHED message, after which application data flows encrypted.
Q11. In the scenario below the PC wants to ping the internet but the traffic is being dropped. What will be the troubleshooting? The scenario is below.
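Steps 6 to 10 above hinge on both sides computing the same secrets from the premaster secret and the two Hello randoms. The block below is an added example, not code from the original page: it implements the TLS 1.2 PRF (RFC 5246 section 5), the master secret and key block expansion (sections 8.1 and 6.3), and the FINISHED verify_data (section 7.4.9), then shows that the client and server keys agree and that a FINISHED check fails if the handshake transcript was altered in transit. The RSA encryption of the premaster secret is not modelled (the script assumes the server has already decrypted it), and the randoms and transcript are constructed values.

```python
# Added example (not from the original page): TLS 1.2 key derivation per RFC 5246.
# ASSUMPTIONS: RSA transport of the premaster secret is skipped; both sides are handed
# the same 48 bytes; Hello randoms and the handshake transcript are constructed.
import hashlib
import hmac
import secrets


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i) + seed)."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def make_premaster(client_version: bytes = b"\x03\x03") -> bytes:
    # RFC 5246 7.4.7.1: 2 version bytes + 46 random bytes, generated by the client
    return client_version + secrets.token_bytes(46)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 5246 8.1: PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    # RFC 5246 6.3: the seed order flips to server_random + client_random for key expansion
    total = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    # RFC 5246 7.4.9: verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def handshake_demo(tamper_transcript: bool = False) -> dict:
    """Both sides derive keys from one premaster; the FINISHED check catches a modified transcript."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = make_premaster()                      # client-generated, RSA-encrypted to the server
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"  # constructed
    ms_client = master_secret(premaster, client_random, server_random)
    ms_server = master_secret(premaster, client_random, server_random)   # after RSA decryption
    # AES-128-CBC with HMAC-SHA1: 20-byte MAC keys, 16-byte cipher keys, 16-byte IVs
    keys_client = key_block(ms_client, client_random, server_random, 20, 16, 16)
    keys_server = key_block(ms_server, client_random, server_random, 20, 16, 16)
    client_finished = finished_verify_data(ms_client, b"client finished", transcript)
    seen_by_server = transcript + (b"|tampered" if tamper_transcript else b"")
    server_check = finished_verify_data(ms_server, b"client finished", seen_by_server)
    return {
        "master_len": len(ms_client),
        "keys_match": keys_client == keys_server,
        "server_key_len": len(keys_server["server_key"]),
        "finished_ok": hmac.compare_digest(client_finished, server_check),
    }


if __name__ == "__main__":
    print(handshake_demo())
    print(handshake_demo(tamper_transcript=True))
```

Two details worth noticing when reading a capture: the master secret mixes in both randoms, so a replayed ClientKeyExchange never yields the same keys twice, and the FINISHED value covers the whole transcript, which is what stops an active attacker from silently downgrading the cipher suite chosen in step 2.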
Q12. Difference between ABR and ASBR.
An Area Border Router (ABR) is the router that connects other areas to the backbone area within an autonomous system. An ABR has interfaces in more than one area.
An Autonomous System Boundary Router (ASBR) is the router that connects different autonomous systems; it redistributes external routes into OSPF.
Q13. What is the AD value of OSPF?
110
Q14. In the scenario below, how will PC A communicate with PC B?
No.
Q15. In this scenario will inside communicate or ping to outside?

CSS CORP

Q1. TCP windowing.
The 16-bit Window field in the TCP header is advertised by the receiver and indicates the number of bytes the sender may transmit beyond the last acknowledged byte before it must wait for an acknowledgment (the receive window; the window scale option extends it beyond 65,535 bytes).
Q2. MTU and MSS.
MTU - The maximum transmission unit (MTU) defines the largest Layer 3 packet that can be sent over a medium (1500 bytes on Ethernet).
MSS - The maximum segment size (MSS) is the largest amount of TCP payload a host is willing to receive in one segment; it is the MTU minus the IP and TCP headers (1460 bytes with a 1500-byte MTU and no options) and is announced in the SYN.
Q3. DHCP DORA.
DHCP works on the DORA process (DISCOVER - OFFER - REQUEST - ACKNOWLEDGEMENT).
1. When a client needs an IP configuration, it tries to locate a DHCP server by sending a broadcast called DHCP DISCOVER. This message has a destination IP of 255.255.255.255 and a destination MAC of ff:ff:ff:ff:ff:ff.
[Source IP - 0.0.0.0, Destination IP - 255.255.255.255, Source MAC - MAC address of host, Destination MAC - FF:FF:FF:FF:FF:FF]
2. On receiving the DHCP DISCOVER, the server sends a DHCP OFFER message to the client. The DHCPOFFER is a proposed configuration that may include an IP address, DNS server address and lease time. This message is normally unicast to the client's MAC address (broadcast if the client set the broadcast flag); the source MAC is that of the DHCP server.
[Source MAC - MAC address of server, Destination MAC - MAC address of host]
3. If the client finds the offer agreeable, it sends a DHCP REQUEST message requesting those particular IP parameters. This message is a broadcast, so that any other servers that made offers learn their offer was declined.
[Source MAC - MAC address of host, Destination MAC - FF:FF:FF:FF:FF:FF]
4. The server, on receiving the DHCP REQUEST, makes the configuration official by sending a DHCP ACK acknowledgment (unicast to the client's MAC address).
[Source MAC - MAC address of server, Destination MAC - MAC address of host]
Q4.
TCP sequence number.
The Sequence Number is a 32-bit field that identifies the position of the first data byte of the segment in the sender's byte stream. By the sequence number the sender can be assured that the receiver received the data, because the receiver uses it to compute the acknowledgment number in the next segment it sends. When the TCP session starts, the initial sequence number (ISN) can be any number in the range 0–4,294,967,295, and it should be unpredictable, otherwise an off-path attacker can inject segments into the connection.
The Acknowledgment Number is the next sequence number the receiver expects: the received sequence number plus the number of data bytes in the segment. SYN and FIN each count as one byte, which is why a SYN is acknowledged with ISN+1.
Q5. VPN 9 packets.
Page 24 – Q9
Q6. DORA packet types.
Page 26 – Q4
Q7. Does a UDP packet have a sequence number?
No. UDP does not insert sequence numbers, does not acknowledge datagrams and has no flow control, so the receiver cannot signal the sender to slow down. Lost or reordered datagrams simply arrive missing or out of order, and it is up to the application (RTP, for example, adds its own sequence numbers) to detect that.
Q8. After windowing, if one segment gets dropped at the receiver end, what does the receiver send to the sender so as to get the dropped packet?
Q9. In this scenario PC-3 is getting an APIPA address. What will be the troubleshooting?
Q10. Difference between NACK and ACK.
Q11. Difference between Main Mode and Aggressive Mode.
Page 24 – Q9
Q12. SSL handshake.
Page 24 – Q10
Q13. Why do we use a VPN?
Page 19 – Q8
Q14. In this scenario how does C come to know whether each fragment has been received or rejected, and how will C know which one is the first and which the last fragment?

IBM

Q1. Tell me about yourself and your day-by-day job responsibilities.
Q2. What is the most difficult troubleshooting you faced in your previous company?
Q3. One site is in India and the other site is in the USA. Create a site-to-site tunnel and tell us the configuration part.
Q4. How to check with a command that the tunnel is up.
Q5. VPN: => show vpn-sessiondb (lists the connected sessions).
Q6. In the firewall, how to check the configuration of the cluster, i.e. the context?
Q7. There are two firewalls, an ASA 5520 and an ASA 5510. We are trying to make these a cluster but it is not working. What will be the troubleshooting? (Failover requires both units to be the same model with the same amount of RAM and the same interfaces.)
Q8. Why are you leaving this job?
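The sequence and acknowledgment arithmetic above, and the answer to Q8 (what the receiver sends when a segment is lost), are easiest to see by running a receiver. The following is an added example, not code from the original page: a minimal TCP receiver that computes cumulative ACKs, buffers out-of-order segments, and keeps re-sending the same ACK number while the gap persists; the driver then retransmits the missing segment once three duplicate ACKs have been seen (fast retransmit) and the ACK jumps to cover all the buffered data. The segment stream and the ISN are constructed values, and sequence numbers are kept in Python integers without the 32-bit wrap-around.

```python
# Added example (not from the original page): cumulative ACKs, duplicate ACKs and
# fast retransmit. Constructed segment stream; 32-bit wrap-around is ignored.

def ack_for(seq: int, payload_len: int, syn: bool = False, fin: bool = False) -> int:
    """ACK number for an in-order segment: seq + data bytes, plus 1 for SYN and 1 for FIN."""
    return seq + payload_len + (1 if syn else 0) + (1 if fin else 0)


class TcpReceiver:
    def __init__(self, peer_isn: int):
        self.rcv_nxt = ack_for(peer_isn, 0, syn=True)   # the peer's SYN is ACKed with ISN+1
        self.out_of_order = {}                          # seq -> payload, buffered beyond a gap
        self.delivered = b""                            # bytes handed to the application, in order

    def receive(self, seq: int, payload: bytes) -> int:
        """Process one data segment and return the (cumulative) ACK number to send back."""
        if seq == self.rcv_nxt:                          # exactly the next byte we expect
            self.delivered += payload
            self.rcv_nxt += len(payload)
            while self.rcv_nxt in self.out_of_order:     # drain anything that was waiting on this gap
                data = self.out_of_order.pop(self.rcv_nxt)
                self.delivered += data
                self.rcv_nxt += len(data)
        elif seq > self.rcv_nxt:                         # a gap: buffer it, re-ACK the missing byte
            self.out_of_order[seq] = payload
        # seq < rcv_nxt is a retransmission of data we already hold: nothing to store, just re-ACK
        return self.rcv_nxt


def simulate_loss(isn: int, segment_len: int, segments: int, drop_index: int, dupack_threshold: int = 3):
    """Send `segments` back-to-back segments, drop the one at `drop_index`, and retransmit it once the
    sender has seen `dupack_threshold` duplicate ACKs. Returns (ACKs emitted, data delivered)."""
    rx = TcpReceiver(isn)
    data = [bytes([65 + i]) * segment_len for i in range(segments)]   # b'AAAA', b'BBBB', ...
    seqs = [isn + 1 + i * segment_len for i in range(segments)]       # first data byte is ISN+1
    acks, dupacks, last_ack = [], 0, None
    for i in range(segments):
        if i == drop_index:
            continue                                     # lost on the wire, receiver never sees it
        ack = rx.receive(seqs[i], data[i])
        acks.append(ack)
        dupacks = dupacks + 1 if ack == last_ack else 0
        last_ack = ack
        if dupacks >= dupack_threshold:                  # fast retransmit of the byte the ACK points at
            missing = seqs.index(ack)
            acks.append(rx.receive(seqs[missing], data[missing]))
            dupacks, last_ack = 0, acks[-1]
    # if the lost segment was the last one there are no later segments to trigger duplicate ACKs;
    # a real sender falls back to its retransmission timer in that case
    return acks, rx.delivered


if __name__ == "__main__":
    print(ack_for(1000, 0, syn=True), ack_for(1001, 100))   # 1001 1101
    acks, delivered = simulate_loss(isn=1000, segment_len=100, segments=5, drop_index=1)
    print(acks, len(delivered))                              # [1101, 1101, 1101, 1101, 1501] 500
```

With segment 2 lost, the receiver answers segments 3, 4 and 5 with the same ACK 1101 (the first missing byte); that repeated number, not a NACK, is the signal to the sender, and after the retransmission the single ACK 1501 covers everything that was buffered meanwhile.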
Q9. Difference between 5505 and 5510 firewall.

ACCENTURE

Q1. In this scenario, before, I was able to work with the printer. I updated the firmware of the printer, and after this task I am not able to work with the printer. The condition is that I am able to ping the IP address of the printer.
Q2. What is the packet capture command?
The capture command on the ASA. An incoming packet hits the capture before any ACL, NAT or other processing; an outgoing packet hits a capture last, just before being put on the wire.
Q3. What is hairpinning?
The term hairpinning comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn and goes back out the same interface it came in on. Visualize this and you see something that looks like a hairpin.
Hairpinning is only relevant when the firewall is in routed mode, since the "turnaround" of traffic is a routing decision. Also, there needs to be another router involved. If the firewall is set up to only pass traffic between interfaces, no hairpinning takes place. Typical hairpinning happens when there is a router inside the firewall beyond which there is another network that needs to be reached to/from the inside network. (On the ASA, hairpinning has to be allowed explicitly with same-security-traffic permit intra-interface.)
Q4. In this scenario my IPs 10.10.10.1 and 20.20.20.1 are NATted, and I want to communicate with the destination IPs 30.30.30.1 and 40.40.40.1. What type of NAT will I use?
Q5. What is DNS doctoring?
Page 17 – Q13
Q6. What is NAT exemption?
NAT exemption is basically a similar configuration to dynamic identity NAT, but it is restricted to an access list (nat 0 with an access-list), so it can match on the destination as well as the source.
Dynamic identity NAT: only connections from the inside to elsewhere are translated (to themselves).
ciscoasa(config)# nat (inside) 0 192.168.0.0 255.255.255.0
Q7. Identity NAT.
Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.
Q8. Types of NAT and NAT order.
Page 13 – Q8
Q9. OSPF LSA.
Link-State Advertisements (LSAs) are used by OSPF routers to exchange routing and topology information. When two neighbors decide to exchange routes, they send each other a list (Database Description) of all LSAs in their respective topology databases. Each router then checks its topology database and sends a Link State Request (LSR) message requesting all LSAs it did not find in its own database. The other router responds with a Link State Update (LSU) that contains all LSAs requested by the neighbor.
What are the different OSPF LSA types?
1. Router LSA (Type 1) - Each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and costs. Type 1 LSAs are flooded only within an area.
2. Network LSA (Type 2) - Sent out by the designated router (DR) and lists all the routers on the multi-access segment it is adjacent to. Type 2 LSAs are flooded only within an area.
3. Summary LSA (Type 3) - Generated by Area Border Routers (ABRs) to advertise networks from one area to the rest of the areas in the autonomous system. It carries the inter-area routes.
4. ASBR Summary LSA (Type 4) - Generated by an ABR and contains the route to an ASBR.
5. External LSA (Type 5) - Generated by ASBRs and contains routes to networks that are external to the current AS.
6. Not-So-Stubby Area LSA (Type 7) - Stub areas do not allow Type 5 LSAs. A Not-So-Stubby Area (NSSA) allows external routes to be advertised as Type 7 LSAs instead. A Type 7 LSA is generated by an ASBR inside the NSSA to describe routes redistributed into it; the NSSA ABR converts them to Type 5 LSAs for the rest of the domain.
Q10. F5 load balancer (iRules, static load balancing, dynamic load balancing, HTTP and HTTPS iRules).

CGI

Q1. EIGRP, OSPF, STP, VLAN, RSTP.
Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance vector routing protocol which uses the Diffusing Update Algorithm (DUAL) to calculate the shortest path. It is also considered a hybrid routing protocol because it has characteristics of both distance vector and link state routing protocols. EIGRP supports classless routing and VLSM, route summarization, incremental updates, load balancing and other features.
Open Shortest Path First (OSPF) is an open-standard link state routing protocol which uses Dijkstra's algorithm to construct the shortest paths and then populates the routing table with the resulting best paths.
Spanning Tree Protocol (STP) is a protocol which prevents Layer 2 loops. STP enables switches to become aware of each other so that they can negotiate a loop-free path through the network. In practice, redundant links are created to avoid complete network failure in the event of the failure of one link, and STP is what makes that redundancy safe.
How does STP work?
STP chooses a reference point (the root bridge) in the network and calculates all the redundant paths to that reference point. Then it picks one path on which to forward frames and blocks the other redundant paths. Because the redundant ports are blocked, loops are prevented.
Q2. Firewall hardening.
Q3. Difference between L3 and L2 switch.
A L2 switch does switching only: it uses MAC addresses to switch frames from a port to the destination port (and only the destination port). It therefore maintains a MAC address table so that it can remember which ports have which MAC addresses associated.
A L3 switch also does switching exactly like a L2 switch. The L3 means that it also has an identity at Layer 3: practically, a L3 switch is capable of having IP addresses and doing routing. For intra-VLAN communication it uses the MAC address table; for inter-VLAN communication it uses the IP routing table.
This is simple, but you could say "Hey, but my Cisco 2960 is a L2 switch and it has a VLAN interface with an IP!". You are perfectly right, but that VLAN interface is only for management and cannot be used for IP routing, since the switch does not maintain an IP routing table.
Q4.
Difference between MPLS and L2.
Q5. Site to Site VPN and IPSEC VPN.
A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet.
IP Security Protocol VPN means VPN over IP Security. It allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data authentication between participating peers.
At what layer does IPsec work?
IPsec secures IP traffic at Layer 3 (Network Layer) of the OSI model.
Q6. Failover is running between two firewalls. These two firewalls are connected with a switch. How will the switch find out which firewall is active and which is standby?
Q7. 3-tier architecture of Checkpoint.
Smart console
Smart console
Enforcement
Q8. How to add a policy in Checkpoint.
Q9. Packet flow of Checkpoint.
The following events take place:
The external device generates an IP packet with a source IP address of 200.1.1.1 (itself) and a destination IP address of 199.1.1.1 (the valid IP address for the internal device).
The packet is received on the external interface of the enforcement module (HPTX2) and is passed to the VPN-1/FireWall-1 INSPECT module for inspection.
The INSPECT module checks the IP packet against the connection table (to determine whether the packet is part of an existing connection), followed by the security rule base (if the packet represents a new connection). Assuming the packet represents a new connection, the packet is matched against a security rule that permits the connection, and the packet is forwarded to the operating system TCP/IP stack for routing.
The operating system TCP/IP stack now routes the packet. Routing is based on the destination IP address; at this time, the destination IP address of the packet is still 199.1.1.1. If the destination IP address is part of the external segment from which the packet arrives, the operating system will attempt to route the packet back out the ingress interface. For example, in the figure, if the external interface of the enforcement module is configured with an IP address of 199.1.1.100 and a subnet mask of 255.255.255.0, then with the default routing table generated by the operating system the IP address 199.1.1.1 will be considered attached to the external interface, and the packet will be routed back out the external interface. Therefore, a host route must exist that associates the destination IP address 199.1.1.1 with the correct egress interface (a host route is simply a route that refers to an individual host rather than a network). The route for 199.1.1.1 points to the internal device 10.1.1.1, which ensures the correct egress interface (HPTX0) is selected for routing.
The packet is routed towards the egress interface and is passed to the INSPECT module once again. At this point, network address translation occurs. Based on a static destination NAT rule configured on the enforcement module, the destination IP address of the packet is rewritten from 199.1.1.1 to 10.1.1.1, ensuring the packet will reach the internal device.
The packet is forwarded out the egress interface towards the internal device. The packet now carries the private IP address of the internal device (10.1.1.1) as its destination IP address, ensuring the packet reaches the internal device.
In the figure, notice that address translation is performed within the INSPECT module at the egress interface, after the routing decision made by the operating system, meaning the operating system has to have a host route configured for the valid IP address that represents the internal device. This requirement incurs extra administrative overhead on VPN-1/FireWall-1 enforcement modules prior to NG, and is also prone to misconfiguration errors.
Notice in Figure 8.7 the terms client side and server side. These terms describe the point at which the INSPECT module receives a packet. The client side refers to when the INSPECT module receives a packet immediately after it has first been received on the ingress interface; the term client side is used because the packet is received from the interface facing the source of the packet (i.e., the client). The server side refers to when the INSPECT module receives a packet that has been routed by the operating system to the appropriate egress interface; the term server side is used because the packet is about to be sent out the interface facing the destination of the packet (i.e., the server). In previous versions of VPN-1/FireWall-1, destination NAT is referred to as server-side destination NAT, because destination NAT is performed on the server side. In VPN-1/FireWall-1 NG, you now have the option of performing destination NAT within the INSPECT module at the ingress interface (i.e., at the client side), which means that the operating system now routes based on the private IP address of internal devices, as opposed to the valid IP address. Figure 8.8 demonstrates this.
In the figure, the destination NAT is performed at the ingress interface (step 2), before the packet is passed to the TCP/IP stack for routing. This means that the operating system receives a packet with a destination IP address of an internal device (step 3), as opposed to the valid IP address, and therefore only requires a route to the internal device. You would normally expect all internal routes to be already configured on your enforcement modules, as the enforcement module needs to know where to route packets for internal devices. The requirement to configure a host route for each valid IP address (as shown in the figure) is counterintuitive, and is often overlooked when configuring address translation.
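To make the ordering concrete, here is an added simulation (not Check Point's code) of the two destination-NAT orderings described above, using the addresses from the text; the 10.1.1.0/24 connected route on HPTX0 is an assumption, since the text names only the host 10.1.1.1.

```python
"""Added example (not Check Point's code): a small simulation of the two
destination-NAT orderings, showing why the pre-NG server-side design needs an
OS host route for the valid address 199.1.1.1 while NG client-side NAT only
needs the normal internal route."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology from the text: external interface HPTX2 holds
# 199.1.1.100/24; the internal device 10.1.1.1 sits behind HPTX0.  The
# 10.1.1.0/24 connected route on HPTX0 is an assumption.
CONNECTED_ROUTES = [
    (ip_network("199.1.1.0/24"), "HPTX2"),   # external segment
    (ip_network("10.1.1.0/24"), "HPTX0"),    # internal segment (assumed)
]
# The host route the pre-NG design requires: valid address -> internal side.
HOST_ROUTE = (ip_network("199.1.1.1/32"), "HPTX0")

# Static destination NAT rule from the text: valid 199.1.1.1 -> private 10.1.1.1.
DEST_NAT = {ip_address("199.1.1.1"): ip_address("10.1.1.1")}

INGRESS = "HPTX2"   # the packet from 200.1.1.1 arrives on the external interface


def os_route(dst, routes: List[Tuple]) -> Optional[str]:
    """Longest-prefix match over the operating system routing table;
    returns the egress interface, or None when nothing matches."""
    dst = ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def server_side_dnat(dst, routes) -> dict:
    """Pre-NG order: the OS routes on the still-untranslated valid address;
    INSPECT rewrites the destination only on the server (egress) side."""
    dst = ip_address(dst)
    egress = os_route(dst, routes)
    translated = DEST_NAT.get(dst, dst)
    return {"egress": egress, "dst": str(translated), "hairpin": egress == INGRESS}


def client_side_dnat(dst, routes) -> dict:
    """NG order: INSPECT rewrites on the client (ingress) side, so the OS
    routes on the private address and needs no host route for 199.1.1.1."""
    dst = ip_address(dst)
    translated = DEST_NAT.get(dst, dst)
    egress = os_route(translated, routes)
    return {"egress": egress, "dst": str(translated), "hairpin": egress == INGRESS}


if __name__ == "__main__":
    valid = "199.1.1.1"
    # hairpin=True means the packet would go back out HPTX2 and never reach 10.1.1.1
    print("server-side, no host route  :", server_side_dnat(valid, CONNECTED_ROUTES))
    print("server-side, with host route:", server_side_dnat(valid, CONNECTED_ROUTES + [HOST_ROUTE]))
    print("client-side, no host route  :", client_side_dnat(valid, CONNECTED_ROUTES))
```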
The ability of VPN-1/FireWall-1 NG to perform destination NAT at the ingress interface before the packet is routed means that you don't need to update the operating system route table each time you configure NAT. In VPN-1/FireWall-1 NG, this feature is referred to as client-side destination NAT, because destination NAT occurs at the client side.
WIPRO
Q1. Day to day job responsibilities.
Q2. Cisco ASA: difference (8.2, 8.4, 8.6).
Q3. Checkpoint version.
Q4. What is SIC? Why do we need SIC? Where do we configure SIC in Checkpoint? How many SICs can form?
SIC stands for Secure Internal Communication and it is a Checkpoint proprietary protocol. It is where a secured tunnel is created between the enforcement module and the management server, and from the management server to the management console.
Q5. Difference between the OSI model and the TCP/IP model.
OSI (Open System Interconnection) vs TCP/IP (Transmission Control Protocol / Internet Protocol):
1. OSI: OSI is a generic, protocol-independent standard, acting as a communication gateway between the network and the end user.
   TCP/IP: The TCP/IP model is based on the standard protocols around which the Internet has developed. It is a communication protocol which allows connection of hosts over a network.
2. OSI: In the OSI model the transport layer guarantees the delivery of packets.
   TCP/IP: In the TCP/IP model the transport layer does not guarantee delivery of packets. Still, the TCP/IP model is more reliable.
3. OSI: Follows a vertical approach.
   TCP/IP: Follows a horizontal approach.
4. OSI: The OSI model has a separate Presentation layer and Session layer.
   TCP/IP: TCP/IP does not have a separate Presentation layer or Session layer.
5. OSI: OSI is a reference model around which networks are built. Generally it is used as a guidance tool.
   TCP/IP: The TCP/IP model is, in a way, an implementation of the OSI model.
6. OSI: The Network layer of the OSI model provides both connection-oriented and connectionless service.
   TCP/IP: The Network layer in the TCP/IP model provides connectionless service.
7. OSI: The OSI model has the problem of fitting the protocols into the model.
   TCP/IP: The TCP/IP model does not fit any protocol.
8. OSI: Protocols are hidden in the OSI model and are easily replaced as the technology changes.
   TCP/IP: In TCP/IP, replacing a protocol is not easy.
9. OSI: The OSI model defines services, interfaces and protocols very clearly and makes a clear distinction between them. It is protocol independent.
   TCP/IP: In TCP/IP, services, interfaces and protocols are not clearly separated. It is also protocol dependent.
10. OSI: It has 7 layers.
    TCP/IP: It has 4 layers.
Q6. TCP flags and 3-way handshake.
TCP flags are used to influence the flow of data across a TCP connection.
1. PUSH (PSH) - Pushes the buffered data to the receiver's application. If data is to be sent immediately, we push it.
2. Reset (RST) - Resets the connection.
3. Finish (FIN) - Finishes the session. It means no more data from the sender.
4. Urgent (URG) - Used to set the priority, to tell the receiver that this data is important.
5. Acknowledgement (ACK) - All packets after the SYN packet sent by the client should have this flag set. ACK=10 means the host has received bytes 0 through 9 and is expecting byte 10 next.
6. Synchronize (SYN) - Initiates a connection. It synchronizes the sequence numbers.
See Page 1 Q4.
Q7. What is a proxy server?
A proxy or proxy server is basically another computer which serves as a hub through which Internet requests are processed. By connecting through one of these servers, your computer sends your requests to the proxy server, which then processes your request and returns what you wanted.
What is a Proxy Server?
A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache.
In some cases, the proxy may alter the client's request or the server's response for various purposes.
Q8. What is a forward proxy and a reverse proxy?
A reverse proxy is a single entry point that serves multiple backend servers; a forward proxy serves clients behind it. Both are single points of entry that are a "proxy" on behalf of either servers (reverse) or clients (forward).
A forward proxy is a proxy configured to handle requests for a group of clients under the local administrator's control to an unknown or arbitrary group of resources that are outside of their control. Usually the word "forward" is dropped and it is referred to simply as a proxy; this is the case in Microsoft's topology. A good example is a web proxy appliance which accepts web traffic requests from client machines in the local network and proxies them to servers on the Internet. The purpose of a forward proxy is to manage traffic to the client systems.
A reverse proxy is a proxy configured to handle requests from a group of remote or arbitrary clients to a group of known resources under the control of the local administrator. An example of this is a load balancer (a.k.a. application delivery controller) that provides application high availability and optimization to workloads such as Microsoft Skype, Exchange and SharePoint. The purpose of a reverse proxy is to manage the server systems.
Q9. What is DNS and how does it work?
See Page 15 Q9.
Q10. Password recovery on a router.
Q11. Chassis of Nexus switch.
UNKNOWN
Q1. Packet flow between PC and Internet.
Q2.
Packet flow in Checkpoint firewall.
The same packet-flow description is given under Q9 (Packet flow of Checkpoint) above.
Q3. Packet flow in Cisco ASA.
See Page 16 Q5.
Q4. TCP states.
See Page 1 Q4.
Q5. Example of session layer.
In the Open Systems Interconnection (OSI) communications model, the Session layer (sometimes called the "port layer") manages the setting up and taking down of the association between two communicating end points that is called a connection.
Q6. Which OSI layer decides when a packet is to move outside or to remain inside?
Network layer.
Q7. How will you troubleshoot if your PC is not getting connected to the Internet?
TEK SYSTEM
Q1. Tell me about yourself and day-by-day job responsibility.
Q2.
In 8.2 we want to upgrade to 9.0 with zero downtime.
In this post I will describe how I upgraded the software of my Active/Standby Failover Cisco ASA 5512X from 8.6 to 9.1. Additionally, I will upgrade the ASDM to the latest version.
When upgrading the software of your Cisco ASA it's important to read the release notes beforehand. Go through each major and minor release version. According to Cisco, you should upgrade to the latest minor release version before upgrading to the next major version. This is important if you want to maintain a zero-downtime upgrade.
A minor release upgrade is, for example, going from 8.3 to 8.4. This means zero downtime is not supported from 8.3 to 8.6.
A major release upgrade is going from the base version to the next release, for example 8.6 to 9.0. This would be supported for zero downtime. It would NOT be supported if you were to go from 8.6 to 9.1.
In my process, I went from 8.6 to 9.0 and then from 9.0 to 9.1.
Before we do any sort of upgrade on the ASA, we need to make a backup. After the backups, we will upload the bin file to the primary ASA and the secondary ASA. The same goes for ASDM. After the bin is uploaded, you change the active and standby ASA boot system order. You can have multiple boot systems and the ASA will pick from the top. Then you reboot the ASA and it should be on the latest version.
Detailed Steps
Step 1. Back up your configuration either by TFTP or by using the following command and copying the output:
asa# more system:running-config
Step 2. Copy the ASA software to the active unit's flash memory.
asa# copy t disk0:/asa901-smp-k8.bin
Step 3. Copy the software to the standby unit. Use the same path as the active unit.
asa# failover exec mate copy /noconfirm t disk0:/asa901-smp-k8.bin
Step 4. Copy the ASDM image to the active ASA unit's flash memory.
asa# copy t disk0:/asdm-711.bin
Step 5. Copy the ASDM image to the standby ASA unit. Use the same path as the active unit.
asa# failover exec mate copy /noconfirm t disk0:/asdm-711.bin
Step 6. Enter global configuration mode.
asa# conf t
asa(config)#
Step 7. Verify the current boot images configured. The ASA uses these images in order. To make the ASA boot to the new image, remove the existing entries and enter the image URLs in the order desired.
asa(config)# show running-config boot system
Step 8. Remove any existing boot image.
asa(config)# no boot system disk0:/asa861-smp-k8.bin
Step 9. Set the ASA image to boot. Repeat the command for backup images.
asa(config)# boot system disk0:/asa901-smp-k8.bin
asa(config)# boot system disk0:/asa861-smp-k8.bin
Step 10. Set the ASDM image to use. Only one can be configured.
asa(config)# asdm image disk0:/asdm-711.bin
Step 11. Save settings to the startup config.
wr mem
Step 12. Reload the standby unit to boot the new image. Wait for the standby to finish loading and use the show failover command to verify the standby unit is in Standby Ready state.
asa# failover reload-standby
Step 13. Force the active unit to fail over to the standby unit.
asa# no failover active
Step 14. Reload the former active unit. Log into the active unit.
asa# reload
After upgrading to the major version, verify both ASAs have the same software version. Then you can begin the process again to upgrade to the next minor release version.
Verification
If all is good you will see the standby ASA running a newer version than the active ASA. The firewall also displays a message about the mismatch.
Running show version will determine if your ASA booted with the latest image.
After reloading both ASAs, run show failover to ensure there is an Active and a Standby.
asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 114 maximum
failover replication http
Version: Ours 9.0(1), Mate 9.0(1)
Last Failover at: 14:51:20 PDT Jun 19 2014
This host: Primary - Active
Active time: 266969 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.0(1)) status (Up Sys)
Interface Inside (192.168.254.254): Normal (Monitored)
Interface DMZ (10.1.254.254): Normal (Monitored)
Interface OutsideTWO (172.16.254.254): Normal (Monitored)
Interface OutsideONE (172.16.253.254): Normal (Monitored)
Interface MGMT (10.10.10.254): Link Down (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.0(1)) status (Up Sys)
Interface Inside (192.168.254.253): Normal (Monitored)
Interface DMZ (10.1.254.253): Normal (Monitored)
Interface OutsideTWO (172.16.254.253): Normal (Monitored)
Interface OutsideONE (172.16.253.253): Normal (Monitored)
Interface MGMT (10.10.10.253): Normal (Monitored)
slot 1: IPS5512 hw/sw rev (N/A/) status (Unresponsive/Up)
There is specific state information that is passed/not passed to the standby ASA. It's important to know what these are and how they pertain to your environment. Otherwise, schedule a maintenance window outside of normal business hours.
State Information Passed:
NAT Table
TCP Connection States
UDP Connection States
ARP Table
HTTP Connection States
ISAKMP and IPSec SA table
SIP signalling sessions
State Information Not Passed:
User authentication (uauth) table
Routing tables
State information for Security Service Modules
DHCP server address leases
Q3.
Difference between Site-to-Site VPN and IPsec VPN.
The same answer is given under Q5 (Site to Site VPN and IPSEC VPN) above.
Q4. How does phase 1 work?
See Page 2 Q7.
Q5. What will be troubleshot when we get MM_MO_ACTIVE in VPN?
Q6. Is it necessary to create phase-1 for phase-2?
Yes, for management.
Q7. In my network, a duplicate IP address is being detected. What will be troubleshot for it?
Q8. When did you feel offended in your previous organization?
Q9. How does the network know that a router is Stuck in Active?
Q10. LSA 7.
Not-So-Stubby Area LSA (Type 7) - Stub areas do not allow Type 5 LSAs. A Not-So-Stubby Area (NSSA) allows advertisement of Type 5 LSAs as Type 7 LSAs. A Type 7 LSA is generated by an ASBR inside a Not-So-Stubby Area (NSSA) to describe routes redistributed into the NSSA.
Q11. In our network BPDU Guard is enabled. If we add a new switch to our network, what type of message is displayed on the switch?
Q12. In this scenario, one hour ago my PC was able to get Internet. After one hour the PC is not able to access it. What will be troubleshot?
Q13. What are the phases of Site-to-Site VPN?
Q14. What are the modes of IPsec VPN?
There are two modes in IKE phase 1:
Main mode - A total of six messages are exchanged in main mode for establishing the phase 1 SA.
Aggressive mode - It is faster than main mode as only three messages are exchanged in this mode to establish the phase 1 SA. It is faster but less secure.
At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.
Phase 2
IKE phase 2 protects the user data and establishes the SA for IPsec.
There is one mode in IKE phase 2:
Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.
At the end of phase 2 negotiations, two unidirectional IPsec SAs (phase 2 SAs) are established for user data, one for sending and another for receiving encrypted data.
Q15. What are the parameters of Phase 1?
"Interesting traffic" initiates the IPsec process. Traffic is deemed interesting when the IPsec security policy configured in the IPsec peers starts the IKE process.
IKE phase 1. IKE authenticates IPsec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPsec SAs in phase 2.
IKE phase 2. IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers.
Data transfer. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database.
IPsec tunnel termination. IPsec SAs terminate through deletion or by timing out.
Q16. What is MD5?
MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to the specific individual.
Q17. Three important things to run a network of a company.
Q18. What is IP spoofing? And what is a spoof attack?
Firewall rules can be based on source and destination IP addresses. Attackers use IP spoofing to change a packet's IP address and make a packet look like it is from a trusted source. If your network is not protected against IP spoofing, attackers can exploit the vulnerability in the firewall rules and gain access to the network.
Q19. How can we use spoofing in ASA?
Q20. What is a stealth rule?
Why do we need it, and what is the purpose of a stealth rule?
The firewall stealth rule is the explicit rule near the top of the policy denying access to the firewall beyond what is required to manage the device.
Q21. Packet tracer command in ASA.
The packet-tracer command provides detailed information about the packets and how they are processed by the ASA. If a command from the configuration did not cause the packet to drop, the packet-tracer command provides information about the cause in an easily readable format. For example, if a packet was dropped because of an invalid header validation, the following message appears: "packet dropped due to bad ip header (reason)."
HP (KPIT)
Q1. Failover is running between two firewalls. These two firewalls are connected with a switch. How will the switch find out which firewall is active and which is standby?
Q2. Packet flow of Checkpoint.
The same packet-flow description is given under Q9 (Packet flow of Checkpoint) above.
Q3. In Automatic NAT, how many rules will be created?
Q4. By using the CLI, how will we make a backup?
Using the upgrade_export command on the gateway.
For policy backup: dbbackup or database revision control.
How can you take a manual backup of CP, and which folders are necessary?
$fwdir/bin
$fwdir/bin/upgrade-tools/objects.c
$fwdir/conf
Q5. When a packet enters a router, how does the router work with the packet?
When I was scanning the list of topics I had in mind for my first blog, I decided to start off by answering one of the popular questions that we initially get when we are introduced to the world of networking: what happens when a router receives a packet? Upon receiving the packet, the router has to follow three generic steps before it routes the packet:
-> Routing
-> Forwarding (Switching)
-> Encapsulation
Let's discuss each one of them in detail.
Routing Process: The routing process is nothing but the router's control plane. The router records a routing table listing what route should be used to forward a data packet, and through which physical interface connection. The router learns your network route information either by static configuration or by using a dynamically configured routing protocol like an IGP (OSPF, EIGRP, RIP, IS-IS) or an Exterior routing protocol like BGP.
When the router receives any packet it has to remove the Layer 2 header information present on the packet (example: in Ethernet, the source and destination MAC addresses present in the L2 header). Once the router removes the L2 information it looks at the Layer 3 information available on the packet, that is the source and destination IP addresses.
For moving an L3 packet between interfaces, the router checks the destination address and finds the longest-prefix match in the IP routing table to find the outgoing interface. In IPv4 the router uses the longest mask to identify the best routing entry for forwarding the packet.
Example: Let’s assume we have configured 3 different static routes with different subnet mask.Sh ip route 1.1.1.1 ip route 1.1.1.0 255.255.255.0 fa0/2ip route 1.1.0.0 255.255.0.0 fa0/1ip route 1.0.0.0 255.0.0.0 fa0/0In above example when router does route lookup for destination address 1.1.1.1 out of 3 entries router will choose longest-prefix length match entry i.e. 1.1.1.0/24 , because destination address has most common bits matches with selected route and will forward packet out fa0/2.Destination prefixBinary Splitting1.1.1.100000001 00000001 00000001 000000011St Entry 1.1.1.0/2400000001 00000001 00000001 000000002nd Entry 1.1.0.0/1600000001 00000001 00000000 000000003rd Entry 1.0.0.0/800000001 00000000 00000000 00000000Now for any other destination prefix like 1.1.2.0 longest match is 1.1.0.0/16 and for 1.2.0.0 it would be 1.0.0.0/8Longest match possible in IPv4 routing is /32 (255.255.255.255) and shortest match possible is default route i.e. 0.0.0.0->If there are multiple routes with same subnet mask learned via same protocol by router then router chooses lowest metric between them. For Example: Eigrp use composite “metric” and Ospf uses “Cost” for comparison.->If there is multiple routes with same subnet mask learn via different protocol on router then router chooses lowest administrative distance (AD).->Last and important point is recursive lookup: which states that whenever there is route lookup more than once it will be termed as recursive lookup. 
The router repeats the lookup until the destination address points to a physical or logical interface.
Example: We have a network 1.1.1.1 connected somewhere and we reach it via interface fa0/0 with next-hop IP address 2.2.2.2. So we can configure the static route in two different ways: either define the next-hop IP address 2.2.2.2, or mention the interface fa0/0 as the gateway, as shown below.
ip route 1.1.1.1 255.255.255.255 2.2.2.2
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
Both statements look the same, but they have different meanings. When you point the destination to an exit interface, no further route lookup is needed because the router assumes the destination is directly connected to that interface. But when you point the destination to a next-hop IP address, another route lookup is needed for the next-hop IP address itself; this is what is referred to as a recursive lookup. To get more information on how static routes work when you set the gateway as a next-hop IP address or as a next-hop interface, please refer to this document.

Forwarding process: This is also known as the switching process. Once the router finds the outgoing interface, the packet is moved between interfaces by the switching process. This is done by process switching, fast switching or CEF switching. Forwarding can be done using adjacency tables that reside on the route processor or on interface cards that support switching.
-> Process switching requires the device CPU to be involved for every forwarding decision.
-> Fast switching still uses the CPU for the initial packets and to fill the cache table in the router.
Once the initial packet has been forwarded, the information about how to reach the destination is stored in the fast-switching cache. When another packet goes to the same destination, the next-hop information is reused from the cache and the route processor does not have to look it up again; but if the information is not cached, the CPU has to process the entire packet.
-> When CEF mode is enabled, the router builds the CEF FIB and adjacency tables, which reside on the route processor, and the route processor performs the express forwarding.
In the switching process the device does the actual per-packet or per-link load balancing, depending on the methodology in use.

Encapsulation process: The L3 header remains intact and unchanged, except for NAT, VPN, etc. Layer 2 headers change on a hop-by-hop basis, depending on the transmission media. To transmit the L3 packet on the wire the router needs to find the L2 information for the packet, and that depends on the type of media used for transmission.
To explain the encapsulation process in a bit more detail, I have created a small topology, shown in the diagram below.
As discussed above, depending on the transmission media (in this example the transmission media is Ethernet), the MAC addresses in the Layer 2 header keep changing on a hop-by-hop basis.
To generate some traffic, let's ping from R3 to R2's interface address.
As soon as R1 receives the packet from R3, it removes the L2 information sent by R3 and checks the L3 information in the packet, the source (20.1.1.2) and destination address (10.1.1.1). Then it looks into its routing table to find the outgoing interface, fa0/0 in this example. Once the router identifies the outgoing interface it attaches an L2 header before putting the packet on the wire.
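The routing, forwarding and encapsulation steps described above, modelled in Python as an added example (this is not code from the original blog post or from the page author). The routing table holds the three static routes from the longest-prefix example (1.1.1.0/24 via fa0/2, 1.1.0.0/16 via fa0/1, 1.0.0.0/8 via fa0/0) plus connected routes for the ping topology (10.1.1.0/24 on fa0/0, 20.1.1.0/24 on fa0/1, taken from the addresses in the text). The route 192.168.5.0/24 via next hop 10.1.1.1, the interface MAC addresses and the ARP cache entries are assumed values, constructed to show a recursive lookup and the Layer 2 rewrite.

```python
"""Added example (not from the original post): what a router does with a packet.
Routing = longest-prefix match plus recursive next-hop resolution;
Forwarding = pick the exit interface;
Encapsulation = rewrite the Layer 2 header for this hop, L3 header intact (TTL aside)."""
from ipaddress import ip_address, ip_network

# Routing table of "R1": (prefix, next-hop IP or None, exit interface or None).
# The three 1.x routes are the post's longest-prefix example; 10.1.1.0/24 and
# 20.1.1.0/24 follow the post's ping topology; 192.168.5.0/24 via 10.1.1.1 is an
# assumed route that needs a recursive lookup.
ROUTES = [
    (ip_network("1.1.1.0/24"), None, "fa0/2"),
    (ip_network("1.1.0.0/16"), None, "fa0/1"),
    (ip_network("1.0.0.0/8"), None, "fa0/0"),
    (ip_network("10.1.1.0/24"), None, "fa0/0"),
    (ip_network("20.1.1.0/24"), None, "fa0/1"),
    (ip_network("192.168.5.0/24"), ip_address("10.1.1.1"), None),
]

# Assumed Layer 2 state of R1: its own interface MACs and its ARP cache (constructed values).
INTERFACE_MAC = {"fa0/0": "c2:01:00:00:00:00", "fa0/1": "c2:01:00:00:00:01", "fa0/2": "c2:01:00:00:00:02"}
ARP_TABLE = {"10.1.1.1": "c2:02:00:00:00:00", "20.1.1.2": "c2:03:00:00:00:01"}


def binary_split(addr):
    """Render an IPv4 address as four binary octets, as in the post's binary-splitting table."""
    return " ".join(f"{octet:08b}" for octet in ip_address(addr).packed)


def longest_prefix_match(dst, routes=ROUTES):
    """Return the matching route with the longest mask, or None (this table has no default route)."""
    dst = ip_address(dst)
    best = None
    for route in routes:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def resolve(dst, routes=ROUTES, max_depth=8):
    """Look the destination up repeatedly (recursive lookup) until a route names an exit
    interface. Returns (exit_interface, arp_target, prefixes_consulted); arp_target is the
    address whose MAC goes into the new Layer 2 header."""
    target = ip_address(dst)
    consulted = []
    for _ in range(max_depth):
        route = longest_prefix_match(target, routes)
        if route is None:
            return None, None, consulted
        consulted.append(str(route[0]))
        if route[2] is not None:            # interface route: next hop is the target itself
            return route[2], str(target), consulted
        target = route[1]                   # next-hop route: the next hop must be looked up too
    return None, None, consulted            # too deep, e.g. routes pointing at each other


def forward(frame, in_iface):
    """Process one Ethernet frame as the post describes: strip L2, decrement TTL, route on the
    L3 destination, then re-encapsulate for the exit interface.
    Returns (new_frame, exit_interface), or (None, reason) when the packet is dropped."""
    if frame["dst_mac"] != INTERFACE_MAC[in_iface]:
        return None, "not addressed to this router"
    packet = {k: v for k, v in frame.items() if k not in ("src_mac", "dst_mac")}  # L2 removed
    packet["ttl"] -= 1
    if packet["ttl"] == 0:
        return None, "ttl exceeded"       # a real router would return an ICMP Time Exceeded
    out_iface, arp_target, _ = resolve(packet["dst_ip"])
    if out_iface is None:
        return None, "no route"
    next_hop_mac = ARP_TABLE.get(arp_target)
    if next_hop_mac is None:
        return None, f"arp unresolved for {arp_target}"   # a real router would ARP and queue the packet
    # L3 header unchanged except for the TTL; L2 header rewritten for this hop.
    return dict(packet, src_mac=INTERFACE_MAC[out_iface], dst_mac=next_hop_mac), out_iface


if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.1.2.0", "1.2.0.0"):
        print(dst, binary_split(dst), "->", resolve(dst)[:2])
    # Constructed frame for the post's ping from R3 (20.1.1.2) to R2 (10.1.1.1), arriving on fa0/1.
    ping = {"src_mac": ARP_TABLE["20.1.1.2"], "dst_mac": INTERFACE_MAC["fa0/1"],
            "src_ip": "20.1.1.2", "dst_ip": "10.1.1.1", "ttl": 255}
    print(forward(ping, "fa0/1"))
```

binary_split reproduces the binary-splitting table; resolve always chooses the longest mask, follows a next-hop route to the route that names an interface (the recursive lookup) and refuses to loop forever; forward drops the packet when the TTL reaches zero or when no route or no ARP entry exists, which is exactly where a missing route or an unresolved next hop shows up when troubleshooting.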
In the topology above, R1 attaches its own interface MAC address as the source and R2's as the destination MAC address.
Address Resolution Protocol (ARP) table on R1:
To get a closer packet-level overview, I have also attached some packet captures taken on R1's interfaces.
Packet capture on R1's Fa0/1:
Packet capture on R1's Fa0/0:
Well!!!! There ends my first blog and I think I managed to brief how routers handle the packet.
Thank you for reading and I hope that it is informative.

BAR
Q1. TCP 3-way handshake. (Page 1 Q4)
Q2. Packet level: which bit is getting set?
Q3. Difference between push and urgent.
The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately. The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized.
Q4. Packet flow between two PCs.
Q5. ARP header size.
In this scenario, the packet has 48-bit fields for the sender hardware address (SHA) and target hardware address (THA), and 32-bit fields for the corresponding sender and target protocol addresses (SPA and TPA). Thus the ARP packet size in this case is 28 bytes. The EtherType for ARP is 0x0806.
Q6. DHCP.
DHCP works on the DORA process (DISCOVER - OFFER - REQUEST - ACKNOWLEDGEMENT).
1. When a client needs an IP configuration, it tries to locate a DHCP server by sending a broadcast called a DHCP DISCOVER.
This message has a destination IP of 255.255.255.255 and a destination MAC of ff:ff:ff:ff:ff:ff.
[Source IP - 0.0.0.0, Destination IP - 255.255.255.255, Source MAC - MAC address of host, Destination MAC - FF:FF:FF:FF:FF:FF]
2. On receiving the DHCP DISCOVER, the server sends a DHCP OFFER message to the client. The DHCPOFFER is a proposed configuration that may include an IP address, DNS server address, and lease time. This message is unicast, with the DHCP client's MAC address as the destination MAC and the DHCP server's as the source MAC.
[S.MAC - MAC address of server, D.MAC - MAC address of host]
3. If the client finds the offer agreeable, it sends a DHCP REQUEST message requesting those particular IP parameters. This message is a broadcast.
[Source MAC - MAC address of host, Destination MAC - FF:FF:FF:FF:FF:FF]
4. The server, on receiving the DHCP REQUEST, makes the configuration official by sending a unicast DHCP ACK acknowledgment.
[Source MAC - MAC address of server, Destination MAC - MAC address of host]
Q7. IPsec at packet level.
Q8. Difference between ASA and router.
Q9. SSL: how does SSL VPN work at the application layer?
SSL VPN provides remote-access connectivity from any internet-enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at the remote site.
In IPsec VPN the connection is initiated using preinstalled VPN client software, so it requires installation of special client software. In SSL VPN the connection is initiated through a web browser, so no special-purpose VPN client software is required, only a web browser.
At which layer does SSL VPN operate?
SSL is an application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.
Q10.
Proxy ARP.
Proxy ARP is the process in which one system responds to the ARP request for another system.
Example: Host A sends an ARP request to resolve the IP address of Host B. Instead of Host B, Host C responds to this ARP request.
Q11. NAT on ASA. (Page 13 – Q8)
Q12. DNS doctoring. (Page 17 – Q13)
Q13. FTP.
Q14. Where will we implement this in the firewall, i.e. active FTP and passive FTP, and what are the problems?
Q15. IP fragmentation.
Fragmentation is the process of breaking IP packets into smaller pieces (fragments). Fragmentation is required when the datagram is larger than the MTU. Each fragment then becomes a datagram in itself and is transmitted independently from the source. These datagrams are reassembled by the destination.
Q16. IP header: identification and offset fields.
The identification field is used to identify each fragmented packet so that the destination device can rearrange the whole communication in order.
1. When a host receives an IP fragment, it stores the fragment in a reassembly buffer based on its fragment offset field.
Q17. CSR for SSL VPN.
Q18. HTTP.
Q19. DHCP relay agent.
A DHCP relay agent is any host that forwards DHCP packets between clients and servers when the server is not on the same physical subnet. Relay agents forward requests and replies between clients and servers that are not on the same physical subnet. A DHCP relay agent can be configured using the ip helper-address command.
Q20. Configuration parameters of DHCP.
Q21. What will indicate a Phase 1 failure on an IOS device?
Q22. What can be the various reasons for IPsec negotiation?
Q23. What is NAT-T?
NAT traversal (network address translation traversal) is a computer networking methodology with the goal of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

FNF
Q1. How to change or reset the password on Cisco switches.
Q2. How to troubleshoot from the CLI when SmartView Tracker is not showing logs.
Q3.
How to make a backup from the Check Point CLI.
Use the upgrade_export command on the gateway. For a policy backup, use dbbackup or database revision control.
How can you take a manual backup of a Check Point and which folders are necessary?
$fwdir/bin
$fwdir/bin/upgrade-tools/objects.c
$fwdir/conf
Q4. Where are the logs stored?
Q5. Where will the backup file be stored?
Q6. What is HSRP? (Discuss all of it.)
HSRP is a routing protocol that provides backup to a router in the event of failure. Using HSRP, several routers are connected to the same segment of an Ethernet, FDDI or Token Ring network and work together to present the appearance of a single virtual router on the LAN.
Q7. What is EtherChannel, and why do we need EtherChannel?
EtherChannel is a port link aggregation technology or port-channel architecture used primarily on Cisco switches. It allows grouping several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault tolerance and high-speed links between switches, routers and servers.
Q8. What are the protocols of EtherChannel?
Q9. How can we configure EtherChannel?
Q10. Command for port security.
Q11. What are the AD values of EIGRP and OSPF? 90 and 110.
Q12. What is the AD value of EIGRP? 90.
Q13. What is OSPF?
Every OSPF router within the network has a 32-bit router ID that uniquely identifies it to the other routers on the network. Unlike EIGRP, OSPF prevents neighborships between routers with duplicate RIDs. All OSPF RIDs in a domain should be unique. The OSPF router ID should not be changed after the OSPF process is started and the OSPF neighborships are established.
If you change the OSPF router ID, you need to either reload the IOS or use the "clear ip ospf process" command (restart the OSPF process) for the changed RID to take effect.
To manually configure the router ID:
R1(config)# router ospf 5
R1(config-router)# router-id 5.5.5.5
Open Shortest Path First is an open-standard link-state routing protocol that uses the Dijkstra algorithm to construct the shortest paths and then populates the routing table with the resulting best paths.
Q14. What is the difference between OSPF and EIGRP?

                          | RIP                                                          | EIGRP                         | OSPF
Type                      | Distance Vector                                              | Advanced Distance Vector      | Link State
Subnet mask               | Classful (by default)                                        | Classful (by default)         | Classless
Algorithm                 | Bellman-Ford                                                 | Diffusing Update (DUAL)       | Dijkstra
AD value                  | 120                                                          | 90                            | 110
Maximum hops              | 15                                                           | 100 to 255                    | Unlimited
Layer                     | Works on Transport Layer                                     | Works on Network Layer        | Works on Network Layer
Port / protocol no.       | 520                                                          | 88                            | 89
Metric                    | Hop count                                                    | K-values                      | Cost
Multicast address         | 224.0.0.9                                                    | 224.0.0.10                    | 224.0.0.5, 224.0.0.6
Neighborship requirements | -                                                            | AS, K-values, authentication  | Area ID, hello interval, dead time, authentication
Timers                    | Update 30 sec, Hold 180 sec, Invalid 180 sec, Flush 240 sec  | Hello 5 sec, Hold 15 sec      | Hello 10 sec, Dead 40 sec
Authentication            | Version 1: no authentication; Version 2: plain text and MD5  | MD5                           | Type 0, plain text, MD5

Q15. What is the difference between ABR and ASBR?
ABR: It is the router that connects other areas to the backbone area within an autonomous system. An ABR can have its interfaces in more than one area.
What is an Autonomous System Border Router (ASBR)? It is the router that connects different autonomous systems.
Q16. What are the states of OSPF? Explain.
OSPF routers need to go through several states before establishing a neighbor relationship:
1. Down - No Hello packets have been received on the interface.
2. Attempt - In the Attempt state, neighbors must be configured manually.
It applies only to nonbroadcast multi-access (NBMA) networks.
3. Init - The router has received a Hello message from the other OSPF router.
4. 2-Way - The neighbor has received the Hello message and replied with a Hello message of its own. Bidirectional communication has been established. On a broadcast network the DR/BDR election can occur after this point.
5. Exstart - The DR and BDR establish adjacencies with each router in the network. The master/slave election takes place (the master sends its DBD first).
6. Exchange - Routing information is exchanged using DBD (Database Descriptor) packets and Link-State Requests (LSR). Link-State Update packets may also be sent.
7. Loading - LSRs (Link State Requests) are sent to neighbors for every network the router doesn't know about. The neighbor replies with LSUs (Link State Updates) containing information about the requested networks. Once the requested information has been received, the other neighbor goes through the same process.
8. Full - All neighbor routers have synchronized databases and adjacencies have been established.
Q17. What is the multicast IP address of OSPF?
OSPF uses the multicast addresses 224.0.0.5 and 224.0.0.6.
Q18. What is an ACL?
An Access Control List is a packet-filtering method that filters IP packets based on source and destination address. It is a set of rules and conditions that permit or deny IP packets, used to exercise control over network traffic.
Q19. Difference between standard and extended ACL.
A standard access list examines only the source IP address in an IP packet to permit or deny that packet. It cannot match any other field in the IP packet. Standard access lists can be created using the access-list numbers 1-99 or the expanded range 1300-1999. A standard access list must be applied close to the destination.
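To make the first-match, source-only behaviour concrete, here is an added Python example (not from the page) that parses IOS-style access-list lines into entries and evaluates sample packets against them. It covers both the standard list described here and the extended form introduced later in this answer; the constructed packets, the access-list 20 line and the trailing permit ip any any entry are assumptions made for illustration.

```python
"""Added example (not from the page): IOS-style access-list entries as data,
first-match evaluation with the implicit deny, standard (source-only) versus
extended (protocol, source, destination, port) matching."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol; standard lists are always "ip"
    src: str = "0.0.0.0/0"       # "any" in IOS syntax
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # "eq <port>" in IOS syntax

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or pkt.dport == self.dport


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """IOS wildcard mask (0 bits must match) to a CIDR prefix; rejects non-contiguous masks."""
    mask = int(ip_address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard masks are not modelled here")
    return str(ip_network(f"{addr}/{prefixlen}", strict=False))


def parse_ace(line: str) -> Entry:
    """Parse one 'access-list <number> ...' line. Numbers 1-99 and 1300-1999 are standard
    lists (action + source only); everything else is treated as an extended list."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]

    def take_address(toks):
        if toks[0] == "any":
            return "0.0.0.0/0", toks[1:]
        if toks[0] == "host":
            return f"{toks[1]}/32", toks[2:]
        return wildcard_to_network(toks[0], toks[1]), toks[2:]

    if 1 <= number <= 99 or 1300 <= number <= 1999:
        src, _ = take_address(rest)
        return Entry(action, "ip", src)
    proto, rest = rest[0], rest[1:]
    src, rest = take_address(rest)
    dst, rest = take_address(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Entry(action, proto, src, dst, dport)


def evaluate(acl, pkt: Packet):
    """First matching entry decides: returns (action, entry index).
    No match falls through to the implicit deny at the end of every IOS ACL."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


# The page's two example lines, plus an assumed explicit permit so that the
# extended list does more than deny everything.
STANDARD_10 = [parse_ace("access-list 10 deny host 192.168.1.1")]
EXTENDED_110 = [parse_ace("access-list 110 deny tcp any host 192.168.1.1 eq 23"),
                parse_ace("access-list 110 permit ip any any")]

if __name__ == "__main__":
    telnet = Packet("tcp", "10.0.0.5", "192.168.1.1", 23)          # constructed sample traffic
    web_from_blocked_host = Packet("tcp", "192.168.1.1", "10.0.0.5", 80)
    print("standard 10:", evaluate(STANDARD_10, web_from_blocked_host))
    print("extended 110:", evaluate(EXTENDED_110, telnet))
```

Two things the model makes visible: a standard list cannot tell destinations or ports apart, so access-list 10 denies Telnet and web traffic from 192.168.1.1 alike; and because every IOS ACL ends with an implicit deny, a list containing only deny entries also blocks every other source, which is why the extended list above is given an explicit permit.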
Because we are filtering based only on the source address, if we put the standard access list close to the source host or network, nothing would be forwarded from that source.
Example:
R1(config)# access-list 10 deny host 192.168.1.1
R1(config)# int fa0/0
R1(config-if)# ip access-group 10 in
Explain extended access lists.
An extended access list filters network traffic based on the source IP address, the destination IP address, the protocol field at the network layer and the port number field at the transport layer. Extended access lists range from 100 to 199, or 2000-2699 in the expanded range. An extended access list should be placed as close to the source as possible: since it filters traffic based on specific addresses (source IP, destination IP) and protocols, we don't want the traffic to traverse the entire network just to be denied, wasting bandwidth.
Example:
R1(config)# access-list 110 deny tcp any host 192.168.1.1 eq 23
R1(config)# int fa0/0
R1(config-if)# ip access-group 110 in
Q20. What are the types of ACL?
There are two main types of access lists:
1. Standard access list.
2. Extended access list.
Q21. Configuration of switch ACL.

TTNI
Q1.
What is the difference between Cisco ASA and Check Point?
1. Cisco ASA: Firewall throughput ranges from 5 Gbps up to 20 Gbps (a low-end device in the 5500 series supports 5 Gbps, a high-end device supports 20 Gbps); with VPN, throughput reduces to 1 Gbps to 5 Gbps, and with IPS performance reduces further.
   Check Point: Firewall throughput ranges from 3 Gbps up to 200 Gbps (the low-end 2200 appliance supports 3 Gbps, the high-end 61000 supports 200 Gbps); with IPS, throughput reduces to 2 Gbps (on the lower-end device) to 85 Gbps (on the higher-end device).
2. Cisco ASA: Context-based mode is available.
   Check Point: Has a similar offering, Security Gateway Virtual Edition (VE).
3. Cisco ASA: Context-based mode has the following limitations: 1. VPN services such as remote access or site-to-site VPN tunnels will not work; 2. dynamic routing protocols are not supported, only static routes; 3. threat detection (IDS/IPS) is not supported; 4. QoS is not supported; 5. ASA resources are shared between the contexts on the hardware platform.
   Check Point: Does not have this limitation, since you can scale up the base hardware based on the number of virtual firewalls you want to implement, and it is easily portable to new hardware.
4. Cisco ASA: Can have only 2 gateways in an active/active cluster.
   Check Point: ClusterXL can support up to 5 gateways in a cluster.
5. Cisco ASA: Active/active is not a true cluster, since it is only of use if you are running multiple contexts (one context is active on one gateway and another context is active on the other).
   Check Point: ClusterXL is a true cluster; you can utilize all 5 gateways simultaneously.
6. Cisco ASA: Cisco's base is routing; later, as per market demand, they developed security.
   Check Point: The stateful firewall was first invented by Check Point (Nir Zuk).
7. Cisco ASA: Does not support FQDN.
   Check Point: FQDN is supported.
8. Cisco ASA: Not possible.
   Check Point: User-based access can be provided (Identity Awareness blade) based on Active Directory login information.
9. Cisco ASA: Not possible.
   Check Point: Access can be granted based on the system name or a destination domain object rather than the IP.
10. Cisco ASA: Does not provide this information; apart from this, Cisco ASA requires a separate syslog server for logging.
    Check Point: Logging and tracking are easy and comprehensive; with the Identity Awareness blade you have machine details logged along with the user ID information.
Q2. What is SIC? What is its purpose?
It stands for Secure Internal Communication and is a Check Point proprietary protocol. It creates a secured tunnel between the enforcement module and the management server, and from the management server to the management console.
Q3. Process for backup.
Q4. Difference between snapshot and backup.
Q5. What is the stealth rule and what is its purpose?
The firewall stealth rule is the explicit rule near the top of the policy denying access to the firewall beyond what is required to manage the device.
Q6. What is the cleanup rule and what is its purpose?
A cleanup rule drops all traffic that is not permitted by the previous rules. The cleanup rule is an explicit deny rule with logging enabled; it needs to be the last rule in the rulebase.
Q7. What is FWM?
The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is therefore responsible for policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.
Q8. What is CPD?
CPD is high in the hierarchical chain and helps to execute many services, such as Secure Internal Communication (SIC), licensing and status reports.
Q9. What is RTM?
Q10. What is tcpdump?
It captures at the i and O positions of fw monitor, so you can be sure the traffic has left the firewall.
This is similar to the way captures work on a Cisco PIX/ASA.
So, which one do you use? Suppose you run tcpdump and see the incoming traffic but don't see the traffic leaving the exit interface. You could guess it's a routing or NAT issue, but to be sure without wasting time looking through the routes or the NAT rules you could run fw monitor and know what the issue is.
Q11. How can we check the logs between two gateways?
Q12. What are the modes of the firewall?
Routed mode overview; transparent mode overview.
Q13. What is a context?
Explain security contexts.
We can partition a single ASA into multiple virtual devices, known as security contexts. Each context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.
What features are supported in multiple context mode? Routing tables, firewall features, IPS, and management.
What features are not supported in multiple context mode? VPN and dynamic routing protocols.
Q14. How do we create a context?
Q15. Where do we create a context: in a routed firewall or a transparent firewall?
Q16. What is a transparent firewall?
In transparent mode, the ASA acts as a Layer 2 device like a bridge or switch and forwards Ethernet frames based on the destination MAC address.
What is the need for a transparent firewall? Deploying a new firewall into an existing network can be a complicated process due to various issues like IP address reconfiguration, network topology changes, the current firewall, etc. We can easily insert a transparent firewall into an existing segment and control traffic between the two sides without having to readdress or reconfigure the devices.
Q17. What is the difference between a switch and a transparent firewall?
The ASA does not flood unknown unicast frames that are not found in the MAC address table.
The ASA does not participate in STP.
A switch processes traffic at Layer 1 and Layer 2, while the ASA can process traffic from Layer 1 to Layer 7.
Q18.
Can we create a context in routed mode?
Q19. What is IPsec?
IP Security Protocol VPN means VPN over IP Security. It allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data authentication between participating peers.
At what layer does IPsec work? IPsec secures IP traffic at Layer 3 (the network layer) of the OSI model.
Name a major drawback of IPsec. IPsec only supports unicast IP traffic.
Q20. By default, which mode is available in IPsec?

MIND TREE
Q1. Suppose a switch is connected to a router and two PCs are connected to the switch. How will PC A and PC B communicate? Here is the scenario.
Q2. Suppose four PCs (A, B, C, D) are connected to switch 1 and four PCs (E, F, G, H) are connected to switch 2. In this scenario I want PC A to communicate with PC E. What are the steps for this task?
Q3. In this scenario router R1 and router R2 are connected to SW1 and SW2. PC1 and PC2 are connected to SW1 and SW2. PC1 and PC2 want to communicate with each other. What are the steps? The scenario is below.
Q4. What is dynamic configuration of VLANs?
Q5. What is IPv4? Discuss in detail.
Q6. What are the TCP flags?
TCP flags are used to influence the flow of data across a TCP connection.
1. Push (PSH) - Pushes the buffered data to the receiver's application. If data is to be sent immediately, we push it.
2. Reset (RST) - Resets the connection.
3. Finish (FIN) - Finishes the session. It means no more data from the sender.
4. Urgent (URG) - Used to set priority, telling the receiver that this data is important.
5. Acknowledgement (ACK) - All packets after the SYN packet sent by the client should have this flag set. ACK=10 means the host has received bytes 0 through 9 and is expecting byte 10 next.
6. Synchronize (SYN) - Initiates a connection. It synchronizes the sequence numbers.
Q7. What is the reset flag and what is its purpose?
Q8. What is the three-way handshake? (Page 1 Q4)
Q9.
What is the four-way handshake?
Q10. What is NAT?
Q11. What is the order of NAT? (Page 13 Q8)
Q12. What are dynamic NAT and dynamic PAT, and what is their syntax?
Q13. What is the packet-tracer command, and how does it check the packet?
The packet-tracer command provides detailed information about packets and how they are processed by the ASA. If a command from the configuration did not cause the packet to drop, the packet-tracer command provides information about the cause in an easily readable format. For example, if a packet was dropped because of an invalid header validation, the following message appears: "packet dropped due to bad ip header (reason)."
Q14. What are the security parameters of IPsec Phase 1? HAGLE.
Q15. By default, which mode is available in Phase 1?
Q16. Phase 1 and Phase 2 are active and data is being encrypted but not decrypted. How do you troubleshoot that?

CAPGEMINI
Q1. In a network there are two routers. On router R1 the EIGRP protocol is running and on router R2 the OSPF protocol is running. PCs are connected to routers R1 and R2. PC1 and PC2 want to communicate with the internet. Which protocol will the PCs prefer? The scenario is below.
Q2. Now in this scenario the network of R1 is 192.1.1.0/24 and the network of R2 is 192.1.1.0/28. Now which protocol will the PCs prefer?
Q3. In this scenario PC1 is connected to SW1 in VLAN 10 and PC2 is connected to SW2 in VLAN 20. How will these PCs communicate?
Q4. What is the difference between NAT and PAT?

CGI
Q1. All of EIGRP, OSPF and switching (STP, RSTP, EtherChannel, HSRP).
Q2. Modes of IPsec.
There are two modes in IKE Phase 1:
Main mode - A total of six messages are exchanged in main mode to establish the Phase 1 SA.
Aggressive mode - Faster than main mode, as only three messages are exchanged in this mode to establish the Phase 1 SA.
It is faster but less secure.
At the end of Phase 1, a bidirectional ISAKMP/IKE SA (Phase 1 SA) is established for IKE communication.
Phase 2
IKE Phase 2 protects the user data and establishes the SA for IPsec. There is one mode in IKE Phase 2:
Quick mode - Three messages are exchanged in this mode to establish the Phase 2 IPsec SA.
At the end of the Phase 2 negotiations, two unidirectional IPsec SAs (Phase 2 SAs) are established for user data, one for sending and another for receiving encrypted data.
Q3. Negotiation of packets between site-to-site VPN peers.

CIGITAL
Q1. What are the differences between the 5510 and the 5512?
Q2. What is a Layer 3 switch?
Q3. What are the differences between a Layer 2 and a Layer 3 switch?
Q4. What is the difference between EIGRP and OSPF?

                          | RIP                                                          | EIGRP                         | OSPF
Type                      | Distance Vector                                              | Advanced Distance Vector      | Link State
Subnet mask               | Classful (by default)                                        | Classful (by default)         | Classless
Algorithm                 | Bellman-Ford                                                 | Diffusing Update (DUAL)       | Dijkstra
AD value                  | 120                                                          | 90                            | 110
Maximum hops              | 15                                                           | 100 to 255                    | Unlimited
Layer                     | Works on Transport Layer                                     | Works on Network Layer        | Works on Network Layer
Port / protocol no.       | 520                                                          | 88                            | 89
Metric                    | Hop count                                                    | K-values                      | Cost
Multicast address         | 224.0.0.9                                                    | 224.0.0.10                    | 224.0.0.5, 224.0.0.6
Neighborship requirements | -                                                            | AS, K-values, authentication  | Area ID, hello interval, dead time, authentication
Timers                    | Update 30 sec, Hold 180 sec, Invalid 180 sec, Flush 240 sec  | Hello 5 sec, Hold 15 sec      | Hello 10 sec, Dead 40 sec
Authentication            | Version 1: no authentication; Version 2: plain text and MD5  | MD5                           | Type 0, plain text, MD5

Q5. What is a zone-based firewall?
Zone-Based Firewall is the most advanced method of stateful firewall available on Cisco IOS routers. The idea behind ZBF is that we don't assign access lists to interfaces but create different zones. Interfaces are assigned to the different zones and security policies are assigned to the traffic between zones.
Q6. Do you know about Check Point logs?
Q7. Are you working with Check Point right now?
Q8. Which protocol are you working on?
Q9.
Difference between IPsec VPN and SSL VPN.
SSL VPN provides remote-access connectivity from any internet-enabled device through a standard web browser and its native SSL encryption. It does not require any special client software at the remote site.
In IPsec VPN the connection is initiated using preinstalled VPN client software, so it requires installation of special client software. In SSL VPN the connection is initiated through a web browser, so no special-purpose VPN client software is required, only a web browser.