SIMOS

Implementing Cisco Secure Mobility Solutions

Instructor: Graham Tuthill

Location: Wokingham

Start Time 9:30

Please check you have access to the electronic course material,details of which would have been emailed to you directly formCisco Check your SPAM folder

Course Times:Monday 9:30 to 4:30Tuesday 9:00 to 4:30Wednesday 9:00 to 4:30Thursday 9:00 to 4:30Friday 9:00 to ?

Breaks:Coffee am 10:45/15 minsLunch 12:30/35 minsCoffee pm 2:45/15 mins

My Websitedefaultgateway.co.uk

Wireless key323-010-323

Local Admin PCPassword =Pa$$w0rd

Here are you license codes for the course material

Monza

ConfidentialityEncryption

Symetric &Asymetric(keys)

Symetricencryption

Alice Bob

DES3DESAESTKIPRC4CAST/SWORDFISH

DES

64Clear Text

Alice Bob

32 32

xor

32!6 Rounds

Cipher Text

Encrypted

Clear Text

56 Key

3DES

56

56

56

Data Intergrity

101

eve

101

SHA/MD5

111111

SHA_HMAC

+ Authentication

Amazon

https://

Public Key

VerisignPubPvt

RC4

Nick/AndreasRalf/Colin

Graham/PaulPhil/Mohamed

AndrejIan

Paul

PerRadoslaw

Internet

London

Wokingham

Lunch to 1:15

IPSEC

AH ESPAuthenticationHeader

Encapsulatingsecurity Payload

Data IntergrityData AuthenticationAnti Replay Data Confidentiality

Data IntergrityData AuthenticationAnti Replay

AES/DES/3DESetc

SHA_HMAC

Sequencenumbers

IPSEC-ESP

IP

Tunnel

Transport

PubPVT PVT

Hashed

Encrypted

ESP

SPI#

Seq #Padding

HASH

IKE V1 & V2(isakmp)

IPSEC/ESP

Diffie Hellman

Auhenticate

DHValue DH

Value

PSKs/Certs

UDP/500

SADs

ESP-DESESP-SHA

1234

POLICY

DES/3DES/AES

Main Mode

Aggresive Mode

Quick Mode

Policy #

Transform set (name)

Complete Lab 2-1 by 9:00 am tomorrow

We will start the theory at 9:00

IKE V1

Phase 1

Phase 2

IKE V2

All in one phase

Child SA mainSA

Policy # (Low is best)

Transform Set (Name) x

DH GroupDES/3DESPSK/CertsLifetimeHashing (HAGLE)

ESP - AESESP -SHA_HMACDefault (Tunnel mode) PFS DH Group #

IOS/ASA

Crypto-Map 10 (name)

Peer IP AddressCrypto ACLTransform-set (name)

Ge0/0

ASAstill uses crypto maps

IPSEC

IOSOld way crypto maps

New way VTIs and or DVTIs

Ge0/0 Tunnel 0 IPSEC

VTI VTI

DVTI

TEMPLATE

DVTI

VTI VTI

DMVPNsSpoke to Spoke (Dymanically)Spoke to Hub is ManualThere are no VTIs or DVTIsGRE & NHRP

192.168.3.0/24 N/H = 10.1.1.3

OSPFOSPF

NHR Request

NHR Response

192.168.2.0/24 N/H = 10.1.1.2

IPSEC

IKEv1

Ph1

Ph2

Policy

D/H

Authc

IkeV2

Complete Lab 3-1 by 12:00 am (maybe :-))

Complete Lab 3-1 by 1:10 pm including a Lunch Break

At 1:10 I will complete the FlexVPN Theory about 20minutes

There will still be 2 labs left 3-2 and 3-3 however wehave to stop and move onto the Remote Access VPNpart of the course.

You can return to the remaining FlexVPNs labs at anytime between now and Friday afternoon as theirconfigration and operation or non operation :-) willhave no impact on any of the labs we will be doing forremote access.

ISPSSL/TLS

WWW

Web Portal

Bookmarks-URL Hyperlinks

HttphttpsFTPCIFS

PLUGINS

RDPVNCCITRIXSSH

Cisco.com & downloadInstall

Smart Tunnels Broker Applet

RDPNatively

TCP (Basic)

ISP

ASA

Clientless SSLSSL IPSEC(IKEV2)

Clients

Server

Connection ProfileAKA Tunnel Groups

Tunnel Groups = CLIConnection Prof = ASDM

A method ofAuthentication

AB Group Policy

DfltGrpPolicy

Hours of Access = 9 - 5

Manchester office/CP

Hours Access 6 - 6

IT Admins 6-12

London 9 - 4/CP

Man Manachester 24

Complete Lab 4-1 by 9:15 Thursday morning

Then straight into the next theory

Lab approx 45/60 minutes

Complete Lab 4-2 by 11:00 am including coffee

Complete Lab 4-3 advanced Clientless Config (Authc/Authz)

Should take you about 30 minutes. With about a 40 Minute Lunchbreak.

I am going to start Module 5 Client SSL & IPSEC VPNs Theory at1:15.

The rest of today will be a mixture of SSL/IPSEC Client theory andlabs. I anticipate completing 2 more labs today 5-1 & 5-2.

This will leave lab 5-3 for tomorrow (IPSEC Client VPN IKEv2)

Tomorrow morning I will start module 6 (DAP) and have the theoryand lab for this module complete around 1:30.

If you then wish to return to Lab 3-2/3-3 you have the rest of thetomorrow afternoon to do this.

ISPPvt Pvt

SSL

Complete Lab 5-1 by 3:00pm including coffee

Complete Lab 5-2 Advanced SSL Client by 9:00 am Friday

Please check the time on the ISE & AD they have to be within5 minutes of each other, show time in the ISE CLI.

If they are not then delete the NTP Server from ISE in the CLIand Add again, this will solve your problem.

To access the ISE CLI click on the icon in the diagram.

The ISE cli is nearly the same as IOS.

Lab 5-3 Completed by 10:35 including coffee

DAP Policy

ActionRich set

AAA Criteria(Local/Remote)

Host Scan

Complete Lab 6-1 (3-2 & 3-3) by 4:00 pm FridayLab 6-1 should only take you about 45 minutes

I will post these drawings to my website now

My email is graham.tuthill@globalknowledge.co.uk

Have a good weekend

Please read the Lab tips for Lab 6-1