Cisco IOS – Enabling LLDP

KB ID 0001289 

Problem

If you’re running Cisco IOS on all you devices then you can use CDP  to see what’s directly connected, (unless you are on a Cisco firewall, but I did say IOS devices). 

[box]

Petes-Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Petes-CPE.petenetlive.com
                 Gig 1/0/19        148             R S I  CISCO2901 Gig 0/0
Petes-Switch#

[/box]

But just about every other vendor uses LLDP (Link Layer Discovery Protocol,) to do the same job. So how do you discover what ports you are plugged into on them, or what they are?

 

Solution

Well in most cases, (depending on your code) your devices also support LLDP, it’s just disabled by default. You simply turn it on with an ‘lldp run’ command.

[box]

Petes-Switch(config)#lldp run
Petes-Switch(config)#exit
Petes-Switch#show lldp ?
  entry      Information for specific neighbor entry
  errors     LLDP computational errors and overflows
  interface  LLDP interface status and configuration
  neighbors  LLDP neighbor entries
  traffic    LLDP statistics
  |          Output modifiers
  

[/box]

Now I see my neighbours, (yes that is how it’s spelt I’m English!) In my example below the neighbour is a Dell Switch.

[box]

Petes-Switch#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
90b1.1cf4.39e1      Gi1/0/11       120                        ManagementEthernet 0/0
90b1.1cf4.39e1      Gi1/0/14       120                        TenGigabitEthernet 1/45
90b1.1cf4.39e1      Gi2/0/13       120                        TenGigabitEthernet 0/44
90b1.1cf4.39e1      Gi1/0/13       120                        TenGigabitEthernet 1/44
90b1.1cf4.39e1      Gi2/0/14       120                        TenGigabitEthernet 0/45
90b1.1cf4.39e1      Gi1/0/16       120                        TenGigabitEthernet 1/47
90b1.1cf4.39e1      Gi2/0/16       120                        TenGigabitEthernet 0/46
90b1.1cf4.39e1      Gi1/0/15       120                        TenGigabitEthernet 1/46
90b1.1cf4.39e1      Gi2/0/15       120                        TenGigabitEthernet 0/47

Total entries displayed: 9

[/box]

 

Related Articles, References, Credits, or External Links

HP Networking – Tracing Networks and Locating IP addresses

Microsoft Azure To Cisco ISR Router Site to Site VPN

KB ID 0001220 

Problem

Last week I was having problems getting a VPN up from a client’s Cisco ASA into Azure. This was because the Azure estate was using ‘route-based‘ or a ‘dynamic routing VPN‘. See the following article;

Azure to Cisco VPN – ‘Failed to allocate PSH from platform’

So the firewall was a non-starter, but Cisco ISR routers are supported, and they can handle virtual tunnel interfaces (VTI’s). So I used a Cisco ISR 1921 router, sat that beside the firewall, and gave that a public IP. Note: I did have to route the traffic to Azure, to use this router instead of the firewall but that’s easy. 

Now we just need to  get the VPN Tunnel up.

 

Solution

OK, before you get started your router needs to be able to support crypto/VPN’s. That means you should be running a ‘security’ license (show license should say you have a securityk9 licence installed and running, or K8 if you live in North Korea, or 1986). If you don’t, the router will not recognise any of the crypto commands.

To establish ‘Phase 1‘ of the VPN tunnel we need an IKE proposal. Note I’m using IKEv2, that is a requirement for route-based, or dynamic routing from Azure.

[box]

Petes-ISR#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Petes-ISR(config)#crypto ikev2 proposal IKE-PROP-AZURE 
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured 
Petes-ISR(config-ikev2-proposal)# encryption aes-cbc-256 aes-cbc-128 3des 
Petes-ISR(config-ikev2-proposal)# integrity sha1 
Petes-ISR(config-ikev2-proposal)# group 2 
Petes-ISR(config-ikev2-proposal)# exit

[/box]

Then add the proposal we created above to an IKEv2 Policy, (Note: a policy can have multiple proposals).

[box]

Petes-ISR(config)#crypto ikev2 policy IKE-POLICY-AZURE
IKEv2 policy should have atleast one complete proposal attached 
Petes-ISR(config-ikev2-policy)# proposal IKE-PROP-AZURE
Petes-ISR(config-ikev2-policy)# exit

[/box]

Create a keyring, (in IKEv2 you can have multiple keys), and specify your VPN pre shared key, (PSK or shared secret).

[box]

Petes-ISR(config)#crypto ikev2 keyring KEYRING-AZURE
Petes-ISR(config-ikev2-keyring)# peer 40.113.16.195
Petes-ISR(config-ikev2-keyring-peer)# address 40.113.16.195
Petes-ISR(config-ikev2-keyring-peer)# pre-shared-key 1234567890asdfg
Petes-ISR(config-ikev2-keyring-peer)# exit
Petes-ISR(config-ikev2-keyring)# exit

[/box]

Now all the ‘Phase 1‘ settings get tied together in a Phase 1 profile. (Note: GigabitEthernet0/0 is the public facing port, yours may be different).

[box]

Petes-ISR(config)#crypto ikev2 profile PROFILE-PH1-AZURE
% IKEv2 profile MUST have match identity or match certificate statements
Petes-ISR(config-ikev2-profile)# match address local interface GigabitEthernet0/0
Petes-ISR(config-ikev2-profile)# match identity remote address 40.113.16.195 255.255.255.255
Petes-ISR(config-ikev2-profile)# authentication remote pre-share
Petes-ISR(config-ikev2-profile)# authentication local pre-share
Petes-ISR(config-ikev2-profile)# keyring KEYRING-AZURE
Petes-ISR(config-ikev2-profile)# exit

[/box]

For ‘Phase 2‘ (IPSEC) you create a ‘transform set’.

[box]

Petes-ISR(config)#crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
Petes-ISR(cfg-crypto-trans)# mode tunnel
Petes-ISR(cfg-crypto-trans)# exit

[/box]

Then you tie all the ‘Phase 2‘ settings together with a ‘Phase 2’ profile, and link that back to the ‘Phase 1‘ profile.

[box]

Petes-ISR(config)#crypto ipsec profile PROFILE-PH2-AZURE
Petes-ISR(ipsec-profile)# set transform-set TRANSFORM-AZURE
Petes-ISR(ipsec-profile)# set ikev2-profile PROFILE-PH1-AZURE
Petes-ISR(ipsec-profile)# exit

[/box]

You then need to create a tunnel, that will use all these settings.

Note: Yes you can use 169.254.x.x (I know it’s an APIPA address, but it will work fine).

[box]

Petes-ISR(config)#int tunnel 1
Petes-ISR(config-if)# ip address 169.254.0.1 255.255.255.0
Petes-ISR(config-if)# ip tcp adjust-mss 1350
Petes-ISR(config-if)# tunnel source GigabitEthernet0/0
Petes-ISR(config-if)# tunnel mode ipsec ipv4
Petes-ISR(config-if)# tunnel destination 40.113.16.195
Petes-ISR(config-if)# tunnel protection ipsec profile PROFILE-PH2-AZURE
Petes-ISR(config-if)# exit

[/box]

Finally the router needs to ‘know’ that traffic destined for Azure is sent down the VPN tunnel.

[box]

Petes-ISR(config)#ip route 10.0.0.0 255.255.255.0 tunnel 1

[/box]

Do I Need To Worry About NAT?

No, (even if you are doing NAT Overload). Unlike an IPSEC VPN on a firewall you do not need to exempt the traffic for the VPN, from NAT translation. That’s because it leaves the router through the tunnel interface and not the public facing interface.

Below are all the commands you can copy and paste and change accordingly;

[box]

Assumptions

192.168.100.0/24 is behind the router
10.0.0.0/16 is the Azure network
40.113.16.195 is the Azure Gateway IP
1234567890asdfg is the pre shared key
GigabitEthernet0/0 is the ‘public facing interface on the router’


!
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto ikev2 proposal IKE-PROP-AZURE
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
 exit
!
crypto ikev2 policy IKE-POLICY-AZURE
 proposal IKE-PROP-AZURE
 exit
!
crypto ikev2 keyring KEYRING-AZURE
 peer 40.113.16.195
   address 40.113.16.195
   pre-shared-key 1234567890asdfg
   exit
 exit
!
crypto ikev2 profile PROFILE-PH1-AZURE
 match address local interface GigabitEthernet0/0
 match identity remote address 40.113.16.195 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring KEYRING-AZURE
 exit
!
crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
!
crypto ipsec profile PROFILE-PH2-AZURE
 set transform-set TRANSFORM-AZURE
 set ikev2-profile PROFILE-PH1-AZURE
 exit
!
int tunnel 1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 40.113.16.195
 tunnel protection ipsec profile PROFILE-PH2-AZURE
 exit
!
ip route 10.0.0.0 255.255.255.0 tunnel 1

[/box]

 

Related Articles, References, Credits, or External Links

Microsoft Azure To Cisco ASA Site to Site VPN

PPTP VPN – Enable Split Tunneling

 

KB ID 0000997 

Problem

I was asked yesterday, “When you get five minutes, I need split tunneling setup, when I VPN into a network I lose Internet connectivity”. On inspection he was using the Microsoft VPN client, I jumped on the VPN device to discover it was a Cisco IOS router.

What I discovered was, unlike the firewall VPN’s I’m used to, you DONT set split tunneling up on the VPN device, you set it up on the client, (and its a bit clunky – sorry!)

Solution

1. Windows Key + R > ncpa.cpl {Enter} > Locate the VPN connection > Right Click > Properties > Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.

2. Untick “Use default gateway on remote network” > OK > OK > OK.

BE AWARE: There is a downside to doing this, as site visitor Clayton Webb points out;

“Unchecking that default gateway is a godsend, until end users use their laptops for torrents, malware, etc. If you have the time I’d recommend a direct access setup for company equipment. VPN w/ NPS health validators for non-company equipment.”

I agree, I would only ever see this as a temporary solution for the ‘technically savvy’.

3. WARNING: At this point you may find you can connect to the VPN, and your Internet now works, (hooray!) But you can no longer talk to any servers or systems on the site you are VPN’d into. This is a Windows routing problem, lets take a look at what IP address I’m getting from the VPN Device.

Above you can see Ive got an IP address of 192.168.2.207, and in my case I don’t have a default gateway (this is not unusual, yours may be the same or you may have a default gateway as well).

4. If you open a command window and issue a ‘route print’ command, you can see the reason I don’t have a default gateway is my gateway is may actual IP address (again this is not unusual, In my case I need to remember 192.168.2.207, if you have a different gateway listed thats the one you need to take notice of).

5. Run a command window (as administrator) and issue a ‘route add‘, command like below.

Note: -P Adds the route persistently (will remain after a reboot). The network you are trying to get to will probably be a different network, to the network IP you are being leased to you by the VPN device. If you have multiple networks you will need a ‘route add’ for each one.

6. To demonstrate; below I can’t get to 192.168.1.1, I then enter the ‘route add’ command, and after that I can get to 192.168.1.1.

Note: I’m not adding my route as persistent!

 

Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

GNS3 – Error ‘ghostsize is to small for device’

KB ID 0000935 

Problem

While doing a quick lab in GNS3, I tried to add NAT to a router, and it fell over with the following error;

[box]

R3(config-if)#ip nat outside
% NBAR ERROR: parsing stopped
% NBAR Error : Activation failed due to insufficient dynamic memory
% NBAR Error: Stile could not add protocol node
%NAT: Error activating CNBAR on the interface FastEthernet0/0
R3(config-if)#
*Mar 1 00:01:11.655: %SYS-2-MALLOCFAIL: Memory allocation of 10260 bytes failed
from 0x62915CD4, alignment 0
Pool: Processor Free: 28660 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 93, -Traceback= 0x6148BFF8 0x60016604 0x6001C564 0x6001CBBC 0x636756E4 0x62915CDC 0x628F468C 0x628F9DA0 0x628F5968 0x628FA474 0x628F5968 0x628F8344 0x628F5968 0x628F5B2C 0x62928FBC 0x62933A20
*Mar 1 00:01:11.659: %NBAR-2-NOMEMORY: No memory available for StILE lmalloc, -Traceback= 0x6148BFF8 0x62915CF8 0x628F468C 0x628F9DA0 0x628F5968 0x628FA474 0x628F5968 0x628F8344 0x628F5968 0x628F5B2C 0x62928FBC 0x62933A20 0x62920BD0 0x6293DF70 0x6293E2F0 0x61C77C70
R3(config-if)#
*Mar 1 00:01:12.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R3(config-if)#

[/box]

A quick Google told me, this was because I didn’t have enough memory assigned to the router, and I was supposed to change this, save the new setting, and reload the router. But as soon as I did that, this happened. (Note: Seen in GNS3, I could not console to the router).

[box]

GNS3 management console. Running GNS3 version 0.8.6.
Copyright (c) 2006-2013GNS3 Project.

=> *** Warning: ghostsize is to small for device R3. Increase it with the ghostsize option.

[/box]

Solution

1. Locate the filename.net file for your project, and open it.

Note: Usually in C:Users{user-name}GNS3Projects

2. Locate the section that contains your router settings, (you should see the IOS image name). Below that change the RAM value, here I changed it from 128 to 256, then save the file and reopen your GNS3 project.

3. To stop this happening again, whilst in GNS3 > Edit > IOS Images and Hypervisors > Locate the router image, and set the default RAM figure here > Save > Click Test settings to make sure.

Related Articles, References, Credits, or External Links

NA

Cisco Router – Configure Site to Site IPSEC VPN

KB ID 0000933

Problem

I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.

I’m going to use the IP addresses above, and my tunnel will use the following settings;

  • Encryption: AES.
  • Hashing: SHA.
  • Diffie Hellman: Group 2.
  • PFS: Enabled.
  • Authentication method: Pre-Shared Key.

Solution

1. Setup a policy for phase 1 of the tunnel (ISAKMP).

[box]

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#crypto isakmp key SecretK3y address 1.1.1.2

[/box]

2. Setup an ACL to define what traffic will be encrypted, and a ‘Transform set’ that will dictate the encryption and hashing for phase 2 (IPSEC).

[box]

R1(config)#ip access-list extended VPN-ACL
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)#crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

[/box]

3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.

[box]

R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL

[/box]

4. Apply that crypto map to an interface, (usually the Internet facing one).

[box]

R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#

[/box]

5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;

[box]

R1#show run
Building configuration...

Current configuration : 1249 bytes
------------output removed for the sake of space------------
!

ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!

------------output removed for the sake of space------------
!
line aux 0
!

[/box]

6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:

  • Permit=Perform NAT
  • Deny=Don’t perform NAT

On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#write mem
Building configuration...
[OK]

[/box]

7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.

[box]

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP

no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

[/box]

8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!

[box]

show crypto isakmp sa
show crypto ipsec sa

[/box]

WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;

[box]

ip access-list extended outside-in
 permit esp host 1.1.1.1 any
 permit udp host 1.1.1.1 any eq isakmp
 permit udp host 1.1.1.1 any eq non500-isakmp

[/box]

If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Setup Remote Telnet/SSH Management

KB ID 000093

Problem

Having the ability to remotely administer network devices, means I don’t have to get my lazy carcass out of my chair and start fishing console cables out of my bag, also it saves on shoe leather, and travelling time.

Solution

Cisco Router / Switch – Setup Telnet Access

These days people frown at Telnet. It’s an insecure protocol so your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I’ll start with Telnet.

1. Log in the the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.

[box]

Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet 
Router0(config-line)# password P@ssword123

[/box]

2. Save the changes and test.

[box]

Router0(config)#exit
Router0#write mem 
Building configuration...
[OK]
Router0#

[/box]

Cisco Router / Switch – Setup SSH Access

1. SSH is a little more involved, before you can connect via SSH, you need a certificate, and before you can generate a certificate, you need a host name and a domain name.

[box]

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)

Petes-Router(config)#

[/box]

2. Another prerequisite is you need usernames and passwords, these can be managed by a separate AAA solution like RADIUS, TACACS+, or Active Directory. But for this example I’ll simply set them up on the device, and use local authentication.

Note: I set myself up with privilege 15, this means when I log on, I automatically log on at enable mode, the other user account does not, and needs to know the enable password to make any changes.

[box]

Petes-Router(config)#username testuser password testpassword
Petes-Router(config)#username petelong privilege 15 password P@ssword123

[/box]

3. Finally allow remote management via SSH, and save the changes.

[box]

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem 
Building configuration...
[OK]
Petes-Router#

[/box]

4. Finally you need to enable AAA Authentication to use the local database;

[box]

Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local

[/box]

WARNING

This also will enable username/password authentication for ‘console‘ (rollover cable) access. I dont like that, so I remove that with the following commands;

[box]

Switch(config)#aaa authentication login CONSOLE none
Switch(config)#line console 0
Switch(config-line)#login authentication CONSOLE

[/box]

Cisco Router – Restricting Telnet and SSH Access via Access List

You can lock down access further to remote management, by allowing or denying access from an ACL.

WARNING: If doing this remotely, and just using SSH remember to generate the key and create users FIRST, or you may lock yourself out. If you are worried schedule a reload in twenty minutes, do the work, if it works cancel the reload, if it all explodes, go have a coffee, when you come back it will have reverted back!

Schedule a Router Reload

[box]

Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#

---CARRY OUT THE CHANGES---

Petes-Router#reload cancel
Petes-Router#

***
*** --- SHUTDOWN ABORTED ---
***

[/box]

1. From the top let’s create a user, and setup the RSA key, (skip this step if you have already done this).

[box]

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#

[/box]

2. Now create an access-list to allow and deny access, (usual ACL rules apply).

Note: Port 23 is Telnet and port 22 is SSH

[box]

Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#

[/box]

2. In this example I will set the transport input to all (that’s Telnet AND SSH), then lock access down the the ACL we have just created.

[box]

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit

[/box]

3. Save your changes and test.

[box]

Petes-Router#write mem 
Building configuration...
[OK]
Petes-Router#

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cisco Router – CBAC and Zone Based Firewall Setup

KB ID 0000937 

Problem

IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, (providing you are running the correct IOS, or in the case of version 15 and upwards, added the correct license, ‘securityK9’). For older IOS versions usually you want the advipservices version of the IOS).

Solution

Run the following command to see if you have the correct license installed.

[box]

Petes-Router#show license features 

[/box]

Cisco IOS Setup CBAC (IOS Firewall Classic)

1. Declare the protocols you want to inspect.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp

[/box]

2. Apply that inspection inbound on the inside interface (that’s traffic going out).

[box]

Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#

[/box]

4. Apply the inspection inbound on the outside interface (for traffic coming in). And then save the changes.

Note: If you have VPN traffic this will NOT break it.

[box]

Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#

[/box]

Cisco Zone Based Firewall Setup

The config on ZBF can get quite complicated, I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).

Note: CBAC Settings (if used), must be removed before configuring ZBF.

1. The first thing to do is setup the zones, I only have a LAN an WAN to worry about.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit

[/box]

2. Create two ACLs to decide which traffic you want to allow in and out. Note: I’ve also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound everything is blocked apart from my VPN traffic.

Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;

Cisco Router – Configure Site to Site IPSEC VPN

Then for each ACL I’m creating a class-map, it’s the class-map that decides what traffic will be inspected, (by inspected, in ZBF terms we mean allowed).

[box]

Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

[/box]

3. Define what to do with the (matched) traffic with a policy-map, this can be set to inspect, log , or drop. We set it to inspect our traffic, and drop, then log everything else.

[box]

Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected

Note: The Above is not really true - we have defined the port in the ACL

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected

Note: The Above is fine, it drops everything that's not VPN traffic anyway.

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit

[/box]

4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.

[box]

Petes-Router(config)#security ZP-OUTBOUND source SZ-INSIDE destination SZ-OUTSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-OUTBOUND
Petes-Router(config-sec-zone-pair)#exit
Petes-Router(config)#security ZP-INBOUND source SZ-OUTSIDE destination SZ-INSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-INBOUND
Petes-Router(config-sec-zone-pair)#exit

[/box]

5. Save the changes, sit back, light your pipe, and admire your handiwork.

[box]

Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cisco Router – Configure NAT (NAT Overload)

KB ID 0000971 

Problem

NAT is the process of taking one or more IP adresses and tranlsating it/them into differnet IP addreses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload.

Solution

1. Connect to the router, and got to enable mode, then global configuration mode.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#

[/box]

2. Setup the WAN (outside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/0
PetesRouter(config-if)#ip address 123.123.123.123 255.255.255.0
PetesRouter(config-if)#ip nat outside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

3. Setup the LAN (inside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/1
PetesRouter(config-if)#ip address 192.168.1.1 255.255.255.0
PetesRouter(config-if)#ip nat inside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

4. You will need a ‘default route’ which will be the routers ‘next hop’ towards the internet.

[box]

PetesRouter(config)#ip route 0.0.0.0 0.0.0.0 123.123.123.2

[/box]

5. Create an ACL that wil match any trafic coming from inside (remember permit means match).

[box]

PetesRouter(config)#access-list 100 remark NAT-ACL
PetesRouter(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

[/box]

6. Then tie it all together with the following command;

[box]

PetesRouter(config)#ip nat inside source list 100 interface GigabitEthernet 0/0 overload

[/box]

7. Save the changes.

[box]

PetesRouter(config)#exit
PetesRouter#write mem
Building configuration...
[OK]
PetesRouter#

[/box]

 

Related Articles, References, Credits, or External Links

NA

VPN Error – ‘CRYPTO-4-RECVD_PKT_NOT_IPSEC’

KB ID 0000936 

Problem

While setting up a simple site to site to site VPN, I was unable to get ISAKMP phase 1 to establish. When I had a look on the device at the far end. I saw this error logged in the console, every time I tried to bring up the tunnel.

[box]

*Mar 1 00:21:42.811: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.3, src_addr= 192.168.1.2, prot= 1

[/box]

Solution

After about 40 minutes of staring at the configs, I realised I’d applied the crypto-map (on the router I was trying to bring the tunnel up from), to the inside interface and not the outside one – Doh!

Related Articles, References, Credits, or External Links

NA

Cisco – Error opening tftp://255.255.255.255/cisconet.cfg

KB ID 0001099 

Problem

A friend was rolling out some PC’s for a client and wanted me to give him a network with the same subnet etc so he could build everything on the bench.

I grabbed a router and set it up for DHCP, and to NAT all traffic for him, but annoyingly it kept doing this;

%Error opening tftp://255.255.255.255/cisconet.cfg (timed out)

%SYS-4-CONFIG_RESOLVE_FAILIURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed

Solution

Quite a simple one to fix, whilst connected via console/SSH do the following;

[box]

 Petes-Router#configure terminal
 Enter configuration commands, one per line.

Petes-Router(config)#no service config
 Petes-Router(config)#exit
 Petes-Router#copy running-config startup-config [/box]

Related Articles, References, Credits, or External Links

NA