If you try to change a port's mode to make it a trunk port, you may see this error;
[box]
Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
[/box]
Trunk Settings
I don’t know if this is a throwback to when we had both ISL trunking and 802.1Q, but you need to specify the encapsulation before you can set the port to trunk mode.
[box]
Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
Petes-Switch(config-if)#switchport trunk encapsulation dot1q
Petes-Switch(config-if)#switchport mode trunk
Petes-Switch(config-if)#
[/box]
Related Articles, References, Credits, or External Links
I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software through firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport them inside a virtual point-to-point link. Below is the topology I’m going to use.
The tunnel will run from Router R1 to Router R3; once complete, I should be able to ping Host2 from Host1.
Solution
Configure Router R1 for GRE
1. Create and configure a tunnel interface on the R1 router. It will need an IP address (here I’m using 10.0.0.1/30). Then you need to specify the source and destination of the GRE tunnel. Finally, I’ve changed some MTU settings: typically MTUs are set to 1500 and GRE adds an overhead, so I’m dropping the MTU to 1400 and setting the maximum segment size to 1360.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Tunnel0
*Mar 1 00:01:27.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.1
R1(config-if)#exit
[/box]
2. Then we need to add a static route to the router’s routing table so it knows to use that tunnel for traffic destined for the 192.168.2.0/24 network.
3. This is simply a mirror image of the configuration you carried out on router R1.
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface Tunnel0
*Mar 1 00:01:30.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#ip address 10.0.0.2 255.255.255.252
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source 2.2.2.1
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#exit
R3(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0
[/box]
Verify GRE Tunnel
4. Use the following command to check the status of the GRE tunnel.
[box]
R1# show interface tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.0.0.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1, destination 2.2.2.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
[/box]
5. Then make sure that traffic passes over the tunnel.
[box]
R1#ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/88 ms
R1#
[/box]
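The MTU and MSS values chosen in step 1 can be checked arithmetically. The following is an added example (Python, not from the original article): it uses the standard header sizes (IPv4 20 bytes, GRE 4 bytes, TCP 20 bytes) and, for the protected tunnel built in the next section, a worst-case ESP tunnel-mode overhead for the esp-aes esp-sha-hmac transform (AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV). The constants and function names are this example's own; the `ipsec=True` case counts both GRE and ESP overhead, which is a conservative upper bound for the protected tunnel.

```python
"""MTU / MSS arithmetic for a GRE tunnel, optionally protected by ESP (added example)."""

# Standard header sizes (assumed constants, not taken from the article).
IPV4_HEADER = 20
GRE_HEADER = 4          # base GRE header: no key, sequence or checksum options
TCP_HEADER = 20
ESP_HEADER = 8          # SPI + sequence number
AES_CBC_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2         # pad length + next header
SHA1_96_ICV = 12        # esp-sha-hmac truncated HMAC


def esp_tunnel_overhead_worst_case():
    """Bytes ESP tunnel mode adds to an inner packet for esp-aes esp-sha-hmac.

    Outer IPv4 + ESP header + IV + up to (block - 1) bytes of padding + trailer + ICV.
    """
    return IPV4_HEADER + ESP_HEADER + AES_CBC_IV + (AES_BLOCK - 1) + ESP_TRAILER + SHA1_96_ICV


def max_inner_mtu(physical_mtu=1500, ipsec=False):
    """Largest inner IP packet that fits in one outer packet without fragmentation."""
    overhead = IPV4_HEADER + GRE_HEADER
    if ipsec:
        overhead += esp_tunnel_overhead_worst_case()
    return physical_mtu - overhead


def gre_payload_mtu(physical_mtu=1500):
    """Plain GRE over IPv4: 1500 - 20 - 4 = 1476 on a standard Ethernet path."""
    return max_inner_mtu(physical_mtu, ipsec=False)


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that fits the tunnel's IP MTU: subtract the inner IPv4 and TCP headers."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def check_tunnel_settings(ip_mtu, adjust_mss, physical_mtu=1500, ipsec=False):
    """Return a list of findings for an 'ip mtu' / 'ip tcp adjust-mss' pair (empty = consistent)."""
    findings = []
    limit = max_inner_mtu(physical_mtu, ipsec)
    if ip_mtu > limit:
        findings.append(
            f"ip mtu {ip_mtu} exceeds the {limit}-byte limit for a {physical_mtu}-byte path; "
            "outer packets will be fragmented"
        )
    expected_mss = mss_for_ip_mtu(ip_mtu)
    if adjust_mss > expected_mss:
        findings.append(
            f"ip tcp adjust-mss {adjust_mss} is above {expected_mss}; "
            f"full-size TCP segments will exceed ip mtu {ip_mtu}"
        )
    return findings


if __name__ == "__main__":
    # The article's values: ip mtu 1400 and adjust-mss 1360 leave room for GRE and ESP.
    print("GRE-only payload limit:", gre_payload_mtu())
    print("MSS for ip mtu 1400:", mss_for_ip_mtu(1400))
    print("Worst-case ESP tunnel overhead:", esp_tunnel_overhead_worst_case())
    print("Findings (GRE only):", check_tunnel_settings(1400, 1360))
    print("Findings (GRE + ESP):", check_tunnel_settings(1400, 1360, ipsec=True))
```

Leaving the tunnel at the default 1500-byte MTU produces a finding even without IPsec, since every full-size inner packet would be fragmented after the GRE header is added; the 1400/1360 pair from step 1 passes both the GRE-only and the GRE-plus-ESP checks.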
Securing the Tunnel with IPsec
6. Our traffic is now going where we want it to, and it’s encapsulated, but it’s still being sent ‘in the clear’: if the traffic is intercepted ‘in flight’ it can be read. So we need to secure that traffic by encrypting it. The first job is to create an ISAKMP policy that will establish ‘phase 1’ of our secure tunnel. I’m using AES, with Diffie-Hellman group 2, and SHA hashing. I’ve specified that I will be using a pre-shared key, so that’s been created with the last command and is assigned to the IP of the ‘other end’ of the VPN tunnel.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 Sh@reds3cret address 2.2.2.1
[/box]
7. Phase 2 of our tunnel (IPsec) is encrypted and hashed with a ‘transform set’; again I’m using AES and SHA. Then I create a profile that uses my transform set.
8. The last job is to apply the profile I created above to our GRE tunnel interface.
[box]
R1(config)#interface tun0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile PF-PNL
*Mar 1 00:20:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#
*Mar 1 00:20:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
*Mar 1 00:20:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#exit
R1(config)#
[/box]
9. Again configure router 3 as a mirror image.
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile PF-PNL
R3(ipsec-profile)#set transform-set TFS-PNL
R3(ipsec-profile)#exit
R3(config)#interface tun0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile PF-PNL
R3(config-if)#
*Mar 1 00:25:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#
*Mar 1 00:25:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
*Mar 1 00:25:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#exit
R3(config)#
[/box]
Cisco IOS Verify IPsec VPN Tunnel Is Up
Note: To bring up the tunnel, simply send some traffic over it by pinging something on the other side of the tunnel. If you get a reply then the tunnel is up! But to check its status, first make sure phase 1 has established.
[box]
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 2.2.2.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#
[/box]
QM_IDLE means that phase 1 has established (in Quick Mode) and is in an idle state. This is what you want to see; if you see any other state message you may need to start debugging things.
Once you know phase 1 is established you need to check phase 2.
[box]
R3#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x3AA3F6B0(983824048)
inbound esp sas:
spi: 0x5C5C5EF1(1549557489)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4559832/3506)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3AA3F6B0(983824048)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4559832/3506)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
[/box]
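The two checks above (QM_IDLE/ACTIVE in `show crypto isakmp sa`, then ACTIVE ESP SAs with the expected transform in `show crypto ipsec sa`) can be automated so that a tunnel audit does not depend on eyeballing the output. The following is an added example (Python, not from the original article) that parses the captures shown above, embedded here as constructed sample text; the function names and the findings wording are this example's own. It also flags zero encaps/decaps counters, which is exactly the state in the capture above: the SAs are up but nothing has crossed the tunnel yet.

```python
import re

# Constructed sample output: the "show crypto isakmp sa" and "show crypto ipsec sa"
# captures from the R3 router above, trimmed to the lines the parser reads.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x5C5C5EF1(1549557489)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3AA3F6B0(983824048)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One ISAKMP SA row: dst src state conn-id slot status (the header row has no addresses).
ISAKMP_ROW = re.compile(
    rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+"
    r"(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)\s*$",
    re.MULTILINE,
)
COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
SA_SECTION = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")


def parse_isakmp_sa(text):
    """Return one dict per ISAKMP SA row; header, blank and IPv6 heading lines are skipped."""
    return [m.groupdict() for m in ISAKMP_ROW.finditer(text)]


def phase1_established(text, peer):
    """True when an ISAKMP SA with `peer` is in QM_IDLE and ACTIVE, the healthy phase-1 state."""
    return any(
        sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" and peer in (sa["dst"], sa["src"])
        for sa in parse_isakmp_sa(text)
    )


def parse_ipsec_sa(text):
    """Collect the #pkts counters and the 'key: value' lines under each '<dir> <proto> sas:' header."""
    parsed = {"counters": {}, "sas": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        for name, value in COUNTER.findall(line):
            parsed["counters"][name] = int(value)
        header = SA_SECTION.match(line)
        if header:
            section = f"{header.group(1)} {header.group(2)}"
            parsed["sas"][section] = {}
            continue
        if section and ":" in line:
            key, _, value = line.partition(":")
            parsed["sas"][section][key.strip()] = value.strip().rstrip(" ,")
    return parsed


def ipsec_health(text, expected_transform="esp-aes esp-sha-hmac"):
    """Phase-2 findings: both ESP SAs ACTIVE, agreed transform, anti-replay on, traffic seen."""
    parsed = parse_ipsec_sa(text)
    findings = []
    for direction in ("inbound esp", "outbound esp"):
        sa = parsed["sas"].get(direction, {})
        if sa.get("Status") != "ACTIVE":
            findings.append(f"{direction} SA is not ACTIVE")
        if sa.get("transform") != expected_transform:
            findings.append(f"{direction} SA transform is {sa.get('transform')!r}, expected {expected_transform!r}")
        if sa.get("replay detection support") != "Y":
            findings.append(f"{direction} SA has anti-replay disabled")
    counters = parsed["counters"]
    if counters.get("encaps", 0) == 0 and counters.get("decaps", 0) == 0:
        findings.append("no packets protected yet: send traffic over the tunnel and re-check")
    return findings


if __name__ == "__main__":
    print("phase 1 to 1.1.1.1:", phase1_established(ISAKMP_SA_OUTPUT, "1.1.1.1"))
    print("phase 2 findings:", ipsec_health(IPSEC_SA_OUTPUT))
```

Run against the captures above, phase 1 reports established and the only phase-2 finding is the zero counters, which matches the note earlier in the section: ping across the tunnel and the encaps/decaps counters should start climbing.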
You can take the physical interface of a Cisco ASA firewall, (or an ether channel) and split it down into further sub-interfaces. This way you can set multiple VLANs to use this interface as a gateway at the same time whilst still separating the traffic.
In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest WiFi to run in its own separate VLAN, so it can’t touch my corporate network. And I want to NAT both networks to my public IP.
The maximum number of sub-interfaces depends on the hardware model, because each model has a maximum number of VLANs:
Model      Max VLANs
5506-X     5 (30 with Security Plus)
5506-W-X   5 (30 with Security Plus)
5506-H-X   30
5508-X     50
5510       50 (100 with Security Plus)
5512-X     10 (100 with Security Plus)
5515-X     100
5516-X     100
5520       150
5525-X     200
5540       200
5545-X     300
5550       250
5555-X     500
5580       250
5585-X     1024
Note: Sub-interfaces are NOT supported on the ASA 5505. (But you can have up to 20 VLANs with a ‘security-plus’ licence, or 3 (DMZ restricted) with a ‘base’ licence).
Solution
To create sub-interfaces on a physical interface, that interface must have no settings on it (other than not being shut down).
Then create a sub-interface for each of my VLANs.
[box]
Create Sub interface for VLAN 2
Petes-ASA(config)# interface gigabitEthernet 1.2
Petes-ASA(config-subif)# vlan 2
Petes-ASA(config-subif)# nameif Corp-LAN
INFO: Security level for "Corp-LAN" set to 0 by default.
Petes-ASA(config-subif)# security-level 100
Petes-ASA(config-subif)# ip address 10.2.2.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#
Create Sub interface for VLAN 3
Petes-ASA(config)# interface gigabitEthernet 1.3
Petes-ASA(config-subif)# vlan 3
Petes-ASA(config-subif)# nameif Corp-WiFi
INFO: Security level for "Corp-WiFi" set to 0 by default.
Petes-ASA(config-subif)# security-level 90
Petes-ASA(config-subif)# ip address 10.3.3.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#
[/box]
Note: I’ve manually set the security levels and made the corp-lan interface more trusted.
So my firewall config now looks like this;
[box]
!
interface GigabitEthernet1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1.2
vlan 2
nameif Corp-LAN
security-level 100
ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
vlan 3
nameif Corp-WiFi
security-level 90
ip address 10.3.3.254 255.255.0.0
!
[/box]
NAT/PAT Traffic From Your Sub-Interfaces
I’m taking all traffic from both subnets (10.2.0.0/16 and 10.3.0.0/16) and NATing it to my public IP. (Note: I’m actually going to PAT the addresses, but that’s just semantics).
If you have ACLs you will need to allow the traffic out, and if you want to test connectivity by pinging a public IP address you will need to have ICMP inspection configured on the firewall.
What if you want the WiFi VLAN to have a different Public IP?
If you want to use another public IP from your public range, here is an example of the config;
This will depend upon the vendor, but essentially if it’s a Cisco switch you make the uplink switch port a ‘trunk port’, and either allow ALL VLANs or just VLANs 2 and 3. Then every wired client connects to a port you have set up as an ‘access port’ on VLAN 2, and all the wireless equipment plugs into ports you have made ‘access ports’ on VLAN 3.
For other vendors you would need to ‘tag’ VLANs 2 and 3 on the firewall uplink port, then ‘untag’ VLAN 2 on all the wired ports, and finally ‘untag’ VLAN 3 on all the wireless ports.