In the previous post, we deployed a web load balanced solution with three web servers. Out of the box the BIG-IP solution will use Round Robin load balancing and it will treat all Nodes or Pool Members the same, (it assigns a RATIO OF 1).
Everything gets weighted the same, and the F5 will send requests to the Nodes or Pool members one at a time.
But what if one of those web servers was a beast of a machine, with much better CPU/RAM than all the others? How do you ensure that it gets sent the ‘lion's share’ of the traffic?
Solution
Well, you can simply alter the Ratio for that server. You can do that directly on the Node, or you can do it within the Pool on a Pool Member. (That’s why you can see 6 ratios in the examples I’ve posted).
What if I change the Ratios on Nodes AND Pool Members? You can do that, but the load balancing method uses one or the other, so they won't conflict.
So let’s say 10.2.0.11 is a brand new server and has ten times the processing power of the other two nodes like so;
Local Traffic > Nodes > Select the node in question > Change the Ratio accordingly > Update.
Nothing will happen until you change the load balancing method of the Pool. On the properties of the Pool, change the Load Balancing Method to Ratio (node) > Update.
If you reset the counters and wait a while, you can see now that the server is getting (more or less*) 10 times the amount of traffic.
*Note: The maths will never be perfect, and my web pages are all ‘very slightly’ different, which is amplified over time.
Changing F5 Pool Member Ratios
The process is similar. (If you are following along, you might want to change your Node value back to ‘1’; not that it will affect anything, it’s just that if you are like me you will forget!) So now let’s say we’ve got a new server and it's 10.2.0.13, and we want to change the ratio on the Pool Member like so;
Open the Pool > Select the Node from here.
Change the ratio here > Update.
Now change the Load Balancing Method to Ratio (member) > Update. Note: Here, ratios are shown on the Pool page.
Reset your counters, and wait a while, you will see the other server is now getting most of the traffic.
In large production environments, you will probably want to use Dynamic Load Balancing methods, so I’ll look at those next.
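To see what the ratios above do in practice, here is a small weighted round-robin simulation (an added example, not F5 code or anything from the original post). It uses the smooth weighted round-robin scheme, so the exact selection order is an assumption, but over each full cycle the proportion matches the 10:1:1 ratios exactly, which is the "more or less 10 times" the post describes.

```python
"""Weighted (ratio) round-robin simulation for the F5 ratio example.

Added example, not F5 code. It models the proportion the post describes:
a node with ratio 10 receives ten times the requests of nodes with ratio 1.
The selection order follows the smooth weighted round-robin scheme (an
assumption; F5's internal ordering may differ, the proportions do not).
"""
from collections import Counter


class RatioBalancer:
    """Smooth weighted round-robin over {member: ratio} pairs."""

    def __init__(self, ratios):
        # e.g. {"10.2.0.11": 10, "10.2.0.12": 1, "10.2.0.13": 1}
        if not ratios or any(r < 1 for r in ratios.values()):
            raise ValueError("every member needs a ratio >= 1")
        self.ratios = dict(ratios)
        self.current = {m: 0 for m in ratios}   # running weight per member
        self.total = sum(ratios.values())

    def pick(self):
        """Return the member that receives the next request."""
        for m, r in self.ratios.items():
            self.current[m] += r
        chosen = max(self.current, key=self.current.get)
        self.current[chosen] -= self.total
        return chosen


def simulate(ratios, requests):
    """Count how many of `requests` each member receives."""
    lb = RatioBalancer(ratios)
    return Counter(lb.pick() for _ in range(requests))


def ratio_share(ratios, requests):
    """Fraction of traffic each member received in the simulation."""
    counts = simulate(ratios, requests)
    return {m: counts[m] / requests for m in ratios}


if __name__ == "__main__":
    nodes = {"10.2.0.11": 10, "10.2.0.12": 1, "10.2.0.13": 1}
    for member, share in ratio_share(nodes, 1200).items():
        print(f"{member}: {share:.1%}")
```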
Related Articles, References, Credits, or External Links
An IP address is the address used on a network to find your PC, Server, Laptop, or Printer etc. It’s the networking equivalent of your house number and post code (or Zip Code for visitors from over the pond).
Do you want your PUBLIC or PRIVATE IP address? As we started to run out of addresses, there were a number of solutions that we came up with; one you will see below (DHCP), the other is NAT (Network Address Translation), which lets many IPs on a network share one (or more) public IP addresses on the internet. If you want to know your PUBLIC address (your address on the internet), a site like this one will simply show it to you.
Where does my IP address come from?
You get an IP address by two methods,
1. Statically Assigned: Your address never changes and is allocated to you manually.
2. Dynamically Assigned: Your machine gets its IP address automatically via a system called DHCP.
What does an IP address look like?
Most IP addresses in use today are IP version 4 and consist of 4 numbers separated by three full stops (or once again, periods, for overseas visitors).
An IP address 192.168.1.100
Is that all my computer needs?
NO! You need FOUR pieces of information to access the internet and work properly;
1. The IP address itself (i.e. 192.168.1.100) this is unique to every machine on the network.
2. The Subnet Mask (i.e. 255.255.255.0): this tells the machine how big the network it is on is.
3. The Default Gateway, this is another IP address on the network that you need to go through to get off the local network, i.e. to access the internet.
4. The DNS IP address, this is another IP address of a machine that can translate IP addresses into names (e.g. translate www.bbc.co.uk to 212.58.246.159).
What’s my IP address?
1. Windows Key + R > type ‘cmd’ {Enter}
2. A Command Window will open. Click within the box and you can type in commands. The command to show your IP address is ipconfig, but this WON'T show us the DNS settings as well; to do that the command is “ipconfig /all”.
Note: If you have many network connections you will get results for them all, you may need to scroll up and down to find the right one.
IP Problems
Problem 1: My machine has got an IP address that is 169.254.x.y (where x and y can be any number from 1 to 254).
Answer: This machine is set to get its IP address automatically via DHCP but it can't speak to the DHCP server, because either the DHCP server is down or there is no connection between the DHCP server and you.
Problem 2: My IP address shows as 0.0.0.0
Answer: You have been given a static IP address and someone on the same network is using the same address, this causes an IP conflict, change one of the IP addresses.
Find out if your IP address is statically assigned or dynamically assigned
The more eagle-eyed of you will see on the ipconfig /all results above that this machine is disabled for DHCP so it's dynamically assigned; however, on your Windows machine do the following.
1. Windows Key + R > Type ‘ncpa.cpl’ {Enter}
2. Your network connections window should open and locate the connection you are connecting with (you might have many, be sure to select the right one, i.e. you might have one for dial up, one for wireless, one for a VPN to the office etc). Right click the connection and select properties.
3. On the window that appears you may have to scroll down the list, we are looking for its TCP/IP (on newer machines it will be called “Internet Protocol Version 4 (TCP/IPv4)”, Select it and click properties.
4. Now you can see if your addresses are set statically or dynamically.
How to change your IP address
To change your IP address you first need to know if you have a static IP address or a Dynamically assigned one. (That’s why this section is below the one above).
1. If you have a static IP address, simply change it on the screen shown (diagram above).
2. If you have a Dynamic IP address, you can either reboot the machine in question or Click Start > run > cmd {enter}
3. A Command Window will open. Click within the box and you can type in commands. The command to release your IP address is ipconfig /release
Then to get a new address type in ipconfig /renew
Related Articles, References, Credits, or External Links
Site to Site VPNs are easy enough: define some interesting traffic, tie that to a crypto map (that decides where to send the traffic), create some phase 1 and phase 2 policies, wrap the whole lot up in a tunnel-group, and you’re done! But there needs to be a ‘peer address‘ in the crypto map, and if one end of the VPN is on DHCP that address is likely to change, so you can't supply that.
The solution is quite simple, Cisco had to address this years ago when they had remote IPSec VPN clients, you use a Dynamic Cryptomap, and because you can’t have a tunnel group either, you use the DefaultL2LGroup, (this gets used when a specific IP address is not defined).
It’s been a week for strange VPN shenanigans with Cisco and Azure. I was liaising with an Azure service provider for a customer this week, and trying to get a VPN up from a Cisco ASA in one of our data centres in the UK. This is what we were seeing;
After a conversation with the service provider, it turns out that they are providing a multi tenant solution that utilises many VPNs for multiple clients, because of this they HAVE TO use a security gateway that uses ‘Route Based/Dynamic Routing’.
There are two types of VPNs that you can run out of Azure;
Static routing VPNs – Static routing VPNs or policy-based VPNs. These encrypt and route traffic through an interface based on a customer defined policy. Static routing VPNs require a static routing VPN gateway. With this type of VPN you CAN NOT have multiple site to site VPNs.
Dynamic routing VPNs – Dynamic routing or route-based VPNs. These depend on a tunnel interface specifically created for forwarding traffic. Any traffic arriving on the virtual tunnel interface (VTI) will be forwarded through the correct VPN connection.
Why is this a problem?
If you look on the currently supported VPN devices for Azure;
Route-based is not compatible, because VPNs based on VTIs are NOT supported on the Cisco ASA platform. If you are a Cisco firewall type, this is the same reason you can’t use an ASA for DMVPN, or to terminate a GRE tunnel on.
What can you do?
In my case I’m going to put a Cisco IOS Router (Cisco ISR 1921), beside the Firewall and route all the Azure traffic via that. As you can see from the table above that IS supported.
Related Articles, References, Credits, or External Links
I know BT are now shipping the BT Business Hub to their business ADSL clients, but there are still a few 2Wire routers out there in the wild. Essentially, if you have a range of public IP addresses, this is how to allocate one of the public IP addresses to one of your devices. In my case it's a Cisco ASA firewall that I need to have a public IP.
Solution
Firstly I’m going to assume the router is working and connected to the internet, if there’s a problem and you need to reset it you will need the following pieces of information.
1. The BT ADSL Username and password.
2. The public IP address range allocated to you by BT (and the IP allocated to the router).
Note: Plug your device into the router before you start, and set it to get its address via DHCP.
1. Connect to the web interface of the 2Wire router (normally http://192.168.1.254) > Settings > Broadband > Link Configuration > Scroll down the page.
2. Locate the ‘Add additional network’ section > Add in the IP address that BT have told you to allocate to the router (the subnet mask will be provided by BT also, but you can work it out with my subnet calculator if you don’t know) > Save > Enter the router password if prompted.
Note: By default the password will be the Serial Number of the router, (on the white sticker). If you have forgotten you can reset it.
3. Select the LAN tab > NAT & Address Allocation > Locate your device > Set the firewall to disabled > Address Assignment = Public (Select WAN IP Mapping) > WAN IP Mapping = Public Fixed {The IP address you want to assign} > Save > Enter the password if prompted.
4. This relies on the router providing DHCP, which it will do by default, though you can check on the Private Network tab.
5. Finally either reboot the device you are assigning the IP address to, (or ‘reload’ if it’s a Cisco ASA).
Related Articles, References, Credits, or External Links
If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.
Solution
Assumptions
1. You have a public IP on the outside of your Router.
2. You are performing NAT from your internal range of IP address to your External IP address.
To Make Sure
1. Run the following command:
[box]PetesRouter#show run | include ip nat inside[/box]
You should see a line like,
[box]ip nat inside source list 101 interface Dialer0 overload[/box]
2. That means NAT all traffic that access-list 101 applies to, to Dialer0 (this is an ADSL router and that’s its outside interface). To see what traffic access-list 101 applies to, issue the following command:
[box]PetesRouter#show run | include access-list 101[/box]
You should see a line like,
[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]
3. This means permit (apply this ACL to) all traffic from 10.10.0.0/16 to anywhere. So it's set to NAT all traffic from the inside network to the outside network.
4. Finally to see what IP is on your Dialer0 issue the following command:
[box]PetesRouter#show ip interface brief | exclude unassigned[/box]
You should see something like this
Now we know all traffic from 10.10.0.0/16 (all inside traffic) will be NAT translated to 123.123.123.123
Set up Port Forwarding
In this case I'll port forward TCP Port 443 (HTTPS) and TCP Port 25 (SMTP) to an internal Server (10.10.0.1).
1. First set up the static NAT translations.
[box]
PetesRouter#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 25 extendable
OR If you are running with a Public DHCP address
PetesRouter#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25
[/box]
2. Second, stop that traffic being NATed with everything else.
[box]
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 25 any
[/box]
3. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:
[box]
PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#
[/box]
Setup port forwarding and restrict it to an IP or network
For things like HTTPS and SMTP you might want them accessible from anywhere but you might want to lock down access for something like RDP, (TCP port 3389) if that’s the case then you need to do the following.
1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to put a permit at the end).
[box]
PetesRouter#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter#access-list 199 permit ip any any
[/box]
Note: To allow a network substitute the first line for,
4. Finally apply the ACL you created inbound on the Dialer0 interface.
[box]
PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#exit
PetesRouter#
[/box]
5. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:
[box]
PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#
[/box]
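Because IOS evaluates an ACL top down and stops at the first match (with an implicit deny at the end), the order of the three access-list 199 lines above is what makes the RDP restriction work. The following first-match evaluator is an added example, not from the original post: it parses the ACL lines exactly as written on this page and answers whether a given packet would be permitted inbound on Dialer0. It supports only the syntax the page uses (host, any, network plus contiguous wildcard mask, optional eq port).

```python
"""First-match evaluator for Cisco IOS numbered extended ACLs.

Added example, not from the original post. It parses the access-list 199
lines shown on the page and reports whether a packet is permitted or denied.
IOS evaluates entries top down, stops at the first match and applies an
implicit deny at the end; this model does the same. Only the syntax used on
the page is supported: host / any / network + contiguous wildcard, and an
optional 'eq <port>' after the source and/or destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<network> <wildcard>": a contiguous wildcard (inverse mask) such as
    # 0.0.255.255 has bit_length 16, which gives a /16 prefix.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(config_text, number):
    """Return the entries of access-list <number> in configuration order."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None, src_port=None):
    """First-match lookup; returns 'permit' or 'deny' (implicit deny last)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


# The three ACL 199 lines from the page, embedded as sample input.
ACL_199 = """\
access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
access-list 199 deny tcp any host 123.123.123.123 eq 3389
access-list 199 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_199, 199)
    # 198.51.100.7 is a constructed "everyone else" address.
    for src, port in [("234.234.234.234", 3389), ("198.51.100.7", 3389),
                      ("198.51.100.7", 443)]:
        print(src, port, evaluate(acl, "tcp", src, "123.123.123.123", port))
```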
Related Articles, References, Credits, or External Links
A while back I uploaded a run through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels and even if you did, if you want each of your remote sites to talk to each other you have all those tunnels to configure as well.
To address that we have DMVPN. Rather than a point-to-point GRE tunnel it uses multipoint GRE, which can have more than two endpoints. In fact it acts like a ‘network overlay’ that joins all the sites together. It is typically deployed in a hub-and-spoke configuration where one router (the hub) sits at the center and each remote site (spoke) joins the multipoint GRE and tunnels back to the hub. The magic part is, if one spoke needs to speak to another spoke, this is done by building a dynamic tunnel between them ‘on the fly’.
Below is the network topology I’m going to use;
I have a main site that will be the ‘Hub Site’ and at that site MainSiteRTR will be the NHS (Next Hop Server) router. The remaining three sites will act as ‘spokes’, so my ‘network overlay’ will be 192.168.0.0/24.
Solution
Configure DMVPN Hub (NHS) Router
Before I start, all the sites are pre-configured as per figure1 above, all the routers can see each other via EIGRP.
1. To begin, the setup looks very much like a standard GRE tunnel, but we define a source and no destination (we don’t need to, because we specify tunnel mode gre multipoint). There are two commands for the NHRP setup: ‘ip nhrp map multicast dynamic’ lets EIGRP information propagate to the ‘spokes’, and ‘ip nhrp network-id 1’ creates a group ID for the DMVPN group. All the spokes will need to share this ID to form tunnels with this NHS Router.
[box]
MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#interface Tunnel0
MainSiteRTR(config-if)# ip address 192.168.0.1 255.255.255.0
MainSiteRTR(config-if)# ip nhrp map multicast dynamic
MainSiteRTR(config-if)# ip nhrp network-id 1
MainSiteRTR(config-if)# tunnel source 1.1.1.1
MainSiteRTR(config-if)# tunnel mode gre multipoint
*Mar 1 00:02:31.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
MainSiteRTR(config-if)#exit
*Mar 1 00:02:41.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
MainSiteRTR(config)#
[/box]
Configure the Branch ‘Spoke’ Routers
2. There are a few differences here. First, ‘ip nhrp map 192.168.0.1 1.1.1.1’ tells the branch router to map the hub's 192.168.0.1 tunnel IP permanently to the 1.1.1.1 public address. ‘ip nhrp map multicast 1.1.1.1’ tells the router to relay ALL its multicast traffic back to the hub router. ‘ip nhrp nhs 192.168.0.1’ tells the spoke router where the hub router is.
[box]
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#interface Tunnel0
Branch1(config-if)# ip address 192.168.0.2 255.255.255.0
Branch1(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch1(config-if)# ip nhrp map multicast 1.1.1.1
Branch1(config-if)# ip nhrp network-id 1
Branch1(config-if)# ip nhrp nhs 192.168.0.1
Branch1(config-if)# tunnel source 2.2.2.1
Branch1(config-if)# tunnel mode gre multipoint
*Mar 1 00:07:28.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch1(config-if)#exit
*Mar 1 00:07:38.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch1(config)#
[/box]
3. Then configure each branch router the same, (apart from the tunnel source and the endpoint IP).
[box]
Branch 2 Router Config
Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#interface Tunnel0
Branch2(config-if)# ip address 192.168.0.3 255.255.255.0
Branch2(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch2(config-if)# ip nhrp map multicast 1.1.1.1
Branch2(config-if)# ip nhrp network-id 1
Branch2(config-if)# ip nhrp nhs 192.168.0.1
Branch2(config-if)# tunnel source 3.3.3.1
Branch2(config-if)# tunnel mode gre multipoint
Branch2(config-if)# exit
*Mar 1 00:09:32.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch2(config)#
Branch 3 Router Config
Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#interface Tunnel0
Branch3(config-if)# ip address 192.168.0.4 255.255.255.0
Branch3(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch3(config-if)# ip nhrp map multicast 1.1.1.1
Branch3(config-if)# ip nhrp network-id 1
Branch3(config-if)# ip nhrp nhs 192.168.0.1
Branch3(config-if)# tunnel source 4.4.4.1
Branch3(config-if)# tunnel mode gre multipoint
Branch3(config-if)# exit
*Mar 1 00:11:05.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch3(config)#
*Mar 1 00:11:15.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch3(config)#
[/box]
Verifying and Testing the DMVPN Setup
4. On the main site;
[box]
MainSiteRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 2.2.2.1 192.168.0.2 UP never D
1 3.3.3.1 192.168.0.3 UP never D
1 4.4.4.1 192.168.0.4 UP never D
[/box]
5. On a branch site (Note: There is only one tunnel to the Main Site);
[box]
Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.1 192.168.0.1 UP 00:08:24 S
[/box]
6. But if from the same branch site you ping another branch site, it will dynamically build a tunnel to that site also. (Note: The S denotes static, and the D denotes dynamic).
[box]
Branch1#ping 192.168.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/60/108 ms
Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.1 192.168.0.1 UP 00:08:52 S
1 4.4.4.1 192.168.0.4 UP never D
[/box]
Protect and Encrypt the Tunnel(s) with IPSEC
7. BE AWARE the traffic traveling over these tunnels is still being sent in cleartext, it’s simply been ‘encapsulated’ with GRE. To rectify that we can protect the tunnels with IPSEC.
[box]
MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#crypto isakmp policy 10
MainSiteRTR(config-isakmp)# authentication pre-share
MainSiteRTR(config-isakmp)# encryption aes
MainSiteRTR(config-isakmp)# group 2
MainSiteRTR(config-isakmp)# hash sha
MainSiteRTR(config-isakmp)# crypto isakmp key Sh@reds3cret address 2.2.2.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 3.3.3.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 4.4.4.1
MainSiteRTR(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
MainSiteRTR(cfg-crypto-trans)# crypto ipsec profile PF-PNL
MainSiteRTR(ipsec-profile)# set transform-set TFS-PNL
MainSiteRTR(ipsec-profile)# interface Tunnel0
MainSiteRTR(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:25:34.055: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MainSiteRTR(config-if)# exit
MainSiteRTR(config)#
[/box]
8. Then simply repeat on the branch routers, the only difference is the peer addresses.
[box]
Branch 1 Router Config
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)# authentication pre-share
Branch1(config-isakmp)# encryption aes
Branch1(config-isakmp)# group 2
Branch1(config-isakmp)# hash sha
Branch1(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch1(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch1(ipsec-profile)# set transform-set TFS-PNL
Branch1(ipsec-profile)#interface Tunnel0
Branch1(config-if)# tunnel protection ipsec profile PF-PNL
Branch1(config-if)#exit
Branch1(config)#
*Mar 1 00:36:47.179: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch1(config)#
Branch 2 Router Config
Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#crypto isakmp policy 10
Branch2(config-isakmp)# authentication pre-share
Branch2(config-isakmp)# encryption aes
Branch2(config-isakmp)# group 2
Branch2(config-isakmp)# hash sha
Branch2(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch2(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch2(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch2(ipsec-profile)# set transform-set TFS-PNL
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)# tunnel protection ipsec profile PF-PNL
Branch2(config-if)#exit
Branch2(config)#
*Mar 1 00:37:57.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch2(config)#
Branch 3 Router Config
Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#crypto isakmp policy 10
Branch3(config-isakmp)# authentication pre-share
Branch3(config-isakmp)# encryption aes
Branch3(config-isakmp)# group 2
Branch3(config-isakmp)# hash sha
Branch3(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch3(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch3(ipsec-profile)# set transform-set TFS-PNL
Branch3(ipsec-profile)#interface Tunnel0
Branch3(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:39:10.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch3(config-if)#exit
[/box]
9. To test, re-establish the tunnels; this time you can see they are protected;
[box]
MainSiteRTR#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 3.3.3.1 QM_IDLE 1002 0 ACTIVE
1.1.1.1 4.4.4.1 QM_IDLE 1003 0 ACTIVE
1.1.1.1 2.2.2.1 QM_IDLE 1001 0 ACTIVE
[/box]
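Step 7 warns that a tunnel which shows UP in ‘show dmvpn’ may still be carrying cleartext GRE until tunnel protection is in place. The script below is an added example (not from the original post) that cross-checks the two outputs shown above: it lists every NHRP peer whose tunnel is UP but which has no ACTIVE ISAKMP SA. The sample outputs are constructed from the formats on this page; the ISAKMP sample deliberately omits 4.4.4.1 so that the check has something to find.

```python
"""Cross-check 'show dmvpn' against 'show crypto isakmp sa'.

Added example, not from the original post. A DMVPN peer that is UP in
'show dmvpn' but has no ACTIVE ISAKMP SA is still talking plain GRE, so
this script reports such peers. The sample outputs below are constructed
from the formats shown on the page; the missing SA for 4.4.4.1 is deliberate.
"""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: the hub's 'show dmvpn' output as shown on the page.
SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 2.2.2.1 192.168.0.2 UP never D
1 3.3.3.1 192.168.0.3 UP never D
1 4.4.4.1 192.168.0.4 UP never D
"""

# Constructed sample: 'show crypto isakmp sa' with one spoke (4.4.4.1) missing.
SHOW_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 3.3.3.1 QM_IDLE 1002 0 ACTIVE
1.1.1.1 2.2.2.1 QM_IDLE 1001 0 ACTIVE
"""


def parse_dmvpn(output):
    """Return [(nbma_addr, tunnel_addr, state, attrb), ...] from 'show dmvpn'."""
    peers = []
    for line in output.splitlines():
        t = line.split()
        # Peer rows look like: "<# Ent> <NBMA> <tunnel IP> <state> <updn> <attrb>"
        if (len(t) >= 6 and t[0].isdigit()
                and IPV4.match(t[1]) and IPV4.match(t[2])):
            peers.append((t[1], t[2], t[3], t[5]))
    return peers


def parse_isakmp(output):
    """Return the set of addresses that appear in an ACTIVE QM_IDLE ISAKMP SA."""
    active = set()
    for line in output.splitlines():
        t = line.split()
        # SA rows look like: "<dst> <src> <state> <conn-id> <slot> <status>"
        if (len(t) >= 6 and IPV4.match(t[0]) and IPV4.match(t[1])
                and t[2] == "QM_IDLE" and t[-1] == "ACTIVE"):
            active.update((t[0], t[1]))
    return active


def unprotected_peers(dmvpn_output, isakmp_output):
    """NBMA addresses of UP DMVPN peers that have no active ISAKMP SA."""
    active = parse_isakmp(isakmp_output)
    return sorted(nbma for nbma, _tun, state, _attrb in parse_dmvpn(dmvpn_output)
                  if state == "UP" and nbma not in active)


if __name__ == "__main__":
    missing = unprotected_peers(SHOW_DMVPN, SHOW_ISAKMP)
    print("peers without IPsec protection:", missing or "none")
```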
I upgraded a clients firewall and CSC software a couple of weeks ago, and ever since “some” users saw the following errors,
Error 0x800CCC0F
Task ‘{email address} – Sending’ reports error (0x800CCC0F): #The connection to the server was interrupted. If the problem continues, contact your server administrator or Internet service provider (ISP).’
Eventually it would time out altogether with the following error,
All I could discern from Googling the error was that the AV (in this case the Trend Micro InterScan for Cisco CSC SSM, running in the Cisco CSC Module) was probably the culprit.
I tried stopping the POP3 Service on the CSC that did NOT fix the error.
I confirmed that the CSC module was the root cause of the problem, by disabling the entire module with the following command on the Cisco ASA firewall;
[box]hw-module module 1 shutdown[/box]
Warning: If you do this, your CSC settings must be set to “csc fail-open” or web and email traffic will stop! Once you have confirmed this IS the problem you can re-enable the module with the following command.
[box]hw-module module 1 reset[/box]
I tried from my office and it worked fine, I could not replicate the error. I tried from various servers and Citrix boxes from other clients who kindly let me test from their network. Still I could not replicate the error! I went home and that was the first time I could see the same error their users were seeing. Sadly this led me on a wild goose chase, (I use Outlook 2007 at home and Outlook 2010 everywhere else so I (wrongly) assumed that was the problem).
Breakthrough!
As I could now replicate the error, I could at least do some testing, I attempted a send/receive and looked at the CSC Logging.
Note: To view CSC Logging, connect to the ASDM > Monitoring > Logging > Trend Micro Content Security > Continue > Enter the password > OK > View.
Every time it failed, I saw my public IP being logged with a RejectWithErrorCide-550 and RBL-Fail,QIL-NA. At last something I could work with.
This error indicates a problem with the Email Reputation system, I logged into the CSC web management console > and located this.
Then I disabled the ‘SMTP Anti-spam (Email Reputation)’, and everything started to work.
Conclusion
I understand the need for this system, but the nature of POP3 email clients dictates they can connect in from anywhere, usually from a home ISP account on a DHCP address. I know from experience that major ISPs' IP ranges get put in RBL block lists (I checked by popping my IP in here, and sure enough it was blocked).
If you are going to use POP3 then you need to leave this system disabled, but to be honest, if you have Exchange, simply swap over to Outlook Anywhere and stop using POP3.
Related Articles, References, Credits, or External Links
Special thanks to Jenny Ames for her patience while I fought with this over a number of days.
Regular visitors to PNL will know I much prefer to do things at command line, but I appreciate most people trying to set up a new firewall will want to use the GUI.
Before you start you will need to know what IP addresses you want to use, what password you want to use etc.
Solution
1. You get two network cables in the box, connect your PC/Laptop to Ethernet port 1 (See the photo, that’s the second one in from the right – By default Ethernet port 0 is used for outside on an ASA, though this can be changed). Power on the ASA.
2. Your PC has to be set to get an IP address dynamically; the ASA will lease it an address, and the ASA will take the IP address of 192.168.1.1 on its inside interface. Here’s the result of an “ipconfig” command to prove it worked.
3. Open an IE (Or Firefox) window and navigate to https://192.168.1.1
4. Standard stuff, click “Continue to this website”.
5. Leave both boxes blank and click OK.
6. Click “Run Startup Wizard Applet”.
7. Click Yes (Isn’t Java annoying!)
8. More annoying Java just click OK.
9. After some time we will at last arrive at the startup wizard. We want to modify it so > Next.
10. Give the firewall a hostname, domain name and set the password (note it uses the names to generate an RSA Key remember this if you ever change them in future) > Next.
11. We don’t want this > Next.
12. OK, we now set the outside IP address. Don’t mess with the VLAN information; in this case my outside interface is going to get its IP address automatically via DHCP. If yours is static then select “Use the following IP address” and type in the IP address and subnet mask > Next.
13. Now the inside interface, TRUST ME leave it on 192.168.1.1. Even if that’s NOT what you want, if you change it here then when you get to the end it will all fail, because you have a DHCP address leased on an IP that’s on a different range. We will change the IP address of this interface at the end! > Next.
14. This page is for setting up a DMZ, which (unless you’ve purchased the Security Plus Licence) you won't be using anyway. > Next.
15. Leave Interface 0 on the outside and everything else on the inside VLAN (unless you want to allocate ports to your DMZ) > Next.
16. Tick the bottom option > Next.
17. On the route page you have the option to enter internal and external routes. If your outside interface gets its IP details by DHCP then you can leave all blank; if you're on a static then you will need to supply the IP of your ISP router as the default route outside (route 0.0.0.0 0.0.0.0). If it makes more sense, think of this as the firewall’s default gateway.
18. Mine's DHCP so I’ll just click Next.
19. Once again TRUST ME leave this alone we will change this later > Next.
20. There are about two chapters of textbook on this subject; we are going to use PAT and use the IP address of the outside interface. (All internal traffic will appear to the outside world to have come from that IP address.) > Next.
21. On administrative access click Add > Now add ASDM access for either a client or the network that the firewall IS GOING TO connect to > OK.
22. You might also want to add Telnet access for the above as well.
23. Notice we have access for the 192.168.1.0 network AND the network we are going to be on when we are finished. > Next.
24. We are not going to be using this > Next.
25. Have a quick review > Tick “Launch ASDM after configuring ASA” > Finish
Remember when you log into the ASA now you have changed the password! (Leave the username blank)
26. Now we will sort the inside interface out > From the ASDM > Configuration > Properties > DHCP Server > Inside > Edit.
27. Untick the “Enable DHCP Server” (or set according to your DHCP requirements) > OK
28. Apply
29. Configuration > Interfaces > Inside > Edit
30. Set the correct IP address and subnet mask > OK.
31. Apply > At the warning click OK
32. Settings will be applied. DO NOT TURN OFF THE FIREWALL'S POWER SUPPLY.
33. Fair enough, we can't talk to it because we changed its IP address :).
34. Change your IP address so you can communicate with the firewall on its new IP address.
35. As before, launch your browser and connect to the internal IP address (remember it’s https).
36. Username = blank > Password you set earlier > OK.
37. File > Save running config to flash.
38. Apply > All finished.
Do the same thing from command line
[box]
! Hostname and domain name from the wizard’s first pages
hostname Petes-ASA
domain-name petenetlive.com
! Inside interface (VLAN 1): left on 192.168.1.1 during the wizard
interface vlan1
ip address 192.168.1.1 255.255.255.0
! Outside interface (VLAN 2): address and default route supplied by the ISP via DHCP
interface vlan2
ip address dhcp setroute
! ASDM (HTTPS) and Telnet management access for the network we will end up on
http 10.254.254.0 255.255.255.0 inside
telnet 10.254.254.0 255.255.255.0 inside
! DMZ interface (VLAN 3): only usable with the Security Plus licence
interface vlan3
no shutdown
ip address 172.16.254.1 255.255.0.0
nameif DMZ
same-security-traffic permit intra-interface
! Enable (privileged) password set on the wizard’s password page
enable password password123
! Remove the DHCP pool the ASA was handing out on the inside interface
no dhcpd address 192.168.1.1-192.168.1.254 inside
[/box]
In the following example I’m using 192.168.1.100 as the internal IP address of the View Server and the public IP address of the firewall is 123.123.123.123.
Which solution you use depends on whether you have a dedicated public IP that you can assign to the VMware View server; if you do not have a spare public IP, you will need to use port forwarding.
Option 1 – You have a public IP that you want to assign to the VMware View Server
As I’m using 123.123.123.123 on the outside of my ASA, I’m going to use another public IP address for the VMware View server (123.123.123.124) and statically map that to its internal IP address. Then I allow the ports to that IP address, and finally apply the access-list (ACL) I’ve used to the outside interface (where the VMware View traffic will be coming from).
Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute the name of yours for the word inbound in my example below.
Option 2 – You want to use Port Forwarding (And your ASA is pre version 8.3)
Below I’m creating a static PAT entry for all the ports required, then allowing the traffic with an access-list, and finally applying the access-list (ACL) I’ve used to the outside interface (where the VMware View traffic will be coming from).
Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute the name of yours for the word inbound in my example below.
Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside unless you put it on another port. The following two commands would change the ASDM to port 2345, for example:
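The following is an added example, not the author’s own configuration (which is not reproduced on this page), showing what Option 1 and Option 2 look like in pre-8.3 ASA syntax using the page’s addresses (View server 192.168.1.100, outside interface 123.123.123.123, spare public IP 123.123.123.124). The port list is an assumption (TCP 443 for HTTPS and TCP/UDP 4172 for PCoIP); substitute the ports your View deployment actually uses, and configure only one of the two options.

```cisco
! Added example (not the page's own config): pre-8.3 ASA syntax for Options 1 and 2.
! Assumed View ports: TCP 443 (HTTPS) and TCP/UDP 4172 (PCoIP). Adjust to your deployment.
!
! ---- Option 1: dedicated public IP 123.123.123.124 mapped one-to-one to the View server ----
static (inside,outside) 123.123.123.124 192.168.1.100 netmask 255.255.255.255
! Pre-8.3 ACLs reference the TRANSLATED (public) address
access-list inbound extended permit tcp any host 123.123.123.124 eq 443
access-list inbound extended permit tcp any host 123.123.123.124 eq 4172
access-list inbound extended permit udp any host 123.123.123.124 eq 4172
!
! ---- Option 2: no spare public IP, static PAT on the outside interface address ----
static (inside,outside) tcp interface 443 192.168.1.100 443 netmask 255.255.255.255
static (inside,outside) tcp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
static (inside,outside) udp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
access-list inbound extended permit tcp any interface outside eq 443
access-list inbound extended permit tcp any interface outside eq 4172
access-list inbound extended permit udp any interface outside eq 4172
!
! ---- Apply the ACL inbound on the outside interface ----
! If 'show run access-group' shows an ACL already applied here, add the lines above
! to that ACL instead and keep its name; 'any' can be narrowed to known client ranges.
access-group inbound in interface outside
!
! ---- Option 2 only: forwarding 443 hides ASDM from outside, so move ASDM to another port ----
no http server enable
http server enable 2345
```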
Option 3 – You want to use Port Forwarding (And your ASA is version 8.3 or newer)
Below I’m creating a network object for the View server and statically NATting the ports required to it, then I’m allowing the traffic to reach that network object, and finally applying the access-list (ACL) I’ve used to the outside interface (where the VMware View traffic will be coming from).
Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute the name of yours for the word inbound in my example below.
Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside unless you put it on another port. The following two commands would change the ASDM to port 2345, for example:
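The following is an added example, not the author’s own configuration, showing Option 3 in ASA 8.3+ object-NAT syntax for the page’s View server at 192.168.1.100 behind the outside interface address 123.123.123.123. The port list is an assumption (TCP 443 for HTTPS and TCP/UDP 4172 for PCoIP) and the object names are mine; substitute the ports your View deployment actually uses.

```cisco
! Added example (not the page's own config): ASA 8.3+ syntax for Option 3.
! Assumed View ports: TCP 443 (HTTPS) and TCP/UDP 4172 (PCoIP). Adjust to your deployment.
! Object NAT allows one nat statement per object, so use one object per forwarded port.
object network VIEW-SRV-HTTPS
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 443 443
object network VIEW-SRV-PCOIP-TCP
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 4172 4172
object network VIEW-SRV-PCOIP-UDP
 host 192.168.1.100
 nat (inside,outside) static interface service udp 4172 4172
!
! From 8.3 onwards the ACL references the REAL (inside) address, not the translated one
access-list inbound extended permit tcp any host 192.168.1.100 eq 443
access-list inbound extended permit tcp any host 192.168.1.100 eq 4172
access-list inbound extended permit udp any host 192.168.1.100 eq 4172
!
! Apply inbound on the outside interface. If 'show run access-group' shows an ACL
! already applied here, add the lines above to that ACL and keep its name instead;
! 'any' can be narrowed to known client ranges.
access-group inbound in interface outside
!
! Forwarding 443 hides ASDM from outside, so move ASDM to another port
no http server enable
http server enable 2345
```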