Download and save as ppsx: Certificate Enrollment Process


I would like to sum up an important issue regarding ISAKMP and IPsec lifetimes.

The ISAKMP lifetime is always set based on the initiator's ISAKMP lifetime, even if it is higher than the responder's ISAKMP lifetime.

The IPsec lifetime is always set to the lowest value configured on either IPsec peer.

The IKE Phase 1 lifetime should be greater than the IKE Phase 2 lifetime.

86400 seconds (1 day) is a common default value for Phase 1 and 3600 seconds (1 hour) is a common value for Phase 2.

A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes were negotiated. In IKEv2, each end of the SA is responsible for enforcing its own lifetime policy on the SA and rekeying the SA when necessary. If the two ends have different lifetime policies, the end with the shorter lifetime will always be the one to request the rekeying.

Here is the first post in the Useful Commands series.

Have you ever wondered how to find out which ports your router is listening on? Just take a look (also try the handy show ip sockets detail command):

R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:443 *:0 HTTP CORE LISTEN
tcp *:22 10.0.12.2:59470 SSH-Server ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:56186 *:0 IP SNMP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
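As an added example (not part of the original post), here is a small Python parser for this output together with a review pass over it: it turns each row into a record, lists the established control-plane sessions, and flags the listeners a hardening review usually questions because the protocol carries management credentials or community strings in cleartext. The sample text is a re-typed copy of the output above; the list of flagged services is an assumed review policy, not something the page defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: a re-typed copy of the `show control-plane host open-ports`
# output quoted above, so the parser runs offline.
SAMPLE_OUTPUT = """\
R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:443 *:0 HTTP CORE LISTEN
tcp *:22 10.0.12.2:59470 SSH-Server ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:56186 *:0 IP SNMP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
"""


@dataclass(frozen=True)
class OpenPort:
    proto: str
    local: str      # "addr:port" as printed, "*" meaning any local address
    foreign: str
    service: str
    state: str

    @property
    def port(self):
        return int(self.local.rsplit(":", 1)[1])


# One table row: protocol, local, foreign, service name (may contain spaces), state.
_ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$")


def parse_open_ports(text):
    """Turn the command output into OpenPort records, skipping prompt and header lines."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(OpenPort(*m.groups()))
    return rows


# Assumed review policy (not from the page): control-plane listeners whose protocol
# carries management credentials or community strings in cleartext.
CLEARTEXT_LISTENERS = {
    ("tcp", 23): "Telnet: credentials in cleartext, prefer SSH",
    ("tcp", 80): "HTTP: credentials in cleartext, prefer HTTPS",
    ("udp", 161): "SNMP: check for v1/v2c community strings, prefer v3",
}


def review_listeners(rows):
    """Return one finding per listening socket that the review policy questions."""
    findings = []
    for r in rows:
        if r.state == "LISTEN" and (r.proto, r.port) in CLEARTEXT_LISTENERS:
            findings.append(f"{r.proto}/{r.port} ({r.service}): {CLEARTEXT_LISTENERS[(r.proto, r.port)]}")
    return findings


def established_sessions(rows):
    """Active sessions to the control plane: who is connected to the box right now."""
    return [(r.service, r.foreign) for r in rows if r.state.startswith("ESTABLIS")]


if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_OUTPUT)
    for finding in review_listeners(parsed):
        print(finding)
    print("established:", established_sessions(parsed))
```

Run against the sample it reports Telnet, HTTP and SNMP as listeners to review and one established SSH session from 10.0.12.2; feeding it the output of several routers makes a quick inventory of which management services are really exposed on the control plane.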


I am pleased to share our first video post, which shows ACS 5.3 integration with an external user database based on Microsoft Active Directory. The presentation has been split into two parts.

Watch in 720p HD resolution for the best quality.

Part 1

Part 2


Here is a very typical architecture: local Internet access and a site-to-site VPN on the same router, an easy case. To deploy this kind of configuration we almost always have to run IPsec VPN and NAT on one platform. What does NAT imply for IPsec? Let's answer this question.

First we have to look at the Cisco IOS order of operations. NAT happens before encryption, which means that traffic that needs to be encrypted is first NATed and then encrypted. Usually our crypto ACL, which defines the interesting traffic for encryption, matches our inside LAN subnet as source and the remote end's subnet as destination. Once we add a default NAT configuration, IPsec will not work properly: the traffic will never match the crypto ACL, because it is translated first and its source IP changes (depending on the NAT configuration) to the outside interface IP or to a dynamic IP from the NAT pool.

To resolve this issue we have to exclude the traffic that needs to be encrypted from NAT translation. Here is a quick configuration example showing how to proceed.

Assumptions:

Traffic from subnet 10.0.1.0/24 to 10.0.3.0/24 needs to be encrypted. The remaining traffic from 10.0.1.0/24 to the Internet needs to be translated to the outside interface IP.

Solution:

Define two ACLs. The first needs to match the VPN traffic (you can of course reuse the crypto ACL that is already used by the IPsec crypto map); the second defines the NAT traffic. Then create a route map with two statements: the first statement uses the deny keyword and matches the crypto ACL, the second permit statement matches the NAT ACL. The route map has to be referenced in the ip nat inside source configuration that describes the traffic to be translated. That's all. Here is how it looks from the configuration perspective.

ip access-list extended NAT
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
!
route-map NAT deny 10
match ip address VPN
!
route-map NAT permit 20
match ip address NAT
!
ip nat inside source route-map NAT interface FastEthernet0/0 overload
!
interface FastEthernet0/0
ip nat outside
crypto map MAPA


I bet you would say that to configure NAT/PAT, the ip nat inside and ip nat outside commands are always needed. I will show you an example where we can translate IPs with just ip nat outside.

The specific exception is traffic generated by the router itself. Let's play with NAT: configure PAT with a simple ACL and compare the difference between traffic generated by a host behind the router and traffic from the router itself.

I would like to translate all traffic from the LAN network to the Internet using the fa0/0 interface IP. Instead of using the specific subnet IP I am going to configure any/any in the ACL (this will get me into trouble ;)). I just configure the ip nat outside command under the fa0/0 interface, which simulates the Internet subnet.

Here is my base config. R1 and R2 are connected directly via their fa0/0 interfaces.

interface FastEthernet0/0
ip address 10.0.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.210 255.255.255.0
duplex auto
speed auto
!
ip access-list extended NAT
permit ip any any
!
ip nat inside source list NAT interface FastEthernet0/0 overload

Let’s first generate telnet traffic from the host.
R2#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
66 vty 0 idle 00:00:15 192.168.1.105

As you can see, the user has connected from 192.168.1.105.

R1#sh ip nat translations
R1#

At R1 no translation appears, so NAT does not work and the user's telnet traffic has simply been routed without translation. To resolve this problem ip nat inside needs to be added under int fa0/1.
Before we add it, let's generate test traffic from the router itself.

R1#telnet 10.0.12.2 /source-interface fa0/1
Trying 10.0.12.2 ... Open
User Access Verification
Password:

R2#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
67 vty 1 idle 00:00:34 10.0.12.1

NAT is working fine without ip nat inside: even though we generated the traffic with source fa0/1, the telnet traffic has been translated to the fa0/0 address 10.0.12.1.

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.0.12.1:28276 192.168.1.210:28276 10.0.12.2:23 10.0.12.2:23

The translation has been added.
What about other traffic generated by the router itself? Let's ping R2.

R1#ping 10.0.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/30/80 ms
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.0.12.1:1 10.0.12.1:1 10.0.12.1:1 10.0.12.1:1

R1 has translated its own generated traffic. This test shows us one important issue that can influence traffic from and to the router. Because NAT is enabled on the outside interface via the ip nat outside command, the router checks the NAT policy; the traffic matches the ACL and the source IP is translated to the fa0/0 interface IP. For traffic passing through the router, for example from a host behind the router, the ip nat inside and ip nat outside commands are both required to NAT the traffic properly. But because NAT also works for traffic generated by the router itself, even with just ip nat outside configured under the outside interface, traffic from the router will be translated. The important thing is to properly define the source and/or destination traffic in the ACL, otherwise all traffic that matches the ACL will be NATed. An improper ACL configuration can break our management traffic, and we then lose access to our box.
For example: I had configured simple PAT but had not yet added ip nat outside to fa0/0. I was able to establish a telnet session to the router. Once I added ip nat outside, the router started translating the source TCP port because of the PAT configuration, so source port TCP 23 was translated to TCP 3. The TCP stack on the PC from which I was connecting then drops these packets because they do not belong to the session (wrong source port). If you try to establish a new telnet session to R1 from R2 you will get the same issue: the SYN/ACK sent in response to the SYN packet will have its source port 23 translated to a different one, and R2 will reply with an RST packet because of the wrong source port. I hope this was an interesting post for you.
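To make the order-of-operations point from both NAT posts concrete, here is an added Python model (not code from the original posts) of what the router does with an outbound packet: it evaluates IOS wildcard-mask ACLs, applies the NAT selector first, and only then tests the crypto ACL. The VPN and NAT ACLs are copies of the ones from the NAT/IPsec post; the outside address 203.0.113.1, the Internet destination 198.51.100.7, and the check of the router's own management reply (192.168.1.210 to 192.168.1.105, as in the telnet test above) against the any/any ACL are assumptions made for the example. It shows the VPN flow being lost when a plain list selects NAT, kept when the route map's deny clause excludes it, and why an any/any NAT ACL also selects the router's own traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wild_match(addr, network, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def _take_target(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from an ACE token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse the 'permit|deny ip SRC DST' entries of an IOS extended ACL (header lines skipped)."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, rest = _take_target(t[2:])
        dst, _ = _take_target(rest)
        aces.append((t[0], src, dst))
    return aces


def acl_permits(aces, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in aces:
        if wild_match(pkt.src, sn, sw) and wild_match(pkt.dst, dn, dw):
            return action == "permit"
    return False


def route_map_selects(clauses, pkt):
    """clauses: [(action, aces)] in sequence order. A 'deny' clause excludes the packet from NAT."""
    for action, aces in clauses:
        if acl_permits(aces, pkt):
            return action == "permit"
    return False


def ios_outbound(pkt, nat_selector, crypto_acl, outside_ip):
    """IOS order of operations for inside-to-outside traffic: NAT first, then the crypto ACL."""
    translated = nat_selector(pkt)
    after_nat = Packet(outside_ip, pkt.dst) if translated else pkt
    return {"translated": translated,
            "src_on_wire": after_nat.src,
            "encrypted": acl_permits(crypto_acl, after_nat)}


# Constructed copies of the ACLs from the NAT/IPsec post; 203.0.113.1 is an assumed outside address.
VPN_ACL = parse_acl(["ip access-list extended VPN",
                     "permit ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255"])
NAT_ACL = parse_acl(["ip access-list extended NAT",
                     "permit ip 10.0.1.0 0.0.0.255 any"])
ANY_ANY = parse_acl(["permit ip any any"])          # the ACL from the second post
OUTSIDE_IP = "203.0.113.1"


def nat_with_list(pkt):        # ip nat inside source list NAT ...
    return acl_permits(NAT_ACL, pkt)


def nat_with_route_map(pkt):   # ip nat inside source route-map NAT ... (deny 10 = VPN, permit 20 = NAT)
    return route_map_selects([("deny", VPN_ACL), ("permit", NAT_ACL)], pkt)


def demo():
    vpn = Packet("10.0.1.10", "10.0.3.20")                  # LAN host to the remote VPN subnet
    inet = Packet("10.0.1.10", "198.51.100.7")              # LAN host to the Internet (constructed)
    mgmt_reply = Packet("192.168.1.210", "192.168.1.105")   # router's own telnet reply, second post
    return {
        "vpn_with_list": ios_outbound(vpn, nat_with_list, VPN_ACL, OUTSIDE_IP),
        "vpn_with_route_map": ios_outbound(vpn, nat_with_route_map, VPN_ACL, OUTSIDE_IP),
        "internet_with_route_map": ios_outbound(inet, nat_with_route_map, VPN_ACL, OUTSIDE_IP),
        # 'permit ip any any' selects the router's own management replies for PAT too,
        # while an ACL scoped to the LAN subnet leaves them alone
        "mgmt_reply_matches_any_any": acl_permits(ANY_ANY, mgmt_reply),
        "mgmt_reply_matches_lan_acl": acl_permits(NAT_ACL, mgmt_reply),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately ignores port translation and routing; it only answers the two questions the posts raise, whether NAT touches the packet and whether the packet still matches the crypto ACL afterwards.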


If there is still a possibility to do something better, I try ;).

Here is version 3 of the QoS Values Calculator.

I have added application descriptions and DSCP 0.

Do you think that something is still missing? 🙂

QoS Values Calculator v3 in PDF format here.


Cisco has just introduced a new, nice, fast and user-friendly Configuration Tool on the Commerce Workspace website. It will replace the good old and slow 🙂 Cisco Dynamic Configuration Tool.

Enjoy!

Zone-Based Policy Firewall (ZFW) is a new feature that has replaced CBAC (Context-Based Access Control), the legacy IOS firewall feature. The drawback of CBAC was that the stateful inspection policy was applied on an interface-based model, so all traffic passing through an interface was subject to the same inspection policy.
Zone-Based Policy Firewall has changed the IOS stateful inspection architecture from interface-based to a more flexible zone-based configuration architecture.
In ZFW router interfaces are assigned to security zones, and the firewall inspection policy is applied to traffic moving between the zones. By default the router cannot pass traffic to interfaces in other security zones until an explicit policy allowing that traffic is defined. The firewall rule has to define what traffic is allowed to pass between interfaces in different security zones.
Firewall policies are configured using the Class-Based Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts' traffic to which the inspection will be applied. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to hosts, host groups, or subnets connected to the same router interface.

The following tasks are required to complete the ZFW configuration using the CPL:

  1. Create class-map(s) that identify the traffic that must have a policy applied as it traverses a zone-pair
  2. Define a policy-map to apply an action to the traffic in a class-map
  3. Define zones
  4. Define zone-pairs
  5. Apply a policy-map to a zone-pair
  6. Assign interfaces to zones

Now I am going to present short examples of ZFW.

We have 3 routers for the test, connected in a row.

We have a clean configuration, with just OSPF running between them. Ping and telnet from R1 to R3 work fine.

R1#ping 10.0.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/57/112 ms
R1#telnet 10.0.23.3
Trying 10.0.23.3 ... Open
User Access Verification
Password:

We will configure R2 as a zone-based firewall router between the inside network, where R1 resides, and the outside network, where we have R3. The firewall will just inspect ICMP traffic from inside to outside; thanks to stateful inspection the return traffic will be allowed back, the same as in CBAC.
First, we have to create an inspect class-map to match ICMP traffic.
R2(config)#class-map type inspect match-all ICMP
R2(config-cmap)# match protocol icmp

Next, create an inspect policy-map and assign the ICMP class-map to it.
R2(config-cmap)#policy-map type inspect POLICY-INSIDE>OUTSIDE
R2(config-pmap)# class type inspect ICMP
R2(config-pmap-c)# inspect

Now we have to create the zones and the zone pair, i.e. the source and destination of the traffic.
R2(config-pmap-c)#zone security INSIDE
R2(config-sec-zone)#zone security OUTSIDE
R2(config-sec-zone)#zone-pair security ZONE-PAIR-INSIDE>OUTSIDE source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect POLICY-INSIDE>OUTSIDE

The last step is to assign the zones to interfaces.
R2(config)#int fa0/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#int fa0/1
R2(config-if)#zone-member security OUTSIDE

OK, now let's test again. First ping.

R1#ping 10.0.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/108/188 ms

Looks fine, so what about telnet?
R1#telnet 10.0.23.3
Trying 10.0.23.3 ...
% Connection timed out; remote host not responding

Good, no response, as we expected, since no telnet or TCP inspection is defined. Let's run show policy-map to see the inspection statistics.

R2#show policy-map type inspect zone-pair ZONE-PAIR-INSIDE>OUTSIDE
Zone-pair: ZONE-PAIR-INSIDE>OUTSIDE
Service-policy inspect : POLICY-INSIDE>OUTSIDE
Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:10]
Session creations since subsystem startup or last reset 1
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:01:32
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
2 packets, 48 bytes

OK, let's add the next class-map, for telnet.

R2(config)#class-map type inspect match-all TELNET
R2(config-cmap)# match protocol telnet
R2(config-cmap)#policy-map type inspect POLICY-INSIDE>OUTSIDE
R2(config-pmap)# class type inspect TELNET
R2(config-pmap-c)# inspect

Quick test.

R1#telnet 10.0.23.3
Trying 10.0.23.3 ... Open
User Access Verification
Password:
R3#

We are in :), so let's see the statistics and session details.

R2#show policy-map type inspect zone-pair ZONE-PAIR-INSIDE>OUTSIDE
Zone-pair: ZONE-PAIR-INSIDE>OUTSIDE
Service-policy inspect : POLICY-INSIDE>OUTSIDE
Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:20]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:02:10
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Class-map: TELNET (match-all)
Match: protocol telnet
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:24]
Session creations since subsystem startup or last reset 1
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:08
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
2 packets, 48 bytes

R2#show policy-map type inspect zone-pair ZONE-PAIR-INSIDE>OUTSIDE sessions
Zone-pair: ZONE-PAIR-INSIDE>OUTSIDE
Service-policy inspect : POLICY-INSIDE>OUTSIDE
Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Class-map: TELNET (match-all)
Match: protocol telnet
Inspect
Established Sessions
Session 666D2AEC (10.0.12.1:31763)=>(10.0.23.3:23) telnet SIS_OPEN
Created 00:02:03, Last heard 00:01:59
Bytes sent (initiator:responder) [31:71]
Class-map: class-default (match-any)
Match: any
Drop (default action)
2 packets, 48 bytes
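Reading these statistics by eye is fine for one zone pair; as an added example (not from the original post), the Python below parses the show policy-map type inspect zone-pair output into per-class records, so the class-default drop counter and the per-class session counts can be checked automatically across many zone pairs. The sample text is a copy of the first statistics output above; the field names in the returned dictionary are my own.

```python
import re

# Constructed copy of the `show policy-map type inspect zone-pair` output from the post above.
SAMPLE = """\
Zone-pair: ZONE-PAIR-INSIDE>OUTSIDE
Service-policy inspect : POLICY-INSIDE>OUTSIDE
Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:20]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:02:10
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Class-map: TELNET (match-all)
Match: protocol telnet
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:24]
Session creations since subsystem startup or last reset 1
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:08
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
2 packets, 48 bytes
"""

_CLASS = re.compile(r"Class-map:\s+(\S+)\s+\((match-\w+)\)")
_PKTS = re.compile(r"(\w+) packets: \[(\d+):(\d+)\]")
_CREATED = re.compile(r"Session creations .* (\d+)$")
_CURRENT = re.compile(r"Current session counts .*\[(\d+):(\d+):(\d+)\]")
_DROPPED = re.compile(r"(\d+) packets, (\d+) bytes")


def parse_zone_pair_stats(text):
    """Return {'zone_pair', 'policy', 'classes': [per-class dict]} from the show output."""
    report = {"zone_pair": None, "policy": None, "classes": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            report["zone_pair"] = line.split(":", 1)[1].strip()
        elif line.startswith("Service-policy inspect"):
            report["policy"] = line.split(":", 1)[1].strip()
        elif (m := _CLASS.match(line)):
            cur = {"name": m.group(1), "mode": m.group(2), "matches": [], "action": None,
                   "packets": {}, "session_creations": 0, "current": (0, 0, 0), "dropped": 0}
            report["classes"].append(cur)
        elif cur is None:
            continue
        elif line.startswith("Match:"):
            cur["matches"].append(line.split(":", 1)[1].strip())
        elif line == "Inspect":
            cur["action"] = "inspect"
        elif line.startswith("Drop"):
            cur["action"] = "drop"
        elif (m := _PKTS.match(line)):
            # [process switched : fast switched] counters, summed per protocol
            cur["packets"][m.group(1)] = int(m.group(2)) + int(m.group(3))
        elif (m := _CREATED.match(line)):
            cur["session_creations"] = int(m.group(1))
        elif (m := _CURRENT.match(line)):
            cur["current"] = tuple(int(x) for x in m.groups())
        elif (m := _DROPPED.match(line)):
            cur["dropped"] = int(m.group(1))
    return report


def summarize(report):
    """One line per class; the class-default line shows what the policy drops silently."""
    out = []
    for c in report["classes"]:
        if c["action"] == "inspect":
            out.append(f"{c['name']}: inspect {', '.join(c['matches'])}; "
                       f"{sum(c['packets'].values())} pkts, {c['session_creations']} sessions created, "
                       f"{c['current'][0]} established")
        else:
            out.append(f"{c['name']}: drop; {c['dropped']} pkts dropped")
    return out


def dropped_by_default(report):
    """Packets hitting class-default: traffic the zone pair has no explicit class for."""
    return sum(c["dropped"] for c in report["classes"] if c["name"] == "class-default")


if __name__ == "__main__":
    rep = parse_zone_pair_stats(SAMPLE)
    print(rep["zone_pair"], "->", rep["policy"])
    print("\n".join(summarize(rep)))
    print("dropped by class-default:", dropped_by_default(rep))
```

A rising class-default counter on a zone pair that is supposed to be fully described is the quickest sign that some flow is not covered by any class; a half-open count that keeps growing under the TELNET class is the thing to watch before tuning the session limits mentioned at the end of the post.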

At this stage all ICMP traffic from the inside is going through.

R1#ping 10.0.23.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/152/196 ms

Now let's be more specific. We allow just ICMP from 10.0.12.0/24.

R2(config)#ip access-list standard INSIDE-SUBNET
R2(config-std-nacl)# permit 10.0.12.0
R2(config-std-nacl)#class-map type inspect match-all ICMP
R2(config-cmap)#match access-group name INSIDE-SUBNET

What about now?

R1#ping 10.0.23.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)

OK, it is working. Now all traffic from outside to inside is blocked. Let's add a rule to allow telnet to 10.0.12.1 from 10.0.23.3 with inspection. We have to create a new class, policy and zone-pair.

First test.
R3#telnet 10.0.12.1
Trying 10.0.12.1 ...
% Connection timed out; remote host not responding

Now the configuration.

R2(config)#ip access-list extended OUTSIDE-TELNET
R2(config-ext-nacl)#permit ip host 10.0.23.3 host 10.0.12.1
R2(config-ext-nacl)#exit
R2(config)#class-map type inspect OUTSIDE-TELNET
R2(config-cmap)#match protocol telnet
R2(config-cmap)#match access-group name OUTSIDE-TELNET
R2(config-cmap)#exit
R2(config)#policy-map type inspect POLICY-OUTSIDE>INSIDE
R2(config-pmap)#class type inspect OUTSIDE-TELNET
R2(config-pmap-c)#inspect
R2(config-pmap-c)#zone-pair security ZONE-PAIR-OUTSIDE>INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#service-policy type inspect POLICY-OUTSIDE>INSIDE

What about now? Second try.

R3#telnet 10.0.12.1
Trying 10.0.12.1 ... Open
User Access Verification
Password:
R1#

Cool, working.

R2#show policy-map type inspect zone-pair ZONE-PAIR-OUTSIDE>INSIDE sessions
Zone-pair: ZONE-PAIR-OUTSIDE>INSIDE
Service-policy inspect : POLICY-OUTSIDE>INSIDE
Class-map: OUTSIDE-TELNET (match-all)
Match: protocol telnet
Match: access-group name OUTSIDE-TELNET
Inspect
Established Sessions
Session 666D2AEC (10.0.23.3:38211)=>(10.0.12.1:23) telnet SIS_OPEN
Created 00:00:04, Last heard 00:00:02
Bytes sent (initiator:responder) [31:71]
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes

That was just a basic ZFW configuration. There are some more advanced features: besides those similar to CBAC, like session limits, max-incomplete, TCP SYN or idle time, alerts and audit trail, there are others, like limiting the aggregate packet rate for flows between security zones, that I will try to show you in the next post. Enjoy!


The following post will show you how a Cisco router handles broadcast IP packets.

We have two types of IP broadcast address:

  • All-subnets broadcast IP (255.255.255.255)
  • Directed broadcast, the broadcast IP of a specific subnet (e.g. 10.0.12.255 for the 10.0.12.0/24 subnet)

It is worth adding that the all-subnets broadcast type is not a directed broadcast; directed means a broadcast sent to all hosts in a specific subnet (directed to a specific group of hosts).

By default a Cisco router does not forward IP packets addressed to any type of broadcast address: the router simply drops them, or, in case of an ICMP echo to the broadcast address of one of the router's directly connected subnets, responds with an echo reply to the requester.

Directed broadcast example

Let's take a look at the first example. I have generated a ping from R1 to 10.0.23.255. Because R2 is directly connected to the 10.0.23.0/24 subnet, it will respond to the echo with an echo reply, but it will not forward the ICMP packet over the Fa0/1 link towards R3, so R3 will never get it.

Here is the debug ip packet output from R1 after the ping:

R1#ping 10.0.23.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.23.255, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 60/60/60 ms
R1#
*Mar 1 00:24:54.467: IP: tableid=0, s=10.0.12.1 (local), d=10.0.23.255 (FastEthernet0/0), routed via FIB
*Mar 1 00:24:54.471: IP: s=10.0.12.1 (local), d=10.0.23.255 (FastEthernet0/0), len 100, sending
*Mar 1 00:24:54.475: ICMP type=8, code=0
*Mar 1 00:24:54.515: IP: tableid=0, s=10.0.12.2 (FastEthernet0/0), d=10.0.12.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:24:54.519: IP: s=10.0.12.2 (FastEthernet0/0), d=10.0.12.1 (FastEthernet0/0), len 100, rcvd 3
*Mar 1 00:24:54.523: ICMP type=0, code=0

As you can see, R1 gets just R2's response.

Let's add ip directed-broadcast under Fa0/1 on R2 and see how the debug looks now on R1:

R2(config-if)#int fa0/1
R2(config-if)#ip directed-broadcast

R1#ping 10.0.23.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.23.255, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms
R1#
*Mar 1 00:03:56.839: IP: tableid=0, s=10.0.12.1 (local), d=10.0.23.255 (FastEthernet0/0), routed via FIB
*Mar 1 00:03:56.843: IP: s=10.0.12.1 (local), d=10.0.23.255 (FastEthernet0/0), len 100, sending
*Mar 1 00:03:56.847: ICMP type=8, code=0
*Mar 1 00:03:56.863: IP: tableid=0, s=10.0.12.2 (FastEthernet0/0), d=10.0.12.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:03:56.867: IP: s=10.0.12.2 (FastEthernet0/0), d=10.0.12.1 (FastEthernet0/0), len 100, rcvd 3
*Mar 1 00:03:56.871: ICMP type=0, code=0
*Mar 1 00:03:56.931: IP: tableid=0, s=10.0.23.3 (FastEthernet0/0), d=10.0.12.1 (FastEthernet0/0), routed via RIB
R1#
*Mar 1 00:03:56.935: IP: s=10.0.23.3 (FastEthernet0/0), d=10.0.12.1 (FastEthernet0/0), len 100, rcvd 3
*Mar 1 00:03:56.939: ICMP type=0, code=0

As you can see, R1 now gets responses from both R2 and R3.

Take a look at how it looks on R2 and R3:

R2#*Mar  1 00:10:16.995: IP: tableid=0, s=10.0.12.1 (FastEthernet0/0), d=10.0.23.255 (FastEthernet0/1), routed via RIB
*Mar  1 00:10:16.999: IP: s=10.0.12.1 (FastEthernet0/0), d=10.0.23.255 (FastEthernet0/1), g=255.255.255.255, len 100, forward directed broadcast
*Mar  1 00:10:17.007:     ICMP type=8, code=0

R3#*Mar  1 00:07:20.491: IP: s=10.0.12.1 (FastEthernet0/1), d=255.255.255.255, len 100, rcvd 2
*Mar  1 00:07:20.495:     ICMP type=8, code=0
*Mar  1 00:07:20.499: IP: tableid=0, s=10.0.23.3 (local), d=10.0.12.1 (FastEthernet0/1), routed via FIB
*Mar  1 00:07:20.499: IP: s=10.0.23.3 (local), d=10.0.12.1 (FastEthernet0/1), len 100, sending
*Mar  1 00:07:20.503:     ICMP type=0, code=0

As you can see, ip directed-broadcast changes the destination directed broadcast address (10.0.23.255) to the all-subnets broadcast 255.255.255.255.

What if we still want to send the directed broadcast to the subnet broadcast IP? We can use the ip broadcast-address command for this purpose.

R2#show run int fa0/1
interface FastEthernet0/1
 ip address 10.0.23.2 255.255.255.0
 ip broadcast-address 10.0.23.255
 ip directed-broadcast

Now R3 gets the ICMP packet addressed to the subnet broadcast 10.0.23.255.

R3#*Mar  1 00:41:35.391: IP: s=10.0.12.1 (FastEthernet0/1), d=10.0.23.255 (FastEthernet0/1), len 100, rcvd 3
*Mar  1 00:41:35.395:     ICMP type=8, code=0

Here is a diagram that shows the above tests.

All subnets broadcast example

In the following example I will show you how the router handles typical broadcast packets. The best example is the DHCP address allocation process (you can read more about it here). The first message, called DHCP Discover, is sent to the 255.255.255.255 broadcast address. By default the router will ignore this packet and drop it. To handle it properly and send it as unicast IP toward its final destination we have to use the ip helper-address command under the fa0/0 interface on R2, i.e. under the interface that receives the broadcast packets.
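As an added example, not part of the original post, the Python below models the forwarding rules described in this post for R2: a directed broadcast is dropped (but answered if it is an echo to a connected subnet) unless ip directed-broadcast is enabled on the egress interface, in which case the destination on the wire becomes 255.255.255.255 unless ip broadcast-address pins it to the subnet broadcast; a packet to 255.255.255.255 is dropped unless the receiving interface has an ip helper-address, which relays it as unicast. The interface table, the helper address 10.0.23.3 and the dictionary keys are assumptions constructed for the example.

```python
import ipaddress

# Constructed model of R2's interfaces (addresses as in the debugs above).
# 'directed_broadcast' mirrors `ip directed-broadcast`, 'broadcast_address' mirrors
# `ip broadcast-address`, 'helper' mirrors `ip helper-address`. All values are assumed.
R2 = {
    "FastEthernet0/0": {"addr": "10.0.12.2/24", "directed_broadcast": False,
                        "broadcast_address": None, "helper": None},
    "FastEthernet0/1": {"addr": "10.0.23.2/24", "directed_broadcast": False,
                        "broadcast_address": None, "helper": None},
}

LIMITED = ipaddress.IPv4Address("255.255.255.255")


def classify(dst, interfaces):
    """'limited' for 255.255.255.255, 'directed' (plus the egress interface) for a
    connected subnet's broadcast address, otherwise 'unicast'."""
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED:
        return "limited", None
    for name, cfg in interfaces.items():
        if d == ipaddress.IPv4Interface(cfg["addr"]).network.broadcast_address:
            return "directed", name
    return "unicast", None


def handle(dst, interfaces, ingress, icmp_echo=True):
    """What the router does with a packet to `dst` received on `ingress`, following
    the rules in the post. Routing of unicast packets is not modelled."""
    kind, egress = classify(dst, interfaces)
    if kind == "unicast":
        return {"kind": kind, "forward": True, "reply": False, "on_wire_dst": dst}
    if kind == "limited":
        # dropped by default; `ip helper-address` on the ingress relays it as unicast
        helper = interfaces[ingress]["helper"]
        return {"kind": kind, "forward": helper is not None, "reply": False, "on_wire_dst": helper}
    cfg = interfaces[egress]
    if not cfg["directed_broadcast"]:
        # not forwarded, but an echo to the connected subnet's broadcast is still answered
        return {"kind": kind, "forward": False, "reply": icmp_echo, "on_wire_dst": None}
    # forwarded as a link broadcast: the destination becomes 255.255.255.255 unless
    # `ip broadcast-address` pins it to the subnet broadcast
    return {"kind": kind, "forward": True, "reply": icmp_echo,
            "on_wire_dst": cfg["broadcast_address"] or str(LIMITED)}


def with_settings(interfaces, name, **changes):
    """Copy of the interface table with one interface's settings changed."""
    table = {k: dict(v) for k, v in interfaces.items()}
    table[name].update(changes)
    return table


def scenarios():
    """The tests from the post, plus the DHCP relay case, as named results."""
    enabled = with_settings(R2, "FastEthernet0/1", directed_broadcast=True)
    pinned = with_settings(enabled, "FastEthernet0/1", broadcast_address="10.0.23.255")
    relayed = with_settings(R2, "FastEthernet0/0", helper="10.0.23.3")  # assumed DHCP server
    return {
        "directed_default": handle("10.0.23.255", R2, "FastEthernet0/0"),
        "directed_enabled": handle("10.0.23.255", enabled, "FastEthernet0/0"),
        "directed_pinned": handle("10.0.23.255", pinned, "FastEthernet0/0"),
        "limited_default": handle("255.255.255.255", R2, "FastEthernet0/0", icmp_echo=False),
        "limited_with_helper": handle("255.255.255.255", relayed, "FastEthernet0/0", icmp_echo=False),
        "unicast": handle("10.0.23.3", R2, "FastEthernet0/0"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The three directed-broadcast scenarios reproduce the three debugs in the post (R2 only replies; R2 forwards with destination 255.255.255.255; R2 forwards with destination 10.0.23.255), and the limited-broadcast scenarios show why a DHCP Discover goes nowhere until a helper address is configured on the interface that receives it.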

Please check the following diagram and take a look at the post mentioned above. Enjoy 😉