<b>Network, Security and Audit</b> (blog by irom, http://www.blogger.com/profile/14939615461930905691; feed updated 2023-11-16T08:11:42.974-05:00)<br />
<br />
<b>Blog moved to squarespace.com</b> (published 2010-01-11T20:13:00.001-05:00)<br />
I've moved my blog to <a href="http://irom.squarespace.com/">here</a>. Thank you.<br />
<br />
iromiromhttp://www.blogger.com/profile/14939615461930905691noreply@blogger.com0tag:blogger.com,1999:blog-4164644925454346923.post-83852187330167976582010-01-09T13:13:00.000-05:002010-01-09T13:13:34.485-05:00Can firewall or router modify data?I’ve heard someone saying that firewall corrupted a file sent by FTP and they have to deliver it on tapes… so can firewall or router modify/change data ? Cisco Flexible Packet Matching (FPM) can match every bit of the payload but cannot modify it. So it’s not possible to configure per say a substitute regex. But Firewall or IOS packet inspection feature can drop certain packets not compliant with corresponding RFC. <br />
For example, Java filtering has that functionality: it can remove applets from the packet. To see it, I would set up the following debug scenario on the PIX:<br />
<span style="font-size: x-small;">PIX(config) # logging list mylist message 711001</span><br />
<span style="font-size: x-small;">PIX(config) # logging buffered mylist</span><br />
<span style="font-size: x-small;">PIX(config) # logging debug-trace</span><br />
<span style="font-size: x-small;">PIX(config) # debug fixup tcp</span><br />
<span style="font-size: x-small;">PIX(config) # debug pix process</span><br />
This is from my favorite book, Cisco Network Security Troubleshooting Handbook by Mynul Hoda.<br />
<br />
<b>Auditing routers and firewall configs</b> (published 2009-12-29T18:02:00.001-05:00)<br />
<div style="font-family:arial, helvetica, sans-serif;font-size:10pt">There are several free tools available on the net for router and firewall config auditing. I focus on tools which can work on a config file pulled from the router/firewall and placed in a local directory on the PC. See the short list below:
<ul>
<li>NIPPER – can be downloaded from <a href="https://www.titania.co.uk/" rel="nofollow" target="_blank">https://www.titania.co.uk</a> after free registration. It can be used to audit configuration files of Cisco, Juniper, Checkpoint, SonicWall, and many others. It produces nice reports.</li>
<li>CCSAT (Cisco Configuration Security Auditing Tool), see http://freshmeat.net/projects/ccsat/ . The tool is based upon industry best practices, including Cisco, NSA, and SANS security guides and recommendations.</li>
<li>RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by Secure Software security engineers, acquired by Fortify, see <a href="http://www.fortify.com/security-resources/rats.jsp">http://www.fortify.com/security-resources/rats.jsp</a></li>
</ul>
<p>It is easy and practical to put the configuration files in a local directory and run an ad hoc 'grep' command. I did it once with the simple <b>grep 'any\|telnet\|timeout\|floodguard\|server\|logging\|auth\|audit\|pdm' * > output</b>. And if the network admin is reluctant to send config files for auditing, he can run such a command himself and send you just the 'output' file for further analysis, or provide you a 'nipper' report or 'ccsat' output. Good luck !</p></div>
<br />
<b>What is Auto-MDIX ?</b> (published 2009-12-29T15:11:00.001-05:00)<br />
<div class="Section1">Always surprised…, to be honest I’ve never heard about Auto-MDIX. I thought that it was important to remember which cable to use: straight-through or crossover. Automatic medium-dependent interface crossover (Auto-MDIX) is a feature that allows the switch interface to detect the required cable connection type (straight-through or crossover) and automatically configure the connection appropriately. With Auto-MDIX enabled, you can use either a straight-through or crossover type cable to connect to the other device, and the interface automatically corrects for any incorrect cabling. It works on 2940, 2970 and 3750 Series Switches.</div>
<br />
<b>How to write up Network Security , part II ?</b> (published 2009-12-26T14:47:00.002-05:00)<br />
This is a continuation of part <a href="http://infotechaudit.blogspot.com/2009/12/how-to-write-up-network-security.html">I</a><br />
<ul><li>Consultant/guest access to the network - How do they separate the guest/consultant subnet from the rest of the network? Well, VLAN is not a good answer. One of the best is probably the use of VRF Lite (creating virtual routers and virtual routing tables for guest traffic) for traffic and host segmentation. It's very important from a PCI standpoint.</li>
<li>Internet VLAN - Are servers connected to the same switch where the Internet is? How do they mitigate the 'risk of mistyping' (sounds funny, doesn't it :) a VLAN name or number and moving a server to the Internet, in front of the firewall..? Let's say the Internet is connected to the outside interface on VLAN 100, and a server is assigned to a port on VLAN 101. The good answer is change control (very often routers and firewalls are in scope, not switches;), but better is to have segmentation in place (Internet and backbone routers on a separate switch, and VTP set up correctly).</li>
<li>Packet storms - What is the strategy to avoid 'miscabling' (a technician connecting two switches instead of plugging a PC into a switch)? Is STP on? Look for the storm-control command at the interface level, see the example below (3560 switch, g0/1 interface):</li>
</ul><blockquote><pre>interface gigabitethernet0/1
 storm-control unicast level 89 67
 storm-control broadcast level 20</pre></blockquote><blockquote>It enables unicast storm control on the switch port with an 89% rising suppression level and a 67% falling suppression level. It also enables broadcast storm control on the port at a level of 20%. When broadcast traffic exceeds the configured level of 20% of the total available bandwidth of the port within the traffic-storm-control interval, the switch drops all broadcast traffic until the end of the traffic-storm-control interval.<br />
</blockquote><ul><li>NOC access - How do Network Operations Center operators access the routers? What accounts are they using? They shouldn't be able to see the full configuration file, only part of it (i.e. interface configuration). Verify their privileges.</li>
<li>BGP adjacency security – TCP-based BGP is vulnerable to TCP spoofing attacks, for example a <a href="http://en.wikipedia.org/wiki/TCP%20reset%20attack">TCP reset attack</a>, which exploits the fact that TCP considers valid any packet with a sequence number within a session's current receive window. You should see keywords like 'bgp ttl 2' in the configuration files (under ‘bgp router’) to mitigate BGP DoS attacks.</li>
<li>Rogue AP - The presence of <em>rogue access points</em> is a major threat to the company. Employees have relatively free access to a company's facility, which makes it possible for them to inadvertently (or mischievously) install a rogue access point. An employee, for example, may purchase an access point at an office supply store and install it without coordinating with the IT organization, in order to support wireless printing or access to the network from a conference room. Are regular scans for rogue APs performed? One method of detecting rogues involves the use of wireless sniffing tools (e.g., <a href="http://www.80211-planet.com/reviews/ST/article.php/1403641">AirMagnet</a> or <a href="http://www.netstumbler.com/">NetStumbler</a>) that capture information about access points within range of where you're using the tool.</li>
<li>Are configuration changes logged? This could be achieved either by enabling AAA accounting and logging changes to a TACACS+ server (i.e. Cisco ACS) or by enabling ‘archive’ and sending changes to a syslog server:</li>
</ul><blockquote><pre>archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys</pre></blockquote>‘hidekeys’ suppresses sensitive output (e.g. passwords) when displaying the logged commands.<br />
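The grep one-liner from the 'Auditing routers and firewall configs' post and the controls asked for in part I and part II of 'How to write up Network Security' can be checked against a saved config file with a short script. The Python below is an added example (not a tool from this blog); the sample config is constructed, and for the BGP TTL check it looks for the IOS keyword 'neighbor ... ttl-security hops', which is how the check the post calls 'bgp ttl' is configured on IOS.

```python
"""Ad hoc IOS config audit: added example, not the blog author's tool.
grep_config() mirrors the post's grep one-liner; the other checks cover the
controls asked for in the 'How to write up Network Security' posts."""
import re
GREP_KEYWORDS = ("any", "telnet", "timeout", "floodguard", "server",   # the post's
                 "logging", "auth", "audit", "pdm")                      # grep list

def grep_config(config, keywords=GREP_KEYWORDS):
    """Lines an auditor should read, like grep 'any\\|telnet\\|...' config."""
    pat = re.compile("|".join(re.escape(k) for k in keywords))
    return [ln.rstrip() for ln in config.splitlines() if pat.search(ln)]

def parse_sections(config):
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw[0] != " ":
                sections.append((raw.strip(), []))
            elif sections:
                sections[-1][1].append(raw.strip())
    return sections

def interfaces(config):
    return [(h.split(None, 1)[1], body) for h, body in parse_sections(config)
            if h.startswith("interface ")]

def access_ports_without_storm_control(config):
    """Part II: access ports should carry storm-control (miscabling, packet storms)."""
    return [name for name, body in interfaces(config)
            if any(l.startswith("switchport access") for l in body)
            and not any(l.startswith("storm-control") for l in body)]

def change_logging_status(config):
    """Part II: 'archive / log config / logging enable' plus hidekeys."""
    bodies = [body for h, body in parse_sections(config) if h == "archive"]
    body = bodies[0] if bodies else []
    return {"logging_enable": "logging enable" in body, "hidekeys": "hidekeys" in body}

def bgp_neighbors_without_ttl_security(config):
    """Part II: the BGP TTL check; on IOS it is 'neighbor X ttl-security hops N'."""
    peers, protected = set(), set()
    for h, body in parse_sections(config):
        for l in (body if h.startswith("router bgp") else []):
            m = re.match(r"neighbor (\S+) (remote-as|ttl-security)", l)
            if m:
                (peers if m.group(2) == "remote-as" else protected).add(m.group(1))
    return sorted(peers - protected)

def full_privilege_users(config):
    """Part II: NOC operators should not hold privilege 15 (full config view)."""
    return [m.group(1) for h, _ in parse_sections(config)
            for m in [re.match(r"username (\S+) .*\bprivilege 15\b", h)] if m]

def routed_ports_without_urpf(config):
    """Part I: uRPF ('ip verify unicast ...') on routed interfaces (RFC 2827)."""
    return [name for name, body in interfaces(config)
            if any(l.startswith("ip address ") for l in body)
            and not any(l.startswith("ip verify unicast") for l in body)]

def hsrp_groups_without_auth(config):
    """Part I: HSRP groups lacking 'standby N authentication' can be hijacked."""
    found = []
    for name, body in interfaces(config):
        for l in body:
            m = re.match(r"standby (\d+) ip\b", l)
            if m and not any(x.startswith(f"standby {m.group(1)} authentication")
                             for x in body):
                found.append(f"{name} standby {m.group(1)}")
    return found

def l2_protections(config):
    """Part I: DHCP snooping and Dynamic ARP Inspection are global commands."""
    heads = [h for h, _ in parse_sections(config)]
    return {"dhcp_snooping": any(h.startswith("ip dhcp snooping") for h in heads),
            "dai": any(h.startswith("ip arp inspection") for h in heads)}

# Constructed sample: some controls present, others deliberately missing.
SAMPLE_CONFIG = """\
username noc1 privilege 15 secret 5 $1$constructed
archive
 log config
  logging enable
ip dhcp snooping
interface GigabitEthernet0/1
 switchport access vlan 10
 storm-control broadcast level 20
interface GigabitEthernet0/2
 switchport access vlan 10
interface Vlan10
 ip address 10.0.0.2 255.255.255.0
 ip verify unicast source reachable-via rx
 standby 1 ip 10.0.0.1
 standby 1 authentication md5 key-string constructed
interface Vlan20
 ip address 10.0.1.2 255.255.255.0
 standby 2 ip 10.0.1.1
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.5 remote-as 65002
line vty 0 4
 transport input telnet ssh
"""
```

Point each function at a config file read from disk; every check returns the offending interfaces, peers or users, so an empty list means the control is present.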
To be continued…<br />
<br />
<b>IOS IPS</b> (published 2009-12-26T14:05:00.003-05:00)<br />
To set up IPS on IOS, follow the instructions <a href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html">here</a>. My TFTP server is at the address 192.10.1.200 and the dynamips router has interface 192.10.1.6. The first step is to transfer the signature files from the TFTP server to the router. <br />
<a href="http://lh5.ggpht.com/_-rzywtjVRAY/SzZeXroEcvI/AAAAAAAAGuk/2fU9KJ3qknE/s1600-h/clip_image002%5B3%5D.jpg"><img alt="clip_image002" border="0" height="204" src="http://lh6.ggpht.com/_-rzywtjVRAY/SzZeYtyJVRI/AAAAAAAAGuo/KkF7QGI1gSA/clip_image002_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="clip_image002" width="244" /></a><br />
<a href="http://lh3.ggpht.com/_-rzywtjVRAY/SzZeZbGTd7I/AAAAAAAAGus/5xuTrCkuX7w/s1600-h/clip_image004%5B3%5D.jpg"><img alt="clip_image004" border="0" height="157" src="http://lh3.ggpht.com/_-rzywtjVRAY/SzZeaIc0ucI/AAAAAAAAGuw/BxW8Y7sq7Xo/clip_image004_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="clip_image004" width="244" /></a><br />
<a href="http://lh3.ggpht.com/_-rzywtjVRAY/SzZebIFU1jI/AAAAAAAAGu0/Yl69_3Rka9A/s1600-h/clip_image006%5B3%5D.jpg"><img alt="clip_image006" border="0" height="155" src="http://lh5.ggpht.com/_-rzywtjVRAY/SzZecAjyuJI/AAAAAAAAGu4/G6SkA_iHXwc/clip_image006_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="clip_image006" width="244" /></a><br />
<a href="http://lh6.ggpht.com/_-rzywtjVRAY/SzZecluVzdI/AAAAAAAAGu8/r_y6eJSqp5g/s1600-h/clip_image008%5B3%5D.jpg"><img alt="clip_image008" border="0" height="91" src="http://lh4.ggpht.com/_-rzywtjVRAY/SzZedo-_thI/AAAAAAAAGvA/ZBAkl_dE-w0/clip_image008_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="clip_image008" width="244" /></a><br />
The signature files are stored in the router flash.<br />
<pre>Rack1R6#dir
Directory of flash:/
    1  -rw-     7697112   Mar 1 2002 03:03:17 +00:00  IOS-S313-CLI.pkg
16777212 bytes total (9080036 bytes free)</pre>
Now set up the public key and load the signatures.<br />
<a href="http://lh6.ggpht.com/_-rzywtjVRAY/SzZeecniNeI/AAAAAAAAGvE/lnBOx4hRTWk/s1600-h/clip_image010%5B3%5D.jpg"><img alt="clip_image010" border="0" height="155" src="http://lh5.ggpht.com/_-rzywtjVRAY/SzZefdMl6FI/AAAAAAAAGvI/s6-rYVzKqUQ/clip_image010_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="clip_image010" width="244" /></a><br />
<a href="http://lh4.ggpht.com/_-rzywtjVRAY/SzZegLBBrGI/AAAAAAAAGvM/dPUo2wlUNDQ/s1600-h/clip_image012%5B3%5D.jpg"><img alt="clip_image012" border="0" height="155" src="http://lh4.ggpht.com/_-rzywtjVRAY/SzZeg1mSuMI/AAAAAAAAGvQ/U3q7Pns2BZw/clip_image012_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="clip_image012" width="244" /></a><br />
<pre>Rack1R6#show ip ips signature count | i Total
Signature Micro-Engine: multi-string: Total Signatures 8
Signature Micro-Engine: service-http: Total Signatures 622
Signature Micro-Engine: string-tcp: Total Signatures 961
Signature Micro-Engine: string-udp: Total Signatures 75
Signature Micro-Engine: state: Total Signatures 28
Signature Micro-Engine: atomic-ip: Total Signatures 275
Signature Micro-Engine: string-icmp: Total Signatures 3
Signature Micro-Engine: service-ftp: Total Signatures 3
Signature Micro-Engine: service-rpc: Total Signatures 75
Signature Micro-Engine: service-dns: Total Signatures 38
Signature Micro-Engine: normalizer: Total Signatures 9
Signature Micro-Engine: service-smb-advanced: Total Signatures 35
Signature Micro-Engine: service-msrpc: Total Signatures 26
Total Signatures: 2158
Total Enabled Signatures: 930
Total Retired Signatures: 2158
Total Compiled Signatures: 0
Total Obsoleted Signatures: 11</pre>
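A parser for the 'show ip ips signature count' output above, added here as an example (it is not part of the post): it checks that the per-engine counts add up to the total and reads the summary the way an auditor would, since on IOS IPS a retired signature is not compiled and does not inspect traffic, so 'Total Compiled Signatures' is the number that matters rather than 'Enabled'.

```python
"""Parse 'show ip ips signature count' output (added example, not from the post).
A retired IOS IPS signature is not compiled into memory and inspects nothing,
so the figure that matters for an audit is 'Total Compiled Signatures'."""
import re

ENGINE_RE = re.compile(r"Signature Micro-Engine: (\S+): Total Signatures (\d+)")
TOTAL_RE = re.compile(r"^Total (?:(\w+) )?Signatures: (\d+)")

def parse_signature_count(text):
    """Return ({engine: count}, {'total'|'enabled'|'retired'|'compiled'|...: count})."""
    engines, totals = {}, {}
    for line in text.splitlines():
        m = ENGINE_RE.search(line)
        if m:
            engines[m.group(1)] = int(m.group(2))
            continue
        m = TOTAL_RE.match(line.strip())
        if m:
            totals[(m.group(1) or "total").lower()] = int(m.group(2))
    return engines, totals

def assess(engines, totals):
    """Sanity-check the counts and say whether the IPS is actually inspecting."""
    total, retired = totals["total"], totals.get("retired", 0)
    compiled = totals.get("compiled", 0)
    findings = []
    if sum(engines.values()) != total:
        findings.append("per-engine counts do not add up to the total")
    if retired == total:
        findings.append("every signature is retired: no category has been unretired")
    if compiled == 0:
        findings.append("no signature is compiled, so no traffic is being inspected")
    return {"inspecting": compiled > 0, "loaded": total - retired, "findings": findings}

# Output copied from the post (Rack1R6#show ip ips signature count | i Total).
SAMPLE_OUTPUT = """\
Signature Micro-Engine: multi-string: Total Signatures 8
Signature Micro-Engine: service-http: Total Signatures 622
Signature Micro-Engine: string-tcp: Total Signatures 961
Signature Micro-Engine: string-udp: Total Signatures 75
Signature Micro-Engine: state: Total Signatures 28
Signature Micro-Engine: atomic-ip: Total Signatures 275
Signature Micro-Engine: string-icmp: Total Signatures 3
Signature Micro-Engine: service-ftp: Total Signatures 3
Signature Micro-Engine: service-rpc: Total Signatures 75
Signature Micro-Engine: service-dns: Total Signatures 38
Signature Micro-Engine: normalizer: Total Signatures 9
Signature Micro-Engine: service-smb-advanced: Total Signatures 35
Signature Micro-Engine: service-msrpc: Total Signatures 26
Total Signatures: 2158
Total Enabled Signatures: 930
Total Retired Signatures: 2158
Total Compiled Signatures: 0
Total Obsoleted Signatures: 11
"""

if __name__ == "__main__":
    print(assess(*parse_signature_count(SAMPLE_OUTPUT)))
```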
<br />
<b>How to write up Network Security ?</b> (published 2009-12-01T18:00:00.000-05:00)<br />
Most network security audit programs are written by people with a risk or audit background and very little technical and operational experience. So there are many risks and controls listed there which seem to make sense at first glance, but in fact one of the rules below always applies to them: <br />
<ul><li>Every network will comply with the controls </li>
<li>The controls cannot be tested for effectiveness </li>
</ul>I don’t believe that it’s possible to write a good standard network security audit program, so I’m not going to try it here. I just want to show a few high-risk items which are rarely asked for or covered by any control, but are easy to test for effectiveness.<br />
<br />
<ul><li>Rogue route injection - it’s hard to find routing protocol authentication in place. Rogue routes could easily (even accidentally) be learned by a router from a user/administrator workstation running GNS3/Dynamips or Zebra </li>
<li>Control Plane Security - router hardware architectures are vulnerable to DoS attacks, which cause failures in a network infrastructure by flooding it with worthless traffic. </li>
<li>Router Compliance Program – router and switch hardening standards are not in place or are not verified on a regular basis (i.e. CiscoWorks Compliance Manager or Nipper). Do the passwords comply with the company security policy? (Routers are always forgotten.) </li>
<li>DoS/worm mitigation – Networks are not ready to ‘black hole’ DoS traffic (or any suspicious traffic), but it could easily be done (in less than 1 sec) by implementing internal BGP </li>
<li>Network reconnaissance - Networks are open to reconnaissance. A simple sinkhole/NetFlow setup will detect unusual traffic flows (i.e. destined to a non-existent subnet) and mitigate noisy reconnaissance. </li>
<li>Traffic inspection - only standard TCP ports (HTTP or FTP) are inspected. Most of the time inspection of non-standard ports is not performed on the firewall, so if FTP is using port 2021 it will not be inspected by default </li>
<li>HSRP hijacking – virtual gateways are not password protected, and a rogue gateway address can be injected by sending just one packet using packet-crafting tools like ‘scapy’. VRRP and GLBP are also vulnerable. </li>
<li>Network ingress filtering, RFC 2827 (BCP 38) – spoofing attacks and preventing them. Too many perimeter routers accept traffic on outside interfaces with source addresses which belong inside. I would expect Unicast Reverse Path Forwarding (uRPF) to be in place and at least private addresses (RFC 1918) filtered </li>
<li>DAI/DHCP snooping – Dynamic ARP Inspection and DHCP snooping are not implemented, so it’s possible to redirect network traffic to a workstation and sniff clear-text passwords </li>
</ul>To be continued ...<br />
<br />
<b>Dynamic Virtual Tunnel Interface Easy VPN Server and Client</b> (published 2009-10-17T08:39:00.004-04:00)<br />
See below two scenarios:<br />
1) SW1 ezVPN client connected to router R1 ezVPN server<br />
2) SW1 ezVPN client connected to firewall ASA ezVPN server <br />
<table border="1" cellpadding="0" cellspacing="0"><tbody>
<tr><td valign="top" width="331"><b>SW1 Client </b><br />
</td><td valign="top" width="612"><a href="http://www.blogger.com/" name="wp1084040"></a><b>R1 Server</b><br />
</td></tr>
<tr><td valign="top" width="331"><pre>hostname SW1 – CLIENT</pre><br />
<pre>int f1/1</pre><pre>switchport access vlan 10
</pre><pre>interface loopback 0
ip address 2.2.2.2 255.255.255.0
interface vlan 10
ip address 10.0.0.1 255.255.255.0
</pre>crypto isakmp policy 10<br />
authentication pre-share<br />
encryption 3des<br />
hash sha<br />
group 2<br />
<pre>crypto ipsec client ezvpn Server
connect auto
group IPSECGROUP key cisco1234
mode client
peer 10.0.0.2</pre><pre>!local-address loopback 0
username IPSECUSER password cisco</pre><pre>!xauth userid mode local </pre><br />
<br />
<pre>interface loopback 0
crypto ipsec client ezvpn Server inside
interface vlan 10
crypto ipsec client ezvpn Server outside
</pre><pre>ip route 0.0.0.0 0.0.0.0 10.0.0.2</pre><br />
<br />
<br />
<pre> </pre><br />
<br />
<pre></pre><br />
<br />
<pre> </pre><br />
</td><td valign="top" width="612"><br />
<pre>hostname R1 - SERVER
int loopback 0
 ip address 1.1.1.1 255.255.255.0
int f0/0
 ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
username IPSECUSER password cisco
aaa new-model
aaa authentication login default local
aaa authentication login ezvpn-authentication local
!define the xauth authentication list.
aaa authorization network ezvpn-authorization local
!define the authorization list.
ip local pool IPSECPOOL 192.168.1.1 192.168.1.254
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 exit
ip access-list extended SPLIT_TUNNEL
 permit ip 1.1.1.0 0.0.0.255 any
 exit
crypto isakmp client configuration group IPSECGROUP
 key cisco1234
 dns 100.100.100.100
 wins 200.200.200.200
 domain cisco.com
 pool IPSECPOOL
 acl SPLIT_TUNNEL
 !the acl is the split tunnel acl.
 save-password
 !allow the client to save the xauth password locally.
 exit
crypto ipsec transform-set SET esp-3des esp-sha-hmac
 exit
crypto dynamic-map DYNAMIC 10
 set transform-set SET
 reverse-route
crypto map VPN client authentication list ezvpn-authentication
!choose the xauth authentication list.
crypto map VPN isakmp authorization list ezvpn-authorization
!choose the authorization list.
crypto map VPN client configuration address respond
!respond to the client address request.
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
int f0/0
 crypto map VPN</pre></td></tr>
<tr><td valign="top" width="331"><br />
<pre><b>SW1 Client</b></pre></td><td valign="top" width="612"><br />
<pre><b>PIX1 Server</b></pre></td></tr>
<tr><td valign="top" width="331"><br />
<pre>hostname SW1 – CLIENT
</pre><pre>int f1/8 </pre><pre>switchport access vlan 10</pre><pre>int f1/1 </pre><pre>switchport access vlan 10</pre><pre>interface loopback 0
ip address 2.2.2.2 255.255.255.0
interface vlan 10
ip address 10.0.0.1 255.255.255.0</pre><pre>exit</pre><br />
<pre>ip route 0.0.0.0 0.0.0.0 10.0.0.2</pre>crypto isakmp policy 10<br />
authentication pre-share<br />
encryption 3des<br />
hash sha<br />
group 2<br />
<pre>crypto ipsec client ezvpn Server
connect auto
group IPSECGROUP key cisco1234
mode client
peer 10.0.0.2</pre><pre>!local-address loopback 0
username IPSECUSER password cisco</pre><pre>!xauth userid mode local </pre><br />
<br />
<br />
<pre>interface loopback 0
crypto ipsec client ezvpn Server inside
interface vlan 10
crypto ipsec client ezvpn Server outside
</pre><pre> </pre></td><td valign="top" width="612"><br />
<pre>hostname PIX1 – SERVER
int e0
 ip address 10.0.0.2 255.255.255.0
 nameif outside
 no sh
int e1
 nameif inside
 ip address 1.1.1.1 255.255.255.0
 no sh
route outside 0 0 10.0.0.1
username IPSECUSER password cisco privilege 15
access-list SPLIT_TUNNEL permit ip 1.1.1.0 255.255.255.0 any
ip local pool IPSECPOOL 192.168.1.1-192.168.1.254
group-policy IPSECPOLICY internal
group-policy IPSECPOLICY attributes
 split-tunnel-policy tunnelspecified
 dns-server value 100.100.100.100
 wins-server value 200.200.200.200
 address-pools value IPSECPOOL
 split-tunnel-network-list value SPLIT_TUNNEL
 password-storage enable
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP general-attributes
 default-group-policy IPSECPOLICY
 authentication-server-group LOCAL ?
 exit
tunnel-group IPSECGROUP ipsec-attributes
 pre-shared-key cisco1234
 exit
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp enable outside
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto dynamic-map DYNAMIC 10 set transform-set SET
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
crypto map VPN client authentication LOCAL ?
!choose the xauth authentication list.
crypto map VPN interface outside
sysopt connection permit-vpn</pre></td></tr>
</tbody></table><br />
<br />
<br />
<b>VERIFICATION</b><br />
<br />
<b>1) SW1 ezVPN client connected to R1 ezVPN server</b><br />
<pre>SW1#
*Mar 1 00:08:08.811: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=IPSECUSER Group=IPSECGROUP Client_public_addr=10.0.0.1 Server_public_addr=10.0.0.2 Assigned_client_addr=192.168.1.1
SW1#sh ip int b
Vlan10           10.0.0.1        YES manual up                    up
NVI0             10.0.0.1        YES unset  up                    up
Loopback0        2.2.2.2         YES manual up                    up
<b>Loopback10000    192.168.1.1     YES manual up                    up</b>

<b>SW1#sh crypto ipsec client ezvpn</b>
Easy VPN Remote Phase: 6
Tunnel name : Server
Inside interface list: Loopback0
Outside interface: Vlan10
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
<b>Address: 192.168.1.1 (applied on Loopback10000)</b>
Mask: 255.255.255.255
DNS Primary: 100.100.100.100
NBMS/WINS Primary: 200.200.200.200
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 1.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 10.0.0.2

<b>SW1#ping 1.1.1.1 source <u>loopback 10000</u></b>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 236/307/356 ms
SW1#sh crypto ipsec sa
interface: Vlan10
    Crypto map tag: Vlan10-head-0, local addr 10.0.0.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    <b>#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10</b>
    <b>#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10</b>
    #pkts compressed: 0, #pkts decompressed: 
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
     current outbound spi: 0x1207E6F1(302507761)

<b>SW1#sh crypto session</b>
Crypto session current status
Interface: Vlan10
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
  IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
  IPSEC FLOW: permit ip host 192.168.1.1 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map</pre>
<br />
<br />
<b>2) SW1 ezVPN client connected to ASA ezVPN server</b><br />
<br />
<br />
<pre>SW1#
*Mar 1 00:28:45.287: %CRYPTO-6-<b>EZVPN_CONNECTION_DOWN: (Client) </b>User= Group=IP_public_addr=10.0.0.2
*Mar 1 00:28:47.463<b>: EZVPN(Server) Server does not allow save password option,
enter your username and password manually</b>
*Mar 1 00:28:47.467: EZVPN(Server): *** Logic Error ***
*Mar 1 00:28:47.471: EZVPN(Server): Current State: READY
*Mar 1 00:28:47.471: EZVPN(Server): Event: MODE_CONFIG_REPLY
*Mar 1 00:28:47.475: EZVPN(Server): Resetting the EZVPN state machine to recove
SW1#
*Mar 1 00:28:47.499: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=IP_public_addr=10.0.0.2
*Mar 1 00:28:52.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10
<b>*Mar 1 00:28:52.803: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=IPSECUSER G Server_public_addr=10.0.0.2 Assigned_client_addr=192.168.1.1</b>
SW1#
*Mar 1 00:28:53.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, chan</pre>
Password storage had to be added on the ASA: ‘password-storage enable’<br />
<b>SW1#sh ip int b</b><br />
<br />
<br />
<pre>Vlan10           10.0.0.1        YES manual up                    up
NVI0             10.0.0.1        YES unset  up                    up
Loopback0        2.2.2.2         YES manual up                    up
<b>Loopback10000    192.168.1.1     YES manual up                    up</b>
<b>SW1#sh crypto session</b>
Crypto session current status
Interface: Vlan10
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
  IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
  IPSEC FLOW: permit ip host 192.168.1.1 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

<b>SW1#sh crypto ipsec client ezvpn</b>
Easy VPN Remote Phase: 6
Tunnel name : Server
Inside interface list: Loopback0
Outside interface: Vlan10
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
<b>Address: 192.168.1.1 (applied on Loopback10000)</b>
Mask: 255.255.255.255
DNS Primary: 100.100.100.100
NBMS/WINS Primary: 200.200.200.200
Save Password: Allowed
Split Tunnel List: 1
       Address    : 1.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 10.0.0.2

<b>SW1#sh crypto isakmp sa</b>
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.0.0.2        10.0.0.1        QM_IDLE           1039    0 ACTIVE
IPv6 Crypto ISAKMP SA

<b>PIX1# sh route</b>
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.0.0.0 255.255.255.0 is directly connected, outside
S    192.168.1.1 255.255.255.255 [1/0] via 10.0.0.1, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside

<b>SW1#ping 1.1.1.1 source loopback 10000</b>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)</pre>
Hm.. doesn’t work;( Someone tell me why ?<br />
<pre><b>PIX1# sh vpn-sessiondb remote</b>
Session Type: IPsec
Username     : IPSECUSER              Index        : 39
Assigned IP  : 192.168.1.1            Public IP    : 10.0.0.1
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 2500
Group Policy : IPSECPOLICY            Tunnel Group : IPSECGROUP
Login Time   : 14:36:13 UTC Fri Oct 16 2009
Duration     : 0h:13m:38s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
<b>PIX1# ping 192.168.1.1</b>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/210/260 ms</pre>
Ok, at least it works from the ASA;) <br />
<br />
<br />
<pre><b>PIX1# sh vpn-sessiondb remote</b>
Session Type: IPsec
Username     : IPSECUSER              Index        : 39
Assigned IP  : 192.168.1.1            Public IP    : 10.0.0.1
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 500                    Bytes Rx     : 3500
Group Policy : IPSECPOLICY            Tunnel Group : IPSECGROUP
Login Time   : 14:36:13 UTC Fri Oct 16 2009
Duration     : 0h:15m:07s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none</pre>
<br />
<br />
<b>DYNAMIPS NET FILE:</b><br />
<br />
<br />
<pre>autostart=false
[localhost:7200]
workingdir = C:\Documents and Settings\Dynamips\sec-iewb\wrk
[[3745]]
image = C:\Documents and Settings\Dynamips\images\C3745-AD.BIN
ram = 128
mmap = false
ghostios = true
sparsemem = true
[[Router R1]]
model = 3745
console = 2001
F0/0 = SW1 F1/1
[[Router SW1]]
model = 3745
console = 2012
slot1 = NM-16ESW
# pix1
F1/8 = PIX1 e0 # outside
F1/9 = PIX1 e1 # inside
[pemu localhost]
[[525]]
image = C:\Documents and Settings\\Dynamips\images\pix804.bin
serial =
key =
[[FW PIX1]]</pre>
<br />
<b>VRF-aware IPSEC Virtual Interface Tunnels</b> (published 2009-10-09T16:26:00.002-04:00)<br />
R3 (f0/0 and f0/1) is connected to SW1 (f1/3 and f1/13) on two Fast Ethernet interfaces (R3 f0/0 to SW1 f1/3 and R3 f0/1 to SW1 f1/13). IPsec Tunnel 100 and Tunnel 200 originate from the two pairs of Fast Ethernet interfaces. Networks 1.1.1.0 and 3.3.3.0 are routed over Tunnel 100, and 2.2.2.0 and 4.4.4.0 over Tunnel 200. See the configurations below:<br />
<a name='more'></a><br />
<b>R3</b><br />
hostname R3<br />
ip vrf vtl1<br />
ip vrf vtl2<br />
crypto isakmp policy 1<br />
encr 3des<br />
authentication pre-share<br />
group 2<br />
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0<br />
crypto ipsec transform-set T1 esp-3des esp-sha-hmac<br />
crypto ipsec profile P1<br />
set transform-set T1<br />
!<br />
interface Tunnel100<br />
ip vrf forwarding vtl1<br />
ip address 100.100.100.200 255.255.255.0<br />
tunnel source 10.10.10.20<br />
tunnel destination 10.10.10.10<br />
tunnel mode ipsec ipv4<br />
tunnel protection ipsec profile P1<br />
interface Tunnel200<br />
ip vrf forwarding vtl2<br />
ip address 200.200.200.200 255.255.255.0<br />
tunnel source 20.20.20.20<br />
tunnel destination 20.20.20.10<br />
tunnel mode ipsec ipv4<br />
tunnel protection ipsec profile P1<br />
!<br />
interface f0/0<br />
ip address 10.10.10.20 255.255.255.0<br />
int f0/1<br />
ip address 20.20.20.20 255.255.255.0<br />
!<br />
interface loopback 0<br />
ip vrf forwarding vtl1<br />
ip address 3.3.3.3 255.255.255.0<br />
interface loopback 1<br />
ip vrf forwarding vtl2<br />
ip address 4.4.4.4 255.255.255.0<br />
router rip<br />
version 2<br />
!<br />
address-family ipv4 vrf vtl1<br />
network 100.100.100.0<br />
network 3.0.0.0<br />
no auto-summary<br />
exit-address-family<br />
!<br />
address-family ipv4 vrf vtl2<br />
network 200.200.200.0<br />
network 4.0.0.0<br />
no auto-summary<br />
exit-address-family<br />
line con 0<br />
logging sync<br />
no exec-timeout<br />
line aux 0<br />
line vty 0 4<br />
end<br />
<b>SW1</b><br />
hostname SW1<br />
ip vrf vtl1<br />
ip vrf vtl2<br />
int f1/3<br />
switchport access vlan 10<br />
int f1/13<br />
switchport access vlan 20<br />
crypto isakmp policy 1<br />
encr 3des<br />
authentication pre-share<br />
group 2<br />
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0<br />
crypto IPsec transform-set T1 esp-3des esp-sha-hmac<br />
crypto IPsec profile P1<br />
set transform-set T1<br />
!<br />
interface Tunnel100<br />
ip vrf forwarding vtl1<br />
ip address 100.100.100.100 255.255.255.0<br />
tunnel source 10.10.10.10<br />
tunnel destination 10.10.10.20<br />
tunnel mode ipsec ipv4<br />
tunnel protection ipsec profile P1<br />
interface Tunnel200<br />
ip vrf forwarding vtl2<br />
ip address 200.200.200.100 255.255.255.0<br />
tunnel source 20.20.20.10<br />
tunnel destination 20.20.20.20<br />
tunnel mode ipsec ipv4<br />
tunnel protection ipsec profile P1<br />
!<br />
interface vlan 10<br />
ip address 10.10.10.10 255.255.255.0<br />
interface vlan 20<br />
ip address 20.20.20.10 255.255.255.0<br />
!<br />
interface loopback 0<br />
ip vrf forwarding vtl1<br />
ip address 1.1.1.1 255.255.255.0<br />
interface loopback 1<br />
ip vrf forwarding vtl2<br />
ip address 2.2.2.2 255.255.255.0<br />
router rip<br />
version 2<br />
!<br />
address-family ipv4 vrf vtl1<br />
network 100.100.100.0<br />
network 1.0.0.0<br />
! 1.0.0.0 covers Loopback0 (1.1.1.1), which sits in vrf vtl1<br />
no auto-summary<br />
exit-address-family<br />
!<br />
address-family ipv4 vrf vtl2<br />
network 200.200.200.0<br />
network 2.0.0.0<br />
! 2.0.0.0 covers Loopback1 (2.2.2.2), which sits in vrf vtl2<br />
no auto-summary<br />
exit-address-family<br />
!<br />
line con 0<br />
logging sync<br />
no exec-timeout<br />
line aux 0<br />
line vty 0 4<br />
end<br />
<b>SW1#sh ip route vrf vtl1</b><br />
Routing Table: vtl1<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
Gateway of last resort is not set<br />
1.0.0.0/24 is subnetted, 1 subnets<br />
C 1.1.1.0 is directly connected, Loopback0<br />
100.0.0.0/24 is subnetted, 1 subnets<br />
C 100.100.100.0 is directly connected, Tunnel100<br />
3.0.0.0/24 is subnetted, 1 subnets<br />
R 3.3.3.0 [120/1] via 100.100.100.200, 00:00:02, Tunnel100<br />
<b>SW1#sh ip route vrf vtl2</b><br />
Routing Table: vtl2<br />
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP<br />
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<br />
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<br />
E1 - OSPF external type 1, E2 - OSPF external type 2<br />
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<br />
ia - IS-IS inter area, * - candidate default, U - per-user static route<br />
o - ODR, P - periodic downloaded static route<br />
Gateway of last resort is not set<br />
C 200.200.200.0/24 is directly connected, Tunnel200<br />
2.0.0.0/24 is subnetted, 1 subnets<br />
C 2.2.2.0 is directly connected, Loopback1<br />
4.0.0.0/24 is subnetted, 1 subnets<br />
R 4.4.4.0 [120/1] via 200.200.200.200, 00:00:09, Tunnel200<br />
<b>SW1#ping vrf vtl2 4.4.4.4</b><br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/263/388 ms<br />
SW1#ping vrf vtl1 3.3.3.3<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/264/388 ms<br />
<b>SW1#sh crypto ipsec sa vrf vtl1</b><br />
interface: Tunnel100<br />
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10<br />
protected vrf: vtl1<br />
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)<br />
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)<br />
current_peer 10.10.10.20 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
<b>#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11</b><br />
<b>#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20</b><br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 0, #recv errors 0<br />
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 10.10.10.20<br />
path mtu 1514, ip mtu 1514, ip mtu idb Tunnel100<br />
current outbound spi: 0xCACD729B(3402461851)<br />
inbound esp sas:<br />
spi: 0x4E2CDBB0(1311562672)<br />
transform: esp-3des esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: 1, crypto map: Tunnel100-head-0<br />
sa timing: remaining key lifetime (k/sec): (4412590/2591)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
inbound ah sas:<br />
inbound pcp sas:<br />
outbound esp sas:<br />
spi: 0xCACD729B(3402461851)<br />
transform: esp-3des esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: 2, crypto map: Tunnel100-head-0<br />
sa timing: remaining key lifetime (k/sec): (4412591/2591)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
outbound ah sas:<br />
outbound pcp sas:<br />
<b>SW1#sh crypto ipsec sa vrf vtl2</b><br />
interface: Tunnel200<br />
Crypto map tag: Tunnel200-head-0, local addr 20.20.20.10<br />
protected vrf: vtl2<br />
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)<br />
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)<br />
current_peer 20.20.20.20 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
<b>#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11</b><br />
<b>#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20</b><br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 0, #recv errors 0<br />
local crypto endpt.: 20.20.20.10, remote crypto endpt.: 20.20.20.20<br />
path mtu 1514, ip mtu 1514, ip mtu idb Tunnel200<br />
current outbound spi: 0x58CC871F(1489798943)<br />
inbound esp sas:<br />
spi: 0x505FB91C(1348450588)<br />
transform: esp-3des esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 3, flow_id: 3, crypto map: Tunnel200-head-0<br />
sa timing: remaining key lifetime (k/sec): (4574817/2843)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
inbound ah sas:<br />
inbound pcp sas:<br />
outbound esp sas:<br />
spi: 0x58CC871F(1489798943)<br />
transform: esp-3des esp-sha-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 4, flow_id: 4, crypto map: Tunnel200-head-0<br />
sa timing: remaining key lifetime (k/sec): (4574818/2843)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
outbound ah sas:<br />
outbound pcp sas:<br />
<br />
<b>IPsec using IOS CA Server</b> (posted 2009-10-07)<br />
Connecting R1 f0/0 to SW1 f1/1 (vlan 10). See the configs:<br />
<b>R1</b><br />
interface Loopback0<br />
ip address 10.10.10.10 255.255.255.0<br />
!<br />
interface FastEthernet0/0<br />
ip address 1.1.1.1 255.255.255.0<br />
duplex auto<br />
speed auto<br />
!<br />
router rip<br />
version 2<br />
network 1.0.0.0<br />
network 10.0.0.0<br />
ntp master 2   ! R1 is the NTP master<br />
<b><a name='more'></a><br />
<b>SW1:</b><br />
interface Loopback0<br />
ip address 20.20.20.20 255.255.255.0<br />
interface FastEthernet1/1<br />
switchport access vlan 10<br />
spanning-tree portfast<br />
interface Vlan10<br />
ip address 1.1.1.2 255.255.255.0<br />
!<br />
router rip<br />
version 2<br />
network 1.0.0.0<br />
network 20.0.0.0<br />
ntp server 1.1.1.1<br />
Checking time sync with R1:<br />
SW1#sh ntp associations<br />
address ref clock st when poll reach delay offset disp<br />
~1.1.1.1 0.0.0.0 16 - 64 0 0.0 0.00 16000.<br />
* master (synced), # master (unsynced), + selected, - candidate, <b>~ configured</b><br />
SW1#sh ntp status<br />
<b>Clock is synchronized</b>, stratum 3, reference is 1.1.1.1<br />
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18<br />
reference time is C0294479.4E9966A2 (00:06:17.307 UTC Fri Mar 1 2002)<br />
clock offset is 13.6786 msec, root delay is 120.03 msec<br />
root dispersion is 947.17 msec, peer dispersion is 933.47 msec<br />
Set up the CA server on R1:<br />
ip http server   ! enable the HTTP server first; the enrollment URL used below depends on it<br />
crypto pki server R1-CA<br />
grant auto<br />
no shutdown<br />
R1#sh crypto pki server<br />
Certificate Server R1-CA:<br />
<b>Status: enabled</b><br />
<b>State: enabled</b><br />
Server's configuration is locked (enter "shut" to unlock it)<br />
Issuer name: CN=R1-CA<br />
CA cert fingerprint: E37C8415 EE363946 A7DFD807 71D2F531<br />
Granting mode is: auto<br />
Last certificate issued serial number: 0x1<br />
CA certificate expiration timer: 00:11:22 UTC Feb 28 2005<br />
CRL NextUpdate timer: 06:11:23 UTC Mar 1 2002<br />
Current primary storage dir: nvram:<br />
Database Level: Minimum – no<br />
Then set up the CA trustpoint on R1:<br />
crypto pki trustpoint R1<br />
enrollment url http://1.1.1.1:80<br />
revocation-check none<br />
Authenticate and enroll R1:<br />
R1(config)#crypto pki authenticate R1<br />
Certificate has the following attributes:<br />
Fingerprint MD5: E37C8415 EE363946 A7DFD807 71D2F531<br />
Fingerprint SHA1: B26D366F E5DF350D C4371198 9E293668 8976FF12<br />
% Do you accept this certificate? [yes/no]: yes<br />
Trustpoint CA certificate accepted.<br />
R1(config)#<br />
R1(config)#crypto pki enroll R1<br />
%<br />
% Start certificate enrollment ..<br />
% Create a challenge password. You will need to verbally provide this<br />
password to the CA Administrator in order to revoke your certificate.<br />
For security reasons your password will not be saved in the configuration.<br />
Please make a note of it.<br />
Password:<br />
Mar 1 00:17:40.875: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair<br />
Re-enter password:<br />
% The subject name in the certificate will include: R1<br />
% Include the router serial number in the subject name? [yes/no]:<br />
Request certificate from CA? [yes/no]: yes<br />
% Certificate request sent to Certificate Authority<br />
% The 'show crypto ca certificate R1 verbose' commandwill show the fingerprint.<br />
R1(config)#<br />
Mar 1 00:18:20.107: CRYPTO_PKI: Certificate Request Fingerprint MD5: 93133E70 830422FF 8A00C3CE 81E82BE4<br />
Mar 1 00:18:20.119: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 269D2E24 31BFA4B1 96777F4B 86533B81 BD40CB45<br />
R1(config)#<br />
Mar 1 00:18:23.075: %PKI-6-CERTRET: <b>Certificate received from Certificate Authority</b><br />
R1(config)#<br />
Authenticate and enroll SW1 to R1:<br />
SW1(config)#crypto pki authenticate R1<br />
Certificate has the following attributes:<br />
Fingerprint MD5: E37C8415 EE363946 A7DFD807 71D2F531<br />
Fingerprint SHA1: B26D366F E5DF350D C4371198 9E293668 8976FF12<br />
% Do you accept this certificate? [yes/no]: yes<br />
Trustpoint CA certificate accepted.<br />
SW1(config)#<br />
SW1(config)#crypto pki enroll R1<br />
%<br />
% Start certificate enrollment ..<br />
% Create a challenge password. You will need to verbally provide this<br />
password to the CA Administrator in order to revoke your certificate.<br />
For security reasons your password will not be saved in the configuration.<br />
Please make a note of it.<br />
Password:<br />
Mar 1 00:20:30.131: RSA key size needs to be atleast 768 bits for ssh version 2<br />
Mar 1 00:20:30.151: %SSH-5-ENABLED: SSH 1.5 has been enabled<br />
Mar 1 00:20:30.167: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair<br />
Re-enter password:<br />
% The subject name in the certificate will include: SW1<br />
% Include the router serial number in the subject name? [yes/no]: no<br />
% Include an IP address in the subject name? [no]:<br />
Request certificate from CA? [yes/no]: yes<br />
% Certificate request sent to Certificate Authority<br />
% The 'show crypto ca certificate R1 verbose' commandwill show the fingerprint.<br />
SW1(config)#<br />
Mar 1 00:20:52.007: CRYPTO_PKI: Certificate Request Fingerprint MD5: D4849C4C FAB9547D 13B0FB07 FF0C2C54<br />
Mar 1 00:20:52.019: CRYPTO_PKI: Certificate Request Fingerprint SHA1: B7E7067A 691283EC C739E45D 179AEEA9 6D3033B3<br />
SW1(config)#<br />
Mar 1 00:20:56.428: %PKI-6-CERTRET: <b>Certificate received from Certificate Authority</b><br />
Then configure IPsec on R1 and SW1:<br />
R1:<br />
access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255<br />
crypto isakmp policy 10<br />
!<br />
!<br />
crypto ipsec transform-set SET esp-3des esp-md5-hmac<br />
!<br />
crypto map VPN 10 ipsec-isakmp<br />
match address 100<br />
set peer 1.1.1.2<br />
set transform-set SET<br />
interface FastEthernet0/0<br />
crypto map VPN<br />
SW1:<br />
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255<br />
crypto isakmp policy 10<br />
!<br />
!<br />
crypto ipsec transform-set SET esp-3des esp-md5-hmac<br />
!<br />
crypto map VPN 10 ipsec-isakmp<br />
set peer 1.1.1.1<br />
set transform-set SET<br />
match address 100<br />
interface Vlan10<br />
crypto map VPN<br />
and basically that’s it:<br />
R1#ping 20.20.20.20 source loopback 0<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:<br />
Packet sent with a source address of 10.10.10.10<br />
..!!!<br />
Success rate is 60 percent (3/5), round-trip min/avg/max = 168/181/188 ms<br />
R1#sh crypto isakmp sa<br />
IPv4 Crypto ISAKMP SA<br />
dst src state conn-id slot status<br />
1.1.1.2 1.1.1.1 QM_IDLE 1001 0 <b>ACTIVE</b><br />
IPv6 Crypto ISAKMP SA<br />
R1#sh crypto ipsec sa<br />
interface: FastEthernet0/0<br />
Crypto map tag: VPN, local addr 1.1.1.1<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)<br />
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)<br />
current_peer 1.1.1.2 port 500<br />
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}<br />
<b>#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3</b><br />
<b>#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3</b><br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 2, #recv errors 0<br />
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2<br />
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0<br />
current outbound spi: 0x410281BA(1090683322)<br />
inbound esp sas:<br />
spi: 0xB5EAB4B4(3052057780)<br />
transform: esp-3des esp-md5-hmac ,<br />
And from SW1:<br />
SW1#ping 10.10.10.10 source loopback 0<br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:<br />
Packet sent with a source address of 20.20.20.20<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/162/260 ms<br />
SW1#sh crypto ipsec sa<br />
interface: Vlan10<br />
Crypto map tag: VPN, local addr 1.1.1.2<br />
protected vrf: (none)<br />
local ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)<br />
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)<br />
current_peer 1.1.1.1 port 500<br />
PERMIT, flags={origin_is_acl,}<br />
<b>#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28</b><br />
<b>#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28</b><br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 0, #recv errors 0<br />
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1<br />
path mtu 1500, ip mtu 1500, ip mtu idb Vlan10<br />
current outbound spi: 0xB5EAB4B4(3052057780)<br />
inbound esp sas:<br />
spi: 0x410281BA(1090683322)<br />
transform: esp-3des esp-md5-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 1, flow_id: 1, crypto map: VPN<br />
sa timing: remaining key lifetime (k/sec): (4492899/3251)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
inbound ah sas:<br />
inbound pcp sas:<br />
outbound esp sas:<br />
spi: 0xB5EAB4B4(3052057780)<br />
transform: esp-3des esp-md5-hmac ,<br />
in use settings ={Tunnel, }<br />
conn id: 2, flow_id: 2, crypto map: VPN<br />
sa timing: remaining key lifetime (k/sec): (4492899/3251)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE<br />
outbound ah sas:<br />
outbound pcp sas:<br />
</b><br />
<br />
<b>Fun with Dynamips – router broken by VRF-lite and PIX</b> (posted 2009-10-01)<br />
See the nice and simple VRF-lite exercise below: the SW1 router is split into routers R1 and R2 (one VRF each), which are connected through a PIX firewall. I was able to ping from R2 (connected to the inside interface of the PIX) to R1, which is connected to the outside interface of the PIX firewall.<br />
<br />
<a href="http://lh6.ggpht.com/_-rzywtjVRAY/SsUzoWSnCpI/AAAAAAAAGeg/vAQZVySvgTM/s1600-h/image%5B3%5D.png"><img alt="image" border="0" height="99" src="http://lh5.ggpht.com/_-rzywtjVRAY/SsUzo9XIB0I/AAAAAAAAGek/-S4A75qHC2U/image_thumb%5B1%5D.png?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto;" title="image" width="432" /></a> <br />
<a name='more'></a><b>SW1</b><br />
<br />
vtp file nvram:vlan.dat<br />
ip vrf R1<br />
description Router R1<br />
!<br />
ip vrf R2<br />
description Router R2<br />
interface Vlan10<br />
ip vrf forwarding R1<br />
ip address 1.1.1.1 255.255.255.0<br />
!<br />
interface Vlan20<br />
ip vrf forwarding R2<br />
ip address 2.2.2.2 255.255.255.0<br />
router rip<br />
version 2<br />
!<br />
address-family ipv4 vrf R2<br />
network 2.0.0.0<br />
no auto-summary<br />
exit-address-family<br />
!<br />
address-family ipv4 vrf R1<br />
network 1.0.0.0<br />
no auto-summary<br />
exit-address-family<br />
no cdp log mismatch duplex<br />
<b>SW1#sh vlan-switch</b><br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3<br />
Fa1/4, Fa1/5, Fa1/6, Fa1/7<br />
Fa1/10, Fa1/11, Fa1/12, Fa1/13<br />
Fa1/14, Fa1/15<br />
10 VLAN0010 active Fa1/8<br />
20 VLAN0020 active Fa1/9<br />
<b>PIXFIREWALL</b><br />
PIX Version 8.0(4)<br />
!<br />
hostname pixfirewall<br />
!<br />
interface Ethernet0<br />
nameif outside<br />
security-level 0<br />
ip address 1.1.1.12 255.255.255.0<br />
!<br />
interface Ethernet1<br />
nameif inside<br />
security-level 100<br />
ip address 2.2.2.12 255.255.255.0<br />
!<br />
router rip<br />
network 1.0.0.0<br />
network 2.0.0.0<br />
version 2<br />
<b>SW1#ping vrf R2 1.1.1.1</b><br />
Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/228/356 ms<br />
SW1#<br />
<b>pixfirewall# sh service-policy global</b><br />
Global policy:<br />
Service-policy: global_policy<br />
Class-map: inspection_default<br />
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0<br />
Inspect: ftp, packet 0, drop 0, reset-drop 0<br />
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0<br />
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0<br />
Inspect: rsh, packet 0, drop 0, reset-drop 0<br />
Inspect: rtsp, packet 0, drop 0, reset-drop 0<br />
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0<br />
Inspect: sqlnet, packet 0, drop 0, reset-drop 0<br />
Inspect: skinny , packet 0, drop 0, reset-drop 0<br />
Inspect: sunrpc, packet 0, drop 0, reset-drop 0<br />
Inspect: xdmcp, packet 0, drop 0, reset-drop 0<br />
Inspect: sip , packet 0, drop 0, reset-drop 0<br />
Inspect: netbios, packet 0, drop 0, reset-drop 0<br />
Inspect: tftp, packet 0, drop 0, reset-drop 0<br />
Inspect: icmp, <b>packet 20</b>, drop 0, reset-drop 0<br />
<b>Dynamips configuration file used:</b><br />
autostart=false<br />
[localhost:7200]<br />
workingdir = C:\Documents and Settings\Dynamips\sec-iewb\wrk<br />
[[3745]]<br />
image = C:\Documents and Settings\Dynamips\images\C3745-AD.BIN<br />
ram = 128<br />
mmap = false<br />
ghostios = true<br />
sparsemem = true<br />
[[Router SW1]]<br />
model = 3745<br />
console = 2012<br />
slot1 = NM-16ESW<br />
# pix1<br />
F1/8 = PIX1 e0 # outside<br />
F1/9 = PIX1 e1 # inside<br />
F1/14 = PIX1 e2 # dmz<br />
[pemu localhost] <br />
[[525]] <br />
image = C:\Documents and Settings\\Dynamips\images\pix804.bin<br />
serial = <br />
key =<br />
[[FW PIX1]]<br />
<br />
<b>Internetwork Expert CCIE Security Lab on Dynamips</b> (posted 2009-09-16)<br />
I was able to perform most of the INE CCIE Security Lab 1 tasks (<a href="http://members.internetworkexpert.com/courses/iewb-sc-vol2-v5/index.php">Security Lab Workbook Volume II v5.0 Beta</a>) on Dynamips; see my sec-iewb.net configuration file below:<br />
<a name='more'></a><span style="font-size: 85%;">autostart=false</span><br />
<span style="font-size: 85%;">[localhost:7200]</span><br />
<span style="font-size: 85%;">workingdir = C:\Program Files\Dynamips\security\lab1\wrk</span><br />
<span style="font-size: 85%;">[[3745]]</span><br />
<span style="font-size: 85%;">image = C:\Program Files\Dynamips\images\C3745-AD.BIN</span><br />
<span style="font-size: 85%;">ram = 128</span><br />
<span style="font-size: 85%;">ghostios = true</span><br />
<span style="font-size: 85%;">[[Router R1]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2001</span><br />
<span style="font-size: 85%;">F0/0 = SW1 F1/1</span><br />
<span style="font-size: 85%;">S1/0 = FRSW 1</span><br />
<span style="font-size: 85%;">[[Router R2]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2002</span><br />
<span style="font-size: 85%;">F0/0 = SW1 F1/2</span><br />
<span style="font-size: 85%;">S1/0 = FRSW 2</span><br />
<span style="font-size: 85%;">[[Router R3]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2003</span><br />
<span style="font-size: 85%;">F0/0 = SW1 F1/3</span><br />
<span style="font-size: 85%;">F0/1 = SW2 F1/3</span><br />
<span style="font-size: 85%;">S1/0 = FRSW 3</span><br />
<span style="font-size: 85%;">S1/1 = FRSW 13</span><br />
<span style="font-size: 85%;"></span><br />
<span style="font-size: 85%;">[[Router R4]]</span> <br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2004</span><br />
<span style="font-size: 85%;">F0/0 = SW1 F1/4</span><br />
<span style="font-size: 85%;">F0/1 = SW2 F1/4</span><br />
<span style="font-size: 85%;">S1/0 = FRSW 4</span><br />
<span style="font-size: 85%;">[[Router R5]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2005</span><br />
<span style="font-size: 85%;">F0/0 = SW1 F1/5</span><br />
<span style="font-size: 85%;">F0/1 = SW2 F1/5</span><br />
<span style="font-size: 85%;">S1/0 = FRSW 5</span><br />
<span style="font-size: 85%;">[[Router R6]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2006</span><br />
<span style="font-size: 85%;">F0/0 = SW1 F1/6</span><br />
<span style="font-size: 85%;">F0/1 = SW2 F1/6</span><br />
<span style="font-size: 85%;">S1/0 = FRSW 6</span><br />
<span style="font-size: 85%;">[pemu localhost] </span><br />
<span style="font-size: 85%;">[[525]] </span><br />
<span style="font-size: 85%;">image = C:\Program Files\Dynamips\images\pix804.bin</span><br />
<span style="font-size: 85%;">serial = </span><br />
<span style="font-size: 85%;">key =</span><br />
<span style="font-size: 85%;">[[FW PIX1]]</span><br />
<span style="font-size: 85%;">[[FW PIX2]] </span><br />
<span style="font-size: 85%;">[localhost:7201] </span><br />
<span style="font-size: 85%;">workingdir = C:\Program Files\Dynamips\security\lab1\wrk</span><br />
<span style="font-size: 85%;">[[3640]]</span><br />
<span style="font-size: 85%;">image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.bin</span><br />
<span style="font-size: 85%;">ram = 128</span><br />
<span style="font-size: 85%;">ghostios = true</span><br />
<span style="font-size: 85%;">[[3745]]</span><br />
<span style="font-size: 85%;">image = C:\Program Files\Dynamips\images\C3745-AD.BIN</span><br />
<span style="font-size: 85%;">ram = 128</span><br />
<span style="font-size: 85%;">ghostios = true</span><br />
<span style="font-size: 85%;">[[Router BB1]]</span><br />
<span style="font-size: 85%;">model = 3640</span><br />
<span style="font-size: 85%;">console = 2007</span><br />
<span style="font-size: 85%;">slot1 = NM-4T</span><br />
<span style="font-size: 85%;">slot2 = NM-4T</span><br />
<span style="font-size: 85%;">S1/0 = BB3 S1/0</span><br />
<span style="font-size: 85%;">S1/1 = FRSW 21</span><br />
<span style="font-size: 85%;">[[Router BB2]]</span><br />
<span style="font-size: 85%;">model = 3640</span><br />
<span style="font-size: 85%;">console = 2008</span><br />
<span style="font-size: 85%;">slot0 = NM-4E</span><br />
<span style="font-size: 85%;">e0/0 = SW1 F1/15</span><br />
<span style="font-size: 85%;">[[Router BB3]]</span><br />
<span style="font-size: 85%;">model = 3640</span><br />
<span style="font-size: 85%;">console = 2009</span><br />
<span style="font-size: 85%;">slot0 = NM-4E</span><br />
<span style="font-size: 85%;">slot1 = NM-4T</span><br />
<span style="font-size: 85%;">e0/0 = SW2 F1/15</span><br />
<span style="font-size: 85%;">[[Router SW1]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2012</span><br />
<span style="font-size: 85%;">slot1 = NM-16ESW</span><br />
<span style="font-size: 85%;"># Inter-Switch trunk</span><br />
<span style="font-size: 85%;">F1/0 = SW2 F1/0</span><br />
<span style="font-size: 85%;"># VMWare IPS Control</span><br />
<span style="font-size: 85%;">F1/7 = NIO_gen_eth:\Device\NPF_{536501F5-B971-4928-93B1-C33F737F1429} # lo2 </span><br />
<span style="font-size: 85%;"># pix1</span><br />
<span style="font-size: 85%;">F1/8 = PIX1 e3</span><br />
<span style="font-size: 85%;">F1/9 = PIX1 e0</span><br />
<span style="font-size: 85%;"># pix2</span><br />
<span style="font-size: 85%;">F1/10 = PIX2 e3</span><br />
<span style="font-size: 85%;">F1/11 = PIX2 e0</span><br />
<span style="font-size: 85%;"># AAA/CA</span><br />
<span style="font-size: 85%;">F1/12=NIO_gen_eth:\Device\NPF_{28042AFE-9EF5-4599-837F-FF9714E840E1} #lo1</span><br />
<span style="font-size: 85%;"># Trunk to SW2</span><br />
<span style="font-size: 85%;">F1/13=SW2 F1/13</span><br />
<span style="font-size: 85%;">F1/14=SW2 F1/14 </span><br />
<span style="font-size: 85%;">[[Router SW2]]</span><br />
<span style="font-size: 85%;">model = 3745</span><br />
<span style="font-size: 85%;">console = 2013</span><br />
<span style="font-size: 85%;">slot1 = NM-16ESW</span><br />
<span style="font-size: 85%;"># VMWare IPS Sensing</span><br />
<span style="font-size: 85%;">F1/7 = NIO_gen_eth:\Device\NPF_{0C2A39A6-9BAE-46BB-8BF6-52EB674203AB} # lo3</span><br />
<span style="font-size: 85%;"># pix1</span><br />
<span style="font-size: 85%;">F1/8 = PIX1 e1</span><br />
<span style="font-size: 85%;">F1/9 = PIX1 e2</span><br />
<span style="font-size: 85%;"># pix2</span><br />
<span style="font-size: 85%;">F1/10 = PIX2 e1</span><br />
<span style="font-size: 85%;">F1/11 = PIX2 e2</span><br />
<span style="font-size: 85%;"># Test PC</span><br />
<span style="font-size: 85%;">F1/12=NIO_gen_eth:\Device\NPF_{BB0DFDA4-4757-4526-BD9E-58CCD4C4DA4C} #lo0</span><br />
<span style="font-size: 85%;">[[FRSW FRSW]]</span><br />
<span style="font-size: 85%;"># R1 to FRSW</span><br />
<span style="font-size: 85%;">1:102 = 2:201</span><br />
<span style="font-size: 85%;"># 1:103 = 3:301</span><br />
<span style="font-size: 85%;"># 1:113 = 13:311</span><br />
<span style="font-size: 85%;"># 1:104 = 4:401</span><br />
<span style="font-size: 85%;"># 1:105 = 5:501</span><br />
<span style="font-size: 85%;"># R2 to FRSW</span><br />
<span style="font-size: 85%;">2:203 = 3:302</span><br />
<span style="font-size: 85%;"># 2:213 = 13:312</span><br />
<span style="font-size: 85%;"># 2:204 = 4:402</span><br />
<span style="font-size: 85%;"># 2:205 = 5:502</span><br />
<span style="font-size: 85%;"># R3 to FRSW</span><br />
<span style="font-size: 85%;"># 3:304 = 4:403</span><br />
<span style="font-size: 85%;"># 3:305 = 5:503</span><br />
<span style="font-size: 85%;"># 13:314 = 4:413</span><br />
<span style="font-size: 85%;">13:315 = 5:513</span><br />
<span style="font-size: 85%;"># R4 to FRSW</span><br />
<span style="font-size: 85%;">4:405 = 5:504</span><br />
<span style="font-size: 85%;"># R6 to FRSW</span><br />
<span style="font-size: 85%;"># 6:51 = 21:51</span><br />
<span style="font-size: 85%;"># 6:100 = 21:100</span><br />
<span style="font-size: 85%;"># 6:101 = 21:101</span><br />
<span style="font-size: 85%;">6:201 = 21:201</span><br />
<span style="font-size: 85%;"># 6:301 = 21:301</span><br />
<span style="font-size: 85%;"># 6:401 = 21:401</span><br />
Dynamips is running on Win XP with VMware Workstation 6.5, where I’ve Win2k3 and IPSv5 installed in VMware. Win2k3 is running Cisco ACS 4.2 (90-day trial version), Certificate Authority (CA&amp;IIS) and tftp/syslog (simple freeware from tftpd32.jounin.net). <a href="http://www.zengl.net/Cisco_IPS/">IPSv5</a> doesn’t work with the new Cisco IPS Manager Express or even IDM. I’ve used PIX 8.0(4), which is compatible with ASA. Cisco VPN client sessions are established from XP. <br />
I’m using DELL Studio notebook Intel Core2 Duo 2.4 CPU with 4GB (XP is using only 3GB). See also <a href="http://inetpro.org/wiki/CCIE_Security_Home_Lab_with_dynamips">CCIE Security Home Lab with dynamips</a> which is for INE workbook version 1.iromhttp://www.blogger.com/profile/14939615461930905691noreply@blogger.com0tag:blogger.com,1999:blog-4164644925454346923.post-71056585845415827612009-07-30T07:54:00.007-04:002009-10-02T18:36:04.964-04:00PIX Active/Active Failover in Dynamips/PemuPIX active/active failover configuration involves using groups and assigning firewall contexts to groups. On the both firewalls only one group is active at the time. See below the .net file used to run both firewalls in Dynamips/Pemu<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFSw4I36izGIMY6h8HhO1eQ4esm9UtDCxMcOtWhyBAGlJu3wiJ-9nCHJbgFo5YHLVuXaX-q0UkROhlkdYU6eJPfq62e08UpvZFkYmwCbgwikmllo2b1wgArfAK9I4zkKmpaJyGYJkhyphenhyphenKM/s1600-h/pemu-pix-context.jpg"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5364220818685882898" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFSw4I36izGIMY6h8HhO1eQ4esm9UtDCxMcOtWhyBAGlJu3wiJ-9nCHJbgFo5YHLVuXaX-q0UkROhlkdYU6eJPfq62e08UpvZFkYmwCbgwikmllo2b1wgArfAK9I4zkKmpaJyGYJkhyphenhyphenKM/s320/pemu-pix-context.jpg" style="cursor: hand; display: block; height: 320px; margin: 0px auto 10px; text-align: center; width: 294px;" /></a><span style="font-size: 78%;"></span><br />
<span style="font-size: 78%;"><a name='more'></a><br />
</span><span style="font-size: 78%;">autostart = False<br />
<br />
[localhost:7200]<br />
workingdir = C:\Documents and Settings\j017903\Dynamips\PIX_Context\wrk<br />
<br />
[[3745]]<br />
image = C:\Documents and Settings\j017903\Dynamips\images\C3745-AD.BIN<br />
ram = 128<br />
ghostios = True<br />
<br />
[[router R1]]<br />
model = 3745<br />
f0/0 = SW1 1<br />
<br />
[[Router R2]]<br />
model = 3745<br />
f0/0 = SW1 2<br />
<br />
[[Router R3]]<br />
model = 3745<br />
f0/0 = SW1 3<br />
<br />
[[ETHSW SW1]]<br />
1 = access 121 # R1<br />
2 = access 122 # R2<br />
3 = access 123 # R3<br />
4 = access 123 # outside PIX1<br />
5 = access 123 # outside PIX2<br />
6 = access 999 # failover PIX1<br />
7 = access 999 # failover PIX2<br />
8 = access 121 # PIX1 inside<br />
9 = access 121 # PIX2 inside<br />
<br />
[pemu localhost]<br />
[[525]]<br />
image = C:\Documents and Settings\j017903\Dynamips\images\pix804.bin<br />
<br />
[[FW PIX1_context]]<br />
e0 = SW1 4 # outside PIX1<br />
e1 = SW1 8 # PIX1 inside<br />
e2 = SW1 6 # failover PIX1<br />
<br />
[[FW PIX2_context]]<br />
e0 = SW1 5 # outside PIX2<br />
e1 = SW1 9 # PIX2 inside<br />
e2 = SW1 7 # failover PIX2<br />
</span>Configuration of PIX1<br />
<br />
<span style="font-size: 78%;">pix1# sh run<br />
: Saved<br />
:<br />
PIX Version 8.0(4) &lt;system&gt;<br />
!<br />
hostname pix1<br />
enable password 8Ry2YjIyt7RRXU24 encrypted<br />
no mac-address auto<br />
!<br />
interface Ethernet0<br />
!<br />
interface Ethernet1<br />
!<br />
interface Ethernet1.121<br />
vlan 121<br />
!<br />
interface Ethernet1.122<br />
vlan 122<br />
!<br />
interface Ethernet2<br />
description LAN/STATE Failover Interface<br />
<br />
<br />
pix1# sh mode<br />
Security context mode: multiple<br />
pix1# sh context<br />
Context Name Class Interfaces URL<br />
*admin default flash:/admin.cfg<br />
CustomerA default Ethernet0,Ethernet1.121 flash:/CustomerA.cfg<br />
CustomerB default Ethernet0,Ethernet1.122 flash:/CustomerB<br />
<br />
Total active Security Contexts: 3<br />
<br />
<br />
pix1# sh run failover<br />
failover<br />
failover lan unit primary<br />
failover lan interface failover Ethernet2<br />
failover lan enable<br />
failover link failover Ethernet2<br />
failover interface ip failover 100.100.100.12 255.255.255.0 standby 100.100.100.13<br />
failover group 1<br />
preempt<br />
failover group 2<br />
secondary<br />
preempt<br />
<br />
failover group 1<br />
preempt<br />
failover group 2<br />
secondary<br />
preempt<br />
<br />
admin-context admin<br />
context admin<br />
config-url flash:/admin.cfg<br />
!<br />
<br />
context CustomerA<br />
description CustomerA<br />
allocate-interface Ethernet0<br />
allocate-interface Ethernet1.121<br />
config-url flash:/CustomerA.cfg<br />
join-failover-group 1<br />
!<br />
<br />
context CustomerB<br />
description CustomerB<br />
allocate-interface Ethernet0<br />
allocate-interface Ethernet1.122<br />
config-url flash:/CustomerB<br />
join-failover-group 2<br />
</span><br />
The other unit is not yet configured, so the primary switches both groups to Active:<br />
<br />
<span style="font-size: 78%;">No Response from Mate<br />
<br />
Group 1 No Response from Mate, Switch to Active<br />
<br />
Group 2 No Response from Mate, Switch to Active<br />
<br />
pix1# sh failover state<br />
<br />
State Last Failure Reason Date/Time<br />
This host - Primary<br />
Group 1 Active None<br />
Group 2 Active None<br />
Other host - Secondary<br />
Group 1 Failed Comm Failure 17:27:31 UTC Jul 28 2009<br />
Group 2 Failed Comm Failure 17:27:31 UTC Jul 28 2009<br />
<br />
====Configuration State===<br />
====Communication State===<br />
</span><br />
After configuring and starting PIX2:<br />
<br />
<span style="font-size: 78%;">pix2# sh run failover<br />
failover<br />
failover lan unit secondary<br />
failover lan interface failover Ethernet2<br />
failover lan enable<br />
failover link failover Ethernet2<br />
failover interface ip failover 100.100.100.12 255.255.255.0 standby 100.100.100.13<br />
</span><br />
The following messages appear on the secondary unit:<br />
<br />
<span style="font-size: 78%;">pix2#<br />
State check detected an Active mate<br />
Beginning configuration replication from mate.<br />
Removing context 'admin' (1)... Done<br />
INFO: Admin context is required to get the interfaces<br />
Creating context 'admin'... Done. (2)<br />
<br />
WARNING: Skip fetching the URL flash:/admin.cfg<br />
INFO: Creating context with default config<br />
INFO: Admin context will take some time to come up .... please wait.<br />
Creating context 'CustomerA'... Done. (3)<br />
<br />
WARNING: Skip fetching the URL flash:/CustomerA.cfg<br />
INFO: Creating context with default config<br />
Creating context 'CustomerB'... Done. (4)<br />
<br />
WARNING: Skip fetching the URL flash:/CustomerB<br />
INFO: Creating context with default config<br />
<br />
<br />
Group 1 Detected Active mate<br />
<br />
Group 2 Detected Active mate<br />
End configuration replication from mate.<br />
<br />
Group 2 preempt mate<br />
</span><br />
And finally<br />
<br />
<span style="font-size: 78%;">pix1# sh failover<br />
Failover On<br />
Cable status: N/A - LAN-based failover enabled<br />
Failover unit Primary<br />
Failover LAN Interface: failover Ethernet2 (up)<br />
Unit Poll frequency 15 seconds, holdtime 45 seconds<br />
Interface Poll frequency 5 seconds, holdtime 25 seconds<br />
Interface Policy 1<br />
Monitored Interfaces 2 of 250 maximum<br />
Version: Ours 8.0(4), Mate 8.0(4)<br />
Group 1 last failover at: 17:30:56 UTC Jul 28 2009<br />
Group 2 last failover at: 17:35:07 UTC Jul 28 2009<br />
<br />
This host: Primary<br />
Group 1 State: Active<br />
Active time: 450 (sec)<br />
Group 2 State: Standby Ready<br />
Active time: 405 (sec)<br />
<br />
CustomerA Interface outside (136.1.130.253): Normal (Waiting)<br />
CustomerA Interface inside (10.0.0.254): Normal (Not-Monitored )<br />
CustomerB Interface outside (0.0.0.0): Normal (Waiting)<br />
CustomerB Interface inside (0.0.0.0): Normal (Not-Monitored)<br />
<br />
Other host: Secondary<br />
Group 1 State: Standby Ready<br />
Active time: 0 (sec)<br />
Group 2 State: Active<br />
Active time: 45 (sec)<br />
<br />
CustomerA Interface outside (0.0.0.0): Normal (Waiting)<br />
CustomerA Interface inside (0.0.0.0): Normal (Not-Monitored)<br />
CustomerB Interface outside (136.1.130.254): Normal (Waiting)<br />
CustomerB Interface inside (10.0.0.254): Normal (Not-Monitored)<br />
<br />
Stateful Failover Logical Update Statistics<br />
Link : failover Ethernet2 (up)<br />
Stateful Obj xmit xerr rcv rerr<br />
General 7 0 7 0<br />
sys cmd 7 0 7 0<br />
up time 0 0 0 0<br />
RPC services 0 0 0 0<br />
TCP conn 0 0 0 0<br />
UDP conn 0 0 0 0<br />
ARP tbl 0 0 0 0<br />
Xlate_Timeout 0 0 0 0<br />
SIP Session 0 0 0 0<br />
<br />
Logical Update Queue Information<br />
Cur Max Total<br />
Recv Q: 0 1 7<br />
Xmit Q: 0 1 9<br />
<br />
</span><br />
Group 1 is active on the primary unit and Group 2 on the secondary unit.<br />
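To verify that result without reading the whole dump, here is an added Python check (not from the post, not Cisco code) that parses 'show failover' and confirms each group has exactly one Active and one Standby Ready unit; it also flags a missing or Failed mate, the situation shown in the 'sh failover state' output above before PIX2 was configured.

```python
"""Check an Active/Active failover pair from 'show failover' output.
Added example, not part of the original post; the sample below is the
pix1 'sh failover' output shown above, trimmed to the lines that matter."""
import re

# Constructed sample (copied from the pix1 output above, abbreviated).
SAMPLE = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet2 (up)
Version: Ours 8.0(4), Mate 8.0(4)

This host: Primary
Group 1 State: Active
Active time: 450 (sec)
Group 2 State: Standby Ready
Active time: 405 (sec)

Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 45 (sec)
"""

LINK_RE = re.compile(r"^Failover LAN Interface:.*\((\w+)\)")
HOST_RE = re.compile(r"^(?:This|Other) host:\s+(\w+)")
GROUP_RE = re.compile(r"^Group (\d+)\s+State:\s+(.+?)\s*$")


def parse_show_failover(text):
    """Return (lan_link_state, {unit_role: {group_number: state}})."""
    link, units, role = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LINK_RE.match(line):
            link = m.group(1)
        elif m := HOST_RE.match(line):
            role = m.group(1)            # Primary or Secondary
            units[role] = {}
        elif (m := GROUP_RE.match(line)) and role:
            units[role][int(m.group(1))] = m.group(2)
    return link, units


def check_active_active(text):
    """Return a list of findings; an empty list means the pair is healthy:
    the LAN failover link is up, both units report, and every group has
    exactly one Active and one Standby Ready member."""
    link, units = parse_show_failover(text)
    findings = []
    if link != "up":
        findings.append(f"failover LAN link state is {link}")
    if len(units) != 2:
        findings.append(f"expected two units, saw {sorted(units)}")
        return findings
    groups = sorted(set().union(*(u.keys() for u in units.values())))
    for g in groups:
        states = sorted(u.get(g, "missing") for u in units.values())
        if states != ["Active", "Standby Ready"]:
            findings.append(f"group {g}: {states}")
    # Active/Active only pays off when the groups are active on different units.
    active_units = {r for r, u in units.items() if "Active" in u.values()}
    if len(groups) > 1 and len(active_units) < 2:
        findings.append(f"all groups active on {sorted(active_units)}")
    return findings


if __name__ == "__main__":
    print(check_active_active(SAMPLE) or "pair healthy")
```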
<br />
<br />
Full config of PIX1:<br />
<br />
<span style="font-size: 78%;">PIX Version 8.0(4) &lt;system&gt;<br />
!<br />
hostname pix1<br />
enable password 8Ry2YjIyt7RRXU24 encrypted<br />
no mac-address auto<br />
!<br />
interface Ethernet0<br />
!<br />
interface Ethernet1<br />
!<br />
interface Ethernet1.121<br />
vlan 121<br />
!<br />
interface Ethernet1.122<br />
vlan 122<br />
!<br />
interface Ethernet2<br />
description LAN/STATE Failover Interface<br />
!<br />
interface Ethernet3<br />
shutdown<br />
!<br />
interface Ethernet4<br />
class default<br />
limit-resource All 0<br />
limit-resource ASDM 5<br />
limit-resource SSH 5<br />
limit-resource Telnet 5<br />
!<br />
<br />
ftp mode passive<br />
pager lines 24<br />
failover<br />
failover lan unit primary<br />
failover lan interface failover Ethernet2<br />
failover lan enable<br />
failover link failover Ethernet2<br />
failover interface ip failover 100.100.100.12 255.255.255.0 standby 100.100.100.13<br />
failover group 1<br />
preempt<br />
failover group 2<br />
secondary<br />
preempt<br />
no asdm history enable<br />
arp timeout 14400<br />
admin-context admin<br />
context admin<br />
config-url flash:/admin.cfg<br />
!<br />
<br />
context CustomerA<br />
description CustomerA<br />
allocate-interface Ethernet0<br />
allocate-interface Ethernet1.121<br />
config-url flash:/CustomerA.cfg<br />
join-failover-group 1<br />
!<br />
<br />
context CustomerB<br />
description CustomerB<br />
allocate-interface Ethernet0<br />
allocate-interface Ethernet1.122<br />
config-url flash:/CustomerB<br />
join-failover-group 2<br />
!<br />
<br />
prompt hostname context</span>iromhttp://www.blogger.com/profile/14939615461930905691noreply@blogger.com0tag:blogger.com,1999:blog-4164644925454346923.post-70589725576566511052009-07-23T22:12:00.009-04:002009-10-02T18:37:34.077-04:00PIX/ASA contexts – virtual firewalls emulation on PCThe below example is based on <a href="http://ine.com/">Internetwork Expert CCIE workbook</a> . It shows how to emulate firewall virtualization using <a href="http://dynagen.org/tutorial.htm">Dynamips</a> and QEMU on windows PC. Dynamips is a Cisco router emulator which emulates 1700, 2600, 3600, 3700, and 7200 hardware platforms, and runs standard IOS images. QEMU is processor emulator (using a portable dynamic translator), emulates a full system (usually a PC). Routers R1 of CustomerA and Router R2 of CustomerB each connect to one PIX firewall through interfaces InsideA and InsideB and are allocated to two virtual contexts. Customers have their own virtual interfaces in DMZ and OUTSIDE <br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFib05VHkKWp3R4nnnqHT4ItB6rDYpH7IQd9MplHJRdDQe9EQtWYwtodBubbFrmwMZ1EMFpnG-Ja0Pim3sZYbHejAh4SNHVTx2SqGp8ajN7Xna8LSCzHOBOIMpC9lCdZnJQsqcfVE12Z4/s1600-h/pemu-pix.jpg"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5361844830434401346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFib05VHkKWp3R4nnnqHT4ItB6rDYpH7IQd9MplHJRdDQe9EQtWYwtodBubbFrmwMZ1EMFpnG-Ja0Pim3sZYbHejAh4SNHVTx2SqGp8ajN7Xna8LSCzHOBOIMpC9lCdZnJQsqcfVE12Z4/s320/pemu-pix.jpg" style="cursor: hand; display: block; height: 254px; margin: 0px auto 10px; text-align: center; width: 320px;" /></a> <br />
<a name='more'></a><br />
<div>The PIX firewall can be emulated using <a href="http://7200emu.hacki.at/viewtopic.php?t=5383">PEMU</a> (customized version of QEMU) which will run PIX image. It starts using the below script on windows: <br />
</div><div><span style="font-size: 78%;">@echo off <br />
ECHO Telnet to 127.0.0.1 on port 4000 to access PIX Console <br />
ECHO ------------------------------------------------------- <br />
ECHO * * * * * * *DO NOT CLOSE THIS WINDOW* * * * * * * * <br />
REM One -net nic / -net udp pair per PIX interface: vlan 1 = e0, vlan 2 = e1, vlan 3 = e2. Each sport/dport pair is mirrored by a NIO_udp entry in the Dynamips .net file <br />
pemu.exe -net nic,vlan=1,macaddr=00:00:00:00:00:01 -net udp,vlan=1,sport=3000,dport=3001,daddr=127.0.0.01 -net nic,vlan=2,macaddr=00:00:00:00:00:02 -net udp,vlan=2,sport=3002,dport=3003,daddr=127.0.0.01 -net nic,vlan=3,macaddr=00:00:00:00:00:03 -net udp,vlan=3,sport=3004,dport=3005,daddr=127.0.0.01 -m 128 -serial telnet::4000,server,nowait FLASH_context </span><br />
</div><br />
<span style="font-size: 78%;"><br />
</span><br />
<div><br />
</div>After it starts you can telnet to port 4000 on your machine to get access to the PIX console. PEMU uses the Cisco PIX image pix804.bin and puts it in the FLASH file (see sh version below). PIX interfaces e0, e1 and e2 are made available by encapsulating Ethernet frames in UDP (the -net udp method); they have the configured MAC addresses 00:00:00:00:00:01, 02 and 03 respectively. Communication between Dynamips and PEMU goes through source and destination port pairs (sport and dport, 3000-3005) on the local machine. See fragments of ‘sh ver’ below <br />
<div><br />
<span style="font-size: 78%;">Config file at boot was "startup-config" <br />
pixfirewall up 6 secs <br />
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz <br />
Flash E28F128J3 @ 0xfff00000, 16MB <br />
BIOS Flash AM29F400B @ 0xfffd8000, 32KB <br />
0: Ext: Ethernet0 : address is 0000.0000.0001, irq 9 <br />
1: Ext: Ethernet1 : address is 0000.0000.0002, irq 11 <br />
2: Ext: Ethernet2 : address is 0000.0000.0003, irq 11 <br />
Licensed features for this platform: <br />
Security Contexts : 2 <br />
This platform has an Unrestricted (UR) license. <br />
And the interface assignment on the PIX: <br />
PIX Version 8.0(4) &lt;system&gt;<br />
hostname pixfirewall <br />
interface Ethernet0 <br />
interface Ethernet1 <br />
interface Ethernet1.121 <br />
vlan 121 <br />
interface Ethernet1.122 <br />
vlan 122 <br />
interface Ethernet2 </span><br />
</div><span style="font-size: 78%;"></span><br />
<div><br />
</div>The Dynamips .net file used to start four Cisco 3640 routers R1, R2, R3 and R4 (IOS 12.3.14) is shown below. Routers R1 and R2 are connected to virtual switch SW1 on VLANs 121 and 122. Those two VLANs are carried over switch trunk port 5, which is connected to PIX interface e1 (subinterfaces e1.121 and e1.122). Routers R3 and R4 connect directly to the PIX emulated by PEMU using NIO_udp adapters. The virtual Dynamips switch could be replaced by emulating an NM-16ESW card <br />
<div><br />
<span style="font-size: 78%;">autostart = False <br />
[localhost:7200] <br />
workingdir = C:\Program Files\Dynamips\PIX\wrk <br />
[[3640]] <br />
image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.bin <br />
ram = 128 <br />
ghostios = True <br />
[[router R1]] <br />
model = 3640 <br />
f0/0 = SW1 1 <br />
[[Router R2]] <br />
model = 3640 <br />
f0/0 = SW1 2 <br />
[[Router R3]] <br />
model = 3640 <br />
f0/0 = NIO_udp:3001:127.0.0.1:3000 # outside PIX e0 <br />
[[Router R4]] <br />
model = 3640 <br />
f0/0 = NIO_udp:3005:127.0.0.1:3004 # dmz PIX e2 <br />
[[ETHSW SW1]] <br />
1 = access 121 <br />
2 = access 122 <br />
5 = dot1q 1 NIO_udp:3003:127.0.0.1:3002 #inside PIX e1 (TRUNK) </span><br />
</div><br />
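An added consistency check for the wiring described above (example code, not from the post and not part of Dynamips or PEMU): it parses the NIO_udp entries of the .net file and the -net udp options of the pemu command line and pairs them up, which is the first thing to verify when a router cannot reach the PIX. It assumes that sport= is the port PEMU binds locally and dport= the Dynamips side, and that PEMU's vlan N is EthernetN-1, matching the MAC numbering above.

```python
"""Cross-check the UDP links between a Dynamips .net file and a PEMU
command line.  Added example, not part of the original post or of
Dynamips/PEMU; sample inputs are constructed from the lab files above."""
import re
from collections import Counter

# Constructed sample: the pemu line from the batch file above.
PEMU_CMD = ("pemu.exe -net nic,vlan=1,macaddr=00:00:00:00:00:01 "
            "-net udp,vlan=1,sport=3000,dport=3001,daddr=127.0.0.01 "
            "-net nic,vlan=2,macaddr=00:00:00:00:00:02 "
            "-net udp,vlan=2,sport=3002,dport=3003,daddr=127.0.0.01 "
            "-net nic,vlan=3,macaddr=00:00:00:00:00:03 "
            "-net udp,vlan=3,sport=3004,dport=3005,daddr=127.0.0.01 "
            "-m 128 -serial telnet::4000,server,nowait FLASH_context")

# Constructed sample: the NIO_udp lines of the .net file above.
NET_FILE = """\
[[Router R3]]
f0/0 = NIO_udp:3001:127.0.0.1:3000 # outside PIX e0
[[Router R4]]
f0/0 = NIO_udp:3005:127.0.0.1:3004 # dmz PIX e2
[[ETHSW SW1]]
1 = access 121
2 = access 122
5 = dot1q 1 NIO_udp:3003:127.0.0.1:3002 #inside PIX e1 (TRUNK)
"""

PEMU_UDP = re.compile(r"-net udp,vlan=(\d+),sport=(\d+),dport=(\d+),daddr=[\d.]+")
NET_SECTION = re.compile(r"^\[\[(.+?)\]\]\s*$")
# "<port> = [dot1q <vlan>] NIO_udp:<local_port>:<host>:<remote_port>"
NET_NIO = re.compile(r"^(\S+)\s*=\s*(?:\S+\s+\d+\s+)?NIO_udp:(\d+):[\d.]+:(\d+)")


def parse_pemu(cmd):
    """{EthernetN: (pemu_local_port, pemu_remote_port)}.  Assumption: vlan N
    is the N-th NIC, i.e. EthernetN-1, and sport is the port PEMU binds."""
    return {f"Ethernet{int(v) - 1}": (int(s), int(d))
            for v, s, d in PEMU_UDP.findall(cmd)}


def parse_net(text):
    """{'<section> <port>': (dynamips_local_port, dynamips_remote_port)}."""
    ends, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip trailing comment
        if m := NET_SECTION.match(line):
            section = m.group(1)
        elif (m := NET_NIO.match(line)) and section:
            ends[f"{section} {m.group(1)}"] = (int(m.group(2)), int(m.group(3)))
    return ends


def match_endpoints(cmd, text):
    """Pair every PIX interface with the Dynamips endpoint whose ports mirror
    it (PEMU sport == Dynamips remote port and PEMU dport == Dynamips local
    port).  Also report local ports bound twice, which silently breaks a link."""
    pemu, dyn = parse_pemu(cmd), parse_net(text)
    by_ports = {(remote, local): name for name, (local, remote) in dyn.items()}
    matched = {eth: by_ports.get(ports) for eth, ports in pemu.items()}
    local_ports = [p[0] for p in pemu.values()] + [p[0] for p in dyn.values()]
    duplicates = sorted(p for p, n in Counter(local_ports).items() if n > 1)
    return {
        "matched": matched,
        "unmatched_pemu": sorted(e for e, n in matched.items() if n is None),
        "duplicate_local_ports": duplicates,
    }


if __name__ == "__main__":
    for key, value in match_endpoints(PEMU_CMD, NET_FILE).items():
        print(f"{key}: {value}")
```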
<div><span style="font-size: 78%;"><br />
</span>There is no difference between PIX and ASA in terms of context configuration (at least since PIX version 7). The PIX firewall is configured with two contexts, CustomerA and CustomerB, see below: <br />
<br />
<span style="font-size: 78%;">pixfirewall# sh context <br />
Context Name Class Interfaces URL <br />
*admin default flash:/admin.cfg <br />
CustomerA default Ethernet0,Ethernet1.121,Ethernet2 flash:/CustomerA.cfg <br />
CustomerB default Ethernet0,Ethernet1.122,Ethernet2 flash:/CustomerB.cfg <br />
Total active Security Contexts: 3 <br />
R1 (f0/0 136.1.0.1) can ping the R4 loopback (150.1.4.4) in the dmz and the R3 FastEthernet interface 136.1.123.3 located outside: <br />
R1#ping 150.1.4.4 <br />
Type escape sequence to abort. <br />
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds: <br />
!!!!! <br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/116/148 ms </span><br />
</div><br />
<br />
<div><span style="font-size: 78%;"><br />
</span>R1's address is translated on the PIX to 136.1.124.121 in the dmz, which is assigned to CustomerA (R2 will be translated to 136.1.124.122, the dmz context interface for CustomerB): <br />
</div><br />
<br />
<div><br />
<span style="font-size: 78%;">pixfirewall/CustomerA# sh x <br />
2 in use, 2 most used <br />
PAT Global 136.1.123.100(80) Local 136.1.0.1(80) <br />
PAT Global 136.1.124.121(1) Local 136.1.0.1 ICMP id 0 </span><br />
</div><br />
<br />
<div><span style="font-size: 78%;"><br />
</span>The outside router R3 can ping R1 through the PAT-translated address 136.1.123.121, which is the outside interface for CustomerA (R2 could be reached via 136.1.123.122, the outside context interface for CustomerB): <br />
</div><br />
<br />
<div><br />
<span style="font-size: 78%;">R3#ping 136.1.123.121 <br />
Type escape sequence to abort. <br />
Sending 5, 100-byte ICMP Echos to 136.1.123.121, timeout is 2 seconds: <br />
!!!!! <br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/46/72 ms <br />
pixfirewall/CustomerA# sh x <br />
2 in use, 2 most used <br />
PAT Global 136.1.123.100(80) Local 136.1.0.1(80) <br />
PAT Global 136.1.123.121(1) Local 136.1.0.1 ICMP id 1 </span><br />
</div><br />
<br />
<div><span style="font-size: 78%;"><br />
</span>As you can see from the output of ‘sh x’ on the PIX, there is also a static translation from Global 136.1.123.100 port www to Local 136.1.0.1(80), allowing connections to the Customer A internal web server (simulated here by the HTTP server on router R1): <br />
</div><br />
<br />
<div><br />
<span style="font-size: 78%;">R3#telnet 136.1.123.100 80 <br />
Trying 136.1.123.100, 80 ... Open <br />
GET / <br />
<br />
Cisco Systems <br />
Accessing Cisco 3640 "R1"</span><br />
<br />
Same for Customer B: R2 can ping the R4 loopback (150.1.4.4) in the dmz and the R3 FastEthernet interface 136.1.123.3 located outside. This is PAT-translated on the PIX to 136.1.124.122 in the dmz and 136.1.123.122 outside (the dmz and outside interfaces for CustomerB): <br />
</div><br />
<div><br />
<span style="font-size: 78%;">R2#ping 150.1.4.4 <br />
Type escape sequence to abort. <br />
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds: <br />
!!!!! <br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/122/144 ms <br />
pixfirewall/CustomerB# sh x <br />
3 in use, 3 most used <br />
PAT Global 136.1.123.101(23) Local 136.1.0.2(23) <br />
PAT Global 136.1.124.122(2) Local 136.1.0.2 ICMP id 1 <br />
PAT Global 136.1.124.122(1) Local 136.1.0.2 ICMP id 0</span> <br />
<span style="font-size: 78%;">R2#ping 136.1.123.3 <br />
Type escape sequence to abort. <br />
Sending 5, 100-byte ICMP Echos to 136.1.123.3, timeout is 2 seconds: <br />
!!!!! <br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/122/144 ms <br />
pixfirewall/CustomerB# sh x <br />
2 in use, 5 most used <br />
PAT Global 136.1.123.101(23) Local 136.1.0.2(23) <br />
PAT Global 136.1.123.122(3) Local 136.1.0.2 ICMP id 4 <br />
R3#ping 136.1.123.122 <br />
Type escape sequence to abort. <br />
Sending 5, 100-byte ICMP Echos to 136.1.123.122, timeout is 2 seconds: <br />
!!!!! <br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/78/132 ms</span> <br />
</div><br />
<div><br />
Because of the static translation Global 136.1.123.101(23) Local 136.1.0.2(23), R3 can telnet to the inside router R2: <br />
</div><br />
<div><br />
<span style="font-size: 78%;">R3#telnet 136.1.123.101 <br />
Trying 136.1.123.101 ... Open <br />
User Access Verification <br />
Password: <br />
R2></span> <br />
</div><br />
<div><br />
In the above scenario a PC (Windows XP) with a 2.66 GHz CPU and 2GB RAM was used. During this lab the CPU was at 100%, which resulted in relatively long response times, but this didn’t impact typing or using the browser on this computer. <br />
</div><br />
<div><br />
<strong>Configuration of interfaces on the PIX firewall:</strong><br />
</div><br />
<div><br />
</div><span style="font-size: 78%;">pixfirewall# changeto context CustomerA <br />
pixfirewall/CustomerA# sh int ip b <br />
Interface IP-Address OK? Method Status Protocol <br />
outside 136.1.123.121 YES CONFIG up up <br />
insideA 136.1.0.12 YES CONFIG up up <br />
dmz 136.1.124.121 YES CONFIG up up <br />
pixfirewall/CustomerA# changeto context CustomerB <br />
pixfirewall/CustomerB# sh int ip b <br />
Interface IP-Address OK? Method Status Protocol <br />
outside 136.1.123.122 YES CONFIG up up <br />
insideB 136.1.0.12 YES CONFIG up up <br />
dmz 136.1.124.122 YES CONFIG up up</span> <br />
<br />
and translations <br />
<br />
<span style="font-size: 78%;">pixfirewall# changeto context CustomerA <br />
pixfirewall/CustomerA# sh run nat <br />
nat (inside) 1 0.0.0.0 0.0.0.0 <br />
pixfirewall/CustomerA# sh run static <br />
static (inside,outside) tcp 136.1.123.100 www 136.1.0.1 www netmask 255.255.255.255 <br />
pixfirewall/CustomerA# sh run global <br />
global (outside) 1 interface <br />
global (dmz) 1 interface <br />
pixfirewall/CustomerA# changeto context CustomerB <br />
pixfirewall/CustomerB# sh run nat <br />
nat (inside) 1 0.0.0.0 0.0.0.0 <br />
pixfirewall/CustomerB# sh run static <br />
static (inside,outside) tcp 136.1.123.101 telnet 136.1.0.2 telnet netmask 255.255.255.255 <br />
pixfirewall/CustomerB# sh run global <br />
global (outside) 1 interface <br />
global (dmz) 1 interface <br />
</span><br />
<strong>Configuration of interfaces on routers:</strong> <br />
<div><br />
<span style="font-size: 78%;"><strong>R1#sh ip int b</strong> <br />
Interface IP-Address OK? Method Status Protocol <br />
FastEthernet0/0 136.1.0.1 YES NVRAM up up <br />
<strong>R1#sh ip route <br />
</strong>Gateway of last resort is 136.1.0.12 to network 0.0.0.0 <br />
136.1.0.0/24 is subnetted, 1 subnets <br />
C 136.1.0.0 is directly connected, FastEthernet0/0 <br />
S* 0.0.0.0/0 [1/0] via 136.1.0.12 <br />
<strong>R2#sh ip int b <br />
</strong>Interface IP-Address OK? Method Status Prot <br />
FastEthernet0/0 136.1.0.2 YES NVRAM up up <br />
<strong>R2#sh ip route</strong> <br />
Gateway of last resort is 136.1.0.12 to network 0.0.0.0 <br />
136.1.0.0/24 is subnetted, 1 subnets <br />
C 136.1.0.0 is directly connected, FastEthernet0/0 <br />
S* 0.0.0.0/0 [1/0] via 136.1.0.12 <br />
<strong>R3>sh ip int b <br />
</strong>Interface IP-Address OK? Method Status Prot <br />
FastEthernet0/0 136.1.123.3 YES NVRAM up up <br />
<strong>R4>sh ip int b</strong> <br />
Interface IP-Address OK? Method Status Protocol <br />
FastEthernet0/0 136.1.124.4 YES NVRAM up up <br />
Loopback0 150.1.4.4 YES NVRAM up up <br />
</span><br />
</div>irom http://www.blogger.com/profile/14939615461930905691 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-4164644925454346923.post-8915946220995358792 2008-12-06T21:49:00.000-05:00 2008-12-06T21:50:37.741-05:00<br />
<strong>This is a test only</strong><br />
Qwerty<br />
irom http://www.blogger.com/profile/14939615461930905691 noreply@blogger.com