Here is the topology we will be working with.  I have setup a PC so we can simulate a typical user experience.



Guidelines

• Any user on the 192.0.2.0/24 subnet (Inside) will have to authenticate through to the ASA when accessing the IOS Firewall Router.
• This user authentication through the ASA will be of the most secure form.
• The ASA will use local authentication for the users for the time being

Setup Cut-Through Proxy

So the first step would be to define IP addressing and initialize interfaces as well as routing. The HTTP services have been enabled on the IOS router as well as local authentication/authorization of users to this service. We will focus our efforts on the ASA for our cut through authentication.

So step one is going to make sure we have connectivity to the devices first. So let us make sure we can ping 198.18.0.2 from our PC (PC is 192.0.2.100 in my environment)

Ok, already not a good start. From the ASA I can ping the PC as well as the IOS router. The default gateway of each of these devices points to the ASA. Hmmm. Don’t forget about icmp inspection or allowing icmp echo-replies back through the firewall on the outside interface. Here we will inspect icmp.

Ok, now lets try our ping again

Ok, that looks better. The other test I like to do is access the http server on the IOS Router to make sure that we are able to get the default web page from the router so we know that this worked before we started our configuration. This will make it so there is one less thing to check if it doesn’t work. So let’s define an access-list to classify the interesting traffic for cut-through proxy:

And let’s configure our local username and password as our guidelines say to use the local database:

Now we will enable cut-through proxy with our interesting traffic and local database authentication :

So what should we see at this point is a web authentication box popup that is asking us for credentials. This is the cut through authentication service requesting user credentials before allowing the connection onto the IOS router. So we will enter our credentials of cisco/cisco. Then click on “OK” for the web authentication and we should be allowed to the IOS Router now.

Let’s verify the user on the ASA

With the ASA we have another option in which the user authentication experience occurs. Instead of the popup, we can have a webpage display the authentication prompt. It is a little more user friendly this way and is more like the auth-proxy http web page from an IOS router, only better. To do this we enter the following command.

Using the above option, we could also redirect the authentication to another port if needed using the argument “port ‘#’” in the command shown above.

So in our guidelines we actually wanted the most secure mode of communications. Well, using http in this fashion  is not secure at all. So we will want to change our configuration so that we request the user credentials using https.

To do this, we will install 2 commands.

Now depending on how the ASA is configured for PKI support, you will either come to a page with a certificate warning or you will go right the authentication page. This is now a secure login screen for the user.

This concludes our quick introduction into Cut-Through Authentication on the ASA. There are several more features than can become involved such as including an ACS server for authentication/authorization, virtual telnet/http, and even downloadable access-lists that can override an interface access-list. Join me in feature posts where we will discuss these enhancements. I hope this is useful to you and thank you for visiting this post.

Ryan : Welcome Vybhav, great to have you here, how are you today

I’m doing great , my friend! I hope you’re doing well too!

Ryan : Can you please tell us where you are from?

I’m from Bangalore, India. It’s a gorgeous city, with a great weather and real simple and peaceful crowd!

Ryan : What do you do in your current career?

I code in ADA for a living . I know. It sucks. ADA is not in much use these days except in space/defence. The company I work for deals with marine applications.

Ryan : Well, I hope you company  doesn’t follow my blog! What first sparked your interest in networking, especially the security field?

It started in the 12th grade when I wondered “How does the internet work?!”. That was what sparked my interest in networking. I did a lot of self-study and slowly started figuring out stuff like what TCP/IP meant, how is a router different from a switch , etc. I was slowly gaining interest in this vast and AWESOME field of networks. Then something happened. I ran into www.packetlife.net! I was just fascinated by the world of cisco routers, switches and firewalls and I just wanted to know it all. Plus, I’ve always been in network security and someday I wanted to setup secure networks on my own. Hence the pursuit of the elusive CCIE-sec!

Ryan : Interesting! When and where did you first start dealing with Cisco equipment and technologies?

Where? At home , when I discovered GNS3! When? During my 1st year of B.E ( Equivalent to B.S ). I had attempted by CCNA once by then( and failed miserably ) and i started practicing on GNS3. I took another shot at CCNA soon and I failed again ( by a couple of points ). After a lot of practice, I cleared the CCNA on my third attempt . I’m happy I failed twice because, when i cleared it in my 3rd attempt, I knew I deserved it .

Ryan : Good for you for not giving up! Why are you pursueing the CCIE Security designation?

3 reasons. Firstly, Network security is just so fascinating and interesting! And CCIE Security is one of the best (if not the best) network security certifications in the market. Secondly, the Recognition. To be honest , I’ve never been really good at anything, so it was a challenge for me to master a topic and not be a hack of all trades ( get the geek pun? ) . Thirdly, the money. Lots of it!

Ryan : Haha, money is always nice. What study materials do you currently own?

I own the following material
INE
Vol 1 WB and solutions
Vol 2 WB and solutions
Bootcamp VoD
OEQ sim
IPX
Vol 1 WB and DSG
Vol 2 WB and DSG
Video walkthrough of Vol 1 and Vol 2 labs
OEQ sim
Yusuf’s labs
Cisco OEQ sim

Hopefully with all of this material, I’ll clear the CCIE someday . If not, I’m starting an Indian fast-food chain in Canada

Ryan : Wow, you have all the materials! What does you daily study schedule consist of?

During the weekdays I work from 8:00 AM to 4:00 PM. I’m lucky my office has flexible timings so I take advantage of that. After 4.. I go get something to eat and drink( espresso ) and I sit down to study in my office till about 9 or 10. Of course , I take innumerable breaks/surf the web/ watch my favourite bands on youtube /talk on the phone during this time. If I’m doing Vol 1 labs, I schedule an INE rack-rental which is from 3:30 PM to 9:00 PM IST. If i have an IPX lab, I go home and the lab starts at 6:00 PM and goes into the wee hours of the morning. Also, I spend a lot of time flipping through the Doc-CD because I have a bad memory and it takes me many many many readings of the same topic to remember all the important stuff . Also every Thursday, I take a break . I don’t study at all. It’s my way of relaxing and trust me a mid-week break does wonders! You guys should try it once!

Ryan : Thanks for the advice! Does your study schedule change on the weekends.

Yeah. Contrary to others, I take it relatively easy on weekends. I work on one day , like labs , doc-cd , gns3 ,etc . the other day, I just relax . I don’t do anything

Ryan : What are your strong points on the CCIE Security Blueprint?

I would like to think VPNs are my favourite ( I don’t know if i’m strong at it ) topic and I try and work hard at it. I still miss a lot of stuff but I’m slowly…slowly getting better at it.

Ryan : What are your weak ones?

This is easy. It’s ID MGMT. I get nightmares about NAC and the ACS in general

Ryan : How do you find so much time to study, blog, create youtube videos, tweet, and keep up with your personal life?

I have a very understanding girlfriend Plus , I have almost no social life which gives me a lot of time for other stuff ! Although that would sound like a bad thing, i’m happy! Because for the first time in my life, I’m focussed and working towards a goal, which i might not get in the first try, but I’ll keep trying nonetheless.

Ryan : Do you have any role-models?

I have many and here’s what I like/would like to learn from these people

Jeremy Stretch -> Absolute confidence in his knowledge, which I totally respect and admire.
Paul Stewart -> Totally down to earth, helpful guy. One of the smartest dudes I’ve interacted with and a great CCIE.
You ( Ryan Schuett ) -> Humble and Knowledgeable. The ability to jump into your basement and lab for hours after a hard-days work, is something I admire and try and emulate all the time. Thanks buddy!
Tolulope -> Absolutely no attitude , whatsoever. This dude is a double CCIE at 21. Probably the youngest in the world! And yet he’s so humble and willing to learn something everyday. I’ve tons of respect for him.
Neetha ( the girlfriend ) -> An awesome girl , who’s taught me patience and listens to me , everytime Iwhine about why i’m too dumb to be a CCIE

Ryan : Well thank you Vybhav. Where do you plan to see yourself in 3 years?

Hopefully with a CCIE-security certification and pursuing the CCIE-wireless cert. I also am interested in vendor neutral wireless certs (CWNE) and I hope to be one someday

Ryan : I am sure you will have those in the next year! With that in mind, do you have 5 tips for a CCIE security candidate?

1) Lab everything

2) Find a study partner , keeps you motivated

3) If you don’t have an excellent memory, make up for it by revising the same topic many times

4) Plan ahead. Always think of what you’re going to achieve in the next week or atleast the day

5) When you’re tired and want to quit, think about attending cisco live someday

and keep studying

Ryan : How do you plan to celebrate once you have your number?

Hit the gym Meet friends! Go on vacations…. and most importantly , study more.

So how do you go about picking the needle out of the haystack? Well, Cisco has given us an excellent tool to solve this issue with VPN conditional debugging. With conditional filtering for VPN’s, we can filter based on several different attributes such as peer, getvpn group, username, spi, or connid to name a few. This has definately helped me out in a pinch and I am now in the habit of using this instead of just debugging everything crypto within the IOS device.

So how do we implement this great feature you may ask. Well, quite easily, but then again everything is easy once you know what you are doing. So let’s head over to command line and take a look…

So here is a list in which we can choose or option(s) and get our network straightened out quick and painlessly. So let’s do a basic peer filter. Take a look at peer – there are several more options we can narrow it down to. Isn’t this fantastic!

Ok, so let’s go by our IPV4 address. We will want to debug a peer coming in from an IP address of 192.0.2.1. Let’s get this into the router.

And we will confirm that this is enabled.

Now, all that is left is to enable our regular crypto debugging utilities.

Well, I hope that you found this useful. Of course this is only one example of filtering so I leave it up to you to experiment with the others. I know it has sure improved my troubleshooting skills when looking at information I only want to look at.

 Just a side note, you can use different metacharacters together for matching as well. Some matching patterns maybe simple but others you can make more complex. If you wanted to match file names that start with “sdm”, you can use “^sdm.*” for a little more complex matching as this will match any word starting with sdm has any character after it at any given length.

So, for an example, we have the following scenario. We would like to prevent users from downloading files from our ftp site that  starts with any number and ends in either a .bin or exe. We would have to setup a regex and apply it into MPF. Let’s look at our commands to accomplish this.

One last note in regards to regular expression matching. We need to be able to find this on the doc-cd quickly as possible. If we goto the doc-cd (http://www.cisco.com/cisco/web/psa/configure.html), we can find several instances of this wildcard matching. A few ways are shown below:

1)  Click on Products –> Security –>Firewall –> Firewall Appliances –>Cisco ASA 5500 series adaptive security appliance –>Reference Guides (on the left had side of sub links) –> Cisco ASA 5500 Series Command Reference, 8.2 –> look up the regex command with the command reference and you will see the table there. 

2)  Click on Products –> Security –>Firewall –> Firewall Appliances –>Cisco ASA 5500 series adaptive security appliance –> Configuration Guides and TechNotes amd selecting this link –> ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example

I hope this entry has been helpful for you and look forward to future entries in regards to the powerful MPF and its configuration. I will be coming up with future scenarios in regards to matching so stay tuned.

Now, lets show the access-list which should reveal our line numbers.

Ok, so now we have been asked to deny some things and these entries must be between previous entered entries. On the ASA, it is no problem; we specify our new entry with a line number and can add or remove entries this way. No problem. Well, we can do this on IOS as well as this feature has been around for a while. So, let’s add some entries:

And lets view our new ACL again:

So, the issue I have had is running out of lines between the default line numbers (multiples of 10) in the acl. What happens if we need 9 more lines between entries 10 and 20. Well, we wouldn’t be able to do this because we would be out of line numbers. Now this is an issue since we don’t want to take the ACL off the interface and install the new ACL since downtime will occur and security vulnerabilities may surface during that window, not to mention other issues.

Well, Cisco has given us a command called resequence. By implementing this, our line numbers can be resequenced and changed so we can add more entries if needed. The command syntax is shown below. There are two arguements that we can enter with this command. The first is “starting sequence number” and the second is “step to increment sequence number”. The first arguement determines where in the access-list we want to start the resequence. Most times a number of 1o will be used since this is our first line. The second number is the incremental value that is to be applied to the first line number in the list, resulting in new line numbers for the entry.

So the above line is going to resort our access-list acl_resequenced starting at line 10 and will increment the line numbers by 20. Let’s verify the result

Well, that will work and will solve our issue for needing more than the 9 extra entries we needed between lines 10 and 20 earlier.

So now if only we could implement the addition of remark statements to the extended access-list using line numbers. Unfortunately, the functionality of IOS access-lists has been improved with the use of the resequence sub-command but making our own remarks for managment (ease of use) is still lacking. We can insert remarks, but they will always drop down to the bottom the acl. Look below:

And if we show our access-list extend, we don’t even see the remark statement:

However, it does sh up in our run command:

So the access-list subcommand “resequence” can help us if we need to keep our access-list functional and organized better if many changes are needed in IOS. The ASA on the otherhand, is much more powerful and easier to use. I prefer the ASA in this regard.

The topology consists of 1 – 1811 router (flash:c181x-adventerprisek9-mz.150-1.M.bin) and 1 – 881 router (flash:c880data-universalk9-mz.150-1.M1.bin) as well as a notebook running XP SP3. The 1811 is named R1-headoffice and is basically the “server” for the VPN clients. The 881 router is named R2-branch and is the peer for the static VTI. They are all connected together on a network of 136.1.0.0/24.

______________________________________________________

Final Configuration for 1811 – R1-headoffice

R1-headoffice#sh run
Building configuration…

Current configuration : 6497 bytes
!
! Last configuration change at 20:29:34 UTC Tue Jan 5 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-headoffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$0GNS$Y9ewwhbVl76Qdp8WylEyw.
!
aaa new-model
!
!
aaa authentication login aaa_vty_authen local
aaa authentication login aaa_con0_authen none
aaa authentication login aaa_ezvpn_authen local
aaa authentication login aaa_sslvpn_authen local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec aaa_vty_author local
aaa authorization network aaa_ezvpn_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed-3691727871
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3691727871
 revocation-check none
 rsakeypair TP-self-signed-3691727871
!
!
crypto pki certificate chain TP-self-signed-3691727871
 certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363931 37323738 3731301E 170D3130 30313035 31393536
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36393137
  32373837 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB26 95A0DBAF CF21E25D B1884067 39F32C5F 699AA22C 83975826 AF1BB0AB
  F6BC0DCB 3E4ABD2A 505BE044 EB293878 86D34A5F 8E22C068 5088CAE3 5CB406F0
  4A0365B2 4638A962 5460475B AA443DB4 AC22E945 6D3B9F86 3E9A9D1E 447C094D
  DA22B54E 14E10ABB 67F98C13 1E1692D2 A7FA061D F5F3B3AA 473CB675 9881C339
  3CB10203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D52312D 68656164 6F666669 6365301F 0603551D 23041830
  1680146C DF299BAA 99336F8B 70313498 011124A4 14FE9530 1D060355 1D0E0416
  04146CDF 299BAA99 336F8B70 31349801 1124A414 FE95300D 06092A86 4886F70D
  01010405 00038181 00647222 7082103C 51612844 9B7E3156 63DC0228 67A2EAEC
  F08B1D48 5E9AC6B9 25DA65BB F4E07837 4D49286F 819E445A B72B6A5A 770DE2C0
  EA9654A1 2BCD2B5F 589E9546 C3C93C50 C53C0D0C 28B3B92B 459C6D02 5E53AA39
  676B4097 A447F614 DC1D704B D91F5004 F5332A98 24264C87 7FCE2464 3EF07E76
  731FE1E0 29CDF2FC E0
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 10
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
!
!
!
username ryan privilege 15 password 0 ryan
username l2tpipsec password 0 l2tpipsec.key
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key R1-headoffice_R2-br2 address 136.1.0.20
crypto isakmp key l2tp_ipsec_key address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group ezvpn_client
 key ezvpn_key
 pool ippool_ezvpn
 acl acl_ezvpn_splittunnel
crypto isakmp profile isakmp_prof_dvti
   match identity group ezvpn_client
   client authentication list aaa_ezvpn_authen
   isakmp authorization list aaa_ezvpn_author
   client configuration address respond
   keepalive 20 retry 5
   virtual-template 50
!
!
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set l2tp_ipsec esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile ipsec_prof_dvti
 set transform-set aes256sha
 set reverse-route tag 50
 set isakmp-profile isakmp_prof_dvti
!
crypto ipsec profile ipsec_prof_svti
 set transform-set aes256sha
!
!
crypto dynamic-map crypto_dynamic_l2tp-ipsec 10
 set nat demux
 set transform-set l2tp_ipsec
!
!
crypto map crypto_map 10 ipsec-isakmp dynamic crypto_dynamic_l2tp-ipsec
!
!
!
!
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source FastEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 136.1.0.20
 tunnel key 1000
 tunnel protection ipsec profile ipsec_prof_svti
 !
!
interface FastEthernet0
 ip address 136.1.0.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map crypto_map
 !
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7
 !
!
interface FastEthernet8
 !
!
interface FastEthernet9
 !
!
interface Virtual-Template10
 ip unnumbered FastEthernet0
 peer default ip address pool ippool_l2tpipsec
 ppp mtu adaptive
 ppp authentication chap ms-chap ms-chap-v2
 !
!
interface Virtual-Template50 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_prof_dvti
 !
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
ip local pool ippool_ezvpn 10.1.50.100 10.1.50.110
ip local pool ippool_l2tpipsec 10.1.60.100 10.1.60.110
ip local pool ippool_sslvpn 10.1.70.100 10.1.70.110
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list acl_nat_control interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 136.1.0.30
ip route 10.2.1.0 255.255.255.0 Tunnel1
!
ip access-list extended acl_ezvpn_splittunnel
 permit ip 10.1.1.0 0.0.0.255 10.1.50.0 0.0.0.255
!
ip access-list extended acl_nat_control
 deny   ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
 !
!
!
line con 0
 login authentication aaa_con0_authen
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 authorization exec aaa_vty_author
 login authentication aaa_vty_authen
line vty 5 193
 authorization exec aaa_vty_author
 login authentication aaa_vty_authen
!
!
webvpn gateway ssl_vpn_gateway
 ip interface FastEthernet0 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3691727871
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.4.0202-k9.pkg sequence 1
 !
webvpn context ssl_vpn_context
 ssl authenticate verify all
 !
 !
 policy group ssl_vpn_group_policy1
   functions svc-required
   svc address-pool “ippool_sslvpn”
   svc keep-client-installed
   svc split include 10.1.1.0 255.255.255.0
 default-group-policy ssl_vpn_group_policy1
 aaa authentication list aaa_sslvpn_authen
 gateway ssl_vpn_gateway
 inservice
!
end_____________________________________________________

______________________________________________________

Final Configuration for 881 – R2-branch

R2-br2#sh run
Building configuration…

Current configuration : 2196 bytes
!
! Last configuration change at 15:32:04 UTC Tue Jan 5 2010
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-br2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6mVc$Cax/P/pcepCXsImiFAoBq0
!
aaa new-model
!
!
aaa authentication login aaa_vty_authen local
aaa authentication login aaa_con0_authen none
aaa authorization console
aaa authorization exec aaa_vty_author local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 25
!
!
ip source-route
!
!
!
!
ip cef
ip domain name test.com
no ipv6 cef
!
!
multilink bundle-name authenticated!
!
username ryan privilege 15 password 0 ryan
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key R1-headoffice_R2-br2 address 136.1.0.10
!
!
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile ipsec_prof_svti
 set transform-set aes256sha
!
!
!
!
!
!
interface Tunnel1
 ip address 172.16.1.20 255.255.255.0
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 136.1.0.10
 tunnel key 1000
 tunnel protection ipsec profile ipsec_prof_svti
 !
!
interface FastEthernet0
 !
!
interface FastEthernet1
 no cdp log mismatch duplex
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 ip address 136.1.0.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface Vlan1
 ip address 10.2.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list acl_nat_control interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 136.1.0.30
ip route 10.1.1.0 255.255.255.0 Tunnel1
!
ip access-list extended acl_nat_control
 deny   ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
 login authentication aaa_con0_authen
 no modem enable
line aux 0
line vty 0 4
 authorization exec aaa_vty_author
 login authentication aaa_vty_authen
!
scheduler max-task-time 5000
end___________________________________________________________

______________________________________________________

Very Simple Instructions for Win XP client setup

win XP client configuration

Create new connection

Connect to the network at my workplace

VPN Connection

Give a connection name

Give the IP address of the server – 136.1.0.10

Click finish

Connection window will pop up. Click on properties

Click on the “security” tab. Click the radio button for “Advanced (custom settings). Click on IPSec settings.

Check in “Use pre-shared key for authentication” and enter the same key that you configured the router with – in this case – l2tp_ipsec_key   Click OK

Now click on the “Networking” tab. For the option “Type of VPN”, use the frop down and select “L2TP IPSec VPN”. Click OK

Click OK to exit the Properties Page. You should be back to the connect screen

Log in with your username and password – in this case it can be ryan ryan . I used l2tpipsec and l2tpipsec.key

Click on connect and it should connect just fine.

To enable Split Tunnelling in Windows XP, do the following:

On a Windows XP Pro Computer, you’ll find it this way:

1) Right click the My Network Places icon on the desktop and click Properties.

2) Right click on your VPN client connections in the Network Connections window and click Properties.

3) Click the Networking tab, and then click on the Internet Protocol (TCP/IP) entry and click the Properties button.

4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.

5) On the General tab of the Advanced TCP/IP Settings dialog box, note the “Use Default Gateway on Remote Network” option.

______________________________________________________

Verification for l2tp, svti and dvti – Phase 1 and 2

R1-headoffice#sh crypto isa sa det
Codes: C – IKE configuration mode, D – Dead Peer Detection
       K – Keepalives, N – NAT-traversal
       T – cTCP encapsulation, X – IKE Extended Authentication
       psk – Preshared key, rsig – RSA signature
       renc – RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime
 Cap.

2001  136.1.0.10      136.1.0.20               ACTIVE aes  sha  psk  5  19:35:36

       Engine-id:Conn-id =  SW:1

2011  136.1.0.10      136.1.0.100              ACTIVE aes  sha       2  23:59:37
 CDX
       Engine-id:Conn-id =  SW:11

2010  136.1.0.10      136.1.0.100              ACTIVE 3des md5  psk  2  06:34:12

       Engine-id:Conn-id =  SW:10

IPv6 Crypto ISAKMP SA

R1-headoffice#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 136.1.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 136.1.0.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 136.1.0.10, remote crypto endpt.: 136.1.0.20
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x7175754A(1903523146)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x25A1FCA(39460810)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map
: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4579905/2097)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7175754A(1903523146)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 39, flow_id: Onboard VPN:39, sibling_flags 80000046, crypto map
: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4579905/2097)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: FastEthernet0
    Crypto map tag: crypto_map, local addr 136.1.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (136.1.0.10/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (136.1.0.100/255.255.255.255/17/1701)
   current_peer 136.1.0.100 port 500
     PERMIT, flags={}
    #pkts encaps: 1559, #pkts encrypt: 1559, #pkts digest: 1559
    #pkts decaps: 2329, #pkts decrypt: 2329, #pkts verify: 2329
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 136.1.0.10, remote crypto endpt.: 136.1.0.100
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x883DFB78(2285763448)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2BE310FB(736301307)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 40, flow_id: Onboard VPN:40, sibling_flags 80000006, crypto map
: crypto_map
        sa timing: remaining key lifetime (k/sec): (4489513/2336)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x883DFB78(2285763448)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 41, flow_id: Onboard VPN:41, sibling_flags 80000006, crypto map
: crypto_map
        sa timing: remaining key lifetime (k/sec): (4489520/2336)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 136.1.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.50.103/255.255.255.255/0/0)
   current_peer 136.1.0.100 port 1266
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 136.1.0.10, remote crypto endpt.: 136.1.0.100
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x96A1A0F0(2527174896)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8BBBE2B1(2344346289)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 42, flow_id: Onboard VPN:42, sibling_flags 80000046, crypto map
: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4486606/3557)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x96A1A0F0(2527174896)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 43, flow_id: Onboard VPN:43, sibling_flags 80000046, crypto map
: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4486606/3557)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

______________________________________________________

Verification for SSL VPN Connection

WebVPN user name = ryan ; IP address = 136.1.0.100 ; context = ssl_vpn_context
    No of connections: 1
    Created 00:01:26, Last-used 00:01:10
    STC IP address 10.1.70.100 netmask 255.255.255.255
    CSTP Started 00:00:55, Last-recieved 00:00:55
    CSTP DPD-Request sent 0
    Client Port: 1227
    User Policy Parameters
      Group name = ssl_vpn_group_policy1
    Group Policy Parameters
      idle timeout = 2100 sec
      session timeout = Disabled
      functions =
                svc-required

      citrix disabled
      address pool name = “ippool_sslvpn”
      dpd client timeout = 300 sec
      dpd gateway timeout = 300 sec
      keepalive interval = 30 sec
      SSLVPN Full Tunnel mtu size = 1406 bytes
      keep sslvpn client installed = enabled
      rekey interval = 3600 sec
      rekey method =
      lease duration = 43200 sec
      split include = 10.1.1.0 255.255.255.0

Refer to the following topology

Scenario

Host1 on the inside network and Host4 on the DMZ network use name-server 136.1.122.2 (Host2), which is located on the outside network, to resolve DNS queries. Both hosts are trying to reach DMZ Host3 by name. They send a DNS resolution request to Host2 server for Host3. Host2 responds to the request with the IP address 136.1.122.50. They receive the response and try to connect to Host3 but are unsuccessful. What can be done so that the DNS record stays as is on Host2 and both Host1 and Host4 can reach Host3 by name.

Discussion

Well, now that we know the problem, what can we do to fix it? In regards to the ASA, we have a few options. The ASA has two commands to rewrite the DNS record. These are the alias and static commands. The alias command is legacy compared to the static command. Another option we have that does not re-write the DNS record is hair-pinning along with dynamic NAT (DNAT). So we will setup this scenario and configure the devices without any of these mentioned solutions. We will then implement each of the 3 proposed solutions mentioned to see if they resolve the issue. We will then discuss different ways of securing these solutions. First, let’s discuss each solution in detail for better understanding.

ASA Configuration

Ok, let’s configure the ASA so we can get connectivity to the devices within our lab. Let’s implement NAT, allow ICMP, and test connectivity. The ASA has a default configuration after the wr erase command was issued.

asa(config)#nat (inside) 1 0 0
asa(config)#nat (dmz) 1 0 0
asa(config)#global (outside) 1 interface
asa(config)#global (dmz) 1 interface
asa(config)#policy-map global_policy
asa (config-pmap)# class inspection_default
asa (config-pmap-c)# inspect icmp

Now let’s test connectivity
Host1#ping 136.1.122.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Host1#ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Host4#ping 136.1.122.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ok, it appears that we have reachability throughout the network.
Now let’s try to ping host3 with the name of host3 from host4

host4#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

Now let’s try to ping host3 with the name of host3 from host1

host1#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

We now know that we need to implement one of the solutions mentioned earlier.

Alias Command Solution

1)      Alias command (This command has 2 functions)

First Function – DNS Doctoring – performs DNS re-writes
Second Function – Destination NAT – changes destination IP address to another address

First, let’s fix Host4 so it can access Host3. Let’s use the alias command:

asa(config)#alias (dmz) 10.0.0.100 136.1.122.50 255.255.255.255

This alias command also creates a proxyarp entry in the ASA. We should disable this for DNS Doctoring purposes using the following command

asa(config)#sysopt noproxyarp dmz

Now let’s try our same ping test as earlier; host4 will try and ping host3 by name

host4#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

We can see that the alias performed the DNS re-write as host3 is now resolved to 10.0.0.100. We can successfully ping host3 from host4 now. This is great.

Now, what about host1? Lets implement the same alias command but this time apply it to the inside interface and turn off the proxyarp.

asa(config)#alias (inside) 10.0.0.100 136.1.122.50 255.255.255.255
asa(config)#sysopt noproxyarp inside

And let’s try our ping from host1 to the name host3

Host1#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100 timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

Well, we can see that host3 resolves to 10.0.0.100 but we don’t have reachability to the device. Hmmm… that is strange. Many people I have run across say that it is because we don’t allow ICMP from DMZ. But how can this be as we are inspecting ICMP globally within the ASA and we had reachability before implementing the alias command. Well, we have actually implemented DNS Doctoring on an interface that the host we are trying to reach is not located on. That is the only difference between the dmz and inside, right? The DNS changes but we have no reachability. Mission failed….

Well, believe it or not, if you want reachability, we cannot use DNS Doctoring with the alias command. Instead, we have to use destination NAT with the alias command. We need to swap around the addresses within the alias command. Let’s try it out and see what happens.

asa(config)#alias (inside) 136.1.122.50 10.0.0.100 255.255.255.255

Let’s see how this works.

Host1#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Success, mission accomplished. Even though we don’t doctor the DNS as we see that host3 resolves to 136.1.122.50. It may not be the record that we expect but we do have full reachability to the device.

Although, the alias command is deprecated since version 7 code to the static command, it can still be used as a solution if desired.  It just has to be correctly implemented. The alias command acts like a half functioning static command.

Let’s remove the alias and sysopt commands we issued earlier before proceeding to the next solution, using the static command

asa(config)#no alias (dmz) 10.0.0.100 136.1.122.50 255.255.255.255
asa(config)#no alias (inside) 136.1.122.50 10.0.0.100 255.255.255.255
asa(config)#no sysopt noproxyarp dmz
asa(config)#no sysopt noproxyarp inside

Static with DNS Command Solution

2)      DNS re-write using Static command.

The static command with the DNS keyword performs DNS doctoring. This is by far the best method to make our configuration work. Please note that DNS inspection must be enabled within the Modular Policy Framework. So, using the same scenario earlier, let’s try the static command with the keyword DNS.

asa(config)#static (dmz,outside) 136.1.122.50 10.0.0.100 netmask 255.255.255.255 dns

Let’s perform our ping tests from host4 within the DMZ network.

host4#ping host3

Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The static command with DNS re-write works fine for the DMZ. Let’s try host1 on the inside network.

Host1#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Looking at the result above, the static command works for the host1 dns re-write resolution as well. The MPF re-writes the DNS entry with relation to the static command entry used. This one line command is the recommended solution to this DNS issue.

Let’s remove the alias and sysopt commands we issued earlier before proceeding to the next solution

asa(config)#no static (dmz,outside) 136.1.122.50 10.0.0.100 netmask 255.255.255.255 dns

ASA HairPinning  Solution

3)      Hairpinning traffic with DNAT.

So to start off with, this solution actually does no DNS re-writes. Basically what this solution does is use NAT technology for the traffic flow from querieng host to the host in the DNS reply message (so from host1 to host3)

Prior to code that introduced hairpinning using the same-security-traffic permit intra-interface command, the firewall could not send out traffic on the same interface that it originally came from. The traffic had to flow through the PIX from one interface to another. The same-security-traffic permit intra-interface allows traffic to flow out the same interface in which it was received. So let’s setup the configuration on the ASA to determine what happens.

First, we will configure the ASA to fix the reachability in the inside network. Note that since our traffic should still be flowing through the firewall interfaces, we should not need the same-security-traffic permit intra-interface command as of yet. So we will have change the source and destination addresses via NAT to accomplish this task. Remember, the source IP address is changed with the nat and global command. The destination IP will be changed by the static command.

Let’s start off this test by trying to ping host3 from host1

Host1#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50 timeout is 2 seconds:
…..

Now let’s add configuration using NAT solutions only to see if we can make this work

asa(config)#static (dmz,inside) 136.1.122.50 10.0.0.100

And let’s try to ping host3 again from host1

Host1#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ok, we now have reachability there. You can see that the host is still at 136.1.122.50 and that DNS re-write is not performed here.

Let’s try to ping the host directly and see what happens

Host1#ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100 timeout is 2 seconds:
…..

Due to the static NAT translation, if we want to access the device, we will have to use 136.1.122.50 now.

Now let’s try to reach host3 from host4 in the dmz network by name

Host4#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50 timeout is 2 seconds:
…..

As we can see, we will need to implement a solution here for host4 to reach host3 by name. Let’s configure the ASA a little more.

asa(config)#static (dmz,dmz) 136.1.122.50 10.0.0.100

Let’s try our reachability test.

Host4#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50 timeout is 2 seconds:
…..

Still the same issue. We will install the hairpinning feature now.

asa(config)# same-security-traffic permit intra-interface

Host4#ping host3
Translating “host3″…domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.50 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

We can see that by permitting traffic back out the same interface in which it was learned that we can solve the issue with NAT only.

So we have 2 solutions utilizing DNS re-write and one by using NAT along with hairpinning the traffic. So what if we want to turn off DNS re-write. Well, one way we can disable it for both the alias and static commands is to use MPF. We can choose not to inspect dns within the global policy, or we can create our own policy-map with dns inspection with the dns inspection not doing re-write.

If we are using the alias command we also have the command “sysopt nodnsalias (inbound|outbound)”. The inbound flag means that the direction is from a lower security level to a higher security level. The outbound flag is the opposite of the inbound flag, from a higher security level to a lower security level.

Conclusion

Within a topology that is comparable to the one being dissected in this paper, we can see that there are several options to fix DNS infrastructure that is disjoint from hosts around our network domain. Two of these fixes utilize the ASA’s modular policy framework to re-write DNS records. The other solution uses the ASA’s hairpinning feature along with NAT technologies. We also discussed ways to secure the alias command and how to disable DNS re-writes using the MPF functionality. I hope this provides useful to your lab preparation or in real world scenarios.

This blog will discuss and show the ways that we can manage the device when connecting to the lowest security interface. Let’s observe the following, simple topology:

Interface F0/0 has been named outside and does have a default security-level of 0. The IP addresses have been configured on the devices as shown in the above diagram

So most of us will go ahead and enable ssh on the outside interface, and some others who like the GUI will also enable  http (usually a port other than 80 or 443 since we all love to use SSL VPN). So let’s start by using the ssh and http commands to manage these two management protocols before moving onto telnet. These commands will enable R1 to manage the ASA (Although ASDM is not on the router for obvious reasons, we can test to make sure the ASA allows traffic to it’s port)

Let’s make sure that our http port is open to accept ASDM connections:

Everything looks ok with ASDM acces to port 80. So for ssh access, we need to specify a username. The default username is “pix” and password is “cisco”. Let’s make sure this works:

Everything looks fine. Now, for some reason somebody loves telnet and needs it enabled on the outside interface (or an interface with the lowest security level). Let’s setup telnet and try to access the ASA via the outside interface”

So let’s try and access the ASA from the router:

Ok, so we can see that we will have to implement a solution for this. We will terminate an IPSec tunnel between the ASA’s outside interface and the router. Here is the final configurations of both devices. Note that the configurations were cleared before this setup. I have made bold all required commands for the IPSec configuration.

Ok, let’s bring up the IPSec tunnel between the two devices by using ping:

The IPSec tunnel is now up and we are passing encrypted traffic. Let us see if we can telnet to the outside interface now. By default the line password for the ASA is “cisco”:

We see that we can telnet to the lowest security interface on the ASA. I hope this has been helpful!

So I focused largely on the IPS the past few weeks but feel that I still need more time with it. The only hands on I get is when I am going through my lab session which is only 8 hours a week for the next few weeks. I am still reading through the documentation though. I have a bunch of notes that I need to go through and make blog posts out of now. All in due time…

It is definitely a little overwhelming with the study process. I will be posting a new journal section quite soon that will be logging how many hours I am spending for study in the various technologies both labbing and theory.  I would also like to Congratulate Paul Stewart, the latest CCIE Security guru, on completing his journey. He has been a great help/mentor and I enjoy his blog posts and work on the Cisco Learning Network. Please find his blog in regards to his recent success here – Paul Stewart, CCIE 26009

Onto troubleshooting RTBH with Vybhav now… still working on that fun and challenging technology…

I ran into another big benefit of using Anyconnect yesterday… I had a business with several users that I had setup remote access for mention that their IPSec VPNCLient wasn’t working. Doing some investigating, I found they had switched their method of connecting to the Internet now by using wireless air cards. The VPN client would connect just fine over this connection but we were unable to pass any encrypted traffic. It was narrowed down to the ISP  blocking these encrypted packets over that aircard connection. However, we tested with Anyconnect which rides over SSL and it worked just fine.

Just remember that you need a CCO account to download this latest software.