I manage several Cisco IOS devices with a lot of VPN connections on them; one device has 100+. So what happens when one of the 100 peers is failing to establish? Well, I can tell you, whatever you do, don't run a debug crypto isakmp or debug crypto ipsec without any conditions… you will definitely give a big tug to the CPU on the device. This tug could reach the point where you can't recover by issuing the u all (undebug all) command. At that point, a router reload would probably be the only option left, which would probably trigger some resume updating.
So how do you go about picking the needle out of the haystack? Well, Cisco has given us an excellent tool to solve this issue: VPN conditional debugging. With conditional filtering for VPNs, we can filter based on several different attributes such as peer, GETVPN group, username, SPI, or connid, to name a few. This has definitely helped me out in a pinch, and I am now in the habit of using this instead of just debugging everything crypto within the IOS device.
So how do we implement this great feature, you may ask? Well, quite easily, but then again everything is easy once you know what you are doing. So let's head over to the command line and take a look…
Regular expression matching is used for several different applications within the Modular Policy Framework (MPF). Regular expression matching is basically text matching, either of exact text or of multiple variants of a text string. In most cases, whenever you run across name-based policies, you will more than likely need to configure regular expressions. The command "regex" is used to configure regular expressions within the security appliance. We will discuss some of the special characters, called metacharacters, that are used to create wildcard matching of text strings below. These are the majority of the metacharacters we will be dealing with.
Well, it appears that Cisco IOS is slowly gaining features that I love on the ASA. Although I find the ASA far superior when it comes to access-list technology, Cisco IOS is starting to make life easier in terms of updating and managing access-lists. One issue I always ran into when working with IOS ACLs is the addition or deletion of the entries that make up the ACL. So a basic extended access-list would start like this:
As per PacketU's inquiry, static and dynamic VTI, L2TP over IPSec, and SSL VPN configurations work successfully within one router. I had one notebook running three different VPN clients at once: Cisco AnyConnect v2.4, Cisco VPN Client v5, and the Microsoft built-in client. It is interesting to note that with all three connected, the order in which traffic was encrypted was the Cisco VPN Client first, AnyConnect second, and the Microsoft client third.
DNS Re-Write (DNS Doctoring) on the Cisco ASA
Refer to the following topology
Scenario
Host1 on the inside network and Host4 on the DMZ network use name-server 136.1.122.2 (Host2), which is located on the outside network, to resolve DNS queries. Both hosts are trying to reach DMZ Host3 by name. They send a DNS resolution request for Host3 to the Host2 server. Host2 responds to the request with the IP address 136.1.122.50. They receive the response and try to connect to Host3 but are unsuccessful. What can be done so that the DNS record stays as is on Host2 and both Host1 and Host4 can reach Host3 by name?
Enabling Telnet on the lowest security interface of the appliance has been one of those things that many people just don't do, but it is nice to know whether it can be done and what is needed to do it, in case you do need to utilize it in your infrastructure. Cisco documentation states that Telnet can only be enabled on the lowest security interface as long as IPSec is terminated on that same interface. Hmmm. Keith over at INE posted a blog entry that can be found here: Bob's Challenge. In one of Keith's solutions (number 4), he does mention enabling IPSec on the tunnel interface, and one of the solutions shows how to do this.
This blog will discuss and show the ways that we can manage the device when connecting to the lowest security interface. Let’s observe the following, simple topology:

Interface F0/0 has been named outside and has the default security-level of 0. The IP addresses have been configured on the devices as shown in the above diagram.