Thursday, August 30, 2012

Tunnels and DMVPN


  • GRE over IPSec with static crypto
    • Standard tunnels with an IPSec overlay. Just create an access-list to match the GRE traffic. Your ISAKMP keys will be based on the physical address. Seemed pretty straightforward if you have ever created a tunnel and turned up an L2L VPN before.
  • GRE over IPSec with profiles
    • The difference with profiles is that IPSec is initiated from the loopbacks, hence you need to configure your keys for the loopback address and not the physical address. You create a profile with 'crypto ipsec profile VPN', attach the transform set with 'set transform-set 3DES_MD5_TRANS' and then apply the profile to the tunnel with 'tunnel protection ipsec profile VPN'.
  • DMVPN w/ PSK
    • Now on to something new I have not done before. I did take a few classes on DMVPN at Cisco Live this year in preparation for my exam.
    • DMVPN basic -
      • Dynamic next-hop resolution using NHRP
      • Ability to build dynamic site-to-site tunnels instead of the hub and spoke model
      • Utilizes multipoint GRE
    • I need to go back and read some more about DMVPN - mainly the NHRP. Just to get familiar again with what the various commands mean such as 'ip nhrp map'.
    • Wildcard IKE keys are necessary for dynamic tunnels
    • ip nhrp map multicast dynamic - allows NHRP to automatically add spoke routers to the multicast NHRP mappings
    • NHRP network IDs are locally significant although it makes sense to use unique IDs
    • ip nhrp map x.x.x.x y.y.y.y maps the tunnel address (x.x.x.x) to the physical address (y.y.y.y) on the spoke
      • Statically configures the IP-to-NBMA address mapping of IP destinations connected to an NBMA network.
        • hub-tunnel-ip-address --Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
        • hub-physical-ip-address --Defines the static public IP address of the hub.
    • ip nhrp map multicast y.y.y.y - enables the use of dynamic routing protocols and sends multicast packets to the hub router
    • DMVPN Monitoring commands
      • clear dmvpn session
      • clear dmvpn statistics
      • debug dmvpn
      • debug nhrp condition
      • debug nhrp error
      • logging dmvpn
      • show dmvpn
      • show dmvpn traffic
      • Other standard IPSec/ISAKMP monitoring commands
    • An important note concerns split-horizon in a DMVPN network. You will need to disable it on the hub tunnel interface so the spokes receive the full EIGRP routing table.

Monday, August 27, 2012

VPNs


I have actually worked a fair amount with IOS VPNs and even some VPN3K in the past. It will be interesting to see how the configuration is adapted to the ASA platform.
  • IOS and ASA LAN-to-LAN w/ PSK
    • Setting ISAKMP policy is the same as IOS. You must explicitly enable isakmp on the firewall interface
    • sysopt connection permit-vpn is what allows VPNs to bypass ACL checking
    • You use tunnel-group to attach the PSK to the host address
    • The crypto map configuration is slightly different than IOS, but if you have done it on IOS, you will get it.
    • This was all, of course, through a pretty basic firewall - no NAT.
  • LAN-to-LAN w/ PSK & NAT
    • Different from IOS - you cannot use a deny access-list statement in a nat (inside) statement.
    • Instead, you must use nat exempt - nat (inside) 0 access-list EXEMPT
    • Outside of this, nothing special
  • LAN-to-LAN w/ Digital Certificates (as opposed to paper certificates?!)
    • This is certainly something new for me as far as configuration goes. I've read a decent amount about setting up a CA and issuing certificates, but I've never actually configured it.
    • I had way too many issues, but mainly on the CA side (never set up a Windows CA before).
    • IKE Authentication will be rsa-sig as opposed to pre-shared key
    • You must configure the CA, authenticate the CA and then enroll with the CA. This is where I ran into problems on the CA side. Took a while to get SCEP up and going. For anyone that had problems like I did, here is the latest link on where to download the SCEP add-on: http://www.microsoft.com/en-us/download/details.aspx?id=2178
    • After finally configuring everything, including CA - it didn't work! What now? I got this error on my IOS box 
Translating "ciscoacs-bzykjz"

Aug 26 11:46:46.803: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!
R3#
Aug 26 11:46:46.807: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 136.1.123.12
R3#
Aug 26 11:46:47.859: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 136.1.123.12 failed its sanity check or is malformed
R3#                 
Translating "ciscoacs-bzykjz"

Aug 26 11:47:16.702: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!
    • So it looked like the name resolution was failing, as I recognized "ciscoacs-bzykjz" as the hostname of my Windows 2003 server. Added an 'ip host ciscoacs-bzykjz x.x.x.x' on my IOS box and like magic - it worked!
    • You can also create a tunnel-group based on the FQDN. To work, you need to set both identities to be the hostname. These must also be the name you used to request your certificate from the CA.
  • When configuring L2L between IOS devices across the firewall with NAT, you need to make some adjustments.
      • Wildcard key on the outside peer, as the traffic will be NAT'ed from the inside host (could be by interface, but could also be a pool)
      • Creation of a dynamic map since you aren't defining a specific peer due to the nat
        • crypto dynamic-map DYNAMIC 10
        • set transform-set 3DES_MD5
        • crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
        • interface Fa0/0
        • crypto map VPN
  • Overlapping NAT - this is a real world scenario where there is overlapping address space at both endpoints. A simple 'ip nat inside source static network x.x.x.x y.y.y.y /zz' at both sides, with routes pointed to the global address at both endpoints.
      • You must also configure the ACL for the L2L appropriately as well.
      • Spent way too much time troubleshooting this one. I did not apply my access-list on the ASA but both endpoints believed the tunnel to be up but no traffic would pass. I applied the access-list and things began to flow.
  • Lan-to-Lan with aggressive mode
    • The main advantage of IKE aggressive mode is the identity is present during IKE negotiation, allowing flexible policy lookup.
    • When tied in with NAT, we can use the hostname as the identity to avoid using the previously used wildcard key on the outside host
    • This is where you use ISAKMP profiles - to define the ISAKMP mode and configure self-identity.
    • You must also configure the key as hostname and not IP.
    • You have to apply the ISAKMP profile to the crypto map - 'crypto map VPN isakmp-profile AGGRESSIVE'
    • On the outside, you would not need the AGGRESSIVE profile - just 'crypto isakmp identity hostname'
    • You would think you need an 'ip host R1 x.x.x.x' here, but that is not the case. This type of configured tunnel can only be created from inside -> outside.
    • Again here, you use the dynamic map. There is very little the outside host knows about the inside.
    • Here you will see that from the inside, we are actually authenticated with the outside peer address: 'ISAKMP:(1001):SA has been authenticated with 136.1.122.2'
    • 'local crypto endpt.: 136.1.121.1, remote crypto endpt.: 136.1.122.2'
    • On the outside, you will see we are authenticated/peered with the ASA outside address: 'local crypto endpt.: 136.1.122.2, remote crypto endpt.: 136.1.122.12'
  • IOS Lan-to-Lan across ASA w/ Digital Certificates
    • I didn't see how this was any different other than allowing traffic for NTP and WWW for certificate enrollment
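An added ASA-side example (not from the workbook or the original post) of the L2L with PSK and NAT exemption described at the start of this post, in 8.0/8.2 syntax. The peer R2 is 136.1.122.2 and the inside LAN is 136.1.121.0/24 as elsewhere in these notes; the remote LAN 10.1.1.0/24, the key and the ACL/map names are assumed:

```cisco
! ISAKMP is enabled per interface on the ASA (not globally as on IOS)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! the PSK is tied to the peer address through an ipsec-l2l tunnel-group
tunnel-group 136.1.122.2 type ipsec-l2l
tunnel-group 136.1.122.2 ipsec-attributes
 pre-shared-key L2LKEY
!
! interesting traffic: inside LAN to the remote LAN
access-list VPN_TRAFFIC extended permit ip 136.1.121.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! NAT exemption (8.2 and below); a deny ACE under nat (inside) 1 would not work here
nat (inside) 0 access-list VPN_TRAFFIC
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN 10 match address VPN_TRAFFIC
crypto map VPN 10 set peer 136.1.122.2
crypto map VPN 10 set transform-set 3DES_MD5
crypto map VPN interface outside
!
! decrypted VPN traffic bypasses the interface ACLs (this is the ASA default)
sysopt connection permit-vpn
```

Check Phase 1 and Phase 2 with 'show crypto isakmp sa' and 'show crypto ipsec sa'; the tunnel-group name must match the peer address exactly or the PSK will not be found.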
Ok, next on the plate is DMVPN. The VPN section was pretty straightforward and I did a little better than I thought I would. I've made good progress now - over 1/3 of the way through volume one.

Thursday, August 23, 2012

System Monitoring and advanced inspection


  • System Monitoring
    • Similar to IOS level commands. The instructions did ask to deny snmp version 1 via a 'snmp-map'. If you look, there is a default global-policy. You just create the snmp-map and then reference it in the global policy.
snmp-map TST
 deny version 1
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect snmp TST 
    • You could also do this without creating a new map with 'snmp deny version 1'
  • DHCP Server
    • Nothing outside of the normal when compared to IOS, it's just dhcpd commands instead of ip dhcp-server
    • Interesting, but I couldn't get it to work in my lab. I saw the DHCP Discover come into my ASA interface, but it never went anywhere from there.
  • HTTP Inspection with MPF
    • Similar to IOS MQC but with additional class-maps and policy-maps for granular filtering.
    • Very easy to get confused but easy once you see it in action. Create access-list and class-map just like IOS. From there, you can create 'type inspect http' policy-maps. Inside the inspect policy-map, under 'parameters' you can do things like reset on protocol violations and spoof the server header. 
    • You can now apply this to a regular policy-map with the 'inspect' keyword. 
    • Under the policy map, within the class, you can also 'set' connection options like max connections, max half open, etc.
    • Finally, you attach it to the interface with 'service-policy'. The only difference from IOS is that this is done from global configuration, not from the interface context.
  • Advanced FTP Inspection using Regex
    • You can define regex with 'regex NAME regex_string'
    • You can then reference these in a 'class-map type regex'. Here it is used to match FTP file names.
    • You can create a 'policy-map type inspect ftp' - similar to HTTP above - and reference it in a parent policy-map. Lots of nesting here.

class-map FTP
 match port tcp eq ftp
class-map type inspect ftp match-any DENIED_COMMANDS
 match request-command dele 
 match request-command site 
 match request-command rmd 
class-map type regex match-any DENIED_FILES
 match regex REG_26XX
 match regex REG_28XX
 match regex REG_36XX
policy-map OUTSIDE
 class FTP
  inspect ftp strict FTP_INSPECT 
policy-map type inspect ftp FTP_INSPECT
 parameters
  mask-banner
  mask-syst-reply
 match filename regex class DENIED_FILES
  reset
 class DENIED_COMMANDS
  reset
  • Authenticating BGP through Firewall
    • TCP option 19 (the MD5 signature option) is used for BGP authentication. You need to create a custom TCP map allowing option 19. You then create a class that matches BGP, reference it in the global policy, disable TCP sequence number randomization (which breaks BGP MD5, since the signature covers the TCP header) and apply your custom TCP map.
    • Validate with 'show connection detail'
    • Again, I see this as another simple task, but if you don't pay attention you could lose the points!
  • TCP Normalization
    • Creating a custom TCP Map - you have several options.
      • check-retransmission
      • checksum-verification
      • default
      • exceed-mss
      • no
      • queue-limit
      • reserved-bits
      • syn-data
      • tcp-options
      • ttl-evasion-protection
      • urgent-flag
      • window-variation
  • Radius Account Inspection
    • Must remember to use the right class types and policy types. I find that if a certain option isn't there for what you are trying to configure, you probably have specified a wrong class-map type or policy-map type - or no type at all.
  • ICMP Inspection
    • Enables stateful tracking of ICMP so that replies come back across the FW interfaces without an access-list being defined
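The BGP-authentication item and the TCP map options listed above as one working ASA policy (an added example, not from the workbook or the original post; the map and class names are assumed, and 'global_policy' is the default policy already applied globally):

```cisco
! TCP map: let the MD5 signature option (kind 19) through untouched.
! Other normalization knobs from the list above go in the same map.
tcp-map BGP_MD5
 tcp-options range 19 19 allow
 checksum-verification
!
class-map BGP
 match port tcp eq bgp
!
! add the BGP class to the existing global policy
policy-map global_policy
 class BGP
! MD5 covers the TCP header, so the ASA must not rewrite sequence numbers
  set connection random-sequence-number disable
  set connection advanced-options BGP_MD5
```

'show service-policy' should show hits on class BGP once the neighbors exchange OPENs, and the session should stay Established instead of flapping.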
And with that, I've completed what I call the first section of INE Volume 1. Now it's time to move on to VPN! I feel like I've been moving at a good pace today. I'm also not worried about how far along I've made it through the 800+ page guide. After browsing through the guide, there is easily 100 pages or more dedicated to VPN3k, which is no longer on the version 3 blueprint.

Not sure if anyone out there is reading my blog. In short, I originally created this to keep my own notes and help out other CCIE candidates. I will continue to do this on the security track.  

Tuesday, August 21, 2012

Topics better suited to physical hardware



Below is a running list of items I come across that are better suited to being practiced on physical hardware as opposed to GNS3/Qemu/Vbox/etc...
  • Failover modes - for obvious reasons
  • Transparent Firewall - just couldn't get this to work correctly in GNS, and other people have indicated the same
  • ASDM related tasks
  • WebVPN related tasks (namely SSL VPN)
  • QoS - for some reason crashed my firewalls?!?
  • NAC
  • IPS
Here is also a list of what is pertinent for me to revisit
And that pretty much completes the list, more than I expected but still a fair amount that can be completed in GNS3. With that, I am off to purchase some Rack Rental tokens from INE.

Failover and transparent mode


  • You can configure failover on an emulated ASA, but it doesn't appear to work 100%.
    • You can create 'failover' groups and attach contexts to each failover group. This enables one firewall to be active for x contexts and another firewall to be secondary for y contexts.
    • This is where it would be nice to have access to physical ASAs
    • You can enable link based and/or lan based failover. 
    • When configuring the link IP, you configure the same IP address on both boxes, with the standby address configured as well. The priority/preemption will determine the master.
    • For the most part, failover seemed pretty straightforward.
  • Transparent firewall
    • Enabled with 'firewall transparent'
    • 8.4 (and possibly 8.3) changes the configuration. Instead of just 'ip address x.x.x.x', you attach interfaces to bridge groups, and then give the ARP ip address to interface BVI
      • I say 'ARP ip address' because even though the firewall is operating in transparent mode, you must still configure an IP address on the ASA for the purpose of ARP. 
      • You can configure the Management interface independently of the bridge IP address - this is used for management access only.
    • I've realized that transparent firewall just doesn't work very well in GNS3. I will be renting rack time to practice transparent firewall and coming back to this and failover later.
  • Fragmented Traffic
    • To disable fragmented traffic, you set the maximum number of fragments to 1.
      • By default, the security appliance accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the security appliance to prevent fragmented packets from traversing the security appliance by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented. - Cisco ASA 8.0 Command Reference - Fragment
    • To test, simply send a packet larger than the MTU
  • Handling Application Issues
    • DNS Doctoring
      • DNS lookups for servers on the inside will reply with the outside address - doctoring can fix this issue by way of the 'alias' command. You must also disable proxy ARP with the 'sysopt noproxyarp inside' command.
      • Example
      • alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
        
        !--- This command sets up DNS Doctoring. It is initiated from the clients in
        !--- the "inside" network. It watches for DNS replies that contain
        !--- 99.99.99.99. Then it replaces the 99.99.99.99 address with the 10.10.10.10
        !--- address in the "DNS reply" sent to the client PC. - Cisco - Understanding the Alias command
    • IDENT queries over new TCP connection (FTP/SMTP)
      • To permit these queries for inside users, enable 'service resetinbound'
      • To permit these queries for inside servers, enable 'service resetoutside'
      • I see these two as being important - something that will be snuck in the requirements, and easily forgotten, thus missing out on the points for two simple commands!
  • BGP through the FW
    • BGP is not supported on the firewall but there are certainly instances where you need to establish BGP through the firewall
    • R1 is the inside host - 136.1.121.1. R2 is the outside host 136.1.122.2. Configure eBGP peering between R1 and R2.
    • The scenario had you build a static nat for the inside interface
      • static (inside,outside) 136.1.122.1 136.1.121.1
    • From the outside, you then establish a BGP peering to the NAT address
    • This obviously requires ebgp multi-hop
    • The peering comes up without an issue, but your routes are unreachable - the next-hop of the routes received on the outside peer is the inside address of the inside host - 136.1.121.1.
    • You create a route-map that sets the next-hop to the NAT address (136.1.122.1) and apply to the neighbor
  • Multicast Routing across the FW
    • Enabled with multicast-routing
    • PIM enabled by default
    • Configure RP with 'pim rp-address x.x.x.x'
    • There is nothing specific needed to do outside of what is already done on an IOS device - although this scenario is showing my 'rust' when it comes to multicast
      • Make sure to enable pim on relevant interfaces
      • Make sure to advertise the RP loopback address
    • I wasn't getting my (S,G), my pings were failing and my incoming/outgoing interfaces were NULL. Guess I should have checked to make sure the routes were there first - forgot to enable RIP on the FW!
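The BGP-through-the-firewall scenario above carried through end to end, as an added example (not from the workbook or the original post): R1 136.1.121.1 inside, R2 136.1.122.2 outside and the static 136.1.122.1 are the addresses from the notes; the AS numbers, advertised prefixes and ACL/route-map names are assumed:

```cisco
! ---- ASA (8.0/8.2 syntax) ----
! R1 is reachable from the outside as 136.1.122.1
static (inside,outside) 136.1.122.1 136.1.121.1
! R2 must be allowed to open the BGP session to the translated address
access-list OUTSIDE_IN extended permit tcp host 136.1.122.2 host 136.1.122.1 eq bgp
access-group OUTSIDE_IN in interface outside
!
! ---- R2 (outside, 136.1.122.2, AS 200 assumed) ----
router bgp 200
 neighbor 136.1.122.1 remote-as 100
 neighbor 136.1.122.1 ebgp-multihop 2
 network 192.168.2.0 mask 255.255.255.0
!
! ---- R1 (inside, 136.1.121.1, AS 100 assumed) ----
! the peer is not on a connected subnet from R1's point of view, hence multihop
router bgp 100
 neighbor 136.1.122.2 remote-as 200
 neighbor 136.1.122.2 ebgp-multihop 2
 neighbor 136.1.122.2 route-map NAT_NEXT_HOP out
 network 192.168.1.0 mask 255.255.255.0
!
! without this, R2 learns 192.168.1.0/24 with next-hop 136.1.121.1, which it
! cannot reach (the same fix could be applied inbound on R2 instead)
route-map NAT_NEXT_HOP permit 10
 set ip next-hop 136.1.122.1
```

On R2, 'show ip bgp' should now list 192.168.1.0/24 with next-hop 136.1.122.1 and the route should be installed rather than marked inaccessible.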
I think I will stop here. Was still hoping to be farther along, but I realize you can't rush these things. Being only 15% of the way through is tough to swallow - especially when I just got confirmation that my payment for my lab went through! I hope to make a serious dent on Thursday when I study from home, and Sunday morning. More updates to come.

Wednesday, August 15, 2012

NAT NAT NAT and more NAT....


  • ASA can filter ICMP with a simple 'icmp' command. With this, you can permit/deny ICMP based on the ICMP type and interface. This applies to traffic traversing the firewall.
  • Filtering services was next ...
    • url-server (dmz) host 10.0.0.100 -  configures a websense filtering server on the specified interface
    • The filter command configures filtering services with many options. Interesting note - you can shorthand the any address - filter activex www 0 0 0 0 - which is source network, mask, foreign network, mask.
    • There are options to allow the traffic in the event the URL Server is down. There are other options like proxy-block, interact-block, etc. I have read a lot of the cisco documentation on ASA but I would say this is an initial weak point. I will be hitting the documentation on filtering.
  • NAT is a very tricky subject. The lab blueprint states ASA 8.x, but with NAT there are different configurations depending on if it is 8.2 and below, or 8.3 or 8.4. It appears that 8.0.x is the version that is used in the lab....great, my ASA is running 8.4....now off to create 4 ASAs in my lab - two 8.0 and two 8.4...
    • nat-control requires that all traffic from a higher security interface to a lower security interface has a NAT rule before being allowed
    • global (outside) creates the pools
    • You assign NAT identifiers to the global pools
    • To complete the dynamic nat, just say what you want to nat, use the same NAT identifier and off you go..
      • global (outside) 1 136.1.122.100-136.1.122.110
      • nat (inside) 1 136.1.121.0 255.255.255.0
    • Static NAT has a similar configuration using the 'static' keyword
    • For some reason, I always transpose either the interfaces or the networks in a NAT statement. Taking a break from hands-on, and going to re-read the NAT configuration guide.
      • "static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not. "
      • "clear local-host" is used to remove static NAT translations that are currently in use; "clear xlate" is only used for dynamic translations
These were just some of the notes I took over a few days of studying. Other items such as failover and multi-context firewalls seemed pretty straightforward. I still need to hunker down on NAT, because I still get confused with what's inside/outside and the syntax.
Still way too much time building/configuring/fixing things in my lab outside of the actual devices. I've made it through about 10% of INE volume 1. Overall, not too bad but the typos/mistakes/whatever-you-want-to-call-them are extremely frustrating when you are trying to get something to work.
I hope to be back at it this Sunday for a couple of hours...

Saturday, August 11, 2012

Continuing INE Security Volume 1

I hate nothing more than having to spend time doing something other than studying. Turns out, I needed IIS/FTP/Telnet servers installed on the Windows 2003 box. Problem is, I am not where the server is and couldn't get the 2003 CD in the server. Anyway, I installed a couple of free utilities and moved on.

  • Access lists - these are similar to IOS, but without the 'ip access-list' context.
  • Object Groups - When creating a service group, you need to specify tcp, udp, tcp-udp or default. Under default, you can specify other protocols than tcp and udp or a combination of such.
    • The syntax threw me for a loop as it is something I haven't really dealt with before. 
    • You can also nest the object groups
    • After creating the object-group, you add the objects such as service-object, port-object, etc.
    • You can then reference these object groups in the ACL - but you need to place them in the correct location.
ASA1# sh run object-group 
object-group network SERVERS
 network-object host 10.0.0.100
object-group network ROUTERS
 network-object 136.1.121.0 255.255.255.0
object-group icmp-type COMMON_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service TRC_PORTS udp
 port-object range 33434 33464
object-group service SERVER_PORTS tcp
 port-object eq www
 port-object eq ftp
object-group service ROUTER_PORTS tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq 7001
ASA1# sh run access-list 
access-list OUTSIDE_IN extended permit icmp any any object-group COMMON_ICMP 
access-list OUTSIDE_IN extended permit udp any any object-group TRC_PORTS 
access-list OUTSIDE_IN extended permit tcp any object-group SERVERS object-group SERVER_PORTS 
access-list OUTSIDE_IN extended permit tcp any object-group ROUTERS object-group ROUTER_PORTS 
access-list OUTSIDE_OUT extended permit icmp any any object-group COMMON_ICMP 
access-list OUTSIDE_OUT extended permit udp any any object-group TRC_PORTS 
access-list OUTSIDE_OUT extended permit tcp any any object-group ROUTER_PORTS 
access-list OUTSIDE_OUT extended permit tcp any any object-group SERVER_PORTS 
    • For those of you that have never worked on an ASA before, you can't just 'no ip access-list TST'. You have to use the 'clear configure access-list TST' instead.
  • There is no access-group-like command like IOS for vty/remote access. There is just a simple 'telnet' and 'ssh' command. You configure what networks on what interfaces are allowed to access that particular service. ASDM is similar, using the 'http' command. Don't think to use an access-list here, which was my mistake. And weird...
And with that...I didn't make it much farther. After fighting with my windows server, and then fighting with ASDM, I only made it through another 12 pages. Hoping to get some more work in tomorrow.

Thursday, August 2, 2012

August 2012 Update

Looks like it is time to knock the cobwebs off this blog.....


As an overall update, I abandoned my CCIE Service Provider after failing my exam last year. With the recent update, and being unable to get my hands on the equipment required, it seemed an uphill battle at the time. Now that the workbooks are upgraded, and various vendors have equipment ready to rent, I would like to re-visit CCIE-SP in the future but....


For now, I am indeed working on my CCIE security. I do seem doomed to these things. When I first started my R&S, the test was changed right after my first attempt. As you may already know, I got real close on that attempt. I was forced to start back at page one to prepare for CCIE R&S 4.0. I started down the SP track, only to have the exam completely overhauled before I really even started. Now shortly after I start studying for Security, they have announced another refresh. 


I am not complaining here - I think updating the exams to reflect today's requirements of a network engineer is important. My timing just stinks! With that being said, I have started to study the security track based on the current blueprint and I have scheduled my lab exam for November.


I passed my Security written back in April. Did not do much following that other than setting up my lab. Here are some details on my lab...


1 - Quad Processor Dual Core Opteron Server w/ 16GB of memory running FC16
1 - Cisco 3750 Breakout switch
1 - Cisco 3560
1 - Cisco 3550


With this hardware, I run GNS3 on the server. GNS3, in combination with other tools, is capable of running 3725 Routers, Cisco ASA, Cisco IPS as well as several VMs to function as ACS and a XP workstation.


It took me quite some time to get this up and working and I didn't keep great notes, but if there is something specific you need help with, let me know and I will see what I can do to help.


I have made it about 20 pages into the INE Security Workbook Volume 1. So far, it just covers basic security like setting security levels, setting up routing protocols with security, etc. Nothing that different from the R&S track, just adapting to the ASA infrastructure. I hope to really start making a dent but right now I am in the middle of a major code upgrade to our Nexus infrastructure at work - scheduled for next weekend.


Other than that, I passed the Cisco Data Center Unified Fabric Solutions Design exam at Cisco Live in San Diego, making me a Cisco Data Center Networking Infrastructure Design Specialist. I was excited to pass, but ultimately it was just about using my free voucher at Cisco Live.


For now, I am off. Hopefully to return in a few weeks with some lab study notes!