— pissing into the wind

Archive
Cisco

So I had an issue at work that went like this:  We recently put in new managed switches at our remote sites.  One of them failed and was replaced by our 3rd party subcontractor.  They just do a hardware replacement and my team does the configuration.  By default, the switches are configured to use 192.168.1.254 with no gateway info set.  There is only a web UI enabled by default as well.  I have to somehow open a browser and get access to that web console so I can configure the new switch.  I have an 1841 or 1921 router at the other end to configure to make this work.  NAT voodoo time.

The scenario:

NATNAT

The fix:

conf t

int f0/0
ip add 192.168.1.253 255.255.255.0
ip nat inside

int s0/0/0
ip nat inside

int l1
ip address 10.15.4.249 255.255.255.252
no shut

exit

router bgp 65000
network 10.15.4.248 mask 255.255.255.252

exit

ip nat outside source static 192.168.1.254 10.15.4.250
ip nat inside source static 10.210.23.8 192.168.1.100
ip route 10.15.4.250 255.255.255.255 f0/0 1

end

Now I can open a browser to 10.15.4.250 and it works.  When doing any commands reaching back to my computer (tftp), I used 192.168.1.100 as the server (tftp://192.168.1.100/startup-config) and that worked.

That’s it.

Read More

The antivirus server at work was pissing me off and saturating our OC3.  I policed it down to 50mbps.

ip access-list extended traffic-police
permit ip host 192.168.0.100 any

class-map traffic-police
match access-group name traffic-police

policy-map traffic-police
    class traffic-police
        police 50000000 conform-action transmit exceed-action drop

int po1/0
service-policy output traffic-police

Read More

ip wccp version 2
ip access-list standard WCCP_Proxies
10 permit host 192.168.10.80
20 permit host 192.168.11.80

ip access-list extended WCCP_Redirect
10 deny ip host 192.168.10.80 any
20 deny ip host 192.168.11.80 any
30 permit ip 10.16.0.100 0.15.255.0 any

ip wccp 0 group-list WCCP_Proxies redirect-list WCCP_Redirect

int vlan 10
ip wccp 0 redirect in

Read More

I upgraded ASDM from 6.4.(5)106 to 6.4(5)204 and the launcher broke.  Running it as a web app still worked though, so I figured it had to do with the way the shortcut was setup.  Here’s a comparison of the two:

106:

C:\Windows\SysWOW64\javaw.exe -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher

204:

"C:\Program Files (x86)\Cisco Systems\ASDM\asdm-launcher.jar" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar

I changed the shortcut back to the old format and it worked.

Read More

Setting up VPNs is always a PIA, but Juniper really dumbs it down and I have to say really spoiled me.  So when it came time to setup another VPN with a partner who is running an ASA, I had to shake off the rust and think of what could go wrong.  Most of the time I set up tunnels with non-Juniper devices, it ends up being a wrong proxy-id on either side.  You can usually tell this when you see “DOI 1 18 INVALID-ID-INFORMATION” or “No policy exists for the proxy ID: local(local ip/netmask/0/0) remote(remote ip/netmask/0/0)”.   ScreenOS derives the proxy-id from the tunnel, so I normally don’t worry about setting this up, but of course it only works as designed when you connect to other ScreenOS devices.  I don’t know if the SRX platform behaves the same way since it’s running JunOS.  I caught this error message and we managed to get the tunnel going, but no traffic was passing through.  Being a Friday night and this not being a critical issue at the moment, both sides decided to come back to it later.

I have a couple Cisco routers and Juniper SSGs at home for a lab.  I recently picked up an ASA 5505 off of eBay as well and decided to give the configuration on both sides a try to figure out what is going wrong.  Beyond setting up AAA, ntp, and the rest of the management stuff, I have not really had time to do anything with the ASA.  I have experience with IOS from a router and switch perspective, but I’ve never touched PIX.  All of my firewall experience is with Fortinet, ScreenOS, and whatever linux distros I’ve tried (Astaro comes to mind).

Cisco’s documentation being as awesome as it is, that is the first place I went to figure out what to do:

I’m not one to use a GUI with Cisco devices, so I went through some configuration examples and the cli configuration guide as a first pass to get the tunnel up and running.  I managed to do this, but I couldn’t connect anything beyond the inside interfaces on either gateway and only gateway to gateway.

So I wiped the ACLs and crypto config I put in and fired up ASDM.  I used the IPSEC VPN Wizard and kept flipping back to my console to see what changes it was making.  One of the first things that caught my eye was the option to “Enable inbound IPSEC sessions to bypass interface access list.”  Not having experience with setting up Cisco VPNs before, I thought, “Why on God’s green Earth would I not have policies to control that traffic?” Yes, it’s implied that I trust the other side to some degree if I’m setting up a VPN tunnel, but I still want fine grain control of the communication.  That checkbox leaves the default setting “sysopt connection permit-vpn” intact.  This does exactly what the description says on the checkbox.  Without it, you have to setup multiple ACLs to get tunnel traffic working properly because the traffic terminates on the outside interface of the ASA.

gp01

I setup a working VPN with and without that box checked, and I decided to go with it checked.  As it turns out, you can use filters on the connection group policy to control exactly what passes through the tunnel.  In this basic lab without the box checked, I had to add an additional 3 policies to get traffic moving through the tunnel.  This might not seem like a hassle, but this is just a lab with a single site to site.  Extrapolate that complexity when you start adding multiple sites.  There may be some scenarios where filters just won’t be sufficient, but for what I need to do at work, they will accomplish the task.

gp02

Excerpt from Troubleshooting Guide:

Note: If you do not wish to use the sysopt connection command, then you must explicitly permit the required traffic, which is interesting traffic from source to destination, for example, from LAN of remote device to LAN of local device and “UDP port 500” for outside interface of remote device to outside interface of local device, in outside ACL.

http://networking-forum.com/viewtopic.php?f=35&t=3310

According to chapter 21 of The Complete Cisco VPN Configuration Guide, the way to do what I am asking is to write manual access lists to permit ipsec/isakmp traffic.

Using this method, one must manually write access lists to permit all ports used by ipsec/isakmp components to allow this traffic into a firewall. This method makes it so packets are checked against access lists twice: once when coming in as ipsec traffic, and again once decrypted as plaintext packets. This allows one to match only desired traffic using the second, more stringent access list.

The alternative is using the “sysopt connection permit-vpn” command. This is also known as ACL bypassing, hence, you cannot restrict traffic further, since the access lists are written for you using this command.

Another method (usable only for 7.0 and higher) is using the “sysopt connection permit-vpn” command on an outside interface, and writing more restrictive access lists outgoing on an inside interface. This method enables one to allow all ipsec/isakmp traffic into the firewall while restricting where the traffic can go from there.

The second thing that caught my eye was a NAT policy that gets added:  nat (any,any) source static local local destination static remote remote.  This command makes no sense to me, and I most of the online research I did regarding NAT had a different syntax.  Cisco changed the NAT syntax in 8.3.  Prior to, it was the same as PIX.

Again, Juniper just completely dumbs this down and I never had to configure anything like this.  I’m not a big fan of any-any policies, so I’m going to do some further research on tightening this down later.

For now, here is the setup and working configs for an SSG5 to ASA5505 VPN with and without sysopt enabled.

vpn

Configs:
ASA sysopt
ASA no sysopt
SSG

Read More