Time Based Access Control Lists

November 8th, 2008, Bryan, posted in IOS, Uncategorized

I just finished the IPExpert audio and video on demand lessons related to ACLs. They provide some good insight into the usage of these access-lists and their place in the CCIE Security lab. In my attempt to improve this blog I have tried my first video recording. It is just a quick look at implementing a time-based ACL that permits traffic from the inside network to an outside network only during weekly business hours (Monday to Friday, 8 AM to 5 PM). Hopefully as I progress down this path I can make more worthwhile videos, but hey, we all have to start somewhere.
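Here is an added example of the kind of configuration the video walks through (written for this page, not taken from the video). The inside network 192.168.10.0/24, the LAN interface FastEthernet0/0, the NTP server address and the names BUSINESS-HOURS and INSIDE-OUT are all assumptions.

```cisco
! Added example, not the configuration from the post's video.
! Assumed: inside LAN 192.168.10.0/24 on FastEthernet0/0, NTP server
! 192.0.2.10, and the names BUSINESS-HOURS and INSIDE-OUT.
!
! A time-range is evaluated against the router's own clock, so sync it
! first. With a wrong clock or timezone the entries simply go active and
! inactive at the wrong hours and nothing warns about it.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10
!
! Monday to Friday, 08:00 to 17:00 local time.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 17:00
!
! Web access from the inside LAN is permitted only while the range is
! active. DNS is allowed at all times. The final deny catches everything
! else, including the same web traffic after hours, and logs it so the
! after-hours attempts show up in syslog.
ip access-list extended INSIDE-OUT
 permit tcp 192.168.10.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 permit tcp 192.168.10.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 permit udp 192.168.10.0 0.0.0.255 any eq domain
 deny   ip any any log
!
! Apply inbound on the LAN-facing interface, as close to the source as
! possible.
interface FastEthernet0/0
 ip access-group INSIDE-OUT in
!
! Checks: "show time-range BUSINESS-HOURS" prints (active) or (inactive)
! next to the periodic line, and "show access-lists INSIDE-OUT" shows the
! same state on each time-range entry along with its match counter.
```

If the clock is not set, "show clock" prints a leading asterisk or dot to flag the time as unauthoritative, which is the first thing to look at when a time-range entry is active at the wrong hours.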


Easy VPN on an 1811 located in DMZ - Part 2

October 12th, 2008, Bryan, posted in ASA/Pix, IOS, IPsec

So after struggling with the routing on this particular problem I decided to ask someone for help, and that person was Josh over at Blindhog. He worked on it for about 10 minutes and was able to determine what I was doing wrong. Below is the relevant information from the final configuration of the Easy VPN client (1811).

crypto ipsec client ezvpn ASA
connect auto
group ezvpntunnel key cisco
mode network-extension
peer 64.22.228.130
username cisco password cisco
xauth userid mode local

interface Loopback0
ip address 10.2.2.100 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map EzVPN-Routing
crypto ipsec client ezvpn ASA inside

ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.255.255.0 Loopback0

ip access-list extended EzVPN-Routing
permit ip any 172.17.0.0 0.0.0.255

route-map EzVPN-Routing permit 10
match ip address EzVPN-Routing
set ip next-hop 10.1.1.1

The things that changed from the initial configuration I had are as follows.

  • Took off the access-lists on the Loopback0 and FastEthernet0 interfaces
  • Added ip nat inside and ip nat outside to their respective interfaces
  • Added a route for the remote network pointing towards the ‘outside’ interface (Loopback0)
  • Changed the route-map access-list to allow anything to the remote network
  • Set the set ip next-hop 10.1.1.1 (DMZ of the Pix) in the route-map
  • Also, on the ASA we had to add a nonat statement for the Loopback0 interface
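The last item, the nonat statement, as an added example of what it looks like on the ASA side (written for this page, not Bryan's or Josh's actual ASA configuration). It assumes the pre-8.3 ASA NAT syntax the other post uses, that 172.17.0.0/24 sits behind an interface named inside, and the ACL name NONAT.

```cisco
! Added example, not from the original post. Assumed: pre-8.3 ASA NAT
! syntax, an interface named "inside" holding 172.17.0.0/24, and the ACL
! name NONAT. The two networks come from the 1811 configuration above.
!
! Exempt traffic between the network behind the ASA and the client's
! network-extension network (the 1811's Loopback0, 10.2.2.0/24) from NAT.
! Without this the ASA translates the source before encryption, the
! packet no longer matches the tunnel's proxy identity, and the return
! traffic from the 1811 is dropped.
access-list NONAT extended permit ip 172.17.0.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Checks once the client connects: the SA for 172.17.0.0/24 <-> 10.2.2.0/24
! should exist and both the encaps and decaps counters should increase
! while pinging across the tunnel. Encaps rising with decaps stuck at zero
! is the classic sign that the far side never saw an untranslated packet.
show crypto ipsec sa
show access-list NONAT
```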

Again, I would like to thank Josh for his help. Without his assistance I would still be twiddling my thumbs on this one.


Configuring Easy VPN on a Cisco Router located in a DMZ

October 1st, 2008, Bryan, posted in ASA/Pix, IOS, IPsec

So lately I have been working on an Easy VPN configuration that requires a Cisco 1811 connected with just one interface to a Pix’s DMZ. I am about 75 percent done with the configuration and I am just waiting on the rest of the local traffic information to finish the tunnel. The ASA will have an external IP address of 12.34.56.78. I currently have the following configured on the ASA:

access-list ezvpn standard permit 172.16.1.0 255.255.255.0
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 3
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
client-firewall none
client-access-rule none

username alltimedefense password 23DSFLKJlsdkfs9080wr encrypted

crypto ipsec transform-set EZVPN esp-3des esp-sha-hmac
crypto dynamic-map dynEZVPN 10 set transform-set EZVPN
crypto map ezvpn 10 ipsec-isakmp dynamic dynEZVPN
crypto map ezvpn interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group ezvpn-tunnel general-attributes
default-group-policy DfltGrpPolicy

tunnel-group ezvpn-tunnel ipsec-attributes
pre-shared-key cisco

That should be all that is needed on the ASA. The lines in bold are different configuration modes and the italics are any configuration that is custom (where I changed a name or password). Now let me move on to the Cisco 1811 at the remote site. The FastEthernet0 interface will have an IP address of 192.168.1.1 and the loopback interface will have an IP address of 172.16.1.1.

username alltimedefense password 23DSFLKJlsdkfs9080wr
ip route 0.0.0.0 0.0.0.0 192.168.1.2

crypto ipsec client ezvpn EZVPN
connect auto
group ezvpn key cisco
mode network-extension
peer 12.34.56.78
xauth userid mode local

access-list 100 permit ip any any
access-list 110 permit ip any any
access-list 120 permit ip 172.16.1.0 0.0.0.255 any

route-map EZVPN permit 1
match ip address 120

ip nat inside source route-map EZVPN interface FastEthernet0 overload

Now we need to add the access-lists and the crypto ipsec client ezvpn EZVPN to the FastEthernet0 and Loopback interfaces.

interface FastEthernet0
ip access-group 100 in
crypto ipsec client ezvpn EZVPN

interface Loopback0
ip access-group 110 out
crypto ipsec client ezvpn EZVPN inside

After this configuration I was able to bring the tunnel up and ping the loopback interface from my ASA at the 172.16.1.1 IP address. When I am given the remote IP addressing information I will make the necessary changes to the configuration to allow traffic to flow from the remote LAN to my network behind the ASA.

Hopefully I didn’t mistype anything while going back through this and I plan to update the configuration once the project is completed. If anyone catches any mistakes or can give me some criticism or advice please feel free to leave a comment or email me.


Problems with automatic backup via SCP during kron job

May 25th, 2008, Bryan, posted in Cisco, IOS

I stumbled across a problem with certain versions of Cisco IOS between 12.2 and 12.4 when running an automatic backup every night using SCP and kron. A month or so after the initial configuration the router started to have high CPU utilization problems and drop connections. After some research I found the Cisco bug ID that goes along with this problem: CSCsm27467. You can fix these problems by upgrading to or past the following IOS versions.

12.4(19.8)PI8a
12.2(44)SE2
