Category Archives: Cisco

Cisco Router IOS Policy-based NAT for VPN traffic

I thought I would blog on this. It could be useful for someone who has an IOS router instead of an ASA and needs to build an IPsec site-to-site VPN to a remote peer, then NAT the VPN traffic to a different address or subnet, for example because the local subnets on the two sides overlap.

Here is a little Visio diagram to show what I am going for with the traffic:

[Visio diagram: traffic flow]

Because the same subnet exists on both sides, I need to NAT traffic from 192.168.10.10 going to 172.90.0.20; all other traffic should flow normally. How do we achieve conditional NAT? By using a route-map and translating only the traffic it matches. So, let's get our VPN set up first. Remember, the interesting-traffic ACL that defines Phase 2 must contain the NATted network or host IP, not the real one.

These are my commands:

ip access-list extended VPN-to-Remote
 permit ip host 10.255.232.10 host 172.20.0.192

crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key … address 1.1.1.1 no-xauth

crypto ipsec transform-set Transform esp-3des esp-sha-hmac

crypto map Crypto 6 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set Transform
 match address VPN-to-Remote

That pretty much gets the VPN up and running. Now for the interesting part: we create a new ACL that matches my private 192.168.10.10 address and the destination address of the remote server, then reference that ACL in the route-map.

ip access-list extended Nat-for-VPN
 permit ip host 192.168.10.10 host 172.20.0.192

route-map VPN-to-REMOTE permit 10
 match ip address Nat-for-VPN
!

Great! So, we now have the route-map created. Now what? We need a NAT statement that references the route-map. Then, as with any VPN, we need to modify the “NO-NAT” ACL so it exempts the traffic from both 192.168.10.10 and 10.255.232.10 to my remote destination.

ip nat inside source static 192.168.10.10 10.255.232.10 route-map VPN-to-REMOTE extendable

ip access-list extended NO-NAT
 deny   ip host 10.255.232.10 host 172.20.0.192
 deny   ip host 192.168.10.10 host 172.20.0.192
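
Added example (not from the post): a small Python model of the IOS inside-to-outside pipeline as configured above, static policy NAT first, then dynamic overload NAT filtered by NO-NAT, then the crypto map match. It shows why the crypto ACL has to name 10.255.232.10 rather than 192.168.10.10. The trailing permit ip any any on NO-NAT, the form of the overload rule and the WAN address 203.0.113.1 are assumptions; the post shows none of them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# ACLs from the post as ordered (action, source host, destination host) entries;
# "any" is the wildcard. The post shows only the deny lines of NO-NAT, so the
# closing "permit ip any any" that lets ordinary traffic be overloaded is assumed.
VPN_TO_REMOTE = [("permit", "10.255.232.10", "172.20.0.192")]
NAT_FOR_VPN = [("permit", "192.168.10.10", "172.20.0.192")]
NO_NAT = [
    ("deny", "10.255.232.10", "172.20.0.192"),
    ("deny", "192.168.10.10", "172.20.0.192"),
    ("permit", "any", "any"),  # assumed
]
WAN_IP = "203.0.113.1"  # constructed placeholder for the router's WAN address

def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src, dst in acl:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action == "permit"
    return False

def nat_inside_to_outside(pkt):
    """Static translations are consulted before the dynamic overload rule."""
    # ip nat inside source static 192.168.10.10 10.255.232.10 route-map VPN-to-REMOTE extendable
    if pkt.src == "192.168.10.10" and acl_permits(NAT_FOR_VPN, pkt):
        return Packet("10.255.232.10", pkt.dst), "static-policy"
    # ip nat inside source list NO-NAT interface <wan> overload (assumed form of the overload rule)
    if acl_permits(NO_NAT, pkt):
        return Packet(WAN_IP, pkt.dst), "overload"
    return pkt, "none"

def forward(pkt, crypto_acl=VPN_TO_REMOTE):
    """Inside-to-outside order on IOS: translate first, then test the crypto map ACL.
    Returns (packet as it leaves, which NAT rule applied, whether it enters the tunnel)."""
    translated, kind = nat_inside_to_outside(pkt)
    return translated, kind, acl_permits(crypto_acl, translated)

if __name__ == "__main__":
    for p in (Packet("192.168.10.10", "172.20.0.192"),
              Packet("192.168.10.10", "8.8.8.8"),
              Packet("192.168.10.20", "172.20.0.192")):
        print(p, "->", forward(p))
```

Passing forward() a crypto ACL written against the private address instead (the mistake the reminder above is about) reports the packet as translated but not encrypted, that is, routed to the peer over the WAN outside the tunnel.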

Now, if we try to access the remote side, does it work? Yes, it does, but let's check whether our NAT is really working. It is: as you can see, 192.168.10.10 going to 172.20.0.192 is translated to 10.255.232.10, while all other traffic is translated to the WAN interface address.

[screenshot: NAT translation table]

Let's just check for translations of 10.255.232.10:

[screenshot: translations for 10.255.232.10]

Bingo, everything works great. Let's make sure we are getting hits on our route-map:

[screenshot: route-map hit counters]

Cisco Duplicate IP address 0.0.0.0 ERROR – IP Device Tracking/NMSP

Recently I was seeing this error pop up on many Windows desktop clients:

The system detected an address conflict for IP address 0.0.0.0 with the system having network hardware address Ed-Ef-A9-B8-CC-2E. Network operations on this system may be disrupted as a result.

(The MAC address will vary.)

After some research I found this Cisco document: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html

To give some highlights: “Cisco IOS® uses the Address Resolution Protocol (ARP) Probe sourced from an address of 0.0.0.0 in order to maintain the IP device-tracking cache when IP device tracking and a feature that uses it is enabled (such as 802.1x) on a Cisco IOS switch.

If the switch sends out an ARP Probe for the client while the Microsoft Windows PC is in its duplicate-address detection phase, Microsoft Windows detects the probe as a duplicate IP address and presents the user with a message that a duplicate IP address was found on the network for 0.0.0.0.”

So we now know the issue is with IP device tracking, but what does it actually do? IP device tracking keeps an active list of connected devices, maintained via ARP. The function has, as Cisco puts it, “always been around”, and it is extremely beneficial when using MAC ACLs or 802.1x. More recently it has been used with the Network Mobility Services Protocol (NMSP), the feature that manages communication between the mobility services engine and the wireless controller in newer switches.

So how does it work? When a link comes up, the switch sends unicast Address Resolution Protocol (ARP) probes, by default every 30 seconds, to the MAC address of the host on the other side of the link. The probe's Layer 2 (L2) source is the MAC address of the physical interface it leaves from, and its sender IP address is 0.0.0.0. Bingo, there is the 0.0.0.0 that pops up in the Windows error.

So how do we disable device tracking? Easy, right? Just “no ip device-tracking”. Unfortunately, on certain firmware versions (03.02.02.SE and below) this command is rejected with the error:

% IP device tracking is disabled at the interface level by removing the relevant configs

So, you can either upgrade to 3.3 and then use the no ip device-tracking command, or, if you cannot upgrade, disable the features that use IP device tracking instead. To do this, use the following commands under each interface:

nmsp attach suppress

no ip device-tracking max

I would recommend using an interface range command to apply this to all the ports at once. This fixed the issue for me.

Cisco Router with AT&T DSL internet connection

I would say no one will find this useful, but I have DSL at home... I know. The following config shows how to set up a Cisco router on AT&T DSL. I have done this many times, but not in the last two years or so, and I had trouble finding good documentation on Google for exactly what I needed, so I thought I would share.

The main parts of the config are: creating a dialer interface and setting the PPP authentication and username/password; associating that dialer interface with your physical Ethernet interface; and, lastly, configuring the default route.

First, let's configure the Dialer interface:

config t

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1460
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin optional
 ppp chap hostname username@att.net
 ppp chap password password
 ppp pap sent-username username@att.net password password

Now let's associate it with a physical interface:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!

Next, let's set our default route and point it out the Dialer interface:

ip route 0.0.0.0 0.0.0.0 Dialer1

Provided the username and password are correct, within a minute you should be able to run “show ip int br” and see the IP address handed to us through the AT&T DSL modem (in bridge mode) on the Dialer interface.

Cisco ASA 9.1+ Static Nat example

Below shows how to configure static NAT for a web server or other application running on an internal host. Basically, we are forwarding port 80 on our public IP 1.1.1.2 to port 80 on our internal IP 10.1.1.2. This example uses Auto NAT; you could also use Manual NAT, which I have covered in another blog entry. This is very different from 8.2 and below: here we create an object and then modify that object with the static port forward we want. I

In this example my ASA outside IP is 1.1.1.1, and I want the web server to answer on 1.1.1.2.

object network 1.1.1.2
 host 1.1.1.2
exit

object network 10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 1.1.1.2 service tcp 80 80

Some things to note: we could name the objects anything; I just chose to use the actual IP addresses. For example, you could enter “object network Webserver-Outside” and use that name to reference the outside IP address.

Next, if I want to allow access to 10.1.1.2 from the outside world, I will need an ACL.

access-list Outside-In permit tcp any host 10.1.1.2 eq 80

access-group Outside-In in interface outside

Notice the internal IP in the ACL; that is there on purpose. From 8.3 onward, the ACL references the real (internal) address instead of the translated external one.

What if the outside address answering for my web server is the outside IP of the ASA?

No problem, we just have to modify that one NAT entry. Instead of the public NAT object, we use the “interface” keyword:

object network 1.1.1.2
 host 1.1.1.2
exit

object network 10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static interface service tcp 80 80

Cisco – Combining T1 interfaces to increase speed

Recently I was working on a project for a very remote office that could not get a high-speed connection to its location, so they wanted to combine four T1s that were already in the building to boost throughput. I had done this exact thing with many different ISPs but never with Verizon/MCI. They do things just a bit differently, so this entry covers what is needed to combine these links on Verizon's network.

The key here is a Multilink Frame Relay (MFR) interface. This is a virtual interface that combines the individual physical interfaces, very similar in concept to a BVI. As Cisco puts it: “The Multilink Frame Relay feature enables you to create a virtual interface called a bundle or bundle interface. The bundle interface serves as the Frame Relay data link and performs the same functions as a physical interface.”

All the parts of the config are listed at the bottom of this entry.

First we need to create the MFR interface itself. The number is up to you; I used 34, feel free to change it.

interface MFR34
 ! MTU Verizon said to set
 mtu 4470
 no ip address
 no ip redirects
 ! Encapsulation used
 encapsulation frame-relay IETF
 frame-relay multilink bid u11111-11
 frame-relay lmi-type ansi
!

Next we need to create the subinterface, which carries our DLCI and serves as our Layer 3 interface:

interface MFR34.500 point-to-point
 description multilink:MLFR:3xT1
 bandwidth 6000
 ip address x.x.x.x x.x.x.x
 ip nat outside
 snmp trap link-status
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
!

Then we bond each serial interface to our MFR interface:

interface Serial0/0/0:0
 mtu 4470
 bandwidth 1536
 no ip address
 encapsulation frame-relay MFR34
 load-interval 30
 cdp enable
 no arp frame-relay
!

The T1 and MFR config are below:

controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/2
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/3
 cablelength long 0db
 channel-group 0 timeslots 1-24
!

interface MFR34
 mtu 4470
 no ip address
 no ip redirects
 encapsulation frame-relay IETF
 frame-relay multilink bid u11111-11
 frame-relay lmi-type ansi
!
interface MFR34.500 point-to-point
 description multilink:MLFR:3xT1
 bandwidth 6000
 ip address x.x.x.x x.x.x.x
 ip nat outside
 snmp trap link-status
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
!

interface Serial0/0/0:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR34
 load-interval 30
 cdp enable
 no arp frame-relay
!
interface Serial0/0/1:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR34
 load-interval 30
 no arp frame-relay
!
interface Serial0/0/2:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR34
 load-interval 30
 no arp frame-relay
!
interface Serial0/0/3:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR34
 load-interval 30
 no arp frame-relay
!

Cisco ASA Anyconnect Template 8.3+

AnyConnect, along with WebVPN, is Cisco's SSL VPN client and portal. It works great.

This is my homegrown template for implementing the AnyConnect VPN. A few things to note: 1. You need to get the updated AnyConnect client for your OS from Cisco; there were many issues with Windows 8, and they all seem to be fixed in the new client. 2. This template works on 8.3 and above. The steps assume a fairly vanilla config; if you already have a lot of configuration, it may take some tweaking to fit your other settings.

I will paste the whole config at the bottom of the entry so you can copy it, rename things, and paste it in. So, let's review what is needed to get AnyConnect up and working, and what each part actually does.

If anyone has anything to contribute feel free to comment.

1. So, let's create the subnets we want for our VPN. I am choosing 10.253.241.0/24 for my “Anyconnect” profile. I like to use network objects for my networks because you can reference them throughout your config, and it's a great way to stay organized.

object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0

This creates my internal subnet and AnyConnect subnet objects.

2. Create an IP pool for your subnet (remember, you can have multiple pools if you need multiple groups/portals).

ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0

3. I want to use split tunneling for my VPN users, so I will create an ACL for my internal LAN. Applying it pushes every subnet in the ACL into the client's routing table, so only the needed subnets traverse the VPN.

access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0

Speaking of the split-tunnel ACL, you could use an object-group in the ACL; then, as you add networks in your organization, you just drop the new network into the group and everything updates dynamically.

Next, let's configure the WebVPN options. WebVPN? What's that, weren't we configuring AnyConnect? True, but AnyConnect and WebVPN are completely different things. WebVPN is the https:// portal page you log into; from it you can give clients links/bookmarks to internal resources and a place to download the AnyConnect client. AnyConnect is the actual VPN client that connects the user to internal resources. So let's enable WebVPN and select the image we want to use, in this case the newest Windows image. Also note that I have the login page show the tunnel groups that are enabled. If I had multiple groups, say one for traveling salesmen and one for internal employees, each might have different bookmarks/links, different IP subnets, and different resources they are allowed to reach.

webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

4. Now let's create the group policy to use for our AnyConnect sessions. A group policy “is a set of user-oriented attribute/value pairs for IPSec/SSL connections that are stored either internally (locally) on the device or externally on a RADIUS or LDAP server. A tunnel group uses a group policy that sets terms for user connections after the tunnel is established.” (from Cisco). The group policy lets us specify many settings that every tunnel using it will receive, for example the DNS servers and the split-tunnel policy.

group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value 10.1.10.5 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

5. Next we will configure the tunnel-group for this network. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself, and they include a pointer to the group policy that defines the user-oriented attributes. Some of these attributes are the DHCP pool, what kind of encryption, etc.

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy Anyconnect

tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable

6. In this case I am using local authentication, not LDAP or RADIUS, so I will create the user and assign it to the correct group policy:

username <value> password <value>
username <value> attributes
 vpn-group-policy Anyconnect
 service-type remote-access

7. One of the most important things is to make sure our “No-NAT” (NAT exemption) is there:

nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan

That's it. Everything works great. Below is the template only:

ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0

object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0

access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0

webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value 10.1.10.5 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
!
username <value> password <value>
username <value> attributes
 vpn-group-policy Anyconnect
 service-type remote-access

nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan
!
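
Added example, not part of the post: a Python check I would run over the template above before pasting it in. It verifies the three things that quietly break AnyConnect when they are off: the pool range must sit inside the Anyconnect-Subnet object, the split-tunnel list named in the group policy must exist as an ACL, and the NAT exemption must be present in both directions. The embedded config is a constructed excerpt of the template, trimmed to the lines the checks read.

```python
import ipaddress
import re

# Constructed excerpt of the template above, trimmed to the lines the checks read.
TEMPLATE = """
ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0
object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0
access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0
group-policy Anyconnect attributes
 split-tunnel-network-list value Split-Tunnel
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan
"""

def parse(cfg):
    """Line-oriented extraction of what the checks need; not a full ASA grammar."""
    objs, pools, acls, split_lists, pool_refs, exempt = {}, {}, set(), [], [], set()
    current = None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"object network (\S+)$", s):
            current = m[1]
        elif m := re.match(r"subnet (\S+) (\S+)$", s):
            objs[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", s):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) ", s):
            acls.add(m[1])
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", s):
            split_lists.append(m[1])
        elif m := re.match(r"address-pool (\S+)$", s):
            pool_refs.append(m[1])
        elif m := re.match(r"nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2$", s):
            exempt.add((m[1], m[2]))  # identity NAT: real and mapped objects are the same
    return objs, pools, acls, split_lists, pool_refs, exempt

def check(cfg):
    """Return findings for the pitfalls the steps above warn about; an empty list is a pass."""
    objs, pools, acls, split_lists, pool_refs, exempt = parse(cfg)
    findings = []
    for name in split_lists:  # steps 3/4: the list the group policy names must exist
        if name not in acls:
            findings.append(f"split-tunnel list {name} is not a defined access-list")
    for name in pool_refs:  # steps 1/2/7: pool inside a subnet object that is exempted both ways
        if name not in pools:
            findings.append(f"address-pool {name} is not defined")
            continue
        lo, hi = pools[name]
        homes = [o for o, net in objs.items() if lo in net and hi in net]
        if not homes:
            findings.append(f"pool {name} is not inside any object network subnet")
        for vpn_obj in homes:
            for lan_obj in (o for o in objs if o != vpn_obj):
                if (lan_obj, vpn_obj) not in exempt or (vpn_obj, lan_obj) not in exempt:
                    findings.append(f"NAT exemption between {lan_obj} and {vpn_obj} is missing a direction")
    return findings
```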

Copy Files to Cisco ASA with SCP

Recently I had to upload a new AnyConnect image to an ASA and was running out of options, so I used SCP for the first time. It was a little slow, but it worked great.

First, enable SCP on the ASA:

config t

ssh scopy enable

Then use an SCP client such as PuTTY's pscp.exe to copy the file over. The command syntax I used was:

pscp.exe image username@ip-of-ASA:Image-on-ASA-Name

pscp.exe anyconnect-win-3.1.05178-k9.pkg admin@1.1.1.1:anyconnect-win-3.1.05178-k9.pkg

I kept getting the error: Fatal: Received unexpected end-of-file from server

I googled this for a long time and found nothing. The answer: it meant the flash was full and there was not enough room to save the file. I removed the old images and then copied this one just fine.

Cisco – VLAN is created but interface still shows down

I run into this problem a lot. Someone has created a VLAN interface on a Cisco device using the commands:

int vlan 100

ip add 192.168.100.1 255.255.255.0

no shut

But nothing on the VLAN works after this. If you do a “show ip int br”, does it show interface Vlan100 as down? If so, there are two possible causes.

The first: has the VLAN itself been created? This is the most common problem I see.

Newer IOS versions create the VLAN when you create the interface, but older IOS did not. So even though you have created the interface, you may not have created the corresponding VLAN yet.

You can diagnose this with “show vlan br”: do you see the VLAN?

You can create the VLAN with the commands:

config t

vlan 100

Cause 2: there are no ports/trunks in the VLAN. The VLAN interface will not come up unless at least one port in up/up status is associated with that VLAN. Trunk ports in up/up status bring up all VLANs that are allowed across the trunk, which by default is all VLANs.

Enabling SSH on Cisco ASA

Steps needed to add a user, point SSH authentication at the local database, and enable SSH on the outside interface.

config t

username Admin password password privilege 15

aaa authentication ssh console LOCAL

For telnet:

aaa authentication telnet console LOCAL

ssh 0.0.0.0 0.0.0.0 outside

This enables SSH from anywhere in the world. I would recommend permitting SSH only from the networks you actually need, for example your home network or your home ISP's address range.

This is the step I always forget: generate the RSA key pair!

crypto key generate rsa modulus 2048

Cisco ASA 8.2 and Below – Static Nat

The other day I had to configure a static NAT entry on an 8.2 ASA. It had been a while since I had done this, since almost everything I work with is 8.3 and above. I thought I would make an entry for myself, and maybe it will help someone along the way.

Example: I have public IP 1.1.1.10 and I need to forward port 443 in to my internal server 192.168.1.10. I have an access-list Outside-IN applied to my outside interface. Note: if 1.1.1.10 is my outside interface IP (say I have only one public IP), then we use the interface keyword instead.

ASA config:

config t

static (inside,outside) tcp 1.1.1.10 443 192.168.1.10 443

access-list Outside-IN permit tcp any host 1.1.1.10 eq 443

or

static (inside,outside) tcp interface 443 192.168.1.10 443

access-list Outside-IN permit tcp any host 1.1.1.10 eq 443

That’s it!

Compared to 8.3 and above:

object network 192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443

access-list Outside-IN permit tcp any host 192.168.1.10 eq 443

Notice the internal IP.
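
Added example, not from the post, covering both this entry and the 9.1+ one above: a Python helper that rewrites an 8.2 static PAT plus its ACL into the 8.3+ object NAT form, moving the ACL to the real (inside) address and carrying the interface keyword across. The outside IP must be supplied for the interface case because there the 8.2 ACL names the ASA's own address.

```python
import re

# 8.2 form: static (real_if,mapped_if) tcp|udp <mapped_ip|interface> <mapped_port> <real_ip> <real_port>
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)$"
)

def parse_static(line):
    """Parse one 8.2 static PAT line into its fields."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 8.2 static PAT line: {line!r}")
    return m.groupdict()

def to_object_nat(s):
    """8.3+ object NAT for the same forward; the object is named after the real IP, as in the post.
    The 'interface' keyword carries over unchanged. Service order is real port, then mapped port."""
    return [
        f"object network {s['real_ip']}",
        f" host {s['real_ip']}",
        f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped_ip']} "
        f"service {s['proto']} {s['real_port']} {s['mapped_port']}",
    ]

def rewrite_acl(acl_line, s, outside_ip=None):
    """Swap the public address in the 8.2 ACL for the real IP: 8.3+ ACLs match the un-NATted address.
    outside_ip is needed only for the 'interface' case, where the 8.2 ACL named the ASA's own address."""
    public = outside_ip if s["mapped_ip"] == "interface" else s["mapped_ip"]
    if public is None:
        raise ValueError("outside_ip is required when the static uses 'interface'")
    new_line, n = re.subn(rf"\bhost {re.escape(public)}\b", f"host {s['real_ip']}", acl_line.strip())
    if n != 1:
        raise ValueError(f"ACL line does not reference host {public} exactly once")
    return new_line

def migrate(static_line, acl_line, outside_ip=None):
    """Return the 8.3+ config lines equivalent to an 8.2 static + ACL pair."""
    s = parse_static(static_line)
    return to_object_nat(s) + [rewrite_acl(acl_line, s, outside_ip)]

if __name__ == "__main__":
    print("\n".join(migrate("static (inside,outside) tcp 1.1.1.10 443 192.168.1.10 443",
                            "access-list Outside-IN permit tcp any host 1.1.1.10 eq 443")))
```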