Tag Archives: Cisco

Cisco – Combing T1 interfaces to increase speed

Recently I was working on a project that had a very remote office that could not get high speed connections to its location. So, they wanted to combine 4 T1s that were already in the building to boost throughput. I had done this exact thing with many different ISPs but never Verizon/MCI . They do things just a bit different, so this entry is about what is needed to combine these links on Verizon’s network.

The key here is to use a Multilink Frame relay interface. This is a Virtual interface that will combine the individual interfaces. Its very similar to a BVI in concept. As Cisco says it: The Multilink Frame Relay feature enables you to create a virtual interface called a bundle or bundle interface. The bundle interface serves as the Frame Relay data link and performs the same functions as a physical interface. 

At the bottom of this entry all the parts of the config are listed

First we needed to create the MFR interface itself. The number is up to you, I created 34 – feel free to change that.

interface MFR34
mtu 4470 — MTU Verizon said to set
no ip address
no ip redirects
encapsulation frame-relay IETF – Encapsulation used.
frame-relay multilink bid u11111-11
frame-relay lmi-type ansi
!

Next we need to create the sub interface , which will be used as our DLCI and our L3 interface.
interface MFR34.500 point-to-point
description multilink:MLFR:3xT1
bandwidth 6000
ip address x.x.x.x x.x.x.x
ip nat outside
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
!

Then we will bond the interface to our MFR interface.

interface Serial0/0/0:0
mtu 4470
bandwidth 1536
no ip address
 encapsulation frame-relay MFR34
load-interval 30
cdp enable
no arp frame-relay
!

The T1 and MFR config are below:

controller T1 0/0/0
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/2
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/3
cablelength long 0db
channel-group 0 timeslots 1-24
!

interface MFR34
mtu 4470
no ip address
no ip redirects
encapsulation frame-relay IETF
frame-relay multilink bid u11111-11
frame-relay lmi-type ansi
!
interface MFR34.500 point-to-point
description multilink:MLFR:3xT1
bandwidth 6000
ip address x.x.x.x x.x.x.x
ip nat outside
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
!

interface Serial0/0/0:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
cdp enable
no arp frame-relay
!
interface Serial0/0/1:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
no arp frame-relay
!
interface Serial0/0/2:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
no arp frame-relay
!
interface Serial0/0/3:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
no arp frame-relay
!

Cisco ASA Anyconnect Template 8.3+

Anyconnect along with webvpn is Cisco’s SSL VPN and portal. It works great.

This is my homegrown template for implementing the Anyconnect VPN. There are somethings to note with it. 1. You need to update your VPN client for the OS you need from Cisco. I know there were many issues with Windows 8, and they all seem to be fixed with the new client. 2. This Template works great on 8.3 and above. The steps are made to work with a pretty vanilla config. If you already have a bunch of config it might take some tweaking to work with your other settings.

I will paste the whole config at the bottom of the entry and you can just copy, rename things and paste in. So, lets review what is needed to get anyconnect up and working, and what these parts actually do.

If anyone has anything to contribute feel free to comment.

1. So, lets create the subnets we want for our VPN. I am choosing to use 10.253.241.0/24 for my “Anyconnect” profile. I like to use objects my networks because you can reference them throughout your config and its a great way to keep organized.
object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0

This created my Internal subnet, and Anyconnect Subnet.

2. Create a IP pool for your subnet (Remember, you can have multiple pools if you need to have multiple Groups/Portals)

.ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0

3. I want to use split tunnel for my VPN users, so I will create an ACL for my internal LAN. Applying this will make any subnet in the ACL get pushed to the clients routing table. This means that only the needed subnets come across the VPN.

access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0

Speaking of the Split tunnel ACL, you could do a group in the ACL and if you add a lot of networks in your organization you could just drop the new network in the group and everything would get updated dynamically.

Next lets configure the Webvpn options. WebVPN? Whats that, weren’t we configuring Anyconnect? Well true, Anyconnect and WebVPN are completley different. Webvpn is the https://portal that you logged into. By logging into this page you can give the client links/bookmarks to internal resource, and give them a platform to download the Anyconnect client. Anyconnect is the actual VPN client that connects the user to internal resources. So lets get our Webvpn enabled and select the image we want to use. In this case its the newest windows image. Also note – I have the login page show the tunnel groups that are enabled. If I had multiple groups – lets say one for Traveling salesman and one for Internal Employees, each might have different bookmarks/links , different IP subnets, and different resources they are allowed to get to.

webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

4. Now lets create the Group policy to use for our Anyconnect session. A Group Policy is “is a set of user-oriented attribute/value pairs for IPSec/SSL connections that are stored either internally (locally) on the device or externally on a RADIUS or LDAP server. A tunnel group uses a group policy that sets terms for user connections after the tunnel is established. ” – From Cisco. The Group policy allows use to specify a lot of settings that any tunnel using the GP will get. For example DNS servers, and the Split-Tunnel policy.
group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value 10.1.10.5 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

5. Next we will configure the Tunnel-group for this network. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes. Some of these attributes are the DHCP Pool, what kind of encryption , etc.

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy Anyconnect

tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable

6. In this case I am using local authentication – Not using LDAP or Radius. So i will create the user and assign the user to the correct Group Policy

username <value> password <value>
username <value> attributes
 vpn-group-policy Anyconnect
 service-type remote-access

7. One of the most important things to do is make sure our “No-Nat” is there.

nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan

Thats it. Everything works great. Below is the template only

ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0

object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0

access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0

webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value 10.1.10.5 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
!
username <value> password <value>
username <value> attributes
 vpn-group-policy Anyconnect
 service-type remote-access

nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan
!

Cisco Preshared Key recovery options

The other day I had to copy the config of an ASA and a PIX to other devices. They both had VPNS to different sites and I had to have those keys as no one documented them.

A few different ways to get those keys are:

ASA

Option 1: Login using ASDM and make a full backup including preshared keys

Option 2: Run the cli command :

more system:running-config

Option 3: Copy running config to a TFTP/FTP server

PIX

The above options exist for the PIX as well. I have read that the more command will work , but it did not for me. Then I found this option to get the Keys on the pix:

Enable http server, create a username and go to https://pix-ip/config  the key is then shown in clear text.

Commands to do that:

config t

http server enable

http 0.0.0.0 0.0.0.0 inside

username admin password password

The go to the web interface.

 

Time based Policy-map for traffic policing

Recently I was tasked to resolve a problem where a video stream on Saturday and Sunday would get very choppy. This video stream is for a church and as you would expect needs to be perfect. There are multiple remote sites each connected to an MPLS back to the core site which is where the video stream originates. Each site has a 100Mb MPLS link back to the core site.

We wanted to make sure that on Saturday and Sunday that normal traffic (web, file shares) would be capped at around half the useable bandwidth, and the other half was for the stream. This is much more bandwidth than what the stream needs, but we want to make sure its plenty.

So, what we did was implement time based ACLs for both the traffic we want to prioritize, and another ACL for all default traffic that we want to police. We used a ‘any-any’ ACL instead of the class-default because we have to make it time based.

Some of the things to note – the Burst rate really mattered here. I followed the formula from Cisco RATE-SPEED/8 * 1.5. Using this formula solved my issues and things flowed exactly the way I wanted them to.

To test I changed the time on the router to look like Saturday, and then used Iperf to push traffic.

The system clock on the router has to be correct, else everything can be very screwed up. You might be saying why did you use a policer instead of a shaper? good question. I would have used a shaper if my 3750’s supported it. A shaper would have been a better solution here.

Steps

– Create Time-range

– Create ACLs using time range

– create class maps

– create policy maps

– apply policy-map to interface

 

First to create the time-range to match the times we wanted we used the following commands:

config t

time-range Weekend-Service

periodic Saturday 13:00 to Sunday 15:00

exit

Next I created the ACL to match the priority traffic and default traffic

ip access-list ext Priority-traffic

10 permit ip host 10.0.0.1 any time-range Weekend-Service

exit

ip access-list ext Default-Traffic

10 permit ip any any time-range Weekend-Service

exit

Then I created the class and policy map, and attached it to the interface.

Class-map match any Priority-Traffic
match access-group Priority-Traffic
exit

class-map match-any Default-Traffic
match access-group Default-Traffic
exit

policy-map Stream
class Priority-Traffic
set ip dscp ef
exit

class Default-Traffic
police 50000000 937500
set ip dscp default
exit

int gig 1/0
policy-map input stream
exit

There are many commands to test the status, one command is “show policy-map interface”

HP vs Cisco Vlan trunking

Whenever I talk to networking people about integrating or replacing Cisco switches with HP they always talk about how difficult it was to get them to pass vlan info. This is because the terminology is totally different between the two.

In the Cisco world a “Trunk” port will pass all vlan tags by default. What does this mean? It means that the port can accept/pass IP packets with different Vlan tags. Basically the trunk port is a member of every vlan, and therefore will pass traffic from every vlan its a member of. In HP the word Trunk means link aggregation example is LACP. Basically taking 2 or more links and combining them. HP uses the phrase “tagged”.

So what is a VLAN tag?

Image

The “Vlan ID” is a 12-bit value in the IP header of the Ethernet frame that specifies which vlan that frame belongs, and thus virtually separates traffic.

So to configure a port as a trunk in Cisco the command is “switchport mode trunk”. This will allow the port to access every vlan , and understand/pass the frames with any tag.

In HP world you would “tag” multiple vlans on a single port. The “tag” command basically means that the port can pass/understand frames in those “tagged” vlans on that port. So lets say we have 2 vlans, and we want a switch to pass frames on both vlans to another port, then we would configure the port as tagged in both Vlans. Commands would be:

int 24

tagged vlan 120,140

Now that port will accept tags from both vlans and pass them along.

 

Access ports or Untagged

An access port in Cisco is a port who’s traffic will be tagged by the switch for the vlan the port is set to access. For example if the command on the port is “Switchport access vlan 120” then all untagged (default) traffic will be tagged for vlan 120 by the switch. This is done because the host itself is not tagging frames, but sending everything untagged.

In HP this access port would be “untagged”. This means that the traffic leaving the port will come in untagged, but will be tagged with vlan X by the switch. So the command – “untagged vlan 120” means all traffic will be in vlan 120.

Commands:

Trunk ports

Trunk (cisco)

int gig 1/0/24

switchport mode trunk

exit

Trunk (HP)

int 24

tagged 120,140

exit

Access ports (this port is in this vlan)

Access (cisco)

int gig 1/0/24

switchport mode access

switchport access vlan 120

Access (HP)

int 24

untagged 120

 

Cisco ACL Logging: log-input

Using ACL logging can be a very useful tool not only to get info about whats going on, but also for troubleshooting. One way to get much more robust logging is to use the log-input at the end of the ACE.

The log-input command shows the normal things such as source ip/port and destination ip/port but will also so the ingress interface and mac address of the source. Very cool! The following is and example of the output:

*May  1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet 
*May  1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets

Cisco ASA IPSEC site to site VPN IOS 8.3+

There are multiple parts to the IPSEC SIte-to-Site VPN config.

– Create access list to specify what will be encrypted

– Create access list to specify what should go over the VPN, and not be natted

– Create Phase 1 (IKE) settings and apply it to the selected interface.

– Create our transformation set (what encryption settings we will use for phase 2).

– Create Phase 2 (ESP) settings otherwise known as a Crypto map.

– Apply Crypto map settings specifying interface.

– Create the tunnel object for peer.

 

Config:

ASA 1 Core

Create Objects

First create the objects representing what will be found on each side of the VPN.

config t

object network Local-Subnet
 subnet 10.100.1.0 255.255.255.0

object network Remote-Subnet
 subnet 10.100.2.0 255.255.255.0

 

Encryption Access-list

Next I will create the Access list to tell the firewall what to Encrypt

access-list VPN-to-Remote extended permit ip object Local-Subnet Remote-Subnet

Now we need to make sure traffic is not being forwarded out of our WAN interface, and that the firewall knows to send it over the VPN. We do this with a “No-Nat” statement. This is different than what it once was in 8.2 and below. We will specify this with a different kind of nat statement.

No NAT

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet

 

IKE Settings

Now its time for the VPN settings!

First lets create our IKE settings and enable it on the outside interface.

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

 

Create the IPSEC transformation

crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac

 

Crypto MAP (Phase 2)

Now lets create our Crypto map and put it all together.

crypto map VPN 10 match address VPN-to-Remote
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.2
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

There are a few optional settings like the lifetime, by default its 28800. In this config I am just making it known that’s what its set on. Also you can set “reverse-route” which will add the route to the remote subnet into the routing table. This way you can push it out in a routing protocol.

We will also need to apply the Crypto map to the interface.

crypto map VPN interface outside

 

Tunnel Group/PSK

Our last step is to create the tunnel group with our Peer IP/DNS name and set the PSK.

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key presharedkey

 

Below is the config for the Remote side

config t

object network Local-Subnet
 subnet 10.100.2.0 255.255.255.0

object network Core-Subnet
 subnet 10.100.1.0 255.255.255.0

access-list VPN-to-Remote extended permit ip object Local-Subnet Core-Subnet

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Core-Subnet Core-Subnet

crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto map VPN 10 match address VPN-to-Core
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

crypto map VPN interface outside

tunnel-group 1.1.1.1type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key presharedkey

Cisco ASA Packet capture

Within the Cisco ASA you can capture packets within the CLI or ASDM. Here I will be demonstrating the CLI Method. You can find the ASDM method under – wizards – packet capture

The other day I had a botnet on a internal client that would start communicating at strange hours, so it was hard to get info without a syslog server. I created a ACL within the ASA with the destination IP and then started a capture to get all traffic going to that destination. Below are the steps

1. Create ACL to grab traffic you want to capture

access-list Botnet ext per ip any host x.x.x.x

2. Start the capture to grab the ACL traffic

capture Botnet-traffic interface inside access-list Botnet

3. Check the traffic capture:

show capture Botnet-traffic

All commands show below:

config t

access-list Botnet ext per ip any host x.x.x.x
capture Botnet-traffic interface inside access-list Botnet

show capture Botnet-traffic