I thought I would blog on this. It could be useful for someone who might have an IOS router instead of an ASA and need to create a IPSEC Site-to-Site VPN to a remote peer, then NAT VPN traffic to a different address or subnet if needed, or the local subnets conflict with each other.
Here is a nice little Visio to kind of show what I am going for with the traffic:
Because of duplicate subnets on both sides, I need to nat traffic going to 172.90.0.20 from 192.168.10.10, otherwise traffic should flow normally. How can I achieve conditional nat? By using a route-map and then natting only the traffic in the Route-map. So, lets get our VPN setup first. Remember, we add the NAT network or host IP to our interesting traffic ACL that will be used to define our Phase2
These are my commands:
ip access-list extended VPN-to-Remote
permit ip host 10.255.232.10 host 172.20.0.192
crypto isakmp policy 50
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key … address 1.1.1.1 no-xauth
crypto ipsec transform-set Transform esp-3des esp-sha-hmac
crypto map Crypto 6 ipsec-isakmp
set peer 1.1.1.1
set transform-set Transform
match address VPN-to-Remote
That pretty much gets the VPN up and going. Now for the interesting part – we need to create a new ACL, match my private 192.168.10.10 address and the destination address of the remote server, then match that ACL in my Route-map.
ip access-list extended Nat-for-VPN
permit ip host 192.168.10.10 host 172.20.0.192
route-map VPN-to-REMOTE permit 10
match ip address Nat-for-VPN
!
Great! So, we now have the route-map created.. so now what? We need to create a NAT statement that references my Route-Map. Then of course with any VPN we need to modify the “NO-NAT” ACL to include the traffic for both the 192.168.10.10, and the 10.255.232.10 to my remote destination.
ip nat inside source static 192.168.10.10 10.255.232.10 route-map VPN-to-HCN extendable
ip access-list extended NO-NAT
deny ip host 10.255.232.10 host 172.20.0.192
deny ip host 192.168.10.10 host 172.20.0.192
Now, if we try to access the remote side, does it work? Yes it does, but lets check to see if our nat is really working. It is! As you can see, 192.168.10.10 going to 172.20.0.192 is being natted into 10.255.232.10, but all other traffic gets natted out of the WAN interface.
Lets just check for translations of 10.255.232.10
Bingo, everything works great. Lets make sure that we are getting hits on our Route-Map.
Recently I was seeing this error pop up on many Windows desktop clients:
The system detected an address conflict for IP address 0.0.0.0 with the system having network hardware address Ed-Ef-A9-B8-CC-2E. Network operations on this system may be disrupted as a result. Mac will vary.
After some research I found http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html
To give some highlights : “Cisco IOS® uses the Address Resolution Protocol (ARP) Probe sourced from an address of 0.0.0.0 in order to maintain the IP device-tracking cache when IP device tracking and a feature that uses it is enabled (such as 802.1x) on a Cisco IOS switch. ”
“If the switch sends out an ARP Probe for the client while the Microsoft Windows PC is in its duplicate-address detection phase, Microsoft Windows detects the probe as a duplicate IP address and presents the user with a message that a duplicate IP address was found on the network for 0.0.0.0”
So we now know the issue is with IP Device tracking, but what the heck does this do? IP Device tracking keeps an active list of devices that are connected VIA ARP. The function has as Cisco put it “Always been around”, is extremely beneficial when using MAC ACLs or using 802.1x. Recently it has really been used with Network Mobility Services Protocol (NMSP), this feature manages communication between the mobility service engine and the wireless controller in newer switches.
So how it works – When a link is detected, it sends unicast Address Resolution Protocol (ARP) probe with a default interval of 30 seconds; these probes are sent to the MAC address of the host connected on the other side of the link, and use Layer 2 (L2) as the default source the MAC address of the physical interface out of which the ARP goes and a sender IP address of 0.0.0.0, — Bingo there’s are default IP that pops up.
So how do we remove device tracking? Easy huh.. just “no ip device-tracking” – this currently gives an error in certain firmwares. Firmware 03.02.02.SE and below give, the error is:
% IP device tracking is disabled at the interface level by removing the relevant configs
So, you could upgrade to 3.3 and then use the no ip device-tracking command, or if you cannot upgrade still disable all the features of IP device tracking. To do this:
Under each interface use commands:
nmsp attach suppress
no ip device-tracking max
I would recommend using a range command to get all the ports at once. This has fixed the issue for me.
I would say no one will find this useful, but I have DSL at home .. I know. The following config is how to add a Cisco router use AT&T DSL. I have done this many times but not in the last two years or so, I had trouble finding good documentation on google for exactly what I needed to do, so I thought I would share.
The main parts of the config needed are creating a dialer interface, setting the authentication and user/pass. Then associating that dialer interface with your Physical Ethernet interface, and lastly configuring the default route.
First lets configure the Dialer Interface
config t
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1460
dialer pool 1
dialer-group 1
ppp authentication chap pap callin optional
ppp chap hostname username@att.net
ppp chap password password
ppp pap sent-username username@att.net password password
Now lets associate that with a real interface:
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
Next lets set our default route and point it out of the Dialer interface
ip route 0.0.0.0 0.0.0.0 Dialer1
Given we have all our user/pass correct in a minute you should be able to do a “Show IP int br” and see the ip address passed to us by our ATT DSL Modem in bridge mode on the dialer interface.
Below shows how to configure Static nat for a web server or some kind of application running on a internal host. Basically we are port forwarding port 80 from our public IP of 1.1.1.2 to port 80 of our internal IP at 10.1.1.2. In this example Auto Nat will be used. You could also use Manual nat, I have written another blog entry on this. This is way different than 8.2 and below. Here we create an object and then modify the object with the Static port forward we want. I
In this example my ASA outside IP is 1.1.1.1, and I want the web server to answer on 1.1.1.2.
object network 1.1.1.2
host 1.1.1.2
exit
object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static 1.1.1.2 service tcp 80 80
Somethings to note- We could name the objects anything, I just chose to use the actual IP address. For example, you could do the command ” object network Webserver-Outside” and use that name to reference the outside IP address.
Next, if I want to allow access to 10.1.1.2 from the outside world, I will need an ACL.
access-list Outside-In permit tcp any 10.1.1.2 eq 80
access-group Outside-In in interface outside
Notice the internal IP specified in the ACL – that is there on purpose. Instead of referencing the External IP you now reference the internal.
What if the outside address answering for my web server is the outside IP of the ASA?
No problem, just have to modify that one NAT entry. Instead of the public NAT object we use the “interface” keyword.
object network 1.1.1.2
host 1.1.1.2
exit
object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static interface service tcp 80 80
Recently I was working on a project that had a very remote office that could not get high speed connections to its location. So, they wanted to combine 4 T1s that were already in the building to boost throughput. I had done this exact thing with many different ISPs but never Verizon/MCI . They do things just a bit different, so this entry is about what is needed to combine these links on Verizon’s network.
The key here is to use a Multilink Frame relay interface. This is a Virtual interface that will combine the individual interfaces. Its very similar to a BVI in concept. As Cisco says it: The Multilink Frame Relay feature enables you to create a virtual interface called a bundle or bundle interface. The bundle interface serves as the Frame Relay data link and performs the same functions as a physical interface.
At the bottom of this entry all the parts of the config are listed
First we needed to create the MFR interface itself. The number is up to you, I created 34 – feel free to change that.
interface MFR34
mtu 4470 — MTU Verizon said to set
no ip address
no ip redirects
encapsulation frame-relay IETF – Encapsulation used.
frame-relay multilink bid u11111-11
frame-relay lmi-type ansi
!
Next we need to create the sub interface , which will be used as our DLCI and our L3 interface.
interface MFR34.500 point-to-point
description multilink:MLFR:3xT1
bandwidth 6000
ip address x.x.x.x x.x.x.x
ip nat outside
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
!
Then we will bond the interface to our MFR interface.
interface Serial0/0/0:0
mtu 4470
bandwidth 1536
no ip address
encapsulation frame-relay MFR34
load-interval 30
cdp enable
no arp frame-relay
!
The T1 and MFR config are below:
controller T1 0/0/0
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/2
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/3
cablelength long 0db
channel-group 0 timeslots 1-24
!
interface MFR34
mtu 4470
no ip address
no ip redirects
encapsulation frame-relay IETF
frame-relay multilink bid u11111-11
frame-relay lmi-type ansi
!
interface MFR34.500 point-to-point
description multilink:MLFR:3xT1
bandwidth 6000
ip address x.x.x.x x.x.x.x
ip nat outside
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
!
interface Serial0/0/0:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
cdp enable
no arp frame-relay
!
interface Serial0/0/1:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
no arp frame-relay
!
interface Serial0/0/2:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
no arp frame-relay
!
interface Serial0/0/3:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR34
load-interval 30
no arp frame-relay
!
Anyconnect along with webvpn is Cisco’s SSL VPN and portal. It works great.
This is my homegrown template for implementing the Anyconnect VPN. There are somethings to note with it. 1. You need to update your VPN client for the OS you need from Cisco. I know there were many issues with Windows 8, and they all seem to be fixed with the new client. 2. This Template works great on 8.3 and above. The steps are made to work with a pretty vanilla config. If you already have a bunch of config it might take some tweaking to work with your other settings.
I will paste the whole config at the bottom of the entry and you can just copy, rename things and paste in. So, lets review what is needed to get anyconnect up and working, and what these parts actually do.
If anyone has anything to contribute feel free to comment.
1. So, lets create the subnets we want for our VPN. I am choosing to use 10.253.241.0/24 for my “Anyconnect” profile. I like to use objects my networks because you can reference them throughout your config and its a great way to keep organized.
object network Anyconnect-Subnet
subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
subnet 10.1.10.0 255.255.255.0
This created my Internal subnet, and Anyconnect Subnet.
2. Create a IP pool for your subnet (Remember, you can have multiple pools if you need to have multiple Groups/Portals)
.ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0
3. I want to use split tunnel for my VPN users, so I will create an ACL for my internal LAN. Applying this will make any subnet in the ACL get pushed to the clients routing table. This means that only the needed subnets come across the VPN.
access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0
Speaking of the Split tunnel ACL, you could do a group in the ACL and if you add a lot of networks in your organization you could just drop the new network in the group and everything would get updated dynamically.
Next lets configure the Webvpn options. WebVPN? Whats that, weren’t we configuring Anyconnect? Well true, Anyconnect and WebVPN are completley different. Webvpn is the https://portal that you logged into. By logging into this page you can give the client links/bookmarks to internal resource, and give them a platform to download the Anyconnect client. Anyconnect is the actual VPN client that connects the user to internal resources. So lets get our Webvpn enabled and select the image we want to use. In this case its the newest windows image. Also note – I have the login page show the tunnel groups that are enabled. If I had multiple groups – lets say one for Traveling salesman and one for Internal Employees, each might have different bookmarks/links , different IP subnets, and different resources they are allowed to get to.
webvpn
enable inside
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
anyconnect enable
tunnel-group-list enable
4. Now lets create the Group policy to use for our Anyconnect session. A Group Policy is “is a set of user-oriented attribute/value pairs for IPSec/SSL connections that are stored either internally (locally) on the device or externally on a RADIUS or LDAP server. A tunnel group uses a group policy that sets terms for user connections after the tunnel is established. ” – From Cisco. The Group policy allows use to specify a lot of settings that any tunnel using the GP will get. For example DNS servers, and the Split-Tunnel policy.
group-policy Anyconnect internal
group-policy Anyconnect attributes
dns-server value 10.1.10.5 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
5. Next we will configure the Tunnel-group for this network. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes. Some of these attributes are the DHCP Pool, what kind of encryption , etc.
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool Anyconnect-VPN-Pool
default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
6. In this case I am using local authentication – Not using LDAP or Radius. So i will create the user and assign the user to the correct Group Policy
username <value> password <value>
username <value> attributes
vpn-group-policy Anyconnect
service-type remote-access
7. One of the most important things to do is make sure our “No-Nat” is there.
nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan
Thats it. Everything works great. Below is the template only
ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0
object network Anyconnect-Subnet
subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
subnet 10.1.10.0 255.255.255.0
access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0
webvpn
enable inside
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy Anyconnect internal
group-policy Anyconnect attributes
dns-server value 10.1.10.5 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool Anyconnect-VPN-Pool
default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
!
username <value> password <value>
username <value> attributes
vpn-group-policy Anyconnect
service-type remote-access
nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan
!
The other day I had to copy the config of an ASA and a PIX to other devices. They both had VPNS to different sites and I had to have those keys as no one documented them.
A few different ways to get those keys are:
ASA
Option 1: Login using ASDM and make a full backup including preshared keys
Option 2: Run the cli command :
more system:running-config
Option 3: Copy running config to a TFTP/FTP server
PIX
The above options exist for the PIX as well. I have read that the more command will work , but it did not for me. Then I found this option to get the Keys on the pix:
Enable http server, create a username and go to https://pix-ip/config the key is then shown in clear text.
Commands to do that:
config t
http server enable
http 0.0.0.0 0.0.0.0 inside
username admin password password
The go to the web interface.
Recently I was tasked to resolve a problem where a video stream on Saturday and Sunday would get very choppy. This video stream is for a church and as you would expect needs to be perfect. There are multiple remote sites each connected to an MPLS back to the core site which is where the video stream originates. Each site has a 100Mb MPLS link back to the core site.
We wanted to make sure that on Saturday and Sunday that normal traffic (web, file shares) would be capped at around half the useable bandwidth, and the other half was for the stream. This is much more bandwidth than what the stream needs, but we want to make sure its plenty.
So, what we did was implement time based ACLs for both the traffic we want to prioritize, and another ACL for all default traffic that we want to police. We used a ‘any-any’ ACL instead of the class-default because we have to make it time based.
Some of the things to note – the Burst rate really mattered here. I followed the formula from Cisco RATE-SPEED/8 * 1.5. Using this formula solved my issues and things flowed exactly the way I wanted them to.
To test I changed the time on the router to look like Saturday, and then used Iperf to push traffic.
The system clock on the router has to be correct, else everything can be very screwed up. You might be saying why did you use a policer instead of a shaper? good question. I would have used a shaper if my 3750’s supported it. A shaper would have been a better solution here.
Steps
– Create Time-range
– Create ACLs using time range
– create class maps
– create policy maps
– apply policy-map to interface
First to create the time-range to match the times we wanted we used the following commands:
config t
time-range Weekend-Service
periodic Saturday 13:00 to Sunday 15:00
exit
Next I created the ACL to match the priority traffic and default traffic
ip access-list ext Priority-traffic
10 permit ip host 10.0.0.1 any time-range Weekend-Service
exit
ip access-list ext Default-Traffic
10 permit ip any any time-range Weekend-Service
exit
Then I created the class and policy map, and attached it to the interface.
Class-map match any Priority-Traffic
match access-group Priority-Traffic
exit
class-map match-any Default-Traffic
match access-group Default-Traffic
exit
policy-map Stream
class Priority-Traffic
set ip dscp ef
exit
class Default-Traffic
police 50000000 937500
set ip dscp default
exit
int gig 1/0
policy-map input stream
exit
There are many commands to test the status, one command is “show policy-map interface”
Whenever I talk to networking people about integrating or replacing Cisco switches with HP they always talk about how difficult it was to get them to pass vlan info. This is because the terminology is totally different between the two.
In the Cisco world a “Trunk” port will pass all vlan tags by default. What does this mean? It means that the port can accept/pass IP packets with different Vlan tags. Basically the trunk port is a member of every vlan, and therefore will pass traffic from every vlan its a member of. In HP the word Trunk means link aggregation example is LACP. Basically taking 2 or more links and combining them. HP uses the phrase “tagged”.
So what is a VLAN tag?
The “Vlan ID” is a 12-bit value in the IP header of the Ethernet frame that specifies which vlan that frame belongs, and thus virtually separates traffic.
So to configure a port as a trunk in Cisco the command is “switchport mode trunk”. This will allow the port to access every vlan , and understand/pass the frames with any tag.
In HP world you would “tag” multiple vlans on a single port. The “tag” command basically means that the port can pass/understand frames in those “tagged” vlans on that port. So lets say we have 2 vlans, and we want a switch to pass frames on both vlans to another port, then we would configure the port as tagged in both Vlans. Commands would be:
int 24
tagged vlan 120,140
Now that port will accept tags from both vlans and pass them along.
Access ports or Untagged
An access port in Cisco is a port who’s traffic will be tagged by the switch for the vlan the port is set to access. For example if the command on the port is “Switchport access vlan 120” then all untagged (default) traffic will be tagged for vlan 120 by the switch. This is done because the host itself is not tagging frames, but sending everything untagged.
In HP this access port would be “untagged”. This means that the traffic leaving the port will come in untagged, but will be tagged with vlan X by the switch. So the command – “untagged vlan 120” means all traffic will be in vlan 120.
Commands:
Trunk ports
Trunk (cisco)
int gig 1/0/24
switchport mode trunk
exit
Trunk (HP)
int 24
tagged 120,140
exit
Access ports (this port is in this vlan)
Access (cisco)
int gig 1/0/24
switchport mode access
switchport access vlan 120
Access (HP)
int 24
untagged 120
Using ACL logging can be a very useful tool not only to get info about whats going on, but also for troubleshooting. One way to get much more robust logging is to use the log-input at the end of the ACE.
The log-input command shows the normal things such as source ip/port and destination ip/port but will also so the ingress interface and mac address of the source. Very cool! The following is and example of the output:
*May 1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet
*May 1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets
Recent Comments