Monday, July 20, 2009
GRE over IPSec with EIGRP to Route Through Two Remote Sites Configuration Example
Let's consider a scenario in which our company has two sites. They are equally large, and some users need to reach network devices at the other site directly by their local IPs; you may even have to replicate domain controllers over this tunnel. Let's say you want to access OWA and, not too often, check some shared files. The reason I said "not too often" is that this will create serious traffic over the Internet if the file is big.
A Cisco GRE-based VPN is the best choice here, because it supports routing, QoS, multicast and also non-IP protocols. You can configure it using SDM or the CLI. The main downside is that this configuration is not multivendor, so both routers have to be Cisco routers running an IOS that supports VPN.
Refer here for the differences between the VPN types:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure0900aecd80582078.pdf
Network Diagram
Please check the diagram before you start to read further.
Components Used
- 2 Cisco 3745 routers running Cisco IOS (C3745-ADVIPSERVICESK9-M), Version 12.4(9)T1
- 2 Windows XP
- 1 Windows Server 2003 Enterprise
Configuration
This process has 3 steps:
- Configure the Generic Routing Encapsulation (GRE) Tunnels
- Configure Encryption for the GRE Tunnels
- Configure the Routing Protocol
Configure the GRE Tunnels
R1:
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
R2:
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
Check that you can ping by interface IP and by tunnel IP.
R2#ping 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R2#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/48 ms
R1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Configure the Encryption for the GRE Tunnels
First, create an access list to define which traffic to encrypt:
R1:
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
R2:
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.
R1 & R2:
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
Configure the crypto map
R1:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
R2:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
Apply it on BOTH routers:
R1 & R2:
interface FastEthernet0/1
crypto map vpn
interface Tunnel0
crypto map vpn
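Before the matching steps are trusted on both sides, it helps to check them mechanically. The Python script below is an added example, not part of the original post: it parses a constructed template that reproduces the R1 and R2 fragments above (indented as IOS prints them) and reports the mismatches that typically leave a GRE tunnel up but unprotected or keep IKE from completing: tunnel destination versus the peer's tunnel source, set peer versus the remote address, the crypto ACL versus its mirror image on the other side, transform set and pre-shared key agreement, and whether a crypto map is applied on the tunnel source interface at all. The warning it also emits, about a key bound to address 0.0.0.0 0.0.0.0 (accepted from any peer), is this checker's own caveat rather than the post's.

```python
"""Cross-check both ends of a GRE-over-IPsec tunnel for config mismatches."""
import re

# Constructed config excerpts modelled on the post's R1 and R2. IOS indents
# sub-commands by one space, which is what the parser keys on.
TEMPLATE = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer {peer}
 set transform-set strong
 match address 100
interface Tunnel0
 ip address {tun} 255.255.0.0
 tunnel source FastEthernet0/1
 tunnel destination {peer}
interface FastEthernet0/1
 ip address {me} 255.255.0.0
 crypto map vpn
access-list 100 permit gre host {me} host {peer}
"""
R1_CFG = TEMPLATE.format(me="172.16.0.1", peer="172.16.0.2", tun="172.31.0.1")
R2_CFG = TEMPLATE.format(me="172.16.0.2", peer="172.16.0.1", tun="172.31.0.2")

# sub-command -> attribute name, shared by crypto-map and interface blocks
SUB = {("set", "peer"): "peer", ("set", "transform-set"): "xform",
       ("match", "address"): "acl", ("ip", "address"): "ip",
       ("tunnel", "source"): "src_if", ("tunnel", "destination"): "dst",
       ("crypto", "map"): "map"}


def parse_side(cfg):
    """Extract the tunnel-relevant facts from one router's configuration."""
    side = {"psk": None, "xforms": {}, "maps": {}, "acls": {}, "ifaces": {}}
    target = None  # attribute dict of the enclosing crypto-map/interface block
    for raw in cfg.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.startswith(" "):  # sub-command of the current block
            key = SUB.get(tuple(words[:2]))
            if target is not None and key:
                target[key] = words[2]
            continue
        target, line = None, raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+) (\S+)", line):
            side["psk"] = m.groups()
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            side["xforms"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            target = side["maps"].setdefault(m.group(1), {})
        elif m := re.match(r"interface (\S+)", line):
            target = side["ifaces"].setdefault(m.group(1), {})
        elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
            side["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4))
    return side


def check_pair(cfg_a, cfg_b):
    """Return findings: 'ERROR ...' (tunnel broken or unprotected) or 'WARN ...'."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings, algs = [], {}
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        tun = me["ifaces"].get("Tunnel0", {})
        phys = me["ifaces"].get(tun.get("src_if"), {})
        peer_phys = other["ifaces"].get(other["ifaces"].get("Tunnel0", {}).get("src_if"), {})
        peer_ip = peer_phys.get("ip")
        if tun.get("dst") != peer_ip:
            findings.append(f"ERROR {tag}: tunnel destination {tun.get('dst')} is not the peer's tunnel source {peer_ip}")
        cmap = me["maps"].get(phys.get("map"))
        if cmap is None:  # nothing selects the GRE packets: they leave in the clear
            findings.append(f"ERROR {tag}: no crypto map on tunnel source {tun.get('src_if')}")
            continue
        if cmap.get("peer") != peer_ip:
            findings.append(f"ERROR {tag}: set peer {cmap.get('peer')} is not the remote address {peer_ip}")
        algs[tag] = me["xforms"].get(cmap.get("xform"))
        if algs[tag] is None:
            findings.append(f"ERROR {tag}: transform-set {cmap.get('xform')} referenced but not defined")
        acl = me["acls"].get(cmap.get("acl"), [])
        if ("gre", phys.get("ip"), peer_ip) not in acl:
            findings.append(f"ERROR {tag}: crypto ACL {cmap.get('acl')} does not select gre {phys.get('ip')} -> {peer_ip}")
        peer_acl = other["acls"].get(other["maps"].get(peer_phys.get("map"), {}).get("acl"), [])
        if set(acl) != {(p, d, s) for p, s, d in peer_acl}:
            findings.append(f"ERROR {tag}: crypto ACL is not the mirror image of the peer's")
        if me["psk"] and me["psk"][1:] == ("0.0.0.0", "0.0.0.0"):
            findings.append(f"WARN {tag}: pre-shared key accepted from any peer address; bind it to {peer_ip}")
    if algs.get("A") != algs.get("B"):
        findings.append(f"ERROR: transform sets differ: {algs.get('A')} vs {algs.get('B')}")
    if a["psk"] and b["psk"] and a["psk"][0] != b["psk"][0]:
        findings.append("ERROR: ISAKMP pre-shared keys differ")
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair(R1_CFG, R2_CFG)) or "no findings")
```

Run against the post's configuration it produces no ERROR lines, only the wildcard-key warning; swapping source and destination in R2's access-list 100, the classic typo, is reported as a non-mirrored ACL from both sides, and removing the crypto map from the tunnel source interface is reported as GRE leaving unencrypted.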
Enable EIGRP
R1:
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
R2:
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
Full config
R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$JZ2K$15BvDKP555bzNmcnoxc2D.
!
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
username cisc0 privilege 15 password 0 cisc0
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
!
!
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
alias exec sr show run
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
!
!
end
R2:
Building configuration...
Current configuration : 1412 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aIoH$XR1H76kiRYuPGtAV07ST3.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
This post is based on:
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration
Other Examples:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Monday, July 13, 2009
Teleworker: Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM
One of the key portions of that advanced product is SSL VPN. In the past it was called WebVPN. It is useful in situations where you need to reach network resources in your company LAN from a remote location, most likely home, a coffee shop etc. In this post we will focus on how to access your computer at work from home using Remote Desktop, OWA (Outlook Web Access) and an internal website with News and Announcements; it could even be a SharePoint site.
Take a look at the logical diagram:
As you can see we have 2 routers: one for your remote location (R2) and one (R1) at our company site. R2 does not have to be a Cisco router; it just has to provide the Internet connection. The network between R1 and R2 (172.16.0.0/16) acts as the Internet in this lab environment. In this lab both routers are Cisco 3745s with IOS C3745-ADVIPSERVICESK9-M 12.4(9)T1.
The configuration can be done via SDM (the GUI software for configuring Cisco devices) or the CLI.
R2 config:
R2#show run
Building configuration...
Current configuration : 935 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret s
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
control-plane
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
login
!
!
end
Below is the R1 config:
Current configuration : 3841 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret s
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
!
!
crypto pki certificate chain TP-self-signed-998521732
certificate self-signed 01
!---- output cut ---
ED20B032 D4BDEF14 5A114136 4C9F1794 3C3AA01E E670BC18 FC19B9B5
quit
username cisc0 privilege 15 password 0 cisc0
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address 172.16.0.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-998521732
inservice
!
webvpn context First
title-color #FFFF00
secondary-color white
text-color black
ssl authenticate verify all
!
url-list "First"
heading "Web Sites"
url-text "OWA" url-value "http://192.168.0.10/owa/exchange"
url-text "News" url-value "http://192.168.0.10/news"
!
port-forward "portforward_list_1"
local-port 3000 remote-server "192.168.0.100" remote-port 3389 description "XP1 RD"
local-port 3001 remote-server "192.168.0.10" remote-port description "DC1 Remote Desktop"
!
policy group policy_1
url-list "First"
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1 domain mydomain
inservice
!
!
end
If you complete that config, you can connect from XP2 using a web browser. After you log in you need to click Start Application Access. The Java applet will create the VPN, and using 127.0.0.1:3000 you will be able to connect to your computer at work while being at home!
Login screen from XP2:
After you login and click Start Application Access you will see:
More info:
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
Thursday, July 9, 2009
cisco show running-configuration filter
There are mainly three widely used filters for the running config: BEGIN, EXCLUDE and INCLUDE. We can see them by issuing show running-configuration (sh run, since we're trying to save time here) followed by the vertical bar (|). We hit the question mark to see our options.
R1#sh run | ?
append Append redirected output to URL (URLs supporting append operation only)
begin Begin with the line that matches
exclude Exclude lines that match
include Include lines that match
redirect Redirect output to URL
section Filter a section of output
tee Copy output to URL
The begin command skips through the configuration until it hits the first line that matches whatever word you put after it, and displays everything from there on. Having an understanding of how lines are expressed in the configuration comes in handy when choosing what to type in.
As an example, here is the running configuration of a router I am currently working on.
R1#sh run
Building configuration...
Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
If we only wanted information on the configured static routes, we can use the begin command to filter to the exact line.
R1#sh run | begin ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
and we see that the display begins with the first line that has the words "ip route".
We can use the include command to display only the lines that have the words "ip route":
R1#sh run | include ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
This is much more succinct output and gives a much neater, easier-to-read display.
The exclude command eliminates all the lines that contain the word you put in. For example, if you wanted to remove all the lines that have the word "line":
R1#sh run | exclude line
Building configuration...
Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
exec-timeout 0 0
logging synchronous
!
!
end
Personally, I prefer the BEGIN and INCLUDE commands as they are more effective. Furthermore, the output of the EXCLUDE command leaves some information hanging (the exec-timeout and logging synchronous lines above have lost the line con 0 heading they belong to), and that may be a bit confusing.
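To make the difference between the filters concrete, here is an added Python model (not from the post) that applies begin, include, exclude and section to a constructed config excerpt in the style of the R1 config above. It treats the pattern as a regular expression, as IOS does, and models section as "the matching top-level command plus its indented sub-commands", which is a simplification of the IOS behaviour. The orphaned_subcommands helper isolates exactly the "information left hanging" by exclude: sub-commands whose heading was removed.

```python
"""Model of the IOS output filters shown in the post (begin, include, exclude
and section) so their behaviour can be compared on the same text."""
import re

# Constructed excerpt in the style of the post's R1 config; IOS indents
# sub-commands by one space.
RUNNING_CONFIG = """\
hostname R1
!
interface Serial0/0.2 point-to-point
 ip address 10.0.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial0/1
 ip address 10.1.12.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
!
end
"""


def filter_output(text, mode, pattern):
    """Apply one filter to text and return the surviving lines.

    IOS treats the pattern as a regular expression, so 'ip route' would also
    match 'ip router ...'; anchor it (e.g. '^ip route ') when that matters.
    """
    rx = re.compile(pattern)
    lines = text.splitlines()
    if mode == "begin":  # everything from the first matching line to the end
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":  # only matching lines; surrounding context is lost
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":  # drop matching lines; their sub-commands stay behind
        return [line for line in lines if not rx.search(line)]
    if mode == "section":  # matching top-level command plus its indented block
        out, keep = [], False
        for line in lines:
            if not line.startswith(" "):
                keep = bool(rx.search(line))
            if keep or rx.search(line):
                out.append(line)
        return out
    raise ValueError(f"unknown filter: {mode}")


def orphaned_subcommands(text, pattern):
    """Sub-commands left without their heading by 'exclude pattern', e.g.
    exec-timeout without the line con 0 it belongs to."""
    dropped = {line for line in text.splitlines()
               if re.search(pattern, line) and not line.startswith(" ")}
    orphans, under_dropped = [], False
    for line in text.splitlines():
        if not line.startswith(" "):
            under_dropped = line in dropped
        elif under_dropped:
            orphans.append(line)
    return orphans


if __name__ == "__main__":
    for mode, pat in (("begin", "ip route"), ("include", "ip route"),
                      ("exclude", "line"), ("section", "vty")):
        print(f"--- sh run | {mode} {pat}")
        print("\n".join(filter_output(RUNNING_CONFIG, mode, pat)))
```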
Monday, June 29, 2009
Configuring Cisco Catalyst switch VTP modes
Server mode is the default setting for Cisco Catalyst switches. Any VTP domain must contain at least one switch configured in server mode. When in this mode, the switch can be used to add, modify or delete VLAN-related information. These changes are then advertised to the other switches in the same domain that are configured as either servers or clients. A receiving switch compares the revision number of the received update with its own, and if the received revision number is higher, it replaces its configuration with the advertised one.
Client mode is simply a receiver of VTP information configured on a server. When in client mode, no VLAN changes can be made on the switch.
Transparent mode is where a switch does not act on the VTP information being advertised but still passes it on to other switches. It acts as a standalone device, and any VLAN information can be configured locally.
Configuring the modes:
First we get into the vlan database.
SWITCH#vlan database
We can then type in the vtp command followed by a question mark to see the different options.
SWITCH(vlan)#vtp ?
client Set the device to client mode.
domain Set the name of the VTP administrative domain.
password Set the password for the VTP administrative domain.
pruning Set the administrative domain to permit pruning.
server Set the device to server mode.
transparent Set the device to transparent mode.
v2-mode Set the administrative domain to V2 mode.
For now we shall concentrate only on the three VTP mode options: server, client and transparent.
To configure a server, simply type the vtp server command and you get a notification that the device is switching into server mode.
SWITCH(vlan)#vtp server
Setting device to VTP SERVER mode.
The same goes for configuring a VTP client:
SWITCH(vlan)#vtp client
Setting device to VTP CLIENT mode.
As well as transparent mode:
SWITCH(vlan)#vtp transparent
Setting device to VTP TRANSPARENT mode
To apply the changes and exit the vlan database, simply type "exit".
SWITCH(vlan)#exit
APPLY completed.
Exiting....
To verify the configured VTP mode, we can use the "show vtp status" command.
SWITCH#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 256
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x1A 0x47 0x70 0xB8 0xD1 0x2F 0x7E 0x32
Configuration last modified by 10.1.35.2 at 3-1-02 00:48:56
In this instance, the switch is in Transparent VTP operating mode.
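The revision-number rule described above is easiest to see in a small simulation. The following Python is an added example, not from the post, with hypothetical switch names SW1 to SW4: a server change is advertised and accepted by the client and forwarded but ignored by the transparent switch; then a fourth switch joins with a stale VLAN database whose revision number (7) is higher than the domain's, which the rule says every server and client must accept. That last step is the reason the Configuration Revision line in show vtp status above is worth reading before a switch is connected to production trunks.

```python
"""Simulation of how VTP server, client and transparent switches handle an
advertisement, following the revision-number rule described in the post."""
from dataclasses import dataclass, field


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: dict          # vlan id -> name, the advertised VLAN database


@dataclass
class Switch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)
    log: list = field(default_factory=list)


def configure_vlan(sw, vlan_id, name):
    """Local VLAN change. Returns the advert a server sends out, else None."""
    if sw.mode == "client":
        raise PermissionError(f"{sw.name}: VTP client, VLAN changes must be made on a server")
    sw.vlans[vlan_id] = name
    if sw.mode == "transparent":
        return None          # local database only, nothing is advertised
    sw.revision += 1         # every server-side change bumps the revision
    return Advert(sw.domain, sw.revision, dict(sw.vlans))


def receive(sw, adv):
    """Process an advert on sw; return the adverts it forwards on its trunks."""
    if adv.domain != sw.domain:
        sw.log.append(f"{sw.name}: ignored advert for domain {adv.domain}")
        return []
    if sw.mode == "transparent":
        sw.log.append(f"{sw.name}: transparent, forwarded rev {adv.revision} unchanged")
        return [adv]
    if adv.revision > sw.revision:   # servers and clients alike obey this rule
        sw.vlans, sw.revision = dict(adv.vlans), adv.revision
        sw.log.append(f"{sw.name}: accepted rev {adv.revision}, VLANs now {sorted(sw.vlans)}")
        return [adv]
    sw.log.append(f"{sw.name}: kept rev {sw.revision}, advert rev {adv.revision} not higher")
    return []


def run_scenario():
    """Three-switch domain, then a fourth switch with a stale but higher revision."""
    server = Switch("SW1", "server", "LAB")
    client = Switch("SW2", "client", "LAB")
    transp = Switch("SW3", "transparent", "LAB")
    adv = configure_vlan(server, 10, "users")
    for sw in (client, transp):
        receive(sw, adv)
    # A switch previously used elsewhere in a domain also called LAB joins.
    # Its revision (7) beats the domain's (1), so every server and client
    # replaces its VLAN database with the stale one; the transparent switch
    # only forwards it.
    stale = Switch("SW4", "server", "LAB", revision=7, vlans={99: "old-lab"})
    stale_adv = Advert(stale.domain, stale.revision, dict(stale.vlans))
    for sw in (server, client, transp):
        receive(sw, stale_adv)
    return {"server": server, "client": client, "transparent": transp}


if __name__ == "__main__":
    for sw in run_scenario().values():
        print("\n".join(sw.log))
```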
Tuesday, June 23, 2009
Part 1: Which Routing Protocol Should I Choose? RIPv2 vs. OSPF
As you can see, OSPF looks to be the more beneficial routing protocol of the two to use. In a later article, I will discuss the similarities and differences between OSPFv2 and EIGRP (Enhanced Interior Gateway Routing Protocol) and from there, we can determine which of the two, under your network's circumstances, would be the most beneficial routing protocol to use for your network.
Monday, June 22, 2009
Configuring NAT Part 2: Static Translation
Let's do a concise review of the dynamic NAT configuration before moving on.
Step 1: Determine inside and outside networks.
- GatewayRouter(config)#int s0/0
GatewayRouter(config-if)#ip nat outside
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip nat inside
Step 2: Ensure that connectivity exists between the routers.
- GatewayRouter(config)#ip route 0.0.0.0 0.0.0.0 s0/0
Step 3: Configure a pool of private IP addresses.
- GatewayRouter(config)#access-list 1 permit 10.0.0.0 0.0.0.255
Step 4: Configure a pool of public IP addresses.
- GatewayRouter(config)#ip nat pool OUTSIDE 216.116.120.250 216.116.120.254 net 255.255.255.248
- GatewayRouter(config)#ip nat inside source list 1 pool OUTSIDE
----------------------------------------------------------------------------------------
What is Static NAT
A type of Network Address Translation where a one-to-one mapping exists between a public IP address and an internal, private IP address. This method is manual and static; as a result, it is more time-consuming and does not automatically react to changes in the network.
So, what is its purpose? When you publish your web servers or front-end Exchange servers, you will need to associate those servers with a public IP address so that clients and users can access them from external networks. Likewise, the same servers will also require a private IP address so that internal users can access them. Instead of using two NICs to solve this, it's recommended to use static NAT to kill two birds with one stone more securely. Here are the general steps when configuring static NAT:
- Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands in interface or subinterface configuration mode.
- Step 2: Ensure that connectivity exists between the routers. By using either static routes or dynamic routing protocols, make sure that your inside global network can reach the outside network.
- Step 3: Configure static Network Address Translation. Define the components that will be translated.
- Step 4: Verify your work.
In the network diagram below, let's configure a static NAT for the front-end Exchange Server.
Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands in interface or subinterface configuration mode.
GatewayRouter#conf t
GatewayRouter(config)#int s0/0
GatewayRouter(config-if)#ip nat outside
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip nat inside
Step 2: Ensure that connectivity exists between the routers. By using either static routes or dynamic routing protocols, make sure that your inside global network can reach the outside network.
GatewayRouter(config)#ip route 0.0.0.0 0.0.0.0 s0/0
Step 3: Configure Network Address Translation. Define components that will be translated.
GatewayRouter(config)#ip nat inside source static 10.1.0.25 216.116.120.252
Note that for static NAT, you do not need to configure a pool or an access list.
Thursday, June 18, 2009
Are you late? Synchronize cisco router with Network Time Protocol (NTP)
One of the first things you do when you purchase a desktop, laptop, cell phone, PDA, server or MP3 player is to check the calendar and the time. Is that right? I hope it is. Why should we not do the same with a Cisco router (or switch)? It is very important, especially if you are about to read log messages and need to understand them, or if you have a VoIP system, since this setting will be displayed on all phones. Yes, including your boss's.
In this post, I will show you how to:
- check your current router clock
- synchronize it to one of the public NTP servers using NTP
- verify updated router clock
A Cisco 2621 router with IOS Version 12.3(19) was used during this setup.
First, let's check your router's current clock setting:
Router#show clock
*07:34:56.011 UTC Sat Mar 20 1993
As we can see, not very current. Compare with the date of this post.
Find an NTP server that you can synchronize to (http://support.ntp.org/bin/view/Servers/StratumOneTimeServers).
Try to ping it.
Router#ping selected.ntp.server
Translating "selected.ntp.server"...domain server (1.2.3.4) [OK]
If it works, you are ready to establish the NTP association, which means your router will be a client and the selected host an NTP server.
It can be done by:
Router(config)#clock timezone PST -8
Router(config)#ntp peer selected.ntp.server
Router(config)#ntp source fa0/1
The first line sets up your time zone. The second one specifies the source that will be used to synchronize your router's time. In the last line, as you can see, we have specified an interface to make sure that the source IP is our public IP, so the NTP server can reach us.
At this point we would like to verify our work, by:
Router#show clock
17:18:57.505 PDT Thu Jun 18 2009
Great job!
I hope it worked in your case too. If not, please check: http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001612
or just go to:
http://www.cisco.com/univercd/home/home.htm
to find specific information about your particular model of device.
Wednesday, June 10, 2009
How to secure remote access to the Cisco router (replace telnet with ssh)
This post was essentially going to be about how to enable ssh on a Cisco router. But... I realized that in many cases when I say to someone:
- You should stop using telnet to access your Cisco device over a public network (the Internet), because the traffic is not encrypted and it is easy to sniff and see your passwords, your running config, anything you type and your router's responses. It is like having a keylogger on your system. Use ssh instead, so the traffic is encrypted and you are much safer.
That "someone" (you?) often says:
- Really? Oh.. probably it is not so easy to sniff, come on!
Because of this I will show how "safe" you are using telnet. The second reason is the analogy I see with martial arts (I hope you like it): before you learn how to block and protect yourself, you need to know how to strike first!
Please take a look at Figure 1. We will telnet from Microsoft Windows "XP" to Router "R", sniff the telnet traffic using Wireshark, decode it and read it.
Below are scary results:
No way, you might say. As you can see, if you use telnet, someone can learn your passwords and your config, and if that someone is having a bad day they may wipe out your router config and reboot it... You probably do not want to come to work and see that in the morning, do you?
Let's fix it and enable ssh:
en
conf t
username cisco password cisco
aaa new-model
ip domain-name mydomain.com
cry key generate rsa
!
! --- use 2048 bits as the key length, and allow a couple of minutes for your router to generate the key
!
line vty 0 4
!--- enable ssh service only
transport input ssh
end
wr
It will look like:
We are done. Now we should use an ssh client; from Windows we will use PuTTY. Take a look at what we can sniff this time:
Try to guess my password now!
As we can see, the security level has improved a lot, and it did not take much effort either. I hope this helps you understand that telnet should be replaced by ssh, unless you do not care about the security of your passwords or running config, which is possible if you are just using the router for quick-and-dirty testing or learning purposes.
Note: after you have changed your connection type from telnet to ssh, you should change all passwords, since someone could already have sniffed the current ones.
Make sure your IOS supports ssh using the Cisco IOS advisor:
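The settings that decide how exposed the management plane is can be checked from the configuration alone. The Python below is an added example, not part of the post: it audits a constructed fragment carrying the weak settings seen in the configs earlier on this page (vty lines that accept telnet, a username with a reversible password, no service password-encryption, plain-HTTP SDM access) and then the same fragment after the fix described above. The hash on the username line of the fixed fragment is a placeholder, not a real secret.

```python
"""Audit an IOS configuration for the remote-management weaknesses the post
describes, and show the same fragment after the fix."""
import re

# Constructed fragment carrying the weak settings seen in the configs above.
BEFORE = """\
no service password-encryption
username cisco password 0 cisco
ip http server
no ip http secure-server
line vty 0 4
 password v
 transport input telnet ssh
"""

# The same fragment after the post's fix, plus the follow-up its note asks
# for (credentials re-issued). The hash is a placeholder, not a real secret.
AFTER = """\
service password-encryption
aaa new-model
ip domain-name mydomain.com
ip ssh version 2
username cisco secret 5 $1$PLACEHOLDER$replace-with-router-generated-hash
no ip http server
ip http secure-server
line vty 0 4
 trans­port input ssh
"""


def audit(config):
    """Return (severity, finding) tuples; an empty list means nothing flagged."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = line                     # remember the enclosing block
        words = line.split()
        if section.startswith("line vty") and words[:2] == ["transport", "input"]:
            if "telnet" in words or "all" in words:
                findings.append(("HIGH", f"{section}: '{line}' still accepts cleartext telnet"))
        if re.match(r"username \S+ password ", line):
            findings.append(("HIGH", f"{words[1]}: 'password' is reversible, use 'secret'"))
        if line == "no service password-encryption":
            findings.append(("MEDIUM", "line passwords are stored in cleartext"))
        if line == "ip http server":
            findings.append(("MEDIUM", "plain-HTTP management (SDM) is enabled"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}: {audit(cfg) or 'no findings'}")
```

Note that service password-encryption only obscures line passwords (type 7); it is the move from password to secret and from telnet to ssh that removes the exposure the post demonstrates.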
http://tools.cisco.com/ITDIT/ISTMAIN/servlet/index
(IOS used in this post was 12.4(9)T1 with Cisco 3745 router.)
More info:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Friday, June 5, 2009
What's the purpose of Cisco loopback IP addresses?
Most people with a background in working with desktop computers have come across a loopback address, the most common being 127.0.0.1, which loops you back to your own machine; pinging it checks whether your TCP/IP stack is up and running.
With Cisco devices, loopback interfaces are virtual and are not tied to physical interfaces that you can see. A loopback can be a very powerful tool in any infrastructure, as its strongest characteristic is that it never goes down unless the whole device goes down. This is very significant for processes that use IP addresses to identify a particular device. One example is OSPF, which uses router IDs to identify neighbors. The router ID is determined as the highest active loopback address; if none is available, the highest IP address of an active physical interface is chosen. In a situation where the physical port that happens to provide the router ID goes down, the router is deemed to be unavailable, resulting in a whole re-election process for all routes through that router, even though in reality the other routes are still available. Another use of loopback addresses is in lab environments, to simulate networks behind a router. Assigning a loopback address is a simple task, as shown below:
Router(config)#interface loopback 1
Router(config-if)#ip address 192.168.0.1 255.255.255.0
Router(config-if)#exit
where the number "1" is the loopback interface number and is locally significant. The address can be verified in the running config as well as with the "show ip interface brief" command:
Interface IP-Address OK? Method Status Protocol
Serial0/0 unassigned YES unset administratively down down
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset administratively down down
Loopback1 192.168.0.1 YES manual up up
As we can see, the loopback interface immediately shows up as up/up even when all the other interfaces are down. Loopback addresses are great for management and, if used properly, can be a great tool for pinging to check whether your routers are up and running, as well as for remote connections to a device.
What other uses can you think of ?
Wednesday, June 3, 2009
Configuring NAT Part 1: Dynamic Translation
The term NAT is used by many vendors, and it may differ slightly depending on which equipment you are using to configure NAT. In this blog, we will be exploring NAT as used by Cisco IOS.
Here are the general steps when configuring NAT:
- Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands in interface or subinterface configuration mode.
- Step 2: Ensure that connectivity exists between the routers. By using either static routes or dynamic routing protocols, make sure that your inside global network can reach the outside network.
- Step 3: Configure a pool of private IP addresses that will be allowed to access the external network.
- Step 4: Configure a pool of public IP addresses that will be used by your internal network to access the external network.
- Step 5: Configure Network Address Translation. Define the components that will be translated.
- Step 6: Verify your work.
Let's configure the Gateway Router from the diagram below so that the PCs in the internal network can communicate with the devices in external networks.
Step 0: Configure the base configuration and assign IP addresses according to the diagram above.
Router>enable
Router#configure terminal
Router(config)#hostname GatewayRouter
GatewayRouter(config)#interface s0/0
GatewayRouter(config-if)#ip add 216.116.120.250 255.255.255.248
GatewayRouter(config-if)#no shutdown
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip add 10.0.0.1 255.255.255.0
GatewayRouter(config-if)#no shut
Always verify that the IP addresses are entered properly and that Status and Protocol are both up.
-------------------------------------------------------
Step 1: Determine inside and outside networks. Label each interface as “inside” or “outside” using the ip nat inside and ip nat outside commands in interface or subinterface configuration mode.
GatewayRouter#conf t
GatewayRouter(config)#int s0/0
GatewayRouter(config-if)#ip nat outside
GatewayRouter(config-if)#int fa1/0
GatewayRouter(config-if)#ip nat inside
-------------------------------------------------------
Step 2: Ensure that connectivity exists between the routers.
GatewayRouter(config)#ip route 0.0.0.0 0.0.0.0 s0/0
-------------------------------------------------------
Step 3: Configure a pool of private IP addresses. You need to specify the source addresses that will be translated. In this exercise, you will be using an access list to specify the pool of addresses. We will allow all internal IP addresses to pass through the gateway router.
GatewayRouter(config)#access-list 1 permit 10.0.0.0 0.0.0.255
-------------------------------------------------------
Step 4: Specify the pool of IP addresses that will be used as Inside Global addresses. The pool name you choose here must match the name you reference in the ip nat inside source command in Step 5; pool names are case-sensitive.
GatewayRouter(config)#ip nat pool OUTSIDE 216.116.120.250 216.116.120.254 net 255.255.255.248
The first IP address is the start of the Inside Global range and the second is the last Inside Global address NAT may hand out. Two things to note about this pool: it begins at 216.116.120.250, which is also the address configured on s0/0, so the first inside host to be translated is given the router's own outside address (in practice start the pool at the next free address, or translate to the interface address using the overload keyword instead); and, because Step 5 does not use overload, each inside host holds one pool address for as long as its translations live, so at most five inside hosts can be translated at the same time.
-------------------------------------------------------
Step 5: Configure Network Address Translation. Define components that will be translated.
GatewayRouter(config)#ip nat inside source list 1 pool OUTSIDE
ip nat inside source has several forms (a static one-to-one mapping, a list translated to a pool as here, or a list translated to an interface address with overload). The form used here says: traffic whose source matches access-list 1, arriving on an inside interface and leaving through an outside interface, has its source address replaced with a free address from pool OUTSIDE.
-------------------------------------------------------
Step 6: Verification
The last step is to verify that Network Address Translation works. Log in to one of the PCs and ping out to the internet. If DNS is available, ping a known website such as google.com or yahoo.com; if your internal network has no DNS, ping an external address directly, for example the public DNS server 4.2.2.3. Once an external host answers, go back to GatewayRouter and inspect the translation table with show ip nat translations (show ip nat statistics gives the hit and miss counters).
A translation entry for the pinging PC means NAT is working. The port (for ICMP, the identifier) shown in the output varies from run to run, but because this is dynamic NAT without overload only the address is rewritten, so the port on the Inside global side matches the port on the Inside local side.
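To make the behaviour of this configuration concrete, here is an added example (not part of the original post, and not IOS code or output): a small Python model of how IOS hands out pool addresses for the access-list 1 / pool OUTSIDE configuration above, with and without the overload keyword. The inside host addresses 10.0.0.11 and up are constructed inputs, and the PAT port-allocation rule is a simplification of what IOS does. It shows two things worth knowing before deploying this config: without overload at most five inside hosts can be translated at once, and the first of them is handed 216.116.120.250, the router's own s0/0 address.

```python
"""Model of the page's dynamic NAT configuration (added example, not IOS output).

Assumed configuration, taken from the GatewayRouter steps above:
  access-list 1 permit 10.0.0.0 0.0.0.255
  ip nat pool OUTSIDE 216.116.120.250 216.116.120.254 netmask 255.255.255.248
  ip nat inside source list 1 pool OUTSIDE          (no 'overload')
DynamicNat is a simplified simulator of how IOS allocates pool addresses;
it is not a re-implementation of IOS.
"""
import ipaddress

ACL_1 = ipaddress.ip_network("10.0.0.0/24")                                  # access-list 1
POOL_OUTSIDE = [ipaddress.ip_address("216.116.120.250") + i for i in range(5)]  # .250 - .254
S0_0_ADDRESS = ipaddress.ip_address("216.116.120.250")                      # outside interface


class DynamicNat:
    """Inside->outside translation for 'ip nat inside source list ... pool ... [overload]'."""

    def __init__(self, acl, pool, overload=False):
        self.acl = acl
        self.pool = list(pool)
        self.overload = overload
        self.host_map = {}      # inside local addr -> inside global addr (no overload: 1:1)
        self.flow_map = {}      # (inside local addr, port) -> (inside global addr, port) (PAT)
        self.used_ports = set()  # (inside global addr, port) pairs already handed out by PAT

    def translate(self, inside_local, port):
        """Return the (source address, port) that leaves the outside interface.

        A source that misses the ACL is routed untranslated (returned unchanged).
        None means the packet is dropped because no pool address is free; IOS
        counts that as a miss in 'show ip nat statistics'.
        """
        src = ipaddress.ip_address(inside_local)
        if src not in self.acl:
            return (src, port)
        if not self.overload:
            # Plain dynamic NAT: one pool address per inside host, ports untouched.
            if src not in self.host_map:
                taken = set(self.host_map.values())
                free = [g for g in self.pool if g not in taken]
                if not free:
                    return None  # pool exhausted until an existing translation times out
                self.host_map[src] = free[0]
            return (self.host_map[src], port)
        # Overload (PAT): all hosts share the first pool address; the source port is
        # kept when free and rewritten only on a collision (simplified IOS behaviour).
        key = (src, port)
        if key not in self.flow_map:
            g = self.pool[0]
            p = port
            while (g, p) in self.used_ports:
                p = p + 1 if p < 65535 else 1024
            self.used_ports.add((g, p))
            self.flow_map[key] = (g, p)
        return self.flow_map[key]


def pool_overlaps_interface(pool, interface_address):
    """True when the pool can hand an inside host the router's own outside address."""
    return interface_address in pool


def simultaneous_hosts(nat, count, port=1024):
    """How many of `count` constructed inside hosts 10.0.0.11.. get a translation at once."""
    translated = 0
    for i in range(count):
        if nat.translate(f"10.0.0.{11 + i}", port) is not None:
            translated += 1
    return translated


if __name__ == "__main__":
    plain = DynamicNat(ACL_1, POOL_OUTSIDE)
    print("no overload, 8 hosts translated:", simultaneous_hosts(plain, 8))   # 5
    print("first host mapped to:", plain.translate("10.0.0.11", 1024)[0])     # 216.116.120.250
    pat = DynamicNat(ACL_1, POOL_OUTSIDE, overload=True)
    print("overload, 8 hosts translated:", simultaneous_hosts(pat, 8))        # 8
    print("pool includes s0/0 address:", pool_overlaps_interface(POOL_OUTSIDE, S0_0_ADDRESS))
```

Starting the pool at 216.116.120.251, or translating to the interface address with the overload keyword, removes both problems the model flags.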
Thursday, May 21, 2009
How Are IP Addresses and Subnet Masks Related?
Now let’s break down our computer’s IP. Every IPv4 address consists of four 8-bit octets, each ranging in decimal from 0 to 255. For instance, 192 (the first octet of our IP) is 11000000 in binary (for binary-to-decimal conversion, see http://www.wikihow.com/Convert-from-Binary-to-Decimal). This next step is key: ANY BINARY ‘1’ IN THE SUBNET MASK DEFINES THE NETWORK, and ANY ‘0’ IN THE SUBNET MASK DEFINES THE HOST. Because the 1st, 2nd and 3rd octets of our subnet mask are 255 (11111111 in binary), the network our IP lives in is 192.168.1.0. The 4th octet therefore defines the host number within that network, so this one network, 192.168.1.0, can hold up to 254 hosts. Why not 256? Two of the 256 values are reserved: host address 0 (192.168.1.0) is the network address itself, and host address 255 (192.168.1.255) is the network’s broadcast address. That leaves 254 usable host addresses (1–254).
Let’s try a slightly harder example. Say we go to the command line on our computer and run “ipconfig” to display our IP and subnet mask. The output shows an IP address of 192.168.1.193 with a subnet mask of 255.255.255.192. The first thing to do is break the IP address into octets. Luckily for us, the first three octets are all network address, because those three octets of the mask are all 1s (255 = 11111111 in binary). Now all we need to worry about is the last octet. The 192 in our subnet mask is 11000000 in binary (the six 0s are the host bits). Because the network is defined by the 1s in the mask, the first 2 bits of the last octet of our IP are still part of the network address. Translating 193 to binary gives 11000001, so the network portion is 11 (192) and the host portion is 000001 (host 1): 193 is the first host in the network 192.168.1.192! Our network address is therefore 192.168.1.192, and the hosts in it range from 192.168.1.193 to 192.168.1.254 (192.168.1.255 is the broadcast address of this 64-address block).
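The rule above (mask bit 1 = network, 0 = host) as working code. This is an added example, not part of the original article: it computes network, broadcast and usable host range with integer bit operations, cross-checks the result against Python's ipaddress module, and rejects masks that are not a contiguous run of 1s. It also handles the /31 and /32 edge cases the article does not cover. The address 192.168.1.77 used in the demo is a constructed input.

```python
"""Subnet arithmetic the way the article describes it: mask bit 1 = network, 0 = host.
Added example (not from the original article); uses only integer bit operations and
cross-checks the result against Python's ipaddress module.
"""
import ipaddress


def dotted_to_int(dotted):
    """'192.168.1.193' -> 0xC0A801C1 (four 8-bit octets packed into a 32-bit integer)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Count the run of 1 bits; reject masks such as 255.0.255.0 whose 1s are not contiguous."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def describe(ip, mask):
    """Network, broadcast and host range for ip/mask, computed bit by bit."""
    ip_i, mask_i = dotted_to_int(ip), dotted_to_int(mask)
    ones = prefix_length(mask)
    network = ip_i & mask_i                        # keep only the bits under the mask's 1s
    broadcast = network | (~mask_i & 0xFFFFFFFF)   # set every host bit (mask 0s) to 1
    host_bits = 32 - ones
    if host_bits >= 2:
        first, last, usable = network + 1, broadcast - 1, 2 ** host_bits - 2
    else:
        # /31 (RFC 3021 point-to-point) and /32: no separate network/broadcast addresses
        first, last, usable = network, broadcast, 2 ** host_bits
    result = {
        "prefix": ones,
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(first),
        "last_host": int_to_dotted(last),
        "usable_hosts": usable,
        "last_octet_binary": format(ip_i & 0xFF, "08b"),  # the octet the article works through
    }
    # Sanity check against the standard library (strict=False allows a host address).
    check = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    assert str(check.network_address) == result["network"]
    assert str(check.broadcast_address) == result["broadcast"]
    return result


if __name__ == "__main__":
    for ip, mask in (("192.168.1.77", "255.255.255.0"), ("192.168.1.193", "255.255.255.192")):
        r = describe(ip, mask)
        print(f"{ip}/{r['prefix']}: network {r['network']}, broadcast {r['broadcast']}, "
              f"hosts {r['first_host']}-{r['last_host']} ({r['usable_hosts']} usable), "
              f"last octet {r['last_octet_binary']}")
```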
IPv6 keeps the same network/host split; it just writes the mask as a prefix length (for example /64) instead of a dotted mask, and the same rule, 1 bits are network and 0 bits are host, applies to its 128 bits. I will cover IPv6 in a later article, but for now IPv4 subnetting takes practice, practice and even more practice before the relationship between an IP address and its subnet mask becomes second nature. Try it yourself on your computer at home and let me know how things go!
Wednesday, May 20, 2009
IP Multicast Technology Overview
Most of us are familiar with the peer-to-peer (p2p) concept: files are shared or downloaded from many sources at the same time, and some clients pick the closest source before the download starts. IP multicast works somewhat differently, but the concept and the goal are the same: to optimize traffic and use network connections more efficiently where possible.
IP communication allows a host to send packets in two ways:
1. To a single host (called unicast transmission)
2. To all hosts (called broadcast transmission)
IP multicast provides a third possibility:
3. To a subset of all hosts (called a group transmission)
IP multicast is a bandwidth-conserving technology that reduces traffic by delivering a single stream of information simultaneously to potentially thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news.
IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers while using a minimum of network bandwidth. Multicast packets are replicated in the network at the point where paths diverge by Cisco routers enabled with Protocol Independent Multicast (PIM) and other supporting multicast protocols, resulting in the most efficient delivery of data to multiple receivers.
Many alternatives to IP multicast require the source to send more than one copy of the data. Some, such as application-level multicast, require the source to send an individual copy to each receiver. Even low-bandwidth applications can benefit from using Cisco IP multicast when there are thousands of receivers. High-bandwidth applications, such as MPEG video, may require a large portion of the available network bandwidth for a single stream. In these applications, IP multicast is the only way to send to more than one receiver simultaneously.
IP multicast addresses specify a “set” of IP hosts that have joined a group and are interested in receiving multicast traffic designated for that particular group. The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. IANA has assigned the IPv4 Class D address space to be used for IP multicast. Therefore, all IP multicast group addresses fall in the range from 224.0.0.0 through 239.255.255.255.
The most important terms are:
RP (Rendezvous Point) - a designated router in a PIM sparse-mode domain, usually near the "center" of the network. Sources register with it and receivers' join requests are sent toward it, so it is the root of the shared tree and forwards a group's traffic down toward the segments that have asked for it.
PIM (Protocol Independent Multicast) - is IP routing protocol-independent and can leverage whichever unicast routing protocols are used to populate the unicast routing table, including Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and static routes. PIM uses this unicast routing information to perform the multicast forwarding function. Although PIM is called a multicast routing protocol, it actually uses the unicast routing table to perform the RPF check function instead of building up a completely independent multicast routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.
PIM-DM (PIM Dense Mode) - uses a push model to flood multicast traffic to every corner of the network. This push model is a brute force method for delivering data to the receivers. This method would be efficient in certain deployments in which there are active receivers on every subnet in the network.
PIM-SM (PIM Sparse Mode) - uses a pull model to deliver multicast traffic. Only network segments with active receivers that have explicitly requested the data will receive the traffic.
Bidir-PIM (Bidirectional PIM) - is an enhancement of the PIM protocol that was designed for efficient many-to-many communications within an individual PIM domain. Multicast groups in bidirectional mode can scale to an arbitrary number of sources with only a minimal amount of additional overhead.
For more information, see the Cisco IP multicast documentation and configuration guides.
Thursday, May 14, 2009
Etherchannel in a Nutshell: Understanding and Configuring the Cisco Technology
Ever feel like your internet connection isn’t as fast as you think it could be? Along with that, shouldn’t there be a way to create fault tolerance between your computers and the internet in the case that one of your cables happens to go bad? Fortunately for you, there is a way to kill two birds with one stone. It’s called EtherChannel, an easily-configurable technology used primarily on Cisco switches.
EtherChannel groups multiple physical Ethernet links into one logical link. This provides both increased aggregate bandwidth and fault tolerance between your routers, switches, servers, hosts, etc. A channel can consist of two to eight Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet links, all of the same speed and duplex. If one member link fails, traffic moves to the remaining members and the logical link stays up, so connectivity is never lost.
For example, say you have two Cisco switches, each with four Gigabit Ethernet ports. You have already established connectivity using one Gigabit port on each switch, but users complain that transferring large files to each other takes too long. Each switch has three additional Gigabit Ethernet ports that are doing nothing but collecting dust. Cabling those three extra links and bundling all four into one logical link with EtherChannel multiplies the original Gigabit capacity by four AND provides backup links in case one of them fails. Our previous 1 Gbps of bandwidth is now 4 Gbps with fault tolerance, with one caveat: the switch hashes each conversation (by MAC or IP addresses, depending on the load-balancing method) onto a single member link, so one large file transfer between two hosts still runs at 1 Gbps; the gain shows up when many users transfer files at the same time.
Monday, May 11, 2009
Using Question Mark For Secret Password With Cisco Routers and Switches
If you type a question mark while entering the secret, the CLI treats it as a request for help and shows this instead:
Router(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
Even when you have already typed part of the secret, the ? is still read as a help request:
Router(config)#enable secret qm?
LINE
Router(config)#enable secret qm
It still comes back to just "qm". So how can we use it? Press CTRL+v before pressing "?"; the question mark is then inserted literally and becomes part of the secret:
Router(config)#enable secret qm?
Voilà! The magic combination was CTRL+v. Whether or not the secret contains a question mark, enable secret is stored as a salted MD5 hash (the type 5 form listed in the help output above), unlike the reversible type 7 encoding used by enable password, so a long enable secret passphrase is worth far more than a tricky special character.
By the way, you may have the idea to cut and paste a "?" from Notepad into the terminal. Try it... and let us know.