IOS ACL interaction w/ ip inspect (CBAC)

Sorry to bother you guys, but I'm banging my head against the wall with this one

[ACL vs CBAC ip inspect]

Specifically, SDM created the following configuration:

ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
interface FastEthernet4
 ip address 100.100.100.1 255.255.255.0
 ip access-group 101 in
 ip inspect SDM_LOW out

access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 100.100.100.1 echo-reply
access-list 101 permit icmp any host 100.100.100.1 time-exceeded
access-list 101 permit icmp any host 100.100.100.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

So as you can see, the DENY ANY ANY of the ACL would block return traffic, wouldn't it? I thought that the ACL is applied FIRST? So I guess, looking at this config, that when CBAC examines traffic OUT on the external interface, it can then create holes in the ACL to allow return traffic. Is this correct?

And if so, why not simply rely on the implicit DENY ALL; why does deny ip any any appear explicitly in the ACL?

I read through the 12.4 security configuration guide on the Cisco site and it does not answer this question.

Thanks in advance

:-(

Your assumption is quite right: CBAC opens a hole in the ACL to allow the return traffic back in.

Regarding the deny ip any any at the end of the access list, it's a best-practice line added to the access list. If you look at the line, you will notice that there is a log keyword at the end, so this is to log the denied traffic to a syslog server, for example, for you to review and analyze the traffic later, in case you get attacked or something like that.

You can remove this line if you think it's unnecessary, but as I said, it is good practice when it comes to access lists.

Regards,

Shadi
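A small model of the interaction described in this thread, added here as an example and not part of the original post or of Cisco's software: it parses the quoted access-list 101 (IOS wildcard-mask syntax) and shows that the reply to a CBAC-inspected outbound session is admitted before the static ACEs are consulted, while an unsolicited inbound packet falls through to the explicit deny ip any any log and is logged, where the implicit deny would have dropped it silently. The packets, the session table and the 198.51.100.20 server address are constructed for the demonstration.

```python
"""Model of how CBAC lets return traffic past an inbound ACL (session table first, then ACEs)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
ACL_101 = """\
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 100.100.100.1 echo-reply
access-list 101 permit icmp any host 100.100.100.1 time-exceeded
access-list 101 permit icmp any host 100.100.100.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # ignored for icmp
    dport: int = 0
    icmp_type: str = ""  # e.g. "echo-reply"

@dataclass(frozen=True)
class Ace:
    text: str
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    src: tuple           # (network, wildcard) as ints
    dst: tuple
    icmp_type: str       # only for proto "icmp", else ""
    log: bool

def _in_range(addr, spec):
    net, wild = spec  # IOS wildcard: a 1 bit means "don't care"
    return (int(IPv4Address(addr)) & ~wild) == (net & ~wild)

def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((net, wild), next_i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2

def parse_acl(text):
    """'access-list N action proto src dst [icmp-type] [log]' lines -> list of Ace."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        rest = [t for t in tok[i:] if t != "log"]
        icmp_type = rest[0] if tok[3] == "icmp" and rest else ""
        aces.append(Ace(line, tok[2], tok[3], src, dst, icmp_type, "log" in tok[i:]))
    return aces

def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
        return False
    return _in_range(pkt.src, ace.src) and _in_range(pkt.dst, ace.dst)

def inspect_outbound(pkt, sessions):
    """'ip inspect SDM_LOW out': remember the flow so its reply can come back in."""
    sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

def inbound_decision(pkt, acl, sessions):
    """Inbound on FastEthernet4 -> (action, reason, logged). A reply to an inspected
    session passes CBAC's temporary opening before the static ACEs are read; an
    unsolicited packet hits 'deny ip any any log' and is logged, not silently dropped."""
    if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in sessions:
        return "permit", "cbac session", False
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text, ace.log
    return "deny", "implicit deny", False

def demo():
    """Constructed flows: 100.100.100.1 is the outside address from the page;
    198.51.100.20 (documentation range) stands in for an Internet server."""
    acl, sessions = parse_acl(ACL_101), set()
    inspect_outbound(Packet("tcp", "100.100.100.1", "198.51.100.20", 51000, 443), sessions)
    reply = Packet("tcp", "198.51.100.20", "100.100.100.1", 443, 51000)
    ssh = Packet("tcp", "198.51.100.20", "100.100.100.1", 40000, 22)
    spoofed = Packet("tcp", "10.0.0.7", "100.100.100.1", 40000, 80)
    ping = Packet("icmp", "198.51.100.20", "100.100.100.1", icmp_type="echo-reply")
    return {
        "reply": inbound_decision(reply, acl, sessions),
        "reply_no_session": inbound_decision(reply, acl, set()),
        "unsolicited_ssh": inbound_decision(ssh, acl, sessions),
        "spoofed_rfc1918": inbound_decision(spoofed, acl, sessions),
        "ping_reply": inbound_decision(ping, acl, sessions),
    }
```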

Tags: Cisco Security

Similar Questions

  • IOS 12.3(5a) 3620 CBAC SMTP issue

    I recently tested a 12.3(5a) image. Upon restart, my clients' external SMTP would fail, as would POP3. Troubleshooting, I found that the access list was fine. When, however, I applied the firewall, even with a wide-open access list, external SMTP clients would fail. Anyone know about this issue? I checked the release notes below and found nothing. Running on a 3620 with 16 MB flash and 64 MB of RAM. Any help appreciated. I had to roll back to a 12.2T train and it works very well.

    http://www.Cisco.com/en/us/partner/products/SW/iosswrel/ps5187/prod_release_note09186a008017d261.html#1672043

    Probably CSCec78231 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search); this is a pretty important IOS FW bug. Basically, TCP sessions opened from the outside do not work because the SYN/ACK response coming from the inside host gets dropped.

  • Extended ACL works in both directions?

    Hello

    I would like to know the following, and hopefully one of you can help me:

    If I write an extended ACL saying that PC1 must not communicate with PC2 and apply it outbound on an interface like this:

    Cisco(config)# ip access-list extended whatever
    Cisco(config-ext-nacl)# deny ip host pc1 host pc2

    ... is it still possible for PC2 to start, for example, a telnet session to PC1?

    IOS ACLs are not stateful, unless you use CBAC (IOS Firewall). Which means:

    1. your ACL will block traffic originating from .1 to .2

    2. host .2 can initiate communication to .1, but the response packets from .1 to .2 are blocked, so no TCP sessions can be set up. Stateless protocols that use UDP and don't expect answers could work: .2 could syslog to .1, for example.

  • PIX - ACL order

    Hello

    A year ago there was a discussion here about the order in which PIX ACLs are applied.

    There were some different opinions about it.

    Are they applied on a first-match basis like IOS ACLs, or on a best-match basis?

    I remember someone saying that the old conduit statements were applied on a best-match basis.

    Is this right? And what does "best match" mean?

    And what about ACLs?

    If they are not applied "first match", it wouldn't make sense to give them an order in the PDM.

    Another question: I wonder how the PDM can add rules in the middle of the access list without disrupting traffic. In IOS ACLs without sequence numbers, I have to rewrite the entire ACL to change a line in the middle.

    conduits - best match

    ACLs - first match

    Best match means that the PIX will scan all lines and choose the one that *best* matches the traffic (source/destination/ports etc.).

    The PIX does not run IOS. You can remove a line from an ACL without removing the entire ACL.

    Scott

  • My router supports CBAC?

    It seems that some router IOS versions 12.2 or later support CBAC and others do not. Is there something I can look for in sh ver or sh run that tells me whether the IOS supports the IOS Firewall feature set?

    OK, let's try again. I know it can be confusing. In 12.1 images and earlier (I think), you can identify an IOS image that has the CBAC (or IOS Firewall, as it is sometimes referred to) features enabled by finding an 'o' in the image file name. Beginning in 12.2 and later, you can identify it with an 'o3' in the image file name. They both mean the same thing. The image posted was c1600-osy56i-l.121-11.bin. Note the 'o' in the image name after the platform identifier.

    Now, to the FW part. In the software center, for the different IOS images you will see various lengthy feature set descriptions. The feature sets with CBAC enabled will have FW in the description. For example, at http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?get_crypto=&data_from=&hardware_name=1601-1604&software_name=&release_name=12.2.19a&majorRel=12.2&state=:HW:RL&type=limited%20Deployment you can see the following: IP/FW PLUS IPSEC 56

    Note the FW above. This indicates that this link will take you to an image which has the firewall features enabled and also has an 'o' or 'o3' in the image file name.

    Do not confuse the "bootstrap" version of the code with the version of the code that is running on the router. You can go back and review your output. It should be 12.1(11) code for a 1600.

    CBAC was added to IOS in 12.0(5)T and later in the 12.1 mainline as well. All subsequent versions should have CBAC enabled IF an 'o' or 'o3' exists in the image file name.

    I really hope this helps.

    Scott

  • ACL IP and TCP ACL... What is the difference?

    Hello

    I have a few questions on the ACL.

    1. for PIX ACLs, let's say I want to host a web server in the internal network (just to simplify my question), and I do not do PAT, only a static NAT:

    static (inside,outside) 202.188.100.1 10.1.1.1 netmask 255.255.255.0

    access-list acl_out permit tcp any host 10.1.1.1 eq 80

    access-group acl_out in interface outside

    Is the above equivalent to

    static (inside,outside) 202.188.100.1 10.1.1.1 netmask 255.255.255.0

    access-list acl_out permit ip any host 10.1.1.1

    access-group acl_out in interface outside

    2. for IOS ACLs, is it possible to block network A (10.1.1.0/24) from accessing network B (10.1.2.0/24) but allow access from network B to network A? How can I do that?

    Thank you.

    Hello

    1. First of all, your ACL is a little off: you need to permit connections to the public address of your device and not the private one when allowing traffic from the outside.

    The answer to your first question is no: if you specify tcp port 80 in your access list then you allow just that; if you allow ip in your access list then you allow all IP-based protocols, including all TCP ports, all UDP ports and all of ICMP.

    2. You can do this using either the established keyword in your access list or reflexive access lists.

    Network B to A ACL

    ---

    permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

    Network A to B ACL

    ---

    permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 established

    This means that any traffic can pass from network B to network A, however only established connections (packets with the ACK bit set) are admitted from B to A.

    The other method is using reflexive access lists, which are stateful access lists. When traffic moves from one network to the other, a dynamic access list entry is created; traffic is only allowed back into the source network if a dynamic entry with the same source and destination IP information is present in the table. An access list works in one direction, so from A to B; if you wanted to allow B to talk to A you need to configure specific static access list entries.

    HTH

    PJD

  • DMVPN and Internet via hub location issues

    Hello everyone,

    I really hope you can help me with the problem I have.

    Let me explain. I am testing a dual hub, dual DMVPN layout for a client before we set it up in actual production.
    The client has sites where the routers are behind ISP routers that do NAT.

    How things are configured:

    -All spoke traffic must go through the hub location; there is no local Internet traffic on the spokes.
    -Hub 1 and Hub 2 send a default route to the spokes through EIGRP, but only Hub 1 is used.
    -Hub 1 is the main DMVPN router. In case of Internet connection / hardware failure, Hub 2 becomes active for DMVPN and Internet.
    -Hub 1 and Hub 2 are both connected to an ISP and are the Internet gateway for the spokes.
    -Hub 1 and Hub 2 are configured with IOS Firewall.
    -On the spokes I used a VRF to separate the DMVPN routing table from the global routing table, so that I could receive a default route from Hub 1 and Hub 2 to carry the spokes' traffic to the Internet via the hub location.

    What works:

    -All spokes can access the local network at the hub location.
    -All spokes can do spoke-to-spoke.
    -DMVPN failover works.
    -Spokes NOT behind the ISP NAT router (i.e. with the public IP address directly on their external interface) can reach the Internet via the hub location, and all packets are inspected properly by the IOS Firewall and NATed properly.

    What does not work:

    -Spokes behind the ISP NAT router cannot access the Internet via the hub location. They can reach the local network at the hub location and do spoke-to-spoke.
    The IOS Firewall on the hub router shows packets from these spokes (behind NAT) with a source IP address that is the public IP address of the ISP router's outside interface, not the private LAN IP address behind the spoke.
    In addition, the packets are never NATed. If I do a capture on an Internet server, the source IP is the private LAN IP of the LAN behind the spoke. This means that the hub router never NATs these packets.

    How to solve this problem?


    Well, I don't know, that's why I need your help/advice :-)

    I don't know whether I also have to configure a VRF at the hub location, as things might get messed up.

    The problem seems to be related to NAT-T: for the spokes that are behind a NAT and go to the Internet through a hub, Cisco IOS inspection and NAT seem to get confused.

    I tested today with the customer: at first, the spokes behind NAT could ping different servers on the Internet but not open an HTTP session. DNS was found to work. The IOS Firewall was actually inspecting packets with the real private IP address. Then I thought it was an MTU issue, so I decided to do a ping to the Internet with the largest MTU size, and suddenly the pings no longer worked.

    I could see on the Hub1 router that the IOS Firewall was again inspecting the public IP of the ISP NAT router alongside the spokes, and no longer the actual private IP address. Really strange!

    Attached files:

    I attach the following files: a drawing of the setup called drawing-Lab-Setup.jpeg, and all the config files for HUB1, BRANCH1, BRANCH2 and the ISP router, named respectively HUB1.txt, BRANCH1.txt, BRANCH2.txt and ISP-ROUTER.txt.

    Hub1 logs when pinging host 200.200.200.200 on the Internet from Branch2 (behind the ISP NAT router):

    Branch2#ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
    Packet sent with a source address of 192.168.110.1
    .....
    Success rate is 0 percent (0/5)

    *Jul 15 06:04:51.017 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (110.10.10.2:8) -- responder (200.200.200.200:0)

    So the IOS Firewall does not inspect the true private source IP address, which in this case should be 192.168.110.2. It sees the public IP address.

    HUB1#sh ip nat translations
    Pro  Inside global     Inside local       Outside local       Outside global
    icmp 80.10.10.2:1     80.10.10.2:1       100.10.10.2:1       100.10.10.2:1
    icmp 80.10.10.2:2     80.10.10.2:2       110.10.10.2:2       110.10.10.2:2
    udp  80.10.10.2:4500  80.10.10.2:4500    110.10.10.2:4500    110.10.10.2:4500

    There is no NAT entry for these packets.

    Capture on the Tunnel1 interface on Hub1 (incoming packets):

    7 7.355997 192.168.110.1 200.200.200.200 ICMP Echo (ping) request
    So while the IOS Firewall inspected the public IP 110.10.10.2:8, the sniffer capture says the packet comes from the real private IP address.

    Capture on the server (200.200.200.200) with Wireshark:

    114 14.123552 192.168.110.1 200.200.200.200 ICMP Echo (ping) request

    So the private source IP address of the BRANCH2 local network is never NATed by HUB1.

    So the server sees the private source IP address, not NATed, although the Hub1 IOS Firewall inspected the public IP address 110.10.10.2:8.

    Hub1 logs when pinging host 200.200.200.200 on the Internet from Branch1 (not behind the ISP NAT router):

    Branch1#ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
    Packet sent with a source address of 192.168.100.1
    !!!!!

    *Jul 15 06:05:18.217 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.100.1:8) -- responder (200.200.200.200:0)

    So here the firewall sees the actual private IP, which is 192.168.100.1.

    HUB1#sh ip nat translations
    Pro  Inside global     Inside local       Outside local       Outside global
    icmp 80.10.10.2:1     80.10.10.2:1       100.10.10.2:1       100.10.10.2:1
    icmp 80.10.10.2:2     80.10.10.2:2       110.10.10.2:2       110.10.10.2:2
    udp  80.10.10.2:4500  80.10.10.2:4500    110.10.10.2:4500    110.10.10.2:4500
    icmp 80.10.10.2:22    192.168.100.1:22   200.200.200.200:22  200.200.200.200:22

    The real private source IP address is NATed to Hub 1's outside public IP address.

    Capture on the Tunnel1 interface on Hub1 (incoming packets):

    8 7.379997 192.168.100.1 200.200.200.200 ICMP Echo (ping) request

    Same real private IP address as inspected by the IOS Firewall, so all is fine.

    Capture on the server (200.200.200.200) with Wireshark:


    67 10.441153 80.10.10.2 200.200.200.200 ICMP Echo (ping) request

    So here everything is all right. The address is NATed correctly.

    __________________________________________________________________________________________

    Best regards

    Laurent

    Hello

    Just saw your message, I hope this isn't too late.

    I don't know what your exact problem is, but I think we can work through it to understand it.

    One thing I noticed was that your NAT ACL is too general. You need to make it more specific. In particular, you want to make sure that it does not match the VPN traffic coming in to / going out of the router.

    For example, you should not really have any of these entries in your NAT translation table.

    HUB1#sh ip nat translations
    Pro  Inside global     Inside local       Outside local       Outside global
    icmp 80.10.10.2:1     80.10.10.2:1       100.10.10.2:1       100.10.10.2:1
    icmp 80.10.10.2:2     80.10.10.2:2       110.10.10.2:2       110.10.10.2:2
    udp  80.10.10.2:4500  80.10.10.2:4500    110.10.10.2:4500    110.10.10.2:4500

    Instead use:

    ip access-list extended NAT
     deny ip any 192.168.0.0 0.0.255.255 log
     permit ip any any
     deny ip any any log

    Or you can use:

    ip access-list extended NAT
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
     permit ip 192.168.0.0 0.0.255.255 any
     deny ip any any log

    Also, I would be very careful with the use of the "log" keyword in a NAT ACL. I have seen problems.

    What IOS versions are you using?

    Try to make changes to the NAT so that you no longer see the NAT translation entries for NAT-T packets (UDP 4500) in the NAT translation table on the hub. It may be that this puts a flag on the packet structure that IOS Firewall and NAT pick up on and then do the wrong thing in this case.

    If this does not work then let me know.

    Maybe it's something for which you will need to open a TAC case so that we can debug this directly on your installation.

    Mike.

  • VPN IPSec does not work

    I am trying to set up a VPN between a 2901 router and an 831, but I'm not having any success. When I run show crypto isakmp sa, I get this:

    cisco831#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status

    IPv6 Crypto ISAKMP SA

    It doesn't seem to show any sign of life. I can access the Internet OK on both routers, but attempts to ping between the routers' LAN IPs fail. I guess it's a NAT or access-list problem, but I don't know what I'm missing at this point. Here are my configs:

    CISCO 2901
    version 15.0
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log uptime
    service password-encryption
    !
    hostname 2901
    !
    boot-start-marker
    boot-end-marker
    !
    no logging rate-limit
    no logging console
    enable secret XXXXXXXXXXXXXXX
    !
    no aaa new-model
    !
    no ipv6 cef
    no ip source-route
    ip cef
    !
    ip domain name mondomaine.fr
    ip inspect name CBAC tcp
    ip inspect name CBAC icmp
    ip inspect name CBAC udp
    !
    multilink bundle-name authenticated
    !
    username me secret 5 XXXXXXXXXXXXXXX
    !
    redundancy
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mypassword address 173.x.x.x
    !
    crypto ipsec transform-set TRANSFORMSET esp-3des esp-sha-hmac
    !
    crypto map MYVPN 10 ipsec-isakmp
     set peer 173.x.x.13
     set transform-set TRANSFORMSET
     set pfs group2
     match address 199
    !
    interface GigabitEthernet0/0
     description Internet
     ip address 173.x.x.x 255.255.255.248
     ip nat outside
     ip inspect CBAC out
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MYVPN
    !
    !
    interface GigabitEthernet0/1
     description LAN
     no ip address
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/1.1
     encapsulation dot1Q 2
     ip address 192.168.1.1 255.255.255.0
     ip access-group 100 in
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly
    !
    interface GigabitEthernet0/1.2
     encapsulation dot1Q 3
     ip address 192.168.2.1 255.255.255.0
     ip access-group 101 in
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    !
    no ip forward-protocol nd
    !
    ip http server
    ip http secure-server
    ip flow-export source GigabitEthernet0/1.1
    ip flow-export version 5
    ip flow-export destination 192.168.1.5 9996
    !
    ip nat inside source list NAT interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 173.x.x.x
    !
    ip access-list extended NAT
     permit ip 192.168.1.0 0.0.0.255 any
    !
    ip access-list log-update threshold 2147483647
    logging trap debugging
    logging 192.168.1.5
    access-list 199 permit ip 192.168.1.0 0.0.0.255 172.20.0.0 0.0.0.255
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     exec-timeout 480 0
     password 7 XXXXXXXXXXXXXXX
     login local
     transport input ssh
    !
    scheduler allocate 20000 1000
    end
    ************************************************************************
    CISCO 831
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname cisco831
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret XXXXXXXXXXXXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login me local
    !
    !
    aaa session-id common
    !
    !
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.20.0.1
    !
    ip dhcp pool mypool
     network 172.20.0.0 255.255.255.0
     domain-name WR
     dns-server 8.8.8.8
     default-router 172.20.0.1
    !
    ip cef
    no ip domain lookup
    ip domain name mondomaine.fr
    !
    multilink bundle-name authenticated
    username me secret 5 XXXXXXXXXXXXXXX
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mypassword address 173.x.x.x
    !
    crypto ipsec transform-set TRANSFORMSET esp-3des esp-sha-hmac
    !
    crypto map MYVPN 10 ipsec-isakmp
     set peer 173.x.x.x
     set transform-set TRANSFORMSET
     set pfs group2
     match address 199
    !
    archive
     log config
      hidekeys
    !
    interface Ethernet0
     description LAN
     ip address 172.20.0.1 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
    !
    interface Ethernet1
     description Internet
     ip address 173.x.x.13 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     crypto map MYVPN
    !
    interface Ethernet2
     no ip address
     shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 173.x.x.14
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 100 interface Ethernet1 overload
    !
    ip access-list extended Crypto-list
     permit ip 172.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    access-list 100 permit ip 172.20.0.0 0.0.0.255 any
    access-list 199 permit ip 172.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     password 7 XXXXXXXXXXXXXXX
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    A few things that need to be changed:

    CISCO 2901:

    (1) ACL 100 is applied to GigabitEthernet0/1.1, however, I do not see ACL 100 configured in the configuration.

    (2) ACL 101 is applied to GigabitEthernet0/1.2, however, I do not see that ACL 101 exists in the configuration.

    (3) The NAT ACL must exempt traffic between the 2 LANs as follows:

    ip access-list extended NAT
     1 deny ip 192.168.1.0 0.0.0.255 172.20.0.0 0.0.0.255

    CISCO 831:

    (1) ACL 100 is currently applied in 2 sections of the configuration: NAT and Ethernet0. I would create a new ACL for the NAT statement, to which the deny (NAT exemption) should be added, as follows:

    access-list 150 deny ip 172.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 150 permit ip 172.20.0.0 0.0.0.255 any

    ip nat inside source list 150 interface Ethernet1 overload

    no ip nat inside source list 100 interface Ethernet1 overload

    Hope that helps.

  • CCNA security

    I want to know the chapters for ccna security. Can someone help me?

    Thank you


    Hi Chrisandr,

    Here are the details of the CCNA Security course outline:

    Exam 640-554 (CCNA Security)

    Common security threats

    Describe common security threats

    Security and Cisco routers

    Implement security on Cisco routers

    Describe securing the control, management and data planes

    Describe Cisco Security Manager

    Describe IPv4 to IPv6 transition

    AAA on Cisco devices

    Implement AAA (authentication, authorization and accounting)

    Describe TACACS+

    Describe RADIUS

    Describe AAA

    Verify AAA functionality

    IOS ACLs

    Describe standard, extended and named IOS IP access lists (ACLs) to filter packets

    Describe considerations when building ACLs

    Implement IP ACLs to mitigate threats in a network

    Secure network management and reporting

    Describe secure network management

    Implement secure network management

    Common Layer 2 attacks

    Describe Layer 2 security using Cisco switches

    Describe VLAN security

    Implement VLANs and trunking

    Implement spanning tree

    Cisco firewall technologies

    Describe the operational strengths and weaknesses of the different firewall technologies

    Describe stateful firewalls

    Describe the types of NAT used in firewall technologies

    Implement zone-based policy firewall using CCP

    Implement the Cisco Adaptive Security Appliance (ASA)

    Configure Network Address Translation (NAT) and Port Address Translation (PAT)

    Cisco IPS

    Describe Cisco Intrusion Prevention System (IPS) deployment considerations

    Describe IPS technologies

    Configure Cisco IOS IPS using CCP

    VPN technologies

    Describe the different methods used in cryptography

    Describe VPN technologies

    Describe the components of IPsec

    Configure an IOS IPsec site-to-site VPN with pre-shared key authentication

    Verify VPN operations

    Implement Secure Sockets Layer (SSL) VPN using the ASA Device Manager

    Hope this is useful...

    -GI

    Rate if this helps...

  • ASA VPN site-to-site (with NAT) ICMP problem

    Hi all!

    I need to PAT traffic from 192.168.1.0/24 (arriving via the VPN) so that it can reach the remote 151.1.1.0/24 through the 192.168.123.9 router in the DMZ (see diagram).

    It works with this configuration, except for ICMP.

    This is the error: Deny inbound icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)

    Is there a way to do this?

    Thank you all!

    Marco

    ------------------------------------------------------------------------------------

    ASA Version 8.2(2)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 remote-network
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.200.199 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.0.0.2 255.255.255.0
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 0
     ip address 192.168.123.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    object-group network DM_INLINE_NETWORK_1
     network-object 151.1.1.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
    access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
    access-list dmz_access_in extended permit icmp any any
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any dmz
    asdm image disk0:/asdm-625.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 5 192.168.123.229
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.200.0 255.255.255.0
    nat (outside) 5 access-list VPN_NAT outside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
    route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http remote-network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.0.0.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 10.0.0.1 type ipsec-l2l
    tunnel-group 10.0.0.1 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    ------------------------------------------------------------------------------------

    Review the link; you have two ways to let outgoing ICMP through: an ACL or ICMP inspection.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
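    As an added example (not from the original post or from Cisco's documentation), here are the two options named in the reply, written against the ASA configuration posted above: a stateless outside ACL narrowed to ICMP reply types, and stateful ICMP inspection added to the existing global_policy.

```cisco
! Added example, not part of the posted configuration.
!
! Option A: stateless. Replace the blanket "permit icmp any any" on the
! outside ACL with the reply types an inside-initiated ping can produce.
! Any other ICMP arriving on the outside then hits the implicit deny.
no access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
!
! Option B: stateful. Add ICMP inspection to the posted global_policy.
! The ASA now matches each echo-reply to the echo-request that left the
! inside, so the outside ACL needs no ICMP entries for those replies;
! "inspect icmp error" also admits unreachable/time-exceeded messages
! that refer to a connection the ASA is already tracking.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
```

    With option B, `show service-policy inspect icmp` confirms the inspection is active, and `show conn` shows the ICMP connection while a ping is running.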

  • iPhone and iPad can not connect to iMac

    I can't connect my mobile devices to my iMac using Edge Inspect. Edge Inspect runs on my machine and in the browser (the icon lights up in the Chrome toolbar), but when I try to connect my iOS devices via the Edge Inspect app installed on each of them, they do not see my iMac, and any attempt to use "Manual Connect" (with any of the 3 IPs listed in the box in the Chrome plugin's menu) results in an error message:

    "Connection failed, please try again."

    I have the latest version of iOS and the Edge Inspect app running on my iPhone and iPad, OS X 10.8.3, Chrome 26.0.1410.65 with the Edge Inspect plugin running on my iMac, and the latest version of the Edge Inspect app; I checked that port 7682 is open on my iMac. Edge Inspect is shown as allowing incoming connections through my firewall. I tried restarting the Mac; nothing helps.

    TL;DR: I have tried everything I can find online to get the app to work, but my devices cannot 'see' my iMac. Can anyone help?

    (If it matters, I'm behind a BT Home Hub 3.0 on my home network.)

    Solved the problem - all I had to do was restart my router. Schoolboy error!

  • IOS Firewall (CBAC) + Path MTU Discovery

    I was just reading through the 12.2T CBAC documentation and saw the section on ICMP inspection and how it wildcards the outside IP address, because any hop along the path could return a Time Exceeded or Destination Unreachable response.

    That made me wonder whether this is true for TCP as well, especially in situations involving Path MTU Discovery. If an internal system initiates an outgoing TCP connection that is inspected by the IOS FW, and an external host responds with an ICMP "Fragmentation Needed but DF Bit Set" message, will the router consider this part of the session and send it to the internal host?

    Thanks in advance.

    -Mason

    Mason,

    ICMP inspection by CBAC does not include 'packet-too-big' packets. Therefore, you must explicitly permit these packets in your ACL for PMTUD to work, as the router would not consider these packets part of the TCP session and would drop them.

    See the link below for the types of ICMP packets supported by CBAC.

    http://www.Cisco.com/en/us/products/ps6350/products_configuration_guide_chapter09186a0080455b0d.html

    HTH,

    Sundar
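    As an added example (not from the thread), this is what Sundar's advice looks like in an IOS CBAC configuration: inspection applied outbound on the outside interface, with the inbound ACL explicitly permitting the ICMP error messages CBAC does not open holes for, packet-too-big included. The inspect and ACL names and the interface are assumptions.

```cisco
! Added example, not from the thread. Names and interface are assumed.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT icmp
!
ip access-list extended OUTSIDE_IN
 remark Packet-too-big (ICMP type 3 code 4) is not covered by CBAC
 remark ICMP inspection, so PMTUD needs it permitted explicitly
 permit icmp any any packet-too-big
 remark Time-exceeded and unreachable, as in the SDM-generated ACL
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Everything else relies on the temporary entries CBAC adds
 remark in front of this ACL for sessions initiated from the inside
 deny ip any any log
!
interface FastEthernet4
 ip access-group OUTSIDE_IN in
 ip inspect FW_OUT out
```

    `show ip inspect sessions` lists the connections CBAC is tracking, so you can confirm an outbound TCP session is inspected before checking that large transfers survive a path with a smaller MTU.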

  • Traffic generated by router IOS inspect IPv6

    I am trying to configure deep packet inspection for IPv6 on a 2911 router (IOS 15.1(2)T5), but I am not able to inspect the traffic generated by the router. There is no option "ipv6 inspect name xxxx udp router-traffic" as in IPv4. So I am unable to ping from the router to a remote host.

    I could solve the ping problem simply by adding a "permit icmp any any echo-reply" to my ACL, but I still can't access TCP- or UDP-based services (DNS, HTTP, ...).

    Does anyone know if it is possible to enable inspection of router-generated IPv6 traffic, or is there another solution to this problem? If so, how can I do it?

    Partial configuration:

    ipv6 unicast-routing
    !
    ipv6 inspect name SPI_DIALER1_OUT tcp
    ipv6 inspect name SPI_DIALER1_OUT udp
    ipv6 inspect name SPI_DIALER1_OUT icmp
    ipv6 inspect name SPI_DIALER1_OUT ftp
    !
    interface Dialer1
     ipv6 inspect SPI_DIALER1_OUT out
     ipv6 traffic-filter acl6_dialer1_in in
    !
    ipv6 access-list acl6_dialer1_in
     sequence 10 permit icmp any any nd-ns
     sequence 20 permit icmp any any nd-na
     sequence 30 permit icmp any any router-advertisement
     sequence 40 permit icmp any any echo-reply
     deny ipv6 any any log

    Cisco's old IOS 'inspect' feature has indeed been deprecated. You should use the zone-based firewall now.

    Here is the guide for the IPv6 zone-based firewall.

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_data_zbf/configuration/XE-3s/sec-data-ZBF-XE-book/sec-ZBF-IPv6.html

    If you want to get up to speed faster with the IPv4 zone-based firewall, try my Config Wizard and copy the bits you need.

    http://www.IFM.NET.nz/cookbooks/890-ISR-Wizard.html

  • IPS/ACL/ZBF precedence on router IOS

    I have a number of 891 routers deployed for VPN connectivity to a central site. The routers have an ACL, zone-based firewall and IOS IPS configured on their public interfaces. They run IOS Universal 15.1.1. They have been for more than six months.

    Last week I started seeing logs like this from the IPS instance:

    Jan 12 09:51:21 ss260 378: Jan 12 15:51:20.551: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN packet [<source I can't identify>:25 -> <MY-ROUTER-IP>:25] VRF:NONE RiskRating:100

    I know that the interface ACL is processed before the ZBF. I was assuming that IPS happens after the ACL as well, but this packet should never have gotten past my ACL. The ACL only allows ESP, IKE, SSH and pings, and then only if they are from about half a dozen source IPs. The source of the triggering packet is NOT among those permitted.

    Because my ACL drops all unencrypted traffic (with the exception of the pings I generate), I really didn't expect the IPS instance to see anything likely to trigger an alert, and until last week that was true.

    So far, all the logs are for the same SYN/FIN signature. Is that signature a special case for some reason, or can I expect to see alerts whenever a packet that the ACL will block anyway matches a signature?

    Hello

    First of all, I noticed that the packets dropped by IPS have source and destination port 25 - weird ;-)

    If you are interested in the order of operations with the new CEF code, you can check 'show cef interface INTERFACE_NAME IFC_NUMBER'; it is reliable and lists the features in the order they are applied, but perhaps in more detail than you need ;-)

    Router#sh cef interface fa0/0
    FastEthernet0/0 is down (if_number 4)
      Corresponding hwidb fast_if_number 4
      Corresponding hwidb firstsw->if_number 4
      Internet address is 10.1.1.1/24
      ICMP redirects are always sent
      Per packet load-sharing is disabled
      IP unicast RPF check is disabled
      Input features: Access List
      Output features: Firewall (NAT), Firewall (inspect)
      Inbound access list is 101
      Outbound access list is not set
      IP policy routing is disabled
      BGP based policy accounting on input is disabled
      BGP based policy accounting on output is disabled
      Hardware idb is FastEthernet0/0
      Fast switching type 1, interface type 18
      IP CEF switching enabled
      IP CEF switching turbo vector
      IP CEF turbo switching turbo vector
      IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
      Input fast flags 0x1, Output fast flags 0x0
      ifindex 3(3)
      Slot  Slot unit 0 VC -1
      Transmit limit accumulator 0x0 (0x0)
      IP MTU 1500

    HTH,

    Marcin

  • CBAC with several inspection rules

    Hello

    My customer is replacing an ASA/PIX IPsec hub-and-spoke network with a DMVPN network built on 2921/881 routers.

    All the security (ACL/CBAC) will run on the Cisco 2921 at the hub site. I have attached a simplified topology drawing of the HUB interfaces:

    As you can see in the picture, there are 5 active interfaces on the Cisco 2921:

    LAN INT

    DMZ INT

    VIRTUAL INT

    TUNNEL INT

    WAN INT

    All interfaces have an ACL applied to them in the inbound direction. So I have the following ACLs:

    INSIDE_OUT for LAN INT (manages traffic from the LAN to DMZ, DMVPN, Internet and remote VPN clients)

    DMVPN_INSIDE_OUT for TUNNEL INT (manages traffic from DMVPN to LAN and WAN)

    VIRTUAL_INSIDE_OUT for VIRTUAL INT (manages traffic from remote VPN users to DMVPN, LAN and WAN)

    DMZ_INSIDE_OUT for DMZ INT (open for ICMP to the Internet and to a server on the LAN)

    INSIDE_IN for WAN INT (deny all apart from ICMP, ESP, ISAKMP, etc.)

    Currently, I have the following 2 CBAC rules:

    IP INSPECT NAME IN_OUT applied outbound on WAN INT

    IP INSPECT NAME OUT_IN_DMZ applied inbound on WAN INT (to allow return traffic for sessions initiated from the Internet to the DMZ)

    But now I think that, as on an ASA, to have all traffic handled statefully I have to configure an inspect rule inbound on each interface, or am I completely wrong?

    For example, if I want a LAN server to communicate with a server on the DMZ, do I need to inspect inbound on the LAN interface to allow the return traffic from the DMZ to the LAN? Which means I need a third inspection rule, no?

    Kind regards

    Laurent

    Laurent,

    Ideally, you'd have inspection on all inbound interfaces.

    However, I think that you are trying to overcomplicate things (dare I say).

    Your problem would be solved by adding a dedicated firewall to your design and terminating, for example, the remote VPN on it.

    This would substantially reduce the burden on the DMVPN routers in the case of PPE or future growth, and would allow you to do real packet filtering on a device that is actually meant to be stateful.

    I will attach a picture in a moment of what I have in mind.

    Marcin

    Edit: adding a hastily drawn diagram.
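    As an added example (not from the thread), this is what the third inspection rule Laurent asks about would look like on the 2921: CBAC applied inbound on the LAN interface, so that LAN-initiated sessions to the DMZ get their return traffic through the DMZ interface's inbound ACL, which itself permits only what the DMZ may initiate. Interface numbers, addresses and the DMZ server's port are assumptions.

```cisco
! Added example, not from the thread. Interface numbers, addresses
! and the port on the DMZ server are assumed.
ip inspect name LAN_IN tcp
ip inspect name LAN_IN udp
ip inspect name LAN_IN icmp
!
interface GigabitEthernet0/0
 description LAN INT
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_OUT in
 ! Inspect what the LAN initiates; CBAC then opens the return path
 ! through the inbound ACL of whichever interface the reply arrives on
 ip inspect LAN_IN in
!
interface GigabitEthernet0/1
 description DMZ INT
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ_INSIDE_OUT in
!
ip access-list extended DMZ_INSIDE_OUT
 remark Only sessions the DMZ itself may start; replies to
 remark LAN-initiated sessions pass via CBAC's dynamic entries
 permit icmp any any
 permit tcp host 192.0.2.10 host 10.1.1.10 eq 1433
 deny ip any any log
```

    The same pattern (inspect inbound on the interface where sessions originate, static ACL inbound where the replies arrive) repeats for the TUNNEL and VIRTUAL interfaces, which is the "inspection on all inbound interfaces" Marcin describes.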
