Posts Tagged ‘ios’
Have you ever been on your GradedLabs rack of equipment and wanted to test a particular feature or set of configurations, but you certainly do not want to keep these changes on the rack? Perhaps this is because you are right in the middle of solving a Volume 2 lab and you certainly cannot have that configuration impacted.
Thanks to the very handy config replace command, you can easily rollback almost instantly to your previous saved configuration after your experimenting. Here is a demonstration of just how simple this is. Enjoy, and let us give thanks for all there is to learn on blog.ine.com! I also want to thank my good friend Keith Barker for first showing me this one.
Rack29R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Rack29R1(config)#hostname TEST TEST(config)#interface fastethernet0/0 TEST(config-if)#ip address 18.104.22.168 255.0.0.0 TEST(config-if)#no shut TEST(config-if)#end TEST# TEST#config replace nvram:startup-config force Total number of passes: 1 Rollback Done Rack29R1# Rack29R1#show run interface fa0/0 Building configuration... Current configuration : 83 bytes ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto end Rack29R1#
For many of you geeks and nerds out there like me (I’ll take a poll as to which one is better at another time), you’ve worked with some *NIX flavor for many years now. For others of you, you have most likely dabbled with various Linux distro’s and have come to know commands as needed. One extremely powerful tool that you may or may not have come across during your years is SED or the Stream Editor (sometimes referred to as the String Editor as well). This tool can take input from stdin and manipulate it as it leaves via stdout.
For those of you that have used SED in the past, you will certainly notice some similarities to the Cisco set of commands known fondly to many voice folks as Voice Translation Rules, and given your ability to pick out the differences, may help you in your quick adaptation to Cisco’s iteration of this tool.
For those of you that have not ever used this tool, take no worry. For in these next series of blog posts I will attempt to break down not only the components of Voice Translation Rules, but of the overall science of Digit Manipulation in IOS, into bite-sized chunks that will help you to digest it much easier. Continue Reading
we have just uploaded the initial update of IEWB-SC VOL1 “VPN” section to all subscribed accounts. The update contains 15 new labs listed below:
LAN-to-LAN VPN between IOS and ASA
IPsec and NAT Interaction in ASA Firewall
Peer Authentication using Digital Signatures
ASA Tunnel Group Names
ASA Certificate Mapping Rules
Filtering traffic inside LAN-to-LAN tunnels
LAN-to-LAN tunnel between IOS Routers
IOS IPsec NAT Traversal
IOS IKE Aggressive Mode
VPN between Overlapping Subnets
IOS VPN with Digital Signatures Authentication
IOS Certificate Access Lists
Virtual Tunnel Interfaces
GRE over IPsec
The following labs are in process of being developed should be available soon. Notice that there might be more labs than currently are on the list.
IOS ezVPN Server
IOS ezVPN Server with RADIUS
IOS ezVPN Server with Digital Certificates
IOS ezVPN Remote
ASA ezVPN Server
ASA ezVPN Server with RADIUS
ASA ezVPN Server with Digital Certificates
IOS Clientless SSL VPN
IOS SSL VPN
ASA SSL VPN
ASA Clientless SSL VPN
ASA L2TP over IPsec
IPSec High Availability
The next thing you guys would see updated is the long-awaited IEWB-RS VOL1 v5.0 “BGP” section
General Logic Overview
When establishing a VPN tunnel, ASA firewall matches tunnel-group names based on the following criteria list:
1) Using the IKE ID presented by the remote peer. It may be an IP address (default) or hostname. In some cases this might be an ezVPN group name, for example when you are using Cisco ezVPN client or ezVPN Remote feature.
2) Using the OU (Organization Unit) field from the DN found in digital certificate presented by the peer OR by using the certificate mapping rules. This only works when ISAKMP phase uses digital signatures for authentication. Certificate mapping rules translate the DN (distinguished name) found in the certificate to the tunnel-group name.
3) Using the remote endpoint’s IP address. It’s the last resort rule, and this is the only way to match the identity with PSK (pre-shared keys) and IKE Main Mode.
Recall that IKE uses either of two modes of operation for Phase 1: Main Mode (default) and Aggressive Mode:
a) Main Mode (MM), which is mandatory per the RFC – creates an encrypted channel before exchanging the identities.
b) Aggressive Mode (AM), which is quicker than Main Mode, exchanges endpoint IDs in “clear text”, while performing DH (Diffie Hellman) exchange and establishing the secure channel. AM is less secure than MM is thus should be less preferred. However, there are some properties that make AM uniquely useful.
IKE MM with PSK
There are some important consequences of MM behavior, when implementing authentication based on pre-shared keys (PSK). When pre-shared keys are used for authentication, they are also used to generate the shared encryption key for ISAKMP SA (along with the DH generated key). This feature is very important to prevent man-in-the middle attacks. When ISAKMP responder receives a MM proposal from initiator and choses authentication based on pre-shared keys, it should generate the shared encryption key. This procedure requires knowing the PSK of the remote peer in advance. However, the responder does NOT know the IKE ID of the initiator yet, only its IP address. Therefore, the only way to select the proper pre-shared key in MM is by looking the key in the database based on the initiator’s IP address. Even if you use of hostnames for IKE IDs with PSK authentication, the keys and tunnel-group names are still matched based on the IP addresses. This is the unique “feature” of ISAKMP MM with PSK.
IKE MM with digital signatures
Now consider the case when you are using IKE MM along with digital signatures (RSA sigs) authentication. In this situation, session encryption key is not derived based on the pre-shared authentication key. Thus, the respondent that accepts the policy based on digital signatures may delay the proper tunnel-group selection until it learns the IKE ID of the initiator. More than that, it may use the information from the DN field of the digital certificate presented by the initiator for more detailed matching. With the default configuration, the subject’s OU field in the certificate is used to match the tunnel group names, but it is possible to set up flexible mapping rules.
In ASA firewall, the following default commands enable tunnel-group name lookup based on the OU (first) than IKE-ID (if present) and finally the Peer IP address:
tunnel-group-map enable ou tunnel-group-map enable ike-id tunnel-group-map enable peer-ip
IKE AM and names matching
When the responding node receives an AM proposal, the proposal already contains the initiator’s IKE ID, regardless of the authentication method selected. The IKE ID might be an IP address or hostname or just any text string – e.g. ezVPN group name. The responder may use it to match the local tunnel-group and pre-shared key if needed. Thus, you may utilize tunnel-group names based on hostnames with IKE AM even with PSK authentication.
Activating IKE AM
IKE AM is automatically enabled with some VPN features, such as ezVPN remote. In order to engage AM negotiation in ASA firewalls manually, use the command crypto map [TAG] [SEQ#] set phase1-mode aggressive. Enabling this feature in IOS is a bit more trickier. You should configure an ISAKMP profile first and then use it with a crypto map similar to the following:
crypto isakmp profile AGGRESSIVE initiate mode aggressive self-identity fqdn keyring default ! crypto map VPN isakmp-profile AGGRESSIVE crypto map VPN 10 ipsec-isakmp
You may globally disable AM in Cisco IOS router using the command crypto isakmp aggressive-mode disable or using the command isakmp am-disable in ASA firewall. This will prevent the devices from ever accepting or initiaing any IKE AM connections.
What happens if none of the configured tunnel groups matches? In this case, the firewall would use the default group that is always present in the system: DefaultRAGroup. Thus, if you don’t have a specific group configured for the remote endpoint, but the authentication using the default group succeeds, the system will use the default policy for the new tunnel. In case you wonder, you may change the default tunnel-group name using the command tunnel-group-map default-group <NAME> and specify your own group.
Certificate Mapping Rules
When using digital signatures authentication, ASA firewall supports certificate mapping rules to translate issuer and subject names in the certificate to the tunnel-group name. The rules are configured using the command crypto ca certificate map [<NAME>] <SEQ#>. If no name is specified, the default map named DefaultCertificateMap is used for this purpose. Every entry in this map matches either part of issuer or subject DN in the certificate. For example
crypto ca certificate map MYMAP 10 issuer-name attr cn eq IESERVER1 subject-name co R3
You may match the DN as a whole string, without specifying any particular attribute like the second line in the above example does. When you have the map configured, you need to perform the following two steps:
1) Enable the mapping rules using the command tunnel-group-map enable rules.
2) Configure certificate map to tunnel-group mapping using the global commands tunnel-group-map [<NAME>] <SEQ#> <Tunnel-Group-Name>.
You may repeat the second step how many times you want to map the particular entry to a tunnel group that exists in the sytem. If you don’t specify the name for the certificate map, the default is DefaultCertificateMap used. Notice that OR logic is implemented by mapping multiple certificate map entries to the same group. Thus, any of the matching entries will result in the incoming session being matched on the same group.
As we well know, one of the best features of Cisco IOS is the parser’s context sensitive help and tab-completion when typing in configuration or verification commands. One of the lesser known features related to this, however, is the ability to view all officially supported commands available in the parser on a per-mode basis on the CLI via the show parser dump command.
show parser dump lists all commands in exec mode, global configuration mode, route-map mode, etc. prefixed by the privilege level of the command. This includes the negation (e.g. “no router rip”) and the default (e.g. “default interface”) in addition to the actual command and its arguments. The advantage of this output is that you can quickly find the complete syntax for a command, or set of commands, just by filtering through the parser dump.
For example let’s take a look at the output of the “show parser dump route-map”, which shows us all commands under the route-map subconfiguration mode.
IOS Local AAA is one feature that is often overlooked for some reason. It allows turning your router into almost full-functional AAA server, allowing not only local authentication of remote VPN users but also local authorization for protocols like PPP (used with PPTP/PPPoE or dialup) or IKE (used with ezVPN). Best of all, you can use per-user attribute lists with PPP (alas, it does not seem to work with IKE). With per-user attribute-lists you can apply specific configuration policy with maximum granularity. First, here is the link from Cisco’s documentation site, just for your information:
Next, the syntax for using per-user AAA is relatively straightforward. First, you create an AAA attribute list using the command aaa attribute list:
Although these two articles aren’t CCIE preparation related I think they both are interesting for us Cisco nerds
Hacker writes rootkit for Cisco’s routers
FBI Fears Chinese Hackers Have Back Door Into US Government & Military