Archive for January, 2010

T-50 | More videos + Big doubts cleared!

Hello All,

I’m really relieved that I’m done with all the group-locking / group authorization / XAUTH of EZVPNs using ACS and local configuration. These fall under task numbers 2.18 to 2.28 of the INE Vol. 1 lab workbook.

Today I’m going to share with you a video I made regarding the group-locking feature on the ASA. Today I’m only going to be posting the local group-lock configuration, but tomorrow I’m going to be posting the one where we use the ASA as well.

Here you go!

I hope this helps! Thanks a lot for watching and I’d appreciate any comments! :)

And here’s the config for the ASA:

PIX Version 8.0(4)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif out
security-level 0
ip address 11.0.0.12 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 136.1.120.12 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 136.1.100.12 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list VPN_ACL extended permit ip any any
access-list VPN_ACL extended permit ip 136.1.120.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu out 1500
mtu dmz 1500
ip local pool VPN_POOL 20.0.0.1-20.0.0.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group VPN_ACL in interface out
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN_DYNA 10 set transform-set VPN_TRANS
crypto dynamic-map VPN_DYNA 10 set security-association lifetime seconds 28800
crypto dynamic-map VPN_DYNA 10 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_DYNA
crypto map VPN_MAP interface out
crypto isakmp enable out
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GP_1 internal
group-policy GP_1 attributes
vpn-tunnel-protocol IPSec
group-lock value VPN_USERS_2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ACL
username tacack password QSJpFq2FSZtsqs5L encrypted
username tacack attributes
group-lock value VPN_USERS_1
tunnel-group VPN_USERS_1 type remote-access
tunnel-group VPN_USERS_1 general-attributes
address-pool VPN_POOL
default-group-policy GP_1
tunnel-group VPN_USERS_1 ipsec-attributes
pre-shared-key *
tunnel-group VPN_USERS_2 type remote-access
tunnel-group VPN_USERS_2 general-attributes
address-pool VPN_POOL
default-group-policy GP_1
tunnel-group VPN_USERS_2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
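The config above carries a group-lock in two places: on the username (tacack is locked to VPN_USERS_1) and on the group-policy GP_1 (locked to VPN_USERS_2), while both tunnel-groups use GP_1 as their default policy. As an added example that is not part of the original post or any Cisco code, the script below parses the relevant lines and works out which tunnel-group each user can actually land in. It assumes (not stated on the page) that a username-level `group-lock value` overrides the one inherited from the tunnel-group's default group-policy, and that a session whose effective lock names a different tunnel-group than the one the client connected to is rejected. The config text is a constructed excerpt of the post's config with one extra user, `tacack_2`, added without user-level attributes to show inheritance; `parse_asa`, `effective_lock` and `lock_matrix` are the example's own names.

```python
"""Added example: evaluate ASA group-lock inheritance from a config excerpt.
Not from the original post. Assumes username attributes override the
tunnel-group's default group-policy, and that a lock naming a different
tunnel-group than the one connected to rejects the session."""

from typing import Dict, Optional

# Constructed excerpt of the post's ASA config (tacack_2 added for contrast).
ASA_CONFIG = """\
group-policy GP_1 internal
group-policy GP_1 attributes
 vpn-tunnel-protocol IPSec
 group-lock value VPN_USERS_2
username tacack password QSJpFq2FSZtsqs5L encrypted
username tacack attributes
 group-lock value VPN_USERS_1
username tacack_2 password cisco
tunnel-group VPN_USERS_1 type remote-access
tunnel-group VPN_USERS_1 general-attributes
 address-pool VPN_POOL
 default-group-policy GP_1
tunnel-group VPN_USERS_1 ipsec-attributes
 pre-shared-key *
tunnel-group VPN_USERS_2 type remote-access
tunnel-group VPN_USERS_2 general-attributes
 address-pool VPN_POOL
 default-group-policy GP_1
tunnel-group VPN_USERS_2 ipsec-attributes
 pre-shared-key *
"""


def parse_asa(config: str) -> Dict[str, Dict[str, dict]]:
    """Collect group-policy locks, username locks and tunnel-group -> policy
    bindings. Sub-commands are recognised by keyword, not indentation, so a
    flattened paste like the one in the post parses the same as a real one."""
    policies: Dict[str, dict] = {}
    users: Dict[str, dict] = {}
    tunnel_groups: Dict[str, dict] = {}
    ctx: Optional[tuple] = None  # (kind, name) of the attributes block we are in
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":
            continue
        if words[0] == "group-policy":
            policies.setdefault(words[1], {})
            ctx = ("policy", words[1]) if words[-1] == "attributes" else None
        elif words[0] == "username":
            users.setdefault(words[1], {})
            ctx = ("user", words[1]) if words[-1] == "attributes" else None
        elif words[0] == "tunnel-group":
            tunnel_groups.setdefault(words[1], {})
            ctx = ("tg", words[1]) if words[-1] == "general-attributes" else None
        elif ctx is None:
            continue  # some other top-level command; nothing to record
        elif words[:2] == ["group-lock", "value"] and ctx[0] in ("policy", "user"):
            (policies if ctx[0] == "policy" else users)[ctx[1]]["group-lock"] = words[2]
        elif words[0] == "default-group-policy" and ctx[0] == "tg":
            tunnel_groups[ctx[1]]["policy"] = words[1]
    return {"policies": policies, "users": users, "tunnel_groups": tunnel_groups}


def effective_lock(parsed, user: str, tunnel_group: str) -> Optional[str]:
    """Lock that applies to `user` on `tunnel_group`: the username attribute if
    set, else the one inherited from the tunnel-group's default group-policy,
    else None (no lock)."""
    user_lock = parsed["users"].get(user, {}).get("group-lock")
    if user_lock:
        return user_lock
    policy = parsed["tunnel_groups"].get(tunnel_group, {}).get("policy")
    return parsed["policies"].get(policy, {}).get("group-lock")


def allowed(parsed, user: str, tunnel_group: str) -> bool:
    """A session is accepted only if no lock applies or the lock names the
    tunnel-group the client connected to."""
    lock = effective_lock(parsed, user, tunnel_group)
    return lock is None or lock == tunnel_group


def lock_matrix(parsed) -> Dict[str, Dict[str, bool]]:
    """user -> {tunnel-group: may connect?} for every user and tunnel-group."""
    return {u: {tg: allowed(parsed, u, tg) for tg in parsed["tunnel_groups"]}
            for u in parsed["users"]}


if __name__ == "__main__":
    for user, row in lock_matrix(parse_asa(ASA_CONFIG)).items():
        print(user, row)
```

Under these assumptions tacack gets VPN_USERS_1 only, as intended, but tacack_2 inherits GP_1's lock on both tunnel-groups and is therefore refused on VPN_USERS_1 and accepted only on VPN_USERS_2. Running a check like this over a config is a cheap way to catch a shared group-policy carrying a lock that silently excludes every user without a username-level override.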

Cheers,

TacACK


T-52 | IOS VPN TOUGH TASKS!

Wow, I had so much fun yesterday. I’d set out to learn certain hard aspects of VPN configuration. The difficult concepts that I wanted to learn were:

IOS

  • EZVPN using ACS for Group Authorization and XAUTH
  • EZVPN using ACS for Group-lock features
  • EZVPN using PKI for per-user AAA
  • AnyConnect VPN

ASA

  • EZVPN using ACS for Group Authorization and XAUTH
  • EZVPN using ACS for Group-lock features
  • EZVPN using PKI for per-user AAA
  • AnyConnect VPN

Unfortunately, because these were hard topics, I took more time than expected and could only complete 2 of the tasks under the IOS section. I tried doing the EZVPN-using-PKI lab scenario, but I kept facing an error when I tried to enroll the Cisco VPN client with the CA. I’ll get this resolved and post my config soon!

TOPOLOGY

Setting up basic EZVPN between TEST and R1 was pretty straightforward. The parameters that I used were:

  • Encryption: 3DES
  • Hash: MD5
  • Group: 2
  • Authentication: PSK
  • Address pool: 20.0.0.1 – 20.0.0.254
  • Split ACL: tunnel traffic to subnet 136.1.120.0/24

First, I established an EZVPN tunnel using “LOCAL” group authentication and XAUTH. Later I added local “group-locking” on top. Until yesterday this feature was always a source of confusion, and luckily I figured it out yesterday. So here’s something I wrote. I hope this helps.

Here’s the simple concept. I’ll explain it using an example:

  • Let’s assume that you have 2 groups that the users VPN’ing in can connect to, namely VPN_USERS_1 and VPN_USERS_2.
  • Let’s also assume that you have 2 users, tacack and tacack_2, both with a password of cisco.
  • By default, when you configure EZVPN, either user can pick whichever group they want to connect to, and if they know the group’s password, they can connect to that group.
  • But sometimes we have access restrictions placed on certain groups, and we might only want tacack to connect to VPN_USERS_1 and tacack_2 to connect to VPN_USERS_2.
  • This is where GROUP-LOCK comes into the picture.
  • The steps we need to follow to enable GROUP-LOCK are simple. Here they are:
    • Configure the usernames to be used for XAUTH. By default we would configure the username as “tacack” with any password. But now, to ensure that group-lock is enforced, we need a way of “attaching” the username to a single group name. That’s done with the @ character: we configure the username as “tacack@GROUP_NAME” with the same password, and when entering the XAUTH credentials during login, we enter the username as “tacack@GROUP_NAME”. When the router receives the username from the VPN client, and group-lock is turned on (see the next step), it strips the group name from the string and compares it with the group names already present on the EZVPN server. If the group names match, the EZVPN tunnel is allowed.
    • Enter the “group” configuration and enter the keyword “group-lock”. This command instructs the EZVPN server (R1) to check whether the user trying to connect to the group is actually allowed (authorized) to connect to that particular group: it tells the EZVPN server to strip the incoming username and authenticate the group name present in that username. Once you configure this command, the users trying to connect to this group MUST have their username configured in the username@group-name format, otherwise they fail authentication. The beauty of this enforcement is that users can now only connect to the one particular group they are authorized for.

      crypto isakmp client configuration group VPN_USERS_1
       group-lock
      crypto isakmp client configuration group VPN_USERS_2
       group-lock
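To make the two steps above concrete, here is an added example (not code from the original post, and not Cisco's implementation) that models how an IOS EZVPN server would evaluate a login once `group-lock` is configured under a group: group authentication with the group's PSK first, then XAUTH, where a locked group requires the `user@group` form and the `@` suffix must equal the group the client authenticated against. The group names, user names and the password "cisco" come from the post; the group pre-shared keys, the extra `VPN_OPEN` group (group-lock off, to show the default behaviour for contrast), the plain `tacack` entry and the `EzvpnServer` class are constructed for this example.

```python
"""Added example: model of IOS EZVPN group-lock evaluation during XAUTH.
Not from the original post; PSKs, the VPN_OPEN group and the plain "tacack"
entry are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class EzvpnServer:
    # group name -> {"psk": group password, "group_lock": bool}
    groups: Dict[str, dict]
    # local XAUTH username (user@group where group-lock applies) -> password
    users: Dict[str, str]

    def group_auth(self, group: str, psk: str) -> bool:
        """Group authentication: the client names a group and proves the PSK."""
        entry = self.groups.get(group)
        return entry is not None and entry["psk"] == psk

    def xauth(self, group: str, username: str, password: str) -> Tuple[bool, str]:
        """XAUTH plus the group-lock check: with group-lock on, the username
        must carry @<group> and that suffix must equal the group the client
        authenticated against."""
        entry = self.groups.get(group)
        if entry is None:
            return False, "unknown group"
        if self.users.get(username) != password:
            return False, "bad XAUTH credentials"
        if not entry["group_lock"]:
            # Without group-lock the username is used verbatim: any group
            # whose PSK the user knows is reachable.
            return True, "group-lock off, any group allowed"
        if "@" not in username:
            return False, "group-lock on: username must be user@group"
        user_part, _, locked_group = username.rpartition("@")
        if locked_group != group:
            return False, f"{user_part} is locked to {locked_group}, not {group}"
        return True, f"{user_part} authorized for {group}"

    def connect(self, group: str, psk: str, username: str, password: str) -> Tuple[bool, str]:
        """Full client login: group authentication first, then XAUTH."""
        if not self.group_auth(group, psk):
            return False, "group authentication failed"
        return self.xauth(group, username, password)


# Constructed server state mirroring the post's scenario.
SERVER = EzvpnServer(
    groups={
        "VPN_USERS_1": {"psk": "grp1-psk", "group_lock": True},
        "VPN_USERS_2": {"psk": "grp2-psk", "group_lock": True},
        "VPN_OPEN": {"psk": "open-psk", "group_lock": False},
    },
    users={
        "tacack@VPN_USERS_1": "cisco",
        "tacack_2@VPN_USERS_2": "cisco",
        "tacack": "cisco",  # plain entry, only usable where group-lock is off
    },
)

if __name__ == "__main__":
    for args in [
        ("VPN_USERS_1", "grp1-psk", "tacack@VPN_USERS_1", "cisco"),
        ("VPN_USERS_2", "grp2-psk", "tacack@VPN_USERS_1", "cisco"),
        ("VPN_USERS_1", "grp1-psk", "tacack", "cisco"),
        ("VPN_OPEN", "open-psk", "tacack", "cisco"),
    ]:
        print(args[2], "->", args[0], SERVER.connect(*args))
```

The second and third cases are the ones the post is about: tacack@VPN_USERS_1 knowing VPN_USERS_2's PSK is still refused because the suffix does not match, and a plain "tacack" entry is refused on any locked group because it carries no group at all.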

I really hope that made sense; if not, please feel free to send me an e-mail and I’ll gladly provide a better explanation.

Next came EZVPN group and XAUTH using the ACS. I thought that explaining this would be cumbersome, so I made a crude video. The production and narration are pretty poor, so please forgive me :) . You can find that below (Part 1 and Part 2).

Now, for implementing group-lock using ACS, I made a small video and I’ve split it into 2 parts. You can find those below.

Yesterday was awesome! Although I could manage only 2 tasks, I still felt like I made a lot of progress ‘coz these were all “TABOO” topics for me and I’ve managed to understand them well :)

Today I’ll be doing the ASA config + AnyConnect VPN configuration (as I’d promised yesterday).

I hope this helps, and I hope you’re as excited as I am to nail VPNs! :)

Cheers,

TacACK

P.S.: I’ll be on Google Wave every day between 6 PM and 12 PM IST (i.e. 12:30 PM to 6:30 PM UTC). You can catch me there. My Wave ID is “ybnmts at googlewave.com”. Ryan (of www.routsec.com fame) will be there too, and he’s a very knowledgeable and helpful guy! Catch you there!


T-53 | Waving and VPNing!

Ah, feels great to be blogging again! Couldn’t wait for this. I’ve a couple of things planned out for today:

  • I spent some time in the morning making a little video about Google WAVE and how I use it for effective communication and collaboration during my practice labs. I’ve found it to be a very, very useful tool and I would urge you to give it a try :) . Here’s the little video I made.
  • Please feel free to comment/mail me regarding any questions on how to effectively lab using Google WAVE.
  • For the rest of the day, I want to focus on some aspects of VPNs which have been troubling me for a long time. They are as follows:
    • EZVPN
      • Group locking
      • Authorization and XAUTH using ACS
      • Certificate-based authentication between the VPN client and the EZVPN server
      • Try this on both IOS and the ASA
    • ANYCONNECT VPN
      • Iron out some of the doubts that I have regarding these.
      • I had a couple of people asking me some doubts regarding this, so I’ll try and document my efforts as best as possible :)
      • Try this on both IOS and the ASA
    • CONTROL PLANE SECURITY
      • I want to revise and study some of the stuff that I’ve already done and hopefully post some interesting stuff that I found here.

You can catch me on the WAVE most of the time; if I’m not there, either Ryan (www.routsec.com) or Paul (www.packetu.com) will be there, and they’re super helpful guys :)

I’ll update this post again this evening.

Cheers,

TacACK


Written Done!

I’m happy today! I’ve cleared the first hurdle towards a dream I’ve had for a long time now.

I passed the CCIE-Security written yesterday! :)

I’m not going to get into what I saw in the exam today. I’d suggest going through this IPexpert blog post for guidelines on nailing the written. It’s very useful and I wanna thank Rick for writing such an awesome article! :)

Today I’m going to just tell you what’s running on my mind. So the rest of the post is going to be emotional, personal and totally non-technical!

I feel really thankful. That’s the one word to perfectly describe how I’m feeling. Thankful to my parents for giving me a great childhood. Thankful to GOD for giving me enough maturity to understand that I know nothing and I always need to keep learning. Thankful to my Twitter pals for their constant support and encouragement. I’m now so pepped up to kill the lab! Thankful for all of you who wish the best for me, ‘coz all the good energy sent to me by all of you definitely contributed to this pass.

My personal belief is that any exam has 3 parts to it:

  • 50% -> Preparedness
  • 25% -> Luck, GOD, calmness during the exam, call it whatever you want..
  • 25% -> Good wishes, good energy from people who care for you.

Luckily I had all three this time and that’s why I passed. The times I failed were only because I didn’t prepare enough :)

I can assure you 2 things today. One, I will try my hardest to become a CCIE Security someday. Two, I’ll be sharing every aspect of my journey with all of you and I’ll try and do my best to get you interested and motivated to kick some CCIE ass :)

Cheers,

TacACK


Reason for inactivity

Hey folks!

First of all, I wanna apologize for not blogging for the last week or so. It’s just that I’ve been busy with the CCIE written prep. I’ve put a counter in the TOP-RIGHT corner of the screen, which’ll give you a picture of how many days I’ve left. :)

Hope I clear the written. But after the 24th, regardless of whether I clear it or not, I’m going to be posting articles like it’s no-one’s business.

Thank you all.

Cheers,

TacACK

P.S.: I’ve many articles / new ideas planned. So keep watching this blog :)
