Archive for February, 2010

T-29 | The way I roll! :)

Hello All!

In this post, I'm going to be posting a small video on how I prep for big tasks like ZBF/ACL configuration. By BIG, I mean tasks which have lotsa small configuration items which we are bound to miss during configuration.

This way, by making a small diagram, I am able to more clearly and effectively convert the configuration tasks into ideas in my head. Please do let me know if they were of any help to you, or if you have a better way, I'd be more than happy to listen to it! :)

Cheers,

TacACK


T-30 | ASA Vol 1 Labs

It's not every day that I'm happy with GNS3. But today, I couldn't be happier! :)

It worked like a charm yesterday. I did ASA VPN Vol 1 labs, TASK 1 to 10 yesterday. It went well and I made some notes. Here are the notes!

1.2 RIP v2

  • This task asked for configuring RIP and authentication between peers running RIP. I thought I'd configured it correctly, but I kept getting "invalid authentication" in the "debug ip rip" output on both peers.
  • Everything looked fine.
    • I'd configured the key chain
    • The keys and the key-id on both peers were matching
  • I happened to notice that the key-id I had configured was "0" (well, theoretically the range is 0-255). So just for kicks, I changed the key-id to "1" on both RIP peers. It started working!
  • So this is where I make a note to myself: NEVER USE a key-id value of "0". Again, I do not know if this is a problem on other IOS versions or platforms, but on the 3725 running 12.4-18 (AdvancedIPServices) IOS, it doesn't work!

1.3 OSPF

  • I always get a warm feeling (like the feeling you get when you bite into a honey glazed, warm, blackberry jelly donut with powdered sugar on it :D) when I finish configuring OSPF and it works!
  • After configuring them, I was playing around with the DR election and it was awesome.
  • OSPF first checks the interface priority; the one with the highest priority becomes the DR.
    • #int fa 0/0
      • #ip ospf priority <priority>
  • If the priority is the same, the one with the highest router ID becomes the DR.
    • #router ospf 1
      • #router-id <router-id>

1.6 IP ACCESS-LIST

  • I now have an awesome way of approaching this problem. I'll make a video of this tonight and I'll post it here! :) I hope this'll help you.

1.7 OBJECT GROUPS

  • This task was pretty vague.
  • They asked me to reduce the size of the previous ACL, but they don't say anything about adding additional ACL statements or keeping the old ACL entries which are not covered by the object-groups.
  • So I assumed that the original ACL should be maintained. Entries can be replaced by object-groups wherever possible, but if that is not possible (ex: NTP), I have configured an ACL entry explicitly permitting that traffic.
  • If I got this topic in the exam, I would definitely ask for clarification.

1.8 ADMINISTRATIVE ACCESS

  • One quick note here regarding granting SSH access to manage the firewall.
  • Ensure that you have a license which allows you to create DES/3DES keys. If you don't, what happens is that, despite correct configuration, SSH access will still not work!
  • I found this out the hard way, as I spent about 15 mins trying to find what was wrong :)
  • And I would also suggest specifying the SSH version when you're trying to SSH into the firewall (or any device, for that matter):
    • #ssh -l <username> -v <version> <ip address>

1.9 ICMP TRAFFIC

  • I did some configuration, but I'm not satisfied, as I don't know how to permit pMTU replies. Even the solution doesn't address this. I was thinking we might have to permit "fragmentation needed" or "size-too-big" packets, but since they don't figure in the ICMP list, I'm wondering how this can be done. Please let me know if you have a solution for this. I'd really appreciate it! :)

1.10 URL FILTERING

  • After configuring URL filtering, when I tried to test it using the "sh url-server statistics" command, it showed that my URL requests were getting dropped.
  • I didn't have a Websense URL filtering server configured, but I had configured URL filtering with the "allow" keyword at the end, so that if the URL server wasn't detected, the URL requests would automatically get granted.
  • But the requests are getting dropped.
  • Not even blocked; they are getting "dropped". Again, if any of you can shed any light on this, I'd be super grateful! :)

I'm looking forward to finishing the rest of the labs! :) This is just awesome!

More on this tonight, tomorrow and the day after (please check the schedule on the sidebar).

Cheers,

TacACK


Back!

All!

What is up! :) I missed writing stuff here and now I'm back. I had a pretty successful week at work and now I'm ready to focus on the tasks at hand. I've some interesting articles for you which I'm going to be blogging about over the next couple of days. So watch this space! :)

Today, I'm going to be doing the ASA Vol 1 lab. I promise this is going to be my last revision! :) I've decided to move on to the Vol 2 labs come Monday 'coz this is taking a lot of time!

I'm really excited about my studies today and I'm going to be live-blogging on Wave. Great to be back!

Cheers,

TacACK


The week looks bad for me!

Yep!

As you might or might not know, I code for a living and I have various deadlines coming up! So what I've decided is to lay low for one week, try and get as much work done as possible, and then carry on with the CCIE Security studies :(

This is a little bad, but hey, I'll be back with a BIGGER BANG!

Cheers,

TacACK


T-37 | IOS F/w REVIEW

The day before yesterday, I finished the IOS F/w Vol 1 lab. Those who were following me on Google Wave would've seen me labbing live! :) Now on to some of the points that I noticed. As per an excellent suggestion that I received recently, I'll be labelling the tasks as per the INE workbook section number. This might help you when you have to lab up these tasks. Thanks to the person who suggested this! :)

2.1 BASIC ACCESS LISTS

  • When dealing with Cisco equipment, think beyond the usual traceroute that happens in Windows (ICMP echo requests with TTL values being incremented, and TTL-exceeded replies).
  • In Cisco IOS, the traceroute probes are sent as UDP messages to port numbers 33434 to 33464, and the replies come back as ICMP port-unreachable and time-exceeded messages. These are the ports and message types that I need to permit:
  • OUTBOUND -> UDP 33434 to 33464
  • INBOUND -> time-exceeded, port-unreachable.
  • Only then will traceroute work.
  • And when they say permit all "terminal" access to a certain device on the other side of the IOS f/w, here is the traffic that you need to permit:
    • telnet (tcp 23)
    • ssh (tcp 22)
    • http (tcp 80)
    • https (tcp 443)
  • I had only configured telnet and ssh (FAIL!) :D
  • When the task asks you to configure free email access for the inside users, where the email server is located on the outside, here is the list of protocols that need to be allowed:
    • SMTP (tcp 25)
    • POP3 (tcp 110)
    • IMAP (tcp 143)
  • I had just configured SMTP. I totally forgot about the other 2 protocols.
  • One note to all: after configuring these ACLs, MAKE SURE YOU TEST THEM! They can be really simple to look at, but believe you me, the extra 10 mins spent in testing can save you precious, sweet points.
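
Since the note above really boils down to "test the ACL before you move on", here is a small Python harness I am adding to this post (it is not the author's code and not from the INE workbook) that parses IOS-style extended ACL entries and checks them against flows that must be permitted and flows that must stay denied. The ACLs, the hosts 10.0.0.5, 10.0.0.9 and 192.168.1.10, and the test flows are all constructed for the example. It models first-match evaluation with the implicit deny, wildcard masks, the `eq` and `range` port operators and named ICMP messages, so it also covers the "permit udp any any eq rip" style entry that comes up in the later tasks.

```python
from collections import namedtuple
from ipaddress import ip_address

NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "pop3": 110, "rip": 520}

# Constructed ACLs for the 2.1 notes: traceroute probes, "terminal" access to a
# hypothetical host 10.0.0.5 and e-mail to a hypothetical server 10.0.0.9.
OUTBOUND_ACL = """
permit udp any any range 33434 33464
permit tcp any host 10.0.0.5 eq 23
permit tcp any host 10.0.0.5 eq 22
permit tcp any host 10.0.0.5 eq 80
permit tcp any host 10.0.0.5 eq 443
permit tcp any host 10.0.0.9 eq 25
permit tcp any host 10.0.0.9 eq 110
permit tcp any host 10.0.0.9 eq 143
"""
INBOUND_ACL = """
permit icmp any any time-exceeded
permit icmp any any port-unreachable
"""

# A flow to test: proto is "tcp", "udp" or "icmp"; icmp is an ICMP message name.
Flow = namedtuple("Flow", "proto src dst sport dport icmp", defaults=(0, 0, ""))
# src/dst are (address, wildcard) ints; sport/dport are (low, high) or None.
Ace = namedtuple("Ace", "action proto src sport dst dport icmp")

def _port(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)

def _addr(t: list, i: int) -> tuple:
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at t[i]; return (rule, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ip_address(t[i + 1])), 0), i + 2
    return (int(ip_address(t[i])), int(ip_address(t[i + 1]))), i + 2

def _ports(t: list, i: int) -> tuple:
    """Parse an optional 'eq P' or 'range LO HI' starting at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 2)
        sport, i = _ports(t, i)
        dst, i = _addr(t, i)
        dport, i = _ports(t, i)
        icmp = t[i] if t[1] == "icmp" and i < len(t) else None
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, icmp))
    return aces

def _addr_match(rule: tuple, ip: str) -> bool:
    addr, wild = rule    # a set wildcard bit means "don't care"
    return (int(ip_address(ip)) | wild) == (addr | wild)

def _port_match(rule, port: int) -> bool:
    return rule is None or rule[0] <= port <= rule[1]

def evaluate(aces: list, flow: Flow) -> tuple:
    """First match wins; returns (action, ACE index) or ("deny", -1) for the implicit deny."""
    for n, a in enumerate(aces):
        proto_ok = a.proto in ("ip", flow.proto)
        addr_ok = _addr_match(a.src, flow.src) and _addr_match(a.dst, flow.dst)
        port_ok = a.proto not in ("tcp", "udp") or (
            _port_match(a.sport, flow.sport) and _port_match(a.dport, flow.dport))
        icmp_ok = a.proto != "icmp" or not a.icmp or a.icmp == flow.icmp
        if proto_ok and addr_ok and port_ok and icmp_ok:
            return a.action, n
    return "deny", -1

def failures(aces: list, plan: list) -> list:
    """Run (flow, expected action) pairs against an ACL; return those that fail."""
    return [(f, want) for f, want in plan if evaluate(aces, f)[0] != want]

# Constructed test plan: flows that must work and flows that must stay blocked.
PLAN = {
    "outbound": (OUTBOUND_ACL, [
        (Flow("udp", "192.168.1.10", "10.0.0.5", 40000, 33440), "permit"),  # traceroute probe
        (Flow("tcp", "192.168.1.10", "10.0.0.5", 50001, 443), "permit"),    # https "terminal" access
        (Flow("tcp", "192.168.1.10", "10.0.0.9", 50002, 143), "permit"),    # IMAP
        (Flow("tcp", "192.168.1.10", "10.0.0.9", 50003, 3389), "deny"),     # never asked for
    ]),
    "inbound": (INBOUND_ACL, [
        (Flow("icmp", "10.0.0.7", "192.168.1.10", icmp="time-exceeded"), "permit"),
        (Flow("icmp", "10.0.0.5", "192.168.1.10", icmp="echo-reply"), "deny"),
    ]),
}

def check_lab_acls() -> dict:
    """{direction: failing pairs}; every list empty means the ACLs do what the task asked."""
    return {name: failures(parse_acl(acl), plan) for name, (acl, plan) in PLAN.items()}

if __name__ == "__main__":
    print(check_lab_acls())
```

The point of keeping the plan next to the ACL is that the "forgot POP3 and IMAP" mistake shows up as a failing entry instead of a lost point: add the flow the task describes first, then write the entry that makes it pass.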

2.2 REFLEXIVE ACCESS-LISTS

  • I suck at this. :D
  • The first task is OK, no problems. I create an ACL outbound on the outside interface and I reflect the TCP, UDP and ICMP traffic.
  • I then apply an ACL in the inbound direction on the outside interface and "evaluate" the traffic.
  • The next configuration item is to permit RIP. The task also tells me not to use "permit udp any any eq rip" on the inbound ACL on the outside interface.
  • So, after thinking, I didn't figure out the solution and I checked the solution in the INE workbook, and here's what I found:
    • By default, router-generated traffic (like RIP updates) isn't subject to reflection as it leaves an interface.
    • To trick the router, we can divert the traffic to the loopback 0 interface, thus making it ingress traffic. That's what we do in the previous task.
    • We make use of route-maps for this purpose.
    • After creating the route-maps, they are applied to the local routing policy.

2.3 DYNAMIC ACCESS-LISTS

  • This was pretty straightforward.
  • The only thing to watch out for is the "make sure the control-plane traffic doesn't get affected".
  • This refers to the routing messages between R2 and R1, R3.
  • To make sure they are permitted, we need to manually add a "permit udp any any eq rip" entry in the inbound access-list on the outside interface.

2.4 BASIC CBAC

  • This task also asks me to maintain IP routing through the network, so I'm going to permit RIP on the firewall by default.
  • Allow the firewall to ping any destination. I'm thinking we inspect the "router-traffic" in the CBAC inspect rules to achieve this.
  • It asks me to inspect FTP application traffic. Is it referring to active or passive? Do I assume ACTIVE? This is certainly an item which you might wanna ask the proctor for confirmation.
  • Remember, the OLD CBAC used to allow the traffic from the outside to the inside by creating temporary ACL entries on the outside interface.
  • But now, the latest CBAC (or new name SPI) does an "ACL bypass" and creates an entry in the session table.
  • So, to check if inspection is working correctly, use the command "sh ip inspect sessions".

2.5 CBAC PAM

  • This was pretty basic except for one little issue that I wanted to share with you.
  • By default, there are some ports which belong to a particular protocol. Ex: FTP -> TCP 21, HTTP -> TCP 80, etc.
  • Now when the task asks you to configure FTP inspection on TCP port 80, we cannot directly add "#ip port-map ftp port 80".
  • This would give us an error as the port is already in use by HTTP. To work around this, there are 2 solutions:
    • Delete port 80 from HTTP, and then add it under FTP.
      • #no ip port-map http port 80
      • #ip port-map ftp port 80
      • The disadvantage of this method is that, from this point on, even the HTTP traffic which flows on port 80 will not be inspected as HTTP.
      • The next method's the better solution.
    • Create an "exception" ACL
      • We can specify an exception "host" for whom the port-map works a little differently.
      • Ex: let's say that we have to make sure FTP also works on TCP 80 from our local router to router R1 (192.168.1.2).
      • But to the rest of the network, HTTP inspection should work on traffic on port 80. This can be achieved by defining an ACL which points to the "special" router to which port 80 needs to be mapped to FTP, and applying it using this command:
        • #access-list 99 permit host 192.168.1.2
        • #ip port-map ftp port 80 list 99
      • So, only for host 192.168.1.2, the FTP inspection also works on port 80 (via list 99), but for the rest of the network, it's good ol' HTTP! Cool, isn't it?! :)

2.6 CBAC TCP/UDP INTERCEPT

  • I didn't face any issues here; this was pretty straightforward.

2.7 CBAC PERFORMANCE OPTIMIZATION

  • The commands are straightforward, but I suggest reading through the explanation in the workbook solutions once after finishing the task.
  • Remember, there are 2 ways CBAC inspection performance can be improved:
    • Modifying the hash-table (session table) size to match the approximate number of TCP connections that will be intercepted.
    • Switching off alerts/audit-trails and only turning them on when needed.

2.8 IOS URL FILTERING

  • One thing I didn't know here was how to capture the traffic. I assumed that no access-list was required for URL filtering. But it turns out that we need to specify an access-list identifying the traffic that needs to be "URL-FILTERED".
    • #access-list 1 deny any
    • #ip inspect name HTTP_FILTER http java-list 1 urlfilter
  • The rest of this configuration is pretty simple.

2.9 IOS AUTHENTICATION PROXY

  • This involves some ACS configuration, so let's head over into our beloved ACS! <3
  • OK, this works fine! I tried it with TACACS+, but it seems to be working well with RADIUS.
  • Now, there were some issues I faced with TACACS+. I thought auth-proxy could be done using TACACS+ as well, but I tried hard to configure it and it didn't work.
  • So I switched to RADIUS and I used AV pairs "auth-proxy:priv-lvl=15", "auth-proxy:proxy-acl#1=permit icmp any any", etc., to permit the ACLs to be downloaded on successful authentication.
  • However, when I tried achieving the same using LOCAL authentication/authorization, it failed! < INSERT DRAMATIC MUSIC! >
  • Everything looked fine on the surface until Ryan "The MAN" Schuett (www.routsec.com) and I started debugging the issue.
  • Here's what we found; this is SUPER AWESOME!
    • When you create a username in the IOS using the "username xxx password yyy" command, I thought the username gets a privilege level of 15.
    • WRONG!
    • The username initially gets a privilege level of "1". That's right, a measly "1". So when we log in using a username of "xxx" we are in user exec mode. I confirmed this by doing a "show priv" command.
    • Upon entering the "enable" command, we are immediately in priv-exec with a priv-level of 15.
    • So here's the hidden detail: the username needs to have enough privilege for the IOS to insert the ACLs after successful authentication to the auth-proxy device.
    • This was achieved in the earlier RADIUS-based configuration by using the AV pair "auth-proxy:priv-lvl=15".
    • On the router, for local authentication/authorization, we can get it to start working by adding the "privilege" keyword to the username and specifying a priv-level of 15:
    • #username gotcha privilege 15 password i_told_you_so
  • Thanks to Ryan for pointing this out to me. Ryan, thanks bro! :D

2.10 FLEXIBLE PACKET MATCHING

  • FPM is pretty straightforward.
  • I've written about matching the VLAN ID in the BPDUs in an earlier post. Do refer to that.
  • Also, if you're new to FPM, check THIS out. It's an article by Petr Lapukhov, who is hands-down the best tutorial writer to have ever walked the earth.

2.11 ZONE BASED FIREWALL

  • Always remember to draw the zones on a piece of paper and form the mappings there.
  • I'll post a short article on how I do this. You needn't follow it, but I'm guessing it might be of use to some :) At least if you have a bad memory like I do!
  • We match the traffic that we like using ACLs under the type inspect class-map, apply it to a type inspect policy-map and then apply that under the zone-pair.
  • Also note that policing under the zone-pair is not allowed when one of the zone-pair members is the self zone.
  • Traffic between a particular zone and the self zone (router-generated traffic) is permitted by default, even if you don't create a zone-pair and apply a policy-map to it. But once we do that, the traffic which is permitted by the policy-map gets passed on, and the rest of the traffic is blocked.
  • This prevents routing updates from getting exchanged. So what @infosecsamurai suggested was: to permit routing protocols between the self zone and the other zones which are part of zone-pairs (i.e. (SELF, ZONE A) -> zone-pair A), you must permit the routing protocol in both directions, ZONE A to SELF and SELF to ZONE A. We cannot apply an "inspect" action to the routing protocol traffic; it has to be "pass" only. Therefore we have to explicitly create matching entries on the zone-pairs in the opposite direction to one another.
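
To make the self-zone behaviour in the last two bullets concrete, here is an added Python model of the zone-pair decisions (mine, not the author's, and not IOS code): traffic to or from self passes when no zone-pair exists, a zone-pair with a policy-map drops whatever lands in class-default, and "pass" opens no session while "inspect" does, which is exactly why a routing protocol needs a "pass" entry on the zone-pairs in both directions. It also models the standard ZBF default that traffic between two ordinary zones with no zone-pair is dropped, which the post above does not spell out. The zone names, the ports and the 5-tuple session key are assumptions of the example.

```python
from collections import namedtuple

SELF = "self"    # the router's own zone (router-generated and router-destined traffic)

# Constructed packet summary: the zones it moves between plus protocol and ports.
Packet = namedtuple("Packet", "src_zone dst_zone proto sport dport")

# "class-maps" for this toy are plain predicates over a Packet.
def match_tcp(p: Packet) -> bool:
    return p.proto == "tcp"

def match_rip(p: Packet) -> bool:     # RIPv2 updates travel UDP 520 -> 520
    return p.proto == "udp" and p.dport == 520

class ZoneFirewall:
    """Toy model of the zone-pair decisions described in the notes; not IOS code."""

    def __init__(self):
        self.pairs = {}        # (src_zone, dst_zone) -> [(action, predicate), ...]
        self.sessions = set()  # flows opened by "inspect", keyed by 5-tuple

    def zone_pair(self, src: str, dst: str, policy: list) -> None:
        """Attach an ordered policy-map to src->dst; class-default is drop."""
        self.pairs[(src, dst)] = list(policy)

    def forward(self, p: Packet) -> tuple:
        """Return (verdict, reason) for one packet and update the session table."""
        key = (p.src_zone, p.dst_zone, p.proto, p.sport, p.dport)
        if (p.dst_zone, p.src_zone, p.proto, p.dport, p.sport) in self.sessions:
            return "pass", "return traffic of an inspected session"
        if p.src_zone == p.dst_zone:
            return "pass", "intra-zone traffic"
        policy = self.pairs.get((p.src_zone, p.dst_zone))
        if policy is None:
            if SELF in (p.src_zone, p.dst_zone):
                return "pass", "no zone-pair with self: permitted by default"
            return "drop", "no zone-pair between these zones"
        for action, matches in policy:
            if not matches(p):
                continue
            if action == "inspect":
                self.sessions.add(key)    # only inspect opens the reverse path
            return ("drop" if action == "drop" else "pass"), "class action " + action
        return "drop", "class-default"

def demo() -> dict:
    """Replay the self-zone routing trap from the notes; returns verdicts by step."""
    rip_in = Packet("OUTSIDE", SELF, "udp", 520, 520)    # neighbour's update arriving
    rip_out = Packet(SELF, "OUTSIDE", "udp", 520, 520)   # our own update leaving
    fw, r = ZoneFirewall(), {}
    fw.zone_pair("INSIDE", "OUTSIDE", [("inspect", match_tcp)])
    r["rip in, no self pairs"] = fw.forward(rip_in)[0]
    # Zone-pairs with self that only inspect TCP: RIP now lands in class-default
    fw.zone_pair("OUTSIDE", SELF, [("inspect", match_tcp)])
    fw.zone_pair(SELF, "OUTSIDE", [("inspect", match_tcp)])
    r["rip in, tcp-only pairs"] = fw.forward(rip_in)[0]
    r["rip out, tcp-only pairs"] = fw.forward(rip_out)[0]
    # Fix from the notes: "pass" RIP. Pass opens no session, so one direction is not enough
    fw.zone_pair("OUTSIDE", SELF, [("pass", match_rip), ("inspect", match_tcp)])
    r["rip in, one-way fix"] = fw.forward(rip_in)[0]
    r["rip out, one-way fix"] = fw.forward(rip_out)[0]
    fw.zone_pair(SELF, "OUTSIDE", [("pass", match_rip), ("inspect", match_tcp)])
    r["rip out, two-way fix"] = fw.forward(rip_out)[0]
    # By contrast, inspected TCP opens its own return path; unsolicited inbound TCP still drops
    r["tcp inside->outside"] = fw.forward(Packet("INSIDE", "OUTSIDE", "tcp", 40000, 80))[0]
    r["tcp reply outside->inside"] = fw.forward(Packet("OUTSIDE", "INSIDE", "tcp", 80, 40000))[0]
    r["tcp new outside->inside"] = fw.forward(Packet("OUTSIDE", "INSIDE", "tcp", 4444, 22))[0]
    return r

if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:32} {verdict}")
```

Running `demo()` walks the same path the notes describe: RIP works until the self zone-pairs appear, breaks once they only inspect TCP, and only recovers when both (OUTSIDE, self) and (self, OUTSIDE) carry a "pass" class for it.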

2.14 CLASSIC IOS TRANSPARENT FIREWALL

  • I was initially scared of configuring a router to operate in bridge mode. This was the first time I ever did that configuration, and I think it's pretty easy once you get the hang of it and once you start figuring out how it works!
  • Always remember that the IOS F/w operates after the input ACL but before the output ACL. So if we wanna block any traffic on an interface on which inspection is enabled, we can place an input ACL there. This ACL will block the traffic prior to it being inspected by CBAC.
  • The EtherType of IPv6 is 0x86dd. To block IPv6 we use this EtherType value in the ACL: #access-list 203 deny 0x86dd
  • But ensure that you permit the rest of the traffic, otherwise everything will get blocked: "access-list 203 permit 0x0 0xFFFF" (type-code and mask).
  • To apply this ACL on an interface, we have to enter the command "#bridge-group 1 input-type-list 203". This is because ACL 203 is not an IP ACL, and the regular "ip access-group" command will not work.
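
An added Python illustration (not the author's config; the evaluation semantics here are my own model) of how the type-code ACL in the three bullets above is applied to raw Ethernet frames: the EtherType is read from bytes 12-13 of an untagged frame, entries are tried in order with the mask as a wildcard (a set bit means "don't care"), an entry written without a mask is treated as an exact match, and the implicit deny at the end is what makes the "permit 0x0 0xFFFF" line necessary. The frames and MAC addresses are constructed.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD

# Constructed copy of the bridge-group ACL from the notes, one entry per line.
BRIDGE_ACL_203 = """
access-list 203 deny 0x86dd
access-list 203 permit 0x0 0xFFFF
"""

def parse_type_code_acl(text: str) -> list:
    """Return [(action, type_code, wildcard)]. A missing wildcard is read as
    0x0000 (exact match); that is an assumption of this model."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]                    # drop "access-list 203"
        action, code = t[0], int(t[1], 16)
        wild = int(t[2], 16) if len(t) > 2 else 0
        entries.append((action, code, wild))
    return entries

def ethertype_of(frame: bytes) -> int:
    """Read the 16-bit EtherType at offset 12 of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

def evaluate_type_code(entries: list, ethertype: int) -> str:
    """First match wins; wildcard bits set to 1 are ignored; implicit deny at the end."""
    for action, code, wild in entries:
        if (ethertype | wild) == (code | wild):
            return action
    return "deny"

def build_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed frame: locally administered MACs, given EtherType, optional payload."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", ethertype) + payload

def bridge_verdicts(acl_text: str) -> dict:
    """Apply an input-type-list style ACL to one IPv4, one ARP and one IPv6 frame."""
    entries = parse_type_code_acl(acl_text)
    frames = {
        "ipv4": build_frame(ETHERTYPE_IPV4, b"\x45"),
        "arp": build_frame(ETHERTYPE_ARP),
        "ipv6": build_frame(ETHERTYPE_IPV6, b"\x60"),
    }
    return {name: evaluate_type_code(entries, ethertype_of(f)) for name, f in frames.items()}

if __name__ == "__main__":
    print("with the permit line:   ", bridge_verdicts(BRIDGE_ACL_203))
    print("deny-only, as warned:   ", bridge_verdicts("access-list 203 deny 0x86dd"))
```

The second call in the `__main__` block reproduces the warning in the notes: with only the deny entry, IPv4 and ARP fall through to the implicit deny and the bridge passes nothing.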

2.15 ZFW-BASED IOS TRANSPARENT FIREWALL

  • It's exactly like 2.14 when it comes to configuring the interfaces as part of a bridge-group and enabling bridge routing and bridge IRB mode.
  • The zone-based configuration is unchanged. It's the same regardless of whether it's operating on L3 interfaces or L2 interfaces. As long as they have IP routing enabled, it's happy and it works just fine!
  • Remember, TEST, TEST and TEST! :)

2.16 IOS IP VIRTUAL REASSEMBLY

  • Not much to discuss here; just note the difference between max-reassemblies (the maximum number of simultaneous BIG packets that we wanna reassemble) and max-fragments (the maximum number of fragments of EACH BIG packet that the IOS needs to track).

2.17 IOS ACL SELECTIVE IP OPTION DROP

  • Simple commands, simple job :)

That's the end of a long blog post :) Today I'm going to be doing the VPN Vol 1 lab. Join me on the wave. My wave id is "ybnmts at googlewave dot com".

Thanks everyone for your help, and please have fun while you study :) I certainly am!

Cheers,

TacACK
