Archive for May, 2010
It’s good to sleep with doubts
Posted by TacAck in CCIE-Security on May 19th, 2010
Hello All,
I had an interesting and fulfilling day yesterday. Work has been super hectic of late and I’m getting less and less time to lab. But when I see people like Keith Barker, Paul, Ryan Schuett, Tolulope, Toyos, etc., who despite their super busy schedules set aside time to lab/learn and answer questions, I get inspired and that drives me to work harder. Thanks guys!
I studied a couple of things yesterday. I’m going to list them out, along with any interesting points/difficulties I faced during configuration.
- CBAC: I read through the doc-cd and I felt like I remembered some of the stuff from my previous reading. It was pretty straightforward for the most part and I enjoyed labbing through some sample scenarios. I initially did some simple TCP, UDP and ICMP inspection. After that I moved on to basic application inspection, like inspecting HTTP/FTP traffic. Although I couldn’t test FTP, I’m guessing it would work. Next I went to deep packet inspection using “appfw” for HTTP traffic. I used the application firewall to raise an alert when the “GET” command was detected and also when P2P traffic was being tunnelled in through TCP port 80. One interesting point which I want to keep in mind is the “ip port-map” command. This command is so beautiful! It instructs the IOS firewall to literally “think outside the box” and look for a particular protocol’s traffic on custom ports.
Example: Suppose you have an HTTP server running on TCP 8181 and there’s an IOS firewall sitting between the client and the server. Now, on the client side, the usual “ip inspect name XXX http” won’t work, because by default it’ll only look at port 80 and consider only that traffic as HTTP. For the router to look at port 8181 too, we need to add the “ip port-map” command with that port number. You can customize it further by attaching an access-list, making this special inspection applicable only to HTTP traffic going to server A and not to any other HTTP server. Isn’t this just awesome? BTW, you can also use port-map to define your own custom protocol, which will then show up under “ip inspect name XXX ?”.
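Here is the port-map scenario above written out as an IOS config. This is an added example, not a config from the original post; the addresses, interface names, the “FW-IN” rule name, the “user-myapp” application and the port 9000 for it are all assumed.

```cisco
! Added example (not from the post): CBAC inspecting HTTP on a non-standard port.
! All addresses, names and interfaces are assumed.
!
! Server A (assumed 192.168.10.10) listens on TCP 8181
access-list 1 permit host 192.168.10.10
!
! Map TCP 8181 to the HTTP inspector only when the destination is in ACL 1.
! Port 80 is still inspected as HTTP by default for every destination.
ip port-map http port tcp 8181 list 1
!
! User-defined application: names must start with "user-". After this,
! "user-myapp" appears in the list shown by "ip inspect name XXX ?"
ip port-map user-myapp port tcp 9000
!
! Inspection rule: generic TCP/UDP/ICMP plus application inspection
ip inspect name FW-IN tcp
ip inspect name FW-IN udp
ip inspect name FW-IN icmp
ip inspect name FW-IN http
ip inspect name FW-IN user-myapp
!
! Inspect traffic entering from the clients; CBAC then opens return holes in
! the ACL on the outside interface, which otherwise drops unsolicited traffic
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface FastEthernet0/0
 description INSIDE (clients)
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW-IN in
!
interface FastEthernet0/1
 description OUTSIDE (towards server A)
 ip address 10.0.0.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Verify the mapping and live sessions:
!   show ip port-map http
!   show ip inspect sessions
```

Without the “list 1” keyword the 8181 mapping would apply to every destination; with it, an HTTP connection to some other server on 8181 is only inspected as generic TCP, which is the behaviour the example is meant to illustrate.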
- MPF: I re-read some topics in MPF just to refresh my memory and it’s been very helpful. I configured DNS inspection, FTP command matching, HTTP request-method matching, etc. and it worked out pretty well, I must say. The doc-cd has an awesome explanation of what “strict ftp” matching is. That would be a good thing to know, in case Yusuf comes knocking with an OEQ.
Apart from this, I was also involved in some discussions on OSL and CLND. If you haven’t joined either/both of them, I’m telling you, DO IT NOW!
They’re just awesome, with lots of very intelligent people who answer questions (I usually just ask). There was a thread started by this dude “kardurai”, who wanted to terminate multiple tunnels on sub-interfaces that have a redundant configuration using HSRP. Keith and I have been posting replies to that, and I did a mini-lab and posted the working configs. However, he is now facing a new issue and it’s getting super interesting. I’m definitely going to do a quick lab today and post about it there.
Stuff that I’m going to be doing in today’s rack rental (3:30 PM – 9:00 PM IST) is as follows:
- IOS IPS
- IPS VLAN groups (I had to do this a couple of days ago, but I couldn’t. Hope to get it done today).
- I’m not confident about DNS rewrite, so I’ll configure that again.
- Spanning-tree attacks and how to block them (BPDU guard, BPDU filter, etc.)
Without delaying this any further, let me explain the title of my post.
I was trying to insert an ASA between a GETVPN KS and a GM to see what ports I need to open up to allow full-blown GETVPN to work. The GM was connected to the outside interface of the firewall, so what I did was permit GDOI (UDP 848) first. I was about to also open ISAKMP (UDP 500) for it to work, but even without that, the group registration worked. This screwed with my head. Also, I’m trying to figure out how to permit the multicast REKEY traffic through the ASA. I hope to get that done today. Since I couldn’t get it figured out yesterday, I slept with all these doubts and I’m eager to solve it today. Hence the title.
I hope you’re all learning new stuff and having fun at it, I definitely am!
Cheers and happy studying!
TacACK
ZBPF + lotsa work
Posted by TacAck in CCIE-Security on May 17th, 2010
Hello All,
I was totally swamped by work today. I had many deadlines to meet and I was busy with that. I did some ZBPF configuration in the morning while I was travelling on the bus.
When doing that I had a doubt which I raised on CLND, and the awesome folks there answered it.
HERE’s the link to it.
I thought of doing CBAC tonight, but I’m just unable to concentrate, so I’m going to call it a night.
I hope to get some studying done tomorrow.
Cheers,
TacACK
ZBF notes
Posted by TacAck in CCIE-Security on May 16th, 2010
Hello All,
Here are the ZBF notes. I’m sorry if they’re a little crude. Hopefully they might help refresh your memory when you need it :)
Cheers,
TacACK
Saturday’s lab
Posted by TacAck in CCIE-Security on May 16th, 2010
Hey all!
I had a good lab session yesterday. There were a couple of scenarios I could do (because I started the lab a little late) and here they are!
- Revisited IOS and ASA command authorization: This is one of the topics which has been bothering me for some time. So I spent approximately 2 hours of the 4.5 hours doing local and remote command authorization on the IOS and the ASA. Some notes that I’d like to add here are as follows:
- Always remember the CLEAR difference between local command authorization and remote command authorization.
1) LOCAL AUTHORIZATION: Here, when you specify a user to be of a particular level, the IOS decides that he/she has access to ALL the commands in that particular level. However, if you want to move some commands into the privilege level that a user resides in, we use the “privilege ...” command on the router. This just adds commands to the user’s repertoire.
2) REMOTE AUTHORIZATION: Here we go a little further and enable the administrator to add more granular control over WHAT specific commands the user can use. So when the user logs in to a privilege level and enters a command, here’s what happens. First, the IOS determines if the command he has entered is “APPLICABLE” to the exec level that the user has logged into. Suppose the user has logged into privilege level “7” and he enters a command which belongs to “15”. Unless we explicitly MOVE the command down to privilege level 7 using the “privilege” command, the IOS will not permit him to use that command. So that command is denied right there by the IOS. Now, if the user’s command is permitted by the IOS, then it moves one step further and a TACACS+ request is sent to the ACS to check the user/group profile and see if this command is explicitly permitted by the ACS.
- When I learnt this, I was just so damn happy! It was something new and awesome and it made soooo much sense, and I believe that every person trying to learn command authorization using the ACS must understand this concept.
- Another point that I noted was that, when doing command authorization for a certain privilege level (say “7”), make sure you instruct the router/firewall to perform command authorization for privilege levels 0, 1 and the specified privilege level. This will ensure that priv 1 and 0 commands are also sent to the ACS to be authorized. Now, in the ACS we also need to add these commands to the user profile. Commands like “exit”, “enable”, “disable” are to be specifically permitted if we need to authorize commands in level 0 and level 1.
- What I found interesting was that, when I entered the command “exit” to be permitted under the user profile on the ACS, it was still getting denied. So I checked the “permit unmatched arguments” checkbox and it started working. I started a discussion about this on CLND and asked if this was a normal phenomenon. Keith Barker (of INE fame), one of the best instructors EVER, said that it was an anomaly which we should keep in mind during the lab. You can find the discussion HERE!
- I also redid some NBAR config that I had done a couple of days back. It was a good revision and thankfully I could recall most of it!
- Also, I did some FPM config. Again a repetition, but it was super cool. I had some problems with regexes which I figured out later. I hope I remember them.
- I also did some dot1x configuration. Just the same config that I had done initially (a couple of weeks back). I could remember some stuff; for the rest, I used the doc-cd. Not bad, overall.
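To make the two-step local/remote command authorization flow from the notes above concrete, here is an IOS-side config that sets it up for a privilege-7 user. This is an added example, not one of the configs from the post; the ACS address and key, the usernames/passwords and the commands moved to level 7 are all assumed (the ASA side and the ACS profile itself are not shown).

```cisco
! Added example (not from the post): IOS command authorization via TACACS+
! for a privilege-7 user. ACS address, key, users and commands are assumed.
aaa new-model
!
! Hypothetical ACS server
tacacs-server host 10.1.1.50 key ACS-SECRET
!
! Local fallback accounts so an unreachable ACS does not lock you out
username admin privilege 15 secret Fallback123
username user7 privilege 7 secret User7pass
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Authorize levels 0 and 1 as well as 7. "exit", "enable" and "disable"
! live in levels 0/1 and would otherwise never be sent to the ACS.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
! Also send config-mode commands to the ACS (default, shown explicitly)
aaa authorization config-commands
!
! Step 1 (local check): pull level-15 commands down to level 7 so the IOS
! considers them "applicable" for user7. Without these lines the command
! is refused locally and the ACS is never even asked.
privilege exec level 7 show running-config
privilege exec level 7 show startup-config
privilege exec level 7 clear counters
!
! Step 2 (remote check) happens on the ACS: the user/group profile must
! permit "show running-config" etc., plus "exit", "enable" and "disable"
! for levels 0/1 (with "permit unmatched arguments" ticked if a bare
! "exit" is still denied, as noted above).
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 7 default
!
! Watch both steps while testing:
!   debug aaa authorization
!   debug tacacs
```

With this in place, a user7 session typing “show running-config” passes the local privilege check first and then generates a TACACS+ authorization request; typing a level-15 command that was not moved (for example “reload”) is rejected by the IOS itself and no request ever reaches the ACS.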
Today’s Sunday! YAY! So here are the things that I’m going to do today.
- Make a drink out of Red Bull + coconut water + secret ingredient (spices).
- Set the room to 24 °C. Ahhh..
- Listen to some new music.
- Study ZBPF and CBAC and make notes (which I’ll upload by the end of the day).
- Study about inline VLAN groups (IOS) and make notes.
- Set up ASA on GNS3 using QEMU.
I’ve another interesting post scheduled for later today. Super excited!
Cheers,
TacACK
GETVPN inside DMVPN
Posted by TacAck in CCIE-Security on May 14th, 2010
Hello All!
I hope you’re doing fine and kicking some security ass! :)
Yesterday was a special day. It was BREAK day! I didn’t do anything except watch movies, play Flight Simulator and drink Coke. I had a good night’s sleep and it definitely paid off! So we fast-forward to the next day (i.e. today).
I started the day with the usual bus ride. I had read Petr’s awesome article on DMVPN and I was super keen to lab it once. Also, recently I had done a couple of GETVPN labs. So I decided it was a good time to mix them both and try configuring GETVPN inside DMVPN. Of course the GETVPN would be a fully functioning one with all the bells and whistles like multicast rekeying, COOP KS, etc.
Here’s my topology. I initially did not have the redundant DMVPN hub (HUB 2), but I added that later after my configs with 1 hub/KS started working as expected.
I encountered some pretty interesting stuff as I was configuring (which is not that straightforward and not explained in most guides/blog posts). It is as follows:
- After configuring the DMVPN, I was confused about which interface of the KS to use as the GETVPN registration interface. After much trial and error I found that the PHYSICAL INTERFACE of the KS(s), which acts as the DMVPN tunnel source, is a good bet to use as the GETVPN address.
- Also, after configuring everything, configure PIM on the interface that is being used for GETVPN. Example: If we have used the NBMA IP of the physical interface on the KS as the GETVPN address, then configure PIM to run only on the physical interface. This will ensure that the multicast packets that are sourced from the KS will have a source IP of the physical interface.
- I had a situation where the KS was sending out rekeys (multicast) and the GMs were receiving them, but the rekey counter on the GMs was not incrementing. So here’s what I did to debug it. I hope this helps you to debug similar issues too.
1) I entered the command #debug ip mpacket detail on both the KS and the GM. This shows the packet details of the multicast messages. I used this to check if the KS was sending multicast rekey messages (every configured rekey interval) and if the GM was receiving them. I found that the GM was receiving mcast messages with source IP = tunnel IP of the KS and destination = the multicast group address.
2) Next I entered the command #sh crypto isakmp sa to check out the REKEY SA that would have been established between the GM and the KS during registration. I found that the SA had a source address of the NBMA IP of the KS and the destination as the multicast group. This brought about the revelation: ONLY multicast packets that match the REKEY SA will be treated as “rekey” packets by the GM. All other multicast packets will be treated as normal multicast packets.
3) So what I did was disable PIM on the tunnel interface and enable PIM on the physical interface. This ensured that the rekey messages would be sent using the source IP of the physical interface (and not the tunnel interface, like earlier).
4) I then checked, and it was working! This debugging procedure was so awesome, I had to share it. Most of you might already know this, but it was new to me so I’m really excited to have learned something new today!
- When you have COOP KS configured, if the primary KS fails, the secondary KS waits for some time after the primary has gone down. After which, it sends a “rekey” message to the GMs. It also establishes a new rekey ISAKMP SA with the GMs. This can be verified by checking the output of sh crypto isakmp sa.
- On a COOP KS group, we can configure fast detection by shortening the ISAKMP keepalive period on the COOP peers to a small value using the crypto isakmp keepalive command.
- Also, when the primary comes back up, it PREEMPTS the secondary and sends a new rekey message to the GMs, along with a new ISAKMP SA proposal which is accepted by the GMs.
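The rekey-source lesson and the COOP keepalive point above, written out as a key server config (with the minimal GM side). This is an added example, not the configs the post links to; the addresses (10.0.0.1/.2 physical, 172.16.0.x tunnel, 239.1.1.1 rekey group), group name and number, ACL names, RSA key label and priorities are all assumed, and the GMs’ DMVPN spoke tunnels are not reproduced.

```cisco
! Added example (not from the post): GETVPN KS on a DMVPN hub, with rekeys
! sourced from the KS PHYSICAL (NBMA) address so they match the GMs' REKEY SA.
! All addresses, names, the key label and the second KS are assumed.
!
! ===== Key server / DMVPN hub (10.0.0.1 physical, 172.16.0.1 tunnel) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key GETVPN-PSK address 0.0.0.0 0.0.0.0
! COOP peers detect each other via ISAKMP DPD; a short periodic keepalive
! makes a dead primary KS show up sooner
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set GET-TS esp-aes esp-sha-hmac
crypto ipsec profile GET-PROF
 set transform-set GET-TS
!
! REKEY-ACL: source = KS PHYSICAL address, destination = rekey multicast
! group. The GM builds its REKEY SA from exactly this pair, so rekeys
! sourced from any other address are treated as ordinary multicast.
ip access-list extended REKEY-ACL
 permit udp host 10.0.0.1 eq 848 host 239.1.1.1 eq 848
!
! Traffic the GMs must protect (assumed: the whole tunnel address space)
ip access-list extended GET-TRAFFIC
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
! Rekeys are signed with an RSA pair created beforehand (assumed label):
!   crypto key generate rsa label GETVPN-KEYS modulus 2048 exportable
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey address ipv4 REKEY-ACL
  rekey lifetime seconds 3600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEYS
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GET-TRAFFIC
   replay counter window-size 64
  ! Registration address = the physical interface that is the DMVPN tunnel
  ! source. GDOI carries its ISAKMP exchange on UDP 848 as well, which is
  ! why registration through a firewall works with only UDP 848 open.
  address ipv4 10.0.0.1
  redundancy
   local priority 100
   peer address ipv4 10.0.0.2
!
! PIM on the PHYSICAL interface only. With PIM on Tunnel0 instead, rekeys
! left sourced from 172.16.0.1, did not match the REKEY SA, and the GM
! rekey counter never incremented.
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-mode
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
!
! ===== Group member (10.0.0.11 physical), same isakmp policy and key =====
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 10.0.0.1
 server address ipv4 10.0.0.2
!
crypto map GET-MAP 10 gdoi
 set group GETVPN-GRP
!
! Receives the multicast rekeys; GET-MAP is applied on the interface whose
! traffic GETVPN protects (the spoke tunnel config is not reproduced here)
interface FastEthernet0/0
 ip address 10.0.0.11 255.255.255.0
 ip pim sparse-mode
!
! Verify on the GM:
!   show crypto isakmp sa       (REKEY SA: src 10.0.0.1, dst 239.1.1.1)
!   show crypto gdoi gm rekey   (counters should now increment each interval)
!   debug ip mpacket detail     (rekey source must be 10.0.0.1, not 172.16.0.1)
```

The check that ties it together is the REKEY SA line in “show crypto isakmp sa”: whatever source address appears there is the only one the GM will accept rekeys from, so the PIM-enabled interface on the KS has to be the one that owns that address.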
As you can see, I’ve learned a lot. I hope this task was equally challenging and fun for you. I hope to do some STP-related configuration tomorrow, along with some identity management topics (I haven’t decided what to do yet). I’ll keep you posted on this!
Thanks for reading through this.
EDIT: I’d totally forgotten to include the configs. HERE you go.
Cheers,
TacACK
