Friday 29 January 2016
vtp config on cisco switch
You won't find vtp settings in sh run
You need sh vtp status on a working switch and copy settings
Set your vtp domain
password
vtp pruning
cisco ASA site to site VPN config
By defining a VPN tunnel-group the ASA allows the remote peer in the outside interface and get to where its going as defined in your ACL. IKE negotiation happens over UDP port 4500 and that is allowed without having to edit your outside ACL. You can change this with no sysopt connection permit-vpn. If you do that you will need entries in your from_outside ACL. Protocol 50 is esp.
Show all the tunnel-groups
sh run all tunnel-group
L2L (S2S) IP address
RA VPN group
The tunnel group sets the peer and calls the group policy
Show the group policy
sh run all group-policy
Normally if you don't change anything the default group policy will be used
Make sure ikev1 is enabled in the default or what ever group policy you are using
group-policy DfltGrpPolicy attributes
ISAKMP policy (Phase 1)
Use IKEv1 because only newest versions of code support IKEv2
Encryption
Authentication
Hashing
Diffie Hellman group
Phase 2
Who is the tunnel going to (outside interface of ASA)?
What traffic do we want to encrypt (ACL) ?
How are we going to encrypt (transform set) ?
Show isakmp policy
sh run | section isakmp
ACLs need to match on both sides for the VPN to come up.
The pre-shared key needs to match on both sides in IKEv1
We want to make sure there is a matching transform set on both sides too (aes sha etc)
ASDM config
Configuration -> Site to Site VPN
Add connection profile
Uncheck IKEv2
Show all the ikev1 policies and transform sets
sh run crypto
The ASA will go from top down in the transform sets until it finds one that matches. Common reason for the VPN not coming up is that there is no matching transform set. Often its a security best practice to remove transform-sets that we are not using. Having a large number of transform sets adds processing time too.
Its possible to define more than one tranform set in the crypto map but not advised.
crypto map S2SMAP 10 set ikev1 tranforset esp-aes esp-sha esp-aes-123 esp-des-sha
Sh the tunnel-group
sh run tunnel-group
Turn logging on, enable logging to the console at level 7
Or tail your syslog
conf t
logging on
logging con 7
end
no logging on to switch off
Initiate the tunnel
Send a ping (or what ever traffic is allowed from one end of the VPN to the other)
Check if phase 1 is up
sh crypto isakmp sa
QM_IDLE is good, it means phase 1 went into quick mode and moved on to phase 2
Status should be ACTIVE
Check phase 2
show crypto ipsec sa
show crypto ipsec sa peer 100.100.100.100
you should see pkts encaps and decaps increasing at the same rate.
There should be a separate sa for each network in the ACL
Look for the spi (security parameter index)
Its the sequence number for the tunnel inbound and outbound
If we don't have an SPI the tunnel is not up, we can see the transform used here)
Tunnel negotiation
Packed recieved on 20.0.0.254:5000 (UDP IKE)
IKE SA Proposal acceptable Matches global IKE entry
Connection landed on tunnel_group xx.xx.xx.xx
L2LPOLICY
Phase 1 completed
IPSec SA Proposal acceptable
Security nego is complete
Phase 2 complete
Built inbound ICMP/TCP connection for
SPIs should match on both ends
sh crypto ipsec sa peer xx.xx.xx.xx | i spi
Each entry in the ACL gets a separate SPI created
If we look at connections
show local-host all
show connection detail
We see traffic is still subject to inspection. ASA does decryption then inspection.
Clear P2 (clear a specific p2 sa)
clear crypto ipsec sa peer xx.xx.xx.xx
Clear P1 (clears all P1)
clear crypto isakmp sa
MM_WAIT_MSG_6
Usually means PSK mismatch
group-policy DfltGrpPolicy attributes
Enable it on outside interface
crypto ikev1 enable outside
Create a name so you know who it is
Transform set
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
Objects for use ACLs
object-group network DMZ-10.255.1.16s-28
network-object 10.255.1.16 255.255.255.240
ACL to match traffic for the VPN
access-list gby-crypto-200 extended permit ip object DMZ-10.255.1.16-28 10.55.1.0 255.255.255.0
Phase2 Crypto map
crypto map MAP-OUTSIDE 20 match address gby-crypto-200
crypto map MAP-OUTSIDE 20 set peer 172.19.140.200
crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map needs to be applied to outside interface
crypto map MAP-OUTSIDE interface outside
Tunnel Group
tunnel-group 172.19.140.200 type ipsec-l2l
tunnel-group 172.19.140.200 ipsec-attributes
ikev1 pre-shared-key secretpw
No Nat
Show all the tunnel-groups
sh run all tunnel-group
L2L (S2S) IP address
RA VPN group
The tunnel group sets the peer and calls the group policy
Show the group policy
sh run all group-policy
Normally if you don't change anything the default group policy will be used
Make sure ikev1 is enabled in the default or what ever group policy you are using
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
ISAKMP policy (Phase 1)
Use IKEv1 because only newest versions of code support IKEv2
Encryption
Authentication
Hashing
Diffie Hellman group
Phase 2
Who is the tunnel going to (outside interface of ASA)?
What traffic do we want to encrypt (ACL) ?
How are we going to encrypt (transform set) ?
Show isakmp policy
sh run | section isakmp
ACLs need to match on both sides for the VPN to come up.
The pre-shared key needs to match on both sides in IKEv1
We want to make sure there is a matching transform set on both sides too (aes sha etc)
ASDM config
Configuration -> Site to Site VPN
Add connection profile
Uncheck IKEv2
Show all the ikev1 policies and transform sets
sh run crypto
The ASA will go from top down in the transform sets until it finds one that matches. Common reason for the VPN not coming up is that there is no matching transform set. Often its a security best practice to remove transform-sets that we are not using. Having a large number of transform sets adds processing time too.
Its possible to define more than one tranform set in the crypto map but not advised.
crypto map S2SMAP 10 set ikev1 tranforset esp-aes esp-sha esp-aes-123 esp-des-sha
Sh the tunnel-group
sh run tunnel-group
Turn logging on, enable logging to the console at level 7
Or tail your syslog
conf t
logging on
logging con 7
end
no logging on to switch off
Initiate the tunnel
Send a ping (or what ever traffic is allowed from one end of the VPN to the other)
Check if phase 1 is up
sh crypto isakmp sa
QM_IDLE is good, it means phase 1 went into quick mode and moved on to phase 2
Status should be ACTIVE
Check phase 2
show crypto ipsec sa
show crypto ipsec sa peer 100.100.100.100
you should see pkts encaps and decaps increasing at the same rate.
There should be a separate sa for each network in the ACL
Look for the spi (security parameter index)
Its the sequence number for the tunnel inbound and outbound
If we don't have an SPI the tunnel is not up, we can see the transform used here)
Tunnel negotiation
Packed recieved on 20.0.0.254:5000 (UDP IKE)
IKE SA Proposal acceptable Matches global IKE entry
Connection landed on tunnel_group xx.xx.xx.xx
L2LPOLICY
Phase 1 completed
IPSec SA Proposal acceptable
Security nego is complete
Phase 2 complete
Built inbound ICMP/TCP connection for
SPIs should match on both ends
sh crypto ipsec sa peer xx.xx.xx.xx | i spi
Each entry in the ACL gets a separate SPI created
If we look at connections
show local-host all
show connection detail
We see traffic is still subject to inspection. ASA does decryption then inspection.
Clear P2 (clear a specific p2 sa)
clear crypto ipsec sa peer xx.xx.xx.xx
Clear P1 (clears all P1)
clear crypto isakmp sa
MM_WAIT_MSG_6
Usually means PSK mismatch
CLI Config
Make sure ikev1 is enabled in the default or what ever group policy you are usinggroup-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
Enable it on outside interface
crypto ikev1 enable outside
Create a name so you know who it is
name 172.19.140.200 Remote_Peer
Transform set
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
Objects for use ACLs
object-group network DMZ-10.255.1.16s-28
network-object 10.255.1.16 255.255.255.240
object-group
network REMOTE_NETS
network-object 192.168.24.0 255.255.255.0ACL to match traffic for the VPN
access-list gby-crypto-200 extended permit ip object DMZ-10.255.1.16-28 10.55.1.0 255.255.255.0
Phase2 Crypto map
crypto map MAP-OUTSIDE 20 match address gby-crypto-200
crypto map MAP-OUTSIDE 20 set peer 172.19.140.200
crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map needs to be applied to outside interface
crypto map MAP-OUTSIDE interface outside
Tunnel Group
tunnel-group 172.19.140.200 type ipsec-l2l
tunnel-group 172.19.140.200 ipsec-attributes
ikev1 pre-shared-key secretpw
No Nat
nat
(DMZ,OUTSIDE) source static DMZ-10.255.1.16-28 DMZ-10.255.1.16-28 destination
static REMOTE_NETS REMOTE_NETS no-proxy-arp route-lookup
Make sure the source/destination interfaces are correct. Use show route to see. You may need to add more than one NAT statement for different interfaces
Routes
There must be a route to your peer (usually 0.0.0.0 default GW) and to the destination network you want to reach usually directly connected (inside/lan/etc) but not always.
Make sure the source/destination interfaces are correct. Use show route to see. You may need to add more than one NAT statement for different interfaces
Routes
There must be a route to your peer (usually 0.0.0.0 default GW) and to the destination network you want to reach usually directly connected (inside/lan/etc) but not always.
Troubleshooting
WAIT_MSG2 = We can't reach the other side or no matching ike p1 policy
Whats the problem ? Host A can't reach Host B. Is it a problem for all hosts or just one host ?
If a VPN won't come up its usually a settings problem. PSK mismatch, missing NAT, ACL mismatch etc. If a VPN has been up and goes down its usually because something has changed. Write ALL settings down for both peers side by side and compare. Check the encryption domain on both sides is traffic being generated to bring the VPN up ?
Use ping to make sure the host has network connectivity and can reach the default GW
Check out device and confirm is has internet connectivity
Traceroute between the two ASA's to rule out internet routing issue
Check logging on the console or tail/grep your syslog for any errors
On the client
ipconfig (have we got an IP)
ping 8.8.8.8 (have we got internet access)
try to reach host on other side
On ASA
ping other ASA 192.168.1.171
tail/grep your syslog, or use ASDM event viewer, you can also use console logging (cpu intensive)
logging enable
logging console 7
Try again on the client, watch the log for errors and denies.
You should see details why the connectivity is failing.
Debug commands
Setup the debugs and then try the traffic
ikev1
debug crypto condition peer x.x.x.x
debug crypto ikev1 platform 250
debug crypto ikev1 protocol 250
ikev2
debug crypto condition peer x.x.x.x
debug crypto ikev2 platform 250
debug crypto ikev2 protocol 250
If a VPN won't come up its usually a settings problem. PSK mismatch, missing NAT, ACL mismatch etc. If a VPN has been up and goes down its usually because something has changed. Write ALL settings down for both peers side by side and compare. Check the encryption domain on both sides is traffic being generated to bring the VPN up ?
Use ping to make sure the host has network connectivity and can reach the default GW
Check out device and confirm is has internet connectivity
Traceroute between the two ASA's to rule out internet routing issue
Check logging on the console or tail/grep your syslog for any errors
On the client
ipconfig (have we got an IP)
ping 8.8.8.8 (have we got internet access)
try to reach host on other side
On ASA
ping other ASA 192.168.1.171
tail/grep your syslog, or use ASDM event viewer, you can also use console logging (cpu intensive)
logging enable
logging console 7
Try again on the client, watch the log for errors and denies.
You should see details why the connectivity is failing.
Debug commands
Setup the debugs and then try the traffic
ikev1
debug crypto condition peer x.x.x.x
debug crypto ikev1 platform 250
debug crypto ikev1 protocol 250
ikev2
debug crypto condition peer x.x.x.x
debug crypto ikev2 platform 250
debug crypto ikev2 protocol 250
changing the peer on a VPN on the ASA
Information to ask for
Old peer x.x.x.x
New peer y.y.y.y
Your firewall that they are peering with z.z.z.z
host that you can ping (or other tests) on the other side to verify connectivity
Find the crypto map number and tunnel group
sh run | i x.x.x.x
Get the pre-shared key from the old peer tunnel group
more system:running-config | b tunnel-group x.x.x.x
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key s3cr3tp@55w0rd
Make a new tunnel group for the new peer
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
ikev1 pre-shared-key s3cr3tp@55w0rd
View the settings on the crypto map
sh run | i crypto map MYMAP 10
crypto map MYMAP 10 match address CUST_VPN_ACL
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set ikev1 transform-set MEDIUM
crypto map MYMAP 10 set security-association lifetime seconds 28800
crypto map MYMAP 10 set security-association lifetime kilobytes 4608000
Check the crypto map works on the new interface
If not you can assign it to the interface or make another crypto map
crypto map MYMAP interface Outside
crypto map MYMAP interface WAN
Check the crypto is enabled on the interface
sh run | i crypto ikev1
crypto ikev1 enable Outside
crypto ikev1 enable WAN
Update the route to go out the correct interface
sh run | i x.x.x.x
no route outside 10.40.0.0 255.255.0.0 2.2.2.2 1
route VPN 10.40.0.0 255.255.0.0 3.3.3.3 1
Remove the old peer and set the new peer
conf t
no crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set peer y.y.y.y
Update the interface on the NAT
no nat (REMOTE-DMZ,Outside) source static MY_LAN MY_LAN destination static CUST_LAN CUST_LAN no-proxy-arp route-lookup
nat (REMOTE-DMZ,VPN) source static MY_LAN MY_LAN destination static CUST_LAN CUST_LAN no-proxy-arp route-lookup
Check for phase 1
We will see an entry is phase 1 has come up. State should be MM_ACTIVE.
sh crypto isakmp sa | b y.y.y.y
Check for phase 2
Run the command a few times. We should see encaps and decaps increasing. If we see that its looking good, ask the user to test. You might have to generate the traffic. So from your side of the VPN try to reach something on the other side that you should be able to get to.
ASA# sh crypto ipsec sa peer y.y.y.y | i pkts
#pkts encaps: 29312, #pkts encrypt: 29312, #pkts digest: 29312
#pkts decaps: 33273, #pkts decrypt: 33273, #pkts verify: 33273
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29312, #pkts comp failed: 0, #pkts decomp failed: 0
ASA# sh crypto ipsec sa peer 137.191.231.82 | i pkts
#pkts encaps: 29421, #pkts encrypt: 29421, #pkts digest: 29421
#pkts decaps: 33382, #pkts decrypt: 33382, #pkts verify: 33382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29421, #pkts comp failed: 0, #pkts decomp failed: 0
If its still not working you need to troubleshoot the VPN maybe they have changed some settings on the new peer or have a new inside network etc. Follow VPN troubleshooting steps.
Thursday 28 January 2016
update/upgrade cisco router image
*** Download image from Cisco website (you need a valid contract)
*** Backup
Your config
Your current image file
Your vlan.dat file
*** Make sure we have enough free space (Flash and RAM)
show flash
sh mem
dir
*** Connect to the inside interface or configure a free interface
Make sure you have an IP on the same network on your laptop you may need do a static assign
conf t
interface fa 0/0
ip address 172.17.19.219 255.255.255.0
wr
*** Copy the image file onto the router
copy tftp flash
IP of TFTP server (you can use serva or tftpd)
Source file name the full filename as it appears on the TFTP server
Destination file name what it will be saved on the router (leave the same)
Erase flash before copying ? N (if you have free space)
sh flash (verify your new image has been uploaded)
*** Set the boot variable
conf t
boot system flash file-name-of-ios-image.bin
eg
boot system disk0:c7200p-adventerprisek9-mz.152-4.M9.bin
sh run | i boot
If there is two remove the old one
no boot system flash old-ios-image.bin
copy run start
*** Reload the router
Before rebooting its a good idea to connect via console cable with logging turned on
This way if there is an issue you have a log file to upload to Cisco TAC
You can also watch the upgrade/boot progress and not panic while you are waiting ;)
reload
*** Verify
Once booted back up do
sh ver (to verify)
sh ver | i System image
Wednesday 20 January 2016
VPN encrypt drop
Everything looks good but packet tracer gives vpn encrypt drop.
Will always happen the first time run the PT again.
Look at the encryption domain on the VPN. Is the network you are trying to reach in there ?
Some people have mentioned its because the ACLs aren't a mirror image / don't match.
Will always happen the first time run the PT again.
Look at the encryption domain on the VPN. Is the network you are trying to reach in there ?
Some people have mentioned its because the ACLs aren't a mirror image / don't match.
Wednesday 13 January 2016
Allowing access to an fqdn on cisco ASA
You need to set up the DNS first
don't forget domain-name DomainYouWantToLook.Up
Create the object network myobj
fqdn domain.com
Check its resolving correctly with show dns
Create the ACL as normal use the fqdn keyword to insert your fqdn object
Run a packet tracer as a test.
Full details here
https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting
don't forget domain-name DomainYouWantToLook.Up
Create the object network myobj
fqdn domain.com
Check its resolving correctly with show dns
Create the ACL as normal use the fqdn keyword to insert your fqdn object
Run a packet tracer as a test.
Full details here
https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting
Tuesday 12 January 2016
setting up a span port
Connect with the console cable
Setup source and destination ports
https://supportforums.cisco.com/document/13891/how-configure-port-monitoring-span-catalyst-2940-2950-2955-2970-3550-or-3750-series
Run wire shark as admin
This example shows how to set up a SPAN session (session 1) for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared and then bidirectional traffic is mirrored from source port 1 to destination port 10:
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1q encapsulation:
This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN session 1 to monitor multiple source interfaces, and configure the destination RSPAN VLAN and the reflector-port:
Setup source and destination ports
https://supportforums.cisco.com/document/13891/how-configure-port-monitoring-span-catalyst-2940-2950-2955-2970-3550-or-3750-series
Run wire shark as admin
This example shows how to set up a SPAN session (session 1) for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared and then bidirectional traffic is mirrored from source port 1 to destination port 10:
Switch(config)# no monitor session 1 Switch(config)# monitor session 1 source interface fastEthernet0/1 Switch(config)# monitor session 1 destination interface fastEthernet0/10 encapsulation dot1q Switch(config)# end
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1q encapsulation:
Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q ingress vlan 5
This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN session 1 to monitor multiple source interfaces, and configure the destination RSPAN VLAN and the reflector-port:
Switch(config)# no monitor session 1 Switch(config)# monitor session 1 source interface fastEthernet0/10 tx Switch(config)# monitor session 1 source interface fastEthernet0/2 rx Switch(config)# monitor session 1 source interface fastEthernet0/3 rx Switch(config)# monitor session 1 source interface port-channel 102 rx Switch(config)# monitor session 1 destination remote vlan 901 reflector-port fastEthernet0/1 Switch(config)# end
This example shows how to configure VLAN 901 as the source remote VLAN and port 5 as the destination interface:
Switch(config)# monitor session 1 source remote vlan 901 Switch(config)# monitor session 1 destination interface fastEthernet0/5 Switch(config)# end
Monday 11 January 2016
Friday 8 January 2016
Subscribe to:
Posts (Atom)