18 Mar

VPN Ports

 

PPTP:
To allow PPTP tunnel maintenance (control channel) traffic, open TCP 1723.
To allow PPTP tunneled data to pass through the router, open IP protocol 47 (GRE). GRE has no ports, so a port-based rule cannot admit it; the rule must match the IP protocol number.

L2TP over IPsec:
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPsec NAT Traversal (NAT-T), open UDP 4500.
To allow L2TP traffic, open UDP 1701. With L2TP/IPsec the L2TP packets travel inside ESP, so a firewall in the path normally only sees UDP 500/4500 and ESP; the 1701 rule matters on the headend itself or when L2TP runs without IPsec.

OpenVPN:

OpenVPN defaults to UDP 1194; TCP 1194 is also common, so open both if you do not know which one the server uses:

Here’s the Cisco access list (IOS keywords: gre = IP protocol 47, pptp = TCP 1723, isakmp = UDP 500, non500-isakmp = UDP 4500):

permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701

IKE always starts on UDP 500. If either peer sits behind NAT, the peers detect it during IKE and move to UDP 4500 (NAT-T), so a NATted deployment needs both UDP 500 and UDP 4500 open, not 4500 alone.

If there is no NAT anywhere in the path, UDP 500 is enough for IKE.

For Phase 2 (the IPsec SAs) you must explicitly permit the IP protocol, not a port: ESP is IP protocol 50 and AH is IP protocol 51. When NAT-T is in use the ESP packets are instead carried inside UDP 4500, which the rule above already covers.

IPsec can use ESP (protocol 50) or AH (protocol 51). AH authenticates the outer IP header, so it breaks behind any kind of IPv4 NAT and is rarely used in a transform set.

UDP 5500, which appears in the list above, is not a standard port for IPsec, L2TP, PPTP or OpenVPN; drop that line unless your vendor documents a need for it.

Common Cisco ACL for allowing VPN traffic (50 = ESP, 51 = AH, 47 = GRE, 57 = SKIP, a legacy protocol you can leave out unless you still run it):

remark Allow VPN Traffic
permit udp any host [IPSec Headend] eq 500
permit udp any host [IPSec Headend] eq 4500
permit 50 any host [IPSec Headend]
permit 51 any host [IPSec Headend]
permit 47 any host [IPSec Headend]
permit 57 any host [IPSec Headend]
deny   ip any host [IPSec Headend]
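To check what an ACL like the ones above actually admits, here is an added example (not code from the original post): a small Python evaluator for extended-ACL lines that resolves the IOS keywords used on this page (gre, esp, ahp, isakmp, non500-isakmp, pptp), understands any/host/wildcard-mask addresses, applies first-match semantics and ends with the implicit deny. The headend address 203.0.113.10, the 192.0.2.0/24 client network and the extra OpenVPN entry are constructed sample data, not from the post.

```python
import ipaddress

# IOS keywords used on this page; numeric protocol and port values are accepted too.
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}

# Constructed sample: the headend ACL from the post with a hypothetical headend
# address (203.0.113.10) plus one wildcard-mask entry for an OpenVPN client subnet.
SAMPLE_ACL = """
remark Allow VPN Traffic
permit udp any host 203.0.113.10 eq isakmp
permit udp any host 203.0.113.10 eq non500-isakmp
permit 50 any host 203.0.113.10
permit 51 any host 203.0.113.10
permit gre any host 203.0.113.10
permit tcp any host 203.0.113.10 eq pptp
permit udp any host 203.0.113.10 eq 1701
permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq 1194
deny   ip any host 203.0.113.10
"""


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; non-contiguous masks raise ValueError.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port|keyword>' at tokens[i]; only 'eq' is supported here."""
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), i + 2
    return None, i


def parse_acl(text):
    """Turn extended-ACL lines into (permit, proto, src, sport, dst, dport) tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        proto_num = int(proto) if proto.isdigit() else PROTO_NAMES[proto]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        rules.append((action == "permit", proto_num, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto is not None and rproto != proto:   # 'ip' entries match every protocol
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return permit
    return False


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    headend = "203.0.113.10"
    print("IKE     ", evaluate(rules, 17, "198.51.100.5", headend, 1024, 500))
    print("ESP     ", evaluate(rules, 50, "198.51.100.5", headend))
    print("OpenVPN ", evaluate(rules, 17, "198.51.100.5", headend, 1024, 1194))
    print("SSH     ", evaluate(rules, 6, "198.51.100.5", headend, 40000, 22))
```

Protocol-number rules such as ESP carry no port, so `evaluate` is called without `sport`/`dport` for them; the OpenVPN probe from 198.51.100.5 is denied because the 1194 entry only matches the 192.0.2.0/24 source.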

11 Feb

FIB vs RIB

Terminology:
RIB – Routing Information Base
FIB – Forwarding Information Base

RIB
The routing protocols’ database of prefixes that could potentially be installed in the routing table.
It is built by the control plane and is not used to forward packets.
Each protocol (OSPF, EIGRP, BGP, ...) keeps its own RIB and offers its best candidates to the global RIB, which keeps one route per prefix (lowest administrative distance first, then lowest metric) for forwarding to use.
It is a selection of routing information learned via static definition or a dynamic routing protocol.
EX: show ip ospf database, show ip eigrp topology, show ip bgp, show ip route

FIB
The table a routing/switching device actually consults to choose the egress interface for a given packet.
Used for forwarding; its entries are derived from the RIB plus the adjacency table, so the packet can be rewritten with the correct Layer 2 encapsulation. On Cisco IOS this is the CEF table.
It is programmed from one or more RIBs.
EX: show ip cef, show adjacency
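As an added illustration (a simplified model, not IOS code), the Python below shows the two steps the terminology describes: each protocol’s candidates compete for one slot per prefix in the global RIB on administrative distance and then metric, and the FIB is the flattened result, sorted for longest-prefix match and joined with the adjacency table so a lookup yields the egress interface and rewrite MAC. The prefixes, next hops, interface names and MAC addresses are constructed sample data; the administrative distances are the Cisco IOS defaults.

```python
import ipaddress

# Cisco IOS default administrative distances (lower wins when two sources offer one prefix).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "rip": 120}

# Constructed sample: what each protocol's own RIB offers to the global RIB.
SAMPLE_CANDIDATES = [
    {"prefix": "10.0.0.0/8", "source": "ospf", "metric": 20, "next_hop": "192.0.2.1"},
    {"prefix": "10.0.0.0/8", "source": "ebgp", "metric": 0, "next_hop": "192.0.2.2"},
    {"prefix": "10.1.0.0/16", "source": "static", "metric": 0, "next_hop": "192.0.2.1"},
    {"prefix": "10.1.0.0/16", "source": "ospf", "metric": 30, "next_hop": "192.0.2.2"},
    {"prefix": "0.0.0.0/0", "source": "static", "metric": 0, "next_hop": "192.0.2.2"},
]

# Constructed adjacency table (what CEF glues onto the FIB): next hop -> egress rewrite info.
SAMPLE_ADJACENCIES = {
    "192.0.2.1": {"interface": "GigabitEthernet0/0", "mac": "00:00:5e:00:53:01"},
    "192.0.2.2": {"interface": "GigabitEthernet0/1", "mac": "00:00:5e:00:53:02"},
}


def build_rib(candidates):
    """Global RIB: one winner per prefix, chosen by (administrative distance, metric)."""
    rib = {}
    for c in candidates:
        prefix = str(ipaddress.ip_network(c["prefix"]))
        entry = {
            "source": c["source"],
            "ad": ADMIN_DISTANCE[c["source"]],
            "metric": c["metric"],
            "next_hop": c["next_hop"],
        }
        current = rib.get(prefix)
        if current is None or (entry["ad"], entry["metric"]) < (current["ad"], current["metric"]):
            rib[prefix] = entry
    return rib


def build_fib(rib, adjacencies):
    """FIB: RIB winners joined with the adjacency table, longest prefix first."""
    fib = []
    for prefix, route in rib.items():
        adj = adjacencies[route["next_hop"]]   # unresolved next hop -> KeyError, as CEF would glean/punt
        fib.append((ipaddress.ip_network(prefix), route["next_hop"], adj["interface"], adj["mac"]))
    fib.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return fib


def fib_lookup(fib, dst):
    """Longest-prefix match: the first (most specific) entry containing dst wins."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop, iface, mac in fib:
        if addr in net:
            return {"prefix": str(net), "next_hop": next_hop, "interface": iface, "rewrite_mac": mac}
    return None   # no default route: the packet is dropped


if __name__ == "__main__":
    rib = build_rib(SAMPLE_CANDIDATES)
    fib = build_fib(rib, SAMPLE_ADJACENCIES)
    for prefix, route in rib.items():
        print(f"RIB {prefix:14} via {route['next_hop']} [{route['ad']}/{route['metric']}] {route['source']}")
    for dst in ("10.1.5.5", "10.9.9.9", "198.51.100.7"):
        print("FIB", dst, "->", fib_lookup(fib, dst))
```

The 10.0.0.0/8 prefix is offered by both OSPF and eBGP; eBGP wins on administrative distance (20 versus 110) even though OSPF has the lower metric, which is the kind of outcome `show ip route` reports but `show ip ospf database` alone will not explain.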

10 Apr

Allowing tracert in Cisco ASA firewall

I was under the impression that allowing ICMP in the service policy would be enough for tracert to work through the ASA. It was not: Windows tracert sends ICMP echo requests with an increasing TTL and depends on the ICMP time-exceeded replies from every hop (and the final reply from the target) getting back in, and the ASA drops those replies unless they are explicitly permitted or ICMP inspection is enabled. After scouting around I found the tweaks below that make tracert run correctly.

1. Set decrement TTL (by default the ASA forwards packets without decrementing the TTL, so it never appears as a hop; this makes it show up in the trace)
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit

2. Permit the ICMP control messages traceroute depends on (time-exceeded from intermediate hops, unreachable from the destination)
ASA(config)# access-list inbound permit icmp any any time-exceeded
ASA(config)# access-list inbound permit icmp any any unreachable

3. Permit the outbound ICMP connection itself, which you should already have 😀
ASA(config)# access-list outbound permit icmp any any

Two caveats. `permit icmp any any` is wider than needed: `permit icmp any any echo` outbound is enough for Windows tracert. Linux and macOS traceroute send UDP probes to destination ports 33434 through 33534 by default instead of ICMP echo, so permit that UDP range outbound too (or run `traceroute -I` to use ICMP). Instead of the static entries in step 2 you can also enable `inspect icmp` and `inspect icmp error` under the same policy map; the ASA then admits only the time-exceeded and unreachable messages that belong to an inspected session and fixes up their embedded headers through NAT, which is the tighter option.

References:
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_fwall_icmp_insp.html

http://www.petenetlive.com/KB/Article/0000753.htm

01 Dec

Microsoft VPN PPTP client through Cisco ASA Firewall

Scenario:

Using the Microsoft Windows built-in VPN client to connect to a remote PPTP VPN server through a Cisco ASA firewall.

Symptom:

Error 619 (a connection to the remote computer could not be established)

Solution:

In the ASA firewall, enter the commands below. `inspect pptp` makes the ASA follow the TCP 1723 control channel and open a pinhole for the matching GRE data channel; the two ACL entries permit the client network's outbound control connection and GRE traffic on the inside interface.
ASA-active#conf t
ASA-active(config)#policy-map global_policy
ASA-active(config-pmap)# class inspection_default
ASA-active(config-pmap-c)#inspect pptp
ASA-active(config-pmap-c)#exit
ASA-active(config)#access-list $Inbound_Interface_ACL permit gre $source_ip/network any
ASA-active(config)#access-list $Inbound_Interface_ACL permit tcp $source_ip/network any eq pptp

Keep in mind that PPTP is a legacy protocol: its MS-CHAPv2 authentication and the MPPE keys derived from it can be recovered by an attacker who captures the handshake, so allow it through only for systems that cannot move to L2TP/IPsec, IKEv2 or an SSL VPN.

Common Troubleshooting in Windows VPN Client

1. Open VPN Properties window, go to Security tab.
2. Change “Type of VPN” to PPTP

15 Jan

IOS Tips

Some very useful IOS tips, collected from PacketLife:

Keyboard shortcuts

These shortcuts can be used to speed up operating with the CLI:

Ctrl+B or Left Move the cursor one character to the left
Ctrl+F or Right Move the cursor one character to the right
Esc, B Move the cursor one word to the left
Esc, F Move the cursor one word to the right
Ctrl+A Move cursor to the beginning of the line
Ctrl+E Move cursor to the end of the line
Ctrl+P or Up Retrieve last command from history
Ctrl+N or Down Retrieve next command from history
Ctrl+T Swap the current character with the one before it
Ctrl+W Erase one word
Ctrl+U Erase the entire line
Ctrl+K Erase all characters from the current cursor position to the end of the line
Ctrl+X Erase all characters from the current cursor position to the beginning of the line
Ctrl+L Reprint the line
Ctrl+C Exit configuration mode
Ctrl+Z Apply the current command and exit configuration mode

Filter output

Most show commands support filtering with the pipe (|) character, allowing a user to display only the information he’s looking for.

Switch# show interface status | include notconnect
Gi1/0/7                         notconnect   1          auto   auto 10/100/1000BaseTX
Gi1/0/9                         notconnect   1          auto   auto 10/100/1000BaseTX
Gi1/0/22                        notconnect   1          auto   auto 10/100/1000BaseTX

Filter options are include, exclude, and begin. The remaining characters after one of these filter types is processed as a regular expression, which could be a simple string (as in the example above) or something a bit more complex. The example below demonstrates filtering for interface numbers and any assigned IP addresses.

Switch# show run | include interface|ip address
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
interface FastEthernet1
interface FastEthernet2
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
interface FastEthernet3

You can also filter by section. Thanks to Carl Baccus for reminding me to include this.

R1# show run | section bgp
router bgp 100
 no synchronization
 redistribute connected
 neighbor 172.16.0.2 remote-as 200
 neighbor 172.16.0.9 remote-as 300
 no auto-summary

Skip through the configuration

You can begin viewing a configuration with the begin filter:

Router# show run | begin interface
interface FastEthernet0/0
 no ip address
 shutdown
...

You can also skip forward to a certain line once you’ve already begun viewing the configuration by hitting / at the --More-- prompt, followed by the string you want to match:

Router# sh run
Building configuration...

Current configuration : 601 bytes
!
version 12.4
...
!
!
/interface
filtering...
interface FastEthernet0/0
 no ip address
 shutdown
...

Do the do

Exec commands can be issued from within configuration mode via the do command. This can be handy for double-checking the current configuration before applying any changes.

Switch(config-if)# do show run int f0
Building configuration...

Current configuration : 31 bytes
!
interface FastEthernet0
description Internal LAN
ip address 172.16.0.1 255.255.0.0
end

Insert question marks

You can insert question marks into literal strings (such as interface descriptions) by typing CTRL+V immediately before the question mark. This acts as an escape character and prevents the command line from summoning the help menu.

Switch(config-if)# description Where does this go[ctrl+v]?

The interface description will appear as “Where does this go?”

Disable domain lookup on typos

Don’t you hate it when this happens?

Switch# shrun
Translating "shrun"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address

You can disable automatic DNS lookups with no ip domain-lookup, which will remove the delay before returning a new console prompt. However, this will also prevent you from referencing remote hosts by name, for example when telneting.

Switch(config)# no ip domain-lookup
...
Switch# shrun
Translating "shrun"
% Unknown command or computer name, or unable to find computer address

Another option is to leave DNS enabled, but configure your console ports and vtys to have no preferred transport for logging in to remote devices.

Router(config)# line console 0
Router(config-line)# transport preferred none
...
Router# asdfxyz
              ^
% Invalid input detected at '^' marker.

Router#

You can no longer telnet by typing an IP address on the console, instead use the “telnet” or “ssh” commands for connecting to the desired hostname or ip address.

Synchronous logging

When logging to the console is enabled, a Cisco device will often dump messages directly to the screen. This can become irritating when it interrupts you in the midst of typing a command. (FYI, you can continue typing normally and the command will still take, but this still throws some people off.)

Synchronous logging can be enabled to “clean up” the CLI when this happens, outputting a fresh prompt below the message, along with any partially completed command.

Switch(config)# line con 0
Switch(config-line)# logging synchronous
Switch(config)# line vty 0 15
Switch(config-line)# logging synchronous

Revert a configuration to its default

The default command, called from global configuration, can be used to revert any part of a configuration to its default value (which is often nothing). For example, it can be used to remove all configuration from a particular interface:

Switch(config)# default g1/0/5
Interface GigabitEthernet1/0/5 set to default configuration
Switch(config)# ^Z
Switch# show run int g1/0/5
Building configuration...

Current configuration : 38 bytes
!
interface GigabitEthernet1/0/5
end

Show only applied access lists

For reasons unknown to me, IOS doesn’t include a command to view what interfaces have ACLs applied. The closest we can get is drudging through the entire output of show ip interface. But, with a little ingenuity and the help of regular expressions, we can summon an efficient view of where our ACLs are applied.

Switch# sh ip int | inc line protocol|access list is [^ ]+$
FastEthernet0 is up, line protocol is down
FastEthernet1 is up, line protocol is up
  Inbound  access list is prohibit-web
FastEthernet2 is up, line protocol is up
  Inbound  access list is 42
FastEthernet3 is up, line protocol is down
FastEthernet4 is up, line protocol is up

For those curious, the regex above matches a line which either a) contains the string “line protocol”, or b) contains the string “access list is ” followed by a single word. This matches an ACL number or name (which can’t contain spaces) but not “not set”.

Speed up running-config display

When the show running-config command is issued, the output has to be assembled from numerous values in memory into the human-friendly display you see on the CLI. Unfortunately, the longer your configuration is, the more time this takes. IOS 12.3T introduced a feature to cache the running configuration text for quicker output:

Router(config)# parser config cache interface

Changing the break character to Ctrl+C

Router(config)# line vty 0 15
Router(config-line)# escape-character 3
Router(config)# line con 0
Router(config-line)# escape-character 3

Show running configuration with all defaults

Append the full command to show running-config to include all the default statements which are normally hidden for brevity.

Reload command

One of the classic mistakes is to incorrectly update an access-list on an interface when you are connected to the device remotely. And suddenly, the Telnet connection is dropped to the router because of a forgotten list entry that would permit your incoming connection.

When you are doing something tricky, you can use the following feature of the reload command, which causes the router to reboot in a certain number of minutes. For example, let’s tell the router to reboot in three minutes.

Router# reload in 3
    Reload scheduled in 3 minutes
Proceed with reload? [confirm]

Now, we have three minutes to do what we need to do. Let’s say we are applying an access-list to serial0.

Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial0
Router(config-if)# ip access-group 110 in
Router(config-if)# ^Z

We made the change and everything still works (well, at least our connection wasn’t dropped). Now all we have to do is cancel the impending reload with the following command:

Router# reload cancel

If the reload is not canceled, all the changes made will be discarded since they only exist in the running configuration. This is a blunt safety net: the whole box reboots, and any other unsaved change is lost with it. On IOS releases that support configuration rollback (the archive feature), `configure terminal revert timer 3` gives the same protection without a reload: the router reverts to the archived configuration after three minutes unless you issue `configure confirm`.

Decrypting type-7 passwords on the device itself

Type 7 is reversible obfuscation (a fixed XOR key stream), not encryption; anyone who can read the configuration can recover the password, which is exactly what this trick relies on. Use `secret` (a salted hash; type 5, 8 or 9 depending on release) for enable and local user passwords, and keep type 7 only for keys that must be recoverable, such as key chains. Because the key-chain output prints the recovered string in quotes, it is also a good way to catch trailing spaces within passwords:

Router(config)#username user1 password 0 pass1word
Router#sh run | inc username
username user1 password 0 pass1word

Router(config)#service password-encryption
Router#sh run | inc username
username user1 password 7 06160E325F1F1E161713

then

Router(config)# key chain TEST
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string 7 06160E325F1F1E161713

Router(config-keychain-key)#sh key chain TEST
Key-chain TEST:
    key 1 -- text "pass1word"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
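The same recovery can be done off-box. The Python below is an added example, not from the post or from Cisco: it implements the type-7 scheme (a two-digit decimal seed, then each byte XORed with a fixed key stream at offset seed + i) using the key stream published in community decoders, decodes the string from the example above, re-encodes it, and flags trailing whitespace, which is the problem the key-chain trick is meant to catch.

```python
# Cisco type-7 key stream (assumption: the well-known constant published in
# community decoders; it is not taken from any Cisco source).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a 'password 7' string: 2-digit decimal seed, then hex bytes
    XORed with the key stream starting at the seed offset."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext, seed=0):
    """Produce the same obfuscation IOS applies under 'service password-encryption'."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    raw = plaintext.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


def has_trailing_whitespace(encoded):
    """The failure mode the post is about: a pasted password with a trailing
    space or tab that only becomes visible once the string is decoded."""
    plain = type7_decode(encoded)
    return plain != plain.rstrip()


if __name__ == "__main__":
    sample = "06160E325F1F1E161713"   # the 'password 7' string from the post
    print(repr(type7_decode(sample)), "trailing whitespace:", has_trailing_whitespace(sample))
```

Print the result with `repr()` rather than bare `print()`, as the `__main__` block does, so that a trailing space is visible inside the quotes; the seed only shifts where the key stream starts, which is why the same password encodes differently on different devices while remaining trivially recoverable.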

Using command aliases

You can speed up your routine operations in IOS if you create aliases for often-used commands, for example:

Router(config)# alias exec sip show ip interface brief
Router(config)# exit
Router#  sip
Interface           IP-Address            OK? Method Status              Protocol
FastEthernet0/0     192.168.0.1           YES manual up                  up