04 Jul

BGP as-path regular expressions

A regular expression is a character pattern that can be matched against an input string. Regular expressions can be built from letters (A through Z, a through z), numbers (0 through 9) and other keyboard characters, such as the exclamation point (!) or the tilde (~). A regular expression can be a single-character pattern or a multiple-character pattern. Certain keyboard characters, such as the caret (^) and the dollar sign ($), have special meaning and allow complex regular expressions to be built. A character with special meaning can be used as a plain character by preceding it with a backslash (\). When a Border Gateway Protocol (BGP) update leaves an Autonomous System (AS), the AS path attribute of the route is updated: the AS number of that AS is prepended to the existing list of AS numbers. BGP can be configured to use regular expressions for route filtering based on the AS path attribute.

Range

A range is a sequence of characters contained within left and right square brackets. For example: [abcd]

Atom

An atom is a single character, such as the following:

. (Matches any single character)

^ (Matches the beginning of the input string)

$ (Matches the end of the input string)

\ (Matches the character)

_ (Matches a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, or a space)

Piece

A piece is an atom followed by one of the following symbols:

* (Matches 0 or more sequences of the atom)

+ (Matches 1 or more sequences of the atom)

? (Matches the atom or the null string)

Branch

A branch is 0 or more concatenated pieces.

Examples of regular expressions follow:

a* (Any occurrence of the letter “a”, including none)

a+ (At least one occurrence of the letter “a” must be present)

ab?a (This matches “aa” or “aba”)

_100_ (Via AS100)

_100$ (Origin AS100)

^100 .* (Coming from AS100)

^$ (Originated from this AS)
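As an added example (not part of the original post), the following Python translates Cisco-style AS-path expressions into standard regex by mapping the `_` atom to the alternatives listed above, then runs the sample expressions against constructed AS paths; the helper names are my own.

```python
import re

# Cisco's "_" atom matches a comma, a brace, a space, or the beginning or end
# of the AS path (see the Atom list above); the rest is ordinary regex syntax.
UNDERSCORE = r"(?:^|$|[ ,{}])"

def to_python_regex(aspath_regex: str) -> str:
    """Translate a Cisco-style AS-path regular expression into a Python one."""
    out, escaped = [], False
    for ch in aspath_regex:
        if escaped:                       # "\_" keeps the underscore literal
            out.append(re.escape(ch))
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "_":
            out.append(UNDERSCORE)
        else:
            out.append(ch)
    return "".join(out)

def matches(aspath_regex: str, as_path: str) -> bool:
    """True if the AS path (ASNs separated by spaces, "" if locally
    originated) matches the Cisco-style expression."""
    return re.search(to_python_regex(aspath_regex), as_path) is not None

def filter_paths(aspath_regex: str, paths):
    """Return the AS paths a route filter using this expression would match."""
    return [p for p in paths if matches(aspath_regex, p)]

# Constructed sample AS paths as a router displays them: the AS the update
# was received from comes first, the originating AS last.
SAMPLE_PATHS = [
    "",               # originated in this AS
    "100",            # received from AS100, which also originated it
    "100 200 300",    # received from AS100, originated by AS300
    "200 100 300",    # passes through AS100
    "200 300 100",    # originated by AS100
    "1100 200",       # AS1100 must not match _100_
]

if __name__ == "__main__":
    for expr in ("_100_", "_100$", "^100 .*", "^$"):
        print(f"{expr:10} -> {filter_paths(expr, SAMPLE_PATHS)}")
```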

Refer to Using Regular Expressions in BGP for sample configurations of regular-expression filtering.

To test in a live network, use a public looking glass server:
https://www.netdigix.com/servers.html

Additional readings:

http://www.quagga.net/docs/docs-multi/AS-Path-Regular-Expression.html

http://www.cisco.com/warp/public/459/26.html

http://www.avici.com/documentation/HTMLDocs/02223-06_revBA/Routing_Pol7.html

18 Mar

VPN Ports


PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through the router, open Protocol ID 47 (GRE).

L2TP over IPSec:
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec NAT Traversal (NAT-T), open UDP 4500.
To allow L2TP traffic, open UDP 1701.

OpenVPN:

OpenVPN uses port 1194, UDP and TCP.

Here’s the Cisco access list (gre = Protocol ID 47, pptp = 1723, isakmp = 500, non500-isakmp = 4500):

permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701

If either peer is behind NAT, you need to open UDP port 4500 for ISAKMP (NAT-T).

If no NAT is involved, you need to open UDP port 500 for ISAKMP.

For Phase 2 you also need to explicitly open the specific protocols, which are IP protocol numbers rather than ports: ESP (protocol 50) and AH (protocol 51).

IPSec can use ESP (protocol 50) or AH (protocol 51). AH breaks when used with any type of NAT on IPv4, so it is rarely used in a transform set.

Common Cisco ACL for allowing VPN traffic:

remark Allow VPN Traffic
permit udp any host [IPSec Headend] eq 500
permit udp any host [IPSec Headend] eq 4500
permit 50 any host [IPSec Headend]
permit 51 any host [IPSec Headend]
permit 47 any host [IPSec Headend]
permit 57 any host [IPSec Headend]
deny   ip any host [IPSec Headend]
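Added example, not from the post: a small Python evaluator for the ACL syntax above (any/host addresses, the gre/isakmp/non500-isakmp/pptp keywords, `eq` ports, implicit deny at the end) that applies the headend ACL to sample flows; the headend address 198.51.100.1 and the function names are constructed here. It also shows why a UDP entry for "port 50" would not admit ESP, which is an IP protocol.

```python
# Protocol keywords used in the access lists above ("ip" matches any protocol)
# and the port keywords IOS substitutes for well-known port numbers.
PROTOCOLS = {"ip": None, "gre": 47, "tcp": 6, "udp": 17}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}

def _addr(tokens):
    """Consume 'any' or 'host X'; return (matcher, tokens used)."""
    if tokens[0] == "any":
        return (lambda a: True), 1
    if tokens[0] == "host":
        return (lambda a, want=tokens[1]: a == want), 2
    raise ValueError(f"unsupported address form: {tokens[:2]}")

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        proto = PROTOCOLS[tok[1]] if tok[1] in PROTOCOLS else int(tok[1])
        src, n = _addr(tok[2:])
        dst, m = _addr(tok[2 + n:])
        rest, port = tok[2 + n + m:], None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rules.append((tok[0], proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if ((rproto is None or rproto == proto) and rsrc(src) and rdst(dst)
                and (rport is None or rport == dport)):
            return action
    return "deny"

HEADEND = "198.51.100.1"   # constructed stand-in for [IPSec Headend]
VPN_ACL = f"""
remark Allow VPN Traffic
permit udp any host {HEADEND} eq isakmp
permit udp any host {HEADEND} eq non500-isakmp
permit 50 any host {HEADEND}
permit 51 any host {HEADEND}
permit 47 any host {HEADEND}
deny ip any host {HEADEND}
"""
RULES = parse_acl(VPN_ACL)
```

Call `evaluate(RULES, 17, "203.0.113.5", HEADEND, 500)` for IKE or `evaluate(RULES, 50, "203.0.113.5", HEADEND)` for ESP; both return "permit", while UDP to port 50 falls through to deny.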

11 Feb

FIB vs RIB

Terminology:
RIB – Routing Information Base
FIB – Forwarding Information Base

RIB
This is the routing protocols' database of prefixes that could potentially be installed in the routing table.
Derived from the control plane, it is not used for forwarding.
Every protocol (OSPF, EIGRP, BGP, etc.) has its own RIB and selects its best candidates to try to install into the global RIB, from which they can then be selected for forwarding.
It is a selection of routing information learned via static definition or a dynamic routing protocol.
Examples: show ip ospf database, show ip eigrp topology, show ip bgp, etc.

FIB
The actual information that a routing/switching device uses to choose the interface a given packet will use for egress.
Used for forwarding; its information is derived from the RIB and from adjacency tables so that the packet can be rewritten with the correct encapsulation.
It is programmed from one or more RIBs.
Example: show ip cef
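Added illustration (not from the post) in Python of the RIB-to-FIB relationship described above: per-protocol candidates compete in the global RIB by administrative distance, the FIB is programmed only for next hops resolved in the adjacency table, and forwarding is a longest-prefix match. The prefixes, next hops and interface names are constructed.

```python
import ipaddress

# Administrative distance of each route source (Cisco defaults; lower wins).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "bgp": 200}

def build_global_rib(protocol_ribs):
    """Each protocol offers its best candidate per prefix; the global RIB
    keeps the candidate with the lowest administrative distance."""
    rib = {}
    for proto, candidates in protocol_ribs.items():
        for prefix, next_hop in candidates.items():
            ad = ADMIN_DISTANCE[proto]
            if prefix not in rib or ad < rib[prefix]["ad"]:
                rib[prefix] = {"next_hop": next_hop, "proto": proto, "ad": ad}
    return rib

def build_fib(rib, adjacency):
    """The FIB holds only what the data plane needs: prefix -> egress
    interface and rewrite info, resolved through the adjacency table.
    A RIB entry whose next hop has no adjacency cannot be programmed."""
    fib = {}
    for prefix, entry in rib.items():
        if entry["next_hop"] in adjacency:
            fib[ipaddress.ip_network(prefix)] = adjacency[entry["next_hop"]]
    return fib

def forward(fib, dst_ip):
    """Longest-prefix match: returns (egress interface, next-hop MAC) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = max((n for n in fib if dst in n), key=lambda n: n.prefixlen, default=None)
    return fib[best] if best is not None else None

# Constructed input: each protocol's own best candidates (prefix -> next hop).
PROTOCOL_RIBS = {
    "ospf":  {"10.1.0.0/16": "192.0.2.1", "10.1.5.0/24": "192.0.2.1"},
    "eigrp": {"10.1.0.0/16": "192.0.2.2"},
    "bgp":   {"10.1.5.0/24": "192.0.2.3", "0.0.0.0/0": "192.0.2.3"},
}
# Constructed adjacency table: next hop -> (egress interface, next-hop MAC).
ADJACENCY = {
    "192.0.2.1": ("GigabitEthernet0/1", "00:00:5e:00:53:01"),
    "192.0.2.2": ("GigabitEthernet0/2", "00:00:5e:00:53:02"),
    # 192.0.2.3 is not resolved yet, so BGP's routes stay RIB-only.
}
RIB = build_global_rib(PROTOCOL_RIBS)
FIB = build_fib(RIB, ADJACENCY)
```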

10 Apr

Allowing tracert in Cisco ASA firewall

I was under the impression that allowing ICMP in the service policy would enable tracert to work. I was wrong. After scouting around I found the tweaks below that enable tracert to run correctly.

1. Set decrement TTL
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit

2. Permit icmp control messages
ASA(config)# access-list inbound permit icmp any any time-exceeded
ASA(config)# access-list inbound permit icmp any any unreachable

3. Permit icmp connection, which you should already have 😀
ASA(config)# access-list outbound permit icmp any any
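The three steps above, as an added simulation (not from the post) in Python of a UDP-style traceroute from inside an ASA: probes expire hop by hop, and every ICMP reply has to cross the ASA on the way back. Hop names are constructed; Windows tracert differs only in that the destination answers with an echo reply instead of port unreachable.

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    name: str
    decrement_ttl: bool = True     # routers always do; an ASA only with decrement-ttl
    firewall: bool = False         # a firewall filters replies heading back inside
    inbound_icmp: set = field(default_factory=set)   # ICMP types permitted inbound

def probe(path, ttl):
    """One probe from inside towards the last hop; returns
    (name of the hop that answered or '*', True if the destination answered)."""
    replier = kind = None
    for idx, hop in enumerate(path):
        if idx == len(path) - 1:             # destination: port unreachable
            replier, kind = idx, "unreachable"
            break
        if hop.decrement_ttl:
            ttl -= 1
            if ttl == 0:                     # TTL expired at this hop
                replier, kind = idx, "time-exceeded"
                break
    # The ICMP reply travels back through every hop between the replier
    # and us; a firewall on that return path drops types it does not permit.
    for hop in reversed(path[:replier]):
        if hop.firewall and kind not in hop.inbound_icmp:
            return "*", False
    return path[replier].name, kind == "unreachable"

def traceroute(path, max_ttl=8):
    """Hop list as the user sees it, '*' for every probe that timed out."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        name, reached = probe(path, ttl)
        seen.append(name)
        if reached:
            break
    return seen

# Constructed topology: our ASA, two upstream routers, then the destination.
def build_path(asa_decrements, asa_inbound_icmp):
    asa = Hop("ASA", decrement_ttl=asa_decrements, firewall=True,
              inbound_icmp=set(asa_inbound_icmp))
    return [asa, Hop("R1"), Hop("R2"), Hop("DEST")]

BEFORE = traceroute(build_path(False, []))                               # ASA defaults
AFTER = traceroute(build_path(True, ["time-exceeded", "unreachable"]))   # steps 1 and 2
NO_DEC = traceroute(build_path(False, ["time-exceeded", "unreachable"])) # step 2 only
```

With the defaults every probe times out; with step 2 alone the trace works but the ASA is invisible, and step 1 makes it show up as a hop.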

References:
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_fwall_icmp_insp.html

http://www.petenetlive.com/KB/Article/0000753.htm

01 Dec

Microsoft VPN PPTP client through Cisco ASA Firewall

Scenario:

Using Microsoft Windows built in VPN Client to connect to remote PPTP VPN server through Cisco ASA firewall.

Symptom:

Error 619

Solution:

In the ASA firewall, enter the commands below.
ASA-active#conf t
ASA-active(config)#policy-map global_policy
ASA-active(config-pmap)# class inspection_default
ASA-active(config-pmap-c)#inspect pptp
ASA-active(config-pmap-c)#exit
ASA-active(config)#access-list $Inbound_Interface_ACL permit gre $source_ip/network any
ASA-active(config)#access-list $Inbound_Interface_ACL permit tcp $source_ip/network any eq pptp

Common Troubleshooting in Windows VPN Client

1. Open VPN Properties window, go to Security tab.
2. Change “Type of VPN” to PPTP
