Wednesday, January 30, 2013

Resolving Cisco Router/Switch Tftp Problems: Source IP Address - The 'IP TFTP Source-Interface' Command

 
Resolving Cisco Router/Switch Tftp Problems: Source IP Address - The 'IP TFTP Source-Interface' Command
 
   
When working with Cisco equipment that has multiple ip interfaces, a common problem engineers are faced with is trying to successfully tftp to or from the Cisco device. This issue is usually encountered when the Cisco device (router or multi-layer switch) uses a different source IP address which cannot reach our TFTP Server's IP address or is blocked due to access lists.
 
Luckily, there is a way around this problem, and it’s a simple one.
 
To ensure your Cisco router or multi-layer switch uses the correct interface during any tftp session, use the ip tftp source-interface command to specify the source-interface that will be used by the device.
 
The following example instructs our Cisco 3750 Layer 3 switch to use VLAN 5 interface as the source ip interface for all tftp sessions:
 
3750G-Stack(config)# ip tftp source-interface vlan 5
 
As shown below, VLAN 5 has IP address 192.168.131.1 assigned to it, therefore this IP address will be the source interface from now on:
 
  • 3750G-Stack# show ip interface brief
  • Interface IP-Address OK? Method Status Protocol
  • Vlan1 192.168.50.1 YES NVRAM up up
  • Vlan2 192.168.130.1 YES NVRAM up up
  • Vlan3 192.168.135.1 YES NVRAM up up
  • Vlan4 192.168.19.1 YES NVRAM up up
  • Vlan5 192.168.131.1 YES NVRAM up up
  • Vlan6 192.168.141.1 YES NVRAM up up
  • Vlan7 192.168.170.1 YES NVRAM up up
  • Vlan8 192.168.180.1 YES NVRAM up up
 
 

Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode

 
Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode
 
 
 
GRE Tunnels are very common amongst VPN implementations thanks to their simplicity and ease of configuration. With broadcasting and multicasting support, as opposed to pure IPSec VPNs, they tend to be the number one engineers' choice, especially when routing protocols are used amongst sites.
 
The problem with GRE is that it is an encapsulation protocol, which means that while it does a terrific job providing connectivity between sites, it does a terrible job encrypting the data being transferred between them. GRE is stateless, offering no flow control mechanisms (think of UDP). This is where the IPSec protocol comes into the picture.
 
IPSec’s objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality. IPSec is extensively covered in our IPSec protocol article.
 
IPSec can be used in conjunction with GRE to provide top-notch security encryption for our data, thereby providing a complete secure and flexible VPN solution. IPSec can operate in two different modes, Tunnel mode and Transport mode. Both of these modes are covered extensively in our Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode article. Additionally, Cisco GRE Tunnel configuration is covered in our Configuring Cisco Point-to-Point GRE Tunnels. We highly recommend reading these articles before proceeding as it is a prerequisite for understanding the information covered here.
 
As with IPSec, when configuring GRE with IPSec there are two modes in which GRE IPSec can be configured, GRE IPSec Tunnel mode and GRE IPSec Transport mode.
 
This article examines the difference between GRE IPSec Tunnel and GRE IPSec Transport mode, and explains the packet structure differences along with the advantages and disadvantages of each mode.
 
GRE IPSec Tunnel Mode
 
With GRE IPSec tunnel mode, the whole GRE packet (which includes the original IP header packet), is encapsulated, encrypted and protected inside an IPSec packet. GRE over IPSec Tunnel mode provides additional security because no part of the GRE tunnel is exposed, however, there is a significant overhead added to the packet. This additional overhead decreases the usable free space for our payload (Original IP packet), that means possibly more fragmentation will occur when transmitting data over a GRE IPSec Tunnel VPN.
 
IPSec Tunnel mode is the default configuration option for both GRE and non-GRE IPSec VPNs. When configuring the IPSec transform set, no other configuration commands are required to enable tunnel mode:
 
  • R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
 
Calculating GRE IPSec Tunnel Mode Overhead
 
Calculating the overhead will help us understand how much additional space GRE over IPSec in Tunnel mode requires and our effective usable space.
 
The packet structure below shows an example of a GRE over IPSec in Tunnel mode:
 
Two important points to keep in mind when calculating the overhead:
 
Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) shown could be 8 or 16 bytes long. For example DES or 3DES introduces an 8-byte IV field, where as AES introduces a 16-byte IV field. In our example, we are using 3DES encryption, therefore producing a 8-byte IV field.
 
The ESP Trailer will usually vary in size. Its job is to ensure that the Pad Length, Next Header fields (both 1-byte long and contained within the ESP Trailer) & ESP Auth.Trailer are aligned on a 4-byte boundary. This means the total number of bytes, when adding the three fields together, must be a multiple of 4.
 
Following is the calculated overhead:
 
ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes
 
Note: ESP Trailer has been calculated as 4 bytes as per above note.
 
GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
 
Total Overhead: 52 + 24 = 76 Bytes
 
GRE IPSec Transport Mode
 
With GRE IPSec transport mode, the GRE packet is encapsulated and encrypted inside the IPSec packet, however, the GRE IP Header is placed at the front. This effectively exposes the GRE IP Header as it is not encrypted the same way it is in Tunnel mode.
 
IPSec Transport mode is not used by default configuration and must be configured using the following command under the IPSec transform set:
 
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
 
 
 
 
 
GRE IPSec transport mode does have a few implementation restrictions. It is not possible to use GRE IPSec transport mode if the crypto tunnel transits a device using Network Address Translation (NAT) or Port Address Translation (PAT). In such cases, Tunnel mode must be used.
 
Finally, if the GRE tunnel endpoints and Crypto tunnel endpoints are different, GRE IPSec transport mode cannot be used.
 
These limitations seriously restrict the use and implementation of the transport mode in a WAN network environment.
 
Calculating GRE IPSec Transport Mode Overhead
 
Calculating the overhead will help us understand how much space GRE over IPSec in Transport mode uses and our effective usable space.
 
 
The packet structure below shows an example of GRE over IPSec in transport mode:
 
 
 
 
 
Again, two important points that must kept in mind when calculating the overhead:
 
Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) shown could be 8 or 16 bytes long. For example DES or 3DES introduces an 8-byte IV field, where as AES introduces a 16-byte IV field. In our example, we are using 3DES encryption, therefore producing a 8-byte IV field.
 
The ESP Trailer will usually vary in size. Its job is to ensure that the Pad Length, Next Header fields (both 1-byte long and contained within the ESP Trailer) & ESP Auth.Trailer are aligned on a 4-byte boundary. This means the total number of bytes, when adding the three fields together, must be a multiple of 4.
 
Following is the calculated overhead:
 
ESP Overhead: 20 (IP Hrd) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes
 
Note: ESP Trailer has been calculated as 4 bytes as per above note.
 
GRE Overhead: 4 (GRE) = 4 Bytes
 
Total Overhead: 52 + 4 = 56 Bytes
 
It is evident that GRE IPSec Transport mode saves approximately 20 bytes per packet overhead. This might save a moderate amount of bandwidth on a WAN link, however, there is no significant increase in CPU performance by using this mode.
 
Conclusion
 
When comparing GRE over IPSec tunnel and GRE over IPSec transport mode, there are significant differences that cannot be ignored.
 
If the GRE tunnels and crypto endpoints are not the same (IP address wise), transport mode in definitely not an option.
 
If packets traverse a device (router) where NAT or PAT is used then again, transport mode cannot be used.
 
On the other hand, tunnel mode seems to pay-off its 20-byte additional overhead by being flexible enough to be used in any type of WAN environment and offering increased protection by encrypting the GRE IP Header inside the ESP packet.
 
Taking in consideration the small additional CPU load the tunnel mode produces and advantages it offers, we don’t believe it’s a coincidence Cisco has selected this mode in IPSec’s default configuration.
 

Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels

 
Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels
 
 
 
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that allows the encapsulation of a wide variety of network layer protocols inside point-to-point links.
 
A GRE tunnel is used when packets need to be sent from one network to another over the Internet or an insecure network. With GRE, a virtual tunnel is created between the two endpoints (Cisco routers) and packets are sent through the GRE tunnel.
 
It is important to note that packets travelling inside a GRE tunnel are not encrypted as GRE does not encrypt the tunnel but encapsulates it with a GRE header. If data protection is required, IPSec must be configured to provide data confidentiality – this is when a GRE tunnel is transformed into a secure VPN GRE tunnel.
 
The diagram below shows the encapsulation procedure of a simple - unprotected GRE packet as it traversers the router and enters the tunnel interface:
 
 
 
While many might think a GRE IPSec tunnel between two routers is similar to a site to site IPSec VPN (crypto), it is not. A major difference is that GRE tunnels allow multicast packets to traverse the tunnel whereas IPSec VPN does not support multicast packets. In large networks where routing protocols such as OSPF, EIGRP are necessary, GRE tunnels are your best bet. For this reason, plus the fact that GRE tunnels are much easier to configure, engineers prefer to use GRE rather than IPSec VPN.
 
This article will explain how to create simple (unprotected) and secure (IPSec encrypted) GRE tunnels between endpoints. We explain all the necessary steps to create and verify the GRE tunnel (unprotected and protected) and configure routing between the two networks.
 
 
 
 
Creating a Cisco GRE Tunnel
 
GRE tunnel uses a ‘tunnel’ interface – a logical interface configured on the router with an IP address where packets are encapsulated and decapsulated as they enter or exit the GRE tunnel.
 
First step is to create our tunnel interface on R1:
 
  • R1(config)# interface Tunnel0
  •  
  • R1(config-if)# ip address 172.16.0.1 255.255.255.0
  •  
  • R1(config-if)# ip mtu 1400
  •  
  • R1(config-if)# ip tcp adjust-mss 1360
  •  
  • R1(config-if)# tunnel source 1.1.1.10
  •  
  • R1(config-if)# tunnel destination 2.2.2.10
 
All Tunnel interfaces of participating routers must always be configured with an IP address that is not used anywhere else in the network. Each Tunnel interface is assigned an IP address within the same network as the other Tunnel interfaces.
 
In our example, both Tunnel interfaces are part of the 172.16.0.0/24 network.
 
Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (mtu) to 1400 bytes and maximum segment size (mss) to 1360 bytes. Because most transport MTUs are 1500 bytes and we have an added overhead because of GRE, we must reduce the MTU to account for the extra overhead. A setting of 1400 is a common practice and will ensure unnecessary packet fragmentation is kept to a minimum.
 
Closing, we define the Tunnel source, which is R1’s public IP address, and destination – R2’s public IP address
 
As soon as we complete R1’s configuration, the router will confirm the creation of the tunnel and inform about its status:
 
R1#
*May 4 21:30:22.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
 
Since the Tunnel 0 interface is a logical interface it will remain up even if there is no GRE tunnel configured or connected at the other end.
 
Next, we must create the Tunnel 0 interface on R2:
 
  • R2(config)# interface Tunnel0
  •  
  • R2(config-if)# ip address 172.16.0.2 255.255.255.0
  •  
  • R2(config-if)# ip mtu 1400
  •  
  • R2(config-if)# ip tcp adjust-mss 1360
  •  
  • R2(config-if)# tunnel source 2.2.2.10
  •  
  • R2(config-if)# tunnel destination 1.1.1.10
 
R2’s Tunnel interface is configured with the appropriate tunnel source and destination IP address. As with R1, R2 router will inform us that the Tunnel0 interface is up:
 
R2#
*May 4 21:32:54.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Routing Networks Through the GRE Tunnel
 
At this point, both tunnel endpoints are ready and can ‘see’ each other. An icmp echo from one end will confirm this:
 
R1# ping 172.16.0.2
 
Type escape sequence to abort.
 
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
 
!!!!!
 
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
R1#
 
Again, this result means that the two tunnel endpoints can see each other. Workstations on either network will still not be able to reach the other side unless a static route is placed on each endpoint:
 
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2
 
On R1 we add a static route to the remote network 192.168.2.0/24 via 172.16.0.2 which is the other end of our GRE Tunnel. When R1 receives a packet for 192.168.2.0 network, it now knows the next hop is 172.16.0.2 and therefore will send it through the tunnel.
 
The same configuration must be repeated for R2:
 
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1
 
Now both networks are able to freely communicate with each over the GRE Tunnel.
 
 
Securing the GRE Tunnel with IPSec
 
As mentioned earlier, GRE is an encapsulation protocol and does not perform any encryption. Creating a point-to-point GRE tunnel without any encryption is extremely risky as sensitive data can easily be extracted from the tunnel and viewed by others.
 
For this purpose, we use IPSec to add an encryption layer and secure the GRE tunnel. This provides us with the necessary military-grade encryption and peace of mind. Our example below covers GRE IPSec Tunnel mode.
 
Configuring IPSec Encryption for GRE Tunnel (GRE over IPSec)
 
IPSec encryption involves two steps for each router. These steps are:
 
(1) Configure ISAKMP (ISAKMP Phase 1)
 
(2) Configure IPSec (ISAKMP Phase 2)
Configure ISAKMP (IKE) - (ISAKMP Phase 1)
 
IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.
 
To begin, we’ll start working on R1.
 
First step is to configure an ISAKMP Phase 1 policy:
 
R1(config)# crypto isakmp policy 1
 
R1(config-isakmp)# encr 3des
 
R1(config-isakmp)# hash md5
 
R1(config-isakmp)# authentication pre-share
 
R1(config-isakmp)# group 2
 
R1(config-isakmp)# lifetime 86400
 
The above commands define the following (in listed order):
 
3DES - The encryption method to be used for Phase 1.
 
MD5 - The hashing algorithm
 
Pre-share - Use Pre-shared key as the authentication method
 
Group 2 - Diffie-Hellman group to be used
 
86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.
 
Next we are going to define a pre shared key for authentication with R1's peer, 2.2.2.10:
 
R1(config)# crypto isakmp key firewallcx address 2.2.2.10
 
The peer’s pre shared key is set to firewallcx. This key will be used for allISAKMP negotiations with peer 2.2.2.10 (R2).
Create IPSec Transform (ISAKMP Phase 2 policy)
 
Now we need to create the transform set used to protect our data. We’ve named this TS:
 
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
 
The above commands defines the following:
 
- ESP-3DES - Encryption method
 
- MD5 - Hashing algorithm
 
- Set IPSec to transport mode
 
Finally, we create an IPSec profile to connect the previously defined ISAKMP and IPSec configuration together. We’ve named our IPSec profile protect-gre:
 
  • R1(config)# crypto ipsec profile protect-gre
  •  
  • R1(ipsec-profile)# set security-association lifetime seconds 86400
  •  
  • R1(ipsec-profile)# set transform-set TS
  •  
  • We are ready to apply the IPSec encryption to the Tunnel interface:
  •  
  • R1(config)# interface Tunnel 0
  • R1(config-if)# tunnel protection ipsec profile protect-gre
  •  
  • Now it's time to apply the same configuration on R2:
  •  
  • R2(config)# crypto isakmp policy 1
  •  
  • R2(config-isakmp)# encr 3des
  •  
  • R2(config-isakmp)# hash md5
  •  
  • R2(config-isakmp)# authentication pre-share
  •  
  • R2(config-isakmp)# group 2
  •  
  • R2(config-isakmp)# lifetime 86400
  •  
  •  
  •  
  • R2(config)# crypto isakmp key firewallcx address 1.1.1.10
  •  
  • R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
  •  
  • R2(cfg-crypto-trans)# mode transport
  •  
  • R2(config)# crypto ipsec profile protect-gre
  •  
  • R2(ipsec-profile)# set security-association lifetime seconds 86400
  •  
  • R2(ipsec-profile)# set transform-set TS
  •  
  • R2(config)# interface Tunnel 0
  •  
  • R2(config-if)# tunnel protection ipsec profile protect-gre
  •  
  •  
  • Verifying the GRE over IPSec Tunnel
 
Finally, our tunnel has been encrypted with IPSec, providing us with the much needed security layer. To test and verify this, all that is required is to ping the other end and force the VPN IPSec tunnel to come up and start encrypting/decrypting our data:
 
R1# ping 192.168.2.1
 
Type escape sequence to abort.
 
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
 
!!!!!
 
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
 
Using the show crypto session command, we can quickly verify the encryption is in place and doing its work:
 
R1# show crypto session
 
Crypto session current status
 
Interface: Tunnel0
 
Session status: UP-ACTIVE
 
Peer: 2.2.2.10 port 500
 
IKE SA: local 1.1.1.10/500 remote 2.2.2.10/500 Active
 
IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.2.10
 
Active SAs: 2, origin: crypto map
 

Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers

 
Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers
 
 
 
Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g offices or branches). The VPN tunnel is created over the Internet public network and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.
 
This article will show how to setup and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the Internet, using the IP Security (IPSec) protocol.
 
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
 
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services.
IPSec VPN Requirements
 
To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSec VPN Tunnel to work.
 
These steps are:
 
(1) Configure ISAKMP (ISAKMP Phase 1)
 
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
 
Our example setup is between two branches of a small company, these are Site 1 and Site 2. Both the branch routers connect to the Internet and have a static IP Address assigned by their ISP as shown on the diagram:
 
 
 
Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
Configure ISAKMP (IKE) - (ISAKMP Phase 1)
 
IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.
 
To begin, we’ll start working on the Site 1 router (R1).
 
First step is to configure an ISAKMP Phase 1 policy:
 
  • R1(config)# crypto isakmp policy 1
  •  
  • R1(config-isakmp)# encr 3des
  •  
  • R1(config-isakmp)# hash md5
  •  
  • R1(config-isakmp)# authentication pre-share
  •  
  • R1(config-isakmp)# group 2
  •  
  • R1(config-isakmp)# lifetime 86400

 
 
The above commands define the following (in listed order):
 
3DES - The encryption method to be used for Phase 1.
 
MD5 - The hashing algorithm
 
Pre-share - Use Pre-shared key as the authentication method
 
Group 2 - Diffie-Hellman group to be used
 
86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.
 
We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.
 
Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the following command:
 
  • R1(config)# crypto isakmp key firewallcx address 1.1.1.2
 
The peer’s pre shared key is set to firewallcx and its public IP Address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre shared key will be used.
Configure IPSec
 
To configure IPSec we need to setup the following in order:
 
- Create extended ACL
 
- Create IPSec Transform
 
- Create Crypto Map
 
- Apply crypto map to the public interface
 
Let us examine each of the above steps.
Creating Extended ACL
 
Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto access-list or interesting traffic access-list.
 
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Create IPSec Transform (ISAKMP Phase 2 policy)
 
Next step is to create the transform set used to protect our data. We’ve named this TS:
 
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
 
The above command defines the following:
 
- ESP-3DES - Encryption method
 
- MD5 - Hashing algorithm
Create Crypto Map
 
The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together:
 
  • R1(config)# crypto map CMAP 10 ipsec-isakmp
  •  
  • R1(config-crypto-map)# set peer 1.1.1.2
  •  
  • R1(config-crypto-map)# set transform-set TS
  •  
  • R1(config-crypto-map)# match address VPN-TRAFFIC
 
We’ve named our crypto map CMAP. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (1.1.1.2), it is possible to have multiple peers within a given crypto map.
 
 
Apply Crypto Map to the Public Interface
 
The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1.
 
  • R1(config)# interface FastEthernet0/1
  • R1(config- if)# crypto map CMAP
 
Note that you can assign only one crypto map to an interface.
 
As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”.
 
At this point, we have completed the IPSec VPN configuration on the Site 1 router.
 
We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists:
 
  • R2(config)# crypto isakmp policy 1
  •  
  • R2(config-isakmp)# encr 3des
  •  
  • R2(config-isakmp)# hash md5
  •  
  • R2(config-isakmp)# authentication pre-share
  •  
  • R2(config-isakmp)# group 2
  •  
  • R2(config-isakmp)# lifetime 86400
  •  
  • R2(config)# crypto isakmp key firewallcx address 1.1.1.1
  •  
  • R2(config)# ip access-list extended VPN-TRAFFIC
  •  
  • R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
  •  
  • R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
  •  
  • R2(config)# crypto map CMAP 10 ipsec-isakmp
  •  
  • R2(config-crypto-map)# set peer 1.1.1.1
  •  
  • R2(config-crypto-map)# set transform-set TS
  •  
  • R2(config-crypto-map)# match address VPN-TRAFFIC
  •  
  • R2(config)# interface FastEthernet0/1
  •  
  • R2(config- if)# crypto map CMAP
  •  
 
Bringing Up and Verifying the VPN Tunnel
 
At this point, we’ve completed our configuration and the VPN Tunnel is ready to be brought up. To initiate the VPN Tunnel, we need to force one packet to traverse the VPN and this can be achieved by pinging from one router to another:
 
R1# ping 20.20.20.1 source fastethernet0/0
 
Type escape sequence to abort.
 
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
 
Packet sent with a source address of 10.10.10.1
 
.!!!!
 
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms
 
 
 
 
 
The first ping received a timeout, but the rest received a reply, as expected. The time required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to timeout.
 
To verify the VPN Tunnel, use the show crypto session command:
 
R1# show crypto session
 
Crypto session current status
 
Interface: FastEthernet0/1
 
Session status: UP-ACTIVE
 
Peer: 1.1.1.2 port 500
 
IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
 
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 
Active SAs: 2, origin: crypto map
 
 
Network Address Translation (NAT) and IPSec VPN Tunnels
 
Network Address Translation (NAT) is probably configured to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined to the remote VPN network.
 
This is easily done by inserting a deny statement at the beginning of the NAT access lists as shown below:
 
For Site 1’s router:
 
  • R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload
  •  
  • R1(config)# access-list 100 remark -=[Define NAT Service]=-
  •  
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  •  
  • R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  •  
  • R1(config)# access-list 100 remark
 
 
 
And Site 2’s router:
 
  • R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload
  •  
  • R2(config)# access-list 100 remark -=[Define NAT Service]=-
  •  
  • R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
  •  
  • R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
  •  
  • R2(config)# access-list 100 remark

Configuring Static Route Tracking using IP SLA (Basic)

 
Configuring Static Route Tracking using IP SLA (Basic)
 
In today's network environment, redundancy is one of the most important aspects, whether its on the LAN side or on the WAN side. In this topic I will be covering WAN redundancy with multiple WAN links terminating on a single router.
 
The best and simplest way to achieve WAN redundancy on Cisco devices is to use Reliable Static backup routes with IP SLA tracking.
 
IP SLAs is a feature included in the Cisco IOS Software that can allow administrators the ability to Analyze IP Service Levels for IP applications and services. IP SLA's uses active traffic-monitoring technology to monitor continuous traffic on the network. This is a reliable method in measuring over head network performance. Cisco Routers provide IP SLA Responders that give accuracy of measured data across a network.
 
With IP SLAs, routers and switches perform periodic measurements. The number and type of available measurements are vast and in this article I will be covering just the ICMP ECHO feature. IP SLA in itself is a very big topic to cover J
 
Let us take an example of a basic redundant WAN link scenario as shown below:
 
 
 
In the above figure the Cisco device is connected to two WAN links ISP1 and ISP2. The most common setup that we use in day to day life is to have to default routes configured on the Cisco router pointing to the respective next hop IPs as shown below:
 
  • R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
  • R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
 
If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
 
The above configuration with just two floating static routes partially accomplishes our requirement as it will work only in the scenario where the routers interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up but we are not able to reach the gateway, this usually happens when the issue is at the ISP side.
 
In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
 
Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
 
IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following a sample configuration of IP SLA to generate icmp ping targeted at the ISP1s next-hop IP.

  • R1(config)# ip sla 1
  • R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
  • R1(config)# timeout 1000
  • R1(config)# threshold 2
  • R1(config)# frequency 3
  • R1(config)# ip sla schedule 1 life forever start-time now
 
Please note that the Cisco IP SLA commands have changed from IOS to IOS to know the exact command for IOS check the Cisco documentation. The above commands are for IOS 12.4(4)T, 15.(0)1M, and later releases.
 
The above configuration defines and starts an IP SLA probe.
 
The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
 
Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
 
Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
 
After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
 
R1(config)# track 1 ip sla 1 reachability
 
The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
 
To verify the track status use the use the “show track” command as shown below:
 
  • R1# show track
  •  
  • Track 1
  • IP SLA 1 reachability
  • Reachability is Down
  • 1 change, last change 00:03:19
  • Latest operation return code: Unknown
 
The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
 
Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
 
 
 
  • Tracking
  •  
  • Return Code
  •  
  • Track State
  •  
  •  
  • Reachability
  •  
  • OK or over threshold
  •  
  • (all other return codes)
  •  
  • Up
  •  
  • Down
  •  
 
The Last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
 
  • R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
  • R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
 
The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
 
 

How to Configure DHCP Server on a Cisco Router

 
How to Configure DHCP Server on a Cisco Router
 
 
Introduction
 
DHCP (Dynamic Host Configuration Protocol) is the protocol used by network devices (such as PCs, network printers, etc) to automatically obtain correct network parameters so they can access network and Internet resources such as IP Address, Default Gateway, Domain Name, DNS Servers and more.
 
A DHCP Server is considered necessary in today's networks. Devices usally found providing this service are Windows servers, routers and layer 3 switches.
 
This article describes how to configure basic DHCP parameters on a Cisco router, enabling it to act as a DHCP server for your network.
Example Scenario
 
For the sake of this article, suppose we have the network shown in the following diagram, for which we would like to enable the DHCP service on our Cisco router.
 
The router will act as a DHCP server for the 192.168.1.0/24 network. IP Addresses already assigned to our switch (192.168.1.2) and File Server (192.168.1.5) will be excluded from the DHCP pool, to ensure they are not given out to other hosts and cause an IP address conflict.
 
First step is to enable the DHCP service on our router, which by default is enabled.
 
 
 
First step is to enable the DHCP service on our router, which by default is enabled:
 
R1# configure terminal
R1(config)# service dhcp
 
Next step is to create the DHCP pool that defines the network of IP addresses that will be given out to the clients. Note that 'NET-POOL' is the name of the DHCP IP Pool we are creating:
 
  • R1(config)# ip dhcp pool NET-POOL
  • R1(dhcp-config)# network 192.168.1.0 255.255.255.0
 
This tells the router to issue IP addresses for the network 192.168.1.0, which translates to the range 192.168.1.1 - 192.168.1.254. We will have to exclude the IP addresses we want later on.
 
We now define the DHCP parameters that will be given to each client. These include the default gateway (default-router), dns servers, domain and lease period (days):
 
  • R1(dhcp-config)# default-router 192.168.1.1
  • R1(dhcp-config)# dns-server 192.168.1.5 195.170.0.1
  • R1(dhcp-config)# domain-name Firewall.cx
  • R1(dhcp-config)# lease 9

The 'domain-name' and 'lease' parameters are not essential and can be left out. By default, the lease time for an IP address is one day.
 
All we need now is to exclude the IP addresses we don't want our DHCP server giving out. Drop back to 'global configuration mode' and enter the following:
 
  • R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.5
  • R1(config)# ip dhcp excluded-address 192.168.1.10
 
This excludes IP addresses 192.168.1.1 - 192.168.1.5 & 192.168.1.10. As you can see, there's an option to exclude a range of IP addresses or a specific address.
 
The above configuration is all you need to get the DHCP server running for your network. We'll provide a few more commands you can use to troubleshoot and ensure it's working correctly.
 
The following command will allow you to check which clients have been served by the DHCP:
 
  • R1# show ip dhcp binding
  • Bindings from all pools not associated with VRF:
  • IP address Client-ID/ Lease expiration Type
  • Hardware address/
  • User name
  • 192.168.1.6 0100.1e7a.c409 Jan 19 2009 03:06 PM Automatic
  • 192.168.1.7 0100.1e7a.c3c1 Jan 19 2009 09:00 PM Automatic
  • 192.168.1.8 0100.1ebe.923b Jan 19 2009 02:25 PM Automatic
  • 192.168.1.9 0100.1b53.5ccc Jan 19 2009 02:03 PM Automatic
  • 192.168.1.11 0100.1e7a.261d Jan 19 2009 07:52 PM Automatic
  • R1#
 
Notice that IP addresses 192.168.1.5 & 192.168.1.10 have not been assigned to the clients.
Article Summary
 
In this article we've covered how a Cisco router can be used as a basic DHCP server and the various options available. We also saw how you can obtain general information about the service. There are more options available with the DHCP service, however this basic article should cover most of your network needs.
 
Future DHCP articles will explore advanced options and debugging for more complex networks containing VLANs and IP Telephony.
 
If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.
 

How to Configure Dynamic DNS Server on A Cisco Router

 
How to Configure Dynamic DNS Server on A Cisco Router
 
 
Introduction
 
Hosting your own webserver or email server would normaly require a static IP address from your ISP. This ensures that your services are always reachable using the same IP address or domain name.
 
If you had a domain name, e.g Firewall.cx, you would then map your static IP address to your domain (via DNS) so when you hit your domain name, you would be directed to your statically assigned IP address and access the resources you need.
 
While this is the recommended setup for most companies doing serious business, it doesn't really apply to home users or small branch offices because of the increased cost for static IP addresses.
 
The solution to the above problem is named 'DDNS' - Dynamic DNS Service. DDNS providers allow the registeration and creation of Fully Qualified Domain Names (FQDN) that can be mapped to home or branch office Internet connections without cost . This eliminates the need for a static IP address, since the DDNS provider will automatically update its DNS records with your dynamic IP address every time it changes.
 
From Cisco IOS version 12.4 onwards, Cisco routers have built-in support for a variety of DDNS providers, making it much easier and a more reliable alternative, as you no longer require a PC in your network that will run the DDNS provider's client program.
 
This article will show you how you can configure your Cisco router so it can support the DDNS service with No-IP.com and DynDNS.com. Detailed Cisco router CLI commands and debugging information is included to ensure correct configuration and results are obtained.
Example Scenario
 
Consider the following network diagram. It shows the simple logic of how DDNS works:
 
 
 
Firstly we need to configure our Cisco router to register and send its periodical updates to the DDNS provider. Once received, the DDNS provider updates the relevant DNS records, in our example, firewallcx.no-ip.info.
 
When an Internet host queries the DDNS provider for the domain firewallcx.no-ip.info, it will then point the host towards the public IP addresses currently assigned to the router, that is, 195.162.29.1. As the ISP changes the IP address it assigned to the Cisco router, the router in turn will also update its DDNS provider. This way, the domain firewallcx.no-ip.info is always updated no matter how many times its IP address changes.
 
So, without further delay, here's how you can configure your Cisco router to register with the following DDNS providers:
 
1) No-ip.com
 
2) Dyndns.com
Case No.1: No-ip.com
 
First step is to enable the DNS service and configure an IP name server (public DNS server) so it can successfully resolve Internet domain names. For our example, we are using Public DNS servers:

  • R1# configure terminal
  • R1(config)# ip dns server
  • R1(config)# ip name-server 4.2.2.6
  • R1(config)# ip name-server 4.2.2.5
 
Next, we need to enable the DDNS update service and give it a name (no-ip), and then select the update method to be used, for this example, it's HTTP:
 
  • R1(config)# ip ddns update method no-ip
  • R1(DDNS-update-method)# HTTP
 
Now we add the authentication details. The router will use this information to authenticate to the DDNS provider so it can then update the necessary hostname. We should note that each DDNS provider uses its own authentication method & parameters. In No-ip.com's case, it makes use of a login name & password, where the login name is your registered email address.
 
The command will look something like this:
 
add http://email:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 
As noted, the login name is the registered email address. This means that the full syntax above will contain two "@" characters, which can create a problem with the URL sent to the DDNS provider. In addition, the question mark "?" character cannot be inserted straight into the command as the router will consider it as a help request and provide a list of parameters and commands. For this reason, it is required to enter CTRL+V, then insert the "?" character. The same procedure applies for the "@" symbol:
 
  • R1(DDNS-HTTP)# add http://user@firewall.cx:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 
Note: The above command is one single line In the above command, the <h> variable will be substituted with the FQDN that needs to be updated (firewallcx.no-ip.info) which we will configure next, and the <a> variable will be substituted with the IP address of the interface we have enabled for the DDNS updates.
 
In the next step, we set the update interval, to ensure the FQDN is updated as frequently possible, but without causing problems to the DDNS provider:
 
  • R1(DDNS-HTTP)# interval maximum 0 0 5 0
 
The above command sets the update interval to 0 Days, 0 Hours, 5 Minutes and 0 Seconds.
 
Last step is to set the FQDN we'll be updating and enable the DDNS service on our public interface (usually the Dialer 0 or public FastEthernet interface):
 
  • R1(DDNS-update-method)# interface dialer0
  • R1(config-if)# ip ddns update hostname firewallcx.no-ip.info
  • R1(config-if)# ip ddns update no-ip
 
This completes the setup and your router should start sending its updates to the DDNS provider.
 
If you see that your FQDN hasn't been updated after 5-10 minutes, then you can also use the following debug commands (hit CTRL-Z first) to get an idea of what's happening in the background:
 
  • R1# debug ip ddns update
 
Here are the results of our debug:
 
  • Jan 23 14:26:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
  • Jan 23 12:26:51.859: DYNUPD: SWIF goingdown 'Virtual-Access3'
  • Jan 23 14:27:05.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
  • Jan 23 12:27:05.091: DYNUPD: SWIF comingup 'Virtual-Access3'
  • Jan 23 12:27:07.883: DYNDNSUPD: Adding DNS mapping for firewallcx.no-ip.info<=> 195.162.29.1
  • Jan 23 12:27:07.883: HTTPDNS: Update add called for firewallcx.no-ip.info<=> 195.162.29.1
 
 
 
 
Case No.2: Dyndns.com
 
Dyndns.com requires a similar configuration as our previous DDNS provider, however, the HTTP authentication string is slightly different, and you'll need to adjust your update interval to once a day rather than every 5 minutes. The interval adjustment is very important as Dyndns.com is unfortunately less forgiving than No-ip.com and will lock your account if multiple updates occur without your IP address having been changed!
 
The following cli code is the actual configuration required up till the authentication method:
 
  • R1# configure terminal
  • R1(config)# ip dns server
  • R1(config)# ip name-server 4.2.2.6
  • R1(config)# ip name-server 4.2.2.5
  • R1(config)# ip ddns update method dyndns
  • R1(DDNS-update-method)# HTTP
 
The HTTP authentication string required for Dyndns.com will look something like this:
 
add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 
In order to insert the "@" and "?" symbol, it is required to enter CTRL+V before each character, as explained previously.
 
  • R1(DDNS-HTTP)# add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 
Note: The above command is one full line
 
Again, the <h> will be substituted with the FQDN that needs to be updated (firewallcx.dyndns.info) which we will configure next, and the <a> will be substituted with the IP address of the interface we have enabled for the DDNS updates.
 
Next up, we set the update interval to ensure the FQDN is updated as frequently as possible. DynDNS is a bit sensitive on regular update, so we set it to once a day:
 
  • R1(DDNS-HTTP)# interval maximum 1 0 0 0
 
The above command sets the update interval to 1 Day, 0 Hours, 0 Minutes and 0 Seconds.
 
As a final step, we set the FQDN we'll be updating and enable the DDNS service on our public interface (usually your Dialer 0 or public Ethernet interface):
 
  • R1(DDNS-update-method)# interface dialer0
  • R1(config-if)# ip ddns update hostname firewall.dyndns.info
  • R1(config-if)# ip ddns update dyndns
 
This completes the setup and your router should start sending its updates to the DDNS provider.
 
If you see that the your FQDN hasn't been updated after 5-10 minutes, then you can also use the following debug commands (hit CTRL-Z first) to get an idea on what's happening in the background:
 
Jan 24 12:26:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
Jan 24 12:26:51.859: DYNUPD: SWIF goingdown 'Virtual-Access3'
Jan 24 12:27:05.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Jan 24 12:27:05.091: DYNUPD: SWIF comingup 'Virtual-Access3'
Jan 24 12:27:07.883: DYNDNSUPD: Adding DNS mapping for firewall.dyndns.info<=> 195.162.49.4
Jan 24 12:27:07.883: HTTPDNS: Update add called for firewall.dyndns.info<=> 195.162.49.4
Article Summary
 
In this article we've covered how to enable and configure Dynamic DNS for popular no-ip.com and dyndns.com. We've seen the process in great depth and analyzed all commands required to get the service up and running, but also debug it in case of problems.
 
Closing, we hope the article comes in handy and answers your questions regarding the configuration of DDNS on Cisco routers.
 
If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

Cisco VPN Client Configuration - Setup for IOS Router

Cisco VPN Client Configuration - Setup for IOS Router
 
Remote VPN access is an extremely popular service amongst Cisco routers and ASA Firewalls. The flexibility of having remote access to our corporate network and its resources literally from anywhere in the world, has proven extremely useful and in many cases irreplaceable. All that is required is fast Internet connection and your user credentials to log in – all the rest are taken care by your Cisco router or firewall appliance.
To initiate the connection, we use the Cisco VPN client, available for Windows operating systems (XP, Vista, Windows 7 - 32 & 64bit), Linux, Mac OS X10.4 & 10.5 and Solaris UltraSPARC (32 & 64bit), making it widely available for most users around the globe. Cisco VPN Clients are available for download from our Cisco Download section.
The Cisco VPN also introduces the concept of ‘Split Tunneling'. Split tunneling is a feature that allows a remote VPN client access the company's LAN, but at the same time surf the Internet. In this setup, only traffic destined to the company's LAN is sent through the VPN tunnel (encrypted) while all other traffic (Internet) is routed normally as it would if the user was not connected to the company VPN.
Some companies have a strict policy that does not allow the remote VPN client access the Internet while connected to the company network (split tunneling disabled) while others allow restricted access to the Internet via the VPN tunnel (rare)! In this case, all traffic is tunnelled through the VPN and there's usually a web proxy that will provide the remote client restricted Internet access.
From all the above, split tunneling is the most common configuration of Cisco VPN configuration today, however for educational purposes, we will be covering all methods.
Setting up a Cisco router to accept remote Cisco VPN clients is not an extremely difficult task. Following each step shown in this article will guarantee it will work flawlessly.
Below is a typical diagram of a company network providing VPN access to remote users in order to access the company's network resources.
The VPN established is an IPSec secure tunnel and all traffic is encrypted using the configured encryption algorithm:
The Cisco IPSec VPN has two levels of protection as far as credentials concern. The remote client must have valid group authentication credential, followed by valid user credential.
The group credentials are entered once and stored in the VPN connection entry, however the user credentials are not stored and requested every time a connection is established:
We should note that configuring your router to support Point-to-Point Tunnel Protocol VPN (PPTP) is an alternative method and covered on our Cisco PPTP Router Configuration article, however PPTP VPN is an older, less secure and less flexible solution. We highly recommend using Cisco IPSec VPN only.
In order to configure Cisco IPSec VPN client support, the router must be running at least the 'Advanced Security' IOS otherwise most of the commands that follow will not be available at the CLI prompt!
To begin, we need to enable the router's 'aaa model' which stands for 'Authentication, Authorisation and Accounting'. AAA provides a method for identifying users who are logged in to a router and have access to servers or other resources.
AAA also identifies the level of access that has been granted to each user and monitors user activity to produce accounting information.
We enable the 'aaa new-model' service followed by X-Auth for user authentication and then group authentication (network vpn_group_ml_1):
  • R1# configure terminal
  • R1(config)# aaa new-model
  • R1(config)# aaa authentication login default local
  • R1(config)# aaa authentication login vpn_xauth_ml_1 local
  • R1(config)# aaa authentication login sslvpn local
  • R1(config)# aaa authorization network vpn_group_ml_1 local
  • R1(config)# aaa session-id common
When trying to establish an IPSec tunnel, there are two main phase negotiations where the remote client negotiates the security policies and encryption method with the Cisco VPN router.
Now we create the user accounts that will be provided to our remote users. Each time they try to connect to our VPN, they will be required to enter this information:
R1(config)# username adminitrator secret $cisco$firewall
R1(config)# username firewallcx secret $fir3w@ll!
We next create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations. In this example, we've create two ISAKMP policies, and configure the encryption (encr), authentication method, hash algorithm and set the Diffie-Hellman group:
  • R1(config)# crypto isakmp policy 1
  • R1(config-isakmp)# encr 3des
  • R1(config-isakmp)# authentication pre-share
  • R1(config-isakmp)# group 2
  • R1(config-isakmp)#
  • R1(config-isakmp)#crypto isakmp policy 2
  • R1(config-isakmp)# encr 3des
  • R1(config-isakmp)# hash md5
  • R1(config-isakmp)# authentication pre-share
  • R1(config-isakmp)# group 2
  • R1(config-isakmp)# exit
We now create a group and configure the DNS server and other parameters as required. These parameters are passed down to the client as soon as it successfully authenticates to the group:
  • R1(config)# crypto isakmp client configuration group CCLIENT-VPN
  • R1(config-isakmp-group)# key firewall.cx
  • R1(config-isakmp-group)# dns 10.0.0.10
  • R1(config-isakmp-group)# pool VPN-Pool
  • R1(config-isakmp-group)# acl 120
  • R1(config-isakmp-group)# max-users 5
  • R1(config-isakmp-group)# exit
  • R1(config)# ip local pool VPN-Pool 192.168.0.20 192.168.0.25
The above configuration is for the 'CCLIENT-VPN' group with a pre-share key (authentication method configured previously) of 'firewall.cx'. Users authenticating to this group will have their DNS set to 10.0.0.10. A maximum of 5 users are allowed to connect simultaneously to this group and will have access to the resources governed by access-list 120.
Lastly, users authenticating to this group will obtain their IP address from the pool named 'VPN-Pool' that provides the range of IP address: 192.168.0.20 up to 192.168.0.25.
Creation of the Phase 2 Policy is next. This is for actual data encryption & IPSec phase 2 authentication:
  • R1(config)# crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
  • R1(cfg-crypto-trans)#
The transformation named 'encrypto-method-1' is then applied to an IPSec profile named 'VPN-Profile-1':
  • R1(config)# crypto ipsec profile VPN-Profile-1
  • R1(ipsec-profile)# set transform-set encrypt-method-1
Note the encryption and authentication method of our IPSec crypto tunnel as shown by a connected VPN client to the router with the above configuration:
Now its time to start binding all the above together by creating a virtual-template interface that will act as a 'virtual interface' for our incoming VPN clients. Remote VPN clients will obtain an IP address that is part of our internal network (see diagram above - 192.168.0.x/24) so we therefore do not require this virtual interface to have an ip address and configure it as an 'ip unnumbered' interface on our router's LAN interface.
Setting an interface as an ip unnumbered enables IP processing through it without assigning an explicit IP address, however you must bind it to a physical interface that does have an IP address configured, usually your LAN interface:
  • R1(config)# interface Virtual-Template2 type tunnel
  • R1(config-if)# ip unnumbered FastEthernet0/0
  • R1(config-if)# tunnel mode ipsec ipv4
  • R1(config-if)# tunnel protection ipsec profile VPN-Profile-1
Above, our virtual template also inherits our configured encryption method via the 'ipsec profile VPN-Profile-1' command which sets the transform method to 'encrypt-method-1' (check previous configuration block) which in turn equals to 'esp-3des esp-sha-hmac'.
Notice how Cisco's CLI configuration follows a logical structure. You configure specific parameters which are then used in other sections of the configuration. If this logic is understood by the engineer, then decoding any given Cisco configuration becomes an easy task.
So far we've enabled the authentication mechanisms (aaa), created an ISAKMP policy, created the VPN group and set its parameters, configured the encryption method (transform-set) and binded it to the virtual template the remote VPN user will connect to.
Second-last step is to create one last ISAKMP profile to connect the VPN group with the virtual template:
  • R1(config)# crypto isakmp profile vpn-ike-profile-1
  • R1(conf-isa-prof)# match identity group CCLIENT-VPN
  • R1(conf-isa-prof)# client authentication list vpn_xauth_ml_1
  • R1(conf-isa-prof)# isakmp authorization list vpn_group_ml_1
  • R1(conf-isa-prof)# client configuration address respond
  • R1(conf-isa-prof)# virtual-template 2
Last step is the creation of our access lists that will control the VPN traffic to be tunnelled, effectively controlling what our VPN users are able to access remotely.
Once that's done, we need to add a 'no NAT' statement so that traffic exiting the router and heading toward the VPN user is preserved with its private IP address, otherwise packets sent through the tunnel by the router, will be NAT'ed and therefore rejected by the remote VPN Client.
When NAT is enabled through a VPN tunnel, the remote user sees the tunnelled traffic coming from the router's public IP address, when in fact it should be from the router's private IP address.
We assume the following standard NAT configuration to provide Internet access to the company's LAN network:
  • R1#show running-config
  • <output omitted>
  • ip nat inside source list 100 interface Dialer1 overload
  • access-list 100 remark -=[Internet NAT Service]=-
  • access-list 100 permit ip 192.168.0.0 0.0.0.255 any
  • access-list 100 remark
Based on the above, we proceed with our configuration. First, we need to restrict access to our remote VPN users, so that they only access our SQL server with IP address 192.168.0.6 (access-list 120), then we deny NAT (access-list 100) to our remote VPN Pool IP range:
  • R1(config)# access-list 120 remark ==[Cisco VPN Users]==
  • R1(config)# access-list 120 permit ip host 192.168.0.6 host 192.168.0.20
  • R1(config)# access-list 120 permit ip host 192.168.0.6 host 192.168.0.21
  • R1(config)# access-list 120 permit ip host 192.168.0.6 host 192.168.0.22
  • R1(config)# access-list 120 permit ip host 192.168.0.6 host 192.168.0.23
  • R1(config)# access-list 120 permit ip host 192.168.0.6 host 192.168.0.24
  • R1(config)# access-list 120 permit ip host 192.168.0.6 host 192.168.0.25
  • R1(config)# no access-list 100
  • R1(config)# access-list 100 remark [Deny NAT for VPN Clients]=-
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.25
  • R1(config)# access-list 100 remark
  • R1(config)# access-list 100 remark -=[Internet NAT Service]=-
  • R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
Note that for access-list 100, we could either 'deny ip host 192.168.0.6' to our remote clients, or as shown, deny the 192.168.0.0/24 network. What's the difference? Practically none. Denying your whole network the NAT service toward your remote clients, will make it easier for any future additions.
If for example there was a need to deny NAT for another 5 servers so they can reach remote VPN clients, then the access-list 100 would need to be edited to include these new hosts, where as now it's already taken care of. Remember, with access-list 100 we are simply controlling the NAT function , not the access the remote clients have (done with access-list 120 in our example.
At this point, the Cisco VPN configuration is complete and fully functional.
Split Tunneling
We mentioned in the beginning of this article that we would cover split tunneling and full tunneling methods for our VPN clients. You'll be pleased to know that this functionality is solely determined by the group's access-lists, which our case is access-list 120.
If we wanted to tunnel all traffic from the VPN client to our network, we would use the following access-list 120 configuration:
  • R1(config)# access-list 120 remark ==[Cisco VPN Users]==
  • R1(config)# access-list 120 permit ip any host 192.168.0.20
  • R1(config)# access-list 120 permit ip any host 192.168.0.21
  • R1(config)# access-list 120 permit ip any host 192.168.0.22
  • R1(config)# access-list 120 permit ip any host 192.168.0.23
  • R1(config)# access-list 120 permit ip any host 192.168.0.24
  • R1(config)# access-list 120 permit ip any host 192.168.0.25
In another example, if we wanted to provide our VPN clients access to networks 10.0.0.0/24, 10.10.10.0/24 & 192.168.0.0/24, here's what the access-list 120 would look like (this scenario requires modification of NAT access-list 100 as well):
  • R1(config)# access-list 120 remark ==[Cisco VPN Users]==
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.25
  • R1(config)#
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.25
  • R1(config)#
  • R1(config)#
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 host 192.168.0.25
  • R1(config)#
  • R1(config)#
  • R1(config)# no access-list 100
  • R1(config)# access-list 100 remark [Deny NAT for VPN Clients]=-
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 host 192.168.0.25
  • R1(config)#
  • R1(config)#
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.25
  • R1(config)#
  • R1(config)#
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.20
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.21
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.22
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.23
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.24
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.25
  • R1(config)# access-list 100 remark
  • R1(config)# access-list 100 remark -=[Internet NAT Service]=-
  • R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 any
  • R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  • R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
When the VPN client connects, should we go to the connection's statistics, we would see the 3 networks under the secure routes, indicating all traffic toward these networks is tunnelled through the VPN:
Cisco VPN Configuration Tips
It is evident from our last example with the tunneling of our 3 networks, that should our VPN IP address pool be larger, for example 50 IP addresses, then we would have to enter 50 IPs x 3 Networks = 150 lines of code just for the access-list 120, plus another 150 lines for access-list 100 (no NAT)! That is quite a task indeed!
To help cut down the configuration to just a couple of lines, this is the alternative code that would be used and have the same effect:
Mark VPN Traffic to be tunnelled:
  • R1(config)# access-list 120 remark ==[Cisco VPN Users]==
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Do not NAT any traffic from our LANs toward VPN clients, but NAT everything else destined to the Internet:
  • R1(config)# access-list 100 remark [Deny NAT for VPN Clients]=-
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
  • R1(config)# access-list 100 remark
  • R1(config)# access-list 100 remark -=[Internet NAT Service]=-
  • R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 any
  • R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  • R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
The access-list 120 tells the router to tunnel all traffic from the three networks to our VPN clients who's IP address will be in the 192.168.0.0/24 range!
So, if the VPN client received from the VPN Pool, IP address 192.168.0.23 or 192.168.0.49, it really wouldn't matter as the '192.168.0.0 0.0.0.255' statement at the end of each access-list 120 covers both 192.168.0.23 & 192.168.0.49. Even replacing the '192.168.0.0 0.0.0.255' with the 'any' statement would have the same effect.
For 'access-list 100' that controls the NAT service, we cannot use the 'any' statement at the end of the DENY portion of the ACLs, because it would exclude NAT for all networks (public and private) therefore completely disabling NAT and as a result, Internet access.
As a last note, if it was required the VPN clients to be provided with an IP address range different from that of the internal network (e.g 192.168.50.0/24), then the following minor changes to the configuration would have to be made:
  • R1(config)# crypto isakmp client configuration group CCLIENT-VPN
  • R1(config-isakmp-group)# key firewall.cx
  • R1(config-isakmp-group)# dns 10.0.0.10
  • R1(config-isakmp-group)# pool VPN-Pool
  • R1(config-isakmp-group)# acl 120
  • R1(config-isakmp-group)# max-users 5
  • R1(config-isakmp-group)# exit
  • R1(config)#
  • R1(config)# ip local pool VPN-Pool 192.168.50.10 192.168.50.25
  • R1(config)#
  • R1(config)# interface Virtual-Template2 type tunnel
  • R1(config-if)# ip address 192.168.50.1 255.255.255.0
  • R1(config-if)# tunnel mode ipsec ipv4
  • R1(config-if)# tunnel protection ipsec profile VPN-Profile-1
Assuming 3 internal networks
Mark VPN Traffic to be tunnelled:
  • R1(config)# access-list 120 remark ==[Cisco VPN Users]==
  • R1(config)# access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  • R1(config)# access-list 120 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
  • R1(config)# access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
Do not NAT any traffic from our LANs toward VPN clients, but NAT everything else destined to the Internet:
  • R1(config)# access-list 100 remark [Deny NAT for VPN Clients]=-
  • R1(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  • R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
  • R1(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  • R1(config)# access-list 100 remark
  • R1(config)# access-list 100 remark -=[Internet NAT Service]=-
  • R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 any
  • R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  • R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Article Summary
 
This article explained the fundamentals of Cisco's VPN client and features it offers to allow the remote and secure connection of users to their corporate networks from anywhere in the world.
 
We examined the necessary steps and commands required on a Cisco router to setup and configure it to accept Cisco VPN client connections. Detailed explanation was provided for every configuration step, along with the necessary diagrams and screenshots.
 
Split tunneling was explained and covered, showing how to configure the Cisco VPN clients access only to the required internal networks while maintaining access to the Internet.
 
Lastly, a few tips were presented to help make the Cisco VPN configuration a lot easier for large and more complex networks.
 
If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.
 
  
 

Configuring Cisco AutoSecure Interactive and Non-Interactive Mode and Exploring Other Cisco AutoSecure Options

 
Configuring Cisco AutoSecure Interactive Mode
 
This happens to be the recommended mode for securing your Cisco router. When using the Cisco AutoSecure Interactive Mode, the router will prompt a number of questions regarding the current topology, how it is connected to the Internet, which interface connects to the Internet and so on. Providing this information is essential because it will be used by AutoSecure to lock-down the router and disable services as required by Cisco’s best security practices.
 
Below is the command required to initiate the AutoSecure Interactive mode feature. You can abort the session anytime by pressing Ctrl-C, or press ? to get help:
 
  • R1# auto secure
 
--- AutoSecure Configuration ---
 
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
 
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
 
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
 
Is this router connected to internet? [no]: yes
 
Enter the number of interfaces facing the internet [1]: 1
 
Interface IP-Address OK? Method Status Protocol
 
FastEthernet0/0 10.0.0.100 YES NVRAM up up
 
FastEthernet0/1 192.168.151.10 YES NVRAM up up
 
NVI0 10.0.0.100 YES unset up up
 
Enter the interface name that is facing the internet: FastEthernet0/1
 
Securing Management plane services...
 
  • Disabling service finger
  • Disabling service pad
  • Disabling udp & tcp small servers
  • Enabling service password encryption
  • Enabling service tcp-keepalives-in
  • Enabling service tcp-keepalives-out
  • Disabling the cdp protocol
  • Disabling the bootp server
  • Disabling the http server
  • Disabling the finger service
  • Disabling source routing
  • Disabling gratuitous arp
  • Configure NTP Authentication? [yes]: no
 
Enter the new enable password: *****
% Invalid Password length - must contain 6 to 25 characters. Password configuration failed
Enter the new enable password: **********
Confirm the enable password: **********
 
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 15
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 20
Configure SSH server? [yes]: no
 
Configuring interface specific AutoSecure services
 
  • Disabling the following ip services on all interfaces:
  • no ip redirects
  • no ip proxy-arp
  • no ip unreachables
  • no ip directed-broadcast
  • no ip mask-reply
 
  • Disabling mop on Ethernet interfaces
  • Securing Forwarding plane services...
  • Enabling unicast rpf on all interfaces connected to internet
  •  
  • Configure CBAC Firewall feature? [yes/no]: yes
  •  
This is the configuration generated:
 
  • no service finger
  • no service pad
  • no service udp-small-servers
  • no service tcp-small-servers
  • service password-encryption
  • service tcp-keepalives-in
  • service tcp-keepalives-out
  • no cdp run
  • no ip bootp server
  • no ip http server
  • no ip finger
  • no ip source-route
  • no ip gratuitous-arps
  • no ip identd
  • security passwords min-length 6
  • security authentication failure rate 10 log
  • enable password 7 11584B5643475D
  • aaa new-model
  • aaa authentication login local_auth local
  •  
  • line con 0
  • login authentication local_auth
  • exec-timeout 5 0
  • transport output telnet
  •  
  • line aux 0
  • login authentication local_auth
  • exec-timeout 10 0
  • transport output telnet
  •  
  • line vty 0 15
  • login authentication local_auth
  • transport input telnet
  •  
  • line tty 1
  • login authentication local_auth
  • exec-timeout 15 0
  •  
  • login block-for 15 attempts 3 within 20
  • service timestamps debug datetime msec localtime show-timezone
  • service timestamps log datetime msec localtime show-timezone
  • logging facility local2
  • logging trap debugging
  • service sequence-numbers
  • logging console critical
  • logging buffered
  •  
  • interface FastEthernet0/0
  • no ip redirects
  • no ip proxy-arp
  • no ip unreachables
  • no ip directed-broadcast
  • no ip mask-reply
  • no mop enabled
  •  
  • interface FastEthernet0/1
  • no ip redirects
  • no ip proxy-arp
  • no ip unreachables
  • no ip directed-broadcast
  • no ip mask-reply
  • no mop enabled
  • access-list 101 permit udp any any eq bootpc
  •  
  • interface FastEthernet0/1
  • ip verify unicast source reachable-via rx allow-default 101
  • ip inspect audit-trail
  • ip inspect dns-timeout 7
  • ip inspect tcp idle-time 14400
  • ip inspect udp idle-time 1800
  • ip inspect name autosec_inspect cuseeme timeout 3600
  • ip inspect name autosec_inspect ftp timeout 3600
  • ip inspect name autosec_inspect http timeout 3600
  • ip inspect name autosec_inspect rcmd timeout 3600
  • ip inspect name autosec_inspect realaudio timeout 3600
  • ip inspect name autosec_inspect smtp timeout 3600
  • ip inspect name autosec_inspect tftp timeout 30
  • ip inspect name autosec_inspect udp timeout 15
  • ip inspect name autosec_inspect tcp timeout 3600

  • ip access-list extended autosec_firewall_acl
  • permit udp any any eq bootpc
  • deny ip any any

  • interface FastEthernet0/1
  • ip inspect autosec_inspect out
  • ip access-group autosec_firewall_acl in
  • !
  • end

  • Apply this configuration to running-config? [yes]: yes

  • Applying the config generated to running-config
 
Notice the router rejected the initial enable password as it did not conform to the password security requirements
 
 
 
If at any point you would like to check the configuration changes made by the Cisco AutoSecure feature before saving them, you can use the show auto secure config command:
 
  • R1# show auto secure config
  • no service finger
  •  
  • no service pad
  •  
  • no service udp-small-servers
  •  
  • no service tcp-small-servers
  •  
  • service password-encryption
  •  
  • service tcp-keepalives-in
  •  
  • service tcp-keepalives-out
  •  
  • no cdp run
  •  
  • no ip bootp server
  •  
  • no ip http server
  •  
  • no ip finger
  •  
  • no ip source-route
  •  
  • no ip gratuitous-arps
  •  
  • no ip identd
  •  
  • security passwords min-length 6
  •  
  • security authentication failure rate 10 log
  •  
  • enable password 7 11584B5643475D
  •  
  • aaa new-model
  •  
  • aaa authentication login local_auth local
  •  
  • line con 0
  •  
  • login authentication local_auth
  •  
  • exec-timeout 5 0
  •  
  • transport output telnet
  •  
  • line aux 0
  •  
  • login authentication local_auth
  •  
  • exec-timeout 10 0
  •  
  • transport output telnet
  •  
  • line vty 0 15
  •  
  • login authentication local_auth
  •  
  • transport input telnet
  •  
  • line tty 1
  •  
  • login authentication local_auth
  •  
  • exec-timeout 15 0
  •  
  • login block-for 15 attempts 3 within 20
  •  
  • service timestamps debug datetime msec localtime show-timezone
  •  
  • service timestamps log datetime msec localtime show-timezone
  •  
  • logging facility local2
  •  
  • logging trap debugging
  •  
  • service sequence-numbers
  •  
  • logging console critical
  •  
  • logging buffered
  •  
  • interface FastEthernet0/0
  •  
  • no ip redirects
  •  
  • no ip proxy-arp
  •  
  • no ip unreachables
  •  
  • no ip directed-broadcast
  •  
  • no ip mask-reply
  •  
  • no mop enabled
  •  
  • !
  •  
  • interface FastEthernet0/1
  •  
  • no ip redirects
  •  
  • no ip proxy-arp
  •  
  • no ip unreachables
  •  
  • no ip directed-broadcast
  •  
  • no ip mask-reply
  •  
  • no mop enabled
  •  
  • !
  •  
  • access-list 101 permit udp any any eq bootpc
  •  
  • interface FastEthernet0/1
  •  
  • ip verify unicast source reachable-via rx allow-default 101
  •  
  • ip inspect audit-trail
  •  
  • ip inspect dns-timeout 7
  •  
  • ip inspect tcp idle-time 14400
  •  
  • ip inspect udp idle-time 1800
  •  
  • ip inspect name autosec_inspect cuseeme timeout 3600
  •  
  • ip inspect name autosec_inspect ftp timeout 3600
  •  
  • ip inspect name autosec_inspect http timeout 3600
  •  
  • ip inspect name autosec_inspect rcmd timeout 3600
  •  
  • ip inspect name autosec_inspect realaudio timeout 3600
  •  
  • ip inspect name autosec_inspect smtp timeout 3600
  •  
  • ip inspect name autosec_inspect tftp timeout 30
  •  
  • ip inspect name autosec_inspect udp timeout 15
  •  
  • ip inspect name autosec_inspect tcp timeout 3600
  •  
  • ip access-list extended autosec_firewall_acl
  •  
  • permit udp any any eq bootpc
  •  
  • deny ip any any
  •  
  • interface FastEthernet0/1
  •  
  • ip inspect autosec_inspect out
  •  
  • ip access-group autosec_firewall_acl in
  •  
  • R1#
 
 
 
The Non-interactive mode of Cisco’s AutoSecure is more of an ‘express’ setup feature, bypassing any user input and quickly securing the router using Cisco’s best security practices. Think of it as a quick-and-dirty lockdown mode!
 
Running the Non-Interactive AutoSecure mode is done by entering the auto secure no-interact command as shown below. The router will display some information and continue configuring itself:
 
R1# auto secure no-interact
Below is the expected output once the auto secure non-interactive command is executed:
 
--- AutoSecure Configuration ---
 
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
 
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
 
Securing Management plane services...
 
  • Disabling service finger
  • Disabling service pad
  • Disabling udp & tcp small servers
  • Enabling service password encryption
  • Enabling service tcp-keepalives-in
  • Enabling service tcp-keepalives-out
  • Disabling the cdp protocol
 
  • Disabling the bootp server
  • Disabling the http server
  • Disabling the finger service
  • Disabling source routing
  • Disabling gratuitous arp
 
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
 
  • no ip redirects
  • no ip proxy-arp
  • no ip unreachables
  • no ip directed-broadcast
  • no ip mask-reply
  • Disabling mop on Ethernet interfaces
 
Securing Forwarding plane services...
 
 
This is the configuration generated:
 
  • no service finger
  • no service pad
  • no service udp-small-servers
  • no service tcp-small-servers
  • service password-encryption
  • service tcp-keepalives-in
  • service tcp-keepalives-out
  • no cdp run
  • no ip bootp server
  • no ip http server
  • no ip finger
  • no ip source-route
  • no ip gratuitous-arps
  • no ip identd
  • security passwords min-length 6
  • security authentication failure rate 10 log
  • service timestamps debug datetime msec localtime show-timezone
  • service timestamps log datetime msec localtime show-timezone
  • logging facility local2
  • logging trap debugging
  • service sequence-numbers
  • logging console critical
  • logging buffered
  • interface FastEthernet0/0
  • no ip redirects
  • no ip proxy-arp
  • no ip unreachables
  • no ip directed-broadcast
  • no ip mask-reply
  • no mop enabled
  • interface FastEthernet0/1
  • no ip redirects
  • no ip proxy-arp
  • no ip unreachables
  • no ip directed-broadcast
  • no ip mask-reply
  • no mop enabled
  • !
  • end
  •  
Applying the config generated to running-config
 
  • R1#
 
 
 
Exploring Other Cisco AutoSecure Options
 
For those who like to explore all available options of the Cisco AutoSecure command, use the auto secure command, followed by a question mark ? as shown below:
 
  • R1# auto secure ?
  • firewall AutoSecure Firewall
  • forwarding Secure Forwarding Plane
  • full Interactive full session of AutoSecure
  • login AutoSecure Login
  • management Secure Management Plane
  • no-interact Non-interactive session of AutoSecure
  • ntp AutoSecure NTP
  • ssh AutoSecure SSH
  • tcp-intercept AutoSecure TCP Intercept
 
 
Trying out different parameters and options will help gain a greater understanding of how AutoSecure works and the options it provides to help best secure your network.
 
Using the Cisco AutoSecure feature to secure your router(s) is a very simple task and one that should not be neglected, even by experienced network engineers. With the use of such features, one can create a configuration template with all necessary basic security measures taken into account.
 
Cisco provides a number of features that can help make an engineer’s every-day life more secure and hassle-free. It’s to our advantage to make the best of everything offered!