Friday, March 27, 2009

What's Next

I read that you could get the CCIE Service Provider in a month with a CCIE Routing and Switching background. And this is exactly what I want to do next: get the CCIE SP in a month! Service Provider is good to get since it is very useful for the CCDE Practical Exam which is my next goal. Currently there are only 3 CCDEs, so my goal is to be among the first 100 people.

Service Provider Lab blue print can be found here: http://www.cisco.com/web/learning/le3/ccie/sp/lab_exam_blueprint.html
Some good information on the SP lab from the Cisco Learning Network

Friday, March 13, 2009

Code Red

Code Red Example

i. Marking traffic
Router(config)#class−map match−any http−hacks
Router(config−cmap)#match protocol http url "*default.ida*"
Router(config−cmap)#match protocol http url "*cmd.exe*"
Router(config−cmap)#match protocol http url "*root.exe*"
Router(config)#policy−map mark−inbound−http−hacks
Router(config−pmap)#class http−hacks
Router(config−pmap−c)#set ip dscp 1
Router(config)#interface serial 0/0
Router(config−if)#service−policy input mark−inbound−http−hacks
ii. ACL to drop traffic
Router(config)#access−list 105 deny ip any any dscp 1
Router(config)#access−list 105 permit ip any any
Router(config)#interface ethernet 0/1
Router(config−if)#ip access−group 105 out
iii. PBR to drop traffic
Router(config)#access−list 106 permit ip any any dscp 1
Router(config)#route−map null_policy_route 10
Router(config−route−map)#match ip address 106
Router(config−route−map)#set interface Null0
Router(config)#interface serial 0/0
Router(config−if)#ip policy route−map null_policy_route
iv. Class-Based Policing to drop traffic
Router(config)#policy−map drop−inbound−http−hacks
Router(config−pmap)#class http−hacks
Router(config−pmap−c)#police 1000000 31250 31250
conform−action drop exceed−action drop violate−action drop
Router(config)#interface serial 0/0
Router(config−if)#service−policy input drop−inbound−http−hacks

ASA Cut-Through Proxy

From the notes given to me by Rob Chee...

Configure authentication using TACACS+

Aaa-server RAD protocol tacacs
Aaa-server RAD (outside) host 192.168.137.10
Key cisco

Configure login prompt:

auth-prompt prompt Enter Your Authentication
auth-prompt accept You are Good
auth-prompt reject Goodbye

Through traffic authentication – This is the default mechanism for authentication. When a user attempts to access a HTTP, HTTPS, FTP, or telnet resource behind the PIX, the PIX redirects users to an authentication page if the traffic matches the cut-through proxy ACL.

Using Telnet

Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 23
Access-list AUTH permit tcp any host 192.l68.137.2 eq 23
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD

Using Encryption for HTTP

Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 80
Access-list AUTH permit tcp any host 192.l68.137.2 eq 80
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD
Aaa authentication secure-http-client

Using HTTPS

Static (inside,outside) 192.1681.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 443
Access-list AUTH permit tcp any host 192.l68.137.2 eq 443
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RAD


The authentication listener mechanism is the recommended method of authentication. With the basic configuration, a user must access a specific URL on the PIX to authenticate. Since it relies on accessing a URL, only the HTTP and HTTPS authentication methods are supported for this mechanism.

Static (inside,outside) 192.1681.137.2 10.100.100.2
aaa authentication match AUTH outside RAD
aaa accounting match AUTH outside RAD
aaa authentication listener HTTPS outside port HTTPS redirect
aaa authentication listener HTTP outside port HTTP redirect

Authenticate against a virtual IP address, configured on the PIX, through HTTP, HTTPS, and Telnet by redirecting to the virtual IP address when they try to access a resource, through the PIX, that matches the cut-through proxy ACL.

Virtual HTTP 192.168.137.20
Virtual Telnet 192.168.137.20

Static (inside,outside) 192.168.137.2 10.100.100.2
Access-list OUTSIDE permit tcp any host 192.168.137.20 eq 80
Access-list OUTSIDE permit tcp any host 192.168.137.2 eq 80
Access-list AUTH permit tcp any host 192.168.137.20 eq 80
Access-list AUTH permit tcp any host 192.168.137.2 eq 80
Access-group OUTSIDE in interface outside
Aaa authentication match AUTH outside RADIUS
! If secure authentication to the PIX is required
Aaa authentication secure-HTTP-client

With RADIUS, authentication and authorization are bound together. This means that verifying authentication and providing authorization are handled during the same negotiation when a user logs in. It also means that no further authorization privileges can be granted after the login.

When RADIUS is used for PIX cut-through proxy, the ACS server provides downloadable ACLs as authorization. This downloadable ACL becomes a temporary ACL that is created on the PIX with a dynamically created name. This ACL can be viewed with “show access-list” after successful authentication. Below is an example of this.

access-list #ACSACL#-IP-cutthroughproxy-47b78823; 3 elements (dynamic)
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 1 extended permit tcp any host 192.168.137.2 eq telnet (hitcnt=0) 0x78ea2fad
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 2 extended permit tcp any host 192.168.137.2 eq www (hitcnt=0) 0x4519be9a
access-list #ACSACL#-IP-cutthroughproxy-47b78823 line 3 extended permit tcp any host 192.168.137.2 eq https (hitcnt=5) 0x0c281b01

RADIUS Downloadable ACL Authorization

access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius-acct host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1812 host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1813 host 192.168.137.8
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
access-group OUTSIDE in interface outside per-user-override
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.137.10
key cisco
aaa authentication match AUTH outside RADIUS
aaa accounting match AUTH outside RADIUS
aaa authentication listener HTTPS outside port HTTPS redirect
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out

TACACS+ Authorization

access-list OUTSIDE extended permit tcp host 192.168.137.10 eq tacacs host 192.168.137.8
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
access-group OUTSIDE in interface outside
aaa-server TAC protocol tacacs
aaa-server TAC (outside) host 192.168.137.10
key cisco
aaa authentication match AUTH outside TAC
aaa authorization match AUTH outside TAC
aaa accounting match AUTH outside TAC
aaa authentication listener HTTPS outside port HTTPS redirect
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out

Thursday, March 5, 2009

PPTP

http://www.cisco.com/en/US/tech/tk82/tk36/technologies_configuration_example09186a00801e51e2.shtml

Server Side 880W Router:


vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
!
ip local pool netcraftsmen 192.168.1.1 - 192.168.1.10
!
interface virtual-template 1
encapsulation ppp
peer default ip address pool netcraftsmen
ip unnumbered FastEthernet4
ppp encrypt mppe auto
ppp authentication pap chap

Tuesday, March 3, 2009

Remote Trigger Black Hole Filtering

Cisco has a real good document on this: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf

It is a technique used to drop bad packets before they get into the network: used for DDOS attack mitigation.
interface Null0
no ip unreachables
!When packet is dropped, an Internet Control Message Protocol (ICMP) unreachable message is !sent back to the source. So it is recommended that ICMP unreachable message is disabled.
!
router bgp 65535
neighbor IBGP peer-group
neighbor IBGP remote-as 701
neighbor IBGP send-community
neighbor IBGP update-source Loopback0
neighbor 1.1.1.1 peer-group IBGP
neighbor 2.2.2.2 peer-group IBGP
!
redistribute static route-map STATIC_TO_BGP
!
! A /32 route used as next-hop to “drop” the packets configured on all routers.
!
ip route 192.0.2.1 255.255.255.255 null0
!
! Route-map to signal RTHB information.
!
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1
!
route-map STATIC_TO_BGP deny 20

When we know that some server, for example 10.10.10.10, under attack, we would put in the blackhole route on the trigger router and propagate to all edge routers which would drop packets at the edge of the network.
!
ip route 10.10.10.10 255.255.255.255 null0 tag 100

Back scatter analysis could be use to trace back the source of the DDOS attack.
Remove the no ip unreachable from the null0 interface on all the edge routers.
Then from the "sinkhole" router:
Add new route-map entry, to propagate self-originated "interesting" routes.
!
route-map STATIC_TO_BGP permit 15
match tag 200
set local-preference 200
set origin igp
set community no-export
!
ip route 20.0.0.0 255.0.0.0 Null0 tag 200
!Network 20.0.0.0/8 is suspected to be the source of the attack. All ICMP unreachable !messages from the edge routers will be diverted to the sinkhole router for analysis.
!
ip access-list extended UNREACHABLES
permit icmp any any unreachable log
permit ip any any
!
interface WAN
ip access-group UNREACHABLES in

If the rate is big, you might not be able to see all logging line. To tune the ACL too log every hit:
ip access-list log-update threshold 1







Sunday, February 22, 2009

Count down to March 24, 200

I am taking the CCIE Security Lab in RTP on March 24, 2009 which is 4 weeks away. When it's a few months away, you felt like you have lots of time on your hand. But when it's around the corner, you start to feel the pressure building and building and BUILDING!

I will try my best to pass. Failing is okay as long as you try your very best and won't have any regrets or doubts that you could have done a better job.
I need to plan on what to do and have to stick to the schedule.

I set up the VPN concentrator with a public IP address. By the end of February, hopefully I will check it off my to-do list.

Monday, October 27, 2008

The Cisco ASA in CCIE Security Lab

Monday October 27th, 2008...

Basic Initialization

hostname ASA1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0

logging console warnings
logging trap debugging
logging host inside 10.1.1.100
logging enable

Access Management

telnet 10.1.1.100 255.255.255.255 inside

ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5

Address Translation

access-list NONAT extended permit ip host 8.8.8.8 host 4.4.4.4

global (outside) 1 65.1.200.21-65.1.200.25 netmask 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 65.1.15.251 10.1.1.251 netmask 255.255.255.255 (Access from outside to inside server)
static (outside,inside) 10.1.1.5 65.1.15.5 netmask 255.255.255.255 (Access from inside to outside server)

ACLs

Firewall transparent (transparent firewall mode)

access-list OUTSIDE extended permit eigrp host 150.100.3.4 any
access-list OUTSIDE extended permit icmp any any
access-list INSIDE extended permit tcp 150.100.3.0 255.255.255.0 any eq www
access-list INSIDE extended permit tcp 150.100.3.0 255.255.255.0 any eq https
access-list INSIDE extended permit tcp 150.100.3.0 255.255.255.0 any eq telnet
access-list INSIDE extended permit eigrp host 150.100.3.254 any
access-list INSIDE extended permit icmp any any
access-list INSIDE extended permit udp 150.100.3.0 255.255.255.0 any eq domain

access-group OUTSIDE in interface outside
access-group INSIDE in interface inside

IP Routing

route outside 0.0.0.0 0.0.0.0 192.1.12.2 1
route inside 10.3.3.0 255.255.255.0 10.2.2.5 1

router rip
network 65.0.0.0
network 192.168.6.0
passive-interface default
no passive-interface outside
no passive-interface inside
version 2

router ospf 1
network 65.1.15.101 255.255.255.255 area 2
router-id 11.11.11.11
log-adj-changes
default-information originate always

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.1.15.101 255.255.255.0
ospf message-digest-key 1 md5
ospf authentication message-digest


Object Groups

object-group protocol PROTOS
protocol-object gre
object-group icmp-type ICMP_ECHO
icmp-object echo
icmp-object echo-reply
object-group service MGMT_PORTS tcp
port-object eq telnet
port-object eq ssh

access-list OUTSIDE extended permit icmp any any object-group ICMP_ECHO
access-list OUTSIDE extended permit tcp any any object-group MGMT_PORTS
access-list OUTSIDE extended permit object-group PROTOS any any
!

access-group OUTSIDE in interface outside
VLANs

interface Ethernet0/0.55
vlan 55
nameif DMZ55
security-level 50
ip address 192.168.5.10 255.255.255.0 standby 192.168.5.11
!
interface Ethernet0/2
!
interface Ethernet0/2.10
description LAN Failover Interface
vlan 550
!
interface Ethernet0/2.20
description STATE Failover Interface
vlan 560

AAA

aaa-server TAC protocol tacacs+
aaa-server TAC host 10.1.1.100
key ipexpert
aaa authentication telnet console TAC

aaa authentication include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC
aaa authentication include tcp/4515 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC

aaa-server RAD protocol radius
aaa-server RAD (dmz) host 10.1.200.251
key cisco

aaa authentication telnet console RAD LOCAL
aaa accounting telnet console RAD

telnet 10.1.33.3 255.255.255.255 inside


VPNs

crypto ipsec transform-set MYTRANS esp-3des esp-sha-hmac
crypto map MYMAP 10 match address L2L
crypto map MYMAP 10 set connection-type answer-only
crypto map MYMAP 10 set peer 192.1.12.15
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.1.12.15 type ipsec-l2l
tunnel-group 192.1.12.15 ipsec-attributes
pre-shared-key *

access-list L2L extended permit ip host 192.1.49.55 10.1.1.0 255.255.255.0

EZVPN

group-policy EZGroup internal
group-policy EZGroup attributes
wins-server value 10.2.2.175
dns-server value 10.2.2.175
vpn-idle-timeout 30
default-domain value ipexpert.net
username cisco password 3USUcOPFUiMCO4Jk encrypted

crypto ipsec transform-set MYTRANSFORM esp-des esp-md5-hmac
crypto dynamic-map MYDYN 5 set transform-set MYTRANSFORM
crypto map MYMAP 50 ipsec-isakmp dynamic MYDYN
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group EZGroup type ipsec-ra
tunnel-group EZGroup general-attributes
address-pool MYpool
default-group-policy EZGroup
tunnel-group EZGroup ipsec-attributes
pre-shared-key *

WebVPN

http server enable
http redirect outside 80

webvpn
enable outside

username lab2 password cisco encrypted

Filtering

filter java 80 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
filter java 8080 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
filter activex 80 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
filter activex 8080 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
Failover

Active/Standby

ASA1

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.1.15.101 255.255.255.0 standby 65.1.15.102
no shut
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 150.100.1.101 255.255.255.0 standby 150.100.1.102
no shut
!
interface GigabitEthernet0/3
description STATE Failover Interface
no shut
!
interface Management0/0
description LAN Failover Interface
no shut

failover lan unit primary
failover lan interface FAILOVER_LAN Management0/0
failover key luan
failover replication http
failover link STATEFUL_LAN GigabitEthernet0/3
failover interface ip FAILOVER_LAN 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL_LAN 1.1.1.5 255.255.255.252 standby 1.1.1.6
failover

ASA2:

failover
failover lan unit secondary
failover lan interface FAILOVER_LAN Management0/0
failover key luan
failover interface ip FAILOVER_LAN 1.1.1.1 255.255.255.252 standby 1.1.1.2

Layer 2 Transparent Firewall

firewall transparent
interface GigabitEthernet0/0.3
vlan 31
!
interface GigabitEthernet0/0.33
vlan 32
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.3
vlan 311
!
interface GigabitEthernet0/1.33
vlan 321

context custa
allocate-interface GigabitEthernet0/0.3
allocate-interface GigabitEthernet0/1.3
config-url disk0:/custa.cfg
!
context custb
allocate-interface GigabitEthernet0/0.33
allocate-interface GigabitEthernet0/1.33
config-url disk0:/custb.cfg

ip address 65.1.201.103 255.255.255.0 - Need IP address for L2 Transparent Firewall to work

Security Contexts (Virtual Firewall)

context custa
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/2
config-url disk0:/custa.cfg
!
context custb
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/3
config-url disk0:/custb.cfg

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.1.99.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.1.1.101 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.1.101.101 255.255.255.0

custa-context

global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 access-list DMZ outside
static (dmz,outside) 65.1.99.253 10.1.1.253 netmask 255.255.255.255
static (dmz,outside) 65.1.99.251 10.1.1.251 netmask 255.255.255.255

access-list DMZ extended permit ip any host 65.1.99.253
access-list DMZ extended permit ip any host 65.1.99.251

route outside 0.0.0.0 0.0.0.0 65.1.99.6 1

access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any host 65.1.99.253 eq www
access-list OUTSIDE extended permit udp any host 65.1.99.253 eq ntp
access-list OUTSIDE extended permit tcp any host 65.1.99.251 eq tacacs
access-list OUTSIDE extended permit udp any host 65.1.99.251 eq radius
access-list OUTSIDE extended permit udp any host 65.1.99.251 eq radius-acct

access-group OUTSIDE in interface outside

custb-context

access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended deny ip any any log

access-list INSIDE extended permit tcp 10.1.101.0 255.255.255.0 host 6.6.6.6 eq www
access-list INSIDE extended permit icmp any any

access-group OUTSIDE in interface outside

access-group INSIDE in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 65.1.99.6 1

Modular Policy Framework

class-map FTP
match port tcp eq ftp
class-map inspection_default
match default-inspection-traffic
class-map VOIP-SIG
match dscp af31
class-map VOIP-DATA
match dscp ef

policy-map VOIP-FTP
class VOIP-DATA
priority
class VOIP-SIG
priority
class FTP
police input 1000000 32000

service-policy VOIP-FTP interface outside

priority-queue outside
Application-Aware Inspection
High Availability Scenarios
QoS Policies

class-map class_ftp
match port tcp eq 2021
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
class class_ftp
inspect ftp
!
service-policy global_policy global
Other Advanced Features

arp outside 10.5.5.5 0012.8031.e118
arp inside 10.5.5.100 0003.6beb.1360
arp timeout 14400

MAC Aging

mac-address-table static outside 0012.8031.e118
mac-address-table static inside 0003.6beb.1360

ARP Spoofing

arp-inspection outside enable no-flood
arp-inspection inside enable no-flood

BGP passthrough

access-list OUTSIDE extended permit tcp host 10.1.11.1 host 10.1.11.254 eq bgp

static (inside,outside) 10.1.11.254 150.100.1.254 netmask 255.255.255.255
static (outside,inside) 150.100.1.1 10.1.11.1 netmask 255.255.255.255
access-group OUTSIDE in interface outside

Deny/Inspect SNMP

snmp-map NO_SNMP_V1
deny version 1

policy-map global_policy
inspect snmp NO_SNMP_V1

Contributors