Sunday, December 20, 2009

OPENING NETMEETING ON INTERNET

Hi, in this tutorial I will explain how to open NetMeeting connections between two remote sites across the Internet. For this I am using a 256 kbps link, policed with Committed Access Rate (CAR). Consider the scenario:


Here I have used two routers, as shown in the diagram. The ports I mapped statically to the public addresses are as follows:

To establish outbound NetMeeting connections through a NAT device, the NAT device must be configured to do the following:


* Pass through the primary TCP connections on ports 522, 389, 1503, 1720 and 1731.
* Pass through the secondary UDP connections on dynamically assigned ports (1024-65535).
 
For further information see: http://support.microsoft.com/kb/158623
 
 
 
The static NAT configuration on both routers is nearly the same:
 
On R0:
 
ip nat inside source static tcp 192.168.1.3 389 10.1.1.1 389 extendable

ip nat inside source static tcp 192.168.1.3 522 10.1.1.1 522 extendable
ip nat inside source static tcp 192.168.1.3 1503 10.1.1.1 1503 extendable
ip nat inside source static tcp 192.168.1.3 1720 10.1.1.1 1720 extendable
ip nat inside source static tcp 192.168.1.3 1731 10.1.1.1 1731 extendable
 
 
On R1:
 
ip nat inside source static tcp 192.168.56.200 389 10.1.1.2 389 extendable
ip nat inside source static tcp 192.168.56.200 522 10.1.1.2 522 extendable
ip nat inside source static tcp 192.168.56.200 1503 10.1.1.2 1503 extendable
ip nat inside source static tcp 192.168.56.200 1720 10.1.1.2 1720 extendable
ip nat inside source static tcp 192.168.56.200 1731 10.1.1.2 1731 extendable
 
Note:
 
I didn't check audio after configuring the above commands on the routers. Please feel free to leave a comment if you have any update on this.
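A check worth running before testing a call, as an added example (my code, not part of the original post): parse the static mappings and compare them with the KB 158623 list. R0_CONFIG is copied from the mappings above (10.1.1.x stands in for public addresses in this lab); INCOMPLETE_CONFIG is a constructed variant. Note that the five static TCP entries cover call set-up only: the dynamically assigned UDP ports that carry audio and video cannot be expressed as per-port static entries, so the check reports them as unhandled unless an H.323-aware NAT (an ALG) or some other mechanism takes care of them.

```python
import re
from typing import List

# TCP ports NetMeeting needs for call set-up (Microsoft KB 158623):
# 389 and 522 (directory/ULS), 1503 (T.120 data), 1720 (H.323 call set-up), 1731 (audio call control)
NETMEETING_TCP_PORTS = {389, 522, 1503, 1720, 1731}
# Audio and video streams then use dynamically assigned UDP ports in this range
NETMEETING_UDP_RANGE = (1024, 65535)

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<inside>\S+) (?P<iport>\d+) "
    r"(?P<outside>\S+) (?P<oport>\d+)(?: extendable)?$"
)


def parse_static_nat(config: str) -> List[dict]:
    """Extract the static port mappings from an IOS configuration text."""
    entries = []
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["iport"], e["oport"] = int(e["iport"]), int(e["oport"])
            entries.append(e)
    return entries


def check_netmeeting_nat(config: str, inside_host: str) -> dict:
    """Report which KB 158623 requirements the static mappings for inside_host satisfy."""
    entries = [e for e in parse_static_nat(config) if e["inside"] == inside_host]
    tcp_ports = {e["oport"] for e in entries if e["proto"] == "tcp"}
    udp_ports = {e["oport"] for e in entries if e["proto"] == "udp"}
    lo, hi = NETMEETING_UDP_RANGE
    return {
        "public_ips": sorted({e["outside"] for e in entries}),
        "missing_tcp": sorted(NETMEETING_TCP_PORTS - tcp_ports),
        # a handful of static UDP entries cannot stand in for a dynamic 64k-port range;
        # if nothing at all is mapped for UDP, the media streams have no inbound path
        "udp_media_handled": any(lo <= p <= hi for p in udp_ports),
    }


# R0's mappings as posted on this page
R0_CONFIG = """\
ip nat inside source static tcp 192.168.1.3 389 10.1.1.1 389 extendable
ip nat inside source static tcp 192.168.1.3 522 10.1.1.1 522 extendable
ip nat inside source static tcp 192.168.1.3 1503 10.1.1.1 1503 extendable
ip nat inside source static tcp 192.168.1.3 1720 10.1.1.1 1720 extendable
ip nat inside source static tcp 192.168.1.3 1731 10.1.1.1 1731 extendable
"""

# constructed variant with the H.323 call set-up port left out
INCOMPLETE_CONFIG = "\n".join(line for line in R0_CONFIG.splitlines() if " 1720 " not in line)

if __name__ == "__main__":
    for name, cfg in (("R0", R0_CONFIG), ("incomplete", INCOMPLETE_CONFIG)):
        print(name, check_netmeeting_nat(cfg, "192.168.1.3"))
```

Run it against R1's lines in the same way by changing the inside host to 192.168.56.200; the result for the posted configs is the same: all five TCP ports mapped, no UDP path for the media streams.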
 
Commands for applying CAR on the serial interfaces of both routers (the capture below is from the router holding 10.1.1.2; access-list 1, which the rate-limit statements reference, is not included in the capture and must be defined):
 
 
interface Serial1/0

ip address 10.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
rate-limit input access-group 1 256000 64000 64000 conform-action transmit exceed-action drop
rate-limit output access-group 1 256000 64000 64000 conform-action transmit exceed-action drop
serial restart-delay 0
end
Tuesday, December 15, 2009

Cisco Password Encryption Published

Hey programmers, here is something worth knowing. Don't take this in a destructive way; it is provided for recovery purposes only.
Cisco PIX passwords are limited to a length of 16 bytes, so in theory there are 255^16 possible passwords, but in practice only about 80^16 combinations are typeable (take a look at your keyboard), even when strong passwords are used.

Cisco's password "encryption" is really a base64-encoded MD5 hash. Router IOS (the type 5 enable secret) runs 1000 MD5 update rounds to make brute-force attacks harder, but the PIX firewall uses a single MD5 pass over the password padded to 16 bytes and then base64-encodes the digest. There is no salt either, so identical passwords always produce identical hashes and one precomputed table serves every PIX.

For the base64 encoding Cisco uses the _crypt_to64() function of the FreeBSD libcrypt library.

Here's the code to compute PIX password hashes (made self-contained here with OpenSSL's MD5 API and a local copy of FreeBSD's _crypt_to64; compile with -lcrypto):

#include <stdio.h>
#include <string.h>
#include <openssl/md5.h>   /* cc pix_hash.c -lcrypto */

/* FreeBSD libcrypt _crypt_to64(): n characters, 6 bits each, least significant bits first */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static void crypt_to64(char *s, unsigned long v, int n)
{
    while (--n >= 0) { *s++ = itoa64[v & 0x3f]; v >>= 6; }
}

/* out receives the 16-character PIX hash plus a terminating NUL */
void pix_hash(const char *password, char out[17])
{
    MD5_CTX ctx;
    unsigned char final[MD5_DIGEST_LENGTH];
    unsigned char cleartext[16] = {0};   /* NUL padded; longer passwords are silently truncated */

    strncpy((char *)cleartext, password, sizeof cleartext);
    MD5_Init(&ctx);
    MD5_Update(&ctx, cleartext, sizeof cleartext);   /* always 16 bytes, no salt, one round */
    MD5_Final(final, &ctx);

    for (int i = 0; i < 4; i++) {
        /* 24 bits per group, little-endian; the original *(unsigned long *) cast depends on
           endianness and on a 64-bit host reads past the end of the digest */
        unsigned long v = final[4*i] | (final[4*i + 1] << 8) | (final[4*i + 2] << 16);
        crypt_to64(out + 4*i, v, 4);
    }
    out[16] = '\0';
}

int main(void)
{
    char cisco_encoded[17];
    pix_hash("test", cisco_encoded);
    printf("%s\n", cisco_encoded);
    return 0;
}
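The same computation in Python, together with the use the author has in mind (recovery and auditing), as an added example that is not part of the original post. pix_hash reimplements the algorithm above with hashlib; audit_pix_passwords checks the enable and telnet hashes found in a PIX config against a wordlist. SAMPLE_CONFIG is a constructed excerpt built from the two hashes that appear in the firewall configs further down this page, and DEFAULT_WORDLIST is constructed as well.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# FreeBSD libcrypt alphabet used by _crypt_to64()
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def crypt_to64(value: int, n: int) -> str:
    """_crypt_to64(): n characters of 6 bits each, least-significant bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def pix_hash(password: str) -> str:
    """PIX 'encrypted' password: unsalted MD5 over the password NUL-padded (or silently
    truncated) to 16 bytes, then four 24-bit little-endian words of the digest encoded as
    4 characters each. The 4th, 8th, 12th and 16th digest bytes never appear in the hash."""
    buf = password.encode("latin-1")[:16].ljust(16, b"\0")
    digest = hashlib.md5(buf).digest()
    words = (digest[i] | digest[i + 1] << 8 | digest[i + 2] << 16 for i in (0, 4, 8, 12))
    return "".join(crypt_to64(w, 4) for w in words)


PASSWORD_LINE_RE = re.compile(r"^(enable password|passwd) (\S+) encrypted$")


def audit_pix_passwords(config: str, wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each enable/telnet hash in a PIX config to the wordlist entry that produces it
    (None if nothing matches). Because the hash is unsalted, one table serves every config."""
    table = {pix_hash(w): w for w in wordlist}
    result: Dict[str, Optional[str]] = {}
    for line in config.splitlines():
        m = PASSWORD_LINE_RE.match(line.strip())
        if m:
            result[m.group(2)] = table.get(m.group(2))
    return result


# Constructed excerpt using the two hashes that appear in the configs on this page
SAMPLE_CONFIG = """\
hostname FW0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
"""
DEFAULT_WORDLIST = ["", "cisco", "pix", "admin", "password"]

if __name__ == "__main__":
    for h, pw in audit_pix_passwords(SAMPLE_CONFIG, DEFAULT_WORDLIST).items():
        print(h, "->", repr(pw) if pw is not None else "not in wordlist")
```

Both hashes in the sample resolve to factory defaults (the empty enable password and the telnet password "cisco"), which is exactly what a config review should flag. The truncation to 16 bytes also means a 20-character passphrase is no stronger than its first 16 characters.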
Regards,
Ashish Saretia.
+919893876066

Sunday, December 13, 2009

Use of GLBP, HSRP and Active/Standby FAILOVER

Consider this type of scenario shown below:



Components used:

Cisco PIX 525 running version 8.0.
c3600 router with a 16ESW module, emulating a layer 3 switch.


The lower half is configured with GLBP and the upper half with HSRP.

Why did I use both protocols? So that anyone who wants to see how each one works can check the configuration of both. Ethernet2 of both firewalls is used as the management interface.

Brief notes on both protocols:

  • Both are Cisco proprietary.
  • Both can track interfaces, so that if a monitored interface fails, or the active router or L3 switch goes down, a switchover takes place.
  • GLBP differs from HSRP in one feature: it load-balances among the gateways. Balancing can be host-dependent (by host MAC address), round-robin (the default) or weighted.
Of course, I have used failover on both firewalls, FW0 (Active) and FW1 (Standby), for redundancy.

Before configuring failover, always remember these points:

  • The firewall models must be the same
  • The number and type of interfaces must be the same
  • The OS version must be the same
  • The memory (RAM and flash) must be the same
  • For more you can refer to http://www.cisco.com/


You can go through the BCMSN guide for further study. I will not explain too much.
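One thing to check in any HSRP/GLBP deployment is who is allowed to join the group: a host on the segment that can speak the protocol can claim the virtual gateway and sit in the middle of all traffic. In the configurations below, group 1 (GLBP) and group 3 (HSRP) on FastEthernet1/13 have no authentication at all, and groups 2 and 4 use MD5 with the key-string "cisco". The following audit is an added example (my code, not part of the original post); SAMPLE_R3 is constructed from the R3 fragments below plus an invented Vlan50 group that uses a key chain, and WEAK_KEYS is a constructed list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed list of keys to treat as known/default
WEAK_KEYS = {"cisco", "cisco123", "password", "admin", "secret"}

AUTH_RE = re.compile(
    r"authentication (?:md5 (?:key-string (?P<md5key>\S+)|key-chain (?P<chain>\S+))"
    r"|(?:text )?(?P<text>\S+))(?:\s.*)?$"
)
GROUP_RE = re.compile(r"(standby|glbp) (\d+) (.+)$")


def parse_fhrp_groups(config: str) -> Dict[Tuple[str, str, int], dict]:
    """{(interface, protocol, group): {"auth": None|"text"|"md5"|"md5-key-chain", "key": ...}}.
    Keys on 'interface' lines only, so it also works on indentation-stripped text like this page's."""
    groups: Dict[Tuple[str, str, int], dict] = {}
    iface: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = GROUP_RE.match(line)
        if not m or iface is None:
            continue
        proto = "hsrp" if m.group(1) == "standby" else "glbp"
        entry = groups.setdefault((iface, proto, int(m.group(2))), {"auth": None, "key": None})
        am = AUTH_RE.match(m.group(3))
        if am is None:
            continue
        if am.group("md5key"):
            entry.update(auth="md5", key=am.group("md5key"))
        elif am.group("chain"):
            entry.update(auth="md5-key-chain", key=am.group("chain"))
        else:
            entry.update(auth="text", key=am.group("text"))
    return groups


def audit_fhrp(config: str) -> List[Tuple[str, str, int, str]]:
    """One finding per group that a host on the segment could join or spoof."""
    findings = []
    for (iface, proto, grp), entry in sorted(parse_fhrp_groups(config).items()):
        if entry["auth"] is None:
            # HSRP without configured authentication still sends the default string "cisco"
            # in clear text; GLBP sends nothing. Either way any host on the VLAN can take over.
            findings.append((iface, proto, grp, "no-authentication"))
        elif entry["auth"] == "text":
            findings.append((iface, proto, grp, "plaintext-authentication"))
        elif entry["auth"] == "md5" and entry["key"] in WEAK_KEYS:
            findings.append((iface, proto, grp, "weak-md5-key"))
    return findings


# Constructed from the R3 configuration on this page; Vlan50 / group 5 / FHRP-KEYS are invented
SAMPLE_R3 = """\
interface FastEthernet1/13
no switchport
ip address 192.168.1.252 255.255.255.0
standby 3 ip 192.168.1.254
standby 3 timers 1 3
standby 3 priority 150
standby 3 preempt
!
interface Vlan99
ip address 192.168.10.1 255.255.255.0
standby 4 ip 192.168.10.254
standby 4 priority 150
standby 4 preempt
standby 4 authentication md5 key-string cisco
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
glbp 5 ip 192.168.50.254
glbp 5 authentication md5 key-chain FHRP-KEYS
"""

if __name__ == "__main__":
    for finding in audit_fhrp(SAMPLE_R3):
        print("%s %s group %d: %s" % finding)
```

The same lab configs also leave no service password-encryption, ip http server enabled and the vty lines with login but no password; those are fine in GNS3 and worth fixing anywhere else.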

Configuration part:


FW0(PRIMARY) configuration:

!


hostname FW0

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif Outside

security-level 0

ip address 192.168.10.250 255.255.255.0

!

interface Ethernet1

nameif Inside

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Ethernet2

nameif mgmt

security-level 99

ip address 192.168.4.253 255.255.255.0 standby 192.168.4.254

management-only

!

interface Ethernet3

!

interface Ethernet4

!

interface Redundant1

description LAN/STATE Failover Interface

member-interface Ethernet3

member-interface Ethernet4

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Outside_access_in extended permit icmp any any

pager lines 24

mtu Outside 1500

mtu Inside 1500

mtu mgmt 1500

failover

failover lan unit primary

failover lan interface fail_int Redundant1

failover lan enable

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover key *****

failover link fail_int Redundant1

failover interface ip fail_int 1.1.1.1 255.255.255.252 standby 1.1.1.2

no monitor-interface mgmt

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1

route Inside 192.168.56.0 255.255.255.0 192.168.200.100 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.4.0 255.255.255.0 mgmt

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client broadcast-flag

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:2dba6cd4479e3e98aa10893eec4c2862

: end
 
FW1(SECONDARY) configuration:
 
 
 PIX Version 8.0(2)


!

hostname FW0

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif Outside

security-level 0

ip address 192.168.10.250 255.255.255.0

!

interface Ethernet1

nameif Inside

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Ethernet2

nameif mgmt

security-level 99

ip address 192.168.4.253 255.255.255.0 standby 192.168.4.254

management-only

!

interface Ethernet3

!

interface Ethernet4

!

interface Redundant1

description LAN/STATE Failover Interface

member-interface Ethernet3

member-interface Ethernet4

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Outside_access_in extended permit icmp any any

pager lines 24

mtu Outside 1500

mtu Inside 1500

mtu mgmt 1500

failover

failover lan unit secondary

failover lan interface fail_int Redundant1

failover lan enable

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover key *****

failover link fail_int Redundant1

failover interface ip fail_int 1.1.1.1 255.255.255.252 standby 1.1.1.2

no monitor-interface mgmt

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1

route Inside 192.168.56.0 255.255.255.0 192.168.200.100 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.4.0 255.255.255.0 mgmt

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client broadcast-flag

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:da40a422579a902a3ccf7899907ba015

: end



R0(GLBP ACTIVE) configuration:
 

!


version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree vlan 1 priority 8192

spanning-tree vlan 99 priority 8192

!

!

!

!

!

!

!

interface Port-channel1

switchport trunk native vlan 99

switchport mode trunk

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

switchport access vlan 99

!

interface FastEthernet1/1

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

!

interface FastEthernet1/12

!

interface FastEthernet1/13

no switchport

ip address 192.168.56.2 255.255.255.0

glbp 1 ip 192.168.56.254

glbp 1 priority 150

glbp 1 preempt

!

interface FastEthernet1/14

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface FastEthernet1/15

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface Vlan1

no ip address

!

interface Vlan99

ip address 192.168.200.254 255.255.255.0

glbp 2 ip 192.168.200.100

glbp 2 priority 150

glbp 2 preempt

glbp 2 authentication md5 key-string cisco

!

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 Vlan99 192.168.200.1

!

!

!

mac-address-table static 0007.b400.0202 interface FastEthernet1/15 vlan 99

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

!

end

R1(GLBP STANDBY) Configuration:
 
 
!


version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

vtp file nvram:vlan.dat



!

!

!

!

!

!

!

interface Port-channel1

switchport trunk native vlan 99

switchport mode trunk

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

switchport access vlan 99

!

interface FastEthernet1/1

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

!

interface FastEthernet1/12

!

interface FastEthernet1/13

no switchport

ip address 192.168.56.3 255.255.255.0

glbp 1 ip 192.168.56.254

glbp 1 timers 1 2

glbp 1 preempt

!

interface FastEthernet1/14

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface FastEthernet1/15

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface Vlan1

no ip address

!

interface Vlan99

ip address 192.168.200.253 255.255.255.0

glbp 2 ip 192.168.200.100

glbp 2 preempt

glbp 2 authentication md5 key-string cisco

!

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 Vlan99 192.168.200.1

!

!

!

mac-address-table static 0007.b400.0201 interface FastEthernet1/15 vlan 99

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

!

end
 
 
R3(HSRP ACTIVE) Configuration:
 
 
!


version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree vlan 1 priority 8192

spanning-tree vlan 99 priority 8192

vtp file nvram:vlan.dat



!

!

!

!

!

!

!

interface Port-channel1

switchport trunk native vlan 99

switchport mode trunk

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

switchport access vlan 99

!

interface FastEthernet1/1

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

!

interface FastEthernet1/12

!

interface FastEthernet1/13

no switchport

ip address 192.168.1.252 255.255.255.0

standby 3 ip 192.168.1.254

standby 3 timers 1 3

standby 3 priority 150

standby 3 preempt

!

interface FastEthernet1/14

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface FastEthernet1/15

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface Vlan1

no ip address

!

interface Vlan99

ip address 192.168.10.1 255.255.255.0

standby 4 ip 192.168.10.254

standby 4 timers 1 3

standby 4 priority 150

standby 4 preempt

standby 4 authentication md5 key-string cisco

!

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

!

!

mac-address-table static 0000.0c07.ac04 interface FastEthernet1/15 vlan 99

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

!

end

R2(HSRP STANDBY) Configuration:
 
!


version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

vtp file nvram:vlan.dat



!

!

!

!

!

!

!

interface Port-channel1

switchport trunk native vlan 99

switchport mode trunk

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

switchport access vlan 99

!

interface FastEthernet1/1

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

!

interface FastEthernet1/12

!

interface FastEthernet1/13

no switchport

ip address 192.168.1.253 255.255.255.0

standby 3 ip 192.168.1.254

standby 3 timers 1 3

standby 3 preempt

!

interface FastEthernet1/14

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface FastEthernet1/15

switchport trunk native vlan 99

switchport mode trunk

channel-group 1 mode on

!

interface Vlan1

no ip address

!

interface Vlan99

ip address 192.168.10.2 255.255.255.0

standby 4 ip 192.168.10.254

standby 4 timers 1 3

standby 4 preempt

standby 4 authentication md5 key-string cisco

!

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

!

end

Sunday, December 6, 2009

Cut Through Proxy


This is not a full-fledged proxy; I call it a stateful proxy. Here the right side of the firewall is the inside network and the left side is the untrusted connection. The test was done with a VMware guest as the inside host, and the outside network was reached via a DSL connection with Windows XP as the host OS. It was successful: when any website was accessed, the traffic was intercepted by the security appliance, which asked for a username and password and dropped the connection if they were incorrect. In this configuration cut-through proxy intercepts egress TCP connections only.
Configuration of Firewall:

hostname pixfirewall
domain-name default.domain.invalid
enable password oyM4X.DeOBQWUivD encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
nameif inside
security-level 100
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd Q6PcEw0JPNC8SDNU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list icmp_in extended permit icmp any any
access-list private_ip_from_outside extended deny ip 10.0.0.0 255.0.0.0 any
! 255.248.0.0 is a /13 and only covers 172.16.0.0-172.23.255.255; the RFC 1918 block is 172.16.0.0/12, mask 255.240.0.0
access-list private_ip_from_outside extended deny ip 172.16.0.0 255.240.0.0 any
access-list private_ip_from_outside extended permit icmp any any
access-list private_ip_from_outside extended deny tcp any any eq 445
access-list private_ip_from_outside extended deny tcp any any eq 137
access-list deny_inside_to_outside extended deny tcp 192.168.0.0 255.255.0.0 any eq 445
access-list deny_inside_to_outside extended permit ip any any
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! for letting data traffic flow from inside to outside
global (outside) 1 192.168.1.100
global (outside) 1 192.168.1.101
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group private_ip_from_outside in interface outside
access-group deny_inside_to_outside in interface inside
! default route to outside hop ip i.e. 192.168.1.1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 3:00:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! authenticate every TCP connection (tcp/0 = all TCP ports, i.e. http, ftp, telnet, ...) from any inside host
! to any destination against the LOCAL user database; the LOCAL database needs at least one
! "username <name> password <password>" entry, which is not included in this capture
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
! prompt for HTTP credentials over HTTPS so the password does not cross the inside network in clear text
aaa authentication secure-http-client

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
!
!
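The anti-spoofing ACL on the outside interface is worth checking mechanically rather than by eye: as originally posted, the 172.16 entry used 255.248.0.0, which is a /13 and stops at 172.23.255.255, so half of 172.16.0.0/12 was let through. The following added example (my code, not the post's) parses deny entries in PIX/ASA syntax and reports which parts of RFC 1918 space remain uncovered. POSTED_ACL is the list as it appeared; FIXED_ACL is a constructed corrected version. Note that this lab's own outside link sits in 192.168.1.0/24, so blocking 192.168.0.0/16 on the outside interface would cut it off in practice; it is included only to show a fully covered list.

```python
import ipaddress
import re
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# PIX/ASA extended ACL entry that drops a whole source network (note: real subnet mask, not a wildcard)
DENY_SRC_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended deny ip (?P<net>[\d.]+) (?P<mask>[\d.]+) any$"
)


def denied_sources(config: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect, per ACL name, the source networks denied to any destination."""
    acls: Dict[str, List[ipaddress.IPv4Network]] = {}
    for line in config.splitlines():
        m = DENY_SRC_RE.match(line.strip())
        if m:
            acls.setdefault(m["acl"], []).append(
                ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False))
    return acls


def rfc1918_gaps(denied: List[ipaddress.IPv4Network]) -> List[str]:
    """Return the parts of RFC 1918 space that the deny entries leave uncovered, as CIDR strings."""
    gaps: List[ipaddress.IPv4Network] = []
    for block in RFC1918:
        remaining = [block]
        for d in denied:
            nxt = []
            for r in remaining:
                if r.subnet_of(d):          # r lies entirely inside the deny entry
                    continue
                if d.subnet_of(r):          # the deny entry punches a hole in r
                    nxt.extend(r.address_exclude(d))
                else:                       # disjoint
                    nxt.append(r)
            remaining = nxt
        gaps.extend(remaining)
    return [str(g) for g in sorted(gaps)]


def gaps_for(config: str, acl: str = "private_ip_from_outside") -> List[str]:
    return rfc1918_gaps(denied_sources(config).get(acl, []))


# The anti-spoofing entries as originally posted on this page
POSTED_ACL = """\
access-list private_ip_from_outside extended deny ip 10.0.0.0 255.0.0.0 any
access-list private_ip_from_outside extended deny ip 172.16.0.0 255.248.0.0 any
access-list private_ip_from_outside extended permit icmp any any
"""
# Constructed: corrected /12 mask plus the 192.168/16 block (see the note above about this lab)
FIXED_ACL = POSTED_ACL.replace("255.248.0.0", "255.240.0.0") + \
    "access-list private_ip_from_outside extended deny ip 192.168.0.0 255.255.0.0 any\n"

if __name__ == "__main__":
    print("posted:", gaps_for(POSTED_ACL))
    print("fixed: ", gaps_for(FIXED_ACL))
```

The same routine generalises to any bogon list: swap RFC1918 for the blocks you expect to be denied and feed it the ACL from a show running-config capture.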

Limiting Number of TCP and UDP Connections on Firewall

Dear All,
I know something about configuring NAT on a Cisco firewall, but what about the less-known feature of limiting TCP and UDP connections on the security appliance? When you configure dynamic NAT for the internal network, or static NAT for an internal/DMZ server on the outside interface so that it can be reached persistently from outside, you have the option of limiting the number of TCP and UDP connections.

It looks like this:
nat (inside) 1 0 0 tcp 25 25 udp 25
The limits hang off the nat (and static) commands, not the global command, whichever global pool is in use.
Explanation:
The nat command above says that any number of inside hosts can be translated, but each host may hold at most 25 established TCP connections, 25 embryonic TCP connections (half-open: the SYN has been seen but the handshake has not completed) and 25 UDP connections. Remember that this limit applies to each host initiating connections from the inside (egress traffic).


What about static NAT?
An example:

static (dmz,outside) tcp 1.1.1.1 21 192.168.1.3 21 netmask 255.255.255.255 tcp 0 25 udp 0

Here the DMZ host 192.168.1.3, an FTP server, is mapped with mask 255.255.255.255 (a single host) to the outside address 1.1.1.1. tcp 0 25 means that an unlimited number of established connections may be made from outside (0 means unlimited), but no more than 25 embryonic connections may be outstanding at once. udp 0 leaves UDP unlimited as well.

What happens when the limit is reached:

Once the embryonic-connection limit is exceeded, the security appliance uses TCP SYN cookies and acts as a proxy between the connecting host and the server. Each further SYN is answered on behalf of the server with a SYN-ACK whose sequence number is a cookie derived from the connection's addresses and ports; the SYN itself is not forwarded. Only if the connecting (source) host returns the matching ACK does the appliance open the connection to the target host, complete that handshake and splice the two sides together. If no valid ACK comes back, nothing was allocated and nothing needs to be dropped.

By virtue of the SYN cookie, half-open connections above the limit are not stored in DRAM; the appliance processes them on the fly. This is how a SYN-flood DoS against the server is mitigated.
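The exchange described above as a small model, an added example (my code, neither Cisco's implementation nor part of the original post). It assumes a keyed HMAC cookie over the 4-tuple, the client's initial sequence number and a coarse time slot, which is the general shape of a SYN cookie rather than the appliance's exact construction. The embryonic limit is counted per server here; the nat form on this page counts per inside host instead. All addresses and the secret are constructed.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Set, Tuple


class EmbryonicLimitModel:
    """What the appliance does when 'tcp <max> <emb-limit>' is reached. Below the limit a client
    SYN is forwarded and tracked as half-open; at the limit the appliance answers with a SYN-ACK
    whose sequence number is a keyed SYN cookie and keeps no per-connection state until the
    client proves it can finish the handshake."""

    COOKIE_WINDOW = 60  # seconds; a cookie is accepted in the slot it was minted in and the next

    def __init__(self, embryonic_limit: int, secret: bytes) -> None:
        self.limit = embryonic_limit
        self.secret = secret
        self.half_open: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)  # server -> {(client, port)}

    def _cookie(self, client: str, sport: int, server: str, dport: int, isn: int, slot: int) -> int:
        msg = f"{client}:{sport}>{server}:{dport}:{isn}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client: str, sport: int, server: str, dport: int, isn: int, now: float):
        """('forward-syn', None) below the limit, else ('syn-ack-cookie', cookie) and no state kept."""
        if len(self.half_open[server]) < self.limit:
            self.half_open[server].add((client, sport))
            return "forward-syn", None
        slot = int(now) // self.COOKIE_WINDOW
        return "syn-ack-cookie", self._cookie(client, sport, server, dport, isn, slot)

    def on_ack(self, client: str, sport: int, server: str, dport: int, isn: int,
               ack_num: int, now: float) -> str:
        """The client's ACK must carry cookie+1; only then is the handshake with the real server started."""
        slot = int(now) // self.COOKIE_WINDOW
        for s in (slot, slot - 1):
            if ack_num == (self._cookie(client, sport, server, dport, isn, s) + 1) & 0xFFFFFFFF:
                return "open-to-server"
        return "drop"  # forged, stale or replayed: nothing was allocated, nothing to clean up

    def on_handshake_complete(self, client: str, sport: int, server: str) -> None:
        """A tracked half-open connection finished (or timed out) and frees a slot."""
        self.half_open[server].discard((client, sport))


if __name__ == "__main__":
    m = EmbryonicLimitModel(embryonic_limit=2, secret=b"constructed-secret")
    for i, client in enumerate(("198.51.100.5", "198.51.100.6", "198.51.100.7")):
        print(client, m.on_syn(client, 40000 + i, "1.1.1.1", 21, 100 + i, now=i))
```

Two things the model makes visible: an attacker sending SYNs from spoofed addresses never gets past on_syn once the limit is hit, so the server's backlog stays untouched; and a client that genuinely completes the handshake pays nothing more than one extra round trip through the appliance.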

Deploying Networks Using IGPs (OSPF and EIGRP) Redistribution: BASICS ONLY


This is a simple but instructive network. I will not explain too much, just a little.
The upper half of the network runs OSPF (R1, R2, R3).
The lower half runs EIGRP (R3, R4, R5). You might be wondering why R3 appears in both halves: it is the only router where redistribution takes place. Note that R3 redistributes in both directions, and also pushes its static routes into both protocols, without route tags or distribute lists; with a single redistribution point that cannot loop, but it will the moment a second boundary router is added.
There is one more thing in R3's configuration: the cloud C1 connected to R3. What is its purpose? That is your assignment to work out. LOL!
Configuration of R3:

!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex half
!
interface Ethernet1/0
ip address 192.168.3.6 255.255.255.252
ip nat inside
ip virtual-reassembly
ip ospf 1 area 0
duplex half
!
interface Ethernet1/1
ip address 192.168.3.2 255.255.255.252
ip nat inside
ip virtual-reassembly
ip ospf 1 area 0
duplex half
!
interface Ethernet1/2
ip address 192.168.2.6 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
!
interface Ethernet1/3
ip address 192.168.2.2 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
!
router eigrp 1
redistribute static
redistribute ospf 1 metric 10000 1000 255 1 1500
network 192.168.2.0 0.0.0.7
auto-summary
!
router ospf 1
log-adjacency-changes
redistribute static subnets
redistribute eigrp 1 subnets
default-information originate
!
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
Configuration of R4:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
ip address 192.168.2.9 255.255.255.252
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
ip address 192.168.2.1 255.255.255.252
half-duplex
!
!
router eigrp 1
network 192.168.2.1 0.0.0.0
network 192.168.2.9 0.0.0.0
auto-summary
!
ip http server
no ip http secure-server
no ip classless
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R5 Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
ip address 192.168.2.10 255.255.255.252
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
ip address 192.168.2.5 255.255.255.252
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
!
router eigrp 1
network 192.168.2.5 0.0.0.0
network 192.168.2.10 0.0.0.0
auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R1 Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Ethernet1/1
ip address 192.168.3.1 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/2
ip address 192.168.3.10 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
!
router ospf 1
log-adjacency-changes
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R2 Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
ip address 192.168.3.5 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
ip address 192.168.3.9 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
!
router ospf 1
log-adjacency-changes
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
How to configure FAILOVER on cisco pix in GNS3.
Configuration according to diagram.

As with all Cisco firewalls, the rule of thumb is that traffic can traverse from a higher security level to a lower one without any ACL, provided a NAT rule exists (or nat-control is disabled, in which case routing alone suffices without any translation). If outside hosts (lower security level) want to initiate connections to inside hosts (higher security level), the appliance must have both a static NAT and an ACL configured. In the scenario above I used nat-control. The inside network in the diagram is on the right side of the firewalls (security level 100) and the outside network on the left (security level 0). Failover is configured on FW0 and FW1.

How is a host on the same computer connected to the inside network?

This was done with a VMware guest OS, given the firewalls' active (failover) IP as its default gateway. An interesting feature of failover is that when you configure the active appliance (FW1) and save, the configuration replicates to the standby firewall (FW0): interface IP addresses, routing, NAT and so on. In other words, they are mirrors of each other.
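Because the two units are meant to be mirrors, the check a practitioner wants is a diff that tolerates only the unit role line and the checksum and reports everything else as drift (someone editing the standby by hand, or replication having failed). This is an added example (my code, not part of the original post). PRIMARY is constructed from the FW0/FW1 fragments in the earlier post on this page, SECONDARY is derived from it the way replication would, and DRIFTED is an invented standby with a route changed by hand. Note that the FW1 capture in that post shows hostname FW0: that is expected, since the hostname is replicated too.

```python
from typing import Dict, List, Set

# Differences that are legitimate between the two units of a failover pair; everything else is
# replicated from the active unit, so any other difference means the standby was edited by hand
ALLOWED_DIFF_PREFIXES = ("failover lan unit ", "Cryptochecksum:")
# Capture residue that carries no configuration
IGNORED_PREFIXES = (":", "PIX Version", "<--- More")


def normalize(config: str) -> Set[str]:
    """Config lines keyed by their interface context (PIX sub-commands run until the next '!'),
    so an 'ip address' that moved to another interface still shows up as a difference."""
    lines: Set[str] = set()
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            ctx = None
            continue
        if not line or line.startswith(IGNORED_PREFIXES):
            continue
        if line.startswith("interface "):
            ctx = line
            lines.add(line)
        else:
            lines.add(f"{ctx} > {line}" if ctx else line)
    return lines


def failover_pair_drift(primary: str, secondary: str) -> Dict[str, List[str]]:
    """Lines present on one unit only, split into expected (role, checksum) and unexpected drift."""
    a, b = normalize(primary), normalize(secondary)
    drift: Dict[str, List[str]] = {"expected": [], "only_primary": [], "only_secondary": []}
    for line in sorted(a ^ b):
        if line.startswith(ALLOWED_DIFF_PREFIXES):
            drift["expected"].append(line)
        elif line in a:
            drift["only_primary"].append(line)
        else:
            drift["only_secondary"].append(line)
    return drift


# Constructed from the FW0/FW1 fragments on this page
PRIMARY = """\
PIX Version 8.0(2)
hostname FW0
interface Ethernet0
nameif Outside
security-level 0
ip address 192.168.10.250 255.255.255.0
!
failover
failover lan unit primary
failover lan interface fail_int Redundant1
route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1
Cryptochecksum:2dba6cd4479e3e98aa10893eec4c2862
: end
"""
SECONDARY = (PRIMARY.replace("failover lan unit primary", "failover lan unit secondary")
                    .replace("2dba6cd4479e3e98aa10893eec4c2862", "da40a422579a902a3ccf7899907ba015"))
# Constructed: a default route edited on the standby by hand
DRIFTED = SECONDARY.replace("192.168.10.254 1", "192.168.10.253 1")

if __name__ == "__main__":
    print("healthy pair:", failover_pair_drift(PRIMARY, SECONDARY))
    print("drifted pair:", failover_pair_drift(PRIMARY, DRIFTED))
```

Run it on the output of show running-config from both units after a failover test as well as before; a standby that was active for a while and then edited is the usual source of surprises.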

So here is the configuration for FW1(Active):
PIX Version 8.0(2)
!
hostname PIXDOWN
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.56.2 255.255.255.0
!
interface Ethernet2
description Management Interface
nameif MGMT_INT
security-level 99
ip address 192.168.200.1 255.255.255.0
management-only
!
interface Ethernet3
nameif DMZ
security-level 50
ip address 10.81.200.1 255.255.255.252 standby 10.81.200.2
!
interface Ethernet4
description LAN/STATE Failover Interface
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner motd This is CISCO PIX 525
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name domain.local
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
pager lines 24
logging enable
logging standby
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu MGMT_INT 1500
mtu DMZ 1500
failover
failover lan unit primary
failover lan interface LANFAIL Ethernet4
failover lan enable
failover polltime unit 5 holdtime 15
failover replication http
failover link LANFAIL Ethernet4
failover interface ip LANFAIL 10.81.199.1 255.255.255.252 standby 10.81.199.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.1.20
global (outside) 1 192.168.1.21
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 25 udp 25
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.56.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.1 255.255.255.255 outside
telnet timeout 5
ssh scopy enable
ssh 192.168.56.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.200.10-192.168.200.254 MGMT_INT
dhcpd enable MGMT_INT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp authenticate
ntp server 207.46.232.182 prefer
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
prompt hostname context
Cryptochecksum:27b6669bbc3bab31a8254dca80e44377
: end

Here is the configuration for FW0 (Standby):


PIX Version 8.0(2)
!
hostname PIXDOWN
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.56.2 255.255.255.0
!
interface Ethernet2
description Management Interface
nameif MGMT_INT
security-level 99
ip address 192.168.200.1 255.255.255.0
management-only
!
interface Ethernet3
nameif DMZ
security-level 50
ip address 10.81.200.1 255.255.255.252 standby 10.81.200.2
!
interface Ethernet4
description LAN/STATE Failover Interface
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner motd This is CISCO PIX 525
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name domain.local
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
pager lines 24
logging enable
logging standby
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu MGMT_INT 1500
mtu DMZ 1500
failover
failover lan unit secondary
failover lan interface LANFAIL Ethernet4
failover lan enable
failover polltime unit 5 holdtime 15
failover replication http
failover link LANFAIL Ethernet4
failover interface ip LANFAIL 10.81.199.1 255.255.255.252 standby 10.81.199.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.1.20
global (outside) 1 192.168.1.21
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 25 udp 25
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.56.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.1 255.255.255.255 outside
telnet timeout 5
ssh scopy enable
ssh 192.168.56.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.200.10-192.168.200.254 MGMT_INT
dhcpd enable MGMT_INT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp authenticate
ntp server 207.46.232.182 prefer
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
prompt hostname context
Cryptochecksum:a1c86e0759da13e6ca07ec971350e88a
: end


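As an added check (not part of the original post), the following Python script takes constructed, abbreviated excerpts of the two PIX configs above and verifies what a failover pair should look like: the two running configs differ only in the per-unit `failover lan unit` role and the `Cryptochecksum`, terminal paging residue and failover console messages in a pasted dump are ignored, and each named interface is reported with or without a standby address. The interface names, addresses and checksums are copied from the configs above; the excerpt itself and the noise lines are constructed sample input.

```python
"""Added check for an active/standby PIX pair: both 'show run' dumps must
match except for the per-unit failover role and the Cryptochecksum, and
each data interface should carry a standby address so the peer can run
interface health tests on it rather than only watching link state."""
import re
from typing import Dict, List, Set, Tuple

# Constructed, abbreviated excerpt of the FW1 (Active) config posted above,
# including the paging/console noise that leaked into the pasted dump.
ACTIVE_CFG = """\
PIX Version 8.0(2)
!
hostname PIXDOWN
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.250 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.56.2 255.255.255.0
!
interface Ethernet2
 nameif MGMT_INT
 security-level 99
 ip address 192.168.200.1 255.255.255.0
 management-only
!
interface Ethernet3
 nameif DMZ
 security-level 50
 ip address 10.81.200.1 255.255.255.252 standby 10.81.200.2
!
interface Ethernet4
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface LANFAIL Ethernet4
failover interface ip LANFAIL 10.81.199.1 255.255.255.252 standby 10.81.199.2
<--- More --->.
No Response from Mate
telnet 192.168.56.1 255.255.255.255 outside
Cryptochecksum:27b6669bbc3bab31a8254dca80e44377
: end
"""

# The FW0 (Standby) dump on the page is identical apart from these lines,
# so the constructed standby excerpt is derived from the active one.
STANDBY_CFG = (
    ACTIVE_CFG.replace("failover lan unit primary", "failover lan unit secondary")
    .replace("Cryptochecksum:27b6669bbc3bab31a8254dca80e44377",
             "Cryptochecksum:a1c86e0759da13e6ca07ec971350e88a")
    .replace("<--- More --->.\nNo Response from Mate\n", "")
)

# Lines that legitimately differ between the two units of a failover pair.
PER_UNIT = (
    re.compile(r"^failover lan unit (primary|secondary)$"),
    re.compile(r"^Cryptochecksum:[0-9a-f]+$"),
)
# Terminal paging and failover console messages that are not config at all.
NOISE = (re.compile(r"^<--- More --->"), re.compile(r"^No Response from Mate"))


def normalize(cfg: str) -> List[str]:
    """Strip indentation, blank lines, '!' separators and console noise."""
    lines = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!" or any(p.match(line) for p in NOISE):
            continue
        lines.append(line)
    return lines


def _is_per_unit(line: str) -> bool:
    return any(p.match(line) for p in PER_UNIT)


def config_diff(active: str, standby: str) -> Tuple[Set[str], Set[str], List[str]]:
    """Return (only_in_active, only_in_standby, per_unit_lines_seen).
    A healthy pair yields two empty sets; anything else means the configs
    are out of sync or failover replication is not working."""
    a, s = set(normalize(active)), set(normalize(standby))
    per_unit = sorted(l for l in a ^ s if _is_per_unit(l))
    only_a = {l for l in a - s if not _is_per_unit(l)}
    only_s = {l for l in s - a if not _is_per_unit(l)}
    return only_a, only_s, per_unit


def standby_addresses(cfg: str) -> Dict[str, bool]:
    """Map each named interface (nameif) to whether its 'ip address' line
    carries a standby address."""
    result: Dict[str, bool] = {}
    name = None
    for line in normalize(cfg):
        if line.startswith("interface "):
            name = None  # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
            result[name] = False
        elif line.startswith("ip address ") and name is not None:
            result[name] = " standby " in line
    return result


def missing_standby(cfg: str) -> List[str]:
    """Named interfaces with no standby address, sorted by name."""
    return sorted(n for n, ok in standby_addresses(cfg).items() if not ok)


if __name__ == "__main__":
    only_a, only_s, per_unit = config_diff(ACTIVE_CFG, STANDBY_CFG)
    print("per-unit lines:", per_unit)
    print("out of sync:", only_a | only_s or "none")
    print("interfaces without a standby address:", missing_standby(ACTIVE_CFG))
```

Run against the excerpts, the pair comes back in sync and the report lists `outside`, `inside` and `MGMT_INT` as having no standby address; only the DMZ interface has one in the configs above, which is worth revisiting if you want the peer to health-check those interfaces rather than rely on link state alone.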
And on both routers I configured bridging on interfaces F0/0 and Vlan 1.
Here is the configuration; it is nearly the same on both routers. By the way, I used a Cisco 3660 with an ESW module.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bridge irb
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
ip address dhcp
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end