Friday, December 4, 2009

Configuring QoS for VoIP Traffic on Cisco ASA VPN Tunnels

Based on DSCP:

priority-queue outside
queue-limit 2048
tx-ring-limit 256
!
class-map Voice
match dscp ef
class-map Data
match tunnel-group 10.1.2.1
match flow ip destination-address

policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500

service-policy Voicepolicy interface outside


Based on ACL:

access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq h323
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq sip
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 2000

access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq h323
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq sip
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 2000

access-group 100 in interface outside

class-map Voice-OUT
match access-list 105
class-map Voice-IN
match access-list 100

inspect h323 h225
inspect h323 ras
inspect skinny
inspect sip

policy-map Voicepolicy
class Voice-IN
class Voice-OUT
priority

service-policy Voicepolicy interface outside

Show commands to verify:

show running-config policy-map
show service-policy interface outside

Configuring a Site to Site VPN between two Cisco ASA Firewalls

Local ASA:
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 IPSec-attributes
pre-shared-key testkey


Remote ASA:
access-list vpn_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.1
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key testkey

Show commands to verify:

show crypto isakmp sa
show crypto ipsec sa

Thursday, December 3, 2009

Configuring NTP on Cisco ASA Firewall

ntp server ip-address [key number] [source if-name] [prefer]
ntp server 64.90.182.55 source outside

Configuring Advanced Syslog on Cisco ASA Firewall

In this example I want to change the default severity level at which user login messages get logged.

Step 1: Find the syslog message ID for when a user logs in:

hostname(config)#show log | include admin
Dec 03 2009 17:32:35: %ASA-6-605005: Login permitted from 192.168.202.51/3507 to inside:192.168.2.20/ssh for user "admin"

Step 2: Find the current logging level for message ID 605005:

hostname(config)#show logging message 605005
syslog 605005: default-level informational (enabled)

Step 3: Change the logging level for message ID 605005 to warnings level:

hostname(config)#logging message 605005 level warnings

Step 4: Verify the new logging level for message ID 605005:

hostname(config)#show logging message 605005
syslog 605005: default-level informational, current-level warnings (enabled)
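To show what the severity change in steps 1 to 4 means for a syslog collector, here is an added Python example (not from the original post) that parses ASA syslog headers and applies a per-message level override the way logging message 605005 level warnings does; the trap-threshold logic and the second sample line are constructed for illustration.

```python
import re

# Cisco ASA syslog header: %ASA-<severity>-<message id>: <text>
ASA_SYSLOG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Level names as used by the ASA "logging" commands and their numeric values.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Per-message overrides, the equivalent of "logging message <id> level <name>".
# 605005 is the "Login permitted" message from step 1; raising it to warnings
# is the change made in step 3.
LEVEL_OVERRIDES = {"605005": "warnings"}

def parse_asa_syslog(line):
    """Return (severity, message id, text) from an ASA syslog line, or None."""
    m = ASA_SYSLOG.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def effective_severity(line, overrides=LEVEL_OVERRIDES):
    """Severity the ASA stamps on the line once per-message overrides apply."""
    parsed = parse_asa_syslog(line)
    if parsed is None:
        return None
    sev, msgid, _ = parsed
    return SEVERITY[overrides[msgid]] if msgid in overrides else sev

def would_be_sent(line, trap_level, overrides=LEVEL_OVERRIDES):
    """True if the line clears a "logging trap <trap_level>" threshold.
    A destination set to a level receives that level and everything more
    severe (numerically lower), so the informational login message is dropped
    at trap level warnings unless its level was raised as in step 3."""
    sev = effective_severity(line, overrides)
    return sev is not None and sev <= SEVERITY[trap_level]

# Constructed sample lines: the first mirrors the post's output, the second is a
# routine connection message that should stay below a warnings threshold.
SAMPLE_LOGS = [
    'Dec 03 2009 17:32:35: %ASA-6-605005: Login permitted from 192.168.202.51/3507 '
    'to inside:192.168.2.20/ssh for user "admin"',
    'Dec 03 2009 17:40:10: %ASA-6-302013: Built outbound TCP connection 12345 '
    'for outside:10.0.0.5/80 (10.0.0.5/80) to inside:192.168.2.30/51000 (192.168.2.30/51000)',
]
```

With the override in place the login message is forwarded at trap level warnings while the connection message is not; without it, both are dropped.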

Configuring OSPF on Cisco ASA Firewall over IPsec VPN Tunnel

ASA Local:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
ospf network point-to-point non-broadcast (required to allow unicast of OSPF over IPsec tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (bypass NAT)
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (define interesting traffic)
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2 (define interesting traffic)
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 40.40.40.2 interface outside
log-adj-changes

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

ASA Remote:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0
ospf network point-to-point non-broadcast (required to allow unicast of OSPF over IPsec tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (bypass NAT)
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (define interesting traffic)
access-list crypto extended permit ospf interface outside host 30.30.30.1 (define interesting traffic)

mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 30.30.30.1 interface outside
log-adj-changes

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

Show commands to verify:

ASA#show crypto isakmp sa
ASA#show crypto ipsec sa
ASA#show ospf neighbor
ASA#show ip route
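Mismatched crypto ACLs are a common reason a tunnel such as the ones in the site-to-site section above and in this OSPF-over-IPsec section never completes Phase 2. The following added Python check, which is not part of the original post, parses the permit ip entries of two peers' crypto ACLs and reports entries with no mirror image on the other side; the configs are constructed from the post's addressing with one deliberate mismatch.

```python
import ipaddress
import re

# "access-list <name> extended permit ip <net> <mask> <net> <mask>", the form the
# post uses for crypto (interesting traffic) and NAT-exemption ACLs on the ASA.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)

def parse_ip_aces(config):
    """Return {acl name: set of (src network, dst network)} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # other ACE forms (e.g. the 'permit ospf' entries) are skipped
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls

def crypto_acl_mismatches(local_cfg, local_acl, remote_cfg, remote_acl):
    """Entries with no mirror image on the other peer, as (local only, remote only).
    IPsec peers derive their proxy identities from the crypto ACL, so an entry
    (A -> B) on one side must appear as (B -> A) on the other."""
    local = parse_ip_aces(local_cfg).get(local_acl, set())
    remote = parse_ip_aces(remote_cfg).get(remote_acl, set())
    mirrored_remote = {(d, s) for s, d in remote}
    mirrored_local = {(d, s) for s, d in local}
    return local - mirrored_remote, remote - mirrored_local

# Constructed configs modelled on the post's Local/Remote ASA, with one extra
# subnet deliberately present only on the local side to show a detected mismatch.
LOCAL_CFG = """
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn_cryptomap extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
REMOTE_CFG = """
access-list vpn_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

if __name__ == "__main__":
    local_only, remote_only = crypto_acl_mismatches(LOCAL_CFG, "vpn_cryptomap",
                                                    REMOTE_CFG, "vpn_cryptomap")
    for s, d in sorted(local_only, key=str):
        print(f"local ACE {s} -> {d} has no mirror on the remote peer")
```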

Friday, June 19, 2009

Configure SSH on Cisco Routers and Switches

hostname ernie
ip domain-name rtp.cisco.com
username cisco password 0 cisco

line vty 0 4
login local
transport input ssh

Generate SSH Key:

cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

The show crypto key mypubkey rsa command should display the generated key.

Configure Cisco ASA Failover on Management Interface

I sometimes like to configure failover across the management interface so that I don't have to use up one of the other physical interfaces for the failover link.

Primary Unit:

failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

Secondary Unit:

no failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

When you are ready to pull the configuration down from the primary, issue the failover command.
Replication should begin, and the active light on your secondary ASA should turn orange, indicating that it has successfully taken the secondary (standby) role.

Use the show failover command to verify the failover status.
