Friday, December 4, 2009

Configuring QoS for VoIP Traffic on Cisco ASA VPN Tunnels

Based on DSCP:

priority-queue outside
queue-limit 2048
tx-ring-limit 256
!
class-map Voice
match dscp ef
class-map Data
match tunnel-group 10.1.2.1
match flow ip destination-address

policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500

service-policy Voicepolicy interface outside


Based on ACL:

access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq h323
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq sip
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 2000

access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq h323
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq sip
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 2000

access-group 100 in interface outside

These entries match only the TCP signaling ports (H.225 on 1720, SIP on 5060, SCCP on 2000). SIP is also commonly carried over UDP 5060, so add a matching udp line if your phones use it. The RTP media streams are deliberately not listed: the inspection engines below open those pinholes dynamically once a call is set up, so the ACL on the outside interface only has to admit the signaling.

class-map Voice-OUT
match access-list 105
class-map Voice-IN
match access-list 100

policy-map Voicepolicy
class Voice-IN
inspect h323 h225
inspect h323 ras
inspect skinny
inspect sip
class Voice-OUT
priority

The inspect statements only take effect inside a class of a policy-map, so they are placed under Voice-IN rather than left standing on their own. As in the DSCP variant, priority does nothing until priority-queue outside has been enabled on the interface.

service-policy Voicepolicy interface outside

Show commands to verify:

show running-config policy-map
show service-policy interface outside
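To make the two halves of the policy-map concrete, here is a small model of what it does on egress. It is an added example written for this page in Python, not configuration or code from the original post: it reads the DSCP out of a constructed IPv4 header, sends EF (46) packets to the strict-priority queue, and runs everything else through a single token bucket standing in for police output 200000 37500 (200 kbps conform rate, 37,500-byte burst, which is 1.5 seconds of traffic at that rate). The addresses, packet sizes and timestamps are constructed; a real ASA polices per destination inside the tunnel group when match flow ip destination-address is used, whereas this model uses one bucket for all non-EF traffic. Two things the model makes visible: the priority class has no rate cap, and the DSCP byte is written by the end host, so any host that marks its packets EF jumps the queue. Trust markings only from interfaces you control, or classify on an ACL as in the second variant.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

DSCP_EF = 46  # "match dscp ef": Expedited Forwarding, DS byte 0xB8


def build_ipv4_header(src: str, dst: str, dscp: int, total_length: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) & 0xFF, total_length,
                       0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def dscp_of(header: bytes) -> int:
    """The 6-bit DSCP is the upper six bits of the DS (ex-TOS) byte; the low two bits are ECN."""
    version_ihl, ds = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ds >> 2


@dataclass
class Policer:
    """Single token bucket: the model behind 'police output <conform-rate-bps> <burst-bytes>'."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)  # the bucket starts full

    def conforms(self, size: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last_seen = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def apply_policy(packets: List[Tuple[float, bytes]], policer: Policer) -> List[str]:
    """Per-packet decision of the page's policy-map on egress: EF goes to the
    strict-priority queue, everything else is subject to the policer."""
    decisions = []
    for now, header in packets:
        size = struct.unpack("!H", header[2:4])[0]
        if dscp_of(header) == DSCP_EF:
            decisions.append("priority")
        elif policer.conforms(size, now):
            decisions.append("conform")
        else:
            decisions.append("drop")
    return decisions


def demo() -> List[str]:
    """Constructed traffic: one RTP-sized EF packet, then bursts of 1500-byte data packets.
    At t=0 the bucket holds 37,500 bytes, enough for 25 full-size packets; half a second
    later it has refilled by 12,500 bytes, enough for 8 more."""
    voice = build_ipv4_header("10.1.1.10", "172.16.1.10", DSCP_EF, 200)
    data = build_ipv4_header("10.1.1.20", "172.16.1.20", 0, 1500)
    packets = [(0.0, voice)] + [(0.0, data)] * 26 + [(0.5, data)] * 9
    return apply_policy(packets, Policer(rate_bps=200_000, burst_bytes=37_500))
```

demo() returns 36 decisions: the voice packet is queued with priority, the first 25 data packets conform, the 26th is dropped, and after the half-second refill 8 more conform before the next drop.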

Configuring a Site to Site VPN between two Cisco ASA Firewalls

Local ASA:
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key testkey


Remote ASA:
access-list vpn_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.1
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key testkey

Replace testkey with a long random key on both sides: in this setup the pre-shared key is the only thing authenticating the peer.

Show commands to verify (phase 1 should report a state of MM_ACTIVE, and the #pkts encaps and #pkts decaps counters in the phase 2 output should climb as interesting traffic flows):

show crypto isakmp sa
show crypto ipsec sa
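Most tunnels that refuse to come up do so because the two sides disagree on something that has to be identical. The Python below is an added example for this page, not code from the original post: it parses the two configurations above (embedded as strings, reduced to the lines it reads) and checks what must match, namely that the crypto ACLs are mirror images, that each side's NAT-exemption ACL covers the same networks, that each set peer has a tunnel-group of the same name (that is where the ASA looks up the pre-shared key), and that transform-set, ISAKMP policy attributes and key are identical. It also flags parameters a practitioner would not accept on a new tunnel: DES/3DES, MD5, Diffie-Hellman groups below 2048 bits (group 5 is 1536-bit) and short pre-shared keys. Those thresholds are this example's assumptions. The parser also accepts the older isakmp ... syntax used in the OSPF-over-IPsec post further down. The page's own configs pass every MISMATCH check but draw two WEAK findings, the group 5 policy and the 7-character testkey.

```python
import re
from typing import Dict, List, Tuple

# Assumed policy behind the WEAK findings (this example's choice, not the original page's):
# DES/3DES, MD5, Diffie-Hellman groups below 2048 bits, and short pre-shared keys.
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
MIN_PSK_LEN = 20


def parse_asa_vpn(cfg: str) -> Dict:
    """Extract the comparable parts of a crypto-map based ASA site-to-site configuration."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    names = {"crypto_acl": None, "nat0_acl": None}
    out = {"isakmp": {}, "transform": (), "peer": None, "tunnel_group": None, "psk": None}
    acl_re = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    for raw in cfg.splitlines():
        line = " ".join(raw.split())
        words = line.lower().split()
        if words[:1] == ["isakmp"]:  # accept the pre-8.0 'isakmp ...' form as well
            words = ["crypto"] + words
        if (m := acl_re.match(line)):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((f"{src}/{smask}", f"{dst}/{dmask}"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transform"] = tuple(sorted(words[4:]))
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["match", "address"]:
            names["crypto_acl"] = line.split()[-1]  # ACL names are case-sensitive
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["set", "peer"]:
            out["peer"] = words[6]
        elif words[:3] == ["crypto", "isakmp", "policy"]:
            out["isakmp"][words[4]] = words[5]
        elif words[:1] == ["nat"] and words[2:4] == ["0", "access-list"]:
            names["nat0_acl"] = line.split()[-1]
        elif words[:1] == ["tunnel-group"] and "type" in words:
            out["tunnel_group"] = words[1]
        elif words[:1] == ["pre-shared-key"]:
            out["psk"] = line.split(None, 1)[1]  # keys are case-sensitive too
    for key, name in names.items():
        out[key] = acls.get(name, [])
    return out


def check_pair(local_cfg: str, remote_cfg: str) -> List[str]:
    """MISMATCH findings stop the tunnel from forming; WEAK findings are policy problems."""
    a, b = parse_asa_vpn(local_cfg), parse_asa_vpn(remote_cfg)
    findings = []
    if sorted(a["crypto_acl"]) != sorted((dst, src) for src, dst in b["crypto_acl"]):
        findings.append("MISMATCH: crypto ACLs are not mirror images of each other")
    if a["transform"] != b["transform"]:
        findings.append("MISMATCH: IPsec transform-sets differ")
    if a["isakmp"] != b["isakmp"]:
        findings.append("MISMATCH: ISAKMP policy attributes differ")
    if a["psk"] != b["psk"]:
        findings.append("MISMATCH: pre-shared keys differ")
    for side, c in (("local", a), ("remote", b)):
        if sorted(c["nat0_acl"]) != sorted(c["crypto_acl"]):
            findings.append(f"MISMATCH: {side} nat 0 ACL does not cover its crypto ACL")
        if c["peer"] != c["tunnel_group"]:
            findings.append(f"MISMATCH: {side} set peer {c['peer']} has no tunnel-group of that name")
        pol, ts = c["isakmp"], set(c["transform"])
        if pol.get("encryption") in WEAK_CIPHERS or ts & WEAK_CIPHERS:
            findings.append(f"WEAK: {side} uses DES or 3DES")
        if pol.get("hash") in WEAK_HASHES or ts & WEAK_HASHES:
            findings.append(f"WEAK: {side} uses MD5")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"WEAK: {side} ISAKMP DH group {pol['group']} is below 2048 bits")
        if c["psk"] is not None and len(c["psk"]) < MIN_PSK_LEN:
            findings.append(f"WEAK: {side} pre-shared key is only {len(c['psk'])} characters")
    return findings


# The local configuration from this post, reduced to the lines the checker reads;
# the remote side is its mirror image with the peer addresses swapped.
LOCAL_CFG = """
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
tunnel-group 1.1.1.2 type ipsec-l2l
pre-shared-key testkey
"""
REMOTE_CFG = (LOCAL_CFG.replace("10.0.0.0 255.255.255.0 192.168.0.0", "192.168.0.0 255.255.255.0 10.0.0.0")
              .replace("1.1.1.2", "1.1.1.1"))
```

Run check_pair(LOCAL_CFG, REMOTE_CFG) and you get only the two WEAK findings per side; change the key or a network on one side and the corresponding MISMATCH line appears.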

Thursday, December 3, 2009

Configuring NTP on Cisco ASA Firewall

Choose a server from NIST's published list of Internet Time Servers and point the ASA at it from the interface that can reach it:

ntp server ip-address [key number] [source if-name] [prefer]
ntp server 64.90.182.55 source outside

Accurate time matters for certificate validation and for correlating the firewall's syslog with other devices. Plain NTP is unauthenticated, so anyone who can spoof replies from that address can skew the clock; if your time source supports it, use the key option together with ntp authenticate, ntp authentication-key and ntp trusted-key so the ASA accepts only authenticated replies.

Configuring Advanced Syslog on Cisco ASA Firewall

In this example I want to change the default severity level at which user login messages get logged.

Step 1: Find the syslog message ID for when a user logs in:

hostname(config)#show log | include admin
Dec 03 2009 17:32:35: %ASA-6-605005: Login permitted from 192.168.202.51/3507 to inside:192.168.2.20/ssh for user "admin"

Step 2: Find the current logging level for message ID 605005:

hostname(config)#show logging message 605005
syslog 605005: default-level informational (enabled)

Step 3: Change the logging level for message ID 605005 to warnings level:

hostname(config)#logging message 605005 level warnings

Step 4: Verify the new logging level for message ID 605005:

hostname(config)#show logging message 605005
syslog 605005: default-level informational, current-level warnings (enabled)

The ASA now emits this message as %ASA-4-605005, so it clears a logging trap warnings threshold that would otherwise drop it; adjust any collector-side rules that key on the old %ASA-6-605005 tag.

Configuring OSPF on Cisco ASA Firewall over IPsec VPN Tunnel

ASA Local:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
ospf network point-to-point non-broadcast (required: OSPF then sends unicast hellos to the configured neighbor instead of multicast, so they match the crypto ACL and are carried inside the tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (bypass NAT)
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (define interesting traffic)
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2 (define interesting traffic)
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 40.40.40.2 interface outside
log-adj-changes

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

ASA Remote:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0
ospf network point-to-point non-broadcast (required: OSPF then sends unicast hellos to the configured neighbor instead of multicast, so they match the crypto ACL and are carried inside the tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (bypass NAT)
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (define interesting traffic)
access-list crypto extended permit ospf interface outside host 30.30.30.1 (define interesting traffic)

mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 30.30.30.1 interface outside
log-adj-changes

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

Show commands to verify (the OSPF neighbor should reach state FULL across the tunnel):

ASA#show crypto isakmp sa
ASA#show crypto ipsec sa
ASA#show ospf neighbor
ASA#show route

This example uses 3DES, SHA-1 and DH group 2 (1024-bit) with the pre-shared key cisco; treat those as lab values and use AES, a 2048-bit or larger group and a long random key on a production tunnel, as in the site-to-site example above.

Friday, June 19, 2009

Configure SSH on Cisco Routers and Switches

hostname ernie
ip domain-name rtp.cisco.com
username cisco password 0 cisco

line vty 0 4
login local
transport input ssh

Generate SSH Key:

crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

show crypto key mypubkey rsa must now list the generated key.

The hostname and domain name have to be set before the key can be generated, since they form the key's label. When prompted for the modulus size choose at least 2048 bits, add ip ssh version 2 so the router refuses SSHv1 clients, and prefer username cisco secret ... over password 0, which leaves the password readable in the running config.
Configure Cisco ASA Failover on Management Interface

I sometimes like to configure failover across the management interface so that I don't have to use up one of the other physical interfaces for the failover link.

Primary Unit:

failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

Secondary Unit:

no failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

When you are ready to pull the configuration down from the primary, issue the failover command on the secondary. Replication begins and the Active LED on the secondary ASA turns amber, indicating it has taken the standby role.

Use the show failover command to verify the failover status.

The failover link carries the replicated configuration, pre-shared keys and passwords included, in cleartext unless failover key is configured identically on both units, so set it before enabling failover, and keep the management segment that carries the link off any shared or user-reachable VLAN.
Friday, June 12, 2009

Cisco ASA AnyConnect SSL VPN Base Configuration

ip local pool WebVPNPool 192.168.10.10-192.168.10.100 mask 255.255.255.0

webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
svc enable
tunnel-group-list enable

group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol svc
group-lock value WebVPNAccessProfile
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value business.local
address-pools value WebVPNPool
webvpn
svc ask none default svc
hidden-shares none
file-entry disable
file-browsing disable
url-entry disable

tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
group-alias WebVPN enable

Split_Tunnel_List is a standard access-list naming the internal networks to be sent through the tunnel; it has to exist before the group policy references it. With no authentication-server-group under general-attributes the tunnel-group authenticates against the ASA's local user database, so either create the users locally or point it at a AAA server. The svc ask none default svc line together with the file-browsing, file-entry, url-entry and hidden-shares settings pushes users straight into the AnyConnect client and gives them no clientless portal access.
Cisco Switch Private VLAN (PVLAN) Configuration

PVLAN Background:
PVLANs provide Layer 2 isolation between ports that share the same IP subnet and broadcast domain, so hosts that have no reason to talk to each other (servers in a DMZ, for example) cannot, even though they sit on one VLAN. They can be configured on a Layer 2 or Layer 3 switch.

Check Cisco's Private VLAN Catalyst Switch Support Matrix to see whether your switch supports PVLANs. The switch also has to be in VTP transparent mode (or run VTP version 3) before private VLANs can be created.

PVLANS include three types of ports:
Promiscuous ports - can communicate with all interfaces.
Isolated ports - have complete Layer 2 separation from the other ports within the same PVLAN. Isolated ports can communicate only with promiscuous ports.
Community ports - communicate among themselves and with their promiscuous ports.

Private VLAN ports are associated with a set of supporting VLANs that are used to create the private VLAN structure.
A private VLAN uses VLANs three ways:

Primary VLAN carries traffic from promiscuous ports to isolated, community, and other promiscuous ports
Isolated VLAN carries traffic from isolated ports to promiscuous ports
Community VLAN carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a private VLAN

With the configuration below, the following ports can communicate with each other:
Gig2/2 (community 100), Gig2/3 (community 100) and Gig2/1 (promiscuous)
Gig2/4 (community 200), Gig2/5 (community 200) and Gig2/1 (promiscuous)
Gig2/6 (isolated) and Gig2/1 (promiscuous)
Gig2/7 (isolated) and Gig2/1 (promiscuous)
No other pairs can exchange frames; in particular the two isolated ports Gig2/6 and Gig2/7 cannot reach each other, and community 100 cannot reach community 200.


Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86
Switch(config-vlan)#exit

Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86

Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100

Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200

Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86

The promiscuous mapping and the host association are both switchport commands; the plain private-vlan mapping form belongs on an SVI (interface vlan 10) when the switch itself routes for the private VLAN, and each host port needs switchport mode private-vlan host before its association takes effect.

The isolation is purely Layer 2. The gateway behind the promiscuous port will happily route between two isolated hosts if one addresses the other through its default gateway (or if proxy ARP answers on their behalf), so if the separation has to hold at Layer 3 as well, put an ACL on the gateway interface that denies traffic sourced from the subnet and destined back into the same subnet.
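Reading off which ports can reach which from a PVLAN configuration gets error-prone once there are several communities, so here is a small checker, added as an example for this page rather than taken from it, that parses the configuration above (with the promiscuous mapping in its switchport private-vlan mapping form) and derives the reachability list. The rules it encodes are the ones stated in the background section: promiscuous ports reach every secondary VLAN they are mapped to, community ports reach each other only within the same community, isolated ports reach only promiscuous ports. The configuration string is constructed from this post; stripping the CLI prompts and normalising interface names to Gig2/n are conveniences of the example.

```python
import itertools
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# The configuration from this post, with CLI prompts, as a constructed input string.
SAMPLE_CONFIG = """
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86
Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86
Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100
Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200
Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86
"""

Port = Tuple[str, int, FrozenSet[int]]  # (role, primary VLAN, secondary VLANs)


def expand_range(spec: str) -> List[str]:
    """'Gig2/2 - 3' -> ['Gig2/2', 'Gig2/3']; a single interface name comes back unchanged."""
    m = re.match(r"^(\S+?)(\d+)\s*-\s*(\d+)$", spec.strip())
    if not m:
        return [spec.strip()]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def parse_pvlan(cfg: str) -> Tuple[Dict[int, str], Dict[str, Port]]:
    """Return {vlan: pvlan type} and {port: Port} from a Catalyst PVLAN configuration."""
    vlan_types: Dict[int, str] = {}
    ports: Dict[str, Port] = {}
    cur_vlan, cur_ports = None, []
    for raw in cfg.splitlines():
        w = re.sub(r"^\S*\(config[^)]*\)#", "", raw).strip().split()  # drop the CLI prompt
        if not w:
            continue
        if w[0] == "vlan":
            cur_vlan = int(w[1])
        elif w[0] == "private-vlan" and w[1] in ("primary", "community", "isolated"):
            vlan_types[cur_vlan] = w[1]
        elif w[0] == "interface":
            spec = " ".join(w[2:]) if w[1] == "range" else w[1]
            cur_ports = [p.capitalize() for p in expand_range(spec)]
        elif w[:3] == ["switchport", "private-vlan", "host-association"]:
            for p in cur_ports:
                ports[p] = ("host", int(w[3]), frozenset({int(w[4])}))
        elif w[:3] == ["switchport", "private-vlan", "mapping"]:
            secondaries = frozenset(int(v) for v in w[4].split(","))
            for p in cur_ports:
                ports[p] = ("promiscuous", int(w[3]), secondaries)
    return vlan_types, ports


def can_talk(vlan_types: Dict[int, str], a: Port, b: Port) -> bool:
    """Layer 2 forwarding rule between two ports of a private VLAN."""
    (role_a, prim_a, sec_a), (role_b, prim_b, sec_b) = a, b
    if prim_a != prim_b:
        return False  # different primary VLANs are separate broadcast domains
    if role_a == "promiscuous" and role_b == "promiscuous":
        return True
    if role_a == "promiscuous":
        return sec_b <= sec_a  # the host's secondary must be mapped on the promiscuous port
    if role_b == "promiscuous":
        return sec_a <= sec_b
    # two host ports only talk inside the same community VLAN; isolated ports never talk to each other
    return sec_a == sec_b and all(vlan_types.get(v) == "community" for v in sec_a)


def reachable_pairs(cfg: str) -> Set[Tuple[str, str]]:
    """Every unordered pair of ports that can exchange frames under the configuration."""
    vlan_types, ports = parse_pvlan(cfg)
    return {(x, y) for x, y in itertools.combinations(sorted(ports), 2)
            if can_talk(vlan_types, ports[x], ports[y])}
```

reachable_pairs(SAMPLE_CONFIG) returns exactly the eight pairs listed above the configuration and nothing else.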

Cisco PIX configuration for logging to a Syslog server

logging on
logging standby
logging timestamp
logging trap notifications (or warnings; notifications sends considerably more, but it includes the level 5 command-accounting messages)
logging facility 18
logging host <interface> <syslog-server-ip>
logging device-id string <name> (tags each message with the name so you can tell which firewall it came from on the syslog server)

Logging severity levels:

emergencies (0)
alerts (1)
critical (2)
errors (3)
warnings (4)
notifications (5)
informational (6)
debugging (7)

Setting logging trap to a level sends messages at that level and at every more severe level (lower number); the higher the number you choose, the more messages, and kinds of message, you receive.

Refer to Cisco's Messages Listed by Severity Level for the log messages generated at each severity level.
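The logging message ... level change in the advanced syslog post above and the logging trap setting here decide the same thing: which lines leave the box. The Python below, an added example written for this page and not code from the original post, models that decision over a few constructed ASA syslog lines. The message IDs and their default severities are real (605005 login permitted and 302013 connection built at 6, 111008 command executed at 5, 106023 ACL deny at 4); the timestamps, addresses and usernames are made up. For any message whose level has been overridden it rewrites the severity digit in the %ASA-n-id tag, because that is what the ASA itself emits, and then applies the trap threshold. It shows why the override matters: at logging trap warnings an admin SSH login never reaches the collector until 605005 is raised to warnings, and why notifications is the better choice when you want command accounting (111008) without the connection-built noise of informational.

```python
import re
from typing import Dict, Iterable, List, Optional

SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %ASA-<severity>-<message id>: is the tag every ASA/PIX syslog line carries.
TAG_RE = re.compile(r"%(?:ASA|PIX)-(\d)-(\d{6}):")

# Constructed sample lines; the message IDs and their default severities are real.
SAMPLE_LOG = [
    'Dec 03 2009 17:32:35: %ASA-6-605005: Login permitted from 192.168.202.51/3507 to inside:192.168.2.20/ssh for user "admin"',
    'Dec 03 2009 17:32:40: %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:192.168.2.50/51000 (198.51.100.1/51000)',
    'Dec 03 2009 17:33:01: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.2.20/22 by access-group "outside_access_in"',
    'Dec 03 2009 17:33:10: %ASA-6-605004: Login denied from 198.51.100.7/4501 to outside:198.51.100.1/ssh for user "root"',
    "Dec 03 2009 17:34:00: %ASA-5-111008: User 'admin' executed the 'logging trap warnings' command.",
]


def message_id(line: str) -> int:
    """The six-digit message ID from the tag."""
    m = TAG_RE.search(line)
    if not m:
        raise ValueError("no ASA syslog tag in line")
    return int(m.group(2))


def apply_level_overrides(line: str, overrides: Dict[int, str]) -> str:
    """Model 'logging message <id> level <level>': the ASA emits the configured
    severity in the tag, so rewrite the digit for overridden message IDs."""
    m = TAG_RE.search(line)
    if not m or int(m.group(2)) not in overrides:
        return line
    new_level = SEVERITY[overrides[int(m.group(2))]]
    return line[:m.start(1)] + str(new_level) + line[m.end(1):]


def trap_filter(lines: Iterable[str], trap_level: str,
                overrides: Optional[Dict[int, str]] = None) -> List[str]:
    """Return the lines an ASA with 'logging trap <trap_level>' forwards to its syslog host:
    everything at the threshold severity or more severe (a lower number)."""
    threshold = SEVERITY[trap_level]
    sent = []
    for line in lines:
        line = apply_level_overrides(line, overrides or {})
        m = TAG_RE.search(line)
        if m and int(m.group(1)) <= threshold:
            sent.append(line)
    return sent
```

With logging trap warnings and no overrides only the ACL deny is forwarded; with 605005 and 605004 raised to warnings, both login messages go out tagged %ASA-4-..., which is also what a collector-side rule has to expect after the change.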

Connecting US Robotics Modem to Cisco Router for Out-of-Band Management

56K* V.92 External Modem + Fax DIP switches:

Factory default: switches 3, 5 and 8 down (on).

For use with a Cisco console/aux port: switches 1, 4, 6 and 8 down (on).

Init string for the 56K* V.92 External Modem + Fax to get it working with Cisco: at&f0q1e0s0=1&b0&n6&u6&m4&k0&w

Because S0=1 makes the modem answer on the first ring, the line it is attached to is a permanently reachable way into the management plane: require a login (local user or AAA) on that line and set an exec-timeout, and treat the phone number as sensitive.

Sunday, May 31, 2009

QoS Recommendations for Avaya VoIP Phones

QoS facilities are required to ensure that VoIP packets take transmission precedence over data traffic. The same facilities ensure that sufficient bandwidth exists for VoIP traffic, so as to minimize packet delay, jitter and discard, while preserving sufficient bandwidth for data traffic.

Layer 3 (Router) – Since it is an IETF standard and allows the priority markings to be placed on packets by the IP telephony devices themselves, the customer should pursue options that support Differentiated Services (DiffServ) for the Layer 3 routed environment at the network edges. When implementing DiffServ, the recommended value to set on all Avaya telephony equipment is 46, which equates to EF (Expedited Forwarding). The Avaya servers and IP phones should be configured to mark both call-control and audio IP packets with a DiffServ value consistent with the capabilities of the data infrastructure. Once the telephony gear has been set to mark all packets with the DiffServ values, the network routers must also be configured to prioritize packets based on this marking; a router that has not been told to act on the DSCP simply ignores it. Because any host can set DSCP 46 on its own packets, trust the marking only on the voice VLAN and re-mark traffic arriving from the data VLAN at the access switch.

In cases where IP Softphone is used, it may be necessary to prioritize packets based on the RTP protocol, on IP addresses, or on the destination MedPro IP addresses. This is a result of limitations in the operating system's ability to mark packets properly.

Where IP telephony will traverse the WAN, the routers should be upgraded to support QoS in order to provide optimal audio quality.

Layer 2 (Switch) – In order to mark Layer 2 Ethernet frames on the IP telephony endpoints, as is optimal, the switch ports facing the CLAN/MedPro and IP phone Ethernet interfaces should be configured to support 802.1p/Q. 802.1p/Q is the IEEE standard for Layer 2 Quality of Service. The 802.1p priority identifier is customer selectable and the recommended setting is 6. Most newer Ethernet LAN switches have multiple hardware queues for priority frame processing, and this support typically has to be enabled on the switches.

VLAN Separation – Avaya C-LAN and MedPro boards, gateways and IP phones should be deployed on their own VLAN to isolate them from data-network broadcasts. The 802.1Q VLAN identifier is customer selectable. For IP phones, an 802.1Q trunk should be configured on the LAN switch port, with the phone on the designated voice VLAN and a PC connected through the phone's switch port on the native or designated data VLAN. Avaya boards and gateways should be on their own VLAN, which is not an 802.1Q trunk, with that VLAN being the native one for the switch port.

Configure SSH on Cisco PIX Firewall

hostname erniefirewall
domain-name networkengineerblog.com
ca generate rsa key 1024
ssh 10.4.1.5 255.255.255.255 inside (allows ssh from 10.4.1.5 on the inside interface)
ssh timeout 60
passwd YourPasswordGoesHere
ca save all

Other configurations:
ssh 0.0.0.0 0.0.0.0 outside (allow access from any address on the outside interface)
ssh 0.0.0.0 0.0.0.0 inside (allow access from any address on the inside interface)

On PIX 6.x the SSH login is the fixed username pix with the passwd password, and ca save all is what writes the RSA key to flash so it survives a reload. Opening SSH to 0.0.0.0 on the outside interface exposes the management plane to the whole Internet with only that password in the way; if remote management is needed, limit it to the specific source addresses you administer from.

Friday, May 29, 2009

Load a new Cisco PIX software image from a TFTP server

If you don't already have a TFTP server to use I recommend using Solarwinds Free TFTP Server.
  1. Copy bin file to TFTP Server
  2. Configure Ethernet Interface on the firewall so you can connect to the TFTP Server (test by pinging the server)
  3. copy tftp://192.168.100.25/filename.bin flash
  4. Restart firewall using 'reload' command

Reset HP Switch to Factory Default Configuration

  1. Using pointed objects, simultaneously press both the Reset and Clear buttons on the front of the switch.
  2. Continue to press the Clear button while releasing the Reset button.
  3. As soon as the Test LED begins to flash, release the Clear button.
The switch then completes its self-test and begins operating with its configuration restored to the factory default settings.

Configure 802.1q trunk between HP switches

Goal:
Configure 802.1q trunk between 2 HP switches going over port F21 on both switches.

Switch 1 Config:
vlan 1
tagged F21

vlan 2
tagged F21

Switch 2 Config:
vlan 1
tagged F21

vlan 2
tagged F21

Cisco switch: 802.1q trunk to router (router-on-a-stick)

Switch Config:
vlan 100
name data
state active

vlan 200
name data
state active

interface fastethernet 1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk

Router Config:
interface fastethernet 0/0
no ip address

interface fastethernet 0/0.1
encapsulation dot1q 1 native (native vlan on switch is vlan 1)

interface fastethernet 0/0.100
encapsulation dot1q 100
ip address 192.168.100.1 255.255.255.0

interface fastethernet 0/0.200
encapsulation dot1q 200
ip address 192.168.200.1 255.255.255.0


Thursday, May 28, 2009

Configuring Cisco Hot Standby Router Protocol (HSRP)

Goal:
Configure HSRP.

Config:
Router 1:
interface FastEthernet0/1
ip address 10.1.2.3 255.255.255.0
duplex auto
speed auto
standby 1 ip 10.1.2.1
standby 1 priority 105 (higher priority, so this router becomes active)
standby 1 preempt
standby 1 track FastEthernet0/0 (if fa0/0 goes down, the priority is decremented by the default 10, to 95)

Router 2:
interface FastEthernet0/1
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
standby 1 ip 10.1.2.1
standby 1 priority 100
standby 1 preempt
standby 1 track FastEthernet0/0 (if fa0/0 goes down, the priority is decremented by the default 10, to 90)

The decrement is what makes tracking useful: Router 1's 105 drops to 95 when its uplink fails, which is below Router 2's 100, and because Router 2 has preempt it takes over the virtual address 10.1.2.1 at once.

HSRP hellos are unauthenticated by default, so any host on the 10.1.2.0/24 segment that sends hellos for group 1 with priority 255 can become active and receive the traffic of every host using 10.1.2.1 as its gateway. Configure the same standby 1 authentication md5 key-string on both routers, and keep the HSRP segment off ports that untrusted hosts can reach.

Show Commands:
show standby

Enable and password protect telnet logins to Cisco routers

Goal:
Enable telnet login to the router and protect it with a password.

Config:
conf t
line vty 0 4
login
password ernierocks

Telnet sends this password, and every command typed afterwards, in cleartext, so anyone on the path can read it. Use this only on an isolated management network; otherwise configure SSH as in the SSH section above and set transport input ssh on the vty lines so telnet is refused.

How to enable local logging on a Cisco router

Goal:
Enable local logging on Cisco router so we can view the log on the router.

Config:
logging buffered

Show Commands:
show log