Hello everyone, here is a video walk-through of configuring DVTI for remote access and doing NAT while disabling split tunneling, aka a hairpinning configuration.
Dynamic Virtual Tunnel Interface on IOS
Not sure if it may appear in the lab itself, but it won’t hurt to know anyway.
This was one of the rare cases when Cisco.com was of no help: my client had installed a new Cisco 1941 with the Security feature set and needed Zone-Based Firewall, URL content filtering and an IPsec site-to-site VPN configured.
I could find plenty of configuration examples for Zone-Based Firewall, but none of them included a site-to-site VPN! What a shame. As this was an upgrade installation and the client was still running on another router, there was no rush, and after much trial and error I made it work. The resulting configuration is below.
I have left the URL-filtering parts out here, as they will get a dedicated article of their own.
Task at hand:
- Allow router management by SSH/HTTPS from 19.190.21.13 and 192.168.15.0/24.
- Allow an IPsec site-to-site VPN created with a crypto map applied to the WAN interface. The router should accept VPN negotiation requests from any source (not necessary for site-to-site, where the peer IPs are known beforehand, but for a future client-to-site VPN I would have to do it anyway).
- The site-to-site tunnel(s) will be pre-shared-key based. This only affects whether outbound NTP (for time sync) and HTTP (for CA enrolment) from the router itself need to be allowed.
- The router should be pingable from the LAN, and pings should be allowed from the router itself (helps in debugging).
Behold! Next comes the configuration.
// Match protocols allowed to pass from LAN outbound for further inspection. Take note there is no http protocol
// because URL-filtering requires it to be in a separate class-map, which I left out here.
class-map type inspect match-any INSIDE_TO_OUTSIDE_PROTOS
match protocol icmp
match protocol ftp
match protocol dns
match protocol https
match protocol imap
match protocol icq
match protocol imaps
match protocol pop3
match protocol lotusnote
match protocol microsoft-ds
match protocol ms-sql
match protocol msnmsgr
match protocol net8-cman
match protocol netshow
match protocol nfs
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol orasrv
match protocol sql-net
match protocol lotusmtap
// In the beginning I allowed any TCP/UDP protocol to see what their needs are, later to be limited to only the specific ones. In this case the local IT guy wasn’t sure what protocols are in use, so that was the way …
match protocol tcp
match protocol udp
// This is the class-map that allows outgoing and incoming IPsec protocols from any source: ESP, ISAKMP (udp 500), AH (does anyone use it at all?) and NAT-T (udp 4500). I match here only by ACL and ports, and later just do the PASS action, because as of now Cisco does not support the INSPECT action on these protocols.
class-map type inspect match-all VPN_PROTOS
match access-group name ALLOW_VPN
// Let poor users also do something
class-map type inspect match-all INSIDE_TO_OUTSIDE_PASS
match class-map INSIDE_TO_OUTSIDE_PROTOS
// Allow pinging, later to be used in the outbound-from-router direction and from the LAN to the router
class-map type inspect match-all CMAP_ICMP
match protocol icmp
// Provide for management access. Again I cannot set the later action to INSPECT on these protocols specifically,
// but I do inspection on them as TCP (there is no specific SSH inspection available)
class-map type inspect match-all CMAP_MANAGE_PORTS
match access-group name MANAGE_PORTS
match protocol tcp
match access-group name MANAGE
// Next are policy-maps binding together multiple class-maps for different kinds of traffic
// As the name suggests this one is for traffic traversing the router from LAN to da Internet
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
class type inspect INSIDE_TO_OUTSIDE_PASS
inspect
// From Mr. Router outbound
policy-map type inspect PMAP_SELF_TO_ANY
class type inspect CMAP_ICMP
inspect
class type inspect VPN_PROTOS
pass
// From somewhere to the router itself. Management and VPN negotiations.
policy-map type inspect PMAP_TO_ITSELF
class type inspect CMAP_MANAGE_PORTS
inspect
class type inspect VPN_PROTOS
pass
// Manage the router from LAN and ping it freely
policy-map type inspect PMAP_INSIDE_TO_ITSELF
class type inspect CMAP_MANAGE_PORTS
inspect
class type inspect CMAP_ICMP
inspect
// Let’s go wild with security zone naming
zone security INSIDE
zone security DMZ
zone security OUTSIDE
// Zone pairs applying the policy-maps defined earlier to the desired direction of traffic
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
service-policy type inspect PMAP_INSIDE_TO_ITSELF
zone-pair security ZP_OUTSIDE_TO_ITSELF source OUTSIDE destination self
service-policy type inspect PMAP_TO_ITSELF
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect PMAP_SELF_TO_ANY
zone-pair security SELF_TO_INSIDE source self destination INSIDE
service-policy type inspect PMAP_SELF_TO_ANY
ip access-list extended MANAGE
permit ip 192.168.15.0 0.0.0.255 any
permit ip host 19.190.21.13 any
ip access-list extended MANAGE_PORTS
permit tcp any any eq 443
permit tcp any any eq 22
ip access-list extended ALLOW_VPN
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit ahp any any
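A ZBF configuration like the one above fails silently when a name is mistyped or an object is left dangling: a class-map pointing at an ACL that does not exist, a zone-pair with no service-policy (everything across it is dropped), or a zone that is declared but appears in no zone-pair. The script below is an added example, not part of the original post; it parses the class-map/policy-map/zone-pair/ACL objects from a saved config and reports those reference errors, plus one design smell this post mentions itself (a match-any class containing "match protocol tcp/udp", which matches every TCP/UDP flow). The embedded sample config is a constructed, trimmed copy of the fragment above.

```python
import re

# Constructed sample input: a trimmed copy of the zone-based firewall fragment
# from this post (class-maps, policy-maps, zones, zone-pairs and ACL names).
SAMPLE_CONFIG = """\
class-map type inspect match-any INSIDE_TO_OUTSIDE_PROTOS
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all VPN_PROTOS
 match access-group name ALLOW_VPN
class-map type inspect match-all INSIDE_TO_OUTSIDE_PASS
 match class-map INSIDE_TO_OUTSIDE_PROTOS
class-map type inspect match-all CMAP_MANAGE_PORTS
 match access-group name MANAGE_PORTS
 match protocol tcp
 match access-group name MANAGE
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect INSIDE_TO_OUTSIDE_PASS
  inspect
policy-map type inspect PMAP_TO_ITSELF
 class type inspect CMAP_MANAGE_PORTS
  inspect
 class type inspect VPN_PROTOS
  pass
zone security INSIDE
zone security DMZ
zone security OUTSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_OUTSIDE_TO_ITSELF source OUTSIDE destination self
 service-policy type inspect PMAP_TO_ITSELF
ip access-list extended MANAGE
 permit ip 192.168.15.0 0.0.0.255 any
ip access-list extended MANAGE_PORTS
 permit tcp any any eq 22
ip access-list extended ALLOW_VPN
 permit udp any any eq non500-isakmp
"""

def parse_zbf(text):
    """Collect ZBF objects and the names each one references (order-insensitive)."""
    cfg = {"class": {}, "policy": {}, "zones": set(), "pairs": {}, "acls": set()}
    ctx = cls = None  # ctx: the dict of the object whose sub-lines we are in
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"class-map type inspect (match-\S+) (\S+)", line):
            ctx = cfg["class"][m[2]] = {"mode": m[1], "protos": [], "acls": [], "classes": []}
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = cfg["policy"][m[1]] = {}  # class-map name -> inspect/pass/drop
        elif m := re.match(r"zone security (\S+)", line):
            cfg["zones"].add(m[1]); ctx = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            ctx = cfg["pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"ip access-list \S+ (\S+)", line):
            cfg["acls"].add(m[1]); ctx = None  # ACL entries themselves are not needed
        elif ctx is None:
            continue
        elif m := re.match(r"match protocol (\S+)", line):
            ctx["protos"].append(m[1])
        elif m := re.match(r"match access-group name (\S+)", line):
            ctx["acls"].append(m[1])
        elif m := re.match(r"match class-map (\S+)", line):
            ctx["classes"].append(m[1])
        elif m := re.match(r"class type inspect (\S+)", line):
            cls = m[1]; ctx[cls] = None  # the action follows on the next line
        elif line in ("inspect", "pass", "drop"):
            ctx[cls] = line
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            ctx["policy"] = m[1]
    return cfg

def audit(cfg):
    """Findings: dangling references, missing actions, unused zones, over-broad classes."""
    out = []
    for name, c in cfg["class"].items():
        out += [f"class-map {name}: ACL {a} is not defined" for a in c["acls"] if a not in cfg["acls"]]
        out += [f"class-map {name}: nested class-map {s} is not defined" for s in c["classes"] if s not in cfg["class"]]
        if c["mode"] == "match-any" and {"tcp", "udp"} & set(c["protos"]):
            out.append(f"class-map {name}: matches all tcp/udp, so its narrower protocol entries restrict nothing")
    for pname, classes in cfg["policy"].items():
        for cname, action in classes.items():
            if cname not in cfg["class"]:
                out.append(f"policy-map {pname}: class-map {cname} is not defined")
            elif action is None:
                out.append(f"policy-map {pname}: class {cname} has no inspect/pass/drop action")
    used = set()
    for zp, p in cfg["pairs"].items():
        used |= {p["src"], p["dst"]}
        out += [f"zone-pair {zp}: zone {z} is not defined" for z in (p["src"], p["dst"]) if z != "self" and z not in cfg["zones"]]
        if p["policy"] is None:
            out.append(f"zone-pair {zp}: no service-policy, so everything across it is dropped")
        elif p["policy"] not in cfg["policy"]:
            out.append(f"zone-pair {zp}: policy-map {p['policy']} is not defined")
    out += [f"zone {z}: in no zone-pair, so its interfaces get no inter-zone traffic" for z in sorted(cfg["zones"] - used)]
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_zbf(SAMPLE_CONFIG))) or "no findings")
```

On the sample it reports two things: DMZ is declared but appears in no zone-pair, and INSIDE_TO_OUTSIDE_PROTOS matches all TCP/UDP (which the post says was deliberate while the real protocol needs were still unknown). Feed it the output of `show running-config` instead of the sample to check a live box; the parser only looks at the object headers and their match/action/service-policy sub-lines, so interface and crypto sections are ignored.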
The session itself has ended, but be sure to read it to get a feeling for the forthcoming changes to the CCIE Security Lab blueprint.
https://supportforums.cisco.com/thread/2062301
A few tips about the location itself.
I stayed at the Holiday Inn that is located some 5 minutes of calm walk from the Cisco building. I ordered beforehand directly from the Holiday Inn website, so probably not the cheapest deal and all that, but I didn’t actually care, so it came out at something like 112 Euro a night.
The overall impression is very positive – clean rooms, all the facilities equipped as they should be, free wireless Internet connection. When some little trouble happened – a leak in the bathroom – they offered another room of the same level immediately. One warning about the food though – don’t order steaks at the hotel’s restaurant, ever. I paid 140 Euro for dinner for 3 and could only force myself to eat 1/3 of the steak, that is how tough it was. My guess is that only King Kong could eat it, or even better, Rex, but not a human. The setup there is like this: you have continental breakfast during weekdays (of very good quality I should say) at Charlie’s restaurant, and a duty restaurant on the entrance floor on weekends (Charlie’s is closed on weekends). Eating at the restaurant in the evening is quite expensive, so I went for the 3rd option that is available 24/7: on the entrance floor they have a stand with take-away snacks (sandwiches, beacons, etc.) that cost some 7 Euro, and I can bet the average adult won’t manage more than one of those, they are that filling.
Phone calls are expensive from the hotel. I just took my mobile with me so I could use it anywhere and whenever I needed it. Also, as the hotel has free Internet, Skype may be of help. As an alternative you can rent a mobile at the Brussels airport (Belgians call mobile phones GSM) for a deposit of 100 Euro and local phone rates.
If you are thinking of touring Brussels as well, then be advised that this location is some 10-13 kilometers away from the city itself, and Diegem, where all this is actually located, is a remote suburb if not a small separate town from Brussels. Taking a train (5 minutes walking distance) gets you straight to the Central railway station of Brussels, the heart of the city, but going by train each morning if you have a few days to spare isn’t big fun. The train passes every 30 minutes on weekdays and once an hour at weekends.
In case of need, use a taxi. If you want a taxi for a specific hour, order it through the reception beforehand. As I understand, each hotel has its own arrangement with some taxi company, and especially in Diegem, which is in the middle of nowhere, you don’t have any passing cab to catch (I almost learned this lesson the hard way). There are lots of taxis in the city, probably because the common Bruxellois don’t use this expensive way of moving around.
Bonjour everyone,
the long-awaited date came and I sat for my first attempt at the CCIE Security Lab in Brussels. Unfortunately I failed, and this is the reason for “Tips on failing…” instead of “Tips on passing CCIE Security…”, which I hope to write next time I return from Brussels. Don’t get me wrong, while failure is never fun, I did enjoy the experience and still think it was worth it. So let’s cut to it.
- The tasks aren’t the ones to break you, time management is. When I first opened the task brochure and skimmed through all the pages I was pleasantly surprised – no ultra-C complexity drills involving rewriting IOS code on the fly. What I did miss was the whole picture – when you have N simple tasks they add up to a sum of time that may easily overflow your time budget. So, in general, I guess if I had had not 8 hours for the lab but 12, I might have succeeded.
- While there is such a thing as ‘partial credit’, it is not going to PASS you. Cisco say you are rewarded points per task, and that is true. The naive among us (including me) may go further and deduce from it that it is enough to reach a passing grade, which is also true, BUT … MOST of the tasks are closely interdependent. So there should be NO task intentionally left undone because it was not worth the points. Therefore not configuring IPS protection properly may cost just 3-4 points now, but in later tasks it will destroy your connectivity in the ASA and IOS firewall tasks and make all your sweating over 6-7 different tasks a worthless loss of energy.
- Topics you practice less you know less, period. The correlation was staggering – the tasks/topics I practiced prior to the lab were awarded points in direct proportion to the number of times I did the drill for the specific topic. As if someone at Cisco was spying on my practice labs, no kidding! So, if you know for example how to configure the EzVPN client from memory but do not practice it enough, be sure you will fail in this task, be it a complete failure or just wasted time making the thing work.
- The proctor is there to help you, maybe … This is my personal opinion so take it as is, but I have the impression that the proctor is there to help with obvious and insurmountable problems – hardware failure, a cable got disconnected, session stuck and so on. On the other hand, if you see some problem in the backbone that can be fixed by a configuration change, I would go for it. But at least tell him: ‘Look, I see the link here is flapping because of this and that, and I can solve it by changing this config – is it OK with you?’ And always remember there is nothing as good for debugging as restarting a router.
- Don’t be shy to report obvious problems to the proctor – if the session is stuck and you are trying to debug it for 5 minutes, you have just lost 5 minutes of your time. On the other hand, with problems like that the proctor will stop the timer and solve the problem at his expense.
- Scout the exam location a day before, when doing it for the 1st time. I stayed at the Holiday Inn, 5 minutes of slow walk from Cisco, but when I came for the exam at 7:45 I discovered there were 3 Cisco buildings, all of them tightly closed and sealed, with no sign “CCIE wannabes go here!”; in the end I did stumble upon some Cisco employee who kindly told me where to go.
That is it for the 1st post. See you soon.
Cheers,
CCIE Security wannabe
Yuri.