Cisco Companion Topics

Transcription

1 Cisc Cmpanin Tpics CHAPTER I 3 Cnfiguring Cisc PIX Firewalls 3 Netwrk Address Translatin (NAT).. 3 Accessing the PIX cmmand line... 3 Sample PIX Cnfiguratin: DHCP.. 5 Hw T Get Static IPs Fr DSL Cheaply... 7 Sample PIX cnfiguratin: DSL - Static Ips.. 7 Hw T Cnfigure Yur PIX T Accept Telnet. 8 Hw T Make Yur PIX A DHCP Server.. 8 Basic PIX Trubleshting.. 9 CHAPTER Cnfiguring Cisc DSL Ruters 11 An Intrductin t Netwrk Address Translatin (NAT) 11 Intrductin t accessing the ruter cmmand line.. 11 Sample Cnfiguratins.. 14 Other NAT Tpics Basic Trubleshting Tpics.. 22 CHAPTER Cnfiguring SOHO VPNs 25 Scenari 25 VPN Terminlgies. 26 Site 1 Cnfiguratin Example 29 Site 2 Ruter VPN Cnfiguratin Steps (Scenari A) 31 Site 2 PIX Firewall VPN Cnfig. Steps (Scenari B). 34 i

2 APPENDIX 4 1 Miscellaneus Cisc Tpics 41 Syslg Cnfiguratin and Cisc Devices 41 Linux Hme Netwrking & Silicn Valley CCIE Help Guides - Peter Harrisn All rights reserved. ii

3 Chapter I Cnfiguring Cisc PIX Firewalls = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = In This Chapter Chapter I Cnfiguring Cisc PIX Firewalls Netwrk Address Translatin (NAT) Accessing the PIX cmmand line Sample PIX Cnfiguratin: DHCP Hw T Get Static IPs Fr DSL Cheaply Sample PIX cnfiguratin: DSL - Static IPs Hw T Cnfigure Yur PIX T Accept Telnet Hw T Make Yur PIX A DHCP Server Basic PIX Trubleshting Peter Harrisn, = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Smetimes yu may have a Cisc PIX 501 firewall prtecting yur DSL based hme netwrk. This chapter cvers hw t cnfigure it and in additin, there are a number f fully cmmented sample PIX cnfiguratins in the appendix in which each line is explained. It is imprtant t remember that the PIX 501 has tw Ethernet interfaces. The named utside shuld always be cnnected t the Internet and the ne labeled inside shuld be cnnected t yur hme netwrk. The utside interface may smetimes be referred t as the unprtected interface and the inside interface is frequently referred t as the prtected ne. Netwrk Address Translatin (NAT) Netwrk address translatin is a methd used t help cnserve the limited number f IP addresses available fr internet purpses. The intrductin t netwrking page explains the cncept in mre detail in additin t ther fundamental tpics. We will return t the NAT discussin, specifically hw t cnfigure it, later n this page, but first a very basic intrductin n hw t cnfigure and use the PIX. Accessing the PIX cmmand line Via The Cnsle Prt Yur Cisc PIX will cme with a cnsle cable that will allw yu t cnfigure yur PIX using terminal emulatin sftware such as Hyperterm. Once yu ve set up all yur PIX with an IP address yu ll be able t access it via Telnet

4 Via Telnet One easy way t get access t any device n yur netwrk is using the /etc/hsts file. Here yu list all the IP addresses f imprtant devices that yu may want t access with a crrespnding nickname. Here is a sample in which the PIX firewall "pixfw" has the default IP address f n its inside prtected interface: # # D nt remve the fllwing line, r varius prgrams # that require netwrk functinality will fail. # lcalhst.lcaldmain lcalhst pixfw bigby mail.my-site.cm Once cnnected t the netwrk yu can access the PIX via telnet [rt@bigby tmp]# telnet pixfw Trying Cnnected t pixfw. Escape character is '^]'. Yu'll be prmpted fr a passwrd and will need anther passwrd t get int the privileged "enable" mde. If yu are directly cnnected t the cnsle, yu shuld get a similar prmpt t. There is n passwrd in a fresh ut f the bx PIX and simply hitting the "Enter" key will be enugh. User Access Verificatin Passwrd: Type help r '?' fr a list f available cmmands. pixfw> enable Passwrd: ******** pixfw# Use the "write terminal" cmmand t see the current cnfiguratin. Yu will want t change yur "passwrd" and "enable passwrd" right after cmpleting yur initial cnfiguratin. # wr term Building cnfiguratin... : Saved : PIX Versin 6.2(2) nameif ethernet0 utside security0 nameif ethernet1 inside security100 enable passwrd dsjf5sdfgsjrgjwk encrypted passwd sdffg8324dgrggjd encrypted hstname pixfw fixup prtcl ftp

5 ALL PIX cnfiguratin cmmands need t be dne in cnfiguratin mde, by issuing the "cnfigure terminal" cmmand frm enable mde prmpt. pixfw# cnf t pixfw(cnfig)# "Enter cmmands here" pixfw(cnfig)# exit pixfw# Yu can usually delete cmmands in the cnfiguratin by adding the wrd n t the beginning f the cmmand yu want t delete. Sme cmmands that can nly have a single value wn t accept a n t change them and will just be ver-written when yu issue the new cmmand. In the example belw, we change the PIX s name and then delete ne f many access cntrl list (ACL) entries attached t the utside (Internet) interface. pixfw# cnf t pixfw(cnfig)# n access-list inbund permit tcp any any eq www pixfw(cnfig)# hstname firewall firewall(cnfig)# exit firewall# One f the first things yu shuld d is change the default passwrds fr the PIX. pixfw# cnf t pixfw(cnfig)# enable passwrd enable-passwrd-here pixfw(cnfig)# passwd telnet-passwrd-here pixfw(cnfig)# exit pixfw# Nte: The cnsle passwrd is the ne used t gain access frm the cnsle r thrugh telnet. When yu've finished cnfiguring, yu can permanently save yur changes by using the "write memry" cmmand: pixfw# wr mem Building cnfiguratin... Cryptchecksum: 3af43873 d35d6f06 51f8c c2342 [OK] pixfw# Sample PIX Cnfiguratin: DHCP Cnfiguring DSL PPPE DHCP DHCP and DSL require yu t get a pppe passwrd and username frm yur ISP. Mst ISPs have a hmepage where yu can register t get the username and passwrd, ask custmer service fr the URL. Yu shuld substitute this username and passwrd fr "dsl-username" and "dsl-passwrd" belw. The VPDN grup statements - 5 -

6 just assign a username, passwrd, authenticatin type t a prfile, in this case "ISP". The cnfiguratin steps are relatively straight frward. (Remember t be in cnfig mde) ip address utside pppe setrute ip address inside vpdn grup ISP request dialut pppe vpdn grup ISP lcalname dsl-username vpdn grup ISP ppp authenticatin pap vpdn username dsl-username passwrd dsl-passwrd In this example, the IP address f the PIX is As the PIX will be acting as yur default gateway t the internet, yu will have t set the default gateway n all yur servers t be Yu must be using PIX IOS versin 6.2 r greater fr this t wrk. Cnfiguring Cable Mdem DHCP DHCP cnfiguratin fr cable mdems is much simpler, there is n passwrd requirement like with regular DSL. The cmmand t let yur PIX get a DHCP IP address frm yur ISP is as fllws: ip address utside dhcp setrute ip address inside In this example, the IP address f the PIX is As the PIX will be acting as yur default gateway t the internet, yu will have t set the default gateway n all yur servers t be NAT Cnfiguratin with DHCP Here we allw any traffic cming in n the inside (private/prtected) interface t be NAT-ted t the IP address f the utside (Public/unprtected) interface f the firewall. If DSL - DHCP has assigned an address f then the traffic passing thrugh the firewall, frm yur prtected PCs, will appear t be cming frm address glbal (utside) 1 interface nat (inside) Dynamic DNS Prt Frwarding Entries Here we allw all incming www traffic (n TCP prt 80) destined fr the firewall's interface t be frwarded t the web server at n prt 80 (www). Once cnfigured, yu may be able t hit yur website using PCs behind yur firewall using the firewall's utside interface's IP address as the destinatin. eg: access-list inbund permit icmp any any access-list inbund permit tcp any any eq www access-grup inbund in interface utside static (inside,utside) tcp interface www www netmask

7 Hw T Get Static IPs Fr DSL Cheaply Many ISP DSL prviders ffer cheap DHCP (dynamic IP) service. Due t cmpetitin they'll even thrw in a DSL mdem and even a ruter fr free. This service frequently isn't available fr users with static IPs which the ISPs frequently feel are businesses. If yu really want static IP addresses and are willing t pay the higher mnthly fee, then yu can reduce yur installatin csts by: Ordering DHCP DSL first with the free mdem and/r ruter Upgrade t static IPs a week later. They prbably wn't ask abut the mdem and/r ruter, and it becmes bundled in free. Sample PIX cnfiguratin: DSL - Static IPs PPOE authenticatin is nly required fr DSL DHCP. Once yu g fr static IPs, the vpdn statements wn t be required. In this example internet subnet that has been assigned is with a mask f (/29). The IP address selected fr the PIX is , the default gateway is If yu are cnverting frm dynamic t static IP addresses, yu d nt need the vpdn PIX cmmand statements fr static IPs ip address utside ip address inside rute utside In this example, the IP address f the PIX is As the PIX will be acting as yur default gateway t the internet, yu will have t set the default gateway n all yur servers t be Outging Cnnectins NAT Cnfiguratin Here we allw cnnectins riginating cming frm servers cnnected t the inside (private/prtected) interface with an IP address in the range t t be NAT-ted t the IP address f the utside (Public/unprtected) interface f the firewall which is : glbal (utside) 1 interface nat (inside) Incming Cnnectins NAT Cnfiguratin Here we allw the firewall t handle traffic t a secnd IP address, namely , we then allw all incming traffic t be frwarded t the prtected web server which has an IP address f Only www and DNS (Prt 53) traffic is allwed t access it via an access cntrl list applied t the utside interface. Once cnfigured, yu wn't be able t hit yur website frm PCs behind yur firewall using the public IP address assigned t yur web server as the destinatin. Yu'll have t ask a friend t check it ut. access-list inbund permit icmp any any access-list inbund permit tcp any hst eq www - 7 -

8 access-list inbund permit tcp any hst eq 53 access-list inbund permit udp any hst eq 53 access-grup inbund in interface utside static (inside,utside) netmask Here are sme additinal TCP prts yu may be interested in: Prtcl Prt FTP 20, 21 SMTP Mail 25 POP3 Mail 110 HTTPS / SSL 443 Hw T Cnfigure Yur PIX T Accept Telnet The telnet cmmand can be used t cnfigure yur PIX t accept telnet sessins. By default, it allws cnnectins n the inside interface frm the netwrk, as seen belw: telnet inside Of curse, if yu change the IP address f the inside interface, yu may have t change the statement abve. Yu can als allw access t the utside interface with a similar cmmand. In the case belw we re allwing access frm the netwrk I generally wuldn t recmmended this, but in sme cases the need t d it is unavidable. telnet utside As an added precautin, yu can set the PIX t autmatically lg ut telnet sessins that have been inactive fr a perid f time. Here is an example f a 15 minute timeut perid. telnet timeut 15 Hw T Make Yur PIX A DHCP Server Enabling yur PIX t be a DHCP server requires very few statements. First yu have t enable the feature n the desired interface, which is usually the inside interface. The next step is t set the range f IP addresses the PIX s inside interface will manage, and finally, yu need t state the IP address f the DNS server the DHCP clients will use. The default DNS address the PIX prvides its DHCP clients is the IP address f the inside prtected interface. If the PIX is cnfigured t get it s Internet IP address frm yur ISP, then the PIX will autmatically becme a caching DNS server fr yur hme netwrk. This means that in this case yu dn t have t use the DNS statement

9 dhcpd enable inside dhcpd address inside dhcpd dns Basic PIX Trubleshting The shw interfaces Cmmand The shw interfaces cmmand will shw yu the basic status f the PIX s interfaces. I ve included sme sample utput belw: pixfw# shw interface interface ethernet0 "utside" is up, line prtcl is up Hardware is i82559 ethernet, address is 0009.e89c.fdaa IP address , subnet mask MTU 1500 bytes, BW Kbit half duplex packets input, bytes, 0 n buffer Received bradcasts, 0 runts, 0 giants 0 input errrs, 0 CRC, 0 frame, 0 verrun, 0 ignred, 0 abrt packets utput, bytes, 0 underruns 0 utput errrs, 3988 cllisins, 0 interface resets 0 babbles, 0 late cllisins, 6978 deferred 2 lst carrier, 0 n carrier input queue (curr/max blcks): hardware (128/128) (0/77) utput queue (curr/max blcks): hardware (0/53) sftware (0/1) pixfw# Yur basic physical cnnectivity shuld be OK if the interfaces are seen as being in an up state with line prtcl being up. If line prtcl is dwn, yu prbably have yur PIX incrrectly cabled t the Internet r yur hme netwrk. If the interfaces are seen as administratively dwn, then the PIX cnfiguratin will mst likely have the interfaces cnfigured as being shutdwn like this: interface ethernet0 10baset shutdwn This can be easily crrected. First use the write terminal cmmand t cnfirm the shutdwn state. Then yu shuld enter cnfig mde and reenter the interface cmmand withut the wrd shutdwn at the end. pixfw(cnfig)# interface ethernet0 10baset - 9 -

10 The shw interfaces is als imprtant as it shws yu whether yu have the crrect IP addresses assigned t yur interfaces and als the amunt f traffic and errrs assciated with each. The shw xlate Cmmand This cmmand will shw whether the PIX is ding NAT crrectly. Duble check yur cnfiguratin if there are n translatins immediately after trying t access the Internet. NAT failure culd als be due t bad cabling which will prevent Internet bund traffic frm reaching the PIX at all. aquapix# sh xlate 3 in use, 463 mst used PAT Glbal (38448) Lcal (3367) PAT Glbal (25838) Lcal (2971) PAT Glbal (26306) Lcal (3610) aquapix# Using syslg A really gd methd fr trubleshting access cntrl lists (ACLs) and als t view the types f methds peple are using t access yur site is t use syslg. The Appendix has sample cnfiguratins fr the PIX. Other Things T Check Always make sure yur PIX has a: crrect default rute. The default is the ne with the lts f zers. aquapix# shw rute utside DHCP static utside CONNECT static inside CONNECT static aquapix# default gateway that yu can ping. In the case abve the gateway is

11 Chapter 2 Cnfiguring Cisc DSL Ruters = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = In This Chapter Chapter 2 Cnfiguring Cisc DSL Ruters An Intrductin t Netwrk Address Translatin (NAT) Intrductin t accessing the ruter cmmand line Sample Cnfiguratins Other NAT Tpics Basic Trubleshting Tpics Peter Harrisn, = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = This is a simple guide n hw t set up yur Cisc DSL ruter fr DHCP using PPPE. The examples in this chapter als shw hw t cnfigure NAT s yu can als have a hme / SOHO based website. This page shuld be suitable fr the fllwing Cisc ruters: With Built In DSL Mdems 800 series 1700 / 2600 / 3600 series with the ADSL WIC installed With External DSL Mdems 1700 / 2600 / 3600 series An Intrductin t Netwrk Address Translatin (NAT) Netwrk address translatin is a methd used t help cnserve the limited number f IP addresses available fr internet purpses. The intrductin t netwrking page explains the cncept in mre detail in additin t ther fundamental tpics. We will return t the NAT discussin, specifically hw t cnfigure it, later in this chapter, but first a very basic intrductin n hw t cnfigure and use Cisc DSL ruters. Intrductin t accessing the ruter cmmand line Via The Cnsle Prt Yur Cisc ruter will cme with a cnsle cable that will allw yu t cnfigure it using terminal emulatin sftware such as Hyperterm. Once yu ve set up yur ruter with an IP address yu ll be able t access it via Telnet

12 Via Telnet One easy way t get access t any device n yur netwrk is using the /etc/hsts file. Here yu list all the IP addresses f imprtant devices that yu may want t access with a crrespnding nickname. Here is a sample in which the ruter "ciscruter" has the IP address : # D nt remve the fllwing line, r varius prgrams # that require netwrk functinality will fail. # lcalhst.lcaldmain lcalhst ciscruter bigby mail.my-site.cm Once cnnected t the netwrk yu can access the ruter via telnet [rt@bigby tmp]# telnet ciscruter Trying Cnnected t ciscruter. Escape character is '^]'. Yu'll be prmpted fr a passwrd and will need anther passwrd t get int the privileged "enable" mde. If yu are directly cnnected t the cnsle, yu shuld get a similar prmpt t. There is n passwrd in a fresh ut f the bx Cisc ruter and simply hitting the "Enter" key will be enugh. User Access Verificatin Passwrd: Type help r '?' fr a list f available cmmands. ciscruter> enable Passwrd: ******** ciscruter# Use the "shw running" cmmand t see the current cnfiguratin. Yu will want t change yur "passwrd" and "enable passwrd" right after cmpleting yur initial cnfiguratin. ciscruter# shw run Building cnfiguratin... versin 12.1 n service pad service timestamps debug uptime service timestamps lg datetime lcaltime service passwrd-encryptin hstname ciscruter n lgging cnsle n lgging mnitr

13 lgging trap debugging ALL ruter cnfiguratin cmmands need t be dne in cnfiguratin mde, by issuing the "cnfigure terminal" cmmand frm enable mde prmpt. ciscruter# cnf t ciscruter(cnfig)# "Enter cmmands here" ciscruter(cnfig)# exit ciscruter# Yu can usually delete cmmands in the cnfiguratin by adding the wrd n t the beginning f the cmmand yu want t delete. Sme cmmands that can nly have a single value, wn t accept a n t change them and will just be ver-written when yu issue the new cmmand. In the example belw, we change the ruter s name and then delete ne f its many access cntrl list (ACL) entries. ciscruter# cnf t ciscruter(cnfig)# n access-list 150 deny ip hst hst ciscruter(cnfig)# hstname sh-ruter sh-ruter(cnfig)# exit sh-ruter # One f the first things yu shuld d is change the default paswrds fr the ruter. ciscruter# cnf t ciscruter(cnfig)# enable secret "enable passwrd here" ciscruter(cnfig)# line cn 0 ciscruter(cnfig-line)# passwrd "cnsle passwrd here" ciscruter(cnfig-line)# line vty 0 4 ciscruter(cnfig-line)# passwrd "telnet passwrd here" ciscruter(cnfig-line)# ^z ciscruter# When yu've finished cnfiguring, yu can permanently save yur changes by using the "write memry" cmmand: ciscruter# wr mem Building cnfiguratin... Cryptchecksum: 3af43873 d35d6f06 51f8c c2342 [OK] ciscruter#

14 Sample Cnfiguratins DSL Ruter With Built-In Mdem - DHCP DHCP and DSL requires yu t get a pppe passwrd and username frm yur ISP. Mst ISPs have a hmepage where yu can register t get the username and passwrd, ask custmer service fr the URL. Yu shuld substitute this username and passwrd fr PPP "username" and "passwrd" listed belw. Cisc IOS desn t supprt DHCP DSL and NAT. If this is s, then putting an Internet accessible web server n yur hme netwrk wuld be impssible using the ruters mentined abve in this cnfiguratin. Here is a sample cnfiguratin fr a Cisc hme ruter. Sme f the cmmands listed are part f Cisc's default settings. D the "shw run" cmmand befre starting t cnfigure yur ruter t see what cmmands yu'll really need. Remember t be in "cnfig" mde t enter these cmmands and remember t d a "write memry" at the end t permanently save the cnfiguratin vpdn enable n vpdn lgging Cisc DSL Ruter With Built-in Mdem Cnfiguratin (DHCP) --- Cnfigure the ruter's PPPE client s that it --- can setup a sessin with the ISP vpdn-grup pppe request-dialin prtcl pppe --- Cnfigure the hme / SOHO netwrk interface's --- IP address --- The "ip nat" statement tells yur ruter that --- this interface: --- 1) uses NAT --- 2) is the inside "private" interface interface FastEthernet0 ip address ip nat inside --- Cnfigure the DSL interface --- Yur ISP may prvide yu with a different pvc --- value nt necesarily "1/1"

15 interface ATM0 n ip address n atm ilmi-keepalive bundle-enable dsl perating-mde aut hld-queue 224 in interface ATM0.1 pint-t-pint pvc 1/1 pppe-client dial-pl-number Cisc prefers t run the PPPE client n a virtual --- "dialer" interface --- This is tied t the real ATM DSL interface with the --- "dialer pl" cmmand. The default ethernet MTU --- size has been reduced frm 1500 t accmmdate --- the PPPE header verhead. --- The "ip nat" statement tells yur ruter that --- this interface: --- 1) uses NAT --- 2) is the utside "public" interface interface Dialer1 ip address negtiated ip mtu 1492 ip nat utside encapsulatin ppp dialer pl Here are the cmmands t cnfigure authenticatin --- with with yur ISP. This example uses the "CHAP" --- methd. --- Cmmands fr using the "PAP" methd are included at --- the end f this bx ppp authenticatin chap callin ppp chap hstname <username> ppp chap passwrd <passwrd> --- Tells the ruter t NAT all traffic that passes --- thrugh it: --- 1) Frm the inside t the utside,

16 --- 2) And whse IP address is in the netwrk --- as given in access list ) Giving it an utside "public" address that is the --- same as interface Dialer1 gets frm the PPPE --- cnnectin ip nat inside surce list 1 interface Dialer1 verlad ip classless ip rute dialer1 n ip http server access-list 1 permit If yur ISP tells yu that yu need t d the PAP, and nt the CHAP, type f authenticatin then yu'll have t replace the lines: ppp authenticatin chap callin ppp chap hstname <username> ppp chap passwrd <passwrd> with nly these tw: ppp authenticatin pap callin ppp pap sent-username <username> passwrd <passwrd> DSL Ruter With Built-In Mdem - Static IP Here is a sample cnfiguratin fr a Cisc hme ruter with a built-in mdem. Sme f the cmmands listed are part f Cisc's default settings. D the "shw run" cmmand befre starting t cnfigure yur ruter t see what cmmands yu'll really need. This example als shws hw t use NAT s yu can have a web server / mail server / FTP server etc. in yur hme netwrk. Remember t be in "cnfig" mde t enter these cmmands and remember t d a "write memry" at the end t permanently save the cnfiguratin Cisc DSL Ruter With Built-in Mdem Cnfiguratin (Static IP) Current Cnfiguratin: versin 12.1 service timestamps debug uptime service timestamps lg uptime hstname ciscruter

17 ip subnet-zer n ip dmain-lkup bridge irb --- Cnfigure the hme / SOHO netwrk interface's IP address --- The "ip nat" statement tells yur ruter that this --- interface: --- 1) uses NAT --- 2) is the inside "private" interface interface Ethernet0 ip address ip nat inside interface ATM0 n ip address n atm ilmi-keepalive pvc 0/35 encapsulatin aal5snap bundle-enable dsl perating-mde aut bridge-grup Cisc prefers t run the PPPE client n a virtual --- "BVI" interface --- This is tied t the real ATM DSL interface with the --- "bridge-grup" cmmand abve. --- (The BVI number always matches the bridge-grup number) --- The "ip nat" statement tells yur ruter that --- this interface: --- 1) uses NAT --- 2) is the utside "public" interface interface BVI1 ip address ip nat utside --- Tells the ruter t NAT all traffic that passes --- thrugh it: --- 1) Frm the inside t the utside, --- 2) And whse IP address is in the netwrk

18 --- as given in access list ) Must get an utside "public" address that is the --- same as interface BVI1 ip nat inside surce list 1 interface BVI1 verlad --- This statement perfrms the static address --- translatin fr the Web server. With this statement, --- users trying t reach prt 80 (www) will be --- autmatically redirected t prt (www), which in this case is the Web server. --- ip nat inside surce static tcp extendable --- Set yur default gateway as prvided by yur ISP ip classless ip rute access-list 1 permit bridge 1 prtcl ieee bridge 1 rute ip end DSL Ruter With External Mdem - Static IP Here is a sample cnfiguratin fr a Cisc hme ruter with an external mdem. Sme f the cmmands listed are part f Cisc's default settings. D the "shw run" cmmand befre starting t cnfigure yur ruter t see what cmmands yu'll really need. This example als shws hw t use NAT s yu can have a web server / mail server / FTP server etc. in yur hme netwrk. Remember t be in "cnfig" mde t enter these cmmands and remember t d a "write memry" at the end t permanently save the cnfiguratin Cisc Ruter Cnnected t DSL via External Mdem Cnfiguratin (Static IP) Current Cnfiguratin: versin 12.1 service timestamps debug uptime

19 service timestamps lg uptime hstname ciscruter ip subnet-zer n ip dmain-lkup --- Cnfigure the hme / SOHO netwrk interface's IP address --- The "ip nat" statement tells yur ruter that --- this interface: --- 1) uses NAT --- 2) is the inside "private" interface interface Ethernet0 ip address ip nat inside interface Ethernet1 ip address ip nat utside --- Tells the ruter t NAT all traffic that passes --- thrugh it: --- 1) Frm the inside t the utside, --- 2) And whse IP address is in the netwrk --- as given in access list ) Must get an utside "public" address that is the --- same as interface ethernet1 ip nat inside surce list 1 interface ethernet1 verlad --- This statement perfrms the static address translatin --- fr the Web server. --- With this statement, users trying t reach prt 80 (www) will be autmatically redirected t prt 80 (www), which in this case --- is the Web server. --- ip nat inside surce static tcp extendable

20 --- Set yur default gateway as prvided by yur ISP ip classless ip rute access-list 1 permit end Other NAT Tpics Cmmnly Used TCP And UDP Prts Here are sme additinal TCP prts yu may be interested in fr NAT "ip nat inside surce static" statements: Prtcl Prt Type FTP 20, 21 TCP SMTP Mail 25 TCP POP3 Mail 110 TCP HTTPS / SSL 443 TCP DNS 53 UDP S fr example, the cmmand fr SMTP mail wuld be: ip nat inside surce static tcp DNS requires a UDP type NAT statement such as: ip nat inside surce static udp T have all traffic trying t reach , regardless f prt, t be NAT-ted t , then yu can use the cmmand: ip nat inside surce static

21 Hw T Verify That NAT Is Wrking Crrectly Yu can use the shw ip nat translatin cmmand t determine whether NAT is actually ccurring as expected: ciscruter> enable Passwrd: ******** ciscruter#shw ip nat translatin Pr Inside glbal Inside lcal Outside lcal Outside glbal tcp : : tcp : : : : 5698 ciscruter# Cisc uses the fllwing terms fr the varius IP addresses yu ll find in any NAT translatin prcess. The Inside lcal address is the actual IP address f the lcal server n yur hme netwrk. The Inside glbal address is the IP address f the server presented t the Internet after NAT. The Outside lcal the actual IP address f the remte cmputer n its lcal netwrk. The Outside glbal the IP address f the remte cmputer as presented n the Internet. As yu can see, in this case, NAT seems t be functining prperly fr the web server n the hme netwrk Hw T Trublesht NAT T trublesht NAT after yu have lgged int the ruter via Telnet requires yu t first activate lgging t the telnet terminal with the terminal mnitr cmmand and then using the debug ip nat detailed cmmand t visualize the translatin prcess. The example belw shws that translatin ccurs fr prt 80 traffic (HTTP / www) frm address t , and mre specifically that remte hst was cmmunicating with the inside glbal address f ciscruter> enable Passwrd: ******** ciscruter#term mn ciscruter#debug ip nat detailed IP NAT detailed debugging is n ciscruter# 03:29:49: NAT: creating prtlist prt 6 glbaladdr :29:49: NAT: Allcated Prt fr > : wanted 80 gt

22 03:29:49: NAT: : tcp ( , 5698) -> ( , 80) [0] Basic Trubleshting Tpics The shw interfaces Cmmand The shw interfaces cmmand will shw yu the basic status f the ruter s interfaces. I ve included sme sample utput belw: ciscruter>shw interface Ethernet0/0 is up, line prtcl is up Hardware is AmdP2, address is 0008.e3a0.7e80 (bia 0008.e3a0.7e80) Internet address is /24 MTU 1500 bytes, BW Kbit, DLY 1000 usec, Encapsulatin ARPA, lpback nt set Keepalive set (10 sec) ARP type: ARPA, ARP Timeut 04:00:00 Last input 00:00:00, utput 00:00:00, utput hang never Last clearing f "shw interface" cunters never Input queue: 1/75/0/0 (size/max/drps/flushes); Ttal utput drps: 0 Queueing strategy: fif Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 1 packets/sec 5 minute utput rate 0 bits/sec, 0 packets/sec 303 packets input, bytes, 0 n buffer Received 13 bradcasts, 0 runts, 0 giants, 0 thrttles 1 input errrs, 1 CRC, 1 frame, 0 verrun, 0 ignred 0 input packets with dribble cnditin detected packets utput, bytes, 0 underruns 0 utput errrs, 0 cllisins, 2 interface resets 0 babbles, 0 late cllisin, 0 deferred 0 lst carrier, 0 n carrier 0 utput buffer failures, 0 utput buffers swapped ut ciscruter> Yur basic physical cnnectivity shuld be OK if the interfaces are seen as being in an up state with line prtcl being up. If line prtcl is dwn, yu prbably have yur ruter incrrectly cabled t the Internet r yur hme netwrk. If the interfaces are seen as administratively dwn, then the ruter cnfiguratin will mst likely have the interfaces cnfigured as being shutdwn like this:

23 interface ethernet0 shutdwn This can be easily crrected. First use the shw running cmmand t cnfirm the shutdwn state. Then yu shuld enter cnfig mde and enter the n shutdwn cmmand. Here is an example fr interface ethernet0. ciscruter(cnfig)# interface ethernet0 ciscruter(cnfig-if)# n shutdwn ciscruter(cnfig-if)#end ciscruter# write memry The shw interfaces is als imprtant as it shws yu whether yu have the crrect IP addresses assigned t yur interfaces and als the amunt f traffic and errrs assciated with each. Using syslg A really gd methd fr trubleshting access cntrl lists (ACLs) and als t view the types f methds peple are using t access yur site is t use syslg. The Appendix has sample cnfiguratins fr Cisc ruters. Other Things T Check Always make sure yur ruter has a: crrect default rute. The default is the ne with the lts f zers. ciscruter>sh ip rute Cdes: C - cnnected, S - static, I - IGRP, R - RIP, M - mbile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static rute, - ODR P - peridic dwnladed static rute Gateway f last resrt is t netwrk /24 is subnetted, 1 subnets C is directly cnnected, Ethernet1 S* /0 [1/0] via ciscruter> default gateway that yu can ping. In the case abve the gateway is

24 - 24 -

25 Chapter 3 Cnfiguring Cisc SOHO VPNs = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = In This Chapter Chapter 3 Cnfiguring Cisc SOHO VPNs Scenari VPN Terminlgies Site 1 Cnfiguratin Example Site 2 Ruter VPN Cnfiguratin Steps (Scenari A) Site 2 PIX Firewall VPN Cnfig. Steps (Scenari B) Peter Harrisn, = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Here is a brief explanatin n hw t cnfigure a permanent Small Office / Hme Office (SOHO) VPN using lw end Cisc ruters and PIX firewalls. There is a sample PIX cnfiguratin in the appendix in which remte users can use Windws based VPN sftware n their ntebk cmputers t access the SOHO site by first dialing int their ISP and then cnnecting t the PIX with the sftware such as Cisc s EasyVPN suite. As yu can imagine, this temprary VPN setup can be quite useful. Scenari In this example we have tw SOHO ffices. A VPN needs t be created between the tw sites s that they can cmmunicate with each ther withut the fear f eavesdrpping. Fr simplicity, neither site is site wants t invest in a CA certificate service r RSA infrastructure. They prefer t use pre-shared keys. The netwrk administratrs at bth sites are aware that permanent site t site VPNs require fixed Internet IP addresses and have upgraded frm their basic DHCP services riginally prvided by their ISPs. Site1 uses a private netwrk f has a ruter with an external Internet IP address f uses a Cisc DSL ruter with a built in DSL mdem like the Cisc 800 series f ruters

26 Site2 uses a private netwrk f uses a Cisc ruter with an external DSL mdem r a PIX firewall. uses a ruter (Scenari A) r firewall (Scenari B) with an external Internet IP address f Other Infrmatin The administratr at Site 1 wants t be able t access all the prtected servers at site 2 by using their real IP addresses and vice versa. Fr example; Site 1 will refer t Site 2 servers with their X IP addresses, nt the Internet NAT addresses n the X netwrk. VPN Terminlgies Befre we begin, it is best t review sme basic VPN terminlgies in the Linux Hme Netwrking guide. Site 1 - Ruter VPN Cnfiguratin Steps There are a number f steps that need t be dne t create the VPN. IKE Phase 1 f the creatin f a VPN tunnel first requires an exchange f the encryptin capabilities f the VPN devices at bth ends f the tunnel. The secnd phase invlves encrypting the data by either using either: Pre-shared keys knwn t bth VPN devices (This is what we ll be using in all the examples belw) r Keys generated via the RSA methdlgy r Keys btained frm Certificatin Authrities (CAs) Cisc ruter / firewall devices usually require yu t cnfigure each f the varius cmbinatins f key encryptin capabilities available. The device will then send all f the cmbinatins t the remte VPN as part f the negtiatin t decide which ne t use. Create an IKE key plicy. The plicy number "9" identifies it frm all ther IKE plicies that may be cnfigured. This plicy requires a pre-shared key. crypt isakmp plicy 9 hash md5 authenticatin pre-share I ve chsen nly ne cmbinatin fr the sake f simplicity, but yu culd add mre like this. If yur device is licensed apprpriately, and yu intend t establish a cnnectin with a Linux VPN device, then yu shuld cnsider a 3DES ptin which Linux

27 FreeS/WAN prefers. Here is a snippet that includes 3DES and may ther plicy capabilities. crypt isakmp plicy 1 encr 3des authenticatin pre-share crypt isakmp plicy 4 encr 3des authenticatin pre-share grup 2 crypt isakmp plicy 5 encr 3des hash md5 authenticatin pre-share grup 2 crypt isakmp plicy 10 authenticatin pre-share grup 2 crypt isakmp plicy 12 authenticatin pre-share crypt isakmp plicy 20 hash md5 authenticatin pre-share grup 2 crypt isakmp plicy 23 encr 3des hash md5 authenticatin pre-share Yu ll then need t cnfigure a VPN shared key that can be used between this site and the VPN site at IPSec crypt isakmp key VPNsecretPASSWORD address Set a lifetime fr the IPSec Security Assciatins. A security assciatin is the equivalent f a site t site VPN relatinship. crypt ipsec security-assciatin lifetime secnds Cnfigure an access list t define the valid traffic t be directed thrugh the VPN frm t access-list 101 permit ip

28 Define which encryptin transfrmatins will be used t shield the VPN traffic as it passes ver the Internet with the "crypt ipsec transfrm-set" cmmand. Each single line set can be given its wn name. In this case we ve chsen set s1s2trans t use ne f the mst cmmn cmbinatins, esp-des and esp-md5-hmac. crypt ipsec transfrm-set s1s2trans esp-des esp-md5-hmac If the remte site prefers t use the mre secure 3DES methd, (Linux FreeS/WAN nly des 3DES) then yu may want t replace the abve statement with this ne: crypt ipsec transfrm-set s1s2trans esp-3des esp-md5-hmac Yu can create multiple transfrm sets depending n yur security requirements. Fr example; yu culd create a transfrm set named weak with regular DES encryptin and anther named strng using the better 3DES methd. Create a crypt-map t match the valid traffic defined by the ACL with the transfrm set we want t use with VPN peer ruter/firewall at the ther site. This example is creating a map entry f pririty 10. crypt map t-site2 10 ipsec-isakmp set peer set transfrm-set s1s2trans match address 101 Yu can add additinal map entries t crrespnd with tunnels t ther remte sites with additinal pririties. Just remember t create the apprpriate access cntrl lists and pre-shared keys. Here is an example f additinal map entries using tw different transfrm sets: crypt map t-site2 150 ipsec-isakmp set peer set transfrm-set s1s2trans match address 101 crypt map t-site2 153 ipsec-isakmp set peer set transfrm-set s1s2trans-strng match address 102 crypt map t-site2 158 ipsec-isakmp set peer set transfrm-set s1s2trans-strng set pfs grup2 match address 103 Bind the crypt-map t the external interface f the ruter. interface BVI1 crypt map t-site2-28 -

29 This example assumes yu are using a ruter with a built in DSL mdem. In such a case, the external Internet facing interface wuld mst likely be called BVI1 with a sister interface ATM0. Make sure bth are cnfigured crrectly. If yu are using a ruter with an external DSL / Cable mdem, then there will nly be ne Internet facing interface t cnfigure. This interface wuld be usually named either Ethernet0 r Ethernet1 depending n the type f ruter. The Site 2 cnfiguratin uses an external DSL / Cable mdem. Site 1 Cnfiguratin Example Current Cnfiguratin: versin 12.1 service timestamps debug uptime service timestamps lg uptime hstname sh1 ip subnet-zer n ip dmain-lkup bridge irb Our SOHO Ruter (Site #1) * Cnfigure IKE prperties crypt isakmp plicy 9 authenticatin pre-share hash md5 crypt isakmp key VPNsecretPASSWORD address * Cnfigure IPSec prperties crypt ipsec security-assciatin lifetime secnds crypt ipsec transfrm-set s1s2trans esp-des esp-md5-hmac * If the remte site prefers t use 3DES, (Linux FreeS/WAN nly des 3DES) then yu may want t * replace the abve statement with this ne: crypt ipsec transfrm-set s1s2trans esp-3des esp-md5-hmac * Define the Site1 t Site2 traffic t be encrypted crypt map t-site2 10 ipsec-isakmp set peer set transfrm-set s1s2trans match address 101 * Give the prtected interface an IP address and * and let it knw that it shuld d NAT as a prtected * inside interface

30 interface Ethernet0 ip address ip nat inside interface ATM0 n ip address n atm ilmi-keepalive pvc 0/35 encapsulatin aal5snap bundle-enable dsl perating-mde aut bridge-grup 1 * Encryptin will be dne n interface BVI1 accrding t * the crypt map statement interface BVI1 ip address ip nat utside crypt map t-site2 ip mtu 1412 * Tells the ruter t NAT all traffic that passes thrugh it: * 1) Frm the inside t the utside, * 2) And whse IP address matches thse in rute map "nnat" * 3) Must get an utside "public" address that is the same as * interface BVI1 * * Replaces the fllwing cmmand used n the basic DSL ruter page * * ip nat inside surce list 1 interface BVI1 verlad ip nat inside surce rute-map nnat interface BVI1 verlad * This statement perfrms the static address translatin * fr the Web server. * With this statement, users trying t reach * will be autmatically redirected t * which in this case is the Web server. ip nat inside surce static * Set yur default gateway as prvided by yur ISP * Set a rute t Site2 via the Tunnel IP f the * ruter at Site2 ip classless ip rute * Encrypt all traffic passing ver the tunnel * interface between the tw sites access-list 101 permit ip * ACL used by rute map "nnat" t exclude traffic * between Site1 and Site2 frm NAT prcess as this

31 * will pass thrugh the VPN tunnel access-list 150 deny ip access-list 150 permit ip any * Use a rute map t define which traffic frm the private * netwrk shuld be included in the NAT prcess: rute-map nnat permit 10 match ip address 150 Site 2 - Ruter VPN Cnfiguratin Steps (Scenari A) IKE Create an IKE key plicy. The plicy number "9" identifies it frm all ther IKE plicies that may be cnfigured. This plicy requires a pre-shared key crypt isakmp plicy 9 hash md5 authenticatin pre-share Cnfigure a VPN shared key that can be used between this site and the VPN site at IPSec crypt isakmp key VPNsecretPASSWORD address Set a lifetime fr the IPSec Security Assciatins crypt ipsec security-assciatin lifetime secnds Cnfigure an access list t define the valid traffic t be directed thrugh the VPN frm t access-list 101 permit ip Define which transfrmatins will be used t shield the VPN traffic with the "crypt ipsec transfrm-set" cmmand. Each set can be given its wn name. crypt ipsec transfrm-set s2s1trans esp-des esp-md5-hmac If the remte site prefers t use the mre secure 3DES methd, (Linux FreeS/WAN nly des 3DES) then yu may want t replace the abve statement with this ne:

32 crypt ipsec transfrm-set s1s2trans esp-3des esp-md5-hmac Create a crypt-map t match the valid traffic, the transfrm set, the securityassciatin lifetime with the VPN peer ruter/firewall at the ther site crypt map t-site1 10 ipsec-isakmp set peer set transfrm-set s1s2trans match address 101 Bind the crypt-map t the external interface f the ruter interface Ethernet1 crypt map t-site1 Site 2 Cnfiguratin Example (Scenari A) Current Cnfiguratin: versin 12.1 service timestamps debug uptime service timestamps lg uptime hstname sh2 ip subnet-zer n ip dmain-lkup Their SOHO Ruter (Site #2) * Cnfigure IKE prperties crypt isakmp plicy 9 authenticatin pre-share hash md5 crypt isakmp key VPNsecretPASSWORD address * Cnfigure IPSec prperties crypt ipsec security-assciatin lifetime secnds crypt ipsec transfrm-set s2s1trans esp-des esp-md5-hmac * If the remte site prefers t use 3DES, (Linux FreeS/WAN nly des 3DES) then yu may want t * replace the abve statement with this ne: * * crypt ipsec transfrm-set s2s1trans esp-3des esp-md5-hmac

33 * Define the Site1 t Site2 traffic t be encrypted crypt map t-site1 10 ipsec-isakmp set peer set transfrm-set s2s1trans match address 101 * Encryptin will be dne accrding t the crypt * map statement interface Ethernet1 ip address ip nat utside crypt map t-site1 * Give the prtected interface an IP address and * and let it knw that it shuld d NAT as a prtected * inside interface interface Ethernet0 ip address ip nat inside * Tells the ruter t NAT all traffic that passes thrugh it: * 1) Frm the inside t the utside, * 2) And whse IP address matches thse in rute map "nnat" * 3) Must get an utside "public" address that is the same as * interface ethernet1 * * Replaces the fllwing cmmand used n the basic DSL ruter page * * ip nat inside surce list 1 interface ethernet1 verlad ip nat inside surce rute-map nnat interface ethernet1 verlad * Set yur default gateway as prvided by yur ISP * Set a rute t Site2 via the Tunnel IP f the ruter * at Site2 ip classless ip rute * Encrypt all traffic passing ver the tunnel interface * between the tw sites access-list 101 permit ip * ACL used by rute map "nnat" t exclude traffic between * Site1 and Site2 * frm NAT prcess as this will pass thrugh the VPN tunnel access-list 150 deny ip access-list 150 permit ip any

34 * Use a rute map t define which traffic frm the private * netwrk shuld be included in the NAT prcess: rute-map nnat permit 10 match ip address 150 Site 2 PIX Firewall VPN Cnfig. Steps (Scenari B) IKE Plan n creating an IPSec plicy with a unique identifier number. The PIX will check each set f cnfigured numbered plicies fr IKE till it achieves success. In this case we ll nly use ne plicy 20. Define the type f encryptin t be used (DES r 3DES) isakmp plicy 20 encryptin des Define the hashing methd fr authenticatin (SHA r MD5) isakmp plicy 20 hash md5 Define the verall authenticatin methd (Pre-shared key r rsa-sig). We'll use the simpler pre-shared methd. isakmp plicy 20 authenticatin pre-share Define the shared key t be used. isakmp key VPNsecretPASSWORD address netmask Specify hw the hsts will identify themselves t ne anther (By address r hstname). The same methd shuld be used n bth ends. isakmp identity address Enable ISAKMP n the external interface f the PIX isakmp enable utside

35 IPSec Cnfigure an access list t define the valid traffic t be directed thrugh the VPN frm t access-list ipsec permit ip Define which transfrmatins will be used t shield the VPN traffic with the "crypt ipsec transfrm-set" cmmand. Each set can be given its wn name, in this case "s2s1trans". crypt ipsec transfrm-set s2s1trans esp-des esp-md5-hmac If the remte site prefers t use the mre secure 3DES methd, (Linux FreeS/WAN nly des 3DES) then yu may want t replace the abve statement with this ne: crypt ipsec transfrm-set s1s2trans esp-3des esp-md5-hmac Create a crypt map t match the valid traffic, the transfrm set, the securityassciatin lifetime with the VPN peer ruter/firewall at the ther site. crypt map s2s1ipsec 10 match address ipsec crypt map s2s1ipsec 10 set peer crypt map s2s1ipsec 10 set transfrm-set s2s1trans crypt map s2s1ipsec 10 set security-assciatin lifetime secnds In this case the crypt map is named "s2s1ipsec" and each statement has a sequence number r "ranking" f "10". Statements with lwer "sequence numbers" are cnsidered befre thse with higher values. Just like the ruters, yu can add mre statements fr tunnels t ther remte VPN devices. Yu just have t remember t make sure that: the crypt map statements referring t each remte site uses a unique sequence number, that the shared secrets match and that crrespnding ACLs are created. Bind the crypt-map t the external interface n which VPN traffic will riginate crypt map s2s1ipsec interface utside Let the PIX's ASA always implicitly allw IPSec traffic thrugh syspt cnnectin permit-ipsec

36 Site 2 Cnfiguratin Example (Scenari B) Here is a sample cnfiguratin fr Site 2 when using a PIX firewall. There are a number f fully cmmented sample PIX cnfiguratins in the appendix in which each line is explained. PIX Versin 6.2(2) nameif ethernet0 utside security0 nameif ethernet1 inside security100 enable passwrd ur0zsmumgz09cmpz encrypted passwd ur0zsmumgz09cmpz encrypted hstname ciscpix dmain-name stcla1.sfba.hme.cm fixup prtcl ftp 21 fixup prtcl http 80 fixup prtcl h323 h fixup prtcl h323 ras fixup prtcl ils 389 fixup prtcl rsh 514 fixup prtcl rtsp 554 fixup prtcl smtp 25 fixup prtcl sqlnet 1521 fixup prtcl sip 5060 fixup prtcl skinny 2000 names Our SOHO PIX (Site #2) * Allw IPSec traffic frm Site2's private * netwrk t Site1's private netwrk access-list ipsec permit ip * D nt Netwrk Address Translate (NAT) traffic * riginating n Site2's private netwrk destined * t Site1's private netwrk. This ACL is the first * step. access-list nnat permit ip pager lines 25 lgging n lgging timestamp lgging trap warnings lgging histry warnings lgging facility 22 lgging hst inside interface ethernet0 10baset interface ethernet1 10full icmp deny any utside mtu utside 1500 mtu inside 1500 * Setup the IP addresses f the interfaces ip address utside ip address inside ip audit inf actin alarm ip audit attack actin alarm

37 pdm lgging infrmatinal 100 pdm histry enable arp timeut glbal (utside) 1 interface * D nt NAT traffic that matches access list "nnat", * NAT everything else nat (inside) 0 access-list nnat nat (inside) rute utside timeut xlate 0:05:00 timeut cnn 1:00:00 half-clsed 0:10:00 udp 0:02:00 timeut uauth 0:05:00 abslute aaa-server TACACS+ prtcl tacacs+ aaa-server RADIUS prtcl radius aaa-server LOCAL prtcl lcal filter java filter activex filter java filter activex ntp server surce inside http server enable http inside snmp-server hst inside n snmp-server lcatin n snmp-server cntact snmp-server cmmunity passwdb snmp-server enable traps tftp-server inside /ciscpix-cnfg fldguard enable n syspt rute dnat telnet inside telnet timeut 15 ssh inside ssh timeut 15 dhcpd address inside dhcpd lease 3600 dhcpd ping_timeut 750 dhcpd aut_cnfig utside * IPSec plicies: syspt cnnectin permit-ipsec crypt ipsec transfrm-set s2s1trans esp-des esp-md5-hmac * If the remte site prefers t use the mre secure 3DES methd, (Linux FreeS/WAN nly des 3DES) * then yu may want t replace the abve statement with this ne: * crypt ipsec transfrm-set s2s1trans esp-3des esp-md5-hmac crypt map s2s1ipsec 10 set security-assciatin lifetime secnds crypt map s2s1ipsec 10 ipsec-isakmp crypt map s2s1ipsec 10 match address ipsec crypt map s2s1ipsec 10 set peer crypt map s2s1ipsec 10 set transfrm-set s2s1trans