Network technologies and trends


December 28, 2015  4:12 AM

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 2

Yasir Irfan
ACL, Cisco, CRYPTO, IPsec, VPN

In my previous post we talked briefly about IPsec. We will be using the topology below for our setup.

Site to Site IPSEC VPN

The whole topology was built using Cisco VIRL. In this example we will build a Site-to-Site IPsec VPN between routers R1 and R2 and allow communication between the R1 LAN subnet 192.168.1.0 and the R2 LAN subnet 10.10.2.0.

Before starting, make sure you have reachability between the peer routers, i.e. you can ping the R2 WAN IP 2.2.2.2 from R1 and vice versa.

Site-to-Site VPN1

Step 1: Define the interesting traffic (the traffic you want encrypted across the public network) using an ACL.

R1

ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255

R2

ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2: Configure NAT exemption. (If you are using NAT on the routers for Internet access this step is a must; if you are not using NAT, skip this step and proceed to step 4.) We use ACLs to exclude the VPN traffic passing through the tunnel between Site 1 and Site 2 from NAT.

R1

ip access-list extended NO-NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

R2

ip access-list extended NO-NAT-ACL
 deny   ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any

Step 3: Configure NAT on both routers and enable it on the inside and outside interfaces. (Use this step only if step 2 was configured; otherwise proceed to step 4.)

R1

ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside

R2

ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside

Step 4: Configure Phase 1 (ISAKMP) of IPsec so that a secure tunnel is established between R1 and R2. We will be using the following parameters for phase 1:

Encryption: 3DES (DES and AES can be used as well)
Hash: MD5 (SHA can also be used)
Pre-shared key: itke
Group: Diffie-Hellman Group 2 (other groups are also available)

Site-to-Site VPN2

R1

crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
exit
crypto isakmp key itke address 2.2.2.1

R2

crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
exit
crypto isakmp key itke address 1.1.1.1

Step 5: Let's configure Phase 2 (IPsec); in this phase the IPsec security parameters are negotiated.

R1

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
exit
crypto map MYVPN 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set MYSET
 match address VPN-ACL
exit
interface gi 0/1
 crypto map MYVPN

R2

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
exit
crypto map MYVPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address VPN-ACL
exit
interface gi 0/1
 crypto map MYVPN
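Steps 1 to 5 only work when the two routers agree with each other: the interesting-traffic ACLs must be mirror images, the NAT exemption must deny the VPN flow before any permit that would translate it, and the crypto map peer must be the address the pre-shared key is bound to on the same side and the WAN address of the other side. The script below, an added example that is not part of the original post, cross-checks two configurations for exactly these points. Its parser understands only the commands used above (named extended ACLs, `ip nat inside source list`, `crypto isakmp key ... address`, and the crypto map's `set peer` / `match address`); R1_CONFIG and R2_CONFIG are constructed from the post's commands, and the WAN addresses passed to `check_pair()` are assumed to be the peer addresses those commands use.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed from the post's R1 and R2 commands (only the lines the checker needs).
R1_CONFIG = """\
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
ip access-list extended NO-NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
crypto isakmp key itke address 2.2.2.1
crypto map MYVPN 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set MYSET
 match address VPN-ACL
"""

R2_CONFIG = """\
ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NO-NAT-ACL
 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any
ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
crypto isakmp key itke address 1.1.1.1
crypto map MYVPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address VPN-ACL
"""


@dataclass
class RouterConfig:
    acls: dict = field(default_factory=dict)  # ACL name -> [(action, src, dst), ...]
    nat_list: Optional[str] = None            # ACL named in 'ip nat inside source list'
    isakmp_peer: Optional[str] = None         # address in 'crypto isakmp key ... address'
    map_peer: Optional[str] = None            # 'set peer' inside the crypto map
    map_acl: Optional[str] = None             # 'match address' inside the crypto map


def _addr(tokens):
    """Consume one ACL address spec: 'any', or 'network wildcard'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_config(text):
    """Minimal parser for the handful of IOS commands the site-to-site setup uses."""
    cfg, current_acl = RouterConfig(), None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "access-list", "extended"]:
            current_acl = parts[3]
            cfg.acls[current_acl] = []
        elif current_acl and parts[0] in ("permit", "deny") and parts[1] == "ip":
            src, rest = _addr(parts[2:])
            dst, _ = _addr(rest)
            cfg.acls[current_acl].append((parts[0], src, dst))
        elif parts[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg.nat_list, current_acl = parts[5], None
        elif parts[:3] == ["crypto", "isakmp", "key"]:
            cfg.isakmp_peer, current_acl = parts[5], None   # crypto isakmp key <key> address <ip>
        elif parts[:2] == ["set", "peer"]:
            cfg.map_peer = parts[2]
        elif parts[:2] == ["match", "address"]:
            cfg.map_acl = parts[2]
        elif not raw.startswith(" "):
            current_acl = None  # any other top-level command ends the ACL block
    return cfg


def check_pair(a_text, a_wan, b_text, b_wan):
    """Return the list of mismatches between the two sides; an empty list means they agree."""
    sides = {"A": (parse_config(a_text), a_wan), "B": (parse_config(b_text), b_wan)}
    problems = []
    for name, other in (("A", "B"), ("B", "A")):
        cfg, _ = sides[name]
        peer_cfg, peer_wan = sides[other]
        if cfg.map_acl not in cfg.acls:
            problems.append(f"{name}: crypto map matches unknown ACL {cfg.map_acl}")
            continue
        permits = [e for e in cfg.acls[cfg.map_acl] if e[0] == "permit"]
        peer_permits = [e for e in peer_cfg.acls.get(peer_cfg.map_acl, []) if e[0] == "permit"]
        # Step 1: the interesting-traffic ACLs must be exact mirror images.
        if {(s, d) for _, s, d in permits} != {(d, s) for _, s, d in peer_permits}:
            problems.append(f"{name}: {cfg.map_acl} is not the mirror image of the peer's ACL")
        # Steps 4/5: key address and crypto map peer must agree and be the other side's WAN.
        if cfg.map_peer != cfg.isakmp_peer:
            problems.append(f"{name}: set peer {cfg.map_peer} differs from isakmp key address {cfg.isakmp_peer}")
        if cfg.map_peer != peer_wan:
            problems.append(f"{name}: set peer {cfg.map_peer} is not the peer's WAN address {peer_wan}")
        # Steps 2/3: each VPN flow must be denied in the NAT ACL before any permit covering it.
        entries = cfg.acls.get(cfg.nat_list, []) if cfg.nat_list else []
        for _, src, dst in permits:
            deny_at = next((i for i, e in enumerate(entries) if e == ("deny", src, dst)), None)
            permit_at = next((i for i, e in enumerate(entries)
                              if e[0] == "permit" and e[1] in (src, "any")), len(entries))
            if cfg.nat_list and (deny_at is None or deny_at > permit_at):
                problems.append(f"{name}: {cfg.nat_list} does not exempt {src} -> {dst} from NAT")
    return problems


if __name__ == "__main__":
    for line in check_pair(R1_CONFIG, "1.1.1.1", R2_CONFIG, "2.2.2.1") or ["both sides agree"]:
        print(line)
```

Running it against the two configurations as written reports that both sides agree; swapping the order of the two NO-NAT-ACL entries, or changing one `set peer`, produces a one-line description of the mismatch instead of the silent "SA never comes up" you would otherwise debug on the router.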

By following the steps above one can configure a Site-to-Site IPsec VPN. Now let's verify whether the IPsec tunnel is established between Site 1 and Site 2.

The most important command to verify the Security Association establishment between the two routers is "show crypto isakmp sa".

Site-to-Site VPN 3

We can see from the above output that the Security Association is not established. Why is this so?

Unless traffic is initiated from one of the sites, the SA will never come up. Let's try to ping the Site 1 IP 192.168.1.1 from R2, sourcing the ping from its LAN network.

Site-to-Site VPN3

After initiating the traffic we can see that the SA is established. The state QM_IDLE and the status ACTIVE are the important parameters: together they confirm that the IPsec tunnel has been established successfully.

One more verification command, "show crypto ipsec sa", reports whether the data transmitted over the tunnel is being encrypted and decrypted.

Site-to-Site VPN4

The above output confirms that both encryption and decryption are occurring over the tunnel and our traffic is protected over the Internet. If someone wants the VIRL topology they can ping me and I will email the VIRL topology file.
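The two verification commands above are read by eye in the post; when the same check has to be repeated (a monitoring job, or a script that reports on many tunnels) it helps to parse them. The following added example, not part of the original post, parses the IKE SA table and the packet counters and classifies the tunnel: no SA at all, an SA that is still negotiating, an SA in QM_IDLE/ACTIVE with no traffic, traffic in one direction only (the usual sign of an asymmetric ACL or a routing problem on one side), or fully up. The two sample outputs are constructed to follow the IOS `show crypto isakmp sa` and `show crypto ipsec sa` layouts and use the post's sample addresses; they are not captured from the post's routers.

```python
import re

# Constructed sample of 'show crypto isakmp sa' after traffic has brought the SA up.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
2.2.2.1         1.1.1.1         QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed excerpt of 'show crypto ipsec sa' for the MYVPN crypto map on R1.
IPSEC_SA_OUTPUT = """\
interface: GigabitEthernet0/1
    Crypto map tag: MYVPN, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""

SA_ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_isakmp_sa(output):
    """Return one dict per IKE SA row: dst, src, state, conn_id, status."""
    sas = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                        "conn_id": int(m.group(4)), "status": m.group(5)})
    return sas


def parse_ipsec_counters(output):
    """Pull the encap/decap and error counters out of 'show crypto ipsec sa'."""
    patterns = {"encaps": r"#pkts encaps:\s*(\d+)", "decaps": r"#pkts decaps:\s*(\d+)",
                "send_errors": r"#send errors\s+(\d+)", "recv_errors": r"#recv errors\s+(\d+)"}
    counters = {}
    for key, pattern in patterns.items():
        m = re.search(pattern, output)
        counters[key] = int(m.group(1)) if m else 0
    return counters


def tunnel_status(isakmp_output, ipsec_output, peer):
    """Classify the tunnel to 'peer': no-sa, negotiating, up-idle, up-one-way or up."""
    sas = [s for s in parse_isakmp_sa(isakmp_output) if peer in (s["dst"], s["src"])]
    if not sas:
        return "no-sa"            # nothing has triggered IKE yet (no interesting traffic)
    # QM_IDLE + ACTIVE is the healthy phase-1 state the post singles out.
    if not any(s["state"] == "QM_IDLE" and s["status"] == "ACTIVE" for s in sas):
        return "negotiating"      # e.g. MM_NO_STATE: phase 1 has not completed
    c = parse_ipsec_counters(ipsec_output)
    if c["encaps"] == 0 and c["decaps"] == 0:
        return "up-idle"
    if c["encaps"] == 0 or c["decaps"] == 0:
        return "up-one-way"       # traffic only flows in one direction
    return "up"


if __name__ == "__main__":
    print(tunnel_status(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, "2.2.2.1"))
```

The `up-one-way` case is the one worth alerting on: encaps climbing while decaps stays at zero means this side is encrypting but the peer's return traffic is either not matching its interesting-traffic ACL or is being NATed before it reaches the crypto map.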

December 27, 2015  5:26 PM

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 1

Yasir Irfan
ACL, Cisco, Cisco Routers, IPsec, IPsec VPN, Topology, VPN

IPsec is the protocol one can use to establish a Site-to-Site VPN. It is widely used because it is an open-standard protocol which offers secure and encrypted communication over the public Internet. IPsec works at the Network layer and only passes unicast traffic. I will brief you about how IPsec works.

IPsec works through 5 stages:

  1. Interesting Traffic
    1. ACL
  2. Phase 1 (ISAKMP / IKEv1)
    1. The IPsec devices negotiate an IKE security policy and establish a secure channel for communication
  3. Phase 2 (IPsec)
    1. The IPsec devices negotiate an IPsec security policy to protect the data
  4. Data Transfer
    1. Data is transferred based on
      1. the IPsec parameters
      2. the keys negotiated
  5. IPsec Tunnel Termination
    1. IPsec SAs terminate when they time out or when a certain data volume is reached

Site to Site IPSEC VPN

We will be using the following topology to configure a site-to-site IPsec VPN between two Cisco routers. In the upcoming post let's see how to configure the Site-to-Site IPsec VPN on Cisco routers.


December 27, 2015  5:03 AM

How to configure a Login Banner in Palo Alto Networks Firewall?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

When it comes to following best practices for any network security appliance, one should configure a login banner. Configuring a login banner in a Palo Alto Networks firewall is quite simple. Let's see how we can configure one.

Step 1: Device>Setup>Management>General Settings (Edit icon)

PA - Login Banner 1

Step 2: Device>Setup>Management>General Settings (Edit icon)>Login Banner

Type the organization-approved banner text in the Banner box as shown below and click OK.

PA - Login Banner 2

By following these simple steps one can configure a login banner in a Palo Alto Networks firewall. Whenever someone tries to SSH in or log in using a browser, he/she will see the screen below with the login banner.

PA - Login Banner 3


December 26, 2015  4:31 AM

What is Palo Alto Security Policy – Series 1?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN, YouTube

Palo Alto firewalls use security policies to either allow or deny access. A Security Policy comprises a list of security policy rules, and each rule comprises objects such as:

  • Address (both source and destination)
  • Applications
  • Users
  • Services
  • URL Category
  • Action
  • Profile

PA Security Policy

One can use all of the objects or only some of them to configure a Security Policy rule, depending on the purpose of the policy. The Palo Alto firewall takes the action configured in a security policy rule only when a session matches all the fields defined in that rule.

Palo Alto Security Policy

The Security Policy shown above will block YouTube access only when the session is sourced from the trust zone by the users alldevelopers or yasir and is destined for the untrust zone with an attempt to access YouTube; in that case the action the Palo Alto firewall takes is to block the YouTube access.

Like any other firewall, Palo Alto Networks firewalls adopt a top-down approach to evaluate the security policies and take the action of the matching rule: once a matching rule is found no further rules are evaluated; if not, evaluation continues until the last rule. If no match is found, the session is dropped.
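The two rules of evaluation just described (every configured field must match, and the first matching rule from the top decides, with an implicit drop when nothing matches) are easy to state and easy to get wrong in a long rulebase, because a broad rule placed above a narrow one silently shadows it. The following added example is a small model of that evaluation, not the vendor's code: a rule field left unset matches anything, `evaluate()` walks the policy top-down, and `shadowed_rules()` reports rules that can never match because an earlier rule already covers every session they could match. The policy and session values are constructed around the post's YouTube example; the zone, user and application names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # an unset rule field matches any value

# (rule attribute, session attribute) pairs that are compared during matching.
FIELDS = [("from_zone", "from_zone"), ("to_zone", "to_zone"), ("source", "source"),
          ("destination", "destination"), ("users", "user"), ("application", "application"),
          ("service", "service"), ("url_category", "url_category")]


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    from_zone: Optional[set] = ANY
    to_zone: Optional[set] = ANY
    source: Optional[set] = ANY
    destination: Optional[set] = ANY
    users: Optional[set] = ANY
    application: Optional[set] = ANY
    service: Optional[set] = ANY
    url_category: Optional[set] = ANY


@dataclass
class Session:
    from_zone: str
    to_zone: str
    source: str
    destination: str
    user: str
    application: str
    service: str
    url_category: str = "any"


def rule_matches(rule, session):
    """Every field the rule sets must match; an unset field matches anything."""
    for rule_attr, sess_attr in FIELDS:
        allowed = getattr(rule, rule_attr)
        if allowed is not ANY and getattr(session, sess_attr) not in allowed:
            return False
    return True


def evaluate(policy, session):
    """Top-down first match; returns (rule name, action). No match is an implicit drop."""
    for rule in policy:
        if rule_matches(rule, session):
            return rule.name, rule.action
    return None, "drop"


def shadowed_rules(policy):
    """Names of rules an earlier rule covers completely, so they can never be hit."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if all(getattr(earlier, f) is ANY or
                   (getattr(later, f) is not ANY and getattr(later, f) <= getattr(earlier, f))
                   for f, _ in FIELDS):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed policy modelled on the post's screenshot: block YouTube for two users
# from trust to untrust, followed by a general outbound allow.
POLICY = [
    Rule("Block-YouTube", "deny", from_zone={"trust"}, to_zone={"untrust"},
         users={"alldevelopers", "yasir"}, application={"youtube"}),
    Rule("Allow-Outbound", "allow", from_zone={"trust"}, to_zone={"untrust"}),
]

if __name__ == "__main__":
    s = Session("trust", "untrust", "172.16.32.2", "203.0.113.10", "yasir", "youtube", "application-default")
    print(evaluate(POLICY, s))                      # ('Block-YouTube', 'deny')
    print(shadowed_rules(list(reversed(POLICY))))   # ['Block-YouTube'] once the allow is moved above it
```

Reversing the two rules is the classic mistake: the general allow now matches yasir's YouTube session first, the deny is never consulted, and `shadowed_rules()` is the check that catches it before commit.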

In our next post we will discuss more about Security Policy rules types.


December 24, 2015  6:15 AM

How to configure a static route in Palo Alto Firewall?

Yasir Irfan
Administrator, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Static route, tunnel, VLAN

In one of my previous posts we discussed the Palo Alto Networks firewall Virtual Router, how it works and what kinds of protocols it is capable of supporting. Configuring a static route in the Palo Alto firewall Virtual Router is quite simple; in this post let's see how we can configure one.

We will be using the following topology for our example.

Palo Alto in V Router

We have a LAN with the subnet 172.16.32.0, which is the trust zone, accessing the Internet via the network 192.168.1.0, which is the untrust zone.

In order to allow Internet access you should ensure that there is a default route toward the Internet gateway 192.168.1.1 and that the Palo Alto Layer 3 interfaces of both the trust and untrust zones are configured with the following:

  • IP Address
  • Security Zone
  • Virtual Router

PA VR- 1

In order to configure a default route in the Palo Alto Networks firewall we need to do the following:

Step 1: Go to Network>Virtual Routers

Click Virtual Routers>default>Static Routes>Add

PA VR 2

(The Palo Alto firewall comes with a Virtual Router named default; if you want, you can create a new virtual router and name it according to your needs.)

Step 2: Configure the default route towards the Internet Gateway IP address as shown below.

PA VR 3

In our case any traffic sourced from the trust zone will be sent to the Internet router IP address as its default gateway.

PA VR 4

We will name the route Static Route.

The Destination field will be 0.0.0.0/0, as any traffic that does not have a more specific route will be forwarded to the Internet Gateway.

Select the IP Address radio button in the Next Hop field.

Enter the IP address and mask 192.168.1.1/24

Click OK and save the configuration.

Make sure you configure a Security Policy to allow the traffic from the trust zone to the untrust zone as shown below.

PA VR 5

You can see from my laptop with IP address 172.16.32.2 that I can ping the Internet gateway 192.168.1.1 and can also access the Internet.

PA VR 6

You can see it is very easy to configure a static route in the Palo Alto firewall, and one can view the routing table as shown below.

PA VR 7


December 20, 2015  4:49 AM

How to capture packets in Cisco VIRL?

Yasir Irfan
Cisco, Packet capture, Packet Sniffing, router, SSH, Telnet, Wireshark

With the introduction of Cisco VIRL 1.0.0, capturing traffic has become quite a bit simpler. One can now directly click a link on a device and do a packet capture. In this post let's see how we can capture traffic in Cisco VIRL and analyse it.

Step 1: Log in to the VIRL server from your web browser; you should see the screen below. Click on User Workspace Management (UWM).

VIRL- Traffic capture -1

Step 2: Log in to the UWM portal using the default credentials

Username: uwmadmin

Password: password

VIRL-Traffic Capture 2

Step 3: Select Overview, look for the active simulations and click the simulation on which you want to do the packet capture.

VIRL - Traffic Capture 4

Step 4: Select the node and interface on which you want to do the packet capture and click the eye-shaped icon as demonstrated below.

VIRL- Traffic Capture 5

Step 5: Select Offline Capture, apply any filter needed and click Create. In my case I am capturing all the traffic, so no filters are applied.

VIRL - Traffic Capture 6

Step 6: Download the captured data and analyze it using Wireshark.

VIRL-Traffic Capture 7

Below is a Wireshark snapshot of the packet capture I did.

VIRL - Packet Capture -8

The new Cisco VIRL 1.0.0 really offers some cool packet capture features which are very easy to use.


December 18, 2015  6:34 PM

How to configure Cisco VIRL – VMMaestro to use external telnet and SSH Client?

Yasir Irfan
router, SSH, Telnet

Cisco VIRL comes with an internal SSH and Telnet client which is quite good and opens all the SSH and Telnet sessions within the VMMaestro GUI, but if someone wants to use SecureCRT on their Mac as an external client, the change is easy to configure in VIRL VMMaestro.

VMMaestro-1

Terminal>Cisco Terminal

Step 1

Change the title format to: %s

Step 2

Select: Use external terminal applications

Step 3

Fill in the fields shown below

Telnet command:
/Applications/SecureCRT.app/contents/MacOS/SecureCRT

Telnet arguments:
/T /N %t /TELNET %h %p

SSH command:
/Applications/SecureCRT.app/contents/MacOS/SecureCRT

SSH arguments:
/T /N %t /TELNET %h %p

VMMaestro-2

By making these minor changes you can use SecureCRT to SSH or Telnet to VIRL devices.

telnet VIRL

VIRL telnet 1


December 16, 2015  9:01 AM

What is Palo Alto Virtual Router?

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

When it comes to routing traffic between different networks one needs a router. Palo Alto Networks firewalls are capable of routing traffic between networks. Palo Alto uses the concept of "Virtual Routers" to route traffic, be it static or dynamic routing. A Virtual Router uses virtualized, partitioned routing tables to do the routing job. Palo Alto firewalls use virtual routers to obtain routes and install the best route into their routing table.

 Virtual Router

Palo Alto Networks firewalls are capable of supporting dynamic routing protocols such as RIPv2, OSPF (OSPFv2 and OSPFv3) and BGPv4. The Palo Alto Networks firewall comes with a Virtual Router named default, which can be used for routing provided the Layer 3 interfaces or VLANs are part of that default Virtual Router. One can also create a new Virtual Router, name it according to his/her organization's standards, and use it for both static and dynamic routing.


December 11, 2015  3:48 PM

Palo Alto Networks Firewalls – Management Profile

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

Palo Alto Networks firewalls come with a dedicated out-of-band Management (MGT) interface which is used to manage the firewall. By default SSH, HTTPS and ping are enabled on it for management. Apart from the dedicated out-of-band management interface, one can use any Layer 3 interface to manage the firewall.

In order to manage the Palo Alto Networks firewall through a Layer 3 interface one must enable a management profile. To configure the management profile follow the steps below.

Network>Network Profiles > Interface Mgmt > Add

Management profile

Configure the management profile by giving it a name and selecting the services you want to permit, along with the permitted IP addresses if you wish.

Assign the Management Profile to any Layer 3 interface from which you want to manage the Palo Alto Networks firewall, as shown below.

Network>Interfaces>Ethernet> ethernet1/1>Advance>Management Profile

The Management Profile is a good option which comes in handy when you want to allow management functions on any Layer 3 interface.


December 7, 2015  5:17 AM

Palo Alto Networks Firewall Interface Types – Layer 2

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Spanning Tree Protocol, STP, tunnel, VLAN

Like any other firewall, the Palo Alto Networks firewall can be deployed in Layer 2 mode. In Layer 2 deployment mode the firewall provides switching between two or more networks. In this mode a VLAN object must be assigned to each interface, and additional Layer 2 sub-interfaces must be assigned to a group of interfaces. The firewall performs VLAN tag switching when Layer 2 sub-interfaces are attached to a common VLAN object.

Palo Alto Layer 2 Deployment mode

Palo Alto Networks firewall Layer 2 interfaces are only capable of supporting 802.1Q trunks; they do not support any spanning tree protocol (STP), nor do they participate in the spanning tree process. The firewall simply forwards the BPDUs it receives from the peer switch.

