May 13, 2012

All communication between H1 and H2 must be protected with IPsec.

Tasks to do

  • Synchronize the time
  • Configure the IOS CA server
  • Enroll the routers to obtain certificates
  • Classify interesting traffic
  • Configure the ISAKMP Phase 1 policy and the IPsec Phase 2 transform set
  • Create a crypto map and apply crypto map to interface

Step 1: Time must be synchronized for certificates to work properly, because every router checks certificate validity periods against its own clock. The CA router can be configured as an NTP master, which then provides time to the other routers.
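As an added example (not part of the original post), here is one way to carry the whole task list through on IOS: the CA router as NTP master and certificate server, R1 enrolling over SCEP, and an ISAKMP policy that authenticates with certificates rather than a pre-shared key. The CA hostname, its address 10.0.12.254, the key labels, trustpoint name and domain name are assumptions; the transform set, crypto map and interface binding are the same as in the pre-shared-key lab and are not repeated here.

```cisco
! --- CA router (hostname CA and address 10.0.12.254 are assumptions) ---
! Set a sane clock first; "ntp master" only serves time the router itself trusts.
CA# clock set 12:00:00 13 May 2012
CA(config)# clock timezone UTC 0
CA(config)# ntp master 3
! SCEP enrollment runs over HTTP, so the HTTP server must be enabled.
CA(config)# ip http server
! CA key pair; the label must match the server name so the server picks it up.
CA(config)# crypto key generate rsa general-keys label LAB-CA modulus 2048 exportable
CA(config)# crypto pki server LAB-CA
CA(cs-server)# issuer-name CN=LAB-CA,O=lab
CA(cs-server)# lifetime ca-certificate 1825
CA(cs-server)# lifetime certificate 365
! Lab only: auto-grant issues a certificate to anyone who can reach port 80.
! In production keep manual granting and approve each request with
! "crypto pki server LAB-CA grant <req-id>".
CA(cs-server)# grant auto
CA(cs-server)# no shutdown
! (prompts for a passphrase that protects the CA private key)
CA# show crypto pki server
! (note the "Certificate fingerprint" line; it is compared on the clients below)

! --- R1 (enrolling router) ---
R1(config)# ntp server 10.0.12.254
R1(config)# ip domain-name lab.local
R1(config)# crypto key generate rsa general-keys label R1-KEYS modulus 2048
R1(config)# crypto pki trustpoint LAB-CA
R1(ca-trustpoint)# enrollment url http://10.0.12.254:80
R1(ca-trustpoint)# subject-name CN=R1,O=lab
R1(ca-trustpoint)# rsakeypair R1-KEYS
! The lab CA publishes no CRL; with the default "revocation-check crl" the
! tunnel would fail later when the CRL cannot be fetched.
R1(ca-trustpoint)# revocation-check none
! Do not enroll until this shows "Clock is synchronized".
R1# show ntp status
! Fetches the CA certificate over plain HTTP. Compare the fingerprint it prints
! with the one from "show crypto pki server" on the CA before answering yes;
! nothing else authenticates this download.
R1(config)# crypto pki authenticate LAB-CA
! Generates the CSR and, with "grant auto", receives the router certificate.
R1(config)# crypto pki enroll LAB-CA
R1# show crypto pki certificates

! Phase 1 then authenticates with the certificate instead of a pre-shared key.
! "hash sha256" and "group 14" need a 15.x image; older images use "hash sha" / "group 5".
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication rsa-sig
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# group 14
! Repeat the R1 section on R2 with its own key label and subject name, then add
! the transform set, crypto map and interface binding as in the pre-shared-key lab.
```

The two checks worth building into the procedure are the NTP status before enrolling (a router that is off by more than the certificate's validity window will reject its own certificate) and the out-of-band fingerprint comparison during `crypto pki authenticate`, since SCEP itself gives no assurance that the CA certificate came from the intended CA.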

May 12, 2012

Task list

  • Change the mode to multiple
  • Define the contexts and allocate interfaces
  • Assign primary and standby IP addresses
  • Failover configuration

Step 1: First we have to change the default mode from single to multiple. A reboot is required. Only multiple mode supports security contexts, which are the virtual firewalls we want to build.

ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

Step 2: Since the ASA is now in multiple context mode, we can define contexts named CON-A and CON-B. We must also provide the location of each context's configuration file with config-url. Finally the interfaces are allocated to each context. The physical interfaces must be unshut, and any subinterfaces created, in the system execution space; a context cannot do this itself.
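As an added example (not from the original post), this is the system execution space configuration that creates the two contexts, followed by a first pass into CON-A to set the primary and standby addresses from the task list, and a minimal Active/Standby failover setup. Interface names, VLAN IDs, file names, addresses and the failover link are all assumptions.

```cisco
! --- System execution space (interface names, VLANs and addresses are assumptions) ---
! Physical interfaces and subinterfaces exist only here; contexts cannot create them.
ASA1(config)# interface GigabitEthernet0/0
ASA1(config-if)# no shutdown
ASA1(config-if)# interface GigabitEthernet0/0.10
ASA1(config-subif)# vlan 10
ASA1(config-subif)# interface GigabitEthernet0/0.20
ASA1(config-subif)# vlan 20
ASA1(config-subif)# interface GigabitEthernet0/1
ASA1(config-if)# no shutdown
ASA1(config-if)# interface GigabitEthernet0/1.10
ASA1(config-subif)# vlan 110
ASA1(config-subif)# interface GigabitEthernet0/1.20
ASA1(config-subif)# vlan 120
ASA1(config-subif)# interface Management0/0
ASA1(config-if)# no shutdown

! The admin context is mandatory; remote management of the system space lands in it.
ASA1(config)# admin-context admin
ASA1(config)# context admin
ASA1(config-ctx)# allocate-interface Management0/0
ASA1(config-ctx)# config-url disk0:/admin.cfg

! Allocate interfaces BEFORE config-url: the file is loaded the moment config-url
! is entered, and any command in it that refers to an interface not yet allocated
! is rejected. The mapped names (inside/outside) hide the physical interface
! names from the context administrator.
ASA1(config)# context CON-A
ASA1(config-ctx)# allocate-interface GigabitEthernet0/0.10 inside
ASA1(config-ctx)# allocate-interface GigabitEthernet0/1.10 outside
ASA1(config-ctx)# config-url disk0:/CON-A.cfg
ASA1(config)# context CON-B
ASA1(config-ctx)# allocate-interface GigabitEthernet0/0.20 inside
ASA1(config-ctx)# allocate-interface GigabitEthernet0/1.20 outside
ASA1(config-ctx)# config-url disk0:/CON-B.cfg
ASA1# show context

! --- Inside CON-A: primary and standby addresses (the standby address is what
! --- the other failover unit uses; interfaces are referenced by their mapped names) ---
ASA1# changeto context CON-A
ASA1/CON-A(config)# interface inside
ASA1/CON-A(config-if)# nameif inside
ASA1/CON-A(config-if)# security-level 100
ASA1/CON-A(config-if)# ip address 10.0.100.1 255.255.255.0 standby 10.0.100.2
ASA1/CON-A(config-if)# interface outside
ASA1/CON-A(config-if)# nameif outside
ASA1/CON-A(config-if)# security-level 0
ASA1/CON-A(config-if)# ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
ASA1/CON-A# changeto system

! --- Active/Standby failover, configured in the system space (link is an assumption) ---
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FOLINK GigabitEthernet0/2
ASA1(config)# failover link FOLINK GigabitEthernet0/2
ASA1(config)# failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Without a key the failover link carries the replicated configuration,
! including secrets, in cleartext.
ASA1(config)# failover key Replace-With-A-Long-Random-Key
ASA1(config)# failover
ASA1# show failover
```

The secondary unit needs only the failover block with `failover lan unit secondary`; the contexts and their configurations are replicated from the primary once the link comes up.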

May 06, 2012

All communication between H1 and H2 must be protected with IPsec.

Tasks to do

  • Classify interesting traffic
  • Create ISAKMP policy and shared key for Phase 1
  • Create IPsec Transform set for Phase 2
  • Create a crypto map and apply crypto map to interface

Step 1: The traffic that has to be protected with IPsec must be classified with an ACL. Here we create an ACL that matches packets between the 10.0.100.0/24 and 10.0.200.0/24 networks; the crypto map will later reference it with match address.

R1(config)#ip access-list extended PROTECTED_TRAFFIC
R1(config-ext-nacl)# permit ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255

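As an added example (not part of the original post), the remaining steps of the task list carried through on R1 with a pre-shared key: Phase 1 policy and key, Phase 2 transform set, and the crypto map bound to the outside interface. The outside interface name, the addresses 192.0.2.1 (R1) and 192.0.2.2 (the peer) and the key string are assumptions.

```cisco
! --- R1 (outside interface, its address and the peer address are assumptions) ---
! Step 1: interesting traffic (as in the post)
R1(config)# ip access-list extended PROTECTED_TRAFFIC
R1(config-ext-nacl)# permit ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255

! Step 2: ISAKMP Phase 1 policy and pre-shared key
! "hash sha256" and "group 14" need a 15.x image; older images use "hash sha" / "group 5".
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
! Bind the key to the peer address. Avoid a wildcard key (address 0.0.0.0 0.0.0.0):
! in Main Mode the key is what identifies the peer, so one key shared by every
! peer lets any of them impersonate the others.
R1(config)# crypto isakmp key 0 Lab-PSK-replace-with-a-long-random-string address 192.0.2.2

! Step 3: IPsec Phase 2 transform set
R1(config)# crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)# mode tunnel

! Step 4: crypto map, bound to the outside interface
R1(config)# crypto map CMAP-H1-H2 10 ipsec-isakmp
R1(config-crypto-map)# set peer 192.0.2.2
R1(config-crypto-map)# set transform-set TS-AES256-SHA256
! PFS: a fresh DH exchange per Phase 2 SA, so a recovered Phase 1 key does not
! expose earlier traffic.
R1(config-crypto-map)# set pfs group14
R1(config-crypto-map)# match address PROTECTED_TRAFFIC
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 192.0.2.1 255.255.255.0
R1(config-if)# crypto map CMAP-H1-H2

! --- The peer is the mirror image: the ACL with the two networks swapped, the same
! --- key bound to address 192.0.2.1, the same policy and transform set, and
! --- "set peer 192.0.2.1". ACLs that are not exact mirrors fail Phase 2.

! Verification after H1 sends traffic to H2: a Phase 1 SA in state QM_IDLE, and
! encaps/decaps packet counters that increase with each ping.
R1# show crypto isakmp sa
R1# show crypto ipsec sa | include pkts
```

Traffic that does not match PROTECTED_TRAFFIC still leaves the outside interface in cleartext; if anything other than the two LANs must never cross unprotected, add an outbound ACL on the outside interface that permits only ESP, UDP/500 and UDP/4500 to the peer.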

Apr 28, 2012

With the role-based CLI access feature, a view is assigned a set of commands, and a user who logs into that view can run only those commands, for example the ones needed to configure a single technology. To configure role-based access for users we must consider the following.

  • aaa new-model must be activated.
  • Only the root view can configure other views. The root view has the same privileges as a privilege level 15 user.
  • The authentication method must not be none, which means an enable secret must be configured.
  • Each view must have a password (secret) configured.

There are three kinds of views: the root view, normal views and superviews.

root view: Only the root view can configure any other view.
normal view: A normal view is a role with a specific set of commands assigned to it.
superview: A superview has no commands of its own; it combines the commands of the normal views it contains.
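As an added example (not part of the original post), a complete parser view setup: the prerequisites from the list above, two normal views, a superview that combines them, and local users bound to the views. View names, the command sets and the secrets are assumptions.

```cisco
! Prerequisites: aaa new-model and an enable secret (the "authentication must not
! be none" item). The enable secret is also the root view's secret.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# enable secret Root-View-Secret-replace-me
! Only the root view can create views; "enable view" asks for the enable secret.
R1# enable view

R1(config)# parser view NETOPS
R1(config-view)# secret NetOps-View-Secret-replace-me
! Each "commands <mode> include" line is one permitted command; anything not
! listed is not even visible to tab completion in the view.
R1(config-view)# commands exec include show ip interface brief
R1(config-view)# commands exec include show ip route
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include interface
R1(config-view)# commands interface include description
R1(config-view)# commands interface include shutdown

R1(config)# parser view SECOPS
R1(config-view)# secret SecOps-View-Secret-replace-me
R1(config-view)# commands exec include show access-lists
! "include-all" grants a whole subtree, here every "show crypto ..." command.
R1(config-view)# commands exec include-all show crypto
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include ip access-list

! A superview holds no commands of its own; it inherits from the views listed in it.
R1(config)# parser view OPS-ALL superview
R1(config-view)# secret Ops-All-Secret-replace-me
R1(config-view)# view NETOPS
R1(config-view)# view SECOPS

! Bind local users to views so they land in the view at login rather than in a
! privilege level; a user without a view binding is not restricted by the views.
R1(config)# username netops view NETOPS secret NetOps-User-Secret
R1(config)# username auditor view SECOPS secret Auditor-User-Secret
R1(config)# username lead view OPS-ALL secret Lead-User-Secret

! Checks: the current view, and (from the root view) every configured view.
R1# show parser view
R1# show parser view all
```

The check that matters is logging in as `netops` and confirming that a command outside the view (for example `show running-config`) is rejected, and that `configure terminal` followed by `ip access-list` is also rejected, since that keyword was granted only to SECOPS.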

Apr 26, 2012

ICMP redirect messages are used by routers to inform hosts in the same broadcast domain that a better next hop exists for a destination. A router sends one when it has to forward a packet back out of the same interface on which it received it.

To understand this, let's look at the following topology.

The host H1 accesses the internet through its default gateway 10.0.12.1, which is router R1. The host has no routes other than the default route. If H1 wants to reach the server at 10.0.23.3, it sends the packet to its gateway (10.0.12.1). R1 finds that, to reach the destination, it has to forward the packet to R2, and R2 is in the same broadcast domain as the host. R1 therefore forwards the packet out of the interface it arrived on and, at the same time, sends an ICMP redirect to H1 telling it to use R2 directly for 10.0.23.3.
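As an added example (not part of the original post), the R1 side of the topology above, showing the default redirect behaviour, how to confirm it, and how to turn redirect generation off on the host-facing interface. R1's LAN interface name and R2's address 10.0.12.2 are assumptions; 10.0.12.1 and 10.0.23.3 are from the post.

```cisco
! --- R1 (LAN interface name and R2 = 10.0.12.2 are assumptions) ---
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 10.0.12.1 255.255.255.0
! R1 reaches the server network through R2, which sits on the same segment as H1.
! This is exactly the condition that triggers a redirect: packets from H1 for
! 10.0.23.3 arrive on Gi0/0 and leave via Gi0/0 again toward 10.0.12.2.
R1(config)# ip route 10.0.23.0 255.255.255.0 10.0.12.2

! Default state: redirect generation is enabled on the interface.
R1# show ip interface GigabitEthernet0/0 | include redirects
  ICMP redirects are always sent

! "debug ip icmp" on R1 while H1 sends its first packet to 10.0.23.3 logs the
! redirect being sent toward 10.0.12.2. Turn the debug off again afterwards.
R1# debug ip icmp
R1# undebug all

! Hardening: stop R1 from generating redirects on the host-facing interface, so
! hosts keep sending through their configured gateway and R1 keeps relaying.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip redirects
R1# show ip interface GigabitEthernet0/0 | include redirects
  ICMP redirects are never sent
```

`no ip redirects` on R1 only stops legitimate redirects. Anyone on the 10.0.12.0/24 segment can still forge a redirect claiming to come from 10.0.12.1 and pull H1's traffic for any destination through their own machine, so the host side matters as much: on Linux set `net.ipv4.conf.all.accept_redirects=0` (and the `default` counterpart), on Windows use `netsh interface ipv4 set global icmpredirects=disabled`. Once hosts ignore redirects, the router-side setting is about keeping the routing path predictable rather than about security.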