Information Technology - Gerardo Marciales
<br />
<br />
Turning off IPv4/IPv6 in Synology DiskStation (DSM 6.1.3-15152 Update 8)
<br />
Published 2017-10-25 by Gerardo Marciales
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiepUOkbvcizwxZQ4aO75-j1tv2mpr0HwehVe0tULHsEXX_SAJsuT-6zCBhu5LqWD9BYxmO0MiFsvga3SgMZtEc5yVLdDkK50BgT5gjyHuvjinK6jo5FNnS6FvhF3bL2Q3lFajqy1IAWS7s/s1600/header.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="744" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiepUOkbvcizwxZQ4aO75-j1tv2mpr0HwehVe0tULHsEXX_SAJsuT-6zCBhu5LqWD9BYxmO0MiFsvga3SgMZtEc5yVLdDkK50BgT5gjyHuvjinK6jo5FNnS6FvhF3bL2Q3lFajqy1IAWS7s/s400/header.jpg" width="400" />
</a>
</div>
<br />
<br />
<br />
<br />
<br />
I would like to share a short but useful experience that I had a few days ago while running a project for a customer. The project consisted of installing and configuring a Synology NAS. The given NAS has some interesting capabilities, such as virtualization through a QEMU engine, among others. So, I dedicated one NIC to the NAS's own I/O and the others to the I/O of the VMs. The challenge started when I was configuring the physical NICs for the VMs, because I wanted to configure them purely as Ethernet pass-through, without the host (NAS) holding any IP address on them. Synology DSM has a straightforward option for disabling IPv6 through the GUI. It is very intuitive, just follow the path <i>"Control Panel -> Network -> Network Interface -> LAN X -> Edit -> IPv6 -> IPv6 setup = Off"</i>, and that is it. But the behavior changes for IPv4. That is to say, for IPv4 Synology DSM offers only two options through the GUI (getting an IPv4 address by DHCP, or static assignment). I did not want to set a static IPv4 address on the physical NICs dedicated to the VMs, nor get one by DHCP. In addition, as expected, if a NIC is placed in a VLAN without a DHCP server (a DMZ, for instance), the given NIC sets an APIPA address (even when the interface is disconnected).
<br />
<br />
Refer to the following screenshots to get a better idea of it.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg31TtrwVaM8U8qiHZEJ49yE-g8Vs72pSe8y6wZ7AxH1sVaGs6kO96A5i53dBThIQYdlrXxeqyeLI1FyZ4zOnQUoTOoMf3Zd-fdo6SfJG0LaB2Lf2aWQ1ZzSyOSf29vdd4dH9PTIsMi3DC/s1600/A01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1293" data-original-width="1600" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg31TtrwVaM8U8qiHZEJ49yE-g8Vs72pSe8y6wZ7AxH1sVaGs6kO96A5i53dBThIQYdlrXxeqyeLI1FyZ4zOnQUoTOoMf3Zd-fdo6SfJG0LaB2Lf2aWQ1ZzSyOSf29vdd4dH9PTIsMi3DC/s400/A01.png" width="400" />
</a>
</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoWHEk5fcOelFmKRz3GcuupVhgUV7XKChJrAI1phVqmzdBggQQx8WXwgyHvKewZT8rphz7FeSERs0jIr6DZsVkPhYphBtq2ybF-qLDCvTYJG7zeWxGF1Bh3Ghf2sQiVV1D8NyTLlrUcdut/s1600/A02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1096" data-original-width="1381" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoWHEk5fcOelFmKRz3GcuupVhgUV7XKChJrAI1phVqmzdBggQQx8WXwgyHvKewZT8rphz7FeSERs0jIr6DZsVkPhYphBtq2ybF-qLDCvTYJG7zeWxGF1Bh3Ghf2sQiVV1D8NyTLlrUcdut/s400/A02.png" width="400" />
</a>
</div>
<br />
<br />
Therefore, after some research without any positive results, I fixed this inconvenience through the following steps (DISCLAIMER: the procedure is NOT documented by Synology).
<br />
<br />
My first attempt was setting up a script to flush any IPv4 address from the NICs dedicated to the VMs. The script was run during the NAS boot-up process. It worked, but only for a few seconds, because DSM sends a DHCP Discover every 60 seconds.
<br />
<br />
<i>ip addr flush dev ovs_eth1<br />
ip addr flush dev ovs_eth2<br />
ip addr flush dev ovs_eth3</i>
<br />
<br />
<br />
Eventually, I was forced to disable dhclient in an abrupt manner: I did it by removing the dhclient "executable" (keeping a copy of it).
<br />
<br />
<i>cp /usr/sbin/dhclient /usr/sbin/dhclient-COPY && rm /usr/sbin/dhclient</i>
<br />
<br />
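The flush step above only makes sense if you can tell which of the VM-dedicated NICs still hold an IPv4 address, and the APIPA address the post mentions (169.254.0.0/16) is the tell-tale of a NIC that is still running a DHCP client in a VLAN without a DHCP server. The following Python script is an added example, not code from the post or from Synology: it parses the output of <i>ip -4 -o addr show</i>, reports APIPA addresses per interface, and lists which VM NICs still need the flush. The interface names ovs_eth1..ovs_eth3 come from the post; the sample output embedded in the script is constructed. Because the post's final step removes dhclient system-wide, the script assumes the management NIC (ovs_eth0 in the sample) already has a static address.

```python
from __future__ import annotations

# Added example (not from the original post): check the IPv4 state of the NICs
# dedicated to the VMs on a Linux host with iproute2, such as Synology DSM.
import ipaddress
import subprocess

VM_NICS = ("ovs_eth1", "ovs_eth2", "ovs_eth3")          # from the post's flush script
APIPA = ipaddress.ip_network("169.254.0.0/16")          # link-local / APIPA range


def parse_ip4_addrs(output: str) -> dict[str, list[str]]:
    """Map interface name -> IPv4 addresses (without prefix length).

    Each line of `ip -4 -o addr show` looks like
    '3: ovs_eth1    inet 169.254.23.117/16 brd 169.254.255.255 scope link ovs_eth1 ...'
    so field 1 is the interface and field 3 the address/prefix.
    """
    addrs: dict[str, list[str]] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        addrs.setdefault(fields[1], []).append(fields[3].split("/")[0])
    return addrs


def apipa_addrs(output: str) -> dict[str, list[str]]:
    """Only the addresses inside 169.254.0.0/16, keyed by interface."""
    result: dict[str, list[str]] = {}
    for iface, addrs in parse_ip4_addrs(output).items():
        hits = [a for a in addrs if ipaddress.ip_address(a) in APIPA]
        if hits:
            result[iface] = hits
    return result


def nics_to_flush(output: str, vm_nics=VM_NICS) -> list[str]:
    """VM NICs that still carry any IPv4 address, i.e. where the post's
    `ip addr flush dev <nic>` still has work to do (order follows vm_nics)."""
    have_addr = parse_ip4_addrs(output)
    return [nic for nic in vm_nics if have_addr.get(nic)]


def live_nics_to_flush() -> list[str]:
    """Run the same check against the live system (needs the `ip` command)."""
    out = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return nics_to_flush(out)


# Constructed sample of `ip -4 -o addr show` taken before the flush: the
# management NIC has a static address, two VM NICs fell back to APIPA.
SAMPLE_BEFORE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: ovs_eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global ovs_eth0\\       valid_lft forever preferred_lft forever
3: ovs_eth1    inet 169.254.23.117/16 brd 169.254.255.255 scope link ovs_eth1\\       valid_lft forever preferred_lft forever
4: ovs_eth2    inet 169.254.201.4/16 brd 169.254.255.255 scope link ovs_eth2\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    print("APIPA addresses:", apipa_addrs(SAMPLE_BEFORE))
    print("VM NICs to flush:", nics_to_flush(SAMPLE_BEFORE))
    for nic in nics_to_flush(SAMPLE_BEFORE):
        print(f"ip addr flush dev {nic}")
```

Running the script against the sample prints the two APIPA interfaces and the two flush commands; on the NAS itself, <i>live_nics_to_flush()</i> gives the same answer from the real interface state, which is a convenient check to run after a DSM update to see whether dhclient has come back.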
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheUbFaPNHLYO9NKzutvBzSP6sTNDMhu2axJfGwXh1FN_a_nuq-D9wMmwhJpHMlogn41WdsRIM8iYDZobCdfPYIgzEKo4L7ebN15XRQhJwyHvj9DtIo-cLm91kJB2ynAz9Tqc4Bpcnui0iS/s1600/B01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheUbFaPNHLYO9NKzutvBzSP6sTNDMhu2axJfGwXh1FN_a_nuq-D9wMmwhJpHMlogn41WdsRIM8iYDZobCdfPYIgzEKo4L7ebN15XRQhJwyHvj9DtIo-cLm91kJB2ynAz9Tqc4Bpcnui0iS/s400/B01.png" width="400" height="322" data-original-width="1600" data-original-height="1288" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEwk62U1prlWazt98isW6yyo3rINNLKi8mJsL0yDifKEaEnfFybBVzXkcx6xTMFA-pw832yhSurhfQpAklkrT9J7ZbVpqfd8nszc1G4BBJReDp0KZfGO9a27Ys_llhd8Rr9vPjtVus3eIa/s1600/B02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEwk62U1prlWazt98isW6yyo3rINNLKi8mJsL0yDifKEaEnfFybBVzXkcx6xTMFA-pw832yhSurhfQpAklkrT9J7ZbVpqfd8nszc1G4BBJReDp0KZfGO9a27Ys_llhd8Rr9vPjtVus3eIa/s400/B02.png" width="400" height="296" data-original-width="1375" data-original-height="1018" /></a></div>
<br />
<br />
In conclusion, it is working, but if somebody has a suggestion, please share it so this can be improved.
<br />
<br />
Performing a Transparent Proxy by running PFSense Firewall + Cisco Route-Maps
<br />
Published 2017-08-08 by Gerardo Marciales
<style media="screen" type="text/css">
<!--
.text_area { color: yellow; background-color: black; scroll: yes }
-->
</style>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-pLCfgUbhN2rpH1uBufBv9TMK2OSv5KtDI7PgnpBr89ekoIdxlWShL5nQZg6th6iVJkv8MU9bZBKVzVMuutJKiooxMwTOyKa1q39yENK9bXiKk82KYedqY4AiO7YxnMbxIzYmFtC5f166/s1600/Topology.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-pLCfgUbhN2rpH1uBufBv9TMK2OSv5KtDI7PgnpBr89ekoIdxlWShL5nQZg6th6iVJkv8MU9bZBKVzVMuutJKiooxMwTOyKa1q39yENK9bXiKk82KYedqY4AiO7YxnMbxIzYmFtC5f166/s400/Topology.png" width="400" height="277" data-original-width="1600" data-original-height="1106" /></a></div>
<p>
<p>
Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal communications at the network layer without requiring any special client configuration. <a href="https://en.wikipedia.org/wiki/Proxy_server#Transparent_proxy" target="_blank">(Wiki)</a>
<p>
<p>
There are several options for performing a transparent proxy, Squid being one of the most popular pieces of software for it. The easiest way to implement a transparent proxy is to set it up as the default gateway. Nevertheless, that is not possible in every scenario. So, the Web Cache Communication Protocol (WCCP) was developed by Cisco Systems and adopted by other vendors. WCCP is one of the best choices for a transparent proxy; however, it increases the setup complexity on the server side. Therefore, to simplify the implementation, I decided to do it differently, by running route-maps.
<p>
<p>
Let’s check the following configuration in order to accomplish this job.
<p>
Lab resources:<br>
GNS3 (2.0.3) and VMWare WorkStation (12.5.7) as the framework.<br>
Router image. (vios-adventerprisek9-m)<br>
MLS Switch image. (vios_l2-adventerprisek9-m)<br>
PFSense (community 2.3.4)<br>
PC client. (Linux box 3.16.6-tinycore)<br>
<p>
<p>
The focus of this configuration is the interaction between PFSense and the MLS Switch.
<p>
<p>
PFSense was started from a fresh installation. Only one NIC was added, therefore VLAN sub-interfaces had to be configured. VLAN10 has the subnet 172.16.0.0/27, while VLAN20 has the subnet 172.16.1.0/31. The default route was placed on VLAN20, so packets coming from VLAN10 are forwarded through VLAN20. In addition, NAT was completely disabled. Then, the Squid and iftop packages were installed. Once Squid was installed and started, some basic changes were necessary to enable the transparent proxy feature.
<p>
<p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEoa7WOyDwrBkRWNgUk4iGdzVDmT-xDxAJRMyv3GSuYsVAiaetkSQtnfrdfSlumFi1FTa9-SMwDY1EOUlUXCTC7JmVucT0e73oDIR2_Is5CpSFg60umoPBuqssDnRWpDhqx6lLB0bh5SBo/s1600/PF01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEoa7WOyDwrBkRWNgUk4iGdzVDmT-xDxAJRMyv3GSuYsVAiaetkSQtnfrdfSlumFi1FTa9-SMwDY1EOUlUXCTC7JmVucT0e73oDIR2_Is5CpSFg60umoPBuqssDnRWpDhqx6lLB0bh5SBo/s400/PF01.png" width="400" height="309" data-original-width="1600" data-original-height="1236" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoHubYPCGtb9tZPeUwJXWdjl-Vw24n5_RkzWzSC2F0E-F47PjTVgRXVeZM2HHUOHZlHk_qIdb0xiA4eyTIumLx1DdBqThRrsiMHQJyGBGRwfRTuLolxQtxYyghaPLnhU650BxsGuxVcTvJ/s1600/PF02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoHubYPCGtb9tZPeUwJXWdjl-Vw24n5_RkzWzSC2F0E-F47PjTVgRXVeZM2HHUOHZlHk_qIdb0xiA4eyTIumLx1DdBqThRrsiMHQJyGBGRwfRTuLolxQtxYyghaPLnhU650BxsGuxVcTvJ/s400/PF02.png" width="400" height="309" data-original-width="1600" data-original-height="1234" /></a></div>
<p>
<p>
The next step was configuring the MLS Switch (or router). IP policy routing was enabled on SVI Vlan10, so that packets matching the policy are forwarded to PFSense, while all other packets continue along the path established by the routing table.
Below are the router and MLS configurations, to give a better picture of what has been described so far.
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
Building configuration...
Current configuration : 4568 bytes
!
! Last configuration change at 20:05:50 UTC Tue Aug 8 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname mls
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
vtp mode transparent
!
ip dhcp excluded-address 172.16.0.29 172.16.0.30
!
ip dhcp pool DHCP-POOL-VLAN10
network 172.16.0.0 255.255.255.224
default-router 172.16.0.1
dns-server 10.10.10.1
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10,20
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
switchport access vlan 10
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0
no switchport
ip address 10.10.10.0 255.255.255.254
negotiation auto
!
interface GigabitEthernet1/0
switchport access vlan 10
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 10
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
!
interface Vlan10
ip address 172.16.0.1 255.255.255.224
ip policy route-map RM-PROXY
!
interface Vlan20
ip address 172.16.1.0 255.255.255.254
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 254
!
ip access-list extended ACL-ROUTE-MAP
permit tcp 172.16.0.0 0.0.0.31 any eq www 443
!
ip sla 1
icmp-echo 172.16.0.29 source-ip 172.16.0.1
threshold 500
timeout 1000
frequency 1
ip sla schedule 1 start-time now
ip sla logging traps
!
route-map RM-PROXY permit 10
match ip address ACL-ROUTE-MAP
set ip next-hop verify-availability 172.16.0.29 20 track 1
!
route-map RM-PROXY permit 20
match ip address ACL-ROUTE-MAP
set ip next-hop 172.16.0.29
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
</textarea>
</div>
<p>
<p>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
sh runn
Building configuration...
Current configuration : 3402 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip name-server 172.16.118.2
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.254
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 172.16.118.254 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list ACL-PAT-VLAN10 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 172.16.118.2 254
ip route 172.16.0.0 255.255.255.224 10.10.10.0
ip route 172.16.1.0 255.255.255.254 10.10.10.0
!
ip access-list extended ACL-PAT-VLAN10
permit ip 172.16.0.0 0.0.0.31 any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end
</textarea>
</div>
<p>
<p>
Results:<br>
As the screenshots show, once the IP policy is up, every packet addressed to an L4 port defined in the extended ACL is forwarded to the PFSense box, to be allowed or denied according to the Squid policy already defined. For example, the first screenshot shows that the browser got access to Google. Note that the certificate is not Google's valid certificate but a self-signed one, yet the access was permitted. The next screenshot shows that even though Facebook is carried over SSL, the access was denied.
<p>
<p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNl7W3HarF9DndcGIigv-JS4Em3BdM1ecv_Ppv7tCECKdUawy4VVFGd8RFlp9pWh9jw7BSWINlzyGKAsLhF4EOr9m_Cj-wXBETznWGCyYeswikUL5THUL2UvtL9S9gLyFSfduujzgSKzK0/s1600/results01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNl7W3HarF9DndcGIigv-JS4Em3BdM1ecv_Ppv7tCECKdUawy4VVFGd8RFlp9pWh9jw7BSWINlzyGKAsLhF4EOr9m_Cj-wXBETznWGCyYeswikUL5THUL2UvtL9S9gLyFSfduujzgSKzK0/s400/results01.png" width="400" height="225" data-original-width="1600" data-original-height="900" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9ILyxjdsov39LuwRJW-5NzBLflXPj3lstAMy27WD9AVRbU52IVS-bh6edjHhUAhPDkf7H70oA7QpTStmYCFLt47Ii4f-PJ6pA9jW5e8cDcn_b2W825pyd0whqJdlq1bwCqAmLYP3nFBtG/s1600/results02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9ILyxjdsov39LuwRJW-5NzBLflXPj3lstAMy27WD9AVRbU52IVS-bh6edjHhUAhPDkf7H70oA7QpTStmYCFLt47Ii4f-PJ6pA9jW5e8cDcn_b2W825pyd0whqJdlq1bwCqAmLYP3nFBtG/s400/results02.png" width="400" height="225" data-original-width="1600" data-original-height="900" /></a></div>
<p>
<p>
The boxes below show the current status of the IP policy and each of its elements.
<p>
<p>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="15">
sh ip sla statistics details
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Latest RTT: 1 milliseconds
Latest operation start time: 21:05:48 UTC Tue Aug 8 2017
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 3542
Number of failures: 29
Operation time to live: 0
Operational state of entry: Inactive
Last time this entry was reset: Never
</textarea>
</div>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="10">
sh track
Track 1
IP SLA 1 reachability
Reachability is Up
2 changes, last change 01:44:47
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
Route Map 0
</textarea>
</div>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="15">
sh route-map
route-map RM-PROXY, permit, sequence 10
Match clauses:
ip address (access-lists): ACL-ROUTE-MAP
Set clauses:
ip next-hop verify-availability 172.16.0.29 20 track 1 [up]
Policy routing matches: 6105 packets, 458966 bytes
route-map RM-PROXY, permit, sequence 20
Match clauses:
ip address (access-lists): ACL-ROUTE-MAP
Set clauses:
ip next-hop 172.16.0.29
Policy routing matches: 0 packets, 0 bytes
</textarea>
</div>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="5">
sh ip policy
Interface Route map
Vlan10 RM-PROXY
</textarea>
</div>
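Two properties of the MLS configuration above matter from a security standpoint and are easy to lose sight of: ACL-ROUTE-MAP only diverts TCP 80 and 443 from 172.16.0.0/27, so anything else from VLAN10 (other ports, UDP) is routed normally and never sees the proxy; and because sequence 10 of RM-PROXY uses <i>verify-availability ... track 1</i>, the policy fails open when the track goes down, which is exactly what the <i>sh route-map</i> output above shows (sequence 20 has 0 matches, since the first matching sequence wins and sequence 20 is never consulted). The following Python model is an added example, not IOS and not code from the post: it reproduces that decision logic for sample flows so the bypass cases can be enumerated. It assumes IOS policy-routing semantics as described (first matching sequence wins; a verified next-hop whose track is down is skipped and the packet falls back to the routing table) and considers only destinations reached through the default route, 10.10.10.1; the flows are constructed.

```python
from __future__ import annotations

# Added example (not from the original post): a model of RM-PROXY on interface Vlan10,
# used to enumerate which flows bypass the transparent proxy and why.
import ipaddress
from dataclasses import dataclass

PROXY_NEXT_HOP = "172.16.0.29"                   # PFSense on VLAN10, from the post
DEFAULT_GATEWAY = "10.10.10.1"                   # ip route 0.0.0.0 0.0.0.0 10.10.10.1 254
VLAN10 = ipaddress.ip_network("172.16.0.0/27")   # 172.16.0.0 0.0.0.31 in ACL-ROUTE-MAP
ACL_PORTS = (80, 443)                            # eq www 443


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def acl_route_map_permits(flow: Flow) -> bool:
    """permit tcp 172.16.0.0 0.0.0.31 any eq www 443 (implicit deny for everything else)."""
    return (flow.proto == "tcp"
            and ipaddress.ip_address(flow.src) in VLAN10
            and flow.dport in ACL_PORTS)


def routing_decision(flow: Flow, track1_up: bool) -> tuple[str, str]:
    """Return (next hop, reason) for a packet entering Vlan10.

    Models the assumed IOS behaviour: route-map sequences are evaluated in order and the
    first one whose match clause matches is applied; a `set ip next-hop verify-availability`
    whose track object is down is skipped, so the packet is routed by the routing table.
    Sequence 20 is therefore never reached (it matches the same ACL as sequence 10).
    """
    if not acl_route_map_permits(flow):
        return DEFAULT_GATEWAY, "not matched by ACL-ROUTE-MAP: routed normally"
    if track1_up:
        return PROXY_NEXT_HOP, "RM-PROXY seq 10: next-hop 172.16.0.29 verified up"
    return DEFAULT_GATEWAY, "RM-PROXY seq 10: track 1 down, fail-open to routing table"


def flows_bypassing_proxy(flows: list[Flow], track1_up: bool = True) -> list[tuple[Flow, str]]:
    """Flows that reach the Internet without passing through PFSense, with the reason."""
    bypassed = []
    for flow in flows:
        hop, reason = routing_decision(flow, track1_up)
        if hop != PROXY_NEXT_HOP:
            bypassed.append((flow, reason))
    return bypassed


# Constructed sample flows (203.0.113.10 is a TEST-NET-3 address standing in for a web server).
SAMPLE_FLOWS = [
    Flow("172.16.0.5", "203.0.113.10", "tcp", 443),    # HTTPS from VLAN10: proxied
    Flow("172.16.0.5", "203.0.113.10", "tcp", 80),     # HTTP from VLAN10: proxied
    Flow("172.16.0.5", "203.0.113.10", "tcp", 8080),   # alternate HTTP port: bypasses the proxy
    Flow("172.16.0.5", "203.0.113.10", "udp", 443),    # QUIC-style UDP/443: bypasses the proxy
    Flow("172.16.0.40", "203.0.113.10", "tcp", 443),   # source outside 172.16.0.0/27: bypasses
]

if __name__ == "__main__":
    for state in (True, False):
        print(f"track 1 {'up' if state else 'down'}:")
        for flow in SAMPLE_FLOWS:
            hop, reason = routing_decision(flow, state)
            print(f"  {flow.proto}/{flow.dport} from {flow.src} -> {hop}  ({reason})")
```

With track 1 up, the model lists the three bypassing flows (port 8080, UDP/443 and the out-of-range source); with track 1 down, every flow goes to 10.10.10.1, which is the fail-open the conclusion of the post describes as a feature. A defender who wants the policy to be enforced rather than best-effort should therefore alert on the track state (the <i>ip sla logging traps</i> line in the configuration is the hook for that) and decide deliberately whether the fallback should be the default gateway or a drop.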
<p>
<p>
Troubleshooting:<br>
Adding a new statement that includes the ICMP protocol at the top of the route-map ACL, and launching a traceroute from the client host, gives a step-by-step view of how the packets are being carried. Also, iftop can be launched on the PFSense box to display the packets coming in and going out on each VLAN sub-interface.
<p>
<p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzGkume38wZxTPTXtI6IigO_AVjU0gwwZkkCrLQY6Bl_rp6RvBqYUmMDdzHkLYsKcVOBZBkdZdCEYc7GtcXNoj_1ASy0Ae3XUl88TrBiyo9vq2Inw_oRYsAsr5uZXX9n8-ApZ0lbLO_I3/s1600/TS01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzGkume38wZxTPTXtI6IigO_AVjU0gwwZkkCrLQY6Bl_rp6RvBqYUmMDdzHkLYsKcVOBZBkdZdCEYc7GtcXNoj_1ASy0Ae3XUl88TrBiyo9vq2Inw_oRYsAsr5uZXX9n8-ApZ0lbLO_I3/s400/TS01.png" width="400" height="225" data-original-width="1600" data-original-height="900" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIvcSkZXISmbrhTbh6J4mBJ2eMlHFzWMp5JzeE6YAUs2XAXbqJQB4Kb_Y-Z5G6ALg-ZhF-MjiDMyoxr7e6ybp8WIZJwXxSul0lEqgnHgFRkuV6rmUuDC4ThyphenhyphenHZMv7DHbT4WgFjIRq72pvp/s1600/TS02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIvcSkZXISmbrhTbh6J4mBJ2eMlHFzWMp5JzeE6YAUs2XAXbqJQB4Kb_Y-Z5G6ALg-ZhF-MjiDMyoxr7e6ybp8WIZJwXxSul0lEqgnHgFRkuV6rmUuDC4ThyphenhyphenHZMv7DHbT4WgFjIRq72pvp/s400/TS02.png" width="400" height="236" data-original-width="1444" data-original-height="851" /></a></div>
<p>
<p>
<p>
Conclusion:<br>
As we can see, this is an option when a transparent proxy needs to be run. It does not need any configuration on the client side. Also, if the transparent proxy stops, the clients still reach their destination, and most importantly, HTTP/HTTPS policies can be applied.
<br />
<br />
Graylog GNS3 VMWare Cisco Systems Ubuntu Linux
<br />
Published 2017-06-10 by Gerardo Marciales
<br />
<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/BgyGcAaorIU" width="480"></iframe>
<br />
<br />
Implementing VLAN ACLs in a Cisco Systems Switch
<br />
Published 2017-01-30 by Gerardo Marciales
<style media="screen" type="text/css">
<!--
.text_area { color: yellow; background-color: black; scroll: yes }
-->
</style>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtiOp0kmFXEDu2sFnK4ErI8pVrIR6W3yEs0xTEWDVJyhLYYNlHdkRvGK-1x-6OKc_GLQR8m9NkHwnbZAO6BSttYJ1FvxJxy1Grnh3QTH6i6st_81HrRKCaNVJbawm_Xa5xh6WtFho4W-3Z/s1600/VACL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtiOp0kmFXEDu2sFnK4ErI8pVrIR6W3yEs0xTEWDVJyhLYYNlHdkRvGK-1x-6OKc_GLQR8m9NkHwnbZAO6BSttYJ1FvxJxy1Grnh3QTH6i6st_81HrRKCaNVJbawm_Xa5xh6WtFho4W-3Z/s320/VACL.png" width="320" height="318"/>
</a>
</div>
</p>
</p>
How many times have we needed to protect a given host from its neighbors in the same broadcast domain (VLAN)? As is widely known, this is often done by implementing local firewalls on workstations and servers. For example, Linux has iptables, Windows since XP includes Windows Firewall, and Apple OS-X has a firewall service as well. The requirement can also be met by third-party products such as Symantec, F-Secure and so on.
</p>
The following example demonstrates how a Cisco Systems switch is able to achieve this goal by implementing VLAN ACLs (VACLs). Please keep in mind that there is no routing process involved; moreover, the switch does not even have IP routing enabled.
</p>
The topology has nothing specialized: only three computers connected to a switch. One of them runs Linux, another runs Windows and the third runs OS-X. The switch is a Cisco Systems Catalyst 3560 running IOS c3560-ipservicesk9-mz.122-55.SE11.bin. In addition, the switch has almost its default configuration; I only added VLAN11 and a few more commands, nothing special. The initial configuration is shared below.
</p>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch01
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 11
name Lab
!
!
!
!
interface FastEthernet0/1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/24
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/25
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/26
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/27
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/28
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/29
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/30
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/31
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/32
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/33
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/34
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/35
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/36
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/37
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/38
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/39
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/40
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/41
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/42
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/43
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/44
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/45
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/46
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/47
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/48
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
no ip address
shutdown
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
line con 0
line vty 5 15
!
end
</textarea>
</div>
</p>
Each computer has a static IP address assigned:
<br/>
192.168.11.1/24 -> Windows computer
<br/>
192.168.11.11/24 -> Linux box
<br/>
192.168.11.111/24 -> Apple computer
<br/>
</p>
By the way, the switch has no IP address assigned, because none is required: a VACL is applied to the VLAN's forwarding path, so the switch needs no SVI for this and is managed out of band over its console port.
</p>
The Windows computer has Windows Firewall disabled and File and Printer Sharing (SMB) enabled.
</p>
The Linux box publishes three folders, each one served by running <span style="font-weight:bold;color:orange">python -m SimpleHTTPServer TCP-PORT</span> inside the folder (Python 2; the Python 3 equivalent is <span style="font-weight:bold;color:orange">python3 -m http.server TCP-PORT</span>). Each folder gets its own TCP port, 10001 through 10003.
</p>
The OS X computer manages the switch through a serial port, pings Windows (192.168.11.1) and the Linux box (192.168.11.11), displays the content of each web folder (Text01, Text02...) and connects to the Windows computer through SMB. Everything happens as expected: nothing fancy so far.
</p>
The interesting part starts once the VACL commands are entered on the switch. As you can notice in the video below, the Windows computer keeps working normally: it still answers PING and still shares its folders, because no access-map entry with an action of drop matches traffic addressed to it.
</p>
The lab focuses on the Linux box. After the VACL is applied, the Linux box stops answering PING, and TCP port 10003 is no longer reachable from hosts in the same VLAN; only the folders on ports 10001 and 10002 remain available.
</p>
The video below walks through the described topology step by step.
</p>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="yes" frameborder="0" height="344" src="https://www.youtube.com/embed/egLXZXzQTI0" width="459">
</iframe>
</div>
</p>
The VLAN ACL commands are shared below. Read them top to bottom: entries 10 and 20 forward the two permitted web folders, entry 30 drops everything else addressed to the Linux box (PING and port 10003 included) and entry 40 forwards all remaining traffic. Entry 40 matters: when a VLAN map has at least one IP match clause, IP packets that match no entry are dropped implicitly. Also keep in mind that a VACL is stateless; <i>established</i> only tests the ACK or RST bits of a TCP segment, it does not track connections.
</p>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
vlan access-map VACCESS-MAP-11 10
action forward
match ip address VACL11-webfolder01
vlan access-map VACCESS-MAP-11 20
action forward
match ip address VACL11-webfolder02
vlan access-map VACCESS-MAP-11 30
action drop
match ip address VACL11-Ubuntu
vlan access-map VACCESS-MAP-11 40
action forward
ip access-list extended VACL11-webfolder01
permit tcp any any eq 10001
permit tcp host 192.168.11.11 any established
ip access-list extended VACL11-webfolder02
permit tcp any any eq 10002
permit tcp host 192.168.11.11 any established
ip access-list extended VACL11-Ubuntu
permit ip any host 192.168.11.11
vlan filter VACCESS-MAP-11 vlan-list 11
</textarea>
</div>
</p>
</br>
In addition to the first example, I would like to share one more example.
</p>
The next example consists of only two computers connected to a Cisco Systems switch. The switch is almost at its default configuration; only the switch ports have been set to access mode, so everything runs in VLAN 1.
</p>
Each computer has two IP addresses statically assigned:
<br/>
192.168.100.11/24 and 192.168.200.11/24 - - > Apple computer
<br/>
192.168.100.12/24 and 192.168.200.12/24 - - > Linux box
</br>
As the video shows, each computer can send and answer PING without any problem. But as soon as the VACL is deployed on the switch the picture changes: traffic between the 192.168.200.0/24 addresses suddenly stops, while 192.168.100.0/24 keeps working.
</p>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="yes" frameborder="0" height="344" src="https://www.youtube.com/embed/33-NvWesGPs" width="459">
</iframe>
</div>
</p>
The VLAN ACL commands are shared below. This time the map has a single entry and no catch-all, so the implicit drop does the work: any IP packet whose source is outside 192.168.100.0/24 is discarded. That covers the 192.168.200.0/24 traffic, but also anything else sourced from another address, a DHCP discover from 0.0.0.0 for instance, which is worth remembering before applying a map like this one to a production VLAN.
</p>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="10">
ip access-list standard VACL-VLAN1
permit 192.168.100.0 0.0.0.255
vlan access-map VACCESS-MAP-1 10
action forward
match ip address VACL-VLAN1
vlan filter VACCESS-MAP-1 vlan-list 1
</textarea>
</div>
</p>
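To make the two behaviours above concrete, here is a small Python model of how a Catalyst evaluates a VLAN access-map. It is an added example, not code from this post or from Cisco: it parses the VACL text of both labs as shown above (the <i>vlan filter</i> lines are left out because they only bind the map to a VLAN), applies the map to constructed packets and reproduces the videos: in the first lab port 10003 and PING to the Linux box are dropped while the Windows box is untouched, and in the second lab everything sourced outside 192.168.100.0/24 is dropped because the map has an IP match clause and no catch-all entry. The wildcard-mask logic and the implicit-drop rule follow the Catalyst documentation; source-port operators and MAC ACLs are not modelled.

```python
"""Model of how a Cisco Catalyst VLAN access-map (VACL) decides an IP packet.
Added example, not code from the post: it parses the VACL text of both labs
above and applies it to constructed packets, reproducing what the videos show,
including the implicit drop when a map with an IP match clause matches nothing.
Source-port operators and MAC ACLs are not modelled."""
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))

def _parse_ace(kind, tok):
    """One permit/deny line -> (action, proto, src, dst, dport, established)."""
    action, rest = tok[0], tok[1:]
    if kind == "standard":                     # a standard ACL tests the source only
        return action, "ip", _addr_spec(rest), (0, 0xFFFFFFFF), None, False
    proto = rest.pop(0)
    src, dst = _addr_spec(rest), _addr_spec(rest)   # evaluated left to right
    dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    return action, proto, src, dst, dport, "established" in rest

def parse_config(text):
    """Return (acls, maps): acls[name] = (kind, [ace]); maps[name] = [[seq, action, acl]]."""
    acls, maps, cur_acl, cur_map = {}, {}, None, None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["ip", "access-list"]:
            cur_acl, cur_map = tok[3], None
            acls[cur_acl] = (tok[2], [])
        elif tok[:2] == ["vlan", "access-map"]:
            cur_acl, cur_map = None, tok[2]
            maps.setdefault(cur_map, []).append([int(tok[3]), None, None])
        elif tok and tok[0] in ("permit", "deny") and cur_acl:
            acls[cur_acl][1].append(_parse_ace(acls[cur_acl][0], tok))
        elif tok and tok[0] == "action" and cur_map:
            maps[cur_map][-1][1] = tok[1]
        elif tok[:3] == ["match", "ip", "address"] and cur_map:
            maps[cur_map][-1][2] = tok[3]
    return acls, maps                          # 'vlan filter' lines are ignored

def acl_permits(acl, src, dst, proto, dport, established):
    """First matching ACE wins; a packet that matches no ACE is not selected."""
    for action, a_proto, (sb, sw), (db, dw), a_dport, a_est in acl[1]:
        if a_proto != "ip" and a_proto != proto:
            continue
        # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care"
        if (_ip(src) | sw) != (sb | sw) or (_ip(dst) | dw) != (db | dw):
            continue
        if (a_dport is not None and dport != a_dport) or (a_est and not established):
            continue
        return action == "permit"
    return False

def vacl_action(acls, entries, *pkt):
    """Walk the map in sequence order; an entry with no match clause matches everything.
    No match at all: drop if the map has any IP match clause (Catalyst implicit drop)."""
    for _, action, acl in sorted(entries, key=lambda e: e[0]):
        if acl is None or acl_permits(acls[acl], *pkt):
            return action
    return "drop" if any(acl for _, _, acl in entries) else "forward"

# VACL text of both labs, copied from the post ('vlan filter' lines left out).
CONFIG = """
vlan access-map VACCESS-MAP-11 10
 action forward
 match ip address VACL11-webfolder01
vlan access-map VACCESS-MAP-11 20
 action forward
 match ip address VACL11-webfolder02
vlan access-map VACCESS-MAP-11 30
 action drop
 match ip address VACL11-Ubuntu
vlan access-map VACCESS-MAP-11 40
 action forward
ip access-list extended VACL11-webfolder01
 permit tcp any any eq 10001
 permit tcp host 192.168.11.11 any established
ip access-list extended VACL11-webfolder02
 permit tcp any any eq 10002
 permit tcp host 192.168.11.11 any established
ip access-list extended VACL11-Ubuntu
 permit ip any host 192.168.11.11
ip access-list standard VACL-VLAN1
 permit 192.168.100.0 0.0.0.255
vlan access-map VACCESS-MAP-1 10
 action forward
 match ip address VACL-VLAN1
"""
ACLS, MAPS = parse_config(CONFIG)

def decide(map_name, src, dst, proto="ip", dport=0, established=False):
    """Action ('forward' or 'drop') the named VLAN map applies to one packet.
    dport is 0 for protocols without ports; established marks a TCP ACK/RST segment."""
    return vacl_action(ACLS, MAPS[map_name], src, dst, proto, dport, established)
```

Calling decide("VACCESS-MAP-11", "192.168.11.111", "192.168.11.11", "tcp", 10003) returns "drop"; swap the port for 10001 and it returns "forward". The same call against "VACCESS-MAP-1" with a 0.0.0.0 source also returns "drop", which is the DHCP discover case to check before deploying a map like the second one on a VLAN that relies on DHCP.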
Conclusion:
</p>
Deploying VACLs is a useful security control for our networks: the filtering happens in the switch, on traffic that never leaves the VLAN and that a router ACL would therefore never see. In this manner an administrator can avoid applying the filtering locally on servers and workstations and instead enforce it in specialized equipment, saving host resources and getting more granular control over intra-VLAN traffic. The price is that a VACL is stateless and, as the second example shows, silently drops whatever it is not told to forward, so every map should be tested against the traffic that has to keep working.
Gerardo Marcialeshttp://www.blogger.com/profile/02539937911933559463noreply@blogger.com0tag:blogger.com,1999:blog-3949123573880313438.post-82453036956921221862015-08-09T19:06:00.000-07:002015-08-09T19:10:45.923-07:00Application layer inspection firewall<head>
<meta content='Information Technology - Gerardo Marciales' name='description'/>
<meta content='Information Technology - Gerardo Marciales, Cisco Systems, Microsoft, Apple, Kerio, Router, Switch, VLAN, VPN, IPSec, Security, Seguridad, Routing, Oracle, VirtualBox, Parallels, MAC OS X, PPTP, TCP/IP, Mikrotik, PFSense, Wireshark, Sniffer, GNS3' name='keywords'/>
<meta content='Information Technology - Gerardo Marciales' name='author'/>
<meta content='index,follow' name='robots'/>
</head>
<style media="screen" type="text/css">
<!--
.text_area { color: yellow; background-color: black; scroll: yes }
-->
</style>
Routers are layer 3 devices in the OSI model, but current routers are also able to operate on higher layers, up to layer 7 (Application Layer).
</br>
Among these new capabilities, vendors have introduced security features such as application inspection.
</br>
These improvements give us more control over the communication, breaking the old assumption that the port identifies the protocol (HTTP = TCP 80, VNC = TCP 5900, Microsoft Terminal Server = TCP 3389...).
</br>
</br>
I would like to demonstrate application inspection from two network vendors: Cisco Systems and Kerio Technologies.
</br>
Cisco Systems introduced the Zone-Based Firewall in 2006, and Kerio Technologies introduced its Content Filter in 2013.
</br>
</br>
Below are two lab environments.
</br>
</br>
Scenario:
</br>
A network admin did a typical configuration, using an L3/L4 extended ACL that allows only TCP traffic with destination port 80 from network A to network B. Later the admin discovered a security risk: some users had changed the Microsoft Terminal Server service port from the default TCP 3389 to TCP 80, and the ACL let it through because it only looks at the port. This is the reason to add a new security level with application inspectors.
</br>
</br>
Elements of this laboratory (Cisco Systems Zone Based Firewall):
</br>
- Host computer capable of virtualization
</br>
- GNS3
</br>
- - 01 router running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
</br>
- Oracle VirtualBox
</br>
- - 03 guests
</br>
</br>
Router configured with an L3/L4 extended ACL (port-based filtering only):
</br>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group Network-A->B in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended Network-A->B
permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgivWmsXhR67-lOibkbAQOI3eIugcGE6f0s9K3wucldgt-8P2KMUDFa0tB8dronVA6qmi_NSg1TgThIECvGRoY3cfnssnn1zkB02QmKu2Tubh67D96OrNOh6s8fB7h-NK1zXE2nVs6YJxU4/s1600/ACLs01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgivWmsXhR67-lOibkbAQOI3eIugcGE6f0s9K3wucldgt-8P2KMUDFa0tB8dronVA6qmi_NSg1TgThIECvGRoY3cfnssnn1zkB02QmKu2Tubh67D96OrNOh6s8fB7h-NK1zXE2nVs6YJxU4/s400/ACLs01.png" width="400" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2H3wdO09myU_Lv4Z_M8OiAb-S_JxvGCtj84xunlM8xGcpBpQLxthktaw-De14sc0TOplJ3nCETrSoMUls4VvZJjqlYALpP78jMIaHgrj3156jk2OFe5y76x-RQuINgzxsLD3ck5xVYqLd/s1600/ACLs02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2H3wdO09myU_Lv4Z_M8OiAb-S_JxvGCtj84xunlM8xGcpBpQLxthktaw-De14sc0TOplJ3nCETrSoMUls4VvZJjqlYALpP78jMIaHgrj3156jk2OFe5y76x-RQuINgzxsLD3ck5xVYqLd/s400/ACLs02.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUKkTPoTAH4w4wyPbWvn2YA6qALbjb1Eup70JvvbEbQWyJ4L2ISm-XYBwLzaOf20YIwiShlmTKNmPLNii6mnz5vkl6foS3QIZxgJYFXrchzBvdU4ERMo4-YMTqvC_v6Al33htG30lTD-9a/s1600/ACLs03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUKkTPoTAH4w4wyPbWvn2YA6qALbjb1Eup70JvvbEbQWyJ4L2ISm-XYBwLzaOf20YIwiShlmTKNmPLNii6mnz5vkl6foS3QIZxgJYFXrchzBvdU4ERMo4-YMTqvC_v6Al33htG30lTD-9a/s400/ACLs03.png" />
</a>
</div>
</br>
Router configured as an application layer firewall (Zone-Based Firewall). The HTTP inspection policy logs and resets any connection on the HTTP port whose data violates the HTTP protocol, which is how a Terminal Server session moved to TCP 80 gets caught, and any request using one of the listed methods. Note that the list includes POST, so web applications that submit forms would be reset by this policy as written, and that class-default carries no action, so anything that is not HTTP is dropped:
</br>
</br>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-all protocol-http
match protocol http
class-map type inspect http match-any http-blockparam
match req-resp protocol-violation
class-map type inspect http match-any app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
!
!
policy-map type inspect http action-http
class type inspect http http-blockparam
log
reset
class type inspect http app-httpmethods
log
reset
policy-map type inspect PolicyMapInspect_ZA->ZB
class type inspect protocol-http
inspect
service-policy http action-http
class class-default
!
zone security Network-A
zone security Network-B
zone-pair security ZA->ZB source Network-A destination Network-B
service-policy type inspect PolicyMapInspect_ZA->ZB
!
!
!
!
interface FastEthernet0/0
description Network A
ip address 192.168.1.1 255.255.255.0
zone-member security Network-A
duplex auto
speed auto
!
interface FastEthernet0/1
description Network B
ip address 192.168.2.1 255.255.255.0
zone-member security Network-B
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMbg3oZpAjweu_lSCX99vyiT5IFOaCw1yzAPJMuWQhp3_kZcvtH4sv_1gjm4fyBY-_MOB_0_Lrx2n6jrMZZOQpX6a-xBMnikn_QzpapomD-5ZnBq7No00QEFbK_VHstSj1R2IVFTFrYmAS/s1600/ZBF01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMbg3oZpAjweu_lSCX99vyiT5IFOaCw1yzAPJMuWQhp3_kZcvtH4sv_1gjm4fyBY-_MOB_0_Lrx2n6jrMZZOQpX6a-xBMnikn_QzpapomD-5ZnBq7No00QEFbK_VHstSj1R2IVFTFrYmAS/s400/ZBF01.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Fltskdkj1B4QJqjzrne0qHRPe4hDYTJONbfrXklO-9dkFGPH9PVMFIrJqQUd3vtX18t2GSU6YB5_o_BFtRdV7EVlgQvWdp3vpeMxgTFlWvz6THq_MmNYfMCbBFnpl1C_853mrLLaz6lX/s1600/ZBF02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Fltskdkj1B4QJqjzrne0qHRPe4hDYTJONbfrXklO-9dkFGPH9PVMFIrJqQUd3vtX18t2GSU6YB5_o_BFtRdV7EVlgQvWdp3vpeMxgTFlWvz6THq_MmNYfMCbBFnpl1C_853mrLLaz6lX/s400/ZBF02.png" />
</a>
</div>
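The following Python script is an added example (not part of the post, and not Cisco code) that mirrors what the two HTTP class-maps above express, so the difference between the port-based ACL and the inspection policy can be tried offline. A minimal inspector checks whether the first bytes of a TCP/80 flow form a valid HTTP request line and whether the method is on the list the policy resets; a Terminal Server connection request on port 80 fails the first check and is reset as a protocol violation, which is the behaviour the screenshots above show, while the L3/L4 ACL permits it because it only sees the port. The sample payloads, including the RDP connection request, are constructed rather than captured in the lab.

```python
"""Toy application-layer inspector for TCP/80, mirroring the two HTTP class-maps of the
Zone-Based Firewall policy above.  Added example, not code from the post or from Cisco:
it shows why a Terminal Server session moved to port 80 passes the L3/L4 ACL but is reset
by the inspection policy.  All payloads below are constructed, not captured in the lab."""
import re

# Methods the class-map 'app-httpmethods' above resets, copied from the router config.
BLOCKED_METHODS = frozenset("""bcopy bdelete bmove bpropfind bproppatch connect copy delete
edit getattribute getattributenames getproperties index lock mkcol mkdir move notify options
poll post propfind proppatch put revadd revlabel revlog revnum save search setattribute
startrev stoprev subscribe trace unedit unlock unsubscribe""".split())

# HTTP/1.x request-line and status-line (RFC 7230 section 3.1): method SP target SP version CRLF
_REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/\d\.\d\r\n")
_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d [1-5]\d\d[^\r\n]*\r\n")


def port_acl_permits(dport):
    """What the extended ACL of the first config tests: only the destination port."""
    return dport == 80


def inspect_request(payload):
    """Decide on the first client bytes of a flow, as 'class type inspect http' does.
    Returns (action, reason): 'inspect' lets the flow continue under stateful inspection,
    'reset' tears it down (the policy above also logs it)."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return "reset", "protocol-violation"          # class-map http-blockparam
    method = m.group(1).decode("ascii").lower()
    if method in BLOCKED_METHODS:
        return "reset", "request method " + method    # class-map app-httpmethods
    return "inspect", "http " + method


def inspect_response(payload):
    """Same check on the server's first bytes ('req-resp protocol-violation' covers both sides)."""
    if _STATUS_LINE.match(payload):
        return "inspect", "http response"
    return "reset", "protocol-violation"


# Constructed sample payloads.  RDP opens with a TPKT header (version 3, length) carrying an
# X.224 Connection Request; nothing in it resembles an HTTP request line.
SAMPLES = {
    "browser GET":     b"GET /index.html HTTP/1.1\r\nHost: 192.168.2.10\r\n\r\n",
    "form POST":       b"POST /login HTTP/1.1\r\nHost: 192.168.2.10\r\nContent-Length: 0\r\n\r\n",
    "WebDAV PROPFIND": b"PROPFIND /share/ HTTP/1.1\r\nHost: 192.168.2.10\r\nDepth: 1\r\n\r\n",
    "RDP on port 80":  bytes.fromhex("0300000b06e00000000000"),
}


def compare_controls(dport=80):
    """For each sample: what the port ACL says versus what the inspector says."""
    return {name: ("permit" if port_acl_permits(dport) else "deny", inspect_request(data))
            for name, data in SAMPLES.items()}
```

compare_controls() returns "permit" from the ACL for every sample, since all of them arrive on port 80, while the inspector only lets the GET through; the POST is reset purely because of the method list in the policy, which is the side effect noted above the configuration.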
</br>
</br>
Elements of this laboratory (Kerio Control - Version 8.6.0 3693P1):
</br>
- Host computer capable of virtualization
</br>
- Oracle VirtualBox
</br>
- - Guests
</br>
</br>
Application inspection on Kerio Control is only supported between different zones (Trusted vs. Internet); at the time of writing it is not available for internally routed traffic.
</br>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjusdNEFo5UfZjPs1NTBE97_3E47WRADF-cb-L55TWcLkQT7Znh8rfLqO_mPZB_oARta8HfuCnm35NLnLIMX5j7i9iodKqU3wA6ZR1Xfjq3K-8ZuR_-FjlF5e2MoOtshtykWlFFxVblwRw2/s1600/Kerio01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjusdNEFo5UfZjPs1NTBE97_3E47WRADF-cb-L55TWcLkQT7Znh8rfLqO_mPZB_oARta8HfuCnm35NLnLIMX5j7i9iodKqU3wA6ZR1Xfjq3K-8ZuR_-FjlF5e2MoOtshtykWlFFxVblwRw2/s400/Kerio01.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8ePna1RPqFV8dbkTZuAxYBvl2jnNmV_V8_fnX4cSkfoFHjdimMBRCjS3cjVCZZtMtRdcRM6zh8ixu5kgDo8uTGiPmlc_tlwzwymJf7RM-1iQlJF2S9HmX8K71wADp0k4Ax9QZW89AUm1E/s1600/Kerio02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8ePna1RPqFV8dbkTZuAxYBvl2jnNmV_V8_fnX4cSkfoFHjdimMBRCjS3cjVCZZtMtRdcRM6zh8ixu5kgDo8uTGiPmlc_tlwzwymJf7RM-1iQlJF2S9HmX8K71wADp0k4Ax9QZW89AUm1E/s400/Kerio02.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtySCxz-RxS6TEjvcIREAYPBxiXXmzYF0H2ImwBNY1Jp15KTkLy4twjKGgiYA3ILNm2eygI_GRCqzIytZPu-yI7aBvjjMCebj8J1X3EmS4TT7Ij74bfW8qjVYI9bn_NlepT4TtwszO5GR5/s1600/Kerio03-A.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtySCxz-RxS6TEjvcIREAYPBxiXXmzYF0H2ImwBNY1Jp15KTkLy4twjKGgiYA3ILNm2eygI_GRCqzIytZPu-yI7aBvjjMCebj8J1X3EmS4TT7Ij74bfW8qjVYI9bn_NlepT4TtwszO5GR5/s400/Kerio03-A.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQW7oLrQZgJdVbvQvQknY1dg_iah2VIEZAJ4Fq9B0fKgHJuD4lRTa6XT__4MLtWQG7mCAb3hV1PepGQEUj5pipm8e5wKU17xKQGnHdKOARWsBROmONUKRLk8OpIhNDzdDwFIL1gFSJQIJH/s1600/Kerio03-B.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQW7oLrQZgJdVbvQvQknY1dg_iah2VIEZAJ4Fq9B0fKgHJuD4lRTa6XT__4MLtWQG7mCAb3hV1PepGQEUj5pipm8e5wKU17xKQGnHdKOARWsBROmONUKRLk8OpIhNDzdDwFIL1gFSJQIJH/s400/Kerio03-B.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdPX-fZ0yFoFUHmH1Mi9os4F62FPxbpLUZC2_LHUUYKeFNFJ4yMWdweD0tQ8jHgxziI6IHffWl7ipzyXSzEQl_mESd5l3PRru4Na8m-nxbfdUTWZ4-oJ_uFCP9xl8nTCoWQWeYYJTHlNhK/s1600/Kerio04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdPX-fZ0yFoFUHmH1Mi9os4F62FPxbpLUZC2_LHUUYKeFNFJ4yMWdweD0tQ8jHgxziI6IHffWl7ipzyXSzEQl_mESd5l3PRru4Na8m-nxbfdUTWZ4-oJ_uFCP9xl8nTCoWQWeYYJTHlNhK/s400/Kerio04.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitdkRlmrxyOChWsuN3iO0UV3U41as6ckYky2JnnqIbCSmZsepu7YWC9rt_30OwG5PGWqlvsqlYaJ7AXk_ccSIdXa0DwlUChABV3E86t6ztIskvmy-1joLHIRoYCPwGSe6SfuJJf6Q7bW6A/s1600/Kerio05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitdkRlmrxyOChWsuN3iO0UV3U41as6ckYky2JnnqIbCSmZsepu7YWC9rt_30OwG5PGWqlvsqlYaJ7AXk_ccSIdXa0DwlUChABV3E86t6ztIskvmy-1joLHIRoYCPwGSe6SfuJJf6Q7bW6A/s400/Kerio05.png" />
</a>
</div>
</br>
</br>
Below are two screenshots to give a visual idea of how an application inspector determines the type of traffic.
</br>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIlS48b3TkFMwayHUnc-9kvtJRFNoVSSzg_4iwApZPF5YWvAFM9LloTC87IRz1FVEu4wMtnE8up07UhiS3VgOKlJ2sc54thncpeiXA5OksYTRgH1Nkl8JKBkD0FDvUkcRf2-RRh8KTAau7/s1600/WS01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIlS48b3TkFMwayHUnc-9kvtJRFNoVSSzg_4iwApZPF5YWvAFM9LloTC87IRz1FVEu4wMtnE8up07UhiS3VgOKlJ2sc54thncpeiXA5OksYTRgH1Nkl8JKBkD0FDvUkcRf2-RRh8KTAau7/s400/WS01.png" />
</a>
</div>
</br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJCrw5gdfbuVgXJ7h6lT16sIhZmX1RWJpFt5Zegfd9sTTVGtt3zmpIq194MDTSepl_mHIp6P3leg4b2joSPjg6sQr7et_SMfKTzYWnn5gnWrC3dx1nBbaHbHwWXoPGWxfHFbnyDmXKLn3L/s1600/WS02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJCrw5gdfbuVgXJ7h6lT16sIhZmX1RWJpFt5Zegfd9sTTVGtt3zmpIq194MDTSepl_mHIp6P3leg4b2joSPjg6sQr7et_SMfKTzYWnn5gnWrC3dx1nBbaHbHwWXoPGWxfHFbnyDmXKLn3L/s400/WS02.png" />
</a>
</div>
</br>
</br>
</br>
Conclusion:
</br>
Application inspection is not an easy job: the results are often unexpected, and it requires strong knowledge of both networking and the software running on the network. But it is necessary wherever a port-based ACL is not enough to tell what is really crossing the firewall.Gerardo Marcialeshttp://www.blogger.com/profile/02539937911933559463noreply@blogger.com0tag:blogger.com,1999:blog-3949123573880313438.post-79724734421012732132015-05-11T12:21:00.000-07:002015-08-09T19:10:35.973-07:00Site to Site VPN NAT Traversal (simple Lab, Cisco Systems alternative)<head>
<meta content='Information Technology - Gerardo Marciales' name='description'/>
<meta content='Information Technology - Gerardo Marciales, Cisco Systems, Microsoft, Apple, Kerio, Router, Switch, VLAN, VPN, IPSec, Security, Seguridad, Routing, Oracle, VirtualBox, Parallels, MAC OS X, PPTP, TCP/IP, Mikrotik, PFSense, Wireshark, Sniffer, GNS3' name='keywords'/>
<meta content='Information Technology - Gerardo Marciales' name='author'/>
<meta content='index,follow' name='robots'/>
</head>
<style media="screen" type="text/css">
<!--
.text_area { color: green; background-color: black; scroll: yes }
-->
</style>
<br/>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0QAQuvEwx42yXD4kAOgYblyuLFdx2HQISjOBO0ls9AA5uG9ziIUFQZpgKe_URGfImoj16oocRlWoWYFTGm6QRSzMD-uLXK8FgpfTEDCJtke1S0dTP-B3DLKPRAitYSlCwH_IJrvKtYya/s1600/VPN_SITE_TO_SITE_ON_INTERNET_BEHIND_NATED_NETWORK.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0QAQuvEwx42yXD4kAOgYblyuLFdx2HQISjOBO0ls9AA5uG9ziIUFQZpgKe_URGfImoj16oocRlWoWYFTGm6QRSzMD-uLXK8FgpfTEDCJtke1S0dTP-B3DLKPRAitYSlCwH_IJrvKtYya/s1600/VPN_SITE_TO_SITE_ON_INTERNET_BEHIND_NATED_NETWORK.png" height="377" width="400" />
</a>
</div>
<br/>
<br/>
<br/>
Based on the first two posts
<br/>
<br/>
<br/>
Problem:
<br/>
Often we establish site-to-site VPNs over the internet using public IPs as the tunnel source and destination, but what if one of the nodes does not get a public IP from its ISP?<br />
In such cases we can use remote-access tools such as TeamViewer, LogMeIn or others, but if one side has equipment such as PLCs or CCTV systems we must look for alternatives, for example the lab below.
<br/>
<br/>
<br/>
Elements of this laboratory:
<br/>
- Host computer capable of virtualization.
<br/>
- GNS3
<br/>
- - 04 routers running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
<br/>
- Oracle VirtualBox
<br/>
- - 02 guests
<br/>
<br/>
<br/>
Below is the configuration of each router. Two things to notice: main_branch peers with 2.2.2.2, the public address of front_nat_network, because that is the only address it ever sees for remote_branch, and the tunnel therefore has to be brought up from the NATed side. NAT traversal (UDP 4500 encapsulation of ESP) is enabled by default on this IOS release, and once the SA is up <i>show crypto ipsec sa</i> on main_branch reports <i>in use settings ={Tunnel UDP-Encaps, }</i>. The pre-shared key <i>abc</i> and the 3DES/SHA-1/group 2 settings are lab values only; a production tunnel should use a long random key and current algorithms (AES, SHA-2, at least group 14), or IKEv2.
<br/>
<br/>
<br/>
main_branch router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname main_branch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abc address 2.2.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP_Site_to_Site 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
set pfs group2
match address ACL-Site_to_Site
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP_Site_to_Site
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
!
ip access-list extended ACL-NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL-Site_to_Site
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
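The reason main_branch peers with 2.2.2.2 rather than with remote_branch's own address 172.16.1.254 is easier to see with the NAT discovery step of IKEv1 NAT traversal (RFC 3947) written out. The Python below is an added example, not code from the post or from Cisco IOS: each side hashes the ISAKMP cookies together with the address and port it believes it is using, the receiver recomputes the hash from the outer IP and UDP header it actually saw, and a mismatch means a NAT sits in between. The cookies and the translated port are constructed values, and SHA-1 is used because the isakmp policy above relies on the default hash.

```python
"""IKEv1 NAT traversal discovery (RFC 3947 NAT-D payloads), modelled in Python.
Added example, not code from the post or from Cisco: it shows why main_branch must
name 2.2.2.2, the address of front_nat_network, as its IKE peer and key, and why the
peers move to UDP/4500.  The ISAKMP cookies and the translated source port are
constructed values; SHA-1 is used because the isakmp policy above takes the default hash."""
import hashlib
import ipaddress


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The IPv4 address is 4 octets and the UDP port 2 octets, both in network order."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def peer_is_behind_nat(cky_i, cky_r, nat_d_from_peer, observed_ip, observed_port):
    """Receiver side: recompute the peer's NAT-D hash from the outer IP source address
    and UDP source port actually seen on the wire.  A mismatch means a NAT rewrote them."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != nat_d_from_peer


def lab_exchange(translated_port=1024):
    """Replay the lab topology: remote_branch (172.16.1.254) behind front_nat_network
    (2.2.2.2, PAT) talking to main_branch (1.1.1.2, public address)."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie

    # remote_branch hashes the address and port it believes it is sending from ...
    initiator_nat_d = nat_d_hash(cky_i, cky_r, "172.16.1.254", 500)
    # ... but main_branch receives the packet from 2.2.2.2 and whatever port PAT chose.
    initiator_natted = peer_is_behind_nat(cky_i, cky_r, initiator_nat_d,
                                          "2.2.2.2", translated_port)

    # main_branch hashes 1.1.1.2:500 and remote_branch sees exactly that: no NAT there.
    responder_nat_d = nat_d_hash(cky_i, cky_r, "1.1.1.2", 500)
    responder_natted = peer_is_behind_nat(cky_i, cky_r, responder_nat_d, "1.1.1.2", 500)

    return {
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        # With NAT detected on either side the peers float to UDP/4500 and wrap ESP in
        # UDP, giving PAT on front_nat_network a port to translate; plain ESP has none.
        "udp_encapsulation": initiator_natted or responder_natted,
    }
```

The responder never sees 172.16.1.254, so both the IKE peer and the pre-shared key on main_branch have to be tied to 2.2.2.2, and since PAT only creates a translation for traffic leaving front_nat_network, the tunnel must be initiated from remote_branch.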
<br/>
<br/>
<br/>
internet router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname internet
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
<br/>
<br/>
<br/>
front_nat_network router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname front_nat_network
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1 254
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
!
ip access-list extended ACL-NAT
permit ip 172.16.1.0 0.0.0.255 any
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
<br/>
<br/>
<br/>
remote_branch router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname remote_branch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abc address 1.1.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP_Site_to_Site 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set ESP-3DES-SHA
set pfs group2
match address ACL-Site_to_Site
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.254 255.255.255.0
duplex auto
speed auto
crypto map CMAP_Site_to_Site
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.1 254
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL-Site_to_Site
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>Gerardo Marcialeshttp://www.blogger.com/profile/02539937911933559463noreply@blogger.com0tag:blogger.com,1999:blog-3949123573880313438.post-47827385023700013712015-03-13T22:39:00.001-07:002015-08-09T19:09:49.424-07:00VPN SITE TO SITE ON INTERNET BEHIND NATED NETWORK (Mikrotik - alternative)<head>
<meta content='Information Technology - Gerardo Marciales' name='description'/>
<meta content='Information Technology - Gerardo Marciales, Cisco Systems, Microsoft, Apple, Kerio, Router, Switch, VLAN, VPN, IPSec, Security, Seguridad, Routing, Oracle, VirtualBox, Parallels, MAC OS X, PPTP, TCP/IP, Mikrotik, PFSense, Wireshark, Sniffer, GNS3' name='keywords'/>
<meta content='Information Technology - Gerardo Marciales' name='author'/>
<meta content='index,follow' name='robots'/>
</head>
<style media="screen" type="text/css">
<!--
.text_area { color: green; background-color: black; scroll: yes }
-->
</style>
<br/>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0QAQuvEwx42yXD4kAOgYblyuLFdx2HQISjOBO0ls9AA5uG9ziIUFQZpgKe_URGfImoj16oocRlWoWYFTGm6QRSzMD-uLXK8FgpfTEDCJtke1S0dTP-B3DLKPRAitYSlCwH_IJrvKtYya/s1600/VPN_SITE_TO_SITE_ON_INTERNET_BEHIND_NATED_NETWORK.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0QAQuvEwx42yXD4kAOgYblyuLFdx2HQISjOBO0ls9AA5uG9ziIUFQZpgKe_URGfImoj16oocRlWoWYFTGm6QRSzMD-uLXK8FgpfTEDCJtke1S0dTP-B3DLKPRAitYSlCwH_IJrvKtYya/s1600/VPN_SITE_TO_SITE_ON_INTERNET_BEHIND_NATED_NETWORK.png" height="377" width="400" />
</a>
</div>
<br/>
<br/>
<br/>
Based on the first post
<br/>
<br/>
<br/>
Problem:
<br/>
Often we establish site-to-site VPNs over the internet using public IPs as the tunnel source and destination, but what if one of the nodes does not get a public IP from its ISP?<br/>
In such cases we can use remote-access tools such as TeamViewer, LogMeIn or others, but if one side has equipment such as PLCs or CCTV systems we must look for alternatives, for example the lab below.
<br/>
<br/>
<br/>
Scenario:
<br/>
A network located behind another NATed network initiates a VPN client connection that establishes a tunnel enabling bidirectional IP traffic between the sites. The tunnel used in this lab is PPTP with MS-CHAPv2 and MPPE. Keep in mind that MS-CHAPv2 has been practically broken since 2012 (the handshake reduces to a single DES key search), so this lab demonstrates the routing and NAT-traversal mechanics; a production link should use a stronger tunnel such as L2TP/IPsec or IKEv2. Also note that PPTP carries its data in GRE, which has no ports: getting it through front_nat_network depends on the NAT router's PPTP helper, which RouterOS enables by default under /ip firewall service-port.
<br/>
<br/>
<br/>
Elements of this laboratory:
<br/>
- Host computer capable of virtualization.
<br/>
- Oracle VirtualBox
<br/>
- - 04 routers running Mikrotik RouterOS (version 6.27)
<br/>
- - 03 guests
<br/>
<br/>
<br/>
Below the configuration of each router:
<br/>
<br/>
<br/>
main_branch router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
/ppp profile
set 0 use-compression=yes use-encryption=yes use-vj-compression=yes
set 1 use-compression=yes use-vj-compression=yes
/interface pptp-server server
set authentication=mschap2 default-profile=default enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=1.1.1.2/30 interface=ether2 network=1.1.1.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=10.0.0.1/32 interface=ether1 network=10.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add distance=254 gateway=1.1.1.1
add distance=1 dst-address=192.168.2.0/24 gateway=10.0.0.2
/ppp secret
add local-address=10.0.0.1 name=pptp_username password=pptp_password remote-address=10.0.0.2 service=pptp
add local-address=192.168.1.1 name=vpn_remote_user password=vpn_remote_pass remote-address=192.168.1.254 service=pptp
/system identity
set name=main_branch
</textarea>
</div>
<br/>
<br/>
<br/>
internet router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
set [ find default-name=ether3 ] speed=1Gbps
/ip address
add address=3.3.3.1/30 interface=ether3 network=3.3.3.0
add address=2.2.2.1/30 interface=ether2 network=2.2.2.0
add address=1.1.1.1/30 interface=ether1 network=1.1.1.0
/system identity
set name=internet
</textarea>
</div>
<br/>
<br/>
<br/>
front_nat_network router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
/ip address
add address=2.2.2.2/30 interface=ether2 network=2.2.2.0
add address=172.16.1.1/24 interface=ether1 network=172.16.1.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add distance=254 gateway=2.2.2.1
/system identity
set name=front_nat_network
</textarea>
</div>
<br/>
<br/>
<br/>
remote_branch router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
/ppp profile
set 0 use-compression=yes use-encryption=yes use-vj-compression=yes
set 1 use-compression=yes use-vj-compression=yes
/interface pptp-client
add allow=mschap2 connect-to=1.1.1.2 disabled=no mrru=1600 name=pptp-out password=pptp_password profile=default user=pptp_username
/ip address
add address=192.168.150.114/24 interface=ether3 network=192.168.150.0
add address=172.16.1.254/24 interface=ether2 network=172.16.1.0
add address=192.168.2.1/24 interface=ether1 network=192.168.2.0
/ip route
add distance=254 gateway=172.16.1.1
add distance=1 dst-address=192.168.1.0/24 gateway=10.0.0.1
/system identity
set name=remote_branch
</textarea>
</div>
<br/>
<br/>
<br/>
remote users config (routing table, avoiding a default route through the VPN)
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
===========================================================================
Routing table Windows client (only one link)
===========================================================================
C:\>ROUTE PRINT
===========================================================================
Interface List
11...08 00 27 38 12 cb ......Intel(R) PRO/1000 MT Desktop Adapter
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 3.3.3.1 3.3.3.2 266
3.3.3.0 255.255.255.252 On-link 3.3.3.2 266
3.3.3.2 255.255.255.255 On-link 3.3.3.2 266
3.3.3.3 255.255.255.255 On-link 3.3.3.2 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 3.3.3.2 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 3.3.3.2 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 3.3.3.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
18 1010 2002::/16 On-link
18 266 2002:303:302::303:302/128
On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
===========================================================================
Routing table Windows client (one link + PPTP)
===========================================================================
C:\>ROUTE PRINT
===========================================================================
Interface List
19...........................VPN
11...08 00 27 38 12 cb ......Intel(R) PRO/1000 MT Desktop Adapter
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 3.3.3.1 3.3.3.2 266
1.1.1.2 255.255.255.255 3.3.3.1 3.3.3.2 11
3.3.3.0 255.255.255.252 On-link 3.3.3.2 266
3.3.3.2 255.255.255.255 On-link 3.3.3.2 266
3.3.3.3 255.255.255.255 On-link 3.3.3.2 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.254 11
192.168.1.254 255.255.255.255 On-link 192.168.1.254 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 3.3.3.2 266
224.0.0.0 240.0.0.0 On-link 192.168.1.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 3.3.3.2 266
255.255.255.255 255.255.255.255 On-link 192.168.1.254 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 3.3.3.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
18 1010 2002::/16 On-link
18 266 2002:303:302::303:302/128
On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
===========================================================================
Routing table Windows client (adding remote_branch)
===========================================================================
C:\>ROUTE ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.254 METRIC 11
OK!
===========================================================================
Routing table Windows client (one link + PPTP + remote_branch)
===========================================================================
C:\>ROUTE PRINT
===========================================================================
Interface List
19...........................VPN
11...08 00 27 38 12 cb ......Intel(R) PRO/1000 MT Desktop Adapter
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 3.3.3.1 3.3.3.2 266
1.1.1.2 255.255.255.255 3.3.3.1 3.3.3.2 11
3.3.3.0 255.255.255.252 On-link 3.3.3.2 266
3.3.3.2 255.255.255.255 On-link 3.3.3.2 266
3.3.3.3 255.255.255.255 On-link 3.3.3.2 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.254 11
192.168.1.254 255.255.255.255 On-link 192.168.1.254 266
192.168.2.0 255.255.255.0 On-link 192.168.1.254 21
192.168.2.255 255.255.255.255 On-link 192.168.1.254 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 3.3.3.2 266
224.0.0.0 240.0.0.0 On-link 192.168.1.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 3.3.3.2 266
255.255.255.255 255.255.255.255 On-link 192.168.1.254 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 3.3.3.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
18 1010 2002::/16 On-link
18 266 2002:303:302::303:302/128
On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\>
</textarea>
</div>
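The three ROUTE PRINT snapshots above show the client keeping its WAN default route (3.3.3.1 on 3.3.3.2) while only the 192.168.2.0/24 branch prefix is steered into the PPTP tunnel. The Python check below is added here as an illustration and is not part of the original post: it parses that kind of output and verifies the split-tunnel state before and after the ROUTE ADD; the route rows are re-typed from the tables above, and the 203.0.113.10 probe address and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: IPv4 "Active Routes" rows of the Windows client, re-typed
# from the ROUTE PRINT output above (one link + PPTP, before the ROUTE ADD).
ROUTES_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0          3.3.3.1          3.3.3.2    266
          1.1.1.2  255.255.255.255          3.3.3.1          3.3.3.2     11
          3.3.3.0  255.255.255.252         On-link           3.3.3.2    266
      192.168.1.0    255.255.255.0      192.168.1.1    192.168.1.254     11
    192.168.1.254  255.255.255.255         On-link     192.168.1.254    266
"""

# Same client after "ROUTE ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.254 METRIC 11".
ROUTES_AFTER = ROUTES_BEFORE + """\
      192.168.2.0    255.255.255.0         On-link     192.168.1.254     21
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_RE = re.compile(
    rf"^\s*({IPV4})\s+({IPV4})\s+(On-link|{IPV4})\s+({IPV4})\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from ROUTE PRINT rows."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # column headers, separators, persistent/IPv6 sections
        dest, mask, gateway, iface, metric = m.groups()
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def lookup(routes, host):
    """Longest-prefix match, ties broken by lowest metric, as the Windows stack does."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def check_split_tunnel(routes, vpn_iface, wan_gateway, branch_host):
    """Verify internet traffic still leaves via the WAN and only branch traffic uses the tunnel.

    203.0.113.10 (TEST-NET-3) stands in for "any internet host"; it is an assumption, not on the page.
    """
    internet = lookup(routes, "203.0.113.10")
    branch = lookup(routes, branch_host)
    return {
        "default_via_wan": internet is not None and internet[1] == wan_gateway,
        "branch_via_vpn": branch is not None and branch[2] == vpn_iface,
        # A 0.0.0.0/0 entry on the VPN interface means all traffic would be pulled into the tunnel.
        "vpn_default_route": any(r[0].prefixlen == 0 and r[2] == vpn_iface for r in routes),
    }


if __name__ == "__main__":
    for label, text in (("before ROUTE ADD", ROUTES_BEFORE), ("after ROUTE ADD", ROUTES_AFTER)):
        print(label, check_split_tunnel(parse_routes(text), "192.168.1.254", "3.3.3.1", "192.168.2.10"))
```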
<br/>
<br/>
<br/>
Wireshark captures comparing a secure PPP authentication protocol (MS-CHAPv2) with a non-secure one (PAP)
<br/>
<br/>
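The captures below contrast MS-CHAPv2 (a CHAP variant, so only a challenge and a keyed response cross the link) with PAP, which carries the password in the clear. The Python classifier below is added as an illustration and is not part of the original post: it parses PPP PAP and CHAP packets and flags cleartext credentials without reporting them; the frames are constructed in the script from the lab's vpn_remote_user account with an all-zero placeholder challenge, and the helper names are this example's own.

```python
import struct

PPP_PAP = 0xC023   # Password Authentication Protocol (RFC 1334)
PPP_CHAP = 0xC223  # CHAP; MS-CHAPv2 is CHAP with algorithm 0x81 negotiated in LCP (RFC 2759)
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_ppp_auth(frame):
    """Classify one PPP frame (optional HDLC ff 03 prefix) by its authentication protocol.

    Returns None for non-authentication protocols (LCP, IPCP, IP, ...).
    Credentials are never returned: a PAP request yields only the peer-id and password length.
    """
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if len(frame) < 6:
        return None
    proto = struct.unpack("!H", frame[:2])[0]
    body = frame[2:]
    if proto not in (PPP_PAP, PPP_CHAP):
        return None
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("truncated or malformed PPP authentication packet")
    body = body[:length]
    if proto == PPP_PAP:
        result = {"protocol": "PAP", "type": PAP_CODES.get(code, "unknown"), "cleartext_password": False}
        if code == 1:  # Authenticate-Request: peer-id-len, peer-id, passwd-len, password (cleartext)
            pid_len = body[4]
            if 5 + pid_len >= len(body):
                raise ValueError("PAP peer-id overruns packet")
            peer_id = body[5:5 + pid_len]
            pw_len = body[5 + pid_len]
            password = body[6 + pid_len:6 + pid_len + pw_len]
            result.update(peer_id=peer_id.decode("ascii", "replace"),
                          cleartext_password=True, password_length=len(password))
        return result
    result = {"protocol": "CHAP", "type": CHAP_CODES.get(code, "unknown"), "cleartext_password": False}
    if code in (1, 2):  # Challenge / Response: value-size, value, name; no password on the wire
        value_size = body[4]
        result["name"] = body[5 + value_size:].decode("ascii", "replace")
    return result


def find_cleartext_auth(frames):
    """Detection pass: peer-ids of every PAP Authenticate-Request seen in a list of frames."""
    hits = []
    for frame in frames:
        info = parse_ppp_auth(frame)
        if info and info["cleartext_password"]:
            hits.append(info["peer_id"])
    return hits


# --- constructed sample frames (encoded here, not taken from the captures) ---
def build_pap_request(ident, peer_id, password):
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!HBBH", PPP_PAP, 1, ident, 4 + len(payload)) + payload


def build_chap_packet(code, ident, value, name):
    payload = bytes([len(value)]) + value + name
    return struct.pack("!HBBH", PPP_CHAP, code, ident, 4 + len(payload)) + payload


PAP_FRAME = b"\xff\x03" + build_pap_request(1, b"vpn_remote_user", b"vpn_remote_pass")
CHAP_CHALLENGE = build_chap_packet(1, 1, bytes(16), b"main_branch")  # placeholder 16-byte challenge
LCP_FRAME = b"\xff\x03\xc0\x21" + bytes(4)  # LCP, not an authentication protocol
```

Running find_cleartext_auth over a decoded PPP stream is the same signal the PAP capture shows visually: the literal password bytes are present in PAP_FRAME and absent from the CHAP exchange.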
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhH-7kfKX9ygFliVS4UIPD_yPRdysAdjlg_GXWvZvfBdi9uSt32RaowApT3ERFwOcJUbwhHhwJMN8eY13sqDEGhCVAp5Jw1AowMNtLDPxulolA6MmjWvlXRaEFIYqJR7iOVe3-4ZqEVN-F/s1600/WireShark_PPP_MSCHAPV2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhH-7kfKX9ygFliVS4UIPD_yPRdysAdjlg_GXWvZvfBdi9uSt32RaowApT3ERFwOcJUbwhHhwJMN8eY13sqDEGhCVAp5Jw1AowMNtLDPxulolA6MmjWvlXRaEFIYqJR7iOVe3-4ZqEVN-F/s1600/WireShark_PPP_MSCHAPV2.png" height="140" width="400" />
</a>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9k7yKPFs8-sBlCMtEMNyjGE8lxEv15JnXB5WQHj89oryfCLH-mw3S24MTWsmsqetFgFimAwkkJl5R-yXFx8ZqHjQlc_aIOQ9UpDXUIurnJnCa3nSmInSdh84D7_hA3pdvvYV_IyBdnr8a/s1600/WireShark_PPP_PAP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9k7yKPFs8-sBlCMtEMNyjGE8lxEv15JnXB5WQHj89oryfCLH-mw3S24MTWsmsqetFgFimAwkkJl5R-yXFx8ZqHjQlc_aIOQ9UpDXUIurnJnCa3nSmInSdh84D7_hA3pdvvYV_IyBdnr8a/s1600/WireShark_PPP_PAP.png" height="143" width="400" />
</a>
</div>
Gerardo Marciales
VPN SITE TO SITE ON INTERNET BEHIND NATED NETWORK (Cisco Systems - alternative) (published 2015-03-08, updated 2015-08-09)
<head>
<meta content='Information Technology - Gerardo Marciales' name='description'/>
<meta content='Information Technology - Gerardo Marciales, Cisco Systems, Microsoft, Apple, Kerio, Router, Switch, VLAN, VPN, IPSec, Security, Seguridad, Routing, Oracle, VirtualBox, Parallels, MAC OS X, PPTP, TCP/IP, Mikrotik, PFSense, Wireshark, Sniffer, GNS3' name='keywords'/>
<meta content='Information Technology - Gerardo Marciales' name='author'/>
<meta content='index,follow' name='robots'/>
</head>
<style media="screen" type="text/css">
<!--
.text_area { color: green; background-color: black; scroll: yes }
-->
</style>
<br/>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0QAQuvEwx42yXD4kAOgYblyuLFdx2HQISjOBO0ls9AA5uG9ziIUFQZpgKe_URGfImoj16oocRlWoWYFTGm6QRSzMD-uLXK8FgpfTEDCJtke1S0dTP-B3DLKPRAitYSlCwH_IJrvKtYya/s1600/VPN_SITE_TO_SITE_ON_INTERNET_BEHIND_NATED_NETWORK.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0QAQuvEwx42yXD4kAOgYblyuLFdx2HQISjOBO0ls9AA5uG9ziIUFQZpgKe_URGfImoj16oocRlWoWYFTGm6QRSzMD-uLXK8FgpfTEDCJtke1S0dTP-B3DLKPRAitYSlCwH_IJrvKtYya/s1600/VPN_SITE_TO_SITE_ON_INTERNET_BEHIND_NATED_NETWORK.png" height="377" width="400" />
</a>
</div>
<br/>
<br/>
<br/>
Problem:
<br/>
Often we establish a site-to-site VPN over the internet using public IPs as the tunnel source and destination, but what if one of the nodes does not get a public IP from its ISP?<br />
In these cases we can use SSL VPN tools like TeamViewer, LogMeIn or others, but if on one side we have equipment such as PLCs, CCTV systems or similar devices, we must look for alternatives, for example the scenario below.
<br/>
<br/>
<br/>
Scenario:
<br/>
A network located behind another NATed network initiates a VPN client connection that establishes a secure tunnel enabling bidirectional IP traffic between the sites.
<br/>
<br/>
<br/>
Elements of this laboratory:
<br/>
- Host computer capable of virtualization.
<br/>
- GNS3
<br/>
- - 04 routers running Cisco IOS K9 (c2691-adventerprisek9-mz.124-15.T14)
<br/>
- Oracle VirtualBox
<br/>
- - 03 guests
<br/>
<br/>
<br/>
Below is the configuration of each router:
<br/>
<br/>
<br/>
main_branch router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname main_branch
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login CISCO_VPN_XAUTH local
aaa authorization network CISCO_VPN_GROUP local
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 0 password 0 cisco
username user privilege 0 password 0 user
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group REMOTE_BRANCH
key KEY_REMOTE_BRANCH
pool POOL_REMOTE_BRANCH
acl ACL_REMOTE_BRANCH
save-password
max-users 1
netmask 255.255.255.0
!
crypto isakmp client configuration group REMOTE_USERS
key KEY_REMOTE_USERS
pool POOL_REMOTE_USERS
acl ACL_REMOTE_USERS
save-password
max-users 4
netmask 255.255.255.0
crypto isakmp profile IKE_PROFILE
match identity group REMOTE_BRANCH
match identity group REMOTE_USERS
client authentication list CISCO_VPN_XAUTH
isakmp authorization list CISCO_VPN_GROUP
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSec_PROFILE
set transform-set ESP-3DES-SHA
set isakmp-profile IKE_PROFILE
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSec_PROFILE
!
ip local pool POOL_REMOTE_BRANCH 192.168.1.254
ip local pool POOL_REMOTE_USERS 192.168.1.250 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
ip route 192.168.2.0 255.255.255.0 192.168.1.254
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
!
ip access-list extended ACL-Client-Access
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended ACL-NAT
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_REMOTE_BRANCH
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_REMOTE_USERS
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end
</textarea>
</div>
<br/>
<br/>
<br/>
internet router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname internet
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 3.3.3.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
<br/>
<br/>
<br/>
front_nat_network router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname front_nat_network
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1 254
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
!
ip access-list extended ACL-NAT
permit ip 172.16.1.0 0.0.0.255 any
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
<br/>
<br/>
<br/>
remote_branch router config
<br/>
<br/>
<div align="center">
<textarea class="text_area" cols="90" name="textarea" readonly="" rows="20">
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname remote_branch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
crypto ipsec client ezvpn MAIN_BRANCH
connect auto
group REMOTE_BRANCH key KEY_REMOTE_BRANCH
mode client
peer 1.1.1.2
virtual-interface 1
username cisco password cisco
xauth userid mode local
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn MAIN_BRANCH inside
!
interface FastEthernet0/1
ip address 172.16.1.254 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn MAIN_BRANCH
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.1 254
!
!
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.2.1
timeout 1000
threshold 40
frequency 5
ip sla schedule 1 life forever start-time now
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
</textarea>
</div>
<br/>
<br/>
<br/>
remote users config
<br/>
<br/>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw25PbfcX1R9E6K6a50PwxmMT_VuM4q_ra3EJ3tv_S3YNDJ7JbNtDBN1QMHNPW2NL95rQNUyjZpZYUqWf-D3d9EL3tnNOKlOLrkxz7t0lpW243c2QIUcpcQSWEoVnWeInuxMFD7vN4bWhu/s1600/Screen+Shot+2015-03-08+at+4.36.27+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw25PbfcX1R9E6K6a50PwxmMT_VuM4q_ra3EJ3tv_S3YNDJ7JbNtDBN1QMHNPW2NL95rQNUyjZpZYUqWf-D3d9EL3tnNOKlOLrkxz7t0lpW243c2QIUcpcQSWEoVnWeInuxMFD7vN4bWhu/s1600/Screen+Shot+2015-03-08+at+4.36.27+PM.png" height="362" width="400" /></a>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv4q4FOWqBH_GHB-aOQvpfJxuuEdH6kvXbnzNemRWdbhvOr6BjYAWgmHnG046a4XHaWmf8_2ela_JP_moGOmQbgHKpPSn3IScilmQJZ447cVH_fI3ierBW2npNTpXebAoaJlSZ8qwCAbQN/s1600/Screen+Shot+2015-03-08+at+4.41.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv4q4FOWqBH_GHB-aOQvpfJxuuEdH6kvXbnzNemRWdbhvOr6BjYAWgmHnG046a4XHaWmf8_2ela_JP_moGOmQbgHKpPSn3IScilmQJZ447cVH_fI3ierBW2npNTpXebAoaJlSZ8qwCAbQN/s1600/Screen+Shot+2015-03-08+at+4.41.53+PM.png" height="337" width="400" />
</a>
</div>
Gerardo Marciales