
Cisco Site to Site + Remote Access VPN


Some small branch offices need both remote access to the office itself (the remote-access clients, configured as described HERE) and a permanent tunnel to another site (to the HQ, for example).
Here is a quick guide for configuring both VPN types on a single Cisco router.

In this case I have configured a tunnel to a Fortinet FW (1.1.1.1); the ISAKMP policy uses 3DES for encryption and SHA-1 for hashing.
Cisco LAN 10.100.100.0/24, Forti LAN 192.168.0.0/24.

Here is my configuration.

Set a pre-shared key for the tunnel (a certificate may be used instead). Note that "key 0" stores the key in cleartext in the running config, and "service password-encryption" only obfuscates it (type 7), so treat the configuration file itself as sensitive:

crypto keyring Site-Key
 pre-shared-key address 1.1.1.1 key 0 Cisco2Forti

Configure the VPN Phase 1 (ISAKMP) policy. These are the settings used in this setup; 3DES, SHA-1 and DH group 2 are considered weak today, so use AES-256, SHA-256 and group 14 or higher when the Fortinet side supports them (both ends must match exactly):

crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp profile Site-PH1
 keyring Site-Key
 match identity address 1.1.1.1 255.255.255.255

Configure Phase 2 (the IPsec transform set):

crypto ipsec transform-set Site_Set esp-3des esp-sha-hmac

Define the interesting traffic (the crypto ACL), i.e. what will be encrypted through the tunnel. This is not a split-tunnel list; the Fortinet side must have the mirror image of it as its Phase 2 selectors, or the tunnel will negotiate Phase 1 and then fail on Phase 2:

ip access-list extended Site_ACL
 permit ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255

Combine all the settings into one crypto map entry:

crypto map clientmap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set Site_Set
 set isakmp-profile Site-PH1
 match address Site_ACL
Almost the same thing for the client access. The authentication and authorization lists referenced by the profile ("auth") need AAA; a local user database is the simplest option (the username and password below are placeholders):

aaa new-model
aaa authentication login auth local
aaa authorization network auth local
username vpnuser secret <client-password>

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group Client-Access
 key Client2Site
 pool ippool
 acl Client_ACL

crypto isakmp profile Client
 match identity group Client-Access
 client authentication list auth
 isakmp authorization list auth
 client configuration address respond

crypto ipsec transform-set Client_Set esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set Client_Set
 set isakmp-profile Client
 ! optional: installs a route for each connected client's pool address
 reverse-route

The name in "match identity group" must be the same group name the VPN client is configured with, otherwise the client's first packet matches no profile and the connection is simply rejected. The group key is shared by every client, so the real per-user secret is the XAUTH password checked by the "auth" list.

Client_ACL is the split-tunnel list pushed to the clients: only traffic to 10.100.100.0/24 goes through the tunnel, everything else leaves via the client's own internet connection (and is not inspected by the office firewall):

ip access-list extended Client_ACL
 permit ip 10.100.100.0 0.0.0.255 172.16.0.0 0.0.0.3

crypto map clientmap 100 ipsec-isakmp dynamic dynmap

The client-to-site VPN also requires an IP pool, basically DHCP for the VPN clients (with a pool of four addresses, only four clients can be connected at once):

ip local pool ippool 172.16.0.0 172.16.0.3
For both of them to work we need to apply the crypto map to the external interface, in my case FastEthernet4 (use the real mask of your WAN subnet):

interface FastEthernet4
 ip address 2.2.2.2 255.255.255.255
 crypto map clientmap

And one last thing: if NAT is enabled on the same interface, the VPN traffic must be excluded from it, otherwise the packets are translated before encryption, never match the crypto ACL and leave the router in clear text. Deny each VPN pair before the overload permit, for example:

ip access-list extended NAT
 deny ip 10.100.100.0 0.0.0.255 172.16.0.0 0.0.0.3
 deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any

The statement that uses this list, assuming a standard overload NAT on FastEthernet4:

ip nat inside source list NAT interface FastEthernet4 overload
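The pieces above have to agree with each other: the ISAKMP profile's "match identity group" must name an existing client configuration group, and every pair permitted by a crypto ACL must be denied in the NAT list. The following Python script is an added example written for this page (it is not part of the original post or of any Cisco tooling): it parses an IOS-style snippet and reports those mismatches. The snippet it checks is constructed from the configuration above with two defects deliberately left in (the profile matches a group called "alicenet", and the NAT list lacks the deny for the site-to-site pair). It understands only the handful of statements shown and assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed IOS snippet modelled on the VPN configuration above. Two defects are
# built in on purpose so the checks have something to report: the ISAKMP profile
# matches group "alicenet" while the configured client group is "Client-Access",
# and the NAT access list has no deny line for the site-to-site pair.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group Client-Access
 key Client2Site
 pool ippool
 acl Client_ACL
crypto isakmp profile Client
 match identity group alicenet
ip access-list extended Site_ACL
 permit ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended Client_ACL
 permit ip 10.100.100.0 0.0.0.255 172.16.0.0 0.0.0.3
ip access-list extended NAT
 deny ip 10.100.100.0 0.0.0.255 172.16.0.0 0.0.0.3
 permit ip 10.100.100.0 0.0.0.255 any
crypto map clientmap 10 ipsec-isakmp
 set peer 1.1.1.1
 match address Site_ACL
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network (assumes a contiguous wildcard such as 0.0.0.255)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_addr(tokens, i):
    """Consume one ACE address spec (any | host A | A WILDCARD); return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """'permit ip SRC DST' -> (action, src_net, dst_net); entries for other protocols are ignored."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    src, i = parse_addr(tokens, 2)
    dst, _ = parse_addr(tokens, i)
    return tokens[0], src, dst


def parse_config(text):
    """Pull out what the checks need: ACLs, client groups, profile group matches, static crypto map ACLs."""
    acls, groups, profile_groups, map_acls = {}, set(), {}, {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if not line.startswith(" "):                     # a new top-level statement
            section = None
            if tokens[:3] == ["ip", "access-list", "extended"]:
                section = ("acl", tokens[3])
                acls.setdefault(tokens[3], [])
            elif tokens[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
                groups.add(tokens[5])
            elif tokens[:3] == ["crypto", "isakmp", "profile"]:
                section = ("profile", tokens[3])
            elif tokens[:2] == ["crypto", "map"] and "dynamic" not in tokens:
                section = ("map", " ".join(tokens[:4]))
                map_acls[section[1]] = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "acl":
            ace = parse_ace(line)
            if ace:
                acls[name].append(ace)
        elif kind == "profile" and tokens[:3] == ["match", "identity", "group"]:
            profile_groups[name] = tokens[3]
        elif kind == "map" and tokens[:2] == ["match", "address"]:
            map_acls[name] = tokens[2]
    return acls, groups, profile_groups, map_acls


def nat_exempt(nat_acl, src, dst):
    """True when the first NAT ACE covering src->dst is a deny, i.e. the flow is left untranslated."""
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "deny"
    return True                                           # implicit deny at the end: not translated


def check_config(text, nat_acl_name="NAT"):
    """Return a list of findings; an empty list means the VPN and NAT pieces agree."""
    acls, groups, profile_groups, map_acls = parse_config(text)
    findings = []
    for profile, group in profile_groups.items():
        if group not in groups:
            findings.append(f"profile {profile}: 'match identity group {group}' names no client configuration group")
    for entry, acl_name in map_acls.items():
        if acl_name not in acls:
            findings.append(f"{entry}: no usable 'match address' ACL")
            continue
        for action, src, dst in acls[acl_name]:
            if action == "permit" and not nat_exempt(acls.get(nat_acl_name, []), src, dst):
                findings.append(f"{entry}: {src} -> {dst} is encrypted but would be NATed first; add a deny to ACL {nat_acl_name}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against "show running-config" output saved to a file; the two findings it prints for the constructed snippet disappear once the group name is corrected and the missing deny line is added.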

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

NAT (Network Address Translation)


Although there are many guides and plenty of material on it, I believe NAT is a very important topic, and understanding it is essential for advancing in the network security field.
The first thing to understand is that IPv4 address space is very limited and has effectively run out. To make it last a bit longer before the move to the new standard (IPv6), the concept of "private IP" was developed: address ranges known only to the LAN, reserved for this purpose by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
When we see an IP from one of these ranges we can safely assume it is not routable on the public internet (it is known only to the LAN).

It is all nice and easy until we need to use one of those addresses to access the internet. For example:
we have a PC with the IP 192.168.0.10 connected to a router that has internet access, and we want the PC to reach some website.
A packet originating from the PC would travel all the way to the server, but the server would not know where to send the reply, because it knows nothing about 192.168.x.x (only the local router does).
The solution is to "hide" the 192.168.x.x address behind the well-known IP of the router (its internet IP).
The packet from the PC arrives at the router, which replaces the source IP with its own and sends it on to the server; the server replies to the router's IP.
The reply travels back to the router, which replaces the destination IP with the original one (the 192.168.x.x, seeing as this is the way back) and forwards it to the PC.

Seems easy. Now think of a network of 100, or better 1000, devices: how can the router keep track of all the translations?
For this purpose the mechanism of PAT (port address translation) was developed. Simply put, it is
a table containing all the translations made by the router. Each PAT entry holds the inside source IP (the originating device) and source port (a random port chosen by the PC for one specific session), the translated port the router picked for that session, and the destination IP (the end server) and destination port (decided by the server, most of the time one of the well-known ports). The translated port is what lets the router tell the replies of a thousand clients apart when they all arrive at the same public IP.

Up to now I spoke about the way out, but what about a server with an internal IP, for example a web server at 172.20.20.80?
When a client on the internet wishes to establish a connection to the server it cannot reach 172.20.20.80, as it is not a routable IP.
So we have to use NAT the other way round and translate the public IP to the internal one. In this case a simple hide NAT (like the previous scenario) will not work, because there is no PAT entry for a connection that nobody on the inside started. There are 2 ways of creating a permanent entry: port forwarding, or one-to-one NAT (also known as static NAT).
Port forwarding creates an entry that says: a packet with ANY source address and port going to a SPECIFIC destination address and port goes to the internal IP on a specific port (which may be changed at the moment of translation).
One-to-one NAT creates a similar rule, in this case: a packet with ANY source IP and port going to the public destination IP on ANY port goes to the preset internal IP.
In other words, only the destination IP is translated.
Static NAT is a good solution when there are many port forwards to create and more than one public IP is available. The price is that every port of the internal host becomes reachable from the internet, so a static NAT must always be paired with a firewall rule that permits only the intended services.

So we have discussed when we need NAT on the inside and on the outside; there are also times when we need NOT to NAT.
Most routers sold today not only have the NAT function but have it enabled by default, yet we may have a direct link between a few sites, a VPN tunnel, or servers with public IPs, where translating would either break the traffic (a VPN's crypto ACL never matches a packet that has already been translated) or require a long, unnecessary set of rules. In those cases the traffic is excluded from NAT, like the "deny" lines in the NAT access list of the VPN post above.
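To make the three translation types concrete, here is an added example written for this page (not code from the original post or from any router vendor): a toy router in Python that keeps a PAT table for outbound flows and answers inbound packets from the PAT table, a port-forwarding table or a static one-to-one mapping, in that order. The public addresses, the forwarded port and the inside hosts are constructed for the example; entries never age out and ports are never reused, which a real implementation must handle.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet's addressing, as the router sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy NAT/PAT router: hide NAT for outbound flows; PAT lookup, port forwarding
    and static one-to-one NAT for inbound ones. Entries never age out and ports are
    never reused (a real implementation has to handle both)."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.pat_table = {}       # (translated port, remote ip, remote port, proto) -> (inside ip, inside port)
        self.port_forwards = {}   # (public port, proto) -> (inside ip, inside port)
        self.static = {}          # public ip -> inside ip (one-to-one)

    def outbound(self, flow):
        """Inside -> internet. Returns the translated flow that leaves the router."""
        # A host with a static one-to-one mapping keeps its own public IP; only the IP changes.
        for public_ip, inside_ip in self.static.items():
            if inside_ip == flow.src_ip:
                return Flow(public_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        # Everyone else is hidden behind the router's IP. The translated port is the
        # only thing that tells a thousand clients apart when they talk to the same server.
        port = next(self._next_port)
        self.pat_table[(port, flow.dst_ip, flow.dst_port, flow.proto)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port, flow.proto)

    def inbound(self, flow):
        """Internet -> inside. Returns the translated flow, or None when no entry exists (packet dropped)."""
        # 1. A reply to a flow an inside host started: look it up in the PAT table.
        key = (flow.dst_port, flow.src_ip, flow.src_port, flow.proto)
        if flow.dst_ip == self.public_ip and key in self.pat_table:
            inside_ip, inside_port = self.pat_table[key]
            return Flow(flow.src_ip, flow.src_port, inside_ip, inside_port, flow.proto)
        # 2. Port forwarding: any source, one specific public port -> inside host and port.
        if flow.dst_ip == self.public_ip and (flow.dst_port, flow.proto) in self.port_forwards:
            inside_ip, inside_port = self.port_forwards[(flow.dst_port, flow.proto)]
            return Flow(flow.src_ip, flow.src_port, inside_ip, inside_port, flow.proto)
        # 3. Static one-to-one: any source, any port; only the destination IP changes.
        if flow.dst_ip in self.static:
            return Flow(flow.src_ip, flow.src_port, self.static[flow.dst_ip], flow.dst_port, flow.proto)
        return None


def demo_router():
    """The scenarios from the post: a browsing PC, a port-forwarded web server and a static NAT.
    Public addresses are constructed from the TEST-NET-3 documentation range."""
    router = NatRouter("203.0.113.1")
    router.port_forwards[(8080, "tcp")] = ("172.20.20.80", 80)   # public :8080 -> web server :80
    router.static["203.0.113.2"] = "172.20.20.25"                # second public IP, one-to-one
    return router
```

Note the order inside inbound(): the PAT table is consulted before the port forwards, so a forwarded port can never shadow the reply of an inside client, and the static mapping is last because it matches every port, which is exactly why it needs a firewall rule in front of it.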


Internet Debug


I would like to devote a post to explaining basic debugging methods for internet issues.
First of all I want to explain my approach to the process itself: I believe that in order to solve a problem we first have to understand why it occurs,
then find a solution, and, most important, try to avoid it in the future.

Slow / unstable connection or complete disconnections

Often an issue like this is reported by a user of a specific service that does not work properly;
most of my cases were VoIP or VPN (the connection types most sensitive to loss and jitter).
After eliminating the workstation by testing from another one (or a few, to be sure), I look at the path,
because usually this type of problem is the result of packet loss or latency somewhere along the route the packets travel.
To verify whether that is the case I run a traceroute in both directions to illustrate the path.
From the trace output we can learn whether there is latency: the hop where the round-trip time starts growing sharply is most likely the cause. One caveat: a single hop that shows high latency or "*" while all the later hops look fine is usually just that router rate-limiting its ICMP replies, not a real problem; only latency or loss that persists to every later hop counts.
Let's say the trace did not show anything and the time it took for the packet to reach the end was reasonable.
Then I ping each hop to verify whether there is any packet loss. If there is, that is the problem, and the solution is to check that device (and the one before it).
If there is none, I look for other causes: bandwidth overload, or the system resources of the gateway (router / FW).
If all of that fails, every test shows perfect results and the issue still persists, consult the destination side and have them run the same tests from their end.

To try to avoid the issue in the future I would most likely implement QoS, which, when configured properly, manages to overcome this type of issue for latency-sensitive traffic such as VoIP (it cannot fix loss on the ISP's side of the link).
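Reading a trace by eye works for five hops; for a 20-hop path the two rules above (a latency jump, and loss that persists to the end rather than at a single rate-limited hop) are easy to get wrong. The following Python script is an added example written for this page, not part of the original post: it parses Linux-style traceroute output and applies exactly those two rules. Both traces it analyses are constructed for the example (documentation address ranges); the 50 ms jump threshold is an assumption to tune for the path in question.

```python
import re
import statistics

# Constructed traceroute output (Linux format) for a path where latency jumps at hop 4.
# Hop 3 drops one probe but every later hop is clean: ICMP rate limiting, not real loss.
SAMPLE_TRACE = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.412 ms  0.380 ms  0.355 ms
 2  10.20.0.1 (10.20.0.1)  8.210 ms  8.003 ms  7.950 ms
 3  203.0.113.9 (203.0.113.9)  9.104 ms  *  9.330 ms
 4  203.0.113.57 (203.0.113.57)  95.870 ms  101.221 ms  98.550 ms
 5  198.51.100.7 (198.51.100.7)  96.112 ms  97.830 ms  96.900 ms
"""

# Same path, but hop 4 answers nothing and the destination loses two of three probes:
# loss that persists to the end of the path is the real thing.
SAMPLE_TRACE_LOSSY = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.412 ms  0.380 ms  0.355 ms
 2  10.20.0.1 (10.20.0.1)  8.210 ms  8.003 ms  7.950 ms
 3  203.0.113.9 (203.0.113.9)  9.104 ms  9.221 ms  9.330 ms
 4  * * *
 5  198.51.100.7 (198.51.100.7)  *  96.100 ms  *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")     # hop number, then the rest of the line
IP_RE = re.compile(r"\(([\d.]+)\)")           # responding address in parentheses
RTT_RE = re.compile(r"([\d.]+)\s*ms")         # each probe's round-trip time


def parse_traceroute(text):
    """One dict per hop: number, responding IP (None if silent), RTTs in ms, probes lost."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                  # header line
        number, rest = m.groups()
        ip = IP_RE.search(rest)
        hops.append({
            "hop": int(number),
            "ip": ip.group(1) if ip else None,
            "rtts": [float(x) for x in RTT_RE.findall(rest)],
            "lost": rest.count("*"),
        })
    return hops


def analyse(hops, jump_ms=50.0):
    """Flag the first hop where loss starts and persists, and any hop where the median RTT jumps."""
    findings = []
    prev_median = None
    loss_reported = False
    for i, hop in enumerate(hops):
        label = f"hop {hop['hop']} ({hop['ip'] or 'no reply'})"
        # Loss at one hop with clean hops after it is the router de-prioritising ICMP;
        # only count loss that every later hop shows as well.
        if hop["lost"] and not loss_reported and all(h["lost"] for h in hops[i:]):
            findings.append(f"{label}: packet loss starts here and persists to the destination")
            loss_reported = True
        if hop["rtts"]:
            median = statistics.median(hop["rtts"])   # median ignores one slow probe
            if prev_median is not None and median - prev_median > jump_ms:
                findings.append(f"{label}: latency jumps by {median - prev_median:.1f} ms")
            prev_median = median
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_TRACE, SAMPLE_TRACE_LOSSY):
        for finding in analyse(parse_traceroute(sample)):
            print(finding)
```

Feed it "traceroute -n -q 5 <target>" output from both ends of the connection; the hop it names is where the ping-each-hop step above should start.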


Cisco ASA Device Manager

Hi all,

When working with a Cisco firewall (PIX / ASA) we can get lost in the CLI. To make the job a bit easier we can use the GUI management tool provided by Cisco, the ASDM.

Enabling it is very simple, two steps.
First enable the feature and configure the port on which the ASA will listen for requests:
http server enable 4430
In my case I wanted to use port 4430 (the default is 443).

Then allow access for the end host / network:
http 10.10.10.0 255.255.255.0 inside
So basically I allow all hosts coming from 10.10.10.0/24 to access the ASDM, as long as they arrive via the interface 'inside'.
The "http" statement is the only thing standing between the network and the management plane, so keep it limited to the management subnet and never add one for the outside interface. Also define the administrators properly ("aaa authentication http console LOCAL" with named users, or a AAA server) rather than letting ASDM log in with the enable password alone.



LAB - Recursive Routing

I would like to share an interesting case I encountered. I had a network that looks something like this:



From the bottom up: a switch with the LAN hosts, connected to a firewall. The firewall is connected to 2 routers, each with its own WAN access (2 different ISPs).

For the routing there is eBGP from each router to its ISP and iBGP between the firewall and the routers (there is no peering between the routers themselves).


I will post the configuration from a simulation I did to illustrate this using Cisco routers:

FW:

interface FastEthernet0/0
 description To Router-1
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 description To Router-2
 ip address 192.168.13.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.12.2 remote-as 1
 neighbor 192.168.13.3 remote-as 1
 no auto-summary

Router-1:

interface FastEthernet0/0
 description To FW
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/1
 description To ISP-1
 ip address 172.24.24.2 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 172.24.24.4 remote-as 2
 neighbor 192.168.12.1 remote-as 1
 no auto-summary

Basically the same thing on Router-2.

From the FW (show ip route):

Gateway of last resort is 192.167.24.4 to network 0.0.0.0

C    192.168.13.0/24 is directly connected, FastEthernet0/1
C    192.168.12.0/24 is directly connected, FastEthernet0/0
B    192.167.24.0/24 [200/0] via 192.167.24.4, 00:00:48
B*   0.0.0.0/0 [200/0] via 192.167.24.4, 00:00:48
The issue occurred after a hardware failure: one of the routers went down and, as a result, the firewall lost its WAN access.

While debugging, I found there was no default route in the firewall's routing table, but there was one in its BGP table. The route learned via BGP was pointing to the IP of ISP-2 (the one still up), and later I discovered there was no route to that next hop either.

The reason was very basic: the same iBGP peer taught us both the default route and the path to the network in which its next hop resides, and both carried the same unchanged next hop (the ISP's address), because iBGP passes an eBGP-learned next hop through untouched. A BGP route is only installed when its next hop resolves through the routing table, and the only route covering that next hop was itself a BGP route pointing to the very same address, so neither could be installed: the default route was recursively unresolvable.

There are a few ways of solving this. Adding "next-hop-self" to the firewall's neighbor settings on each router, so the FW sees the router's own directly connected address as the next hop:

router bgp 1
 neighbor 192.168.12.1 next-hop-self

Advertising the point-to-point network from the local router, with "redistribute connected" or just "network 172.24.24.0 mask 255.255.255.0" under "router bgp 1" (a locally originated route is sent to the iBGP peer with the router's own interface address as next hop, which the FW can resolve over its connected route).

And there is also a workaround: on the FW, create a static route for the network 172.24.24.0, "ip route 172.24.24.0 255.255.255.0 FastEthernet0/0 192.168.12.2". The static route has a lower administrative distance (1) than the iBGP one (200), so it wins and gives the BGP next hop something non-recursive to resolve through. Prefer next-hop-self: the static workaround has to be repeated for every ISP link and silently breaks when addresses change.
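The recursion is easier to see with a small model. The following Python is an added example written for this page (not from the original post or any vendor): a minimal routing table with longest-prefix lookup and IOS-style recursive next-hop resolution, populated with the firewall's routes as they are when only Router-1 (ISP-1 at 172.24.24.4) is left, using the addresses from the configurations above. It reproduces the failure (the default route's next hop resolves only through itself) and both fixes (next-hop-self and the static workaround); the loop detection and the administrative distances are the assumptions the model makes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[str] = None      # None for a connected route
    interface: Optional[str] = None     # set for connected routes and interface-bound statics
    source: str = "static"
    ad: int = 1                         # administrative distance: connected 0, static 1, iBGP 200


class Rib:
    """Minimal routing table with IOS-style recursive next-hop resolution."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop=None, interface=None, source="static", ad=1):
        self.routes.append(Route(ipaddress.IPv4Network(prefix), next_hop, interface, source, ad))

    def lookup(self, ip):
        """Longest-prefix match; ties broken by lower administrative distance."""
        addr = ipaddress.IPv4Address(ip)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.network.prefixlen, -r.ad))

    def resolve(self, next_hop, max_depth=8):
        """Follow next hops until a route with an outgoing interface is reached.
        Returns (interface, gateway), or None when the hop is unreachable or the
        recursion loops back on itself (the failure mode from the post)."""
        seen = set()
        hop = next_hop
        for _ in range(max_depth):
            route = self.lookup(hop)
            if route is None:
                return None
            if route.interface is not None:
                return route.interface, route.next_hop or hop
            if route.next_hop in seen:
                return None                       # route recurses through itself
            seen.add(route.next_hop)
            hop = route.next_hop
        return None


def firewall_rib(fix=None):
    """The FW's table with only Router-1 up: everything comes from it over iBGP.
    fix: None (as found), 'next-hop-self' (Router-1 rewrites the next hop to 192.168.12.2)
    or 'static' (the ip route workaround on the FW)."""
    rib = Rib()
    rib.add("192.168.12.0/24", interface="FastEthernet0/0", source="connected", ad=0)
    rib.add("192.168.13.0/24", interface="FastEthernet0/1", source="connected", ad=0)
    isp_hop = "192.168.12.2" if fix == "next-hop-self" else "172.24.24.4"
    rib.add("172.24.24.0/24", next_hop=isp_hop, source="ibgp", ad=200)   # the P2P net, via the same peer
    rib.add("0.0.0.0/0", next_hop=isp_hop, source="ibgp", ad=200)        # the eBGP default, next hop unchanged
    if fix == "static":
        rib.add("172.24.24.0/24", next_hop="192.168.12.2", interface="FastEthernet0/0", source="static", ad=1)
    return rib


def default_route_usable(rib):
    """Whether the default route can be installed: its next hop must resolve to an interface."""
    default = next(r for r in rib.routes if r.network.prefixlen == 0)
    return rib.resolve(default.next_hop)


if __name__ == "__main__":
    for fix in (None, "next-hop-self", "static"):
        print(f"{fix or 'no fix':14} -> {default_route_usable(firewall_rib(fix))}")
```

The unfixed case returns None because looking up 172.24.24.4 lands on the 172.24.24.0/24 BGP route whose next hop is 172.24.24.4 again; the static route wins the lookup for the same prefix only because of its lower administrative distance, which is why it works as a workaround but not as a design.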




Check Point - Basic Config


After a few requests from a colleague of mine, I would like to upload a brief guide on the basic configuration and troubleshooting of a Check Point firewall.

So let's start from the beginning. Most of the configuration is done via the GUI client of the firewall, the SmartDashboard; to use it we just need our login credentials and the IP of the "Management" server (the device responsible for managing the actual gateways, i.e. the firewalls).

As soon as we log in, the first thing we see is the Policy. Like in most firewalls out there, here we find the "rules" we wish to apply to our network. By default we get a firewall with one purpose in life: block all traffic. At this point we need to change that and add rules that pass some traffic (according to the security policy of our organization) and of course block everything else.


For example: we wish to allow web access from one host in our network to any destination out there.

To create the new rule use Rules > Add Rule > Top.
Let's stop here for a moment: the position of the rule in the policy is very important. The firewall evaluates the rules top to bottom until the first match, so if we put a rule in the wrong place we may not get the desired result.

After we create the rule, we get one that says "any source to any destination on any service/port gets dropped".

To change it, simply click each column and change it to the desired content. In our case we click the Source column, choose New (for a new host object) and give the host we wish to allow web access a name and an IP. When we click OK the rule becomes
"New Host to any destination on any service/port gets dropped".

Now let's add one more object, the service: click the Service column, add HTTP, then click Action and change it to Accept.

Now we have the following rule: "from New Host to any destination on TCP port 80: accept".

So at the moment we have 2 rules: one that allows "New Host" to use HTTP to any destination, and another (the cleanup rule) that blocks all other traffic.


Now let's assume "New Host" is a PC in our LAN and it has a private IP, for example 192.168.0.1.

As we all know, a private IP cannot be routed across the internet, so we have to add NAT (make the firewall hide the IP for the sake of web browsing).

So we need to create a NAT statement for this type of traffic; to do so, use the NAT section.

A big surprise: another policy page. Use it the same way as the firewall policy and create a new rule (remember, the position is very important).

Change the Original Source to our "New Host" to match our traffic, the service to HTTP, and the Translated Source to a host object with a routable (public) IP, normally the gateway's own external address. Check Point calls this a Hide NAT; it is the PAT described in the NAT post.

So the new NAT rule says: "look for any HTTP packet with the source of New Host and change the source IP to the routable IP".

So now New Host can browse the internet. But let's say that after a few hours we see that the user is overloading the internet line, and we decide to limit the browsing a bit: block access to youtube.com and block all Facebook applications (only allow the site itself).

To do so, go to the "Application & URL Filtering" section and add our gateway there (to enable this blade on our gateway), then navigate to Applications/Sites. Here we create a new group, name it, click Add, and add all the content we wish to block: in our case search for "facebook" and select everything. For YouTube we need to create a site, so New > Site, and add "youtube.com" and "*.youtube.com" (the wildcard form covers www.youtube.com and the other subdomains; the bare name alone matches only the apex).

Now to the policy: here too we create a new rule. Source is our host (New Host), destination is the Internet, application/site is the two objects we just created, and of course the action is Block.

To be sure all other sites are allowed, create another rule below it that allows everything from New Host to the Internet. Order matters here just as in the access policy: if the allow rule sits above the block rule, the block never matches.

This should cover some of the basic configuration of the Check Point firewall.
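Both policies above are first-match lists, and both steps (the access rule and the application rule) rely on their position. The following Python is an added example written for this page, not code from the original post or from Check Point: a small evaluator that walks an access policy top to bottom, then an application policy for accepted web traffic, so the effect of rule order can be checked without a gateway. The objects mirror the post (New Host is 192.168.0.1); the destination address and site names are constructed, and the "*.domain" wildcard handling is an assumption that matches the post's use of it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One row of the access policy; 'any' is a wildcard in every column."""
    name: str
    src: str          # 'any', a host IP or a CIDR
    dst: str
    service: str      # 'any' or a service name such as 'http'
    action: str       # 'accept' or 'drop'


@dataclass
class AppRule:
    """One row of the Application & URL Filtering policy, matched on the site name."""
    name: str
    src: str
    sites: tuple      # 'youtube.com' (apex only), '*.youtube.com' (any subdomain) or 'any'
    action: str       # 'accept' or 'block'


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _site_match(pattern, host):
    if pattern == "any":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # '*.youtube.com' -> '.youtube.com' suffix
    return host == pattern                      # bare name: the apex only


def first_match(policy, src_ip, dst_ip, service):
    """Access policy: top to bottom, the first matching rule decides. No match -> implicit drop."""
    for rule in policy:
        if _addr_match(rule.src, src_ip) and _addr_match(rule.dst, dst_ip) and rule.service in ("any", service):
            return rule.action, rule.name
    return "drop", "implicit"


def app_decision(app_policy, src_ip, host):
    """Application layer, consulted only for traffic the access policy already accepted."""
    for rule in app_policy:
        if _addr_match(rule.src, src_ip) and any(_site_match(p, host) for p in rule.sites):
            return rule.action, rule.name
    return "accept", "implicit"


def decide(policy, app_policy, src_ip, dst_ip, service, host=None):
    """Combined verdict: access policy first, then the application policy for web traffic."""
    action, name = first_match(policy, src_ip, dst_ip, service)
    if action != "accept" or host is None:
        return action, name
    return app_decision(app_policy, src_ip, host)


# The two policies built in the post (constructed objects; 192.168.0.1 is "New Host").
ACCESS_POLICY = [
    Rule("allow-web", "192.168.0.1", "any", "http", "accept"),
    Rule("cleanup", "any", "any", "any", "drop"),
]
APP_POLICY = [
    AppRule("block-video-social", "192.168.0.1",
            ("youtube.com", "*.youtube.com", "facebook.com", "*.facebook.com"), "block"),
    AppRule("allow-rest", "192.168.0.1", ("any",), "accept"),
]


if __name__ == "__main__":
    print(decide(ACCESS_POLICY, APP_POLICY, "192.168.0.1", "203.0.113.5", "http", "www.youtube.com"))
    # the same access policy with the cleanup rule on top: the allow rule can never match
    print(first_match(list(reversed(ACCESS_POLICY)), "192.168.0.1", "203.0.113.5", "http"))
```

The reversed-policy call shows the mistake the post warns about: with the cleanup rule on top, New Host's HTTP is dropped before the allow rule is ever consulted, and no amount of editing the allow rule itself will change that.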




Fortigate v4 SSL-VPN

Even though it is one of the simplest features to set up, here is a configuration guide, just in case.

First, via the CLI:

  • create a user for the connections (the password is a placeholder; use a strong one, and on a production box prefer a remote authentication server or two-factor authentication):

config user local
    edit "test"
        set type password
        set passwd qwe123
    next
end

  • create a user group bound to an SSL-VPN portal:

config user group
    edit "SSL_USERS"
        set sslvpn-portal "full-access"
        set member "test"
    next
end

  • create an address object for the tunnel-mode client pool:

config firewall address
    edit "SSLVPN_ADDR1"
        set subnet 10.212.134.0 255.255.255.0
    next
end

  • add the pool to the SSL-VPN settings:

config vpn ssl settings
    set idle-timeout 500
    set tunnel-ip-pools "SSLVPN_ADDR1"
end

  • finally the policy: a few rules, from the internet to the portal, and from the portal to where you need and back. "EXT" and "INT" are my external and internal interfaces and "LAN1" / "LAN2" are address objects for my LAN networks, created beforehand; the policy IDs are the next free ones. The last two rules must reference the pool object created above, or they will never match the clients' tunnel addresses. In my case:

config firewall policy
    edit 1
        set srcintf "EXT"
        set dstintf "ssl.FGT"
        set srcaddr "all"
        set dstaddr "LAN1" "LAN2"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "SSL_USERS"
                set service "ANY"
            next
        end
    next
    edit 2
        set srcintf "ssl.FGT"
        set dstintf "INT"
        set srcaddr "SSLVPN_ADDR1"
        set dstaddr "LAN1" "LAN2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "INT"
        set dstintf "ssl.FGT"
        set srcaddr "LAN1" "LAN2"
        set dstaddr "SSLVPN_ADDR1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

Rule 3 is only needed if hosts on the LAN must initiate connections to the VPN clients; without it the clients can still reach the LAN and get their replies. Rules 2 and 3 use service "ANY"; in practice restrict them to the services the remote users actually need.

Now the same thing via the GUI, in the same order as the CLI steps (screenshots): User, User group, Firewall address, SSL-VPN settings, Firewall policy rules.
