hzw -

My notes about IT, security, CCIE Security journey, routers, firewalls and many more…To contact me, send an email to: myitmicroblog@gmail.com


Remote Access VPN (IPsec) - IOS - isakmp/ipsec profiles

The last requirement from my previous post is controlling what kind of traffic a VPN user can send over the tunnel.
On a Cisco ASA you can simply attach a vpn-filter to the group policy:

Asa1(config)# group-policy MyGroup attributes
Asa1(config-group-policy)# vpn-filter value acl_vpn

but with IOS we don't have that possibility. The first solution is a RADIUS server and configuring downloadable ACLs per user. If you don't have any external server, you can change the config a bit and start using VTIs (Virtual Tunnel Interfaces) along with ISAKMP and IPsec profiles. Let's start.

First, I have to add the ISAKMP profile and match all the settings I configured previously under the crypto map:

!
crypto isakmp profile ISAKMP-PRF
 match identity group CG
 client authentication list USERS
 isakmp authorization list AUTH-LIST
 client configuration address respond
 client configuration group CG
...



Remote Access VPN (IPsec) - IOS

Today I would like to implement a remote access VPN (IPsec) on a Cisco router and go through the features you can enable or disable.

[Image: ra-ipsec1.jpg]

As for any IPsec VPN, we need an ISAKMP policy (phase 1):

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!

In the next step I add a pool of IP addresses that will be allocated to users:

!
ip local pool POOL 4.4.4.4 4.4.4.40
!
crypto isakmp client configuration address-pool local POOL
!

Now I add the client configuration group:

!
crypto isakmp client configuration group CG
 key cisco
 pool POOL
!

I can now reference this group from the AAA configuration:

!
aaa new-model
!
aaa authorization network AUTH-LIST local
!

I have to specify where the user database is (local, ACS, etc.):

aaa authentication login USERS local

username cisco password 0 cisco

The ISAKMP part is complete, and now I can add the IPsec transform set:

crypto ipsec transform-set TS esp-aes
...



VPN - GRE over IPsec SSO

As promised in my last post, I will add stateful switchover to the following scenario:

[Image: blog-gre-over-ipsec3.jpg]

The first step is to remove Tunnel1 from r5 and r4 and then add Tunnel0 on r4. Next comes the HSRP implementation and changing the 'tunnel source' on r3 and r4:

R4:

!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.1.0.4
   remote-port 5000
    remote-ip 10.1.0.3
!
redundancy inter-device
 scheme standby VPN
!
!
interface FastEthernet0/1
 ip address 10.1.0.4 255.255.255.0
 standby 0 ip 10.1.0.100
 standby 0 preempt
 standby 0 name VPN
 standby 0 track 1 decrement 10
 standby 0 track 2 decrement 10
 standby 0 track 3 decrement 10
!
!
interface Tunnel0
 ip address 7.7.7.4 255.255.255.0
 tunnel source 10.1.0.100
 tunnel destination 10.1.0.5
 tunnel protection ipsec profile IPSEC-PRF
!

R3:

!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port
...



VPN - GRE over IPsec

Today I would like to play with GRE tunnels and protecting them with IPsec profiles. Below is the scenario I use today:

[Image: blog-gre-over-ipsec1.jpg]

R3:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS
!
interface Tunnel0
 ip address 7.7.7.3 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 10.1.0.5
 tunnel protection ipsec profile IPSEC-PRF
!
router eigrp 10
 network 7.7.7.0 0.0.0.255
 network 10.2.0.0 0.0.0.255
!

And R5:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PRF
 set transform-set TS
!
interface Tunnel0
 ip address 7.7.7.5
...



IPsec High Availability (stateful)

Today I would like to set up HA for the VPN using a slightly different scenario compared to the one from the previous post:

[Image: blog-IPsec_HA_141110.png]

As you can see, there is only one link from the branch router (r5), and in the HQ the routers have external IPs from the same subnet. I can implement HSRP there, and I set up the tunnel between r5 and the VIP (10.1.0.100). I also removed HSRP from the HQ LAN and added RRI (Reverse Route Injection). For a better user experience I add the 'stateful' option by enabling SSO (Stateful Switchover).

Instead of two peers in the crypto map on r5 we need only one IP address (the VIP):

R5(config-crypto-map)# no set peer 10.1.0.3
R5(config-crypto-map)# no set peer 10.3.0.4
R5(config-crypto-map)# set peer 10.1.0.100

I don’t need DPD (Dead Peer Detection) in this scenario:

no crypto isakmp keepalive 10 periodic

I disable HSRP on the inside interfaces of r3 and r4:

R3(config)# int fa0/0
R3(config-if)# no standby 1
R4(config)# int
...



IPsec High Availability

Today I would like to test one HA scenario for a VPN solution. I have one HQ and one branch. In the HQ I have two VPN routers, and there are two separate links between them.

[Image: blog-IPsec_HA_141109.png]

In this case I configure a typical IPsec crypto map with two peers on R5:

crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.3
 set peer 10.3.0.4

I need to enable one feature, Dead Peer Detection (DPD; enabled by default on the ASA), which allows switching to the second peer if the first one fails:

crypto isakmp keepalive 10 periodic

This protocol checks peer availability by sending R_U_THERE messages. More information can be found here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

The primary tunnel is r5 - r3 and the secondary one is r5 - r4. In my case both have exactly the same EIGRP parameters, so I have to change the default delay parameter to...


ASA - transparent firewall on 8.3 and 8.4

I need to implement a transparent firewall between r1 and r2. Ping and the BGP session have to be allowed.

  10.0.0.1        10.0.0.100          10.0.0.2
  /----\            -----             /----\
 |  R1  |----------| ASA1 |----------|  R2  |
  \----/            -----             \----/

          vlan10 ---->| <---- vlan20                    

1) Cisco Adaptive Security Appliance Software Version 8.3(1)

First I configure the minimum requirements for a BGP session between r1 and r2:

R1:

!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65001
!

R2:

!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
!
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001
!

The ASA is in 'transparent mode':

ASA1:

!
firewall transparent
hostname asa1
!
!
interface Ethernet0/0.10
 vlan 10
 nameif outside
 security-level 0
!
...



ASA Active/Active Failover - why the interface status is unknown/waiting/failed/not-monitored?

Let's look at my scenario, where ASA1 and ASA2 have two contexts; 'c1' is primary on ASA1 and 'c2' is primary on ASA2:

          R1                         R4  
       10.0.0.1                  172.16.1.1
          |                          |
          |                          |
       Fa1/0/9                    Fa1/0/15  
       ------------------------------------
      |               sw1                 | 
       ------------------------------------ 
        Fa1/0/3                    Fa1/0/7
         |   |                      |   | 
         |   |                      |   |
 eth0/1.20  eth0/1.30       eth0/1.20  eth0/1.30
 10.0.0.10  172.16.1.11     10.0.0.11  172.16.1.10 
     -------------    folink    ------------- 
    |    asa1     | <--------->|    asa2     |
    | |---| |---| |            | |---| |---| |
    | |c1 | |c2 | |            | |c1 | |c2 | |
    | |-P-|
...



Transparent Firewall (IOS) and CBAC - dhcp-passthrough

Today I'd like to implement an L2 firewall on a Cisco router using CBAC. A few months ago I did a similar lab, but today I'd like to add a new requirement:

  • allowing DHCP packets across the L2 firewall.

              fa1/0/11                     fa1/0/13
  /----\          \ -----------------------  /          /----\
 |  R2  |----------|          SW            |----------|  R3  |
  \----/ \          -----------------------           / \----/
         gig0/0       /\    /----\   / \            fa0/0
 10.0.0.1        fa1/0/9 - |  R1  |-   fa1/0/10       dhcp client
 dhcp server              / \----/  \                     
                      gig0/0  |     gig0/1
                              |                               
             VLAN 10        L2 FW               VLAN 20
   --------------------------->|<----------------------------

At the beginning, to test connectivity and...



Internet of Things – are we ready?

In my last post I presented my concept of how to secure the IoT. I'm aware that it is not a full specification or a guide on how to do that. I wanted to start a discussion because I see many weaknesses that can threaten the overall concept of the IoT.
As you are probably aware, every system and network has vulnerabilities. The question is when we discover them. I assume the same will be true of the IoT. It doesn't matter how strongly we secure the end points; there will always be someone who wants to break our protection. Let's analyze the impact of a DDoS attack on the IoT. Today, being under attack means you can lose your money and sometimes your reputation, but I don't think it can really endanger your life or someone else's. Now we are just before a big step that introduces us into a new era. Imagine a situation where everything is 'connected', which means it can be targeted by hackers. If...
