
Tuesday, September 28, 2010

Getting started with Cisco ASA

Recently my company gave me a Cisco ASA box to play around with, so let's get started.

I'm using a Cisco ASA 5510.

Console into it. I would like to start from zero, so I'll reset it to the factory default settings.

vpn-lab# conf t
vpn-lab(config)# conf factory-default
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256
......
ciscoasa(config)#wri mem
ciscoasa(config)#reload

This resets the box to the factory-default configuration; remember to save to the startup config and reload.

In the meantime, go to cisco.com to download the latest ASA and ASDM software.

Here I downloaded ASA version 8.2(3). Make sure to download the compatible ASDM version (you can read it from the description), and save both files to your TFTP server's folder.

Let's upgrade it now. I have a TFTP server at address 172.16.1.1.

ciscoasa# copy tftp flash

Address or name of remote host []? 10.239.131.3

Source filename []? asa823-k8.bin

Destination filename [asa823-k8.bin]?
Do the same for ASDM:

ciscoasa# copy tftp disk0:

Address or name of remote host [10.239.131.3]?

Source filename [asa823-k8.bin] asdm-634.bin

Destination filename [asa823-k8.bin]?

Now both files should be in the ASA's flash. Point the box at them:

ciscoasa(config)# boot system disk0:/asa823-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-634.bin
ciscoasa(config)# wri mem
ciscoasa(config)# reload

To confirm everything is OK:

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)6
Device Manager Version 6.0(2)

Compiled on Thu 17-Jan-08 17:42 by builders
System image file is "disk0:/asa803-6-k8.bin"
Config file at boot was "startup-config"

...

To access ASDM, configure the management interface.

ciscoasa# sh int ip br
...
Management0/0              192.168.1.1     YES CONFIG up                    up

Check the interface IP address:

ciscoasa# sh run interface management 0/0
!
interface Management0/0
..
 ip address 192.168.1.1 255.255.255.0
 management-only

Make sure DHCP is enabled on the interface, so you only need to plug an RJ-45 cable from your host into the ASA management interface, without setting anything on the host:

ciscoasa# sh run | i dhcpd
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management

If those lines are not there, just apply the two of them. Now open your browser, go to https://192.168.1.1 and launch ASDM.

What if you want to access it from your network? For example, your subnet is 172.16.1.0/24 and the gateway is 172.16.1.99.

First set a default route on the management interface:

ciscoasa# route management 0.0.0.0 0.0.0.0 172.16.1.99

and set the IP address on the interface:

ciscoasa(config)# int management 0/0
ciscoasa(config-if)# ip address 172.16.1.5 255.255.255.0


The last thing to do is to define the range of IP addresses allowed to access the ASA over HTTPS/ASDM.
In this lab I permit any IP address:

ciscoasa(config-if)# http 0.0.0.0 0.0.0.0 management

Outside a lab, restrict this to your administration subnet instead of any address: this line decides who can even reach the ASDM login page on the management interface.

Sunday, September 26, 2010

EIGRP route summarization, default gateway, variance and passive-interface

This lab covers route summarization, a default gateway using the ip default-network command, variance and the EIGRP passive-interface concept.

R1

interface Loopback11
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback12
 ip address 172.16.2.1 255.255.255.0
!
interface Loopback13
 ip address 172.16.3.1 255.255.255.0
!
interface Loopback14
 ip address 172.16.4.1 255.255.255.0
!
interface Loopback15
 ip address 172.16.5.1 255.255.255.0

interface Serial0/0
 ip address 30.30.12.1 255.255.255.252
 clock rate 56000

interface Serial0/1
 ip address 30.30.13.1 255.255.255.252
 clock rate 56000

router eigrp 1
 network 30.0.0.0
 network 172.16.0.0
 no auto-summary

R2
interface FastEthernet0/0
 ip address 30.30.23.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 30.30.12.2 255.255.255.252
 clock rate 2000000

router eigrp 1
 network 30.0.0.0
 no auto-summary

R3
interface FastEthernet0/0
 ip address 30.30.23.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 30.30.13.2 255.255.255.252
 clock rate 2000000
router eigrp 1
 network 30.0.0.0
 no auto-summary

Route Summarization 

show ip route on R2 and R3 lists every 172.16.x.x prefix. What if you had thousands of prefixes? Your routing table would be a mess. To reduce this, we can summarize them.

R2>sh ip rou
..
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.4.0 [90/2297856] via 30.30.12.1, 00:42:12, Serial0/0
D       172.16.5.0 [90/2297856] via 30.30.12.1, 00:42:12, Serial0/0
D       172.16.1.0 [90/2297856] via 30.30.12.1, 00:42:12, Serial0/0
D       172.16.2.0 [90/2297856] via 30.30.12.1, 00:42:12, Serial0/0
D       172.16.3.0 [90/2297856] via 30.30.12.1, 00:42:12, Serial0/0
..

So we have 172.16.1.0 to 172.16.5.0. The smallest range that contains all of the above prefixes is 172.16.0.0/21 (mask 255.255.248.0), which covers 172.16.0.0 - 172.16.7.255.

Summarization is applied on the interface; let's apply it on R1 Serial0/0:

interface Serial0/0
 ip address 30.30.12.1 255.255.255.252
 ip summary-address eigrp 1 172.16.0.0 255.255.248.0 5
 clock rate 56000
end
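The summary above was worked out by hand; as an added example (my own code, not the post's configuration) here is the same calculation in Python, plus the part of the summary that no real network occupies, which is the space the Null0 discard route created by the summary will swallow.

```python
import ipaddress

# Constructed input: the five loopback networks R1 advertises in this lab.
R1_LOOPBACKS = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24",
                "172.16.4.0/24", "172.16.5.0/24"]


def eigrp_summary(prefixes):
    """Return the smallest single prefix that covers every network given.

    Same exercise as in the post: keep the leading bits all networks share;
    the number of shared bits is the summary mask length.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = int(nets[0].network_address)
    length = min(n.prefixlen for n in nets)   # never longer than the shortest mask
    while length > 0:
        mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
        if all(int(n.network_address) & mask == first & mask for n in nets):
            break
        length -= 1
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{ipaddress.ip_address(first & mask)}/{length}")


def uncovered_space(summary, prefixes):
    """Address space the summary advertises but no real network uses.

    Traffic for these ranges is attracted by the summary and then dropped by
    the Null0 route EIGRP installs with it (the trailing '5' in the
    'ip summary-address eigrp 1 ... 5' command is that route's AD).
    """
    remaining = [summary]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        nxt = []
        for block in remaining:
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                nxt.append(block)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    s = eigrp_summary(R1_LOOPBACKS)
    print("summary:", s, "mask", s.netmask)
    print("covered but unused:", uncovered_space(s, R1_LOOPBACKS))
```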


check R2 routing table

R2>sh ip rou
....

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D       172.16.4.0/24 [90/2323456] via 30.30.23.2, 00:02:51, FastEthernet0/0
D       172.16.5.0/24 [90/2323456] via 30.30.23.2, 00:02:51, FastEthernet0/0
D       172.16.0.0/21 [90/2297856] via 30.30.12.1, 00:02:51, Serial0/0
D       172.16.1.0/24 [90/2323456] via 30.30.23.2, 00:02:51, FastEthernet0/0
D       172.16.2.0/24 [90/2323456] via 30.30.23.2, 00:02:51, FastEthernet0/0
D       172.16.3.0/24 [90/2323456] via 30.30.23.2, 00:02:51, FastEthernet0/0

You can see that the routes to 172.16.x.x are summarized into the /21 subnet. But why are the unsummarized /24s still there? Notice that they are learned via 30.30.12.2 (R3), and we didn't summarize the routes from R1 to R3.

*One more thing to remember: the longest (most specific) prefix always wins, before administrative distance is even considered. Even if the more specific route was learned from RIP, it is still preferred over a shorter prefix from EIGRP, OSPF and so on.

OK, now let's summarize those networks on R1 Serial0/1 (connected to R3) as well:

ip summary-address eigrp 1 172.16.0.0 255.255.248.0 5

Check the routing table on both R2 and R3:


R2>sh ip rou
...
     172.16.0.0/21 is subnetted, 1 subnets
D       172.16.0.0 [90/2297856] via 30.30.12.1, 00:00:41, Serial0/0

Now it looks good :)

Default Route

Let's assume 192.168.99.0/24 is the gateway to the outside network, and it's connected to R1.

Create a static route to this network on R1 and point it to Null0:

ip route 192.168.99.0 255.255.255.0 Null0

and advertise it in EIGRP 1:

router eigrp 1
 network 30.0.0.0
 network 172.16.0.0
 network 192.168.99.0
 no auto-summary

and flag it as the default network, so R2 and R3 use it as their gateway of last resort:

ip default-network 192.168.99.0

Show the routing table on R2 and R3:

R3>sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 30.30.13.1 to network 192.168.99.0

     172.16.0.0/21 is subnetted, 1 subnets
D       172.16.0.0 [90/2297856] via 30.30.13.1, 00:15:21, Serial0/0
D*   192.168.99.0/24 [90/2169856] via 30.30.13.1, 1d06h, Serial0/0
     30.0.0.0/8 is variably subnetted ....

Yes, that's correct :)

Unequal-cost load balancing using variance

Show the R1 routing table:

R1#sh ip rou
...
D       30.30.23.0/24 [90/2195456] via 30.30.13.2, 02:05:56, Serial0/1
                      [90/2195456] via 30.30.12.2, 02:05:56, Serial0/0

There are two routes with the same metric from R1 to network 30.30.23.0/24. Let's change this to simulate unequal-cost load balancing.

Raise the bandwidth on R1 Serial0/1 so that the preferred path is via R3:

interface Serial0/1
 bandwidth 256
 ip address 30.30.13.1 255.255.255.252
 ip summary-address eigrp 1 172.16.0.0 255.255.248.0 5
 clock rate 56000
end

and set R1 Serial0/0 to half of the Serial0/1 bandwidth:

..
 bandwidth 128
..

Show the routing table again; now you should see only one path:

R1#sh ip rou
..
D       30.30.23.0/24 [90/2195456] via 30.30.12.2, 00:01:47, Serial0/0

Now check the metrics to 30.30.23.0/24 in the EIGRP topology table:

R1#sh ip ei top
..
P 30.30.23.0/24, 1 successors, FD is 2195456
        via 30.30.13.2 (10537472/281600), Serial0/1
        via 30.30.12.2 (20537600/281600), Serial0/0

Now you see that the path through R3 has the lower metric, and the other path's metric is almost twice as large.

Now apply this line:

router eigrp 1
 variance 2
 network 30.0.0.0
 network 172.16.0.0
..

This line says that every feasible backup path whose metric is no more than twice the best path's metric will also be installed and load-balanced.

Show the routing table and you should see both paths again, now with unequal-cost load balancing:

R1#sh ip route
..
D       30.30.23.0/24 [90/10537472] via 30.30.13.2, 00:06:07, Serial0/1
                      [90/20537600] via 30.30.12.2, 00:06:07, Serial0/0

See... that's cool, isn't it :)
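As an added example (my own code, not from the post), the successor, feasible-successor and variance rules applied to the topology entries above, so you can check what a given variance installs before typing it in. The path tuples are copied from the R1 output; the small helper for the smallest useful variance is my addition.

```python
import math

# Constructed from the 'show ip eigrp topology' output above: for each path,
# the next hop, the metric through that neighbour and the reported distance.
R1_TO_30_30_23 = [("30.30.13.2", 10537472, 281600),   # Serial0/1, via R3
                  ("30.30.12.2", 20537600, 281600)]   # Serial0/0, via R2


def classify_paths(paths, variance=1):
    """Apply EIGRP's successor / feasible-successor / variance rules to one prefix.

    paths: list of (next_hop, metric, reported_distance).
    Returns the feasible distance, the successors, the feasible successors and
    the paths the routing table installs for this variance.
    """
    fd = min(metric for _, metric, _ in paths)
    successors = [nh for nh, metric, _ in paths if metric == fd]
    # Feasibility condition: a backup is loop-free only if the neighbour's
    # reported distance is strictly below our feasible distance.
    feasible = [nh for nh, metric, rd in paths if metric > fd and rd < fd]
    # Variance: a feasible successor is installed when its metric is at most
    # variance * FD. A path that fails the feasibility condition is never
    # installed, however large the variance.
    installed = [nh for nh, metric, rd in paths
                 if metric == fd or (rd < fd and metric <= variance * fd)]
    return {"fd": fd, "successors": successors,
            "feasible_successors": feasible, "installed": installed}


def min_variance(paths):
    """Smallest integer variance that installs every feasible successor."""
    info = classify_paths(paths)
    fs = set(info["feasible_successors"])
    needed = [math.ceil(metric / info["fd"]) for nh, metric, _ in paths if nh in fs]
    return max(needed, default=1)


if __name__ == "__main__":
    for v in (1, 2):
        print("variance", v, "installs", classify_paths(R1_TO_30_30_23, v)["installed"])
    print("minimum variance for both links:", min_variance(R1_TO_30_30_23))
```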

passive-interface

Check your EIGRP configuration on R1:

router eigrp 1
 variance 2
 network 30.0.0.0
 network 172.16.0.0
 network 192.168.99.0
 no auto-summary

The network lines say:
- send hello packets on every interface in these networks
- advertise all these networks

Actually it is a security hole to have every interface able to send hello packets: at any time a bad guy can plug into one of them, form a neighbor relationship and manipulate your routing.

The best practice is to make all interfaces passive (no hellos sent, but the network is still advertised) and only open the interfaces that connect to your other EIGRP routers.

Do this on R1:

router eigrp 1
 variance 2
 passive-interface default
 network 30.0.0.0

Now you will lose all your neighbors. Open Serial0/0 and Serial0/1 on R1 again:

router eigrp 1
 no passive-interface Serial0/0
 no passive-interface Serial0/1

Do the same on R2 and R3; now your routers are a lot safer :) Happy routing!

Thursday, September 23, 2010

EIGRP filtering route - GNS3

R1

router eigrp 1
 network 10.0.0.0
 network 30.0.0.0
 no auto-summary

R2
router eigrp 1
 network 30.30.12.2 0.0.0.0
 network 172.16.0.0
 no auto-summary

R3
router eigrp 1
 network 30.30.13.2 0.0.0.0
 network 192.168.0.0 0.0.255.255
 no auto-summary

*We didn't advertise the direct link between R2 and R3; just leave it that way for now.

Make sure show ip route on R1, R2 and R3 shows all the networks advertised by all three routers.

Distribute List + Access list

We'll start by filtering certain routes that EIGRP receives on a particular interface.
Let's stop 192.168.1.0 - 192.168.5.0 from being learned on Serial0/1 of R1. R2 should then not see them either, since R2 learns them via R1.

Show the current IP routes:
R1#sh ip rou
...
D    192.168.4.0/24 [90/2297856] via 30.30.13.2, 00:12:16, Serial0/1
D    192.168.5.0/24 [90/2297856] via 30.30.13.2, 00:12:16, Serial0/1
..
D    192.168.1.0/24 [90/2297856] via 30.30.13.2, 00:12:17, Serial0/1
D    192.168.2.0/24 [90/2297856] via 30.30.13.2, 00:12:17, Serial0/1
D    192.168.3.0/24 [90/2297856] via 30.30.13.2, 00:12:17, Serial0/1
...

R2#sh ip rou
D    192.168.4.0/24 [90/2809856] via 30.30.12.1, 00:12:57, Serial0/0
D    192.168.5.0/24 [90/2809856] via 30.30.12.1, 00:12:57, Serial0/0
..
D    192.168.1.0/24 [90/2809856] via 30.30.12.1, 00:12:58, Serial0/0
D    192.168.2.0/24 [90/2809856] via 30.30.12.1, 00:12:58, Serial0/0
D    192.168.3.0/24 [90/2809856] via 30.30.12.1, 00:12:58, Serial0/0
..

Notice that R2 learns these via R1.

First we need to create an access list that defines which prefixes are filtered on R1 Serial0/1 (another way to define it is with an ip prefix-list, shown below):

access-list 10 deny   192.168.0.0 0.0.255.255
access-list 10 permit any

Then apply it in EIGRP 1 as an inbound filter:

router eigrp 1
 network 10.0.0.0
 network 30.0.0.0
 distribute-list 10 in Serial0/1 
 no auto-summary

Now try show ip route on R1 and R2 again; all the routes above should be gone :)

Now let's try filtering in the outbound direction, meaning stopping routes from going out on a particular interface.

Let's filter R2's 172.16.0.0 routes so that R3 doesn't receive them; we'll stop them at R1 Serial0/1.

First, make sure show ip route on R3 has these prefixes:
R3>sh ip rou
..

     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.4.0 [90/2809856] via 30.30.13.1, 00:43:31, Serial0/0
D       172.16.5.0 [90/2809856] via 30.30.13.1, 00:43:31, Serial0/0
D       172.16.1.0 [90/2809856] via 30.30.13.1, 00:43:31, Serial0/0
D       172.16.2.0 [90/2809856] via 30.30.13.1, 00:43:31, Serial0/0
D       172.16.3.0 [90/2809856] via 30.30.13.1, 00:43:31, Serial0/0
..

Create an access list (again, an ip prefix-list would also work, shown below):

access-list 20 deny   172.16.0.0 0.0.255.255
access-list 20 permit any

Apply it in EIGRP 1:

..
 distribute-list 20 out Serial0/1
..

Now show ip route on R3 no longer shows 172.16.0.0, but R1 still sees it, because the filter only stops it from going out on Serial0/1; R1 still learns it on Serial0/0 :)


distribute-list + prefix-list + gateway 

By right, R2 and R3 should be able to see the routes to 10.1.x.x on R1:

R2#sh ip rou
..
D       10.1.3.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
D       10.1.2.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
D       10.1.1.0 [90/2297856] via 30.30.12.1, 00:02:15, Serial0/0
D       10.1.5.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
D       10.1.4.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
..

R3#sh ip rou
..
D       10.1.3.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
D       10.1.2.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
D       10.1.1.0 [90/2297856] via 30.30.12.1, 00:02:15, Serial0/0
D       10.1.5.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
D       10.1.4.0 [90/2297856] via 30.30.12.1, 00:01:46, Serial0/0
..

What we'll do is make R2 see only 10.1.1.0 and 10.1.2.0, and R3 see only 10.1.3.0 and 10.1.4.0, in their routing tables.

Create the prefix list for the interesting routes:

ip prefix-list PREFIX2 seq 5 permit 10.1.1.0/24 le 32
ip prefix-list PREFIX2 seq 10 permit 10.1.2.0/24 le 32
ip prefix-list PREFIX2 seq 15 deny 0.0.0.0/8 le 32

Create a prefix list that allows only a specific gateway to advertise routes to this router:

ip prefix-list NEG2 seq 5 permit 30.30.12.1/32
ip prefix-list NEG2 seq 10 deny 0.0.0.0/0 le 32

Apply it in EIGRP 1:

 distribute-list prefix PREFIX2 gateway NEG2 in

Now show the routes; you should see only the allowed prefixes:

R2#sh ip rou
..
     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.2.0 [90/2297856] via 30.30.12.1, 00:20:06, Serial0/0
D       10.1.1.0 [90/2297856] via 30.30.12.1, 00:20:36, Serial0/0
..

Now do the same on R3 to allow only the specific routes from R1 into its routing table :)
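As an added example (my own code, not from the post) covering both the access-list filter on R1 and the prefix-list plus gateway filter on R2 above: a small model of how IOS evaluates a wildcard-mask access list and an ip prefix-list with le/ge, including the implicit deny at the end, run over constructed inbound updates. The update lists and the 10.99.0.0/16 prefix are made up for the demonstration.

```python
import ipaddress


def acl_permits(acl, net):
    """Standard access-list test; acl = [(action, address, wildcard)].
    A bit is compared only where the wildcard bit is 0; implicit deny at the end."""
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if int(net.network_address) & care == int(ipaddress.ip_address(addr)) & care:
            return action == "permit"
    return False


def prefix_list_permits(plist, net):
    """ip prefix-list test; plist = [(action, prefix, ge, le)]. An entry matches
    when the route sits inside the entry's prefix and its mask length is within
    [ge, le]; without ge/le the length must equal the entry's. Implicit deny."""
    for action, prefix, ge, le in plist:
        entry = ipaddress.ip_network(prefix)
        lo = entry.prefixlen if ge is None else ge
        hi = entry.prefixlen if le is None else le
        if net.subnet_of(entry) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def distribute_list_in(updates, acl=None, plist=None, gateway=None):
    """Prefixes kept from inbound updates given as (prefix, next_hop) pairs.
    Models 'distribute-list <acl> in' and 'distribute-list prefix <plist>
    gateway <gwlist> in': with a gateway list the neighbour's address must
    also pass, tested as a /32."""
    kept = []
    for prefix, nh in updates:
        net = ipaddress.ip_network(prefix)
        if acl is not None and not acl_permits(acl, net):
            continue
        if plist is not None and not prefix_list_permits(plist, net):
            continue
        if gateway is not None and not prefix_list_permits(
                gateway, ipaddress.ip_network(nh + "/32")):
            continue
        kept.append(prefix)
    return kept


# access-list 10 from the post; 'permit any' is 0.0.0.0 with an all-ones wildcard.
ACL_10 = [("deny", "192.168.0.0", "0.0.255.255"), ("permit", "0.0.0.0", "255.255.255.255")]
# PREFIX2 and NEG2 from the post. The 'deny 0.0.0.0/8 le 32' entry only covers
# 0.x.x.x addresses; it is the implicit deny at the end that drops 10.1.3.0/24.
PREFIX2 = [("permit", "10.1.1.0/24", None, 32), ("permit", "10.1.2.0/24", None, 32),
           ("deny", "0.0.0.0/8", None, 32)]
NEG2 = [("permit", "30.30.12.1/32", None, None), ("deny", "0.0.0.0/0", None, 32)]
# Constructed updates: what R1 Serial0/1 hears from R3 (plus one made-up prefix
# outside 192.168/16), and what R2 hears from R1 plus a hypothetical one from R3.
R1_FROM_R3 = [(f"192.168.{i}.0/24", "30.30.13.2") for i in range(1, 6)] + [("10.99.0.0/16", "30.30.13.2")]
R2_UPDATES = [(f"10.1.{i}.0/24", "30.30.12.1") for i in range(1, 6)] + [("10.1.1.0/24", "30.30.23.2")]

if __name__ == "__main__":
    print("R1 Ser0/1 keeps:", distribute_list_in(R1_FROM_R3, acl=ACL_10))
    print("R2 keeps:", distribute_list_in(R2_UPDATES, plist=PREFIX2, gateway=NEG2))
```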


Tuesday, September 21, 2010

EIGRP metric


Prepare the config as below:

R1

interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface Loopback1
 ip address 10.239.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.239.2.1 255.255.255.0
!
interface Loopback3
 ip address 10.239.3.1 255.255.255.0
!
interface Loopback4
 ip address 10.239.4.1 255.255.255.0
!
interface Loopback5
 ip address 10.239.5.1 255.255.255.0
!
interface Loopback6
 ip address 10.239.6.1 255.255.255.0
!
interface Loopback7
 ip address 10.239.7.1 255.255.255.0
!
interface Loopback8
 ip address 10.239.8.1 255.255.255.0
!
interface Loopback9
 ip address 10.239.9.1 255.255.255.0
!
interface Serial0/0
 bandwidth 128
 ip address 10.1.12.1 255.255.255.252
 clock rate 128000
!
interface Serial0/1
 bandwidth 128
 ip address 10.1.13.1 255.255.255.252
 clock rate 128000
!
router eigrp 1
 network 10.1.0.0 0.0.255.255
 network 10.10.10.1 0.0.0.0
 network 10.239.0.0 0.0.255.255
 no auto-summary

R2

interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.151.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 128
 ip address 10.1.12.2 255.255.255.252
!
router eigrp 1
 network 10.1.12.2 0.0.0.0
 network 10.10.10.2 0.0.0.0
 network 10.151.1.0 0.0.0.255
 no auto-summary

R3

interface Loopback0
 ip address 10.10.10.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.151.1.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 128
 ip address 10.1.13.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.232.1.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.1.13.2 0.0.0.0
 network 10.10.10.3 0.0.0.0
 network 10.151.1.0 0.0.0.255
 network 10.232.1.0 0.0.0.255
 no auto-summary

----------------------------------------------------------------------

Let's get started: the ROUTING TABLE!

Start with 'sh ip route' on R1 and make sure you can see all the routes below:

     10.0.0.0/8 is variably subnetted, 17 subnets, 3 masks
C       10.1.13.0/30 is directly connected, Serial0/1
D       10.1.13.0/24 [90/21026560] via 10.1.12.2, 07:02:08, Serial0/0
C       10.1.12.0/30 is directly connected, Serial0/0
D       10.10.10.2/32 [90/20640000] via 10.1.12.2, 00:00:52, Serial0/0
D       10.10.10.3/32 [90/20640000] via 10.1.13.2, 00:00:52, Serial0/1
C       10.10.10.1/32 is directly connected, Loopback0
D       10.151.1.0/24 [90/20514560] via 10.1.12.2, 00:00:52, Serial0/0
                      [90/20514560] via 10.1.13.2, 00:00:52, Serial0/1
C       10.239.5.0/24 is directly connected, Loopback5
C       10.239.4.0/24 is directly connected, Loopback4
C       10.239.7.0/24 is directly connected, Loopback7
C       10.239.6.0/24 is directly connected, Loopback6
D       10.232.1.0/24 [90/20514560] via 10.1.13.2, 00:00:53, Serial0/1
C       10.239.1.0/24 is directly connected, Loopback1
C       10.239.3.0/24 is directly connected, Loopback3
C       10.239.2.0/24 is directly connected, Loopback2
C       10.239.9.0/24 is directly connected, Loopback9
C       10.239.8.0/24 is directly connected, Loopback8

Basically, from the diagram you can see that from R1 there are two paths to every network connected to R2 and R3, but in the routing table only network 10.151.1.0 has two routes.

Actually only the single best route is installed into the routing table, which explains why there is only one route for every network...

...EXCEPT 10.151.1.0. That is because both paths to this network have the same metric value, so the routing table installs both. So which route will R1 pick to reach that network? Well... (I haven't figured it out yet, ha2. Why don't you figure it out?)

EIGRP TOPOLOGY TABLE


There's another table storing routing information: show ip eigrp topology. Remember, only EIGRP has this! EIGRP stores every available path inside this table.

....
P 10.1.12.0/30, 1 successors, FD is 20512000
        via Connected, Serial0/0
P 10.10.10.2/32, 1 successors, FD is 20640000
        via 10.1.12.2 (20640000/128256), Serial0/0
        via 10.1.13.2 (20642560/156160), Serial0/1
P 10.10.10.3/32, 1 successors, FD is 20640000, U
        via 10.1.13.2 (20640000/128256), Serial0/1
        via 10.1.12.2 (20642560/156160), Serial0/0
P 10.10.10.1/32, 1 successors, FD is 128256
        via Connected, Loopback0
P 10.151.1.0/24, 2 successors, FD is 20514560, U
        via 10.1.13.2 (20514560/28160), Serial0/1
        via 10.1.12.2 (20514560/28160), Serial0/0
P 10.239.5.0/24, 1 successors, FD is ...


Notice that when a network has two routes, only the one with the smallest metric (or cost) makes it into the routing table, unless both routes have the same value. There are terms for this:

  • successor - the best route, the one that goes into the routing table
  • feasible successor - a backup route that only lives inside the EIGRP topology table
  • feasible distance (FD) - the overall cost; the cost between R1 and network 10.151.1.0
  • advertised distance (AD) - the cost from the neighbor to the destination network; the cost between R2 and 10.151.1.0

Let's adjust some of the metrics; there are a few methods to do this.

Let's start with OFFSET-LIST, which modifies the metric of routes learned through a particular interface. What we're going to do is add 10000 to the metric, on R1, of every route learned via Serial0/1:

R1(config)#router ei 1
R1(config-router)#offset-list 22 in 10000 serial 0/1

By right, now only one route to 10.151.1.0 is installed into the routing table, because one of the interfaces is configured to add 10000 to the metric. show ip route:

C       10.10.10.1/32 is directly connected, Loopback0
D       10.151.1.0/24 [90/20514560] via 10.1.12.2, 00:00:35, Serial0/0
C       10.239.5.0/24 is directly connected, Loopback5

show ip eigrp topology to confirm that the values are now different: compare the metric of every route learned via Serial0/1 with the previous topology table above; all of them have an extra 10000.

P 10.10.10.2/32, 1 successors, FD is 20640000
        via 10.1.12.2 (20640000/128256), Serial0/0
        via 10.1.13.2 (20652560/166160), Serial0/1
P 10.10.10.3/32, 1 successors, FD is 20640000
        via 10.1.12.2 (20642560/156160), Serial0/0
        via 10.1.13.2 (20650000/138256), Serial0/1
P 10.10.10.1/32, 1 successors, FD is 128256
        via Connected, Loopback0
P 10.151.1.0/24, 1 successors, FD is 20514560
        via 10.1.12.2 (20514560/28160), Serial0/0
        via 10.1.13.2 (20524560/38160), Serial0/1

But remember, this applies in one direction only: with this config only R1 sees the difference; there is no effect on the routes learned by R2 and R3. You can also modify the outgoing advertisements by replacing IN with OUT in the command.
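As an added example (my own code, not from the post), the composite metric arithmetic behind the FD/AD pairs above and the effect of the offset-list, reproducing the numbers in the two topology tables. Bandwidth and delay for the loopback and FastEthernet interfaces are assumed IOS defaults, since the post does not print them.

```python
# Constructed interface parameters: bandwidth in kbit/s and delay in microseconds.
# Serial links carry the 'bandwidth 128' from the configs above; loopback
# (8000000 kbit/s, 5000 us) and FastEthernet (100000 kbit/s, 100 us) are the
# IOS defaults, assumed here because the post does not show them.
SERIAL = (128, 20000)
LOOPBACK = (8000000, 5000)
FASTETHERNET = (100000, 100)


def eigrp_metric(hops):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1).

    hops: list of (bandwidth_kbps, delay_us) along the path. The metric is
    256 * (10^7 / lowest bandwidth + sum of delays / 10), using integer
    division like IOS does.
    """
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(delay for _, delay in hops)
    return 256 * (10_000_000 // min_bw + total_delay // 10)


def topology_entry(paths, offsets=None):
    """Build the '(metric/RD)' pairs of one topology-table prefix.

    paths: {interface: (local_link, neighbour_hops)}. The reported distance
    is the metric the neighbour sees from itself onward; our own metric puts
    the local link in front of it. offsets: {interface: extra} models
    'offset-list <acl> in <extra> <interface>', which adds the value to both
    numbers of every route learned on that interface.
    """
    offsets = offsets or {}
    entry = {}
    for iface, (local_link, neighbour_hops) in paths.items():
        rd = eigrp_metric(neighbour_hops)
        metric = eigrp_metric([local_link] + neighbour_hops)
        extra = offsets.get(iface, 0)
        entry[iface] = (metric + extra, rd + extra)
    return entry


# 10.151.1.0/24 as seen by R1: R2 and R3 each reach it over their FastEthernet.
NET_10_151 = {"Serial0/0": (SERIAL, [FASTETHERNET]), "Serial0/1": (SERIAL, [FASTETHERNET])}
# 10.10.10.2/32, R2's loopback: directly via Serial0/0, or via R3 across the
# FastEthernet segment and then R2's loopback.
NET_10_10_10_2 = {"Serial0/0": (SERIAL, [LOOPBACK]),
                  "Serial0/1": (SERIAL, [FASTETHERNET, LOOPBACK])}

if __name__ == "__main__":
    print("10.151.1.0/24 before offset-list:", topology_entry(NET_10_151))
    print("10.151.1.0/24 after  offset-list:", topology_entry(NET_10_151, {"Serial0/1": 10000}))
    print("10.10.10.2/32:", topology_entry(NET_10_10_10_2))
```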