Security

How to configure time-based ACL on Cisco router

2010-04-03T02:16:23Z

1. Create time period

Cisco-Router#
Cisco-router(config)# time-range WEB-time
Cisco-router(config-time-range)# periodic Monday friday 8:00 to 17:00
Cisco-router(config-time-range)# periodic Saturday 8:00 to 12:00

2. Create ACL

Cisco-router(config)# access-list 150 permit tcp any any eq www time-range WEB-time

3. Applying ACL

Cisco-router(config)# interface fa0/0
Cisco-router(config-if)# ip access-group 150 in

How to configure conditional ACL is called Lock & Key

2010-04-03T00:09:13Z

This is a sample configuration for conditional ACL is often called Lock & Key. By the authenticating, router will allow traffic for certain time.

Host IP = 10.10.12.1
Cisco-router = Fa0/0:10.10.12.2
Server IP = 10.10.23.3

1. Create Account

Cisco-router(config)# username ACCESS password cisconet

2. Create ACL

Cisco-router(config)# access-list 101 permit tcp any host 10.10.12.2 eq telnet
Cisco-router(config)# access-list 101 dynamic ACCESS timeout 2 permit ip any any

* Timeout in minute.
** dynamic ACL name ; ACCESS

3. Apply ACL

Cisco-router(config)# interface fa0/0
Cisco-router(config-if)# ip access-group 101 in

4. Configure vty

Cisco-router(config)# line vty 0 4
Cisco-router(config-line)# login local
Cisco-router(config-line)# autocommand access-enable host timeout 1

* timeout in minute

5. Verifying

From host/10.10.12.1, telnet into 10.10.12.2 to get authentication. After authenticating, router will allow traffic for host 10.10.12.1

Cisco-router#sh ip access-lists 101
Extended IP access list 101
    10 permit tcp any host 10.10.12.2 eq telnet (75 matches)
    20 Dynamic telnet permit ip any any
       permit ip host 10.10.12.1 any (49 matches) (time left 54)

Access-list(ACL) for Traceroute and Tracert

2010-03-09T03:30:29Z

Here is the sample configuration to allow traceroute(Unix or Network devices) and tracert(MS Windows)

"TraceRoute" commands of Unix and Cisco devices send UDP packets, while "TraceRT" commands in MS Windows is sending ICMP packets.
In both cases the returning packets are only ICMP. For "TraceRT".

Cisco Router#
Cisco Router#conf t
Cisco Router(config)#access-list 111 permit icmp any any time-exceeded
Cisco Router(config)#access-list 111 permit icmp any any unreachable or port-unreachable

If you want to accept ping (ICMP echo-reply), it would be like below

Cisco Router#
Cisco Router#conf t
Cisco Router(config)#access-list 111 permit icmp any any echo-reply ; (ICMP type 0)
Cisco Router(config)#access-list 111 permit icmp any any time-exceeded
Cisco Router(config)#access-list 111 permit icmp any any unreachable or port-unreachable ; (ICMP type 3)

Then, apply WAN Serial interface(in this example)

Cisco Router#
Cisco Router#conf t
Cisco Router(config)#interface serial1/1
Cisco Router(config-if)#ip access-group 111 in

* If you have outbound ACL, you need to allow UDP and ICMP echo. If you have inbound policy, then you don't need below.

Cisco Router(config)#access-list 111 permit UDP any any gt 3000
Cisco Router(config)#access-list 111 permit icmp any any echo ; Echo request (type 8)

** If you see below output, it is evidence of missing "time-exceeded (ICMP type 11)"

Cisco Router#tr 200.200.200.1

Type escape sequence to abort.
Tracing the route to 200.200.200.1

1 100.100.100.2 24 msec 24 msec 8 msec
2 * * *
3 * * *
4 * * *
5 * * *
6 200.200.200.1 44 msec 52 msec *
Cisco Router#

Security Warning - Exposed WAN Link Identity by reverse lookup

2009-09-22T02:05:30Z

If someone knows what is your IP address of WAN link, if someone knows what ISP you are currently using, if someone knows where your link is connected, isn't that scary ? Of course, that is definitely "NO GOOD". Your traffic would be the easy target for hackers.

How they know all the information? It's quit simple. Most of ISP assigns /30 IP address block for connectivity between their edge device and CPE(Customer Premises Equipment) from big chunk of reserved IP block such as /16, B class IP block. So easy to recognize WAN IP address by traceroute. I don't want to make a list of the IP blocks that ISP reserves for customer WAN link here. However, just googling the information, you will get it easily.

Another security warning on reverse-lookup data. Some of ISP update customer account#, interface and customer name on DNS reverse-lookup zone file.

Try reserve-lookup data on your WAN IP address, what information comes to you.

DOS prompt> nslookup x.x.x.x

You might surprise with the output.

If you are allocated IP block from your upstream provider, try reserve-lookup date for your IP block. It might expose your company name or IP assignment information.

Security hole is where you never expect!

How to configure Pix 515 for connecting PDM

2009-06-22T02:11:24Z

This is a quick guide for configuring Cisco PIX 515 which is discontinued model. Even though Cisco PIX 515 is kinds of old model, it provides GUI interface thru built-in software in the box. That is called PDM stands for PIX Device Manager. Definitely GUI is benefits for network admin.

First of all, here is a device I am configuring

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

pixfirewall up 1 min 9 secs

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0004.9ad0.d058, irq 11
1: ethernet1: address is 0004.9ad0.d059, irq 10
2: ethernet2: address is 0090.2710.3b1c, irq 9
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

Serial Number: 406080307 (0x18344b33)
Running Activation Key: 0x78118d39 0xf5e9f2bb 0xdb93e47e 0xd401763e
Configuration last modified by enable_15 at 02:28:10.920 UTC Mon Jun 22 2009
pixfirewall# 111009: User 'enable_15' executed cmd: show version

Here are the steps.

1. Need to console to assign IP address on Ethernet 0 port. I am using Putty.exe which is free utility you can download from Internet. From Putty configuration mode, choose Serial and Speed 9600(default). I hope you know the login info and enable password. If you don't, you need to try password recovery procedure.

2. Check name of interfaces first.

PIX-515# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security0
nameif ethernet2 intf2 security10

While you are configuring PIX 515, you will get asked ''. I thought it meant interface name such as 'Ethernet 0' or 'Ethernet 1'. Actually that is hardware-id in PIX firewall world. It means 'outside' or 'inside' as above output. Personally, I don't like the expression, but what I can do...

3. Configuring IP address on Ethernet1

As you can see the name of interface, which is 'inside'. This port will be connected to probably your switch / your network.

PIX-515(config)# ip address inside 192.168.77.1 255.255.255.0

PIX-515# sh int ethernet1
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0004.9ad0.d059
IP address 192.168.77.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
PIX-515#

4. Changing interface speed

It is very very important port to get proper performance. Especially, PIX 515 is connecting different vendors. Duplex mis-matching often causes performance issue.

Default setup is 'auto' (If line is not connected, it showed 'shutdown')

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown

If you want to make hard coded speed and duplex, specific interface can be configured like below

PIX-515(config)#interface ethernet1 100full

5. Allow your device to access PDM

PIX-515(config)#http 192.168.77.101 255.255.255.255 inside

**Important: 192.168.77.101 is your device which is attempting to access PDM.

If you are put a wrong IP address. You will see below on Cisco log

%PIX-6-605001: HTTP daemon interface int_name: connection denied from x.x.x.x

6. Enable HTTP server

PIX-515(config)#http server enable

7. Create user and password

When you access PDM, you will get asked login prompt. It is different from enable or login password for accessing PIX 515 box

PIX-515(config)# username cisco password xxxxx

8. Access PDM from your browser

Even though we are enable http, when you browse PDM, you MUST use "HTTPS".

HTTPS://192.168.77.1

Extra configurations

Map address to name

name 192.168.77.22 InternetPHONEname 192.168.77.31 Linux64
name 192.168.77.55 CiscoNET_PC

NAT

global (outside) 1 10.1.1.51-10.1.1.100 netmask 255.255.255.0global (outside) 1 10.1.1.50 netmask 255.255.255.0nat (inside) 0 access-list 101nat (inside) 1 100.1.1.0 255.255.255.0 0 0nat (management) 1 100.2.2.0 255.255.255.0 0 0

Static route

static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Access-list

access-list from-management-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside

Reference:

- PIX message index : http://www.cisco.com/en/US/docs/security/pix/pix61/system/message/pixemsgs.html#wp1032267

Modifying Access list and Prefix list

2009-05-25T03:34:03Z

Question:

Modifying Access list and Prefix list

Any one knows how to modify and update a HUGE access list and prefix list on Cisco router ?
I have about 2000 new IP blocks to add to current prefix list.
I am looking for fastest way to do it.
Any trick and tips would be help.
Thanks

Answer:

Modifying "Huge" access list & prefix list ?

Probably, there are multiple way to achieve your goal.
Here is one of simple way that I knew and used in my work. (using vi editor)

For example, you have IP blocks below. Current prefix list name = Hello

-- Raw list --
1.1.1.1/24
2.2.2.2/23
3.3.3.3/22
4.4.4.4/21
5.5.5.5/20
6.6.6.6/19
:
:
:

1. Create new file with vi editor = from prompt "vi acl" (on unix or linux)
2. Copy and paste entire list of new IP blocks into the new file just created
3. To add "ip prefix-list Hello permit" in front of raw IP blocks, follow below steps

:%s/^/ip prefix-list Hello permit /g <Enter>
(If you are not familiar with vi editor, search 'vi editor' on Internet)

Now, you will see the below

ip prefix-list Hello permit 1.1.1.1/24
ip prefix-list Hello permit 2.2.2.2/23
ip prefix-list Hello permit 3.3.3.3/22
ip prefix-list Hello permit 4.4.4.4/21
ip prefix-list Hello permit 5.5.5.5/20
ip prefix-list Hello permit 6.6.6.6/19
:
:

4. To add "le 32" or any option, follow below steps

:%s/\/24/\/24 le 32/g <------- it will modify /24 IP block

ip prefix-list Hello permit 1.1.1.1/24 le 32
ip prefix-list Hello permit 2.2.2.2/23
ip prefix-list Hello permit 3.3.3.3/22
ip prefix-list Hello permit 4.4.4.4/21
ip prefix-list Hello permit 5.5.5.5/20
ip prefix-list Hello permit 6.6.6.6/19

5. Using the blow commands, complete modifying entire IP blocks.

:%s/\/32/\/32 orlonger;/g
:%s/\/30/\/30 orlonger;/g
:%s/\/29/\/29 orlonger;/g
:%s/\/28/\/28 orlonger;/g
:%s/\/27/\/27 orlonger;/g
:%s/\/26/\/26 orlonger;/g
:%s/\/25/\/25 orlonger;/g
:%s/\/24/\/24 orlonger;/g
:%s/\/23/\/23 orlonger;/g
:%s/\/22/\/22 orlonger;/g
:%s/\/21/\/21 orlonger;/g
:%s/\/20/\/20 orlonger;/g
:%s/\/19/\/19 orlonger;/g
:%s/\/18/\/18 orlonger;/g
:%s/\/17/\/17 orlonger;/g
:%s/\/16/\/16 orlonger;/g
:%s/\/15/\/15 orlonger;/g
:%s/\/14/\/14 orlonger;/g
:%s/\/13/\/13 orlonger;/g
:%s/\/12/\/12 orlonger;/g
:%s/\/11/\/11 orlonger;/g
:%s/\/10/\/10 orlonger;/g

Final IP blocks look like below

ip prefix-list Hello permit 1.1.1.1/24 le 32
ip prefix-list Hello permit 2.2.2.2/23 le 32
ip prefix-list Hello permit 3.3.3.3/22 le 32
ip prefix-list Hello permit 4.4.4.4/21 le 32
ip prefix-list Hello permit 5.5.5.5/20 le 32
ip prefix-list Hello permit 6.6.6.6/19 le 32

It is help only huge huge huge list of access list or prefix list.
After modifed raw IP list, add it to current access list or prefix

[Cisco] How to configure Dyanmic Access List with time-range

2009-05-07T21:50:19Z

This daynamic access-list is not commonly used, but it is good to know. Below scenario indicated once a client get authrized by telnet login then, the client can access boyond the port(Ethernet in this case)

[Router Configuration]

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CPE
!
boot-start-marker
boot-end-marker
!
ip cef
no ip domain lookup
!
username acl password 0 acl
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
!
interface FastEthernet5/0
ip address 200.200.1.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface FastEthernet6/0
no ip address
shutdown
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic access permit ip any any log time-range work-hour
!
control-plane
!
no alias exec r
no alias exec s
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
privilege level 15
login local
autocommand access-enable timeout 1
!
time-range work-hour
periodic daily 7:30 to 8:00
!
end

[ Verifying output]

** Simulate Cisco 3660 as PC in this sample configuration

1. Tried ping to IP on Ethernet interface of CPE router, before authorized access by Telnet login.

pc1# ping 200.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pc1#

2. Tried to telnet into CPE. It got failed, however it triggered open a ACL for next traffic from PC1

CPE#sh clock
07:59:31.447 UTC Fri Mar 1 2002
CPE#

CPE#sh ip access-lists 101
Extended IP access list 101
10 permit tcp any any eq telnet (339 matches)
20 Dynamic access permit ip any any log time-range work-hour (active)
CPE#

pc1#telnet 200.200.1.1
Trying 200.200.1.1 ... Open

User Access Verification

Username: acl
Password:
[Connection to 200.200.1.1 closed by foreign host]
pc1#

CPE#sh ip access-lists 101
Extended IP access list 101
10 permit tcp any any eq telnet (396 matches)
20 Dynamic access permit ip any any log time-range work-hour (active)
permit ip any any log time-range work-hour (active) (5 matches) (time left 56)
CPE#

Now, CPE allow a traffic from PC1

pc1#ping 200.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/25/76 ms
pc1#
3. If traffic is idle over 120 seconds, ACL will be closed due to configuration specified 120 sec idle allowance time.
pc1#ping 200.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pc1#
CPE#sh clock
08:01:41.283 UTC Fri Mar 1 2002
CPE#sh ip access-lists 101
Extended IP access list 101
10 permit tcp any any eq telnet (396 matches)
20 Dynamic access permit ip any any log time-range work-hour (inactive)
CPE#

TACACS Plus installation

2009-05-06T13:31:47Z

To describe how to install TACACS application on step by step. Specifically we are install tac-plus in this article.

1. Download TACACS+
2. Install Tac-plus application
3. Configure TACACS.conf
4. configure Network device(Cisco router)

1. Download TACACS+

Get lastest tacacs+ binary rpm file from http://www.gazi.edu.tr/tacacs.

2. Install Tac-plus application

and type

rpm -ivh tac_plus.xxx.i386.rpm

By this command tacacs+ must install your system and to verify your installation type below

rpm -q tac_plus

If you see below output, you are good to go.

tac_plus-F4.0.3.alpha-7

3. Configure TACACS.conf

# Created by Devrim SERAL(devrim@gazi.edu.tr)
# It's very simple configuration file
# Please read user_guide and tacacs+ FAQ to more information to do more
# complex tacacs+ configuration files.

key = CISCONET

# Use /etc/passwd file to do authentication

default authentication = file /etc/passwd.log

# Now tacacs+ also use default PAM authentication
#default authentication = pam pap

#If you like to use DB authentication
#default authentication = db "db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field
# db_type: mysql or null
# db_user: Database connect username
# db_pass: Database connection password
# db_hostname : Database hostname
# db_name : Database name
# db_table : authentication table name
# name_field and pass_field: Username and password field name at the db_table

# Accounting records log file

accounting file = /var/log/tacacs/tacacs.log

# Would you like to store accounting records in database..
# db_accounting = "db_type://db_user:db_pass@db_hostname/db_name/db_table"
# Same as above..

# Permit all authorization request

default authorization = permit

# Profile for enable access, username is $enab15$. Used to be $enable$

user = $enab15$ {
login = cleartext Pr1celess
}

# Profiles for user accounts

user = Superman {
login = cleartext SuperPOP40
}

In this case, username; Superman and password; SuperPOP40

4. configure Network device(Cisco router)

aaa new-model
aaa authentication login default tacacs+ line enable none
aaa authentication login defaut tacacs+ line enable none

tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET

Or another sample (if tacacs login is failed, local database will be used)

aaa new-model
username CiscoNET password xxx-CiscoNet
aaa authentication login default enable
aaa authentication login access1 local
aaa authentication login access2 tacacs+ local

tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET
!
!
Line console 0
   login authentication access 2
!
!
Line vty 0 4
   password yyy-CiscoNET
   login

Modifying Huge ACL & prefix- list ?

2009-05-06T13:26:25Z

Probably, there are multiple way to achieve your goal.
Here is one of simple way that I knew and used in my work. (using vi editor)

For example, you have IP blocks below. Current prefix list name = Hello

-- Raw list --
1.1.1.1/24
2.2.2.2/23
3.3.3.3/22
4.4.4.4/21
5.5.5.5/20
6.6.6.6/19
:
:
:

1. Create new file with vi editor = from prompt "vi acl" (on unix or linux)
2. Copy and paste entire list of new IP blocks into the new file just created
3. To add "ip prefix-list Hello permit" in front of raw IP blocks, follow below step

:%s/^/ip prefix-list Hello permit /g
(If you are not familiar with vi editor, search 'vi editor' on Internet)

Now, you will see the below

ip prefix-list Hello permit 1.1.1.1/24
ip prefix-list Hello permit 2.2.2.2/23
ip prefix-list Hello permit 3.3.3.3/22
ip prefix-list Hello permit 4.4.4.4/21
ip prefix-list Hello permit 5.5.5.5/20
ip prefix-list Hello permit 6.6.6.6/19
:
:

4. To add "le 32" or any option, follow below steps

:%s/\/24/\/24 le 32/g <------- it will modify /24 IP block

ip prefix-list Hello permit 1.1.1.1/24 le 32
ip prefix-list Hello permit 2.2.2.2/23
ip prefix-list Hello permit 3.3.3.3/22
ip prefix-list Hello permit 4.4.4.4/21
ip prefix-list Hello permit 5.5.5.5/20
ip prefix-list Hello permit 6.6.6.6/19

5. Using the blow commands, complete modifying entire IP blocks.

:%s/\/32/\/32 orlonger;/g
:%s/\/30/\/30 orlonger;/g
:%s/\/29/\/29 orlonger;/g
:%s/\/28/\/28 orlonger;/g
:%s/\/27/\/27 orlonger;/g
:%s/\/26/\/26 orlonger;/g
:%s/\/25/\/25 orlonger;/g
:%s/\/24/\/24 orlonger;/g
:%s/\/23/\/23 orlonger;/g
:%s/\/22/\/22 orlonger;/g
:%s/\/21/\/21 orlonger;/g
:%s/\/20/\/20 orlonger;/g
:%s/\/19/\/19 orlonger;/g
:%s/\/18/\/18 orlonger;/g
:%s/\/17/\/17 orlonger;/g
:%s/\/16/\/16 orlonger;/g
:%s/\/15/\/15 orlonger;/g
:%s/\/14/\/14 orlonger;/g
:%s/\/13/\/13 orlonger;/g
:%s/\/12/\/12 orlonger;/g
:%s/\/11/\/11 orlonger;/g
:%s/\/10/\/10 orlonger;/g

Final IP blocks look like below

ip prefix-list Hello permit 1.1.1.1/24 le 32
ip prefix-list Hello permit 2.2.2.2/23 le 32
ip prefix-list Hello permit 3.3.3.3/22 le 32
ip prefix-list Hello permit 4.4.4.4/21 le 32
ip prefix-list Hello permit 5.5.5.5/20 le 32
ip prefix-list Hello permit 6.6.6.6/19 le 32

It is help only huge huge huge list of access list or prefix list.
After modifed raw IP list, add it to current access list or prefix

How to setup FreeRADIUS server?

2009-05-06T13:14:05Z

Here is a simple documentation how to setup FreeRADIUS server.

It's written by Korean.

http://www.ibm.com/developerworks/kr/library/l-radius/