Category Archives: Networking

SSL – VPN

After many revisions and tests I have finally set up an SSL-VPN with Cisco AnyConnect. Here are the steps to set this up.

STEP 1: Setting up the Webserver Function

These commands turn on the router's HTTP and HTTPS servers and make the HTTPS server authenticate against the local user database. Only the secure server is needed for the SSL VPN; ip http server also exposes the management web UI over cleartext HTTP, so leave it off unless something else on the network needs it.

ip http server
ip http authentication local
ip http secure-server

STEP 2: Setting up Authentication

The first command creates a simple local username and password for logging into the VPN; use this when you are not authenticating against a RADIUS server. Note that the password keyword stores the password reversibly (type 0, or type 7 if service password-encryption is on); the secret keyword stores a hash instead and is the better choice. The remaining commands enable AAA and point login authentication and exec authorization at the local database. The named list ciscocp_vpn_xauth_ml_1 is only used if a webvpn context references it with aaa authentication list; otherwise the default list applies.

username test password test

aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local

STEP 3: Setting up the IP Pool

This is a simple command that creates a local pool of addresses which the VPN hands out to connecting clients.

ip local pool <POOL_NAME> <LOWEST_IP_ADDRESS> <HIGHEST_IP_ADDRESS>

STEP 4: Setting up the Authentication Trustpoint

This set creates the SSL certificate trustpoint and makes it a self-signed certificate generated on the router rather than one issued by a CA server. AnyConnect will warn that the server certificate is untrusted, so for anything beyond a lab enroll the trustpoint with a CA, or at least distribute the router's certificate to the clients so they can trust it explicitly instead of clicking through the warning.

crypto pki trustpoint <CERT_NAME>
enrollment selfsigned
crypto pki enroll <CERT_NAME>

STEP 5: Setting up the VPN

The first group of commands sets up the gateway, which defines three things. First, the gateway name. Second, the IP address or interface that is going to be the internet-facing side (the ip interface form shown here takes an interface name; ip address <IP_ADDRESS> port 443 can be used instead when you want a specific address). Third, binding the gateway to the SSL certificate made in step 4.

webvpn gateway <GATEWAY>
ip interface <OUTBOUND_INTERFACE OR IP_ADDRESS> port 443
ssl trustpoint <CERT_NAME>
inservice

This portion tells the router where the AnyConnect client package is stored in flash. If you have not uploaded the .pkg file yet, you need to do that first.

webvpn install svc flash:/webvpn/anyconnect-version#.pkg sequence 1

This portion defines the portal side of things: the colours of the web page and the SSL authentication setting for the context.

webvpn context <VPN_NAME>
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all

This is the final piece: the policy group. It ties together the IP address pool to be used, the default domain name, and the internal DNS server the client should use. The svc split include line enables split tunnelling: only traffic to the listed network (192.168.0.0/16 here) is sent through the VPN, and everything else uses the client's normal path. That means the client's internet traffic is not seen by anything behind the router; leave the line out if you want all client traffic tunnelled. The last three lines are back at the context level: they make this the default policy, attach the context to the gateway defined at the top of this step, and bring it into service.

policy group <POLICY_NAME>
 functions svc-enabled
 svc address-pool "<POOL_NAME>" netmask 255.255.255.0
 svc default-domain "<DOMAIN_NAME>"
 svc keep-client-installed
 svc split include 192.168.0.0 255.255.0.0
 svc dns-server primary <DNS_IP>
exit
default-group-policy <POLICY_NAME>
gateway <GATEWAY>
inservice
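
Once the config is in, it is worth checking it for the weak spots mentioned in the steps above before exposing port 443. Here is an added example (not from the original post) that audits a webvpn config for exactly those: the cleartext HTTP server, users created with password instead of secret, a gateway bound to a self-signed trustpoint, and how wide the split tunnel is. The sample config is constructed from the steps on this page with made-up values in place of the placeholders.

```python
"""Audit an IOS AnyConnect (webvpn) SSL-VPN config for the weak spots noted
in the steps above: cleartext HTTP server, reversible 'password' users,
a gateway bound to a self-signed trustpoint, and the split-tunnel scope.
Added example, not from the original post; the sample config is constructed
from the page's steps with made-up values in place of the placeholders."""
import re

SAMPLE_CONFIG = """\
ip http server
ip http authentication local
ip http secure-server
username test password test
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip local pool VPN_POOL 10.10.10.10 10.10.10.50
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
webvpn gateway VPN_GW
 ip interface GigabitEthernet0/0 port 443
 ssl trustpoint SSLVPN_CERT
 inservice
webvpn context VPN_CTX
 ssl authenticate verify all
 policy group VPN_POLICY
  functions svc-enabled
  svc address-pool "VPN_POOL" netmask 255.255.255.0
  svc split include 192.168.0.0 255.255.0.0
 default-group-policy VPN_POLICY
 gateway VPN_GW
 inservice
"""


def parse_blocks(config):
    """Group the config into (top-level command, [indented sub-commands]).
    Any indented line is attached to the most recent non-indented line."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_sslvpn(config):
    """Return [(severity, message), ...] in the order the checks run."""
    findings = []
    blocks = parse_blocks(config)
    tops = [top for top, _ in blocks]

    # 1. The SSL VPN only needs the HTTPS server; HTTP is a cleartext mgmt UI.
    if "ip http server" in tops:
        findings.append(("medium", "ip http server enabled; only "
                         "ip http secure-server is needed for the VPN"))

    # 2. 'username X password Y' is stored reversibly; 'secret' is hashed.
    for top in tops:
        m = re.match(r"username (\S+) password ", top)
        if m:
            findings.append(("high", "username %s uses 'password' "
                             "(reversible); use 'secret'" % m.group(1)))

    # 3. A gateway whose trustpoint is self-signed cannot be validated
    #    by AnyConnect without manual trust on every client.
    selfsigned = {top.split()[-1] for top, kids in blocks
                  if top.startswith("crypto pki trustpoint")
                  and "enrollment selfsigned" in kids}
    for top, kids in blocks:
        if top.startswith("webvpn gateway"):
            for k in kids:
                if k.startswith("ssl trustpoint") and k.split()[-1] in selfsigned:
                    findings.append(("medium", "%s bound to self-signed "
                                     "trustpoint %s" % (top, k.split()[-1])))

    # 4. Split tunnelling: record what bypasses the VPN.
    for top, kids in blocks:
        if top.startswith("webvpn context"):
            incl = [k.split(None, 3)[3] for k in kids
                    if k.startswith("svc split include")]
            if incl:
                findings.append(("info", "%s split-tunnels only %s; all other "
                                 "client traffic bypasses the VPN"
                                 % (top, ", ".join(incl))))
            else:
                findings.append(("info", "%s has no split include; "
                                 "all client traffic is tunnelled" % top))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_sslvpn(SAMPLE_CONFIG):
        print("[%s] %s" % (sev, msg))
```

Run it against show run output saved to a file and the first three findings should disappear once you drop ip http server, recreate the user with secret, and enroll the trustpoint with a CA; the split-tunnel line is informational, since whether it is right depends on what you want the client to reach.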


I had to test this project for many months, as there was a bug in Cisco IOS version 151-3.T where, when the router was rebooted, it would replace the SSL certificate even if there was an existing one. The workaround was either to upgrade IOS versions or to make a CA server. I upgraded.

Enjoy and if you have any questions comment or send me a message on the contact me page

Source:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtpsscer.html#wp1027265

Handy Cisco Commands

Here is a list of some little-known and very helpful Cisco IOS commands.

1) Reload at a specific time or after a specific amount of time:

reload [text | in [hh:]mm [text] | at hh:mm [month day | day month] [text] | cancel]

Examples:

Router# reload in 10

-This command will reload the device in 10 minutes. It is the perfect safety net when you are not sure whether the next set of commands will cut off your remote session: if they do, the router reloads into its saved startup-config and you get back in without consoling in. That only works if you have not saved the change yet, so do not write memory until you have confirmed you still have access, and run reload cancel once you are sure.

Router# reload at 16:00

-This Cisco command will reload the device at 4:00pm.

Router# reload cancel

-This Cisco command simply cancels a reload that has been scheduled for the future.

2) Resetting an Interface to a Default State

Router(config)# default interface <interface>

-This simple Cisco command resets an interface back to its default state, ready for further configuration. Everything on it goes, including IP addresses, ACLs and NAT statements, so check what the interface carries before you use it on a live box.

3) Show Filters

Router# show run | section interface

-This filter shows every section of the configuration that matches the keyword, in this case each interface block along with its sub-commands.

Router# show run | begin interface

-This filter will find the first time the keyword is used and show the configuration from that point forward.

Router# show run | include ospf

-This filter shows every line in the running configuration that contains the word ospf.

Router# show run | exclude ospf

-This filter removes every line that contains the keyword and shows the rest.
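
To see exactly what each filter hands back before you rely on it on a live box, here is an added example (not from the original post) that re-implements the four filters in Python over a constructed running-config. It assumes section means a non-indented line plus its indented sub-commands, shown whole when any line in it matches, which is how the router behaves for interface and routing blocks; begin, include and exclude are plain regular-expression searches, as on the router.

```python
"""Re-implement the IOS 'show ... | section / begin / include / exclude'
output filters over a constructed running-config. Added example, not from
the original post. The section semantics are an approximation of IOS: a
section is a non-indented line plus its indented children, and it is shown
whole when any of its lines matches."""
import re

# Constructed sample running-config (not captured from a real device).
RUNNING_CONFIG = """\
hostname edge-rtr
ip http secure-server
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""


def _lines(text):
    return text.rstrip("\n").split("\n")


def filter_include(text, pattern):
    """| include: only lines matching the regex."""
    rx = re.compile(pattern)
    return [line for line in _lines(text) if rx.search(line)]


def filter_exclude(text, pattern):
    """| exclude: every line except those matching the regex."""
    rx = re.compile(pattern)
    return [line for line in _lines(text) if not rx.search(line)]


def filter_begin(text, pattern):
    """| begin: everything from the first matching line to the end."""
    rx = re.compile(pattern)
    lines = _lines(text)
    for i, line in enumerate(lines):
        if rx.search(line):
            return lines[i:]
    return []


def filter_section(text, pattern):
    """| section: whole sections (header + indented lines) that match."""
    rx = re.compile(pattern)
    sections, current = [], []
    for line in _lines(text):
        if not line.startswith(" ") and current:
            sections.append(current)
            current = []
        current.append(line)
    if current:
        sections.append(current)
    return [line for sec in sections
            if any(rx.search(x) for x in sec) for line in sec]


if __name__ == "__main__":
    for name, fn, pat in (("section", filter_section, "interface"),
                          ("begin", filter_begin, "router ospf"),
                          ("include", filter_include, "ospf"),
                          ("exclude", filter_exclude, "ospf")):
        print("--- show run | %s %s" % (name, pat))
        print("\n".join(fn(RUNNING_CONFIG, pat)))
```

The useful case is section with a value rather than a keyword: filtering on an IP address returns the entire interface block it lives in, which is much quicker than paging through show run when you are hunting for where an address or ACL is applied.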

4) The Alias Cisco Command

Router(config)#alias exec s show ip interface brief

-This command is powerful. Using alias exec you can specify that when you are in exec mode and type "s", the router expands it to the full show ip interface brief command for you. This will save minutes, maybe hours, of typing long commands. An alias can be any string, not just a single letter, and can stand for any IOS command. Keep in mind that aliases live in the running-config, so check for them when you inherit a router: an alias that quietly maps a harmless-looking name onto a destructive command is an easy trap to fall into.

5) Key Cisco Commands

Ctrl+A Move cursor to the beginning of the line
Ctrl+E Move cursor to the end of the line
Up Retrieve last command from history
Down Retrieve next command from history
Ctrl+W Erase previous word
Ctrl+U Erase the entire line
Ctrl+C Exit configuration mode
Ctrl+Z Apply the current command and exit configuration mode

As always leave me a comment or contact me via the contact page.

Cisco Bridging Interfaces

This is a simple how to on bridging interfaces together. To begin this is an example of when you would use this:

Bridged Interfaces

As the diagram shows, there are two router interfaces on separate segments that need to act as one Layer 2 network with a single IP address on the router. Keep in mind that bridging merges the two segments into one broadcast domain, so anything that can talk on one can talk on the other; it is not a place to rely on the router for separation. Here is the simple config to make this happen (define the bridge group first, then put the interfaces in it, then give the BVI its address):

Router(config)#bridge irb
Router(config)#bridge 1 protocol ieee
Router(config)#bridge 1 route ip

Router(config)#interface fa0/0
Router(config-if)#bridge-group 1
Router(config)#interface fa0/1
Router(config-if)#bridge-group 1

Router(config)#interface BVI1
Router(config-if)#ip address <IP_ADDRESS> <NETMASK>


Enjoy and if you have any questions comment or send me a message on the contact me page

Sources:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml

NTP Server

Setting up an NTP server on a Linux box is one of the simplest services to install. Here is the walkthrough:

On a Linux server (Debian/Ubuntu; the ntp package installs the init script as /etc/init.d/ntp):

apt-get install ntp
nano /etc/ntp.conf
/etc/init.d/ntp restart

While you are in ntp.conf, keep the restrict lines so that the server only answers time queries from your network and refuses control queries (noquery) and modifications (nomodify) from everyone; an ntpd that is open to the internet can be used as an amplifier in reflection attacks.

On a cisco device:

ntp server <IP OF SERVER>

This is how to set the Cisco device to the right timezone and have it adjust for daylight saving time (this is for US Central time, CST/CDT). Since 2007 US daylight saving runs from the second Sunday in March to the first Sunday in November; the last-Sunday-in-March to last-Sunday-in-October rule is the European one and would leave the router's clock, and every log timestamp, an hour off for several weeks each year. On current IOS, clock summer-time CDT recurring with no arguments also defaults to the US rule.

clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
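
Because a wrong summer-time rule only shows up as log timestamps that do not line up with other systems, it helps to work out what a rule actually does for a given year. The following added example (not from the original post) implements the week/day/month/time form that IOS recurring rules use and compares the US rule with the EU-style last-Sunday rule; the rule strings and the day-counting helper are this example's own, not IOS output.

```python
"""Compute the dates an IOS 'clock summer-time ... recurring' rule produces
for a given year, to sanity-check the rule before trusting router timestamps
in logs. Added example, not from the original post. Rule strings use the
IOS form '<week> <day> <month> <hh:mm>', where week is 1-4, 'first' or
'last'."""
import calendar
from datetime import datetime, timedelta

_DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
_MONTHS = {m: i for i, m in enumerate(calendar.month_abbr) if m}


def nth_weekday(year, month, weekday, week):
    """Date of the given weekday in `month`: week is 1-4, 'first' or 'last'."""
    if week == "last":
        last_day = calendar.monthrange(year, month)[1]
        d = datetime(year, month, last_day)
        while d.weekday() != weekday:
            d -= timedelta(days=1)
        return d
    n = 1 if week == "first" else int(week)
    d = datetime(year, month, 1)
    while d.weekday() != weekday:
        d += timedelta(days=1)
    return d + timedelta(weeks=n - 1)


def parse_rule(rule):
    """'2 Sun Mar 2:00' -> (week, weekday, month, hour, minute)."""
    week, day, month, hhmm = rule.split()
    hh, mm = hhmm.split(":")
    return week, _DAYS[day], _MONTHS[month], int(hh), int(mm)


def summer_time_window(start_rule, end_rule, year):
    """Local (start, end) datetimes between which DST is active in `year`."""
    out = []
    for rule in (start_rule, end_rule):
        week, wd, mon, hh, mm = parse_rule(rule)
        out.append(nth_weekday(year, mon, wd, week).replace(hour=hh, minute=mm))
    return tuple(out)


# The post-2007 US rule, which is what America/Chicago (CST/CDT) follows.
US_RULE = ("2 Sun Mar 2:00", "1 Sun Nov 2:00")
# The EU-style last-Sunday rule that the original command used.
EU_STYLE_RULE = ("last Sun Mar 2:00", "last Sun Oct 2:00")


def rule_mismatch_days(year):
    """Number of days (checked at midnight) on which the two rules disagree
    about whether DST is in effect, i.e. days the clock would be an hour off."""
    us = summer_time_window(*US_RULE, year)
    eu = summer_time_window(*EU_STYLE_RULE, year)
    day, count = datetime(year, 1, 1), 0
    while day.year == year:
        if (us[0] <= day < us[1]) != (eu[0] <= day < eu[1]):
            count += 1
        day += timedelta(days=1)
    return count


if __name__ == "__main__":
    for label, rule in (("US", US_RULE), ("EU-style", EU_STYLE_RULE)):
        start, end = summer_time_window(*rule, 2024)
        print("%s: DST from %s to %s" % (label, start, end))
    print("days the two rules disagree in 2024:", rule_mismatch_days(2024))
```

For 2024 the US rule gives 10 March to 3 November while the last-Sunday rule gives 31 March to 27 October, so a router with the wrong rule is an hour off for four weeks of the year. That is long enough for a timeline built from its syslog to mislead an investigation.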

Enjoy and if you have any questions comment or send me a message on the contact me page

Source:
http://support.ntp.org/bin/view/Support/InstallingNTP

Cisco Router PPPoE Dialer Commands

Using PPPoE Dialer Commands in a Cisco router

Using PPPoE dialer commands in your Cisco router to authenticate with your ISP is not quite as simple as I once thought it would be. Here is a simple explanation and set of PPPoE dialer commands to get you pointed in the right direction.

This is a simple example doing just that. A few notes on it: the vpdn enable / vpdn-group 1 lines are the legacy way of turning on the PPPoE client and can be dropped on current IOS, where pppoe enable group global on the physical interface is enough. mtu 1492 on the dialer leaves room for the 8-byte PPPoE header inside a 1500-byte Ethernet frame. ppp authentication chap pap callin would require the peer to authenticate, but only on incoming calls; since the PPPoE client initiates the session, the router does not challenge the ISP, and its own answers to the ISP's CHAP challenge or PAP request come from the ppp chap and ppp pap lines. Prefer CHAP where the ISP supports it, because PAP sends the password across the link in the clear. Either way the password sits in the running-config and shows up in show run; service password-encryption only obfuscates it (type 7 is reversible), so treat config backups accordingly.

vpdn enable
vpdn-group 1
!
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <username>
 ppp chap password <Password>
 ppp pap sent-username <username> password <Password>
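
To make the CHAP-versus-PAP point concrete, here is an added example (not from the original post) that walks through both sides of the CHAP exchange the router answers with the ppp chap lines above, next to the PAP request, and checks what actually crosses the wire. It follows RFC 1994 (Response = MD5(Identifier || Secret || Challenge)); the hostnames, secret and challenge value are made up for the example.

```python
"""Simulate the PPP CHAP exchange answered by 'ppp chap hostname/password',
next to the PAP alternative, to show why CHAP is the one to prefer: the
shared secret never crosses the link. Added example, not from the original
post; names, secret and challenge are constructed. Per RFC 1994 the
response is MD5(Identifier || Secret || Challenge)."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side: hash the one-byte id, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server side: recompute with the stored secret, compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(secret_on_client, secret_on_server, identifier=1, challenge=None):
    """Both sides of the exchange. Returns (authenticated, packets on the wire)
    where each packet is (type, identifier, payload bytes)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    # ISP -> router: Challenge (the router never challenges back: 'callin').
    wire = [("Challenge", identifier, challenge)]
    # router -> ISP: Response carrying only the hash, never the secret.
    resp = chap_response(identifier, secret_on_client, challenge)
    wire.append(("Response", identifier, resp))
    ok = chap_verify(identifier, secret_on_server, challenge, resp)
    wire.append(("Success" if ok else "Failure", identifier, b""))
    return ok, wire


def run_pap(username, password):
    """PAP: the Authenticate-Request carries username and password in clear."""
    return [("Authenticate-Request", username.encode(), password.encode())]


def secret_on_wire(wire, secret):
    """True if the shared secret appears verbatim in any transmitted field."""
    s = secret.encode()
    return any(s in field for pkt in wire for field in pkt
               if isinstance(field, bytes))


if __name__ == "__main__":
    ok, wire = run_chap("s3cret", "s3cret", identifier=7)
    print("CHAP result:", ok, "secret on wire:", secret_on_wire(wire, "s3cret"))
    pap = run_pap("user@isp", "s3cret")
    print("PAP secret on wire:", secret_on_wire(pap, "s3cret"))
```

CHAP still uses MD5 and a captured challenge/response pair can be brute-forced offline against a weak password, so it is a reason to pick a strong ISP password, not a reason to consider the link confidential. PAP gives a sniffer the password directly.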

Please comment if you have any questions and I will respond as quickly as possible.

As always leave me a comment or contact me via the contact page.