Category Archives: Networking
SSL – VPN
After many revisions and tests I have finally set up an SSL VPN with Cisco AnyConnect. Here are the steps to set it up.
STEP 1: Setting up the Webserver Function
These simple commands turn on the HTTP and HTTPS servers and make the HTTP server use local authentication.
ip http server
ip http authentication local
ip http secure-server
STEP 2: Setting up Authentication
The first command creates a simple username and password for logging into the VPN; this is used if you do not have a RADIUS server. The next commands enable AAA and make login authentication and exec authorization local.
username test password test
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
STEP 3: Setting up the IP Pool
This is a simple command to create a local pool for the VPN to use for the clients accessing it.
ip local pool <POOL_NAME> <LOWEST_IP_ADDRESS> <HIGHEST_IP_ADDRESS>
STEP 4: Setting up the Authentication Trustpoint
This set of commands creates the SSL certificate as a self-signed certificate generated here on the router rather than issued by a CA server.
crypto pki trustpoint <CERT_NAME>
enrollment selfsigned
crypto pki enroll <CERT_NAME>
STEP 5: Setting up the VPN
The first portion of commands sets up the gateway, which defines three main things. First, the gateway name. Second, the IP address or interface that will be the internet-facing side. Third, the binding of the gateway to the SSL certificate made in step 4.
webvpn gateway <GATEWAY>
ip interface <OUTBOUND_INTERFACE OR IP_ADDRESS> port 443
ssl trustpoint <CERT_NAME>
inservice
This portion defines where the AnyConnect client package is stored on the router. If you have not uploaded it yet, you need to.
webvpn install svc flash:/webvpn/anyconnect-version#.pkg sequence 1
This portion defines the website side of things. It sets the portal colors and requires SSL authentication.
webvpn context <VPN_NAME>
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
This is the final piece, and it creates the policies to be used. It ties together the IP address pool to be used, the domain name, and the internal DNS server. The split include line tells the VPN client which destination networks to send through the tunnel; everything else uses the client's normal routing. Finally, the context is attached to the gateway defined at the top of this step.
policy group <POLICY_NAME>
functions svc-enabled
svc address-pool "<POOL_NAME>" netmask 255.255.255.0
svc default-domain "<DOMAIN_NAME>"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary <DNS_IP>
default-group-policy <POLICY_NAME>
gateway <GATEWAY>
inservice
I had to test this project for many months, as there was a bug in Cisco IOS version 151-3.T where the router replaced the SSL certificate on reboot even if one already existed. The workaround was either to upgrade the IOS version or to set up a CA server. I upgraded.
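As an added example that is not part of the original post, the Python script below audits a text export of the SSL-VPN configuration above for the points a security reviewer would check: local accounts defined with the reversible `password` keyword instead of `secret`, cleartext `ip http server` left enabled alongside the secure server, a gateway bound to a self-signed trustpoint (whose fingerprint clients have to pin, and which changes whenever the router regenerates it, as in the reboot bug mentioned above), the address pool fitting the policy group's netmask, and split tunnelling being present. The embedded sample configuration is constructed from this post with made-up names and addresses (VPNPOOL, SSLVPN-CERT, SSLGW, SSLVPN, SSLPOLICY, 10.10.10.0/24); nothing in it comes from a real device.

```python
import ipaddress
import re

# Constructed sample: the SSL-VPN configuration from this post with the
# placeholders filled in with made-up names and addresses.
SAMPLE_CONFIG = """\
ip http server
ip http authentication local
ip http secure-server
username test password test
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
crypto pki trustpoint SSLVPN-CERT
 enrollment selfsigned
webvpn gateway SSLGW
 ip interface GigabitEthernet0/0 port 443
 ssl trustpoint SSLVPN-CERT
 inservice
webvpn context SSLVPN
 ssl authenticate verify all
 policy group SSLPOLICY
  functions svc-enabled
  svc address-pool "VPNPOOL" netmask 255.255.255.0
  svc split include 192.168.0.0 255.255.0.0
 default-group-policy SSLPOLICY
 gateway SSLGW
 inservice
"""


def _blocks(lines):
    """Yield (top-level command, [indented sub-commands]) pairs in config order."""
    header, children = None, []
    for line in lines:
        if not line.strip():
            continue
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.rstrip(), []
    if header is not None:
        yield header, children


def audit_sslvpn_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    pools = {}          # pool name -> (lowest, highest) address
    selfsigned = set()  # trustpoints enrolled with 'enrollment selfsigned'
    for header, children in _blocks(config.splitlines()):
        # Local accounts: 'password' is stored reversibly (type 0 or 7); 'secret' is hashed.
        m = re.match(r"username (\S+) password (?:\d+ )?(\S+)$", header)
        if m:
            findings.append(f"user '{m.group(1)}': reversible 'password' keyword; use 'secret'")
            if m.group(1) == m.group(2):
                findings.append(f"user '{m.group(1)}': password equals username")
        if header == "ip http server":
            findings.append("'ip http server' enables cleartext HTTP; confirm it is needed")
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", header)
        if m:
            pools[m.group(1)] = (m.group(2), m.group(3))
        m = re.match(r"crypto pki trustpoint (\S+)$", header)
        if m and "enrollment selfsigned" in children:
            selfsigned.add(m.group(1))
        m = re.match(r"webvpn gateway (\S+)$", header)
        if m:
            for child in children:
                t = re.match(r"ssl trustpoint (\S+)$", child)
                if t and t.group(1) in selfsigned:
                    findings.append(
                        f"gateway '{m.group(1)}' uses self-signed trustpoint '{t.group(1)}': "
                        "pin its fingerprint on clients and re-check it after every reload")
        if header.startswith("webvpn context "):
            if "ssl authenticate verify all" not in children:
                findings.append(f"{header}: 'ssl authenticate verify all' is missing")
            for child in children:
                p = re.match(r'svc address-pool "?([^" ]+)"? netmask (\S+)$', child)
                if p:
                    name, mask = p.groups()
                    if name not in pools:
                        findings.append(f"policy references undefined pool '{name}'")
                    else:
                        low, high = pools[name]
                        # Does the whole pool sit inside the subnet the client will be given?
                        net = ipaddress.ip_network(f"{low}/{mask}", strict=False)
                        if ipaddress.ip_address(high) not in net:
                            findings.append(
                                f"pool '{name}' range {low}-{high} does not fit netmask {mask}")
                s = re.match(r"svc split include (\S+) (\S+)$", child)
                if s:
                    findings.append(
                        f"split tunnelling: only {s.group(1)}/{s.group(2)} is sent through the VPN")
    return findings


if __name__ == "__main__":
    for finding in audit_sslvpn_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the output of `show running-config` saved to a file and the findings list tells you which of the above points apply; on the constructed sample it flags the plaintext HTTP server, the `username test password test` account, the self-signed gateway trustpoint and the split tunnel, and stays quiet about the pool because 10.10.10.1 to 10.10.10.254 fits a 255.255.255.0 mask.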
Enjoy, and if you have any questions, comment or send me a message on the contact me page.
Source:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtpsscer.html#wp1027265
Handy Cisco Commands
Here is a list of some lesser-known and very helpful Cisco IOS commands.
1) Reload after a specific time or after a specific amount of time:
reload [text | in [hh:]mm [text] | at hh:mm [month day | day month] [text] | cancel]
Examples:
Router# reload in 10
-This command will reload the device in 10 minutes. This is a perfect Cisco command to use if you are not sure if the next set of commands will terminate your connection to it and you need to reverse it without consoling in.
Router# reload at 16:00
-This Cisco command will reload the device at 4:00pm.
Router# reload cancel
-This Cisco command simply cancels a reload that is scheduled for the future.
2) Resetting an Interface to a Default State
Router(config)# default interface <INTERFACE>
-This simple Cisco command resets an interface back to its default state for further configuration.
3) Show Filters
Router# show run | section interface
-This filter will show the section of the configuration about the keyword, in this case interface.
Router# show run | begin interface
-This filter will find the first time the keyword is used and show the configuration from that point forward.
Router# show run | include ospf
-This filter will show every line in the running configuration that contains the word ospf.
Router# show run | exclude ospf
-This filter will remove every line with the keyword in it.
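To make the four filters concrete, here is an added Python example (not from the original post) that reproduces their behaviour on a constructed running-config excerpt: `include` and `exclude` work line by line, `begin` prints from the first match onward, and `section` prints every block (a top-level command plus its indented sub-commands) in which the pattern matches, dropping the `!` separator lines. The hostname, interfaces and addresses in the sample are made up.

```python
import re

# Constructed running-config excerpt (made-up device, documentation addresses).
SAMPLE_RUN = """\
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 198.51.100.1 255.255.255.0
!
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
"""


def _sections(lines):
    """Group a config into sections: a top-level command plus its indented lines.
    The '!' separator lines are dropped, as they are in IOS section output."""
    current = []
    for line in lines:
        if line.startswith(" ") and current:
            current.append(line)
        else:
            if current:
                yield current
            current = [] if line.strip() == "!" else [line]
    if current:
        yield current


def run_filter(config: str, mode: str, pattern: str) -> list[str]:
    """Emulate 'show run | <mode> <pattern>' for include, exclude, begin and section."""
    lines = config.splitlines()
    rx = re.compile(pattern)
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    if mode == "begin":
        for i, l in enumerate(lines):
            if rx.search(l):
                return lines[i:]
        return []
    if mode == "section":
        return [l for sec in _sections(lines)
                if any(rx.search(x) for x in sec) for l in sec]
    raise ValueError(f"unknown filter mode: {mode}")


if __name__ == "__main__":
    for mode, pattern in [("section", "interface"), ("begin", "router ospf"),
                          ("include", "ospf"), ("exclude", "ip address")]:
        print(f"show run | {mode} {pattern}")
        print("\n".join(run_filter(SAMPLE_RUN, mode, pattern)), end="\n\n")
```

The `section` filter is the one worth understanding: because it matches on any line of the block, `section description` returns the whole FastEthernet0/1 stanza, not just the description line, which is what makes it handy for finding which interface carries a given address.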
4) The Alias Cisco Command
Router(config)#alias exec s show ip interface brief
-This command is powerful. Using the alias command you can specify that when you are in exec mode and type "s", the router will run the full show ip interface brief command for you. This will save minutes and maybe hours of typing long commands. The alias Cisco command can be bound to any letter and made to run any Cisco command.
5) Key Cisco Commands
Key | Action
Ctrl+A | Move cursor to the beginning of the line
Ctrl+E | Move cursor to the end of the line
Up | Retrieve last command from history
Down | Retrieve next command from history
Ctrl+W | Erase previous word
Ctrl+U | Erase the entire line
Ctrl+C | Exit configuration mode
Ctrl+Z | Apply the current command and exit configuration mode
As always leave me a comment or contact me via the contact page.
Cisco Bridging Interfaces
This is a simple how-to on bridging interfaces together. To begin, this is an example of when you would use this:
Just as the diagram shows, there are two interfaces on different VLANs that need to be merged into one. Here is the simple config to make this happen:
Router(config)#bridge irb
Router(config)#interface fa0/0
Router(config-if)#bridge-group 1
Router(config)#interface fa0/1
Router(config-if)#bridge-group 1
Router(config)#interface BVI1
Router(config-if)#ip address <IP_ADDRESS> <SUBNET_MASK>
Router(config)#bridge 1 protocol ieee
Router(config)#bridge 1 route ip
Enjoy, and if you have any questions, comment or send me a message on the contact me page.
Sources:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
NTP Server
Setting up an NTP server on a Linux box is one of the simplest services to install. Here is the walkthrough:
On a Linux server:
apt-get install ntp
nano /etc/ntp.conf
Restart ntpd with: /etc/init.d/ntp-server restart
On a Cisco device:
ntp server <IP OF SERVER>
This is how to set the Cisco device to the right time zone and have it adjust for daylight saving time (this is for the America/Central time zone):
clock timezone CST -6 0
clock summer-time CDT recurring last Sun Mar 2:00 last Sun Oct 2:00
Enjoy, and if you have any questions, comment or send me a message on the contact me page.
Source:
http://support.ntp.org/bin/view/Support/InstallingNTP
Cisco Router PPPoE Dialer Commands
Using PPPoE Dialer Commands in a Cisco router
Using PPPoE dialer commands in your Cisco router to authenticate with your ISP is not quite as simple as I once thought it would be. Here is a simple explanation and set of PPPoE dialer commands to get you pointed in the right direction.
This is a simple example doing just that:
vpdn enable
vpdn-group 1
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <username>
 ppp chap password <Password>
 ppp pap sent-username <username> password <Password>
Please comment if you have any questions and I will respond as quickly as possible.