ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES ON 7600/6500

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Sunil Cherukuri about virtualised IPSec, Firewalling, IDS and SSL services using different service modules on the 7600 platform.

Sunil is a solutions engineer at Cisco's Network Solutions & Test Engineering (NSITE) team, with over five years of experience with network based security services. His current focus is on testing scaling and performance of large scale network based security services. He also assists service providers and major enterprises in the design and deployment of such services.

Remember to use the rating system to let Sunil know if you have received an adequate response.

Sunil might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 21, 2005. Visit this forum often to view responses to your questions and the questions of other community members.

48 REPLIES
New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

I am trying to deploy VPN for remote access using -

-Pix 515 IOS 7.01

-cisco vpn client 4.7

-Certificates from windows 2003.

-Two certificates are there one is for CA and another is for Administrator, in pix.

-I am using IPSEC certificate at clients end.

-My active directory domain name is abc.com.

-domain name set on pix is abc.com

Queries:

Autoenrollment of certificates from Windows 2003 is not working, although I enrolled them manually.

Now it is attempting to connect; everything seems fine in negotiation, but it gets stuck on an FQDN mismatch error.

I have tried all three options in the certificate properties, i.e.

use FQDN of device

use this FQDN

none

but it is still giving me the error.

Thanks in Advance......

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Ravinder,

Since this is a PIX related question, it would get better responses in the VPN->Security forum.

But let me take a stab at it.

If both sides have the correct FQDN and Distinguished name (DN) and have the appropriate certs from the same CA server, then the negotiation should succeed.

I think on the PIX, the default IKE ID used is hostname, so make sure you have the "isakmp identity auto" command on the PIX. (Similarly in IOS we have to use "crypto isakmp identity dn" to work with certs).

Make sure both sides use the correct hostname and domain name while obtaining the cert.

You also mentioned 2 certs on the PIX; are these from 2 different CA servers?

Have found these links which have PIX/VPN Client cert configurations.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009468a.shtml

Please use the above links to see if your config is missing anything.

thnx,

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

I have 2 Cisco 7600 routers which provide extranet connectivity. I am running a 12.3 version of IOS with the advanced security feature set.

I am having the following issues:

(1) Monitor the IPsec tunnel down status change via the Cisco trap.

(2) Place the IPSec tunnels in a nailed up state.

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello,

Did you mean 7200 or 7300 instead of 7600 (since the latest images on 7600 are 12.2.18SXF and not 12.3)?

1) In any case, in IOS we have the following syslog messages to indicate ipsec tunnel coming up or down:

"CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP/DOWN"

To send these messages as traps, you can configure logging, and then do "logging trap "

Since this message is severity 5, you will have to enable traps for notifications.

Look at the following link for more info:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33e1.html

2) As long as there is interesting traffic, tunnels will be up and renegotiate IPsec/IKE SAs as required. [Even if the tunnel is not up, you only lose very little traffic while the tunnel is being set up.]

If you do not have interesting traffic to keep tunnels open, then you have a few options to keep them open:

Periodic isakmp keepalives

Increasing ipsec idle-timer and ike/ipsec lifetime

Running NTP (or any other periodic service) between the 2 routers thru the ipsec tunnel

Running scripted periodic pings using Service Assurance Agent (SAA)

thnx,

-Sunil.
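The trap answer above turns on two things: the exact text of the CRYPTO-5-SESSION_STATUS message and the fact that "logging trap" forwards a message only when its severity number is at or below the configured level. The following Python script is an added illustration, not part of Sunil's reply or any Cisco tool: it models that filter and extracts peer up/down events from constructed syslog lines (the hostname hub1 and peer 192.0.2.10 are made up).

```python
import re

# IOS syslog severity names, as used by 'logging trap <level>'. A message is
# forwarded as a trap only when its numeric severity is <= the configured level,
# so a level-5 message needs 'logging trap notifications' (or higher).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Generic IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)
# Body of CRYPTO-5-SESSION_STATUS; tolerant of the spacing variants IOS prints.
TUNNEL_RE = re.compile(
    r"Crypto tunnel is (?P<state>UP|DOWN)\s*\.?\s*Peer (?P<peer>[0-9.]+):(?P<port>\d+)"
)

# Constructed sample lines (not from the thread); hostname and peer are made up.
SAMPLE_LOG = [
    "Oct 19 10:01:02 hub1 123: *Oct 19 10:01:02.111: %CRYPTO-5-SESSION_STATUS: "
    "Crypto tunnel is UP . Peer 192.0.2.10:500 Id: 192.0.2.10",
    "Oct 19 10:01:05 hub1 124: *Oct 19 10:01:05.222: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON",
    "Oct 19 10:09:30 hub1 125: *Oct 19 10:09:30.333: %CRYPTO-5-SESSION_STATUS: "
    "Crypto tunnel is DOWN. Peer 192.0.2.10:500 Id: 192.0.2.10",
    "Oct 19 10:10:00 hub1 126: *Oct 19 10:10:00.444: %LINK-3-UPDOWN: "
    "Interface Vlan479, changed state to down",
]


def parse_message(line):
    """Split an IOS syslog line into facility / severity / mnemonic / text, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def would_be_trapped(msg, trap_level):
    """True if 'logging trap <trap_level>' would forward this message off the box."""
    return msg["severity"] <= SEVERITY[trap_level]


def tunnel_events(lines, trap_level="notifications"):
    """Return [(peer, state), ...] for the session-status messages the trap filter lets through."""
    events = []
    for line in lines:
        msg = parse_message(line)
        if msg is None or not would_be_trapped(msg, trap_level):
            continue
        if msg["facility"] != "CRYPTO" or msg["mnemonic"] != "SESSION_STATUS":
            continue
        t = TUNNEL_RE.search(msg["text"])
        if t:
            events.append((t.group("peer"), t.group("state")))
    return events


def peers_down(lines, trap_level="notifications"):
    """Peers whose most recent session-status event is DOWN."""
    last = {}
    for peer, state in tunnel_events(lines, trap_level):
        last[peer] = state
    return sorted(p for p, s in last.items() if s == "DOWN")


if __name__ == "__main__":
    for peer, state in tunnel_events(SAMPLE_LOG):
        print(f"{peer}: {state}")
    print("down:", peers_down(SAMPLE_LOG))
    # With 'logging trap warnings' the level-5 messages never leave the router.
    print("seen at warnings level:", tunnel_events(SAMPLE_LOG, "warnings"))
```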

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

we are currently redesigning our core network and are intending to install 6500 switches. We also need to secure an application with AES encryption.

Two questions:

1) can we encrypt the traffic by connecting the remote PC’s to the 6500 via the cisco software VPN client.

2) Is there an actual or theoretical limit to the data throughput between the software vpn client and the 6500 with a VPN card installed? I know that the VPN module will support 1.6 – 1.9Gbps, does that mean that we can connect 16 client PC on 100 Mbps tunnels?

I can't find any sort of throughput data for the software client on the cisco site.

Cheers

Bruce

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello Bruce,

1) You can terminate VPN clients into the 6500 using the VPNSM module (which is EOL recently) or the new IPsec VPN SPA (a half-width port adapter that fits into a jacket card, so you can have 2 SPAs on one card). The SPA supports AES, while the VPNSM does not.

2) The throughput on the 6500 hub side is limited by the crypto accelerator module, and not by the type of tunnel (VPN s/w or h/w client or IOS router). The VPNSM has a max throughput of around 1.9 Gbps and the IPsec VPN SPA around 2.2 Gbps. This is with 1400 byte packets, so obviously the throughput goes down with the packet size.

The 2.2 Gbps can be with 1 tunnel, or 4000 tunnels; it doesn't matter.

I doubt you can use 16 s/w clients with 100M each though. The PC client uses s/w encryption so the throughput won't be high, although I do not know the limits. And to be honest, I've never thought of this since in most cases the VPN client is used for home access or road warriors; and in most cases the uplink is cable/DSL at best and the VPN client works fine at these rates.

If you have the application on PCs connected to a 100 Mbps LAN, I would recommend using a router in front of these PCs to be able to get higher throughput. You can use the ISRs (2800, 3800 etc.) or 7200 and do site-to-site IPsec or even EzVPN h/w client mode to bring up tunnels to the 6500.

Don't know the ISR throughput off the top of my head, but the 7200 with VAM2+ can do close to ~240 Mbps with 1400 byte packets.

thnx,

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

Thanks for the info, we would be using the SPA cards (do you have a link to the data sheet and config guides - I can only find the VPNSM ones).

The application that we need to secure is spread across our LAN and WAN and is well scattered. If we use ISRs we would need to purchase one per client machine (not an option). Do you know if there is any test data on the software VPN client throughput and what affects it (putting two CPUs in the client machine and large amounts of memory would be an option)?

Final question: do you know what the VPN throughput of the EzVPN h/w client is? Again, the only documentation I could find was for the 3002 VPN client and it was listed at 1 Mbps.

Thanks again for the help.

Cheers

Bruce

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Bruce,

In terms of operation/config/troubleshooting etc, the SPA is almost identical to the VPNSM. The only difference is in specifying the location of the card in the crypto config (since each carrier card can have 2 SPA's).

So for VPNSM we specify "crypto engine slot 2".

For the SPA the difference is that we now specify "crypto engine subslot 2/0" (or 2/1 depending on where the SPA is). Everything else remains the same (other than the ability to use AES).

Can find data sheets and config guides here:

http://www.cisco.com/en/US/partner/products/ps6267/products_data_sheet0900aecd8027cbb2.html

http://www.cisco.com/en/US/partner/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a00804d35a6.html

I'm not aware of any test data on s/w VPN client encryption performance. If I find any, I will reply to your post. I'm sure having faster CPUs and memory will have some impact on performance.

For h/w throughput, ezvpn or site-site does not make much difference in throughput. The number of tunnels does have some impact though.

The following data sheet lists the throughput for various platforms - 3000, Pix, ISR, SOHO etc.

http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html

Hope this helps.

thnx,

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Sunil,

Is the VPNSM really end-of-life? I did not find anything on Cisco.com confirming that.

Thanks,

Jeff

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

We are now implementing both remote access VPN and site-to-site VPN. Both the VPN client and the remote router (Cisco 877W) terminate on a VPNSM in the hub site (Cat 6513, an MPLS PE router, 12.2SXE).

One VLAN interface (say, vlan 10) is used as the outside interface facing the internet. The other 2 VLAN interfaces (say, vlan 20 and vlan 30, in the same VRF) are used for remote access and site-to-site respectively.

Now it works fine for remote access vpn client but it didn't work for site to site. VPN tunnel established, but the traffic cannot pass through.

I would like to know if we can have separate inside interfaces or only one interface.

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello,

I would recommend using one VLAN intf in the VRF, and one crypto map (having multiple static sequences for site-to-site, and a dynamic map for EzVPN), since you'll only be using up one VLAN per VRF for any number of tunnels.

However, using multiple VLAN intf's in the VRF will also work, and I have tested this config.

But you will have to have 2 separate crypto maps (cannot apply the same map on 2 VLAN intf's).

Also make sure the routing (can use static routes, or use Reverse Route Injection on the crypto map) is pointing to the correct VLAN intf for each type of tunnel. And make sure the VRF is configured under the ISAKMP profile. If all the config is fine, then it should work.

Here's a sample config for 2 VLAN intf's:

crypto keyring sunil
  pre-shared-key address 11.1.1.1 key sunil123
!
crypto isakmp profile sunil
   vrf sunil
   keyring sunil
   match identity address 11.1.1.1 255.255.255.255
crypto isakmp profile sunil-ezvpn
   vrf sunil
   match identity group sunil
   client authentication list vpn
   isakmp authorization list vpn
   client configuration address respond
!
crypto dynamic-map dyn-1 10
 set transform-set TS
 set isakmp-profile sunil-ezvpn
 reverse-route
!
crypto map sunil-1 local-address g1/1
crypto map sunil-1 10 ipsec-isakmp dynamic dyn-1
!
crypto map sunil-2 local-address g1/1
crypto map sunil-2 10 ipsec-isakmp
 set peer 11.1.1.1
 set transform-set TS
 set isakmp-profile sunil
 reverse-route
!
crypto engine mode vrf
!
interface g1/1
 description WAN intf
 ip address 22.1.1.1 255.255.255.0
 crypto engine slot 2
!
interface Vlan31
 ethernet point-to-point
 ip vrf forwarding sunil
 ip address 1.1.1.1 255.255.255.252
 crypto map sunil-1
 crypto engine slot 2
!
interface Vlan32
 ethernet point-to-point
 ip vrf forwarding sunil
 ip address 2.1.1.1 255.255.255.252
 crypto map sunil-2
 crypto engine slot 2
!
ip route 0.0.0.0 0.0.0.0 g1/1 22.1.1.2

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Dear Sunil,

I think it should work, but it didn't. One step left, perhaps.

My config is almost the same as yours.

The tunnel did establish but the traffic did not pass through the tunnel. Owing to a FWSM blade in the same chassis, the routing becomes complicated.

I will post Hub site config in the next message.

**** Spoke Site

!
crypto keyring test
  pre-shared-key address 2.2.2.2 key xxxxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile SiteToSite
   keyring test
   match identity address 2.2.2.2 255.255.255.255
!
!
crypto ipsec transform-set site2site esp-3des esp-md5-hmac
!
crypto map SiteToSite 100 ipsec-isakmp
 description Tunnel to Hub site
 set peer 2.2.2.2
 set transform-set site2site
 match address 100
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/33
  pppoe-client dial-pool-number 1
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxx password 7 110D0E120E46535A10
 crypto map SiteToSite
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT interface Dialer0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.240.0.0 0.15.255.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.240.0.0 0.15.255.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map NAT permit 1
 match ip address 101
!

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Dear Sunil, the message continues...

********** Hub Site

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login vpn_list group radius local
aaa authentication enable default group tacacs+ enable
aaa authorization network vpn_list group radius local
aaa accounting network vpn_list start-stop group radius
!
aaa session-id common
clock timezone TW 8
svclc vlan-group 10 471,490,530-534,560-575,598,599,998,999
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 10
firewall vlan-group 10 471,490,530-534,560-575,598,599,998,999
intrusion-detection module 1 management-port access-vlan 551
intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 311-551
analysis module 2 management-port access-vlan 551
analysis module 2 data-port 1 capture
analysis module 2 data-port 1 capture allowed-vlan 1-600
----omitted
!
ip vrf Staff
 rd 65000:470
 route-target export 65000:470
 route-target import 65000:470
!
ip vrf MIS_ACC
 rd 65000:481
 route-target export 65000:481
 route-target import 65000:481
!
crypto keyring test
  pre-shared-key address 1.1.1.1 key xxxxx
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 60 30
crypto isakmp xauth timeout 90
crypto isakmp profile MIS_Group
   vrf MIS_ACC
   match identity group MIS_Group
   client authentication list vpn_list
   isakmp authorization list vpn_list
   client configuration address respond
   accounting vpn_list
crypto isakmp profile Staff_Group
   vrf Staff
   match identity group Staff_Group
   client authentication list vpn_list
   isakmp authorization list vpn_list
   client configuration address respond
   accounting vpn_list
crypto isakmp profile SiteToSite
   vrf Staff
   keyring test
   match identity address 1.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set BU_Set esp-3des esp-sha-hmac
crypto ipsec transform-set site2site esp-3des esp-md5-hmac
!
crypto dynamic-map dynaMIS 10
 set transform-set BU_Set
 set isakmp-profile MIS_Group
 reverse-route
!
crypto dynamic-map dynaStaff 10
 set transform-set BU_Set
 set isakmp-profile Staff_Group
 reverse-route
!
crypto map MIS_Map local-address Vlan530
crypto map MIS_Map 1000 ipsec-isakmp dynamic dynaMIS
!
!
crypto map Staff_Map local-address Vlan530
crypto map Staff_Map 1000 ipsec-isakmp dynamic dynaStaff
!
crypto map SiteToSite local-address Vlan530
crypto map SiteToSite 100 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set site2site BU_Set
 set isakmp-profile SiteToSite
 match address site2site
 reverse-route
!
crypto engine mode vrf
ip route 0.0.0.0 0.0.0.0 10.240.64.11
ip access-list extended site2site
 permit ip 10.240.0.0 0.15.255.255 10.10.10.0 0.0.0.255
interface Vlan530
 ip address 10.240.64.1 255.255.255.0
 ip ospf network point-to-point
 standby 10 ip 10.240.64.3
 standby 10 priority 105
 standby 10 preempt
 standby 10 name HSRP
 crypto engine slot 3
!
interface Vlan478
 description Site-to-Site VPN
 ip vrf forwarding Staff
 ip address 10.240.252.97 255.255.255.240
 ip mtu 1452
 crypto map SiteToSite redundancy HSRP
 crypto engine slot 3
!
interface Vlan479
 description VPNSM point-to-point VLAN
 mtu 1600
 ip vrf forwarding Staff
 ip address 10.240.252.113 255.255.255.240
 crypto map Staff_Map redundancy HSRP
 crypto engine slot 3
!
interface Vlan481
 description VPNSM vrf map MIS
 mtu 1600
 ip vrf forwarding MIS_ACC
 ip address 10.240.252.17 255.255.255.240
 crypto map MIS_Map redundancy HSRP
 crypto engine slot 3
!

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Dear Sunil, one more piece of information:

The IP address of interface vlan 530 is NATed to a public IP, say 2.2.2.2 here.

****** The tunnel is established: sh crypto ipsec sa

Spoke site:

outer#sh crypto ipsec sa

interface: Dialer0
    Crypto map tag: SiteToSite, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.240.0.0/255.240.0.0/0/0)
   current_peer 2.2.2.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 91, #pkts encrypt: 91, #pkts digest: 91
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1452, ip mtu 1452
     current outbound spi: 0x73F41F82(1945378690)

     inbound esp sas:
      spi: 0x55F4F628(1442117160)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: C87X_MBRD:1, crypto map: SiteToSite
        sa timing: remaining key lifetime (k/sec): (4533942/2195)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x73F41F82(1945378690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: C87X_MBRD:2, crypto map: SiteToSite
        sa timing: remaining key lifetime (k/sec): (4533928/2195)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Hub site:

interface: Vlan478
    Crypto map tag: SiteToSite, local addr. 10.240.64.3

   protected vrf: Staff
   local  ident (addr/mask/prot/port): (10.240.0.0/255.240.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 31, #recv errors 0

     local crypto endpt.: 10.240.64.3, remote crypto endpt.: 1.1.1.1
     path mtu 1452, media mtu 1452
     current outbound spi: 55F4F628

     inbound esp sas:
      spi: 0x73F41F82(1945378690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 3, conn id: 10923, flow_id: 1, crypto map: SiteToSite
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (309693/554)
        ike_cookies: CB3EEB9C A2D6A27F AE519C95 86EE72E6
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x55F4F628(1442117160)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 3, conn id: 10924, flow_id: 2, crypto map: SiteToSite
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (309707/553)
        ike_cookies: CB3EEB9C A2D6A27F AE519C95 86EE72E6
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello again,

The config and SAs look fine. On the hub side the SA says 'send errors' is 31. Not sure why, and whether this is why you do not have traffic. To verify: with this config the client tunnel comes up but not site-to-site?

Since you mentioned FWSM, NAT etc., can you move RA and site-to-site to one crypto map and one VLAN intf, to make sure that works?

You say the tunnel is up, but no traffic. Can you determine where the drop is? Clear counters, ping 100 times from spoke to hub (preferably an IP behind the hub), look at the vlan 479 and 530 counters and also the g3/1 and g3/2 counters. Match these to the SA encr/decr counters and this'll tell where it is dropped.

Can you also send the output of "sh cry vlan", 'sh ip route vrf Staff', 'sh ip route', 'sh ip cef vrf Staff 10.10.10.0 detail' and 'sh ip cef 1.1.1.1 det'; along with the int and sa counters.

If you wish we can take this offline, and you can send the sh output to my cisco id of sunilc.

thnx,

-Sunil.
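Sunil's method above is to compare the SA encrypt/decrypt counters on both ends and see in which direction the packets disappear. The following Python script is an added example, not from the thread: it parses trimmed "show crypto ipsec sa" excerpts (constructed here, carrying the counter values posted above) and reports which direction is losing traffic; the finding codes are my own naming, not IOS output.

```python
import re

# Constructed excerpts in the shape of 'show crypto ipsec sa' output; the counter
# values mirror the ones posted in this thread, the rest of the output is omitted.
SPOKE_SA = """\
interface: Dialer0
    Crypto map tag: SiteToSite, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.240.0.0/255.240.0.0/0/0)
   current_peer 2.2.2.2 port 4500
    #pkts encaps: 91, #pkts encrypt: 91, #pkts digest: 91
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
"""

HUB_SA = """\
interface: Vlan478
    Crypto map tag: SiteToSite, local addr. 10.240.64.3
   protected vrf: Staff
   local  ident (addr/mask/prot/port): (10.240.0.0/255.240.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:4500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
    #send errors 31, #recv errors 0
"""

# One regex per field; both spellings seen in the two outputs above
# ("local addr" / "local addr.", "current_peer" / "current_peer:") are accepted.
FIELDS = {
    "interface": re.compile(r"^interface:\s*(\S+)", re.M),
    "local_addr": re.compile(r"local addr\.?\s*(\S+)"),
    "peer": re.compile(r"current_peer:?\s*([0-9.]+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
}


def parse_sa(text):
    """Pull the fields above out of one SA block; numeric fields become ints."""
    sa = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"{name} not found in SA output")
        value = m.group(1)
        sa[name] = int(value) if value.isdigit() else value
    return sa


def diagnose(spoke, hub):
    """Compare both ends' counters and name the direction in which traffic is lost.

    Returns a list of (code, explanation) tuples; an empty list means both
    directions are flowing and no SA send errors were seen.
    """
    findings = []
    if spoke["encaps"] > 0 and hub["decaps"] == 0:
        findings.append(("SPOKE_TO_HUB_LOST",
                         "spoke encrypts but hub never decrypts: packets are lost "
                         "before they reach the hub crypto engine"))
    if hub["decaps"] > 0 and hub["encaps"] == 0:
        findings.append(("HUB_REPLY_NOT_ENCRYPTED",
                         "hub decrypts but never encrypts: replies are not routed "
                         "back to the crypto-mapped VLAN (check routes / RRI)"))
    if hub["encaps"] > 0 and spoke["decaps"] == 0:
        findings.append(("HUB_TO_SPOKE_LOST",
                         "hub encrypts but spoke never decrypts: return traffic is "
                         "lost between the hub crypto engine and the spoke"))
    for side, sa in (("spoke", spoke), ("hub", hub)):
        if sa["send_errors"] > 0:
            findings.append(("SEND_ERRORS",
                             f"{side}: {sa['send_errors']} send errors on the SA "
                             f"(peer {sa['peer']}, {sa['interface']})"))
    return findings


if __name__ == "__main__":
    spoke, hub = parse_sa(SPOKE_SA), parse_sa(HUB_SA)
    for code, why in diagnose(spoke, hub):
        print(f"{code}: {why}")
```

Run against the posted numbers it flags the hub-to-spoke direction (hub encaps 9, spoke decaps 0) plus the send errors on both SAs, which is the same conclusion Sunil draws from the counters by hand.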

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello,

The config seems OK to me. Can you check that the VPNSM's internal interfaces show the correct VLANs?

Since the VPNSM is in slot 3, int g3/1 should be allowing VLANs 478, 479 and 481, while int g3/2 should be allowing VLAN 530. These should be configured automatically, but check to see that they are correct.

thnx,

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Sunil,

I checked it before and, of course, had to confirm again. Thanks for the reminder.

Please see the output.

Karl

-------------------------------------

Building configuration...

Current configuration : 549 bytes
!
interface GigabitEthernet3/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,311,321,331,341,351,361,421,431,441,451,461
 switchport trunk allowed vlan add 478,479,481,1002-1005
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 rmon collection stats 256 owner "root@QRDCS04NMS02 [1112008138593]"
 rmon collection stats 6016 owner monitor
 rmon collection history 256 owner "root@QRDCS04NMS02 [1112008138640]" buckets 50 interval 30
 spanning-tree portfast trunk
end

#sh run int gi3/2
Building configuration...

Current configuration : 450 bytes
!
interface GigabitEthernet3/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 530
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 rmon collection stats 272 owner "root@QRDCS04NMS02 [1112008138484]"
 rmon collection stats 6017 owner monitor
 rmon collection history 272 owner "root@QRDCS04NMS02 [1112008138500]" buckets 50 interval 30
 spanning-tree portfast trunk
end

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

What image are you running?

One other thing that I noticed is that the outside vlan has HSRP and is Vlan530.

The Inside vlan's are 478,479,481 and have 'cry map redundancy command'.

With this on reload, 478/479 get initialized before 530; so the hsrp group is not known till 530 gets initialized. So the 'cry map redundancy' command will disappear on reload.

So have the Outside (hsrp) vlan defined sequentially before the inside vlan's.

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

12.2SXE2 is the version.

One of the reasons why I upgraded from the SXD train to SXE is the problem you mentioned: the crypto map redundancy command disappears after reloading.

Karl

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

I have a basic question.

The following example permits 192.108.0.0/16 only

access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0

but it is recognised by IOS like this:

access-list 101 permit ip host 192.108.0.0 host 255.255.0.0

IOS 12.2T (C2600, C3600)

do you have any idea about this?

thanks a lot

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello,

Since you're configuring an ACL with an all-zero wildcard, it will be read as a host address.

If you want any IP in 192.108.0.0/16 to go anywhere, then you would need to configure

access-list 101 permit ip 192.108.0.0 0.0.255.255 any

-Sunil.
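Sunil's point is that IOS treats a 0.0.0.0 wildcard as "host" and a 255.255.255.255 wildcard as "any", so the ACE from the question only ever matches the single address 192.108.0.0 talking to 255.255.0.0. As an added example (not from the thread or any Cisco tool), this Python script reproduces how IOS canonicalises an extended ACE, including zeroing address bits that fall under wildcard ones, and tests whether a source/destination pair matches it.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def parse_spec(tokens):
    """Consume one IOS address specification ('any', 'host A', or 'A WILDCARD').

    Returns ((address, wildcard), remaining_tokens) with both values as ints.
    """
    head = tokens[0]
    if head == "any":
        return (0, ALL_ONES), tokens[1:]
    if head == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(head), _to_int(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC-SPEC DST-SPEC' (numbered extended ACL)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    number, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = parse_spec(tokens[4:])
    dst, rest = parse_spec(rest)
    return {"number": number, "action": action, "proto": proto, "src": src, "dst": dst}


def spec_text(spec):
    """Render a spec the way IOS stores it: wildcard 0 -> 'host', all ones -> 'any'.

    Address bits under a 1 in the wildcard are "don't care" bits, so IOS zeroes
    them too (192.108.1.1 0.0.255.255 is stored as 192.108.0.0 0.0.255.255).
    """
    addr, wc = spec
    if wc == ALL_ONES:
        return "any"
    if wc == 0:
        return f"host {_to_str(addr)}"
    return f"{_to_str(addr & ~wc & ALL_ONES)} {_to_str(wc)}"


def canonical(line):
    """The form 'show running-config' would print for the given ACE."""
    ace = parse_ace(line)
    return (f"access-list {ace['number']} {ace['action']} {ace['proto']} "
            f"{spec_text(ace['src'])} {spec_text(ace['dst'])}")


def spec_matches(spec, ip):
    """True if ip agrees with the spec's address on every bit the wildcard cares about."""
    addr, wc = spec
    care = ~wc & ALL_ONES
    return (_to_int(ip) & care) == (addr & care)


def ace_matches(line, src_ip, dst_ip):
    ace = parse_ace(line)
    return spec_matches(ace["src"], src_ip) and spec_matches(ace["dst"], dst_ip)


def wildcard_for_prefix(prefixlen):
    """Inverse mask for a /prefixlen, e.g. 16 -> '0.0.255.255'."""
    return _to_str(ALL_ONES >> prefixlen)


if __name__ == "__main__":
    asked = "access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0"
    fixed = f"access-list 101 permit ip 192.108.0.0 {wildcard_for_prefix(16)} any"
    print(canonical(asked))                               # host 192.108.0.0 host 255.255.0.0
    print(ace_matches(asked, "192.108.5.5", "10.0.0.1"))  # False
    print(ace_matches(fixed, "192.108.5.5", "10.0.0.1"))  # True
```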

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Dear Sunil,

Just a small and quick question: I have to disable all the ICMP traffic from the internet except for a few of our public networks. We have a PIX 515. Please suggest.

EM

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello Ephraim,

You can have an acl on the outside interface, that allows icmp from any to your public n/w, but denies icmp for all other traffic.

access-list OUTSIDE permit icmp any 200.1.1.0 255.255.255.0
access-list OUTSIDE deny icmp any any

Is this what you're looking for?

thnx,

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

We have around 100 site-to-site VPN connections from various Cisco IOS routers, PIXes, and other firewalls connecting back to our main site VPN concentrator. We want to replace this VPN concentrator with a Cisco router preferably, rather than a Cisco 3060. Our main requirement is to have as much of the config for each tunnel as possible pulled from a RADIUS (or TACACS) server. I cannot find any examples on the Cisco web site. Is this possible?

Thanks Much,

Fred

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello Fred,

If it were remote access connections (either from s/w clients, or from IOS ezvpn h/w clients), then it is possible to pull in parts of the config from radius (like preshared keys, username/pwd, pool, framed-ip-addresses etc).

But for site-site tunnels, we have to configure the crypto info on the headend. There is no way to pull this from radius.

We do have enhancements to the ipsec VTI (virtual tunnel interfaces) in the near future that will allow you to configure a virtual-template on the headend, and get other config (vrf, acl's, qos etc) from radius. But again, this is for dynamic VTI (similar to dynamic crymaps or ezvpn server) and not for static VTI (similar to static or site-site crypto maps).

So for site-site tunnels, you will have to configure most of it on the headend.

thnx,

-Sunil.

New Member

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunilc!

Probably I have a simple question: I would like to reset a single TCP connection (IP address + port number) using a

CISCO IDS 4235,Version 4.1(5)S194, with a

PIX 520, IOS Version 6.3(3) and a

4500 router, IOS Version 12.0(8b).

Is it really possible with this hardware?

I think I need at least ROUTER IOS version 12.2(15), but I cannot do this upgrade on my device. Is it true?

Is the PIX capable of resetting a single connection? Maybe IOS version 7.00 is needed? Is it possible to upgrade the PIX 520?

Thank you in advance, Best regards!

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello,

Since this is an IDS sensor question, you would get better responses on the Security discussion forum.

But I'll take a stab at it.

I'm not sure why you mention PIX and 4500 when talking about tcp-reset. Maybe you are talking about Blocking?

Since the IDS 4235 is not an inline device (IPS) and rather gets a copy of the traffic to be monitored; we have 2 options to block a certain tcp connection when a signature has been detected.

1) Blocking the traffic (SHUN).

Once the signature is detected, the IDS appliance can log in to a PIX f/w or IOS router to apply ACLs to filter/block that traffic. On the PIX, it configures the SHUN command. On IOS routers it configures ACLs, and on the 6500 it can configure VACLs for blocking the traffic.

Maybe this is why you mentioned the PIX and 4500?

The PIX 6.3(3) supports SHUN, and I think IOS 12.0 does support this.

Look at this link, which explains the blocking configuration and also has a list of supported devices.

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a008035809d.html#wp88110

2) Resetting the TCP connection

The 4235 appliance can reset the tcp connection, by sending reset messages to both sides.

Look at the following link for more info:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a0080358053.html#wp479205

Hope this answers your question.

thnx,

-Sunil.

Silver

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hi Sunil,

What do you mean by Network based security services, and how is this different from regular security services?

Thanks,

Tom

Bronze

Re: ASK THE EXPERT – DEPLOYING NETWORK BASED SECURITY SERVICES

Hello Tom,

One way to characterise security services (firewall, IPsec, IDS etc.) is

1) Host based or Endpoint security services

These are services that run on the hosts; examples are Zone firewall, Cisco Security Agent, Cisco VPN client, McAfee VirusScan etc.

2) Network based security services

These services run on network devices like PIX f/w, IOS routers etc. and provide security services for the downstream n/w (other routers and end hosts). These are typically deployed on the edge of the n/w, and examples are PIX/FWSM/IOS-CBAC providing perimeter firewalling, PIX/VPNSM/IOS providing IPsec encrypted termination for remote spokes/clients, IDSM/IDS-appliance/IOS-IDS providing perimeter IDS/IPS services etc.

Network based security can further be classified as

a) Regular or Global security - The edge device provides security services for the whole n/w behind it. This is a typical Enterprise deployment scenario.

b) Virtualised security services

The edge device has segmented networks behind it (a Service Provider device with multiple VPNs/VRFs behind it, or an Enterprise device with segmented user groups behind it), and provides virtualised security services for the different n/w's.

By virtualization, the device behaves as a group of virtual security devices and provides different security services for each n/w. For example a SP with an MPLS edge device can provide virtualized IPSec/FW services to each VPN/VRF. Each VRF can have its own independent security policies.

Examples of this are the FWSM with virtual Firewalls, VPNSM with vrf-aware IPSec etc.
