
ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IOS URL FILTERING

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Arshad Saeed how to troubleshoot the advanced security feature set on Cisco Integrated Services Routers (ISRs). Arshad is a manager in technical marketing engineering with the IOS security technology group. He has eight years of experience in IP internetworking and security, including design, customer deployment and troubleshooting. Currently his expertise is in IOS Security features, which include IOS-based VPNs, firewall and intrusion prevention. Arshad has a bachelor's degree in electrical engineering. He is also CCIE Security certified (#2040).

Remember to use the rating system to let Arshad know if you have received an adequate response.

Arshad might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 19, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

64 REPLIES
New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, could you give a configuration example for configuring a router and a Cisco VPN client using digital certificates with a Windows CA server? Because for certificates in the VPN client, the group name is the value in the OU field of the certificates of the router. But when configuring the router for digital certificates it doesn't prompt for setting any OU field. Could you please tell me how to get this working and done? Waiting for your reply.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

sebastan

You should be able to define the OU with the "subject-name" option under the trustpoint:

Example:

crypto pki trustpoint xyz
 subject-name OU=vpn-client-group

Here are some reference documents which will walk you through the steps of enrollment and configuration you're looking for:

Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates:

============================================================================================

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800948e3.shtml

Configuring Cisco IOS Software Easy VPN IPsec Functionality:

============================================================

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a00802341eb.shtml

Digital Certificates/PKI for IPSec VPNs:

=========================================

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns656/c649/cdccont_0900aecd804102a1.pdf

Hope this helps.

Thanks and Regards

Arshad Saeed
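The answer above ties the VPN client's group name to the OU attribute of the certificate subject, so before rolling a trustpoint out it is worth checking that the subject you enrolled actually carries exactly one OU and that it equals the group the client is configured with. The following Python is an added example written for this thread, not code from the thread or from Cisco: it parses an RFC 4514-style subject string (the form you type in `subject-name` or see in the router's certificate display) and performs that check. The sample subjects are constructed, the function names are my own, and the exact, case-sensitive comparison is an assumption to confirm against your VPN client version.

```python
"""Check that the OU in an X.509 subject DN matches the expected VPN group.

Added example for the subject-name / OU discussion; not from the thread.
Parses an RFC 4514-style DN string and compares its OU attribute with the
group name the VPN client expects.
"""
import re


def parse_dn(dn):
    """Split 'CN=r1,OU=vpn-client-group,O=Example' into [(attr, value), ...].

    Handles backslash-escaped separators (e.g. 'O=Acme\\, Inc.') and treats
    '+' (multi-valued RDN) like ',' so every attribute is returned.
    """
    pairs = []
    # Split on ',' or '+' only when not preceded by a backslash escape.
    for rdn in re.split(r'(?<!\\)[,+]', dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if '=' not in rdn:
            raise ValueError('malformed RDN: %r' % rdn)
        attr, value = rdn.split('=', 1)
        # Remove RFC 4514 backslash escapes such as '\,' '\+' '\=' '\\'.
        value = re.sub(r'\\(.)', r'\1', value.strip())
        pairs.append((attr.strip().upper(), value))
    return pairs


def get_values(dn, attr):
    """All values of one attribute type, in subject order."""
    return [v for a, v in parse_dn(dn) if a == attr.upper()]


def ou_matches_group(dn, group):
    """True only if the subject carries exactly one OU and it equals `group`.

    Zero OUs means there is no group to match; two or more OUs are treated
    as ambiguous and rejected rather than guessed at. The exact,
    case-sensitive comparison is an assumption (verify for your client).
    """
    ous = get_values(dn, 'OU')
    return len(ous) == 1 and ous[0] == group


if __name__ == '__main__':
    # Constructed sample subjects; the OU is the group name from the thread's example.
    samples = (
        'CN=router1.example.test,OU=vpn-client-group,O=Example Corp',
        'CN=router2.example.test,O=Example Corp',
        'CN=router3.example.test,OU=vpn-client-group,OU=eng,O=Example Corp',
    )
    for subject in samples:
        print('%-70s -> %s' % (subject, ou_matches_group(subject, 'vpn-client-group')))
```

Paste the subject string from the enrolled certificate into `ou_matches_group` with the group name used on the client; a False result for a subject that looks right usually means a second OU, a trailing space, or a differently-cased group name.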

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, thanks for the links. In the second link, on digital certificates over VPNs, there are many more links, like enrollment over SCEP to a VPN router. But for those links it's asking me for a login. I am working with a partner so I don't have a login. Can I view those configuration examples without a login? And also please tell me what is the minimum IOS required for Easy VPN to support digital certificates. Waiting for your reply. See ya

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Sebastan,

I suggest using the latest 12.4(6)T, and if you're looking for the links below:

Cisco IOS Certification Authority Server Configuration—TAC Tech Tips

1. Backup and Restore Options for your Cisco IOS CA Server

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a008021ac26.shtml

2. Certificate Expiration and Auto-Enroll (Automatic Re-Enrollment) Feature FAQ

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_q_and_a_item09186a00802149a8.shtml

3. Certificate Revocation List Distribution over SCEP Configuration Example

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008021bc55.shtml

4. Certificate Revocation List Distribution over SCEP FAQ

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_q_and_a_item09186a008021bc50.shtml

5. Cut-n-Paste Style Certificate Enrollment to a Cisco IOS CA Configuration Example

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008021568b.shtml

6. Enrollment over SCEP to a Cisco IOS CA (Headend Aggregator VPN Router) Configuration Example

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080215686.shtml

These documents have been moved and I have to ask the author of the document to put up the right links, since they are no longer available. However, the following URL will help you to read more configurations:

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, thanks a lot. Hi Arshad, I have one more query. It's about auth-proxy. But with auth-proxy the user first needs to access a Telnet or an FTP or an HTTP connection, and only then will we get access to other network resources through proxy ACLs. Is there a functionality in routers like we have in PIX, like virtual telnet, by which the user would have to open one of these services before having network access?

regards

sebastan

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, I want to know whether we can authenticate the users behind an Easy VPN client router with 802.1x, because I read in the documentation that it doesn't support Easy VPN, and also that I cannot use a switch between the Easy VPN client router and the hosts; it has to be a hub. Can you please clarify the above details? Thank you once again for all your help. Waiting for your reply.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Sebastan,

The documentation you read must be the one below, and unfortunately the information is not accurate:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5413/products_feature_guide09186a00801ad9a2.html

Easy VPN is supported with 802.1x; please refer to the documentation below. The example shows an 831 with a special image; if you want to use 870 series routers then you should use the image 12.4(4)XC.

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a00801fdef9.shtml

Spouse and kids is a layer 3 feature, hence you can't configure it on layer 2 ports.

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, thanks a lot. And please don't refer me to links that need a login; I do not have a Cisco login to access the documents you refer me to. OK Arshad, when I implement 802.1x on a Cisco Easy VPN client router, can I use a switch between the router and hosts, or, as per the document, do I need to use a hub between them? Can you please tell me about this? And thanks a lot once again.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Sebastan,

Please check the attached documents; you cannot use a switch between the hosts and the router.

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, thanks once again. Arshad, if I have to use L2TP VPNs, do I need a NAS server, I mean is it mandatory? Or can I use a simple router and configure an L2TP VPN? Because in all the Cisco configuration examples I have seen they are using a LAC and LNS. Please guide me on this. See ya

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Sebastan,

Currently this functionality is not available in IOS Routers.

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, you mean to say I cannot use L2TP VPNs on routers without having a NAS? Because I saw Cisco configuration examples on routers using L2TP VPNs. Please confirm the same. Thank you, waiting for your reply.

regards

sebastan

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, can you please tell me, is the WebVPN feature in the 12.4(6)T IOS equivalent to the Cisco ASA WebVPN feature? I mean, does it have all the benefits compared to an ASA when using WebVPN? Can you please guide me on that? I have not yet tried WebVPN on Cisco IOS routers. Can you please help me with some configuration examples also? That will be really helpful. Awaiting your reply. See ya

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

The Cisco IOS WebVPN comprehensive feature set is available with the Advanced Security images or higher starting with Cisco IOS Software Release 12.4(6)T (the Base IP image doesn't include this functionality). IOS SSLVPN provides similar functionality to an ASA for features like End-point Security (Cisco Secure Desktop) and Full-tunnel client (SSLVPN Client). For more information on IOS SSLVPN config examples please go to: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805eeaea.html

All IOS SSLVPN features are included in a single, cost-effective license that would be purchased separately. For ordering information go to: http://www.cisco.com/en/US/products/ps6635/products_data_sheet0900aecd80405e25.html under 'ORDERING INFORMATION'.

Visit www.cisco.com/go/ioswebvpn for more details on IOS WebVPN/SSLVPN.

Thanks and Regards

Arshad

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Sebastan,

The reply was about the "Auth-proxy" question you asked. You can use L2TP VPNs on routers without having a NAS.

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, OK, sorry about the misunderstanding. OK, so for L2TP VPNs we don't need a NAS, right? Can you tell me please, as far as I know it's only supported for Microsoft VPN clients, right? The Cisco VPN client will not support L2TP, right? Is it only for VPDNs, I mean do they have to dial a number in the VPN client, or can they connect to an IP of the VPN server like Cisco VPN clients do? And what is the difference and what are the benefits between L2TP VPNs and pure IPsec remote VPNs using Cisco VPN clients? Waiting for reply. If possible please explain in detail. Thank you for all your help. See ya

regards

sebastan

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, please clear my doubt about L2TP VPNs. Waiting for your reply. See ya

regards

sebastan

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, I am still waiting for your reply about L2TP VPNs. Please guide me on this.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Sebastan,

I hope this will clear some of your doubts about L2TP and IPsec RA:

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_q_and_a_item09186a00800a443e.shtml

Since L2TP is a standard protocol, enterprises can enjoy a wide range of service offerings available from multiple vendors.

Another thing to watch out for is the reference document below, which provides various business remote access VPN solutions. It depends on what the customer or end user wants to implement:

http://www.cisco.com/en/US/partner/products/hw/routers/ps341/products_configuration_guide_chapter09186a0080518a17.html

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi Arshad, thanks. I can't open the links you referred me to because they are asking for a login which I don't have. I got the attachment. I just want to verify what I understood from the document you gave me: that L2TP VPNs are basically for Windows VPN clients, right? Meaning I cannot run L2TP VPNs with Cisco VPN clients. And, like Cisco VPN clients, in L2TP VPNs can we assign the IP address of the VPN gateway, I mean we don't have to dial a number for the VPN connection, right? Could you just tell me in short the major differences between pure IPsec remote VPNs and L2TP VPNs, and what are the benefits of L2TP VPNs in comparison to pure remote IPsec VPNs? Please do reply. Waiting for your reply. See ya, and thanks once again.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

You can use both kinds of clients on one PC; I mean both the Windows L2TP VPN client and the Cisco VPN client can coexist as well. However, the Cisco VPN client software will not support L2TP VPNs.

Please read the attached document, I have converted the html to doc.

Thanks and Regards

Arshad

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hello,

I have a question also about auth-proxy.

I'd like to know if we can use the IOS firewall feature to provide elementary username/password login for connections going through the router. We'd like to use our ISP router as a frontend to our internal network. This router is outside the firewall and we want it to force a login when any outside user attempts HTTP or HTTPS to one of our DMZ web servers.

USER - ISP - IOS.ROUTER - OLD.FIREWALL - WEB.SERVER

The firewall is old and we cannot easily modify it. I've seen an auth-proxy for HTTP, FTP and Telnet but not for HTTPS in an IOS router.

Thank you for any help you can give.

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hi,

HTTPS is supported as long as the login page is being thrown from the router.

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Hey Arshad-

I've been exploring DMVPN and think I've read every document available at least once. I'm really impressed with what I've seen and implemented so far.

The following link mentions Phase 3 improvements that will "improve scalability, stability, and manageability of DMVPN networks"

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_q_and_a_item0900aecd802e2cf5.shtml

Any word on what those improvements are, and when they may be available? The article says to e-mail dmvpn-core@cisco.com for more info, but that address bounces back.

I'd also love to see an updated, consolidated "DMVPN best practices" document including info on best routing protocols (I've seen EIGRP, RIP, and OSPF mentioned in different spots), hub router HA configuration, etc.

Thanks in advance!

-Mason

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

Mason,

Thanks for pointing out the "dmvpn-core@cisco.com" error; please use "ask-stg-ios-pm" for more detailed DMVPN network design information and guidance.

DMVPN improvements for Phase 3 include several features, and are split over many releases:

a) Shortcut Switching Enhancements for NHRP in DMVPN Networks: improves the scalability and stability of DMVPN. This feature was released in 12.4(6)T and below is the reference document:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080641515.html

The following features will be available soon:

b) DMVPN Manageability enhancements:

c) DMVPN Routing scalability improvements: This feature allows EIGRP in DMVPN networks to scale from 350 spokes/interface to 500 spokes/interface.

d) 2547oDMVPN: This feature allows enterprise network segmentation, and DMVPN can be used as a transport to enable segmentation.

Thanks for your suggestion for updating the DMVPN collateral; I have already conveyed it to the product marketing team. Just FYI, if you want to know about any technology, e.g. IPsec or DMVPN, type http://www.cisco.com/go/ipsec or http://www.cisco.com/go/dmvpn and you'll get your desired documentation.

Hope this helps.

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

That is a great help. Thanks for the overview of the new features.

-Mason

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

The customer's demand: The core has two 6500s with FWSM. The IDF has many 3560s, and every 3560 has two links, one to each 6500. VLAN 2 is used for network devices, including interconnecting to the WAN router; VLAN 5 for users; VLAN 6 for production. FWSM (transparent) is used for protecting the production subnet, with failover. The configuration is the following:

1) primary 6500:

firewall multiple-vlan-interfaces
firewall vlan-group 1 6,10,16
firewall vlan-module 1 1
inter vlan 2
 ip add 10.209.33.3 255.255.252.0
 standby 16 10.209.33.2
 standby 16 pri 105
 standby 16 pre
inter vlan 16
 ip add 10.209.40.2 255.255.252.0
 standby 16 10.209.40.1
 standby 16 pri 105
 standby 16 pre
inter vlan 6
inter vlan 10
inter range gig 2/21-24
 switch trunk en dot1q
 channel-group 1 mode active
ip route 0 0 10.209.32.1

2) secondary 6500:

firewall multiple-vlan-interfaces
firewall vlan-group 1 6,10,16
firewall vlan-module 1 1
inter vlan 2
 ip add 10.209.33.4 255.255.252.0
 standby 16 10.209.33.2
 standby 16 pri 85
 standby 16 pre
inter vlan 16
 ip add 10.209.40.3 255.255.252.0
 standby 16 10.209.40.1
 standby 16 pri 85
 standby 16 pre
inter vlan 6
inter vlan 10
inter range gig 2/21-24
 switch trunk en dot1q
 channel-group 1 mode active
ip route 0 0 10.209.32.1

3) primary FWSM:

transparent
nameif vlan16 outside security0
nameif vlan6 inside security100
ip add 10.209.40.4 255.255.252.0 second 10.209.40.5
monitor-inter inside
monitor-inter outside
router outside 0 0 10.209.40.1 1
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
failover lan interface faillink vlan 10
failover link statelink vlan 11
failover lan unit primary
failover interface ip faillink 10.209.40.33 255.255.255.252 standby 10.209.40.34
failover interface ip statelink 10.209.40.49 255.255.255.252 standby 10.209.40.50
failover interface-policy 1
failover replication http
failover

4) secondary FWSM:

transparent
failover lan unit secondary
failover lan interface faillink vlan 10
failover interface ip faillink 10.209.40.33 255.255.255.252 standby 10.209.40.34
failover

My question: The log of the FWSM shows the failover is OK. But port-channel1 and gig 2/21-24 go down automatically. The interfaces gig 2/21-24 on one 6500 show err-disabled, and on the other 6500 they show notconnect. The log of the 6500 shows channel-misconfig and a duplicate IP address 10.209.40.2 in vlan 16 on one 6500, and a duplicate IP address 10.209.40.3 in vlan 16 on the other 6500. And if I shutdown port-channel1 and then no shutdown it, port-channel1 and gig 2/21-24 come up. But after a few minutes, port-channel1 and gig 2/21-24 go down again automatically. The trunk and port-channel are used for communicating failover and the other VLAN information. If the trunk and port-channel are down, should failover not work? Please help me.

And now I have tested the following: if I only allow vlan 5 through the port-channel1 trunk, namely not allowing vlans 6, 16 and 10, the problem is resolved. But now I find many PCs automatically drop their connection to the network (the network connection icon on the desktop displays "Media disconnected"); after a few seconds they reconnect to the network normally. Why?

Cisco Employee

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

This question is out of the scope of this particular discussion, which is "Router Security, IOS Firewall/IPS and URLF". May I suggest posting this question in the "generic firewall" section?

Thanks and Regards

Arshad Saeed

New Member

Re: ASK THE EXPERT – ROUTER SECURITY, IOS FIREWALL, IOS IPS, IO

AOA Arshad,

I am using an ASA 5500 with software version 7.1(2).

Whenever I change the limit of TCP and embryonic connections per host, the command is accepted and saved in the running config, but it does not limit the user to the specified number of connections.

As I see using the show local-host command.

regards

Ahmad
