Bridge domains on Cisco IOS-XE

I was recently tasked with setting up a layer 2 cross connect to another city, from an HQ to a branch. The ISP gave us 2 interconnects on each end that connect to two physical routers on their side but provide the same layer 2 service on a VLAN. We only had 1 Cisco ASR router on either end. My idea was to bridge the two interfaces into a single bridge and switch across to the other city. A simple task, but I did not realize that the routers I had to work with were running IOS-XE. I have not worked on IOS-XE before.

Bridge domain layout


The configuration for this scenario used to be something like this:

bridge irb
!
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/1.999
encapsulation dot1q 999
bridge-group 1
!
interface GigabitEthernet0/2.999
encapsulation dot1q 999
bridge-group 1
!
interface BVI 1
ip address 1.1.1.1 255.255.255.252
!

This configuration has now changed. It took me almost an hour to figure it out. The configuration for a bridge domain and sub-interfaces on a Cisco ASR running IOS-XE looks like this:

bridge irb
!
interface Gig0/1
no ip address
negotiation auto
service instance 999 ethernet
encapsulation dot1q 999
bridge-domain 999
!
interface Gig0/2
no ip address
negotiation auto
service instance 999 ethernet
encapsulation dot1q 999
bridge-domain 999
!
! The BDI number must match the bridge-domain ID it routes for
interface BDI999
ip address 1.1.1.1 255.255.255.252

As you can see, it's the same idea and you get the same result; it's just put together differently.

Cisco patches vulnerabilities in some security appliances, switches and routers

It always fascinates me when I hear about vulnerabilities in Cisco equipment. For a long time I thought Cisco was the be-all and end-all of networking.

My paradigm has shifted, and Cisco is now just another network vendor who happens to be on top of the vendor list.

A new security patch for Cisco ASA firewalls is always recommended. The ASAs are supposed to be the best at security.

IDG News Service – Cisco Systems has released security patches for authentication bypass, command execution and denial-of-service vulnerabilities affecting products that use its Adaptive Security Appliance (ASA) software, as well as the Cisco Catalyst 6500 series switches and Cisco 7600 series routers.

Cisco released new versions of its ASA software to address six denial-of-service vulnerabilities in various components and three authentication bypass vulnerabilities in remote access services.

Attackers could cause a device to reload, resulting in denial of service, by exploiting flaws in the way the IPsec VPN service handles ICMP packets; in the SQL*Net inspection engine, and in code for HTTP deep packet inspection, DNS inspection, or clientless SSL VPN, Cisco said Wednesday in a security advisory.

In addition, they could gain access to the internal network or gain management access to the affected system via the Cisco Adaptive Security Device Management (ASDM) by exploiting flaws in the digital certificate or remote access VPN authentication procedures, the company said.

Read more: Cisco patches vulnerabilities in some security appliances, switches and routers

Forwarding a range of ports to internal server | Cisco IOS

Have you ever entered line after line of ip nat rules on your Cisco router? I've done that way too many times to count. Luckily there is a better way to forward a whole range of ports to a destination IP inside your network.

This guide assumes that you already have your inside/outside NAT configured with overload.

We will create a NAT pool holding the address we want our ports forwarded to. The pool is defined with type rotary so it can be used as the destination of the translation:

R1(config)# ip nat pool PORTFWD 172.16.1.100 172.16.1.100 netmask 255.255.255.0 type rotary

Next we define the ports that we want to forward to that device. Here we use an access list; I like using named access-lists:

R1(config)# ip access-list extended PORTSFORWARDING
R1(config-ext-nacl)# permit tcp any any range 2000 2100

With the access list and the NAT pool set up, we tie the two together so that inbound traffic matching the list is translated to the pool address:

R1(config)# ip nat inside destination list PORTSFORWARDING pool PORTFWD

That's it!

I used this config on my Cisco 837 router with IOS 12.4(15)T3 and it worked like a charm. I used it to forward all "console" connections to my GNS3 server at home.

Bugs found in Cisco ASA 8.4(5) ios

I had the pleasure of installing a brand new Cisco ASA 5510 with IOS 8.4(5).

I first had a problem creating some NAT rules. I ended up issuing the command “clear config nat” and copied the CLI commands from another firewall.

All the configuration was done correctly, and the tests I did on the firewall worked like a charm.

I created a port-channel group on the ASA to plug into a switch. The channel-group was configured for LACP and routed traffic for multiple VLANs (I created some port-channel sub-interfaces).

The config looked good and all was well.

When I mounted the ASA and plugged it into the switch, I could not get a layer 1 connection.

I eventually got the port-channel up and running by statically configuring the speed on the switch. I didn't like this.

I upgraded the Cisco ASA 5510 firmware from 8.4(5) to 8.4(6) and all my problems went away.

Download: Cisco ASA 5510 8.4(6)


Block Facebook on a Cisco router.


Blocking Facebook has become quite a thing to do lately. With Facebook being so popular, a lot of companies want the whole website blocked. There are many ways of doing it with Cisco. I found this one to be quite stable, and it works 100%. It is also not very resource intensive. This will work on any Cisco router that can do ACLs. I'm using it on a Cisco 837, a Cisco 877 and a Cisco 1941.
This is what you have to do:


Create an access-list to deny all Facebook IP addresses on the Cisco router.

I like using named access-lists.

Router>enable
Router#configure terminal
Router(config)#ip access-list extended Block_FaceBook
Router(config-ext-nacl)#
deny   ip 192.168.13.0 0.0.0.255 host 173.252.100.16
deny   ip 192.168.13.0 0.0.0.255 173.252.64.0 0.0.63.255
deny   ip 192.168.13.0 0.0.0.255 31.13.24.0 0.0.7.255
deny   ip 192.168.13.0 0.0.0.255 31.13.64.0 0.0.63.255
deny   ip 192.168.13.0 0.0.0.255 66.220.144.0 0.0.15.255
deny   ip 192.168.13.0 0.0.0.255 69.63.176.0 0.0.15.255
deny   ip 192.168.13.0 0.0.0.255 69.171.224.0 0.0.31.255
deny   ip 192.168.13.0 0.0.0.255 74.119.76.0 0.0.3.255
deny   ip 192.168.13.0 0.0.0.255 103.4.96.0 0.0.3.255
deny   ip 192.168.13.0 0.0.0.255 204.15.20.0 0.0.3.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip any any

Apply the newly created “Block_FaceBook” access list inbound on the interface facing your local LAN:

Router(config)#interface FastEthernet 0/1
Router(config-if)#ip access-group Block_FaceBook in


So the process is simple:

Create an ACL with all the Facebook IP addresses to block.
Apply that access list to the interface on your local network.

For reference, the IP address list for Facebook is:
31.13.24.0/21
31.13.64.0/18
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
103.4.96.0/22
173.252.64.0/18
204.15.20.0/22

2401:db00::/32
2620:0:1c00::/40
2a03:2880::/32

ADSL failover config on Cisco router.

In today's times we cannot afford to lose connectivity to the internet for long periods of time. Even 10 minutes is a long time for me. So we make use of redundant connections and use one as a failover.

This is how you would set up ADSL failover on a Cisco router.

Define and configure your internet-facing interfaces and your local interface. Configure NAT on the Cisco router on both outside interfaces.

Set up an IP SLA probe to monitor a connection. It pings a remote address through the primary link at a fixed interval:

(config)# ip sla 1
(config-ip-sla)# icmp-echo <IP-Address-To-Monitor> source-interface <local-Interface>
(config-ip-sla)# timeout <milliseconds-timeout>
(config-ip-sla)# frequency <Time-in-Seconds>
(config)# ip sla schedule 1 life forever start-time now

Map the IP SLA probe just created to a track object:

(config)# track 1 ip sla 1

Create routes to the internet and define the primary and secondary route. The primary default route is tied to the track object and is withdrawn when the probe fails; the secondary has a higher administrative distance (5) so it is only used when the primary is gone:

(config)# ip route 0.0.0.0 0.0.0.0 <next-hop-ip> track 1
(config)# ip route 0.0.0.0 0.0.0.0 <Interface> 5


That's it. Now the primary internet connection via <next-hop-ip> will be used, and if it fails, traffic will fail over to the second one.


Block Facebook on a Cisco 887 Router

As you might have found out, you cannot simply tell a Cisco 887 router to block facebook.com. You need to do it using IP addresses.

It is actually quite simple. If you guessed access-lists, you are spot on.

Here it is:


access-list 100 remark Outside NAT
access-list 100 deny ip 192.168.1.0 0.0.0.255 66.220.144.0 0.0.15.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 69.63.176.0 0.0.15.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 204.15.20.0 0.0.7.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 69.171.224.0 0.0.31.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any


**Replace 192.168.1.0 with your local IP address range.

All of these are IP addresses associated with facebook.com. Block all of them, and you block Facebook. Yay!
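The ACL entries in this post and in the earlier Facebook post are hand-typed wildcard masks for the CIDR list given earlier. This is an added Python example, not code from the original posts: it converts the published CIDR ranges into the named-ACL form used earlier, converts an existing network/wildcard pair back to CIDR the way IOS applies it, and reports whether an existing deny entry matches a published range exactly or blocks a broader or narrower block than published. The ACL name and LAN range are the ones used in the posts.

```python
import ipaddress

# Facebook IPv4 ranges as listed in the post above (reference list).
FACEBOOK_V4 = [
    "31.13.24.0/21", "31.13.64.0/18", "66.220.144.0/20", "69.63.176.0/20",
    "69.171.224.0/19", "74.119.76.0/22", "103.4.96.0/22", "173.252.64.0/18",
    "204.15.20.0/22",
]

def cidr_to_wildcard(cidr):
    """Return (network, wildcard) for an IOS ACE; the wildcard is the inverted mask."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)

def wildcard_to_cidr(network, wildcard):
    """CIDR for an IOS network/wildcard pair, as IOS applies it.
    IOS ignores host bits covered by the wildcard, so '204.15.20.0 0.0.7.255'
    really means 204.15.16.0/21; strict=False reproduces that.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # contiguous low-order ones <=> wc + 1 is a power of two
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return str(ipaddress.ip_network(f"{network}/{32 - wc.bit_length()}", strict=False))

def build_acl(name, lan_cidr, blocked):
    """Generate the named extended ACL from the post for a list of CIDR ranges."""
    lan_net, lan_wc = cidr_to_wildcard(lan_cidr)
    lines = [f"ip access-list extended {name}"]
    for cidr in blocked:
        net, wc = cidr_to_wildcard(cidr)
        lines.append(f" deny   ip {lan_net} {lan_wc} {net} {wc}")
    lines.append(f" permit ip {lan_net} {lan_wc} any")
    return lines

def check_ace(network, wildcard, reference):
    """Classify one existing deny entry against the published ranges."""
    ace = ipaddress.ip_network(wildcard_to_cidr(network, wildcard))
    refs = [ipaddress.ip_network(r) for r in reference]
    if ace in refs:
        return "exact"
    if any(r.subnet_of(ace) for r in refs):
        return "broader"   # denies more than the published range
    if any(ace.subnet_of(r) for r in refs):
        return "narrower"  # e.g. the single 'host 173.252.100.16' entry
    return "unlisted"

if __name__ == "__main__":
    print("\n".join(build_acl("Block_FaceBook", "192.168.13.0/24", FACEBOOK_V4)))
    print(check_ace("204.15.20.0", "0.0.7.255", FACEBOOK_V4))  # broader: /21, not /22
```

Run against the 887 post's entry `204.15.20.0 0.0.7.255`, the check reports "broader", because that wildcard is a /21 while the published range is a /22.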


Static NAT Cisco configuration

There are often times that I need to access certain devices in my local network at home, whether I want to see what's happening on my Linux server or on my Cisco firewall. It's very simple to create a NAT rule to forward traffic from the outside (Internet) to a device on the inside (local LAN).

I have a Linux server on the inside of my network that monitors all my network devices and does traffic graphing. This server is on IP address 192.168.10.200, so the rules I need on my Cisco router look like this:

ip nat inside source static tcp 192.168.10.200 81 interface dialer0 81

ip nat inside source static tcp 192.168.10.200 80 interface dialer0 80

This means you want to NAT to the inside IP address 192.168.10.200 using the TCP protocol on port 80. The outside interface the traffic arrives on is dialer0, on port 80 as well.

You can also replace “interface dialer0” with an IP address. I use the interface because this is a Cisco 837 router and the address changes from time to time. By using the router's interface for the static NAT translation, you don't need a static public IP address.


Simple, hey?

Cisco looking to buy Citrix ADCs?

Cisco could buy Citrix’s networking business if an expected OEM deal involving the latter’s application delivery controller product bears fruit, Oppenheimer analysts said this week.

Oppenheimer & Co. issued bulletins stating that Cisco is expected to fill its recent ADC hole with Citrix's NetScaler product under an OEM arrangement. Cisco killed its own Application Control Engine (ACE) product but left open the possibility of revisiting the ADC market once it re-evaluates its strategy.

Source: Network World

Cisco VPN working only one way.

I had some issues with a Cisco VPN not working correctly a few weeks ago. After about 2 weeks of fighting with this IPsec VPN I realised it was something small that had to be done to fix it.

The traffic would go out the VPN tunnel, get to the other side's VLAN on the router, and then come back via an external interface. It turns out that the returning traffic was being NATed.

It came down to access lists.

I will post more details and configuration fix for it later this week.