Monthly Archives: April 2014

Office 365 – Adding SMTP addresses while DirSync without ADFS/Hybrid

Posted on by

Background

There are limitations, when you deploy Office 365 without ADFS/Hybrid. In this article I would like to write about SMTP addresses.

  • This attribute is synchronized to Office 365
  • You cannot add SMTP addresses on the cloud side, so you have to use attribute editor or Powershell On-Premise instead
  • To use Powershell you need to import module for Server manager and one of the methods to add / remove or replace SMTP addresses is to use Set-ADUser cmdlet, where you add string values to multivalue property “ProxyAddresses”
  • More proxy addresses can be added at the time
get-aduser -identity "stokurev" | set-aduser -add @{'ProxyAddresses'=@("SMTP:anatolij.stokurev@domain.com","smtp:stokurev@domain.com")}

Example

As an example here is the script to double existing aliases with another domain suffix

#Purpose of this script is to double aliases of domain.suffix to domain.suffix2 as secondary SMTP addresses
#Author: Zbynek Salon
#importing needed module
Import-Module Servermanager
#gathering and adding aliases
$x = get-aduser -SearchBase "OU=SUFFIX2,OU=Office365,OU=People,DC=DOMAIN,DC=SUFFIX2" -filter * -pr * | select SAMAccountname,UserPrincipalName,proxyaddresses
foreach ($line in $x){
    foreach ($addr in $line.proxyaddresses){
                if ($addr -like "smtp:*"){
                $addr = $addr.replace("DOMAIN.SUFFIX","DOMAIN.SUFFIX2")
                $addr = $addr.replace("SMTP:","")
                $addr = $addr.replace("smtp:","")
                $addr
                get-aduser -identity "$($line.samaccountname)" | set-aduser -add @{'ProxyAddresses'=@("smtp:$($addr)")}

                }
                }
               
}
#check results
$y = get-aduser -SearchBase "OU=SUFFIX2,OU=Office365,OU=People,DC=DOMAIN,DC=SUFFIX2" -filter * -pr * | select SAMAccountname,UserPrincipalName,proxyaddresses
foreach ($line in $y){
$line.samaccountname
    foreach ($addr in $line.proxyaddresses){
                if ($addr -like "smtp:*"){
                $addr
                }
                }
               
}
Advertisements

Cisco Labs – Network Security (14) – ASA as transparent firewall

Posted on by

Introduction

During my university studies I was doing a diploma thesis in field of Redundant and reliable networking. The purpose of itwas to create LAB examples for students, so they can test Basic settings for VPN, IPS and others. These tasks are created to Virtlab (Virtual lab with physical Cisco routers) however configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul2 8.3.3 ASA task definition

ASA as transparent firewall

Goal

  • Configure ASA as transparent firewall.
  • Generate a test message thru HTTP, FTP and ICMP.
  • Apply access list and recheck configuration.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-8.3.3_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig int3 10.0.0.2 netmask 255.255.255.0							;set IP address
route add default gw 10.0.0.1 dev int3								;set default gw

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable tenlnet connections

ASA

1) Firewall settings

ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent                          					;set up firewall in transparent mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside              
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
ASA1(config)# ip address 10.0.0.253 255.255.255.0               			        ;set management IP address for Firewall device
ASA1(config)# debug icmp trace                          					;turn on debug for icmp traffic thru firewall

Check connection as you can see in Function test before applying access lists.

2)Apply access lists

ASA1(config)# access-list FWRULEIN permit icmp any any
ASA1(config)# access-list FWRULEIN permit udp any any eq 20
ASA1(config)# access-list FWRULEIN permit udp any any eq 21
ASA1(config)# access-list FWRULEIN permit tcp any any eq www 
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp 

ASA1(config)# access-group FWRULEIN in interface outside

Function test

Pictures are taken from text web browser lynx. You can get similar results from graphical web browser from Linux and Windows.

F1) Before access lists

outside -> inside

ASA1(config)# debug icmp trace									;turn on debugging for icmp
PC1#ping 10.0.0.253										;ping firewall MGMT address
PC1#ping 10.0.0.254										;ping server
PC1#lynx http://10.0.0.254									;iniciate http connection with server - this traffic is permitted by default.
PC1#lynx ftp://10.0.0.254									;iniciate ftp connection with server

Pictures shows result of these commands.

NS2-8.3.3_ASA_DIA1-1

NS2-8.3.3_ASA_DIA1-2

inside -> outside

SERVER#ping 10.0.0.100										;ping PC1 from server

Picture shows result of this command.

NS2-8.3.3_ASA_DIA1-3

F2) After access lists application

outside -> inside

PC1#ping 10.0.0.253										;ping firewall MGMT address
PC1#ping 10.0.0.254										;ping server
PC1#lynx http://10.0.0.254									;iniciate http connection with server
PC1#lynx ftp://10.0.0.254									;iniciate ftp connection with server

Pictures shows result of these commands.

NS2-8.3.3_ASA_DIA2-1

NS2-8.3.3_ASA_DIA2-2

inside -> outside

SERVER#ping 10.0.0.100										;ping PC1 from server

Picture shows result of this command.

NS2-8.3.3_ASA_DIA2-3

Optional tasks

  • Try to configure different types of access lists denying and permitting different types of traffic.

Cisco Labs – Network Security (13) – Easy VPN server on ASA, SW client – physical lab

Posted on by

Introduction

During my university studies I was doing a diploma thesis in field of Redundant and reliable networking. The purpose of itwas to create LAB examples for students, so they can test Basic settings for VPN, IPS and others. These tasks are created to Virtlab (Virtual lab with physical Cisco routers) however configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul2 6.7.1 ASA task definition

Easy VPN server on ASA, SW client

Goal

  • Configure WebVPN server on ASA.
  • Inicialize tunnel.
  • Generate a test connection thru HTTP.
  • Use Anyconnect client in advanced task.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.7.1_ASA_topology1_PHYSICAL

Configuration

PC1

ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT4

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable tenlnet connections

ASA

1) Interface settings, Access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

2) WebVPN configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20				;set IP pool for webvpn clients
ASA-GATE(config)# route inside 0.0.0.0 0.0.0.0 10.0.0.100 1					;set default route
ASA-GATE(config)# webvpn									;configure WebVPN service
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2023 10.0.0.100 telnet			;configure port forwarding for thin Java client
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2024 10.0.0.100 ftp								
ASA-GATE(config-webvpn)# enable outside								;select interface on which VebWPN will be available

ASA-GATE(config)# group-policy MYPOLICY internal						;configure WebVPN policy
ASA-GATE(config)# group-policy MYPOLICY attributes
ASA-GATE(config-group-policy)# webvpn
ASA-GATE(config-group-webvpn)# port-forward auto-start PORTFORWARD				;enable port forwarding automatically
ASA-GATE(config-group-webvpn)# default-domain value test.vsb

ASA-GATE(config)# username VPNUSER password cisco						;configure WebVPN profile 
ASA-GATE(config)# tunnel-group WEBVPNGROUP type remote-access
ASA-GATE(config)# tunnel-group WEBVPNGROUP general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL
ASA-GATE(config-tunnel-general)# default-group-policy MYPOLICY

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

Execute WEB browser and type https://192.168.0.1 to iys address bar.

Enter username and password to logon screen

See picture

NS2-6.7.1_ASA_DIA1-1

Enter web address to https session and you will see its default web page, my example shows Linux Debian web page.

NS2-6.7.1_ASA_DIA1-2

Check increasing number of SSL encrypted packets by issuing this command

ASA-GATE#sh crypto protocol statistics ssl

NS2-6.7.1_ASA_DIA1-3

And finally check VPN sessions.

ASA-GATE(config)# sh vpn-sessiondb webvpn

F5) Delete tunnel and reinitialize new one

Tunnel could be deleted by pressing logout link in your web browser.

Optional tasks

  • Configure Anyconnect client part of configuration.

Cisco Labs – Network Security (12) – Easy VPN server on ASA, SW client

Posted on by

Introduction

During my university studies I was doing a diploma thesis in field of Redundant and reliable networking. The purpose of itwas to create LAB examples for students, so they can test Basic settings for VPN, IPS and others. These tasks are created to Virtlab (Virtual lab with physical Cisco routers) however configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul2 6.5.9b ASA task definition

Easy VPN server on ASA, SW client

Goal

  • Configure Easy VPN server on ASA.
  • Inicialize tunnel.
  • Generate a test connection thru HTTP, FTP and ICMP.
  • Use text VPN client or Cisco VPN client if you have GUI available on your system.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.5.9b_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable tenlnet connections

ASA

1) Interface settings, Access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 10
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 10
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 20
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 20
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# access-list OUTSIDEIN permit ip any host 192.168.0.1
ASA-GATE(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0	;define which traffic will net be translated
ASA-GATE(config)# nat (inside) 0 access-list CRYPTED                                   		;do not translate traffic from access list CRYPTED
ASA-GATE(config)# nat (inside) 1 0 0
ASA-GATE(config)# global (outside) 1 interface
ASA-GATE(config)# access-group OUTSIDEIN in interface outside

ASA-GATE(config)# username VPNUSERNAME password cisco                             		;username and password defined for VPN connection

2)IPSEC and ISAKMP configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20                		;ip pool for hosts, connected thru RAS VPN 

ASA-GATE(config)# tunnel-group VPNGROUP type IPSec_RA                             		;create tunnel group for RAS connection
ASA-GATE(config)# tunnel-group VPNGROUP general-attributes                        		;and define its attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL                     		;merge with IP pool
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP ipsec-attributes           		;and define second phase parameters
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco

ASA-GATE(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac		;define IKE second phase parameters
ASA-GATE(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
ASA-GATE(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP

3)Applying Crypto map and access list to interface

ASA-GATE(config)# crypto map CLIENTMAP interface outside

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

F2a) on Unix based PC

Run Terminal and then generate ICMP traffic using ping syntax.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.5.9b_ASA_DIA2-1

F2b) on Windows based PC

browse Start -> Run -> type cmd.exe and then generate ICMP traffic using ping syntax.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.5.9b_ASA_DIA2-2

F3) Initialize tunnel

F3a) on Unix – text vpn client

PC1#vpnc											;run text vpn 
- instert gateway - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert username and password according to your defined group policy -> VPNUSERNAME/cisco

Picture shows result on PC.

NS2-6.5.9b_ASA_DIA3-1

Picture shows ifconfig tun0 command result.

NS2-6.5.9b_ASA_DIA3-2

F3b) on Windows – GUI Cisco VPN client

PC1#run cisco VPN client from shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where it creates tunnel
- host - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to main screen, select connection entry and insert username and password VPNUSERNAME/cisco when prompted.

Picture shows configuration window and main window on windows client.

NS2-6.5.9b_ASA_DIA3-4

Picture shows result of tunnel initialisation on ASA.

NS2-6.5.9b_ASA_DIA3-3 

ASA-GATE(config)#show vpn-sessiondb remote

Picture shows result of tunnel sessions on ASA.

NS2-6.5.9b_ASA_DIA3-5

F4) generate test connection

F4a) on Unix – text web browser

PC1#lynx ftp://10.0.0.100								;connect via ftp to the server
PC1#lynx http://10.0.0.100								;connect via http to the server - will work with enabled Java only
PC1#ping 10.0.0.100									;ICMP test

Picture shows result on PC.

NS2-6.5.9b_ASA_DIA4-1

F4b) on Windows – graphic web browser

Open web browser and insert following text to address bar

http://10.0.0.100									;establish http connection to the server
ftp://10.0.0.100									;establish ftp connection to the server

Picture shows result on PC.

NS2-6.5.9b_ASA_DIA4-2

Open command line and ftp, then follow result picture for command line refference

ftp									;command line to start ftp connection

Picture shows result on PC (ftp).

NS2-6.5.9b_ASA_DIA4-3

F5) Delete tunnel and reinitialize new one

ASA-GATE(config)#clear crypto isakmp sa
ASA-GATE(config)#clear crypto ipsec sa

Picture shows result on ASA.

NS2-6.5.9b_ASA_DIA5-1

F5a) on Unix based PC – text

PC1#pkill vpnc										;kill vpnc process

F5b) on Windows based PC

Open VPN client and press disconnect button.

Optional tasks

  • Try to configure different policies and VPN groups
    • ASA-GATE(config)# ip local pool VPNADDRESSPOOL2 10.0.0.21-10.0.0.30				;ip pool for hosts, connected thru RAS VPN group 2
    
ASA-GATE(config)# tunnel-group VPNGROUP2 type IPSec_RA						;another tunnel group for optional task
ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL2
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP2 ipsec-attributes
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco2

ASA-GATE(config)# group-policy TUNNELPOLICYADDED internal					;create internal policy
ASA-GATE(config)# group-policy TUNNELPOLICYADDED attributes					;and define its attributes
ASA-GATE(config-group-policy)# wins-server value 10.0.0.200					;WINS server IP address  
ASA-GATE(config-group-policy)# dns-server value 10.0.0.201					;DNS server IP address
ASA-GATE(config-group-policy)# default-domain value testdomain.vsb				;domain name

ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes					;connect policy with tunnel group
ASA-GATE(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED				;policy name is specified here

    To test this task connect to VPNGROUP2 and use ipconfig -all on windows. It will show also DNS server and WINS server records for tunnel interface.

    NS2-6.5.9b_ASA_DIA6-3

    In linux browse for file resolve.conf. It will show DNS server record.

    NS2-6.5.9b_ASA_DIA6-1

    NS2-6.5.9b_ASA_DIA6-2

Cisco Labs – Network Security (11) – RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA

Posted on by

Introduction

During my university studies I was doing a diploma thesis in field of Redundant and reliable networking. The purpose of itwas to create LAB examples for students, so they can test Basic settings for VPN, IPS and others. These tasks are created to Virtlab (Virtual lab with physical Cisco routers) however configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul6 6.4.2 ASA task definition

RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA

Goal

  • Remote access VPN tunnel will be established on ASA 5505 using pre-shared key.
  • Router3 will only pass traffic to site routers. It simulates internet.
  • Only traffic from LAN 1 and LAN 2 will be encrypted.
  • Use OSPF routing protocol and static routes.
  • a/ client will be set in client mode (NAT).
  • b/ client will be set in network-extension mode.
  • Do not forget that this task will work only on ASA 5505 – ASA 5510 and higher cannot work as EzVPN clients.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.4.2_ASA_topology1_VIRTLAB

Configuration

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

EzServer – EzVPN server

This configuration is same for both client modes.

1) interface settings + routes 

EzServer(config)# interface INT4
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 10
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 10
EzServer(config-if)# ip address 10.0.0.1 255.255.255.0
EzServer(config-if)# nameif inside
EzServer(config-if)# no shutdown

EzServer(config)# interface INT3
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 20
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 20
EzServer(config-if)# ip address 172.16.0.1 255.255.255.0
EzServer(config-if)# nameif outside
EzServer(config-if)# no shutdown

EzServer(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2
EzServer(config)# access-list OUTSIDEIN permit ip any host 172.16.0.1
EzServer(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
EzServer(config)# nat (inside) 0 access-list CRYPTED						 ;this traffic will be crypted
EzServer(config)# nat (inside) 1 0 0
EzServer(config)# global (outside) 1 interface

2)EzVPN server configuration 

EzServer(config)# username EZVPNUSER password cisco						;set username for EzVPN connection
EzServer(config)# isakmp enable outside								;permit isakmp communication on outside interface
EzServer(config)# isakmp identity address							;identity address
EzServer(config)# isakmp policy 10								;isakmp policy configuration
EzServer(config-isakmp-policy)# authentication pre-share					;authenticated thru pre-shared key
EzServer(config-isakmp-policy)# encryption 3des		
EzServer(config-isakmp-policy)# hash sha
EzServer(config-isakmp-policy)# group 2
EzServer(config-isakmp-policy)# lifetime 1000

EzServer(config)# group-policy TUNNELPOLICYADDED internal
EzServer(config)# group-policy TUNNELPOLICYADDED attributes
EzServer(config-group-policy)# nem enable							;enable network extension mode
EzServer(config-group-policy)# password-storage enable						;enable password storage for NEM

EzServer(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20				;set address pool for VPN clients
EzServer(config)# tunnel-group EZVPNGROUP type IPSec_RA						;define tunnel group type
EzServer(config)# tunnel-group EZVPNGROUP general-attributes					;define tunnel group attributes
EzServer(config-tunnel-general)# address-pool VPNADDRESSPOOL
EzServer(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED
EzServer(config-tunnel-general)# tunnel-group EZVPNGROUP ipsec-attributes
EzServer(config-tunnel-ipsec)# pre-shared-key EZVPNKLIC

EzServer(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac
EzServer(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
EzServer(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
EzServer(config)# crypto map CLIENTMAP interface outside					;apply configuration on interface

Router3 – internet

This configuration is same for both client modes.

Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#router ospf 1
Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
Router3(rout)#network 172.16.0.0 0.0.0.255 area 0

a/ Client mode configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

EzClient – EzVPN Client

1) interface settings static routes 

ciscoasa(config)# hostname EzClient
EzClient(config)# domain-name test
EzClient(config)# interface INT1
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 10
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 10
EzClient(config-if)# ip address 192.168.0.1 255.255.255.0
EzClient(config-if)# nameif inside
EzClient(config-if)# no shutdown

EzClient(config)# interface INT2
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 20
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 20
EzClient(config-if)# ip address 172.16.1.1 255.255.255.0
EzClient(config-if)# nameif outside
EzClient(config-if)# no shutdown

EzClient(config)# nat (inside) 1 0 0								;define nat translations
EzClient(config)# global (outside) 1 interface
EzClient(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2
EzClient(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2
EzClient(config)# access-list outsidein permit icmp any host 172.16.1.1
EzClient(config)# access-list outsidein permit ip any host 172.16.1.1
EzClient(config)# access-group outsidein in interface outside					;apply access list to interface

2) client settings 

EzClient(config)# sysopt connection permit-vpn 
EzClient(config)# vpnclient server 172.16.0.1							;set EzVPN server address
EzClient(config)# vpnclient mode client
EzClient(config)# vpnclient vpngroup EZVPNGROUP password EZVPNKLIC				;set EzVPN group and key
EzClient(config)# vpnclient username EZVPNUSER password cisco					;set EzVPN password and user
EzClient(config)# vpnclient enable								;turn on EzVPN client

Now provide function test and continue or part b/.

b/ Network extension mode configuration

PC1

ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7

Router2 – EzVPN Client

Configuration does not work. Its experimental text could be found in preconfigured file.

Function test

It is same for both parts.

Use debug crypto ipsec and debug crypto isakmp in order to solve issues with configuring VPN tunnels.

F1)Turn on debug 

Ezserver#debug crypto ipsec								 ;second phase debugging
Ezserver#debug crypto isakmp								 ;first phase debugging
Ezserver#logging console debugging							 ;debug messages to console

F2)check IKE/IPSEC server and client configuration 

EZServer#sh crypto isakmp policy							 ;show isakmp policy configuration
EZServer#sh crypro dynamic-map								 ;show dynamic map configuration
EZServer#sh crypto map									 ;crypto map configuration
EZClient#sh run

F3)initialize tunnel 

PC1>ping 10.0.0.100					 				;inicialize tunnel by pinging remote host

NS2-6.4.2_ASA_DIA3-1

F4)Test initialized tunnel

Check if client has address leased from pool and if ipsec is active.

EZServer#sh ip local pool VPNADDRESSPOOL

NS2-6.4.2_ASA_DIA4-1 

EZClient#sh nat

NS2-6.4.2_ASA_DIA4-2 

EZClient#sh crypto isakmp sa

NS2-6.4.2_ASA_DIA4-3

Show crypto ipsec statistics.

Ezserver#sh crypto ipsec sa

NS2-6.4.2_ASA_DIA4-4

F5)delete tunnel and then repeat steps F3) to initialize tunnel again

First delete tunnel on client

EZClient(config-if)#shutdown								 ;shutdown outside interface
EZClient#clear crypto ipsec sa
EZClient#clear crypto isakmp sa
EZServer#clear crypto ipsec sa
EZServer#clear crypto isakmp sa
EZServer#clear crypto session

Optional tasks

  • Create access list on Router3 which permits only needed traffic.
  • Add one more router to topology and create another tunnel to this router.

Cisco Labs – Network Security (10) – RAS VPN using HW client (network and client modes)+ pre-shared keys on Router

Posted on by

NS2 – Modul6 6.4.1 IOS task definition

RAS VPN using HW client (network and client modes)+ pre-shared keys on Router

Goal

  • Remote access VPN tunnel will be established on IOS router using pre-shared key.
  • Router3 will only pass traffic to site routers. It simulates internet.
  • Only traffic from LAN 1 and LAN 2 will be encrypted.
  • Use OSPF routing protocol.
  • a/ client will be set in client mode (NAT).
  • b/ client will be set in network-extension mode.
  • Do not forget to have configuration erased before startup and check if IOS is compatible with needed features.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.4.1_IOS_topology1_VIRTLAB

Configuration

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Router2 – EzVPN server

This configuration is same for both client modes.

1) interface settings + OSPF 

R19@ostrava(config)#hostname EZServer
EZServer(config)#interface INT4
EZServer(config-if)#ip address 10.0.0.1 255.255.255.0
EZServer(config-if)#no shutdown

EZServer(config)#interface INT3
EZServer(config-if)#duplex half								 ;setting for Virtlab compatibility
EZServer(config-if)#ip address 172.16.0.1 255.255.255.0         
EZServer(config-if)#no shutdown

EZServer(config)#router ospf 1
EZServer(config-router)#network 172.16.0.0 0.0.0.255 area 0
EZServer(config-router)#network 10.0.0.0 0.0.0.255 area 0

2) aaa settings 

EZServer(config-router)#aaa new-model							;define aaa authentication model
EZServer(config)#aaa authentication login VPNLIST local					;define local database for authentication
EZServer(config)#aaa authorization network VPNLIST local				;define local database for authorisation
EZServer(config)#username EZVPNUSER password cisco					;define username and password

3)EzVPN server configuration 

EZServer(config)#ip local pool EZVPNPOOL 10.0.0.10 10.0.0.20				;local pool for ezvpn client computers

EZServer(config)#crypto isakmp policy 10						;first phase policy definition
EZServer(config-isakmp)#encryption 3des
EZServer(config-isakmp)#authentication pre-share
EZServer(config-isakmp)#group 2

EZServer(config)#crypto isakmp keepalive 10 10						;tunnel keepalive setting

EZServer(config)#crypto isakmp client configuration group EZVPNGROUP			;client configuration group - this settings will be pushed to client
EZServer(config-isakmp-group)#key EZVPNKLIC						;this key must be configured also in client appliance
EZServer(config-isakmp-group)#pool EZVPNPOOL						;connect with named pool 
EZServer(config-isakmp-group)#save-password						;this option must be present for client auto-connect mode 

EZServer(config)#crypto ipsec transform-set EZVPNTRSET esp-3des esp-sha-hmac		;define transform set

EZServer(config)#crypto dynamic-map DYNAMIC 1						;define dynamic crypto map
EZServer(config-crypto-map)#set transform-set EZVPNTRSET				;define transform set used
EZServer(config-crypto-map)#reverse-route remote-peer 172.16.1.1			;define reverse route for traffic from peer

EZServer(config)#crypto map EZVPNMAP client authentication list VPNLIST			;connect with aaa settings
EZServer(config)#crypto map EZVPNMAP isakmp authorization list VPNLIST
EZServer(config)#crypto map EZVPNMAP 3 ipsec-isakmp dynamic DYNAMIC			;connect with synamic named crypto map 
EZServer(config)#crypto map EZVPNMAP client configuration address respond		;configure to give IP addresss to client

4) applying point 3) to interface 

EZServer(config)#interface INT3
EZServer(config-if)#crypto map EZVPNMAP							;apply crypto map to an interface

Router3 – internet

This configuration is same for both client modes.

Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#router ospf 1
Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
Router3(rout)#network 172.16.0.0 0.0.0.255 area 0

a/ Client mode configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

Router2 – EzVPN Client

1) interface settings + OSPF 

R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 192.168.0.1 255.255.255.0
EZClient(config-if)#no shutdown

EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half								;setting for Virtlab compatibility
EZClient(config-if)#no shutdown

EZClient(config)#router ospf 1								;set routing protocol
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0				;set routed network

2) client settings 

EZClient(config-router)#crypto ipsec client ezvpn VPN					;configure named ezvpn client
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC				;server group and key definition
EZClient(config-crypto-ezvpn)#local-address INT2					;include local lan address on selected interface
EZClient(config-crypto-ezvpn)#mode client						;define client mode
EZClient(config-crypto-ezvpn)#peer 172.16.0.1						;set remote peer
EZClient(config-crypto-ezvpn)#connect manual						;set connection to manual

3) applying to interface 

EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside				;apply ezvpn inside profile to inside interface

EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside				;apply ezvpn outside profile to outside interface
											;new virtual interface will be created to which all inside traffic will be NATted

Now provide function test and continue or part b/ or point 4/ – part a/.

4) configure client for auto connection mode

To let client connect automatically you MUST connect manually first time providing xauth as in function test point F3). 

EZClient(config-router)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#connect auto						;client auto connection setting

b/ Network extension mode configuration

PC1

ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7

Router2 – EzVPN Client

1) interface settings + OSPF 

R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 10.0.1.1 255.255.255.0					;set network-extension mode - fully routable address with LAN2
EZClient(config-if)#no shutdown

EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half								;setting for Virtlab compatibility
EZClient(config-if)#no shutdown		

EZClient(config)#router ospf 1
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0

2) client settings 

EZClient(config-router)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC
EZClient(config-crypto-ezvpn)#local-address INT2
EZClient(config-crypto-ezvpn)#mode network-extension					;set network-extension mode
EZClient(config-crypto-ezvpn)#peer 172.16.0.1
EZClient(config-crypto-ezvpn)#connect auto
EZClient(config-crypto-ezvpn)#username EZVPNUSER password cisco

3) applying to interface 

EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside 

EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside

Function test

It is same for both parts.

Use debug crypto ipsec and debug crypto isakmp in order to solve issues with configuring VPN tunnels.

F1)Turn on debug 

Ezserver#debug crypto ipsec								 ;second phase debugging
Ezserver#debug crypto isakmp								 ;first phase debugging
Ezserver#debug crypto engine								 ;whole crypto engine debugging

F2)check IKE/IPSEC server and client configuration 

EZServer#sh crypto isakmp policy							 ;show isakmp policy configuration
EZServer#sh crypro dynamic-map								 ;show dynamic map configuration
EZServer#sh crypto map									 ;crypto map configuration
EZClient#sh run

F3)initialize tunnel 

EZClient>crypto ipsec client ezvpn connect						 ;connect tunnel
EZClient>crypto ipsec client ezvpn xauth						 ;insert user credentials

NS2-6.4.1_IOS_DIA3-1

Server retransmits xauth requests.

NS2-6.4.1_IOS_DIA3-2

Before xauth request is provided, you can check tunnel status as shown in picture.

NS2-6.4.1_IOS_DIA3-3

Now interface is up and protocol up after providing xauth request.

NS2-6.4.1_IOS_DIA3-4

F4)Test initialized tunnel

Check if client has address leased from pool and if ipsec is active.

EZServer#sh ip local pool

NS2-6.4.1_IOS_DIA4-1

EZClient#sh crypto ipsec client ezvpn

NS2-6.4.1_IOS_DIA4-2

Use ping command to test traffic prom LAN1 to LAN2 (PC1 to PC2).

If PC2 responds, tunnel works fine. You can check functionality further by using sh crypto ? commands in router privileged mode.

PC1#ping 10.0.0.100

NS2-6.4.1_IOS_DIA5-1

And NAT statistics could be found for EzVPN client mode using following syntax:

EZClient# sh ip nat transactions

NS2-6.4.1_IOS_DIA5-2

F5)delete tunnel and then repeat steps F3) to initialize tunnel again

First delete tunnel on client

EZClient(config-if)#shutdown								 ;shutdown outside interface
EZClient#clear crypto session								 ;clear sessions
EZServer#clear crypto session
EZServer#clear crypto ipsec client ezvpn

Optional tasks

  • Create access list on Router3 which permits only needed traffic.
  • Make client in client mode connecting automatically point a/ – part 4.
  • Make client in network extension mode connecting manually point b/ – part 4.
  • Add one more router to topology and create another tunnel to this router.

Cisco Labs – Network Security (9) – Easy VPN server on Router, SW client

Posted on by

Introduction

During my university studies I was doing a diploma thesis in field of Redundant and reliable networking. The purpose of itwas to create LAB examples for students, so they can test Basic settings for VPN, IPS and others. These tasks are created to Virtlab (Virtual lab with physical Cisco routers) however configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul2 6.2.12a IOS task definition

Easy VPN server on Router, SW client

Goal

  • Configure VPN client and VPN concentrator on IOS router.
  • Inicialize tunnel.
  • Generate a test connection thru HTTP, FTP and ICMP.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.2.12a_IOS_topology1_VIRTLAB

Configuration

PC1

ifconfig INT3 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable tenlnet connections

Router

1) Interface settings, Access lists, group policy

R18@ostrava(config)#hostname GATE
GATE(config)#interface INT1
GATE(config-if)#ip address 192.168.0.1 255.255.255.0
GATE(config-if)#no shutdown

GATE(config)#interface INT2
GATE(config-if)#ip address 10.0.0.1 255.255.255.0
GATE(config-if)#no shutdown

GATE(config)#access-list 101 permit ip any host 192.168.0.1					;permit traffic only to interface on which tunnel will communicate 

GATE(config)#aaa new-model									;enable local policy lookup
GATE(config)#aaa authentication login VPNAUTHEN local						;enable local user authentication
GATE(config)#aaa authorization network VPNAUTHOR local						;set aaa authorisation at login
GATE(config)#username USERNAME password cisco							;we will use this credentials to secure tunnel connection

2)IPSEC and ISAKMP configuration

GATE(config)#ip local pool VPNADDRESSPOOL 10.0.0.10 10.0.0.20					;connected client will get address from this pool
GATE(config)#crypto isakmp policy 10								;IKE first phase security parameters definition starts here
GATE(config-isakmp)#encryption 3des
GATE(config-isakmp)#hash sha
GATE(config-isakmp)#authentication pre-share
GATE(config-isakmp)#group 2

GATE(config)#crypto isakmp client configuration group VPNGROUP					;specify that we create policy for RAS
GATE(config-isakmp-group)#key VPNKLIC								;and pre-shared key for this policy
GATE(config-isakmp-group)#pool VPNADDRESSPOOL							;local pool
GATE(config-isakmp-group)#domain test								;and domain name specification  

GATE(config)#crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-md5-hmac			;specify transform set for RAS connection

GATE(config)#crypto dynamic-map DYNAMICMAP 10							;create dynamic crypto map    
GATE(config-crypto-map)#set transform-set REMOTEVPNTRSET                      
GATE(config-crypto-map)#reverse-route                                       		  	;enable reverse routing for RAS connection        

GATE(config)#crypto map CLIENTMAP client configuration address respond				;define behavior of client ip address resloving
GATE(config)#crypto map CLIENTMAP isakmp authorization list VPNAUTHOR				;group policy authorization def.
GATE(config)#crypto map CLIENTMAP client authentication list VPNAUTHEN				;group policy authentication def.
GATE(config)#crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMICMAP				;assign dynamic crypto map to static

3)Applying Crypto map and access list to interface

GATE(config)#interface INT1
GATE(config-if)#crypto map CLIENTMAP                                          			;apply static crypto map to interface  
GATE(config-if)#ip access-group 101 in                                        			;apply access list to interface

Function test

F1) Turn on debugging

GATE#debug crypto isakmp									;IKE first phase debug
GATE#debug crypto engine									;crypto engine debug
GATE#debug crypto ipsec										;IKE second phase debug
GATE#debug aaa authenticat									;group policy debugs
GATE#debug aaa authoriz

F2) Generate test connection

F2a) on Unix based PC

Run Terminal and then generate ICMP traffic using ping syntax.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.2.12a_IOS_DIA2-1

F2b) on Windows based PC

browse Start -> Run -> type cmd.exe and then generate ICMP traffic using ping syntax.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.2.12a_IOS_DIA2-2

F3) Initialize tunnel

F3a) on Unix – text vpn client

PC1#vpnc											;run text vpn 
- instert gateway - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert username and password according to your defined group policy -> VPNUSERNAME/cisco

Picture shows result on PC.

NS2-6.2.12a_IOS_DIA3-1

Picture shows ifconfig tun0 command result.

NS2-6.2.12a_IOS_DIA3-4

F3b) on Windows – GUI Cisco VPN client

PC1#run cisco VPN client from shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where it creates tunnel
- host - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to main screen, select connection entry and insert username and password VPNUSERNAME/cisco when prompted.

Picture shows configuration window and main window on windows client.

NS2-6.2.12a_IOS_DIA3-3

Picture shows result of tunnel initialisation on Router.

NS2-6.2.12a_IOS_DIA3-2 

GATE(config)#show vpn-sessiondb remote

Picture shows result of tunnel sessions on Router.

NS2-6.2.12a_IOS_DIA3-5

F4) generate test connection

F4a) on Unix – text web browser

PC1#lynx ftp://10.0.0.100								;connect via ftp to the server
PC1#lynx http://10.0.0.100								;connect via http to the server - will work with enabled Java only
PC1#ping 10.0.0.100									;ICMP test

Picture shows result on PC.

NS2-6.2.12a_IOS_DIA4-1

F4b) on Windows – graphic web browser

Open web browser and insert following text to address bar

http://10.0.0.100									;establish http connection to the server
ftp://10.0.0.100									;establish ftp connection to the server

Picture shows result on PC (http).

NS2-6.2.12a_IOS_DIA4-2

Open command line and ftp, then follow result picture for command line refference

ftp											;command line to start ftp connection

Picture shows result on PC (ftp).

NS2-6.2.12a_IOS_DIA4-3

F5) Delete tunnel and reinitialize new one

GATE#clear crypto session
GATE#clear crypto isakmp

Picture shows result on GATE router.

NS2-6.2.12a_IOS_DIA5-1

F5a) on Unix based PC – text

PC1#pkill vpnc										;kill vpnc process

NS2-6.2.12a_IOS_DIA5-2

F5b) on Windows based PC

Open VPN client and press disconnect button.

Optional tasks

  • Try to configure different policies and VPN groups