Menu Close

Category: Practical – Cisco

Statefull NAT64 – simple configuration example on Cisco routers

The example shows a simplified configuration of a Statefull NAT64 demo, without DNS64. I instruct the stateful NAT64 router (CSR-1 – CSR100v) to translate IPv6 packets into IPv4 packets (and vice versa) using algorithmic mapping (defined by RFC 6052) of IPv4 addresses of IPv4 routers to and from IPv6 addresses by using manually defined IPv6 prefix 2001:db8::/96). In a similar manner, the IPv6 addresses of IPv6 routes are translated to and from IPv4 addresses.

Topology

R1/R2 run 7200 IOS image., R1 is pure IPv4 router, on the other site, R2 is IPv6 only.

Configruration L2TP over IPsec

Configuration of L2TP over IPsec tunnel connection with Cisco router as a server and MikroTik router as a client.

Configuration of Cisco server

(config)#int loopback 0 
(config-if)#ip address 192.168.1.1 255.255.255.255
(config-if)#exit
(config)#ip local pool l2tp-pool 192.168.1.5 192.168.1.10
(config)#vpdn enable
(config)#vpdn-group l2tp-group
(config-vpdn)#accept-dialin
(config-vpdn-acc-in)#protocol l2tp
(config-vpdn-acc-in)#virtual-template 1
(config-vpdn-acc-in)#exit
(config-vpdn)#no l2tp tunnel authentication
(config-vpdn)#exit
(config)#interface virtual-template 1
(config-if)#ip unnumbered loopback 0
(config-if)#peer default ip address pool l2tp-pool
(config-if)#ppp authentication ms-chap-v2
(config-if)#exit
(config)#crypto isakmp policy 1
(config-isakmp)#encryption aes 256
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 2
(config-isakmp)#lifetime 3600
(config-isakmp)#exit
(config)#crypto isakmp key PRESHARED_KEY address 0.0.0.0 !or peer address 
(config)#crypto ipsec transform-set l2tp-ipsec-transport-esp esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport
(cfg-crypto-trans)#exit
(config)#crypto dynamic-map my-dynamic-map 1
(config-crypto-map)#set nat demux
(config-crypto-map)#set transform-set l2tp-ipsec-transport-esp
(config-crypto-map)#exit
(config)#crypto map my-static-map 1  ipsec-isakmp dynamic my-dynamic-map
(config)#interface fastEthernet 4 ! Your WAN interface
(config-if)#crypto map my-static-map
(config-if)#exit

Now we are able to connect to this router with L2TP/IPsec tunnel.

Enabling traceroute on Cisco ASA

There are three steps to enable traceroute:

  1. In policy map “global_policy” in class “inspection_default” you need to add “inspect icmp” and “inspect icmp error”
  2. In policy map “global_policy” in class “class_default” you need to add “set connection decrement-ttl”
  3. On your oudside interface, you need add access list, that permits ICMP with “time-exceeded” on ingress direction

There is code, that you can paste in your ASA firewall:

policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error
    exit
  class class-default
    set connection decrement-ttl
    exit
  exit
access-list OUTSIDE-IN extended permit icmp any any time-exceeded

 

Port-Mirroring

Port-Mirroring

Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic such as an intrusion detection system, passive probe or real user monitoring (RUM) technology that is used to support application performance management (APM).

In our particular case, the faculty provided us with a Cisco Catalyst 2960 switch. We have configured this switch to mirror all internet-bound data traffic traversing the interface connected to network gateway, to the interface connected to Moloch server. As a result, we can now monitor all inbound and outbound lab traffic.

Switch(config)#monitor session 1 source fa0/1 both  

– This command specifies source interface as fa 0/1. The parameter “both” specifies both directions to be monitored.

Switch(config)#monitor session 1 destination interface fa0/24 

– This command defines the destination interface of mirrored traffic

Port-Mirror

Sources

  • CRZP Komplexný systém pre detekciu útokov a archiváciu dát – Moloch