Menu Close

Category: Practical – Cisco

Configruration L2TP over IPsec

Configuration of L2TP over IPsec tunnel connection with Cisco router as a server and MikroTik router as a client.

Configuration of Cisco server

(config)#int loopback 0 
(config-if)#ip address 192.168.1.1 255.255.255.255
(config-if)#exit
(config)#ip local pool l2tp-pool 192.168.1.5 192.168.1.10
(config)#vpdn enable
(config)#vpdn-group l2tp-group
(config-vpdn)#accept-dialin
(config-vpdn-acc-in)#protocol l2tp
(config-vpdn-acc-in)#virtual-template 1
(config-vpdn-acc-in)#exit
(config-vpdn)#no l2tp tunnel authentication
(config-vpdn)#exit
(config)#interface virtual-template 1
(config-if)#ip unnumbered loopback 0
(config-if)#peer default ip address pool l2tp-pool
(config-if)#ppp authentication ms-chap-v2
(config-if)#exit
(config)#crypto isakmp policy 1
(config-isakmp)#encryption aes 256
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 2
(config-isakmp)#lifetime 3600
(config-isakmp)#exit
(config)#crypto isakmp key PRESHARED_KEY address 0.0.0.0 !or peer address 
(config)#crypto ipsec transform-set l2tp-ipsec-transport-esp esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport
(cfg-crypto-trans)#exit
(config)#crypto dynamic-map my-dynamic-map 1
(config-crypto-map)#set nat demux
(config-crypto-map)#set transform-set l2tp-ipsec-transport-esp
(config-crypto-map)#exit
(config)#crypto map my-static-map 1  ipsec-isakmp dynamic my-dynamic-map
(config)#interface fastEthernet 4 ! Your WAN interface
(config-if)#crypto map my-static-map
(config-if)#exit

Now we are able to connect to this router with L2TP/IPsec tunnel.

Enabling traceroute on Cisco ASA

There are three steps to enable traceroute:

  1. In policy map “global_policy” in class “inspection_default” you need to add “inspect icmp” and “inspect icmp error”
  2. In policy map “global_policy” in class “class_default” you need to add “set connection decrement-ttl”
  3. On your oudside interface, you need add access list, that permits ICMP with “time-exceeded” on ingress direction

There is code, that you can paste in your ASA firewall:

policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error
    exit
  class class-default
    set connection decrement-ttl
    exit
  exit
access-list OUTSIDE-IN extended permit icmp any any time-exceeded

 

Port-Mirroring

Port-Mirroring

Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic such as an intrusion detection system, passive probe or real user monitoring (RUM) technology that is used to support application performance management (APM).

In our particular case, the faculty provided us with a Cisco Catalyst 2960 switch. We have configured this switch to mirror all internet-bound data traffic traversing the interface connected to network gateway, to the interface connected to Moloch server. As a result, we can now monitor all inbound and outbound lab traffic.

Switch(config)#monitor session 1 source fa0/1 both  

– This command specifies source interface as fa 0/1. The parameter “both” specifies both directions to be monitored.

Switch(config)#monitor session 1 destination interface fa0/24 

– This command defines the destination interface of mirrored traffic

Port-Mirror

Sources

  • CRZP Komplexný systém pre detekciu útokov a archiváciu dát – Moloch

Configuring simple MPLS network

Objective

Create a simple MPLS network and observe partial parts of MPLS functionality. MPLS network consist of four routers, two edge routers - LSE1 and LSE2 whose fastEthernet interfaces are not parts of the MPLS network and two Label Switch Routers - LSR1 and LSR2 interconnected through serial lines.

Topology

Four routers are connected in a chain line topology: