
Friday, October 30, 2015

Cisco ASA Policy-Based Route

Network Topology:


Requirements: ASA image version 9.4 or higher

The first step is to configure an ACL: go to Firewall->Advanced->ACL Manager and click Add.
The purpose of this ACL is to catch the traffic that should be matched; in my example I'll use the guest network (192.168.7.0/24).

The ACL name is ACL_GUEST_PBR. The first ACE is a deny, which keeps internal traffic from being matched; here I deny the guest network to the dev network (192.168.2.0/24):


Then add a permit ACE that matches the guest network to all destinations:



Then go to Device Setup->Routing->Route Maps and click Add to create the route map, RM_GUEST_PBR.

In the Match Clause tab we configure the match criteria, in my example ACL_GUEST_PBR, along with the route-map name and sequence number:



Go to the Policy Based Routing tab. You may get an IP Address Mismatch warning; click Yes and ignore it:


Click Set default next-hop IP address and enter the next-hop IP:


Click OK

Next go to Interface Settings->Interfaces and choose the source interface, in my example the Guest interface Gi0/1.7.

Click Edit and under Route Map choose the PBR route map RM_GUEST_PBR:


Click OK

Don't forget to configure firewall access rules and NAT rules as needed.
In my example I've configured two NAT rules, one for each link:



To debug policy-based routing use the following command:

debug policy-route

Here is an example of a successful PBR match, where my client (192.168.7.31) pings an outside IP (172.16.0.30):

pbr: policy based route lookup called for 192.168.7.3/1 to 172.16.0.30/0 proto 1 sub_proto 8 received on interface GUEST
pbr: First matching rule from ACL(20)
pbr: route map RM_GUEST_PBR, sequence 10, permit; proceed with policy routing
pbr: 'default' option configured; lookup for an explicit route to 172.16.0.30
pbr: no explicit route to 172.16.0.30 found
pbr: evaluating default next-hop 2.2.2.2
pbr: policy based routing applied; egress_ifc = EXTERNAL2 : next_hop = 2.2.2.2

And an example of a deny match on PBR, where my client pings an internal address (192.168.2.254):

pbr: policy based route lookup called for 192.168.7.3/1 to 192.168.2.254/0 proto 1 sub_proto 8 received on interface GUEST
pbr: First matching rule from ACL(20)
pbr: found route policy with a matching deny ACL; Check next matching rule.
pbr: no route policy found; skip to normal route lookup
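The two debug traces above show the three outcomes a packet can get from this route map: excluded from PBR by the deny ACE, policy-routed to the default next hop, or (because the post uses "set default next-hop" rather than "set next-hop") handed back to normal routing when an explicit route already exists. The Python model below is an added example, not code from the post or from Cisco; the ACL and next hop are the post's, while the routing table entries (10.10.0.0/16 via INSIDE, the 0/0 default) are constructed so the third outcome can be shown too.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the objects in this post: the route map RM_GUEST_PBR
# matches ACL_GUEST_PBR and uses "set default next-hop", so an explicit
# (non-default) route to the destination still wins over the policy.
Net = ipaddress.IPv4Network


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    src: Net
    dst: Net


ACL_GUEST_PBR = [
    # deny ACE: guest -> dev is excluded from PBR; the packet is NOT dropped
    Ace("deny", Net("192.168.7.0/24"), Net("192.168.2.0/24")),
    # permit ACE: everything else sourced from guest is policy-routed
    Ace("permit", Net("192.168.7.0/24"), Net("0.0.0.0/0")),
]

# "set default next-hop" target from the post: egress interface and next hop
DEFAULT_NEXT_HOP = ("EXTERNAL2", "2.2.2.2")

# Constructed routing table: (prefix, egress interface, next hop). The 0.0.0.0/0
# entry is the normal default route; for the "default next-hop" option the ASA
# only counts non-default routes as "explicit".
ROUTES = [
    (Net("10.10.0.0/16"), "INSIDE", "192.168.1.2"),
    (Net("0.0.0.0/0"), "EXTERNAL1", "1.1.1.2"),
]


def acl_lookup(acl, src, dst):
    """First matching ACE wins, as when the ASA evaluates the route map's match ACL."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace
    return None


def explicit_route(dst, routes=ROUTES):
    """Longest-prefix match over non-default routes; None when only 0/0 would match."""
    best = None
    for prefix, ifc, nh in routes:
        if prefix.prefixlen == 0 or dst not in prefix:
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, ifc, nh)
    return best


def pbr_decision(src_ip, dst_ip):
    """Return (mode, egress_ifc, next_hop): "pbr" when the policy next hop is
    applied, "normal" when the packet falls through to the routing table."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    ace = acl_lookup(ACL_GUEST_PBR, src, dst)
    if ace is None or ace.action == "deny":
        # no ACE or a deny ACE: "no route policy found; skip to normal route lookup"
        return ("normal", None, None)
    route = explicit_route(dst)
    if route is not None:
        # 'default' option: an explicit route to the destination overrides the policy
        return ("normal", route[1], route[2])
    ifc, nh = DEFAULT_NEXT_HOP
    return ("pbr", ifc, nh)


if __name__ == "__main__":
    for flow in (("192.168.7.31", "172.16.0.30"),
                 ("192.168.7.31", "192.168.2.254"),
                 ("192.168.7.31", "10.10.5.5")):
        print(flow, "->", pbr_decision(*flow))
```

The point worth checking on a real box is the third flow: with "set default next-hop" any destination the ASA already has a specific route for bypasses the policy, which is what you want for internal subnets but can silently keep guest traffic on the primary link if a static route to the outside destination exists.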


Friday, October 23, 2015

Juniper SRX Cluster

In this post I will show how to configure two Juniper SRX 650 devices as a cluster for HA mode.
In this scenario there are two ISPs, and I need to peer with each of them using BGP.

This is the network topology:



First remove any interface or other configuration from the device:

root@% cli
root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

root# run show configuration
## Last commit: 2015-10-20 01:14:22 UTC by root
version 12.1X44-D35.5;
system {
    root-authentication {
        encrypted-password "fVsds%xw#7NYGHN3VFDS#|EGH6bjuS"; ## SECRET-DATA
    }
}

[edit]

Control link:

On the SRX650, connect ge-0/0/1 on device A to ge-0/0/1 on device B.
The ge-0/0/1 interface on device B will change to ge-9/0/1 after clustering is enabled in step 1. Note: it is strongly recommended that the interfaces used for the control link are connected directly with a cable (rather than through a switch).

Fabric (data) link:

On the SRX650, connect ge-0/0/2 on device A to ge-0/0/2 on device B.
The ge-0/0/2 interface on device B will change to ge-9/0/2 after clustering is enabled in step 1.

Step 1 - enable chassis cluster:

Note that this is done in operational mode, not configuration mode.

root@SRX-A> set chassis cluster cluster-id 1 node 0 reboot


root@SRX-B> set chassis cluster cluster-id 1 node 1 reboot

After that the devices will reboot and the interface numbering will change.

Step 2 – set device-specific configuration:

{primary:node0}
# Device A's host name
set groups node0 system host-name SRX-A
# Device A's management IP address on the fxp0 interface
set groups node0 interfaces fxp0 unit 0 family inet address <ip address/mask>
# Device B's host name
set groups node1 system host-name SRX-B
# Device B's management IP address on the fxp0 interface
set groups node1 interfaces fxp0 unit 0 family inet address <ip address/mask>

Step 3 – configure control and data links:

{primary:node0}
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2

Note that the control link is configured automatically without any settings; which ports serve as control and fabric links varies between models.

Step 4 – configure redundancy groups:

In my case I need four redundancy groups:
Redundancy group 0 for the control plane (the Routing Engine); no interfaces are associated with this group.
Redundancy group 1 (reth1) for LAN side connectivity using VLAN tagging.
Redundancy groups 2 and 3 (reth2 and reth3), one for each WAN link, hence two ISP BGP peers.

set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/20 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/20 weight 255
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 1
set chassis cluster redundancy-group 2 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-11/0/0 weight 255
set chassis cluster redundancy-group 3 node 0 priority 100
set chassis cluster redundancy-group 3 node 1 priority 1
set chassis cluster redundancy-group 3 interface-monitor ge-2/0/3 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-11/0/3 weight 255

Step 5 – configure interfaces:

set interfaces ge-2/0/0 gigether-options redundant-parent reth2
set interfaces ge-2/0/3 gigether-options redundant-parent reth3
set interfaces ge-2/0/20 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth2
set interfaces ge-11/0/3 gigether-options redundant-parent reth3
set interfaces ge-11/0/20 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 100 description LAN
set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 192.168.100.1/24
set interfaces reth1 unit 101 description LAN
set interfaces reth1 unit 101 vlan-id 101
set interfaces reth1 unit 101 family inet address 192.168.101.1/24
set interfaces reth2 description EXTERNAL-PRIMARY
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 1.1.1.1/29
set interfaces reth3 description EXTERNAL-SECONDARY
set interfaces reth3 redundant-ether-options redundancy-group 3
set interfaces reth3 unit 0 family inet address 2.2.2.1/29

Step 6 – set security parameters:

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone LAN interfaces reth1.100
set security zones security-zone LAN interfaces reth1.101
set security zones security-zone EXTERNAL host-inbound-traffic system-services ssh
set security zones security-zone EXTERNAL host-inbound-traffic system-services https
set security zones security-zone EXTERNAL host-inbound-traffic protocols all
set security zones security-zone EXTERNAL interfaces reth3.0
set security zones security-zone EXTERNAL interfaces reth2.0

Step 7 – commit changes:

{primary:node0}
commit
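The redundancy-group step is where copy-and-paste mistakes hide: an interface-monitor entry placed under the wrong group counts toward that group's failover weight while the group that actually owns the reth is never told its link went down. As an added check that is not part of the post (my code, not Juniper's), the Python script below parses set-style lines like the ones above and verifies that every monitored interface belongs to a reth in the same redundancy group, and that every reth member is monitored somewhere. The constructed config deliberately places the two ge-x/0/0 monitors under redundancy-group 3 although they belong to reth2 (group 2), so the check has something to report.

```python
import re

# Constructed excerpt in the post's "set" style. The ge-x/0/0 monitors are
# deliberately put under redundancy-group 3 (they belong to reth2 / group 2).
CONSTRUCTED_CONFIG = """
set chassis cluster reth-count 4
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/20 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/20 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-11/0/0 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-2/0/3 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-11/0/3 weight 255
set interfaces ge-2/0/0 gigether-options redundant-parent reth2
set interfaces ge-2/0/3 gigether-options redundant-parent reth3
set interfaces ge-2/0/20 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth2
set interfaces ge-11/0/3 gigether-options redundant-parent reth3
set interfaces ge-11/0/20 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth3 redundant-ether-options redundancy-group 3
"""

MONITOR_RE = re.compile(
    r"^set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight (\d+)$")
PARENT_RE = re.compile(
    r"^set interfaces (\S+) gigether-options redundant-parent (reth\d+)$")
RETH_RG_RE = re.compile(
    r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$")


def parse(config):
    """Collect (rg, interface, weight) monitors, interface -> reth, reth -> rg."""
    monitors, parent_of, rg_of_reth = [], {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := MONITOR_RE.match(line):
            monitors.append((int(m[1]), m[2], int(m[3])))
        elif m := PARENT_RE.match(line):
            parent_of[m[1]] = m[2]
        elif m := RETH_RG_RE.match(line):
            rg_of_reth[m[1]] = int(m[2])
    return monitors, parent_of, rg_of_reth


def check_monitors(config):
    """Return findings: monitors whose interface belongs to a reth in another
    redundancy group, and reth members that no group monitors at all."""
    monitors, parent_of, rg_of_reth = parse(config)
    findings, monitored = [], set()
    for rg, ifname, _weight in monitors:
        monitored.add(ifname)
        reth = parent_of.get(ifname)
        if reth is None:
            findings.append(f"RG{rg} monitors {ifname}, which is not a member of any reth")
            continue
        owner = rg_of_reth.get(reth)
        if owner != rg:
            findings.append(f"RG{rg} monitors {ifname}, but {reth} belongs to RG{owner}")
    for ifname, reth in parent_of.items():
        if ifname not in monitored:
            findings.append(
                f"{ifname} ({reth}, RG{rg_of_reth.get(reth)}) is not monitored; "
                "its failure will not trigger a failover")
    return findings


if __name__ == "__main__":
    for finding in check_monitors(CONSTRUCTED_CONFIG):
        print(finding)
```

Run it against "show configuration | display set" output from the cluster; an empty result means each reth's members are monitored by the group that owns the reth.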

A few notes regarding Juniper SRX clustering:

When you enable clustering on a Juniper SRX, each node has its own data plane but there is only one control plane, which runs on the active member.
You can't connect more than one device to each node within the same redundancy group, because the node aggregates all connected interfaces in that group.

So working with triangles in this setup simply won't work!

The only way to connect more than one link from a switch to the node is link aggregation (LACP, 802.3ad, EtherChannel).

Also note that a redundant Ethernet (reth) interface can be configured with VLAN tagging (like Cisco router sub-interfaces with encapsulation) or as a plain L3 interface.

The next posts will cover BGP, firewall filters and security policies.






Poor man's TACACS - Archive

One of the most significant advantages of TACACS over RADIUS is the ability to do accounting, that is, logging every activity and configuration change on the device.

For those who don't have a TACACS server (such as Cisco ACS or ISE), you can use the following archive command on Cisco devices, and even send the log to a syslog server for long-term archiving:

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys

This will allow you to track who changed what in your Cisco configurations.
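Once the change log is on a syslog server, the next thing you want is something that reads it and raises the changes that matter: a new local user, logging being switched off, an ACL edit. The Python script below is an added example (mine, not from the post or from Cisco): it parses the %PARSER-5-CFGLOG_LOGGEDCMD messages that "notify syslog contenttype plaintext" produces, one per configuration command, and flags commands on a small constructed watchlist. The sample syslog lines are constructed in that message shape, with "hidekeys" having masked the secret as "*****"; the host and user names are made up.

```python
import re
from dataclasses import dataclass

# Constructed syslog lines in the shape IOS emits with "notify syslog contenttype
# plaintext": one %PARSER-5-CFGLOG_LOGGEDCMD message per configuration command,
# with "hidekeys" masking the secret. The last line is a different message type
# and must be ignored by the parser.
SAMPLE_SYSLOG = """\
<189>Oct 30 09:12:01 10.0.0.1 143: Oct 30 09:12:00.512: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
<189>Oct 30 09:12:03 10.0.0.1 144: Oct 30 09:12:02.731: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:description uplink to core
<189>Oct 30 09:20:44 10.0.0.1 151: Oct 30 09:20:43.100: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:username svc-backup privilege 15 secret *****
<189>Oct 30 09:21:10 10.0.0.1 152: Oct 30 09:21:09.880: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no logging host 10.0.0.50
<189>Oct 30 09:21:30 10.0.0.1 153: Oct 30 09:21:29.004: %SYS-5-CONFIG_I: Configured from console by bob on vty0 (10.0.0.99)
"""

# <pri>receive-timestamp host seq: device-timestamp: %PARSER-5-CFGLOG_LOGGEDCMD: User:u  logged command:cmd
CFGLOG_RE = re.compile(
    r"^<\d+>(?P<recv_ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \d+: "
    r"(?P<dev_ts>.+?): %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) +logged command:(?P<cmd>.*)$"
)

# Constructed watchlist: changes that weaken the audit trail or touch credentials
# and access control. Extend to taste.
WATCHLIST = [
    (re.compile(r"^no (logging|archive|aaa)\b"), "audit/authentication weakened"),
    (re.compile(r"^(username|enable secret|enable password)\b"), "credential change"),
    (re.compile(r"^(no )?(ip )?access-list\b"), "ACL change"),
]


@dataclass
class ConfigChange:
    host: str
    timestamp: str   # the device's own timestamp
    user: str
    command: str


def parse_config_changes(text):
    """Extract every logged configuration command; other syslog messages are skipped."""
    changes = []
    for line in text.splitlines():
        m = CFGLOG_RE.match(line.strip())
        if m:
            changes.append(ConfigChange(m["host"], m["dev_ts"], m["user"], m["cmd"].strip()))
    return changes


def flag_sensitive(changes):
    """Return (change, reason) pairs for commands that hit the watchlist."""
    flagged = []
    for change in changes:
        for pattern, reason in WATCHLIST:
            if pattern.search(change.command):
                flagged.append((change, reason))
                break
    return flagged


if __name__ == "__main__":
    for change, reason in flag_sensitive(parse_config_changes(SAMPLE_SYSLOG)):
        print(f"{change.timestamp} {change.host} {change.user}: {change.command}  [{reason}]")
```

Note that "no logging host" is itself logged before it takes effect, which is exactly why the archive log should leave the box: an administrator who can reconfigure the device can also stop the local log, but not retract what the collector already received.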

Thursday, October 8, 2015

Moving traffic between 2 IPSec tunnels using route-based VPN

In this scenario R2's local network (192.168.20.0/24) can reach R3's local network (192.168.30.0/24) and vice versa, this time using route-based VPN.

The first tunnel is between R1 and R2, the second between R1 and R3.
The network diagram is the same as in the previous post.

R1 configuration:

crypto keyring VPN_KEY_R2
  pre-shared-key address 10.1.12.2 key cisco
!
crypto keyring VPN_KEY_R3
  pre-shared-key address 10.1.13.3 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE_R2
   keyring VPN_KEY_R2
   match identity address 10.1.12.2 255.255.255.255
!
crypto isakmp profile ISAKMP_PROFILE_R3
   keyring VPN_KEY_R3
   match identity address 10.1.13.3 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set MYSET
!
interface Tunnel12
 ip address 10.2.0.1 255.255.255.0
 tunnel source fa 0/0
 tunnel destination 10.1.12.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface Tunnel13
 ip address 10.3.0.1 255.255.255.0
 tunnel source fa 1/0
 tunnel destination 10.1.13.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
ip route 192.168.20.0 255.255.255.0 10.2.0.2
ip route 192.168.30.0 255.255.255.0 10.3.0.3

R2 configuration:

crypto keyring VPN_KEY
  pre-shared-key address 10.1.12.1 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE
   keyring VPN_KEY
   match identity address 10.1.12.1 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set MYSET
!
interface Tunnel12
 ip address 10.2.0.2 255.255.255.0
 tunnel source fa 0/0
 tunnel destination 10.1.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
ip route 192.168.10.0 255.255.255.0 10.2.0.1
ip route 192.168.30.0 255.255.255.0 10.2.0.1

R3 configuration:

crypto keyring VPN_KEY
  pre-shared-key address 10.1.13.1 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE
   keyring VPN_KEY
   match identity address 10.1.13.1 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set MYSET
!
interface Tunnel13
 ip address 10.3.0.3 255.255.255.0
 tunnel source fa 0/0
 tunnel destination 10.1.13.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
ip route 192.168.10.0 255.255.255.0 10.3.0.1
ip route 192.168.20.0 255.255.255.0 10.3.0.1
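With a route-based VPN the crypto ACLs disappear and the static routes alone decide which tunnel carries a prefix, so the thing to verify is that every next hop actually sits on one of the router's own tunnel subnets and that the hop-by-hop path is symmetric. The Python model below is an added example, not code from the post: the tunnel addresses, LANs and routes are the post's, except that R3's next hops are deliberately left pointing at 10.2.0.1 (R1's Tunnel12 address, which is not on R3's tunnel subnet) so the trace shows how an asymmetric path fails; fixed_r3() produces the corrected model.

```python
import ipaddress

# Constructed model of the three routers: tunnel interface addresses, the LAN
# behind each router and its static routes. R3's next hop 10.2.0.1 is deliberate:
# it lies on R1's *other* tunnel subnet, so R3 cannot resolve it via Tunnel13.
ROUTERS = {
    "R1": {"lan": "192.168.10.0/24",
           "tunnels": {"Tunnel12": "10.2.0.1/24", "Tunnel13": "10.3.0.1/24"},
           "routes": [("192.168.20.0/24", "10.2.0.2"), ("192.168.30.0/24", "10.3.0.3")]},
    "R2": {"lan": "192.168.20.0/24",
           "tunnels": {"Tunnel12": "10.2.0.2/24"},
           "routes": [("192.168.10.0/24", "10.2.0.1"), ("192.168.30.0/24", "10.2.0.1")]},
    "R3": {"lan": "192.168.30.0/24",
           "tunnels": {"Tunnel13": "10.3.0.3/24"},
           "routes": [("192.168.10.0/24", "10.2.0.1"), ("192.168.20.0/24", "10.2.0.1")]},
}


def tunnel_for_next_hop(tunnels, next_hop):
    """Tunnel whose subnet contains next_hop, or None (the route cannot resolve)."""
    nh = ipaddress.ip_address(next_hop)
    for name, cidr in tunnels.items():
        if nh in ipaddress.ip_interface(cidr).network:
            return name
    return None


def longest_match(routes, dst):
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def owner_of(routers, ip):
    """Router that owns a given tunnel endpoint address."""
    addr = ipaddress.ip_address(ip)
    for name, r in routers.items():
        if any(ipaddress.ip_interface(c).ip == addr for c in r["tunnels"].values()):
            return name
    return None


def audit_routes(routers, router):
    """Map each static route of `router` to the tunnel carrying it (None = unresolvable)."""
    r = routers[router]
    return {prefix: tunnel_for_next_hop(r["tunnels"], nh) for prefix, nh in r["routes"]}


def trace(routers, start, dst_ip, max_hops=8):
    """Follow static routes hop by hop. The list ends with the router that owns the
    destination LAN, or with a marker saying why forwarding stopped."""
    dst = ipaddress.ip_address(dst_ip)
    hops, current = [start], start
    for _ in range(max_hops):
        r = routers[current]
        if dst in ipaddress.ip_network(r["lan"]):
            return hops
        match = longest_match(r["routes"], dst)
        if match is None:
            return hops + ["NO-ROUTE"]
        nh = match[1]
        if tunnel_for_next_hop(r["tunnels"], nh) is None:
            return hops + [f"UNRESOLVED({nh})"]
        current = owner_of(routers, nh)
        hops.append(current)
    return hops + ["LOOP"]


def fixed_r3(routers):
    """Copy of the model with R3's next hops moved to 10.3.0.1, R1's Tunnel13 address."""
    fixed = {name: dict(cfg) for name, cfg in routers.items()}
    fixed["R3"]["routes"] = [(prefix, "10.3.0.1") for prefix, _ in routers["R3"]["routes"]]
    return fixed


if __name__ == "__main__":
    print(trace(ROUTERS, "R2", "192.168.30.5"))            # forward path works
    print(trace(ROUTERS, "R3", "192.168.20.5"))            # return path cannot resolve
    print(trace(fixed_r3(ROUTERS), "R3", "192.168.20.5"))  # corrected
```

The forward path R2 -> R1 -> R3 resolves, but the reply from R3 stops at an unresolvable next hop, which is what a one-way ping failure looks like in practice; audit_routes() shows the same thing per router without tracing a flow.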



Moving traffic between 2 IPSec tunnels using policy-based VPN

In this scenario R2's local network (192.168.20.0/24) can reach R3's local network (192.168.30.0/24) and vice versa.
The first tunnel is between R1 and R2, the second between R1 and R3.

This is the network diagram:


R1 configuration:

ip access-list extended ACL_R1_TO_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!
ip access-list extended ACL_R1_TO_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto keyring VPN_KEY_R2
  pre-shared-key address 10.1.12.2 key cisco
!
crypto keyring VPN_KEY_R3
  pre-shared-key address 10.1.13.3 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE_R2
   keyring VPN_KEY_R2
   match identity address 10.1.12.2 255.255.255.255
!
crypto isakmp profile ISAKMP_PROFILE_R3
   keyring VPN_KEY_R3
   match identity address 10.1.13.3 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map POLICY_VPN_R2 10 ipsec-isakmp
 match address ACL_R1_TO_R2
 set peer 10.1.12.2
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE_R2
 reverse-route static
 set reverse-route distance 10
!
crypto map POLICY_VPN_R3 10 ipsec-isakmp
 match address ACL_R1_TO_R3
 set peer 10.1.13.3
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE_R3
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map POLICY_VPN_R2
!
interface FastEthernet1/0
 crypto map POLICY_VPN_R3
!

R2 configuration:

ip access-list extended ACL_R2_TO_R1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto keyring VPN_KEY
  pre-shared-key address 10.1.12.1 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE
   keyring VPN_KEY
   match identity address 10.1.12.1 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map POLICY_VPN 10 ipsec-isakmp
 match address ACL_R2_TO_R1
 set peer 10.1.12.1
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map POLICY_VPN
!

R3 configuration:

ip access-list extended ACL_R3_TO_R1
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto keyring VPN_KEY
  pre-shared-key address 10.1.13.1 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE
   keyring VPN_KEY
   match identity address 10.1.13.1 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map POLICY_VPN 10 ipsec-isakmp
 match address ACL_R3_TO_R1
 set peer 10.1.13.1
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map POLICY_VPN
!
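In a policy-based VPN the crypto ACLs are the whole policy: a flow is only encrypted if it matches, and the peer only accepts it if the peer's ACL contains the mirror image. The hairpin R2 -> R1 -> R3 therefore needs the 30 -> 20 and 20 -> 30 entries on R1 *and* the reverse entries on R2 and R3. The Python check below is an added example (mine, not from the post or from Cisco) that verifies mirroring across all peers and shows which crypto map a given packet takes. The ACLs are the post's, except that R2's is constructed without the 192.168.20.0/24 -> 192.168.30.0/24 entry so the check has an asymmetry to report.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Constructed crypto ACLs keyed by device, then ACL name, each with the peer its
# crypto map points at. R2's ACL deliberately lacks 192.168.20.0/24 ->
# 192.168.30.0/24, the mirror of R1's second ACL_R1_TO_R2 entry.
CRYPTO_ACLS = {
    "R1": {
        "ACL_R1_TO_R2": {"peer": "R2", "flows": [("192.168.10.0/24", "192.168.20.0/24"),
                                                 ("192.168.30.0/24", "192.168.20.0/24")]},
        "ACL_R1_TO_R3": {"peer": "R3", "flows": [("192.168.10.0/24", "192.168.30.0/24"),
                                                 ("192.168.20.0/24", "192.168.30.0/24")]},
    },
    "R2": {"ACL_R2_TO_R1": {"peer": "R1", "flows": [("192.168.20.0/24", "192.168.10.0/24")]}},
    "R3": {"ACL_R3_TO_R1": {"peer": "R1", "flows": [("192.168.30.0/24", "192.168.10.0/24"),
                                                    ("192.168.30.0/24", "192.168.20.0/24")]}},
}


def flows_toward(acls, device, peer):
    """All (src, dst) networks that `device` encrypts toward `peer`."""
    out = []
    for acl in acls.get(device, {}).values():
        if acl["peer"] == peer:
            out.extend((Net(s), Net(d)) for s, d in acl["flows"])
    return out


def covers(flows, src, dst):
    """True if some (s, d) entry contains both src and dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in flows)


def mirror_check(acls=CRYPTO_ACLS):
    """For each flow A encrypts toward B, B must encrypt the reverse flow toward A,
    otherwise B's replies are dropped or leave unencrypted. Returns the missing
    entries as (device_that_needs_it, toward_peer, src, dst)."""
    missing = []
    for dev, acl_set in acls.items():
        for acl in acl_set.values():
            peer = acl["peer"]
            back = flows_toward(acls, peer, dev)
            for s, d in acl["flows"]:
                if not covers(back, Net(d), Net(s)):
                    missing.append((peer, dev, d, s))
    return missing


def select_crypto_map(device, src_ip, dst_ip, acls=CRYPTO_ACLS):
    """(ACL name, peer) under which a packet leaving `device` is encrypted; None means
    it matches no crypto ACL and is forwarded by normal routing, in the clear."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for name, acl in acls[device].items():
        if any(src in Net(s) and dst in Net(d) for s, d in acl["flows"]):
            return (name, acl["peer"])
    return None


if __name__ == "__main__":
    for entry in mirror_check():
        print("missing on %s toward %s: permit %s -> %s" % entry)
    print(select_crypto_map("R1", "192.168.30.5", "192.168.20.9"))  # hairpin leg toward R2
    print(select_crypto_map("R2", "192.168.20.5", "192.168.30.9"))  # None: not protected
```

The second select_crypto_map() call is the security-relevant one: on the constructed R2 a packet for 192.168.30.0/24 matches nothing and is simply routed, so a missing mirror entry fails open rather than closed unless an interface ACL or a null route catches it.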



Friday, October 2, 2015

DM-VPN VRF aware

Network topology:


R4 is the SP router/cloud with no special configuration;
R1 is the hub, while R2 and R3 are the spokes.

R1 (Hub) Configuration:
ip vrf LOCALSP
 rd 1:100
!
crypto keyring CCIE vrf LOCALSP
  local-address FastEthernet0/0
  pre-shared-key address 10.1.24.2 key cisco2
  pre-shared-key address 10.1.34.3 key cisco3
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMPPROFILE
   vrf LOCALSP
   keyring CCIE
   match identity address 10.1.24.2 255.255.255.255 LOCALSP
   match identity address 10.1.34.3 255.255.255.255 LOCALSP
   local-address FastEthernet0/0
!
crypto ipsec transform-set CCIEXFORM esp-aes
 mode transport
!
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
 set isakmp-profile ISAKMPPROFILE
!
interface Loopback0
 ip address 192.168.11.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1380
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPNPROFILE
!
interface FastEthernet0/0
 ip vrf forwarding LOCALSP
 ip address 10.1.14.1 255.255.255.0
!
router eigrp CCIE
 !
 address-family ipv4 unicast autonomous-system 123
  !
  af-interface Tunnel0
   no next-hop-self
   no split-horizon
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 172.16.0.1 0.0.0.0
  network 192.168.11.1 0.0.0.0
 exit-address-family
!
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 10.1.14.4

R2 (Spoke) Configuration:
ip vrf LOCALSP
 rd 2:100
!
crypto keyring CCIE vrf LOCALSP
  local-address FastEthernet0/0
  pre-shared-key address 10.1.14.1 key cisco2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMPPROFILE
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
   local-address FastEthernet0/0
!
crypto ipsec transform-set CCIEXFORM esp-aes
 mode transport
!
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
 set isakmp-profile ISAKMPPROFILE
!
interface Loopback0
 ip address 192.168.12.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1 nbma 10.1.14.1 multicast
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1380
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPNPROFILE
!
interface FastEthernet0/0
 ip vrf forwarding LOCALSP
 ip address 10.1.24.2 255.255.255.0
!
router eigrp CCIE
 !
 address-family ipv4 unicast autonomous-system 123
  !
  topology base
  exit-af-topology
  network 172.16.0.2 0.0.0.0
  network 192.168.12.1 0.0.0.0
 exit-address-family
!
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 10.1.24.4

A few notes to pay attention to:

tunnel vrf <VRF_NAME> makes the GRE tunnel look up its source/destination (NBMA) addresses in that VRF's routing table.

ip vrf forwarding <VRF_NAME> under an interface binds that interface to the VRF routing table; here it is applied to FastEthernet0/0 (the NBMA-facing interface), while Tunnel0 stays in the global table.

I've used a different pre-shared key for each spoke; the per-spoke address entries can be replaced with 0.0.0.0 to match all identities/addresses.

Make sure the NBMA IP addresses can ping each other.
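The first two notes describe one consistency rule: the VRF named by tunnel vrf, the VRF of the tunnel source interface, and the VRF bound to the keyring and to the identity matches must all be the same front-door VRF, and that VRF must hold a route to every spoke's NBMA address. The Python check below is an added example, not code from the post or from Cisco; it models the hub's wiring with the post's names (LOCALSP, CCIE, ISAKMPPROFILE, DMVPNPROFILE, the NBMA addresses) in a constructed dictionary layout, and without_tunnel_vrf() produces the common mistake of forgetting tunnel vrf so you can see what the check reports.

```python
import copy
import ipaddress

# Constructed model of the hub's front-door VRF (fVRF) wiring from this post.
# Keys like "tunnel_vrf" and "match_vrf" are this model's own, not IOS syntax.
HUB = {
    "interfaces": {
        "FastEthernet0/0": {"vrf": "LOCALSP", "ip": "10.1.14.1/24"},
        "Loopback0": {"vrf": None, "ip": "192.168.11.1/24"},
        "Tunnel0": {"vrf": None, "ip": "172.16.0.1/24", "tunnel_source": "FastEthernet0/0",
                    "tunnel_vrf": "LOCALSP", "ipsec_profile": "DMVPNPROFILE"},
    },
    # crypto keyring CCIE vrf LOCALSP, with the spoke NBMA addresses it holds keys for
    "keyrings": {"CCIE": {"vrf": "LOCALSP", "peers": ["10.1.24.2", "10.1.34.3"]}},
    # match identity address ... LOCALSP: the VRF the peer address is looked up in
    "isakmp_profiles": {"ISAKMPPROFILE": {"keyring": "CCIE", "match_vrf": "LOCALSP"}},
    "ipsec_profiles": {"DMVPNPROFILE": {"isakmp_profile": "ISAKMPPROFILE"}},
    # (vrf, prefix, next hop): ip route vrf LOCALSP 0.0.0.0 0.0.0.0 10.1.14.4
    "static_routes": [("LOCALSP", "0.0.0.0/0", "10.1.14.4")],
}


def reachable_in_vrf(dev, vrf, ip):
    """True if `ip` is covered by a connected subnet or a static route inside `vrf`."""
    addr = ipaddress.ip_address(ip)
    for ifc in dev["interfaces"].values():
        if ifc["vrf"] == vrf and addr in ipaddress.ip_interface(ifc["ip"]).network:
            return True
    return any(v == vrf and addr in ipaddress.ip_network(p) for v, p, _ in dev["static_routes"])


def check_fvrf(dev):
    """Findings for every GRE tunnel whose fVRF pieces disagree with each other."""
    findings = []
    for name, ifc in dev["interfaces"].items():
        if "tunnel_source" not in ifc:
            continue
        fvrf = ifc.get("tunnel_vrf")
        src = dev["interfaces"][ifc["tunnel_source"]]
        if src["vrf"] != fvrf:
            findings.append(f"{name}: tunnel vrf is {fvrf} but source "
                            f"{ifc['tunnel_source']} is in vrf {src['vrf']}")
        ipsec = dev["ipsec_profiles"][ifc["ipsec_profile"]]
        isakmp = dev["isakmp_profiles"][ipsec["isakmp_profile"]]
        keyring = dev["keyrings"][isakmp["keyring"]]
        if keyring["vrf"] != fvrf:
            findings.append(f"{name}: keyring {isakmp['keyring']} is in vrf "
                            f"{keyring['vrf']}, tunnel vrf is {fvrf}")
        if isakmp["match_vrf"] != fvrf:
            findings.append(f"{name}: isakmp profile matches identities in vrf "
                            f"{isakmp['match_vrf']}, tunnel vrf is {fvrf}")
        for peer in keyring["peers"]:
            if not reachable_in_vrf(dev, fvrf, peer):
                findings.append(f"{name}: NBMA peer {peer} has no route in vrf {fvrf}")
    return findings


def without_tunnel_vrf(dev):
    """Copy of the model where 'tunnel vrf' was forgotten on Tunnel0: the tunnel then
    looks for its peers in the global table and never comes up."""
    broken = copy.deepcopy(dev)
    broken["interfaces"]["Tunnel0"]["tunnel_vrf"] = None
    return broken


if __name__ == "__main__":
    print("hub as configured:", check_fvrf(HUB) or "consistent")
    for finding in check_fvrf(without_tunnel_vrf(HUB)):
        print(finding)
```

The spokes follow the same pattern with a single hub NBMA address in the keyring, so the same function applies to them once their dictionaries are filled in.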