Thursday, August 9, 2012

Securing SSH - Tips & Tricks

Strong Usernames/Passwords
To most of us, this comes as a no-brainer. To others, not so much... Regardless, the strength of username/password combinations is extremely important. If the password being used is a dictionary word or could be derived from the username, there may as well be no password at all... Ideally, passphrases should be used. A passphrase is just like a password except that instead of a single word, a whole phrase is used. Passwords and passphrases alike should also be mangled.

iPhone Home - Remote Access to iPhone

Often I have wanted a reliable way to access the contents of my phone remotely (in case I misplace my phone or if my phone gets stolen). While there are other apps to determine the location of the phone, remotely lock or wipe it, etc., I still want MORE! So I decided to try this on my own.

Let's start by simply SSHing into the iPhone... NOPE! Wait, you mean to say that you can't SSH directly into an iPhone connected only to mobile broadband? Yes, it's sad but true. Fortunately, we already know how to bypass those pesky firewalls using Reverse SSH!

By following the tutorial “Bypassing Firewalls - Reverse SSH Tunneling” the iPhone can be forced to phone home.  On jailbroken iPhones, this can be achieved manually by running the following command in the terminal or by running the script provided previously.  Currently, there is no way to accomplish such a task on a non-jailbroken device.

Friday, June 22, 2012

Configuring Cisco ZFW - Cisco Zone Based Firewall

The concept of Cisco Zone Based Firewall (ZFW) is very simple, yet it can quickly turn into a giant two-headed dog if you don't understand how to design it. ZFW classifies interfaces into security zones: interfaces within the same zone can pass traffic freely between each other, while traffic between interfaces in different zones is restricted by default. A quick example can shed more light on this concept.

Consider the simple topology below and let's get started.

Thursday, June 14, 2012

Configuring CBAC - Context Based Access Control

When it comes to security, I think you should always implement an actual firewall such as an ASA. However, if you are a small business and you need to get a stateful firewall up and running, then Cisco Context Based Access Control is the way to go. It's lightweight, easy to configure and it gets the job done.

Consider this topology below and let's see how easily we can get it configured.

Sunday, June 10, 2012

Configuring BGP - ORF (Outbound Route Filtering)

Outbound route filtering (ORF) in BGP reminds me of the spam I get in my mail every day. Even though I end up throwing (filtering) most of it away in the garbage, I still have to spend time looking at it, opening it and/or reading it, which in turn wastes my time and my brain cycles. Wouldn't it be much more efficient if I could just tell the post office not to even send it? Well, in BGP we can actually do this. We can tell our BGP neighbor what to filter out before sending updates, so we do not have to waste (CPU) time processing it. Ideally this would be implemented in ISP peerings, so ISPs do not have to deal with customer requests about what needs to be advertised and what needs to be filtered.

For example, if you are BGP peered with an ISP and you have a route-map that filters all routes except the default route, the ISP is still sending you the whole internet routing table, and your CPU is processing the entire internet table before filtering it down to the default route.

Consider this topology and let's see how we can efficiently perform BGP filtering and conserve our router's resources.

Saturday, June 9, 2012

Configuring BGP - Soft Reconfiguration Inbound

We live in a world filled with instant updates. Where are you going? What are you eating? What did you do last night? Everything is instantly "updated", "tweeted", and "posted". So why is it that when we make a routing policy change to BGP we have to clear the entire state of the BGP neighbor and tear down the BGP peering before it can take effect?

To keep up to date with the world we live in, we can configure 'BGP Soft Reconfiguration', which allows us to make routing policy changes to BGP without having to tear down the peering.

Consider the simple topology below and let's get started.

Friday, June 8, 2012

Configuring BGP - Local AS - One router multiple ASN

Wouldn't it be awesome if you had two first names and you had the choice to use whichever one you wanted based on some criteria? Well, in BGP your first name is your ASN (Autonomous System Number). Unlike OSPF or other routing protocols, BGP lets you spin up only one instance with a single ASN per router. For example, you will get this error message if you try to spin up more than one instance:

R2(config)#router bgp 200
R2(config)#router bgp 201
BGP is already running; AS is 200

So what do you do when you need to have more than one ASN on the same router? This is where local-as comes in handy.

Consider this simple topology below and let's get started.

Thursday, June 7, 2012

Configuring MPLS - MPLS ttl-propagation

Would you disclose any more about your network than you had to? I follow the logic that the more I disclose, the less secure my network becomes.

This post is a follow-up to my 'Configuring MPLS - Easiest L3VPN Ever' post, in which I stated that when we do a traceroute from the CE (Customer Edge) router, we can see inside the MPLS cloud and all the next-hop routers are exposed to the customer. Check out the screenshot below.

Tuesday, June 5, 2012

Configuring BGP - Remove Private AS

Most of you are familiar with private IP addresses. Right? Well, the basic concept behind private IP addresses is that they should not be in the global ISP routing table. Private IP addresses were created to conserve IPv4 space and are not to be routed globally. There is something very similar in the BGP world called private ASNs. Basically, these ASNs should never be advertised from one ISP to another ISP. BGP private ASNs are to be used within an organization for internal purposes only.

In this blogtorial we will see how we can remove these private ASNs before sending our update to an ISP.

Consider this simple topology below and let's begin.

Bypassing Firewalls - Reverse SSH Tunneling

Have you ever found yourself in the situation where you need remote access to internal resources but don’t have the time (or maybe authority) to make changes to the network firewall?  If so, you are in luck!

This tutorial shows how SSH can be used to connect to machines that are not reachable from the internet, without 1-to-1 NAT, firewall exceptions, etc... With this you can bypass NAT and incoming FIREWALL restrictions. Examples of when this would be used include: getting a remote shell on a firewall'd server (see diagram below), establishing VNC or RDP sessions to NAT'd servers (see guide below), etc...

Configuring BGP - BGP Backdoor

At one point or another we have all sneaked into our parents' house through the back door. Well, we are going to be talking about something very similar; however, instead of a parents' house and a sneaking teenager ;) we are going to be discussing sneaking routes into the routing table via BGP backdoor.

Our objective is to prefer an IGP-learned route over an eBGP-learned route. As we all know, for the most part AD (administrative distance) dictates which routes get installed in the routing table.

Consider this simple topology and let's get started.

Saturday, June 2, 2012

Configuring NAT - NAT Stateful Failover with HSRP

If you work in a high availability environment (the largest options exchange in the world) like I do, then you know the value of redundant design. I dislike being caught off guard and putting out fires. Therefore, I try to make redundancy a part of my design, so that when "it" hits the fan users aren't breathing down my neck, and I can actually concentrate on fixing the issue rather than grabbing a bucket of water to put out a house fire. That is the basis for this blogtorial, which is how to configure NAT Stateful Failover with HSRP.

Please read my previous NAT posts if you need a refresher on NAT. At this point, I am assuming you are fairly familiar with NAT and its concepts, so I will get right down to business and spare you the usual 'abc' of NAT'ng.

Consider this simple topology and let's get started.

Thursday, May 31, 2012

Configuring MPLS VPN - Easiest L3VPN Ever

When I used to hear the term MPLS, it would strike fear through my heart. Why? The natural human reaction is to fear or dislike the unknown. In this blogtorial, I will attempt to simplify MPLS as much as possible, and hopefully after going through it you'll feel much more comfortable with MPLS and how to configure it.

I will present a brief overview of the router roles involved in MPLS and create a checklist for 'How to configure MPLS L3VPN'. I have browsed various articles and read numerous books on MPLS, and none of them gave me what I was looking for -- a basic checklist that went step by step and configured MPLS. Most of them jumped around and weren't organized in any fashion I liked. So I created my own, and I hope you find it as useful as I did.

Consider this topology and let's get started.

Wednesday, May 30, 2012


Imagine you have 2 ISPs coming into a single router and you have a BGP relationship with both ISPs. One is a 100meg connection from AT&T and the other is a slower internet connection from a local ISP. Your manager requests that we use the 100meg connection for both outgoing and incoming traffic. Well, the outgoing traffic is very easy to manipulate using IGP, metric, PBR, route-maps or whatever your heart desires. But how do we control the inbound traffic? There are a few options available to us; however, in this blogtorial we will see how we can manipulate inbound traffic using AS path prepending.

Consider this simple topology and let's get started.

Wednesday, May 23, 2012

Configuring NAT - NAT with route-maps

The fourth post in this NAT series is 'NAT with route-maps'. In my opinion, using route-maps to manipulate NAT is a fairly advanced topic. Therefore, make sure to do plenty of labs and read up on the docs to understand the concepts. With that being said, let's get started.

The topology we will be using:

Tuesday, May 22, 2012

Configuring NAT - Dynamic NAT with PAT

The third post in this NAT series is "Dynamic NAT with Port Address Translation". Port Address Translation (PAT) works by translating not just the IP address but also the ports associated with the connection. It was mainly created to allow many-to-one NAT, so a single public IP can be shared between thousands of hosts.

The topology we will be using is similar to the ones from my previous posts in this series.

Saturday, May 19, 2012

Configuring NAT - Dynamic NAT w/o PAT

The second post in this NAT series is "Dynamic NAT without Port Address Translation". I will go into more detail about PAT in my next post, so for now let's take a quick look at how to configure Dynamic NAT.

Dynamic NAT without Port Address Translation is very similar to static 1-to-1 NAT in that it still creates a 1-to-1 mapping; however, it dynamically allocates the NAT IP from a pool of addresses.

The topology we will be using:

Configuring NAT - Static 1-1 NAT

In this series of NAT blogtorials, we will start with a simple static 1-to-1 NAT mapping. Consider the simple topology below and let's dive into the world of NAT.

Tuesday, May 8, 2012

Cisco to Cisco IPsec-manual Decrypt packets - Part 2

Now let's get into decrypting ICMP packets between R1 and R2.

First let's capture some packets between R1 and R2.
  • Right click on the line between R1 and R2
  • Choose R1 f1/0
  • Click "OK"

Cisco to Cisco IPsec-manual Decrypt packets - Part 1

We will split this blogtorial into 2 parts. Part 1 will concentrate on how to set up the IPsec-manual tunnel, and Part 2 will concentrate on how to decrypt the traffic between the two VPN endpoints. The reason we are setting up an ipsec-manual VPN instead of an ipsec-isakmp VPN is that we cannot obtain the IPsec session keys needed to decrypt the packets if ISAKMP is used.

Consider this simple 2 router topology and let's get started.

Saturday, May 5, 2012

Decrypt IPsec packets - Linux to Cisco VPN

In this blogtorial I will demonstrate how to decrypt IPsec packets on a VPN between a Linux machine and a Cisco router. We will be using the setup from my previous blogtorial 'Configuring IPSEC VPN between Linux and Cisco'.

Let's begin.

Wednesday, May 2, 2012

Configuring ACLs - ACL Resequence

In this blogtorial we will see how ACLs are sequenced and how we can resequence them if we need to. ACLs initially start at sequence number 10 and increment by 10 for each entry unless otherwise specified.

Let's take a look.

Monday, April 30, 2012

Propagating Default Routes - OSPF

How do you get a default route into an OSPF routing domain? Well, there is really only one way to do it: by using default-information originate.

Consider this simple topology below and follow the screenshots.

Troubleshooting - Loop-back detected - %PM-4-ERR_DISABLE

Recently, I was tasked with troubleshooting a weird problem where one of the interfaces was err-disabled. Fun Monday mornings :) Sifting through the logs, I came upon this error message.

%PM-4-ERR_DISABLE: loopback error detected on Fa1/0/20, putting Fa1/0/20 in err-disable state
%ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on FastEthernet1/0/20.

Turns out this was because an interface somewhere in our network was configured incorrectly, which then created a loop in our network. The STP topology in our network corrected/recovered itself within a few seconds and fa1/0/20 should have "err-disable recovered"; however, "errdisable recovery cause loopback" was not configured.

Basically, this error message states that the keepalives, which are on by default, are looping back to the source interface.

For example, if a keepalive was sent on fa1/0/20 and that keepalive packet loops around the network and shows up at the source interface, then there must be a loop in our network, and the interface which sent out the keepalive will be err-disabled.

Notice that keepalives are set to 10 seconds by default on all interfaces. Possible fixes:
  • Fix the underlying misconfigured interface downstream and/or upstream.
  • Disable keepalives on interfaces.
Many more articles to come so stay tuned.

Friday, April 27, 2012

Propagating Default Routes - EIGRP

There are 4 ways to get default routes into an EIGRP topology. We will take a look at all of them. Consider a simple 2 router topology and let's begin.

Configuring /31 - P2P or Segment with 2 endpoints

In general, most ISPs will assign a /30 on point-to-point interfaces, which gives you 4 IP addresses, only 2 of which are usable, resulting in 50% of the addresses in that subnet being wasted. For example yields and as your usable IP addresses and is the subnet number and is the broadcast address. As you can see, only 2 out of the 4 IP addresses are usable. So how can we be more efficient? By using a /31 subnet mask, which gives you 2 IP addresses, 100% of which will be utilized.

Consider a very simple topology below and let's get started.

Configuring OSPF FAST hellos

The sooner we detect an OSPF neighbor failure, the faster the network can converge when there is a failure. In this blogtorial we will see how we can achieve fast detection of OSPF neighbor failure. Consider this simple 2 router topology and let's get started.

Monday, April 2, 2012

Preventing Sub-optimal routing in mutual redistribution - Part 1

Following on from my previous redistribution post, let's explore a few ways we can prevent sub-optimal routing when redistributing routes at multiple routers.

Consider the topology from my previous redistribution post and let's continue.

Configuring Mutual Redistribution - OSPF to RIP

In this blogtorial we will take a look at how to configure mutual redistribution between OSPF and RIP. Though it is very easy to configure, tweaking it and preventing sub-optimal routing is tricky. However, we will save "Preventing Sub-optimal routing in mutual redistribution" for the next post.

Consider a very simple topology below and let's get started.

Configuring Frame Relay Point to Point and Point to Multipoint

It has been a while since I have written a blog. I have been very busy with life, a new job and my CCIE studies. That's right folks, I have started my pursuit of the digits!! I will post my study materials, my schedule, and study plan in another post. In this blogtorial we will configure Frame Relay Point to Point and Point to Multipoint. We will build on this topology, configure EIGRP and explore topics such as split horizon and see how it affects route advertisements. Consider the simple topology below and let's get started.