Wednesday 2 November 2011

Generally speaking, Cisco switches are among the most widely deployed in the market. Versatile, reliable, flexible and powerful, the Cisco Catalyst switch product line (the 2960, 3560, 3750, 4500, 6500, etc.) offers strong performance and a rich feature set.

 

Although a Cisco switch is a much simpler network device than a router or a firewall, many people have difficulty configuring a Cisco Catalyst switch. Unlike plug-and-play switches from lower-end vendors, a Cisco switch needs some initial basic configuration in order to enable management, security and other important features.

 

How do you configure a Cisco switch from scratch? The basic steps below take you through the initial configuration.

 

STEP1: Connect to the device via console

Use terminal emulation software such as PuTTY and connect to the console port of the switch. You will get the initial command prompt “Switch>”.

Type “enable” and hit enter. You will get into privileged mode (“Switch#”) 

Now, get into Global Configuration Mode:

Switch# configure terminal
Switch(config)#

 

STEP2: Set up a hostname for the particular switch to distinguish it in the network

Switch(config)# hostname access-switch1
access-switch1(config)#

 

STEP3: Configure an administration password (enable secret)

access-switch1(config)# enable secret somestrongpass

Use enable secret rather than enable password: the secret is stored as a salted hash (type 5), whereas enable password is kept in clear text or in the trivially reversible type 7 encoding. If both are set, the secret takes precedence.

 

STEP4: Configure a password for Telnet (VTY) access

access-switch1(config)# line vty 0 15
access-switch1(config-line)# password strongtelnetpass
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#

Telnet carries this password and every subsequent command in clear text, so anyone on the path can read them. Treat this as the minimum: on IOS images that support SSH, allow only SSH on the VTY lines, and in any case restrict which sources may connect (STEP5).

 

STEP5: Define which IP addresses are allowed to access the switch via Telnet

access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
access-switch1(config-std-nacl)# exit

A standard access list ends with an implicit deny, so once this list is applied to the VTY lines every other source address is refused.

 

!Apply the access list to Telnet VTY Lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#

 

STEP6: Assign an IP address to the switch for management

! The management IP is assigned to VLAN 1 here, which is the default VLAN of every port.
! On a production network, put management on a dedicated VLAN so that management
! traffic is separated from user traffic.
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# exit
access-switch1(config)#

 

STEP7: Assign default gateway to the switch

access-switch1(config)# ip default-gateway 10.1.1.254

 

STEP8: Disable unneeded ports on the switch

! This step is optional but enhances security: an unused port that is shut down
! cannot be used by someone who plugs into it.
! Assume that we have a 48-port switch and we don’t need ports 25 to 48

access-switch1(config)# interface range fastEthernet 0/25 - 48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#

 

STEP9: Save the configuration

! write memory is a privileged EXEC command, so leave configuration mode first.
! wr is the usual abbreviation; copy running-config startup-config is equivalent.
access-switch1(config)# end
access-switch1# write memory
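Once the steps above are done, the quickest way to catch the weak spots they leave behind (Telnet still enabled, line passwords in clear text, management on VLAN 1) is to audit the resulting running-config. The script below is an added example by the editor, not part of the original tutorial and not a Cisco tool: SAMPLE_CONFIG is a constructed running-config of what the nine steps produce, HARDENED_CONFIG is the same switch after the usual fixes, and the check names and messages are this example's own.

```python
"""Audit a Cisco IOS running-config for the management-plane weaknesses a
reviewer checks after the basic set-up above.

Added example by the editor, not part of the original tutorial and not a
Cisco tool. The two configs below are constructed: SAMPLE_CONFIG is what the
tutorial's steps produce, HARDENED_CONFIG is the same switch after the usual
fixes (SSH-only VTYs, password encryption, a dedicated management VLAN).
Check ids and messages are this example's own."""
from typing import List, Tuple

Finding = Tuple[str, str]          # (check id, what is wrong)

SAMPLE_CONFIG = """\
hostname access-switch1
enable secret 5 $1$mERr$constructedPlaceholderHash
!
interface Vlan1
 ip address 10.1.1.200 255.255.255.0
!
ip default-gateway 10.1.1.254
!
ip access-list standard TELNET-ACCESS
 permit 10.1.1.100
 permit 10.1.1.101
!
line vty 0 15
 password strongtelnetpass
 access-class TELNET-ACCESS in
 login
"""

HARDENED_CONFIG = """\
hostname access-switch1
service password-encryption
enable secret 5 $1$mERr$constructedPlaceholderHash
username admin privilege 15 secret 5 $1$mERr$constructedPlaceholderHash
!
interface Vlan99
 ip address 10.99.0.200 255.255.255.0
!
ip access-list standard MGMT-ACCESS
 permit 10.99.0.100
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header line, indented child lines) blocks.

    A line with no leading whitespace starts a block (global commands are
    blocks with no children); indented lines belong to the block above.
    Comment lines ('!') and blank lines are ignored."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[Finding]:
    """Return the findings for one running-config; an empty list is a pass."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings: List[Finding] = []

    if not any(h.startswith("enable secret") for h in headers):
        findings.append(("NO-ENABLE-SECRET", "no 'enable secret': privileged mode is unprotected or relies on a reversible 'enable password'"))
    if any(h.startswith("enable password") for h in headers):
        findings.append(("ENABLE-PASSWORD", "'enable password' is stored in clear text or reversible type 7; use 'enable secret'"))
    if "service password-encryption" not in headers:
        findings.append(("NO-PWD-ENCRYPTION", "line passwords are stored in clear text; add 'service password-encryption'"))
    if any(h.startswith("ip http server") for h in headers):
        findings.append(("HTTP-SERVER", "plain-HTTP management server enabled; disable it or use 'ip http secure-server' only"))

    for header, children in blocks:
        if header.lower() == "interface vlan1" and any(c.startswith("ip address") for c in children):
            findings.append(("MGMT-VLAN1", "management SVI is on VLAN 1, the default for every port; use a dedicated management VLAN"))
        if not header.startswith("line vty"):
            continue
        if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
            findings.append(("VTY-NO-ACL", f"{header}: no inbound access-class, any source may attempt to log in"))
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(("VTY-TELNET", f"{header}: Telnet (clear text) is accepted; set 'transport input ssh'"))
        if "login" in children and not any(c.startswith("password") for c in children):
            findings.append(("VTY-NO-PASSWORD", f"{header}: 'login' with no password; remote logins will be refused"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("tutorial config", SAMPLE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for check, msg in audit(cfg):
            print(f"  {check}: {msg}")
```

Feed it the output of show running-config saved to a file; the tutorial's own config yields three findings (no password encryption, management on VLAN 1, Telnet reachable), and the hardened variant none.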

 

The steps above give a basic set-up of a Cisco switch. There are of course more things you can configure (SNMP, NTP, AAA, logging, etc.), but those depend on the requirements of each particular network.

Set up NAT using the Cisco IOS

Network address translation (NAT) has become one of the key components of today's corporate networks attached to the Internet. See how to set up and manage NAT using the Cisco Internetwork operating system. 

Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies: it translates one network address into another. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet has caused a shortage of IP addresses, so NAT is a key tool for connecting corporate networks that use private IP addresses to the Internet. Since Cisco provides the bulk of the routers that connect to the Internet, we’re going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).

Understanding NAT
Using NAT to connect to the Internet allows you to:
  • Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
  • Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
  • Hide the addresses of hosts on your local network behind the single public IP address, so that outside hosts cannot easily target them directly. (This is a side effect, not a security control: NAT does not replace a firewall or an inbound access list.)

The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:
  • Inside Local—This is the local IP address of the private host on your network (i.e., your PC’s IP address).
  • Inside Global—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.
  • Outside Local—This is the IP address of the remote host as it appears on the private network, i.e., what your local host sees as the address of the remote host.
  • Outside Global—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).

My first reaction after reading Cisco’s definitions for these terms was nearly total confusion, so don’t feel bad if you feel the same thing. But after seeing a diagram of these terms, it started to click for me. Take a look at Figure A for a logical diagram of these terms.

Figure A


Configuring NAT
To configure the standard NAT scenario I mentioned in the opening paragraph, refer to Figure B and then follow the simple steps below, which assume a Cisco router between your local network and the Internet.

Figure B

  1. Configure your pool of legal, public IP addresses that the router can use to represent your local addresses on the Internet. This pool can contain as few as one or as many addresses as you would like to provide. For a small to medium-size network, one address is typically fine. The syntax is:
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  2. Define an access list to specify which range of IP addresses is allowed to be translated from your local network to the remote network. This is, basically, a security feature asking you, “Who (what range of IP addresses) can use the NAT service?” Note that source-wildcard is an IOS wildcard mask (0 bits must match, 1 bits are ignored), not a subnet mask. The syntax is:
access-list access-list-number permit source [source-wildcard]
  3. Specify that you want a dynamic translation from the source IP addresses matched by the access list to the pool, and that you want to overload the pool address (or addresses), i.e., let many hosts share each address by port. The syntax is:
ip nat inside source list access-list-number pool name overload
  4. Specify which of the router’s interfaces is the “inside” interface. The commands for the Ethernet 0 interface are:
interface ethernet0
ip nat inside
  5. Specify which of the router’s interfaces is the “outside” interface. The commands for the Serial 0 interface are:
interface serial0
ip nat outside
  6. Add a static route to your router to send any traffic not destined for your local network to the Internet interface. (In our case, I will use a default route to send traffic out the serial interface.) Here’s the syntax:
ip route 0.0.0.0 0.0.0.0 serial0

Listing A  shows the resulting configuration for the router. One way to examine this on your router would be to issue the command show run.

How is this possible?
This configuration lets any host on your local network (such as a desktop PC) connect to the Internet using the single registered IP address in the pool, which is being overloaded. Traffic from that PC therefore leaves the router with a source IP address taken from the pool rather than the PC’s private address.

If you think about this for a minute, you might wonder how multiple hosts can share the same IP address in the overload configuration, since we are taught that one IP address is assigned to one host and there is no sharing (any more than there is sharing of a social security number).

The answer is that NAT gets around this rule by recording, for every connection, a translation-table entry keyed on ports: the inside local address and port, the inside global address together with the port the router allocated for that connection, and the outside address and port. Because each inside connection gets its own inside global port, the router can map return traffic back to the right host, and so “overloads” a single IP address with multiple hosts. This port-based form of NAT is also called Port Address Translation (PAT).
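To make the translation table concrete, the following Python model is an added example by the editor, not Cisco code. It simulates the overload table for one inside-global address: every inside flow gets a table entry, return traffic is mapped back by the allocated port, and a packet from outside with no entry goes nowhere. The addresses are constructed (203.0.113.10 as the single pool address, 10.1.1.0/24 as the inside network permitted by the translation access list, 198.51.100.80 as an outside web server), and keeping global ports unique across all flows is a simplification of what IOS does.

```python
"""Simulate the NAT overload (PAT) translation table described above: many
inside-local hosts share one inside-global address, kept apart by the port
the router allocates and records per flow.

Added example by the editor, not Cisco code. Addresses are constructed
(203.0.113.10 as the single pool address, 10.1.1.0/24 as the inside network
permitted by the translation access-list, 198.51.100.80 as an outside web
server). Global ports are kept unique across all flows, a simplification."""
import ipaddress
from typing import Dict, Optional, Set, Tuple

Packet = Tuple[str, int, str, int]      # (src ip, src port, dst ip, dst port)


class PatTable:
    def __init__(self, inside_global: str, inside_network: str) -> None:
        self.inside_global = inside_global
        # Plays the role of 'access-list N permit <network> <wildcard>' in step 2:
        # only these sources are translated.
        self.inside_network = ipaddress.ip_network(inside_network)
        # inside-local flow -> inside-global port (one entry per host/port/destination)
        self.out_map: Dict[Packet, int] = {}
        # (inside-global port, outside ip, outside port) -> inside-local (ip, port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.used_ports: Set[int] = set()

    def _allocate(self, preferred: int) -> int:
        """IOS keeps the original source port when it is free, otherwise picks another."""
        port = preferred if preferred not in self.used_ports else next(
            p for p in range(1024, 65536) if p not in self.used_ports)
        self.used_ports.add(port)
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet. None means 'not translated':
        the source is outside the permitted range, so it would leave with its
        private address and be dropped upstream."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if ipaddress.ip_address(src_ip) not in self.inside_network:
            return None
        if pkt not in self.out_map:
            gport = self._allocate(src_port)
            self.out_map[pkt] = gport
            self.in_map[(gport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.inside_global, self.out_map[pkt], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet. None means no table entry, so
        the packet is dropped: nothing maps unsolicited traffic to an inside host."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.inside_global:
            return None
        entry = self.in_map.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return (src_ip, src_port, local_ip, local_port)


def demo() -> dict:
    nat = PatTable("203.0.113.10", "10.1.1.0/24")
    a = nat.outbound(("10.1.1.100", 40000, "198.51.100.80", 80))
    # A second host happens to use the same source port: it gets a different global port.
    b = nat.outbound(("10.1.1.101", 40000, "198.51.100.80", 80))
    reply_b = nat.inbound(("198.51.100.80", 80, "203.0.113.10", b[1]))
    stray = nat.inbound(("198.51.100.80", 80, "203.0.113.10", 2222))
    untranslated = nat.outbound(("192.168.5.5", 40000, "198.51.100.80", 80))
    return {"a": a, "b": b, "reply_b": reply_b, "stray": stray, "untranslated": untranslated}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The two inside hosts that both chose source port 40000 come out as 203.0.113.10:40000 and 203.0.113.10:1024, the reply to the second is delivered to 10.1.1.101:40000, and the packet aimed at port 2222 is dropped because no host ever created that entry.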

You can learn more about NAT and how to configure the other two possible uses of NAT from the Cisco Tech Tips pages and from the online Cisco IOS documentation pages on configuring IP addressing and IP addressing commands.

Context-Based Access Control (CBAC): Introduction and Configuration

Introduction

The Context-Based Access Control (CBAC) feature of the Cisco IOS® Firewall Feature Set inspects the traffic passing through the router and keeps state for sessions initiated from the protected side. Static access lists still decide what traffic is let in and out (in the same way that Cisco IOS uses access lists elsewhere), but CBAC adds ip inspect rules: when an inside host opens a session, CBAC inspects the protocol (so that, for example, the data channel negotiated by an FTP session is recognised and protocol anomalies are caught) and dynamically adds temporary entries that let the return traffic of that session back in through the inbound access list. Traffic that no inside host asked for is still blocked by the static list.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information

CBAC can also be used with Network Address Translation (NAT), but the configuration in this document deals primarily with pure inspection. If you perform NAT, your access lists need to reflect the global addresses, not the real addresses.

Prior to configuration, consider these questions.

What Traffic Do You Want to Let Out?

What traffic you want to let out depends on your site security policy, but in this general example everything is permitted outbound. If your access list denies everything, then no traffic can leave. Specify outbound traffic with this extended access list, where source-mask is an IOS wildcard mask (0 bits must match, 1 bits are ignored), not a subnet mask:

access-list 101 permit ip [source-network] [source-mask] any
access-list 101 deny ip any any

What Traffic Do You Want to Let In?

What traffic you want to let in depends on your site security policy. However, the logical answer is anything that does not damage your network.

In this example, there is a list of traffic that seems logical to let in. Internet Control Message Protocol (ICMP) traffic is generally acceptable, but some of its types open possibilities for DoS attacks, so only the useful types are permitted. The two access lists are shown first as show access-lists displays them (with hit counts), then as they are entered in the configuration:

Extended IP Access List 101

permit tcp 10.10.10.0 0.0.0.255 any (84 matches)
permit udp 10.10.10.0 0.0.0.255 any
permit icmp 10.10.10.0 0.0.0.255 any (3 matches)
deny ip any any

Extended IP Access List 102

permit eigrp any any (486 matches)
permit icmp any 10.10.10.0 0.0.0.255 echo-reply (1 match)
permit icmp any 10.10.10.0 0.0.0.255 unreachable
permit icmp any 10.10.10.0 0.0.0.255 administratively-prohibited
permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
permit icmp any 10.10.10.0 0.0.0.255 echo (1 match)
permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
deny ip any any (62 matches)

access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit udp 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any

access-list 102 permit eigrp any any
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 administratively-prohibited
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 echo
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
access-list 102 deny ip any any

Access list 101 is for the outbound traffic. Access list 102 is for the inbound traffic. The access lists permit only a routing protocol, Enhanced Interior Gateway Routing Protocol (EIGRP), and specified ICMP inbound traffic.

In the example, a server on the Ethernet side of the router is not accessible from the Internet: access list 102 blocks any session set-up from outside. To make it accessible, the access list needs to be modified to allow the conversation to occur. To change a numbered access list on the IOS release used here, remove the access list, edit it, and reapply the updated list.

Note: The reason to remove access-list 102 before editing and reapplying it is the "deny ip any any" at the end of the list. IOS evaluates the entries top-down and stops at the first match, and a new entry is always appended at the end. If you were to add the new entry without removing the list first, it would sit after the deny and would never be checked. (Newer IOS releases give ACL entries sequence numbers so that an entry can be inserted before the deny in place; the rule that order decides still applies.)

This example adds the Simple Mail Transfer Protocol (SMTP) for 10.10.10.1 only; in the complete configuration at the end of this section the new entry sits above the final deny.

Extended IP Access List 102

permit eigrp any any (385 matches)
permit icmp any 10.10.10.0 0.0.0.255 echo-reply
permit icmp any 10.10.10.0 0.0.0.255 unreachable
permit icmp any 10.10.10.0 0.0.0.255 administratively-prohibited
permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
permit icmp any 10.10.10.0 0.0.0.255 echo
permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
permit tcp any host 10.10.10.1 eq smtp (142 matches)

!--- In this example, you inspect traffic that has been
!--- initiated from the inside network.
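The ordering rule in the note above is easy to get wrong and easy to test. The following Python evaluator is an added example by the editor, not Cisco code: it applies a numbered extended access list the way the router does (top-down, first match wins, implicit deny at the end) and shows that the SMTP entry appended after "deny ip any any" never matches while the same entry placed before it does. It covers the syntax used on this page (ip/tcp/udp/icmp/eigrp; any, host X, X wildcard; eq port after a tcp/udp address; a trailing ICMP type name); the test packets and addresses are constructed.

```python
"""Evaluate packets against a Cisco IOS numbered extended access list the way
the router does: top-down, first match wins, implicit 'deny ip any any' at the
end. demo() reproduces the pitfall in the note above: an SMTP entry appended
after 'deny ip any any' is never reached.

Added example by the editor, not Cisco code. It covers the syntax used on this
page (ip/tcp/udp/icmp/eigrp; 'any', 'host X', 'X wildcard'; 'eq port' after
a tcp/udp address; a trailing ICMP type name). Test packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "ftp": 21, "domain": 53}

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass
class Match:
    net: int
    wild: int                   # IOS wildcard mask: 1 bits are "don't care"
    port: Optional[int] = None  # from 'eq'; only meaningful for tcp/udp

    def hit(self, ip: str, port: Optional[int]) -> bool:
        if (_ip(ip) & ~self.wild) != (self.net & ~self.wild):
            return False
        return self.port is None or self.port == port

@dataclass
class Ace:
    action: str
    proto: str
    src: Match
    dst: Match
    icmp_type: Optional[str]
    text: str

def _parse_addr(tok: List[str], i: int) -> Tuple[Match, int]:
    if tok[i] == "any":
        m, i = Match(0, 0xFFFFFFFF), i + 1
    elif tok[i] == "host":
        m, i = Match(_ip(tok[i + 1]), 0), i + 2
    else:
        m, i = Match(_ip(tok[i]), _ip(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "eq":
        m.port = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]
        i += 2
    return m, i

def parse_acl(lines: List[str]) -> List[Ace]:
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"not an extended ACL entry: {line}")
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        aces.append(Ace(action, proto, src, dst, icmp_type, line))
    return aces

def evaluate(aces: List[Ace], proto: str, src: str, dst: str, sport: Optional[int] = None,
             dport: Optional[int] = None, icmp_type: Optional[str] = None) -> Tuple[str, str]:
    """Return (action, entry that decided) for one packet; 'ip' entries match any protocol."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not ace.src.hit(src, sport) or not ace.dst.hit(dst, dport):
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"

# Constructed from the page's access-list 102: SMTP appended after the deny (wrong)
# versus inserted before it (right).
COMMON = [
    "access-list 102 permit eigrp any any",
    "access-list 102 permit icmp any 10.10.10.0 0.0.0.255 echo-reply",
    "access-list 102 permit icmp any 10.10.10.0 0.0.0.255 unreachable",
]
SMTP = "access-list 102 permit tcp any host 10.10.10.1 eq smtp"
DENY = "access-list 102 deny ip any any"
ACL_APPENDED = parse_acl(COMMON + [DENY, SMTP])
ACL_FIXED = parse_acl(COMMON + [SMTP, DENY])

def demo() -> dict:
    smtp_pkt = dict(proto="tcp", src="192.0.2.7", dst="10.10.10.1", sport=51515, dport=25)
    return {
        "smtp_appended": evaluate(ACL_APPENDED, **smtp_pkt),
        "smtp_fixed": evaluate(ACL_FIXED, **smtp_pkt),
        "echo_reply": evaluate(ACL_FIXED, "icmp", "192.0.2.7", "10.10.10.9", icmp_type="echo-reply"),
        "ssh": evaluate(ACL_FIXED, "tcp", "192.0.2.7", "10.10.10.1", sport=51515, dport=22),
    }

if __name__ == "__main__":
    for name, (action, entry) in demo().items():
        print(f"{name:14} {action:6} by: {entry}")
```

Run against the page's lists, an inbound SMTP packet to 10.10.10.1 is denied by "deny ip any any" when the SMTP line was appended and permitted when it precedes the deny; an SSH attempt to the same host is denied either way.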

What Traffic Do You Want to Inspect?

The CBAC within Cisco IOS supports:

Keyword      Protocol
cuseeme      CUSeeMe Protocol
ftp          File Transfer Protocol
h323         H.323 Protocol (for example Microsoft NetMeeting or Intel Video Phone)
http         HTTP Protocol
rcmd         R commands (r-exec, r-login, r-sh)
realaudio    Real Audio Protocol
rpc          Remote Procedure Call Protocol
smtp         Simple Mail Transfer Protocol
sqlnet       SQL Net Protocol
streamworks  StreamWorks Protocol
tcp          Transmission Control Protocol
tftp         TFTP Protocol
udp          User Datagram Protocol
vdolive      VDOLive Protocol

Each protocol is tied to a keyword name. Group the keywords into a named inspection rule, then apply that rule to the interface you want to inspect. For example, this rule inspects FTP, SMTP and generic TCP (which covers Telnet and any other TCP session not matched by a more specific keyword):

router1#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
router1(config)#ip inspect name mysite ftp
router1(config)#ip inspect name mysite smtp
router1(config)#ip inspect name mysite tcp
router1(config)#end
router1#show ip inspect config
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500]connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50.
Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name mysite

ftp timeout 3600
smtp timeout 3600
tcp timeout 3600
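The show ip inspect config output above lists the parameters that govern the dynamic side of CBAC: per-protocol idle times, the half-open session thresholds, and the per-host cap on incomplete TCP connections. The model below is an added example by the editor, not Cisco code, that shows what those parameters do: a session table that admits return traffic only for sessions initiated from the inside, expires entries with the page's tcp and udp idle-times, and refuses new half-open TCP sessions to a host once 50 are outstanding. Addresses and the packet sequence in demo() are constructed; a packet admitted here bypasses access-list 102, while one that is not admitted is left to the static list, which in this design denies it.

```python
"""Model what CBAC adds on top of the static access lists: a session table
that admits return traffic only for sessions the inside network initiated,
ages entries with the tcp/udp idle-times from 'show ip inspect config', and
caps half-open TCP sessions per destination host.

Added example by the editor, not Cisco code. Timer and threshold values are
the defaults printed above; the addresses and packet sequence in demo() are
constructed. A return packet admitted here bypasses access-list 102; one that
is not admitted is left to the static ACL, which in this design denies it."""
from dataclasses import dataclass
from typing import Dict, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, inside ip, inside port, outside ip, outside port)

IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}   # tcp idle-time / udp idle-time
MAX_INCOMPLETE_PER_HOST = 50              # max-incomplete tcp connections per host


@dataclass
class Session:
    state: str          # tcp: syn_sent -> syn_received -> established; udp: established at once
    last_seen: float


class CbacInspector:
    def __init__(self) -> None:
        self.sessions: Dict[Flow, Session] = {}

    def _expire(self, now: float) -> None:
        for flow in [f for f, s in self.sessions.items() if now - s.last_seen > IDLE_TIMEOUT[f[0]]]:
            del self.sessions[flow]

    def half_open_to(self, host: str) -> int:
        return sum(1 for f, s in self.sessions.items()
                   if f[0] == "tcp" and f[3] == host and s.state != "established")

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Inside-initiated packet seen by 'ip inspect mysite in' on Ethernet0.
        False means CBAC refused to open a new session (half-open cap reached)."""
        self._expire(now)
        flow = (proto, src, sport, dst, dport)
        sess = self.sessions.get(flow)
        if sess is not None:
            if sess.state == "syn_received":      # the inside host's ACK completes the handshake
                sess.state = "established"
            sess.last_seen = now
            return True
        if proto == "tcp" and self.half_open_to(dst) >= MAX_INCOMPLETE_PER_HOST:
            return False
        self.sessions[flow] = Session("established" if proto == "udp" else "syn_sent", now)
        return True

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Packet arriving from the outside. True: a dynamic entry admits it."""
        self._expire(now)
        sess = self.sessions.get((proto, dst, dport, src, sport))   # reverse of the stored flow
        if sess is None:
            return False
        if sess.state == "syn_sent":
            sess.state = "syn_received"
        sess.last_seen = now
        return True


def demo() -> dict:
    cbac = CbacInspector()
    t = 1000.0
    syn = cbac.outbound("tcp", "10.10.10.5", 40000, "198.51.100.80", 80, t)
    syn_ack = cbac.inbound("tcp", "198.51.100.80", 80, "10.10.10.5", 40000, t + 1)
    cbac.outbound("tcp", "10.10.10.5", 40000, "198.51.100.80", 80, t + 2)              # ACK
    unsolicited = cbac.inbound("tcp", "198.51.100.80", 80, "10.10.10.5", 40001, t + 2)
    cbac.outbound("udp", "10.10.10.5", 5000, "198.51.100.53", 53, t)
    udp_late = cbac.inbound("udp", "198.51.100.53", 53, "10.10.10.5", 5000, t + 31)   # past udp idle-time
    for p in range(MAX_INCOMPLETE_PER_HOST):                                          # SYN flood from one inside host
        cbac.outbound("tcp", "10.10.10.6", 50000 + p, "198.51.100.99", 80, t + 3)
    flood_refused = cbac.outbound("tcp", "10.10.10.6", 60000, "198.51.100.99", 80, t + 3)
    return {"syn": syn, "syn_ack": syn_ack, "unsolicited": unsolicited, "udp_late": udp_late,
            "half_open_to_web": cbac.half_open_to("198.51.100.80"),
            "half_open_to_flooded": cbac.half_open_to("198.51.100.99"), "flood_refused": flood_refused}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The SYN-ACK for the session the inside host opened is admitted, a packet to a port nobody opened is not, a UDP reply 31 seconds after the request finds its entry already aged out, and the 51st half-open connection to one destination is refused.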

This document addresses what traffic you want to let out, what traffic you want to let in, and what traffic you want to inspect. Now that you are prepared to configure CBAC, complete these steps:

  1. Apply the configuration.

  2. Enter the access lists as configured above.

  3. Configure the inspection statements.

  4. Apply the access lists to the interfaces.

After this procedure, your configuration appears as in the configuration below. Note that this Cisco example dates from IOS 11.2 and carries settings that should not survive on a production router: service tcp-small-servers and service udp-small-servers are enabled (echo, chargen and discard, all useful to an attacker), no service password-encryption leaves line passwords readable in the configuration, and the VTY lines have login but no password, which makes IOS refuse every remote login. Disable the small servers, enable password encryption, and give the VTY lines a password (or local/AAA login) and an access-class before deploying.

Context-Based Access Control Configuration
!
version 11.2
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router1
!
!
no ip domain-lookup
ip inspect name mysite ftp
ip inspect name mysite smtp
ip inspect name mysite tcp
!
interface Ethernet0
ip address 10.10.10.2 255.255.255.0
ip access-group 101 in
ip inspect mysite in


no keepalive
!
interface Serial0
no ip address
encapsulation frame-relay
no fair-queue
!
interface Serial0.1 point-to-point
ip address 10.10.11.2 255.255.255.252
ip access-group 102 in
frame-relay interface-dlci 200 IETF
!
router eigrp 69
network 10.0.0.0
no auto-summary
!
ip default-gateway 10.10.11.1
no ip classless
ip route 0.0.0.0 0.0.0.0 10.10.11.1
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit udp 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 permit eigrp any any
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 administratively-prohibited
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 echo
access-list 102 permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
access-list 102 permit tcp any host 10.10.10.1 eq smtp
access-list 102 deny ip any any
!
line con 0
line vty 0 4
login
!
end

Set up a PIX 501 firewall from scratch

Use this tutorial to learn how to set up a Cisco PIX Firewall from start to finish. 

Cisco’s PIX firewall is one of the more common hardware devices used to protect small- to medium-size networks from outside attacks. A correctly configured PIX also helps you maintain some level of control over resources that internal users can access. In this article, I’ll walk through the steps to get a PIX firewall up and running in a useful configuration.

I’ll be using the relatively lightweight PIX 501 for my example setup. (This unit will run you somewhere around $450 for a 10-user license bundle.) The PIX 501 includes a console port, a WAN port, four 10/100 Ethernet ports, and it supports up to 10 internal IP addresses as well as optional DES encryption. I’ll be installing under PIX management software version 6.2(1). Your configuration steps may differ slightly from the ones presented in this article if you’re using a different version of the software.

Getting started
First of all, physically install your PIX where you’ll be able to connect it to both the network and directly to a Windows-based PC via a serial cable. The PIX operating system includes two methods of management: the command line and the PIX Device Manager (PDM), a Web-based GUI that can handle almost the entire configuration process. Of course, you’ll have to use the command line to set up an IP address for the PIX before you are able to use the PDM.

The default IP address
The PIX 501 assigns the address 192.168.1.1 to its inside interface by default, so it can be reached from the internal network out of the box. If you are willing to accept this default, you can skip the command-line setup on this particular unit. I’ll walk through the IP assignment process here anyway, to give a more thorough overview of the configuration steps for other PIX models.

To begin the configuration process, you must connect your administrative PC to the PIX via HyperTerminal. Simply link the PIX’s console port to the PC via the serial cable. In HyperTerminal, set the baud rate to 9600. Once connected, the PIX asks you to do some basic configuration via a number of prompts at the command line.

Connecting via HyperTerminal
For more information on connection to Cisco equipment via HyperTerminal, check out Jack Wallen, Jr’s. article, Taking your first steps with a Cisco router.

The command line setup process
Listing A provides a transcript of my sample setup routine for my PIX 501. The items in bold are my responses to the prompts. I’ve also included a few notes about some of the questions.

Getting current
If you have a new PIX, you should check the version of the management software installed on it using the version command at the command prompt. To do an upgrade, you’ll need to download the newest images from the Cisco support Web site. You’ll need a support contract on your firewall to successfully download the upgrade. I always recommend support contracts on single points of failure in a network; the contracts aren’t terribly expensive considering how much they can end up saving you. If you do not have a support contract, you’ll have to register your product and purchase a contract on the Customer Registration page.

As of this writing, the most current PIX software image available is 6.2.1 (login required) and the PIX Device Manager is in version 2.0.1 (login required). Going to the new PDM is critical if you want to use VPNs because version 1.x does not support their configuration. The files are named pix621.bin and pdm-201.bin, respectively.

The PIX software
Installing the newest version of the PIX software is as easy as following these steps:
  1. Save the PIX files into a directory accessible by your TFTP server. If you need a TFTP server, Cisco provides one for free.
  2. Connect via HyperTerminal to make sure the serial link is still working.
  3. Reboot the PIX by either power cycling it or issuing a reboot command at the command line.
  4. When a message appears indicating that the configuration is about to load from flash, press [Esc] to put the PIX into monitor mode.
  5. Provide the PIX with some information about its addressing and where it can find your TFTP server, as well as the name of the binary to install. I entered the information in Table A for my set up.

Table A

Monitor-mode command     Purpose
address 192.168.1.20     Internal address of the PIX.
server 192.168.1.2       IP address of my TFTP server.
file pix621.bin          Name of the file to download.
tftp                     Starts the TFTP transfer of the new image.

When the install routine is complete, elect to save this image to flash. The unit will reboot with the new PIX software loaded.

Updating the PDM software
My PIX 501 came with version 1.x of the PDM, which is out of date. To upgrade it, I used the copy tftp://192.168.1.2/pdm-201.bin flash:pdm command at the PIX prompt to update the GUI tool.

Move to the GUI
Once you’ve completed the basic configuration, you’ll be able to use the PDM to complete the installation. From the workstation with the IP address that you provided in the command-line configuration, you can browse to your PIX using HTTPS. For my installation, I will browse to https://192.168.1.20. The PDM works with any browser that supports Java and JavaScript, but Internet Explorer 5.0 or higher is recommended.

You’ll be asked to provide a username and password to access the PDM. The PIX PDM does not use a username, but it does use the password field, which needs to match the enable password that we configured during the command-line setup. For my configuration, this password is “admin”; that is a placeholder for this walk-through, and since the enable password also protects the PDM it should be a strong one on a real firewall.

The PDM will ask you whether or not you want to install the PDM software. Choosing either Grant Always or Grant This Session will allow the connection either every time or just this once, respectively. The other option is to deny the session by clicking Deny. I’ll choose the Grant Always option.

Next, the PDM informs me that since this is the first time the PDM has been used, it must do a one-time configuration. I’ll allow this by choosing the Proceed button. The PDM then loads the configuration from your PIX and populates the various GUI screens with that information. The final result is the opening screen for the PDM, shown in Figure A.

Figure A
The PDM provides a number of configuration screens.


The tabs
Each of the PDM’s tabs represent a different service.
  • Access Rules: Shows your network access policy listed as rules. If you have used Checkpoint’s policy editor software, the look and feel of this tab will be somewhat familiar.
  • Translation Rules: Shows your NAT and PAT (port address translation) rules.
  • VPN: Lets you set up your VPN configuration.
  • Hosts/Networks: Lets you edit the list of hosts and networks defined for a selected interface. Access rules reference these hosts and networks.
  • System Properties: Lets you make changes to the configuration of network interfaces.
  • Monitoring: Lets you watch various aspects of the system.

Basic configuration
The PIX needs to have certain parameters supplied to it before it can begin its work. While some of these parameters, such as the internal IP address, were defined during the initial command line configuration, the PIX still needs some vital information, such as the outside interface IP address and Access rules.

Setting up the outside interface
On my PIX 501, the inside interface is set to 192.168.1.20 and the outside interface is configured to obtain an IP address from my ISP’s DHCP server. I want to assign a static IP address to this interface, however. I can do this from the PDM’s System Properties tab, as shown in Figure B.

Figure B
You can configure the interface from the System Properties tab.


As you can see in the Interfaces table shown in Figure B, I have two interfaces on my PIX 501: inside and outside. These interface names were assigned during the initial system configuration; the inside interface name can be changed to anything you want. To change the IP address of an interface, select the interface entry in the list and then click the Edit button at the bottom of the screen to open the Edit Interface screen shown in Figure C. I’ve set the IP address of the WAN interface to 10.10.10.1 and retained the name “outside.”

Figure C
Making addressing changes is easy with the PDM.


I click OK and return to the main PDM window, where the now-active Apply To PIX button will let me save my changes in this session. To make my changes permanent, I’ll need to save them to flash on the PIX. As shown in Figure D, the PDM lets you know when a flash save is needed; simply clicking the message will write the new configuration to the PIX. Once you save to flash, the message goes away.

Figure D
The PDM lets you know when you need to save to flash.


Access rules
Access rules form the basis of the PIX’s security policies and need to be carefully administered. Many organizations have access rules that allow certain traffic, such as SMTP, to traverse the firewall from the outside, or they block the use of a specific service, such as IM, from inside the firewall.

Let’s suppose you want to block access to a specific Web site, such as www.whitehouse.com. First, you need to look up the IP address for www.whitehouse.com, which at the time of writing was 209.67.27.248. Blocking by destination address is fragile: the address can change, and if the site is on shared hosting the rule blocks every site on that address as well, so check the current address before relying on it. On the PDM’s Access Rules tab, right-click anywhere and choose Add from the shortcut menu.

In Figure E, I have configured the PIX to deny all traffic from the inside interface to the IP address 209.67.27.248 on the outside.

Figure E
Blocking access to a Web site is a snap with the PDM.


When I click OK, I get a message indicating that the host does not exist on the outside network, and PDM offers to let me set it up, as you can see in Figure F.

Figure F
The PDM helps you set up a new external host.


To check this operation, I can click on Outside Interface in the Hosts/Network tab and see (Figure G) that the White House has been added as a host.

Figure G
Whitehouse.com is now on the hosts list.


Compatibility and responsibility
Remember to administer your PIX responsibly by saving your configuration every so often and keeping a hard copy. I’ve had to rebuild a PIX configuration from scratch in the middle of a frantic day as a result of a very simple mistake.