Tag Archives: Network

Static IP and Dynamic IP Point-to-Point VPNs

I used to use a router for each P2P VPN tunnel before I realized that these can all be kept on one router. So I have moved all of our P2P VPNs (besides one) to a Cisco ISR 2811, and any new VPNs are terminated there. Recently, I was tasked with getting a home user a constant connection so that their hard phone could connect to our internal 3Com NBX. The phones talk to the NBX at the data link layer (layer 2) by default, but can be programmed to communicate over IP (layer 3). A constant, external connection that uses layer 3 pretty much says VPN tunnel all over it, and I want to keep the same design of using one endpoint to terminate the VPN tunnels.

I’ve set up many a VPN tunnel for clients and a few to our call centers over the Internet, but never a P2P to a home user. The problem here is that the home user may not always come from the same IP address. So I needed a way to allow connections from any IP address using a specific key, while still allowing connections from specific IPs using their own keys. Searching for this, I found a few Cisco sites using ISAKMP profiles. I configured this and got it to work for the home P2P tunnel, but the other client P2P tunnels failed. The reason is that profiles take precedence over ISAKMP policies, and the profile was set up to accept connections from 0.0.0.0 0.0.0.0. Therefore, the client P2P VPNs would try to match their key against the key set up for the home P2P, which would obviously fail. After some more looking, it turns out profiles are intended for allowing more than one type of authentication, whereas here I am only using one type of authentication, pre-shared keys (PSK).

Nonetheless, after a lot of trial and error and googling, I finally found the one command I was looking for: crypto isakmp key $key address 0.0.0.0

Apparently, the term for this is “wildcard keys”: any endpoint that meets the Phase 1 parameters and has the proper key can create a VPN tunnel. Using this allowed both the current P2P VPN sessions and the home session to connect at the same time. If you want some more info and a bit more of a walkthrough of my thought process, you can have a look at the networking-forum.com post: . Also, here’s the final config that I used to get this connection working on my side:

crypto isakmp policy 200
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 900
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key $KEY address 65.x.x.x
crypto isakmp key $KEY address 113.x.x.x
crypto isakmp key $KEY address 190.x.x.x
crypto isakmp key $KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 periodic
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map ZachHome 1000
 set transform-set esp-3des-sha
!
!
crypto map external_ipsec 200 ipsec-isakmp
 set peer 65.x.x.x
 set transform-set esp-3des-sha esp-3des-md5
 match address
crypto map external_ipsec 900 ipsec-isakmp
 set peer 113.x.x.x
 set transform-set esp-aes-sha
 match address
crypto map external_ipsec 65000 ipsec-isakmp
 set peer 190.x.x.x
 set transform-set esp-3des-sha
 match address
crypto map external_ipsec 65500 ipsec-isakmp dynamic ZachHome
!
!
!
interface FastEthernet0/0
 ip address 10.30.110.250 255.255.255.252
 ip access-group inside_allowed_in in
 ip access-group outbound_to_inside out
 ip nat inside
!
interface FastEthernet0/1
 ip address 64.x.x.x 255.255.255.240
 ip access-group inbound_from_outside in
 ip nat outside
 crypto map external_ipsec


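As an added check (my own example, not from the original post or from Cisco), here is a small Python script that parses the crypto isakmp key and crypto map lines of a config like the one above and flags the mistakes that break this static-plus-wildcard design: a static peer with no key of its own (it would quietly fall back to the wildcard key), a static peer that reuses the wildcard key, and a dynamic map entry that is not the highest sequence number. The config it parses is constructed, with placeholder addresses and key names.

```python
import re

# Constructed sample modelled on the post's config; addresses and keys are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp key KEY_A address 65.0.0.1
crypto isakmp key KEY_B address 113.0.0.1
crypto isakmp key KEY_HOME address 0.0.0.0 0.0.0.0
crypto map external_ipsec 200 ipsec-isakmp
 set peer 65.0.0.1
crypto map external_ipsec 900 ipsec-isakmp
 set peer 113.0.0.1
crypto map external_ipsec 65500 ipsec-isakmp dynamic ZachHome
"""

KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?")
PEER_RE = re.compile(r"^\s*set peer (\S+)")

def parse(config):
    # keys: {peer address or "0.0.0.0": key}; entries: [seq, peer, dynamic-map name]
    keys, entries = {}, []
    for line in config.splitlines():
        if m := KEY_RE.match(line):
            keys[m.group(2)] = m.group(1)  # "0.0.0.0" is the wildcard key
        elif m := MAP_RE.match(line):
            entries.append([int(m.group(2)), None, m.group(3)])
        elif (m := PEER_RE.match(line)) and entries:
            entries[-1][1] = m.group(1)
    return keys, entries

def key_for_peer(keys, peer):
    # IOS prefers the key bound to the peer's exact address; the wildcard is the fallback
    return keys.get(peer) or keys.get("0.0.0.0")

def audit(config):
    keys, entries = parse(config)
    wildcard = keys.get("0.0.0.0")
    dyn_seqs = [seq for seq, _, dyn in entries if dyn]
    warnings = []
    for seq, peer, dyn in entries:
        if dyn:
            continue  # dynamic entry: any peer holding the wildcard key may land here
        if peer not in keys:
            warnings.append(f"seq {seq}: peer {peer} has no own key, "
                            + ("falls back to the wildcard key" if wildcard else "Phase 1 will fail"))
        elif keys[peer] == wildcard:
            warnings.append(f"seq {seq}: peer {peer} reuses the wildcard key")
        if any(seq > d for d in dyn_seqs):
            warnings.append(f"seq {seq}: static entry ordered after the dynamic entry")
    return warnings
```

Run audit() against a show running-config dump; an empty list means every static peer has its own key and the dynamic entry is evaluated last.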
Digi Etherlite 32 As A Terminal Server

While building my lab at work, I have read many posts on forums about others using a terminal server. Namely, they use a Cisco 2500 series router with an async module.

Since we don’t have any spares of this lying around at work, and my place of employment will only spend money on *necessary* equipment that will keep production going, I had to look for another solution. So I started doing some looking and found these “network serial concentrators” (http://www.digi.com) that sounded like they would work. From my understanding, we used these at terminals to allow users to connect to our call manager so they could make calls.

I started looking into them and they sounded like something that would work for my situation. I jumped on Google to see if anyone else had used these to connect to the console ports of Cisco gear, but the best I could find was the pinout. Using T568B as the wiring scheme on the Digi side, the wiring will look like:

[Image: Digi to Cisco console pinout]

Now that we know the pinout of the cable connections, we need to find out how to administer this box. Looking at the box, the only connections it has are the 32 serial ports and one “10BASE-T” uplink port:

[Image: Digi Etherlite 32]

So that means no console connection :(. Looking through Digi’s documentation, it looks like I need to download two packages: one to re-IP the box and one to add virtual COM ports to my machine so I can connect to the Digi’s serial ports.

*NOTE: Prior to downloading and running either of these applications, you will need to find the MAC address of the Digi. Normally it will be labeled on the bottom of the device; however, if it is not (which was my case), just plug it into a managed switch and look up the MAC address learned on that port.

The first program can be found here. Just unzip it and run dgipserv.exe and follow the on-screen instructions.

*NOTE: It is required to unplug the Digi’s power and *only* resupply the power when the program requires it. This is because the Digi will only request an IP address when it first receives power.

Once that is completed and you can ping the IP of the Digi from your machine, you are ready to install the Digi software. I use Windows at work, so here is the link for the Windows installer. Digi also has installers for other operating systems. It is pretty straightforward from here, at least for the Windows setup.

Once the install completes and you have everything cabled up, you just need to open up your favorite serial terminal (PuTTY for me) and open the COM port associated with your device.


I didn’t see much documentation on using a Digi Etherlite product in the manner that I am, so I thought that writing a blog post documenting it would do some good for others :).

If the download links for the Digi applications no longer work, I have them on my Dropbox account:


Barracuda Web Application Firewall

Recently, we purchased a Barracuda Web Application Firewall (WAF) 460 to parse user input for a couple of our critical web applications, namely those that need to touch our credit card environment. Just for clarification purposes, I am NOT a web application administrator in the least bit. Yes, I can write scripts in PHP with MySQL on the back end. Nonetheless, I was tasked with setting up this appliance.

So I get the device, push a trunk to my desktop switch, and start digging into it. Basically, out of the box the WAF will work and will stop users from issuing SQL injection, cross-site scripting (XSS), data mining (credit card / SSN numbers), cookie poisoning, etc. Yet this may not be what is needed in your environment.