Archive

Archive for the ‘Cisco’ Category

Modular Policy Framework (ASA)

July 5th, 2010 rsivanandan No comments

"Productivity increases if you block non-project-related sites" is one of the myths I've seen repeated on various online forums, and there is always counter research showing it has nothing to do with any increase in productivity. I guess I kind of agree too (well, I know one of the leading IT companies that doesn't give internet access to any employee's computer; only the lead/manager has it, and even that is restricted).

Putting the arguments aside, one of the issues is that blocking outgoing connections based on IP address has always been unreliable (imagine the cloud of servers behind, say, Yahoo Mail). The Modular Policy Framework can instead run a regex against the HTTP Host header to see which site the request is going to and block it, if you'd like to.

Here is the Cisco article describing the MPF in detail: {Here}


Now, how do you block access to, say, Facebook or MySpace from your employees? Pete has a good write-up on it, so I'm not going to repeat it here.

In short, the configuration you need is below. Thanks to Pete for providing such a detailed write-up.


On the Global Policy
————————————————-

regex domainlist1 "facebook.com"
class-map type regex match-any DomainBlockList 
  match regex domainlist1 
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
policy-map type inspect http http_inspection_policy 
class BlockDomainsClass
  reset log
policy-map global_policy
  class inspection_default
  inspect http http_inspection_policy
service-policy global_policy global
———————————————-

With its own policy

———————————————–
regex BLOCKED_DOMAIN_1 "www.facebook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
  match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  parameters
  class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside
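As an added illustration (this is not from the original post or from Pete's write-up), the Python below simulates how the `regex` strings in both configurations above are applied to the HTTP Host header by `match request header host regex`. It assumes the inspection engine does an unanchored search with standard regex metacharacters, so the unescaped dot in "facebook.com" matches any character and the pattern also matches hosts like "notfacebook.com"; the `tightened` helper shows an anchored, escaped form that only matches the domain and its subdomains (check that your ASA version's regex syntax accepts `^`, `$` and `\.` before copying it into a `regex` command). The sample Host values are constructed.

```python
import re
from typing import List

# The regex strings from the two MPF configurations above, as given to `regex NAME "..."`.
BLOCK_REGEXES = {
    "domainlist1": "facebook.com",
    "BLOCKED_DOMAIN_1": "www.facebook.com",
}


def normalize_host(host: str) -> str:
    """Lower-case the Host value and drop a ':port' suffix before matching.
    This normalisation is the example's own choice, not documented ASA behaviour."""
    return host.strip().lower().rsplit(":", 1)[0] if ":" in host else host.strip().lower()


def host_header_matches(pattern: str, host: str) -> bool:
    """Simulate `match request header host regex`: an unanchored search, so the
    pattern only has to occur somewhere in the header value (assumption)."""
    return re.search(pattern, normalize_host(host)) is not None


def blocked_by(host: str) -> List[str]:
    """Names of every configured regex that would fire for this Host header."""
    return [name for name, pat in BLOCK_REGEXES.items() if host_header_matches(pat, host)]


def tightened(pattern: str) -> str:
    """Escape literal dots and anchor the pattern so it matches only the domain
    itself or one of its subdomains: 'facebook.com' -> '(^|\\.)facebook\\.com$'."""
    return r"(^|\.)" + re.escape(pattern) + "$"


if __name__ == "__main__":
    # Constructed sample Host headers: the intended target plus three look-alikes.
    for host in ["www.facebook.com", "m.facebook.com", "notfacebook.com", "facebookXcom.example"]:
        loose = blocked_by(host)
        tight = host_header_matches(tightened("facebook.com"), host)
        print(f"{host:24} loose match: {loose!s:34} anchored match: {tight}")
```

Running the block prints one line per sample host; "notfacebook.com" and "facebookXcom.example" are caught by the loose pattern but not by the anchored one, which is the over-blocking (and, for an allow-list, the under-blocking) to watch for when writing these regexes.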

PIX/ASA – Static Port Map & ICMP

October 13th, 2009 rsivanandan No comments

It is not unusual to do a static port map using the IP address assigned to the outside interface of a PIX or ASA in order to map different services inside your network, something like this:

static (inside,outside) tcp 1.1.1.2 www 10.10.10.2 www netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 smtp 10.10.10.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 domain 10.10.10.4 domain netmask 255.255.255.255
static (inside,outside) udp 1.1.1.2 domain 10.10.10.4 domain netmask 255.255.255.255


The mapped address could be either the IP address on the outside interface or any other available public IP address. Now the problem is: how do you allow ping to these servers?

The first line maps HTTP traffic arriving at 1.1.1.2 and redirects it to 10.10.10.2 on the inside LAN. Now, if I want PING to work for the server 10.10.10.2 from anybody on the Internet, how do I do that?

I'm afraid the answer is "you can't". The reason is that there is no 1-to-1 mapping: a static PAT only translates the one protocol/port it names, so ICMP never reaches the inside host through it.

The normal scenario where you can do this is when you use a static NAT instead of a static PAT, as below:

static (inside,outside) 1.1.1.2 10.10.10.4 netmask 255.255.255.255

access-list Outside-In permit tcp any host 1.1.1.2 eq www
access-list Outside-In permit icmp any host 1.1.1.2 echo

access-group Outside-In in interface outside

If you guys know that it can be done in any other way, lemme know as well :-)

Categories: Cisco Tags:

Policy NAT with Cisco ASA Firewalls

September 25th, 2009 rsivanandan No comments

One of the most common things on every ASA/PIX firewall is the NAT configuration for outgoing connections, something like this:

hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0
hostname(config)# global (outside) 1 interface

This tells the firewall that all traffic coming from the inside (local LAN) interface should be PAT'ed before it is routed out through the outside interface (the Internet). You can also define this with an access-list for much more selective NATting. Say you have two networks in your local LAN and want only one of them to be PAT'ed as above.

Call them 10.0.0.0/8 and 192.168.1.0/24, and say only the second one should be NATted. This is achieved with the following statements:

hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 interface

Similarly, you can use an access-list for more controlled NATting, like below:

hostname(config)# nat (inside) 1 access-list 10
hostname(config)# global (outside) 1 interface
access-list 10 permit ip 192.168.1.0 255.255.255.0 any

The beauty is that you can even control this NATting using specific protocol/port combinations. Say you want to allow only internet browsing (HTTP and HTTPS); then:

hostname(config)# nat (inside) 1 access-list 100
hostname(config)# global (outside) 1 interface
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 443

See the advantage here? You avoid having to insert a separate access-list on the outside interface for this purpose. There is another case where you don't want to NAT at all, achieved through nat (inside) 0. Typically this is used for VPN connections: when a VPN terminates on the ASA/PIX, you won't be NATting the traffic going through it, and you achieve that by adding:

nat (inside) 0 access-list 10
access-list 10 permit ip 10.0.0.0 255.0.0.0 any

OR

nat (inside) 0 10.0.0.0 255.0.0.0

However, there is a difference with nat (inside) 0 statements: you cannot control the NAT exemption based on protocols/ports; it matches on IP addresses only. For example:

nat (inside) 0 access-list 100
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80

The above will not work. This is a limitation, and you'd have to use regular access-lists on your interfaces if you want to stop that traffic.

In Cisco’s own words;

On the ASA, policy NAT cannot be applied to nat 0 statements and is not supported:

Identifies the local addresses and destination addresses using an extended access list, also known as policy NAT. Create the access list using the access-list command. You can optionally specify the local and destination ports in the access list using the eq operator. If the NAT ID is 0, then the access list specifies addresses that are exempt from NAT. NAT exemption is not the same as policy NAT; you cannot specify the port addresses, for example.
Note: Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.

Source : { Here }
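As an added example (not from the original posts), the Python below is a small lint for the pre-8.3 `static` and `nat` syntax used in this post and in the "Static Port Map & ICMP" post above. It classifies each `static` as a static PAT (protocol keyword present, so only that protocol/port is translated and ICMP cannot reach the inside host) or a one-to-one static NAT, and it flags `nat (ifc) 0 access-list` statements whose access-list carries a port operator, which the ASA ignores for NAT exemption. The sample configuration is constructed from the lines in these posts with distinct ACL names; the helper names are this example's own.

```python
import re
from typing import Dict, List

PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}

# Constructed sample config (pre-8.3 syntax) assembled from the lines in the posts above.
SAMPLE_CONFIG = [
    "static (inside,outside) tcp 1.1.1.2 www 10.10.10.2 www netmask 255.255.255.255",
    "static (inside,outside) tcp 1.1.1.2 smtp 10.10.10.3 smtp netmask 255.255.255.255",
    "static (inside,outside) 1.1.1.3 10.10.10.4 netmask 255.255.255.255",
    "nat (inside) 1 access-list WEB_ONLY",
    "nat (inside) 0 access-list VPN_EXEMPT",
    "global (outside) 1 interface",
    "access-list WEB_ONLY permit tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list VPN_EXEMPT permit ip 10.0.0.0 255.0.0.0 any",
    "access-list VPN_EXEMPT permit tcp 192.168.1.0 255.255.255.0 any eq 80",
]


def parse_static(line: str) -> Dict[str, str]:
    """Classify one `static` command.

    static (real,mapped) {tcp|udp} mapped_ip mapped_port real_ip real_port ...  -> static PAT
    static (real,mapped) mapped_ip real_ip [netmask mask]                       -> static NAT
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "static":
        raise ValueError(f"not a static command: {line!r}")
    if tokens[2] in ("tcp", "udp"):
        return {"kind": "static-pat", "proto": tokens[2], "mapped_ip": tokens[3],
                "mapped_port": tokens[4], "real_ip": tokens[5], "real_port": tokens[6]}
    return {"kind": "static-nat", "proto": "ip", "mapped_ip": tokens[2], "real_ip": tokens[3]}


def icmp_reachable(config: List[str], mapped_ip: str) -> bool:
    """True only if a one-to-one static NAT exists for mapped_ip. A static PAT
    translates a single protocol/port, so ICMP never passes through it."""
    for line in config:
        if line.startswith("static "):
            entry = parse_static(line)
            if entry["kind"] == "static-nat" and entry["mapped_ip"] == mapped_ip:
                return True
    return False


def nat_exemption_port_issues(config: List[str]) -> List[str]:
    """Return access-list lines referenced by `nat (ifc) 0 access-list NAME` that
    use a port operator; the ASA matches NAT exemption on addresses only, so the
    port part of such a line silently does nothing."""
    exempt_acls = set()
    for line in config:
        m = re.match(r"nat\s*\(\S+\)\s*0\s+access-list\s+(\S+)", line)
        if m:
            exempt_acls.add(m.group(1))
    issues = []
    for line in config:
        parts = line.split()
        if len(parts) > 2 and parts[0] == "access-list" and parts[1] in exempt_acls:
            if any(tok in PORT_OPERATORS for tok in parts[2:]):
                issues.append(line)
    return issues


if __name__ == "__main__":
    for ip in ("1.1.1.2", "1.1.1.3"):
        print(f"ping to {ip} possible through a static: {icmp_reachable(SAMPLE_CONFIG, ip)}")
    for bad in nat_exemption_port_issues(SAMPLE_CONFIG):
        print(f"port operator ignored for NAT exemption: {bad}")
```

Note that the `WEB_ONLY` access-list is not flagged: it belongs to `nat (inside) 1`, which is policy NAT, where ports are honoured.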

Categories: Cisco Tags:

Cisco Router DNS lookup Annoyance

September 20th, 2009 rsivanandan No comments


If you don't know about it, especially if you're a newbie with Cisco routers, one of the annoying things is the message:

Translating….. domain server (255.255.255.255)


User Mode
R1>xxxx

Translating "xxxx"...domain server (255.255.255.255)

(255.255.255.255)

Translating "xxxx"...domain server (255.255.255.255)

% Unknown command or computer name, or unable to find computer address

R1>
Enable Mode
R1#xxxx

Translating "xxxx"...domain server (255.255.255.255)

(255.255.255.255)

Translating "xxxx"...domain server (255.255.255.255)

% Unknown command or computer name, or unable to find computer address

R1#


Well, it is there for a reason and is doing something that may not be obvious. So here is the deal, in Cisco's own words:

By default, when a command in user or enable mode is entered into a router and this command is not recognized, the router believes that this is the host name of a device that the user is attempting to reach using telnet. Therefore, the router tries to resolve the unrecognized command into an IP address by doing an IP domain lookup. If no specific domain server has been configured on the router, the router will issue a broadcast for the command to be translated into an IP address. It can take several seconds for the router prompt to return while the router waits for a response to its Domain Name System (DNS) broadcast.


Simple fix?

Just add 'no ip domain-lookup' in global configuration mode and save the config. The message should be gone.

Source : [ Cisco Online Doc ]

Categories: Cisco Tags:

NTP Server on Cisco ASA 5500

September 6th, 2008 rsivanandan 1 comment


I got a question today on how to configure a Cisco ASA for NTP and have all the machines in the LAN sync their time with the ASA locally.

Well, first of all, if you have an Active Directory setup, I'd recommend setting up your DCs to sync time from a public NTP server and having all your domain member computers sync with the DC. If you don't have an AD setup, or for some reason you want the ASA to be the time master for your network and sync its own time from NTP servers, then the following should help you:

ntp server ip-address [key number] [source if-name] [prefer]

The above command, in config mode, sets the time to be derived from an NTP server.

http://support.ntp.org/bin/view/Servers/LercDnsLercNasaGov

The link above lists an open-access NTP server at NASA's Ohio research center. So the command to configure would be:

ntp server 128.156.1.43 source <interface-name>

That should do it; now point your internal client machines to the ASA for time synchronization.

http://etherealmind.com/2008/06/10/ios-configure-windows-2003-xp-use-ntp-server-sync-time-clock-router/
Look at the above as reference.

Categories: Cisco Tags:

Policy Based Routing

February 16th, 2008 rsivanandan No comments

There was an interesting post on EE recently about policy based routing. The network goes this way:

A LAN is connected to a Cisco router which has two ISP connections. The main one is terminated on serial0/0 and an aDSL link on serial0/1. The internal LAN is connected to Fe0/1.

There are other complexities such as VPN, but let's leave those aside. The basic requirement was to route all traffic through serial0/0 (meaning the default route on the router points to serial0/0), but the user wanted all internet web browsing traffic to go over the aDSL link to save bandwidth on the main link. Something like this is always good to have, and it can be done with policy based routing; we can even include fault tolerance by making the aDSL link the backup in case the main link goes down.

Default route, plus a second default route with a higher administrative distance (10), so it
only gets inserted into the routing table if the first one goes down:

ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 serial0/1 10

The above provides the backup route.

The following route-map decides whether the traffic is web browsing; if so, it sends the
packet out through the aDSL link, otherwise the traffic goes through the main link:

route-map webtraffic permit 10
  match ip address 200
  set ip next-hop <aDSL Interface remote side ip>

access-list 200 permit tcp <Internal Network> <Wildcard Mask> any eq 80
access-list 200 permit tcp <Internal Network> <Wildcard Mask> any eq 443

The route-map is applied to the interface so that it is evaluated where the traffic
enters from the local LAN, which is connected to Fe0/1:

int Fe0/1
  ip policy route-map webtraffic
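To show how the pieces above interact, here is an added Python model (not from the original post or the EE thread) of the forwarding decision: access-list 200 is evaluated with IOS wildcard-mask semantics, the route-map forces web traffic to the aDSL next hop, and anything else follows whichever default route is active, with serial0/1 taking over only when serial0/0 is down. The internal network, wildcard mask and aDSL next-hop address are constructed values standing in for the placeholders in the configuration; the fallback to normal routing when the aDSL next hop is down is this model's assumption about IOS behaviour.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the placeholders in the configuration above.
INTERNAL_NET, INTERNAL_WILDCARD = "192.168.10.0", "0.0.0.255"   # <Internal Network> <Wildcard Mask>
ADSL_NEXT_HOP = "198.51.100.1"                                  # <aDSL Interface remote side ip>

# access-list 200: (protocol, source network, wildcard, destination port); destination is 'any'.
ACL_200: List[Tuple[str, str, str, int]] = [
    ("tcp", INTERNAL_NET, INTERNAL_WILDCARD, 80),
    ("tcp", INTERNAL_NET, INTERNAL_WILDCARD, 443),
]

# The two default routes: (interface, administrative distance). Lowest AD wins when both are up.
DEFAULT_ROUTES = [("serial0/0", 1), ("serial0/1", 10)]
ADSL_INTERFACE = "serial0/1"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def acl_permits(acl: List[Tuple[str, str, str, int]], proto: str, src: str, dport: int) -> bool:
    """First matching entry wins; no match means the implicit deny at the end of the ACL."""
    for p, net, wc, port in acl:
        if p == proto and port == dport and wildcard_match(src, net, wc):
            return True
    return False


def pbr_next_hop(proto: str, src: str, dport: int) -> Optional[str]:
    """route-map webtraffic permit 10: `match ip address 200` then `set ip next-hop`.
    Returns the forced next hop, or None to fall through to the routing table."""
    return ADSL_NEXT_HOP if acl_permits(ACL_200, proto, src, dport) else None


def active_default(up: Dict[str, bool]) -> Optional[str]:
    """Pick the default route with the lowest administrative distance among interfaces that are up."""
    candidates = [(ad, ifc) for ifc, ad in DEFAULT_ROUTES if up.get(ifc, False)]
    return min(candidates)[1] if candidates else None


def egress(proto: str, src: str, dport: int, up: Dict[str, bool]) -> str:
    """Forwarding decision for a packet entering on Fe0/1 where the route-map is applied."""
    next_hop = pbr_next_hop(proto, src, dport)
    # Assumption: if the aDSL link is down the set clause cannot be honoured and the
    # packet is routed normally, so the main link still carries it.
    if next_hop is not None and up.get(ADSL_INTERFACE, False):
        return f"next-hop {next_hop}"
    ifc = active_default(up)
    return f"default via {ifc}" if ifc else "no route"


if __name__ == "__main__":
    both_up = {"serial0/0": True, "serial0/1": True}
    main_down = {"serial0/0": False, "serial0/1": True}
    print(egress("tcp", "192.168.10.25", 80, both_up))    # web from the LAN -> aDSL next hop
    print(egress("tcp", "192.168.10.25", 22, both_up))    # SSH from the LAN -> main link
    print(egress("tcp", "192.168.10.25", 22, main_down))  # main link down -> backup default
```

The interesting cases are the ones the configuration does not spell out: a host outside the internal network never matches the ACL even for port 80, and when serial0/0 fails everything, web traffic included, ends up on the aDSL link via the floating default route.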
Categories: Cisco Tags:

Configure Cisco Router in Bridge Mode

September 7th, 2007 rsivanandan 7 comments

Sometimes, when an ISP hands off an internet connection through a router, you need to put that router in bridge mode so that the public IP address can be assigned directly on the firewall behind it (any brand).

You can put a Cisco router in bridge mode this way:

bridge 1 protocol ieee

int fa0/0   ! connected to ISP (change interface accordingly)
no ip address
bridge-group 1

int fa0/1   ! connected to ASA (change interface accordingly)
no ip address
bridge-group 1

Categories: Cisco Tags:

RDP Connection through PIX – Different Port

August 9th, 2007 rsivanandan No comments

It is nice to run RDP on a different port for security purposes. If a scanner finds that port 3389 is allowed through the firewall, it is pretty obvious that there is an RDP hole punched in it.

So how about port 12345 ?

Two options:

1. Change the port on Windows itself to a custom port.

Let's assume you want it on port 12345. In this case you change the firewall configuration to:

static (inside,outside) <Public_IP> <Private_IP> netmask 255.255.255.255
access-list 102 permit tcp any host <Public_IP> eq 12345
access-group 102 in interface outside

http://support.microsoft.com/kb/306759

The link above shows you how to change the listening port in Windows.

2. Change the port on the static NAT statement, so that you connect to the custom port but the PIX translates it to the default RDP port.

static (inside,outside) tcp <Public_IP> 12345 <Private_IP> 3389 netmask 255.255.255.255
access-list 102 permit tcp any host <Public_IP> eq 12345
access-group 102 in interface outside

Then launch the Remote Desktop client and type in the address as <Public_IP>:12345. Kewl…

Categories: Cisco, Windows Tags:

Free training to JUNOS for Cisco-certified pros

August 9th, 2007 rsivanandan 2 comments

Juniper has confirmed that its offer of free training to Cisco certified professionals to become Juniper-certified is available to Cisco network pros worldwide. The program was originally reported as only available to qualified folks in Asia Pacific, but inquiries by Cisco Subnet to Juniper corporate HQ in Sunnyvale, Calif., in addition to interest from Cisco Subnet readers, led Juniper’s media relations team to confirm the offer as a worldwide deal and to post details of the program on its Web site.

Read More …

Categories: Cisco, Juniper, Tech in general Tags:

Cisco PIX/ASA or Router – to be a firewall?

May 13th, 2007 rsivanandan 1 comment

Now that I have answered the same question twice on EE, it is better that I bookmark it here for the sake of others.

So, the question is: when it comes to a Cisco platform acting as a firewall, do we use a Cisco router or a Cisco PIX firewall? Both have a lot of similar features, so why not use the router as the firewall instead of shelling out more money on a PIX/ASA?


PIX (Packet Internet Exchange)

These are the firewall series from Cisco (now moving towards ASA). It is a hybrid firewall with stateful inspection, application proxy capabilities, etc. The way it works is known as the ASA (Adaptive Security Algorithm). This gear is built specifically to perform firewall functions at a much higher level.

http://www.examcram2.com/articles/article.asp?p=101741&seqNum=4&rl=1

Cisco Routers

These are general-purpose routing engines, built with different types of interfaces and supporting routing at large scale. For example, the PIX supports only a primitive level of routing, while Cisco routers can run almost all routing protocols available today. Now, if you ask whether the firewall functionality can be done by these routers: YES. A special image needs to be used, and a Cisco router can then work as a VPN endpoint and a firewall. This is called CBAC (Context Based Access Control).

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm#wp1000981

So what is the difference? Throughput numbers: routers are built with a different purpose in mind, while the PIX is made only for firewall functions. So firewall-related performance (VPN, encryption speed, etc.) is higher on the PIX.

If VPN is all you're looking at, then a Cisco router would probably do, but if *encryption speed* matters, a PIX/ASA would be much faster.

As well, there is more application awareness in the PIX/ASA than in a normal router. You can turn a router into a firewall, but to a major extent it is only good for layer 3 and layer 4 traffic, while the ASA or PIX does more than that.

Categories: Cisco Tags: