Escolar Documentos
Profissional Documentos
Cultura Documentos
(Troubleshooting)
Ch. 9 Troubleshooting Security
Implementations
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Fall 2010
Materials
Book:
Troubleshooting and Maintaining
Cisco IP Networks (TSHOOT)
Foundation Learning Guide:
Foundation learning for the CCNP
TSHOOT 642-832
By Amir Ranjbar
Book
ISBN-10: 1-58705-876-6
ISBN-13: 978-1-58705-876-9
eBook
ISBN-10: 1-58714-170-1
ISBN-13: 978-1-58714-170-6
OSPF Authentication
Sometimes a useful diagnostic technique is to temporarily disable the
security feature and see if that fixes the problem.
Caution: You may be creating a situation that is not compliant with the
security policy
Risk of opening the network to an attack.
Example: Two OSPF routers cannot establish an OSPF adjacency and are
using MD5 authentication.
Disable authentication to see if that is the problem? Workaround?
Management Plane:
The management plane represents all the functions and protocols involved
in managing the device.
Includes accessing information about:
Device configuration
Device operation
Device statistics
Securing this plane is vital to the overall security of the device.
If the management plane is compromised, the other planes are also
exposed
Control Plane:
Represents all the functions and protocols that are used between network
devices to control the operation of the network, such as:
Routing protocols
Spanning Tree Protocol (STP)
Other signaling and control protocols
Because the control plane affects the behavior of the data plane, the control
plane protocols need to be secured.
If unauthorized devices are allowed to participate in the control plane
protocols, this opens up possibilities for an attacker to block or divert traffic.
Data Plane:
Represents all the functions involved in forwarding traffic through the device.
Routers and switches can inspect and filter traffic as part of the implementation
of a security policy.
ACLs
Route maps
Note: All management and control plane traffic flow through the data plane as
well.
Consequently, security features on the data plane can be used to secure the
management and control planes too.
Also means failures on the management and control plane may be caused by
the implementation of security features on the data plane.
interfaceserial0/0/1
ipnatoutside
interfacefastethernet0/0
ipnatinside
ipaccesslistextendedBRANCHNATACL
permitip192.168.1.00.0.0.255any
ipnatpoolBRANCHNATPOOL209.165.200.249
209.165.200.253prefixlength29
ipnatinsidesourcelistBRANCHNATACLpool
BRANCHNATPOOL
ipnatinsidesourcestatic192.168.1.254
209.165.200.254
11
Other than the static translation to the inside web server, there are no
dynamic translations listed in the NAT cache.
12
Displays the number of active translations, which in this case is one static
and zero dynamic translation.
Lists the interfaces involved in the NAT translations
The specifics of the BRANCH-NAT-POOL in use, including the BRANCHNAT-ACL access list used for the traffic to be translated.
13
telnet
15
IPsec Encapsulation
17
The VPN routers at Branch and HQ are responsible for this encapsulation
and decapsulation tasks (the tunnel).
The IPsec encapsulation process:
Adds an additional IP header to the original packet
Can performs security functions (confidentiality, integrity, authentication)
18
19
Configuration commands associated with IPsec VPNs are beyond the scope
of this chapter.
We will focus on the commands to verify proper configuration and operation.
The details of cryptographic services such as confidentiality, integrity, and
VPN end-point authentication will be transparent to us.
20
Scenario, so far
?
21
Although the ping was successful, it appears that the tunnel is down.
Recall that we also implemented NAT.
Perhaps this is causing some problems with the IPsec tunnel being created.
To test this, we will enable the debug ip nat command and reissue the
extended ping
22
23
This presentation
Created our broadband connection
Configured NAT for traffic over Internet
Changes private source IP address for traffic over the Internet
Configured IPsec
Want all traffic including LAN-to-LAN to use Internet (ISP)
Want to secure LAN-to-LAN traffic between Branch and HQ over the
Internet using IPsec
Problem: LAN-to-LAN traffic is being sent over Private WAN
Solution: Modify NAT to create a NAT exemption
Problem: IPsec does not support broadcasts and multicasts so cannot
send EIGRP routing updates
Solution: Use GRE tunnel Encapsulate traffic inside a GRE pointto-point tunnel, then inside an IPsec tunnel
Must add GRE tunnel network to EIGRP so all LAN-to-LAN traffic
uses GRE tunnel
24
25
NAT exemption
Existing command
26
The ping is successful, but it appears that NAT still translated the inside
LAN address.
Lets verify the NAT translation
27
28
29
Verify
30
This presentation
Created our broadband connection
Configured a floating static route
If Private WAN is down use Internet (ISP)
Configured NAT for traffic over Internet
Changes private source IP address for traffic over the Internet
Configured IPsec
Want all traffic including LAN-to-LAN to use Internet (ISP)
Want to secure LAN-to-LAN traffic between Branch and HQ over the
Internet using IPsec
Problem: LAN-to-LAN traffic is being sent over Private WAN
Solution: Modify NAT to create a NAT exemption
Problem: IPsec does not support broadcasts and multicasts so
cannot send EIGRP routing updates
Solution: Use GRE tunnel Encapsulate traffic inside a GRE pointto-point tunnel, then inside an IPsec tunnel
Must add GRE tunnel network to EIGRP so all LAN-to-LAN traffic
uses GRE tunnel
31
Multicast and
Broadcast
Impact on Routing
A significant drawbacks of an IPsec VPN is that it cannot route multicast
and broadcast packets.
Routing protocols (IGPs) such as EIGRP and OSPF that use multicast
packets cannot send routing advertisements through an IPsec VPN.
However, IPsec can be combined with Generic Routing Encapsulation
(GRE) to create a tunnel to circumvent the issue with IGP routing within
VPN tunnels.
32
There are four options to route dynamic routing protocols through an IPsec
tunnel:
Point-to-point generic routing encapsulation (P2P GRE)
Virtual tunnel interface (VTI)
Dynamic multipoint VPN (DMVPN)
Group encrypted transport VPN (GET VPN)
In this section, we focus on P2P GRE
33
EIGRP traffic
35
Configuring
GRE
These following three configuration steps will help us accomplish our goal:
1. Create tunnel interfaces for GRE.
First configure the tunnel interfaces with GRE encapsulation.
Make sure that the tunnel is up and running.
2. Change the crypto ACL to encrypt GRE traffic.
Make a change to the IPsec configuration to include GRE traffic to the
crypto ACL.
This will cause GRE traffic (routing updates) to be channeled
across the IPsec VPN tunnel like other interesting traffic.
3. Configure routing protocols to route through the GRE tunnel.
Last configure our routing protocol to use the tunnel interface.
36
37
38
Tunnel is up and up
Tunnel IP address
39
We must now change the crypto ACL to make the GRE traffic interesting
to enable the IPsec tunnel.
Remove the current crypto ACL and replace it
We will address the LAN-to-LAN tunnel in a moment.
The new crypto map ACL specifies that whenever the public IP address of
the branch router attempts to send a GRE update to the public IP
address of the HQ router an IPsec VPN should be enabled.
The reciprocating crypto map is configured
40
41
42
X
Default
?
We have the 172.16.100.0 network connected to the Tunnel 0 interface.
Still have the default static route we configured earlier pointing to the ISP.
However, the branch LAN does not know about the HQ LAN located on
Private address space of 10.10.10.0 /24 via the VPN tunnel.
43
Configure EIGRP to propagate the LAN and the tunnel routing information between the
sites
LAN-to-LAN traffic will now use the Tunnel, encapsulated by GRE and therefore will use
IPsec
44
Verify
This confirms that packets are indeed traversing the IPsec VPN.
45
46
Summary
Created our broadband connection
Configured a floating static route
If Private WAN is down use Internet (ISP)
Configured NAT for traffic over Internet
Changes private source IP address for traffic over the Internet
Configured IPsec
Want all traffic including LAN-to-LAN to use Internet (ISP)
Want to secure LAN-to-LAN traffic between Branch and HQ over the
Internet using IPsec
Problem: LAN-to-LAN traffic is being sent over Private WAN
Solution: Modify NAT to create a NAT exemption
Problem: IPsec does not support broadcasts and multicasts so cannot
send EIGRP routing updates
Solution: Use GRE tunnel Encapsulate traffic inside a GRE pointto-point tunnel, then inside an IPsec tunnel
Must add GRE tunnel network to EIGRP so all LAN-to-LAN traffic
uses GRE tunnel
48
49
50
Troubleshooting Examples
51
52
The examples presented in this section are all based on the network
topology diagram shown
There is a private WAN and an Internet option for branch connectivity. There
is also a remote-access service for mobile users and traveling users.
53
Public IP address
Public IP address
54
It seems reasonable to look at the NAT changes and start from there.
On the branch router we use the show ip nat statistics command to
display NAT information
55
Notice that all traffic is being correctly translated into a public address range: PUBLIC
PUBLIC pool contains public IP addresses (172.16.0.0 is assumed to be public)
Source IP addresses (10.1.10/24 is translated to a public IP address (172.16.1.100 to .200)
This looks fine
NAT configuration however, includes more translation entries
There is another access list called VPN is being translated into something else...
VPN traffic is exempted from public NAT because it remains private as it goes through the
56
tunnel.
Change to
Source IP: 10.1.3.0/24
Source IP: 10.1.4.0/24
show ip nat statistics - traffic matching the VPN access list is being statically
translated into an address from the range 10.1.10.10 to 10.1.10.200.
This doesn't seem correct.
Based on the information on the diagram:
Traffic leaving the branch towards the headquarters (destination 10.1.4.0/24) should
have its source address translate to an address from the 10.1.3.0/24 subnet.
The traffic leaving the headquarters network should have its source address
translated to an address from the 10.1.4.0/24 subnet.
58
Change to
Source IP: 10.1.3.0/24
The branch traffic's source address is being translated to 10.1.10.x instead of 10.1.3.x as it
goes through the IPsec tunnel.
This does matter.
The translated VPN traffic must be tunneled through the IPsec VPN.
The source IP address must match the crypto access list or it won't go through the VPN
tunnel.
You can verify this information using the show crypto map
The crypto map contains a crypto access control list (ACL) which defines the traffic that it
will accept to the VPN tunnel.
ACL 106 and it only matches traffic with source address of 10.1.3.x and destination address
of 10.1.4.x.
Therefore, if the source address of the traffic from the branch translates to anything other
than 10.1.3.x, it will not go through the VPN tunnel
59
Fix: Remove the old VPN_NAT and adding the new definition which
translates the source IP addresses to 10.1.3.10-200.
Make a similar fix on HQ.
To test that the problem is solved, we ping an address from the 10.1.4.0
pool (headquarters), and notice that now the ping is successful and the
issue is indeed taken care of.
60
This time that there is no subnet overlapping between the branch and
headquarters networks (LANs are different subnets).
The symptoms of this troubleshooting example are similar to the last one:
The VPN connection is down, but the Internet connection is working
well.
The culprit could be anything from incorrect DHCP pools to routing issues
and VPN configurations.
61
62
63
Next, check the VPN configuration using the show crypto map on the Branch
router.
The ACL 106 used in the crypto map states that only the traffic with source
address 10.1.3.x and destination address 10.2.2.y will go through the VPN tunnel.
That is not correct, because the traffic from the branch going to the headquarters
(which is not subject to NAT) will have source address of 10.1.1.x, which is
furnished by the DHCP server.
66
Problem: the source IP addresses of the packets from the branch office are
not matching the crypto ACL.
You can test this hypothesis simply by changing the crypto ACL 106 and
using ping to verify connectivity.
The ping from branch to the headquarters is successful and the problems is
fixed.
67
Public IP address
Public IP address
68
192.168.1.2172.16.1.1
Check for the status of the VPN tunnel and look for the IP address of the
branch router as a destination using the show crypto isakmp sa
The status of the tunnel to branch at 172.16.1.1 is ACTIVE.
The same command at the Branch router shows an ACTIVE status as well.
69
No route
70
71
HQ#
72
We return to the Branch router to fix the tunnel destination address error.
We first enter the debug ip routing command to see the EIGRP routes
popping up in our routing table as a result of repairing the tunnel.
tunnel 0 interface
Remove the incorrect tunnel destination address
Enter the correct tunnel destination address (10.200.200.2)
73
EIGRP neighbor session going up, and almost immediately you see the
routing table being populated across the tunnel.
To confirm end to end connectivity, you then try an extended ping from the
Branch router using its Fa0/0 interface as the source, to the address
10.2.2.1, which resides at the Headquarters
74
Public IP address
Public IP address
The IPsec tunnel was established and tested, and it was carrying user traffic
with no problem.
Then suddenly tunnel interface went down and EIGRP was no longer able to
advertise routes.
Resetting the interfaces didnt help.
Tunnels get established, only to go down after a few seconds every time.
75
Branch#showipprotocols
Verify the EIGRP configuration and learn the autonomous system number
and the networks that belong to this routing process.
The show ip protocols command provides all that information.
76
Check the status of the GRE tunnel interface using the show interfaces
tunnel command.
The results show that interface tunnel0s line protocol is down, however:
The source and destination of the tunnel, based on the network diagram,
are correct.
The same command on the HQ router shows correct configuration, but the
line protocol is down there as well.
77
noshutdown
78
X
HQ(config)# interface tunnel 0
HQ(config-if)# shutdown
HQ(config-if)# exit
HQ(config)# ip route 10.100.100.1 255.255.255.255 172.16.1.1
HQ(config)# interface tunnel 0
HQ(config-if)# no shutdown
One way to fix this issue is to make sure that there is always a path to the tunnel
destination (10.100.100.1) via the public IP address (or other) and that not through
the tunnel itself.
In other words the router needs a path directly to the public IP address of the tunnel
(172.16.1.1) and that path can not be through the tunnel
A static route is a way to do this.
ip route 10.200.200.2 255.255.255.255 192.168.1.2
Enter a similar command on the Branch router mirroring the one entered at the HQ
router
Problem solved
79