Booches.nl

Configure VPN client on IOS router

One way to remotely access a network is using the Cisco VPN client. Nowadays more and more implementations of SSL VPN are being done and Cisco stopped their development on their VPN client and pushes their Cisco AnyConnect client.

Still the Cisco VPN client is often used to remotely gain access to a network. The Cisco VPN client supports:

• Windows XP, Vista (x86/32-bit only) and Windows 7 (x86/32-bit only);
• Linux (Intel);
• Mac OS X 10.4 & 10.5;
• Solaris UltraSparc (32 and 64-bit);

The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewall and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all used IP addresses and credentials are chosen randomly and don’t represent a real configuration). I used the setup from the picture below:

The configuration uses the local database to authenticate users and split-tunneling is configured to only encrypt traffic destined for the LAN network. With split-tunneling enabled you still can access all local resources and the internet.

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group booches-vpn-client
key pr3sh@r3dk3y
dns 192.168.1.10 192.168.1.11
domain booches.local
pool vpnpool
acl 110
netmask 255.255.255.0
!
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
!
crypto dynamic-map dynamicmap 10
set transform-set vpn-ts-set
reverse-route
!
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
!
interface FastEthernet0/0
ip address 83.137.194.62 255.255.255.240
ip nat outside
crypto map client-vpn-map
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
ip local pool vpnpool 10.10.1.1 10.10.1.254
!
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255

Cisco router: determine amount of memory/flash

Somebody asked me how he could determine the amount of DRAM and flash memory on a Cisco router. I always thought that everybody would know how to determine this information, but since this isn’t matter, I will tell you how you can determine the values.

You use the show version command to retrieve the requested information. Below you see an example output of the command on a Cisco 876 router.

Router#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 876 (MPC8272) processor (revision 0×200) with 118784K/12288K bytes of memory.
Processor board ID FCZ121160T5
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0×10
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0×2102

The first highlighted line tells you how much Dynamic RAM (DRAM) and Packet memory are installed in your router. Some platforms use a fraction of their DRAM as Packet memory. The memory requirements take this into account, so you have to add both numbers to find the amount of DRAM available on your router (from a memory requirement point of view).

Some types of routers have separate DRAM and Packet memory, so you only need to look at the first number. Other routers use a fraction of DRAM as Packet memory, so you need to add both numbers to find out the real amount of DRAM.

The second highlighted line tells you how much flash memory is installed in your router. This amount can also be determined by using the command show flash:.

Router#show flash:
24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

2  -rwx    18934284   Mar 1 2002 01:33:35 +01:00  c870-advipservicesk9-mz.124-15.T6.bin

23482368 bytes total (4542464 bytes free)

Maybe I can imagine why somebody doesn’t know where to look, because a show version actually gives you a lot of information. So I hope this posts helps all of you who don’t know where to look.

Cisco IOS 15 licensing

I just read an interesting article about the new licensing on Cisco hardware, especially after the End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.4.

In short the article tells the following:

IOS 12.4 is replaced by IOS 15. IOS 15 is a single software package for the hardware platform that your are using. You have one image with all the features and there’s no need to copy multiple images for different features. By default you can use all the base features and you need a license key to use the Advanced IP feature set.

This licensing can be compared to the licensing of a Cisco PIX, ASA or IPS. Maybe this will be hard for some of you, especially in situations where you replace a broken hardware component (License Transfer Between Two Working Devices).

So pay attention and take some time to dig into the new developments in Cisco IOS 15 licensing.

GNS3 supports JunOS

A lot of you will know GNS3. GNS3 is a graphical network simulator that allows simulation of complex networks. With GNS3 you can simulate multiple Cisco routers and the Cisco PIX firewall. GNS3 allows you to emulate real Cisco IOS images, design and experiment with complex networks, connect the virtual lab to the real world and capture packets with tools like Wireshark. I often use GNS3 to test my designs for customers or use it for training and workshop purposes.

As mentioned before GNS3 only supported some Cisco routers and the Cisco PIX firewall. In GNS3 0.7RC1 the emulation of Junipers JunOS is added. Just like the emulation of the Cisco ASA firewall. This makes GNS3 even more powerful. The preparation of a JunOS image is not as straightforward as an IOS one, but GNS3 wrote this excellent article for emulating a JunOS image.

I recommend GNS3 for everyone how is playing and likes to play with Cisco routers and firewalls, and from now on also Juniper routers.

Cisco Aironet: multiple SSID’s

I have been playing with some Cisco Aironet’s today. Configuration is quite simple and straightforward, but maybe not for everyone:

• Broadcast two SSID’s, unsecure and secure
• Authentication via WPA version 2 pre-shared key
• Management IP adres in management VLAN

You are maybe thinking: “stand-alone access points, why no WLAN controller?” I agree, but be honest. Would you use a WLAN controller for less then 5 access points?

The snippet below shows the most important configuration for such a scenario.

dot11 mbssid
dot11 vlan-name secure vlan 11
dot11 vlan-name default vlan 1
dot11 vlan-name unsecure vlan 13
dot11 vlan-name management vlan 10
!
dot11 ssid unsecure
vlan 13
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <wpa pre-shared key>
!
dot11 ssid secure
vlan 11
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <wpa pre-shared key>
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 13 mode ciphers aes-ccm tkip
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
ssid unsecure
!
ssid secure
!
speed  basic-1.0 basic-11.0 basic-54.0
channel 2412
station-role root
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 11
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio0.13
encapsulation dot1Q 13
ip access-group internet-only in
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.10
encapsulation dot1Q 10 native
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!
interface FastEthernet0.13
encapsulation dot1Q 13
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 13
no bridge-group 13 source-learning
bridge-group 13 spanning-disabled
!
interface BVI10
ip address 10.1.1.200 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.1
!
bridge 1 route ip

I hope this helps when you are configuring a Cisco Aironet with multiple SSID support.