
GNS3 supports JunOS

December 6th, 2009

A lot of you will know GNS3. GNS3 is a graphical network simulator that allows simulation of complex networks. With GNS3 you can simulate multiple Cisco routers and the Cisco PIX firewall. GNS3 allows you to emulate real Cisco IOS images, design and experiment with complex networks, connect the virtual lab to the real world and capture packets with tools like Wireshark. I often use GNS3 to test my designs for customers or use it for training and workshop purposes.

As mentioned before, GNS3 only supported some Cisco routers and the Cisco PIX firewall. In GNS3 0.7RC1, emulation of Juniper's JunOS is added, as is emulation of the Cisco ASA firewall. This makes GNS3 even more powerful. Preparing a JunOS image is not as straightforward as preparing an IOS one, but the GNS3 team wrote this excellent article on emulating a JunOS image.

I recommend GNS3 to everyone who plays, or likes to play, with Cisco routers and firewalls, and from now on also with Juniper routers.

Barracuda – Mail Protocol Violation

September 8th, 2009

A customer updated the firmware of a Barracuda Spam & Virus Firewall 300. The firmware was upgraded from version 3.4 to version 3.5.12.024. After the upgrade no email was coming in or going out through the Barracuda firewall.

All email was blocked and the following reason was visible in the message log:

Mail Protocol Violation

At first I couldn't find a reason why all mail was blocked, so I contacted Barracuda and established a remote connection with Barracuda support for remote troubleshooting (I really like that feature). Eventually the engineer found the problem. The Maximum Message Size value under Advanced – Email Protocol – SMTP Configuration was set to:

100000000000000000000000000000000000000 bytes

Yep, you read that correctly. I have no idea where that value came from. So I changed it back to the recommended value of 100 MB. After changing the value, mail started coming in and going out again through the Barracuda.

Secret Barracuda Spam firewall options

May 4th, 2009

While troubleshooting a Barracuda Spam Firewall 300 I found a forum on the internet that shows how to get an extra tab under the Advanced configuration of the Barracuda Spam Firewall. The "secret" configuration page is enabled with the following steps:

  1. Log on to the Barracuda Spam Firewall 300;
  2. Click on the Advanced tab;
  3. Add &expert=1 at the end of the URL and hit enter;

You will now get the extra tab Expert Variables, as shown below.

(Screenshot: barracuda_advanced_option)

Failed to establish VPN through PIX

October 17th, 2008

We recently migrated our Internet connection and reconfigured our PIX firewall. We added some memory to install the latest firmware version (8.0(4)). After putting the PIX firewall into production, some employees complained that they couldn't establish PPTP VPN tunnels to customers anymore.

Every time someone called me, I tried it myself and was always able to connect using a PPTP VPN tunnel, but every time I was working remotely and not at the office. So I always thought something was wrong with their laptops, but today I encountered the problem myself.

Looking at the logging of the PIX firewall, I saw the following error message:

%ASA-3-305006: regular translation creation failed for protocol 47 src inside:<IP address> dst outside:<IP address>

The error message indicates that there is no NAT mapping for the specified traffic, which can send you in the wrong direction. I checked the NAT mappings to be sure, but as I already suspected, this wasn't the cause of the problem.

PPTP uses a TCP connection that uses port 1723 and an extension of generic routing encapsulation (GRE) [protocol 47] to carry the actual data (PPP frame). The TCP connection is initiated by the client, followed by the GRE connection that is initiated by the server. Because the PPTP connection is initiated as TCP on one port and the response is GRE protocol, the PIX Adaptive Security Algorithm (ASA) does not know that the traffic flows are related.

The PPTP fixup feature in version 6.3 allows the PPTP traffic to traverse the PIX when configured for PAT. Stateful PPTP packet inspection is also performed in the process. The fixup protocol pptp command inspects PPTP packets and dynamically creates the GRE connections and translations necessary to permit PPTP traffic. Specifically, the firewall inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP control channel is disabled if the version announced by either side is not Version 1. In addition, the outgoing call request and reply sequence is tracked. Connections and/or translations are dynamically allocated as necessary to permit subsequent secondary GRE data traffic. The PPTP fixup feature must be enabled for PPTP traffic to be translated by PAT.

So I had to enable the PPTP fixup with the following command:

fw01(config)# fixup protocol pptp 1723

As stated before, we are using firmware version 8.0(4). This version doesn't support the fixup protocol pptp command and converts it to an inspect pptp command, as shown below.

fw01(config)# fixup protocol pptp 1723
INFO: converting 'fixup protocol pptp 1723' to MPF commands
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect pptp
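As an added example (not part of the original post), this Python script ties the symptom and the fix together: it pulls GRE translation failures out of %ASA-3-305006 log lines and checks whether inspect pptp is present under class inspection_default of policy-map global_policy. The log line, the addresses and the config fragments are constructed samples.

```python
import re

# Constructed sample log line modelled on the PIX/ASA message quoted in the
# post, with RFC 5737 documentation addresses in place of <IP address>.
SAMPLE_LOG = [
    "%ASA-3-305006: regular translation creation failed for protocol 47 "
    "src inside:192.0.2.10 dst outside:198.51.100.25",
]
# Constructed running-config fragments: before and after 'inspect pptp' was added.
CONFIG_BEFORE = """policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""
CONFIG_AFTER = CONFIG_BEFORE + "  inspect pptp\n"

XLATE_FAIL_RE = re.compile(
    r"%ASA-3-305006: regular translation creation failed for protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+)")
GRE = 47  # IP protocol number of the PPTP data channel

def gre_xlate_failures(log_lines):
    """Return (src, dst) pairs from 305006 messages whose failed protocol is GRE."""
    hits = []
    for line in log_lines:
        m = XLATE_FAIL_RE.search(line)
        if m and int(m.group("proto")) == GRE:
            hits.append((m.group("src"), m.group("dst")))
    return hits

def inspected_protocols(config_text, policy="global_policy", klass="inspection_default"):
    """Return the protocols named on 'inspect' lines under one class of one policy-map."""
    protos, cur_policy, cur_class = set(), None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line starts a new top-level section
            cur_policy = line.split(None, 1)[1] if line.startswith("policy-map ") else None
            cur_class = None
        elif line.startswith("class "):
            cur_class = line.split(None, 1)[1]
        elif line.startswith("inspect ") and (cur_policy, cur_class) == (policy, klass):
            protos.add(line.split()[1])
    return protos

def diagnose(log_lines, config_text):
    """Flag the post's symptom: GRE xlate failures while PPTP inspection is off."""
    gre_hits = gre_xlate_failures(log_lines)
    pptp_on = "pptp" in inspected_protocols(config_text)
    return {"gre_failures": gre_hits, "pptp_inspected": pptp_on,
            "needs_inspect_pptp": bool(gre_hits) and not pptp_on}
```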

Cisco IOS Authentication Proxy

June 6th, 2008

Today I have been playing a little with my router at home. While browsing different websites I stumbled on a Cisco page about the Cisco IOS Firewall Authentication Proxy, so I thought to myself: let's give it a try.

Cisco IOS Authentication Proxy is a feature with the following description:

"The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access was associated with a user's IP address, or a single security policy had to be applied to an entire user group or subnet. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy applied across multiple users.

With the authentication proxy feature, users can log into the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users.

The authentication proxy is compatible with other Cisco IOS security features such as Network Address Translation (NAT), Context-based Access Control (CBAC), IP Security (IPSec) encryption, and VPN client software.”

I already have my router configured with RADIUS for authenticating the CLI sessions. I configured the following commands to enable the Authentication Proxy Service:

aaa authentication login AD group radius local none
aaa authorization auth-proxy default group radius local
!
ip auth-proxy auth-proxy-banner http ^C AUTHENTICATION PROXY FOR ENTERING
THE INTERNET - WWW.BOOCHES.NL ^C
ip auth-proxy name PROXY http inactivity-time 60
ip admission auth-proxy-banner http ^C AUTHENTICATION PROXY FOR ENTERING
THE INTERNET - WWW.BOOCHES.NL ^C
!
interface BVI10
 description Default LAN
 ip address
 ip access-group  in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip auth-proxy PROXY
end

!
ip http server
ip http authentication aaa
!
radius-server host  auth-port 1812 acct-port 1813 key
radius-server retry method reorder
radius-server transaction max-tries 2
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication

After applying the above configuration I opened Internet Explorer and received the following page:

(Screenshot: Authentication Proxy login page)

After I entered the correct user credentials from the RADIUS server, which are my Active Directory credentials, I was granted access to the internet.

Looking at the Authentication Proxy feature, I would never implement it for one of my customers, or maybe only for an INTERNET-ONLY VLAN segment or public workplaces. But I can imagine it would help in SOHO environments.
