The previous post showed the steps necessary to enable DLP. This post describes the workflow to configure DLP. I needed DLP to relay outbound messages to a specific mail relay based on header information.
First I create a DLP rule to define the matching conditions. I match specific header information, which is added to a message by the internal MS Exchange server.
You can match multiple conditions, like subject, recipient, sender, body or attachments and you can also use regular expressions. This makes it very powerful to match specific or multiple characteristics from a message. You can also add exceptions to the DLP rule.
The next step involves creating a DLP profile. The DLP profile sets the action to take when the DLP rule is matched. You need to specify a default action, and you can override it by defining specific actions for specific DLP rules. I create an action to deliver mail to an alternate host. The action can be configured from the DLP profile pane, or you can configure it under the Content Profile Actions. I needed to configure an outbound action, which has to be created under the Content Profile Actions.
I use the above action as default in the DLP Profile and set my scan rule to use the default action.
The DLP profile can be assigned to an IP Policy or a Recipient Policy. I need to relay messages in the outbound direction, so I create an Outbound Recipient Policy and assign the DLP profile to it.
One way to remotely access a network is the Cisco VPN client. Nowadays more and more SSL VPN implementations are being deployed, and Cisco has stopped development of the VPN client in favour of the Cisco AnyConnect client.
Still the Cisco VPN client is often used to remotely gain access to a network. The Cisco VPN client supports:
The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewalls and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all IP addresses and credentials used are chosen randomly and don’t represent a real configuration). I used the setup from the picture below:
The configuration uses the local database to authenticate users, and split-tunneling is configured so that only traffic destined for the LAN network is encrypted. With split-tunneling enabled you can still access all local resources and the internet.
! AAA must be enabled first (line added here; the page omits it)
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
! Phase 1 policy: 3DES, pre-shared key and DH group 2 are the usual Cisco VPN client settings (assumed, not shown on the page)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Client group: the key is a placeholder; the pool and split-tunnel ACL it references are defined further down
crypto isakmp client configuration group booches-vpn-client
 key <GROUP-PRE-SHARED-KEY>
 dns 192.168.1.10 192.168.1.11
 pool vpnpool
 acl 110
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
 set transform-set vpn-ts-set
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
! Outside interface (the NAT statement names FastEthernet0/0); the crypto map is applied here
interface FastEthernet0/0
 ip address 126.96.36.199 255.255.255.240
 ip nat outside
 crypto map client-vpn-map
! Inside (LAN) interface; its name is not on the page, FastEthernet0/1 is assumed
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
ip local pool vpnpool 10.10.1.1 10.10.1.254
ip nat inside source list 100 interface FastEthernet0/0 overload
! ACL 100 (NAT): LAN traffic to the VPN pool is exempted from translation, everything else is overloaded
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! ACL 110 (split-tunnel): only the LAN network is pushed to the client
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
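As an added check (not part of the original post), here is a small Python lint for the two things the template relies on: the NAT ACL must exempt LAN-to-pool traffic (the deny line in access-list 100), and the split-tunnel ACL must not push 0.0.0.0/0. The sample config is a constructed copy of the pool, NAT and ACL lines above, and the function names are my own.

```python
import ipaddress
import re
# Constructed sample: the pool, NAT and ACL lines of the page's IOS template (same addresses).
GOOD_CONFIG = """\
ip local pool vpnpool 10.10.1.1 10.10.1.254
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
"""
def wildcard_to_net(addr, wild):
    """IOS 'address wildcard' pair (or 'any') -> ipaddress network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    w = int(ipaddress.ip_address(wild))
    assert (w & (w + 1)) == 0, "non-contiguous wildcard masks are not handled here"
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_acls(config):
    """{acl_number: [(action, src_net, dst_net), ...]} from 'access-list N permit|deny ip ...' lines."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        nets, i = [], 4
        for _ in range(2):                                  # source, then destination
            nets.append(wildcard_to_net(tok[i], None if tok[i] == "any" else tok[i + 1]))
            i += 1 if tok[i] == "any" else 2
        acls.setdefault(tok[1], []).append((tok[2], nets[0], nets[1]))
    return acls

def acl_action(entries, src, dst):
    """First-match evaluation; IOS ACLs end with an implicit deny."""
    return next((a for a, s, d in entries if src in s and dst in d), "deny")
def check_split_tunnel_nat(config, split_acl):
    """Return problems found; an empty list means LAN->VPN-client traffic is exempt from NAT."""
    acls, problems = parse_acls(config), []
    nat_acl = re.search(r"^ip nat inside source list (\S+)", config, re.M).group(1)
    first, last = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M).groups()
    for lan in (s for a, s, _ in acls.get(split_acl, []) if a == "permit"):   # networks pushed to clients
        if lan.prefixlen == 0:
            problems.append(f"ACL {split_acl} pushes 0.0.0.0/0: that is a full tunnel, not split-tunneling")
            continue
        lan_host = lan[1] if lan.num_addresses > 1 else lan[0]
        for client in (ipaddress.ip_address(first), ipaddress.ip_address(last)):
            if acl_action(acls[nat_acl], lan_host, client) == "permit":
                problems.append(f"ACL {nat_acl} NATs {lan_host}->{client}: replies to VPN clients get translated")
    return problems
```

Run it against a config with the deny line removed from access-list 100 and it reports that replies to both ends of the pool would be translated, which is exactly why the VPN "connects but nothing answers" in that case.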
There are multiple ways to get back from the running-configuration to the startup-configuration on a Cisco router. One of the simplest is just rebooting the router, but that takes a couple of minutes. You can also issue copy startup-config running-config, but that does not actually replace the running configuration; it merges the two.
A very powerful command to revert to the startup-configuration is:
configure replace nvram:startup-config
This command saves you some time because a reboot is not required.
When configuring a router I often use different show commands to check or troubleshoot the configuration. I always hate to type in the whole show command, so I use aliases instead. Aliases are also used in the Open Source community, when working with a terminal.
There are multiple options for the alias command, so let's take a closer look.
Cisco IOS includes some built-in command aliases (of course, the Cisco IOS always accepts the shortest unique command). Default command aliases are for example:
| Alias | Command |
|---|---|
| p | ping |
| h | help |
| lo | logout |
| u, un | undebug |
| w | where |
| r | resume |
Next are some alias commands which I use very often (note that defining your own alias r replaces the built-in r for resume):
Router(config)# alias exec s show ip int brie | exclu unass
Router(config)# alias exec si show int status
Router(config)# alias exec r show run
Router(config)# alias exec rr show ip route
Router(config)# alias configure vl1 interface vlan1
Router(config)# alias configure eigrp router eigrp 1024
Router(config)# alias interface ns no shutdown
Router(config)# alias interface load load-interval 30