Posts tagged Security

Cisco IOS Firewall Tutorial

Jan 25th

Posted by Colby in Tutorials

3 comments

Awhile ago a friend asked me for a write up on IOS Firewall/CBAC. At the time I hadn’t felt like writing about it as I don’t use it much, but I recently had to configure it, so I thought I may as well take a break from Juniper posts and do the article.

The IOS Firewall uses CBAC (Context-Based Access Control) to inspect traffic flows at the upper layers. CBAC will inspect the outgoing traffic while maintaining stateful intformation for each session. It will then open pinholes in the firewall/incoming ACL to allow appropriate traffic back in. Something I forgot to point out, CBAC can be very CPU intensive, your traffic. Keep that in mind before and do some testing before deploying it on your network. Here’s the topology:


We have our router running IOS firewall, its WAN connection is on Fa0/1 out to the internet, and its LAN connection is on Fa0/0, which connects to some servers and workstations. Let’s configure the firewall:

Read more...

, , , ,

GRE/IPSEC Tutorial

Aug 26th

Posted by Colby in Tutorials

No comments

In this article we will configure GRE/IPSEC tunnels. These are used in cases where there is a desire to run routing protocols across a VPN connection. This article is useful for CCNP (ISCW) and CCSP studies.

First we will create our ISAKMP Policy, then we will create a key and associate it with a peer, next we build our Transform Set, then the ACL with traffic to be encrypted, followed by the Crypto Map and finally to the Tunnel interface configuration.

Here’s our ISAKMP Policy:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5

We set the encryption to an AES 256 bit key, use pre-shared authentication (keys) and Diffie-Hellman Group 5.

Next we create a key and associate it with a peer:

crypto isakmp key  Sup3rS3cr3tK3y address 5.5.5.5

Now we build the Transform Set:

crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac

Next we make our ACL:

ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 4.4.4.4 host 5.5.5.5

This is catching GRE traffic from 4.4.4.4 (us, the source) to 5.5.5.5 (our peer, the destination).

Read more...

, , , , , , ,