Cisco Router Zone Based Firewall Configuration Guide - Video Tutorial

Router - Cisco Router

Saturday, 28 August 2010 17:42

Originally Cisco designed and released a structure for QoS called MQC (Modular QoS CLI). As this was designed mainly for QoS, Cisco renamed it C3PL (Cisco Common Classification Policy Language) so that it could be aimed at the security market.

MQC (or in our case C3PL) is configured and built using the following components:

  • Class-map - Class-maps allow you to define which traffic you wish to "inspect". Traffic can be matched by interface, ACL or NBAR (Network-Based Application Recognition). NBAR lets you define traffic by application: it determines the protocol type from the application header.
  • Policy-map - Policy-maps allow you to define which action to perform on the traffic matched by a class-map.
Example

In this example we will configure a basic zone-based firewall rule on a Cisco 3725 router.
The rule will allow a network to reach an internal SMTP server. The steps we follow are:
  1. Create a class-map
  2. Create a policy-map and assign the class-map to it. Note: you can only have one policy-map per zone pair.
  3. Assign zones to the interfaces
  4. Create a zone pair from these newly created zones and assign the policy-map to it.
  5. Go into your firewall rule base and define the permitted IP addresses.


Note: To ensure you have all the required firewall rules in place (such as allowing management traffic), run the firewall wizard, which sets up all the rules automatically.

Hint: You can see how to configure and enable SDM on your router here.


Installing GNS3 0.7.2 onto Fedora 13

GNS3 - GNS3 - Linux

Friday, 20 August 2010 10:10

Below shows you how to install GNS3 onto Fedora 13. GNS3 is a Graphical Network Simulator allowing you to build virtual Cisco networks.

# Dependencies (unzip is needed for the extraction step below)
yum -y install PyQt4 wget telnet qemu xterm unzip
cd ~
# -O keeps the file name clean; without it wget saves the download as "GNS3-0.7.2-src.zip?download" and unzip cannot find it
wget -O GNS3-0.7.2-src.zip "http://downloads.sourceforge.net/gns-3/GNS3-0.7.2-src.zip?download"
unzip GNS3-0.7.2-src.zip && rm -f GNS3-0.7.2-src.zip
mv GNS3-0.7.2-src /opt/GNS3
cd /opt/GNS3
# Working directories GNS3 expects; point the GNS3 preferences at these paths
mkdir Dynamips IOS Project Cache tmp
# GNS3 must be able to write projects and temporary files here
chmod -R o+rw ./Project ./tmp
cd Dynamips
wget http://www.ipflow.utc.fr/dynamips/dynamips-0.2.8-RC2-x86.bin
chmod +x ./dynamips-0.2.8-RC2-x86.bin


Configuring a Pre-Shared Site to Site VPN between 2 Cisco Routers

Router - Cisco Router

Wednesday, 18 August 2010 17:19

Below shows the configuration for one side of a Site to Site VPN between 2 Cisco routers using pre-shared keys.

router(config)# crypto isakmp enable

Phase 1 (ISAKMP / IKE SA - the [?] values must match on both peers)
router(config)# crypto isakmp policy 10
router(config-isakmp)# authentication pre-share
router(config-isakmp)# encryption [?]
router(config-isakmp)# group [?]
router(config-isakmp)# hash [?]
router(config-isakmp)# lifetime 86400
router(config-isakmp)# exit

router(config)# crypto isakmp identity address
router(config)# crypto isakmp key [key] address [peer ip]

Phase 2 (IPsec SA)
router(config)# crypto ipsec transform-set [name] [?]
router(config)# crypto ipsec security-association lifetime [seconds|kilobytes] [value]
router(config)# ip access-list extended S2S-VPN-TRAFFIC
router(config-ext-nacl)# permit ip [local network] [wildcard mask] [remote network] [wildcard mask]
router(config-ext-nacl)# exit
router(config)# crypto map S2S-VPN-MAP 100 ipsec-isakmp
router(config-crypto-map)# match address S2S-VPN-TRAFFIC
router(config-crypto-map)# set peer [peer ip]
router(config-crypto-map)# set transform-set [name]
router(config-crypto-map)# exit

Apply the crypto map to the outside interface (map name only, no sequence number)
router(config)# int [int name]
router(config-if)# crypto map S2S-VPN-MAP


IPv4 Subnetting Notes

General Info - General Info

Tuesday, 17 August 2010 15:23

The other day someone asked me to explain subnetting. It had been a while so I dusted off my CCNA books and attempted to answer his questions. So I thought this would be an ideal time to jot down some notes for future reference.

This isn't a tutorial or guide, just some notes on how to calculate the different subnetting values (subnet number, number of hosts etc).

What is the broadcast address of the network 172.30.233.0 255.255.255.128 ?

  • 256 - 128 = 128 (the block size)
  • What is the highest multiple of 128 that fits into 0? None, so this is 0.
  • (0 + 128) - 1 = 127

Answer : Broadcast address is 172.30.233.127

How many subnets and hosts per subnet can you get from the network 172.30.0.0 255.255.255.240 ?

  • 172.30 is a class B RFC 1918 address with a /12 prefix, so the first 12 bits of this address are fixed and we can do nothing with them.
  • The subnet mask is /28, so we can break the address down as follows:
  • 28 bits - 12 bits = 16 subnet bits
  • 32 bits - 28 bits = 4 host bits
  • This means the subnet number will consist of [12 network ID bits] [16 subnet bits] [4 host bits]
  • With the following powers of 2 in mind we can calculate the hosts and subnets:
    65536 32768 16384 8192 4096 2048 1024 512 256 128 64 32 16 8 4 2 1
  • Host bits = count along 4 from the right and then 1 extra (saves adding them up) = 16, then subtract 2 for the network (subnet zero) and broadcast addresses. This gives us 14.
  • Subnet bits = count along 16 and then 1 extra gives us 65536 subnets.

Answer : 65536 subnets and 14 hosts per subnet.

Which subnet does host 172.24.102.208 255.255.255.224 belong to?

  • 256 - 224 = 32 (the block size)
  • What's the highest multiple of 32 that fits into 208? 192

Answer : 172.24.102.192.

What valid host range is the IP address 192.168.126.95/26 a part of?

  • /26 is 255.255.255.192, so 256 - 192 = 64 (the block size)
  • Highest multiple of 64 that fits into 95 = 64.
  • 64 = Subnet number
  • 64 + 1 = First host
  • (64 + 64) - 1 = Broadcast
  • (64 + 64) - 2 = Last host

Answer : 192.168.126.65-126

What valid host range is the IP address 172.16.93.193/20 a part of?

  • /20 is 255.255.240.0, so 256 - 240 = 16 (the block size, applied to the third octet)
  • Highest multiple of 16 that fits into 93 = 80.
  • 80 = Subnet number
  • x.x.80.1 = First host
  • x.x.95.254 = Last host (add 16 to 80 and subtract 1 for the third octet, then place .254 in the last octet)

Answer: 172.16.80.1 through to 172.16.95.254
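The block-size method used in the notes above (block = 256 - mask octet, round the address octet down to a multiple of the block, zeros to the right for the subnet number and 255s for the broadcast) works for any IPv4 address and mask, not just the four questions worked here. The following calculator is an added example written for this page, not code from the original notes; it implements that general method, computes subnet counts relative to a parent prefix the way the /28-in-/12 question does, and cross-checks its answers against Python's standard ipaddress module.

```python
"""Block-size subnet calculator (added example, not part of the original notes).
Implements the method the notes use by hand: block = 256 - mask_octet, round the
address octet down to a multiple of block, everything to the right is 0 for the
subnet number and 255 for the broadcast. Works for any IPv4 address and mask."""
import ipaddress
from typing import Optional


def prefix_to_mask(prefix: int) -> str:
    """/26 -> '255.255.255.192'"""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.224' -> 27; rejects non-contiguous masks such as 255.0.255.0"""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    if len(bits) != 32 or "01" in bits:
        raise ValueError(f"invalid mask: {mask}")
    return bits.count("1")


def subnet_info(address: str, mask: Optional[str] = None) -> dict:
    """Accepts 'a.b.c.d' plus a dotted mask, or 'a.b.c.d/nn' on its own."""
    if mask is None:
        address, prefix_str = address.split("/")
        mask = prefix_to_mask(int(prefix_str))
    prefix = mask_to_prefix(mask)
    ip_oct = [int(o) for o in address.split(".")]
    mask_oct = [int(o) for o in mask.split(".")]
    net, bcast = ip_oct[:], ip_oct[:]
    for i, m in enumerate(mask_oct):
        if m == 255:
            continue                                 # octet is all network bits: keep it
        block = 256 - m                              # e.g. 256 - 224 = 32
        net[i] = (ip_oct[i] // block) * block        # highest multiple of block <= octet
        bcast[i] = net[i] + block - 1
        for j in range(i + 1, 4):                    # octets to the right
            net[j], bcast[j] = 0, 255
        break

    def dotted(octets):
        return ".".join(map(str, octets))

    host_bits = 32 - prefix
    info = {"prefix": prefix, "mask": mask, "network": dotted(net),
            "broadcast": dotted(bcast), "host_bits": host_bits,
            "usable_hosts": 0, "first_host": None, "last_host": None}
    if host_bits >= 2:                               # /31 and /32 have no classic host range
        info["usable_hosts"] = 2 ** host_bits - 2    # minus network and broadcast
        first, last = net[:], bcast[:]
        first[3] += 1
        last[3] -= 1
        info["first_host"], info["last_host"] = dotted(first), dotted(last)
    return info


def subnet_count(prefix: int, parent_prefix: int) -> int:
    """Number of subnets of length `prefix` inside a parent block (e.g. /28 in /12)."""
    if not 0 <= parent_prefix <= prefix <= 32:
        raise ValueError("parent prefix must be shorter than or equal to subnet prefix")
    return 2 ** (prefix - parent_prefix)


def matches_stdlib(address: str, mask: Optional[str] = None) -> bool:
    """Cross-check the hand method against ipaddress.ip_network."""
    info = subnet_info(address, mask)
    host = address.split("/")[0]
    net = ipaddress.ip_network(f"{host}/{info['prefix']}", strict=False)
    return (str(net.network_address), str(net.broadcast_address)) == (info["network"], info["broadcast"])


if __name__ == "__main__":
    for question in ("172.30.233.0/25", "172.24.102.208/27", "192.168.126.95/26", "172.16.93.193/20"):
        print(question, subnet_info(question), "stdlib agrees:", matches_stdlib(question))
```

Run it as a script and the four questions from the notes come out with the same answers as above; `matches_stdlib` is the check to reach for whenever a hand calculation is going into a firewall rule or ACL, because an off-by-one block boundary silently widens or narrows what the rule covers.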


Types of IDS Alerts

IDS - Snort / Sourcefire

Tuesday, 17 August 2010 11:34

There are 4 main types of IDS alerts. These are:

  • False Positive - Good traffic is incorrectly raised as bad.
  • False Negative - Bad traffic is incorrectly not raised as bad.
  • True Positive - Bad traffic is correctly raised as bad.
  • True Negative - Good traffic is correctly not raised as bad.
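To make the four categories concrete, here is an added example (not from the original post) that classifies a constructed set of IDS verdicts against constructed ground truth and derives the numbers an analyst tunes a ruleset by: precision, detection rate and false positive rate. The flow ids and the verdicts are made up for the example.

```python
"""Classifying IDS verdicts into the four alert types (added example, not from
the original post). The alert list and the ground truth are constructed here;
in practice ground truth comes from later investigation of each flow."""
from typing import Dict, Iterable, Tuple

# (flow id, IDS raised an alert?, flow was actually malicious?) -- constructed sample
SAMPLE_VERDICTS = [
    ("flow-01", True, True),     # real attack, alerted
    ("flow-02", True, False),    # benign, but alerted
    ("flow-03", False, False),   # benign, silent
    ("flow-04", False, True),    # real attack, missed
    ("flow-05", True, True),
    ("flow-06", False, False),
    ("flow-07", True, False),
    ("flow-08", False, False),
    ("flow-09", True, True),
    ("flow-10", False, False),
]


def alert_type(alerted: bool, malicious: bool) -> str:
    """Positive/negative is what the IDS said; true/false is whether it was right."""
    if alerted:
        return "true_positive" if malicious else "false_positive"
    return "false_negative" if malicious else "true_negative"


def confusion(verdicts: Iterable[Tuple[str, bool, bool]]) -> Dict[str, int]:
    """Count each of the four alert types over a set of verdicts."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for _, alerted, malicious in verdicts:
        counts[alert_type(alerted, malicious)] += 1
    return counts


def tuning_metrics(counts: Dict[str, int]) -> Dict[str, float]:
    """The three numbers that matter when tuning a ruleset."""
    tp, fp = counts["true_positive"], counts["false_positive"]
    tn, fn = counts["true_negative"], counts["false_negative"]
    return {
        # of what fired, how much was real
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        # of what was real, how much fired (recall)
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        # share of benign traffic that fires
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    c = confusion(SAMPLE_VERDICTS)
    print(c)
    print(tuning_metrics(c))
```

The point the table of counts makes is that only the two "positive" rows ever appear in the alert console; false negatives are invisible until something else (an incident, a packet capture review, a red team exercise) supplies the ground truth, which is why a low alert volume on its own says nothing about detection rate.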