VLAN security
I want to connect several hosts (each in a unique VLAN, not VLAN 1) to a switch. This switch would be connected to a router used as a gateway to the internet. Question: would this prevent the hosts (VLANs) from communicating as long as there is no trunking protocol running between the switch and router? I don't want them to be able to communicate. I only have one 100 Mbps port on the router. Thanks.
To answer your question: by not running a trunking protocol, you will prevent communication between hosts on the different VLANs.
But if you don't run any trunking protocol between the router and switch, then only one VLAN will be able to access the router and thus the internet (whatever VLAN the port connecting to the router is in).
In order to have all the hosts on different VLANs access the internet, you will need trunking from the switch to the router. Then you can use access-lists on the router to prevent the VLANs from talking to each other, either by host IP addresses or by using VLAN access-lists.
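The layout the reply describes, as an added example that is not part of the original thread: the switch presents both VLANs on one 802.1Q trunk toward the router's single port, and the router terminates each VLAN on a subinterface with an inbound ACL that drops VLAN-to-VLAN traffic before the catch-all permit for internet-bound traffic. Interface names, VLAN IDs (10 and 20) and subnets are assumptions; NAT toward the internet is left out.

```cisco
! Added example, not from the thread. Router-on-a-stick for two VLANs over
! the router's single port. Interface names, VLAN IDs and subnets are assumed.
!
! --- Switch: the port facing the router carries both VLANs tagged ---
interface GigabitEthernet0/1
 description Uplink to router (802.1Q trunk)
 switchport trunk encapsulation dot1q      ! omit on platforms that only do dot1q
 switchport mode trunk
 switchport nonegotiate                     ! no DTP: the trunk is static
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999           ! unused VLAN as native, so no untagged leakage
!
! --- Router: one subinterface per VLAN; each ACL only admits its own subnet
!     as source (anti-spoofing) and drops the other VLAN before permitting
!     everything else (internet) ---
ip access-list extended VLAN10-IN
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
!
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
```

With more VLANs, the per-VLAN deny lines grow quadratically; a single deny toward a summary of all internal VLANs (for example `deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255`) followed by the permit keeps each ACL short. `show ip access-lists` shows per-entry hit counts, so a ping from VLAN 10 to VLAN 20 should increment the deny counter and nothing else.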
Similar Messages
-
Ip phone and pc VLAN security issue - ISE 1.0
Hello there.
We are about to implement IP phones in our current network and during testing I have found 2 issues.
1- The IP phone connects to a protected port using ISE MAB authentication for the data network.
The voice VLAN is set up statically on the port. The PC VLAN is given by ISE profiling.
The issue is that once the PC connects, through the IP phone, to the VLAN it belongs to, that VLAN is left open on that port, which means that if I connect another PC it will get the VLAN the port originally opened the connection with. This is a big security issue, as computers that should not be allowed on specific VLANs can access them this way.
2- Once the connection is up and running on the port for both the phone and the PC, there is re-authentication happening every minute to ISE. The authentication logs are getting so many messages for just one port. So once we convert from 2 IP phones to 500, that is definitely going to generate a lot of unnecessary traffic.
Let me know your thoughts...thanks
Port config info below:
interface GigabitEthernet0/2
description Extra port by Camilos Desk
switchport mode access
switchport voice vlan 220
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust cos
snmp trap mac-notification change added
auto qos trust
spanning-tree portfast
end
On #1
You have to make sure that the
"authentication host-mode multi-domain" command is under each port.
This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
On #2
I have not found a solution. But what I have found after deployment is that it has happened only on 2 VoIP phones, out of the 70 that we have as of now. So it might be related to ISE.
On the other hand, we are not using Cisco phones but Mitel. So this might be a whole issue on itself.
Hope this helps.
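The corrected port, as an added example rather than either poster's config: the original `multi-auth` host mode admits any number of data-domain MACs once a session exists, whereas `multi-domain` allows exactly one MAC in the data domain and one in the voice domain, so a second PC plugged into the phone triggers a fresh authentication instead of inheriting the open VLAN. A further caveat a reviewer would raise: `authentication open` is IOS open-access (monitor) mode, in which the port forwards traffic before a session authenticates unless a pre-authentication port ACL restricts it, so it belongs only in a pilot phase. The interface name and voice VLAN follow the posted config; the QoS lines are omitted as they do not affect authentication.

```cisco
! Added example, not the poster's config. Same port, host mode changed to
! multi-domain as the reply recommends. Interface and voice VLAN follow the post.
interface GigabitEthernet0/2
 description Phone + PC port (one voice MAC, one data MAC)
 switchport mode access
 switchport voice vlan 220
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain      ! was: multi-auth
 authentication open                        ! monitor mode: remove once enforcement is wanted
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 spanning-tree portfast
end
!
! Check: exactly one DATA and one VOICE session should be listed per port
show authentication sessions interface GigabitEthernet0/2
```

If a second data MAC appears behind the phone, `show authentication sessions` will show it as a separate session that must pass MAB/dot1x on its own; with `authentication open` still present it is logged rather than blocked, which is the difference between observing and enforcing.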
Cisco 877W Dual SSID/VLAN Security Issue
Hi All
I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by a zone-based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
P.S. config has been pared down to basics below
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
no aaa new-model
dot11 syslog
dot11 ssid PRIVATE@123
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
dot11 ssid VISITOR@123
vlan 200
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 03374C0A08392040420C00
ip source-route
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool GUEST
utilization mark low 70 log
network 172.16.1.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 172.16.1.1
ip dhcp pool PRIVATE
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 192.168.0.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 password 7 073F205F5D1E491713
policy-map type inspect PM-DENYGUEST
class class-default
drop
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
service-policy type inspect PM-DENYGUEST
bridge irb
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
switchport access vlan 100
no ip address
interface FastEthernet2
switchport access vlan 100
no ip address
interface FastEthernet3
no ip address
interface Dot11Radio0
no ip address
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 100 change 30
broadcast-key vlan 200 change 30
ssid PRIVATE@123
ssid VISITOR@123
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
zone-member security PRIVATE
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.200
encapsulation dot1Q 200
zone-member security GUEST
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Vlan1
no ip address
interface Vlan100
no ip address
bridge-group 1
interface Vlan200
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 10580A4F1C4005005B
interface BVI1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE
interface BVI2
ip address 172.16.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
logging 192.168.0.11
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
line con 0
exec-timeout 5 0
no modem enable
transport output all
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
exec-timeout 5 0
login local
transport input telnet ssh
transport output none
end
Ignore that. The self zone got me. Argh! Phew!
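The fix the poster alludes to, as an added example and not their final config: traffic addressed to the router's own interfaces (the BVI addresses) is handled by the built-in `self` zone, which the GUEST-TO-PRIVATE zone-pair never sees, so a separate GUEST-to-self pair is needed. The posted DHCP pool hands guests 172.16.1.1 as gateway and 192.168.0.1 as DNS, so DHCP and DNS toward those addresses are passed and everything else toward the router is dropped and logged. The ACL and class/policy names are assumptions.

```cisco
! Added example, not the poster's config. Closes management services on the
! router's own addresses for the GUEST zone while keeping DHCP and DNS working.
ip access-list extended ACL-GUEST-TO-ROUTER
 permit udp any any eq bootps                     ! DHCP discover/request
 permit udp any host 172.16.1.1 eq domain         ! DNS to the guest BVI
 permit udp any host 192.168.0.1 eq domain        ! DNS server handed out by the guest pool
!
class-map type inspect match-any CM-GUEST-TO-ROUTER
 match access-group name ACL-GUEST-TO-ROUTER
!
policy-map type inspect PM-GUEST-TO-SELF
 class type inspect CM-GUEST-TO-ROUTER
  pass
 class class-default
  drop log
!
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-TO-SELF
!
! Check: the class-default drop counter should rise when a guest client
! tries telnet/ssh/http to 192.168.0.1 or 172.16.1.1
show policy-map type inspect zone-pair GUEST-TO-SELF
```

No self-to-GUEST pair is configured, so replies the router itself sends (DHCP offers, DNS answers) stay permitted by default. `pass` is stateless, which is why both directions of DNS work without an `inspect` action; if guests should only ever use the DNS servers listed in the pool, tighten the ACL accordingly.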
-
Campus / Enterprise VLAN Security Integration
Ji Jeal
One of the things that always bothers me about (including the many different ways of) deploying guest wireless is the need to have a VLAN that contains untrusted guest traffic on the same switches that carry trusted corporate traffic.
Given that the deployment model for a site with local internet break-out such as H-REAP requires the VLAN to be on multiple switches, what are the recommendations and best practices to make the chance of someone breaking out of this guest VLAN nil?
Is this a viable model for a high security environment (like a bank or defence company)?
Whilst my perception is that the biggest risk here is that someone unintentionally / mistakenly creates an L3 interface on the VLAN, e.g. to provide DHCP services the same as all the corporate VLANs, I am also concerned that there is the possibility that someone could potentially attack the devices / switches and configure their way out of the VLAN.
I know there are several ways to get around this (like using the anchor controller) but that doesn't always work.
Thanks
I am trying to figure out two things:
1) Can I be confident that logical VLAN separation provides "enough" security? The answer to that really is dependent upon how well and robustly the infrastructure components (AP, WLC, switch) are tested to manage the attack vectors, for example the obvious one being to encapsulate with VLAN tagging; do all the devices "deny" the possibility to spoof the VLAN and so on...
2) In terms of configuration - is there something I haven't thought of that is an (easy?) way to not have the untrusted data directly touching the VLAN (e.g. tunnelling or something) between the AP and the local internet break-out (like an anchor controller but without the need to deploy WLCs in every branch) - which would effectively mean it didn't matter if the switch was misconfigured or a bug allowed crafted packets to break the switch or break the security, as there's a "buffer" between the guest wireless traffic and the switch.
But I guess as a side question - is there a way to protect against mis-configuration (other than adding a note on the VLAN saying "Don't configure a layer 3 address on this VLAN")? VRF Lite could be an option but, as you say, quite a bit of overhead.
Thanks
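The VRF-Lite option raised in the post, as an added example that is not from the thread: placing the guest VLAN's SVI in its own VRF means that even if someone later adds a Layer 3 address to the guest VLAN, it lands in a routing table that holds only a default route to the local break-out and no corporate subnets, which turns the "don't configure L3 on this VLAN" note into an enforced property. VLAN ID, VRF name, addresses and the break-out next hop are assumptions.

```cisco
! Added example, not from the thread. Contains the guest VLAN in a VRF so a
! stray SVI cannot reach corporate routes. Names and addresses are assumed.
vrf definition GUEST
 rd 65000:44
 address-family ipv4
 exit-address-family
!
vlan 44
 name GUEST-WIRELESS
!
! The SVI must be bound to the VRF before it gets an address; applying
! "vrf forwarding" afterwards removes any address already configured.
interface Vlan44
 description Guest SVI, isolated in the GUEST VRF
 vrf forwarding GUEST
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Only a default route toward the guest break-out lives in this VRF
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.168.100.254
!
! Checks: the GUEST table should show only the connected subnet and the
! default; the global table should not contain 192.168.100.0/24 at all
show ip route vrf GUEST
show ip route 192.168.100.0
```

The misconfiguration risk does not disappear entirely: a route leak (`ip route vrf GUEST ... global` or a shared VRF) would reconnect the tables, so change control on `vrf` and `ip route vrf` lines is the remaining guard.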
I wanted to get opinions on an idea I had for port security. Port security is great, but when rolling out large projects it can be a tedious job entering in all those MAC addresses.
Can Cisco look into the possibility of creating a new feature called 'VLAN/PORT Security groups'? Within the groups admins could list chunks of MAC addresses that are allowed/disallowed on a particular VLAN.
It would have the same violation rule set as port-security.
Configuration under interface would look similar to this:
port-security address group 1
Check out 802.1x Port Authentication. You use back-end RADIUS servers for port authentication (end users) and you can set up static MACs for stuff like servers and printers. No need for MAC address configuration on the switches, but you will need certs and RADIUS servers and maybe a supplicant on the host. The nice thing is, you can move PCs anywhere in the company and they will work! Put a vendor PC on the network and it gets thrown into a DMZ where they only get internet access.
-
I set up a second SSID and VLAN for guests. The native and original VLAN is in place and requires WEP. I set the second VLAN to broadcast the SSID and have no encryption. I have clients connect, and almost have everything done. The only thing I can't figure out is how to isolate the traffic from the second VLAN to the first. I have the second VLAN set up so that the users cannot see anything on the native VLAN, but I can ping the servers by IP address and if I try to connect from the second VLAN to the first, it lets me with a valid username and password. This tells me that if a guest comes in and has a virus, that computer can maybe infect computers on the native VLAN. How can I truly isolate the traffic from one VLAN and have it access only the default gateway?
I need to route the guest VLAN to the default gateway. I have multiple access points, so I need to route the guest VLAN on the L3 interfaces. I have the route statement added for the guest VLAN network addresses pointing to the default gateway, but if I try to connect using the native VLAN IP address, I can get to stuff.
-
ASA 5505 Interface Security Level Question
I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure network (VLAN 1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure one with a level of 100. I figured that would be enough. To stop the guests from accessing the secure network, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0).
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
Below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end
Hi,
To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
One very important thing to notice, and which I think is the most likely reason this happened, is the fact that as soon as you attach an interface ACL to an interface, the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean: first block traffic to your secure LAN and then allow all other traffic, which would allow the traffic to the Internet.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni -
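Both options from the reply side by side, as an added example rather than the poster's or the replier's own config: once an ACL is bound to an interface the ASA evaluates it first-match and the security-level comparison no longer gates the flow, so a lone `permit ip any any` is the weak setting, and either inserting the deny ahead of it or unbinding the ACL altogether restores the intended isolation. Interface names and subnets follow the posted config; the guest and inside host addresses in the `packet-tracer` check are constructed.

```cisco
! Added example, not the poster's config. Names and subnets follow the post.
!
! Weak: with only this ACE bound, guests reach inside despite level 10 vs 100
access-list Guest-VLAN_access_in extended permit ip any any
access-group Guest-VLAN_access_in in interface Guest-VLAN
!
! Option A (keep the ACL): insert the deny at line 1 so it is matched first.
! Logging the deny makes guest-to-inside attempts visible in syslog.
access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0 log
!
! Option B (no ACL): unbind it and let security levels decide; 10 -> 0
! (guest to outside) still works, 10 -> 100 is blocked by the level check.
! no access-group Guest-VLAN_access_in in interface Guest-VLAN
!
! Checks: per-ACE hit counts, then a simulated guest SMB connection to an
! inside host, which should end in a DROP attributed to the ACL
show access-list Guest-VLAN_access_in
packet-tracer input Guest-VLAN tcp 192.168.22.50 40000 172.16.0.10 445
```

Option A scales to further trusted networks by adding one deny per subnet ahead of the permit; Option B stops working as soon as any other reason (for example allowing guests to reach a printer VLAN) forces an ACL back onto the interface, at which point every trusted subnet must be listed explicitly again.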
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CANNOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basics level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
^
|----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
- Jouni -
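The on-box capture the reply suggests, as an added example and not the replier's own commands: one capture on each side of the firewall for the NTP flow, plus an ASP-drop capture that records packets the ASA itself discarded together with the drop reason, which is what distinguishes "request never left" from "reply came back and was dropped". The inside host 192.168.50.5 and the NTP server 152.19.240.5 are taken from the posted config; the capture names are arbitrary.

```cisco
! Added example, not from the thread. Trace one host's NTP through the ASA.
! Addresses follow the posted config; capture names are arbitrary.
capture NTPIN  interface inside  match udp host 192.168.50.5 any eq 123
capture NTPOUT interface outside match udp any any eq 123
! Packets the firewall dropped on its own, with the reason code
capture DROPS type asp-drop all
!
! Now run ntpq -p / ntpdate on 192.168.50.5, then compare the two sides:
! a request in NTPIN with no matching packet in NTPOUT points at NAT or
! routing; a reply in NTPOUT with nothing back in NTPIN points at the
! return path, and DROPS names the stage that discarded it.
show capture NTPIN
show capture NTPOUT
show capture DROPS | include 123
!
! Same question answered by simulation rather than live traffic
packet-tracer input inside udp 192.168.50.5 123 152.19.240.5 123
!
! Remove the captures when done; they consume memory and CPU
no capture NTPIN
no capture NTPOUT
no capture DROPS
```

`show capture NAME detail` adds the TTL and identification fields, and `copy /pcap capture:NAME tftp://...` exports the buffer for Wireshark if the terminal summary is not enough.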
Wired Guest in 5.x 4402 - Does it Work???
Has anyone got Wired Guest access working using the latest code 5.148 (or any code for that matter)? In particular, has anyone been successful using 1 WLC with ingress and egress on the same controller? I have been trying for a week and it does not work no matter what.
Thanks for all responses.... Armonk
-
See next post with attached .doc
This post was trimmed.
4402 config
-Ingress int
Create a new interface <. myguests-ingress> assign it a VLAN ID <44>
Check the box that says Guest LAN
This interface has no IP, it is Layer2 only!
If there is an IP associated with this VLAN (anywhere), create another VLAN.
-Egress int (if you are already using one for wireless guest access, you can skip this step and reuse that one, I did!) It will not be called "Egress" on the wireless, just interface. If you don't have one already, you need to create it
Create a new interface , assign it a different VLAN <55> than your ingress interface
Assign IP, netmask, and gateway info < 192.168.100.10, 255.255.255.0, 192.168.100.1 > (see Router section below)
I used addresses that were NOT on my business network, so guest IPs are easily distinguished from employees
Also since this traffic is within a VLAN, I need to route this traffic at some point to access my gateway
If you want to give guests DHCP addresses, assign a Primary DHCP Server to this interface (see DHCP section below)
Since I was using the WLC for DHCP, I put the IP of my management interface (or another of your choice)
-Internal DHCP (if you are using your WLC for DHCP this needs to be configured)
Start <192.168.100.100 > (same subnet as "egress")
End <192.168.100.200>
Network <192.168.100.0>
Mask <255.255.255.0>
Lease <86400>
Default router <192.168.100.1> (same as your gateway above)
This is really just an IP to route between VLANs, it may not exist yet
Don't worry if this is on another subnet as your real gateway (it should be), this is just a gateway IP for this subnet
You can route between VLANs (that's what I did) on your router
DNS server <10.10.10.50> (this a local DNS, but you could use anything I guess, even your ISPs DNS server)
Status = Enabled
-WLAN
Create a new WLAN, select Guest LAN as the type
Ingress is a L2 VLAN
Egress is a L3 VLAN or previously configured VLAN
Security Tab, select Web Auth/Pass
Advanced Tab, specify your DHCP
Check override (required for external DHCP)
Was not able to check DHCP Addr. Assignment = Required (bug?)
General Tab, check status = Enabled
Ignore the error; this is a bug!
Core Switch configuration (these commands are in CatOS)
Since wired guest access uses the same interface (in my config,) I did not have to do this step as it was done previously.
You need to configure your core switch to allow VLAN traffic from your WLC interfaces
VTP and VTP domain were previously configured; you may need to do this if you have never done VLANs on this switch
# set vlan 44 name MYGUESTS-INBOUND - - - IOS will be different
# set vlan 55 name MYGUESTS-OUTBOUND - - - IOS will be different
If you already have a vlan for wireless guests this step is already done
Setup trunking on the port coming from the WLC to your switch (I chose mod/port =3/5, yours will be different)
# set trunk 3/5 on dot1q - - - IOS will be different
This allows VLANs to traverse from the WLC to the switch, (you could specify which VLANs only)
I have created VLAN ACLs that restrict the access of guests, but that can be done after this is up and working
Now this next step was required for my environment, but I am not sure that all setups can be done like this. I have another DHCP server on my network, so I wanted to make sure that there was not a conflict. To do this I specified a port on my core switch to accept VLAN traffic for my ingress interface.
Configure a port on my core switch to accept wired guest traffic (I chose mod/port =3/6, yours will be different)
# set vlan 44 3/6 - - - IOS will be different
It's possible you may also need to allow your egress VLAN depending on your setup
Dumb switch
Plug the switch into the port specified. -
Logical vs. Physical Subnetting
Hi All,
Networks that isolate traffic from other networks using separate mediums are more secure than ones that isolate via VLANs, correct? So having two networks A and B separate, with separate routers, switches, and cabling, is more secure than creating networks using VLANs, correct?
Kelly
Short answer is yes, physical separation of devices will generally always be more secure.
Two main issues with vlans are
1) a misconfiguration is much easier, as it is all to do with just reallocating ports into vlans on the same chassis. Make a mistake and you could just have moved a server into the wrong subnet.
2) vlan hopping and other attacks. See attached link for vlan security white paper
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
To be honest I have always been quite comfortable using vlan segregation, with optional firewalls etc., for internal data centre use, but I always feel more comfortable with physical separation on Internet-facing infrastructure.
Jon -
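An added example, not from either thread above, that serves two passages: it is the Cisco IOS equivalent of the CatOS steps in the guest-access walk-through (VLANs 44 and 55, the trunk to the WLC, the access port for the dumb switch), written with the VLAN-hopping countermeasures that Jon's second point and the linked white paper call for applied to the same ports (DTP off, pruned allowed list, native VLAN parked on a VLAN that carries no traffic, unused ports shut). Interface names GigabitEthernet3/5, 3/6 and 3/7-8 mirror the post's mod/port numbers; VLAN 998 as the parked native VLAN is an assumption.

```cisco
! Added example, not from the original posts: IOS Catalyst configuration for
! the guest VLAN plumbing with trunk/access-port hardening.
vlan 44
 name MYGUESTS-INBOUND
vlan 55
 name MYGUESTS-OUTBOUND
vlan 998
 name PARKED-NATIVE
!
! Trunk from the WLC: dot1q only, DTP negotiation disabled, only the two guest
! VLANs allowed, and a native VLAN (998, assumed) that carries no user traffic,
! so an untagged frame arriving on the trunk cannot land in a real VLAN.
interface GigabitEthernet3/5
 description Trunk to WLC (CatOS: set trunk 3/5 on dot1q)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 44,55
 no shutdown
!
! Access port for the "dumb switch" carrying wired guests: plain access port
! in the ingress VLAN, DTP disabled so it can never negotiate into a trunk,
! BPDU guard so an attached switch cannot take part in spanning tree.
interface GigabitEthernet3/6
 description Wired guest ingress (CatOS: set vlan 44 3/6)
 switchport mode access
 switchport access vlan 44
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! Unused ports: parked in the non-routed VLAN and administratively down, so a
! stray cable cannot put a host into a production VLAN (Jon's first point).
interface range GigabitEthernet3/7 - 8
 description Unused
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
! Platform-dependent (Catalyst 6500/4500): tag the native VLAN on every trunk
! so no frame crosses a trunk untagged at all.
vlan dot1q tag native
```

`show interfaces trunk` afterwards should list only 44 and 55 as allowed and active on Gi3/5, and `show interfaces Gi3/6 switchport` should report "Negotiation of Trunking: Off"; if either shows otherwise, the hardening did not take.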
I want to redesgin my company network
Hi
Currently we have 180 users in my company head office, and we have three branch offices on VPN.
My current network design for the head office is as follows:
ISP------------------------>Router--------------->Pix firewall---------------------->Internal network (1 vlan)
I want to divide my internal network into multiple VLANs. Please suggest a good guide on how I can make multiple VLANs and terminate them on my PIX firewall.
Junaid,
So if you are trying to design a new network and you're trying to create some VLANs, I would look at it as a tiered approach. In a tiered approach, Tier 1 is your public-facing zones, Tier 2 your application servers, Tier 3 your database servers, and Tier 4 your back-end user systems.
If you want to create a DMZ on your firewall, you can create a Layer 2-only VLAN on your switch and assign your firewall's DMZ interface to the switch on this new Layer 2 VLAN (let's say VLAN 100, for example). Now any device you want in this DMZ, assign it to VLAN 100, and these devices are now routed through the firewall. The Layer 2 VLAN keeps them all in the same network, but the routing exists on the firewall. Now you can create a management VLAN (let's say VLAN 999) that will be used for the inside interface of the firewall as well as all your other networking devices.
Your Tier 2 devices you can number in any manner, but using something in the 200s would signify these are Tier 2 zones. You can use these for your application servers, jump servers, SNMP management servers, etc. Follow this pattern for each of your zones.
As for the WAN network, it was stated above, and I second it, that your VPN solution would probably be better if you used a DMVPN design on your WAN. This would scale better, provide good security, and allow for better management and implementation of your new remote offices.
I am not sure of any single document that I could reference to put all this in place. Most of designing a network comes from a compilation of different documents, corporate policies, architecture standards, and life lessons. If you want a few documents though here are the ones I would recommend:
DMVPN Document:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html
VLAN Security Best Practices
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf
-Toby
Please don't forget to rate any helpful post.
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan -
I am working on taking our ASA5510 into the 21st century and putting a two-tiered DMZ into place. I just wanted some advice on how a tiered DMZ is typically configured and used. To start off, we are 100% virtualized, so this will all be done with sub-interfaces and 802.1q trunks on our inside physical interface.
I have laid it out like this........OUTSIDE <--> DMZ_EXTERNAL <--> DMZ_INTERNAL <--> INSIDE (See attached for further clarification)
I would like to know if servers are generally single-homed or multi-homed in this architecture. If they are multi-homed, then I understand that I would probably NAT to the DMZ_External and create a static route on the server to get from DMZ_Internal back to the Inside network. For example, Microsoft Lync Edge server needs two NICs: one connected to the external DMZ and one to the internal DMZ (it could also go directly on the inside network as well).
I get a bit confused if I am not attaching two nics to a server to bridge these networks.
Should my inside network be able to "route" to both networks? Meaning treat both DMZs equally and allow public NAT to both as well as internal routing.
Should Inside only route to the DMZ_Internal and go out to the internet to hit the NATed DMZ_External server interfaces?
Should I be using NAT from Outside to DMZ_Internal, or not even allow that scenario and only NAT Outside to DMZ_External?
Any assistance would be much appreciated. I have uploaded a picture for clarification. Thank you.
Marc,
Of late, I have seen a lot of implementations using VLANs for separating the zones and using the same switch. As long as you have tight control of the device, a strict change control process, auditing, best practices, up-to-date software updates on security advisories, etc., you should be fine using VLANs. Also, one important factor that is going to drive your decision is the company's "Security Policy".
With that said, below are some white papers that you might find useful.
VLAN Security White Paper
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39832
Data Center Architecture Overview
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCInfra_1.html
Also, check out the Data Center section of "Cisco Validated Design" for some good information.
http://www.cisco.com/en/US/netsol/ns742/networking_solutions_program_category_home.html
Regards,
Arul
*Pls rate if it helps* -
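An added example, not from either thread, that serves both Toby's tiered layout (Tier 1 public-facing DMZ on a Layer 2-only VLAN, routing on the firewall, VLAN 999 for the inside/management side) and Marc's implementation of it: one physical ASA interface carrying an 802.1q trunk with a sub-interface per zone. Everything not stated in the posts is an assumption: the addresses (RFC 5737 documentation ranges), VLAN 200 for the internal DMZ, the service ports, the rule that each zone may initiate only toward the next zone inward, and the ASA 8.3-or-later object NAT syntax (a PIX or an earlier ASA release uses a different nat/static form).

```cisco
! Added example, not from the original posts: ASA tiered DMZ on sub-interfaces.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! Physical inside interface is only a trunk carrier; zones live on sub-interfaces.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Tier 1: public-facing DMZ on Layer 2-only VLAN 100 (Toby's example number)
interface Ethernet0/1.100
 vlan 100
 nameif dmz_external
 security-level 25
 ip address 192.0.2.1 255.255.255.0
!
! Tier 2: application servers / jump servers on VLAN 200 (assumed)
interface Ethernet0/1.200
 vlan 200
 nameif dmz_internal
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Inside / management side on VLAN 999 (Toby's example number)
interface Ethernet0/1.999
 vlan 999
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Security levels order the tiers, but the per-zone inbound access-lists are
! what enforce "adjacent tier only". Outward-facing hosts may reach the
! application tier on its service port and fetch updates over 443; they may
! never initiate toward inside. Everything else is dropped and logged.
access-list DMZ_EXT_IN extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 8443
access-list DMZ_EXT_IN extended deny ip any 198.51.100.0 255.255.255.0
access-list DMZ_EXT_IN extended deny ip any 10.10.0.0 255.255.255.0
access-list DMZ_EXT_IN extended permit tcp any any eq 443
access-list DMZ_EXT_IN extended deny ip any any log
access-group DMZ_EXT_IN in interface dmz_external
!
! Application tier may reach the database host on inside only (assumed port)
access-list DMZ_INT_IN extended permit tcp 198.51.100.0 255.255.255.0 host 10.10.0.50 eq 1433
access-list DMZ_INT_IN extended deny ip any any log
access-group DMZ_INT_IN in interface dmz_internal
!
! Inside users reach the application tier and the Internet, but not the
! outward-facing tier directly; administration of Tier 1 goes through a jump
! server in dmz_internal (Toby's Tier 2 role), not from user desktops.
access-list INSIDE_IN extended deny ip any 192.0.2.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.10.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Publish one Tier 1 server: static NAT to a public address, only port 443
! opened from outside. No NAT is configured from outside into dmz_internal.
object network web_dmz_external
 host 192.0.2.10
 nat (dmz_external,outside) static 203.0.113.3
access-list OUTSIDE_IN extended permit tcp any object web_dmz_external eq 443
access-group OUTSIDE_IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

On the switch side the port facing Ethernet0/1 is an 802.1q trunk with `switchport trunk allowed vlan 100,200,999` and no switched virtual interface for VLANs 100 or 200, so the firewall is the only router between tiers; `packet-tracer input dmz_external tcp 192.0.2.10 40000 10.10.0.50 1433` on the ASA is a quick way to confirm the Tier 1 to inside path really is denied before going live.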
Power Controller reports power Imax error detected
Hi,
My 3560 switch with IOS 12.2(35)SE had the messages below last night. Would anyone know what happened?
Sep 23 18:54:58.468 UTC: %ILPOWER-7-DETECT: Interface Fa0/10: Power Device detected: IEEE PD
Sep 23 18:54:58.468 UTC: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/10: has detected invalid IEEE class: 7 device. Power denied
Sep 23 18:57:37.542 UTC: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Fa0/12: Power Controller reports power Imax error detected
Sep 23 18:57:44.580 UTC: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa0/12, port set to untrusted.
Sep 23 18:57:48.674 UTC: %ILPOWER-7-DETECT: Interface Fa0/12: Power Device detected: Cisco PD
Sep 23 18:57:48.741 UTC: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Fa0/12: Power Controller reports power Tstart error detected
Thanks and Regards
Ernest
Hi Leo,
Thank you for your quick response, but as I said before, that Nortel IP phone has a design fault in its power module, so it is meant to fail, and the Cisco switch generates a syslog message for this: "Power Controller reports power Imax error detected". Once we replace it with a new phone, the error disappears and everything works fine.
Now the solution I am looking for is as follows:
While the faulty IP phone is still plugged in and keeps booting, the switch generates the error log and our syslog server keeps sending out email alerts until one of our engineers logs into the switch and shuts the port. Very often, if this happens at the weekend or at night, we get hundreds of emails.
Therefore I think it would be nice if the Cisco 3750 put this switchport into the errdisable state, but it's not happening.
This is the output of errdisable;
#sh errdisable detect
ErrDisable Reason Detection Mode
arp-inspection Enabled port
bpduguard Enabled port
channel-misconfig (STP) Enabled port
community-limit Enabled port
dhcp-rate-limit Enabled port
dtp-flap Enabled port
gbic-invalid Enabled port
inline-power Enabled port
invalid-policy Enabled port
l2ptguard Enabled port
link-flap Enabled port
loopback Enabled port
lsgroup Enabled port
mac-limit Enabled port
pagp-flap Enabled port
port-mode-failure Enabled port
pppoe-ia-rate-limit Enabled port
psecure-violation Enabled port/vlan
security-violation Enabled port
sfp-config-mismatch Enabled port
small-frame Enabled port
storm-control Enabled port
udld Enabled port
vmps Enabled port
===========================================
Another thing: the command "power inline port 2x-mode" is not available in our IOS, and I am not sure how this command would help.
Looking forward to someone's response.
Thank you all. -
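An added example, not from the thread: `inline-power` shows as Enabled in Ernest's `show errdisable detect` output, yet the port stays up and keeps logging, so an EEM applet can do the shutdown on the exact message family in his log and emit one syslog message for the alerting system instead of a stream. It assumes an IOS with EEM 3.0 or later (needed for the `regexp` action); whether 12.2(35)SE provides that has to be checked with `show event manager version`. The applet name and the message text are constructed.

```cisco
! Added example, not from the original posts: shut a PoE port whose power
! controller reports an Imax or Tstart error (both appear in Ernest's log),
! then raise a single syslog message. Requires EEM 3.0+ for "action regexp".
event manager applet POE-CTRL-ERR-SHUT
 event syslog pattern "ILPOWER-3-CONTROLLER_PORT_ERR.*(Imax|Tstart) error"
 action 1.0 regexp "Interface ([A-Za-z]+[0-9/]+):" "$_syslog_msg" match intf
 action 2.0 if $_regexp_result eq 1
 action 2.1  cli command "enable"
 action 2.2  cli command "configure terminal"
 action 2.3  cli command "interface $intf"
 action 2.4  cli command "shutdown"
 action 2.5  cli command "end"
 action 2.6  syslog priority warnings msg "POE-CTRL-ERR-SHUT: $intf shut down after PoE controller error; inspect the attached device before no shutdown"
 action 3.0 end
```

Line 1.0 extracts the interface name (for example `Fa0/12`) from the same message text that triggered the applet; the `if` guard means a message that does not carry an "Interface X:" field does nothing rather than shutting a wrong port. Because the port is administratively shut rather than errdisabled, `errdisable recovery` will not bring it back: an engineer re-enables it with `no shutdown` after the phone has been swapped, which is the behaviour Ernest asked for. One syslog message per event means the mail rule on the syslog server fires once, not hundreds of times.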
Limiting client associations per lightweight AP
Can anyone tell me if it is possible to limit the number of clients that can associate per lightweight AP?
yes, it is possible.
Advanced Primary SSID Setup Link in your access point takes you to the AP Radio Primary SSID page, from which you can configure the primary SSID settings. From this page, you configure IEEE 802.11x authentication, EAP, unicast address filters, and the maximum number of associations for the radio's primary SSID.
OR, if you have multiple VLANs, you can go to
VLAN Security Policy section. You can define a security policy for each VLAN on the access point. This enables you to define the appropriate restrictions for each VLAN you configure, and you can configure Maximum number of associations: the ability to limit the maximum number of wireless clients per SSID.
hope to help ... rate if it does .... -
Potential Security Hole with 802.1x and Voice VLANs?
I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
If a user has no authentication details to gain access via 802.1x (i.e. they have not been given a user ID, the PC doesn't have a certificate, etc.) and they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC directly into the switchport), they can easily see via packet sniffing the CDP packets that contain the Voice VLAN ID. They can then easily create a tagged virtual NIC (via the NIC utilities or driver etc.) with the Voice VLAN 802.1q tag. Assuming DHCP is enabled for the Voice VLAN, they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer 3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
Has anyone done any research into this potential security hole?
Thanks
Andy
Thanks for the reply. To be honest we would normally deploy some or all of the measures you list, but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
As I said, I think this is a hole, but I don't see any solutions at the moment except 802.1x on the IP phone, although at the moment you can't do this with Voice VLANs?
Andy
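An added example, not from the thread: the control Andy is looking for, authenticating the phone as well as the PC, is what multi-domain authentication (MDA) on later Catalyst IOS provides. With MDA the voice VLAN is not opened on the port until some device has authenticated into the voice domain, so a PC that tags its frames with the voice VLAN ID it learned from CDP is not forwarded, and a second data device on the port is a violation. This assumes IOS with the 12.2(50)SE-era `authentication` command syntax, a RADIUS server that can authorize the phone (802.1X or MAB) and return it as a voice device (the `device-traffic-class=voice` attribute), and placeholder values for the server address, shared secret and VLAN IDs.

```cisco
! Added example, not from the original posts: per-port 802.1X/MAB with
! multi-domain authentication so that both the phone and the PC must
! authenticate before their respective VLANs are opened.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
! Phone-and-PC port: data domain (VLAN 20) and voice domain (VLAN 30, both
! assumed) are each authenticated separately. An unauthenticated device that
! tags VLAN 30 is simply not forwarded, which closes the bypass Andy describes.
interface FastEthernet0/10
 description Phone + PC, both must authenticate
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 switchport nonegotiate
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Port that will never carry a phone: no voice VLAN at all, so there is no
! second VLAN to discover or tag into, and CDP is not needed on it.
interface FastEthernet0/11
 description PC only
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 no cdp enable
 authentication host-mode single-host
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 spanning-tree portfast
```

`show authentication sessions interface FastEthernet0/10` should list two sessions on a working port, one in the DATA domain and one in the VOICE domain; a phone that cannot authenticate (older firmware without a supplicant) falls back to MAB, so its MAC address has to be known to the RADIUS server for the voice domain to open.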