Tuesday, March 13, 2012

Configure Cisco 1841 router as an Edge Router with NAT and IOS firewall

In small or branch offices, instead of buying separate devices for the edge router and the firewall, we can configure the edge router to act as the firewall and NAT device as well. This reduces the overall IT cost and also eases management.

Here is a step by step example of configuring a Cisco 1841 Integrated Services Router as an edge router with NAT and a basic IOS firewall.

All these routers come with, or can be installed with, Cisco SDM, a graphical tool that is very helpful for configuring and monitoring the device. In this tutorial, however, we will go through the CLI configuration method.

Topology

The topology we are going to discuss is very simple and consists of:
  • One Internet connection ends in the WAN interface of the router (FastEthernet0/0).
  • One LAN interface (FastEthernet0/1) connects to the internal LAN L3/L2 switch.
  • LAN IP address: 10.2.2.1/24
  • WAN IP address: 2.3.3.2/30
Internet <==> Router <==> LAN


Starting the basic configuration

We will start configuring the router through its console port using a console cable, which is normally provided with the router itself.

First make sure the router is clean of older configurations; you can ensure this by clearing the existing configuration. If you are sure about your router's configuration, you can skip this stage.

router#configure terminal

router(config)#config-register 0x2102 < the current register value can be checked with the show version command

router(config)#end

router#write erase

router#reload

System configuration has been modified. Save? [yes/no]: n

Proceed with reload? [confirm]

When the router comes up, it will prompt you to do the initial configuration through the configuration assistant; you can skip this because we will be doing it manually.

Configure the hostname for the router; I am going to use Edge-01.

router>en

router#conf t

router(config)#hostname Edge-01

Configure the external interface of the router with the IP address 2.3.3.2:

Edge-01(config)#interface FastEthernet0/0

Edge-01(config-if)#ip address 2.3.3.2 255.255.255.252

Edge-01(config-if)#speed 100

Edge-01(config-if)#duplex full

Edge-01(config-if)#no shut

Now configure the internal interface of the router:

Edge-01(config-if)#interface FastEthernet0/1

Edge-01(config-if)#ip address 10.2.2.1 255.255.255.0

Edge-01(config-if)#speed 100

Edge-01(config-if)#duplex full

Edge-01(config-if)#no shut

Configure the default route via the gateway 2.3.3.1 (change it accordingly):

Edge-01(config)#ip route 0.0.0.0 0.0.0.0 2.3.3.1

Enabling SSH:

For securely accessing this router we will use SSH as the remote access mechanism instead of Telnet, so we need to enable SSH now.


Edge-01(config)#aaa new-model

Edge-01(config)#ip domain-name my.domain.com < change this to your own domain name

Edge-01(config)#crypto key generate rsa

Edge-01(config)#ip ssh time-out 60

Edge-01(config)#ip ssh authentication-retries 2

Edge-01(config)#ip ssh version 2

Enabling NAT:

For the internal clients to access the Internet, the router should be configured with NAT, specifically NAT with overload (PAT). The following commands enable PAT so that all internal clients can access the Internet through this router.

Create an access-list that matches the LAN addresses the clients will be connecting from:

Edge-01(config)#access-list 1 permit 10.2.2.0 0.0.0.255

Now we need to tell the router which interface is inside and which is outside for NAT:

Edge-01(config)#interface FastEthernet0/1

Edge-01(config-if)#ip nat inside

Edge-01(config-if)#interface FastEthernet0/0

Edge-01(config-if)#ip nat outside

Now we have to define the external IP address pool used by the internal clients to access the Internet. Here I have only one public IP address; we still need to define a pool, but we use that single address as both the start and the end of the range.

Edge-01(config)#ip nat pool MYPOOL 2.3.3.2 2.3.3.2 netmask 255.255.255.252

Now define NAT with overload, i.e. PAT (Port Address Translation):

Edge-01(config)#ip nat inside source list 1 pool MYPOOL overload

At this point we have a router that can act as the edge router and do NAT (PAT) for the internal clients to access the Internet. But it lacks a firewall, so we cannot put this router into production until we configure a firewall on it.


Configure IOS Firewall

Now we are going to explore the zone-based firewall functionality of Cisco IOS. Here we can create multiple security zones, define the policies between them, and finally add the router interfaces to these zones as zone members so that they are subject to the defined policies.

Creating Zones and assigning interfaces

In this example we are going to create only two security zones (TRUSTED and INTERNET) and assign one interface to each of them as a zone member. It is possible, however, to create more security zones and to add multiple interfaces (physical or virtual) to the same zone.

TRUSTED: Internal LAN connection

INTERNET: Internet connection

Create the security zones as follows,

Edge-01(config)#zone security Trusted

Edge-01(config-sec-zone)#zone security Internet

There is also a special default zone named "self". This zone applies to traffic which originates from or is destined for the control plane of router itself (e.g. routing protocols, SSH, SNMP, etc.). By default, all traffic is allowed into the self zone.

The interfaces now need to be assigned to the security zones with the zone-member security command:

Edge-01(config)#interface FastEthernet0/0

Edge-01(config-if)#zone-member security Internet

Edge-01(config-if)#interface FastEthernet0/1

Edge-01(config-if)#zone-member security Trusted

Edge-01#show zone security


Creating Zone Pairs

Zone pairs apply policy enforcement to traffic flowing from one security zone to another. A zone pair must be defined for each direction in which traffic is allowed to be initiated. For example, a common simple policy is that the internal network can initiate any sort of traffic to the Internet, but no traffic may be initiated from the Internet to the internal network. This policy requires only a single zone pair, from the internal zone to the Internet zone.

We'll create only one zone pair to meet our requirements:

  • Trusted to Internet - Allows Internet access from the internal network

The command to configure a zone pair uses the following syntax:

zone-pair security NAME source FROM-ZONE destination TO-ZONE

Here is our zone pair definition:

Edge-01(config)#zone-pair security Trusted->Internet source Trusted destination Internet

Edge-01(config-sec-zone-pair)#

Creating and Applying Security Policies

Finally, we'll define and apply our security policies to the zone pairs. Policies are defined as inspection policy maps, which are very similar in construct to policy maps used for quality of service (QoS) classification and marking. Policy maps reference class maps, which in turn reference access lists or NBAR definitions to classify traffic.

One of three security actions can be taken on traffic matched by a class map:

  • Drop - The traffic is dropped.

  • Pass - The traffic is permitted.

  • Inspect - The traffic is permitted and inspected statefully so that return traffic in the opposite direction is also permitted.

First, we'll create a class map to match all of the traffic we want to allow from the Trusted zone out to the Internet. We want to inspect all traffic outbound to the Internet so that return traffic is allowed statefully. Unfortunately, we can't use the inspect action with the default class map, so we'll need to create a custom class map to match the base protocols TCP, UDP, and ICMP. (This doesn't allow non-TCP/UDP protocols such as IPsec, but meets our needs.)

Edge-01(config)#class-map type inspect match-any All_Protocols
Edge-01(config-cmap)#match protocol tcp
Edge-01(config-cmap)#match protocol udp
Edge-01(config-cmap)#match protocol icmp

Our class maps need to be wrapped into service policies so that they can be associated with security actions. We do this by creating inspection policy maps.

Edge-01(config)#policy-map type inspect Trusted_to_Internet
Edge-01(config-pmap)#class type inspect All_Protocols
Edge-01(config-pmap-c)#inspect

Lastly, we'll apply the policy map to its zone pair.

Edge-01(config)#zone-pair security Trusted->Internet
Edge-01(config-sec-zone-pair)#service-policy type inspect Trusted_to_Internet

We can verify our configuration using the command show zone-pair security:

Edge-01#show zone-pair security
Zone-pair name Trusted->Internet
Source-Zone Trusted Destination-Zone Internet
service-policy Trusted_to_Internet

More detail regarding the entire firewall policy hierarchy can be obtained with the command:

Edge-01#show policy-map type inspect zone-pair

Our zone-based firewall configuration is now complete, so it's time to test it. If you have a lab with a separate Internet connection, you can easily do the testing. Otherwise, simulate the scenario by connecting at least two machines, one acting as the LAN machine and the other acting as an Internet server.
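As an added check that is not part of this post's configuration: a small Python audit over a saved running-config, flagging the gaps that would silently weaken this design (an interface left out of every security zone, a zone-pair with no inspect policy, a PAT rule that references a missing ACL or pool, SSH not pinned to version 2). The sample config is constructed from the commands above with FastEthernet0/1's zone membership deliberately left out.

```python
import re

# Constructed sample: the running-config built up in this post, with one
# deliberate gap (FastEthernet0/1 is missing its zone-member line).
SAMPLE_CONFIG = """\
hostname Edge-01
ip ssh version 2
access-list 1 permit 10.2.2.0 0.0.0.255
ip nat pool MYPOOL 2.3.3.2 2.3.3.2 netmask 255.255.255.252
ip nat inside source list 1 pool MYPOOL overload
zone security Trusted
zone security Internet
interface FastEthernet0/0
 ip address 2.3.3.2 255.255.255.252
 ip nat outside
 zone-member security Internet
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
"""

def parse_sections(config):
    """Group indented lines under their parent line (interface, zone-pair, ...)."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections[current] = []
    return sections

def audit_edge_config(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = set(sections)
    findings = []
    for name, body in sections.items():
        if name.startswith("interface "):
            # An interface outside every zone is not covered by any zone-pair policy.
            if not any(l.startswith("zone-member security ") for l in body):
                findings.append(f"{name}: no zone-member security")
            if not any(l in ("ip nat inside", "ip nat outside") for l in body):
                findings.append(f"{name}: no ip nat inside/outside")
        elif name.startswith("zone-pair security "):
            # Without an inspect policy the pair has no stateful return path.
            if not any(l.startswith("service-policy type inspect ") for l in body):
                findings.append(f"{name}: no service-policy type inspect")
    nat_rules = [l for l in top if l.startswith("ip nat inside source list ")]
    if not nat_rules:
        findings.append("no ip nat inside source rule")
    for rule in nat_rules:
        m = re.fullmatch(r"ip nat inside source list (\S+) pool (\S+) overload", rule)
        if m is None:
            findings.append(f"{rule}: not a PAT (overload) rule")
            continue
        acl, pool = m.groups()
        if not any(t.startswith(f"access-list {acl} ") for t in top):
            findings.append(f"access-list {acl} used by NAT is not defined")
        if not any(t.startswith(f"ip nat pool {pool} ") for t in top):
            findings.append(f"ip nat pool {pool} used by NAT is not defined")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set (SSHv1 would be accepted)")
    return findings

if __name__ == "__main__":
    for finding in audit_edge_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config saved to a file; the sample above reports only the missing zone membership on FastEthernet0/1.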

Tuesday, December 20, 2011

OpenVPN Access Server

I am currently evaluating the OpenVPN Access Server for our environment. We have been using the open source version of OpenVPN for the last one year and it has been working well without any issues. The good thing about the Access Server is that it is highly self-explanatory for the users regarding client configuration. Also, it can be managed through a nice GUI.

As I said, the client configuration is self-explanatory for the users, but this is true only for Windows and Mac users, because client applications are provided only for Mac and Windows. Linux users are told to use the native "openvpn" command.

But there is a big caveat for Linux users when using it with the native openvpn command: "The server will not be able to push the dhcp-options to clients". The main issue is that the clients will not get the "dns server addresses", "default domain name" and "domain search values".

As a result, users who connect to the Access Server from Linux will not be able to resolve the FQDNs of internal servers or the URLs of internal sites.

Also, the client configuration given by the server, "client.ovpn", is a single file which carries the certificates and keys inside the configuration file itself. This prevents the use of other OpenVPN client applications like KVpnc or the NetworkManager GUI applet.

How to overcome these limitations?

It is easy to make the configuration compatible with the other OpenVPN clients like NetworkManager or KVpnc.

Basically we need to split the given configuration "client.ovpn" into five files: "ca.crt", "client.crt", "client.key", "ta.key" and "new-client.ovpn".

We can do all this manually using a text editor, but I have written a simple shell script which will do it for us.

#!/bin/bash
#
# Extract each inline block of client.ovpn into its own file (the tag lines themselves are dropped)
sed -n '/<ca>/,/<\/ca>/ p' client.ovpn | grep -v "<ca>" | grep -v "</ca>" > ca.crt
sed -n '/<cert>/,/<\/cert>/ p' client.ovpn | grep -v "<cert>" | grep -v "</cert>" > client.crt
sed -n '/<key>/,/<\/key>/ p' client.ovpn | grep -v "<key>" | grep -v "</key>" > client.key
sed -n '/<tls-auth>/,/<\/tls-auth>/ p' client.ovpn | grep -v "<tls-auth>" | grep -v "</tls-auth>" > ta.key

# Strip the comment lines and the inline blocks, then reference the files instead
grep -v "#" client.ovpn > client1.ovpn
sed '/<ca>/,/<\/tls-auth>/ d' client1.ovpn > new-client.ovpn
echo "ca ca.crt" >> new-client.ovpn
echo "cert client.crt" >> new-client.ovpn
echo "key client.key" >> new-client.ovpn
echo "tls-auth ta.key 1" >> new-client.ovpn

rm client.ovpn client1.ovpn

  • Copy the above script and save it as "ovpn-split.sh" into the directory holding the "client.ovpn" file.
  • Run $ chmod +x ovpn-split.sh
  • Run the script as $ sh ovpn-split.sh
  • Now you have all the files needed to use KVpnc or NetworkManager clients.
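An added example, not the post's script: a Python version of the same split that finds the inline <ca>/<cert>/<key>/<tls-auth> blocks in whatever order they appear, folds a key-direction value into the tls-auth line, and creates the two key files owner-only (0600) instead of relying on the shell's umask. The client.ovpn below is constructed with placeholder bodies; a missing key-direction defaults to 1, matching the post's script.

```python
import os
import re
# Constructed miniature client.ovpn in the shape Access Server hands out;
# certificate and key bodies are placeholders, not real material.
SAMPLE_OVPN = """\
# Automatically generated OpenVPN client config file
client
remote vpn.example.com 1194
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# inline block tag -> (file the block is written to, directive that replaces it)
BLOCKS = {
    "ca": ("ca.crt", "ca ca.crt"),
    "cert": ("client.crt", "cert client.crt"),
    "key": ("client.key", "key client.key"),
    "tls-auth": ("ta.key", "tls-auth ta.key"),
}

def split_ovpn(text, default_direction="1"):
    """Return (new config text, {filename: block body}) for an inline-blob config."""
    blobs, kept, current, direction = {}, [], None, None
    for line in text.splitlines():
        m = re.fullmatch(r"<(/?)([a-z-]+)>", line.strip())
        if m and m.group(2) in BLOCKS:          # opening or closing tag
            current = None if m.group(1) else m.group(2)
            if current:
                blobs[current] = []
        elif current:                           # inside a block
            blobs[current].append(line)
        elif line.startswith("key-direction"):  # folded into the tls-auth line below
            direction = line.split()[1]
        elif line.strip() and not line.startswith("#"):
            kept.append(line)
    for tag in blobs:
        directive = BLOCKS[tag][1]
        if tag == "tls-auth":
            directive += " " + (direction or default_direction)
        kept.append(directive)
    files = {BLOCKS[t][0]: "\n".join(body) + "\n" for t, body in blobs.items()}
    return "\n".join(kept) + "\n", files

def write_split(text, outdir):
    """Write the pieces to outdir; key material is created owner-only (0600)."""
    config, files = split_ovpn(text)
    os.makedirs(outdir, exist_ok=True)
    for name, body in files.items():
        mode = 0o600 if name.endswith(".key") else 0o644
        fd = os.open(os.path.join(outdir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
    with open(os.path.join(outdir, "new-client.ovpn"), "w") as fh:
        fh.write(config)
    return sorted(files) + ["new-client.ovpn"]
```

Call write_split(open("client.ovpn").read(), ".") in the directory holding the file; unlike the shell script it leaves the original client.ovpn in place.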


How to Backup the Access Server

The main difference between the AS and the open source version is that all the configuration in the AS is stored in an SQLite database. So there is a chance of corrupting the DB if you archive the entire /usr/local/openvpn_as folder while the server is running. If the Access Server is not running, a full archive of the /usr/local/openvpn_as directory is good enough for restoring in case of any disaster.

For this we have the "sqlite3" utility that comes with the AS installation. It is easy to create a DB backup with the sqlite3 command, which lets the user dump the DB files as text files. But for ease of regular use I have written a script which can be run regularly under cron, so that you will have backups of all the DB files in text format.

#!/bin/bash
#
# This script backs up the SQLite DBs using the sqlite3 utility that comes with the OpenVPN AS server.
# Set the script directory
COMMAND=/usr/local/openvpn_as/scripts
# Set the DB directory
DB_DIR=/usr/local/openvpn_as/etc/db
# Set the destination backup directory
BACKUP_DIR=/root/backup_db
#
umask 077                  # the dumps contain certificates, keys and user properties
mkdir -p "$BACKUP_DIR"
for i in certs.db config.db log.db userprop.db
do
    "$COMMAND/sqlite3" "$DB_DIR/$i" .dump > "$BACKUP_DIR/$i.txt"
done
# In order to restore an SQLite DB from text, use the following command syntax:
#
# ./sqlite3 <[TEXT_FILE] [DB_FILE]
#
# While the DBs can be dumped while the Access Server is running, you should stop the Access Server before you restore the DBs.

Wednesday, June 29, 2011

Install (Free) g729 codec on Trixbox CE (asterisk)

g729 is a low bandwidth codec which can operate at a bandwidth as low as 8 kb/s. This tutorial describes how to install the free g729 codec on Trixbox CE.

Download the Codec

Free versions of the g729 codec are available at http://asterisk.hosting.lv/#bin .

Depending on the architecture and the version of Asterisk on your machine, download the correct package from the above site.
To find the Asterisk version and the system processor architecture, use the following commands:

asterisk -V
uname -a
I downloaded the following package, which worked fine for my Xeon dual core processor and Asterisk version 1.4.
[trixbox ~]# wget http://asterisk.hosting.lv/bin/codec_g729-ast14-gcc4-glibc-core2-sse4.so

Rename the codec file

Rename the downloaded file and copy it to the /usr/lib/asterisk/modules directory as follows:
[trixbox ~]# cp codec_g729-ast14-gcc4-glibc-core2-sse4.so /usr/lib/asterisk/modules/codec_g729.so

Reload Asterisk

Load the copied module by issuing the following command on the Asterisk console:
[trixbox ~]# asterisk -r
trixbox*CLI> codec load codec_g729

Check the work

Verify that the codec has been loaded correctly with the following command on the console:
trixbox*CLI> show translation
You will see a line like the one below for g729:

g729 - 2 2 2 2 2 1 3 - 9 10 2 -

If everything went well as mentioned above, we can test the codec by enabling it on an extension as below.

Test the codec working

Login to the web interface and go to PBX-> PBX Settings-> Extensions, choose one extension you wish to enable the codec for, ensure disallow is set to “all” and allow is set to “g729”.

Once the extension is set up to allow g729, you can test whether it’s working properly by having a test call connected and running the command sip show channels:

trixbox*CLI> sip show channels
It will list output like the one below:

192.168.113.35 3245 eefbd3ee-b5 00101/00001 0x100 (g729) No Rx: ACK
We are done.

Troubleshooting

If you didn't see the codec translation as mentioned above, then you probably downloaded the wrong codec; please check again the points mentioned under downloading the codec.

Thursday, May 26, 2011

Setting Time on Cisco & HP switches

Setting the correct time on network devices is a very important step when you configure new equipment. But most people don't care about this in the case of switches and other devices.

But be aware that the correct time on the devices will help you a lot when you refer to logs to find out the details of any issues, access-related items, etc.

Here I am putting some simple commands to configure time on Cisco and HP ProCurve switches.

Adding NTP servers on these devices is the easier and safer way, but if you don't have an NTP server in house and have no interest in using public NTP servers, then you may need to set the time locally.

Cisco

On a Cisco device (switch or router), use the following commands to add NTP servers:

switch01(config)# ntp server 131.107.1.10
switch01(config)# ntp server 202.152.74.200 prefer

prefer marks that server as the preferred one.

And if you want to set it manually on the device, use the following commands.

switch01(config)#clock timezone IST +5

The above command sets the timezone; my time zone is IST and the +5 denotes that it is 5 hours ahead of GMT.

To set the date and time, the command needs to be run in privileged EXEC mode (enable#). The syntax is as follows:

clock set hh:mm:ss <1-31> MONTH <1993-2035>

So we can run the command as follows,

switch01#clock set 18:30:01 26 May 2011

We can check the current time on the switch with the show clock command; the output will be similar to the below.

switch01#show clock
18:31:19.738 IST Thu May 26 2011

HP Procurve

To set up a ProCurve switch to use external NTP servers for time synchronization, use the following commands.

switch02(config)#sntp server 192.43.244.18
switch02(config)#sntp unicast
switch02(config)#timesync sntp

If you prefer to set the time manually, you can use either of the following pairs of commands.

time MM/DD[/[YY]YY]
time HH:MM[:SS]
(OR)
clock set MM/DD[/[YY]YY]
clock set HH:MM[:SS]

switch02(config)# clock set 05/26/2011
switch02(config)# clock set 18:35:01

We can use the show time command to display the current time on the system; the output will be similar to the following.

switch02(config)#show time
Thu May 26 18:58:12 2011

Hope this will help somebody like me, who needs to google several times a day to find valuable information.

Thursday, May 19, 2011

Find dormant accounts on a Linux server

On busy production systems there will be a lot of accounts which may not have been used for long intervals. To find them we have the standard Linux utilities "last" and "lastlog".

The "last" command displays the audit details of the users who logged in to the system, with time frames. On the other hand, "lastlog" displays every user's last login details with the time.

The last command uses the log file /var/log/wtmp for the user data. As on modern Linux systems the wtmp file is rotated on a monthly basis, the last command gives only the current month's statistics.

If we want the last command output to cover yearly statistics, we need to change the rotation configuration in /etc/logrotate.conf as below:

/var/log/wtmp {
    missingok
    monthly    <= change it to "yearly"
    create 0664 root utmp
    rotate 1
}

The following script displays the users who have not logged in during the last 3 calendar months, including the current month. I am sure this will be useful for people like me to get a clear idea of who is not active on the system.

#!/bin/bash
#
# Gives a list of users who have not logged in during the last 3 calendar months
# including the current one.
#
umask 077

THIS_MONTH=$(date +%h)
LAST_MONTH=$(date --date="1 month ago" +%h)
LLAST_MONTH=$(date --date="2 months ago" +%h)

ACTIVE=$(mktemp)    # users seen by last in the three months
ALL=$(mktemp)       # every account in /etc/passwd

last | grep -E " ($THIS_MONTH|$LAST_MONTH|$LLAST_MONTH) " | awk '{print $1}' | sort -u > "$ACTIVE"
awk -F: '{print $1}' /etc/passwd | sort -u > "$ALL"
# comm -13 prints the names only in the second file, i.e. accounts with no login in the period
comm -13 "$ACTIVE" "$ALL"
rm -f "$ACTIVE" "$ALL"


The above script assumes the last command can show user statistics for more than 3 months.

Using "lastlog"

The simple and dirty way to find the dormant accounts on a Linux system is using the "lastlog" command. The following script will do the trick.

#!/bin/bash
#
# Gives a list of users who have not logged in during the last 90 days.
#
PATH=/bin:/usr/bin; export PATH
umask 077
OLD=$(mktemp)     # accounts whose last login is older than 90 days
SEEN=$(mktemp)    # every account that has logged in at least once
lastlog -b 90 | grep -iv Never | awk '{print $1}' | sort -u > "$OLD"
lastlog | grep -iv Never | awk '{print $1}' | sort -u > "$SEEN"
# comm -12 prints the names present in both lists; drop the lastlog header word
comm -12 "$OLD" "$SEEN" | grep -v Username
rm -f "$OLD" "$SEEN"
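An added example, not from the post: the same idea as the lastlog script above, written in Python over constructed lastlog and /etc/passwd samples, so that service accounts with a nologin or false shell are skipped, never-used accounts are reported rather than dropped, and the idle age is returned with each name. The pinned TODAY value is an assumption that keeps the sample reproducible.

```python
from datetime import datetime, timedelta

# Constructed sample `lastlog` output (shadow-utils column layout) and a few
# /etc/passwd lines; "today" is pinned so the result is reproducible.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             pts/0    10.2.2.50        Mon May 16 09:12:33 +0530 2011
alice            tty1                      Wed May 18 14:02:10 +0530 2011
bob              pts/0    10.2.2.52        Fri Jan 14 08:45:00 +0530 2011
carol                                      **Never logged in**
daemon                                     **Never logged in**
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
"""
TODAY = datetime(2011, 5, 19)

def interactive_users(passwd_text):
    """Accounts with a real login shell; nologin/false service accounts are skipped."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].rsplit("/", 1)[-1] not in ("nologin", "false"):
            users.add(fields[0])
    return users

def parse_lastlog(lastlog_text):
    """Map username -> datetime of last login, or None if never logged in."""
    result = {}
    for line in lastlog_text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if not parts:
            continue
        if "**Never logged in**" in line:
            result[parts[0]] = None
            continue
        # The timestamp is always the last six fields: Dow Mon DD HH:MM:SS +ZZZZ YYYY;
        # taking them from the end copes with an empty From column (console logins).
        stamp = " ".join(parts[-6:-2] + parts[-1:])
        result[parts[0]] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return result

def dormant_accounts(lastlog_text, passwd_text, days, today=TODAY):
    """Interactive accounts idle longer than `days`, plus never-used ones, with their age."""
    cutoff = today - timedelta(days=days)
    last = parse_lastlog(lastlog_text)
    dormant = []
    for name in sorted(interactive_users(passwd_text)):
        seen = last.get(name)
        if seen is None:
            dormant.append((name, "never"))
        elif seen < cutoff:
            dormant.append((name, f"{(today - seen).days} days"))
    return dormant

if __name__ == "__main__":
    for name, age in dormant_accounts(SAMPLE_LASTLOG, SAMPLE_PASSWD, 90):
        print(f"{name:<12} {age}")
```

On a real host pass the output of lastlog and the contents of /etc/passwd, with today=datetime.now().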

Friday, July 23, 2010

Mediawiki Migration

This is again something I did as part of our datacenter move from India to the US. We are on the recent release of MediaWiki (1.15.2); I just needed to make a ditto box in the US before shutting down the old one in India. There are plenty of help articles on the Internet which helped me to do this; again I am detailing it here for my future reference and of course it may help somebody like you.

The following are the details of the software versions installed on both the boxes.

MediaWiki 1.15.2
PHP 5.1.6 (apache2handler)
MySQL 5.0.77

Let's start the detailed steps of the migration as follows.

On the old server:
  1. Shut down the Apache server to stop further updates to the wiki (#service httpd stop)
  2. Back up all the content of the Apache web folder (the MediaWiki files) (#tar -zcvf wiki.tar.gz /var/www/html/wiki)
  3. Copy the tar file to the new server
  4. Dump the MySQL database (#mysqldump -u (username) -p(password) wikidb > backup-wikidb.sql)
  5. Copy the dump file to the new server
On the new server:
  1. Restore the database from the backup-wikidb.sql file (#mysql -u (username) -p(password) wikidb < backup-wikidb.sql)
  2. Untar the copied wiki.tar.gz file and copy the wiki directory into the Apache document root (#tar -zxvf wiki.tar.gz; cp -R var/www/html/wiki /var/www/html)
  3. Edit the LocalSettings.php and AdminSettings.php files to match the wikidb and wiki user credentials
  4. Restart the Apache server (#service httpd restart)
  5. If everything went well, browse the wiki and log in with existing user credentials.
Yes, we have finished the move of MediaWiki from the old server to the new server!

Thursday, July 22, 2010

Bugzilla Migration

As part of the datacenter move from India to the US, I had to migrate my Bugzilla installation to a new server in the US.

After some googling I found the steps to do this, but I still had to face some issues, which is the reason for this blog post.

My current Bugzilla installation (ver. 3.0) is heavily customized for our company's purposes, so I had to stick with the same version for now. Following are the steps I followed on both servers.

On the new server:
  1. Download bugzilla-3.0.tar.gz from bugzilla.org (I had this on my old server, so I just copied it from the old to the new server)
  2. Untar the software (#tar -xvf bugzilla-3.2.2.tar.gz)
  3. Rename the extracted directory to bugzilla (#mv bugzilla-3.2.2 bugzilla)
  4. Copy bugzilla to the Apache webroot directory (#cp -R bugzilla /var/www/html)
  5. Change the permissions of the bugzilla folder (#chmod -R 655 bugzilla)
  6. Change the ownership to the Apache web user (#chown -R apache bugzilla)

Now log in to MySQL and create the database and user.

mysql> CREATE DATABASE bugs;

mysql> grant all on bugs.* to bugs@localhost identified by 'Your Password';

mysql> commit;

mysql> quit;

Now go to the bugzilla folder and run the checksetup.pl Perl script, which will tell you which prerequisites need to be installed and how. Here you may need to install a lot of Perl modules, which you can download manually from CPAN and install (perl Makefile.PL; make; make install) or install through the CPAN shell (perl -MCPAN -e shell).

#./checksetup.pl

On the old server:

  1. Copy the data folder (/var/www/html/bugzilla/data) to the new server and replace the existing data folder with it.
  2. Copy the localconfig file from the /var/www/html/bugzilla folder to the new server and replace the existing file with it.
  3. Use mysqldump to make a backup of the bugs database. For a typical Bugzilla setup, such a command might look like this:
    mysqldump -u(username) -p(password) bugs > bugzilla-backup.sql
  4. Copy the bugzilla-backup.sql file to the new server.
On the new server:
  1. Restore the MySQL data backup from the bugzilla-backup.sql file with the following command.
    mysql -u (username) -p(password) bugs < /path/to/bugzilla-backup.sql
If you get an error about "packet too large" or "mysql server has gone away", you need to adjust the max_allowed_packet setting in your my.cnf (usually /etc/my.cnf) file to be larger than the largest attachment ever added to your Bugzilla.

If everything went well, run the "./checksetup.pl" script again and double-check that everything is smooth.

Now go to the web URL and try to log in with your existing username and password.

Yes, now we have finished the migration from the old server to the new one.


Cheers !!!!!