The below is a step-by-step guide on creating an IPsec VPN connection to/from a Cisco router. This particular configuration has been tested working with a Palo Alto firewall as a VPN endpoint device.
Uppercase placeholders (such as PRE-SHARED-KEY and VPN-ENDPOINT-IP) are values that need to be defined by the user.
1. Create an Internet Key Exchange (IKE) policy
CiscoRouter(config)#crypto isakmp policy 6
CiscoRouter(config-isakmp)#authentication pre-share
CiscoRouter(config-isakmp)#hash md5
2. Enter the pre-shared key & VPN endpoint address
CiscoRouter(config)#crypto isakmp key PRE-SHARED-KEY address VPN-ENDPOINT-IP
3. Set the IPsec lifetime
CiscoRouter(config)#crypto ipsec security-association lifetime seconds 86400
4. Specify the transform set name and encryption type (esp-xxx: select the transforms appropriate to your configuration; the peer must offer the same set). 3DES and MD5, as shown here, are legacy algorithms; prefer AES and SHA where the peer supports them.
CiscoRouter(config)#crypto ipsec transform-set YOUR-SET-NAME esp-3des esp-md5-hmac
5. Configure an extended access-list that selects the traffic to be encrypted. In this case 192.168.0.0/24 is the local network and 10.0.0.0/8 is the remote network. Note that IOS access-lists take wildcard (inverse) masks, so a /24 is written as 0.0.0.255 and a /8 as 0.255.255.255.
CiscoRouter(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
6. Create a crypto map
CiscoRouter(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
CiscoRouter(config-crypto-map)#set peer VPN-ENDPOINT-IP
CiscoRouter(config-crypto-map)#set transform-set YOUR-SET-NAME
CiscoRouter(config-crypto-map)#set pfs group2
CiscoRouter(config-crypto-map)#match address 100
7. Apply the crypto map to the external (VPN endpoint) interface. Enter interface configuration mode first; OUTSIDE-INTERFACE is a placeholder for the name of your internet-facing interface.
CiscoRouter(config)#interface OUTSIDE-INTERFACE
CiscoRouter(config-if)#crypto map MAPNAME
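As an added example (not part of the original guide), a small Python helper that renders the step 5 crypto access-list from CIDR prefixes and checks an existing line against the networks the tunnel is meant to carry. The sample ACL line inside it is constructed to show the wildcard-mask slip (0.0.255.255 for a /24) that leaves the Cisco traffic selector disagreeing with the Palo Alto proxy IDs, so phase 2 never establishes.

```python
import ipaddress
import re

# Cisco extended ACLs take wildcard (inverse) masks: a 0 bit must match, a 1 bit is "don't care".
def cidr_to_wildcard(cidr: str) -> tuple[str, str]:
    """'192.168.0.0/24' -> ('192.168.0.0', '0.0.0.255')."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Invert the wildcard to a netmask; ValueError for non-contiguous wildcards no peer can express as a proxy ID."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)  # IOS masks host bits off too

def crypto_acl(acl_number: int, local_cidr: str, remote_cidr: str) -> str:
    """Render the crypto ACL line that selects local -> remote traffic for the tunnel."""
    lnet, lwc = cidr_to_wildcard(local_cidr)
    rnet, rwc = cidr_to_wildcard(remote_cidr)
    return f"access-list {acl_number} permit ip {lnet} {lwc} {rnet} {rwc}"

_OCTETS = r"(\d{1,3}(?:\.\d{1,3}){3})"
_ACL_RE = re.compile(rf"access-list\s+\d+\s+permit\s+ip\s+{_OCTETS}\s+{_OCTETS}\s+{_OCTETS}\s+{_OCTETS}\s*$")

def acl_to_cidrs(line: str) -> tuple[str, str]:
    """Parse a network-to-network 'permit ip' line back into (local_cidr, remote_cidr)."""
    m = _ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple network-to-network permit ip line: {line!r}")
    lnet, lwc, rnet, rwc = m.groups()
    return str(wildcard_to_network(lnet, lwc)), str(wildcard_to_network(rnet, rwc))

def check_crypto_acl(line: str, intended_local: str, intended_remote: str) -> list[str]:
    """List mismatches between what the ACL selects and the prefixes the tunnel should carry
    (these must equal the peer's proxy IDs, or the IPsec SA is never negotiated)."""
    actual_local, actual_remote = acl_to_cidrs(line)
    want_local = str(ipaddress.IPv4Network(intended_local))
    want_remote = str(ipaddress.IPv4Network(intended_remote))
    problems = []
    if actual_local != want_local:
        problems.append(f"local selector is {actual_local}, intended {want_local}")
    if actual_remote != want_remote:
        problems.append(f"remote selector is {actual_remote}, intended {want_remote}")
    return problems

if __name__ == "__main__":
    # Constructed sample: a /24 LAN entered with the /16 wildcard 0.0.255.255.
    bad = "access-list 100 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255"
    print(check_crypto_acl(bad, "192.168.0.0/24", "10.0.0.0/8"))
    print(crypto_acl(100, "192.168.0.0/24", "10.0.0.0/8"))
```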
Troubleshooting commands
show crypto isakmp sa (IKE phase 1 security associations)
show crypto ipsec sa (IPsec phase 2 security associations and encrypt/decrypt counters)
show crypto map (the crypto map, peer, transform set and matching access-list)
show crypto session (summary of current VPN sessions)