Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-4

See the previous tutorial, Part-3 of this design series, for the work done so far.

In this tutorial, I am going to add vpn12745 on both the lahorir3 and karair3 PE routers. This is a stretched VPN, so it needs to be configured on both PEs (lahorir3 and karair3). vpn12745 will hold the incoming routes from the subnets behind the virtual data centre firewalls. I will use eBGP between the karacf3/lahorcf3 Cisco ASAv firewalls and the karair3/lahorir3 PE routers inside vpn12745, so that the customer's offices can reach their subnets in the virtual cloud hosted in the Karachi and Lahore data centres.

I will add a second VPN, vpn12725, on both PE routers (karair3/lahorir3). This is again a stretched VPN and will carry the incoming routes from the two customer office locations (the PTCL Karachi and Lahore offices). These offices are connected to the PE routers (karair3/lahorir3) through a WAN link provider. The customer uses their own routers (lahoregw1 and karachigw1) to establish eBGP sessions with these PE routers (karair3/lahorir3) and reach their subnets in the virtual clouds dc-lahore/dc-karachi, hosted in the Karachi and Lahore data centres.

As part of adding these two VPNs, I will also leak routes between them (vpn12725 and vpn12745) and filter the routes that pass between them.

Final Topology

LAN users in the customer's Lahore and Karachi offices connect to a Layer-3 Ethernet switch (ESW1 and ESW2); I am using a 3700 series switch in this design. R1 and R2 provide failover protection, so HSRP runs between R1 and R2. Similarly, the gateway routers karachigw1 and lahoregw1 provide failover protection and run HSRP between them.

Once configured, the customer's routers lahoregw1/karachigw1 should be able to ping the relevant firewall interfaces in their data centres: karacf3 (dc-karachi, interface service VLAN 102) and lahorcf3 (dc-lahore, interface service VLAN 103).

So I will go through the following steps to build on the design discussed above.

  1. Add the vpn12745 layer-3 VPN on karair3/lahorir3 and establish eBGP peering with the karair3/lahorir3 virtual data centre firewalls.

root@karair3> show configuration groups vpn12745 | display set
set groups vpn12745 interfaces em3 unit 112 description vpn=12745
set groups vpn12745 interfaces em3 unit 112 vlan-id 112
set groups vpn12745 interfaces em3 unit 112 family inet address 10.236.7.169/29
set groups vpn12745 interfaces em3 unit 112 family mpls
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 0 then next term
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from interface em3.112
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 description vpn=12745
set groups vpn12745 routing-instances vpn12745 instance-type vrf
set groups vpn12745 routing-instances vpn12745 interface em3.112
set groups vpn12745 routing-instances vpn12745 route-distinguisher 65000:12745
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 vrf-table-label
set groups vpn12745 routing-instances vpn12745 routing-options auto-export
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 type external
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 export vpn12745-export-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 peer-as 65119
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.171

root@lahorir3> show configuration groups vpn12745 | display set
set groups vpn12745 interfaces em3 unit 113 description vpn=12745
set groups vpn12745 interfaces em3 unit 113 vlan-id 113
set groups vpn12745 interfaces em3 unit 113 family inet address 10.236.7.177/29
set groups vpn12745 interfaces em3 unit 113 family mpls
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 0 then next term
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from interface em3.113
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 description vpn=12745
set groups vpn12745 routing-instances vpn12745 instance-type vrf
set groups vpn12745 routing-instances vpn12745 interface em3.113
set groups vpn12745 routing-instances vpn12745 route-distinguisher 65000:12745
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 vrf-table-label
set groups vpn12745 routing-instances vpn12745 routing-options auto-export
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 type external
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 export vpn12745-export-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 peer-as 65119
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.179

  2. Add the vpn12725 layer-3 VPN on karair3/lahorir3 and establish eBGP peering with the customer's routers karachigw1 and lahoregw1.

root@lahorir3> show configuration groups vpn12725 | display set
set groups vpn12725 interfaces em0 vlan-tagging
set groups vpn12725 interfaces em0 unit 117 description vpn=12725
set groups vpn12725 interfaces em0 unit 117 vlan-id 117
set groups vpn12725 interfaces em0 unit 117 family inet address 19.19.19.1/29
set groups vpn12725 interfaces em0 unit 117 family mpls
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 0 then next term
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from interface em0.117
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 then preference 4
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 description vpn=12725
set groups vpn12725 routing-instances vpn12725 instance-type vrf
set groups vpn12725 routing-instances vpn12725 interface em0.117
set groups vpn12725 routing-instances vpn12725 route-distinguisher 65000:12725
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 vrf-table-label
set groups vpn12725 routing-instances vpn12725 routing-options auto-export
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 type external
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 authentication-key cisco123
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 export vpn12725-export-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 peer-as 65120
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 19.19.19.2

root@karair3> show configuration groups vpn12725 | display set
set groups vpn12725 interfaces em1 vlan-tagging
set groups vpn12725 interfaces em1 unit 116 description vpn=12725
set groups vpn12725 interfaces em1 unit 116 vlan-id 116
set groups vpn12725 interfaces em1 unit 116 family inet address 18.18.18.1/29
set groups vpn12725 interfaces em1 unit 116 family mpls
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 0 then next term
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from interface em1.116
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 then preference 4
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 description vpn=12725
set groups vpn12725 routing-instances vpn12725 instance-type vrf
set groups vpn12725 routing-instances vpn12725 interface em1.116
set groups vpn12725 routing-instances vpn12725 route-distinguisher 65000:12725
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 vrf-table-label
set groups vpn12725 routing-instances vpn12725 routing-options auto-export
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 type external
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 authentication-key cisco123
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 export vpn12725-export-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 peer-as 65120
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 18.18.18.2 passive
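
To see what the import policies above actually do with a route, here is a small evaluator (an added example, not the author's configuration or any Juniper tool) that parses the set-format lines into terms and applies a subset of JUNOS policy semantics: each term's from conditions, accept/reject termination, fall-through for non-terminating actions such as preference, and the role-based default (reject for a vrf-import policy, accept for the CE-facing BGP import policy). The configuration it reads is constructed from the karair3 output above, keeping only the import policies and communities, and route-filter matching covers only the exact type used here.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed from the karair3 'display set' output above: only the import
# policies and communities of the vpn12745 and vpn12725 groups are kept.
CONFIG = """\
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
"""

POLICY_RE = re.compile(r"policy-statement (\S+) term (\S+) (from|then) (.+)$")
COMMUNITY_RE = re.compile(r"policy-options community (\S+) members (\S+)$")


def parse(config):
    """Map each policy to its terms (kept in config order) and each community to its member."""
    policies, communities = {}, {}
    for line in config.splitlines():
        if m := POLICY_RE.search(line):
            name, term_id, clause, rest = m.groups()
            term = policies.setdefault(name, {}).setdefault(
                term_id, {"from": defaultdict(list), "then": []})
            if clause == "from":
                key, _, value = rest.partition(" ")
                term["from"][key].append(value)
            else:
                term["then"].append(rest)
        elif m := COMMUNITY_RE.search(line):
            communities[m.group(1)] = m.group(2)
    return policies, communities


def term_matches(conditions, route, communities):
    """All 'from' keys must match (values under one key are ORed); no 'from' matches every route."""
    for key, values in conditions.items():
        if key == "protocol":
            ok = route["protocol"] in values
        elif key == "community":
            ok = any(communities[n] in route["communities"] for n in values)
        elif key == "route-filter":  # only the 'exact' match type used on the page
            ok = any(v.split()[1] == "exact" and ip_network(route["prefix"]) == ip_network(v.split()[0])
                     for v in values)
        else:
            raise ValueError(f"match condition not modelled: {key}")
        if not ok:
            return False
    return True


def evaluate(policies, communities, policy, route, default):
    """Terms run in order; 'accept'/'reject' terminate, while 'next term' and
    non-terminating actions (preference, community add) fall through to the
    next term. If nothing terminates, the policy's default action applies."""
    for term in policies[policy].values():
        if term_matches(term["from"], route, communities):
            for action in term["then"]:
                if action in ("accept", "reject"):
                    return action
    return default


POLICIES, COMMUNITIES = parse(CONFIG)


def route(prefix, protocol="bgp", *targets):
    return {"prefix": prefix, "protocol": protocol, "communities": set(targets)}


def check(policy, rt):
    """JUNOS default: a vrf-import policy rejects, a BGP neighbour import policy accepts."""
    default = "accept" if policy.endswith("-import-ce") else "reject"
    return evaluate(POLICIES, COMMUNITIES, policy, rt, default)


if __name__ == "__main__":
    for policy, rt in [
        ("vpn12745-import-ce", route("0.0.0.0/0")),
        ("vpn12745-import-ce", route("10.141.33.96/28")),
        ("vpn12725-import-vrf", route("10.236.7.168/29", "bgp", "target:65000:12745")),
        ("vpn12745-import-vrf", route("10.236.7.176/29", "bgp", "target:65000:12745")),
    ]:
        print(f"{policy:20} {rt['prefix']:18} {sorted(rt['communities'])} -> {check(policy, rt)}")
```

Running it shows that vpn12745-import-ce lets only the 0.0.0.0/0 default in from the firewall while vpn12725-import-ce accepts anything the customer router announces, and that vpn12745-import-vrf accepts the vpn12725 target but not a route carrying only target:65000:12745, so the other PE's vpn12745 routes are not imported into the vpn12745 table. Check that against what a stretched VPN is meant to provide here.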

  3. The customer aggregation switches karais3 and lahoris3 are configured as follows:

karais3#
!
interface FastEthernet1/0
 description to_karair3:em1
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet1/1
 description to_karachigw1:f0/0
 switchport mode trunk
 duplex full
 speed 100
!

karais3#sh int trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1
Fa1/1     on           802.1q         trunking      1
Port      Vlans allowed on trunk
Fa1/0     1-4094
Fa1/1     1-4094
Port      Vlans allowed and active in management domain
Fa1/0     1,116
Fa1/1     1,116
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,116
Fa1/1     1,116

lahoris3#
!
interface FastEthernet1/0
 description to_lahorir3:em0
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/1
 description to_lahoregw1:fa0/0
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!

lahoris3#sh int trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1
Fa1/1     on           802.1q         trunking      1
Port      Vlans allowed on trunk
Fa1/0     1-1005
Fa1/1     1-1005
Port      Vlans allowed and active in management domain
Fa1/0     1,117
Fa1/1     1,117
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,117
Fa1/1     1,117

  4. The customer-managed routers karachigw1/lahoregw1, in the customer's Karachi and Lahore offices, are configured as follows:

karachigw1#

!
interface FastEthernet0/0.116
 description to_karair3
 encapsulation dot1Q 116
 ip address 18.18.18.2 255.255.255.248
!
!
router bgp 65120
 no synchronization
 bgp log-neighbor-changes
 network 18.18.18.0 mask 255.255.255.248
 neighbor 18.18.18.1 remote-as 65000
 neighbor 18.18.18.1 password cisco123
 neighbor 18.18.18.1 soft-reconfiguration inbound
 no auto-summary
!         
ip route 10.141.33.96 255.255.255.240 18.18.18.1
ip route 18.18.18.0 255.255.255.248 Null0
!
lahoregw1#
!
interface FastEthernet0/0.117
 description to_lahoris3
 encapsulation dot1Q 117
 ip address 19.19.19.2 255.255.255.248
!

router bgp 65120
 no synchronization
 bgp router-id 19.19.19.2
 bgp log-neighbor-changes
 network 19.19.19.0 mask 255.255.255.248
 neighbor 19.19.19.1 remote-as 65000
 neighbor 19.19.19.1 password cisco123
 neighbor 19.19.19.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
ip route 10.141.212.144 255.255.255.240 19.19.19.1
ip route 19.19.19.0 255.255.255.248 Null0
!

Now let's ping from the customer-managed routers karachigw1 and lahoregw1 to the cloud firewall interfaces karacf3/lahorcf3 in dc-karachi and dc-lahore respectively.

lahoregw1#ping 10.236.7.179
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.236.7.179, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms
lahoregw1#
karachigw1#ping 10.236.7.171
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.236.7.171, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms
karachigw1#

We now have IP reachability from the customer's offices in Lahore and Karachi to their dc-lahore and dc-karachi firewalls.

Netscreen useful commands

Here is a list of some useful Netscreen commands:

1. Search for a virtual firewall (vsys) context from the main (root) context:
get conf | i context-name

2. Enter the vsys context:
enter vsys context-name

3. Identify whether a policy allows or denies packets from a source to a destination for a given service:
get policy src-ip x.x.x.x dst-ip x.x.x.x "service name eg HTTPS"

4. Define an IP address in a zone:
set address "zone-name" "address-book-name" x.x.x.x 255.255.255.255

5. Define a group in a zone and add an address into group:
set group address "zone-name" "Public_Networks"
set group address "zone-name" "Public_Networks" add "address-book-name"

6. Define a service/port and add it into a group (optional):
set service "tcp_41458" protocol tcp src-port 0-65535 dst-port 41458-41458
set group service "TCP_Citrix" add "tcp_41458"

7. Define a policy permitting HTTPS traffic from the inside zone to the outside zone, source-NAT the outgoing traffic and log it, letting the policy ID be created automatically:
set policy top from "inside" to "outside" "inside-address-book-name" "outside-address-book-name" "HTTPS" nat src permit log

8. Define a policy with a manually chosen ID:
set policy id 102 from "inside" to "outside" "inside-address-book-name" "outside-address-book-name" "HTTPS" permit log

9. Add an additional service, "DNS", to the existing policy 102:
set service "DNS" protocol tcp src-port 0-65535 dst-port 53-53
set policy id 102
set service "DNS"
exit

10. Unset (delete) the existing policy 102:
unset policy id 102

11. Check a general overview of the configured VPNs:
netscreen(M)-> get vpn

12. Confirm Phase 1:
To confirm whether IKE has been successful, run the following command. You may find that there is no IKE cookie but there is a Phase 2 Security Association; this is because the Phase 1 IKE lifetime is set to a value less than the Phase 2 lifetime.
netscreen(M)->get ike cookie | i [remote peer ip]
81182f/0003, [REMOTE-PEER-IP]:500->[LOCAL-PEER-IP]:500, PRESHR/grp5/AES128/SHA, xchg(5) (VPN-gateway/grp-1/usr-1)

13. Confirm Phase 2:
The get sa command shows the status and other details of the Security Associations. The Sta column shows the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active (A) and the VPN monitor is dashed out (-) because it is not enabled.
netscreen(M)-> get sa | i [peer ip]
00000007<       [peer ip]  500 esp:3des/md5  zbcA14zz  3317 unlim A/-    22 0
00000007>       [peer ip]  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

Using the SA ID we can confirm additional details of the Phase 2 SA.

netscreen(M)-> get sa id 0x00000007
index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0   site-to-site. Local interface is ethernet5 
<[local peer]>.
  esp, group 0, a256 encryption, sha1 authentication
  autokey, IN active, OUT active
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x2067
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
  ike activity timestamp: 590051543
nat-traversal map not available
incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
  life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
  next pak sequence number: 0x0
outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
  life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
  next pak sequence number: 0x89j9c

14. Rekeying a VPN / clearing the SAs
To rekey a Netscreen VPN you need to clear either the Phase 1 or the Phase 2 "keys" from the gateway: Phase 1 being the IKE cookies and Phase 2 the SAs (Security Associations).

To see an overview of your VPNs, run:
get vpn

To find the current IKE cookies or SAs, run either of the following commands:
get ike cookies 
get sa active

To clear either of these, run one of the following commands:
clear ike-cookie [gateway ip] 
clear sa [id] 

Below is an example of clearing a VPN's SAs:

ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d167f  3317 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

ns5gt-> clear sa 00000007
ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d1680  3592 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  bd1cbef7  3592 unlim A/-    -1 0

The main thing to ensure is that you list only the active SAs, as the firewall will not let you clear inactive SAs. You can tell they are active because the "Sta" (state) column shows A/-. Also note that the hex ID is what the clear sa command takes.

15. Running a debug
Here we run a debug to obtain a more verbose view of what is happening to our traffic.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint] 
netscreen(M)-> undebug all
netscreen(M)-> clear db
netscreen(M)-> debug ike basic
netscreen(M)-> debug flow basic
netscreen(M)-> get db str
!
!
Permitted by policy 109
  No src xlate   choose interface ethernet5 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
  vsd 0 is active
  no loop on ifp ethernet5.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in , out 
  existing vector list 25-6870620.
  Session (id:127345) created for first pak 25
  flow_first_install_session======>
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet2
  [Dest] 10.route [local endpoint]->[next hop], to ethernet2
  route to [next hop]
  nsrp msg sent.
  flow got session.
  flow session id 127345
  vsd 0 is active
  skipping pre-frag 
  going into tunnel 40000266.
  flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000266
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
    put packet(557a0f0) into flush queue.
    remove packet(557a0f0) out from flush queue.

If the tunnel does not come up, filter the IKE debug on the peer and use the detailed IKE debug:
netscreen(M)-> set sa-filter [IP]
netscreen(M)-> debug ike detail

16. Event logs
In addition to checking the logs to see that traffic is being passed, you can look for Phase 1 and Phase 2 errors in the device's event log:

netscreen(M)-> get event include [peer ip]

Cisco ASA Basic Configuration

This is a base configuration template that can be used as a starting point for building Cisco ASA firewalls. Enjoy!!!

!
username admin password mypassword privilege 15
hostname <hostname>
!
enable password mypassword
!
clock timezone GMT/BST 0
clock summer-time BST recurring 1 Sun Apr 3:00 last Sun Oct 2:00
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x
!
interface Management0/0
nameif management
security-level 100
ip address x.x.x.x
management-only
!
pager lines 24
logging enable
logging timestamp
logging standby
logging buffered informational
logging trap informational
logging asdm informational
logging facility 23
logging queue 250
!
logging host management x.x.x.x
!

logging host inside x.x.x.x
!
mtu inside 1500
mtu management 1500
mtu outside 1500
!
route management x.x.x.x x.x.x.x x.x.x.x
route inside x.x.x.x x.x.x.x x.x.x.x
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host x.x.x.x
 key mytacacskey
aaa-server TACACS+ (management) host x.x.x.x
 key mytacacskey
!
aaa authentication ssh console TACACS+ 
aaa authentication telnet console TACACS+ 
aaa authentication http console TACACS+ 
aaa authentication serial console TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+

or

aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+ LOCAL
aaa accounting enable console TACACS+ LOCAL
aaa accounting serial console LOCAL
aaa accounting ssh console TACACS+ LOCAL

snmp-server host inside x.x.x.x community <community-string>

or

snmp-server host inside x.x.x.x
snmp-server community <community-string>
snmp-server location <location>
snmp-server contact <contact>
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
!
policy-map global_policy
class inspection_default
inspect icmp
!

Renew SSL Certificate on Stingray Loadbalancer

Once the SSL certificate on a Stingray/Brocade/Zeus load balancer is approaching expiry, an alert is generated on the load balancer in advance to tell you to take action.

If you receive a .pfx certificate from the customer, you need to convert it before it can be imported into the Stingray load balancer. Note that a .pfx file contains both the public certificate and the private key, and the .pfx extension is associated with Microsoft servers. The private key in the .pfx file received from the customer is encrypted with a password, so the customer will also provide that password so you can decrypt it before installing it on the Stingray load balancer.

All you need is access to any Unix machine with openssl installed. Then follow these steps:

Extracting the private key from a PKCS12 file:

openssl pkcs12 -in certificate.from.customer.pfx -nocerts -out key.pem -nodes

If you omit the -nodes flag, openssl will prompt you for an encryption password to protect the private key; Stingray does not support such encrypted keys. If you inadvertently create an encrypted key, you can generate the decrypted version as follows:

openssl rsa -in key.pem -out key.decrypted.pem

Extracting the certificate from a PKCS12 file:

openssl pkcs12 -in certificate.from.customer.pfx -nokeys -out cert.pem
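
The steps above as a script (an added example, not from the original post): it runs the same openssl extraction commands, detects the encrypted-key mistake described above and applies the openssl rsa fix, and refuses to hand over a key that does not belong to the certificate. It assumes the openssl binary is on PATH; the customer .pfx it works on is a constructed self-signed fixture, not a real customer file.

```python
import functools
import hashlib
import subprocess
import tempfile
from pathlib import Path


def openssl(*args, stdin=None):
    """Run one openssl command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True, check=True).stdout


def extract_pfx(pfx, password, outdir, nodes=True):
    """The two extraction commands from the post. nodes=False reproduces the
    mistake of omitting -nodes: the key is then written password-protected."""
    key, cert = Path(outdir, "key.pem"), Path(outdir, "cert.pem")
    key_args = ["-nodes"] if nodes else ["-passout", f"pass:{password}"]
    openssl("pkcs12", "-in", str(pfx), "-passin", f"pass:{password}", "-nocerts", *key_args, "-out", str(key))
    openssl("pkcs12", "-in", str(pfx), "-passin", f"pass:{password}", "-nokeys", "-clcerts", "-out", str(cert))
    return key, cert


def key_is_encrypted(key_path):
    """Stingray rejects a key that still carries an ENCRYPTED PRIVATE KEY header."""
    return b"ENCRYPTED" in Path(key_path).read_bytes()


def decrypt_key(key_path, password, out_path):
    """The post's recovery step: openssl rsa -in key.pem -out key.decrypted.pem."""
    openssl("rsa", "-in", str(key_path), "-passin", f"pass:{password}", "-out", str(out_path))
    return Path(out_path)


def public_key_digest(pem_path, is_cert):
    """SHA-256 of the DER SubjectPublicKeyInfo taken from a key file or a cert file."""
    if is_cert:
        pub_pem = openssl("x509", "-in", str(pem_path), "-noout", "-pubkey")
        der = openssl("pkey", "-pubin", "-outform", "DER", stdin=pub_pem)
    else:
        der = openssl("pkey", "-in", str(pem_path), "-pubout", "-outform", "DER")
    return hashlib.sha256(der).hexdigest()


def key_matches_cert(key_path, cert_path):
    """True when the extracted key really belongs to the extracted certificate."""
    return public_key_digest(key_path, False) == public_key_digest(cert_path, True)


def cert_valid_for(cert_path, seconds):
    """openssl x509 -checkend exits 0 only if the cert is still valid 'seconds' from now."""
    r = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout", "-checkend", str(seconds)],
                       capture_output=True)
    return r.returncode == 0


def prepare_for_stingray(pfx, password, outdir):
    """Extract, repair an encrypted key if one was produced, refuse a mismatched pair."""
    key, cert = extract_pfx(pfx, password, outdir)
    if key_is_encrypted(key):
        key = decrypt_key(key, password, Path(outdir, "key.decrypted.pem"))
    if not key_matches_cert(key, cert):
        raise ValueError("private key does not belong to the certificate in the .pfx")
    return {"key": key, "cert": cert, "valid_7_days": cert_valid_for(cert, 7 * 86400)}


def make_sample_pfx(outdir, password, days=30):
    """Constructed fixture: a self-signed cert bundled the way a customer's .pfx is."""
    key, crt, pfx = (Path(outdir, n) for n in ("orig.key", "orig.crt", "customer.pfx"))
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key), "-out", str(crt),
            "-subj", "/CN=vip.example.test", "-days", str(days))
    openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(crt), "-out", str(pfx),
            "-passout", f"pass:{password}")
    return pfx


@functools.lru_cache(maxsize=None)
def demo():
    """Round trip on the constructed .pfx, including the omitted -nodes mistake."""
    with tempfile.TemporaryDirectory() as tmp:
        pfx = make_sample_pfx(tmp, "customer-pass")
        good = prepare_for_stingray(pfx, "customer-pass", tmp)
        enc_dir = Path(tmp, "no-nodes")
        enc_dir.mkdir()
        enc_key, _ = extract_pfx(pfx, "customer-pass", enc_dir, nodes=False)
        fixed = decrypt_key(enc_key, "customer-pass", enc_dir / "key.decrypted.pem")
        return {
            "encrypted_with_nodes": key_is_encrypted(good["key"]),
            "encrypted_without_nodes": key_is_encrypted(enc_key),
            "pair_matches": key_matches_cert(good["key"], good["cert"]),
            "decrypted_key_ok": not key_is_encrypted(fixed) and key_matches_cert(fixed, good["cert"]),
            "valid_7_days": good["valid_7_days"],
            "valid_60_days": cert_valid_for(good["cert"], 60 * 86400),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```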

Now go to the load balancer's SSL tab and import the cert.pem and key.decrypted.pem files. The newly imported certificate then appears in the list of available SSL certificates.

You now need to attach the newly imported certificate to the VIP/Pool.

  1. Just go into the Catalog>SSL tab and select your certificate that is expiring.
  2. Then click on the VIP/Pool linked to the certificate that is expiring.
  3. Select the newly imported certificate from the drop-down list of available certificates and click update at the bottom of the page.

The load balancer alert about certificate expiry should now be cleared. You can check this in the event logs in the load balancer tab; activating the new certificate causes the alert to go from amber to green.

TCP Handshake as seen from ASA

When troubleshooting connection timeouts on a Cisco ASA, there are a few things worth looking at if you need to investigate in more detail, such as the TCP handshake flags shown below. You may have syslog enabled on the firewall, which can give a clue about what is going on, but looking at the firewall in real time shows you the open, active and inactive TCP (or even UDP) sessions directly.

Look at each flag and use it to root-cause the timeouts.

(Figure: TCP ASA messages)

Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-3

In this tutorial, I am going to explain the Cloud firewall configuration and connectivity in more detail.

Final Topology

(Figure: final topology diagram)

  • Interface e1/0 (Gi0/0) on both firewalls is configured as a trunk interface carrying multiple VLANs via sub-interfaces in the trusted zone, towards core switch karais3 fa1/0 and lahoris3 fa1/0.
  • Interface e2/0 (Gi0/1) on both firewalls is likewise configured with a sub-interface and placed in the untrusted zone, towards core switch karais3 fa1/2 and lahorcf3 fa1/2. This link carries traffic to the internet.
  • Both firewalls are connected to the core switches (karais3 and lahoris3) on trunk ports fa1/2 and fa1/0 to carry multiple VLANs.
  • To test connectivity between the LAN interfaces behind the firewalls, I have placed a VPCS host named Service-vlan102, IP address 10.141.33.98/28, in VLAN 102 on access port Fa1/14 of the karais3 switch at dc-karachi. Similarly, Service-vlan103 (10.141.212.147/28) is connected to lahoris3 switch port F1/14 at dc-lahore in VLAN 103. These two hosts are in the LAN subnets behind the cloud firewalls, for which we have also created static routes in our VPN configuration (vpn12729 and vpn12730). So ideally these two hosts should be able to ping each other.

Configuration of both Firewalls (karacf3 and lahorcf3) is below:

karacf3
=======

!
interface GigabitEthernet0/0.100
 vlan 100
 nameif s2s
 security-level 100
 ip address 10.144.213.92 255.255.255.248 
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif service
 security-level 100
 ip address 10.141.33.97 255.255.255.240 
!
route s2s 10.141.212.144 255.255.255.240 10.144.213.90 1
route s2s 10.144.253.120 255.255.255.248 10.144.213.90 1
!

lahorcf3
========

!
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif s2s
 security-level 100
 ip address 10.144.253.124 255.255.255.248 
!
interface GigabitEthernet0/0.103
 vlan 103
 nameif service
 security-level 100
 ip address 10.141.212.145 255.255.255.248 
!
route s2s 10.141.33.96 255.255.255.240 10.144.253.122 1
route s2s 10.144.213.88 255.255.255.248 10.144.253.122 1
!

To test connectivity between the Service-vlan102 and Service-vlan103 test machines in dc-karachi and dc-lahore, I performed the following tests:

  1. PING from karair3 VRF vpn12729 to the Firewall karacf3 interface 10.144.213.92/29 – testing okay.
  2. PING from karair3 VRF vpn12729 to the Firewall lahorcf3 interface 10.144.253.124/29 – testing okay.
  3. PING from karair3 VRF vpn12729 to Service-vlan102 test machine in Service VLAN 102 – IP address 10.141.33.98/28 – testing okay in dc-karachi.
  4. PING from Service-vlan102 test machine in Service VLAN 102 at dc-karachi to Service-vlan103 test machine in VLAN 103 at dc-lahore – testing okay.

NOTE:

If you are failing to ping between the test machines, check whether the PEs are receiving the next-hop information in their routing tables, and whether the Route Reflector has the next-hop information in its bgp.l3vpn.0 table as well. If the RR has the routes but you still cannot ping, the PEs have received the routes from the RR but did not populate their vpn12730.inet.0 and vpn12729.inet.0 tables with next-hop information, and hence no transport MPLS label was assigned. In that case the ping was being dropped at the Route Reflector because the PE does not know what the next hop is.

To fix this, you can try a few things:

  1. Add next-hop resolution via inet.0 or inet.3 (see the Juniper documentation on Route Reflector next-hop resolution). You may only need this if your Route Reflector is not within the core; consult the Juniper documentation or other resources online.
  2. Make sure the MP-BGP peering between the PEs (karair3 and lahorir3) and the RR (pakcore) is sourced from the loopback interfaces.
  3. Reboot the P and PE routers one by one and see if this makes a difference.

For our configuration, the routing table at the Route Reflector looks as follows, showing that we have learned the routes from both PE routers for vpn12729 and vpn12730:

root@pakcore> show route table bgp.l3vpn.0 
bgp.l3vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
65000:12729:10.141.33.96/28                
                   *[BGP/170] 00:03:09, localpref 100, from 1.1.1.1
                      AS path: I
                    > to 40.50.60.1 via em0.0, Push 16
65000:12729:10.144.213.88/29                
                   *[BGP/170] 00:03:09, localpref 100, from 1.1.1.1
                      AS path: I
                    > to 40.50.60.1 via em0.0, Push 16
65000:12730:10.141.212.144/28                
                   *[BGP/170] 00:03:05, localpref 100, from 3.3.3.3
                      AS path: I
                    > to 10.20.30.1 via em1.0, Push 16
65000:12730:10.144.253.120/29                
                   *[BGP/170] 00:03:05, localpref 100, from 3.3.3.3
                      AS path: I
                    > to 10.20.30.1 via em1.0, Push 16
root@pakcore>

Looking at the vpn12729 routing table on PE karair3, each route learned from the remote DC now has two MPLS labels. The inner label identifies the VPN in the MPLS core, and the top label is the MPLS transport label (LDP in our case).

root@karair3> show route table vpn12729.inet.0    
vpn12729.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[Static/5] 00:57:06
                    > to 10.144.213.92 via em3.100
10.141.212.144/28  *[BGP/170] 00:56:32, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
10.144.213.88/29   *[Direct/0] 00:57:06
                    > via em3.100
10.144.213.90/32   *[Local/0] 00:57:07
                      Local via em3.100
10.144.253.120/29  *[BGP/170] 00:56:32, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
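The check described in the NOTE above, as an added example that is not part of the original post: it scans a captured `show route table <vrf>.inet.0` like the one just shown and reports, for every BGP-learned prefix, whether it has a resolved next hop and a transport (top) label, which is exactly what is missing when the PE has the route from the RR but cannot forward. The capture embedded in the script is constructed from the output above, with one healthy prefix, one missing its transport label and one unusable (as it would appear with `show route ... hidden`); the prefixes and label values are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original post): flag BGP-learned VPN prefixes in a
# JunOS "show route table <vrf>.inet.0" capture that lack a resolved next hop
# or a transport (top) MPLS label. The sample capture below is constructed.
set -eu

SAMPLE='vpn12729.inet.0: 4 destinations, 4 routes (3 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.212.144/28  *[BGP/170] 00:56:32, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
10.144.253.120/29  *[BGP/170] 00:56:32, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16
10.144.253.128/29   [BGP/170] 00:10:01, localpref 100, from 2.2.2.2
                      AS path: I
                      Unusable
10.141.33.96/28    *[Static/5] 00:57:06
                    > to 10.144.213.92 via em3.100'

# Reads a capture on stdin and prints one line per BGP prefix:
#   <prefix> ok | no-next-hop | no-transport-label
# Static/Direct/Local entries are skipped: only BGP routes need MPLS labels.
check_vpn_labels() {
  awk '
    # A line starting with an IPv4 prefix begins a new route entry.
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+/ {
      report()
      prefix = $1
      isbgp = ($0 ~ /\[BGP\//)
      nh = 0; top = 0
      next
    }
    /> to /   { nh = 1 }     # a forwarding next hop was resolved
    /\(top\)/ { top = 1 }    # a transport label sits on top of the VPN label
    END { report() }
    function report() {
      if (prefix == "" || !isbgp) return
      if (!nh) print prefix, "no-next-hop"
      else if (!top) print prefix, "no-transport-label"
      else print prefix, "ok"
    }
  '
}

# Returns 0 only if every BGP prefix in the capture passed to $1 is "ok".
all_bgp_routes_ok() {
  ! printf '%s\n' "$1" | check_vpn_labels | grep -qv ' ok$'
}

printf '%s\n' "$SAMPLE" | check_vpn_labels
```

On a live PE you would feed it the real output, for example `show route table vpn12729.inet.0 hidden | no-more` pasted into a file, so that routes with unresolvable next hops (which the default view omits) are included in the report.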

Since everything looks good in the routing table, I am getting ping responses from the PE to both the local LAN and the remote LAN:

root@lahorir3> ping routing-instance vpn12730 10.141.33.98 
PING 10.141.33.98 (10.141.33.98): 56 data bytes
64 bytes from 10.141.33.98: icmp_seq=0 ttl=64 time=12.530 ms
64 bytes from 10.141.33.98: icmp_seq=1 ttl=64 time=1.741 ms
64 bytes from 10.141.33.98: icmp_seq=2 ttl=64 time=11.981 ms
64 bytes from 10.141.33.98: icmp_seq=3 ttl=64 time=2.722 ms
64 bytes from 10.141.33.98: icmp_seq=4 ttl=64 time=2.423 ms
64 bytes from 10.141.33.98: icmp_seq=5 ttl=64 time=2.371 ms
^C
--- 10.141.33.98 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.741/5.628/12.530/4.698 ms
root@lahorir3>
root@lahorir3> ping routing-instance vpn12730 10.141.212.147  
PING 10.141.212.147 (10.141.212.147): 56 data bytes
64 bytes from 10.141.212.147: icmp_seq=0 ttl=64 time=1.855 ms
64 bytes from 10.141.212.147: icmp_seq=1 ttl=64 time=1.768 ms
64 bytes from 10.141.212.147: icmp_seq=2 ttl=64 time=1.350 ms
64 bytes from 10.141.212.147: icmp_seq=3 ttl=64 time=1.346 ms
^C
--- 10.141.212.147 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.346/1.580/1.855/0.234 ms
root@lahorir3>

We now have Service LAN communication in place between the two VDCs; both hosts in the Service LANs can ping each other.

Internet Access Firewall Cisco ASA

In this tutorial, I am going to show how you can set up a Cisco ASA to allow internet access for the LAN behind it. Our lab topology looks as follows:

(Figure: lab topology)

Configure the untrusted (outside) and trusted (inside) interfaces as follows:

!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.16.1.3 255.255.255.248
!
interface GigabitEthernet0/2
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.224
!

Set up a network object named ANY representing any traffic arriving on the LAN side of the firewall (the interface named inside), and translate it dynamically to the outside interface address (PAT). The object needs a subnet statement (0.0.0.0/0 here) for the object NAT rule to have anything to match:

!
object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!

Set up a default route pointing to the VRRP virtual address of the PE routers:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

Enable the DHCP server on the inside interface so that any device connected to it obtains an IP address automatically:

dhcpd dns 8.8.8.8 9.9.9.9
!
dhcpd address 10.10.10.5-10.10.10.30 inside
dhcpd enable inside
!
dhcprelay timeout 60