CCNP Course Institute in Delhi

Tuesday, December 14, 2010

Security Troubleshooting Targets Cisco CCIE Coaching Institute in Delhi Gurgaon

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

Because adding security to a network can complicate your troubleshooting efforts, you
should have an understanding of basic security configurations which you might encounter
on a router. Therefore, this section addresses the basic configuration and troubleshooting
of two of the more complex Cisco IOS security features: the Cisco IOS Firewall feature
and the Authentication, Authorization, and Accounting (AAA) feature.
Configuring and Troubleshooting the Cisco IOS Firewall Feature
Table 9-3 summarizes the two categories of firewalls supported on Cisco IOS routers.
As an example of a basic Classic Cisco IOS Firewall configuration, consider Figure 9-11.
In this example, the campus network is considered the trusted network, whereas the Internet
is considered the untrusted network. The goal of the configuration is to allow a user
on the trusted network to communicate with a web server on the Internet. Therefore, return
traffic from the web server should be allowed back into the trusted network. However,
web traffic (that is, HTTP traffic) should not be allowed into the trusted network
from the untrusted network if the web traffic is not return traffic from an already established
session.
Example 9-1 shows the configuration of the Classic Cisco IOS Firewall depicted.
Figure 9-11 Classic Cisco IOS Firewall Topology (CCNP TSHOOT 642-832 Official Certification Guide, page 282): Web Client 192.168.1.50 on the Campus Network, R4 running the Cisco IOS Firewall with interfaces Fa0/0 and Fa0/1, Web Server 10.8.8.3 on the Internet, HTTP traffic between them.
Example 9-1 Classic Cisco IOS Firewall Configuration on Router R4
R4# show run
...OUTPUT OMITTED...
ip inspect name WEB http
!
interface FastEthernet0/1
 ip address 10.8.8.1 255.255.255.0
 ip access-group 100 in
 ip inspect WEB out
!
...OUTPUT OMITTED...
!
access-list 100 deny ip any any
...OUTPUT OMITTED...
Notice that ACL 100 has been created to deny all IP traffic. This ACL has been applied in
the inbound direction to interface Fast Ethernet 0/1. This blocks all IP traffic sourced from
the untrusted network destined for the trusted network.
Also notice that an inspection rule named WEB has been created to inspect HTTP traffic,
using the ip inspect name WEB http command. This inspection rule is then applied in
the outbound direction to the Fast Ethernet 0/1 interface, using the ip inspect WEB out
command.
When HTTP traffic leaves the trusted network destined for the untrusted network, via interface
Fast Ethernet 0/1, the router inspects those HTTP traffic flows and records each session. As a result, when
return HTTP traffic comes back from the untrusted network, interface Fast Ethernet 0/1 allows
that return traffic back into the router, even though an ACL has been applied to block all
inbound IP traffic. Inbound traffic that does not belong to an inspected session still hits the ACL and is dropped.
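To make the stateful behaviour of Example 9-1 concrete, here is an added Python model of interface Fa0/1 (this is illustration code written for this page, not anything from the certification guide or Cisco IOS): ACL 100 denies all inbound traffic, the outbound inspection rule records each HTTP flow, and only return traffic whose reversed addresses and ports match a recorded session gets past the ACL. The addresses come from Figure 9-11; the packets and the 203.0.113.9 source are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class ClassicFirewall:
    """Model of R4's Fa0/1: ACL 100 (deny ip any any) inbound, inspection rule WEB (http) outbound."""
    inspect_ports: set = field(default_factory=lambda: {80})   # ip inspect name WEB http
    sessions: set = field(default_factory=set)                  # inspected flows: (initiator, sport, responder, dport)
    acl_denies: int = 0                                         # packets that fell through to ACL 100

    def outbound(self, pkt: Packet) -> bool:
        """Fa0/1 out: no ACL here; an HTTP flow gets a session entry (SIS_OPEN) that admits its return traffic."""
        if pkt.proto == "tcp" and pkt.dport in self.inspect_ports:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Fa0/1 in: the dynamic opening (reversed addresses and ports) is checked before the static ACL."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        self.acl_denies += 1   # no inspected session matches, so "access-list 100 deny ip any any" applies
        return False

    def show_sessions(self) -> list:
        """Roughly the 'Established Sessions' lines of show ip inspect session."""
        return [f"({i}:{ip})=>({r}:{rp}) http SIS_OPEN" for i, ip, r, rp in sorted(self.sessions)]

def scenario() -> dict:
    """Constructed traffic: one legitimate HTTP session plus two inbound packets the firewall must drop."""
    fw = ClassicFirewall()
    client, server = "192.168.1.50", "10.8.8.3"
    fw.outbound(Packet(client, 1832, server, 80))                       # campus client opens an HTTP session
    return_ok = fw.inbound(Packet(server, 80, client, 1832))            # server reply: admitted by the session entry
    stray = fw.inbound(Packet(server, 80, client, 2000))                # same hosts, wrong client port: denied
    unsolicited = fw.inbound(Packet("203.0.113.9", 40000, client, 80))  # inbound HTTP from the Internet: denied
    return {"return_allowed": return_ok, "stray_allowed": stray,
            "unsolicited_allowed": unsolicited, "acl_denies": fw.acl_denies,
            "sessions": fw.show_sessions()}
```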
You can use the show ip inspect session [detail] [all] command to troubleshoot such a
configuration. By itself, the show ip inspect session command shows current sessions being
inspected by the Cisco IOS Firewall feature. The detail option provides additional details
about the current sessions. The all option provides information about the way the
router is performing its inspection.
Example 9-2 shows sample output from the show ip inspect session command. The output
indicates that a trusted host with an IP address of 192.168.1.50 has opened two HTTP
sessions with a host having an IP address of 10.8.8.3.
Example 9-2 show ip inspect session Command Output
R4#show ip inspect session
Established Sessions
Session 84638E80 (192.168.1.50:1832)=>(10.8.8.3:80) http SIS_OPEN
Session 84638BA8 (192.168.1.50:1830)=>(10.8.8.3:80) http SIS_OPEN
Example 9-3 provides sample output from the show ip inspect session detail command.
The output shows the number of bytes sent by both the session initiator and the session
responder. Also indicated in the output is that ACL 100 has been matched 116 times.
Example 9-3 show ip inspect session detail Command Output
R4#show ip inspect session detail
Established Sessions
Session 84638E80 (192.168.1.50:1832)=>(10.8.8.3:80) http SIS_OPEN
Created 00:01:54, Last heard 00:01:32
Bytes sent (initiator:responder) [408:166394]
In SID 10.8.8.3[80:80]=>192.168.1.50[1832:1832] on ACL 100 (116 matches)
Session 84638BA8 (192.168.1.50:1830)=>(10.8.8.3:80) http SIS_OPEN
Created 00:02:52, Last heard 00:01:33
Bytes sent (initiator:responder) [1262:333173]
In SID 10.8.8.3[80:80]=>192.168.1.50[1830:1830] on ACL 100 (253 matches)
Example 9-4 provides sample output from the show ip inspect session all command. This
output contains information about the interface’s inspection configuration.
Example 9-4 show ip inspect all Command Output
R4#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name WEB
http alert is on audit-trail is on timeout 3600
Interface Configuration
Interface FastEthernet0/1
Inbound inspection rule is not set
Outgoing inspection rule is WEB
http alert is on audit-trail is on timeout 3600
Inbound access list is 100
Outgoing access list is not set
Established Sessions
Session 84638E80 (192.168.1.50:1832)=>(10.8.8.3:80) http SIS_OPEN
Session 84638BA8 (192.168.1.50:1830)=>(10.8.8.3:80) http SIS_OPEN
To see real-time updates about the sessions being monitored by a router, you can enter the
ip inspect audit-trail global configuration mode command. This command causes syslog
messages to be created whenever a router creates a new stateful inspection session.
Example 9-5 shows sample syslog output (which is sent to a router’s console by default)
reflecting a new stateful inspection session. The syslog output shows that a new HTTP inspection
session began, with an IP address of 192.168.1.50 acting as the initiator and an IP
address of 10.8.8.3 acting as the responder. When 192.168.1.50 sends traffic to 10.8.8.3, it
does so to destination TCP port 80 (that is, the default HTTP port). However, when 10.8.8.3 responds
to 192.168.1.50, it does so to destination TCP port 1841, the source port the initiator chose for the session.
Example 9-5 Syslog Output Generated Due to the ip inspect audit-trail Command
R4#
*Mar 3 12:46:32.465: %SYS-5-CONFIG_I: Configured from console by console
*Mar 3 12:47:10.115: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator
(192.168.1.50:1841) -- responder (10.8.8.3:80)
For even more detailed information, you could use the debug ip inspect object-creation
command. As Example 9-6 demonstrates, the debug output can provide information such
as the initiator’s and responder’s IP addresses, the ACL being used, and the Layer 4 protocol
(for example, TCP or UDP) in use. Interestingly, the debug output references Context-Based
Access Control (CBAC), the feature that has since been renamed Classic Cisco IOS
Firewall.
Example 9-6 debug ip inspect object-creation Command Output
*Mar 3 14:17:55.794: CBAC* OBJ_CREATE: Pak 83A830FC sis 84638BA8 initiator_addr
(192.168.1.50:1979) responder_addr (10.8.8.3:80)
initiator_alt_addr (192.168.1.50:1979) responder_alt_addr (10.8.8.3:80)
*Mar 3 14:17:55.798: CBAC OBJ-CREATE: sid 846524D4 acl 100 Prot: tcp
*Mar 3 14:17:55.798: Src 10.8.8.3 Port [80:80]
*Mar 3 14:17:55.798: Dst 192.168.1.50 Port [1979:1979]
*Mar 3 14:17:55.798: CBAC OBJ_CREATE: create host entry 84641108 addr 10.8.8.3
bucket 9 (vrf 0:0) insp_cb 0x83EBD140
*Mar 3 14:17:56.251: CBAC* OBJ_CREATE: Pak 83A830FC sis 84638E80 initiator_addr
(192.168.1.50:1980) responder_addr (10.8.8.3:80)
initiator_alt_addr (192.168.1.50:1980) responder_alt_addr (10.8.8.3:80)
*Mar 3 14:17:56.255: CBAC OBJ-CREATE: sid 84652528 acl 100 Prot: tcp
*Mar 3 14:17:56.255: Src 10.8.8.3 Port [80:80]
*Mar 3 14:17:56.255: Dst 192.168.1.50 Port [1980:1980]
*Mar 3 14:17:56.255: CBAC OBJ_CREATE: create host entry 84641108 addr 10.8.8.3
bucket 9 (vrf 0:0) insp_cb 0x83EBD140
Configuring and Troubleshooting AAA
Enforcing router login security in larger networks can be challenging if you have to manage
multiple user databases (for example, having a separate user database locally configured
on each router of your network). Fortunately, with AAA services, you can have a
single repository for user credentials. Then, when a network administrator attempts to log
into, for example, a router, the credentials they supply can be authenticated against a centralized
AAA database.
Another advantage of giving different network administrators their own login credentials,
as opposed to an enable secret password used on all routers, is that users can quickly be
added and deleted from the database without the need to touch each router. Not only can
AAA services serve administrative logins connecting to a router, AAA services can also
control connections passing through a router to, for example, resources inside a network.
Three services are offered by a AAA server, as follows:
■ Authentication: The authentication service can check user credentials to confirm
they are who they claim to be.
■ Authorization: Once authenticated, the authorization service determines what that
user is allowed to do.
■ Accounting: The accounting service can collect and store information about a user’s
login. This information can be used, for example, to keep an audit trail of what was
performed on a network.
Figure 9-12 shows a AAA topology where only authentication is being performed. The
user at an IP address of 192.168.1.50 is attempting to establish a Telnet session with a
router at an IP address of 10.3.3.2. The router’s configuration causes the router to prompt
the user for username and password credentials and to check those credentials against a
AAA server (a TACACS+ server in this example, as opposed to a RADIUS server). If the
provided credentials match the database being referenced by the AAA server, the user is
permitted to log in to the router.
The Cisco IOS implementation of AAA services includes multiple configuration options,
and discussing a complete AAA configuration is beyond the scope of the TSHOOT
course. However, Example 9-7 provides a basic configuration example. For more information
on AAA configuration, please consult the Cisco IOS Security Configuration Guide
available at the following URL: http://tinyurl.com/3ufo6j.
Figure 9-12 AAA Sample Topology: Telnet Client 192.168.1.50 opening a Telnet session to a router at 10.3.3.2 (routers R4 and R2 in the figure), with authentication performed by the AAA Server (TACACS+) at 192.168.0.40.
Example 9-7 AAA Configuration for Authenticating Remote Logins
R4#show run
...OUTPUT OMITTED...
aaa new-model
aaa authentication login ADMIN group tacacs+
!
tacacs-server host 192.168.0.40 key cisco
!
line vty 0 4
 password cisco
 login authentication ADMIN
!
...OUTPUT OMITTED...
In the previous example, the aaa new-model command is used to enable AAA services on
the router. The aaa authentication login ADMIN group tacacs+ command defines a
method list named ADMIN, which requires authentication via a TACACS+ server for
logins. The TACACS+ server is defined as having an IP address of 192.168.0.40 with a
shared secret key of cisco. The method list of ADMIN is then applied as the authentication
method list for connections coming into the router over VTY lines 0 through 4. Therefore,
when someone attempts to Telnet into this router, they are challenged to provide valid
username and password credentials, which are then validated by the TACACS+ server.
From a troubleshooting perspective, you can view real-time information about authentication
attempts using the debug aaa authentication command, as demonstrated in
Example 9-8.
Example 9-8 debug aaa authentication Command Output
*Mar 3 14:39:39.435: AAA/BIND(0000000E): Bind i/f
*Mar 3 14:39:39.435: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'ADMIN'
*Mar 3 14:39:59.211: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar 3 14:39:59.211: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0
port=66 channel=0
*Mar 3 14:39:59.211: AAA/MEMORY: create_user (0x83C938B4) user='kevin'
ruser='NULL' ds0=0 port='tty66' rem_addr='192.168.1.50' authen_type=ASCII
service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 3 14:39:59.211: AAA/AUTHEN/START (4286245615): port='tty66' list=''
action=LOGIN service=ENABLE
*Mar 3 14:39:59.211: AAA/AUTHEN/START (4286245615): non-console enable - default
to enable password
*Mar 3 14:39:59.215: AAA/AUTHEN/START (4286245615): Method=ENABLE
*Mar 3 14:39:59.215: AAA/AUTHEN(4286245615): Status=GETPASS
*Mar 3 14:40:00.710: AAA/AUTHEN/CONT (4286245615): continue_login
(user='(undef)')
*Mar 3 14:40:00.710: AAA/AUTHEN(4286245615): Status=GETPASS
*Mar 3 14:40:00.710: AAA/AUTHEN/CONT (4286245615): Method=ENABLE
*Mar 3 14:40:00.770: AAA/AUTHEN(4286245615): Status=PASS
*Mar 3 14:40:00.770: AAA/MEMORY: free_user (0x83C938B4) user='NULL' ruser='NULL'
port='tty66' rem_addr='192.168.1.50' authen_type=ASCII service=ENABLE priv=15
vrf= (id=0)
From the preceding output, you can see that the ADMIN method list was used, that the
username was kevin, and that the IP address of the client was 192.168.1.50. To gather similar
types of information for AAA’s authorization and accounting features, you can use
the debug aaa authorization and debug aaa accounting commands.
The two most popular AAA protocols used for communicating between a network device
and a AAA server are TACACS+ and RADIUS. Table 9-4 contrasts these two protocols.
Table 9-4 Contrasting the TACACS+ and RADIUS Protocols
Characteristic             TACACS+                                          RADIUS
Transport Layer Protocol   TCP                                              UDP
Modularity                 Provides separate services for authentication,   Combines authentication and
                           authorization, and accounting                    authorization functions
Encryption                 Encrypts entire packet                           Only encrypts the password
Accounting Functionality   Offers basic accounting features                 Offers robust accounting features
Standards-based            No (Cisco proprietary)                           Yes
When troubleshooting a TACACS+ configuration, consider the following common error
conditions:
■ The TACACS+ server is offline: This condition might be indicated by the text
“Connection refused by remote host” appearing in the output of the debug aaa
authentication command.
■ The shared secret key configured on the AAA client doesn’t match the key
configured on the AAA server: This condition might be indicated by the text
“Invalid AUTHEN/START packet (check keys)” appearing in the output of the debug
aaa authentication command.
■ An invalid username/password combination was provided by the AAA client:
This condition might be indicated by the text “Authentication failure” appearing in
the output of the debug aaa authentication command.
When troubleshooting a RADIUS configuration, consider the following common error
conditions:
■ The RADIUS server is offline: This condition might be indicated by the text “No
response from server” appearing in the output of the debug radius command.
■ The shared secret key configured on the AAA client doesn’t match the key
configured on the AAA server: This condition might be indicated by the text
“Reply for id fails decrypt” appearing in the output of the debug radius command.
■ A user is attempting to use a service for which they are not authorized: This
condition might be indicated by the text “No appropriate authorization type for
user” appearing in the output of the debug radius command.
■ An invalid username/password combination was provided by the AAA client:
This condition might be indicated by the text “Received from id id
IP_address:port_number. Access-Reject” appearing in the output of the debug radius
command.
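The error strings listed above are easy to miss in a long debug capture, so here is an added triage helper (written for this page, not part of the certification guide or of any Cisco tool) that scans captured debug aaa authentication / debug radius output for exactly those strings and names the likely cause. The SAMPLE lines are constructed, not real router output; only the quoted error text and the 192.168.0.40 server address come from the page.

```python
import re

# (protocol, regex for the debug line, likely cause); the patterns are the strings quoted in the text
SIGNATURES = [
    ("tacacs+", r"Connection refused by remote host",          "TACACS+ server offline or unreachable"),
    ("tacacs+", r"Invalid AUTHEN/START packet \(check keys\)",  "TACACS+ shared key mismatch"),
    ("tacacs+", r"Authentication failure",                      "invalid username/password"),
    ("radius",  r"No response from server",                     "RADIUS server offline or unreachable"),
    ("radius",  r"Reply for id \S+ fails decrypt",              "RADIUS shared key mismatch"),
    ("radius",  r"No appropriate authorization type for user",  "user not authorized for the requested service"),
    ("radius",  r"Received from id \S+ \S+:\d+.*Access-Reject", "invalid username/password"),
]

def triage(debug_output: str) -> list:
    """Return (protocol, likely cause, line) for every debug line matching a known signature."""
    findings = []
    for line in debug_output.splitlines():
        for proto, pattern, cause in SIGNATURES:
            if re.search(pattern, line):
                findings.append((proto, cause, line.strip()))
                break   # one diagnosis per line
    return findings

def causes(debug_output: str) -> list:
    """Distinct likely causes in order of first appearance, for a quick summary."""
    seen = []
    for _, cause, _ in triage(debug_output):
        if cause not in seen:
            seen.append(cause)
    return seen

# Constructed sample, not a real capture: IOS-style timestamps around the
# error strings quoted above, plus a normal method-list line that must not match.
SAMPLE = """\
*Mar  3 14:39:39.435: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'ADMIN'
*Mar  3 14:39:41.102: Connection refused by remote host
*Mar  3 14:40:05.220: Invalid AUTHEN/START packet (check keys)
*Mar  3 14:41:12.001: RADIUS: Reply for id 7 fails decrypt
*Mar  3 14:41:30.544: RADIUS: Received from id 1645/3 192.168.0.40:1645, Access-Reject, len 20
"""
```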
Although multiple TACACS+ and RADIUS servers are available on the market today, be
aware of the Cisco product offering in this area—Cisco Secure ACS. Figure 9-13 shows
the web-based console view of Cisco Secure ACS.
By clicking the Reports and Activity button, you can access a collection of valuable
troubleshooting information. For example, you can retrieve reports about successful
and unsuccessful authentication attempts.
