Archive for February, 2013

Meinberg

We are working on the following network diagram.

In order to work properly with my existing CCIE Security lab I needed a valid NTP server in my virtual LAN. I decided to use a Windows 2003 box as the NTP server for my Cisco routers, switches and Linux machines, all of which run under GNS3, VirtualBox and VMware Workstation and together form a fully virtual LAN.

The issue with synchronizing Cisco devices against a Windows machine is that Cisco devices use NTP, whereas Windows machines use SNTP as their time protocol. The difference is that NTP has built-in accuracy and validity checks while SNTP has none, so to set up NTP properly on my virtual LAN I decided to use third-party NTP software that runs on top of Windows. The best one I found is Meinberg. Installing Meinberg on a Windows box is a little tricky; these are the steps I performed to get it running.

  • We can find Meinberg here.
  • I added one more network adapter in NAT mode to my Windows 2003 box running inside VMware Workstation 8, to give the machine Internet access so that our NTP server can validate its time against an external authoritative time source.
  • After downloading, execute the file whose name starts with “ntp-4.2.6p5@london-o-lpv-win32-setup”.

The next screen asks us to agree to the license terms and conditions; press “I Agree”.

  • Choose install location.

  • Choose components , leave it as default.

  • After clicking Next the installation runs and then asks for configuration settings. I used the following: define NTP servers according to your location and check the box “Add local clock as last resort reference, stratum 12”. This makes the system's built-in clock act as the NTP reference in case the NTP servers on the Internet cannot be reached.

  • Verify the generated ntp.conf file and parameters.

  • On the next screen, “Create a new user account for ntp”, check all the parameters as below and click Next.

  • Create a new user named ntp, give it a password and click Next to finish the installation.
  • Now go to Start > All Programs > Meinberg > Network Time Protocol > Quick NTP Status and verify the status. On my box it looks like below. Other options are available in the same menu, such as start/stop/restart NTP, the documentation and other useful items.

  • Our Windows Server 2003 NTP configuration is now up and working; next we go to the Cisco devices and configure NTP there.
  • NTP configuration on Cisco devices is straightforward. For testing, my Windows machine and the Cisco router are both on VLAN 121, subnet 136.1.121.0/24.

R1#sh run | i ntp
ntp logging
ntp server 136.1.121.254 source FastEthernet0/0  –>Here 136.1.121.254 is our windows server 2003 box running Meinberg.
R1#sh run | i clock
clock timezone UTC 5 30      –>Set the clock timezone according to your location.

  • Now it's time to run a few show commands to validate our configuration.

R1#sh ntp status
Clock is synchronized, stratum 4, reference is 136.1.121.254
nominal freq is 250.0000 Hz, actual freq is 250.0003 Hz, precision is 2**18
reference time is D4C2331F.DE8DBBCE (20:24:23.869 UTC Sun Feb 10 2013)
clock offset is -3.9092 msec, root delay is 369.77 msec
root dispersion is 642.85 msec, peer dispersion is 383.04 msec
R1#sh ntp association

address         ref clock     st  when  poll reach  delay  offset    disp
*~136.1.121.254    103.12.12.14      3    63    64   77     8.1   -3.91   383.0
* master (synced), # master (unsynced), + selected, – candidate, ~ configured
R1#sh ntp association detail
136.1.121.254 configured, our_master, sane, valid, stratum 3
ref ID 103.12.12.14, time D4C2318B.BCAEE8B8 (20:17:39.737 UTC Sun Feb 10 2013)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 361.66 msec, root disp 256.85, reach 177, sync dist 579.330
delay 8.10 msec, offset -3.9092 msec, dispersion 137.60
precision 2**20, version 3
org time D4C2335F.DB2617C5 (20:25:27.856 UTC Sun Feb 10 2013)
rcv time D4C2335F.DBD4CDBE (20:25:27.858 UTC Sun Feb 10 2013)
xmt time D4C2335F.D5AC17D8 (20:25:27.834 UTC Sun Feb 10 2013)
filtdelay =    24.02   32.07   24.03    8.10   24.31   47.99   56.67    0.00
filtoffset =    9.35   17.93    0.18   -3.91   -3.60   14.16   -1.17    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87 16000.0

R1#sh clock
20:25:42.485 UTC Sun Feb 10 2013

We now have a working NTP server synchronized with an external time source, with itself at stratum 12 as a last resort in case the Internet time servers stop working or we lose Internet connectivity. With NTP synchronized, my next goal is to test a CA server on a Cisco router. Enjoy :)
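As an added example (not part of the original post), here is a small Python checker that parses the router output above. It decodes the hex NTP reference time D4C2331F.DE8DBBCE (NTP timestamps count seconds since 1900-01-01), which comes out as 14:54:23 UTC, while the router prints 20:24:23 UTC: the clock timezone UTC 5 30 command names the zone “UTC” but applies a +5:30 offset, so the displayed times are local time under a misleading label, something to know before correlating these timestamps with logs from other hosts. It also reads the stratum, the clock offset and the octal reach register. The thresholds max_stratum=10 and max_offset_ms=128 are my assumptions: since the Windows box serves stratum 12 as its last resort, a router reporting stratum 13 has lost its Internet time source, and the stratum check catches that fallback. The sample strings are copied from the output above; the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the "sh ntp status" output and the "reach" line from
# "sh ntp association detail" shown in the post, copied into strings.
SAMPLE_STATUS = """Clock is synchronized, stratum 4, reference is 136.1.121.254
nominal freq is 250.0000 Hz, actual freq is 250.0003 Hz, precision is 2**18
reference time is D4C2331F.DE8DBBCE (20:24:23.869 UTC Sun Feb 10 2013)
clock offset is -3.9092 msec, root delay is 369.77 msec
root dispersion is 642.85 msec, peer dispersion is 383.04 msec"""
SAMPLE_DETAIL = "root delay 361.66 msec, root disp 256.85, reach 177, sync dist 579.330"

NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)


def ntp_hex_to_datetime(ts):
    """Decode an NTP 64-bit timestamp printed as SECONDS.FRACTION in hex
    into a timezone-aware UTC datetime."""
    sec_hex, frac_hex = ts.split(".")
    seconds = int(sec_hex, 16) - NTP_UNIX_DELTA
    fraction = int(frac_hex, 16) / 2**32
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(seconds=fraction)


def parse_status(text):
    """Pull the fields that matter out of "sh ntp status"."""
    m = re.search(r"Clock is (un)?synchronized, stratum (\d+)", text)
    if not m:
        raise ValueError("no NTP status line found")
    ref = re.search(r"reference is (\S+)", text)
    off = re.search(r"clock offset is (-?[\d.]+) msec", text)
    reft = re.search(r"reference time is ([0-9A-F]+\.[0-9A-F]+)", text, re.I)
    return {
        "synced": m.group(1) is None,
        "stratum": int(m.group(2)),
        "reference": ref.group(1) if ref else None,
        "offset_ms": float(off.group(1)) if off else None,
        "reference_time": ntp_hex_to_datetime(reft.group(1)) if reft else None,
    }


def reach_history(reach_octal):
    """'reach' is an 8-bit shift register printed in octal, one bit per poll
    (newest poll in the low bit, 1 = the server answered).
    Returns (polls answered out of the last 8, all eight answered?)."""
    bits = int(str(reach_octal), 8) & 0xFF
    return bin(bits).count("1"), bits == 0xFF


def check_ntp(status_text, detail_text="", max_stratum=10, max_offset_ms=128.0):
    """Return a list of findings; an empty list means the clock is usable for
    log correlation and certificate validity checks. Thresholds are assumptions
    (see the lead-in): stratum > 10 means the lab has fallen back to the
    Windows box's stratum-12 local clock."""
    s = parse_status(status_text)
    findings = []
    if not s["synced"]:
        findings.append("clock not synchronized")
    if s["stratum"] > max_stratum:
        findings.append(f"stratum {s['stratum']} exceeds {max_stratum} (fallback to local clock?)")
    if s["offset_ms"] is not None and abs(s["offset_ms"]) > max_offset_ms:
        findings.append(f"offset {s['offset_ms']} ms exceeds {max_offset_ms} ms")
    m = re.search(r"\breach (\d+)", detail_text)
    if m:
        answered, _all_ok = reach_history(m.group(1))
        if answered < 8:
            findings.append(f"only {answered}/8 recent polls answered (reach {m.group(1)})")
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("reference time decoded:", status["reference_time"].isoformat())
    for finding in check_ntp(SAMPLE_STATUS, SAMPLE_DETAIL) or ["no findings"]:
        print("-", finding)
```

Run against the post's output it reports one finding, the reach register 177 (octal 01111111): seven of the last eight polls were answered, which is normal a few minutes after the association comes up and would only be worth chasing if it persisted.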

 

Information about Security Context

We can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

Note:- When the ASA is configured for security contexts (for example, for Active/Active Stateful Failover), IPsec or SSL VPN cannot be enabled. Therefore, these features are unavailable.

We will be working on a small topology made on Gns3 just to understand the concept and functionality of ASA in multiple context mode.

Asa multiple context

There are three types of contexts.

  • The custom-made contexts that we are going to create, such as SECURE or LEGACY.
  • The admin context. It is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. In a production network the “Management 0” interface is normally assigned to this context.
  • The system context. The system administrator adds and manages contexts by configuring each context's configuration location, allocated interfaces and other operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. It does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses the context designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

In the figure above, R1 and R3 are on subnet 13.13.13.0/24 and will use context LEGACY, while R2 and R4 are on 24.24.24.0/24 and will use context SECURE inside the ASA to communicate with each other. We will assign 13.13.13.254 and 24.24.24.254 to the ASA1 interfaces inside the respective contexts, give each device a default route towards the ASA1 interface in its context, and then check connectivity.

The physical topology is mentioned below. Sorry for my bad drawing skills.

Asa multiple context Physical

R1 and R3 are part of VLAN 13 and R2 and R4 are part of VLAN 24. GigE1 is connected to SW1, GigE2 is connected to SW2, and there is a trunk between SW1 and SW2. We will first configure the switches as shown above. IP addressing is as shown above.

Task Flow for Configuring Multiple Context Mode

To configure multiple context mode, perform the following steps:

  • Step 1    Enable multiple context mode.
  • Step 2    (Optional) Configure classes for resource management.
  • Step 3    Configure interfaces in the system execution space.
  • Step 4    Configure security contexts.
  • Step 5    (Optional) Automatically assign MAC addresses to context interfaces.
  • Step 6    Complete interface configuration in the context.

Step 1:-Enabling Multiple Context Mode

Prerequisites

•When we convert from single mode to multiple mode, the ASA converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, back it up before proceeding.

•The context mode (single or multiple) is not stored in the configuration file, even though it does persist across reboots. If we need to copy our configuration to another device, set the mode on the new device to match.

Now let's enable “mode multiple”. It gives us a warning and asks for a reload, so reload and check the disk0: contents afterwards.

ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!!
The old running configuration file will be written to flash

Converting the configuration – this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

ASA1# sh disk0:
--#--  --length--  -----date/time------  path
5  4096        Dec 09 2012 02:53:34  log
14  4096        Dec 09 2012 02:53:36  coredumpinfo
15  59          Dec 09 2012 02:53:36  coredumpinfo/coredump.cfg
48  17738924    Dec 09 2012 03:08:38  asdm-702.bin
49  4805906     Dec 09 2012 03:17:08  anyconnect-win-2.5.3055-k9.pkg
50  6975261     Dec 09 2012 03:17:28  anyconnect-linux-2.5.3055-k9.pkg
51  6300827     Dec 09 2012 03:17:46  anyconnect-macosx-i386-2.5.3055-k9.pkg
32  0           Dec 10 2012 01:25:46  nat_ident_migrate
53  8855        Feb 01 2013 01:49:44  old_running.cfg
54  5710        Feb 01 2013 01:50:10  admin.cfg

Our single-mode running config has now been saved as “old_running.cfg”, and the admin context configuration as “admin.cfg”; we can confirm the contents with “ASA1# more disk0:old_running.cfg”.

Step 2 (Optional) Configure classes for resource management:-

To set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:

ASA1(config)# class default
ASA1(config-class)# limit-resource conns 10%
All other resources remain at unlimited.

To add a class called gold, enter the following commands:

ASA1(config)# class gold
ASA1(config-class)# limit-resource mac-addresses 10000
ASA1(config-class)# limit-resource conns 15%
ASA1(config-class)# limit-resource rate conns 1000
ASA1(config-class)# limit-resource rate inspects 500
ASA1(config-class)# limit-resource hosts 9000
ASA1(config-class)# limit-resource asdm 5
ASA1(config-class)# limit-resource ssh 5
ASA1(config-class)# limit-resource rate syslogs 5000
ASA1(config-class)# limit-resource telnet 5
ASA1(config-class)# limit-resource xlates 36000

Step 3 & 4 Configure interfaces in the system execution space and Configure security contexts:-

First lets clear the old interface configuration.

ASA1(config)# clear configure interface

Now lets create our interfaces and assign it to contexts.

interface GigabitEthernet1.13
vlan 13
!
interface GigabitEthernet2.24
vlan 24
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!

context SECURE
member gold
allocate-interface GigabitEthernet2.24 int24
config-url disk0:/SECURE.cfg
!

context LEGACY
member gold
allocate-interface GigabitEthernet1.13 int13
config-url disk0:/LEGACY.cfg
!

Step 6    Complete interface configuration in the context:- (We skip step 5 for now; it is optional.)

For now we will not assign any interface to the admin context; in a production network we normally assign “Management 0” to the admin context for management only. That is all the config needed in the system context, so now let's move into the individual contexts and configure the rest.
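As an added example, not part of the original post, here is a Python audit of the system-context configuration above. It parses the context blocks and reports anything that undermines the “each context is an independent device” model: a physical or sub-interface allocated to more than one context (the ASA permits sharing an interface between contexts, but then those contexts are no longer independent devices), a config-url reused by two contexts, a context without a config-url, and a context with no allocated interfaces. On this post's configuration the only finding is the admin context without interfaces, which is exactly the Management 0 assignment the post skips. The parser is deliberately small: it does not expand allocate-interface ranges, and the function names are my own.

```python
# Constructed sample: the system-execution-space configuration from the post,
# copied into a string so the audit runs offline.
SYSTEM_CONFIG = """interface GigabitEthernet1.13
vlan 13
!
interface GigabitEthernet2.24
vlan 24
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context SECURE
member gold
allocate-interface GigabitEthernet2.24 int24
config-url disk0:/SECURE.cfg
!
context LEGACY
member gold
allocate-interface GigabitEthernet1.13 int13
config-url disk0:/LEGACY.cfg
!
"""


def parse_contexts(config):
    """Parse context definitions out of ASA system-configuration text.
    Returns (contexts, admin_name); each context records its resource class,
    config-url and allocated interfaces as (physical, alias) pairs.
    Assumption: allocate-interface ranges (a-b syntax) are not expanded."""
    contexts, admin, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] == "admin-context":
            admin = parts[1]
        elif parts[0] == "context":
            current = parts[1]
            contexts.setdefault(current, {"class": "default", "config_url": None, "interfaces": []})
        elif parts[0] == "interface":
            current = None  # a physical/sub-interface block, not a context block
        elif current and parts[0] == "allocate-interface":
            alias = parts[2] if len(parts) > 2 else parts[1]  # alias is optional on the ASA
            contexts[current]["interfaces"].append((parts[1], alias))
        elif current and parts[0] == "config-url":
            contexts[current]["config_url"] = parts[1]
        elif current and parts[0] == "member":
            contexts[current]["class"] = parts[1]
    return contexts, admin


def audit_contexts(config):
    """Return the isolation findings a reviewer would raise on the system config."""
    contexts, admin = parse_contexts(config)
    findings = []
    if admin is None or admin not in contexts:
        findings.append("no admin context defined")
    owners, urls = {}, {}
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append(f"{name}: no config-url, context cannot load")
        else:
            urls.setdefault(ctx["config_url"], []).append(name)
        if not ctx["interfaces"]:
            findings.append(f"{name}: no interfaces allocated")
        for phys, _alias in ctx["interfaces"]:
            owners.setdefault(phys, []).append(name)
    # One interface in two contexts means those contexts are not independent devices.
    for phys, names in owners.items():
        if len(names) > 1:
            findings.append(f"{phys}: shared by contexts {', '.join(names)} (contexts are not isolated)")
    # Two contexts loading the same file would boot with identical policy and addresses.
    for url, names in urls.items():
        if len(names) > 1:
            findings.append(f"{url}: config-url reused by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit_contexts(SYSTEM_CONFIG) or ["no findings"]:
        print("-", finding)
```

To see the shared-interface case, add a second allocate-interface GigabitEthernet2.24 line under context LEGACY in the sample and rerun: the audit then names both SECURE and LEGACY as owners of that sub-interface.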

ASA1# changeto context SECURE
ASA1/SECURE# conf t
ASA1/SECURE(config)# interface int24
ASA1/SECURE(config-if)#  nameif inside
ASA1/SECURE(config-if)#  security-level 100
ASA1/SECURE(config-if)#  ip address 24.24.24.254 255.255.255.0
ASA1/SECURE(config-if)#  nameif inside_secure
ASA1/SECURE(config-if)# end

Now lets move to LEGACY context and configure interfaces.

ASA1/SECURE# changeto context LEGACY
ASA1/LEGACY# conf t
ASA1/LEGACY(config)# interface int13
ASA1/LEGACY(config-if)#  nameif inside_legacy
ASA1/LEGACY(config-if)#  security-level 100
ASA1/LEGACY(config-if)#  ip address 13.13.13.254 255.255.255.0
ASA1/LEGACY(config-if)# end
ASA1/LEGACY#

Now on R1 and R3 create a default route towards 13.13.13.254 (the ASA1/LEGACY context), and on R2 and R4 towards 24.24.24.254 (ASA1/SECURE).

R1 and R3
ip route 0.0.0.0 0.0.0.0 13.13.13.254
R2 and R4
ip route 0.0.0.0 0.0.0.0 24.24.24.254

Verification:- To test connectivity, let's ping from R1, R2, R3 and R4.

R1#ping 13.13.13.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/32 ms
R1#ping 13.13.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/32 ms
!
R3#ping 13.13.13.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/32 ms
R3#ping 13.13.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/40 ms
!
R2#ping 24.24.24.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/16 ms
R2#ping 24.24.24.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/44 ms
!
R4#ping 24.24.24.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms
R4#ping 24.24.24.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/44 ms

Now let's verify on ASA1 with a few show commands.

ASA1# sh context
Context Name      Class      Interfaces           URL
*admin            default                         disk0:/admin.cfg
SECURE           gold       GigabitEthernet2.24  disk0:/SECURE.cfg
LEGACY           gold       GigabitEthernet1.13  disk0:/LEGACY.cfg

Total active Security Contexts: 3
ASA1# sh disk0:           –>All files are in place.
--#--  --length--  -----date/time------  path
...rest of the output omitted...
53  8855        Feb 01 2013 01:49:44  old_running.cfg
54  5710        Feb 01 2013 01:50:10  admin.cfg
55  1567        Feb 01 2013 03:39:10  SECURE.cfg
58  1567        Feb 01 2013 03:53:23  LEGACY.cfg

Our configuration is indeed working; we will work on more complex scenarios later on.