Monday, July 20, 2009

Frame-Relay

Just for the record, I never liked Frame-Relay. It's old and tired, and in my opinion every connection should be a metro Ethernet connection... well, something better than this, anyway. But the reason I am writing this and documenting the setup of a very basic Frame-Relay connection is that it's something that is still asked about, and test questions want you to be able to configure it.

OK, here goes. We have three routers (rack1r1, rack1r2 and rack1r6), each connecting to a Frame Switch (fsw) on a different serial interface. The frame switch is essentially any old router with a few serial connections and the global command "frame-relay switching" set.



• Step 1
On the fsw we set up the serial interface to rack1r1 like so:
!
frame_switch#
interface Serial1/0
description connection to r1
no ip address
encapsulation frame-relay <--- This is important
keepalive 20
no fair-queue
serial restart-delay 0
clockrate 64000 <--- Need this too
frame-relay lmi-type ansi <--- another important item
frame-relay intf-type dce <--- this as well
frame-relay route 102 interface Serial1/1 201 <--- This maps traffic arriving at the fsw on DLCI 102 out to rack1r2 on DLCI 201
frame-relay route 103 interface Serial3/2 301 <--- This maps traffic arriving at the fsw on DLCI 103 out to rack1r6 on DLCI 301
!

• Steps 2 and 3: set up the interfaces that connect to rack1r2 and rack1r6. In this case they're Serial1/1 and Serial3/2:
!
frame_switch#
interface Serial1/1
description connection to r2
no ip address
encapsulation frame-relay <--- same
keepalive 20
no fair-queue
serial restart-delay 0
clockrate 64000 <--- same
frame-relay lmi-type ansi <--- same
frame-relay intf-type dce <--- same
frame-relay route 201 interface Serial1/0 102 <--- OK, DLCI 201 over to 102; that's the reverse of rack1r1
frame-relay route 202 interface Serial3/2 302 <--- This is DLCI 202 over to rack1r6, which we configure below

Here is the link to rack1r6:
!
frame_switch#
interface Serial3/2
description connection to r6
no ip address
encapsulation frame-relay <---yup
keepalive 20
no fair-queue
serial restart-delay 0
clockrate 64000 <--- yea
frame-relay lmi-type ansi <--- I know...
frame-relay intf-type dce <--- I know!
frame-relay route 301 interface Serial1/0 103 <--- Reverse again: 301 to 103, which is rack1r1
frame-relay route 302 interface Serial1/1 202 <--- Back to rack1r2 on 202

• OK, so we have all that in place. We are now ready to configure the interfaces on the routers themselves to make all this happen:



- Starting with rack1r1:
!
rack1r1#
interface Serial0/0
description connection to frameswitch s1/0
ip address 192.168.1.1 255.255.255.248
ip pim dense-mode
encapsulation frame-relay <--- need this here also
keepalive 15
no fair-queue
frame-relay map ip 192.168.1.1 102 broadcast <--- This is in place so you can ping yourself
frame-relay map ip 192.168.1.2 102 broadcast <--- map for traffic destined for rack1r2's ip
frame-relay map ip 192.168.1.3 103 broadcast <--- map for traffic destined for rack1r6's ip
frame-relay lmi-type ansi <--- the options you have here are cisco, ansi and q933a

• OK, same thing on the other two routers:
!
rack1r2#
interface Serial0/0
description connection to frameswitch s1/1
ip address 192.168.1.2 255.255.255.248
ip pim dense-mode
encapsulation frame-relay <--- same thing
keepalive 15
no fair-queue
frame-relay map ip 192.168.1.1 201 broadcast
frame-relay map ip 192.168.1.2 201 broadcast <--- This is in place so you can ping yourself
frame-relay map ip 192.168.1.3 202 broadcast
frame-relay lmi-type ansi <--- same
!
rack1r6#
interface Serial0/0
description connection to frameswitch s3/2
ip address 192.168.1.3 255.255.255.248
encapsulation frame-relay <--- same
keepalive 15
no fair-queue
frame-relay map ip 192.168.1.1 301 broadcast
frame-relay map ip 192.168.1.2 302 broadcast
frame-relay map ip 192.168.1.3 301 broadcast <--- This is in place so you can ping yourself

• OK, now that that's all done, you should have a working model in which any router can ping the other two and itself.

Here is what the fsw should look like when you do a "show frame-relay route":

Input Intf    Input Dlci    Output Intf    Output Dlci    Status
Serial1/0     102           Serial1/1      201            active
Serial1/0     103           Serial3/2      301            active
Serial1/1     201           Serial1/0      102            active
Serial1/1     202           Serial3/2      302            active
Serial3/2     301           Serial1/0      103            active
Serial3/2     302           Serial1/1      202            active
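As an added sanity check (example code written for this post, not part of the original): a small Python script that parses the fsw's frame-relay route statements and the routers' frame-relay map statements, then verifies that every PVC has its reverse route on the switch and that each map's DLCI actually lands on the router that owns the destination address. Which fsw interface each router is cabled to is taken from the interface descriptions above and hard-coded as an assumption.

```python
import re

# Constructed input: the fsw route statements and the routers' Serial0/0 lines
# from the post, trimmed to what this check needs.
FSW = """interface Serial1/0
 frame-relay route 102 interface Serial1/1 201
 frame-relay route 103 interface Serial3/2 301
interface Serial1/1
 frame-relay route 201 interface Serial1/0 102
 frame-relay route 202 interface Serial3/2 302
interface Serial3/2
 frame-relay route 301 interface Serial1/0 103
 frame-relay route 302 interface Serial1/1 202"""
# router -> (fsw interface it is cabled to, its config); the cabling is an assumption taken from the descriptions
ROUTERS = {
    "rack1r1": ("Serial1/0", "ip address 192.168.1.1 255.255.255.248\n"
                "frame-relay map ip 192.168.1.1 102 broadcast\n"
                "frame-relay map ip 192.168.1.2 102 broadcast\n"
                "frame-relay map ip 192.168.1.3 103 broadcast"),
    "rack1r2": ("Serial1/1", "ip address 192.168.1.2 255.255.255.248\n"
                "frame-relay map ip 192.168.1.1 201 broadcast\n"
                "frame-relay map ip 192.168.1.2 201 broadcast\n"
                "frame-relay map ip 192.168.1.3 202 broadcast"),
    "rack1r6": ("Serial3/2", "ip address 192.168.1.3 255.255.255.248\n"
                "frame-relay map ip 192.168.1.1 301 broadcast\n"
                "frame-relay map ip 192.168.1.2 302 broadcast\n"
                "frame-relay map ip 192.168.1.3 301 broadcast"),
}

def parse_switch_routes(text):
    """Map (input intf, input DLCI) -> (output intf, output DLCI) from the 'frame-relay route' lines."""
    routes, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*interface (\S+)", line):
            cur = m[1]
        elif m := re.match(r"\s*frame-relay route (\d+) interface (\S+) (\d+)", line):
            routes[(cur, int(m[1]))] = (m[2], int(m[3]))
    return routes

def check(fsw_text, routers):
    """Return a list of problems; [] means every PVC is symmetric and every map reaches the right router."""
    routes = parse_switch_routes(fsw_text)
    problems = [f"fsw: no reverse route for {k} -> {v}" for k, v in routes.items() if routes.get(v) != k]
    owner = {re.search(r"ip address (\S+)", cfg)[1]: intf for intf, cfg in routers.values()}  # ip -> fsw intf
    for name, (intf, cfg) in routers.items():
        for dest, dlci in re.findall(r"frame-relay map ip (\S+) (\d+)", cfg):
            out = routes.get((intf, int(dlci)))
            if out is None:
                problems.append(f"{name}: DLCI {dlci} is not routed by the fsw on {intf}")
            elif owner.get(dest) != intf and owner.get(dest) != out[0]:  # a self map may use any local DLCI
                problems.append(f"{name}: {dest} via DLCI {dlci} lands on {out[0]}, not on {owner.get(dest)}")
    return problems
```

Running check(FSW, ROUTERS) on the configs above returns an empty list; drop one of the fsw route lines or point a map at the wrong DLCI and the script names the broken PVC.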

Thursday, July 16, 2009

ASA Packet Capture

This post is intended to show how to capture packets on an ASA. This is especially helpful when you are trying to determine why something is not being allowed through the FW: you can permit all traffic from a host using an ACL, then capture the traffic and find out what is going on.

• First you need to create the ACL. In this case the host 192.168.168.31 is the target, and we are allowing IP to anything.
!
(config)# access-list test permit ip host 192.168.168.31 any

• Next we define the capture for this host. We put "inside" at the end because this host sits on the trusted inside interface.
!
(config)# capture test1 access-list test interface inside

• Now all you do is ask to see what has been captured:
!
# show capture test1

• Here is a typical dump:

21 packets captured

1: 11:21:43.783315 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
2: 11:22:13.784322 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
3: 11:22:23.056652 802.1Q vlan#1 P0 192.168.168.31.24894 > 216.239.38.10.53: udp 60
4: 11:22:23.097559 802.1Q vlan#1 P0 192.168.168.31.50934 > 74.125.53.9.53: udp 49
5: 11:22:23.165076 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.59255: udp 281
6: 11:22:27.040464 802.1Q vlan#1 P0 192.168.168.31.43688 > 74.125.53.9.53: udp 60
7: 11:22:27.110605 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.58190: udp 498
....
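To turn a dump like that into something you can reason about, here is an added Python example (mine, not from the post): it parses the show capture lines into records and summarizes the flows, listing destinations outside the inside network. The sample lines are the ones shown above, and the inside prefix 192.168.168.0/24 is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the first lines of the 'show capture test1' output shown above.
CAPTURE = """21 packets captured

1: 11:21:43.783315 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
2: 11:22:13.784322 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
3: 11:22:23.056652 802.1Q vlan#1 P0 192.168.168.31.24894 > 216.239.38.10.53: udp 60
4: 11:22:23.097559 802.1Q vlan#1 P0 192.168.168.31.50934 > 74.125.53.9.53: udp 49
5: 11:22:23.165076 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.59255: udp 281
6: 11:22:27.040464 802.1Q vlan#1 P0 192.168.168.31.43688 > 74.125.53.9.53: udp 60
7: 11:22:27.110605 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.58190: udp 498
....
"""

# One packet line: "<n>: <time> [802.1Q vlan#<v> P<p>] <src>[.<sport>] > <dst>[.<dport>]: <proto> ..."
LINE = re.compile(r"^(\d+): (\S+) (?:802\.1Q vlan#(\d+) P\d+ )?"
                  r"(\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (\w+)")

def parse_capture(text):
    """Turn 'show capture' output into dicts; the header line and the '....' marker are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        n, ts, vlan, src, sport, dst, dport, proto = m.groups()
        packets.append({"n": int(n), "time": ts, "vlan": int(vlan) if vlan else None,
                        "src": src, "sport": int(sport) if sport else None,
                        "dst": dst, "dport": int(dport) if dport else None, "proto": proto})
    return packets

def summarize(packets, local_net):
    """Count flows by (src, dst, proto, dport) and list destinations outside local_net.
    local_net is an assumption about which prefix sits behind the inside interface."""
    local = ip_network(local_net)
    flows = Counter((p["src"], p["dst"], p["proto"], p["dport"]) for p in packets)
    external = sorted({p["dst"] for p in packets if ip_address(p["dst"]) not in local})
    return flows, external
```

On the sample, summarize() shows the host answering ICMP and DNS for 192.168.168.221 while sending its own DNS queries to two addresses outside the inside network, which is exactly the kind of thing you capture to confirm.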


• Make sure you clean up your capture when you are done, so as not to add to the load of the FW unnecessarily. Here's how to stop things:
!
(config)# no capture test1

And here's how to delete the ACL:

!
(config)# no access-list test permit ip host 192.168.168.31 any

!
# show access-list test
ERROR: access-list does not exist

Have fun with this one.

ASA Regular Expression - Whitelist/Blacklist

The intent of this post is to show how you can permit specific web sites for your inside hosts and block all others. To do this URL (or IRI) filtering on the ASA you need to create a few things.

• First off, you need to decide what you want to allow by calling it out in regex statements:
!
regex urlreg1 "cisco.com"
regex urlreg2 "yahoo.com"

• Next we group these statements under a class-map and call it "whitelist":
!
class-map type regex match-any whitelist
match regex urlreg1
match regex urlreg2

• The class-map "goodclass" just assembles the URLs listed in "whitelist" and says "match this":
!
class-map type inspect http match-all goodclass
match request header host regex class whitelist

• Now we need a class-map that catches everything not in the allowed list. This is done by creating "badclass" and stating "match not" for the whitelist:
!
class-map type inspect http match-all badclass
match not request header host regex class whitelist

• Here we take "badclass" and "goodclass" and put them into a policy-map that has actions. In this case the action for "badclass" is to drop the connection:
!
policy-map type inspect http regex-policy
parameters
class goodclass
class badclass
drop-connection

• The policy-map "global_policy" might already exist on the ASA (not sure, since I have hacked mine to hell), but in any case it calls out "class inspection_default", which has to exist on the box for the statement under "global_policy" to take. If you are missing it, here it is:

# class-map inspection_default
# match default-inspection-traffic

!
policy-map global_policy
class inspection_default
inspect http regex-policy

• This next statement applies "global_policy" to the inside interface. Once applied, this will allow users on the trusted LAN to access two sites, cisco.com and yahoo.com, and that's it.
!
service-policy global_policy interface inside
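An added Python example (mine, not from the post) that mirrors how the "whitelist" and "goodclass"/"badclass" class-maps evaluate a Host header, so you can audit the patterns before applying the policy. It assumes Python's re.search stands in for the ASA's regex engine, which also searches unanchored; whether the ASA accepts the same escapes and anchors used in the tightened patterns should be checked against the ASA regex command reference.

```python
import re

# The two class-maps from the post, as data: "whitelist" is match-any over these regexes; a Host header
# that hits one falls into "goodclass", anything else is "badclass" and the policy-map drops it.
WHITELIST_AS_CONFIGURED = {"urlreg1": r"cisco.com", "urlreg2": r"yahoo.com"}
# Tightened patterns (this example's own, not from the post): the dot is escaped so it only matches
# a dot, and the end is anchored so only the domain itself or a subdomain of it matches.
WHITELIST_ANCHORED = {"urlreg1": r"(^|\.)cisco\.com$", "urlreg2": r"(^|\.)yahoo\.com$"}

def classify(host_header, whitelist):
    """Return ('goodclass', regex name) or ('badclass', None) for one Host header value.
    Assumption: re.search stands in for the ASA engine, which also searches unanchored."""
    host = host_header.strip().lower().split(":")[0]  # a Host header may carry a :port suffix
    for name, pattern in whitelist.items():
        if re.search(pattern, host):
            return "goodclass", name
    return "badclass", None

def audit(whitelist, hosts):
    """Return the hosts a whitelist would let through, to review the patterns before applying the policy."""
    return [h for h in hosts if classify(h, whitelist)[0] == "goodclass"]

# Constructed hosts: the two intended sites, a subdomain and a port variant, plus names that merely
# contain the string "cisco.com" or differ from it only where the unescaped dot matches any character.
SAMPLE_HOSTS = ["www.cisco.com", "cisco.com:443", "yahoo.com", "cisco.com.example.net",
                "ciscoxcom.example", "notcisco.com", "example.org"]
```

audit(WHITELIST_AS_CONFIGURED, SAMPLE_HOSTS) lets six of the seven names through, while the anchored patterns admit only the two sites and their subdomains.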

Have fun with this one. Maybe call out some social networking sites in the regex statements and change the action in the policy-map "regex-policy" to log the hits, and see how often your users are accessing those sites.

Here is a graphical illustration of what we just made: