Friday, April 26, 2013

Hiding Routing Path for the Traceroute Applications by Looping Traceroute Packets

How does Traceroute work?

There are several traceroute applications, including Windows tracert and Unix traceroute. Each uses a different probe protocol, although the method is the same.
Ex: tracert sends ICMP echo requests, while traceroute sends UDP datagrams (to high, normally closed ports) by default.

So in this lab I configured the looping method only for tracing applications that send ICMP echo or UDP probes.

The common method is this: the tracing application sends one or more packets (the probe count) to the destination IP, increasing the TTL value in the IP header step by step, starting at 1. Each node (layer 3 device) decrements the TTL when it receives a packet; when the TTL reaches 0 the router discards the packet and sends an ICMP Time Exceeded message back to the tracing host. The source address of each Time Exceeded message is what the tracing application prints as that hop, so a router that keeps bouncing the probes between two interfaces will show up again and again in the output, and the real path behind it is never revealed.

Steps to Configure

1st Step

Create an ACL that matches the tracing packets. They can be matched in several ways,
ex: by TTL value, by protocol, or by source/destination IP,
but I match on the TTL value (together with the protocol): every traceroute probe arrives with a small TTL, while normal host traffic arrives with a TTL close to 64, 128 or 255.


2nd Step

Create a route-map that matches the ACL and defines the action.
In this case the action is to route the matching packets to a specific next hop.


3rd Step

Apply the route-map to the ingress interface(s) with ip policy route-map.



The looping method used here is Policy-Based Routing (PBR). One caveat before copying it: the ACL does not recognise traceroute as such, it only sees "UDP or ICMP with TTL below 35". Both tracert and traceroute give up after 30 hops by default, so every probe is caught, but so is any legitimate UDP or ICMP packet that happens to arrive with a TTL below 35 (for example from a host more than 29 hops away, or one that starts with a small TTL); such packets are thrown into the loop and never reach their destination.

Topology



The loop occurs between R2 interface fa1/0 (10.0.0.13) and R3 interface fa1/0 (10.0.0.14): each router's route-map sets the other's fa1/0 address as next hop, and this /30 is not advertised into EIGRP by either router, so only policy-routed packets ever use it. Normal traffic between R1 and R4 still flows over the 10.0.0.4/30 link.

Configurations

R1 Configs...
 !  
 !  
 interface Loopback0  
  ip address 1.1.1.1 255.255.255.255  
 !  
 interface FastEthernet0/0  
  ip address 10.0.0.1 255.255.255.252  
  duplex full  
 !  
 interface FastEthernet1/0  
  ip address 192.168.1.1 255.255.255.0  
  duplex half  
 !  
 router eigrp 1  
  network 1.1.1.1 0.0.0.0  
  network 10.0.0.0 0.0.0.3  
  network 192.168.1.0  
  no auto-summary  
 !  


R2 Configs...
   
 !  
 !  
 interface Loopback0  
  ip address 2.2.2.2 255.255.255.255  
 !  
 interface FastEthernet0/0  
  mac-address 0000.2222.0000  
  ip address 10.0.0.5 255.255.255.252  
  duplex full  
  speed auto  
 !  
 interface FastEthernet0/1  
  mac-address 0000.2222.1111  
  ip address 10.0.0.2 255.255.255.252  
  ip policy route-map ICMP_MAP  
  duplex full  
  speed auto  
 !  
 interface FastEthernet1/0  
  mac-address 0000.2222.2222  
  ip address 10.0.0.13 255.255.255.252  
  ip policy route-map ICMP_MAP  
  duplex half  
 !  
 router eigrp 1  
  network 2.2.2.2 0.0.0.0  
  network 10.0.0.0 0.0.0.3  
  network 10.0.0.4 0.0.0.3  
  no auto-summary  
 !  
 ip access-list extended ROUND_ICMP  
  ! UDP probes (Unix traceroute) and ICMP probes (Windows tracert) arrive with a low TTL;  
  ! normal host traffic arrives with a TTL near 64/128/255 and is left alone  
  permit udp any any ttl lt 35  
  ! the "traceroute" keyword matches ICMP type 30 only, which common tools do not send;  
  ! the two ttl lines do the real work  
  permit icmp any any traceroute  
  permit icmp any any ttl lt 35  
 !  
 logging alarm informational  
 !  
 !  
 !  
 route-map ICMP_MAP permit 5  
  match ip address ROUND_ICMP  
  ! bounce matching packets over the unadvertised 10.0.0.12/30 link to R3 fa1/0,  
  ! whose own ICMP_MAP sends them straight back here  
  set ip next-hop 10.0.0.14  
 !  
 !  

R3 Configs...
   
 !  
 interface Loopback0  
  ip address 3.3.3.3 255.255.255.255  
 !  
 interface FastEthernet0/0  
  mac-address 0000.3333.0000  
  ip address 10.0.0.10 255.255.255.252  
  ip policy route-map ICMP_MAP  
  duplex full  
  speed auto  
 !  
 interface FastEthernet0/1  
  mac-address 0000.3333.1111  
  ip address 10.0.0.6 255.255.255.252  
  duplex full  
  speed auto  
 !  
 interface FastEthernet1/0  
  mac-address 0000.3333.3333  
  ip address 10.0.0.14 255.255.255.252  
  ip policy route-map ICMP_MAP  
  duplex half  
 !  
 router eigrp 1  
  network 3.3.3.3 0.0.0.0  
  network 10.0.0.4 0.0.0.3  
  network 10.0.0.8 0.0.0.3  
  no auto-summary  
 !  
 !  
 ip access-list extended ROUND_ICMP  
  ! same matches as on R2  
  permit udp any any ttl lt 35  
  permit icmp any any traceroute  
  permit icmp any any ttl lt 35  
 !  
 logging alarm informational  
 !  
 !  
 !  
 route-map ICMP_MAP permit 5  
  match ip address ROUND_ICMP  
  ! next hop is R2 fa1/0; together with R2's map this closes the loop  
  set ip next-hop 10.0.0.13  
 !  
 !  

R4 Configs...
 !  
 interface Loopback0  
  ip address 4.4.4.4 255.255.255.255  
 !  
 interface FastEthernet0/0  
  ip address 10.0.0.9 255.255.255.252  
  duplex full  
 !  
 router eigrp 1  
  network 4.4.4.4 0.0.0.0  
  network 10.0.0.8 0.0.0.3  
  no auto-summary  
 !  
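To see what the tracing host actually observes, here is a small model of the lab above (an added example, not code from the original post). It walks one probe per TTL through R1..R4 using the addresses from the configs, applies the ttl lt 35 policy on the same ingress interfaces as the ip policy lines, and prints the hop list with and without PBR. The tracing PC (192.168.1.10 behind R1) and the trace target 4.4.4.4 are constructed for the example; the model ignores the timing and probe-count details of real tools.

```python
"""Added example, not part of the original post: a small model of the lab above
so you can see what the tracing host observes with and without the PBR loop.
Router addresses are those of the R1..R4 configs; the tracing PC (192.168.1.10
behind R1) and the trace to 4.4.4.4 are constructed for the example."""
from dataclasses import dataclass, field

MAX_HOPS = 30                  # default hop limit of both tracert and traceroute
PBR_TTL_LIMIT = 35             # "ttl lt 35" in access-list ROUND_ICMP
PBR_PROTOS = {"udp", "icmp"}   # the protocols ROUND_ICMP permits


@dataclass
class Router:
    name: str
    addrs: set                                   # every interface and loopback address
    routes: dict                                 # destination router -> (next router, its ingress addr)
    policy: dict = field(default_factory=dict)   # ingress addr -> (next router, its ingress addr)


def build_lab(pbr: bool) -> dict:
    """Forwarding state implied by the EIGRP networks and 'ip policy' lines above."""
    r1 = Router("R1", {"1.1.1.1", "10.0.0.1", "192.168.1.1"}, {"R4": ("R2", "10.0.0.2")})
    r2 = Router("R2", {"2.2.2.2", "10.0.0.2", "10.0.0.5", "10.0.0.13"}, {"R4": ("R3", "10.0.0.6")})
    r3 = Router("R3", {"3.3.3.3", "10.0.0.6", "10.0.0.10", "10.0.0.14"}, {"R4": ("R4", "10.0.0.9")})
    r4 = Router("R4", {"4.4.4.4", "10.0.0.9"}, {})
    if pbr:
        # R2: ip policy on fa0/1 (10.0.0.2) and fa1/0 (10.0.0.13), set ip next-hop 10.0.0.14
        for ingress in ("10.0.0.2", "10.0.0.13"):
            r2.policy[ingress] = ("R3", "10.0.0.14")
        # R3: ip policy on fa0/0 (10.0.0.10) and fa1/0 (10.0.0.14), set ip next-hop 10.0.0.13
        for ingress in ("10.0.0.10", "10.0.0.14"):
            r3.policy[ingress] = ("R2", "10.0.0.13")
    return {r.name: r for r in (r1, r2, r3, r4)}


def owner_of(lab: dict, addr: str) -> str:
    return next(r.name for r in lab.values() if addr in r.addrs)


def forward(lab: dict, dst: str, proto: str, ttl: int):
    """Carry one packet from the PC through the lab. Returns (outcome, responding address)."""
    router, ingress = lab["R1"], "192.168.1.1"   # the PC's gateway is R1's LAN interface
    for _ in range(2 * MAX_HOPS):                 # the loop itself never ends; only the TTL does
        if dst in router.addrs:
            return "delivered", dst               # traceroute sees port-unreachable/echo-reply from dst
        if ttl <= 1:
            return "time-exceeded", ingress       # ICMP type 11, sourced from the ingress interface
        hop = None
        if proto in PBR_PROTOS and ttl < PBR_TTL_LIMIT:
            hop = router.policy.get(ingress)      # PBR is consulted before the routing table
        if hop is None:
            hop = router.routes.get(owner_of(lab, dst))
        if hop is None:
            return "unreachable", ingress
        ttl -= 1
        nxt, ingress = hop
        router = lab[nxt]
    return "dropped", ingress


def traceroute(lab: dict, dst: str, proto: str = "udp") -> list:
    """What the PC prints: one responding address per TTL until dst answers or MAX_HOPS."""
    hops = []
    for ttl in range(1, MAX_HOPS + 1):
        outcome, who = forward(lab, dst, proto, ttl)
        hops.append(who)
        if outcome == "delivered":
            break
    return hops


def looks_like_pbr_loop(hops: list, min_repeats: int = 3) -> bool:
    """Detection heuristic for the other side: the trace ends in two addresses alternating."""
    tail = hops[-2 * min_repeats:]
    if len(tail) < 2 * min_repeats:
        return False
    a, b = tail[0], tail[1]
    return a != b and tail == [a, b] * min_repeats


if __name__ == "__main__":
    for pbr in (False, True):
        hops = traceroute(build_lab(pbr), "4.4.4.4")
        print(f"PBR {'on ' if pbr else 'off'}: {len(hops)} hops, last {hops[-1]}, "
              f"loop pattern: {looks_like_pbr_loop(hops)}")
    # the caveat: any UDP/ICMP packet that reaches R2 with TTL < 35 is looped, not just probes
    print("TTL 64 DNS-like packet:", forward(build_lab(True), "4.4.4.4", "udp", 64))
    print("TTL 34 UDP packet:     ", forward(build_lab(True), "4.4.4.4", "udp", 34))
```

Without PBR the trace is 192.168.1.1, 10.0.0.2, 10.0.0.6, 4.4.4.4. With PBR it is 192.168.1.1, 10.0.0.2 and then 10.0.0.14 / 10.0.0.13 alternating for all 30 hops; 4.4.4.4 is never reached. The last two lines show the side effect discussed above: a packet arriving with TTL 64 is forwarded normally, one arriving with TTL 34 is black-holed in the loop. The alternating-pair check is what someone on the far side would use to recognise this trick.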


That's it... :)

Any trouble? Please comment. Thank you.


Monday, April 01, 2013

CCNA - Frame-Relay and PPP (PPPoFR - PPP over Frame-relay) - Lab 1



Why PPPoFR?

Well, the answer is that PPP supports features that Frame Relay on its own does not.

what are those features?

At a basic level, PPP provides authentication (PAP/CHAP), data compression and multilink bundling.
With plain Frame Relay we cannot authenticate the peer, cannot compress the data and cannot bundle PVCs. Running PPP over Frame Relay lets us overcome all those limitations.

Configuring PPPoFR is not difficult.
First, configure the serial interface with Frame Relay encapsulation.
Then tell Frame Relay to run PPP on the DLCI (frame-relay interface-dlci <dlci> ppp Virtual-TemplateN).
The PPP settings (IP address, authentication) live on the virtual-template, which IOS clones into a virtual-access interface when the PVC comes up.


Here are the complete configurations for the above topology.

Site1 Configurations
 username SITE2 password 0 cisco  
 !  
 !   
 !  
 !  
 !  
 !  
 !  
 interface Loopback0  
  ip address 1.1.1.1 255.255.255.255  
 !  
 interface FastEthernet0/0  
  no ip address  
  shutdown  
  duplex half  
 !  
 interface Serial1/0  
  no ip address  
  encapsulation frame-relay  
  serial restart-delay 0  
  frame-relay interface-dlci 101 ppp Virtual-Template1  
 !  
 interface Serial1/1  
  no ip address  
  shutdown  
  serial restart-delay 0  
 !  
 interface Serial1/2  
  no ip address  
  shutdown  
  serial restart-delay 0  
 !  
 interface Serial1/3  
  no ip address  
  shutdown  
  serial restart-delay 0  
 !  
 interface Virtual-Template1   
  ip address 10.0.0.1 255.255.255.252  
  ppp authentication chap  
  ppp chap hostname SITE1  
  ppp chap password 0 cisco  
 !  
 router eigrp 1  
  network 1.1.1.1 0.0.0.0  
  network 10.0.0.0 0.0.0.3  
  no auto-summary  
 !  


Site2 Configurations
 username SITE1 password 0 cisco  
 !  
 !   
 !  
 !  
 !  
 !  
 !  
 interface Loopback0  
  ip address 2.2.2.2 255.255.255.255  
 !  
 interface FastEthernet0/0  
  no ip address  
  shutdown  
  duplex half  
 !  
 interface Serial1/0  
  no ip address  
  encapsulation frame-relay  
  serial restart-delay 0  
  frame-relay interface-dlci 201 ppp Virtual-Template1  
 !  
 interface Serial1/1  
  no ip address  
  shutdown  
  serial restart-delay 0  
 !  
 interface Serial1/2  
  no ip address  
  shutdown  
  serial restart-delay 0  
 !  
 interface Serial1/3  
  no ip address  
  shutdown  
  serial restart-delay 0  
 !  
 interface Virtual-Template1   
  ip address 10.0.0.2 255.255.255.252  
  ppp authentication chap  
  ppp chap hostname SITE2  
  ppp chap password 0 cisco  
 !  
 router eigrp 1  
  network 2.2.2.2 0.0.0.0  
  network 10.0.0.0 0.0.0.3  
  no auto-summary  
 !  

First, PPP LCP authenticates the peer. Both sides carry ppp authentication chap, so the authentication is mutual: each router challenges the other, and the other answers with an MD5 hash over the shared secret. The secret in the username line must equal the ppp chap password of the peer, and CHAP needs it in clear text on both routers, which is why the configs store "cisco" unencrypted; protect the configs accordingly and use a stronger secret outside the lab.
Then control is handed over to the PPP NCP, in this case IPCP, which brings up the IP layer on the virtual-access interface. Only after that can EIGRP form its adjacency over 10.0.0.0/30.

For outgoing data the packet is built by IP and then encapsulated twice at layer 2: first by PPP, then by Frame Relay. Frame Relay is the link-layer protocol that is actually on the wire, so it wraps the PPP frame and hands the result to the physical layer; the receiver unwraps in the reverse order.
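The CHAP round that LCP runs before IPCP, as an added example (it is not code from the original post and does not come from IOS): it follows RFC 1994, using the peer names and the shared secret "cisco" from the configs above. The challenge bytes and identifiers are generated here. Because both sites carry ppp authentication chap, IOS performs this in both directions; one direction is shown, with SITE1 as the authenticator.

```python
"""Added example, not part of the original post: the PPP CHAP exchange that the
Virtual-Template configs above perform before IPCP runs, following RFC 1994.
Peer names and the shared secret 'cisco' come from the configs; the challenge
bytes and identifiers are generated here. IOS does this in both directions
because both sites carry 'ppp authentication chap'; one direction is shown."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that demands 'ppp authentication chap' and holds the 'username ... password' lines."""

    def __init__(self, usernames: dict):
        self.usernames = usernames      # e.g. {"SITE2": b"cisco"} from 'username SITE2 password 0 cisco'
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge value still awaiting a response

    def challenge(self):
        """Send a CHAP Challenge: fresh identifier plus a random challenge value."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a CHAP Response; a challenge can be answered only once, which defeats replay."""
        value = self.outstanding.pop(identifier, None)
        secret = self.usernames.get(name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, value))


class ChapPeer:
    """The side answering with 'ppp chap hostname' and 'ppp chap password'."""

    def __init__(self, hostname: str, password: bytes):
        self.hostname, self.password = hostname, password

    def respond(self, identifier: int, challenge: bytes):
        # The Name field carries the chap hostname; it selects the secret on the authenticator.
        return self.hostname, chap_response(identifier, self.password, challenge)


def run_exchange(authenticator: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One LCP-phase CHAP round: Challenge -> Response -> Success/Failure."""
    identifier, challenge = authenticator.challenge()
    name, response = peer.respond(identifier, challenge)
    return authenticator.verify(identifier, name, response)


if __name__ == "__main__":
    site1 = ChapAuthenticator({"SITE2": b"cisco"})   # SITE1: 'username SITE2 password 0 cisco'
    site2 = ChapPeer("SITE2", b"cisco")               # SITE2: 'ppp chap hostname SITE2', 'ppp chap password 0 cisco'
    print("SITE1 authenticates SITE2:", run_exchange(site1, site2))
    print("wrong secret on SITE2:    ",
          run_exchange(ChapAuthenticator({"SITE2": b"cisco"}), ChapPeer("SITE2", b"secret")))
```

Two properties matter here: the secret never crosses the link (only the hash does), and a captured Response is useless later because the authenticator discards each challenge once it has been answered. The price is that both routers must hold the clear-text secret, which is exactly what the username and ppp chap password lines do.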

If you have questions regarding FR or PPP, please comment. Thank you...

CCNA Security - Site to Site IPsec Tunnel between two Sites - Lab1



PC1 and PC2 are both VPCS hosts, and I connect the two routers to the Internet using my PPPoE connection.

Both PCs can surf the Internet while the site-to-site VPN is up. (The configs as shown carry no NAT statements; if your hosts need Internet access through the Dialer interface, add ip nat inside/outside and an overload rule that excludes the VPN subnets, as in the GRE lab further down.)

Site1 Configuration
 !  
 !  
 version 12.3  
 service timestamps debug datetime msec  
 service timestamps log datetime msec  
 no service password-encryption  
 !  
 hostname Site1  
 !  
 boot-start-marker  
 boot-end-marker  
 !  
 enable secret cisco  
 !  
 no aaa new-model  
 ip subnet-zero  
 ip cef  
 !  
 !  
 !  
 ip audit po max-events 100  
 !  
 crypto isakmp policy 5  
  encryption aes 256  
  authentication pre-share  
  group 5  
  lifetime 1000  
 crypto isakmp key cisco address Site2_dialer1_ip  
 !  
 crypto ipsec security-association lifetime kilobytes 2560  
 crypto ipsec security-association idle-time 10000  
 !  
 crypto ipsec transform-set ipsec1 esp-aes 256 esp-md5-hmac comp-lzs   
 !  
 crypto map VPN1 5 ipsec-isakmp   
  set peer Site2_dialer1_ip  
  set transform-set ipsec1   
  set pfs group5  
  match address SITE1_TO_SITE2_VPN  
 !  
 !  
 !  
 !  
 interface FastEthernet0/0  
  no ip address  
  duplex auto  
  speed auto  
  pppoe enable  
  pppoe-client dial-pool-number 1  
 !  
 interface FastEthernet0/1  
  ip address 192.168.1.1 255.255.255.0  
  ip access-group INTERNET in  
  duplex auto  
  speed auto  
 !  
 interface Dialer1  
  ip address negotiated  
  encapsulation ppp  
  dialer pool 1  
  ppp authentication pap callin  
  ppp pap sent-username username password password  
  ppp ipcp dns request  
  crypto map VPN1  
 !  
 ip classless  
 ip route 0.0.0.0 0.0.0.0 Dialer1  
 !  
 ip http server  
 no ip http secure-server  
 !  
 ip access-list extended INTERNET  
  permit ip any any  
 ip access-list extended SITE1_TO_SITE2_VPN  
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  
  deny  ip 192.168.1.0 0.0.0.255 any  
 !  
 line con 0  
 line aux 0  
 line vty 0 4  
 !  
 end  
   


Site2 Configurations
 !  
 !  
 version 12.3  
 service timestamps debug datetime msec  
 service timestamps log datetime msec  
 no service password-encryption  
 !  
 hostname Site2  
 !  
 boot-start-marker  
 boot-end-marker  
 !  
 enable secret cisco  
 !  
 no aaa new-model  
 ip subnet-zero  
 ip cef  
 !  
 !  
 !  
 ip domain name lab.local  
 ip audit po max-events 100  
 !  
 crypto isakmp policy 5  
  encryption aes 256  
  authentication pre-share  
  group 5  
  lifetime 1000  
 crypto isakmp key cisco address Site1_dialer_ip  
 !  
 crypto ipsec security-association lifetime kilobytes 2560  
 crypto ipsec security-association idle-time 10000  
 !  
 crypto ipsec transform-set ipsec1 esp-aes 256 esp-md5-hmac comp-lzs   
 !  
 crypto map VPN1 5 ipsec-isakmp   
  set peer Site1_dialer_ip  
  set transform-set ipsec1   
  set pfs group5  
  match address SITE2_TO_SITE1_VPN  
 !  
 !  
 !  
 !  
 interface FastEthernet0/0  
  no ip address  
  duplex auto  
  speed auto  
  pppoe enable  
  pppoe-client dial-pool-number 1  
 !  
 interface FastEthernet0/1  
  ip address 192.168.2.1 255.255.255.0  
  ip access-group INTERNET in  
  duplex auto  
  speed auto  
 !  
 interface Dialer1  
  ip address negotiated  
  encapsulation ppp  
  dialer pool 1  
  ppp authentication pap callin  
  ppp pap sent-username username password password  
  ppp ipcp dns request  
  crypto map VPN1  
 !  
 ip classless  
 ip route 0.0.0.0 0.0.0.0 Dialer1  
 !  
 no ip http server  
 no ip http secure-server  
 !  
 ip access-list extended INTERNET  
  permit ip any any  
 ip access-list extended SITE2_TO_SITE1_VPN  
  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255  
 !  
 !  
 line con 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line aux 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line vty 0 4  
  login  
 !  
 end

The VPN peer IP address (the Site1_dialer_ip / Site2_dialer1_ip placeholders in crypto isakmp key and set peer) must be replaced with your actual dialer addresses, and the Dialer interface username and password with your PPPoE credentials. Since those addresses are negotiated, the static peer and key entries break whenever the provider hands out a new one. A few things to check before using this outside the lab: the pre-shared key "cisco" and the enable secret "cisco" are placeholders; esp-md5-hmac is the weakest integrity option, prefer esp-sha-hmac; the 2560 kilobyte SA lifetime forces a rekey every 2.5 MB, far below the default, and shows up as constant phase 2 renegotiation; Site1 leaves ip http server enabled on a router whose Dialer sits on the public Internet, while Site2 disables it; and the INTERNET ACL (permit ip any any) applied on the LAN side filters nothing. The two crypto ACLs must be mirror images of each other, which they are here; Site1's extra "deny ip 192.168.1.0 0.0.0.255 any" after the permit only restates the implicit deny. After sending traffic between the PCs, verify with show crypto isakmp sa and show crypto ipsec sa.
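A pre-flight check for the mirror requirement, as an added example that is not part of the original post: it parses the two crypto ACLs above (copied verbatim), converts the IOS wildcards to prefixes, and reports any permit without a mirrored permit on the other side, plus denies that sit after the last permit and therefore only restate the implicit deny. It handles only the "permit|deny ip <src> <wildcard> <dst> <wildcard>" form used in these configs and assumes contiguous wildcard masks.

```python
"""Added example, not part of the original post: a pre-flight check that the two
crypto ACLs above (SITE1_TO_SITE2_VPN and SITE2_TO_SITE1_VPN) are mirror images,
which IOS requires because the IPsec proxy identities are negotiated from them.
The ACL text is copied from the configs; the parser handles only the
'permit|deny ip <src> <wildcard> <dst> <wildcard>' form used there and assumes
contiguous wildcard masks."""
import ipaddress

SITE1_ACL = """
ip access-list extended SITE1_TO_SITE2_VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny  ip 192.168.1.0 0.0.0.255 any
"""

SITE2_ACL = """
ip access-list extended SITE2_TO_SITE1_VPN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def _address(tokens: list) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)   # wildcard is the inverted netmask
    return ipaddress.IPv4Network((first, str(netmask)), strict=False)


def parse_acl(text: str):
    """Return (name, [(action, protocol, src_net, dst_net), ...])."""
    name, entries = None, []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        entries.append((action, proto, _address(rest), _address(rest)))
    return name, entries


def mirror_problems(local_text: str, remote_text: str) -> list:
    """Empty list means the pair will negotiate; otherwise each string is one finding."""
    lname, lentries = parse_acl(local_text)
    rname, rentries = parse_acl(remote_text)
    problems = []
    for (name, mine), (other, theirs) in (((lname, lentries), (rname, rentries)),
                                          ((rname, rentries), (lname, lentries))):
        permits = {(p, s, d) for a, p, s, d in theirs if a == "permit"}
        for a, p, s, d in mine:
            # the peer must permit the same protocol with source and destination swapped
            if a == "permit" and (p, d, s) not in permits:
                problems.append(f"{name}: permit {p} {s} -> {d} has no mirrored permit in {other}")
        # a deny after the last permit only restates the implicit deny at the end of the ACL
        last_permit = max((i for i, e in enumerate(mine) if e[0] == "permit"), default=-1)
        for a, p, s, d in mine[last_permit + 1:]:
            if a == "deny":
                problems.append(f"{name}: trailing 'deny {p} {s} {d}' is redundant")
    return problems


if __name__ == "__main__":
    for finding in mirror_problems(SITE1_ACL, SITE2_ACL) or ["crypto ACLs are mirrored"]:
        print(finding)
```

Run against the ACLs on this page it reports only the redundant trailing deny on Site1. A typo in either subnet (say 192.168.3.0 on one side) produces two "no mirrored permit" findings, which is the config-level cause behind the proxy-identity mismatch you would otherwise only see in debug crypto ipsec output.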

If you have questions regarding the IPsec tunnel, feel free to comment; any suggestion is appreciated. Thank you..

CCNA Security - GRE Tunnel (include HSRP also)



PC1 and PC2 are VPCS hosts.
I have a PPPoE connection, which both sites use to reach the Internet.

Site_1_R1 and Site_2_R1 are the primary routers of the topology; the other two routers are there for backup/redundancy. Each primary runs Tunnel1 to the other primary and each backup runs Tunnel2 to the other backup, and HSRP group 1 on the LAN side (virtual IP 192.168.1.5 at site 1, 192.168.2.5 at site 2) decides which router the PCs actually use as their gateway.


Site_1_R1 Configurations ..

 !  
 !  
 version 12.4  
 service timestamps debug datetime msec  
 service timestamps log datetime msec  
 service password-encryption  
 !  
 hostname Site_1_R1  
 !  
 boot-start-marker  
 boot-end-marker  
 !  
 enable secret cisco  
 !  
 no aaa new-model  
 memory-size iomem 5  
 ip cef  
 !  
 !  
 ip auth-proxy max-nodata-conns 3  
 ip admission max-nodata-conns 3  
 !  
 !  
 ip domain name lab.local  
 !  
 !  
 !  
 key chain GRE  
  key 1  
   key-string GRE  
 !  
 !  
 username Admin privilege 15 secret cisco  
 !  
 !  
 !  
 !  
 !   
 !  
 !  
 !  
 interface Tunnel1  
  ip address 10.0.0.1 255.255.255.248  
  keepalive 3 3  
  tunnel source Dialer1  
  tunnel destination Site_2_R1_router_dialer1_IP 
  tunnel key 1  
 !  
 interface FastEthernet0/0  
  no ip address  
  duplex auto  
  speed auto  
  pppoe enable group global  
  pppoe-client dial-pool-number 1  
 !  
 interface FastEthernet0/1  
  ip address 192.168.1.1 255.255.255.0  
  ip nat inside  
  ip virtual-reassembly  
  duplex auto  
  speed auto  
  standby 1 ip 192.168.1.5  
  standby 1 priority 105  
  standby 1 preempt  
  standby 1 authentication md5 key-string SITE1 
  standby 1 mac-address 000a.000b.000a  
  standby 1 track Dialer1  
  standby 1 track Tunnel1  
 !  
 interface Dialer1  
  ip address negotiated  
  ip nat outside  
  ip virtual-reassembly  
  encapsulation ppp  
  dialer pool 1  
  keepalive 60  
  ppp authentication pap callin  
  ppp pap sent-username username password password  
  ppp ipcp dns request  
  ppp ipcp route default  
 !  
 ip forward-protocol nd  
 !  
 no ip http server  
 no ip http secure-server  
 ip nat inside source list NAT interface Dialer1 overload  
 !  
 ip access-list extended NAT  
  deny  ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  
  permit ip 192.168.1.0 0.0.0.255 any  
 !  
 !  
 !  
 control-plane  
 !  
 !  
 !  
 line con 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line aux 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line vty 0 4  
  login local  
 line vty 5 15  
  login  
 !  
 !  
 end    



Site_1_R2 Configurations

 !  
 !  
 version 12.4  
 service timestamps debug datetime msec  
 service timestamps log datetime msec  
 no service password-encryption  
 !  
 hostname Site_1_R2  
 !  
 boot-start-marker  
 boot-end-marker  
 !  
 enable secret cisco  
 !  
 no aaa new-model  
 memory-size iomem 5  
 ip cef  
 !  
 !  
 ip auth-proxy max-nodata-conns 3  
 ip admission max-nodata-conns 3  
 !  
 !  
 ip domain name lab.local  
 !  
 !  
 !  
 key chain GRE  
  key 1  
   key-string GRE  
 !  
 !  
 username Admin privilege 15 secret cisco  
 !  
 !  
 !   
 !  
 !  
 !  
 interface Tunnel2  
  ip address 10.0.0.9 255.255.255.248  
  keepalive 3 3  
  tunnel source Dialer1  
  tunnel destination Site_2_R2_router_dialer1_IP 
  tunnel key 1  
 !  
 interface FastEthernet0/0  
  no ip address  
  duplex auto  
  speed auto  
  pppoe enable group global  
  pppoe-client dial-pool-number 1  
 !  
 interface FastEthernet0/1  
  ip address 192.168.1.2 255.255.255.0  
  ip nat inside  
  ip virtual-reassembly  
  duplex auto  
  speed auto  
  standby 1 ip 192.168.1.5  
  standby 1 preempt  
  standby 1 authentication md5 key-string SITE1  
  standby 1 mac-address 000a.000b.000a  
 !  
 interface Dialer1  
  ip address negotiated  
  ip nat outside  
  ip virtual-reassembly  
  encapsulation ppp  
  dialer pool 1  
  keepalive 60  
  ppp authentication pap callin  
  ppp pap sent-username username password password  
  ppp ipcp dns request  
  ppp ipcp route default  
 !  
 ip forward-protocol nd  
 !  
 no ip http server  
 no ip http secure-server  
 ip nat inside source list NAT interface Dialer1 overload  
 !  
 ip access-list extended NAT  
  deny  ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  
  permit ip 192.168.1.0 0.0.0.255 any  
 !  
 !  
 !  
 control-plane  
 !  
 !  
 !  
 line con 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line aux 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line vty 0 4  
  login local  
 line vty 5 15  
  login  
 !  
 !  
 end  
   



Site_2_R1 Configurations

 !  
 !  
 version 12.4  
 service timestamps debug datetime msec  
 service timestamps log datetime msec  
 service password-encryption  
 !  
 hostname Site_2_R1  
 !  
 boot-start-marker  
 boot-end-marker  
 !  
 enable secret cisco  
 !  
 no aaa new-model  
 memory-size iomem 5  
 ip cef  
 !  
 !  
 ip auth-proxy max-nodata-conns 3  
 ip admission max-nodata-conns 3  
 !  
 !  
 no ip domain lookup  
 ip domain name lab.local  
 !  
 !  
 !  
 key chain GRE  
  key 1  
   key-string GRE  
 !  
 !  
 username Admin privilege 15 secret cisco  
 !  
 !  
 !  
 !  
 !   
 !  
 !  
 !  
 interface Tunnel1  
  ip address 10.0.0.2 255.255.255.248  
  keepalive 3 3  
  tunnel source Dialer1  
  tunnel destination Site_1_R1_router_dialer1_IP  
  tunnel key 1  
 !  
 interface FastEthernet0/0  
  no ip address  
  duplex auto  
  speed auto  
  pppoe enable group global  
  pppoe-client dial-pool-number 1  
 !  
 interface FastEthernet0/1  
  ip address 192.168.2.1 255.255.255.0  
  ip nat inside  
  ip virtual-reassembly  
  duplex auto  
  speed auto  
  standby 1 ip 192.168.2.5  
  standby 1 priority 105  
  standby 1 preempt  
  standby 1 authentication md5 key-string SITE2  
  standby 1 mac-address 0002.0002.0002  
  standby 1 track Dialer1  
  standby 1 track Tunnel1  
 !  
 interface Dialer1  
  ip address negotiated  
  ip nat outside  
  ip virtual-reassembly  
  encapsulation ppp  
  dialer pool 1  
  keepalive 60  
  ppp authentication pap callin  
  ppp pap sent-username username password password  
  ppp ipcp dns request  
  ppp ipcp route default  
 !  
 interface Dialer2  
  no ip address  
 !  
 interface Dialer4  
  no ip address  
 !  
 ip forward-protocol nd  
 !  
 no ip http server  
 no ip http secure-server  
 ip nat inside source list NAT interface Dialer1 overload  
 !  
 ip access-list extended NAT  
  deny  ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255  
  permit ip 192.168.2.0 0.0.0.255 any  
 !  
 !  
 !  
 control-plane  
 !  
 !  
 !  
 line con 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line aux 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line vty 0 4  
  login local  
 line vty 5 15  
  login  
 !  
 !  
 end  
   



Site_2_R2 Configurations

 !  
 !  
 version 12.4  
 service timestamps debug datetime msec  
 service timestamps log datetime msec  
 no service password-encryption  
 !  
 hostname Site_2_R2  
 !  
 boot-start-marker  
 boot-end-marker  
 !  
 enable secret cisco  
 !  
 no aaa new-model  
 memory-size iomem 5  
 ip cef  
 !  
 !  
 ip auth-proxy max-nodata-conns 3  
 ip admission max-nodata-conns 3  
 !  
 !  
 no ip domain lookup  
 ip domain name lab.local  
 !  
 !  
 !  
 key chain GRE  
  key 1  
   key-string GRE  
 !  
 !  
 username Admin privilege 15 secret cisco  
 !  
 !  
 !   
 !  
 !  
 !  
 interface Tunnel2  
  ip address 10.0.0.10 255.255.255.248  
  keepalive 3 3  
  tunnel source Dialer1  
  tunnel destination Site_1_R2_router_dialer1_IP  
  tunnel key 1  
 !  
 interface FastEthernet0/0  
  no ip address  
  duplex auto  
  speed auto  
  pppoe enable group global  
  pppoe-client dial-pool-number 1  
 !  
 interface FastEthernet0/1  
  ip address 192.168.2.2 255.255.255.0  
  ip nat inside  
  ip virtual-reassembly  
  duplex auto  
  speed auto  
  standby 1 ip 192.168.2.5  
  standby 1 preempt  
  standby 1 authentication md5 key-string SITE2  
  standby 1 mac-address 0002.0002.0002  
 !  
 interface Dialer1  
  ip address negotiated  
  ip nat outside  
  ip virtual-reassembly  
  encapsulation ppp  
  dialer pool 1  
  keepalive 60  
  ppp authentication pap callin  
  ppp pap sent-username username password password  
  ppp ipcp dns request  
  ppp ipcp route default  
 !  
 ip forward-protocol nd  
 !  
 no ip http server  
 no ip http secure-server  
 ip nat inside source list NAT interface Dialer1 overload  
 !  
 ip access-list extended NAT  
  deny  ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255  
  permit ip 192.168.2.0 0.0.0.255 any  
 !  
 !  
 !  
 control-plane  
 !  
 !  
 !  
 line con 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line aux 0  
  exec-timeout 0 0  
  privilege level 15  
  logging synchronous  
 line vty 0 4  
  login  
 line vty 5 15  
  login  
 !  
 !  
 end  
   


In my example I use:

PC1 ip = 192.168.1.10 with 24 mask
PC2 ip = 192.168.2.10 with 24 mask

with the HSRP virtual addresses 192.168.1.5 and 192.168.2.5 as their default gateways.

Also, the Dialer interface should have your PPPoE username and password correctly configured, and the tunnel destination placeholders (Site_x_Ry_router_dialer1_IP) must be replaced with the real negotiated addresses of the peers.

How the failover works: the primaries run with priority 105 and track both Dialer1 and Tunnel1. Each tracked object that goes down lowers the priority by the default 10, so a single failure drops the primary to 95, below the backup's default 100, and the backup (which has preempt) becomes active and sends the LAN traffic through Tunnel2. The GRE keepalive (keepalive 3 3) is what takes Tunnel1 down when the far end stops answering, so both sites fail over together.

Two things to be aware of in the configs as shown. First, there is no route for the remote LAN over the tunnel: the NAT ACL excludes 192.168.1.0/24 to 192.168.2.0/24 from translation, but without something like ip route 192.168.2.0 255.255.255.0 Tunnel1 on Site_1_R1 (and the equivalents on the other three routers, or a routing protocol over the tunnels) that traffic follows the default route out Dialer1 untranslated. Second, the key chain GRE is defined but never referenced; tunnel key 1 is the key field of the GRE header, not something taken from a key chain. That tunnel key is a cleartext 32-bit demultiplexing value, neither authentication nor encryption, and everything inside the GRE tunnel crosses the Internet in the clear, so for a real deployment protect it with IPsec as in the site-to-site lab above.
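To make the point about tunnel key concrete, here is GRE encapsulation as the Tunnel interfaces above perform it (an added example, not code from the original post or from IOS), following RFC 2784/2890. It builds the outer IPv4 packet (protocol 47) around a GRE header with the key set to 1, shows that a receiver configured with a different key drops the packet, and shows what an observer between the two dialers can read. Inner addresses are PC1 and PC2 from the text; the outer addresses 203.0.113.1 and 203.0.113.2 are constructed stand-ins for the negotiated PPPoE dialer addresses.

```python
"""Added example, not part of the original post: GRE encapsulation as the
Tunnel interfaces above do it (RFC 2784/2890), including the 'tunnel key 1'
field. It shows that the key is a cleartext demultiplexing value and not
authentication or encryption: a receiver merely drops packets whose key differs,
and anyone on the path reads the inner addresses and payload. Inner addresses
are PC1/PC2 from the text; the outer addresses 203.0.113.1/2 are constructed
stand-ins for the negotiated PPPoE dialer addresses."""
import socket
import struct

GRE_FLAG_C = 0x8000        # checksum present
GRE_FLAG_K = 0x2000        # key present ('tunnel key')
GRE_FLAG_S = 0x1000        # sequence number present
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement sum over the header; 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encap(inner: bytes, key=None) -> bytes:
    """GRE header: flags/version, protocol type, then the optional 32-bit key."""
    flags = GRE_FLAG_K if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def gre_key(gre: bytes):
    """Read the key straight off the wire; it is not hidden from anyone."""
    flags = struct.unpack("!H", gre[:2])[0]
    if not flags & GRE_FLAG_K:
        return None
    offset = 4 + (4 if flags & GRE_FLAG_C else 0)
    return struct.unpack("!I", gre[offset:offset + 4])[0]


def gre_decap(gre: bytes, expected_key=None):
    """Inner packet, or None when the key does not match what the tunnel interface expects."""
    flags, proto = struct.unpack("!HH", gre[:4])
    offset = 4
    for flag in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S):
        if flags & flag:
            offset += 4
    if proto != ETHERTYPE_IPV4 or gre_key(gre) != expected_key:
        return None                      # IOS drops such packets silently
    return gre[offset:]


def tunnel_send(inner: bytes, outer_src: str, outer_dst: str, key: int) -> bytes:
    """What leaves Dialer1: outer IPv4 (protocol 47) carrying GRE carrying the LAN packet."""
    return ipv4_packet(outer_src, outer_dst, IPPROTO_GRE, gre_encap(inner, key), ttl=255)


def tunnel_receive(packet: bytes, expected_key):
    """What the far Tunnel interface does with a packet arriving on its Dialer1."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        return None
    return gre_decap(packet[ihl:], expected_key)


def on_path_view(packet: bytes):
    """What an observer between the two dialers learns: outer pair, key, and inner pair."""
    ihl = (packet[0] & 0x0F) * 4
    gre = packet[ihl:]
    inner = gre_decap(gre, gre_key(gre))
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), gre_key(gre),
            socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]))


if __name__ == "__main__":
    lan_packet = ipv4_packet("192.168.1.10", "192.168.2.10", 1, b"constructed ICMP payload")
    wire = tunnel_send(lan_packet, "203.0.113.1", "203.0.113.2", key=1)
    print("far end with 'tunnel key 1' accepts:", tunnel_receive(wire, 1) == lan_packet)
    print("far end with a different key drops: ", tunnel_receive(wire, 2) is None)
    print("observer sees:", on_path_view(wire))
```

The key check is the only protection GRE offers, and the observer function shows why it is none: the key, both LAN addresses and the payload are all readable on the wire. Mismatched keys on the two ends of Tunnel1 simply produce silent drops and a tunnel that stays down under keepalive, which is the symptom to look for when the HSRP failover triggers unexpectedly.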

Below is the .net file for GNS3.

Mediafire Link for .net File

If you have any questions regarding the GRE tunnel, feel free to comment.
Thank you..