All posts by Amolak

About Amolak

Network Consultant

Test AAA Server on Cisco ASA and IOS Devices

When we configure AAA on a Cisco ASA or any IOS device (router or switch), it is good practice to confirm that the configuration is correct and that the server is reachable and responding as expected.

Cisco IOS:

Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ROUTER-1#test aaa group radius server 10.1.2.3 amolak password123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

ROUTER-1#test aaa group radius server 10.1.2.3 amolak wrongpassword legacy  
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

Cisco ASA:

Radius Servers Group Name: RADIUS-SERVERS
Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: password123
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
INFO: Authentication Successful

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: wrongpassword
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure

Note that you can test either the whole group or a specific server in the group, which makes it possible to confirm that every server in the group is working.
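As an added example (not from the original post), here is what the test above exchanges with the RADIUS server at the packet level, in Python: the Access-Request carrying the hidden User-Password, and the check the client side performs on the server's reply (RFC 2865). The shared secret, identifier and credentials are constructed sample values; the shared secret is what the device's RADIUS key would hold.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not password:
        raise ValueError("empty password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the hidden (output) block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the NUL padding.
    This is obfuscation keyed by the shared secret, not encryption: anyone who
    holds the secret and captures the packet recovers the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client side: Code=1, Identifier, Length, 16-byte Request Authenticator, attributes.
    Returns (packet, request_authenticator); the authenticator is needed to check the reply."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret), which binds the reply to one request and the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(resp, req_auth, secret):
    """Client side: return the reply code only if the Response Authenticator checks
    out, otherwise None. A spoofed or altered Access-Accept fails this check."""
    if len(resp) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    pkt, ra = build_access_request(7, b"amolak", b"password123", secret)
    reply = build_response(ACCESS_ACCEPT, 7, ra, secret)
    print("reply code:", verify_response(reply, ra, secret))  # 2 == Access-Accept
    forged = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, 7, ra, secret)[1:]
    print("forged accept verifies:", verify_response(forged, ra, secret) is not None)  # False
```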

Self Signed Certificate for WebVPN on ASA

We will configure a self-signed certificate on a Cisco ASA for AnyConnect (WebVPN).

1. Generate an RSA key pair for the certificate. The label should be unique, for example sslvpnkeypair.

ASA-1(config)#crypto key generate rsa label sslvpnkeypair modulus 1024
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait…

2. Create a trustpoint for the self-issued certificate.

ASA-1(config)#crypto ca trustpoint self

3. The fully qualified domain name is used for both the fqdn and the CN. The name should resolve to the ASA outside interface IP address.

ASA-1(config-ca-trustpoint)#enrollment self
ASA-1(config-ca-trustpoint)#fqdn vpn.amolak.net
ASA-1(config-ca-trustpoint)#subject-name CN=vpn.amolak.net

4. Assign the RSA key pair to the trustpoint so it is used to create the certificate.

ASA-1(config-ca-trustpoint)#keypair sslvpnkeypair

5. Enroll the trustpoint to generate the self-signed certificate, then assign the trustpoint to be used for SSL connections on the outside interface.

ASA-1(config-ca-trustpoint)#crypto ca enroll self noconfirm
% The fully-qualified domain name in the certificate will be: vpn.amolak.net
ASA-1(config)# ssl trust-point self outside

Final Configuration:

crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint self
 enrollment self
 fqdn vpn.amolak.net
 subject-name CN=vpn.amolak.net
 keypair sslvpnkeypair
!
crypto ca enroll self noconfirm
!
ssl trust-point self outside

BGP Default Route

We will discuss the different ways to advertise a default route in BGP, using the following network topology.

[Figure: bgp-default-route topology diagram]

1. default-information originate

A default route can be injected into BGP with the command ‘default-information originate’. The following conditions must be fulfilled to use this method.

– A default route must be in the local routing table.
– The default route must be redistributed into BGP.
– Add ‘default-information originate’ under router bgp <ASN>.

Here is the initial configuration and BGP status on all routers.

[Figures: initial configuration and BGP status of R1, R2, R3 and R4]

Let’s first try to add a static default route and redistribute it into BGP on R1.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip route 0.0.0.0 0.0.0.0 null0
R1(config)#router bgp 100
R1(config-router)#redistribute static
R1(config-router)#
R1(config-router)#do sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 redistribute static
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1(config-router)#do sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0 (connected), candidate default path
  Redistributing via bgp 100
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
R1(config-router)#
R1(config-router)#do sh ip bgp
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1(config-router)#

R1 is not yet advertising a default route into BGP, so simply redistributing a static default route is not enough. Let’s add ‘default-information originate’ under BGP.

R1(config-router)#router bgp 100
R1(config-router)#default-information originate
R1(config-router)#do sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 redistribute static
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
 default-information originate
R1(config-router)#do sh ip bgp
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 ?
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1(config-router)#

Now all BGP peers (iBGP and eBGP) are receiving the default route from R1.

R2#sh ip bgp
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          12.12.12.1               0             0 100 ?
 *>  1.1.1.0/24       12.12.12.1               0             0 100 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       12.12.12.1                             0 100 300 i
 *>  4.4.4.0/24       12.12.12.1                             0 100 i
R2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 200", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 12.12.12.1 00:02:25 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:02:25 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R2#
R3#sh ip bgp
BGP table version is 8, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          13.13.13.1               0             0 100 ?
 *>  1.1.1.0/24       13.13.13.1               0             0 100 i
 *>  2.2.2.0/24       13.13.13.1                             0 100 200 i
 *>  3.3.3.0/24       0.0.0.0                  0         32768 i
 *>  4.4.4.0/24       13.13.13.1                             0 100 i
R3#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 300", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 13.13.13.1 00:04:36 ago
  Routing Descriptor Blocks:
  * 13.13.13.1, from 13.13.13.1, 00:04:36 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R3#
R4#sh ip bgp
BGP table version is 8, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          14.14.14.1               0    100      0 ?
 r>i 1.1.1.0/24       14.14.14.1               0    100      0 i
 *>i 2.2.2.0/24       14.14.14.1               0    100      0 200 i
 *>i 3.3.3.0/24       14.14.14.1               0    100      0 300 i
 *>  4.4.4.0/24       0.0.0.0                  0         32768 i
R4#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
  Last update from 14.14.14.1 00:05:21 ago
  Routing Descriptor Blocks:
  * 14.14.14.1, from 14.14.14.1, 00:05:21 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none


2. network 0.0.0.0

A default route can be injected into BGP by configuring ‘network 0.0.0.0’ under BGP, provided a default route is present in the local routing table of the router.

The following conditions must be fulfilled to use this method.

– A default route must be in the local routing table.
– Add ‘network 0.0.0.0’ under router bgp <ASN>

Let’s remove previously configured ‘default-information originate’ and ‘redistribute static’ commands and use ‘network 0.0.0.0’.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 100
R1(config-router)#no default-information originate
R1(config-router)#no redistribute static
R1(config-router)#network 0.0.0.0
R1(config-router)#do sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 0.0.0.0
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1(config-router)#end
R1#sh ip
*Mar 24 11:42:36.623: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip bgp
BGP table version is 13, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                  0         32768 i
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1#

Let’s verify BGP table and default route on peer routers.

R2#sh ip bgp
BGP table version is 12, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          12.12.12.1               0             0 100 i
 *>  1.1.1.0/24       12.12.12.1               0             0 100 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       12.12.12.1                             0 100 300 i
 *>  4.4.4.0/24       12.12.12.1                             0 100 i
R2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 200", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 12.12.12.1 00:01:54 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:01:54 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R3#sh ip bgp
BGP table version is 10, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          13.13.13.1               0             0 100 i
 *>  1.1.1.0/24       13.13.13.1               0             0 100 i
 *>  2.2.2.0/24       13.13.13.1                             0 100 200 i
 *>  3.3.3.0/24       0.0.0.0                  0         32768 i
 *>  4.4.4.0/24       13.13.13.1                             0 100 i
R3#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 300", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 13.13.13.1 00:02:17 ago
  Routing Descriptor Blocks:
  * 13.13.13.1, from 13.13.13.1, 00:02:17 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R4#sh ip bgp
BGP table version is 10, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          14.14.14.1               0    100      0 i
 r>i 1.1.1.0/24       14.14.14.1               0    100      0 i
 *>i 2.2.2.0/24       14.14.14.1               0    100      0 200 i
 *>i 3.3.3.0/24       14.14.14.1               0    100      0 300 i
 *>  4.4.4.0/24       0.0.0.0                  0         32768 i
R4#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 200, metric 0, candidate default path, type internal
  Last update from 14.14.14.1 00:03:06 ago
  Routing Descriptor Blocks:
  * 14.14.14.1, from 14.14.14.1, 00:03:06 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none


3. neighbor x.x.x.x default-originate

If you want to advertise a default route to a specific peer only, this is the method to use.

– Add ‘neighbor x.x.x.x default-originate’ under router bgp <ASN>.
– It does not even check for the existence of a default route in the IP routing table.
– ‘default-information originate’ should not be configured together with ‘neighbor x.x.x.x default-originate’ on the same router.

Let’s remove previously configured commands.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip route 0.0.0.0 0.0.0.0 Null0
R1(config)#router bgp 100
R1(config-router)#no  network 0.0.0.0
R1(config-router)#end
R1#sh run
*Mar 24 11:50:22.479: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1#sh ip route 0.0.0.0
% Network not in table
R1#sh ip bgp
BGP table version is 14, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i

Now advertise default route only to R2.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 100
R1(config-router)#neighbor 12.12.12.2 default-originate
R1(config-router)#end
R1#s
*Mar 24 11:53:46.471: %SYS-5-CONFIG_I: Configured from console by consoleh
R1#sh run | s bgp
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 12.12.12.2 default-originate
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
R1#clear ip bgp 12.12.12.2 soft
R1#sh ip bgp
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                                0 i
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i
R1#sh ip route 0.0.0.0
% Network not in table
R1#

Notice that there is no default route in the local routing table of R1, and the BGP table shows no best path (no *> status) for network 0.0.0.0.

Let’s verify what R1 is advertising to its peers.

R1#sh ip bgp neighbors 12.12.12.2 advertised-routes
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Originating default network 0.0.0.0

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i

Total number of prefixes 3

R1#sh ip bgp neighbors 13.13.13.3 advertised-routes
BGP table version is 15, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       12.12.12.2               0             0 200 i
 *>  3.3.3.0/24       13.13.13.3               0             0 300 i
 r>i 4.4.4.0/24       14.14.14.4               0    100      0 i

Total number of prefixes 4

No default route is advertised to R3 (13.13.13.3).

Finally, verify BGP table and routing table on all peer routers.

R2#sh ip bgp
BGP table version is 14, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          12.12.12.1                             0 100 i
 *>  1.1.1.0/24       12.12.12.1               0             0 100 i
 *>  2.2.2.0/24       0.0.0.0                  0         32768 i
 *>  3.3.3.0/24       12.12.12.1                             0 100 300 i
 *>  4.4.4.0/24       12.12.12.1                             0 100 i
R2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 200", distance 20, metric 0, candidate default path
  Tag 100, type external
  Last update from 12.12.12.1 00:08:27 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:08:27 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 100
      MPLS label: none
R3#sh ip bgp
BGP table version is 11, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       13.13.13.1               0             0 100 i
 *>  2.2.2.0/24       13.13.13.1                             0 100 200 i
 *>  3.3.3.0/24       0.0.0.0                  0         32768 i
 *>  4.4.4.0/24       13.13.13.1                             0 100 i
R3#sh ip route 0.0.0.0
% Network not in table
R4#sh ip bgp
BGP table version is 11, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 r>i 1.1.1.0/24       14.14.14.1               0    100      0 i
 *>i 2.2.2.0/24       14.14.14.1               0    100      0 200 i
 *>i 3.3.3.0/24       14.14.14.1               0    100      0 300 i
 *>  4.4.4.0/24       0.0.0.0                  0         32768 i
R4#sh ip route 0.0.0.0
% Network not in table
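As an added example (not from the original post), here is a small Python check that applies the three origination rules demonstrated above to `show run | section bgp` text and reports which peers will receive 0.0.0.0/0 and through which mechanism. The sample configurations are the R1 configurations shown above; the one extra assumption is that the caller states whether a default route is present in the RIB (what `show ip route 0.0.0.0` would tell you). A check like this is useful for catching a default route being leaked to an eBGP peer unintentionally.

```python
import re

# Sample "show run | section bgp" text taken from the R1 configurations in the post.
CFG_REDIST_ONLY = """router bgp 100
 bgp router-id 1.1.1.1
 network 1.1.1.0 mask 255.255.255.0
 redistribute static
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
 neighbor 14.14.14.4 next-hop-self
"""
CFG_DIO = CFG_REDIST_ONLY + " default-information originate\n"
CFG_NET0 = """router bgp 100
 bgp router-id 1.1.1.1
 network 0.0.0.0
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
"""
CFG_PER_PEER = """router bgp 100
 bgp router-id 1.1.1.1
 network 1.1.1.0 mask 255.255.255.0
 neighbor 12.12.12.2 remote-as 200
 neighbor 12.12.12.2 default-originate
 neighbor 13.13.13.3 remote-as 300
 neighbor 14.14.14.4 remote-as 100
"""


def audit_default_route(bgp_config, default_in_rib, default_source="static"):
    """Return (advertised, warnings). advertised maps each peer IP that will
    receive 0.0.0.0/0 to the mechanism responsible; warnings lists config that
    has no effect or that the post says not to combine.
    Rules, as observed in the post:
      1. default-information originate: needs the default in the RIB AND the
         protocol it came from (default_source) redistributed into BGP
      2. network 0.0.0.0: needs the default in the RIB
      3. neighbor X default-originate: sent to X only, no RIB check at all
    """
    peers = re.findall(r"^\s*neighbor (\S+) remote-as \d+", bgp_config, re.M)
    redistributed = set(re.findall(r"^\s*redistribute (\S+)", bgp_config, re.M))
    has_dio = re.search(r"^\s*default-information originate\b", bgp_config, re.M) is not None
    has_net0 = re.search(r"^\s*network 0\.0\.0\.0(\s|$)", bgp_config, re.M) is not None
    per_peer = re.findall(r"^\s*neighbor (\S+) default-originate\b", bgp_config, re.M)
    advertised, warnings = {}, []
    if has_dio:
        if default_in_rib and default_source in redistributed:
            for p in peers:
                advertised.setdefault(p, "default-information originate")
        else:
            warnings.append("default-information originate has no effect: default "
                            "route missing from RIB or %s not redistributed" % default_source)
    if has_net0:
        if default_in_rib:
            for p in peers:
                advertised.setdefault(p, "network 0.0.0.0")
        else:
            warnings.append("network 0.0.0.0 has no effect: default route missing from RIB")
    for p in per_peer:
        if p not in peers:
            warnings.append("default-originate for %s, which is not a configured neighbor" % p)
        advertised.setdefault(p, "neighbor default-originate")
    if has_dio and per_peer:
        warnings.append("default-information originate and neighbor default-originate "
                        "should not be combined on the same router")
    return advertised, warnings


if __name__ == "__main__":
    for label, cfg, in_rib in [("redistribute only", CFG_REDIST_ONLY, True),
                               ("default-information originate", CFG_DIO, True),
                               ("network 0.0.0.0", CFG_NET0, True),
                               ("neighbor default-originate", CFG_PER_PEER, False)]:
        adv, warn = audit_default_route(cfg, in_rib)
        print("%-32s -> %s %s" % (label, adv, warn))
```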

IPv6 Address Types

::/128 – Unspecified Address

This address may only be used as a source address by an initializing host before it has learned its own address.

IPv4 Equivalent – 0.0.0.0

::1/128 – Loopback Address

This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another.

IPv4 Equivalent – 127.0.0.1

::ffff:0:0/96 – IPv4-Mapped Address

Example:   ::ffff:123.4.5.67

These addresses are used to embed IPv4 addresses in an IPv6 address. One use for this is in a dual stack transition scenario where IPv4 addresses can be mapped into an IPv6 address. See RFC 4038 for more details – https://www.ietf.org/rfc/rfc4038.txt

fc00::/7 – Unique Local Addresses (ULAs)

Example:   fc00:1234:5678::99

These addresses are reserved for local use in home and enterprise environments and are not public address space. These addresses might not be unique, and there is no formal address registration. Packets with these addresses in the source or destination fields are not intended to be routed on the public Internet but are intended to be routed within the enterprise or organization.
See RFC 4193 for more details – https://www.ietf.org/rfc/rfc4193.txt

IPv4 Equivalent – Private or RFC1918 Addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

fe80::/10 – Link-Local Addresses

Example:   fe80::1234:5678:9abc:1234

These addresses are used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link.
Link-local addresses may appear as the source or destination of an IPv6 packet. Routers must not forward IPv6 packets if the source or destination contains a link-local address.
See RFC 4193 for more details – https://www.ietf.org/rfc/rfc4193.txt

IPv4 Equivalent – 169.254.0.0/16

2001:0000::/32 – Teredo

Example:   2001:0000:4136:e378:8000:63bf:3fff:fdd2

This is a mapped address allowing IPv6 tunneling through IPv4 NATs. The address is formed using the Teredo prefix, the server’s unique IPv4 address, flags describing the type of NAT, the obfuscated client port and the client IPv4 address, which is probably a private address. It is possible to reverse the process and identify the IPv4 address of the relay server, which can then be looked up in the relevant RIR’s Whois database.

You can do this on the following webpage:
http://www.potaroo.net/cgi-bin/ipv6addr

2001:0002::/48 – Benchmarking

Example:   2001:2::1234

These addresses are reserved for benchmarking use. They should not be used as source or destination addresses.

IPv4 Equivalent – 198.18.0.0/15

2001:0010::/28 – Orchid

Example:   2001:10::1234

These addresses are used for a fixed-term experiment. They should only be visible on an end-to-end basis and routers should not see packets using them as source or destination addresses.

2002::/16 – 6to4

Example:   2002::1234

A 6to4 gateway adds its IPv4 address to this 2002::/16, creating a unique /48 prefix. As the IPv4 address of the gateway router is used to compose the IPv6 prefix, it is possible to reverse the process and identify the IPv4 address, which can then be looked up in the relevant RIR’s Whois database.

You can do this on the following webpage:
http://www.potaroo.net/cgi-bin/ipv6addr

IPv4 Equivalent – There is no equivalent but 192.88.99.0/24 has been reserved as the 6to4 relay anycast address prefix by the IETF.

2001:db8::/32 – Documentation

Example:   2001:db8::1234

These addresses are used in examples and documentation. They should never be source or destination addresses.

IPv4 Equivalent – 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24

2000::/3 – Global Unicast

Example:   2000::1234

Other than the exceptions documented above, the operators of networks using these addresses can be found using the Whois servers of the RIRs listed in the registry at:
http://www.iana.org/assignments/ipv6-unicast-address-assignments

IPv4 Equivalent – No equivalent single block

ff00::/8 – Multicast

Example:   ff00::1234

These addresses are used to identify multicast groups. They should only be used as destination addresses, never as source addresses.

IPv4 Equivalent – 224.0.0.0/4
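As an added example (not part of the original post), here is a Python classifier for the ranges listed above, plus the reverse mapping the post mentions for Teredo and 6to4: it extracts the Teredo server and client IPv4 addresses and the 6to4 gateway address directly from the IPv6 address, using only the standard library. The Teredo sample is the one above; the 6to4 sample 2002:c000:204::1 is constructed from the 192.0.2.4 documentation address.

```python
import ipaddress

# Address ranges from the post, most specific first so the first match wins.
# The IPv4-mapped prefix is written out in full as ::ffff:0:0/96.
RANGES = [
    ("Unspecified", "::/128"),
    ("Loopback", "::1/128"),
    ("IPv4-Mapped", "::ffff:0:0/96"),
    ("Teredo", "2001::/32"),
    ("Benchmarking", "2001:2::/48"),
    ("Orchid", "2001:10::/28"),
    ("Documentation", "2001:db8::/32"),
    ("6to4", "2002::/16"),
    ("Global Unicast", "2000::/3"),
    ("Unique Local", "fc00::/7"),
    ("Link-Local", "fe80::/10"),
    ("Multicast", "ff00::/8"),
]
NETWORKS = [(name, ipaddress.IPv6Network(p)) for name, p in RANGES]


def classify(addr):
    """Name the address type as listed in the post, or 'Reserved/other'."""
    a = ipaddress.IPv6Address(addr)
    for name, net in NETWORKS:
        if a in net:
            return name
    return "Reserved/other"


def teredo_decode(addr):
    """RFC 4380 layout: prefix(32) | server IPv4(32) | flags(16) | ~port(16) | ~client IPv4(32).
    Returns (server_ipv4, flags, client_udp_port, client_ipv4)."""
    n = int(ipaddress.IPv6Address(addr))
    server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
    flags = (n >> 48) & 0xFFFF
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF                          # port is stored inverted
    client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)  # so is the client address
    return str(server), flags, port, str(client)


def sixtofour_decode(addr):
    """2002:V4ADDR::/48: the gateway's IPv4 address occupies bits 16..47."""
    n = int(ipaddress.IPv6Address(addr))
    return str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))


def embedded_ipv4(addr):
    """Recover whatever IPv4 address the IPv6 address carries, keyed by its type:
    the Teredo server and client, the 6to4 gateway, or the mapped address."""
    kind = classify(addr)
    if kind == "Teredo":
        server, _flags, _port, client = teredo_decode(addr)
        return {"server": server, "client": client}
    if kind == "6to4":
        return {"gateway": sixtofour_decode(addr)}
    if kind == "IPv4-Mapped":
        return {"mapped": str(ipaddress.IPv6Address(addr).ipv4_mapped)}
    return {}


if __name__ == "__main__":
    for sample in ["2001:0000:4136:e378:8000:63bf:3fff:fdd2",  # Teredo example from the post
                   "2002:c000:204::1",                         # constructed 6to4 sample
                   "::ffff:123.4.5.67", "fe80::1234:5678:9abc:1234"]:
        print(sample, "->", classify(sample), embedded_ipv4(sample))
```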

ASA Static Route with Object Tracking

We will use the following topology to configure a floating static route on Cisco ASA with object tracking.

Objective of this task:

  1. Configure floating static route with object tracking
  2. Configure Dynamic NAT via Primary and Backup Link
  3. Configure Static NAT with auto failover between Primary and Backup Link

[Figure: asa-static-route-track topology diagram]


Basic Configuration on ASA:

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.14.1 255.255.255.0 
!
interface GigabitEthernet1
 nameif outside-2
 security-level 0
 ip address 2.2.14.1 255.255.255.0 
!
interface GigabitEthernet2
 nameif inside
 security-level 100
 ip address 10.10.123.1 255.255.255.0 
!
  • Primary internet link IP subnet is 1.1.14.0/24 and the ISP gateway IP is 1.1.14.4.
  • Backup internet link IP subnet is 2.2.14.0/24 and the ISP gateway IP is 2.2.14.4.
  • We will track reachability to IP address 4.4.4.4 via the primary internet link to confirm that it is working.
# Configure static route to reach IP address 4.4.4.4 via primary internet link

route outside 4.4.4.4 255.255.255.255 1.1.14.4

# Create SLA Monitor session

sla monitor 101
 type echo protocol ipIcmpEcho 4.4.4.4 interface outside
 num-packets 5
 frequency 10
sla monitor schedule 101 life forever start-time now

# Create track session

track 1 rtr 101 reachability

# Configure default route via primary internet link with tracking

route outside 0.0.0.0 0.0.0.0 1.1.14.4 1 track 1

# Configure default route via backup internet link with a higher administrative distance (here 200; the default AD for a static route is 1)

route outside-2 0.0.0.0 0.0.0.0 2.2.14.4 200

# Configure Dynamic NAT rule for LAN users to access internet via primary or backup internet link

object network ANY
 subnet 0.0.0.0 0.0.0.0
!
object network ANY-2
 subnet 0.0.0.0 0.0.0.0
!
object network ANY
 nat (inside,outside) dynamic interface
!
object network ANY-2
 nat (inside,outside-2) dynamic interface

Verify default route and internet access

# Verify SLA Monitor configuration

ASA# show sla monitor configuration 
SA Agent, Infrastructure Engine-II
Entry number: 101
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 4.4.4.4
Interface: outside
Number of packets: 5
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# Verify SLA Monitor operational status

ASA# show sla monitor operational-state 
Entry number: 101
Modification time: 09:54:01.469 UTC Sat Aug 1 2015
Number of Octets Used by this Entry: 1480
Number of operations attempted: 34
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 8
Latest operation start time: 09:59:31.479 UTC Sat Aug 1 2015
Latest operation return code: OK
RTT Values:
RTTAvg: 8       RTTMin: 1       RTTMax: 20
NumOfRTT: 5     RTTSum: 42      RTTSum2: 602

# Verify track status

ASA# show track 
Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  2 changes, last change 00:05:45
  Latest operation return code: OK
  Latest RTT (millisecs) 4
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify routing

ASA# show run route
route outside 0.0.0.0 0.0.0.0 1.1.14.4 1 track 1
route outside-2 0.0.0.0 0.0.0.0 2.2.14.4 200
route outside 4.4.4.4 255.255.255.255 1.1.14.4 1
 
ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside

# Ping internet IP address 5.5.5.5 (It is configured on R5)

R2#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/48 ms

# Verify NAT on ASA

ASA# show xlate 
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:09:24 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:09:30 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/2 to outside:1.1.14.1/35590 flags ri idle 0:00:28 timeout 0:00:30

ASA# show conn address 5.5.5.5
1 in use, 4 most used
ICMP outside 5.5.5.5:0 inside 10.10.123.2:3, idle 0:00:00, bytes 72

# Let's simulate primary internet link failure
# Shutdown int f0/0 on R4

R4#sh run int f0/0
Building configuration...

Current configuration : 92 bytes
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
 speed 100
 full-duplex
end

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int f0/0
R4(config-if)#shut 
R4(config-if)#
*Mar  1 00:13:08.571: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 00:13:09.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R4(config-if)#

# Verify Track status on ASA

ASA# show track
Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  3 changes, last change 00:00:31
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify Routing

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2

# As you can see in the above output, the default route now points to the backup ISP GW (2.2.14.4).

# Verify Internet access from the LAN and the NAT status on the ASA. The LAN subnet is now dynamically NAT'ed to the backup interface.

R2#ping 5.5.5.5        

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

ASA# show xlate 
3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:18:18 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:18:24 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/6 to outside-2:2.2.14.1/5805 flags ri idle 0:00:39 timeout 0:00:30

ASA# show conn address 5.5.5.5
1 in use, 6 most used
ICMP outside-2 5.5.5.5:0 inside 10.10.123.2:6, idle 0:00:00, bytes 72

# Let's restore primary internet link

R4(config-if)#no shut
R4(config-if)#end
R4#
*Mar  1 00:22:12.595: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Mar  1 00:22:13.935: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:22:14.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

# Track status is UP now

ASA# show track
Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  4 changes, last change 00:00:28
  Latest operation return code: OK
  Latest RTT (millisecs) 8
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify Routing

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside

So everything is working as expected: the default route via the primary link is used while the tracked IP 4.4.4.4 is reachable, and when there is an issue with the primary link (i.e., 4.4.4.4 is no longer reachable through it) that default route is removed and the backup link becomes active. NAT translations also follow the outgoing interface chosen by the active default route.
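The failover behaviour above is easy to eyeball once, but an operator usually wants a repeatable check. The following Python snippet is an added example (not from the post): it parses the `show track` and `show route` output shown above and confirms that the routing table agrees with the track state, i.e. Up means the default route is via 1.1.14.4 on outside with distance 1, Down means via 2.2.14.4 on outside-2 with distance 200. The sample strings are constructed from the output in this post; the `PRIMARY`/`BACKUP` expectations are assumed to match the two `route` statements shown earlier.

```python
import re

# Constructed samples, modelled on the ASA output shown in this post.
SHOW_TRACK_UP = """Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  2 changes, last change 00:05:45
  Latest operation return code: OK
  Latest RTT (millisecs) 4
  Tracked by:
    STATIC-IP-ROUTING 0
"""

SHOW_TRACK_DOWN = """Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  3 changes, last change 00:00:31
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
"""

SHOW_ROUTE_PRIMARY = """Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside
"""

SHOW_ROUTE_BACKUP = """Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2
"""

# Assumed expectations, taken from the two 'route' statements in the post.
PRIMARY = {"interface": "outside", "gateway": "1.1.14.4", "distance": 1}
BACKUP = {"interface": "outside-2", "gateway": "2.2.14.4", "distance": 200}


def parse_track(text):
    """Extract track id, reachability and last return code from 'show track'."""
    m_id = re.search(r"^Track (\d+)", text, re.M)
    m_reach = re.search(r"Reachability is (Up|Down)", text)
    m_rc = re.search(r"Latest operation return code: (\S+)", text)
    m_ch = re.search(r"(\d+) changes", text)
    if not (m_id and m_reach and m_rc):
        raise ValueError("unrecognised 'show track' output")
    return {
        "track": int(m_id.group(1)),
        "reachable": m_reach.group(1) == "Up",
        "return_code": m_rc.group(1),
        "changes": int(m_ch.group(1)) if m_ch else None,
    }


def parse_default_route(text):
    """Return the installed S* default route, or None if no default route exists."""
    m = re.search(
        r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via (\S+), (\S+)$", text, re.M
    )
    if not m:
        return None
    return {"distance": int(m.group(1)), "gateway": m.group(2), "interface": m.group(3)}


def failover_state(track_text, route_text):
    """Classify the ASA as 'primary' or 'backup' and flag a track/route mismatch."""
    track = parse_track(track_text)
    route = parse_default_route(route_text)
    expected = PRIMARY if track["reachable"] else BACKUP
    consistent = route is not None and all(route[k] == expected[k] for k in expected)
    return {
        "state": "primary" if track["reachable"] else "backup",
        "consistent": consistent,
        "track": track,
        "route": route,
    }


if __name__ == "__main__":
    for label, (t, r) in {"up": (SHOW_TRACK_UP, SHOW_ROUTE_PRIMARY),
                          "down": (SHOW_TRACK_DOWN, SHOW_ROUTE_BACKUP)}.items():
        print(label, failover_state(t, r)["state"], failover_state(t, r)["consistent"])
```

In practice the two strings would come from the ASA over SSH; a `consistent: False` result (track Down but the primary default still installed, or no default route at all) is the condition worth alerting on, because it means traffic is black-holed rather than failed over.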

Now we have another requirement: a server (10.10.123.3) in the LAN needs to be reachable from the internet. First, we need a static NAT for this server.

We will create two static NAT entries for this server, so that it can be reached via either public IP and internet link (primary or backup).

# Define Objects

object network SERVER-R3-PRIMARY
 host 10.10.123.3
!
object network SERVER-R3-BACKUP
 host 10.10.123.3

# Configure NAT Rules

object network SERVER-R3-PRIMARY
 nat (inside,outside) static 1.1.14.103
!
object network SERVER-R3-BACKUP
 nat (inside,outside-2) static 2.2.14.103
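Once both static rules are in place, the `show xlate` output should always list a static (flag `s`) translation for the server on each outside interface, while the dynamic PAT entries (flags `ri`) move with the active link. The Python below is an added example (not the post's code) that parses `show xlate` and reports which of the two expected static mappings is missing or wrong, plus which interface currently carries the dynamic translations. The sample output is constructed from the `show xlate` listing in this post; the expected mapped IPs are assumed from the two `nat` statements above.

```python
import re

# Constructed sample, modelled on the 'show xlate' output in this post.
SHOW_XLATE = """3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:18:18 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:18:24 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/6 to outside-2:2.2.14.1/5805 flags ri idle 0:00:39 timeout 0:00:30
"""

# One-to-one entries span two lines: the mapping, then an indented 'flags' line.
STATIC_RE = re.compile(
    r"^NAT from (\S+?):(\S+) to (\S+?):(\S+)\s+flags (\S+)", re.M
)
# PAT entries (TCP/UDP/ICMP) are single lines carrying real/mapped ports.
PAT_RE = re.compile(
    r"^(\S+) PAT from (\S+?):([\d.]+)/(\d+) to (\S+?):([\d.]+)/(\d+) flags (\S+)", re.M
)

# Assumed expectations, taken from the two static 'nat' statements in the post.
EXPECTED_STATIC = {"outside": "1.1.14.103", "outside-2": "2.2.14.103"}


def parse_xlate(text):
    """Split 'show xlate' into static one-to-one entries and dynamic PAT entries."""
    statics = [
        {"real_if": m.group(1), "real": m.group(2),
         "mapped_if": m.group(3), "mapped": m.group(4), "flags": m.group(5)}
        for m in STATIC_RE.finditer(text)
    ]
    pats = [
        {"proto": m.group(1), "real_if": m.group(2), "real": m.group(3),
         "real_port": int(m.group(4)), "mapped_if": m.group(5),
         "mapped": m.group(6), "mapped_port": int(m.group(7)), "flags": m.group(8)}
        for m in PAT_RE.finditer(text)
    ]
    return statics, pats


def check_server_nat(text, real_ip="10.10.123.3", expected=EXPECTED_STATIC):
    """Return the interfaces whose static translation for real_ip is missing or wrong."""
    statics, _ = parse_xlate(text)
    found = {
        s["mapped_if"]: s["mapped"]
        for s in statics
        if s["real"] == real_ip and "s" in s["flags"]
    }
    return sorted(ifc for ifc, ip in expected.items() if found.get(ifc) != ip)


def active_pat_interfaces(text):
    """Interfaces carrying dynamic (flag i) translations, i.e. the egress link in use."""
    _, pats = parse_xlate(text)
    return sorted({p["mapped_if"] for p in pats if "i" in p["flags"]})


if __name__ == "__main__":
    print("missing/wrong static NAT:", check_server_nat(SHOW_XLATE))
    print("dynamic PAT egress:", active_pat_interfaces(SHOW_XLATE))
```

An empty list from `check_server_nat` means both inbound paths to the server are translated; a non-empty list after a config change is the quickest sign that one of the `object network` rules was attached to the wrong interface pair.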

# Verify reachability from Internet (R5) to Server (Real IP: 10.10.123.3, Primary NAT: 1.1.14.103)

R5#ping 1.1.14.103

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.14.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

# Verify NAT status on ASA

ASA# show xlate
2 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:36:19 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:00:11 timeout 0:00:00

ASA# show conn address 10.10.123.3
1 in use, 6 most used
ICMP outside 1.1.45.5:5 inside 10.10.123.3:0, idle 0:00:00, bytes 72

# The primary internet link is down now and the default route has changed to the backup ISP GW

ASA# show track 
Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  5 changes, last change 00:00:01
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2

# The Server is still reachable from internet via backup NAT IP

R5#ping 2.2.14.103        

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.14.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/48 ms

# Verify NAT and connection status on ASA

ASA# sh xlate 
2 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:00:00 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:04:03 timeout 0:00:00

ASA# show conn address 10.10.123.3
1 in use, 6 most used
ICMP outside-2 1.1.45.5:10 inside 10.10.123.3:0, idle 0:00:00, bytes 72 

Good Luck! 🙂