Cisco Network Magic – funny marketing video

Not too much to say about this one. We all know that Cisco invests a lot in its image on the market, and sometimes we are disappointed that what marketing shows is different from the final product, but the video below is worth every penny. At least it is funny and can bring a smile to your network engineer face.

Enjoy!


Cisco PPP Authentication

As a network engineer, you have most probably already dealt with PPP authentication at least once or twice in your daily operation. Even more, if you are going for a Cisco certification (and not only) you should know some things about PPP authentication. For today, I have planned to deal with back-to-back PPP authentication.

For this back-to-back scenario, we have the following simple topology:

When we talk about PPP authentication on an end-to-end line, we are dealing with three major authentication methods:

PAP

CHAP

EAP

Now, when we think about security, we can easily observe that PAP is the least secure one and CHAP or EAP are the stronger ones.

PAP (Password Authentication Protocol) transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It should be used only as a last resort, when the remote server does not support a stronger authentication protocol like CHAP or EAP.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure protocol, as it uses a three-way handshake and the shared secret (password) is never sent on the wire. Instead, the authenticator sends a challenge and the peer answers with an MD5 hash computed over the shared secret and that challenge.
EAP (Extensible Authentication Protocol) is an authentication framework, not a specific authentication mechanism. It provides some common functions and the negotiation of authentication methods, called EAP methods. There are currently about 40 different methods defined.

When we think of PPP authentication direction, there are two types:

– one-way authentication

– two-way authentication

Pretty obvious, no?

OK, enough with the theory. If you need a deeper understanding of PPP, there is always the Internet. Next, I will show you some simple examples of PPP authentication using PAP, CHAP and EAP.

PAP type authentication

Let’s assume that in the scenario above, R1 is sending a challenge to R2. Very important! From the PPP authentication configuration point of view, you don’t have to do anything to respond to a challenge. This is done automatically.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication pap

R2
int s0/0
encapsulation ppp
ppp pap sent-user R2 password cisco

Actually that’s it. As I said, pretty simple. You configure R1 to send an authentication challenge to R2 with “ppp authentication pap”. R2 has to reply to this challenge with a username and a password defined with “ppp pap sent-user R2 password cisco”. This username and password have to be defined on R1. Whatever username and password you configure on the challenged side to be sent back, that same information has to be defined on the challenger.

CHAP authentication type

Configuring CHAP is even easier. In the example below, I will configure R2 to send a CHAP challenge to R1.

R1
username R2 password cisco
int s0/0
encapsulation ppp

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication chap

By default, CHAP sends the router hostname as the username in the three-way handshake process, so there is no need to specify which user to send like in the PAP method. As I said before, this method is more secure than PAP.
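As an added example (not part of the original post), here is a Python model of the three-way CHAP exchange from RFC 1994 between the R1 and R2 configured above: R2 challenges, R1 answers with MD5(Identifier || secret || challenge), and R2 verifies against its own local database. The two dictionaries stand in for the “username ... password cisco” lines; the hostnames as CHAP Names follow the IOS default described above, and the 16-byte challenge size is an assumption.

```python
import hashlib
import hmac
import os

# Constructed local databases mirroring the "username <peer> password cisco"
# lines of R1 and R2 above: each router stores the secret under the peer's name.
R1_USERS = {"R2": b"cisco"}
R2_USERS = {"R1": b"cisco"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP/MD5 response: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_challenge(hostname, identifier, size=16):
    """Authenticator side: a fresh random Challenge Value plus its own hostname as Name."""
    return {"id": identifier, "value": os.urandom(size), "name": hostname}


def answer_challenge(hostname, users, challenge):
    """Peer side: pick the secret stored under the challenger's Name, hash it with the
    challenge and reply with the local hostname. The secret never appears in the packet."""
    secret = users[challenge["name"]]  # KeyError: unknown challenger, no response possible
    digest = chap_response(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": digest, "name": hostname}


def verify_response(users, challenge, response):
    """Authenticator side: recompute the digest with the secret stored for the responding peer."""
    secret = users.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False  # unknown peer, or a reply to a different challenge
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_handshake(r1_users=R1_USERS, r2_users=R2_USERS, identifier=1):
    """Three-way exchange as configured above: R2 challenges, R1 responds, R2 decides.
    Returns (success, challenge_packet, response_packet) so the wire contents can be inspected."""
    challenge = build_challenge("R2", identifier)               # Challenge, R2 -> R1
    response = answer_challenge("R1", r1_users, challenge)     # Response,  R1 -> R2
    success = verify_response(r2_users, challenge, response)   # Success / Failure, R2 -> R1
    return success, challenge, response


if __name__ == "__main__":
    ok, chal, resp = run_handshake()
    print("R2 -> R1 Challenge:", chal["id"], chal["value"].hex(), chal["name"])
    print("R1 -> R2 Response :", resp["id"], resp["value"].hex(), resp["name"])
    print("R2 -> R1", "Success" if ok else "Failure")
```

Swap the secret in either dictionary and the handshake fails, which is the symptom you see when the “username” lines on the two routers do not match.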

EAP authentication type

To be honest, I haven’t seen too many PPP connections being authenticated with EAP, but it is there and I saw it in some CCIE lab topics, so you should keep an eye on it. Like the other two methods, this one is easy to implement and offers a more secure level of authentication than PAP.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R1
ppp eap password cisco
ppp eap local

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R2
ppp eap password cisco
ppp eap local

I believe that the command syntax tells pretty much all there is. With “identity” you define the user to be sent to the peer, “password” is what the word says, and the last option, “local”, is quite important. By default EAP needs a RADIUS server for authentication. If you don’t have one (exams, quick testing…) then you want EAP to use the local database instead of RADIUS.

These are the basics of PPP authentication. Even if they are not so much in use, try to remember these small steps as you might need them sometime.

Converting from old to new with the PIX to ASA Migration Tool

Digging through the Internet, I’ve found a very good article by David Davis explaining how to make your life easier when migrating from PIX to ASA.

The important thing to note about PIX and ASA configurations is that they are different. In other words, to do one thing on a PIX requires a different command on an ASA. The ASA uses a more “IOS-like” configuration where the PIX has its own “PIX-OS” configuration. Here are just some of the differences between the two:

  • The ASA is different hardware and has different interface names.
  • The ASA uses sub-interface commands, like the Cisco IOS.
  • A PIX will use FIXUP commands for application inspection whereas the ASA will use policy maps.
  • On the PIX, outbound and conduit commands are used versus access lists on the ASA.

There are two ways to perform this conversion — manually or by using the automatic migration tool. You may want to perform the conversion manually if you want more granular control, but Cisco offers a PIX to ASA Migration Tool that can perform this automatically. Let’s look at how it works.

Read the full article at: Converting from old to new with the PIX to ASA Migration Tool


Cisco: Small escape leading to non-functional NAT

I have seen that a lot of people are using search engines to look for terms like “NAT: failed to allocate address for…” or “NAT: address not stolen for…” asking for help regarding a non-functional NAT. Of course I skipped the cases where the solution was obvious and clear, like a wrong NAT configuration, a wrong NAT pool or a missing access-list.

One not-so-clear case is in the example below:

ip access-list standard nat_acl
permit 192.168.0.0 0.0.0.255

route-map to_nat permit 10
match ip address nat_acl

ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30
ip nat inside source route-map to_nat pool test_pool overload

Maybe I should have seen the mistake at first glance, but I didn’t. But I can assure you that I’m not the only one :) A quick look and a little carelessness made me say that the NAT configuration looked fine. Looks fine, but not working.

Debugging with the “debug ip nat” command gave me the following output:

NAT: address not stolen for 192.168.0.10, proto 1 port 10
NAT: failed to allocate address for 192.168.0.10, list/map to_nat

Not too much information here either. So I started to have a closer look at the NAT configuration, when I saw this:

ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30

Oh boy, how could I miss that: 172.31.0.8/30 is the network address. You cannot use the network address for translation. Often this is not noticed and the configuration is taken as being OK.

The solution in this case (if we want to keep the prefix-length 30) would be to change the IP to 172.31.0.9 or 172.31.0.10. No, you cannot use 172.31.0.11, as that’s the broadcast address and would result in a faulty NAT.
Another solution would be to change the prefix-length to 24, giving you 254 addresses for translation. I would recommend changing the prefix-length if you are just beginning to deploy NAT and you want a scalable solution. If you prefer to stay with a prefix-length of 30, you should take into consideration that for every 4 IP addresses you will lose 2 (network address and broadcast), which is not so fair if you are using public ranges.

Draw network diagrams with Visio under Mac or Linux

Maybe one of my biggest losses when I switched from PC to Mac was that Microsoft Visio is not available for any platform other than Windows. Now, I’m not a big fan of Microsoft products, but I have to admit that they have some good products, and one of them is Visio. Like it or not, more than 75% of the network diagrams that I get are in VSD format, which we all know (or we should) is a closed proprietary format and cannot be imported into any other product until now.

I have no problem drawing new diagrams in NeoOffice (as an example), but what should I do with the ones that I receive and have to modify? Of course, before I used the solution below, I tried others like ConceptDraw or OmniGraffle, which are also good products and which promise that they can import a format called VDX, to which Visio can export diagrams. I don’t know if it is only for me, but most VDX files exported from Visio did not look so nice when opened in another product. Lines were not aligned, some objects were moved, and so on. The final drawing looked nice, but not as expected and not ready to work on. And then again, I cannot call or e-mail everybody who sends me a Visio diagram and say “well, you see, can’t you just export it to VDX…” so that I can check. It’s not professional and it’s a headache. On the other hand I really like my Mac, so I racked my brains to find a solution.

The easiest one is to have, on a Mac or Linux, a dual boot or a virtual Windows OS with Visio installed on it. Call me a freak, but I didn’t invest in a Mac to have Windows running on it. I’m not saying anything about Linux, which is open source and sees Windows as its worst nightmare.

I decided to use something called Application Virtualization, which can deliver to your screen only the user interface of the software that you open. The solution is not new and I’m not the “genius” who thought of it, but it’s the one that fits me best, as I can open any software (in our case Visio) over any network (including the Internet) and, compared with remote desktop solutions, it proved to be faster. What do you need for this to work properly?

First, you need a Windows Server OS available somewhere online, if you plan to have access to these applications when you are on the move. There are multiple solutions. You can host one yourself at home if you have a 24/7 running machine (you can run it even on a virtual machine), maybe you have access to one at your company, or maybe you can afford a VPS. As you don’t need so much power, take the cheapest VPS with Windows Server (I saw some starting at $18 / month). OK, these are some ideas; the important thing is to have one available.

Next, you need this Windows Server to have IIS and Terminal Services enabled, as this is mandatory for the next step.

This step was the hard part. I needed some Application Virtualization software capable of streaming applications to any environment (Mac, Linux, Windows) and with an affordable price or, unexpectedly, free. I found some out there on the Internet, but most were able to stream virtual applications only to Windows platforms or they were doing something other than Application Virtualization. One product that immediately appeared was XenApp from Citrix. I used this in the past, and I know that it is a reliable, good product. But you can get it only as a 30-day trial and it was quite hard for me to achieve a working installation. Well, I’m not an expert in Citrix applications, so I assume that this is my fault; otherwise a great product, but not for me.

I kept searching and I found the 2X products webpage.

When I saw “Free download” there, I immediately thought about a free trial download. I was right: the download of the product comes with a 30-day trial. But then, digging a little bit deeper, I saw that after these 30 days you can still use the product free of charge; the only limitation is that you have to stick to 3 concurrent connections and one server (so you cannot use the LoadBalancer feature). I don’t care about the LoadBalancer as I only have one server, and anyhow I’m the only person using it. The 3 concurrent connections are enough for 1-2 users with decent usage. I think it is fair that if you use this in your production environment and want more support and resources, you pay for them.

I registered, got the free license immediately and started the installation on a VPS with Windows 2003 Server. The installation was quite easy, and the configuration as well, thanks to the existing documentation on their site. Just read and follow the instructions and you will end up with working software.

After the installation is finished, all you have to do is to provision the software that you want to be able to access over the network, directly on your screen. Also, if you want to have a full virtualized desktop, 2X is capable of providing this.

Since a short screencast can show more than 1000 words, please have a look below, where I’ll try to show you the major benefits of this software and how you can manage it to obtain the desired result:


I know that this is not the easiest way to do it, and maybe some of you just prefer to use a virtual machine or dual boot, but as I said this fits me best, and maybe you can use the same solution to solve your problems with other Windows-based software, not only Visio. Regarding Visio, the best would be for Microsoft to open the VSD format or release a Mac version. For Linux, I don’t think that they even consider such a possibility.