I manage an equipment demo network accessed via the old Cisco VPN Client. Last night the router seems to have become the subject of attacks that overload the remote access in such a way as to deny legitimate remote access. No unauthorised remote logins have occurred but the continued connections are a DoS.
Using the command show aaa user all shows dozens of connections like this:
Unique id 67 is currently in use.
  Accounting:
    log=0x18001
    Events recorded :
      CALL START
      INTERIM START
      INTERIM STOP
    update method(s) :
      NONE
    update interval = 0
    Outstanding Stop Records : 0
    Dynamic attribute list:
      66534E00 0 00000001 connect-progress(36) 4 No Progress
      66534E14 0 00000001 pre-session-time(254) 4 19965(4DFD)
      66534E28 0 00000001 elapsed_time(324) 4 0(0)
      66534E3C 0 00000001 pre-bytes-in(250) 4 0(0)
      66534E50 0 00000001 pre-bytes-out(251) 4 0(0)
      66534E64 0 00000001 pre-paks-in(252) 4 0(0)
      66534E78 0 00000001 pre-paks-out(253) 4 0(0)
    No data for type EXEC
    No data for type CONN
    NET: Username=(n/a)
      Session Id=00000040 Unique Id=00000043
      Start Sent=0 Stop Only=N
      stop_has_been_sent=N
      Method List=0
      Attribute list:
        66534E00 0 00000001 start_time(327) 4 Dec 16 2016 14:54:43
        66534E14 0 00000001 session-id(322) 4 64(40)
    No data for type CMD
    No data for type SYSTEM
    No data for type RM CALL
    No data for type RM VPDN
    No data for type AUTH PROXY
    No data for type CALL
    No data for type VPDN-TUNNEL
    No data for type VPDN-TUNNEL-LINK
    No data for type 11
    No data for type IPSEC-TUNNEL
    No data for type 13
    No data for type RESOURCE
  Debg: No data available
  Radi: No data available
  Interface:
    TTY Num = -1
    Stop Received = 0
    Byte/Packet Counts till Call Start:
      Start Bytes In = 0
      Start Bytes Out = 0
      Start Paks In = 0
      Start Paks Out = 0
    Byte/Packet Counts till Service Up:
      Pre Bytes In = 0
      Pre Bytes Out = 0
      Pre Paks In = 0
      Pre Paks Out = 0
    Cumulative Byte/Packet Counts :
      Bytes In = 0
      Bytes Out = 0
      Paks In = 0
      Paks Out = 0
    StartTime = 14:54:43 UTC Dec 16 2016
    Component = VPN_IPSEC
  Authen: service=LOGIN type=ASCII method=LOCAL
  Kerb: No data available
  Meth: No data available
  Preauth: No Preauth data.
  General:
    Unique Id = 00000043
    Session Id = 00000040
    Attribute List:
      66534E00 0 00000001 port-type(162) 4 Virtual Terminal
      66534E14 0 00000009 interface(158) 13 W.X.Y.Z
  PerU: No data available
  Service Profile: No Service Profile data.
Where W.X.Y.Z is the IP address of the attacker.
I've added a temporary ACL on the class A subnet from where the attacks originate to the public interface of the router but it has no effect:
interface FastEthernet0/1
 description Outside interface
 ip address .... ....
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside

access-list 101 remark temporary attack block attack
access-list 101 deny ip W.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
The relevant local AAA config is:
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
username ABCD secret 5 ....
I'm struggling to get my head around what's happening, probably not helped by the fact this all occurred at midnight.
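To triage the pile-up described above, the first thing I would want is a count of sessions per peer address. The script below is an added example, not part of the original post: it parses the layout of the quoted show aaa user all output (the interface(158) attribute carries the peer IP, Username=(n/a) marks a session that never got past XAUTH) over a constructed sample using documentation-range addresses, and the threshold in flood_sources is an assumed value to tune per site.

```python
import re
from collections import Counter

# Constructed sample in the layout of the `show aaa user all` output quoted in
# the post (three idle VPN_IPSEC sessions, two from one address). Not real data.
SAMPLE_OUTPUT = """\
Unique id 67 is currently in use.
  NET: Username=(n/a) Session Id=00000040 Unique Id=00000043
  Component = VPN_IPSEC
      66534E14 0 00000009 interface(158) 12 203.0.113.10
Unique id 68 is currently in use.
  NET: Username=(n/a) Session Id=00000041 Unique Id=00000044
  Component = VPN_IPSEC
      66534E14 0 00000009 interface(158) 12 203.0.113.10
Unique id 69 is currently in use.
  NET: Username=(n/a) Session Id=00000042 Unique Id=00000045
  Component = VPN_IPSEC
      66534E14 0 00000009 interface(158) 12 198.51.100.7
"""

SESSION_RE = re.compile(r"^Unique id (\d+) is currently in use\.", re.M)
PEER_RE = re.compile(r"interface\(158\)\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"Username=(\S+)")


def parse_sessions(text):
    """Split on the 'Unique id N is currently in use.' header and pull the peer
    address (interface attribute 158) and the username out of each session."""
    sessions, heads = [], list(SESSION_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        peer, user = (r.search(body) for r in (PEER_RE, USER_RE))
        sessions.append({"uid": int(m.group(1)),
                         "peer": peer.group(1) if peer else None,
                         "username": user.group(1) if user else None})
    return sessions


def sessions_per_peer(sessions):
    """Count sessions per peer, ignoring entries with no interface attribute."""
    return Counter(s["peer"] for s in sessions if s["peer"])


def flood_sources(sessions, threshold=2):
    """Peers holding at least `threshold` sessions that never authenticated
    (Username=(n/a)); the threshold is an assumed value, tune it per site."""
    counts = Counter(s["peer"] for s in sessions
                     if s["peer"] and s["username"] == "(n/a)")
    return sorted(p for p, n in counts.items() if n >= threshold)
```

Feed it the real output with `parse_sessions(open("aaa.txt").read())`; the peers returned by flood_sources are the ones worth checking against the ACL counters, since an ACL applied inbound on the outside interface that shows zero matches for them means the sessions are arriving by another path or were established before the ACL went in.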
I recently migrated a couple of 6941 phones from ports on a NME-16ES-1G-P that died to a 9ESW with POE. These two phones connect via Cat 3 and were set to 10 Mbps full duplex because of the cabling limitation. Now, no matter how I configure the 9ESW (auto auto, 10 auto, 10 full, or even 10 half) I get continuous "duplex mismatch discovered" errors on the 2821 router. I've tried leaving the phone on auto and setting it to 10 full and 10 half. No combination works, even auto on the switch and auto on the phone. You would expect 10 full set at both ends would avoid any negotiation. The router is running 15.1 something. The phone loads are DSP69xx.12-4-122-99.131025 and SCCP69xx.9-4-1-3SR1. The phones worked fine for years on the 16ES service module. I appreciate the 9ESW is a different beast from the 'ES and I had little difficulty migrating the other Cat5 connected phones to it. The 16ES was removed from the router to enable the 9ESW to operate. The problem phones work fine connected over Cat 5 but replacing the premise wiring is not an option in this case. So to restore service I put the 6941 phones on an external third-party POE switch hooked to the same port on the 9ESW. Everything is fine (except the phones are in the wrong VLAN, native rather than voice, but they still work OK). Any suggestions please?
I have a pre-shared key VPN system consisting of a 3725 hub with a public IP and several 2600 remotes, where each remote is behind ISP infrastructure served with non-routable DHCP supplied addresses. All works well with the static public IP of the hub stored in the remote configs but I'm trying to migrate the remotes to a new config based on the FQDN of the hub to allow a future hub address change without having to visit every remote. The problem is that the remotes are old and memory constrained, they are currently at or about IOS 12.2 (27). I have tried to implement 'Real-Time Resolution for IPsec Tunnel Peer' ie:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key <key> hostname abc.xyz.com
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map vpn-to-hub 10 ipsec-isakmp
 set peer abc.xyz.com dynamic
 set transform-set TS
 set pfs group2
 match address 101

While the old IOS accepts the crypto isakmp statement with the FQDN, it will not accept the keyword 'dynamic' in the set peer line. Leaving out the dynamic qualifier causes the IOS to immediately resolve abc.xyz.com into an IP address during the config and simply store the IP address. The remotes have DHCP client functionality implemented and a DNS nominated. The hub is FQDN resolvable. I do not have the budget to replace the remote routers and their memory is too small to upgrade the IOS, so any work around suggestions would be appreciated. Thanks, John
Thanks Paul, I'll have a look at GRE. I was thinking perhaps STUN might be the option that would work best with older hardware and IOS combinations. STUN basic without local-ack looks interesting but I'd appreciate some thoughts from anyone who's done something like this.
I have a need to transport low speed (rates of 19,200 bps or less) HDLC frames over IP. I'm only interested in layer 2 transport. I've looked briefly at L2TPv3 but this seems only to be supported on high-end hardware. CEoIP also seems overkill for my needs. I'm thinking more of WIC-1T single serial port WAN interface cards in a 2811. I know these are designed to implement circuits over a serial WAN but is it possible in some way to configure them to address my need and convey HDLC over IP? Failing the 2811, what other low cost Cisco options are there?