Cisco Router to Checkpoint FW-1 — IPSEC VPN Headaches with Supernetting

I setup quite a few IPSEC site-to-site VPNs.  Hundreds maybe.  Most go fine.  10 minutes on the line, bing, bam boom, we have a working IPSEC tunnel.

My company uses Cisco router/ASRs for our termination points for IPSEC VPNs.  We also have Checkpoint firewalls doing the filtering.  Why the separation?  Because we love a good headache.

My biggest headache comes from when a third party is using a Checkpoint firewall as the VPN termination point and I am using my Cisco router.  Checkpoint firewalls, often by default, will super-net the encryption domain.  So, I might be using a /32 host ACL on my Cisco, the Checkpoint is sending a /24 or larger ACL.  This does not play well in Cisco land and Phase 2 usually fails.

The hard part with this is figuring out this is happening, because it’s not obvious.  What I have found is turning on a single debug command makes all the difference in the world.

debug crypto ipsec

This shows all kinds of nasty IPSEC messages when a tunnel is negotiating.  You try finding the error on a box that has 75 tunnels terminating on it.  It is not easy! But, as the debug messages are scrolling by, one little entry can give you all the help you need:

Feb 1 17:20:39: Crypto mapdb : proxy_match
src addr : 142.184.211.75
dst addr : 121.98.112.0/25
protocol : 0
src port : 0
dst port : 0

On this particular tunnel (IPs changed to protect the innocent) the third party was supposed to be NATing behind a /32 address on the 121.98.112.0 network.  But, his Checkpoint box was super-netting behind the /25 network.  Bad Checkpoint.

I was able to pick it up from that debug message and let him know to change his config.  Five minutes later, IPSEC tunnel was up, Phase 1 and Phase 2 setup and communication was clean.

 

Porsche Boxster Alternator Replacement

The alternator died on the Boxster so I decided to tackle this project myself.  I have never done a major repair to any of my cars, but figured I’d give the alternator replacement a try.  All of the articles on the internet and in my tech manual made it look pretty easy, so what the hell?

I decided to document the project via a video, so here it is:

Here are the links to the references:
http://bit.ly/oUWGHp
http://amzn.to/nfNmtg

PTY allocation request failed

My hosting provider, Razor Servers, recently moved hosted centers from the 401 North Broad St location in Philadelphia to a building right next door.  As part of my VM move to the new location, I was no longer able to SSH into the device.  I got this strange error about PTY allocation request failed.  In addition, the SPAMD process was not running on the box.  I tried to re-install SpamAssassin, I tried to re-install Exim and I even tried a complete upgrade of cPanel.  No go.  I thought the two might be related so a Googling I went…

After a good long while of Googling the problem, I found this site with my exact error message.  Via the web console, I checked to see if /dev/ptmx existed, it didn’t.  I ran the command as noted on the page:

sbin/MAKEDEV -d /dev ptmx

Restarted the ssh daemon:

service sshd restart

And, presto, I was able to SSH back into my box.  No idea why that file would disappear after a VM move, but it is all fixed now.

How to configure a Checkpoint UTM device without using the GUI

There is an annoying aspect of configuring a Checkpoint UTM appliance, you are forced to enter the web based GUI to do some basic config before using the command line interface (CLI) to complete the install.  If you try to use the CLI before using the GUI, you receive the following message:

Welcome to VPN-1 UTM Appliance

You can not use the ‘sysconfig’ and ‘cpconfig’ utilities until you successfully complete the First Time Wizard in the Administration web GUI.

Press Enter to continue…

If you run the following command, this message is not displayed and you can use the CLI for the full config:

  • SecurePlatform OS:
    /opt/spwm/conf/wizard_accepted
  • Gaia OS:
    /etc/.wizard_accepted

 

How to configure DNS NAT or DNS Doctoring on Checkpoint FW-1

In some topologies, it is required to DNS reply traffic from a DNS server so that the querying host will think that a certain DNS entry (example smtp.company.com) is resolvable to a different IP address than the one written in the database of the DNS server.

Procedure:
The feature has a global on/off switch, in the objects_5_.C file, called fw_dns_xlation (by default set to false). When it is set to true, the regular NAT Rule Base is used to determine how to change the DNS packets.
The regular NAT rules used to NAT the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

To enable the fw_dns_xlation property, perform on the SmartCenter server:

  1. Close all SmartConsole clients connected to the SmartCenter server.
  2. Open the GuiDBedit utility and and connect to the SmartCenter server.
  3. Find the fw_dns_xlation property.
  4. Change the value of this property to true. Click OK.
  5. Select File -> Save All.
  6. Open the SmartDashboard and re-install the Security Policy on the Security gateway.

From this point on, the Security gateway will NAT the DNS data, according to the NAT Rule Base.
You must also enable the DNS protocol protection for UDP in the IPS (formerly, SmartDefense). To enable this protection:

For the Security Gateway R70:

  1. Open the IPS tab in the SmartDashboard.
  2. Go to the Protections -> By Protocol -> Application Intelligence -> DNS view.
  3. Open the ‘DNS – General Settings’ Protection Details.
  4. Click Edit.
  5. Verify that either the ‘UDP only’ or ‘Both TCP and UDP’ checkbox is selected.

For all other versions:

  1. Open the SmartDefense tab in the SmartDashboard.
  2. Go to the Application Intelligence -> DNS -> Protocol Enforcement view.
  3. Verify that the ‘UDP protocol enforcement’ checkbox is selected.

Limitations:

  1. The manual rules for network objects or Automatic NAT Static rules for host objects must be used. This feature does not work with Automatic NAT Static rules of network objects.
  2. Traffic will be modified based on the destination address of the NAT rules without considering the source of the traffic.
  3. The feature does not work for a DNS zone transfer (used to synchronize DNS databases between to internal DNS servers).
  4. The feature does not work for DNS queries over TCP.
  5. The Security gateway must be between the querying host and the DNS server.
  6. On Security Gateway R70, DNS traffic cannot be accelerated when using this feature.

Note:
If the “NAT for DNS payload” option is enabled and the “UDP DNS protocol enforcement” protection is disabled on at least one of SmartDefense/IPS profiles, the Security Policy installation will succeed but the following warning will appear:
“You enabled NAT on DNS payload, please make sure that DNS UDP protocol enforcement defense is enabled on the desired gateway.”

Displaying Pre-Shared Key on a Cisco ASA 55X0 Device

I recently had the task of moving four Cisco ASA 5540 devices from one location to another.  The big headache I found was that no one remembered the Pre-Shared Keys for the tunnel groups.  A simply show running-config shows only **** for the PSKs.  A bit of digging on the Cisco site resulted in the following command:

more system:running-config

This will show all hidden entries in the running config as clear text.

Blog Update and Change of Focus

I’m going to be moving the focus of this blog away from photos and person items and more towards technical info. I have been hitting alot of technical hurdles lately where I would have loved to just Google the answer and up it comes…so, I’m going to be doing basic technical answers to obscure problems here for a while…

Most of the info will be geared towards IT security, firewalls, VPNs and the like….let’s see how it goes! I have a new one posting….right….now..

AastraLink Pro 160 PBX Product Review

I’ve had the opportunity to purchase and install the AastraLink Pro 160 PBX in a small doctors office and I wanted to post a brief review of the product.

Background
My good friend is a dentist who was moving offices. As part of the move, a new phone system would need to be procured. I am a home user of Asterisk, the Linux based IP PBX system and I have been very happy with its overall use. I started doing a fair amount of research on Asterisk based PBXs. I did research on premise based systems, hosted systems and hybrid systems. I also looked at non-Asterisk based systems based on Microsoft Response Point and proprietary systems. Prices are all over the map. My biggest concern for my customer was first and foremost, usability. But, it also had to be priced right and feature rich.

Requirements

  • Auto-attendant (AA) with day/night/holiday scheduling and custom announcements
  • Easy to use telephones that integrated into the PBX cleanly
  • Support for FXO, PSTN line
  • SLA (Shared Line Appearances) support

The last item was the most important. This office was moving from an old punch-key system and my fear was that the users would not transition well to the new PBX without the idea of a shared line system.

Final Decision
At home, I’m a user of PBXinaFlash (http://pbxinaflash.net/) and I’m well aware of its close relationship and integration with Aastra phones. The XML based system that Aastra IP phone supports integrate easily and tightly to Asterisk PBX. I purchased a Aastra 57i CT phone a few years ago and have been very happy with it. When I saw that Aastra had a Asterisk based PBX that was tightly tied to Aastra IP phones, I knew I had a winner. At about $750 for the PBX and about $150 per phone, they hit the sweet spot for a small office. After a bit more research, I purchased the Aastralink Pro 160.

Review

Installation
Powering the PBX up and getting it online is a snap. The initial config is to grab a DHCP address, so no console access is required. One complaint is the external power brick. These bricks should be done away with universally for IT systems, the Aastralink Pro 160 is no exception.

After connecting the PBX to the network, you must connect a phone to the network as well. This will not only setup the admin account it will also tell you what the IP address of the PBX is so you can administer it. Plugging the phone into the network, it quickly found the PBX, loaded the latest firmware and began the registration process. After some short and easy questions on the phone (Extension info, password, full name and email address) the phone reboot again and on the Phone UI, the IP address of the Aastralink Pro 160 was displayed. This was the last part of the setup on the phone and I moved on to the web based config.

Administration
Logging into the Aastralink Pro 160 is pretty straight forward, extension and password is all you need. The Main Menu is displayed and you are off to the races. The GUI is not like any other Asterisk based GUI I have seen before and it is obvious that it was created in-house at Aastra. I’m a FreePBX man myself and I think the Aastra GUI is pretty good. It’s missing quite a few things that I would like (more on that later) but its great for the target audience, the small business.

Each subsequent phone that comes online gets registered and appears available in the GUI. You can modify quite a few things to make it custom to the end-users requirements. Is it as customizable as an out-of-the-box Asterisk system? No. But, for a small business, it does pretty much everything you would need.

For my dentist office, he wanted a single operator (receptionist) who would take the calls. The calls would either be transferred to an extension or placed on hold. The extension would be either answered or go to voicemail.

He did have some unique requirements that the 160 was able to handle without issue. The first was the need for every phone in the office to ring, not just the receptionist. This was easily done by creating a group, adding all phones to the group and then sending incoming calls to the group. The second was the ability to pickup a held call from any phone in the office. The Call Park feature handles this easily. Instead of just placing the call on hold, the receptionist simply places the call in the “Parking Lot”, which is available from any phone.

The killer piece of the Aastralink Pro 160 is its integration with the phones. Because Aastra makes both the PBX and the IP Phones, there is a very tight integration between the two. The user can modify the soft-keys via the web GUI, can open/close the office and can check the Visual Voicemail. This is all because the phone and PBX play very well together.

Also a neat feature is the function of the web GUI. You can listen to you email, check your call logs and even place outbound calls, right from the GUI. Neat stuff, that FreePBX doesn’t do.

The external SIP based connectivity worked right away. I entered in the login details to my SIP provider and it quickly registered. I was able to make outbound calls right away. With some tweaking on both the provider side and PBX side, inbound calls started to work. We decided on FlowRoute for the SIP provider, for its highly available service, great prices and support. I also did a Local Number Port to FlowRoute that resulted in about 4 hours of downtime. I don’t think this was FlowRoute’s fault, as they didn’t do anything and then suddenly it starting working. My bet is Verizon was slow on the gun.

All in all, a great product at a great price that fits the bill for a small office. But, that does not mean I didn’t have problems…the negatives for me were minor, but still negative. They were:

  • Inability to designate more then one phone/user as the “Operator”
  • No way to view logs — I’m having trouble getting the voice mail to email working. I don’t know if SMTP is getting blocked by my ISP, if my credentials are wrong, nothing. There is no error message, no email and no way to track down the problem. The ability to look at /var/log/messages or /var/log/mail is important.
  • Many things that should be configurable, are hard coded. Thinks like the outbound calling key (8+ for SIP) should be editable.

All in all, I’m happy with the install. The dentist has moved his office, the phone system is working great and the staff were able to make a very quick and easy adjustment to the new phones.

In summary:

Pros
Asterisk based open source PBX with Aastra IP phone expertise

  • Quick and easy IP Phone provisioning that makes turn-up a breeze
  • No hidden costs, support fees or licensing charges
  • Visual and standard voice-mail
  • Shared Line appearance
  • Great price
  • Works with SIP trunk providers

Cons

  • Proprietary system that is fairly closed off
  • Hard limit on number of phones and number of interconnected systems
  • When there is a problem, tough to determine the cause
  • No access to logs

 

Wedding Pictures, August 23, 2008

I finally got the official photographer pictures back in digital form — all 600 of them. So, I tried to trim them down to the best of my ability. There are probably quite a few still there and I’ll continue to trim some of the duplicated down to an acceptable number as time goes on.

In the mean time, check ’em out. Our photographer was Ron Dlutz, from Dlutz Photography.

Meeting my Bride