Monday, May 18, 2009

Configuring GRE Tunnels

This looks quite simple. All we need to do is configure a tunnel interface and point a route to the destination network with the tunnel interface as the gateway. We are using the same topology as for the PKI deployment, and the same config-u files as a starting point.

interface Tunnel0
ip address 172.31.1.1 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination 172.30.6.2

ip route 10.10.3.0 255.255.255.0 Tunnel0

From now on, I'll include simple captures in the zip file.

You can get the files from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-gre.zip

Update:

I have made a capture of an HTTP connection between the routers, where you can clearly see GRE in action. The filename is http.cap, and the screenshot is named http-cap.png. Check the source and destination IP addresses before encapsulation and after the GRE encapsulation. I have also played a bit with tunnel interfaces. I have changed the IP address of the tun0 interface of router A to 169.254.254.254/24 and left the same IP address on router D, and the tunnel was still working. If you remove the IP address of the tun0 interface, you'll not be able to bring up the tunnel.

Conclusion: The tunnel interfaces must have an IP address assigned, but they don't have to be in the same subnet for the tunnel to come up.

[screenshot: http-cap.png]

Thursday, May 14, 2009

Summary of all PUBLIC IP addresses

Recently we had to allow all public IP addresses through a Cisco FWSM. I was googling for the list, but I wasn't able to find it. It took me approximately 2 hours to compile that list, and I decided to share it. Hopefully someone out there will find it useful. Here is the list. Feel free to copy-paste it.

network-object 1.0.0.0 255.0.0.0
network-object 2.0.0.0 254.0.0.0
network-object 4.0.0.0 252.0.0.0
network-object 8.0.0.0 254.0.0.0
network-object 11.0.0.0 255.0.0.0
network-object 12.0.0.0 252.0.0.0
network-object 16.0.0.0 240.0.0.0
network-object 32.0.0.0 224.0.0.0
network-object 64.0.0.0 192.0.0.0
network-object 128.0.0.0 224.0.0.0
network-object 160.0.0.0 248.0.0.0
network-object 168.0.0.0 252.0.0.0
network-object 172.0.0.0 255.240.0.0
network-object 172.32.0.0 255.224.0.0
network-object 172.64.0.0 255.192.0.0
network-object 172.128.0.0 255.128.0.0
network-object 173.0.0.0 255.0.0.0
network-object 174.0.0.0 254.0.0.0
network-object 176.0.0.0 240.0.0.0
network-object 192.0.0.0 255.128.0.0
network-object 192.128.0.0 255.224.0.0
network-object 192.160.0.0 255.248.0.0
network-object 192.169.0.0 255.255.0.0
network-object 192.170.0.0 255.254.0.0
network-object 192.172.0.0 255.252.0.0
network-object 192.176.0.0 255.240.0.0
network-object 192.192.0.0 255.192.0.0
network-object 193.0.0.0 255.0.0.0
network-object 194.0.0.0 254.0.0.0
network-object 196.0.0.0 252.0.0.0
network-object 200.0.0.0 248.0.0.0
network-object 208.0.0.0 240.0.0.0

Note: The ranges excluded from the list are 0.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 224.0.0.0/3. If you decide to include 0.0.0.0/8 in the list, you'll save 2 lines, since the first three entries collapse together with it into 0.0.0.0/5.

Depending on your needs, you may also want to take bogons into account (http://www.cymru.com/Documents/bogon-bn-agg.txt), but then this list will become much bigger.
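To check the list above (and to regenerate it for a different set of exclusions, such as the bogon aggregates just mentioned), here is a short Python script that carves the excluded ranges out of 0.0.0.0/0 and prints the result as network-object lines. It is an added example, not part of the original post; the EXCLUDED list is transcribed from the note above, and the exclusion list is the only thing you need to change.

```python
import ipaddress

# Ranges the post excludes (transcribed from the note above): "this network",
# the RFC 1918 private blocks, and multicast plus reserved space (224.0.0.0/3).
EXCLUDED = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "224.0.0.0/3",
]


def public_prefixes(excluded, universe="0.0.0.0/0"):
    """Return the minimal sorted list of CIDR prefixes covering `universe`
    minus every network in `excluded`.

    CIDR prefixes either nest or are disjoint, so for each exclusion we only
    have to split the one prefix that contains it (address_exclude yields the
    complementary halves at every level), drop prefixes that lie inside it,
    and pass the rest through. collapse_addresses() then re-merges anything
    that became adjacent and aligned, giving the fewest lines.
    """
    remaining = [ipaddress.ip_network(universe)]
    for exc in (ipaddress.ip_network(e) for e in excluded):
        carved = []
        for net in remaining:
            if exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))  # empty when exc == net
            elif net.subnet_of(exc):
                continue  # entirely inside an excluded block, drop it
            else:
                carved.append(net)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def to_network_objects(prefixes):
    """Render prefixes in FWSM/ASA `network-object <address> <mask>` form."""
    return [f"network-object {p.network_address} {p.netmask}" for p in prefixes]


if __name__ == "__main__":
    for line in to_network_objects(public_prefixes(EXCLUDED)):
        print(line)
```

Running it as-is reproduces the 32 lines above; dropping "0.0.0.0/8" from EXCLUDED reproduces the 30-line variant that starts with 0.0.0.0/5.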