Unflappings

Recently I came across the issue of having to pass PPTP traffic from an internally PAT’ed LAN to an external PPTP server. For the sake of not taking the time of drawing an entire diagram, here is the ASCII version:

[Internal LAN] –>(internal address) [Cisco IOS Router] (external address)—> [Internet] —> [PPTP Server]

Please note that even though PPTP VPNs have made many appearances to this site so far, by no means do I recommend using them for most systems. In fact, as I will explain, using them in conjunction with Cisco IOS gear can be especially frustrating if you have not been informed of several caveats.

With the configuration I was using, there was a standard access list on the external interface of the IOS router only allowing in things for regular IPsec VPN’s such as UDP port 500, and ISAKMP. I also made sure to include the #inspect pptp line in my default inspect list. If you are not aware of what the inspect lines do, please refer to this document which gives a general overview:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1068224

The purpose for inspect lines is basically to “fix” the protocols passing through NAT devices to allow them to properly function behind IP translations. For example, an oddball (but favorite) protocol like FTP actually uses two channels, port 21 for the initial control connection, but then additionally the FTP server sends a request to the client from port 21. If normal ACL and NAT rules were applied, the traffic going through port 21 would be allowed through and back just fine, while port 20 would get completely blocked since it would be seen as a new incoming connection with no translation.

The “ip inspect” commands along with the ASA inspect or PIX fixup syntax tells the underlying processing system “hey, this is a weird protocol, help it out”. In the case of FTP this then opens up both port 21, and then allows an incoming flow on port 20 back in from the same source. Sort of a “it’s cool, I’m with him” approach.  Then FTP works as expected, configuration was a bit easier, and life goes on.

So back to our original topic, PPTP. This protocol also does some wonky stuff (but for better reasons than FTP). Read up on this in bored-to-tears depth here.  The boiled down version is that the connection initiates on TCP port 1723, a control channel if you will, and the PPTP server will respond back by opening up a GRE tunnel for data. Sound familiar? Control channel, data channel, much like FTP. So one would assume that the inspect commands for both of these protocols would work the same way. You’d be wrong, just as I was.

After having to TAC the case, and having the Cisco engineer struggle with things a little while, he eventually came to the conclusion that, yes the inspect command usually opens up that second line of communication for other protocols just fine, in the case of PPTP this is not the case, and by design apparently. The inspect pptp command lets the control channel work just fine…but it never allows the returning GRE tunnel. Fantastic.

So what does inspect pptp actually do? Well the same thing inspect tcp would do actually, only to a more limited scope. Instead of allowing stateful inspection of all TCP, you just allow for PPTP connections. However, in order to allow an actual tunnel to b established, Cisco recommends allowing all GRE from the needed hosts on the outside access list inbound. How elegant.

Long story short, inspect pptp is a useless command in any situation I’ve seen, and having to open up full GRE allow rules is a bit of a hack. One more reason for PPTP VPN servers to go by the wayward side.

Introduction

Cisco ACS is the newest revision (as of 8/2010) of their RADIUS/TACACS+ authentication server, which allows you to centrally manage user access and all that good stuff. One big thing people may ask is why not just use Windows IAS or Network Access Policy role on the newer servers. The Windows solution makes a whole lot of sense for small to medium installs, or where the IT staff is not strictly defined as “server” and “network” guys.  In larger installations or where this is the case, a box removed from the Active Directory servers and able to be controlled by “network” staff can more effectively delegate management throughout the organization.  Now lets dive in to the installation procedures.

Note: Keep in mind this install needs 60GB of free disk space and 1GB of usable memory, otherwise installations will fail.

Continue Reading »

Today I caught word of a next generation of Cisco Adaptive Security Appliances (ASAs) that will be released in Q3 2010. Details are low, but it sounds like the focus of the next series will be around performance, and bundling the IDS functionality right on box.  So to spare the marketing crap, here are the actual figures that I have heard.

• Cisco 5555, 5565, 5575, 5585 appliances.
• The 5555 Firewall performance starts out at about  4 Gbits/s with IDS functionality running at around 2 Gbits/s
• The 5585 performance is topping out at around 15 Gbits/s with IDS functionality into the 10 Gbit/s range.
• These devices will support ASA software version 8.4 which is also coming out soon, the main feature from that is direct Active Directory support, no more RADIUS/TACACS+ integration in between, but being able to directly talk LDAP and Active Directory.
• For the new appliances, the firewall services basically sits in its own unit, and an IDS/IPS is bolted onto the top, with both systems able to be logically configurable from each other. Each one of these systems also carries its own set of physical ports in case segregation beyond contexts is required.

To me this sounds like a response ( or at least a much needed hardware revision) to Juniper’s SRX platform which offers ASA type functionality with better performance numbers than Cisco’s current ASAs at the same price point.

However while my experience with Juniper is limited, I would be very interested to see their offerings since beyond the security aspects such as firewall/IDS/IPS and VPN, their SRX platforms offer full router functionality, and not the bizarrely crippled ASA software which does not support things such as GRE tunnels or full routing protocol suites.

Fun times ahead.