SNMP Configuration Cisco

Switches

ip access-list standard SNMP-Permitted
10 permit 192.168.130.242


1.3.6.1.2.1.4.21 – ipRouteTable (IP route table)
1.3.6.1.2.1.4.22 – ipNetToMediaTable (IPv4 ARP table) (deprecated by ipNetToPhysicalTable)
1.3.6.1.2.1.4.35 – ipNetToPhysicalTable (combined IPv4/IPv6 translation table)
1.3.6.1.2.1.3 – atTable (layer two address table)

and

snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB Objects excluded below


snmp-server view Company-RO iso included
snmp-server view Company-RO 1.3.6.1.2.1.4.21 excluded
snmp-server view Company-RO 1.3.6.1.2.1.4.22 excluded
snmp-server view Company-RO 1.3.6.1.2.1.4.35 excluded
snmp-server view Company-RO 1.3.6.1.2.1.3 excluded
snmp-server view Company-RO 1.3.6.1.6.3.15 excluded
snmp-server view Company-RO 1.3.6.1.6.3.16 excluded
snmp-server view Company-RO 1.3.6.1.6.3.18 excluded

snmp-server enable traps
snmp-server ifindex persist
snmp-server engineID local 8000000903005C710DE1D280
snmp-server location London
snmp-server contact support@Company.com
snmp-server group Company_snmp_mon_grp v3 priv read Company-RO access SNMP-Permitted
snmp-server user Company_snmp_mon Company_snmp_mon_grp v3 auth sha 3ZU50CjGs56ikZwxVLLy-5bm07WEQo priv aes 128 09pxfF-HTIJnhxZvL_vJ-VBKZawXqN

snmp-server host 192.168.130.242
snmp-server host 192.168.130.242 version 3 priv Company_snmp_mon

Advertisement

GETVPN (Group Encrypted Transport VPN) Config (Commands)

GETVPN is not used on public internet rather on a closed network e.g. MPLS where all the IP routing works becasue the header has the original internal source and destination IPs even after the ESP encrypted header.

GM (Group Member): Encrypts and Forwards on the Data Plane
KS (Key Server): Control Plane for IPSec (IKEv1 policy, IPsec transform set, IPsec Profile, Crypto ACL, Re-keying policy)
TEK:Traffic Encryption Key (Encryption key between GMs for data traffic encryption
KEK: Key Encryption Key (Encryption Key between GMs and KS using UDP port 848)
GDOI (Group Domain Of Interpretation): Group Members Common Agreement
COOP: Protocol used between primary and secondary key servers

(Routing should needs to work fully before starting to configure GET VPN)

KeyServer (R4):
crypto isakmp policy 10
enc aes 128
hash sha256
group 14
authen pre-share
exit

crypto isakmp key Cisco123 address 0.0.0.0

crypto ipsec transform-set Our-Transform-Set esp-aes esp-sha-hmac
crypto ipsec profile Our-IPSec-Profile
set transform-set Our-Transform-Set
set security=association lifetime seconds 3600
exit

KS Key-Pair generation:
crypto key generate rsa general-keys label KS-Keys mod 2048
exportable

ip access-list extended Our-List
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip any any
exit

crypto gdoi group Our-GETVPN-Group
identity number 6783

server local
address ipv4 4.4.4.4 (this is the loopback ip address)
reley lifetime seconds 1800 (rekey the GMs)
rekey retransmit 40 number 2
rekey authentication mypubkey rsa KS-Keys
rekey transport unicast
sa ipsec 777 (it can be any number)

profile Our-IPSec-Profile
match address ipv4 Our-List
replay time window-size 5
end

Group Member R1 (similar config except apply it to the correct exit interface):
crypto isakmp policy 10
enc aes 128
hash sha256
gruop 14
authen pre-share
exit

crypto isakmp key Cisco123 address 0.0.0.0

crypto gdoi group Our-GETVPN-Group
identity number 6783
server address ipv4 4.4.4.4

crypto map GM-Map 10 gdoi
set group Our-GETVPN-Group

interface g0/1
crypto map GM-Map

Verification:
ping x.x.x.x
show ip route
show crypto gdoi
show crypto gdoi gm

show crypto gdoi ks

show crypto ipsec sa

show crypto isakmp sa

DMVPN (Dynamic Multi Point VPN) Config (Commands)

(Publically reachable IP addresses in a DMVPN is called NBMA (Non-Broadcast Multi Access) network)
(mGRE (Multi Point GRE) is used instead of using separate tunnel interfaces for each router)
(NHRP (Next Hop Resolution Protocol) is used to know each other’s next hop NBMA address. Also, helps building spoke to spoke dynamic tunnel if there is a route to both the spoke’s via a hub)
(with DMVPN we don’t specify tunnel destinations, but we specify NHS (Next Hop Server))

CONFIGURING THE DMVPN HUB – R1 ROUTER:
interface GigabitEthernet0/0
description LAN-Network
ip address 10.1.0.1 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 15.1.1.1 255.255.255.0
duplex auto
speed auto

interface Tunnel0
description mGRE – DMVPN Tunnel
ip address 172.16.123.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig 0/1
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authen Cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp redirect (if pahse3 is supported based on the new IOS version or you can use ‘no ip next-hop-self’ on hub router to not use its ip advertised when advertising the spokes)
no ip split-horizon eigrp 1
end

CONFIGURING THE DMVPN SPOKES – R2 & R3 ROUTERS:
R2:

interface GigabitEthernet0/0
description LAN-Network
ip address 10.2.0.2 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 25.2.2.2 255.255.255.0
duplex auto
speed auto

interface Tunnel0
description DMVPN Spoke site R2
ip address 172.16.123.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig 0/2
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authen Cisco123
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
end

R3:
interface GigabitEthernet0/0
description LAN-Network
ip address 10.3.0.3 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 35.3.3.3 255.255.255.0
duplex auto
speed auto

interface Tunnel0
description DMVPN Spoke site R3
ip address 172.16.123.3 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig 0/3
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authen Cisco123
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
end

ROUTING BETWEEN DMVPN mGRE TUNNELS:
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 172.16.123.0 0.0.0.255
R1(config-router)#end

R2(config)#router eigrp 1
R2(config-router)#network 10.0.0.0
R2(config-router)#network 172.16.123.0 0.0.0.255
R2(config-router)#end

R3(config)#router eigrp 1
R3(config-router)#network 10.0.0.0
R3(config-router)#network 172.16.123.0 0.0.0.255
R3(config-router)#end

PROTECTING – ENCRYPTING DMVPN MGRE TUNNELS WITH IPSEC:
R1:

crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 86400
exit
!
crypto isakmp key Cisco123 address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
mode transport
exit
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
exit
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
end

R2 and R3:
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 86400
exit
!
crypto isakmp key Cisco123 address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
mode transport
exit
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
exit
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
end

Verification Commands:
show run int tun 0
show dmvpn
show ip nhrp
traceroute 10.3.0.50 source 10.2.0.2
show crypto session
show ip eigrp interfaces
show ip route eigrp
show ip route
show ip cef 10.3.0.0
show isakmp sa
show ipsec sa
show crypto engine connections active
show crypto map
show crypto
debug nhrp

GRE (Generic Route Encapsulation) over IPSec VPN Configuration on a Cisco Router

CREATING A CISCO GRE TUNNEL:
R1(config)# interface Tunnel0
R1(config-if)# ip address 10.12.12.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 15.1.1.1
R1(config-if)# tunnel destination 25.2.2.2

ROUTING NETWORKS THROUGH THE GRE TUNNEL:
R1(config)#route eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#10.0.0.0 0.255.255.255
R1(config-router)#end

SECURING THE GRE TUNNEL WITH IPSEC:
(GRE is not protected or encrypted so we use IPSec)
CONFIGURE ISAKMP (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 7
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 5000

Create PSK:
R1(config)# crypto isakmp key cisco123 address 0.0.0.0

CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY):
R1(config)# crypto ipsec transform-set TS esp-aes 128 esp-sha384-hmac
R1(cfg-crypto-trans)# mode tunnel

(Old way was using crypto map and use an ACL for interesting traffic, but the new way is to use VTIs (VIrtual Tunnel Interface). Default mode for the tunnel is GRE but we will change it to IPSec and apply IPSec profile we created)

Create IPSec Profile :
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS

Apply it to the tunnel:
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre

Verification Commands:
show run int tun 0
show ip route
show eigrp interfaces
show crypto isakmp policy
show crypto isakmp key
show crypto engine connections active
show crypto isakmp sa
show crypto ipsec sa
show crypto session

Site to Site VPN Config on a Cisco Router

Config isakmp (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

Config Pre-Shared Key – PSK:
R1(config)# crypto isakmp key firewallcx address 1.1.1.2

  1. Create IPSec Transform (ISAKMP PHASE 2 POLICY):
    R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
    R1(cfg-crypto-trans)#mode tunnel (by default it is tunnel mode so don’t have to specify)
  2. Create extended ACL (Interesting Traffic):
    R1(config)# ip access-list extended VPN-TRAFFIC
    R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  3. Create Crypto Map:
    R1(config)# crypto map CMAP 10 ipsec-isakmp
    R1(config-crypto-map)# set peer 1.1.1.2
    R1(config-crypto-map)# set transform-set TS
    R1(config-crypto-map)# match address VPN-TRAFFIC
    R1(config-crypto-map)# set pfs group 2
  4. Apply crypto map to the public interface:
    R1(config)# interface FastEthernet0/1
    R1(config- if)# crypto map CMAP

Verification Commands:
show run | section crypto
show crypto isakmp policy
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto isakmp sa detail
show crypto ipsec sa detail
show crypto engine connections active
debug crypto isakmp
debug crypto ipsec

Note: Limitations of IPsec Tunnel with Crypto maps is that we can not use Dynamic Routing Protocols over the tunnel so use GRE tunnel.

Note: ESP (Encapsulating Security Payload) is protocol 50 and GRE (Generic Route Encryption) is protocol 47.

How to import multiple objects into R80.x Management database using .csv file and then add them to a group

Check Checkpoint:
create a csv file and run it through mgmt_cli
Excel sheet file format with column headings:
name,subnet,subnet-mask

#mgmt_cli add network –batch IPs-ListFile.csv -r true

How to import multiple objects into R80.x Management database using .csv file and then add them to a group:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113078
https://community.checkpoint.com/t5/General-Management-Topics/Format-of-csv-file-to-add-object-in-group/td-p/8987

.csv files needs to be where you will be running the commands from:

Create the .csv file:

#cat networks.csv

name,subnet,subnet-mask
network1,10.10.10.0,255.255.255.0
network2,20.20.20.0,255.255.255.0
network3,30.30.30.0,255.255.255.0

Note: using underscore character in .csv file (for example, “network1_1”) can cause errors. Use the hyphen instead.

Run the API command:
#mgmt_cli add network –batch networks.csv

Then to add the objects to the right group use:

mgmt_cli set group –batch group-members_full_csv.csv

The CSV should have the following header row:

name,members.add

The name field is for the group and the members.add field will be the host object to add to the group.

The rest of the body of the CSV would then be filled in as you wish:

group1,host1

group1,host2

group1,host3

group2,host1

group2,host2

group2,host3