BUILDING REMOTE ACCESS NETWORKS, part 3 (ppsx)

Using PPP To Provide Remote Network Access • Chapter 3 97

When multiple Cisco access servers are configured using MMP, the grouping is referred to as a "stack group." Supported interfaces for MMP are PRI, BRI, Serial, and Asynchronous. MMP requires that each associated router be configured with the following parameters:

  - PPP
  - Stack Group Bidding Protocol (SGBP): a protocol for arbitrating the location of bundles within a stack group to the "highest bidder" (normally the stack group member that locates the initial bundle for the first link in a multilink connection)
  - MP (Multilink PPP)
  - A virtual template for interface cloning

Simple stack groups are composed of member peer routers and do not need a permanent "lead" router. Any stack group member that answers an incoming call becomes the "owner" of the call if it is the first call in a new session with that remote-end device. When a second call comes in from the same remote-end device to the stack group, the answering router forwards the call to the stack group, where the member routers "bid" for it. Since the first router "owns" the session by having answered the first call, it wins the bid and the answering router forwards the call to it.

Figure 3.12 MMP configuration using routers. (Figure labels: Workstation, Modem, PSTN, ISDN, plain old telephone service (POTS), PRI, PPP, Multichassis Multilink.)

www.syngress.com 93_sbcran_Ch03 10/16/00 2:29 PM Page 97

The second router accomplishes this by establishing a tunnel to the "owner" router and forwarding all packets to the owner. The owner router is responsible for reassembling and resequencing the packets, and then forwards them on to the local network.

There are two basic steps to configuring MMP on Cisco routers and access servers:

Step 1: Configure the stack group and make member assignments.

  1. Create the stack group on the first router to be configured. group_name is the name of the stack group, not the router's hostname; every member must be configured with the same group name.

        sgbp group group_name

  2. Add the other stack group members, one line per member router.

        sgbp member router2_hostname router2_ip_address
        sgbp member router3_hostname router3_ip_address
        <add an sgbp member line for each additional member router>

Step 2: Configure a virtual template and Virtual Template Interface.

  1. Create a virtual template for the stack group.

        multilink virtual-template template_number

  2. Create an IP address pool (a local pool is used in this example).

        ip local pool default ip_address

  3. Create a Virtual Template Interface (not required for ISDN interfaces or if the physical interfaces are using dialers).

        interface virtual-template template_number

  4. Use unnumbered IP addressing.

        ip unnumbered ethernet 0

  5. Configure PPP.

        encapsulation ppp

  6. Enable Multilink PPP.

        ppp multilink

  7. Enable PPP authentication.

        ppp authentication type

Verifying and Troubleshooting PPP

Sometimes problems arise when configuring PPP for remote access servers. Cisco provides a powerful set of commands to aid in isolating and solving communication problems. These commands exist in two command sets: show commands and debug commands. Show commands report the current status of an interface or protocol, whereas debug commands display the processes an interface or protocol executes in order to establish communication.

Basic troubleshooting involves ensuring that the hardware is functioning correctly, then checking that configurations are correct and that communication processes are proceeding normally over the wire. Start at the physical layer and work your way up the OSI model to determine where the connection is failing.
PPP and Cisco Access Servers

Below are some basic steps that you can use to troubleshoot remote connections to a Cisco access server.

  1. Does the user's modem connect? If no, use these commands to determine the status of the modem: show modem log, debug modem.
  2. Does the LCP negotiation succeed? If no, use these commands to find the point of failure: debug ppp negotiation, debug ppp error.
  3. Does the authentication succeed? If no, use this command to determine the cause of failure: debug ppp authentication.
  4. Does the network layer (NCP) negotiation succeed? If no, use this command to find the point of failure: debug ppp negotiation.
  5. If all of the above succeed, inspect the user's session with: show caller {line | user | ip | interface}.

PPP and ISDN Connections between Cisco Routers

Following is a typical scenario for determining the problem(s) when a BRI interface fails to establish a remote connection using PPP over an ISDN line.

First, check the status of the physical layer:

    Cisco command: show isdn status

    The current ISDN Switchtype = basic-ni1
    ISDN BRI0 interface
        Layer 1 Status:
            DEACTIVATED
        Layer 2 Status:
            Layer 2 NOT Activated
        Layer 3 Status:
            No Active Layer 3 Call(s)
        Activated dsl 0 CCBs = 0
        Total Allocated ISDN CCBs = 0

The output above indicates a problem with the physical layer, as shown by the Layer 1 status of "DEACTIVATED." This could be caused by a bad cable, a bad NT-1 device (or no power to an external NT-1), or a bad demarc. In this instance, we had a bad cable between the NT-1 device and the BRI interface of the Cisco router.
We replaced the cable and executed the command again:

    The current ISDN Switchtype = basic-ni1
    ISDN BRI0 interface
        Layer 1 Status:
            ACTIVE
        Layer 2 Status:
            Layer 2 NOT Activated
        Layer 3 Status:
            No Active Layer 3 Call(s)
        Activated dsl 0 CCBs = 0
        Total Allocated ISDN CCBs = 0

The output above indicates that the physical layer is now functioning properly, as evidenced by the Layer 1 status of "ACTIVE." Now we turn our attention to Layer 2 to determine where the problem is within that layer. If Layer 2 were functioning correctly, the router would have received TEIs (Terminal Endpoint Identifiers) from the ISDN switch, and the Layer 2 status would list them instead of "Layer 2 NOT Activated."

To determine whether there are any Layer 2 problems, turn on terminal monitoring (term mon), execute the following command, and then ping across the ISDN link (10.1.20.2, the BRI0 address of the peer router in this example) so that the router attempts to place a call:

    Cisco command: debug isdn q921
    ISDN Q921 packets debugging is on

    (after ping):
    Type escape sequence to abort.
    Sending 5, 100 byte ICMP Echos to 10.1.20.2, timeout is 2 seconds:
    12:20:01: TX -> IDREQ ri = 18543 ai = 127 dsl = 0
    12:20:03: TX -> IDREQ ri = 1546 ai = 127 dsl = 0
    12:20:05: TX -> IDREQ ri = 1834 ai = 127 dsl = 0
    12:20:07: TX -> IDREQ ri = 17456 ai = 127 dsl = 0
    ...
    12:21:03: TX -> IDREQ ri = 1654 ai = 127 dsl = 0

The router keeps transmitting TEI identity requests (IDREQ, with ai = 127 meaning any TEI value is acceptable) and never receives an identity assignment (IDASSN) from the switch. This indicates a malfunctioning NT-1 device, an incorrectly provisioned circuit, or an incorrect ISDN switch type configured on the router. After speaking with the local exchange carrier (LEC), it was determined that the circuit was not correctly provisioned.
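The layer-by-layer sequence above (Layer 1 state in show isdn status, then TEI assignment in debug isdn q921) as an added Python example; it is not part of the original chapter and not a Cisco tool. The sample outputs are constructed to match the formats shown in this section, and the rules in diagnose() encode the checks the text recommends for each layer.

```python
import re

# Constructed sample outputs, modelled on the show isdn status and
# debug isdn q921 output shown in this section (not captured from a live router).
STATUS_L1_DOWN = """\
The current ISDN Switchtype = basic-ni1
ISDN BRI0 interface
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        Layer 2 NOT Activated
    Layer 3 Status:
        No Active Layer 3 Call(s)
    Activated dsl 0 CCBs = 0
    Total Allocated ISDN CCBs = 0
"""

# Same router after the cable was replaced: Layer 1 up, still no TEIs.
STATUS_L2_DOWN = STATUS_L1_DOWN.replace("DEACTIVATED", "ACTIVE")

STATUS_OK = """\
The current ISDN Switchtype = basic-ni1
ISDN BRI0 interface
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 102, State = MULTIPLE_FRAME_ESTABLISHED
        TEI = 101, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
    Activated dsl 0 CCBs = 1
        CCB:callid=800C, sapi=0, ces=1, B-chan=1
"""

Q921_IDREQ_LOOP = """\
12:20:01: TX -> IDREQ ri = 18543 ai = 127 dsl = 0
12:20:03: TX -> IDREQ ri = 1546 ai = 127 dsl = 0
12:20:05: TX -> IDREQ ri = 1834 ai = 127 dsl = 0
"""

Q921_OK = """\
12:45:17: BRI0: TX -> RRp sapi = 0 tei = 102 nr = 1
12:45:17: BRI0: RX <- RRf sapi = 0 tei = 102 nr = 1
"""


def parse_isdn_status(text):
    """Pull the three layer states out of 'show isdn status' output."""
    l1 = re.search(r"Layer 1 Status:\s*(\w+)", text)
    teis = {int(t): state for t, state in
            re.findall(r"TEI = (\d+), State = (\w+)", text)}
    calls = re.search(r"(\d+|No) Active Layer 3 Call", text)
    return {
        "layer1": l1.group(1) if l1 else "UNKNOWN",
        "teis": teis,
        "active_calls": 0 if not calls or calls.group(1) == "No" else int(calls.group(1)),
    }


def diagnose(status):
    """Walk up the stack and report the first layer that is not healthy,
    together with the check the chapter recommends for that layer."""
    if status["layer1"] != "ACTIVE":
        return ("layer1", "Layer 1 not ACTIVE: check the cable, the NT-1 and its power, and the demarc")
    if not any(s == "MULTIPLE_FRAME_ESTABLISHED" for s in status["teis"].values()):
        return ("layer2", "no TEI established: check isdn switch-type, circuit provisioning and the NT-1; run debug isdn q921")
    if status["active_calls"] == 0:
        return ("layer3", "no active call: if one is expected, run debug isdn q931 and check SPIDs and access lists")
    return ("ok", "Layers 1 to 3 are up")


def q921_tei_assignment(debug_text):
    """Classify 'debug isdn q921' output: repeated IDREQ with nothing received from
    the switch means TEI assignment is failing (switch type, provisioning or NT-1)."""
    idreq_sent = 0
    tei_assigned = False
    for line in debug_text.splitlines():
        if "IDREQ" in line:
            idreq_sent += 1
        elif "IDASSN" in line or re.search(r"RX <- .*tei = \d+", line):
            tei_assigned = True
    return {"idreq_sent": idreq_sent, "tei_assigned": tei_assigned}


if __name__ == "__main__":
    for name, text in [("L1 down", STATUS_L1_DOWN), ("L2 down", STATUS_L2_DOWN), ("ok", STATUS_OK)]:
        print(name, diagnose(parse_isdn_status(text)))
    print(q921_tei_assignment(Q921_IDREQ_LOOP))
    print(q921_tei_assignment(Q921_OK))
```

Feed the functions the text pasted from a terminal session (or collected by a script over the console) and the result is the layer to look at first, which is exactly the order the chapter tells you to work in.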
Here is what good Layer 2 output looks like for this debug command:

    Type escape sequence to abort.
    Sending 5, 1000 byte ICMP Echos to 10.1.20.2, timeout is 2 seconds:
    12:45:17: BRI0: TX -> RRp sapi = 0 tei = 102 nr = 1
    12:45:17: BRI0: RX <- RRf sapi = 0 tei = 102 nr = 1
    12:45:19: BRI0: TX -> RRp sapi = 0 tei = 101 nr = 3
    12:45:19: BRI0: RX <- RRf sapi = 0 tei = 101 nr = 3
    12:45:19: BRI0: TX -> INFOc sapi = 0 tei = 101 ns = 1 nr = 2
          I = 0x04E120406283703C14033348C4001233
    12:45:21: BRI0: RX <- RRr sapi = 0 tei = 101 nr = 2
    ...
    12:45:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0: B-Channel 1, changed state to up.
    !!!
    Success rate is 60 percent (3/5), round-trip min/avg/max = 100/110/120 ms

Note the TEIs (101 and 102) received from the ISDN switch. Each time you shut down the BRI0 interface and bring it back up, you should receive new TEIs from the ISDN switch.

Now, if you execute the show isdn status command, you will receive the following:

    Cisco command: show isdn status

    The current ISDN Switchtype = basic-ni1
    ISDN BRI0 interface
        Layer 1 Status:
            ACTIVE
        Layer 2 Status:
            TEI = 102, State = MULTIPLE_FRAME_ESTABLISHED
            TEI = 101, State = MULTIPLE_FRAME_ESTABLISHED
        Layer 3 Status:
            1 Active Layer 3 Call(s)
        Activated dsl 0 CCBs = 1
            CCB:callid=800C, sapi=0, ces=1, B-chan=1

If Layer 3 does not activate, use the debug isdn q931 command to troubleshoot the Layer 3 problems. Below is example output from a router whose Layer 3 is functioning properly (be sure to turn on terminal monitoring, execute the command, then ping the IP address of the peer router's BRI0 interface):

    Cisco command: debug isdn q931

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.20.2, timeout is 2 seconds:
    12:51:11: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.1.20.2 -> 10.1.20.2 (0/0), 1 packet
    12:51:11: BRI0: TX -> SETUP pd = 8 callref = 0x08
    12:51:11: BRI0: Bearer Capability I = 0x8890
    12:51:11: BRI0: Channel ID I = 0x62
    12:51:13: BRI0: Called Party Number I = 0x70, '4097004509'
    12:51:13: BRI0: RX <- CALL_PROC pd = 8 callref = 0x82
    12:51:13: BRI0: Channel ID I = 0x89
    12:51:15: BRI0: ISDN Event: incoming ces value = 1
    ...
    12:51:17: %LINK-3-UPDOWN: Interface BRI0: B-Channel 1, changed state to up
    12:51:17: BRI0: TX -> CONNECT_ACK pd = 8 callref = 0x08
    12:51:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0: B-Channel 1, changed state to up
    !!
    Success rate is 60 percent (3/5), round-trip min/avg/max = 110/130/150 ms

If the debug output instead contains "HOST_TERM_REGISTER_NACK - invalid EID/SPID, or TEI not assigned" or "Cause I = 0x8082 - No route to specified network," check that your service profile identifiers (SPIDs) are valid and that your ISDN switch type is correct. The most common Layer 3 problems are incorrect IP addressing, incorrect SPIDs, or erroneous access lists assigned to the interface.

Many communication problems with remote access systems are due to authentication failure. Below is an example of debugging CHAP (make sure your router is in terminal monitor mode, and then ping the IP address of the peer router's BRI0 interface):

    Cisco command: debug ppp chap

    12:53:11: %LINK-3-UPDOWN: Interface BRI0: B-Channel 1, changed state to up
    12:53:11: PPP BRI0: B-Channel 1: CHAP challenge from ciscortr2
    12:53:11: PPP BRI0: B-Channel 1: CHAP response received from ciscortr2
    12:53:11: PPP BRI0: B-Channel 1: remote passed CHAP authentication.
    12:53:11: PPP BRI0: B-Channel 1: Passed CHAP authentication with remote

If the output from the command states "PPP BRI0: B-Channel 1: failed CHAP authentication with remote," check your username and password for correctness. Passwords and usernames are case sensitive, and the same secret must be configured for the peer on both routers.

Other useful Cisco debug commands:

    debug ppp ?
    debug ppp chap
    debug ppp pap
    debug ppp multilink
    debug isdn events
    debug ppp negotiation
    debug dialer

To debug MSCB (Microsoft Callback):

    debug ppp cbcp

Providing Remote Access Services for Microsoft Windows Clients

Microsoft Windows clients using either the native Dial-Up Networking (DUN) that comes with the Windows operating system or a third-party dialing program provided by an ISP or corporate IT department can access Remote Access Services (RAS). There are two basic steps for configuring a RAS client on a Windows workstation:

  1. Install a modem to be used for dial-up (Microsoft Windows 9x and Windows 2000 should automatically recognize and configure most modems when booted for the first time after the device has been physically installed), and connect it to an operational communications line.
  2. Configure the software to be used as the dial-up program. Configuration issues include the number to be dialed, the link-layer and network protocols to be used, the manner in which the network address is assigned, and so on.

The Microsoft DUN client supports TCP/IP, Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), and NetBEUI by default, as well as multilink when two modems are installed in the same computer.

By default, the "Log on to network" check box is selected under "Advanced options" of the "Server Types" tab of the connection's "Properties" dialog box. This check box should be deselected when dialing into a Cisco access server.
If this box is not deselected, the client will attempt to log on to the network with your Windows user ID and password once the link is up, and you will be disconnected from the Cisco access server.

Microsoft Specific PPP Options

There are several PPP options that may be configured to provide remote access to Microsoft Windows clients using Microsoft's proprietary protocols, such as MS-CHAP and MSCB (Microsoft Callback). MSCB is enabled by default when PPP callback is configured on Cisco routers running IOS version 11.3(2)T or later. MS-CHAP may be configured by using the keyword ms-chap on the ppp authentication command under interface configuration mode. For example:

    username rudder password elephantwalk
    interface Dialer1
     ip address 10.10.10.1 255.255.255.0
     encapsulation ppp
     dialer in-band
     dialer-group 1
     ppp authentication ms-chap

Note that CHAP and MS-CHAP require the router to hold the clear-text password of each user, so the username line stores it in the configuration; service password-encryption only obscures it with a reversible encoding, so protect copies of the configuration accordingly.

Windows 95 Clients

Windows 95 clients default to the PPP dial-up server type when using Microsoft's DUN software. To confirm this setting, or to change a manually configured dial-up connection to PPP, do the following:

  1. Double-click the "My Computer" icon on your desktop.
  2. Double-click "Dial-up Networking."
  3. Right-click the dial-up connection of interest and select "Properties."
  4. Select the "Server Types" tab.
  5. Under "Type of dial-up server," select "PPP: Windows 95, Windows NT 3.5, Internet."
  6. Deselect the "Log on to network" check box (unless dialing into a Windows server).
  7. Select the check boxes of the network protocols you will be using.
  8. If your IP address is to be dynamically assigned by your ISP or the corporate intranet, click "TCP/IP Settings."
  9. Next, select the "Server assigned IP address" radio button; "Server assigned name server addresses" should also be selected.
  10. Leave all other defaults as they are.
  11. Click "OK" to save your changes and return to the DUN window.
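The CHAP exchange whose debug output appears in the troubleshooting section, and the reason the MS-CHAP configuration above keeps the clear-text password on the username line, as an added Python example. It is not from the original chapter and not Cisco's implementation; it implements plain CHAP as in RFC 1994 (MS-CHAP uses a different, Microsoft-specific response computation and is not modelled here). The peer names ciscortr2 and rudder and the secret elephantwalk are taken from the chapter; the classes, the random challenge and the replay check are this example's own construction.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """The side that issues the Challenge (the access server). It must hold the
    clear-text secret for every peer, which is why 'username ... password ...'
    keeps the password in the router configuration."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets          # peer name -> clear-text secret
        self.identifier = 0
        self.pending = None

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending = os.urandom(16)   # fresh random challenge every time
        return self.identifier, self.pending, self.name

    def verify(self, identifier, response, peer_name):
        """Success only if the Identifier matches the outstanding challenge and the
        peer's response equals MD5 over our copy of the secret. The lookup is
        case-sensitive, exactly like the router's username database."""
        secret = self.secrets.get(peer_name)
        if secret is None or self.pending is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.pending)
        ok = hmac.compare_digest(expected, response)
        self.pending = None             # a challenge is usable once; no replay
        return ok


class ChapPeer:
    """The dialing peer: it proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return identifier, chap_response(identifier, self.secret, challenge), self.name


def run_chap(authenticator, peer):
    """One Challenge / Response / Success-or-Failure exchange; True means Success."""
    ident, chal, _ = authenticator.challenge()
    ident, resp, name = peer.respond(ident, chal)
    return authenticator.verify(ident, resp, name)


def replay_is_rejected(authenticator, peer):
    """A captured (Identifier, Response) pair must not authenticate a second time."""
    ident, chal, _ = authenticator.challenge()
    ident, resp, name = peer.respond(ident, chal)
    first = authenticator.verify(ident, resp, name)
    authenticator.challenge()           # a new challenge is now outstanding
    second = authenticator.verify(ident, resp, name)
    return first and not second


if __name__ == "__main__":
    ciscortr2 = ChapAuthenticator("ciscortr2", {"rudder": "elephantwalk"})
    print("correct secret:", run_chap(ciscortr2, ChapPeer("rudder", "elephantwalk")))
    print("wrong case:    ", run_chap(ciscortr2, ChapPeer("rudder", "ElephantWalk")))
    print("replay rejected:", replay_is_rejected(ciscortr2, ChapPeer("rudder", "elephantwalk")))
```

Because the response is an unkeyed MD5 over the secret, anyone who captures one Challenge/Response pair can test candidate passwords offline; the strength of the exchange is the strength of the secret, which is another reason to keep the router configuration out of reach.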
Windows 98 Clients

Windows 98 clients default to the PPP dial-up server type when using Microsoft's DUN software. To confirm this setting, or to change a manually configured dial-up connection to PPP, do the following (Figures 3.13 and 3.14):

  1. Double-click the "My Computer" icon on your desktop.
  2. Double-click "Dial-up Networking."
  3. Right-click the dial-up connection of interest and select "Properties."
  4. Select the "Server Types" tab.
  5. Under "Type of Dial-Up Server," select "PPP: Internet, Windows NT Server, Windows 98."
  6. Uncheck the "Log on to network" check box (unless dialing into a Windows server).
  7. Select the check boxes of the network protocols you will be using.
  8. If your IP address is to be dynamically assigned by your ISP or the corporate intranet, click "TCP/IP Settings." Next, select the "Server assigned IP address" radio button. ("Server assigned name server addresses" should also be selected.)
  9. Leave all other defaults as they are.
  10. Click "OK" to save your changes and return to the DUN window.

Figure 3.13 Selecting PPP in MS dial-up networking.

[...]

... connection to PPP, do the following (Figures 3.15, 3.16, and 3.17):

  1. Double-click the "My Computer" icon on your Windows 2000 desktop.

Figure 3.15 Windows 2000 dial-up connection properties.

  2. Double-click "Network and Dial-up Connections."
  3. Right-click the dial-up connection of interest ...
... www.cisco.com/warp/public/131/6.html

Chapter 4
Utilizing Virtual Private Network (VPN) Technology for Remote Access Connectivity

Solutions in this chapter:

  - Site-to-site VPN technology
  - Remote access VPN technology
  - Advantages of VPN technology
  - Disadvantages of VPN technology
  - Security
  - Cisco's VPN solutions

www.syngress.com 93_sbcran_04 10/16/00 12:40 PM Page 113

... corporate networks and all branch office networks, or a single host and the networks. In this scenario we will secure all communications between the networks by terminating VPN tunnels on the outside interfaces of both the Branch and Corporate routers, and defining that all traffic between them gets encrypted. This is done in access lists based on source addresses or networks and destination addresses or networks. ...

    ipsec-isakmp
        Peer = 192.168.5.1
        Extended IP access list 120
            access-list 120 permit ip 10.2.2.0 0.0.0.255 10.2.3.0 0.0.0.255
        Current peer: 192.168.5.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }

Now look at the Branch ...

... tab, and then press the "Advanced Security Settings" button and check all applicable authentication protocols.

Figure 3.16 Windows 2000 advanced security settings dialog box.

Windows 2000 clients use an installation wizard to guide users through the installation of new dial-up connections ...
... done through the use of access lists. These access lists are not like regular access lists, in that they are not used to define which traffic is blocked or permitted; these (crypto) access lists define what traffic is encrypted/decrypted and what traffic is not. Traffic that matches a deny entry, or matches no entry at all, is sent in the clear rather than dropped. The access list is not applied to an interface, nor is it specific to IPSec. Rather, it is the crypto map entry that ties the access list to IPSec, ...

... image access list on the Branch router. The list and the peer will really be the only difference between the two configurations.

Again, we start by defining what should be encrypted. This should be a mirror image of the access list created on the Central router.

    Branch(config)# access-list ...

Windows NT 4 Clients

Windows NT 4 clients default to the PPP dial-up server type when using Microsoft's ...

... information through the Public Switched Telephone Network (PSTN) unencrypted. To secure our traffic we will be using the CiscoSecure VPN client, v1.1. The CiscoSecure VPN client is a software program that is loaded on any host needing access to the corporate network through a VPN tunnel ...

(Figure labels: Internet, Research Server, Corp E-Mail, Accounting Server, Branch.)

Configuring IPSec on the Network Access Server

Create the IPSec transform set:

    RouterNAS(config)# crypto ipsec transform-set vpnclient esp-des esp-sha-hmac

(esp-des is single DES with a 56-bit key and is no longer considered secure; on any current IOS, prefer esp-aes together with esp-sha-hmac.)

Create the ISAKMP policy:

    RouterNAS(config)# crypto isakmp policy 100 ...
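How a crypto access list selects traffic, and why the Branch list must be the mirror image of the Central list, as an added Python example that is not part of the book and not Cisco IOS code. The 10.2.2.0/24 and 10.2.3.0/24 networks come from the show crypto map output above; access list 121 with its host 10.2.2.1 / host 10.2.3.1 deny entry is constructed for illustration.

```python
import ipaddress

# Constructed crypto access lists using the networks from the chapter's
# "show crypto map" output. Central protects 10.2.2.0/24 -> 10.2.3.0/24;
# Branch must hold the mirror image.
CENTRAL_ACL = """\
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.2.3.0 0.0.0.255
"""
BRANCH_ACL = """\
access-list 120 permit ip 10.2.3.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
# Constructed: a crypto ACL with a deny, which in a crypto ACL means
# "send in the clear", not "drop".
CENTRAL_ACL_WITH_DENY = """\
access-list 121 deny ip host 10.2.2.1 host 10.2.3.1
access-list 121 permit ip 10.2.2.0 0.0.0.255 10.2.3.0 0.0.0.255
"""


def _addr_spec(tokens, i):
    """Parse one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return [(action, src, src_wc, dst, dst_wc), ...] for 'access-list N ... ip ...' lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action = tokens[2]
        (src, swc), i = _addr_spec(tokens, 4)
        (dst, dwc), _ = _addr_spec(tokens, i)
        entries.append((action, src, swc, dst, dwc))
    return entries


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def crypto_action(acl, src, dst):
    """First match wins: permit -> protect with IPSec; deny or no match -> clear.
    Unlike an interface ACL, nothing here drops a packet."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return "encrypt" if action == "permit" else "clear"
    return "clear"


def mirror(acl):
    """The list the peer needs: every source/destination pair swapped."""
    return [(action, d, dwc, s, swc) for action, s, swc, d, dwc in acl]


def is_mirror_pair(local_acl, peer_acl):
    """True when the peer's crypto ACL is exactly the mirror image of ours."""
    return mirror(local_acl) == peer_acl


if __name__ == "__main__":
    central = parse_crypto_acl(CENTRAL_ACL)
    branch = parse_crypto_acl(BRANCH_ACL)
    print("10.2.2.7 -> 10.2.3.9 at Central:", crypto_action(central, "10.2.2.7", "10.2.3.9"))
    print("10.2.2.7 -> 192.0.2.1 at Central:", crypto_action(central, "10.2.2.7", "192.0.2.1"))
    print("Branch mirrors Central:", is_mirror_pair(central, branch))
```

A mismatch between the two lists is a classic cause of a tunnel that works in one direction only: one side sends traffic protected, the other side has no matching entry and sends its reply in the clear (or rejects the inbound SA proposal). Running is_mirror_pair() over both configurations before bringing the tunnel up catches that before the first packet.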

Posted: 14/08/2014, 13:20

Table of contents

  • Chapter 4

  • Chapter 5
