Friday, February 26, 2010

SWITCH memo

EtherChannel
PAgP has 2 modes: auto (passive) and desirable (active).
LACP has modes active and passive
In active/desirable switch actively trying to form etherchannel and in auto/passive mode switch waits for the other side to negotiate.

If PAgP configured for a silent auto mode, the link will eventually come up (after bundling it to a port-channel) even without device configured for an etherchannel on the other end of the link. However, the link won't join Port-channel. It will be up, but not as a part of a channel. If the link was configured with silent desirable mode, it will form a channel without hearing any PAgP packet from the opposite side. It allows to form a channel with not a PAgP capable devices like servers etc.
If non-silent command was configured in Switch(config-if)# channel-group number mode {on | {{auto | desirable} [non-silent]}} then it will be required for each port to receive PAgP packets before adding them to a channel. If PAgP isn’t heard on an active port, the port remains in the up state, but PAgP reports to the Spanning Tree Protocol (STP) that the port is down.
If show commands, then show ETHERCHANNEL
If interface command, then int PORT-CHANNEL
If configuration commands, then CHANNEL-XXXX


Spanning Tree Protocol
Catalyst switches offer the PortFast feature, which shortens the Listening and Learning states to a negligible amount of time. When a workstation link comes up, the switch immediately moves the PortFast port into the Forwarding state. Spanning-tree loop detection is still in operation, however, and the port moves into the Blocking state if a loop is ever detected on the port. We can configure PortFast as a global default, affecting all switch ports with a single command. All ports that are configured for access mode (nontrunking) will have PortFast automatically enabled.

The UplinkFast feature on Catalyst switches enables leaf-node switches or switches at the ends of the spanning-tree branches to have a functioning root port while keeping one or more redundant or potential root ports in Blocking mode. When the primary root port uplink fails, another blocked uplink immediately can be brought up for use. UplinkFast works by keeping track of possible paths to the root bridge. Therefore, the command is not allowed on the root bridge switch. The goal is to keep UplinkFast limited to leaf-node switches that are farthest from the root. First, the switch’s bridge priority is raised to 49,152, making it unlikely that the switch will be elected to root bridge status. The port cost of all local switch ports is incremented by 3000, making the ports undesirable as paths to the root for any downstream switches.
When an uplink on a switch goes down, UplinkFast makes it easy for the local switch to update its bridging table of MAC addresses to point to the new uplink. However, UplinkFast also provides a mechanism for the local switch to notify other upstream switches that stations downstream (or within the access layer) can be reached over the newly activated uplink. The switch accomplishes this by sending dummy multicast frames to destination 0100.0ccd.cdcd on behalf of the stations contained in its Content-Addressable Memory (CAM) table. The MAC addresses are used as the source addresses in the dummy frames, as if the stations actually had sent them. The idea is to quickly send the multicast frames over the new uplink, giving upstream hosts a chance to receive the frames and learn of the new path to those source addresses.


BackboneFast works by having a switch actively determine whether alternative paths exist to the root bridge, in case the switch detects an indirect link failure. A switch detects an indirect link failure when it receives inferior BPDUs from its designated bridge on either its root port or a blocked port.
Normally, a switch must wait for the Max Age timer to expire before responding to the inferior BPDUs. However, BackboneFast begins to determine whether other alternative paths to the root bridge exist according to the following port types that received the inferior BPDU:
■ If the inferior BPDU arrives on a port in the Blocking state, the switch considers the root port and all other blocked ports to be alternative paths to the root bridge.
■ If the inferior BPDU arrives on the root port itself, the switch considers all blocked ports to be alternative paths to the root bridge.
■ If the inferior BPDU arrives on the root port and no ports are blocked, however, the switch assumes that it has lost connectivity with the root bridge. In this case, the switch assumes that it has become the root bridge, and BackboneFast allows it to do so before the Max Age timer expires.
If the local switch has blocked ports, BackboneFast begins to use the Root Link Query (RLQ) protocol to see whether upstream switches have stable connections to the root bridge. First, RLQRequests are sent out. If a switch receives an RLQRequest and either is the root bridge or has lost connection to the root, it sends an RLQ Reply. Otherwise, the RLQ Request is propagated on to other switches until an RLQ Reply can be generated. On the local switch, if an RLQ Reply is received on its current root port, the path to the root bridge is intact and stable. If it is received on a nonroot port, an alternative root path must be chosen. The Max Age timer immediately is expired so that a new root port can be found. BackboneFast is simple to configure and operates by short-circuiting the Max Age timer when needed. Although this function shortens the time a switch waits to detect a root path failure, ports still must go through full-length Forward Delay timer intervals during the Listening and Learning states.

When used, BackboneFast should be enabled on all switches in the network because BackboneFast requires the use of the RLQ Request and Reply mechanism to inform switches of Root Path stability.

Root Guard
The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network. Basically, a switch learns the current root bridge’s bridge ID. If another switch advertises a superior BPDU, or one with a better bridge ID, on a port where Root Guard is enabled, the local switch will not allow the new switch to become the root. As long as the superior BPDUs are being received on the port, the port will be kept in the root-inconsistent STP state.When the superior BPDUs no longer are received, the port is cycled through the normal STP states to return to normal use.

BPDU Guard should be used along with PortFast feature, to prevent inadvertent connection of bridging devices to an access port. However, BPDU Guard won't prevent loops, if non-STP capable device is connected to a port. BPDU Guard feature puts port to a err-disable state, if BPDU is received on a port.
Why is it so terrifying to get a bridge or switch on a Portfast enabled port? It is because port will transition from a blocking to a forwarding state without any delay (forward delay, max age etc), so a bridging loop might occur. That's why Portfast enabled ports should be "guarded" by a BPDU Guard feature (Guard enables on a port as soon as Portfast is enabled). When the BPDUs no longer are received, the port still remains in the errdisable state.

UDLD and LoopGuard. Suppose, the switch port is in Blocking state and it receives BPDU's from a designated port on a segment. If, BPDU's stop arrive, then switch assumes, that there is no STP device on that segment (like PC is connected), so it can safely move it to Forwarding state and make it designated on this segment. However, suppose, that something filtering BPDU's on their way to the switch, but there is still a device actively sending them on the opposite side of the link. This means, that switch should NOT transit port from a blocking to a forwarding state, however it will happen if LoopGuard feature isn't enabled on this port.
When enabled, LoopGuard keeps track of the BPDU activity on nondesignated ports. This feature will move port to a loop-inconsistent state if BPDU's go missing (effectively preventing loops to occur). After BPDU's are received on a port again, Loop Guard allows to port to move through the normal STP states and become active.
UDLD works like pings on fiber-optic links where link can become partly damaged and become unidirectional. So on the one side switch could stop to receive BPDU's, however it can send data across the link. A unidirectional link poses a potential danger to STP topologies because BPDUs will not be received on one end of the link. If that end of the link normally would be in the Blocking state, it will not be that way for long. A switch interprets the absence of BPDUs to mean that the port can be moved safely through the STP states so that traffic can be forwarded. However, if that is done on a unidirectional link, a bridging loop forms and the switch never realizes the mistake.
The objective behind UDLD is to detect a unidirectional link condition before STP has time to move a blocked port into the Forwarding state. To do this, the target time must be less than the Max Age timer plus two intervals of the Forward Delay timer, or 50 seconds. UDLD can detect a unidirectional link after about three times the UDLD message interval (45 seconds total, using the default). If none of those messages is echoed back, the port is placed in the Errdisable state so that it cannot be used (in case of aggressive mode, otherwise syslog message is generated).
HSRP/VRRP/GLBP
HSRP. Only the standby (the one with the second-highest priority) router monitors the hello messages from the active router.
HSRP mac address 0000.0c07.acxx, where xx represents the HSRP group number as a two-digit hex value. HSRP sends its hello messages to the multicast destination 224.0.0.2 (“all routers”) using UDP port 1985. Priority and group numbers:
  • 0 to 255
VRRP MAC address is of the form 0000.5e00.01xx, where xx is a two-digit hex VRRP group number. VRRP sends its adverts to the multicast destination address 224.0.0.18 (VRRP), using IP protocol 112. Priority and group numbers:
  •  group numbers range from 0 to 255;  priorities range from 1 to 254.
AVG sends periodic hello messages to each of the other GLBP peers. In addition, it expects to receive hello messages from each of them.
GLBP MAC addresses always have the form 0007.b4xx.xxyy. The 16-bit value denoted by xx.xx represents six zero bits followed by a 10-bit GLBP group number. The 8-bit yy value is the virtual forwarder number. Priority and group numbers
  • group numbers range from 0 to 1023. Priority can be 1 to 255
  • The maximum weight can range from 1 to 254 (default 100).

SWITCH Commands

Here I am going to post configurations commands related to the certain exam topics.

Vlan trunking configuration
Switch(config)# interface type mod/port
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}
If you decide to configure both ends of a trunk link as a fixed trunk (switchport mode trunk), you can disable DTP completely so that these frames are not exchanged. To do this, add the switchport nonegotiate command to the interface configuration.

VTP should be in a first section, but i guess, that it's easy enough to configure it.
vtp mode server
vtp password SECRET
vtp version 1/2
vtp domain DOMAIN
Troubleshooting:
show vtp status
show vtp password
 
■EtherChannel
Load-balance distribution:
port-channel load-balance  METHOD
The following methods exist:

 PAgP configuration:
Switch(config)# interface type mod/num 
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode {on | {{auto | desirable} [non-silent]}}
By default, PAgP operates in silent submode. The silent submode listens for any PAgP packets from the far end, looking to negotiate a channel. If none is received, silent submode assumes that a channel should be built anyway, so no more PAgP packets are expected from the far end.
Even if the two interfaces are using PAgP auto silence mode, the link will still eventually come up, although not as a channel.

LACP configuration:
Switch(config)# lacp system-priority priority
Switch(config)# interface type mod/num
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group number mode {on | passive | active}
Switch(config-if)# lacp port-priority priority
First, the switch should have its LACP system priority defined (1 to 65,535; default 32,768). If desired, one switch should be assigned a lower system priority than the other so that it can make decisions about the EtherChannel’s makeup. We can configure more interfaces in the channel group number than are allowed to be active in the channel. This prepares extra standby interfaces to replace failed active ones. The lacp port-priority command allows us to configure a lower port priority (1 to 65,535; default 32,768) for any interfaces that must be active, and a higher priority for interfaces that might be held in the standby state. Otherwise, we can use the default scenario, in which all ports default to 32,768 and the lower port numbers (in interface number order) are used to select the active ports.
Troubleshooting:
show etherchannel port-channel
show etherchannel summary
show etherchannel load-balance

Spanning Tree Protocol
We can configure PortFast as a global default, affecting all switch ports with a single command. All ports that are configured for access mode (nontrunking) will have PortFast automatically enabled.
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree uplinkfast [max-update-rate pkts-per-second]
Switch(config)# spanning-tree backbonefast

Switch(config-if)# spanning-tree guard root
Switch(config)# spanning-tree portfast bpduguard default
Switch(config-if)# [no] spanning-tree bpduguard enable
Switch(config)# spanning-tree loopguard default
Switch(config-if)# [no] spanning-tree guard loop
Switch(config)# udld {enable | aggressive | message time seconds}
Switch(config-if)# udld {enable | aggressive | disable}
Switch(config)# spanning-tree portfast bpdufilter default
Switch(config-if)# spanning-tree bpdufilter {enable | disable}
The default keyword indicates that BPDU filtering will be enabled automatically on all ports that have PortFast enabled. If PortFast is disabled on a port, then BPDU filtering will not be enabled there.

Troubleshooting
Switch# show spanning-tree
Switch# show spanning-tree detail
Switch# show spanning-tree [vlan vlan-id] summary
Switch# show spanning-tree [vlan vlan-id] root
Switch# show spanning-tree [vlan vlan-id] bridge
Switch# show spanning-tree interface type port
Switch# show spanning-tree uplinkfast/backbonefast
We can display switch ports that Root Guard (and not only Root Guard) has put into the root-inconsistent state with the following command: 
Switch# show spanning-tree inconsistentports
Switch# show udld [type mod/num]
Switch# udld reset - reenable ports that UDLD aggressive mode has errdisabled.
Very useful commands not only for spanning tree:
Router#show int status
Router#show int status err-disabled
MST - ?
■HSRP
Switch(config-if)# standby group priority priority
Switch(config-if)# standby group timers [msec] hello [msec] holdtime
Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]
Switch(config-if)# standby group authentication string   - plain text auth
Switch(config-if)# standby group authentication md5 key-string [0 | 7] string
Switch(config-if)# standby group track type mod/num [decrementvalue]
Switch(config-if)# standby group ip ip-address [secondary]
Troubleshooting
Router# show standby [brief] [vlan vlan-id | type mod/num] 

■VRRP
Troubleshooting
Switch# show vrrp [brief]

■GLBP

Switch(config-if)# glbp group priority level
Switch(config-if)# glbp group preempt [delay minimum seconds]
Hello messages are sent at hellotime intervals, with a default of 3 seconds. If hellos are not received from a peer within a holdtime, defaulting to 10 seconds, that peer is presumed to have failed.
Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime
The redirect timer is used to determine when the AVG will stop using the old virtual MAC address in ARP replies. The AVF corresponding to the old address continues to act as a gateway for any clients that try to use it.
When the timeout timer expires, the old MAC address and the virtual forwarder using it are flushed from all the GLBP peers. The AVG assumes that the previously failed AVF will not return to service, so the resources assigned to it must be reclaimed.
Switch(config-if)# glbp group timers redirect redirect timeout
GLBP also can use a weighting function to determine which router becomes the AVF for a virtual MAC address in a group. Each router begins with a maximum weight value (1 to 254). As specific interfaces go down, the weight is decreased by a configured amount. GLBP uses thresholds to determine when a router can and cannot be the AVF. If the weight falls below the lower threshold, the router must give up its AVF role. When the weight rises above the upper threshold, the router can resume its AVF role. By default, a router receives a maximum weight of 100. If you want to make a dynamic weighting adjustment, GLBP must know which interfaces to track and how to adjust the weight.
Switch(config)# track object-number interface type mod/num {line-protocol | ip routing}
The maximum weight can range from 1 to 254 (default 100).
Switch(config-if)# glbp group weighting maximum [lower lower] [upper upper]
Switch(config-if)# glbp group weighting track object-number [decrement value]

Switch(config-if)# glbp group load-balancing [round-robin | weighted | hostdependent]
Switch(config-if)# glbp group ip [ip-address [secondary]]
Troubleshooting
show glbp [brief]

■Using ACL's in a switch

vlan access-map map-name [sequence]
 math {ip | mac} {acl-name | acl - number}
 action {drop | forward | redirect type mod/num}
 exit

vlan filter map-name vlan-list vlan-list

Troubleshooting:
show vlan filter
show vlan access-map

Sunday, February 21, 2010

ASA Image

In this article, I will show you how to emulate Cisco ASA using Qemu. Once again, please note that ASA is not provided and will not be. So please don’t ask. Also be aware that ASA does not 100% work in Qemu but that’s enough to play with it.
This Howto is still a draft and has been tested only on Linux.

Installation

First compile and patch Qemu as you would do for running JunOS. This will give us pcap, lcap and UDP tunnels (i.e. GNS3/Dynamips connections) capabilities.
Then obtain ASA itself. If you are smart and patient you will find it. I used asa802-k8.bin for my installations. As far as I know, nobody has been able to run ASA > version 8.2 (ASA keeps rebooting).
The next step is to get an initrd and a Linux kernel (inside the initrd) from your ASA image to use them with Qemu and also fix the initrd for our needs. The initrd is zipped and archived in the ASA image, we have to extract it.
There are 2 ways, manually or using a tool I created.

Manual method

Create an hexadecimal dump of your image:
hexdump -C asa802-k8.bin > asa802-k8.hex
Search for the ZIP header:
grep “1f 8b 08 00 1d” asa802-k8.hex
001228b0  1f 8b 08 00 1d 3d 73 46  00 03 ec 3a 6d 54 14 57  |…..=sF…:mT.W|
We can see that the ZIP file starts at offset 1228b0.
Let’s find the image size:
ls -la asa802-k8.bin
-rwxr-xr-x  1 root  staff  14524416 26 Nov 20:14 asa802-k8.bin
14524416 bytes.
Now we need to find out where in the file we can start extracting the ZIP part.
echo "14524416 ; ibase=16 ; last - 1228B0" | bc | tail -n 1
13334352
Extract the zipped part of the ASA image:
tail -c 13334352 asa802-k8.bin > asa802-k8.gz
Decompress it with gzip:
gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored
Make a temp directory and go into it so we can extract the files contained in the uncompressed archive file (the initrd):
mkdir tmp ; cd tmp
Now extract the archive with cpio (you must have the administrator rights to successfully extract device files).
cpio -i --no-absolute-filenames --make-directories < ../asa802-k8
Copy the Linux kernel to your previous directory:
cp vmlinuz ../asa802-k8.kernel
Before compressing back the initrd, create the following script in asa/scripts/first_start.sh
This script formats the 256 MB flash on first start to be used by ASA. Loads the network drivers modules for Intel e100 (i82559er in Qemu) and Intel e1000 cards and activates the network interfaces to be used in ASA. I noticed that if we immediately start ASA after this first boot, it freezes (don’t really know why but it seems the system do something and slow down during the first minute …). The next time you start the system, the script will still load the activate the network interfaces and automatically start ASA.
#!/bin/sh
 
FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
 fdisk /dev/hda << EOF
n
p
1
5
979
t
4
w
EOF
 mkdosfs -F 16 /dev/hda1
 mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
 cp /asa/bin/lina /mnt/disk0/lina
 cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
 FIRST_START=yes
fi
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test $FIRST_START = yes
then
 echo ""
 echo ""
 echo "This is your first boot, please wait about 1 min and then type the following commands:"
 echo "cd /mnt/disk0"
 echo "/mnt/disk0/lina_monitor"
 echo ""
 echo "Please note to use the following command under ASA to save your configs:"
 echo "copy run disk0:/.private/startup-config"
 echo ""
 exit
fi
cd /mnt/disk0
/mnt/disk0/lina_monitor
In order for the script to be loaded at startup, edit etc/init.d/rcS and change /asa/bin/lina_monitor by /asa/scripts/first_start.sh
Now you can compress all the file and have the initrd ready to use in Qemu:
find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz

Using ASA with Qemu

Create a FLASH (this is a virtual hard disk).
qemu-img create FLASH 256M
Then you can start Qemu.
qemu -hda FLASH -kernel asa802-k8.kernel -hdachs 980,16,32 \
-initrd asa802-k8.initrd.gz -m 512 -no-kqemu -nographic -append \
"console=ttyS0,9600n8 hda=980,16,32 bigphysarea=16384 auto nousb ide1=noprobe"
TODO: networking of ASA. Very similar with JunOS emulation.

Using ASA with GNS3

To be completed:
In Preferences -> Qemu -> Qemuwrapper section:
Set the path to Qemuwrapper (can be found in the GNS3 package)
Set the working directory (e.g. /tmp).
Set the path to your patched Qemu in “Path to Qemu”
In ASA section:
Set the paths to your initrd and kernel.
Drag and Drop an ASA symbol on the scene, start the firewall and telnet to it.

Saturday, February 20, 2010

Interesting facts about ASA

In today's lab I found out quite a few interesting facts about ASA security algorithms.
Sample lab topology:

 MyHostComputer:
Adapter1 - XX.XX.XX.XX/24 - Internet
Adapter1 - 192.168.137.1/24 - bridged to ASA and CorporateHost
Adapter2 - 192.168.138.1/24 - bridged to RemoteClient

CorporateHost:
Adapter1 - 192.168.137.195/24 - VMware bridged interface
Loopback1 - 192.168.255.100 - bridged to ASA. Default gateway of host 192.168.255.254

ASA:
Ethernet0/0 - 192.168.137.254/24 - Outside interface
Ethernet0/1 - 192.168.255.254/24 - Inside interface

ASA config:

nat (outside) 0 access-list REMOTE_NAT0_ACL
nat (outside) 1 access-list REMOTE_NAT_ACL
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list NAT1_ACL
global (outside) 1 interface
access-list REMOTE_NAT_ACL extended permit ip 192.168.200.0 255.255.255.0 any
access-list REMOTE_NAT0_ACL extended permit ip 192.168.200.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.255.0 255.255.255.0 remote_protected 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.255.0 255.255.255.0 remote_protected 255.255.255.0
access-list NAT1_ACL extended permit ip 192.168.255.0 255.255.255.0 any
access-list INBOUND_PERMIT extended permit icmp host boss any
access-group INBOUND_PERMIT in interface outside

That is our initial data.

If you will take a closer look, you will notice that inbound pings are permitted through the appliance to the internal hosts. However, if I try to ping 192.168.255.100 from 192.168.137.1, I'm getting syslog message:
2010-02-20 12:30:47    Local4.Error    192.168.255.254    Feb 20 2010 12:30:50 192.168.255.254 : %ASA-3-305005: No translation group found for icmp src outside:boss dst inside:192.168.255.100 (type 8, code 0)
Well, why? There is no nat-control command in running config, inbound icmp are permitted. And message states, that no translation group for icmp. This is point to a decision that the problem is related to NAT, isn't it?
As I found out, the problem was related to ASA security algorithms. ASA is smart enough to understand, that packet is coming inbound, so the reply will come from inside interface to outside and PAT will be performed (be default, ASA doesn't track icmp connection in it's connections table). It means that the outbound packet (coming from inside to outside) will have it source address translated to IP address of outside interface of ASA (PAT). It means that host 192.168.137.1 will receive icmp reply from different address in contrast to address it was pinging. So it will drop the packet. So this process is totally useless and ASA decides to drop the packet as it first comes as icmp echo request. For pings to be successful, we need to add one more translation rule to NAT. Namely Identity NAT (NAT 0). That way the echo reply source address won't be translated as it goes through the ASA and will not be dropped by receiving host.
Therefore, to make it all works, we should add one more ACL:

access-list inside_nat0_outbound extended permit ip 192.168.255.0 255.255.255.0 host boss

Friday, February 19, 2010

ASA ambiguities

ACL's:
  • For a standard ACL, the addresses or networks you enter are addresses that the remote is trying to reach (destination addresses). Instead of source addresses as it is at IOS.
  • Network mask is used in ASA ACL's instead of wildcard masks at IOS.

VPN with NAT-Traversal

I'm going to talk about an issue that arise when you are trying to setup Remote Access VPN for devices behind the NAT/PAT. For the IPsec tunnel to be negotiated, first there is an ISAKMP connection has to be established. It uses UDP on port 500. That means, that PAT device must be configure with port forwarding to VPN device on UDP port 500. That is about ISAKMP. When both ISAKMP phases are negotiated and ISAKMP connection are established, it's time to establish IPsec tunnel. Let's assume, that we are using ESP encapsulation for our IPsec. ESP is a network layer protocol, os it doesn't contain any layer 4 headers with port numbers. But somehow PAT device has to translate these connections. It is done through using of NAT-Traversal or IPsec over TCP. NAT-Traversal encapsulate ESP packet in a UDP header with destination port 4500. So to get VPN working, we have to configure port forwarding on our PAT device with redirection of both UDP port 500 and 4500. The same thing can be accomplished with IPsec over TCP, but with IPsec over TCP we have an ability to change ports on with our tunnels will be established.

P.S. AH can't be used along with PAT devices on it's way, because MD5 hash that it generates, include IP headers, which means, that changing them will completely brake the hash and the packet will be discarded on recieving device. For example, ESP doesn't calculate hash of the whole packet. Instead, it calculate it for payload only. So ESP is a protocol of my choice. Why do someone should use AH these days anyway?

Split tunneling defines what traffic from the user must go across the tunnel and what traffic can leave the client in clear text. Split tunneling policies are defined with the split-tunnel-policy command. The default split-tunneling policy is tunnelall, which means that, with the exception of DHCP and ARP packets, all traffic from the remote must go across the tunnel. You can exclude networks from being tunneled (excludespecified parameter) or include networks that should only be tunneled (tunnelspecified parameter). When overriding the default split tunneling policy, you must use the split-tunnel-networklist command to specify what destination networks are (tunnelspecified) or are not tunneled (excludespecified). These are defined in an extended or standard ACL. For a standard ACL, the addresses or networks you enter are addresses that the remote is trying to reach (destination addresses). For an extended ACL, the addresses off of the higher-level interface of the appliance (corporate office networks) are the source addresses in an ACL statement, and the destination addresses are the internal addresses of the remotes.

Sounds stupid. I should test it.

Tuesday, February 16, 2010

ReGex

Special Character Explanation

. The “.” matches any single character. For example, “d.g” matches “dog”, “dig”, “dug”, and any word that contains those characters, like “daggonnit”.

(exp) The “()” segregates characters from the surrounding characters, so that you can use other metacharacters on the subexpression. For example, “d(o|i)g” matches “dog” and “dig”, but “do|ig” matches “do” and “ig”. A subexpression can also be used with repeated quantifiers to differentiate the characters meant for repetition. For example, “12(34){3}5” matches “123434345”.

| The “|” matches either expression it separates. For example, “dog|cat” matches “dog” or “cat”.

? The “?” indicates that there are 0 or 1 of the previous character. For example, “ra?ise” matches on “raise” or “rise”. Note that you must enter Ctrl+V and then the question mark,
or else the ASA CLI help function is performed instead.


* The “*” indicates that there are 0, 1, or any number of the previous character. For example, “mo*se” matches on “mse”, “mose”, “moose”, and so on.

+ The “+” indicates that there is at least 1 of the previous character. For example, “mo+se” matches on “mose” and “moose”, but not “mse”.

{x} or {x,} The “{}”, with a number between the braces, indicates the previous expression is repeated at least “x” times. For example, “ab(fd){2,}e” matches “abfdfde”, “abfdfdfde”, and so on.

[abc] The “[]” matches any character in the brackets. For example, “[Rr]” matches on “R” or “r”.

[^abc] The “[^]” matches a single character that is not contained within the brackets. For example, “[^abc]” matches any character other than “a”, “b”, or “c”; or “[^A-Z]” matches any single character that is not an uppercase letter.

[a-c] The “[-]” matches any character in the range. For example, “[A-Z]” matches any uppercase letter. You can also mix characters and ranges: “[abcq-z]” matches “a”, “b”, “c”, and “q” through “z”. You could also write this as “[a-cq-z]”.

" abc" The “""” preserves trailing or leading spaces in the string. For example, " secret" preserves the leading space when it looks for a match.

^ The “^” specifies the beginning of a line.

\ The “\”, when used with a regular expression metacharacter, matches a literal character. For example, “\.” matches a period (“.”). This is used when you want to match on a character that is itself a metacharacter.

\r The “\r” matches on a carriage return.

\n The “\n” matches on a new line.

\t The “\t” matches on a tab.

\f The “\f” matches on a form feed (new page).

\xNN The “\x” matches on an ASCII character specified by the two hexadecimal digits (NN).

\NNN The “\” matches on any ASCII character specified as octal (the three digits listed).

Monday, February 15, 2010

Troubleshooting packet flow through the ASA

http://www.networkblueprints.com/troubleshooting/cisco-asa-troubleshooting-tool-kit

ASA translation policy order

When looking for a matching translation policy, the appliance goes through the following steps:
1. The appliance looks for an existing translation in the translation table; sometimes Cisco will refer to this as trying to find a “matching xlate slot” in the translation table.
2. If no entry exists in the translation table, the appliance looks for address translation exceptions in the nat 0 commands on a best-match basis.
3. If there are no matches on the Identity NAT commands, the appliance will try to find a match against the configured static NAT commands based on a best-match basis.
4. If there are no matches on the static NAT commands, the appliance will try to find a match against the configured static PAT (PAR) policies on a best match basis.
5. If no match is found within the PAR translation policies, the appliance then looks for a match in its policy nat and global commands with a corresponding ACL.
6. If there is not a match on a policy translation configuration, the appliance then looks for a match in its normal nat and global commands.
7. If a translation or translation policy doesn’t exist for the packet, the appliance will drop the packet if NAT control is enabled; if NAT control is not enabled, then the packet is not translated, but can flow through the appliance, assuming other appliance policies allow it.

Sunday, February 14, 2010

SysLog

Logging Facilities
When syslog messages are sent to a server, it is important to indicate through which pipe the Security Appliance will send the messages. The single syslog service, syslogd, can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe through which the information arrives. Syslogd is a daemon/service that runs on UNIX machines. In this analogy, the logging facilities are the pipes by which syslogd decides where to send information it receives—that is, to which file to write. Eight logging facilities (16 through 23) are commonly used for syslog on the Cisco Security Appliance. On the syslog server, the facility numbers have a corresponding identification— local0 to local7. The following are the facility numbers and their corresponding syslog identification:
■ local0 (16)
■ local1 (17)
■ local2 (18)
■ local3 (19)
■ local4 (20)
■ local5 (21)
■ local6 (22)
■ local7 (23)
The default facility is local4 (20). To change the default logging facility on the Security Appliance, you use the logging facility facility command. The following command shows the logging facility changed to 21:
Pix(config)# logging facility 21

Logging Levels
Different severity levels are attached to incoming messages. You can think of these levels as
indicating the type of message. A Security Appliance can be configured to send messages at
different levels.
The lower the level number, the more severe the syslog message. The default severity level is 3 (error).
The level you specify causes the Cisco Security Appliance Firewall to send the messages of that level and below to the output location. For example, if you specify severity level 3 (error), a Security Appliance, such as the PIX, sends severity level 0 (emergency), 1 (alert), 2 (critical), and 3 (error) messages to the output location.

Configuring a Syslogd Server
Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the non-UNIX syslog server, refer to the vendor’s documentation.

To configure syslog on UNIX, follow these steps:
Step 1 On SunOS, AIX, HPUX, or Solaris, as root, make a backup of the /etc/ syslog.conf file before modifying it.
Step 2 Modify /etc/syslog.conf to tell the UNIX system how to sort out the syslog messages coming in from the sending devices—that is, which logging-facility.level goes in which file. Make sure there is a tab between the logging-facility.level and file-name.
Step 3 Make sure the destination file exists and is writable.
Step 4 The #Comment section at the beginning of syslog.conf usually explains the syntax for the UNIX system.
Step 5 Do not put file information in the ifdef section.
Step 6 As root, restart syslogd to pick up changes.
For example, if /etc/syslog.conf is set for local7.warn /var/log/local7.warn
warning, error, critical, alert, and emergency messages coming in on the local7 logging facility are logged in the local7.warn file. Notification, informational, and debug messages coming in on the local7 facility are not logged anywhere.

Configuration for RADIUS authentication

That is it.

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default local group radius
!
radius-server host 192.168.137.195 auth-port 1812 acct-port 1813 key 7 13061E010803

Saturday, February 13, 2010

ASA Site-to-Site IPsec VPN

Today, I would like to write about the simplest configuration of ASA for Site-to-Site IPsec VPN.
I'm going to post configuration example along with comments about every particular command.


!--- Configure the outside interface.
!interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
!--- Configure the inside interface.
!interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!-- Output suppressed
!passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid

access-list 100 extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 
10.20.10.0 255.255.255.0 
!--- This access list (inside_nat0_outbound) is used 
!--- with the nat zero command. This prevents traffic which 
!--- matches the access list from undergoing network address translation (NAT).
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel.  This ACL is intentionally 
!--- the same as (outside_1_cryptomap).
!--- Two separate access lists should always be used in this configuration. 
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 

10.20.10.0 255.255.255.0
!--- This access list (outside_cryptomap) is used 
!--- with the crypto map outside_map 
!--- to determine which traffic should be encrypted and sent 
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).  
!--- Two separate access lists should always be used in this configuration.pager lines 24
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!--- NAT 0 prevents NAT for networks specified in 
!--- the ACL inside_nat0_outbound.
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 dmz
no snmp-server location
no snmp-server contact
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here. 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!--- Define the transform set for Phase 2.
 crypto map outside_map 1 match address outside_1_cryptomap
!--- Define which traffic should be sent to the IPsec peer.
crypto map outside_map 1 set peer 172.17.1.1
!--- Sets the IPsec peer
crypto map outside_map 1 set transform-set ESP-DES-SHA
!--- Sets the IPsec transform set "ESP-AES-256-SHA"
!--- to be used with the crypto map entry "outside_map".
 crypto map outside_map interface outside
!--- Specifies the interface to be used with 
!--- the settings defined in this configuration. 
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.   
!--- The configuration commands here define the Phase 
!--- 1 policy parameters that are used. 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
tunnel-group 172.17.1.1 type ipsec-l2l
!--- In order to create and manage the database of connection-specific 
!--- records for ipsec-l2l—IPsec (LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP 
!--- address of the IPsec peer. 
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key *
!--- Enter the pre-shared-key in order to configure the 
!--- authentication method.

Understanding and Configuring VLAN Routing and Bridging on a Router Using the IRB Feature

In order for a VLAN to span a router, the router must be capable of forwarding frames from one interface to another, while maintaining the VLAN header. If the router is configured for routing a Layer 3 (network layer) protocol, it will terminate the VLAN and MAC layers at the interface a frame arrives on. The MAC layer header can be maintained if the router is bridging the network layer protocol. However, regular bridging still terminates the VLAN header. Using the IRB feature in Cisco IOS® Release 11.2 or greater, a router can be configured for routing and bridging the same network layer protocol on the same interface. This allows the VLAN header to be maintained on a frame while it transits a router from one interface to another. IRB provides the ability to route between a bridged domain and a routed domain with Bridge Group Virtual Interface (BVI). The BVI is a virtual interface within the router that acts like a normal routed interface that does not support bridging, but represents the comparable bridge group to routed interfaces within the router. The interface number of the BVI is the number of the bridge group that the virtual interface represents. The number is the link between the BVI and the bridge group.
When you configure and enable routing on the BVI, packets that come in on a routed interface, which are destined for a host on a segment in a bridge group, are routed to the BVI. From the BVI, the packet is forwarded to the bridging engine, which forwards it through a bridged interface. This is forwarded based on the destination MAC address. Similarly, packets that come in on a bridged interface, but are destined for a host on a routed network, first go to the BVI. Next, the BVI forwards the packets to the routing engine before it sends them out of the routed interface. On a single physical interface, the IRB can be created with two VLAN sub-interfaces (802.1Q tagging); one VLAN sub-interface has an IP address that is used for routing, and the other VLAN sub-interface bridges between the sub-interface used for routing and the other physical interface on the router.
Since the BVI represents a bridge group as a routed interface, it must be configured only with Layer 3 (L3) characteristics, such as network layer addresses. Similarly, the interfaces configured for bridging a protocol must not be configured with any L3 characteristics.
Standard design:
As the frame flows through the switch, the VLAN header is applied because the connection is a trunk link. There may be several VLANs communicating across the trunk.
The router terminates the VLAN layer and the MAC layer. It examines the destination IP address and forwards the frame appropriately. In this case, the IP frame is to be forwarded out of the port toward PC B. This is also a VLAN trunk and so a VLAN header is applied.
Although the VLAN connecting Switch 2 to the router can be called the same number as the VLAN connecting Switch 1 to the router, it is actually not the same VLAN. The original VLAN header is removed when the frame arrives at the router. A new header may be applied as the frame exits the router. This new header may include the same VLAN number that was used in the VLAN header that was stripped when the frame arrived. This is demonstrated by the fact that the IP frame moved through the router without a VLAN header attached, and was forwarded based on the contents of the IP destination address field, and not on a VLAN ID field.
Because the two VLAN trunks sit on opposite sides of the router, they must be different IP subnets.
In order for the two PCs to have the same subnet address, the router would have to be bridging IP on its interfaces. However, having the devices on VLANs share a common subnet does not mean that they are on the same VLAN.

IRB:

 Sample config:
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
ip subnet-zero
no ip domain-lookup
bridge irb
!-- This command enables the IRB feature on this router.!
interface Ethernet0
no ip address
no ip directed-broadcast
bridge-group 1
!-- The interface E0 is in bridge-group 1.!
Interface Ethernet1
no ip address
no ip directed-broadcast
bridge-group 1
!-- The interface E1 is in bridge-group 1.!
Interface Serial0
ip address 10.10.20.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface BVI1
ip address 10.10.10.1 255.255.255.0
!-- An ip address is assigned to the logical BVI for routing!-- IP between bridged interfaces and routed interfaces.no ip directed-broadcast
!
ip classless
ip route 10.10.30.0 255.255.255.0 10.10.20.2
!
bridge 1 protocol ieee
!-- This command enables the bridging on this router.bridge 1 route ip
!-- This command enable bridging as well routing for IP protocol.!
line con 0
transport input none
line aux 0
line vty 0 4
!
end

Dividing traffic for NAT'ing and for any type of VPN's.

Access-lists have to divide traffic for NAT'ing. Then they can be applied for NAT as a route-map or source list.
As I got it, top lines should deny traffic with private source and private destination and bottom lines should permit traffic with private source and any destination.
Example:
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
.....
access-list 100 permit ip 192.168.10 0.0.0.255 any

By the way, this is good example for summarization. If private subnets can be summarized, it will be easier to define access-list and it will be much shorter.

Friday, February 12, 2010

VPN using Virtual Tunnel Interface (VTI) with IP Security (IPSec)

I'm going to speak about two different ways to configure IPsec VPN's. The first way is to configure VPN using traditional crypto map's and the second one is to implement Virtual Tunnel Interfaces(VTI). VTI, actually, is a better and newer way to design VPN. The question is - is it compatible with non-Cisco devices?
The are several important advantages of VTI:
  • Ability to send multicast across VPN;
  • Dynamic routing;
  • Ability to apply QoS to traffic going through the tunnel;
  • Easier to configure of ZFW, because Tunnel interface can be a member of any security zone. Thus, providing more easier and granular configuration of traffic inspections;
Configuration examples.
First one is traditional VPN:
=================================================
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key 12345 address 55.104.78.135
!
crypto ipsec transform-set branch_transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to55.104.78.135
 set peer 55.104.78.135
 set transform-set branch_transform
 match address 100
!
interface FastEthernet0/0
 ip address 95.104.78.135 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
=================================================
The second one is using VTI:
=================================================
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set S2S_TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FOO_IPSEC_PROFILE
 set transform-set S2S_TS
!
!
interface Loopback1
 ip address 192.168.30.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.20.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 95.104.78.135
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FOO_IPSEC_PROFILE
!
interface FastEthernet0/0
 ip address 95.104.78.150 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.137.70 255.255.255.0
 duplex auto
 speed auto
=================================================

As with all other tunnels, it's important to keep an accurate routing table, so the interesting traffic will be forwarded to the tunnel. 

Also, QoS can be applied to the tunnel.
==================
policy-map FOO
class class-default
shape average 128000
 !
interface Tunnel0
service-policy output FOO
==================
Commands for verification:
  • show interfaces tunnel 1
  • show crypto session detail 
  • show policy-map interface tunnel 1 (displaying QoS policy, associated with tunnel)
  • show ip route 

Thursday, February 11, 2010

DoS protection with ZFW

When your router's DoS counters exceed the default or configured values, the router will reset one old half-open connection for every new connection that exceeds the configured max-incomplete or one-minute high values, until the number of half-open sessions drops below the max-incomplete low values. The router will send a syslog message if logging is enabled, and if an intrusion prevention system (IPS) is configured on the router, the firewall router will send a DoS signature message via Security Device Event Exchange (SDEE). If the DoS parameters are not adjusted to your network's normal behavior, normal network activity may trigger the DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.

 Zone-Policy Firewall provides protection from DoS attack by default when a Zone-Policy Firewall is applied. The DoS protection is enabled on the zone-pair, in the direction in which the firewall is applied, for each class-map that the firewall policy is configured to inspect. DoS protection is only applied to network traffic if the inspect action is applied to traffic matching the class-map. Zone-Policy Firewall provides several adjustable values to protect against DoS attacks.


While you cannot "disable" your firewall's DoS protection, you can adjust the DoS protection so that it will not take effect unless a very large number of half-open connections are present in your firewall router's session table.
Follow this procedure to tune your firewall's DoS protection to your network's activity:
1. Be sure your network is not infected with viruses or worms that could lead to erroneously large half-open connection values and attempted connection rates. If your network is not a "clean slate," there is no way to properly adjust your firewall's DoS protection.
2. Define a parameter-map and set the max-incomplete high values to very high values:
parameter-map type inspect DoS-param-map
 max-incomplete high 20000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0
Apply the parameter-map to every class-map's inspection action:
policy-map type inspect z1-z2-pmap
 class type inspect my-cmap
 inspect DoS-param-map
Note: If your router is running Cisco IOS Software Release 12.4(11)T, you do not need to raise the default DoS Protection values, because they are already set to their maximum limits.
This will prevent the router from providing DoS protection for the time being while you observe your network's connection patterns. If you wish to leave DoS protection disabled, stop following this procedure now.
3. Clear the Cisco IOS Firewall statistics, using the following command:
clear zone-pair counter
4. Leave the router configured in this state for some time, perhaps as long as 24 to 48 hours, so you can observe the network's pattern over a full day's activity cycle. While the values are adjusted to very high levels, your network will not benefit from Cisco IOS Firewall or IPS DoS protection.
5. After waiting for some observation period, check the DoS counters with the following command. The parameters you must observe to tune your DoS protection are highlighted in bold text:
router#sh policy-map type inspect zone-pair priv-pub
 Zone-pair: priv-pub
Service-policy inspect : priv-pub-pol
 Class-map: priv-pub-cmap (match-all)
Match: access-group 111
Match: class-map match-any all-proto-cmap
 Match: protocol tcp
 24009 packets, 671569 bytes
 30 second rate 0 bps
 Match: protocol udp
 42403 packets, 3244932 bytes
 30 second rate 0 bps
 Match: protocol icmp
 6 packets, 240 bytes
 30 second rate 0 bps
 Inspect
 Packet inspection statistics [process switch:fast switch]
 tcp packets: [14239:726275]
 udp packets: [43748:1572372]
 icmp packets: [2:19]
 Session creations since subsystem startup or last reset 46282
 Current session counts (estab/half-open/terminating) [45:22:10]
 Maxever session counts (estab/half-open/terminating) [92:46:33]
Last session created 00:00:45
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 270
Last half-open session total 0
 Class-map: class-default (match-any)
Match: any 
 Drop (default action)
80254 packets, 8678464 bytes
Note: If the software image installed in your router is not Cisco IOS Software Release 12.4(11)T or newer, you will not see the "maxever session creation rate" statistic in your "sh policy-map type inspect zone-pair" output.
6. Configure the parameter-map's "max-incomplete high" to a value 25 percent higher than your router's indicated maxever session count half-open value. A 1.25 multiplier offers 25 percent headroom above observed behavior.
For example:
Maxever session count (estab/half-open/terminating) [92:46:33]
46 * 1.25 = 58, thus, configure:
parameter-map type inspect DoS-param-map
 max-incomplete high 58
7. Configure "max-incomplete low" to the value your router displayed for its maxever session count half-open value.
For example:
Maxever session counts (estab/half-open/terminating) [92:46:33]
Thus, configure:
parameter-map type inspect DoS-param-map
 max-incomplete low 46
8. Cisco IOS Software Release 12.4(11)T introduced a new counter to track the maximum one-minute rate the router has reached since the last restart or statistic reset. If you have Cisco IOS Software Release 12.4(11)T or a newer software version, you may simply apply the "maxever session creation rate" value for the "one-minute low" value in your parameter map.
For example:
Maxever session creation rate 270
Thus, configure:
parameter-map type inspect DoS-param-map
 one-minute low 270
9. Configure the parameter-map's "max-incomplete high" to a value 25 percent higher than your router's indicated maxever session creation rate value. A 1.25 multiplier offers 25 percent headroom above observed behavior.
For example:
Maxever session creation rate 270
270 * 1.25 = 338 (after rounding), thus, configure:
parameter-map type inspect DoS-param-map
 one-minute high 338
12. You will need to define a value for "ip inspect tcp max-incomplete host" according to your understanding of your servers' capability.
13. Repeat this procedure for every inspect-type class-map contained within a policy-map that must have unique DoS protection requirements. As mentioned in Step 2 of this procedure, you may define one parameter that has very high DoS parameters for class-maps that will not need DoS protection, and use different parameter-maps for specific class-maps that need unique levels of DoS protection. If DoS protection is not required for a given policy-map's class-map's traffic, you should configure high limits for the DoS protection values, and apply the high limits to all relevant class-maps' inspection. If your router is loaded with Cisco IOS Software Release 12.4(11)T or later, the DoS protection is already effectively disabled through the default high DoS protection values.
14. Monitor your network's DoS protection activity. Ideally, you should use a syslog server and record occurrences of DoS attack detection. If detection happens very frequently, you may need to monitor and adjust your DoS protection parameters.