Cisco Roadshow 2017 in Athens – Reimagine your Business


Yesterday, Cisco organised the Roadshow 2017 in Athens entitled “Reimagine your business”. The agenda was short and not deeply technical, but absolutely interesting. The audience filled up the whole event room.


I must admit that I love Cisco events! What I like about these events is that Cisco looks ahead, tries to predict the future and adapts to it (or creates it). This process is visible to the audience, and it convinces me that Cisco is here and will stay here.

Let’s see some pictures from the event. Mr. Antonis Tsimboukis, the general manager of the local Cisco branch, was the first speaker.


And this is Mr. Oren Seliger, who gave an absolutely great speech about Cisco’s view of the future. I will only mention the two quotes he cited during his speech; taken together, they show Cisco’s philosophy.

He mentioned that

Shimon Peres said “Change is nothing to fear. Don’t be afraid of change. Don’t expect change but pursue change” and

Abraham Lincoln said “The best way to predict the future is to create it”

This is Cisco’s way of thinking…


The rest of the speakers were very good as well. The main key points were the following:

  • Panagiotis introduced the Hyperflex data platform, which seems to be a very good choice for SMEs entering the virtualised world. It is VMware compatible right now, and it supports either local disks in a low-cost configuration or external storage.
  • Chara touched on two topics: how easily Cisco network devices can be centrally managed, and how network data analytics can help a business make better key decisions.
  • Nikos confirmed Cisco’s security commitment and announced that Cisco is entering the endpoint security arena, using Talos for threat analysis.
  • And Alkis announced Spark, Cisco’s new collaboration platform, supported by video conferencing devices and the Spark Board, a new device for digital whiteboarding.

What a great day I had yesterday. As a final word, I would shout “Pursue change at personal level and create your future”.

Creating a Site to Site IPSec VPN with a Palo Alto Networks Application Firewall and a Cisco Router

A site-to-site VPN allows networks in multiple fixed locations (branch offices) to establish secure connections with a headquarters datacenter network over the Internet. In this example we will configure a Palo Alto Networks application firewall to establish an IPsec tunnel with a Cisco router. I will not go into Cisco IOS configuration, since there are many guidelines about it on the Internet.

Let’s suppose that the headquarters network is 10.1.1.0/24 and that the firewall’s Internet address used for the tunnel is 195.35.111.1. The remote (branch) network is 10.2.2.0/24 and the remote peer’s Internet address is 195.35.222.2.

Example Networks

First open the Palo Alto Networks GUI, go to Network – Interfaces and create a new tunnel interface, let’s say tunnel.2. Type in the standard MTU size of 1500 bytes and leave the IP address empty (a tunnel IP address is only needed for dynamic routing or tunnel monitoring). Select the allow-ping Management Profile, select your virtual router and the internal zone, since we will bring the tunnel into an internal subnet, and finally press OK to save the settings.

The tunnel Interface

Then select Network – Zones from the menu and edit the internal zone (the one bound to the interface on the internal network). Both the internal Ethernet interface and tunnel.2 should be checked. Press OK to save the settings.

The internal zone

Now let’s configure the IKE Phase 1 parameters by going to Network – Network Profiles – IKE Crypto and creating a new IKE crypto profile (e.g. name it IKE_BRANCH) that matches the remote Cisco router’s ISAKMP policy (crypto isakmp policy command). For example, let’s use DH Group 2, Encryption aes128 and 3des, Hash Algorithm sha1 and a Lifetime of 8 hours (indicative values only). When several algorithms are listed, the firewall offers all of them and the peer picks a matching combination, so list only what you are actually willing to accept. Keep the lifetime equal to, or shorter than, the value in the Cisco policy: IOS accepts a peer’s proposal only when the peer’s lifetime is less than or equal to its own. Some options are more secure than others but are more resource hungry and slower; note that DH group 2 (1024-bit), 3DES and SHA-1 are legacy choices, and if both ends support it you should prefer DH group 14 or higher, AES-256 and SHA-256.

IKE phase 1 parameters

For the IKE Phase 2 parameters go to Network – Network Profiles – IPSec Crypto and create a new IPsec crypto profile (e.g. name it IPSEC_BRANCH) that matches the remote Cisco IPsec parameters (crypto ipsec transform-set command). For example, let’s configure ESP authentication md5 and sha1, ESP encryption aes128 and 3des, DH Group no-pfs and a lifetime of 3 hours (indicative values only). no-pfs means the Phase 2 keys are derived from the Phase 1 secret without a fresh Diffie-Hellman exchange; if you want Perfect Forward Secrecy, pick a DH group here and add the matching set pfs group to the crypto map entry on the router. On the Cisco side a single transform set holds one cipher and one HMAC, so either list several transform sets in the crypto map entry or offer only the one combination you intend to use.

IKE phase 2 parameters

Now click on Network – Network Profiles – IKE Gateways to set up the information needed for the IKE negotiation between the local and remote peers. Input a name for the IKE Gateway, e.g. HQ_TO_BRANCH, select the Internet-facing interface of your firewall and its Internet IP address (in our case 195.35.111.1), and at the peer address input the branch office router’s Internet address (in our case 195.35.222.2). Leave the dynamic checkbox unchecked (if the peer has a dynamic address, check the box and select FQDN as the Peer Identification type in the advanced Phase 1 options below). Then input the pre-shared key, which must be identical on the firewall and the router; use a long random key, because with main mode and a PSK the key’s strength is what protects the authentication. Press Show advanced Phase 1 options to display more settings and leave Local and Peer Identification at none, in which case the local/peer IP addresses are used as the identities; otherwise choose the right setting. Choose main as the Exchange Mode (this must match the Cisco router setting as well).

Phase 1 negotiation can occur in one of two modes: main mode and aggressive mode. Main mode uses six messages instead of three, so it is slower, but it protects the peers’ identities (they are exchanged only after the Diffie-Hellman secret is established) and it can offer the peer more security proposals. Aggressive mode is faster but less flexible and less secure: the identity and the PSK-derived hash travel in the clear, which exposes the pre-shared key to offline dictionary attacks, so use main mode for site-to-site tunnels with fixed addresses.

Select the previously created IKE Crypto Profile and finally leave the Dead Peer Detection checkbox checked, so that a dead tunnel is torn down and renegotiated instead of silently black-holing traffic.

IKE crypto profile

Next go to Network – IPsec Tunnels and create a new entry that combines all the previously created elements of the IPsec tunnel. Give it a name (e.g. VPN_TO_BRANCH), select the previously created tunnel.2 interface, leave the type at the recommended Auto Key, and select the previously created IKE Gateway; some of the following settings will then update to the correct values. Then choose the previously created IPsec Crypto Profile (e.g. IPSEC_BRANCH). Next you must define the Proxy IDs (this is a must when the peer is a Cisco router): these are the subnets or hosts that should talk to each other, in our case Local 10.1.1.0/24 and Remote 10.2.2.0/24. Each proxy-ID pair corresponds to one line of the crypto ACL on the router (one Phase 2 SA) and must mirror it exactly; a proxy-ID mismatch is the most common reason Phase 1 comes up while Phase 2 fails. Here you may also restrict protocols and ports, depending on your needs. Finally check the Replay Protection setting so that ESP packets with reused sequence numbers are dropped.

IPSec tunnel parameters

ProxyIDs setup

Up to this point we have configured the VPN IPsec tunnel settings; next we should route traffic between the subnets and restrict access permissions.

First add a static route to your Virtual Router to route traffic from the headquarters to the branch office: destination 10.2.2.0/24 with tunnel.2 as the egress interface (no next-hop address is needed for a tunnel interface), as follows.

Virtual router static route

Then configure the access permissions between the peer nodes by going to Policies – Security. The minimum configuration is a rule between the two peer addresses (195.35.111.1 and 195.35.222.2) that allows the ike and ipsec-esp applications, plus icmp and ping if you want diagnostic pings between the peers, as follows.

Peer nodes access permissions

Finally configure the permissions between the subnets. For example, you may open up all traffic from the headquarters subnet to the branch office subnet, or give workstations in the branch office access only to specific services at the headquarters. Keep in mind that we placed tunnel.2 in the internal zone, so traffic between the LAN and the tunnel is intra-zone and is permitted by the default intrazone rule; if you want such restrictions to actually apply, put the tunnel interface in its own zone (e.g. vpn) so that the interzone default denies everything you do not explicitly allow.

Services access permissions

If you configure the Cisco router accordingly, the tunnel should come up. Check it by going to Network – IPsec Tunnels: the status icons (one for the IKE gateway, one for the tunnel) should have turned green. With Auto Key the tunnel is negotiated on demand, so send some traffic towards 10.2.2.0/24 (or enable tunnel monitoring) if it stays down. From the CLI, show vpn ike-sa and show vpn ipsec-sa list the negotiated security associations, and test vpn ike-sa gateway HQ_TO_BRANCH starts Phase 1 manually.

IPSec tunnel status

You may need to go to Monitor – System to view the system log during IKE negotiations (filter on ( subtype eq vpn )). This will help you troubleshoot IPsec tunnel errors on the Palo Alto firewall side.

VPN IPSec tunnel system logs

On the Cisco side use show crypto isakmp sa, show crypto ipsec sa and show crypto map for troubleshooting, and debug crypto isakmp / debug crypto ipsec if you need to watch the negotiation itself.
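The post leaves the router side out, so the following is an added example, not from the original post: a legacy crypto-map configuration for the branch router that matches the IKE_BRANCH and IPSEC_BRANCH profiles above (AES-128, SHA-1, DH group 2, pre-shared key, 8-hour Phase 1; ESP AES-128 with SHA-1 HMAC, no PFS, 3-hour Phase 2; main mode; proxy IDs 10.2.2.0/24 to 10.1.1.0/24). The interface names, the branch LAN gateway 10.2.2.1, the ISP next hop 195.35.222.1 and the key placeholder are assumptions; replace them with your own values.

```cisco
! Branch router at 195.35.222.2 (assumed interface names and next hop).
! Everything below mirrors the parameters chosen on the Palo Alto side.
!
! Phase 1 (ISAKMP) policy: AES-128, SHA-1, PSK, DH group 2, 8 hours.
! IOS accepts the firewall's proposal only if its lifetime <= 28800 s.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Pre-shared key bound to the HQ firewall's public address.
! REPLACE_WITH_LONG_RANDOM_KEY is a placeholder, not a real key.
crypto isakmp key REPLACE_WITH_LONG_RANDOM_KEY address 195.35.111.1
!
! Dead Peer Detection: keepalive every 10 s, retry every 3 s when unanswered.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 transform set: ESP AES-128 + SHA-1 HMAC, tunnel mode.
! One transform set = one cipher/HMAC pair; add more sets if the
! firewall profile must also match 3DES or MD5.
crypto ipsec transform-set TS_HQ esp-aes esp-sha-hmac
 mode tunnel
!
! Phase 2 SA lifetime of 3 hours (global default for all crypto maps).
crypto ipsec security-association lifetime seconds 10800
!
! Crypto ACL = the firewall's proxy-ID pair seen from the branch:
! local 10.2.2.0/24 -> remote 10.1.1.0/24. Must mirror it exactly.
ip access-list extended VPN_TO_HQ
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto map ties peer, transform set and interesting traffic together.
! No "set pfs" line because the firewall profile uses no-pfs.
crypto map CM_HQ 10 ipsec-isakmp
 set peer 195.35.111.1
 set transform-set TS_HQ
 match address VPN_TO_HQ
!
! Apply the crypto map on the Internet-facing interface (assumed name/mask).
interface GigabitEthernet0/0
 description WAN
 ip address 195.35.222.2 255.255.255.252
 crypto map CM_HQ
!
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.2.2.1 255.255.255.0
!
! Default route towards the ISP (assumed next hop). Traffic for 10.1.1.0/24
! follows it, hits the crypto map on the WAN interface and is encrypted.
ip route 0.0.0.0 0.0.0.0 195.35.222.1
!
! If this router also does NAT overload for Internet access, exempt the
! VPN traffic from NAT first, otherwise it never matches the crypto ACL:
! ip access-list extended NAT_ACL
!  deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!  permit ip 10.2.2.0 0.0.0.255 any
```

After committing both sides, ping a host in 10.1.1.0/24 from the branch LAN to trigger the negotiation, then confirm with show crypto isakmp sa (state QM_IDLE) and show crypto ipsec sa (non-zero encaps/decaps counters) on the router, and show vpn ipsec-sa on the firewall.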

Cisco Connect Greece 2013 at Athens – The Internet of Everything

Photos from Cisco Connect Greece 2013 in Athens, Greece. An interesting event about Cisco’s vision for the upcoming few years, the Internet of Everything.

A Cisco platform from sensors to networks to data analysis and decision making.

Don’t be fooled by the empty seats. The room was full of people; the photo was taken during the coffee break.

Mr. Antonis Tsimoukis, General Manager of Cisco Hellas opened the event.

A Greek guy from Cisco UK, whose name I don’t remember, talking about smart cities and local authorities’ European initiatives. Barcelona seems to be a prototype iCity in Europe.

Mr. Thanos Falagas, Marketing Director of Hellenic Telecoms Group, made an overview of IT trends and the position of Hellenic Telecoms in this landscape.

Mr. Andreas Enotiadis, Director of Global Connected Industries Solutions at Cisco, who made a very interesting speech about the Internet of Everything concept.