DEVICE CONFIGURATION

Device Configuration
• Common issues in installing or configuring
information security devices
• Methods to resolve these issues
• Methods of testing installed/configured
information security devices
 Troubleshoot Firewall Problems
1) Ping a PC near the device
2) Ping the device
3) Telnet and/or browse to the device
4) Confirm the port configuration of the device
5) Confirm that important IP addresses are not
blocked
6) Trace the route to the device
 Troubleshoot Firewall Problems
1) Ping a PC near the device
• A simple ICMP ping to a PC near the device is a
good initial test to determine connectivity status
and network performance issues.
• ICMP ping is an IP-based signal sent from one
device to another.
• If the target device receives the "ping" from the
source device, it will (if configured to do so)
respond to confirm that is active and connected to
the network.
• It's a simple way of confirming that a device is
 Troubleshoot Firewall Problems
1) Ping a PC near the device
• So, if your pings to the PC are not returned, try
pinging the gateway.
• Continue working your way up the network with
your pings to identify the point where they stop.
• Check for firewalls and firewall configurations,
especially those that block UDP, SNMP, pings, or
ports 161 or 162.
• Keep in mind that some networks block all ping
traffic as a security measure.
 Troubleshoot Firewall Problems
2) Ping the device
– Next, send another simple ICMP ping to the device to
determine connectivity.
– If pings to the PC in Step 1 were successful, but pings
sent to the device fail, the problem is almost certainly
with your SNMP device.
3) Telnet and/or browse to the device
– If the SNMP device you are testing supports Telnet
connections or Web access, you should attempt to
connect using one of these methods.
– If pings succeed but Telnet and/or browsing is blocked,
this is a very good indication that you have a firewall
 Troubleshoot Firewall Problems
4) Confirm the port configuration of the device
– For additional security, some SNMP devices may use non-
standard ports to obstruct unauthorized SNMP traffic. If
so, make sure that these ports are not blocked by a
firewall and are accepted by the manager.
– Another potential solution is to reconfigure the device to
use standard ports.
5) Confirm that important IP addresses are not
blocked
– A firewall may simply be blocking the IP address of your
device and/or manager.
– Confirm that these or any other needed IP addresses are
 Troubleshoot Firewall Problems
6) Trace the route to the device
– Tracing the "hops" that network traffic is following
to reach the device can allow you to pinpoint a
tricky firewall issue. A simple trace can be
performed from the Command Prompt of
Windows XP:
• Open a Command Prompt in Windows XP.
• Type "tracert", a single space, and the IP address of the
device you are trying to reach (i.e. "tracert
192.168.230.143")
• Press return to start the trace.
 Troubleshooting CISCO IOS Firewall
configurations
• Reverse (Remove) - an access list
- put a "no" in front of the access-group
command in interface configuration mode

Eg: int <interface>

no ip access-group # in|out
 Contd.
• If too much traffic is denied, study the logic of
your list or try to define an additional broader list,
and then apply it instead.
• Eg:
access-list # permit tcp any any
access-list # permit udp any any
access-list # permit icmp any any
int <interface>
ip access-group # in|out
 Contd.
• Command - show ip access-lists
- which access lists are applied and what traffic is denied by them.
• Command - no ip route-cache
- If the router is not heavily loaded, debugging can be done at a
packet level on the extended or ip inspect access list.
Then in enable (but not config) mode:
term mon
debug ip packet # det
Output:
*Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100
(Ethernet0), g=10.31.1.21, len 100, forward

*Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9

(Serial0), g=9.9.9.9, len 100, forward
 Contd.
• Extended Access list
access−list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
access−list 101 permit ip any any
- can be used with log options also
Output:
*Mar 1 04:44:19.446: %SEC−6−IPACCESSLOGDP: list 111
permitted icmp 171.68.118.100 −> 10.31.1.161 (0/0), 15 packets

*Mar 1 03:27:13.295: %SEC−6−IPACCESSLOGP: list 118 denied tcp

171.68.118.100(0) −> 10.31.1.161(0), 1 packet
 Troubleshooting Routers
• Basic Faults
- Physical Layer Stuff
- Check the Interfaces
- Ping
- Check the Routing Table
- Is there a Firewall on the Computer?
- Any Access Lists?
- Is the VPN Up?
- Do the Protocols Match?
- Check for Human Error
- Verify Settings
Common Router problems and solutions

• Physical Layer Stuff:

– Check power issues. Look for power lights, check
plugs, and circuit breakers.
• Check the Interfaces:
– show ip interface brief or show ipv6 interface brief
Common Router problems and solutions

• Ping:
– Use the ping and trace commands to check for
connectivity.
• Check the Routing Table:
– show ip route or show ipv6 route
Common Router problems and solutions

• Is there a Firewall on the Computer?

– If the problem involves a computer, check to
ensure that its firewall is not blocking packets.
• Any Access Lists?
– check for access-control lists that block traffic.
Common Router problems and solutions

• Is the VPN Up?

– If a VPN is part of the connection, check to ensure
that it is up.
• Do the Protocols Match?
– If you are trying to gain remote access to a server,
ensure that it supports the protocol you’re
attempting to use.
Common Router problems and solutions

• Check for Human Error:

– Check to ensure that correct usernames and
passwords are being used,
– same network addresses and matching subnet
masks.
• Verify Settings:
– Do not make assumptions. Verify everything!
Common Router problems and solutions

1. Correct your Wi-Fi Security Settings

2. Update your Hardware or Firmware
3. Fix Overheating or Overloading
4. Remove MAC Address Restrictions
5. Check Wireless Signal Limitations
Common Router problems and solutions

1. Correct your Wi-Fi Security Settings

– Network Mode: The router must be allowed to
accommodate all Wi-Fi models used by network
clients. For example, routers designed to run in
802.11g mode only will not support 802.11n or old
802.11b devices. Adjust the router to run in mixed
mode to remedy this kind of network failure.
– Security mode: Most Wi-Fi devices support
several network security protocols (typically different
variations of WPA and WEP). All Wi-Fi devices,
including routers belonging to the same local
network, shall use the same protection mode.
Common Router problems and solutions

1. Correct your Wi-Fi Security Settings

– Security key: Wi-Fi security keys are phrases or
sequences of letters and digits. All devices that
enter the network must be configured to use the
Wi-Fi key recognized by the router (or wireless
access point).
Common Router problems and solutions

2. Update your Hardware or Firmware

– The reason for this step is twofold. You can take
benefit of any additional features and
improvements of the new version of the firmware.
Also, your router will normally receive any critical
security updates.
– Typically, you will have the choice of checking,
evaluating, downloading, and installing the latest
firmware on your router's administration tab. The
exact steps depend on the make and model of
your router, so check the specifics of the router
Common Router problems and solutions

3. Fix Overheating or Overloading

– You can set up a different Wi-Fi router or allow the
"Guest Network" option for your router.
– You can also set up a separate SSID and password for
your host network to avoid issues with your main
network.
– This segregation would also work with your smart
appliances and secure your key devices from attacks
on the Internet of Things.
– You can also use QoS (Quality of Service). QoS is a
feature on some routers that lets you prioritize traffic
according to the type of data being transmitted.
Common Router problems and solutions

4. Remove MAC Address Restrictions

– A number of network routers support a function
called MAC address filtering.
– While disabled by default, router administrators
can turn this function on and limit connections to
only those devices by their MAC address number.
– Check the router to ensure that either the MAC
address filtering is off or the MAC address of the
computer is included in the list of allowed
connections.
Common Router problems and solutions

5. Check Wireless Signal Limitations

– If you have a newer router, check if it supports the
5GHz band. Newer routers typically have dual-
band capabilities.
– By allowing dual bands, you could hold older
devices that only support slower G specification
on the 2.4GHz band and newer devices on the
beefier and faster 5GHz band.
– Essentially, this is like having two routers in one.
 Router Troubleshooting Tools
• Using Router Diagnostic Commands
– Cisco routers provide numerous integrated
commands to assist you in monitoring and
troubleshooting your internetwork.
 Using show Commands

– The show commands are powerful monitoring and

troubleshooting tools.
• Monitor router behaviour during initial installation
• Monitor normal network operation
• Isolate problem interfaces, nodes, media, or
applications
• Determine when a network is congested
• Determine the status of servers, clients, or other
neighbours
 Commonly used show commands
• show interfaces
– show interfaces ethernet
– show interfaces tokenring
– show interfaces fddi
– show interfaces atm
– show interfaces serial
• show controllers
– show controllers mci
– show controllers token
– show controllers FDDI
– show controllers LEX
– show controllers ethernet
– show controllers E1
– show controllers cxbus
 Commonly used show commands
• show running-config
• show startup-config
• show flash
• show buffers
• show memory
• show processes
• Show stacks
• show version
 Using debug Commands

– The debug privileged exec commands can provide

a wealth of information about the traffic being
seen (or not seen) on an interface, error messages
generated by nodes on the network, protocol-
specific diagnostic packets, and other useful
troubleshooting data.
 Router Diagnostic Commands
• Using the ping Command
– To check host reachability and network connectivity, use
the ping exec (user) or privileged exec command.
– After you log in to the router or access server, you are
automatically in user exec command mode. The exec
commands available at the user level are a subset of those
available at the privileged level.
– In general, the user exec commands allow you to connect
to remote devices, change terminal settings on a temporary
basis, perform basic tests, and list system information.
– The ping command can be used to confirm basic network
connectivity on AppleTalk, ISO Connectionless Network
Service (CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS
 Router Troubleshooting Tools
• Using the trace Command
– The trace user exec command discovers the
routes that a router’s packets follow when
traveling to their destinations.
– The trace privileged exec command permits the
supported IP header options to be specified,
allowing the router to perform a more extensive
range of test options.