Saturday, 6 December 2014

Easy VPN Configuration

ASA5510 Configuration (Easy VPN Server)

! Assumes local subnet = 10.223.0.0/24
! Assumes remote subnet = 10.0.0.0/24

! isakmp policies
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! NAT exemption: the ACL name in the nat statement must match the ACL defined above
access-list NONAT extended permit ip 10.223.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Defines the remote subnet
access-list US1998 remark ACL for EZ VPN Remote
access-list US1998 extended permit ip 10.223.0.0 255.255.255.0 10.0.0.0 255.255.255.0

! Group policy defines the configuration applied to the EZ VPN Remote client
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value US1998
 nem enable
 webvpn

! Tunnel group is used for initial authentication and to apply group policy
tunnel-group EZVPN_TG type ipsec-ra
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
 pre-shared-key <group password here>

! EZ VPN remote user account password
username US1998 password <user password here>

! Transform set referenced by the dynamic map (must be defined before it is referenced)
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP
! Bind the crypto map to the outside interface so the dynamic entry is used
crypto map OUTSIDE_MAP interface outside

ASA5505 Configuration (Easy VPN Client)

! 5.5.5.5 is the public IP of the ASA5510
vpnclient server 5.5.5.5
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN_TG password <group password>
vpnclient username US1998 password <user password>
vpnclient enable
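A configuration like the Easy VPN server one above is only as good as its cross-references: the NAT exemption must name an ACL that exists, the dynamic map must point at a transform set that has been created, and the crypto map must be applied to an interface that has ISAKMP enabled, otherwise the tunnel negotiates nothing and the failure is silent. The following added example (not code from the page, the blog author, or Cisco) is a small Python checker for exactly those references; it also understands the `match address` and site-to-site crypto map lines used in the vpnsetup output further down. The sample configuration is constructed for the example and deliberately contains three faults so the checker has something to report.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Easy VPN server config above. The NAT
# exemption names an ACL that is never defined, the transform-set is never
# created, and the crypto map is never bound to an interface: three faults
# the checker is meant to catch (all deliberate here).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
access-list NONAT extended permit ip 10.223.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list SD_NONAT
access-list US1998 remark ACL for EZ VPN Remote
access-list US1998 extended permit ip 10.223.0.0 255.255.255.0 10.0.0.0 255.255.255.0
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value US1998
tunnel-group EZVPN_TG type ipsec-ra
tunnel-group EZVPN_TG general-attributes
 default-group-policy EZVPN_GP
crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP
"""

# (kind of object referenced, regex capturing the referenced name or names)
REFERENCE_PATTERNS = [
    ("access-list", re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("access-list", re.compile(r"\bsplit-tunnel-network-list value (\S+)")),
    ("access-list", re.compile(r"\bmatch address (\S+)")),
    ("transform-set", re.compile(r"\bset transform-set (.+)$")),
    ("group-policy", re.compile(r"\bdefault-group-policy (\S+)")),
    ("dynamic-map", re.compile(r"\bipsec-isakmp dynamic (\S+)")),
]


def parse_config(text):
    """Collect object definitions, references to them, and interface bindings."""
    defined = defaultdict(set)   # kind -> set of defined names
    refs = []                    # (kind, name, line number) for every reference
    bound = {}                   # crypto map name -> interface it is applied to
    isakmp_ifaces = set()        # interfaces with 'crypto isakmp enable'
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "access-list" and len(t) > 1:
            defined["access-list"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3:
            defined["transform-set"].add(t[3])
        elif t[0] in ("group-policy", "tunnel-group") and len(t) > 1:
            defined[t[0]].add(t[1])
        elif t[:2] == ["crypto", "dynamic-map"] and len(t) > 2:
            defined["dynamic-map"].add(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) > 4:
            if t[3] == "interface":
                bound[t[2]] = t[4]
            else:
                defined["crypto-map"].add(t[2])
        elif t[:3] == ["crypto", "isakmp", "enable"] and len(t) > 3:
            isakmp_ifaces.add(t[3])
        # a line can define one object and reference another (e.g. a dynamic-map
        # entry naming its transform set), so references are collected separately
        for kind, pat in REFERENCE_PATTERNS:
            m = pat.search(line)
            if m:
                for name in m.group(1).split():
                    refs.append((kind, name, no))
    return defined, refs, bound, isakmp_ifaces


def check_config(text):
    """Return human-readable findings; an empty list means every reference resolves."""
    defined, refs, bound, isakmp_ifaces = parse_config(text)
    findings = []
    for kind, name, no in refs:
        if name not in defined[kind]:
            findings.append(f"line {no}: {kind} '{name}' is referenced but never defined")
    for cmap in sorted(defined["crypto-map"]):
        if cmap not in bound:
            findings.append(f"crypto map '{cmap}' is never applied to an interface")
    for cmap, iface in sorted(bound.items()):
        if iface not in isakmp_ifaces:
            findings.append(f"crypto map '{cmap}' is on '{iface}' but isakmp is not enabled there")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) and run the script; a clean run prints nothing. The checker is deliberately name-based and does not validate the ACL contents or the crypto parameters themselves, which is a separate review.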

Thursday, 27 November 2014

How to Configure DNS on ASA

Step 1: Enable DNS lookups through the inside interface
ciscoasa(config)# dns domain-lookup inside

Step 2: Define the DNS servers
ciscoasa(config)# dns name-server 4.2.2.2 4.2.2.3

Sunday, 28 September 2014

vpnsetup ipsec-remote-access steps

ASA5510(config)# vpnsetup ipsec-remote-access steps

Steps to configure a remote access IKE/IPSec connection with examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
         ip address 10.10.4.200 255.255.255.0
         nameif outside
         no shutdown

        interface GigabitEthernet0/1
         ip address 192.168.0.20 255.255.255.0
         nameif inside
         no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 65535
         authentication pre-share
         encryption aes
         hash sha

3. Setup an address pool

        ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

        aaa-server MyRadius protocol radius
        aaa-server MyRadius host 192.168.0.254
         key $ecretK3y

5. Define tunnel group

        tunnel-group client type remote-access
        tunnel-group client general-attributes
         address-pool client-pool
         authentication-server-group MyRadius
        tunnel-group client ipsec-attributes
         pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

        crypto ipsec transform-set myset esp-aes esp-sha-hmac

7. Setup dynamic crypto map

        crypto dynamic-map dynmap 1 set transform-set myset
        crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

        crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

        crypto map mymap interface outside

10. Enable isakmp on interface

        crypto isakmp enable outside

vpnsetup site-to-site steps

ASA5510(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
         ip address 10.10.4.200 255.255.255.0
         nameif outside
         no shutdown

        interface GigabitEthernet0/1
         ip address 192.168.0.20 255.255.255.0
         nameif inside
         no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 10
         authentication pre-share
         encryption aes
         hash sha

3. Configure transform-set

        crypto ipsec transform-set myset esp-aes esp-sha-hmac

4. Configure ACL

        access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

        tunnel-group 10.20.20.1 type ipsec-l2l
        tunnel-group 10.20.20.1 ipsec-attributes
         pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

        crypto map mymap 10 match address L2LAccessList
        crypto map mymap 10 set peer 10.10.4.108
        crypto map mymap 10 set transform-set myset
        crypto map mymap 10 set reverse-route
        crypto map mymap interface outside

7. Enable isakmp on interface

        crypto isakmp enable outside

Sunday, 31 August 2014

Cisco Switch Cluster & Switch Stack

A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.

In a switch cluster, 1 switch must be the cluster command switch and up to 15 other switches can be cluster member switches. The total number of switches in a cluster cannot exceed 16 switches. The cluster command switch is the single point of access used to configure, manage, and monitor the cluster member switches. Cluster members can belong to only one cluster at a time.

A switch stack is a set of up to nine stacking-capable switches connected through their StackWise Plus or StackWise ports.

Switch Cluster: When you have a large campus network with many switches, instead of managing each switch using its own IP, you can add them to the cluster and manage them through the cluster. (A cluster is good from a management perspective.)

Switch Stack: When you have a switch closet and need more than 48 ports to connect your clients, a stack is a good solution. Also, if you need redundant links to a specific device (NIC teaming), a stack is a good option as it supports cross-stack EtherChannel.


Basic Comparison of Switch Stacks and Switch Clusters

Switch Stack: Made up of Catalyst 3750-E or Catalyst 3750-X switches only
Switch Cluster: Made up of cluster-capable switches, such as Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, and Catalyst 2950 switches

Switch Stack: Stack members are connected through StackWise Plus ports
Switch Cluster: Cluster members are connected through LAN ports

Switch Stack: Requires one stack master and supports up to eight other stack members
Switch Cluster: Requires one cluster command switch and supports up to 15 other cluster member switches

Switch Stack: Can be a cluster command switch or a cluster member switch
Switch Cluster: Cannot be a stack master or stack member

Switch Stack: Stack master is the single point of complete management for all stack members in a particular switch stack
Switch Cluster: Cluster command switch is the single point of some management for all cluster members in a particular switch cluster

Switch Stack: Backup stack master is automatically determined in case the stack master fails
Switch Cluster: Standby cluster command switch must be pre-assigned in case the cluster command switch fails

Switch Stack: Switch stack supports up to eight simultaneous stack master failures
Switch Cluster: Switch cluster supports only one cluster command switch failure at a time

Switch Stack: Stack members (as a switch stack) behave and are presented as a single, unified system in the network
Switch Cluster: Cluster members are various, independent switches that are not managed as and do not behave as a unified system

Switch Stack: Integrated management of stack members through a single configuration file
Switch Cluster: Cluster members have separate, individual configuration files

Switch Stack: Stack- and interface-level configurations are stored on each stack member
Switch Cluster: Cluster configurations are stored on the cluster command switch and the standby cluster command switch

Switch Stack: New stack members are automatically added to the switch stack
Switch Cluster: New cluster members must be manually added to the switch cluster

Thursday, 31 July 2014

Copy a Folder to Another Folder and Retain its Permissions


  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. Type xcopy source destination /O /X /E /H /K and then press ENTER, where source is the source path for the files to be copied, and destination is the destination path for the files.

Example

Type xcopy c:\olddocs c:\newdocs /O /X /E /H /K, and then press ENTER, where olddocs is the source folder and newdocs is the destination folder.

Thursday, 26 June 2014

Traffic Shaping


Traffic shaping on the security appliance allows the device to limit the flow of traffic. This mechanism will buffer traffic over the “speed limit” and attempt to send the traffic later. On the 7.x security device, traffic shaping must be applied to all outgoing traffic on a physical interface. Shaping cannot be configured for certain types of traffic. The shaped traffic will include traffic passing through the device, as well as traffic that is sourced from the device.
In order to configure traffic shaping, use the class-default class and apply the shape command in Policy Map Class Configuration mode. This class-default class is created automatically for you by the system. It is a simple match any class map that allows you to quickly match all traffic. Here is a sample configuration:
pixfirewall(config)# policy-map PM-SHAPER
pixfirewall(config-pmap)# class class-default
pixfirewall(config-pmap-c)# shape average 2000000 16000
pixfirewall(config-pmap-c)# service-policy PM-SHAPER interface outside
Verification is simple. You can run the following to confirm your configuration:
pixfirewall(config)# show run policy-map
!
policy-map PM-SHAPER
 class class-default
shape average 2000000 16000
!
Another excellent command that confirms the effectiveness of the policy is:
pixfirewall(config)# show service-policy shape
Interface outside:
 Service-policy: PM-SHAPER
Class-map: class-default
shape (average) cir 2000000, bc 16000, be 16000
Queueing
     queue limit 64 packets
 (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

Traffic Policing

With a policing configuration, traffic that exceeds the “speed limit” on the interface is dropped. Unlike traffic shaping configurations on the appliance, with policing you can specify a class of traffic that you want the policing to affect. Let’s examine a traffic policing configuration. In this configuration, we will limit the amount of Web traffic that is permitted on an interface.
pixfirewall(config)# access-list AL-WEB-TRAFFIC permit tcp host 192.168.1.110 eq www any
pixfirewall(config)# class-map CM-POLICE-WEB
pixfirewall(config-cmap)# match access-list AL-WEB-TRAFFIC
pixfirewall(config-cmap)# policy-map PM-POLICE-WEB
pixfirewall(config-pmap)# class CM-POLICE-WEB
pixfirewall(config-pmap-c)# police input 1000000 conform-action transmit exceed-action drop
pixfirewall(config-pmap-c)# service-policy PM-POLICE-WEB interface outside
Notice we can verify with similar commands that we used for shaping!
pixfirewall(config)# show run policy-map
!
policy-map PM-POLICE-WEB
 class CM-POLICE-WEB
  police input 1000000
!
pixfirewall(config)# show service-policy police
Interface outside:
  Service-policy: PM-POLICE-WEB
    Class-map: CM-POLICE-WEB
      Input police Interface outside:
        cir 1000000 bps, bc 31250 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
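The difference between the two sections above is easiest to see by pushing the same burst through both behaviours. The following added example (Python written for this page, not code from the blog author or Cisco) models `police input 1000000` as a single-rate token bucket whose burst size bc defaults to cir/32 bytes (31250 bytes for 1,000,000 bps, matching the `show service-policy police` output above), and `shape average 2000000` as a bounded FIFO with the 64-packet queue limit from the `show service-policy shape` output, releasing packets at the configured rate. The shaper is an idealised model of the buffering the text describes, not a reproduction of the appliance's scheduler, and the burst of 80 packets at a single instant is constructed input.

```python
from collections import deque


class Policer:
    """Single-rate token bucket: 'police input <cir>' with conform = transmit, exceed = drop."""

    def __init__(self, cir_bps, bc_bytes=None):
        self.cir_bytes = cir_bps / 8.0                       # refill rate in bytes per second
        # bc defaults to cir/32 bytes, the value the 'show service-policy police'
        # output above reports for cir 1000000 (assumption: same default everywhere)
        self.bc = bc_bytes if bc_bytes is not None else cir_bps // 32
        self.tokens = float(self.bc)                          # bucket starts full
        self.last = 0.0                                       # time of the last packet
        self.conformed = [0, 0]                               # packets, bytes
        self.exceeded = [0, 0]

    def offer(self, t, size):
        """Offer a packet of `size` bytes arriving at time t (seconds); return the action."""
        self.tokens = min(self.bc, self.tokens + (t - self.last) * self.cir_bytes)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed[0] += 1
            self.conformed[1] += size
            return "transmit"
        self.exceeded[0] += 1
        self.exceeded[1] += size
        return "drop"


class Shaper:
    """Idealised 'shape average <cir>': packets wait in a bounded FIFO and leave at the rate."""

    def __init__(self, cir_bps, queue_limit=64):
        self.cir_bps = cir_bps
        self.queue_limit = queue_limit
        self.queue = deque()                                  # departure times of waiting packets
        self.last_departure = float("-inf")
        self.sent = 0
        self.dropped = 0

    def offer(self, t, size):
        """Return the scheduled departure time, or None if the queue is full (tail drop)."""
        while self.queue and self.queue[0] <= t:              # packets already released
            self.queue.popleft()
        if len(self.queue) >= self.queue_limit:
            self.dropped += 1
            return None
        depart = max(t, self.last_departure + size * 8 / self.cir_bps)
        self.last_departure = depart
        self.queue.append(depart)
        self.sent += 1
        return depart


def run_burst(device, n_packets=80, size=1500, t=0.0):
    """Constructed input: n packets of `size` bytes all arriving at the same instant t."""
    return [device.offer(t, size) for _ in range(n_packets)]


def demo():
    """Same 80-packet burst through the page's policer and shaper settings."""
    pol = Policer(1_000_000)                                  # police input 1000000 -> bc 31250 bytes
    run_burst(pol)
    shp = Shaper(2_000_000)                                   # shape average 2000000, queue limit 64
    departures = run_burst(shp)
    return {
        "police_conformed": tuple(pol.conformed),             # (20, 30000): 20 * 1500 fits in bc
        "police_exceeded": tuple(pol.exceeded),               # (60, 90000): the rest is dropped
        "shape_sent": shp.sent,                               # 65: one leaves at once, 64 wait
        "shape_dropped": shp.dropped,                         # 15: tail-dropped past the queue limit
        "shape_last_departure": max(d for d in departures if d is not None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The policer drops everything beyond the first bc bytes of the burst and then forgets about it; the shaper delivers as much as its queue can hold, with the last packet leaving 0.384 s later, and only discards what overflows the queue. That is why the page says shaped traffic is "sent later" while policed traffic is simply dropped, and why policing counters, not shaping counters, are the ones to watch for evidence that a flow is being cut.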