Thursday, July 22, 2010

How to recover IOS from ROMMON

rommon 1 > IP_ADDRESS=172.30.10.20 (sets the IP address of this device)

rommon 2 > IP_SUBNET_MASK=255.255.255.0

rommon 3 > DEFAULT_GATEWAY=172.30.10.1

rommon 4 > TFTP_SERVER=172.30.10.100

rommon 5 > TFTP_FILE=c3640-jk9o3s-mz.123-14.T7.bin

rommon 6 > tftpdnld  (this command starts the download of the IOS image from the TFTP server)

Tuesday, July 20, 2010

Sharing Folder between Linux/UNIX systems using NFS

1. Create the folder which we want to share
mkdir /nfs1
chmod 666 /nfs1
2. Share the folder by adding its details to the /etc/exports file. In /etc/exports, enter the following:
/nfs1       192.168.1.60(rw) [This means the folder can be accessed by 192.168.1.60 in read-write mode]
/nfs2        172.30.10.0/24
3. Start the service
service nfs start
chkconfig nfs on
4. Export the folders (publishing):
exportfs -v
note: if we add more folders later, we can update the exports using exportfs -a
5. Done!!!

How to access these shared folders from the remote 192.168.1.60 system
1. Create a corresponding directory anywhere, say /nfs1
mkdir /nfs1
2. Mount the remote shared directory (on 192.168.1.50) onto that directory
mount -t nfs 192.168.1.50:/nfs1 /nfs1
3. Use the "df -h" or "mount" command to confirm it and we are done!!!

Additional configurations
1. Allow the client/remote 'root' user to write to the /nfs1 export as root
/etc/exports: (rw,no_root_squash)
2. Set up mount points so that they're available after a reboot
Edit /etc/fstab
192.168.1.50:/nfs1      /nfs1                   nfs     defaults  0 0
note: unmount and confirm that the NFS mount points come back when the client system changes runlevels (reboots, starts, etc.) - 'mount -a'

3. showmount -a 192.168.1.50 - shows mounts on this system (connected NFS clients)
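The options in /etc/exports decide who can reach a share and as whom, so it pays to review the file mechanically. The following is an added example, not code from the original post: it parses exports(5) syntax and flags entries that a defender should look at twice (wildcard hosts, no_root_squash as used in the "Additional configurations" above, read-write access to a whole subnet, and entries with no options at all). SAMPLE_EXPORTS is a constructed file modelled on the entries in the post.

```python
# Added audit of exports(5) entries; not part of the original post.
# SAMPLE_EXPORTS is a constructed file modelled on the entries above.
SAMPLE_EXPORTS = """\
# shared folders
/nfs1       192.168.1.60(rw)
/nfs2        172.30.10.0/24
/nfs3       *(rw,no_root_squash)
/nfs4       192.168.1.0/24(ro,root_squash) 10.0.0.5(rw,no_root_squash)
"""


def split_client(client):
    """Split 'host(opt1,opt2)' into ('host', ['opt1', 'opt2']); no parentheses means no options."""
    if '(' in client and client.endswith(')'):
        host, opts = client[:-1].split('(', 1)
        return host, [o for o in opts.split(',') if o]
    return client, []


def parse_exports(text):
    """Return a list of (path, host, options) tuples, one per client of each export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:
            clients = ['*']                    # a path with no client list is exported to everyone
        for client in clients:
            host, options = split_client(client)
            entries.append((path, host, options))
    return entries


def audit_exports(entries):
    """Return (path, host, reason) findings for exports a defender should look at twice."""
    findings = []
    for path, host, options in entries:
        if host == '*':
            findings.append((path, host, 'exported to every host that can reach the server'))
        if 'no_root_squash' in options:
            findings.append((path, host, 'remote root is not squashed: client root owns the export'))
        if 'rw' in options and '/' in host:
            findings.append((path, host, 'read-write access granted to a whole subnet'))
        if not options:
            findings.append((path, host, 'no options given, so defaults apply (ro, root_squash)'))
    return findings


if __name__ == '__main__':
    for path, host, reason in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f'{path:<8} {host:<18} {reason}')
```

Run it against the real file with `parse_exports(open('/etc/exports').read())`; the no_root_squash finding is the one to act on first, since with it a root user on the client is root on the export.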

Monday, July 19, 2010

How to see and change default MTU in Windows

Open command prompt and type:
netsh interface ipv4 show subinterfaces

and hit Enter. We will get a list of all the network adapters installed on the PC. The MTU value is listed on the left.


In command prompt, type the following to ping with an MTU size
ping google.com -f -l 1472

The -f flag sets the Don't Fragment bit on the ping packets; -l 1472 sets the payload size in bytes.


If we get successful replies, then the current MTU is fine for the connection. If instead we receive an error saying the packet needs to be fragmented, then our packets are larger than the path allows.

Try smaller values until one succeeds. When you find the largest successful value, you can set a new MTU limit from it. You will need to add the IP/ICMP overhead (usually 28 bytes), so if 1462 is successful, then 1490 is your MTU limit.

To set the new limit, use the following command in a command prompt (replace "Realtek" with the interface name shown by the show command above):
netsh interface ipv4 set subinterface "Realtek" mtu=1490 store=persistent
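Hunting for the largest working payload by hand takes many pings; a binary search between a size that works and one that fails needs about a dozen. The block below is an added example, not from the original post: it implements that search and the 28-byte overhead arithmetic described above. `make_simulated_ping` is a constructed stand-in for `ping -f -l <size>` so the search can be run offline; `windows_ping_probe` wraps the real Windows ping command and relies on its usual output strings ("TTL=" on success, "fragmented" in the error), which is an assumption and is not exercised here.

```python
import subprocess

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header


def make_simulated_ping(path_mtu):
    """Constructed stand-in for 'ping -f -l <size>': the echo gets through only if
    payload plus headers fits the path MTU (no network involved)."""
    def ping(payload_size):
        return payload_size + IP_ICMP_OVERHEAD <= path_mtu
    return ping


def windows_ping_probe(host):
    """Real probe using the Windows ping command (assumed output strings; not exercised here).
    A reply carrying TTL= and no 'fragmented' error means the size got through unfragmented."""
    def ping(payload_size):
        result = subprocess.run(
            ['ping', '-n', '1', '-f', '-l', str(payload_size), host],
            capture_output=True, text=True)
        return 'TTL=' in result.stdout and 'fragmented' not in result.stdout
    return ping


def find_largest_payload(ping, low=0, high=1472):
    """Binary search between a payload that works (low) and the largest one to try (high).
    Returns -1 when even `low` fails, so the caller can tell 'no path' from 'tiny MTU'."""
    if not ping(low):
        return -1
    if ping(high):
        return high
    # invariant: ping(low) succeeds, ping(high) fails
    while high - low > 1:
        mid = (low + high) // 2
        if ping(mid):
            low = mid
        else:
            high = mid
    return low


def discover_mtu(ping, high=1472):
    """Largest working payload plus the 28-byte overhead, as the post describes; None if nothing works."""
    payload = find_largest_payload(ping, 0, high)
    if payload < 0:
        return None
    return payload + IP_ICMP_OVERHEAD


if __name__ == '__main__':
    simulated = make_simulated_ping(1490)       # constructed path with a 1490-byte MTU
    print('largest payload:', find_largest_payload(simulated))   # 1462
    print('MTU:', discover_mtu(simulated))                        # 1490
```

On a real host, `discover_mtu(windows_ping_probe('example.com'))` returns the value to put into `netsh interface ipv4 set subinterface ... mtu=`. Note that a firewall dropping ICMP on the path makes every probe fail, which the -1/None result reports instead of silently picking a tiny MTU.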

Wednesday, July 7, 2010

DHCP installation and Configuration on RHEL5/CentOS

1. Install dhcp server
yum -y install dhcp
2. Copy the sample configuration file to /etc
cp -v /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample /etc/dhcpd.conf
3. Edit the dhcp configuration file /etc/dhcpd.conf according to our network details. Also do the following:
#       range dynamic-bootp 192.168.0.128 192.168.0.254; (comment out this line and add the one below)
        range 192.168.1.150 192.168.1.200;
note: If we don't want fixed IP assignments for specific hosts (reservations), comment out those lines.
4. Start dhcp server
service dhcpd start
chkconfig dhcpd on
5. If we want to configure reservations for a system do as following in the /etc/dhcpd.conf file
host xp1 {
         hardware ethernet 00:0C:29:0C:55:83;
         fixed-address 192.168.1.170;
}
note : Optional 'option ...' statements are supported inside the host { } block
6. Restart the service to make the changes to effect
service dhcpd restart
7. Done!!

Notes:
1. On client system /var/lib/dhclient/dhclient-eth0.leases file contains dhcp lease information. On server /var/lib/dhcpd/dhcpd.leases contains the lease information for all clients.
2. NTP details can be given outside the subnet options to make them globally available. For more information use the 'man dhcpd.conf' command.
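The dhcpd.leases file mentioned in note 1 is the server's record of which MAC holds which address, which makes it a cheap inventory source. The following is an added example, not from the original post: it parses the dhcpd.leases(5) format (the file is append-only, so a later record for the same IP supersedes an earlier one), lists the leases active at a given time, and reports a MAC that holds more than one active address, which is worth a look whether it is client churn or a host misbehaving. SAMPLE_LEASES is constructed, not a real capture.

```python
import re
from datetime import datetime

# Constructed dhcpd.leases content in the format of dhcpd.leases(5); not a real capture.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.1.151 {
  starts 4 2010/07/08 09:12:33;
  ends 4 2010/07/08 21:12:33;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:01;
  client-hostname "desk-01";
}
lease 192.168.1.152 {
  starts 4 2010/07/08 09:15:00;
  ends 4 2010/07/08 21:15:00;
  binding state free;
  hardware ethernet 00:0c:29:aa:bb:02;
}
lease 192.168.1.152 {
  starts 4 2010/07/08 10:00:00;
  ends 4 2010/07/08 22:00:00;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:03;
  client-hostname "laptop-7";
}
lease 192.168.1.153 {
  starts 4 2010/07/08 10:05:00;
  ends 4 2010/07/08 22:05:00;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:03;
}
"""

LEASE_START = re.compile(r'^lease\s+(\S+)\s*\{')
TIME_FMT = '%Y/%m/%d %H:%M:%S'   # dhcpd writes these timestamps in UTC


def parse_leases(text):
    """Return {ip: lease dict}; a later record for the same IP supersedes an earlier one."""
    leases, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LEASE_START.match(line)
        if m:
            current = {'ip': m.group(1)}
            continue
        if line == '}':
            if current is not None:
                leases[current['ip']] = current
            current = None
            continue
        if current is None:
            continue
        words = line.rstrip(';').split()
        if words[0] in ('starts', 'ends'):
            # "starts <weekday> <date> <time>" or "ends never"
            current[words[0]] = None if words[1] == 'never' else \
                datetime.strptime(f'{words[2]} {words[3]}', TIME_FMT)
        elif words[:2] == ['binding', 'state']:
            current['state'] = words[2]
        elif words[:2] == ['hardware', 'ethernet']:
            current['mac'] = words[2].lower()
        elif words[0] == 'client-hostname':
            current['hostname'] = ' '.join(words[1:]).strip('"')
    return leases


def active_leases(leases, now):
    """Leases that dhcpd considers handed out at time `now`."""
    return {ip: l for ip, l in leases.items()
            if l.get('state') == 'active'
            and l.get('starts') is not None and l['starts'] <= now
            and (l.get('ends') is None or now < l['ends'])}


def active_at(text, when):
    """Convenience: parse `text` and return the leases active at `when` ('YYYY/MM/DD HH:MM:SS')."""
    return active_leases(parse_leases(text), datetime.strptime(when, TIME_FMT))


def duplicate_macs(active):
    """One MAC holding several active addresses: client churn, or a host worth checking."""
    by_mac = {}
    for ip, l in active.items():
        by_mac.setdefault(l.get('mac'), []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == '__main__':
    active = active_at(SAMPLE_LEASES, '2010/07/08 12:00:00')
    for ip, l in sorted(active.items()):
        print(ip, l.get('mac'), l.get('hostname', '-'))
    print('duplicate MACs:', duplicate_macs(active))
```

On the server, feed it `open('/var/lib/dhcpd/dhcpd.leases').read()` and the current UTC time; comparing the active list against the reservations in /etc/dhcpd.conf shows which hosts are on the network without a fixed address.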

Thursday, July 1, 2010

Installing and configuring TFTP server in Linux (RHEL5 & Centos)


1. Install the tftp server using the following command
yum -y install tftp-server
2. Open the /etc/xinetd.d/tftp file in any text editor and set
disable                 = no
3. Start the xinetd service (tftpd runs as a sub-service of xinetd)
service xinetd start - to start XINETD
4. Check whether tftp is listening on UDP port 69 using the following command
netstat -nulp | grep 69
5. If SELinux is enabled, use the following command to disable its enforcement for the tftpd service
setsebool -P tftpd_disable_trans=1 - disables SELinux for TFTPD
service xinetd restart
6. Installing the tftp server creates a directory called /tftpboot where files are stored (the tftp root). Before a router can upload to it, we must create a blank file with touch and change its permissions to 666 with chmod to make it writable
touch r1-config
chmod 666 r1-config
7. Now from the cisco router we can use the copy command
R1#copy run tftp://192.168.1.20/r1-config
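Both the ROMMON tftpdnld at the top of this page and the copy command in step 7 speak TFTP, a protocol with no authentication and no encryption: whoever can reach UDP port 69 can read any file in /tftpboot, so the server should be firewalled to the management network and uploaded configs removed once fetched. The block below is an added example, not code from the original post or from tftp-server: it encodes and decodes the RFC 1350 packet types and replays a write request in memory so both sides of the exchange can be seen, including the short final block that ends a transfer and the empty block needed when the file is an exact multiple of 512 bytes. The error code returned for a file that does not exist in the tftp root is an assumption.

```python
import struct

# Added example, not from the original post: RFC 1350 packet formats plus an
# in-memory replay of a write request (no sockets, no real server).
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def encode_request(opcode, filename, mode='octet'):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL."""
    return struct.pack('!H', opcode) + filename.encode() + b'\0' + mode.encode() + b'\0'


def encode_data(block, payload):
    return struct.pack('!HH', DATA, block) + payload


def encode_ack(block):
    return struct.pack('!HH', ACK, block)


def encode_error(code, message):
    return struct.pack('!HH', ERROR, code) + message.encode() + b'\0'


def decode(packet):
    """Return (opcode, fields) for a TFTP packet; ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError('packet too short')
    (opcode,) = struct.unpack('!H', packet[:2])
    if opcode in (RRQ, WRQ):
        parts = packet[2:].split(b'\0')
        if len(parts) < 3:          # filename, mode and the trailing empty piece
            raise ValueError('malformed request')
        return opcode, {'filename': parts[0].decode(), 'mode': parts[1].decode().lower()}
    (arg,) = struct.unpack('!H', packet[2:4])
    if opcode == DATA:
        return opcode, {'block': arg, 'data': packet[4:]}
    if opcode == ACK:
        return opcode, {'block': arg}
    if opcode == ERROR:
        return opcode, {'code': arg, 'message': packet[4:].split(b'\0')[0].decode()}
    raise ValueError(f'unknown opcode {opcode}')


def simulate_write(filename, content, server_files):
    """Play both sides of a WRQ transfer. server_files models the TFTP root as a dict:
    the name must already exist to be writable, as step 6 above requires (the error
    code used for a missing file is an assumption). Returns the packets exchanged."""
    trace = []

    def server(packet):
        op, f = decode(packet)
        if op == WRQ:
            if f['filename'] not in server_files:
                return encode_error(1, 'File not found')
            server_files[f['filename']] = b''
            return encode_ack(0)
        if op == DATA:
            server_files[filename] += f['data']
            return encode_ack(f['block'])
        return encode_error(4, 'Illegal TFTP operation')

    request = encode_request(WRQ, filename)
    reply = server(request)
    trace += [('client', request), ('server', reply)]
    if decode(reply)[0] == ERROR:
        return trace
    block, offset = 1, 0
    while True:
        chunk = content[offset:offset + BLOCK_SIZE]
        data = encode_data(block, chunk)
        reply = server(data)
        trace += [('client', data), ('server', reply)]
        op, f = decode(reply)
        if op != ACK or f['block'] != block:
            raise RuntimeError('transfer aborted')
        if len(chunk) < BLOCK_SIZE:   # a short (possibly empty) block ends the transfer
            return trace
        block, offset = block + 1, offset + BLOCK_SIZE


if __name__ == '__main__':
    root = {'r1-config': b''}                 # the blank file created with touch
    trace = simulate_write('r1-config', b'hostname R1\n' * 100, root)
    for side, pkt in trace:
        print(side, decode(pkt)[0], len(pkt))
```

The trace makes the security point visible: the request names the file in clear text and every DATA block carries the config in clear text, which is why the router's running configuration should only ever be copied over a network segment you trust.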

Monday, May 3, 2010

ASA trunk interface configuration

Switch side
Switch(config)#int fa0/9
Switch(config-if)#switchport
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 100,101 (if not specified, every VLAN will be sent to the ASA)
Switch(config-if)#switchport mode trunk (the ASA cannot negotiate a trunk using a dynamic protocol)
Switch(config-if)#no shut

ASA side
NOTE: Each physical interface of the ASA can carry one or more subinterfaces, each carrying one VLAN

ASA(config)# int e0/3
ASA(config-if)# no shut
ASA(config)# int e0/3.1
ASA(config-subif)# vlan 100 ; specifies which VLAN is carried over this subinterface
ASA(config-subif)# nameif inside
ASA(config-subif)# ip address 10.1.1.1 255.255.255.0
ASA(config)# int e0/3.2
ASA(config-subif)# vlan 101
ASA(config-subif)# nameif building1
ASA(config-subif)# security-level 50
ASA(config-subif)# ip address 10.2.1.1 255.255.255.0
ASA(config-subif)# no shut

Trunk interface on firewall module
cat6500#show vlan : to see the VLANs inside the switch
cat6500#show module : to see the connected module number
cat6500#config t
cat6500(config)#firewall vlan-group 1 10,100 ; says which VLANs should be sent to the firewall module; the vlan-group number can be anything.
cat6500(config)#firewall module 3 vlan-group 1 ; which firewall module to send these to

Cat6500#session slot 3 processor 1
FWSM> enable
FWSM# config term
FWSM(config)#interface vlan 10
FWSM(config-if)#nameif outside
FWSM(config-if)# ip address 192.168.10.1 255.255.255.0
FWSM(config-if)#no shut
FWSM(config-if)#exit

FWSM(config)# int vlan 100
FWSM(config-if)#nameif inside
FWSM(config-if)#ip address 172.30.10.1 255.255.255.0
FWSM(config-if)#no shut
FWSM#show int

ASA Redundant Interface


ciscoasa(config)# int redundant 1
ciscoasa(config-if)# member-interface ethernet 0/0
ciscoasa(config-if)# member-interface ethernet 0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa# show interface redundant 1 : to check that both members are operational
at the bottom we can see the redundancy information
show interface :- we can see which one is active
show interface | include (Interface|member)
NOTE: if the primary interface comes back up, the ASA will not switch back to it until the current active member fails
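Two things go wrong quietly with the trunk setup above: the switch trunks a VLAN that nothing on the ASA terminates (or the allowed list is missing, so every VLAN arrives), and a subinterface is left without a security-level, which the ASA defaults to 100 for the name "inside" and 0 for anything else. The block below is an added example, not from the original post or from Cisco: it reads a switch trunk stanza and an ASA interface listing in show-run style and reports those mismatches. SWITCH_CONFIG and ASA_CONFIG are constructed from the commands above, with an extra VLAN on each side to show the findings.

```python
# Added consistency check for a switch trunk feeding ASA subinterfaces; not from the post.
# Both configs are constructed from the commands above with deliberate mismatches.
SWITCH_CONFIG = """\
interface FastEthernet0/9
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,102
 switchport mode trunk
"""

ASA_CONFIG = """\
interface Ethernet0/3
 no shutdown
interface Ethernet0/3.1
 vlan 100
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/3.2
 vlan 101
 nameif building1
 security-level 50
 ip address 10.2.1.1 255.255.255.0
interface Ethernet0/3.3
 vlan 103
 nameif guest
 ip address 10.3.1.1 255.255.255.0
"""


def expand_vlan_list(spec):
    """'100,101,200-202' -> {100, 101, 200, 201, 202}."""
    vlans = set()
    for item in spec.split(','):
        if '-' in item:
            lo, hi = item.split('-')
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(item))
    return vlans


def trunk_allowed_vlans(config):
    """VLANs allowed on the trunk; None means unrestricted (the IOS default: all VLANs)."""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith('switchport trunk allowed vlan '):
            spec = line.split()[-1]
            return None if spec == 'all' else expand_vlan_list(spec)
    return None


def asa_subinterfaces(config):
    """{subinterface name: {'vlan', 'nameif', 'security_level'}} for every 'interface X.N'."""
    subifs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if words[0] == 'interface':
            current = subifs.setdefault(words[1], {}) if '.' in words[1] else None
        elif current is not None:
            if words[0] == 'vlan':
                current['vlan'] = int(words[1])
            elif words[0] == 'nameif':
                current['nameif'] = words[1]
            elif words[0] == 'security-level':
                current['security_level'] = int(words[1])
    return subifs


def check_trunk(switch_config, asa_config):
    """Human-readable findings about the trunk/subinterface pairing."""
    allowed = trunk_allowed_vlans(switch_config)
    subifs = asa_subinterfaces(asa_config)
    terminated = {s['vlan'] for s in subifs.values() if 'vlan' in s}
    findings = []
    if allowed is None:
        findings.append('trunk allows every VLAN; restrict it with "switchport trunk allowed vlan"')
        allowed = terminated
    for v in sorted(allowed - terminated):
        findings.append(f'VLAN {v} is trunked to the ASA but no subinterface terminates it')
    for name, s in subifs.items():
        if s.get('vlan') not in allowed:
            findings.append(f'{name}: VLAN {s.get("vlan")} is not allowed on the switch trunk')
        if 'security_level' not in s:
            default = 100 if s.get('nameif') == 'inside' else 0
            findings.append(f'{name}: no security-level set, ASA default is {default}')
    return findings


if __name__ == '__main__':
    for finding in check_trunk(SWITCH_CONFIG, ASA_CONFIG):
        print(finding)
```

The same check applies to the FWSM variant further up, with the `firewall vlan-group` list standing in for the switch's allowed VLANs.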

Tuesday, March 23, 2010

Creating Site-to-Site VPNs with Pre-Shared Keys

Documentation:
1. Document your IKE Phase 1 negotiation criteria (example below)
  • Encryption algorithm: AES-128
  • Hashing: SHA-1
  • Authentication: pre-shared
  • Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
  • Encryption algorithm: esp-aes 128
  • Authentication: esp-sha-hmac
Configuring IKE Phase 1:
1. Enable ISAKMP: Router(config)#crypto isakmp enable
2. Create ISAKMP Policy: Router(config)#crypto isakmp policy <1-10000>
  • Router(config)#crypto isakmp policy 100
  • Router(config-isakmp)#encryption aes 128
  • Router(config-isakmp)#authentication pre-share
  • Router(config-isakmp)#group 2
  • Router(config-isakmp)#hash sha
3. Configure ISAKMP Identity: Router(config)#crypto isakmp identity <address/hostname>
4. Configure pre-shared keys: Router(config)#crypto isakmp key <key> address <remote_ip>
Configuring IKE Phase 2:
1. Create transform sets: Router(config)#crypto ipsec transform-set <name> <methods>
  • Router(config)#crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
2. (optional) Configure IPSec lifetime: Router(config)#crypto ipsec security-association lifetime <seconds/kilobytes> <value>
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be received encrypted
4. Set up IPSec crypto-map: Router(config)#crypto map <name> <seq> ipsec-isakmp
  • Router(config)#crypto map MAP 100 ipsec-isakmp
  • Router(config-crypto-map)#match address <acl>
  • Router(config-crypto-map)#set peer <remote_ip>
  • Router(config-crypto-map)#set pfs <group1/2/5>
  • Router(config-crypto-map)#set transform-set <set>
Verify:
  • show crypto isakmp policy
  • show crypto ipsec transform-set
  • show crypto ipsec sa
  • show crypto map
  • debug crypto isakmp
  • debug crypto ipsec
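Every parameter left out of an ISAKMP policy takes an IOS default (des, sha, rsa-sig, group 1, 86400 seconds), and a transform set without an HMAC method gives encryption with no integrity check, so a review of the documented criteria against the actual configuration is worth automating. The block below is an added example, not code from the original post or from Cisco: it parses an IOS-style `crypto isakmp policy` and `crypto ipsec transform-set` listing, fills in the defaults, and reports the settings a reviewer would question today (DES/3DES, MD5, DH groups below 2048 bits, ESP without authentication). SAMPLE_CONFIG is constructed; its first policy and first transform set are the ones from the procedure above.

```python
# Added example, not from the original post: parse an IOS-style crypto configuration
# and report settings a reviewer would question. SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 group 2
 hash sha
crypto isakmp policy 200
 hash md5
 authentication pre-share
crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto ipsec transform-set NOAUTH esp-aes 256
"""

# What IOS uses for a policy that does not state the parameter explicitly.
IOS_POLICY_DEFAULTS = {'encryption': 'des', 'hash': 'sha',
                       'authentication': 'rsa-sig', 'group': '1', 'lifetime': '86400'}
WEAK_CIPHERS = {'des', '3des'}
SMALL_DH_GROUPS = {'1', '2', '5'}          # 768, 1024 and 1536-bit MODP


def parse_crypto_config(text):
    """Return ({policy_number: settings}, {transform_set_name: [methods]})."""
    policies, transform_sets, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith('crypto isakmp policy '):
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(raw.split()[-1])] = current
        elif raw.startswith('crypto ipsec transform-set '):
            words = raw.split()
            transform_sets[words[3]] = words[4:]
            current = None
        elif raw.startswith(' ') and current is not None:
            words = raw.split()
            key = 'encryption' if words[0] == 'encr' else words[0]   # 'show run' abbreviates it
            if key in IOS_POLICY_DEFAULTS:
                current[key] = ' '.join(words[1:])
        else:
            current = None
    return policies, transform_sets


def audit_crypto(policies, transform_sets):
    """(where, reason) findings; the unstated defaults are the usual surprise."""
    findings = []
    for number, p in sorted(policies.items()):
        where = f'isakmp policy {number}'
        cipher = p['encryption'].split()[0]
        if cipher in WEAK_CIPHERS:
            findings.append((where, f'encryption {cipher} (IOS default is des)'))
        if p['hash'] == 'md5':
            findings.append((where, 'hash md5'))
        if p['group'] in SMALL_DH_GROUPS:
            findings.append((where, f'DH group {p["group"]} is under 2048 bits'))
    for name, methods in transform_sets.items():
        where = f'transform-set {name}'
        if any(m in ('esp-des', 'esp-3des') for m in methods):
            findings.append((where, 'weak ESP cipher'))
        if 'esp-md5-hmac' in methods:
            findings.append((where, 'esp-md5-hmac integrity'))
        if not any(m.endswith('-hmac') or m in ('esp-gcm', 'esp-gmac') for m in methods):
            findings.append((where, 'no integrity transform: ESP without authentication'))
    return findings


if __name__ == '__main__':
    for where, reason in audit_crypto(*parse_crypto_config(SAMPLE_CONFIG)):
        print(f'{where:<24} {reason}')
```

Feed it the output of `show running-config | section crypto`; policy 200 in the sample shows how a policy that only sets the hash and authentication quietly ends up with DES and DH group 1.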

Java configuration for IPS (IDM)



Step 1 Close all instances of Internet Explorer or Netscape.

Step 2 Click Start > Settings > Control Panel.

Step 3 If you have Java Plug-in 1.4.2 installed:

a. Click Java Plug-in.

The Java Plug-in Control Panel appears.

b. Click the Advanced tab.

c. Type -Xmx256m in the Java RunTime Parameters field.

d. Click Apply and exit the Java Control Panel.

Step 4 If you have Java Plug-in 1.5 installed:

a. Click Java.

The Java Control Panel appears.

b. Click the Java tab.

c. Click View under Java Applet Runtime Settings.

The Java Runtime Settings Panel appears.

d. Type -Xmx256m in the Java Runtime Parameters field and then click OK.

e. Click OK and exit the Java Control Panel.

Commonly Used Regular expressions

[image: a table of commonly used regular expressions; its contents are not recoverable here]

Thursday, March 18, 2010

Configuring Router to Bridge mode in order to get the public IP to ASA


When the ISP terminates the internet connection on a router, it is sometimes necessary to put that router in bridge mode so that the public IP address can be assigned directly on the firewall behind it (any brand).

A Cisco router can be put in bridge mode this way:
bridge 1 protocol ieee

int fa0/0   <- connected to ISP (change interface accordingly)
no ip address
bridge-group 1

int fa0/1  <- connected to ASA (change interface accordingly)
no ip address
bridge-group 1