18. July 2012 · Establishing a Point-to-Point WAN Connection with PPP · Categories: Cisco

18. July 2012 · SSH Setup on Cisco Router · Categories: Cisco
SSH Setup on Cisco Device
 
Router>enable
Password:
Router#configure terminal
Router(config)#hostname router1
router1(config)#ip domain-name mydomain.local
router1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: router1.mydomain.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
router1(config)#ip ssh time-out 60
router1(config)#ip ssh authentication-retries 3
router1(config)#ip ssh version 2
router1(config)#line vty 0 4
router1(config-line)#transport input ssh telnet
router1(config-line)#exit
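As an added example (not part of the original post), the script below audits the vty and SSH settings from the session above against a constructed running-config excerpt. It flags two things a reviewer would raise here: the `transport input ssh telnet` line keeps cleartext telnet reachable, and the vty block has no `login local` or AAA login method, which SSH needs in order to accept a username. The hostnames, the `admin` username and its placeholder secret are assumptions for the sample.

```python
# Added example (not from the original post): audit the vty/SSH settings
# of an IOS running-config excerpt and report weak or missing settings.

# Constructed sample: the commands from the post in running-config form.
# 'login local' is deliberately absent; without it (or an AAA method) an
# SSH login has nowhere to check its username.
WEAK_VTY_CONFIG = """\
hostname router1
ip domain-name mydomain.local
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 4
 transport input ssh telnet
"""

# Constructed hardened variant: SSH only, local username database for login.
# 'admin' and PLACEHOLDER_SECRET are assumptions, not values from the post.
HARDENED_VTY_CONFIG = """\
hostname router1
ip domain-name mydomain.local
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
username admin privilege 15 secret PLACEHOLDER_SECRET
line vty 0 4
 transport input ssh
 login local
"""


def parse_vty(config):
    """Split a config into top-level commands and the sub-commands of each 'line vty' block."""
    top, vty, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):          # indented: belongs to the current block
            if current is not None:
                vty[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith("line vty"):
            current = line
            vty[current] = []
        else:
            top.append(line)
    return top, vty


def audit_vty(config):
    """Return a list of findings; an empty list means every check passed."""
    top, vty = parse_vty(config)
    findings = []
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' not set; SSHv1 may be negotiated")
    for name, cmds in vty.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no 'transport input' restriction")
        for t in transports:
            if "telnet" in t.split() or t.split()[-1] == "all":
                findings.append(f"{name}: '{t}' leaves cleartext telnet enabled")
        has_login = any(c == "login local" or c.startswith("login authentication") for c in cmds)
        if not has_login:
            findings.append(f"{name}: no 'login local' or AAA login method; SSH requires a username")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_VTY_CONFIG), ("hardened", HARDENED_VTY_CONFIG)):
        print(label, audit_vty(cfg) or "OK")
```

The modulus size is not part of the running configuration, so the audit cannot check it; note that the 1024-bit key generated above is below the 2048-bit minimum generally recommended today.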
18. July 2012 · ASA VPN Quick Copy Paste Setup · Categories: Cisco

ASA VPN Quick Copy Paste Setup

webvpn
enable outside
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL
!
username Username password UserPassword
username Username attributes
!
webvpn
svc image anyconnect-win-2.5.2014-k9.pkg 1
svc image anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image anyconnect-linux-2.5.2014-k9.pkg 3
!
svc enable
!
ip local pool client-pool 172.16.21.1-172.16.21.254 mask 255.255.255.0
!
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool client-pool
!

!
object-group network VPN
network-object 172.16.21.0 255.255.255.0
object-group network INSIDE-NETWORK
network-object 10.10.10.0 255.255.255.0
group-object VPN
!
access-list VPNUSERS extended permit ip 10.10.10.0 255.255.255.0 any
access-list SplitACL standard permit 10.10.10.0 255.255.255.0
!
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value VPNUSERS
dns-server value 10.10.10.20 10.10.10.21
default-domain value MyDomain.local
!
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
!
group-policy DfltGrpPolicy attributes
webvpn
svc ask none default svc
!
End


The above config is a VPN setup that places the clients on a separate subnet. It works well; I have tested it several times on Cisco Adaptive Security Appliance Software Version 8.4(4)1.

** The setup guide command on the ASA is below. It doesn't harm the config; it just shows you the steps. **

vpnsetup ssl-remote-access steps
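As an added example (not part of the original post), the script below checks the three parts of the configuration above that most often break a split-tunnel AnyConnect deployment: the ACL named by `split-tunnel-network-list` must exist, the `dns-server` addresses must fall inside the tunneled networks when the policy is `tunnelspecified` (otherwise clients route DNS queries locally and cannot reach them), and the `ip local pool` must not overlap the tunneled networks. The sample config is a condensed copy of the post's commands; the checks are my own.

```python
# Added example (not from the original post): sanity checks for an ASA
# split-tunnel configuration, run against a constructed config excerpt.
import ipaddress

# Constructed sample, condensed from the configuration in the post.
VPN_CONFIG = """\
ip local pool client-pool 172.16.21.1-172.16.21.254 mask 255.255.255.0
access-list VPNUSERS extended permit ip 10.10.10.0 255.255.255.0 any
access-list SplitACL standard permit 10.10.10.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value VPNUSERS
 dns-server value 10.10.10.20 10.10.10.21
 split-tunnel-policy tunnelspecified
"""


def parse_vpn(config):
    """Extract the address pool, ACL networks and split-tunnel policy settings."""
    pool, acls, policy = None, {}, {}
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "local", "pool"]:
            start, end = parts[4].split("-")
            pool = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif parts[0] == "access-list":
            name, kind = parts[1], parts[2]
            if kind == "standard" and parts[3] == "permit":
                net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
            elif kind == "extended" and parts[3:5] == ["permit", "ip"]:
                net = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
            else:
                continue
            acls.setdefault(name, []).append(net)
        elif parts[0] == "split-tunnel-network-list":
            policy["acl"] = parts[2]
        elif parts[0] == "split-tunnel-policy":
            policy["mode"] = parts[1]
        elif parts[0] == "dns-server":
            policy["dns"] = [ipaddress.ip_address(a) for a in parts[2:]]
    return pool, acls, policy


def check_split_tunnel(config):
    """Return a list of findings; an empty list means the config is consistent."""
    pool, acls, policy = parse_vpn(config)
    findings = []
    nets = acls.get(policy.get("acl"), [])
    if policy.get("mode") == "tunnelspecified":
        if not nets:
            findings.append(f"split ACL {policy.get('acl')!r} is missing or has no permit entries")
        for dns in policy.get("dns", []):
            if not any(dns in n for n in nets):
                findings.append(f"dns-server {dns} is outside the tunneled networks; clients cannot reach it")
    if pool:
        start, end = pool
        for n in nets:
            if n[0] <= end and start <= n[-1]:   # ranges intersect
                findings.append(f"pool {start}-{end} overlaps tunneled network {n}")
    return findings


if __name__ == "__main__":
    print(check_split_tunnel(VPN_CONFIG) or "OK")
```

Run against the post's values the checks pass: both DNS servers sit in 10.10.10.0/24, which is the only network the VPNUSERS ACL tunnels, and the 172.16.21.0/24 pool is disjoint from it.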

18. July 2012 · Basic configuration tutorial for the Cisco ASA · Categories: Cisco
This article gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA security appliance. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch.

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface.
Step 1: Configure a privileged level password (enable password)
 
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed for all subsequent access to the appliance. Configure this in configuration mode:
ASA5510(config)# enable password mysecretpassword
Step 2: Configure the public outside interface
 
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut
 
Step 3: Configure the trusted internal interface
 
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut
 
Step 4: Configure PAT on the outside interface
 
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
 
UPDATE for ASA Version 8.3
In March 2010, Cisco released ASA software version 8.3. This version introduced several important configuration changes, especially to the NAT/PAT mechanism. The "global" command is no longer supported; NAT (static and dynamic) and PAT are configured under network objects instead. The PAT configuration below is for ASA 8.3 and later:
 
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
 
Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
 
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
 
Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
 
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
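As an added example (not part of the original tutorial), the script below takes the commands from Steps 2 to 6, in their running-config form with the 8.3+ object NAT variant, and checks the relationships between them that the steps leave implicit: the inside interface must carry a higher security level than the outside one, the default route's next hop must sit on the outside interface's subnet, and the DHCP range must lie inside the inside interface's subnet without including the interface's own address. The config text is a constructed sample built from the tutorial's values.

```python
# Added example (not from the original tutorial): consistency checks for the
# basic ASA configuration, run against a constructed running-config excerpt.
import ipaddress

# Constructed sample: Steps 2-6 from the tutorial, prompts removed, 8.3+ NAT.
BASE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
dhcpd dns 200.200.200.10
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
"""


def parse_base(config):
    """Collect interfaces (name, level, address), static routes and DHCP ranges."""
    ifaces, routes, dhcp, current = {}, [], {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):              # top-level command
            current = None
            if parts[0] == "interface":
                current = parts[1]
                ifaces[current] = {}
            elif parts[0] == "route":
                routes.append({"iface": parts[1],
                               "dest": ipaddress.ip_network(f"{parts[2]}/{parts[3]}"),
                               "gw": ipaddress.ip_address(parts[4])})
            elif parts[:2] == ["dhcpd", "address"]:
                start, end = parts[2].split("-")
                dhcp[parts[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
            continue
        if current is None:                      # sub-command of a block we ignore
            continue
        if parts[0] == "nameif":
            ifaces[current]["name"] = parts[1]
        elif parts[0] == "security-level":
            ifaces[current]["level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            ifaces[current]["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return ifaces, routes, dhcp


def check_base(config):
    """Return a list of findings; an empty list means the steps fit together."""
    ifaces, routes, dhcp = parse_base(config)
    by_name = {v["name"]: v for v in ifaces.values() if "name" in v}
    findings = []
    inside, outside = by_name.get("inside"), by_name.get("outside")
    if inside and outside and not inside["level"] > outside["level"]:
        findings.append("inside security-level must be higher than outside")
    for r in routes:
        iface = by_name.get(r["iface"])
        if iface and r["gw"] not in iface["net"].network:
            findings.append(f"route via {r['gw']} is not on {r['iface']} subnet {iface['net'].network}")
    for name, (start, end) in dhcp.items():
        iface = by_name.get(name)
        if not iface:
            findings.append(f"dhcpd address refers to unknown interface {name}")
            continue
        net = iface["net"].network
        if start not in net or end not in net:
            findings.append(f"dhcp range {start}-{end} is not within {name} subnet {net}")
        elif start <= iface["net"].ip <= end:
            findings.append(f"dhcp range {start}-{end} includes the {name} interface address {iface['net'].ip}")
    return findings


if __name__ == "__main__":
    print(check_base(BASE_CONFIG) or "OK")
```

With the tutorial's values all three checks pass; the /30 on the outside interface leaves exactly one other usable address, 100.100.100.2, which is the default gateway the route points at.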
18. July 2012 · VLAN Trunking Protocol (VTP) · Categories: Cisco

18. July 2012 · Cisco ASA Anyconnect Setup · Categories: Cisco

Getting Started with Cisco Anyconnect

For the last few years, Cisco has been attempting to do away with what they call the Cisco EZVPN client. This has been the solution used by many corporate users in the mobile workforce for secure access to enterprise data. The need for mobility certainly isn't going away, and Cisco has a new solution for this called Anyconnect. While the EZVPN client used IPSec, Anyconnect uses SSL to create a secure tunnel. On the wire, this connection looks very much like accessing any ecommerce site, which alleviates some of the challenges of using IPSec on an ad hoc basis. In this article, we will start with a very basic ASA configuration and add a very basic Anyconnect configuration. There is actually a command that we can use to show us many of the configuration steps. We will also look at some of the additional items that typically need to be configured to achieve a basic Anyconnect environment.

Let’s start with the simplest possible ASA configuration. This can be achieved by using the “configure factory-default” command followed by configuring an outside IP address and default route. The relevant configuration is posted below. This output is from an ASA5505, so it uses VLANs as the layer 3 interfaces.

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
!

The configuration above is sufficient to achieve the NAT and firewall configuration for the following image.


18. July 2012 · Current Equipment I own [More on the way] · Categories: Uncategorized

Pretty excited that I am feeling very confident about my Route exam and I am ready to take the test soon. I even have a 3750 on the way. Will be moving on to the Switch test next. I plan on using GNS3 and using the 3750 as a breakout switch. Below is the short list of Cisco equipment I currently own. I will need to get 2 3560's so that I can work on some workbooks I have. I will post diagrams as I start using them.

2 3620’s

1 ASA5505

1 2611

2 3550

1 1750

1 1720

1 851

17. July 2012 · Inter-VLAN Routing on a Stick · Categories: Cisco