
Tuesday 11 September 2012

ASA VPN FAILOVER


crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2l 1 match address LAN_Traffic
crypto map l2l 1 set peer REMOTE_IP_FIRST_PEER REMOTE_IP_SEC_PEER
crypto map l2l 1 set transform-set L2L
crypto map l2l interface outside   <-- Points to first ISP
crypto map l2l interface outside2  <-- Points to second ISP
crypto isakmp enable outside       <-- Apply to first ISP
crypto isakmp enable outside2      <-- Apply to second ISP
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
!
tunnel-group REMOTE_IP_FIRST_PEER type ipsec-l2l
tunnel-group REMOTE_IP_FIRST_PEER ipsec-attributes
 pre-shared-key mapskey
tunnel-group REMOTE_IP_SEC_PEER type ipsec-l2l
tunnel-group REMOTE_IP_SEC_PEER ipsec-attributes
 pre-shared-key KEY

Monday 10 September 2012

DHCP on Juniper


set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway x.x.x.x
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 x.x.x.x
set interface bgroup0 dhcp server ip x.x.x.x to x.x.x.x
unset interface bgroup0 dhcp server config next-server-ip

Wednesday 22 August 2012

ENABLE SSH ON ASA 5505



asa5505#conf t
asa5505(config)#username ccie password 4u
asa5505(config)#passwd  "your password"
asa5505(config)#ssh x.x.x.x x.x.x.x [inside|outside]   <-- The host or network allowed to SSH in, e.g. ssh 10.10.10.1 255.255.255.255 outside
asa5505(config)#crypto key generate rsa modulus {512|768|1024|2048}
asa5505(config)#aaa authentication ssh console LOCAL    <-- "LOCAL" must be in capital letters

DHCP SERVER ASA5505


Below is a quick DHCP server config for the ASA:

ASA5505(config)#dhcpd address 192.168.1.1-192.168.1.50 inside
ASA5505(config)#dhcpd dns 8.8.8.8 9.9.9.9
ASA5505(config)#dhcpd enable inside

Verify the leases that have been handed out:

ASA5505(config)#sh dhcpd binding

Tuesday 21 August 2012

ASA Failover with 2 ISPs and SLAs


: Saved
: Written by enable_15 at 00:45:15.499 UTC Tue Aug 21 2012
!
ASA Version 8.2(5)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 switchport access vlan 200
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 switchport access vlan 80
!
interface Ethernet0/4
 switchport access vlan 90
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 100
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan80
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.252
!
interface Vlan90
 nameif outside2
 security-level 0
 ip address 172.16.0.217 255.255.255.0
!
interface Vlan100
 description LAN Failover Interface
!
interface Vlan200
 description INTERNAL_LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu outside2 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover-link Vlan100
failover interface ip failover-link 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20.20.20.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.0.100 2 track 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside2
sla monitor schedule 2 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:52d9cb2e2214493c3f293194951ba5ed
: end

Wednesday 27 June 2012

How do I configure GRE tunnels?


Configuring GRE tunnels on Cisco routers is relatively easy—all it takes is a few simple commands. Here's an example of a simple configuration:
Router A:

interface Ethernet0/1
 ip address 10.2.2.1 255.255.255.0

interface Serial0/0
 ip address 192.168.4.1 255.255.255.0

interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.4.2

Router B:

interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0

interface Serial0/0
 ip address 192.168.4.2 255.255.255.0

interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.4.1

Tuesday 12 June 2012

ASA 5505 IPsec Configuration

Here is the config of the first ASA 5505; the opposite firewall is configured the same way, just with the IPs changed.

cisco-1# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname cisco-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
access-list 100 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.2
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email sendaler@home.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d1fd0b2e66163cb22f8ec19013d3b3c4
: end
cisco-1#
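The VPN configs in the "ASA VPN FAILOVER" and "ASA 5505 IPsec Configuration" posts above, together with the SSH post, are the kind of settings worth checking before a running-config goes live. The following is an added example (not from the original posts): a small Python audit that parses the `crypto isakmp policy` blocks, `transform-set` lines and `ssh` access lines of an ASA 8.2 running-config and flags legacy crypto (3DES, SHA-1, DH group 2) and management access open to any host. SAMPLE_CONFIG is constructed from the page's configs with an assumed open `ssh 0.0.0.0 0.0.0.0` line added; the weak/strong thresholds are this example's own policy.

```python
"""Audit IKEv1/IPsec and SSH-access settings in a Cisco ASA 8.2 running-config.
Added example, not from the original posts: SAMPLE_CONFIG is constructed from the
blog's ASA posts, and the weak/strong thresholds are this example's own policy."""
import re
SAMPLE_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 65535
 encryption 3des
 hash sha
 group 2
"""
# attribute -> (weak values, severity); on ASA 8.2 'sha' is SHA-1, DH group 2 is 1024-bit MODP
WEAK = {"encryption": ({"des", "3des"}, "high"),
        "hash": ({"md5", "sha"}, "medium"),
        "group": ({"1", "2"}, "medium")}

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any non-indented line ends the policy block
    return policies

def audit(config):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    for prio, attrs in parse_isakmp_policies(config).items():
        for attr, (weak, severity) in WEAK.items():
            if attrs.get(attr) in weak:
                findings.append((severity, f"isakmp policy {prio}: {attr} {attrs[attr]}"))
    for name, enc in re.findall(r"^crypto ipsec transform-set (\S+) esp-(\S+)", config, re.M):
        if enc in WEAK["encryption"][0]:
            findings.append(("high", f"transform-set {name}: esp-{enc}"))
    for net, mask, ifc in re.findall(r"^ssh (\d+\.\d+\.\d+\.\d+) (\S+) (\S+)", config, re.M):
        if net == mask == "0.0.0.0":
            findings.append(("high", f"ssh permitted from any host on {ifc}"))
    return findings
```

Run against the sample it reports eight findings: both IKE policies on all three counts, the `esp-3des` transform set, and the open SSH line, while the `esp-aes-256` set passes.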