
Tuesday 11 September 2012

ASA VPN FAILOVER


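! Site-to-site IPsec over two ISP uplinks: one crypto map lists both remote
! peers and is bound to both outside interfaces, so the tunnel can be
! negotiated over either uplink.
! REMOTE_IP_FIRST_PEER / REMOTE_IP_SEC_PEER stand for the two peer addresses.
! (The original had a stray space inside "REMOTE_IP_FIRST _PEER", which the
! parser would read as two separate tokens; it is removed here.)
! LAN_Traffic is the crypto ACL that selects the flows to encrypt (not shown).
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2l 1 match address LAN_Traffic
crypto map l2l 1 set peer REMOTE_IP_FIRST_PEER REMOTE_IP_SEC_PEER
crypto map l2l 1 set transform-set L2L
! Bind the map to both uplinks: outside = first ISP, outside2 = second ISP.
crypto map l2l interface outside
crypto map l2l interface outside2
! ISAKMP has to be enabled on both uplinks as well.
crypto isakmp enable outside
crypto isakmp enable outside2
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
! NOTE(review): DH group 2 (1024-bit) is below current guidance; use a larger
! group (e.g. 14) if both peers support it.
 group 2
 lifetime 86400
!
! One tunnel-group per peer address, each with its own pre-shared key. Both
! key values below are placeholders; use a distinct, strong key per peer.
tunnel-group REMOTE_IP_FIRST_PEER type ipsec-l2l
tunnel-group REMOTE_IP_FIRST_PEER ipsec-attributes
 pre-shared-key mapskey
tunnel-group REMOTE_IP_SEC_PEER type ipsec-l2l
tunnel-group REMOTE_IP_SEC_PEER ipsec-attributes
 pre-shared-key KEY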

Monday 10 September 2012

DHCP on Juniper


set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway x.x.x.x
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 x.x.x.x
set interface bgroup0 dhcp server ip x.x.x.x to x.x.x.x
unset interface bgroup0 dhcp server config next-server-ip

Wednesday 22 August 2012

ENABLE SSH ON ASA 5505



asa5505#conf t
asa5505(config)#username ccie password 4u
asa5505(config)#passwd  "your password"
ssh x.x.x.x x.x.x.x [inside/outside]   <-- the network that is allowed to SSH in, e.g. ssh 10.10.10.1 255.255.255.255 outside
crypto key generate rsa modulus {512/768/1024/2048}
aaa authentication ssh console LOCAL    <-- "LOCAL" must be in CAPITAL LETTERS

DHCP SERVER ASA5505


Below is a quick DHCP server config for the ASA:


ASA5505(config)#dhcpd address  192.168.1.1 - 192.168.1.50 inside

ASA5505 (config)#dhcpd dns 8.8.8.8 9.9.9.9
ASA5505 (config)#dhcpd enable inside


ASA5505 (config)#sh dhcpd binding

Tuesday 21 August 2012

ASA Failover with 2 ISP's and SLA's


: Saved
: Written by enable_15 at 00:45:15.499 UTC Tue Aug 21 2012
!
! ASA 5505 with two ISP uplinks (outside / outside2). Each default route is tied
! to an SLA-backed track object so it is withdrawn when its ICMP probe fails, and
! a LAN failover link on Vlan100 pairs this primary unit with a standby.
!
ASA Version 8.2(5)
!
hostname ASA1
! NOTE(review): these are the widely published default hashes (empty enable
! password, login password "cisco"); set real credentials before the unit is
! reachable from any network.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
!
! Ethernet0/1 = inside LAN (vlan 200), 0/3 = ISP1 (vlan 80), 0/4 = ISP2
! (vlan 90), 0/7 = failover link (vlan 100); unused ports are shut down.
interface Ethernet0/1
 switchport access vlan 200
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 switchport access vlan 80
!
interface Ethernet0/4
 switchport access vlan 90
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 100
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
! First uplink (ISP1).
interface Vlan80
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.252
!
! Second uplink (ISP2), same security level as outside.
interface Vlan90
 nameif outside2
 security-level 0
 ip address 172.16.0.217 255.255.255.0
!
! Carries only the failover link to the standby unit.
interface Vlan100
 description LAN Failover Interface
!
interface Vlan200
 description INTERNAL_LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu outside2 1500
mtu inside 1500
! Active/standby failover: this unit is primary; the standby is 10.10.10.2 on
! the failover link.
failover
failover lan unit primary
failover lan interface failover-link Vlan100
failover interface ip failover-link 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! PAT all inside hosts to the address of whichever outside interface the
! active default route selects.
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Primary default via ISP1 (distance 1) guarded by track 1; backup via ISP2
! (distance 2) guarded by track 2. A tracked route leaves the routing table
! while its track object is down, so ISP2 is used only when the ISP1 probe fails.
route outside 0.0.0.0 0.0.0.0 20.20.20.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.0.100 2 track 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! One ICMP echo probe per uplink, each pinned to its own interface.
! NOTE(review): both probes target the same host (8.8.8.8); if that host stops
! answering, both tracks go down and both default routes are withdrawn together.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside2
sla monitor schedule 2 life forever start-time now
! IPsec SA lifetimes only; no transform-set or crypto map appears in this
! listing, so these two lines have no effect here.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! track N follows the reachability result of sla monitor N.
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
! Only idle timeouts are set; no "ssh"/"telnet <net> <mask> <if>" lines appear
! in this listing, so remote CLI access is not opened from any network here.
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
! Smart Call Home profile is present but disabled ("no active").
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:52d9cb2e2214493c3f293194951ba5ed
: end

Wednesday 27 June 2012

How do I configure GRE tunnels?


Configuring GRE tunnels on Cisco routers is relatively easy—all it takes is a few simple commands. Here's an example of a simple configuration:
Router A:
! Router A: Tunnel0 is sourced from Serial0/0 (192.168.4.1) and terminates at
! Router B's serial (192.168.4.2); the tunnel carries the 1.1.1.0/24 overlay.
! NOTE(review): plain GRE carries its payload unencrypted; pair it with IPsec
! if the 192.168.4.0/24 path is not trusted.
interface Ethernet0/1
ip address 10.2.2.1 255.255.255.0

interface Serial0/0
ip address 192.168.4.1 255.255.255.0

interface Tunnel0
ip address 1.1.1.2 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.4.2
Router B:
! Router B: mirror image of Router A - source 192.168.4.2, destination
! 192.168.4.1, overlay address 1.1.1.1 on the same /24 as A's 1.1.1.2.
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0

interface Serial0/0
ip address 192.168.4.2 255.255.255.0

interface Tunnel0
ip address 1.1.1.1 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.4.1

Tuesday 12 June 2012

ASA 5505 IPsec Configuration






Here is the config of the first ASA 5505; the opposite firewall uses the same config with only the IPs changed.


cisco-1# sh run
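: Saved
:
! Site-to-site IPsec between two ASA 5505s, cisco-1 side; the peer at
! 192.168.1.2 runs the mirror image with the LAN addresses swapped.
ASA Version 8.2(5)
!
hostname cisco-1
! NOTE(review): these are the widely published default hashes (empty enable
! password, login password "cisco"); set real credentials before deployment.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! Ethernet0/0 (presumably on the default VLAN 1) faces the peer;
! Ethernet0/1 on VLAN 2 is the LAN side.
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
! ACL 100 selects the LAN-to-remote-LAN traffic to encrypt; nonat lists the
! same flows so they bypass PAT and enter the tunnel with their private
! addresses. Both lines were split by pager padding in the original capture
! and are re-joined here.
access-list 100 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! nat 0 + ACL is NAT exemption for the VPN flows; everything else is PAT'd
! to the outside address.
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
! The remote LAN is reached via the peer's outside address.
route outside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES / SHA-1 / DH group 2 were common in 2012 but are weak by
! current standards; prefer AES and a larger DH group where both peers allow.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.2
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Policy 65535 repeats policy 10 exactly (likely an auto-added default) and
! adds nothing here.
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
! Allows managing the ASA over the VPN via its inside address.
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Never drop the VPN on idle.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
! The key is masked in "show run"; it must match the one set on the peer.
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
! Smart Call Home profile is present but disabled ("no active").
call-home
 profile CiscoTAC-1
  no active
! The URL was split by pager padding in the original capture; re-joined here.
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email sendaler@home.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d1fd0b2e66163cb22f8ec19013d3b3c4
: end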
cisco-1#

Monday 11 June 2012

NAT Load Balance

Here is a small config I did for NAT load balancing using route maps:









LAN#sh run
Building configuration...

Current configuration : 1272 bytes
!
! Router "LAN": two equal-cost default routes (one per ISP) plus a NAT
! route-map per egress interface, so each session is translated to the
! address of whichever ISP link it actually leaves on.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords would be stored in clear text in this config;
! "service password-encryption" is the usual minimum.
no service password-encryption
!
hostname LAN
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Loopback0 stands in for the inside LAN (192.168.0.0/24).
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! ISP1 link.
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! ISP2 link.
interface FastEthernet1/1
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Two equal-cost defaults: CEF shares outbound traffic across both ISPs.
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
no ip http server
no ip http secure-server
!
! Route-map names are case-sensitive; "ISP2" / "isp1" here match the
! route-map definitions below.
ip nat inside source route-map ISP2 interface FastEthernet1/1 overload
ip nat inside source route-map isp1 interface FastEthernet1/0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
! Each route-map matches the inside source ACL AND the egress interface, so
! a NAT rule only fires for traffic leaving through its own ISP link.
route-map isp1 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet1/1
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
! NOTE(review): no password/aaa and no "transport input" restriction on the
! vty lines; configure authentication and "transport input ssh" before
! exposing management.
line vty 0 4
!
!
end

PPPoe Configuration for Cisco Router





!
! PPPoE client: the physical port only carries the PPPoE session; all IP and
! PPP settings live on Dialer0, which is tied to the port via dial pool 1.
interface FastEthernet0/1/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dialer0
! Address is assigned by the ISP during IPCP; MTU is reduced below 1500 to
! leave room for the PPPoE/PPP headers.
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
! NOTE(review): PAP sends the credentials in clear text and "password 0"
! keeps them in clear text in the config; use CHAP if the ISP supports it
! and enable "service password-encryption" at minimum. XXXXXXX / XXXXXX are
! placeholders for the ISP-supplied username and password.
 ppp authentication pap callin
 ppp pap sent-username XXXXXXX password 0 XXXXXX
 no cdp enable


·         Check with the command "show pppoe session": the status should be UP, and in "show ip inter br" the Dialer interface should have received an IP.

HSRP/SLA's With two Layer 3 Switches













Here are the configs:


sh run
Building configuration...

Current configuration : 1609 bytes
!
! HSRP_1: Layer-3 switch that is HSRP active for Vlan1 (priority 110) and
! standby for Vlan2. Each switch NATs out its own FastEthernet4 uplink and
! watches upstream reachability with an IP SLA probe; when the probe fails
! the tracked default route is withdrawn and a backup default via the peer
! switch takes over.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords would be stored in clear text in this config;
! "service password-encryption" is the usual minimum.
no service password-encryption
!
hostname HSRP_1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
! NOTE(review): IP source routing is left enabled; "no ip source-route" is
! the common hardening default.
ip source-route
!
!
!
!
ip cef
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
! track 1 follows the result of "ip sla 1" below; the delay damps flapping
! (10 s before declaring down, 1 s before declaring up).
track 1 ip sla 1 reachability
 delay down 10 up 1
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
! Trunk to the peer switch carrying both HSRP VLANs.
interface FastEthernet0
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
!
! Uplink: address by DHCP, NAT outside.
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Vlan1: this switch is preferred active (priority 110 vs. the default 100)
! and preempts once it recovers.
! NOTE(review): no "standby N authentication" is configured on either VLAN,
! so the HSRP election is unauthenticated; set matching authentication on
! both switches.
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 1 ip 192.168.1.254
 standby 1 priority 110
 standby 1 preempt
!
! Vlan2: default priority, so the peer switch is active here.
interface Vlan2
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 2 ip 192.168.2.254
 standby 2 preempt
!
ip forward-protocol nd
! Primary default via the upstream gateway, withdrawn when track 1 is down;
! the AD-10 backup via the peer switch (192.168.1.2) then takes over.
! NOTE(review): FastEthernet4 gets its address by DHCP but the next hop
! 172.16.0.100 is fixed - confirm it matches what the uplink DHCP hands out.
ip route 0.0.0.0 0.0.0.0 172.16.0.100 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 10
no ip http server
no ip http secure-server
!
! PAT both internal VLANs to the uplink address.
ip nat inside source list WLAN_NAT interface FastEthernet4 overload
!
ip access-list extended WLAN_NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! Single ICMP probe every 10 s; track 1 and hence the primary default route
! depend on this one target.
ip sla 1
 icmp-echo 172.16.0.203
 frequency 10
ip sla schedule 1 life forever start-time now
no cdp run

!
control-plane
!
!
line con 0
 no modem enable
line aux 0
! NOTE(review): "login" with no password set (and no aaa) means IOS refuses
! vty sessions; set a password or aaa and add "transport input ssh" before
! relying on remote management.
line vty 0 4
 login
!
scheduler max-task-time 5000
end

HSRP_1#



Here is the HSRP_2 config:


sh running-config
Building configuration...

Current configuration : 1671 bytes
!
! HSRP_2: peer of HSRP_1. Active for Vlan2 (priority 110), standby for
! Vlan1, and also the DHCP server for the Vlan2 (WLAN) subnet. NAT, SLA
! tracking and the backup default route mirror the HSRP_1 layout.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): passwords would be stored in clear text in this config;
! "service password-encryption" is the usual minimum.
no service password-encryption
!
hostname HSRP_2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
! NOTE(review): IP source routing is left enabled; "no ip source-route" is
! the common hardening default.
ip source-route
!
!
!
! DHCP for the WLAN subnet; clients are pointed at the HSRP virtual IP
! (192.168.2.254), not at this switch's own address.
ip dhcp pool WLAN_DHCP
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server 172.16.0.1
!
!
ip cef
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
! track 1 follows "ip sla 1" below; delays damp flapping.
track 1 ip sla 1 reachability
 delay down 10 up 1
!
!
!
! Trunk to the peer switch carrying both HSRP VLANs.
interface FastEthernet0
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
!
! Uplink: address by DHCP, NAT outside.
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Vlan1: default priority, so the peer switch (priority 110) is active here.
! NOTE(review): no "standby N authentication" is configured on either VLAN,
! so the HSRP election is unauthenticated; set matching authentication on
! both switches.
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 1 ip 192.168.1.254
 standby 1 preempt
!
! Vlan2: this switch is preferred active and preempts once it recovers.
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 2 ip 192.168.2.254
 standby 2 priority 110
 standby 2 preempt
!
ip forward-protocol nd
! Primary default via the upstream gateway, withdrawn when track 1 is down;
! the AD-10 backup via the peer switch (192.168.1.1) then takes over.
! NOTE(review): FastEthernet4 gets its address by DHCP but the next hop
! 172.16.0.100 is fixed - confirm it matches what the uplink DHCP hands out.
ip route 0.0.0.0 0.0.0.0 172.16.0.100 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
no ip http server
no ip http secure-server
!
! PAT both internal VLANs to the uplink address.
ip nat inside source list WLAN_NAT interface FastEthernet4 overload
!
ip access-list extended WLAN_NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! Single ICMP probe every 10 s (a different target than on the peer);
! track 1 and hence the primary default route depend on this one host.
ip sla 1
 icmp-echo 172.16.0.201
 frequency 10
ip sla schedule 1 life forever start-time now
no cdp run

!
control-plane
!
!
line con 0
 no modem enable
line aux 0
! NOTE(review): "login" with no password set (and no aaa) means IOS refuses
! vty sessions; set a password or aaa and add "transport input ssh" before
! relying on remote management.
line vty 0 4
 login
!
scheduler max-task-time 5000
end

HSRP_2#