This blog is designed to provide information about Routing, switching, Security, Data Center technologies for CCNA /CCNP/CCIE aspirants. Every effort has been made to make this blog as complete and as accurate as possible, but no warranty or fitness is implied
Tuesday 7 May 2013
Monday 6 May 2013
Configuring IOS CA Server
Configuring Cisco Router as CA Server
R1(config)#ip domain-name networkexpert.co
R1(config)#crypto key generate rsa general-keys label netx exportable
R1(config)#crypto key export rsa netx pem url nvram: 3des netx123
!generate and export RSA keys
R1#show crypto key mypubkey rsa
R1(config)#ip http server
R1(config)#crypto pki server netxCA
R1(cs-server)#database url nvram:
!If this command is not specified, all database entries are written to flash.
R1(cs-server)#database level <minimum | names | complete>
!minimum: stores only enough information to keep issuing new certificates without conflict (the default).
!names: in addition to the minimum level, stores the serial number and subject name of each certificate.
!complete: in addition to the minimum and names levels, writes each issued certificate to the database.
R1(cs-server)#issuer-name CN=iosca.networkexpert.co L=Blr C=In
R1(cs-server)#lifetime ca-certificate 365
!default 3 years
R1(cs-server)#lifetime certificate 200
!default 1 year
R1(cs-server)#cdp-url http://172.18.108.26/netxcdp.netx.crl
R1(cs-server)#lifetime crl 24
!default 1 week
R1(cs-server)#grant auto
R1(cs-server)#no shutdown
R1# show crypto pki server
Thursday 2 May 2013
Configuring Anyconnect on ASA 8.2
AnyConnect Configuration
domain-name netx.com
!
crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.netx.com
subject-name CN=sslvpn.netx.com
keypair sslvpnkeypair
!
crypto ca enroll localtrust noconfirm
!
ssl trust-point localtrust outside
!The configuration above creates a self-signed certificate and binds it to the outside interface
copy tftp://172.16.1.66/anyconnect-win-2.0.0343-k9.pkg flash
!copy the AnyConnect software package to flash (disk0:)
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
enable outside
svc enable
!
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
!
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 172.16.1.95
vpn-tunnel-protocol svc
default-domain value netx.com
address-pools value SSLClientPool
!
sysopt connection permit-vpn
!
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
webvpn
tunnel-group-list enable
!
access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 192.168.25.0 255.255.255.0
!
nat (inside) 0 access-list no_nat
nat (inside) 1 0 0
global (outside) 1 interface
!
username netx password netx
username netx attributes
service-type remote-access
!
Wednesday 1 May 2013
Configuring Network Object NAT in ASA 8.4
Network Object NAT
(ASA 8.4)
-----------------------------
Dynamic NAT
The following example configures dynamic NAT that hides the 192.168.2.0 network behind a range of outside addresses 2.2.2.1-2.2.2.10:
ASA(config)# object network my-range-obj
ASA(config-network-object)# range 2.2.2.1 2.2.2.10
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic my-range-obj
Dynamic PAT
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 2.2.2.2:
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic 2.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface
Dynamic NAT with Dynamic PAT backup
The following example configures dynamic NAT with dynamic PAT backup. Hosts on the inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
ASA(config)# object network nat-range1
ASA(config-network-object)# range 10.10.10.10 10.10.10.20
!pool of public IP addresses (dynamic NAT)
ASA(config-network-object)# object network pat-ip1
ASA(config-network-object)# host 10.10.10.21
!single public IP for PAT (dynamic PAT)
ASA(config-network-object)# object-group network nat-pat-grp
ASA(config-network-object-group)# network-object object nat-range1
ASA(config-network-object-group)# network-object object pat-ip1
!object group listing dynamic NAT first, then dynamic PAT, in that order
ASA(config-network-object-group)# object network my_net_obj5
ASA(config-network-object)# subnet 10.76.11.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
!private subnet and its NAT rule: use the object group in order, and when it is full fall back to PAT on the outside interface
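To make the allocation order concrete, here is an added example (not Cisco code and not from the original post) that models the dynamic nat-pat-grp interface rule in Python: one-to-one NAT from nat-range1 until the pool is empty, then PAT on pat-ip1, then PAT on the outside interface. The outside interface address 203.0.113.1 and the two-port PAT space per address are assumptions chosen so the fallback is visible within a handful of flows.

```python
import ipaddress


def ip_range(first, last):
    """All addresses in an inclusive range, like 'range 10.10.10.10 10.10.10.20'."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class DynamicNatWithPatBackup:
    """Simplified model of 'nat (inside,outside) dynamic nat-pat-grp interface':
    one-to-one dynamic NAT from nat-range1 while it lasts, then PAT on pat-ip1,
    then PAT on the outside interface address. The interface address and the
    number of PAT ports per address are assumptions of this example; a real
    ASA draws from the whole ephemeral port space."""

    def __init__(self, nat_first, nat_last, pat_ip, interface_ip, ports_per_ip=2):
        self.nat_free = ip_range(nat_first, nat_last)   # unused 1:1 mapped addresses
        self.nat_xlates = {}                            # real host -> mapped address
        self.pat_pools = [(pat_ip, list(range(1024, 1024 + ports_per_ip))),
                          (interface_ip, list(range(1024, 1024 + ports_per_ip)))]

    def translate(self, real_ip, real_port):
        """Return (mapped_ip, mapped_port) for a new outbound flow from real_ip."""
        if real_ip in self.nat_xlates:                  # existing xlate is reused
            return (self.nat_xlates[real_ip], real_port)
        if self.nat_free:                               # 1. dynamic NAT keeps the port
            mapped = self.nat_free.pop(0)
            self.nat_xlates[real_ip] = mapped
            return (mapped, real_port)
        for addr, ports in self.pat_pools:              # 2. PAT on pat-ip1, 3. on interface
            if ports:
                return (addr, ports.pop(0))
        raise RuntimeError("dynamic NAT pool and both PAT addresses are exhausted")


def run_demo():
    """Constructed traffic: one flow from each of 13 hosts in 10.76.11.0/24, then
    two more flows from the last host; nat-range1 holds 11 addresses."""
    nat = DynamicNatWithPatBackup("10.10.10.10", "10.10.10.20", "10.10.10.21",
                                  "203.0.113.1", ports_per_ip=2)
    flows = [(f"10.76.11.{h}", 40000 + h) for h in range(1, 14)]
    flows += [("10.76.11.13", 50000), ("10.76.11.13", 50001)]
    return [(flow, nat.translate(*flow)) for flow in flows]


if __name__ == "__main__":
    for real, mapped in run_demo():
        print(f"{real[0]}:{real[1]} -> {mapped[0]}:{mapped[1]}")
```

Hosts 1 to 11 receive one-to-one mappings, host 12 and the first flow of host 13 are PATed behind 10.10.10.21, and the remaining flows of host 13 fall through to the interface address.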
Static NAT
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static 2.2.2.2 dns
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
ASA(config)# object network my-mapped-obj
ASA(config-network-object)# host 2.2.2.2
ASA(config-network-object)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static my-mapped-obj
Static PAT
The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the outside interface at port 2121.
ASA(config)# object network my-ftp-server
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
Identity NAT
The following example maps a host address to itself using an inline mapped address:
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static 10.1.1.1
Monday 4 July 2011
Core Knowledge Questions Removed from the CCIE Security and CCIE Storage Exams
Effective August 15, 2011, the CCIE Security Lab Exam and CCIE Storage Networking Lab Exam, in all global locations, will no longer include the four open-ended Core Knowledge questions. The removal of the Core Knowledge questions allows candidates to use the total lab time for configuration and troubleshooting. The total lab time will remain eight hours.
Friday 3 June 2011
NAT 0 statement in Cisco Firewall (PIX/ASA)
NAT 0 STATEMENT:
nat (inside_interface_name) 0
NAT 0 has two effects:
- nat (inside_interface_name) 0 access-list 101
This works exactly the same way as static, except it bypasses NAT. It does not require the connection to be initiated from the higher security interface before the host on the lower security interface can create a connection to the host on the higher security level interface.
- nat (inside_interface_name) 0 0.0.0.0 0.0.0.0
This bypasses NAT, but requires the host on the higher security interface to first initiate a connection to the host on the lower security interface before the host on the lower security interface can initiate a connection.
NAT Order of Operation in Cisco Firewall (ASA/PIX)
- nat 0 access-list (nat-exempt)
- match against existing xlates
- static statements
  - static NAT with and without access-list (first match)
  - static PAT with and without access-list (first match)
- nat
  - nat access-list (first match)
    Note: The nat 0 access-list command is not part of this command.
  - nat (best match)
    Note: When choosing a global address from multiple pools with the same NAT ID, this order is attempted:
    - If the ID is 0, create an identity xlate.
    - Use the global pool for the dynamic NAT.
    - Use the global pool for the dynamic PAT.
Monday 30 May 2011
Automatic Backup of Cisco Router Configuration using KRON
About KRON:
The Command Scheduler (KRON) Policy for System Startup feature enables support for Command Scheduler upon system startup.
Command Scheduler allows customers to schedule fully-qualified EXEC mode CLI commands to run once, at specified intervals, at specified calendar dates and times, or upon system startup. Originally designed to work with CNS commands, Command Scheduler has a broader application. Using the CNS image agent feature, remote routers residing outside a firewall or using Network Address Translation (NAT) addresses can use Command Scheduler to launch CLI at intervals to update the image running in the router.
Command Scheduler has two basic processes. A policy list is configured containing lines of fully-qualified EXEC CLI commands to be run at the same time or interval. One or more policy lists are then scheduled to run after a specified interval of time, at a specified calendar date and time, or upon system startup. Each scheduled occurrence can be set to run once only or on a recurring basis.
Commands
RX2(config)# kron policy-list netx
RX2(config-kron-policy)# cli sh running-config | redirect tftp://172.16.1.150/backup-cfg
RX2(config-kron-policy)# exit
RX2(config)# kron occurrence netx-kron at 10:00 recurring
RX2(config-kron-occurrence)# policy-list netx
RX2(config-kron-occurrence)# exit
Verification:
RX2#sh kron schedule
Kron Occurrence Schedule
netx-kron inactive, will run again in 0 days 21:03:06 at 10:00 on
The above configuration can be used to schedule an automatic backup of the Cisco router configuration. As configured, the router copies its running configuration to the specified TFTP server at 10:00 AM every day.
Automatic Backup of Cisco Router Configuration using Archive
RX2(config)#archive
RX2(config-archive)# path tftp://172.16.1.150/backup-cfg
RX2(config-archive)# time-period 1440
RX2(config-archive)# write-memory
RX2(config-archive)# exit
The above configuration can be used to schedule an automatic backup of the Cisco router configuration. As configured, the router backs up its configuration to the TFTP server given in the path command every 24 hours (1440 minutes), and also whenever a user saves changes with the write memory command.
Configuration Change Notification and Logging
About Configuration Log
The Configuration Change Notification and Logging feature tracks changes made to the Cisco IOS software running configuration by maintaining a configuration log. This configuration log tracks changes initiated only through the command-line interface (CLI) or HTTP. Only complete commands that result in the invocation of action routines are logged. The following types of entries are not logged:
You can display information from the configuration log through the use of the show archive log config command, with the exception of the parser return codes, which are for use by internal Cisco IOS applications only.
About Configuration Change Notifications and Config Change Logging
You can configure the Configuration Change and Notification Logging feature to send notification of configuration changes to the Cisco IOS software system logging (syslog) process. Syslog notifications allow monitoring of the configuration log information without performing polling and information gathering tasks.
The Configuration Change Notification and Logging feature allows the tracking of configuration changes entered by users on a per-session and per-user basis. This tool allows administrators to track any configuration change made to the Cisco IOS software running configuration, and identify the user that made that change.
Commands
RX2(config)#archive
RX2(config-archive)# log config
RX2(config-archive-log-cfg)# hidekeys
RX2(config-archive-log-cfg)# logging enable
RX2(config-archive-log-cfg)# notify syslog
RX2(config-archive-log-cfg)# exit
The hidekeys keyword suppresses passwords in the logged commands.
Verification:
RX2#sh archive log config all
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | notify syslog
3 1 console@console | exit
4 1 console@console | exit
5 2 console@console |router rip
6 2 console@console | exit
7 2 console@console |no router rip
8 2 console@console |enable password *****
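As an added example (not part of the original post), the following Python parses show archive log config all output into records, groups them per session and user, and flags credential, AAA and logging changes while checking that hidekeys masked any secret. The sample log is constructed from the output above plus a third session from a vty user, which is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 'show archive log config all' output above;
# session 3 (a remote vty user) is added by this example to show grouping.
SAMPLE_LOG = """\
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | notify syslog
3 1 console@console | exit
4 1 console@console | exit
5 2 console@console |router rip
6 2 console@console | exit
7 2 console@console |no router rip
8 2 console@console |enable password *****
9 3 admin@vty0 |no logging console
10 3 admin@vty0 |username svc privilege 15 password *****
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*\|\s*(.*?)\s*$")
# Commands an auditor wants to see: credentials, AAA and anything that alters logging.
SENSITIVE_RE = re.compile(r"^(no\s+)?(enable\s+(password|secret)|username\b|aaa\b|logging\b|archive\b)")

def parse_config_log(text):
    """Return (idx, session, user@line, command) tuples; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            idx, sess, who, cmd = m.groups()
            entries.append((int(idx), int(sess), who, cmd))
    return entries

def sessions(entries):
    """Group commands per (session, user@line): the per-user view the feature promises."""
    by_sess = defaultdict(list)
    for _, sess, who, cmd in entries:
        by_sess[(sess, who)].append(cmd)
    return dict(by_sess)

def sensitive_changes(entries):
    """Flag credential/AAA/logging commands and check that hidekeys masked any secret.
    Each result is (idx, user@line, command, secret_hidden)."""
    flagged = []
    for idx, _, who, cmd in entries:
        if SENSITIVE_RE.match(cmd):
            secret_hidden = "password" not in cmd or cmd.endswith("*****")
            flagged.append((idx, who, cmd, secret_hidden))
    return flagged
```

A cleartext password in a flagged entry (secret_hidden False) means hidekeys was not in effect when that command was logged.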