Example of a simple network configuration:
one router with WAN and LAN interfaces and a loopback interface:
- FastEthernet0/0 - WAN interface
- FastEthernet0/1 - LAN interface
- Loopback0 - internal router interface
SSL VPN access to networks:
- 2.2.2.0/24
- 4.4.4.0/24
configure router
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
description WAN interface
ip address 1.1.1.100 255.255.255.0
duplex auto
speed auto
no shut
!
interface FastEthernet0/1
description LAN interface
ip address 2.2.2.1 255.255.255.0
duplex full
speed 100
no shut
!
username cisco password cisco
configure SSL VPN
ip local pool SSLVPN1_POOL 3.3.3.10 3.3.3.20
!
access-list 2 permit 2.2.2.0 0.0.0.255
access-list 2 permit 4.4.4.0 0.0.0.255
!
webvpn gateway SSLVPN
ip interface FastEthernet0/0 port 443
http-redirect port 80
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-4279256517
logging enable
inservice
!
webvpn install svc disk0:/webvpn/anyconnect-win-2.5.0217-k9.pkg sequence 1
!
webvpn context SSLVPN
!
policy group SSLVPN1
functions svc-enabled
svc address-pool "SSLVPN1_POOL" netmask 255.255.255.0
svc keep-client-installed
svc split include acl 2
svc dns-server primary 10.10.10.1
svc dns-server secondary 10.10.10.2
!
ssl authenticate verify all
default-group-policy SSLVPN1
gateway SSLVPN
max-users 10
logging enable
inservice
disable logging
no logging enable
access to the VPN
http://1.1.1.100
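An added check for the SSL VPN configuration above (example code, not from the original post): it resolves the ACL named by "svc split include acl N" into prefixes, compares them with the two networks the post says the VPN should reach, and lists users whose credentials are stored with "password" instead of "secret". The sample config is constructed from the post's lines; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the post's router config, with the
# split-tunnel ACL covering the two networks the post lists as VPN-reachable.
SAMPLE_CONFIG = """\
username cisco password cisco
access-list 2 permit 2.2.2.0 0.0.0.255
access-list 2 permit 4.4.4.0 0.0.0.255
webvpn context SSLVPN
 policy group SSLVPN1
  functions svc-enabled
  svc split include acl 2
"""

def wildcard_to_network(net, wildcard):
    """Turn an IOS 'network wildcard' pair (e.g. 2.2.2.0 0.0.0.255) into a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # the one-bits must be contiguous from the low end
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (net, 32 - w.bit_length()), strict=False)

def split_include_networks(config):
    """Set of CIDR strings permitted by the ACL named in 'svc split include acl N'."""
    acl = re.search(r"^\s*svc split include acl (\d+)\s*$", config, re.M)
    if acl is None:
        return set()  # no split tunnelling configured: all traffic goes via the VPN
    entries = re.findall(r"^access-list %s permit (\d+\.\d+\.\d+\.\d+) (\S+)" % acl.group(1),
                         config, re.M)
    return {str(wildcard_to_network(net, wild)) for net, wild in entries}

def plaintext_password_users(config):
    """Users whose credential is stored with 'password' (type 0/7) rather than 'secret'."""
    return re.findall(r"^username (\S+) password ", config, re.M)

def audit(config, intended):
    """Compare the split-include ACL with the intended networks and list weak logins."""
    actual = split_include_networks(config)
    wanted = {str(ipaddress.ip_network(n)) for n in intended}
    return {
        "missing": sorted(wanted - actual),  # intended but not routed via the VPN
        "extra": sorted(actual - wanted),    # routed via the VPN but not intended
        "plaintext_users": plaintext_password_users(config),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, ["2.2.2.0/24", "4.4.4.0/24"]))
```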
Monday, June 25, 2012
Configure Cisco IOS SSL vpn
Thursday, May 10, 2012
Configure Redundant interface on ASA 5510 and above
Example of an ASA redundant interface used for the Inside and DMZ interfaces. You need to configure trunk ports on the switch.
Redundant interfaces are not supported on the ASA 5505; on the 5505, use STP instead.
# interface Ethernet0/1
# no nameif
# no security-level
# no ip address
# interface Ethernet0/2
# no nameif
# no security-level
# no ip address
# interface Redundant1
# member-interface Ethernet0/1
# member-interface Ethernet0/2
# no nameif
# no security-level
# no ip address
# interface Redundant1.100
# vlan 100
# nameif Inside
# security-level 100
# ip address 10.10.100.1 255.255.255.0
# interface Redundant1.50
# vlan 50
# nameif DMZ
# security-level 50
# ip address 10.10.50.1 255.255.255.0
Rename or move nameif Inside, Outside on Cisco ASA
# copy running-config flash:/running-config.backup
# copy running-config tftp:
edit running-config on your PC with a text editor that handles Unix line endings
# copy tftp: flash:/running-config.new
# copy flash:/running-config.new startup-config
# reload
if you need to return to the old configuration
# copy flash:/running-config.backup startup-config
# reload
P.S. tested with ASA 8.3, works perfectly
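For the editing step above, this added helper (example code, not from the post) renames an ASA nameif throughout a saved running-config and reports every changed line for review before the file is copied back. It assumes interface-name references are case-insensitive on the ASA (the post's own config uses both "Inside" and "inside"); the sample config is constructed in 8.3 syntax.

```python
import re

# Constructed sample in ASA 8.3 syntax, modelled on the post's interface and SSH lines.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
 description Inside LAN
nat (Inside,Outside) source dynamic any interface
access-group inside_in in interface Inside
ssh 0.0.0.0 0.0.0.0 inside
"""

def rename_nameif(config, old, new):
    """Return (new_config, changed) where changed lists (line_no, new_text).

    The match is whole-word and case-insensitive (assumption: the ASA treats
    interface names case-insensitively), so 'Inside' and 'inside' both change.
    Tokens such as 'inside_in' are object names, not interface references, and
    description lines are free text; neither is touched."""
    pattern = re.compile(r"(?<![\w-])%s(?![\w-])" % re.escape(old), re.IGNORECASE)
    out, changed = [], []
    for n, line in enumerate(config.splitlines(), 1):
        if not line.lstrip().startswith("description ") and pattern.search(line):
            line = pattern.sub(lambda _: new, line)
            changed.append((n, line))
        out.append(line)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    new_cfg, changed = rename_nameif(SAMPLE_CONFIG, "Inside", "LAN")
    for n, text in changed:  # review every changed line before copying it back
        print(n, text)
```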
Friday, April 27, 2012
Enable SSH access on IOS without AAA
# conf t
# hostname Router
# ip domain-name ciscotest.com
# crypto key generate rsa
# username cisco privilege 15 secret cisco
# ip ssh version 2
# ip ssh time-out 120
# ip ssh authentication-retries 3
# line vty 0 15
# login local
# transport input ssh
Enable SNMP on Cisco ASA
# conf t
# snmp-server community public
# snmp-server location Rack22
# snmp-server contact IT support
# snmp-server host Management 10.10.10.100 community public version 2c
Enable SSH on Cisco ASA
# conf t
# domain-name cisco.com
# crypto key generate rsa
# ssh 0.0.0.0 0.0.0.0 inside
# username cisco password cisco
# enable password cisco
# aaa authentication ssh console LOCAL
Thursday, April 5, 2012
Dell server and two cisco switches
Connect a Dell server with two Gbps NICs to two Cisco 4948 switches. The switches are connected by a trunk.
1. On the Dell server, configure a virtual adapter, add the NICs and set the team type to Smart Load Balancing.
2. On the Cisco switches, add the server VLAN to the trunk between the switches.
3. Configure the server ports on both switches.
interface GigabitEthernet1/7
description Dell server
switchport access vlan 111
logging event link-status
load-interval 30
spanning-tree portfast
Tuesday, January 24, 2012
Cisco ASA 5505 Failover
An ASA 5505 with the Security Plus license supports LAN-based failover (Active/Standby).
You need:
- two ASA 5505 with the Security Plus license
- one crossover cable
In our configuration we use:
- Ethernet 0/5 for the failover link
- Ethernet 0/1 for the internal LAN
- Ethernet 0/3 for the outside (Internet) link
configure primary ASA
ciscoasa# conf t
ciscoasa(config)# hostname ASA5505-1
ASA5505-1(config)# interface vlan 221
ASA5505-1(config-if)# description LAN Failover
ASA5505-1(config-if)# no shutdown
ASA5505-1(config)# failover
ASA5505-1(config)# failover lan unit primary
ASA5505-1(config)# failover lan interface failover Vlan221
ASA5505-1(config)# failover interface ip failover 10.221.10.1 255.255.255.0 standby 10.221.10.2
ASA5505-1(config)# int Vlan 80
ASA5505-1(config-if)# ip address 10.80.10.1 255.255.255.0 standby 10.80.10.2
ASA5505-1(config-if)# nameif TDMZ
ASA5505-1(config-if)# no shutdown
ASA5505-1(config)# int vlan 99
ASA5505-1(config-if)# ip address 10.10.20.253 255.255.255.0 standby 10.10.20.254
ASA5505-1(config-if)# nameif Outside
ASA5505-1(config-if)# security-level 100
ASA5505-1(config-if)# no shutdown
ASA5505-1(config)# interface ethernet 0/3
ASA5505-1(config-if)# switchport access vlan 99
ASA5505-1(config-if)# description Outside
ASA5505-1(config-if)# no shutdown
ASA5505-1(config-if)# interface ethernet 0/1
ASA5505-1(config-if)# description TDMZ
ASA5505-1(config-if)# switchport access vlan 80
ASA5505-1(config-if)# no shutdown
ASA5505-1(config-if)# interface ethernet 0/5
ASA5505-1(config-if)# description Failover
ASA5505-1(config-if)# switchport access vlan 221
ASA5505-1(config-if)# no shutdown
ASA5505-1# write memory
configure secondary ASA
ciscoasa(config)# hostname ASA5505-2
ASA5505-2(config)# int vlan 221
ASA5505-2(config-if)# description LAN Failover
ASA5505-2(config-if)# no shutdown
ASA5505-2(config-if)# failover
ASA5505-2(config)# failover lan unit secondary
ASA5505-2(config)# failover lan interface failover Vlan221
ASA5505-2(config)# failover interface ip failover 10.221.10.1 255.255.255.0 standby 10.221.10.2
ASA5505-2(config)# interface ethernet 0/5
ASA5505-2(config-if)# description Failover
ASA5505-2(config-if)# switchport access vlan 221
ASA5505-2(config-if)# no shutdown
ASA5505-2(config-if)# write memory
After failover comes up, the secondary ASA receives the configuration from the primary and its hostname becomes ASA5505-1.
check failover
ASA5505-1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan221 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 23 maximum
Version: Ours 8.4(3), Mate 8.4(3)
Last Failover at: 18:52:25 UTC Jan 24 2012
This host: Primary - Active
Active time: 1022 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.4(3)) status (Up Sys)
Interface TDMZ (10.80.10.1): Normal (Monitored)
Interface Outside (10.10.20.253): Normal (Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.4(3)) status (Up Sys)
Interface TDMZ (10.80.10.2): Normal (Monitored)
Interface Outside (10.10.20.254): Normal (Monitored)
slot 1: empty
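An added health check for the "show failover" output above (example code, not from the post): it flags failover being off, a mate running a different version, a unit that is not Active or Standby Ready, and any monitored interface that is not Normal. The sample output is an abridged copy of the post's output; the function name is the example's own.

```python
import re

# Abridged sample of the post's "show failover" output for a healthy pair
# (constructed from the post; the slot lines and timers are omitted).
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan221 (up)
Version: Ours 8.4(3), Mate 8.4(3)
This host: Primary - Active
        Interface TDMZ (10.80.10.1): Normal (Monitored)
        Interface Outside (10.10.20.253): Normal (Monitored)
Other host: Secondary - Standby Ready
        Interface TDMZ (10.80.10.2): Normal (Monitored)
        Interface Outside (10.10.20.254): Normal (Monitored)
"""

def check_failover(output):
    """Return a list of problems found in 'show failover' output (empty = healthy)."""
    problems, states, host = [], {}, "?"
    if not re.search(r"^Failover On\s*$", output, re.M):
        problems.append("failover is not On")
    m = re.search(r"^Version: Ours (\S+), Mate (\S+)", output, re.M)
    if m and m.group(1) != m.group(2):  # mismatched images break config sync
        problems.append("version mismatch: ours %s, mate %s" % m.groups())
    for line in output.splitlines():
        line = line.strip()
        h = re.match(r"(This|Other) host: \S+ - (.+)$", line)
        if h:  # remember which unit the following interface lines belong to
            host = h.group(1)
            states[host] = h.group(2)
            continue
        i = re.match(r"Interface (\S+) \(([\d.]+)\): (.+?) \((.+)\)$", line)
        if i and i.group(4) == "Monitored" and i.group(3) != "Normal":
            problems.append("%s host: interface %s (%s) is %s"
                            % (host, i.group(1), i.group(2), i.group(3)))
    if set(states.values()) != {"Active", "Standby Ready"}:
        problems.append("unit states are %s, expected Active / Standby Ready"
                        % (states or "missing",))
    return problems

if __name__ == "__main__":
    print(check_failover(SAMPLE_HEALTHY) or "failover pair healthy")
```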