Monday, June 25, 2012

Configure Cisco IOS SSL vpn

Example for a simple network configuration:
one router with WAN/LAN interfaces and a loopback interface:
- FastEthernet0/0  - WAN interface
- FastEthernet0/1  - LAN interface
- Loopback0 - internal router interface
SSL VPN access to networks:
- 2.2.2.0/24
- 4.4.4.0/24

configure router
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
description WAN interface
ip address 1.1.1.100 255.255.255.0
duplex auto
speed auto
no shut
!
interface FastEthernet0/1
description LAN interface
ip address 2.2.2.1 255.255.255.0
duplex full
speed 100
no shut
!
username cisco password cisco

configure SSL VPN
ip local pool SSLVPN1_POOL 3.3.3.10 3.3.3.20
!
access-list 2 permit 2.2.2.0 0.0.0.255
access-list 2 permit 4.4.4.0 0.0.0.255
!
webvpn gateway SSLVPN
ip interface FastEthernet0/0 port 443
http-redirect port 80
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-4279256517
logging enable
inservice
!
webvpn install svc disk0:/webvpn/anyconnect-win-2.5.0217-k9.pkg sequence 1
!
webvpn context SSLVPN
!
policy group SSLVPN1
  functions svc-enabled
  svc address-pool "SSLVPN1_POOL" netmask 255.255.255.0
  svc keep-client-installed
  svc split include acl 2
  svc dns-server primary 10.10.10.1
  svc dns-server secondary 10.10.10.2
!
ssl authenticate verify all
default-group-policy SSLVPN1
gateway SSLVPN
max-users 10
logging enable
inservice

disable logging
no logging enable

access to VPN
http://1.1.1.100

Thursday, May 10, 2012

Configure Redundant interface on ASA 5510 and above

Example of an ASA redundant interface for the Inside and DMZ interfaces. You need to configure trunk ports on the switch.
Not supported on the ASA 5505; on the ASA 5505 use STP instead.

# interface Ethernet0/1
# no nameif
# no security-level
# no ip address

# interface Ethernet0/2
# no nameif
# no security-level
# no ip address

# interface Redundant1
# member-interface Ethernet0/1
# member-interface Ethernet0/2
# no nameif
# no security-level
# no ip address

# interface Redundant1.100
# vlan 100
# nameif Inside
# security-level 100
# ip address 10.10.100.1 255.255.255.0

# interface Redundant1.50
# vlan 50
# nameif DMZ
# security-level 50
# ip address 10.10.50.1 255.255.255.0

Rename or move nameif Inside, Outside on Cisco ASA

# copy running-config flash:/running-config.backup
# copy running-config tftp:

edit the running-config on your PC with a text editor that handles Unix text files

# copy tftp:  flash:/running-config.new
# copy flash:/running-config.new  startup-config
# reload

if you need to return to the old configuration

# copy flash:/running-config.backup  startup-config
# reload

P.S. Tested with ASA 8.3, works perfectly.
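Added example for the "edit the running-config on your PC" step (not from the post): a small Python helper that renames a nameif and every line referencing it in the exported config, leaving free-text description lines alone and normalising CRLF to LF. The config fragment is constructed for the example, and the helper assumes an interface name is only ever referenced as a whole token.

```python
import re

# Constructed ASA running-config fragment (not from the post): the Inside
# nameif is referenced from nat, access-group, route and ssh lines.
SAMPLE_CONFIG = """interface Redundant1.100
 vlan 100
 nameif Inside
 description Inside uplink to core
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Redundant1.50
 vlan 50
 nameif DMZ
 security-level 50
!
object network INSIDE-NET
 nat (Inside,Outside) dynamic interface
access-group Inside_in in interface Inside
route Inside 10.20.0.0 255.255.0.0 10.10.100.254 1
ssh 0.0.0.0 0.0.0.0 Inside
"""

def _token(name):
    # Whole-token, case-sensitive match: Inside_in and INSIDE-NET are
    # different objects and must not be touched.
    return re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")

def _is_description(line):
    # Free text on description lines is not a reference to the nameif.
    return line.lstrip().startswith("description ")

def references(config, name):
    """1-based line numbers where `name` is used as a nameif token."""
    pat = _token(name)
    return [n for n, line in enumerate(config.split("\n"), 1)
            if pat.search(line) and not _is_description(line)]

def rename_nameif(config, old, new):
    """Rename nameif `old` to `new` on every line that references it.
    CRLF from a Windows editor is normalised to LF for the ASA."""
    pat = _token(old)
    out = []
    for line in config.replace("\r\n", "\n").split("\n"):
        out.append(line if _is_description(line) else pat.sub(new, line))
    return "\n".join(out)

if __name__ == "__main__":
    print("references:", references(SAMPLE_CONFIG, "Inside"))
    print(rename_nameif(SAMPLE_CONFIG, "Inside", "LAN"))
```

Review the `references` list before copying the edited file back with `copy tftp: flash:/running-config.new`, so a stray match is caught before the reload.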

Friday, April 27, 2012

Enable SSH access on IOS without AAA

# conf t
# hostname Router
# ip domain-name ciscotest.com
# crypto key generate rsa
# username cisco privilege 15 secret cisco
# ip ssh version 2
# ip ssh time-out 120
# ip ssh authentication-retries 3
# line vty 0 15
# login local
# transport input ssh

Enable SNMP on Cisco ASA

# conf t
# snmp-server community public
# snmp-server location Rack22
# snmp-server contact IT support
# snmp-server host Management 10.10.10.100 community public version 2c

Enable SSH on Cisco ASA

# conf t
# domain-name cisco.com
# crypto key generate rsa
# ssh 0.0.0.0 0.0.0.0 inside
# username cisco password cisco
# enable password cisco
# aaa authentication ssh console LOCAL

Thursday, April 5, 2012

Dell server and two cisco switches

Connect a Dell server with two Gbps NICs to two Cisco 4948 switches. The Cisco switches are connected with a trunk.

1. On the Dell server configure a Virtual Adapter, add the NICs and set the type to Smart Load Balancing.

2. On the Cisco switches add the server VLAN to the trunk between the switches.

3. Configure the server ports on both switches.

interface GigabitEthernet1/7
 description Dell server
 switchport access vlan 111
 logging event link-status
 load-interval 30
 spanning-tree portfast

Tuesday, January 24, 2012

Cisco ASA 5505 Failover

An ASA 5505 with the Security Plus license supports LAN-based failover (Active/Standby).

You need:

- two ASA 5505 with Security Plus license
- one crossover cable

In our configuration we use:

- Ethernet 0/5 for the failover link
- Ethernet 0/1 for the internal LAN
- Ethernet 0/3 for the outside (Internet) connection

configure primary ASA

ciscoasa# conf t
ciscoasa(config)# hostname ASA5505-1
ASA5505-1(config)# interface vlan 221
ASA5505-1(config-if)# description LAN Failover
ASA5505-1(config-if)# no shutdown

ASA5505-1(config)# failover
ASA5505-1(config)# failover lan unit primary
ASA5505-1(config)# failover lan interface failover Vlan221
ASA5505-1(config)# failover interface ip failover 10.221.10.1 255.255.255.0 standby 10.221.10.2

ASA5505-1(config)# int Vlan 80
ASA5505-1(config-if)# ip address 10.80.10.1 255.255.255.0 standby 10.80.10.2
ASA5505-1(config-if)# nameif TDMZ
ASA5505-1(config-if)# no shutdown

ASA5505-1(config)# int vlan 99
ASA5505-1(config-if)# ip address 10.10.20.253 255.255.255.0 standby 10.10.20.254
ASA5505-1(config-if)# nameif Outside
ASA5505-1(config-if)# security-level 100
ASA5505-1(config-if)# no shutdown

ASA5505-1(config)# interface ethernet 0/3
ASA5505-1(config-if)# switchport access vlan 99
ASA5505-1(config-if)# description Outside
ASA5505-1(config-if)# no shutdown

ASA5505-1(config-if)# interface ethernet 0/1
ASA5505-1(config-if)# description TDMZ
ASA5505-1(config-if)# switchport access vlan 80
ASA5505-1(config-if)# no shutdown

ASA5505-1(config-if)# interface ethernet 0/5
ASA5505-1(config-if)# description Failover
ASA5505-1(config-if)# switchport access vlan 221
ASA5505-1(config-if)# no shutdown
ASA5505-1# write memory


configure secondary ASA

ciscoasa(config)# hostname ASA5505-2
ASA5505-2(config)# int vlan 221
ASA5505-2(config-if)# description LAN Failover
ASA5505-2(config-if)# no shutdown

ASA5505-2(config-if)# failover
ASA5505-2(config)# failover lan unit secondary
ASA5505-2(config)# failover lan interface failover Vlan221
ASA5505-2(config)# failover interface ip failover 10.221.10.1 255.255.255.0 standby 10.221.10.2

ASA5505-2(config)# interface ethernet 0/5
ASA5505-2(config-if)# description Failover
ASA5505-2(config-if)# switchport access vlan 221
ASA5505-2(config-if)# no shutdown
ASA5505-2(config-if)# write memory

After failover comes up, the secondary ASA receives its configuration from the primary and its hostname changes to ASA5505-1.

check failover

ASA5505-1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan221 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 23 maximum
Version: Ours 8.4(3), Mate 8.4(3)
Last Failover at: 18:52:25 UTC Jan 24 2012
        This host: Primary - Active
                Active time: 1022 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/8.4(3)) status (Up Sys)
                  Interface TDMZ (10.80.10.1): Normal (Monitored)
                  Interface Outside (10.10.20.253): Normal (Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/8.4(3)) status (Up Sys)
                  Interface TDMZ (10.80.10.2): Normal (Monitored)
                  Interface Outside (10.10.20.254): Normal (Monitored)
                slot 1: empty
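Added example (not from the post): a Python check that parses the `show failover` output above, as you would collect it from a monitoring job, and lists anything that would stop the pair from failing over cleanly: failover off, failover link down, a software version mismatch between the units, the units not in Active / Standby Ready, or a monitored interface that is not Normal. The sample is the post's own output, trimmed to the lines the check reads.

```python
import re

# Sample: the `show failover` output from the post, trimmed to the lines
# the check uses.
SHOW_FAILOVER = """Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan221 (up)
Version: Ours 8.4(3), Mate 8.4(3)
        This host: Primary - Active
                  Interface TDMZ (10.80.10.1): Normal (Monitored)
                  Interface Outside (10.10.20.253): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface TDMZ (10.80.10.2): Normal (Monitored)
                  Interface Outside (10.10.20.254): Normal (Monitored)
"""

def failover_problems(output):
    """Return the problems found; an empty list means the pair is healthy.

    Healthy: failover enabled, failover LAN interface up, both units on the
    same software version, one unit Active and the mate Standby Ready, and
    every monitored interface reported as Normal (Monitored).
    """
    problems = []
    if not re.search(r"^Failover On\s*$", output, re.M):
        problems.append("failover is not enabled")
    m = re.search(r"^Failover LAN Interface: .*\((\w+)\)", output, re.M)
    if not m or m.group(1) != "up":
        problems.append("failover LAN interface is not up")
    m = re.search(r"^Version: Ours (\S+), Mate (\S+)", output, re.M)
    if not m:
        problems.append("no Version line: mate version unknown")
    elif m.group(1) != m.group(2):
        problems.append("software version mismatch: ours %s, mate %s" % m.groups())
    state = dict(re.findall(r"^\s+(This|Other) host: \w+ - (.+?)\s*$", output, re.M))
    if len(state) != 2:
        problems.append("expected both a 'This host' and an 'Other host' line")
    elif {state["This"], state["Other"]} != {"Active", "Standby Ready"}:
        problems.append("unit states are %s / %s" % (state["This"], state["Other"]))
    # Every monitored interface on both units must be Normal; anything else
    # (Failed, Waiting, Unknown) is reported with its interface name.
    for name, st in re.findall(r"^\s+Interface (\S+) \([\d.]+\): (.+?)\s*$", output, re.M):
        if st != "Normal (Monitored)":
            problems.append("interface %s is %s" % (name, st))
    return problems

if __name__ == "__main__":
    print(failover_problems(SHOW_FAILOVER) or "failover pair healthy")
```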