Monday, June 25, 2012

Configure Cisco IOS SSL VPN

Example of a simple network configuration:
one router with WAN and LAN interfaces and a loopback interface:
- FastEthernet0/0  - WAN interface
- FastEthernet0/1  - LAN interface
- Loopback0 - internal router interface
SSL VPN access to networks:
- 2.2.2.0/24
- 4.4.4.0/24

configure router
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
description WAN interface
ip address 1.1.1.100 255.255.255.0
duplex auto
speed auto
no shut
!
interface FastEthernet0/1
description LAN interface
ip address 2.2.2.1 255.255.255.0
duplex full
speed 100
no shut
!
username cisco secret cisco
(use secret rather than password: on IOS "username ... password" stores the credential in cleartext or as reversible type 7)

configure SSL VPN
ip local pool SSLVPN1_POOL 3.3.3.10 3.3.3.20
!
access-list 2 permit 2.2.2.0 0.0.0.255
access-list 2 permit 4.4.4.0 0.0.0.255
!
webvpn gateway SSLVPN
ip interface FastEthernet0/0 port 443
http-redirect port 80
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-4279256517
logging enable
inservice
!
webvpn install svc disk0:/webvpn/anyconnect-win-2.5.0217-k9.pkg sequence 1
!
webvpn context SSLVPN
!
policy group SSLVPN1
  functions svc-enabled
  svc address-pool "SSLVPN1_POOL" netmask 255.255.255.0
  svc keep-client-installed
  svc split include acl 2
  svc dns-server primary 10.10.10.1
  svc dns-server secondary 10.10.10.2
!
ssl authenticate verify all
default-group-policy SSLVPN1
gateway SSLVPN
max-users 10
logging enable
inservice

notes on the gateway settings: 3des-sha1 is a legacy cipher suite, use aes-sha1 where the IOS release and the client support it; the TP-self-signed trustpoint means every AnyConnect user gets a certificate warning and cannot tell the real gateway from an impostor, so for production enrol the gateway with a CA the clients trust.

disable logging
no logging enable

access to VPN
https://1.1.1.100
(http://1.1.1.100 is redirected to HTTPS by the http-redirect port 80 line)

Thursday, May 10, 2012

Configure Redundant interface on ASA 5510 and above

Example of an ASA redundant interface for the Inside and DMZ interfaces. The switch ports must be configured as trunks.
Not supported on the ASA 5505; for the 5505 use STP instead.

# interface Ethernet0/1
# no nameif
# no security-level
# no ip address

# interface Ethernet0/2
# no nameif
# no security-level
# no ip address

# interface Redundant1
# member-interface Ethernet0/1
# member-interface Ethernet0/2
# no nameif
# no security-level
# no ip address

# interface Redundant1.100
# vlan 100
# nameif Inside
# security-level 100
# ip address 10.10.100.1 255.255.255.0

# interface Redundant1.50
# vlan 50
# nameif DMZ
# security-level 50
# ip address 10.10.50.1 255.255.255.0

Rename or move nameif Inside, Outside on Cisco ASA

# copy running-config flash:/running-config.backup
# copy running-config tftp:

Edit the copied running-config on your PC with a text editor that handles Unix line endings, then copy it back:

# copy tftp:  flash:/running-config.new
# copy flash:/running-config.new  startup-config
# reload

If you need to return to the old configuration:

# copy flash:/running-config.backup  startup-config
# reload

P.S. Tested with ASA 8.3, works perfectly.
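The offline edit above is worth scripting, because the interface name is not only on the nameif line: it is also referenced by access-group, nat, route, ssh and snmp-server host lines, and changing nameif at the ASA CLI drops the commands that reference the old name. The following Python script is an added example, not part of the post: it renames a nameif as a whole token throughout a configuration and reports where the name is still referenced, so you can check the file before copying it back. The sample configuration is constructed for illustration, and the function names are my own.

```python
from __future__ import annotations

import re

# Constructed sample in ASA 8.3 style (illustrative, not the post's config).
# The nameif "Inside" is referenced by several commands outside the
# interface block; the ACL named Inside_access_in must NOT be renamed.
SAMPLE_CONFIG = """\
interface Redundant1.100
 vlan 100
 nameif Inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 1.1.1.100 255.255.255.0
!
access-list Inside_access_in extended permit ip any any
access-group Inside_access_in in interface Inside
nat (Inside,Outside) source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
ssh 10.10.100.0 255.255.255.0 Inside
snmp-server host Inside 10.10.10.100 community public version 2c
"""


def _token_pattern(name: str) -> re.Pattern[str]:
    """Match `name` only as a whole token.

    Letters, digits, '_' and '-' on either side disqualify a match, so
    'Inside' is found in 'interface Inside', '(Inside,Outside)' and
    'host Inside', but not inside the ACL name 'Inside_access_in'.
    """
    return re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")


def find_references(config: str, name: str) -> list[int]:
    """1-based line numbers on which `name` appears as a whole token."""
    pat = _token_pattern(name)
    return [n for n, line in enumerate(config.splitlines(), 1) if pat.search(line)]


def rename_nameif(config: str, old: str, new: str) -> tuple[str, int]:
    """Rename interface `old` to `new` everywhere it is referenced.

    Returns the edited text and the number of lines that changed.  Refuses
    to run if `new` is already in use, since that would merge two interfaces.
    """
    if find_references(config, new):
        raise ValueError(f"{new!r} is already used in this config")
    pat = _token_pattern(old)
    out: list[str] = []
    changed = 0
    for line in config.splitlines():
        new_line, n = pat.subn(new, line)
        changed += 1 if n else 0
        out.append(new_line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    edited, count = rename_nameif(SAMPLE_CONFIG, "Inside", "inside")
    print(f"{count} lines changed; old name left on lines: "
          f"{find_references(edited, 'Inside')}")
    print(edited)
```

Run find_references on the result for both the old and the new name before you copy the file to flash: the old name should appear on no line, and the new name on exactly the lines the old one did. A description line that happens to contain the bare interface name is renamed too; that is harmless but worth knowing when you read the diff.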

Friday, April 27, 2012

Enable SSH access on IOS without AAA

# conf t
# hostname Router
# ip domain-name ciscotest.com
# crypto key generate rsa modulus 2048
# username cisco privilege 15 secret cisco
# ip ssh version 2
# ip ssh time-out 120
# ip ssh authentication-retries 3
# line vty 0 15
# login local
# transport input ssh

(hostname and ip domain-name must be set before the key is generated; give the modulus explicitly so you do not get the small default key size)

Enable SNMP on Cisco ASA

# conf t
# snmp-server community public
# snmp-server location Rack22
# snmp-server contact IT support
# snmp-server host Management 10.10.10.100 community public version 2c

(public is the well-known default community string; use a non-default one, and SNMPv3 with authentication where the monitoring system supports it, since v2c sends the community in cleartext)

Enable SSH on Cisco ASA

# conf t
# domain-name cisco.com
# crypto key generate rsa modulus 2048
# ssh 0.0.0.0 0.0.0.0 inside
# username cisco password cisco
# enable password cisco
# aaa authentication ssh console LOCAL

(0.0.0.0 0.0.0.0 allows SSH from any inside address; narrow it to the management subnet, e.g. ssh 10.10.10.0 255.255.255.0 inside, and add ssh version 2)
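The weak settings a practitioner would flag in the snippets on this page (the plaintext username in the June 25 SSL VPN post, its 3des-sha1 suite and self-signed trustpoint, the public SNMP community above, and the any-source ssh line) are easy to catch mechanically. The Python script below is an added example, not the post's own code: it runs a handful of checks over constructed config excerpts built from the lines on this page. The checks are platform-aware, because the same "username ... password" line is stored reversibly on IOS but hashed on the ASA. Function and constant names are my own.

```python
from __future__ import annotations

# Constructed samples for illustration: the lines are copied from the
# configuration snippets on this page, not from a live device.
IOS_SSLVPN = """\
username cisco password cisco
webvpn gateway SSLVPN
 ip interface FastEthernet0/0 port 443
 http-redirect port 80
 ssl encryption 3des-sha1
 ssl trustpoint TP-self-signed-4279256517
 inservice
"""

ASA_MGMT = """\
snmp-server community public
snmp-server host Management 10.10.10.100 community public version 2c
ssh 0.0.0.0 0.0.0.0 inside
username cisco password cisco
aaa authentication ssh console LOCAL
"""

IOS_SSH = """\
username cisco privilege 15 secret cisco
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
"""

WEAK_SUITE_MARKERS = ("3des", "rc4", "md5")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(config: str, platform: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for weak settings in an excerpt.

    platform is "ios" or "asa".  'username ... password' is type 0/7 on
    IOS (recoverable) but a hash on the ASA, so that check is IOS-only;
    the SSH source check uses the ASA 'ssh <addr> <mask> <if>' syntax.
    """
    if platform not in ("ios", "asa"):
        raise ValueError("platform must be 'ios' or 'asa'")
    findings: list[tuple[int, str]] = []
    for n, raw in enumerate(config.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        cmd = tokens[0]

        # IOS: 'username X password Y' is reversible; 'secret' stores a hash.
        if platform == "ios" and cmd == "username" and "password" in tokens \
                and "secret" not in tokens:
            findings.append((n, f"username {tokens[1]}: use 'secret', 'password' is reversible"))

        # webvpn gateway: legacy cipher suites (3DES, RC4, MD5).
        if cmd == "ssl" and tokens[1:2] == ["encryption"]:
            for suite in tokens[2:]:
                if any(m in suite.lower() for m in WEAK_SUITE_MARKERS):
                    findings.append((n, f"ssl encryption {suite}: legacy cipher suite"))

        # webvpn gateway: self-signed certificate, clients cannot verify the gateway.
        if cmd == "ssl" and tokens[1:2] == ["trustpoint"] and len(tokens) > 2 \
                and tokens[2].startswith("TP-self-signed-"):
            findings.append((n, "self-signed gateway certificate: clients cannot validate it"))

        # SNMP: well-known default community string, on both platforms.
        if cmd == "snmp-server" and "community" in tokens:
            i = tokens.index("community")
            if i + 1 < len(tokens) and tokens[i + 1].lower() in DEFAULT_COMMUNITIES:
                findings.append((n, f"snmp community '{tokens[i + 1]}' is a default value"))

        # ASA: 'ssh 0.0.0.0 0.0.0.0 <if>' accepts SSH from any source on <if>.
        if platform == "asa" and cmd == "ssh" and len(tokens) == 4 \
                and tokens[1] == tokens[2] == "0.0.0.0":
            findings.append((n, f"ssh from any address on {tokens[3]}: restrict to the management subnet"))
    return findings


if __name__ == "__main__":
    for name, cfg, plat in (("IOS SSL VPN", IOS_SSLVPN, "ios"),
                            ("ASA management", ASA_MGMT, "asa"),
                            ("IOS SSH", IOS_SSH, "ios")):
        print(f"== {name}")
        for line_no, msg in audit(cfg, plat) or [(0, "no findings")]:
            print(f"  line {line_no}: {msg}")
```

The IOS SSH snippet from this page passes cleanly because it uses secret and restricts the vty lines to SSH; the SSL VPN and ASA snippets each produce three findings. Feed it the output of show running-config to run the same checks against a real device.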

Thursday, April 5, 2012

Dell server and two cisco switches

Connect a Dell server that has two gigabit NICs to two Cisco 4948 switches. The switches are connected to each other with a trunk.
1. On the Dell server create a virtual (teamed) adapter, add both NICs and set the team type to Smart Load Balancing.

2. On the Cisco switches add the server VLAN to the trunk between the switches.

3. Configure the server port on each of the two switches:

interface GigabitEthernet1/7
 description Dell server
 switchport access vlan 111
 logging event link-status
 load-interval 30
 spanning-tree portfast