Example for a simple network configuration:
one router with WAN/LAN interfaces and a loopback interface:
- FastEthernet0/0 - WAN interface
- FastEthernet0/1 - LAN interface
- Loopback0 - internal router interface
SSL VPN access to networks:
- 2.2.2.0/24
- 4.4.4.0/24
configure router
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
description WAN interface
ip address 1.1.1.100 255.255.255.0
duplex auto
speed auto
no shut
!
interface FastEthernet0/1
description LAN interface
ip address 2.2.2.1 255.255.255.0
duplex full
speed 100
no shut
!
username cisco password cisco
configure SSL VPN
ip local pool SSLVPN1_POOL 3.3.3.10 3.3.3.20
!
access-list 2 permit 2.2.2.0 0.0.0.255
access-list 2 permit 4.4.4.0 0.0.0.255
!
webvpn gateway SSLVPN
ip interface FastEthernet0/0 port 443
http-redirect port 80
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-4279256517
logging enable
inservice
!
webvpn install svc disk0:/webvpn/anyconnect-win-2.5.0217-k9.pkg sequence 1
!
webvpn context SSLVPN
!
policy group SSLVPN1
functions svc-enabled
svc address-pool "SSLVPN1_POOL" netmask 255.255.255.0
svc keep-client-installed
svc split include acl 2
svc dns-server primary 10.10.10.1
svc dns-server secondary 10.10.10.2
!
ssl authenticate verify all
default-group-policy SSLVPN1
gateway SSLVPN
max-users 10
logging enable
inservice
disable logging
no logging enable
access to VPN
http://1.1.1.100
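The split-tunnel part of this configuration has three things that must agree: the networks listed in the split-include ACL, the networks actually configured on the non-WAN interfaces, and the address pool handed to clients. The following Python script is an added example (not part of the original post and not a Cisco tool) that parses the relevant lines of the router configuration above and checks those three for consistency. It assumes the LAN entry of access-list 2 reads "2.2.2.0 0.0.0.255", matching the 2.2.2.0/24 network listed at the top of the post; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the router configuration from the post,
# embedded inline so the checks run offline (added example, not the post's own tool).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
 description WAN interface
 ip address 1.1.1.100 255.255.255.0
!
interface FastEthernet0/1
 description LAN interface
 ip address 2.2.2.1 255.255.255.0
!
ip local pool SSLVPN1_POOL 3.3.3.10 3.3.3.20
!
access-list 2 permit 2.2.2.0 0.0.0.255
access-list 2 permit 4.4.4.0 0.0.0.255
!
webvpn gateway SSLVPN
 ip interface FastEthernet0/0 port 443
!
webvpn context SSLVPN
 policy group SSLVPN1
  svc address-pool "SSLVPN1_POOL" netmask 255.255.255.0
  svc split include acl 2
"""


def parse_interfaces(config):
    """Map each 'interface X' block to its IPv4Interface (address plus mask)."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)  # column 0 only, so ' ip interface ...' is skipped
        if head:
            current = head.group(1)
            continue
        addr = re.match(r"\s+ip address (\S+) (\S+)", line)
        if addr and current:
            interfaces[current] = ipaddress.IPv4Interface(f"{addr.group(1)}/{addr.group(2)}")
    return interfaces


def parse_split_include(config):
    """Return the networks of the ACL named by 'svc split include acl N' (wildcard masks converted)."""
    acl = re.search(r"svc split include acl (\d+)", config).group(1)
    networks = []
    for line in config.splitlines():
        entry = re.match(rf"access-list {acl} permit (\S+) (\S+)", line)
        if entry:
            net, wildcard = entry.groups()
            # IOS wildcard masks are inverted subnet masks
            mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
            networks.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    return networks


def parse_pool(config):
    """Return (name, first, last) from 'ip local pool NAME FIRST LAST'."""
    pool = re.search(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)
    name, first, last = pool.groups()
    return name, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def check_split_tunnel(config):
    """Return a list of problems; an empty list means the split-tunnel setup is consistent."""
    issues = []
    interfaces = parse_interfaces(config)
    wan = re.search(r"^\s*ip interface (\S+) port \d+", config, re.M).group(1)
    included = parse_split_include(config)
    # An internal network that the ACL omits is unreachable through the tunnel
    for name, iface in interfaces.items():
        if name != wan and iface.network not in included:
            issues.append(f"{name} network {iface.network} is missing from the split-include ACL")
    # The WAN network must not be tunnelled: the client would route the gateway itself into the VPN
    if interfaces[wan].network in included:
        issues.append(f"WAN network {interfaces[wan].network} must not be in the split-include ACL")
    # The pool must be a range of its own, outside every interface network
    name, first, last = parse_pool(config)
    if first > last:
        issues.append(f"pool {name} is empty: {first} is above {last}")
    for iface_name, iface in interfaces.items():
        if first in iface.network or last in iface.network:
            issues.append(f"pool {name} overlaps the {iface_name} network {iface.network}")
    return issues


if __name__ == "__main__":
    for issue in check_split_tunnel(SAMPLE_CONFIG) or ["no issues found"]:
        print(issue)
```

Run it against a copy of "show running-config" to catch the usual mistakes before users report that one internal network is unreachable: a missing ACL entry, the WAN network accidentally included, or a pool carved out of the LAN subnet.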
Monday, June 25, 2012
Configure Cisco IOS SSL vpn
Thursday, May 10, 2012
Configure Redundant interface on ASA 5510 and above
Example ASA redundant interface for the Inside and DMZ interfaces. You need to configure trunk ports on the switch.
Not supported on the ASA 5505; on the ASA 5505 use STP instead.
# interface Ethernet0/1
# no nameif
# no security-level
# no ip address
# interface Ethernet0/2
# no nameif
# no security-level
# no ip address
# interface Redundant1
# member-interface Ethernet0/1
# member-interface Ethernet0/2
# no nameif
# no security-level
# no ip address
# interface Redundant1.100
# vlan 100
# nameif Inside
# security-level 100
# ip address 10.10.100.1 255.255.255.0
# interface Redundant1.50
# vlan 50
# nameif DMZ
# security-level 50
# ip address 10.10.50.1 255.255.255.0
Rename or move nameif Inside, Outside on Cisco ASA
# copy running-config flash:/running-config.backup
# copy running-config tftp:
Edit running-config on your PC with a text editor that handles Unix line endings.
# copy tftp: flash:/running-config.new
# copy flash:/running-config.new startup-config
# reload
If you need to return to the old configuration:
# copy flash:/running-config.backup startup-config
# reload
P.S. Was tested with ASA 8.3; works perfectly.
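The editing step in the procedure above is where mistakes happen: the nameif is referenced from access-group, nat, route, ssh and similar lines, and every one of them must change together or the new startup-config fails to apply. The following Python function is an added example (not from the post) that performs the rename on a saved running-config and reports which lines it touched. The sample configuration is constructed for the example; the function names are my own.

```python
import re

# Constructed sample of a saved running-config (not from the post): the kinds of
# lines that carry the interface name and must all change together.
SAMPLE_RUNNING_CONFIG = """\
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface Inside
nat (Inside,Outside) source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 192.0.2.254
ssh 10.10.100.0 255.255.255.0 Inside
"""


def _name_pattern(name):
    # Whole-word, case-sensitive match: 'Inside' but not 'INSIDE_IN' or 'Inside-old'
    return re.compile(rf"(?<![\w-]){re.escape(name)}(?![\w-])")


def rename_nameif(config, old, new):
    """Rename a nameif and every whole-word reference to it.

    Returns (new_config, changed_lines). Review changed_lines: the same word in a
    free-text 'description' line would be renamed too.
    """
    pattern = _name_pattern(old)
    out, changed = [], []
    for line in config.splitlines():
        if pattern.search(line):
            changed.append(line.strip())
            line = pattern.sub(new, line)
        out.append(line)
    return "\n".join(out) + "\n", changed


def leftover_references(config, old):
    """Lines that still mention the old name after the rename (should be empty)."""
    pattern = _name_pattern(old)
    return [line.strip() for line in config.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    new_config, changed = rename_nameif(SAMPLE_RUNNING_CONFIG, "Inside", "LAN")
    print(f"{len(changed)} lines changed:")
    for line in changed:
        print("  " + line)
    print("leftovers:", leftover_references(new_config, "Inside"))
```

Write the result to the file you copy back with "copy tftp: flash:/running-config.new", and keep the list of changed lines next to the backup so a rollback is a conscious decision rather than a guess.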
Friday, April 27, 2012
Enable SSH access on IOS without AAA
# conf t
# hostname Router
# ip domain-name ciscotest.com
# crypto key generate rsa
# username cisco privilege 15 secret cisco
# ip ssh version 2
# ip ssh time-out 120
# ip ssh authentication-retries 3
# line vty 0 15
# login local
# transport input ssh
Enable SNMP on Cisco ASA
# conf t
# snmp-server community public
# snmp-server location Rack22
# snmp-server contact IT support
# snmp-server host Management 10.10.10.100 community public version 2c
Enable SSH on Cisco ASA
# conf t
# domain-name cisco.com
# crypto key generate rsa
# ssh 0.0.0.0 0.0.0.0 inside
# username cisco password cisco
# enable password cisco
# aaa authentication ssh console LOCAL
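The three snippets above enable management access quickly, and two settings in them are worth checking in any running-config before it goes to production: the SNMP community string "public" is the well-known default and SNMPv2c carries it in cleartext, and "ssh 0.0.0.0 0.0.0.0 inside" admits SSH from every address on that interface. The Python script below is an added example (not from the posts, not a Cisco tool) that audits configuration text for those points and for the IOS-side settings the SSH snippet gets right; the samples are the snippets above embedded inline plus a constructed hardened ASA variant with a placeholder community string, and the function names are my own.

```python
import re

# Constructed samples: the IOS and ASA management snippets from the posts above,
# embedded inline so the audit runs offline (added example, not the posts' own tool).
IOS_SSH = """\
hostname Router
ip domain-name ciscotest.com
username cisco privilege 15 secret cisco
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 15
 login local
 transport input ssh
"""

ASA_MGMT = """\
domain-name cisco.com
snmp-server community public
snmp-server location Rack22
snmp-server contact IT support
snmp-server host Management 10.10.10.100 community public version 2c
ssh 0.0.0.0 0.0.0.0 inside
username cisco password cisco
enable password cisco
aaa authentication ssh console LOCAL
"""

# Constructed hardened variant: unique community (placeholder value) and SSH limited
# to the management subnet; the remaining finding is the cleartext SNMPv2c itself.
ASA_MGMT_HARDENED = """\
domain-name cisco.com
snmp-server community Use-A-Unique-String-PLACEHOLDER
snmp-server location Rack22
snmp-server host Management 10.10.10.100 community Use-A-Unique-String-PLACEHOLDER version 2c
ssh 10.10.10.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
"""

# Well-known default community strings that every scanner tries first
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios(config):
    """Findings for the IOS SSH snippet: SSHv2 only, SSH-only vty, no reversible passwords."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 is not set; the router may also accept SSHv1")
    for text in lines:
        transport = re.match(r"transport input (.+)", text)
        if transport and transport.group(1) != "ssh":
            findings.append(f"vty line allows '{text}'; restrict it to 'transport input ssh'")
        user = re.match(r"username (\S+) (?:privilege \d+ )?password ", text)
        if user:
            findings.append(f"user {user.group(1)} uses a reversible 'password'; store it with 'secret' instead")
    return findings


def audit_asa(config):
    """Findings for the ASA SNMP/SSH snippets: default community, cleartext SNMP, SSH from anywhere."""
    findings = []
    for line in config.splitlines():
        text = line.strip()
        community = re.match(r"snmp-server community (\S+)", text)
        if community and community.group(1) in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{community.group(1)}' is a well-known default")
        host = re.match(r"snmp-server host \S+ \S+ community \S+ version (\S+)", text)
        if host:
            findings.append(f"SNMP v{host.group(1)} to that host sends the community string in cleartext; "
                            "SNMPv3 with authentication and privacy avoids that")
        ssh = re.match(r"ssh (\S+) (\S+) (\S+)$", text)
        if ssh and ssh.group(2) == "0.0.0.0":
            findings.append(f"SSH is allowed from any address on {ssh.group(3)}; narrow the source to the management subnet")
    return findings


if __name__ == "__main__":
    for label, result in (("IOS", audit_ios(IOS_SSH)), ("ASA", audit_asa(ASA_MGMT)),
                          ("ASA hardened", audit_asa(ASA_MGMT_HARDENED))):
        print(f"{label}: {result or 'no findings'}")
```

The IOS snippet passes as written because it already uses "secret", "ip ssh version 2" and "transport input ssh"; the ASA snippet produces three findings, and the hardened variant one, which is the cue to move monitoring to SNMPv3 once the management station supports it.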
Thursday, April 5, 2012
Dell server and two cisco switches
Connect a Dell server with two Gbps NICs to two Cisco 4948 switches. The switches are connected by a trunk.
1. On the Dell server configure a Virtual Adapter, add the NICs and set the type to Smart Load Balancing.
2. On the Cisco switches add the server VLAN to the trunk between the switches.
3. Configure the server ports on both switches.
interface GigabitEthernet1/7
description Dell server
switchport access vlan 111
logging event link-status
load-interval 30
spanning-tree portfast