Labbing

Nexus 7 tablet

By | Industry | 7 Comments

It was my birthday in early October, right before Network Field Day. I received, amongst many other treats, a Nexus 7 tablet. I was very spoilt. Herein is my Nexus 7 review and how I have used it.

The Tablet

Google’s Nexus 7 tablet by Asus

Tech Specs here.

Physical

The tablet has a sound build quality. The seven-inch tablet has a delicious 1280×800 resolution with an IPS display. The ten-point touch screen provides sound and snappy responsiveness. I have found the backlit screen fantastic; others will argue that it isn’t bright. Mine has had no issues with bleeding like some report. I sometimes wonder if I am just lucky or some people are UBER fussy. MicroUSB is the connection type at the base; it is compatible with many things! The weight is quite light. Sure, it isn’t the lightest on the market, but nothing that will give your hands or arms aches. Battery life is also impressive. 9 hours is what I get doing light things: reading ePubs or browsing. With video I seem to get 7-9 hours depending on brightness. I found that games do kill it. GTA III with a PS3 controller over Bluetooth managed to reduce it to five hours. Still impressive though! Oh, and you know what is great? I have the Nexus branded cover too. Great little flap and awesome screen protector. The size of the device with cover fits in my back pocket and makes for a handy ‘anywhere’ internet fix.

Operating System

I last used an Android device around the days of Froyo and Gingerbread. They were far from polished and were getting stomped by Apple. Google’s persistence and drive to match and surpass iOS as a mobile operating platform shines. Jelly Bean delivers an exceptionally refined and intuitive experience for a user of any level. Full integration with Google’s services is so well done that you get excited by using their applications. It has come a long way; it is clear why they are beating Apple in numbers.

Certification Study Material

I have one main use for this tablet: portable certification study. Video, audio, and printed text; it simply does all of them. A lot of video codecs are supported by the default player. I choose to use the VLC app because of its ability to access my network devices and its streaming features. Here is an example of Keith Barker’s CBT CCNA Security Nuggets on the Nexus 7.

Videos are great!

With an internal storage of 16 GB I can carry quite a lot of these bad boys. My friends over at INE actually sell a CCIE-level training package that has all of their digital content on one of these. Definitely worth checking out. The next big one is text books. I use ePubs due to their increased flexibility and PDFs where there is no alternative. PDFs from INE and IPX work fine. They render well and look good. The same goes for Cisco Press ebooks. The built-in PDF viewer is more than capable; Adobe is available for the devout. One annoying thing is that the Play Books app, which is native, only allows reading of ePubs purchased from the Google Play store. Painful if you acquire ePubs from elsewhere; Amazon and Cisco Press to name a few. MoonReader Pro is my choice of ePub reader. Below is a comparison of Play Books vs Moon Reader.

Fantastic book. It was 0.99 cents! Great TV series too.

As you can see: crisp display and nice content. Logical browsing too. Below is MoonReader Pro.

I believe that MoonReader, despite its convoluted menu, delivers a better reading experience. Day/night settings, text to speech, auto-scroll, text manipulation, markdown, and app interaction such as email, text, and Evernote are just some examples of what it can do! MoonReader itself could be a blog post in its own right so I won’t focus too long on it.

Audio is simply like any other audio device. It plays the standard suite of audio formats. Google Play Music is a fantastic streaming service in which I place all my learning audio. Anything I want a local copy of I mark for local storage, and then I have access anywhere. This applies to anything stored on Google’s cloud services! I can have Brian or Marko anywhere in my pocket!

Other Apps

I also have Anki flash cards installed. These sync with my decks online so I carry my flash cards with me too! ConnectBot gives me SSH access. I hit my lab box and then can use IRC and my GNS3/breakout test bed. Very handy. Here you can see myself and Daniel Dib talking in #cciestudy. The screen size of IRC is skewed due to being logged onto another box viewing the same session at an odd size.

#cciestudy baby!

 

OTG Cable

A Micro USB to USB On-The-Go (OTG) cable allows for peripheral access: USB storage, keyboards, controllers and more. I use this slot for a serial console to USB cable. I am going to test this out more thoroughly during the week and do a write-up on that. This expansion gives the user the ability to use many peripherals supported by the Nexus to further enhance the experience.

My home screen

Thoughts

Overall this product is great. Fast, zippy, and importantly it is reliable. I have been a happy consumer of this device. If you are looking to purchase one based on my review I would suggest reading others too; you will find my statements echoed. I see where Google has come from and you can see where they are going. Also, to add in closing: do not buy a 16GB as of today. There are rumours, with leaked proof, that a 32GB model is coming and will feature around the same price. For me size is not an issue as most of my stuff is “out there” somewhere. Whatever you do, enjoy your tablet. I have read more books in the last 3 weeks than I have in 4 months. I am loving mine.

Opengear Challenge

By | Industry | 2 Comments

Note: This is the first of a few posts on Opengear. My #NFD4 posts will be in no particular order. Disclaimer about my #NFD4 posts

On the first day, our second presentation was Opengear. Before starting, a parcel was placed on each of our desks. Inside the box was an Opengear console server, model ACM 5004-G.

Lights out baby!

It is a 3G cellular router that is the army knife of out-of-band management: endless features with a myriad of uses. I will review the presentation and the device in a later post, but this is more of a post to the delegates.

Traditionally, the application of an emergency-access 3G connection is to hit that DC in the night and regain control. Opengear showed pictures of some salmon boats with the device installed. With all spawned salmon being tagged, it is hard to know when they come home to breed. Each fish has an RFID token. The ship had a turret created with this device pointing into the water, and it allowed easy scanning of the fish thanks to an RFID scanner on the serial port!

Another example is weather deployments, where you want to access a device that went out. The sensor can report temperatures and be customized to respond in any way. It could be set to perform an action; this is event driven!

Anthony’s musings

I put this out to my fellow delegates. I wonder who can find/make the most interesting deployment and use for the Opengear Console server. I will post pictures and or stories here.

 

 

NAT Enhancements

By | Industry | No Comments

NAT enhancements

There are a few little tricks to improve NAT performance. The first is the translation timeout. When a translation times out, its translated address is returned to the pool. The default is 3 hours. If you have a smaller pool, or find that PAT is being used too much, you can adjust this timer. I personally like a smaller timer and, depending on the application and/or load, use 15 or 20 minute timers.

timeout xlate 1:00:00

The ASDM configuration window resides at Configuration > Firewall > Advanced > Global Timeouts. Modify the Translation Slot field.

The other feature is DNS rewriting. You are able to intercept and rewrite DNS replies that pass through the ASA firewall. For example, a DNS server may only know the public IP address of networkinferno.net, while the host behind the ASA has a private IP address. DNS rewrite applies the NAT translation to the IP address inside the DNS reply.

nat (dmz-dns,outside) source static DMZ-DNS-01 OUT-DNS-01 dns

The keyword dns at the end is what initiates the DNS rewrite feature.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules.
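The rewrite that the dns keyword performs, modelled in Python as an added example (not the ASA’s code or this guide’s): a constructed DNS reply for networkinferno.net carrying a placeholder mapped address 203.0.113.10 passes through a static NAT table and comes out with the placeholder real address 10.10.10.10. The NAT table, the addresses and the reply bytes are all constructed for this example.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# Constructed static NAT table for this example: mapped (outside) address -> real
# (inside) address, standing in for the page's DMZ-DNS-01 / OUT-DNS-01 objects.
# Both addresses are documentation-range placeholders, not the author's.
STATIC_NAT: Dict[str, str] = {"203.0.113.10": "10.10.10.10"}


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS reply: one question and one A answer (TTL 300)."""
    # Flags 0x8180: response, recursion desired + available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in addr.split("."))
    # The answer name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (labels or a pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _answer_rdata(msg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (rdata_offset, rtype, rdlength) for each answer-section record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rdlength
        off += rdlength


def a_records(msg: bytes) -> List[str]:
    """IPv4 addresses carried in the answer section's A records."""
    return [".".join(str(b) for b in msg[off:off + 4])
            for off, rtype, rdlength in _answer_rdata(msg)
            if rtype == 1 and rdlength == 4]


def dns_rewrite(msg: bytes, nat: Dict[str, str]) -> bytes:
    """Rewrite A-record RDATA that matches a NAT entry, leaving everything else intact.

    This models what the `dns` keyword on an ASA static NAT rule does to a reply
    passing through the firewall: the mapped address in the answer is replaced
    with the real one so the client on the other side of the NAT can reach it.
    Pass an inverted table ({real: mapped}) for replies travelling the other way.
    """
    out = bytearray(msg)
    for off, rtype, rdlength in _answer_rdata(msg):
        if rtype == 1 and rdlength == 4:
            ip = ".".join(str(b) for b in msg[off:off + 4])
            if ip in nat:
                out[off:off + 4] = bytes(int(o) for o in nat[ip].split("."))
    return bytes(out)


if __name__ == "__main__":
    reply = build_a_reply("networkinferno.net", "203.0.113.10")
    print("before:", a_records(reply))
    print("after: ", a_records(dns_rewrite(reply, STATIC_NAT)))
```

The real ASA also checks which interfaces the reply crosses and the NAT rule direction; this block only shows the address substitution itself.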

This is an extract of my upcoming ASA companion guide. 

DNS on the ASA

By | Industry | No Comments

I hope you enjoy this extract from my upcoming ebook – Deploying Cisco ASA firewalls.


–DNS on ASA–

This section looks at the provision of DNS functions on the ASA. Whilst it cannot serve DNS A records itself, it does provide forwarding functions.

DNS based name-to-IP-address mapping requires definition of a server group; this will then allow name-to-IP-address resolution. First we define which interface we want lookups performed on.

dns domain-lookup Inside

Next we create the DNS server group. I will name it CI-DNS and list my DNS servers in it.

dns server-group CI-DNS
 name-server 172.16.84.23
 name-server 172.16.62.23
 name-server 172.16.40.23
 name-server 8.8.8.8
 domain-name ciscoinferno.net

The final DNS server listed, 8.8.8.8, is Google’s Public DNS and acts as a backup. Also defined is the domain-name the ASA itself resides in.

hostname asa1
domain-name ciscoinferno.net

The FQDN of the ASA is now asa1.ciscoinferno.net. Provided the DNS servers are contactable, you can issue the ping command with a hostname and you will see the resolution. It is possible to gain further insight with the debug dns resolver command.

The ASDM configuration window resides at Configuration > Device Management > DNS > DNS Client.

Inter vs Intra

By | Study Notes | One Comment

There are 101 security levels on the ASA (0 to 100). This may not be enough and you might be required to use the same security level more than once. We know that higher security level interfaces can pass traffic to lower security interfaces by default, but what if they are the same security level? By default this is not permitted. Even if you define access-lists to permit traffic it is still denied.

Inter-interface

Inter interface communication allows communications between different interfaces of the same security level.

ASDM

Navigate to Configuration > Device Setup > Interfaces

Select the check box entitled Enable traffic between two or more interfaces which are configured with the same security levels.

CLI

ciscoasa# conf t
ciscoasa(config)# same-security-traffic permit inter-interface

Intra-interface

Intra-interface permits flows of traffic that come in on an interface and are routed back out the same interface. By default this is denied. An example of this would be hair-pinning; hub and spoke VPN topologies utilize this methodology.

ASDM

Navigate to Configuration > Device Setup > Interfaces
Select the check box entitled Enable traffic between two or more hosts connected to the same interface.

CLI 

ciscoasa# conf t
ciscoasa(config)# same-security-traffic permit intra-interface

To disable either use the no form of the command.

Why must we go to area 0?

By | Musings | One Comment

OSPF is something that still mystifies me. I know it is a vast and large protocol and I do hope I can dispel something today for you.

“Why do other areas need to connect to area 0?”

Picture a tree. Nice big tall trunk and it has many branches. Area 0 is the trunk of your network whilst other areas are in essence branches.

As we know every router in an area shares information about itself and the links it contains. This information is shared with all routers in an area. In turn, each router creates a link-state database. SPF is run on each router in the area and the “tree” is formed.

Simple multi-area OSPF

When areas become large and OSPF areas have a large link state database it is important to break networks into areas like the above. This allows control of the database and ensures efficient convergence. I like to apply areas based on site or geographic boundary where applicable, or where I want to leverage distinct LSAs from certain area types. The areas that connect to area 0 are our “branches”. By defining areas we can limit the SPF calculation to the devices in the area.

Each area connects to area 0 through an Area Border Router. ABRs have an important role in maintaining separate link state databases. An ABR uses type 3 LSAs to inform routers in adjacent areas that it knows how to reach prefixes in other connected areas. It is important to know that ABRs act as the eyes and ears for routers in other areas. The ABR in the picture (R3) can see the routers R1/R2 in A0 and R4/R5 in A1 and acts as their eyes and ears. R1/R2 and R3/R4 do not know of each other directly.

Inter-area OSPF behaves like a distance vector protocol. Although OSPF is a link state protocol, the way it handles inter-area routes leaves it prone to routing loops. This is why every area must connect back to area 0: to avoid routing loops. Now you can see why network designs that use OSPF all join back to area 0, and why it is important to ensure virtual links are used as band-aids only.

Remote Labbing – Lab long and prosper!

By | Industry, Study Notes | 2 Comments

Certification requires a lot of lab time. I mean a lot. Hundreds of hours of thorough, insightful, and meaningful labbing, let alone the time invested behind the CLI for a CCIE certification. There are two routes most people go these days: hiring rack time or building their own lab. I am going to discuss the latter today, including reproducing my setup!

Physical vs Semi-physical

There are two types of physical labs we can create. If you have access to ex-production kit, are very wealthy, or happen to get lucky on eBay, then a full physical topology is great. Routers, switches, FR devices. When looking into a vendor topology for the CCIE lab you quickly realize it could be quite expensive, and in this economic climate it ends up being quite expensive.

http://www.ine.com/topology.htm

Although this is classed as a cheaper lab, there are a lot of interfaces and expansion cards to get. The price does add up.

I have opted for a hybrid physical/virtual topology. What on Earth? GNS3 + 4 physical switches + a whole lotta NICs. Let us now together build our server.

Physical Checklist

I am lucky enough that my workplace has spare servers. Dell PowerEdge 710 is the flavor. It is highly overpowered for what we plan to do.

  • 2 x Xeon QC 2.8ghz
  • 32 GB ram (It did have 96GB)
  • 500GB 15k SAS
  • 3 x Intel QUAD 1GB NIC
  • 1 x Onboard NIC (4x 1GB)

Overkill. What I am doing can be reproduced on an i5 with 8 GB RAM and 3-4 quad NICs. GNS3Vault, Matthew Mengelm, and Mellowd have done it on the above or less.

  • 2 x 3560-X (48Port, PoE, 100/1000, 2 x 10GB card)
  • 2 x 3750-G

Install time.

I have installed Ubuntu 12.04 x64 onto this machine.  I chose the desktop version and I am a grasshopper. The server is accessible when I am at work but I wanted easy access if I broke something :)

Install dependencies of GNS3/Dynamips

 sudo apt-get update
 sudo apt-get install python
 sudo apt-get install qt4-dev-tools
 sudo apt-get install pyqt4-dev-tools

Install GNS3 to /opt directory.
( I choose to keep all directories lowercase for sanity reasons)

 cd /opt
 sudo wget http://downloads.sourceforge.net/project/gns-3/GNS3/0.8.2/GNS3-0.8.2-src.tar.bz2
 sudo tar -xjvf GNS3-0.8.2-src.tar.bz2
 sudo mv GNS3-0.8.2-src /opt/gns3
 sudo rm GNS3-0.8.2-src.tar.bz2

Creating subdirectories and adding read/write permission for other users (o+rw) on the project directory.

 cd /opt/gns3
 sudo mkdir dynamips
 sudo mkdir ios
 sudo mkdir project
 sudo mkdir tmp
 sudo chmod o+rw -R ./project

Time to install the Dynamips backend:

 cd dynamips
 sudo wget http://downloads.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86.bin
 sudo chmod +x ./dynamips-0.2.8-RC3-community-x86.bin

X11 Forwarding

Now, before we begin, I want to set up remote access. I use this machine via the internet, so once port forwarding is set up I need to add and change some SSH settings. I want the GNS3 GUI to be X11 forwarded so I can access and change a topology and create new ones. My dynamips training wheels aren’t great.

sudo nano /etc/ssh/ssh_config
Remove the # and change the line to ForwardX11 yes

Write these changes.

Access via CLI.

After SSH’ing into your box you land at the command prompt. To launch a GUI based GNS3 from CLI use the following.

sudo python /opt/gns3/gns3.pyw

That will launch GNS3. If you also want it to open a topology file on launch, do the following:

sudo python /opt/gns3/gns3.pyw /opt/gns3/project/ine/inev5.net

GNS3 settings

Due to having a bucket load of RAM I do the following to allow myself faster run times. I set the working directory for Dynamips to /run/shm, which is RAM-backed. Pewpew!

Edit > Preferences > Dynamips >

Working Directory for Dynamips:
 /run/shm

Now to set up the basics with GNS3/Dynamips.

Edit > Preferences > Dynamips >

Executable path to Dynamips:
 /opt/gns3/dynamips/dynamips-0.2.8-RC3-community-x86.bin
Project directory : /opt/gns3/project
 Image Directory :/opt/gns3/ios

Inside the ios folder I have the c3725-adventerprisek9-mz.124-15.T5 image.
My idle-pc value, which tells Dynamips when the emulated CPU is idle, is 0x602649b4. This will change for your machine. Pick one of the values marked with a * when you calculate it.
I have also increased the RAM of my 3725 to 256MB.

Fully loaded and running my INEv5 topology uses 8 percent of ram. :)

Goal Topology

This is the topology I am building. Where a switch is cabled into a router, as far as the device is concerned they are adjacent. In the case of SW3 -> BB3 the physical connection is SW3 fa0/24 –> eth1 <— GNS3 cloud bound to eth1 <—- BB3 fa0/0. Rinse and repeat this step and you will find that you can easily build not only this topology but also the IPExpert, Narbik, Cisco360 or any conceivable topology. Oh, and you can have more than 4 switches!

INE v5

INEv5 Ethernet

INEv5 Serial

Presenting the final GNS3 topology

Lab lab baby!

The little clouds show which port they connect to. I hope that by providing the physical serial, Ethernet, and GNS3 diagrams you will be able to reproduce this nicely.

Extras to make labbing easy.

Now let us be cheeky and make full use of our switches. Telnet to serial!
I have 4 console cables, 2 USB and 2 serial, to access my switches. I access my switches by “telnetting” to the console cables.

Install Serial to Telnet

sudo apt-get install ser2net

Edit the config

sudo nano /etc/ser2net.conf

I change the TTY lines to the ones being used on my machine.

6000:telnet:0:/dev/ttyS1:9600 8DATABITS NONE 1STOPBIT banner
6001:telnet:0:/dev/ttyS2:9600 8DATABITS NONE 1STOPBIT banner
6002:telnet:0:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
6003:telnet:0:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner

The syntax above is portnumber:protocol:timeout:device:baud, followed by the serial options. Pretty easy.
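As an added example that is not part of the original post, here is a small Python parser for ser2net.conf port lines in the portnumber:protocol:timeout:device:baud form above, plus an audit pass over them from a defender’s viewpoint: telnet is cleartext, and a timeout of 0 disables ser2net’s idle disconnect. The sample lines are constructed to match the four above, and the optional address,port bind prefix is an assumption taken from ser2net 2.x syntax.

```python
from typing import Any, Dict, List

# Constructed sample modelled on the four entries on this page (the comment
# line is added so the parser has something to skip).
SAMPLE_CONF = """\
# ser2net.conf: lab switch consoles reachable by telnet on the GNS3 box
6000:telnet:0:/dev/ttyS1:9600 8DATABITS NONE 1STOPBIT banner
6001:telnet:0:/dev/ttyS2:9600 8DATABITS NONE 1STOPBIT banner
6002:telnet:0:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
6003:telnet:0:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner
"""

PROTOCOLS = {"raw", "rawlp", "telnet", "off"}
COMMON_BAUDS = {300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200}


def parse_ser2net(text: str) -> List[Dict[str, Any]]:
    """Parse port lines of the form port:protocol:timeout:device:options.

    The options field starts with the baud rate, then serial settings such as
    8DATABITS NONE 1STOPBIT and the banner flag, exactly as on the page.
    """
    entries: List[Dict[str, Any]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected port:protocol:timeout:device:options")
        port, protocol, timeout, device, options = fields
        # Assumed ser2net 2.x syntax: "address,port" binds to one address; keep it if given.
        bind, _, port = port.rpartition(",")
        if protocol not in PROTOCOLS:
            raise ValueError(f"line {lineno}: unknown protocol {protocol!r}")
        opts = options.split()
        entries.append({
            "line": lineno,
            "bind": bind or None,
            "port": int(port),
            "protocol": protocol,
            "timeout": int(timeout),  # seconds of inactivity before disconnect; 0 disables
            "device": device,
            "baud": int(opts[0]) if opts and opts[0].isdigit() else None,
            "options": opts[1:],
        })
    return entries


def audit(entries: List[Dict[str, Any]]) -> List[str]:
    """Findings a defender would want before exposing console ports."""
    findings: List[str] = []
    seen_ports: Dict[int, int] = {}
    seen_devices: Dict[str, int] = {}
    for e in entries:
        tag = f"line {e['line']} (port {e['port']})"
        if e["protocol"] == "telnet":
            where = e["bind"] or "all interfaces"
            findings.append(f"{tag}: telnet is cleartext and listens on {where}; "
                            "reach it over SSH or bind it to 127.0.0.1")
        if e["timeout"] == 0:
            findings.append(f"{tag}: timeout 0 never disconnects an idle session, "
                            "so a dropped client can keep the console busy")
        if e["baud"] not in COMMON_BAUDS:
            findings.append(f"{tag}: unusual baud rate {e['baud']}")
        if e["port"] in seen_ports:
            findings.append(f"{tag}: duplicate port, also used on line {seen_ports[e['port']]}")
        if e["device"] in seen_devices:
            findings.append(f"{tag}: duplicate device {e['device']}, also on line "
                            f"{seen_devices[e['device']]}")
        seen_ports.setdefault(e["port"], e["line"])
        seen_devices.setdefault(e["device"], e["line"])
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ser2net(SAMPLE_CONF)):
        print(finding)
```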

Now lets restart the service so the config file is reloaded.

sudo service ser2net restart

To access all of my devices at once, conveniently and securely, I use the Byobu terminal multiplexer over SSH.

sudo apt-get install byobu
sudo byobu

F2 creates a new terminal. F3/F4 navigate across.

It may take a while to get through, but now you have a pseudo console server! It will keep your history, which is the best part, so if you lab remotely you can resume exactly where you left off with the output of previous sessions.

Treats!

I have uploaded my topology to ubuntu pastebin. Feel free to copy and paste this into a .net file and use it yourself. This applies to my computer only so do change it if you have different settings, install locations. Remember to adjust the IDLE-PC to match yours as a .NET file overrides global defaults.

My thoughts

My labbing has increased tenfold. I have the ability to spin up varying networks with L2/L3 technologies working harmoniously together. CLI access is fantastic and, having now quite a few templates to work on, I have zero excuse. I believe the hours I spent putting this together have already yielded dividends.

** EDIT – You can easily add in a Firewall using QEMU and ASA 8.4. More delicious topics to get your pretty faces into.

Additional and Supplementary post

RIDs. Spare a thought for the non-configured.

By | Musings | No Comments

The router-ID (RID). Such a fundamental concept in so many regards, and one of the more important parts of a routing protocol. I could almost argue that it is one of the more easily forgotten things to configure. With routing protocols relying on their RID to keep a stable topology, my mind drifted to planning and scoping addressing space.

Speaking with @networkjanitor today briefly we discussed this. His words are as always wise.

  • Divide up a /24 subnet.
  • Further divide these addresses into /32’s
  • Assign to a loopback interface.
  • Set OSPF network type as point-to-point.
  • Set passive-interface.

How do you ensure your topology is stable? Do you carve up a subnet and issue IP addresses to a loopback? Do you leave it up to chance and rely on your intimate knowledge of said network? Share your thoughts below about how you address RID’s to ensure a stable and easy to work with routing topology.

The importance of skinning cats

By | Study Notes | No Comments

Once again the VLAN topic comes to the forefront but immediately I know this will apply to all aspects of the blueprint. The old adage goes something like “There are many ways to skin a cat”.

Let’s take the example of creating a VLAN. How many ways can you do it? Well, I know of three. I will give an example of each below to show my point.

First Method – VLAN Database

S1#vlan database
% Warning: It is recommended to configure VLAN from config mode,
 as VLAN database mode is being deprecated. Please consult user
 documentation for configuring VTP/VLAN in config mode.
S1(vlan)#vlan 100 name CCIE-vlan100
VLAN 100 added:
 Name: CCIE-vlan100

Note here that we have added a VLAN into the VLAN database. Remember that you can only have VLANs that are in the standard range, which consists of 1-1004. Note also that this method is being deprecated but at the time of writing is still relevant.

Second Method – Global Configuration

S1(config)#vlan 150
S1(config-vlan)#name CCIE-vlan150

This method is quite easy in comparison. This method is what has replaced directly interacting with vlan.dat via the VLAN database. This is the method that most students are taught when getting their CCNA studies under their belt.

Third Method – Interface creation

S1(config)#int fa0/10
S1(config-if)#switchport access vlan 200
% Access VLAN does not exist. Creating vlan 200

Note here that we have created a VLAN inadvertently by placing an interface into a VLAN which has not been defined. This creates the VLAN in the database. This only applies to standard range VLANs and does not work on all devices.

If you have read my previous article discussing the difference between standard and extended range VLANs you will have more clarity in regards to the following error.

S1(config-if)#switchport access vlan 3500
% Access VLAN does not exist. Creating vlan 3500
S1(config-if)#
00:08:28: %PM-2-VLAN_ADD: Failed to add VLAN 3500 - VTP error.

This error will rear its head due to the fact that the switch cannot write an extended VLAN to the vlan.dat database. The VTP mode which allows extended VLANs to be utilized and written to the running config is transparent mode. VTPv3 does alleviate issues posed here but at this current time is outside the bounds and scope of the CCIE blueprint.

This entry was not designed as a guide to skinning our feline kitties. Its purpose is to understand that a task may require a different way of execution. I know for a fact that restrictions on the CCIE exam make some simple tasks a little trickier. It even takes trickier tasks to the extreme.

By understanding different methods such as those listed above you may avoid some obstacles. If a task stated

  • VLANs 500,1000,2000 must be created. VLAN information must be added to the running configuration concurrently.

You would have to weigh up what method and mode best suits the requirements of the question.

A fundamental understanding of technologies and their applications is important. Playing at the CLI will also reveal the cause and effect of each word you type. The CCIE awaits me and I best get back to study.

Starting my CCIE Written (prematurely?)

By | Study Notes | 16 Comments

Today is a significant day. After much tossing and turning and discussions with my wife I have finally decided to start down the path of the CCIE study. Those who follow my blog may know that I am not yet a CCNP (I still have SWITCH to go) and that is fine. The reason I am waiting is financial. I am saving my pennies after a 0.9 percent miss on SWITCH back in May. I felt that continuing onwards will reinforce what I know and allow me to align study time to defined goals.

I am not taking this goal lightly. I understand the gravity of the task at hand. I have many good friends who are on the path, looking back on the path, and standing right beside me.

Join my adventures by subscribing to my blog or come chat over at #cciestudy on freenode.

IOS CLI Shortcuts!

By | Musings | No Comments

Found this neat list of IOS shortcuts! Adding for future reference. Ctrl + K is my favourite!

Ctrl + A - Beginning Line
Ctrl + B - Backward Character
Ctrl + C - Clear line
Ctrl + D - Delete Character to the Right
Ctrl + E - End Line
Ctrl + F - Forward Character
Ctrl + H - Backspace Character to the Left
Ctrl + I - Refresh Line and Goto End
Ctrl + J - Return
Ctrl + K - Delete everything on the Right of cursor
Ctrl + L - Refresh Line
Ctrl + M - Return
Ctrl + N - Next Command
Ctrl + P - Previous Command
Ctrl + R - Refresh Line
Ctrl + T - Flip Last 2 Characters
Ctrl + U - Clear Line and Put in Buffer
Ctrl + V - Allows A Control Character To Be Typed
Ctrl + W - Delete Word Backwards and Put in Buffer
Ctrl + X - Clear Line to the Left and Put in Buffer
Ctrl + Y - Paste Buffer Contents

How can you help get the MSCE out of the toilet?

By | Musings | No Comments

 

2012 – A server odyssey

With Windows Server 2012 nearing launch, the Microsoft Developer Network has released a great book on the features and offerings the new OS has built in. A quick glance gives options regarding blah blah cloud deployments, improved monitoring and more. With over 256 pages split into 5 chapters of Microsoft Server goodness, I am sure there is something new in there for all systems administrators.

The new MSCE Server Infrastructure exams are on their way. This will help give you a leg up and get certified as soon as possible. With a lot of 03 boxes around and 08 (non-R2), many will find the path to Server 2012 requires a certified expert. Earn your stripes and get your teeth into some serious deployments/migrations.

Take note: the quality of Microsoft exams doesn’t necessarily mean you are an expert. That part is up to you. Notorious for being a grammar test more than a technical one, it is important that labbing and proof of concept work are undertaken at home. Cisco used the saying “It’s how they know you know” regarding their certification tracks. Simple: if you dump, then they will know quickly that you are incapable and one of those people who bring the value of the cert down. If you lab hard, work hard and LEARN the technology then you will deliver. Oh, and you might just help bring the standard of MSCE certification out of the toilet!

Table of Contents

Chapter 1 The business need for Windows Server 2012
  • The rationale behind cloud computing
  • Making the transition
  • Technical requirements for successful cloud computing
  • Four ways Windows Server 2012 delivers value for cloud computing

Chapter 2 Foundation for building your private cloud
  • A complete virtualization platform
  • Increase scalability and performance
  • Business continuity for virtualized workloads

Chapter 3 Highly available, easy-to-manage multi-server platform
  • Continuous availability
  • Cost efficiency
  • Management efficiency

Chapter 4 Deploy web applications on premises and in the cloud
  • Scalable and elastic web platform
  • Support for open standards

Chapter 5 Enabling the modern work style
  • Access virtually anywhere, from any device
  • Full Windows experience
  • Enhanced security and compliance

Link to the PDF

Link to the Release Candidate

GNS3 and Cisco ASA 8.4 (Part 2)

By | Musings, Study Notes | 13 Comments

Alright! Bam! Excited? I surely am. Cisco ASA on my laptop and I can lab anywhere! Now let’s establish more than console access via GNS3 and get SSH/HTTPS/ASDM running. The reason I am so pushy to get the ASA on a device is because certification guides all show how to do a task both ways. Handy in my opinion. Plus it doesn’t hurt for study reasons!
Requirements

  • tftpd32 – TFTP application
  • Legal version of ASDM 8.4.2 – Pretty GUI for the ASA
  • Administrator Rights – Need to bridge your interfaces!

Setup GNS3 for a host

Before we go making SSH access we need to connect our device into GNS3. Simple enough, but it can be daunting for some. I currently use Windows 7 on my lab machine due to the speed of spinning up VMs and the ease of connecting them in. I have dabbled with taps in Linux and it hurts my face and wastes my labbing time.

To connect your host to GNS3 I made a bridge interface with a pre-existing VM interface and my Gig Ethernet interface of my laptop.

  1. Open up network connections
  2. Select Ethernet connection and VM Connection
  3. Right Click > Bridge Connection
  4. Assign an IP address to your device.

Think Smart and It’s simple!

Now that we have created this adapter and assigned this address ( other end is g0 on the ASA – 192.168.2.1 ) we can create a magical unicorn (cloud) link!

  1. Open up GNS3 – Drag a cloud next to your ASA and place an Ethernet Switch down too.
  2. Right click on the cloud and configure. Select the MAC address bridge and add that connection.
  3. Cable the cloud to the switch and then the switch to the ASA

Pick the right interface lest there be judgment most righteous

 

Back to the ASA!

Now lets get some initial configuration on this ASA and get connectivity from our Windows machine! We are getting there people! Slow and steady wins the race.

Note: GNS3 lists interfaces as E0-5. The ASA sees them as G0-5.

Alright – Basic ASA configuration and required Interfaces

interface GigabitEthernet2
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.2.1 255.255.255.0
username asa password xGIkoVq88G4kwjuv encrypted privilege 15

Now to make the SSH keys

domain-name ciscoinferno.net
crypto key generate rsa
ssh 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication ssh console LOCAL
ssh timeout 5

Voila! Subnet 192.168.2.0 from the Management interface has been allowed for SSH. Now to test a ping from the 192.168.2.2 host and then connect via SSH!

C:\Users\CiscoInferno>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=4ms TTL=255
Reply from 192.168.2.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.2.1:
 Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 1ms, Maximum = 4ms, Average = 2ms

Looky Looky – SSH keys

and one day…. I got in

Now let’s TFTP the ASDM software from 192.168.2.2 onto the ASA at 192.168.2.1. Rather simple process. tftpd32 is installed onto the host at 192.168.2.2 and the file asdm-641.bin is in the TFTP root.

ASA1# copy tftp disk
Address or name of remote host []? 192.168.2.2
Source filename []? asdm-641.bin
Destination filename [disk]?
Accessing tftp://192.168.2.2/asdm-641.bin...!!!!!!  !!!!!!!
15841428 bytes copied in 41.550 secs (386376 bytes/sec)
ASA1#

Installed. Now we just enable the HTTPS web service and off we go. So close! Study can almost begin!
The commands to set up the HTTPS web server are not far away and very similar to the SSH syntax.  We first enable the service then allow what subnet on which interface to access it.

http server enable
http 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication http console LOCAL
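A small audit of the management-access lines above (an added example, not code from the original post): it checks that SSH and the ASDM HTTPS server are each restricted to a named interface and a real subnet, use LOCAL authentication, and that an SSH idle timeout is set. The config text embedded in it is constructed from the snippets above.

```python
"""Audit ASA management-plane access lines (added example, not from the post)."""
import ipaddress
import re

# Constructed sample, assembled from the SSH and HTTP snippets in the post.
SAMPLE_CONFIG = """
interface GigabitEthernet2
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.2.1 255.255.255.0
domain-name ciscoinferno.net
ssh 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication ssh console LOCAL
ssh timeout 5
http server enable
http 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication http console LOCAL
"""

# Matches "ssh <net> <mask> <nameif>" and "http <net> <mask> <nameif>" lines.
ACCESS_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_management_access(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nameifs = {l.split()[1] for l in lines if l.startswith("nameif ")}
    findings = []
    for service in ("ssh", "http"):
        if service == "http" and "http server enable" not in lines:
            continue  # HTTPS server not enabled, nothing to audit
        permits = [m for m in map(ACCESS_RE.match, lines) if m and m.group(1) == service]
        if not permits:
            findings.append(f"{service}: no permitted source subnet configured")
        for m in permits:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 means any source may connect
                findings.append(f"{service}: permits any source (0.0.0.0 0.0.0.0)")
            if m.group(4) not in nameifs:
                findings.append(f"{service}: interface {m.group(4)} has no nameif")
        if f"aaa authentication {service} console LOCAL" not in lines:
            findings.append(f"{service}: no LOCAL AAA authentication")
    if not any(l.startswith("ssh timeout ") for l in lines):
        findings.append("ssh: no idle timeout set")
    return findings
```

Run it against a copy of your own running-config; the post's configuration as shown produces no findings.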

Let's save this as a basic config.

copy run start
copy start disk

ASDM Access time

Now we open up Internet Explorer (Chrome went funky chicken on me), browse to https://192.168.2.1 and see what happens.

 

Here we go!

Now – let us login via ASDM and use the web gui! Click Run ASDM.  After some loading check out what will appear next!

Job's done!

And with that we have working ASDM! Now go forth and spread the good work. Let me know how you have found this post and I will attempt to help those below who cannot get this working. Again I will not give out any software illegally. Happy Labbing!


GNS3 and Cisco ASA 8.4 (Part 1)

By | Musings, Study Notes | 34 Comments

GNS3 has been a staple of my personal study. When I first achieved ROUTE on my way to CCNP I worked in a heavily switched environment. I had worked on routers and routing technologies about 5 percent of the time. It wasn't enough to brush over the material and blitz the exam. I required a deep dive into the materials offered. I ended up using GNS3 and could create multi-area OSPF topologies, giant EIGRP networks, and BGP with cheeky redistribution. This was only the beginning.

Imagine this inside your laptop and access anywhere?

My current place of employment is about to have ASAs come out of the nether regions. 5585-CX is the flavour of the day. As a part of all this I am being sent to a Cisco partner course covering FIREWALL topics. I guess this aligns with the CCNP Security FIREWALL curriculum. My ASA exposure is quite limited and I have to admit that I am generally a fish out of water when it comes to hardcore security.

I have read around about people getting PIX firewalls working with GNS3, but PIX is old! ASA took over before I even got into networking. The new CCNA Security now adds ASA to the course (less rubbish, more content!) and CCNP Security requires ASA/IPS and ASDM, but I couldn't afford to buy ASA devices or the required licensing. Luckily I gained access legally to licences, ASA software and ASDM.

I am an advocate of licensing and doing the right thing. DO NOT ask me for links to files or for a one off link. CCO login will more than let you know if you are eligible to be using the software detailed in this article. I could be breaking the rules as it is.

 

GNS3

Let me first start this off by disclaiming that this post is not a "Welcome to GNS3". I am expecting a level of knowledge already present and will NOT be covering basics in this post.

The version of GNS3 that this laptop is using is 0.82-BETA2. I've not updated for a while but this is the version that works for me. Included in the All in One installer is QEMU. QEMU is the hero and emulator of the ASA software.

ASA

* If you do not have any of the required files along the way, I suggest that you use the googles a little. You may find the files required.

Now – let's point GNS3 towards our ASA software. I am using 8.4.2 ASA code.

  1. Edit
  2. Preference
  3. QEMU
  4. ASA

These QEMU settings work for me. They may not for you.

Note the picture above. The following settings are input into the fields.

ASA SETTINGS

  • Name: ASA8.4 (can be anything)
  • RAM: 1024MB
  • NICs: 6
  • NIC model: e1000
  • Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

ASA SPECIFIC SETTINGS

  • Initrd: Location of Initrd file
  • Kernel: Location of Kernel (ASA) software

Probably the most important field is below. This exact string works for ASA code 8.4 and nothing prior.

  • Kernel CMD: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Wall of Fire

Now add that and close the window. Next step is to drag across an ASA into the topology. This is my topology I am using to create my virtual lab.

My Security lab

Now just hit console and the ASA will start. It will load up, and it can take a while the first time. The requirements are high, so if your CPU spikes or RAM is maxed out, expect a poor experience. My laptop rocks 16 GB RAM and a Sandy Bridge i7, so I do not have many issues.

Hardware requirements are of particular concern if you are also running virtual machines such as Security Onion. If they are a concern, then just worry about connecting your client up!

Licence to kill

As we all know, ASA licensing is intense. Stupidity comes to mind. Want VLANs? We got a licence for that. Want failover? Got a licence for that. 10GBE on 10GBE hardware? Yes, my word, you need a licence for that.

Well, the same goes for the ASA we have running. It is now a fully functioning ASA – the same rules apply. That being said, I do use a legit ASA licence; I have sourced one for you that is floating around the internet. From what I have read, the people who made all this work got this key working. Until I receive a take down notice – here kiddies!

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Here I apply the key – note that the first time takes FOREVER and a day! Don't worry, just let it do its thing.

ciscoasa>
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0$
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.

Now the important thing to note here concerns restarting the ASA: DO NOT RELOAD. If you reload, you will need to put in the key again the next time you boot up. It takes 5 minutes, so it can slow you down.

What I have found is that stopping/starting via right click in the GNS3 gui will help you here. It remembers its information.

copy running-config startup-config
copy startup-config disk0

This is what keeps the configuration consistent through a restart.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual

Well. That is nice. VPNs, Failover, 3DES-AES, and contexts. Spoilt aren't you! That's it for provisioning an ASA in QEMU. If there are any files you are missing, a light google will help you find them – allegedly. It took me about 90 minutes of research and not much longer putting it together.

Next up we bind GNS3 to our host machine, kick the console for SSH access from the host then TFTP ASDM onto our device! Phwoar. CCNA CCNP CCIE SECURITY LABS FOR EVERYBODY!

Update –  Shout out to Routergods.net for the love. Check his ASA video out that aligns to this! http://www.youtube.com/watch?v=jAwPuw7G6u8&feature=g-all-u
