Networking-Blog


PIX/ASA 7.x Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client

[Figure: ezvpn-asa5500-506e-1.gif (network diagram: ASA 5520 server, PIX 506E client)]

Easy VPN Server (ASA 5520)


!--- Configure the outside and inside interfaces.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
!
!

!--- This access list is used by the nat 0 command so that
!--- traffic matching it is exempt from network address
!--- translation (NAT).

access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0

!--- This access list defines the traffic that should pass
!--- through the tunnel. It is bound to the group policy as the
!--- split-tunnel network list and is pushed to the client.

access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
!

!--- Specify the NAT configuration.
!--- nat 0 exempts the traffic matched by the no-nat ACL from NAT.
!--- nat 1 together with global 1 applies PAT to all other inside traffic.

global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.20.20.2 1
!
!

!--- This defines the group policy used with Easy VPN.
!--- It specifies the networks that should pass through the
!--- tunnel and enables network extension mode (NEM), so the
!--- client's inside subnet is reachable by its real addresses.

group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
webvpn

!--- Here the username and password associated with this VPN
!--- connection are defined (used for Xauth). You can also use
!--- AAA for this function. "cisco" is an example credential only.

username cisco password 3USUcOPFUiMCO4Jk encrypted
!
!

!--- PHASE 2 CONFIGURATION ---
!--- The encryption types for Phase 2 are defined here:
!--- single DES with the MD5 HMAC. Both are weak by current
!--- standards and are used here only to keep the example
!--- minimal; prefer esp-aes and esp-sha-hmac wherever both
!--- ends support them.

crypto ipsec transform-set mySET esp-des esp-md5-hmac

!--- Defines a dynamic crypto map with the specified transform
!--- set. A dynamic map is needed because the client's peer
!--- address is not known in advance.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

!--- Binds the dynamic map to a crypto map entry.

crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP

!--- Applies the crypto map to the outside interface.

crypto map myMAP interface outside

!--- PHASE 1 CONFIGURATION ---
!--- This configuration uses isakmp policy 1. The commands here
!--- define the Phase 1 (IKEv1) policy. DES, MD5 and DH group 2
!--- (1024-bit) match the Phase 2 choice above and carry the same
!--- caveat: use AES, SHA and a larger DH group where the client
!--- allows it.

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

!--- The tunnel-group commands bind the group policy and the
!--- pre-shared key to the tunnel used for Easy VPN. The tunnel
!--- name (mytunnel) is the group name specified on the remote side.

tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
!
!--- The pre-shared key used here is "cisco". The running
!--- configuration shows it masked as "*".

pre-shared-key *

Easy VPN Remote Hardware Client (PIX 506E):

PIX Version 6.3(5)

!--- Brings the interfaces out of a shutdown state.

interface ethernet0 auto
interface ethernet1 auto

!--- Assign the interface names and security levels.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
!

!--- Assign the interface IP addresses.

ip address outside 10.10.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
!
!--- Set the standard NAT configuration.
!--- Easy VPN adds the NAT exemption for tunnelled traffic
!--- itself, so no nat 0 statement is needed on the client.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
!--- Specify the default route.

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!

!--- Easy VPN Client Configuration ---
!--- Specify the IP address of the VPN server.

vpnclient server 10.20.20.1

!--- This example uses network extension mode, matching
!--- "nem enable" in the server's group policy.

vpnclient mode network-extension-mode

!--- Specify the group name (the server's tunnel-group name)
!--- and the pre-shared key.

vpnclient vpngroup mytunnel password ********

!--- Specify the Xauth username and password.

vpnclient username cisco password ********

!--- Enable the client. After you issue this command, the
!--- tunnel is established.

vpnclient enable

Summary:

ASA:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
!
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.20.20.2 1
!
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
webvpn
!
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
!
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
!
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
pre-shared-key *

PIX 506E (Easy VPN client):

interface ethernet0 auto
interface ethernet1 auto
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
!
ip address outside 10.10.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
vpnclient server 10.20.20.1
vpnclient mode network-extension-mode
vpnclient vpngroup mytunnel password ********
vpnclient username cisco password ********
vpnclient enable

!--- After you issue this command, the tunnel is established.
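The Phase 1 and Phase 2 choices in the server configuration above (DES, MD5, DH group 2) are the kind of thing that is easy to leave in place once a tunnel works. The script below is an added example, not part of the original post and not a Cisco tool: it reads a PIX/ASA 7.x-style configuration, assembles each "isakmp policy" from its separate lines, and reports weak encryption, hash, DH group and ESP transforms. The weakness tables are this script's own assumptions; SAMPLE_CONFIG is the crypto portion of the server configuration from the post, embedded so the script runs offline.

```python
"""Audit the IKEv1 and IPsec choices in a PIX/ASA 7.x-style configuration.

Added example: not part of the original post and not a Cisco tool. The
policy tables below are this script's own assumptions about what counts
as weak; SAMPLE_CONFIG is the crypto section of the server configuration
from the post, embedded here so the script runs offline.
"""
import re
from dataclasses import dataclass

# Assumed weakness tables: DES/3DES and MD5 are obsolete, DH groups 1 and
# 2 are too small, esp-null gives no confidentiality.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

SAMPLE_CONFIG = """
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
"""

@dataclass(frozen=True)
class Finding:
    line: str   # configuration line (or policy name) the finding refers to
    issue: str

POLICY_RE = re.compile(r"^(?:crypto )?isakmp policy (\d+) (\w+) (\S+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def audit_config(config: str) -> list:
    """Return one Finding per weak setting; transform sets first, then policies."""
    findings = []
    policies = {}          # policy number -> {attribute: value}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            num, attr, value = m.groups()
            policies.setdefault(num, {})[attr] = value
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            name, transforms = m.group(1), m.group(2).split()
            for t in transforms:
                if t in WEAK_TRANSFORMS:
                    findings.append(Finding(line, f"transform-set {name}: weak transform {t}"))
            # Without an HMAC transform ESP provides no integrity protection.
            if not any(t.startswith("esp-") and t.endswith("-hmac") for t in transforms):
                findings.append(Finding(line, f"transform-set {name}: no integrity transform"))
    # Phase 1 policies are assembled from several lines, so check them last.
    for num in sorted(policies, key=int):
        p = policies[num]
        label = f"isakmp policy {num}"
        if p.get("encryption") in WEAK_ENCRYPTION:
            findings.append(Finding(label, f"{label}: weak encryption {p['encryption']}"))
        if p.get("hash") in WEAK_HASH:
            findings.append(Finding(label, f"{label}: weak hash {p['hash']}"))
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(Finding(label, f"{label}: DH group {p['group']} is too small"))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.issue:50}  <- {f.line}")
```

Run against the sample it reports five findings (two for the transform set, three for policy 1); a transform set of esp-aes-256 esp-sha-hmac with an AES/SHA/group 14 policy produces none. Feed it the output of "show running-config crypto" from a real box rather than a pasted excerpt.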

Linux Find List of Hardware

Run lsmod to list the loaded kernel modules (probably quite a few) and lspci to list the PCI hardware; find the Ethernet card in the lspci output and compare it with the lsmod output to see which driver module is serving it.

Code:

lspci | grep Ethernet

This command gives you the names of the Ethernet PCI devices. lspci -k additionally prints the kernel driver in use and the candidate modules for each device, which saves cross-referencing by hand against lsmod.

Additional commands:

dmesg | grep 'Ethernet driver'
grep eth0 /etc/modules.conf

lspci man page excerpt:

lspci - list all PCI devices

OPTIONS

-v
Tells lspci to be verbose and display detailed information about all devices.
-vv
Tells lspci to be very verbose and display even more information (actually everything the PCI device is able to tell). The exact meaning of these data is not explained in this manual page, if you want to know more, consult /usr/include/linux/pci.h or the PCI specs.

-n
Show PCI vendor and device codes as numbers instead of looking them up in the PCI ID database.
-x
Show hexadecimal dump of first 64 bytes of the PCI configuration space (the standard header). Useful for debugging of drivers and lspci itself.

-b
Bus-centric view. Show all IRQ numbers and addresses as seen by the cards on the PCI bus instead of as seen by the kernel.
-t
Show a tree-like diagram containing all buses, bridges, devices and connections between them.

Linux Repository

Adjust your repository settings:

Add one of the following lines, according to your distribution release, to /etc/apt/sources.list:

vi /etc/apt/sources.list (the package in this case is virtualbox).

deb http://download.virtualbox.org/virtualbox/debian maverick contrib
deb http://download.virtualbox.org/virtualbox/debian lucid contrib
deb http://download.virtualbox.org/virtualbox/debian karmic contrib

Import the repository's signing key as well (Oracle publishes it on the VirtualBox Linux download page); without it apt cannot verify the packages and warns that the repository is unsigned. Save the file, then refresh the package index (this is not a kernel update):

apt-get update

then run:

sudo apt-get install virtualbox-4.0

This fetches and installs the software.

ASA 8.3(x) Dynamic PAT with Two Internal Networks and Internet Configuration

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Make sure the internal network has two networks located on the inside of the ASA:
    • 192.168.0.0/24—Network directly connected to the ASA.
    • 192.168.1.0/24—Network on the inside of the ASA, but behind another device (for example, a router).
  • Make sure the internal users get PAT as follows:
    • Hosts on the 192.168.1.0/24 subnet will get PAT to a spare IP address given by the ISP (10.1.5.5).
    • Any other host behind the inside of the ASA will get PAT to the outside interface IP address of the ASA (10.1.5.1).

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Adaptive Security Appliance (ASA) with version 8.3(1)
  • ASDM version 6.3(1)

[Figure: asa-dynamic-pat-01.gif (network diagram: 192.168.0.0/24 and 192.168.1.0/24 behind the ASA, outside 10.1.5.1)]

ASA CLI Configuration

This document uses the configurations shown below.

ASA Dynamic PAT Configuration
ASA#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.


!--- Creates an object called OBJ_SPECIFIC_192-168-1-0.
!--- Any host facing the 'inside' interface of the ASA with an
!--- address in the 192.168.1.0/24 subnet gets PAT to the
!--- 10.1.5.5 address for Internet-bound traffic.
!--- Enter this rule first: manual (twice) NAT rules are evaluated
!--- in configuration order and the first match wins, so the
!--- specific rule has to precede the catch-all rule below. If the
!--- catch-all was entered first, re-enter this rule with an explicit
!--- line number (the number goes right after the interface pair)
!--- to insert it ahead of the catch-all.


ASA(config)#object network OBJ_SPECIFIC_192-168-1-0
ASA(config-obj)#subnet 192.168.1.0 255.255.255.0
ASA(config-obj)#exit
ASA(config)#nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5


!--- The above statements are the equivalent of the nat/global
!--- combination (as shown below) in v7.0(x), v7.1(x), v7.2(x), v8.0(x),
!--- v8.1(x) and v8.2(x) ASA code:


nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 10.1.5.5



!--- Creates an object called OBJ_GENERIC_ALL.
!--- Any host IP not already matched by the rule above gets PAT
!--- to the outside interface IP of the ASA (10.1.5.1) for
!--- Internet-bound traffic.


ASA(config)#object network OBJ_GENERIC_ALL
ASA(config-obj)#subnet 0.0.0.0 0.0.0.0
ASA(config-obj)#exit
ASA(config)#nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface


!--- The above statements are the equivalent of the
!--- nat/global combination (as shown below) in v7.0(x),
!--- v7.1(x), v7.2(x), v8.0(x), v8.1(x) and v8.2(x) ASA code:


nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

ASA 8.3(1) Running Config
ASA Version 8.3(1)
!
hostname ASA
names
!

!--- Configure the outside interface.

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.5.1 255.255.255.0

!--- Configure the inside interface.

!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
!
boot system disk0:/asa831-k8.bin
!
!
object network OBJ_SPECIFIC_192-168-1-0 
 subnet 192.168.1.0 255.255.255.0
object network OBJ_GENERIC_ALL 
 subnet 0.0.0.0 0.0.0.0
!
!--- Manual NAT is first-match: the specific rule must precede the catch-all.
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
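Because manual NAT rules are evaluated in configuration order, the relative order of the two "source dynamic" rules decides which mapped address 192.168.1.0/24 gets. The script below is an added example, not Cisco code: it parses the object and nat lines from the running config above (reproduced inline so it runs offline), applies first-match evaluation to a source address, and compares three orderings: catch-all first, specific first, and the catch-all first with the specific rule re-entered using an explicit line number. The parser handles only the subset of syntax used on this page; the outside interface address 10.1.5.1 is taken from the config's interface section.

```python
"""First-match evaluation of ASA 8.3 manual ("twice") NAT rules.

Added example, not Cisco code. The three config strings are the object
and nat lines from the running config on this page, in different orders,
embedded so the script runs offline. Only the syntax used on this page
is parsed.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF_IP = ipaddress.ip_address("10.1.5.1")   # from the interface section

# Catch-all rule entered first: it starves the specific rule.
CATCH_ALL_FIRST = """
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5
"""

# Specific rule entered first: the intended behaviour.
SPECIFIC_FIRST = """
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
"""

# Same result from the wrong starting point: the specific rule is entered
# after the catch-all but with line number 1, which inserts it at the top.
INSERTED_AT_LINE_1 = """
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) 1 source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5
"""

@dataclass(frozen=True)
class DynamicNatRule:
    obj: str
    source: ipaddress.IPv4Network
    mapped: str          # "interface" or a mapped IP address

def parse_rules(config: str) -> list:
    """Build the ordered section-1 rule list from object/nat lines."""
    objects, rules, current = {}, [], None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"]:
            current = parts[2]
        elif parts[0] == "subnet" and current:
            objects[current] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif parts[0] == "nat" and "source" in parts and "dynamic" in parts:
            # An optional line number sits right after the interface pair;
            # without one the rule is appended.
            position = int(parts[2]) - 1 if parts[2].isdigit() else len(rules)
            i = parts.index("dynamic")
            obj, mapped = parts[i + 1], parts[i + 2]
            rules.insert(position, DynamicNatRule(obj, objects[obj], mapped))
    return rules

def translate(src: str, rules: list, outside_if_ip=OUTSIDE_IF_IP):
    """Return (matching object, mapped address) for the first rule hit."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in r.source:
            mapped = outside_if_ip if r.mapped == "interface" else ipaddress.ip_address(r.mapped)
            return r.obj, str(mapped)
    return None, None     # no rule matched: traffic leaves untranslated

if __name__ == "__main__":
    cases = (("catch-all first", CATCH_ALL_FIRST), ("specific first", SPECIFIC_FIRST),
             ("inserted at line 1", INSERTED_AT_LINE_1))
    for name, cfg in cases:
        rules = parse_rules(cfg)
        for host in ("192.168.1.10", "192.168.0.10"):
            print(f"{name:20} {host:14} -> {translate(host, rules)}")
```

With the catch-all first, 192.168.1.10 is translated to 10.1.5.1 and the 10.1.5.5 rule is never hit; in the other two orderings it gets 10.1.5.5 while 192.168.0.10 still gets the interface address. On a real ASA, "show nat" prints the rules in evaluation order with hit counts, which is the quickest way to spot a starved rule.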

Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}

NAT and global commands

Basically there is no more global command, and the configuration now relies much more heavily on network objects (object network ...), with the NAT statement either attached to the object or written as a separate "twice NAT" rule.

If you are port forwarding (static PAT), DNS rewrite (the dns keyword) is no longer available on that rule.

nat 0 (NAT exemption, "no nat") no longer exists; its replacement is an identity NAT rule, shown under "No NAT" below.

OLD – Regular PAT – 1 External IP to many internal IP addresses

nat (inside) 1 0 0
global (outside) 1 interface

NEW – Regular PAT – 1 External IP to many internal IP addresses

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

OLD – Static PAT (Port Forwarding)

access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255

NEW – Static PAT (Port Forwarding)

object network obj-10.254.254.5
host 10.254.254.5
nat (inside,outside) static interface service tcp www www
object network obj-10.254.254.5-01
host 10.254.254.5
nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.254.254.5-02
host 10.254.254.5
nat (inside,outside) static interface service tcp 3389 3389
access-list inbound extended permit tcp any object obj-10.254.254.5 eq smtp
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq 3389

A network object can carry only one nat statement, which is why the same host is defined three times (one object per forwarded port). The access list names the real host, so a single object is enough there.

OLD – No NAT (seen mainly – but not always – on VPN traffic)

nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0

NEW – No NAT

object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0
object network obj-172.16.254.0
subnet 172.16.254.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0

Access Lists

For as long as I can remember, when you permitted access to an IP address on a PIX/ASA the access list named its translated (mapped) address. From 8.3 it does not: the access list names the real, pre-translation address, because the ASA now untranslates inbound traffic before evaluating the interface access list. An old-style ACL that still names the mapped address simply stops matching after the upgrade.

OLD Access List and Static NAT

access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) 123.123.123.123 10.254.254.5 netmask 255.255.255.255

NEW Access List and Static NAT

access-list inbound extended permit tcp any host 10.254.254.5 eq www
access-group inbound in interface outside
object network obj-10.254.254.5
host 10.254.254.5
nat (inside,outside) static 123.123.123.123

Cisco ASA Port-Forward

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

!--- This access list allows any host to reach IP address
!--- 192.168.200.227 on the Simple Mail Transfer Protocol (SMTP)
!--- port. This is pre-8.3 syntax: the ACL names the mapped
!--- address. On 8.3 and later it would name the real address,
!--- 172.16.31.10.

access-list outside_int extended permit tcp any host 192.168.200.227 eq smtp

!--- Allows outgoing SMTP connections.
!--- This access list allows host 172.16.31.10 to reach the
!--- SMTP port on any host.

access-list dmz_int extended permit tcp host 172.16.31.10 any eq smtp

!--- This network static does not use address translation.
!--- Inside hosts appear on the DMZ with their own addresses.

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

!--- This network static uses address translation.
!--- Hosts accessing the mail server from the outside
!--- use the 192.168.200.227 address.

static (dmz,outside) 192.168.200.227 172.16.31.10 netmask 255.255.255.255

access-group outside_int in interface outside
access-group dmz_int in interface dmz

!--- The inspect esmtp command (included in the default global
!--- policy map) enables application inspection of SMTP/ESMTP,
!--- which limits the session to the ESMTP commands the
!--- inspection allows.

policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

Linux Show Version installed

To show the Linux version installed on different servers:

uname -a
or
cat /proc/version

When we telnet to any of the Linux servers or machines, the version shows very clearly in the login banner, like:

Red Hat Enterprise Linux ES release 3 (Taroon Update 6)
Kernel 2.4.21-37.ELsmp on an i686

That banner comes from /etc/issue.net and tells anyone who connects the exact kernel build, so trim it on exposed hosts, and use ssh rather than telnet, which sends the login in the clear.

On Ubuntu (uname -a):

Linux mediapc 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 09:00:03 UTC 2010 i686 GNU/Linux