How To: Setup Cisco EtherChannel with ESX Server

In this blog, I will go through how to set up a Port-Channel (EtherChannel) on a Cisco Catalyst 3750G switch and make that port-channel work properly with ESXi Server version 5.5. In my environment it took much, much longer to get this running because I had to completely re-architect my network to work this way. But if you’re building an environment from scratch, this should be pretty easy to do.

I’ve verified that this config will also work with other Catalyst switches (2960, 3500, 3700, 4500 and 6500 series). This configuration will NOT work with Cisco Nexus switches, because Nexus switches use different command-line syntax than their Catalyst cousins.

So, let’s get going here.

I’m going to start by configuring a Port-Channel on my Catalyst switch.

interface Port-channel2
description Port Channel interface to DL380 Server
switchport trunk encapsulation dot1q
switchport mode trunk


After you create the port-channel, you need to add switch ports to it. Below, I add 8 ports to this port-channel.

interface GigabitEthernet4/0/11
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/12
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/14
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/15
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/21
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/22
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/23
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/24
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on


From here I need to mirror the same VLANs that the ESXi server will have on it. So let’s create 5 VLANs to start; we can add more at any time.

interface Vlan1
no ip address
!
interface Vlan10
description Outside zone between pfSense and ASA
no ip address
 
interface Vlan20
description Inside network
ip address 192.168.1.2 255.255.255.0

interface Vlan30
description Front DMZ for direct connections from the Internet
no ip address

interface Vlan40
description Back DMZ -- Teired DMZ for server systems
no ip address

interface Vlan50
description Wireless network
no ip address


Now that the Cisco Catalyst switch is configured, let’s log into ESXi vSphere Client and configure the server to communicate with our switch.


I actually just bought a new quad port network adapter off of eBay just for this project. So after I installed it in my HP DL 380 G6 Server, I went in to verify that the card worked. And from this screenshot, it looks like it is working just fine.

[screenshot: esxi-1]


Now go over to the “Networking” section. You can see I already have multiple vSwitches defined for the other 4-port network card that was already installed in the server. My plan is for all eight of my network adapters to be part of one port-channel. This maximizes throughput and bandwidth to and from the server and provides a reliable 8-way path to my core switch. The only downside is that my core switch is now the single point of failure on the network. If you’re going to do this in your environment, I recommend having an identical switch and a full backup of your primary switch’s configuration so that you can swap it in if the primary fails.

[screenshot: esxi-2]


From here, click on “Add Networking…”

[screenshot: esxi-3]


You need to select “VMkernel” here. You’ll use the “Virtual Machine” connection type later. For now, choose VMkernel, then click “Next”:

[screenshot: esxi-4]


Select the network adapters you want to participate in the port channel, then click “Next”:

[screenshot: esxi-5]


Since this is a Port-Channel (EtherChannel), you want it to trunk all of your VLANs from the Cisco Catalyst switch to your ESXi server. Keep it simple: name this “Port-Channel”, allow all VLANs to traverse the link, then click “Next”:

[screenshot: esxi-6]


You’ll want to enable management on this, so give it an IP address on your Internal network. Please, for the love of all that is right and just, do NOT open up management access to the Internet or any of your DMZs!

[screenshot: esxi-7]


Verify your settings on the “Summary” screen, then click “Finish” to continue.

[screenshot: esxi-8]


After you create your switch, you’ll see it appear in the “Networking” screen of your vSphere client. You’ll see that I haven’t attached network cables yet, which is why all my adapters are showing as “Down” with the red “X” next to each physical adapter.

Go ahead and click on “Properties…” to continue.

[screenshot: esxi-9]


Make sure your vSwitch is highlighted in the left column, then click, “Edit…”

[screenshot: esxi-10]


In the vSwitch Properties window, make sure the load balancing policy is set to “Route based on IP Hash”, then click OK.

[screenshot: esxi-11]


Now you can add in all your VLANs that will live on this vSwitch. So click on “Add Networking…” to continue:

[screenshot: esxi-3]


Here is where you’re going to use the “Virtual Machine” connection type. Click Next to continue.

[screenshot: esxi-12]


We’re going to bind this VLAN to the new switch we created. So select the vSwitch you created earlier in this process, then click “Next” to continue.

[screenshot: esxi-13]


Here, I will create a Business-to-Business VLAN and tag all traffic in this VLAN with VLAN ID 75. Then click “Next” to continue.

[screenshot: esxi-14]


Verify your changes in the “Summary” screen, then click “Finish” to continue.

[screenshot: esxi-15]


After you create all of your VLANs and add your virtual machines to each network you desire, your end result will look like this:

[screenshot: esxi-16]



If you have any questions, please feel free to contact me at any time!


Setting up Etherchannel between Cisco ASA and Cisco Switch

I’ve recently had the need to re-architect my network in order to gain more functionality, scalability and security. I’ve written in past blogs on how important it is to have network security built into your network, and how important it is to have a properly segmented network. Here I’m going to show you how easy that is to do, and show you why every business should be doing this to some extent.

So let’s get going here. First off, if you have an ASA that is already in production, you’re going to have to schedule some downtime. To set up EtherChannel on the ASA, the member ports must have no configuration on them. In my case, I’m setting up a four-port EtherChannel, so I need all four ports wiped clean.

erdmanor-5510# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
erdmanor-5510#
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.1.2     YES manual up                    up  
erdmanor-5510#


Now that we have a clean configuration, let’s setup the port-channel.

erdmanor-5510(config)# int port-channel 1
erdmanor-5510(config-if)#
erdmanor-5510(config-if)# no nameif
erdmanor-5510(config-if)# no security-level
erdmanor-5510(config-if)# no ip address
erdmanor-5510(config-if)#


Now that the port-channel is created, we need to assign which interfaces will take part in it.

erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int Ethernet0/0
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/0.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/1        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/1.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/2        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/2.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)# int Ethernet0/3        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/3.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)#


Now we need to get our switch configured. We’ll be doing basically the same thing on the switch that we just did on the ASA. You’ll notice the syntax on the ASA is a bit different from the switch, but Cisco came close on the two.

Let’s start with creating our port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int port-channel 1
Erdmanor3750G(config-if)#    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switch mode trunk
Erdmanor3750G(config-if)#


Now we can get our Ethernet ports into the port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/1
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/2              
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA                
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/3        
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/4      
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA      
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#


Now that the port-channel is up and running, we need to establish which VLANs will traverse this link. The way Cisco ASAs handle VLANs is a bit different from the way Catalyst switches do, at least in terms of configuration. On a Cisco ASA, you create a sub-interface for every VLAN you want. For the Catalyst switch,

erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.10
erdmanor-5510(config-subif)# vlan 10
erdmanor-5510(config-subif)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 172.98.17.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.20                
erdmanor-5510(config-subif)# vlan 20                            
erdmanor-5510(config-subif)# nameif Inside                      
INFO: Security level for "Inside" set to 100 by default.
erdmanor-5510(config-subif)# ip address 192.168.100.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.30                
erdmanor-5510(config-subif)# vlan 30                              
erdmanor-5510(config-subif)# nameif FrontDMZ                      
INFO: Security level for "FrontDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.121.23.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.40                
erdmanor-5510(config-subif)# vlan 40                              
erdmanor-5510(config-subif)# nameif BackDMZ                      
INFO: Security level for "BackDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.156.183.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.50                
erdmanor-5510(config-subif)# vlan 50                              
erdmanor-5510(config-subif)# nameif Wireless                      
INFO: Security level for "Wireless" set to 0 by default.
erdmanor-5510(config-subif)# security-level 50
erdmanor-5510(config-subif)# ip address 172.21.49.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#



From here we just need to create some VLANs on the switch and then we can finalize the configuration on the ASA.

Erdmanor3750G#
Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#vlan 10
Erdmanor3750G(config-vlan)#no shut
%VLAN 10 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 20
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 30
Erdmanor3750G(config-vlan)#no shut
%VLAN 30 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 40
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 50
Erdmanor3750G(config-vlan)#no shut
%VLAN 40 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#interface vlan 10
Erdmanor3750G(config-if)#description Outside zone between pfSense and ASA
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 20                              
Erdmanor3750G(config-if)#description Inside network                      
Erdmanor3750G(config-if)#no shut                  
Erdmanor3750G(config-if)#exit                      
Erdmanor3750G(config)#interface vlan 30        
Erdmanor3750G(config-if)#description Front DMZ for direct connections from the Internet
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 40                                            
Erdmanor3750G(config-if)#description Back DMZ -- Teired DMZ for server systems
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 50                                    
Erdmanor3750G(config-if)#description Wireless network                
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#



So this is what my interface list looks like in the running config now:

interface Ethernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 channel-group 1 mode on
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif Outside
 security-level 0
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 security-level 0
 ip address 10.121.23.1 255.255.255.0
!
interface Port-channel1.40
 vlan 40
 nameif BackDMZ
 security-level 0
 ip address 10.156.183.1 255.255.255.0
!
interface Port-channel1.50
 vlan 50      
 nameif Wireless
 security-level 50
 ip address 172.21.49.1 255.255.255.0
!



And now a look at my switch port configuration:

!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/3
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/4
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
!
interface Vlan30
 description Front DMZ for direct connections from the Internet
 no ip address
!
interface Vlan40
 description Back DMZ -- Teired DMZ for server systems
 no ip address
!
interface Vlan50
 description Wireless network
 no ip address


Erdmanor3750G#
Erdmanor3750G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.3     YES manual up                    up      
Vlan10                 unassigned      YES unset  up                    up      
Vlan20                 unassigned      YES unset  up                    up      
Vlan30                 unassigned      YES unset  up                    up      
Vlan40                 unassigned      YES unset  up                    up  
GigabitEthernet4/0/1   unassigned      YES unset  up                    up      
GigabitEthernet4/0/2   unassigned      YES unset  up                    up      
GigabitEthernet4/0/3   unassigned      YES unset  up                    up      
GigabitEthernet4/0/4   unassigned      YES unset  up                    up      
...  
Port-channel1          unassigned      YES unset  up                    up
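
As an added check (my own Python, not from the post or from Cisco), the script below parses running-config excerpts like the ones above and verifies the two things both halves of this setup depend on: that every member of a static 'mode on' channel group has the same switchport settings as its Port-channel interface, and that every VLAN the ASA tags on the trunk also exists on the switch (the same mirroring the ESXi section asks for). The config text is constructed to resemble the post's, with one mismatched member port and one missing VLAN inserted on purpose.

```python
import re

# Constructed config excerpts modelled on the running configs shown in the post.
# Gi4/0/2 deliberately carries a mismatch and VLAN 30 is deliberately absent from
# the switch so that both checks have something to report.
CATALYST_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 switchport trunk encapsulation dot1q
 switchport mode access
 channel-group 1 mode on
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
"""

ASA_CONFIG = """\
interface Port-channel1.10
 vlan 10
 nameif Outside
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 ip address 10.121.23.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS/ASA-style config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line closes the block
    return blocks

def member_ports(blocks, group):
    """{port: mode} for every interface placed in channel group <group>."""
    pat = re.compile(rf"^channel-group {group} mode (\S+)$")
    return {name: m.group(1) for name, cmds in blocks.items()
            for cmd in cmds if (m := pat.match(cmd))}

def check_member_consistency(blocks, group):
    """A static (mode on) EtherChannel only bundles member ports whose switchport
    settings match each other and the Port-channel interface; the switch suspends
    a member that differs.  Returns a list of findings (empty means consistent)."""
    findings = []
    want = {c for c in blocks.get(f"Port-channel{group}", []) if c.startswith("switchport")}
    for port, mode in member_ports(blocks, group).items():
        have = {c for c in blocks[port] if c.startswith("switchport")}
        if have != want:
            findings.append(f"{port}: switchport settings differ from Port-channel{group}: "
                            f"{sorted(have ^ want)}")
        if mode != "on":
            findings.append(f"{port}: channel-group mode '{mode}', expected 'on' for a static bundle")
    return findings

def asa_subinterface_vlans(blocks):
    """{vlan id: nameif} for every ASA sub-interface that carries a 'vlan N' line."""
    out = {}
    for name, cmds in blocks.items():
        vlan = next((int(c.split()[1]) for c in cmds if c.startswith("vlan ")), None)
        if vlan is not None:
            out[vlan] = next((c.split()[1] for c in cmds if c.startswith("nameif ")), name)
    return out

def switch_vlans(blocks):
    """VLAN ids the switch defines, using the post's convention of one SVI per VLAN."""
    return {int(m.group(1)) for name in blocks if (m := re.match(r"Vlan(\d+)$", name))}

def check_vlan_mirroring(asa_blocks, switch_blocks):
    """VLANs the ASA tags on the trunk that the switch does not define: the ASA
    sub-interface comes up, but the switch has nowhere to forward those frames."""
    present = switch_vlans(switch_blocks)
    return {v: n for v, n in asa_subinterface_vlans(asa_blocks).items() if v not in present}
```

Run check_member_consistency(parse_interfaces(CATALYST_CONFIG), 1) and check_vlan_mirroring(parse_interfaces(ASA_CONFIG), parse_interfaces(CATALYST_CONFIG)) against your own 'sh run' output to get the same two reports.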



Fantastic. Let’s check to see that the ASA is showing the port-channel working.

erdmanor-5510# sh port-channel detail
        Channel-group listing:
        -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
        Ports in the group:
        -------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/3
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

erdmanor-5510# sh port-channel sum    
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(P)   Et0/3(P)  
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.86.2    YES manual up                    up  
Port-channel1              unassigned      YES unset  up                    up  
Port-channel1.10           172.98.17.1     YES manual up                    up  
Port-channel1.20           192.168.100.1   YES manual up                    up  
Port-channel1.30           10.121.23.1     YES manual up                    up  
Port-channel1.40           10.156.183.1    YES manual up                    up  
Port-channel1.50           172.21.49.1     YES manual up                    up  
erdmanor-5510#



And now to check the port channel on the Catalyst switch:

Erdmanor3750G#sh etherchannel detail
        Channel-group listing:
        ----------------------

Group: 1
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
        Ports in the group:
        -------------------
Port: Gi4/0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:45s

Port: Gi4/0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:16s

Port: Gi4/0/3
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:04s

Port: Gi4/0/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:23m:53s

        Port-channels in the group:
        ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:33m:13s
Logical slot/port   = 10/1          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi4/0/1  On                 0
  0     00     Gi4/0/2  On                 0
  0     00     Gi4/0/3  On                 0
  0     00     Gi4/0/4  On                 0

Time since last port bundled:    0d:00h:23m:53s    Gi4/0/4

Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#sh etherchannel sum  
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)  
                                 Gi4/0/4(P)  

Erdmanor3750G#



Now, moving forward, please remember that you MUST specify the VLAN each switch port will be in, otherwise you’re going to have communication issues. Catalyst switches do NOT auto-sense what VLAN your port is in. So you need to specify the VLAN on both the Cisco ASA and the switch, like this:

Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#
Erdmanor3750G(config)#vlan 60
Erdmanor3750G(config-vlan)#no shut
%VLAN 60 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#interface Vlan60
Erdmanor3750G(config-if)#description ATT Outside Public 108.227.33.120/28 Network
Erdmanor3750G(config-if)#no ip address
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#int GigabitEthernet4/0/19
Erdmanor3750G(config-if)#switchport access vlan 60
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#


Now create the VLAN (sub-interface) on the ASA, like this:

erdmanor-5510# conf t
erdmanor-5510(config)# interface Port-channel1.60
erdmanor-5510(config-subif)# vlan 60
erdmanor-5510(config-subif)# nameif ATTOutside
INFO: Security level for "ATTOutside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 108.227.33.121 255.255.255.248
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)# exit
erdmanor-5510#


Now that we have the VLANs and port-channel created, we need to ensure that our firewall rulebase is set up properly.

NOTE: I am just showing you how to set this up. It is up to YOU to be a smart network admin and lock down these VLANs with the proper rules!!!

From here, create your basic ACLs and lock them down tightly. Make sure that you tie each access-list to an interface too! I personally like to write all my ACLs from the point of view of the requester or client machine on a network. So I write the ACL like you’re going into a garden hose: the garden hose is the interface that traffic will be going to. Basically, you’re writing the rules so that they are enforced as close to the end point as possible.

erdmanor-5510(config)# access-list backdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list frontdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list inside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list outside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list wireless-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)#
erdmanor-5510(config)# access-group outside-traffic-in in interface Outside
erdmanor-5510(config)# access-group inside-traffic-in in interface Inside
erdmanor-5510(config)# access-group frontdmz-traffic-in in interface FrontDMZ
erdmanor-5510(config)# access-group backdmz-traffic-in in interface BackDMZ
erdmanor-5510(config)# access-group wireless-traffic-in in interface Wireless
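
The placeholder ACLs above permit everything, which is exactly what the NOTE warns about. As an added example (my own Python, not part of the post), this audits an ASA rulebase the way a reviewer would: it flags any bound ACL that permits ip any to any, any access-group that names an undefined ACL, and any nameif with no inbound ACL at all. The config lines are constructed from the post's ACL and interface names, with a tightened Wireless ACL added for contrast.

```python
import re

# Constructed ASA lines modelled on the post's rulebase: three placeholder
# 'permit ip any4 any4' ACLs, plus one constructed Wireless ACL written the
# way the post asks for (specific permits, then an explicit logged deny).
ASA_RULES = """\
access-list inside-traffic-in extended permit ip any4 any4 log
access-list frontdmz-traffic-in extended permit ip any4 any4 log
access-list backdmz-traffic-in extended permit ip any4 any4 log
access-list wireless-traffic-in extended permit tcp 172.21.49.0 255.255.255.0 any4 eq 443
access-list wireless-traffic-in extended deny ip any4 any4 log
access-group inside-traffic-in in interface Inside
access-group frontdmz-traffic-in in interface FrontDMZ
access-group backdmz-traffic-in in interface BackDMZ
access-group wireless-traffic-in in interface Wireless
"""

# nameifs from the post's sub-interfaces; Outside is left without an access-group on purpose
NAMEIFS = ["Outside", "Inside", "FrontDMZ", "BackDMZ", "Wireless"]

ACL_RE = re.compile(r"^access-list (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
ANY_ANY_RE = re.compile(r"^extended permit ip (?:any|any4|any6) (?:any|any4|any6)(?:\s|$)")

def parse_acls(text):
    """{acl name: [rule text, in order]} from the access-list lines."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls

def parse_bindings(text):
    """[(acl, direction, nameif)] from the access-group lines."""
    return [m.groups() for line in text.splitlines() if (m := GROUP_RE.match(line.strip()))]

def audit_rulebase(text, nameifs):
    """Per-interface findings: any-to-any permits in a bound ACL, ACLs bound but
    never defined, and interfaces with no inbound ACL at all (on those, only the
    security-level default applies: higher-to-lower allowed, lower-to-higher denied)."""
    acls, findings, bound_in = parse_acls(text), {n: [] for n in nameifs}, set()
    for acl, direction, nameif in parse_bindings(text):
        report = findings.setdefault(nameif, [])
        if direction == "in":
            bound_in.add(nameif)
        if acl not in acls:
            report.append(f"{acl} is bound {direction} but never defined")
            continue
        for lineno, rule in enumerate(acls[acl], 1):
            if ANY_ANY_RE.match(rule):
                report.append(f"{acl} line {lineno} permits ip any to any ({direction})")
    for nameif in nameifs:
        if nameif not in bound_in:
            findings[nameif].append("no inbound ACL bound; security-level default applies")
    return findings
```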


Now we’re all done! Please contact me with any questions or concerns (or if you found that I screwed this up at all!). Thanks for reading!






Setting up a Cisco Switch from Scratch

This blog is probably going to be pretty “no-duh” for most people. But I’ve had questions over the years on how to set up a switch from scratch and how to enable remote management on it. So, I wiped my switch config and started over. After reloading the switch I was brought to the “Initial Configuration Dialog”. You can choose to go through that or not. The initial config is basically just setting up an IP address for management, a username, and the “enable” password. You can see below what the init dialog looks like.

(screenshot: init-config)

From there, you’ll have just a few more things to do to get a base config up and running with remote access. We need to specify the domain name, generate the RSA key pair, restrict SSH to version 2, and then set up the VTY lines. Let’s get that done here:

Erdmanor3750G#  conf t
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  ip domain-name erdmanor.com
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  crypto key generate rsa general-keys modulus 2048
The name for the keys will be: Erdmanor3750G.erdmanor.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys... [OK]
00:15:32 %SSH-5-ENABLED: SSH 1.99 has been enabled

Erdmanor3750G(config)#  
Erdmanor3750G(config)#  ip ssh version 2
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  line vty 0 15
Erdmanor3750G(config-line)#  
Erdmanor3750G(config-line)#  transport input ssh
Erdmanor3750G(config-line)#  login local
Erdmanor3750G(config-line)#  exit
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  username steve privilege 15 password MyP@ssW0rd
Erdmanor3750G(config)#  
Erdmanor3750G(config)#  service password-encryption
Erdmanor3750G(config)#


Now we can go back to our Linux box and log in from the command line.

steve @ debianvm ~ :) ##   ssh 3
The authenticity of host '192.168.86.3 (192.168.86.3)' can't be established.
RSA key fingerprint is 11:4e:b6:34:72:23:9a:0f:03:28:f0:e2:c9:b7:cc:20.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.86.3' (RSA) to the list of known hosts.
steve@192.168.86.3's password:
Erdmanor3750G#
Erdmanor3750G#exit
Connection to 192.168.86.3 closed.
steve @ debianvm ~ :) ##
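As an added check that is not part of the original post (and not Cisco tooling), the following Python script audits a saved running-config against the baseline just configured: SSH pinned to version 2, every VTY line accepting SSH only with local (or AAA) login, and local users stored with `secret` rather than `password`. The two sample configs are constructed, not pulled from a real switch, and the hash in the hardened one is a placeholder. The reason the script flags `password` is that the type 7 encoding applied by `service password-encryption` is reversible, whereas `secret` stores a one-way hash.

```python
import re

# Constructed sample: follows the post's steps, but the local user still uses
# 'password' (shown as type 7 once service password-encryption is active).
SAMPLE_CONFIG = """\
hostname Erdmanor3750G
ip domain-name erdmanor.com
username steve privilege 15 password 7 0822455D0A16
service password-encryption
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
"""

# Constructed hardened variant: same baseline, user stored as a one-way 'secret'
# (the hash value is a placeholder, not a real digest).
HARDENED_CONFIG = """\
hostname Erdmanor3750G
ip domain-name erdmanor.com
username steve privilege 15 secret 5 $1$cnst$placeholderhash
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
"""


def parse_line_blocks(config):
    """Return {'line vty 0 15': [subcommands...]} for each indented 'line' section."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]

    # SSHv1 is obsolete; the post pins the switch to version 2 explicitly.
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 is missing")

    # 'password' stores type 0 or type 7, both recoverable; 'secret' stores a hash.
    for user_line in (l for l in lines if l.startswith("username ")):
        if re.search(r"\bpassword\b", user_line) and not re.search(r"\bsecret\b", user_line):
            findings.append(f"reversible password on user '{user_line.split()[1]}' (use 'secret')")

    vty_blocks = {h: b for h, b in parse_line_blocks(config).items() if h.startswith("line vty")}
    if not vty_blocks:
        findings.append("no 'line vty' section found")
    for header, cmds in vty_blocks.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # Anything other than exactly 'transport input ssh' leaves telnet (or all) open.
        if not transports or any(c != "transport input ssh" for c in transports):
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            findings.append(f"{header}: no 'login local' (or AAA login) configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "OK")
```

Run it against the output of `show running-config` saved to a file; the sample config above produces exactly one finding (the reversible user password), and the hardened variant produces none.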


Hope this was helpful!




Cisco AnyConnect on Cisco ASA 5500 running IOS 9.1.5

Cisco AnyConnect is a great VPN client because it runs over SSL/TLS and is very mature at this point. Because of that, and because I’ve had a lot of questions about it in the past month (from one of my clients), I decided to write a blog on how to implement Cisco AnyConnect on a Cisco ASA 5515 running IOS 9.1.5. While I’m using an ASA 5515, I have also tested this to work on my 5505 and 5510 test machines. So let’s get configuring!

We’ll start by downloading the software from Cisco. You’ll need Cisco IOS version 9.1.5, ASDM version 7.x, and AnyConnect version 2.5 or higher. To get this software legally, you’ll need a valid CCO ID (Cisco account) and a valid SmartNet or SmartCare contract on your ASA.

Once you’ve obtained the software, upload it to the ASA. If you don’t have a TFTP server, you’ll need one; for one that is simple to set up and use, check out my blog on setting up a Linux TFTP server.


Below, I am uploading the new IOS 9.1.5.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://192.168.1.10/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 39.670 secs (695217 bytes/sec)
erdmanor-5510#
erdmanor-5510# conf t
erdmanor-5510(config)# boot system disk0:/asa915-k8.bin
erdmanor-5510(config)# sh run boot
boot system disk0:/asa915-k8.bin
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: fdee857f 734e0f13 a5fda71e e6bc2320
9154 bytes copied in 3.250 secs (3051 bytes/sec)
[OK]
erdmanor-5510(config)#
erdmanor-5510(config)# exit
erdmanor-5510# reload
Proceed with reload? [confirm]
erdmanor-5510#

***
*** --- START GRACEFUL SHUTDOWN ---


Now let’s get the new ASDM uploaded along with our SSLVPN client.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asdm-743.bin

Destination filename [asdm-743.bin]?

Accessing tftp://192.168.1.10/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file disk0:/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
24810876 bytes copied in 34.30 secs (729731 bytes/sec)
erdmanor-5510# copy tftp flash

Address or name of remote host [192.168.1.10]?

Source filename [asdm-743.bin]? anyconnect-win-2.5.2014-k9.pkg

Destination filename [anyconnect-win-2.5.2014-k9.pkg]?

Accessing tftp://192.168.1.10/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4678691 bytes copied in 6.460 secs (779781 bytes/sec)

erdmanor-5510# dir

Directory of disk0:/

107    -rwx  27113472     13:27:06 Nov 03 2015  asa915-k8.bin
113    -rwx  24810876     13:40:12 Nov 03 2015  asdm-743.bin
115    -rwx  4678691      13:41:07 Nov 03 2015  anyconnect-win-2.5.2014-k9.pkg

62904320 bytes total (5550080 bytes free)
erdmanor-5510#


Great. Now that we have our software, let’s start setting up our environment.

When dealing with SSL, you need a certificate installed on the server in order to create a secure connection. For a company, you should get a real certificate from a real vendor like Verisign/Symantec, but for this instance I’m just going to set up a self-signed certificate. Keep in mind that self-signed certs are less secure and will prompt your end users with security warnings whenever they connect.

So let’s get a certificate set up for our ASA’s Outside interface, since that’s the interface our remote users connect to.

erdmanor-5510(config)#
erdmanor-5510(config)# crypto key generate rsa label ErdmanorSSLCert modulus 2048

Keypair generation process begin. Please wait...
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# crypto ca trustpoint ErdmanorSSLTrustpoint
erdmanor-5510(config-ca-trustpoint)# enrollment self
erdmanor-5510(config-ca-trustpoint)# fqdn sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# subject-name CN=sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# keypair ErdmanorSSLCert
erdmanor-5510(config-ca-trustpoint)# crypto ca enroll ErdmanorSSLTrustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: sslvpn.erdmanor.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
erdmanor-5510(config)#
erdmanor-5510(config)# ssl trust-point ErdmanorSSLTrustpoint Outside
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: 9be339e8 0522dd14 a192370f 5e9c6bf4

7969 bytes copied in 3.240 secs (2656 bytes/sec)
[OK]
erdmanor-5510(config)#


Now we need to configure WebVPN to work on our ASA, and allow it to present the AnyConnect VPN client to our connecting users.

erdmanor-5510(config)# webvpn
erdmanor-5510(config-webvpn)# enable Outside
INFO: WebVPN and DTLS are enabled on 'Outside'.
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg
erdmanor-5510(config-webvpn)# anyconnect enable
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: aa7a52ab 38eb7e98 3e15d522 856eae67

8069 bytes copied in 3.250 secs (2689 bytes/sec)
[OK]
erdmanor-5510(config)#


Before we go any further, you have to decide how you’re going to perform DHCP addressing for your VPN users. There are two primary options:
1. Host the DHCP pool on the ASA
2. Forward DHCP requests to a DHCP server (like a Windows Domain Controller)

For this case, I’ve opted to host the DHCP pool locally on the ASA. For a business environment, though, I would suggest forwarding these requests to your domain controller, especially if you’re running other Microsoft services such as Exchange, SCCM, SCOM and others. I’ll go over both methods, but I’m going to be using the local DHCP server.

erdmanor-5510(config)#
erdmanor-5510(config)# ip local pool AnyConnectIPPool 192.168.2.1-192.168.2.200 mask 255.255.255.0
erdmanor-5510(config)#


I will update this section of the DHCP forwarding at a later time. Please check back!
For now, here is what Cisco has on this: http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516



In the Microsoft world, Group Policies are a group of settings applied to Windows operating systems in a domain. For instance, if you wanted all the desktop backgrounds to be a picture of your company logo, you could roll that out via MS Group Policy.

In the same fashion, Cisco uses Group Policies to apply a set of parameters and settings to the clients that connect. Grouping the settings that apply to one connection type together is actually a pretty good idea. In this case, that connection type is Cisco’s AnyConnect users.

So, let’s get our Group Policy set up for our users. This policy will be extremely basic, but be aware that Cisco’s Group Policies can get very in-depth.

erdmanor-5510(config)#
erdmanor-5510(config)# group-policy AnyConnectPolicy Internal
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# dns-server value 192.168.1.5 192.168.1.6
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# vpn-tunnel-protocol ssl-client
erdmanor-5510(config-group-policy)# default-domain value erdmanor.com
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# address-pools value AnyConnectIPPool
erdmanor-5510(config-group-policy)#


The next thing we need to do is allow our SSL VPN users to bypass the Outside interface access list so they can reach the Internal network. Without this, you’d have to write entries on your Outside access list that specifically allow your VPN users to reach each network location, which turns into an administrative nightmare. The easiest approach is to let the VPN traffic bypass the Outside ACL and then manage access from the inside. It’s cleaner and causes fewer headaches.

erdmanor-5510(config)# sysopt connection permit-vpn


Now we need to create our AnyConnect connection profile. This profile is what users will see when they connect to the Outside interface of our ASA. To do this we create what Cisco calls a “tunnel-group”. This tunnel-group contains all of the connection profile settings that will be applied to any user successfully connecting with the AnyConnect client. As you go through this configuration, pay attention to which config mode you’re in. You’ll start in normal config and progress through “config-tunnel-general”, “config-tunnel-webvpn”, and “config-webvpn”. Make sure to type ? in each of those and check out the other commands available there.

erdmanor-5510(config)#
erdmanor-5510(config)# tunnel-group AnyConnectPolicy type remote-access
erdmanor-5510(config)# tunnel-group AnyConnectPolicy general-attributes
erdmanor-5510(config-tunnel-general)#
erdmanor-5510(config-tunnel-general)# default-group-policy AnyConnectPolicy
erdmanor-5510(config-tunnel-general)# tunnel-group AnyConnectPolicy webvpn-attributes
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# group-alias Erdmanor-VPN enable
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# webvpn
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# tunnel-group-list enable
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# exit
erdmanor-5510# wr
Building configuration...
Cryptochecksum: 52d129a7 a5d58820 28b2f420 29226a32

8622 bytes copied in 3.240 secs (2874 bytes/sec)
[OK]
erdmanor-5510#


Since we’re going to be using Split Tunneling for our VPN connection, we need to ensure that our VPN users get the proper routes so that when they try to access a resource on our corporate network, their computers send that traffic down the SSL VPN tunnel to our office or data center. We should also discuss what we mean by split tunneling. There are three options, as you can see below, and Cisco’s documentation has more information on split tunneling.

erdmanor-5510(config-group-policy)# split-tunnel-policy ?              

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list


To configure the network routes our end users will see, we’ll create an access list and then reference that ACL in the group-policy configuration. We’ll also specify that our tunnel is a split tunnel, and provide our internal domain name so DNS resolution works as well.

erdmanor-5510(config)#
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
erdmanor-5510(config)#                                                                                
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes    
erdmanor-5510(config-group-policy)# split-tunnel-policy tunnelspecified
erdmanor-5510(config-group-policy)# split-tunnel-network-list value split-tunnel-network-acl
erdmanor-5510(config-group-policy)# split-dns value erdmanor.com
erdmanor-5510(config-group-policy)# exit
erdmanor-5510(config)#
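To make the three `split-tunnel-policy` values concrete, here is an added Python example, not ASA code and not from the original post, that reads the ACL and group-policy lines configured above from a constructed config excerpt and decides, per destination, whether an AnyConnect client would send a packet through the tunnel. The `other-acl` line in the excerpt is a constructed distractor to show the parser only collects the named list. The point to take from it: under `tunnelspecified`, Internet-bound traffic (the 8.8.8.8 case) never crosses the ASA, so it is neither NATed nor inspected there; only `tunnelall` puts every client flow in front of the firewall.

```python
import ipaddress

# Constructed excerpt of the running-config built in the post (not a live device).
ASA_CONFIG = """\
access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
access-list other-acl standard permit 172.16.0.0 255.255.0.0
group-policy AnyConnectPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-network-acl
"""


def parse_standard_acl(config, acl_name):
    """Collect the permitted networks of a named standard ACL.

    Handles 'permit host A.B.C.D' and 'permit NETWORK MASK'; deny entries are
    ignored because a split-tunnel network list only uses permitted networks.
    """
    networks = []
    prefix = f"access-list {acl_name} standard permit "
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        fields = line[len(prefix):].split()
        if fields[0] == "host":
            networks.append(ipaddress.ip_network(f"{fields[1]}/32"))
        else:
            # ipaddress accepts dotted netmasks, e.g. 192.168.1.0/255.255.255.0
            networks.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}"))
    return networks


def split_tunnel_settings(config, policy_name):
    """Return (policy, acl_name) from a group-policy's indented attribute block."""
    policy, acl = None, None
    in_block = False
    for raw in config.splitlines():
        if raw.strip() == f"group-policy {policy_name} attributes":
            in_block = True
            continue
        if in_block and not raw.startswith(" "):
            in_block = False  # first non-indented line ends the block
        if in_block:
            parts = raw.split()
            if parts[:1] == ["split-tunnel-policy"]:
                policy = parts[1]
            elif parts[:2] == ["split-tunnel-network-list", "value"]:
                acl = parts[2]
    return policy, acl


def goes_through_tunnel(dst_ip, policy, networks):
    """Does a client under this policy send dst_ip down the VPN tunnel?"""
    listed = any(ipaddress.ip_address(dst_ip) in net for net in networks)
    if policy == "tunnelall":
        return True            # everything, Internet included, transits the ASA
    if policy == "tunnelspecified":
        return listed          # only the listed corporate networks
    if policy == "excludespecified":
        return not listed      # everything except the listed networks
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def classify(config, policy_name, dst_ip):
    """Read the group-policy from the config and decide for one destination."""
    policy, acl_name = split_tunnel_settings(config, policy_name)
    return goes_through_tunnel(dst_ip, policy, parse_standard_acl(config, acl_name))


if __name__ == "__main__":
    for dst in ("192.168.1.5", "10.10.10.7", "8.8.8.8"):
        print(dst, "tunnel" if classify(ASA_CONFIG, "AnyConnectPolicy", dst) else "direct")
```

Swapping `tunnelspecified` for `excludespecified` in the excerpt inverts the result for every destination, which is a quick way to sanity-check an ACL before pushing it to the group-policy.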


Now we need to fix up the NAT configuration to ensure that our users are able to communicate with the rest of the network as well as get Internet access. To enable that, we’re going to create two NAT statements. The first is a dynamic NAT that translates connections from the VPN users and allows them Internet access. Remember that for this to work, you still need an ACL to allow the access to specific locations. Also, since we are allowing split tunneling, we technically don’t need to allow them Internet access here, but I’m covering it anyway in case you need to tunnel all traffic from your end users back to your internal network for security reasons.

First let’s get our dynamic NAT created. Since our internal network is on 192.168.1.0/24, we put our VPN users on 192.168.2.0/24. So here we’ll create an object-group for our VPN users and then create our dynamic NAT.

erdmanor-5510(config)#
erdmanor-5510(config)# object-group network VPN-Users                        
erdmanor-5510(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
erdmanor-5510(config)# nat (Outside,Outside) source dynamic VPN-Users interface
erdmanor-5510(config)#


Now let’s get our static NAT configured. This one is what Cisco refers to as an “Identity NAT”. According to Cisco, “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”

So based on this information, we know that we need an Identity NAT. So let’s get that going.

erdmanor-5510(config)#
erdmanor-5510(config)# nat (Inside,Outside) source static Internal-Network Internal-Network destination static VPN-Users VPN-Users no-proxy-arp route-lookup
erdmanor-5510(config)#


Also, let’s say that we have a Site-to-Site VPN tunnel to our sister data center, or a partner company, which our end users will need access to. While we’re talking about NATs, let’s walk through NATing this traffic as well.

We’ll assume that the S2S VPN is already up and running; let’s say it’s to the Amazon Cloud (AWS). Since this is already set up, we just need to allow our users access to it. Remember, you’ll still need ACLs to allow the traffic; this is just ensuring that NAT is set up properly. Here, we’re assuming we already have an object-group named “AWS-Network”. The NAT is nearly the same as before, but the difference is that this is what Cisco refers to as a Hairpin NAT. For this to work properly, you’ll need to enable “intra-interface” traffic. “Inter-interface” traffic is between different interfaces, while “intra-interface” allows communication into and back out of the SAME interface. See here:

erdmanor-5510(config)# same-security-traffic permit ?              

configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
erdmanor-5510(config)#


So let’s get this Hairpin NAT started. First you’ll notice that the interface pair is the same (Outside,Outside). Remember, AnyConnect users are coming in on the “Outside” interface, and they’re communicating across a VPN tunnel that is also connected to the “Outside” interface.

erdmanor-5510(config)#
erdmanor-5510(config)# same-security-traffic permit intra-interface
erdmanor-5510(config)# nat (Outside,Outside) source static VPN-Users VPN-Users destination static AWS-Network AWS-Network no-proxy-arp route-lookup
erdmanor-5510(config)#


Okay moving right along here! Now we’ll create a user account and test logging into our system.

erdmanor-5510(config)#
erdmanor-5510(config)# username vpnsteve password NotMyP@ssw0rd
erdmanor-5510(config)# username vpnsteve attributes        
erdmanor-5510(config-username)# service-type remote-access
erdmanor-5510(config-username)# exit
erdmanor-5510(config)#


I’ll have to get this thing actually setup on the Internet so that I can connect to it, but I know the configuration works from here. I’ve set this up a few times this month alone for clients, so I’m confident in it running properly for you as well. When I can, I’ll get some screenshots posted here to show it works.

Thanks for reading!




http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30.pdf
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24/ac03features.html#wp1064149
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
http://www.databasemart.com/HowTo/Cisco_VPN_Remote_Access_Setup_ASA5500.aspx
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#25608
http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/dhcp.html
http://www.petenetlive.com/KB/Article/0001050.htm
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
http://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-asa-remote-access-setup/


Cisco Fun

So, I decided to go back to school (after 3 or so semesters off) and take some fun classes. Last time I went I was stuck in some shit Liberal Arts classes. I won’t bore you with that. So this semester I’m taking Red Hat Admin 1, which I’m flying through at an obscene rate, and Cisco Security 1. Now, when I started college back in fall of 2002, I started with CCNA classes. I loved them; took 8 semesters of Cisco CCNA and CCNP courses. So it’s been a while, but I figured I should take some new Cisco classes.

Well, it’s been great so far. Tonight, in my home lab I hooked up my 2600 routers and did some labs on password resets (easy, but good to know), and I also hooked up my 2 Cisco PIX 515’s and learned how to do a password reset on those too.

Now I learned that both of my PIX firewalls are still running 5.3 software… these things are from the stone age!!!

My quest also included some client work. They have an ASA 5510. While working on that, I thought I’d update my 5505. It’s been a while, so I went through and reconfigured a bunch of stuff. In the process I figured out it only supports 3 VLANs: 2 of those are for the Inside and Outside networks and the third is a DMZ-type VLAN that isn’t allowed to initiate communications to any other VLAN. Come on Cisco, this is ridiculous. I need something with a serious amount more horsepower and abilities.

The ASA 5505 is probably great for some people, but not me. Anyone out there interested in buying this thing? It’s a couple years old but I have the 8.4 software on it and am willing to sell it at a good price!
