How To: Setup Cisco EtherChannel with ESX Server

In this blog post, I will go through how to set up a Port-Channel on a Cisco Catalyst 3750G switch, and how to make that port-channel (EtherChannel) work properly with ESXi Server version 5.5. In my environment it took much, much longer to get this running, because I had to completely re-architect my network to function this way. But if you’re building an environment from scratch, this should be pretty easy to do.

I’ve verified that this config will also work with other Catalyst switches (2960, 3500, 3700, 4500, and 6500 series). This configuration will NOT work with Cisco Nexus switches, because the Nexus command-line syntax is different from that of its Catalyst cousins.

So, let’s get going here.

I’m going to start by configuring a Port-Channel on my Catalyst switch.

interface Port-channel2
description Port Channel interface to DL380 Server
switchport trunk encapsulation dot1q
switchport mode trunk


After you create your port channel, you need to add switch ports to it. Below, I add 8 ports to this port-channel.

interface GigabitEthernet4/0/11
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/12
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/14
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/15
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/21
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/22
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/23
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/24
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on


From here I need to mirror the same VLANs that the ESXi server will have on it. So, let’s create 5 VLANs to start. We can add more at any time.

interface Vlan1
no ip address
!
interface Vlan10
description Outside zone between pfSense and ASA
no ip address
 
interface Vlan20
description Inside network
ip address 192.168.1.2 255.255.255.0

interface Vlan30
description Front DMZ for direct connections from the Internet
no ip address

interface Vlan40
description Back DMZ -- Teired DMZ for server systems
no ip address

interface Vlan50
description Wireless network
no ip address
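
Every member port of a channel-group has to carry exactly the same switchport settings as the Port-channel itself, or IOS suspends that member, and with a standard vSwitch the group must use `mode on`. The following script is an added example, not part of the original post: it parses an IOS-style config (the sample is constructed from the config above with two deliberate faults) and reports any member that does not match its bundle.

```python
"""Added example (not from the original post): check that every member of a
Catalyst channel-group carries the same switchport settings as its
Port-channel interface, and that the bundle uses 'mode on', which a standard
vSwitch in ESXi 5.5 requires (it does not speak LACP/PAgP).  A port whose
switchport config differs from the bundle is suspended by IOS, so this is
the first thing to check when one leg of the EtherChannel stays down."""
import re
from collections import defaultdict

# Constructed sample, modelled on the post's config, with two deliberate
# faults: Gi4/0/12 is missing 'switchport mode trunk' and Gi4/0/14 uses
# 'mode active' instead of 'mode on'.
SAMPLE_CONFIG = """\
interface Port-channel2
 description Port Channel interface to DL380 Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/11
 description Port-Channel group to DL-380 ESXi Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet4/0/12
 description Port-Channel group to DL-380 ESXi Server
 switchport trunk encapsulation dot1q
 channel-group 2 mode on
!
interface GigabitEthernet4/0/14
 description Port-Channel group to DL-380 ESXi Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
"""

CHANNEL_GROUP = re.compile(r"channel-group (\d+) mode (\S+)")


def parse_interfaces(config):
    """Split IOS-style config into {interface name: [stripped config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None          # '!' or a blank line ends the block
        elif current is not None:
            blocks[current].append(line)
    return blocks


def switchport_settings(lines):
    """Only the 'switchport ...' lines must agree across a bundle."""
    return frozenset(l for l in lines if l.startswith("switchport "))


def check_channel_groups(config):
    """Return a list of human-readable findings; empty means consistent."""
    blocks = parse_interfaces(config)
    members = defaultdict(dict)        # group number -> {port: mode}
    for name, lines in blocks.items():
        for line in lines:
            m = CHANNEL_GROUP.match(line)
            if m:
                members[m.group(1)][name] = m.group(2)

    findings = []
    for group, ports in sorted(members.items()):
        po = f"Port-channel{group}"
        if po not in blocks:
            findings.append(f"group {group}: {po} is not defined")
            continue
        want = switchport_settings(blocks[po])
        for port, mode in sorted(ports.items()):
            if mode != "on":
                findings.append(
                    f"{port}: channel-group mode '{mode}' is not 'on'; "
                    "a standard vSwitch only supports static EtherChannel")
            have = switchport_settings(blocks[port])
            if have != want:
                findings.append(
                    f"{port}: switchport config differs from {po} "
                    f"(missing {sorted(want - have)}, extra {sorted(have - want)})")
    return findings


if __name__ == "__main__":
    for finding in check_channel_groups(SAMPLE_CONFIG) or ["all channel-groups consistent"]:
        print(finding)
```

Feed it the output of `show running-config` saved to a file and an empty result means the bundle is consistent.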


Now that the Cisco Catalyst switch is configured, let’s log into ESXi vSphere Client and configure the server to communicate with our switch.


I actually just bought a new quad-port network adapter off eBay just for this project. After installing it in my HP DL380 G6 server, I went in to verify that the card worked, and from this screenshot it looks like it is working just fine.

[Screenshot: esxi-1]


Now go over to the “Networking” section. You can see I already have multiple vSwitches defined for the other 4-port network card that was already installed in the server. My plan is to make all eight of my network adapters part of one port-channel. This maximizes throughput and bandwidth to and from the server, and provides a reliable 8-way path to my core switch. The only downside is that my core switch is now the single point of failure on the network. If you’re going to do this in your environment, I recommend having an identical switch and a full backup of the primary switch’s configuration, so that you can swap it in if the primary fails.

[Screenshot: esxi-2]


From here, click on “Add Networking…”

[Screenshot: esxi-3]


You need to select “VMkernel” here. You’ll be using “Virtual Machine” network type later. For now, VMkernel, then click “Next”:

[Screenshot: esxi-4]


Select the network adapters you want to participate in the port channel, then click “Next”:

[Screenshot: esxi-5]


Since this is a Port-Channel, or Etherchannel, you want this to trunk all of your VLANs from the Cisco Catalyst switch to your ESXi server. Make it easy and name this “Port-Channel” and allow all VLANs to traverse the link, then click “Next”:

[Screenshot: esxi-6]


You’ll want to enable management on this, so give it an IP address on your Internal network. Please, for the love of all that is right and just, do NOT open up management access to the Internet or any of your DMZs!

[Screenshot: esxi-7]


Verify your settings on the “Summary” screen, then click “Finish” to continue.

[Screenshot: esxi-8]


After you create your switch, you’ll see it appear in the “Networking” screen of your vSphere client. You’ll see that I haven’t attached network cables yet, which is why all my adapters are showing as “Down” with the red “X” next to each physical adapter.

Go ahead and click on “Properties…” to continue.

[Screenshot: esxi-9]


Make sure your vSwitch is highlighted in the left column, then click, “Edit…”

[Screenshot: esxi-10]


In the vSwitch Properties window, make sure the load balancing policy is set to “Route based on IP hash” (this is the policy a static EtherChannel requires), then click OK.

[Screenshot: esxi-11]


Now you can add in all your VLANs that will live on this vSwitch. So click on “Add Networking…” to continue:

[Screenshot: esxi-3]


Here is where you’re going to use the “Virtual Machine” connection type. Click Next to continue.

[Screenshot: esxi-12]


We’re going to bind this VLAN to the new switch we created. So select the vSwitch you created earlier in this process, then click “Next” to continue.

[Screenshot: esxi-13]


Here, I will create a Business-to-Business VLAN, and tag all traffic in this VLAN with VLAN ID 75. Then click “Next” to continue.

[Screenshot: esxi-14]


Verify your changes in the “Summary” screen, then click “Finish” to continue.

[Screenshot: esxi-15]


After you create all of your VLANs and add your virtual machines to each network you desire, your end result will look like this:

[Screenshot: esxi-16]



If you have any questions, please feel free to contact me at any time!



AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage DSL modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider was able to route a /28 subnet to your home or business, they’d be able to properly manage that subnet through their “firewall” or whatever you want to call it. The way this normally works is by routing a network range to your device. But AT&T and 2WIRE ensure that every public static IP address you have needs a unique MAC address and must look like a different device altogether. This is asinine.

So, with the help of my business partner, we’ve come up with a solution for getting a set of static IP addresses to work so that you can host services on AT&T U-verse. We accomplished this with a free, open source operating system named “pfSense”. I’m sure there are other systems we could have used, or we could have done it in plain Linux, but pfSense is really robust and has a nice interface. So that’s what we went with.

Additionally, I’m sure not everyone and their mother has an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualize the firewall. We’re running pfSense in a virtual machine on the DL380, which is running ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyway, here’s how we configured the virtual firewall. In ESX, we provisioned the VM with 8 network adapters, a 10GB HDD, 2GB RAM, and 1 virtual CPU. We then gave the VM access to the three different network segments (DMZ, Internal, Outside) and created the matching interfaces within pfSense. Then we programmed the AT&T gateway to use the external addresses AT&T provided, making sure that the interfaces and MAC addresses lined up between the ESX server, the AT&T gateway, and the pfSense console. Also, in the AT&T gateway, we set the system to DMZplus mode, which you can read about in the screenshots below.

[Screenshots: pfSense1, pfSense2, pfSense3, att-config0, att-config1, att-config2, att-config3]



Now that our AT&T gateway is properly forwarding External IP traffic to the proper interfaces on our pfSense firewall, we can go through and create all the inbound NATs, firewall rules and network security that we wish to have.

If you have any further questions on how to set this up, just ask!

Thanks!






Setting up Etherchannel between Cisco ASA and Cisco Switch

I’ve recently had the need to re-architect my network in order to gain more functionality, scalability and security. I’ve written in past blogs on how important it is to have network security built into your network, and how important it is to have a properly segmented network. Here I’m going to show you how easy that is to do, and show you why every business should be doing this to some extent.

So let’s get going here. First off, if you have an ASA that is already being used in a production environment, you’re going to have to schedule some downtime. In order to set up EtherChannel on the ASA, the member ports must have no configuration on them. In my case, I’m setting up a quad-port EtherChannel, so I need all four ports wiped clean.

erdmanor-5510# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
erdmanor-5510#
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.1.2     YES manual up                    up  
erdmanor-5510#


Now that we have a clean configuration, let’s setup the port-channel.

erdmanor-5510(config)# int port-channel 1
erdmanor-5510(config-if)#
erdmanor-5510(config-if)# no nameif
erdmanor-5510(config-if)# no security-level
erdmanor-5510(config-if)# no ip address
erdmanor-5510(config-if)#


Now that we have a port-channel created, we need to assign what interfaces are going to take part in that port channel.

erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int Ethernet0/0
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/0.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/1        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/1.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/2        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/2.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)# int Ethernet0/3        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/3.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)#


Now we need to get our switch configured. We’ll basically be doing the same thing on the switch that we just did on our ASA. You’ll notice the syntax on the ASA is just a bit different from the switch’s, but Cisco came close on the two.

Let’s start with creating our port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int port-channel 1
Erdmanor3750G(config-if)#    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switch mode trunk
Erdmanor3750G(config-if)#


Now we can get our Ethernet ports into the port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/1
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/2              
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA                
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/3        
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/4      
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA      
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#


Now that the port-channel is up and running, we need to establish which VLANs are going to traverse this link. Cisco ASAs handle VLANs a bit differently from Catalyst switches, at least in how they are configured: on a Cisco ASA, you create a sub-interface for every VLAN you want. For the Catalyst switch,

erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.10
erdmanor-5510(config-subif)# vlan 10
erdmanor-5510(config-subif)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 172.98.17.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.20                
erdmanor-5510(config-subif)# vlan 20                            
erdmanor-5510(config-subif)# nameif Inside                      
INFO: Security level for "Inside" set to 100 by default.
erdmanor-5510(config-subif)# ip address 192.168.100.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.30                
erdmanor-5510(config-subif)# vlan 30                              
erdmanor-5510(config-subif)# nameif FrontDMZ                      
INFO: Security level for "FrontDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.121.23.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.40                
erdmanor-5510(config-subif)# vlan 40                              
erdmanor-5510(config-subif)# nameif BackDMZ                      
INFO: Security level for "BackDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.156.183.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.50                
erdmanor-5510(config-subif)# vlan 50                              
erdmanor-5510(config-subif)# nameif Wireless                      
INFO: Security level for "Wireless" set to 0 by default.
erdmanor-5510(config-subif)# security-level 50
erdmanor-5510(config-subif)# ip address 172.21.49.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#



From here we just need to create some VLANs on the switch and then we can finalize the configuration on the ASA.

Erdmanor3750G#
Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#vlan 10
Erdmanor3750G(config-vlan)#no shut
%VLAN 10 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 20
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 30
Erdmanor3750G(config-vlan)#no shut
%VLAN 30 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 40
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 50
Erdmanor3750G(config-vlan)#no shut
%VLAN 40 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#interface vlan 10
Erdmanor3750G(config-if)#description Outside zone between pfSense and ASA
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 20                              
Erdmanor3750G(config-if)#description Inside network                      
Erdmanor3750G(config-if)#no shut                  
Erdmanor3750G(config-if)#exit                      
Erdmanor3750G(config)#interface vlan 30        
Erdmanor3750G(config-if)#description Front DMZ for direct connections from the Internet
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 40                                            
Erdmanor3750G(config-if)#description Back DMZ -- Teired DMZ for server systems
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 50                                    
Erdmanor3750G(config-if)#description Wireless network                
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#



So this is what my interface list looks like in the running config now:

interface Ethernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 channel-group 1 mode on
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif Outside
 security-level 0
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 security-level 0
 ip address 10.121.23.1 255.255.255.0
!
interface Port-channel1.40
 vlan 40
 nameif BackDMZ
 security-level 0
 ip address 10.156.183.1 255.255.255.0
!
interface Port-channel1.50
 vlan 50      
 nameif Wireless
 security-level 50
 ip address 172.21.49.1 255.255.255.0
!



And now a look at my switch port configuration:

!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/3
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/4
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
!
interface Vlan30
 description Front DMZ for direct connections from the Internet
 no ip address
!
interface Vlan40
 description Back DMZ -- Teired DMZ for server systems
 no ip address
!
interface Vlan50
 description Wireless network
 no ip address


Erdmanor3750G#
Erdmanor3750G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.3     YES manual up                    up      
Vlan10                 unassigned      YES unset  up                    up      
Vlan20                 unassigned      YES unset  up                    up      
Vlan30                 unassigned      YES unset  up                    up      
Vlan40                 unassigned      YES unset  up                    up  
GigabitEthernet4/0/1   unassigned      YES unset  up                    up      
GigabitEthernet4/0/2   unassigned      YES unset  up                    up      
GigabitEthernet4/0/3   unassigned      YES unset  up                    up      
GigabitEthernet4/0/4   unassigned      YES unset  up                    up      
...  
Port-channel1          unassigned      YES unset  up                    up



Fantastic. Let’s check to see that the ASA is showing the port-channel working.

erdmanor-5510# sh port-channel detail
        Channel-group listing:
        -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
        Ports in the group:
        -------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/3
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

erdmanor-5510# sh port-channel sum    
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(P)   Et0/3(P)  
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.86.2    YES manual up                    up  
Port-channel1              unassigned      YES unset  up                    up  
Port-channel1.10           172.98.17.1     YES manual up                    up  
Port-channel1.20           192.168.100.1   YES manual up                    up  
Port-channel1.30           10.121.23.1     YES manual up                    up  
Port-channel1.40           10.156.183.1    YES manual up                    up  
Port-channel1.50           172.21.49.1     YES manual up                    up  
erdmanor-5510#



And now to check the port channel on the Catalyst switch:

Erdmanor3750G#sh etherchannel detail
        Channel-group listing:
        ----------------------

Group: 1
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
        Ports in the group:
        -------------------
Port: Gi4/0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:45s

Port: Gi4/0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:16s

Port: Gi4/0/3
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:04s

Port: Gi4/0/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:23m:53s

        Port-channels in the group:
        ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:33m:13s
Logical slot/port   = 10/1          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi4/0/1  On                 0
  0     00     Gi4/0/2  On                 0
  0     00     Gi4/0/3  On                 0
  0     00     Gi4/0/4  On                 0

Time since last port bundled:    0d:00h:23m:53s    Gi4/0/4

Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#sh etherchannel sum  
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)  
                                 Gi4/0/4(P)  

Erdmanor3750G#



Now, moving forward, please remember that you MUST specify the VLAN each switch port will be in, otherwise you’re going to have communication issues. Catalyst switches do NOT auto-sense which VLAN your port is in. So you need to specify the VLAN on both the Cisco ASA and the switch, like this:

Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#
Erdmanor3750G(config)#vlan 60
Erdmanor3750G(config-vlan)#no shut
%VLAN 60 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#interface Vlan60
Erdmanor3750G(config-if)#description ATT Outside Public 108.227.33.120/28 Network
Erdmanor3750G(config-if)#no ip address
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#int GigabitEthernet4/0/19
Erdmanor3750G(config-if)#switchport access vlan 60
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#


Now create the VLAN (sub-interface) on the ASA, like this:

erdmanor-5510# conf t
erdmanor-5510(config)# interface Port-channel1.60
erdmanor-5510(config-subif)# vlan 60
erdmanor-5510(config-subif)# nameif ATTOutside
INFO: Security level for "ATTOutside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 108.227.33.121 255.255.255.248
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)# exit
erdmanor-5510#


Now that we have the VLANs and port-channel created, we need to ensure that our firewall rulebase is set up properly.

NOTE: I am just showing you how to set this up. It is up to YOU to be a smart network admin and lock down these VLANs with the proper rules!!!

From here, create your basic ACLs and lock them down tightly. Make sure that you bind each access-list to an interface too! I personally like to write all my ACLs from the point of view of the requester, or client machine, on a network. So I write the ACL as if you’re going into a garden hose: the garden hose is the interface the traffic enters. Basically, you’re writing the rules so that they are enforced as close to the end point as possible.

erdmanor-5510(config)# access-list backdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list frontdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list inside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list outside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list wireless-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)#
erdmanor-5510(config)# access-group outside-traffic-in in interface Outside
erdmanor-5510(config)# access-group inside-traffic-in in interface Inside
erdmanor-5510(config)# access-group frontdmz-traffic-in in interface FrontDMZ
erdmanor-5510(config)# access-group backdmz-traffic-in in interface BackDMZ
erdmanor-5510(config)# access-group wireless-traffic-in in interface Wireless


Now we’re all done! Please contact me with any questions or concerns (or if you found that I screwed this up at all!). Thanks for reading!

Cisco AnyConnect on Cisco ASA 5500 running IOS 9.1.5

Cisco AnyConnect is a great VPN client because it runs over SSL/TLS and is very mature at this point in time. So, because of this, and the fact that I had a lot of questions come up about this in the past month (for one of my clients), I decided to write a blog on how to implement Cisco AnyConnect on a Cisco ASA 5515, running IOS 9.1.5. While I’m using an ASA-5515, I have also tested this to work on my 5505 and my 5510 test machines. So let’s get configuring!

We’ll start by downloading all the software from Cisco. For this you’ll need Cisco IOS version 9.1.5, ASDM version 7.x, and AnyConnect Version 2.5 or higher. To get this software legally, you’ll need to have a valid CCO ID (Cisco account), and you’ll need a valid SmartNet or SmartCare contract on your ASA.

Once you’ve obtained your software, we’ll need to upload it to your ASA. So let’s do that right now. If you don’t have a TFTP server, you’ll need one. If you need one that is simple to set up and use, check out my blog on setting up a Linux TFTP server.


Below, I am uploading the new IOS 9.1.5.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://192.168.1.10/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 39.670 secs (695217 bytes/sec)
erdmanor-5510#
erdmanor-5510# conf t
erdmanor-5510(config)# boot system disk0:/asa915-k8.bin
erdmanor-5510(config)# sh run boot
boot system disk0:/asa915-k8.bin
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: fdee857f 734e0f13 a5fda71e e6bc2320
9154 bytes copied in 3.250 secs (3051 bytes/sec)
[OK]
erdmanor-5510(config)#
erdmanor-5510(config)# exit
erdmanor-5510# reload
Proceed with reload? [confirm]
erdmanor-5510#

***
*** --- START GRACEFUL SHUTDOWN ---


Now let’s get the new ASDM uploaded along with our SSL VPN client.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asdm-743.bin

Destination filename [asdm-743.bin]?

Accessing tftp://192.168.1.10/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file disk0:/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
24810876 bytes copied in 34.30 secs (729731 bytes/sec)
erdmanor-5510# copy tftp flash

Address or name of remote host [192.168.1.10]?

Source filename [asdm-743.bin]? anyconnect-win-2.5.2014-k9.pkg

Destination filename [anyconnect-win-2.5.2014-k9.pkg]?

Accessing tftp://192.168.1.10/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4678691 bytes copied in 6.460 secs (779781 bytes/sec)

erdmanor-5510# dir

Directory of disk0:/

107    -rwx  27113472     13:27:06 Nov 03 2015  asa915-k8.bin
113    -rwx  24810876     13:40:12 Nov 03 2015  asdm-743.bin
115    -rwx  4678691      13:41:07 Nov 03 2015  anyconnect-win-2.5.2014-k9.pkg

62904320 bytes total (5550080 bytes free)
erdmanor-5510#


Great. Now that we have our software, let’s start setting up our environment.

When dealing with SSL, you need to have some kind of certificate installed on your server in order to create a secure connection. If this is a company, you should set up a real certificate from a real vendor like Verisign/Symantec, but for this instance I’m just going to set up a self-signed certificate. Keep in mind that self-signed certs are less secure and that they will prompt your end users with security warnings whenever your users connect.

So let’s get a certificate set up for our ASA’s Outside interface, since that’s where our outside users will be connecting from.

erdmanor-5510(config)#
erdmanor-5510(config)# crypto key generate rsa label ErdmanorSSLCert modulus 2048

Keypair generation process begin. Please wait...
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# crypto ca trustpoint ErdmanorSSLTrustpoint
erdmanor-5510(config-ca-trustpoint)# enrollment self
erdmanor-5510(config-ca-trustpoint)# fqdn sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# subject-name CN=sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# keypair ErdmanorSSLCert
erdmanor-5510(config-ca-trustpoint)# crypto ca enroll ErdmanorSSLTrustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: sslvpn.erdmanor.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
erdmanor-5510(config)#
erdmanor-5510(config)# ssl trust-point ErdmanorSSLTrustpoint Outside
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: 9be339e8 0522dd14 a192370f 5e9c6bf4

7969 bytes copied in 3.240 secs (2656 bytes/sec)
[OK]
erdmanor-5510(config)#


Now we need to configure WebVPN to work on our ASA, and allow it to present the AnyConnect VPN client to our connecting users.

erdmanor-5510(config)# webvpn
erdmanor-5510(config-webvpn)# enable Outside
INFO: WebVPN and DTLS are enabled on 'Outside'.
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg
erdmanor-5510(config-webvpn)# anyconnect enable
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: aa7a52ab 38eb7e98 3e15d522 856eae67

8069 bytes copied in 3.250 secs (2689 bytes/sec)
[OK]
erdmanor-5510(config)#


Before we go any further, you have to make a determination here on how you’re going to perform DHCP addressing for your VPN users. There are two primary options:
1. Host the DHCP pool on the ASA
2. Forward DHCP requests to a DHCP server (like a Windows Domain Controller)

For this case, I’ve opted to host the DHCP pool locally on the ASA. But for a business environment, I would suggest that you forward these requests to your domain controller, especially if you’re running other Microsoft services such as Exchange, SCCM, SCOM and others. I’ll go over both methods, but I’m going to be using the local DHCP server.

erdmanor-5510(config)#
erdmanor-5510(config)# ip local pool AnyConnectIPPool 192.168.2.1-192.168.2.200 mask 255.255.255.0
erdmanor-5510(config)#


I will update this section of the DHCP forwarding at a later time. Please check back!
For now, here is what Cisco has on this: http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516



In the Microsoft world, Group Policies are a group of settings that are applied to a Windows operating system in a domain. For instance, if you wanted all the desktop backgrounds to be a picture of your company logo, you could roll that out via MS Group Policy.

In the same fashion, Cisco has begun using Group Policies in order to set certain parameters and settings to their clients that connect. Group Policies are actually a pretty good idea in order to group a list of settings together that would apply to one connection type. In this case, that connection type is Cisco’s AnyConnect users.

So, let’s get our Group Policy setup for our users. This policy will be extremely basic, but please understand that Cisco’s Group Policies can get very in-depth.

erdmanor-5510(config)#
erdmanor-5510(config)# group-policy AnyConnectPolicy Internal
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# dns-server value 192.168.1.5 192.168.1.6
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# vpn-tunnel-protocol ssl-client
erdmanor-5510(config-group-policy)# default-domain value erdmanor.com
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# address-pools value AnyConnectIPPool
erdmanor-5510(config-group-policy)#


The next thing we need to do is allow our SSL VPN users to bypass the Outside interface access list so they can get to the Internal network. If this isn’t put in there, then you’ll have to write up ACLs on your Outside access list that specifically allow your VPN users to access certain network locations. This can turn into an administration overhead nightmare. The easiest thing to do is allow your users to bypass the Outside ACL, and then manage what they can reach from the inside (on the ASA, a vpn-filter ACL applied in the group policy is the usual place to restrict decrypted VPN traffic). It’s cleaner, and causes fewer headaches.

erdmanor-5510(config)# sysopt connection permit-vpn


Now we need to create our AnyConnect connection profile. This profile is what users will see when they connect to the Outside interface of our ASA. To do this we need to create what is called a “tunnel-group” in Cisco terminology. This tunnel-group will contain all of the connection profile settings that will be applied to any user successfully connecting with the AnyConnect client. When you’re going through this configuration, please make sure to note which config mode you’re in. You’ll start in normal config and progress through “config-tunnel-general”, “config-tunnel-webvpn”, and “config-webvpn”. Make sure to run ? in each of those modes and check out the other commands in there.

erdmanor-5510(config)#
erdmanor-5510(config)# tunnel-group AnyConnectPolicy type remote-access
erdmanor-5510(config)# tunnel-group AnyConnectPolicy general-attributes
erdmanor-5510(config-tunnel-general)#
erdmanor-5510(config-tunnel-general)# default-group-policy AnyConnectPolicy
erdmanor-5510(config-tunnel-general)# tunnel-group AnyConnectPolicy webvpn-attributes
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# group-alias Erdmanor-VPN enable
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# webvpn
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# tunnel-group-list enable
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# exit
erdmanor-5510# wr
Building configuration...
Cryptochecksum: 52d129a7 a5d58820 28b2f420 29226a32

8622 bytes copied in 3.240 secs (2874 bytes/sec)
[OK]
erdmanor-5510#


Since we’re going to be using Split Tunneling for our VPN connection, we need to ensure that our VPN users get the proper routing updates they need so that when they try to access a resource on our corporate network, their computers will send that traffic down the SSL VPN tunnel to our office or Data Center. We should discuss what we mean by Split tunneling as well. There are three options here, as you can see below, and here is more information from Cisco on Split-Tunneling.

erdmanor-5510(config-group-policy)# split-tunnel-policy ?              

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list


To configure the network routes that our end user will see, we’ll create an access list and then specify that ACL in the group-policy configuration. We’ll also specify that our tunnel is a Split-Tunnel, and we’ll provide our internal domain name so any DNS resolution works as well.

erdmanor-5510(config)#
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
erdmanor-5510(config)#                                                                                
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes    
erdmanor-5510(config-group-policy)# split-tunnel-policy tunnelspecified
erdmanor-5510(config-group-policy)# split-tunnel-network-list value split-tunnel-network-acl
erdmanor-5510(config-group-policy)# split-dns value erdmanor.com
erdmanor-5510(config-group-policy)# exit
erdmanor-5510(config)#
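
To make the three split-tunnel-policy options and the split-dns setting concrete, here is an added Python example (not from the post or from Cisco) that parses the standard ACL lines above into networks and decides, per destination and per DNS name, what the AnyConnect client would send down the tunnel; the ACL lines and hostnames are constructed from the post's values.

```python
import ipaddress

# Constructed from the post's two access-list lines (CLI prompt removed).
ACL_LINES = [
    "access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0",
    "access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0",
]
SPLIT_DNS_DOMAINS = ("erdmanor.com",)  # from "split-dns value erdmanor.com"


def parse_standard_acl(lines, acl_name):
    """Return the permitted networks of an ASA standard ACL as ip_network objects.

    Handles the forms  <network> <mask>,  host <ip>  and  any / any4.
    Deny entries are skipped: this model only tracks what the list permits.
    """
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[:3] != ["access-list", acl_name, "standard"]:
            continue
        if parts[3] != "permit":
            continue
        target = parts[4]
        if target in ("any", "any4"):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif target == "host" and len(parts) >= 6:
            nets.append(ipaddress.ip_network(parts[5] + "/32"))
        elif len(parts) >= 6:
            # ASA standard ACLs use a subnet mask (not a wildcard mask)
            nets.append(ipaddress.ip_network(f"{target}/{parts[5]}", strict=False))
    return nets


def goes_through_tunnel(destination, policy, network_list=None):
    """True if the AnyConnect client sends traffic for destination down the VPN.

    policy is one of the three split-tunnel-policy keywords shown in the post.
    """
    if network_list is None:
        network_list = parse_standard_acl(ACL_LINES, "split-tunnel-network-acl")
    addr = ipaddress.ip_address(destination)
    if policy == "tunnelall":
        return True  # everything, Internet included, is sent to the ASA
    listed = any(addr in net for net in network_list)
    if policy == "tunnelspecified":
        return listed  # only the listed networks; Internet traffic leaves the client directly
    if policy == "excludespecified":
        return not listed  # everything except the listed networks
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def dns_query_goes_through_tunnel(hostname, split_dns_domains=SPLIT_DNS_DOMAINS):
    """True if the name falls under a split-dns domain, i.e. the client resolves it
    through the tunnel's DNS servers (the dns-server value in the group policy)."""
    name = hostname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in split_dns_domains)


if __name__ == "__main__":
    nets = parse_standard_acl(ACL_LINES, "split-tunnel-network-acl")
    print("tunneled networks:", [str(n) for n in nets])
    for dst in ("192.168.1.5", "10.10.10.200", "8.8.8.8"):
        for policy in ("tunnelspecified", "excludespecified", "tunnelall"):
            print(f"{dst:>14} {policy:<17} -> {goes_through_tunnel(dst, policy, nets)}")
    print("mail.erdmanor.com via tunnel DNS:", dns_query_goes_through_tunnel("mail.erdmanor.com"))
```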


Now we need to fix up the NAT’ing to ensure that our users are able to communicate with the rest of the network as well as get Internet access. To enable that functionality, we’re actually going to be creating two NAT statements. The first is a dynamic NAT that will translate connections from the VPN users and allow them Internet access. Remember that in order for this to work, you still need an ACL to allow the access to specific locations. Also, since we are allowing split tunneling, we technically don’t need to allow them Internet access here, but I’m covering it anyway in case you need to tunnel all traffic from your end users back to your internal network for security reasons.

First let’s get our dynamic NAT created. Since our internal network is on 192.168.1.0/24, we put our VPN users on 192.168.2.0/24. So here we’ll create an object-group for our VPN users and then we can create our dynamic NAT.

erdmanor-5510(config)#
erdmanor-5510(config)# object-group network VPN-Users                        
erdmanor-5510(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
erdmanor-5510(config)# nat (Outside,Outside) source dynamic VPN-Users interface
erdmanor-5510(config)#


Now let’s get our static NAT configured. This one is what Cisco refers to as an “Identity NAT”. According to Cisco, “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”

So based on this information, we know that we need an Identity NAT. The rule below also references a network object named Internal-Network for the 192.168.1.0/24 inside network; it is not shown being created above, so define it first (a network object or object-group, the same way VPN-Users was created). So let’s get that going.

erdmanor-5510(config)#
erdmanor-5510(config)# nat (Inside,Outside) source static Internal-Network Internal-Network destination static VPN-Users VPN-Users no-proxy-arp route-lookup
erdmanor-5510(config)#


Also, let’s say for instance that we have a Site-to-Site VPN tunnel to our sister data center, or a partner company, which our end users will need access to. While we’re talking about NATs, let’s walk through NATing this traffic as well.

We’ll start by assuming that we already have a Site-to-Site VPN up and running; let’s say it’s to the Amazon Cloud (AWS). Since this is already set up, we just need to allow our users access to it. Remember, you’ll need to set up ACLs to allow the traffic; this is just ensuring that NAT’ing is set up properly. Here, we’re assuming we already have an Object-Group named “AWS-Network”. The NAT is nearly the same as before, but the difference is that this is what Cisco refers to as a Hairpin NAT. For this to work properly, you’ll need to enable “intra-interface” traffic. The “Inter-Interface” option is for different interfaces, while “Intra-Interface” allows communication into and back out the SAME interface. See here:

erdmanor-5510(config)# same-security-traffic permit ?              

configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
erdmanor-5510(config)#


So let’s get this Hairpin NAT started. First you’ll notice that the Interface is the same (Outside,Outside). Remember, AnyConnect users are coming in from the “Outside” interface, and they’re communicating across a VPN tunnel that is also connected to the “Outside” interface.

erdmanor-5510(config)#
erdmanor-5510(config)# same-security-traffic permit intra-interface
erdmanor-5510(config)# nat (Outside,Outside) source static VPN-Users VPN-Users destination static AWS-Network AWS-Network no-proxy-arp route-lookup
erdmanor-5510(config)#


Okay moving right along here! Now we’ll create a user account and test logging into our system.

erdmanor-5510(config)#
erdmanor-5510(config)# username vpnsteve password NotMyP@ssw0rd
erdmanor-5510(config)# username vpnsteve attributes        
erdmanor-5510(config-username)# service-type remote-access
erdmanor-5510(config-username)# exit
erdmanor-5510(config)#


I’ll have to get this thing actually setup on the Internet so that I can connect to it, but I know the configuration works from here. I’ve set this up a few times this month alone for clients, so I’m confident in it running properly for you as well. When I can, I’ll get some screenshots posted here to show it works.

Thanks for reading!




http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30.pdf
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24/ac03features.html#wp1064149
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
http://www.databasemart.com/HowTo/Cisco_VPN_Remote_Access_Setup_ASA5500.aspx
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#25608
http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/dhcp.html
http://www.petenetlive.com/KB/Article/0001050.htm
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
http://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-asa-remote-access-setup/


Setting up a TFTP server in Debian/Ubuntu

I’ve needed to set up a TFTP server for various reasons in the past. Most recently, I needed it in order to upload files (OS images, VPN clients, etc.) to Cisco routers, switches and ASA Firewalls. So this blog is for the sole purpose of setting up a TFTP server.

I need to stress and emphasize the security issues that TFTP servers have. There are no logon credentials, the protocol is all in plain text, and there is no file security for any files supplied by the TFTP server. So make sure that you are only putting files on this server that are considered “compromisable”. If you’re going to be backing up files on this server (running configs, especially), then you should do everything in your power to limit access to this machine by use of firewall rules. For large networks, I would recommend using a product like CatTools.

Alright, so let’s see here. First off you’re going to need to install some software.

steve @ steve-G75VX ~ :) ##   sudo apt-get update
[sudo] password for steve:
...
...                                                                                                                                                                        
Fetched 916 kB in 8s (112 kB/s)                                                                                                                                                                                                            
Reading package lists... Done
steve @ steve-G75VX ~ :) ##   sudo apt-get install xinetd tftpd tftp
Reading package lists... Done
Building dependency tree      
Reading state information... Done
xinetd is already the newest version.
tftp is already the newest version.
tftpd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
steve @ steve-G75VX ~ :) ##


Now that we have our software installed, we need to configure our TFTP daemon to run.

Start by creating a new file and paste in this info:

steve @ steve-G75VX ~ :) ##   sudo nano /etc/xinetd.d/tftp
service tftp
{
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = nobody
server          = /usr/sbin/in.tftpd
server_args     = /tftp
disable         = no
}
steve @ steve-G75VX ~ :) ##


Things to remember here are that you’re specifying the default port of 69/udp and that the user “nobody” is going to be the user of the files.


Now that we have that done, we can create our directory and set permissions:

steve @ steve-G75VX ~ :) ##   sudo mkdir /tftp
steve @ steve-G75VX ~ :) ##   sudo chmod -R 777 /tftp
steve @ steve-G75VX ~ :) ##   sudo chown -R nobody /tftp


All that’s left is that we need to start the service!

steve @ steve-G75VX ~ :) ##   sudo service xinetd restart

-OR-

steve @ steve-G75VX ~ :) ##   sudo /etc/init.d/xinetd restart


Just test to make sure that the service is running:

steve @ steve-G75VX ~ :) ##   ps aux | grep xinet
root      7049  0.0  0.0  15024   456 ?        Ss   Oct22   0:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
steve    16301  0.0  0.0  15188  1984 pts/3    S+   17:25   0:00 grep --color=auto xinet
steve @ steve-G75VX ~ :) ##  
steve @ steve-G75VX ~ :) ##   ports | grep 69
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -              
steve @ steve-G75VX ~ :) ##


And we’re done!


Cisco ASA 8.3(and up) packet capturing

In the course of time, it becomes necessary to run packet captures in order to understand where issues are within a network. In this case, I’ve done this so many times I figured it would be easy enough to write a quick blog on it.

DISCLAIMER: Make sure you know what access-list or lists you’re modifying in Config mode.

######################################
###   Here we will go over exactly how
###   to create a packet capture and
###   how to view it via the CLI as well as
###   how to download it in PCAP file
######################################


##########
### enter system global config mode
##########
Configure terminal
conf t

##########
### START with creating an access list that is going to capture data from ALL directions needed
###
### Make sure that if you're just monitoring traffic between two hosts, that you setup your ACL like this:
##########


ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error


### you may need to know some interface specific information, so don’t forget to:
ErdmanorASA(config)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                1.1.1.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    10.1.1.1        255.255.255.0   CONFIG
GigabitEthernet0/3.1     failover               169.254.0.1     255.255.255.252 unset
GigabitEthernet0/3.2     failover-state         169.254.0.5     255.255.255.252 unset
Management0/0            TESTDMZ                10.2.2.2        255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                1.1.1.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    10.1.1.1        255.255.255.0   CONFIG
GigabitEthernet0/3.1     failover               169.254.0.2     255.255.255.252 unset
GigabitEthernet0/3.2     failover-state         169.254.0.6     255.255.255.252 unset
Management0/0            TESTDMZ                10.2.2.2        255.255.255.0   CONFIG


############
### Here we are going to apply the packet capture on an interface (in this case the “inside” interface)
### and we’re specifying a capture buffer of 10000000
ErdmanorASA(config)# capture steve interface inside access-list temp_packet_capture buffer 10000000 packet-length 1522


############
### this command shows any current captures that are taking place (your capture should be in there if you set one up)
ErdmanorASA(config)# sh capture
capture steve type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Inside [Capturing - 301082 bytes]
capture steve2 type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Ouside [Capturing - 298168 bytes]

############
### show the capture you just made (use the capture name, "steve" above, not the ACL name)
ErdmanorASA(config)# show cap steve

2024 packets captured

   1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
   2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
   3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
   6: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
   7: 16:30:32.469412 10.52.11.6.5120 > 192.168.1.10.44441: P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop,timestamp 173100359 408760499>
   8: 16:30:32.469564 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
   9: 16:30:32.469625 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990409:4293990490(81) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
  10: 16:30:32.469824 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990490:4293990572(82) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
...
...
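
As an added example (not part of the original post), here is Python that parses lines of ASA `show capture` output in the format shown above, flags retransmitted segments (packet 5 repeats packet 4’s sequence range), summarises each flow, and lists any addresses the capture ACL was not written for, which is worth checking when the output does not match the filter you wrote; the sample lines are constructed from the output above, with the TCP options shortened.

```python
import re
from collections import defaultdict

# One line of ASA "show capture <name>" output for TCP, in the format shown in the post:
#   <n>: <hh:mm:ss.usec> <src-ip>.<sport> > <dst-ip>.<dport>: <flags> [<seq>:<end>(<len>)] [ack <n>] [win <w>] <options>
CAPTURE_LINE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

# Constructed sample: packets 1-7 of the "show cap steve" output above, options shortened.
SAMPLE = """\
2024 packets captured

   1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK>
   2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460>
   3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop>
   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop>
   5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop>
   6: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop>
   7: 16:30:32.469412 10.52.11.6.5120 > 192.168.1.10.44441: P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop>
...
"""


def parse_capture(text):
    """Parse TCP lines of show-capture output into dicts; header and '...' lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "num": int(d["num"]),
            "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "end": int(d["end"]) if d["end"] else None,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"]) if d["win"] else None,
        })
    return packets


def find_retransmissions(packets):
    """Packet numbers whose (flow, seq range) repeats an earlier data-carrying segment."""
    seen = set()
    retrans = []
    for p in packets:
        if p["len"] == 0:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"], p["end"])
        if key in seen:
            retrans.append(p["num"])
        seen.add(key)
    return retrans


def flow_summary(packets):
    """Packet and payload-byte counts per unidirectional (src, sport, dst, dport) flow."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        summary[key]["packets"] += 1
        summary[key]["bytes"] += p["len"]
    return dict(summary)


def unexpected_hosts(packets, acl_hosts):
    """Addresses in the capture that are not among the hosts the capture ACL was written for."""
    hosts = {p["src"] for p in packets} | {p["dst"] for p in packets}
    return sorted(hosts - set(acl_hosts))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print("parsed packets:", len(pkts))
    print("retransmissions:", find_retransmissions(pkts))
    for flow, stats in flow_summary(pkts).items():
        print(flow, stats)
    print("hosts outside the ACL:", unexpected_hosts(pkts, ["192.168.1.10", "8.8.8.8"]))
```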


ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside:8.8.8.8/443 to inside:192.168.1.10/54213 duration 0:00:00 bytes 5856 TCP FINs



##############
###To clean-up the ASA when you're done
##############



##############
### to kill the capture you created (use the capture name, "steve" above, not the ACL name)
ErdmanorASA(config)# no capture steve


##############
### and remove the temporary access-list so it does not linger in the running config
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error


Debian Backups, the Command Line Way…

I’ve been wanting to write a blog on this for a long time since I’ve actually had this backup method running in my environment for years. It’s super easy to set up and, while thank god I’ve never had to recover from a backup, I have been able to go back and recover individual files from my backups. What you’ll need from an environment setup is at least one Linux box that you need backed up, and at least one NAS or other file storage server that has an SSH server. I perform all my backups to online disk storage that is based on FreeNAS. There are plenty of NAS environments, and I’m not saying FreeNAS is the best or the worst, but I like it and it works for me. It works extremely well with Linux, Windows and Mac OS X.

There are two parts to this:

1. manual backups
2. automated backups

Let’s start with the manual backups, because once we have the manual backups performed, then we can easily turn that into a script and run it in CRON.


    First, we need to specify the directories we don’t want to backup in a file that is accessible to root. Let’s list the directories in “/” first.

    steve @ steve-G75VX ~ :) ##   ll /
    total 18M
    drwxr-xr-x  25 root   root 4.0K Oct 22 14:54 ./
    drwxr-xr-x  25 root   root 4.0K Oct 22 14:54 ../
    drwxr-xr-x   2 root   root 4.0K Aug 14 02:03 bin/
    drwxr-xr-x   4 root   root 3.0K Oct  3 11:39 boot/
    drwxrwxr-x   2 root   root 4.0K May 21 11:52 cdrom/
    -rw-------   1 root   root  18M Oct  3 11:40 core
    drwxr-xr-x  24 root   root 4.8K Oct 31 12:38 dev/
    drwxr-xr-x 148 root   root  12K Oct 27 20:37 etc/
    drwxr-xr-x   3 root   root 4.0K May 21 11:53 home/
    lrwxrwxrwx   1 root   root   33 Aug 14 02:06 initrd.img -> boot/initrd.img-3.19.0-25-generic
    lrwxrwxrwx   1 root   root   33 Jul 10 08:56 initrd.img.old -> boot/initrd.img-3.19.0-22-generic
    drwxr-xr-x  26 root   root 4.0K Oct 13 13:41 lib/
    drwxr-xr-x   2 root   root 4.0K May 21 12:41 lib32/
    drwxr-xr-x   2 root   root 4.0K Apr 22  2015 lib64/
    drwx------   2 root   root  16K May 21 11:47 lost+found/
    drwxr-xr-x   3 root   root 4.0K May 21 12:01 media/
    drwxr-xr-x   2 root   root 4.0K Apr 17  2015 mnt/
    drwxr-xr-x   6 root   root 4.0K Oct 20 11:28 opt/
    dr-xr-xr-x 283 root   root    0 Oct 21 20:30 proc/
    drwx------   4 root   root 4.0K Oct 27 16:57 root/
    drwxr-xr-x  30 root   root 1.1K Oct 27 20:50 run/
    drwxr-xr-x   2 root   root  12K Aug 14 02:03 sbin/
    drwxr-xr-x   2 root   root 4.0K Apr 22  2015 srv/
    dr-xr-xr-x  13 root   root    0 Oct 22 14:55 sys/
    drwxrwxrwx   2 nobody root 4.0K Oct 22 17:55 tftp/
    drwxrwxrwt  18 root   root 4.0K Nov  1 15:17 tmp/
    drwxr-xr-x  11 root   root 4.0K May 21 12:41 usr/
    drwxr-xr-x  13 root   root 4.0K Apr 22  2015 var/
    lrwxrwxrwx   1 root   root   30 Aug 14 02:06 vmlinuz -> boot/vmlinuz-3.19.0-25-generic
    lrwxrwxrwx   1 root   root   30 Jul 10 08:56 vmlinuz.old -> boot/vmlinuz-3.19.0-22-generic


    So, based on this, we’ll exclude like this:

    steve @ steve-G75VX ~ :) ##   sudo mkdir /backups
    [sudo] password for steve:
    steve @ steve-G75VX ~ :) ##   sudo touch /backups/exclude.list
    steve @ steve-G75VX ~ :) ##   sudo nano /backups/exclude.list
    steve @ steve-G75VX ~ :) ##  

    /cdrom
    /dev
    /lost+found
    /proc
    /run
    /sys
    /tmp

    (Ctrl+x to quit, then y to save)


    Now that we have our directory and exclude list set up, we need to make sure rsync is installed on our system.

    steve @ steve-G75VX ~ :) ##   sudo apt-get update
    ...
    ...
    Fetched 1,743 kB in 21s (79.7 kB/s)
    Reading package lists... Done
    steve @ steve-G75VX ~ :) ##   sudo apt-get install rsync
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    rsync is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
    steve @ steve-G75VX ~ :) ##


    Now that we have rsync installed and our backup exclusions defined, let’s get our backups started.

    First, edit your .bashrc file in your home directory and add this line:

    alias backupall='sudo rsync -athvz --delete --exclude-from=/backups/exclude.list / steve@1.1.1.1:/mnt/Backups/laptop/'


    “What does all this do?” you might ask… well, it’s quite simple really.

    First, we create an alias for your shell named, “backupall”, because we’ll be performing full system backups from here.

    Next, we call “rsync” to run as root, and ask it to run with the switches -a, -t, -h, -v and -z.

  • -a = run in archive mode, which equals -rlptgoD (no -H, -A, -X)
  • -t = preserve modification times on your files (already implied by -a, so repeating it is harmless)
  • -h = output numbers in a human-readable format
  • -v = run verbosely
  • -z = compress file data during the transfer
  • --exclude-from=/backups/exclude.list = skip the paths listed in the exclude file we created above (without this switch the exclude list is never consulted)
  • And lastly, “--delete” means: “This tells rsync to delete extraneous files from the receiving side (ones that aren’t on the sending side), but only for the directories that are being synchronized. You must have asked rsync to send the whole directory (e.g. “dir” or “dir/”) without using a wildcard for the directory’s contents (e.g. “dir/*”) since the wildcard is expanded by the shell and rsync thus gets a request to transfer individual files, not the files’ parent directory. Files that are excluded from the transfer are also excluded from being deleted unless you use the --delete-excluded option or mark the rules as only matching on the sending side (see the include/exclude modifiers in the FILTER RULES section).” — http://linux.die.net/man/1/rsync

    Next is the “/”, which means we’re backing up everything in “/”, which is everything.

    Lastly, we’re specifying the destination. In this case, we’re doing RSYNC over SSH, so we’ll be specifying a location in the way that you would specify a destination in SCP.


    Now test running your backup. I’ve run mine before, so my update is pretty quick. But this is going to back up your whole system, so expect the first run to take a while.

    steve @ steve-G75VX ~ :( ᛤ>   backupallnas
    steve@1.1.1.1's password:
    sending incremental file list
    ./
    var/lib/mysql/blog/wp_AnalyticStats.MYD
    var/lib/mysql/blog/wp_AnalyticStats.MYI
    var/lib/mysql/blog/wp_options.MYD
    var/lib/mysql/blog/wp_options.MYI
    var/lib/mysql/blog/wp_postmeta.MYD
    var/lib/mysql/blog/wp_postmeta.MYI
    var/lib/sudo/steve/0
    var/log/auth.log
    var/log/apache2/access.log
    var/log/apache2/error.log

    sent 1.09M bytes  received 50.77K bytes  58.56K bytes/sec
    total size is 1.91G  speedup is 1673.17
    rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1070) [sender=3.0.9]
    steve @ steve-G75VX ~ :( ᛤ>



    Now we need to create our script, and make it executable.

    root @ steve-G75VX ~ :) ##   nano /backups/backupall
    root @ steve-G75VX ~ :) ##   chmod +x /backups/backupall
    root @ steve-G75VX ~ :) ##   ll /backups/backupall
    -rwxr-xr-x 1 root root 96 Nov  1 17:02 /backups/backupall*
    root @ steve-G75VX ~ :) ##


    The backup file contains just a shebang line and the rsync command (it runs from root’s crontab, so no sudo is needed, and it uses the exclude list we built earlier):

    #!/bin/sh
    rsync -athvz --delete --exclude-from=/backups/exclude.list / steve@1.1.1.1:/mnt/Backups/laptop/



    This looks pretty good! Now that we have a full backup of our machine, let’s get this set up in CRON.

    steve @ steve-G75VX ~ :) ##   sudo su
    root @ steve-G75VX ~ :) ##   crontab -l
    no crontab for root
    root @ steve-G75VX ~ :( ##   crontab -e
    no crontab for root - using an empty one

    Select an editor.  To change later, run 'select-editor'.
      1. /bin/ed
      2. /bin/nano        <---- easiest
      3. /usr/bin/vim.tiny

    Choose 1-3 [2]: 2
    crontab: installing new crontab
    root @ steve-G75VX ~ :) ##


    The line that I added to CRON was this:

    0 3 * * * /backups/backupall >/dev/null 2>&1


    This basically states that every day at 3am, this script will be run.


    From here we need to make sure our local system can perform password-less logon to the SSH server. To do that we’ll be working off of a prior blog I wrote on SSH Keys, here: Using SSH Keys to simplify logins to remote systems.

    You’ll want to test that your system can SSH to your remote system without entering a password. As long as that works, we’re good to go!

    That’s it! It’s that simple!



    I have run into issues on some machines where SSH keys don’t work. I haven’t had the time to troubleshoot why, so I found a different way to make backups work without using SSH keys. The downside is that this is MUCH less secure (the login password sits in a plain file on disk), and I really don’t recommend running this in a production setting. But for home or non-business use, you’re probably just fine.

    So to do this, we’re going to use the “sshpass” package. It’s out there for Debian and Ubuntu, so I’m sure it’s out there for other Linux/Unix systems as well.

    root @ steve-G75VX ~ :) ##   sudo apt-get install sshpass
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    The following NEW packages will be installed:
      sshpass
    0 upgraded, 1 newly installed, 0 to remove and 38 not upgraded.
    Need to get 10.5 kB of archives.
    After this operation, 56.3 kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu/ vivid/universe sshpass amd64 1.05-1 [10.5 kB]
    Fetched 10.5 kB in 0s (65.3 kB/s)  
    Selecting previously unselected package sshpass.
    (Reading database ... 258807 files and directories currently installed.)
    Preparing to unpack .../sshpass_1.05-1_amd64.deb ...
    Unpacking sshpass (1.05-1) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Setting up sshpass (1.05-1) ...
    root @ steve-G75VX ~ :) ##


    Go ahead and test logging into your NAS box, or any box really, with this. The idea is that, when you’re scripting you need to logon to remote systems without a password. If you can’t use SSH keys, then this is your next best bet. Create a file in “root’s” home dir and name it whatever you want. I named mine, “backup.dat”. It must contain only the password you use to log into your remote machine, on one line, all by itself.

    root @ steve-G75VX ~ :) ##   nano ~/backup.dat
    root @ steve-G75VX ~ :) ##   chmod 600 backup.dat


    You’ll call “sshpass”, -f for the file with the password, then the location of your “ssh” program, -p and the port number (the default port for ssh is 22), followed by the username you log in with (make sure it’s in the format “user@machine-ip”).

    root @ steve-G75VX ~ :) ##   sshpass -f /root/backup.dat /usr/bin/ssh -p 22 steve@1.1.1.1
    Last login: Sun Nov  1 17:22:08 2015 from 1.1.1.2
    FreeBSD 9.2-RELEASE (FREENAS.amd64) #0 r+2315ea3: Fri Dec 20 12:48:50 PST 2013

        FreeNAS (c) 2009-2013, The FreeNAS Development Team
        All rights reserved.
        FreeNAS is released under the modified BSD license.

        For more information, documentation, help or support, go here:
        http://freenas.org
    Welcome to FreeNAS
    [steve@freenas ~]$ exit
    logout
    Connection to 1.1.1.1 closed.
    root @ steve-G75VX ~ :) ##


    Okay, now that we’ve tested this and know it’s working, let’s modify our script and get this working with “sshpass”.

    root @ steve-G75VX ~ :) ##   /usr/bin/rsync -athvz --delete --rsh="/usr/bin/sshpass -f /root/backup.dat ssh -o StrictHostKeyChecking=no -l YourUserN@me" /home/steve steve@1.1.1.1:/mnt/Backups/laptop/


    Now test to make sure the script is working (as soon as you see the incremental file list being sent, you know it’s working properly):

    root @ steve-G75VX ~ :) ##   /usr/bin/rsync -athvz --delete --rsh="/usr/bin/sshpass -f /root/backup.dat ssh -o StrictHostKeyChecking=no -l steve" /home/steve steve@1.1.1.1:/mnt/Backups/laptop
    sending incremental file list
    ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(632) [sender=3.1.1]
    root @ steve-G75VX ~ :) ##
    root @ steve-G75VX ~ :) ##
    root @ steve-G75VX ~ :) ##   /backups/backupall
    sending incremental file list
    steve/.cache/google-chrome/Default/Cache/
    ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(632) [sender=3.1.1]
    root @ steve-G75VX ~ :( ##

    Success!
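    As an added example (not the post’s own /backups/backupall), here is a cron-safe version of the key-based script from the first half of the post, written as the hardened alternative to the sshpass variant just shown: it uses the exclude list, an SSH key instead of a password file, strict host-key checking instead of StrictHostKeyChecking=no, a lock so two nightly runs cannot overlap, and it classifies rsync’s exit code (the “code 23” seen earlier included). The key path /root/.ssh/backup_key, the log file and the lock directory are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not the post's own script: a cron-safe /backups/backupall.
# Assumptions not taken from the post: the key at /root/.ssh/backup_key, the
# log at /var/log/backupall.log and the lock directory /run/backupall.lock.
# The destination and the exclude list are the ones the post sets up.
set -u

BACKUP_SRC="/"
BACKUP_DEST="${BACKUP_DEST:-steve@1.1.1.1:/mnt/Backups/laptop/}"
BACKUP_EXCLUDE="${BACKUP_EXCLUDE:-/backups/exclude.list}"
BACKUP_SSH_KEY="${BACKUP_SSH_KEY:-/root/.ssh/backup_key}"
BACKUP_LOG="${BACKUP_LOG:-/var/log/backupall.log}"
BACKUP_LOCK="${BACKUP_LOCK:-/run/backupall.lock}"

# The transport rsync hands to -e/--rsh. BatchMode=yes makes ssh fail instead
# of hanging forever on a password prompt when the key is refused, which is
# what you want at 3am under cron; StrictHostKeyChecking=yes refuses an
# unknown or changed NAS host key instead of silently accepting it (the
# opposite of the StrictHostKeyChecking=no used with sshpass above).
ssh_command() {
    printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes' "$BACKUP_SSH_KEY"
}

# Classify rsync's exit code so the log (and cron mail) say what happened.
rsync_result() {
    case "$1" in
        0)  echo "ok" ;;            # everything transferred
        24) echo "ok-vanished" ;;   # source files disappeared mid-run: normal on a live system
        23) echo "partial" ;;       # the post's "code 23": some files/attrs were not transferred
        *)  echo "failed" ;;        # anything else: ssh refused, disk full, wrong path...
    esac
}

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >>"$BACKUP_LOG"
}

# Run one backup. mkdir is atomic, so an overlapping run (a slow first full
# backup still going when the next cron slot fires) just logs and exits
# instead of two rsyncs with --delete fighting over the same destination.
run_backup() {
    if ! mkdir "$BACKUP_LOCK" 2>/dev/null; then
        log "backup already running, skipping this run"
        return 75   # EX_TEMPFAIL
    fi
    trap 'rmdir "$BACKUP_LOCK"' EXIT INT TERM

    # -a already implies -t, so the post's -athvz becomes -ahz; -v is dropped
    # because cron mails every line written to stdout. --delete-excluded is
    # deliberately NOT used, so excluded paths are neither sent nor removed.
    rsync -ahz --delete \
        --exclude-from="$BACKUP_EXCLUDE" \
        -e "$(ssh_command)" \
        "$BACKUP_SRC" "$BACKUP_DEST" >>"$BACKUP_LOG" 2>&1
    rc=$?
    result=$(rsync_result "$rc")
    log "rsync finished with exit $rc ($result)"
    case "$result" in
        ok|ok-vanished) return 0 ;;
        *)              return 1 ;;
    esac
}

# Only start a backup when asked to, so the file can also be sourced for its
# functions without touching the NAS. Matching cron line:
#   0 3 * * * /backups/backupall --run
case "${1:-}" in
    --run) run_backup ;;
esac
```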







    http://linux.die.net/man/1/rsync
    https://www.debian-administration.org/article/56/Command_scheduling_with_cron


    How-to: SCP files from ASA

    This is a quick and simple blog. Just notes really on how to use SCP/SSH to download files off of an ASA. It comes in handy for scripting purposes, but I thought I would at least share for everyone to see.

    First things first, we need to enable SSH and secure copy (SCP) on our ASA. We can accomplish this by entering config mode and then issuing two different “ssh” commands:

    steve @ phiberoptiklmde ~ :) ##  ssh steve@1.1.1.1
    pomeroy@1.1.1.1's password:
    Type help or '?' for a list of available commands.
    MyASA5510> en
    Password: ***********
    MyASA5510# conf t
    MyASA5510(config)#ssh 0.0.0.0 0.0.0.0 Inside
    MyASA5510(config)#ssh scopy enable
    MyASA5510(config)#wr
    Cryptochecksum: 0d46cc75 79177ae7 9069c9a8 94153d78

    8184 bytes copied in 0.690 secs
    [OK]
    MyASA5510(config)#exit
    MyASA5510#exit

    The first “ssh” command allows anyone to connect to the ASA from the “Inside” interface: the “0.0.0.0 0.0.0.0” address and mask match every source address. This is NOT secure. In a real production environment, we should lock this down to a specific IP address, a handful of IP addresses, or a management network.

    The second “ssh” command tells the ASA to enable “scopy”, which basically means that you can connect to the ASA with an SCP client and download files.

    From here we can just use our Linux machine to download the file to whatever folder you want to save your files to. See below on how to do that.

  • Start with “scp”, then your user account at the IP of the machine: “scp steve@1.1.1.1”.
  • From here, it needs to call an actual file that exists on the ASA. If you log into the ASA and issue the “dir” command from enable mode, you can get a listing of all files on the local flash drive on the machine.
  • Lastly, you just need to specify the path that you want to save the file to.

    It’s that easy!

    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-win-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-win-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-win-3.1.05152-k9.pkg                                                                                                                                                                           100%   34MB 212.0KB/s   02:42    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.02040-k9.pkg /home/steve/Desktop/penvpn01-anyconnect/anyconnect-macosx-i386-3.1.02040-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-macosx-i386-3.1.02040-k9.pkg                                                                                                                                                                   100%   11MB 226.7KB/s   00:48    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.02040-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-3.1.02040-k9.pkg                                                                                                                                                                         100%   11MB 317.9KB/s   00:34    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.02040-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-64-3.1.02040-k9.pkg                                                                                                                                                                      100% 9735KB 314.0KB/s   00:31    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-macosx-i386-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-macosx-i386-3.1.05152-k9.pkg                                                                                                                                                                   100%   11MB 334.6KB/s   00:34  
    Connection to 1.1.1.1 closed by remote host.  
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-64-3.1.05152-k9.pkg                                                                                                                                                                      100%   10MB 343.9KB/s   00:31  
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-3.1.05152-k9.pkg                                                                                                                                                                         100%   10MB 341.5KB/s   00:31    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##


    Bash Shell Customizing

    I’ve had a request for a blog on how to customize the bash shell. I’ll put more into this in the future, but for now, here is the actual code in my .bashrc file.

    Basically, I like to have my command line environment customized to my liking, just like any other user/administrator. So what I’ve done here is added some color to my shell, as well as added some nice, helpful and easy to remember aliases that really save time in typing.

    Here is a screenshot of what my shell looks like:

    Screenshot

    #PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

    # mint-fortune - If you like the fortunes, keep this on, otherwise delete it.
    # you will need to have Mint Fortunes installed on your system for this to work;
    # the test keeps the shell quiet on machines that don't have it
    [ -x /usr/bin/mint-fortune ] && /usr/bin/mint-fortune

    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------


    #[Color Prompt] This adds color prompt to your shell.
    #    I've gone through and figured out a whole bunch
    #    of colors so you can go ahead and customize to
    #    your heart's content.

    force_color_prompt=yes

    #[Variables]
    RESET="\[\017\]"
    NORMAL="\[\033[;m\]"
    LGREEN="\[\033[1;32m\]"
    LGREEN0="\[\033[0;32m\]"
    LBLUE="\[\033[1;34m\]"
    LCYAN="\[\033[1;36m\]"
    LRED="\[\033[1;31m\]"
    LPURPLE="\[\033[1;35m\]"
    BLACK="\[\033[0;30m\]"
    BLUE="\[\033[0;34m\]"
    GREEN="\[\033[0;32m\]"
    CYAN="\[\033[0;36m\]"
    PURPLE="\[\033[0;35m\]"
    BROWN="\[\033[0;33m\]"
    LGRAY="\[\033[0;37m\]"
    DGREY="\[\033[01;30m\]"
    RED="\[\033[0;31m\]"
    YELLOW="\[\033[01;33m\]"
    WHITE="\[\033[01;37m\]"


    #[Good Command]
    SMILEY="${GREEN}:)${NORMAL}"

    #[Bad Command]
    FROWNY="${RED}:(${NORMAL}"

    #[Command Judge]
    SELECT="if [ \$? = 0 ]; then echo \"${SMILEY}\"; else echo \"${FROWNY}\"; fi"

    #[Working PS1 output]
    PS1="${RESET}${LCYAN}\u ${RED}@ ${LCYAN}\h: ${YELLOW}\w\a~ \`${SELECT}\` ${YELLOW}\$ ${GREEN} ${NORMAL} "


    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------


    #[Aliases]
    alias du="du -bchsS"
    alias ll="ls -alhF --color=auto"
    alias ..='cd ..'
    alias ...='cd ../..'
    alias dfah='df -ah'
    alias mount='mount |column -t'
    alias now='date +"%T"'
    alias nowdate='date +"%d-%m-%Y"'
    alias vlspci='sudo lspci -vvnn'
    alias vi=vim
    alias disks='sudo blkid && sudo fdisk -l'

    alias svi='sudo vi'
    alias vis='vim "+set si"'
    alias edit='vim'
    alias ports='netstat -tulanp'
    alias apt-get="sudo apt-get"
    alias updatey="sudo apt-get --yes"
    alias update='sudo apt-get update && sudo apt-get upgrade'
    alias meminfo='free -m -l -t'
    alias psmem='ps auxf | sort -nr -k 4'
    alias psmem10='ps auxf | sort -nr -k 4 | head -10'
    alias pscpu='ps auxf | sort -nr -k 3'
    alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
    alias cpuinfo='lscpu'
    ##alias cpuinfo='less /proc/cpuinfo' ##
    alias gpumeminfo='grep -i --color memory /var/log/Xorg.0.log'
    alias reboot='sudo /sbin/reboot'
    alias poweroff='sudo /sbin/poweroff'
    alias halt='sudo /sbin/halt'
    alias shutdown='sudo /sbin/shutdown'
    alias tftpstuff='sudo chmod 777 /tftp/* && sudo chown root:root /tftp/*'


    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------

    #[Backups] This section is where I have my backups defined.
    #    For more information, please check out my "Backups"
    #    blog. You can find it here:
    #    http://www.erdmanor.com/blog/debian-backups-command-line-way/

    alias backupall='sudo rsync -athvz --delete --exclude-from=/backups/exclude.list / /backups/computername/path/to/save/backups'


    Backing up Cisco Configurations for Routers, Switches and Firewalls

    I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

    This should give you all the software you need:

    sudo apt-get update
    sudo apt-get install python python-pexpect python-paramiko

    I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs, and perform much deeper backup abilities for ASAs.

    I have not tested this on Routers and Switches. I can tell you that the production 5520 HA Pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. Theoretically, I would believe that this would work with all 8.4 code and up, including the 9.x versions that are out as of the writing of this blog.

    Here you go! A fully scripted interrogation of a Cisco ASA 5520 that can be set up to run from a CRON job.

    #!/usr/bin/python
    import argparse
    import datetime
    import os
    import pexpect



    ### DEFINE VARIABLES
    # Defaults; every one of them can be overridden on the command line (see the
    # argparse section below), so a cron job does not need the file edited.

    currentdate = datetime.datetime.now().strftime("%m-%d-%Y")
    asahost = "192.168.222.1"
    tacacsuser = 'testuser'
    userpass = 'Password1'
    enpass = 'Password2'
    currenthostname = "TESTASA"

    parser = argparse.ArgumentParser(description='Capture "show" output from a Cisco ASA into dated files.')
    parser.add_argument('-u', '--user',     default=tacacsuser,      help='user name to login with (default=%(default)s)')
    parser.add_argument('-p', '--password', default=userpass,        help='password to login with')
    parser.add_argument('-e', '--enable',   default=enpass,          help='password for enable')
    parser.add_argument('-d', '--device',   default=asahost,         help='device to login to (default=%(default)s)')
    parser.add_argument('-n', '--hostname', default=currenthostname, help='name used for the output directory (default=%(default)s)')
    args = parser.parse_args()

    tacacsuser = args.user
    userpass = args.password
    enpass = args.enable
    asahost = args.device
    currenthostname = args.hostname

    #python vpnbackup.py -u $tacacsuser -p $userpass -e $enpass -d $currentipaddress -n $currenthostname


    # One entry per command: what is sent to the ASA, the suffix of the file its
    # output is saved to, and how long to wait for the prompt to come back.
    # The running-config and the AnyConnect session list can be large, hence
    # the long timeouts.
    commands = [
        ('show version',                  'sh-ver.txt',         50),
        ('more system:running-config',    'sh-run.txt',         999),
        ('show crypto isakmp sa',         'cryptoisakmp.txt',   50),
        ('dir disk0:',                    'dirdisk0.txt',       75),
        ('show interface',                'interfaces.txt',     100),
        ('show route',                    'show-route.txt',     300),
        ('show vpn-sessiondb detail',     'vpnsession.txt',     50),
        ('show vpn-sessiondb webvpn',     'webvpns.txt',        200),
        ('show vpn-sessiondb anyconnect', 'anyconnectvpns.txt', 999),
    ]


    def createDir():
        # one directory per day, one sub-directory per device: ./<date>/<hostname>/
        outdir = os.path.join(currentdate, currenthostname)
        if not os.path.exists(outdir):
            os.makedirs(outdir)
        return outdir


    def captureCommand(child, outdir, command, suffix, timeout):
        # everything the ASA sends back while this command runs is written to
        # ./<date>/<hostname>/<hostname><date><suffix>
        filename = currenthostname + datetime.datetime.now().strftime("%m-%d-%Y") + suffix
        fout = open(os.path.join(outdir, filename), 'wb')
        child.logfile_read = fout
        child.sendline(command)
        # wait for the enable-mode prompt; 'terminal pager 0' was set at login,
        # so the whole output arrives without --More-- prompts
        child.expect(".*# ", timeout=timeout)
        child.logfile_read = None
        fout.close()


    def asaLogin():
        #start ssh
        child = pexpect.spawn('ssh ' + tacacsuser + '@' + asahost)
        #testing to see if I can increase the buffer
        child.maxread = 9999999

        #expect password prompt, send password, expect user mode prompt
        child.expect('.*assword:.*')
        child.sendline(userpass)
        child.expect('.*>.*')
        #send enable command and enable password, expect enable mode prompt
        child.sendline('enable')
        child.expect('.*assword:.*')
        child.sendline(enpass)
        child.expect('#.*', timeout=10)
        #set term pager to 0 so the output is not paged
        child.sendline('terminal pager 0')
        child.expect('#.*', timeout=10)

        #create the output directory, then capture each command in turn
        outdir = createDir()
        for command, suffix, timeout in commands:
            captureCommand(child, outdir, command, suffix, timeout)

        #send exit and close the ssh session
        child.sendline('exit')
        child.close()


    def main():
        asaLogin()


    if __name__ == '__main__':
        main()
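    Once the script above is producing a sh-run.txt file per day, the next thing a practitioner wants is to know when the configuration changed. The following is an added example, not part of the original post or its script: it compares two running-config captures, ignores the lines the ASA rewrites on every save, masks password tokens so the report can be mailed from cron, and lists what was added or removed. The two sample configs are constructed for the demonstration; the diff_files helper and the name TESTASA are assumptions for illustration.

```python
#!/usr/bin/env python
# Added example, not part of the original post or of the capture script above:
# compare two days' running-config captures (the *sh-run.txt files the script
# writes) and report the configuration lines that were added or removed, so a
# nightly cron job can flag unexpected changes. The sample configs below are
# constructed for the demonstration.
import re

# ASA comment/metadata lines (': Saved', ': Written by ... at <time>', ': end')
# and the saved-config checksum change on every write without any real
# configuration change, so they are ignored.
VOLATILE = re.compile(r'^(:|Cryptochecksum:)')

# Secrets should not end up in a diff report that cron mails around: keep the
# line (so the change itself stays visible) but replace the secret token.
SECRET = re.compile(r'^(.*\b(?:password|pre-shared-key)\s+)(\S+)(.*)$')


def mask_secret(line):
    m = SECRET.match(line)
    return m.group(1) + '<redacted>' + m.group(3) if m else line


def config_lines(text):
    """The comparable lines of a running-config: trailing whitespace
    removed, blank lines, '!' separators and volatile lines dropped."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!') or VOLATILE.match(line):
            continue
        lines.append(line)
    return lines


def config_diff(old_text, new_text):
    """Return (added, removed): lines present only in the new or only in the
    old capture, in file order, with secrets masked. A set comparison is
    enough here: the question is 'what changed', not 'where did it move'."""
    old, new = config_lines(old_text), config_lines(new_text)
    old_set, new_set = set(old), set(new)
    added = [mask_secret(l) for l in new if l not in old_set]
    removed = [mask_secret(l) for l in old if l not in new_set]
    return added, removed


def format_report(hostname, added, removed):
    if not added and not removed:
        return '%s: no configuration changes' % hostname
    out = ['%s: %d line(s) added, %d removed' % (hostname, len(added), len(removed))]
    out += ['+ ' + l for l in added]
    out += ['- ' + l for l in removed]
    return '\n'.join(out)


def diff_files(hostname, old_path, new_path):
    """Hypothetical convenience wrapper for two capture files on disk."""
    with open(old_path) as f_old, open(new_path) as f_new:
        return format_report(hostname, *config_diff(f_old.read(), f_new.read()))


# Constructed sample: yesterday's and today's capture of the same test ASA.
# Today someone widened the SSH source to any address (the line the SCP post
# above warns about) and added a new privileged local user.
YESTERDAY = """\
: Saved
: Written by admin at 02:59:01.123 UTC Wed Oct 15 2014
!
ASA Version 8.4(2)160
!
hostname TESTASA
enable password EXAMPLEHASH encrypted
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
!
ssh 10.1.1.0 255.255.255.0 Inside
ssh timeout 5
: end
"""

TODAY = """\
: Saved
: Written by admin at 14:22:08.456 UTC Thu Oct 16 2014
!
ASA Version 8.4(2)160
!
hostname TESTASA
enable password EXAMPLEHASH encrypted
username backup password S3cr3tH4sh encrypted privilege 15
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
!
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
: end
"""

if __name__ == '__main__':
    added, removed = config_diff(YESTERDAY, TODAY)
    print(format_report('TESTASA', added, removed))
```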

    Here are all the websites that have provided help to me writing these scripts:
    http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
    http://yourlinuxguy.com/?p=300
    http://content.hccfl.edu/pollock/Unix/FindCmd.htm
    http://paulgporter.net/2012/12/08/30/
    http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
    http://ubuntuforums.org/archive/index.php/t-106287.html
    http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
    http://stackoverflow.com/questions/9806944/grep-only-text-files
    http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
    http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
    http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
    http://pastebin.com/qGRdQwpa
    http://blog.pythonicneteng.com/2012/11/pexpect-module.html
    https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
    http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
    http://www.lag.net/paramiko/
    http://www.lag.net/paramiko/docs/
    http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
    http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
    http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
    http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
    http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
    http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
    http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
    https://github.com/npug/asa-capture/blob/master/asa-capture.py
    http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen


    Creating a basic monitoring server for network devices

    I’ve recently been working more and more with network device management. So, to help with up-time monitoring, interface statistics, bandwidth utilization, and alerting, I’ve been building up a server with some great Open Source tools. My clients love it because it costs virtually nothing to run these machines, and it helps keep the network running smoothly when we know what is going on within the network.

    One thing I haven’t been able to do yet is SYSLOG monitoring with the ability to generate email alerts off of specific SYSLOG messages. That’s in the works, and I’ll be adding that information to this blog as soon as I get it up and running properly.

    I am using Debian 7.6 for this Operating System. Mainly because it’s very stable, very small, and doesn’t update as frequently (making it easier to manage). You can follow a basic install of this OS from here: Debian Minimal Install. That will get you up and running and we’ll take it from there.

    Okay, now that you have an OS running, go ahead and open up a command prompt and log in as your user account or “root”. Then run “sudo su”.

    Now we will update apt:

    apt-get update

    From here, let’s get LAMP installed and running so our web services will run properly.

    apt-get install apache2
    apt-get install mysql-server
    apt-get install php5 php-pear php5-mysql

    Now that we have that all set up, let’s secure MySQL a bit:

    mysql_secure_installation

    When you run through this, make sure to answer these questions:

    root@testmonitor:/root# mysql_secure_installation




    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


    In order to log into MySQL to secure it, we'll need the current
    password for the root user.  If you've just installed MySQL, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MySQL
    root user without the proper authorisation.

    You already have a root password set, so you can safely answer 'n'.

    Change the root password? [Y/n] n
     ... skipping.

    By default, a MySQL installation has an anonymous user, allowing anyone
    to log into MySQL without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] y
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] y
     ... Success!

    By default, MySQL comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] y
     - Dropping test database...
    ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
     ... Failed!  Not critical, keep moving...
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] y
     ... Success!

    Cleaning up...



    All done!  If you've completed all of the above steps, your MySQL
    installation should now be secure.

    Thanks for using MySQL!

    Let’s test the server and make sure it’s working properly. Using nano, edit the file “info.php” in the “www” directory:

    nano /var/www/info.php

    Add in the following lines:

    <?php
    phpinfo();
    ?>

    Now, open a web browser and type in the server’s IP address and the info page:

    http://192.168.0.101/info.php

    Now let’s get Cacti installed.

    apt-get install cacti cacti-spine

    Make sure to let the installer know that you’re using Apache2 as your HTTP server.

    Also, you’ll need to let the installer “Configure database for cacti with dbconfig-common”. Say yes!

    After apt is done installing your software, you’ll have to finish the install from a web browser.

    http://192.168.0.101/cacti/install/

    After answering a couple of very easy questions, you’ll be finished and presented with a login screen.

    The default credentials for cacti are “admin:admin”

    From there you can log in and start populating your server with all the devices that you want to monitor. It’s that easy.

    Now, let’s get Nagios installed. Again, it’s really easy. I just install everything nagios (don’t forget the asterisk after nagios):

    apt-get install nagios*

    This is what it will look like:

    root@debiantest:/root# apt-get install nagios*
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    Note, selecting 'nagios-nrpe-plugin' for regex 'nagios*'
    Note, selecting 'nagios-nrpe-doc' for regex 'nagios*'
    Note, selecting 'nagios-plugins-basic' for regex 'nagios*'
    Note, selecting 'check-mk-config-nagios3' for regex 'nagios*'
    Note, selecting 'nagios2' for regex 'nagios*'
    Note, selecting 'nagios3' for regex 'nagios*'
    Note, selecting 'nagios-snmp-plugins' for regex 'nagios*'
    Note, selecting 'uwsgi-plugin-nagios' for regex 'nagios*'
    Note, selecting 'ndoutils-nagios3-mysql' for regex 'nagios*'
    Note, selecting 'nagios-plugins' for regex 'nagios*'
    Note, selecting 'gosa-plugin-nagios-schema' for regex 'nagios*'
    Note, selecting 'nagios-nrpe-server' for regex 'nagios*'
    Note, selecting 'nagios-plugin-check-multi' for regex 'nagios*'
    Note, selecting 'nagios-plugins-openstack' for regex 'nagios*'
    Note, selecting 'libnagios-plugin-perl' for regex 'nagios*'
    Note, selecting 'nagios-images' for regex 'nagios*'
    Note, selecting 'pnp4nagios-bin' for regex 'nagios*'
    Note, selecting 'nagios3-core' for regex 'nagios*'
    Note, selecting 'libnagios-object-perl' for regex 'nagios*'
    Note, selecting 'nagios-plugins-common' for regex 'nagios*'
    Note, selecting 'nagiosgrapher' for regex 'nagios*'
    Note, selecting 'nagios' for regex 'nagios*'
    Note, selecting 'nagios3-dbg' for regex 'nagios*'
    Note, selecting 'nagios3-cgi' for regex 'nagios*'
    Note, selecting 'nagios3-common' for regex 'nagios*'
    Note, selecting 'nagios3-doc' for regex 'nagios*'
    Note, selecting 'pnp4nagios' for regex 'nagios*'
    Note, selecting 'pnp4nagios-web' for regex 'nagios*'
    Note, selecting 'ndoutils-nagios2-mysql' for regex 'nagios*'
    Note, selecting 'nagios-plugins-contrib' for regex 'nagios*'
    Note, selecting 'ndoutils-nagios3' for regex 'nagios*'
    Note, selecting 'nagios-plugins-standard' for regex 'nagios*'
    Note, selecting 'gosa-plugin-nagios' for regex 'nagios*'
    The following extra packages will be installed:
      autopoint dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gsfonts imagemagick-common libavahi-client3 libavahi-common-data libavahi-common3 libc-client2007e
      libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3 libcurl3-gnutls libdata-optlist-perl libdate-manip-perl
      libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libfpdf-tpl-php libfpdi-php
      libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
      libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0 libjansson4 libjasper1 libjbig0 libjbig2dec0
      libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl libmagickcore5 libmagickwand5 libmail-imapclient-perl
      libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl
      libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl
      libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0 librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl
      libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0 libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock ndoutils-common
      perlmagick php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby ruby1.9.1 samba-common
      samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core x11-common
    Suggested packages:
      dbus-x11 freeipmi-ipmidetect freeipmi-bmc-watchdog gettext-doc ghostscript-cups ghostscript-x hpijs git-daemon-run git-daemon-sysvinit git-doc git-el git-arch git-cvs git-svn git-email git-gui gitk gitweb gosa-si-server
      cyrus21-imapd postfix-ldap gosa-schema php5-suhosin php-apc uw-mailutils cups-common libgd-tools libdata-dump-perl libjasper-runtime libjs-jquery-ui-docs libkohana2-modules-php liblcms2-utils libcrypt-ssleay-perl
      libmagickcore5-extra libauthen-sasl-perl libmcrypt-dev mcrypt libio-socket-inet6-perl libcrypt-des-perl libmyodbc odbc-postgresql tdsodbc unixodbc-bin libscalar-number-perl slpd openslp-doc libauthen-ntlm-perl backuppc perl-doc
      cciss-vol-status expect ndoutils-doc imagemagick-doc ttf2pt1 rrdcached libgearman-client-perl libcrypt-rijndael-perl poppler-utils fonts-japanese-mincho fonts-ipafont-mincho fonts-japanese-gothic fonts-ipafont-gothic
      fonts-arphic-ukai fonts-arphic-uming fonts-unfonts-core python-distribute python-distribute-doc ri ruby-dev ruby1.9.1-examples ri1.9.1 graphviz ruby1.9.1-dev ruby-switch ldap-utils cifs-utils nginx-full cherokee libapache2-mod-uwsgi
      libapache2-mod-ruwsgi uwsgi-plugins-all uwsgi-extra
    The following NEW packages will be installed:
      autopoint check-mk-config-nagios3 dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gosa-plugin-nagios gosa-plugin-nagios-schema gsfonts imagemagick-common libavahi-client3
      libavahi-common-data libavahi-common3 libc-client2007e libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3
      libcurl3-gnutls libdata-optlist-perl libdate-manip-perl libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl
      libfont-afm-perl libfpdf-tpl-php libfpdi-php libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
      libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0
      libjansson4 libjasper1 libjbig0 libjbig2dec0 libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl
      libmagickcore5 libmagickwand5 libmail-imapclient-perl libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnagios-object-perl
      libnagios-plugin-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl
      libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0
      librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0
      libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock nagios-images nagios-nrpe-plugin nagios-nrpe-server nagios-plugin-check-multi nagios-plugins nagios-plugins-basic nagios-plugins-common
      nagios-plugins-contrib nagios-plugins-openstack nagios-plugins-standard nagios-snmp-plugins nagios3 nagios3-cgi nagios3-common nagios3-core nagios3-dbg nagios3-doc nagiosgrapher ndoutils-common ndoutils-nagios3-mysql perlmagick
      php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode pnp4nagios pnp4nagios-bin pnp4nagios-web poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby
      ruby1.9.1 samba-common samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core uwsgi-plugin-nagios x11-common
    0 upgraded, 196 newly installed, 0 to remove and 0 not upgraded.
    Need to get 81.9 MB of archives.
    After this operation, 272 MB of additional disk space will be used.
    Do you want to continue [Y/n]?

    Now to test, just log in at http://your-server-ip/nagios3/

    You’ll have to look up tutorials on configuring Nagios and Cacti. Of the two, Cacti is much easier because it’s all web based. But Nagios isn’t too difficult once you get used to playing around with config files.

    One last thing I did was set up a landing page that points at the services. To do that, just edit the index.html file in your www folder like this:

    root@testdebian:/etc/nagios3/conf.d/hosts# cat /var/www/index.html
    <html><body><h1>TEST Monitoring Server</h1>
    <p>This is the landing page for the TEST Monitoring server.</p>
    <p>&nbsp;</p>
    <p>Please use the following links to access services:</p>
    <p><a href="/nagios3"> 1. Nagios</a></p>
    <p><a href="/cacti"> 2. Cacti</a></p>
    </body></html>
    root@testdebian:/etc/nagios3/conf.d/hosts#

    Now you can browse to the IP address and get an easy-to-use page that links to whichever service you want!

    Let me know if you have any questions!


    Mounting Windows Partitions in FreeNAS 9.x

    Recently I built a FreeNAS box so I could back up my computers to it. I figured that the redundancy of the disks, and the ability to have 2 hot spares in a RAIDZ2 ZFS volume, would make it more stable than having terabytes of data just sitting on a disk in my computer.

    Long story short, I needed to move about 4 terabytes of data off my local workstation onto the FreeNAS box. I didn’t want to transfer it over the LAN, just due to speed, so I hooked the drive up to the FreeNAS box with an external drive enclosure that had an eSATA port on it.

    After some quick research, I found that you need to load a module for FreeNAS to understand NTFS partitions. Here’s what I did:

    mkdir /mnt/usb
    kldload fuse
    ntfs-3g /dev/da1s1 /mnt/usb

    If that doesn’t work, you may need to load the fuse module by its full path, like this:

    mkdir /mnt/usb
    kldload /usr/local/modules/fuse.ko
    ntfs-3g /dev/da1s1 /mnt/usb

    Those three commands were all it took and the drive was connected. From there, some “cp” and “mv” commands were all it took to back up my data from these drives.

    Hope this helps anyone having the same issues.


    Creating a Reverse Proxy with Apache2

    Sometimes there is a need for hosting multiple websites from one server, or from one external IP address. Whatever your reason or need is, in this tutorial I’ll just go through what I did to set up an Apache server to forward requests.

    In my setup here, I have a Debian Wheezy server in my DMZ, and in my tier 2 DMZ I have 5 web servers. My objective is to host all these servers from 1 IP address, and introduce some security.

    I found a ton of info out there on setting up Apache as a reverse proxy, but none of them really spelled out exactly what to do, and what the results would be. Some of them did, but it wasn’t what I was looking for. So I took a bunch of stuff I saw others doing, modified it to fit my needs, and am reporting back to you. I hope this helps.

    Let’s get started.

    You’ll want a base install of Debian Wheezy which you can find at www.debian.org. After you download that, just follow my guide for install if you need: Debian Minimal Install: The base for all operations

    As I stated before, I have a bunch of web servers in my tier 2 DMZ, and a Debian box in my Internet facing DMZ. It is my intention that the web servers never actually communicate with the end users. I want my end users to talk to my Debian box, the Debian box to sanitize and optimize the web request, and then forward that request on to the web server. The web server will receive the request from the Debian box, process it, and send back all the necessary data to the Debian server, which will in turn reply to the end user who originally made the request.

    It sounds complicated to some people, but in reality it’s pretty simple, and the reverse proxy is transparent to the end user. Most people out there don’t even realize that many sites out there utilize this type of technology.

    My Debian server needs some software, so I installed these packages:

    sudo apt-get install apache2 libapache2-mod-evasive libapache2-mod-auth-openid libapache2-mod-geoip \
        libapache2-mod-proxy-html libapache2-mod-spamhaus libapache2-mod-vhost-hash-alias libapache2-modsecurity

    From here you’ll want to get into the Apache directory.

    cd /etc/apache2

    Let’s get going with editing the main Apache config file. These are just recommendations, so you’ll want to tweak these for whatever is best for your environment.

    sudo vim apache2.conf

    I raised the number of requests allowed per persistent connection for performance reasons. The default is 100.

    # MaxKeepAliveRequests: The maximum number of requests to allow
    # during a persistent connection. Set to 0 to allow an unlimited amount.
    # We recommend you leave this number high, for maximum performance.
    #
    MaxKeepAliveRequests 500

    Also, what security engineer out there doesn’t know that without logs you have no proof that anything is happening? We’ll cover log rotation and retention in another blog, but for now, I set my logging to “notice”. The default was “warn”.

    # LogLevel: Control the number of messages logged to the error_log.
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    #
    LogLevel notice

    Perfect. Now, you may want to tweak your server a little differently, but for now this is all we need for here.

    Now let’s get into some security hardening of the server.

    sudo vim /etc/apache2/conf.d/security

    We do have security in mind, so let’s not divulge any information that we don’t need to. Set “ServerTokens Prod”:

    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    #
    #ServerTokens Minimal
    #ServerTokens OS
    #ServerTokens Full
    ServerTokens Prod

    Now let’s set “ServerSignature Off”, which keeps the server version and virtual host name out of server-generated error pages:

    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of:  On | Off | EMail
    #
    #ServerSignature On
    ServerSignature Off

    And lastly, go ahead and uncomment these three lines in your config. We’ll configure “mod_headers” later.

    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection: "1; mode=block"
    Header set X-Frame-Options: "sameorigin"

    Sweet, looking good. Go ahead and save that, and we can get “mod_headers” activated. First, I’d like to point out that you can view what modules you have enabled by using the “a2dismod” program. Simply enter the command, and it will ask you what modules you’d like to disable. Obviously, if you see it in the list, it’s already enabled. Just hit “Ctrl+C” to stop the program.

    To enable a module in Apache, you first need to make sure it’s installed; then you can just use the program “a2enmod”, like this:

    sudo a2enmod headers

    Now that we’ve enabled “mod_headers”, let’s verify we have the other necessary modules enabled as well.

    steve @ reverseproxy ~ :) ᛤ>   a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    cache
    Enabling module cache.
    Could not create /etc/apache2/mods-enabled/cache.load: Permission denied
    steve @ reverseproxy ~ :( ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    cache
    Enabling module cache.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_ajp
    Considering dependency proxy for proxy_ajp:
    Module proxy already enabled
    Enabling module proxy_ajp.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_balancer
    Considering dependency proxy for proxy_balancer:
    Module proxy already enabled
    Enabling module proxy_balancer.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_connect
    Considering dependency proxy for proxy_connect:
    Module proxy already enabled
    Enabling module proxy_connect.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_ftp
    Considering dependency proxy for proxy_ftp:
    Module proxy already enabled
    Enabling module proxy_ftp.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_http
    Considering dependency proxy for proxy_http:
    Module proxy already enabled
    Enabling module proxy_http.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    rewrite
    Enabling module rewrite.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    vhost_alias
    Enabling module vhost_alias.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    vhost_hash_alias
    Enabling module vhost_hash_alias.
    To activate the new configuration, you need to run:
      service apache2 restart

    Here is a list of the Modules I just enabled:
    cache proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite vhost_alias vhost_hash_alias

    Now let’s just restart Apache, and keep going.

    steve @ reverseproxy ~ :) ᛤ>   sudo service apache2 restart
    [ ok ] Restarting web server: apache2 ... waiting .
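After the restart, the hardening settings above can be verified from a client. The following script is an added example (not from the original post and not part of Apache): it requests a page that should not exist through the proxy and checks the reply for a version-free Server header (ServerTokens Prod), the three mod_headers lines, and the absence of a ServerSignature footer. The target URL and the probe path are assumptions.

```python
"""Check the response headers a hardened Apache reverse proxy sends back.

Verifies, from the client side, the settings configured above:
ServerTokens Prod (Server header without version or OS), ServerSignature Off
(no version footer on error pages) and the three mod_headers lines.
"""
import http.client
import re
import sys
from urllib.parse import urlsplit

# Header name -> accepted values (compared case-insensitively).
# The values are the ones the security config above sets.
EXPECTED_HEADERS = {
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block"},
    "x-frame-options": {"sameorigin", "deny"},
}
# A version token such as "2.2.22" or an OS in parentheses, e.g. "(Debian)".
LEAK_RE = re.compile(r"\d+\.\d+|\(")
# Footer that ServerSignature On appends to server-generated error pages.
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*?</address>", re.I | re.S)


def audit_headers(headers, body=""):
    """Return a list of findings; an empty list means every check passed.

    `headers` is an iterable of (name, value) pairs, e.g. the result of
    HTTPResponse.getheaders(); `body` is the decoded response body and is
    only inspected for a ServerSignature footer.
    """
    findings = []
    seen = {name.lower(): value.strip() for name, value in headers}

    server = seen.get("server", "")
    if LEAK_RE.search(server):
        findings.append("Server header leaks version or OS: %r (use ServerTokens Prod)" % server)

    for name, accepted in EXPECTED_HEADERS.items():
        value = seen.get(name)
        if value is None:
            findings.append("missing header %s" % name)
        elif value.lower() not in accepted:
            findings.append("unexpected value for %s: %r" % (name, value))

    if SIGNATURE_RE.search(body):
        findings.append("error page carries a server signature (use ServerSignature Off)")
    return findings


def audit_url(url, path="/probe-this-path-does-not-exist"):
    """Request a page that should 404 through the proxy and audit the answer.

    An error page is requested on purpose: ServerSignature only shows up on
    server-generated error documents, so a 200 would not exercise that check.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": parts.hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, audit_headers(resp.getheaders(), body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target; pass the proxy URL as the first argument instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.yoursite.info"
    status, problems = audit_url(target)
    print("HTTP %d from %s" % (status, target))
    for problem in problems or ["all checks passed"]:
        print(" -", problem)
```

Response headers from the backend are passed through by mod_proxy, so a finding may come from a backend web server rather than from the proxy itself.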

    Perfect, moving right along… Now what we need to do is set up a new file in the “/etc/apache2/sites-available” directory. I named mine “reverseproxy”, as it’s easy to figure out what it is.

    Now, to correctly setup your reverse proxy, this server should not be hosting ANY websites. This is a proxy server, not a web host. So go ahead and delete the config sym link for the default website. We don’t want to host that.

    sudo rm /etc/apache2/sites-enabled/000-default

    Now we can edit our “reverseproxy” file.

    sudo vim /etc/apache2/sites-available/reverseproxy

    #enter this code into your file

    <VirtualHost *:80>
      ServerName yoursite.info
      ServerAlias www.yoursite.info yoursite.info
      ServerAdmin info@yoursite.info
      ProxyPreserveHost On
      ProxyPass / http://www.yoursite.info/
      ProxyPassReverse / http://www.yoursite.info/
      <Proxy *>
            Order allow,deny
            Allow from all
      </Proxy>
      ErrorLog /var/log/apache2/yoursite.info.log
      CustomLog /var/log/apache2/yoursite.info.log combined
    </VirtualHost>

    <VirtualHost *:80>
      ServerName anothersite.com
      ServerAlias anothersite.com www.anothersite.com
      ServerAdmin info@anothersite.com
      ProxyPreserveHost On
      ProxyPass / http://www.anothersite.com/
      ProxyPassReverse / http://www.anothersite.com/
      <Proxy *>
            Order allow,deny
            Allow from all
      </Proxy>
      ErrorLog /var/log/apache2/anothersite.com.log
      CustomLog /var/log/apache2/anothersite.com.log combined
    </VirtualHost>

    <VirtualHost *:80>
      ServerName thirdsite.cc
      ServerAlias thirdsite.cc www.thirdsite.cc
      ServerAdmin info@thirdsite.cc
      ProxyPreserveHost On
      ProxyPass / http://www.thirdsite.cc/
      ProxyPassReverse / http://www.thirdsite.cc/
      <Proxy *>
            Order allow,deny
            Allow from all
      </Proxy>
      ErrorLog /var/log/apache2/thirdsite.cc.log
      CustomLog /var/log/apache2/thirdsite.cc.log combined
    </VirtualHost>

    Awesome, now save that file and we can get it enabled. Just like setting up new modules, we’re going to sym-link our new file to the “sites-enabled” folder.

    sudo ln -s /etc/apache2/sites-available/reverseproxy /etc/apache2/sites-enabled

    Now we can just reload the Apache server (no restart required) so that it picks up the new settings.

    sudo service apache2 reload

    Now we need to edit the /etc/hosts file so that our reverse proxy server knows where to push site traffic to on our DMZ. So let’s do that:

    127.0.0.1       localhost
    127.0.1.1       reverseproxy.internal.dmz  reverseproxy
    192.168.0.26   www.thirdsite.cc
    192.168.0.26   thirdsite.cc
    192.168.0.26   www.anothersite.com
    192.168.0.26   anothersite.com
    192.168.0.65   www.yoursite.info
    192.168.0.65   yoursite.info

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    Sweet, all done!
    Now you can test from a computer that all your sites are working. They *should* be! 🙂

    I’ll work on a blog eventually to show how to enable mod_security with this setup so that we can sanitize user interaction with our site. Our visitors are probably good people, but attackers and skiddies are always out there trying to damage stuff.

    Thanks for reading!!



    Open Source: Managing Debian and Ubuntu Linux with Active Directory


    I talked about this in my last blog post: We had a need for authentication on our Linux/Unix systems to be done by Active Directory. So my co-worker and I set off on a mission to fulfill this request. We’d tried some software that wasn’t free, heard about some other software that wasn’t free, and then it struck us: “Why pay?”

    All the work had previously been done for us in the Open Source community… why not leverage them directly? So this is my homage to the Open Source community. I’m going to try to give back by writing this blog about my trials and tribulations in setting up this functionality. I’ll forewarn you, this blog entry is very long and gets into a lot of detail, but I assure you, at the end of the day, this works!

    My testbed here is my home network. I’m running a 2008 Server with AD installed. Nothing special, very vanilla, no crazy GPOs to deal with, no delegations to worry about and I’ve secured the environment fairly well (IMHO). There are virtually no extra roles, services or features installed other than a base install of AD Services, but I do have Exchange Server 2010 installed, so the schema has been extended for that. But it shouldn’t affect your environment if you aren’t running Exchange.

    I want to get one last statement in here: I am by no means a Linux or Unix Expert, but I can troubleshoot and read. The way I have this setup here is the way I figured out to do it and the best I can say is that it works, it’s secure, and it doesn’t take long to do. I’ve done a bunch of research and I’m going to attempt to regurgitate that knowledge back into this blog as best I can. If you know how to do something better here, please contact me at my LinkedIn page 🙂 .

    So let’s get down to brass tacks here… I have some Debian based systems (Linux Mint 13, Debian 6 and two Ubuntu 10.04 Servers), a Red Hat server (RHEL 6), an Oracle Enterprise Linux 6 Server, 3 Windows Server 2008 domain controllers, an Exchange 2010 server and some other systems on my home network. I wanted to extend my AD capabilities by getting my Debian based systems to authenticate to my 2008 Domain Controllers (DCs).

    To start, you’ll need to know a couple of pieces of information. You’ll need to know which DC is holding the PDC FSMO role. The easiest way to do that is to log onto a DC, fire up AD Users and Computers, right-click on the domain name and then click on Operations Masters. In the window that appears on your screen, click on the PDC tab and document the FQDN of the server that currently holds that role.

    Operations Master

    After you identify this system, the next best thing to do is create a DNS entry pointing to your PDC Server. This way if you ever need to decommission your current PDC server, you can just change the DNS record and not have to go back to all your Linux systems to update the system they authenticate to.

    From here, everything you’re going to do, aside from creating new AD users and security groups, will be done at the Linux command line. There are a couple of conf files that we need to configure after installing some software on each of the systems. In one of my future blog posts, I’m (hopefully) going to go over using Chef to distribute configuration files <http://wiki.opscode.com/pages/viewpage.action?pageId=7274862>.

    This whole process isn’t all that difficult as long as you have a decent understanding of the services and subsystems that you’re relying on. Here they are:

    • Pluggable Authentication Modules (PAM)
    • Server Message Block (SMB, Samba)
    • WinBIND (part of Samba)
    • Kerberos 5 (By MIT, with Microsoft compatibility hacks)

    So, let’s get some software installed. Below is the EXACT command line that I used on my Ubuntu servers (10.04):

    sudo apt-get install krb5-user libkrb53 krb5-config winbind samba ntp ntpdate nss-updatedb libnss-db libpam-ccreds libnss-ldap ldap-utils

    After installing that software, you’ll want to stop all the services while you configure them:

    sudo /etc/init.d/samba stop
    sudo /etc/init.d/winbind stop
    sudo /etc/init.d/ntp stop    # the ntp package's init script is named "ntp" on Ubuntu 10.04; older Debian releases called it ntp-server

    Each server in a Kerberos authentication realm must be assigned a Fully Qualified Domain Name (FQDN) that is both forward- and reverse-resolvable.

    Note: Active Directory depends heavily on DNS, so it is likely that the Active Directory Domain Controller is also running the Microsoft DNS server package. If this is the case, verify that each server has an FQDN assigned to it before performing the tests outlined in this section.

    If the server already has an FQDN assigned to it, test forward and reverse look-up with the following commands:

    nslookup server.example.com
    nslookup 10.1.1.5    # the IP address of the server

    The output of the first command should contain the IP address of the server. The output of the second command should contain the FQDN of the server. If this is not the case, Kerberos authentication will not function properly.

    Next, we’ll be configuring the Kerberos config file, which is located at /etc/krb5.conf. Here’s what mine looks like (make sure to read the comments I put in there):

    [libdefaults]
    # Kerberos is CASE sensitive; the realm must be all UPPERCASE!
    # Keep comments on their own line: krb5.conf only treats a line that starts
    # with '#' as a comment, so text after a value becomes part of that value.
    default_realm = MYDOMAIN.COM
    [logging]
    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5kdc.log
    [realms]
    # MUST BE ALL CAPS ON THIS LINE!
    MYDOMAIN.COM = {
    # You really only need 1 Kerberos domain controller, but in my network
    # there are three, so I listed all of them in here.
    kdc = kerberos.mydomain.com:88
    kdc = kerberos2.mydomain.com:88
    kdc = kerberos3.mydomain.com:88
    # This should be set to the DC that holds the PDC role
    admin_server = kerberos.mydomain.com
    default_domain = mydomain.com
    }

    [login]
    krb4_convert = true
    krb4_get_tickets = false

    #
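    Two things bite people in this file: a default_realm that is not UPPERCASE or has no matching [realms] block, and an inline # note that libkrb5 silently keeps as part of the value. The checker below is an added example, not part of the original post; the sample configs are constructed and the function names are mine.

```python
def parse_krb5_conf(text):
    """Parse krb5.conf the way libkrb5 does: only a line that *starts* with '#'
    or ';' is a comment, and a value runs to end of line, so an inline '#note'
    silently becomes part of the value. Returns (sections, stray_lines)."""
    sections, stray, section, block = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "#" in line:                               # libkrb5 keeps this text
            stray.append(line)
            line = line.split("#", 1)[0].strip()      # parse the intended value
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
        elif line == "}":
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                          # e.g.  MYDOMAIN.COM = {
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)   # kdc may repeat
            else:
                section[key] = value
    return sections, stray

def check_realm_config(text):
    """Report the mistakes that make 'kinit' fail or talk to the wrong KDC."""
    sections, stray = parse_krb5_conf(text)
    problems = ["inline comment becomes part of the value: %r" % l for l in stray]
    realm = sections.get("libdefaults", {}).get("default_realm", "")
    realms = sections.get("realms", {})
    if realm != realm.upper():
        problems.append("default_realm must be UPPERCASE: %r" % realm)
    if realm not in realms:
        problems.append("default_realm %r has no [realms] block (found %s)"
                        % (realm, sorted(realms)))
    for name in realms:
        if name != name.upper():
            problems.append("realm block %r must be UPPERCASE" % name)
    return problems

# Constructed samples: the post's file as first published, and the corrected one.
BROKEN = """[libdefaults]
default_realm = ERDMANOR.COM #Kerberos is CASE sensitive; this must be all UPPERCASE!
[realms]
MYDOMAIN.COM = { # MUST BE ALL CAPS ON THIS LINE!
kdc = kerberos.mydomain.com:88 #You really only need 1 kerberos domain controller
}
"""
FIXED = """[libdefaults]
# Kerberos is CASE sensitive; the realm must be all UPPERCASE
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = kerberos.mydomain.com:88
}
"""
```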

     

    Active Directory, for as long as I can remember, is time sensitive to about +/- 5 minutes. You can adjust that window to anything you want by editing your Domain Policies (Group Policies (GPOs)), but there’s no real need to do that. Anything outside that window of time and your Domain Controllers will deny any Kerberos ticket requests. This is why you need to make sure to set up your NTP daemon to point at your domain controller. I recommend setting it up with a DNS name, but you can get by with an IP address. The reason is that if the PDC ever changes, you don’t need to go back to all your old machines and update conf files. Run this command: “sudo nano /etc/ntp.conf”

    # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

    driftfile /var/lib/ntp/ntp.drift
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

    # Specify one or more NTP servers.

    server kerberos.mydomain.com #insert your PDC here
    server kerberos2.mydomain.com #secondary DC
    server kerberos3.mydomain.com #third DC
    server 1.ubuntu.pool.ntp.org #fall back to Ubuntu's NTP
    server 2.ubuntu.pool.ntp.org #
    server 3.ubuntu.pool.ntp.org #

    #

    So, we’re on our way here. It goes without saying that you’re probably getting a DHCP address from a Domain Controller if you’re already on a Windows network. If you’re setting up a server with a static address, then make sure to set up your DNS nameservers in your /etc/resolv.conf file so that you’re getting DNS from your PDC and any other Domain Controllers which host DNS. I DON’T recommend using your “/etc/hosts” file for this.

    So let’s get to testing! From the command line, issue this command:

    kinit -p username@MYDOMAIN.COM
    #obviously changing to your username and domain name on your network.
    #Notice the UPPERCASE spelling of MYDOMAIN.COM?
    #

    After that command is entered you should be getting prompted for your DOMAIN password. From here just make sure that you’re not getting any errors (which you shouldn’t). If you’re looking to verify that you have a valid ticket, then issue this command:

    klist -e

    Now that we have Kerberos and NTP working properly, we can move on to the next portion of authentication: PAM. If you don’t know anything about PAM, then you can safely move on to the configuration portion of this part. But for those of you wanting more of an understanding, here you go. I got this information from http://www.tldp.org/HOWTO/html_single/User-Authentication-HOWTO/, and it’s VERY good info. Also, verify that your “/etc/skel/” directory is set up properly. You can get creative with this and have some pretty neat options rolled out to all your users if you prefer.

    #I took out all the #comments for this blog, but I HIGHLY recommend that you leave them in!

    So here is what my PAM configuration looks like in /etc/pam.d/:

    common-account:
    # /etc/pam.d/common-account - authorization settings common to all services
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 #VERY IMPORTANT!
    account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    account required pam_krb5.so minimum_uid=1000
    #

    common-auth:
    # /etc/pam.d/common-auth - authentication settings common to all services
    # here are the per-package modules (the "Primary" block)
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    auth [success=6 default=ignore] pam_krb5.so minimum_uid=1000
    auth [success=5 default=ignore] pam_unix.so nullok_secure try_first_pass
    auth [success=4 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    auth [success=3 default=ignore] pam_ldap.so use_first_pass
    auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
    auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_ccreds.so minimum_uid=1000 action=store
    auth optional pam_mount.so
    auth optional pam_cap.so
    #

    common-password:
    # /etc/pam.d/common-password - password-related modules common to all services
    password [success=4 default=ignore] pam_krb5.so minimum_uid=1000
    password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    password [success=2 default=ignore] pam_winbind.so use_authtok try_first_pass
    password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
    password requisite pam_deny.so
    password required pam_permit.so
    password optional pam_gnome_keyring.so
    #

    common-session:
    # /etc/pam.d/common-session - session-related modules common to all services
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session optional pam_umask.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session optional pam_krb5.so minimum_uid=1000
    session required pam_unix.so
    session optional pam_winbind.so
    session optional pam_mount.so
    session optional pam_ldap.so
    session optional pam_ck_connector.so nox11
    #

    common-session-noninteractive:
    # /etc/pam.d/common-session-noninteractive - session-related modules
    # common to all non-interactive services
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session optional pam_umask.so
    session optional pam_krb5.so minimum_uid=1000
    session required pam_unix.so
    session optional pam_winbind.so
    session optional pam_mount.so
    session optional pam_ldap.so
    #
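    The [success=N default=ignore] jump counts in these stacks are easy to get wrong when a module is added or removed. Here is an added Python check, not from the post or the Linux-PAM project, that resolves each jump and reports any that does not land on pam_permit.so; COMMON_AUTH is a constructed copy of the common-auth stack above and OFF_BY_ONE a deliberately broken variant of it.

```python
import re

# One PAM line: "<type> [<control ...>]|<keyword> <module> [args]"
_LINE = re.compile(r"^(\w+)\s+(?:\[([^\]]+)\]|(\S+))\s+(\S+)")

def parse_stack(text, pam_type):
    """Return [(control, module)] for one type, the way an @include'd common-*
    file contributes them: comments and lines of other types are dropped."""
    rows = []
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == pam_type:
            rows.append((m.group(2) or m.group(3), m.group(4)))
    return rows

def resolve_jumps(rows):
    """Map index -> module that a 'success=N' jump lands on. N is the number of
    following modules to skip; a jump past the end simply ends the stack."""
    landing = {}
    for i, (control, _) in enumerate(rows):
        m = re.search(r"\bsuccess=(\d+)", control)
        if m:
            target = i + 1 + int(m.group(1))
            landing[i] = rows[target][1] if target < len(rows) else "<end of stack>"
    return landing

def audit_stack(text, pam_type):
    """Debian fences the primary block with pam_deny.so followed by pam_permit.so,
    so every success jump must land on pam_permit.so. Landing on pam_deny.so
    locks out users whose module just succeeded; landing past it skips the
    trailing modules (pam_ccreds store, pam_mount, ...) or ends the stack early."""
    rows = parse_stack(text, pam_type)
    modules = [mod for _, mod in rows]
    fence = modules.index("pam_deny.so") if "pam_deny.so" in modules else -1
    if fence < 0 or modules[fence + 1:fence + 2] != ["pam_permit.so"]:
        return ["stack lacks the pam_deny.so / pam_permit.so fence"]
    return ["%s (line %d) jumps to %s" % (rows[i][1], i, dst)
            for i, dst in resolve_jumps(rows).items() if dst != "pam_permit.so"]

# Constructed copy of the post's common-auth; the comment and the session line
# are kept to show that they are ignored for type 'auth'.
COMMON_AUTH = """# /etc/pam.d/common-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
auth [success=6 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=5 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=4 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_mount.so
"""
# Same stack with an off-by-one jump count on the first line: pam_krb5 success
# now lands on pam_deny.so, so every Kerberos-authenticated login is refused.
OFF_BY_ONE = COMMON_AUTH.replace("success=6", "success=5")
```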

     

    This should be everything you need for PAM to work properly. Now we need to work on Samba. The Samba config is stored at “/etc/samba/smb.conf”. Again, I stripped my Samba config down and made a backup of the original. I don’t want my end users sharing data between themselves; I want them using corporate file shares where I know that the data is backed up. Also, I want them using print servers, not hosting printers from their machines. So this smb.conf is pretty short compared to the original. If you visit the Samba website, you’ll even see that they want people to keep this file short and simple. According to the Samba Team, the longer this file is, the more it impacts the performance of the system. Please heed the warnings in your smb.conf as well as the notes I post below:

    # NOTE: Whenever you modify this file you should run the command
    # "testparm" to check that you have not made any basic syntactic
    # errors.
    #
    #======================= Global Settings =======================

    [global]

    # Keep comments on their own line: smb.conf only treats a line that starts
    # with '#' or ';' as a comment, so text after a value becomes part of the value.
    security = ads
    # Must be UPPER case
    realm = MYDOMAIN.COM
    # PDC that we mentioned earlier
    password server = kerberos.mydomain.com
    # This is the NetBIOS name of your Domain
    workgroup = MYDOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    # Don't forget to update this directory!
    template homedir = /home/MYDOMAIN/%U
    # You can use whatever shell you'd like
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2

    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = yes
    syslog = 4
    panic action = /usr/share/samba/panic-action %d
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    # Extremely important that this is NO.
    domain logons = no
    # Note: this lets any local user publish a guest-readable share; set it to no
    # if users should not be sharing data from their own machines.
    usershare allow guests = yes

    Next we’ll be setting up the “/etc/nsswitch.conf” file. This file does a few things to help communications with your LDAP server (AD in this case) as well as tell your local Linux system where to look for password information.

    When fiddling with /etc/nsswitch.conf, it is best to turn the Name Services Caching Daemon off or you will be confused by cached results. Turn it on afterwards.

    /etc/init.d/nscd stop

    Now edit the nsswitch.conf file:

    # /etc/nsswitch.conf
    passwd: files winbind
    group: files winbind
    shadow: compat
    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis
    #

    And turn your service back on:

    /etc/init.d/nscd start

    Assuming that all goes well and Kerberos, Winbind and Samba are set up properly, you should be able to join your Linux system to the domain. Due to restrictions in the NetBIOS protocol, the hostname must contain no more than 15 characters. If you see a STATUS_BUFFER_OVERFLOW message in the winbind log, odds are the hostname is invalid. Now would also be a good time to clear whatever cache files, if any, Winbind had previously generated. The Winbind cache is located in /var/lib/samba/. Back up this directory to /var/lib/samba.bak/ and delete all the files in the original. Now you can issue this command:

    sudo net ads join -S MYDOMAIN.COM -U {domain-admin-user}

    A couple of things here.
    First, you may need to change MYDOMAIN.COM to KERBEROS.MYDOMAIN.COM. If it doesn’t work the first way, try the next. Second, {domain-admin-user} MUST be a Domain Admin account in Active Directory. Otherwise you’ll fail.

    Now, I’ve gotten mixed results here… My Mint 12 and 13 boxes joined and I actually got a “Domain Joined!” message in the shell.

    My Debian 6 machine threw an error:

    steve @ mintdebianvm ~ :) ᛤ>   sudo net ads join -S ERDMANOR.COM -U administrator
    [sudo] password for steve:
    Enter administrator's password:
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Server not found in Kerberos database

    I haven’t had much time to look into why this is happening, but I can assure you the system joined the domain, the computer account was created in AD and I’m able to SSH to this machine with domain creds… If anyone knows why this is happening, PLEASE contact me! Thanks!

     

    Look up Windows Ports needed for Active Directory. Need Microsoft Link!
    After your join to the domain is successful, you can start up your services:

    sudo /etc/init.d/samba start
    sudo /etc/init.d/winbind start

    From this point, you should be able to test some queries against the domain:

    getent passwd
    getent shadow
    getent group

    At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group. If these commands don’t display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g. These commands query the Winbind service directly, bypassing the name service switch. If wbinfo resolves users and groups but getent does not, go back and make sure you configured /etc/nsswitch.conf properly.

    Now, with EVERYTHING set up properly, you *should* be able to fire up an SSH session to your Linux box and log in with AD credentials. BUT! Your Domain Users are NOT going to be able to “sudo” any commands. For the sake of security, you don’t want ALL your domain users to be able to sudo commands, so what I did is create a domain security group; mine is named “linux-sudo”. Then I added only the users I want to be able to sudo commands to that group. Then I edited my “sudoers” file to include the domain security group “linux-sudo”. So make sure to edit your “/etc/sudoers” file and add this line:

    %linux-sudo     ALL=(ALL:ALL) ALL

    Now, I’m able to log into my Debian, Mint and Ubuntu Linux systems with Domain Credentials! 🙂

    EDIT: If you are looking for information on this entire process for a Red Hat system (RHEL 5 or 6), please refer to this guide:
    http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/9/jcr:frozenNode/rh:resourceFile

    Here are all the sites that I used in the making of this blog:

    http://wiki.samba.org/index.php/Samba_%26_Active_Directory#Setting_up_PAM_Authentication_for_Active_Directory
    https://help.ubuntu.com/community/ADAuthentication
    https://help.ubuntu.com/community/Kerberos
    https://help.ubuntu.com/community/PamCcredsHowto
    https://help.ubuntu.com/community/ActiveDirectoryHowto
    https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
    http://www.tldp.org/HOWTO/html_single/User-Authentication-HOWTO/
    http://www.linuxcertif.com/man/5/libnss-ldap.conf/
    http://debian.securedservers.com/kernel/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
    http://www.tldp.org/HOWTO/SMB-HOWTO.html
    https://wiki.samba.org/index.php/Samba4/Winbind
    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html
    http://www.ccs.neu.edu/home/battista/articles/winbind/index.html
    http://www.samba.org/samba/docs/man/Samba-Guide/simple.html
    http://communities.vmware.com/thread/298545
    http://www.thegeekstuff.com/2010/09/sudo-command-examples/
    http://serverfault.com/questions/444219/troubleshooting-sudoers-via-ldap
    http://www.aeronetworks.ca/howtos/LinuxActiveDirectory.html
    http://users.telenet.be/mydotcom/howto/linuxsbs/samba4.htm
    https://help.ubuntu.com/8.04/serverguide/NTP.html
    https://help.ubuntu.com/community/Samba/Kerberos
