blog coding

my new mobile phone nokia 5228

Posted by: blogcoding on: June 20, 2011

setting up a site-to-site pre-shared-key vpn on cisco pix

Posted by: blogcoding on: June 10, 2011

  • eastern pix configuration

ciscopix(config)# hostname eastern
eastern(config)# domain-name asc.net
eastern(config)# sysopt connection permit-vpn
eastern(config)# interface ethernet 0
eastern(config-if)# no shutdown
eastern(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
eastern(config-if)# ip address 41.201.1.113 255.255.255.0
eastern(config-if)# exit
eastern(config)# interface ethernet 1
eastern(config-if)# no shutdown
eastern(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
eastern(config-if)# ip address 192.168.221.2 255.255.255.0
eastern(config-if)# exit
eastern(config)# route outside 0.0.0.0 0.0.0.0 41.201.1.161
eastern(config)# crypto isakmp enable outside
eastern(config)# crypto isakmp identity address
eastern(config)# crypto isakmp policy 9
eastern(config-isakmp-policy)# authentication pre-share
eastern(config-isakmp-policy)# encryption 3des
eastern(config-isakmp-policy)# group 5
eastern(config-isakmp-policy)# hash md5
eastern(config-isakmp-policy)# lifetime 3600
eastern(config-isakmp-policy)# exit
eastern(config)# tunnel-group 81.196.251.71 type ipsec-l2l
eastern(config)# tunnel-group 81.196.251.71 ipsec-attributes
eastern(config-tunnel-ipsec)# pre-shared-key CiScO
eastern(config-tunnel-ipsec)# exit
eastern(config)# crypto ipsec transform-set transformeast mode transport
eastern(config)# crypto ipsec transform-set transformeast esp-aes-256 esp-sha-hmac
eastern(config)# access-list 90 permit ip 192.168.221.0 255.255.255.0 192.168.113.0 255.255.255.0
eastern(config)# nat (inside) 0 access-list 90
eastern(config)# nat (inside) 1 0.0.0.0 0.0.0.0
eastern(config)# global (outside) 1 interface
eastern(config)# crypto map easternmap 1 match address 90
eastern(config)# crypto map easternmap 1 set transform-set transformeast
eastern(config)# crypto map easternmap 1 set peer 81.196.251.71
eastern(config)# crypto map easternmap interface outside
: Saved
:
PIX Version 8.0(4)
!
hostname eastern
domain-name asc.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 41.201.1.113 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.221.2 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asc.net
access-list 90 extended permit ip 192.168.221.0 255.255.255.0 192.168.113.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 41.201.1.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transformeast esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map easternmap 1 match address 90
crypto map easternmap 1 set peer 81.196.251.71
crypto map easternmap 1 set transform-set transformeast
crypto map easternmap 1 set security-association lifetime seconds 28800
crypto map easternmap 1 set security-association lifetime kilobytes 4608000
crypto map easternmap interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 81.196.251.71 type ipsec-l2l
tunnel-group 81.196.251.71 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:24299216bacf0549953467115abaf6a5
: end
[OK]
  • western pix configuration

: Saved
:
PIX Version 8.0(4)
!
hostname western
domain-name asc.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 81.196.251.71 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.113.2 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asc.net
access-list 90 extended permit ip 192.168.113.0 255.255.255.0 192.168.221.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81.196.251.196 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transformwest esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map westernmap 1 match address 90
crypto map westernmap 1 set peer 41.201.1.113
crypto map westernmap 1 set transform-set transformwest
crypto map westernmap 1 set security-association lifetime seconds 28800
crypto map westernmap 1 set security-association lifetime kilobytes 4608000
crypto map westernmap interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 41.201.1.113 type ipsec-l2l
tunnel-group 41.201.1.113 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:d90e5702d398bc26e519e0554a4f0b17
: end
[OK]
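Both running configs above have to agree with each other in several places before the tunnel forms: each peer address must be the other side's outside address and have an ipsec-l2l tunnel-group (where the pre-shared key lives), the crypto ACLs must be mirror images and be exempted from PAT by nat 0, and the isakmp policy (phase 1) and transform-set (phase 2) must match. The script below is an added example, not part of the post: it parses the tunnel-relevant lines of both configs and reports every mismatch. The eastern excerpt is copied from the show run above; the western one is derived from it by swapping the two roles, which is exactly how the post's western config differs from the eastern one.

```python
import re
# Eastern side, tunnel-relevant lines copied from the show run above.
EASTERN = """\
hostname eastern
interface Ethernet0
 nameif outside
 ip address 41.201.1.113 255.255.255.0
access-list 90 extended permit ip 192.168.221.0 255.255.255.0 192.168.113.0 255.255.255.0
nat (inside) 0 access-list 90
crypto ipsec transform-set transformeast esp-aes-256 esp-sha-hmac
crypto map easternmap 1 match address 90
crypto map easternmap 1 set peer 81.196.251.71
crypto map easternmap 1 set transform-set transformeast
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 81.196.251.71 type ipsec-l2l
"""
# Western side as shown above: the same lines with the two roles swapped.
WESTERN = (EASTERN.replace("eastern", "western").replace("transformeast", "transformwest")
           .replace("41.201.1.113", "@").replace("81.196.251.71", "41.201.1.113").replace("@", "81.196.251.71")
           .replace("192.168.221.0 255.255.255.0 192.168.113.0", "192.168.113.0 255.255.255.0 192.168.221.0"))

def parse_pix(text):
    """Settings a site-to-site tunnel depends on (first crypto map entry, first isakmp policy)."""
    def find(pat):
        m = re.search(pat, text, re.M)
        return m.group(1) if m else None
    acl = find(r"^crypto map \S+ \d+ match address (\S+)")
    ts = find(r"^crypto map \S+ \d+ set transform-set (\S+)")
    p1 = find(r"^crypto isakmp policy \d+\n((?: .+\n)+)") or ""
    return {"host": find(r"^hostname (\S+)"),
            "outside": find(r"^ nameif outside\n(?: .+\n)*? ip address (\S+)"),
            "peer": find(r"^crypto map \S+ \d+ set peer (\S+)"),
            "acl": acl, "nets": find(rf"^access-list {acl} extended permit ip (.+)$"),
            "nat0": find(r"^nat \(inside\) 0 access-list (\S+)"),
            "ts": find(rf"^crypto ipsec transform-set {ts} (.+)$"),
            "phase1": dict(l.split() for l in p1.splitlines() if "lifetime" not in l),
            "l2l": re.findall(r"^tunnel-group (\S+) type ipsec-l2l", text, re.M)}

def check_tunnel(a, b):
    """Every reason the tunnel between a and b would not come up; [] means the ends agree."""
    bad = [f"{x['host']}: {msg}" for x, y in ((a, b), (b, a)) for ok, msg in (
        (x["peer"] == y["outside"], f"set peer {x['peer']} is not {y['host']}'s outside address"),
        (x["peer"] in x["l2l"], f"no ipsec-l2l tunnel-group named {x['peer']} to hold the PSK"),
        (x["nat0"] == x["acl"], f"nat 0 does not exempt crypto ACL {x['acl']} from PAT")) if not ok]
    na, nb = (a["nets"] or "").split(), (b["nets"] or "").split()
    if len(na) != 4 or na != nb[2:] + nb[:2]:
        bad.append("crypto ACLs are not mirror images of each other")
    for what, key in (("phase 1 isakmp policy", "phase1"), ("phase 2 transform-set", "ts")):
        if a[key] != b[key]:
            bad.append(f"{what} mismatch: {a[key]} vs {b[key]}")
    return bad
```

parse_pix works on a complete show run as well as on the excerpts, so the same check can be run against two real PIX configs; the typed-in group 5 shown earlier against the group 2 in the saved config is exactly the kind of phase 1 disagreement it flags.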

using nat and pat on the cisco pix

Posted by: blogcoding on: June 9, 2011

: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
domain-name asc.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.184.10 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 41.201.1.10 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asc.net
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.184.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd lease 36000
!
dhcpd address 192.168.184.200-192.168.184.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:96d78c7b95e2680b4db48e541d843175
: end
[OK]

setting up a dhcp server on cisco pix

Posted by: blogcoding on: June 7, 2011

: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
domain-name asc.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.185.2 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 41.201.1.2 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asc.net
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.185.1
dhcpd lease 28800
dhcpd domain asc.net
!
dhcpd address 192.168.185.200-192.168.185.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:61dc6b717b3202a22f4b017245137493
: end
[OK]

configuring radius authentication for telnet on cisco pix

Posted by: blogcoding on: June 4, 2011

: Saved
: Written by enable_15 at 23:37:50.702 UTC Fri Jun 3 2011
!
PIX Version 8.0(4)
!
hostname pixfirewall
domain-name asc.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.184.2 255.255.255.0
!
interface Ethernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asc.net
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server radiusserver protocol radius
aaa-server radiusserver (inside) host 192.168.184.3
 timeout 20
 key R@D!U5$eRVeR
aaa authentication telnet console radiusserver
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.184.4 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:d31f692d95672effb686e5bb65df3641

configuring local authentication for telnet on cisco pix

Posted by: blogcoding on: May 29, 2011

: Saved
: Written by enable_15 at 17:48:52.638 UTC Mon May 29 2011
!
PIX Version 8.0(4)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd RUAvrpy/IaIOL1dK encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.184.2 255.255.255.0
!
interface Ethernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.184.3 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username telnetuser password 7uDOCmxT/ygehFL3 encrypted
!
!
prompt hostname context
Cryptochecksum:7a8dbf31f4e2532a68875f59cbf9a248
pixfirewall(config)#

managing terminal services sessions remotely

Posted by: blogcoding on: March 11, 2011

My colleagues at work usually forget to log off their RDP sessions when they finish working on the w2k3 servers. That is a problem when the maximum number of simultaneous sessions on the company's servers is 2.

Fortunately Microsoft provides two commands (available on Windows XP, 2000 and 2003 Server), rwinsta (reset windows station) and qwinsta (query windows station), to reset and query a remote session respectively.

  • qwinsta syntax
 Display information about Terminal Sessions.

 QUERY SESSION [sessionname | username | sessionid]

 [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER]

 sessionname         Identifies the session named sessionname.
 username            Identifies the session with user username.
 sessionid           Identifies the session with ID sessionid.
 /SERVER:servername  The server to be queried (default is current).
 /MODE               Display current line settings.
 /FLOW               Display current flow control settings.
 /CONNECT            Display current connect settings.
 /COUNTER            Display current Terminal Services counters information.
  • rwinsta syntax
 Reset the session subsytem hardware and software to known initial values.

 RESET SESSION {sessionname | sessionid} [/SERVER:servername] [/V]

 sessionname         Identifies the session with name sessionname.
 sessionid           Identifies the session with ID sessionid.
 /SERVER:servername  The server containing the session (default is current).
 /V                  Display additional information.
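The following script is an added example, not part of the post: it parses the output of qwinsta /SERVER:servername, picks out the sessions left in the Disc (disconnected) state and builds the matching rwinsta commands. The sample output and the server name w2k3-srv01 are constructed. The column trick matters: a disconnected session no longer shows a SESSIONNAME, only a USERNAME, so it has to be reset by ID, and the boundary between the two columns must be taken from the header rather than guessed from whitespace.

```python
# Added example (not from the post): parse qwinsta output and build the rwinsta commands
# that free disconnected sessions. Sample output and the server name are constructed.
import subprocess

SAMPLE = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>console                                     0  Conn    wdcon
 rdp-tcp                                 65536  Listen  rdpwd
 rdp-tcp#2         jsmith                    2  Active  rdpwd
                   mdupont                   3  Disc
"""

def parse_qwinsta(output):
    """Turn QUERY SESSION output into a list of dicts. SESSIONNAME is blank for a
    disconnected session and USERNAME is blank for the console and the listener, so
    the boundary between the two columns is read from the header, not guessed."""
    lines = output.splitlines()
    user_col = lines[0].index("USERNAME")
    sessions = []
    for line in lines[1:]:
        name = line[:user_col].strip().lstrip(">")  # ">" marks the caller's own session
        rest = line[user_col:].split()
        user = "" if not rest or rest[0].isdigit() else rest.pop(0)
        if len(rest) < 2 or not rest[0].isdigit():
            continue  # not a session row
        sessions.append({"name": name, "user": user, "id": int(rest[0]), "state": rest[1]})
    return sessions

def stale_session_ids(sessions):
    """IDs of disconnected sessions. Resetting one logs that user off and discards any
    unsaved work in it, so active sessions are deliberately left alone."""
    return [s["id"] for s in sessions if s["state"] == "Disc"]

def reset_commands(server, sessions):
    """rwinsta is given the ID because a disconnected session no longer has a name."""
    return [f"rwinsta {sid} /SERVER:{server} /V" for sid in stale_session_ids(sessions)]

def query_server(server):
    """Run qwinsta against a remote server (Windows only; not exercised offline)."""
    out = subprocess.run(["qwinsta", f"/SERVER:{server}"], capture_output=True, text=True, check=True)
    return parse_qwinsta(out.stdout)

if __name__ == "__main__":
    for s in parse_qwinsta(SAMPLE):
        print(s)
    print(reset_commands("w2k3-srv01", parse_qwinsta(SAMPLE)))  # constructed server name
```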

securing php with suhosin

Posted by: blogcoding on: March 9, 2011

  • install suhosin
sudo aptitude install php5 php5-suhosin
  • the configuration of suhosin is done through the /etc/php5/conf.d/suhosin.ini file.

load balancing on debian lenny: Active Backup bonding

Posted by: blogcoding on: March 5, 2011

  • install ifenslave-2.6
aptitude install ifenslave-2.6
  • edit /etc/modprobe.d/arch/i386 and add the following lines
alias bond0 bonding
options bond0 mode=1 miimon=100
  • edit /etc/network/interfaces, comment out all lines about eth0 and eth1 and add the following lines
iface bond0 inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1
up /sbin/ifenslave bond0 eth0 eth1
down /sbin/ifenslave -d bond0 eth0 eth1
  • restart the network service
/etc/init.d/networking restart
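Once the network has been restarted, the kernel reports the bond's state in /proc/net/bonding/bond0. The script below is an added example, not from the post: it parses that file and checks it against the settings configured above (mode=1 shows up as "fault-tolerance (active-backup)", miimon=100, slaves eth0 and eth1) and that both slaves still have link. The point of the last check is that an active-backup bond keeps working on one leg, so a dead eth1 costs you the redundancy without anything visibly failing. The sample file content is constructed.

```python
# Added example (not from the post): check /proc/net/bonding/bond0 against the settings above
# (mode=1 reports as "fault-tolerance (active-backup)", miimon=100) and that both slaves have link.

# Constructed sample of /proc/net/bonding/bond0 (not captured from a real host), eth1 down.
SAMPLE_STATUS = """\
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
"""

def parse_bond_status(text):
    """Return (master settings, [one dict per slave]) from a /proc/net/bonding file."""
    master, slaves = {}, []
    current = master
    for line in text.splitlines():
        if line.startswith("Slave Interface:"):
            current = {}                  # every following key belongs to this slave
            slaves.append(current)
        if ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value.strip()
    return master, slaves

def check_bond(text, mode="fault-tolerance (active-backup)", miimon="100", slaves=("eth0", "eth1")):
    """List deviations from the expected bond set-up; an empty list means healthy."""
    master, seen = parse_bond_status(text)
    problems = []
    if master.get("Bonding Mode") != mode:
        problems.append(f"mode is {master.get('Bonding Mode')!r}, expected {mode!r}")
    if master.get("MII Polling Interval (ms)") != miimon:
        problems.append(f"miimon is {master.get('MII Polling Interval (ms)')}, expected {miimon}")
    names = [s["Slave Interface"] for s in seen]
    if sorted(names) != sorted(slaves):
        problems.append(f"enslaved {names}, expected {sorted(slaves)}")
    for s in seen:
        if s.get("MII Status") != "up":
            problems.append(f"{s['Slave Interface']} link is {s.get('MII Status')} (no failover left)")
    if master.get("Currently Active Slave") not in names:
        problems.append("no active slave: the bond carries no traffic")
    return problems

if __name__ == "__main__":
    with open("/proc/net/bonding/bond0") as f:
        print(check_bond(f.read()) or ["bond0 healthy"])
```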

remove leading and trailing spaces from a field

Posted by: blogcoding on: January 29, 2011

TRIM([{BOTH | LEADING | TRAILING} [remstr] FROM] str), TRIM([remstr FROM] str)
