Cisco ASA – routing sample

In this post, I will show you guys how to setup a Cisco ASA firewall serves as a layer 3 packet transfer device. The example will be demonstrate with 192.168.3.10/32 machine accessing to 9.9.9.92/32 via IPerf. There is only simple routing and has no NAT involve.

In this setup, the ASA is acting as the gateway between office network and the internet. The 192.168.3.0/24 is the internal subnet and 10.0.0.20/30 is the internet. There are couple areas we have to handle, and they are routing, and policy. Since ASA is a stateful device, we have to apply policy to allow internal network to access external network, but not vise versa.
Continue reading

Advertisements

Cisco ASA – Checking information

Cisco ASA firewall is a security appliance that can perform packet inspection and with limited routing features. For those who are new to this product, it uses different ways to present its information than Cisco routers. There might have some difficulty at first, but since it is using syntax similar with other Cisco products, such as “show run”, and it is not too hard to pick up this product. I will list out some frequently  used commands for troubleshooting purpose.

  1. show run – this is to show the running configuration the cisco ASA is running with.
  2. show run all – this is to show the configuration users had input and as well the default settings that is being run by the ASA.
  3. show ip – this is similar with the “sho ip int br” from other Cisco products, and it displays the address information being set in the ASA.
  4. show nameif – this is to show the association of the interfaces and the “zone”. This “zone” used for differentiate the purpose of each interface, such as “DMZ”, “inside”, “outside”, and etc…
  5. show xlate – this is to show the NAT information with the translated flow. It shares some information with “show nat” too.
  6. show nat – similar with “show xlate”.
  7. show conn – it can be used to show sessions with.
  8. show version – it shows the information of the ASA, including RAM, CPU, serial number of the device, uptime, and license information.
  9. show crypto ikev1 sa – to check the ikev1 active tunnels info.
  10. show crypto ikev2 sa – to check the ikev2 active tunnels info.
  11. show ipsec sa – it shows the ipsec active tunnels info.
  12. show interface – it shows information for the physical interfaces including the MAC address, BW, duplex, speed, as well as CRC errors.

Commands above are for general use, and can be run under “config mode” without the “do”. I will demonstrate more command within my ASA posts.

Using dynamic DNS at SRX with non DYNDNS service provider

When placing a network equipment without a static IP address, the best way to remote access to the device is by using the dynamic DNS service. Juniper has import this feature into their network security products such as Netscreen ScreenOS and JunOS SRX.

I recently has replaced my SSG with the SRX, and am having trouble updating the DDNS record with the built-in DDNS feature. What happen is SRX only offer 2 options of “dyndns.org or ddo.jp”, any service other than these 2 are out of questions. Since I am using HE.net for DDNS, that does not do my any good.

 

20160521-DDNS-SRX_DDNS_server

So my work around is: to map the dyndns domain name to a HE.net dns server IP address with the following command. The command below is to bind the members.dyndns.org (the dyndns.org DDNS service domain name) to the IP address of 184.105.242.3 (the DDNS service domain name). Continue reading

Turning Raspberry PI into WIFI AP (in bridge mode)

20160514-vSRX_to_PI

Turning raspberry PI into WIFI AP: SSG5 to SRX migration (part 2)

Due to the insecure of internet platform, I have decided to run a security appliance at home to replace my SSG firewall. My newest design is to have SRX as the SSG replacment. Since SRX lacks of the feature of build-in WIFI, I have decided to use RASPBERRY PI as the WIFI AP bridge to cover the wireless access feature. In part 2 of this migration, it mainly focus on turning the RASPBERRY PI as the WIFI AP and bridge it to its ETH0 interface.

The WIFI AP elements:
– Raspberry PI model B
– 0ace:1215 ZyDAS ZD1211B 802.11g

Design for PI:
– Since the ESXi host is using trunk, the PI needs to have its NIC ready to take tagged and untag packets.
– PI turns the WIFI NIC into WIFI access point
– PI needs to bridge the ETH NIC and WIFI NIC to extend the SRX LAN boardcast domain with wireless capability.

Continue reading

Traffic Engineering – MPLS

This time we will handle the basic traffic engineering within a MPLS network. This technique allows network admin to manipulate the traffic and fully utilize the subscribed bandwidth or circuits.

Traffic engineering within a MPLS network can be more accurate and convenience than in a typical TCP/IP network, because TE are happened at the MPLS level only, which would not affect the base of the whole network topology. If manipulate traffic at the IP level, everything running on top of IP level will be affected.

The network topology for this testing is listed below.
20160123-00-topo
Continue reading

Multicast Lab – Part 4 – NV-MVPN on Junos

It sure has been some times since the last multicast post. This time, we will put the lab into a higher level, and will be running the multicast on the MPLS VPN platform. Since this post is focusing on MCast only, the configuration for MPLS network will not be described with my detail. So let s dig in.

20160117-LAB-NGMVPN-topo

Continue reading

Playing with Multicast – Part 2.

The part 1 of multicast was simply doing the streaming within a local area network. This time, I will put my multicast lab to a level higher and put a router between the sender and receiver.

The test bed for this time will involve a simple routings. Please refer to the topology below.

To keep the multicast lab simple, it will be running on Sparse mode and using static RP instead of dynamic.

TOPOLOGY:

Mcast_topo_with_1_router

Components:
1x Ubuntus as sender
1x Windows XP as receiver.
1x Junos router Continue reading