Thursday, December 20, 2012

F5 load balancer

Useful F5 BIG-IP CLI Commands




bigtop – shows a quick summary of stats for virtual and real servers
b interface – display interface information and stats; shows traffic volumes and any error conditions
b vlan show – display VLAN information and stats
b route – display the routing table
b conn server/client show – display connections to the IP address ‘ip-addr’
b version – display F5 OS, Linux OS, and hardware platform information
b platform – display hardware information including the serial number
b node – display node (server) stats. Entering ‘b node’ alone displays all nodes
b virtual show – display a virtual server (‘b virtual’ alone shows all)
b pool – display pool-name
b load – replaces the running config with the config in the stored config file (bigip.conf). This can be invoked at times to reset the existing config if some odd conditions are occurring. It is disruptive.
b load myconfig.conf – replace the running config with the config in myconfig.conf
b config install – restore a backed-up config. Move the .ucs file (tftpdir/pub) from DMS to the F5 first
b failover show – display the failover status of the device. Useful to understand if failover occurred and when
b config sync show – display config synchronization status. Useful to know if a config sync has occurred.
bigstart list – lists all BIG-IP services
bigstart restart <service> – restarts the specified service (e.g., bigstart restart httpd). This can be useful if there is a specific issue, e.g., if HTTP is the problem then ‘bigstart restart httpd’ restarts just the HTTP service.
bigstart restart – stop and restart ALL F5 functions/processes (does NOT perform a Linux/system reboot)
reboot – reboot the entire BIG-IP system
LTM log files – located in /var/log with a prefix of ‘ltm’. Files are rotated in a ring and overwritten, e.g., ltm.1.gz
GTM log files – located in /var/log with a prefix of ‘gtm’. Files are rotated in a ring and overwritten, e.g., gtm.1.gz




Configuration Files

/config/bigip.conf
main configuration file containing objects for local application traffic such as virtual servers, pools, etc.
/config/bigip.license
system licenses
/config/bigip_base.conf
networking components (bigpipe base load); not synced between HA peers.
/config/bigip_local.conf
stores virtual servers for GTM
/config/bigip_sys.conf
stores the Linux/UNIX configuration objects
/etc/alertd/alert.conf
defines custom SNMP OIDs.

Tuesday, May 15, 2012

Check Point R75 SecurePlatform Part III

We are now at the final part of this installation series. In this tutorial we will be connecting to the SecurePlatform HTTPS web server, downloading the management tools, installing them and connecting to the gateway.
1. Log into your management station or desktop and browse to the management interface of the Check Point firewall. In this tutorial we will browse to https://192.168.10.50. Click Yes to accept the certificate.
2. Log in with your SecurePlatform user credentials. In this case I’ll log in with the account cpadmin.
3. On the left hand side browse to Product Configuration – Download SmartConsole and click Download. Either save it to a location or click Run.
4. Click Run.
5. The installation wizard begins. Click Next.
6. Click Yes to accept the License Agreement.
7. Click Next to accept the default destination folder.
8. I’m going to install all products. Click Next.
9. I’d like to add SmartConsole shortcuts to the desktop, so I’ll select that option and click Finish.
10. Start up the Check Point SmartDashboard program. Enter your username, password and the management IP address of the Check Point gateway.
11. You will be presented with the Fingerprint. Compare it against the fingerprint that sysconfig displayed at the end of Part 2, then click Approve.
12. You have now successfully connected to the firewall and are ready to further configure your firewall rules, NAT, IPS, Application Control, Anti-Spam, etc.

Check Point install R75 SecurePlatform Part 2

We will now continue with Part 2 of the Check Point R75 installation tutorial, where we will configure the rest of the gateway settings and install the Check Point products.
1. We completed Part 1 of the tutorial, have just changed the admin username from admin to cpadmin, and were prompted to run sysconfig for system and product configuration. Type sysconfig and press Enter.
2. The wizard begins. Type n and press Enter to proceed to the next screen.
3. First up we are presented with some network configuration options.
4. Press 1 for Host Name configuration and set a host name for the Check Point gateway. When you are finished type e and press Enter to go back to the previous screen.
5. Press 2 and set a domain name for the Check Point gateway. When you are finished type e and press Enter to go back to the previous screen.
6. Press 3 to set up the DNS server for name resolution. When you are finished type e and press Enter to go back to the previous screen.
7. Press 4 to enter the Network configuration options. Since we have only configured the internal interface with an IP address, we’ll need to configure our external interface. Type 2 and press Enter to configure a connection, select eth0 and configure your external IP address, subnet mask and default gateway. When you are finished type e and press Enter to go back to the previous screen.
8. Pressing 5 and entering the routing configuration menu allows you to either set a new default gateway or show the current default gateway. When you are finished type e and press Enter to go back to the previous screen.
9. Type n and press Enter to proceed to the next screen. In this screen we can set our time zone, date and local time, and display the current time settings. Set this as per your location. When you are finished type n and press Enter to proceed to the next screen.
10. As this is a brand new installation we do not have any configuration files to import, so we can just press n for next.
11. We have finished with the SecurePlatform side and now we can start installing the Check Point products we will be using. It is important to note that you don’t need to install all the products in this step; you can come back at a later stage, type sysconfig and install the software that you wish to use. Press n for next.
12. Press y to accept the License Agreement.
13. Select New Installation and press n for next.
14. In this tutorial we will just be installing Security Gateway, Security Management, SmartEvent and SmartReporter Suite, Management Portal and Mobile Access. Press n for next.
15. As this is the first gateway we will select Primary Security Management. Press n for next.
16. We will just be installing SmartReporter and SmartEvent Server. Press n for next.
17. You are now shown a brief summary of the products you have chosen to install. If you are happy press n for next, otherwise feel free to go back and make changes.
18. The installation begins.
19. Once the installation is finished there are just a few more settings needed before the gateway is ready. If you have licenses, I would wait and use SmartUpdate later on to install them. I will not be adding any licenses now. Press n.
20. Yes, we will want to add an administrator to this Security Management server. Press y.
21. Type the new administrator’s username and password.
22. Yes, we will want to define GUI clients that are allowed to manage this gateway. Press y.
23. I would like to add my internal subnet as a GUI client. I type in 192.168.10.0/255.255.255.0, press Enter, then press Ctrl-D. Lastly confirm this is correct by pressing y.
24. The fingerprint of the Security Management Server is displayed. This can be used to verify that you are connecting to the correct server. You have an option to save this to a file. I won’t be saving this so I’ll type n.
25. The installation is now complete. You must reboot to put the settings into effect. Press Enter.
26. Type reboot and Y to confirm. Once your firewall has booted up, you can continue on to Part 3, which will show you how to install the management tools and connect to the firewall.

Check Point R75 Installation PART1

This 3-part tutorial guide will show you how to install Check Point R75 SecurePlatform. I’m using this image file for the install – Check_Point_R75.Splat.iso – which can be downloaded from the Check Point website and is fully operational for 15 days for you to evaluate. The good thing about Check Point installations is that they are very similar between versions, so you can also follow this guide for earlier versions. Let’s begin!
1. Insert the DVD or boot the ISO image and boot the server. You will be presented with the Check Point SecurePlatform installation.
2. Between the previous step and this step your hardware will have been scanned and found either suitable or unsuitable for Check Point SecurePlatform. You can also add drivers by clicking on Add Driver. Click Ok.
3. Select your keyboard type and click Ok.
4. In this lab I have two network cards connected to my Check Point gateway. eth0 is for outside or untrusted networks and eth1 is for internal or trusted networks. I want to configure the internal network card at this stage. Select your internal network card and click Ok.
5. Enter the IP address and subnet mask. Only enter the default gateway information if you are configuring the external interface; as I’m configuring the internal interface I will leave the Default Gateway blank. Click Ok.
6. I want to turn on the HTTPS secure web server and have it run on port 443. This is the default setting. Click Ok.
7. Your hard drives will now be formatted and the SecurePlatform operating system installed. Click Ok.
8. The install is now complete. As you can see, you can log in to the secure web server by browsing to https://192.168.10.50, which we will use later. Click Ok and the server will be rebooted.
9. When the server has rebooted you are presented with the login prompt at the console. The default username and password are admin and admin. Once you type this in you are prompted to change the password. Enter a new password.
10. You have the option to change the admin username as well. In this tutorial I will be changing it to cpadmin.
11. The username has now been changed and you are prompted to run sysconfig to further configure the gateway and install Check Point products. Please continue on to Part 2 of this installation series.

Clearing hung TCP session on a Cisco router

R1#debug ip tcp trans
TCP special event debugging is on
R1#term mon
R1#
messages
connection queue limit
2) Take a look at: 

R1#sh tcp brief
TCB       Local Address   Foreign Address        (state)
6353F5E8 10.10.3.5.1720   10.11.3.24.12871      SYNRCVD
63555A14 10.10.3.5.1720   10.11.3.23.12814      SYNRCVD
6353AEFC 10.10.3.5.1720   10.11.3.24.12872      SYNRCVD
6350B2DC 10.10.3.5.1720   10.11.3.24.12875      SYNRCVD
63488D44  10.10.3.5.23    10.11.3.23.11265      ESTAB
63571718 10.10.3.5.1720   10.11.3.24.12914      SYNRCVD
 
All of the TCBs associated with TCP port 1720 are hung in the SYNRCVD state.
The TCP Control Block (TCB) identifier in the first column is what you clear.
3) To clear them, clear the associated TCB:
R1#clear tcp tcb 6353F5E8
[confirm]y
[OK]

R1#
R1#clear tcp tcb 63555A14
[confirm]y
[OK]

R1#
R1#clear tcp tcb 6353AEFC
[confirm]y
[OK]

R1#
R1#clear tcp tcb 6350B2DC
[confirm]y
[OK]

R1#
R1#clear tcp tcb 63571718
[confirm]y
[OK]

R1#
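Clearing each TCB by hand works for five entries; for a longer list it is easier to script. This added example (not from the original post) parses the show tcp brief output above, selects every TCB stuck in SYNRCVD on port 1720, emits the matching clear tcp tcb commands, and tallies the half-open connections per foreign address, since a pile-up from a single peer points at that client rather than at the router.

```python
import re
from collections import Counter
from typing import NamedTuple

# Output of "sh tcp brief" copied from the post above; the column spacing is
# irregular, exactly as the router printed it.
SHOW_TCP_BRIEF = """\
TCB       Local Address   Foreign Address        (state)
6353F5E8 10.10.3.5.1720   10.11.3.24.12871      SYNRCVD
63555A14 10.10.3.5.1720   10.11.3.23.12814      SYNRCVD
6353AEFC 10.10.3.5.1720   10.11.3.24.12872      SYNRCVD
6350B2DC 10.10.3.5.1720   10.11.3.24.12875      SYNRCVD
63488D44  10.10.3.5.23    10.11.3.23.11265      ESTAB
63571718 10.10.3.5.1720   10.11.3.24.12914      SYNRCVD
"""


class TcpSession(NamedTuple):
    tcb: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str


# IOS prints each endpoint as a dotted-quad address, a dot, then the port.
_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})$")


def _split_endpoint(endpoint: str):
    match = _ENDPOINT.match(endpoint)
    if not match:
        raise ValueError(f"unparseable endpoint: {endpoint!r}")
    return match.group(1), int(match.group(2))


def parse_show_tcp_brief(text: str):
    """Turn 'show tcp brief' output into TcpSession records, skipping the header."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "TCB":
            continue
        tcb, local, foreign, state = fields
        local_ip, local_port = _split_endpoint(local)
        foreign_ip, foreign_port = _split_endpoint(foreign)
        sessions.append(TcpSession(tcb, local_ip, local_port, foreign_ip, foreign_port, state))
    return sessions


def hung_tcbs(sessions, local_port: int, state: str = "SYNRCVD"):
    """TCB ids stuck in the given state on the given local port (1720 in the post)."""
    return [s.tcb for s in sessions if s.local_port == local_port and s.state == state]


def half_open_by_peer(sessions, local_port: int):
    """Count SYNRCVD sessions per foreign address; one peer dominating the
    list is worth investigating before simply clearing the TCBs."""
    return Counter(s.foreign_ip for s in sessions
                   if s.local_port == local_port and s.state == "SYNRCVD")


def clear_commands(tcb_ids):
    """The exact commands the post runs by hand, one per hung TCB."""
    return [f"clear tcp tcb {tcb}" for tcb in tcb_ids]


if __name__ == "__main__":
    sessions = parse_show_tcp_brief(SHOW_TCP_BRIEF)
    print(dict(half_open_by_peer(sessions, 1720)))
    for cmd in clear_commands(hung_tcbs(sessions, 1720)):
        print(cmd)
```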
 

Friday, June 25, 2010

Blogger Buzz: Blogger integrates with Amazon Associates


How To Change Router configuration from NAT to Routing : cisco


1. Log in to the router and first change the existing private IP on the LAN interface to the public IP with the appropriate subnet mask.

2. After the change (private to public IP) we need to remove all NAT commands and the related access list that supports NAT on the router.

Commands to remove:

no ip nat inside (on the LAN interface)
no ip nat outside (on the WAN interface, normally Vlan1)
Remove the NAT access list: no ip access-list standard for_NAT
Disable DHCP if it exists in the previous configuration.


3. Then bounce the LAN interface with shut and no shut so that the changes take effect; the client needs to make the corresponding changes on their own device.

4. After that, when the connection is back up, check Internet access through the router by pinging our DNS server IP (209.250.128.6 or 209.250.128.8) with an extended ping sourced from the LAN interface:

ping 209.250.128.6 source f0

Here f0 is assumed to be the client's LAN interface.

5. If we can reach the outside, the configuration changes are OK; otherwise we need to check the configuration changes again carefully.

GRE Tunnel

End A Configuration
----------------------------

1. Create a GRE tunnel interface (any tunnel number will do)

Router(config)#interface Tunnel1
Router(config-if)#description GRE Tunnel to Remote Location

2. Give the tunnel an IP address
Router(config-if)#ip address 10.10.0.1 255.255.255.252

3. Give Tunnel1 the public source address from which it will initiate
Router(config-if)#tunnel source Vlan1
where x.x.x.x is the IP address of Vlan1, the source/WAN IP of this router

4. Give the public destination address where the tunnel terminates
Router(config-if)#tunnel destination y.y.y.y
where y.y.y.y is the destination public IP address

5. Configuration of the LAN interface port.

Router(config)#interface FastEthernet0
Router(config-if)#description Local LAN IP
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside

6. Configuration of the WAN interface port.

Router(config)#interface Vlan1
Router(config-if)#description Cisco IP
Router(config-if)#ip address x.x.x.x 255.255.255.252
Router(config-if)#ip nat outside

7. Default route pointing to the Internet via Pathway.

ip route 0.0.0.0 0.0.0.0 Pathway

8. Remote LAN route pointing to the other end's IP of GRE tunnel 1

ip route 192.168.2.0 255.255.255.0 10.10.0.2





End B Configuration
---------------------------

1. Create a GRE tunnel interface (any tunnel number will do)

Router(config)#interface Tunnel1
Router(config-if)#description GRE Tunnel to Remote Location

2. Give the tunnel an IP address
Router(config-if)#ip address 10.10.0.2 255.255.255.252

3. Give the public source address from which the tunnel will initiate
Router(config-if)#tunnel source Vlan1
where y.y.y.y is the IP address of Vlan1, the source/WAN IP of this router

4. Give the public destination address where the tunnel terminates
Router(config-if)#tunnel destination x.x.x.x
where x.x.x.x is the destination public IP address

5. Configuration of the LAN interface port.

Router(config)#interface FastEthernet0
Router(config-if)#description Local LAN IP
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside

6. Configuration of the WAN interface port.

Router(config)#interface Vlan1
Router(config-if)#description Cisco IP
Router(config-if)#ip address y.y.y.y 255.255.255.252
Router(config-if)#ip nat outside

7. Default route pointing to the Internet via Pathway.

ip route 0.0.0.0 0.0.0.0 Pathway

8. Remote LAN route pointing to the other end's IP of GRE tunnel 1 (End A's tunnel address, 10.10.0.1)

ip route 192.168.1.0 255.255.255.0 10.10.0.1
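The two ends above mirror each other: each tunnel destination must be the other side's WAN address, both tunnel addresses must sit in one /30, and the route for the remote LAN must point at the peer's tunnel address. This added example (mine, not from the post) parses both ends in IOS syntax and reports any mismatch; the sample configs are constructed from the steps above, with the documentation addresses 203.0.113.1 and 198.51.100.1 standing in for x.x.x.x and y.y.y.y, and End B carries a deliberate next-hop typo to show what the check catches.

```python
import ipaddress

# Constructed sample configs mirroring the two ends above. The documentation
# addresses 203.0.113.1 and 198.51.100.1 stand in for x.x.x.x and y.y.y.y.
END_A = """\
interface Tunnel1
 ip address 10.10.0.1 255.255.255.252
 tunnel source Vlan1
 tunnel destination 198.51.100.1
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
interface Vlan1
 ip address 203.0.113.1 255.255.255.252
ip route 192.168.2.0 255.255.255.0 10.10.0.2
"""

# End B with a deliberate slip in its step-8 route: next hop 10.10.10.1
# instead of End A's tunnel address 10.10.0.1, an easy typo when two ends
# are keyed in by hand.
END_B = """\
interface Tunnel1
 ip address 10.10.0.2 255.255.255.252
 tunnel source Vlan1
 tunnel destination 203.0.113.1
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
interface Vlan1
 ip address 198.51.100.1 255.255.255.252
ip route 192.168.1.0 255.255.255.0 10.10.10.1
"""

def parse_ios(text):
    """Minimal parser: interface blocks (address, tunnel source/destination)
    and global static routes; anything else, e.g. ip nat inside, is ignored."""
    cfg = {"interfaces": {}, "routes": []}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "interface":
            current = cfg["interfaces"].setdefault(parts[1], {})
        elif parts[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), parts[4]))
        elif current is not None and parts[:2] == ["ip", "address"]:
            current["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif current is not None and parts[:2] == ["tunnel", "source"]:
            current["source"] = parts[2]
        elif current is not None and parts[:2] == ["tunnel", "destination"]:
            current["dest"] = ipaddress.ip_address(parts[2])
    return cfg

def tunnel_source_ip(cfg, tun):
    """'tunnel source' may name an interface (Vlan1 above) or give an address."""
    src = cfg["interfaces"][tun]["source"]
    if src[0].isdigit():
        return ipaddress.ip_address(src)
    return cfg["interfaces"][src]["addr"].ip

def check_gre_pair(cfg_a, cfg_b, tun="Tunnel1", lan="FastEthernet0"):
    """List mismatches between the two ends; an empty list means they agree.
    Checks: each destination is the peer's source, the tunnel /30 is shared,
    and the route for the peer's LAN points at the peer's tunnel address."""
    problems = []
    for label, me, peer in (("End A", cfg_a, cfg_b), ("End B", cfg_b, cfg_a)):
        my_tun = me["interfaces"][tun]
        peer_addr = peer["interfaces"][tun]["addr"]
        if my_tun["dest"] != tunnel_source_ip(peer, tun):
            problems.append(f"{label}: tunnel destination {my_tun['dest']} is not the peer's tunnel source")
        if my_tun["addr"].network != peer_addr.network or my_tun["addr"].ip == peer_addr.ip:
            problems.append(f"{label}: tunnel address {my_tun['addr']} does not pair with {peer_addr}")
        remote_lan = peer["interfaces"][lan]["addr"].network
        hops = [hop for net, hop in me["routes"] if net == remote_lan]
        if not hops:
            problems.append(f"{label}: no static route for remote LAN {remote_lan}")
        elif hops[0] != str(peer_addr.ip):
            problems.append(f"{label}: route to {remote_lan} points at {hops[0]}, expected {peer_addr.ip}")
    return problems

if __name__ == "__main__":
    for problem in check_gre_pair(parse_ios(END_A), parse_ios(END_B)):
        print(problem)
```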

How to Configure Site-to-Site VPN in Cisco Routers



1. Create the Internet Key Exchange (IKE) policy. The policy used in our case is number 10 and it requires a pre-shared key

Router(config)#crypto isakmp policy 10
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 2
Router(config-isakmp)#lifetime 28800

2. Setup the shared key that would be used in the VPN,

Router(config)#crypto isakmp key 1q2w3e4r address X.X.X.X no-xauth

where,

1q2w3e4r is the shared key that you will use for the VPN, and remember to set the same key on the other end.

X.X.X.X the static public IP address of the other end.

3. Now we set lifetime for the IPSec security associations,

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

Where YYYYY is the association’s lifetime in seconds. It is usually set to 86400, which is one day.

4. Define the transformations set that will be used for this VPN connection,

Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

where,

SETNAME is the name of the transformations set. You can choose any name you like.

BBBB and CCCCC is the transformation set. I recommend the use of “esp-3des and esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Any one of these two will do the job.

5. After defining all the previous things, we need to create a crypto map that ties the access-list for the other site to the peer and the transform set.

Router(config)#crypto map MAPNAME 10 ipsec-isakmp
Router(config-crypto-map)#set peer X.X.X.X
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address 123

where,

MAPNAME is a name of your choice to the crypto-map

X.X.X.X is the static public IP address of the other end

SETNAME is the name of the transformations set that we configured in step 4

123 is the number of the access-list that we created to define the traffic in step 7

6. The last step is to bind the crypto map to the interface that connects the router to the other end.

Router(config)#interface <outside-interface>
Router(config-if)#crypto map MAPNAME

where <outside-interface> is the WAN interface facing the peer and MAPNAME is the name of the crypto map that we defined in step 5

7. Configure an extended access-list to define the traffic that is allowed through the VPN link,

Router(config)#access-list 123 permit ip X.X.X.X Y.Y.Y.Y A.A.A.A B.B.B.B

where,

123 is the access-list number

X.X.X.X Y.Y.Y.Y is the source address and wildcard mask of the data allowed to use the VPN link.

A.A.A.A B.B.B.B is the destination address and wildcard mask of the data that needs to pass through the VPN link.

8. Deny the VPN traffic in the NAT access-list, so that it is not translated before it is encrypted

Router(config)#access-list <NAT-ACL> deny ip X.X.X.X Y.Y.Y.Y A.A.A.A B.B.B.B
Router(config)#access-list <NAT-ACL> permit ip X.X.X.X Y.Y.Y.Y any

where <NAT-ACL> is the number of the extended access-list referenced by your ip nat statement; the deny line must come before the permit line.

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.


For troubleshooting purposes, you can use the following commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map

To Configure DHCP on a Cisco router


To configure Cisco DHCP, follow these steps, which include sample commands

1) Configure an IP address on the router's Ethernet or Fast Ethernet port and bring up the interface, e.g.:
Router(config)# interface FA 0/0
Router(config-if)# ip address 1.1.1.1 255.0.0.0
Router(config-if)# no shutdown

2) enable the DHCP service in the router

Router(config)#service dhcp

3) Create a DHCP IP address pool for the IP addresses you want to use.
Router(config)# ip dhcp pool mypool
Where mypool is name of the DHCP pool

4) Specify the network and subnet for the addresses you want to use from the pool.
Router(dhcp-config)# network 1.1.1.0 255.0.0.0


5) Specify the DNS domain name for the clients.
Router(dhcp-config)# domain-name pathcom.com

6) Specify the primary and secondary DNS servers
Router(dhcp-config)# dns-server 209.250.128.6 209.250.128.8

7) Specify the default router (i.e., default gateway).
Router(dhcp-config)#default-router 1.1.1.1

8) Specify the lease duration for the addresses you're using from the pool.
Router(dhcp-config)#lease 7

9) Exit Pool Configuration Mode.
Router(dhcp-config)#exit

10) Configure the IP addresses to be excluded from the pool. This is usually done to avoid conflicts between DHCP and servers or printers. Remember to give ALL servers and network printers static IP addresses in the same range as the DHCP pool, and then exclude these addresses from the pool to avoid conflicts

Router(config)#ip dhcp excluded-address XXX.XXX.XXX.XXX

Use the command in this form to exclude a single address. Repeat it as often as needed for the IP addresses you want to exclude.



Use the following commands to check the DHCP operation on the router:

Router#show ip dhcp binding

This command shows the current bindings of addresses given to clients

Router#show ip dhcp server statistics

This command shows the DHCP server statistics.

Router#debug ip dhcp server

To clear DHCP server variables, use the following commands as needed:

Router#clear ip dhcp binding *


NOTE: DHCP uses UDP ports 67 and 68, so if there is a firewall in the path, remember to allow these ports

How to configure PPTP on a Cisco server



1) Enable VPDN (virtual private dial-up networking) on the router. To do so use this command:

Router(config)# vpdn enable

2) Create a VPDN group for PPTP, matching what the Microsoft VPN client uses by default

Router(config)# vpdn-group TEST-VPN
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol pptp
Router(config-vpdn-acc-in)# virtual-template 1
Router(config-vpdn-acc-in)# exit
Router(config-vpdn)# exit

3) Configure the IP address on the local LAN interface
Router(config)# interface FA0/0
Router(config-if)# ip address z.z.z.z
Router(config-if)# no shutdown

4) Create the virtual-template that will apply to inbound VPN connections. This template references the FA0/0 interface for its IP address. It also references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match what the Microsoft VPN client defaults to:

Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered FA0/0
Router(config-if)# peer default ip address pool defaultpool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2
Router(config-if)# no keepalive

5) Create the pool of IP addresses for PPTP users

Router(config)# ip local pool defaultpool x.x.x.x y.y.y.y

where x.x.x.x is the starting IP and y.y.y.y is the last IP; this range of IPs should also be excluded from the DHCP pool.

6) Create a test VPN user:

Router(config)# username pathway password 0 1q2w3e4r
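The IKE policy in the site-to-site VPN post (hash md5, encryption 3des, group 2, an 8-character pre-shared key) and the PPTP/MS-CHAP setup above are all settings that Cisco's current Next Generation Encryption guidance lists as legacy, and MS-CHAPv2 handshakes can be cracked offline. This added example (mine, not the author's and not a Cisco tool) audits an IOS configuration fragment for exactly those settings; the config text is constructed from the two posts, 203.0.113.5 stands in for the X.X.X.X peer placeholder, and the severity labels and the 20-character minimum pre-shared-key length are my own assumptions.

```python
# Constructed sample assembled from the VPN and PPTP steps above; 203.0.113.5
# stands in for the X.X.X.X peer placeholder used in the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption 3des
 group 2
 lifetime 28800
crypto isakmp key 1q2w3e4r address 203.0.113.5 no-xauth
crypto ipsec transform-set SETNAME esp-3des esp-md5-hmac
vpdn enable
vpdn-group TEST-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
username pathway password 0 1q2w3e4r
"""

# IKE policy values Cisco's Next Generation Encryption guidance marks legacy/avoid.
WEAK_ISAKMP = {
    "hash": {"md5"},
    "encryption": {"des", "3des"},
    "group": {"1", "2", "5"},
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}


def audit_ios_vpn(text, min_psk_len=20):
    """Return (severity, config line, message) tuples for each weak setting found.
    Severity labels and min_psk_len are assumptions chosen for this example."""
    findings = []
    in_isakmp_policy = False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = raw.strip()
        indented = raw[0].isspace()
        if not indented:  # a new top-level block; remember whether it is an IKE policy
            in_isakmp_policy = parts[:3] == ["crypto", "isakmp", "policy"]
        if (in_isakmp_policy and indented and parts[0] in WEAK_ISAKMP
                and len(parts) > 1 and parts[1] in WEAK_ISAKMP[parts[0]]):
            findings.append(("high", line, f"IKE policy uses weak {parts[0]} {parts[1]}"))
        elif parts[:3] == ["crypto", "isakmp", "key"]:
            # "crypto isakmp key [0|6] KEY address ..." - the type digit is optional
            psk = parts[4] if parts[3] in ("0", "6") else parts[3]
            if len(psk) < min_psk_len:
                findings.append(("high", line, f"pre-shared key is only {len(psk)} characters"))
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [t for t in parts[4:] if t in WEAK_TRANSFORMS]
            if weak:
                findings.append(("high", line, f"transform-set {parts[3]} uses {' '.join(weak)}"))
        elif parts[:2] == ["protocol", "pptp"]:
            findings.append(("high", line, "PPTP (MPPE/RC4) is enabled; prefer IPsec or SSL VPN"))
        elif parts[:2] == ["ppp", "authentication"] and any(a.startswith("ms-chap") for a in parts[2:]):
            findings.append(("high", line, "MS-CHAP/MS-CHAPv2 handshakes can be cracked offline"))
        elif parts[0] == "username" and "password" in parts:
            findings.append(("medium", line, "type 0/7 password is recoverable; use 'username ... secret'"))
    return findings


def summarize(findings):
    """Count findings per severity, handy as a pass/fail gate in a config check."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, line, message in audit_ios_vpn(SAMPLE_CONFIG):
        print(f"[{severity}] {line}: {message}")
```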

Thursday, December 4, 2008

Loopback address

127.0.0.1 as defined in the Internet RFCs

The proper use of 127.0.0.1 is defined in RFC 3330: Special-Use IPv4 Addresses:

127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere.

The IPv6 version of localhost is defined in RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture as ::1/128.


Routing

(n.) In internetworking, the process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router. Routing is a key feature of the Internet because it enables messages to pass from one computer to another and eventually reach the target machine. Each intermediary computer performs routing by passing along the message to the next computer. Part of this process involves analyzing a routing table to determine the best path.

Routing is often confused with bridging, which performs a similar function. The principal difference between the two is that bridging occurs at a lower level and is therefore more of a hardware function whereas routing occurs at a higher level where the software component is more important. And because routing occurs at a higher level, it can perform more complex analysis to determine the optimal path for the packet.