Sunday, April 15, 2012

My Basic Linux Commands

#####Shell, Basic linux Command#####
   1.tty     - reveals the current terminal
   2.whoami  - reveals the currently logged-in user
   3.which   - reveals where in the search path a program is located
   4.echo    - prints to the screen
      a. echo $PATH - prints out the current path to STDOUT
      b. echo $PWD  - dumps the contents of the $PWD variable
      c. echo $OLDPWD - dumps the
   5. set     - prints and optionally sets shell variables
   6. clear   - clears the screen or terminal
   7. reset   - clears the screen buffer
   8. history - reveals command history
         a. !600 - executes the 600th command in our history
         b. command history is maintained on a per-user basis via: ~/.bash_history
         c. ~   - user's $HOME directory in the BASH shell
   9. pwd     - prints the working directory
   10. cd     - changes to the desired directory
         a. 'cd' with no options changes to the $HOME directory
         b. 'cd ~' changes to the $HOME directory
         c. 'cd /' changes to the root directory
         d. 'cd Desktop/' changes to the relative directory
         e. 'cd ..' / 'cd ../..' changes one level / two levels up in the directory tree
   11. Arrow (up/down) keys
   12. Bash supports tab completion
         a. type the unique characters of the command and press the 'Tab' key
   13. copy and paste in GNOME terminal windows using:
         a. left button to select a block
         b. right button to paste, OR Ctrl-Shift-v to paste
   14. ls - lists directories
         a. 'ls /' - lists the contents of the '/' mount point
         b. 'ls -l' - lists the contents of a directory in long format
         c. 'ls -ld' - lists the directory properties rather than the contents
         d. 'ls -ltr' - sorts chronologically from older to newer (bottom)
         e. 'ls --help'
         f. 'ls -a' - reveals hidden files
      Note: files/directories prefixed with '.' are hidden
   15. cat - concatenates files
         a. can dump multiple files to STDOUT
   16. mkdir - creates a new directory
   17. cp - copies files
      By default, 'cp' does NOT preserve the original modification time
   18. mv - moves files
   19. rm - removes files/directories
         a. 'rm -rf' - removes recursively and forces (no prompting)
   20. touch - creates blank files / updates timestamps
         a. 'touch test.txt' - will create a 0-byte file if it didn't exist;
                               will update the timestamp if it does exist
         b. 'touch -t 200901091530 test.txt' - will change the timestamp
   21. stat - reveals statistics of files
   22. find - finds files using search patterns
         a. find / -name 'fstab*'
      Note: 'find' can search for fields returned by the 'stat' command
   23. alias - returns/sets aliases for commands


###Linux Redirection & Pipes###
Features:
   1. Ability to control input and output

Input redirection '<'
   1. cat < 123.txt
   Note: Use input redirection when the program does NOT default to reading a file

Output redirection '>'
   1. cat 123.txt > onetwothree.txt
   Note: Default nature is to:
      a. Clobber the target file
      b. Populate it with information from the input stream

Append redirection '>>'
   1. cat 123.txt >> numbers.txt - creates 'numbers.txt' if it doesn't exist,
      or appends if it does

Pipes '|'
Features: Connects the output stream of one command to the input stream of a subsequent command

###Command Chaining###
Features:
   1. Permits the execution of multiple commands in sequence
   2. Also permits execution based on the success or failure of the previous command
Examples:
   1. cat 123.txt ; ls -l   - runs the first command, then the second command without regard for the exit status of the first
   2. cat 123.txt && ls -l  - runs the second command only if the first command succeeded
   3. cat 123.txt || ls -l  - runs the second command only if the first command failed
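The following POSIX shell script is an added example, not part of the original notes: it exercises the redirection and chaining rules above inside a scratch directory created with mktemp, so no real file gets clobbered. The file names (123.txt, missing.txt) and their contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): redirection and command chaining
# exercised in a throwaway directory created with mktemp.

# Shows that '>' clobbers, '>>' appends, and '<' feeds a file to stdin.
# Prints the number of lines left in the file after the three redirections.
redirect_demo() (
  cd "$(mktemp -d)" || exit 1
  seq 1 3 > 123.txt          # creates 123.txt holding 1,2,3
  seq 4 5 > 123.txt          # '>' clobbers: file now holds only 4,5
  seq 6 7 >> 123.txt         # '>>' appends: file now holds 4,5,6,7
  lines=$(cat < 123.txt | wc -l)   # input redirection piped into wc
  echo $lines                # unquoted on purpose: strips wc's padding -> 4
)

# Shows ';', '&&' and '||' reacting to the exit status of a failing command.
# Prints one letter per command that actually ran.
chain_demo() (
  set +e                     # let the failing 'cat' be observed, not fatal
  cd "$(mktemp -d)" || exit 1
  ran=""
  cat missing.txt 2>/dev/null && ran="${ran}A"   # skipped: cat failed
  cat missing.txt 2>/dev/null || ran="${ran}B"   # runs: cat failed
  cat missing.txt 2>/dev/null ;  ran="${ran}C"   # runs: ';' ignores status
  printf '%s\n' "$ran"       # BC
)

redirect_demo
chain_demo
```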
   24. more | less - paginators, which display text one page at a time
         a. more /etc/
   25. seq - echoes a sequence of numbers
         a. seq 1000 > 1000.txt
         b. seq 5 5 100 > 55.txt
   26. su - switches users
         a. 'su' with no option will attempt to log in as root
   27. head - displays the opening lines of text files
   28. tail - displays the closing lines of text files
   29. wc - counts words and optionally lines of text files
   30. file - determines file type
         a. file /var/log/messages

Monday, April 9, 2012

Cisco IOS Easy VPN configuration

Server

o   Configure an IKE policy
crypto isakmp policy 10
 authentication pre-share

crypto isakmp policy 20
 authentication pre-share
 group 2

o   Configure IPsec transform sets and an IPsec profile
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
crypto ipsec profile PROFILE-IPSEC
   set transform-set TRANSFORM-IPSEC
 ! the following setting has to be done after the isakmp profile has been created
   set isakmp-profile PROFILE-ISAKMP

o   Configure a client configuration group
ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250

crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL

o   Configure a dynamic VTI template interface, which the router will use to create a tunnel interface for each remote user
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !

o   Configure a local AAA authentication method and add user accounts to the router's local database
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local

username cisco privilege 15 password 0 cisco

o   Configure an ISAKMP profile that will bind the remote user group to the client configuration group
crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1

Client

o   Configure the EZVPN remote profile
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local

o   Designate EZVPN interface roles (applied under the LAN and WAN interfaces respectively)
crypto ipsec client ezvpn EZVPN-CLIENT inside

crypto ipsec client ezvpn EZVPN-CLIENT outside

Configuration Scenario Example


E-R3 acts as the VPN server router located at the central head office, while E-R4 is the remote sub-office router that dials in to head office. E-R2 simulates the internet; it has only basic interface settings, without any routing to the E-R3 and E-R4 routers.
The head office has NAT/PAT set up on the E-R3 router to give the DMZ and internal users internet access, and the same applies to the sub-office E-R4 router. E-R4 needs to send internet traffic directly to the internet rather than through the head office router E-R3, so split tunnelling is necessary.
The topology is as follows:
[topology diagram]


E-R3

!
hostname E-R3
!Authentication and authorization setup and local account setup for VPN
aaa new-model
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local
username cisco privilege 15 password 0 cisco

!DHCP setup for local machines
ip dhcp pool LOCAL-POOL-172.16.30
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.1
!ISAKMP Policies
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 20
 authentication pre-share
 group 2

!Client group setup, acl VPN-SPLIT-TUNNEL will enable Split Tunnel for VPN clients
crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL
 acl VPN-SPLIT-TUNNEL

crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1
!
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 set isakmp-profile PROFILE-ISAKMP

!Loopback0 is used for sub-offices which will route internet traffic through the head office, L0 ip address + 1 will be the next hop of packets from the remote office.
interface Loopback0
 ip address 172.16.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface FastEthernet0/0
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 !
!
interface Serial1/0
 ip address 10.100.23.2 255.255.255.0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 !
!The route-map policy is applied on the Virtual-Template, NOT on the physical interface (Serial1/0 in this case), because the VPN traffic arrives through the tunnel.
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 ip policy route-map VPN_CLIENT_INTERNET
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !
! Addresses for VPN clients can be separated subnets
ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250
!
ip nat pool INTERNET-ADDRESSES 10.100.23.3 10.100.23.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255
 permit ip 172.16.30.0 0.0.0.255 any
 permit ip 172.16.31.0 0.0.0.255 any
ip access-list extended VPN-SPLIT-TUNNEL
 permit ip 172.16.30.0 0.0.0.255 any
ip access-list extended VPN_CLIENTS
 permit ip 172.16.39.0 0.0.0.255 any
!Route-map for redirecting sub-office internet requesting traffic
route-map VPN_CLIENT_INTERNET permit 10
 match ip address VPN_CLIENTS
 set ip next-hop 172.16.31.2
!


E-R4

!
hostname E-R4
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
ip dhcp pool DHCP-172.16.40
   network 172.16.40.0 255.255.255.0
   default-router 172.16.40.1
!
username cisco privilege 15 password 0 cisco
!
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto ipsec client ezvpn EZVPN-CLIENT inside
!
interface Serial0/0
 ip address 10.100.24.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 serial restart-delay 0
 clock rate 2000000
 crypto ipsec client ezvpn EZVPN-CLIENT
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip nat pool INTERNET-ADDRESSES 10.100.24.3 10.100.24.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.40.0 0.0.0.255 172.16.30.0 0.0.0.255
 permit ip 172.16.40.0 0.0.0.255 any



Saturday, March 3, 2012

GNS3

I finally got GNS3 to work for me. I do like this app, and it can simulate Cisco routers perfectly, so if you need to play with Cisco routers, switches or firewalls, I strongly recommend you give it a try.

I used Dynagen + Dynamips; this works very well, but it's a bit harder to create a new topology and connect it to workstations or servers. With the help of the GNS3 GUI, life is much easier.

The problems I encountered with GNS3 in the first two days were:

Flash: drive and saving settings.

1. Cannot copy anything to Flash:
2. Every time I tried to save settings and reload GNS3, all the routers went back to their initial settings, which drove me crazy. Also, with some IOS images, “wr” or “copy run start” would cause the app to stop responding.

Solutions:

1. “erase flash:” will fix this issue; I did this in CLI mode
2. Take off “concfg= xxxx”; I believe this caused the issue, but I'm not sure why.

Modify the topology file.
1. Save As the topology after changes

NOTE:
DO NOT save the topology when exiting GNS3!

Someone suggested the solution for this:

Preferences → Dynamips → clear 'automatically clean the working directory’

This will fix the issue, but when I tried it, it sometimes killed the contents of Nvram:, so I couldn't be bothered; just make sure you EXIT WITHOUT SAVING ANYTHING.