Sunday, April 15, 2012

My Basic Linux Commands

#####Shell, Basic Linux Commands#####
   1.tty     - reveals the current terminal
   2.whoami  - reveals the currently logged-in user
   3.which   - reveals where in the search path a program is located
   4.echo    - prints to the screen
      a. echo $PATH - prints out the current path to STDOUT
      b. echo $PWD  - dumps the contents of the $PWD variable
      c. echo $OLDPWD - dumps the
   5. set    - prints and optionally sets shell variables
   6. clear  - clears the screen or terminal
   7. reset  - clears the screen buffer
   8. history - reveals command history
          a. !600 - executes the 600th command in our history
          b. command history is maintained on a per-user basis via ~/.bash_history
          c. ~   - user's $HOME directory in the BASH shell
   9. pwd    - prints the working directory
   10. cd     - changes directory to the desired directory
          a. 'cd' with no options changes to the $HOME directory
          b. 'cd ~' changes to the $HOME directory
          c. 'cd /' changes to the root directory
          d. 'cd Desktop/' changes to the relative directory
          e. 'cd ..' / 'cd ../..' changes one level / two levels up in the directory tree
    11. Arrow ( up/down) keys
    12. Bash supports tab completions
          a. type unique characters in the command and press 'Tab' key
    13. copy and paste in GNOME terminal windows using:
          a. left button to block (select)
          b. right button to paste OR Ctrl-Shift-v to paste
    14. ls - lists directories
          a. 'ls /' - lists the contents of the '/' mount point
          b. 'ls -l' - lists the contents of a directory in long format
          c. 'ls -ld' - lists the directory properties rather than the contents
          d. 'ls -ltr' - sorts chronologically, oldest first and newest at the bottom
          e. 'ls --help' - prints usage information
          f. 'ls -a'  - reveals hidden files
       Note: files/directories prefixed with '.' are hidden
    15. cat - concatenates files
          a. can dump multiple files to STDOUT
    16. mkdir - creates a new directory
    17. cp - copies files
          By default, 'cp' does NOT preserve the original modification time
    18. mv - moves files
    19. rm - removes files/directories
            a. 'rm -rf' - removes recursively and forces (no confirmation prompts)
    20. touch - creates blank files / updates timestamps
           a. touch test.txt  - will create a 0-byte file if it didn't exist,
                                will update the timestamp if it does exist
           b. touch -t 200901091530 test.txt - will change the timestamp
    21. stat -  reveals statistics of files
    22. find - finds files using search patterns
           a. find / -name 'fstab*'
       Note: 'find' can search on the fields returned by the 'stat' command
    23. alias - returns/sets aliases for commands

###Linux Redirection & Pipes###
Features:
    1. Ability to control input and output

Input redirection '<'
    1. cat < 123.txt
   Note: Use input redirection when a program does NOT read from a file by default

Output redirection '>'
    1. cat 123.txt > onetwothree.txt
   Note: Default behaviour is to:
       a. Clobber (overwrite) the target file
       b. Populate it with information from the input stream

Append redirection '>>'
    1. cat 123.txt >> numbers.txt - creates 'numbers.txt' if it doesn't exist,
       or appends to it if it does

Pipes '|'
Features: Connects the output stream of one command to the input stream of a subsequent command
###Command Chaining###
Features:
   1. Permits the execution of multiple commands in sequence
   2. Also permits execution based on the success or failure of a previous command
Examples:
   1. cat 123.txt ; ls -l   - runs the first command, then the second, without regard for the exit status of the first
   2. cat 123.txt && ls -l  - runs the second command only if the first command succeeded
   3. cat 123.txt || ls -l  - runs the second command only if the first command failed
24. more | less   - paginators, which display text one page at a time
   1. more /etc/
25. seq - echoes a sequence of numbers
   a. seq 1000 > 1000.txt
   b. seq 5 5 100 > 55.txt

26. su - switches users
   a. su - with no option will attempt to log in as root
27. head  -  displays the opening lines of text files
28. tail  -  displays the closing lines of text files
29. wc    -  counts words and optionally lines of text files
30. file - determines file type
    a. file /var/log/messages

Monday, April 9, 2012

Cisco IOS Easy VPN configuration

Server


o   Configure an IKE policy
crypto isakmp policy 10
 authentication pre-share

crypto isakmp policy 20
 authentication pre-share
 group 2

o   Configure IPsec transform sets and IPsec Profile

crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
crypto ipsec profile PROFILE-IPSEC
   set transform-set TRANSFORM-IPSEC
 ! the following setting has to be applied after the ISAKMP profile has been created
   set isakmp-profile PROFILE-ISAKMP




o   Configure a client configuration group

ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250

crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL

o   Configure a dynamic VTI template interface which the Router will use to create tunnel interfaces for each remote user
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !

o   Configure a local AAA authentication method and add user accounts to the router local database
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local

! 'password 0' stores the password in cleartext in the running config;
! 'username cisco secret <password>' stores a hash instead
username cisco privilege 15 password 0 cisco




o   Configure an ISAKMP profile that will bind the remote user group to the client configuration group
crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1






Client

o   Configure EZVPN Remote Profile
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local


o   Designate EZVPN interface roles (applied under the LAN-facing and the WAN-facing interface respectively)

crypto ipsec client ezvpn EZVPN-CLIENT inside

crypto ipsec client ezvpn EZVPN-CLIENT outside


Configuration Scenario Example

E-R3 acts as the VPN server router located at the central head office, while E-R4 is the remote sub-office client router that dials in to head office. I will use E-R2 to simulate the Internet; it has only basic interface settings and no routing configured toward the E-R3 and E-R4 routers.
The head office has NAT/PAT set up on the E-R3 router to give the DMZ and internal users an Internet connection, and the sub-office has the same on the E-R4 router. E-R4 needs to send Internet traffic directly rather than through the head office router E-R3, so split tunnelling is necessary.
The topology is as follows:
[Topology diagram not reproduced]


E-R3

!
hostname E-R3
!Authentication, authorization and local account setup for VPN
aaa new-model
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local
username cisco privilege 15 password 0 cisco

!DHCP setup for local machines
ip dhcp pool LOCAL-POOL-172.16.30
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.1
!ISAKMP Policies
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 20
 authentication pre-share
 group 2

!Client group setup, acl VPN-SPLIT-TUNNEL will enable Split Tunnel for VPN clients
crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL
 acl VPN-SPLIT-TUNNEL

crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1
!
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 set isakmp-profile PROFILE-ISAKMP

!Loopback0 is used for sub-offices that route their Internet traffic through the head office; the L0 IP address + 1 will be the next hop for packets from the remote office.
interface Loopback0
 ip address 172.16.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface FastEthernet0/0
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 !
!
interface Serial1/0
 ip address 10.100.23.2 255.255.255.0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 !
!The route-map policy is applied on the Virtual-Template, NOT on the physical interface (Serial1/0 here), because the VPN traffic arrives through the tunnel.
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 ip policy route-map VPN_CLIENT_INTERNET
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !
! Addresses for VPN clients can be separated subnets
ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250
!
ip nat pool INTERNET-ADDRESSES 10.100.23.3 10.100.23.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255
 permit ip 172.16.30.0 0.0.0.255 any
 permit ip 172.16.31.0 0.0.0.255 any
ip access-list extended VPN-SPLIT-TUNNEL
 permit ip 172.16.30.0 0.0.0.255 any
ip access-list extended VPN_CLIENTS
 permit ip 172.16.39.0 0.0.0.255 any
!Route-map for redirecting sub-office internet requesting traffic
route-map VPN_CLIENT_INTERNET permit 10
 match ip address VPN_CLIENTS
 set ip next-hop 172.16.31.2
!
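As an added audit helper (my code, not part of the post's configuration): a Python check over the E-R3 server config above that verifies every name the Easy VPN blocks reference (client group, ISAKMP and IPsec profiles, transform set, virtual-template, address pool, split-tunnel ACL) is actually defined, and flags the type-0 password and the ISAKMP policies that leave encryption or DH group at the classic-IOS defaults. The sample config is copied from the post and trimmed; the patterns and function names are my own.

```python
import re

# Constructed sample: E-R3 Easy VPN server lines copied from the post, trimmed to what the checks inspect.
SERVER_CONFIG = """\
username cisco privilege 15 password 0 cisco
crypto isakmp policy 10
 authentication pre-share
crypto isakmp policy 20
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN-CLIENT-GROUP
 pool VPN-LOCAL-POOL
 acl VPN-SPLIT-TUNNEL
crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 set isakmp-profile PROFILE-ISAKMP
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile PROFILE-IPSEC
ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250
ip access-list extended VPN-SPLIT-TUNNEL
"""

# kind -> (definition pattern, reference pattern): every name a block references must be defined somewhere.
CHECKS = {
    "client group": (r"^crypto isakmp client configuration group (\S+)", r"^[ \t]+(?:match identity|client configuration) group (\S+)"),
    "isakmp profile": (r"^crypto isakmp profile (\S+)", r"^[ \t]+set isakmp-profile (\S+)"),
    "transform set": (r"^crypto ipsec transform-set (\S+)", r"^[ \t]+set transform-set (\S+)"),
    "ipsec profile": (r"^crypto ipsec profile (\S+)", r"^[ \t]+tunnel protection ipsec profile (\S+)"),
    "virtual-template": (r"^interface Virtual-Template(\d+)", r"^[ \t]+virtual-template (\d+)"),
    "address pool": (r"^ip local pool (\S+)", r"^[ \t]+pool (\S+)"),
    "split-tunnel acl": (r"^ip access-list extended (\S+)", r"^[ \t]+acl (\S+)"),
}

def dangling_references(config):
    """Return {kind: sorted names that are referenced but never defined}; {} means consistent."""
    gaps = {k: set(re.findall(r, config, re.M)) - set(re.findall(d, config, re.M)) for k, (d, r) in CHECKS.items()}
    return {k: sorted(v) for k, v in gaps.items() if v}

def weak_settings(config):
    """Flag type-0 cleartext local passwords and ISAKMP policies relying on classic-IOS defaults (DES, DH group 1)."""
    out = [f"username {u}: type-0 cleartext password, prefer 'username {u} secret ...'" for u in re.findall(r"^username (\S+) .*\bpassword 0 ", config, re.M)]
    for num, body in re.findall(r"^crypto isakmp policy (\d+)\n((?:[ \t]+.*\n)*)", config, re.M):
        out += [f"isakmp policy {num}: no explicit '{kw}', IOS default applies"
                for kw in ("encryption", "group") if not re.search(rf"^[ \t]+{kw} ", body, re.M)]
    return out
```

Run against the post's config the reference check returns an empty dict, while weak_settings reports the cleartext username and that policy 10 inherits both encryption and group, and policy 20 inherits only encryption.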


E-R4

!
hostname E-R4
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
ip dhcp pool DHCP-172.16.40
   network 172.16.40.0 255.255.255.0
   default-router 172.16.40.1
!
username cisco privilege 15 password 0 cisco
!
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto ipsec client ezvpn EZVPN-CLIENT inside
!
interface Serial0/0
 ip address 10.100.24.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 serial restart-delay 0
 clock rate 2000000
 crypto ipsec client ezvpn EZVPN-CLIENT
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip nat pool INTERNET-ADDRESSES 10.100.24.3 10.100.24.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.40.0 0.0.0.255 172.16.30.0 0.0.0.255
 permit ip 172.16.40.0 0.0.0.255 any