The SysAdmin Network

No more hiding in the server room

Christian Dinh
  • Male
  • South San Francisco, CA
  • United States

Christian Dinh's Discussions

Cisco ASA
5 Replies

I'm about to upgrade from a Sonicwall FW to the Cisco ASA.... Can anyone shed some light on configuring it? One segment to LAN. One segment to DMZ. DMZ should be able to access OWA (http/https), RDP, and…

Tags: install, config, Sonicwall, ASA, Cisco

Started this discussion. Last reply by Christian Dinh Jun 24, 2010.

Christian Dinh's Page

Latest Activity

Christian Dinh left a comment for Wesley "Nonapeptide"
Thanks Wesley.
Jun 24, 2010
Wesley "Nonapeptide" left a comment for Christian Dinh
Unfortunately, I don't know much about Cisco stuff. Sorry. =( I've always wanted to get into the gutsy parts of networking, but most of my responsibilities involve higher level application level stuff.
Jun 24, 2010
Photos posted by Christian Dinh Jun 24, 2010
Christian Dinh left a comment for Wesley "Nonapeptide"
Wesley, are you a Cisco guru as well? Need some help configuring Cisco ASA... let me know if you can help. thx.
Jun 24, 2010
Christian Dinh replied to Christian Dinh's discussion 'Cisco ASA'
Matt, thought to share with you my ASA transition issue. See below and attached files. I have a Cisco ASA which is configured with three interfaces: LAN (100), DMZ (50), and WAN (0). In my LAN, I have two servers which host OWA/HTTPS (192.168.254.25)…
Jun 24, 2010
Christian Dinh replied to Michael Francis's discussion 'Who (or what) are you influenced by when it comes to software tools?'
For me, Network World or Tech Republic are two websites/publications that I've trusted the most when it comes to software tools/white papers/etc... Moreover, it's even better when you have friends (or former co-workers) that work in the…
May 17, 2010
Christian Dinh replied to Graycat's discussion 'Archiving'
Isaac, I thought I had one of the biggest mailboxes on Exchange 2003 at 6 GB. Good luck to you before the upgrade to 2010. As far as handling email storage, I've deployed a product from Quest Software's Archive Manager…
May 17, 2010
Christian Dinh replied to Elizabeth Ayer's discussion 'Exchange 2010 -- voice your opinions'
I tried to install the Exchange '10 beta version on my test lab and it was a mess. I wonder if there's a cleaner version to test out. I'm running E2k3 and am looking to upgrade to 2k7 next year.
May 11, 2010
Isaac replied to Christian Dinh's discussion 'Cisco ASA'
It's just a license key that enables the additional features. Cisco part# L-ASA5505-SEC-PL= is the license key you're looking for. Maybe you could still get the Security Plus bundle as your 5505 is still backordered?
May 8, 2010
Christian Dinh replied to Christian Dinh's discussion 'Cisco ASA'
Rob, the security license that you are referring to, is that the software license or the actual hardware that is equipped with the security module? Unfortunately, I haven't rec'd the ASA yet as Cisco keeps pushing back their shipping date…
May 5, 2010
Christian Dinh replied to Michael Francis's discussion 'Full time SysAdmin or part time DBA too?'
I'm a Network Engineer, Network & System Admin, Help Desk & AV support for a company of 50 people. When things are humming the way they should, I have plenty of time to research and spec out future projects. I'm currently testing…
May 5, 2010
Christian Dinh updated their profile Apr 28, 2010
Christian Dinh replied to Wasim Raja Shaikh's discussion 'Unisntall WSS 3.0 - Unsuccessful'
Have you heard of the 'Windows Installer Clean Up'? I used this tool very often, though it's used on the XP workstations but not on the server. It wouldn't hurt to try it out in your case... google it and try it out. As an…
Apr 20, 2010
Rob Atkinson replied to Christian Dinh's discussion 'Cisco ASA'
Which edition have you purchased? You will need the Security Plus licence to achieve what you want, I believe. You have 2 options: you can use the ASDM (GUI) or the command line to configure your ASA. I prefer the command line myself but the ASDM…
Apr 20, 2010
Matt Simmons replied to Christian Dinh's discussion 'Cisco ASA'
I'm getting ready to do something similar, although I'm coming from a Juniper, but I suspect the implementation is going to play nicely. Incidentally, which model are you going with? I've only got the budget for the 5505, but I'm…
Apr 20, 2010
Christian Dinh replied to Wasim Raja Shaikh's discussion 'Exchange 2003 istallation'
The commands can be executed on the member server. Once they are executed, the Exchange installation will begin. Good luck.
Apr 16, 2010

Profile Information

Job title
Network Admin
Tech Interests - e.g. Virtualisation? Cisco? Etc.
Cisco, virtualization, routing/switching

Notes for my CCNA lab

Configure the Cisco router clock:
Router# clock set 10:50:00 Oct 26 2006
Router(config)# clock summer-time CDT recurring

Configure an extended access list
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port] [log | log-input]
This is the syntax of one extended access-list entry. For tcp and udp entries the optional operator (for example eq 179) matches the port; for other protocols no port operator is accepted.

Loopback Interface
A loopback interface is a virtual interface. One of its uses is when you need an interface that will not go down due to a link or hardware failure.

In OSPF, the IP address of the loopback interface becomes the OSPF router ID. If a loopback interface is not used, then the IP address of a physical (real) interface is used. Should the link connected to that interface go down, the OSPF router ID would change. Using a loopback interface in this situation ensures the router ID will never change.

OSPF is one reason to use a loopback interface, but there are others. For example, say you have a router with redundant links. You could use the address of one of the interfaces to telnet to the router, but if that one goes down, chances are you will end up having to dig up your documentation on that router to find another interface to telnet to, because you are likely to remember only the one you usually use. If you use a loopback instead, you can telnet to the router using the loopback address regardless of which links are up or down, so long as you have connectivity to it and your routing is correct.

interface loopback 0
ip address 10.1.1.9 255.255.255.255
no shutdown

Configuring and Verifying OSPF
There are a few simple commands used to configure and troubleshoot a Cisco router running OSPF in a single-area or a multi-area network. The commands used to configure OSPF are:

* router ospf <process_number>, where process_number is a number local to the router. This command enables OSPF as a routing protocol on the router.

* network <network_number> <wildcard_mask> area <area_id> defines the networks that participate in the OSPF updates and the area they reside in.

* interface loopback <interface_number> followed by ip address <ip_address> <subnet_mask> defines a loopback interface, which is a virtual interface, on the router.

* ip ospf cost <cost> sets the OSPF cost of an interface directly.

* auto-cost reference-bandwidth <reference_bandwidth> changes the OSPF cost formula.

Note: The ip ospf cost command overrides the auto-cost reference-bandwidth command.

There are a number of show ip commands that can be used when troubleshooting an OSPF network. These commands are:

* show ip ospf, which provides information about the OSPF process and its details.

* show ip ospf database, which provides information about the contents of the topological database.

* show ip ospf interface, which provides information on how OSPF has been configured on each interface.

* show ip ospf neighbor, which displays all the information about the relationship that the router has with its neighbors.

* show ip protocols, which displays the IP configuration on the router, including the interfaces and the configuration of the IP routing protocols.

* show ip route [ip-address [mask] [longer-prefixes]] | [protocol [process-id]], which provides detailed information on the networks that the router is aware of and the preferred paths to those networks. It also gives the next logical hop as the next step in the path.

* debug ip ospf events, which issues log messages for each OSPF packet.

* debug ip ospf packet, which issues log messages describing the contents of all OSPF packets.
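To see what the two cost commands actually do to the numbers, here is an added Python model of the formula (my own code, not part of these lab notes or any Cisco tool): the cost is the reference bandwidth divided by the interface bandwidth, truncated to an integer and clamped to 1..65535, and a manual ip ospf cost replaces that result outright. The interface names and bandwidths are constructed sample values.

```python
# Added example (not part of the original notes): how IOS turns interface
# bandwidth into an OSPF cost, what 'auto-cost reference-bandwidth' changes,
# and how 'ip ospf cost' overrides both. Bandwidth figures are the usual
# 'show interfaces' BW values in kbit/s.

def ospf_cost(bandwidth_kbps, reference_mbps=100, manual_cost=None):
    """Return the OSPF cost IOS assigns to an interface.

    bandwidth_kbps : interface bandwidth in kbit/s (the BW field of 'show interfaces')
    reference_mbps : 'auto-cost reference-bandwidth' value in Mbit/s (IOS default 100)
    manual_cost    : 'ip ospf cost' value; when set it is used as-is
    """
    if manual_cost is not None:
        if not 1 <= manual_cost <= 65535:
            raise ValueError("ip ospf cost accepts 1-65535")
        return manual_cost
    # cost = reference bandwidth / interface bandwidth, truncated to an integer,
    # never below 1 and never above the 16-bit maximum carried in the LSA
    cost = (reference_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, 65535))


# constructed sample interfaces: name -> bandwidth in kbit/s
INTERFACES = {
    "Serial0/0 (T1)": 1_544,
    "FastEthernet0/0": 100_000,
    "GigabitEthernet0/1": 1_000_000,
}


def cost_table(reference_mbps=100):
    """Cost of every sample interface under a given reference bandwidth."""
    return {name: ospf_cost(bw, reference_mbps) for name, bw in INTERFACES.items()}


if __name__ == "__main__":
    # With the default reference, FastEthernet and GigabitEthernet both cost 1,
    # so OSPF cannot prefer the faster link; raising the reference to 10000
    # (10 Gbit/s) restores the distinction.
    for ref in (100, 10_000):
        print(f"auto-cost reference-bandwidth {ref}: {cost_table(ref)}")
```

The point the table makes is the reason the reference bandwidth is changed at all: under the default of 100 Mbit/s every link of 100 Mbit/s or faster collapses to cost 1, and the change has to be made on every router in the area so that costs stay comparable.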

Setting up NAT
interface Ethernet0
! Ethernet 0 faces the local network: the NAT "inside"
ip address 10.10.10.10 255.0.0.0
ip nat inside
!
interface Serial0
! Serial 0 faces the Internet: the NAT "outside"
ip address 11.11.11.254 255.255.255.128
ip nat outside
!
ip nat pool mypool 11.11.11.1 11.11.11.127 netmask 255.255.255.128
! Above is the pool of real Internet addresses which will be overloaded
!
access-list 1 permit 10.0.0.0 0.255.255.255
! Above is the access list which decides who from the local network can use the NAT service;
! anything it does not permit is left untranslated
!
ip nat inside source list 1 pool mypool overload
! Above is the command that brings all the other configs together: translate sources matched
! by ACL 1 to the pool, sharing each pool address across hosts by port (overload = PAT)
!
ip route 0.0.0.0 0.0.0.0 Serial0
! The default route to the Internet
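What the overload line does at run time, as an added Python model (my own code, not from these notes; real IOS port allocation differs in detail): ACL 1 decides which inside sources are translated at all, and every permitted host is mapped to one pool address, keeping its original source port where that port is free and getting a fresh one on a clash. The pool is shortened to two addresses and the sample hosts are constructed.

```python
# Added example (not part of the original notes): a small model of what
# "ip nat inside source list 1 pool mypool overload" does to traffic leaving
# the inside interface. ACL 1 and the pool addresses mirror the config above;
# the pool is shortened to two addresses and port handling is simplified.
import ipaddress
from itertools import count


def acl_matches(address, entries):
    """Evaluate a standard ACL: first matching entry decides, implicit deny at
    the end. entries are (action, network, wildcard) tuples, exactly the fields
    of 'access-list 1 permit 10.0.0.0 0.255.255.255'."""
    addr = int(ipaddress.IPv4Address(address))
    for action, network, wildcard in entries:
        net = int(ipaddress.IPv4Address(network))
        wc = int(ipaddress.IPv4Address(wildcard))
        # wildcard bits set to 1 are "don't care"; the rest must match exactly
        if (addr & ~wc) == (net & ~wc):
            return action == "permit"
    return False


ACL_1 = [("permit", "10.0.0.0", "0.255.255.255")]
MYPOOL = ["11.11.11.1", "11.11.11.2"]  # constructed: first two addresses of mypool


class PatTable:
    """Translation table for 'overload' (PAT): every inside host shares the
    first pool address and is told apart by the translated source port."""

    def __init__(self, acl, pool):
        self.acl = acl
        self.pool = pool
        self.entries = {}      # (inside ip, inside port, proto) -> (global ip, global port)
        self.in_use = set()    # (global ip, global port, proto) already handed out
        self.spare_ports = count(1024)

    def translate(self, src_ip, src_port, proto="tcp"):
        """Return the (global ip, port) the packet leaves with, or None when
        ACL 1 does not permit the source and the packet is routed untranslated."""
        if not acl_matches(src_ip, self.acl):
            return None
        key = (src_ip, src_port, proto)
        if key in self.entries:
            return self.entries[key]          # existing session, same mapping
        global_ip = self.pool[0]
        port = src_port                       # keep the original port if it is free
        while (global_ip, port, proto) in self.in_use:
            port = next(self.spare_ports)     # otherwise pick an unused one
        self.in_use.add((global_ip, port, proto))
        self.entries[key] = (global_ip, port)
        return self.entries[key]


def demo(sources=("10.10.10.20", "10.10.10.21", "192.168.1.5"), port=50000):
    """Run the constructed sample sources through a fresh table; the two inside
    hosts collide on the source port and the third is outside ACL 1."""
    table = PatTable(ACL_1, MYPOOL)
    return {src: table.translate(src, port) for src in sources}


if __name__ == "__main__":
    for src, mapping in demo().items():
        print(src, "->", mapping)
```

The model shows why the access list matters as much as the pool: a source that ACL 1 does not permit is not dropped, it is simply forwarded with its private address intact, so the list is the policy that says which hosts may reach the Internet through the translation.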

ACLs and HSRP, BGP, OSPF, VRRP, GLBP…
Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.

* BGP : Runs on TCP/179 between the neighbors

access-list 101 permit tcp any host 192.168.0.1 eq 179

* EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.10

access-list 101 permit eigrp any host 224.0.0.10

* OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.5; also talks to 224.0.0.6 for DR/BDR routers

access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6

* HSRP : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.2. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?

access-list 101 permit udp any host 224.0.0.2 eq 1985

* HSRP version 2 : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.102.

access-list 101 permit udp any host 224.0.0.102 eq 1985

* RIP : Runs on UDP/520 from the source interface IP to the multicast address of 224.0.0.9

access-list 101 permit udp any host 224.0.0.9 eq 520

* VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.18

access-list 101 permit 112 any host 224.0.0.18

* VRRP-E : This is a Foundry thing according to readers, and runs on UDP/8888 from the source interface IP to the multicast address of 224.0.0.2

access-list 101 permit udp any host 224.0.0.2 eq 8888

* GLBP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.102

access-list 101 permit udp any host 224.0.0.102

* DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).

access-list 101 permit udp any host 255.255.255.255 eq 67
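A wrong group address in one of these lines is accepted by IOS and simply never matches, which shows up later as a neighbour or standby relationship that will not form, while a port operator on a protocol that has no ports (such as protocol 112) is rejected at the prompt. Here is an added Python check (my own code, not from the original list) that parses entries of this shape and compares each against the protocol, destination and port its bullet names. The reference table is taken from the bullets above; the GLBP port, UDP/3222, is my addition since the note gives none, and two of the sample entries are constructed mistakes to show the findings.

```python
# Added example (not part of the original notes): parse the 'access-list 101'
# entries above and check each one against the protocol, group address and
# port the accompanying bullet states. The reference table is taken from the
# notes; the GLBP port (UDP/3222) is my addition, since the note gives none.
import re

LINE_RE = re.compile(
    r"^access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?$"
)

# name -> (ip protocol keyword or number, allowed destination(s), port or None)
EXPECTED = {
    "BGP":    ("tcp",   {"192.168.0.1"}, 179),
    "EIGRP":  ("eigrp", {"224.0.0.10"}, None),
    "OSPF":   ("ospf",  {"224.0.0.5", "224.0.0.6"}, None),
    "HSRP":   ("udp",   {"224.0.0.2"}, 1985),
    "HSRPv2": ("udp",   {"224.0.0.102"}, 1985),
    "RIP":    ("udp",   {"224.0.0.9"}, 520),
    "VRRP":   ("112",   {"224.0.0.18"}, None),
    "VRRP-E": ("udp",   {"224.0.0.2"}, 8888),
    "GLBP":   ("udp",   {"224.0.0.102"}, 3222),   # port added by me, not in the notes
    "DHCP":   ("udp",   {"255.255.255.255"}, 67),
}


def parse(line):
    """Split one 'access-list <n> permit|deny ...' line into its fields.
    Only the 'any' / 'host X' address forms used in the list above are handled."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACL syntax: {line!r}")
    fields = m.groupdict()
    fields["src"] = fields["src"].replace("host ", "")
    fields["dst"] = fields["dst"].replace("host ", "")
    fields["port"] = int(fields["port"]) if fields["port"] else None
    return fields


def check(name, line):
    """Return a list of findings; an empty list means the entry matches the
    reference for the protocol named in the bullet."""
    e = parse(line)
    exp_proto, exp_dst, exp_port = EXPECTED[name]
    findings = []
    # IOS only accepts a port operator on tcp or udp entries
    if e["port"] is not None and e["proto"] not in ("tcp", "udp"):
        findings.append(f"'eq {e['port']}' is only valid with tcp or udp, not {e['proto']}")
    if e["proto"] != exp_proto:
        findings.append(f"protocol {e['proto']} but {name} uses {exp_proto}")
    if e["dst"] not in exp_dst:
        findings.append(f"destination {e['dst']} but {name} talks to {sorted(exp_dst)}")
    if exp_port is not None and e["port"] != exp_port:
        findings.append(f"port {e['port']} but {name} uses {exp_port}")
    return findings


# (protocol named in the bullet, ACL line): the list above plus two
# constructed mistakes, marked below, to show what the check catches
ENTRIES = [
    ("BGP",    "access-list 101 permit tcp any host 192.168.0.1 eq 179"),
    ("EIGRP",  "access-list 101 permit eigrp any host 224.0.0.10"),
    ("OSPF",   "access-list 101 permit ospf any host 224.0.0.5"),
    ("OSPF",   "access-list 101 permit ospf any host 224.0.0.6"),
    ("HSRP",   "access-list 101 permit udp any host 224.0.0.2 eq 1985"),
    ("HSRPv2", "access-list 101 permit udp any host 224.0.0.2 eq 1985"),   # constructed: v1 group
    ("RIP",    "access-list 101 permit udp any host 224.0.0.9 eq 520"),
    ("VRRP",   "access-list 101 permit 112 any host 224.0.0.18"),
    ("VRRP-E", "access-list 101 permit 112 any host 224.0.0.2 eq 8888"),   # constructed: eq on 112
    ("GLBP",   "access-list 101 permit udp any host 224.0.0.102"),
    ("DHCP",   "access-list 101 permit udp any host 255.255.255.255 eq 67"),
]


def audit(entries=ENTRIES):
    """Return only the entries that produced findings, keyed by their line."""
    return {line: check(name, line) for name, line in entries if check(name, line)}


if __name__ == "__main__":
    for line, findings in audit().items():
        print(line)
        for finding in findings:
            print("   ", finding)
```

Running the file prints three entries: the HSRPv2 line pointed at the version 1 group, the VRRP-E line with a port operator on protocol 112, and the GLBP line, which the check flags only because it permits every UDP port to 224.0.0.102 rather than the one GLBP uses.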

Christian Dinh's Photos


Christian Dinh's Blog

Christian Dinh

Problems/Issues Installing E2K7 Mailbox Role

Many websites/blogs/forums provide steps to upgrade from E2K/E2K3 to E2k7/E2k10, but not all of them provide the workarounds or the possible problems that emerge during the upgrade. Credit goes to Henrik Walther (from msexchange.org) for providing detailed tutorials for transitioning Exchange 2k/2k3 to 2k7. The following are some issues/errors I've stumbled on while transitioning from E2k3 (Ent SP2 32-bit) to E2k7 (Ent 64-bit). …

Posted on April 15, 2010 at 6:13pm

Comment Wall (2 comments)

At 5:09pm on April 14, 2010, Wesley "Nonapeptide" said…
Hello Christian! Welcome to the SysAdmin Network! Nice to have you here. =)
At 8:48pm on June 24, 2010, Wesley "Nonapeptide" said…
Unfortunately, I don't know much about Cisco stuff. Sorry. =(

I've always wanted to get into the gutsy parts of networking, but most of my responsibilities involve higher level application level stuff.

© 2012   Created by Elizabeth Ayer and Michael Francis.   Powered by .
