Networking, Security & Cloud Knowledge

Tuesday, February 28, 2012

029 - Configuring Cisco ASA 5505

Configuration example: Cisco ASA 5505
Description:
The device has eight 10/100 Ethernet ports, E0/0 to E0/7; the last two, E0/6 and E0/7, are PoE ports.




Licensing:

  • Base License
    • 3 VLANs
    • Supports three security zones (inside, outside, dmz), but with a communication restriction between the DMZ and INSIDE:
      the third VLAN is only accepted if it is configured with "no forward interface" towards one of the other VLANs, so the inside VLAN is permitted to initiate traffic to the DMZ, but the DMZ cannot initiate traffic to the inside.
    • No VLAN trunk ports
    • No failover redundancy

  • Security Plus License
    • Up to 20 VLANs, trunk ports allowed
    • Failover redundancy (Active/Standby, stateless)
    • Dual ISP support


To verify the serial number and license type of the ASA 5505 (in the output below, "VLANs : 3 DMZ Restricted", "VLAN Trunk Ports : 0" and "Failover : Disabled" are what identify a Base license):

ciscoasa# show activation-key
Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.

Clear the configuration on the ASA 5505
ASA5505# write erase

Reset the ASA 5505 to factory default
ASA5505(config)# configure factory-default

Note: factory default settings
  • DHCP server is enabled on the inside interface; the outside interface obtains its address as a DHCP client
  • Preconfigured with two VLANs:
    • VLAN 1 - switch ports E0/1 - E0/7 (inside, trusted interface)
    • VLAN 2 - switch port E0/0 (outside, untrusted interface)
  • Internal (inside) IP address is 192.168.1.1


To set the privileged-level password (enable password); save it afterwards with write memory or it is lost at the next reload
ASA5505(config)# enable password mysecretpassword

Configure the private inside interface
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 10.0.0.1 255.255.255.0

ASA5505(config)# interface e0/1
ASA5505(config-if)# switchport access vlan 1

Configure the public outside interface
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0

ASA5505(config)# interface e0/0
ASA5505(config-if)# switchport access vlan 2

Configure the DMZ interface (Base license)
With the Base license the third VLAN is only accepted if it is first restricted with "no forward interface", and that command must be entered before nameif. Here VLAN 3 (dmz) may not initiate traffic to VLAN 1 (inside), while inside can still reach the DMZ. The DMZ uses the RFC 1918 range 172.16.0.0/24:
ASA5505(config)# interface vlan 3
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 172.16.0.1 255.255.255.0

ASA5505(config)# interface e0/2
ASA5505(config-if)# switchport access vlan 3

If the ISP is going to provide the IP address of the outside interface by DHCP, configure it as follows:
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute

Note: "ip address dhcp setroute" obtains the address by DHCP and also installs the ISP's router (the DHCP-supplied gateway) as the default route, so no static default route is needed in that case.

interface e0/0
 switchport access vlan 2

To enable ASDM (HTTPS) management access to the ASA from the internal subnet 10.0.0.0/24 only; keep the http statement limited to the management subnet and never allow it on the outside interface
http server enable
http 10.0.0.0 255.255.255.0 inside

Configure a static route to a remote internal subnet 10.10.10.0/24
The directly connected inside subnet 10.0.0.0/24 needs no static route. A route is only needed for a subnet behind another router on the inside network, and the ASA route command takes the next-hop IP address, not an interface name (10.0.0.2 is assumed here to be that router):
route inside 10.10.10.0 255.255.255.0 10.0.0.2

Configure the default route to reach the outside (Internet)
route outside 0.0.0.0 0.0.0.0 192.168.1.2

Configure a static route to a subnet behind the DMZ
Again the directly connected 172.16.0.0/24 needs no route; only a subnet behind a router on the DMZ does (172.16.1.0/24 via a DMZ router at 172.16.0.2 is assumed as the example):
route dmz 172.16.1.0 255.255.255.0 172.16.0.2

To configure a DHCP pool for the inside subnet
The pool must lie within the inside subnet configured above (10.0.0.0/24), and on the ASA 5505 the pool size is capped by the host license (32 addresses with the 10-user Base license, 128 with 50 users, 256 with unlimited):
dhcpd address 10.0.0.2-10.0.0.33 inside
dhcpd enable inside
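As an added check (example code written for this post, not Cisco's tooling or the original author's), the following Python script audits a small ASA 5505 configuration for the mistakes that are easy to make in the commands above: a route whose next hop is an interface name instead of an IP address, a DHCP pool that does not lie inside the interface's subnet or exceeds the license cap, and a third VLAN on the Base license without "no forward interface". The sample configuration is constructed here and deliberately contains those errors; the pool caps per host license are the ones from Cisco's DHCP server guidelines for the 5505.

```python
import ipaddress
import re

# Constructed sample, not a capture from a real ASA: the lines this post builds
# up, with three mistakes left in on purpose (route via an interface name, DHCP
# pool outside the inside subnet and too large for the 10-host license, and no
# 'no forward interface' on the DMZ VLAN).
SAMPLE_CONFIG = """\
interface vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface vlan 2
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface vlan 3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.2
route inside 10.10.10.0 255.255.255.0 ethernet 0/1
dhcpd address 192.168.1.2-192.168.1.50 inside
dhcpd enable inside
"""

# Largest DHCP pool per ASA 5505 host license (Cisco DHCP server guidelines);
# keys mirror the "Inside Hosts" line of show activation-key.
DHCP_POOL_LIMIT = {"10": 32, "50": 128, "unlimited": 256}

def parse_interfaces(config):
    """Map nameif -> {'network', 'no_forward'} for every 'interface vlan N' block."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if re.match(r"interface vlan \d+$", line):
            cur = {"network": None, "no_forward": False}
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # any non-indented line ends the interface block
            continue
        parts = line.split()
        if parts[0] == "nameif":
            ifaces[parts[1]] = cur  # same dict; later lines in the block still update it
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4 and parts[2] != "dhcp":
            cur["network"] = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
        elif parts[:3] == ["no", "forward", "interface"]:
            cur["no_forward"] = True
    return ifaces

def check_routes(config, ifaces):
    """ASA 'route' takes a next-hop IP address; an interface name in that position is wrong."""
    problems = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] != ["route"] or len(parts) < 5:
            continue
        ifname, dest, gw = parts[1], parts[2], parts[4]
        try:
            gw_addr = ipaddress.IPv4Address(gw)
        except ValueError:
            problems.append(f"route {ifname} {dest}: gateway must be an IP address, not '{gw}'")
            continue
        net = ifaces.get(ifname, {}).get("network")
        if net is not None and gw_addr not in net:
            problems.append(f"route {ifname} {dest}: gateway {gw} is not on subnet {net}")
    return problems

def check_dhcp_pools(config, ifaces, inside_hosts="10"):
    """The pool must lie inside the named interface's subnet and within the license cap."""
    problems = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["dhcpd", "address"] or len(parts) < 4:
            continue
        lo, hi = (ipaddress.IPv4Address(a) for a in parts[2].split("-"))
        net = ifaces.get(parts[3], {}).get("network")
        if net is None or lo not in net or hi not in net:
            problems.append(f"dhcpd: pool {lo}-{hi} is not inside the {parts[3]} subnet ({net})")
        size = int(hi) - int(lo) + 1
        if size > DHCP_POOL_LIMIT[inside_hosts]:
            problems.append(f"dhcpd: pool of {size} addresses exceeds the {inside_hosts}-host cap")
    return problems

def check_base_license_vlans(ifaces):
    """Base license: a third VLAN is only accepted if restricted with 'no forward interface'."""
    if len(ifaces) >= 3 and not any(i["no_forward"] for i in ifaces.values()):
        return ["base license: third VLAN needs 'no forward interface vlan N' before nameif"]
    return []

def audit(config, base_license=True, inside_hosts="10"):
    """Return all findings for a config; an empty list means it passed."""
    ifaces = parse_interfaces(config)
    findings = check_routes(config, ifaces) + check_dhcp_pools(config, ifaces, inside_hosts)
    if base_license:
        findings += check_base_license_vlans(ifaces)
    return findings
```

Running audit(SAMPLE_CONFIG) reports four findings; replacing the interface name in the route with the router's IP, moving the pool into 10.0.0.0/24 with at most 32 addresses, and adding "no forward interface vlan 1" under interface vlan 3 brings the list down to empty. The parser only understands the handful of commands used on this page; it is a check for these particular pitfalls, not a general ASA configuration linter.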

Sunday, February 26, 2012

028 Password Recovery CISCO ASA 5505 Security Appliance

Password recovery procedure for the Cisco ASA 5505 Security Appliance (console access is required).

1. Power-cycle the security appliance by unplugging and re-plugging the power cable.
2. Press Esc to interrupt the boot process and enter ROM Monitor mode.
      You will see the rommon prompt (rommon #0>).
3. Enter the confreg command to view the current configuration register setting:
                  rommon #0> confreg
4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance asks whether you want to make changes to the configuration register; answer no when prompted.
5. Change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration upon boot:
                  rommon #1> confreg 0x41
6. Reset the appliance with the boot command:
                  rommon #2> boot
7. The security appliance ignores the saved configuration, and once it has booted the following User Mode prompt appears:
 ciscoasa>
8. Enter the enable command to enter Privileged Mode. When the appliance prompts for a password, simply press Enter (no password is set at this point):
ciscoasa> enable
Password:
ciscoasa#
9. Copy the startup configuration into the running configuration; this restores the saved configuration (interfaces, rules and the old passwords) so that only the password needs changing:
ciscoasa# copy startup-config running-config
10. Enter the following commands to change the Privileged Mode password:
asa# conf t
asa(config)# enable password abcd
11. Change the configuration register back to the default of 0x01 so that the ASA reads its startup configuration on boot:
asa(config)# config-register 0x01
12. Verify the configuration change:
asa(config)# exit
asa# show version
Note: At the bottom of the output of the show version command you should see the following statement: Configuration register is 0x41 (will be 0x1 at next reload)
13. Save the current configuration:
asa# copy run start
Source filename [running-config]?
14. Reload the security appliance:
asa# reload
System config has been modified. Save? [Y]es/[N]o: yes
Cryptochecksum: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX

2149 bytes copied in 1.480 secs (2149 bytes/sec)
Proceed with reload? [confirm]

Note: this procedure also shows that anyone with console access can take over the appliance and read its full configuration. Where physical access to the console cannot be trusted, configure "no service password-recovery"; the appliance then refuses to boot past a saved configuration with a changed register unless the configuration is erased first.

Saturday, February 18, 2012

027-BGP - Border Gateway Protocol

Introduction to BGP:

  • Path vector protocol
  • Administrative distance: eBGP = 20, iBGP = 200
  • Transport: TCP, port 179 (the side that opens the session uses an ephemeral source port and connects to port 179 on the peer)
  • Authentication: MD5 (the TCP MD5 signature option, RFC 2385, enabled per peer with neighbor x.x.x.x password ...); with it a router discards any segment for the session, including a spoofed RST, that is not signed with the shared secret

BGP Attribute Categories
  • Well-known mandatory (WM) - must be supported by every implementation and must be included in every routing update
  • Well-known discretionary (WD) - must be supported but need not be included in a routing update
  • Optional transitive (OT) - need not be supported; an implementation that does not recognize the attribute still passes it on to its peers, marked as partial
  • Optional nontransitive (ON) - need not be supported; an implementation that does not recognize the attribute ignores it and does not pass it on


BGP Attributes
    1. Weight - Cisco proprietary and not a real BGP attribute: a 16-bit value known only to the local router and never sent to peers
    2. Origin (WM) - The source of the route (IGP, EGP or incomplete, preferred in that order)
    3. AS Path (WM) - An ordered list of the ASs the route has traversed
    4. Next Hop (WM) - The next-hop address for the route
    5. Local Preference (WD) - Communicated between iBGP peers to favor one exit from the AS
    6. Multi Exit Discriminator (ON) - Advertised to eBGP peers to indicate the preferred entrance into the local AS
    7. Atomic Aggregate (WD) - Notes that route summarization has been performed
    8. Aggregator (OT) - Identifies the router and AS where summarization was performed
    9. Community (OT) - Provides route tagging capability
    10. Originator ID (ON) - Set by a route reflector; identifies the router that originated the route inside the AS
    11. Cluster List (ON) - Records the route reflector clusters the route has traversed
 NOTE:
An AS Path can be one of two types as distinguished by its type code:
  • AS Sequence - an ordered list
  • AS Set - an unordered list
An AS Set is used to record the AS numbers that would otherwise be lost when aggregation is performed. The Atomic Aggregate
attribute does not have to be included to indicate that aggregation has been performed if an AS Set is
included.




BGP Path Selection Process:

Only paths whose NEXT_HOP is reachable are candidates. Cisco routers then compare the candidates for a prefix in the following order and stop at the first step that differs:

    1. Weight - highest preferred (local to the router)
    2. LOCAL_PREF - highest preferred
    3. Locally originated paths (network, aggregate-address or redistribute) are preferred over learned ones
    4. AS_PATH - shortest preferred
    5. ORIGIN - IGP preferred over EGP, EGP over incomplete
    6. MED - lowest preferred (by default only compared between paths from the same neighboring AS)
    7. eBGP paths preferred over iBGP paths
    8. Lowest IGP metric to the BGP next hop
    9. Lowest BGP router ID of the advertising router
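The decision process above, implemented in Python as an added example (written for this post, not taken from any vendor's code). It applies the steps in the order a Cisco router uses, including the default rule that MED is only compared between paths learned from the same neighboring AS, and it reports which step decided. The candidate paths are constructed with documentation prefixes and private AS numbers; the oldest-path tie-breaker is simplified to "keep the existing best".

```python
from dataclasses import dataclass

# Origin codes in order of preference (lower is better).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One candidate path for a prefix, carrying the attributes the decision uses."""
    prefix: str
    next_hop: str
    weight: int = 0            # Cisco-local, never carried in UPDATEs
    local_pref: int = 100      # default LOCAL_PREF on Cisco routers
    locally_originated: bool = False
    as_path: tuple = ()        # AS_SEQUENCE as a tuple of AS numbers, nearest first
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0        # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"


def _rid(rid):
    """Router IDs compare numerically per octet, not as strings."""
    return tuple(int(octet) for octet in rid.split("."))


# Decision steps in Cisco order. Each key maps a path to a value where LOWER is
# better, so "highest weight wins" becomes "-weight".
STEPS = [
    ("weight (highest)", lambda p: -p.weight),
    ("local_pref (highest)", lambda p: -p.local_pref),
    ("locally originated", lambda p: 0 if p.locally_originated else 1),
    ("as_path (shortest)", lambda p: len(p.as_path)),
    ("origin (igp < egp < incomplete)", lambda p: ORIGIN_RANK[p.origin]),
    ("med (lowest)", lambda p: p.med),
    ("ebgp over ibgp", lambda p: 0 if p.ebgp else 1),
    ("igp metric to next hop (lowest)", lambda p: p.igp_metric),
    ("router id (lowest)", lambda p: _rid(p.router_id)),
]


def compare(a, b):
    """Return (winner, deciding step) for two paths to the same prefix."""
    for name, key in STEPS:
        # By default MED is only compared between paths learned from the same
        # neighboring AS (first AS in AS_PATH); 'bgp always-compare-med' lifts that.
        if name.startswith("med") and a.as_path[:1] != b.as_path[:1]:
            continue
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a, name) if ka < kb else (b, name)
    return a, "tie (existing path kept)"


def best_path(paths):
    """Fold the comparison over all candidates; returns (best, last deciding step)."""
    best, why = paths[0], "only candidate"
    for cand in paths[1:]:
        best, why = compare(best, cand)
    return best, why


# Constructed candidates for 203.0.113.0/24 (a documentation prefix) as seen by
# a router in AS 64500 with two links to AS 64501 and one to AS 64502.
CANDIDATES = [
    Path("203.0.113.0/24", "198.51.100.1", as_path=(64501, 64510), med=20, router_id="10.0.0.1"),
    Path("203.0.113.0/24", "198.51.100.2", as_path=(64501, 64510), med=5, router_id="10.0.0.2"),
    Path("203.0.113.0/24", "198.51.100.3", as_path=(64502, 64520, 64510), router_id="10.0.0.3"),
]

if __name__ == "__main__":
    best, why = best_path(CANDIDATES)
    print(f"best path via {best.next_hop}, decided by: {why}")
```

With the constructed candidates the two AS 64501 paths are separated by MED (5 beats 20) and the survivor then beats the AS 64502 path on AS_PATH length. Raising LOCAL_PREF on the AS 64502 path, which is what an inbound route-map would do, overrides the shorter AS_PATH, and a non-zero Weight overrides everything else on that router alone.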

Friday, February 17, 2012

030 SQL commands

Introduction to SQL

  • SQL is the standard language for accessing and manipulating relational databases.
  • SQL is an ANSI (American National Standards Institute) standard, but every product implements its own dialect, so some of the commands below differ between vendors.
To build a web site that shows some data from a database, you will need the following:
  • An RDBMS database program (e.g. MS Access, SQL Server, MySQL)
  • A server-side scripting language, like PHP or ASP
  • SQL
  • HTML / CSS

RDBMS: Relational Database Management System.

  • RDBMS is the basis for SQL and for all modern database systems such as MS SQL Server, IBM DB2, Oracle, MySQL, and Microsoft Access.
  • The data in an RDBMS is stored in database objects called tables.
  • A table is a collection of related data entries and consists of columns and rows.

SQL Command Summary:

CREATE DATABASE
CREATE DATABASE database_name

CREATE TABLE
CREATE TABLE table_name
(
column_name1 data_type,
column_name2 data_type,
column_name3 data_type,
...
)

UPDATE
UPDATE table_name
SET column1=value, column2=value,...
WHERE some_column=some_value
Note: without the WHERE clause, UPDATE changes every row in the table.

ALTER TABLE
ALTER TABLE table_name
ADD column_name datatype
OR
ALTER TABLE table_name
DROP COLUMN column_name

SELECT
SELECT column_name(s)
FROM table_name

SELECT ALL
SELECT * FROM table_name

SELECT DISTINCT
SELECT DISTINCT column_name(s)
FROM table_name

WHERE
SELECT column_name(s)
FROM table_name
WHERE column_name operator value

AND / OR
SELECT column_name(s)
FROM table_name
WHERE condition
AND | OR condition

BETWEEN
SELECT column_name(s)
FROM table_name
WHERE column_name
BETWEEN start_value AND end_value

ORDER BY
SELECT column_name(s)
FROM table_name
ORDER BY column_name [ASC | DESC]

LIKE
SELECT column_name(s)
FROM table_name
WHERE column_name LIKE pattern

DELETE
DELETE FROM table_name
WHERE column_name=specific_value
Note:
DELETE FROM table_name  OR  DELETE * FROM table_name
deletes every row in the table (the table itself remains); the DELETE * form is non-standard and accepted by MS Access.

DROP DATABASE
DROP DATABASE database_name

DROP TABLE
DROP TABLE table_name

SELECT TOP
SELECT TOP number | percent column_name(s)
FROM table_name
Note: TOP is SQL Server / MS Access syntax; MySQL uses LIMIT number and Oracle uses ROWNUM for the same purpose.
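The commands above, exercised in Python as an added example (not part of the original post) against an in-memory SQLite database with a constructed users table. It also shows the point that matters once these queries are built from web-form input, which is the setup the introduction describes: the same WHERE clause built by string concatenation versus with a bound parameter, and what the classic input ' OR '1'='1 does to each. The table, rows and function names are all assumptions made for this example.

```python
import sqlite3


def build_demo_db():
    """In-memory SQLite database with a constructed users table (sample rows, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id   INTEGER PRIMARY KEY,
            name TEXT,
            city TEXT,
            age  INTEGER
        );
        INSERT INTO users (name, city, age) VALUES
            ('alice', 'Oslo',   31),
            ('bob',   'Bergen', 45),
            ('carol', 'Oslo',   28);
    """)
    return conn


def names_in_city_unsafe(conn, city):
    """WHERE built by string concatenation: the caller's text becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE city = '" + city + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def names_in_city_safe(conn, city):
    """Same query with a bound parameter: the value is data and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE city = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (city,))]


def names_with_age_between(conn, low, high):
    sql = "SELECT name FROM users WHERE age BETWEEN ? AND ? ORDER BY age ASC"
    return [row[0] for row in conn.execute(sql, (low, high))]


def names_like(conn, pattern):
    sql = "SELECT name FROM users WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def distinct_cities(conn):
    return [row[0] for row in conn.execute("SELECT DISTINCT city FROM users ORDER BY city")]


def move_user(conn, name, city):
    """UPDATE with a WHERE clause; returns the number of rows changed."""
    return conn.execute("UPDATE users SET city = ? WHERE name = ?", (city, name)).rowcount


def delete_user(conn, name):
    return conn.execute("DELETE FROM users WHERE name = ?", (name,)).rowcount


def delete_all_users(conn):
    """No WHERE clause: empties the whole table, exactly the case the note above warns about."""
    conn.execute("DELETE FROM users")


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR '1'='1"
    print("unsafe:", names_in_city_unsafe(db, payload))  # every row leaks
    print("safe:  ", names_in_city_safe(db, payload))    # no such city, empty result
```

The concatenated version turns the payload into WHERE city = '' OR '1'='1', which is true for every row; the parameterized version looks for a city literally named ' OR '1'='1 and finds nothing. Every query that takes user input should be written the parameterized way, whatever the scripting language or RDBMS.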

026- Converting Lightweight AP to Autonomous AP

To convert an access point from lightweight (LWAPP) mode to autonomous mode by loading a Cisco IOS release from a TFTP server (autonomous images carry k9w7 in the file name, lightweight images k9w8):


Step 1: Set up your PC
  • Install a TFTP server on your PC.
  • Assign the PC a static IP address in the range 10.0.0.2 to 10.0.0.30; the access point looks for a TFTP server in that range while in recovery mode.
  • Ensure file extensions are visible. From Windows Explorer, click Tools > Folder Options > View; then uncheck the Hide extensions for known file types check box.


Step 2: Prepare the IOS image
  • Copy the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) into the TFTP server folder and activate TFTP. Set the timeout value on the TFTP server to 30 seconds.
  • Rename the access point image file in the TFTP server folder to
    • c1200-k9w7-tar.default for a 1200 series access point,
    • c1130-k9w7-tar.default for an 1130 series access point,
    • c1240-k9w7-tar.default for a 1240 series access point, and
    • c1250-k9w7-tar.default for a 1250 series access point.


Step 3: Upload the IOS image
  • Disconnect power from the access point.
  • Connect the PC to the access point using a crossover cable.
  • Press and hold MODE while you reconnect power to the access point. Keep holding the MODE button until the status LED turns red (approximately 20 to 30 seconds), then release it.
  • Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.


Step 4: Configure the autonomous AP
  • After the access point reboots it is running with a default configuration, so reconfigure it, including new management credentials, using the GUI or the CLI.





 



    Thursday, February 9, 2012

    025- Networking Mnemonics

    Mnemonics for Networking


    The 7 layers of the OSI model
    Application
    Presentation
    Session
    Transport
    Network
    Data Link
    Physical


    All People Seem To Need Data Processing


    BGP Route selection process.


    Weight (Highest is better)
    LOCAL_PREF (Highest is better)
    Originated Locally
    AS_PATH (shortest)
    ORIGIN Type (IGP is lower than EGP and EGP is lower than Incomplete)
    MED (lowest is better)
    Paths (eBGP preferred over iBGP)
    RID (Router ID - lowest is better)


    We Love Oranges AS Oranges Mean Pure Refreshment


    Syslog Message types


    Emergency (0)
    Alert (1)
    Critical (2)
    Error (3)
    Warning (4)
    Notifications (5)
    Information (6)
    Debug (7)


    "Emergency Alert & Critical Error Warning Notifies Information Bug"




    DHCP process


    Discover
    Offer
    Request
    Acknowledge


    DORA