Categories
HostMonitor Linux Network Monitoring Networking Windows

Network Monitoring With Advanced Host Monitor by KS-Soft

HostMonitor is highly scalable network monitoring software, suitable for small and enterprise-level networks alike.

You will probably say, “There are dozens of programs like this.” That is right! But check what HostMonitor offers and compare its power and flexibility to its surprisingly low price:
  • using 62 test methods this software can check almost any parameter of your servers;
  • highly flexible action profiles allow you to start actions in predefined order depending on the test results;
  • HostMonitor creates various log files using different detail levels and file formats (Text, HTML, DBF and ODBC);
  • built-in Report Manager allows you to create and customize reports to your liking in a variety of ways;
  • using Remote Monitoring Agents for Windows, FreeBSD, Linux, NetBSD, OpenBSD and Solaris you may easily monitor remote networks;
  • Web Service, Telnet Service and Remote Control Console simplify remote management;
  • and this is not all…  Advanced Host Monitor does much more!  
I have been using HostMonitor for years and love it.  It is flexible, easy to use and won’t break the bank.  Check it out.
Categories
ethernet FREE FTP Grep Linux Networking NGrep Packet Sniffing SSH Utility Windows WinDump WinPCap WireShark

FREE Windows Utilities for Sniffing


WinDump
WinDump is an exceptionally powerful command-line packet sniffer. Ported over from the source of the Tcpdump utility available for UNIX, WinDump carries over the same power and flexibility to the Windows world, all in a lightweight executable.
WinDump is a helpful utility when you need to do some quick and easy packet capturing to diagnose a network problem. It’s flexible, and it can capture and display details about every packet going across the network interface. It can filter the output results based on protocol (e.g., Address Resolution Protocol—ARP, IP, TCP, UDP), source network or host, destination network or host, source port, destination port, and many other criteria.
To use WinDump, you’ll first need to download and install the Windows Packet Capture Library (WinPcap), the Windows port of the open-source packet-capture and network-analysis library libpcap for UNIX. WinPcap was written for the Windows versions of its day and is no longer maintained; on current Windows releases install its successor Npcap instead, which offers a WinPcap-compatible mode and is what Wireshark now ships with.
After you install WinPcap, you can download the standalone WinDump executable. To launch WinDump, simply run it from the command line with the appropriate options for what you’d like to capture or read. You’ll find the online manual for WinDump here.
The first command you might want to execute is WinDump -D, which displays a list of the interfaces available on your computer together with a number for each, so that you can determine which interface to use for your sniffing. Once you know which interface to use, pass that number with the -i option (e.g., WinDump -i 3 if interface 3 is the one you want) to start viewing packet data in real time. (Because these are ports of UNIX utilities, the command-line switches are case-sensitive.)
Ngrep
Although WinDump is a tremendous utility, sometimes it requires a considerable amount of overhead or knowledge to determine what you’re looking for. For example, suppose you’re trying to find out whether a DNS query is making it across your network, but you aren’t familiar with the protocols and ports that DNS uses by default. Or, suppose a lot of traffic is coming across a network connection, and you’re finding it too cumbersome to work through all the packets just to find the one particular packet you’re looking for. For such situations, enter ngrep, the network-aware grep utility.
If you aren’t familiar with grep, it’s probably one of the most widely known and oft-utilized UNIX utilities. Grep finds matching text strings (through a mechanism known as regular expressions) in files on a file system, then outputs the lines to the display. You might compare grep with the Windows command-line Find utility, but grep differs by providing an exceptional amount of power in its search for text strings.
By applying these capabilities to the network layer, ngrep provides the same level of functionality for packet sniffing. As a result, you don’t need to know what protocols, ports, network, or IP addresses that two devices are using to transfer data. You just need to know something about the packet’s payload, and ngrep will find it for you—regardless of how it’s transmitted.
Ngrep is great for troubleshooting DNS query problems. In a large Active Directory (AD) environment, dozens of DNS queries typically cross the network every second. If I’m trying to troubleshoot a specific problem, searching each packet to find the one I’m looking for is cumbersome at best. Instead of relying on a straight packet capture of all DNS traffic, I can simply use ngrep to find the text string I’m looking for, because DNS names travel unencrypted in both queries and responses. One wrinkle: on the wire each label is prefixed by a length byte instead of being separated by dots, so a pattern such as www.example.com only matches because the unescaped regex dot is a wildcard that happens to match the length byte; escape the dots, or use a fixed-string match, and ngrep will not find the name.
Ngrep currently recognizes ICMP, IGMP, Raw, TCP, and UDP protocols across 802.11, Ethernet, FDDI, PPP, SLIP, Token Ring, and null interfaces. Like WinDump it requires the WinPcap library to operate properly.
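The point about plain-text DNS deserves a closer look, because ngrep matches bytes, not hostnames. The following shell script is an added example, not code from the original article or from the ngrep project; it constructs a DNS question section inline and uses GNU grep -a in place of ngrep's regex engine, so it runs with no capture interface at all. The function names (dns_question, match_regex, match_fixed, match_labels) are my own.

```shell
#!/bin/sh
# Added example, not from the original article: what a DNS question looks like
# on the wire and why that matters for an ngrep pattern.  GNU grep -a stands
# in for ngrep's regex engine so the demo runs without a capture interface.

# Constructed question section for "www.example.com", type A, class IN.  Each
# label is prefixed with its length and there are no dots in the packet:
#   \003 w w w \007 e x a m p l e \003 c o m \000  \000\001 \000\001
dns_question() {
    printf '\003www\007example\003com\000\000\001\000\001'
}

# Regex match, as ngrep does by default.  A '.' in the pattern is a wildcard,
# so it matches the length byte sitting where the dot would be.
match_regex() {
    dns_question | grep -a -q -E "$1"
}

# Fixed-string match: the literal dots never appear in the packet, so
# "www.example.com" is not found.  The same happens with escaped dots
# ('www\.example\.com') in a regex.
match_fixed() {
    dns_question | grep -a -q -F "$1"
}

# Precise form: match the length bytes themselves, so that unrelated payloads
# such as "wwwXexampleYcom" do not produce false hits.
match_labels() {
    dns_question | grep -a -q -F "$(printf '\003www\007example\003com')"
}

for p in 'www.example.com' 'www\.example\.com'; do
    if match_regex "$p"; then echo "regex '$p': hit"; else echo "regex '$p': miss"; fi
done
if match_fixed 'www.example.com'; then echo "fixed: hit"; else echo "fixed: miss"; fi
if match_labels; then echo "labels: hit"; else echo "labels: miss"; fi
```

With ngrep itself the equivalent is ngrep -q 'www.example.com' udp port 53: the unescaped dots are what make it work, and the same pattern with escaped dots would miss every query.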
WireShark (formerly Ethereal)
When you face a situation in which you need to roll up your sleeves and dive as deeply as possible into network capture and analysis, one utility needs to come to mind: the world’s most popular network analyzer, WireShark. Network experts around the world use WireShark because it has all the standard features you’ll find in most protocol analyzers, in addition to some you won’t find in any other product. More than 400 developers around the world have made contributions to this open-source application. A decade ago, you would have to pay thousands of dollars for software that had the same capabilities, but WireShark offers it all free.
WireShark can capture data off your network connection, filter the data, dive into the details of each packet, save the packet capture for detailed analysis, send packet captures to other network engineers (or vendors) to help with debugging, and open packet captures from many other leading packet-capture utilities. WireShark can capture data off of various network transports, such as Classical IP over ATM (CIP), Ethernet, Fiber Distributed Data Interface (FDDI), Point-to-Point Protocol (PPP), Token Ring, 802.11, and loopback interfaces (although it doesn’t support all types on every platform). Across all those network transports, WireShark can “dissect” more than 750 protocol types, including FTP, HTTP, NetBIOS, POP3, remote procedure call (RPC), SNMP, SSH, SMTP, and Telnet, just to name a few.
Like the other sniffing utilities I’ve mentioned, WireShark depends on an installation of WinPcap (or Npcap on current Windows) to function properly, so you’ll need to install that first. Then, after you install the latest Wireshark distribution for Windows, simply access the Capture, Interfaces menu and select the interface you want to start using for capture. Then, you’re ready to start analyzing your traffic.
Categories
ethernet Linux Networking

View Ethernet Statistics in Linux



You need the following two commands:

  • ifconfig command – Display all interfaces which are currently available.
  • netstat command – Display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Both belong to the net-tools package, which current distributions no longer install by default; ip -s link and ss from iproute2 show the same per-interface counters and socket tables, and the ss example at the end of this post works on any current system.

ifconfig example

Type the following command:
/sbin/ifconfig eth0

OR
/sbin/ifconfig -a

OR
ifconfig

Sample output:

eth0      Link encap:Ethernet  HWaddr 00:19:d1:2a:ba:a8
inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::219:d1ff:fe2a:baa8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1948632 errors:0 dropped:0 overruns:0 frame:0
TX packets:1559234 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000
RX bytes:2366493974 (2.3 GB) TX bytes:388339315 (388.3 MB)
Memory:e3180000-e31a0000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:27378 errors:0 dropped:0 overruns:0 frame:0
TX packets:27378 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3046452 (3.0 MB) TX bytes:3046452 (3.0 MB)

netstat Command Example

To display a table of all network interfaces, including received and sent packet counters, enter:

 
netstat -i

Sample outputs:

Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 1955323 0 0 0 1563543 0 0 0 BMRU
lo 16436 0 27472 0 0 0 27472 0 0 0 LRU

Display Summary Statistics For Each Protocol

Type the following command:

 
netstat -s

Sample output:

Ip:
2025059 total packets received
21 with invalid addresses
0 forwarded
0 incoming packets discarded
2024996 incoming packets delivered
1568954 requests sent out
5 outgoing packets dropped
60 reassemblies required
30 packets reassembled ok
5 fragments failed
Icmp:
225 ICMP messages received
13 input ICMP message failed.
ICMP input histogram:
destination unreachable: 89
timeout in transit: 71
echo replies: 65
146 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 79
echo request: 67
IcmpMsg:
InType0: 65
InType3: 89
InType11: 71
OutType3: 79
OutType8: 67
Tcp:
20603 active connections openings
99 passive connection openings
1125 failed connection attempts
352 connection resets received
17 connections established
1983950 segments received
1475010 segments send out
51436 segments retransmited
0 bad segments received.
38462 resets sent
Udp:
40292 packets received
62 packets to unknown port received.
0 packet receive errors
42369 packets sent
UdpLite:
TcpExt:
16 invalid SYN cookies received
2 packets pruned from receive queue because of socket buffer overrun
4956 TCP sockets finished time wait in fast timer
128 packets rejects in established connections because of timestamp
45978 delayed acks sent
5 delayed acks further delayed because of locked socket
Quick ack mode was activated 6369 times
21 packets directly queued to recvmsg prequeue.
13099 bytes directly received in process context from prequeue
1435761 packet headers predicted
9 packets header predicted and directly queued to user
133229 acknowledgments not containing data payload received
38661 predicted acknowledgments
5170 times recovered from packet loss by selective acknowledgements
2 bad SACK blocks received
Detected reordering 1 times using FACK
Detected reordering 2 times using SACK
Detected reordering 2 times using time stamp
3 congestion windows fully recovered without slow start
3 congestion windows partially recovered using Hoe heuristic
9 congestion windows recovered without slow start by DSACK
3521 congestion windows recovered without slow start after partial ack
7455 TCP data loss events
TCPLostRetransmit: 402
6 timeouts after reno fast retransmit
2810 timeouts after SACK recovery
673 timeouts in loss state
10164 fast retransmits
111 forward retransmits
7138 retransmits in slow start
15322 other TCP timeouts
878 SACK retransmits failed
125 packets collapsed in receive queue due to low socket buffer
8425 DSACKs sent for old packets
167 DSACKs sent for out of order packets
1244 DSACKs received
13 DSACKs for out of order packets received
1779 connections reset due to unexpected data
104 connections reset due to early user close
247 connections aborted due to timeout
TCPSACKDiscard: 1
TCPDSACKIgnoredOld: 650
TCPDSACKIgnoredNoUndo: 463
TCPSpuriousRTOs: 31
TCPSackShifted: 5988
TCPSackMerged: 14413
TCPSackShiftFallback: 11127
IpExt:
InMcastPkts: 556
OutMcastPkts: 433
InBcastPkts: 473
InOctets: -1923455127
OutOctets: 368984572
InMcastOctets: 73654
OutMcastOctets: 50857
InBcastOctets: 40987

The negative InOctets value is a display artifact, not a real byte count: this netstat build prints the counter as a signed 32-bit integer, so it goes negative once the interface has received more than 2 GB.

ss command – Display Quick Stats

Type the following command:

 
ss -s

Sample outputs:

ss -s
Total: 767 (kernel 824)
TCP: 123 (estab 15, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total IP IPv6
* 824 - -
RAW 1 1 0
UDP 6 5 1
TCP 123 121 2
INET 130 127 3
FRAG 0 0 0
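Reading these counters by eye works for one box; for a fleet you want the same check scripted. The following shell function is an added example, not part of the original post: it reads the per-interface counters from /proc/net/dev, which is where ifconfig and netstat -i get them, and reports any interface whose error, drop, overrun, frame, collision or carrier counters are non-zero, exiting non-zero so it can be used from cron or a monitoring agent. The sample file and the interface eth1 in it are constructed for the demo; netdev_errors and write_sample_netdev are my own names.

```shell
#!/bin/sh
# Added example, not part of the original post: flag interfaces whose
# error/drop counters are non-zero.  Reads /proc/net/dev, the source of the
# RX/TX errors, dropped, overruns, frame, collisions and carrier fields that
# ifconfig and netstat -i print.

netdev_errors() {
    # $1: a file in /proc/net/dev format (defaults to the live one).
    # Splitting on ':' also copes with older kernels that print "eth0:1234"
    # with no space after the colon.
    awk -F: 'NR > 2 {
        iface = $1; gsub(/^[ \t]+/, "", iface)
        split($2, f, " ")
        # Receive:  f[1]=bytes f[2]=packets f[3]=errs f[4]=drop f[5]=fifo(overruns) f[6]=frame
        # Transmit: f[9]=bytes f[10]=packets f[11]=errs f[12]=drop f[13]=fifo f[14]=colls f[15]=carrier
        bad = f[3] + f[4] + f[5] + f[6] + f[11] + f[12] + f[13] + f[14] + f[15]
        if (bad > 0) {
            printf "%s rx_err=%s rx_drop=%s rx_over=%s rx_frame=%s tx_err=%s tx_drop=%s tx_over=%s colls=%s carrier=%s\n", iface, f[3], f[4], f[5], f[6], f[11], f[12], f[13], f[14], f[15]
            found = 1
        }
    }
    END { exit found ? 1 : 0 }' "${1:-/proc/net/dev}"
}

# Constructed sample in /proc/net/dev layout: lo and eth0 healthy (the values
# from the ifconfig output above), eth1 dropping received frames and seeing
# collisions, so the check can be exercised without a misbehaving NIC.
write_sample_netdev() {
    cat > "$1" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 3046452   27378    0    0    0     0          0         0  3046452   27378    0    0    0     0       0          0
  eth0: 2366493974 1948632    0    0    0     0          0         0 388339315 1559234    0    0    0     0       0          0
  eth1:   91234567  812345    0  317    0     0          0         0  45678901  701234    0    0    0    42       0          0
EOF
}

sample=$(mktemp)
write_sample_netdev "$sample"
netdev_errors "$sample" || echo "interface(s) with errors found (exit $?)"
rm -f "$sample"
```

Run it without an argument to check the live system; a non-zero RX drop count usually means the kernel could not keep up (see netdev_max_backlog later on this page), while collisions or carrier errors on a switched network point at a duplex or cabling problem.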
Categories
Linux Networking TCP/IP Ubuntu

Linux Change MTU Size

How do I change MTU size under Linux?

Jumbo frames need support from the NIC and from every switch and router in the path. If you transfer large amounts of data at gigabit speeds, raising the default MTU of 1500 to 9000 reduces per-packet overhead and can provide a noticeable performance gain.

Changing the MTU size with ifconfig command

In order to change the MTU size, use /sbin/ifconfig command as follows:

ifconfig ${Interface} mtu ${SIZE} up
ifconfig eth1 mtu 9000 up

Note that this only works if every device in the path, the network interface card as well as the switches and routers, accepts frames of that size; a single port left at 1500 silently drops or fragments the larger frames. ifconfig belongs to the deprecated net-tools package; the ip link command from iproute2 performs the same change on current distributions.

Changing the MTU size permanently under CentOS / RHEL / Fedora Linux

Edit /etc/sysconfig/network-scripts/ifcfg-eth0 (on RHEL 8 and later, interfaces are managed by NetworkManager and the legacy network service that reads these files is no longer installed by default), enter
# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Add MTU, settings:
MTU="9000"

Save and close the file. Restart networking:
# service network restart

Note for IPV6 set dedicated MTU as follows:
IPV6_MTU="1280"

Changing the MTU size permanently under Debian / Ubuntu Linux

Edit /etc/network/interfaces, enter:
# vi /etc/network/interfaces

Add an mtu line inside the stanza of the interface in question (indented under its iface line), for example:
mtu 9000

Save and close the file. Restart the networking, enter:
# /etc/init.d/networking restart

Changing the MTU size permanently (other Linux distros)

Edit /etc/rc.local and add the following line:

/sbin/ifconfig eth1 mtu 9000 up
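Setting the MTU on one interface does not prove that the path carries 9000-byte frames. The script below is an added example, not part of the original post: it sends pings with the DF bit set (Linux iputils ping -M do) and a payload that fills the frame, then binary-searches for the largest MTU that gets through. The iproute2 equivalent of the ifconfig command above is ip link set dev eth1 mtu 9000. The function names and the host 192.168.2.1 in the usage comment are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a jumbo MTU works
# along the whole path instead of trusting the interface setting.  Pings are
# sent with the DF bit set (iputils "ping -M do") and a payload that fills
# the frame; a hop still at 1500 answers "Frag needed" or drops the probe.

# ICMP payload that exactly fills an IPv4 frame of the given MTU:
# MTU - 20 (IPv4 header) - 8 (ICMP header).  For IPv6 subtract 40 + 8.
mtu_payload() {
    echo $(( $1 - 28 ))
}

# One probe: exit 0 if a DF-flagged ping sized for MTU $2 reaches host $1.
# Output is discarded; only the verdict matters to the search below.
probe_mtu() {
    ping -M do -c 1 -W 2 -s "$(mtu_payload "$2")" "$1" >/dev/null 2>&1
}

# Binary search for the largest MTU that passes, between lo and hi.
# lo is assumed to pass (1280 is the IPv6 minimum; 576 is safe for IPv4).
find_path_mtu() {
    host=$1; lo=${2:-1280}; hi=${3:-9000}
    if probe_mtu "$host" "$hi"; then echo "$hi"; return 0; fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_mtu "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Usage: after "ip link set dev eth1 mtu 9000" on both ends,
#   find_path_mtu 192.168.2.1 1280 9000
# prints 9000 if every hop passes jumbo frames, otherwise the largest size
# that does (typically 1500 when a switch port was left at its default).
if [ $# -ge 1 ]; then find_path_mtu "$1" 1280 9000; fi
```

Run it from the server towards the peer you intend to move large files to; if it reports 1500 after you set 9000 on both ends, the problem is in the switching path, not on the hosts.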
Categories
Linux Networking Windows

Adding persistant static routes in linux

Let’s say that you have a box that lives on subnet 172.16.16.0 /24. Your default route is set in /etc/sysconfig/network as 172.16.16.1, as shown below:

NETWORKING=yes
HOSTNAME=testbox.domain.com
GATEWAY=172.16.16.1

Now you need to get to network 1.2.3.0 /24 using gateway 172.16.16.250 and network 45.67.89.0 /24 using gateway 172.16.16.254. One option is to add those routes manually with the following commands:

SYNTAX
# route add [-net|-host] <target> netmask <mask> gw <gateway> [dev <interface>]

EXAMPLES
route add -net 1.2.3.0 netmask 255.255.255.0 gw 172.16.16.250
route add -net 45.67.89.0 netmask 255.255.255.0 gw 172.16.16.254

This will work in the short term, and can be double-checked using the route command; sample output is shown below:

Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.16.0 * 255.255.255.0 U 0 0 0 eth0
1.2.3.0 172.16.16.250 255.255.255.0 UG 0 0 0 eth0
45.67.89.0 172.16.16.254 255.255.255.0 UG 0 0 0 eth0
default 172.16.16.1 0.0.0.0 UG 0 0 0 eth0

NOTE: once the machine is rebooted, those static routes will disappear, as they live only in the kernel's routing table and are not recreated on startup.

To add a persistent static route in Red Hat Enterprise Linux or CentOS, create a file called route-<interface> (for example route-eth0) in the /etc/sysconfig/network-scripts/ directory. As you would expect, there is a separate file for each interface that needs routes.

In this particular case, we will be creating a file called ‘route-eth0’ in /etc/sysconfig/network-scripts in order to make those routes persistent through reboot, and populating it with the information shown below

vi /etc/sysconfig/network-scripts/route-eth0
1.2.3.0/24 via 172.16.16.250
45.67.89.0/24 via 172.16.16.254

Once that file has been modified, run the following command to restart the network:

service network restart

After that, run the route command again (route -n, or ip route on systems without net-tools) and make sure that your routes are in place. The route command itself belongs to the deprecated net-tools package; ip route add does the same job on any current distribution.
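Hand-converting netmasks to prefix lengths is where typos creep into route-ethX files. The script below is an added example, not part of the original post: it takes the same NET MASK GW triples as the route add commands above, validates each netmask, converts it to a prefix length and writes the route-<interface> file atomically. The function names are mine, and DIR is a parameter so the demo can write to a temporary directory instead of /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example, not part of the original post: build the
# /etc/sysconfig/network-scripts/route-<iface> file from the same arguments
# you would give "route add -net NET netmask MASK gw GW", validating the
# netmask on the way so a typo does not become a permanent bad route.

# Dotted netmask to prefix length: 255.255.255.0 -> 24.  Fails (exit 1) on
# malformed or non-contiguous masks such as 255.0.255.0.
mask2prefix() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    IFS=. read -r a b c d <<EOF
$1
EOF
    [ -n "$d" ] || return 1                       # fewer than four octets
    case $d in *.*) return 1 ;; esac              # more than four octets
    for o in "$a" "$b" "$c" "$d"; do [ "$o" -le 255 ] || return 1; done
    bits=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    n=0
    while [ $(( bits & 2147483648 )) -ne 0 ]; do  # count leading one bits
        n=$((n + 1)); bits=$(( (bits << 1) & 4294967295 ))
    done
    [ "$bits" -eq 0 ] || return 1                 # a 0 bit followed by 1 bits
    echo "$n"
}

# "NET MASK GW" -> "NET/PREFIX via GW", the syntax route-<iface> expects.
route_line() {
    p=$(mask2prefix "$2") || { echo "bad netmask: $2" >&2; return 1; }
    echo "$1/$p via $3"
}

# write_route_file IFACE DIR NET MASK GW [NET MASK GW ...]
# DIR is /etc/sysconfig/network-scripts on a real system.  The file is built
# in a temp file and moved into place only if every route parsed.
write_route_file() {
    iface=$1; dir=$2; shift 2
    tmp=$(mktemp "$dir/route-$iface.XXXXXX") || return 1
    while [ $# -ge 3 ]; do
        route_line "$1" "$2" "$3" >> "$tmp" || { rm -f "$tmp"; return 1; }
        shift 3
    done
    mv "$tmp" "$dir/route-$iface"
}

# Usage (the routes from the post):
#   write_route_file eth0 /etc/sysconfig/network-scripts \
#       1.2.3.0 255.255.255.0 172.16.16.250 \
#       45.67.89.0 255.255.255.0 172.16.16.254
```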

Categories
Linux Networking Performance

Linux Tune Network Stack (Buffers Size) To Increase Networking Performance

I have two servers located in two different data centers. Both servers deal with a lot of concurrent large file transfers, but network performance is very poor for large files and degrades further as file size grows. How do I tune TCP under Linux to solve this problem?

By default the Linux network stack is not configured for high speed large file transfer across WAN links. This is done to save memory resources. You can easily tune Linux network stack by increasing network buffers size for high-speed networks that connect server systems to handle more network packets.

The default maximum Linux TCP buffer sizes are too small for high bandwidth-delay paths. The overall TCP memory budget (tcp_mem) is calculated automatically from system memory; you can see the current values by typing the following commands:
$ cat /proc/sys/net/ipv4/tcp_mem

The default and maximum amount for the receive socket memory:
$ cat /proc/sys/net/core/rmem_default
$ cat /proc/sys/net/core/rmem_max

The default and maximum amount for the send socket memory:
$ cat /proc/sys/net/core/wmem_default
$ cat /proc/sys/net/core/wmem_max

The maximum amount of option memory buffers:
$ cat /proc/sys/net/core/optmem_max

Tune values

Set the maximum socket send buffer (wmem_max) and receive buffer (rmem_max) to 12 MB. These two values cap what an application may request with SO_SNDBUF/SO_RCVBUF; they are not allocated to every socket up front, and the ceiling that TCP autotuning can grow to comes from the third field of tcp_rmem/tcp_wmem below. 12 MB is roughly the bandwidth-delay product of a 1 Gbit/s path with 100 ms of RTT, so size these for your own link rather than copying the number blindly.

WARNING! The default value of rmem_max and wmem_max is about 128 KB on older kernels (212992 bytes on current ones), which is enough for a low-latency general purpose network or for apps such as a DNS or Web server. However, if the latency is large, the default size is too small. The following settings increase the memory the kernel may hand to sockets. Note also that each echo >> line below appends to /etc/sysctl.conf every time it is run; run them once, or put the settings in a file under /etc/sysctl.d/ and check for duplicate keys afterwards, because the last occurrence wins silently.



# echo 'net.core.wmem_max=12582912' >> /etc/sysctl.conf
# echo 'net.core.rmem_max=12582912' >> /etc/sysctl.conf

You also need to set the minimum, default and maximum autotuning sizes in bytes for the TCP receive and send buffers (the middle value is what a new socket starts with; the third value, not rmem_max, is the ceiling autotuning can grow to):
# echo 'net.ipv4.tcp_rmem= 10240 87380 12582912' >> /etc/sysctl.conf
# echo 'net.ipv4.tcp_wmem= 10240 87380 12582912' >> /etc/sysctl.conf

Turn on window scaling, which lets the receive window exceed 64 KB (it is enabled by default on every modern kernel, so this line only makes the intent explicit):
# echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf

Enable TCP timestamps as defined in RFC 1323 (now RFC 7323); they improve RTT estimation and protect against wrapped sequence numbers on fast links. They also let a remote party estimate the host's uptime from the timestamp clock, a small fingerprinting concern that is usually accepted:
# echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf

Enable selective acknowledgments (SACK), so that a single lost segment does not force retransmission of everything sent after it:
# echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf

By default, TCP saves various connection metrics (RTT, ssthresh, cwnd) in the route cache when a connection closes, so that connections to the same destination in the near future can use them as initial conditions. Usually this improves performance, but after a transient problem it can pin a destination to poor values. With the setting below, TCP does not cache metrics from closing connections.

# echo 'net.ipv4.tcp_no_metrics_save = 1' >> /etc/sysctl.conf

Set maximum number of packets, queued on the INPUT side, when the interface receives packets faster than kernel can process them.

# echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf


Now reload the changes:

# sysctl -p


Use tcpdump on eth0 to confirm the options are being negotiated: the TCP options in a SYN and SYN-ACK list sackOK, TS and wscale when SACK, timestamps and window scaling are in use (buffer sizes themselves never appear on the wire):

# tcpdump -ni eth0
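Rather than copying 12 MB, size the buffers from the bandwidth-delay product of your own link and keep the result in one drop-in file. The script below is an added example, not part of the original post: bdp_bytes computes the BDP from bandwidth in Mbit/s and RTT in ms, write_tcp_tuning writes a sysctl drop-in with the same keys the post sets, and lint_sysctl catches the duplicate keys that repeated echo >> runs leave behind and checks that each tcp_rmem/tcp_wmem triple is ordered. The file name 90-tcp-tuning.conf and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post: size TCP buffers from the
# bandwidth-delay product (BDP) and write them as a sysctl drop-in.
# The post's 12 MB is roughly the BDP of a 1 Gbit/s path with 100 ms RTT.

# Bytes needed in flight to keep the link busy: bandwidth (Mbit/s) x RTT (ms).
# mbps * 1e6 / 8 bytes per second, times ms / 1000 seconds == mbps * ms * 125
bdp_bytes() {
    echo $(( $1 * $2 * 125 ))
}

# Round up to a multiple of 4 KiB (one page) for tidiness.
round_page() {
    echo $(( ($1 + 4095) / 4096 * 4096 ))
}

# write_tcp_tuning MBPS RTT_MS [DIR]: write DIR/90-tcp-tuning.conf
# (DIR defaults to /etc/sysctl.d) and print the computed maximum.
write_tcp_tuning() {
    max=$(round_page "$(bdp_bytes "$1" "$2")")
    dir=${3:-/etc/sysctl.d}
    cat > "$dir/90-tcp-tuning.conf" <<EOF
# Generated for ${1} Mbit/s x ${2} ms RTT (BDP rounded: ${max} bytes)
net.core.rmem_max = ${max}
net.core.wmem_max = ${max}
# min / default / max for autotuning; the third value is the real ceiling
net.ipv4.tcp_rmem = 4096 87380 ${max}
net.ipv4.tcp_wmem = 4096 16384 ${max}
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 5000
EOF
    echo "$max"
}

# lint_sysctl FILE: exit 1 if a key appears twice (sysctl silently keeps the
# last one) or a tcp_rmem/tcp_wmem triple is not min <= default <= max.
lint_sysctl() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = $1; gsub(/[ \t]/, "", key); val = $2 }
        seen[key]++ { print "duplicate key: " key; bad = 1 }
        key ~ /tcp_[rw]mem$/ {
            if (split(val, v, " ") != 3 || v[1]+0 > v[2]+0 || v[2]+0 > v[3]+0) {
                print "bad min/default/max triple: " $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}
```

Load a drop-in with sysctl --system, since sysctl -p on its own reads only /etc/sysctl.conf; a 100 Mbit/s link with 20 ms RTT needs only about 250 KB, which is why a blanket 12 MB wastes memory on most servers.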

Categories
Lefthand Linux Networking Passwords SAN Windows

Lefthand SAN Remote Access

To access the iLO port on a Lefthand NSM 2120 built on the HP DL320s hardware, use the following credentials.

username – sanmon
password – sanmon

https://nodeIP:2381

These are the vendor defaults and are public knowledge; change them on first login, and keep the management port on a dedicated management network that ordinary users cannot reach.

Categories
Cisco Encryption Firewall Linux Networking Passwords SSH SSL VPN Windows Windows 2000

Creating Client SSL VPN on Cisco ASAs

Introduction

This document describes how to allow remote access VPN connections to the ASA from the Cisco AnyConnect 2.0 client.
Prerequisites
Requirements

Ensure that you meet these requirements before you attempt this configuration:

* Basic ASA configuration that runs software version 8.0
* ASDM 6.0(2)

Components Used

The information in this document is based on these software and hardware versions:

* Cisco ASA 8.0(2), ASDM 6.0 (2)
* Cisco AnyConnect 2.0
Background Information

The Cisco AnyConnect 2.0 client is an SSL-based VPN client. The AnyConnect client can be utilized and installed on a variety of operating systems, such as Windows 2000, XP, Vista, Linux (multiple distributions) and Mac OS X. The AnyConnect client can be installed manually on the remote PC by the system administrator. It can also be loaded onto the security appliance and made ready for download to remote users. After the application is downloaded, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections. This example makes the AnyConnect client ready to download upon successful browser-based SSL authentication.

For more information on the AnyConnect 2.0 client, refer to AnyConnect 2.0 Release Notes.

Note: MS Terminal Services is not supported in conjunction with the AnyConnect client. You cannot RDP to a computer and then initiate an AnyConnect session. You cannot RDP to a client that is connected via AnyConnect.

Note: The first installation of AnyConnect requires the user to have admin rights (whether you use the standalone AnyConnect msi package or push the pkg file from the ASA). If the user does not have admin rights, a dialog box appears that states this requirement. Subsequent upgrades will not require the user that installed AnyConnect previously to have admin rights.

Configure
Step 1. Configure a Self-Issued Certificate

By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase your own certificate from vendors, such as Verisign or Entrust, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted. Complete this step in order to generate a self-issued certificate that persists when the device is rebooted. Keep in mind that clients do not trust a self-issued certificate, so users see a certificate warning on every connection and learn to click through it; a certificate from a CA the clients already trust, issued for the VPN FQDN, avoids that.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Certificate Management, and then choose Identity Certificates.
3. Click Add, and then click the Add a new identity certificate radio button.
4. Click New.
5. In the Add Key Pair dialog box, click the Enter new key pair name radio button.
6. Enter a name to identify the key pair. This example uses sslvpnkeypair.
7. Click Generate Now.
8. In the Add Identity Certificate dialog box, ensure the newly created key pair is selected.
9. For Certificate Subject DN, enter the fully qualified domain name (FQDN) that will be used to connect to the VPN terminating interface, for example CN=sslvpn.cisco.com.
10. Click Advanced, and enter the same FQDN used for the Certificate Subject DN field. For example, FQDN: sslvpn.cisco.com.
11. Click OK.
12. Check the Generate Self Signed Certificate check box, and click Add Certificate.
13. Click OK.
14. Click Configuration, and then click Remote Access VPN.
15. Expand Advanced, and choose SSL Settings.
16. In the Certificates area, choose the interface that will be used to terminate the SSL VPN (outside), and click Edit.
17. In the Certificate drop-down list, choose the self-signed certificate that you generated earlier.
18. Click OK, and then click Apply.

Step 2. Upload and Identify the SSL VPN Client Image

This document uses the AnyConnect SSL 2.0 client. You can obtain this client at the Cisco Software Download Website. A separate Anyconnect image is required for each operating system that remote users plan to use. For more information, refer to Cisco AnyConnect 2.0 Release Notes.

Once you obtain the AnyConnect client, complete these steps:

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Client Settings.
4. In the SSL VPN Client Images area, click Add, and then click Upload.
5. Browse to the location where you downloaded the AnyConnect client.
6. Select the file, and click Upload File. Once the client uploads, you receive a message that states the file was uploaded to flash successfully.
7. Click OK. A dialog box appears to confirm that you want to use the newly uploaded image as the current SSL VPN client image.
8. Click OK.
9. Click OK, and then click Apply.
10. Repeat the steps in this section for each operating system-specific AnyConnect package that you want to use.

Step 3. Enable Anyconnect Access

In order to allow the AnyConnect client to connect to the ASA, you must enable access on the interface that terminates SSL VPN connections. This example uses the outside interface in order to terminate Anyconnect connections.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then choose SSL VPN Connection Profiles.
3. Check the Enable Cisco AnyConnect VPN Client check box.
4. Check the Allow Access check box for the outside interface, and click Apply.

Step 4. Create a new Group Policy

A group policy specifies the configuration parameters that should be applied to clients when they connect. This example creates a group policy named SSLClientPolicy.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and choose Group Policies.
3. Click Add.
4. Choose General, and enter SSLClientPolicy in the Name field.
5. Uncheck the Address Pools Inherit check box.
6. Click Select, and then click Add. The Add IP Pool dialog box appears.
7. Configure the address pool from an IP range that is not currently in use on your network. This example uses these values:
   * Name: SSLClientPool
   * Starting IP Address: 192.168.25.1
   * Ending IP Address: 192.168.25.50
   * Subnet Mask: 255.255.255.0
8. Click OK.
9. Choose the newly created pool, and click Assign.
10. Click OK, and then click More Options.
11. Uncheck the Tunneling Protocols Inherit check box.
12. Check SSL VPN Client.
13. In the left pane, choose Servers.
14. Uncheck the DNS Servers Inherit check box, and enter the IP address of the internal DNS server that the AnyConnect clients will use. This example uses 192.168.50.5.
15. Click More Options.
16. Uncheck the Default Domain Inherit check box.
17. Enter the domain used by your internal network. For example, tsweb.local.
18. Click OK, and then click Apply.

Step 5. Configure Access List Bypass for VPN Connections

When you enable this option, SSL and IPsec VPN clients bypass the access list applied to the interface on which they terminate. That is convenient, but it also means the outside interface ACL no longer limits what VPN users can reach; if you need to restrict VPN users, attach a vpn-filter ACL to the group policy rather than relying on the interface ACL.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Bypass Interface Access List.
4. Ensure the Enable inbound SSL VPN and IPSEC Sessions to bypass interface access lists check box is checked, and click Apply.

Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections

When VPN clients connect to the ASA, they connect to a connection profile or tunnel group. The tunnel group is used to define connection parameters for specific types of VPN connections, such as IPsec L2L, IPsec remote access, clientless SSL, and client SSL.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand SSL VPN.
3. Choose Connection Profiles, and click Add.
4. Choose Basic, and enter these values:
   * Name: SSLClientProfile
   * Authentication: LOCAL
   * Default Group Policy: SSLClientPolicy
5. Ensure the SSL VPN Client Protocol check box is checked.
6. In the left pane, expand Advanced, and choose SSL VPN.
7. Under Connection Aliases, click Add, and enter a name to which users can associate their VPN connections. For example, SSLVPNClient.
8. Click OK, and then click OK again.
9. At the bottom of the ASDM window, check the Allow user to select connection, identified by alias in the table above at login page check box, and click Apply.

Step 7. Configure NAT Exemption for AnyConnect Clients

NAT exemption should be configured for any IP addresses or ranges you want to allow the SSL VPN clients to access. In this example, the SSL VPN clients need access to the internal IP 192.168.50.5 only.

Note: If NAT-control is not enabled, this step is not required. Use the show run nat-control command to verify. In order to verify through ASDM, click Configuration, click Firewall, and choose Nat Rules. If the Enable traffic through the firewall without address translation check box is checked, you can skip this step.

ASDM Procedure

1. Click Configuration, and then click Firewall.
2. Choose Nat Rules, and click Add.
3. Choose Add NAT Exempt Rule, and enter these values:
   * Action: Exempt
   * Interface: inside
   * Source: 192.168.50.5
   * Destination: 192.168.25.0/24
   * NAT Exempt Direction: NAT Exempt outbound traffic from interface ‘inside’ to lower security interfaces (Default)
4. Click OK, and then click Apply.

Step 8. Add Users to the Local Database

If you use local authentication (the default), you must define user names and passwords in the local database for user authentication.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand AAA Setup, and choose Local Users.
3. Click Add, and enter these values:
   * Username: matthewp
   * Password: p@ssw0rd
   * Confirm Password: p@ssw0rd
4. Select the No ASDM, SSH, Telnet or Console Access radio button. This restricts the account to VPN use, so a VPN user's credentials cannot be used to manage the appliance.
5. Click OK, and then click Apply.
6. Repeat this step for additional users, and then click Save.

Verify SSL VPN Client Connections

Use the show vpn-sessiondb svc command in order to verify connected SSL VPN clients.

ciscoasa(config-group-policy)#show vpn-sessiondb svc

Session Type: SVC

Username : matthewp Index : 6
Assigned IP : 192.168.25.1 Public IP : 172.18.12.111
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 35466 Bytes Rx : 27543
Group Policy : SSLClientPolicy Tunnel Group : SSLClientProfile
Login Time : 20:06:59 UTC Tue Oct 16 2007
Duration : 0h:00m:12s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

ciscoasa(config-group-policy)#

The RC4 cipher in this output is an ASA 8.0-era default; RC4 has since been prohibited for TLS (RFC 7465) and later ASA releases no longer offer it, so on a current release restrict the SSL cipher list to AES suites.

The vpn-sessiondb logoff name username command logs off users by user name. An Administrator Reset message is sent to the user when disconnected.

ciscoasa(config)#vpn-sessiondb logoff name matthewp
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name “matthewp” logged off : 1

ciscoasa(config)#

Categories
Linux Mac Networking Windows Windows 2003

Mac connect to Windows File Share

By default, Windows 2003 Server domain controllers have “Microsoft network server: Digitally sign communications (always)” set to “Enabled”. This is the likely cause of Macs failing to authenticate with “error = -5000” when trying to connect via CIFS or SMB (Samba), because the Mac client in question does not negotiate SMB signing.

To change this on a given domain controller, go to “Start” -> “Administrative Tools” -> “Domain Controller Security Policy” (not Domain Policy) and look for “Security Settings” -> “Local Policies” -> “Security Options” -> “Microsoft network server: Digitally sign communications (always)”. It should show “Enabled” by default. Double-click on it and set it to “Disabled”.

Then close the app, click on Start | Run, enter the command ‘gpupdate’ to refresh group policy and hit Enter.

Be aware of what this trades away: required signing is what stops SMB traffic to the domain controller from being tampered with or relayed by anyone on the path, and disabling it weakens every client's sessions with that DC, not just the Macs'. Prefer a Mac client version that supports SMB signing; if you must relax the setting, do it on a member file server rather than on the domain controllers, and re-enable it once the clients are updated.

You should now be able to use the “Go” > “Connect to Server” command in Finder to map to a share as shown below:

cifs://SERVER/SHARE

Categories
Cisco Linux Networking Windows

Manually assigning IP Information for a Cisco Catalyst 2960 (or other Cisco Switch)

Step 1 – Enter global configuration mode:

configure terminal

Step 2 – Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The range is 1 to 4094.

interface vlan <vlan-id>

Step 3 – Enter the IP address and subnet mask.

ip address <ip-address> <subnet-mask>

Step 4 – Return to global configuration mode.

exit

Step 5 – Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch.

ip default-gateway <ip-address>

Once the default gateway is configured, the switch has connectivity to the remote networks with which a host needs to communicate.

Note: When your switch is configured to route IP (a Layer 3 switch with IP routing enabled), it does not need a default gateway; it uses a default static route instead.

Step 6 – Return to privileged EXEC mode.

end

Step 7 – Verify the configured IP address.

show interfaces vlan <vlan-id>

Step 8 – Verify the configured default gateway.

show ip redirects

Step 9 – (Optional) Save your work in the configuration file.

copy running-config startup-config – OR – copy ru st – OR – wr mem