Cisco: Aironet 1242G Autonomous AP Configuration 
Cisco 1242G Access Point Configuration (AIR-LAP1242G-A-K9), Image: c1240-k9w7-mx.124-21a.JA1 Autonomous AP
/*reset everything: write erase wipes the startup config, reload boots with factory defaults*/
ap#write erase
ap#reload
ap>en
Password: Cisco //default enable password; replace it with enable secret once the AP is configured
ap#

/*configure AP's ip address*/
ap#config t
ap(config)#interface BVI1
ap(config-if)#ip address 192.168.0.100 255.255.255.0
ap(config-if)#no shut

/*name servers, default gateway and domain (the domain name is also required before the RSA key can be generated)*/
ap(config)#ip name-server 4.2.2.2 8.8.8.8
ap(config)#ip default-gateway 192.168.0.1
ap(config)#ip domain name example.com

/* configure ssid */
ap(config)#dot11 ssid 1242G
ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2 //WPA2
ap(config-ssid)#wpa-psk ascii 123456789 //psk: 8-63 ASCII chars; a short numeric one like this is a lab placeholder, use a long random passphrase
ap(config-ssid)#guest-mode //broadcasts the ssid in beacons

/* associate ssid 1242G to the radio: set the cipher before binding the ssid, the AP refuses a WPA ssid on a radio with no cipher */
ap(config)#interface dot11radio 0
ap(config-if)#encryption mode ciphers aes-ccm //CCMP, the WPA2 cipher; do not add tkip
ap(config-if)#ssid 1242G //if the radio stays down afterwards, no shutdown it

/*ssh config: hostname and ip domain name must be set before the key can be generated*/
ap(config)#username admin secret <strong-password> //create the local user first, from the console, so enabling aaa cannot lock you out; "secret" stores a hash, the original "password admin" stores it reversibly
ap(config)#crypto key generate rsa modulus 2048 //the original entry chose 1024, which is no longer adequate
ap(config)#aaa new-model
ap(config)#aaa authentication login default local //use the local database for all logins

/*default web (HTTP) login*/
admin/Cisco //change it; the web interface answers to this until you do
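Management-plane hardening for the same AP, added here and not part of the original entry. The enable secret and timeouts are assumptions; the commands are standard IOS as shipped on autonomous Aironet images.

```cisco
! Added example, not from the original post. Values in <...> are assumptions.
enable secret <new-enable-secret>     ! replaces the default "Cisco"
!
ip ssh version 2                      ! SSHv1 off; uses the RSA key generated above
line vty 0 4
 transport input ssh                  ! no telnet into the AP
 exec-timeout 10 0
line con 0
 exec-timeout 10 0
!
no ip http server                     ! cleartext web UI off ...
ip http secure-server                 ! ... HTTPS only
ip http authentication aaa            ! web login uses the same local users as ssh
!
! check: show ip ssh / show ip http server status
```

After this the only management paths are SSHv2 and HTTPS, both authenticated against the local user database configured with aaa above.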

ASA (8.0): NATting inside hosts through the outside interface (NAT overload in router lingo) 
All hosts in 192.168.1.0/24 will be seen with source 172.16.1.192 on the internet. Also known as PAT.
interface Ethernet0
nameif outside
security-level 0
ip address 172.16.1.192 255.255.255.0

interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

global (outside) 1 interface //pool 1 = the outside interface's own address (PAT); this global/nat syntax is for 8.2 and earlier, 8.3+ uses object NAT
nat (inside) 1 192.168.1.0 255.255.255.0 //inside hosts in this subnet translate via pool 1

//bonus: configure the dns client in the asa (needed for hostnames in ping and for FQDN objects)
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
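The same PAT expressed in the syntax of ASA 8.3 and later, added here as an example and not part of the original entry. The interface names are the page's; the object name is an assumption.

```cisco
! Added example, not part of the original entry: on ASA 8.3+ "global" and
! "nat (inside) 1" no longer exist and NAT is written on a network object.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! On either version: to let inside hosts ping out through PAT, enable ICMP
! inspection so echo replies are matched to their requests.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! verify: show nat detail / show xlate
```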


Minicom: Connecting to Cisco router console port 
1) yum install minicom

2) dmesg | grep -E 'ttyS|ttyUSB' //see which serial ports exist: ttyS0 is the onboard port, ttyUSB0 a USB-to-serial adapter ("ttyp" would match pseudo-terminals, not serial ports)

3) minicom -s //configuration mode

4) select the "Serial port setup" option

5) select "A" and enter the serial port, e.g. /dev/ttyS0 (that's a zero)

6) select "E" and choose "C" and "Q" (9600 bps, 8N1)

7) on the previous screen set "F" (Hardware Flow Control) to NO and "G" (Software Flow Control) to NO: a Cisco console port uses no flow control, and with hardware flow control on you see output but Enter does nothing

8) save setup as CISCO (this writes ~/.minirc.CISCO)

9) run it: [root@localhost ~]# minicom CISCO

======================================================================
2/2016

For the serial port, /dev/ttyS0 worked (that's a zero). Hardware flow control set to NO is what made pressing Enter work: after restarting the AP I noticed messages appearing on screen, but hitting Enter had no effect; changing Hardware Flow Control to NO fixed it.

/dev/ttyUSB0 also worked :)
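The same setup scripted, as an added example that is not part of the original post: one function lists the serial devices named in dmesg (the fix for the "ttyp" grep), the other writes the profile that the minicom -s dialogue above produces, with both flow-control options off. The profile name CISCO, the device paths and the sample dmesg lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Cisco console ports are
# 9600 8N1 with no hardware and no software flow control.

# find_console_devs <dmesg-text>
# Prints the serial devices (ttyS* or ttyUSB*) mentioned in dmesg output,
# one per line, as /dev paths.
find_console_devs() {
    printf '%s\n' "$1" | grep -oE 'tty(S|USB)[0-9]+' | sort -u | sed 's|^|/dev/|'
}

# write_minirc <profile-path> <device>
# Writes a minicom profile for a Cisco console on <device>.
# "minicom CISCO" looks for this file at ~/.minirc.CISCO.
write_minirc() {
    profile="$1"
    dev="$2"
    cat > "$profile" <<EOF
# Machine-generated file - use "minicom -s" to change parameters.
pu port             $dev
pu baudrate         9600
pu bits             8
pu parity           N
pu stopbits         1
pu rtscts           No
pu xonxoff          No
EOF
}

# Constructed sample dmesg lines (not captured from the author's machine).
SAMPLE_DMESG='[    1.234567] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[  812.001234] usb 1-1: pl2303 converter now attached to ttyUSB0'

# Stand-alone run: list the candidates and write a profile for the first one
# into a temporary file (copy it to ~/.minirc.CISCO to use it).
main() {
    devs=$(find_console_devs "$SAMPLE_DMESG")
    echo "serial devices seen in dmesg:"
    echo "$devs"
    first=$(echo "$devs" | head -n 1)
    out=$(mktemp)
    write_minirc "$out" "$first"
    echo "profile for $first written to $out"
    # Without a profile the same session is: minicom -D "$first" -b 9600
}
main
```

Run it against real output with `find_console_devs "$(dmesg)"`; the profile it writes is what steps 4 to 8 leave in ~/.minirc.CISCO.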

IPSec Tunnels with VTIs 
VIRTUAL TUNNEL INTERFACES

Cisco IPsec VTIs are a tool for configuring IPsec-based VPNs between site-to-site devices. An IPsec VTI tunnel provides a designated pathway across a shared WAN and encapsulates traffic with new packet headers, which helps ensure delivery to specific destinations. The network is private because traffic can enter the tunnel only at an endpoint, and IPsec adds confidentiality through encryption as well as integrity and authentication of the carried traffic. With IPsec VTIs, users can provide highly secure connectivity for site-to-site VPNs, and this can be combined with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video and data over IP networks.

BENEFITS:

• Simplifies management: the Cisco IOS Software virtual tunnel constructs let customers configure an IPsec virtual tunnel interface, which reduces VPN configuration complexity and therefore cost, since less local IT support is needed. Existing management applications that monitor interfaces can be used for monitoring as well.

• Supports multicast encryption: IPsec VTIs can carry multicast traffic, control traffic or data traffic (for example, many voice and video applications) securely from one site to another.

• Provides a routable interface: IPsec VTIs support all types of IP routing protocols, so they can connect larger office environments, for example a branch office complete with a private branch exchange (PBX) extension.

• Improves scaling: IPsec VTIs need fewer established security associations to cover different types of traffic, both unicast and multicast.

• Offers flexibility in defining features: an IPsec VTI is its own interface, so features can be applied to either the physical interface or the IPsec tunnel interface.

Source (as of 2013):
http://www.cisco.com/en/US/technologies ... Paper.html
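What the bullets above look like in a configuration, as an added example that is not part of the original post or of the Cisco paper it cites: a site-to-site IPsec VTI between two IOS routers with IKEv1 pre-shared keys. All addresses, names and the PSK placeholder are assumptions.

```cisco
! Added example, not from the original post. Addresses, names and the
! <long-random-psk> placeholder are assumptions.
!
! ===== Site A: WAN 198.51.100.2, LAN 10.0.0.0/24 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14                          ! fall back to group 2 only on images without 14
crypto isakmp key <long-random-psk> address 203.0.113.2
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF      ! replaces the crypto map + crypto ACL pair
 set transform-set VTI-TS
!
interface Tunnel0
 description VTI to Site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400                       ! leave room for ESP overhead, avoid fragmentation
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4            ! this makes it an IPsec VTI rather than GRE
 tunnel protection ipsec profile VTI-PROF
!
! Routing, not an ACL, decides what gets encrypted: anything sent into Tunnel0.
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! ===== Site B: WAN 203.0.113.2, LAN 192.168.1.0/24 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <long-random-psk> address 198.51.100.2
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel0
 description VTI to Site A
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
ip route 10.0.0.0 255.255.255.0 Tunnel0
!
! Verification on either side:
!   show interface Tunnel0     line protocol comes up only once the IPsec SA exists
!   show crypto isakmp sa      QM_IDLE = phase 1 up
!   show crypto ipsec sa       encaps/decaps counters should increase with traffic
```

Because Tunnel0 is an ordinary routed interface, the static routes can be replaced by running EIGRP or OSPF across the tunnel, which is the "multicast encryption" and "routable interface" benefit in practice; the crypto-map style used in the Site-to-Site entry further down this page cannot do that.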


Setting NTP on a Cisco 1721 router 
router#show ver
Cisco IOS Software, C1700 Software (C1700-ADVENTERPRISEK9-M), Version 12.4(7), RELEASE SOFTWARE (fc6)...

router(config)#ntp server 1.gr.pool.ntp.org //a hostname needs a working ip name-server on the router; an IP address avoids the DNS dependency
router(config)#clock timezone PST -8 //Los Angeles :) PST is UTC-8; the original entry used -7, which is the daylight-time (PDT) offset
router(config)#clock summer-time PDT recurring //switches to UTC-7 automatically while daylight time is in effect

router#show clock
18:21:43.570 PST Sat Oct 12 2013 //output from the original -7 setting; with the two lines above an October timestamp is labelled PDT

router# show ntp associations //the peer marked with * is the one the router is synchronized to
router# show ntp status //should report "Clock is synchronized"



Cisco Catalyst 3550 Port Mirroring 
Switch(config)# no monitor session 1 //clear any old session 1 first
Switch(config)# monitor session 1 source interface fastethernet0/1 //mirrors both rx and tx by default
Switch(config)# monitor session 1 destination interface fastethernet0/8 //fa0/8 stops forwarding normal traffic while the session exists; verify with "show monitor session 1"

Cisco 1721 IOS Image Upgrade from ROMMON using TFTP 
//using tftpd32 server on 172.16.1.8
//tftpdnld reads its parameters from ROMMON variables; set any that are not already set (VAR=value, no spaces, e.g. IP_ADDRESS=172.16.1.33) and check them with: set

rommon 36 > TFTP_SERVER=172.16.1.8
rommon 37 > tftpdnld

//tftpdnld echoes the variables it will use and asks for confirmation before erasing flash:
IP_ADDRESS: 172.16.1.33
IP_SUBNET_MASK: 255.255.255.0
DEFAULT_GATEWAY: 172.16.1.1
TFTP_SERVER: 172.16.1.8
TFTP_FILE: c1700-adventerprisek9-mz.124-7.bin

//If you want to boot from the image on the TFTP server without writing it to flash, use: tftpdnld -r
//TFTP is unauthenticated and unencrypted: do this only on an isolated management segment, and after boot compare the image with Cisco's published hash: verify /md5 flash:c1700-adventerprisek9-mz.124-7.bin

Site-to-Site VPN Configuration (Rapido y Furioso :) 
//local network
//LAN IP address: 10.0.0.0 255.255.255.0
//R2 (local router) public address: 23.0.1.2 (the remote side points its ISAKMP key at this address)


crypto isakmp policy 1
 encryption aes 256 //the policy defaults (DES, group 1) are too weak; set cipher and DH group explicitly
 hash sha
 authentication pre-share
 group 14 //use group 2 only if the image has no group 14
exit

crypto isakmp key cisco address 56.2.11.2 //"cisco" is a lab placeholder; use a long random pre-shared key in production

//interesting traffic (extended ACLs need the protocol keyword; match the /24 LAN, not the whole 10/8)
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

//transform set
crypto ipsec transform-set MYSET esp-sha-hmac esp-aes

//crypto map (binds it all together)
crypto map MYMAP 1 ipsec-isakmp
 set transform-set MYSET
 set peer 56.2.11.2
 match address 100
exit

//turn on the policy on the interface with the public address
int fa0/0
 crypto map MYMAP
exit
//if fa0/0 also does NAT overload, exclude the VPN traffic from the NAT ACL (deny 10.0.0.0/24 -> 192.168.1.0/24 before the permit), otherwise it leaves translated and never matches ACL 100


===============================================================================


//remote network
//LAN IP address: 192.168.1.0 255.255.255.0
//R4 (local router) public address: 56.2.11.2


crypto isakmp policy 1
 encryption aes 256 //must match R2's policy
 hash sha
 authentication pre-share
 group 14
exit

crypto isakmp key cisco address 23.0.1.2 //same placeholder key as on R2

//interesting traffic (mirror image of R2's ACL)
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

//transform set
crypto ipsec transform-set OTHER_MYSET esp-sha-hmac esp-aes

//crypto map (binds it all together; the original entry defined MYMAP here but applied OTHER_MYMAP to the interface, so the map was never active)
crypto map OTHER_MYMAP 1 ipsec-isakmp
 set transform-set OTHER_MYSET
 set peer 23.0.1.2
 match address 100
exit

//turn on the policy on the interface with the public address
int fa0/0
 crypto map OTHER_MYMAP
exit


//Now local hosts should be able to ping remote hosts (the first packets may be lost while the tunnel is negotiated)

//verification commands
show crypto ipsec sa //phase 2: the pkts encaps/decaps counters should increase with traffic
//phase 1: show crypto isakmp sa (state QM_IDLE means the IKE SA is up)

/* The IKE phase 1 tunnel is used only between the two edge routers (R2 and R4) so they can talk to each other securely; over it they negotiate the IKE phase 2 tunnel (also called the IPsec tunnel), which is what carries the user traffic. */


: )

Dynamic ACLs (Lock-and-Key ACLs) 
Lock-and-key access lets you set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process (a Telnet login to the router). After the user authenticates, a temporary entry is created in the extended ACL for that host, and it is removed again when its idle or absolute timeout expires.

The ASA equivalent is called cut-through proxy.
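A working lock-and-key setup, added here as an example and not part of the original entry. The interface, addresses, user name, ACL numbers and timeouts are assumptions; the original describes Telnet, and the example uses SSH because the access-enable autocommand works the same way on either and SSH keeps the password off the wire.

```cisco
! Added example, not from the original entry. Names and addresses are assumptions.
username alice secret <strong-password>
!
interface FastEthernet0/0
 description untrusted side
 ip address 198.51.100.1 255.255.255.0
 ip access-group 101 in
!
! Static entry: anyone may reach the router itself to authenticate (SSH here,
! port 23 if you keep Telnet as the original describes).
access-list 101 permit tcp any host 198.51.100.1 eq 22
! Dynamic entry: a template that stays inactive until access-enable creates a
! per-host entry from it. 120 = absolute lifetime in minutes.
access-list 101 dynamic LOCKKEY timeout 120 permit ip any 192.168.1.0 0.0.0.255
! Everything else from the untrusted side hits the implicit deny.
!
line vty 0 3
 login local
 transport input ssh
 ! on login: create the dynamic entry for the connecting host only, idle
 ! timeout 10 minutes, then close the session
 autocommand access-enable host timeout 10
line vty 4
 login local
 transport input ssh
 access-class 5 in      ! one admin line kept free of the autocommand, reachable from the LAN only
access-list 5 permit 192.168.1.0 0.0.0.255
!
! verify:  show access-lists 101   (active per-host entries appear under the template)
! revoke:  clear access-template   (removes entries before they time out)
```

Without the fifth vty the autocommand would fire on every administrative login as well and disconnect the admin immediately; the `host` keyword is what narrows the template's `any` to the address that authenticated.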



Cisco Router Remote Access IPSec VPN with Pre-Shared Key & Certificate (EZVPN) 


The video demonstrates the configuration of a remote-access IPsec VPN on a Cisco router with the Windows software client. It covers simple pre-shared-key authentication as well as client certificate authentication. The client is placed behind a NAT router to show why NAT Transparency matters, and that is compared with raw IPsec and with cTCP (IPsec over TCP). The video finishes by showing how the client can be allowed access to its local subnet when a non-split tunnel is used.

Topics include:
- Easy VPN (EZVPN) with the software IPsec client
- client pre-shared key and certificate authentication
- NAT Transparency (NAT-T, UDP 4500)
- cTCP, a.k.a. IPsec over TCP
- the 'include-local-lan' option when not using split tunnel



2024 By Angel Cool