Create an FQDN object for use in an ACL:
# set address Contonso fqdn www.contonso.com
Reference this object in the ACL.
Check that the FQDN resolves correctly via the CLI:
# request system fqdn show
To refresh the cached DNS entries:
# request system fqdn refresh
Wednesday, 16 December 2015
Wednesday, 2 December 2015
CISCO - Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding
uRPF is designed to help protect layer 3 devices from spoofed traffic by checking the reachability of the source IP address. When uRPF is enabled, the layer 3 device checks the source IP of incoming traffic against the FIB (CEF) table to confirm that the source is reachable. This stops spoofed traffic from passing through the layer 3 device. There are two modes for uRPF, strict and loose. In strict mode the source IP of a packet arriving on an interface must be reachable via that same interface, i.e. the best route back to the source must point out the interface the packet arrived on. In loose mode the source IP can be reachable via any interface. Loose mode is suited to networks with asymmetric routing; strict mode is suited to ISP and customer edge networks.
Configuration:
First enable IP Cisco Express Forwarding switching on your device if it is not already enabled:
Router(config)# ip cef
Enable uRPF on Fastethernet 0/0
in Loose Mode:
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip verify unicast source reachable-via any
in Strict Mode:
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip verify unicast source reachable-via rx
Options:
allow-default - allow a default route to satisfy the reverse-path check (by default a source matched only by the default route fails)
allow-self-ping - allow the router to ping its own interface address
list - apply an access control list to packets that fail the check (permitted packets are forwarded, denied packets are dropped)
Show Command:
show cef interface FastEthernet 0/0
Enable uRPF on Cisco ASA and FWSM
CLI:
ip verify reverse-path interface interface_name
Show command:
ASA5520# show ip verify statistics
interface outside: 21 unicast rpf drops
interface inside: 2738 unicast rpf drops
interface vpn: 0 unicast rpf drops
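To make the strict/loose distinction concrete, here is an added example (not code from the original post, and not anything a Cisco device runs) that models how a router applies the reverse-path check against its FIB. The FIB entries, interface names and sample packets are constructed; the function names lookup, urpf_check and drop_counters are this example's own. The last function produces per-interface drop counts in the spirit of the ASA show ip verify statistics output above.

```python
"""Model of uRPF strict/loose checking against a FIB (added example, constructed data)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB: prefix -> egress interface. "0.0.0.0/0" is the default route.
FIB: Dict[str, str] = {
    "10.1.0.0/16": "Fa0/0",
    "10.2.0.0/16": "Fa0/1",
    "192.0.2.0/24": "Fa0/1",
    "0.0.0.0/0": "Fa0/2",
}


def lookup(fib: Dict[str, str], src: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match on the source address; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def urpf_check(fib: Dict[str, str], src: str, ingress: str,
               mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True if a packet from src arriving on ingress passes uRPF.

    strict  = 'ip verify unicast source reachable-via rx': the best route back
              to src must point out the ingress interface.
    loose   = 'ip verify unicast source reachable-via any': any route back is enough.
    allow_default mirrors the allow-default option: without it, a source that is
    matched only by the default route fails the check.
    """
    match = lookup(fib, src)
    if match is None:
        return False
    prefix, iface = match
    if prefix == "0.0.0.0/0" and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


def drop_counters(fib: Dict[str, str], packets: List[Tuple[str, str]],
                  mode: str = "strict") -> Dict[str, int]:
    """Count uRPF drops per ingress interface, similar to 'show ip verify statistics'."""
    drops: Dict[str, int] = {}
    for src, ingress in packets:
        drops.setdefault(ingress, 0)
        if not urpf_check(fib, src, ingress, mode):
            drops[ingress] += 1
    return drops


# Constructed sample traffic: (source IP, ingress interface).
# The second and fourth packets arrive on the "wrong" interface, which is what
# an asymmetric path (or a spoofed source) looks like to strict mode.
SAMPLE_PACKETS = [
    ("10.1.5.5", "Fa0/0"),
    ("10.2.9.1", "Fa0/0"),
    ("10.2.9.1", "Fa0/1"),
    ("10.1.7.7", "Fa0/1"),
    ("203.0.113.9", "Fa0/2"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, drop_counters(FIB, SAMPLE_PACKETS, mode))
```

Running the sample shows why the post recommends loose mode for asymmetric networks: strict mode drops the two packets that arrived on an interface other than the one the FIB would use to reach their source, while loose mode accepts them and only drops the source that is reachable via the default route alone.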
Cisco Switch - Private VLAN - PVLAN and PVLAN Edge
Private VLAN is a feature that offers more granular control within a single broadcast domain. There are two options for private VLAN ports: a port in a private VLAN can be in a community VLAN or an isolated VLAN. The difference is that ports in a community VLAN can communicate with each other and with the promiscuous port, while ports in an isolated VLAN can communicate only with the promiscuous port. The promiscuous port is usually the uplink to another switch (so it would also be a trunk port) or the port connected to the default gateway device.
Terminology:
Primary VLAN: the single broadcast domain.
Secondary Community VLAN: ports in this VLAN can communicate with each other and with promiscuous ports.
Secondary Isolated VLAN: ports in this VLAN can communicate only with promiscuous ports.
Config:
!!!! vtp mode transparent!!!!
vlan 600
private-vlan community
vlan 400
private-vlan isolated
vlan 200
private-vlan primary
private-vlan association 400,600
port g0/23 isolated port config:
switchport mode private-vlan host
switchport private-vlan host-association 200 400
ports g0/24 - g0/26 community ports:
switchport mode private-vlan host
switchport private-vlan host-association 200 600
int gig0/20 primary promiscuous port:
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 400,600
switchport mode trunk
PVLAN Edge
int gig0/18
switchport protected
Show cli:
show vlan brief
show vlan private-vlan type
show vlan private-vlan
Cisco Router - DHCP configuration
Set up a static mapping for a device that requires a permanent IP address rather than one assigned dynamically by the DHCP server (for example a printer).
Requirements:
Static IP for printer
MAC address of the printer
IP DHCP pool: 172.19.142.0 255.255.255.0 
Excluded IPs: 172.19.142.0 - 172.19.142.99 and 172.19.142.200 - 172.19.142.255
Static IP (printer): 172.19.142.211
Set up excluded addresses:
(The static IP must fall inside one of the excluded ranges so the dynamic pool never hands it out.)
#ip dhcp excluded-address 172.19.142.0 172.19.142.99
#ip dhcp excluded-address 172.19.142.200 172.19.142.255
Set up DHCP pool:
#ip dhcp pool LAN_POOL
    import all
    network 172.19.142.0 255.255.255.0
    domain-name cisco.local
    default-router 172.19.142.254
    dns-server 172.19.142.17 172.19.140.16
    lease 0 2
Set up Static IP Mapping:
#ip dhcp pool STATIC
    host 172.19.142.211 255.255.255.0  (printer's IP)
    hardware-address d485.6440.b314   (printer's MAC address)
    domain-name cisco.local
    default-router 172.19.142.254
    dns-server 172.19.142.17 172.19.140.16
Clear a DHCP address from the router database:
#sh ip dhcp binding (shows the DHCP binding database)
#clear ip dhcp binding 1.1.1.1 (clears the IP address from the router database; the device will still respond on its old IP until it renews. To assign a new IP, reboot the device or release the old lease with ipconfig /renew)
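The parenthetical above ("the static IP must be one of the excluded IPs") is the kind of rule that is easy to get wrong when typing a pool by hand. The following is an added example, not part of the original post, that checks a design like the one above offline: it expands the excluded-address ranges, confirms that the static host and default router are inside the network and inside an excluded range, and reports the dynamic range the pool will actually hand out. The addresses are the post's own; the function names are this example's.

```python
"""Consistency check for a Cisco-style DHCP pool design (added example)."""
import ipaddress
from typing import List, Set, Tuple


def excluded_set(ranges: List[Tuple[str, str]]) -> Set[ipaddress.IPv4Address]:
    """Expand 'ip dhcp excluded-address low high' pairs into a set of addresses."""
    out: Set[ipaddress.IPv4Address] = set()
    for low, high in ranges:
        a, b = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        if a > b:
            raise ValueError(f"excluded range {low}-{high} is reversed")
        out.update(ipaddress.ip_address(i) for i in range(a, b + 1))
    return out


def check_static_mapping(network: str, excluded: List[Tuple[str, str]],
                         static_hosts: List[str], default_router: str) -> List[str]:
    """Return a list of problems; an empty list means the design is consistent.

    network may be given CLI-style as 'address/netmask', e.g.
    '172.19.142.0/255.255.255.0'.
    """
    net = ipaddress.ip_network(network, strict=False)
    excl = excluded_set(excluded)
    problems: List[str] = []

    gw = ipaddress.ip_address(default_router)
    if gw not in net:
        problems.append(f"default-router {gw} is outside {net}")
    elif gw not in excl:
        problems.append(f"default-router {gw} is not excluded and could be leased out")

    for host in static_hosts:
        ip = ipaddress.ip_address(host)
        if ip not in net:
            problems.append(f"static host {ip} is outside {net}")
        elif ip not in excl:
            problems.append(f"static host {ip} is not in an excluded range; "
                            f"the dynamic pool could also lease it")
    return problems


def dynamic_range(network: str, excluded: List[Tuple[str, str]]) -> Tuple[str, str, int]:
    """Return (first, last, count) of addresses the pool can still lease dynamically."""
    net = ipaddress.ip_network(network, strict=False)
    excl = excluded_set(excluded)
    free = [ip for ip in net.hosts() if ip not in excl]
    if not free:
        raise ValueError("every host address is excluded; the pool can lease nothing")
    return str(free[0]), str(free[-1]), len(free)


# Values from the post's LAN_POOL / STATIC configuration.
NETWORK = "172.19.142.0/255.255.255.0"
EXCLUDED = [("172.19.142.0", "172.19.142.99"), ("172.19.142.200", "172.19.142.255")]
PRINTER = "172.19.142.211"
GATEWAY = "172.19.142.254"

if __name__ == "__main__":
    print(check_static_mapping(NETWORK, EXCLUDED, [PRINTER], GATEWAY))
    print(dynamic_range(NETWORK, EXCLUDED))
```

With the post's values the check returns no problems and reports a dynamic range of 172.19.142.100 to 172.19.142.199 (100 addresses); moving the printer to an address such as 172.19.142.150 would be flagged, because the LAN_POOL could then lease the same address to another client.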
Tuesday, 1 December 2015
Juniper SRX – Commit error: Missing mandatory statement
After changing the configuration on a Juniper SRX and trying to save it with the commit command, I received the error below:
root# commit
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
The solution to this error is to set the root password. As this device was brand new, the root password was not set and I was unable to commit any other changes from the CLI.
To set the root password to “JUNIPER”, follow this CLI:
root# set system root-authentication plain-text-password
New password: JUNIPER
Retype new password: JUNIPER
root# commit
Kali Linux – Backtrack VPN button is greyed out
After starting Kali Linux (previously known as Backtrack), the VPN add button is greyed out and I am not able to add an IPsec VPN connection to an ASA gateway.
After running the commands below in a terminal, the VPN option becomes available:
apt-get update
apt-get install network-manager-openvpn network-manager-pptp network-manager-pptp-gnome network-manager-vpnc network-manager-vpnc-gnome
Monday, 30 November 2015
Palo Alto Firewall - Check whether there are pending jobs (such as a commit)
admin@FW01(active)> show jobs all
Enqueued             ID  Type     Status  Result  Completed
--------------------------------------------------------------------------
2015/11/07 20:14:04  1   AutoCom  FIN     OK      20:15:30
Palo Alto Firewall - Initiate failover on Active/Standby pair
Run this CLI command on standby firewall:
> request high-availability state suspend
Palo Alto Firewall - View MAC address for each interface
Sometimes it is necessary to find out the MAC address of a firewall interface in order to troubleshoot connectivity.
On a Palo Alto firewall, log in to the CLI and issue the command:
admin@PA-200> show interface all
name          id  speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1   16  1000/full/up              00:1b:17:00:01:10
ethernet1/2   17  ukn/ukn/down(power-down)  00:1b:17:00:01:11
ethernet1/3   18  1000/full/up              00:1b:17:00:01:12
ethernet1/4   19  ukn/ukn/down(autoneg)     00:1b:17:00:01:13
ethernet1/7   22  1000/full/up              00:1b:17:dc:b5:16
ethernet1/8   23  1000/full/up              00:1b:17:dc:b5:17
vlan          1   [n/a]/[n/a]/up            00:1b:17:00:01:01
loopback      3   [n/a]/[n/a]/up            00:1b:17:00:01:03
tunnel        4   [n/a]/[n/a]/up            00:1b:17:00:01:04