Tuesday 30 July 2013

mounting screws and cage nuts for equipment racks

As far as I can see there are two main sizes in use, M5 and M6, with M6 being the bigger of the two.

I've found most modern devices will only work with M5; the rack mounts won't fit the M6. Some older devices and heavy items like SANs and 3U servers will take the M6 ones. Some devices come with smaller holes for the M5 and a larger one in the middle of the mount for the M6, so you can use either.

Got these before. They run out faster than you would expect, since I ping at least one off into oblivion every time.
http://www.amazon.co.uk/StarTech-com-Cage-Nuts-Server-Cabinets/dp/B00009XT0G/ref=sr_1_4?ie=UTF8&qid=1375172819&sr=8-4&keywords=cage+nuts

I've used this kind of cage nut tool and it really helps (no more stabbing yourself with a screwdriver).
http://www.amazon.co.uk/Economy-Cage-racking-cagenut-extraction/dp/B006BZDHYY/ref=sr_1_5?ie=UTF8&qid=1375172947&sr=8-5&keywords=cage+nuts+tool

I've never used one of these, but it looks good.
http://www.amazon.co.uk/Deluxe-Cage-racking-extract-cagenut/dp/B006BZFG3O/ref=sr_1_1?ie=UTF8&qid=1375172947&sr=8-1&keywords=cage+nuts+tool



Thursday 25 July 2013

troubleshoot VPNs on a juniper device

configuring an IP on centos / redhat

I was used to Ubuntu, so this was a bit different.

sudo vi /etc/sysconfig/network
set hostname and default gateway

sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
set up an IP on the interface

service network restart
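The two files the steps above edit are small, but the key names matter. As an added example (not from the original post), this renders both files from parameters, using the CentOS/RHEL network-scripts format (NETWORKING/HOSTNAME/GATEWAY in /etc/sysconfig/network; DEVICE/BOOTPROTO/ONBOOT/IPADDR/NETMASK/GATEWAY in ifcfg-eth0). The hostname, interface and the 192.0.2.x addresses are placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post): render /etc/sysconfig/network and
# ifcfg-<iface> contents from parameters. All values below are placeholders.

# Accept only a dotted quad with every octet in the range 0-255
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Contents for /etc/sysconfig/network: hostname and default gateway
render_network() {        # $1 = hostname, $2 = gateway
    valid_ipv4 "$2" || return 1
    printf 'NETWORKING=yes\nHOSTNAME=%s\nGATEWAY=%s\n' "$1" "$2"
}

# Contents for /etc/sysconfig/network-scripts/ifcfg-<iface>: a static address,
# brought up at boot, no DHCP
render_ifcfg() {          # $1 = interface, $2 = address, $3 = netmask, $4 = gateway
    valid_ipv4 "$2" && valid_ipv4 "$3" && valid_ipv4 "$4" || return 1
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' \
        "$1" "$2" "$3" "$4"
}

# Demo with constructed values from the documentation address range
render_network host1.example.com 192.0.2.1
echo '---'
render_ifcfg eth0 192.0.2.10 255.255.255.0 192.0.2.1
```

To apply it, redirect each function's output to the matching file as root (for example `render_ifcfg eth0 192.0.2.10 255.255.255.0 192.0.2.1 > /etc/sysconfig/network-scripts/ifcfg-eth0`) and then run `service network restart` as in the steps above. The address check stops a typo such as a three-octet address from silently taking the interface down on restart.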


Tuesday 23 July 2013

WARNING: The crypto map entry is incomplete!

I've often prepared my crypto maps in advance and then pasted them in. An error that has thrown me in the past is "WARNING: The crypto map entry is incomplete!". At the time I was working with some old PIX firewalls where I was never sure if the firewall was actually going to do what it was told. Here is an example:

V1FWCL01(config)# crypto map S2S 190 match address CUSTOMER_ACL
WARNING: The crypto map entry is incomplete!
V1FWCL01(config)# crypto map S2S 190 set pfs group2
WARNING: The crypto map entry is incomplete!
V1FWCL01(config)# crypto map S2S 190 set peer  xx.xx.xx.xx xxx.xxx.xxx.xxx
WARNING: The crypto map entry is incomplete!
V1FWCL01(config)# crypto map S2S 190 set transform-set ESP-AES-128-SHA
V1FWCL01(config)# crypto map S2S 190 set security-association lifetime seconds 3600
V1FWCL01(config)# crypto map S2S 190 set security-association lifetime kilobytes 4608000

You will get this warning until the crypto map has the three things it needs:
  • The ACL
  • The peer address
  • The transform set

VPN troubleshooting guide from Cisco

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Monday 22 July 2013

unable to connect to VMware console of VM

Check events on the esx host
Connect to the ESX host and run df or vdf.

Look for volumes that have filled up.

Sometimes you have to restart the services to get them to release the space after you have cleared log files out etc.
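Reading df by eye is fine for one host; as an added example (not from the original post), this flags any filesystem at or above a usage threshold from `df -P` output so the check can be scripted across hosts. The df lines at the bottom are constructed sample data, not from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): flag filesystems at or above a usage
# threshold from "df -P" output (vdf -P on an ESX host gives the same columns).

# Print "mountpoint use%" for every filesystem at or above the threshold.
# $1 = threshold percent; stdin = output of "df -P"
full_volumes() {
    awk -v limit="$1" 'NR > 1 { sub(/%$/, "", $5); if ($5 + 0 >= limit) print $6, $5 "%" }'
}

# Constructed sample of df -P output standing in for a live host
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 10321208 2951620 6845264 31% /
/dev/sda3 20641788 20537500 104288 100% /var/log
tmpfs 1024000 51200 972800 5% /dev/shm'

# On a live host: df -P | full_volumes 90
printf '%s\n' "$SAMPLE_DF" | full_volumes 90
```

A volume at 100% that stays full after you have deleted logs usually means a process still holds the deleted file open, which is why the post's note about restarting services applies; `lsof +L1` will list those open-but-deleted files if lsof is available.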

good tools for testing website load speed

Online tool (good quick test)
http://tools.pingdom.com

Desktop tool (more detail)
http://fiddler2.com/


How long does DNS take to propagate and short bash script to test after changing DNS entries

I was changing a customer's DNS to point at new public IPs. They were concerned about how long it would take to switch over. The DNS provider told me they usually tell customers it will be complete in their network within 24 hours and that they can't control anything outside of that. They said normally the DNS change will take effect immediately and should have propagated out across the internet within 24 hours, so this covers them with customers.

Wrote a short bash script to do an nslookup, so we could see the new public IPs, and a curl to show the website was up.


#!/bin/bash
echo "**********************************************"
echo "nslookup on my.customer.com"
echo "**********************************************"
echo " "
nslookup my.customer.com
echo " "
echo "**********************************************"
echo "curl on my.customer.com, expecting http 200 OK"
echo "**********************************************"
echo " "
curl -IL my.customer.com
echo " "
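The script above only asks whichever resolver the machine running it uses, which is one view of propagation. As an added example (not from the original post), this asks several resolvers directly and compares every answer with the expected new IP, so you can see which resolvers are still handing out the old record. It assumes dig and curl are installed; my.customer.com, 203.0.113.10 and the resolver addresses are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): check DNS propagation across several
# resolvers against an expected IP. Name, IP and resolvers below are placeholders.

# A records for a name from one specific resolver, one per line (needs network).
# dig +short also prints a CNAME target line if the name is an alias, so keep
# only dotted-quad answers.
resolve_via() {          # $1 = resolver IP, $2 = hostname
    dig +short +time=3 +tries=1 "@$1" "$2" A | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Pure check on a set of answers: OK if every answer is the expected IP,
# STALE if any other address is still being handed out, EMPTY if nothing came back
answers_status() {       # $1 = expected IP, $2 = newline-separated answers
    if [ -z "$2" ]; then
        echo EMPTY
    elif printf '%s\n' "$2" | grep -vqxF -- "$1"; then
        echo STALE
    else
        echo OK
    fi
}

# HTTP status code the site returns after following redirects (needs network)
http_status() {          # $1 = hostname
    curl -sIL -o /dev/null -w '%{http_code}' --max-time 10 "http://$1/"
}

# Ask every resolver given and report; returns 1 if any is not yet serving the new IP
check_propagation() {    # $1 = expected IP, $2 = hostname, $3... = resolver IPs
    expected=$1; host=$2; shift 2; rc=0
    for r in "$@"; do
        status=$(answers_status "$expected" "$(resolve_via "$r" "$host")")
        echo "$r: $status"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}
```

Typical use is `check_propagation 203.0.113.10 my.customer.com <authoritative_ns_ip> 8.8.8.8` (the authoritative server should answer OK immediately; a public resolver such as Google's 8.8.8.8 shows what the wider internet sees), followed by `http_status my.customer.com` to confirm the site answers 200. A resolver reporting STALE is not broken: it is allowed to keep the old answer for up to the old record's TTL, which is why lowering the TTL a day or two before a planned change shortens the switch-over the provider quotes as 24 hours.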

Thursday 18 July 2013

Good explanation of NAT on Cisco ASA 8.3+

http://www.tunnelsup.com/tup/2011/06/24/nat-for-cisco-asas-version-8-3


Video here:
http://www.youtube.com/watch?v=REGJodyLJEU

NAT for Cisco ASA's Version 8.3+


There are two major kinds of NAT in 8.3+: Auto NAT and Manual NAT. Auto is done inside the object and cannot take into consideration the destination of the traffic. Manual is done in global configuration and can NAT both the source IPs and the destination IPs.

Auto NAT

The new term “autoNAT” is used in 8.3. Auto NAT is when the NAT command appears INSIDE the object statement on the firewall. There are two major variants of auto NAT: dynamic and static. Auto NAT is also sometimes referenced as “Network Object NAT” because the configuration is done within the network object.
Regular Dynamic PAT
To create a many-to-one NAT where the entire inside network is getting PAT’d to a single outside IP do the following.
Old 8.2 command:
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
New 8.3 equivalent command:
object network inside-net
  subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface

Note: the "interface" keyword refers to the 2nd interface in the nat statement, in this case the outside.
Static Auto-NAT
To create a one to one NAT within the object like when you have a webserver in your DMZ you can do the following NAT configuration.
object network dmz-webserver
  host 192.168.1.23
nat (dmz,outside) static 209.165.201.28

Please note, the nat (inside,outside) part of these commands is a lot easier to read in 8.3. The first interface is the interface the traffic is coming into the ASA on and the second interface is the interface that this traffic is going out of the ASA on. So the command "nat (dmz,outside) static 209.165.201.28" should be read as "NAT the IP address 192.168.1.23 to 209.165.201.28 if the traffic is coming in on the dmz interface and going out the outside interface, or vice versa." This will not NAT traffic coming from the inside going to the DMZ, nor should it NAT the traffic coming from the DMZ going to the inside.
Using the any interface in the NAT statement
ASA 8.3 introduces the any interface when configuring NAT. For instance if you have a system on the DMZ that you wish to NAT not only to the outside interface, but to any interface you can use this command:
object network dmz-webserver
  host 192.168.1.23
nat (dmz,any) static 200.200.200.200

This makes it so users on the inside can web to 200.200.200.200 and if traffic is routed to the firewall it will NAT it to the real IP in the DMZ.
Port forwarding using Auto NAT
Suppose you have 2 web servers in your DMZ but you only have 1 IP address. You can configure port forwarding using the auto NAT feature in the following way:
object network dmz-webserver1
  host 192.168.1.25
nat (dmz,outside) static interface service tcp 8000 www
object network dmz-webserver2
  host 192.168.1.23
nat (dmz,outside) static interface service tcp 8080 www

This will make it so if you go to the IP address of the outside interface over port 8000 it will take you to 192.168.1.25 port 80 but if you go there using port 8080 it will take you to 192.168.1.23 port 80.
Confused yet? I hope not because it’s about to get weird…

Manual NAT or Twice NAT or Policy NAT or Reverse NAT

The limitation that Auto NAT has is that it cannot take the destination into consideration when conducting its NAT. This also of course results in it not being able to alter the destination address either. To accomplish either of these tasks you must use "manual NAT".
All of these terms are identical: Manual NAT, Twice NAT, Policy NAT, Reverse NAT. Don’t be confused by fancy mumbo jumbo.
Policy NAT Exemption aka NAT Zero aka No NAT
In ASA 8.3 code this is known as Policy NAT exemption. This is commonly used to not NAT traffic over a VPN tunnel.
object network inside-net
  subnet 10.0.0.0 255.255.255.0
object network vpn-subnets
  range 10.1.0.0 10.5.255.255
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets

Policy NAT exemption for incoming remote access VPNs
In order for a packet to come in through a firewall from a lesser security interface to a higher security interface it must have a translation and an ACL to permit it through. If you are setting up remote access VPN then the ACL is usually bypassed since it’s tunneled traffic. There still needs to be a translation. This is completed by doing the following (Note the order of the interfaces in the NAT statement):
object-group network OBJ-INSIDE-NETWORKS
  network-object 172.16.200.0 255.255.255.0
object network obj-172.16.101.0
  subnet 172.16.101.0 255.255.255.0
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS

Dynamic Policy NAT
This is when you want to specify an ACL for your NAT traffic to match on, and if it matches that ACL then NAT it to something.
Suppose you are trying to build a VPN tunnel to another site. The problem is that your private IP addresses are overlapping with their private IP addresses so they tell you that you MUST come from 172.27.27.27. If this was a static one to one translation it wouldn’t be so hard but in this case we have many users all needing to use that IP address.
In the pre 8.3 configuration your code would look something like this:
access-list ACL-VENDOR-VPN-NAT extended permit ip 192.168.1.0 255.255.255.0 host 172.16.75.5
nat (inside) 3 access-list ACL-VENDOR-VPN-NAT
global (outside) 3 172.27.27.27

In the new ASA 8.3 config the code looks like this:
object network inside-net
  subnet 192.168.1.0 255.255.255.0
object network vendor-vpn-nat
  host 172.16.75.5
object network translated-ip
  host 172.27.27.27
nat (inside,outside) source dynamic inside-net translated-ip destination static vendor-vpn-nat vendor-vpn-nat

Miscellaneous Notes

Use real IPs in access-lists
In ASA version 8.3 you must specify the real IP and not the translated IP. For instance, to permit your traffic to the webserver through the outside ACL you must put:
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80
This is a major change from pre 8.3 which would specify the public or NAT’d IP address.

Show commands

To view this configuration you must check two places to see what is being NAT’d.
show run object
show run nat
The command "show run object in-line" is sometimes useful when using the pipe commands.
You can also see the order of NAT and number of NAT translation hit counts with:
show nat

Optional Destination keyword in manual NAT

The destination keyword and addresses in the manual NAT command are optional. This means that both of these configurations do the same work:
object network inside-net
  subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
!
object network inside-net
  subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface

NAT order and after-auto NAT’ing

The order of operation in NAT commands is documented here:
http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157
The NAT operation will only take place once. Once there is a match on a NAT it will stop looking down the line to see whether it needs to NAT this traffic or not. The order of operation for this is like so:
  1. Twice NAT statements
  2. Auto NAT statements
  3. After-Auto NAT statements
Let’s say you have a Manual or Twice NAT that you want to be considered AFTER all of the auto NATs. You can specify this by adding the “after-auto” keyword which would look something like this:
nat (inside,outside) after-auto source dynamic any

Using Descriptions

The description keyword can be added to the end of a manual NAT statement to keep things more organized like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS description ANYCON-NONAT

Inactive NAT statements

You may deactivate a manual NAT statement by adding the “inactive” keyword at the end of the statement like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS inactive

Cisco Documentation on NAT for 8.3

CLI NAT configuration guide for ASA 8.3
http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html
Upgrading to ASA 8.3 – What you need to know
https://supportforums.cisco.com/docs/DOC-12690
Video examples and tutorial
https://supportforums.cisco.com/docs/DOC-12324

ASA Pre-8.3 to 8.3 NAT configuration examples
https://supportforums.cisco.com/docs/DOC-9129
ASA NAT migration problems when upgrading to 8.3; Syslog "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows"
https://supportforums.cisco.com/docs/DOC-12569

Monday 15 July 2013

creating large test files on windows


Use fsutil

Powershell script
$file = Read-Host "Enter File Path"
$size = Read-Host "Enter File Size followed by MB or GB (Example: 10MB or 10GB)"
# PowerShell understands the MB/GB suffixes, so "10MB" evaluates to 10485760 bytes
$objFile = [io.file]::Create($file)
$objFile.SetLength((Invoke-Expression $size))
$objFile.Close()
Write-Host "File Created: $file Size: $size"

Thursday 11 July 2013

generating a self signed cert

  • openssl genrsa -des3 -out mykeyname.key 1024
  • openssl req -new -key mykeyname.key -out mykeyname.csr
  • openssl x509 -req -days 365 -in mykeyname.csr -signkey mykeyname.key -out mykeyname.cer
  • openssl pkcs12 -export -in mykeyname.cer -inkey mykeyname.key -out mykeyname.p12 -name mykeyname -CAfile mykeyname.cer -caname mykeyname -chain

The certificate (mykeyname.cer) was added into the Trusted Root Certification Authorities in the default domain policy. (Default Domain Policy -> Computer Configuration -> Windows Settings -> Public Key Policies -> Trusted Root Certification Authorities)
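The four commands above as one function, as an added example that is not from the original post: it uses a 2048-bit key and SHA-256 rather than the 1024-bit/SHA-1 defaults of the time, and adds the checks worth running before a certificate like this is pushed to every domain machine as a trusted root (once it is, whoever holds mykeyname.key can sign for any name those machines trust, so the key deserves the same handling as a CA key). It assumes openssl is on the PATH; the file name, CN and PKCS#12 password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed certificate and
# PKCS#12 bundle, then verify the result. Name, CN and password are placeholders.

# $1 = base file name, $2 = common name, $3 = output directory, $4 = PKCS#12 export password
make_self_signed() {
    name=$1; cn=$2; dir=$3; p12pass=$4
    # unencrypted 2048-bit key (the post used -des3; drop that for unattended runs)
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null || return 1
    # certificate request with the subject given on the command line, no prompts
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr" || return 1
    # sign the request with its own key, SHA-256, one year
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -out "$dir/$name.cer" 2>/dev/null || return 1
    # bundle key and certificate for import on Windows
    openssl pkcs12 -export -in "$dir/$name.cer" -inkey "$dir/$name.key" -name "$name" \
        -out "$dir/$name.p12" -passout "pass:$p12pass" || return 1
}

# CN from the certificate subject (works with old "subject= /CN=" and new "subject=CN = " output)
cert_cn() {              # $1 = certificate file
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# A self-signed certificate must verify against itself
cert_self_verifies() {   # $1 = certificate file
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The public key inside the certificate must be the one derived from the private key
key_matches_cert() {     # $1 = key file, $2 = certificate file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# SHA-256 fingerprint to record alongside the GPO change, so the trusted root can be
# compared with what was actually generated
cert_fingerprint() {     # $1 = certificate file
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}
```

Usage: `make_self_signed mykeyname server.example.com . 'p12-password' && cert_self_verifies mykeyname.cer && key_matches_cert mykeyname.key mykeyname.cer && cert_fingerprint mykeyname.cer`. The CSR step relies on the default openssl.cnf being present, as the commands in the post do.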

ioping shows disk latency in the same way as ping shows network latency

Interesting tool

https://code.google.com/p/ioping/

Wednesday 10 July 2013

python script to test VPN connectivity opens socket to IP addresses and ports

Quick script I wrote to test VPN connections. It reads in a list (data.csv) of IPs and ports and attempts to open a socket to each, then reports the result.

#!/usr/bin/env python3

# Import the needed modules
import csv
import socket


# Take a customer name, an IP address and a port number, attempt to open a TCP
# socket to that IP/port and report on success or failure
def test_connection(customer, address, port):
    print("Attempting to connect to customer %s on IP %s and port %s" % (customer, address, port))
    # Create a TCP socket and give the connect attempt 15 seconds before timing out
    s = socket.socket()
    s.settimeout(15)
    try:
        s.connect((address, port))
        print_and_log_this("Connection to customer [ %s ] on IP [ %s ] and port [ %s ] was [ OK ]"
                           % (customer, address, port))
        # If we can connect return True
        return True
    except socket.error as e:
        # If we can't connect and get an error return False
        print_and_log_this("Connection to customer [ %s ] on IP [ %s ] and port [ %s ] has [ FAILED ] with error [ %s ]"
                           % (customer, address, port, e))
        return False
    finally:
        # Close the socket whether or not the connect succeeded
        s.close()


# Print a message on screen and append it to a log file
def print_and_log_this(message):
    print(message)
    with open("testipandportlog.txt", "a") as logfile:
        logfile.write(message + "\n")


# Main function of the program (program starts here)
if __name__ == '__main__':
    # Read in lines from the csv file, each line should have the following information
    # Customer-name,IP-address,Port-number
    # For each line in the CSV use the function created above to check connectivity
    with open("data.csv", newline="") as data:
        for line in csv.reader(data):
            if not line:
                continue  # skip blank lines
            c, a = line[0], line[1]
            p = int(line[2])  # convert the port to an int (int(), not eval(), so the CSV stays data)
            test_connection(c, a, p)



Monday 8 July 2013

two datacenters one ISP

Had an issue today on the ISP end. Lost connectivity to several sites. The issue was routing between my ISP and the destinations. We have two data centers but are stuck with one ISP. In a better world we should use a datacenter that has more than one ISP. Alternatively use two separate data centers with different ISPs. This way if you hit a routing issue you can fail over to the other site and other ISP.

When pinging one of the public IPs I was trying to reach I got the message "Time to live exceeded" from an IP near where my traffic exits the ISP network onto the internet. From researching the message, it points towards a routing loop. The ISP claimed an attack was causing the issue, but maybe someone just made a mistake.

Looking glasses can be helpful to spot BGP issues with your ISP
This one is from BT
http://lg.as2110.net/

Look up the destination IP and compare the result to your own ISP.

Base software to install on windows servers


Latest version of powershell and powershell ISE
http://windirstat.info/ - Disk usage report
http://www.7-zip.org/ - Opens lots of archives
http://www.wireshark.org/ - Network traffic capture
http://technet.microsoft.com/en-us/sysinternals/bb842062 - Sysinternals Suite lots of very useful tools
http://technet.microsoft.com/en-us/library/cc771275(v=ws.10).aspx - Telnet client
Your backup or monitoring agent if required
Your AV solution
Configure NTP
Configure Logging
Right click -> Computer -> Properties -> Advanced -> Startup and Recovery -> Settings -> Kernel memory dump

http://getgreenshot.org/ - screenshots

http://www.nirsoft.net/ - suite of tools bluescreen view being popular

RSAT - remote admin tools for windows server etc (install and then appwiz to add them)
ASDM - for Cisco
filezilla - transferring files
foxit reader - PDF
google chrome - web browser
java - required for asdm and maybe other apps
mRemoteNG - saving connections, ssh rdp, vnc, webpage external app
remote desktop connection manager (might not be needed if you have above)
keepass - password store
zenmap - gui for nmap
portqueryui - good for checking open ports and a nice screenshot
openssl (s_client) - Win32 OpenSSL build
openssl s_client -connect www.google.com:443
openssl can convert certs too
sublime text or notepad++ - text editor
winscp
grep for windows
dig for windows
my traceroute (https://winmtr.en.uptodown.com/windows)
sysinternals suite 
maybe microsoft powertoys for admins
psexec can be replaced by powershell PSSessions or Invoke-Command. Psexec is still great because it runs locally on the target system and can run as the local system account.

NTRadping - Radius testing
https://community.microfocus.com/t5/OES-Tips-Information/NTRadPing-1-5-RADIUS-Test-Utility/ta-p/1777768

Wednesday 3 July 2013

servers time going out of sync

I had an issue where a monitoring slave went out of sync with the master.

Quick fix - set the date/time manually
The format is "date MMddhhmmyyyy", so 17:32 on 13/12/2012 would be "date 121317322012". You need to be root to run this command, so "sudo su" or "sudo bash" first.
Or restart ntpd

You should have an NTP server configured in your network. FYI, you can configure a Cisco ASA to provide NTP. Your NTP server should itself be syncing from a nearby public pool server; see http://www.pool.ntp.org/en/.

Some troubleshooting / information gathering steps below:

Step 1 - log on to both servers (the out-of-sync one and the in-sync one)
Run "watch -n 1 date" on each; this should highlight the difference in time

Step 2 - is the server VM or physical
sudo /usr/sbin/dmidecode | grep "Manufacturer: \|Product Name: "
If it's a VM, check for the VMware or Hyper-V tools and check the time sync settings there
Check the time sync settings on the VM host
If it's physical, check the ntp settings

Step 3 - check ntp config
vi /etc/ntp.conf 

Step 4 - check scheduled tasks, is ntpdate or ntpd running
sudo bash
crontab -l
*/1 * * * * /usr/bin/ntpd -q > /dev/null 2>&1
This runs ntpd with -q, which quits after it has set the time. The "> /dev/null" redirects the output to /dev/null because we don't want to see it, and the "2>&1" redirects stderr to stdout so errors are discarded as well.
ntpdate and ntpd are different and you shouldn't have both running at the same time.

Step 5 - check service startup settings
/sbin/chkconfig --list

Step 6 - check ntpd service status
/etc/init.d/ntpd status
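Steps 3, 4 and 6 above can be turned into checks that run over text rather than by eye, which also lets you run them on an ntp.conf and crontab copied off the broken host. The following is an added example, not from the original post; the crontab text, ntp.conf and epoch values at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): the ntp troubleshooting steps as checks
# over text. Sample inputs at the bottom are constructed, not from a real server.

# Servers an ntp.conf points at (the "server" lines)
ntp_servers() {          # $1 = path to an ntp.conf
    awk '$1 == "server" { print $2 }' "$1"
}

# Prints 1 if a crontab (stdin) runs ntpdate or a one-shot "ntpd -q", else 0;
# commented-out lines do not count
cron_steps_clock() {
    if grep -Ev '^[[:space:]]*#' | grep -Eq '(ntpdate|ntpd[[:space:]]+-q)'; then
        echo 1
    else
        echo 0
    fi
}

# Signed offset in seconds between a reference clock and the local one
clock_offset() {         # $1 = reference epoch seconds, $2 = local epoch seconds
    echo $(( $2 - $1 ))
}

# DRIFT when the clocks differ by more than the threshold, otherwise OK
drift_status() {         # $1 = reference epoch, $2 = local epoch, $3 = threshold in seconds
    off=$(clock_offset "$1" "$2")
    if [ "$off" -lt 0 ]; then off=$(( 0 - off )); fi
    if [ "$off" -gt "$3" ]; then echo DRIFT; else echo OK; fi
}

# The conflict step 4 warns about: cron stepping the clock while ntpd is also running
ntp_conflict() {         # $1 = cron_steps_clock result, $2 = 1 if the ntpd service is running
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then echo CONFLICT; else echo OK; fi
}

# Constructed demo inputs
SAMPLE_CRON='# m h dom mon dow command
*/1 * * * * /usr/bin/ntpd -q > /dev/null 2>&1'
SAMPLE_CONF=$(mktemp)
printf 'driftfile /var/lib/ntp/drift\nserver 0.pool.ntp.org iburst\nserver 1.pool.ntp.org iburst\n' > "$SAMPLE_CONF"

echo "servers: $(ntp_servers "$SAMPLE_CONF" | tr '\n' ' ')"
steps=$(printf '%s\n' "$SAMPLE_CRON" | cron_steps_clock)
echo "cron steps clock: $steps, with ntpd running: $(ntp_conflict "$steps" 1)"
echo "offset check (125 s apart, 60 s allowed): $(drift_status 1373900000 1373900125 60)"
rm -f "$SAMPLE_CONF"
```

On a live host the same functions take real input: `ntp_servers /etc/ntp.conf`, `crontab -l | cron_steps_clock`, and `drift_status "$(ssh good-host date +%s)" "$(date +%s)" 60` for the offset (the ssh round trip adds a second or so of noise, which is why a threshold is used rather than an exact comparison); feed `ntp_conflict` a 1 when `/etc/init.d/ntpd status` reports the daemon running.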