You have to use copy run start, or create this alias below
cli alias name wr copy run start
Tuesday, 28 February 2017
Set up a new VLAN interface on Cisco Nexus
You need to create your L2 VLAN first
vlan 80
name DB
Create the L3 VLAN interface
interface Vlan80
description ## Layer 3 DB VLAN ##
no shutdown
no ip redirects
ip address 172.100.0.250/24
ip router eigrp 100
no ip passive-interface eigrp 100
hsrp 80
authentication text SomePW
preempt
priority 120
ip 172.100.0.254
Add the new VLAN to the trunk
Make sure you add the new VLAN to the existing allowed list rather than replacing the list with a new one, or you'll take everything down.
interface port-channel10
description ### PortChannel vPC Peer-Link DO NOT CHANGE ##
switchport mode trunk
switchport trunk allowed vlan 1,10,52,60,70-71,80,172,2200
spanning-tree port type network
vpc peer-link
Assign the vlan to the ports
interface Ethernet101/1/33
switchport access vlan 80
spanning-tree port type edge
copy run start
GW on hosts should be 172.100.0.254
If you want to make a DMZ VLAN, don't create the L3 interface: create just the L2 VLAN and assign the ports. Your default route should be out to the ASA.
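A pre-change check for the trunk edit above, added here as an example (it is not from the original post or from Cisco). It expands an NX-OS VLAN list, diffs the running allowed list against what a bare "switchport trunk allowed vlan <list>" would install, and emits the "add" form of the command covering only the VLANs that are actually new. The function and variable names are my own; the running list is a constructed sample.

```python
"""Check a Nexus trunk 'allowed vlan' change before typing it in.

A plain 'switchport trunk allowed vlan <list>' replaces the whole list, so any
VLAN missing from <list> is silently removed from the trunk. This helper
refuses such a change and prints the safe 'add' form instead.
"""

# Constructed sample: the peer-link allowed list before VLAN 80 was added.
RUNNING_ALLOWED = "1,10,52,60,70-71,172,2200"


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an NX-OS VLAN list such as '1,10,70-71,2200' into a set of ids."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    out_of_range = sorted(v for v in vlans if not 1 <= v <= 4094)
    if out_of_range:
        raise ValueError(f"VLAN id out of range: {out_of_range}")
    return vlans


def check_allowed_vlan_change(running: str, proposed: str) -> dict:
    """Compare the running list with the list a non-'add' command would install.

    Returns which VLANs would be dropped, which are new, whether the change is
    safe (drops nothing) and the 'add' command that adds only the new VLANs.
    """
    before = parse_vlan_list(running)
    after = parse_vlan_list(proposed)
    dropped = sorted(before - after)
    added = sorted(after - before)
    safe_cmd = None
    if added:
        safe_cmd = "switchport trunk allowed vlan add " + ",".join(map(str, added))
    return {"ok": not dropped, "dropped": dropped, "added": added, "safe_cmd": safe_cmd}


if __name__ == "__main__":
    # Typing only the new VLAN would strip every other VLAN from the peer-link.
    result = check_allowed_vlan_change(RUNNING_ALLOWED, "80")
    if not result["ok"]:
        print("UNSAFE: would drop VLANs", result["dropped"])
        print("use instead:", result["safe_cmd"])
```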
Thursday, 16 February 2017
Cisco AnyConnect reconnects after a short time, then stays connected
Had an issue where Cisco AnyConnect would connect, but then after a short time reconnect and stay connected for good.
The issue was that the ISP was blocking the DTLS protocol. AnyConnect tries to use DTLS first, as it's better for voice and similar real-time traffic; once it realizes it can't use it, it reconnects with DTLS disabled.
Solution 1: Get your ISP to unblock it and get the benefits of DTLS. In my case I didn't have control of the ISP.
Solution 2: Turn it off.
Under the group policy for the AnyConnect profile:
group-policy VPN-GRP-POL attributes
webvpn
anyconnect ssl dtls none
Tuesday, 14 February 2017
Interface groups on Check Point
Network objects -> Right click on cluster -> details -> Topology
Click details on the IP addresses
Right click on the cluster IP -> Edit interface
Go to Topology tab
Look for the radio button
IP addresses behind this interface
Specific
The interface group should be selected there
The interface groups can be found under
Network objects -> groups ->
Thursday, 2 February 2017
Investigating NAT issues on Check Point firewalls
In Network Objects (bottom left)
Right click Nodes -> More -> Query Objects
Refine by: Search by IP
Double click on the object and check the NAT section for auto NAT
Also you can do Actions -> Where used -> Active policy
Look for any manual NAT's here
Try the traffic while watching the logs in the tracker
You can add the columns xlatesrc and NAT rule into the tracker
Also you can double click the log entry and get more details on the NAT rule and xlated source
Auto NATs are processed first
Manual NATs second
In some cases you may need to add a proxy ARP entry
SSH to the CLI of the CP firewall
clish
show configuration
Look for arp
add arp proxy ipv4-address x.x.x.x interface eth1-02 real-ipv4-address y.y.y.1
x.x.x.x is the IP of your server
y.y.y.1 is the IP of your gateway