I had an issue with Cattools not backing up.
I found the issue was in the banner: the config had used ^C as the banner marker and it seemed to be causing an issue.
Removed it and all was good.
Thursday, 19 December 2019
Tuesday, 17 December 2019
checking for packet loss
ping your gateway
ping 8.8.8.8
ISPs often have a direct connection to Google from their own network, so it is best to ping an IP that will actually traverse the internet, such as a server in the UK or Australia.
ping the gateway
pathping -n -4 x.x.x.x
Friday, 13 December 2019
Private IP ranges in different formats
Private IP ranges in different formats for use in ACLs
192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)
CIDR
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Netmask
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
Wildcard (the bitwise inverse of the netmask, as used in Cisco ACLs)
10.0.0.0 0.255.255.255
172.16.0.0 0.15.255.255
192.168.0.0 0.0.255.255
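An added example (not from the original post) that derives the netmask and the ACL wildcard mask from a prefix length, and checks whether an address falls inside one of the three RFC 1918 ranges above. It uses POSIX sh arithmetic only, so it runs anywhere a shell is available; a wildcard mask that is not the exact complement of the netmask (e.g. 0.0.0.255 against 10.0.0.0) would match a different set of addresses than intended, which is the kind of ACL mistake this check catches.

```shell
#!/bin/sh
# Added example (not from the original post): netmask / wildcard conversion and
# an RFC 1918 membership test, in POSIX sh arithmetic with no external tools.

# Dotted quad -> 32-bit integer (the subshell keeps the IFS change local)
ip_to_int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# 32-bit integer -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for /N as an integer: the top N bits set, truncated to 32 bits
mask_int() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }
netmask()  { int_to_ip "$(mask_int "$1")"; }

# The ACL wildcard mask is the bitwise complement of the netmask:
# 0 bits must match the network address, 1 bits are "don't care".
wildcard() { int_to_ip $(( 4294967295 ^ $(mask_int "$1") )); }

# Prints yes if address $1 is inside network $2 with prefix length $3
in_net() {
  m=$(mask_int "$3")
  if [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]; then
    echo yes
  else
    echo no
  fi
}

# Prints yes if $1 is in 10/8, 172.16/12 or 192.168/16
is_private() {
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if [ "$(in_net "$1" "${net%/*}" "${net#*/}")" = yes ]; then
      echo yes
      return 0
    fi
  done
  echo no
}

# Print the three ranges in netmask and wildcard form
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  printf '%-15s netmask %-15s wildcard %s\n' "$net" "$(netmask "${net#*/}")" "$(wildcard "${net#*/}")"
done
```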
Tuesday, 10 December 2019
wildcard cert on firepower FTD
Logins:
- Customer login for cert vendor
- Login to server/device where we want to install the cert
We need 3 files:
- Wildcard cert (download from the cert vendor site: DigiCert, GoDaddy, etc.)
- Private key (get it from the customer, find it on a Windows server, or make one with the openssl command)
- Cert chain bundle (download from the cert vendor site)
We need the private key password (you can set it when making one):
- Password for the private key.
This password and private key should be stored securely by the customer for later use.
Command to generate a private key if needed:
openssl genrsa -out private.key 2048
Once we have all the files, bundle them into one PFX file with openssl:
openssl pkcs12 -export -in wildcard-cert.crt -inkey private.key -certfile sf_bundle-g2-g1.crt -out cert-chain-pkey-bundle.pfx
In this case the wildcard was already installed on a Windows server (Exchange).
I opened MMC on the Exchange server,
added the Certificates snap-in,
found the wildcard cert,
exported it with the private key (set a password),
and exported the PFX.
In Firepower go to Objects -> PKI -> Cert Enroll
Select import from PKCS12 file
Now go to devices certificates -> add
Now go to devices -> VPN -> Remote access
Edit the AnyConnect profile
Access interfaces tab
Change the two entries SSL and IKEv2 and select the new cert
Save + Deploy
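An added example (not the post's own commands) that wraps the openssl export above with the two checks worth doing before importing into Firepower: that the private key really belongs to the wildcard cert, and that the chain bundle validates it. It assumes the post's file names and that the export password is supplied in the PFX_PASS environment variable (my assumption, so the password stays off the command line and out of shell history).

```shell
#!/bin/sh
# Added example (not from the original post): build the PFX exactly as the post's
# openssl command does, but only after confirming key, cert and chain belong together.
# Assumes an unencrypted private.key (as "openssl genrsa" produces) and PFX_PASS set.
set -eu

# 0 if the public key inside the certificate equals the public half of the private key
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the chain file validates the cert: either it contains the root (-CAfile),
# or it holds intermediates that chain up to the system trust store (-untrusted)
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# build_pfx CERT KEY CHAIN OUT: refuses to write a PFX from mismatched inputs
build_pfx() {
  cert=$1; key=$2; chain=$3; out=$4
  key_matches_cert "$cert" "$key"   || { echo "private key does not match $cert" >&2; return 1; }
  chain_verifies "$cert" "$chain"   || { echo "$chain does not validate $cert" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -out "$out" -passout env:PFX_PASS
  chmod 600 "$out"   # the PFX contains the private key; keep it owner-readable only
}

# 0 if the PFX opens with PFX_PASS, which is what the Firepower import will do
pfx_ok() {
  openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS >/dev/null 2>&1
}

# Usage: PFX_PASS=... ./build-pfx.sh wildcard-cert.crt private.key sf_bundle-g2-g1.crt cert-chain-pkey-bundle.pfx
if [ "$#" -eq 4 ]; then
  build_pfx "$@" && pfx_ok "$4" && echo "wrote $4"
fi
```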
Wednesday, 4 December 2019
setup netflow on cisco 9300 stack
Setup netflow
x.x.x.x = your NetFlow collector, e.g. SolarWinds Orion.
flow exporter NETFLOW-EXP-TO-ORION
 destination x.x.x.x
 source vlan1
 transport udp 2055
Setup what you want to record
flow record NETFLOW-RECORD-IN
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
flow record NETFLOW-RECORD-OUT
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
Setup the monitors
flow monitor NETFLOW-MON-OUT
 exporter NETFLOW-EXP-TO-ORION
 cache timeout inactive 10
 cache timeout active 60
 record NETFLOW-RECORD-OUT
flow monitor NETFLOW-MON-IN
 exporter NETFLOW-EXP-TO-ORION
 cache timeout inactive 10
 cache timeout active 60
 record NETFLOW-RECORD-IN
Enable the monitors on the interfaces
Enable them under the interfaces you want to collect NetFlow data from; usually these will be uplinks, links to other sites, etc.
interface GigabitEthernet2/0/36
 ip flow monitor NETFLOW-MON-IN input
 ip flow monitor NETFLOW-MON-OUT output
Don't forget to write your config.
You might need to check firewall rules between the two hosts (the exporter sends to the collector on UDP 2055).
Allow a few minutes for the data to populate in the collector.
Labels:
9300,
cisco,
cisco 9300,
monitoring,
netflow,
switching