Monday, 10 July 2017

get public ip from cmd on windows

nslookup myip.opendns.com resolver1.opendns.com

The OpenDNS resolver answers that query with the address the request came from, which is your public IP. You can also use the VBScript below to write the address to a file, and then have BGInfo display it on the desktop.

' Set the URL where we can get the public IP
Const URL = "http://ifconfig.me/all.xml"
Dim xmldoc, x, myip, objFSO, objFile, outFile

Set xmldoc = CreateObject("Microsoft.XMLDOM")
xmldoc.async = False

' load returns False if the download or the XML parse failed; bail out
' instead of writing an empty file over the previous value
If Not xmldoc.load(URL) Then
    WScript.Echo "Could not load " & URL & ": " & xmldoc.parseError.reason
    WScript.Quit 1
End If

' Loop over the child nodes to get the public IP from the XML
For Each x In xmldoc.documentElement.childNodes
    If x.nodeName = "ip_addr" Then
        myip = x.text
    End If
Next

If myip = "" Then
    WScript.Echo "No ip_addr element found in the reply"
    WScript.Quit 1
End If

' echo for testing
'WScript.Echo myip

' Output IP to file so bginfo can read it
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "P:\Users\jack\Documents\scripts\ext-ip.txt"
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write myip
objFile.Close
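As an added example (not part of the original post), here is a PowerShell equivalent of the VBScript that can be run from Task Scheduler instead of cscript. It uses the same OpenDNS lookup as the nslookup one-liner, falls back to an HTTPS lookup, checks that the answer really is a public IPv4 address before writing it (so a broken or tampered reply never ends up on the desktop), and replaces the file atomically so BGInfo never reads a half-written file. The https://ifconfig.me/ip endpoint and the output path are assumptions; adjust both to your environment.

```powershell
# Added example, not the original post's script. Assumptions: https://ifconfig.me/ip
# returns the bare address as text, and the output path below is the one BGInfo reads.
$OutFile = 'P:\Users\jack\Documents\scripts\ext-ip.txt'

function Get-PublicIPv4 {
    # First choice: the same DNS trick as the nslookup line in the post.
    try {
        $answer = Resolve-DnsName -Name 'myip.opendns.com' -Server 'resolver1.opendns.com' -Type A -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
        if ($answer) { return $answer.IPAddress }
    } catch { Write-Verbose "DNS lookup failed: $_" }

    # Fallback over HTTPS (assumed endpoint). Plain HTTP, as in the VBScript, would let
    # anyone on the path hand us a different address.
    try {
        return (Invoke-RestMethod -Uri 'https://ifconfig.me/ip' -TimeoutSec 10 -ErrorAction Stop).ToString().Trim()
    } catch { Write-Verbose "HTTP lookup failed: $_" }

    return $null
}

function Test-PublicIPv4 {
    param([string]$Address)
    # Accept only a syntactically valid, globally routable IPv4 address.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $o = $ip.GetAddressBytes()
    # RFC 1918, loopback, link-local and CGNAT ranges are not public addresses.
    if ($o[0] -eq 10) { return $false }
    if ($o[0] -eq 127) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    if ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127) { return $false }
    return $true
}

$myip = Get-PublicIPv4
if (-not (Test-PublicIPv4 $myip)) {
    # Keep the previous value on disk rather than overwrite it with garbage.
    Write-Warning "No valid public IPv4 address obtained ('$myip'); $OutFile left unchanged"
    exit 1
}

# Write to a temp file and rename, so the reader never sees a partial file.
$tmp = "$OutFile.tmp"
Set-Content -Path $tmp -Value $myip -NoNewline -Encoding ASCII
Move-Item -Path $tmp -Destination $OutFile -Force
```

Schedule it with `powershell.exe -NoProfile -File <path-to-script>.ps1`; the private-range check matters on machines that sit behind a carrier-grade NAT or a proxy, where an address lookup can return something that is not reachable from the internet at all.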

Wednesday, 5 July 2017

static port nat on cisco router

Mark your interfaces as NAT outside and NAT inside (substitute your actual LAN interface name for "inside"):
int dialer 1
ip nat outside

int inside
ip nat inside

ip nat inside source static tcp 192.168.4.10 8080 interface dialer 1 8080


This translates TCP port 8080 on the public IP of Dialer1 to 192.168.4.10 port 8080. Note that the internal host's port 8080 is then reachable from the whole internet unless an inbound ACL on the dialer interface restricts it.

Tuesday, 4 July 2017

IOException when trying to connect cisco IPS with Cisco IME

When connecting to an old IPS, its self-signed certificate is old and is rejected by Java and by web browsers.

I had already tried updating Java and adding the IP to the Java security exceptions list, but that didn't resolve it.

The fix was as follows:
Log into the ASA and enter enable mode
Run "session ips console" to get into the IPS
Run "tls generate-key" to generate a new TLS key and certificate
Log back into the IPS via the Cisco IME software

https://popravak.wordpress.com/2014/03/10/ioexception-when-trying-to-connect-to-cisco-ips/

I had to get an updated license file from licensing@cisco.com and apply it manually.
Once that was done I manually uploaded the latest signature file (it wouldn't apply without the updated license).

I found that auto updates won't work unless you have at least version 7.1(11)E4, because Cisco switched to signing updates with SHA2. You need to update the software on the IPS to resolve this.

Updating the IPS
Back up your config first (you need the IP config etc. to set it up again)
Update the secondary ASA/IPS
Set it up again from the backup
Apply the license
Apply the signature file
Failover
Update the primary ASA/IPS
Failback

Make sure to update the secondary ASA first
http://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/116155-configure-product-00.html#anc9

Make sure to download the correct file for your ASA. I had a 5515 and needed the .aip file.
https://software.cisco.com/download/release.html?mdfid=283674966&flowid=24482&softwareid=282549758&release=7.1(11)E4&relind=AVAILABLE&rellifecycle=&reltype=all


To load the image, enter: sw-module module ips recover configure image disk0:/imagename.aip


Thursday, 29 June 2017

tnsping works but connectivity fails TNS-12502

I had an issue with an Oracle database: tnsping worked, but connecting to the database failed.

This Oracle setup used some VIPs (SCAN IPs) as well as the real DB server IPs.
Only access to the SCAN IPs had been requested, so the firewall was blocking the rest.

The server returned a TNS-12502 error.

In the packet captures the flow was: the client connects to the SCAN IP, which answers with the IP of the real DB server (the SCAN listener redirects the client to the node), and then the client connects to the real DB server IP.

So tnsping worked, because it only talks to the SCAN listener, but when they tried to connect to the DB server itself it failed.

To resolve it, grant access to all VIPs and real server IPs.

Wednesday, 7 June 2017

configure BVI (bridge-group) on ASA5506X

Step 1: Upgrade the ASA to 9.7 (ASDM 771). You need 9.8, otherwise BVI doesn't work with VPNs :( I'm really disappointed with the ASA5506.

Step 2: Take a backup of your current config. If you have already created your inside interface you need to clear it out, and you will lose some other config when you do this (NAT, DHCP etc.).

Step 3: Create the BVI virtual interface (the number will match the bridge-group number we use later to assign ports):

interface BVI2
 nameif inside
 security-level 100
 ip address 10.32.11.254 255.255.255.0

Step 4: Assign the other ports to the bridge group (bridge-group 2 matches the BVI2 interface number). You need to give each port a nameif or it won't work (don't ask me how I know that):

interface GigabitEthernet1/2
 bridge-group 2
 nameif inside_1
 security-level 100

interface GigabitEthernet1/8
 bridge-group 2
 nameif inside_2
 security-level 100

Step 5: Set up your DHCP / ACLs / NATs again, as they may have been cleared out:
dhcpd address 10.32.11.10-10.32.11.199 inside
dhcpd dns 10.32.0.4 10.32.0.5 interface inside
dhcpd enable inside

Tuesday, 30 May 2017

Monday, 22 May 2017

source NAT on juniper SSG

I wanted to source NAT my traffic so it appears to come from 10.58.x.x range so it could go over my VPN.

I was able to do this with a DIP on juniper. The DIP must be created on the tunnel interface which is attached to the VPN that we want to travel over.


Since the tunnel interface is unnumbered I configured the extended IP
10.58.254.1/24 (I know this range is free).
For the DIP range I gave 10.58.254.2 - 10.58.254.254:

set interface tunnel.4 ext ip 10.58.254.1 255.255.255.0 dip 4 10.58.254.2 10.58.254.254

You need a policy to allow the traffic and do the NAT.
The policy should be at the top so other rules won't overlap or interfere with it:

set policy id 123 from "Trust" to "Untrust" "LOCAL_NETS_2_NAT" "REMOVE_VPN_NETS" "ANY" nat src dip-id 4 permit log

The 10.58.x.x/16 network already had a policy to allow the traffic and was already in the encryption domain.

Did a debug flow basic and it seems to have worked, will test now.

WebGUI
Network -> Interfaces -> Edit tunnel.4
DIP tab -> New
Fill in IP range 10.58.254.2 - 10.58.254.254
Select port translation
Select "In the same subnet as the extended IP" and fill in 10.58.254.1/24

Create your NAT policy
Policy -> Policies
Select source and destination networks
Service = ANY
Action = Permit
Click the Advanced button
Tick Source Translation
Select the DIP you created on tunnel.4
Click OK