Posts Tagged ‘router’

Adding incoming and outgoing access rules on a Cisco ASA

Saturday, March 17th, 2012

To understand incoming and outgoing rules there are a couple of things to know before you can define your rules. Let’s start with an understanding of traffic flow on an ASA. Incoming rules define traffic that comes inbound to an ASA interface; outgoing rules define traffic that leaves outbound through an ASA interface. It does not matter which interface it is, since this is purely a matter of data flow, and each active interface on an ASA has its own unique address.

To explain this further, let’s say we have an internal interface with an IP address of 10.0.0.1 that your local area network connects to. You can add a permit or deny rule to this interface specifying whether incoming or outgoing traffic is permitted. This lets you control which computers can communicate past that interface. Essentially you would define most of your rules for the local area network on the internal interface, governing which systems/devices can reach the internet and which protocols they can use.

If you know the basic configuration of an ASA, you know that you have to set the security level of the internal and external interfaces. By default the ASA allows traffic from a higher security interface to a lower security interface and blocks the reverse; an access list is what lets you tighten the former or open up the latter. NAT/PAT also has to be configured if you want to publish a service on a specific port to the outside.

For this article I will just mention that there are several types of Access Control Lists (ACLs) you can create on an ASA: standard, extended, EtherType, webtype, and IPv6. For this example we will use extended, because that is the type most people will use most of the time. With an extended ACL you can specify not only source and destination IP addresses but also the protocol and port, so a rule can match exactly the service that is required.

Let’s look at the example below.

You will see we are in configuration terminal mode:

ASA(config)# access-list acl extended permit tcp any host 192.0.43.10 eq 80

-The first part, “access-list acl”, names the access list “acl”.
-Next you choose the type of access list. We are using extended for this example.
-Next comes the permit or deny option; we have permit for this statement.
-Then the protocol, tcp, so this entry matches TCP traffic only.
-The next selection, “any”, is the source address and matches any source. Which traffic that actually covers depends on the interface and direction the access list is later applied to; “any” does not by itself mean “inside”. If you don’t want any, you can specify a particular device with “host” and an IP address, as in the last part of this statement.
-The last part specifies the destination: the single host 192.0.43.10, and “eq 80” restricts the match to destination port 80.

So this entry in the access control list named acl permits TCP traffic from any source to the host 192.0.43.10 on port 80, i.e. HTTP to that web server. Two things to keep in mind: every ASA access list ends with an implicit deny, so anything no entry permits is dropped, and the list does nothing until it is bound to an interface and direction with the access-group command.

Later you will notice that your statement looks like this on the ASA:

ASA(config)# access-list acl extended permit tcp any host 192.0.43.10 eq www

Notice how “eq 80” has automatically become “eq www”: the ASA substitutes names for well-known ports when it displays the configuration. This is common on Cisco ASA devices, and it is worth remembering when you search a running config for a port number.
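As an added illustration (this is not part of the original post and is not ASA code), here is a small Python model of how the ASA evaluates an extended ACL: it parses entries in the syntax shown above, renders them the way the running config prints them (port numbers become names), and checks a packet against the list top to bottom, with the implicit deny that ends every ASA access list. The second entry is the one from the article; the deny placed in front of it, the source addresses 10.0.0.5 and 10.0.0.99, and the short port-name table are constructed for the example.

```python
"""Model of Cisco ASA extended ACL evaluation (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# A few well-known ports the ASA prints by name in its configuration (80 -> www).
# Constructed subset for the example; the ASA knows many more.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              80: "www", 443: "https"}
NAME_PORTS = {name: port for port, name in PORT_NAMES.items()}


@dataclass
class Ace:
    """One access control entry."""
    acl: str
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # destination port from "eq PORT", None if unrestricted


def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "extended":
        raise ValueError("only extended ACL entries are handled: " + line)
    src, rest = _take_addr(tok[5:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else NAME_PORTS[rest[1]]
    return Ace(tok[1], tok[3], tok[4], src, dst, dport)


def _fmt_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(ace):
    """Render an entry the way the ASA shows it back (eq 80 becomes eq www)."""
    text = (f"access-list {ace.acl} extended {ace.action} {ace.proto} "
            f"{_fmt_addr(ace.src)} {_fmt_addr(ace.dst)}")
    if ace.dport is not None:
        text += " eq " + PORT_NAMES.get(ace.dport, str(ace.dport))
    return text


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Walk the list top to bottom; the first matching entry decides.
    No match means the implicit deny at the end of every ASA ACL applies."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The article's entry, with a constructed exception placed in front of it.
# Order matters: swap the two and the deny is shadowed by the permit.
ACL = [parse_ace(line) for line in (
    "access-list acl extended deny tcp host 10.0.0.99 host 192.0.43.10 eq 80",
    "access-list acl extended permit tcp any host 192.0.43.10 eq 80",
)]

if __name__ == "__main__":
    for ace in ACL:
        print(render(ace))
    print(evaluate(ACL, "tcp", "10.0.0.5", "192.0.43.10", 80))         # permit
    print(evaluate(ACL, "tcp", "10.0.0.99", "192.0.43.10", 80))        # deny, explicit
    print(evaluate(ACL, "tcp", "10.0.0.5", "192.0.43.10", 443))        # deny, implicit
    print(evaluate(ACL[::-1], "tcp", "10.0.0.99", "192.0.43.10", 80))  # permit: shadowed
```

Run it, then look at the last line: with the two entries reversed the deny never fires, because the permit any matches first. That is the check to do whenever you insert an exception into an existing list. None of this takes effect on a real ASA until the list is bound to an interface with access-group.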

Configuring a Cisco ASA 5505 with the basics

Thursday, March 1st, 2012

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the internet. There are many more steps, options, and features to these devices (later articles will cover some of them).

Bring your device into configuration mode
318ASA>en
Brings the device into enable mode

318ASA#config t
Change to configuration terminal mode

318ASA(config)#
The ASA is now ready to be configured when you see (config)#

Configure the internal interface VLAN (the 5505’s Ethernet ports are switch ports, so IP addressing and security levels go on VLAN interfaces)
318ASA(config)# interface Vlan 1

Configure interface VLAN 1
318ASA(config-if)# nameif inside
Name the interface inside

318ASA(config-if)#security-level 100

Sets the security level to 100, the most trusted level

318ASA(config-if)#ip address 192.168.5.1 255.255.255.0
Assign your IP address

318ASA(config-if)#no shut
Make sure the interface is enabled and active

Configure the external interface VLAN (This is your WAN\internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN2 interface

318ASA(config-if)# nameif outside
Names the interface outside

318ASA(config-if)#security-level 0
Assigns security level 0, the lowest and least trusted level, to the outside interface (the lower the number, the less trusted the interface; by default traffic may flow from a higher level to a lower one, but not the other way round).

318ASA(config-if)#ip address 76.79.219.82 255.255.255.0
Assign your Public Address to the outside interface

318ASA(config-if)#no shut
Enable the outside interface to be active.

Enable and assign the external WAN to Ethernet 0/0 using VLAN2
318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2

318ASA(config-if)#no shut
Enable the interface to be active.

Enable and assign the internal LAN interface Ethernet 0/1 (ports 0/1 to 0/7 are switch ports that belong to VLAN 1 by default, but every port is shut down out of the box).
318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation (here, PAT to the outside interface address). On ASA software before 8.3:
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1 0.0.0.0 0.0.0.0

***NOTE for ASA Version 8.3 and later***
Cisco ASA software version 8.3 introduces several important configuration changes, especially to the NAT/PAT mechanism. The “global” command is no longer supported, and NAT (static and dynamic) and PAT are configured under network objects. The equivalent PAT configuration for 8.3 and later is (the object name inside-net is arbitrary):

318ASA(config)#object network inside-net
318ASA(config-network-object)#subnet 192.168.5.0 255.255.255.0
318ASA(config-network-object)#nat (inside,outside) dynamic interface

For more info you can reference this article from Cisco with regards to the changes – http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Configure the default route (for this example the default gateway is 76.79.219.81; the trailing 1 is the route metric, which is also the default)
318ASA(config)#route outside 0.0.0.0 0.0.0.0 76.79.219.81 1

Last but not least, verify and save your configuration. Check that your settings are working (for instance, that a host on the LAN can reach an internet address through the ASA). Once you have verified the configuration, write it to memory; if you do not, it will be lost on the next reboot.

318ASA(config)#wr mem
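Added example, not from the original post: a Python helper that builds the configuration above from a handful of parameters and sanity-checks the addressing first, so the usual copy/paste mistakes (a default gateway outside the outside interface’s subnet, overlapping inside and outside networks, an interface address that is the network or broadcast address) are caught before anything is pasted into the ASA. It emits the pre-8.3 global/nat pair or the 8.3+ network-object form depending on the software version you pass. The object name inside-net and the version strings are assumptions for the example; the addresses are the ones used above.

```python
"""Builds the ASA 5505 bootstrap configuration and checks the addressing first
(added example; the output is meant to be pasted into the ASA, it is not ASA code)."""
import ipaddress


def parse_version(version):
    """'8.2(5)' -> (8, 2); '8.4' -> (8, 4). Only major.minor matter for the NAT syntax."""
    major, minor = version.split("(")[0].split(".")[:2]
    return int(major), int(minor)


def _addresses(inside_ip, inside_mask, outside_ip, outside_mask, gateway):
    return (ipaddress.IPv4Interface(f"{inside_ip}/{inside_mask}"),
            ipaddress.IPv4Interface(f"{outside_ip}/{outside_mask}"),
            ipaddress.IPv4Address(gateway))


def address_errors(inside_ip, inside_mask, outside_ip, outside_mask, gateway):
    """Return a list of problems with the addressing plan; empty means it is sane."""
    inside, outside, gw = _addresses(inside_ip, inside_mask, outside_ip, outside_mask, gateway)
    errors = []
    for name, iface in (("inside", inside), ("outside", outside)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            errors.append(f"{name} address {iface.ip} is the network or broadcast address")
    if inside.network.overlaps(outside.network):
        errors.append(f"inside {inside.network} overlaps outside {outside.network}")
    if gw not in outside.network or gw == outside.ip:
        errors.append(f"gateway {gw} is not another host in {outside.network}")
    return errors


def build_asa_config(version, inside_ip, inside_mask, outside_ip, outside_mask,
                     gateway, nat_object="inside-net"):
    """Return the configuration as a list of lines, without the 318ASA(config)# prompt."""
    problems = address_errors(inside_ip, inside_mask, outside_ip, outside_mask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    inside, outside, gw = _addresses(inside_ip, inside_mask, outside_ip, outside_mask, gateway)

    cfg = [
        "interface Vlan1",
        " nameif inside",
        " security-level 100",
        f" ip address {inside.ip} {inside.netmask}",
        " no shutdown",
        "interface Vlan2",
        " nameif outside",
        " security-level 0",
        f" ip address {outside.ip} {outside.netmask}",
        " no shutdown",
        "interface Ethernet0/0",
        " switchport access vlan 2",
        " no shutdown",
        "interface Ethernet0/1",
        " no shutdown",
    ]
    if parse_version(version) >= (8, 3):
        # 8.3 and later: PAT hangs off a network object (the object name is arbitrary).
        cfg += [
            f"object network {nat_object}",
            f" subnet {inside.network.network_address} {inside.netmask}",
            " nat (inside,outside) dynamic interface",
        ]
    else:
        # Before 8.3: global/nat pair, limited to the inside subnet instead of
        # the 0.0.0.0 0.0.0.0 wildcard so only LAN addresses get translated.
        cfg += [
            "global (outside) 1 interface",
            f"nat (inside) 1 {inside.network.network_address} {inside.netmask}",
        ]
    cfg.append(f"route outside 0.0.0.0 0.0.0.0 {gw} 1")
    return cfg


if __name__ == "__main__":
    for version in ("8.2(5)", "8.4(7)"):   # assumed version strings for the demo
        print(f"! ASA {version}")
        print("\n".join(build_asa_config(version, "192.168.5.1", "255.255.255.0",
                                         "76.79.219.82", "255.255.255.0",
                                         "76.79.219.81")))
```

The pre-8.3 nat line deliberately names the inside subnet rather than 0.0.0.0 0.0.0.0; both work on the ASA, but the narrower one stops anything that is not a LAN address from being translated out of the outside interface.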

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the Sonicwall appliance at www.mysonicwall.com. A new account may be created for this purpose.

2. Download the latest firmware from mysonicwall.com

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is 192.168.168.168. Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box “Enforce Host Tag Search with for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (i.e., a mail server needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include the additional services you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Mac OS X Server 10.5: NATd

Tuesday, August 12th, 2008

There are certain aspects of Mac OS X Server that it just isn’t that great at. One of them is acting as a router. It’s just a fact that an appliance by SonicWALL, Cisco, Watchguard and sometimes LinkSys will run circles around the speed and feature set of Mac OS X Server. So with that in mind, let’s look at how you would go about configuring a basic port forward on OS X Server if you decided not to listen to us on this point…

Edit /etc/nat/natd.plist. The key you want is redirect_port, an array holding one dictionary per forward; each dictionary can cover a single port or a port range. Assuming you want to forward AFP (TCP 548) to 192.168.0.2 from a WAN IP of 4.2.2.2, the array would look like this:

<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key>
        <string>tcp</string>
        <key>targetIP</key>
        <string>192.168.0.2</string>
        <key>targetPortRange</key>
        <string>548</string>
        <key>aliasIP</key>
        <string>4.2.2.2</string>
        <key>aliasPortRange</key>
        <string>548</string>
    </dict>
</array>

You could also use the route command or ipfw, depending on exactly what you’re trying to do. route is useful if you need to respond to network traffic over a different interface than the default one; ipfw is the packet filter, and is where you restrict who can reach the forwarded port.

Installing and Configuring Asterisk

Thursday, April 26th, 2007

Installing and Configuring Asterisk

The following article covers installing and configuring Asterisk. There are now different flavors of Asterisk; the two I will touch upon in this writing are Asterisk itself (the command-line version) and Trixbox (f.k.a. Asterisk@Home).

BACKGROUND
Asterisk is a PBX (Private Branch Exchange) system used to connect multiple phones to multiple lines (or a combination thereof), giving you many of the features a traditional PBX would, but open source (and in this case free). You can use PSTN lines, IAX or SIP trunks, as well as hard phones (traditional telephones or VoIP handsets) or soft phones. It is used for VoIP (Voice over Internet Protocol).

INSTALLATION
We will first cover installation with the traditional Asterisk software:

First have a box with Linux loaded on it.

System Requirements:

First download Asterisk and its companion libraries from CVS and build them in this order (zaptel and libpri before asterisk, which builds against them):

# cd /usr/src
# export CVSROOT=:pserver:anoncvs@cvs.digium.com:/usr/cvsroot
# cvs login
(password is the same as the username)
# cvs checkout zaptel libpri asterisk
# cd zaptel
# make clean ; make install
# cd ../libpri
# make clean ; make install
# cd ../asterisk
# make clean ; make install
# make samples

If all of this worked without any errors, you have successfully installed Asterisk.

You can now run

# asterisk -vvvvvvc

If that doesn’t work, try

# /usr/sbin/asterisk -vvvvvvc

This will run asterisk console in super-verbose mode, if there are any errors, you will see them scrolling across the screen too.

You can type “stop now” to kill Asterisk.

Installing Cards:

Open up your computer and install the card into a PCI slot. These cards require a certain voltage, so make sure your computer can power the card appropriately. When in doubt, look up the model number of your card and the model number of your computer. Sometimes you will need an extra plug from the power supply to power some of the larger TDM cards.

After the card is installed, load its driver. The following loads the Zaptel core plus the drivers for the two common card types (wcfxo for X100P-style FXO cards, wcfxs for the TDM400P and its FXS/FXO modules); a driver for hardware that isn’t present will just report that no device was found:

# modprobe zaptel
# modprobe wcfxo
# modprobe wcfxs

NOTE: The first card to be probed becomes channel 1, the next one channel 2, and so on.

Next, edit zaptel.conf to tell the driver which channels carry which kind of signalling. Here is an example of a basic zaptel.conf:

fxsks=1
fxoks=2
fxoks=3
loadzone=us
defaultzone=us

Without getting too deep into why: the signalling is named for the far end of the line, so fxsks is what you use for an FXO port (the one plugged into the phone company) and fxoks is for FXS ports (the ones your phones plug into). The zones must match your country code. The channel number after fxsks/fxoks must be the channel the card got when you modprobed earlier (channel 1 above is the FXO card that was loaded first).

Now save your changes and prepare to edit another file, zapata.conf. Settings in this file are sticky: every option stays in effect for each following channel => line until you change it, so the order below matters. In this scenario you would set it up as follows:

[channels]
busydetect=1               ; detect busy tone on the line
busycount=7                ; how many busy tones to hear before deciding the far end hung up
relaxdtmf=yes              ; more tolerant DTMF detection (fewer missed digits)
callwaiting=yes
callwaitingcallerid=yes
threewaycalling=yes
transfer=yes
cancallforward=yes
usecallerid=yes
echocancel=yes             ; tries to remove the echo that is common with VoIP
echocancelwhenbridged=yes
rxgain=0.0                 ; receive volume
txgain=0.0                 ; transmit volume
group=1                    ; groups for trunking
pickupgroup=1-4            ; groups for phones to pick up calls ringing on other phones
immediate=no               ; yes would dial a fixed number as soon as the handset is lifted (the Red Bat Phone from the original Batman program)
context=bell               ; context (a group of rules) in extensions.conf that calls arriving on this channel go to; it must exist there
signalling=fxs_ks          ; signalling method, must match zaptel.conf (channel 1 is the FXO port, hence fxs_ks)
callerid=asreceived        ; pass the caller ID on to the dialplan
channel => 1               ; everything above applies to this channel

context=home               ; context in extensions.conf for the phones
group=2
signalling=fxo_ks          ; must match zaptel.conf (FXS ports use fxo_ks)
mailbox=2468               ; mailbox number
callerid="Phone 1" <2468>  ; caller ID of the phone on this channel
channel => 2

signalling=fxo_ks
mailbox=3579
callerid="Phone 2" <3579>
channel => 3

Run the following (after stopping Asterisk) to finish configuring the Zaptel cards:
# ztcfg -vv

Now edit extensions.conf to configure the numbers for the cards (comments in Asterisk config files start with a semicolon):

[default]
; This is the default plan for what happens when someone dials extension 103 or 1000.
; exten => extension,priority,application
exten => 103,1,BackGround(tt-monkeys)
; definitions for extension 1000
exten => 1000,1,Dial(SIP/dg,20,t,r)
exten => 1000,2,Voicemail(s1000)

[telewest_pstn]
; A sample context called "telewest_pstn" that determines what happens when a call
; comes in on your PSTN line and should make a SIP phone ring. Incoming Zap calls
; land on the "s" extension; the FXO channel's context= line in zapata.conf must
; name this context for that to happen.
exten => s,1,Dial(SIP/dg,25,t,r)
exten => s,2,Voicemail(s1000)
exten => s,3,Hangup

[default]
; Another part of the default dial plan, for dialing out.
; If the number starts with a 9, strip the 9 and send the rest via the PSTN landline.
exten => _9.,1,Dial(Zap/1/${EXTEN:1})
; Or, if it's a 6-digit number (i.e. a local call), send it as dialed.
exten => _XXXXXX,1,Dial(Zap/1/${EXTEN})

Make sure to save your changes.

Sip.conf

From http://www.voip-info.org, the resource for Asterisk, and VoIP related items.
The sip.conf file is a “configuration file for Asterisk SIP channels, for both inbound and outbound calls.”

Here is an example from www.voip-info.org (placeholders such as own_context, XXXX, YYYY.com, AAAA and IP are to be replaced with your own values):

[general]
context=own_context        ; context in extensions.conf that receives inbound calls
realm=real.com             ; authentication realm, if you want to separate by realms
bindport=5060              ; the port to bind to
srvlookup=yes              ; use DNS SRV records to locate the provider's server
disallow=all               ; start with no codecs allowed...
allow=ulaw                 ; ...then allow only what you need (check with your provider)
allow=gsm
language=en

trustrpid=yes
sendrpid=yes

; Register with your other Asterisk box or VoIP provider, in the form user:secret@host
register => XXXX:AAAA@YYYY.com

[my_provider]
type=peer                  ; we send calls to it; inbound calls are matched by IP, not username
fromuser=XXXX              ; user name
fromdomain=YYYY.com        ; domain name
canreinvite=no             ; keep the media stream flowing through Asterisk (usually no)
secret=AAAAA               ; password
insecure=port,invite       ; do not demand authentication on INVITEs from this peer and ignore the
                           ; source port; only for a trusted provider, never for a phone
                           ; (older docs write insecure=very)
host=IP                    ; IP address the provider sends from
disallow=all               ; start with no codecs allowed...
allow=gsm                  ; ...then allow only what the provider supports
allow=ulaw
allow=alaw
qualify=yes                ; send OPTIONS periodically to check the peer is reachable
nat=no                     ; set to yes if this Asterisk box sits behind a SOHO firewall

Outbound call in extensions.conf:

exten => _X.,1,Dial(SIP/${EXTEN}@my_provider)

This is how outbound calls are handled by Asterisk: the pattern _X. matches a digit followed by anything at all, and priority 1 dials whatever number was dialed (${EXTEN}) through the SIP peer my_provider defined in sip.conf. Because _X. matches everything, including international and premium-rate prefixes, put this rule only in a context that your authenticated internal phones can reach; a context that unauthenticated or guest SIP calls land in must never contain it.

When creating or changing these files, reload Asterisk by logging into the console and typing:

reload

This tells Asterisk to re-read the *.conf files and pick up the changes.
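Added example, not part of the original article or of Asterisk itself: a small Python model of the dialplan pattern matching used in the [default] context above and in the _X. outbound rule. It lets you check which exten => line will answer a dialed number before the config goes live, and it shows the overlap between _9. and _XXXXXX (a six-digit number starting with 9 matches both; Asterisk picks the more specific pattern, here _9., so the leading 9 is stripped). The specificity ranking is an approximation of Asterisk’s “most specific match wins” rule, not its exact algorithm, and the numbers dialed in the demo are constructed.

```python
"""Model of Asterisk dialplan pattern matching (added example, not Asterisk code)."""
import re

# Pattern character classes with a rank used for tie-breaking between patterns
# that both match: the lower the rank, the more specific the position.
CLASSES = {"X": ("[0-9]", 3), "Z": ("[1-9]", 2), "N": ("[2-9]", 2)}


def compile_pattern(pattern):
    """Translate an extensions.conf pattern into (regex, specificity tuple).

    A plain extension (no leading '_') must match exactly. Inside a pattern,
    X/Z/N are digit classes, [..] is a set or range, '.' is one or more of
    anything, '!' is zero or more, '-' is ignored, anything else is literal."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern)), (0,) * len(pattern)
    regex, spec, i = [], [], 1
    while i < len(pattern):
        c = pattern[i]
        if c == "-":                      # dashes are for readability only
            i += 1
            continue
        if c.upper() in CLASSES:
            rx, rank = CLASSES[c.upper()]
        elif c == "[":
            end = pattern.index("]", i)
            rx, rank = "[" + pattern[i + 1:end] + "]", 1
            i = end
        elif c == ".":
            rx, rank = ".+", 4
        elif c == "!":
            rx, rank = ".*", 5
        else:
            rx, rank = re.escape(c), 0
        regex.append(rx)
        spec.append(rank)
        i += 1
    return re.compile("".join(regex)), tuple(spec)


def expand(app, exten):
    """Substitute ${EXTEN} and ${EXTEN:n} (drop the first n digits) in an application argument."""
    return re.sub(r"\$\{EXTEN(?::(\d+))?\}",
                  lambda m: exten[int(m.group(1) or 0):], app)


def route(context, exten):
    """Return the expanded priority-1 application of the best-matching entry,
    or None when nothing matches (Asterisk would then fail the call)."""
    best = None
    for pattern, app in context:
        rx, spec = compile_pattern(pattern)
        if rx.fullmatch(exten) and (best is None or spec < best[0]):
            best = (spec, app)
    return expand(best[1], exten) if best else None


# The [default] context from the article, reduced to priority 1 of each extension.
DEFAULT = [
    ("103", "BackGround(tt-monkeys)"),
    ("1000", "Dial(SIP/dg,20,t,r)"),
    ("_9.", "Dial(Zap/1/${EXTEN:1})"),
    ("_XXXXXX", "Dial(Zap/1/${EXTEN})"),
]

# The provider context: '_X.' matches every digit string, so anything that can
# reach this context can dial anywhere on your account.
OUTBOUND = [("_X.", "Dial(SIP/${EXTEN}@my_provider)")]

if __name__ == "__main__":
    for number in ("103", "1000", "912345", "123456", "5551234"):   # constructed numbers
        print(number, "->", route(DEFAULT, number))
    print("011441234567890 ->", route(OUTBOUND, "011441234567890"))
```

Note what the last line shows: an international number sails straight through _X.. That is why the firewall and password advice further down matters; a SIP account with a guessable secret plus a context that reaches this rule is the classic toll-fraud setup.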

Trixbox:

Trixbox is a good package that contains all of the essentials of Asterisk but is much easier to set up. You just pop in the install CD and it installs Asterisk and a lot of other add-ons for you (wiping out your hard drive in the process).

Instead of re-inventing the wheel: Sureteq has a good guide on how to install and configure Trixbox. It’s for version 1.2, but it works for version 2.0 just as well.

http://www.sureteq.com/asterisk/trixboxv1.2.htm

Firewalls:

Ideally, when setting up VoIP you will want to do the following with your VoIP PBX system.
1. Separate it from your regular network, whether through VLANs, subnetting or an air gap, so that voice and data traffic don’t interfere with each other and the PBX is not reachable from every desktop.
2. Change the default passwords on your PBX for EVERYTHING!!! (the web GUI, SSH, every SIP extension secret and every voicemail PIN)
3. Run the updates to bring everything on the server current BEFORE configuring it.
4. Confirm that your firewall/router has QoS (preferably with a VoIP profile).
5. Open only the following ports, and only as far as you need them (restrict SSH to your administration addresses; SIP and RTP only need to be reachable from your provider and your phones):
a. 22 TCP for SSH (quick remote administration)
b. 5060 UDP for SIP signalling and registration (TCP as well only if you enable it)
c. 10000-20000 UDP for RTP (the audio, video and data streams)
d. 4569 UDP for IAX2 -> if you’re using IAX, this is probably the one you want.
e. 5036 UDP for IAX (version 1)
6. Add your modules (especially the backup/restore module).
7. Set a backup schedule for the PBX.

An earlier version of Trixbox is Asterisk@Home, and it was just as easy to manage. Something to keep in mind: with Trixbox 2.0 and later, it is not too hard to restore your configuration. Upgrades between versions, and between Trixbox and plain Asterisk, will require you to have a hard copy of all of your information, which will have to be re-entered manually once the upgrade is complete.

Dual WANs for Your Office

Tuesday, September 5th, 2006

Often, a single internet connection is all that is needed to allow a group of computers to access the internet for websites, email and chatting. DSL, Cable Modem or a single T1 can often provide enough bandwidth for a small group of users.

As your company grows, there can come a point where the speed of the internet connection becomes a bottleneck, increasing the time for web pages to load and for emails to be sent and received. After you hit the limits of what a single connection is able to provide, one very cost effective way to address the issue is to add a second connection.

Adding a second internet connection to your network is also highly recommended if your business relies heavily on the internet. In the event of a downed internet connection, the outage could cost companies thousands of dollars in lost productivity and client interaction. By utilizing a second internet connection from an alternate provider, businesses can ensure a higher level of availability and uptime.

The equipment can be set up in one of two ways. When set up in a failover configuration, the second internet connection is used only when the primary fails. In typical configurations a fast data connection such as a T1 is supplemented by a slower connection, such as DSL, which bears the burden of connectivity in the event of an outage.

When set up with load balancing, both internet connections are used simultaneously, with the traffic load split and routed to the more ‘available’ connection. In this configuration both data circuits should be fast enough for the load to be shared effectively between them, typically T1s.

318 is an expert in setting up and integrating Dual-WAN networks. It can be as simple as using a DSL line and a cable modem, or as robust as using two T1s from two different providers, or even a mix of a T1 and a WiMax link. If you think this is a situation that would suit your business, give 318 a call to discuss your options.