Miles' Tales

I wanted a project to take my mind off of things. I’ve had an old server cab lying around for a while now, it’s old (August 1996 according to the stamp) grey green and dirty. So I cleaned it up and gave it a new lease of life

My basis for requiring a cabinet is that this was untidy:

First sanded off any crap using 600 grit and applied white primer:

Now as I will be using this for all of my lan party equipment I bought some castors which are rated up to 70kg load:

The internal supports were removed and painted orange:

Once the primer was dry, the outside was coated black:

Masking tape on the base and marked out some holes, a wheel appears:

4 wheels on the box:

Internal supports put back in:

Glass pre-spraying:

The joys of friends with dremals, taking off the excess bolt:

The almost finished product:

After rack mounting the society equipment:

It even fits under the stairs

The only thing I have left to do is give it a name and spray paint LSUCS on the side!

I am officially CCENT qualified, now to move onto my CCNA

Target date for CCNA cert: 9th of September.

These posts will just be the little hints I pick up over time and my experiences with IOS.

Well I was playing about with DDNS  with an update method of HTTP. Now because the URL uses a question mark as it sends get parameters to update my DDNS record held with DynDns, this cause the IOS to bring up the help options rather than entering the full URL. (And if you copy and paste the URL you won’t notice it until your DDNS update isn’t working )

So in order to escape the question mark, it’s simple. Hit Control + V then type your question mark.

Problem solved

My bedroom wall has become involuntarily sponsored by packetlife.net cheat sheets. Very useful information all over my wall now…..just need something on the other walls to counter-act the amount of  geekery.

So I got bored today and setup Steve to be dual stacked with IPv6.  It was quite a pain getting it all working however that turned out to be a slight issue with OSX rather than my implementation on Steve.

The tunnel is provided by Hurricane Electric and the example config they provide was a perfect start for what I wanted to do. All it really took was adding the /64 address I was assigned to my LAN interface and then all of the rest is done by auto configuration. However after testing it on my iPhone and proving it worked I came across an annoying problem. OSX was not picking up the router advertisements very quickly and not routing traffic correctly. I even brought in wookie consultant Stuart Howlette who was equally baffled.

It appeared that increasing the router advertisements (literally putting more bits on the wire) fixed the issue.

Below is the router config plus comments that I current have on Steve:

! Enable Unicast-routing enables IPv6 globally on Steven

ipv6 unicast-routing

ipv6 cef

! The CBAC ipv6 firewall rules, not that different from IPv4

ipv6 inspect name lolipv6 tcp

ipv6 inspect name lolipv6 udp

! The tunnel interface with some slight differences

interface Tunnel0

description Hurricane Electric IPv6 Tunnel Broker

no ip address

! Note the difference between the third section of the address in the tunnel address and the LAN address

ipv6 address 2001:470:1F08:A35::2/64

ipv6 enable

! Applying ACLs is now classed as traffic filter rather than access group

ipv6 traffic-filter ipv6ACL in

ipv6 inspect lolipv6 in

tunnel source 86.13.39.151

tunnel destination 216.66.80.26

tunnel mode ipv6ip

! The LAN interface is slightly changed.

interface Vlan17

description <<< LAN INTERFACE >>>

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

! Note the difference between the third section of the address in the tunnel address and the LAN addres

ipv6 address 2001:470:1F09:A35::1/64

ipv6 enable

! Increasing the router advertisements to once every 4 seconds fixed the issue with OSX

ipv6 nd ra interval 4

! Default route for all ipv6 traffic to go out the tunnel interface

ipv6 route ::/0 Tunnel0

! IPv6 access lists are not really different from IPv4 ones except only extended/worded access lists are supported now

ipv6 access-list ipv6ACL

deny tcp any any eq 22

deny tcp any any eq telnet

permit tcp any any

permit udp any any

Since I’ve recently moved back to Loughborough into “CompSoc” house I found the networking equipment to be rather inadequate. So I purchased a 877 (he’s called Steven) and the fun began. First installing it wasn’t easy….and probably not safe.

The basic config is a simple NAT overload to the Virgin Modem, house switch connected off one port and a DD-WRT access point off another. After the NAT overload was put on security was the next issue, so to overcome the problem CBAC is used on the WAN interface to inspect inbound packets to ensure they originated from the LAN side first. Essentially a poor mans firewall.

After a bit of discussion with some of my housemates it became apparent it would be nice if we could VPN in to manage our LAN side equipment remotely. So I did a bit of research at work, got some sample configs and implemented them on Steven.

Now the VPN did work however I could only get to the LAN side of traffic, now I wasn’t satisfied with this, so I did a bit more research and Stuart Howlette found this technote on cisco’s website. In order to get WAN and LAN traffic routing through the VPN on a stick all that is required if a bit of knowledge on route maps. The route maps match any traffic heading the LAN subnet and then push it to the LAN interface otherwise it get pushed to the loopback which is then natted to the Internet.

So now below is a commented configuration file which explains what I did in order to get a home VPN on a stick which also routes to the internet.

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Steven

!

boot-start-marker

boot-end-marker

!

logging buffered 50000

!

aaa new-model

!

!

! Activate User and Group authentication

aaa authentication login default local

aaa authentication login userlist local

aaa authorization network grouplist local

aaa authorization network groupauthor local

!

!

aaa session-id common

!

!

dot11 syslog

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.100 192.168.1.254

!

ip dhcp pool steve

network 192.168.1.0 255.255.255.0

domain-name stv

default-router 192.168.1.1

dns-server 8.8.8.8 208.67.222.222

!

!

ip domain name stv

ip inspect name lolnet http

ip inspect name lolnet https

ip inspect name lolnet telnet

ip inspect name lolnet ssh

ip inspect name lolnet tcp

ip inspect name lolnet udp

!

!

multilink bundle-name authenticated

!

! Username and password is required for the VPN client to authenticate against

username Steven password 0 supersecret!

!

!Create an ISAKMP  policy for phase 1 negotations

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp keepalive 60 5

!

! Create a cyrpto group for client configuration

! You can configure the preshare key, dns servers and the IP address pool

crypto isakmp client configuration group Home-vpn

key secretkey

dns 8.8.8.8 8.8.4.4

pool vpnz

!

! Create the phase 2 policy

crypto ipsec transform-set Home-set esp-3des esp-md5-hmac

!

! Create the dynamic map and apply it to the phase 2 policy

crypto dynamic-map mode 1

set transform-set Home-set

reverse-route

!

! Create the crypto map and apply the AAA authentication lists we created earlier

crypto map mode client authentication list userlist

crypto map mode isakmp authorization list grouplist

crypto map mode client configuration address respond

crypto map mode 1 ipsec-isakmp dynamic mode

!

archive

log config

hidekeys

!

!

ip ssh version 2

!

!

! Create a loopback on a separate subnet for VPN traffic heading to external destinations can be routed

interface Loopback0

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface FastEthernet0

description <<< PHYSICAL SWITCH TO HOUSE LAN >>>

switchport access vlan 17

spanning-tree portfast

!

interface FastEthernet1

description <<< PHYSICAL MODEM LINK >>>

switchport access vlan 12

spanning-tree portfast

!

interface FastEthernet2

description <<< ACCESS POINT >>>

switchport access vlan 17

spanning-tree portfast

!

interface FastEthernet3

!

interface Vlan1

no ip address

shutdown

!

interface Vlan12

description <<< WAN INTERFACE >>>

ip address dhcp

ip access-group WAN-IN in

ip nat outside

ip inspect lolnet in

ip virtual-reassembly

! Apply the route map to determine where traffic is heading

ip policy route-map VPN-Client

! Applying the crypto map allows vpn connections to establish

crypto map mode

!

interface Vlan17

description <<< LAN INTERFACE >>>

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

! Assign a third subnet for VPN clients

ip local pool vpnz 192.168.3.1 192.168.3.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Vlan12 dhcp

!

!

no ip http server

no ip http secure-server

ip nat translation timeout 360

ip nat inside source list NAT interface Vlan12 overload

!

! Anything heading to either 3.0 and 1.0 need to be denied through the NAT due to the order of operation

ip access-list extended NAT

deny   ip any 192.168.1.0 0.0.0.255

deny   ip any 192.168.3.0 0.0.0.255

permit ip any any

ip access-list extended WAN-IN

deny   icmp any any

deny   tcp any any eq 22

deny   tcp any any eq telnet

permit ip any any

! Route Map Access lists for matching against

access-list 143 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 144 permit ip 192.168.3.0 0.0.0.255 any

!

!

! If it’s heading to the LAN, push the traffic to the LAN interface

route-map VPN-Client permit 9

match ip address 143

set interface Vlan17

!

! If it’s not heading to the LAN subnet then push it to the Loopback so it can be natted

route-map VPN-Client permit 10

match ip address 144

set ip next-hop 192.168.2.2

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

!

scheduler max-task-time 5000

end

Well after much persuasion from Stuart Howlette, I have decided to start blogging again. I’m hoping this will help in my throught process as I struggle towards getting my CCNA. The target is now sometime in September.

Here we go…