How to spray paint a Server Cabinet

August 25, 2010

I wanted a project to take my mind off of things. I’ve had an old server cab lying around for a while now; it’s old (August 1996 according to the stamp), grey-green and dirty. So I cleaned it up and gave it a new lease of life :)

My basis for requiring a cabinet is that this was untidy:

First I sanded off any crap using 600 grit and applied white primer:

Now as I will be using this for all of my lan party equipment I bought some castors which are rated up to 70kg load:

The internal supports were removed and painted orange:

Once the primer was dry, the outside was coated black:

Masking tape on the base and marked out some holes, a wheel appears:

4 wheels on the box:

Internal supports put back in:

Glass pre-spraying:

The joys of friends with Dremels, taking off the excess bolt:

The almost finished product:

After rack mounting the society equipment:

It even fits under the stairs :D

The only thing I have left to do is give it a name and spray paint LSUCS on the side!


CCENT Passed!

August 9, 2010

I am officially CCENT qualified, now to move onto my CCNA :)

Target date for CCNA cert: 9th of September. :D


Today I Learned (TIL) How to Escape the Question Mark

July 16, 2010

These posts will just be the little hints I pick up over time and my experiences with IOS.

Well, I was playing about with DDNS with an update method of HTTP. Now, because the URL uses a question mark as it sends GET parameters to update my DDNS record held with DynDns, this causes IOS to bring up the help options rather than entering the full URL. (And if you copy and paste the URL you won’t notice it until your DDNS update isn’t working :P )

So in order to escape the question mark, it’s simple: hit Control + V, then type your question mark.

Problem solved :)


My bedroom wall

July 10, 2010

My bedroom wall has become involuntarily sponsored by packetlife.net cheat sheets. Very useful information all over my wall now... just need something on the other walls to counteract the amount of geekery.


IPv6 Shenanigans

July 4, 2010

So I got bored today and set up Steve to be dual stacked with IPv6. It was quite a pain getting it all working; however, that turned out to be a slight issue with OSX rather than my implementation on Steve.

The tunnel is provided by Hurricane Electric, and the example config they provide was a perfect start for what I wanted to do. All it really took was adding the /64 address I was assigned to my LAN interface, and then all of the rest is done by auto configuration. However, after testing it on my iPhone and proving it worked, I came across an annoying problem. OSX was not picking up the router advertisements very quickly and was not routing traffic correctly. I even brought in wookie consultant Stuart Howlette, who was equally baffled.

It appeared that increasing the router advertisements (literally putting more bits on the wire) fixed the issue.

Below is the router config, plus comments, that I currently have on Steve:

! Enable Unicast-routing enables IPv6 globally on Steven
ipv6 unicast-routing
ipv6 cef
! The CBAC ipv6 firewall rules, not that different from IPv4
ipv6 inspect name lolipv6 tcp
ipv6 inspect name lolipv6 udp
! The tunnel interface with some slight differences
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
! Note the difference between the third section of the address in the tunnel address and the LAN address
ipv6 address 2001:470:1F08:A35::2/64
ipv6 enable
! Applying ACLs is now classed as traffic filter rather than access group
ipv6 traffic-filter ipv6ACL in
ipv6 inspect lolipv6 in
tunnel source 86.13.39.151
tunnel destination 216.66.80.26
tunnel mode ipv6ip
! The LAN interface is slightly changed.
interface Vlan17
description <<< LAN INTERFACE >>>
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
! Note the difference between the third section of the address in the tunnel address and the LAN address
ipv6 address 2001:470:1F09:A35::1/64
ipv6 enable
! Increasing the router advertisements to once every 4 seconds fixed the issue with OSX
ipv6 nd ra interval 4
! Default route for all ipv6 traffic to go out the tunnel interface
ipv6 route ::/0 Tunnel0
! IPv6 access lists are not really different from IPv4 ones except only extended/worded access lists are supported now
ipv6 access-list ipv6ACL
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any any
permit udp any any

One up on Stuart is complete!

Moving in and VPN tomfoolery

July 4, 2010

Since I’ve recently moved back to Loughborough into “CompSoc” house, I found the networking equipment to be rather inadequate. So I purchased an 877 (he’s called Steven) and the fun began. First, installing it wasn’t easy... and probably not safe.

An 871 next to a boiler? What could possibly go wrong.

The basic config is a simple NAT overload to the Virgin Modem, with the house switch connected off one port and a DD-WRT access point off another. After the NAT overload was put on, security was the next issue, so to overcome the problem CBAC is used on the WAN interface to inspect inbound packets and ensure they originated from the LAN side first. Essentially a poor man’s firewall.

After a bit of discussion with some of my housemates, it became apparent it would be nice if we could VPN in to manage our LAN side equipment remotely. So I did a bit of research at work, got some sample configs and implemented them on Steven.

Now, the VPN did work, however I could only get to the LAN side of traffic. I wasn’t satisfied with this, so I did a bit more research, and Stuart Howlette found this technote on Cisco’s website. In order to get WAN and LAN traffic routing through the VPN on a stick, all that is required is a bit of knowledge on route maps. The route maps match any traffic heading to the LAN subnet and push it to the LAN interface; otherwise it gets pushed to the loopback, which is then NATted to the Internet.

Below is a commented configuration file which explains what I did in order to get a home VPN on a stick which also routes to the Internet.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Steven
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
!
aaa new-model
!
!
! Activate User and Group authentication
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network grouplist local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool steve
network 192.168.1.0 255.255.255.0
domain-name stv
default-router 192.168.1.1
dns-server 8.8.8.8 208.67.222.222
!
!
ip domain name stv
ip inspect name lolnet http
ip inspect name lolnet https
ip inspect name lolnet telnet
ip inspect name lolnet ssh
ip inspect name lolnet tcp
ip inspect name lolnet udp
!
!
multilink bundle-name authenticated
!
! Username and password is required for the VPN client to authenticate against
username Steven password 0 supersecret!
!
! Create an ISAKMP policy for phase 1 negotiations
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 60 5
!
! Create a crypto group for client configuration
! You can configure the preshare key, dns servers and the IP address pool
crypto isakmp client configuration group Home-vpn
key secretkey
dns 8.8.8.8 8.8.4.4
pool vpnz
!
! Create the phase 2 policy
crypto ipsec transform-set Home-set esp-3des esp-md5-hmac
!
! Create the dynamic map and apply it to the phase 2 policy
crypto dynamic-map mode 1
set transform-set Home-set
reverse-route
!
! Create the crypto map and apply the AAA authentication lists we created earlier
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
! Create a loopback on a separate subnet so VPN traffic heading to external destinations can be routed
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface FastEthernet0
description <<< PHYSICAL SWITCH TO HOUSE LAN >>>
switchport access vlan 17
spanning-tree portfast
!
interface FastEthernet1
description <<< PHYSICAL MODEM LINK >>>
switchport access vlan 12
spanning-tree portfast
!
interface FastEthernet2
description <<< ACCESS POINT >>>
switchport access vlan 17
spanning-tree portfast
!
interface FastEthernet3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan12
description <<< WAN INTERFACE >>>
ip address dhcp
ip access-group WAN-IN in
ip nat outside
ip inspect lolnet in
ip virtual-reassembly
! Apply the route map to determine where traffic is heading
ip policy route-map VPN-Client
! Applying the crypto map allows vpn connections to establish
crypto map mode
!
interface Vlan17
description <<< LAN INTERFACE >>>
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
! Assign a third subnet for VPN clients
ip local pool vpnz 192.168.3.1 192.168.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan12 dhcp
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list NAT interface Vlan12 overload
!
! Anything heading to either 3.0 or 1.0 needs to be denied through the NAT due to the order of operation
ip access-list extended NAT
deny   ip any 192.168.1.0 0.0.0.255
deny   ip any 192.168.3.0 0.0.0.255
permit ip any any
ip access-list extended WAN-IN
deny   icmp any any
deny   tcp any any eq 22
deny   tcp any any eq telnet
permit ip any any
! Route Map Access lists for matching against
access-list 143 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 permit ip 192.168.3.0 0.0.0.255 any
!
!
! If it’s heading to the LAN, push the traffic to the LAN interface
route-map VPN-Client permit 9
match ip address 143
set interface Vlan17
!
! If it’s not heading to the LAN subnet then push it to the Loopback so it can be natted
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 192.168.2.2
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Really, the hardest part of getting this all working was my misunderstanding of Cisco’s order of operation. It took me a while to realise things heading for 192.168.3.0 were trying to go back out of the NAT; a simple modification to the NAT ACL resolved this.
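To make the order-of-operation point concrete, here is an added Python model (not Steven's config and not Cisco code) of the two decisions the config above makes for VPN-client traffic: route-map VPN-Client on Vlan12, and the inside-source NAT gated by the extended ACL NAT. ACL entries use IOS wildcard masks; NAT_ACL_BEFORE_FIX is a constructed stand-in for the ACL without the two deny lines.

```python
import ipaddress

# Constructed model (not Steven's IOS code) of two decisions the page's config
# makes for VPN-client traffic: route-map "VPN-Client" on Vlan12 and the inside
# source NAT controlled by extended ACL "NAT". ACLs use IOS wildcard masks.

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
ACL_143 = [("permit", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
ACL_144 = [("permit", "192.168.3.0", "0.0.0.255", *ANY)]
NAT_ACL = [("deny", *ANY, "192.168.1.0", "0.0.0.255"),
           ("deny", *ANY, "192.168.3.0", "0.0.0.255"),
           ("permit", *ANY, *ANY)]
NAT_ACL_BEFORE_FIX = [("permit", *ANY, *ANY)]  # constructed: no deny lines yet

def policy_route(src, dst):
    """route-map VPN-Client: seq 9 (ACL 143) is tried before seq 10 (ACL 144)."""
    if acl_permits(ACL_143, src, dst):
        return "Vlan17"              # set interface Vlan17
    if acl_permits(ACL_144, src, dst):
        return "192.168.2.2"         # set ip next-hop into Loopback0's subnet
    return "routing-table"           # no match: ordinary destination routing

def nat_translates(src, dst, nat_acl=NAT_ACL):
    """Inside-to-outside packet: 'ip nat inside source list NAT ... overload'
    rewrites the source only if the NAT ACL permits the flow. A LAN reply bound
    for a VPN client must NOT be translated, or it is rewritten before
    encryption and no longer matches the VPN client's IPsec SA."""
    return acl_permits(nat_acl, src, dst)

if __name__ == "__main__":
    print(policy_route("192.168.3.5", "192.168.1.50"))  # Vlan17
    print(policy_route("192.168.3.5", "8.8.8.8"))       # 192.168.2.2
    print(nat_translates("192.168.1.50", "192.168.3.5"))                      # False
    print(nat_translates("192.168.1.50", "192.168.3.5", NAT_ACL_BEFORE_FIX))  # True
```

The last two calls reproduce the bug described above: with the plain permit-any NAT ACL, a LAN host's reply to a VPN client is translated and never makes it back through the tunnel.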

I’ll post my write up of enabling IPv6 on Steven at some point just to one up Stuart.

Beginning again…

July 4, 2010

Well, after much persuasion from Stuart Howlette, I have decided to start blogging again. I’m hoping this will help in my thought process as I struggle towards getting my CCNA. The target is now sometime in September.

Here we go…
