Friday, 28 February 2014

Configuring an IPsec tunnel between Cisco routers

How to configure an IPsec tunnel between Cisco routers with encryption of the traffic.
In the example considered here there are two separate local networks with private addresses (192.168.1.0/24 and 192.168.2.0/24) connected to the FastEthernet0/0 interfaces of Cisco routers. The routers can be almost any model, but the Cisco IOS running on them must support encryption (the IOS image file name must contain "k9"). The external interfaces (FastEthernet0/1) of these routers are connected to the global network with real IP addresses (1.0.0.1/24 and 1.0.0.2/24). (Note that the configuration listing below uses the opposite assignment: FastEthernet0/0 carries the outside address 1.0.0.1 and FastEthernet0/1 the inside address 192.168.1.1.) We will set up an IPsec tunnel between the internal networks so that users of one network can securely access the resources of the other, with the traffic being encrypted. We will also configure NAT so that only traffic from one network to the other is tunnelled, while all other traffic (for example, to the Internet) goes over a different path. For the second router the settings are the same; only the address of the internal network and of the external interface change, and the access lists change accordingly.


Configuring IPsec on IOS consists of several steps:
  1. Configure the IPsec phase 1 policy: define the encryption method, the DH group and the authentication method. This is done in the crypto isakmp policy configuration mode.
  2. If pre-shared keys were chosen for authentication in the first step, that key must be set with the crypto isakmp key command.
  3. Define the set of phase 2 policies: the encryption algorithm and the traffic integrity method (in other words, the hash function). This is done with the crypto ipsec transform-set command.
  4. Create extended access lists that determine which traffic must be encrypted and which must not.
  5. Create a crypto map that contains the required set of phase 2 policies and the identifier of the remote side, and apply the map to an interface. A crypto map is created with the crypto map command.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2811-1
no aaa new-model
ip cef
!
! Phase 1 (ISAKMP) policy
crypto isakmp policy 100
 ! encryption: des, 3des, aes (128), aes 192 or aes 256
 encryption aes
 ! hash: md5 or sha
 hash md5
 ! authentication: pre-share, rsa-sig or rsa-encr
 authentication pre-share
 ! Diffie-Hellman group used for the key exchange between the routers
 group 2
! pre-shared key; the address is the other router, the far end of the tunnel
crypto isakmp key cisco address 1.0.0.2
!
! Phase 2 (IPsec) transform set and crypto map
crypto ipsec transform-set PEERS esp-aes esp-md5-hmac
crypto map IPSEC 100 ipsec-isakmp
 ! address of the other router, the far end of the tunnel
 set peer 1.0.0.2
 set security-association idle-time 600
 set transform-set PEERS
 ! Perfect Forward Secrecy: a fresh DH (group 1) exchange for every IPsec SA
 set pfs group1
 match address ACL_IPSEC
!
! external interface
interface FastEthernet0/0
 encapsulation dot1Q 1 native
 ip address 1.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 crypto map IPSEC
!
! internal interface
interface FastEthernet0/1
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.2.0 255.255.255.0 1.0.0.2
!
ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! crypto ACL: the traffic that must be encrypted
ip access-list extended ACL_IPSEC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip host 1.0.0.1 host 1.0.0.2
 permit ip host 1.0.0.2 host 1.0.0.1
 deny   ip any any
!
! this deny line keeps NAT away from the inter-site addresses: they talk through the IPsec tunnel
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
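The interplay between the crypto ACL and the NAT ACL is the part of this configuration that most often goes wrong: if NAT rewrites the source address before the crypto map sees the packet, the packet no longer matches ACL_IPSEC and leaves the router in the clear. The script below is an added example (not code from the post) that parses the two access lists of the listing above and reports, for every flow the crypto ACL would encrypt, whether the NAT ACL exempts it. The sample configurations are constructed inline: SAMPLE_CONFIG reproduces the post's ACLs, BROKEN_CONFIG is the same with the NAT deny line missing. Only the simple "permit|deny ip <src> <dst>" form used in the post is parsed.

```python
"""Check that an IOS NAT access list exempts the traffic selected by a crypto ACL.

Added example, not the original post's code. Assumes ACL entries of the form
'permit|deny ip <src> <dst>' where an address is 'any', 'host A.B.C.D' or
'A.B.C.D wildcard' (contiguous wildcard masks only).
"""
import ipaddress
import re

# Constructed sample: the two access lists from the post.
SAMPLE_CONFIG = """\
ip access-list extended ACL_IPSEC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip host 1.0.0.1 host 1.0.0.2
 permit ip host 1.0.0.2 host 1.0.0.1
 deny   ip any any
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed sample: the same listing without the NAT exemption line.
BROKEN_CONFIG = """\
ip access-list extended ACL_IPSEC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip host 1.0.0.1 host 1.0.0.2
 permit ip host 1.0.0.2 host 1.0.0.1
 deny   ip any any
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_address(tokens):
    """Consume one address spec from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net); None if not that form."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    src, rest = parse_address(tokens[2:])
    dst, _ = parse_address(rest)
    return tokens[0], src, dst


def parse_config(config):
    """Collect named extended ACLs and numbered ACLs from an IOS config text."""
    named, numbered, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = named.setdefault(m.group(1), [])
            continue
        m = re.match(r"access-list (\d+) (.*)", line)
        if m:
            ace = parse_ace(m.group(2))
            if ace:
                numbered.setdefault(m.group(1), []).append(ace)
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            ace = parse_ace(line)   # indented line inside the named ACL
            if ace:
                current.append(ace)
        else:
            current = None          # any other top-level line ends the ACL
    return named, numbered


def first_match(acl, src, dst):
    """First ACE overlapping the flow src->dst, or None for the implicit deny."""
    for action, s, d in acl:
        if s.overlaps(src) and d.overlaps(dst):
            return action, s, d
    return None


def check_nat_exemption(crypto_acl, nat_acl):
    """For each flow the crypto ACL encrypts, say how the NAT ACL treats it.

    Returns (src, dst, verdict) triples; verdict is 'exempt' (not translated),
    'translated' (NAT would rewrite it before encryption) or 'check-manually'
    (the first matching deny covers only part of the flow).
    """
    results = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        hit = first_match(nat_acl, src, dst)
        if hit is None or (hit[0] == "deny" and src.subnet_of(hit[1]) and dst.subnet_of(hit[2])):
            verdict = "exempt"
        elif hit[0] == "deny":
            verdict = "check-manually"
        else:
            verdict = "translated"
        results.append((str(src), str(dst), verdict))
    return results


def audit(config, crypto_name="ACL_IPSEC", nat_number="101"):
    named, numbered = parse_config(config)
    return check_nat_exemption(named[crypto_name], numbered[nat_number])


if __name__ == "__main__":
    for label, cfg in (("post", SAMPLE_CONFIG), ("missing deny", BROKEN_CONFIG)):
        for src, dst, verdict in audit(cfg):
            print(f"{label:12} {src:>16} -> {dst:<16} {verdict}")
```

Run against the post's listing every flow comes back "exempt"; with the deny line removed the 192.168.1.0/24 to 192.168.2.0/24 flow is reported as "translated", which is exactly the case where the tunnel silently stops carrying the traffic it was built for.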

Friday, 21 February 2014

Resetting the password and configuration on a Cisco PIX 506E

Today this box ended up in my hands. I needed to return it to the factory settings. After digging through the forums I did not find a sensible step-by-step guide, so I will write my own.
1. Download and install the Cisco TFTP Server program.
2. Connect to the console with a COM-to-RJ45 cable and any terminal client, for example HyperTerminal (included in a standard Windows installation), PuTTY (freeware) or VanDyke SecureCRT (paid). In short, there is a choice.
Use the following terminal connection parameters:
- bits per second (baud): 9600
- data bits: 8
- parity: none
- stop bits: 1
- flow control: Xon/Xoff
3. Plug a twisted-pair cable into one of the PIX's ports, with the other end going directly into the PC or into a switch. Then power on the PIX.
4. Wait for it to boot and find a line like this:
"Cisco PIX Firewall Version 6.3(3)"
This shows the firmware version.
Using this link, find the version of the binary that matches ours and save it to the TFTP Server Root Directory.
5. Reboot the PIX (you can simply power-cycle it) and press the ESC key during boot. The process then goes like this (text copied from the Telnet console):
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54fe.42f9
monitor> address 192.168.100.1 (give the PIX an address from our subnet)
address 192.168.100.1
monitor> server 192.168.100.45 (enter the IP address of your PC where the TFTP server is installed)
server 192.168.100.45
monitor> file np63.bin (enter the name of the file we downloaded)
file np63.bin
monitor> ping 192.168.100.45 (ping our TFTP server)
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 192.168.100.45, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp (start copying the binary)
tftp np63.bin@192.168.100.45...................................
Received 92160 bytes
 
Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
 
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
 
Rebooting....
6. After the reboot, wait for the software to load
pixfirewall> enable (enter administration mode)
Password: (press Enter)
pixfirewall# configure terminal
pixfirewall(config)# configure factory-default
Begin to apply factory-default configuration:
Clear all configuration
Excuting command: interface ethernet0 auto
Excuting command: interface ethernet1 100full
Excuting command: ip address outside dhcp setroute

 or
pixfirewall#  write erase
pixfirewall#  reload



http://vokinburt.livejournal.com/199170.html

PIX 506E firmware upgrade to 7.1(2)

You must have at least 64 MB of RAM.
Any DIMM modules will do, if you still have such a relic lying around.

SETUP: TFTP Server:192.168.5.1 PIX: 192.168.5.2 Consoled into PIX.


CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
64 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1974784 bytes of image from flash.
##################################################################################
64MB RAM
mcwa i82559 Ethernet at irq 11 MAC: 001a.a2a4.5c33
mcwa i82559 Ethernet at irq 10 MAC: 001a.a2a4.5c32
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000

-----------------------------------------------------------------------
     ||        ||
     ||        ||
    ||||      ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 4
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Restricted (R) license.

Cryptochecksum(unchanged): 6a5b0c6c fd46250c 3dd9bb06 a6df7e62
Type help or '?' for a list of available commands.
pixfirewall> en
Password:
pixfirewall(config)# no dhcpd address 192.168.1.2-192.168.1.254 inside
DHCPD disabled on inside interface because address pool is removed
pixfirewall(config)# no dhcpd enable inside
pixfirewall(config)# ip address inside 192.168.5.2 255.255.255.0
pixfirewall(config)# ping 192.168.5.1
192.168.5.1 response received -- 0ms
192.168.5.1 response received -- 0ms
192.168.5.1 response received -- 0ms
pixfirewall(config)# exit
pixfirewall# wr mem
Building configuration...
Cryptochecksum: 5ca481c6 1487c90e c50ead2b a3088231
[OK]
pixfirewall# clear flashfs
pixfirewall# sh flash
flash file system: version:0 magic:0x0
file 0: origin: 0 length:0
file 1: origin: 0 length:0
file 2: origin: 0 length:0
file 3: origin: 0 length:0
file 4: origin: 0 length:0
file 5: origin: 0 length:0
pixfirewall# reboot
Proceed with reload? [confirm]

Rebooting..ÿ

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
64 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
 System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
[Hit ESC]
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 001a.a2a4.5c33
Use ? for help.
monitor> address 192.168.5.2
address 192.168.5.2
monitor> server 192.168.5.1
server 192.168.5.1
monitor> file pix712.bin
file pix712.bin
monitor> tftp
tftp pix712.bin@192.168.5.1..........................................................
Received 6764544 bytes

Cisco PIX Security Appliance admin loader (3.0) #0: Tue Mar 14 16:46:07 PST 2006
#############################################################
64MB RAM

Total NICs found: 2
mcwa i82559 Ethernet at irq 11 MAC: 001a.a2a4.5c33
mcwa i82559 Ethernet at irq 10 MAC: 001a.a2a4.5c32
BIOS Flash=am29f400b @ 0xd8000
Old file system detected. Attempting to save data in flash

Initializing flashfs...
flashfs[7]: Checking block 0...block number was (-2131)
flashfs[7]: erasing block 0...done.
flashfs[7]: Checking block 1...block number was (-12656)
flashfs[7]: erasing block 1...done.
flashfs[7]: Checking block 2...block number was (-31472)
flashfs[7]: erasing block 2...done.
flashfs[7]: Checking block 3...block number was (32183)
flashfs[7]: erasing block 3...done.
flashfs[7]: Checking block 4...block number was (27050)
flashfs[7]: erasing block 4...done.
flashfs[7]: Checking block 5...block number was (10385)
flashfs[7]: erasing block 5...done.
flashfs[7]: Checking block 6...block number was (27686)
flashfs[7]: erasing block 6...done.
flashfs[7]: Checking block 7...block number was (1814)
flashfs[7]: erasing block 7...done.
flashfs[7]: Checking block 8...block number was (22750)
flashfs[7]: erasing block 8...done.
flashfs[7]: Checking block 9...block number was (11436)
flashfs[7]: erasing block 9...done.
flashfs[7]: Checking block 10...block number was (10399)
flashfs[7]: erasing block 10...done.
flashfs[7]: Checking block 11...block number was (-4384)
flashfs[7]: erasing block 11...done.
flashfs[7]: Checking block 12...block number was (10801)
flashfs[7]: erasing block 12...done.
flashfs[7]: Checking block 13...block number was (3939)
flashfs[7]: erasing block 13...done.
flashfs[7]: Checking block 14...block number was (29271)
flashfs[7]: erasing block 14...done.
flashfs[7]: Checking block 15...block number was (3)
flashfs[7]: erasing block 15...done.
flashfs[7]: Checking block 16...block number was (-12561)
flashfs[7]: erasing block 16...done.
flashfs[7]: Checking block 17...block number was (-17835)
flashfs[7]: erasing block 17...done.
flashfs[7]: Checking block 18...block number was (25075)
flashfs[7]: erasing block 18...done.
flashfs[7]: Checking block 19...block number was (18017)
flashfs[7]: erasing block 19...done.
flashfs[7]: Checking block 20...block number was (21479)
flashfs[7]: erasing block 20...done.
flashfs[7]: Checking block 21...block number was (-3643)
flashfs[7]: erasing block 21...done.
flashfs[7]: Checking block 22...block number was (-18350)
flashfs[7]: erasing block 22...done.
flashfs[7]: Checking block 23...block number was (25412)
flashfs[7]: erasing block 23...done.
flashfs[7]: Checking block 24...block number was (8285)
flashfs[7]: erasing block 24...done.
flashfs[7]: Checking block 25...block number was (-11600)
flashfs[7]: erasing block 25...done.
flashfs[7]: Checking block 26...block number was (-32046)
flashfs[7]: erasing block 26...done.
flashfs[7]: Checking block 27...block number was (1769)
flashfs[7]: erasing block 27...done.
flashfs[7]: Checking block 28...block number was (-28376)
flashfs[7]: erasing block 28...done.
flashfs[7]: Checking block 29...block number was (-19639)
flashfs[7]: erasing block 29...done.
flashfs[7]: Checking block 30...block number was (-20657)
flashfs[7]: erasing block 30...done.
flashfs[7]: Checking block 31...block number was (3744)
flashfs[7]: erasing block 31...done.
flashfs[7]: Checking block 32...block number was (-11933)
flashfs[7]: erasing block 32...done.
flashfs[7]: Checking block 33...block number was (17275)
flashfs[7]: erasing block 33...done.
flashfs[7]: Checking block 34...block number was (23299)
flashfs[7]: erasing block 34...done.
flashfs[7]: Checking block 35...block number was (-13460)
flashfs[7]: erasing block 35...done.
flashfs[7]: Checking block 36...block number was (10511)
flashfs[7]: erasing block 36...done.
flashfs[7]: Checking block 37...block number was (-10457)
flashfs[7]: erasing block 37...done.
flashfs[7]: Checking block 38...block number was (30155)
flashfs[7]: erasing block 38...done.
flashfs[7]: Checking block 39...block number was (7950)
flashfs[7]: erasing block 39...done.
flashfs[7]: Checking block 40...block number was (-13108)
flashfs[7]: erasing block 40...done.
flashfs[7]: Checking block 41...block number was (-13108)
flashfs[7]: erasing block 41...done.
flashfs[7]: Checking block 42...block number was (-13108)
flashfs[7]: erasing block 42...done.
flashfs[7]: Checking block 43...block number was (-13108)
flashfs[7]: erasing block 43...done.
flashfs[7]: Checking block 44...block number was (-13108)
flashfs[7]: erasing block 44...done.
flashfs[7]: Checking block 45...block number was (-13108)
flashfs[7]: erasing block 45...done.
flashfs[7]: Checking block 46...block number was (-13108)
flashfs[7]: erasing block 46...done.
flashfs[7]: Checking block 47...block number was (-13108)
flashfs[7]: erasing block 47...done.
flashfs[7]: Checking block 48...block number was (-13108)
flashfs[7]: erasing block 48...done.
flashfs[7]: Checking block 49...block number was (-13108)
flashfs[7]: erasing block 49...done.
flashfs[7]: Checking block 50...block number was (-13108)
flashfs[7]: erasing block 50...done.
flashfs[7]: Checking block 51...block number was (-13108)
flashfs[7]: erasing block 51...done.
flashfs[7]: Checking block 52...block number was (-13108)
flashfs[7]: erasing block 52...done.
flashfs[7]: Checking block 53...block number was (-13108)
flashfs[7]: erasing block 53...done.
flashfs[7]: Checking block 54...block number was (-13108)
flashfs[7]: erasing block 54...done.
flashfs[7]: Checking block 55...block number was (-13108)
flashfs[7]: erasing block 55...done.
flashfs[7]: Checking block 56...block number was (-13108)
flashfs[7]: erasing block 56...done.
flashfs[7]: Checking block 57...block number was (-13108)
flashfs[7]: erasing block 57...done.
flashfs[7]: Checking block 58...block number was (-13108)
flashfs[7]: erasing block 58...done.
flashfs[7]: Checking block 59...block number was (-13108)
flashfs[7]: erasing block 59...done.
flashfs[7]: Checking block 60...block number was (-13108)
flashfs[7]: erasing block 60...done.
flashfs[7]: Checking block 61...block number was (0)
flashfs[7]: erasing block 61...done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 7869440
flashfs[7]: flashfs fsck took 53 seconds.
flashfs[7]: Initialization complete.

Saving the configuration
!
Saving a copy of old configuration as downgrade.cfg
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
The version of image file in flash is not bootable in the current version of
software.
Use the downgrade command first to boot older version of software.
The file is being saved as image_old.bin anyway.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Upgrade process complete
Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform does not support Failover.

--------------------------------------------------------------------------
      .            .
      |            |
     |||          |||
   .|| ||.     . || ||.
.:||| | |||:..:||| | |||:.
C i s c o S y s t e m s
--------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.1(2)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************

Copyright (c) 1996-2006 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

timeout sip-disconnect 0:02:00 sip-invite 0:03:00
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, "timeout sip-disconnect 0..."
ERROR: This command is no longer needed. The LOCAL user database is always enabled.
*** Output from config line 48, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
*** Output from config line 55, "floodguard enable"

Cryptochecksum (unchanged): 5ca481c6 1487c90e c50ead2b a3088231
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
************************************************************************
** **
** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** **
** **
 ** ----> Current image running from RAM only!
en
Password:
pixfirewall# sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

pixfirewall up 15 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 001a.a2a4.5c32, irq 10
1: Ext: Ethernet1 : address is 001a.a2a4.5c33, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
pixfirewall# sh flash

Directory of flash:/

4 -rw- 1830 16:23:18 Aug 04 2012 downgrade.cfg
7 -rw- 1978424 16:23:34 Aug 04 2012 image_old.bin

7870464 bytes total (5884928 bytes free)
pixfirewall# delete downgrade.cfg

Delete filename [downgrade.cfg]?

Delete flash:/downgrade.cfg? [confirm]

pixfirewall# delete image_old.bin

Delete filename [image_old.bin]?

Delete flash:/image_old.bin? [confirm]

pixfirewall# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet1 inside 192.168.5.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet1 inside 192.168.5.2 255.255.255.0 CONFIG
pixfirewall# copy tftp://192.168.5.1/pix712.bin flash

Address or name of remote host [192.168.5.1]?

Source filename [pix712.bin]?

Destination filename [pix712.bin]?

Accessing tftp://192.168.5.1/pix712.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Writing file flash:/pix712.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

6764544 bytes copied in 72.900 secs (93952 bytes/sec)
pixfirewall# sh flash

Directory of flash:/

4 -rw- 6764544 16:29:38 Aug 04 2012 pix712.bin

7870464 bytes total (1101312 bytes free)
pixfirewall# show run | i boot
pixfirewall# config t
pixfirewall(config)# boot system pix712.bin
INFO: Converting pix712.bin to flash:/pix712.bin
pixfirewall(config)# exit
pixfirewall# wr mem
Building configuration...
Cryptochecksum: 1c4473b8 dc713c6f 0b1336b3 b45dea54

1765 bytes copied in 0.430 secs
[OK]
pixfirewall# show run | i boot
boot system flash:/pix712.bin
pixfirewall# reload
Proceed with reload? [confirm]
pixfirewall#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---

Rebooting....

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
64 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 123392 bytes of image from flash.

PIX Flash Load Helper

Initializing flashfs...
flashfs[0]: 6 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7870464
flashfs[0]: Bytes used: 6770176
flashfs[0]: Bytes available: 1100288
flashfs[0]: Initialization complete.

Reading image flash:/pix712.bin
Launching image flash:/pix712.bin
###############################################

64MB RAM

Total NICs found: 2
mcwa i82559 Ethernet at irq 11 MAC: 001a.a2a4.5c33
mcwa i82559 Ethernet at irq 10 MAC: 001a.a2a4.5c32
BIOS Flash=am29f400b @ 0xd8000

Initializing flashfs...
flashfs[7]: 6 files, 3 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 6770176
flashfs[7]: Bytes available: 1100288
flashfs[7]: flashfs fsck took 9 seconds.
flashfs[7]: Initialization complete.

Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform does not support Failover.

--------------------------------------------------------------------------
      .            .
      |            |
     |||          |||
   .|| ||.      .|| ||.
.:||| | |||:..:||| | |||:.
C i s c o S y s t e m s
--------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.1(2)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************

Copyright (c) 1996-2006 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cryptochecksum (unchanged): 1c4473b8 dc713c6f 0b1336b3 b45dea54
Type help or '?' for a list of available commands.
pixfirewall> sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"

pixfirewall up 7 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 001a.a2a4.5c32, irq 10
1: Ext: Ethernet1 : address is 001a.a2a4.5c33, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
pixfirewall> en
Password:
pixfirewall# sh flash

Directory of flash:/

4 -rw- 6764544 16:29:38 Aug 04 2012 pix712.bin

7870464 bytes total (1100288 bytes free)
pixfirewall#
pixfirewall#
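The one decision in the log above that is worth automating is the flash-space check: after the monitor-mode boot the loader had saved the old image as image_old.bin and the old configuration as downgrade.cfg, "sh flash" reported 5884928 bytes free, and the 6764544-byte pix712.bin would not fit until those files were deleted. The script below is an added example (not part of the original post or of Cisco's tooling) that parses the "sh flash" directory listing and works out whether an image fits and which of the loader's saved files must be removed first. The listing is constructed inline from the values in the log.

```python
"""Plan a PIX flash copy from 'sh flash' output: does the image fit, and what must go first?

Added example, not from the original post. Assumes the 7.x 'sh flash'
directory format shown in the log ('<idx> -rw- <size> <time> <Mon> <dd> <yyyy> <name>'
and a '<total> bytes total (<free> bytes free)' summary line).
"""
import re

# Constructed sample: the 'sh flash' listing from the log, before the deletions.
SHOW_FLASH = """\
Directory of flash:/

4 -rw- 1830 16:23:18 Aug 04 2012 downgrade.cfg
7 -rw- 1978424 16:23:34 Aug 04 2012 image_old.bin

7870464 bytes total (5884928 bytes free)
"""

FILE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+\d+\s+\d{4}\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def parse_show_flash(text):
    """Return ({name: size}, total_bytes, free_bytes) from a 'sh flash' listing."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[m.group(3)] = int(m.group(2))
            continue
        m = TOTAL_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    if total is None:
        raise ValueError("no 'bytes total' summary line found")
    return files, total, free


def plan_upgrade(show_flash_text, image_name, image_size,
                 deletable=("image_old.bin", "downgrade.cfg")):
    """Decide whether image_size bytes fit and which deletable files free enough space.

    Only the files the loader itself saved (the 'deletable' tuple) are considered;
    anything else in flash is left alone. Largest candidate goes first so the
    smallest number of files is removed.
    """
    files, total, free = parse_show_flash(show_flash_text)
    plan = {"image": image_name, "fits": False, "delete": [], "free_after_copy": None}
    if image_size > total:
        return plan                      # cannot fit even on an empty flash
    for name in sorted(deletable, key=lambda n: files.get(n, 0), reverse=True):
        if free >= image_size:
            break
        if name in files:
            plan["delete"].append(name)
            free += files[name]
    if free >= image_size:
        plan["fits"] = True
        plan["free_after_copy"] = free - image_size
    return plan


if __name__ == "__main__":
    print(plan_upgrade(SHOW_FLASH, "pix712.bin", 6764544))
```

For the values in the log the plan is to delete image_old.bin only; the author removed downgrade.cfg as well, which is fine but means the "downgrade" path the loader warned about ("Use the downgrade command first to boot older version of software") is gone, so keep a copy of both files off-box before deleting them.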




http://www.tunnelsup.com/upgrade-a-cisco-pix-506e-to-run-7-1-pix-code

Wednesday, 19 February 2014

New-Style TACACS+ Configuration for IOS 15.0

While working with Cisco Catalyst IOS image 12.2(58)SE1, I noticed that configuration for TACACS+ had changed. My first clue that there was a problem was the following:
 
switch(config)#tacacs-server host 192.168.9.25
This cli will be deprecated soon. Use new server cli 
 
Ominous.

It seems that part of the reason for the change is so that you can now specify an IPv4 and IPv6 address for each TACACS+ server.
Listed below is the old school TACACS+ configuration I was using.


tacacs-server host 192.168.9.25 
tacacs-server key rycserdOb 
!
aaa group server tacacs+ TAC_PLUS 
    server 192.168.9.25

 
This now becomes:
tacacs server AUTH 
    address ipv4 192.168.9.25 
    key rycserdOb 

aaa group server tacacs+ TAC_PLUS 
    server name AUTH

The same form with two TACACS+ servers in the group:

tacacs server AUTH1
 address ipv4 192.168.9.25
 key rycserdOb
!
tacacs server AUTH2
 address ipv4 192.168.9.100
 key rycserdOb
!
aaa group server tacacs+ TAC_PLUS
 server name AUTH1
 server name AUTH2
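When a fleet of switches has to be migrated off the deprecated "tacacs-server host" form, it is worth generating the new-style blocks rather than retyping them. The converter below is an added example (not from the post or from Cisco) that parses old-style lines, including a global "tacacs-server key" and the optional per-host "key", and emits the "tacacs server NAME / address ipv4 / key" blocks plus the group with "server name" references, using the AUTH1, AUTH2 naming from the post. The OLD_STYLE input is constructed from the post's two servers.

```python
"""Convert old-style IOS TACACS+ configuration to the new 'tacacs server' form.

Added example, not from the original post. Assumes the old-style lines
'tacacs-server host <ip> [key <k>]', 'tacacs-server key <k>' and
'aaa group server tacacs+ <name>' with indented 'server <ip>' members.
"""
import re

# Constructed sample: the post's two servers in the deprecated syntax.
OLD_STYLE = """\
tacacs-server host 192.168.9.25
tacacs-server host 192.168.9.100
tacacs-server key rycserdOb
!
aaa group server tacacs+ TAC_PLUS
 server 192.168.9.25
 server 192.168.9.100
"""


def parse_old_style(config):
    """Return ([(ip, per_host_key_or_None)], global_key_or_None, {group: [ip, ...]})."""
    hosts, global_key, groups, current_group = [], None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"tacacs-server host (\S+)(?: key (\S+))?$", line)
        if m:
            hosts.append((m.group(1), m.group(2)))
            current_group = None
            continue
        m = re.match(r"tacacs-server key (\S+)$", line)
        if m:
            global_key = m.group(1)
            current_group = None
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current_group = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"server (\S+)$", line)
        if m and current_group is not None and raw.startswith(" "):
            current_group.append(m.group(1))   # indented member of the current group
            continue
        current_group = None                    # any other line ends the group block
    return hosts, global_key, groups


def convert(config, name_prefix="AUTH"):
    """Emit new-style 'tacacs server' blocks and groups that reference them by name."""
    hosts, global_key, groups = parse_old_style(config)
    names, out = {}, []
    for i, (ip, key) in enumerate(hosts, start=1):
        name = f"{name_prefix}{i}"
        names[ip] = name
        out += [f"tacacs server {name}", f" address ipv4 {ip}"]
        effective_key = key or global_key       # per-host key wins over the global one
        if effective_key:
            out.append(f" key {effective_key}")
        out.append("!")
    for group, members in groups.items():
        out.append(f"aaa group server tacacs+ {group}")
        for ip in members:
            if ip not in names:
                raise ValueError(f"group {group} references unknown server {ip}")
            out.append(f" server name {names[ip]}")
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(convert(OLD_STYLE))
```

The group is rewritten to reference servers by name because that is what the new syntax requires; a member IP that has no matching "tacacs-server host" line is reported as an error instead of being silently dropped, since that would leave the AAA group empty and the switch falling back to whatever the "aaa authentication" method list names next.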

Tuesday, 11 February 2014

Changing the calling number

To change the caller ID of a station's outbound calls (that is, calls over the PSTN), issue the following command

change public-unknown-numbering 1

Once you issue this command, click on tab 2 to make a new entry;
you should now see the picture below.


Ext Len = the number of digits used for this station internally
Ext Code = station or extension ID
Trunk Group = the ISDN trunk group on which you want this caller ID to be active
Cpn Prefix = the caller ID number you want to appear
Cpn Total = the total number of digits for this caller ID



Example:
Ext Len   Ext Code   Trk Grp(s)   CPN Prefix    Total CPN Len
5         14         10           4951112233    10
5         15         10           4951112233    12

When calling from a 14*** number over trunk 10, the caller ID (495)111-22-33 is sent.
When calling from a 15*** number over trunk 10, the caller ID (495)111-22-33-15 is sent.






http://avayareference.wordpress.com/tag/change-public-unknown-numbering/

Friday, 7 February 2014

Avaya caller ID

I use this trick when I need to send a different caller ID to the neighbouring PBX over the same trunk, depending on the digits dialled:

1) In the corresponding trunk-group set Format = private (or unk-pvt) on page 3.
Don't forget to set Send Name: y

2) I create, for example, two route-patterns that include this trunk:
     1 - for connecting to an internal number on the neighbouring PBX (sending the internal caller ID). In it I set Numbering format = lev0-pvt;
     2 - for transit through the neighbouring PBX to the outside (sending the required external caller ID, defined in ch pub). In it I set Numbering format = natl-pub or pub-unk.

Depending on the number dialled, I route it via ARS or AAR through the first or the second route-pattern respectively, thereby sending the required caller ID.



If the Trunk Group numbering format is set to 'private' and

a. call types are set to npvt or lpvt in ARS
or
b. call types are set to unku, lev0 or lev1 in AAR
or
c. unk-unk or lev0-pvt on the Route Pattern

Then the call WILL use the private numbering table and a '+' will not be inserted.
Note: use of numbering format on the route pattern overrides the table to use specified by call type in AAR/ARS.

If trunk group numbering format is set to public, ALL calls use public table regardless of call type or route pattern administration.

In the example given I would expect a call using Route Pattern 8 via trunk group 1 to use the private table and the + not inserted.

The trunk is set to 'private', but the call type in ARS is 'fnpa', which uses the public table; however, the route pattern set with 'unk-unk' forces the use of the private table.

I would expect the public table to be used if the format on route pattern 8 was blank. Did you try that?

Note: 'Private' for the SIP Trunk Group number format provides the most flexibility allowing the 'call type' to determine which table will be used to build the calling party info.

Hope this helps and let us know what you find.