Wednesday, February 11, 2009

Week 12

Today is the day of the presentation!! Feb 11, 2009, from 3pm to 5pm.

Our group presentation started at 3.30pm.

Feedback

Tuesday, February 3, 2009

SNMP configuration for Cisco PIX 515e

To allow SNMP on the PIX, you have to key in the above code.
You also have to add an ACL for SNMP so that the PIX permits the source host to reach the other destinations using SNMP.




How to use Cacti interface?

To get the Cacti interface working, you have to install PHP, Apache and Cacti on the Debian host. After setting everything up, enter the IP address of the Debian host running Apache in your browser.

This image shows the main page of the Cacti interface:

On this page, you can choose to create a device or a graph. In my case I will click on create device.


This page shows how to add a device:
On this page, the entries in the list are devices that have already been created. To create one, click Add on the right-hand side.



It will bring you to this page:


On this page, add the details of your device as I have done. Click Create when you are done.


This page shows the details of the created device:

At the top right-hand corner, click Create Graph for this Host.



This is the page where you can choose the ports that you want:
On this page, tick the ports you want, select In/Out Bits in the drop-down list and click Create.
This page is the Graph Tree, which shows you the parent items and graphs:
Click Add.
On this page, select root. Root means that you want a new heading rather than using an existing one. Give a name in the Title textbox.
After you have entered it, click Create.
To add a sub-heading, click Add beside the heading that you created.
Since you are creating a sub-heading, in the Parent Item field select which heading you want to use. In my case I use the Switch heading that I created previously.
Enter the title and click Create.


To add a graph, click Add beside the heading that you created.
Since you are creating a graph, in the Parent Item field select which heading you want to use. In my case I use the Fa0/1 to E2 heading that I created previously.
Enter the details and click Create.
To view a graph, just click Graph at the top left-hand corner.
In the tree view panel at the left, select which graph you would like to view.
The following diagrams show the graphs:



How to turn on SNMP server in Cisco router

In your Cisco router, type conf t and then key in the following:

Community is like giving SNMP a name, and RO means read-only.

Location lets the admin know where the device is located.

Configure Squid to cache websites

I have encountered a problem when using the Squid proxy. I received this error when I was trying to enter http://www.msn.com
To solve this problem, you have to go to your squid.conf file. In the conf file, you have to enter an acl to allow the network addresses that you wish to include. Comment out (#) http_access deny all and add http_access allow all.
In your Internet Options, click the Connections tab and click LAN settings. Uncheck Automatically detect settings, check Use a proxy server and, in the Address box, key in the address that your network points to, then click OK.
When you try to enter the website again, in squid/access.log you will see TCP_MISS. It means the information you are retrieving is not in the cache memory. When it shows TCP_MEM_HIT, it means the information is stored in the cache memory.
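As an added example (not code from this blog), here is a small Python parser for Squid's native access.log format that counts TCP_MISS against TCP_HIT/TCP_MEM_HIT per client and, because "http_access allow all" leaves the proxy answering any source, also lists clients outside the allowed network that were served rather than denied. The log lines and the 192.168.0.0/24 allowed network are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not the blog's
# own log): timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1233676800.101    412 192.168.0.10 TCP_MISS/200 18342 GET http://www.msn.com/ - DIRECT/207.68.172.246 text/html
1233676801.220      3 192.168.0.10 TCP_MEM_HIT/200 18342 GET http://www.msn.com/ - NONE/- text/html
1233676803.417      2 192.168.0.11 TCP_HIT/200 5120 GET http://www.msn.com/img/logo.gif - NONE/- image/gif
1233676804.900      0 10.9.9.9 TCP_DENIED/403 1450 GET http://www.msn.com/ - NONE/- text/html
1233676805.300    300 10.9.9.10 TCP_MISS/200 2048 GET http://www.msn.com/ - DIRECT/207.68.172.246 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$")

def parse_line(line):
    """Fields of one native-format access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Per-client result-code counts, overall counts and the cache hit ratio.
    TCP_MISS = fetched from the origin server; TCP_HIT / TCP_MEM_HIT = served from cache."""
    per_client, totals = {}, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the native format
        per_client.setdefault(rec["client"], Counter())[rec["code"]] += 1
        totals[rec["code"]] += 1
    hits = totals["TCP_HIT"] + totals["TCP_MEM_HIT"]
    served = hits + totals["TCP_MISS"]
    return per_client, totals, (hits / served if served else 0.0)

def foreign_clients(log_text, allowed=("192.168.0.0/24",)):
    """Clients outside the allowed networks that were served rather than denied:
    after 'http_access allow all' these show the proxy is open to anyone."""
    nets, found = [ipaddress.ip_network(n) for n in allowed], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] == "TCP_DENIED":
            continue
        if not any(ipaddress.ip_address(rec["client"]) in n for n in nets):
            found.add(rec["client"])
    return sorted(found)
```

Run it against a real access.log by reading the file into `summarize()`; a non-empty `foreign_clients()` result means the acl/http_access rules need tightening to the local network.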






Sunday, February 1, 2009

Installing Cacti

#apt-get install cacti

The Cacti installation was successful; however, the database installation was not.

The following error was shown

Friday, January 23, 2009

syslog configuration in PIX 515E version 7.2(2)

Was trying to configure syslog on the PIX.

The following command was typed:

*interface ethernet 1 is the connection to the Debian Syslog server
#logging host [interface name] "DMZ" udp | format emblem

We encountered the error which states:
"interface DMZ security level is 50"
Error: "Port 0 is not within the range of 1025 - 65535"

Due to the security level, which is set at 50, not all ports are open.
Ports 0 to 1024 are closed. Therefore the syslog host setup was not successful for the PIX.

Mr Wagio, if you happen to see this post, we need your advice on the configuration of the PIX for syslog. Thank you.

Ping DMZ from Inside

Yesterday, when I was trying my NTP in Debian, I realized that I could not ping the DMZ from Inside, so I went to do some research and found out that I have to add the following command highlighted in red! 192.168.0.0 means that for any IP addresses that try to talk to the destination, it will check whether they are in the same network by using the subnet mask 255.255.255.0 to check the IP addresses!

After which, I tried to ping from Inside to DMZ and it works! Then I tried to ping from DMZ to Inside, and it was denied by the PIX because of the security levels I set for both DMZ and Inside. Inside has a higher security level, thus DMZ is unable to ping!


Thursday, January 22, 2009

configuring syslog in switch

Was trying to configure the switch to transfer the logs to the syslog-ng server.



However, an error message was received: "cannot open port to 200.10.10.77"

We have checked the configuration of the PIX; the address 192.168.0.82 was successfully mapped onto 200.10.10.77 using static NAT.

We also tried to ping 200.10.10.77; however, the error shown was host unreachable.

Later on we discovered that the error "cannot open port to 200.10.10.77" was caused by the IP address and IP default gateway not being configured on the switch.



The following commands were used:



Switch(config)# int vlan40

Switch(config-if)# ip address 200.10.10.3 255.255.255.192

Switch(config-if)# ip default-gateway 200.10.10.1



The logging server was pointed to 200.10.10.77.

Console logging was also enabled.

The Debian server was also running; any change in state, such as ports being shut and brought up, would be recorded in the syslog.

After all this configuration, the syslog host is reachable by "ping 200.10.10.77" and the log recording was successful.

To show the log: vi /var/log/messages

A sample log showing that syslog-ng has managed to record the status of the switch:

Friday, January 16, 2009

Configure Static NAT in PIX

Firstly, we encountered a problem after we entered the static NAT address: we could not ping from the Remote site to the DMZ using the public IP address that we assigned. After much research and discussion with our supervisor, we managed to get it working after entering the following commands!

global (outside) 1 interface
- The firewall's global outside address, used for outgoing NAT communications.

nat (DMZ) 1 0.0.0.0 0.0.0.0
- The number 1 is the local NAT ID (between 0 and 2 billion).
- The 0 0 is the internal IP address and subnet mask to be translated; 0 stands for all.

access-list outside_in extended permit ip any host 200.10.10.77
- The access list tells the PIX that if an outside network device wants to ping the public address, the PIX knows the destination to route the ping to.

static (DMZ,outside) 200.10.10.77 192.168.0.82 netmask 255.255.255.255
- Published address space, pseudo-addresses of the servers, used to punch through the firewall. Note however that this does not grant global access to these addresses, but merely sets up the connection between the IP addresses.

OSPF - default-information originate

Yesterday, we encountered a problem that the RR router could not route to the BR gateway, which is the internet access. Then we tried a lot of things and eventually came up with the solution from Mr Wagio that we must key in the following command in order for it to work!

The OSPF router does not, by default, generate a default route into the OSPF domain. In order for OSPF to generate a default route, you must use the default-information originate command to enable default route origination on this router. A default route will only be generated if a default route has been manually configured.

After entering the command, when you do a show ip route on RR, it will show the following result:

It actually routes the information from BR 200.10.10.65 to let BR know that the RR network wants to go out and use the internet access. In order to do so, they have to route through BR.

Problem with BR and RR routers

Yesterday morning, I tried to ping from RR to BR but it did not work. So I tried to troubleshoot, and when I did a show ip route, the network address for the connection between the RR and BR serial interfaces was not shown.

By right, for both BR and RR there must be a 200.10.10.64 network in show ip route. However, this was AUTOMATICALLY solved when I came back from lunch.


Thursday, January 15, 2009

Cisco PIX, syslog configuration

Commands


logging on
logging standby
logging timestamp
logging trap notifications
logging facility 19
logging host inside 192.168.0.82
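As an added example (not part of the blog), the following Python decodes datagrams of the kind the syslog-ng server receives from the PIX configured above and from the switch in the Jan 22 post: the PRI header gives facility and severity (logging facility 19 is local3, trap level notifications is severity 5), and the Cisco %FAC-SEV-MNEMONIC prefix identifies the event, so the port shut/up events can be pulled out. The datagrams are constructed, and the switch is assumed to use the IOS default facility local7.

```python
import re

# Constructed sample datagrams as syslog-ng would receive them on UDP/514 (not the
# blog's own /var/log/messages). The PIX above uses "logging facility 19" (local3)
# and "logging trap notifications" (severity 5), so its PRI is 19*8+5 = 157; the
# switch is assumed to use the IOS default facility local7 (23): PRI 187 / 189.
SAMPLE_DATAGRAMS = [
    "<157>Jan 22 2009 15:04:11: %PIX-5-111008: User 'enable_15' executed the "
    "'logging host inside 192.168.0.82' command.",
    "<187>*Mar  1 00:12:07.523: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<189>*Mar  1 00:12:08.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "<187>*Mar  1 00:15:02.001: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
]

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.S)
CISCO_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

def decode(datagram):
    """Split a BSD-syslog datagram into facility, severity, Cisco mnemonic and text.
    PRI = facility * 8 + severity, so divmod() recovers both numbers."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility > 23:
        return None  # PRI above 191 is not a valid syslog priority
    rec = {"facility": FACILITY_NAMES.get(facility, "facility%d" % facility),
           "severity": SEVERITY_NAMES[severity], "mnemonic": None, "text": m.group("body")}
    c = CISCO_RE.search(m.group("body"))
    if c:  # Cisco IOS / PIX messages carry %FACILITY-SEVERITY-MNEMONIC: text
        rec["mnemonic"] = "%s-%s-%s" % (c.group("fac"), c.group("sev"), c.group("mnem"))
        rec["text"] = c.group("text")
    return rec

def interface_events(datagrams):
    """(interface, state) for every %LINK-3-UPDOWN message, i.e. the port shut/up
    changes the switch post expects syslog-ng to record."""
    events = []
    for d in datagrams:
        rec = decode(d)
        if rec and rec["mnemonic"] == "LINK-3-UPDOWN":
            m = re.search(r"Interface (\S+), changed state to (\w+)", rec["text"])
            if m:
                events.append((m.group(1), m.group(2)))
    return events
```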


Cisco Local Director


Tuesday, January 13, 2009

Re: Configuring Syslog-ng

Great that you have configured the syslog client in the router side.

For syslog-ng server, you need to follow this instruction to get the syslog-ng server ready to receive the logs from the routers/switches.

The configuration file for syslog-ng is /etc/syslog-ng.conf

Uncomment the following line:
source net { udp(); };

Uncomment the following line:
log { source(src); source(net); filter(f_messages); destination(messages); };

To start syslog-ng issue the command /etc/init.d/sysklogd restart:
# /etc/init.d/sysklogd restart

Refer to this URL for the detail.
Simplest way to configure it is here

Configuring Syslog

We have tried to configure syslog on the switch to test out syslog-ng; however, we encountered the following error when we keyed in the command

Configuring the router to send buffered logging of its events to memory.
(However, rebooting the router will lose all events stored in the buffered log.)
The command is as follows:
Router(config)# logging buffered 16384

We pointed the logging address to the Debian static IP; however, it does not seem to work.


Thursday, January 8, 2009

debian updates error

Problems encountered today

Error in getting updates!!

We keyed in the following command to get the updates:

#apt-get update

As we were not able to get updates from the Debian server, we had to troubleshoot it.

The following commands were used to check the network status and configuration in order to determine the errors:

#ifconfig eth1 [ this lets us see the status of the network interface ]
contains information such as the IP address, bcast and mask

#traceroute www.yahoo.com [ lets us check the path and reachability to the host; traceroute takes a hostname, not a URL ]

#cat /etc/resolv.conf [ shows us the name server ]

#route -n [ shows the destination, gateway and Genmask ]

#vi /etc/network/interfaces [ to configure the Debian IP, gateway and netmask ]
or else use the line iface eth1 inet dhcp in that file

Once #ifconfig eth1 shows the inet addr as 172.20.178.13, it is able to ping the outside.

After which, all updates and downloaded patches could be installed and the problem of getting the connection to the update server was solved.

Week 7 Presentation Feedback

Things to improve on and to achieve

Gantt Chart
- We need to have a column for the actual finished date and the planned date

Objectives
- Show the objectives and know what to emphasise

- Such as bandwidth, security, log error security, traffic flow, syslog-ng being able to log errors, and the Debian requirements being met and able to run

- Show more work being done, less theory and more on configuration

- Problems that we encountered during our set-up

- Future enhancements

- Explain in layman's terms, in order to bring it across to the audience

- IT risk management,
such as power failure, contingency plans, backup type (using tape backup)

Friday, January 2, 2009

NAT configuration in BR and PIX



PIX NAT
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ac1_icmp in interface DMZ
access-group ac1_icmp in interface outside
access-group ac1_icmp in interface inside
route outside 0.0.0.0 0.0.0.0 200.10.10.69 1


BR [NAT]