Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.
* BGP : Runs on TCP/179 between the neighbors
access-list 101 permit tcp any host 192.168.0.1 eq 179
* EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.10
access-list 101 permit eigrp any host 224.0.0.10
* OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.5; also talks to 224.0.0.6 for DR/BDR routers
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6
* HSRP : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.2. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?
access-list 101 permit udp any host 224.0.0.2 eq 1985
* HSRP version 2 : Runs on UDP/1985 from the source interface IP to the multicast address of 224.0.0.102.
access-list 101 permit udp any host 224.0.0.102 eq 1985
* RIP : Runs on UDP/520 from the source interface IP to the multicast address of 224.0.0.9
access-list 101 permit udp any host 224.0.0.9 eq 520
* VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.18
access-list 101 permit 112 any host 224.0.0.18
* VRRP-E : This is a Foundry thing according to readers, and runs on UDP/8888 from the source interface IP to the multicast address of 224.0.0.2
access-list 101 permit udp any host 224.0.0.2 eq 8888
* GLBP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.102
access-list 101 permit udp any host 224.0.0.102
* DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).
access-list 101 permit udp any host 255.255.255.255 eq 67
If anyone else has one to add, do so in the comments.
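An added audit script (mine, not from the post) that parses extended ACEs of the form above and checks them against the protocol, destination and port table the list describes, reporting duplicates, malformed lines and protocols no line covers. The sample ACL is constructed and deliberately keeps two mistakes in for the checker to catch; 192.168.0.1 is the post's example interface address.

```python
"""Audit the control-plane permits of a Cisco extended ACL against the
protocol table described in the post: right IP protocol, destination and
port per entry, nothing duplicated, nothing malformed, nothing missing."""
import re
from collections import Counter

# (IP protocol keyword or number, destination host, L4 port or None) for each
# protocol the list describes; 192.168.0.1 is the post's interface address.
EXPECTED = {
    "BGP": ("tcp", "192.168.0.1", 179),
    "EIGRP": ("eigrp", "224.0.0.10", None),
    "OSPF (AllSPFRouters)": ("ospf", "224.0.0.5", None),
    "OSPF DR/BDR (AllDRouters)": ("ospf", "224.0.0.6", None),
    "HSRP": ("udp", "224.0.0.2", 1985),
    "HSRPv2": ("udp", "224.0.0.102", 1985),
    "RIP": ("udp", "224.0.0.9", 520),
    "VRRP": ("112", "224.0.0.18", None),
    "VRRP-E": ("udp", "224.0.0.2", 8888),
    "GLBP": ("udp", "224.0.0.102", None),
    "DHCP/bootps": ("udp", "255.255.255.255", 67),
}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_ace(line):
    """Return (acl, action, proto, dst, port) for a single-host extended ACE,
    or None when the line is not in that shape."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    dst = m.group("dst").split()[-1]            # 'host 1.2.3.4' -> '1.2.3.4'
    port = int(m.group("port")) if m.group("port") else None
    return (m.group("acl"), m.group("action"), m.group("proto").lower(), dst, port)


def audit(lines):
    """Classify each ACE as ok/duplicate/invalid/unexpected/unparsed and list
    the expected entries that no line covers. Returns a dict of lists."""
    report = {"ok": [], "duplicate": [], "invalid": [], "unexpected": [],
              "unparsed": [], "missing": []}
    seen = Counter()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        ace = parse_ace(line)
        if ace is None:
            report["unparsed"].append(line)
            continue
        _acl, action, proto, dst, port = ace
        # 'eq <port>' only exists for TCP/UDP; a bare IP protocol number such
        # as 112 (VRRP) carries no L4 port, and IOS rejects such a line.
        if port is not None and proto not in ("tcp", "udp"):
            report["invalid"].append(line)
            continue
        labels = [n for n, exp in EXPECTED.items() if exp == (proto, dst, port)]
        if action != "permit" or not labels:
            report["unexpected"].append(line)
            continue
        label = labels[0]
        seen[label] += 1
        (report["ok"] if seen[label] == 1 else report["duplicate"]).append(label)
    report["missing"] = [n for n in EXPECTED if n not in seen]
    return report


# Constructed sample: the list from the post with two mistakes kept in on
# purpose (HSRPv2 sent to the HSRPv1 group address, VRRP-E written as IP
# protocol 112 with a port) so the audit has something to flag.
SAMPLE_ACL = """
access-list 101 permit tcp any host 192.168.0.1 eq 179
access-list 101 permit eigrp any host 224.0.0.10
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6
access-list 101 permit udp any host 224.0.0.2 eq 1985
access-list 101 permit udp any host 224.0.0.2 eq 1985
access-list 101 permit udp any host 224.0.0.9 eq 520
access-list 101 permit 112 any host 224.0.0.18
access-list 101 permit 112 any host 224.0.0.2 eq 8888
access-list 101 permit udp any host 224.0.0.102
access-list 101 permit udp any host 255.255.255.255 eq 67
""".splitlines()

if __name__ == "__main__":
    for status, items in audit(SAMPLE_ACL).items():
        for item in items:
            print(f"{status:10s} {item}")
```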
"Science is giving birth to more and more wonders. The tales of our ancestors blush with shame. One no longer needs to meditate for years to be able to speak with someone across the ocean. The Germans have laid an undersea cable from England to India! And such cables multiply, dangling over the whole surface of the earth. The whole world can now watch the conduct of one person. And one person can watch the conduct of the whole world." (Pramoedya Ananta Toer: Bumi Manusia, p. 316, 1980).
Monday, 22 February 2010
Emulating Cisco ASA
Here is the link; thanks for the contribution from the author. I have tried it myself and it works. Good work to all the hands and minds that made it. Cool.
http://superlubis.blogspot.com/
Cisco ASA is a Cisco product usually used for security tasks such as firewalling and VPN. In this post I will try to lay out how to emulate the Cisco ASA in a way that is easy to understand. Many thanks to thumpercisco and friends on the hacki forum. Broadly, emulating the Cisco ASA can be split into these steps:
1. Download the required software.
2. Create the Microsoft Loopback interfaces and set their IPs.
3. Read the NIO_gen value of each loopback interface; it is used to edit ASA-nolina_WIN.bat and ASA-nolina.bat.
4. Edit ASA-nolina_WIN.bat and ASA-nolina.bat, adjusting the NIO_gen values to the ones on your own computer, since they are practically always different.
5. Run ASA-nolina_WIN.bat and type a few commands; at this point we can already get into the ASA console. To be able to use ASDM there are a few more steps.
6. Set the IPs of the ASA Ethernet interfaces.
7. Transfer the ASDM file from a TFTP server to the Cisco ASA.
8. Configure the ASA so it can be accessed over the web.
9. Run Fiddler and edit its configuration.
10. Open a browser and type the Cisco ASA's address; God willing, it runs. OK, let's go straight to the details; hopefully it won't be too long and will be easy to follow.
1. Download the required software
* Fiddler 2 -> http://www.fiddler2.com/Fiddler2/version.asp
* GNS 3 -> http://www.gns3.net/download
* QEMU package (qemupcap plus the ASA-nolina scripts) -> http://www.4shared.com/file/40629410/1a33eae5/qemu.html
* OpenTFTP Server -> http://sourceforge.net/projects/tftp-server/
* asdm-602.BIN can be obtained from cisco.com with a CCO account.
2. Create the Microsoft loopback adapters
The loopbacks are used to bind the ASA's interfaces to our computer. The Cisco ASA has 6 interfaces, Ethernet 0/0 - 0/5; if we want to use all of them we have to create 6 loopbacks. In this post I only create 3 loopbacks, for the 3 interfaces Ethernet 0/0 - 0/2. The procedure is quite easy:
* Start -> Control Panel -> Add Hardware
Choose the option "Yes, I have already connected the hardware" -> Next
Scroll to the bottom and choose "Add a new hardware device" -> Next
Choose the option "Install the hardware that I manually select from a list (Advanced)" -> Next
Choose "Network adapters" from the list -> Next
Choose Manufacturer "Microsoft" and Network Adapter "Microsoft Loopback Adapter"
Next
And that's all it takes to create a loopback; in Start -> Control Panel -> Network Connections you will see a new adapter. In my case I renamed it to something easier to understand, like lo0. I repeated these steps 2 more times because I need 3 loopback interfaces. At the same time I assigned an IP to each loopback: lo0 192.168.1.1/24, lo1 192.168.2.1/24 and lo2 192.168.3.1/24.
3. Install GNS3. The installation is quite easy: select all the packages to install, then just click Next, Next and Next.
4. Run Programs -> GNS3 -> Network Device List. Note down or copy to Notepad the NIO_gen_eth value of each loopback we created.
Here we can see the values:
Lo0 : NPF_{F06C85DD-3EDE-4D0C-A4A6-8418076FF33B}
Lo1 : NPF_{EF80438C-8795-4FBD-85C5-2DB6859A0F6C}
Lo2 : NPF_{078C9710-883C-4D5B-8B5D-E4233973E129}
4. Setting up QEMU
Download the file http://www.4shared.com/file/40629410/1a33eae5/qemu.html and extract it wherever you like, as long as you remember where. For example, I extracted it to C:\qemu. Browse into it and find the files ASA-nolina_WIN.bat and ASA-nolina.bat; these two files are the key. We edit both files.
4.1 Edit the file ASA-nolina.bat
Original
What needs editing is the NPF_{...} GUID in each -net pcap option (shown in bold in the original post): adjust each one to the NIO_gen_eth value we noted above.
@echo off
cls
title ASA Simulator
setlocal
set command_name= qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-all.gz -m 256 --no-kqemu
set parameter= -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32"
set nic1=-net nic,vlan=0,model=i82557b,macaddr=00:aa:00:00:02:01 -net pcap,vlan=0,ifname=\Device\NPF_{F06C85EE-3EDE-444C-A4A6-8418076FF33B}
set nic2=-net nic,vlan=1,model=i82557b,macaddr=00:aa:00:00:02:02 -net pcap,vlan=1,ifname=\Device\NPF_{EF8043BA-8795-4F3D-85C5-2DB6859A0F6C}
set nic3=-net nic,vlan=2,model=i82557b,macaddr=00:aa:00:00:03:03 -net pcap,vlan=1,ifname=\Device\NPF_{EF8043BA-8795-4F3D-11C5-2DB6859A0F6C}
set options=-serial telnet::26001,server
%command_name% %parameter% %nic1% %nic2% %nic3% %nic4% %nic5% %nic6% %options%
Explanation:
set nic1=-net nic,vlan=0 -> this is lo0, i.e. Ethernet 0/0: it binds our lo0 to e0/0
set nic2=-net nic,vlan=1 -> this is lo1, i.e. Ethernet 0/1: it binds our lo1 to e0/1
set nic3=-net nic,vlan=2 -> this is lo2, i.e. Ethernet 0/2: it binds our lo2 to e0/2
After editing. Note that the -net pcap half of nic3 must also say vlan=2, matching its -net nic half: QEMU only connects a nic and a backend that share the same vlan number, so with the shipped vlan=1 lo2's traffic would land on Ethernet 0/1 and Ethernet 0/2 would be wired to nothing.
@echo off
cls
title ASA Simulator
setlocal
set command_name= qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-all.gz -m 256 --no-kqemu
set parameter= -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32"
set nic1=-net nic,vlan=0,model=i82557b,macaddr=00:aa:00:00:02:01 -net pcap,vlan=0,ifname=\Device\NPF_{F06C85DD-3EDE-4D0C-A4A6-8418076FF33B}
set nic2=-net nic,vlan=1,model=i82557b,macaddr=00:aa:00:00:02:02 -net pcap,vlan=1,ifname=\Device\NPF_{EF80438C-8795-4FBD-85C5-2DB6859A0F6C}
set nic3=-net nic,vlan=2,model=i82557b,macaddr=00:aa:00:00:03:03 -net pcap,vlan=2,ifname=\Device\NPF_{078C9710-883C-4D5B-8B5D-E4233973E129}
set options=-serial telnet::26001,server
%command_name% %parameter% %nic1% %nic2% %nic3% %nic4% %nic5% %nic6% %options%
4.2 Edit the file ASA-nolina_WIN.bat
This file's contents are not much different, and what needs editing is the same: the NPF values (bold in the original post), adjusted to the values obtained on your computer.
Original
@echo off
ECHO Telnet to 127.0.0.1 on port 1234 to access ASA Console
ECHO -------------------------------------------------------
ECHO * * * * * * *DO NOT CLOSE THIS WINDOWS* * * * * * * *
qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-nolina.gz -m 256 --no-kqemu -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32" ^
 -net nic,vlan=0,model=pcnet,macaddr=00:aa:00:00:01:01 ^
 -net pcap,vlan=0,ifname=\Device\NPF_{F06C85DD-3EDE-4D0C-A4A6-8418076FF312} ^
 -net nic,vlan=1,model=pcnet,macaddr=00:aa:00:00:01:02 ^
 -net pcap,vlan=1,ifname=\Device\NPF_{EF80438C-8795-4FBD-85C5-2DB6859A0F61} ^
 -net nic,vlan=2,model=pcnet,macaddr=00:aa:00:00:01:02 ^
 -net pcap,vlan=2,ifname=\Device\NPF_{078C9710-883C-4D5B-CC5D-E4233973E122} ^
 -serial telnet::1234,server,nowait
After editing
@echo off
ECHO Telnet to 127.0.0.1 on port 1234 to access ASA Console
ECHO -------------------------------------------------------
ECHO * * * * * * *DO NOT CLOSE THIS WINDOWS* * * * * * * *
qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-nolina.gz -m 256 --no-kqemu -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32" ^
 -net nic,vlan=0,model=pcnet,macaddr=00:aa:00:00:01:01 ^
 -net pcap,vlan=0,ifname=\Device\NPF_{F06C85DD-3EDE-4D0C-A4A6-8418076FF33B} ^
 -net nic,vlan=1,model=pcnet,macaddr=00:aa:00:00:01:02 ^
 -net pcap,vlan=1,ifname=\Device\NPF_{EF80438C-8795-4FBD-85C5-2DB6859A0F6C} ^
 -net nic,vlan=2,model=pcnet,macaddr=00:aa:00:00:01:02 ^
 -net pcap,vlan=2,ifname=\Device\NPF_{078C9710-883C-4D5B-8B5D-E4233973E129} ^
 -serial telnet::1234,server,nowait
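An added helper script (mine, not part of the original post or of the qemu package) that does step 4 mechanically: it substitutes one loopback GUID per QEMU vlan number into the -net pcap bindings of either .bat file and reports any -net nic whose vlan has no pcap backend, which is exactly the nic3 mistake in the shipped ASA-nolina.bat. The sample script text is constructed from the shipped nic1-nic3 lines, and the GUIDs in LOOPBACKS are the ones noted in step 3 above.

```python
"""Substitute loopback adapter GUIDs into the '-net pcap,vlan=N,ifname=...'
bindings of the ASA-nolina*.bat launch scripts (vlan 0 = lo0 = Ethernet0/0,
vlan 1 = lo1 = Ethernet0/1, ...) and warn about nics no backend is attached to."""
import re
import sys

GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
PCAP_RE = re.compile(r"(-net\s+pcap,vlan=)(\d+)(,ifname=\\Device\\NPF_\{)([0-9A-Fa-f-]+)(\})")
NIC_RE = re.compile(r"-net\s+nic,vlan=(\d+)")


def rebind(script, loopbacks):
    """Return the script with every pcap binding's GUID replaced by the GUID
    recorded for its vlan. loopbacks maps vlan number -> GUID as shown in
    GNS3's Network Device List. Bad GUIDs and unknown vlans raise."""
    for vlan, guid in loopbacks.items():
        if not GUID_RE.match(guid):
            raise ValueError(f"vlan {vlan}: {guid!r} is not a GUID")

    def swap(m):
        vlan = int(m.group(2))
        if vlan not in loopbacks:
            raise KeyError(f"no loopback adapter recorded for vlan {vlan}")
        return f"{m.group(1)}{vlan}{m.group(3)}{loopbacks[vlan].upper()}{m.group(5)}"

    return PCAP_RE.sub(swap, script)


def bindings(script):
    """vlan -> GUID currently bound by a pcap backend (for before/after checks)."""
    return {int(m.group(2)): m.group(4).upper() for m in PCAP_RE.finditer(script)}


def unbound_nics(script):
    """vlan numbers that have a '-net nic' but no '-net pcap' on the same vlan;
    such an ASA interface exists but is connected to nothing on the host."""
    nics = {int(v) for v in NIC_RE.findall(script)}
    return sorted(nics - set(bindings(script)))


# Constructed sample: the nic lines as shipped in ASA-nolina.bat, including
# its nic3 whose pcap backend sits on vlan 1 instead of vlan 2.
SHIPPED = r"""set nic1=-net nic,vlan=0,model=i82557b,macaddr=00:aa:00:00:02:01 -net pcap,vlan=0,ifname=\Device\NPF_{F06C85EE-3EDE-444C-A4A6-8418076FF33B}
set nic2=-net nic,vlan=1,model=i82557b,macaddr=00:aa:00:00:02:02 -net pcap,vlan=1,ifname=\Device\NPF_{EF8043BA-8795-4F3D-85C5-2DB6859A0F6C}
set nic3=-net nic,vlan=2,model=i82557b,macaddr=00:aa:00:00:03:03 -net pcap,vlan=1,ifname=\Device\NPF_{EF8043BA-8795-4F3D-11C5-2DB6859A0F6C}
"""

# GUIDs as recorded from GNS3 in step 3 of the post.
LOOPBACKS = {
    0: "F06C85DD-3EDE-4D0C-A4A6-8418076FF33B",   # lo0 -> Ethernet0/0
    1: "EF80438C-8795-4FBD-85C5-2DB6859A0F6C",   # lo1 -> Ethernet0/1
    2: "078C9710-883C-4D5B-8B5D-E4233973E129",   # lo2 -> Ethernet0/2
}

if __name__ == "__main__":
    # Usage: python rebind.py C:\qemu\ASA-nolina_WIN.bat  (no argument: demo on SHIPPED)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, encoding="ascii", errors="replace", newline="") as f:
            text = f.read()
    else:
        text = SHIPPED
    fixed = rebind(text, LOOPBACKS)
    if path:
        with open(path + ".bak", "w", newline="") as f:   # keep a backup first
            f.write(text)
        with open(path, "w", newline="") as f:
            f.write(fixed)
    print(fixed)
    for vlan in unbound_nics(fixed):
        print(f"warning: vlan {vlan} has a nic but no pcap backend", file=sys.stderr)
```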
5. Run ASA-nolina_WIN.bat
At this stage we just run ASA-nolina_WIN.bat, and a console window appears (the original post shows a screenshot of it).
Then open a command prompt and telnet to 127.0.0.1 port 1234.
C:\>telnet 127.0.0.1 1234
Then run the commands below and, God willing, the ASA prompt will finally appear:
# modprobe e100
# ifconfig eth0 up
# ifconfig eth1 up
# ifconfig eth2 up
# cd /mnt/disk0
# ./lina_monitor
6. Configure the Cisco ASA interfaces
Time to do a little configuration, and at the same time test whether we can ping lo0, lo1 and lo2. Eth0/0 is bound to lo0, Eth0/1 to lo1 and Eth0/2 to lo2. Here is the config:
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
no shutdown
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.2.252 255.255.255.0
no shutdown
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.3.252 255.255.255.0
no shutdown
Let's try pinging the ASA addresses above from the command prompt.
C:\Documents and Settings\DELL>ping 192.168.1.252
Pinging 192.168.1.252 with 32 bytes of data:
Reply from 192.168.1.252: bytes=32 time=2ms TTL=255
Ping statistics for 192.168.1.252:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\Documents and Settings\DELL>ping 192.168.2.252
Pinging 192.168.2.252 with 32 bytes of data:
Reply from 192.168.2.252: bytes=32 time=3ms TTL=255
Ping statistics for 192.168.2.252:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 3ms, Average = 3ms
C:\Documents and Settings\DELL>ping 192.168.3.252
Pinging 192.168.3.252 with 32 bytes of data:
Reply from 192.168.3.252: bytes=32 time=11ms TTL=255
Ping statistics for 192.168.3.252:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms
And success. Now let's try from the Cisco ASA to our computer.
ciscoasa# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ciscoasa# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ciscoasa# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ciscoasa#
7. Transfer asdm-602.BIN to the Cisco ASA
There are several ways to transfer the ASDM image to the Cisco ASA; in this post I use a TFTP server. Download the TFTP server program from the link given above, install it, then put the ASDM image in the directory where you installed the TFTP server. Then copy the file with the command:
ciscoasa# copy tftp://192.168.1.1/asdm-602.BIN disk0:/asdm-602.BIN
8. Configure the ASA so it can be accessed over the web
ciscoasa# config terminal
ciscoasa(config)# hostname ASA1
ASA1(config)# http server enable
ASA1(config)# http 192.168.1.0 255.255.255.0 inside <---- this is the network allowed to access the web interface
ASA1(config)# username superlubis password superlubis privilege 15
9. Configure Fiddler2
- Download and install Fiddler2; installation is very easy, just Next, Next, Next and Next...
- Run Fiddler2 -> Tools -> Fiddler Options -> HTTPS tab -> tick the "Decrypt HTTPS traffic" checkbox -> OK
- Set the Java client to use localhost:8888 as the proxy for all protocols: Control Panel -> Java -> Network Settings -> Use proxy server localhost:8888 -> Advanced -> Use same proxy for all protocols
- Then edit the rules: Rules -> Customize Rules
* Find the function static function OnBeforeResponse(oSession: Session) and add the if blocks below (they fill in the empty Hardware: field of the emulated ASA's show version output):
if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
    oSession.utilDecodeResponse();
    oSession.utilReplaceInResponse('Hardware: ,', 'Hardware: ASA5520,');
}
if (oSession.url.EndsWith("/admin/exec/show+version")) {
    oSession.utilDecodeResponse();
    oSession.utilReplaceInResponse('Hardware: ,', 'Hardware: ASA5510,');
}
* Find the function static function OnBeforeRequest(oSession: Session) and add:
if ((oSession.url.EndsWith("/admin/asdm_handler")) || (oSession.url.EndsWith("/admin/pdm.sgz"))) {
    oSession.bBufferResponse = false;
}
10. Run ASDM
Run Fiddler2 first, then open a browser and go to https://192.168.1.252; ignore and accept the certificate warning, and a page like the one in the original post's screenshot appears. Then choose "Run ASDM" and enter the username and password we created. God willing, it runs as it did for me...
Syslog Server (Generator)
If you have many routers and switches and want to consolidate the logs of all your routers, switches and servers, you can build your own syslog server.
On Linux there is ns-syslogser; on Windows there is Kiwi Syslog Server, or you can use Syslog Watcher, available here:
http://rs778tl3.rapidshare.com/files/125901912/8121668/Syslog.Watcher.Pro.v2.5.0.370.Cracked-iNViSiBLE.rar
For Cisco devices you can use these commands to sync:
service timestamps log datetime localtime
no logging console
no logging monitor
logging 192.168.1.100
This is for the ASA / PIX:
logging on
logging standby
logging timestamp
logging trap notifications
logging facility 19
logging host inside 192.168.1.100
OK!!
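An added collector-side check (my example, not part of the post) for what the syslog server at 192.168.1.100 receives after the configurations above: it decodes the syslog PRI into facility and severity and flags datagrams that disagree with the configured policy, namely facility 19 and trap level notifications (5) for the ASA/PIX, and the IOS default facility 23 (local7) for the routers. The sample datagrams are constructed.

```python
"""Decode syslog datagrams as the collector at 192.168.1.100 sees them and
check each against the policy the configs above set: ASA/PIX sends facility
19 (local3) at severity <= 5 (notifications); IOS keeps its default facility
23 (local7). PRI = facility * 8 + severity, so <157> is 19/5 and <189> is 23/5."""
import re
import socket

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# %ASA-5-111008 / %SYS-5-CONFIG_I: platform or subsystem, severity digit, mnemonic
CISCO_RE = re.compile(r"%(?P<plat>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)", re.S)

ASA_FACILITY = 19          # 'logging facility 19' above
IOS_DEFAULT_FACILITY = 23  # local7, what IOS uses when no facility is configured
TRAP_LEVEL = 5             # 'logging trap notifications'


def parse_syslog(datagram):
    """Split '<PRI>header %PLAT-SEV-MNEMONIC: text' into a dict, or None."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri, body = int(m.group(1)), m.group(2)
    c = CISCO_RE.search(body)
    if not c:
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "header": body[:c.start()].strip(" :"),   # timestamp and/or sequence number
        "platform": c.group("plat"),
        "msg_severity": int(c.group("sev")),
        "mnemonic": c.group("mnem"),
        "text": c.group("text").strip(),
    }


def check(datagram):
    """Return (status, record, problems) with status 'ok', 'flag' or 'reject'.
    A flagged datagram means some device is not logging the way the post
    configures it (wrong facility, or messages below the trap level)."""
    rec = parse_syslog(datagram)
    if rec is None:
        return ("reject", None, ["not a Cisco-style syslog message"])
    problems = []
    expected = ASA_FACILITY if rec["platform"] in ("ASA", "PIX") else IOS_DEFAULT_FACILITY
    if rec["facility"] != expected:
        problems.append(f"facility {rec['facility']}, expected {expected}")
    if rec["severity"] > TRAP_LEVEL:
        problems.append(f"severity {rec['severity']} above trap level {TRAP_LEVEL}")
    if rec["severity"] != rec["msg_severity"]:
        problems.append("PRI severity disagrees with the %-mnemonic severity")
    return ("ok" if not problems else "flag", rec, problems)


def serve(bind_addr="192.168.1.100", port=514):
    """Minimal UDP listener for the collector: one report line per datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, (src, _) = s.recvfrom(4096)
            status, rec, problems = check(data.decode("utf-8", "replace"))
            tag = f"%{rec['platform']}-{rec['msg_severity']}-{rec['mnemonic']}" if rec else "?"
            print(f"{src:15s} {status:6s} {tag} {'; '.join(problems)}")


# Constructed sample datagrams in the formats IOS and ASA emit.
SAMPLES = [
    "<157>Feb 22 2010 10:15:02: %ASA-5-111008: User 'enable_15' executed the 'logging on' command.",
    "<158>Feb 22 2010 10:15:03: %ASA-6-302013: Built inbound TCP connection 12 for inside:192.168.1.1/3389 (192.168.1.1/3389) to identity:192.168.1.252/443 (192.168.1.252/443)",
    "<189>45: *Feb 22 10:15:04: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.5)",
    "<165>Feb 22 2010 10:15:05: %ASA-5-111008: User 'enable_15' executed the 'logging host inside 192.168.1.100' command.",
    "not syslog at all",
]

if __name__ == "__main__":
    for d in SAMPLES:
        status, rec, problems = check(d)
        print(status, rec["mnemonic"] if rec else "-", "; ".join(problems))
```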
Wednesday, 17 February 2010
Cisco PIX vs. Checkpoint Firewall
Introduction
Firewall technology ranges from packet filtering to application-layer proxies to stateful inspection, each technique gleaning the benefits of its predecessor.
Stateful inspection works at the network layer and does not require a separate proxy for each application. This technology does not suffer the same degradation in performance as application-level technology (proxies), which involves the extra overhead of transporting data up to the application layer. And unlike packet filters, it has the ability to maintain session state and therefore increases the security level of a network transaction.
Checkpoint Firewall-1
Checkpoint FW-1 has been the firewall market leader since shortly after its introduction in 1994/95. Its well-designed GUI interface was, and still is, the best visual interface to any firewall product. This intuitive interface makes FW-1 easy to work with even for those new to firewalls.
FireWall-1 is based upon Stateful Inspection technology, the de facto standard for firewalls. Invented by Check Point, Stateful Inspection provides the highest level of security. FireWall-1's scalable, modular architecture enables an organization to define and implement a single, centrally managed Security Policy. The enterprise Security Policy is defined on a central management server through a GUI and downloaded to multiple enforcement points (Inspection Modules) throughout the network.
The FireWall-1 Inspection Module is located in the operating system (NT or UNIX) kernel at the lowest software level. The Inspection Module analyzes all packets before they reach the gateway operating system. Packets are not processed by any of the higher protocol layers unless FireWall-1 verifies that they comply with the Inspection Module security policy (it examines communications from any IP protocol or application, including stateless protocols such as UDP and RPC).
PIX Firewall
Originally designed to be a network address translator, the Private Internet Exchange (PIX) Firewall series was introduced by Cisco in 1994. The PIX Firewall is a high-performance firewall that uses stateful packet filtering. The PIX Firewall is essentially a firewall appliance: it has its own integrated hardware/software solution (Intel hardware / proprietary OS). The PIX Firewall is not Unix or NT-based, but is based on a secure, real-time embedded system, known as the Adaptive Security Algorithm (ASA), which offers stateful inspection technology. ASA tracks the source and destination address, TCP sequence numbers, port numbers, and additional TCP flags. All inbound and outbound traffic is controlled by applying the security policy to connection table entries, which house the information. Access is permitted through the PIX Firewall only if a connection has been validated or if it has been explicitly configured.
Comparison
PIX and Check Point FW-1 use similar technologies, in that both use smart packet filtering (Stateful technology).
There are several key differences. One is that FW1 uses a general-purpose operating system while Cisco's PIX uses an embedded operating system. Another is that the PIX is essentially a "diode": you define a security level for each interface, and anything from a higher level (internal = 100) to a lower level (external = 0) is allowed, while traffic from lower (external) to higher (internal) is blocked unless an exception is explicitly configured; with FW1 there are no native directions, and everything must be coded. (For this reason, FW1 can be considered much more flexible.)
The license structure on the PIX is per connection; the license structure on FW1 is per protected host. All other things being equal, maintenance is much easier on the PIX, and performance is higher on the PIX. Cisco has recently released a host-to-LAN encryption solution; FW1 has had such a solution for a long time now (SecuRemote for Windows boxes). FW1 has extra features such as bandwidth management (FloodGate) or content vectoring servers, among others (see OPSEC products).
Note that FW1 is developed in a Unix environment. The Unix implementation is more efficient, more mature, and more stable. It is wrong to go with NT unless the client swears he can support NT and is afraid of Unix. Also, comparing FW1 on a switch or on a Nokia box against the PIX would be an interesting comparison.
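To make the "diode" model concrete, here is an added Python toy (my own code, not Cisco's, and deliberately simplified: it tracks 5-tuples only, not the TCP sequence numbers and flags the ASA also checks) that evaluates a packet against interface security levels, explicit exceptions for lower-to-higher traffic, and a connection table; the interface names, addresses and the DMZ web-server exception are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class DiodeFirewall:
    """Toy model of PIX interface security levels plus a connection table."""

    def __init__(self, levels, exceptions=()):
        self.levels = levels               # e.g. {"inside": 100, "dmz": 50, "outside": 0}
        self.exceptions = set(exceptions)  # explicit lower->higher permits: (proto, dst, dport)
        self.connections = set()           # connection table of permitted 5-tuples

    def evaluate(self, pkt, routes):
        """Return 'permit' or 'deny'; routes maps destination host -> egress interface."""
        egress = routes[pkt.dst]
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. A reply to a connection already in the table is permitted (validated connection).
        if reverse in self.connections:
            return "permit"
        # 2. Higher security level to lower: permitted by default and recorded in the table.
        if self.levels[pkt.ingress] > self.levels[egress]:
            self.connections.add(key)
            return "permit"
        # 3. Lower to higher: permitted only if explicitly configured.
        if (pkt.proto, pkt.dst, pkt.dport) in self.exceptions:
            self.connections.add(key)
            return "permit"
        return "deny"

def demo():
    """Constructed sample: three interfaces, one DMZ web server opened from outside."""
    fw = DiodeFirewall({"inside": 100, "dmz": 50, "outside": 0},
                       exceptions={("tcp", "10.0.1.80", 80)})
    routes = {"10.0.0.5": "inside", "10.0.1.80": "dmz", "203.0.113.9": "outside"}
    out = fw.evaluate(Packet("inside", "tcp", "10.0.0.5", 40000, "203.0.113.9", 443), routes)
    reply = fw.evaluate(Packet("outside", "tcp", "203.0.113.9", 443, "10.0.0.5", 40000), routes)
    to_dmz = fw.evaluate(Packet("outside", "tcp", "203.0.113.9", 51000, "10.0.1.80", 80), routes)
    unsolicited = fw.evaluate(Packet("outside", "tcp", "203.0.113.9", 51001, "10.0.0.5", 22), routes)
    return out, reply, to_dmz, unsolicited   # ('permit', 'permit', 'permit', 'deny')

if __name__ == "__main__":
    print(demo())
```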
PIX Pros:
1) Minimal configuration if you have few or zero internal devices that need to be accessed directly from the Internet (e.g. web servers on a protected DMZ) and want to allow everything outbound.
2) Complete hardware/software solution, no additional OS vulnerabilities or boot-time errors to worry about.
3) Cisco support, which is generally very good.
4) Performance, probably the best in the business.
5) No special client side software other than telnet, tftp or serial port terminal software.
6) Lots of detailed documentation.
7) Free upgrades.
PIX Cons:
1) Difficult to manage if you have many servers on a protected DMZ (lots and lots of conduit statements) or many firewalls to manage.
2) Routing limitation in complex network architectures (Need to add a router for EACH segment).
3) Command line (IOS style) based. Cisco GUI manager (PIX Firewall Manager) is currently in its early releases and not as functional as FW-1's.
4) No ability to off-load layer 7 services like: virus scanning, URL filtering, etc. You can filter on outgoing traffic, but the process is not dynamic.
5) Requires a separate syslog server for logging.
6) No source port filtering.
7) No clear documentation (Cisco's documentation is often conflicting, fails to explain which version of the PIX OS a certain configuration will or will not work under, and seems to be constantly changing).
FW-1 Pros:
1) Very functional GUI interface.
2) Based on Stateful inspection like PIX, but can off-load layer 7 inspection to other servers if required.
3) Lots of features for complex environments like: large protected DMZ, Windows VPN support, firewall synchronization, bi-directional NAT, etc.
4) Can be used to control bi-directional traffic.
5) Complex logging provided on management station.
FW-1 Cons:
1) Must account for OS vulnerabilities as well as FW-1 vulnerabilities.
2) Performance on NT not as good as on Unix or the PIX.
3) Support is only through resellers, very expensive (contracts start at 50% of the price of the original software per year) and needed for product upgrades.
4) Possibility of OS boot-time errors.
NB: PIX can filter Java but has no ActiveX or JavaScript filtering yet (FW-1 can).
Conclusion
In the simplest terms, FW-1 can be considered much more functional than the PIX, while the PIX has better performance and support. If your particular environment requires a lot of functionality, the best choice is the FW-1 solution, although you might want to consider running it on a Unix platform rather than an NT platform. If your environment is pretty simple, PIX is a solid solution with very good performance.
Site-to-site VPN on ASA
Assume the local subnet is 192.168.15.0/24 and the remote subnet is 192.168.16.0/24. The remote public IP is 11.11.11.11.
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
access-list REMOTE_SITE extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside
nat (inside) 0 access-list REMOTE_SITE
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key ***
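As an added review aid (my own code, not from the post or from Cisco), this Python snippet parses the ASA crypto lines above and lists the algorithm strengths they select; it embeds a constructed copy of the relevant lines, so it runs offline and can be pointed at a real show running-config extract instead.

```python
import re

# Constructed copy of the crypto lines from the post (indented as 'show run' prints them).
ASA_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
"""

# Modulus sizes of the IKE Diffie-Hellman groups (RFC 2409, RFC 3526).
DH_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048}
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_isakmp_policies(text):
    """Return {policy number: {keyword: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        attr = re.match(r"\s*(%s)\s+(\S+)" % "|".join(POLICY_KEYS), line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2)
        elif not line.startswith(" "):
            current = None   # any other top-level command ends the policy block
    return policies

def review(text):
    """Return human-readable findings about the IKE phase 1 and IPsec phase 2 choices."""
    findings = []
    for num, pol in parse_isakmp_policies(text).items():
        bits = DH_BITS.get(pol.get("group"))
        if bits is not None and bits < 2048:
            findings.append("isakmp policy %s: DH group %s is a %d-bit modulus" % (num, pol["group"], bits))
        if pol.get("hash") == "sha":
            findings.append("isakmp policy %s: 'hash sha' is SHA-1" % num)
        if pol.get("encryption") in ("des", "3des"):
            findings.append("isakmp policy %s: %s is a legacy cipher" % (num, pol["encryption"]))
    for grp in re.findall(r"set pfs group(\d+)", text):
        if DH_BITS.get(grp, 2048) < 2048:
            findings.append("crypto map: PFS group%s is a %d-bit modulus" % (grp, DH_BITS[grp]))
    if re.search(r"transform-set \S+ .*\besp-sha-hmac\b", text):
        findings.append("transform-set: esp-sha-hmac is HMAC-SHA-1")
    return findings

if __name__ == "__main__":
    for finding in review(ASA_CONFIG):
        print(finding)
```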
Thursday, 11 February 2010
BGP routing with a single default route (default-originate)

BGP routing with a single default route
Posted in BGP by giat on September 12, 2008
A BGP configuration with a single default route is a routing setting used to reach networks that lie outside the existing routing table. For example, when there is an interconnection to an ISP (internet service provider) through a neighbor router, the ISP's routes will not reach the router we configure. For this we need the BGP configuration default-originate; that setting makes the ISP's routes reachable from our router. The example below explains a BGP router configuration with default-originate.
In the figure, the two routers are connected to each other using the same AS number, AS 1. Router A connects to Router B over network 10.1.1.0, and the two routers can communicate without obstruction. Router B connects to the ISP or the Internet with network address 10.1.2.0/30; Router A cannot recognize that network because it lies outside Router A's routing table, so a default-route configuration is needed for the outside network to be known. The default-route setting is different for a BGP router: here BGP uses its own setting, namely default-originate.
Default-originate announces networks outside our routing table, in the same way that the default-route setting is used for internal routing.
Router A
router bgp 1
neighbor 10.1.1.2 remote-as 1
no synchronization
Router B
router bgp 1
neighbor 10.1.1.1 remote-as 1
neighbor 10.1.1.1 default-originate route-map exists
!
access-list 1 permit 10.1.2.0 0.0.0.3
!
route-map exists permit 10
match ip address 1
The configuration above is the setting on the BGP router for obtaining the ISP's routes, which will be introduced to Router A. Router B's configuration places the Internet network into Router B's BGP routing table so that Router A can learn it. After configuring, check the result in the routing table of each router, A and B, with the command show ip route for the routing table and show ip route bgp for the BGP routing table. If each router's routing table shows the ISP/Internet network address, the configuration succeeded; if not, re-verify the configuration of each router.
routerA#show ip bgp
BGP table version is 3, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i0.0.0.0 10.1.1.2 100 0 i
*>i10.1.2.0/30 10.1.1.2 0 100 0 i
routerA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR, P - periodic downloaded static route
T - traffic engineered route
Gateway of last resort is 10.1.1.2 to network 0.0.0.0
10.0.0.0/30 is subnetted, 2 subnets
B 10.1.2.0 [200/0] via 10.1.1.2
C 10.1.1.0 is directly connected, Serial0
B* 0.0.0.0/0 [200/0] via 10.1.1.2
Router A's routing table shows the networks introduced by Router B. Network 10.1.2.0 is the ISP/Internet network that Router B has default-originated. Network 10.1.1.0 is the network directly connected to both routers. If there are problems, don't keep them to yourself; ask someone who understands better.
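The conditional part of the configuration above (default-originate route-map exists) is what keeps Router A from holding a default route when the ISP link is gone. As an added example that is not part of the original post, this Python simulation models that behaviour with the post's addresses; it assumes the ISP prefix 10.1.2.0/30 is present in Router B's BGP table while the link is up (the show ip bgp output on Router A shows it learned that way).

```python
from ipaddress import ip_address, ip_network

ROUTER_B = "10.1.1.2"   # Router B as seen by Router A (addresses from the post)

def wildcard_to_network(addr, wildcard):
    """Convert an IOS standard-ACL 'address wildcard' pair (e.g. 10.1.2.0 0.0.0.3) to a network."""
    mask = (~int(ip_address(wildcard))) & 0xFFFFFFFF
    return ip_network((addr, str(ip_address(mask))))

def acl_matches(acl_networks, prefix):
    """'match ip address <std-acl>' in a route-map tests the route's network address."""
    return any(ip_network(prefix).network_address in net for net in acl_networks)

def advertised_to_a(bgp_table_b, acl_networks):
    """Prefixes Router B sends to Router A with 'default-originate route-map exists'."""
    adv = list(bgp_table_b)
    if any(acl_matches(acl_networks, p) for p in bgp_table_b):
        adv.append("0.0.0.0/0")   # the default is sent only while a matching prefix exists
    return adv

def gateway_of_last_resort(received):
    """What Router A would show as its gateway of last resort."""
    return ROUTER_B if "0.0.0.0/0" in received else None

def simulate():
    acl1 = [wildcard_to_network("10.1.2.0", "0.0.0.3")]   # access-list 1 permit 10.1.2.0 0.0.0.3
    link_up = advertised_to_a(["10.1.2.0/30"], acl1)     # ISP prefix present in B's BGP table
    link_down = advertised_to_a([], acl1)                # ISP prefix gone: default withdrawn
    return gateway_of_last_resort(link_up), gateway_of_last_resort(link_down)

if __name__ == "__main__":
    print(simulate())   # ('10.1.1.2', None)
```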
Port forwarding NAT
Here is an example of NAT on a Cisco router; adjust it to your own interfaces and IP addresses:
WAN interface:
interface GigabitEthernet0/1
ip address 222.222.222.4 255.255.255.248
ip nat outside
no cdp enable
!
Local interface:
interface GigabitEthernet0/2
ip address 192.168.3.250 255.255.255.0
ip nat inside
no cdp enable
For the NAT:
access-list 1 permit 192.168.3.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Set the gateway:
ip route 0.0.0.0 0.0.0.0 222.222.222.1
For the port forwarding (forward port 1933 to internal port 5900):
ip nat inside source static tcp 192.168.3.30 5900 interface GigabitEthernet0/1 1933