Enable the LTE Modem and SD-WAN on a Fortinet FortiGate 60E

I'm going to show you how to configure your Fortinet firewall with a Verizon MiFi® 4G LTE Global USB Modem U620L. First, log in to the admin portal and open the CLI, or connect to your FortiGate over SSH, and enable the port.
Then enter this command:

fortigate # config system lte-modem
fortigate (lte-modem) # set status enable
fortigate (lte-modem) # end
fortigate # show system lte-modem
config system lte-modem
    set status enable
end

To check which modems are compatible with your FortiGate, see this link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD30613

Now go to the web portal; you will have a new interface called WWAN.
To verify, go to Network > Interfaces.

Edit your new WWAN interface with a Role of WAN and an IP via DHCP or Manual, depending on your setup.

Now navigate to Network > SD-WAN and turn it on with "Enable". Then add your WAN interfaces as in the photo below.

I have the load balancing section configured as Volume, with 90% of my sessions going out WAN1 and the rest over the WWAN. For more information see: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/SD-WAN/SD-WAN_load_balancing.htm

Now we need to create a rule so that when one of the interfaces has problems, the FortiGate can steer traffic intelligently. Navigate to Network > SD-WAN Status Check and create a new rule like the one below.

The last part is to create a default route for SD-WAN. Go to Network > Static Routes and create a new route like the one I have below. It will send your Internet-bound traffic through your SD-WAN virtual interface.
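The GUI steps above have a CLI equivalent, which is handy when you want to keep the configuration in version control or compare two units. The following is an added example and is not taken from the post or from Fortinet documentation: it assumes FortiOS 6.0 CLI syntax, member interfaces named wan1 and wwan, a placeholder wan1 gateway of 203.0.113.1, and 8.8.8.8 as the probe target for the status check. The 90/10 volume ratio matches the Volume load balancing described above, and the static route sends 0.0.0.0/0 to the SD-WAN virtual interface.

```text
# Added example (FortiOS 6.0 CLI syntax, not from the post). Interface names,
# the gateway and the probe server are placeholders: adjust to your own setup.
config system virtual-wan-link
    set status enable
    # "Volume" in the GUI: distribute sessions by measured traffic volume
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set volume-ratio 90
        next
        edit 2
            set interface "wwan"
            set volume-ratio 10
        next
    end
    # "SD-WAN Status Check" in the GUI: ping probe sent over both members
    config health-check
        edit "internet-ping"
            set server "8.8.8.8"
            set protocol ping
            set members 1 2
        next
    end
end
# Default route pointing at the SD-WAN virtual interface
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set virtual-wan-link enable
    next
end
```

After pasting it, `diagnose sys virtual-wan-link health-check` shows whether the probe is succeeding on each member; a member whose probe fails is taken out of the distribution until it recovers, which is the failover behaviour the status check is there to provide.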

How to upgrade firmware on an SG350 Switch


1. Download latest firmware from https://software.cisco.com/download/home
2. Download Solarwinds Free TFTP Server and install on your PC: https://www.solarwinds.com/free-tools/free-tftp-server
3. Open PuTTY and connect to your switch. Once connected, run this command from the switch:

Switch1#boot system tftp://YOUR_IP/image_tesla_hybrid_2.4.5.71_release_cisco_signed.bin
12-Feb-2019 22:33:34 %COPY-I-FILECPY: Files Copy - source URL tftp://169.254.55.38/image_tesla_hybrid_2.4.5.71_release_cisco_signed.bin destination URL flash://system/images/image_tesla_hybrid_2.4.5.71_release_cisco_signed.bin
12-Feb-2019 22:35:33 %COPY-N-TRAP: The copy operation was completed successfully

Copy: 43487307 bytes copied in 00:02:00 [hh:mm:ss]

4. Reboot immediately or schedule a reboot with the command below:

SW#reload 
  at                   Reload at a specific time/date
  cancel               Cancel pending reload
  in                   Reload after a time interval
SW#reload in 
  <1-999>              time interval in minutes (mmm format)
  WORD<4-6>            time interval in hours & minutes (hhh:mm format)

SW#reload in 07:00 
This command will reset the whole system and disconnect your current session. Reload is scheduled for 23:36:35 web(UTC-4) Tue Oct 31 2017 (in 7 hours). Do you want to continue ?  (Y/N)[N] Y

SW#31-Oct-2017 16:36:44 %RNDMISC-N-SRACTIVE: system is scheduled to perform a restart at 23:36:35 Tue Oct 31 2017 (in 6 hours and 59 minutes).

5. Your switch will boot up with the new firmware image.

How to update Cisco SG300 Switches


1. Download latest firmware from https://software.cisco.com/download/home
2. Download Solarwinds Free TFTP Server and install on your PC: https://www.solarwinds.com/free-tools/free-tftp-server
3. Open PuTTY and connect to your switch. Once connected, run this command:

SW#copy tftp://YOUR_IP/sx300_fw-1486.ros image

4. Identify on which image slot your firmware was copied to:

SW#sh bootvar
Image  Filename   Version     Date                    Status
-----  ---------  ---------   ---------------------   -----------
1      image-1    1.4.7.5     15-Nov-2016  11:19:18   Active* 
2      image-2    1.4.8.6     10-Jul-2017  17:14:29   Not active

"*" designates that the image was selected for the next boot

5. Set to boot to the new version with the command below:

SW#boot system image-2

6. Reboot your switch or schedule a reboot with the command below:

SW#reload 
  at                   Reload at a specific time/date
  cancel               Cancel pending reload
  in                   Reload after a time interval
SW#reload in 
  <1-999>              time interval in minutes (mmm format)
  WORD<4-6>            time interval in hours & minutes (hhh:mm format)
SW#reload in 07:00 
This command will reset the whole system and disconnect your current session. Reload is scheduled for 23:36:35 web(UTC-4) Tue Oct 31 2017 (in 7 hours). Do you want to continue ?  (Y/N)[N] Y
SW#31-Oct-2017 16:36:44 %RNDMISC-N-SRACTIVE: system is scheduled to perform a restart at 23:36:35 Tue Oct 31 2017 (in 6 hours and 59 minutes).

7. Your switch will boot up with the new firmware image.
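TFTP has no authentication and no integrity protection, and both the SG350 and SG300 procedures above copy whatever file sits on the TFTP server straight into the switch's image slot. The check a practitioner wants before serving the file is to compare the downloaded image against the checksum shown on the Cisco download page. The script below is an added example, not part of either post and not a Cisco tool: it assumes you paste the page's checksum into `expected_sha256` (Cisco's page may list a different algorithm; swap `hashlib.sha256` for `hashlib.sha512` if so) and, optionally, the published file size. The demo writes a constructed three-byte "image" whose digest is the standard SHA-256 test vector for "abc", plus a tampered copy.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a 40 MB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_sha256, expected_size=None):
    """Compare a downloaded image with the checksum (and optional size) taken
    from the vendor download page. Returns (ok, reason)."""
    image = Path(path)
    if not image.is_file():
        return False, "image file not found"
    if expected_size is not None and image.stat().st_size != expected_size:
        return False, f"size mismatch: {image.stat().st_size} != {expected_size}"
    actual = sha256_of_file(image)
    # compare_digest avoids timing differences; both values are equal-length hex
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, f"sha256 mismatch: got {actual}"
    return True, "ok"


# Constructed test vector: SHA-256 of the ASCII string "abc".
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Write a constructed 'image' and a tampered copy, then verify both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "image_good.bin")
        bad = os.path.join(tmp, "image_tampered.bin")
        with open(good, "wb") as fh:
            fh.write(b"abc")
        with open(bad, "wb") as fh:
            fh.write(b"abd")  # a single flipped byte
        results["good"] = verify_image(good, ABC_SHA256, expected_size=3)
        results["tampered"] = verify_image(bad, ABC_SHA256, expected_size=3)
        results["wrong_size"] = verify_image(good, ABC_SHA256, expected_size=4)
        results["missing"] = verify_image(os.path.join(tmp, "nope.bin"), ABC_SHA256)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Run it against the real file with `verify_image("image_tesla_hybrid_2.4.5.71_release_cisco_signed.bin", "<checksum from the download page>")` before starting the TFTP server. The `cisco_signed` name on the image suggests the switch validates a vendor signature at install time; this host-side check catches a corrupted or swapped download before it ever reaches the switch.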

How to Configure DMVPN


Hi colleagues, below are the router configs.

Configuration of Router1 (Distribution Hub)
interface Tunnel0
 description TUNEL
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6783
!
interface GigabitEthernet0/0
 description INTERNET
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
!
router eigrp 100
 network 1.0.0.0
 eigrp stub connected summary
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
Configuration of Router2 (Spoke)
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6783
!
interface GigabitEthernet0/0
 ip address 2.2.2.1 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 10.20.20.1 255.255.255.0
!
router eigrp 100
 network 2.0.0.0
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
!
Configuration of Router3 (Spoke)
interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6783
!
interface GigabitEthernet0/0
 ip address 3.3.3.1 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 10.30.30.1 255.255.255.0
!
router eigrp 100
 network 3.0.0.0
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
!
Encrypt your Tunnels

On all routers, configure this to encrypt the traffic, especially if your tunnels traverse public networks (the Internet). Don't forget to change the cisco123 key if you use this configuration outside a lab.

crypto isakmp policy 10
 hash sha256
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set security-association lifetime seconds 28800
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!
Confirming the Tunnels Are Encrypted

Check that Phase 1 says ACTIVE:

Router1_Hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.2.2.1         QM_IDLE           1001 ACTIVE
1.1.1.1         3.3.3.1         QM_IDLE           1003 ACTIVE
3.3.3.1         1.1.1.1         QM_IDLE           1004 ACTIVE
2.2.2.1         1.1.1.1         QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

Check phase 2 and make sure encaps and decaps are not zero:

Router1_Hub#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.1/255.255.255.255/47/0)
   current_peer 3.3.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 263, #pkts encrypt: 263, #pkts digest: 263
    #pkts decaps: 263, #pkts decrypt: 263, #pkts verify: 263
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xCC4E37C1(3427678145)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
 --More-- 

Cisco SD-WAN with IP SLA (in Spanish)


Thanks for visiting my page; please subscribe to my YouTube channel. Like the video and also share my channel on WhatsApp, Facebook, or by smoke signals. When I reach 1,000 followers, I'll give away an Amazon gift card! Thanks, and enjoy this video:

Configuration of Router1
conf t
track 6 ip sla 6 reachability
ip sla 6
icmp-echo 172.31.2.2 source-ip Gig0/2
threshold 1500
timeout 500
frequency 5
tos 160
tag SD-WAN
exit
ip sla schedule 6 life forever start-time now
ip route 192.168.200.0 255.255.255.0 172.31.255.2 track 6
Configuration of Router2
conf t
track 6 ip sla 6 reachability
ip sla 6
icmp-echo 172.31.2.1 source-ip Gig0/2
threshold 1500
timeout 500
frequency 5
tos 160
tag SD-WAN
exit
ip sla schedule 6 life forever start-time now
ip route 192.168.100.0 255.255.255.0 172.31.255.1 track 6
Confirmation

Make sure routing goes out the correct interface with:

Ruta1#show ip route

Cisco CCNP EIGRP Lab

Lab #1

Configure EIGRP on 2 routers with AS 100. Disable auto-summary.

### Router1 ###
router eigrp 100
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary

### Router2 ###
router eigrp 100
 network 1.0.0.0
 network 20.0.0.0
 no auto-summary

Verify:

R1#show ip route
C    1.0.0.0/8 is directly connected, Serial0/2/0
D    20.0.0.0/8 [90/2195456] via 1.1.1.2, 00:43:52, Serial0/2/0
C    10.0.0.0/8 is directly connected, FastEthernet0/0

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime    SRTT   RTO  Q   Seq
                                (sec)          (ms)        Cnt Num
0   1.1.1.2         Se0/2/0       13 00:45:08   355  2130  0   106
How to Configure a Cisco VPN Quickly and Easily


Watch the video below to learn how to configure a VPN.

Configuration of Router1:
#### PHASE 1 ####
crypto isakmp policy 1
encrypt aes 256
hash sha256
auth pre-share
group 5
lifetime 28800
exit
#### PHASE 2 - Don't forget to change the key if you use this in production ####
crypto isakmp key THISISMYKEY addr 2.2.2.2
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile MY-IPSEC-PROFILE
set transform-set MY-SET
set pfs group2
set security-association lifetime seconds 28800
exit
#### TUNNEL CONFIG ####
interface tunnel 1
ip addr 172.31.1.1 255.255.255.252
tunnel source GI0/0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY-IPSEC-PROFILE
exit
#### OSPF CONFIG ####
interface tunnel 1
ip ospf area 1
exit
router ospf 1
area 1
network 192.168.100.0 0.0.0.5 area 1
end
Configuration of Router2:
#### PHASE 1 ####
crypto isakmp policy 1
encrypt aes 256
hash sha256
auth pre-share
group 5
lifetime 28800
exit
#### PHASE 2 - Don't forget to change the key if you use this in production ####
crypto isakmp key THISISMYKEY addr 1.1.1.1
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile MY-IPSEC-PROFILE
set transform-set MY-SET
set pfs group2
set security-association lifetime seconds 28800
exit
#### TUNNEL CONFIG ####
interface tunnel 1
ip addr 172.31.1.2 255.255.255.252
tunnel source GI0/0
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY-IPSEC-PROFILE
exit
#### OSPF CONFIG ####
interface tunnel 1
ip ospf area 1
exit
router ospf 1
area 1
network 192.168.200.0 0.0.0.5 area 1
end
Verification

Confirm that phase 1 is established:

show crypto isakmp sa

Confirm that phase 2 is established and make sure there are packets counted under decrypt and encrypt:

show crypto ipsec sa

Finally, you can send 'interesting' traffic (traffic matched by the security associations, or SAs), such as a ping between computers inside the internal LANs.
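This post and the DMVPN post above give the same two checks: phase 1 should show QM_IDLE with status ACTIVE, and phase 2 should show encaps and decaps that are both non-zero. The script below is an added example, not from either post and not a Cisco tool; it parses the two show outputs and reports any expected peer that fails either check. The ISAKMP sample is the hub output from the DMVPN post; the IPsec sample keeps the post's 3.3.3.1 entry and adds a constructed entry for 2.2.2.1 whose decaps counter is stuck at zero, the one-way case the posts tell you to look for. The local address and the list of expected peers are parameters you supply.

```python
import re

# Phase-1 sample: the hub's "show crypto isakmp sa" output from the DMVPN post.
ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.2.2.1         QM_IDLE           1001 ACTIVE
1.1.1.1         3.3.3.1         QM_IDLE           1003 ACTIVE
3.3.3.1         1.1.1.1         QM_IDLE           1004 ACTIVE
2.2.2.1         1.1.1.1         QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Phase-2 sample: the 3.3.3.1 entry is from the post; the 2.2.2.1 entry is
# constructed to show a tunnel that sends but never receives (decaps at 0).
IPSEC_SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.1/255.255.255.255/47/0)
   current_peer 3.3.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 263, #pkts encrypt: 263, #pkts digest: 263
    #pkts decaps: 263, #pkts decrypt: 263, #pkts verify: 263
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
   current_peer 2.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
PEER = re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)")
ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")


def parse_isakmp_sa(text):
    """One dict per SA row; the header line has a non-numeric conn-id and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(5)})
    return rows


def parse_ipsec_sa(text):
    """One dict per current_peer block with its encaps/decaps and error counters."""
    peers, cur = [], None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            peers.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in (("encaps", ENCAPS), ("decaps", DECAPS)):
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1))
        m = ERRORS.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return peers


def check_tunnels(isakmp_text, ipsec_text, local_addr, expected_peers):
    """Return a list of problem strings; an empty list means every peer passed."""
    problems = []
    phase1 = set()
    for r in parse_isakmp_sa(isakmp_text):
        if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE":
            # the peer is whichever end of the SA is not us
            phase1.add(r["dst"] if r["src"] == local_addr else r["src"])
    phase2 = {p["peer"]: p for p in parse_ipsec_sa(ipsec_text)}
    for peer in expected_peers:
        if peer not in phase1:
            problems.append(f"{peer}: no ACTIVE QM_IDLE ISAKMP SA (phase 1 down)")
        sa = phase2.get(peer)
        if sa is None:
            problems.append(f"{peer}: no IPsec SA (phase 2 missing)")
            continue
        if sa["encaps"] == 0 or sa["decaps"] == 0:
            problems.append(f"{peer}: phase 2 up but encaps={sa['encaps']} "
                            f"decaps={sa['decaps']} (traffic not flowing both ways)")
        if sa["send_errors"] or sa["recv_errors"]:
            problems.append(f"{peer}: send/recv errors "
                            f"{sa['send_errors']}/{sa['recv_errors']}")
    return problems


if __name__ == "__main__":
    for p in check_tunnels(ISAKMP_SAMPLE, IPSEC_SAMPLE, "1.1.1.1", ["2.2.2.1", "3.3.3.1"]):
        print(p)
```

Feed it the real outputs (for example captured over SSH and saved to a file) and the list of spokes you expect; a peer that is up in phase 1 but shows encaps without decaps usually means the far side is dropping or never sending, which is exactly the case the counters are there to reveal.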