Posts tagged cisco

cisco sg300 setup

posted on 2016-08-13 17:52

These are my notes for setting up a cisco sg300 10-port switch with VLANs via the CLI. It is the best cheap managed switch that happens to have a CLI similar to the one on the bigger switches from cisco, and it comes with a serial interface.

standard ip

Use this IP for accessing SSH or the web GUI in your browser:

192.168.1.254

standard password

user: cisco
pass: cisco

serial connection

In case you need it because you can no longer reach the switch via IP (scanning 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 sure takes too much time to be feasible...), use its serial interface.

baud:      115200 (if not set otherwise)
bits:      8
parity:    N
stopbits:  1
no flow control

To use it, connect a USB-to-serial adapter to your laptop and use putty/screen/minicom, depending on the OS you use.

foreword

First, all commands are abbreviated here. Use ? in the CLI if you want to know what you can type: use it alone, after some characters, or on its own as a parameter after a command.

cisco devices have different modes, and after logging in you edit the configuration in RAM. To change all possible settings you have to go into configure mode (conf), and to save them, the volatile running configuration has to be copied back to flash memory (copy run start or wr).

In normal mode there are just not that many options. To jump back, exit. More on the modes later on.

Sadly, ctrl+d doesn't work, but ctrl-z is its substitute.

first steps (after logging in and likely changing the password)

'backspace' key:

ctrl + h

delete current line:

ctrl + u
ctrl + k

disable/enable the output paging bullshit: (You know screen's copy mode via ctrl+a,[ so PGUP and PGDN work?)

terminal datadump
terminal no datadump

enable / disable command history / set its maximum size:

terminal history
terminal no history
terminal history size 206

show current configuration:

show run

show current access methods:

show line

save the changes up until now:

# choose 'yes', of course, when being prompted
copy run start

# this also works but is deprecated
wr t

configuration

For ease of use, when configure mode is needed, all the steps are shown. You can stay in configure mode if you want and perform several steps at once if you please.

hostname:

conf t
hostname <my_new_hostname>
ctrl-z
copy run start

search domain

conf t
ip domain name <your_search_domain>
ctrl-z
copy run start

create a new user and revoke admin rights from the standard 'cisco' user:

conf t
username <new_user> privilege 15 password <new_password>
username cisco privilege 1 password <doesnt_matter_you_dont_need_it_anymore>
ctrl-z
copy run start

What this step is really about is the different privilege levels present on cisco switches.

privilege level 1      = user mode, '>' prompt
privilege level 2 - 15 = privileged EXEC mode, '#' prompt
configure              = configure mode, '(config)' prompt

You can do fine-grained access levelling, with commands available only at particular privilege levels (e.g. 3, 6, 10, 14, 15, however you see fit), but here we just want to disable the basic account and create a new one.

Level 15 can do everything. Regular workflow is logging in, and using the enable password to elevate to administrator levels if need be.

Via enable <number> and disable <number> you can enter higher or lower privilege levels relative to your current one, which can be looked up via show privilege.

While in configure mode, you can enter sub-modes for some of the commands; exit (ex), end and ctrl-z work there, too.
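The user/privilege step above is easy to get wrong in a way that either leaves the default account with full rights or locks you out. The following is an added example (my own, not code from the original post or from cisco) that audits a `show run` dump for exactly those two conditions. The config text inside it is constructed to look like an sg300 running config; the password hashes are placeholders.

```python
"""Audit a cisco SG300-style 'show run' dump for local user privilege levels.

Added example, not from the original post. It checks the two things the
post's user-creation step is meant to achieve: the default 'cisco' account
no longer holds privilege 15, and some other local account does (so you do
not lock yourself out). The config text below is constructed, not captured
from a real device.
"""
import re

DEFAULT_ACCOUNT = "cisco"
ADMIN_LEVEL = 15

# Constructed sample: what the running config looks like *after* the post's
# "create a new user / demote cisco" step. The hashes are placeholders.
SAMPLE_RUN_AFTER = """\
hostname lab-sg300
username admin password encrypted PLACEHOLDER_HASH privilege 15
username cisco password encrypted PLACEHOLDER_HASH privilege 1
ip domain name lab.example
ip default-gateway 192.168.1.1
"""

# Constructed sample: a box that was never hardened (factory state).
SAMPLE_RUN_BEFORE = """\
hostname switch
username cisco password encrypted PLACEHOLDER_HASH privilege 15
"""

USER_RE = re.compile(r"^\s*username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")


def parse_users(config_text):
    """Return {username: privilege_level} from 'username ...' lines.

    On the SG300 the privilege keyword can sit anywhere on the line and
    defaults to 1 when omitted, so the level is looked up separately.
    """
    users = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        p = PRIV_RE.search(rest)
        users[name] = int(p.group(1)) if p else 1
    return users


def audit_users(users):
    """Return a list of (severity, message) findings for the parsed users."""
    findings = []
    if users.get(DEFAULT_ACCOUNT, 0) >= ADMIN_LEVEL:
        findings.append(("high", "default account '%s' still has privilege %d"
                         % (DEFAULT_ACCOUNT, ADMIN_LEVEL)))
    admins = sorted(n for n, lvl in users.items()
                    if lvl >= ADMIN_LEVEL and n != DEFAULT_ACCOUNT)
    if not admins:
        findings.append(("high", "no non-default account with privilege 15; "
                         "demoting '%s' now would lock you out" % DEFAULT_ACCOUNT))
    if DEFAULT_ACCOUNT in users and users[DEFAULT_ACCOUNT] < ADMIN_LEVEL:
        findings.append(("info", "default account '%s' is present at privilege %d; "
                         "consider removing it entirely (no username %s)"
                         % (DEFAULT_ACCOUNT, users[DEFAULT_ACCOUNT], DEFAULT_ACCOUNT)))
    return findings


def audit_config(config_text):
    """Parse and audit in one go; returns the findings list."""
    return audit_users(parse_users(config_text))


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_RUN_BEFORE), ("after", SAMPLE_RUN_AFTER)):
        print(label)
        for sev, msg in audit_config(cfg) or [("ok", "no findings")]:
            print("  [%s] %s" % (sev, msg))
```

Run it against a real dump by feeding the output of `show run` to `audit_config`; the "before" sample reproduces the factory state (two high findings), the "after" sample the state the post leaves you in (only the informational note that the demoted default account still exists).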

set default gateway

conf t
ip default-gateway <your_gw_ip>
do copy run start

The do keyword lets you run EXEC keywords from within configure mode.

set default ip

cisco sg300 upload new firmware via xmodem

posted on 2016-08-07 09:30

After a reset, an sg300 did not want to boot: both firmware slices were corrupt. The result was an endless boot loop in which it would try to download the firmware, without success.

Using minicom, the upload was easy:

  • Turn off switch.
  • If you use a USB-to-serial adapter with a null modem cable, the interface is most likely /dev/ttyUSB0. Look through your devices under /dev in case it is /dev/ttyUSB1.
  • minicom -s and setup everything.
  • baud rate 115200 (instead of the usual 9600 with most cisco devices), 8N1 (8 bits, no parity, 1 stop bit), no hardware or software flow control
  • minicom -D /dev/ttyUSB0
  • start switch, press ESC when prompted
  • ctrl-a, s and choose xmodem
  • navigate to the file, or choose the [Goto] menu at the bottom
  • Space to select the file, Enter.

A window like this should pop up and the upload should begin:

+-----------[xmodem upload - Press CTRL-C to quit]------------+
|Sending sx300_fw-14502.ros, 57760 blocks: Give your local XMO|
|DEM receive command now.                                     |
|                                                             |
|                                                             |
|                                                             |
|                                                             |
|                                                             |
+-------------------------------------------------------------+

After the upload is finished, the switch should successfully reboot again and be factory reset.
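What minicom's "Sending ..., 57760 blocks" actually means on the wire is the classic XMODEM framing: the file is cut into 128-byte blocks, each sent in a frame with a block number, its complement and an 8-bit checksum, and the receiving bootloader answers ACK or NAK per block. The following is an added example (my own, not minicom's or cisco's code) that builds and verifies such frames and simulates the receiver side, including the detection of a corrupted block. The input bytes are constructed.

```python
"""XMODEM (128-byte, checksum variant) framing as used by minicom's 'sx'.

Added example, not part of the original post and not minicom's own code.
It shows what travels over the serial line during the firmware upload
described above: one SOH frame per 128-byte block, each carrying a block
number, its complement and an 8-bit checksum, so the receiver (here the
switch's bootloader) can detect a corrupted or out-of-sequence block and
answer NAK to request a resend. All input data below is constructed.
"""

SOH, EOT, ACK, NAK = 0x01, 0x04, 0x06, 0x15
BLOCK_SIZE = 128
PAD = 0x1A  # CTRL-Z padding for the final short block, as sx does


def build_frame(seq, payload):
    """Return one 132-byte frame: SOH, seq, 255-seq, 128 data bytes, checksum."""
    if len(payload) != BLOCK_SIZE:
        raise ValueError("payload must be exactly %d bytes" % BLOCK_SIZE)
    seq &= 0xFF
    return bytes([SOH, seq, 0xFF - seq]) + payload + bytes([sum(payload) & 0xFF])


def parse_frame(frame, expected_seq):
    """Receiver-side check: return the payload, or raise (the receiver would NAK)."""
    if len(frame) != BLOCK_SIZE + 4 or frame[0] != SOH:
        raise ValueError("bad header")
    seq, seq_comp = frame[1], frame[2]
    if seq != 0xFF - seq_comp:
        raise ValueError("block number and its complement disagree")
    if seq != expected_seq & 0xFF:
        raise ValueError("unexpected block number %d" % seq)
    payload = frame[3:-1]
    if frame[-1] != sum(payload) & 0xFF:
        raise ValueError("checksum mismatch in block %d" % seq)
    return payload


def block_count(length):
    """Number of 128-byte blocks needed for 'length' bytes (ceiling division)."""
    return -(-length // BLOCK_SIZE)


def frames_for(data):
    """Sender side: split data into padded blocks numbered from 1 (wrapping 255 -> 0)."""
    frames = []
    for i in range(0, len(data), BLOCK_SIZE):
        block = data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, bytes([PAD]))
        frames.append(build_frame(i // BLOCK_SIZE + 1, block))
    return frames


def reassemble(frames, length):
    """Receiver side: verify every frame in sequence and drop the padding.

    XMODEM carries no length field, so the receiver has to know (or not care
    about) the original size; here it is passed in explicitly.
    """
    out = bytearray()
    for i, frame in enumerate(frames):
        out += parse_frame(frame, i + 1)
    return bytes(out[:length])


def simulate_receiver(frames):
    """Return the list of replies a receiver would send for the given frames."""
    replies = []
    for i, frame in enumerate(frames):
        try:
            parse_frame(frame, i + 1)
            replies.append(ACK)
        except ValueError:
            replies.append(NAK)
    return replies


if __name__ == "__main__":
    image = bytes(range(256)) * 3 + b"constructed-tail"
    frames = frames_for(image)
    print("%d bytes -> %d blocks" % (len(image), len(frames)))
    assert reassemble(frames, len(image)) == image
    damaged = list(frames)
    damaged[1] = bytes(bytearray(damaged[1][:40]) + bytearray([damaged[1][40] ^ 1]) + damaged[1][41:])
    print("replies with block 2 corrupted:", simulate_receiver(damaged))
```

The checksum is only 8 bits, so it catches the typical single-byte serial glitch but not every corruption; that is why the later XMODEM-CRC and YMODEM variants exist, and why the bootloader still verifies the image after the transfer.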

cisco: ASA 5510 basic setup

posted on 2016-02-29 22:49:46

This is almost the same posting as the previous one on setting up the 5505, but with some adjustments.

To have a very basic and usable ASA device after a factory reset, you might consider the commands presented in the following. These were entered into the device via a serial connection to the console port.

Usually this connection's speed is 9600 baud 8N1, in case you wonder.

ASDM will be available from the LAN, not just via the management port. Furthermore, private IP networks are used for both the ingress and egress networks.

first aid

  • Use TAB to expand all the mentioned commands.
  • Use ? to show available commands.
  • In (config), use sh run to show your current configuration.

In case you need more in depth info, here is the original page from cisco.

modes

There are several modes, in very short:

  • EXEC = only most basic commands ('>' prompt)
  • privileged EXEC = you can now reboot and possibly change config ('#' prompt, enter via ena)
  • config = you can change configuration ('(config)' prompt, enter via conf t)

first steps upon fresh connect after a factory reset

! lines starting with ! are comments and do not need to be entered

! privileged mode
ena
! hit enter, initially no password needed

! now enter configure mode
conf t

! which box are we working on?
ho <hostname>

! set enable password
! can be used later for ASDM, too, with the username left blank
ena p <password>

set external and internal networks onto physical ports

! maybe instead of 'E' you need 'G' for gigabit interfaces
in E 0/0
no shut
sec 0
ip ad 10.0.0.1 255.255.255.0
nameif OUTSIDE

in E 0/1
no shut
sec 100
ip ad 192.168.0.1 255.255.255.0
nameif INSIDE

! management IF, in case you want it
!in M 0/0

!exit
q

ASDM

! enable asdm...
ht s en

! ... from LAN
ht 192.168.0.0 255.255.255.0 INSIDE

save and reboot

wr mem
rel

ASAs are painful to maintain.

cisco: ASA 5505 basic setup

posted on 2016-02-29 22:49:46

To have a very basic and usable ASA device after a factory reset, you might consider the commands presented in the following. These were entered into the device via a serial connection to the console port.

Usually this connection's speed is 9600 baud 8N1, in case you wonder.

ASDM will be available from the LAN, not just via the management port. Furthermore, private IP networks are used for both the ingress and egress networks.

first aid

  • Use TAB to expand all the mentioned commands.
  • Use ? to show available commands.
  • In (config), use sh run to show your current configuration.

modes

There are several modes, in very short:

  • EXEC = only most basic commands ('>' prompt)
  • privileged EXEC = you can now reboot and possibly change config ('#' prompt, enter via ena)
  • config = you can change configuration ('(config)' prompt, enter via conf t)

first steps upon fresh connect after a factory reset

! lines starting with ! are comments and do not need to be entered

! privileged mode
ena
! hit enter, initially no password needed

! now enter configure mode
conf t

! which box are we working on?
ho <hostname>

! set enable password
! can be used later for ASDM, too, with the username left blank
ena p <password>

create VLANs for the external and internal network

in Vlan1
 nameif OUTSIDE
 sec 1
 ip ad 10.0.0.1 255.255.255.0

in Vlan10
 nameif INSIDE
 sec 100
 ip ad 192.168.1.1 255.255.255.0

! exit
q

set vlans for your physical interfaces

! first your uplink
in E 0/0
 no shut
 sw a v 1

! now the others
in E 0/1
 no shut
 sw a v 10

in E 0/2
 no shut
 sw a v 10

in E 0/3
 no shut
 sw a v 10

! of course you can do it for all others, too, if you want
! else:
q

ASDM

! enable asdm...
ht s en

! ... from LAN
ht 192.168.1.0 255.255.255.0 INSIDE

save and reboot

wr mem
rel

ASAs are painful to maintain.

cisco: boot router from USB

posted on 2016-02-29 14:29:20

A very short walkthrough; persisting the image is included:

  • "The USB Flash Module is a hardware device sold by Cisco Systems ® that provides a secondary Flash capability on Universal Serial Bus (USB) ports." (I cited cisco, from the link at the bottom of this post.)

  • "USB drivers have been added to rommon, starting with version 12.4(13r)." (Also from the cisco link.)

  • the filesystem has to be FAT16, since FAT32 will NOT work

  • ctrl-break (or other) to enter rommon mode

    rommon 1> ?
    rommon 2> dir usbflash0:
    rommon 3> boot usbflash0:c2800nm-ipbase-mz.124-3.bin

    Router> enable
    Router# copy usbflash0:c2800nm-ipbase-mz.124-3.bin flash:c2800nm-ipbase-mz.124-3.bin

Here is additional information directly from Cisco.

cisco ASA: ipsec example

posted on 2016-02-28 14:33:03

I fear I will need something like that soon, so here's a dump I found on google somewhere else: (None of the following is from me! But from here)

Table 1 Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute               Value
Encryption              AES 128-bit
Hashing                 SHA-1
Authentication method   Preshared keys
DH group                Group 2 (1024-bit field)
Lifetime                86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

Table 2 Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute   Value
Encryption  AES 128-bit
Hashing     SHA-1
Lifetime    28,800 seconds / 4,608,000 kB
Mode        Tunnel
PFS group   None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

! IPsec ISAKMP Phase 1

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
crypto ikev1 enable outside

tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside
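When you reuse a dump like the one above, the first thing to do is check that what ended up on the box actually matches the checklist tables, and the second is to notice what the checklist does not say: DH group 2 (1024-bit MODP) and SHA-1 are below current recommendations (group 14 or higher, SHA-256), and a pre-shared key that is readable in a shared dump should be treated as burnt. The following is an added example (my own, not from the post or the site it quotes) that parses the `crypto ikev1 policy` block of an ASA config, compares it with Table 1 and reports those weak settings. The config text in it is constructed; the peer address and key are placeholders.

```python
"""Check an ASA IKEv1 phase-1 policy against the Table 1 checklist and flag weak settings.

Added example, not from the original post or its source. It parses the
'crypto ikev1 policy' block of a config dump, compares it with the Table 1
attributes (AES-128, SHA-1, pre-shared keys, DH group 2, 86,400 s) and then
reports what a reviewer would want to know: DH group 2 and SHA-1 are below
current recommendations, and a pre-shared key present in plain text in the
dump should be rotated if the dump was shared. The config text below is
constructed; the peer address (documentation range) and key are placeholders.
"""
import re

# Table 1 from the post, expressed as the ASA keywords the policy block uses.
PHASE1_CHECKLIST = {
    "authentication": "pre-share",
    "encryption": "aes",     # AES 128-bit
    "hash": "sha",           # 'sha' on the ASA means SHA-1
    "group": "2",            # DH group 2, 1024-bit MODP
    "lifetime": "86400",
}

MIN_DH_GROUP = 14            # 2048-bit MODP; groups 1, 2 and 5 are considered weak today
WEAK_HASHES = {"md5", "sha"}
OBSOLETE_CIPHERS = {"des", "3des"}

SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
"""

POLICY_RE = re.compile(r"^\s*crypto ikev1 policy (\d+)\s*$")
ATTR_RE = re.compile(r"^\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$")
PSK_RE = re.compile(r"^\s*ikev1 pre-shared-key\s+(\S+)")


def parse_ikev1_policies(text):
    """Return {priority: {attribute: value}} for each 'crypto ikev1 policy' block.

    Works for both the indented form 'show run' prints and the flat form the
    post pastes: attribute lines are recognised by keyword, and any other
    top-level command ends the current block.
    """
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current[a.group(1)] = a.group(2)
        elif line.strip() and not line.startswith(" "):
            current = None
    return policies


def compare_with_checklist(policy, checklist=PHASE1_CHECKLIST):
    """Return {attribute: configured_value} for every attribute that differs from the checklist."""
    return {k: policy.get(k) for k, v in checklist.items() if policy.get(k) != v}


def weak_settings(policy):
    """Return warnings for settings below current recommendations."""
    warnings = []
    group = int(policy.get("group", "0"))
    if group < MIN_DH_GROUP:
        warnings.append("DH group %d is below group %d (2048-bit MODP)" % (group, MIN_DH_GROUP))
    if policy.get("hash") in WEAK_HASHES:
        warnings.append("hash '%s' is SHA-1/MD5; prefer sha256" % policy["hash"])
    if policy.get("encryption") in OBSOLETE_CIPHERS:
        warnings.append("encryption '%s' is obsolete" % policy["encryption"])
    return warnings


def plaintext_psks(text):
    """Return pre-shared keys that are readable in the dump ('show run' masks them as *****)."""
    return [m.group(1) for m in map(PSK_RE.match, text.splitlines())
            if m and not m.group(1).startswith("*")]


if __name__ == "__main__":
    for prio, pol in parse_ikev1_policies(SAMPLE_CONFIG).items():
        print("policy %d: deviations from checklist: %s" % (prio, compare_with_checklist(pol) or "none"))
        for w in weak_settings(pol):
            print("  warning:", w)
    print("readable pre-shared keys:", plaintext_psks(SAMPLE_CONFIG))
```

The same parser works on the output of `show running-config`, where the ASA masks the key as `*****`; if you instead dumped `more system:running-config`, the key is in the clear and the last check tells you so.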

cisco: factory reset a sg300 switch

posted on 2015-11-23 01:26:43

Resetting an SG300 is rather easy. Hold the reset button pressed; after about 10 seconds all port LEDs flash.

Login afterwards is cisco:cisco.

cisco: cheatsheet

posted on 2015-11-22 00:31:25

different modes

mode                prompt                  notes
user exec           switch>                 just login with user
privileged exec     switch#                 configure terminal
global config       switch (config)#        interface
if config           switch (config-if)#     vlan
vlan config         switch (config-vlan)#   line
line config         switch (config-line)#

actual commands for first setup

cisco:cisco are the initial user credentials you log in with. Then you had best create a proper user and finish the basic setup.

create user

hostname

hostname <hostname>

reboot

reload

show configuration

show running-config 

save configuration

write memory

## or: 
copy running-config startup-config

clear configuration

delete startup-config

## or: 
erase startup-config

cisco: factory reset for ASA 5510

posted on 2015-09-20 19:30:59

To factory reset an 'Adaptive Security Appliance', some CLI work has to be done. In the following, no prior configuration knowledge is assumed.

get a serial connection

Cisco switches are shipped with a blue female DB9-to-RJ45 adapter cable. (A null modem will not help here, as you need a RJ45 plug at the end which you connect to the ASA's CONSOLE port.)

Such a cable has to be connected to your ASA and to the serial port of your computer. Since most desktops/laptops do not ship with an RS-232 interface anymore, get yourself a male-male USB-to-DB9 adapter.

If you do not have the original cisco cable, use a comparable one: Juniper, for example, ships regular RJ45 ethernet cables plus a female-female RJ45-to-DB9 adapter, which works just the same.

In the following a linux operating system is assumed; on windows this works, too, but you have to plug in the adapter and find out via the device manager which COM port is used; you need this information later when using PuTTY.

On linux you can either go along with minicom, or just use screen. (I have the slight feeling I have written down all this somewhere else already on the blog...)

# as root
screen /dev/ttyUSB0 9600

... and you are connected. Cisco devices in general use 9600 baud, 8 bits, 1 stop bit, no flow control. Once I read on official docs about 2 stop bits, but it worked with 1, so go figure it out from the manual if you have trouble with these settings.

step by step

  1. power cycle - turn it off and on again, so it freshly boots after you have connected the serial cable

  2. press ESC here during boot:

    Evaluating BIOS Options ... Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

    Platform ASA5510

    Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.

  3. confirm the current configuration register; if prompted whether you wish to change anything, answer with 'no':

    rommon #0> confreg

    Current Configuration Register: 0x00000001
    Configuration Summary: boot default image from Flash

    Do you wish to change this configuration? y/n [n]: n

    rommon #1>

  4. enter: confreg 0x41

  5. enter: boot

  6. after the appliance has rebooted, you should see this prompt: ciscoasa>

  7. enter privileged mode: enable

  8. erase startup config: write erase

  9. enter config mode: configure terminal

  10. config-register 0x01

  11. exit config mode: exit

  12. confirm via show version, see the end: Configuration register is 0x41 (will be 0x1 at next reload)

  13. save: write

  14. reboot: reload

Done. You now have a fresh ASA at your disposal.

cisco: factory reset a 2960G switch and initial configuration

posted on 2015-09-19 10:35:33

Factory resetting for a 2960G switch is rather easy:

Hold the button on the front panel; after about 3 seconds of blinking, most lights should turn off. Keep the button pressed; after seven to ten more seconds, all lights will flash. Then the switch is factory reset and will reboot.

Booting can take a while. Afterwards you are prompted for the initial installation.

This can either be done while connected via a serial line (see next post here), or by using a PC connected via ethernet cable. Set the interface to DHCP and you should be able to access the switch's web interface in your browser via 10.0.0.1.

ASA: access console via serial port

posted on 2015-02-21 18:02:56

To connect to one of Cisco's ASAs (short for Adaptive Security Appliance), you have several options.

Either use the management ethernet port (labelled MGMT) or the serial interface (CONSOLE); both are RJ45 sockets. These methods of access are the same for most other hardware appliances.

If the ASA was not accessed in a while and the network config was lost (or if it's a leftover from an old customer), you are likely unable to access it through the management port, because you no longer know which subnet you have to be in to connect to it.

If you still happen to know your credentials, you might try the serial interface.

If your computer has a serial interface, too, you only need an RS-232-to-RJ45 cable for the ASA. If you have a laptop it's much more likely that you lack the serial port; then you need an adapter from serial to ethernet, plus a serial-to-USB adapter.

From here the steps differ, depending on your operating system.

windows

  1. plug in the adapter, which is connected to the device's CONSOLE port, too
  2. open the device manager
  3. look up which COM port just got added
  4. open putty
  5. connection destination is e.g. COM7, if that's the one you saw
  6. enter baud rate (9600 for cisco devices AFAIK)
  7. connect

You should be greeted by a prompt of the ASA. Hit space, in case putty does not update your console window.

linux

  1. plug in the adapter connected to the ASA
  2. ls -alh /dev/tty*
  3. You should see a device called something like /dev/ttyUSB0
  4. sudo screen /dev/ttyUSB0 9600, with a baud rate of 9600 as mentioned in the windows section above
  5. you should be connected, hit spacebar if nothing is shown.

If you have problems finding out which device is added when you insert the adapter into your USB port, try:

watch --differences -n.2 ls /dev/tty*
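The `watch --differences` one-liner works, but it still leaves you reading the diff by eye. The following is an added example (my own, not from the original post) that does the same thing programmatically: it snapshots the candidate serial device names, polls until a new one appears, and prints the screen command for it. The device directory is a parameter so the logic can be exercised against a scratch directory instead of /dev; the device name pattern and the 9600 baud default are assumptions taken from the posts above.

```python
"""Find the tty device that appears when a USB-to-serial adapter is plugged in.

Added example, not from the original post. It does what the
'watch --differences -n.2 ls /dev/tty*' one-liner does, but programmatically:
snapshot the candidate device names, wait for a new one to appear, and print
the screen command to use with it. The directory is a parameter so it can be
tested against a scratch directory instead of /dev.
"""
import os
import re
import time

# Names the usual USB-serial (ttyUSB), USB-CDC (ttyACM) and on-board (ttyS)
# drivers produce; assumption, extend if your adapter shows up differently.
CANDIDATE_RE = re.compile(r"^tty(USB|ACM|S)\d+$")
DEFAULT_BAUD = 9600  # cisco console default, as in the posts above


def snapshot(dev_dir="/dev"):
    """Return the set of candidate serial device names currently present."""
    return {n for n in os.listdir(dev_dir) if CANDIDATE_RE.match(n)}


def new_devices(before, after):
    """Names present in 'after' but not in 'before', sorted for stable output."""
    return sorted(after - before)


def wait_for_new_device(dev_dir="/dev", timeout=30.0, interval=0.2):
    """Poll 'dev_dir' until a new candidate device appears.

    Returns the first new name, or None if nothing showed up within 'timeout'
    seconds. 'interval' mirrors the -n.2 of the watch one-liner.
    """
    before = snapshot(dev_dir)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        added = new_devices(before, snapshot(dev_dir))
        if added:
            return added[0]
        time.sleep(interval)
    return None


def screen_command(device, baud=DEFAULT_BAUD, dev_dir="/dev"):
    """The screen invocation from the post, built for the device that was found."""
    return "screen %s %d" % (os.path.join(dev_dir, device), baud)


if __name__ == "__main__":
    print("plug in the adapter now (waiting up to 30 s)...")
    dev = wait_for_new_device()
    if dev is None:
        print("nothing appeared; check dmesg for the driver's device name")
    else:
        print("run: sudo " + screen_command(dev))
```

On a multi-user machine the interesting part is `new_devices`: comparing two snapshots tells you which node just appeared, which is more reliable than guessing ttyUSB0 when other adapters are already attached.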



Unless otherwise credited all material Creative Commons License by sjas