Cisco ASA 8.3+ – Configure Static PAT

Define the host for which Static PAT will be configured.

Add the NAT configuration.

ACL

Cisco ASA 8.3+ – Configuring NAT For Internet Access

Create an object defining the subnet or hosts that will have NAT configured so they can access the internet.

Now add the NAT rule to that object, translating those hosts to the external IP on the outside interface.

OpenLDAP – Installing/Configuring OpenLDAP 2.4 on CentOS 7

Introduction

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection-oriented transfer services.

History

The OpenLDAP project was started in 1998 by Kurt Zeilenga. The project started by cloning the LDAP reference source from the University of Michigan where a long-running project had supported development and evolution of the LDAP protocol until that project’s final release in 1996.

As of May 2015, the OpenLDAP project has four core team members: Howard Chu (chief architect), Quanah Gibson-Mount, Hallvard Furuseth, and Kurt Zeilenga. There are numerous other important and active contributors including Luke Howard, Ryan Tandy, and Gavin Henry. Past core team members include Pierangelo Masarati.

Components

  • slapd – stand-alone LDAP daemon and associated modules and tools
  • libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER)
  • client software: ldapsearch, ldapadd, ldapdelete, and others

Installing/Configuring

  • Install EPEL Repository.

  • Install OpenLDAP Packages.

  • Start OpenLDAP Service.

  • Create olcRootPW using slappasswd.

  • Create the hdb database config LDIF file.

  • Import the hdb configuration into OpenLDAP.

  • Create monitor config LDIF file.

  • Import monitor configuration to OpenLDAP.

  • Create ACL config LDIF file.

  • Import ACL configuration to OpenLDAP.

  • Import base directory schemas into OpenLDAP.

  • Copy DB_CONFIG and set ownership of /var/lib/ldap/*.

  • Create the base directory configuration file, which also includes groups and users.

  • Import the users and groups into OpenLDAP.
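As an added illustration of the hdb-database and ACL steps (these are not the post's own files), the following shell functions emit the two cn=config LDIFs that ldapmodify would import; the suffix dc=example,dc=com, the root DN cn=Manager,dc=example,dc=com and the password hash are assumed values:

```shell
#!/bin/sh
# Added example, not the post's own files: generates the two cn=config LDIFs
# behind the "hdb database config" and "ACL config" steps. Suffix, root DN and
# password hash are assumptions; the hash comes from `slappasswd`. Apply each
# with: ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>

# make_hdb_ldif SUFFIX ROOTDN ROOTPW_HASH: prints the hdb database settings.
make_hdb_ldif() {
    suffix="$1"; rootdn="$2"; hash="$3"
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${suffix}
-
replace: olcRootDN
olcRootDN: ${rootdn}
-
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# make_acl_ldif ROOTDN: prints an olcAccess list in which password hashes are
# never readable (anonymous may only bind against them, a user may change
# their own) while everything else stays readable, e.g. sshPublicKey.
# A line starting with one space continues the previous LDIF line.
make_acl_ldif() {
    rootdn="$1"
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="${rootdn}" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by dn="${rootdn}" write
  by * read
EOF
}

# Example invocation with the assumed values; redirect to a file and ldapmodify it.
[ "$1" = "hdb" ] && make_hdb_ldif "dc=example,dc=com" "cn=Manager,dc=example,dc=com" "$2"
[ "$1" = "acl" ] && make_acl_ldif "cn=Manager,dc=example,dc=com"
```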

Conclusion

OpenLDAP 2.4 is now installed and configured. To view all the records we added, you can use the following command to search the whole database.

OpenLDAP – Configuring OpenSSH Public Key Authentication

Introduction

OpenSSH server supports the AuthorizedKeysCommand option. With this option in the sshd_config file one can call an additional script that fetches the public key from LDAP using the OpenSSH-LDAP schema and the sshPublicKey attribute stored in LDAP. Configuring this is straightforward on CentOS 7.

Install/Configuration

  • First install the EPEL repository if you have not already done so.

  • In the EPEL repository there is a package with all the required files. Install openssh-ldap.

  • OpenLDAP needs to have the OpenSSH-LDAP schema imported into its list of known schemas; run the command below to add it.

  • The OpenLDAP service will need to be restarted to use the new schema.

  • Now that the OpenSSH-LDAP schema has been imported into OpenLDAP, we can add a user with the objectClass ldapPublicKey and the sshPublicKey attribute to store SSH public keys in LDAP. Add the following to a file.

  • Import the LDIF file created above to add a user with the sshPublicKey stored in LDAP.

  • Configure /etc/ssh/sshd_config with AuthorizedKeysCommand support (OpenSSH server >= 6.2, Red Hat OpenSSH server >= 5.3). Ensure the lines below match.

  • Restart OpenSSH.
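The following is an added example, not the script shipped by the openssh-ldap package: a minimal AuthorizedKeysCommand that fetches sshPublicKey values with ldapsearch, validates the username sshd passes in, and unfolds and base64-decodes the LDIF output correctly (long keys are wrapped, and non-ASCII values come back as "sshPublicKey:: <base64>"). The LDAP URI, base DN and the install path shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not the openssh-ldap package's ssh-ldap-wrapper: a minimal
# AuthorizedKeysCommand that prints the sshPublicKey values of the user sshd
# passes as %u. URI and base DN are assumptions. In sshd_config:
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"

# sshd hands over an existing account name, but reject anything that could
# change the meaning of the search filter before it reaches ldapsearch.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# ldapsearch prints LDIF: long values are folded onto following lines that
# start with one space, and non-ASCII values appear base64-encoded after
# "attr:: ". Unfold, decode where needed, and emit one key per line.
extract_keys() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*) printf '%s\n' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# authorized_keys_for USER: the lookup sshd runs; fails closed on a bad name.
authorized_keys_for() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | extract_keys
}

if [ $# -eq 1 ]; then
    authorized_keys_for "$1"
fi
```

sshd accepts whatever the command prints as an authorized_keys file, so a malformed line is silently ignored while an unexpected extra key is silently trusted; keep the ACL in OpenLDAP such that only the directory administrator can write sshPublicKey.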

Conclusion

You will now be able to log into your client machines without a password. This improves security as you won’t need to send your password over the internet.

Cisco – Enabling SSH

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses stronger encryption algorithms.

This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS Software that supports SSH. This document contains more information on specific versions and software images.

  • Configure the hostname.

  • Configure the domain name.

  • Generate the SSH keys.

  • Now enable SSH.

Lastly, configure the VTY lines to allow SSH transport.

Cisco – Reset Cisco Catalyst 3750 To Factory Default

Resetting a Cisco Catalyst 3750 switch to factory defaults is straightforward. At the console, enter the following commands.

Delete VLAN Configurations

Delete Startup Configuration

Reload Switch

Linux – Configuring Message Of The Day (MOTD)

There are two places you can configure a MOTD on most Linux systems. The following have been tested on Red Hat, CentOS and Amazon Linux.

To display a basic text MOTD when connecting to your system, place text inside the /etc/motd file. Example below.

And when you connect to your system, you will see the following.

If you want to display dynamic information or retrieve details about the system, you will need a shell script: shell commands cannot be used in /etc/motd, but there is a file we can use at /etc/profile.d/motd.sh.

This displays when you connect.
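As an added example (not the original post's motd.sh), a dynamic /etc/profile.d/motd.sh that prints host, load, memory, disk and last-login details, only reads world-readable sources because it runs as the user logging in, and stays silent for non-interactive sessions so scp and sftp keep working:

```shell
#!/bin/sh
# /etc/profile.d/motd.sh -- added example, not the post's own script.
# Every login shell sources the files in /etc/profile.d, so this must be fast,
# must never abort the login (no set -e; failures fall back to empty values)
# and must stay silent for non-interactive sessions, or scp/sftp/rsync break.

# motd_line LABEL VALUE: one aligned line of the banner.
motd_line() {
    printf '%-14s %s\n' "$1:" "$2"
}

# motd_banner: prints the dynamic MOTD. Only world-readable sources are used,
# since the script runs as the user who is logging in, not as root.
motd_banner() {
    motd_line "Hostname"   "$(hostname -f 2>/dev/null || cat /proc/sys/kernel/hostname)"
    motd_line "Uptime"     "$(uptime -p 2>/dev/null || uptime 2>/dev/null || true)"
    motd_line "Load"       "$(cut -d' ' -f1-3 /proc/loadavg 2>/dev/null || true)"
    motd_line "Memory"     "$(free -m 2>/dev/null | awk 'NR==2 {printf "%d MB used of %d MB", $3, $2}')"
    motd_line "Disk /"     "$(df -hP / 2>/dev/null | awk 'NR==2 {print $3 " used of " $2 " (" $5 ")"}')"
    motd_line "Users"      "$(who 2>/dev/null | wc -l | tr -d ' ')"
    motd_line "Last login" "$(last -1 -R "${USER:-$(id -un)}" 2>/dev/null | sed -n 1p)"
}

# $- contains "i" only for interactive shells; print nothing otherwise.
case $- in
    *i*) motd_banner ;;
esac
```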

Ansible – Distribution Specifiers

Ansible allows you to execute actions only if you are on a certain distribution. You can view a host's facts with Ansible by issuing the following command:

This will return facts such as the ones below.

With the relevant distribution values we can now specify tasks to run only when our condition is met.

AWS – Invalid VPC Peering Models

Below are some examples of invalid AWS VPC Peering models.

Edge to Edge Routing Through a VPN Connection or an AWS Direct Connect Connection

If you're thinking of connecting to multiple VPCs through a combination of a VPN connection and VPC peering, think again: VPC peering will not work through a VPN connection. You will need to configure separate VPN connections per VPC.