Disclaimer

The content of this material is challenges faced onsite and how I personally resolved them. Please note that the solutions posted here

1> should not be considered final. The material may be considered for reference only.

2> are not guaranteed to work. Contact Cyberoam support before making any changes.

3> This blog does NOT belong to Cyberoam. It's a blog...a personal blog.

Changes done after referring to this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Sunday 19 February 2012

Virtual Host

I have seen that many could not understand the virtual host and the concept behind it. Let me help you understand how it works. A DNAT policy is what sits behind it. Let me explain to you what DNAT is



CCNSP Pass Guide Concept 5

How to upgrade an appliance?
V9   VS    VX

V9: I have been working on this product for a long time. Before the current version there was one more version. The GUI was random; you had to hunt around the GUI to find the required option. Let me find an image of V9 on Google or in the Cyberoam KB.

The left one is V9 and the right one is VX (version X, or version 10), which you must be using in the labs at present. V9 is no longer used and I have upgraded most of them to VX.

In V9, you had to first upload the firmware image from the GUI and then upgrade from the CLI. I know it's a little odd.

In VX it is simpler: all you need to do is upload the image from the GUI and it upgrades automatically.

CCNSP Pass Guide Concept 4

Authentication servers which can be integrated with Cyberoam:

The following servers can be integrated with Cyberoam.

1> AD : Active Directory
2> LDAP: Lightweight Directory Access Protocol
                     and also the different directory servers whose underlying protocol is LDAP, like
Novell eDirectory & Sun Solaris
3> RADIUS

Not supported:

TACACS, TACACS+, Kerberos



CCNSP Pass Guide Concept 3

Question 3 > Difference between NAT and Bridge mode. The questions were a little twisted, like which of these features are not supported by Cyberoam in bridge mode. There were almost 4 questions on this.

Bridge Mode (Features Not supported):
1> NAT
2> VPN
3> SSL
4> Multi Link manager
5> HA (High Availability)
6> VPN zone and DMZ zone

Note: Bridge mode has only the following zones: LAN, WAN and Local

NAT Mode/Route Mode (Features Not supported):
1> Hardware Bypass

Note: Route mode has the following zones: LAN, WAN, DMZ, VPN, Local



CCNSP Pass Guide Concept 2

Q2 > Default IP addresses of the Cyberoam?

solution> A factory-fresh appliance has the following IP addresses defined on its ports:

Port A: 172.16.16.16/255.255.255.0    : LAN zone
Port B: 192.168.2.1/255.255.240.0     : WAN zone

CCNSP Pass Guide Concept 1

Questions I remember from taking the CCNSP are here. The question paper changes, as in any other examination. Cyberoam's exam is paper based: the instructor gives you a question paper and 30 minutes to complete it.

Tips to pass the CCNSP:
1> Take notes
2> Understand the scenarios given by the instructor
3> If you have any queries, do not feel shy
4> CCNSP questions are a little tough, so read the material
5> Go through the slides and understand what they mean once you are back in the hotel room

Below are some questions which I could remember from my past CCNSP paper:

1> How many trials (I do not remember the exact format of the question)

solution: CR appliances are of two types: Demo and Regular.

Demo Appliance: These appliances are given to us by Cyberoam at little cost so that we can do a POC at the customer site. POC is proof of concept, where the customer tests the capability of the appliance. When a demo appliance is registered, you get three trials. Each trial lasts 15 days, totalling 45 days. Registering means giving an email address. Each email address gives you 3 trials, each lasting 15 days. Once they are used up, clear the registration of the appliance and register it again with a new email address. The new email address again gives you 3 trials lasting 15 days. This continues till the appliance goes for RMA or dies.

Regular appliance: These are the appliances which are sold to the customer once the POC is done. You need to register the appliance to activate the subscriptions. To register an appliance you need an email address. Once the email address has been registered against an appliance, you cannot change it; you need to contact Cyberoam support. There are only 3 trials on the appliance, each lasting 15 days; once they are done you cannot change the email and hence there are no more trials.

NOTE: Multiple appliances can be registered with a single email address. For example, a customer bought 4 appliances and wants to register all of them with one email address. This can be done!

Friday 17 February 2012

CTAS Ports

CTAS (Cyberoam Transparent Authentication Suite) is an application for Cyberoam. It needs to be installed on the PDC and the ADC for SSO to work.

The same ports appear in the CR CLI command and in the CTAS GUI. The ports used by the CR are the following:

6677 UDP
5566 UDP
6060 UDP

6060: This port is used to send user information from the AD to the Cyberoam. The AD conveys to the CR that user1 has logged in, and also when to log him off. This message contains the username only.

5566: This port is used to convey messages between two domain controllers. The suite is installed on the PDC while the agent is installed on the additional domain controller. If a user logs in to the ADC, the agent installed on the ADC has to inform the suite installed on the PDC of the user details. If you are using Win2008, create a firewall exception for this port.

6677: This is a very important port number; create a firewall exception for it on your domain controller. This port is used by the CR to interact with the suite installed on the PDC. Let's say UserA went home with his laptop, did his work all night and came back to the office in the morning with remaining work to complete. He opened his laptop and all his sessions were still open (browsers, messengers, Outlook). As soon as he connects his laptop to the wireless or wired network he gets an IP address. When the CR gets a request from this IP address, neither the CR nor the AD has any record of it (because he did not switch his laptop off, he hibernated it, so there was no fresh logon). In this scenario the CR sends a message to the AD to run a WMI query or read the registry (according to your settings) to find out which user is logged in at that IP.


VPN: GRE

GRE is mainly used to send multicast over an unsecured network. IPSec cannot carry multicast traffic, hence we need to combine IPSec with GRE: the GRE tunnel carries the multicast and the IPSec tunnel encrypts the GRE packets. This is commonly known as GRE over IPSec.

Here is the diagram for your understanding, from a setup I recently completed for a customer:
(I have changed the IP addresses to random ones)

We need to send the multicast traffic over the IPSec tunnel through GRE.

ON HO:

1. Log in to the CLI using Telnet/SSH.
2. Select option 4.
3. Create the GRE tunnel between HO and BO:

console> cyberoam gre tunnel add name GRE_TUN0 local-gw portB remote-gw 81.23.XX.XX local-ip 1.1.1.1 remote-ip 1.1.1.2

GRE_TUN0   is just the name given to the GRE tunnel; you can give it any name you want.
portB      if you have multiple ISP links, choose the physical interface you want the GRE traffic on: the one on which the IPSec tunnel is created.
Since GRE is a point-to-point connection, you need an interface (logical/virtual) at each end within the same subnet, so we have 1.1.1.1 and 1.1.1.2. (These two, like the other addresses in this post, are stand-ins; 1.1.1.0/24 is publicly routable space, so use a private range for the real tunnel addresses.)

ON BO:
console> cyberoam gre tunnel add name GRE_TUN0 local-gw portB remote-gw 91.23.XX.XX local-ip 1.1.1.2 remote-ip 1.1.1.1


on HO:

console> cyberoam gre route add net 192.168.1.25/255.255.255.255 tunnelname GRE_TUN0


on BO


console> cyberoam gre route add net 192.168.0.100/255.255.255.255 tunnelname GRE_TUN0




on HO GUI:


Then on GUI you need to enable the multicast:


Network-->static routes-->Multicast: fill in the information:


Source Network: 192.168.1.25
Source Interface: GRE_TUN0
Multicast address:239.225.225.225
Destination Interface: choose the interface on which the 192.168.0.100 is connected (here LAN/DMZ)




:-) it should work fine




Some appliances, like Cisco and Juniper, can work with a shared interface IP address. I am not sure how to do it with Cyberoam; need to contact Cyberoam support.
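To make the "why GRE" point concrete, here is an added example (not code from the original post, and not Cyberoam's implementation) that builds one multicast datagram and wraps it the way GRE_TUN0 does: a plain RFC 2784 GRE header plus an outer unicast IPv4 header between the two gateways. The 1.1.1.x tunnel ends and 192.168.1.25 / 239.225.225.225 are the post's values; the outer gateway addresses 198.51.100.1 and 203.0.113.1 are RFC 5737 documentation addresses standing in for the masked 91.23.XX.XX / 81.23.XX.XX, and the UDP port and payload are constructed for the example. The decapsulator tolerates the optional GRE checksum/key/sequence fields because the post does not say whether the peer sets them.

```python
import socket
import struct

GRE_PROTO_IPV4 = 0x0800   # EtherType carried in the GRE protocol field
IPPROTO_GRE = 47
IPPROTO_UDP = 17

# Tunnel ends and multicast group from the post; outer gateway addresses are
# documentation ranges (RFC 5737) standing in for the masked 91.23.XX.XX / 81.23.XX.XX.
HO_WAN, BO_WAN = "198.51.100.1", "203.0.113.1"
MCAST_SRC, MCAST_GROUP = "192.168.1.25", "239.225.225.225"


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (verifies to 0 over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def is_multicast(ip: str) -> bool:
    return 224 <= int(ip.split(".")[0]) <= 239


def multicast_datagram(src: str, group: str, port: int, payload: bytes) -> bytes:
    """Inner packet: a UDP datagram to the group (UDP checksum left 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    return ipv4_header(src, group, IPPROTO_UDP, len(udp), ttl=16) + udp


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """RFC 2784 GRE: 4-byte header (no checksum/key/sequence) then an outer unicast IPv4 header."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # C=0, reserved0, version 0
    payload = gre + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers; skips the optional GRE fields if a peer sets them."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1
        gre_len += 4
    if flags & 0x2000:   # K bit: key
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number
        gre_len += 4
    return pkt[ihl + gre_len:]


def tunnel_example() -> dict:
    """Wrap one multicast datagram as GRE_TUN0 on the HO would, and show what IPSec then sees."""
    inner = multicast_datagram(MCAST_SRC, MCAST_GROUP, 5004, b"constructed multicast payload")
    outer = gre_encapsulate(inner, HO_WAN, BO_WAN)
    return {
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_is_multicast": is_multicast(socket.inet_ntoa(inner[16:20])),
        "outer_dst": socket.inet_ntoa(outer[16:20]),
        "outer_is_multicast": is_multicast(socket.inet_ntoa(outer[16:20])),
        "overhead_bytes": len(outer) - len(inner),   # 20 (outer IPv4) + 4 (GRE)
        "round_trip_ok": gre_decapsulate(outer) == inner,
    }


if __name__ == "__main__":
    for key, value in tunnel_example().items():
        print(f"{key}: {value}")
```

The outer packet is ordinary unicast between the two WAN addresses, which is what the IPSec policy can match and encrypt; the multicast destination only exists inside. The 24 bytes of overhead are why the tunnel also shrinks the usable MTU, which the MSS and MTU post further down comes back to.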

MSS and MTU

Sometimes my users complain that the internet is slow or that a website cannot be accessed. The issue turns out to be an MSS/MTU issue.

What is the difference between MSS and MTU?

DP = data carried in one packet (the TCP segment: TCP header + payload)
PL = packet length = MTU = Maximum Transmission Unit
IPHL = IP header length

DP = PL - IPHL
DP = MTU - IPHL  -----------------------> equation 1

Also, DP = TCPHL + MSS  -------------------> equation 2

where TCPHL = TCP header length
      MSS = Maximum Segment Size (the TCP payload, excluding headers)

Combining eq 1 and eq 2 we have

MSS + TCPHL = MTU - IPHL

MSS = MTU - IPHL - TCPHL

The minimum size of the IP header and of the TCP header is 20 bytes each, 40 bytes in total. Therefore,

MSS = MTU - 20 - 20

Finally we get

MSS = MTU - 40

So on a standard 1500-byte Ethernet MTU the MSS is 1460, which is exactly the value seen in the SYN in the virtual host tcpdump further down this page. If either header carries options, the headers grow and the payload that fits in one packet shrinks accordingly.

To check the MSS value of a segment on the Cyberoam, see step 1 at the link below:
http://cyberoamexpert.blogspot.in/2012/02/traffic-for-virtual-host-explained.html
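As an added example (my own illustration, not code from the original post or from Cyberoam), the derivation above carried through on an actual SYN: the parser reads the IP and TCP header lengths and the MSS option out of the segment, and the check confirms MSS = MTU - IPHL - TCPHL. The SYN is constructed here with the values quoted in the virtual host tcpdump post (10.103.4.250:59261 to 10.103.4.11:3389, MSS 1460); it is not a capture. The block also goes one step beyond the text: the tunnel overheads at the top are assumed typical figures (not Cyberoam's) for the GRE over IPSec setup described earlier, used to work out how far the MSS has to be clamped so a full segment still fits the path.

```python
import socket
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02

# Assumed per-packet encapsulation overheads (typical figures, not Cyberoam's):
# outer IPv4 + plain GRE header, and outer IPv4 + ESP header + AES-CBC IV +
# worst-case padding + pad-length/next-header + HMAC-SHA1-96 ICV.
GRE_OVERHEAD = 20 + 4
ESP_OVERHEAD_MAX = 20 + 8 + 16 + 15 + 2 + 12


def build_syn(src, dst, sport, dport, seq, window, mss, ttl=64):
    """Constructed IPv4 + TCP SYN carrying an MSS option (checksums left 0: parsing demo only)."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)          # kind 2, length 4, value
    opts += bytes([TCP_OPT_NOP]) * (-len(opts) % 4)          # pad options to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, TCP_FLAG_SYN, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_syn(pkt):
    """Header lengths, flags, window and MSS option of a TCP segment (mss is None if absent)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, offset_byte, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    tcp_hdr_len = (offset_byte >> 4) * 4
    mss = None
    i = 20
    while i < tcp_hdr_len:                                   # walk the options area
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                                       # malformed option: stop, never loop forever
            break
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags, "window": window,
            "ihl": ihl, "tcp_hdr_len": tcp_hdr_len, "mss": mss}


def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """The post's formula: MSS = MTU - IPHL - TCPHL (1460 for a 1500-byte Ethernet MTU)."""
    return mtu - ip_hdr - tcp_hdr


def mss_clamp_for_tunnel(mtu, overheads):
    """MSS to clamp to so a full-size segment still fits the path MTU once encapsulated."""
    return mss_for_mtu(mtu) - sum(overheads)


def syn_mss_matches_mtu(pkt, mtu):
    """True when the MSS advertised in the SYN is what the formula predicts for this MTU.
    The SYN's own TCP header is longer because of the options, but the advertised MSS is
    still derived from the fixed 20-byte headers (RFC 6691), so tcp_hdr stays at 20 here."""
    p = parse_syn(pkt)
    return p["mss"] == mss_for_mtu(mtu, p["ihl"], 20)


if __name__ == "__main__":
    syn = build_syn("10.103.4.250", "10.103.4.11", 59261, 3389, 10988617, 8192, 1460)
    print(parse_syn(syn))
    print("matches 1500-byte MTU:", syn_mss_matches_mtu(syn, 1500))
    print("MSS clamp for GRE over IPSec on a 1500 MTU:",
          mss_clamp_for_tunnel(1500, [GRE_OVERHEAD, ESP_OVERHEAD_MAX]))
```

With the assumed overheads a 1500-byte link needs the MSS clamped to 1363 for GRE over IPSec traffic; a client that keeps advertising 1460 is exactly the "site does not load" case from the start of this post, because full-size segments get fragmented or dropped once encapsulated.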

Back up over VPN to mail server

Below is a scenario which was requested recently by one of my customers. They wanted a regular backup sent to the mail server automatically. It would have been simpler if they had wanted the backup sent to the WAN IP of the mail server. Instead, they wanted it over the VPN to the HO, to the mail server behind the HO CR:

Here are the steps that need to be done on the BO CR (nothing needs to be configured on the HO CR):

Step 1> Drop the VPN tunnel (do not delete it, just deactivate the tunnel)

Step 2> set advanced-firewall cr-traffic-nat add destination 192.168.1.5 netmask 255.255.255.255 snatip 192.168.2.1

(The above command is used when CR-initiated traffic has to be sent with a different source IP address. By default the appliance sends its own traffic from the WAN IP address, via the WAN port. If you have multiple LAN interfaces, choose the IP of the interface whose subnet has been published in the VPN tunnel; traffic from any other source address does not match the tunnel's local subnet and will not be sent through it. If you want to know where else you can use this command, check out this link.)

Step 3> cyberoam ipsec_route add host 192.168.1.5 tunnelname VPN_BO_2_HO

(As discussed above, the default behaviour is to send the traffic over the WAN physical interface. Here we want the CR-initiated traffic sent over the VPN (logical) interface instead.)

Step 4> Bring the tunnel up. You should now be able to telnet to the mail server's private IP address from the BO CR.









Traffic for virtual host: explained




Above is the tcpdump which shows the TCP three-way handshake through the virtual host:
1>     The first packet, with timestamp 19:44:44.524107, hits the CR on Port B (IN) from 10.103.4.250 with source port 59261, going to 10.103.4.11 on destination port 3389. The flag set is SYN [S]. The sequence number of the packet is 10988617 and its window size is 8192. You can also see the MSS of the packet: 1460.
2>     The CR has now changed the destination IP of the packet from 10.103.4.11 to the internal server IP, 10.10.1.2; the destination port remains 3389 and the other parameters are unchanged. The timestamp of this packet is 19:44:44.524276.
3>     The third packet, with timestamp 19:44:44.524606, is the SYN/ACK received from 10.10.1.2 with sequence number 2506618164 and ACK 10988618.
4>     The fourth packet is the same SYN/ACK with its source IP NATed back to 10.103.4.11 and sent out on Port B; timestamp 19:44:44.524679.
5>     The fifth packet is the final ACK of the three-way handshake, received on Port B; timestamp 19:44:44.528029.
6>     The sixth packet is the same ACK after inbound NAT, on its way to the internal server.
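The six packets above are easier to follow if you see the two translations as one rule plus one state entry. The following is an added example (a toy model written for this page, not Cyberoam's code): a virtual host rule rewrites the destination on the way in, records who the client thinks it is talking to, and uses that record to rewrite the source of the reply on the way out. Addresses, ports and sequence numbers are the ones quoted in the post; the packet objects themselves are constructed here, and a real firewall tracks both tuples, state and timeouts rather than this single table.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # tcpdump style: "S", "S.", "."
    seq: int
    ack: int


class VirtualHost:
    """One virtual host rule (public IP:port -> internal IP:port) plus a reply-translation table."""

    def __init__(self, public_ip, public_port, internal_ip, internal_port):
        self.public = (public_ip, public_port)
        self.internal = (internal_ip, internal_port)
        self.conntrack = {}   # (client ip, client port) -> the public pair the client connected to

    def wan_to_lan(self, pkt):
        """Packets 2 and 6 above: rewrite the destination of a packet arriving on Port B."""
        if (pkt.dst, pkt.dport) != self.public:
            return None                                   # rule does not match this packet
        self.conntrack[(pkt.src, pkt.sport)] = self.public
        return replace(pkt, dst=self.internal[0], dport=self.internal[1])

    def lan_to_wan(self, pkt):
        """Packet 4 above: rewrite the source of the server's reply back to the public IP."""
        if (pkt.src, pkt.sport) != self.internal:
            return None
        entry = self.conntrack.get((pkt.dst, pkt.dport))
        if entry is None:
            return None   # no matching inbound flow: without state the private IP would leak out
        return replace(pkt, src=entry[0], sport=entry[1])


def replay_handshake():
    """Run the six packets described above through the rule; returns (hop, packet) pairs."""
    vh = VirtualHost("10.103.4.11", 3389, "10.10.1.2", 3389)
    client_ip, client_port = "10.103.4.250", 59261
    trace = []

    syn = Packet(client_ip, client_port, "10.103.4.11", 3389, "S", 10988617, 0)
    trace.append(("1 PortB in", syn))
    trace.append(("2 LAN out", vh.wan_to_lan(syn)))

    synack = Packet("10.10.1.2", 3389, client_ip, client_port, "S.", 2506618164, 10988618)
    trace.append(("3 LAN in", synack))
    trace.append(("4 PortB out", vh.lan_to_wan(synack)))

    ack = Packet(client_ip, client_port, "10.103.4.11", 3389, ".", 10988618, 2506618165)
    trace.append(("5 PortB in", ack))
    trace.append(("6 LAN out", vh.wan_to_lan(ack)))
    return trace


def stray_reply_is_dropped():
    """A server packet towards a client that never came in through the rule gets no translation."""
    vh = VirtualHost("10.103.4.11", 3389, "10.10.1.2", 3389)
    return vh.lan_to_wan(Packet("10.10.1.2", 3389, "10.103.4.99", 40000, "S.", 1, 1)) is None


if __name__ == "__main__":
    for hop, pkt in replay_handshake():
        print(f"{hop:12} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"seq {pkt.seq} ack {pkt.ack}")
    print("stray reply dropped:", stray_reply_is_dropped())
```

The point to take from the replay is that packet 4 carries the public IP only because packet 1 left an entry behind; if the SYN never reached the appliance on Port B (wrong zone, rule not matching, or the client hitting a different public IP), the reply has nothing to map to, which is why the tcpdump tips below start by capturing on the source side.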

TCPDUMP

I wanted to understand what these CR guys are using in the CLI when they run TCPDUMP. They check the packets and tell us the result. Here are some of the scenarios and commands which I use for my analysis.

1> To check the traffic coming from (or going to) a particular IP:

tcpdump "host <ipaddress>"    e.g.  tcpdump "host 192.168.1.1"

2> If you only want the ping traffic:

tcpdump "host 192.168.1.1 and proto ICMP"

3> If you are looking for traffic from a particular host on a particular port:

tcpdump "host 192.168.1.1 and port 80"

4> You can get more creative. Say you are already connected to the CR GUI on port 80 from IP 192.168.1.1 and you do not want port 80 traffic in your dump:

tcpdump "host 192.168.1.1 and port !80"

(in pcap filter syntax "port !80" means the same as "not port 80")

5> If you want the whole packet in the dump:

tcpdump "host 192.168.1.1 -s 4096"

(In standard tcpdump, -s is a command-line option rather than part of the filter expression, so it belongs outside the quotes: tcpdump -s 4096 "host 192.168.1.1". Check the Cyberoam CLI guide for the form its tcpdump wrapper expects.)

6> In case of a virtual host:
            a> you should always check the tcpdump on the source side. (Source for me here means: I am sitting in my office and my customer complained that the virtual host is not working. So when I hit his public IP on port 80 from my browser, I should see traffic with source IP as my public IP and destination as the customer's public IP.)

tcpdump "host 81.32.45.67 and port 80"

Also note that while you are doing this, access the Cyberoam over HTTPS and port 22 (SSH), so that your own management session does not show up in a port 80 capture.

7> You can also use || (two pipes) for an OR statement:

tcpdump "host 192.168.1.1 || host 192.168.1.2 || port 80"

8> You can use the same filter expressions in the GUI as well to check whether packets are being dropped:
 System --> Diagnostics --> Packet Capture
Use the filter within the double quotes and it should filter the traffic.