Disclaimer

The content of this material is challenges faced onsite and how I personally resolved them. Please note that the solutions posted here

1> should not be considered ultimate. The material is for reference only.

2> should not be considered a guarantee that the solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog...a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)
Showing posts with label Deployment. Show all posts

Friday, 17 February 2012

Back up over VPN to mail server

Below is a scenario that was recently requested by one of my customers. They wanted a regular backup to be sent to the mail server automatically. It would have been simpler if they had wanted the backup sent to the WAN IP of the mail server. Instead, they wanted it sent over the VPN to the HO, to the mail server behind the HO CR:
Here are the steps that need to be done on the BO CR (nothing needs to be configured on the HO CR):

Step 1> Drop the VPN tunnel (do not delete it, just deactivate the tunnel)


Step 2> set advanced-firewall cr-traffic-nat add destination 192.168.1.5 netmask 255.255.255.255 snatip 192.168.2.1

(The above command is used when CR-initiated traffic has to be sent with a different source IP address. By default the CR sends its own traffic with the WAN IP address, via the WAN port. If you have multiple LAN interfaces, choose the IP of the interface whose subnet has been published in the VPN tunnel. Want to know where else you can use this command? Check out this link.)

Step 3> cyberoam ipsec_route add host 192.168.1.5 tunnelname VPN_BO_2_HO

(As discussed earlier, the default behavior is to send the traffic over the WAN physical interface. In this case, however, we want the CR-initiated traffic to be sent over the VPN interface, a logical interface.)

Step 4> Bring the tunnel up. You should now be able to telnet to your mail server on its private IP address from the BO CR.
Monday, 12 December 2011

Cyberoam Deployment with only one switch

Below is the customer network:

internet--->L3--->All users using the L3 as gw

The customer has only the L3 switch: the internet link terminates on it and all the users are connected to it. How do you deploy the CR in this network? There are many solutions to this problem, but this is the one I like, so I am sharing it with you.

The simplest solution is to terminate the internet link directly on the Cyberoam. But there are many situations where you will be forced to use the deployment below, and I will explain them.


Solution

         ----(L) CR (W)----
        |                  |
  ---------------------------------------
  |     3                  2   |  1  -------> internet
  |                 L3                  |
  |     4    5    6    7                |
  ---------------------------------------
                users

Ports 1 and 2 of the switch will be in one single VLAN, let's say VLAN 100. Ports 3, 4, 5, 6 and 7 will be in another single VLAN, let's say VLAN 20, and the users are connected to these ports.

The users will use the Cyberoam LAN IP address (Port A) as their default gateway.

Other networks where you can use this deployment:

There is only one L3 switch and you want to use CR in HA mode.

Deployment: Cyberoam deployed as single arm proxy in multiple VLANs

Hi All,

Below is the network scenario

                 ---------> vlan10
Fw---> L3 ------> vlan20 ----> CR
                 ---------> vlan30

Here the firewall is connected to an L3 switch which is capable of inter-VLAN routing. The customer is not ready to make any changes.

The Cyberoam has to be placed in the server VLAN 20. The gateway of all these servers is the VLAN interface on the L3, i.e. 192.168.20.1.

To deploy the Cyberoam as a single arm proxy you need to get a free IP from the VLAN 20 network and assign it to Port A of the appliance.

Port B ---> any dummy IP address, and the gateway of Port B will also be any dummy IP address.

In the Cyberoam GUI, Network ---> Static Routes, you need to add the following route:
destination network : 0.0.0.0/0.0.0.0
interface Port: Port A
Next Hop: 192.168.20.1

Users in other vlans will be using the CR IP in their browsers.

So the traffic path from VLAN 30 is: VLAN 30 ----> L3 ----> CR (Port A, IN) ----> scanning done ----> Port A (OUT, due to the static route) ----> L3 ----> FW ----> internet

and the return path will be the same in reverse.


Sunday, 11 December 2011

How to deploy CR as single arm proxy (Deployment 3)

Deploying the CR as a single arm proxy is pretty straightforward.

When to deploy the CR as a single arm proxy:
1> The customer is really not ready to make any changes in the network
2> The customer wants to replace an existing proxy
3> The customer has to use the CR IP as the direct proxy in their users' browsers

Scenario:
(Scenario may vary but this would be a simple scenario)

Router-->FW(192.168.1.1)--->switch--->users
                              |
                              CR(Port A-192.168.1.xxx)(Port B-Dummy IP address)(CR GW any dummy)

Deployment Mode of Cyberoam: Gateway


Steps:

1> Deploy the Cyberoam in gateway mode with any dummy WAN IP address on Port B
2> Connect the LAN interface (Port A) to the switch, so choose an IP within the LAN range, or reuse the existing proxy IP address once you replace it
3> Most important is creating the static route from the GUI (Network --> Static Routes):
       destination network : 0.0.0.0/0.0.0.0   gateway   FW LAN IP address

The route is the most important part:
1> The traffic from the browsers will be received by the Cyberoam on Port A.
2> Because of the static route it will be returned to the FW gateway once the Cyberoam has done all the scanning and other processing.


Thursday, 8 December 2011

Deployment Scenario 2

Hi All,

Check the network diagram

          (HO)CR <========IPSEC========> CR(BO)
             |                             |
(users)--->switch                        switch<----(users 10.1.2.0/24)
        (10.1.3.0/24)
             |
          Router<----Remote Office users(10.1.1.0/24)


Requirement: The BO users should reach both the 10.1.3.0 and the 10.1.1.0 subnets.

Solution:

1> Create the normal tunnel between HO and BO

2> In the HO, local subnets are [10.1.3.0/24 + 10.1.1.0/24] and the remote subnet is [10.1.2.0/24]

3> In the BO, the local subnet is [10.1.2.0/24] and remote subnets are [10.1.3.0/24 + 10.1.1.0/24]

4> In the HO there should be a static route:
             if the destination is 10.1.1.0/24, the next hop address is the router's IP address, which is in the same subnet as 10.1.3.0
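As an added illustration (not part of the original post), the following Python model walks a BO user's packet through steps 2 to 4 above and shows why step 4 matters: without the static route, 10.1.1.0/24 traffic decrypted at the HO matches only the default route and leaves via the WAN. The router address 10.1.3.254 is an assumed value; the post only says it is in the same subnet as 10.1.3.0.

```python
"""Added example, not the blog's code: a model of Deployment Scenario 2 used to
check that BO users (10.1.2.0/24) reach both HO-side subnets.  The router
address 10.1.3.254 is an assumption; the post does not give it."""
import ipaddress

def lpm(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no match."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), nh) for n, nh in routes
            if d in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def in_selectors(local, remote, src, dst):
    """True if src->dst falls inside a tunnel's local/remote subnet selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in ipaddress.ip_network(n) for n in local)
            and any(d in ipaddress.ip_network(n) for n in remote))

def path_from_bo(bo, ho, src, dst):
    """Trace a BO user's packet through the post's steps; the last string
    in the returned list is the outcome."""
    hops = []
    if not in_selectors(bo["local"], bo["remote"], src, dst):       # step 3
        return hops + ["BO: outside tunnel selectors, sent in clear to default gw"]
    hops.append("BO: encrypted into tunnel")
    if not in_selectors(ho["remote"], ho["local"], src, dst):       # step 2 (mirror)
        return hops + ["HO: selector mismatch, dropped"]
    hops.append("HO: decrypted")
    match = lpm(ho["routes"], dst)                                   # step 4
    if match is None:
        return hops + ["HO: no route, dropped"]
    net, nh = match
    if nh == "connected":
        return hops + [f"HO: delivered on connected {net}"]
    if net.prefixlen == 0:
        return hops + [f"HO: default route -> {nh} (no specific route, leaves via WAN)"]
    return hops + [f"HO: static route -> {nh}"]

# Constructed configuration mirroring steps 2 and 3 of the post.
BO = {"local": ["10.1.2.0/24"], "remote": ["10.1.3.0/24", "10.1.1.0/24"]}
HO_NO_ROUTE = {"local": ["10.1.3.0/24", "10.1.1.0/24"], "remote": ["10.1.2.0/24"],
               "routes": [("10.1.3.0/24", "connected"), ("0.0.0.0/0", "WAN")]}
# Step 4: the static route that sends 10.1.1.0/24 to the router (assumed 10.1.3.254).
HO = dict(HO_NO_ROUTE, routes=HO_NO_ROUTE["routes"] + [("10.1.1.0/24", "10.1.3.254")])

if __name__ == "__main__":
    for cfg in (HO_NO_ROUTE, HO):
        print(path_from_bo(BO, cfg, "10.1.2.10", "10.1.1.20")[-1])
```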

Friday, 2 December 2011

Deployment Scenario 1

Current Network:

Internet-->PIX-->Cisco 2800-->Cisco Catalyst 3560-->Cisco 2900 switch

After deploying CR:

Internet-->CR-->Cisco 2800-->Cisco Catalyst 3560-->Cisco 2900 Switch

More on Network:


  • There were VLANs on the network.
  • There were multiple 2900s connected to the Catalyst.
  • The Catalyst was responsible for the inter-VLAN routing.
  • NAT was done only on the PIX, so the Cyberoam will do it now.
Issue: No user from any VLAN was able to access the internet.

Debugging:
1> Users were able to reach the Cisco 2800
2> From the Cisco 2800 we could ping the CR and the VLAN computers
3> From the CR we could ping the Cisco 2800 WAN interface but not its LAN interface IP

Clearly it was a routing issue: the CR had no route back to the VLAN subnets behind the 2800. So we created a static route for a single VLAN just to confirm. The static route we added was:

if the destination is the VLAN 1 subnet, then the next hop is the Cisco 2800 WAN IP address

And it started working. 



Deployment

Here I will try to post each new deployment and how we were able to integrate the Cyberoam successfully into the network. Hope this helps.

Your comments are always welcome