Monday, October 22, 2007

Firewall Setup.... Windows Woes

I got the firewall back to its status quo. It is allowing network access to the internet and filtering all unsolicited inbound traffic without any issues. I still have to segment the network using VLANs at some point, but that has become a tertiary priority.

Also, I made a big mistake with our file server, which I added to the plan last week after my post. I used our install disks for Windows Small Business Server. It turns out that this version has to be the ROOT of the domain. So when it isn't, it powers itself down without asking for permission. This makes building a remote environment a pain in the ass when your server will unexpectedly shut down without any notice. I've set up a plan to move the data to backup and reload the server with Win2k3 Standard. But, as always, something has come up.

Steve got back into town this week and offered me a bonus opportunity. He has a video shoot in Florida the 2nd week of December and he needs the ICND1 and ICND2 slides redrawn for it. I also have to make them compatible with the CompTIA Net+ certification. This is going to require removing all the Cisco proprietary information from the slides as well as redrawing them so that they aren't using any Cisco marketing or proprietary information.

This is a pretty big project and it puts most of my other projects on hold until I'm done with it.

Proposal

Finished and turned in the project proposal to Professor Agarwal.

Wednesday, October 17, 2007

Project Proposal – A Beginning

I began the planning for my project proposal tonight. I think that I'm doing this right. The guidelines do say that it is a "proposal," so that is what I'm going to write.

I hope that I'm right.

VPN Trouble

The original model for the network in our office was going to be using contextual mode. It turns out that the ASA series firewalls don't support VPN through contexts, or at all with the firewall when you have it switched to multiple mode.

Having to rebuild the firewall completely from the ground up. Also added a DNS server and an Exchange server to the list of items to be built. The Exchange server will be for our internal domain only; it won't have an internet-facing side. The DNS server is built to handle VPN clients that connect remotely to the internal domain, resolving the internal names.

Active Directory will also be set up to support Windows NetBIOS names. This is a lot more than was initially planned, but it should work. The next step after setting all of this up is segmenting the network using VLANs and writing ACLs to restrict access to particular network segments.

Also, I want to have the servers isolated from the internet completely, excluding update.windows.com so that they can patch themselves.

Friday, October 12, 2007

Firewall - Cursed by CCNA Books

Ended up spending a lot of time working on the CCNA lab books for Steve's class next week. Only managed to get the firewall up and running so that internal network access was set up and allowing traffic from our host computer to the internet.

Also set up the firewall for logging to a logging server and created access lists to log and block bogon list traffic.

Tuesday, October 9, 2007

Bread Board Power

Worked a little on what it was going to cost to have a power supply for testing at home. The ones online are a little expensive; I want something that I can build myself.

Found something good here that might be worth a try:
http://www.eleinmec.com/article.asp?16

Monday, October 8, 2007

Firewall Implementation

Got my list of tasks for the week before Steve went out of town. My goals included building more lab books for the CCNA course and working on setting up the firewall with one of the new ASAs that we picked up for last week's class.

The firewall has to be set up to allow traffic inside the office, and it also needs to be set up so that we can VPN into the network.

Should be a good week, since I have to implement what I learned while I was out of town already.

Saturday, October 6, 2007

SNPA Class Wrap-Up

Well that was a quick week. I don't know if I quite absorbed as much as I thought. It all seems sort of a haze as I look back on things. There is quite a bit that I learned that I can't quite put my finger on, but I bet that is because I'm not sitting in front of a piece of equipment to work on.

I think that I prefer this sort of education to traditional sorts of education. There is a lot of subject matter covered very quickly and lots of hands-on to accompany the instruction that you are receiving. I'm a big fan of burning in new knowledge with hands-on experience so that it sticks in your mind in more than one way.

I learned a lot this week and I'm going to have to put it to use in the office. In terms of my goals for this semester's worth of internship, I found this very useful, and it will help me attain the rest of the goals if I have the opportunity to do them.

Friday, October 5, 2007

SNPA Course - Day 5

This was the last day of the course for us. We are headed back to Denver as I type this up in the passenger seat.

Today was sort of a quick day. We very quickly went over the contextual mode for the firewalls, which is a sort of virtual firewall within the first firewall. It allows you to create segmentation with completely different policies, in fact completely different configurations, between each of the 'guest' firewalls.

Part of this configuration process was building a new firewall from the ground up. This was achieved very quickly, and we spent most of our time typing the configurations in rather than doing anything else of significance.

Most of the people in the class weren't interested in this portion of the class, and many of them left by 2pm for the day since they didn't need the rest of the information that was being presented. So, that being the way of things, we decided to pack up and get a roll on earlier rather than later.

I'll have a class wrap up when I get back to Denver.

Thursday, October 4, 2007

SNPA Course - Day 4

Today we started with a serious lecture on EasyVPNs. EasyVPN is a misnomer, since it really isn't that easy and is in fact quite complicated to set up and get working. I assume that this is probably what is used to have the interactive VPNs that Steve wants me to set up in the office.

I really didn't know what was going on in the first part of the day. Stephen blew through a lot of stuff on ACLs, tunnel groups, subnetting and all this stuff very quickly. Again, a little bit of my lack of previous experience is setting in, but I'm getting a better feel for it. I don't feel nearly as lost as I did on the first day of class.

The lecturing went all the way to lunch, and after lunch we were supposed to spend the rest of the day configuring our firewalls to do the EasyVPN solution so that another group can connect to our internal network and we can connect to another group's internal network.

The first part after lunch went really quickly. We had all the ACLs and NAT traversals set up that we needed, and then we led into getting them to work with the ISAKMP policies and ran into some minor road bumps. It's well planned that we use the rest of the day to get this part configured and set up; the time is definitely needed in order to get things set up and working properly.

We got to the end of the day and our firewall was able to receive connections from the outside to get in, and we were able to connect to another group's firewall. This was a very informative day. I learned a lot getting this set up and my familiarity with the command structure got fleshed out. We had to rebuild twice to get all of the configurations in the right order and the right place. It helps to do some things over again to get them down.

Tomorrow we are going to spend time on the contextual mode for the firewalls. Apparently we have to rebuild the firewall from the ground up when we put it into a virtual mode. I guess we are going to be doing a lot of things over then.

Wednesday, October 3, 2007

SNPA Course - Day 3

Today started with more on ACLs as well as more on object groups and how to configure them.

The second part of the day was spent on a lecture on basic IPsec peer-to-peer VPNs. The second half was spent configuring the options for those VPNs. The associated lab work was with the other people in the room: configuring our firewall to allow them VPN access and, conversely, getting VPN access to their network.

The day wrapped up a few minutes early to lead into the next day, which will be mostly EasyVPNs.

Today was a lot of work. There was a fair bit of lecture, but we did things that I basically knew nothing about, and working with the people in the room who already had a few certs under their belts was getting a little frustrating. They had all the language I seemed to be missing today, since you apparently do this sort of tunnel between routers and switches frequently.

Anyhow, another day and I feel like I'm getting familiar with the command structure of the Cisco IOS and could rebuild what I've done already if I needed to, without too much help and with a good command reference.

Out of Town

I'm out of town this week for a business trip. Can't really work on anything related to school.

Tuesday, October 2, 2007

SNPA Course - Day 2

Today was a great day. We started off with a really short blast about access control lists (ACLs), policy generation, and object groups; then we jumped right into the configuration of the firewalls.

Last night I worked on reading a little bit about the basic command structure by flipping through the book that Steve gave me for the course. I felt much more comfortable today about the basic command structure of the firewalls and spent much less time stumbling as we configured the basic parameters.

The structure of the lab was basically permitting traffic from the inside of our network to the DMZ web hosts, so that our imaginary web developers can update their web servers. We also configured ACLs to allow traffic from outside to the web servers for HTTP and FTP, restricted FTP so that only get traffic would be allowed through the firewall, built bogon object groups, and configured our NAT so that there were static mappings for our DMZ web farm.
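The following is an added example, not configuration from the original post or from the course: an ASA configuration sketch of the lab described above (inside-to-DMZ access, inbound HTTP/FTP to the DMZ web host, get-only FTP, a bogon object group, and a static NAT mapping), combined with the bogon deny-and-log access list and syslog server from the October 12 entry. The interface names, security levels, the RFC 5737 address 192.0.2.0/24 standing in for the outside network, the 10.1.1.0/24 inside and 172.16.1.0/24 DMZ ranges, the web host addresses, and the logging host are all assumed placeholders; the FTP inspection policy uses what I take to be ASA 8.x syntax and should be checked against the command reference for the running version.

```cisco
! Added example (not from the original post). Addresses, interface names
! and the syslog host are assumed placeholders.
!
! --- interfaces (assumed names and addresses) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! --- bogon object group: source ranges that must never arrive from the internet ---
object-group network BOGONS
 network-object 0.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 224.0.0.0 240.0.0.0
!
! Public address of the DMZ web host (the static NAT below maps it)
object-group network DMZ_WEB
 network-object host 192.0.2.10
!
! --- inbound policy on the outside interface ---
! Bogon sources are dropped and logged first; the ASA evaluates entries
! top-down and stops at the first match, so order matters.
access-list OUTSIDE_IN extended deny ip object-group BOGONS any log
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB eq www
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB eq ftp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- inside policy: developers may reach the DMZ web hosts on HTTP/FTP only,
! everything else from inside to the DMZ is dropped and logged ---
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq www
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq ftp
access-list INSIDE_IN extended deny ip any 172.16.1.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! --- NAT: static mapping for the DMZ web host, PAT for the inside network,
! identity translation so inside-to-DMZ traffic is not rewritten ---
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! --- FTP inspection: reject upload/modify commands so only downloads pass
! (assumed ASA 8.x inspect-policy syntax) ---
policy-map type inspect ftp FTP_GET_ONLY
 parameters
 match request-command appe dele mkd put rmd rnfr rnto site stou
  reset log
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_GET_ONLY
service-policy global_policy global
!
! --- syslog to the logging server on the inside (assumed host) ---
logging enable
logging timestamp
logging trap informational
logging host inside 10.1.1.50
```

The `log` keyword on the deny entries is what makes the bogon filter useful beyond just dropping packets: each hit produces a syslog message (106100 series on the ASA) at the logging host, which is where spoofed-source probes against the outside interface become visible. The trailing explicit `deny ip any any log` duplicates the implicit deny but gives those drops a log line as well.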

All in all this was a very good day. We spent most of the day working on this one lab to get all the ACLs setup between the different parts of the network and the outside of our network. All in all it was a very instructional day and we got a lot of hands on.

For the day I felt that I got a lot of good experience working with the IOS. I spent a lot of time just banging around in the configuration trying to get things to work, trying different ways to get what I wanted to happen, happen. I feel much more comfortable with interacting with the IOS and talking to other people about what is going on.

Monday, October 1, 2007

SNPA Course - Day 1

First thing this morning we went over the hardware configuration options and the differences between the various models of the ASA framework. There was also a comparison to the previous PIX versions of the firewall.

After all of that summary we jumped head first into basic configurations for the firewall. We worked on setting up the host name, network addressing, and naming the interfaces to isolate the different portions of the network.

Learned a lot today about the basic functionality of a Cisco firewall, as well as the configuration options for it. There are a lot of little line items that require a configuration in order for the device to work.

This being my first configuration exposure to a piece of Cisco equipment, I spent a lot of my time having to fight the command line in order to get anything done. I was getting more comfortable as the day went on, but I still seem to be having trouble with the basics. I'm going to have to see how things go tomorrow.