Monday, October 18, 2010

How to use Cisco Access List to Secure Guest Wireless or Network

*****NOTE*****
Always be careful with debugs, but particularly packet-level debugs! They can
produce a lot of information. If you do not practice caution you can cause your
router to become unresponsive.
**************

Example Network:

VLAN 1          192.168.1.0 /24
VLAN 2          192.168.2.0 /24
VLAN 3          192.168.3.0 /24
VPN Range       10.10.10.0 /24
Guest VLAN 122  172.16.22.0 /24 - Default Gateway 172.16.22.1

Objective:
Secure the network to prevent users on the Guest VLAN from accessing the protected networks while still providing access to the internet.

*****Prevents access to ALL 192.168.0.0 /16 networks.
access-list 122 deny   ip any 192.168.0.0 0.0.255.255

*****Prevents access to the 10.10.10.0 /24 VPN network.
access-list 122 deny   ip any 10.10.10.0 0.0.0.255

*****Prevents management access to the Default Gateway on the Guest VLAN. The ports cover telnet, SSH, HTTP, HTTPS, and SNMP.
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161

*****Permits everything else sourced from the Guest VLAN subnet, which is what provides Internet access through the Default Gateway.
access-list 122 permit ip 172.16.22.0 0.0.0.255 any


***** The access list without comments*****

access-list 122 deny   ip any 192.168.0.0 0.0.255.255
access-list 122 deny   ip any 10.10.10.0 0.0.0.255
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161
access-list 122 permit ip 172.16.22.0 0.0.0.255 any

*****NOTE*****
The order is VERY important. Access lists are processed from the top down, and
the first rule that matches the traffic is the one that is applied. Every access
list also ends with an implicit deny-all rule, so anything that matches no
explicit rule is dropped.
**************
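To check what this list does before it goes on an interface, here is an added Python example (not from the post, and not IOS code) that parses the nine lines above and evaluates constructed sample packets against them the way IOS does: top down, first match wins, implicit deny at the end. It handles only the syntax the post uses (any, host, a contiguous wildcard mask, and eq PORT); the guest client address 172.16.22.50 and the Internet host 203.0.113.10 are made-up values.

```python
# Added example: a first-match evaluator for the subset of Cisco IOS
# numbered-ACL syntax used in this post (any | host A | A WILDCARD, optional
# "eq PORT"). It is not IOS code; it exists to check what ACL 122 permits and
# denies before the list is applied to "interface vlan 122".
import ipaddress

# The access list exactly as it appears in the post.
ACL_122 = """
access-list 122 deny   ip any 192.168.0.0 0.0.255.255
access-list 122 deny   ip any 10.10.10.0 0.0.0.255
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161
access-list 122 permit ip 172.16.22.0 0.0.0.255 any
"""

# IOS port keywords used on the page plus a few common ones.
PORT_NAMES = {"telnet": 23, "www": 80, "snmp": 161, "domain": 53}


def parse_addr(tokens):
    """Consume one address spec and return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the inverse of a netmask: 0 bits must match,
    # 1 bits are "don't care". Only contiguous wildcards are supported here.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'eq PORT' operator; return (port or None, remaining)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return port, tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list N action proto src [eq p] dst [eq p]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = tok[2], tok[3]
        src, rest = parse_addr(tok[4:])
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport=None, sport=None):
    """Top down, first match wins. Returns (action, 1-based line number).
    A packet that matches nothing hits the implicit deny: ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, eproto, esrc, esport, edst, edport) in enumerate(entries, 1):
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_122)
    # Constructed sample packets: 172.16.22.50 is a guest client and
    # 203.0.113.10 stands in for an Internet host.
    samples = [
        ("tcp", "172.16.22.50", "192.168.1.10", 443),  # protected LAN -> deny, line 1
        ("tcp", "172.16.22.50", "10.10.10.5", 22),     # VPN range -> deny, line 2
        ("tcp", "172.16.22.50", "172.16.22.1", 22),    # SSH to gateway -> deny, line 4
        ("udp", "172.16.22.50", "172.16.22.1", 53),    # DNS to gateway -> permit, line 9
        ("tcp", "172.16.22.50", "203.0.113.10", 443),  # Internet -> permit, line 9
        ("tcp", "192.168.1.5", "203.0.113.10", 80),    # spoofed source -> implicit deny
    ]
    for proto, s, d, port in samples:
        print(f"{proto} {s} -> {d}:{port:<4} {evaluate(acl, proto, s, d, dport=port)}")
```

The last sample is worth noting: a packet arriving on the guest interface with a non-guest source address matches none of the nine lines and is dropped by the implicit deny, so the final permit line doubles as a simple source-address check for the VLAN.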

If you want to edit the access list you need to copy it to a text document and
edit it with the new rules you want to add. Then you have two options.

1. Delete the access list with the "no access-list 122" command and then
   paste it back in with the new rules.

2. Give the new access list a new number, such as access-list 123. You will need
   to change the access-list number on each line before pasting it in.

If you go with option number 2 you will need to go into the interface and apply the access list. More info on that procedure later.

*****NOTE*****
With option number 2 there is no time that your interface is completely open. You
simply switch from one access list to another. With option number 1 you will have
a few moments that an access list is not applied because it does not exist.
**************

If you are working remotely I would highly suggest option number 2. It lets you get all of your rules in place before any of them apply to the interface. Consider what happens if you paste the example access list in with option 1: as soon as the first rule exists, the implicit deny-all rule is in effect behind it. The first rule in the example is a very specific deny, but combined with the implicit deny-all it stops all traffic through this interface until the final permit rule is pasted. If you are using this interface to connect remotely you will lose your connection.

When you have your access list ready you can apply it to your interface. In this example we will apply the access list to the Guest VLAN Default Gateway. It is a virtual interface called "vlan 122".

After logging in go into enable mode if necessary. Then enter the following commands:

configure terminal
interface vlan 122
ip access-group 122 in

These commands will apply your access list rules to all traffic coming into "interface vlan 122".

*****NOTE*****
Don't forget to save your config before exiting.
"write mem"
**************
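The renumbering step in option 2 is easy to get wrong by hand: a single line left on the old number is silently appended to the old list instead of the new one. The following added Python helpers, which are not from the post and not IOS code, renumber the example list, check that every entry survived the edit, flag stray lines in a hand-edited copy, and build the paste-in block in the order the NOTE above calls for: the new list is created completely before the interface is switched to it, and the old list is left in place.

```python
# Added example: helpers for "option 2" (renumber the ACL, verify it, then
# switch the interface). Not IOS code; the ACL text is the one from this post.
import re

ACL_122 = """
access-list 122 deny   ip any 192.168.0.0 0.0.255.255
access-list 122 deny   ip any 10.10.10.0 0.0.0.255
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161
access-list 122 permit ip 172.16.22.0 0.0.0.255 any
"""


def renumber_acl(text, old, new):
    """Return a copy of the list with every 'access-list OLD' rewritten to NEW.
    Refuses lines that do not belong to OLD so nothing foreign is pasted in."""
    out = []
    for line in text.strip().splitlines():
        if not re.match(rf"^access-list {old}\s", line):
            raise ValueError(f"line does not belong to access-list {old}: {line!r}")
        out.append(re.sub(rf"^access-list {old}\s+", f"access-list {new} ", line, count=1))
    return "\n".join(out)


def rules_of(text, number):
    """The entries of an ACL, in order, with the number and whitespace normalised away."""
    return [re.sub(rf"^access-list {number}\s+", "", line).split()
            for line in text.strip().splitlines()]


def same_rules(old_text, old, new_text, new):
    """True if both lists carry exactly the same entries in the same order."""
    return rules_of(old_text, old) == rules_of(new_text, new)


def stray_lines(text, number):
    """Lines in a hand-edited list that still carry some other ACL number."""
    return [line for line in text.strip().splitlines()
            if not re.match(rf"^access-list {number}\s", line)]


def cutover_config(new_text, new, interface):
    """Paste-in config. The new list is created in full before the interface is
    pointed at it, so the interface is never without an access list."""
    return "\n".join([
        "configure terminal",
        new_text,
        f"interface {interface}",
        f"ip access-group {new} in",
        "end",
        "write mem",
    ])


if __name__ == "__main__":
    acl_123 = renumber_acl(ACL_122, 122, 123)
    assert same_rules(ACL_122, 122, acl_123, 123) and not stray_lines(acl_123, 123)
    print(cutover_config(acl_123, 123, "vlan 122"))
```

Run the script and paste its output into the terminal session; access-list 122 stays in the configuration until you remove it yourself, after confirming the interface now references 123.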

If you would like to debug your access list you will need to issue the "term mon" command (short for "terminal monitor"). This will show debug output on your session. To stop the output issue "term no mon" ("terminal no monitor").

The following command will debug our example access list:

debug ip packet 122 detail

Now produce traffic to get your debug output.

Monday, October 4, 2010

How to Add Sysprep file to VMWare vCenter Server

In order to create templates or customize the Windows OS on a cloned virtual machine in vCenter you must add the necessary sysprep files to the proper directory on your vCenter server.

*****NOTE*****
vCenter 4 and up has native support for Windows Server 2008. No sysprep files are necessary.
**************

In Windows Server 2008 the sysprep directory is:
C:\ProgramData\VMware\VMware VirtualCenter\sysprep


In Windows Server 2003 the sysprep directory is:
C:\Documents and Settings\All Users\Application Data\VMWare\VMWare VirtualCenter\sysprep


Choose the appropriate OS for the sysprep files downloaded from Microsoft and extract them to the proper directory using one of the following procedures:

If your sysprep file is an exe file:

(1) Go to "Start, Run"
(2) Enter the path to your sysprep file and run it with a "/x" switch. Quote the path if it contains spaces,
    e.g.:   "c:\sysprep files\WindowsXPxxxxxx.exe" /x

This command will run and ask you where to extract the sysprep files. Choose the appropriate sysprep directory.


If your sysprep file is a cab file:

(1) Open your cab file.
(2) Press ctrl-A to select all.
(3) Right click and extract to the appropriate sysprep directory.


*****Here's a link to a KB article from VMWare with more info.*****

VMWare KB Article 1005593