Showing posts with label Networking. Show all posts

Tuesday, December 1, 2009

Network Monitoring With Advanced Host Monitor by KS-Soft

HostMonitor is a highly scalable network monitoring software and it is suitable for small and enterprise-level networks.

You will probably say, "There are dozens of programs like this." That is right! But please check what HostMonitor offers and compare its power and flexibility to its surprisingly low price:
  • using 62 test methods this software can check almost any parameter of your servers;
  • highly flexible action profiles allow you to start actions in predefined order depending on the test results;
  • HostMonitor creates various log files using different detail levels and file formats (Text, HTML, DBF and ODBC);
  • built-in Report Manager allows you to create and customize reports to your liking in a variety of ways;
  • using Remote Monitoring Agents for Windows, FreeBSD, Linux, NetBSD, OpenBSD and Solaris you may easily monitor remote networks;
  • Web Service, Telnet Service and Remote Control Console simplifies remote management;
  • and this is not all...  Advanced Host Monitor does much more!  
I have been using HostMonitor for years and love it.  It is flexible, easy to use and won't break the bank.  Check it out.

Wednesday, November 18, 2009

FREE Windows Utilities for Sniffing



WinDump
WinDump is an exceptionally powerful command-line packet sniffer. Ported over from the source of the Tcpdump utility available for UNIX, WinDump carries over the same power and flexibility to the Windows world, all in a lightweight executable.

WinDump is a helpful utility when you need to do some quick and easy packet capturing to diagnose a network problem. It's flexible, and it can capture and display details about every packet going across the network interface. It can filter the output results based on protocol (e.g., Address Resolution Protocol—ARP, IP, TCP, UDP), source network or host, destination network or host, source port, destination port, and many other criteria.

To use WinDump, you'll first need to download and install the Windows Packet Capture Library (WinPcap), the Windows port of the open-source packet-capture and network-analysis library libpcap for UNIX. WinPcap runs on all versions of Windows.

After you install WinPcap, you can download the standalone WinDump executable. To launch WinDump, simply run it from the command line with the appropriate options for what you'd like to capture or read. You'll find the online manual for WinDump here.

The first command you might want to execute is WinDump -D, which will display a list of interfaces available on your computer, as well as a corresponding number for each interface, so that you can determine which interface to use for your sniffing activities. After you know which interface to use, you can simply pass that number with the -i option (i.e., WinDump -i 3, if number 3 is the interface you'd like to use) to start viewing packet data in real time. (Because these are ports of UNIX utilities, the command-line switches are case-sensitive.)

Ngrep
Although WinDump is a tremendous utility, sometimes it requires a considerable amount of overhead or knowledge to determine what you're looking for. For example, suppose you're trying to check whether a DNS query is making it across your network, but you aren't familiar with the protocols and ports that DNS uses by default. Or, suppose a lot of traffic is coming across a network connection, and you're finding it too cumbersome to work through all the packets just to find the one particular packet you're looking for. For such situations, enter ngrep, the network-aware grep utility.

If you aren't familiar with grep, it's probably one of the most widely known and oft-utilized UNIX utilities. Grep finds matching text strings (through a mechanism known as regular expressions) in files on a file system, then outputs the lines to the display. You might compare grep with the Windows command-line Find utility, but grep differs by providing an exceptional amount of power in its search for text strings.

By applying these capabilities to the network layer, ngrep provides the same level of functionality for packet sniffing. As a result, you don't need to know what protocols, ports, network, or IP addresses that two devices are using to transfer data. You just need to know something about the packet's payload, and ngrep will find it for you—regardless of how it's transmitted.

Ngrep is great for troubleshooting DNS query problems. In a large Active Directory (AD) environment, dozens of DNS queries are typically occurring across the network per second. If I'm trying to troubleshoot a specific set of problems, searching each packet to find the one I'm looking for is cumbersome at best. Instead of relying on a straight packet capture of all DNS traffic, I can simply use ngrep to find the text string I'm looking for because DNS queries and responses are performed in plain text.

Ngrep currently recognizes ICMP, IGMP, Raw, TCP, and UDP protocols across 802.11, Ethernet, FDDI, PPP, SLIP, Token Ring, and null interfaces. Like WinDump, it requires the WinPcap library to operate properly.

WireShark (formerly Ethereal)
When you face a situation in which you need to roll up your sleeves and dive as deeply as possible into network capture and analysis, one utility needs to come to mind: the world's most popular network analyzer, WireShark. Network experts around the world use WireShark because it has all the standard features you'll find in most protocol analyzers, in addition to some you won't find in any other product. More than 400 developers around the world have made contributions to this open-source application. A decade ago, you would have had to pay thousands of dollars for software with the same capabilities, but WireShark offers it all for free.

WireShark can capture data off your network connection, filter the data, dive into the details of each packet, save the packet capture for detailed analysis, send packet captures to other network engineers (or vendors) to help with debugging, and open packet captures from many other leading packet-capture utilities. WireShark can capture data off of various network transports, such as Classical IP over ATM (CIP), Ethernet, Fiber Distributed Data Interface (FDDI), Point-to-Point Protocol (PPP), Token Ring, 802.11, and loopback interfaces (although it doesn't support all types on every platform). Across all those network transports, WireShark can "dissect" more than 750 protocol types, including FTP, HTTP, NetBIOS, POP3, remote procedure call (RPC), SNMP, SSH, SMTP, and Telnet, just to name a few.

Like the other sniffing utilities I've mentioned, WireShark depends on an installation of WinPcap to function properly, so you'll need to install that first. Then, after you install the latest WireShark distribution for Windows, simply open the Capture, Interfaces menu and select the interface you want to use for the capture. Then, you're ready to start analyzing your traffic.

Sunday, October 4, 2009

View Ethernet Statistics in Linux

You need to use the following two commands:
  • ifconfig command - Display all interfaces which are currently available.
  • netstat command - Display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

ifconfig example

Type the following command:
/sbin/ifconfig eth0

OR
/sbin/ifconfig -a

OR
ifconfig

Sample output:
eth0      Link encap:Ethernet  HWaddr 00:19:d1:2a:ba:a8
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::219:d1ff:fe2a:baa8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1948632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1559234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2366493974 (2.3 GB)  TX bytes:388339315 (388.3 MB)
          Memory:e3180000-e31a0000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:27378 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3046452 (3.0 MB)  TX bytes:3046452 (3.0 MB)

netstat Command Example

To display a table of all network interfaces, including received and sent packets, enter:

netstat -i

Sample outputs:
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0   1955323      0      0 0       1563543      0      0      0 BMRU
lo        16436 0     27472      0      0 0         27472      0      0      0 LRU
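The counters above are only useful if somebody looks at them, so here is an added example (not from the original post) that parses the `netstat -i` table and the `ifconfig` counter lines into dictionaries and flags interfaces whose error and drop counters are out of proportion to their traffic. The samples are the outputs shown above, with one constructed extra interface (eth1) so that the check has something to report.

```python
import re

# Constructed sample: the `netstat -i` table from the post, plus a made-up eth1
# row with receive errors and drops so that the health check flags something.
NETSTAT_I_SAMPLE = """\
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0   1955323      0      0 0       1563543      0      0      0 BMRU
eth1       1500 0     88120    412    930 0         61033      0      3      0 BMRU
lo        16436 0     27472      0      0 0         27472      0      0      0 LRU
"""

# Constructed sample: the counter lines of the `ifconfig eth0` output from the post.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:19:d1:2a:ba:a8
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1948632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1559234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2366493974 (2.3 GB)  TX bytes:388339315 (388.3 MB)
"""

# Column order of the `netstat -i` table, as printed in the header line.
NETSTAT_COLUMNS = ("iface", "mtu", "met", "rx_ok", "rx_err", "rx_drp", "rx_ovr",
                   "tx_ok", "tx_err", "tx_drp", "tx_ovr", "flg")


def parse_netstat_i(text):
    """Parse `netstat -i` output into {iface: {column: value}} with numeric counters."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the title line, the header line and anything that is not a full row.
        if len(fields) != len(NETSTAT_COLUMNS) or fields[0] == "Iface":
            continue
        row = dict(zip(NETSTAT_COLUMNS, fields))
        for col in NETSTAT_COLUMNS[1:-1]:      # everything between iface and flg is a number
            row[col] = int(row[col])
        result[row["iface"]] = row
    return result


def parse_ifconfig(text):
    """Parse `ifconfig` output into {iface: {"rx": {...}, "tx": {...}}} packet counters."""
    result, current = {}, None
    counter_re = re.compile(r"\s+(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+)")
    for line in text.splitlines():
        if line and not line[0].isspace():     # an unindented line starts a new interface block
            current = line.split()[0]
            result[current] = {"rx": {}, "tx": {}}
        m = counter_re.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = {
                "packets": int(m.group(2)), "errors": int(m.group(3)),
                "dropped": int(m.group(4)), "overruns": int(m.group(5)),
            }
    return result


def unhealthy_interfaces(netstat_rows, max_ratio=0.001):
    """Names of interfaces whose errors+drops+overruns exceed max_ratio of packets in either direction."""
    bad = []
    for name, row in netstat_rows.items():
        rx_total = row["rx_ok"] + row["rx_err"] + row["rx_drp"]
        tx_total = row["tx_ok"] + row["tx_err"] + row["tx_drp"]
        rx_bad = (row["rx_err"] + row["rx_drp"] + row["rx_ovr"]) / rx_total if rx_total else 0
        tx_bad = (row["tx_err"] + row["tx_drp"] + row["tx_ovr"]) / tx_total if tx_total else 0
        if rx_bad > max_ratio or tx_bad > max_ratio:
            bad.append(name)
    return bad


if __name__ == "__main__":
    rows = parse_netstat_i(NETSTAT_I_SAMPLE)
    print("interfaces with error/drop problems:", unhealthy_interfaces(rows))
    print("eth0 counters from ifconfig:", parse_ifconfig(IFCONFIG_SAMPLE)["eth0"])
```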

Display Summary Statistics For Each Protocol

Type the following command:
 
netstat -s

Sample output:
Ip:
    2025059 total packets received
    21 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    2024996 incoming packets delivered
    1568954 requests sent out
    5 outgoing packets dropped
    60 reassemblies required
    30 packets reassembled ok
    5 fragments failed
Icmp:
    225 ICMP messages received
    13 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 89
        timeout in transit: 71
        echo replies: 65
    146 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 79
        echo request: 67
IcmpMsg:
        InType0: 65
        InType3: 89
        InType11: 71
        OutType3: 79
        OutType8: 67
Tcp:
    20603 active connections openings
    99 passive connection openings
    1125 failed connection attempts
    352 connection resets received
    17 connections established
    1983950 segments received
    1475010 segments send out
    51436 segments retransmited
    0 bad segments received.
    38462 resets sent
Udp:
    40292 packets received
    62 packets to unknown port received.
    0 packet receive errors
    42369 packets sent
UdpLite:
TcpExt:
    16 invalid SYN cookies received
    2 packets pruned from receive queue because of socket buffer overrun
    4956 TCP sockets finished time wait in fast timer
    128 packets rejects in established connections because of timestamp
    45978 delayed acks sent
    5 delayed acks further delayed because of locked socket
    Quick ack mode was activated 6369 times
    21 packets directly queued to recvmsg prequeue.
    13099 bytes directly received in process context from prequeue
    1435761 packet headers predicted
    9 packets header predicted and directly queued to user
    133229 acknowledgments not containing data payload received
    38661 predicted acknowledgments
    5170 times recovered from packet loss by selective acknowledgements
    2 bad SACK blocks received
    Detected reordering 1 times using FACK
    Detected reordering 2 times using SACK
    Detected reordering 2 times using time stamp
    3 congestion windows fully recovered without slow start
    3 congestion windows partially recovered using Hoe heuristic
    9 congestion windows recovered without slow start by DSACK
    3521 congestion windows recovered without slow start after partial ack
    7455 TCP data loss events
    TCPLostRetransmit: 402
    6 timeouts after reno fast retransmit
    2810 timeouts after SACK recovery
    673 timeouts in loss state
    10164 fast retransmits
    111 forward retransmits
    7138 retransmits in slow start
    15322 other TCP timeouts
    878 SACK retransmits failed
    125 packets collapsed in receive queue due to low socket buffer
    8425 DSACKs sent for old packets
    167 DSACKs sent for out of order packets
    1244 DSACKs received
    13 DSACKs for out of order packets received
    1779 connections reset due to unexpected data
    104 connections reset due to early user close
    247 connections aborted due to timeout
    TCPSACKDiscard: 1
    TCPDSACKIgnoredOld: 650
    TCPDSACKIgnoredNoUndo: 463
    TCPSpuriousRTOs: 31
    TCPSackShifted: 5988
    TCPSackMerged: 14413
    TCPSackShiftFallback: 11127
IpExt:
    InMcastPkts: 556
    OutMcastPkts: 433
    InBcastPkts: 473
    InOctets: -1923455127
    OutOctets: 368984572
    InMcastOctets: 73654
    OutMcastOctets: 50857
    InBcastOctets: 40987

ss command - Display Quick Stats

Type the following command:
 
ss -s
Sample outputs:
ss -s
Total: 767 (kernel 824)
TCP:   123 (estab 15, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total     IP        IPv6
*   824       -         -
RAW   1         1         0
UDP   6         5         1
TCP   123       121       2
INET   130       127       3
FRAG   0         0         0        

Thursday, August 13, 2009

Linux Change MTU Size

How do I change MTU size under Linux?

You need support in both the network hardware and the network card in order to use jumbo frames. If you want to transfer large amounts of data at gigabit speeds, increasing the default MTU size can provide significant performance gains.

Changing the MTU size with ifconfig command

In order to change the MTU size, use /sbin/ifconfig command as follows:
ifconfig ${Interface} mtu ${SIZE} up
ifconfig eth1 mtu 9000 up

Note that this will only work if it is supported by both the network interface card and the network components such as the switch.

Changing the MTU size permanently under CentOS / RHEL / Fedora Linux

Edit /etc/sysconfig/network-scripts/ifcfg-eth0, enter
# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Add the MTU setting:
MTU="9000"

Save and close the file. Restart networking:
# service network restart

Note: for IPv6, set a dedicated MTU as follows:
IPV6_MTU="1280"

Changing the MTU size permanently under Debian / Ubuntu Linux

Edit /etc/network/interfaces, enter:
# vi /etc/network/interfaces

Add mtu as follows for required interface:
mtu 9000

Save and close the file. Restart the networking, enter:
# /etc/init.d/networking restart

Changing the MTU size permanently (other Linux distros)

Edit /etc/rc.local and add the following line:
/sbin/ifconfig eth1 mtu 9000 up

Tuesday, August 4, 2009

Adding persistent static routes in Linux

Let's say that you have a box that lives on subnet 172.16.16.0 /24. Your default route is set in /etc/sysconfig/network as 172.16.16.1, as shown below:

NETWORKING=yes
HOSTNAME=testbox.domain.com
GATEWAY=172.16.16.1

Now you need to get to network 1.2.3.0 /24 using gateway 172.16.16.250 and network 45.67.89.0 /24 using gateway 172.16.16.254. One option is to add those routes manually with the following commands:

SYNTAX
# route add [-net|-host] <target> netmask <mask> gw <gateway> dev <interface>

EXAMPLES
route add -net 1.2.3.0 netmask 255.255.255.0 gw 172.16.16.250
route add -net 45.67.89.0 netmask 255.255.255.0 gw 172.16.16.254

This will work in the short term, and can be double-checked using the 'route' command. Sample output is shown below:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.16.0     *               255.255.255.0   U     0      0        0 eth0
1.2.3.0         172.16.16.250   255.255.255.0   UG    0      0        0 eth0
45.67.89.0      172.16.16.254   255.255.255.0   UG    0      0        0 eth0
default         172.16.16.1     0.0.0.0         UG    0      0        0 eth0

NOTE: once the machine is rebooted, those static routes will disappear, as they are stored in memory and are not recreated on startup.

To add a persistent static route in Red Hat Enterprise Linux or CentOS, create a file called route-X in the /etc/sysconfig/network-scripts/ directory, where X is the name of the interface (eth0, eth1, and so on). As you would expect, these are specified in separate files for each of the available interfaces.

In this particular case, we will be creating a file called 'route-eth0' in /etc/sysconfig/network-scripts in order to make those routes persistent through a reboot, and populating it with the information shown below:

vi /etc/sysconfig/network-scripts/route-eth0
1.2.3.0/24 via 172.16.16.250
45.67.89.0/24 via 172.16.16.254

Once that file has been modified, run the following command to restart the network:

service network restart

After that, run the route command and make sure that your routes are in place.
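A typo in route-eth0 only shows up as a missing route after the next restart, so as an added example (not part of the original post) here is a small Python helper that converts the ad-hoc `route add` commands above into the `network/prefix via gateway` lines the file expects, and refuses a gateway that is not on the box's own subnet (172.16.16.0/24 here) or a network with host bits set, since the kernel would reject either. The subnet and commands are the ones from the post; the function names are this example's own.

```python
import ipaddress
import re

# The box from the post lives on this subnet (its default gateway is 172.16.16.1).
LOCAL_SUBNET = "172.16.16.0/24"

# The two ad-hoc commands from the post that we want to make persistent.
ROUTE_ADD_CMDS = [
    "route add -net 1.2.3.0 netmask 255.255.255.0 gw 172.16.16.250",
    "route add -net 45.67.89.0 netmask 255.255.255.0 gw 172.16.16.254",
]

# route add [-net|-host] <target> [netmask <mask>] gw <gateway> [dev <iface>]
ROUTE_ADD_RE = re.compile(
    r"^route add -(?P<kind>net|host) (?P<target>\S+)"
    r"(?: netmask (?P<mask>\S+))? gw (?P<gw>\S+)(?: dev \S+)?$"
)


def parse_route_add(cmd):
    """Turn one `route add ...` command into (ip_network, gateway ip_address)."""
    m = ROUTE_ADD_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"unrecognised route command: {cmd!r}")
    if m["kind"] == "host":
        net = ipaddress.ip_network(m["target"])          # a bare address becomes a /32
    else:
        if not m["mask"]:
            raise ValueError(f"-net route needs a netmask: {cmd!r}")
        # strict=True (the default) raises if host bits are set, e.g. 1.2.3.5/24
        net = ipaddress.ip_network(f"{m['target']}/{m['mask']}")
    return net, ipaddress.ip_address(m["gw"])


def route_problems(local_subnet, cmds):
    """Return a list of problems with the given commands; an empty list means all are usable."""
    subnet = ipaddress.ip_network(local_subnet)
    problems = []
    for cmd in cmds:
        try:
            net, gw = parse_route_add(cmd)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if gw not in subnet:
            problems.append(f"gateway {gw} for {net} is not on {subnet}: no on-link path to it")
    return problems


def build_route_file(local_subnet, cmds):
    """Render the contents of /etc/sysconfig/network-scripts/route-<iface> for the commands."""
    problems = route_problems(local_subnet, cmds)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for cmd in cmds:
        net, gw = parse_route_add(cmd)
        lines.append(f"{net} via {gw}")                 # e.g. 1.2.3.0/24 via 172.16.16.250
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_route_file(LOCAL_SUBNET, ROUTE_ADD_CMDS), end="")
```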

Monday, August 3, 2009

Linux Tune Network Stack (Buffers Size) To Increase Networking Performance


I have two servers located in two different data centers. Both servers deal with a lot of concurrent large file transfers. But network performance is very poor for large files, and performance degradation takes place with large files. How do I tune TCP under Linux to solve this problem?

By default, the Linux network stack is not configured for high-speed large file transfers across WAN links; this keeps memory use down. You can tune the Linux network stack for high-speed networks between server systems by increasing the network buffer sizes, so that the servers can handle more network packets.

The default maximum Linux TCP buffer sizes are way too small. TCP memory is calculated automatically based on system memory; you can find the actual values by typing the following commands:
$ cat /proc/sys/net/ipv4/tcp_mem

The default and maximum amount for the receive socket memory:
$ cat /proc/sys/net/core/rmem_default
$ cat /proc/sys/net/core/rmem_max


The default and maximum amount for the send socket memory:
$ cat /proc/sys/net/core/wmem_default
$ cat /proc/sys/net/core/wmem_max


The maximum amount of option memory buffers:
$ cat /proc/sys/net/core/optmem_max

Tune values

Set the max OS send buffer size (wmem) and receive buffer size (rmem) to 12 MB for queues on all protocols. In other words set the amount of memory that is allocated for each TCP socket when it is opened or created while transferring files:

WARNING! The default value of rmem_max and wmem_max is about 128 KB in most Linux distributions, which may be enough for a low-latency general purpose network environment or for apps such as a DNS or web server. However, if the latency is large, the default size might be too small. Please note that the following settings are going to increase memory usage on your server.


# echo 'net.core.wmem_max=12582912' >> /etc/sysctl.conf
# echo 'net.core.rmem_max=12582912' >> /etc/sysctl.conf


You also need to set minimum size, initial size, and maximum size in bytes:
# echo 'net.ipv4.tcp_rmem= 10240 87380 12582912' >> /etc/sysctl.conf
# echo 'net.ipv4.tcp_wmem= 10240 87380 12582912' >> /etc/sysctl.conf


Turn on TCP window scaling, which allows the transfer window to be enlarged:
# echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf

Enable timestamps as defined in RFC 1323:
# echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf

Enable selective acknowledgments (SACK):
# echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf

By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the near future can use these to set initial conditions. Usually, this increases overall performance, but it may sometimes cause performance degradation. If tcp_no_metrics_save is set, TCP will not cache metrics on closing connections.

# echo 'net.ipv4.tcp_no_metrics_save = 1' >> /etc/sysctl.conf

Set maximum number of packets, queued on the INPUT side, when the interface receives packets faster than kernel can process them.

# echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf


Now reload the changes:

# sysctl -p


Use tcpdump to watch the traffic on eth0 after the change:

# tcpdump -ni eth0
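The 12 MB figure above is not arbitrary: a TCP window must hold a full bandwidth-delay product (bandwidth times round-trip time) to keep a link busy, and 1 Gbit/s over 100 ms of RTT works out to 12.5 MB. As an added example (not from the original post), the following Python code parses the sysctl lines from the post and checks the tcp_rmem/tcp_wmem triples against the BDP of a given link; the link numbers and function names are this example's assumptions.

```python
# Constructed sample: the lines the post appends to /etc/sysctl.conf.
SYSCTL_SAMPLE = """\
net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 5000
"""


def parse_sysctl(text):
    """Parse sysctl.conf-style lines into {key: [int, ...]}; '#' comments and blank lines are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = [int(v) for v in raw.split()]
    return values


def bandwidth_delay_product(bits_per_second, rtt_seconds):
    """Bytes that must be in flight to keep the link busy: bandwidth x round-trip time."""
    return int(bits_per_second * rtt_seconds / 8)


def check_tcp_buffers(values, bits_per_second, rtt_seconds):
    """Return findings (empty list = OK) for the TCP buffer settings against a link's BDP."""
    findings = []
    bdp = bandwidth_delay_product(bits_per_second, rtt_seconds)
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        triple = values.get(key)
        if triple is None or len(triple) != 3:
            findings.append(f"{key}: missing or not a min/default/max triple")
            continue
        lo, default, hi = triple
        if not lo <= default <= hi:
            findings.append(f"{key}: min <= default <= max does not hold ({lo} {default} {hi})")
        if hi < bdp:
            findings.append(f"{key}: max {hi} bytes is below the link BDP of {bdp} bytes")
    # Without window scaling the advertised window is capped at 65535 bytes,
    # so none of the buffer sizes above would ever be used across the WAN.
    if values.get("net.ipv4.tcp_window_scaling") != [1]:
        findings.append("net.ipv4.tcp_window_scaling: must be 1 for windows larger than 64 KB")
    return findings


if __name__ == "__main__":
    settings = parse_sysctl(SYSCTL_SAMPLE)
    # Assumed link: 1 Gbit/s with 100 ms RTT between the two data centers.
    print("BDP:", bandwidth_delay_product(1_000_000_000, 0.1), "bytes")
    print("findings at 1 Gbit/s:", check_tcp_buffers(settings, 1_000_000_000, 0.1))
    print("findings at 10 Gbit/s:", check_tcp_buffers(settings, 10_000_000_000, 0.1))
```

At 1 Gbit/s and 100 ms the post's 12582912-byte maximum clears the 12500000-byte BDP, while a 10 Gbit/s link with the same RTT would need ten times that.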

Friday, July 31, 2009

Lefthand SAN Remote Access

To access the iLo port on a Lefthand NSM 2120 using the HP DL320S hardware use the following credentials.

username - sanmon
password - sanmon

https://nodeIP:2381

Tuesday, July 28, 2009

Creating Client SSL VPN on Cisco ASAs

Introduction

This document describes how to allow remote access VPN connections to the ASA from the Cisco AnyConnect 2.0 client.
Prerequisites
Requirements

Ensure that you meet these requirements before you attempt this configuration:

* Basic ASA configuration that runs software version 8.0
* ASDM 6.0(2)

Components Used

The information in this document is based on these software and hardware versions:

* Cisco ASA 8.0(2), ASDM 6.0 (2)
* Cisco AnyConnect 2.0
Background Information

The Cisco AnyConnect 2.0 client is an SSL-based VPN client. The AnyConnect client can be installed and used on a variety of operating systems, such as Windows 2000, XP, Vista, Linux (multiple distros) and Mac OS X. The AnyConnect client can be installed manually on the remote PC by the system administrator. It can also be loaded onto the security appliance and made ready for download to remote users. After the application is downloaded, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections. This example makes the AnyConnect client ready to download upon successful browser-based SSL authentication.

For more information on the AnyConnect 2.0 client, refer to AnyConnect 2.0 Release Notes.

Note: MS Terminal Services is not supported in conjunction with the AnyConnect client. You cannot RDP to a computer and then initiate an AnyConnect session. You cannot RDP to a client that is connected via AnyConnect.

Note: The first installation of AnyConnect requires the user to have admin rights (whether you use the standalone AnyConnect msi package or push the pkg file from the ASA). If the user does not have admin rights, a dialog box appears that states this requirement. Subsequent upgrades will not require the user that installed AnyConnect previously to have admin rights.


Configure
Step 1. Configure a Self-Issued Certificate

By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase your own certificate from vendors, such as Verisign or EnTrust, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted. Complete this step in order to generate a self-issued certificate that persists when the device is rebooted.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Certificate Management, and then choose Identity Certificates.
3. Click Add, and then click the Add a new identity certificate radio button.
4. Click New.
5. In the Add Key Pair dialog box, click the Enter new key pair name radio button.
6. Enter a name to identify the key pair. This example uses sslvpnkeypair.
7. Click Generate Now.
8. In the Add Identity Certificate dialog box, ensure the newly created key pair is selected.
9. For Certificate Subject DN, enter the fully qualified domain name (FQDN) that will be used to connect to the VPN terminating interface, for example CN=sslvpn.cisco.com.
10. Click Advanced, and enter the FQDN used for the Certificate Subject DN field. For example, FQDN: sslvpn.cisco.com
11. Click OK.
12. Check the Generate Self Signed Certificate check box, and click Add Certificate.
13. Click OK.
14. Click Configuration, and then click Remote Access VPN.
15. Expand Advanced, and choose SSL Settings.
16. In the Certificates area, choose the interface that will be used to terminate the SSL VPN (outside), and click Edit.
17. In the Certificate drop-down list, choose the self-signed certificate that you generated earlier.
18. Click OK, and then click Apply.


Step 2. Upload and Identify the SSL VPN Client Image

This document uses the AnyConnect SSL 2.0 client. You can obtain this client at the Cisco Software Download Website. A separate Anyconnect image is required for each operating system that remote users plan to use. For more information, refer to Cisco AnyConnect 2.0 Release Notes.

Once you obtain the AnyConnect client, complete these steps:

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Client Settings.
4. In the SSL VPN Client Images area, click Add, and then click Upload.
5. Browse to the location where you downloaded the AnyConnect client.
6. Select the file, and click Upload File. Once the client uploads, you receive a message that states the file was uploaded to flash successfully.
7. Click OK. A dialog box appears to confirm that you want to use the newly uploaded image as the current SSL VPN client image.
8. Click OK.
9. Click OK, and then click Apply.
10. Repeat the steps in this section for each operating system-specific AnyConnect package that you want to use.


Step 3. Enable Anyconnect Access

In order to allow the AnyConnect client to connect to the ASA, you must enable access on the interface that terminates SSL VPN connections. This example uses the outside interface in order to terminate Anyconnect connections.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then choose SSL VPN Connection Profiles.
3. Check the Enable Cisco AnyConnect VPN Client check box.
4. Check the Allow Access check box for the outside interface, and click Apply.


Step 4. Create a new Group Policy

A group policy specifies the configuration parameters that should be applied to clients when they connect. This example creates a group policy named SSLClientPolicy.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and choose Group Policies.
3. Click Add.
4. Choose General, and enter SSLClientPolicy in the Name field.
5. Uncheck the Address Pools Inherit check box.
6. Click Select, and then click Add. The Add IP Pool dialog box appears.
7. Configure the address pool from an IP range that is not currently in use on your network. This example uses these values:
   * Name: SSLClientPool
   * Starting IP Address: 192.168.25.1
   * Ending IP Address: 192.168.25.50
   * Subnet Mask: 255.255.255.0
8. Click OK.
9. Choose the newly created pool, and click Assign.
10. Click OK, and then click More Options.
11. Uncheck the Tunneling Protocols Inherit check box.
12. Check SSL VPN Client.
13. In the left pane, choose Servers.
14. Uncheck the DNS Servers Inherit check box, and enter the IP address of the internal DNS server that the AnyConnect clients will use. This example uses 192.168.50.5.
15. Click More Options.
16. Uncheck the Default Domain Inherit check box.
17. Enter the domain used by your internal network. For example, tsweb.local.
18. Click OK, and then click Apply.


Step 5. Configure Access List Bypass for VPN Connections

When you enable this option, you allow the SSL/IPsec clients to bypass the interface access list.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Bypass Interface Access List.
4. Ensure the Enable inbound SSL VPN and IPSEC Sessions to bypass interface access lists check box is checked, and click Apply.


Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections

When VPN clients connect to the ASA, they connect to a connection profile or tunnel group. The tunnel group is used to define connection parameters for specific types of VPN connections, such as IPsec L2L, IPsec remote access, clientless SSL, and client SSL.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand SSL VPN.
3. Choose Connection Profiles, and click Add.
4. Choose Basic, and enter these values:
   * Name: SSLClientProfile
   * Authentication: LOCAL
   * Default Group Policy: SSLClientPolicy
5. Ensure the SSL VPN Client Protocol check box is checked.
6. In the left pane, expand Advanced, and choose SSL VPN.
7. Under Connection Aliases, click Add, and enter a name to which users can associate their VPN connections. For example, SSLVPNClient.
8. Click OK, and then click OK again.
9. At the bottom of the ASDM window, check the Allow user to select connection, identified by alias in the table above at login page check box, and click Apply.


Step 7. Configure NAT Exemption for AnyConnect Clients

NAT exemption should be configured for any IP addresses or ranges you want to allow the SSL VPN clients to access. In this example, the SSL VPN clients need access to the internal IP 192.168.50.5 only.

Note: If NAT-control is not enabled, this step is not required. Use the show run nat-control command to verify. In order to verify through ASDM, click Configuration, click Firewall, and choose Nat Rules. If the Enable traffic through the firewall without address translation check box is checked, you can skip this step.

ASDM Procedure

1. Click Configuration, and then click Firewall.
2. Choose Nat Rules, and click Add.
3. Choose Add NAT Exempt Rule, and enter these values:
   * Action: Exempt
   * Interface: inside
   * Source: 192.168.50.5
   * Destination: 192.168.25.0/24
   * NAT Exempt Direction: NAT Exempt outbound traffic from interface 'inside' to lower security interfaces (Default)
4. Click OK, and then click Apply.


Step 8. Add Users to the Local Database

If you use local authentication (the default), you must define user names and passwords in the local database for user authentication.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand AAA Setup, and choose Local Users.
3. Click Add, and enter these values:
   * Username: matthewp
   * Password: p@ssw0rd
   * Confirm Password: p@ssw0rd
4. Select the No ASDM, SSH, Telnet or Console Access radio button.
5. Click OK, and then click Apply.
6. Repeat this step for additional users, and then click Save.


Verify SSL VPN Client Connections

Use the show vpn-sessiondb svc command in order to verify connected SSL VPN clients.

ciscoasa(config-group-policy)#show vpn-sessiondb svc

Session Type: SVC

Username : matthewp Index : 6
Assigned IP : 192.168.25.1 Public IP : 172.18.12.111
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 35466 Bytes Rx : 27543
Group Policy : SSLClientPolicy Tunnel Group : SSLClientProfile
Login Time : 20:06:59 UTC Tue Oct 16 2007
Duration : 0h:00m:12s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

ciscoasa(config-group-policy)#

The vpn-sessiondb logoff name username command logs off users by user name. An Administrator Reset message is sent to the user when disconnected.

ciscoasa(config)#vpn-sessiondb logoff name matthewp
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "matthewp" logged off : 1

ciscoasa(config)#
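Reading `show vpn-sessiondb svc` by eye works for one user, but on a busy ASA it pays to parse it. As an added example (not from the original post or from Cisco), the Python below splits the two-pairs-per-line output shown above into one dictionary per session and lists the users whose session negotiated a cipher that should no longer be trusted (RC4 appears in the sample). The sample is the post's output plus one constructed second session (jdoe); the label list and function names are this example's own.

```python
# Constructed sample: the `show vpn-sessiondb svc` output from the post, plus a
# made-up second session (jdoe) that negotiated only AES128, for comparison.
SESSIONDB_SAMPLE = """\
Session Type: SVC

Username : matthewp Index : 6
Assigned IP : 192.168.25.1 Public IP : 172.18.12.111
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 35466 Bytes Rx : 27543
Group Policy : SSLClientPolicy Tunnel Group : SSLClientProfile
Login Time : 20:06:59 UTC Tue Oct 16 2007
Duration : 0h:00m:12s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Username : jdoe Index : 7
Assigned IP : 192.168.25.2 Public IP : 198.51.100.23
Protocol : SSL-Tunnel DTLS-Tunnel
Encryption : AES128 AES128 Hashing : SHA1
Group Policy : SSLClientPolicy Tunnel Group : SSLClientProfile

ciscoasa(config-group-policy)#
"""

# Field labels seen in this output. They are needed because two "label : value"
# pairs share a line and both labels and values can contain spaces.
FIELD_LABELS = (
    "Username", "Index", "Assigned IP", "Public IP", "Protocol", "Encryption",
    "Hashing", "Bytes Tx", "Bytes Rx", "Group Policy", "Tunnel Group",
    "Login Time", "Duration", "NAC Result", "VLAN Mapping", "VLAN",
)


def _split_pairs(line):
    """Yield (label, value) pairs from e.g. 'Encryption : RC4 AES128 Hashing : SHA1'."""
    segments = line.split(" : ")
    label = segments[0].strip()
    for seg in segments[1:-1]:
        # A middle segment is '<value of previous label> <next label>'; longest label first
        # so that 'VLAN Mapping' is not mistaken for the shorter 'VLAN'.
        for candidate in sorted(FIELD_LABELS, key=len, reverse=True):
            if seg.endswith(" " + candidate):
                yield label, seg[: -len(candidate) - 1].strip()
                label = candidate
                break
        else:
            raise ValueError(f"cannot split segment {seg!r}")
    yield label, segments[-1].strip()


def parse_sessiondb(text):
    """Parse `show vpn-sessiondb svc` output into a list of {label: value} dicts, one per session."""
    sessions, current = [], None
    for line in text.splitlines():
        if " : " not in line:               # banner, blank lines and the prompt carry no fields
            continue
        for label, value in _split_pairs(line):
            if label == "Username":         # each session block starts with Username
                current = {}
                sessions.append(current)
            if current is not None:
                current[label] = value
    return sessions


def sessions_with_weak_cipher(sessions, weak=("RC4", "DES", "3DES")):
    """Usernames whose Encryption field lists any cipher from the weak tuple."""
    return [s["Username"] for s in sessions
            if any(cipher in weak for cipher in s.get("Encryption", "").split())]


if __name__ == "__main__":
    parsed = parse_sessiondb(SESSIONDB_SAMPLE)
    for s in parsed:
        print(s["Username"], s["Public IP"], s["Encryption"])
    print("weak cipher:", sessions_with_weak_cipher(parsed))
```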

Monday, July 27, 2009

Mac connect to Windows File Share

By default, Windows 2003 Server domain controllers have "Microsoft network server: Digitally sign communications (always)" set to "Enabled". This is likely what causes the Macs to fail to authenticate with "error = -5000" when trying to connect via CIFS or SMB (Samba).

To change this on a given domain controller, go to "Start" ->"Administrative Tools" -> "Domain Controller Security Policy" (not Domain Policy) and look for "Security Settings" -> "Local Policies" -> "Security Options" -> "Microsoft network server: Digitally sign communications (always)". It should show "Enabled" by default. Double-click on it and set to "Disabled".

Then close the app, click Start | Run, enter the command 'gpupdate' to refresh group policy, and hit Enter.

You should now be able to use the "Go" > "Connect to Server" command in Finder to map to a share as shown below:

cifs://SERVER/SHARE

Manually assigning IP Information for a Cisco Catalyst 2960 (or other Cisco Switch)

Step 1 - Enter global configuration mode:
configure terminal
Step 2 - Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The range is 1 to 4094.
interface vlan <vlan-id>
Step 3 - Enter the IP address and subnet mask.
ip address <ip-address> <subnet-mask>
Step 4 - Return to global configuration mode.
exit
Step 5 - Enter the IP address of the next-hop router interface that is directly connected to the switch. The switch sends IP packets for destinations outside its own subnet to this default gateway.
ip default-gateway <ip-address>
Once the default gateway is configured, the switch's management interface can reach remote networks, for example the management, syslog and NTP hosts it needs to talk to.

Note: ip default-gateway is only used while IP routing is disabled (the switch behaves like a host). If ip routing is enabled on a Layer 3 switch, the command is ignored; configure a default route instead: ip route 0.0.0.0 0.0.0.0 <next-hop>.

Step 6 - Return to privileged EXEC mode.
end
Step 7 - Verify the configured IP address.
show interfaces vlan <vlan-id>
Step 8 - Verify the configured default gateway.
show ip redirects
Step 9 - (Optional) Save your work in the configuration file.
copy running-config startup-config (abbreviations: copy ru st, or the older wr mem)

ASA 5510 (ASA software 8.x) ASDM firewall dashboard commands

As of 8.x, the ASDM has some excellent features to track down top talkers and get a better view into your traffic flows, but each of these features (especially Top 10 Services) uses a good bit of RAM. If you are running a 5510 or smaller, that can cause you to run out of memory. The ASDM gives you the option to enable these features, but you have to disable them from the command line.

Each dashboard panel corresponds to a threat-detection statistics command. Use the 'no' form of the same command to disable it:

Top 10 Access-Lists
======================================
enable
threat-detection statistics access-list
disable
no threat-detection statistics access-list

Top 10 Services (very memory intensive, use only when troubleshooting)
======================================
enable
threat-detection statistics port
threat-detection statistics protocol
disable
no threat-detection statistics port
no threat-detection statistics protocol

Top 10 Sources / Top 10 Destinations (same command)
======================================
enable
threat-detection statistics host
disable
no threat-detection statistics host

Check what is currently collecting with show running-config threat-detection, and compare show memory before and after enabling a panel so you know what each one costs on your box.

Sunday, July 26, 2009

ITC Deltacom FTP site for testing upstream/downstream speed

FTP 208.230.80.111

username: itc
password: itc

Set the hash and bin (binary) options, then put a file to measure upstream and get a file to measure downstream; the transfer rate the client reports is your throughput. This is plain FTP, so the login and data cross the wire unencrypted; fine for a public test account, not for anything else.

Saturday, July 25, 2009

Enable DOS FTP client through ASA

This configuration allows the command-line FTP client provided with Windows (ftp.exe, which only supports active mode) to work through a Cisco ASA firewall. It has been tested with ASA code 7.2(3).

!--Set passive mode for FTP sessions the ASA itself originates (e.g. copy ftp:); this does not affect transit traffic
ftp mode passive

!--Create the inspection_default class-map to match the ASA's default inspection traffic
class-map inspection_default
match default-inspection-traffic

!--Add the 'inspection_default' class to the global_policy with the inspect ftp directive
policy-map global_policy
class inspection_default
inspect ftp

!--Apply the policy globally to all interfaces
service-policy global_policy global

What actually makes the active-mode Windows client work is inspect ftp: the inspection engine reads the PORT command on the control channel, translates the embedded address if NAT applies, and opens the matching inbound data connection for that session only, the function the PIX called 'fixup protocol ftp'. Verify it is in effect with show service-policy inspect ftp, whose counters should climb as you transfer.

Password recovery procedure Cisco catalyst fixed configuration layer 2 and 3 switches

Introduction
This document describes the password recovery procedure for the Cisco Catalyst Layer 2 fixed configuration switches 2900XL/3500XL, 2940, 2950/2955, 2960, and 2970 Series, as well as the Cisco Catalyst Layer 3 fixed configuration switches 3550, 3560, and 3750 Series.

Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites
There are no specific prerequisites for this document.

Step-by-Step Procedure
Follow the password recovery procedure below.

Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) to the console port of the switch.

Use the following terminal settings:

Bits per second (baud): 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow Control: Xon/Xoff

Note: For additional information on cabling and connecting a terminal to the console port, refer to Connecting a Terminal to the Console Port on Catalyst Switches.

Unplug the power cable.

Power the switch and bring it to the switch: prompt:

For 2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches, do this:

Hold down the mode button located on the left side of the front panel, while you reconnect the power cable to the switch.

Catalyst Switch Series        LED Behavior and Mode Button Release Action
----------------------------  ------------------------------------------------------------------------------
2900XL, 3500XL, 3550          Release the Mode button when the LED above Port 1x goes out.
2940, 2950                    Release the Mode button after approximately 5 seconds, when the Status (STAT) LED goes out. When you release the Mode button, the SYST LED blinks amber.
2960, 2970                    Release the Mode button when the SYST LED blinks amber and then turns solid green. When you release the Mode button, the SYST LED blinks green.
3560, 3750                    Release the Mode button after approximately 15 seconds, when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

Note: LED position may vary slightly depending on the model.

[Figure: Catalyst 3524XL front panel, Mode button and LEDs]

[Figure: Catalyst 2950-24 front panel, Mode button and LEDs]

For 2955 series switches only:

The Catalyst 2955 series switches do not use an external mode button for password recovery. Instead the switch boot loader uses the break-key detection to stop the automatic boot sequence for the password recovery purposes. The break sequence is determined by the terminal application and operating system used. Hyperterm running on Windows 2000 uses Ctrl + Break. On a workstation running UNIX, Ctrl-C is the break key. For more information, refer to Standard Break Key Sequence Combinations During Password Recovery.

The example below uses Hyperterm to break into switch: mode on a 2955.

C2955 Boot Loader (C2955-HBOOT-M) Version 12.1(0.0.514), CISCO DEVELOPMENT TEST
VERSION
Compiled Fri 13-Dec-02 17:38 by madison
WS-C2955T-12 starting...
Base ethernet MAC Address: 00:0b:be:b6:ee:00
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 19 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 4510720
flashfs[0]: Bytes available: 3230720
flashfs[0]: flashfs fsck took 7 seconds.
...done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4

*** The system will autoboot in 15 seconds ***
Send break character to prevent autobooting.


!--- Wait until you see this message before
!--- you issue the break sequence.
!--- Ctrl+Break is entered using Hyperterm.


The system has been interrupted prior to initializing the flash file system. The following
commands will initialize the flash file system and finish loading the operating system software:

flash_init
load_helper
boot
switch:

Issue the flash_init command.

switch: flash_init
Initializing Flash...
flashfs[0]: 143 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2729472
flashfs[0]: Bytes available: 883200
flashfs[0]: flashfs fsck took 86 seconds
....done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch:

!--- This output is from a 2900XL switch. Output from
!--- other switches will vary slightly.

Issue the load_helper command.

switch: load_helper
switch:

Issue the dir flash: command.

Note: Make sure to type a colon ":" after dir flash.

The switch file system is displayed:

switch: dir flash:
Directory of flash:/
2 -rwx 1803357 c3500xl-c3h2s-mz.120-5.WC7.bin

!--- This is the current version of software.

4 -rwx 1131 config.text

!--- This is the configuration file.

5 -rwx 109 info
6 -rwx 389 env_vars
7 drwx 640 html
18 -rwx 109 info.ver
403968 bytes available (3208704 bytes used)
switch:

!--- This output is from a 3500XL switch. Output from
!--- other switches will vary slightly.

Type rename flash:config.text flash:config.old to rename the configuration file.

switch: rename flash:config.text flash:config.old
switch:

!--- The config.text file contains the password
!--- definition.

Issue the boot command to boot the system.

switch: boot
Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...###############################
################################################################################
######################################################################
File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry po
int: 0x3000
executing...

!--- Output suppressed.
!--- This output is from a 3500XL switch. Output from other switches
!--- will vary slightly.

Enter "n" at the prompt to abort the initial configuration dialog.

--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Continue with configuration dialog? [yes/no]: n

!--- Type "n" for no.

Press RETURN to get started.

!--- Press Return or Enter.

Switch>

!--- The Switch> prompt is displayed.

At the switch prompt, type en to enter enable mode.

Switch>en
Switch#

Type rename flash:config.old flash:config.text to rename the configuration file with its original name.

Switch#rename flash:config.old flash:config.text
Destination filename [config.text]

!--- Press Return or Enter.

Switch#

Copy the configuration file into memory.

Switch#copy flash:config.text system:running-config
Destination filename [running-config]?

!--- Press Return or Enter.

1131 bytes copied in 0.760 secs
Sw1#

The configuration file is now reloaded (the prompt changes to the hostname stored in it).

Overwrite the passwords that you do not know. Choose a strong password with at least one capital letter, one number, and one special character, and prefer enable secret (stored as a hash) over enable password, which is stored reversibly even with service password-encryption.

Note: Overwrite only the passwords you need to. You need not overwrite all of the ones shown.

Keep in mind what this procedure demonstrates: anyone with physical access to the console port and a power cycle can do the same, so the console is part of your security boundary. Most switches in this list support no service password-recovery, which makes the boot loader erase the configuration instead of letting you rename it; weigh that against the cost of rebuilding a lost config.

Sw1# conf t

!--- To overwrite the existing secret password

Sw1(config)#enable secret <new-password>

!--- To overwrite the existing enable password (or remove it: no enable password)

Sw1(config)#enable password <new-password>

!--- To overwrite the existing vty password

Sw1(config)#line vty 0 15
Sw1(config-line)#password <new-password>
Sw1(config-line)#login

!--- To overwrite the existing console password

Sw1(config-line)#line con 0
Sw1(config-line)#password <new-password>
Sw1(config-line)#login
Sw1(config-line)#end

Write the running configuration to the configuration file with the write memory command.

Sw1#write memory
Building configuration...
[OK]
Sw1#

Thursday, July 23, 2009

Cisco U.S. Daylight Saving Time (DST) Changes for 2007 to Present

clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00807ca437.shtml

Host-based routes Windows Server 2000 2003 XP

To display the entire contents of the IP routing table, type:

route print

To display the routes in the IP routing table that begin with 10., type:

route print 10.*

To add a default route with the default gateway address of 192.168.12.1, type:

route add 0.0.0.0 mask 0.0.0.0 192.168.12.1

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1

To add a persistent route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1, type:

route -p add 10.41.0.0 mask 255.255.0.0 10.27.0.1

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, the next hop address of 10.27.0.1, and the cost metric of 7, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 metric 7

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, the next hop address of 10.27.0.1, and using the interface index 0x3, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 if 0x3

To delete the route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, type:

route delete 10.41.0.0 mask 255.255.0.0

To delete all routes in the IP routing table that begin with 10., type:

route delete 10.*

To change the next hop address of the route with the destination of 10.41.0.0 and the subnet mask of 255.255.0.0 from 10.27.0.1 to 10.27.0.25, type:

route change 10.41.0.0 mask 255.255.0.0 10.27.0.25

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true

Website Performance Optimization

PAGE LOAD OPTIMIZATION
http://www.websiteoptimization.com/services/analyze/

BANDWIDTH CALCULATOR
http://www.ibeast.com/content/tools/band-calc.asp

Vendor/Ethernet/Bluetooth MAC Address Lookup and Search

http://coffer.com/mac_find/

Linux NTP Configuration

SETTING THE DATE MANUALLY WITH NTP
====================================
ntpdate -u 130.207.244.240      # -u: use an unprivileged source port (works through firewalls and alongside a running ntpd)
clock --systohc                 # write the system time to the hardware clock (clock is hwclock on Red Hat systems)
date                            # verify the system time
clock                           # verify the hardware clock


CONFIGURING /etc/ntp.conf
====================================
server 130.207.244.240

A complete ntp.conf also needs restrict lines (for example restrict default kod nomodify notrap nopeer noquery) so that arbitrary hosts cannot query or modify the daemon.


FORCING NTP UPDATES (syncs with the NTP server at X:27 every hour)
====================================
mkdir /root/bin

vi /root/bin/forceNTP.sh
#!/bin/sh
/usr/sbin/ntpdate -u 130.207.244.240
/sbin/clock --systohc

chmod 744 /root/bin/forceNTP.sh

crontab -e
27 * * * * /root/bin/forceNTP.sh >/dev/null 2>&1

Note: if ntpd is running with the server configured in /etc/ntp.conf, this cron job is unnecessary, and stepping the clock under a running daemon fights its slewing; use one approach or the other.


~~~~~~~~ ALTERNATE PROCESS


RUN THESE COMMANDS
=======================================================================
mkdir /root/bin
echo "#!/bin/sh" > /root/bin/forceNTP.sh
echo "/usr/sbin/ntpdate -u 130.207.244.240" >> /root/bin/forceNTP.sh
echo "/sbin/clock --systohc" >> /root/bin/forceNTP.sh
chmod 755 /root/bin/forceNTP.sh

THEN TAKE THESE STEPS (replace ## with the minute of each hour you want the script to run)
=======================================================================
crontab -e
## * * * * /root/bin/forceNTP.sh >/dev/null 2>&1
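As an added example (this is not the original post's script), here is the same hourly job rewritten so that it looks before it steps. ntpdate -q reports the offset without touching the clock; the script parses it, leaves a clock that is already close alone, steps it when the drift is real, and logs loudly without stepping when the offset is implausibly large, which is what a wrong server, a broken hardware clock or a spoofed reply looks like. Accurate, accounted-for time is what makes log correlation and Kerberos work, so every decision goes to syslog. The thresholds (0.5 s step, 300 s alert), the run argument and hwclock in place of clock are my assumptions, not the page's.

```shell
#!/bin/sh
# forceNTP.sh, checked variant (added example; not the original post's script).
# Assumptions not from the page: the MAX_STEP and ALERT_OFFSET thresholds, the
# "run" argument, and that ntpdate, hwclock and logger are in PATH.

NTP_SERVER="${NTP_SERVER:-130.207.244.240}"
MAX_STEP="${MAX_STEP:-0.5}"         # seconds; drift below this is left alone
ALERT_OFFSET="${ALERT_OFFSET:-300}" # seconds; drift above this is suspicious, so log and do not step

# parse_offset: read `ntpdate -q` output on stdin and print the offset in seconds
# taken from the first "server ..., stratum N, offset X, delay Y" line (nothing if absent).
parse_offset() {
    sed -n 's/^server .*offset \([-+]*[0-9][0-9]*\.*[0-9]*\),.*/\1/p' | head -n 1
}

# abs_exceeds OFFSET LIMIT: succeed when |OFFSET| > LIMIT (numeric compare via awk)
abs_exceeds() {
    awk -v o="$1" -v l="$2" 'BEGIN { o += 0; if (o < 0) o = -o; exit !(o > l) }'
}

# decide OFFSET: classify an offset as skip, step or alert (pure function, testable offline)
decide() {
    if abs_exceeds "$1" "$ALERT_OFFSET"; then
        echo alert
    elif abs_exceeds "$1" "$MAX_STEP"; then
        echo step
    else
        echo skip
    fi
}

# check_and_sync: query the server, act on the offset, record the decision in syslog
check_and_sync() {
    out=$(ntpdate -q "$NTP_SERVER" 2>&1) || {
        logger -t forceNTP "query to $NTP_SERVER failed: $out"
        return 1
    }
    offset=$(printf '%s\n' "$out" | parse_offset)
    if [ -z "$offset" ]; then
        logger -t forceNTP "could not parse an offset from: $out"
        return 1
    fi
    case "$(decide "$offset")" in
        skip)
            logger -t forceNTP "offset ${offset}s within ${MAX_STEP}s of $NTP_SERVER, no step" ;;
        step)
            ntpdate -u "$NTP_SERVER" >/dev/null 2>&1 && hwclock --systohc
            logger -t forceNTP "stepped clock by ${offset}s from $NTP_SERVER" ;;
        alert)
            logger -p daemon.warning -t forceNTP \
                "offset ${offset}s exceeds ${ALERT_OFFSET}s; not stepping, check server and hardware clock"
            return 2 ;;
    esac
}

# Only act when invoked as `forceNTP.sh run`, so the functions can be sourced and tested.
case "${1:-}" in
    run) check_and_sync ;;
esac
```

Install it as /root/bin/forceNTP.sh and change the crontab line to `27 * * * * /root/bin/forceNTP.sh run`. Dropping the `>/dev/null 2>&1` from the original is deliberate: cron will mail any stderr from a failed query, and the logger lines give you a per-hour drift history to grep when a timestamp in a log does not line up.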