Halamanblog, containing the latest news and tutorials

 

cisco networking academy

May 30, 2010 at 11:46 am | blog | No comment

 

Cisco Provides Mobile Carrier Infrastructure for Intelligent Billing Systems

VIVO, Largest Mobile Carrier in South America, Selects Cisco Mobile Exchange to Increase Billing Efficiency

 

configure mikrotik on virtual box

May 30, 2010 at 11:39 am | blog | 1 comment

 

There are two ways to access a Mikrotik router installed in VirtualBox using Winbox:

1. Assigning ether1 an IP address on the same network as the VirtualBox Host-Only Network.
This is the easiest way. You have to attach the Mikrotik network adapter to ‘Host-only Adapter’, which belongs to ‘VirtualBox Host-Only Ethernet Adapter’.

Image: Adapter Setting

Later you have to set the IP address of ether1 on the Mikrotik to be in the same network as the VirtualBox Host-Only Network. The default IP address assigned to this Ethernet adapter is 192.168.56.1/24; of course, you can change this IP address as you want. You can check the IP address by using ‘ipconfig’ (Windows) or ‘ifconfig’ (Unix/Linux).

Image: Virtualbox Ethernet Adapter

Now start the Mikrotik OS in VirtualBox. Log in using ‘admin’ and an empty password. Set the IP address of ether1 to 192.168.56.2/24 or any other IP address in the same network.

ip address add address=192.168.56.2/24 interface=ether1

After setting the ether1 IP address, try to ping it from the host OS (Windows).

C:\Users\Fuad NAHDI>ping 192.168.56.2

Pinging 192.168.56.2 with 32 bytes of data:
Reply from 192.168.56.2: bytes=32 time<1ms TTL=64
Reply from 192.168.56.2: bytes=32 time=2ms TTL=64
Reply from 192.168.56.2: bytes=32 time<1ms TTL=64
Reply from 192.168.56.2: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.56.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms

If the Mikrotik replies to the ping, it is ready to be accessed using Winbox. Run Winbox now and set Connect To: 192.168.56.2.

Click the ‘Connect’ button and if there are no errors you should successfully log in to the Mikrotik using Winbox.

Image: Winbox Mikrotik

2. Mapping / forwarding the port used by Winbox.
With this method you map/forward the port used by the guest OS installed in VirtualBox. Winbox uses port 8291, on which the system listens.

So we will map/forward this port from the host OS to the guest OS.

The commands are as below:

C:\Users\Fuad NAHDI>cd\
C:\>cd "Program Files\Sun\xVM VirtualBox"
C:\Program Files\Sun\xVM VirtualBox>VBoxManage setextradata Mikrotik "VBoxInternal/Devices/pcnet/0/LUN#0/Config/winbox/HostPort" 8291
VirtualBox Command Line Management Interface Version 3.0.2
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

C:\Program Files\Sun\xVM VirtualBox>VBoxManage setextradata Mikrotik "VBoxInternal/Devices/pcnet/0/LUN#0/Config/winbox/GuestPort" 8291
VirtualBox Command Line Management Interface Version 3.0.2
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

C:\Program Files\Sun\xVM VirtualBox>VBoxManage setextradata Mikrotik "VBoxInternal/Devices/pcnet/0/LUN#0/Config/winbox/Protocol" TCP
VirtualBox Command Line Management Interface Version 3.0.2
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

After executing the above commands without any errors, open the Winbox application.

Set the Connect To value to localhost and Login to admin, then click the Connect button.

After clicking the Connect button, if there are no errors during the login process, you should successfully log in to the Winbox application.

Image: Winbox Mikrotik

I hope this tutorial is useful for others.

 

installing mikrotik on virtual box

May 30, 2010 at 11:31 am | blog | No comment

 

“MikroTik RouterOS™ is software that turns a simple PC into a powerful and versatile router, with support for wireless, proxy, static and dynamic routing, among hundreds of other features.”

Mikrotik is really powerful and simple, and one of the best pieces of software for providers in the world!
Mikrotik, as we all know, is one of the best management software packages we have for providers, but because it was developed as firmware, it has some interesting things, like accounting and management modules for clients. For these it can work in conjunction with software (MyAuth or Vigo). It is 100% compatible.

Mikrotik is also an excellent tool if well configured. My advice for beginners who will use Mikrotik PROFESSIONALLY: hire someone to configure the whole server. Contrary to what many think, it is not just a matter of installing it, connecting the modem and you’re done! There are hundreds of things, rules and parameters to be configured “dynamically”, i.e. according to the needs of the provider, the network, etc.

Here are the steps:

  1. Download the Mikrotik ISO file from its website. At the time this tutorial was written, the latest stable version is mikrotik-3.27.iso. Save it on your hard disk. We will boot Mikrotik directly from the ISO file, so we do not need to burn it to a CD/DVD.
  2. Run your VirtualBox software. Click Machine > New (Ctrl+N) to create a new virtual machine through the Virtual Machine Wizard. Then click Next.
  3. On the VM Name and OS Type window, enter “Mikrotik” under Name. Under OS Type, select Linux as Operating System and Other Linux as Version, then click Next.
  4. For the memory allocation of the virtual machine, accept the default (256 MB) and then click Next.
  5. On the Virtual Hard Disk window, check the Boot Hard Disk (Primary Master) option. Then we need to create a new hard disk to install Mikrotik on.
  6. The Create Virtual Disk Wizard will come up. Select Dynamically expanding storage for the Storage Type (selected by default).
  7. Since Mikrotik is very small software, 512 MB of space is more than enough. Then click Finish.
  8. The next step is to point VirtualBox to the ISO image file to boot from. To do this, click Setting > CD/DVD-ROM. Check Mount CD/DVD Drive, select ISO Image File and point to the Mikrotik ISO file. Make sure that in the System category the first Boot Order entry is CD/DVD-ROM, then click OK.
  9. Now it is time to boot from the ISO image file. Make sure that the Mikrotik virtual machine is selected and then click ‘Start’.
  10. Mikrotik will boot and, after it detects all the devices, the “Welcome to MikroTik Router Software Installation” screen appears and you are ready to continue installing the software you need.

Source: http://www.techonia.com/install-mikrotik-virtualbox
 

Configuration VPN on cisco IOS

May 28, 2010 at 11:26 pm | blog | 1 comment

 
The following is a typical gateway-to-gateway VPN that uses a preshared
secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's
LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has
the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN
interface address, 172.23.9.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "hr5xb84l6aa9r6"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

   * TripleDES
   * SHA-1
   * ESP tunnel mode
   * MODP group 2 (1024 bits)
   * Perfect forward secrecy for rekeying
   * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
   * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and
     172.23.9.0/24, using IPv4 subnets

To set up Gateway A for this scenario, use the following steps:

Cisco IOS includes IPSec support, beginning with early versions of IOS
Version 12; however the commands have changed during the evolution of IOS
Version 12 point releases.  The following example uses the current release
version, Cisco IOS Version 12.2(8)T4.

This example uses a Cisco 1700 series router, which has one ethernet port
and one serial port.  The ethernet port, FastEthernet0, will be the outside,
or Internet-facing interface.  The serial port, Serial0, will be the inside
interface.  (This is just an example.  Your interfaces may be different.)

All configuration changes are volatile, and immediate, until the "write"
command is executed, when the configuration is saved to flash and will be
reloaded after a reboot.  At any time, you may examine the running
configuration with the command "show running-config", or view the
saved configuration with the command "show config".  Most commands can be
abbreviated.  Use a ? at the prompt or in a command to see options.

Configure IP on the interfaces:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int fa0
Router(config-if)# ip address 14.15.16.17 255.255.255.0
Router(config-if)# speed auto
Router(config-if)# ^Z
Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int ser0
Router(config-if)# ip address 10.5.6.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# ^Z
Router# 

Define the default route:

Router# config term
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

Cisco supports only one IKE policy per router, so you must design one which
is acceptable to all systems you are going to interoperate with.  Assign it
an ordering number of 5.  If you wanted to have more than one proposal in
the policy, the proposals would be given in order defined by this policy
order number.  Configure the IKE Policy:

Router# config term
Router(config)# crypto isakmp policy 5
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

Since multiple peers will share the same IKE policy, you must match each
peer with its pre-shared secret:

Router# config term
Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
Router(config)# exit

The IPSEC transform will be combined later with the rest of the IPSEC policy
in a crypto map command.  In this command, "STRONG" is just a label.  Labels
are CASE-SENSITIVE.  Define the IPSEC transform:

Router# config term
Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
Router(config)# exit

Cisco IOS uses access lists for SPD entries.  Many features of access lists
(e.g. TCP flag checking) don't work in IPSEC.  This kind of access list
MUST be labelled with a 3-digit number.  The netmasks in Cisco access lists
are inverted.  Nobody knows why, they just are.  This list says "all traffic
from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols".  Create the
IPSEC access list:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

Because IOS is a router first and an IPSEC gateway second, we have to tell
IOS which interface to send packets on if the default route is not enough.
In this scenario we don't need it, but in other situations you might need to
define a route for the remote protected network:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.17
Router(config)# exit

A crypto map binds all the assorted crypto parameters with a specific remote
gateway.  Several crypto maps bound to different remote gateways can be
grouped together in one crypto map SET which is then bound to an outgoing
interface.  The number following the crypto map set name is the ordering of
the map in the set.  Bind the policy together with a crypto map, and give it
the label CISCO:

Router# config term
Router(config)# crypto map CISCO 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 22.23.24.25
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

Because Ciscos could have many interfaces, you have to bind the SPD to the
outgoing interface:

Router# config term
Router(config)# interface fa0
Router(config-if)# crypto map CISCO
Router(config-if)# ^Z

If you had multiple tunnels to multiple gateways, you would need to create a
different access list for each tunnel, add an isakmp key entry for each
gateway, and possibly create a different ipsec transform if your security
policy is different.  For example, let's say you have another remote peer at
23.23.24.25, for which you have created access-list 102.  You could then add
a crypto map to the set created above:

Router# config term
Router(config)# crypto map CISCO 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 23.23.24.25
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit

Now the outgoing interface FastEthernet0 has both crypto maps, and it will
compare traffic to each map in order to determine if the traffic requires
encryption.

Save the configuration:

Router# write
Building configuration...
[OK]

Here is the completed IPSEC part of the Cisco configuration:

Router# show config
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 speed auto
 crypto map CISCO
!
interface Serial0
 ip address 10.5.6.1 255.255.255.0
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!
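
An added example (not part of the original walkthrough): a small Python audit of the IPsec configuration above that checks every name a crypto map refers to is defined (the label comparison is case-sensitive), converts the inverted access-list masks into CIDR selectors, and flags the 3DES, SHA-1 and group 2 settings, which are now regarded as legacy strength. SAMPLE_CONFIG is constructed from the commands entered in this walkthrough, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the IPsec lines this walkthrough enters on Gateway A.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
"""

# Pattern -> finding for settings now regarded as legacy strength.
WEAK = [
    (r"\b3des\b", "3DES cipher (64-bit block size)"),
    (r"\besp-sha-hmac\b", "HMAC-SHA-1 integrity on ESP"),
    (r"\bgroup ?2$", "1024-bit MODP group 2 for IKE or PFS"),
    (r"^crypto isakmp key ", "pre-shared key readable in the configuration"),
]

def wildcard_to_net(addr, wildcard):
    """Turn an IOS address plus inverted (wildcard) mask into a CIDR network."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}")

def audit(config):
    """Return (findings, selectors); names a crypto map uses must be defined."""
    findings = [msg for pat, msg in WEAK if re.search(pat, config, re.M)]
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    selectors, acls = [], {}
    for num, s, sw, d, dw in re.findall(
            r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
        pair = (str(wildcard_to_net(s, sw)), str(wildcard_to_net(d, dw)))
        acls.setdefault(num, []).append(pair)
    maps = re.findall(r"^crypto map (\S+ \d+) ipsec-isakmp\n((?: .*\n)*)", config, re.M)
    for name, body in maps:
        for tset in re.findall(r"^ set transform-set (\S+)", body, re.M):
            if tset not in tsets:
                findings.append(f"map {name}: transform-set {tset} is not defined")
        for peer in re.findall(r"^ set peer (\S+)", body, re.M):
            if peer not in keyed:
                findings.append(f"map {name}: no isakmp key for peer {peer}")
        for acl in re.findall(r"^ match address (\S+)", body, re.M):
            if acl not in acls:
                findings.append(f"map {name}: access-list {acl} is not defined")
            selectors += acls.get(acl, [])
    return findings, selectors

if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):
        print(item)
```

Defining the transform set as "strong" while the crypto map says "set transform-set STRONG" produces a "not defined" finding, which is the case-sensitivity pitfall the text warns about.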

Now, bring up a tunnel!  The IOS ping command extensions will allow you to
select the source interface, and hence IP address, of the ping:

Router# ping
Protocol [ip]:
Target IP address: 172.23.9.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: serial0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hmmmm ... what could be wrong?  Let's check some basics:

Router# show ip int brief
Interface                  IP-Address      OK? Method Status            Protocol
FastEthernet0              14.15.16.17     YES manual up                   up

Serial0                    10.5.6.1        YES manual down                 down

Ah, the serial interface is down.  I have to actually connect it up to something
to bring the interface up.  Now, the ping works and brings up the SAs.

Show the SAs with these commands:

Router# show crypto isakmp sa
dst             src             state           conn-id    slot
14.15.16.17     22.23.24.25     QM_IDLE               1       0

Router# show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

   local  ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

The easiest way to clear SAs from a Cisco IOS system varies with version, but
one of these two will generally work:

Router# clear crypto isakmp
Router# clear crypto sa

To enable debugging in IOS, you must turn on the debug as well as turn on the
debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor

http://www.vpn.org
 

configure static routing on cisco ios

May 28, 2010 at 11:21 pm | blog | No comment

 

This is a story about how to configure static routing on Cisco IOS. I use Packet Tracer version 5.3 to simulate this work.

IP routing is automatically enabled on Cisco routers. If it has been previously disabled on your router, you turn it back on in config mode with the command ip routing.

These days static routes are generally used in very simple networks or in particular cases that necessitate their use. To create a static route, the administrator tells the router operating system that any network traffic destined for a specified network layer address should be forwarded to a similarly specified network layer address. In the Cisco IOS this is done with the ip route command.

ExampleName#config
ExampleName(config)#ip route 172.16.0.0 255.255.255.0 192.168.150.1
ExampleName(config)#ctrl-Z
ExampleName#show ip route

Two things should be said about this example. First, the packet destination address must include the subnet mask for that destination network. Second, the address it is to be forwarded to is the specified address of the next router along the path to the destination. This is the most common way of setting up a static route, and the only one this document covers. Be aware, however, that there are other methods.

Dynamic routing protocols, running on connected routers, enable those routers to share routing information. This enables routers to learn the routes available to them. The advantage of this method is that routers are able to adjust to changes in network topologies. If a route is physically removed, or a neighbor router goes down, the routing protocol searches for a new route. Routing protocols can even dynamically choose between possible routes based on variables such as network congestion or network reliability.

There are many different routing protocols, and they all use different variables, known as “metrics,” to decide upon appropriate routes. Unfortunately, a router needs to be running the same routing protocols as its neighbors. Many routers can, however, run multiple protocols. Also, many protocols are designed to be able to pass routing information to other routing protocols. This is called “redistribution.” The author has no experience with trying to make redistribution work. There is an IOS redistribute command you can research if you think this is something you need. This document’s companion case study describes an alternative method to deal with different routing protocols in some circumstances.

Routing protocols are a complex topic and this document contains only this superficial description of them. There is much to learn about them, and there are many sources of information about them available. An excellent source of information on this topic is Cisco’s website, http://www.cisco.com.

 
