Network, server and internet

About the network, connections, server and file areas, and the internet

 

Had to replace old Trustgate 160 firewall - and opted for new Cisco ASA 5506X unit compatible with company WAN setup.

Easy enough to get running in simple setup isolating LAN on 7 bridged ports against WAN on port 1.

First learning: prior to changing default IP - REMEMBER to add new LAN to approved management networks list! AND the factory reset switch is disabled by default - so for me it took quite a while to connect USB console cable, recalling old CLI knowledge - and get it accessible on GUI again.

I had to use my Linux server for access:

 

 

 

Connect to the Console Port with Linux

Follow these steps to connect a Linux system USB port to the console using the built-in Linux Terminal utility.


Step 1   Open the Linux Terminal window.
Step 2   Connect the Linux USB port to the ASA.
Step 3   Enter the following commands to find the Linux USB port number:

Example:
root@usb-suse# cd /dev
root@usb-suse /dev# ls -ltr *ACM*
crw-r--r-- 1 root root 188, 0 Jan 14 18:02 ttyACM0
root@usb-suse /dev#
Step 4   Connect to the USB port with the following command followed by the ASA USB port speed

Example:
root@usb-suse /dev# screen /dev/ttyACM0 9600
Step 5   To disconnect the Linux USB console from the Terminal window, enter Ctrl-a followed by : then quit.

Thx to: https://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5506xguide/b_Install_Guide_5506/b_Install_Guide_5506_chapter_011.html

Then the challenge is to remember the commands. On prompt 'ciscoasa>' config terminal - changes to config mode, and enable allows for actual changes.

Got it on-line again - so NEXT problem - NAT just would not work...

After LOOOOOONG despair and try-and-fail - Google brought this article to the rescue:

https://supportforums.cisco.com/discussion/13221411/vpn-handle-error-new-asa-971-integrated-routing-and-bridging-feature-bug-id

It is not possible to NAT referring the BVI interface - but has to be done in duplicate to all interfaces... Sic!

Solution - delete the BVI and use ports individually. That is an option for me, as I have switches as well (old Trustgate did ONLY provide port for segments) - but might be a problem if you rely on using ASA as switch as well.

AGAIN - remember to ensure a working port to configure the device on, as all setup on original BVI will be lost... I did remember it this time, but took a while to recognize that DHCP setup was also deleted... :-(

SO - now set up several segments (inside, guest and dmz) - and all NAT and access rules were accepted... Still no luck.

ASA has fine facility for trace and syslog display - and traffic just did not get there...

 

Found a fine source for external access testing: http://canyouseeme.org/ - which tries to connect, and shows if it succeeds.

In the end the final challenge was my understanding the proper logic and terminology.

This link: https://forums.plex.tv/discussion/91006/my-plex-connection-via-a-cisco-asa-firewall-not-working - gave some clues, but in the end it was too simple... The NAT directly in the 'device' locked down for additional services, so had to go back to basics.

Create hosts for easy reference

do NOT set NAT on host!

Create services naming the port in use for easy reference

do NOT specify source port!

 

Create an access rule allowing any traffic to host/service combination (on INTERNAL IP)

and

Create NAT rule based on outside interface/ service to target inside host/service

...and finally it worked!

 

Rushed to duplicate for webcams and other stuff - just to make sure. And - yes - back to normal...
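
The four steps above (host object, service object, access rule on the internal IP, NAT rule on the outside interface) as ASA CLI. This is an added example, not the author's configuration: the object names, the camera at 192.168.10.50 on TCP 8080, the ACL name and the public addresses are constructed, and the interface names "inside" and "outside" are assumed.

```cisco
! Constructed example: names and addresses are placeholders.

! 1. Host object for easy reference. No "nat" statement inside the object:
!    the translation is defined once, in the manual NAT rule in step 4.
object network HOST-WEBCAM
 host 192.168.10.50

! 2. Service object naming the port in use. Only the destination port is
!    set; clients connect from arbitrary source ports.
object service SVC-WEBCAM
 service tcp destination eq 8080

! 3. Access rule on the outside interface. Since ASA 8.3 the ACL is matched
!    against the real (internal) address, not the public one.
access-list outside_access_in extended permit tcp any object HOST-WEBCAM eq 8080
access-group outside_access_in in interface outside

! 4. Manual NAT: traffic arriving on the outside interface address for the
!    named service is forwarded to the inside host on the same port.
!    The rule names a real interface (inside), not a BVI.
nat (outside,inside) source static any any destination static interface HOST-WEBCAM service SVC-WEBCAM SVC-WEBCAM

! 5. Check the result before testing from the internet.
!    203.0.113.10 = constructed client, 198.51.100.2 = constructed outside IP.
show nat detail
show access-list outside_access_in
packet-tracer input outside tcp 203.0.113.10 50000 198.51.100.2 8080
```

The packet-tracer output lists each phase (UN-NAT, ACCESS-LIST, NAT) with ALLOW or DROP, which shows whether a failure is in the translation or in the access rule. Replacing `any` in the access rule with the source networks that actually need access narrows what is exposed to the internet.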

Sigh, the good old Canon Pixma IP4000R is on its last legs... :-(

Had it taken apart (because of a 6A00 error == paper feed) - it seemed to help, but I found that a frame for the gears on the side where the head parks was loose, so one gear rattles around quite a bit. It probably won't last long..

What now???

Canon has stopped making printers with a network port - only combo machines... After a fair amount of research it still looks like Canon cartridges are cheapest (at trykspar.dk), also for newer models.
The choice is between the MP980, which is a scanner and printer (without sheet feeder), and the MX850, which is a full multifunction with sheet feeder for scanning. The MX850 is a bit older and is being replaced by the MX860 - but that one cannot print on CDs..

All are available for just under 2000 kr, so it is not too bad. Now we will see whether the old IP4000R holds out a little longer

OK - as mentioned, we have a media server in the house... I.e. the kind of thing that lets us keep a small store of music files, pictures and films that can be played from PCs and other relevant equipment on our network.

Most important, of course, is that the Denon amplifier can get access to the CD collection... And that works fine.

BUT - what about when you want to use your PC as the player...??

We have a server at Kratvej 28 C - for internal use. You quickly get used to it, so when it goes down, there is a crisis. That happened recently - and NO, we are not telling why - but there was apparently a minor fault in the assembly - originally - maybe...

This is a checklist / description of the setup on the server, so that - the next time it goes down - it is easier to remember what needs to be done.

Purpose of the server:
  • act as shared file server for all PCs on the network - in the longer term also for remote access
  • act as backup device for local PCs
  • act as multimedia server - primarily music / secondarily pictures and films
  • act as hard-disk recorder for the DVB-T (terrestrial digital TV) network and eventually perhaps for DVB-S (satellite)
