Blog | Hotmodz

Creating Multiple VLANs - ASA 5500-X Series

It's always super exciting when you can dig into your own network and get more involved in it. If you have a business, that might be a different story(*) unless you have a development environment. In my case I have a nicely sized environment that I'm looking to expand into other exciting new technologies. To proceed with this I'm going to set up sub-interface VLANs…

When setting up sub-interfaces you will either need to use PuTTY to get into the console of the ASA remotely or use the ASDM software. My ASA 5506-X is set up with the Base license right now, which allows a total of 5 VLANs. If I want more VLANs I'll eventually have to upgrade to the Security Plus license or to a larger ASA. For the moment we're just going to go with VLANs 4, 10, 12 & 15. I have some general pictures below and some snippets of config.

You will see in the config that I have a security level of 100 set on the guest VLAN. This is NOT typical, but thanks to the Ubiquiti equipment I use within my environment the device(s) will only make DHCP and DNS requests. Any device trying to reach the internet first has to pass through the hotspot authentication page. That page traverses my subnet only to the controller and the DHCP/DNS server. Once the device is authenticated, access to all private address ranges is blocked. This is pretty handy when throwing APs at different family or friends' homes, or when we throw a large family party or a lot of friends come over. I'm eventually going to work on this more thoroughly and whip up a better solution.

interface GigabitEthernet1/1
 description COMCAST INTERNET CONNECTION
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description LOCAL NETWORK
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2.100
 description Vlan (Testing Environment)
 vlan 10
 nameif Testing-Vlan
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/2.101
 description Guest Network
 vlan 12
 nameif Guest
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!

access-list Guest_access_in extended permit ip 192.168.12.0 255.255.255.0 any

nat (Guest,outside) source static Guest-Vlan Guest-Vlan destination static Guest-Vlan Guest-Vlan route-lookup



[Figure 1: ASA Interfaces List]

[Figure 2: Detailed GigabitEthernet 1/2.100 Information]

[Figure 3: NAT Statement for VLAN]

[Figure 4: ASA ACL Information]


Once your ASA is set up with the above configuration, the next step is to set up trunking on your switch, if it is capable of that. Thankfully I have a stack of 3750G switches that are. So, you will want to look at the config posted below. I've applied this config to the switch port that connects to the LAN port on my ASA.


interface GigabitEthernet1/0/1
description Trunked ASA to LAN
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport trunk allowed vlan 4,10,12
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
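Added example, not part of the original post and not Cisco's own tooling: a small Python checker that reads the ASA sub-interface block and the 3750 trunk block together and reports where they disagree. The two config strings are constructed copies of the snippets above with the descriptions dropped; the finding labels and the `audit()` function are my own names. It flags a VLAN that is tagged on the ASA but missing from the trunk's allowed list, a tagged VLAN that the switch would instead send untagged as the native VLAN, and any VLAN interface that shares the inside interface's security level. The last check matters because the ASA drops same-security traffic by default, but forwards it with no ACL in the way once `same-security-traffic permit inter-interface` is configured.

```python
# Added example (not the post's own config or code): cross-check the ASA
# sub-interface config against the 3750 trunk config. Both strings below are
# constructed from the post's snippets, with the description lines removed.
import re
from collections import namedtuple

ASA_CONFIG = """\
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2.100
 vlan 10
 nameif Testing-Vlan
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/2.101
 vlan 12
 nameif Guest
 security-level 100
 ip address 192.168.12.1 255.255.255.0
"""

SWITCH_TRUNK = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,10,12
 switchport mode trunk
 switchport nonegotiate
"""

Iface = namedtuple("Iface", "name nameif level vlan")

def parse_asa_interfaces(text):
    """One Iface per 'interface' block: nameif, security-level and 802.1Q tag."""
    ifaces, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            if cur:
                ifaces.append(Iface(**cur))
            cur = {"name": s.split()[1], "nameif": None, "level": None, "vlan": None}
        elif cur is None or not s or s == "!":
            continue
        elif s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("security-level "):
            cur["level"] = int(s.split()[1])
        elif s.startswith("vlan "):
            cur["vlan"] = int(s.split()[1])
    if cur:
        ifaces.append(Iface(**cur))
    return ifaces

def expand_vlan_list(spec):
    """IOS allowed-VLAN syntax: 'all', or comma-separated IDs and ranges like 4,10-12."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(text):
    """Return (native_vlan, allowed_vlans); IOS allows every VLAN when no list is set."""
    native = re.search(r"switchport trunk native vlan (\d+)", text)
    allowed = re.search(r"switchport trunk allowed vlan (\S+)", text)
    return (int(native.group(1)) if native else None,
            expand_vlan_list(allowed.group(1) if allowed else "all"))

def audit(asa_text, trunk_text):
    """Findings as 'LABEL: detail' strings; an empty list means the configs agree."""
    findings = []
    ifaces = parse_asa_interfaces(asa_text)
    native, allowed = parse_trunk(trunk_text)
    inside = next((i for i in ifaces if i.nameif == "inside"), None)
    for i in ifaces:
        if i.vlan is None:
            continue  # physical interface: carried untagged on the native VLAN
        if i.vlan not in allowed:
            findings.append(f"TRUNK: {i.name} ({i.nameif}) tags VLAN {i.vlan} "
                            f"but the trunk only allows {sorted(allowed)}")
        if i.vlan == native:
            findings.append(f"NATIVE: {i.name} expects VLAN {i.vlan} tagged "
                            f"but the switch sends it untagged as the native VLAN")
        if inside and i.level == inside.level:
            # Same-security traffic is dropped unless 'same-security-traffic
            # permit inter-interface' is set; then this VLAN reaches inside
            # with no ACL in the way, so the level deserves a deliberate look.
            findings.append(f"SECLEVEL: {i.nameif} shares security-level {i.level} "
                            f"with inside; confirm the ACL restricts it or lower the level")
    return findings

for finding in audit(ASA_CONFIG, SWITCH_TRUNK):
    print(finding)
```

Run against the post's snippets it reports only the two SECLEVEL findings (Testing-Vlan and Guest), which matches what the post says is deliberate; removing VLAN 12 from the trunk's allowed list produces a TRUNK finding for the Guest sub-interface, the failure mode where the firewall is configured correctly but the switch silently discards the tagged frames.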






* If you are not confident in, or do not have the understanding to apply, changes to a company network, it is always best to employ a professional.


Home Datacenter 2017 "It's Time To Move"

Below is a link to my walk-through of my home lab. I hope everyone enjoys!

Just to get this out of the way first... I do live in a townhouse that I rent. So it's kind of hard to make things the way I actually want to make them, with wires going through the walls, APs hanging from the ceiling, etc. With that in mind, I did move my network equipment from my upstairs spare bedroom, aka the IT junk room, to the enclosed Dell PowerEdge 4220 42U rack. I do however have one existing cable, in red, that snakes its way up the stairs to my office/gaming room.

[Photos: the IT junk room, with the Cisco 1811/1841, a Brother wireless printer on standby, and an old gaming case (4+ years old)]




## Typical power usage for all the equipment in the PowerEdge 4220 is around 270-320 W ##




Currently in the PowerEdge 4220 I have a good amount of goodies.

1x Arris cable modem - Comcast Cable
1x UBNT cloud key ( Migrated to a VM)
1x ASA 5506-X firewall with Firepower services
2x 3750s with stacking cables!!!
1x USB 2TB Veeam backup unit
1x R710 with 2 L5540s / 72GB RAM / 2.5TB of storage
1x 2950 with 2 Quad cores (HT) / 32GB ram / 0 Storage


What's on my R710 you ask?

Host

ESXI1 - 192.168.4.124


VM's:

Cacti - Debian 8.5.0
Cacti Upgrade - Testing
DC2 - AD/DNS Master
DC3 - AD/DNS Slave
Debian - [email protected] project
Debian - Freepbx 12/13
Debian - Seedbox
Debian - Unifi Cloud Key
Debian - Virtualmin
Debian - Webmin
Debian Webserver - Dev testing
Exchange 2013 - Enterprise Cal
Server 2012 - Veeam and Vcenter (Host)
Unitrends - Backup testing
Workstation - Personal VDI
Workstation - Sister's VDI
WSUS 2012 - Windows Update Server



Plans for expansion

7x 600GB or 900GB 15K drives in Raid 6 for Production R710
7x/13x 3TB drives in Raid 5 on R710 or r510
2 APC/tripplite UPS
1x 3750G 24p or 3x 3850 24p
7x UBNT 1080P cameras
1x ASA 5525-X
1x 3945e


Some internal work:

Separate VLANs for different devices (servers, computers, phones, etc.)
Upgrade IPsec tunnel to GRE with EIGRP / OSPF depending on devices
Centralized cloud storage (cold or nearline)
Azure for hot standby vm's
Point to Point Bridges for family nearby

Is Security In Your Life Important?

What are some important things that come to mind right away that you want to protect? Your house, job, precious items, etc… Well, in the digital age of 2017 our priority needs to be on security.
 
Symantec Corporation stated these facts, "In 2015, we saw a record-setting total of nine mega-breaches, and the reported number of exposed identities jumped to 429 million. But this number hides a bigger story. In 2015, more companies chose not to reveal the full extent of their data breaches. A conservative estimate of unreported breaches pushes the number of records lost to more than half a billion.
An extremely profitable type of attack, ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit. In 2015, ransomware found new targets in smart phones, Mac, and Linux systems. Symantec even demonstrated proof-of-concept attacks against smart watches and televisions in 2015."
https://www.symantec.com/security-center/threat-report

As we can see from the above statement, and many other security vendors are seeing similar increases in cyber threats, the question is: what can we do to take preventative measures, or do the best we can to eliminate the chance of an unknown individual getting hold of our personal information? One step that I wanted to look at, out of a series of security posts, is how we manage our passwords, credit cards and other personal information. When looking at my own personal data I wanted to break my information up across different locations or different providers I use to store it. I've personally used Google to manage all my information, but have recently decided to change who has what data, to limit the exposure if I were compromised. The company I use to manage my passwords, cards and notes is LastPass. LastPass is free, but to me $1.00 USD a month is hardly anything for keeping data secure. You can even compare the personal (Free vs Premium) features to better select which one works for you. I upgraded to the premium version because of the Yubico bundle that was being offered. I thought to myself about getting the Yubico key to log into my Apple MacBook Pro as well as several other servers/workstations I have, but also to use it as a second factor of authentication. Most people who are tech savvy think that two-factor authentication is secure when using text, calling, or account authentication through iCloud or Google. However, that's not the case, as those can be spoofed, especially text/call verification. I personally would rather have a physical device in my hands as a second factor. Another nice feature that LastPass provides is an in-application security challenge. It scans all imported or created information and gives it a sort of test; it then displays your score as well as what should be changed.

After that you can generate new complex passwords, better than the Password123 passwords you may have. This app has way too many features to talk about, but you can always go to the webpage at https://lastpass.com for more information.

[Screenshot]

With the above information in mind, it is always good to monitor and keep your security at the highest level possible. If for some reason you cannot afford the $1 a month, the free version is very viable, but you do of course also have Google Chrome and KeePass (KeePass Installer, KeePass Portable, KeePassX for OS X). Both options are free! You can either click on the blue links to download them from my storage or go directly to the vendors' pages.

Homelab Plans

Homelab 2017 Projects

I have a good bit of restructuring going on in my homelab, which I will later upload a video about to my channel or write up on the blog, whichever comes first. If you take a look at the picture below and compare it to the Home Lab 2016 blog, you will notice that the Dell PowerEdge R710 is now part of my vCenter cluster. I have also added a handful of virtual machines to the environment. With that being said, I have some matters to handle to make this lab more "enterprise-like".

[Screenshot: current homelab]

I'm looking at purchasing another server to separate my production and development environments, expanding my RAM capacity from 74GB to 144GB (+), and purchasing newer storage, which I will explain more about soon. Even though this is a homelab I still want to take it as seriously as I can because… guys, this is what gets you a job, or at least the experience to feel confident in what you are doing. Having a lab not only gives me the time to learn at home and expand my knowledge, but also gives me better integration with my entire family. The server that will expand the lab is probably going to be another R710, since I know its power usage and it's pretty reliable. However, the other candidates are an R720, an R510, and a cluster of R610s.


For the current R710 I want to have the internal drives upgraded to SAS 600GB 15K or 900GB 10K drives. I also want to replace the PERC 6/i controller (which I have in the system currently) with an H700 so I can use RAID 6, which tolerates 2 drive failures rather than RAID 5's 1 drive failure. In order to get that up and running I would like to purchase another computer so those VMs can be vMotioned over to the development server until I get the new drives in.


Production Server (R710)

Raid Card - For Current R710 - http://tinyurl.com/mpsvc3m (total cost = $99.99)
Hard Drive 600GB - For Current R710 - http://tinyurl.com/mcqktbn (total cost = $474.00)
Hard Drive 900GB - For 2nd server - http://tinyurl.com/khmqfoj (total cost = $1,200.00)

Datastore Size for Production server:

600GB x 6 - 2.2TB
900GB x 6 - 3.3TB

Developer Server Options:

*Option #1 - For the Developer server, 6 bay (HDDs) - http://www.ebay.com/itm/351858323472 (total cost = $348.00) - Total Drive Storage (Raid 6) - 7.3TB
*Option #2 - For the Developer server, 12 bay (HDDs) - http://www.ebay.com/itm/351858323472 (total cost = $696.00) - Total Drive Storage (Raid 6) - 18.2TB