procurve 2910: upgrade firmware from usb-stick

ProCurve 2910al-24G Switch# sh ver
Image stamp:    /sw/code/build/sbm(t4a)
                Nov  5 2009 18:02:07
                W.14.38
                51
Boot Image:     Primary
ProCurve 2910al-24G Switch# dir
Listing Directory /ufa0:
-rwxrwxrwx    1    8602885 Jun 30 15:50 W_14_49.SWI
ProCurve 2910al-24G Switch# copy usb flash W_14_49.SWI primary
The Primary OS Image will be deleted, continue [y/n]?  y
Validating and Writing System Software to the Filesystem ...
ProCurve 2910al-24G Switch# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 8602885   06/30/10 W.14.49
Secondary Image : 8482560   11/05/09 W.14.38
Boot Rom Version: W.14.04
Default Boot    : Primary
ProCurve 2910al-24G Switch#

Windows server 2008 disable password security complexity requirements

When setting up a new Windows Server 2008 server either with or without Active Directory you will discover that it has a rather strong policy for passwords. If you are setting this up at home or in a small business environment and don’t want to deal with the complex passwords that are required to meet the policy guidelines, you can edit the policy to disable the complexity requirements. You can try going to a command prompt and typing ‘gpedit.msc’ then navigating to Computer Settings\Windows Settings\Security Settings\Account Policies\Password Policy\ section.

Here you will see the ‘Password must meet complexity requirements’ item. When viewing the properties of it, usually the Enabled/Disabled radio buttons will be grayed out and you cannot change the values. If they are able to be changed, go ahead and do it, and save out of the dialog boxes. If it is grayed out and you cannot change it here, this is how you do it:

1. Go to a command prompt.
2. Type ‘secedit /export /cfg c:\local.cfg’ and hit enter.
3. Using notepad, edit c:\local.cfg.
4. Look for the line “PasswordComplexity = 1” and change it to “PasswordComplexity = 0”.
5. You can also edit “MinimumPasswordLength = 7” to a lesser value if you like.
6. Save the file.
7. At a command prompt, type ‘secedit /configure /db %windir%\security\local.sdb /cfg c:\local.cfg /areas SECURITYPOLICY’.
8. This applies the new settings; refreshing gpedit.msc should reflect them.
9. Set your new less complex password!
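The same secedit export can be read back to audit what the policy currently says. The script below is an added example, not from the original post: it parses the [System Access] section of the exported file and flags a disabled complexity requirement or a minimum length under a baseline (the baseline value and the temp file path are assumptions).

```powershell
# Added example (not from the original post): audit the exported local security
# policy that the steps above edit by hand, and report settings weaker than a
# chosen baseline. The baseline number and the temp file path are assumptions.
$MinLength = 7          # assumed baseline; the stock policy shown above uses 7
$cfg = Join-Path $env:TEMP 'policy-audit.cfg'

# secedit writes the same INI-style file as 'secedit /export /cfg c:\local.cfg'.
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (run from an elevated prompt)' }

# Parse only the [System Access] section, where PasswordComplexity and
# MinimumPasswordLength live.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -Force

$findings = @()
if ($policy['PasswordComplexity'] -ne '1') {
    $findings += 'PasswordComplexity = 0: complexity requirements are disabled'
}
if ([int]$policy['MinimumPasswordLength'] -lt $MinLength) {
    $findings += "MinimumPasswordLength = $($policy['MinimumPasswordLength']) is below the baseline of $MinLength"
}
if ($findings.Count -eq 0) { Write-Output 'Local password policy meets the baseline' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```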

wireshark filters

found here: http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html

1. ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1 as either the source or dest]

2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]

3. http or dns [sets a filter to display all http and dns]

4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

5. tcp.flags.reset==1 [displays all TCP resets]

6. http.request [displays all HTTP GET requests]

7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID]

8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]

9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]

10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]

SRX config – ipsec vpn asa – srx multiple subnets

version 10.1R2.8;
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.34.2/16;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.0.2.254/24;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family inet {
                address 2.2.2.2/28;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
    }
}
security {
    ike {
        proposal ikep1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy IkePolicy1 {
            mode main;
            proposals ikep1;
            pre-shared-key ascii-text "$9$JgGHm36AB1h/CMX7d4o"; ## SECRET-DATA
        }
        gateway IkeGateway1 {
            ike-policy IkePolicy1;
            address 64.61.147.206;
            dead-peer-detection;
            no-nat-traversal;
            external-interface ge-0/0/14.0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsecp2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy VpnPolicy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsecp2;
        }
        vpn Vpn1 {
            ike {
                gateway IkeGateway1;
                ipsec-policy VpnPolicy1;
            }
        }
    }
    nat {
        source {
            rule-set hide-nat {
                from zone [ Dmz2 Trust ];
                to zone Untrust;
                rule Except {
                    match {
                        destination-address 172.16.1.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule hide-nat-rule {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Trust {
            tcp-rst;
            address-book {
                address local_lan 192.168.0.0/16;
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone Untrust {
            address-book {
                address ASA_lan 172.16.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/14.0;
            }
        }
        security-zone Dmz2 {
            tcp-rst;
            address-book {
                address dmz2_lan 10.0.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
    policies {
        from-zone Untrust to-zone Dmz2 {
            policy ASADmz2 {
                match {
                    source-address ASA_lan;
                    destination-address dmz2_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy Dmz2ASA;
                        }
                    }
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy VpnASA {
                match {
                    source-address local_lan;
                    destination-address ASA_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy ASAVpn;
                        }
                    }
                }
            }
            policy 56 {
                match {
                    source-address Full_Access;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Dmz2 to-zone Untrust {
            policy Dmz2ASA {
                match {
                    source-address dmz2_lan;
                    destination-address ASA_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy ASADmz2;
                        }
                    }
                }
            }
            policy sslvpn2any {
                match {
                    source-address sslvpn_10.0.2.10;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Untrust to-zone Trust {
            policy ASAVpn {
                match {
                    source-address ASA_lan;
                    destination-address local_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy VpnASA;
                        }
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}

ASA config – ipsec vpn asa – srx multiple subnets

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
names
name 192.168.0.0 NLLan
name 10.0.2.0 NLLan2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
object-group network VPNSubnets
 network-object NLLan2 255.255.255.0
 network-object NLLan 255.255.0.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 object-group VPNSubnets
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 object-group VPNSubnets
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value inside_access_in
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
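With several subnets behind one policy-based tunnel, the two failures seen most often are proxy-IDs that are not mirrored on both peers and NAT that rewrites the traffic before it can match the tunnel policy. The script below is an added example, not part of the original post: it takes the prefixes from the SRX and ASA configurations above and checks both conditions, including the case where one side forgets a subnet.

```python
# Added example (not part of the original post): cross-check the SRX and ASA
# configs above. A policy-based VPN with several subnets fails when the
# proxy-IDs (traffic selectors) are not mirrored on both peers, or when a
# NAT rule rewrites traffic before it can match the tunnel policy.
from ipaddress import ip_network

# Prefixes copied from the two configurations; comments give their names there.
SRX_LOCAL = ["192.168.0.0/16", "10.0.2.0/24"]       # local_lan, dmz2_lan
SRX_REMOTE = ["172.16.1.0/24"]                      # ASA_lan
SRX_NAT_EXEMPT = [("0.0.0.0/0", "172.16.1.0/24")]   # rule Except: any -> ASA_lan, source-nat off
ASA_LOCAL = ["172.16.1.0/24"]                       # inside
ASA_REMOTE = ["192.168.0.0/16", "10.0.2.0/24"]      # object-group VPNSubnets
ASA_NAT_EXEMPT = [("172.16.1.0/24", r) for r in ASA_REMOTE]  # inside_nat0_outbound


def selectors(local_nets, remote_nets):
    """Expand local/remote lists into the (local, remote) prefix pairs a peer proposes."""
    return {(ip_network(l), ip_network(r)) for l in local_nets for r in remote_nets}


def fmt(pairs):
    return sorted(f"{l}->{r}" for l, r in pairs)


def check_proxy_ids(srx_local, srx_remote, asa_local, asa_remote):
    """Return (srx_only, asa_only): selectors one peer proposes that the other does not mirror."""
    srx = selectors(srx_local, srx_remote)
    asa = {(r, l) for l, r in selectors(asa_local, asa_remote)}  # flip to the SRX's point of view
    return fmt(srx - asa), fmt(asa - srx)


def check_nat_exempt(local_nets, remote_nets, exempt_pairs):
    """Return tunnelled pairs no NAT-exempt rule covers; they get source-NATed and miss the tunnel."""
    exempt = [(ip_network(a), ip_network(b)) for a, b in exempt_pairs]
    uncovered = {(l, r) for l, r in selectors(local_nets, remote_nets)
                 if not any(l.subnet_of(el) and r.subnet_of(er) for el, er in exempt)}
    return fmt(uncovered)


if __name__ == "__main__":
    print("proxy-ID mismatch:", check_proxy_ids(SRX_LOCAL, SRX_REMOTE, ASA_LOCAL, ASA_REMOTE))
    print("SRX NAT leak:", check_nat_exempt(SRX_LOCAL, SRX_REMOTE, SRX_NAT_EXEMPT))
    print("ASA NAT leak:", check_nat_exempt(ASA_LOCAL, ASA_REMOTE, ASA_NAT_EXEMPT))
```

For the configs as posted all three checks come back empty; dropping NLLan2 from VPNSubnets or from the nat0 ACL makes the 10.0.2.0/24 pair show up.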

Multiple vpn tunnels in Junos on SRX platform

interfaces {
    fe-0/0/3 {
        description untrustinterface;
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    st0 {
        description TunnelInterface;
        unit 10 {
            description TunnelVPN10;
            family inet {
                address 10.1.254.1/30;
            }
        }
        unit 11 {
            description TunnelVPN11;
            family inet {
                address 10.1.254.5/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.254;
        route 10.1.10.0/24 next-hop 10.1.254.2;
        route 10.1.11.0/24 next-hop 10.1.254.6;
    }
}
security {
    ike {
        proposal IkeProposal1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy IkePolicyVPN10 {
            mode main;
            proposals IkeProposal1;
            pre-shared-key ascii-text "vbnFGJrtuy"; ## SECRET-DATA
        }
        policy IkePolicyVPN11 {
            mode main;
            proposals IkeProposal1;
            pre-shared-key ascii-text "gjhgJHGDFGHdfj"; ## SECRET-DATA
        }
        gateway IkeGatewayVPN10 {
            ike-policy IkePolicyVPN10;
            address 2.2.2.2;
            dead-peer-detection;
            external-interface fe-0/0/3.0;
        }
        gateway IkeGatewayVPN11 {
            ike-policy IkePolicyVPN11;
            address 3.3.3.3;
            dead-peer-detection;
            external-interface fe-0/0/3.0;
        }
    }
    ipsec {
        proposal IpsecProposal1 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy VpnPolicy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IpsecProposal1;
        }
        vpn VPN10 {
            bind-interface st0.10;
            ike {
                gateway IkeGatewayVPN10;
                ipsec-policy VpnPolicy1;
            }
        }
        vpn VPN11 {
            bind-interface st0.11;
            ike {
                gateway IkeGatewayVPN11;
                ipsec-policy VpnPolicy1;
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    ping;
                }
            }
            interfaces {
                fe-0/0/3.0;
            }
        }
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                st0.10;
                st0.11;
            }
        }
    }
    policies {
        ## security policies omitted from the original listing
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}

VRRP Example on Procurve E-series

On Core1:
vlan 201
   name "servers"
   ip address 10.254.201.1 255.255.255.0
   tagged A2-A23,B1-B24,C1-C23,Trk1
   exit
vlan 202
   name "beheer"
   untagged A2-A23,B1-B24,C1-C23
   ip address 10.254.202.1 255.255.255.0
   tagged Trk1
   exit
router vrrp
router vrrp virtual-ip-ping
vlan 201
   vrrp vrid 201
      owner
      virtual-ip-address 10.254.201.1 255.255.255.0
      priority 255
      enable
      exit
   exit
vlan 202
   vrrp vrid 202
      owner
      virtual-ip-address 10.254.202.1 255.255.255.0
      priority 255
      enable
      exit
   exit

On Core2:
vlan 201
   name "servers"
   ip address 10.254.201.2 255.255.255.0
   tagged A2-A23,B1-B24,C1-C23,Trk1
   exit
vlan 202
   name "beheer"
   untagged A2-A23,B1-B24,C1-C23
   ip address 10.254.202.2 255.255.255.0
   tagged Trk1
   exit
router vrrp
router vrrp virtual-ip-ping
vlan 201
   vrrp vrid 201
      backup
      virtual-ip-address 10.254.201.1 255.255.255.0
      priority 250
      enable
      exit
   exit
vlan 202
   vrrp vrid 202
      backup
      virtual-ip-address 10.254.202.1 255.255.255.0
      priority 250
      enable
      exit
   exit
