Sunday, 22 April 2018

Making Use of Multiple Public IP addresses - Static NAT - Juniper SRX

Here's a little blog post on an application for making use of multiple external public IP addresses. Seems simple now that I know but like with many things if you don't know it can be frustrating trying to find the answer, so if someone stumbles across this blog post and it helps them then it's done its job.

When you buy a business internet connection, in my case a VDSL broadband service, you have the option of a static IP address or perhaps multiple static IP addresses. The classic use for these static IP addresses would be "mapping" one of them to an internal IP address of a server / appliance without using port forwarding. Port forwarding is great, but you can't forward the same port on one public address to two different servers, so it's more tricky to have resiliency. Having additional public IP addresses gets around this problem.

So how do you actually do it? The principle is straightforward. You use static NAT in your edge router / firewall so that when it receives traffic destined for a particular public IP address it forwards the traffic to a defined private IP address, i.e. all traffic destined for 1.2.3.4 is forwarded to 192.168.1.100. And this applies in reverse: traffic from 192.168.1.100 is translated to 1.2.3.4 when it hits the public internet. Unlike port forwarding this is a one-to-one mapping of the whole address, every port included, so the firewall policy is the only thing deciding which services on 192.168.1.100 are actually reachable from outside.

The reason this was ever in question for me was that try as I might I couldn't get the ISP supplied router to do this. It's a Huawei HG633 and there is no option to configure static NAT. There are weird things like multi-NAT, one-to-many NAT and other variants, some of which sound like they should work, none of which I could get to work.

And then enter my new SRX110, which I am loving more and more as I use it.

A great page from Juniper detailing how static NAT works, with a configuration example, and it was working in all of 20 minutes. I love the way the page gives all the information you need to understand the feature and get it working: a description, a simple picture, a dump of all the commands you need, and then a step by step showing what each section of the configuration does. Ace.
https://www.juniper.net/documentation/en_US/junos/topics/example/nat-security-static-single-address-translation-configuring.html

I've pasted the picture and quick commands below just in case Juniper does something silly like changing the URL. Obviously, all credit goes to Juniper for the below; this good work is not mine, I'm just reposting it for reference. Two things to adjust when applying it to a PPPoE setup like mine: the proxy-arp line is for an Ethernet WAN interface, where the SRX has to answer ARP for the extra address, whereas on a PPPoE link (pp0.0) the ISP routes the static block to your PPP session and there is no ARP to proxy; and the server-access policy permits application any, which combined with static NAT means every port on the internal host is reachable from the internet, so in a real deployment match only the applications the host actually serves (junos-https, for example).
(Figure: Static NAT single address translation)

Quick Configuration (Juniper's "CLI Quick Configuration"):

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 203.0.113.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32
set security address-book global address server-1 192.168.1.200/32
set security policies from-zone trust to-zone untrust policy permit-all match source-address server-1
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
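One detail in Juniper's example is easy to miss: the untrust-to-trust policy matches destination-address server-1, which is the private address 192.168.1.200, not the public 203.0.113.200. That is because on the SRX static destination NAT is applied before the security policy lookup. The toy packet walk below, an added example written for this post and not Juniper's code, models that ordering and shows what changes when server-access is narrowed from application any to junos-https. The outside addresses (198.51.100.7) are constructed from the RFC 5737 test ranges, and the model is simplified: it derives the ingress zone from the source prefix rather than the arriving interface.

```python
"""Toy model of the order of operations on an SRX for a packet that hits a
static NAT rule: destination static NAT is applied before the security policy
lookup, so the untrust-to-trust policy has to match the private (translated)
address. Added example for this post, not Juniper's code. Outside addresses
are constructed test addresses; the flow is a simplification of the real one."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PUBLIC = ip_network("203.0.113.200/32")      # static NAT "match destination-address"
PRIVATE = ip_network("192.168.1.200/32")     # static NAT "then static-nat prefix"
TRUST_NET = ip_network("192.168.1.0/24")     # the LAN behind vlan.0

# A few Junos predefined applications as (protocol, destination port).
APPS = {"junos-https": ("tcp", 443), "junos-ssh": ("tcp", 22)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    name: str
    src: str          # CIDR prefix or "any"
    dst: str          # CIDR prefix or "any"
    apps: tuple       # names from APPS, or ("any",)
    action: str = "permit"


def zone_of(addr: str) -> str:
    """Route-based zone lookup: the LAN prefix is trust, everything else untrust."""
    return "trust" if ip_address(addr) in TRUST_NET else "untrust"


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _app_matches(apps: tuple, pkt: Packet) -> bool:
    return "any" in apps or any(APPS[a] == (pkt.proto, pkt.dport) for a in apps)


def walk(pkt: Packet, policies: Tuple[Policy, ...]) -> Tuple[str, Optional[str], Packet]:
    """Return (verdict, matched policy name, packet as it leaves the box)."""
    ingress = zone_of(pkt.src)
    # 1. Static destination NAT runs before the policy lookup (rule-set rs1 from zone untrust).
    if ingress == "untrust" and ip_address(pkt.dst) in PUBLIC:
        pkt = replace(pkt, dst=str(PRIVATE.network_address))
    egress = zone_of(pkt.dst)
    # 2. First matching policy in the from-zone/to-zone context wins; no match means deny.
    verdict, hit = "deny", None
    for p in policies:
        if ((p.from_zone, p.to_zone) == (ingress, egress)
                and _addr_matches(p.src, pkt.src)
                and _addr_matches(p.dst, pkt.dst)
                and _app_matches(p.apps, pkt)):
            verdict, hit = p.action, p.name
            break
    # 3. The reverse side of static NAT: traffic from the mapped host leaves with the public source.
    if verdict == "permit" and egress == "untrust" and ip_address(pkt.src) in PRIVATE:
        pkt = replace(pkt, src=str(PUBLIC.network_address))
    return verdict, hit, pkt


# Juniper's example policies as written in the post.
JUNIPER_EXAMPLE = (
    Policy("trust", "untrust", "permit-all", "192.168.1.200/32", "any", ("any",)),
    Policy("untrust", "trust", "server-access", "any", "192.168.1.200/32", ("any",)),
)
# Same, with the inbound policy limited to the one service the host should expose.
TIGHTENED = (
    JUNIPER_EXAMPLE[0],
    Policy("untrust", "trust", "server-access", "any", "192.168.1.200/32", ("junos-https",)),
)

if __name__ == "__main__":
    internet_host = "198.51.100.7"   # constructed outside address
    for label, pols in (("juniper example", JUNIPER_EXAMPLE), ("tightened", TIGHTENED)):
        for dport in (22, 443):
            v, name, out = walk(Packet(internet_host, "203.0.113.200", "tcp", dport), pols)
            print(f"{label}: inbound tcp/{dport} -> {v} ({name}), delivered to {out.dst}")
    v, name, out = walk(Packet("192.168.1.200", internet_host, "tcp", 443), TIGHTENED)
    print(f"outbound from server-1 -> {v} ({name}), seen on the internet as {out.src}")
```

With Juniper's policies as written, SSH from the internet to 203.0.113.200 is delivered to 192.168.1.200 and permitted; with the tightened policy the same packet is dropped by the default deny while HTTPS still gets through, and the server's own outbound traffic still leaves with 203.0.113.200 as its source.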

Friday, 20 April 2018

Talktalk Business VDSL Configuration for Juniper SRX110H

I've recently upgraded my broadband internet connection from a consumer grade connection with Talktalk "residential" to a business grade connection with Talktalk Business. The primary reason for this is because I want a number of static IP addresses to run applications, such as remote access VPN and a number of Unified Comms features. Plus I've always been curious about how it all works with multiple public IPs. I know you can do quite a lot with dynamic DNS, such as DYNDNS or noip, but there are quite a few advantages from a small number of static IPs for me so I'm giving it a go.

The router supplied with the broadband is a standard "budget" router, a Huawei HG633, which is ok but it's not intuitive and there's almost no assistance available. Plus as an IT professional I feel I should be using something a little more "real" anyway :) Traditionally I've used a Cisco 867VAE for ADSL / VDSL but I've run into a few issues, hopefully more on that in another post coming soon, so I decided to have a crack with a Juniper SRX110H-VA. And I have to say it's working brilliantly and it was easier than I thought to set up. So I wanted to write up a post with my configuration and a few experiences in case it helps anyone else in the future.

Talktalk Business Settings:
Starting off with the TalkTalk Business VDSL settings for Simply Fibre, as of April 2018:

Encapsulation Type: PPPoE
MTU: 1492
VDSL VLAN tag: 101
PPP Authentication mode: CHAP
Internet Account username: phonenumber@talktalkbusiness.net
Internet Account Password: contact talktalk support for this
IP Address: negotiated

Juniper Configuration:
Now the Juniper specific configuration.
The pt interface is the physical VDSL interface and "unit 0" is its default logical unit (subinterface):

    pt-1/0/0 {
        vlan-tagging;
        mtu 1492;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 101;
        }
    }

The pp interface is the logical PPPoE interface, similar to a dialer on a Cisco box. It is linked to the physical interface using the underlying-interface command:
 pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret "xxxxxxxxxxxxx";
                    local-name "xxxxxxxxxxx@talktalkbusiness.net";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }

Set your LAN address on vlan.0 (the interface your local DHCP scope lives on):
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }

And your default route and you're done. On a PPPoE link you can also point the route at the logical interface (next-hop pp0.0) instead of the ISP's gateway address, which avoids hard-coding an address the ISP may change:
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.x; (ISP's next hop address)
        }
    }

You will have to set up NAT and security zones too, but the SRX factory default already takes care of this so that's nice and easy, although for completeness here is the config below. One caveat on the zone configuration as shown: host-inbound-traffic system-services all on the untrust zone (and on pp0.0 / pt-1/0/0.0) lets the whole internet reach any management service the box has enabled (SSH, J-Web over HTTP/HTTPS, NETCONF and so on), not just traffic passing through it. On an internet-facing interface restrict this to what the WAN actually needs, typically ping plus ike if you terminate a remote-access VPN there, and keep management access on the trust side.

NAT:
 nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

Security Zones:
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            pp0.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            pt-1/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

Please note you can't just paste the above config into your device as-is; you have to turn it into set commands and enter them (or use load merge terminal in configuration mode, which does accept the hierarchical format, then commit). This is how JunOS works, and it's actually a great OS. I'd be happy to lend a hand if anyone is new and wants a pointer. I'm no master but I'm enjoying the OS and the way it works.
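Since the zone configuration above is the kind of thing that gets copied from box to box, here is a small audit script, an added example written for this post and not Juniper tooling, that reads the zone config in set form (what show configuration security zones | display set prints), flags management services allowed inbound to the device from the untrust zone, and emits the set commands that replace the blanket allow with a short explicit list. The sample config is constructed to match the zone config in this post, with a trust zone added for contrast; the list of "risky" services and the choice to keep ping and ike are assumptions about policy intent, not something Junos defines.

```python
"""Audit the host-inbound-traffic part of an SRX zone configuration for
management services exposed on the internet-facing zone, and emit the set
commands that narrow it. Added example for this post, not Juniper tooling.
SAMPLE_SET_CONFIG is constructed from the post's zone config, not captured."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_SET_CONFIG = """\
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
"""

_HIT = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifc>\S+))?"
    r" host-inbound-traffic (?P<kind>system-services|protocols) (?P<svc>\S+)$"
)

# Services that should not be reachable from the internet-facing zone. "all"
# implies every one of them; the named ones are the usual management surfaces.
# Assumption about policy intent: treat as a starting point for your own list.
RISKY = {"all", "ssh", "telnet", "http", "https", "netconf",
         "xnm-clear-text", "xnm-ssl", "ftp", "finger"}

Scope = Tuple[str, Optional[str]]   # (zone, interface or None for zone-wide)


def parse_host_inbound(config: str) -> Dict[Scope, Dict[str, set]]:
    """Map each scope to the system-services and protocols it allows inbound.
    Both levels matter: interface-level settings override the zone-level ones
    for that interface, so an audit has to look at each separately."""
    found: Dict[Scope, Dict[str, set]] = defaultdict(
        lambda: {"system-services": set(), "protocols": set()})
    for line in config.splitlines():
        m = _HIT.match(line.strip())
        if m:
            found[(m["zone"], m["ifc"])][m["kind"]].add(m["svc"])
    return dict(found)


def audit(config: str, untrust_zone: str = "untrust") -> List[Tuple[str, str]]:
    """Findings as (scope, what) for risky services allowed to the box from untrust."""
    findings = []
    for (zone, ifc), allowed in parse_host_inbound(config).items():
        if zone != untrust_zone:
            continue
        scope = f"zone {zone}" if ifc is None else f"{zone} interface {ifc}"
        for svc in sorted(allowed["system-services"] & RISKY):
            findings.append((scope, f"system-services {svc}"))
        if "all" in allowed["protocols"]:
            findings.append((scope, "protocols all"))   # listens for every routing protocol
    return findings


def suggested_fix(config: str, untrust_zone: str = "untrust",
                  keep=("ping", "ike")) -> List[str]:
    """Set commands that replace the blanket allow with an explicit short list.
    ping keeps path diagnostics working; ike is only needed if the SRX terminates
    a VPN on this zone (assumption about what this network wants; adjust to taste)."""
    cmds = [f"delete security zones security-zone {untrust_zone} host-inbound-traffic"]
    for zone, ifc in parse_host_inbound(config):
        if zone == untrust_zone and ifc is not None:
            cmds.append(f"delete security zones security-zone {zone} interfaces {ifc} host-inbound-traffic")
    cmds += [f"set security zones security-zone {untrust_zone} host-inbound-traffic system-services {s}"
             for s in keep]
    return cmds


if __name__ == "__main__":
    for scope, what in audit(SAMPLE_SET_CONFIG):
        print(f"FINDING: {scope}: {what}")
    print("\n".join(suggested_fix(SAMPLE_SET_CONFIG)))
```

Run against the sample it reports six findings (system-services all and protocols all at the zone level and on each of the two untrust interfaces) and prints three delete commands followed by the two set commands for ping and ike, which you can paste into configuration mode and commit.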

Lessons Learned:
One gotcha I learned on the way. JunOS doesn't support VLAN tagging on the VDSL interface until Release 12.1. Originally my SRX shipped with 11.x and I had to upgrade this in order to get it working.

Juniper References:
SRX110 Software Config Guide (see the tabs on the left hand side):
https://www.juniper.net/documentation/en_US/release-independent/junos/topics/concept/services-gateway-srx110-configuration-preparing.html

Configuring PPPoE Interfaces:
https://www.juniper.net/documentation/en_US/junos/topics/example/pppoe-security-interface-configuring.html

Configuring Ethernet Switch Ports:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16667&actp=METADATA

Configuring a static route:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16572&actp=METADATA

Configuring OSPF:
https://www.juniper.net/documentation/en_US/junos/topics/example/ospf-single-area-configuring.html

Thursday, 1 March 2018

Cisco vWLC deployment in ESXi 6.5 Bug - "A required disk image was missing"

A marginal side track but still semi-relevant...

I tried to deploy an OVA file of the Cisco virtual WLC (vWLC); I've tried a number of the versions and I keep getting the same error: "A required disk image was missing".


After a little googling it appears to be a known bug: the Cisco vWLC doesn't like being deployed on ESXi 6.5 via the ESXi web interface. There seem to be 2 workarounds:
  • Deploying via vCenter web client
  • Using the OVF tool
I've tried the installation via the vCenter web client and I can confirm this works fine. I've not been able to try the OVF tool yet.

Wednesday, 21 February 2018

Customising VMware ESXi ISO - Adding Legacy Network Adapters

Part of my objective to understand VMware better is upgrading my lab hosts to a current version of ESXi, I've chosen 6.5 because it's the latest version and my lab is a long way away from a production environment so I don't have to worry about using a proven and stable release.

The snag I have is that one of my servers is a "white box" microserver, a Shuttle DS81, a great little box designed for digital signage, but the built-in Network Card is a Realtek 8111G, which is unsupported by VMware. This stops ESXi 6.x onwards being installed on the device. Error message shown below:

The way round this is customising your ESXi ISO image before installing it, adding the necessary drivers. Now this isn't a hack per se, because VMware actually gives you a tool in vCenter to do this, called the Image Builder; however I suspect this would affect your support from VMware because you are using unsupported hardware. I'm not fussed because this is a lab to enhance my learning, plus it's a great little box, very low power, reasonable spec (4 CPU, 16GB RAM), so there's no way I'm not using it.
VMware Image Builder:
https://blogs.vmware.com/vsphere/2016/11/getting-started-new-image-builder-gui-vsphere-6-5.html

Now I didn't actually use the Image Builder to customise the ISO files; I did give it a quick go but it is not immediately intuitive for a complete novice.

There are 2 other ways (that I have found) to customise the ESXi ISO:

  • ESXi-Customiser
  • ESXi-Customiser-PS
The ESXi-Customiser is what I used. It's not an official VMware product, and has actually been succeeded by the ESXi-Customiser-PS, but I found it so simple and easy to use, and it works perfectly for ESXi 5.5, 6.0 and 6.5.
Just one note: I couldn't get this to work on Windows 10, I had to use a Windows 7 machine.

The ESXi-Customiser-PS (PowerShell) actually looks like it's semi easy to use as well, but I'm a novice and my version of Windows 10 said it couldn't run PowerShell scripts (that's the PowerShell execution policy, which can be bypassed for a single run with powershell -ExecutionPolicy Bypass -File script.ps1), so instead of getting side tracked learning about Windows PowerShell (I'm concentrating on VMware, one thing at a time!), I decided to try the easy way, a 3 click, the ESXi-Customiser (above).

For anyone having the same issues with the Realtek 8111G NIC, the drivers I used were the 8168 driver pack; this page shows you how and provides a mirror. Bear in mind that a driver pack like this is community-built and unsigned, and whatever is inside that VIB runs in the hypervisor itself, so only take it from a source you trust and verify it against whatever checksum the publisher provides:

vCenter License Administration; Apply the license! - Simple when you know

Ok, so this is actually a very simple topic / activity but it took me, a VMware rookie, a little while to suss out so I have decided to do a little blog post and perhaps it'll save someone some time in the future, or maybe just give me a giggle in a few years when I look back at this knowing more than I currently do.

Once you've installed your vCenter (vCSA) instance you will have the trial license installed with 60 days ticking down on the clock. Similarly, when you add a ESXi host into your vCenter inventory you will have an evaluation license, 60 days, ticking down. The free license which you get from VMware will not work when connecting the ESXi host to the vCenter server.

Licenses are installed in the Licensing section, oddly enough!, but they don't actually take effect until you assign the license to one of your assets (the ESXi hosts or the vCenter Server itself). You can't just add the licenses and expect it to work; the added licenses are put into a pool, from where they can then be assigned to an asset.

The licences section can be found here (in the vSphere Web Client):
Administration > Licensing > Licenses



There are 3 tabs in the pane, Licenses, Products and Assets. Licenses is where you add your licenses keys and then, once added, navigate to the assets tab, which shows your vCenter server and ESXi hosts, where you can then right click and assign a license to each of the hosts.

Friday, 16 February 2018

VMware vCenter vCSA Installation stuck at 80% Installing RPM

Installing vCenter 6.5 using the vCSA has been causing me a few issues; running through the GUI installation it kept getting stuck at 80% - installing RPM.




Doing a little googling this seems to happen semi-regularly when there is an issue with the installation.

My issue seemed to be that I was trying to install the vCenter vCSA on an ESXi which was version 5.5. Once I'd upgraded to 6.5 it seemed to install just fine.

If you are getting the same error it's worth checking the compatibility information:


The only other thing which I want to mention in case there is any connection, I also changed the 'system name' field to a FQDN, where previously I used an IP address.

For a link to an easy installation step-by-step for vCSA 6-5 see the below link:

Honourable mention:

Wednesday, 29 July 2015

Windows 10 update not working - disable AVG = fix?? Maybe...

Hi,

Just a quick post but I wanted to get this up because I think I've got round my windows 10 update issue and possibly this might help someone else?

So I've been struggling with updating windows 10 this evening. It has not been automatically updating, so I gave it time, I waited for the notification from Microsoft which never came.

Seemingly windows update just wasn't finding the windows 10 update.

This post at Venture beat seemed to be the solution:
http://venturebeat.com/2015/07/28/how-to-force-windows-to-start-downloading-the-windows-10-update-files/

But I still couldn't get it to work.

Then I tried disabling AVG anti-virus... and now it's downloading...

I don't know why this seems to have worked but if anyone else is struggling to get windows 10 updated as well and you have AVG then try temporarily disabling it and then running through the steps on the above link.

Best of Luck!



** Important Update**

I think the old Cisco VPN client is causing issues. My upgrade has succeeded but I've lost all my network connections. They show in Device Manager but nowhere else, so no network access, internet access etc.

If you are doing the upgrade and have the VPN client installed I would strongly recommend uninstalling it first.

I'm not 100% sure if this is the reason but I'm not taking the risk on the next PC I upgrade!

Wednesday, 12 November 2014

vSphere client on Surface pro 3 / Windows 8.1 input issues

So here's an irritating issue... I have a Surface Pro 3, I really like it, however there are a few niggles and issues but on the whole it's great. (You generally get issues with new versions of windows anyway, anyone remember vista? and windows 7 wasn't perfect for a long time, although it's pretty damn stable now). 

One of these issues was that I couldn't use the VMware vSphere client to control virtual machines using the console on my SP3. The cursor wasn't in sync with the screen. I'd put the cursor in the middle of the screen and it would register further down and off to the right. This made it almost impossible to click anything. I got around this by creating a virtual machine and using RDP to connect to the virtual machine and then connecting that way but it's a bit of a mess.

So here's the actual solution, if you right click the vSphere client icon > Properties > Compatibility > then check the box which disables display scaling on high DPI.

This runs the application natively on the display, which makes everything very small because the screen resolution is fantastic, but I kinda like this, you get more real estate. It messes up a few positions, such as text boxes being slightly screwy, but at least it works!

I couldn't find any other pages which detail this issue so hopefully this'll help someone else with the same issue.

Friday, 25 July 2014

Installing Windows XP in VMware ESXi

I'm relatively new to VMware, but it's on my list of things to look into / learn about, and as part of my little lab I'm building I've installed ESXi 5.1 as the hypervisor on my server. I've always used VMware Player and Workstation before and they are so easy to use but I wanted to use ESXi because it's a little more "real world".

Windows XP is one of my "go to" VMs, it's so quick and easy to install; I've only got trial versions of 7 and 8 and I'm just not familiar with Linux (although I'm trying... give me time). However XP and ESXi don't seem to get on initially.

It turns out XP, being the old OS that it is, does not have the driver for the SCSI controller ESXi picks by default (ESXi chooses a SCSI hard drive by default), so XP setup can't see the disk.

There are two options here:
Install the 3rd party drivers in the XP guest; here are the instructions for this:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1000863

Alternatively, you can just change the hard disk type to IDE and that works a treat too:

Thursday, 24 July 2014

Bridging Cisco Wireless Router to an AP (Or your Phone!!)

Doesn't it just feel great when you figure something out after being stuck on something for a little while? This was one of those moments...

I'm going through the motions of building a portable lab whereby I can test various applications, software and features, and one of my initial considerations was how to get Internet access to the lab. I've got an 1841 with a 3G HWIC module inside it so I could buy a SIM and configure that, but the plans for 'non-mobile' devices are crazy expensive, plus I'm already paying for an unlimited internet package for my phone so it just feels wrong spending more money. The other option is tethering the phone to the LAN in some way, either via a USB to RJ45 adapter (but then I can't charge and tether my phone at the same time) or secondly some way wirelessly, and it turns out this is very possible with a feature called universal client mode.

Universal Client Mode allows the router / AP to connect to a wireless network as though it was a client, very cool! So I'm able to use the portable hot-spot functionality of the phone, and connect to the phone from the router as though it was a client; below is a rough diagram of the setup:

"Free" access for my Lab.

So now here's the important bit, the configuration. I couldn't find any other blogs etc. where people have done this, there are similar things but not exactly this, and as such I spent some time figuring this out, so I'm putting it here for future reference, and hopefully it'll help someone else out in the future.

! first of all you need to configure the radio:
interface Dot11Radio0

! Tells the router to act in universal client mode
station-role non-root 

! Set the IP address to be obtained using DHCP
ip address dhcp

! create the ssid - has to be the same as the ssid advertised from the phone
dot11 ssid SSID_NAME

!set the authentication - I've used open
authentication open

! Go back into the dot11 radio interface and associate the ssid to the interface
interface Dot11Radio0
ssid SSID_NAME

At this point you should have a virtual-dot11radio interface configured and it should receive an IP address from the phone.

And from here you just create a default route, setup NAT and "jobs a good 'un".

A couple of notes: you have to make sure there is no vlan X command because Universal Client Mode needs to use the native vlan (I.E. no vlan configured)

Also, when I added the default route I had to manually set the IP address of the phone I.E. 192.168.43.1 (in my case) it didn't work when I set the exit interface as either dot11radio0 or the virtual-dot11radio0. I don't know why, perhaps someone can comment? But that's well worth noting.

Excellent!

Here's a quick update: if you are not happy without any encryption you can add WPA2 encryption with a Pre-Shared Key (PSK) with these commands (authentication key-management wpa on its own accepts WPA as well as WPA2; add version 2 to it if you want to pin the SSID to WPA2 only):

!Under the dot11 SSID config:
 authentication key-management wpa
 wpa-psk ascii 0 password

!Under the dot11radio interface:
encryption mode ciphers aes-ccm


!!Update number 2!!
So I managed to break my NAT translations. I was playing with settings and "cleaning up the config" and I noticed that my lab VMs had lost internet connectivity.
I've since fixed it but my method is not 100% conventional. I had to change my NAT statement to refer to a pool holding the address being translated to, rather than the exit interface (virtual-dot11radio0); for some reason my NAT statement and default route don't work if I point them at the virtual-dot11radio0 interface. The simple fix is to use the IP address rather than the interface but I'm a little wary because the address comes from the phone's DHCP and can change. We'll see, if I find a way around this I will update again. Anyway, for the time being, here are the revised NAT statements:

ip nat pool NAT-POOL 192.168.43.183 192.168.43.183 netmask 255.255.255.0
ip nat inside source list PERMIT-NAT pool NAT-POOL overload

ip access-list standard PERMIT-NAT
permit 172.16.213.0 0.0.0.255

Thursday, 10 April 2014

OSPF LSA types 1-7

I'm going through the process of recertifying my CCNP and one thing I can never recall from memory is a good description of each of the OSPF LSA types. Therefore it gets a quick blog post to aid the old memory.

LSA Type 1 (Router LSA):
Routers each create a type 1 LSA for each area they connect to in order to represent themselves within an area. Therefore the LSDB for an area will contain one type 1 LSA  for each router in the area. 

LSA Type 2 (Network LSA):
The type 2 LSA is created by a DR to detail the subnet and connected router interfaces in that subnet.

LSA Type 3 (Network Summary LSA):
The type 3 LSA is used to advertise subnets listed in one area to another area. It is created by an ABR.

LSA Type 4 (ASBR Summary LSA):
The type 4 LSA is created by an ABR when it receives a type 5 LSA from an ASBR. This LSA is required in order to support the tie-breaking logic for best path selection for routers internal to an area when calculating the best path to an external network reached via another area. This is required because E2 external routes do not increment the metric when travelling through the network, therefore a router in an area could have 2 (or more) paths to the external network with identical metrics. The tie-break logic says that even though the metrics tie, the router should put into the routing table the route via the best path to reach the ASBR. So if it had a Fast Ethernet connection and a serial connection, even though the metrics would be the same (20 by default for an E2), instead of load balancing the router looks up the best path to reach the ASBR and puts this route into the routing table.

Now the above logic works fine if the router and the ASBR are in the same area. If not, then the router can calculate the best path to the ABR but beyond this it has no awareness of the topology. This is where the type 4 LSA comes in. A type 4 LSA is generated by an ABR and details that ABR's cost to reach the ASBR. This solves the above problem because where an internal area router has 2 ABRs out of the area, it now knows the cost from each ABR to reach the ASBR in the other area, adds its own cost to each ABR, and so can make the best path selection accordingly.
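To make the tie-break above concrete, here is a small worked example, added for this post and not taken from any router output. It models an internal router with two or three ABRs out of its area: each candidate carries the router's own intra-area cost to the ABR (from its type 1/2 SPF) and the cost that ABR advertises for the ASBR in its type 4 LSA. The costs and ABR names are constructed; the default external metric of 20 is Cisco's.

```python
"""Worked example of OSPF external path selection with type 4 LSAs. E2 routes
carry the ASBR's external metric unchanged, so when several ABRs lead to the
same ASBR the metrics tie and the router falls back to the cost of reaching
the ASBR: intra-area cost to the ABR plus the ABR's type 4 metric. E1 routes
add that path cost into the metric directly. Added example for this post;
topology costs are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Candidate:
    via_abr: str
    cost_to_abr: int     # from this router's own SPF over type 1/2 LSAs
    abr_to_asbr: int     # the ABR's type 4 LSA metric for the ASBR
    external: int = 20   # metric in the ASBR's type 5 LSA (Cisco default)


def cost_to_asbr(c: Candidate) -> int:
    """Forwarding cost used as the E2 tie-break (type 1/2 path + type 4 metric)."""
    return c.cost_to_abr + c.abr_to_asbr


def route_metric(c: Candidate, rtype: str) -> int:
    if rtype == "E1":
        return c.external + cost_to_asbr(c)   # internal cost accumulates
    if rtype == "E2":
        return c.external                     # carried unchanged across the AS
    raise ValueError(rtype)


def _rank(c: Candidate, rtype: str) -> Tuple[int, int]:
    # Lower is better: metric first, then (E2 only) the cost to reach the ASBR.
    return (route_metric(c, rtype), cost_to_asbr(c) if rtype == "E2" else 0)


def installed_paths(cands: List[Candidate], rtype: str = "E2") -> List[str]:
    """ABRs whose path ends up in the routing table; more than one means ECMP."""
    best = min(_rank(c, rtype) for c in cands)
    return [c.via_abr for c in cands if _rank(c, rtype) == best]


def naive_nearest_abr(cands: List[Candidate]) -> List[str]:
    """What the router could do if it only knew the cost to each ABR (no type 4 LSA)."""
    best = min(c.cost_to_abr for c in cands)
    return [c.via_abr for c in cands if c.cost_to_abr == best]


# Constructed topology: ABR-A is one Fast Ethernet hop away (cost 1) but far
# from the ASBR in the other area (74); ABR-B is over a serial link (64) but
# sits next to the ASBR (1); ABR-C ties with ABR-B on the total (60 + 5).
CANDIDATES = [
    Candidate("ABR-A", cost_to_abr=1, abr_to_asbr=74),
    Candidate("ABR-B", cost_to_abr=64, abr_to_asbr=1),
    Candidate("ABR-C", cost_to_abr=60, abr_to_asbr=5),
]

if __name__ == "__main__":
    print("nearest ABR only:", naive_nearest_abr(CANDIDATES))
    for rtype in ("E2", "E1"):
        ranks = {c.via_abr: _rank(c, rtype) for c in CANDIDATES}
        print(rtype, ranks, "->", installed_paths(CANDIDATES, rtype))
```

Without the type 4 information the router would head for ABR-A, the closest ABR; with it, the E2 metrics tie at 20 and the forwarding cost picks ABR-B and ABR-C (65 each, so they load balance) over ABR-A (75). A candidate with a lower E2 metric still wins regardless of how far away it is, because the forwarding cost is only consulted when the metrics tie.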

LSA Type 5 (AS External LSA):
The type 5 LSA is used to advertise external routes into an area, this is created by the ASBR.

LSA Type 6 (Group Membership):
Unused on Cisco IOS so I'm ignoring it for the time being

LSA Type 7 (NSSA External LSA):
The type 7 LSA is created by an ASBR inside an NSSA (Not So Stubby Area) to advertise its external routes. Stub areas don't permit type 5 LSAs at all, so an area that needs to stay stub-like but still contain an ASBR is configured as an NSSA: the ASBR originates type 7 LSAs within the area and the ABR translates them into type 5 LSAs for the rest of the OSPF domain.


I might well update this as I read and learn more but for the time being it's a good reference for me. 

Friday, 28 March 2014

Juniper Part number confusion

So this is another one which should be very obvious but again I'd never questioned it until recently, so I'm jotting it down for reference.

For Juniper's larger routers (MX etc.) there are a number of items which can be redundant - PSU, RE, SCB etc. Now when looking through the price list these items each have 3 different part code options: -BB, -R, -S

Here are the differences:
-BB = Base Bundle - This item is purchased when buying a new chassis and is often discounted because of this. You cannot purchase this item without the complete chassis.

-R = Redundant - This item is purchased with a complete chassis when you want a redundant item. For example, if you require a chassis with 2 SCBs then you would purchase 1 -BB and 1 -R.

-S = Spare - This item is purchased often if you are upgrading an existing chassis - I.E. replacing an item in an existing chassis with a new item, or adding a redundant component to an existing chassis.

Cisco MSE Appliances need L2 adjacency for HA operation

HA is a wonderful thing for obvious reasons but you do have to tread carefully sometimes when designing and deploying it.  I am specifically referring to the appliances / applications themselves and their physical location. Some appliances need to be located on the same subnet, which usually means physically very close. You can often fudge this by extending the layer 2 domain (such as using OTV) but this can be dangerous due to latency etc which can cause some unpredictable results, and not always practical.

MSE (7.4) is one of these applications. It maintains a health monitor connection to keep the two appliances synchronised and up to date.