http://w.atwiki.jp/desucre/ なんちゃって管理者のひとりごと ja 2012-11-03T13:16:08+09:00 1351916168 https://w.atwiki.jp/desucre/pages/43.html +番号リスト 2012-11-03T13:16:08+09:00 1351916168 https://w.atwiki.jp/desucre/pages/24.html *How to run ASA 8.4(2) under QEMU with GNS3 --http://twopacket.zymichost.com/2012/01/06/how-to-run-asa-8-42-under-qemu-with-gns3.html *ASAライセンス --http://cisco.sitecelerate.com/cisco/web/support/JP/docs/SEC/Multi-FunctionSecur/ASA5500AdaptiveSecurAppli/CG/004/license.html?bid=0900e4b1825ad74e#17205 *ASA　ライセンスのリホスト --https://supportforums.cisco.com/docs/DOC-18564 *ASA DAPとか -Configuring Dynamic Access Policies --http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/vpn_asdm_dap.html -Supported VPN Platforms, Cisco ASA 5500 Series --http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html -DAP設定 --http://www.cisco.com/cisco/web/support/JP/111/1110/1110300_dap-deploy-guide-j.html -any connectでDAPにより接続デバイスチェック --https://supportforums.cisco.com/docs/DOC-21453 *ASA切り分けとか資料 -http://www.scribd.com/doc/65665627/Troubleshooting-Firewalls -一般的な切り分け --http://www.cisco.com/cisco/web/support/JP/102/1020/1020798_common_ipsec_trouble-j.html *バイパス設定、行きと帰りが違うASAの場合 --http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml -同一intでの折り返し通信を許可する --same-security-traffic permit intra-interface -セキュリティレベルが同じインターフェイス間の通信を許可する --same-security-traffic permit inter-interfac *capture copy copy /pcap capture:test0/test0-active-outside.cap tftp: *エラーメモ --join-failover-groupしようとするとエラーになる。 ---コンテキスト内のintの設定をすべてclearして設定⇒再度コンテキストのintのnameifの設定を実施すればOK ASA/act(config)# context test1 ASA/act(config-ctx)# ASA/act(config-ctx)# join-failover-group 2 ERROR: Command requires failover-group 2 and 1 to be in the same state or no nameif comand for all interfaces in this context ASA/test1/act#changeto context test1 ASA/test1/act(config)# clear configure int g0/0.XX ASA/test1/act# changeto context sys ASA/act(config)# context test1 ASA/act(config-ctx)# ASA/act(config-ctx)# join-failover-group 2 ASA/act(config-ctx)# *メモ **宛先NAT destination nat -特定の送信元と先のみ変換する --http://www.netleets.com/2009/04/cisco-asa-destination-nat-for-1-source.html -http://www.scribd.com/jbotham/d/92874615-Android-ASA-Setup-Guide -ASA perlツール --http://www.skendric.com/nmgmt/device/Cisco/ 2012-09-04T23:14:37+09:00 1346768077 https://w.atwiki.jp/desucre/pages/18.html -RDP接続管理 RDCMAN RDPMAN --http://www.microsoft.com/en-us/download/details.aspx?id=21101 -証明書作成 --http://type-y.com/2009/09/xca-root-ca-ssl.html -負荷ツール --http://gigazine.net/news/20120606-jblitz-professional/ -就職メモ --http://www.lifehacker.jp/2012/05/120525careerhack.html -ツールまとめ --http://www.computerworld.jp/topics/603/%E3%83%87%E3%83%BC%E3%82%BF%E3%82%BB%E3%83%B3%E3%82%BF%E3%83%BC/143369/143209.html?page=0,4 -IPひろば　都道府県までIPで検索 --http://www.iphiroba.jp/index.php -Flashでネットワーク図がかける --http://www.gliffy.com/ -ふぁじんぐ --http://internet.watch.impress.co.jp/docs/news/20120328_521822.html?ref=rss -プリンストン、ゲーム機やPCを簡単切り替え「デジ像 HDMI-BOX版」 http://japan.cnet.com/digital/av/35016453/?ref=rss -暗号化 http://gigazine.net/news/20120424-cloudfogger/ -DIFFツール http://gigazine.net/news/20120416-difff/ Studynote - about http://studynote.jp/about SaaS型無料プロジェクト管理サービス「ブラビオ・プロジェクト」最新版 http://brabio.jp/ GMOクラウド、月額1480円からのVPSサービス「GMOクラウド VPS」 -INTERNET Watch http://internet.watch.impress.co.jp/docs/news/20120404_523796.html?ref=rss ソフトバンク携帯 http://onlineshop.mb.softbank.jp/ols/html/model/index_prepaid.html 災害伝言板 http://dengon.ezweb.ne.jp http://dengon.softbank.ne.jp http://dengon.willcom-inc.com http://dengon.docomo.ne.jp/top.cgi IPアドレス計算 http://www17.plala.or.jp/akisukenet/mini_tools/ipv4_address_calc.html 2012-09-02T23:07:00+09:00 1346594820 https://w.atwiki.jp/desucre/pages/39.html *AccessGateway4.6 -admintoolで設定 --http://support.citrix.com/proddocs/topic/access-gateway-vpx/nl/ja/agse-vpx-download-install-admin-tool-tsk.html?locale=ja -デフォルトパス root/rootadmin *AccessGateway5.0 -adminログインURL --https://IPaddress/lp/AdminLogonPoint/Logon.do --デフォルトパス admin/admin -アップデート --トライアルページのバージョンは5.0.2 --Access Gateway 5.0.4 cag_5.0.4.223500.binで5.0.4にアップデート --Access Gateway 5.0.4 - Security Patch 5_0_4_patch_1_284097.binでパッチあてすると最新になる -証明書 --証明書がエラーでもICAファイルまではダウンロード可能 --但しレシーバで接続時に無効なSSL証明書のエラーがでてつながらない=端末側で証明書エラーが解決できればつながる。 2012-08-28T16:32:34+09:00 1346139154 https://w.atwiki.jp/desucre/pages/42.html -URLパスを大文字から小文字にする --以下のファイルの編集も必要 ---C:\Windows\System32\inetsrv\config\applicationHost.config 2012-08-28T15:18:01+09:00 1346134681 https://w.atwiki.jp/desucre/pages/41.html *Anyconnect -IKEv1は対応していない。 -FAQ --https://supportforums.cisco.com/docs/DOC-15905 --http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html -2.5Manual --http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wp1230383 --http://www.cisco.com/cisco/web/portal/support/docs_listing.html?cid=283000185&locale=ja_JP&itag=prod_eu_guides_list -AnyConnect Client for Android に PKSC#12 ファイルを manual import する手順 --https://supportforums.cisco.com/docs/DOC-18985 --http://www.cisco.com/cisco/web/support/JP/docs/SEC/VirtualPrivateNWs_VPN_/AnyConnectSecureMobilityC/CG/001/ac09_admin_mobile.html?bid=0900e4b18291ad76 -anyconnectプロファイル --証明書接続の際は、CertificateMatchingに条件がないと証明書が選択されない。必ず何かしらの条件を入れておくこと --http://www.cisco.com/cisco/web/support/JP/docs/SEC/VirtualPrivateNWs_VPN_/AnyConnectSecureMobilityC/CG/001/ac03features.html?bid=0900e4b18291ad76#56956 -ASDMでのトラストポイント設定 --ホスト証明書→CAの証明書の順にすると同じトラストポイントでの設定が可能 ---逆順ですると同じトラストポイントはASDMで作れない -リモートデスクトップ内でのAnyconnectを許可する --プロファイルにてWindowsVPNEstablishmentをAllowRemoteUsersにし、配布すればOK *NetWorkAccessManager -https://supportforums.cisco.com/docs/DOC-23117 *IKEv2 -メモ --8.4.1以上で対応 -設定 --https://supportforums.cisco.com/docs/DOC-18960 -Anyconnectの証明書でIPSECにマップ --http://itsecworks.wordpress.com/2011/08/22/certificate-mapping-to-anyconnect-tunnel-group-ii-special-mapping/ 2012-08-10T15:00:20+09:00 1344578420 https://w.atwiki.jp/desucre/pages/40.html *JavaClient --http://support.citrix.com/proddocs/topic/receivers-java-101/java-client-deploying-wrapper-v2.html -CitrixDownloadから落とす、Reciverのところにある -C:\Program Files (x86)\Citrix\Web Interface\5.4.0\Clients\Javaに全部展開 -WIのクライアントの展開でJava選択 -SSLでエラーになったらhttps://jp.globalsign.com/support/faq/331.htmlを参考にJavaにSSL証明書投入 --keytoolの操作時のパスワードはchangeit *SecureGateway **インストール -証明書はmmcスナップインから、証明書：ローカルコンピュータを選んで　個人フォルダでインポートすれば使用可能 **download --XenAppの項目の中にある。 --https://www.citrix.com/English/ss/downloads/details.asp?downloadId=2316046&productId=186&c1=pov2313836#top -3.3.1 --http://support.citrix.com/article/CTX133520 --http://support.citrix.com/article/CTX130147/ 2012-08-03T16:29:22+09:00 1343978962 https://w.atwiki.jp/desucre/pages/25.html *VC構成時のMACアドレス変更のタイミング設定 -virtual-chassis mac-persistence-timer *VC設定 -http://kb.juniper.net/InfoCenter/index?page=content&cat=EX4200_1&channel=KB **プロビジョニングしない場合 set virtual-chassis no-split-detection set virtual-chassis member 0 mastership-priority 255 set virtual-chassis member 1 mastership-priority 255 **プロビジョニングする場合 　しない場合はプライオリティを同一にする設定のみでOK Change this so the "linecard" is a "backup RE" .. you have to run two RE's... virtual-chassis { preprovisioned; no-split-detection; member 1 { role line-card; serial-number FV0211137957; } member 0 { role routing-engine; serial-number BP0209472119; } } ------ -カレント　JUNOS 10.4R8.5 -サブint設定例 --http://www.mail-archive.com/intermapper-talk@list.dartware.com/msg04721.html -EX3200 および EX4200 スイッチの光インタフェース サポート - Technical Documentation - Support - Juniper Networks --http://www.juniper.net/techpubs/ja/release-independent/junos/topics/reference/specifications/optical-interface-ex3200-support.html 2012-07-09T10:35:33+09:00 1341797733 https://w.atwiki.jp/desucre/pages/36.html -設定参考を参照にしたhttpsログインしてのIPSEC接続 -SRXを1to1NATでIPSECする際は以下コマンドが必要 --http://kb.juniper.net/InfoCenter/index?page=content&id=KB23191 ## Last changed: 2012-05-20 19:23:12 JST version 10.4R6.5; system { host-name srx100h; time-zone Asia/Tokyo; root-authentication { encrypted-password "a"; ## SECRET-DATA } name-server { 208.67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4; } login { user admin { uid 2002; class super-user; authentication { encrypted-password "a"; ## SECRET-DATA } } user test { uid 2001; class super-user; authentication { encrypted-password "a"; ## SECRET-DATA } } } services { ssh; telnet; xnm-clear-text; web-management { http { interface vlan.0; } https { system-generated-certificate; interface [ vlan.0 fe-0/0/0.0 ]; } } dhcp { router { 192.168.1.1; } pool 192.168.1.0/24 { address-range low 192.168.1.2 high 192.168.1.254; } propagate-settings fe-0/0/0.0; } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.[[juniper]].net/junos/key_retrieval; } } ntp { server 133.243.238.243 prefer; server 133.243.238.163; } } interfaces { fe-0/0/0 { unit 0 { family inet { address 192.168.2.220/24; } } } fe-0/0/1 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/3 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } vlan { unit 0 { family inet { address 192.168.1.1/24; } } } } snmp { v3 { target-address NNM { address 192.168.1.10; target-parameters NNM-PARAM; } target-parameters NNM-PARAM { parameters { message-processing-model v2c; security-model v2c; security-level none; security-name SNMPCOMMUNITY; } } notify NOTIFY { type inform; } } community SNMPCOMMUNITY; } routing-options { static { route 0.0.0.0/0 next-hop 192.168.2.1; } } protocols { stp; } security { ike { policy ike-dyn-vpn-policy { mode aggressive; proposal-set standard; pre-shared-key ascii-text "a"; ## SECRET-DATA } gateway dyn-vpn-local-gw { ike-policy ike-dyn-vpn-policy; dynamic { hostname dynvpn; connections-limit 10; ike-user-type shared-ike-id; } external-interface fe-0/0/0.0; xauth access-profile dyn-vpn-access-profile; } } ipsec { policy ipsec-dyn-vpn-policy { proposal-set standard; } vpn dyn-vpn { ike { gateway dyn-vpn-local-gw; ipsec-policy ipsec-dyn-vpn-policy; } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { vlan.0; } } security-zone untrust { screen untrust-screen; host-inbound-traffic { system-services { https; ike; } } interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { dhcp; tftp; ike; ping; https; } } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy dyn-vpn-policy { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn dyn-vpn; } } } } } } dynamic-vpn { access-profile dyn-vpn-access-profile; clients { all { remote-protected-resources { 10.0.0.0/8; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn dyn-vpn; user { client1; client2; } } } } } access { profile dyn-vpn-access-profile { client client1 { firewall-user { password "a"; ## SECRET-DATA } } client client2 { firewall-user { password "a"; ## SECRET-DATA } } address-assignment { pool dyn-vpn-address-pool; } } address-assignment { pool dyn-vpn-address-pool { family inet { network 10.10.10.0/24; xauth-attributes { primary-dns 4.2.2.2/32; } } } } firewall-authentication { web-authentication { default-profile dyn-vpn-access-profile; } } } vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } } 2012-06-24T12:15:19+09:00 1340507719 https://w.atwiki.jp/desucre/pages/29.html * 購入　SRX100H -ebay.comにて海外から購入。 --46000+2200税関の消費税 --電源ケーブルがEU向けだった --ACアダプタは日本でもOKなもの --眼鏡口のケーブルのためそのへんのケーブルを差して起動確認 mgd: error: Cannot open configuration file: /config/[[juniper]].conf mgd: warning: activating factory configuration mgd: commit complete Setting initial options: debugger_on_panic=NO debugger_on_break=NO. Starting optional daemons: usbd. Doing initial network setup: . Initial interface configuration: additional daemons: eventd. savecore: /dev/bo0s1b: No such file or directory savecore: Reboot reason(s): 0x1: power cycle/failure savecore: no dumps found Additional routing options:kern.module_path: /boot//kernel;/boot/modules -> /boot//kernel;/boot/modules;/modu Loading the DIALER driver les kld netpfe drv: ifpfed_dialer. Doing additional network setup:. Starting final network daemons:. setting ldconfig path: /usr/lib /opt/lib starting standard daemons: cron. Initial rc.mips initialization:. Local package initialization:. starting local daemons:. kern.securelevel: -1 -> 1 Creating JAIL MFS partition... JAIL MFS partition created boot.upgrade.uboot="0xBFC00000" boot.upgrade.loader="0xBFE00000" Boot media /dev/da0 has dual root support ** /dev/da0s2a FILE SYSTEM CLEAN; SKIPPING CHECKS clean, 40896 free (8 frags, 5111 blocks, 0.0% fragmentation) Sat May 12 10:35:58 UTC 2012 Amnesiac (ttyu0) login: root --- JUNOS 10.4R6.5 built 2011-07-23 11:18:23 UTC ******************************************************************** ** Welcome to JUNOS: ** ** ** ** To run the console configuration wizard, please run the ** ** command 'config-wizard' at the 'root%' prompt. ** ** ** ** To enter the JUNOS CLI, please run the command 'cli'. ** ** ** ******************************************************************** root@% root@srx100h> show system alarms 1 alarms currently active Alarm time Class Description 2012-05-12 19:36:09 JST Minor Rescue configuration is not set root@srx100h> request system configuration rescue save root@srx100h> show system alarms No alarms currently active **設定 -http://www.juniper.net/jp/jp/local/pdf/others/srxguide_201111.pdf を参照し、設定 --10.4日本語ガイド ---http://www.juniper.net/techpubs/software/translated/security-guide/translated/index.html --VISIO　http://www.juniper.net/jp/jp/products-services/icons-stencils/ **アップデート root@srx100h> request system software add no-copy http://192.168.2.110/junos-srxsme-12.1R2.9-domestic.tgz /var/tmp/incoming-package.1247 1339 kB 1339 kBps Package contains junos-12.1R2.9.tgz ; renaming ... NOTICE: Validating configuration against junos-12.1R2.9.tgz. NOTICE: Use the 'no-validate' option to skip this if desired. Formatting alternate root (/dev/da0s2a)... /dev/da0s2a: 297.9MB (610044 sectors) block size 16384, fragment size 2048 using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes. super-block backups (for fsck -b #) at: 32, 152544, 305056, 457568 Checking compatibility with configuration Initializing... Verified manifest signed by PackageProduction_10_4_0 Verified junos-10.4R6.5-domestic signed by PackageProduction_10_4_0 Using junos-12.1R2.9-domestic from /altroot/cf/packages/install-tmp/junos-12.1R2.9-domestic Copying package ... Verified manifest signed by PackageProduction_12_1_0 Hardware Database regeneration succeeded Validating against /config/juniper.conf.gz cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied). cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied). mgd: commit complete Validation succeeded Validating against /config/rescue.conf.gz mgd: commit complete Validation succeeded Installing package '/altroot/cf/packages/install-tmp/junos-12.1R2.9-domestic' ... Verified junos-boot-srxsme-12.1R2.9.tgz signed by PackageProduction_12_1_0 Verified junos-srxsme-12.1R2.9-domestic signed by PackageProduction_12_1_0 JUNOS 12.1R2.9 will become active at next reboot WARNING: A reboot is required to load this software correctly WARNING: Use the 'request system reboot' command WARNING: when software installation is complete Saving state for rollback ... root@srx100h> 2012-06-23T23:13:15+09:00 1340460795