Monday, December 23, 2013

Basic DNS Client Troubleshooting or How to Solve Name Resolution Problems

Sometimes, the network is up, all the link lights are on, pings by IP address work fine, but you still can't connect to a website. A likely culprit is name resolution.

The Name Resolution Process

Suppose you need to connect to www.soundtraining.net. Here's what happens when you type that URL into your browser:
  • Your computer has to find a way to associate www.soundtraining.net with an IP address. It's a lot like looking up a phone number in an old-fashioned phone book.
  • In the early days of the Internet, every host had a hosts file which held the hostname-to-IP address mapping for every host on the Internet. Although most systems today use DNS, all computers still contain a hosts file which usually takes precedence over other name resolution methods. On computers running modern Windows operating systems such as Windows 7 or 8, the hosts file is located in c:\windows\system32\drivers\etc.
  • Most computers maintain a local DNS cache containing the hostname-to-IP address mappings from previous lookups. A computer first checks its DNS cache to see if there's an entry for the hostname from a previous connection attempt or from a static entry in the hosts file. (Computers running modern versions of the Windows operating system pre-load entries from the hosts file into the DNS cache. Other operating systems may handle hosts file entries differently.) On computers running the Windows operating system, you can view the contents of the DNS cache with the command ipconfig /displaydns. Hint: the output of ipconfig /displaydns can get pretty lengthy, so you can filter it with PowerShell's Select-String cmdlet. For example, to check for the existence of a particular text string, such as soundtraining.net, use the following syntax in PowerShell:
    ipconfig /displaydns | select-string -pattern "soundtraining.net"
  • If the requested hostname doesn't exist in the DNS cache, the DNS resolver (the client) queries DNS servers in the order listed in the computer's configuration.
  • If the DNS server(s) is not reachable or can't resolve the hostname to an IP address, an error is returned.

Troubleshooting DNS and Name Resolution

Here are some steps to help you perform basic troubleshooting of name resolution issues.
  1. Confirm that name resolution is the issue by pinging the target host first by hostname, such as www.soundtraining.net, then by IP address. If the ping by hostname fails, but the ping by IP address is successful, the problem is most likely a name resolution issue.
  2. Determine the scope of the issue. If local name resolution works, but Internet name resolution doesn't, the problem is most likely with the service provider's DNS server. Try changing to the Google DNS servers (8.8.8.8 or 8.8.4.4) or OpenDNS servers (208.67.222.222 and 208.67.220.220) as a way of testing. If, on the other hand, Internet name resolution works, but local resolution doesn't, the problem is most likely on the local DNS server.
  3. Check the TCP/IP settings on the local computer. If the problem exists on only a single computer, check its TCP/IP settings.
  4. Use the nslookup tool (it's included with most operating systems) to test connectivity with a DNS server. It's a powerful tool with many options, but it can also be used to perform a simple DNS query using the following syntax:
    nslookup soundtraining.net
    A simple query such as this will tell you whether name resolution is working at all and, if it is, which DNS server is being queried first. If nslookup returns an error stating that the server can't be reached, check for connectivity issues with the DNS server. If it returns an error stating that the domain or host doesn't exist, there's a problem with the DNS server configuration. If it returns what you believe to be a correct response, the problem may be an incorrect entry in the DNS cache or even an incorrectly configured hosts file.
  5. Check to see how widespread the problem is. If it's just users on a single subnet, it could be a misconfigured DHCP server providing incorrect IP settings.
  6. Check for malicious software. If the user is being directed to questionable websites, their computer may have been compromised with software that intercepts name resolution requests and redirects them to undesirable websites.
  7. Check the DNS cache with the command ipconfig /displaydns for incorrect entries or just do a precautionary clearing of the DNS cache with the command ipconfig /flushdns (administrator privileges are required to clear the DNS cache).
  8. Check for an incorrect entry in the hosts file. (This is not very likely, but it has happened to me when I made changes in the hosts file for testing purposes and forgot to change it back.)
  9. Try a reboot. As with most things digital, sometimes the problem can't be identified, but it can be solved with a reboot. This is especially true if you're using consumer grade routers that act as DNS forwarders, which is most of them. Just power-cycle the router or DNS server to see if the problem goes away.
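The checklist above can be scripted on a Linux client. The following is an added example, not from the original post; it assumes POSIX sh, iputils ping and dig (shipped with BIND), uses 8.8.8.8 and 208.67.222.222 as comparison resolvers, and reads /etc/hosts unless another path is given.

```bash
#!/bin/sh
# Added example (not from the original post): a differential name-resolution
# check for a Linux client, covering steps 1, 2, 4 and 8 of the checklist.
# Assumes POSIX sh, iputils ping and dig (shipped with BIND).

# Step 1: ping a host once; print 0 on success, 1 on failure.
ping_ok() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Classify the step 1 result from the two ping outcomes ("0" or "1").
classify_pings() {
    case "$1$2" in
        00) echo "ok" ;;                  # both work: not a DNS problem
        10) echo "name-resolution" ;;     # name fails, address works
        *)  echo "connectivity" ;;        # the address itself is unreachable
    esac
}

# Step 8: print the addresses a hosts file maps to a name (case-insensitive,
# comments ignored); return 1 when there is no entry. A hit means the hosts
# file, not DNS, is answering for this name.
hosts_entry() {
    hname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    hfile=${2:-/etc/hosts}
    awk -v n="$hname" '
        { sub(/#.*/, "") }                 # strip comments
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == n) { print $1; found = 1 } }
        END { exit found ? 0 : 1 }' "$hfile"
}

# Step 4: ask one specific DNS server for the A records of a name.
# Returns 1 when the server is unreachable or has no answer.
resolve_with() {
    dig +short +time=2 +tries=1 "$1" A @"$2" 2>/dev/null | grep -E '^[0-9.]+$'
}

# Step 2: compare the configured resolver with public resolvers. Answers that
# differ point at the local DNS server, the cache or the hosts file rather than
# at the remote site; "no answer" from the configured server alone is a
# reachability problem with that server.
diagnose() {
    name=$1
    if [ -n "$2" ]; then
        echo "ping test: $(classify_pings "$(ping_ok "$name")" "$(ping_ok "$2")")"
    fi
    if addrs=$(hosts_entry "$name"); then
        echo "hosts file overrides $name -> $(echo "$addrs" | tr '\n' ' ')"
    fi
    configured=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf 2>/dev/null)
    for server in "$configured" 8.8.8.8 208.67.222.222; do
        [ -n "$server" ] || continue
        if answer=$(resolve_with "$name" "$server"); then
            echo "$server answers: $(echo "$answer" | tr '\n' ' ')"
        else
            echo "$server: no answer"
        fi
    done
}

# Usage: sh dnscheck.sh www.soundtraining.net [known-good-IP-address]
if [ $# -ge 1 ]; then diagnose "$1" "${2:-}"; fi
```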

DNS Troubleshooting Tools

The following tools and websites may also be helpful in name resolution troubleshooting.
BIND is the most commonly used DNS server. A download of BIND includes the dig utility which provides similar functionality to nslookup. You can download BIND from http://www.isc.org/downloads/.

For More Resources for I.T. Pros

You'll find books on Cisco and Linux technologies at my bookstore at soundtraining.net/bookstore. Also, check out my video channel at soundtraining.net/videos.

Please Leave a Comment

If you find this tutorial helpful or if you notice something that needs to be corrected, please leave a comment.

Wednesday, December 4, 2013

The Beginning Network Admin's Network Troubleshooting Checklist

I've recently been asked to work with groups of non-network admins to help them understand the basics of computer networks. Each of the groups has, as part of their jobs, installation of proprietary systems that must integrate with existing computer networks. None of the people in these classes is ever going to use tools like Fluke network testers or similar tools. They simply need to be able to install their software or hardware and do basic network troubleshooting. If that sounds like your situation, or if you're a new network administrator, here is a simple, ten-step checklist for network troubleshooting. It should be helpful for both beginning network administrators and non-network admins, too.
  1. Do a quick check of the rest of the network. Before you start running all kinds of tests on your system, check to make sure the rest of the network is functioning properly. Are other people or systems on the network having the same or similar problems as you? The problem may have nothing to do with your system or configuration.
  2. Gather information. What has changed since things were working properly? Has any new software been installed? Has any new hardware been installed? What settings may have been changed, either by you, another administrator, a vendor, or an end user? Have there been any power outages? Have there been any maintenance crews doing work which involved moving network equipment? Ask end users what was being done at the time of the failure. (Be careful not to be accusatory when asking questions like this. You want to get honest, helpful answers. You don't want people to get defensive or try to hide things.)
  3. Start at the physical layer. Check link lights, power cables, circuit breakers, cables, heat and dust (too much of either will down any electronic device including routers, switches, access points, firewalls, and servers). You can purchase an inexpensive cable tester for around $40.00. Such testers can be helpful, but if you don't have one, test a cable by replacing a known working cable with the cable in question. If it works with the first cable, but not the second, you've identified the problem. Make sure network cards are enabled. Check in the network settings on each affected device to ensure that network cards are enabled and active.
  4. Use ping, tracert (traceroute in Unix/Linux/Cisco), and pathping to test connectivity. Use ping within a single IP subnet and tracert or pathping when multiple IP subnets are involved. Here's how to use ping: Start by pinging your localhost (ping localhost or ping 127.0.0.1), then ping the IP address of the system you're working on, then ping another host on the same subnet, then ping the default gateway, and finally ping a remote system on another subnet. If all of the pings work except the remote system, try using tracert or pathping to see where connectivity fails. Try a ping by hostname instead of IP address. If a ping by hostname doesn't work, but a ping by IP address does work, the problem is most likely related to name resolution. See my post on DNS client troubleshooting.
  5. Check the routing table. If pings to systems on different networks fail, check the routing table for explicit entries, the correct default gateway, or duplicate default gateways (there should be only one). On a Windows computer, use the command route print to see the routing table. On a Cisco router, use the command show ip route.
  6. Check IP address settings. Use the Windows command line utility ipconfig to make sure the IP address is what you expect.
  7. Check for problems with MTU size. Use the mturoute tool to check MTU sizes on the network.
  8. Check for DHCP server connectivity. If you see an address starting with 169.254, that's an indication that the device or system could not reach a DHCP server to get an IP address.
  9. Is the IP address on the correct network? Check to ensure that the IP address of the device is on the same network or subnet as the rest of the devices. (If the subnet mask is 255.255.255.0 or /24, check to ensure that the first three octets of each of the connected devices match.)
  10. Check for a firewall blocking traffic. If you can ping out from a device, but not to the device, a likely culprit is a firewall on the device. Check the security settings. If the Windows firewall is disabled, check to see if a third-party firewall is enabled such as ZoneAlarm or Norton Internet Security. I once was stymied in troubleshooting by a surprise firewall that was included with a VPN client, so check for any other security-oriented software that might include a firewall.
Most network administrators have plenty of stories about forehead-slapping moments in troubleshooting when they missed something obvious. By following the above steps, hopefully you'll avoid flattening your forehead.

Tuesday, July 2, 2013

How to Change an Ubuntu Server from DHCP-Assigned IP Address to Static IP Address


I noticed, while perusing a variety of blog posts related to Ubuntu server configuration, that none of them completely covered the necessary steps in changing the server's IP address from one assigned by DHCP to one configured statically. This blog post will explain how to do it, along with several follow-up steps that seem to be missing from other posts.

For this post, I used Ubuntu Server version 12.04.

It's common practice for servers to be configured with static IP addresses, so if your Ubuntu server is currently configured to receive its IP address from a DHCP server, you probably want to change it to use a static (manually configured) IP address.

There are four steps:
  • Use a text editor to modify /etc/network/interfaces
  • Restart networking
  • Verify the change to the IP address and the DNS client
  • Disable the DHCP client, if desired

Companion Video

I created a video demonstrating the process, in case you prefer to watch a video instead of reading the steps.

Configuration Steps

Modify /etc/network/interfaces

Use the following command to open /etc/network/interfaces for editing:
sudo vi /etc/network/interfaces
It's certainly not required for you to use the vi text editor, but it's my preference. Any text editor will work.
Under the primary network interface section, change dhcp to static and add the desired address, mask, gateway, DNS server(s), and DNS default search domain. In the example, the server's IP address is 192.168.1.4 with a 24-bit mask, the gateway is at 192.168.1.1, the IP addresses for the DNS servers are the OpenDNS servers, and the default search domain is soundtraining.net. Presumably, you'll use different addresses that are appropriate for your environment.
When you're finished, the file should look similar to this:
[Screenshot in the original post: How to configure a static IP address on Ubuntu server]
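Since the screenshot is not reproduced here, the following is an added reconstruction of the stanza using the values given above (not the post's own file); the original DHCP stanza is shown first for comparison, and the interface name eth0 is assumed.

```text
# Before: the primary network interface gets its address from DHCP
auto eth0
iface eth0 inet dhcp

# After: static address, 24-bit mask, gateway, OpenDNS resolvers and search domain
auto eth0
iface eth0 inet static
    address 192.168.1.4
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 208.67.222.222 208.67.220.220
    dns-search soundtraining.net
```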

Restart Networking

Use the following command to restart networking:
sudo service network-interface restart INTERFACE=eth0

Verify the Changed Configuration

Use the ifconfig command to verify the changed configuration.
Also, view the contents of /etc/resolv.conf to verify that it picked up the DNS configuration from the configuration changes. It should look similar to this:
Notice that the DHCP-assigned DNS server is still listed. That's because the DHCP client is still running.

Disable the DHCP Client

It's not required to disable the DHCP client and, in fact, you may want to have the DHCP server supply additional DNS servers. If, however, you want to disable the DHCP client (dhclient), you can do so with the dhclient -r command. It's usually a good idea to restart networking after making changes like this:
sudo service network-interface restart INTERFACE=eth0

For More Information

Pick up a copy of either of my Linux books. If you're working with Red Hat-based operating systems such as RHEL, Fedora, or CentOS, The Accidental Administrator: Linux Server Step-by-Step Configuration Guide is designed to take you from initial installation through various types of server configurations. My other Linux book is Tweeting Linux: 140 Linux Configuration Commands Explained in 140 Characters or Less, a Linux command reference for people who want concise explanations of various Linux commands. Tweeting Linux is applicable to Red Hat, Ubuntu, and Debian-based systems.

Tuesday, June 25, 2013

Another name change?

I'm changing the name of this blog to make it more accurately reflect its technical nature and to tie it in more closely with my series of tech books called The Accidental Administrator. From now on, this blog will be known as The Accidental Administrator and I've shifted the name The Compassionate Geek to my new blog on customer service and communication for technical staff. I don't think it's that big a deal, but if you notice and wonder, now you know.

Thanks for reading and following my blogs.

Tuesday, June 11, 2013

Network Troubleshooting Tools

Can you have too many network troubleshooting tools? I think not. Here's a blog post by Jack Wallen, one of my favorite tech bloggers, over at Tech Republic listing five network troubleshooting tools. The only one I already knew about is DNS Stuff, which is great. I'll be trying the others out shortly. http://www.techrepublic.com/blog/five-apps/five-web-based-network-troubleshooting-tools/1881

Thursday, June 6, 2013

Cisco IOS CLI Shortcuts

If you spend a lot of time working in the Cisco command line, a solid knowledge of CLI shortcuts can save you a ton of time. I was going to write a blog post showing you the various shortcuts, but then I found a blog by Greg Ferro with a comprehensive list of shortcuts, nicely formatted. Here's the link:  http://etherealmind.com/cisco-ios-cli-shortcuts/
Do yourself a favor and print out the list and tape it to your monitor! (Thanks, Greg.)

Wednesday, May 8, 2013

How to Increase the Scrollback Buffer in PuTTY

At a recent Cisco ASA training workshop, one of the students asked how to increase the buffer size in PuTTY so he could see more output history. Here's how to do it:
  1. In the PuTTY configuration window, select Window in the category tree on the left.

  2. Change the Lines of scrollback to whatever value you wish. The default is 200. Some people set it as high as 5000.
  3. If you'd like to make the new setting the default, select Session in the category tree, in the Saved Sessions window, type Default Settings, and click Save.

Friday, April 19, 2013

Cisco ASA VPN Users and RADIUS Authentication with Active Directory

I've been busy writing a tutorial and producing videos on how to authenticate Cisco ASA VPN users with RADIUS connected to Active Directory. Here's a link to the tutorial: http://www.soundtraining.net/i-t-tutorials/cisco-tutorials/82-cisco-asa-vpn-radius-authentication

I've created two videos on the subject. The first one is about installing and configuring RADIUS on Windows Server 2012:

The second one is about configuring RADIUS authentication for VPN users on the ASA Security Appliance:

For More Cisco ASA Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Cisco ASA Security Appliance, available through Amazon and other resellers.

Thursday, April 4, 2013

A rant about Ubuntu, the OS that makes you appreciate Windows

There's a lot to love about Linux, but not so much to love about Ubuntu, at least not the more recent versions such as 12.10. One of the things to love about Linux is that it builds on its history. In other words, what you learned last year is still relevant this year. Perhaps my biggest complaint with Microsoft operating systems is that every few years, it seems you must toss out all you learned about, say Windows NT 4.0, and replace it with new information about, say Windows 2000 or Windows XP, or now Windows 8. The more I work with Ubuntu, the less it seems like Linux and the more it seems like Windows. Instead of embracing and working to improve the existing desktop environments of either Gnome or KDE, Ubuntu created Unity, a non-intuitive, non-functional weak excuse for a desktop environment. Not only that, but Ubuntu fights really hard to keep you from getting to a clean (no X) shell. Oh, it can be done, but it requires adventuring deep into Dante's inferno to get there. At least with Windows, when you update it, it doesn't usually break things beyond repair. I've spent the past 18 hours (minus 8 for sleeping) trying to fix a problem with the graphics drivers since I ran a routine upgrade to my new Ubuntu system. Just getting under the hood to a command prompt is a major undertaking in Ubuntu 12.10. I finally solved it after finding some obscure procedures on Igor Ljubuncic's blog (http://www.dedoimedo.com/). (Igor, thank you so much!) Seriously? I'm now thinking about setting up my laptop with good, ol' CentOS 6 and Gnome or KDE. Arghhhhhh! Even Slackware is easier to administer than Ubuntu. (I'm resisting the urge to come up with smarmy sounding names for it!)

Ubuntu team, I wonder if anyone is giving any thought to simplicity and ease of use for sys admins or is it all about promoting the Unity desktop at any cost?

Tuesday, March 19, 2013

How to Configure Split-Tunneling on a Cisco ASA VPN

Split tunneling is used when you want to allow remote VPN users to connect directly to Internet resources while using a corporate VPN instead of routing that traffic through the VPN. Obviously, traffic to the internal corporate LAN still goes through the encrypted VPN tunnel, but other traffic goes directly through the public Internet. There are valid reasons for choosing either to use a split tunnel or not, mainly related to security.

Examples of Split Tunneling



Companion Video

I've created the following video to show you how to configure a split tunnel on a Cisco ASA security appliance.


Here are the commands: 

Start by creating an access control list to permit a traffic-flow from the internal network:

access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0

Next, enter attributes configuration mode for the desired VPN group policy (in this example, the group-policy name is Account Reps NA):

group-policy "GroupPolicy_Account Reps NA" attributes

Now, specify the split tunnel mode. You can choose from the following three options:

  • excludespecified (exclude only networks specified by split-tunnel-network-list)
  • tunnelall (tunnel everything)
  • tunnelspecified (tunnel only networks specified by split-tunnel-network-list)

split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List

Watch the video for a complete demonstration of each of the commands.

Tuesday, March 12, 2013

How to Install phpMyAdmin on a Linux Server

Most sysadmins who manage servers running Apache and MySQL with PHP find themselves using phpMyAdmin to assist with the MySQL database.

What is phpMyAdmin?

From the phpMyAdmin website: "phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement."

In this tutorial, I'll show you how to install phpMyAdmin on a LAMP (Linux-Apache-MySQL-PHP) server running CentOS 6.x. For a tutorial on installing and configuring LAMP, see this blog post.

Of course, you can install phpMyAdmin by compiling from source code. This tutorial, however, is based on using yum (Yellow Dog Updater Modified) to complete the installation.

Network Diagram



The Companion Video



Requirements

One server running CentOS 6.x with the following software installed: Apache 2.x, MySQL 5.x, and PHP 5.x. (The specific versions used in this tutorial are CentOS 6.4, Apache 2.2.15, MySQL 5.1.67-1, and PHP 5.3.3.) The procedures shown here may work with other software versions, but they have not been tested on other versions. The server in this tutorial has been configured with an IP address of 192.168.101.3 and a host name of centos6.soundtraining.local. Your server must have public Internet access, either directly or through a firewall/router. You must have administrative (root) access to the server. You can either perform the following tasks as root (easier, but dangerous) or by using sudo to execute the commands.

I manage my Linux servers remotely from a desktop or laptop computer using a remote terminal session over SSH. If I'm using a Windows-based computer for management, I usually use PuTTY to create the terminal sessions.

Enabling the Repository

phpMyAdmin is not available through the default CentOS 6 repositories (repos), so we need to add the RepoForge (formerly RPMforge) repo (not a bad idea anyway). The new installation procedure for RepoForge is much easier than the old procedure used with RPMforge.

Start by checking your version of CentOS with the following command:
cat /etc/redhat-release

This tutorial is based on CentOS 6.4. If you're running any version of CentOS 6.x or RedHat 6.x, this tutorial should apply to you. It has not been tested on other versions, but may work.

Next, check your system's architecture with the following command:
uname -r

Your system should be running either 32-bit (i686) or 64-bit (x86_64) architecture. If it's anything else, this tutorial probably doesn't apply to you.

Visit http://repoforge.org/use/ to download the appropriate package for your architecture and software version. I find it easiest to right-click on the appropriate version on the page and choose "Copy link address" or "Copy shortcut" (depending on your browser). Then I can type the rpm -Uvh command and paste the shortcut into the command-line interface. Alternatively, you can manually type the entire command, as follows:

On x86_64 systems:
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

On i686 systems:
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

Now, install phpMyAdmin:
yum install phpmyadmin

You must also configure phpMyAdmin to allow connections from IP addresses other than localhost (127.0.0.1) by modifying /etc/httpd/conf.d/phpmyadmin.conf. Use vi or another text editor:

vi /etc/httpd/conf.d/phpmyadmin.conf

Modify the file to add the IP address of your management workstation, in this case 192.168.101.2.




I've read other tutorials that suggest commenting out the entire <Directory /usr/share/phpmyadmin> section to allow any host to connect from any IP address. Do NOT do that. Doing so opens your database to myriad types of attacks from anywhere on the Internet. If you need to use phpMyAdmin from a computer with a dynamically assigned IP address, plan on SSHing into your server to modify the above setting every time your IP address changes. (Changing the above setting requires an httpd restart.)

You must also modify the authentication type for phpMyAdmin by editing /usr/share/phpmyadmin/config.inc.php:

vi /usr/share/phpmyadmin/config.inc.php


Change the authentication type from 'cookie' to 'http':
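Both edits above can be checked before httpd is restarted. The following added audit script is not from the original post; the file paths follow the post, while the sample file contents are constructed for illustration and are not the files the RepoForge package installs.

```bash
#!/bin/sh
# Added example (not from the original post): audit the two phpMyAdmin
# settings described above before restarting httpd. Paths follow the post;
# the sample file contents are constructed here and are not the files the
# RepoForge package installs.

# Constructed sample: the weak variant some tutorials suggest, with the whole
# <Directory> block commented out so any host on the Internet may connect.
SAMPLE_OPEN=$(cat <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
#<Directory /usr/share/phpmyadmin>
#    Order Deny,Allow
#    Deny from All
#    Allow from 127.0.0.1
#</Directory>
EOF
)

# Constructed sample: Apache 2.2 rules limiting access to localhost and the
# management workstation 192.168.101.2, as the post recommends.
SAMPLE_RESTRICTED=$(cat <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from 192.168.101.2
</Directory>
EOF
)

# Constructed sample of the relevant line in config.inc.php after the change.
SAMPLE_CONFIG_PHP=$(cat <<'EOF'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type']     = 'http';
EOF
)

# Print the active (uncommented) lines of the phpMyAdmin <Directory> block.
directory_block() {
    awk '/^[ \t]*<Directory[ \t]+\/usr\/share\/phpmyadmin[ \t]*>/ { inblock = 1 }
         inblock { sub(/#.*/, ""); if (NF) print }
         inblock && /^[ \t]*<\/Directory>/ { exit }' "$1"
}

# Return 0 when the block is active and access is limited to listed addresses;
# return 1 with a reason when phpMyAdmin would answer any client.
check_directory_access() {
    block=$(directory_block "$1")
    if [ -z "$block" ]; then
        echo "FAIL: no active <Directory /usr/share/phpmyadmin> block"
        return 1
    fi
    if printf '%s\n' "$block" | grep -iqE '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all([[:space:]]|$)'; then
        echo "FAIL: 'Allow from all' exposes phpMyAdmin to every host"
        return 1
    fi
    # In Apache 2.2 the default is deny only with "Deny from All" (under
    # Order Deny,Allow) or with "Order Allow,Deny".
    if ! printf '%s\n' "$block" | grep -iqE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Order[[:space:]]+Allow,[[:space:]]*Deny)'; then
        echo "FAIL: no default deny rule; every host is allowed"
        return 1
    fi
    echo "OK: access limited to the listed addresses"
    return 0
}

# Print the configured auth_type ('http' after the edit above); empty if unset.
auth_type() {
    sed -n 's/^[[:space:]]*\$cfg\[.Servers.]\[\$i]\[.auth_type.][[:space:]]*=[[:space:]]*.\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Run the checks against the constructed samples. On a real server run:
#   check_directory_access /etc/httpd/conf.d/phpmyadmin.conf
#   auth_type /usr/share/phpmyadmin/config.inc.php
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_OPEN" > "$d/open.conf"
    printf '%s\n' "$SAMPLE_RESTRICTED" > "$d/restricted.conf"
    printf '%s\n' "$SAMPLE_CONFIG_PHP" > "$d/config.inc.php"
    check_directory_access "$d/open.conf" || true      # reports FAIL
    check_directory_access "$d/restricted.conf"        # reports OK
    echo "auth_type: $(auth_type "$d/config.inc.php")"
    rm -r "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```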


Restart the Apache server:
service httpd restart

Point the browser on your management workstation to 192.168.101.3/phpmyadmin. You should receive an authentication request:


Use the username root and the MySQL root password to authenticate.

Even though you have restricted access to phpMyAdmin to a single IP address, you might also want to use a different MySQL account for logins instead of root. You can use phpMyAdmin to set up a new user and grant specific permissions for that user.


For More Linux Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Linux Server Step-by-Step Configuration Guide or my Linux command reference Tweeting Linux: 140 Linux Configuration Commands Explained in 140 Characters or Less, both available through Amazon and other resellers.

How to Install a LAMP (Linux-Apache-MySQL-PHP) Server on CentOS 6


LAMP (Linux-Apache-MySQL-PHP) servers power a huge portion of the global Internet. If you're using Wordpress, Joomla!, Drupal, or any of the myriad other content management systems, you're probably running them on a LAMP server.

In this blog post, I'll show you the basics of installing the LAMP stack on an existing server running CentOS 6.3.

Requirements

You must have root access to a server running CentOS 6.x. These procedures should also work on a RedHat 6.x installation. The server should have access to the public Internet, either directly or through a firewall or router, as indicated in the network diagram. You should also be comfortable working in the command-line interface, including the use of yum to install software and vi (or any text editor) to edit configuration files. For this tutorial, I'm using a server named centos6.soundtraining.local configured with an IP address of 192.168.101.3. You'll probably want to use a different host name and IP address.

Network Diagram



The Companion Video


Installing Apache 2

Use yum to install Apache2, configure Apache to start when the server is powered up, and start Apache (the -y switch automatically confirms that you want to continue the installation):

yum -y install httpd
chkconfig --levels 3 httpd on
service httpd start

Test your installation by pointing a browser to http://192.168.101.3. You should see the default Apache landing page. If not, check that the Linux firewall isn't preventing connections. You can use the command system-config-firewall to check and modify, if necessary.

Installing MySQL

As with Apache, use yum to install the MySQL client and MySQL server, configure the MySQL server to start at power up, and start the server:

yum -y install mysql mysql-server

chkconfig --levels 3 mysqld on
service mysqld start

Configuring MySQL's Initial Security

As a MySQL administrator, you have many security considerations to address. For the purpose of this tutorial, we'll take care of some of the basics, including setting a root password, removing anonymous users, disallowing remote root logins, and removing the test database. Use the following command to run a script that will prompt you through the previous procedures:

mysql_secure_installation

Say yes to Set root password?, enter and confirm the root password, as shown in the screen capture:


Say yes to Remove anonymous users?, say yes to Disallow root login remotely?, say yes to Remove test database and access to it?, and finally, say Yes to Reload privilege tables now?



Installing PHP5

As with Apache and MySQL, we'll use yum to install PHP, then we'll restart Apache to enable PHP on our server:

yum -y install php
service httpd restart

Testing the PHP Installation

Use vi (or your favorite text editor) to create a file called info.php in the document root of your new Apache server (the document root is typically in the path indicated below, but yours might be different):

vi /var/www/html/info.php

In the blank file, enter the following lines of text (if you're using vi, you can enable input mode by pressing the i key):


<?php
phpinfo();
?>

(When you're finished entering the above information, if you're using vi, press ESC, then enter :wq to save the file.)

Now, point a browser to http://192.168.101.3/info.php and you should see the PHP info page. If you're not able to see the PHP Info page, you may need to modify your firewall's configuration to allow port 80 (WWW) traffic to reach the server, as detailed in the next section. If you are able to connect to the PHP Info page, you can skip the next section and go to the section titled Adding Additional Modules.

The PHP Info Page



Allowing Port 80 Traffic to the Server

If you can't reach the PHP Info page, your CentOS server may have a firewall enabled. The easiest way to allow port 80 (WWW) traffic to reach the server is by using the system-config-firewall tool. At a command prompt, issue the command system-config-firewall.

When the system-config-firewall tool opens, use your tab key to move the highlight to the Customize button and press the Enter key.



In the Trusted Services window, use the down arrow key to move the highlight to WWW (HTTP) and press the space bar to select WWW (HTTP) as a trusted service. (You may want to do the same thing with Secure WWW (HTTPS).) Then, use your tab key to move the highlight to the Close button and press the Enter key.


In the Firewall Configuration window, use your tab key to move the highlight to the OK button and press the Enter key to apply the changes.



Now, try connecting to http://192.168.101.3/info.php in a browser again. This time it should work.

Adding Additional Modules

If you examine the PHP Info page, you can see all the modules that are loaded automatically in a base installation of PHP. You'll notice that MySQL is not supported by default, so you must load the necessary MySQL PHP modules. The exact modules you'll need will vary based on your intended use of the server. You'll definitely need php-mysql. For a Wordpress installation, for example, you'll probably need php-gd for things like picture thumbnails, and php-xml and php-xmlrpc for import and export. phpMyAdmin requires php-mbstring, php-odbc, and php-pear. Use the following command to install these modules:

yum install php-mysql php-gd php-mbstring php-odbc php-pear php-xml php-xmlrpc

I've seen other tutorials recommend php-imap and php-ldap as part of a generic LAMP installation, but unless you know you need them, I'd leave them out. My thought is, as usual, to keep the installation as lightweight as possible to avoid having any unnecessary components running, thus reducing the attack surface.

Installing phpMyAdmin

You will most likely want to install phpMyAdmin to help manage the database. I've created a separate tutorial for that here in another blog post.

For More Linux Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Linux Server Step-by-Step Configuration Guide or my Linux command reference Tweeting Linux: 140 Linux Configuration Commands Explained in 140 Characters or Less, both available through Amazon and other resellers.


Please Leave a Comment

If you find this tutorial helpful or if you notice something that needs to be corrected, please leave a comment.

Friday, March 1, 2013

Creating a Windows Server 2012 Domain Controller

I don't usually blog about Windows stuff here. Don't get me wrong. I use Windows a lot and was fairly impressed with Windows 7 (not so much with Windows 8). I run my production servers with CentOS Linux, but for my classes and videos, I need a Windows server. That's how I show things like Cisco VPN user authentication through Active Directory, for example. I recognize that's pretty important to a lot of people. So today I found myself installing Windows Server 2012. It occurred to me that there are a couple of tips that you might find helpful, especially if you're well-versed in older Windows server products, but not so much in Server 2012.

Remember how in Windows server products going all the way back to 2000, we would use dcpromo to elevate a server to a domain controller? Well, not anymore.  dcpromo has been deprecated. Of course, you can use the fancy new GUI, but it's a pain-in-the-rear, and it's just a lot easier to do it in the command line. So, open up PowerShell and execute two commands:

The first command adds Active Directory Domain Services to the server:

Add-WindowsFeature -name ad-domain-services -IncludeManagementTools

The second command creates a new domain controller in the root of a new forest (obviously, you'll want to change the domain name):
Install-ADDSForest -DomainName "soundtraining.local"

You'll be asked to provide a directory service restore mode password, your server will whir for a few minutes, reboot, and before you know it, voila! You've got a domain controller in the root of a new forest. Not only that, but it automatically installs and configures a DNS server.

It's just as easy to add a domain controller to an existing forest. Use the following command:
Install-ADDSDomainController -DomainName "soundtraining.class"

There are a ton of options and variations on the PowerShell Install commands. To see them, type help install. To see the options for a particular command, type, for example, help Install-ADDSDomainController.

Tuesday, February 26, 2013

NAT Configuration on a Cisco Router (Port Address Translation or Dynamic NAT)


Configuring Dynamic NAT on a Cisco Router

(Also Known as Port Address Translation)

In this post, I’ll show you how to configure Port Address Translation in which all internal hosts will share one external interface and IP address on the external network.

Port Address Translation (PAT) is a many-to-one form of Network Address Translation (NAT). It is commonly found in home networks and small businesses where many internal nodes, using an RFC 1918 address space such as 192.168.0.0/24, share a single public IP address.

Use the following diagram for this tutorial.

Here is an accompanying video for this blog post:

Prepare Your Router and Management Workstation

  1. Ensure that your workstation is configured according to the network diagram.
  2. On your router, identify which interface will be external and which will be internal.  In a real-world setting, the inside interface would normally be an Ethernet connection to a LAN and the outside might be a T1 interface connected to a WAN such as the Internet.  For the purpose of this exercise, the internal (inside) interface will be the Gigabit Ethernet 0/0 interface and the external (outside) interface will be the router’s Gigabit Ethernet 0/1 interface.

Configure Port Address Translation with the following steps:

Configuring Router Interfaces for NAT
(NVI0 is the NAT Virtual Interface, which is created automatically but is not used in this exercise.)
  1. Identify the inside interface:
    Router(config)#int g0/0
    Router(config-if)#ip nat inside
  2. Identify the outside interface:
    Router(config-if)#int g0/1
    Router(config-if)#ip nat outside

Configuring an Access Control List to Specify Who Can Use NAT (PAT)
(This access-control list permits all IP traffic from any source address to any destination address. For more information about access-control lists, see chapter 11 in my book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide.)
  3. Create an access-control list to identify the traffic permitted to use NAT:
    Router(config)#access-list 100 permit ip any any

Turning on Port Address Translation (NAT overloading)
  4. Turn on Port Address Translation (NAT overloading). (The statement in the next step tells the router to apply the just-created list 100 to interface g0/1 and to implement NAT overloading on the interface.)
  5. Apply the access-control list to the outside interface:
    Router(config)#ip nat inside source list 100 interface g0/1 overload
  6. Exit configuration mode:
    Router(config)#exit

You can also use show ip nat translations and show ip nat statistics to view your NAT configuration.
The output of show ip nat translations following a ping to a website.
The following table describes each of the fields in the output of the show ip nat translations command. (The number following each of the above IP addresses, just after the colon, is the port number. The combination of the four IP addresses and port numbers is what creates a unique connection.)

Field Title      Explanation
Pro              The IP protocol in use.
Inside global    The actual IP address on the outside interface that represents one or more inside local IP addresses to the outside world or network. (In the example above, it's an RFC 1918 address, but in the real world, it will usually be an Internet-routable address.)
Inside local     The actual IP address of an inside host. This is often an RFC 1918 address that is not routable on the public Internet.
Outside local    The IP address of an outside host as it appears to hosts on the inside network. This is how the inside host(s) see the outside host.
Outside global   The actual IP address of an outside host, usually assigned by its owner.
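To make the four-address table concrete, here is an added Python example (not code from the post or from Cisco) that parses the text of show ip nat translations into the fields described above, splits each address:port pair, and counts how many inside hosts share each inside global address, which is what makes PAT a many-to-one translation. The sample output and its addresses are constructed for this example; they are not captured from the author's router.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of "show ip nat translations" output. The addresses are
# made up for this example (RFC 1918 on the inside, documentation space on the outside).
SAMPLE_NAT_TABLE = """\
Pro Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.1:512      192.168.0.10:512      198.51.100.20:512     198.51.100.20:512
tcp  192.168.1.1:1025     192.168.0.10:49152    198.51.100.20:80      198.51.100.20:80
udp  192.168.1.1:53210    192.168.0.11:53210    198.51.100.53:53      198.51.100.53:53
"""

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

FIELDS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_endpoint(token):
    """'192.168.1.1:1025' -> ('192.168.1.1', 1025); a bare address gets port None."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_nat_translations(text):
    """Return one dict per translation row, with each address and its port separated."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # The header row splits into more than five tokens, so it is skipped here.
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        entry = {"proto": fields[0]}
        for name, token in zip(FIELDS, fields[1:]):
            addr, port = split_endpoint(token)
            entry[name] = addr
            entry[name + "_port"] = port
        entries.append(entry)
    return entries


def is_rfc1918(addr):
    """True when the address falls in one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def hosts_per_inside_global(entries):
    """Map each inside global address to the number of distinct inside hosts behind it."""
    behind = {}
    for e in entries:
        behind.setdefault(e["inside_global"], set()).add(e["inside_local"])
    return {g: len(hosts) for g, hosts in behind.items()}


if __name__ == "__main__":
    rows = parse_nat_translations(SAMPLE_NAT_TABLE)
    for r in rows:
        print(r["proto"], r["inside_local"], r["inside_local_port"], "->",
              r["inside_global"], r["inside_global_port"], "->",
              r["outside_global"], r["outside_global_port"])
    print(hosts_per_inside_global(rows))
```

The port attached to the inside global address is what lets the router tell returning packets apart when several inside hosts share one outside address, so a parser that keeps the ports separate is also the starting point for spotting a translation table that is being exhausted by one noisy host.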

You can use the command show ip nat statistics to view various information about NAT's performance on your router.
The output of show ip nat statistics
You can watch the address translation taking place with the following command:  debug ip nat.  To turn off debugging, issue the following command:  undebug all
The output of the debug ip nat commands.
In the above screen capture, you can see the time of the NAT translation, the source (s) and the destination (d).

The intermediate IP address is the Inside Global address.  The number in square brackets at the end of each line is the IP packet number which could be helpful in identifying the same packet in a protocol analyzer’s packet stream.

The asterisk indicates the packet is going through the fast path.  (The first packet always goes through the slow path, which means it is process switched.)

For more information about configuring the Cisco router, please see my book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide, available through Amazon and other resellers or through the soundtraining.net bookstore. Also, consider attending my Cisco Router 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group. More information is available here.

You have permission to reprint this article in your newsletter, blog, website, or publication if you include the following paragraph:

Don R. Crawley is a longtime geek and President/Chief Technologist of soundtraining.net with more than 35 years in workplace technology. He holds multiple technical certifications and is the author of numerous books on information systems and technology, including The Accidental Administrator: Cisco Router Configuration Guide. He has spoken to audiences worldwide on both technical topics and IT customer service. To view this Seattle IT pro's upcoming events or to receive free Cisco tutorials, Linux tutorials, IT customer service tips, and other guides, visit www.soundtraining.net or contact him at don@soundtraining.net or 206-988-5858.

Friday, February 15, 2013

Configuring Cisco ASA Transparent Mode (Version 8.4 and Later)

The following post is based on ASA software version 8.4 and later.

With the release of ASA software version 8.4, Cisco added bridge-groups to the ASA which changed the way that transparent mode is configured. Now, you must assign VLAN interfaces to bridge-groups. Bridge-groups provide a means of isolating network traffic. Traffic from one bridge-group is not shared with other bridge-groups. Instead of just assigning a global IP address to the device for management, you now assign a management IP address to the Bridge Virtual Interface (BVI). This address is used not only for management, but as the source address for packets originating from the ASA such as AAA communications or syslog messages. Although I'm not going to cover IPv6 in this document, the ASA does support IPv6 in transparent mode.

The following video is based on this blog post:


Here is the configuration on an ASA 5505 (it will be similar for other models in the ASA family):

You must first enable transparent mode on the firewall. Before executing this command, ensure that you have a good backup of the existing configuration. This command will obliterate the existing configuration.

In configuration mode, execute the command firewall transparent:

ciscoasa# conf t
ciscoasa(config)# firewall transparent

Next, assign physical interfaces to VLANs using the switchport access command and enable the physical interfaces with the no shutdown command:

ciscoasa(config)# interface Ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface Ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

After configuring the physical interfaces, you must configure the VLAN interfaces by giving them names and assigning them to the same bridge-group:

ciscoasa(config-if)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# bridge-group 1

(Notice that the ASA automatically assigns security levels based on the names inside and outside. If you choose to give the VLAN interfaces different names than inside and outside, you will have to manually assign a security-level of 100 to the inside interface and 0 to the outside interface.)

Now, you'll configure the management IP address through the Bridge Virtual Interface (BVI):

ciscoasa(config-if)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.240

(Notice that I didn't explicitly assign a subnet mask to the BVI's IP address. The ASA can assign a default mask based on the class of the IP address. Since 192.168.1.240 is a Class C address, the ASA automatically assigns a 24-bit mask of 255.255.255.0. If you're using something other than a default subnet mask, you can specify it in dotted-decimal notation following the IP address.)

The transparent mode configuration is now complete and the ASA will pass traffic. If you want to use the graphical ASDM (Adaptive Security Device Manager) to manage the device, you must enable the HTTP server and specify which hosts are permitted to access the ASDM with the following commands:

ciscoasa(config-if)# http server enable
ciscoasa(config)# http 0.0.0.0 0.0.0.0 inside

The first command does what the syntax implies, it enables the server. The second command permits any host connected to the inside interface, regardless of its IP address, to use the HTTP server. You might want to narrow the address range by specifying either your network address (in this example, it would be 192.168.1.0 255.255.255.0) or the host address of your management workstation.

Here is a screen capture of the complete configuration:


Here is the configuration in a copy and paste format. Make sure you have a backup of your ASA's existing configuration, because these commands will clear and replace the existing config.  You've been warned!


conf t
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface vlan 2
nameif outside
bridge-group 1
interface vlan 1
nameif inside
bridge-group 1
interface bvi 1
ip address 192.168.1.240
http server enable
http 0.0.0.0 0.0.0.0 inside
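Before pasting a transparent-mode configuration into a production ASA, it is worth checking it for the consistency rules this post describes: every named VLAN interface must be in a bridge-group, the BVI must have an address and match that bridge-group, and the http statement should be narrower than 0.0.0.0 0.0.0.0. The following Python example is added here and is not code from the post or from Cisco; it embeds the copy-and-paste configuration above as a constructed input, parses it line by line, and fills in the default classful mask the post says the ASA applies when none is given.

```python
import re

# Constructed copy of the post's copy-and-paste configuration, embedded so the
# check runs offline. Any other ASA config text can be passed in the same way.
TRANSPARENT_CONFIG = """\
conf t
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface vlan 2
nameif outside
bridge-group 1
interface vlan 1
nameif inside
bridge-group 1
interface bvi 1
ip address 192.168.1.240
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

ATTR_RE = re.compile(r"(nameif|bridge-group|ip address|switchport access vlan)\s+(.+)")


def classful_mask(addr):
    """Default mask applied when none is given: class A, B or C by the first octet."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_asa_config(text):
    """Walk the config, remembering which interface block each attribute belongs to."""
    cfg = {"transparent": False, "interfaces": {}, "http": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif line.startswith("interface "):
            current = line[len("interface "):].lower()   # e.g. "vlan 2", "bvi 1"
            cfg["interfaces"][current] = {}
        elif line.startswith("http ") and line != "http server enable":
            cfg["http"].append(line.split()[1:])        # [address, mask, interface]
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                cfg["interfaces"][current][m.group(1)] = m.group(2)
    return cfg


def check_transparent_config(text):
    """Return a list of findings; an empty list means the config is consistent."""
    cfg = parse_asa_config(text)
    findings = []
    if not cfg["transparent"]:
        findings.append("firewall transparent is missing")
    groups = set()
    for name, attrs in cfg["interfaces"].items():
        if name.startswith("vlan") and "nameif" in attrs:
            if "bridge-group" not in attrs:
                findings.append(f"{name} ({attrs['nameif']}) has no bridge-group")
            else:
                groups.add(attrs["bridge-group"])
    if len(groups) > 1:
        findings.append("named VLAN interfaces span bridge-groups " + ", ".join(sorted(groups)))
    bvis = {n: a for n, a in cfg["interfaces"].items() if n.startswith("bvi")}
    if not bvis:
        findings.append("no BVI configured for management")
    for name, attrs in bvis.items():
        bvi_num = name.split()[-1]
        if "ip address" not in attrs:
            findings.append(f"{name} has no ip address")
        elif bvi_num not in groups:
            findings.append(f"{name} has no member VLAN interfaces in bridge-group {bvi_num}")
    for args in cfg["http"]:
        if args[:2] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"ASDM access from any host on {args[2]}; narrow to the management network")
    return findings


def management_address(text):
    """(address, mask) of the BVI, filling in the classful default when the mask was omitted."""
    for name, attrs in parse_asa_config(text)["interfaces"].items():
        if name.startswith("bvi") and "ip address" in attrs:
            parts = attrs["ip address"].split()
            return parts[0], (parts[1] if len(parts) > 1 else classful_mask(parts[0]))
    return None


if __name__ == "__main__":
    print(management_address(TRANSPARENT_CONFIG))
    for finding in check_transparent_config(TRANSPARENT_CONFIG):
        print("finding:", finding)
```

Run against the configuration above, the only finding is the wide-open http statement, which is exactly the line the next paragraphs suggest narrowing to the management network or workstation.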


One thing to note about this configuration: Your inside hosts will have no means of obtaining an IP address from a DHCP server on the outside of the ASA. You have three options.

  • You can configure your inside hosts with static IP addresses
  • You can configure a DHCP server on the inside network
  • You can configure access-control lists on the ASA to allow DHCP requests and responses to be exchanged between DHCP clients on the inside network and a DHCP server on the outside network.

My general recommendation is that you configure a DHCP server on the inside network. It could be the ASA, which can function as a DHCP server in transparent mode, or a standalone server such as a computer running Windows or Linux.

Friday, January 4, 2013

Configuring Static NAT with single and multiple outside addresses on an ASA Security Appliance

Two of the most common forms of Network Address Translation (NAT) are dynamic Port Address Translation (PAT) and Static NAT.  PAT is the many-to-one form of NAT implemented in many small office and home networks where many internal hosts, typically using RFC 1918 addresses such as 192.168.0.0/24, share a single external address on the public Internet.  Static NAT is a one-to-one mapping which is used when an internal host needs to be accessible from the public Internet or some other external network.  In this blog post and video, I'll explain how to configure Static NAT to make an internal Web server accessible from an external network.  The same concept applies when you want to make any internal server accessible from an external network, whether it's a Web server, a mail server, an FTP server, or any other type of server or device.

This video and documentation are based on ASA software version 9.0(1) and apply to version 8.3 and later.

Use the following diagram with this documentation.  This diagram uses RFC 1918 addresses.  In the real world, the outside interface would most likely be configured with a registered, public address.
There are four steps involved in enabling Static NAT.
  1. Create a network object identifying the internal host
  2. Within the network object that you just created, create a NAT statement identifying the outside interface, its IP address, and the type of traffic to be forwarded to the internal host
  3. Create an Access-Control List to permit the traffic flow against the security level from outside to inside.
  4. Apply the Access-Group to the outside interface.
Create the Network Object and Static NAT Statement

As mentioned previously, a network object must be created identifying the internal host. Within the network object, you must also create a static NAT statement to identify the outside interface, its IP address, and the type of traffic to be forwarded:

object network InternalHost
host 192.168.102.5
nat (inside,outside) static interface service tcp 80 80

Note: In the static NAT statement above, the use of the term interface tells NAT to use whatever address is on the outside interface. The first use of 80 identifies the originating port number. The second use of 80 identifies the destination port number.

Build the Access-Control List

Build the Access-Control List to permit the traffic flow (this statement goes on a single line):

access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www

Apply the Access-Control List

Apply the ACL to the outside interface using the Access-Group command:

access-group OutsideToWebServer in interface outside

This is the complete configuration:


When successfully implemented, this configuration will permit a host on the outside network, such as the public Internet, to connect to the internal Web server using the address on the ASA's outside interface.

Configuring the ASA with Multiple Outside Interface Addresses

It is not possible to assign multiple IP addresses to the outside interface on a Cisco ASA Security Appliance. It is possible, however, to configure the ASA to forward different outside addresses to different hosts on the inside network. For example, suppose you have a /29 block of addresses assigned by your ISP. Also, suppose you have a mail server using POP3 and SMTP and a Web server using HTTP and HTTPS on the inside network. You want each of the servers to be reachable via different outside addresses. You can configure static NAT to accomplish this. Use this diagram with the documentation. As above, in the real world the outside interface would probably be configured with registered, public addresses instead of the RFC 1918 addresses shown here.


The steps are similar to single-address static NAT configuration:
  1. Configure a network object for each internal host with a static NAT statement specifying the outside address to be used and the service types (port numbers) to be forwarded.
  2. Configure access-control lists to permit the traffic flows.
  3. Apply the access-control lists to the outside interface with an access-group statement.
Configure Network Objects
These identify the internal hosts, the desired outside IP address, and the type of service to be forwarded.  (The exclamation marks are for formatting to improve readability and are not required for the configuration.)

object network WebServer-HTTP
host 192.168.102.5
nat (inside,outside) static 192.168.1.194 service tcp 80 80
!
object network WebServer-HTTPS
host 192.168.102.5
nat (inside,outside) static 192.168.1.194 service tcp 443 443
!
object network MailServer-SMTP
host 192.168.102.6
nat (inside,outside) static 192.168.1.195 service tcp 25 25
!
object network MailServer-POP3
host 192.168.102.6
nat (inside,outside) static 192.168.1.195 service tcp 110 110

Note:  In the above configurations, the host statement identifies the internal server (192.168.102.5 is the Web server and 192.168.102.6 is the mail server).  The NAT statement identifies the external address used to forward the specified packets to the internal host.

Configure Access-Control List

This Access-Control List permits the traffic flows against the security levels (each access-list statement goes on a single line).

access-list OutsideToInside permit tcp any host 192.168.102.5 eq 80
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 25
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 110

Apply the Access-Control List to the Outside Interface

access-group OutsideToInside in interface outside
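Every forwarded port in these configurations needs two things to line up: a nat statement inside a network object and a matching access-list entry, and with several outside addresses it is easy to leave one out or to claim the same outside address and port twice. The following Python example, added here and not code from the post or from Cisco, generates the object/nat/access-list/access-group lines for both the single-address case (using interface as the outside address) and the multiple-address case from one inventory table, and then checks the generated config for a NAT entry with no permit line and for two forwards that collide on the same outside address, protocol and port. The inventory rows are constructed from the addresses in this post; it writes port numbers (eq 80) rather than the eq www keyword the post uses for the single-address example, which the ASA treats the same way.

```python
from collections import namedtuple

# One row per forwarded service: object name, inside host, outside address
# (or the keyword "interface"), destination port and protocol.
Forward = namedtuple("Forward", "name inside_host outside port proto")

# Constructed inventory matching the multiple-address example in this post.
MULTI_ADDRESS = [
    Forward("WebServer-HTTP",  "192.168.102.5", "192.168.1.194", 80,  "tcp"),
    Forward("WebServer-HTTPS", "192.168.102.5", "192.168.1.194", 443, "tcp"),
    Forward("MailServer-SMTP", "192.168.102.6", "192.168.1.195", 25,  "tcp"),
    Forward("MailServer-POP3", "192.168.102.6", "192.168.1.195", 110, "tcp"),
]

# Single-address case: "interface" tells NAT to use whatever address is on the outside interface.
SINGLE_ADDRESS = [Forward("InternalHost", "192.168.102.5", "interface", 80, "tcp")]


def network_objects(forwards):
    """Step 1: one network object per forward, each carrying its own static NAT statement."""
    lines = []
    for f in forwards:
        lines += [f"object network {f.name}",
                  f" host {f.inside_host}",
                  f" nat (inside,outside) static {f.outside} service {f.proto} {f.port} {f.port}",
                  "!"]   # separator only; not required by the ASA
    return lines


def access_list(forwards, acl_name):
    """Step 2: on ASA 8.3 and later the ACL references the real (inside) address, not the outside one."""
    return [f"access-list {acl_name} permit {f.proto} any host {f.inside_host} eq {f.port}"
            for f in forwards]


def build_config(forwards, acl_name="OutsideToInside"):
    """Steps 1-3 as pasteable text: objects, access-list entries, then the access-group."""
    lines = network_objects(forwards) + access_list(forwards, acl_name)
    lines.append(f"access-group {acl_name} in interface outside")
    return "\n".join(lines)


def find_unreachable(forwards, acl_lines):
    """Forwards that have a NAT entry but no permit line: packets are translated, then dropped."""
    missing = []
    for f in forwards:
        want = f"permit {f.proto} any host {f.inside_host} eq {f.port}"
        if not any(want in line for line in acl_lines):
            missing.append(f.name)
    return missing


def conflicting_forwards(forwards):
    """Pairs of forwards that claim the same outside address, protocol and port; only one can win."""
    seen, conflicts = {}, []
    for f in forwards:
        key = (f.outside, f.proto, f.port)
        if key in seen:
            conflicts.append((seen[key], f.name))
        seen[key] = f.name
    return conflicts


if __name__ == "__main__":
    print(build_config(SINGLE_ADDRESS, "OutsideToWebServer"))
    print()
    print(build_config(MULTI_ADDRESS))
    print("unreachable:", find_unreachable(MULTI_ADDRESS, access_list(MULTI_ADDRESS, "OutsideToInside")))
    print("conflicts:", conflicting_forwards(MULTI_ADDRESS))
```

Keeping the inventory as the single source for both the nat statements and the ACL entries is what prevents the most common static NAT mistake on the 8.3+ syntax, an ACL written against the translated address instead of the real one, or simply never written at all.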

Here is the complete configuration:


For more information about configuring the Cisco ASA Security Appliance, please see my book The Accidental Administrator:  Cisco ASA Security Appliance, available through Amazon and other resellers or through the soundtraining.net bookstore.  Also, consider attending my Cisco ASA Security Appliance 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group.  More information is available here.

You have permission to reprint this article in your newsletter, blog, website, or publication if you include the following paragraph:

Don R. Crawley is a longtime geek and President/Chief Technologist of soundtraining.net with more than 35 years in workplace technology. He holds multiple technical certifications and is the author of numerous books on information systems and technology, including The Accidental Administrator: Cisco ASA Security Appliance. He has spoken to audiences worldwide on both technical topics and IT customer service. His clients include well-known names such as Facebook, Kraft, Discover Card, Colgate University, State of Washington, State of California, City of Los Angeles, Perot Systems, the United States Pacific Command, the US Navy, Mercy Corps, and hundreds of others. To view this Seattle IT pro's upcoming events or to receive free Cisco tutorials, Linux tutorials, IT customer service tips, and other guides that will help you with Cisco training, Linux training, customer service training, and other skills you need to know to build a great career in IT, visit www.soundtraining.net or contact us at don@soundtraining.net or 206-988-5858.