Unified Networking Lab – Connecting ESX VM to the Internet

KB ID 0001276

Problem

UPDATE: This is an old article, UNL is now EVE-NG, please use the following link;

EVE-NG Connecting to the Internet

UNL is by far the coolest bit of kit I’ve got my hands on this year. I can run it in ESX, and connect to it from anywhere, so I don’t have to keep my labs on my laptop. But what if you want to connect your labs to a live network? There’s a great article on the unetlab website for the smaller versions of VMware. If you’re lucky enough to have your own vSphere environment there are a few more hoops to jump through.

Solution

First job is to present the vNICs to the UNL virtual machine. Here all those vNICs are in the same ‘port group’, but they don’t have to be; there’s no reason why you can’t present different VLANs, test networks, or DMZs, for example.

Here I’m directly on the console, but you can also connect via SSH if you prefer. Make sure you can see the presented vNICs with the following command;

[box]ifconfig -a | grep ^eth[/box]

Those networks need to be ‘bridged’ to the pnet interfaces that you use within UNL. To do that, edit the network settings;

[box]nano /etc/network/interfaces[/box]

Note: I already had nano installed, ‘apt-get install nano’ will install it for you if you don’t. 

Make sure it looks like this, (OK, I’ve got 10 network cards bridged and only presented 5, but I can add more now without having to go through this process again).

[box]

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
iface eth0 inet manual
auto pnet0
iface pnet0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_ageing 0

# Cloud devices
iface eth1 inet manual
auto pnet1
iface pnet1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_ageing 0

iface eth2 inet manual
auto pnet2
iface pnet2 inet manual
    bridge_ports eth2
    bridge_stp off
    bridge_ageing 0

iface eth3 inet manual
auto pnet3
iface pnet3 inet manual
    bridge_ports eth3
    bridge_stp off
    bridge_ageing 0

iface eth4 inet manual
auto pnet4
iface pnet4 inet manual
    bridge_ports eth4
    bridge_stp off
    bridge_ageing 0

iface eth5 inet manual
auto pnet5
iface pnet5 inet manual
    bridge_ports eth5
    bridge_stp off
    bridge_ageing 0

iface eth6 inet manual
auto pnet6
iface pnet6 inet manual
    bridge_ports eth6
    bridge_stp off
    bridge_ageing 0

iface eth7 inet manual
auto pnet7
iface pnet7 inet manual
    bridge_ports eth7
    bridge_stp off
    bridge_ageing 0

iface eth8 inet manual
auto pnet8
iface pnet8 inet manual
    bridge_ports eth8
    bridge_stp off
    bridge_ageing 0

iface eth9 inet manual
auto pnet9
iface pnet9 inet manual
    bridge_ports eth9
    bridge_stp off
    bridge_ageing 0

[/box]

You can ensure the interfaces are up by running;

[box]brctl show[/box]

If there’s a problem, you can bring them up manually by running ‘for i in $(seq 1 9); do ifup pnet${i}; done’.
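A quick way to sanity-check the bridging above before rebooting networking, as an added example (not code from the original article or from UNL): parse the interfaces file, pull the ethN names out of the `ifconfig -a | grep ^eth` output, and report any pnetN bridge that points at the wrong port or at a NIC that was never presented to the VM. The interfaces text and ifconfig output are constructed samples.

```python
"""Added check for the pnetN -> ethN bridging: compare interfaces(5) with `ifconfig -a`."""
import re

# Constructed sample: a trimmed copy of the interfaces file shown above,
# where pnet2 is bridged to an eth2 that was never presented to the VM.
SAMPLE_INTERFACES = """
iface eth0 inet manual
auto pnet0
iface pnet0 inet dhcp
    bridge_ports eth0
    bridge_stp off
iface eth2 inet manual
auto pnet2
iface pnet2 inet manual
    bridge_ports eth2
    bridge_stp off
"""
# Constructed sample of `ifconfig -a | grep ^eth` output: only eth0 and eth1 exist.
SAMPLE_IFCONFIG = ("eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:01\n"
                   "eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:02\n")

def parse_interfaces(text):
    """Return {iface: {"method": str, "opts": {key: value}}} per iface stanza."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":          # "iface NAME inet METHOD" opens a stanza
            current = ifaces.setdefault(words[1], {"method": words[3], "opts": {}})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            current = None               # top-level keyword, not a stanza option
        elif current is not None:
            current["opts"][words[0]] = " ".join(words[1:])
    return ifaces

def presented_nics(ifconfig_output):
    """Names of the ethN devices listed in `ifconfig -a` output."""
    return set(re.findall(r"^(eth\d+)\b", ifconfig_output, re.MULTILINE))

def check_bridges(ifaces, nics):
    """List pnetN bridges whose port is wrong or whose NIC is not presented."""
    problems = []
    for name, cfg in sorted(ifaces.items()):
        if not name.startswith("pnet"):
            continue
        expected = "eth" + name[4:]      # UNL convention: pnetN bridges ethN
        if cfg["opts"].get("bridge_ports", "").split() != [expected]:
            problems.append(f"{name}: bridge_ports should be {expected}")
        if expected not in nics:
            problems.append(f"{name}: {expected} is not presented to the VM")
    return problems
```

On the real box, feed it `open("/etc/network/interfaces").read()` and the output of `ifconfig -a` instead of the samples.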

ESX Enabling Promiscuous Mode

To enable your devices to talk through your vSwitches, they need to allow ‘promiscuous mode‘, below you can see that being done on the vSwitch (in the VI Client).

Check the ‘port group’ as well and ensure that will also accept promiscuous mode.

If you are using the vSphere Web Client here is where promiscuous mode is set on the vSwitch.

And here is where it’s set on the port group.

Unfortunately you can’t change this setting in the new HTML5 management console but you can view it.

Connect Your UNL Lab To the Public Network

Add a new node, and select the ‘Network’ option > When you place it you can select which live network you want to connect to.

WARNING: Connect to live networks as you would in real life, (with a router, firewall, or correctly configured L3 device).


Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Deny a Single IP Address External Access

KB ID 0000743 

Problem

This got asked on Experts Exchange today. The poster specifically asked for an ASDM solution, so here goes, but I will also give the CLI commands as well.

Solution

Block an IP via ASDM

1. Connect to the ASDM > Configuration > Firewall > Add ‘Network Object’.

Note: You could create a Network Object Group, then add a Network Object to that group. This is handy if there are likely to be more IP addresses you want to block in the future; in that case you would then simply add the new Network Objects to the existing group.

2. Give the host a name, set its type to ‘Host’ > Enter the IP > The description is not mandatory.

3. Locate the rules that are applied to the inside interface (incoming), select the first one.

Note: I refer to these as ‘Outbound’ rules; they apply to traffic flowing IN through the INSIDE interface.

4. Add a new access rule > Set to Deny > Select the source as the host (or group) you have just created > OK.

5. Make sure your new rule is at the TOP > Click Apply.

6. Warning: Below your ‘deny’ rule you need to ‘allow’ the traffic that should be allowed, or all other traffic will get blocked.

7. Save the changes to memory > File > Save Running Configuration to Flash.


Block an IP via Command

Note: This assumes you do NOT already have an outbound ACL (issue a show access-group command to find out). If you do, it will say access-group {name} in interface inside; simply replace the word outbound below with the name of yours, and DON’T issue the command that starts access-group.

[box]

User Access Verification

Password:
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# access-list outbound line 1 extended deny ip host 10.254.254.113 any
PetesASA(config)# access-list outbound line 2 extended permit ip any any
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]
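Both the ASDM steps (rule at the TOP in step 5, an allow underneath in step 6) and the CLI session come down to first-match ACL evaluation with an implicit deny at the end. The following is an added example, not code from the original article or from Cisco: a small simulator that parses the two outbound ACEs, evaluates a source address against them, and flags an ACE that an earlier, broader ACE shadows. It assumes plain ‘ip’ ACEs with any/host/network-mask addresses only (no ports or object groups); the destination address used for evaluation is a constructed placeholder.

```python
"""Added first-match simulation of the ASA 'outbound' ACL above (example code,
not from the original article): shows why the deny must precede the permit."""
import ipaddress

def _addr(w, i):
    """Parse one ASA address form: any | host A.B.C.D | NET MASK. Returns (net, next_i)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME [line N] [extended] {permit|deny} ip SRC DST'."""
    w = line.split()
    name, i = w[1], 2
    if w[i] == "line":
        i += 2                      # skip 'line N'; order in the list is what matters
    if w[i] == "extended":
        i += 1
    action, proto = w[i], w[i + 1]
    src, i = _addr(w, i + 2)
    dst, _ = _addr(w, i)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}

def evaluate(acl, src, dst="198.51.100.10"):
    """First matching ACE wins. Returns (action, line), or ('deny', None) for the
    implicit deny the ASA appends to every ACL (the reason for step 6's warning)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], n
    return "deny", None

def shadowed(acl):
    """1-based line numbers of ACEs that an earlier, broader ACE fully covers."""
    hits = []
    for n, ace in enumerate(acl):
        if any(ace["src"].subnet_of(e["src"]) and ace["dst"].subnet_of(e["dst"])
               for e in acl[:n]):
            hits.append(n + 1)
    return hits

# The two lines from the CLI session above, in ASA syntax.
OUTBOUND = [parse_ace(l) for l in (
    "access-list outbound line 1 extended deny ip host 10.254.254.113 any",
    "access-list outbound line 2 extended permit ip any any",
)]
```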


Related Articles, References, Credits, or External Links

NA