Windows Connect to NFS Share

Windows Connect to NFS Share KB ID 0001861

Problem

I have an old Buffalo NAS box I use on my test network, its shared between some Windows servers and is also used by my vSphere ESX deployment as a datastore. I replaced my main admin server which had a drive mapped to the device and ‘forget’ how I’d mapped the drive originally, so it took me a while to work it out again.

Windows Connect to NFS Share: Solution

The first task is to install NFS client which you can do with the following PowerShell command.

[box]

Install-WindowsFeature NFS-Client

[/box]

Then to map the drive (persistently as Drive Letter S:) use the following command.

[box]

New-PSDrive -Name 'S' -PSProvider FileSystem -Root '\\server-name\folder-name' -Persist -Scope Global

[/box]

Your drive should now be present like so.

Windows Connect to NFS: SMB1 Warning Message

In my case, my target is a very old NAS box that still used SMB1, in production this might be a concern but as this is my test network and there only ever me on it, I enable SMB1 on the Windows 2022 server (Note: Add it as a feature from Server Manager).

Error: You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol which could expose your system to attack.

I’ve put the link to my normal SMB1 article below.

Related Articles, References, Credits, or External Links

SMB1 Is Dead? (Unfortunately Not Yet)

Adding Windows Server NFS Shares to VMware ESX

VMware vSphere: Adding NFS Storage

VMware Cannot Remove / Unmount an NFS Store

Fortigate Load Balancing

KB ID 0001762

Problem

I’ve been getting through my NSE4, and one of todays topics was NAT, just as an offhand comment the ‘narrator‘ (I say narrator because it’s a monotonous robot AI voice,) mentioned Fortigate Load Balancing.

In the past (with my Cisco hat on) when I’ve been asked about load balancing, I’ve said ‘If you want to load balance, buy a load balancer‘. But the Fortigate does try to be ‘all things to all men‘ so I wondered just how good a load balancer can it be?

Turns out, quite a decent one, if you just want simple http round robin, it does that, it you want weighted traffic routing, or host health monitoring, or HTTP cookie persistence, and even SSL offload. It’s as good as anything I’ve ever worked on before. Here’s my Fortigate ‘Test Bench‘, you will see I’ve added three web servers (on the right) called Red, Green, and Blue (the significance of which will become apparent). Note: Yes there’s another web server at the bottom, (I’m too lazy to remove it from the lab!)

I’m going to setup simple round robin load balancing between these three web servers, and I’m going to get the Fortigate to monitor their health by simply making sure they respond to ping packets. (Note: it can monitor http availability or something a little better if you wish).

Solution

This tripped me up for a while! Load balancing is a feature, you need to  turn it on first, System > Feature Visibility > Load Balancing > Enable.

FortiGate Load Balancing: Create a Health Check

Cisco Types: Think of this as a tracked SLA

Policy & Objects > Health Check > Create New > Give it a name > Type = Ping > Interval = 10 > Timeout = 2 > Retry = 3 > OK

Now create a Virtual Server (not a VIP!) Policy  & Objects > Virtual Servers > Create New  > Name = Give it a sensible name > Type = HTTP > Interface = Your Outside/WAN interface  > Virtual Server IP (Externally!) > Virtual Server Port = 80 > Load Balancing method = Round Robin > Persistence = HTTP cookie > Heath Check = Select the one you created above.

Scroll down > Real Servers > Create New.

Add in the first (internal server IP) > Port = 80 > Max connections  = 0 (that’s unlimited) > OK.

Repeat the process to add the remaining servers > OK.

FortiGate Load Balancing: Enable Firewall Policy

Now you need to ‘allow’ traffic in (it is a firewall after all!) Policy & Objects > Firewall Policy (or IPv4 policy on older firewalls) > Create New > Name = Give it a sensible name > Incoming Interface = Outside > Outgoing Interface = Inside > STOP Change Inspection Mode to PROXY Based > Destination = Your Virtual Server (it’s not visible unless you have enabled proxy based!) > Schedule = Always > Service = All > Action = Accept > NAT = Enabled > You may also enable AV inspection > OK.

FortiGate Load Balancing:Testing and Tweaking

So from ‘Outside’ let’s hit our load balanced page.

That’s great but if you hit refresh a few times nothing changes (in production nothing would change anyway, but to prove my back end servers are getting used and load balanced, each of mine serves a different coloured page (hence the red, green and blue server names). The reason I’m only seeing the blue one, is because we enabled ‘HTTP cookie Persistence‘ let’s just nip back onto the firewall and disable that (set it to None > OK).

Now when I refresh by browser I can see it cycling though the back end servers.

FortiGate SSL Offload

To use and process SSL requires some CPU power, some websites (like this one) serve their webpages protected by https and the certificate that enables that lives on the web server, for sites like mine that are getting about 12k hits a day that’s fine but if you are getting hundreds of thousands of hits a minute that’s a MASSIVE drain on CPU resources. That’s what SSL offload is all about, getting another device (in this case the Fortigate) to do all the heavy lifting for you. Then the back end servers can get on with the job of serving web pages. 

Upload the Certificate to the FortiGate

For HTTPS you will need a web certificate that will be trusted by your visitors. I’m lazy and tight so I’ll just create one in Microsoft Certificate Services, but in Production you will need Publicly Signed Certificate. System > Certificates (if you can’t see certificates) > Import > Local Certificate.

Mine’s in PFX format so I need to select PKCS#12 > upload the certificate and supply a password > OK

FortiGate: Enable SSL Offload

On your Virtual Server, change the Type to HTTPS > Virtual ServerPort to 443 > Certificate to the one you just uploaded > OK.

We are now serving pages securely even though the web servers are not configured for https.

Related Articles, References, Credits, or External Links

NA

TinyCore Linux: Build a ‘Persistent’ Web Server

KB ID 0001697

Problem

Recently I was building a lab for testing load balancing, and needed some web servers, I could have built three Windows servers, but I wanted to run them in EVE-NG, so they had to be as light as I could make them. I chose TinyCore Linux, (I know there are smaller options, but it’s light enough for me to run, and work with).

The problem occurs when you reboot the TinyCore host, it (by default) reverts back to its vanilla state, (that’s not strictly true, a couple of folders are persistent).

So I had to build a server that would let me SFTP some web content into it and allow me to reboot it without losing the web content, settings, and IP address.

Step 1: Configure TinyCore IP & Web Server

This is a two step procedure, firstly I’m going to give it a static IP.

[box]

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1

[/box]

I don’t need DNS, if you do, then simply edit the resolve.conf file;

[box]

sudo vi /etc/resolv.conf
Add a value e.g.
Nameserver 8.8.8.8

[/box]

If you are scared of  the VI editor see Using the VI Editor (For Windows Types)

To connect via SSH/SFTP you will need opnessh installing, and to run the website, we will use Busybox, to install those, do the following;

[box]

tce-load -wi busybox-httpd.tcz
tce-load -wi openssh

[/box]

You will now need to set a password for the root account, (so you can log on and trasfer web files in!)

[box]

su
passwd
Type in, and confirm a new password!

[/box]

Start the OpenSSH, and TFTP services;

[box]

cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Now create a basic web page, (index.html) which you can update later. Setup the website, then copy that file to a location that will be persistent (you will see why later).

[box]

cd /usr/local/httpd/bin
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
sudo vi index.html {ENTER SOME TEXT TO TEST, AND SAVE}
sudo mkdir /mnt/sda1/wwwsite/
sudo cp /usr/local/httpd/bin/index.html /mnt/sda1/wwwsite/index.html

[/box]

At this point, (if you want) you can use your favourite SFTP client, (I recommend FileZilla or WinSCP) and copy in some live web content to /mnt/sda1/wwwsite/ But ensure the home/landing page is still index.html though!

Step 2: Make TinyCore Settings ‘Persistent’

There may be better ways to do this, this just worked for me, and made sense! There’s a shell script that is executed as the TinyCore machine boots (bootlocal.sh) so if you edit that file and put in the commands to configure the IP, copy the website files from the permanent mount folder, start the web server, then start SSH and TFTP, you end up with a server doing what you want, every time the server boots.

[box]

sudo vi /opt/bootlocal.sh

ADD THE FOLLOWING TO THE BOTTOM OF THE FILE;

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0 
sudo route add default gw 192.168.100.1
cp /mnt/sda1/wwwsite/index.html /usr/local/httpd/bin/index.html
cd /usr/local/httpd/bin/
Sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Save and exit the file, then finally BACKUP THE CHANGES with the following command;

[box]

filetool.sh -b

[/box]

Related Articles, References, Credits, or External Links

NA

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0000927 

NOTE: THIS ARTICLE IS FOR THE OLD VERSION OF GNS3

GO HERE FOR THE NEW ONE

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At time of writing he latest version is 8.6

1. Download GNS3, I accept all the defaults (I actually tick to install SuperPuTTy, as tabbed console windows can be handy when using GNS3). Launch the program, you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file, with older versions you need to extract that file to a filename.image file.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace, and test a range of settings. I you don’t do this your virtual network devices will eat all your CPU power!

9. When complete click Close > Save > Close.

10. You can now start that model router to the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences.

n

12. Quemu > Quemu Guest > Give it an identifier name (can be anything) > Browse to, and select the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Quemu Guest machine onto the work space, and console into it.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

15. Edit > Preferences > Quemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to;

[box]

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

[/box]

Set the Kernel cmd line option to;

[box]

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

[/box]

16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?

Should you wish to locate these files form a less reputable source you are looking for
asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlunuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

[/box]

20. When it comes back up, (again it will take a few minutes). Your can check your ASA’s licensed features.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

PPTP VPN – Enable Split Tunneling

 

KB ID 0000997 

Problem

I was asked yesterday, “When you get five minutes, I need split tunneling setup, when I VPN into a network I lose Internet connectivity”. On inspection he was using the Microsoft VPN client, I jumped on the VPN device to discover it was a Cisco IOS router.

What I discovered was, unlike the firewall VPN’s I’m used to, you DONT set split tunneling up on the VPN device, you set it up on the client, (and its a bit clunky – sorry!)

Solution

1. Windows Key + R > ncpa.cpl {Enter} > Locate the VPN connection > Right Click > Properties > Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.

2. Untick “Use default gateway on remote network” > OK > OK > OK.

BE AWARE: There is a downside to doing this, as site visitor Clayton Webb points out;

“Unchecking that default gateway is a godsend, until end users use their laptops for torrents, malware, etc. If you have the time I’d recommend a direct access setup for company equipment. VPN w/ NPS health validators for non-company equipment.”

I agree, I would only ever see this as a temporary solution for the ‘technically savvy’.

3. WARNING: At this point you may find you can connect to the VPN, and your Internet now works, (hooray!) But you can no longer talk to any servers or systems on the site you are VPN’d into. This is a Windows routing problem, lets take a look at what IP address I’m getting from the VPN Device.

Above you can see Ive got an IP address of 192.168.2.207, and in my case I don’t have a default gateway (this is not unusual, yours may be the same or you may have a default gateway as well).

4. If you open a command window and issue a ‘route print’ command, you can see the reason I don’t have a default gateway is my gateway is may actual IP address (again this is not unusual, In my case I need to remember 192.168.2.207, if you have a different gateway listed thats the one you need to take notice of).

5. Run a command window (as administrator) and issue a ‘route add‘, command like below.

Note: -P Adds the route persistently (will remain after a reboot). The network you are trying to get to will probably be a different network, to the network IP you are being leased to you by the VPN device. If you have multiple networks you will need a ‘route add’ for each one.

6. To demonstrate; below I can’t get to 192.168.1.1, I then enter the ‘route add’ command, and after that I can get to 192.168.1.1.

Note: I’m not adding my route as persistent!

 

Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0001079 

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.</p?

Solution

Note: At time of writing the latest version is 1.3.6</p?

1. Download GNS3, I usually accept all the defaults.

2. Edit > Preferences > Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

Adding Router Images to GNS 3

3. Dynamips > IOS Routers > New > Add in your route images > Follow instructions.</p?

Note: DONT Email me and ask for router images, go to Cisco and get them legally, (or use Google).

4. Make sure you take the time to calculate the ‘Idle-PC finder’ value for each router, or in large topologies you might quickly eat all your CPU power!

5. Continue adding routers as required.</p?

6. You can now drag a router onto the workspace and power it on.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

7. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to ASA 8.4(2).

8. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?

Should you wish to locate these files form a less reputable source you are looking for
asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

9. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.</p?

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0:
{Enter}

[/box]

10. When it comes back up, (again it will take a few minutes). Your can check your ASA’s licensed features.</p?

Adding a Host to GNS3

Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to default.

n

12. Give it a sensible name.

13. Navigate to, and select the disk image you downloaded above.

14. You can now drag a Qemu Guest machine onto the work space, and console into it.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

GNS3 – Can’t Save ASA Config – ‘%Error copying system:/running-config (Not enough space on device)’

KB ID 0000987

Problem

I love GNS3, it is a brilliant piece of software, I use it for bench testing and proof of concept work. Yes is can be a bit clunky sometimes, but it’s FREE! I had a project open with about four ASA’s on it, and it would not save the config on just one of them.

[box]

HostName(config)# copy running-config startup-config

Source filename [running-config]?
Cryptochecksum: fdf42190 76959bba 05a6a3d6 3f900005

%Error copying system:/running-config (Not enough space on device)
HostName(config)#

[/box]

[box]

HostName(config)# write mem
Building configuration...
Cryptochecksum: fdf42190 76959bba 05a6a3d6 3f900005

%Error copying system:/running-config (Not enough space on device)
Error executing command
[FAILED]
HostName(config)# 

[/box]

[box]

HostName(config)# copy running-config disk0:

Source filename [running-config]?

Destination filename [running-config]?
Cryptochecksum: fdf42190 76959bba 05a6a3d6 3f900005

%Error copying system:/running-config (Not enough space on device)
HostName(config)# 

[/box]

Solution

At first I simply deleted the ASA and added a new one, which annoyingly did the same. Then I read a post that said, do the following;

1. Open the configuration for the affected ASA.

2. Change the NIC Model to pcnet > Apply > OK > Stop the firewall > Start the Firewall.

HOWEVER, in my case the problem persisted, I eventually fixed it by formatting the virtual ASA’s flash drive.

3. Execute the following command;

[box]

HostName# format flash 

 

Format operation may take a while. Continue? [confirm]

Format operation will destroy all data in "flash:". Continue? [confirm]{Enter}
Initializing partition - hda: hda1
done!
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete
HostName# 

[/box]

4. Power off, then power on the firewall, problem fixed.

Related Articles, References, Credits, or External Links

NA