Showing posts with label netscreen. Show all posts

Saturday, June 2, 2012

Mapped IP configuration on Netscreen



I'm going to talk about the MIP (Mapped IP) feature on Netscreen using a sample network design. This network uses private addresses on the internal side and has public addresses to use on the external side. The network structure is shown below:


As shown in the network design, we have a computer with the IP address 172.16.100.11, and we want to map it to the public IP address 21x.xxx.xx.236. What we want is shown below:

When the computer sends any request to the public Internet side, devices located on the Internet side see it as 21x.xxx.xx.236, and when a request is sent from the Internet to the 21x.xxx.xx.236 IP address, the firewall redirects it to 172.16.100.11. So 172.16.100.11 means 21x.xxx.xx.236 and 21x.xxx.xx.236 means 172.16.100.11.

We will set MIP configuration on Netscreen for this purpose.

(The external side was defined earlier as the "Internet" zone and the internal network as the "system" zone on the firewall. The following configuration steps use those zone names.)

First of all, 21x.xxx.xx.236 is an IP address located in the segment between the firewall and the main router. This segment is not behind the firewall; on the contrary, it is in front of it. The firewall has to take this address onto itself, as if it were a sub-interface. In any case, 21x.xxx.xx.236 must appear in the main router's ARP table with a MAC address obtained from the firewall; otherwise packets whose destination field contains 21x.xxx.xx.236 cannot reach the target. I will explain this background at the end of this article. Let's continue with the configuration.

1)
Select the “Interfaces” item in the menu on the left side of the Netscreen configuration web interface.


2) 
When the Interfaces item is clicked, a page like the one shown below appears on the right side of the page.


3)
Click the Edit link marked in the picture above. The following page opens.


4)
Click the MIP link. This page lists the MIPs that have already been created.


5)
Click the New button on the right side.


6)
After clicking OK, check the MIP list again; our configuration now appears in the MIP list.



7)
At this point the Mapped IP configuration is done, but we still have to create the policies that permit the traffic. Both directions are needed. The following one is for the Internet-to-system direction.


When you click Policies under the Policy menu, the policy list appears on the right side of the page. There are “from” and “to” selectors at the top of the right side. Select the “Internet” option in the “from” combobox and select “system” in the “to” part.


The firewall now lists the policies from Internet to system. Click the “New” button at the top right.

Two points are important at this step: first, the destination address should be the MIP; second, the action should be “Permit”.

8)
Select “system” for the 'from' part and “Internet” for the 'to' part at the top, click the “Go” button, and then click the “New” button.


The source address should be 172.16.100.11 and the destination address should be “any”. Then select “Permit” as the action.

This step permits access to the Internet side for the computer with address 172.16.100.11. If you only want to permit access from the Internet to your internal workstation, you do not need this step.
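The same MIP and the two policies from steps 1 to 8 can also be entered at the ScreenOS CLI instead of the web interface. The following is an added example, not configuration from the original post: the zone names (Internet, system) and the two addresses come from the post, while the interface name ethernet3, the virtual router trust-vr, the single-host netmask and the address-book name pc-100-11 are assumptions that you must adapt to your own box. The lines starting with "#" are annotations, not CLI input.

```text
# Added example (not from the original post). Interface, virtual router and
# address-book name are assumptions; zones and IP addresses come from the post.

# Step 6: one-to-one MIP on the untrust-side interface (netmask /32 = single host)
set interface ethernet3 mip 21x.xxx.xx.236 host 172.16.100.11 netmask 255.255.255.255 vr trust-vr

# Address-book entry for the internal host, in the "system" zone
set address system pc-100-11 172.16.100.11 255.255.255.255

# Step 7: Internet -> system, destination must be the MIP, action permit
set policy from Internet to system any MIP(21x.xxx.xx.236) any permit

# Step 8 (optional): system -> Internet for the mapped host only
set policy from system to Internet pc-100-11 any any permit

save
```

Afterwards, "get mip" shows the mapping and "get policy" shows the two rules; both should match what the web interface lists in steps 6 to 8.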


Let's analyse the communication background of this scenario.

Telnet to the main router (a Cisco 3661) and run the “show arp” command. You get output like the one below:

UGC_Topkapi_3661#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
..
Internet  21x.xxx.xx.250          0   0010.dbff.22e0  ARPA   FastEthernet4/0
….
Internet  21x.xxx.xx.236        161   0010.dbff.22e0  ARPA   FastEthernet4/0
…
...


As you can see, the 21x.xxx.xx.236 and 21x.xxx.xx.250 IP addresses have exactly the same MAC address, the firewall's. The main router therefore sends packets for 21x.xxx.xx.236 to the firewall's MAC, and the firewall already knows how to reach the main router. If you don't understand any step, please let me know.

Friday, October 21, 2011

Checking System Room Temperature with Cisco, Hp, Netscreen

{ You can visit the following link to read the newest entry about the same subject;
that article includes a mobile phone client application for following up the system room temperature. Its first version is especially for Nokia phones. }

The "http://stdioe.blogspot.com/2011/09/how-to-follow-up-temperature-of-system_23.html" article explains "How to follow up temperature of system room" via an IBM Blade Chassis device. I planned to explain it that way because the most reliable device in my system room is the IBM Blade chassis. But most STDIOE blog readers may not have an IBM blade chassis. That article can of course still help them, but I can rewrite it for frequently used devices such as Cisco, Juniper and HP. These products run different operating systems, so each version has small differences. This article presents some composite solutions for those systems.

Checking the system room temperature with Cisco:


Cisco routers have the built-in "show environment" or "show environment temperature" commands. We can get the temperature information with these commands. We can also use the approach from the article at "http://stdioe.blogspot.com/2011/09/how-to-follow-up-temperature-of-system_23.html" to get that information from Cisco routers using the script below:

#!/usr/bin/perl

use Net::Telnet::Cisco;

my $session = Net::Telnet::Cisco->new(Host => 'x.x.x.x');
$session->login('TelnetUser', 'TelnetPassword');

# Execute a command
my @output = $session->cmd('show environment');
print @output;

$session->close;



Attention:
Cisco routers run different IOS versions, and different IOS versions provide different levels of detail.

First Cisco example:

The first example is about a Cisco 3661. It runs the following IOS version:

HostName_Router_3661#show version 
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3660-IK9S-M), Version 12.2(13)T12, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 30-Mar-04 14:38 by ccai
Image text-base: 0x60008940, data-base: 0x61C20000

ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)
ROM: 3600 Software (C3660-IK9S-M), Version 12.2(13)T12, RELEASE SOFTWARE (fc1)

HostName_Router_3661 uptime is 7 weeks, 5 days, 11 hours, 21 minutes
System returned to ROM by reload
System restarted at 04:17:12 ISTANBUL Sat Aug 27 2011
System image file is "flash:c3660-ik9s-mz.122-13.T12.bin"

cisco 3660 (R527x) processor (revision 1.0) with 119808K/11264K bytes of memory.
Processor board ID JAC0617A0XT
R527x CPU at 225Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
Channelized E1, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.
Basic Rate ISDN software, Version 1.1.


3660 Chassis type: ENTERPRISE
5 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
8 ISDN Basic Rate interface(s)
1 ATM network interface(s)
2 Channelized E1/PRI port(s)
2 Voice FXO interface(s)
2 Voice FXS interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

HostName_Router_3661#


This IOS version supports only the "show environment" command and its output is simple: it does not contain any numeric temperature value, as shown below:

HostName_Router_3661#show environment 

Power Supply 1 is present.
Thermal status: normal
Input Voltage status: normal
DC Output Voltage status: normal

Power Supply 2 is present.
Thermal status: normal
Input Voltage status: normal
DC Output Voltage status: normal

Board Temperature: normal.

HostName_Router_3661#


We have to grep the "Thermal status:" line, split it on the ":" character and keep the value part. The Perl script should be changed for this goal as shown below:

#!/usr/bin/perl
use strict;
use warnings;
use Net::Telnet::Cisco;

my $session = Net::Telnet::Cisco->new(Host => 'x.x.x.x');
$session->login('userName', 'passWord');
my @output = $session->cmd('show environment');

$session->close;

# Keep the value part of the "Thermal status: <state>" line.
# Both power supplies print one; the last match is kept.
my ($key, $value);
foreach my $item (@output)
{
    if ($item =~ /Thermal status/) {
        ($key, $value) = split(/:/, $item, 2);
    }
}
defined $value or die "No 'Thermal status' line found in the output\n";

# Remove leading and trailing whitespace (including the newline)
sub trim
{
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}

$value = trim($value);
print "theValue:".$value."\n";

# If you want to write the result to a file, remove the "#" chars from the following lines.

#open (my $target, '>', 'tempfile.txt') || die ("Could not open file <br> $!");
#print $target "$value";
#close ($target);


We can do the parsing step in this Perl script, or we can save the output of the "show environment" command to a file and then handle it with shell commands. Let's try that way in the "Second Cisco example":

Second Cisco example:

The second example is about a Cisco 38xx. It runs the following IOS version:

HostName_Router_3800#show version 
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(11)T3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 11-Jul-07 21:30 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

HostName_Router_3800 uptime is 7 weeks, 4 days, 15 hours, 56 minutes
System returned to ROM by power-on
System image file is "flash:c3845-advipservicesk9-mz.124-11.T3.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 482304K/41984K bytes of memory.
Processor board ID FTX1135A1E0
4 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)

HostName_Router_3800#


This IOS version also supports only the "show environment" command, but its output is more detailed than in the first example: it contains temperature values, as shown below:

HostName_Router_3800#show environment 

SYS PS1 is present.
Fan status: Normal
Input Voltage status: Normal
DC Output Voltage status: Normal
Type: AC
Thermal status: Normal

SYS PS2 is absent.

AUX(-48V) PS1 is present.
Status: Normal

AUX(-48V) PS2 is absent.
Compliance Mode: IEEE 802.af compliant

Fan 1 Normal
Fan 2 Normal
Fan 3 Normal

Fan Speed is Normal

Alert settings:
Intake temperature warning: Enabled, Threshold: 55
Core temperature warning: Enabled, Threshold: 70 (CPU: 90)

Board Temperature: Normal
Internal-ambient temperature = 31, Normal
CPU temperature = 42, Normal
Intake temperature = 24, Normal
Backplane temperature = 25, Normal

Voltage 1(3300) is Normal, Current voltage = 3316 mV
Voltage 2(5150) is Normal, Current voltage = 5153 mV
Voltage 3(2500) is Normal, Current voltage = 2525 mV
Voltage 4(1200) is Normal, Current voltage = 1215 mV

Nominal frequency

HostName_Router_3800#


We are interested in the temperature of the system room, so we will use the "Backplane temperature" line in this case. The other values are very helpful for different purposes, so you can adapt this sample for something else, such as the CPU temperature. In this case the Perl script records the whole output of the "show environment" command to a file, and we do the rest with Linux shell commands:

#!/usr/bin/perl
use strict;
use warnings;
use Net::Telnet::Cisco;

my $session = Net::Telnet::Cisco->new(Host => 'x.x.x.x');
$session->login('userName', 'passWord');
my @output = $session->cmd('show environment');

$session->close;

# Save the whole output; the parsing is done afterwards with shell commands
open (my $target, '>', 'tempfile.txt') || die ("Could not open file <br> $!");
print $target @output;
close ($target);


Now all the information we need is in the text file, and we can handle it easily with Linux shell commands. Let's continue:

grep "Backplane temperature" tempfile.txt | awk -F ' ' '{print $4}' | awk -F ',' '{print $1}'


The result of the command above is 25 in this sample. We can use this final result as described in the "http://stdioe.blogspot.com/2011/09/how-to-follow-up-temperature-of-system_23.html" article.

Checking system room temperature with Juniper / Netscreen:

I'm using an ISG2000 to prepare this article. The version information is:


Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.1.0r3.0, Type: Firewall+VPN


We can use the following command to get the temperature information:

UGC:isg2000-UP(M)-> get chassis 
Chassis Environment:
Power Supply: Good
Fan Status: Good
CPU Temperature: 104'F ( 40'C)
Slot Information:
Slot Type S/N Assembly-No Version Temperature
0 System Board 0079082006000411 0051-005 E01 80'F (27'C), 84'F (29'C)
4 Management 0081082006000307 0049-004 D11 104'F (40'C)
5 ASIC Board 000319230H060098 0050-003 C00
Marin FPGA version 9, Jupiter ASIC version 1, Fresno FPGA version 102
I/O Board
Slot Type S/N Version FPGA version
1 2 port 10/100/1000T 0142092006000038 C00 20
3 2 port 10/100/1000T 0142092006000036 C00 20
4 4 port 10/100 0138082006000020 D01 6
Alarm Control Information:
Power failure audible alarm: disabled
Fan failure audible alarm: disabled
Low battery audible alarm: disabled
Temperature audible alarm: disabled
Normal alarm temperature is 132'F (56'C)
Severe alarm temperature is 150'F (66'C)
UGC:isg2000-UP(M)->


We can use the "|" (pipe) function to get only the required lines. (This feature also exists on Cisco. I try to show a different solution in each example, but of course you can also use the pipe function in the Cisco example.)

UGC:isg2000-UP(M)-> get chassis | include temperature
CPU Temperature: 104'F ( 40'C)
Slot Type S/N Assembly-No Version Temperature
Temperature audible alarm: disabled
Normal alarm temperature is 132'F (56'C)
Severe alarm temperature is 150'F (66'C)
UGC:isg2000-UP(M)->


This output is better, isn't it? Let's write a Perl script to get this info from the Juniper box to a file on our system.

#!/usr/bin/perl
use strict;
use warnings;
use Net::Telnet::Netscreen ();

my $fw = Net::Telnet::Netscreen->new(host => 'x.x.x.x');

$fw->login('username', 'password') or die $fw->error;

my @lines = $fw->cmd("get chassis | include temperature");

# Save the filtered lines for later processing with grep/awk
open (my $target, '>', 'tempfile.txt') || die ("Could not open file <br> $!");
print $target @lines;
close ($target);


Now we can use the content of the tempfile.txt file. If you want only a single line of this content, you can change the "temperature" part of the "get chassis | include temperature" command, but it is not necessary, because we can already extract that string with the grep and awk commands.

Checking system room temperature with HP Procurve switch:

The first step is writing a Perl script to get the temperature information from the HP ProCurve switch. We can use a script like the one below:


#!/usr/bin/perl
use strict;
use warnings;
use Net::Telnet ();

# The Prompt pattern must match the switch's CLI prompt
my $session = Net::Telnet->new(Timeout    => 5,
                               Telnetmode => 0,
                               Prompt     => '/PROMPTofDEVICE#/',
                               Host       => "x.x.x.x");

# Some firmware versions show "Press any key to continue" first; enable these if yours does
# $session->waitfor('/Press any key to continue/');
# $session->print("");

# Wait for the password prompt and send the password
$session->waitfor('/Password: /');
$session->print('PassworDofDevice');

$session->waitfor('/PROMPTofDEVICE#/');

my @lines = $session->cmd("show system temperature");

$session->cmd("exit");
$session->cmd("exit");

# Save the output for later processing with grep/awk
open (my $target, '>', 'tempfile.txt') || die ("Could not open file <br> $!");
print $target @lines;
close ($target);


When we connect to a ProCurve device, a "Press any key to continue" message is usually shown. Some versions do not show it. If your device shows this message, delete the '#' characters at the beginning of the two commented lines. The tempfile.txt file then contains the information below:

 System Air Temperatures
# |Current Temp | Max Temp | Min Temp | Threshold | OverTemp
-------+-------------+----------+----------+-----------+----------
Sys-1 | 20C | 29C | 14C | 55C | NO


We can use a command as follows:

grep Sys-1 tempfile.txt | awk -F ' ' '{print $3}'


We can add that script to crontab and record the output in a MySQL table. Another script or service can then analyse the recorded values, as in the "http://stdioe.blogspot.com/2011/09/how-to-follow-up-temperature-of-system_23.html" article.
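The grep/awk extraction steps shown for each device above (the Cisco 3845 "Backplane temperature" line, the status-only output of the Cisco 3661, the "get chassis | include temperature" lines of the ISG2000, and the ProCurve "show system temperature" table) collected into one portable sh/awk script, with a threshold comparison added for the crontab use just described. This is an added example, not code from the original post. The sample outputs are constructed from the transcripts in this post so the script runs offline; in production you would pass it the content of tempfile.txt instead. The ScreenOS and ProCurve thresholds are read from the devices' own output; the 55 C limit used for the Cisco reading is an assumed value.

```shell
#!/bin/sh
# Added example, not from the original post: extract the room temperature from
# the device outputs quoted in the post with POSIX awk and compare it against
# a threshold. Samples are constructed from the post's transcripts.

# Constructed sample: Cisco 3845 "show environment" (temperature lines only)
CISCO_3845_SAMPLE='Board Temperature: Normal
Internal-ambient temperature = 31, Normal
CPU temperature = 42, Normal
Intake temperature = 24, Normal
Backplane temperature = 25, Normal'

# Constructed sample: Cisco 3661 "show environment" (status words, no numbers)
CISCO_3661_SAMPLE='Power Supply 1 is present.
Thermal status: normal
Board Temperature: normal.'

# Constructed sample: ScreenOS "get chassis | include temperature"
NETSCREEN_SAMPLE="CPU Temperature: 104'F ( 40'C)
Slot Type S/N Assembly-No Version Temperature
Temperature audible alarm: disabled
Normal alarm temperature is 132'F (56'C)
Severe alarm temperature is 150'F (66'C)"

# Constructed sample: HP ProCurve "show system temperature"
HP_SAMPLE=' System Air Temperatures
# |Current Temp | Max Temp | Min Temp | Threshold | OverTemp
-------+-------------+----------+----------+-----------+----------
Sys-1 | 20C | 29C | 14C | 55C | NO'

# Cisco (3845 style): "<Sensor> temperature = <N>, <state>"  ->  N
cisco_temp() {   # $1 = output, $2 = sensor name (Backplane, CPU, Intake, ...)
    printf '%s\n' "$1" | awk -v s="$2" '
        $1 == s && $2 == "temperature" { sub(",", "", $4); print $4; exit }'
}

# Cisco (3661 style): "<Label>: <state>."  ->  state (no number is available)
cisco_status() { # $1 = output, $2 = label (Thermal status, Board Temperature)
    printf '%s\n' "$1" | awk -F ': *' -v l="$2" '
        $1 == l { sub(/\.$/, "", $2); print $2; exit }'
}

# ScreenOS: first line starting with $2, Celsius value from the "(..'C)" part
netscreen_celsius() { # $1 = output, $2 = line prefix
    printf '%s\n' "$1" | awk -v p="$2" -v q="'" '
        index($0, p) == 1 && match($0, "[0-9]+" q "C") {
            print substr($0, RSTART, RLENGTH - 2); exit }'
}

# ProCurve: row of sensor $2, column $3 (2 = Current Temp, 5 = Threshold)
hp_celsius() {   # $1 = output, $2 = sensor name (Sys-1), $3 = column number
    printf '%s\n' "$1" | awk -F '|' -v s="$2" -v c="$3" '
        $1 ~ "^" s " *$" { gsub(/[^0-9]/, "", $c); print $c; exit }'
}

# Compare a reading with a threshold (whole degrees C); prints OK or ALERT
temp_state() {   # $1 = reading, $2 = threshold
    if [ "$1" -ge "$2" ]; then echo ALERT; else echo OK; fi
}

# Stand-alone demonstration; 55 C for the Cisco reading is an assumed limit,
# the other thresholds come from the devices' own output.
main() {
    r=$(cisco_temp "$CISCO_3845_SAMPLE" Backplane)
    echo "cisco3845 backplane=$r state=$(temp_state "$r" 55)"
    echo "cisco3661 thermal=$(cisco_status "$CISCO_3661_SAMPLE" 'Thermal status')"
    r=$(netscreen_celsius "$NETSCREEN_SAMPLE" 'CPU Temperature')
    t=$(netscreen_celsius "$NETSCREEN_SAMPLE" 'Normal alarm temperature')
    echo "netscreen cpu=$r threshold=$t state=$(temp_state "$r" "$t")"
    r=$(hp_celsius "$HP_SAMPLE" Sys-1 2)
    t=$(hp_celsius "$HP_SAMPLE" Sys-1 5)
    echo "procurve sys1=$r threshold=$t state=$(temp_state "$r" "$t")"
}
main
```

Each extractor takes the raw text as its first argument, so `cisco_temp "$(cat tempfile.txt)" Backplane` drops straight into the cron job; the numeric comparison in temp_state is what the recording script would evaluate before writing the row to the database.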

Thursday, September 22, 2011

How to Connect Juniper Netscreen Device using Perl Scripts

The site http://search.cpan.org contains a usable and easy library for connecting to Netscreen devices. The name of the library is Net::Telnet::Netscreen. Its use is straightforward:

#!/usr/bin/perl
use strict;
use warnings;
use Net::Telnet ();

# The Prompt pattern must match your device's CLI prompt (here an NS-5GT)
my $t = Net::Telnet->new(Timeout => 10,
                         Prompt  => '/ns5gt-adsl->/');

$t->open("IP_ADDR_of_NetscreenDevice");
$t->login("netscreenUsername", "Password");
my @lines = $t->cmd("get policy id X");
print @lines;
$t->cmd("exit");
$t->cmd("exit");


The IP_ADDR_of_NetscreenDevice, netscreenUsername and Password placeholders should be replaced with an address, a username and a password, respectively.