Unetlab Installation on ESXi

ESXi:
-check that your CPU supports virtualization
http://ark.intel.com/Products/VirtualizationTechnology

-check that your hardware supports virtualization
# esxcfg-info | grep "HV Support"
|----HV Support............................................3
|----World Command Line.................................grep HV Support
0 – VT/AMD-V indicates that support is not available for this hardware.
1 – VT/AMD-V indicates that VT or AMD-V might be available but it is not supported for this hardware.
2 – VT/AMD-V indicates that VT or AMD-V is available but is currently not enabled in the BIOS.
3 – VT/AMD-V indicates that VT or AMD-V is enabled in the BIOS and can be used.

-Edit the VM settings and go to VM settings > Options > CPUID mask > Advanced > Level 1, add the following CPU mask level
ECX ---- ---- ---- ---- ---- ---- --H- ----
NOTE: do the above only if all else fails

-Edit the VM settings and go to VM settings > Options > CPU/MMU Virtualization. Select
"Use Intel VT-x/AMD-V for instruction set virtualization and Intel EPT/AMD RVI for MMU virtualization"

-vm hardware version must be version 9 or above
# vim-cmd vmsvc/getallvms
# vim-cmd vmsvc/upgrade unetlab-vmid vmx-09

-modify /etc/vmware/config
add the following as the last line, then reboot
vhv.enable = "TRUE"

-should show "nestedHVSupported true"
# vim-cmd vmsvc/get.capability 8

-test in ubuntu
# egrep -c '(vmx|svm)' /proc/cpuinfo
the output should be 8

Download Unetlab from: http://www.unetlab.com/download/
# apt-get update
# apt-get -y upgrade
# apt install tree

-to upgrade unetlab only
# apt-get -o Dpkg::Options::="--force-overwrite" install unetlab unetlab-qemu
-to check unetlab version
# dpkg  -l unetlab

-Below is the reference node in UNL: "/opt/unetlab/html/includes/init.php"
'a10'           =>      'A10 vThunder',
'clearpass'     =>      'Aruba ClearPass',
'timos'         =>      'Alcatel 7750 SR',
'veos'          =>      'Arista vEOS',
'brocadevadx'   =>      'Brocade vADX',
'cpsg'          =>      'CheckPoint Security Gateway VE',
'asa'           =>      'Cisco ASA',
'asav'          =>      'Cisco ASAv',
'csr1000v'      =>      'Cisco CSR 1000V',
'cips'          =>      'Cisco IPS',
'c1710'         =>      'Cisco IOS 1710 (Dynamips)',
'c3725'         =>      'Cisco IOS 3725 (Dynamips)',
'c7200'         =>      'Cisco IOS 7206VXR (Dynamips)',
'iol'           =>      'Cisco IOL',
'titanium'      =>      'Cisco NX-OSv (Titanium)',
'sourcefire'    =>      'Cisco Sourcefire',
'vios'          =>      'Cisco vIOS',
'viosl2'        =>      'Cisco vIOS L2',
'vwlc'          =>      'Cisco vWLC',
'vwaas'         =>      'Cisco vWAAS',
'coeus'         =>      'Cisco Web Security Appliance',
'xrv'           =>      'Cisco XRv',
'nsvpx'         =>      'Citrix Netscaler',
'extremexos'    =>      'ExtremeXOS',
'bigip'         =>      'F5 BIG-IP LTM VE',
'fortinet'      =>      'Fortinet FortiGate',
'hpvsr'         =>      'HP VSR1000',
'olive'         =>      'Juniper Olive',
'vmx'           =>      'Juniper vMX',
'vsrx'          =>      'Juniper vSRX',
'paloalto'      =>      'Palo Alto VM-100 Firewall',
'vyos'          =>      'VyOS',
'esxi'          =>      'VMware ESXi',
'win'           =>      'Windows'

-to install ios image
scp c1710-bk9no3r2sy-mz.124-23.bin, c3725-adventerprisek9-mz.124-15.T14.bin and c7200-adventerprisek9-mz.152-4.S6.bin to /opt/unetlab/addons/dynamips
# cd /opt/unetlab/addons/dynamips
# unzip c1710-bk9no3r2sy-mz.124-23.bin
# unzip c3725-adventerprisek9-mz.124-15.T14.bin
# unzip c7200-adventerprisek9-mz.152-4.S6.bin
# mv C1710-BK.BIN c1710-bk9no3r2sy-mz.124-23.image
# mv C3725-AD.BIN c3725-adventerprisek9-mz.124-15.T14.image
# mv C7200-AD.BIN c7200-adventerprisek9-mz.152-4.S6.image
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install asa
# mkdir -p /opt/unetlab/addons/qemu/asa-9.15
scp hda.qcow2 and hdb.qcow2 into /opt/unetlab/addons/qemu/asa-9.15
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install asav
STATUS: FAILED
# mkdir -p /opt/unetlab/addons/qemu/asav-923.200
scp asav923.ova into /opt/unetlab/addons/qemu/asav-923.200
# cd /opt/unetlab/addons/qemu/asav-923.200
# tar xf asav923.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 boot.vmdk virtioa.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install bigip-11.6.0
# mkdir -p /opt/unetlab/addons/qemu/bigip-11.6.0/
scp BIGIP-11.6.0.0.0.401.ALL-scsi.ova into /opt/unetlab/addons/qemu/bigip-11.6.0/
# cd /opt/unetlab/addons/qemu/bigip-11.6.0/
# tar xf BIGIP-11.6.0.0.0.401.ALL-scsi.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 BIGIP-11.6.0.0.0.401-disk1.vmdk hda.qcow2
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 BIGIP-11.6.0.0.0.401-disk2.vmdk hdb.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install brocadevadx
STATUS: FAILED (blank screen)
# mkdir -p /opt/unetlab/addons/qemu/brocadevadx-3100
scp SSR3100ESX_EVAL.zip into /opt/unetlab/addons/qemu/brocadevadx-3100
# cd /opt/unetlab/addons/qemu/brocadevadx-3100
# unzip SSR3100ESX_EVAL.zip
# tar xf SSR03100ESX.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 SSR1000ESX-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install coeus
STATUS: FAILED (blank screen)
# mkdir -p /opt/unetlab/addons/qemu/coeus-8-0-5-075
scp coeus-8-0-5-075-S000V.zip into /opt/unetlab/addons/qemu/coeus-8-0-5-075
# cd /opt/unetlab/addons/qemu/coeus-8-0-5-075
# unzip coeus-8-0-5-075-S000V.zip
# cd coeus-8-0-5-075-S000V
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 coeus-8-0-5-075-S000V-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install csr
# mkdir -p /opt/unetlab/addons/qemu/csr1000v-universalk9.03.14.00.S.155-1.S
scp csr1000v-universalk9.03.14.01.S.155-1.S1-std.ova into /opt/unetlab/addons/qemu/csr1000v-universalk9.03.14.00.S.155-1.S
# cd /opt/unetlab/addons/qemu/csr1000v-universalk9.03.14.00.S.155-1.S
# tar xf csr1000v-universalk9.03.14.01.S.155-1.S1-std.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 csr1000v_harddisk.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install extremexos
# mkdir -p /opt/unetlab/addons/qemu/extremexos-15.3.2.11
scp extremexosvm.zip /opt/unetlab/addons/qemu/extremexos-15.3.2.11
# cd /opt/unetlab/addons/qemu/extremexos-15.3.2.11
# unzip extremexosvm.zip
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 "EXOS_VM_15.3.2.11 sw1.vmdk" hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install fortinet-5.2.3b670
STATUS: FAILED ([others.c:2390] get_ttree('root') failed)
# mkdir -p /opt/unetlab/addons/qemu/fortinet-5.2.3b670
scp FGT_VM64-v5-build0670-FORTINET.out.ovf.zip into /opt/unetlab/addons/qemu/fortinet-5.2.3b670
# cd /opt/unetlab/addons/qemu/fortinet-5.2.3b670
# unzip FGT_VM64-v5-build0670-FORTINET.out.ovf.zip
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 fortios.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install hpvsr
# mkdir -p /opt/unetlab/addons/qemu/hpvsr-7.10.R0204P01
scp VSR1000_7.10.R0204P01.zip into /opt/unetlab/addons/qemu/hpvsr-7.10.R0204P01
# cd /opt/unetlab/addons/qemu/hpvsr-7.10.R0204P01
# unzip VSR1000_7.10.R0204P01.zip
# tar xf VSR1000_HP-CMW710-R0204P01-X64.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 VSR1000_HP-CMW710-R0204P01-X64-disk1.vmdk hda.qcow2
# mv VSR1000_HP-CMW710-R0204P01-X64.iso cdrom.iso
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install nsvpx
# mkdir -p /opt/unetlab/addons/qemu/nsvpx-11.0.55.20
scp NSVPX-ESX-11.0-55.20_nc.zip into /opt/unetlab/addons/qemu/nsvpx-11.0.55.20
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 NSVPX-ESX-11.0-55.20_nc-disk1.vmdk virtioa.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install paloalto-6.1.0
# mkdir -p /opt/unetlab/addons/qemu/paloalto-6.1.0
scp PA-VM-ESX-6.1.0.ova into /opt/unetlab/addons/qemu/paloalto-6.1.0
# cd /opt/unetlab/addons/qemu/paloalto-6.1.0
# tar xf PA-VM-ESX-6.1.0.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 PA-VM-ESX-6.1.0-disk1.vmdk virtioa.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install sourcefire
STATUS: FAILED (Kernel panic)
# mkdir -p /opt/unetlab/addons/qemu/sourcefire-5.4.0-763
scp Sourcefire_Defense_Center_Virtual64_VMware-5.4.0-763.tar.gz into /opt/unetlab/addons/qemu/sourcefire-5.4.0-763
# cd /opt/unetlab/addons/qemu/sourcefire-5.4.0-763
# tar zxf Sourcefire_Defense_Center_Virtual64_VMware-5.4.0-763.tar.gz
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 Sourcefire_Defense_Center_Virtual64_VMware-5.4.0-763-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install timos
# mkdir -p /opt/unetlab/addons/qemu/timos-12.0.R6
scp TiMOS-SR-12.0.R6-vm.zip into /opt/unetlab/addons/qemu/timos-12.0.R6
# cd /opt/unetlab/addons/qemu/timos-12.0.R6
# mv TiMOS-SR-12.0.R6-vm/vm/7xxx-i386/sros-vm.qcow2 hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install titanium
# mkdir -p /opt/unetlab/addons/qemu/titanium-7
scp hda.qcow2 into /opt/unetlab/addons/qemu/titanium-7
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install veos
# mkdir -p /opt/unetlab/addons/qemu/veos-4.15.0f
scp vEOS-lab-4.15.0F.vmdk and Aboot-veos-serial-2.1.0.iso into /opt/unetlab/addons/qemu/veos-4.15.0f
# cd /opt/unetlab/addons/qemu/veos-4.15.0f
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 vEOS-lab-4.15.0F.vmdk hda.qcow2
# mv Aboot-veos-serial-2.1.0.iso cdrom.iso
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install vios
# mkdir -p /opt/unetlab/addons/qemu/vios-adventerprisek9-m-15.5
# mkdir -p /opt/unetlab/addons/qemu/viosl2-adventerprisek9-m-15.2
scp vIOS-L3.qcow2 into /opt/unetlab/addons/qemu/vios-adventerprisek9-m-15.5
scp vIOS-L2.qcow2 into /opt/unetlab/addons/qemu/viosl2-adventerprisek9-m-15.2
# cd /opt/unetlab/addons/qemu/vios-adventerprisek9-m-15.5
# mv vIOS-L3.qcow2 hda.qcow2
# cd /opt/unetlab/addons/qemu/viosl2-adventerprisek9-m-15.2
# mv vIOS-L2.qcow2 hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install vmx
# mkdir -p /opt/unetlab/addons/qemu/vmx-1.0
scp vMX.ova into /opt/unetlab/addons/qemu/vmx-1.0
# cd /opt/unetlab/addons/qemu/vmx-1.0
# tar xf vMX.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 vMX-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install vsrx
# mkdir -p /opt/unetlab/addons/qemu/vsrx-12.1X46-D10.2-domestic
scp junos-vsrx-12.1X46-D10.2-domestic.ova into /opt/unetlab/addons/qemu/vsrx-12.1X46-D10.2-domestic
# cd /opt/unetlab/addons/qemu/vsrx-12.1X46-D10.2-domestic
# tar xf junos-vsrx-12.1X46-D10.2-domestic.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 junos-vsrx-12.1X46-D10.2-domestic-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install vwlc
# mkdir -p /opt/unetlab/addons/qemu/vwlc-8.1.102.0
scp AIR-CTVM-K9-8-1-102-0.ova and AIR-CTVM-k9-8-1-102-0.iso into /opt/unetlab/addons/qemu/vwlc-8.1.102.0
# cd /opt/unetlab/addons/qemu/vwlc-8.1.102.0
# tar xf AIR-CTVM-K9-8-1-102-0.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 AS_CTVM_8_1_102_0.vmdk hda.qcow2
# mv AIR-CTVM-k9-8-1-102-0.iso cdrom.iso
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to install xrv
# mkdir -p /opt/unetlab/addons/qemu/xrv-k9-5.2.2
scp hda.qcow2 into /opt/unetlab/addons/qemu/xrv-k9-5.2.2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

-to update files, this must be done every time you copy or update a qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
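
Added example (not part of the original notes and not UNetLab code): a shell check for the image folders created by the recipes above. It assumes the folder name must be <type>-<version> with <type> taken from the init.php list, and that a converted disk starts with the qcow2 magic bytes; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not UNetLab code. Assumption: the folder name is
# <type>-<version>, where <type> is a key from the init.php list above.
UNL_TYPES="a10 clearpass timos veos brocadevadx cpsg asa asav csr1000v cips
c1710 c3725 c7200 iol titanium sourcefire vios viosl2 vwlc vwaas coeus xrv
nsvpx extremexos bigip fortinet hpvsr olive vmx vsrx paloalto vyos esxi win"

# check_image_dir DIR: print one line per problem; return 0 if DIR is clean.
check_image_dir() {
    dir=${1%/}
    name=${dir##*/}
    ntype=${name%%-*}
    rc=0
    case "$name" in
        ?*-?*) ;;
        *) echo "$name: expected <type>-<version>"; rc=1 ;;
    esac
    case " $(echo $UNL_TYPES) " in
        *" $ntype "*) ;;
        *) echo "$name: '$ntype' is not a node type from init.php"; rc=1 ;;
    esac
    # First disk is hda.qcow2 or virtioa.qcow2 in every recipe above.
    if [ ! -f "$dir/hda.qcow2" ] && [ ! -f "$dir/virtioa.qcow2" ]; then
        echo "$name: no hda.qcow2 or virtioa.qcow2"; rc=1
    fi
    # A qcow2 file starts with the bytes "QFI" followed by 0xfb; a VMDK that
    # was renamed instead of converted with qemu-img will not.
    for f in "$dir"/*.qcow2; do
        [ -f "$f" ] || continue
        if [ "$(head -c 3 "$f")" != "QFI" ]; then
            echo "$name: ${f##*/} is not qcow2 (renamed, not converted?)"
            rc=1
        fi
    done
    return $rc
}

# check_addons [ROOT]: check every image folder; return 0 only if all pass.
check_addons() {
    root=${1:-/opt/unetlab/addons/qemu}
    bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        check_image_dir "$d" || bad=$((bad + 1))
    done
    echo "$bad folder(s) with problems"
    [ "$bad" -eq 0 ]
}
# Usage: check_addons            (or: check_addons /path/to/addons/qemu)
```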

-Log location
# ls /opt/unetlab/data/Logs/

WINDOWS:
-download and install putty
-download and install UltraVNC from http://www.uvnc.com/downloads/ultravnc.html
-download and extract http://public.routereflector.com/unetlab/Windows%2064bit%20Url%20Integration.zip
copy vnc_wrapper.bat into C:\Program Files\uvnc bvba\UltraVNC
run vnc_win7_64bit.reg

go to http://10.0.20.71 and Sign-in with
L: admin
P: unl

Bypass Firewall

Method 1: external DNS
Test:
-set dns to 4.2.2.1 – 4.2.2.6
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam:
FortiGate:
Juniper SRX:
PaloAlto:
SonicWall:
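
From the defender's side, Method 1 only gets past DNS-based filtering when clients are allowed to reach resolvers other than the sanctioned one. Added example (not from the original post; the log format, addresses and function name are constructed for illustration): list clients whose DNS traffic to an unsanctioned resolver was allowed through.

```sh
#!/bin/sh
# Added example. The log format is constructed for illustration:
#   time  client  destination  proto  dport  action
SAMPLE_LOG='10:00:01 10.0.20.15 10.0.20.2 udp 53 allow
10:00:02 10.0.20.31 4.2.2.1 udp 53 allow
10:00:03 10.0.20.31 4.2.2.2 udp 53 allow
10:00:04 10.0.20.44 4.2.2.6 tcp 53 deny
10:00:05 10.0.20.15 192.0.2.10 tcp 80 allow
10:00:06 10.0.20.31 4.2.2.1 udp 53 allow'

# external_dns_clients "RESOLVER [RESOLVER...]" < log
# Prints "client resolver hits" for every allowed port-53 flow (UDP or TCP)
# whose destination is not one of the sanctioned resolvers. Denied flows are
# skipped because the firewall already stopped them.
external_dns_clients() {
    awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $5 == 53 && $6 == "allow" && !($3 in allowed) { hits[$2 " " $3]++ }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Example run against the constructed log, with 10.0.20.2 as the only
# sanctioned resolver:
#   printf '%s\n' "$SAMPLE_LOG" | external_dns_clients "10.0.20.2"
```

Any client listed here resolved names outside the filter; the fix is an egress rule that permits port 53 only to the sanctioned resolvers.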

Method 2: Opera Turbo
Test:
-open Opera and tick File/Opera Turbo menu
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam:
FortiGate: No filter for this app
Juniper SRX:
PaloAlto: FAILED
SonicWall:

Method 3: FireFox or Chrome Zenmate Extension
Test:
-open Chrome or FireFox and enable Zenmate extension
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam:
FortiGate:
Juniper SRX:
PaloAlto:
SonicWall:

Method 4: Block Torrent
Test:
a. utorrent
-download and install utorrent from http://www.utorrent.com
-download and open torrent magnet from kickass.to
-test whether utorrent can download

b. tor browser
-download and install tor browser from https://www.torproject.org/projects/torbrowser.html.en
-launch Tor browser and go to http://www.playboy.com

c. Tor Network
Test:
-launch Tor browser but leave it running
-open Chrome
-open Chrome Settings/Show advanced settings
-click Change proxy settings
-click LAN settings
-click Advanced
Socks: 127.0.0.1 Port 9150
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam:
FortiGate:
Juniper SRX:
PaloAlto:
SonicWall:

Method 5: Open Proxy
Test:
-search for an open proxy that uses port 80 at http://proxylist.hidemyass.com/
-set Chrome to use the open proxy, for example 107.167.21.243 port 80
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam:
FortiGate: FAILED
Juniper SRX:
PaloAlto:
SonicWall:

Method 6: Soft-Ether
Test:
-download, install and run Soft-Ether from http://www.vpngate.net/en/
-connect to VPN Relay Server using UDP
-set dns to 4.2.2.2
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam: No filter for this app
FortiGate: SUCCESS with custom app signature
Juniper SRX:
PaloAlto:
SonicWall:

Method 7:  Psiphon
Test:
-download and install Psiphon from https://s3.amazonaws.com/0ubz-2q11-gi9y/en/download.html
-run and choose SSH+
-test whether can access http://www.playboy.com

Result:
BlueCoat:
CheckPoint:
Cisco ASA:
Cyberoam:
FortiGate:
Juniper SRX:
PaloAlto: FAILED
SonicWall:

If anyone succeeds in blocking the above tests, please email me your rule, because either I don't have the device, or I have the device but don't have the license, or my filter is wrong.

Enabling https in Citrix License Server

VPX:

-allow ssh port and ping in iptables
# echo "-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT" >> /etc/sysconfig/iptables
# echo "-A INPUT -i eth0 -p icmp -j ACCEPT" >> /etc/sysconfig/iptables
# service iptables restart
-to add a license, put the file directly into /opt/citrix/licensing/myfiles
make sure the hostname in the XenDesktop license matches the license server hostname

-to change https port
# vi /opt/citrix/licensing/LS/conf/server.xml
search for securePort
change it to 10443 because iptables allows port 10443

-to access the web console: http://ip:8082 or https://ip:10443
-to check iptables
-to check service list
# chkconfig --list

-to restart a service
# service citrixlicensing restart

-to login using https://ipaddress:10443
L: admin P:

Windows:

SOURCE: http://support.citrix.com/article/CTX140698
-On the License Administration Console go to Administration > Server Configuration > Secure Web Server Configuration. Select Enable HTTPS.
-To enable HTTP to HTTPS redirection, select Redirect non-secure web access to secure web access, click Save, and restart the license server. HTTP traffic is then redirected to HTTPS.

-enable FW config
>netsh advfirewall firewall delete rule name="Temporary Block for Licensing Admin PowerShell" dir=out protocol=TCP remoteip=<IP of License Server> remoteport=8083
>netsh advfirewall firewall delete rule name="Temporary Block Web Services For Licensing" dir=out protocol=TCP program="c:\Program Files (x86)\Citrix\Licensing\UsageCollector\ctxurt.exe" remoteport=443

IPSec VPN Cyberoam to SonicWall

SOURCE: https://support.software.dell.com/kb/sw5857
a. in both PCs' firewalls, enable ICMP
click Start and Search cmd
right click CMD and choose Run as Administrator
>netsh advfirewall firewall add rule name="All ICMP v4" protocol=icmpv4:any,any dir=in action=allow

CYBEROAM1
-configure Network/Interface IP
-create a Network/Address Objects
On Address Objects, click Add

-configure Firewall rules

-configure VPN

SONICWALL2
-configure Network/Interface IP

-create a Network/Address Objects
On Address Objects, click Add

-configure VPN
 click Add

Back to Cyberoam1
click Active and click Connection

Now you can try ping from PC1 to PC2

IPSec VPN SonicWall to SonicWall

SOURCE: https://support.software.dell.com/kb/sw5857
https://support.software.dell.com/kb/sw7565
a. in both PCs' firewalls, enable ICMP
click Start and Search cmd
right click CMD and choose Run as Administrator
>netsh advfirewall firewall add rule name="All ICMP v4" protocol=icmpv4:any,any dir=in action=allow

SONICWALL1
-configure Network/Interface IP

-create a Network/Address Objects
On Address Objects, click Add
-configure VPN
click Add

SONICWALL2
-configure Network/Interface IP

-create a Network/Address Objects
On Address Objects, click Add
-configure VPN
click Add
Now you can try ping from PC1 to PC2