Friday, December 16, 2011

Cisco ASA Migrating from 8.2 to 8.4

Greetings Networkers and other readers,

Just got an ASA 5510 in to configure for a client... it shipped with the latest 8.2 release, not the 8.4 release. After learning 8.4 by necessity back in April for another client, I was amused more than surprised. Those of you who have grappled with 8.4 or 8.3 likely know what I mean.

The question really is to upgrade or not to upgrade? If Cisco plans on being done with the nat 0 and nat 1 commands of the 8.2 realm, then now is the best time to upgrade. There won't be a better one, really.

So after applying a small bit of config to this new ASA, IP Addresses, nameifs, gateway, dhcpd pool, logging, commands to make ssh work, and the like, I decided to upgrade.

But I also wanted to see what 8.4 would do to my nat 1 and global statements ... so I threw these in for fun:
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0

Wish I'd thrown in a few ACLs, too ...

Nevertheless ... downloaded asa842-k8.bin
Made sure there was room for both images
Backed up the current 8.2(5) image to tftp; backed up the running config to tftp
Uploaded 8.4(2) to disk0: (aka flash:)
Entered this config:
boot system disk0:/asa842-k8.bin
wr mem
reload

Here was the output (minimized):

...
Loading disk0:/asa842-k8.bin... Booting...
Platform ASA5510
...
This platform has an ASA 5510 Security Plus license.
Cisco Adaptive Security Appliance Software Version 8.4(2)
...
(all good so far)
...
Reading from flash...
!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_5_0_startup_cfg.sav'
*** Output from config line 5, "ASA Version 8.2(5) "
...
Cryptochecksum (unchanged): f02d75cc f9c78de4 a3c860ee f04eca61
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration
The flash device is in use by another task.
Type help or '?' for a list of available commands.
fw01>
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201112161542.log'
DHCP Client: can't enable DHCP Client when DHCP Server/Relay is running on the interface.
DHCP: Interface 'management' is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature
(this last message repeated itself 7 times)


This is what happened to the nat 1 command:

object network obj_any
subnet 0.0.0.0 0.0.0.0

! --- and ----
object network obj_any
nat (Inside,Outside) dynamic interface

Not sure about the complaint about DHCP on the management interface; the config looks the same as it did before the upgrade.

Checked the error log, but it says the same thing as the above.

Monday, September 12, 2011

Comparing two MS Office Word 2007 documents

Today I discovered the most useful feature of Microsoft Office Word 2007: Compare!

When tasked with the challenge of comparing two versions of a lengthy legal document, to determine what changed, I thought for sure I was doomed to read side by side print outs (or on screen displays), or install some tool that would require converting to ascii (and then I could use 'diff', for Unix's sake!).

But Microsoft bless, I found one reason to really like Microsoft today, and that feature is called Compare.

Enough blithering, here's how it works:
Open MS Word
Choose Review > Compare
Compare two versions of a single document (legal blackline)
Select the original and revised documents.

And, as if by Microsoft Magic, you'll have a list of changes between the documents.


Tuesday, September 06, 2011

Protocol & network speed

Greetings, Internet audience.

Out of idle curiosity, and prompted by a plaguing question from a client about why he wasn't getting the throughput he expected on super-sweet gigabit Catalyst 4948 switches (he expected ~600Mbps throughput and got about 130Mbps), I ran a little test.

I suspected two things:

1) bandwidth limitations on the servers, meaning that a 1Gbps NIC doesn't get 1Gbps speeds on the internal BUS, and thus, won't get near 1Gbps wire speed.
2) protocol. We were testing speed using scp, and I suspected encryption was reducing the speed.

Since #2 is a bit easier for me to prove, I staged a test on my home office network, at a time I was the only one on the network.

My plan:
copy a 706330624 byte file locally, using three protocols:
scp (tcp/22), tftp (udp/69), and ftp (tcp/21)
My home network consists of inexpensive 10/100Mbps Netgear switches, the kind you can buy at Fry's for $30, or could a few years back; you get the point.

Note the results are in Mega "bits" per second, not Mega "bytes" per second. For MBPS, divide by 1024, or check out this handy calculator-page:
http://www.matisse.net/bitcalc/

Results:
Protocol Mbps
scp ~20Mbps
tftp ~6Mbps
ftp ~89Mbps

As you may have already figured out, the cost of encryption on network speed is pretty high, and if you are hearing complaints about your network speed, make sure to test with FTP for the lower-protocol-overhead results. My swag as to why tftp is so slow is UDP retries, but this is slower than I expected. If anyone has an opinion to add, comment away.
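To put numbers like the ones above on a common footing, here is an added example (mine, not part of the original post) that converts between megabits and megabytes, works out how long the post's 706330624-byte file takes at each measured rate, and runs a small loopback TCP benchmark so you can see what the host alone manages before blaming the switches or the protocol. Speeds are decimal megabits (10^6 bits per second), and a byte is 8 bits; the 16 MiB default payload and the per-protocol figures are taken from the post's approximate results.

```python
import socket
import threading
import time

FILE_SIZE = 706330624  # bytes: the test file from the post
POST_RESULTS_MBPS = {"scp": 20, "tftp": 6, "ftp": 89}  # approximate figures from the post


def throughput_mbps(nbytes, seconds):
    """Megabits per second: bytes * 8 bits, divided by time, in units of 10^6."""
    return nbytes * 8 / seconds / 1e6


def mbps_to_mbytes_per_s(mbps):
    """Megabytes per second from megabits per second (8 bits per byte)."""
    return mbps / 8


def expected_seconds(nbytes, mbps):
    """Wall-clock seconds a transfer of nbytes takes at a sustained rate of mbps."""
    return nbytes * 8 / (mbps * 1e6)


def loopback_throughput(nbytes=16 * 1024 * 1024, chunk=64 * 1024):
    """Push nbytes through a TCP socket on 127.0.0.1 and return (Mbps, bytes_received).

    This isolates the host's own copy/syscall cost from cabling and switching;
    a tool like iperf does the same thing across the wire."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    received = [0]

    def sink():
        conn, _ = server.accept()
        with conn:
            while True:
                data = conn.recv(chunk)
                if not data:
                    break
                received[0] += len(data)

    worker = threading.Thread(target=sink)
    worker.start()
    payload = b"\x00" * chunk
    start = time.perf_counter()
    with socket.create_connection(("127.0.0.1", port)) as client:
        sent = 0
        while sent < nbytes:
            n = min(chunk, nbytes - sent)
            client.sendall(payload[:n])
            sent += n
    worker.join()  # the sink exits once the client side has closed
    elapsed = time.perf_counter() - start
    server.close()
    return throughput_mbps(received[0], elapsed), received[0]


if __name__ == "__main__":
    for proto, mbps in POST_RESULTS_MBPS.items():
        print(f"{proto:5s} {mbps:3d} Mbps = {mbps_to_mbytes_per_s(mbps):6.3f} MB/s, "
              f"{expected_seconds(FILE_SIZE, mbps):7.1f} s for the test file")
    mbps, n = loopback_throughput()
    print(f"loopback: {n} bytes at {mbps:.0f} Mbps")
```

Run the loopback figure first: if it is not well above the wire rate you expect, the bottleneck is the host (bus, NIC driver, CPU spent in the cipher), not the network, which is exactly the split between suspicions #1 and #2 above.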

Thursday, June 30, 2011

DSAdd, my new best friend

When faced with the need to create 50 new users in a brand spanking new Windows 2008 R2 Active Directory Domain, our heroine did what most hero(ines) would do ... search for a command line tool to help her out.

So I searched, and first found "ldifde" which was, essentially a giant pain in the petunia, to quote a Disney fairy.

Then I found DSADD! Oh how I love you DSADD! For those script minded folks, you can do cool things with VB scripts and excel imports using dsadd, but I was happy to copy and paste.

Here's a string that worked, btw, with identifying names and domains changed to protect the innocent and private.

dsadd user "cn=Julie Smith,ou=ABUsers,dc=mydomain,dc=local" -fn Julie -ln Smith -display "Julie Smith" -disabled no -pwd Something123 -mustchpwd yes -tel 212.555.1111 -samid ud -email julie@mydomain.com -upn julie@mydomain.local

One gotcha that got me good. I had the users in an Excel table, to which I added columns and text to create the format above, then copied and pasted into Word to search out extra tabs, spaces and the like. Word got all smarty-pants on me and switched out the plain-text double quote (") for smarty-pants quotes that wrapped around. DSAdd complained and whined about these and refused to play nice.

dsadd failed: ... :A referral was returned from the server.
This also happens if you're trying to add a user to a OU or DC that doesn't exist, btw.

p.s. with love from Microsoft
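Since the smart-quote gotcha above is exactly the kind of thing a script avoids, here is an added example (mine, not from the post) that builds dsadd lines straight from a CSV export and scans pasted text for typographic quotes before anything reaches the domain controller. The CSV columns, the samid values and the OU are constructed for the example; the switches are the ones used in the post, except that `-pwd *`, a real dsadd option that prompts for the password, replaces the literal password so no credential sits in a command history. Comma-containing names are escaped per the LDAP DN rules.

```python
import csv
import io
import re

# Typographic ("smart") quotes that Word substitutes for the plain ASCII quote.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample of the spreadsheet export described in the post.
SAMPLE_CSV = """first,last,samid,telephone,email_domain,upn_domain
Julie,Smith,jsmith,212.555.1111,mydomain.com,mydomain.local
Bob,O'Neil,boneil,212.555.2222,mydomain.com,mydomain.local
"""

OU_DN = "ou=ABUsers,dc=mydomain,dc=local"  # hypothetical OU, as in the post


def ldap_escape(value):
    """Escape characters that are special in an RDN attribute value (RFC 4514)."""
    escaped = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dsadd(row, ou_dn=OU_DN):
    """Return one dsadd command line for a CSV row, mirroring the post's switches.
    The password is not placed on the command line; dsadd's -pwd * prompts for it."""
    display = f"{row['first']} {row['last']}"
    dn = f"cn={ldap_escape(display)},{ou_dn}"
    return (
        f'dsadd user "{dn}" -fn "{row["first"]}" -ln "{row["last"]}" '
        f'-display "{display}" -disabled no -pwd * -mustchpwd yes '
        f'-tel {row["telephone"]} -samid {row["samid"]} '
        f'-email {row["samid"]}@{row["email_domain"]} '
        f'-upn {row["samid"]}@{row["upn_domain"]}'
    )


def find_smart_quotes(text):
    """Return (line, column) of every typographic quote in text, 1-based."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                hits.append((lineno, col))
    return hits


def generate(csv_text):
    """Turn a CSV export into a list of dsadd command lines."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [build_dsadd(r) for r in rows]


if __name__ == "__main__":
    for cmd in generate(SAMPLE_CSV):
        print(cmd)
    # Constructed example of a line that went through Word's quote substitution.
    pasted = 'dsadd user \u201ccn=Julie Smith,ou=ABUsers,dc=mydomain,dc=local\u201d -fn Julie'
    print(find_smart_quotes(pasted))  # [(1, 12), (1, 59)]
```

Run `find_smart_quotes` over the whole batch file before executing it; the referral error quoted above is the same one you get for a non-existent OU, so ruling out the quote problem first saves a detour.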

Saturday, June 18, 2011

Cisco ASA IOS 8.4 and the art of a native Windows 7 L2TP/IPSec VPN

It was a day full of IP wrangling, the day I got this to work. A sine curve kind of day full of frustrations and eventually joy. Perhaps this will save someone else a bit of agony ...

Here's a config that works on ASA software version 8.4(1) with the mind twisting new NAT syntax. The config is for IPSec clients which are Linux (using vpnc - tip of the keyboard to AI for that info), Mac OSX, and Cisco VPN Client, and also for L2TP/IPSec. Confirmed working on Windows 7, Vista, and XP Pro.

Identifying info like IP addresses, valid domain names, and the like have been scrubbed to create anonymity.

Caveat emptor: when using ASDM rather than the command line, it has a way of mucking with VPN tunnel configurations. Consider yourself warned!

Configuration required for IPSec VPN, used by Cisco VPN Client and Mac OSX, iPad, and iPhone colored orange.
Configuration required for L2TP/IPSec VPN, used by Windows XP, Vista, and 7 native clients, colored aqua.
Configuration required by both IPSec and L2TP/IPSec is in white.

interface Ethernet0/2
nameif Outside-ISP1
security-level 0
ip address X.X.15.2 255.255.255.248
!
interface Ethernet0/3
nameif Outside-ISP2
security-level 0
ip address Y.Y.18.86 255.255.255.248

object network NAT_VPN
subnet 10.1.1.0 255.255.255.0

access-list VPN_ROUTES standard permit 10.1.0.0 255.255.0.0
access-list VPN_ROUTES standard permit 10.2.0.0 255.255.0.0
access-list VPN_ROUTES standard permit 10.4.0.0 255.255.0.0


! separate pools are not needed, but it's easier to identify, you can definitely create only one
ip local pool VPN_POOL 10.1.1.11-10.1.1.40 mask 255.255.255.0
ip local pool L2TP_POOL 10.1.1.41-10.1.1.150 mask 255.255.255.0

! this next line is needed because the Windows client doesn't obey the split tunneling nicely, if you have multiple inside subnets, but this does mean if the VPN is connected, all traffic will go through the ASA and back out.

nat (Outside-ISP1,Outside-ISP1) source dynamic NAT_VPN interface

nat (Inside,Outside-ISP1) source static CORP_SUBNETS CORP_SUBNETS destination static NAT_VPN NAT_VPN
nat (Inside-Eng,Outside-ISP1) source static ENG_SUBNETS ENG_SUBNETS destination static NAT_VPN NAT_VPN

nat (Inside,Outside-ISP2) source static CORP_SUBNETS CORP_SUBNETS destination static NAT_VPN NAT_VPN
nat (Inside-Eng,Outside-ISP2) source static ENG_SUBNETS ENG_SUBNETS destination static NAT_VPN NAT_VPN

crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! For IPsec only, do NOT specify "mode transport"
crypto dynamic-map DynMap 1 set ikev1 transform-set ESP-3DES-SHA_trans ESP-3DES-SHA
crypto map MapVPN 100 ipsec-isakmp dynamic DynMap
crypto map MapVPN interface Outside-ISP1
crypto map MapVPN interface Outside-ISP2
crypto isakmp nat-traversal 60
crypto ikev1 enable Outside-ISP1
crypto ikev1 enable Outside-ISP2

! can probably delete policy 10 or 65535, test and report back

crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy VPNPolicy internal
group-policy VPNPolicy attributes
dns-server value 10.2.1.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ROUTES
default-domain value nonamedomain.com
group-policy VPNPolicyIpsec internal
group-policy VPNPolicyIpsec attributes
dns-server value 10.2.1.32 Public_DNS_Server_IP
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ROUTES
default-domain value nonamedomain.com

! when creating new users, specify the encryption type as mschap, not as nt-encrypted so that when the account is created, the password will be converted to unicode and hashed in MD4.

username user1 password **** nt-encrypted
username user2 password **** nt-encrypted


! L2TP for Windows uses the DefaultRAGroup, it won't use a specific tunnel group

tunnel-group DefaultRAGroup general-attributes
address-pool L2TP_POOL
authorization-server-group LOCAL
default-group-policy VPNPolicy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key ****
isakmp keepalive threshold 40 retry 5
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group VPNGroupIpsec type remote-access
tunnel-group VPNGroupIpsec general-attributes
address-pool VPN_POOL
default-group-policy VPNPolicyIpsec
tunnel-group VPNGroupIpsec ipsec-attributes
ikev1 pre-shared-key ****
isakmp keepalive threshold 40 retry 5

If you want specifics on the client side setup, let me know.
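On the "can probably delete policy 10 or 65535" note above: which policies are redundant can be checked mechanically. The following is an added example (mine, not part of the post or Cisco's tooling) that parses the `crypto ikev1 policy` blocks, groups policies whose settings are identical, and flags settings that a reviewer would question today. The sample input is the four policies from the config above; the list of what counts as weak is this script's own choice, not a Cisco default.

```python
import re
from collections import defaultdict

# Constructed sample: the four IKEv1 policies from the post's configuration.
SAMPLE_CONFIG = """
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

# Settings this script flags for review; the thresholds are this example's choice.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2"},
}


def parse_ikev1_policies(text):
    """Map policy number -> dict of its settings, in configuration order."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        if key in POLICY_KEYS:
            policies[current][key] = value
    return policies


def find_duplicate_policies(policies):
    """Group policy numbers whose settings are identical.

    The responder compares a peer's proposal against its policies in priority
    order and stops at the first match, so only the lowest-numbered policy in
    each group can ever be selected; the rest are dead configuration."""
    groups = defaultdict(list)
    for num, settings in policies.items():
        groups[tuple(sorted(settings.items()))].append(num)
    return [sorted(nums) for nums in groups.values() if len(nums) > 1]


def find_weak_settings(policies):
    """Return (policy number, key, value) for every setting listed in WEAK."""
    findings = []
    for num, settings in sorted(policies.items()):
        for key, bad in WEAK.items():
            if settings.get(key) in bad:
                findings.append((num, key, settings[key]))
    return findings


if __name__ == "__main__":
    pols = parse_ikev1_policies(SAMPLE_CONFIG)
    print("duplicates:", find_duplicate_policies(pols))  # [[10, 65535]]
    for finding in find_weak_settings(pols):
        print("review:", finding)
```

Against the config above it reports policies 10 and 65535 as identical, which is why one of them never gets used; feed it `show running-config crypto ikev1` output from a live box the same way.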

Thursday, February 24, 2011

Fun at home with VMWare ESXi, CentOS netinstall, and Windows Server 2008 R2

At long last, I am building that home VMWare ESXi host, to be the home for a few OSes, including CentOS 5 and Windows Server 2008 R2, as my personal server playgrounds.

Here are a few tips and tricks I learned along the way, that you may find useful, if you ever do this at home (try it at home, kids, it's fun and safe!).

So. The environment:

Dell PowerEdge 830 tower server which has:
4GB memory (would love to upgrade, but not willing to pay the $$)
CERC SATA RAID controller
3 x 250GB disks, RAID5 configuration

First, VMWare ESXi. I wasn't willing to install a Windows OS first and then VMWare Server, so I was on a mission to figure out which ESXi version (as ESX is nowhere to be found anymore) would work on my four year old server. It wasn't going to be 4.1 (the free version is now called VMWare vSphere Hypervisor 4.1), because the HCLs say no way Jose to my 4 year old box, so I needed version 3.5, open source.

So I searched, and searched, and found a link at long last to ...
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_hypervisor_esxi/3_5

File: VMware-VMvisor-InstallerCD-3.5.0_Update_5-207095.i386.iso

Register, by the way, and you get a free license. Don't register, and VMWare will commit suicide in 60 days.

Burn that puppy to a CD, and boot from it. Installed like a charm, like a champ, configure your datastore as you will, I made all available space the datastore.

Once you get that license, add it ...
In the Virtual Infrastructure Client, select the server, click on the Configuration Tab, select "Licensed Features" and add the serial number.

I downloaded CentOS-5.5-i386-netinstall.iso so I would not have to download 5 ginormous CentOS install ISOs. LOVE netinstall!

Then I created a folder under the main datastore on the ESX host, ahem, ESXi host, so I could mount the ISO like a CD for the new VM.

On the ESX host, Configuration tab > Storage option > right click on the Datastore > Browse datastore.

Create a new folder, I called mine Distros. Open folder, click the Upload icon, and you can upload the CentOS ISO to that directory.

Then ... the fun part!

Create a new VM for CentOS, name it as you will.
In the Settings, for the CD/DVD drive, select Datastore ISO file, and browse to the ISO.

Here's the one tricky part, figuring out the server and path to the rest of the images needed by the CentOS netinstall. After browsing the many CentOS mirrors, this is what worked, which was not the path where I downloaded the netinstall ISO. Go figure.

At the root URL for the mirror, browse to some path that could look like this:

http://hostname/5.5/os/i386/

make sure that the path you specify has an /images subdirectory. That's the ticket!

Good luck here. There are misleading errors, including CentOS returning extra //'s in the path, that could just drive you crazy. Just look for the /images subdir, and specify the parent path.

Then ... onto Windows Server 2008 R2 install, which is, of course, 64-bit. First attempt at install gave me this lovely error ...


For search purposes, here is the main clue:
Attempting to load a 64-bit application, however this CPU is not compatible with 64-bit mode.

Say what?!

As I soon figured out, with a tip of the hat to google, there is a BIOS setting, disabled by default, that resolves this error in a jiffy.

Here's how I did it on my server:

F2 at boot, get into bios settings
CPU info
Virtualization technology > disabled by Default, change to Enabled

Reboot, and guess what? Problem solved! Windows Server 2008 R2 installed happily and easily, once I copied the ISO to the datastore as I did for CentOS. No small lovely netinstall though, MS you might want to get with the program.