Homelab for grown-ups

I have just finished rebuilding my home lab, and it took a few weeks to get certain things working. Hypervisors and pfSense are the core parts of the system, but I also wanted to try legacy or retired gadgets such as a Cisco ASA or an HP DL3 series server. Using cloud services such as AWS, Azure or DigitalOcean could make our lives easier, but on-premise systems are still important for understanding what is going on there.

I feel that installing pfSense is at least 5 times easier than installing a Cisco ASA. We can get a connection working with just a few mouse clicks; however, that does not teach us how packets flow or how different machines are connected to each other under the hood. There was a lot of trial and error, as always. From wiping the firmware images on that bare-metal firewall to completing the ACLs, the process was a lot of fun anyway.

The networks are divided into different VLANs and totally isolated from each other to prevent security holes. Maybe I could do malware analysis in this environment. Metasploitable 2 and DVWA/WebGoat will be used for penetration practice, and any packets between the attack and target machines are monitored.

Regarding the hypervisors, both have pros and cons. Windows Hyper-V is easy to use and has a nice-looking graphical interface. On top of that, we can use the Hyper-V bare-metal machine as a monitoring server as well. But it requires a lot of computing resources. ESXi is a very solid hypervisor and needs few resources. Although I reinstalled it because of its speed, it was working okay on a 32GB SD card. I am still not sure which one is better, so I am using the two hypervisors simultaneously.

My total budget for this lab was under $400 CAD, thanks to the retired but still healthy generals.

Converting VMs to Hyper-V

Hyper-V provides a specific PowerShell tool for converting other VMs to Hyper-V disks (*.vhd, *.vhdx), but converting images generally produces errors depending on the environment. After some trial and error, I found that those errors can be categorized.

VMware to Hyper-V (*.vmdk to *.vhdx)

Download the Microsoft Virtual Machine Converter 3.0 tools (MVMC) from Microsoft.
In PowerShell, import the module from MVMC, then convert the disk:

PS C:\Users\Administrator>Import-Module 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1'
PS C:\Users\Administrator>ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath d:\scratch\vmx\VM-disk1.vmdk -VhdType DynamicHardDisk -VhdFormat vhdx -destination c:\vm-disk1

VirtualBox to Hyper-V (*.ova to *.vhdx)

OVA files are simply tar archive files containing the OVF directory. After renaming the *.ova file to *.tar, we can extract the .vmdk file from the *.tar.

The next step is the same as for a .vmdk.
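An added example, not part of the original post: because an OVA is a plain tar archive, Python's tarfile module can pull the .vmdk out directly without renaming anything. It goes one step further than the text by refusing member names that carry a path and by checking each disk against the SHA digest in the OVA's .mf manifest when one is present. The function names and the sample archive are constructed for illustration.

```python
import hashlib, io, os, re, tarfile

# Manifest lines look like: SHA256(vm-disk1.vmdk)= <hex digest>
MF_LINE = re.compile(r"^(SHA1|SHA256)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")

def extract_vmdks(ova_path, dest_dir):
    """Extract only the .vmdk members of an OVA into dest_dir.

    Returns {name: True/False} for disks checked against the manifest,
    or {name: None} when the manifest does not list the disk.
    """
    results, digests = {}, {}
    with tarfile.open(ova_path, "r:") as tar:      # "r:" = uncompressed tar
        members = [m for m in tar.getmembers() if m.isfile()]
        for m in members:
            if m.name.lower().endswith(".mf"):
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    hit = MF_LINE.match(line.strip())
                    if hit:
                        digests[hit.group(2)] = (hit.group(1).lower(),
                                                 hit.group(3).lower())
        for m in members:
            if not m.name.lower().endswith(".vmdk"):
                continue
            if os.path.basename(m.name) != m.name:  # no directories, no ../
                raise ValueError(f"refusing member with a path: {m.name!r}")
            h = hashlib.new(digests[m.name][0]) if m.name in digests else None
            src = tar.extractfile(m)
            with open(os.path.join(dest_dir, m.name), "wb") as out:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    out.write(chunk)
                    if h:
                        h.update(chunk)
            results[m.name] = (h.hexdigest() == digests[m.name][1]) if h else None
    return results

def build_sample_ova(path, disk=b"constructed disk bytes", tamper=False):
    """Constructed sample: a tiny OVA holding an .ovf, an .mf and a .vmdk."""
    digest = hashlib.sha256(disk).hexdigest()
    files = [("vm.ovf", b"<Envelope/>"),
             ("vm.mf", f"SHA256(vm-disk1.vmdk)= {digest}\n".encode()),
             ("vm-disk1.vmdk", disk + (b"!" if tamper else b""))]
    with tarfile.open(path, "w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

A False result means the disk does not match its manifest entry, so the download or copy should be repeated before converting it.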

Dealing with errors

Common errors start with “The entry… is not a supported disk database entry for the descriptor”

The dsfok tools help with modifying the descriptor. They extract the descriptor from the vmdk file and can then put it back. First take the descriptor from the image file with dsfo.exe, then inject it back with dsfi.exe.

dsfo.exe "d:\folder\file.vmdk" 512 1024 descriptorname.txt
dsfi.exe "d:\folder\file.vmdk" 512 1024 descriptorname.txt

Just comment out the line that generates the error.

ddb.toolsInstallType = "2" --> #ddb.toolsInstallType = "2"
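An added example, not part of the original post and not the dsfok tools' own code: the same extract, edit and re-inject round trip done in Python on the 1024-byte window at offset 512 that the commands above use. It shows the detail that matters when writing back: the window length must not change, so the extra '#' is absorbed by the NUL padding. Function names and the sample file are constructed for illustration.

```python
import re

OFFSET, LENGTH = 512, 1024  # the window used by the dsfo/dsfi commands above

def comment_out_ddb(vmdk_path, key, offset=OFFSET, length=LENGTH):
    """Comment out every `key = ...` descriptor line in place; return the count."""
    with open(vmdk_path, "r+b") as f:
        f.seek(offset)
        window = f.read(length)
        if len(window) != length:
            raise ValueError("file is shorter than the descriptor window")
        text = window.rstrip(b"\x00")          # descriptor text without NUL padding
        if len(text) == length:
            raise ValueError("no padding: descriptor is longer than the window")
        if b"\x00" in text:
            raise ValueError("NUL inside the text: wrong offset for this image?")
        # Zero-width match at the start of a line that begins with the key,
        # so a line that is already commented out is left alone.
        pattern = re.compile(rb"^(?=" + re.escape(key.encode()) + rb"\s*=)", re.M)
        patched, count = pattern.subn(b"#", text)
        if count == 0:
            return 0
        if len(patched) > length:
            raise ValueError("not enough padding left for the edit")
        f.seek(offset)
        f.write(patched.ljust(length, b"\x00"))  # same length as what was read
    return count

def build_sample_vmdk(path):
    """Constructed sample: fake 512-byte header, descriptor, padding, data."""
    descriptor = (b'# Disk DescriptorFile\nversion=1\n'
                  b'createType="monolithicSparse"\n\n# The Disk Data Base\n'
                  b'ddb.virtualHWVersion = "8"\n'
                  b'ddb.toolsInstallType = "2"\n'
                  b'ddb.adapterType = "lsilogic"\n')
    with open(path, "wb") as f:
        f.write(b"KDMV".ljust(512, b"\x00"))
        f.write(descriptor.ljust(1024, b"\x00"))
        f.write(b"\xaa" * 64)                    # stands in for disk data

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.vmdk")
    build_sample_vmdk(sample)
    print(comment_out_ddb(sample, "ddb.toolsInstallType"))
```

Run it against a copy of the image, since the edit is made in place.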

References

https://live.osgeo.org/de/quickstart/hyperv_quickstart.html
https://blogs.msdn.microsoft.com/timomta/2015/06/11/how-to-convert-a-vmware-vmdk-to-hyper-v-vhd/
https://stackoverflow.com/questions/37481737/error-when-converting-vmware-virtual-disk-to-hyperv

CISCO ASA

Image retrieved from cisco.com

Open source or commercial product? I believe each has its pros and cons. pfSense works perfectly as a centralized firewall that includes almost everything, but it needs more computing power when it deals with massive network traffic. The Cisco ASA series is robust and fast, but expensive. So mid-range companies or organizations might prefer to use pfSense, while big companies seem to use legacy bare-bone firewalls. Anyway, it would be better for us to use both kinds of firewall and compare their functions.

Factory reset

Boot up, then press the Esc key a few times
rommon #0>confreg
select no
rommon #1>confreg 0x41
rommon #2>boot
ciscoasa>
ciscoasa>enable
blank password
ciscoasa#write erase
ciscoasa#configure terminal
ciscoasa(config)# config-register 0x01
ciscoasa(config)# exit
ciscoasa#show version
ciscoasa#write
ciscoasa#reload
login with blank password
ciscoasa(config)#configure factory-default

Setting up ASDM

#enable password mypassword
#show disk0: (to check asdm bin)
ciscoasa(config)#asdm image disk0:/asdm-xxx.bin
ciscoasa(config)#username sysadmin password mypassword privilege 15
ciscoasa(config)#aaa authentication http console LOCAL
ciscoasa(config)#http server enable 443

We should also install the JRE, since ASDM runs on Java.
Then add the JRE path to the system environment variables.

Then we can start the initial configuration of the physical Ethernet ports. These might be wan, management, dmz1 or dmz2 depending on their purpose, but I would say we need to check the console and the GUI together to make sure that the configurations are well synchronized. We can add Cisco routers or switches to expand or isolate traffic.

snapshot

I should have followed the wise saying: “There are two types of people. Those who backup and those who have yet to lose everything to a system crash.”

I wrote down some takeaways from my current learning practices in this tidy little space. The website had been running on an ESXi VM for a few months without issue; however, an error occurred while migrating and installing the hypervisors. I thought I had made a full disk backup, but I did not notice that the file contained some errors. So now I am in the middle of recovering my previous records.

Anyways, it’s time to move one step further.