Tuesday, September 29, 2009

Cisco PIX PPPoE Client

This is the proper recipe for connecting a PIX to an ISP that requires PPPoE authentication. The PIX acts as the PPPoE client on its outside interface and installs the default route it learns from the ISP:

ip address outside pppoe setroute
vpdn group ISP request dialout pppoe
vpdn group ISP localname dsl-username
vpdn group ISP ppp authentication pap
vpdn username dsl-username password dsl-password

You must be running PIX software version 6.2 or later for the PPPoE client to be available (the PIX runs its own OS, not IOS).

Tuesday, September 22, 2009

Connect a USR modem to your Cisco Console and AUX port

This recipe has been tested to work on the Cisco PIX firewall.  Modem was a USR 56k v.92 model 5686 modem.  Plugged directly into the modem is a Cisco RJ45 to 25-pin serial adapter.  This adapter is marked CAB-5MODEM on one side, 29-0881-01 on the other.  A blue RJ45-RJ45 console cable was used between the adapter and the console port.

For security purposes, make sure that the console port requires a password or username/password and that the console timeout is set to something other than the default of 0 (no timeout). Otherwise, if you log in over the modem and drop the line without logging out, the session stays open and the next person who dials in lands in your authenticated session without authenticating.

I have not verified the instructions for connecting a modem to the AUX port; they apply to an IOS router, not the PIX.

USR modem on console port

1) Set dip switches to 3,8 down, all others up
2) Connect modem to PC
3) Run HyperTerminal and connect to the modem at 9600 baud
4) Send init string: at&fs0=1&c1&h0&d2&r2&b1&m4&k0&n6&w
5) Set dip switches to 1,4,8 down, all others up
6) Connect modem to console port with appropriate cable

USR modem on Router AUX port

1) Set dip switches 3 and 8 down, all others up.
2) Connect modem to aux port using a rolled (console) cable and the Cisco "modem" adapter.
3) Paste the following at an enable (#) prompt:

config t
modemcap edit usrmodem misc &FS0=1&C1&D3&H1&R2&B1
line aux 0
modem inout
transport input all
flowcontrol hardware
modem autoconfigure type usrmodem
autoselect ppp
autoselect during-login

NOTE: You might get errors on the "autoselect" lines.
4) Dial into modem. You should get a router prompt.

Troubleshooting

1) Type "show line" a couple of times and check whether the speed of the aux line stays consistent. If it changes, the line is not autoconfiguring properly, which means you do not have physical connectivity to the modem. Power-cycle the modem, check the cables, and then do "clear line aux 0".
2) If you get garbage when you dial in, your init string is bad and you may need a different modemcap. Try this one:
modemcap edit usrmodem misc &F1S0=1
3) If you get nothing (not even garbage) when you dial in, reload the router.
4) If the modem does not answer when connected to the router, but does answer when not connected, try this modemcap:
modemcap edit usrmodem misc &FS0=1&C1&D3&H1&B1

Monday, September 21, 2009

Cisco PIX / ASA Secure your console port

By default, the console port on your PIX or ASA is not password protected: anyone who plugs in gets the unprivileged prompt without logging in. Your enable password is what keeps them out of configuration mode, and on a PIX that password is blank out of the box, so set one. To require a login on the console as well, create a local user and point console authentication at the local database:

username someuser password somepass
aaa authentication serial console LOCAL

Create the user first so that a valid login exists the moment the aaa command takes effect. Bear in mind this only raises the bar: anyone with physical access to the console can still run the password recovery procedure, so the port is only as secure as the room it is in.

Cisco PIX / ASA Syslog

Basic recipe for a Cisco PIX logging to a syslog server (syslogd on Unix, or Kiwi Syslog on Windows):

logging on
logging timestamp
logging trap notifications
logging host inside

If the syslog server sits on the far side of a site-to-site VPN tunnel and the PIX reaches it through its inside interface, you must also add:

management-access inside

The trap levels that can be used are listed below; logging trap <level> sends messages at that severity and every more severe (lower-numbered) one:

0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notification
6 Informational
7 Debug

Cisco recommends level 3 for production use and 7 for debugging.

To ensure that your timestamps are accurate, set the timezone and the daylight-saving rule:

clock timezone EST -5 <--- EST is a timezone name of your choosing
clock summer-time EST recurring 2 Sunday March 2:00 first Sunday November 2:00

Wyse S10 cannot connect to terminal server

Here's the fix, direct from Wyse tech support:

1) From your WTOS device, click Start > System Setup > Network

2) From Network settings, input the following information:
   File Servers/Path:
   Username: Anonymous

Click OK and restart the S10.

When you restart, you should see an ICA icon on the desktop.  NOTE you do not need to click on this icon, it is an indication that the wnos.ini file has been read. 

If you do not see the ICA icon, verify the information above was input correctly.

If you do see the icon, get back into the Network menu and clear out the information in the File Servers Path field and restart the unit.

After the S10 boots up, test your connection.

Cisco Catalyst and PIX - Set your clock timezone and DST settings

These commands will set your timezone and DST settings properly.  This is especially useful so that your syslog timestamps are correct.

config t
clock timezone EST -5             <--- EST is a timezone name of your choosing; Eastern Time is UTC-5
clock summer-time EST recurring 2 Sunday March 2:00 first Sunday November 2:00
service timestamps log datetime localtime

The two clock commands also work on the PIX, but there is no service timestamps command there; the PIX equivalent is logging timestamp, which stamps each syslog message with the local time.

Cisco PIX restrict Internet but not VPN

If you have a PIX with a site-to-site VPN configured, you may want every internal host to be able to use the VPN but only certain hosts to reach the Internet. In that case, first permit traffic from your internal subnet to the remote VPN subnet, then permit each IP that is allowed Internet access. Everything not matched falls through to the implicit deny at the end of the list, so an unlisted host can reach the tunnel and nothing else (if those hosts need an external DNS server, that needs its own entry).

access-list 1 permit ip any  <--- This allows traffic from the internal subnet to the VPN
access-list 1 permit ip host any               <--- This allows a specific IP Internet access
access-list 1 permit ip host any
access-list 1 permit ip host any
access-group 1 in interface inside

Cisco PIX Restrict Internet Access

Use an access list applied inbound on the inside interface of your PIX to restrict outbound Internet access. Only the hosts you list can get out; every other inside host is stopped by the implicit deny at the end of the list, and that deny also covers DNS and VPN traffic, so list everything that must pass.

access-list 1 permit ip host any
access-list 1 permit ip host any
access-list 1 permit ip host any
access-group 1 in interface inside
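To see the first-match and implicit-deny behaviour these two recipes rely on, here is a small evaluator for PIX-style access-list entries. It is an added example, not configuration or code from this blog; the addresses (192.168.1.0/24 inside, 192.168.2.0/24 across the tunnel, 192.168.1.10 and .11 as the permitted hosts, 198.51.100.1 standing in for an Internet host) are assumed because the post's own entries have their addresses stripped.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def _address(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec starting at toks[i]: 'any',
    'host A.B.C.D' or 'A.B.C.D M.M.M.M' (a subnet mask, not an IOS
    wildcard mask). Returns the network and the index of the next token."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <name> permit|deny ip <src> <dst>' (the only form the post uses)."""
    toks = line.split()
    if (len(toks) < 6 or toks[0] != "access-list"
            or toks[2] not in ("permit", "deny") or toks[3] != "ip"):
        raise ValueError(f"unsupported access-list entry: {line!r}")
    src, i = _address(toks, 4)
    dst, _ = _address(toks, i)
    return Ace(toks[2], src, dst)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """PIX semantics: entries are tested top to bottom, the first match
    decides, and a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Constructed sample with assumed addresses (see the lead-in): LAN behind the
# PIX, far side of the tunnel, and the two hosts allowed out to the Internet.
VPN_PLUS_LIMITED_INTERNET = [parse_ace(l) for l in [
    "access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list 1 permit ip host 192.168.1.10 any",
    "access-list 1 permit ip host 192.168.1.11 any",
]]


def policy_check(acl: List[Ace]) -> dict:
    """The four cases the post cares about; 198.51.100.1 is an arbitrary Internet host."""
    return {
        "unlisted host -> VPN site": evaluate(acl, "192.168.1.50", "192.168.2.7"),
        "unlisted host -> Internet": evaluate(acl, "192.168.1.50", "198.51.100.1"),
        "listed host -> VPN site":   evaluate(acl, "192.168.1.10", "192.168.2.7"),
        "listed host -> Internet":   evaluate(acl, "192.168.1.10", "198.51.100.1"),
    }


if __name__ == "__main__":
    for case, verdict in policy_check(VPN_PLUS_LIMITED_INTERNET).items():
        print(f"{case:28s} {verdict}")
    # The classic mistake: a trailing 'permit ip any any' added to "fix"
    # something (often DNS) quietly re-opens the Internet for every host.
    opened = VPN_PLUS_LIMITED_INTERNET + [parse_ace("access-list 1 permit ip any any")]
    print("after 'permit ip any any':  ", policy_check(opened)["unlisted host -> Internet"])
```

Run it and the four verdicts print; the last line shows why a trailing permit ip any any cancels the restriction. Real PIX entries also take protocols and ports; this handles only the ip form the posts use, which is enough to reason about ordering and the implicit deny.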

Friday, September 18, 2009

Cisco Catalyst Port-Security

The Cisco Catalyst switch can restrict a port to specific MAC addresses. Using the port-security feature, you can make the switch port shut itself down if an unauthorized MAC address is connected.

There are two other violation modes the port can use instead of shutdown. Here are all three (taken from http://cauew.blogspot.com/2008/09/switchport-port-security-what-we-must.html):

  • Protected - When a violation occurs, it'll simply ignore any exceeding MAC addresses, according to your configuration (if you allow only one MAC address, it'll permit the first MAC address to transmit, and drop everything else for any new MAC address trying to transmit to this port).

  • Restrict - Does exactly the same thing as Protected mode, but will also send an SNMP trap regarding the violation.

  • Shutdown - When a violation occurs in the shutdown mode, it sets the port to ERRDISABLE state. The port will stop transmitting anything in the ERRDISABLE state; also, the port LED will turn off. It sends out an SNMP trap about this.

The following example shows how this is done:

config t
interface fa0/1
switchport mode access

switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address xxxx.xxxx.xxxx

If the switch port goes into the err-disabled state because of a violation, you will have to log into the switch and do a shutdown followed by no shutdown on the affected port. Unplug the offending device first, or the port will just trip again.

The commands show port-security address and show port-security interface fa0/1 will show you exactly what is going on, including the violation count and the last source MAC seen on the port.

Optionally, if you want the port to automatically reset itself you can add these commands to your configuration:

errdisable recovery cause psecure-violation
errdisable recovery interval 3600

This will cause the port to come back on its own 3600 seconds (one hour, not 30 minutes; use 1800 for half an hour) after it was err-disabled. The interval is global and applies to every port recovered for that cause.

Cisco Catalyst DHCP with Reservation

The Cisco Catalyst 29xx series is capable of DHCP if you purchase a model with the LANBASE image preinstalled, such as the WS-C2960-24TT-L.  Models with the suffix of "S" are LANLITE images.

This example shows a DHCP pool with a single reservation, tied to a MAC address. On the Catalyst, every reservation (a manual binding) needs its own pool, so if you need more than one you must create an individual pool for each MAC you want to service. This gets unwieldy with many reservations; at that point you will want a DHCP relay configuration (ip helper-address) that forwards the DHCP requests from the switch to a Windows 200x server.

ip dhcp pool Eric
   client-identifier 0100.16d3.3e9c.f8 (per Cisco the MAC must be preceded by 01, the Ethernet hardware type; the resulting seven bytes are written in dotted groups of four hex digits, so the groups no longer line up with the MAC 0016.d33e.9cf8)
   domain-name domain.local
   netbios-name-server (this is your WINS server)
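Because each reservation needs its own pool and the client-identifier is easy to get wrong by hand, here is an added example (not the author's code) that builds the identifier from a MAC in any common notation and renders one pool per reservation, including the host line that turns a pool into a manual binding. The MAC is the one from the post; the pool names, addresses, mask and WINS server are assumed.

```python
import re
from typing import List, Optional, Tuple


def client_identifier(mac: str) -> str:
    """Turn a MAC written any common way (00:16:d3:3e:9c:f8, 00-16-d3-3e-9c-f8
    or 0016.d33e.9cf8) into the IOS DHCP client-identifier: hardware type 01
    (Ethernet) plus the six MAC bytes, the seven bytes then regrouped into
    dotted groups of four hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def mac_from_client_identifier(cid: str) -> str:
    """Inverse: recover the MAC in dotted IOS form from a client-identifier,
    handy when reading 'show ip dhcp binding' output."""
    digits = cid.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        raise ValueError(f"not an Ethernet client-identifier: {cid!r}")
    body = digits[2:]
    return ".".join(body[i:i + 4] for i in range(0, 12, 4))


def reservation_pool(name: str, mac: str, ip: str, mask: str,
                     default_router: Optional[str] = None,
                     domain_name: Optional[str] = None,
                     dns_server: Optional[str] = None,
                     wins_server: Optional[str] = None) -> str:
    """Render one manual-binding pool. 'host <ip> <mask>' is what makes the
    pool a reservation; without it the client-identifier binds to nothing."""
    lines = [f"ip dhcp pool {name}",
             f" client-identifier {client_identifier(mac)}",
             f" host {ip} {mask}"]
    if default_router:
        lines.append(f" default-router {default_router}")
    if domain_name:
        lines.append(f" domain-name {domain_name}")
    if dns_server:
        lines.append(f" dns-server {dns_server}")
    if wins_server:
        lines.append(f" netbios-name-server {wins_server}")
    return "\n".join(lines)


def reservation_config(reservations: List[Tuple[str, str, str]], mask: str, **options) -> str:
    """One pool per (name, mac, ip) tuple, which is what the Catalyst requires."""
    return "\n!\n".join(reservation_pool(n, m, ip, mask, **options)
                        for n, m, ip in reservations)


# Constructed example data: the first MAC is the one from the post, the rest is assumed.
RESERVATIONS = [
    ("Eric",    "00:16:d3:3e:9c:f8", "192.168.1.20"),
    ("Printer", "0019.b9a1.2c3d",    "192.168.1.21"),
]

if __name__ == "__main__":
    print(reservation_config(RESERVATIONS, "255.255.255.0",
                             default_router="192.168.1.1",
                             domain_name="domain.local",
                             wins_server="192.168.1.5"))
```

Paste the printed pools into config mode; the 01 prefix shifting every group by one byte is the part people get wrong when they type the identifier from a MAC they read off a label.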

Cisco Catalyst Syslog

This recipe will cause a Catalyst switch to log to a syslog server, or a Windows server running Kiwi Syslog. A logging host line naming the server's address is needed as well.

logging on
logging trap  (with no level this means informational, severity 6; add a level name from the table below to send less)

logging facility local1 (local0 through local7 are available; the IOS default is local7)

Logging Levels

  Level         Description                       Severity
  emergencies   System is unusable                0
  alerts        Immediate action needed           1
  critical      Critical conditions               2
  errors        Error conditions                  3
  warnings      Warning conditions                4
  notifications Normal but significant conditions 5
  informational Informational messages            6
  debugging     Debugging messages                7

Thursday, September 3, 2009

Migrating a Windows 2000 or XP PC to a new Windows XP PC

Follow the steps in this document to keep your machine migrations consistent.  I have developed this method and fine-tuned it over the years.

Gather information from the SOURCE machine

Network Control Panel
  • IP Address, subnet mask, gateway, primary DNS, secondary DNS of Local Area Connection
  • Details of any dial-up connections: name, phone number with area code, username. Recover the saved password with Asterisk Password logger.
System Control Panel
  • Computer name
  • Workgroup or Domain name


Wednesday, September 2, 2009

Cisco ASA Virtualized in VMWare

Here we have a project that has packaged the Cisco ASA 5500 software as a self-installing VMware image.  This might be useful in the future.  Wish someone had done this for the PIX!

Cisco PIX Syslog

logging on
logging standby
logging timestamp
logging trap notifications (or warnings; notifications will send a ton of info)
logging facility 18 (PIX facility numbers run 16 through 23, which map to local0 through local7, so 18 is local2)
logging host <inside|outside> <ip-address>
I also like to use the command logging device-id string <name>. This tags all messages in my syslog with an identifier so I know what device sent the message (by name rather than IP address).
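To put the trap levels from this post and the Catalyst Logging Levels table to work, here is an added example (not the author's code) that parses PIX and IOS syslog lines, decodes the <pri> facility and severity, picks up the device-id string, reports which messages a given logging trap level would actually deliver, and pulls out the two events the posts above make you care about: Catalyst port-security violations and PIX 106023 access-group denies from the Internet restriction. The sample lines are constructed, and the header layout (device-id followed by " : ") is an assumption about the PIX format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names as the PIX/ASA and Catalyst CLI spell them, indexed by number.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# Assumption: the PIX device-id is the token before ' : ' right in front of the
# %PIX tag. IOS timestamps end in ': ' with no space before the colon, so no match.
DEVID_RE = re.compile(r"(\S+) : $")


@dataclass
class CiscoSyslog:
    pri_facility: Optional[int]   # from <pri>: facility code, e.g. 18 = local2
    pri_severity: Optional[int]   # from <pri>: severity 0-7
    device_id: Optional[str]
    facility: str                 # PIX, PORT_SECURITY, PM, SYS, ...
    severity: int                 # the digit in %FAC-n-MNEMONIC
    mnemonic: str
    text: str

    @property
    def level_name(self) -> str:
        return LEVELS[self.severity]


def parse_line(line: str) -> Optional[CiscoSyslog]:
    """Parse one PIX or IOS syslog line; None for anything not Cisco-formatted."""
    m = MSG_RE.search(line)
    if not m:
        return None
    head = line[:m.start()]
    pri = PRI_RE.match(head)
    pri_fac, pri_sev = divmod(int(pri.group("pri")), 8) if pri else (None, None)
    dev = DEVID_RE.search(head)
    return CiscoSyslog(pri_fac, pri_sev, dev.group(1) if dev else None,
                       m.group("fac"), int(m.group("sev")), m.group("mnem"), m.group("text"))


def parse_all(lines: List[str]) -> List[CiscoSyslog]:
    return [p for p in (parse_line(l) for l in lines) if p is not None]


def sent_at_trap_level(lines: List[str], trap_level: str) -> List[CiscoSyslog]:
    """What a device configured with 'logging trap <trap_level>' would send:
    every message at that severity number or lower (more severe)."""
    cutoff = LEVELS.index(trap_level)
    return [m for m in parse_all(lines) if m.severity <= cutoff]


PSECURE_RE = re.compile(r"caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?$")
ACL_DENY_RE = re.compile(r'Deny (\S+) src \S+?:([\d.]+)/\d+ dst \S+?:([\d.]+)/\d+ '
                         r'by access-group "?([^"\s]+)"?')


def port_security_violations(lines: List[str]) -> List[Tuple[str, str]]:
    """(offending MAC, port) for each Catalyst port-security violation."""
    out = []
    for m in parse_all(lines):
        if m.facility == "PORT_SECURITY" and m.mnemonic == "PSECURE_VIOLATION":
            mm = PSECURE_RE.search(m.text)
            if mm:
                out.append((mm.group(1), mm.group(2)))
    return out


def acl_denies(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(protocol, src, dst, acl) for each PIX 106023 access-group deny."""
    out = []
    for m in parse_all(lines):
        if m.facility == "PIX" and m.mnemonic == "106023":
            mm = ACL_DENY_RE.search(m.text)
            if mm:
                out.append(mm.groups())
    return out


# Constructed sample lines, not captured from the author's devices. PIX lines assume
# 'logging facility 18', 'logging timestamp' and 'logging device-id string pix-hq';
# switch lines assume 'logging facility local1' and service timestamps in local time.
SAMPLE_LINES = [
    "<149>Sep 21 2009 14:02:11 pix-hq : %PIX-5-111008: User 'enable_15' executed the 'logging on' command.",
    "<150>Sep 21 2009 14:02:13 pix-hq : %PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.1/80 (198.51.100.1/80) to inside:192.168.1.10/1234 (203.0.113.5/1024)",
    '<148>Sep 21 2009 14:02:14 pix-hq : %PIX-4-106023: Deny tcp src inside:192.168.1.50/1235 dst outside:198.51.100.1/80 by access-group "1"',
    "<138>Sep 18 09:15:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0016.d33e.9cf8 on port FastEthernet0/1.",
    "<140>Sep 18 09:15:01: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "<141>Sep 18 09:20:40: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)",
]

if __name__ == "__main__":
    for level in ("warnings", "notifications", "informational"):
        kept = sent_at_trap_level(SAMPLE_LINES, level)
        print(f"logging trap {level:13s} -> {len(kept)} of {len(SAMPLE_LINES)} messages")
    print("port-security violations:", port_security_violations(SAMPLE_LINES))
    print("ACL denies:", acl_denies(SAMPLE_LINES))
```

Running it shows the trade-off the posts describe: at warnings the connection-built message (302013, severity 6) and the config-change notice (CONFIG_I, severity 5) never leave the device, while the port-security violation and the access-group deny do, so those two detections survive a quiet trap level. Both the <pri> severity and the digit in the %tag are decoded because the two should agree, and a mismatch is a sign the line was relayed or rewritten on the way.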

NT Backup

NT Backup is painful but sometimes you don't have any other choice.  Here is a working command line that you can insert into a Scheduled Task.  Make sure that the scheduled task runs as a user with at least backup rights (a member of Backup Operators) and that the account has a password assigned: you cannot set up a scheduled task that runs as a user without a password.  Do not use the Administrator account, because its password might get changed somewhere along the line, which will silently stop your backup from running.

This command line assumes that you have gone through the NT Backup wizard and created a job called "Daily Data Backup" while logged in as Administrator, which is why the .bks selection file lives under the Administrator profile.  The account the task runs as needs read access to that file, so either grant it or move the .bks somewhere that account can read and adjust the path.

C:\WINDOWS\system32\ntbackup.exe backup "@C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\Daily Data Backup.bks" /n "Media created 4/1/2005 at 1:44 PM" /d "Daily Backup" /v:yes /r:no /rs:no /hc:on /m normal /j "Daily Data Backup" /l:s /p "4mm DDS" /um