Monthly Archives: March 2011

Send email via Telnet


How to pass PPTP traffic through a PIX Firewall

Cisco PIX Firewalls require two elements to pass traffic from outside (higher security) to inside (lower security): a static translation and a conduit.

For this example, assume a server has IP address 192.168.1.100 and there is an available outside address of 1.1.1.1.

First, create the static translation. This configuration line establishes a relationship between 1.1.1.1 (public Internet IP address) and 192.168.1.100 (inside, private IP address).

fixup protocol pptp 1723
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255 0 0

Next, create the conduits that allow only the required traffic to pass from the outside to the inside interface. PPTP uses TCP port 1723 for control and GRE (IP protocol 47) for the tunnel itself.

conduit permit tcp host 1.1.1.1 eq 1723 any
conduit permit gre host 1.1.1.1 any

or, using access-lists:

access-list 101 permit tcp any host 1.1.1.1 eq 1723
access-list 101 permit gre any host 1.1.1.1
access-group 101 in interface outside

A couple of notes:

In the conduits and access-lists, the any keyword allows matching traffic from any IP address to pass through the firewall. This should be replaced with the source IP address of the PPTP tunnel, if at all possible.

Before entering the last line (the access-group), check for existing access-lists on the outside interface and for any other traffic that must still be permitted!

Safely Configuring Cisco Routers

Remote routers can be configured safely by scheduling a reload first. Before making any configuration changes, issue a reload command to the remote router: reload in 30 (reboot in 30 minutes) or reload at 00:00 (reboot at a specific time). Then make the configuration changes as needed. As long as the running configuration is not saved, the router reverts to its previous configuration when it reloads. If the changes are successful, reload cancel stops the pending reload. If the changes cause a loss of connectivity, nothing further is needed: the router falls back to the previous configuration when it reloads, and connectivity is restored.

Updating Cisco IOS

Following is a quick listing of the commands you need to use when upgrading the IOS firmware on your Cisco router series 1600, 2000, 2500, 3000, AS5100 and AS5200. Consult the Cisco web site before upgrading other devices. The process involves two phases: one, set the flash to read-write and reboot; two, download the firmware and reboot. You must set up a TFTP server and make the IOS binary file available for download. If your router is not on the same network segment as your TFTP server, be sure both devices have a default route configured so that they can reach one another. I recommend using a Linux box for your TFTP server, and limiting access to the service with both ipchains/iptables and the tcp-wrappers hosts.allow file. The following sequence of commands can be entered via the console port or via a telnet session. I recommend you have access to the console port in case something fails . . . you’ve been warned!

enable
conf t
config-register 0x2101
^Z
wr mem
reload

The router will reboot and the flash will now be in read-write mode. This is called “boot mode.” Avoid saving anything in this mode and answer no to any prompts about saving your current configuration. If you do save your config while in this mode, it may be partially or completely erased…

enable
conf t
config-register 0x2102
^Z
copy tftp flash
  it’ll prompt for the IP address… it’ll prompt for the filename… use the same name to save as… when asked about erase, say YES to confirm
reload
  answer NO to saving the current config, answer YES to continue with the reload

If you pray really hard, and offer up the right sacrifices, at this point you’ll be looking at a successful router upgrade! If connecting via the console port, make sure your terminal settings are as follows:

VT100, 9600 bps, 8 data bits, 1 stop bit, no parity, no flow control

Cisco VPN with NAT

Sample Config Cisco IOS VPN with NAT
1720#sh run
Building configuration…
Current configuration : 3044 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720
!
enable password cisco
!
username cisco password 0 cisco
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
!
ip inspect name fw http
ip inspect name fw ftp
ip inspect name fw tcp
ip inspect name fw udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key cisco123
pool ippool
acl 108
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
! Those two lines are missing in an older sample on Cisco’s site; VPN clients won’t connect without them
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
ip address 196.0.0.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
ip address 193.0.0.1 255.255.255.0
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
no fair-queue
clockrate 64000
crypto map clientmap
!
ip local pool ippool 197.0.0.3 197.0.0.5
ip nat pool outsidepool 193.0.0.5 193.0.0.10 netmask 255.255.255.0
! Doesn’t work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 196.0.0.0 0.0.0.255
access-list 101 permit tcp 196.0.0.0 0.0.0.255 any
access-list 101 permit icmp 196.0.0.0 0.0.0.255 any
access-list 101 permit udp 196.0.0.0 0.0.0.255 any
access-list 102 permit udp host 193.0.0.1 eq isakmp host 193.0.0.1
access-list 102 permit ahp host 193.0.0.1 host 193.0.0.1
access-list 102 permit esp host 193.0.0.1 host 193.0.0.1
access-list 102 permit udp any host 193.0.0.1 eq 62514
access-list 102 permit udp any host 193.0.0.1 eq isakmp
access-list 102 permit tcp any any
access-list 102 permit icmp any any echo-reply
access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 196.0.0.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 199
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
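An added example, not from the original post and not Cisco tooling, that applies the PPTP note about the any keyword and audits the VPN sample above: a small Python linter parses PIX conduit and IOS/PIX access-list lines, reports permit rules whose source is any, and flags the credentials the sample stores in the clear (no service password-encryption, enable password, username ... password 0). The sample lines are constructed from the snippets on this page.

```python
import re
# Constructed sample: lines from this page's PIX PPTP snippet and its IOS VPN
# sample config, mixed so the linter sees both syntaxes.
SAMPLE_CONFIG = """\
conduit permit tcp host 1.1.1.1 eq 1723 any
access-list 101 permit gre any host 1.1.1.1
no service password-encryption
enable password cisco
username cisco password 0 cisco
access-list 102 permit tcp any any
access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
"""
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # operator + argument count

def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and a trailing port
    operator, if present; return (spec, remaining tokens)."""
    n = 1 if tokens[:1] == ["any"] else 2
    spec, rest = (" ".join(tokens[:n]) or None), tokens[n:]
    if rest and rest[0] in PORT_OPS:
        rest = rest[PORT_OPS[rest[0]]:]
    return spec, rest

def permit_source(line):
    """Source spec of a permit rule, or None for any other line. A PIX conduit
    names the protected (global) address first; an access-list names the source first."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("conduit", "access-list"):
        return None
    if t[0] == "conduit":  # conduit permit PROTO GLOBAL [op port] FOREIGN [op port]
        _, rest = _take_addr(t[3:]) if t[1] == "permit" else (None, [])
        return _take_addr(rest)[0] if rest else None
    if t[2] != "permit":
        return None
    standard = t[1].isdigit() and (1 <= int(t[1]) <= 99 or 1300 <= int(t[1]) <= 1999)
    return _take_addr(t[3:] if standard else t[4:])[0]  # standard ACLs have no protocol field

def lint(config_text):
    """Return (line, finding) pairs: permit rules open to any source, cleartext credentials."""
    findings = []
    for line in (ln.strip() for ln in config_text.splitlines()):
        if permit_source(line) == "any":
            findings.append((line, "permit rule accepts traffic from any source"))
        if line == "no service password-encryption":
            findings.append((line, "passwords are stored in cleartext"))
        elif re.match(r"enable password\s", line):
            findings.append((line, "cleartext/reversible enable password; prefer 'enable secret'"))
        elif re.match(r"username \S+ password (0 )?(?!7 )\S+$", line):
            findings.append((line, "username has a cleartext password"))
    return findings
```

Run lint(SAMPLE_CONFIG) to see the six findings; pointing it at a full show run output works the same way, since lines it does not recognise are ignored.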

Configuring updates Stage 3 of 3 0% completed

Had this little doozy today. Luckily, with a quick search I was able to find that it is pretty common.

http://msmvps.com/blogs/bradley/archive/2009/03/08/configuring-updates-stage-3-of-3-0-completed-aka-the-heart-attack-screen.aspx

There is on rare occasion an issue where Windows Vista, ultimately Windows 7 and even Windows Server 2008 will get stuck on patching.  It does not happen often at all, but on the very very rare time that it does, it gives you a heart attack for sure.  Not to worry, it’s something that one can recover from.

The symptoms are that the server stays on Configuring updates Stage 3 of 3 0% completed and stays there forever. Meanwhile you have a heart attack.

First rule, don’t panic.

Second rule, take a deep breath and find your install media.  Remember to hit F8 to get into the recovery console.

But here’s the workaround:

– Using the install media, the server was booted into the recovery console.
– In the following directory, c:\windows\winsxs, the pending.xml file was renamed pending.old

These two steps allowed the server to boot back into the desktop.

The issue is similar to this:

The update is not installed successfully, you receive a message, and the computer restarts when you try to install an update in Windows Vista:
http://support.microsoft.com/kb/949358/en-us

Start Cisco VPN before logon Windows domain

On a Windows platform, you can connect to the VPN before you log on to Windows domain.

When start before logon is selected, the VPN Client starts and displays its connection dialog box over the Windows logon dialog box. You connect to the VPN first; the connection dialog box then goes away, the normal Windows logon screen appears, and you log on to the domain. Logon scripts can also run, since the domain is already reachable through the tunnel.

To activate start before logon, follow these steps:

1. Open the VPN Client Options menu and choose Windows Logon Properties.

2. Check Enable start before logon and then click OK.