When setting a password on the console, auxiliary and vty lines of a Cisco router, the passwords will be displayed when viewing the config on the terminal screen unless password encryption is switched on.
To turn it off again:
no service password-encryption
Cisco PIX Firewalls require two elements to pass traffic from outside (higher security) to inside (lower security): a static translation and a conduit.
For this example, assume a server has IP address 192.168.1.100 and there is an available outside address of 184.108.40.206.
First, create the static translation. This configuration line establishes a relationship between 220.127.116.11 (public Internet IP address) and 192.168.1.100 (inside, private IP address).
fixup protocol pptp 1723
static (inside,outside) 18.104.22.168 192.168.1.100 netmask 255.255.255.255 0 0
Next, create appropriate conduits to allow specific traffic to pass from the outside to the inside interface. PPTP uses TCP port 1723 and IP protocol 47 (GRE).
conduit permit tcp 22.214.171.124 eq 1723 any
conduit permit gre host 126.96.36.199 any
or
access-list 101 permit tcp any host 188.8.131.52 eq 1723
access-list 101 permit gre any host 184.108.40.206
access-group 101 in interface outside
A couple of notes:
– In the conduits and access-lists, the any keyword allows matching traffic from any IP address to pass through the firewall. Replace it with the source IP address of the PPTP tunnel if at all possible.
– Before entering the last line (the access-group command), check for any existing access-lists and for other traffic that must still be allowed.
Routers far away can be safely configured by scheduling a reload first. Before any configuration changes are made, issue a reload command on the remote router: reload in 30 instructs the router to reboot in 30 minutes, and reload at 00:00 reloads it at a specific time. Proceed to configure the router as needed. As long as no configuration changes are saved, the router will revert to its previous configuration when it reloads. If the configuration changes are successful, reload cancel will stop the pending reload. If the configuration changes cause a loss of connectivity, the local side can be easily reset to the previous configuration. When the router reloads, connectivity will be restored.
Here’s a quick and simple way to install telnet.
Go to the command prompt and enter the following command.
start /w pkgmgr /iu:"TelnetClient"
Telnet is now installed.
Following is a quick listing of the commands you need when upgrading the IOS firmware on Cisco router series 1600, 2000, 2500, 3000, AS5100 and AS5200. You should consult the Cisco web site to upgrade other devices. The process involves two phases: one, set the flash to read-write and reboot; two, download the firmware and reboot. You must set up a TFTP server and make the IOS binary file available for download. If your router is not on the same network segment as your TFTP server, be sure both devices have a default route configured so that they can reach one another. I recommend using a Linux box for your TFTP server and limiting access to the service with both ipchains/iptables and the tcp-wrappers hosts.allow file. The following sequence of commands can be entered via the console port or in a telnet session. I recommend you have access to the console port in case something fails... you've been warned!
enable
conf t
config-register 0x2101
^Z
wr mem
reload
The router will reboot and the flash will now be in read-write mode. This is called “boot mode.” Avoid saving anything in this mode and answer no to any prompts about saving your current configuration. If you do save your config while in this mode, it may be partially or completely erased…
enable
conf t
config-register 0x2102
^Z
copy tftp flash
! it'll prompt for ip address…
! it'll prompt for filename…
! use same name to save as…
! when asked about erase say YES to confirm…
reload
! answer NO to save current config
! answer YES to continue with reload
If you pray really hard, and offer up the right sacrifices, at this point you’ll be looking at a successful router upgrade! If connecting via the console port, make sure your terminal settings are as follows:
VT100, 9600 bps, 8 data bits, 1 stop bit, no parity, no flow control
Sample Config Cisco IOS VPN with NAT
Current configuration : 3044 bytes
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
enable password cisco
username cisco password 0 cisco
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip domain-lookup
ip inspect name fw http
ip inspect name fw ftp
ip inspect name fw tcp
ip inspect name fw udp
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
crypto isakmp client configuration group 3000client
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
! Those two lines are missing from an older sample on Cisco's site; VPN clients won't connect without them
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip address 220.127.116.11 255.255.255.0
ip nat inside
ip address 18.104.22.168 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map clientmap
ip local pool ippool 22.214.171.124 126.96.36.199
ip nat pool outsidepool 188.8.131.52 184.108.40.206 netmask 255.255.255.0
! Doesn’t work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 Serial0
access-list 1 permit 220.127.116.11 0.0.0.255
access-list 101 permit tcp 18.104.22.168 0.0.0.255 any
access-list 101 permit icmp 22.214.171.124 0.0.0.255 any
access-list 101 permit udp 126.96.36.199 0.0.0.255 any
access-list 102 permit udp host 188.8.131.52 eq isakmp host 184.108.40.206
access-list 102 permit ahp host 220.127.116.11 host 18.104.22.168
access-list 102 permit esp host 22.214.171.124 host 126.96.36.199
access-list 102 permit udp any host 188.8.131.52 eq 62514
access-list 102 permit udp any host 184.108.40.206 eq isakmp
access-list 102 permit tcp any any
access-list 102 permit icmp any any echo-reply
access-list 108 permit ip 220.127.116.11 0.0.0.255 18.104.22.168 0.0.0.255
access-list 199 deny ip 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255
access-list 199 permit ip 188.8.131.52 0.0.0.255 any
route-map nonat permit 10
match ip address 199
line con 0
line aux 0
line vty 0 4
no scheduler allocate
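The sample configuration above switches password encryption off and keeps its credentials as typed, which is the exposure the first tip on this page describes. The following Python script is an added example, not part of the original page or of any Cisco tool: it flags those settings, plus single-DES transform sets and permit-any-any ACL entries, in a constructed excerpt. The rule names and the 192.0.2.1 address are assumptions of the example.

```python
import re

# Constructed excerpt modelled on the sample config above. 192.0.2.1 is a
# documentation placeholder address, not a value taken from the page.
SAMPLE_CONFIG = """\
no service password-encryption
enable password cisco
username cisco password 0 cisco
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 102 permit udp any host 192.0.2.1 eq isakmp
access-list 102 permit tcp any any
line vty 0 4
 password cisco
"""

# (rule id, pattern, reason). Rule ids are this example's own names.
RULES = [
    ("encryption-disabled", r"^no service password-encryption\b",
     "line and user passwords are displayed as typed when the config is viewed"),
    ("enable-password", r"^enable password\b",
     "'enable secret' stores the enable credential hashed instead"),
    ("cleartext-user-password", r"^username\s+\S+\s+password\s+(?!7\s)\S",
     "user password is not stored in encrypted (type 7) form"),
    ("cleartext-line-password", r"^\s*password\s+(?!7\s)\S",
     "console/aux/vty password is not stored in encrypted (type 7) form"),
    ("single-des", r"\besp-des\b",
     "transform set uses single DES (56-bit key)"),
    ("permit-any-any", r"^access-list\s+\d+\s+permit\s+(ip|tcp|udp)\s+any\s+any\b",
     "entry matches traffic from any source to any destination"),
]


def audit(config_text):
    """Return (line number, rule id, reason) per finding; never echoes secrets."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for rule_id, pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((number, rule_id, reason))
    return findings


if __name__ == "__main__":
    for number, rule_id, reason in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule_id}: {reason}")
```

The findings carry only line numbers and reasons, so the report can be shared without copying the passwords out of the configuration.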
Had this little doozy today. Luckily, with a quick search I was able to find that it is pretty common.
There is on rare occasion an issue where Windows Vista, ultimately Windows 7 and even Windows Server 2008 will get stuck on patching. It does not happen often at all, but on the very very rare time that it does, it gives you a heart attack for sure. Not to worry, it’s something that one can recover from.
The symptoms are that the server stays on "Configuring updates Stage 3 of 3 0% completed" and stays there forever. Meanwhile you have a heart attack.
First rule, don’t panic.
Second rule, take a deep breath and find your install media. Remember to hit F8 to get into the recovery console.
But here’s the workaround:
– Using the install media, the server was booted into the recovery console.
– In the following directory, c:\windows\winsxs, the pending.xml file was
These two steps allowed the server to boot back into the desktop.
The issue is similar to this:
The update is not installed successfully, you receive a message, and the computer restarts when you try to install an update in Windows Vista:
On a Windows platform, you can connect to the VPN before you log on to the Windows domain.
When start before logon is selected, the VPN Client starts and displays the connection dialog box over the system logon dialog box. You connect to the VPN first and then the connection dialog box goes away. You will then see the normal Windows logon screen and log on to the domain. You may also load a logon script.
To activate start before logon, follow these steps:
1. Open the VPN Client Options menu and choose Windows Logon Properties.
2. Check Enable start before logon and then click OK.