Posts

How to install a Godaddy SSL certificate on a Cisco ASA firewall

The first step in getting an SSL certificate for your Cisco ASA is to generate a certificate signing request (CSR).
1.  Open ASDM > Configuration > Device Management
2.  Certificate Management > Identity Certificates > Add
3.  Add a New Identity Certificate > New
4.  Click the “Enter new key pair name” radio button.  Enter the FQDN of your firewall (VPN.MyDomain.com)
5.  Change the size to 2048
6.  Click generate now.
7.  On the next screen choose the following attributes, fill in the values, then click add.
CN = FQDN of your domain (vpn.MyDomain.com)
OU = Department of your business responsible (IT)
O = Legal name of organization
C = Country abbreviation (US)
ST = State abbreviation (AZ)
L = City (Scottsdale)
8.  Click OK once these are all added
9.  Click advanced
10.  In the FQDN field type your FQDN again (Vpn.MyDomain.com)
11.  Click Ok and Add Certificate.
12.  You will be prompted to save this certificate to your PC which you should do.
13.  Login to your Godaddy account and copy and paste all the text from the CSR.
14.  Once you submit your CSR you can download the certificate to your PC in .crt format.
15.  Go back to ASDM Certificate Management > Identity Certificates.  Select your previously generated CSR and click the install button.  Browse to the .crt file you were provided by Godaddy.
16.  Now that you have installed the certificate you must tell the ASA to use it for SSL.  To do this, in Device Management on the ASA browse to Advanced > SSL Settings.
17.  Select the interface for your VPN clients and click edit.  Now select your new certificate.

Congrats, you should now be able to browse to your external web interface and see that it is a trusted site!
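For admins who prefer the console, here is the CLI equivalent of the ASDM steps above. This is an added example, not something from the post: the trustpoint name GoDaddy-TP and the subject values other than the FQDN (MyCompany, IT, US, AZ, Scottsdale) are assumptions, while the FQDN vpn.MyDomain.com is the one used above. It also covers a step the ASDM walkthrough does not mention: importing Godaddy's intermediate CA certificate (the bundle file shipped with the download), without which browsers and VPN clients still see a warning because the ASA sends an incomplete chain.

```cisco
! Added example (not from the post): CLI equivalent of the ASDM CSR/install steps.
! Assumed names: trustpoint "GoDaddy-TP", key pair label "vpn.MyDomain.com",
! placeholder subject values (MyCompany, IT, US, AZ, Scottsdale).
!
! 1. Generate the 2048-bit RSA key pair (ASDM steps 4-6).
crypto key generate rsa label vpn.MyDomain.com modulus 2048
!
! 2. Define the trustpoint with the subject attributes (ASDM steps 7-10).
crypto ca trustpoint GoDaddy-TP
 enrollment terminal
 fqdn vpn.MyDomain.com
 subject-name CN=vpn.MyDomain.com,OU=IT,O=MyCompany,C=US,ST=AZ,L=Scottsdale
 keypair vpn.MyDomain.com
exit
!
! 3. Print the PEM-encoded CSR to the terminal; paste it into the Godaddy request form.
crypto ca enroll GoDaddy-TP
!
! 4. Install the Godaddy intermediate CA certificate first (paste the PEM text, then type quit).
!    Without it the ASA serves only the leaf certificate and clients cannot build the chain.
crypto ca authenticate GoDaddy-TP
!
! 5. Install the issued identity certificate (open the .crt as PEM text, paste, then quit).
crypto ca import GoDaddy-TP certificate
!
! 6. Bind the certificate to the interface that terminates SSL VPN / ASDM sessions (ASDM steps 16-17).
ssl trust-point GoDaddy-TP outside
!
! 7. Verify the chain is present and the binding is active, then save.
show crypto ca certificates GoDaddy-TP
show run ssl
write memory
```

The `show crypto ca certificates GoDaddy-TP` output should list both a CA certificate and an identity certificate under the trustpoint; if only the identity certificate appears, step 4 was skipped and the site will still be flagged as untrusted even though the certificate itself is valid.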

Cisco ASDM will not launch with version 7.x

If you have the latest version of Java 7 and you’re using ASDM 7.x, it will not work.  You must uninstall Java and downgrade to version 6!  Found here – http://www.oldapps.com/java.php

Cisco IPsec VPN Client for Windows 8 error: VPN Client failed to enable virtual adapter

If you download the latest version (5.0.07.0440 as of this writing) of the Cisco IPsec VPN client for the Cisco ASA, you may notice this error when trying to connect from Windows 8. To get around the error and make it work you must modify your registry. It is a very simple tweak. Open regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA. Once there, look on the right-hand side for DisplayName. You will see its current value is something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows”. Simply change this to “Cisco Systems VPN Adapter for 64-bit Windows”. Once this is finished close regedit, reboot your PC, and voila, your VPN will now work!

Cisco ASA 8.3 and above NAT ranges how to

object network obj-Server1
 host 192.168.1.5
object service MyRange
 service tcp destination range 50 100
nat (outside,inside) source static any any destination static interface obj-Server1 service MyRange MyRange
access-list outside_access_in extended permit tcp any host 192.168.1.5 range 50 100
access-group outside_access_in in interface outside

Nat rules change after 8.3 upgrade breaks VPN

Normal NAT statement (pre-8.3):
access-list nonat extended permit ip
nat (inside) 0 access-list nonat-inside
New NAT statement (8.3 and above):
object network vpnpool
subnet
exit
nat (inside,outside) source static any any destination static vpnpool vpnpool
This NAT rule says to keep the source address for anything coming from the internal interface going to the range designated by the vpnpool object, while also keeping the destination address the same.
Seems like a strange way of going about this, but this is all I have come across so far. Anyone who has a better way please leave a comment.
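Since the two posts above (the port-range forward and the post-8.3 VPN exemption) use the same object/twice-NAT style, here is one complete 8.3+ configuration covering both, followed by the checks to confirm the rules do what you expect. This is an added example, not configuration from the posts: the addresses (inside LAN 192.168.1.0/24, server 192.168.1.5, VPN client pool 192.168.100.0/24, outside interface 198.51.100.1, remote client 203.0.113.10) are constructed, and the object name inside-net is an assumption. For the VPN case it scopes the identity NAT to the LAN object instead of `any`, which is the form Cisco's NAT documentation uses, so only LAN-to-pool traffic is exempted rather than everything leaving the inside interface.

```cisco
! Added example (not from the posts): complete 8.3+ style NAT config for both cases.
! Constructed addresses: inside LAN 192.168.1.0/24, server 192.168.1.5,
! VPN pool 192.168.100.0/24, outside interface 198.51.100.1.
!
! --- Case 1: forward TCP ports 50-100 on the outside interface to an internal server ---
object network obj-Server1
 host 192.168.1.5
object service MyRange
 service tcp destination range 50 100
! Twice NAT: outside clients hitting the outside interface IP on ports 50-100 reach 192.168.1.5.
nat (outside,inside) source static any any destination static interface obj-Server1 service MyRange MyRange
! Since 8.3 the interface ACL references the real (untranslated) address, not the mapped one.
access-list outside_access_in extended permit tcp any object obj-Server1 range 50 100
access-group outside_access_in in interface outside
!
! --- Case 2: exempt LAN <-> VPN-client traffic from NAT (the old "nat 0" behaviour) ---
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network vpnpool
 subnet 192.168.100.0 255.255.255.0
! Identity NAT scoped to the LAN rather than "any", so only LAN-to-pool traffic is exempted.
! no-proxy-arp / route-lookup exist on later 8.x releases; drop them if your version rejects them.
nat (inside,outside) source static inside-net inside-net destination static vpnpool vpnpool no-proxy-arp route-lookup
!
! --- Checks ---
! Rule order and hit counts (twice NAT rules in section 1 are matched top to bottom).
show nat detail
! Simulate an outside client reaching the forwarded range (port 80 is inside 50-100).
packet-tracer input outside tcp 203.0.113.10 12345 198.51.100.1 80 detailed
! Simulate a LAN host reaching a VPN client; the NAT phase should show the identity rule.
packet-tracer input inside tcp 192.168.1.20 12345 192.168.100.5 3389 detailed
```

In the packet-tracer output, look at the NAT phase of each trace: the first should show the destination translated from 198.51.100.1 to 192.168.1.5 with the `outside_access_in` ACL permitting it, and the second should hit the identity rule with no address change. If the second trace instead matches a dynamic PAT rule, the identity rule is either missing or ordered after it.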

Changing the enable or telnet password on Cisco PIX or ASA

To change the enable password:
enable password N3wP@ssw0rd
To change the telnet password:
password N3wP@ssw0rd

Microsoft Small Business Server 2008

Microsoft SBS Server 2008 is an excellent solution for small businesses.  However, migrating to SBS 2008 is not that simple.  First things first: it is essential that you migrate to a new physical server.  Doing an in-place upgrade is a nightmare and I would not attempt it.  If you don’t have another server and your current server is an x64 platform, then you should create a virtual machine and use a physical-to-virtual utility to convert your existing machine to a virtual machine.  Once that is done, install SBS 2008 from scratch and then power up the virtual machine.  You can then migrate over to SBS 2008.
It should also be noted that x64 is becoming the new standard.  It gives you a bus twice as big as its predecessor, x86 processing.  That being said, Windows Server 2008 requires x64 hardware.  It will not install on x86.
You basically have two choices when it comes to SBS 2008: Standard or Premium.  The main difference is that with the Premium edition you can have 2 servers in the domain, whereas Standard was intended to be a single-server solution.
Microsoft decided that ISA Server would not be included in SBS 2008.  This in my opinion was a good idea.  There are things certain companies are good at, and they should stick to their core competencies, the things they can perfect.  Cisco owns Microsoft when it comes to networking/firewalls, and Microsoft has better server solutions.  Do yourself a favor and do not try to use a “software” firewall solution.  Use a Cisco ASA 5505 or whichever model fits your needs.
SBS 2008 also has a built-in web interface for connecting to your PC at work.  I believe RDP is the way to go for employees accessing your network remotely.  The reason is that their PC acts as a dumb terminal and they can see and feel their desktop as if they were sitting at it.  VPN solutions, also known as virtual private networks, are overrated.  When a client VPNs in from home they basically connect their PC to your internal network, meaning that if their PC is compromised the attacker basically has a door into your network.  Since it is almost impossible to control employees’ PCs at home, it is inevitable that at some point they will get a virus or spyware.  If you remember, this is how Microsoft’s network was compromised a few years back.
Also, with the Premium edition you have the ability to install SQL 2008 Standard.  This is not an option with the Standard edition.
The steps for migrating from SBS 2003 are as follows:
Always run backups on your existing server first before doing anything.  This is vital.
Next go to Windows Update and make sure you have installed all service packs and updates.
You must now raise the functional level of your SBS 2003 domain.  Do this by first demoting any NT4 or Windows 2000 domain controllers (if you have any).  Once that is complete, go to Active Directory Domains and Trusts.  Right-click on your domain and select Raise Domain Functional Level, choosing 2003.  You must also raise the forest functional level to 2003.  This can be done by staying in the same console, right-clicking on Active Directory Domains and Trusts, and selecting Raise Forest Functional Level.
I would recommend next that you have all of your users go into Outlook.  Tell them to go to Tools and empty the Deleted Items folder.  This will free up tons of space worth of trash and will help make your migration faster.
Make sure your source server has the correct time as this is essential:  w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time
Make sure your domain is in native mode and not mixed mode.
Next prepare your server by inserting the SBS 2008 DVD.  Go to Tools, click the Source Tool and run it.  You are going to need an answer file for this, which can be created by running SBSAfg.exe from the SBS 2008 DVD.
Keep in mind that you must remove the source server.  You have 21 days.
When you install the new server, make sure your answer file is on a USB drive.  It will be auto-detected as long as it is in the root of any drive.  If it is successfully detected, after you answer all the Windows Server 2008 questions you will get a Start the Migration page.
To migrate Exchange 2003 to Exchange 2008, I would recommend you have all your users create a backup PST from Outlook so that you have local copies of your data.  Once that is complete, on the migration wizard home page click Migrate Exchange Mailboxes and Settings and follow the steps outlined.

VPN client cannot connect through PIX or ASA

Make sure to run this command to enable the PPTP fixup protocol:
fixup protocol pptp 1723

External interface on PIX or ASA just stops working

Issues where the external interface on an ASA or PIX suddenly stops receiving traffic or starts dropping traffic are related to your duplex settings.  Although on most firewall devices you can leave the interface on auto-negotiate, it is not a good idea on these devices.  You should set it to match the router's inside interface, which is most commonly set to 100/Full duplex.

Remotely change critical settings on a Pix or ASA device

If you are remotely configuring a Cisco ASA or PIX there is always the concern that you’ll change a setting that takes down the network, and you will have to head onsite to regain access to the device.  One way to circumvent this problem is by doing the following.
First get to the CLI and type the following command:
reload in 10
This tells the device to reboot in 10 minutes.  Now you have 10 minutes to change the settings you want.  If the settings do not knock out your connectivity and everything is working as expected, then you can simply issue the command:
reload cancel
Now your device will not reload, and you have safely made the changes you needed to make.
However, had you made a change that knocked out network connectivity entirely, or hindered your ability to manage the device (whether through telnet, SSH, ASDM, or whatever), the device will reload after 10 minutes and you’ll be back to the config saved in flash rather than your running config.  This only helps if you do not write the changes to memory before you have confirmed they work.