I was doing a Domain/Exchange/RDS migration for a client this week. He had some macros that he used for printing. Now macros are something I know very little about, so I had made it clear that if he had problems with them I would not be the best person to ask.
So when the call came in that they were having problems with macros I cringed! As it turned out, the problem wasn’t the macros at all, it was the ‘Trust Center’ settings in Word.
Error: Microsoft Office Trusted Location
The remote or network path you have entered is not allowed by your current security settings
Solution
I’m controlling all the Office settings via Group Policy. This is easy to set up, and rather than reinvent the wheel, read the following article if you don’t already have GPOs for Office.
Now that’s complete, you can solve this problem in one of two ways (or both, if you’re a belt-and-braces kind of tech!)
Option 1
As you can see (above), the location the user was trying to add was on a mapped drive (in this case S:), which Word treats as a network location. You can allow that specific path from the following policy;
[box]
User configuration > Administrative Templates > Microsoft Word 2013 > Word Options > Security > Trust Center > Trusted Locations
[/box]
Pick one of the locations and configure it as follows. Bear in mind that macros in a trusted location run without any Trust Center prompt, so keep the path as narrow as possible (the one folder holding the macros, not the whole share) and make sure ordinary users can’t write to it; otherwise anyone who can drop a file in that folder has a silent macro-execution path on every PC that receives the policy.
Option 2
Or simply allow users to add network locations to their own trusted locations list, from the following policy;
[box]
User configuration > Administrative Templates > Microsoft Word 2013 > Word Options > Security > Trust Center > Allow Trusted Locations on the network
[/box]
Enable the policy. This is the broader of the two options: it lets each user trust any network path they like, so Option 1 (a centrally defined, write-restricted location) is the safer choice if you can live with it.
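As an added example (not code from the original post, and not Microsoft’s), here is a small Python model of the decision Word’s Trust Center makes for the two options above, plus an audit of a trusted-locations list of the sort you would push by GPO. The path names, the mapped drive letter S: and the `allow_subfolders` flags are assumptions chosen to match the post; the logic is a model of the documented behaviour, not Word’s own code.

```python
import ntpath
from typing import Dict, Iterable, List

# Added example, not Microsoft's or the original post's code: a model of the
# Trust Center decision for Word trusted locations. Option 2 above is the
# `allow_network_locations` flag; 'Subfolders of this location are also
# trusted' is the per-location `allow_subfolders` flag. The drive letters in
# `mapped_drives` are an assumption about the user's session.


def is_network_path(path: str, mapped_drives: Iterable[str] = ()) -> bool:
    """UNC paths and drive letters mapped to a share both count as 'network' to
    Word; that is why S: in the post tripped the error although it looks local."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):
        return True
    drive, _rest = ntpath.splitdrive(p)
    return drive.rstrip(":").upper() in {d.rstrip(":").upper() for d in mapped_drives}


def is_trusted(doc_path: str, trusted_locations: List[Dict], allow_network_locations: bool,
               mapped_drives: Iterable[str] = ()) -> bool:
    """Would Word run this document's macros without a Trust Center prompt?
    A network location is only honoured when 'Allow Trusted Locations on the
    network' is enabled; otherwise Word refuses the location (the error at the
    top of the post) and the document is treated like any other."""
    mapped = set(mapped_drives)
    doc_dir = ntpath.dirname(ntpath.normpath(doc_path.replace("/", "\\"))).rstrip("\\").lower()
    for loc in trusted_locations:
        root = ntpath.normpath(loc["path"].replace("/", "\\")).rstrip("\\").lower()
        if is_network_path(root, mapped) and not allow_network_locations:
            continue                      # listed, but not allowed: ignored
        if doc_dir == root:
            return True
        if loc.get("allow_subfolders") and doc_dir.startswith(root + "\\"):
            return True
    return False


def audit_trusted_locations(trusted_locations: List[Dict], mapped_drives: Iterable[str] = ()) -> List[str]:
    """The two things worth eyeballing before pushing a list by GPO: a network
    location (anyone who can write to the share can plant a macro that runs
    silently), and a location that trusts every subfolder of a drive or share root."""
    findings = []
    for loc in trusted_locations:
        root = ntpath.normpath(loc["path"].replace("/", "\\"))
        if is_network_path(root, mapped_drives):
            findings.append(f"{root}: network location, needs the policy and a write-restricted share")
        _drive, rest = ntpath.splitdrive(root)
        if loc.get("allow_subfolders") and rest.strip("\\") == "":
            findings.append(f"{root}: trusts every subfolder of a drive/share root")
    return findings
```

The two `is_trusted` calls for the S: path with the policy off and on are the before/after of this post; the audit is what to run over the list you are about to deploy.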
Related Articles, References, Credits, or External Links
I have a love/hate relationship with GNS3. I appreciate that it’s brilliant (when it works). I also appreciate that it’s free, and people put a lot of effort into its development for very little reward. But when I try to do simple things, like connect my projects/labs to the internet, and it’s massively overcomplicated, I get pretty exasperated.
With Windows this is easy (I’ve probably blogged about it before): drag a cloud onto the workbench and connect it to a network card, job done! On a Mac, however, it’s a whole different ball game, as I found out last year when I swapped from Windows to Mac. The documented method of doing this is to use TUN/TAP interfaces, run GNS3 as root and connect things together. But I cannot get this to work at all.
Kudos and credit for this solution goes to my colleague Steve. When I swapped to Mac he was my ‘go-to guy’ for ‘how does this work’ and ‘what’s the Mac equivalent of {insert name of software}’ questions. I could not connect my new Mac GNS3 labs to the internet, so he gave me a VM that did the hard work for me. Despite my efforts to find a better way of doing this, it remains the easiest, simplest solution, and works over wireless/wired connections etc.
Solution
Requirements:
GNS3 (obviously). I’m using version 1.4.4
VirtualBox (this won’t work with VMware Fusion unfortunately, I’ve tried). I’m using version 5.0.16 r105871.
Download the GW1 appliance (link above) and extract the files, then from within Virtualbox > Machine > Add > Locate the extracted GW1 appliance > Open.
Now in GNS3 > Preferences > VirtualBox > VirtualBox VMs > Add > add the GW1 appliance > Edit > give it TWO network cards > ensure ‘Allow GNS3 to use any configured VirtualBox adapter’ is NOT ticked > OK.
Now drag the GW appliance onto your GNS3 work area, and connect to a router (or anything you can configure an IP on). Make sure the appliance is started.
Now back in VirtualBox, look at the NIC settings for the GW1 appliance. The one connected to GNS3 should say ‘Generic Driver’ and ‘UDP Tunnel’. Now manually set the other NIC to be connected to your NAT Network; this network will NAT the VM’s NIC out to the internet connection being used by the Mac (either wired or wireless). Make sure you tick ‘Cable Connected’.
Note: This is why I still use Virtualbox for this, in VMware Fusion any changes you make to the NICs are hijacked by GNS3 when you add and start the VM, with Virtualbox they are not.
You will know when you have the network cards right, as the ‘WAN’ will get an IP from your NAT Network.
Use option ‘6’ and make sure the virtual machine has a good connection to the internet.
Above you can see the appliance has a LAN IP of 192.168.1.1. Back in GNS3 give an IP address on the same range to the device you connected to the virtual appliance.
The network is directly connected, so you should not need to add a static route, I just do this out of habit.
First make sure you can ping the appliance, then make sure you can ping a public IP address.
Troubleshooting
While setting this up you may have to ‘reset the appliance to factory settings’ (option 4), which should re-detect all the interfaces. You may also get the interfaces the wrong way round; ensure the right NIC is presented into GNS3.
Related Articles, References, Credits, or External Links
I have a bunch of VMs that I use with GNS3 that are in VirtualBox. I also run VMware Fusion, and since my upgrade to version 1.4.4 I need to run the GNS3 VM in VMware (I could not get the VirtualBox version to work). So I decided to copy over the remainder of my VMs as well.
Solution
Within Virtualbox > File > Export Appliance.
Select the VM in question > Continue.
Important: Ensure you have selected OVF Version 1.0 (if you use version 2.0 the import won’t work) > Take a note of where the OVA file is going to be saved > Continue.
There’s no need to add anything else unless you want to > Export.
The VM will export (depending on the size this can take a few minutes).
When complete, open VMware Fusion > File > Import.
Browse to, and select the OVA file you just exported > Continue.
Choose a name of the new VM > Save.
Don’t panic! Fusion will complain that the OVA did not pass its OVF specification conformance or virtual hardware compliance checks. This is normal for a VirtualBox export; simply click Retry, which relaxes those checks and imports it anyway.
The VM will import.
Finish.
When you first boot the VM it may be a little sluggish (it’s just had its underlying hardware changed, after all). If it wants to try and install drivers, cancel that and install VMware Tools instead.
Now you can remove the original VM from Virtualbox.
Delete all files.
Related Articles, References, Credits, or External Links
Cisco documentation calls this a ‘DHCP Relay’ and configures it with the ip helper-address command; I usually call it a DHCP helper, just to confuse everyone. To be fair, the term DHCP relay (agent) is an industry standard from the BOOTP/DHCP RFCs, it’s not particular to Cisco (as you will see later when I Wireshark the traffic).
So if you are reading this you have a DHCP server and you want to use it to lease addresses to clients that are on a different network segment (a different VLAN, or a separate routed subnet).
DHCP discovery is a broadcast, and broadcasts don’t cross routers, so you need an agent on the same network segment as the client, listening for DHCP requests. When it receives one it forwards it to the DHCP server as a unicast on the client’s behalf, stamping in the address of the interface it arrived on so the server knows which subnet the request came from, and then passes the server’s reply back to the client.
Solution
Example 1 Cisco Router
Here we need to lease two different DHCP scopes to two different network segments. R1 will act as the IP helper for both of those networks, and R2 and R3 will get their IP addresses from the correct DHCP scope.
This works because each (client-facing) interface on R1 has an IP helper address defined that points to the DHCP server.
So how does it know which scope to lease from? Because the router fills in the RELAY AGENT address (the giaddr field of the DHCP packet) with the IP address of the interface that received the DHCP request, and the DHCP server leases an address from whichever scope contains that address (again, I’ve tracked all this in Wireshark below). It follows that the server needs a route back to that relay address (here via R1’s 10.2.2.254), but does not need to reach the client directly; the relay delivers the offer.
IP-Helper Router Configuration
[box]
R1 Config
!
interface GigabitEthernet0/0
description Uplink to DHCP Server
ip address 10.2.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
description Uplink to 192_168_2_0
ip address 192.168.2.1 255.255.255.0
ip helper-address 10.2.2.10
negotiation auto
!
interface GigabitEthernet3/0
description Uplink to 192_168_3_0
ip address 192.168.3.1 255.255.255.0
ip helper-address 10.2.2.10
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
!
R2 Config
!
interface GigabitEthernet2/0
description Uplink to R1
ip address dhcp
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!
R3 Config
!
interface GigabitEthernet3/0
description Uplink to R1
ip address dhcp
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0
!
[/box]
You can see this works because the DHCP server has matching scopes for both network segments. (Yes, one of my test servers is 2003; you’re going to see some Windows XP in a minute!)
Well, that’s fine for routers, but what about machines? They send a DHCP Discover just like any other client. I’ve replaced one of the routers with an actual machine.
With its network card set to DHCP, you will again get a lease from the correct scope, because the router brokered it for us.
Back on the DHCP server you can see the lease to the Windows XP machine in the current scope leases. It knows the name of the client because (as you will see below) the relay agent (router) passed that information, along with the MAC address of the client, through to the DHCP server untouched: the relay only rewrites the giaddr and hops fields, the client’s own fields and options are left alone.
Example 2 Cisco Switches
OK, I did the routers first because I find it easier to explain things at layer 3. Not that you can’t create sub-interfaces on the router, put those sub-interfaces in VLANs and run DHCP relays from them, but in most cases you will be setting up DHCP helpers on switches. The principle is the same, but you define the helper on the VLAN interface (SVI); if it’s a routed port, treat it the same as a router interface. Let’s modernise things a bit and use a 2012 R2 DHCP server and some Windows 8 clients.
I need to lease addresses from my second scope to clients in VLAN 200. The other client and the server are in the same VLAN, so that will just work (remember a VLAN is a broadcast domain, and DHCP discovery uses broadcasts). Two things the switch config below takes for granted: the switch must be able to reach the DHCP server itself (a layer 3 switch with ip routing enabled and an SVI in VLAN 100, or a route to 192.168.100.0/24, neither of which is shown), and ip helper-address forwards more than DHCP. By default it also relays TFTP, DNS, Time, NetBIOS name/datagram and TACACS broadcasts to the same server, so trim the list with no ip forward-protocol udp <port> if you only want DHCP relayed.
Here’s the two scopes setup on the 2012 server;
And my client, (DHCP Client in VLAN 200) gets the correct IP.
IP-Helper Switch Configuration (VLANS)
[box]
SW1 Config
!
interface FastEthernet1/0/1
description Uplink to DHCP Server
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/4
description Uplink 192_168_200_0
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/5
description Uplink 192_168_100_0
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
ip helper-address 192.168.100.10
!
IF YOU HAVE MULTIPLE/FAILOVER DHCP SERVERS OR SPLIT SCOPES YOU CAN ADD A SECOND
HELPER ADDRESS LIKE SO;
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
ip helper-address 192.168.100.10
ip helper-address 192.168.100.15
!
[/box]
Analysing (Packet-Sniffing) DHCP Relay Sequence with Wireshark
Other packet sniffers are available, but I’ve got a soft spot for Wireshark. To filter DHCP traffic you can use the following display ‘filter’ (in Wireshark 3.0 and later the bootp dissector was renamed, so use dhcp.option.type == 53 there);
bootp.option.type == 53
DHCP works by using four messages, (which I remember using the acronym DORA: Discover, Offer, Request, Acknowledge). If you sniff the traffic on the DHCP server, you can watch this process being brokered by your DHCP Relay Agent.
Discover
Offer
Request
Acknowledge
And just to prove it’s not all ‘smoke and mirrors’, here’s the client with the leased address, showing a matching MAC address, and hostname.
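The relay behaviour described above (the router stamping the relay agent address into the Discover and the server choosing a scope from it), and the fields you would look at in the Wireshark capture, as an added Python example that is not part of the original post and not Cisco’s code. It builds a constructed DHCPDISCOVER for a made-up client (MAC 00:0c:29:aa:bb:cc, hostname XP-CLIENT), applies what ip helper-address on R1 does to it, parses the result and selects the scope the way the server does. The addresses and scopes come from Example 1 above; the client details and the transaction ID are invented.

```python
import ipaddress
import struct
from typing import Dict, Iterable, Optional

# Added example, not Cisco's or Wireshark's code: a minimal DHCP/BOOTP packet
# builder, the relay-agent rewrite that `ip helper-address` performs, and the
# server-side scope selection driven by giaddr. Client MAC/hostname are made up.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MESSAGE_TYPE, OPT_END = 12, 53, 255
DHCPDISCOVER = 1
# Fixed 236-byte header from RFC 2131: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
_HEADER_LEN = struct.calcsize(_HEADER)            # 236
_HOPS_OFF, _GIADDR_OFF = 3, 24                     # byte offsets relay() rewrites


def build_discover(mac: bytes, hostname: str, xid: int = 0x3903F326) -> bytes:
    """A client's DHCPDISCOVER as it leaves the NIC: giaddr 0.0.0.0, hops 0."""
    zero4 = b"\0" * 4
    header = struct.pack(_HEADER,
                         1, 1, 6, 0,                 # BOOTREQUEST, ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,             # xid, secs, broadcast flag set
                         zero4, zero4, zero4, zero4, # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def relay(packet: bytes, relay_ip: str) -> bytes:
    """What the helper does before unicasting the request to the server
    (RFC 1542 4.1.1): bump hops and, only if giaddr is still 0.0.0.0, stamp in
    the receiving interface's address. A second relay must leave it alone."""
    buf = bytearray(packet)
    if buf[_HOPS_OFF] >= 16:
        raise ValueError("hops over the RFC 1542 limit, a relay would discard this")
    buf[_HOPS_OFF] += 1
    if buf[_GIADDR_OFF:_GIADDR_OFF + 4] == b"\0\0\0\0":
        buf[_GIADDR_OFF:_GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(buf)


def parse(packet: bytes) -> Dict[str, object]:
    """Pull out the fields the server (and Wireshark) keys on."""
    (op, _htype, hlen, hops, xid, _secs, _flags,
     _ci, _yi, _si, giaddr, chaddr, _sname, _file) = struct.unpack(_HEADER, packet[:_HEADER_LEN])
    if packet[_HEADER_LEN:_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not a DHCP packet")
    options: Dict[int, bytes] = {}
    i = _HEADER_LEN + 4
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                           # pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "message_type": options.get(OPT_MESSAGE_TYPE, b"\0")[0],
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", errors="replace"),
        "options": options,
    }


def select_scope(giaddr: str, scopes: Iterable[str], server_ip: str) -> Optional[ipaddress.IPv4Network]:
    """Server side: giaddr 0.0.0.0 means the broadcast arrived directly, so lease
    from the scope covering the server's own interface; otherwise from the scope
    containing the relay agent's address. None means no matching scope, no lease."""
    key = ipaddress.IPv4Address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for scope in scopes:
        net = ipaddress.IPv4Network(scope)
        if key in net:
            return net
    return None
```

Relaying a packet that already carries a giaddr leaves it untouched, which is why a chain of relays still leases from the scope of the first hop the client touched.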
Related Articles, References, Credits, or External Links
If you try and change a ports status, to make it a trunk port, you may see this error;
[box]
Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
[/box]
Trunk Settings
I don’t know if this is a throwback to when we had ISL trunking and 802.1Q, but you need to specify the encapsulation before you can specify a trunk. Switches that support both ISL and 802.1Q default the encapsulation to ‘negotiate’ (the ‘Auto’ the error complains about), so it has to be pinned to dot1q first; platforms that only do 802.1Q don’t have the encapsulation command at all. While you are on the interface, switchport nonegotiate stops the port sending DTP frames, which you generally want on a trunk whose far end is fixed.
[box]
Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
Petes-Switch(config-if)#switchport trunk encapsulation dot1q
Petes-Switch(config-if)#switchport mode trunk
Petes-Switch(config-if)#
[/box]
Related Articles, References, Credits, or External Links
It’s been such a long time since I touched any backup software. I set up Arcserve UDP this week for a client to back up their servers to a NAS drive; then they wanted to back that data off to tape for an offsite backup.
I installed Arcserve no problem; it looks much the same as it did last time I used it. When I expanded the server name only the local drives were shown, and as I only had a basic licence, adding the NAS drive was not an option.
Solution
A quick call to the boys in the data center who look after all our backups pointed me in the right direction. Instead of adding the mapped drive letter, you simply add the UNC path to the share as a “Preferred Shared/Machines” source.
Related Articles, References, Credits, or External Links
This takes ages! Seriously, if it’s late in the afternoon you might want to do this tomorrow morning, or leave the re-imaging running overnight. (Remember, if you set the FirePOWER module to ‘fail-closed’, traffic will stop while the module is down and you will lose internet access, so you might want to change that to ‘fail-open’ first, accepting that traffic passes uninspected while the module is rebuilt.)
The process is a LOT EASIER to do in the ASDM. I’m not usually an advocate of the GUI, but if you can access the FirePOWER settings that way, it will do all the hard work for you (see below).
Note: the ASDM upgrade will fail if the module is being managed by the FirePOWER Management Center (FireSIGHT); either update it from there, or remove the peer association and then update it.
Normally I only have to do this if something’s gone wrong and I can’t contact the module, or I’ve got a lot of them to do and I don’t have direct management access. This process works on the ‘baby ASAs’, i.e. the 5506-X and 5508-X, and also on the larger models, i.e. 5512-X upwards (but NOT the 5585-X, which has a hw-module, not a sw-module).
Solution
Before you start you need three things;
A Boot Image file (i.e. asasfr-5500x-boot-6.0.0-1005.img), downloaded from Cisco.
A FirePOWER Software Package (i.e. asasfr-sys-6.0.0-1005.pkg); this is a BIG file (over a gigabyte), downloaded from Cisco.
A web (HTTP) server that both the firewall and the module can reach, hosting those two files (in the examples below it is 10.3.0.84).
First check the state of the module as it is now;
[box]
Petes-ASA(config)# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER UP 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr UP Sys Not Applicable
Petes-ASA(config)#
[/box]
Download the boot image from your web server into the flash memory of the parent firewall. Check the file’s checksum against the value Cisco publishes on the download page before you boot from it (verify /md5 disk0:/filename on the ASA); the ‘INFO: No digital signature found’ line below means the ASA has not checked this file for you. The filenames in the boxes below come from several different runs of this procedure, hence the mix of 6.0.0, 6.3.0 and 6.4.0; use the name of the file you actually downloaded throughout.
[box]
Petes-ASA(config)# copy http flash
Address or name of remote host []? 10.3.0.84
Source filename []? asasfr-5500x-boot-6.3.0-3.img
Destination filename [asasfr-5500x-boot-6.0.0-1005.img]? {Enter}
Accessing http://10.3.0.84/asasfr-5500x-boot-6.3.0-3.img...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asasfr-5500x-boot-6.3.0-3.img...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
41848832 bytes copied in 5.20 secs (8369766 bytes/sec)
[/box]
Then set that file as the boot image for the sourcefire module, and tell the module to perform a ‘recovery boot’.
[box]
Petes-ASA(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
Petes-ASA(config)# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.
Recover module sfr? [confirm]{Enter}
Recover issued for module sfr.
[/box]
Now it looks like nothing is happening, but the SFR module will restart with the recovery/boot image. You can see a little of what’s going on if you enable module boot debugging on the firewall;
[box]
Petes-ASA(config)# debug module-boot
debug module-boot enabled at level 1
IF YOU LOOK AT THE MODULES STATUS IT WILL SAY 'RECOVER'
Petes-ASA(config)# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Not Applicable 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
SAMPLE DEBUG OUTPUT
Mod-sfr 657> *** EVENT: Disk Image created successfully.
Mod-sfr 658> *** TIME: 07:05:36 GMT/BST Mar 1 2016
Mod-sfr 659> ***
Mod-sfr 660> ***
Mod-sfr 661> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0
Mod-sfr 662> /asasfr-5500x-boot-6.4.0-1.img, Num CPUs: 3, RAM: 2266MB, Mgmt MAC: 00:F2:8B:FB
Mod-sfr 663> :FB:C7, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio,
Mod-sfr 664> De
Mod-sfr 665> ***
<—Output Removed for the Sake of Brevity—>
Mod-sfr 50> Starting Advanced Configuration and Power Interface daemon: acpid.
Mod-sfr 51> acpid: starting up with proc fs
Mod-sfr 52> acpid: opendir(/etc/acpi/events): No such file or directory
Mod-sfr 53> starting Busybox inetd: inetd... done.
Mod-sfr 54> Starting ntpd: done
Mod-sfr 55> Starting syslogd/klogd: done
[/box]
This would be a good time to go and get a coffee. It doesn’t take that long (the Cisco documentation says 5 minutes; I’d wait at least 10). You then need to log in to the SFR module and give it a basic config. The boot image’s default credentials are admin / Admin123 for everyone, so put the module’s management interface on a network you control; the password is changed for real once the full software is installed (see further down);
[box]
Petes-ASA(config)# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco FirePOWER Services Boot Image 6.4.0
asasfr login: admin
Password: Admin123
Cisco FirePOWER Services Boot 6.4.0 (1)
Type ? for list of commands
asasfr-boot>setup
Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asasfr]: Firepower-Module
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.253
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.254
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.10
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Firepower-Module
Management Interface Configuration
IPv4 Configuration:static
IP Address:192.168.1.253
Netmask:255.255.255.0
Gateway:192.168.1.254
IPv6 Configuration:Stateless autoconfiguration
DNS Configuration:
Domain:petenetlive.com
Search:petenetlive.com
DNS Server:192.168.1.10
NTP configuration: 194.35.252.7 130.88.202.49 93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...{Enter}
[/box]
Now you can install the software package on the SFR module. Note: the URL has TWO forward slashes in it, not one (Cisco, update your documentation!)
UPDATE: (Thanks to Eli Davis) To avoid having to wait and confirm the following step, use the ‘noconfirm’ keyword, i.e. “system install noconfirm http://10.3.0.84/asasfr-sys-6.0.0-1005.pkg”.
WARNING: You might want to set the SSH idle timeout on the ASA to 45 minutes before you do this (ssh timeout 45 in config mode), or it will keep logging you out while you are waiting! The package is fetched over plain HTTP, which is another reason to serve it from a web server on your own management network rather than anything reachable from the internet.
[box]
asasfr-boot>system install noconfirm http://10.3.0.84/asasfr-sys-6.4.0-102.pkg
Verifying. ..
Downloading. ..
Extracting. ..
Package Detail
Description:Cisco ASA-SFR 6.4.0-102 System Install
Requires reboot:Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
<——Output Removed for the Sake of Brevity——>
Mod-sfr 61> login: [ 2498.828291] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 G
Mod-sfr 62> B/3.00 GiB)
Mod-sfr 63> [ 2498.832675] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 64> [ 2498.835298] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't
Mod-sfr 65> support DPO or FUA
Mod-sfr 808> ************ Attention *********
Mod-sfr 809> Initializing the configuration database. Depending on available
Mod-sfr 810> system resources (CPU, memory, and disk), this may take 30 minutes
Mod-sfr 811> or more to complete.
Mod-sfr 812> ************ Attention *********
Mod-sfr 813> Executing S10database
Console session with module sfr terminated.
[/box]
It may take 30 minutes! I waited 45, then drove 8 miles home, reconnected, and it was still going (it’s a lot faster on the larger firewalls). Just keep an eye on the status; it will change from ‘Recover’ to ‘Up’ when it’s complete.
[box]
Petes-ASA(config)#show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr Unknown N/A JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
WAIT AGES UNTIL...
Petes-ASA# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.4.0-102
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
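Rather than re-reading show module by eye every few minutes, this added Python example (not Cisco’s code, and not from the original post) parses the output and reports whether the sfr module is back. The two sample outputs embedded in it are the ‘Recover’ and ‘Up’ outputs from the boxes above, reduced to the lines the parser uses; in practice you would feed it the text of your own show module captured from an SSH session.

```python
import re
from typing import Dict, Optional

# Added example, not Cisco's code: parse the ASA's `show module` output and tell
# you whether the sfr module has come back 'Up' after `sw-module module sfr
# recover boot`. The samples are the page's own outputs, trimmed.

RECOVERING = """\
Mod Card Type Model Serial No.
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr Unknown N/A JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A
Mod SSM Application Name Status SSM Application Version
Mod Status Data Plane Status Compatibility
1 Up Sys Not Applicable
sfr Recover Not Applicable
"""

DONE = """\
Mod Card Type Model Serial No.
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod SSM Application Name Status SSM Application Version
sfr ASA FirePOWER Up 6.4.0-102
Mod Status Data Plane Status Compatibility
1 Up Sys Not Applicable
sfr Up Up
"""

# The application row: "sfr ASA FirePOWER <status words> <version>"; the status
# can be more than one word ("Not Applicable" while it is rebuilding).
_APP_ROW = re.compile(r"^sfr\s+ASA FirePOWER\s+(?P<status>.+?)\s+(?P<version>\S+)\s*$")


def parse_show_module(text: str) -> Dict[str, Optional[str]]:
    """Walk the tables in `show module`, keyed by their 'Mod ...' header lines,
    and pick the sfr row out of the two tables that matter."""
    result: Dict[str, Optional[str]] = {
        "status": None, "data_plane": None, "app_status": None, "app_version": None}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mod "):          # a table header, e.g. "Mod Status Data Plane Status ..."
            section = line
            continue
        if not line.startswith("sfr"):
            continue
        if section.startswith("Mod Status"):
            cols = line.split()                # e.g. ['sfr', 'Recover', 'Not', 'Applicable']
            result["status"] = cols[1] if len(cols) > 1 else None
            # third column is Data Plane Status unless it is the start of "Not Applicable"
            result["data_plane"] = cols[2] if len(cols) > 2 and cols[2] != "Not" else None
        elif section.startswith("Mod SSM Application Name"):
            m = _APP_ROW.match(line)
            if m:
                result["app_status"] = m.group("status")
                result["app_version"] = m.group("version")
    return result


def reimage_complete(text: str) -> bool:
    """True once the module and the FirePOWER application both report Up."""
    info = parse_show_module(text)
    return (info["status"] or "").lower() == "up" and (info["app_status"] or "").lower() == "up"
```

While the module is still in ‘Recover’ there is no application row at all, so a check on the module status alone is not enough; the predicate wants both rows to say Up.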
Now you need to connect to the SFR and configure it (yes, again). This is where the admin password is set for real, so pick a strong one; the Password123 below is just a placeholder.
[box]
Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v6.0.0 (build 1005)
firepower login: admin
Password: Admin123
Last login: Tue Mar 1 10:08:16 UTC 2016 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.4.0 (build 102)
Cisco ASA5506 v6.0.0 (build 1005)
Last login: Tue Mar 1 10:01:01 UTC 2016 on cron
Last login: Tue Mar 1 10:08:16 UTC 2016 on pts/0
You must accept the EULA to continue.
Press <ENTER> to display the EULA: {Enter}
END USER LICENSE AGREEMENT
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY
IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT
FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT
(COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END USER FOR THE
--Output Removed for the Sake of Brevity - Press Space Bar (A LOT!)--
Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.123
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.1.254
Enter a fully qualified hostname for this system [firepower]: Firepower-Module
Enter a comma-separated list of DNS servers or 'none' []: 192.168.1.10
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Creating default Identity Policy.
Creating default SSL Policy.
Update policy deployment information
- add device configuration
- add network discovery
- add system policy
- add access control policy
- applying access control policy
You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.
When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'
However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
> exit
Remote card closed command session. Press any key to continue.
Command session with module sfr terminated.
Petes-ASA#
[/box]
Back at the firewall prompt make sure you can ping it, (you did put a cable in the management interface didn’t you?)
[box]
Petes-ASA# ping 192.168.1.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Petes-ASA# wr mem
Building configuration...
Cryptochecksum: 6bcde85c dc7a074d 8e22978c 0620c211
7149 bytes copied in 0.350 secs
[OK]
Petes-ASA#
[/box]
A colleague was having some certificate problems onsite the other week. Someone suggested just using Certificate Services to simplify matters. I said I’d spin it up and configure it for him, (I’ve done a lot of Microsoft CA work, search the site!)
My first question was, “Do they already have certificate services?” and unsurprisingly the answer was “I don’t know”.
So if you’re on a domain, and you want to locate your CA server, or simply find out if you have one, what do you do?
Solution
The simplest option is look in Active Directory Users and Computers, then locate the ‘Cert Publishers’ group and look at its members.
Or you can run adsiedit.msc and browse to CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC={domain-name},DC={domain-extension}. That container holds the CA certificates; the neighbouring CN=Enrollment Services container lists each enterprise CA together with the name of the server it runs on.
Easy Option: If you’re lazy (like me!), simply run the following command; it looks up the enrollment services published in the domain and pings each CA it finds;
[box]
certutil -config - -ping
[/box]
If you don’t have any CAs, this is what you will see;
But if you do (below there is one, but there may be many);
Related Articles, References, Credits, or External Links
If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error;
Error
Installation Failed: Peer registration in progress.
Please retry in a few moments
I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center appliance, and the process failed (because the versions were different). So when I attempted to update the firewall’s sfr module to match, it then failed because it was waiting to register with the management center (Catch 22).
Solution
Essentially you need to ‘kill’ the registration, perform the upgrade, and then attempt to add it as a managed device again. You can do this from within the ASDM: Configuration > ASA FirePOWER Configuration > Integration > Remote Management > locate the registration and ‘Delete’.
Usually it says it ‘failed’; I’m assuming it’s referring to the peer registration itself, because it does get removed.
You can then attempt to do the upgrade (which takes ages, by the way!)
Note: I’ve also found you need to manually restart the sfr module when it’s complete. The upgrade takes ages on small firewalls like the 5506-X and is a bit quicker on larger firewalls like the 5515-X, but I would still leave the update running overnight and restart the module in the morning.
Related Articles, References, Credits, or External Links