Connecting to and Managing Cisco Firewalls

Also see “Cisco ASA – Allow Remote Management”

KB ID 0000075

Problem

To connect to and manage a Cisco firewall you need three things,

  1. To be in possession of a password, (and in some cases a username).
  2. Have that ‘Method of Access’ granted to you (or have physical access to the firewall).
  3. Know a ‘Method of Access’ to the firewall for management.

Cisco Firewall Passwords

Unless your firewall is brand new (in which case the passwords will either be {blank} or cisco), to access a Cisco firewall you will need a password, (this stands to reason it is a security device after all!).

Cisco Firewall Usernames

As for usernames, with a few exceptions, you do not USUALLY need a username. Those exceptions being:

  1. Access via SSH needs a username (before version 8.4 you could use the username pix, and the Telnet password, this no longer works).
  2. If you have set up authentication to be done by AAA.

Cisco Firewall Forgotten Password Recovery

If you do not know the password then you need to perform some password recovery.

Cisco ASA – Methods of Access.

1. Console Cable: This uses the rollover cable that came with the firewall. They are usually pale blue in colour, and the more modern ones have a moulded serial socket on them. The older ones have a grey network-to-serial converter that plugs on the end. Access is via some Terminal Emulation Software, e.g. PuTTy or HyperTerminal. This method of access is enabled by default, but requires physical access to the device’s console port.

2. Telnet: This simply allows connection via a telnet client; all versions of Windows have one, though Microsoft have done a good job of hiding it in Windows 7. You can also use PuTTy, HyperTerminal, or another third party telnet client. This is considered the LEAST SECURE method of connection (passwords are sent in clear text). On a new firewall the telnet password is usually set to cisco (all lower case).

3. Web Browser: (How the vast majority of people access the firewall). The age and version of the firewall dictates which “Web Server” you are connecting to: devices running Version 7 and above use the “Adaptive Security Device Manager” (ASDM). Cisco firewalls running an operating system of version 6 and below use the “PIX Device Manager” (PDM). Both the ASDM and the PDM have a similar look and feel, and both require you to have Java installed and working.

4. SSH: Secure Shell: This is sometimes called “secure telnet” as it does not send passwords and usernames in clear text. It requires you to supply a username and a password. Firewalls running an OS older than 8.4 can use the username pix and the telnet password. From version 8.4 you need to enable AAA authentication and have a username and password set up for SSH access.

5. ASDM Client software: (Version 7 firewalls and above). You will need to have the software installed on your PC for this to work (you can download it from the firewall’s web interface, or install from the CD that came with the firewall).
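The article lists five ways onto the firewall, and singles out Telnet as the least secure. The following PowerShell function is an added example (not from the original article) that a firewall administrator can run from the management workstation to see which of the network-facing management methods the firewall actually answers on, and to flag a listening Telnet service. It only makes plain TCP connections with a timeout; the firewall address `192.0.2.1` is an assumed placeholder.

```powershell
# Added example, not part of the original article. Checks which of the
# management paths described above a firewall answers on from this
# workstation, and flags Telnet (clear text) if it is listening.
# $FirewallIp is a placeholder; use your firewall's management (inside) address.
function Test-FirewallManagementPorts {
    param(
        [Parameter(Mandatory)] [string] $FirewallIp,
        [int] $TimeoutMs = 2000
    )
    # Port -> access method, as listed in the article.
    $methods = @(
        @{ Port = 23;  Method = 'Telnet (clear text, least secure)' },
        @{ Port = 22;  Method = 'SSH' },
        @{ Port = 443; Method = 'HTTPS (web browser / ASDM)' }
    )
    foreach ($m in $methods) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Plain TCP connect with a timeout; no protocol data is sent.
            $ar   = $client.BeginConnect($FirewallIp, $m.Port, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Port   = $m.Port
            Method = $m.Method
            Open   = $open
            Note   = if ($m.Port -eq 23 -and $open) {
                         'Telnet is listening: restrict or disable it and use SSH/ASDM'
                     } else { '' }
        }
    }
}

Test-FirewallManagementPorts -FirewallIp '192.0.2.1' | Format-Table -AutoSize
```

A port that is closed from your subnet is not necessarily disabled on the firewall; the `telnet`, `ssh` and `http` statements in the ASA configuration restrict by source address, so run the check from the networks you expect to be allowed and from one you expect to be blocked.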

Cisco ASA Remote Management via VPN

Even if you allow traffic for a remote subnet, there are additional steps you need to take to allow either a remote client VPN session, or a machine at another site that’s connected via VPN. Click here for details.

Solution

Connecting to a Cisco Firewall Using a Console Cable

Obviously before you start you will need a console cable; you CAN NOT use a normal network cable OR a crossover cable, as they are wired differently! They are wired the opposite way round at each end, which is why some people (and some documentation) refer to them as rollover cables. They are usually pale blue (or black). Note: if you find your console cable is too short you can extend it with a normal network cable coupler and a standard straight-through network cable.

On each end of the console cable the wiring is reversed.

Old (Top) and New (Bottom) versions of the Console Cable.

Note: If you don’t have a serial socket on your PC or Laptop you will need a USB to Serial converter (this will need a driver installing to add another COM Port to the PC).


Option 1 Using PuTTY for Serial Access.

1. Connect your console cable, then download and run PuTTy. (I’m assuming you are using the COM1 socket on your machine, if you have multiple serial sockets then change accordingly).

2. By default PuTTy will connect with the correct port settings, if you want to change the settings see the option I’ve indicated below. Simply select Serial and then ‘Open’.

3. You will be connected. (Note: The password you see me entering below is the enable password).

Option 2 Using HyperTerminal for Serial Access

1. Connect your console cable, then download, install and run HyperTerminal. (Note: With Windows XP and older it’s included with Windows, look in > All Programs > Communications). Give your connection a name > OK.

2. Change the ‘Connect Using’ option to COM1 > OK.

3. Set the connection port settings from top to bottom, they are, 9600, 8, None, 1, None > Apply > OK.

4. You will be connected. (Note: The password you see me entering below is the enable password).

Connecting to a Cisco Firewall via Telnet

To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via a console cable. Note: Windows 7/2008/Vista need the Telnet client added as a Windows feature first.

Option 1 Use Windows Telnet Client for Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Start.

2. In the search/run box type cmd {enter}.

3. Execute the telnet command followed by the IP address of the firewall.

Windows – ‘Telnet’ is not recognized as an internal or external command

4. Enter the telnet password (default password is cisco).

Option 2 Use PuTTy for Telnet Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.

2. Select Telnet > Enter the IP address of the firewall > Open.

3. Enter the telnet password (default password is cisco).

Option 3 Use HyperTerminal for Telnet Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Launch HyperTerminal.

2. Give the connection a name > OK.

3. Change the ‘Connect using’ section to TCP/IP (Winsock) > Enter the IP address of the firewall > OK.

4. Enter the telnet password (default password is cisco).

Connect to a Cisco Firewall via Web Browser

To connect via Web Browser, the firewall’s internal web server needs to be enabled in the firewall configuration, and the IP address of the machine you are on (or the network it is in) also needs to be allowed. If you cannot connect from your web browser you will need to establish a console cable connection.

Also to access via this method you need to know the firewall’s “Enable Password”. If you use a proxy server then you will need to remove it from the browser settings while you carry out the following. Ensure also that you have Java installed and working.

1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.

2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.

3. Click “Run ASDM” (older versions say ‘Run ASDM Applet’). (Note: for information on the other option, ‘Install ASDM launcher…’, see connecting via ASDM below.)

The Startup Wizard is for setting up a new firewall, I don’t recommend you ever use this unless you follow this guide.

4. You might receive a few Java warning messages, answer them in the affirmative.

5. Run.

6. Enter the ‘Enable’ password > OK.

7. You will be connected.

Connecting to a Cisco Firewall via SSH

To connect via SSH the IP address of the PC you are on (or the network it is in) needs to have been allowed SSH access in the firewall’s configuration. You will also need an SSH client; I prefer PuTTy because it’s free and works.

Note: After version 8.4 you can only access the Cisco ASA using AAA authentication, see here. Prior to version 8.4 you can use the username of ‘pix’ and the firewall’s telnet password.

1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.

2. Tick SSH > enter the IP address of the firewall > Open.

3. The first time you connect you will be asked to accept the certificate > Yes.

4. You will be connected; supply the username and password configured for AAA access (or username pix and the telnet password if you are on a version older than 8.4).

Connecting to a Cisco Firewall via ASDM Client Software

As the name implies you need a v7 (or newer) firewall running ASDM for this to work 🙂 Essentially this is just a “Posh” front end for the firewall’s internal web server, so the same rules apply: the http server must be enabled, and the PC you are on (or the network it’s in) needs to be allowed https access to the firewall. Also you will need to know the enable password.

1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.

2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.

3. Select ‘Install ASDM Launcher and Run ASDM’.

4. The username is usually blank (unless you are using AAA), and you will need to enter the enable password.

5. Run (or save if you want to install manually later).

6. Accept all the defaults.

7. The ASDM, will once again ask for the password. (By default it will place a shortcut on the desktop for the next time you need to access the firewall).

8. The ASDM will launch and you will be connected.

Connecting to a Cisco Firewall via PIX Device Manager

1. Open your web browser and navigate to the following,

https://{inside IP address of the firewall}

Note if you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”.

IE6 Users will see this instead

2. If Prompted leave the username blank, and the password is the firewall’s enable password.

Note if you are using AAA you might need to enter a username and password.

3. You will see this.

4. You might receive a few Java warning messages, answer them in the affirmative; on some newer versions of Java you may also need to enter the password a second time.

5. The PDM opens. You are successfully connected.

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Manage your firewall from your Windows Mobile device

Cisco ASA 5500 – Remote Management via VPN

Originally Written 09/11/09

VMware: Creating a Storage Encryption Policy

KB ID 0001471

Problem

This is essentially part-two of deploying encrypted virtual machines, in a vSphere VMware (6.5 and above) environment. Back in part-one we deployed a KMS server and registered it with vCenter. Now we will create a storage policy that enforces encryption, then apply that policy to a virtual machine.

Solution

While logged into vCenter > Home > Policies and Profiles > VM Storage Policies > Create VM Storage Policy > Give it a name > Next.

Next.

Add > Encryption. Note: On some versions of vCenter, Select Encryption > Custom.

Accept the defaults > Next.

Untick “Use rule-sets in the storage policy” > Next.

This just shows you which ‘Datastores’ are compatible (it’s not going to encrypt them, or format them, or anything!) > Next.

Finish.

Apply an Encryption Storage Policy to a VM

There are a couple of ways to do this. Before you start, make sure the VM is in a compatible Datastore > Right click the (powered off) VM > VM Policies > Edit VM Storage Policies > Select VM Home (to encrypt the entire VM), or the individual disks (to encrypt them only) > Change the policy to the encrypted one you just created > OK.

Or to encrypt the drives manually > Right Click the VM > Edit Settings > Expand the hard drive > VM Storage Policy > Change the policy to the one you created above. (Note: this only encrypts the drives, NOT the entire VM).

Check Virtual Machine Encryption

If a VM is encrypted then it will tell you on its ‘Virtual Hardware‘ tab, you will also notice that encrypted drives have a small ‘padlock’ over them.

Additionally: Under VM Options, you will notice that Encrypted vMotion is now set to ‘Required‘.

You can also tell at a glance from the virtual machines ‘Summary tab‘.

Things You Need To Know About Encrypted Virtual Machines

  • To encrypt a VM it must be Powered off.

The attempted operation cannot be performed in the current state (“Powered On”).

  • To encrypt a VM it must have No Snapshots.

Invalid virtual machine configuration.
Cannot change encryption state with virtual machine snapshots present.

  • Fault Tolerance is Not Supported.

Unsupported virtual machine configuration for Fault Tolerance

  • vSphere replication is Not Supported.
  • Cloning Is Supported, but the cloned VM has the same encryption keys as the source.
  • Snapshots Are Supported, but you will see the following error if you attempt to snapshot an encrypted VM.

The virtual machine is encrypted and guest memory cannot be saved.

You need to untick ‘Snapshot the virtual machine’s memory’.

  • You can’t ‘Suspend’ an encrypted virtual machine.

The virtual machine is encrypted and cannot be suspended. Failed to suspend the virtual machine. Incorrect virtual machine state.

  • You cannot export an encrypted virtual machine to OVF file.

Provider method implementation threw unexpected exception: %s VapiStructureProxy.cause
The operation failed due to the operation is not supported on the object
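The ‘Check Virtual Machine Encryption’ section above uses the vSphere client, and the list of restrictions gives the conditions (powered off, no snapshots, no Fault Tolerance) that block applying the policy. The following PowerCLI report is an added example, not part of the article, that checks all of these across the inventory in one pass. It assumes VMware PowerCLI is installed and that you have already run `Connect-VIServer` against a vCenter 6.5 or later; the property names used (`Config.KeyId`, `Config.MigrateEncryption`, the per-disk `Backing.KeyId`, `Runtime.FaultToleranceState`) are the vSphere API ones.

```powershell
# Added example, not from the article. Reports each VM's encryption state and
# the conditions the article lists as prerequisites or restrictions.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
Import-Module VMware.VimAutomation.Core

function Get-VMEncryptionReport {
    param([string] $Name = '*')
    foreach ($vm in Get-VM -Name $Name) {
        $cfg     = $vm.ExtensionData.Config
        $runtime = $vm.ExtensionData.Runtime
        # Config.KeyId is populated once 'VM Home' has been encrypted.
        $homeEncrypted = ($null -ne $cfg.KeyId)
        # An encrypted VMDK carries a KeyId in its backing; count those.
        $encryptedDisks = @($cfg.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualDisk] -and $null -ne $_.Backing.KeyId }).Count
        $snapshots = @(Get-Snapshot -VM $vm).Count
        [pscustomobject]@{
            Name             = $vm.Name
            PowerState       = $vm.PowerState
            VMHomeEncrypted  = $homeEncrypted
            EncryptedDisks   = $encryptedDisks
            EncryptedVMotion = $cfg.MigrateEncryption   # becomes 'required' on an encrypted VM
            Snapshots        = $snapshots
            FTState          = $runtime.FaultToleranceState
            # The article's preconditions for changing the encryption state:
            # powered off, no snapshots, Fault Tolerance not configured.
            CanChangeEncryption = ($vm.PowerState -eq 'PoweredOff' -and
                                   $snapshots -eq 0 -and
                                   $runtime.FaultToleranceState -eq 'notConfigured')
        }
    }
}

Get-VMEncryptionReport | Format-Table -AutoSize
```

`VMHomeEncrypted` false with `EncryptedDisks` greater than zero is the state you get from the ‘Edit Settings’ route described above (drives only, not the whole VM).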

Related Articles, References, Credits, or External Links

NA

VMware vSphere Virtual Machine Encryption

KB ID 0001470

Problem

Other than learning this for an exam, I’ve never had to deploy this in anger. So when I heard we had a customer at work who wanted to take a look at it I was quite keen to take a look.

To encrypt a VM you need to have an additional KMS (Key Management Server), which VMware do not provide. They do provide a list, so there’s no point me posting a list that will be out of date in a couple of weeks. Our client expressed a preference for HyTrust, so that’s what I ran with.

WARNING: You need vCenter 6.5 or above to do VM encryption.

Deploy HyTrust KMS Server

At time of writing the current version is 4.2.1; you can get a 60 day trial if you want to give it a test.

Pull down the appliance and deploy the OVF into your environment;

VMware vSphere – How to Import and Export OVF and OVA Files

Go get a coffee, when deployed, connect to the console set a console password, and follow the instructions until it tells you to connect via a browser.

Connect via a browser (default username and password is secroot), change the password when prompted, and proceed to KMIP. By default the service is disabled, so enable it. (Take note of the port number, 5696, you will need this later!)

Client Certificates > Action > Create Certificate > Give it a name, and leave the password section blank.

Actions > Download certificate > Save the Zip file, if you open it you will find two PEM files, (you only actually need the one that has the same name as you used above).

Over on your vCenter > Select the vCenter > Configure > Key Management Servers > Add.

Supply a name, the IP address of the appliance, and the port number > OK > Yes.

Trust.

Select the KMS > Establish trust with KMS.

Upload a certificate and private key > OK.

Paste in the SAME PEM FILE into both top and bottom windows. (The one with the name you chose, and downloaded earlier) > OK.

If you have done everything right all the status lights should ‘go green’.

You can now create a VM Storage Encryption Policy. (Well you can create one first, but without a KMS server, nothing will get encrypted).

Part Two: VMware: Creating a Storage Encryption Policy

Related Articles, References, Credits, or External Links

NA

PowerShell: Bulk Enable / Disable Users

KB ID 0001469

Problem

I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.

Disable Domain Users in Bulk from CSV

Well firstly, you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here for testing I just loaded a few in manually;

Then execute the following two commands;

[box]

Import-Module ActiveDirectory 

Import-Csv -Path "C:\Temp\Users-To-Disable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $false}

[/box]

Let’s have a quick check, and sure enough they are disabled.

Enable Domain Users in Bulk from CSV

To re-enable them, we just need to change one word in the command, (from false to true).

[box]

Import-Module ActiveDirectory 

Import-Csv -Path "C:\Temp\Users-To-Enable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $true}

[/box]

A quick refresh and our users are enabled again!
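The one-liners above do the job, but on a live run you normally want to know which rows were not found, which accounts were already in the requested state, and to have a record of what changed. The function below is an added example (not the article’s own script) that wraps both the disable and enable cases: each SamAccountName is looked up first, the outcome is written to a log CSV, and `-WhatIf` lets you rehearse. It assumes the same CSV layout as the article, with a `User-Name` column of SamAccountNames.

```powershell
# Added example, not the article's script. CSV-driven bulk enable/disable
# with per-account lookup, a log file and -WhatIf support.
# Assumes a CSV with a 'User-Name' column containing SamAccountNames.
Import-Module ActiveDirectory

function Set-BulkUserEnabled {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [bool]   $Enabled,
        [string] $LogPath = "$CsvPath.log.csv"
    )
    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.'User-Name'.Trim()
        try {
            $user = Get-ADUser -Identity $sam -ErrorAction Stop
            if ($user.Enabled -eq $Enabled) {
                $status = 'AlreadyInState'
            } elseif ($PSCmdlet.ShouldProcess($sam, "Set Enabled=$Enabled")) {
                Set-ADUser -Identity $user -Enabled $Enabled -ErrorAction Stop
                $status = 'Changed'
            } else {
                $status = 'Skipped'   # -WhatIf, or the operator answered No
            }
        } catch {
            # Typically ADIdentityNotFoundException for a typo in the CSV.
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ When = Get-Date; User = $sam; Enabled = $Enabled; Status = $status }
    }
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results
}

# Rehearse first, then run for real (swap $false for $true to re-enable):
Set-BulkUserEnabled -CsvPath 'C:\Temp\Users-To-Disable.csv' -Enabled $false -WhatIf
Set-BulkUserEnabled -CsvPath 'C:\Temp\Users-To-Disable.csv' -Enabled $false | Format-Table -AutoSize
```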

Related Articles, References, Credits, or External Links

NA

Exchange and the LegacyExchangeDN Problem

KB ID 0001468

Problem

Why do we have the Exchange LegacyDN? It’s a throwback, from a time when we had our users, and our mail users in different databases. Below you can see the ExchangeLegacyDN for this Exchange on-premises user;

/O=First Organisation/OU=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn={something-user-specific}

Who cares? Well, they are still important: if you send an internal email (to someone in the same Exchange Organisation), Exchange uses this address, NOT the SMTP address you would expect. Also Microsoft Outlook has a habit of caching this address and NOT the SMTP address. Normally this is not a problem, UNTIL you migrate your mail somewhere else; then the internally cached LegacyExchangeDN addresses are incorrect. (See error message below).

How Does Migrating To Office 365 Handle This?

If you do a Hybrid Exchange Migration with Azure AD sync, this is all ‘fixed’ in the background for you. When you first get your AD user ‘synced’ (i.e. before you migrate the mailbox) you get an X500 address that’s just used in O365.

Then once the mailbox is migrated the users gets the ExchangeLegacyDN copied across as an additional X500 Address.

In fact, if you repeat the command we ran at the very start, you will see the on-prem user no longer has a LegacyExchangeDN.

Note: As pointed out, (below) you can run ‘Get-Remotemailbox “Pete Long” |  FL LegacyExchangeDN‘ to locate mailboxes not hosted on the mail server you are working on.

LegacyExchangeDN Problems

You will see problems ‘Post Migration‘ to another domain, to a newer version of Exchange, or if you use a third party tool, to migrate your users to Office 365, (which is just another domain to be honest).

If your users attempt to send an email to a ‘cached’ address, they will get an error that looks like this;

More Info for Email Admins
Status code: 550 5.1.11

The recipient email address is a LegacyExchangeDN address, which isn’t used by the Office 365 service. You might see this error if you’ve migrated your organization’s email from on-premises to the cloud, or if your organization has a hybrid configuration and you synchronize your on-premises directory with Office 365. If clearing the recipient Auto-Complete List from the user’s Outlook or Outlook on the web doesn’t solve the problem, try to clear the related LegacyExchangeDN address from your on-premises Active Directory. Then synchronize the directory again.

For more information, see Fix email delivery issues for error code 5.1.11 in Office 365.

Original Message Details

Created Date:     06/09/2018 15:37:37

Sender Address: pete@pnl.co.uk

Recipient Address:            IMCEAEX-_O=PNL_OU=First+20Administrative+20Group_cn=Recipients_cn=Bob+2EGSmith@GBRP265.PROD.OUTLOOK.COM

Subject: CRS Update

Error Details

Reported error:  550 5.1.11 RESOLVER.ADR.ExRecipNotFound; Recipient not found

You can either tell your users to run (within Outlook) File > Options > Mail > Send Messages > Empty Auto-Complete List.

Or try fighting with your users NK2 Files, (if you are on older versions of Outlook).

Outlook Autocomplete / Nickname / Nk2 file

Or you can export all the ExchangeLegacyDN addresses from your source domain, (in x400 format), convert them to x500 format and import them into your new domain as an additional ProxyAddress, that will get replicated to Office 365, or understood by your newer version of Exchange. (NOTE: If you are running AzureAD Sync you import them into the on-prem domain and let the changes synchronise to Office 365.)

Export LegacyExchangeDN Addresses (Source Domain)

On a DC or a machine that you have imported the Active Directory module;

[box]

Get-ADUser -SearchBase "DC=YOUR-DOMAIN,DC=COM" -Filter * -Properties SamAccountName,legacyExchangeDN | Select-Object SamAccountName,legacyExchangeDN | Export-CSV C:\Temp\Exported-LegacyDN.csv -NoTypeInformation

[/box]

Import LegacyExchangeDN Addresses (Target Domain)

Save the following as Import.ps1 then run the script;

[box]

Import-Module ActiveDirectory
# Read the export from the source domain. (The original used $Input, which is a
# PowerShell automatic variable and should not be assigned to.)
$Users = Import-CSV C:\Temp\Exported-LegacyDN.csv
ForEach ($ADUser in $Users) {
    # Skip rows with no legacyExchangeDN (non mail-enabled accounts)
    if ($ADUser.legacyExchangeDN) {
        Set-ADUser -Identity $ADUser.SamAccountName -Add @{proxyAddresses="X500:$($ADUser.legacyExchangeDN)"}
    }
}

[/box]
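Two things the import script above does not handle are the encoded `IMCEAEX-…` form of the address that appears in the bounce (quoted earlier), and re-running the import on a user who already has the X500 entry (which Set-ADUser rejects). The following is an added example, not the article’s script, that converts either a raw legacyExchangeDN or an IMCEAEX address into the X500 proxy address and adds it only once. The decoding rules (drop `IMCEAEX-` and the `@domain` suffix, `_` to `/`, `+20` to space, `+28`/`+29` to parentheses, `+2E` to `.`, `+40` to `@`, `+5F` to `_`) are Microsoft’s documented ones for this error code.

```powershell
# Added example, not the article's script. Converts a legacyExchangeDN or an
# IMCEAEX-... bounce address to an X500 proxy address and adds it idempotently.
Import-Module ActiveDirectory

function ConvertTo-X500ProxyAddress {
    param([Parameter(Mandatory)] [string] $Address)
    $a = $Address.Trim()
    if ($a -like 'IMCEAEX-*') {
        $a = $a.Substring('IMCEAEX-'.Length)
        $a = $a -replace '@[^@]+$', ''   # strip the routing domain
        $a = $a -replace '_', '/'        # must run before +5F is restored to '_'
        $a = $a -replace '\+20', ' '
        $a = $a -replace '\+28', '('
        $a = $a -replace '\+29', ')'
        $a = $a -replace '\+2E', '.'
        $a = $a -replace '\+40', '@'
        $a = $a -replace '\+5F', '_'
    }
    if ($a -notlike 'X500:*') { $a = "X500:$a" }
    return $a
}

function Add-X500ProxyAddress {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Address
    )
    $x500 = ConvertTo-X500ProxyAddress $Address
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    if ($user.proxyAddresses -contains $x500) {
        Write-Verbose "$SamAccountName already has $x500"
        return $false
    }
    Set-ADUser -Identity $user -Add @{ proxyAddresses = $x500 }
    return $true
}

# The recipient from the NDR quoted in the article decodes to
# X500:/O=PNL/OU=First Administrative Group/cn=Recipients/cn=Bob.GSmith
ConvertTo-X500ProxyAddress 'IMCEAEX-_O=PNL_OU=First+20Administrative+20Group_cn=Recipients_cn=Bob+2EGSmith@GBRP265.PROD.OUTLOOK.COM'

# Bulk import from the CSV produced by the export command above:
Import-Csv C:\Temp\Exported-LegacyDN.csv |
    Where-Object { $_.legacyExchangeDN } |
    ForEach-Object { Add-X500ProxyAddress -SamAccountName $_.SamAccountName -Address $_.legacyExchangeDN }
```

The single-address form is useful for the odd user who bounces after the bulk import (a mailbox that was not in the export, or a cached entry from an even older organisation name): paste the `Recipient Address` line from the NDR straight in.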

Related Articles, References, Credits, or External Links

NA

Forward Mail From Exchange (On-Prem) To Office 365

KB ID 0001467

Problem

WARNING: Do not do this, if you are carrying out a Hybrid migration to Office 365!

I’ve been doing an On-Prem to Office 365 migration recently. It was a little unusual because the ‘on-prem’ Exchange was not in the client’s domain. So rather than migrate all the mail to their domain, and then migrate it to Office 365, we chose to use a third party migration solution, ODME (Quest On Demand Migration for Exchange).

So using their tool I could migrate the ‘DATA’ and then the plan is to use the Quest CPUU (Client Profile Update Utility) to repoint all the clients Outlook profiles to Office 365.

That’s fine, but how do you keep the mail ‘up to date’ in both locations while they are being migrated? I thought (incorrectly) that the Quest ODME would do this, but forwarding from on-prem Exchange deployments is not supported.

This is what I wanted to do;

Then I could migrate everyone, then move the mail flow to Office 365, by simply changing the DNS (MX) Records.

Solution

I’ve covered forwarding of mail before in this previous article (you might want to have a read through that one first).

Microsoft Exchange – Forwarding Mail To External Email Addresses

So I know what the commands are, and I can supply the usernames and the email addresses to forward to, in a CSV file.

Firstly: You need to enable forwarding to your Office 365 email address*

[box]

New-RemoteDomain -Name YOUR-DOMAIN-O365 -DomainName your-domain.onmicrosoft.com
Get-RemoteDomain YOUR-DOMAIN-O365 | Select DomainName, AutoForwardEnabled

[/box]

*Note: I’m using the ‘onmicrosoft.com’ tenant email as it is already publicly routable, and lets me still have my live mail feed pointed to the on-prem Exchange.

Now assuming you have all your on-prem usernames and their Office 365 email addresses in a CSV file like so,

And you have saved the CSV file as C:\Temp\Office-365-Users.csv, use the following script.

[box]

Import-Csv -Path "C:\Temp\Office-365-Users.csv" | ForEach-Object {
	Set-Mailbox -Identity $_.'Source-User' -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $_.'Target-Mailbox'
}

[/box]

To test it worked;

[box]

Get-Mailbox | Where {$_.ForwardingSMTPAddress -ne $null} | Select Name, UserPrincipalName, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward

[/box]

To Remove it when you have finished;

[box]

Get-Mailbox | Set-Mailbox -DeliverToMailboxandforward $False -ForwardingSMTPAddress $Null -ForwardingAddress $Null

[/box]
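The first step above (the remote domain with AutoForwardEnabled) is the one people forget, and when it is missing the Set-Mailbox commands succeed but the forwarded copies never leave the organisation. The following is an added example, not the article’s script, that checks each row of the CSV against the remote domains before applying the forward: the target address’s domain must be covered by a remote domain with AutoForwardEnabled, and the source must resolve to exactly one mailbox. It assumes the `Source-User` and `Target-Mailbox` columns from the article and an Exchange Management Shell session.

```powershell
# Added example, not the article's script. Pre-flights each CSV row against
# the remote-domain auto-forward setting, then applies the forward.
# Assumes CSV columns 'Source-User' and 'Target-Mailbox' as in the article.
function Set-MailboxForwardingFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $CsvPath)

    # Remote domains (lower-cased) that on-prem Exchange will auto-forward to.
    # The 'Default' remote domain has the name '*', which -like treats as match-all.
    $allowedDomains = Get-RemoteDomain |
        Where-Object { $_.AutoForwardEnabled } |
        ForEach-Object { $_.DomainName.ToString().ToLower() }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $src = $row.'Source-User'.Trim()
        $dst = $row.'Target-Mailbox'.Trim()
        $dstDomain = ($dst -split '@')[-1].ToLower()

        $covered = $allowedDomains | Where-Object { $dstDomain -like $_ }
        if (-not $covered) {
            Write-Warning "$src -> $dst skipped: no AutoForwardEnabled remote domain covers $dstDomain"
            continue
        }
        $mbx = @(Get-Mailbox -Identity $src -ErrorAction SilentlyContinue)
        if ($mbx.Count -ne 1) {
            Write-Warning "$src skipped: resolved to $($mbx.Count) mailboxes"
            continue
        }
        if ($PSCmdlet.ShouldProcess($src, "Forward to $dst (keep local copy)")) {
            Set-Mailbox -Identity $mbx[0] -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $dst
            [pscustomobject]@{ Source = $src; Target = $dst; Applied = $true }
        }
    }
}

# Rehearse, then apply:
Set-MailboxForwardingFromCsv -CsvPath 'C:\Temp\Office-365-Users.csv' -WhatIf
Set-MailboxForwardingFromCsv -CsvPath 'C:\Temp\Office-365-Users.csv'
```

Note that the removal command in the article clears forwarding on every mailbox; if some users had legitimate forwards before the migration, run the ‘To test it worked’ query first and keep its output so you can restore them.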

Related Articles, References, Credits, or External Links

NA

Office 365: Grant a User Full Mailbox Access to all Mailboxes

KB ID 0001466

Problem

Obviously there are some security concerns about having a user with full mailbox access to all mailboxes! But that aside, I was using a third party Migration tool last week, and it needed to connect to every mailbox with full access rights to perform the migration.

So this is how I did it;

Solution

Firstly you need to connect to your Office 365 tenant with PowerShell;

Connect to Office 365 Exchange PowerShell

Now I could grant access to one user, but I’m going to create a ‘Group’, Exclude that group from the Global Address List, Put my user in that group. Then Finally grant the ‘group’ rights to all the mailboxes.

[box]

New-DistributionGroup -Name "365-Migration-Admins" -Type "Security"

Set-DistributionGroup "365-Migration-Admins" -HiddenFromAddressListsEnabled $True

Add-DistributionGroupMember -Identity "365-Migration-Admins" -Member "Pete@tenant.onmicrosoft.com"

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User 365-Migration-Admins@tenant.onmicrosoft.com -AccessRights FullAccess -InheritanceType all

[/box]
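The article opens by acknowledging the security concern of a principal with full access to every mailbox, so the other half of this job is auditing who holds that right and removing the grant when the migration is done. The following is an added example, not the article’s script: one function lists explicit (non-inherited) FullAccess grants other than the mailbox owner, and one removes the migration group’s grant from every user mailbox. It assumes the group address from the article and an existing Exchange Online PowerShell session.

```powershell
# Added example, not the article's script. Audit explicit FullAccess grants
# and remove the migration group's grant after the migration.
# Assumes an Exchange Online PowerShell session and the group from the article.
function Get-FullAccessGrants {
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
        Get-MailboxPermission |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            $_.User -notlike 'NT AUTHORITY\*' -and   # the owner's own SELF entry
            $_.User -notlike 'S-1-5-*'               # orphaned SIDs from deleted accounts
        } |
        Select-Object Identity, User, AccessRights, Deny
}

function Remove-MigrationFullAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $GroupAddress)
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PrimarySmtpAddress, "Remove FullAccess for $GroupAddress")) {
                Remove-MailboxPermission -Identity $_.Identity -User $GroupAddress `
                    -AccessRights FullAccess -InheritanceType All -Confirm:$false
            }
        }
}

# Who currently has explicit full access, and to what:
Get-FullAccessGrants | Format-Table -AutoSize

# Rehearse the clean-up, then run it without -WhatIf when the migration is finished:
Remove-MigrationFullAccess -GroupAddress '365-Migration-Admins@tenant.onmicrosoft.com' -WhatIf
```

Running the audit before and after the migration gives you a diff of what the migration tool left behind; the group can then be removed with Remove-DistributionGroup once no grants reference it.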

Related Articles, References, Credits, or External Links

NA