I had a situation a couple of weeks ago where I had the serial numbers for a bunch of Cisco switches and needed to get some extended cover for them, but what I didn’t have were the Cisco SKU (Stock Keeping Unit) codes.
Solution
You will need to have a Cisco CCO login; once you have that, go here > Add devices.
Give the device a name (it does not matter what) > Paste in the serial number > Add.
Boom, there’s your SKU (Product ID).
Repeat as required.
Related Articles, References, Credits, or External Links
If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors:
VPN establishment capability for a remote user is disabled. A VPN connection will not be established
VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established
This behaviour is the default. Despite me trawling the internet to find a solution, most posts quote changing the local AnyConnectProfile.tmpl file, and this file does not exist in Version 3 (I was using v3.0.4235).
Update: With early versions of AnyConnect version 4 it does not tell you what’s wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following:
Profile settings do not allow VPN initiation from a remote desktop.
Note: This is fixed in version 4.8, and you will see the error at the top of the page.
Solution
To solve this problem we need to create an AnyConnect profile, load the profile onto the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).
Edit AnyConnect Profile With ASDM
Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
Give the profile a name > Select a group policy to apply it to > OK.
AllowRemoteUsers: Lets remote users bring up the VPN; if the resulting routing change disconnects you, it will automatically terminate the VPN.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
OR (older versions)
Apply the changes, and then save to the running configuration.
Edit AnyConnect Profile With Stand-Alone Profile Editor
1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).
Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created you can skip straight to step 3 and skip all the other steps.
If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.
2. Once you have installed the profile editor, launch the “VPN Profile Editor”.
3. The setting we want is listed under Windows VPN Establishment and needs setting to “AllowRemoteUsers”. In addition, I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.
AllowRemoteUsers: Lets remote users bring up the VPN; if the resulting routing change disconnects you, it will automatically terminate the VPN.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
4. Save the profile somewhere you can locate it quickly.
6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.
7. Make sure the file uploads correctly > Close.
8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the inherit button.
9. Click New > Browse Flash > Locate the profile you uploaded earlier.
10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.
11. Then reconnect with your AnyConnect Mobility Client software.
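The same upload-and-associate procedure (steps 5 to 10) done from the ASA CLI instead of the ASDM, as an added example that is not from the original post; the TFTP host, file name and group-policy name are assumptions, and the two XML element names in the comments are the ones the AnyConnect profile schema uses for the settings above.

```text
! Added example (not from the post): 10.0.0.5, the file name and GP-AnyConnect are assumptions
! 1. Copy the profile you saved from the Profile Editor onto the firewall's flash
copy tftp://10.0.0.5/AnyConnect-RDP.xml disk0:/AnyConnect-RDP.xml
!
! 2. Register the file as an AnyConnect client profile
webvpn
 anyconnect profiles AnyConnect-RDP disk0:/AnyConnect-RDP.xml
!
! 3. Push it to every client that lands in this group policy (step 8 in the ASDM)
group-policy GP-AnyConnect attributes
 webvpn
  anyconnect profiles value AnyConnect-RDP type user
!
! 4. Check the uploaded file actually carries the two settings; <ClientInitialization>
!    must contain:
!      <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
!      <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
more disk0:/AnyConnect-RDP.xml
show running-config group-policy GP-AnyConnect
!
! 5. Save, then reconnect the client so it downloads the new profile
write memory
```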
Related Articles, References, Credits, or External Links
This page will be used as a central repository and ‘index’ for configuration on the Cisco Firepower 1010 series firewall. I intend to add to it as I test the capabilities and work out any problems whilst trialing/deploying and operating this platform.
So we have unboxed and set up our Firepower 1010 device; simply logging into the ASDM fires off warnings that it’s only running DES and that I need to register the unit to get any decent level of encryption (seriously, why is 3DES still an ‘add-on’ licence? Who is still doing 56-bit encryption!).
So let’s get it registered and licenced.
Solution
The ‘Licence Envelope’ in the box is simply instructions on setting up a Cisco Smart Account. I already have one of those. If you don’t, you will first need to set up a Cisco CCO logon account (this is free, and you need it to log into any of the Cisco sites). Once you have that sorted you can go to https://software.cisco.com/ and request a Smart Licence (again, this is free; it involves some email exchanges).
Now, what I do is then create a ‘Virtual Account’ in that Smart Account. What you use these for is up to you, but if you want to share the licensing, e.g. with your colleagues or employer, then you can do so without giving them access to all your Cisco licences etc. Go back to Software Central and select Administration > Manage Smart Account (normally you just go to Smart Software Licensing).
Creating a Cisco Smart Account ‘Virtual Account’
Virtual Accounts > New Virtual Account.
Give it a name and description > Set Access Level ‘Public’ > Next.
Assign any users that you want to give access to, (you can revisit this later) > Next.
Review the settings > Create Virtual Account.
Register a Cisco FirePower 1010 With Cisco
OK, Cisco say you need the licences to exist in your Smart Account before you licence the hardware; they also say that:
Standard license—L-FPR1000-ASA=. The Standard license is free, but you still need to add it to your Smart Software Licensing account.
Security Plus license—L-FPR1010-SEC-PL=. The Security Plus license enables failover.
Strong Encryption (3DES/AES) license—L-FPR1K-ENC-K9=. This license is free. Although this license is not generally required (for example, ASAs that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.
Hey Pete,
L-FPR1000-ASA= license usually comes with the device and it’s free, however it has to be under a sales order in order for us to provision it into the account. As for the L-FPR1K-ENC-K9 license, it is not free and if you need that license please provide an order under which the license is purchased.
Now getting that sales order number was a chore! I had to get it from the Disti that my company purchased the hardware from, after many emails I finally sent them the order only to be told;
Hey Pete,
Please be informed that this is a disti stocking SO. A disti stocking SO contains products and licenses that may be owned by multiple end customers. Hence, we do not get a link to assign disti stocking SOs to an end customer smart account in CCW. Also, the licenses associated with a disti stocking SO will get provisioned once the end customer registers the device on his/her respective smart account. So please ask the customer to register the devices owned by them on their smart account and the licenses will be automatically provisioned to the smart account. If, after the devices have been registered, the licenses do not get provisioned, then please revert and we will investigate the request.
So here’s what your Smart Licence Virtual Account SHOULD LOOK LIKE before you start;
How To Register a Firepower Appliance
Within your virtual account create a ‘New Token’ > Give it a description > New Token.
Copy it to the clipboard.
You need to have Smart Call-Home enabled on your Firepower 1010 first: Configuration > Device Management > Smart Call-Home > Turn it on and provide an email address > Check the Cisco TAC option > Apply.
Go and put the kettle on > After a few minutes, refresh and it should say registered.
Back in the Smart Licensing portal it should now look like this;
If it looks like this, then either your licence was not there to begin with, or it was under a different Virtual Account!
So either the documentation is wrong, or I’ve been given incorrect information by Cisco. Either way, I’m not looking forward to negotiating this ‘bag of spanners’ every time I have to install or deploy one of these!
My firm is in the middle of moving from Skype to Teams, so more and more online meetings are being done with Teams. I have had some problems trying to get my camera to work.
Solution
Firstly you need to ‘Allow’ Teams to use the camera; Click the ‘Apple’ icon > System preferences > Security and privacy > Privacy > Camera > Tick to enable ‘Microsoft Teams’ (Note: You may need to click the padlock at the bottom, before you can change any settings).
If you have Teams running, you will need to restart it, then if you can see the camera ‘feed’ in Settings > Devices, (as below) you should be good to go.
Cannot See Camera Input in Teams
If there’s still no input, then it’s probably because another application has control of the camera. (Remember I said above, we are migrating from Skype!) Well, look in Skype and boom, it’s working there, so Teams can’t use it!
I don’t need my camera in Skype, so I can simply ‘Block’ Skype from using it;
But if you want to use the camera in BOTH/MORE applications, simply close the other applications that may have stolen the camera and restart the one you want to use it in.
Related Articles, References, Credits, or External Links
A few weeks ago I needed to sort out some extended warranty for a customer’s servers. To do that I needed the serial numbers of those servers (a mixture of IBM/Lenovo and Dell servers).
As I didn’t fancy a drive to two different datacenters, I wanted to try and get them programmatically.
Solution
After some searching I came across a post by one of my old EE buddies LucD with exactly what I needed. I’m assuming you have PowerCLI setup before beginning.
Connect to your Virtual infrastructure;
[box]
Connect-VIServer {vCenter-server-FQDN}
[/box]
Then, (assuming you have a folder called C:\Temp that you can write to).
With the current lockdown and everyone working from home, I’m using Teams a lot. I use one of the images that I use here at PNL as one of the background images that ‘appear’ behind me when I’m using the webcam in Teams. I was asked today how I did that, so I thought I’d write it up here.
Solution
I’m using Teams on my MacBook, but the procedure is pretty much the same in Windows; if you can’t see the options I’m mentioning, you might want to simply update your copy of Microsoft Teams.
Firstly: You need to actually be in a call before you can change your background! On your options bar (if you can’t see it, click on the Teams window), click the ellipsis (3 dots) and select ‘Show Background Effects‘.
You can then simply select one of the Microsoft included backgrounds and apply it (there’s a long list, scroll down!).
Adding Your Own Custom Image To Teams Backgrounds
This is pretty easy, but you will find that the image will be ‘flipped horizontally’ when other users see it like so;
So if it’s a landscape or an office backdrop that’s probably not going to bother you, but if you have text on the image, it will be back to front, or like me it just makes your OCD itch! Then simply use your favourite graphics editing software to flip the image before you put it in the correct folder.
Where to Save your Teams Custom Backgrounds
For macOS: In Finder > Go > Go to Folder > ~/Library/Application Support/Microsoft/Teams/Backgrounds/Uploads
For Windows Clients: In Windows explorer > %AppData%\Microsoft\Teams\Backgrounds\Uploads
Don’t forget to restart Teams before they will appear.
Related Articles, References, Credits, or External Links
I like object-groups; they can make your firewall configs a lot smaller and neater, and if you need to add a host, network, range, or port, then you can simply add the new requirement to an existing group. But what if you want to allow both UDP and TCP ports? You can create a service group for TCP and add the ports, and a service group for UDP and add the ports, and add them into your ACL where you would expect ports to be (at the end of the ACL), like so;
Note: What this actually does is create ‘destination port’ objects, if you didn’t already know, if you are connecting to a web server on port 443 (https) for example, the source port can be any port number, it’s the destination port number that is 443. (If you’ve ever worked on a Symantec/SEF/Velociraptor firewall this would be more important).
Then place that service group in the ACL where you would normally specify the PROTOCOL, like so;
[box]
!
access-list inbound permit object-group OBJ-Service-Ports any host 192.168.1.10
!
[/box]
Much simpler!
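Both forms side by side, as an added example that is not from the original post: the two per-protocol port groups in the port position, then the single protocol-position group the post recommends. The group names other than OBJ-Service-Ports, the ports and the host are constructed.

```text
! Added example (not from the post): ports, OBJ-TCP-Ports and OBJ-UDP-Ports are constructed
! --- Before: one group per protocol, used in the port position, so two ACEs ---
object-group service OBJ-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service OBJ-UDP-Ports udp
 port-object eq domain
 port-object eq ntp
access-list inbound extended permit tcp any host 192.168.1.10 object-group OBJ-TCP-Ports
access-list inbound extended permit udp any host 192.168.1.10 object-group OBJ-UDP-Ports
!
! --- After: one group that carries protocol AND port, used in the protocol position ---
! service-object names the protocol with each port, so TCP and UDP can share a group
object-group service OBJ-Service-Ports
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
 service-object udp destination eq ntp
 service-object tcp-udp destination eq 5060
access-list inbound extended permit object-group OBJ-Service-Ports any host 192.168.1.10
!
! These are destination ports only; the source port stays "any", as the note above says
! Check what the ASA expanded the group into (one ACE per service-object)
show access-list inbound
```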
Related Articles, References, Credits, or External Links
When trying to connect to a Firepower 1010 ASDM I was met with this;
“Cisco ASDM-IDM.app” cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware
Solution
If you’ve spent much time using macOS then this is quite common. Open System Preferences > Security and Privacy > General tab > You will see a warning about the Cisco ASDM-IDM > Click ‘Open Anyway‘.
If you are prompted again simply click ‘Open‘.
Related Articles, References, Credits, or External Links
I’ve been trying to get my hands on one of these for a while. So thanks to my employer for sending me one to take a look at. The Firepower 1010 appliance is aimed at Small Office / Home Office, and possibly Small Remote Branch offices. But like its predecessors it will probably get put in EVERYWHERE because it’s ‘cheap’, (Note: for cheap, read possibly under-specced* and the wrong size!)
*Seriously, I’ve deployed a LOT of 5506-X (and 5508-X) firewalls, and then clients enabled every inspection, IDS/AMP/Web Filtering etc. Then complained that their internet connection was then terrible, ‘Why is my new firewall slower than the old one!’ So look at the throughput for these things, with inspection enabled before deciding to buy the cheapest one!
A Brief History
The Firepower 1010 will end up being the replacement for the ASA5506-X, which in turn was the replacement for the ASA5505.
Left to Right: ASA 5505, ASA 5506-X, Firepower 1010
The 5505 was brilliant; I still see them everywhere, tucked in the bottom of comms cabinets and balanced on top of other things in data centres. I know of 5505s that I installed new over 15 years ago that are still chugging away. It had built-in PoE and a 7-port switch (you need one port for the WAN). The only thing that ever let the 5505 down was that the earlier versions didn’t have enough RAM to update past version 8.3. It replaced the earlier PIX 501 and PIX 506E (I do have both of these models tucked away somewhere too; I was just too lazy to dig them out).
The 5506-X was, to be honest, a massive let-down. It shipped with 8 ports, but those ports were independent, so you needed to buy a switch as well, and it didn’t have PoE. Cisco tried to ‘fix’ the switch problem by introducing the BVI interface with version 9.7; the problem with that was it was ‘horrifically terrible in the extreme‘. If you wanted to do anything even vaguely ‘firewall-ish’ with your firewall, the config would grow in size as if it was being multiplied by the Fibonacci numbers. 🙁 The final nail in its coffin was that if you updated it past version 9.10 the FirePOWER module was disabled, regardless of whether you had bought licences for it or not.
So Now the Firepower 1010
Is it FirePOWER or Firepower? : Good question, the rule was, if it was in an ASA it was FirePOWER if it was a dedicated device it was Firepower. But as the Firepower 1010 can run ASA code, it breaks the rules! So I’ll stick with Firepower for the new ones.
It runs ASA Code? : Yes, Cisco firewall techs of the world rejoice! The Firepower 1010 model comes in two flavours;
FPR1010-ASA-K9: Good old Cisco ASA code, with an ASDM!
FPR1010-NGFW-K9: Runs the FTD (Firepower Threat Defense) code.
I’ve written briefly about FTD on the Cisco ASA, I wasn’t really a fan, but I know we live in a ‘point and click’ society now, so maybe this version will win out in the end, but I hope not.
Oh Bugger! I’ve Ordered the wrong one! No problem, you can swap between versions, but you will need to ‘re-image’ the device completely (losing all settings).
What Do You Get With the Firepower 1010?
Out of the box you get the unit itself and a ‘power brick’ (with an annoying ‘clover leaf’ / ‘Mickey Mouse ears’ / IEC C5 connector). So if, like me, you get one with a Euro (2-pin) plug in the box and you live in the UK, unless you have one spare you will have a problem. Luckily I’ve got most things at home, but if you unbox this in a data centre at 11 o’clock at night, good luck finding one of those power cables! You also get a USB console cable. There’s a quick setup card (mine was in French and Spanish, but the picture was self-explanatory). There’s a licence envelope in there as well; on inspection, it’s just instructions on how to set up a ‘Smart’ License account.
It’s Fan-less: Like the 5506-X it’s fan-less (that’s why it’s covered in holes). So IT’S NOT SUPPOSED TO GO IN A RACK! If you want a rack-mountable firewall, buy a Firepower 1120.
But You Can Get Rack Mounting Kits For It? : I know, but then the world is full of people who sell the wrong stuff. If you put this thing in a rack, and impede airflow though it, it’s more likely to break, (lecture over).
It’s a Proper Switch! Yep even better than the 5505, it’s got proper switchports with proper switch commands! By default all Ports from GigabitEthernet 1/2 to 1/8 are in VLAN 1. Gigabit Ethernet 1/1 is a routed (no switchport) port.
PoE: The unit has PoE on ports GigabitEthernet 1/7 and GigabitEthernet 1/8 (only).
Throughput: Cisco state with NGFW inspection ‘or’ IDS turned on 650Mbps (notice they don’t say ‘and’!)
AnyConnect: Comes with 75 ‘Premium’ Licences, (without extra licensing!)
Licensing: Smart License model only, so no more ‘classic’ licences or activation keys.
Failover? Here’s a GOTCHA: for failover you need to add an additional licence to BOTH units (on the 1010 only), and they are not cheap! But if you want enterprise solutions, then buy enterprise-class firewalls, guys!
Power: Much better than the 5506-X and the terrible 5505 power connector; you could probably swing on this and it won’t come out. Just a pity about the IEC C5 connector on the power brick.
8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, and GigabitEthernet 1/2 through 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
Management Port.
Console Port (RJ45).
Console Port (Mini USB).
USB port (useful for upgrades, and backups).
Kensington Lock: Seriously? I’ve not seen one of these since about 2005, does anyone still use them?
Reset Button: Depress for 3 seconds reverts the firewall to its factory settings, (and preserves the config apparently).
Status Lights (another reason not to put things on top of it!), though you will notice there are some on the back too.
Firepower 1010 Initial Setup (ASA Version)
It takes ages to boot! Like its predecessors, the WAN port will be set to get an IP address via DHCP, and the internal ports have DHCP enabled (192.168.1.0/24). The Management port also has DHCP enabled (192.168.45.0/24), so be careful before connecting it to a live network. ASDM is enabled to the entire inside and management networks.
The only thing I can see that’s different from its predecessor (apart from the fact it’s got a working switch setup that isn’t terrible) is that the DNS servers are set to Cisco’s. I’m assuming this is so that licensing and updates will ‘just work’, though some people will want to change this.
All traffic is set to translate to the outside interface’s IP address (this is actually PAT, that’s why I didn’t say NATTED to the outside interface’s IP address).
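A first tightening pass on the defaults just described, as an added example that is not from the post: the ‘as shipped’ lines are reconstructed from the description above (not copied from a unit), and the admin workstation address and resolver addresses are placeholders.

```text
! Added example (not from the post). Default lines reconstructed from the text above;
! 192.168.45.10 and the <...> resolvers are placeholders.
!
! --- As shipped: ASDM reachable from every host on the inside and management networks ---
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.45.0 255.255.255.0 management
!
! --- Tightened: ASDM only from one admin workstation on the management network ---
no http 192.168.1.0 255.255.255.0 inside
no http 192.168.45.0 255.255.255.0 management
http 192.168.45.10 255.255.255.255 management
!
! Stop handing out 192.168.1.0/24 leases on the inside VLAN until it is meant to be live
no dhcpd enable inside
!
! Swap the preset Cisco resolvers for your own; keep domain-lookup on the interface
! that can reach them, because Smart Licensing registration still needs to resolve names
dns server-group DefaultDNS
 no name-server <cisco-preset-resolver>
 name-server <your-resolver> outside
dns domain-lookup outside
!
! Confirm only the intended http and dns lines remain before saving
show running-config http
show running-config dns
write memory
```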