I put in an ASA 5505 this week, and while I was setting it up I was getting plagued with these popping up in the command window all the time:
[box]
DHCP: Interface 'inside' is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature
DHCP Client: can't enable DHCP Client when DHCP Server/Relay is running on the interface.
[/box]
Seen here on ASA Version 9.1(1)
Solution
There's not a lot of information out there about this, but it's essentially caused by the Cisco ‘Call-Home’ function being enabled. If you want call-home on then configure it, but I did not. The reason you are seeing these is because when you first entered configuration mode you were prompted with this,
You can confirm that by issuing a show call-home command,
As you can see it's enabled; if you want it on, then configure it. I don't, so I'll simply disable call-home.
[box]
User Access Verification
Password:
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# call-home
PetesASA(cfg-call-home)# no configuration all
PetesASA(cfg-call-home)# exit
PetesASA(config)#
[/box]
Finally save the changes.
[box]
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec) [OK]
PetesASA(config)#
[/box]
Related Articles, References, Credits, or External Links
When looking at a router, switch or firewall running config, it will usually display a page at a time; you can page down with the space bar, or line down with the Enter/Return key.
Normally that’s fine, but what if you want to capture (take a quick backup of) the config?
If you do that, and page down you get a copy of the config that looks like this;
–More–
Yes, you can delete them, but in a big config that can take time. How about making the config scroll right to the end without the breaks/pauses?
Solution
Cisco ASA Disable Paging
On a firewall that’s done with the pager command. Normally a firewall config will display 25 lines at a time; to get it to scroll straight to the end, set the pager length to zero.
[box]
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password:*********
Petes-ASA# configure terminal
Petes-ASA(config)# pager 0
Petes-ASA(config)#
[/box]
Tip: If you take a copy of a firewall config with show running-config it will blank out (replace with asterisks) the VPN shared secrets and failover keys. You can suppress that, and show the hidden values, with the following command:
[box]
Petes-ASA(config)# more system:running-config
[/box]
To return it to pausing every 25 lines and giving the <— More —> prompt again:
[box]
Petes-ASA(config)# pager 25
[/box]
Cisco Router / Switch IOS Terminal Length
On IOS the default is 24 lines at a time (show terminal will tell you). You can change this by changing the terminal length. Note: This is NOT a global configuration command.
[box]
Petes-Router#terminal length 0
[/box]
To reset it, and get the –More– prompt back again:
[box]
Petes-Router#terminal length 24
[/box]
Related Articles, References, Credits, or External Links
In the following example I’m using 192.168.1.100 as the internal IP address of the View Server and the public IP address of the firewall is 123.123.123.123.
Which solution you use depends on whether you are allowing access via a dedicated public IP that you will assign to the VMware View server, or, if you do not have a spare public IP, you will need to use port forwarding.
Option 1 – You have a public IP that you want to assign to the VMware View Server
As I’m using 123.123.123.123 on the outside of my ASA I’m going to use another public IP address for the VMware View server (123.123.123.124) and I will statically map that to its internal IP address. Then I allow the ports to that IP address, and finally apply the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from).
Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute the name of yours for the word inbound in my example below.
Option 2 – You want to use Port Forwarding (And your ASA is pre version 8.3)
Below I’m creating a static PAT entry for all the ports required, then allowing the traffic with an access-list, and finally applying the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from).
Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute the name of yours for the word inbound in my example below.
Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside – unless you put it on another port. The following two commands would change the ASDM to port 2345 for example:
Option 3 – You want to use Port Forwarding (And your ASA is version 8.3 or newer)
Below I’m creating a network object for each of the ports required and statically NATing those ports to it, then I’m allowing the traffic to reach that network object, and finally applying the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from).
Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute the name of yours for the word inbound in my example below.
Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside – unless you put it on another port: The following two commands would change the ASDM to port 2345 for example:
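The command blocks for the three options are not reproduced on this page, so what follows is an added example of my own (not the original article's configuration) showing the shape of each option, using the addresses the article gives (192.168.1.100 inside, 123.123.123.123 on the outside interface, 123.123.123.124 as the spare public IP). Only HTTPS (TCP 443), which the article says it forwards, stands in for the full VMware View port list; the object names are mine, the ACL name inbound follows the article, and the two ASDM commands at the end are my assumption of the "two commands" the note refers to.

```cisco
! ---- Option 1: dedicated public IP for the View server ----
! ASA 8.3 or newer: one-to-one static NAT via a network object
object network VIEW-SERVER
 host 192.168.1.100
 nat (inside,outside) static 123.123.123.124
! (pre-8.3 equivalent of the object above:)
! static (inside,outside) 123.123.123.124 192.168.1.100 netmask 255.255.255.255
!
! On 8.3+ the ACL matches the REAL (inside) address, not the public one
access-list inbound extended permit tcp any host 192.168.1.100 eq https
access-group inbound in interface outside

! ---- Option 2: port forwarding, ASA pre-8.3 ----
! Static PAT on the outside interface address; on this code the ACL
! matches the TRANSLATED (outside interface) address
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255
access-list inbound extended permit tcp any interface outside eq https
access-group inbound in interface outside

! ---- Option 3: port forwarding, ASA 8.3 or newer ----
! One network object per forwarded port (object NAT carries a single nat line);
! the ACL again matches the real inside address
object network VIEW-SERVER-HTTPS
 host 192.168.1.100
 nat (inside,outside) static interface service tcp https https
access-list inbound extended permit tcp any host 192.168.1.100 eq https
access-group inbound in interface outside

! Forwarding 443 on the outside interface collides with ASDM, which also
! listens on 443 there; move ASDM to TCP 2345 (assumed to be the "two commands")
no http server enable
http server enable 2345
```

The point worth remembering across the three is the 8.3 change in what the access-list sees: before 8.3 the ACL is written against the translated (public) address, from 8.3 onwards against the real (inside) address, so a pre-8.3 ACL copied onto newer code silently matches nothing.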
1. Initially I thought I’d just need to clear some junk out of the flash, but a spring clean didn’t help either; it turns out I needed to free up some RAM by disabling some stuff.
Note: I could also have booted to ROMMON mode, and copied the files into flash. (But I was too lazy to dig out a console cable and walk to the dining room).
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# no threat-detection basic-threat
Petes-ASA(config)# no threat-detection statistics tcp-intercept
Petes-ASA(config)# no threat-detection statistics
Petes-ASA(config)# no webvpn
Petes-ASA(config)# wr mem
Building configuration...
Cryptochecksum: 7b4c70ea dddb5908 f288701a 070f323a
9622 bytes copied in 1.230 secs (9622 bytes/sec)
[OK]
Petes-ASA(config)#
[/box]
I cringed this morning when I was asked about this; last time I had to get a client to authenticate to a domain through a firewall, it was ‘entertaining’. The problem is Windows loves to use RPC, which likes to use random ports, so to make it work you either had to open TCP ports 49152 through 65535 (yes, I’m serious), or you had to registry hack all your domain controllers and specify individual ports for RPC as per MS KB 224196, then allow those ports. I have a client that’s got a separate domain in their DMZ and I need to set up a trust with their internal domain, so I started writing the firewall config. Then, when I asked the ‘Do you want to open all these ports or simply lock RPC down on all the domain controllers?’ question, my colleague found ‘dcerpc’ inspection.
Dcerpc has been available since at least ASA version 7.2; I had never heard of it! Cisco says:
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
DCERPC inspection maps inspection for native TCP communication between a server called the Endpoint Mapper (EPM) and client on the well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client can attempt multiple connections to the server port returned by EPM, creation of multiple pinholes is allowed.
Here’s how to do it with the following topology:
Note: Setting up a ‘Trust’ or allowing a client to ‘Authenticate’ requires the same configuration, but below I will use the IP of the Domain controller, rather than the IP of the client.
Solution
I’m assuming you ALREADY have access-lists from your internal network and from your DMZ; you may need to replace the names of the ACLs I use below with your own (‘show run access-group’ will tell you).
1. There are a myriad of ports (both TCP and UDP) that you are required to open, those being:
So connect to the ASA, go to enable mode, then global configuration mode, and add the ACLs to open the ports above. BE AWARE the last line enables ICMP/ping (just for testing; you can remove it later, and you will need to have ICMP inspection on for it to work).
6. Give it a test, make sure the machines can ping each other, and you may at this point want to remove the ICMP lines from the ACL. Once you are happy, save the changes.
[box]
PetesASA# write mem
Building configuration…
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#
[/box]
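The ACL and inspection steps themselves are not reproduced on this page, so here is an added example of my own (not the article's configuration) of how DCERPC and ICMP inspection are switched on in the ASA's default global policy. The addresses are constructed (192.168.1.10 for the internal domain controller, 10.1.1.10 for the one in the DMZ), and the ACL names inside-in and dmz-in are placeholders for whatever show run access-group reports on your firewall; the example assumes those ACLs are already applied to their interfaces, as the article does.

```cisco
! Constructed addresses: internal DC 192.168.1.10, DMZ DC 10.1.1.10
! ACL names inside-in / dmz-in are placeholders for your own, already-applied ACLs

! Endpoint Mapper: only the well-known TCP 135 needs a static ACL entry.
! The dynamic RPC ports the EPM hands back are opened as pinholes by the
! inspection engine, so the 49152-65535 range is NOT permitted here.
! (The other AD ports from step 1 still need their own lines.)
access-list inside-in extended permit tcp host 192.168.1.10 host 10.1.1.10 eq 135
access-list dmz-in extended permit tcp host 10.1.1.10 host 192.168.1.10 eq 135

! ICMP for the ping test in step 6; remove these two once you are happy
access-list inside-in extended permit icmp host 192.168.1.10 host 10.1.1.10
access-list dmz-in extended permit icmp host 10.1.1.10 host 192.168.1.10

! Enable DCERPC and ICMP inspection in the default global policy
! (global_policy / inspection_default exist on a factory-default ASA)
policy-map global_policy
 class inspection_default
  inspect dcerpc
  inspect icmp

! Verify: the dcerpc counters should increment as EPM lookups cross the firewall
show service-policy inspect dcerpc
```

If show service-policy inspect dcerpc shows no packets after a test, check that the class in use actually matches TCP 135 (the default inspection_default class does) and that the traffic is crossing the interfaces the policy is applied to.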
Related Articles, References, Credits, or External Links
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
A very long time ago I wrote an article about how to port forward from a public IP address to multiple servers for RDP. Basically you would connect to the firewall using various different ports, and the firewall would change the port to the correct one for RDP (TCP port 3389, unless you changed it on the machine). Then send it to the correct server, so you could manage multiple servers from the same public IP.
Now that was so long ago it was before the version 8.3 NAT changes. This week I was working on a problem where every change I made that had to be tested meant I had to swap VPNs, and reconnect to servers and test comms. This was getting a bit time consuming so I needed a public server to jump on for testing. I didn’t want to expose RDP to my server, so I planned to use a different port and translate that port on the firewall. But how to do that with modern ASA code?
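The article's 8.3-or-newer answer is not on this page, so as an added example of my own (not the author's configuration) here is port translation done with object NAT. The servers and ports are constructed: 192.168.1.10 and 192.168.1.11 listening on RDP (TCP 3389), outside ports 33891 and 33892 chosen arbitrarily, 203.0.113.5 as the administrator's source address, and inbound as the ACL name. It goes one step beyond the article's single-server case by putting two servers behind the same outside address.

```cisco
! Constructed: two inside servers on RDP (TCP 3389), sharing the outside interface IP
! Outside ports 33891 / 33892 are arbitrary choices; 203.0.113.5 is the admin's source

! service <real_port> <mapped_port>: outside :33891 -> 192.168.1.10:3389
object network SRV1-RDP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 33891

! outside :33892 -> 192.168.1.11:3389
object network SRV2-RDP
 host 192.168.1.11
 nat (inside,outside) static interface service tcp 3389 33892

! From 8.3 onwards the ACL is evaluated on the UNTRANSLATED address and port,
! so permit 3389 to the real hosts, not 33891/33892 to the outside address.
! Restricting the source to the admin address keeps RDP off the open internet
! even though the ports are non-standard.
access-list inbound extended permit tcp host 203.0.113.5 host 192.168.1.10 eq 3389
access-list inbound extended permit tcp host 203.0.113.5 host 192.168.1.11 eq 3389
access-group inbound in interface outside

! Check the translations and the ACL hit counts after a test connection
show nat detail
show access-list inbound
```

Moving RDP to a different outside port hides nothing from a port scan, which is why the example keeps the source restriction in the ACL rather than relying on the port number.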