You want to wipe the firewall’s config and revert to the factory settings (passwords blank – management or inside set to 192.168.1.1 and DHCP enabled, with all other settings wiped).
Solution
1. Connect to the ASA via the console cable.
2. Log in and go to configure terminal mode.
3. Execute the following command “config factory-default”
4. Press the space bar a few times to execute the commands.
5. When you get back to the command prompt, execute the following command “reload save-config noconfirm” (or on a Cisco PIX, write mem {enter} > reload {enter}{enter}).
6. The Firewall will reboot, (set to factory settings).
Procedure carried out on a Cisco ASA 5508-X (Running version 9)
Procedure carried out on a Cisco PIX 515E (Running version 8)
Note: Now the management interface (if you have one) will be set to lease DHCP addresses. If you don’t have a management interface (i.e. you have an ASA 5505, or an older PIX), then the inside interface will lease DHCP addresses instead. The outside interface will be set to obtain its IP address via DHCP.
Related Articles, References, Credits, or External Links
A while back I ran through “Managing Cisco ASA devices via the ASDM with Ubuntu“. I prefer to work at command line, and with a new firewall my only choice is via the console port. In a Windows environment I can fire up Hyperterminal and I’m away. With Linux there are a couple of things to do first.
Solution
Step 1 (Get the Serial / RS232 / COM Port working)
As pictured above, this is being done on my Acer Netbook so I don’t have a serial port. I need to use a USB to Serial converter, If your machine has a serial port then simply skip this section.
1. Plug in your serial converter and wait a few seconds, open a terminal window (Applications > Accessories > Terminal) and issue the following command,
[box]dmesg[/box]
2. Amazingly it looks like it’s been installed with the correct driver, without any effort by me at all! Let’s make sure: unplug the USB to serial converter, then issue the following command,
[box]lsusb[/box]
Then plug the device back in and run the same command, notice the serial port has popped onto the list.
Note: If you’re not as lucky as me, follow the excellent advice here to install the drivers you need.
Step 2 Install and Configure Minicom
1. Open a terminal window and issue the following command,
[box]sudo apt-get install minicom[/box]
Tap in your password, then enter “Y” for yes when prompted.
4. We need to know the connection name for the USB to Serial converter, issue the following command (see, mine’s called ttyUSB0).
[box]dmesg | grep tty[/box]
5. Now let’s fire up Minicom with the following command,
[box]sudo minicom[/box]
Tap in your password again, then as requested press CTRL+A, then Z.
6. To configure the serial settings press O (that’s O for Oscar not zero).
7. Select “Serial Port Setup”.
8. Press A to set the device.
9. As we discovered (above) ours is called ttyUSB0, so change the device to /dev/ttyUSB0.
10. Press C to change the connection speed to 9600 baud, Press Q (to set 8 bits, no stop bit, and 1 parity bit. On mine this was set by default), press {enter} to exit.
11. Press F to turn off hardware flow control (Some posts will say leave it on, I generally turn it off and I’ve never seen anything break!). Press G to disable software flow control (if enabled).
12. Then select “Save setup as..”, and give it a sensible name. (If you went back too far simply press O again to get back here).
13. Now the settings are saved you can launch them at any time with,
[box]sudo minicom {filename}[/box]
Note: Sometimes your serial drive gets locked up but a reboot will solve the problem.
14. Here’s me connected to an ancient old catalyst switch.
You try to connect to your Cisco CSC module, and see the following error.
Error: Activation Warning CSC is not activated. Please run setup wizard under Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup to perform setup process. Click OK button to to to Trend Micro Content Security Setup wizard.
Naturally if you’ve never setup the CSC you are going to see this, but what if it suddenly starts doing this?
3. This one’s unresponsive, it probably just needs restarting. To do that, issue the following command.
[box]hw-module module 1 reset[/box]
4. They can take a little while to come up (apply the cup of coffee rule). Then to see if it’s back up again use the same command you used earlier.
[box]sh mod 1 det[/box]
That didn’t work! Sometimes CSC modules do fail! I had one client go through three in a year. If doing the above or running through the setup wizard (you did write down the licence numbers that came with the CSC didn’t you?) doesn’t work, then you need to log a call to TAC.
2. Save the new config > File > “Save Running Configuration to flash”.
Cisco PIX (Version 6) Firewalls – Disable Web Management
If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. Your only option is to disable the PDM if you want to port forward https / ssl / TCP Port 443.
I had a client the other week with about 25 sites, his core site was changing ISP and therefore changing its IP address. On the main site this is pretty straightforward, just change the outside interface’s IP address, subnet mask and the default route (That’s the default gateway for non cisco-ites).
All well and good, but what about his other 24 sites? They all had VPNs back to the main site, and all these VPNs were “hairpinned” together for “spoke to spoke” communication.
Well you can simply delete the VPNs and recreate them, but multiply that by 24 – then add on all the extra config for the hairpins and that’s a massive amount of work (and for the client a LOT of downtime.) So a swift config change on the remote sites is a much better idea.
For Cisco PIX firewalls running version 6 click here.
3. To see all the cryptomaps issue a “show run crypto map” command (you may see more or less depending on the number of VPN tunnels you have).
[box]
RemoteSite(config)# show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123 <<<< Here it is!!!
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 144.144.144.144
crypto map outside_map 4 set transform-set ESP-3DES-SHA
RemoteSite(config)#[/box]
4. From the example above we can see the tunnel we want to change is using “outside_map 2”, so let’s remove the entry for the old IP address and put one in for the new IP address.
[box]
RemoteSite(config)# no crypto map outside_map 2 set peer 123.123.123.123
WARNING: The crypto map entry will be incomplete!
RemoteSite(config)# crypto map outside_map 2 set peer 234.234.234.234
RemoteSite(config)#[/box]
5. That’s the cryptomap changed, now for the tunnel group. You can see all your tunnel groups with a “sho run tun” command.
[box]
RemoteSite(config)# sho run tun
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l <<<< Here it is!!!
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *****
tunnel-group 133.133.133.133 type ipsec-l2l
tunnel-group 133.133.133.133 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group 144.144.144.144 type ipsec-l2l
tunnel-group 144.144.144.144 ipsec-attributes
pre-shared-key *****[/box]
6. To delete a tunnel group, you use the “clear config tunnel-group” command.
Note: Before you delete it, make sure you know the pre shared key / shared secret – to see this, issue a “more system:running-config” command.
[box]
RemoteSite(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
RemoteSite(config)#
[/box]
9. Job done!
Well, that didn’t seem very quick? No, but for the sake of explanation I did go a little deep. If you have multiple sites, just have the following in Notepad.
[box]
configure terminal
no crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set peer 234.234.234.234
clear config tunnel-group 123.123.123.123
tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
pre-shared-key 123456789
write mem
[/box]
Then simply jump from site to site changing the cryptomap name and shared secret for each one. If you get all this info first, you can migrate hundreds of sites in minutes, (That’s why I prefer command line to GUI ASDM).
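The per-site paste block described above can be generated from each site’s “show run crypto map” output rather than edited by hand, which also catches a site where the old peer is not actually configured. This is an added example, not part of the original article; the function names, the constructed sample output and the <PRE-SHARED-KEY> placeholder are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of "show run crypto map" output, modelled on the listing above.
SAMPLE = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def find_peer_entries(show_run, old_peer):
    """Return (map_name, sequence) for every crypto map entry listing old_peer."""
    hits = []
    for line in show_run.splitlines():
        m = PEER_RE.match(line.strip())
        # An entry may list several peers (primary plus backups) on one line.
        if m and old_peer in m.group(3).split():
            hits.append((m.group(1), int(m.group(2))))
    return hits


def migration_commands(show_run, old_peer, new_peer, psk="<PRE-SHARED-KEY>"):
    """Build the paste block for one site; psk defaults to a placeholder."""
    for addr in (old_peer, new_peer):
        ipaddress.ip_address(addr)  # raises ValueError on a mistyped address
    entries = find_peer_entries(show_run, old_peer)
    if not entries:
        # Refuse to emit anything rather than paste a block that matches nothing.
        raise ValueError(f"no crypto map entry references peer {old_peer}")
    cmds = ["configure terminal"]
    for name, seq in entries:
        cmds.append(f"no crypto map {name} {seq} set peer {old_peer}")
        cmds.append(f"crypto map {name} {seq} set peer {new_peer}")
    cmds += [
        f"clear config tunnel-group {old_peer}",
        f"tunnel-group {new_peer} type ipsec-l2l",
        f"tunnel-group {new_peer} ipsec-attributes",
        f"pre-shared-key {psk}",
        "write mem",
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(migration_commands(SAMPLE, "123.123.123.123", "234.234.234.234")))
```

Fill in the shared secret at paste time rather than storing it in the script or its output file.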
Option 2 From ASDM
1. Connect to the ASDM, Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Select the cryptomap going to 123.123.123.123 > Edit > Add the new IP Address.
2. Remove the old one > OK > Apply.
3. Configuration > Site-to-Site VPN > Advanced > Tunnel Groups > Select the old one > Delete > Apply.
4. Then to add a new one > Add > Set the Tunnel group name to the new IP > Enter the shared secret > OK > Apply.
5. Finally Save the changes > File > Save running configuration to Flash.
Cisco PIX (Version 6)
For older firewalls you will notice there is no “Tunnel-Group”, these came in with version 7. The process is similar, again you have to change the peer entry in the cryptomap, but you also need to set an isakmp peer.
[box]
no crypto map outside_map 20 set peer 123.123.123.123
crypto map outside_map 20 set peer 234.234.234.234
no isakmp key ******** address 123.123.123.123 netmask 255.255.255.255
isakmp key 123456789 address 234.234.234.234 netmask 255.255.255.255
[/box]
I had to update a Cisco PIX 515E last week. Cisco 500 firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. So as these units are now getting retired, or moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did for posterity, and to help anyone else out.
Note: Cisco 506E and 501 firewalls cannot be updated past version 6.3(5) see here.
Solution
AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.
Why you would NOT want to do this.
Bear in mind that https is a well known port, and it’s open in most places for secure web traffic. You use it when you purchase things over the internet, or do your banking. For that reason it’s allowed from most networks, and through most firewalls, which is what makes AnyConnect so handy. If you change the port then you may have some connection problems.
Solution
Assuming you accept the potential problems and want to swap the port over then do the following.
3. You can’t change the port while AnyConnect is enabled, so you need to disable it, change the port then re-enable it again (in this example I’ve changed it to port 444).
[box]
PetesASA(config)# webvpn
PetesASA(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
PetesASA(config-webvpn)# port 444
PetesASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
PetesASA(config-webvpn)#
[/box]
4. Save the changes with a write mem command.
[box]
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
PetesASA(config)#