Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, Log in via the web console > Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).
Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host > Configure > Services > Locate SSH > Start.
Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. From the same screen as above, with SSH selected > Edit Start-up Policy > Select ‘Start and stop with host’ > OK.
VMware Enable SSH 6.5
If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable ESX access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.
If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host > Configure > Security Profile > Scroll down to ‘Services’ > Edit.
Locate ‘SSH’ > Start > OK.
Once enabled you will see the following warning on the host’s summary page; however, in version 6.5 you can suppress this warning.
VMware Enable SSH ESX 5
ESX 5 has a built-in firewall, in which SSH can be opened from the VI client, or, just as with version 4.1.0, you can enable SSH locally from the console under Troubleshooting Options.
Enable Remotely
1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.
2. Locate SSH Server > Tick it > Options > You can either start it manually or set it to start automatically.
3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.
Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.
VMware Enable SSH ESX 4.0.1
Starting with version 4.0.1 you can enable SSH access from the server console.
1. Go to the normal ESX console > Press F2 > Log in > Troubleshooting Options.
2. Select “Enable Remote Tech Support” (toggle on and off with {Enter}) if you want to SSH into the server remotely, using PuTTY for example > If you want to log on directly at the console choose “Enable Local Tech Support”.
3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.
Grant SSH Access to ESX 4.0.0 and earlier
1. Go to the normal ESXi console.
2. Press ALT+F1 > the screen will change > Type unsupported {enter} > Note: Nothing will appear on the screen till you hit {enter} > Type in the root password and press {enter}.
3. You now need to edit a config file; the only editor we have is vi (sorry). Issue the following command,
[box]vi /etc/inetd.conf[/box]
4. The vi editor will open the file, use the arrow keys to move down to the line that says,
[box]#ssh stream tcp nowait root…[/box]
Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.
5. Then, to save the changes press {Esc} > type :wq {Enter} (that’s write the changes and quit, if you’re interested).
6. Enter the following command.
[box]
cat /var/run/inetd.pid
[/box]
It will provide you with a number (in the example below it’s 4983; yours will be different).
7. Issue the following command.
[box]
kill -HUP {the number you got from above}
[/box]
8. To get back to the usual ESXi screen and exit command line press ALT+F2.
9. You can now connect with an SSH client like PuTTY.
Related Articles, References, Credits, or External Links
To join Windows Server 2022 to a domain (local domain): the end process is the same as it’s always been; they’ve just made the job of getting there a little more convoluted (this is the same with Windows 11).
Solution: Server 2022 Domain Join
Whilst logged in as a (local) administrative user, click the Windows button > Settings.
System.
About.
Advanced system settings.
Computer name > Change.
Select the domain radio button > Type in the domain name (must be resolvable in DNS; if in doubt try ‘pinging’ the domain name) > OK > Enter a domain credential that has the right to add machines to the domain. (Here I’m using the domain admin account, but normally a domain user can add a number (10 by default) of machines to a domain) > OK.
BUG / BAD UI ALERT: Minimise the window (because the popup box you are waiting for will appear behind it (please fix this Microsoft!)) > OK.
Enter a domain credential that has the right to add machines to the domain. (Here I’m using the domain admin, but normally a user can add a number (10 by default) of machines to a domain) > OK.
After a few seconds it should tell you to reboot; you can do so by entering:
[box]
Restart-Computer
[/box]
PowerShell: Remove Windows Server 2022 from a Domain
I was having some problems setting up a Fortigate (VM64-KVM) firewall, and I needed to know (at the command line) how to view the address that had been assigned to it via DHCP.
View Fortigate DHCP address (from CLI)
The syntax required is:
[box]
config system interface
edit ?
[/box]
Note: Don’t forget the “?” at the end; it will not show on screen, as seen below.
View Fortigate DHCP address (from GUI)
If the GUI/Web access is working, simply go to Network > Interfaces.
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
Note 2: If your firewall is running a version older than 8.3 you will need to scroll down the page.
Port forwarding on Cisco firewalls can be a little difficult to get your head around. To better understand what is going on, remember that in the “World of Cisco” you need to remember two things:
1. NAT Means translate MANY addresses to FEW Addresses
2. PAT Means translate MANY addresses to ONE Address.
Why is that important, you ask? Well, most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything, e.g. the first connection outbound might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049, so when the traffic comes back the firewall knows where to send it.
Fair enough, but what has that got to do with port forwarding? Well, you can use the exact same system to lock a port to an IP address, so if only one port can go to one IP address then that’s going to give you port forwarding 🙂
To make matters more confusing (sorry) you configure PAT in the NAT settings; for this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding (the ASDM is better than the old PIX PDM), but most people (me included) prefer to use the command line to do port forwarding.
Note: This option uses ASDM Version 7.9(2). If yours is older see below.
Connect to the ASDM, Configuration > Firewall > NAT Rules > Right Click ‘Network Object Nat Rules’ > Add ‘Network Object’ Nat Rule.
Name = “Give the internal server/host a sensible name” > Type = Host > IP Address = The internal / private IP address > Type = Static > Translated address = Outside > Advanced > Source Interface = Inside > Destination Interface = Outside > Protocol = TCP > Real port = http > Mapped Port = http > Ok > OK > Apply.
Note: This assumes your outside interface is called outside, your inside interface is called inside, and you want to forward TCP port 80 (http).
Interface = Outside > Action = Permit > Source = Any > Destination {Browse} > Locate the object you created earlier > Add to Destination > OK.
Service {Browse} > Select the Port you require (i.e. http) > OK.
OK > Apply > When you have tested it works, save the changes.
Using Older ASDM (PIX V7 and ASA5500) 1 Port to 1 IP Address
1. As above, you will need to know the port and the IP to forward it to. Launch the ASDM, select Configuration > Security Policy > then either Rules > Add, or right click the incoming rules and select “Add Access Rule.”
2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp (for example) > OK > Apply.
3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click “Add Static NAT Rule.”
4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick “Enable Port Translation (PAT) > Protocol = TCP > Original Port = smtp > Translated Port = smtp (for example) > OK > Apply.
5. File > “Save Running Configuration to Flash.”
Option 2 Use the Command Line to Port Forward (Post Version 8.3)
Note: Port forwarding changed on PIX/ASA devices running OS 8.3 and above. There is no longer a global command; for a full run-down of the changes click here.
If you issue a global command after version 8.3 you will see this error:
ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.
1. First things first, you will need to know what port you want to forward, and where you want to forward it. For this example we will assume I’ve got a web server at 10.254.254.5, so I want to forward all TCP port 80 traffic (HTTP) to it. Connect to the firewall via console, Telnet or SSH.
[box]
Warning Notice
User Access Verification#
Password:********
Type help or '?' for a list of available commands.
Petes-ASA>
[/box]
2. Enter enable mode, and enter the enable mode password.
[box]
Petes-ASA> enable
Password:********
Petes-ASA#
[/box]
3. Now we need to go to configuration mode.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
4. Create an object for the web server that the traffic is going to be forwarded to.
6. Now you need to allow the HTTP traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound, for obvious reasons). To see if you already have an ACL applied, issue the following command:
[box]
Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside
[/box]
Note: In the example above we have an ACL called inbound that we MUST use (if you added a new one, all the access list entries for the old one would get ‘un-applied’). If yours has a different name (e.g. outside_access_in) then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic then we will do that at the end!
[box]
Petes-ASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http
[/box]
7. Then: only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.
[box]
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#
[/box]
8. Don’t forget to save your hard work (write memory). The complete configuration from the steps above is:
[box]
object network Internal_Web_Server
host 10.254.254.5
nat (inside,outside) static interface service tcp http http
access-list inbound permit tcp any object Internal_Web_Server eq http
access-group inbound in interface outside
[/box]
Use the Command Line to Port Forward (pre version 8.3) 1 Port to 1 IP Address
1. First things first, you will need to know what port you want to forward, and where you want to forward it. For this example we will assume I’ve got a server at 10.254.254.1 and it’s a mail server, so I want to forward all TCP port 25 traffic to it. Connect to the firewall via console, Telnet or SSH.
[box]
Warning Notice
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
Petes-ASA>
[/box]
2. Enter enable mode, and enter the enable mode password.
[box]
Petes-ASA> enable
Password: ********
Petes-ASA#
[/box]
3. Now we need to go to configuration mode.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
4. Now you need to allow the traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound, for obvious reasons). To see if you already have an ACL applied, issue the following command:
[box]
Petes-ASA#show run access-group
access-group inbound in interface outside
access-group outbound in interface inside
[/box]
Note: In the example above we have an ACL called inbound that we MUST use (if you added a new one, all the access list entries for the old one would get ‘un-applied’). If yours has a different name (e.g. outside_access_in) then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic then we will do that at the end!
5. Then: only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.
[box]
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#
[/box]
6. Lastly, the command that actually does the port forwarding (the static command), and the ACL entry that allows the traffic in.
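As an added example (not the article’s own code, and not from Cisco), the Python helper below builds the port-forwarding lines from the inputs the two walkthroughs above use: the internal host, the TCP port, and the output of show run access-group. It emits either the post-8.3 object-NAT form shown above or the pre-8.3 form, and reuses an ACL that is already applied inbound on the outside interface rather than replacing it. The pre-8.3 static and interface-ACL syntax is assumed here, since the article does not show that box.

```python
"""Cisco ASA port-forwarding config builder (added example, not from the article).

Takes the inputs the walkthroughs above use (internal host, TCP port, and the
output of 'show run access-group') and returns the lines for either the 8.3+
object-NAT syntax or the pre-8.3 'static' syntax, reusing an ACL that is already
applied inbound on the outside interface instead of replacing it.
"""
import ipaddress
import re

# Matches lines such as:  access-group inbound in interface outside
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def inbound_acl_name(show_run_access_group, outside_if="outside"):
    """Return the ACL already applied 'in' on outside_if, or None if there is none.

    Reusing it matters: binding a new access-group to the interface replaces the
    old one, 'un-applying' every entry it contained.
    """
    for line in show_run_access_group.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m and m.group(2) == outside_if:
            return m.group(1)
    return None


def port_forward_config(real_ip, port, show_run_access_group, *, object_name,
                        pre_83=False, inside_if="inside", outside_if="outside",
                        default_acl="inbound"):
    """Config lines forwarding TCP `port` on the outside interface IP to `real_ip`.

    `port` may be a number or an ASA port name such as http or smtp.  Raises
    ValueError if real_ip is not a valid IPv4 address.
    """
    ipaddress.IPv4Address(real_ip)
    existing = inbound_acl_name(show_run_access_group, outside_if)
    acl = existing or default_acl
    lines = []
    if pre_83:
        # Pre-8.3 (assumed classic syntax): 'static' does the PAT and the ACL
        # matches the mapped (outside interface) address.
        lines.append(f"static ({inside_if},{outside_if}) tcp interface {port} "
                     f"{real_ip} {port} netmask 255.255.255.255")
        lines.append(f"access-list {acl} extended permit tcp any "
                     f"interface {outside_if} eq {port}")
    else:
        # 8.3 and later: object NAT, and the ACL matches the real (inside) address.
        lines += [
            f"object network {object_name}",
            f" host {real_ip}",
            f" nat ({inside_if},{outside_if}) static interface service tcp {port} {port}",
            f"access-list {acl} extended permit tcp any object {object_name} eq {port}",
        ]
    if existing is None:
        # Only bind the ACL to the interface when nothing is applied there yet.
        lines.append(f"access-group {acl} in interface {outside_if}")
    return lines


if __name__ == "__main__":
    # Constructed sample of 'show run access-group' output, as in the article.
    SHOW_RUN = ("access-group inbound in interface outside\n"
                "access-group outbound in interface inside\n")
    print("\n".join(port_forward_config("10.254.254.5", "http", SHOW_RUN,
                                        object_name="Internal_Web_Server")))
```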
Option 3 Use the PIX Device Manager (PIX Version 6 Only) 1 Port to 1 IP Address
1. As above, you will need to know the port and the IP to forward it to. Launch the PIX Device Manager, select Configuration > Access Rules > then either click Rules > Add, or right click an incoming rule and select “Insert Before” or “Insert After”.
2. Under “Action” select “Permit”; under Source Host/Network select “Outside” and all the zeros; under Destination Host/Network select “Inside” and all the zeros; then set the “Destination Port” to smtp > OK > Apply.
3. Now select the “Translation Rules” tab > Rules > Add, or right click a rule and select “Insert Before” or “Insert After”.
4. In this example I’ve set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I’ve blurred out the public IP address; you will need to add this also) > OK > Apply.
5. Finally save your work > File > “Save Running Configuration to Flash.” > Exit.
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
Note: This is quite an OLD POST; only use these instructions if you need to create a VPN tunnel that uses IKEv1 (i.e. the other end is not a Cisco ASA, or it’s a Cisco ASA running code older than 8.4). You can still use an IKEv1 tunnel of course, so this article is still valid; it’s just that IKEv2 has some better levels of encryption.
Everyone else, go to the following article instead!
Note: There have been a number of changes both in NAT and IKE on the Cisco ASA that mean commands will vary depending on the OS that the firewall is running, so make sure you know what version your firewall is running (either by looking at the running config or by issuing a “sho ver” command).
Note 2: Cisco introduced IKE version 2 with ASA 8.4(x). This assumes we are configuring a tunnel using IKE version 1. (For version 2, both ends need to be running version 8.4(x) or greater).
Before you start, you need to ask yourself “Do I already have any IPSEC VPNs configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto” command and check the results; if you do NOT see “crypto isakmp enable outside” or “crypto ikev1 enable outside” then you need to issue that command.
[box]
Firewall Running an OS of 8.4(x) or newer
PetesASA# show run crypto
crypto ikev1 enable outside << Mine’s already enabled and it’s IKE version 1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
Firewall Running an OS Earlier than 8.4(x)
PetesASA# show run crypto
crypto isakmp enable outside << Mine’s already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
[/box]
1. I’m going to create access control lists next: one to tell the ASA what is “interesting traffic”, that’s traffic that it needs to encrypt. If you are running an ASA older than version 8.3(x) you will need to create a second access list to STOP the ASA performing NAT on the traffic that travels over the VPN.
Warning (ASA version 8.3 or older): If you already have NAT-excluded traffic on the firewall (for other VPNs) this will BREAK THEM. To see if you do, issue a “show run nat” command; if you already have a nat (inside) 0 access-list {name} entry, then use that {name}, NOT the one in my example.
So below I’m saying “Don’t NAT traffic from the network behind the ASA (10.254.254.0) that’s going to the network behind the VPN device at the other end of the tunnel (172.16.254.0)”.
[box]
Firewall Running an OS of 8.3(x) or newer
PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup
Firewall Running an OS Earlier than 8.3(x)
PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC line 1 extended permit
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)#nat (inside) 0 access-list NO-NAT-TRAFFIC
[/box]
2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site-to-site VPN tunnel (“l2l”), and create a shared secret that will need to be entered at the OTHER end of the site-to-site VPN tunnel. I also set a keepalive value.
Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.
3. Now we need to create a policy that will set up how “Phase 1” of the VPN tunnel will be established. We have already put in a shared secret; this policy will make sure we use it. It also sets the encryption type (3DES), the hashing algorithm (SHA) and the level of PFS (Group 2). Finally it sets the timeout before Phase 1 needs to be re-established; it sets the timeout value to 86400 seconds (that’s 1440 minutes, or 24 hours if you’re still confused 🙂 ).
[box]
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)# crypto ikev1 policy 10
PetesASA(config-ikev1-policy)#authentication pre-share
PetesASA(config-ikev1-policy)#encryption 3des
PetesASA(config-ikev1-policy)#hash sha
PetesASA(config-ikev1-policy)#group 2
PetesASA(config-ikev1-policy)#lifetime 86400
Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)# crypto isakmp policy 10 authentication pre-share
PetesASA(config)# crypto isakmp policy 10 encryption 3des
PetesASA(config)# crypto isakmp policy 10 hash sha
PetesASA(config)# crypto isakmp policy 10 group 2
PetesASA(config)# crypto isakmp policy 10 lifetime 86400
[/box]
4. We stated above that we are going to use 3DES and SHA, so we need a “Transform Set” that matches.
[box]
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
[/box]
5. Finally we need to create a “Cryptomap” to handle “Phase 2” of the VPN tunnel, which also will use 3DES, SHA and PFS. And last of all we apply that Cryptomap to the outside interface.
[box]
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
PetesASA(config)# crypto map outside_map 1 set pfs group2
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123
PetesASA(config)# crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
PetesASA(config)# crypto map outside_map interface outside
Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
PetesASA(config)# crypto map outside_map 1 set pfs group2
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123
PetesASA(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA
PetesASA(config)# crypto map outside_map interface outside
[/box]
6. Don’t forget to save your hard work with a “write mem” command.
[box]
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
[/box]
7. Simply configure the other end as a “Mirror Image” of this one.
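The “mirror image” step is where most mismatched tunnels come from, so as an added example (not the article’s code, and not from Cisco) the Python below generates the 8.4+ configuration for one firewall and then the mirror image for its peer, and checks that the two ends line up. It follows the commands above; the tunnel-group lines (named after the peer IP, as the article says) are assumed standard ASA syntax, and the site names, addresses and pre-shared key are constructed placeholders.

```python
"""Both ends of an IKEv1 site-to-site tunnel, 8.4+ syntax (added example, not
the article's code).  Generates the config for one firewall, then the mirror
image for the peer, and checks that the two line up.  The tunnel-group lines
(named after the peer IP, as the article says) are assumed standard ASA syntax.
"""
import ipaddress


def site_config(local, remote, psk, *, encryption="3des", seq=1):
    """Config lines for the firewall at `local`, peering with `remote`.

    local/remote are dicts with 'name', 'subnet' (CIDR) and 'outside_ip'.
    encryption defaults to the article's 3DES; pass "aes" for a modern cipher.
    """
    loc = ipaddress.ip_network(local["subnet"])
    rem = ipaddress.ip_network(remote["subnet"])
    if loc.overlaps(rem):
        # Overlapping LANs cannot be routed across the tunnel without extra NAT.
        raise ValueError(f"subnets overlap: {loc} and {rem}")
    peer = str(ipaddress.ip_address(remote["outside_ip"]))
    acl, cmap = "VPN-INTERESTING-TRAFFIC", "outside_map"
    tset = f"ESP-{encryption.upper()}-SHA"
    return [
        f"object network {local['name']}",
        f" subnet {loc.network_address} {loc.netmask}",
        f"object network {remote['name']}",
        f" subnet {rem.network_address} {rem.netmask}",
        # Interesting traffic: what the ASA must encrypt.
        f"access-list {acl} extended permit ip object {local['name']} object {remote['name']}",
        # Identity NAT so traffic for the far side is not translated.
        f"nat (inside,outside) source static {local['name']} {local['name']} "
        f"destination static {remote['name']} {remote['name']} no-proxy-arp route-lookup",
        f"tunnel-group {peer} type ipsec-l2l",
        f"tunnel-group {peer} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
        "crypto ikev1 enable outside",
        "crypto ikev1 policy 10",
        " authentication pre-share",
        f" encryption {encryption}",
        " hash sha",
        " group 2",
        " lifetime 86400",
        f"crypto ipsec ikev1 transform-set {tset} esp-{encryption} esp-sha-hmac",
        f"crypto map {cmap} {seq} match address {acl}",
        f"crypto map {cmap} {seq} set pfs group2",
        f"crypto map {cmap} {seq} set peer {peer}",
        f"crypto map {cmap} {seq} set ikev1 transform-set {tset}",
        f"crypto map {cmap} interface outside",
    ]


def both_ends(site_a, site_b, psk, **kw):
    """(config for A, config for B): B is the mirror image of A."""
    return (site_config(site_a, site_b, psk, **kw),
            site_config(site_b, site_a, psk, **kw))


def _lines(cfg, prefix):
    return [l for l in cfg if l.startswith(prefix)]


def is_mirror(cfg_a, cfg_b):
    """True when A's local/remote objects are B's remote/local, and the
    pre-shared key and transform set match on both sides."""
    a = _lines(cfg_a, "access-list ")[0].split()
    b = _lines(cfg_b, "access-list ")[0].split()
    # ... permit ip object <local> object <remote>
    swapped = (a[-3], a[-1]) == (b[-1], b[-3])
    same_psk = _lines(cfg_a, " ikev1 pre-shared-key") == _lines(cfg_b, " ikev1 pre-shared-key")
    same_tset = _lines(cfg_a, "crypto ipsec") == _lines(cfg_b, "crypto ipsec")
    return swapped and same_psk and same_tset


if __name__ == "__main__":
    # Constructed sites; the IPs and key are placeholders.
    A = {"name": "Site-A-SN", "subnet": "10.254.254.0/24", "outside_ip": "123.123.123.123"}
    B = {"name": "Site-B-SN", "subnet": "172.16.254.0/24", "outside_ip": "234.234.234.234"}
    for cfg in both_ends(A, B, "example-psk"):
        print("\n".join(cfg), end="\n\n")
```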
ASA 5500 Site to Site VPN Copy and Paste Config
Note: This uses AES and SHA. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.
This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self-signed certificates, so you will see this error when you attempt to connect.
Solution
1. The first job is to go and get the AnyConnect client package(s); download them from Cisco (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.
2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, and also create a network object that covers that pool of addresses, which we will use later.
[box]
Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
[/box]
3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.
[box]
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
[/box]
4. I’m going to create a LOCAL username and password; I suggest you do the same, then once you have proved it’s working OK you can change the authentication method (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.
But if you want to use the native Windows VPN client you can still use L2TP over IPSEC. I had a look around the net to work out how to do this and most decent articles are written using the older versions of the ASDM, and the CLI information I found on Cisco’s site didn’t help either.
What I’m using
1. Cisco ASA5525 version 9.2(4) and ASDM version 7.6(1).
2. Network behind the ASA 192.168.110.0/24.
3. IP addresses of the remote clients 192.168.198.1 to 254 (DNS 192.168.110.10).
Configure the ASA 5500 for L2TP IPSEC VPNs from ASDM
1. From within the ASDM > Wizards > VPN Wizards > IPSec (IKEv1) Remote Access VPN Wizard.
2. Next.
3. Tick Microsoft Windows Client using L2TP over IPSEC > Tick MS-CHAP-V2 ONLY > Next.
4. Type in a pre-shared key > Next.
5. Select LOCAL authentication > Next.
6. Enter a username/password to use for connection to the VPN > Next.
7. Create a ‘VPN Pool’ for the remote clients to use as a DHCP pool > OK > Next.
8. Enter your internal DNS server(s) and domain name > Next.
9. Set your internal network(s) > Tick “Enable Split tunnelling…” > Untick PFS > Next.
10. Finish.
11. Save the changes.
Configure the ASA 5500 for L2TP IPSEC VPNs from CLI
1. Connect to the ASA, go to “enable mode”, then to “configure terminal mode”.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#
[/box]
2. First we need to create a “Pool” of IP addresses for the remote client to use.
[box]
PetesASA(config)# ip local pool L2TP-Pool 192.168.198.1-192.168.198.10
[/box]
3. Now make sure the traffic that’s going to travel over our VPN is not NATTED.
Note: This is assuming that 192.168.100.0/24 is the remote VPN clients subnet, and 10.254.254.0/24 is the subnet BEHIND the ASA.
4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected; to stop this you need to enable “Split Tunnelling”. You will refer to this later, but for now we just need to create an ACL.
[box]
PetesASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.110.0 255.255.255.0
[/box]
5. We need a “Transform Set” that will be used for “Phase 2” of the tunnel, I’m going to use AES encryption and SHA hashing, then set the transform type to “Transport”.
6. Remote VPNs usually use a “Dynamic Cryptomap”; the following will create one that uses our transform set, then applies that to the firewall’s outside interface.
7. Then enable IKE (version 1) on the outside interface, and create a policy that will handle “Phase 1” of the tunnel, in this case 3DES for encryption, SHA for hashing, and Diffie-Hellman group 2 for the secure key exchange.
8. Create a group policy that holds the following: the DNS server IP(s) that will be leased to the remote clients, the tunnel type (L2TP-IPSEC), split tunnelling enabled using the ACL we created in step 4, and the domain name that will be given to the remote clients. The “intercept-dhcp enable” looks after a Windows client problem. And finally create a user and password.
Note: In this example I’m using the ASA’s local database of users for authentication.
9. Every tunnel needs a “Tunnel Group”. You HAVE TO use the DefaultRAGroup (unless you are securing things with certificates, which we are not). This pulls in the IP pool we created in step 2 and the policy we created in step 8.
10. For the tunnel group, set up a shared key and the authentication method for our clients.
Note: We are disabling CHAP and enabling MSCHAP v2.
[box]
PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)# no authentication chap
PetesASA(config-ppp)# authentication ms-chap-v2
[/box]
11. Finally save the new config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500
Note: Windows 10 Enterprise used.
1. Start > Settings > Network and Internet.
2. VPN > Add a VPN Connection.
3. VPN Provider = Windows (Built-in) > Connection Name = (A Sensible name) > Server name or Address = Public IP/Hostname of the ASA > Scroll Down.
4. VPN Type = L2TP/IPSEC with pre-shared key > Pre Shared Key = {the one you set on the firewall in our example 1234567890} > Type of sign-in information = Username and Password.
Note: You may want to untick “Remember my sign-in information” to supply a username and password each time.
5. Start > ncpa.cpl {Enter} > Right click your VPN connection profile > Properties.
6. Security Tab > Allow These Protocols > Tick “Microsoft CHAP version 2 (MS-CHAP v2)” > OK.
7. You can now connect your VPN.
We had the ‘run as’ service way back in Windows 2000, so the concept of running a command window ‘as administrator’ should not be difficult to understand. But the number of times I tell people ‘You need to run that as administrator’, and they reply ‘I AM an administrator’ is far too high. With PowerShell there’s no way of knowing, and with command prompt the differences are subtle.
Solution
There’s a myriad of different ways to launch an administrator command window; here are a few. If I’ve missed any let me know.
Launch Powershell in Administrative Mode
Powershell administrative mode (from Within Powershell)
If you’re already in PowerShell you can open an administrative PowerShell window with the following command:
[box]
Start-Process PowerShell -Verb RunAs
[/box]
Powershell Administrative Mode (from Start Menu)
Option 1: From Start/Search > Powershell > Right Click Windows PowerShell > Run as administrator.
Option 2: Start > Right Click Windows PowerShell > Run as administrator.
Option 3: Start > Windows PowerShell > Windows Powershell > Run as Administrator.
Option 4: Right Click Start Menu (or Press Windows+X) > Window Powershell (Admin).
Option 5: Launch Task Manager > File > Run new task > Powershell > Tick ‘Create this task with administrative privileges’.
Powershell Administrative Mode (from Windows Explorer)
From Windows Explorer > File > Open Windows PowerShell as administrator.
Launch Command Prompt in Administrative Mode
Administrator Command Prompt From Start Menu. (Windows 10 and Server 2016/2019)
From the Start/Search option > Type cmd > Then right click Command Prompt and select ‘Run as administrator’.
Command Prompt (Admin) – Windows 10 (& Server 2016/2019)
Right click the Start Button > Command Prompt (Admin)
Command Prompt (Admin) – Windows 8 (& Server 2012) Quick Links Menu
Press Windows Key+X > Select Command Prompt (Admin)
Administrator Command Prompt From Start Menu. (Windows 8 and Server 2012)
If you have the new Windows 8/2012 Start Menu (that we can’t call Metro any more), then type ‘command’ in the search window, then either right click and select ‘Run as administrator’, or press Ctrl+Shift+Enter to launch.
If you have the traditional start menu enabled or are running Windows 7/Vista, you can type command in the search/run box, then
Create An Always Run As Administrator Command Prompt Shortcut
1. Right click an empty area of your desktop > New > Shortcut.
2. Set the location to ‘cmd’ > Next > Call it Admin Command > Finish.
3. Right click your new shortcut > Properties.
4. Shortcut > Advanced > Run as administrator > Apply > OK.
Launch Admin Command Prompt from Task Manager.
Launch Task Manager (Ctrl+Shift+Esc) > File > Run new task > cmd > Tick ‘Create this task with administrative privileges’.
Launch Command Prompt ‘As Administrator’ From Command/Run.
I’m not a fan of this; in fact I only include it here for completeness. You can call a command window and run it as administrator from command (or the run box (Windows Key+R)). The reason I don’t like this is that you need to enter the machine’s local administrator password for it to work.
[box]
runas /user:%computername%\administrator cmd
[/box]
If there’s any I’ve missed feel free to drop me an email, and I will update the article.
This is a simple job to do from the command line; however, the world is full of people who would rather spend an hour in the ASDM working out how to do it! So I’ve included both methods.
What is split tunneling?
This is the process of letting a remote VPN user browse the web and access local resources etc. from their location whilst connected to your VPN, in this case via SSL VPN, but also from WebVPN or IPSEC VPN.
Solution
Option 1 Enable Split Tunnel via Command Line.
1. Connect to the ASA > Go to enable mode > Then to global configuration mode > Create an ACL that permits traffic from the network behind the ASA to any. (Note: Add additional ACL entries for additional internal networks.)
[box]
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal
PeteASA(config)# access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0
[/box]
2. Add the split tunnel to the policy you are using for your remote VPN (if you are unsure, issue a show run group-policy), then save the changes.
[box]
PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09
3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#
[/box]
Enable Split Tunnel on an older PIX Firewall
[box]
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ******
PetesPIX# configure terminal
PetesPIX(config)# access-list Split-Tunnel permit ip 10.0.0.0 255.255.255.0 any
PetesPIX(config)# vpngroup RemoteVPN split-tunnel Split-Tunnel
[/box]
Option 2 Enable Split Tunnel via ASDM
1. Launch the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select your policy.
2. Edit > Select Advanced > Split Tunneling.
3. Next to Policy > Untick “Inherit” > Change to “Tunnel Network List Below”.
4. Next to “Network List” remove the tick from Inherit > Click Manage.
5. Add ACL > Call it something sensible like Split-Tunnel > OK.
6. Then click Add ACE.
7. Select Permit and enter the network BEHIND THE ASA > OK.
8. Should look a bit like this > OK.
9. OK.
10. Apply > File > Save running configuration to flash.
I’ve been rebuilding some Hyper-V hosts over the last few weeks, and one thing I learned rebuilding VMware ESX hosts is: ‘make sure you know what all the network cards are doing before you flatten it!’
The same is true of storage as well but here I’m just concentrating on networking.
List Network Cards and MAC Addresses
If you have these documented you can rename the network cards correctly after the rebuild, and the MAC addresses ensure you have the right names assigned to the right NICs (without having to go and check all the cabling afterwards!).
From the names of the network connections above we can see we are using network teaming, but even if yours don’t have sensible names, you can get the team names and the NICs that are a member of each team with the following command:
[box]Get-NetLbfoTeam[/box]
List NICs and IP addresses
To see what IP addresses are in use on which NICs (physical or virtual) use the following: