Cisco ASA Static (One to One) NAT Translation

KB ID 0000691

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).

This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X.

Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.

Find out your Cisco ASA version (Operating system and ASDM)

If you only have one public IP address you would need to carry out port forwarding instead.

Cisco ASA 5500 (and PIX) Port Forwarding

Solution

In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).

Create a Static NAT and allow web traffic via ASDM

Note for the command line alternative see below.

1. Connect to the ADSM.

2. Configuration > Firewall > NAT Rules > Add > Add “Network Object” NAT Rule.

3. Give the ‘object’ a name (I usually prefix them with obj-{name}) > It’s a Host > Type in it’s PRIVATE IP address > Tick the NAT section (press the drop-down if its hidden) > Static > Enter it’s PUBLIC IP address > Advanced > Source = Inside > Destination > Outside > Protocol TCP. Note: You could set this to IP, but I’m going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.

4. Now navigate to Firewall > Access Rule > Add > Add Access Rule.

5. Interface = outside > Permit > Source = any > Destination = PRIVATE IP of the host > Service > Press the ‘more’ button > Locate TCP/HTTP > OK > OK > Apply.

6. Then save your work with a File > Save Running Configuration to Flash.

Create a Static NAT and allow web traffic via Command Line

1. Connect to the ASA via Command Line.

2. Log In > Go to enable mode > Go to configure terminal mode.

[box]

User Access Verification

Password:*******
 
Type help or '?' for a list of available commands.
 PetesASA> enable
 Password: *******
 PetesASA# conf t
 PetesASA(config)
[/box]

3. First I’m going to allow the traffic to the host (Note: after version 8.3 we allow traffic to the private (per-translated IP address). This assumes you don’t have an inbound access list if you are unsure execute a “show run access-group” and if you have one applied substitute that name for the word ‘inbound’.

Warning before carrying out applying the ‘access-group’ command, see the following article;

Cisco ASA – ‘access-group’ Warning

[box]

PetesASA(config)# access-list inbound permit tcp any host 172.16.254.1
PetesASA(config)# access-group inbound in interface outside[/box]

4. Then to create the static translation.

[box]

PetesASA(config)# object network obj-172.16.254.1 
PetesASA(config-network-object)# host 172.16.254.1 
PetesASA(config-network-object)# nat (inside,outside) static 81.81.81.82 
PetesASA(config-network-object)# exit 
PetesASA(config)#
[/box]

5. Then save the changes.

[box]
PetesASA(config)# wr mem 

Building configuration... 
Cryptochecksum: 89faae4b 7480baa4 bf634e87 470d2d30 
6224 bytes copied in 1.10 secs (6224 bytes/sec) 
[OK]
[/box]

Static NAT Commands to Copy & Paste

[box]

access-list inbound permit tcp any host 172.16.254.1
access-group inbound in interface outside
object network obj-172.16.254.1
 host 172.16.254.1
 nat (inside,outside) static 81.81.81.82
[/box]

Note: Check and change the values in bold as appropriate

Related Articles, References, Credits, or External Links

NA

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com 
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act 

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act [/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

Microsoft PKI Planning and Deploying Certificate Services

KB ID 0001309

Problem

“I don’t know what it is about Certificates, I just don’t like them, I don’t understand them, and I don’t like working with them”

I hear this a lot, In fact I heard it this week, and as I’m usually the ‘go-to-guy’ for certificates and PKI, it winds me up! IT pros take the time to learn concepts like DNS, DHCP, Kerberos etc. But mention Certificate Services and heads disappear below monitors and silence decends.

OR WORSE: Someone adds the role, clicks Next > Next > Next > Job done! Lets have tea and medals!

So in typical PNL fashion lets simplify everything, get everyone on the same page. And most importantly, lay out how to do it so I don’t have to do it for you!

Solution

To design PKI well, you need to decide if you want a two or three tier PKI environment. 

What can’t I just have one CA Server? (Hmm your the Next > Next > Next > Job Done Person Eh?) Well you can! But if that one server breaks, (or get compromised.) Then you are in trouble. Plan you deployment properly and save yourself a headache.

Two Tier Or Three Tier PKI? That’s your call, The main advantage of three tier PKI is, if one of your issuing servers, is compromised, you don’t need to bring the offline Root CA back online to re-issue its certificate. I have a client who have an issuing server in their DMZ so this was a good fit for them. For most domains Two Tier is the best option.

So I can only have one issuing Server? No, I just put one on the diagram for simplicity, you can have 1, or 100, or 1000, it’s up to you.

Do I need CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol) On a Separate Server? Strictly speaking No, but it’s considered good practice, and if you need to advertise a CRL externally, it is more secure. 

PKI Terminology Differences

You will notice I’ve mentioned a Root CA, an Intermediate CA, and an Issuing CA. This is to better explain the architecture and define a difference between an Intermediate CA, and an Issuing CA. Microsoft does not care,.Both of those servers are SubCA servers in Microsoft speak. 

Deploying an Offline Root CA

Whichever architecture you choose this will be your fist step. The offline Root CA is a non domain joined machine, its sole job is to issue SubCA certificates to your intermediate CAs (three tier PKI), or issuing CAs (two tier PKI). When you have finished you power off the Offline Root CA and keep it off.

Note: In my example I want my Root CA Cert to last 20 years

Before You Install Anything: Create a CAPolicy.inf file you can edit it with notepad. You may want to change the validity period, you certainly will need to change the legal notice URL (more on this later) to your own domain FQDN (Note: If you need people outside your organisation, (either at a partner, or just someone the public internet) to see that, ensure that URL is addressable.

Sample Offline Root CA CAPolicy.inf

[box]

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.cabench.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[/box]

Save the CAPolicy.inf file to C:\Windows, Make sure it’s not called Capolicy.inf.txt, (or it wont work).

Launch Server Manager > Manage > Add Roles and Features.

Role Based >  Next > Select the local server > Next  > Select ‘Active Directory Certificate Services’ > Add Features  > Next.

No other features are required > Next > Next > Certification Authority > Next.

Next > Next > Close.

Configure Active Directory Certificate Services.

Accept the default (local administrator) > Next > Certification Authority > Next.

Stanalone CA > Next > Root CA > Next.

Create a new private key > Next > Make sure the hash algorithm is SHA 256 (NOT SHA1) > Next.

Give the CA a sensible name > Next > Set the validity period (as mentioned above I’m going for 20 years) > Next.

All the default can now be accepted > Next > Next > Close.

Launch the Certification Authority Management console and make sure we have a green tick.

Now we need to ‘Stamp’ Certificates issued by this CA Server with some domain information, but we have no connection to the domain, so we need to do it manually. Open an administrative command window and execute the following commands;

Note: I want my SubCA certificate to be valid for 15 years, if you want longer/shorter then adjust the figures below

[box]

Certutil –setreg CA\DSConfigDN “CN=Configuration,DC=cabench,DC=com”

Certutil –setreg CA\CACertPublicationURLs “1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.cabench.com/pki/%1_%3%4.crt”

Certutil –setreg CA\CRLPublicationURLs “1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.cabench.com/pki/%3%8%9.crl”

Certutil –setreg CA\CRLPeriodUnits 52 

Certutil –setreg CA\CRLPeriod “Weeks” 

Certutil –setreg CA\CRLOverlapPeriodUnits 12 

Certutil –setreg CA\CRLOverlapPeriod “Hours” 

Certutil –setreg CA\ValidityPeriodUnits 15 

Certutil –setreg CA\ValidityPeriod “Years” 

Certutil –setreg CA\AuditFilter 127

net stop certsvc

net start certsvc

Certutil –crl

[/box]

Now my Offline Root server is not connected to a network, (because that’s best practice,) and as it’s a virtual machine the only way to get files from it is to use a virtual floppy drive, Im going to copy both my Root CA Certificate and CRL file to my floppy drive.

[box]Copy C:\Windows\System32\Certsrv\CertEnroll\*.* A:\[/box]

Now TAKE THESE FILES TO A DOMAIN JOINED MACHINE, and execute the following commands.

[box]

cd a:\
certutil -dspublish -f 01-Root-CA_ROOT-CA.crt RootCA
certutil –addstore –f root 01-Root-CA_ROOT-CA.crt
certutil –addstore –f root ROOT-CA.crl
certutil -dspublish  ROOT-CA.crl

[/box]

Note: These command publish the CA Certificate, (and its CRL) into Active Directory. You can see where, if you open the path shown in the example in ADSIEdit.msc (CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain})

See Microsoft PKI Planning and Deploying Certificate Services Part 2

Related Articles, References, Credits, or External Links

NA

MAC TFTP Software (OS X )

Mac TFTP KB ID 0001247

Problem

Every time I go to a networking event theres a sea of MacBooks in the audience, If techs like MacBooks so much why is there such a lack of decent Mac TFTP software?

Solution

The thing is, I’m looking at the problem with my ‘Windows User’ head on. When I have a task to perform I’m geared towards looking for a program do do that for me. OS X is Linux (There I said it!) Linux in a pretty dress, I’ll grant you, but scratch the surface a little bit and there it is.

Why is that important? Well your already holding a running TFTP server on your hand, your MAC is already running a TFTP server, you just need to learn how to use it.

MAC TFTP Server (OS X Native)

As I said it’s probably running anyway, but to check, open a Terminal window and issue the following command;

[box]netstat -atp UDP | grep tftp[/box]

If it’s not running you can manually start and stop the TFTP server with the following commands;

[box]Start TFTP

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist

Stop TFTP

sudo launchctl unload -F /System/Library/LaunchDaemons/tftp.plist[/box]

Note: In macOS Catalina, it’s disabled by default, so if you don’t manually start it, you will see errors like;

[box]

%Error reading tftp://192.168.1.20/cisco-ftd-fp1k.6.6.0-90.SPA (Timed out attempting to connect)
[/box]

It would normally go without saying, but If I don’t say it, the post will fill up with comments! Make sure your Mac is physically connected to the same network as the network device, and has an IP address in the same range.

And make sure the device, and the Mac can ‘ping’ each other.

Use Mac TFTP Deamon To Copy a File To a Network Device

I’ve got a Cisco ASA 5505, but whatever the device is, does not really matter. You will have a file that you have downloaded, and you want to ‘send’ that file to a device. This file will probably be in your ‘downloads’ folder, the TFTP deamon uses the /private/tftpboot folder so we are going to copy the file there. Then set the correct permissions on the file.

[box]

cd ~/Downloads
cp FILENAME /private/tftpboot
cd /private/tftpboot
chmod 766 FILENAME

[/box]

Note: You can also use;

sudo chmod 777 /private/tftpboot
sudo chmod 777 /private/tftpboot/*

To set permissions on ALL files in this directory.

You can then execute the command on your device to copy the file across;

[box]

ciscoasa# copy tftp flash

Address or name of remote host []? 192.168.1.5

Source filename []? asa825-59-k8.bin

Destination filename [asa825-59-k8.bin]? {Enter}

Accessing tftp://192.168.1.5/asa825-59-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa825-59-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15482880 bytes copied in 12.460 secs (1290240 bytes/sec)
ciscoasa#

[/box]

Use Mac TFTP Deamon To Copy a File From a Network Device

There is a gotcha with the TFTP daemon, which is you cant copy a file to the TFTP daemon if that file does not already exist there.  Which at first glance sort of defeats the object, but what it really means id you have to have a file there with the same name and the correct permissions on it. In Linux you can create a file with the ‘Touch’ command.

[box]

cd /private/tftpboot
touch FILENAME
chmod 766 FILENAME

[/box]

You can then sent the file to your Mac from the device;

[box]

ciscoasa# copy flash tftp

Source filename []? asa825-59-k8.bin

Address or name of remote host []? 192.168.1.5

Destination filename [asa825-59-k8.bin]? {Enter}

Writing file tftp://192.168.1.5/asa825-59-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15482880 bytes copied in 9.940 secs (1720320 bytes/sec)
ciscoasa#

[/box]

I Want Mac OS X TFTP Software!

Well you have a limited choice, if you don’t like using the Mac TFTP Daemon. You can install and use a GUI front end that uses the built in TFTP software. 

But if you want a ‘stand-alone’ piece of software then the only other one I’ve found is PumpKIN, you will need to disable the built in TFTP daemon or it will throw an error.

Related Articles, References, Credits, or External Links

FortiGate TFTP : Backup To & Restore From

Backup and Restore Cisco IOS (Switches and Routers)

Backup and Restore a Cisco Firewall

CentOS – Install and Configure a TFTP Server

VMware View 5 – Configure and Deploy Clients in ‘Kiosk Mode’

KB ID 0000610 

Problem

Kiosk mode is quite useful, if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. Or if you have some older PC’s that you just want to repurpose as internet terminals or ‘point of sale’ box’s.

Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.

Solution

Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.

Configure Windows 7 to be a VMware View Desktop

Step 1: Prepare Active Directory

1. Set yourself up an OU to hold your kiosk machine, and a security group that will contain the user account you are going to create later.

Step 2: Configure the VMware Connection Server

2. Now log into your VMware Connection Server, open a command window with elevated privileges. then issue the following command;

[box]vdmadmin -Q -clientauth -setdefaults -ou “OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com” -noexpirepassword -group kioskusers[/box]

Note: where kioskusers is the name of the group you created.

3. Now I will create a user ‘custom-kiosk-user’ with a password of ‘Password123’, and put him in the OU and group we created earlier;

[box]vdmadmin -Q -clientauth -add -domain petenetlive -clientid custom-kiosk-user -password “Password123” -ou “OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com” -group kioskusers -description “Kiosk Terminal”[/box]

Note: Alternatively you can create a user that matches the MAC address of the client machine and auto generate a password like so, (this assumes the thin client or PC’s MAC addresses is 3C:4A:92:D3:12:1C).

4. Then allow this connection server to accept kiosk connections with the following command;

[box]vdmadmin -Q -enable -s PNL-CS[/box]

Note: Where PNL-CS is the name of my VMware Connection Server.

5. You can view the settings configured on this connection server with the following command;

[box]vdmadmin -Q -clientauth -list[/box]

6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.

7. Manual Pool > Next.

8. Dedicated > Next.

9. vCenter virtual Machines > Next.

10. Next.

11. Give the pool an ID and Display name > Next.

12. Select the machine you are using as the source for the Kiosk machine > Next.

13. When the pool is created > Entitlements.

14. Add in the group that you created in step 1 > OK.

15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.

Step 3: Connect to the Kiosk Machine

16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.

[box]c:program filesvmwarevmware viewclientbinwswc” -unattended -serverURL PNL-CS -userName custom-kiosk-user -password “Password123″[/box]

Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.

17. All being well you should be presented with the kiosk VM machine, note you no longer get the normal VMware View tool bar etc, it will behave as if the machine is in front of you.

Related Articles, References, Credits, or External Links

Deploying VMware View 5

Windows XP – Sysprep (for imaging)

KB ID 0000599 

Problem

A client who we recently did a WDS (Windows 7) install for, needed to image a couple of Windows XP machines, (They had some software that either would not run, or was not supported on Windows 7).

They asked me for some documentation on how to do this, it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.

Solution

Before you begin, be aware you need to be building your reference machine with a Volume Licenced copy of Windows XP NOT an OEM or Retail copy (i.e. DONT build the machine with manufacturers rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.

Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.

Windows XP SP3 version of Deploy.cab

1. Build your reference machine, and configure it as you require.

2. Create a folder on the root of the C: Drive called ‘Sysprep”. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the supporttools folder).

3. Double click the support cab, then copy over the sysprep.exe file, the setupcl.exe file and the setupmgr.exe file to your c:sysprep folder.

4. You can now run sysprep.exe and skip to step 13. BUT if you require an answerfile (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program, at the welcome screen click next.

5. Create New > Sysprep Setup > Windows XP Professional.

6. Fully Automate > Enter Name and Organisation > Set the Display Properties.

7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.

8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.

9. Telephony (I just skip this) > Regional Settings > Languages.

10. Printers > Run Once commands > Additional Commands.

11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.

12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (If you don’t, it will run the welcome to windows session and play the annoying music you cant turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.

Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.

The machine will then shut down and can be imaged.

Final Note: If you power it back on, it will rebuild itself and delete the c:sysprep directory. Which is fine unless you are doing some testing and realise you have to do the whole thing from scratch!

Related Articles, References, Credits, or External Links

Windows Deployment Services (Server 2003)
Deploying Windows XP

Windows Deployment Services (On Server 2008 R2)
Deploying Windows 7

Windows – Run Commands and Command Line Shortcuts

KB ID 0000828 

Problem

One of the advantages of launching applications form the ‘Run box’ is, no matter where Microsoft move things to in the graphical interface, they rarely change the commands. So when Windows 8 came out and there was much gnashing of teeth, I just ran the same old commands I used to run, and wondered what all the fuss was about!

Solution

Below is by no means a complete list, but is a collection of stuff I’ve found either from other sites or in my day to day troubleshooting.

Note: If Im missing one you think should be included, drop me an email (contact details below), and I’ll include it for you.

To Launch
From The Run Command,
Accessibility Controls  access.cpl
Accessibility Wizard  accwiz
Action Center wscui.cpl
Active Directory Users and Computers (if installed) dsa.msc
Add Hardware Wizard hdwwiz.cpl
Add/Remove Programs appwiz.cpl
Administrative Tools control admintools
Adobe Acrobat (if installed) acrobat
Adobe Bridge (if installed) bridge
Adobe Designer (if installed) formdesigner
Adobe Distiller (if installed) acrodist
Adobe Dreamweaver (if installed) dreamweaver
Adobe ImageReady (if installed) imageready
Adobe Photoshop (if installed) photoshop
Application Data Folder(opens the logged in users) %appdata%
Automatic Updates wuaucpl.cpl
Backup and Restore sdclt.exe
Bluetooth Devices bthprops.cpl
Bluetooth Transfer Wizard fsquirt
Calculator calc
Certificate Manager certmgr.msc
Character Map charmap
Check Disk Utility chkdsk
Clipboard Viewer (XP only) clipbrd
Color Calibration dccw.exe
Color Management colorcpl.exe
Command Prompt cmd
Common Program Files Folder (open) %commonprogramfiles%
Compare Files comp
Component Services dcomcnfg
Computer Management compmgmt.msc
Contacts wab
Control Panel control
Date and Time Properties timedate.cpl
DDE Shares (XP only) ddeshare
Devices and Printers control printers
Device Manager devmgmt.msc or hdwwiz.cpl
Direct X Control Panel (if installed) directx.cpl
Direct X Troubleshooter dxdiag
Disk Cleanup Utility cleanmgr
Disk Defragment (XP only) dfrg.msc
Disk Management diskmgmt.msc
Disk Partition Manager diskpart
Display Properties control desktop
Display Properties desk.cpl
Display Properties (XP Appearance Tab Preselected, Windows 8 Personalization > Color and Appearance) control color
Display (Scaling) DpiScaling.exe
DNS Management Console (if installed) dnsmgmt.msc
Dr. Watson System Troubleshooting Utility (Now Windows 8) drwtsn32
Driver Verifier Utility verifier
Ease of Access Center utilman
Event Viewer eventvwr.msc
Files and Settings Transfer Tool migwiz
File Signature Verification Tool sigverif
Findfast (XP Only) findfast.cpl
Firefox (if installed) firefox
Folder Sharing Management fsmgmt.msc
Folders Properties (XP only) folders
Fonts control fonts
Fonts Folder fonts
Font Viewer fontview
FTP ftp
Free Cell Card Game (if installed) freecell
Gateway Services for Netware (if installed) nwc.cpl
Game Controllers joy.cpl
Group Policy Editor (LOCAL Policy) gpedit.msc
Group Policy Management Console (Domain) gpmc.msc
Hearts Card Game (if installed) mshearts
Help and Support (XP only) helpctr
Home Path (display) %homepath%
Home Folder / Drive (display) %homedrive%
HyperTerminal (if installed (Removed in Windows 7) hypertrm
Iexpress Wizard iexpress
Import Windows Contacts wabmig
Indexing Service (XP only) ciadv.msc
Infrared Port properties (only if device installed) Irprops.cpl
Internet Connection Wizard (XP only) icwconn1
Internet Explorer iexplore
Internet Information Services iis.msc
Internet Properties inetcpl.cpl
Internet Setup Wizard (XP only) inetwiz
Java Control Panel (if installed) jpicpl32.cpl
Java Control Panel (if installed) javaws
Keyboard Properties control keyboard
Local Group Policy Editor gpedit.msc
Local Security Policy secpol.msc
Local Users and Groups lusrmgr.msc
Log on Server (display) %logonserver%
Logs You Out Of Windows logoff
Malicious Software Removal Tool mrt
Microsoft Access (if installed) msaccess
Microsoft Chat winchat
Microsoft Excel (if installed) excel
Microsoft Frontpage (if installed) frontpg
Microsoft Mail Post Office (XP only) wgpocpl.cpl
Microsoft Movie Maker moviemk
Microsoft Outlook (if installed) outlook
Microsoft Paint mspaint
Microsoft Picture Manager (if installed) ois
Microsoft Powerpoint (if installed) powerpnt
Microsoft Word (if installed) winword
Microsoft Syncronization Tool mobsync
Minesweeper Game (if installed) winmine
Mouse Properties control mouse
Mouse Properties main.cpl
Narrator Settings narrator
Nero (if installed) nero
Netmeeting (XP only) conf
Network Connections control netconnections
Network Connections ncpa.cpl
Network Setup Wizard (XP only) netsetup.cpl
Notepad notepad
Nview Desktop Manager (if installed) nvtuicpl.cpl
Object Packager (XP only) packager
ODBC Data Source Administrator (XP only) odbccp32.cpl
On Screen Keyboard osk
Opens AC3 Filter (if installed) ac3filter.cpl
Outlook Express (XP only) msimn
Paint pbrush
Password Properties (XP only_ password.cpl
PCMCIA card properties (if installed) main.cpl pc card
Pen and Touch tabletpc.cpl
People Near Me collab.cpl
Performance Monitor perfmon.msc
Performance Monitor perfmon
Phone and Modem Options telephon.cpl
Phone Dialer dialer
Pinball Game (if installed) pinball
Power Configuration powercfg.cpl
Printers and Faxes control printers
Printers Folder (XP only) printers
Private Character Editor eudcedit
Quicktime (If Installed) quicktime.cpl
Quicktime Player (if installed) quicktimeplayer
Real Player (if installed) realplay
Regional Settings intl.cpl
Registry Editor regedit
Registry Editor regedit32
Remote Access Phonebook rasphone
Remote Desktop mstsc
Removable Storage (XP only) ntmsmgr.msc
Removable Storage Operator Requests (XP only) ntmsoprq.msc
Resultant Set of Policy rsop.msc
Set Program Access and Computer Defaults computerdefaults.exe
Scan wiaacmgr
Scanners and Cameras (XP only) sticpl.cpl
Screen Resolution desk.cpl
Scheduled Tasks control schedtasks
Security Center wscui.cpl
Services services.msc
Shared Folders fsmgmt.msc
Shuts Down Windows shutdown
Sounds and Audio mmsys.cpl
Speech Properties (XP only) sapi.cpl
Spider Solitare Card Game (if installed) spider
SQL Client Configuration cliconfg
System Configuration Editor (XP only) sysedit
System Configuration Utility msconfig
System Information msinfo32
System Management Properties (XP only) smscfg.cpl
System Properties sysdm.cpl
System Properties (advanced tab) SystemPropertiesAdvanced.exe
System Restore rstrui.exe
Task Manager taskmgr
Telnet telnet
Tempraray Folder (open) %temp%
TCP Tester (XP only) tcptest
Telnet Client telnet
Tweak UI (if installed) tweakui
User Accounts netplwiz.exe
User Account Management (XP only) nusrmgr.cpl
User Profiles %allusersprofiles%
Utility Manager (XP only in later versions Ease of Access Center) utilman
User Profile (open) %userprofile%
Volume Mixer sndvol.exe
Windows Address Book (XP only in newer versions opens Contacts) wab
Windows 7 File Recovery sdclt.exe
Windows Address Book Import Utility wabmig
Windows Backup Utility (XP/2003 and earlier) ntbackup
Widows Directory %windir%
Windows Explorer explorer
Windows Features (turn on or off) optionalfeatures.exe
Windows Firewall firewall.cpl
Windows Magnifier magnify
Windows Management Infrastructure wmimgmt.msc
Windows Management Instrumentation wmic
Windows Media Player wmplayer
Windows Messenger (if installed) msmsgs
Windows Messaging (if installed) mlcfg32.cpl
Windows Picture Import Wizard (XP only – need a camera connecting) wiaacmgr
Windows Security Center (XP SP2 only) wsciu.cpl
Windows Script Host wscript
Windows System Security Tool syskey
Windows Update Launches (XP only) wupdmgr
Windows Version winver
Windows XP Tour Wizard (XP only) tourstart
Wordpad write

 

Related Articles, References, Credits, or External Links

Windows Shortcuts (Shortcut Keys / Shortcut Mouse Moves)

 

Windows Server 2012 ‘Direct Access with Windows 8’

KB ID 0000842

Problem

In the following procedure I’m using Window Server 2012, and Windows 8 Enterprise, I am NOT configuring for Windows 7 so I don’t need to worry about PKI and certificates. (Other than the one the direct access server uses for https identification).

I’m not adding in any Application or Infrastructure servers, this is just a basic run through on setting up Direct Access to get you up and running.

Solution

Step 1 Create Direct Access Group

You can of course accept the default of allowing access to the domain computers group, but I would like to tie things down a little further.

1. Server Manager> Tools > Active Directory Administrative Center > Select the OU (or create one) where you want to create the group.

2.Give the group a sensible name like DirectAccessComputers.

3. Remember when you try and ‘add’ members it will by default NOT have computers listed you will need to add them in.

4. Add in your computer objects as required.

Step 2 Install Direct Access

5. You can simply execute the following command;

[box]
Install-WindowsFeature RemoteAccess -IncludeManagementTools[/box]

6. Or from Server Manager > Tools > Add Roles and Features.

7. Simply add in ‘Remote Access’ and accept all the defaults.

Step 3 Configure Remote Access

8. Once installed launch Remote Access Management.

9. Run the getting stated wizard.

10. Deploy Remote Access Only (I’m not deploying VPNs).

11. Select how the server will be deployed, mine has a single NIC and I’m going to port forward TCP Port 443 (https) to it from the firewall. Enter its Publicly addressable name > Next > Finish.

Note: If you get an error see here.

12. Configure Remote Clients > Edit.

13. I want both options > Next

14. Remove the domain computers and add in the group we created above. Untick the ‘mobile only’ option.

Note: Force Tunnelling means that the remote clients will access the internet though YOUR corporate network. This is only a good idea if you have internet filtering, AV or NAP that you want to take advantage of. (It’s literally the exact opposite of split tunnelling).

15. Remote Access Server > Edit.

16. Select an existing Cert or create a new one > Next.

17. Remember I’m just using Windows 8, if you see the Windows 7 box and think “ooh I’ll tick that!” Then you need to start using certificates > Finish.

18. Finish.

19. Review the settings > Apply.

20. Operation Status.

21. Press Refresh until all the services are green.

Step 4 Configure Clients

The title is a misnomer and to be honest there is no configuration to be done, but they have to get the settings through group policy, so log then onto the domain.

22. A quick simple check is to run the following command;

[box]
Get-DaConnectionStatus[/box]

Note: If you get an error message make sure you are not using Windows 8 Pro see here.

23. The client knows it’s ‘inside’ the LAN, because it has a Name Resolution Policy Table and it can see your internal DNS, you can prove this with the following command;

[box] Get-DNSClientNrptPolicy[/box]

Step 5 Test Clients Externally

Note: Before you proceed your Direct access server needs to be publicly available via the name you specified on the certificate in step 11, and needs to have https open to it.

25. Whilst out on the internet you can test your remote client by first making sure it’s pointing to the correct place;

[box]netsh interface httpstunnel show interface[/box]

This should give the the URL that is on the certificate you specified in step 11, when you ping it by name you should expect a reply (unless ICMP has been blocked by your edge device).

26. And to prove that the client knows it’s NOT on the corporate LAN execute the following;

[box]netsh dnsclient show state[/box]

27. So If i try to ping the internal FQDN of my Direct Access server it should respond (Note its IPv6 address will respond this is normal).

Note: Here I’ve only setup the one server, you can add more Infrastructure and Application servers in the Remote Access Management Console.

28. Because I can resolve that, I can access resources on that server like UNC paths.

29. To access shared resources.

Step 6 Monitoring Remote Access Clients

30. Back on the Direct Access server, you can see the remote clients under ‘Remote Client Status’.

31. Right click each one for a more detailed view.

Related Articles, References, Credits, or External Links

NA

HP and Cisco – VLANs and Trunks Confusion!

KB ID 0000741

Problem

When I first started in IT, I went and did my Cisco CCNA. So I learned that to connect Cisco switches and pass VLAN traffic between them, I needed to create a ‘Trunk’ to pass the VLAN traffic. Fast forward a few years, and I now work for an HP reseller. Very early on I came to realise that what HP called a ‘trunk’ was very different from what I had been taught. Below is an article I did a while ago about setting up HP Trunks.

HP Networking ‘ProCurve’ – Trunking / Aggregating Ports

I was in some HP/Wireless training last week and once again I was struggling with their terminology, so today I lined up a bunch of switches on the test bench and worked out the differences.

Below you will find the following scenarios;

Scenario 1 Configuring Cisco Catalyst Switches with VLANs.

Scenario 2 Configuring HP Switches with VLANs.

Scenario 3 Setting up HP Switches with Trunked VLANs

Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels

Setting up VLANs on older Cisco Switches

Solution

Scenario 1 Configuring Cisco Catalyst Switches with VLANs.

In ‘Ciscoland’ All ports are either in access mode or trunk mode, the access mode allows the port to communicate with the VLAN. The trunk mode carries the VLAN traffic to another switch (or device). So to replicate the diagram above, this is what you would need to do. (Note: For older switches like the 3550XL the VLAN commands are a little different see here)

[box]

Switch01>
 Switch01>enable
 Password: xxxxxxxx
 Switch01#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch01(config)#vlan 10
 Switch01(config-vlan)#name Admin
 Switch01(config-vlan)#exit
 Switch01(config)#vlan 20
 Switch01(config-vlan)#name Data
 Switch01(config-vlan)#exit
 Switch01(config)#int f0/2
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 10
 Switch01(config-if)#exit
 Switch01(config)#inf f0/16
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 20
 Switch01(config-if)#exit
 Switch01(config)#int f0/23
 Switch01(config-if)#switchport mode trunk
 Switch02(config-if)#switchport trunk allowed vlan 1,10,20
 Switch01(config-if)#exit
 Switch01(config)#exit
 Switch01#write mem
 Building configuration...
 [OK]
 Switch01#
 
 
 
 Switch02>
 Switch02>enable
 Password: xxxxxxx
 Switch02#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch02(config)#vlan 10
 Switch02(config-vlan)#name Admin
 Switch02(config-vlan)#exit
 Switch02(config)#vlan 20
 Switch02(config-vlan)#name Data
 Switch02(config-vlan)#exit
 Switch02(config)#int f0/2
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 10
 Switch02(config-if)#exit
 Switch02(config)#inf f0/15
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 20
 Switch02(config-if)#exit
 Switch02(config)#int f0/1
 Switch02(config-if)#switchport mode trunk
 Switch02(config-if)#switchport trunk allowed vlan 1,10,20
 Switch02(config-if)#exit
 Switch02(config)#exit
 Switch02#write mem
 Building configuration...
 [OK]
 Switch02#[/box]

Scenario 2 Configuring HP Switches with VLANs.

With HP switches the terminology is different, here switch ports are either tagged members or untagged members of a VLAN.

What’s the difference between tagged and untagged? If a port is a tagged member it passes the VLAN information with the traffic it sends. If it is untagged it sends the VLAN traffic without adding in the VLAN tag. So you would only make a port a tagged member if the device that is plugged into it is VLAN aware, i.e. another switch, router, or machine with a VLAN aware NIC. (Note: The VLAN tag is the ID that gets inserted into the head of a network packet). So to do exactly the same as we did in scenario 1, but with HP switches, you would do the following:

BE AWARE: Any single port can only be untagged on one VLAN. Out of the box all ports are untagged on VLAN 1 (or the default VLAN), so if you untag a port into VLAN 20 (for example) it will automatically remove the ‘vlan 1 untagged’ property for that port.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged 13
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged 13
 Switch01(vlan-20)# exit
 Switch01(config)# write mem
 Switch01(config)#
 
 Switch02> enable
 Password:xxxxx
 Switch02# configure terminal
 Switch02(config)# vlan 10 name Admin
 Switch02(config)# vlan 20 name Data
 Switch02(config)# vlan 10
 Switch02(vlan-10)# untagged 4
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# untagged 20
 Switch02(vlan-20)# exit
 Switch02(config)# vlan 10
 Switch02(vlan-10)# tagged 23
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# tagged 23
 Switch02(vlan-20)# exit
 Switch02(config)# write mem
 Switch02(config)#[/box]

Scenario 3 Setting up HP Switches with Trunked VLANs

Remember with HP a Trunk is adding together lots of links, (if you’re a Cisco head think of port-channeling). So here we create a trunk, then use that trunk to pass tagged VLAN traffic across the switches.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch01(config)# write mem 
 Switch01(config)# 

 
 Switch02> enable
 Password:xxxxx
 Switch02# configure terminal
 Switch02(config)# vlan 10 name Admin
 Switch02(config)# vlan 20 name Data
 Switch02(config)# vlan 10
 Switch02(vlan-10)# untagged 4
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# untagged 20
 Switch02(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch02(config)# write mem
 Switch02(config)#

[/box]

Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels

Now we have gone full circle, we know what all the differences are, the final part is to get them to talk to each other. So I’ll set up a two cable HP Trunk, and connect it to Cisco LACP port channel, and then finally add in the VLAN traffic.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch01(config)# write mem 
 Switch01(config)# 

 
 Switch02>
 Switch02>enable
 Password: xxxxxxx
 Switch02#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch02(config)#vlan 10
 Switch02(config-vlan)#name Admin
 Switch02(config-vlan)#exit
 Switch02(config)#vlan 20
 Switch02(config-vlan)#name Data
 Switch02(config-vlan)#exit
 Switch02(config)#int f0/2
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 10
 Switch02(config-if)#exit
 Switch02(config)# interface range fa0/23 - 24
 Switch02(config-if-range)# spanning-tree portfast trunk
 %Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

Switch02(config-if-range)# channel-protocol lacp
 Switch02(config-if-range)# channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
 Switch02(config-if-range)# interface port-channel 1
 Switch02(config-if)# switchport mode trunk
 Switch02(config-if-range)#switchport trunk allowed vlan 1,10,20
 Switch02(config-if)#exit
 Switch02(config)#exit
 Switch02#write mem
 Building configuration...
 [OK]
 Switch02#

[/box]

Setting up VLANs on older Cisco Switches

Here’s an example using the older vlan database commands.

[box]

Switch01>
 Switch01>enable
 Password: 
 Switch01#
 Switch01#vlan database
 Switch01(vlan)#vlan 10 name Admin
 VLAN 10 modified:
 Name: Admin
 Switch01(vlan)#vlan 20 name Data
 VLAN 20 modified:
 Name: Data
 Switch01(vlan)#exit
 APPLY completed.
 Exiting....
 Switch01#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch01(config)#int f0/2
 Switch01(config-if)#switchport mode access 
 Switch01(config-if)#switchport access vlan 10
 Switch01(config-if)#exit
 Switch01(config)#int f0/16
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 20
 Switch01(config-if)#exit
 Switch01(config)#int f0/23
 Switch01(config-if)#switchport mode trunk
 Switch01(config-if)#switchport trunk encapsulation dot1q 
 Switch02(config-if-range)#switchport trunk allowed vlan 1,10,20
 Switch01(config-if)#exit
 Switch01(config)#exit
 Switch01#write mem
 Building configuration...
 
 Switch01#[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Valentin Bajramifor the feedback