Factory Reset a Cisco Firewall

KB ID 0000007 

Problem

You want to wipe the firewall’s config and revert to the factory settings (passwords blank; the management or inside interface set to 192.168.1.1 with DHCP enabled; all other settings wiped).

Solution

1. Connect to the ASA via the console cable. CLICK HERE

2. Log in and enter configure terminal mode.

3. Execute the following command: “config factory-default”.

4. Press the space bar a few times to page through and execute the commands.

5. When you get back to the command prompt, execute the following command: “reload save-config noconfirm” (or on a Cisco PIX, write mem {enter} > reload {enter}{enter}).

6. The firewall will reboot, set to factory settings.

Procedure carried out on a Cisco ASA 5508-X (running version 9)

Procedure carried out on a Cisco PIX 515E (running version 8)

Note: Now the management interface (if you have one) will be set to lease DHCP addresses. If you don’t have a management interface (i.e. you have an ASA 5505 or an older PIX), then the inside interface will lease DHCP addresses instead. The outside interface will be set to obtain its IP address via DHCP.

Related Articles, References, Credits, or External Links

Cisco ASA – Password Recovery / Reset

Cisco PIX (500 Series) Recovery

Reset IBM / Lenovo IMM Username and Password

KB ID 0001291 

Problem

After recycling an old M3 3650 IBM X Series server the other week, I was stuck trying to get into the IMM, because no one knew what the password was.


The default username of USERID and password of PASSW0RD (with a zero) didn’t work either.

Solution

For me it was OK because I could reboot the server and get directly into the BIOS (press F1 at boot), then go to System Settings > Integrated Management Module > Reset IMM to Defaults.

REMEMBER this will reset the name and IP settings, so you need to update them, and DON’T FORGET to press ‘Save Network Settings’, or nothing happens!

You can now use the default username USERID and default password (PASSW0RD).

Reset IMM Password Remotely

Remotely connect to your IBM server and download the IBM ASU utility (note: there is a 64-bit version and a 32-bit version; run the correct one to extract the tools).

Run the following command to ensure that the USERID account exists:

[box]

asu64.exe show IMM.LoginID.1
OR
asu.exe show IMM.LoginID.1

[/box]

It should detect the IMM by IP address and return IMM.LoginID.1=USERID.

Note: If it returns a different username, you can check each login ID and reset them one by one. Then set a new password for that login ID:

[box]

asu64.exe set IMM.password.1 Password123
OR
asu.exe set IMM.password.1 Password123

[/box]

Related Articles, References, Credits, or External Links

NA

Bag Yourself a Cheap Firewall: The Symantec FW100 and FW200(R) Appliances

KB ID 0000109 

Problem

OK, to be honest, before I went to work for my current employer I didn’t even know Symantec made hardware firewalls, and at the time of writing they no longer make “low end” firewalls and corporate support for them has all but ended. With this in mind there are a load of them currently being replaced with newer firewalls, and they are either getting thrown in cupboards “in case of emergency”, ending up on eBay, or worst of all going in the skip.

So why would you want one then?

Because in true Petenetlive fashion you can pick them up for nothing, or for a few pounds on eBay, and they make an excellent firewall for your home PC, home network or small business.

Fair enough, but what’s the difference between the two?

Basically both firewalls can function as a hardware firewall and do site-to-site VPNs; the FW200 however can have two WAN connections, and the 200R supports client-to-gateway VPN connections using the Symantec Client VPN software. Both appliances have a built-in switch: on the FW100 it’s a four-port switch and on the FW200 it’s an eight-port switch.

FW100 (Top) and FW200 (Bottom)

To see what the Warning Lights and Symbols mean CLICK HERE

Right I’ve bought one now what the hell do I do with it?

That depends on what you want it for. There are a number of things a firewall can do: you can simply run through the basic setup and it will protect your PC/network, or you might want to set up a permanent connection from home to your office (site-to-site VPN), or you might want to access your PCs at home or in the office from anywhere in the world with an internet connection (client-to-gateway VPN, FW200R only). You may have a server at home or an Xbox and want to port forward particular traffic to a particular PC, server or games console.

You can do as much or as little as you like with it. I’ll outline the basic things you may want to do below:

1. Reset to factory Settings

2. Connect to the firewall for administration

3. Update the firmware

4. Basic Setup

5. Port Forwarding

6. Site to Site VPN

7. Client to Gateway VPN

8. Client VPN Software

Solution

Reset to Factory Settings

If you have got an appliance off eBay or been given it by work, then chances are you won’t know its settings or the password to get in and manage it, so before you do anything you need to reset the appliance back to its factory settings. Read the ENTIRE procedure before you do anything!

Factory Settings

1. Inside IP address set to 192.168.0.1

2. Inside Subnet Mask set to 255.255.255.0

3. Password is set to {Blank} – That’s NO Password.

4. Outside Interface(s) set to obtain their IP address dynamically.

5. Appliance turns on its internal DHCP server and leases addresses from its switch ports.

6. All traffic will be allowed out

7. No traffic will be allowed in (unless its a reply to traffic instigated inside).

On the back of the appliance you will see a row of “dip” switches; you can turn them on (down) and off (up). With the unit powered off, use a pen or paperclip and have a couple of practice flicks on switch 1.

Procedure

1. Power off the appliance.

2. Drop dip switch 1 to ON.

3. Power on the appliance and watch the Backup/Active LED come on.

4. As soon as the LED goes out, flip dip switch 1 up (off), down (on), and up (off) again. Note: you only get 12 seconds!

5. If you have carried out the procedure correctly then the Error LED will come on and then alternate with the LAN/WAN Status LED.

6. The appliance will reboot; let it do so, then remove the power, wait a few seconds, and power it up again.

Connect to the Firewall for Administration

Assuming you have just reset the firewall, its internal IP address will be 192.168.0.1. Simply connect your PC or laptop to the firewall using a standard Ethernet cable to any of the ports labelled LAN.

Your PC should be set to get an IP address dynamically, or manually set an IP address in the 192.168.0.2 to 254 range. Then open a web browser and go to http://192.168.0.1

Standard front page here on a FW100

And here on a FW200 (note the second WAN settings)

Note: You can manage these firewalls from outside, for example from work, BUT you need to enter the IP range that you will be administering from. To do this select the “Expert Level” section and enter the range (note: if you only have one IP, add it in both the Start and End IP address boxes). You then access the device from http://public_IP_address:8088

Remember this is a firewall: always set a password for access. Select the “Config Password” section, then type and re-type a password, then press Save.

Now to access the firewall, the username is admin and the password is the one you set above.

Upgrade the Firmware

You might wonder why bother. Well, I’ve used these firewalls in anger on corporate networks, and I’ve seen strange problems with VPNs and other bugs that have been fixed by simply upgrading the firmware. Remember these are old firewalls, so the last version of firmware released for them (called 18F) was released in Nov 2005. The FW100 firmware is here: vpn100_build18f, and the FW200 firmware is here: vpn200r_build18f. You will also need the nxtftpw.exe program; you can download that here: nxtftpw.

To check your firewall’s firmware version, connect to the firewall as above and select the Status section, then the Device section; here you will see the firmware revision. This one says V1 Rel 8D, so it’s version 18D; we are going to upgrade it to 18F.

To prepare the firewall for firmware updating, power it off and drop dip switches 1 and 2 on the back. Then power the firewall back on again.

On your PC launch nxtftpw.exe and enter the following information: under Server IP enter the IP address of the firewall, and in Local File navigate to the firmware file on your PC.

Warning: there are two versions of the firmware file; one looks like vpn100_18F_app.bin and the other looks like vpn100_18Fall.bin. Use the app.bin file; the all.bin file will erase the configuration as well!

Click PUT.

It might take a while and say it’s retrying a few times; be patient. When it’s finished it will say SUCCESS at the bottom.

Wait a couple of minutes; when the lights on the appliance all return to normal, shut it down. Lift all the dip switches again and power back up.

Log back into the firewall and check the firmware revision on the Status tab > Device section to make sure the version is correct; it should say V1 Rel 8F.

Basic Setup

For a simple home user you will want to set an external IP with a default gateway and some DNS settings, then set your internal IP.

Main Setup Tab

If your ISP supplies your IP address via DHCP you don’t need to do anything; that’s the default. Note: if you have a router that needs PPPoE settings, these can be set up on this tab as well. Click Save when finished.

Static IP & DNS Tab

Or, if you have a static IP address, enter it here with the subnet mask and the default gateway supplied by your ISP. Also note you can statically assign DNS servers here too; then your internal clients can point directly to the Symantec firewall for their DNS settings. Click Save when finished.

LAN IP & DHCP

Set your inside interface here. Note: you can also set the firewall up as a DHCP server for your network. Click Save when finished.

Port Forwarding

Not all port forwarding is used for servers and complicated communications; simply downloading torrent software or playing online games may require you to forward a port to one of your clients. For this example I’ll port forward TCP port 3389 (that’s RDP, for the non-techies) so you can connect to your PC and server from outside. Note: doing this in the real world has security implications and is done at your own risk.

Custom Virtual Servers Tab

You need to give the protocol you are forwarding a name, like RDP. Tick Enable, enter the IP address you want to forward it to, then enter the port number into ALL FOUR boxes. When done click “Add.”

This is what you want to be seeing 🙂

You will see the rule added at the bottom of the page. Note: As I said, this is quite a security hole, so you can tick and untick Enable, then click Update, to turn it on and off as required.

Site to Site VPN

A site-to-site VPN connects one network to another securely across an insecure network (in almost every case the insecure network is the public internet), so you can connect two offices together, or connect your home PC(s) to the office network. You need a device at both ends that can terminate a VPN. At our end we have the Symantec; the other end can be your corporate firewall or a VPN server.

To form a VPN you need both ends to agree a “policy”; as there are different methods of forming a VPN, the device at the other end must use the SAME settings as you do.

OK, what do I need to know?

Encryption method: we will use 3DES
Hashing method: we will use SHA1
Diffie-Hellman group: we will use Group 2
IP address of the other firewall: we will use 123.123.123.123
Network address of the other network (the far one you are connecting to): we will use 10.1.0.0
Subnet mask of the other network (the far one you are connecting to): we will use 255.255.0.0
Pre-shared key: we will use qwertyuiop123

Note: This firewall uses PFS (Perfect Forward Secrecy). Tell the firewall administrator at the other end of the tunnel to make sure that end has it enabled.

VPN Dynamic Key Tab

Give it a descriptive name > Tick Enable > PPPoE Session set to Session 1 > Select Main Mode > ESP 3DES SHA1 > SA Lifetime to 475 > Data Volume Limit to 2100000 > PFS enable

Gateway Address set to the IP of the other firewall > ID Type to IP Address > Pre Shared Key to qwertyuiop123 > NETBIOS Broadcast to Disable > Global Tunnel to Disable > Remote subnet to the network at the other end of the tunnel > Remote Mask to the mask at the other end of the tunnel. > Click Add

Hopefully you will see this.

You will then see the tunnel appear at the bottom of the screen.

And the connection will change colour and say “Connected” when the tunnel comes up.

Client to Gateway VPN (200R Only)

In a client-to-gateway scenario, you install the client software on a laptop or remote PC, then use that software to connect to your network behind the firewall. With this method you can securely connect many clients to one firewall.

OK, what do I need to know?

A username: we will use Jane
A shared secret: we will use 1234567890qwertyuiop

VPN Dynamic Key Tab

This sets the levels and method of encryption used by your remote clients. Type the name “clients” into the Name box > Enable > Session 1 > Aggressive mode > ESP 3DES SHA1 > 475 Mins > 2100000 > PFS enable > Gateway Address to 0.0.0.0 > ID Type to Distinguished Name. Click Add.

VPN Client Identity Tab

Enter the username > Tick Enable > Type in the shared secret > Click Add > The user will be displayed at the bottom.

Obviously this procedure is carried out on the remote PC/laptop.

Once you have the software installed (note: you need to be a local system administrator to do this bit, or the software won’t let you in), fire up the software and give yourself a username and password (this can be anything; it’s just to log into the software, NOT to bring up the VPN). You will be asked to confirm the password.

This is the main screen; you can save many tunnels to many firewalls, but we are just dealing with one. Click New.

On the Gateway tab, in IP Address enter the IP of the outside of the firewall > Make sure Download VPN Policy is NOT checked > Enter your shared secret 1234567890qwertyuiop (as set up on the firewall) > Your Client Phase 1 ID is the name on the firewall; in the example above that’s “jane”.

Click the Advanced tab > Under Gateway Phase 1 ID re-enter the IP address of the outside of the firewall.

Click the Tunnels tab > Click New.

The tunnel name HAS TO match the policy you created on the firewall (in our case “clients”). Then enter the network address and subnet mask of the network BEHIND the firewall you are connecting to > OK > OK.

Back at the main screen click the Policies tab > Set “Port Control Type” to “Wide Open”.

Click the Gateways tab > Log Off > Close and restart the client software > Select the tunnel and click Connect. In the progress log you should see a message stating “security gateway connected”.

Related Articles, References, Credits, or External Links

NA

ZyXEL – Router Setup (Public IP Range)

KB ID 0000331 

Problem

You have a ZyXEL router (In my case a P-600R-D1) and you want to put a device behind it with a public IP.

Note: I’m assuming you have agreed with your ISP that you will receive a range of public IP addresses. With some ADSL packages the first IP in the range usually gets allocated to the router; confirm this with your ISP.

BT Business Broadband Note: If you are a BT Business customer, your setup will be slightly different, I’ll point that out as we go along.

Solution

1. Connect up to the router and you should get an IP address from it. Open your web browser and proceed to http://192.168.1.1; the default password is “1234”.

2. You will be prompted to change the default password; do so, then select the option to go to ‘Advanced Setup’.

3. Expand Network > WAN > Enter the ADSL details provided by your ISP (i.e. ADSL username and ADSL password). If you are having a static IP on the outside of the router, you can also set that here.

Note: If you have only been given TWO IP addresses you may need to set BOTH the WAN and LAN IP address to the SAME IP (and disable NAT).

BT Business Broadband Note: Even if you have been allocated a range of public IP addresses, LEAVE the router’s outside IP address option set to ‘Obtain an IP address automatically’.

4. Disable NAT ONLY IF YOU ARE SETTING THE LAN AND WAN TO THE SAME IP: Select NAT > General > Untick “Active Network Address Translation (NAT)” > Apply.

5. Disable DHCP: Select LAN > DHCP Setup > Change DHCP to “None” > Apply.

6. Set the inside IP: Set this to the IP address allocated to your router. (Note: this may be the SAME as the address allocated to the outside IP; don’t panic, it will not conflict because NAT is disabled.)

BT Business Broadband Note: This is typically the highest IP address in the range BT have given you.

7. You can now connect your internal device/firewall. (Note: You may need to reboot the device AND the router, as the MAC address may have changed if you have been testing from your laptop/PC.) Or simply allocate another public IP address to the device, then make its default route (or default gateway) the IP address you set on the LAN port of the ZyXEL (in our example above, 123.123.123.124).

Factory Reset ZyXEL Router

If things break and you want to reset the router:

1. Power off the router.

2. Depress the reset button on the rear of the router.

3. Power on the device until the Ethernet light flashes amber.

4. Now DHCP will be turned on and the router will use 192.168.1.1 internally and the default password will be reset to 1234.

Related Articles, References, Credits, or External Links

ZyXEL Firmware downloads (Look under DSL Technology)

Original Article Written 28/09/10

Factory Reset Juniper SRX Firewall

KB ID 0001003 

Problem

If you manage to stuff up your firewall, or you have just done some testing and want to revert back to ‘as new’ here is how to do it.

Solution

1. Connect to the firewall either by console cable or via SSH, go to CLI mode, then configuration mode.

[box]

login: PeteL
Password: ************

— JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

PeteL@Petes-SRX> cli

PeteL@Petes-SRX> configure
Entering configuration mode

[edit]
PeteL@Petes-SRX#

[/box]

2. Load the factory defaults. At this point you cannot commit/save the configuration unless you set a root password, so do that next.

[box]

[edit]
PeteL@Petes-SRX# load factory-default
warning: activating factory configuration

[edit]
PeteL@Petes-SRX# set system root-authentication plain-text-password
New password: Password123
Retype new password: Password123

[edit]
PeteL@Petes-SRX#

[/box]

3. Save the changes then reboot.

[box]

[edit]
PeteL@Petes-SRX# commit and-quit

commit complete
Exiting configuration mode

PeteL@Petes-SRX> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 1904]

PeteL@Petes-SRX>

*** FINAL System shutdown message from root@FW-01 ***

System going down IMMEDIATELY

[/box]

Reset to Factory Settings if the SRX is Part of a Chassis Cluster (is in Failover Mode)

1. If the firewall is part of a chassis cluster then you need to do the following before you can carry out the procedure above.

[box]

PeteL@Petes-SRX> set chassis cluster disable reboot

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node0}
PeteL@Petes-SRX>

*** FINAL System shutdown message from root@FWA ***

System going down IMMEDIATELY

[/box]

Completely Wipe the Juniper SRX

Alternatively, you can also do the following; note that this erases the configuration and the log files as well.

[box]

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

root>

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Return an Interface to Default (Remove all Settings)

KB ID 0001010

Problem

The configuration for a particular interface can get quite long; you could go to interface configuration mode and prefix all the commands with a ‘no’, but this can be a bit repetitive and time consuming.

Solution

To remove the configuration for an interface, use the ‘default’ command. For example, take a look at the following config for FastEthernet1/0/5.

[box]

Petes-Switch>enable
Petes-Switch#show run
Building configuration...

Current configuration : 1854 bytes
!
<----------config removed for brevity---------->
!
interface FastEthernet1/0/5
switchport access vlan 999
switchport mode access
!
<----------config removed for brevity---------->
!
end

[/box]

To remove the configuration for that port, use the following command.

[box]

Petes-Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Switch(config)#default interface FastEthernet 1/0/5
Interface FastEthernet1/0/5 set to default configuration
Petes-Switch(config)#

[/box]

To check it worked:

[box]

Petes-Switch#show run
Building configuration...

Current configuration : 1854 bytes
!
<----------config removed for brevity---------->
!
!
interface FastEthernet1/0/5
!
<----------config removed for brevity---------->
!
end

[/box]

Reset / Remove the Configuration for Multiple Ports

You can combine selecting multiple Cisco device ports with the default command to remove the configuration and reset a ‘range’ of ports in one command.

[box]

Petes-Switch(config)#default interface range GigabitEthernet 0/3 - 6

[/box]
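As an added example (not from the original article), the following Python script parses a ‘show run’ listing like the ones above, reports which interfaces still carry settings, and turns them into ‘default interface’ commands, collapsing contiguous ports into a single ‘default interface range’ command as described in the section above. The SAMPLE_RUN text is constructed, and the regex only covers slot/port style names such as GigabitEthernet0/3.

```python
"""Audit a Cisco IOS 'show run' and build the 'default interface' commands that
would reset every interface still carrying settings (added example, not the
article's own; it parses output like the listings above)."""
import re
from collections import defaultdict
# Constructed sample: a configured port, a port already at default, and two
# contiguous GigabitEthernet ports that should collapse into one range.
SAMPLE_RUN = """\
Building configuration...
!
interface FastEthernet1/0/5
 switchport access vlan 999
 switchport mode access
!
interface FastEthernet1/0/6
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
 shutdown
!
end
"""

def parse_interfaces(show_run):
    """{interface name: [sub-commands]}; a block ends at '!', 'end' or a blank line."""
    blocks, current = {}, None
    for raw in show_run.splitlines():
        line = raw.strip()  # the article's listings lost their indentation
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("", "!", "end"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def non_default_interfaces(show_run):
    """Interfaces that still have at least one setting under them."""
    return [n for n, lines in parse_interfaces(show_run).items() if lines]

_PORT_RE = re.compile(r"^([A-Za-z]+)(\d+(?:/\d+)*)/(\d+)$")  # type, slot path, port
def default_commands(names):
    """One command per run of contiguous ports, using IOS 'default interface' syntax."""
    groups = defaultdict(list)
    for name in names:
        m = _PORT_RE.match(name)
        if m:  # Vlan1, Loopback0 etc. do not match; handle those by hand
            groups[(m.group(1), m.group(2))].append(int(m.group(3)))
    cmds = []
    for (kind, slot), ports in sorted((k, sorted(v)) for k, v in groups.items()):
        start = prev = ports[0]
        for p in ports[1:] + [None]:  # None flushes the final run
            if p is not None and p == prev + 1:
                prev = p
                continue
            if start == prev:
                cmds.append(f"default interface {kind} {slot}/{start}")
            else:
                cmds.append(f"default interface range {kind} {slot}/{start} - {prev}")
            start = prev = p
    return cmds
```

Running `default_commands(non_default_interfaces(SAMPLE_RUN))` gives one single-port command for FastEthernet 1/0/5 and one range command for GigabitEthernet 0/3 - 4; FastEthernet1/0/6 is already at default and is skipped.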

How to Remove the Configuration for a Cisco ASA 5500 Port

To do the same on a Cisco ASA you need a different command: ‘clear configure’. Note: The interface naming used here is for an ASA8885-X; the interfaces on your model may have a different naming standard, i.e. vlan1, ethernet1, etc.

[box]

Petes-ASA(config)#clear configure interface GigabitEthernet0/1

[/box]

Related Articles, References, Credits, or External Links

NA