Setup FTP Server with Windows Server

KB ID 0000342

Problem

You want to set up FTP on your Windows Server (and, more importantly, make it work without disabling the firewall). Below are the procedures you will need to carry out.

Note: For older Windows Operating systems like Server 2012, click here, or for Server 2008, click here.

Setup FTP Server (Windows Server)

Setup FTP on Windows Server 2012 (Including firewall setup)

 Setup FTP on Windows Server 2008 R2 (Including firewall setup)

Firewall Configuration for FTP on Server 2008 R2 (Included in the Video above).


Related Articles, References, Credits, or External Links

NA

Cisco Catalyst Upgrading 2900, 5500 and 3700 Stacks

KB ID 0001630

Problem

People are often nervous about doing this, and I’m not sure why, because Cisco have made it painfully simple now. Instead of the old .bin files we used to use, you can now upgrade a switch (or a switch stack) using a .tar file with one command, and it will also upgrade all the stack members and the firmware on any other network modules in the switches at the same time.

Yes, it does take a while*, and for long periods of time there’s no updated output on the screen, which is worrying if you’ve never done it before.

*Note: The procedure below was updating two 2960-X switches and took about 45-50 minutes. If anyone wants to post any further timings below as a help to others, state the switch types and quantities, and versions you used, etc.

Solution

First things first, BACK UP YOUR SWITCH CONFIG. I also have a habit of copying out the original .bin file from the flash to my TFTP server as an extra ‘belt and braces’ precaution, in case everything ‘Goes to hell in a hand cart!’

I find it easier to do this with the update file on a USB drive (format the drive as FAT32). If you don’t have a USB drive, or the switch does not have a working USB port, then don’t panic: you can use FTP or TFTP to upgrade instead.

Place your new upgrade .tar file on your USB Drive and insert it into the master switch, you should see the following;

[box]

Dec 19 13:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted!

[/box]

Note: If yours says usbflash1, or usbflash2, etc., then that’s just the switch numbering in the stack; use the number it tells you!

Make sure the switch can see your upgrade file;

[box]

Petes-Switch# dir usbflash1:
Dec 19 16:56:45.712: %USBFLASH-5-CHANGE: usbflash0 has been inserted!

Directory of usbflash0:/
 -rw- 37488640 Nov 25 2019 10:08:34 +00:00 c2960x-universalk9-tar.152-7.E0a.tar

8036286464 bytes total (7997743104 bytes free)

[/box]

You can execute the entire upgrade with this one command;

[box]

Petes-Switch# archive download-sw /overwrite usbflash0:/c2960x-universalk9-tar.152-7.E0a.tar

[/box]

Note: If using TFTP, then use archive download-sw /overwrite tftp://{ip-of-tftp-server}/{image-name}.tar instead.

It will take quite a long time. As soon as it says ‘extracting xyz…’, go and have a coffee, and wait until it says ‘All software images installed.’

[box]

---LOTS OF OUTPUT OMITTED FOR THE SAKE OF BREVITY---
New software image installed in flash2:/c2960x-universalk9-mz.152-7.E0a
Deleting old files from dc profile dir "flash:/dc_profile_dir"
extracting dc profile file from "flash:/c2960x-universalk9-mz.152-7.E0a/dc_default_profiles.txt" to "flash:/dc_profile_dir/dc_default_profiles.txt"
Deleting old files from dc profile dir "flash2:/dc_profile_dir"
extracting dc profile file from "flash2:/c2960x-universalk9-mz.152-7.E0a/dc_default_profiles.txt" to "flash2:/dc_profile_dir/dc_default_profiles.txt"
All software images installed.

[/box]

Now let’s do a couple of checks just for our ‘peace of mind’. First, make sure the images are in all the relevant switches’ flash storage;

[box]

Petes-Switch#dir flash1:
Directory of flash:/

    2  -rwx        5486  Dec 19 2019 16:55:40 +00:00  private-config.text
    3  -rwx          33   Aug 7 2019 08:28:12 +00:00  pnp-tech-time
    4  -rwx       11114   Aug 7 2019 08:28:14 +00:00  pnp-tech-discovery-summary
    5  -rwx        3096  Dec 19 2019 16:55:40 +00:00  multiple-fs
  699  drwx         512  Dec 19 2019 17:35:25 +00:00  c2960x-universalk9-mz.152-7.E0a
  480  drwx         512  Dec 19 2019 17:35:28 +00:00  dc_profile_dir
  696  -rwx         796   Aug 9 2019 09:48:30 +00:00  vlan.dat
  698  -rwx        7539  Dec 19 2019 16:55:40 +00:00  config.text

122185728 bytes total (84392960 bytes free)
Petes-Switch#dir flash2:
Directory of flash2:/

    2  -rwx        5486  Dec 19 2019 16:55:40 +00:00  private-config.text
    3  -rwx          33   Aug 7 2019 08:32:38 +00:00  pnp-tech-time
    4  -rwx       11126   Aug 7 2019 08:32:40 +00:00  pnp-tech-discovery-summary
    5  -rwx        7539  Dec 19 2019 16:55:40 +00:00  config.text
    6  drwx         512  Dec 19 2019 17:35:26 +00:00  c2960x-universalk9-mz.152-7.E0a
  481  drwx         512  Dec 19 2019 17:35:28 +00:00  dc_profile_dir
  696  -rwx        3096   Aug 8 2019 10:21:29 +00:00  multiple-fs
  697  -rwx         796  Dec 11 2019 10:55:22 +00:00  vlan.dat
  698  -rwx        7514  Dec 19 2019 16:55:40 +00:00  config.text.backup
  699  -rwx        5486  Dec 19 2019 16:55:40 +00:00  private-config.text.backup

122185728 bytes total (84378624 bytes free)

[/box]

Note: Repeat for each switch in the stack, if you have further switches.

Why does it not have .tar or .bin on the end? Because it’s a folder 🙂

Then let’s make sure the ‘boot variable’ in the device is set to use the new image;

[box]

Petes-Switch# show boot
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : yes
Manual Boot         : no
Allow Dev Key         : yes
HELPER path-list    :
Auto upgrade        : yes
Auto upgrade path   :
Boot optimization   : disabled
NVRAM/Config file
      buffer size:   524288
Timeout for Config
          Download:    0 seconds
Config Download
       via DHCP:       disabled (next boot: disabled)
-------------------
Switch 2
-------------------
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : yes
Manual Boot         : no
Allow Dev Key         : yes
HELPER path-list    :
Auto upgrade        : no
Auto upgrade path   :

[/box]

All looks good, so save the config and reload the stack.

[box]

Petes-Switch# write mem
Petes-Switch# reload
Proceed with reload? [confirm] {Enter}

Dec 19 17:38:50.952: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

[/box]

Time for another coffee while the stack reloads. When it’s back up you can check it was successful like so;

[box]

Petes-Switch# show version
---LOTS OF OUTPUT OMITTED FOR THE SAKE OF BREVITY---
Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 54    WS-C2960X-48TS-L          15.2(7)E0a            C2960X-UNIVERSALK9-M
     2 54    WS-C2960X-48TS-L          15.2(7)E0a            C2960X-UNIVERSALK9-M

[/box]
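The two checks above (the boot variable before the reload, the running version after it) are the ones that catch a stack member left behind on the old image, and on a bigger stack they are tedious to eyeball. As an added example (not part of the original article, and not a Cisco tool), here is a small Python parser for the show boot and show version output that reports any member whose BOOT path-list does not reference the new image, or whose SW Version is not the one expected. The sample strings are constructed from the captures above and trimmed to the relevant lines; the ‘stale’ sample with an OLD-IMAGE file name is invented purely to show the failure case.

```python
import re

# Constructed sample output, trimmed from the 'show boot' capture above. Note the
# master's block has no 'Switch N' header; only members 2+ are announced.
SHOW_BOOT = """\
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
Config file         : flash:/config.text
Manual Boot         : no
-------------------
Switch 2
-------------------
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
Config file         : flash:/config.text
Manual Boot         : no
"""

# Invented failure case: member 2 still points at a placeholder older image.
SHOW_BOOT_STALE = """\
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
-------------------
Switch 2
-------------------
BOOT path-list      : flash:/c2960x-universalk9-mz.OLD-IMAGE/c2960x-universalk9-mz.OLD-IMAGE.bin
"""

# Constructed from the 'show version' summary table above.
SHOW_VERSION = """\
Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 54    WS-C2960X-48TS-L          15.2(7)E0a            C2960X-UNIVERSALK9-M
     2 54    WS-C2960X-48TS-L          15.2(7)E0a            C2960X-UNIVERSALK9-M
"""

NEW_IMAGE = "c2960x-universalk9-mz.152-7.E0a"
NEW_VERSION = "15.2(7)E0a"

_SWITCH_HDR = re.compile(r"^Switch (\d+)\s*$")
_BOOT_LINE = re.compile(r"^BOOT path-list\s*:\s*(\S+)")
# member number, port count, model, SW version, SW image; leading '*' marks the master
_VER_ROW = re.compile(r"^\*?\s*(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def boot_paths(show_boot: str) -> dict:
    """Map stack member -> BOOT path-list. Lines before the first 'Switch N'
    header belong to member 1 (the master), which the switch does not label."""
    paths, member = {}, 1
    for line in show_boot.splitlines():
        hdr = _SWITCH_HDR.match(line.strip())
        if hdr:
            member = int(hdr.group(1))
            continue
        boot = _BOOT_LINE.match(line)
        if boot:
            paths[member] = boot.group(1)
    return paths


def running_versions(show_version: str) -> dict:
    """Map stack member -> SW Version from the show version summary table."""
    rows = (_VER_ROW.match(line) for line in show_version.splitlines())
    return {int(m.group(1)): m.group(3) for m in rows if m}


def members_not_booting(show_boot: str, image: str = NEW_IMAGE) -> dict:
    """Members whose boot variable does not reference the new image.
    An empty result means every member will come up on the new code after reload."""
    return {n: p for n, p in boot_paths(show_boot).items() if image not in p}


def members_not_upgraded(show_version: str, version: str = NEW_VERSION) -> dict:
    """Members still reporting a different running version after the reload."""
    return {n: v for n, v in running_versions(show_version).items() if v != version}


if __name__ == "__main__":
    print("boot mismatches :", members_not_booting(SHOW_BOOT))        # {}
    print("stale members   :", members_not_booting(SHOW_BOOT_STALE))  # {2: '...OLD-IMAGE.bin'}
    print("version mismatch:", members_not_upgraded(SHOW_VERSION))    # {}
```

In practice you would paste the live output into the two strings (or read it from a file) and refuse to type reload while members_not_booting returns anything; a member that reloads on the old image leaves you with a version-mismatched stack.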

Related Articles, References, Credits, or External Links

NA

Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 Router, for this I needed to forward RDP (That’s on TCP Port 3389).

Warning: If you need to forward any of the following ports: 23 (Telnet), 80 (HTTP), 443 (HTTPS/SSL), 21 (FTP) or 22 (SSH), be aware that the Draytek has these reserved for remote management. You will need to change the management port number (System Maintenance > Management > Management Port Setup).

Solution

1. Log into the router’s web console (the default will be a blank username and password, or admin and admin, or admin and a blank password).

2. Expand NAT > Select Port Redirection.

3. Give the service a name (like RDP) > Enter the protocol type, TCP or UDP > Enter the internal IP that you want to forward the port to > Tick Active > Click OK.

Note: Depending on your setup you may see this instead (if that’s the case, select the correct public IP).

4. That should be all you need to do, unless the firewall is turned on; if that’s the case, expand NAT > Open Ports.

5. Again, enter a name in the comment box > the local IP of the machine > the port details > OK.

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

Google Searches Work, But All the Result Links DON’T (BT Broadband)

KB ID 0000740

Problem

I was covering the phone for one of the days over the Christmas period, and a client had rung in with this problem. At first I thought it was simply an EDNS problem like this; however, some testing proved DNS was working fine. Then I thought it was an Internet Explorer problem, until Chrome and Firefox did the same. I could go to Google and search for what I wanted, but all the links (and any other URL I tried, with the strange exception of YouTube) would not work. SMTP/Email worked, as did FTP and everything else I tested, but HTTP and HTTPS would not, with the exception of Google/YouTube.

So I knew the problem was either the router, (a Cisco 1800 with firewall IOS), or the ADSL circuit itself that was causing the problem.

Solution

As BT Business Broadband ADSL circuits don’t usually come with a Cisco Router, I thought if I rang them I’d get the “We didn’t supply or support that router” speech, so I got the client to dig out their supplied (2Wire) router, and asked him to ring BT while I was on-site.

While he was explaining the problem, the Engineer on the other end said, “Unplug the 2Wire and plug the Cisco router back in, I will ring you back…”. This was strange behavior for BT, and I thought we would be the victim of “BT Syndrome“, and sure enough, five minutes later it magically fixed itself.

When BT rang back, they explained that this had been imposed on the client, because they were a ‘little late’ paying their bill, (there’s Christmas spirit for you).

Related Articles, References, Credits, or External Links

NA

Juniper SRX – Update the Operating System / Firmware

KB ID 0000989 

Problem

With two brand new SRX240 firewalls on the bench my first task was to get them updated to the latest operating system.

Solution

Before you start, get the updated Juniper software.

Option 1 Update the SRX firewall via Command Line

1. Connect to the firewall via either Console cable, telnet, or SSH.

2. Log on, then go to CLI mode, and then configuration mode.

[box] login: root
Password: *******

— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# [/box]

2. The more observant of you will have noticed that it has already shown you the OS version above, but in case there is any doubt;

[box] root@FW-02# show version
## Last changed: 2014-08-26 21:15:09 GMT
version 12.1X44-D30.4;

[edit]
root@FW-02# exit[/box]

3. I’ve always got 3CDaemon on my laptop, so I’ll copy the update file over via FTP to the /var/tmp folder. (Note: we’re not in CLI or configure mode!)

[box]root@FW-02% ftp 10.5.0.2
Connected to 10.5.0.2.
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.5.0.2:root): PeteLong
331 User name ok, need password
Password:********
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
ftp> bin
200 Type set to I.
ftp> get junos-srxsme-12.1X47-D10.4-domestic.tgz
local: junos-srxsme-12.1X47-D10.4-domestic.tgz remote: junos-srxsme-12.1X47-D10.
4-domestic.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 158 MB 00:00 ETA
226 Closing data connection; File transfer successful.
166060642 bytes
received in 64.50 seconds (2.46 MB/s)
ftp> bye
221 Service closing control connection
root@FW-02%[/box]

4. Now perform the upgrade.

[box] root@FW-02% cli
root@FW-02> request system software add no-copy /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-12.1X47-D10.4-domestic.tgz
.
NOTICE: Use the ‘no-validate’ option to skip this if desired.
Formatting alternate root (/dev/da0s2a)…
/dev/da0s2a: 627.4MB (1284940 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 156.86MB, 10039 blks, 20096 inodes.
super-block backups (for fsck -b #) at:
32, 321280, 642528, 963776
Extracting /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz …
Checking compatibility with configuration
Initializing…
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1X44-D30.4-domestic signed by PackageProduction_12_1_0
Using junos-12.1X47-D10.4-domestic from /altroot/cf/packages/install-tmp/junos-1
2.1X47-D10.4-domestic
Copying package …
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Usage: license-check -f “<features>” -m -p -q -M -u -U -V
Validation succeeded
Installing package ‘/altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domesti
c’ …
Verified junos-boot-srxsme-12.1X47-D10.4.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X47-D10.4-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X47-D10.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the ‘request system reboot’ command
WARNING: when software installation is complete
Saving state for rollback …

root@FW-02> [/box]

5. Then reboot the firewall.

[box]

root@FW-02> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 2749]

root@FW-02>

*** FINAL System shutdown message from root@FW-02 ***

System going down IMMEDIATELY

[/box]

6. Post reboot, check the version again.

[box]

login: root
Password: ********

— JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# show version
## Last changed: 2014-08-26 21:51:09 GMT
version 12.1X47-D10.4;

[edit]
root@FW-02#

[/box]

 

Option 2 Update the SRX firewall via J-Web

1. To check the current version > Connect to the web console > Dashboard > Software Version.

2. Maintain > Software > Upload Package > Choose File > Browse to the file you downloaded earlier > Upload and Install Package.

Note: Here I have selected ‘Reboot Firewall’; in production you may NOT want to do that until later.

3. It can take a little while, (and look like nothing is happening), time for a coffee.

4. Post reboot, check the version again to make sure it has incremented.

Related Articles, References, Credits, or External Links

NA

Cisco ISE – Upgrading

KB ID 0001071 

Problem

Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it, so I thought I would ‘have a go’.

Solution

If you read the documentation for the upgrade from 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER the upgrade, as it has a habit of resetting things back to default. It’s best to make sure you know how everything that might break is set up before you start.

This upgrade took me a long time! The best part of an afternoon!

1. Before we do anything let’s take a snapshot, just in case it all goes to hell in a hand cart.

2. Gotcha! The upgrade fails if you have any expired certificates; even disabling them won’t help, you need to delete all expired root certs before you start.

3. Copy the upgrade file from an FTP server to the ISE device. It won’t show you any progress bar, so go and get a coffee; if it does not error it’s probably copying over OK :).

4. When you get the prompt back you can check it’s there with a ‘dir’ command.

5. Before you can upgrade you need to create a repository for the upgrade;

[box]

ISE-01/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ISE-01(config)# repository upgrade
ISE-01(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ISE-01(config-Repository)# exit
ISE-01(config)# exit

[/box]

6. Then you need to ‘prepare’ for the upgrade.

[box]

ISE-01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-1.4.0.253.x86_64.tar.gz upgrade
Getting bundle to local machine...
md5: 35a159416afd0900c9da7b3dc6c72043
sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y

[/box]
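The prompt above asks you to confirm the printed hashes against the ones posted on the Cisco download site before continuing. As an added example (not Cisco’s code and not part of the original article), here is how to do that check on your workstation before the bundle ever goes near the appliance: hash the file in chunks (so a multi-hundred-MB bundle never sits in memory) and compare the SHA-256 in constant time, normalising the case and spacing a copy-pasted hash usually arrives with. MD5 is still computed because the appliance prints it, but only the SHA-256 is treated as the decision. The sample ‘bundle’ is a constructed three-byte file, so its digests are the standard test vectors, not the values shown above.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash a bundle in 1 MiB pieces; real bundles are hundreds of MB


def digests_of_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests, the two values the ISE prompt prints."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digests_of_file(path: str) -> dict:
    """Same two digests, streamed from disk so the whole file never sits in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def matches_published(computed: dict, published_sha256: str) -> bool:
    """Compare the computed SHA-256 with the one copied from the vendor download page.
    Pasted hashes often arrive upper-cased or with spaces, so normalise first; anything
    that is not exactly 64 hex characters is rejected rather than silently 'matching'."""
    expected = "".join(published_sha256.split()).lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    return hmac.compare_digest(computed["sha256"], expected)


def verify_bundle_file(path: str, published_sha256: str) -> bool:
    """True only if the file on disk hashes to the published SHA-256."""
    return matches_published(digests_of_file(path), published_sha256)


def demo() -> tuple:
    """Write a constructed stand-in for an upgrade bundle and check it against a correct
    and an incorrect published hash. Returns (good_result, bad_result)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar.gz") as tmp:
        tmp.write(b"abc")  # constructed content; its digests are the standard test vectors
        path = tmp.name
    try:
        good = verify_bundle_file(
            path, "BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD")
        bad = verify_bundle_file(path, "0" * 64)
    finally:
        os.unlink(path)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Point verify_bundle_file at the real ise-upgradebundle file and the SHA-256 from the download page; if it returns False, the download is damaged or is not the file Cisco published, and the upgrade should not proceed regardless of what the appliance prints.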

7. Start the upgrade, this takes ages, go and have at least three coffees.

[box]ISE-01/admin# application upgrade proceed[/box]

8. The appliance will reboot and complete the upgrade, more waiting.

9. When it’s done, log in and issue a show version command to check the new version.

10. Follow the advice, check the article and complete any further steps as required.

11. I won’t list all the post install tasks, but you need to change the hardware version to ‘Red Hat Enterprise Linux 6 (64 bit)’.

 

Related Articles, References, Credits, or External Links

NA

Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server

KB ID 0000772

Problem

If you have an FTP server, simply allowing the FTP traffic to it won’t work. FTP (in both active and passive mode) uses random high ports for the data connection that would normally be blocked on the firewall, so by actively inspecting the FTP control channel the firewall knows which ports to open and close.

Solution

How you ‘allow’ access to the FTP server will depend on whether you have a spare public IP address or not. If you only have one public IP you will need to ‘port forward’ the FTP traffic to the server, but if you have a spare public IP address you can create a static mapping to that IP address instead.

Cisco ASA FTP Procedure

1. Connect to the firewall > Go to enable mode > Go to Configure terminal mode > Create an object for the FTP server > redirect all FTP Traffic to that object.

Note: In this example 192.168.1.1 is the IP of the FTP server.

[box]

USING PORT FORWARDING

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_FTP_Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp ftp ftp
Petes-ASA(config-network-object)#exit
Petes-ASA(config)#
USING A SPARE PUBLIC IP (STATIC MAPPING to 123.123.123.124)

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_FTP_Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static 123.123.123.124
Petes-ASA(config-network-object)# exit 
Petes-ASA(config)#

[/box]

2. Then allow the FTP traffic in from outside.

Now you need to allow the FTP traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this ‘inbound’ for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA(config)# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside[/box]

Note: In the example above we have an ACL called inbound that we MUST use (if you applied a new one, all the access list entries for the old one would get ‘un-applied’). If yours has a different name (e.g. outside_access_in) then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic then we will do that at the end!

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_FTP_Server eq ftp[/box]

3. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
 [/box]

4. Then, to allow the ASA to inspect the FTP traffic, do the following;

[box]

Petes-ASA(config)# policy-map global_policy
Petes-ASA(config-pmap)# class inspection_default
Petes-ASA(config-pmap-c)# inspect ftp 
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
Petes-ASA(config)# [/box]

5. Save the changes.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#[/box]
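What that inspect ftp line is actually doing: the inspection engine reads the PORT commands and ‘227 Entering Passive Mode’ replies on the control channel, decodes the data-channel address and port they carry, opens a pinhole for just that one connection, and in the static-mapping case rewrites the inside address the server embeds in its reply to the mapped public one. The following Python decoder is an added example (not Cisco code, and not part of the original article) that does those three things on constructed control-channel lines. 192.168.1.1 and 123.123.123.124 are the server and mapped addresses from the configuration above; the client addresses are made up.

```python
import re

# Constructed control-channel lines (not captured from the page's devices). The server
# address is the FTP server from the configuration above; the client addresses are made up.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,1,195,80)\r\n"
PORT_CMD = "PORT 203,0,113,7,4,1\r\n"

_H1_H6 = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_h1_h6(text: str):
    """Turn the h1,h2,h3,h4,p1,p2 tuple that PORT and 227 carry into (ip, port)."""
    m = _H1_H6.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply: str):
    """Server -> client 227 reply: the endpoint the client will connect *to* for data."""
    if not reply.startswith("227 "):
        raise ValueError("not a 227 Entering Passive Mode reply")
    return _decode_h1_h6(reply)


def parse_port_command(cmd: str):
    """Client -> server PORT: the endpoint the server will connect *back to* for data."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return _decode_h1_h6(cmd)


def pinhole_for_pasv(server_ip: str, reply: str, client_ip: str):
    """The one-connection hole an inspecting firewall opens after seeing a 227 reply.
    Returns None (open nothing) when the embedded address disagrees with the
    control-channel peer or names a privileged port; a well-behaved server does neither,
    and refusing here is what stops a data channel being steered at a third host."""
    host, port = parse_pasv_reply(reply)
    if host != server_ip or port <= 1023:
        return None
    return {"proto": "tcp", "src": client_ip, "dst": host, "dport": port}


def rewrite_pasv_for_nat(reply: str, real_ip: str, mapped_ip: str) -> str:
    """Static-mapping case from the configuration above: the server embeds its real
    inside address in the 227 reply, so the inspection engine rewrites it to the mapped
    public address; otherwise the outside client would try to reach 192.168.x.x."""
    host, port = parse_pasv_reply(reply)
    if host != real_ip:
        return reply
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        mapped_ip.replace(".", ","), port // 256, port % 256)


if __name__ == "__main__":
    print(parse_pasv_reply(PASV_REPLY))                                # ('192.168.1.1', 50000)
    print(parse_port_command(PORT_CMD))                                # ('203.0.113.7', 1025)
    print(pinhole_for_pasv("192.168.1.1", PASV_REPLY, "198.51.100.9"))
    print(rewrite_pasv_for_nat(PASV_REPLY, "192.168.1.1", "123.123.123.124"))
```

This is also why a plain ‘permit tcp any host x.x.x.x eq ftp’ with no inspection leaves passive transfers hanging: the 227 reply names port 50000 here, and nothing in the static ACL allows it; the pinhole is created per session from the control channel and torn down with it.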

Allow Access to FTP Server via ASDM

1. Connect to the ASDM > Configuration > Firewall > Addresses Section > Add > Network Object > Give the FTP server a name > Set it to ‘Host’ > Enter The IP Address > Select the drop down arrow > Tick the ‘Add Automatic Address Translation Rule’ > Advanced.

2. Set Source interface = inside > Destination Interface = outside > Protocol = tcp > Real and Mapped ports = ftp > OK > OK > Apply.

3. To allow the traffic in right click the outside interface > Add Access Rule.. > Set the destination to the server you created earlier > and the service to tcp/ftp > OK > Apply.

4. Service Policy Rules > Inspection_default > Edit > Rule Actions > Tick FTP > OK > Apply.

5. Save the changes > File > Save running Configuration to Flash.

Cisco PIX FTP Procedure

1. Connect to the firewall > Go to enable mode > Go to configure terminal mode > Add an access list for the inbound FTP traffic (it’s wide open; we will narrow it down in a moment).

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure terminal
PetesPIX(config)# access-list inbound permit tcp any any eq ftp
PetesPIX(config)# access-group inbound in interface outside

[/box]

2. Create a static mapping that locks all incoming FTP traffic to the internal server’s IP address (in this case 192.168.1.1).

[box]

 PetesPIX(config)# static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255[/box]

3. Now, because FTP uses dynamic port allocation, you need to add a ‘fixup’ to the FTP port (TCP port 21).

[box]

PetesPIX(config)# fixup protocol ftp 21[/box]

4. Finally save the changes.

[box]

PetesPIX(config)# write mem
Building configuration...
Cryptochecksum: 01832c5d a90d008d ebf30483 dc48a0d0
[OK][/box]

 

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Original article written 15/02/13

ASA 5585-X Update the CX SSP Module

KB ID 0001005 

Problem

Every piece of documentation I found on upgrading CX SSP modules was for doing so on models other than the ASA5585-X. The (current) latest CLI guide says;

“For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.”

Yeah good luck finding that!

Solution

Before I saw the information above I tried to upgrade the CX module from the ASA and this is the error you get when you try;

[box]PetesASA(config)# hw-module module 1 recover configure url tftp://10.0.41.100/asacx-5500x-boot-9.3.1.1-112.img
ERROR: Module in slot 1 does not support recovery[/box]

Then, I tried the update from within the CX module, and got the following error;

[box] asacx>system upgrade ftp://10.0.41.100/asacx-sys-9.3.1.1-112.pkg
Verifying

111
Upgrade aborted.

[/box]

Note: If you have not already found out, the default username is admin and the default password is Admin123.

Turns out that was an error in 3CDaemon that I use as an FTP server, once I fixed that, I was cooking on gas.

Upgrade the ASA 5585-X CX SSP Module

1. Connect to the CX modules console port, and you can view the version.

[box] Cisco ASA CX 9.1.2
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.

You can access the Web UI from your browser using the following URL(s):
https://192.168.8.8/

asacx login:

[/box]

2. The CX module has its default IP of 192.168.8.8; I need to change this, and I’ll do that from the command line on the ASA like so.

[box] PetesASA(config)# session 1 do setup host ip 10.0.41.34/24,10.1.41.1

Syntax

session 1 do setup host ip {IP Address}/{Subnet Mask},{Default Gateway}

[/box]

3. At this point make sure that Management port 1/0 on the CX module is connected to the network.

4. You can simply ping the new IP, or view it in the ASDM. (Note: here you can also view the CX software version).

5. Now that the CX module and your FTP server are on the same network, and you have downloaded the CX software from Cisco, you can perform the upgrade (from the console session on the CX module).

Note: Don’t press any keys (unless asked to) while this is going on, or it has a habit of aborting!

[box] asacx>system upgrade ftp://10.0.41.100/asacx-sys-9.3.1.1-112.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-CX 9.3.1.1-112 System Upgrade
Requires reboot: Yes

NOTE: If this device is being managed by a PRSM server, you must also apply the same upgrade package to the PRSM server or you will not be able to deploy configurations from the PRSM server to this device.

Do you want to continue with upgrade? [y]:y

Doing so might leave system in unusable state.

Upgrading
Starting upgrade process …[ 459.563380] kjournald starting. Commit interval 5 seconds
[ 459.648202] EXT3 FS on sde3, internal journal
[ 459.700274] EXT3-fs: mounted filesystem with ordered data mode.

Populating new system image
Copying over new application components
Cleaning up old application components

Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system. {Enter}

Broadcast message from root (console) (Fri Oct 3 08:20:59 2014):

The system is going down for reboot NOW!

[/box]

6. Post reboot you can see the new version from the console connection.

[box] Cisco ASA CX 9.3.1.1
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.

You can access the Web UI from your browser using the following URL(s):
https://10.0.41.34/
https://[fe80::5af3:9cff:fe05:d2e4]/

asacx login:

[/box]

You can also check the version has updated from within the ASDM.

 

Related Articles, References, Credits, or External Links

NA

 

ASA Upgrading and Imaging a Hardware CX Module

KB ID 0001025

Problem

Last time I had to do one of these the process was very straight forward, one command and the ASA got its new image from FTP, extracted it, and then installed it.

I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (it had probably been on the shelf a while!), and every time I tried to run a system upgrade it told me this (regardless of what version I tried to install).

[box]This package is not applicable to release 9.0.2.[/box]

If I tried to set a boot image in the ASA, I got the following errors;

[box] Module 1 cannot be recovered.

OR

ERROR: Module in slot 1 does not support recovery

[/box]

Well there is a boot image especially for the 5585-X CX module, so how do you use it?

Solution

Remember the ASA-SSP-CX unit is basically the same hardware as the ASA: you need to boot the card to ROMMON, then install the boot image via TFTP. Once that’s loaded you can run setup and install the new software package.

1. As you can see this one’s running a very old OS.

[box] Petes-CX>show version

Cisco ASA CX Platform 9.0.2 (103)

Cisco Prime Security Manager 9.0.2 (103) for Petes-CX firewall

Petes-CX>

[/box]

2. Reload the module and as it starts to boot, send a ‘break’ keystroke.

[box] Petes-CX>system reload
Are you sure you want to reload the system? [N]: y
Broadcast message from root (console) (Mon Jan 19 14:47:09 2015):
The system is going down for reboot NOW!
INIT: SwitchingStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3862)
.
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
stopping Busybox inetd: inetd… stopped inetd (pid 3875)
done.
Stopping Vixie-cron.
Stopping ntpd: stopped process in pidfile ‘/var/run/ntp.pid’ (pid 3880)
done
Stopping syslogd/klogd: done
Deconfiguring network interfaces… done.
Stopping CGroup Rules Engine Daemon…stopped /usr/sbin/cgrulesengd (pid 3865)

Success
CGRE[3865]: Stopped CGroup Rules Engine Daemon at Mon Jan 19 14:47:13 2015
Stopping cgconfig service: Success
Sending all processes the TERM signal…
Sending all processes the KILL signal…
Unmounting remote filesystems…
Deactivating swap…
Unmounting local filesystems…
umount2: Device or resource busy

——————————————
–Output Removed for the Sake of Brevity–
——————————————

The system is restarting…

CISCO SYSTEMS

Embedded BIOS Version 2.0(13)0 20:40:45 10/21/11

USB storage device found … SMART eUSB USB Device

Total memory : 12 GB

Total number of CPU cores : 8

CPLD revision 0008h
Cisco Systems ROMMON Version (2.0(13)0) #0: Fri Oct 21 20:01:34 CDT 2011

Use BREAK or ESC to interrupt boot.Use SPACE to begin boot immediately.Boot in 10 seconds.

Boot interrupted.

Management0/0
Link is UP
MAC Address: 6c20.5658.928c

Use ? for help.
rommon #0>

[/box]

3. Remember, in ROMMON mode you need to set up all the network settings to copy in the boot image (where 192.168.1.10 will be the CX, and .101 is the TFTP server).

Note: This is the BOOT image, it will have a .img file extension.

[box] rommon #0> ADDRESS=192.168.1.10
rommon #1> SERVER=192.168.1.101
rommon #2> GATEWAY=192.168.1.1
rommon #3> IMAGE=asacx-boot-9.3.2.1-9.img
rommon #4> [/box]

4. Make sure you can ping the TFTP server.

[box]rommon #4> ping 192.168.1.101
Sending 20, 100-byte ICMP Echoes to 192.168.1.101, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)[/box]

5. Issue a sync command, then start the transfer.

[box]

rommon #5> sync

Updating NVRAM Parameters…

rommon #6> tftp
ROMMON Variable Settings:
ADDRESS=192.168.1.10
SERVER=192.168.1.101
GATEWAY=192.168.1.1
PORT=Management0/0
VLAN=untagged
IMAGE=asacx-boot-9.3.2.1-9.img
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp asacx-boot-9.3.2.1-9.img@192.168.1.010 via 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

——————————————
–Output Removed for the Sake of Brevity–
——————————————

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 65605385 bytes

Launching TFTP Image…

Execute image at 0x14000
[STUB]
Boot protocol version 0x209

——————————————
–Output Removed for the Sake of Brevity–
——————————————

Starting syslogd/klogd: done
Cisco ASA CX Boot Image 9.3.2.1

Petes-CX login: admin
Password: ************

Cisco ASA CX Boot 9.3.2.1 (9)
Type ? for list of commands
Petes-CX-boot>

[/box]

WARNING: the following procedure will erase all the settings from your CX module.

6. Partition the CX module drive. (This takes a long time, good time to put the kettle on!)

[box]

Petes-CX-boot>partition
WARNING: You are about to erase all policy configurations and data.
You cannot undo this action.
Are you sure you want to proceed? [y/n]:y
Logical volume “data” successfully removed
Logical volume “var” successfully removed
Logical volume “packages” successfully removed

——————————————
–Output Removed for the Sake of Brevity–
——————————————

Persistent partition is there so create symbolic link /etc/ntp.conf
Persistent partition is there so create symbolic link /etc/hosts
Petes-CX-boot>

[/box]

7. Run the basic setup.

[box]

Petes-CX-boot>setup

Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asacx]: Petes-CX
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.10
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.20
Do you want to configure Secondary DNS Server? (y/n) [n]: Y
Enter the secondary DNS server IP address: 192.168.1.21
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 192.168.1.31,192.168.1.32
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Petes-CX
Management Interface Configuration

IPv4 Configuration:static
IP Address:192.168.1.10
Netmask:255.255.255.0
Gateway:192.168.1.1

IPv6 Configuration:Stateless autoconfiguration

DNS Configuration:
Domain:petenetlive.com
Search:
petenetlive.com
DNS Server:
192.168.1.20
192.168.1.21

NTP configuration:
192.168.1.31,192.168.1.32
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue…
Petes-CX-boot>

[/box]

8. You can now upgrade the CX module from FTP.

Note: This is the SYSTEM image, it will have a .pkg extension.

[box]

Petes-CX-boot>system install ftp://192.168.1.101/asacx-sys-9.3.2.1-9.pkg
Verifying..
Downloading..
Extracting..
Package Detail
Description:Cisco ASA-CX 9.3.2.1-9 System Upgrade
Requires reboot:Yes

Do you want to continue with upgrade? [y]: y

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Upgrading..
Starting upgrade process ..
Populating new system image..
Copying over new application components..
Cleaning up old application components..
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.

PRESS ENTER

Broadcast message from root (consoStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 2883)

[/box]

9. After the module has reloaded, log in and make sure everything is working.

[box]

Petes-CX login: admin
Password:***********


    Cisco Prime Security Manager 9.3.2.1 (9) for Petes-CX firewall
  Type ? for list of commands

Petes-CX>show services status
============================================================
Process           | PID   | Up    | Up Time
============================================================
HTTP Server       | 6139  | True  | 00:02:00
Data Plane        | 6665  | True  | 00:01:35
Opdata Helper     | 6299  | True  | 00:01:59
AD Interface      | 6674  | True  | 00:01:35
HW Regex Server   | 6572  | True  | 00:01:43
Message Nameserver| 6279  | True  | 00:01:59
HTTP Auth Daemon  | 6469  | True  | 00:01:57
Management Plane  | 6481  | True  | 00:01:57
signup            | 6347  | True  | 00:01:59
PDTS              | 6442  | True  | 00:01:59
Predictive Defense| 6679  | True  | 00:01:35
HTTP Inspector    | 6689  | True  | 00:01:35
HPM Monitor       | 6684  | True  | 00:01:35
Updater           | 7772  | True  | 00:00:19
Card Manager      | 6071  | True  | 00:02:00
ARP Daemon        | 6458  | True  | 00:01:58
Event Server      | 6512  | True  | 00:01:52
TLS Proxy         | 6719  | True  | 00:01:35
============================================================
Petes-CX>

[/box]
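Step 9 is the health check for the whole procedure, so here is an added example (my own code, not Cisco's) that parses the 'show services status' table shown above and flags any service that is not up or is missing entirely. The expected service names are taken from the 9.3.2.1 output above; the sample output embedded in the script is constructed to show one service down and several missing.

```python
"""Check the ASA CX 'show services status' table for services that are down or missing.
Added example for this article; not Cisco's code."""
import re
from typing import List, NamedTuple, Set

# Service names exactly as listed in the 9.3.2.1 'show services status' output above.
EXPECTED_SERVICES: Set[str] = {
    "HTTP Server", "Data Plane", "Opdata Helper", "AD Interface", "HW Regex Server",
    "Message Nameserver", "HTTP Auth Daemon", "Management Plane", "signup", "PDTS",
    "Predictive Defense", "HTTP Inspector", "HPM Monitor", "Updater", "Card Manager",
    "ARP Daemon", "Event Server", "TLS Proxy",
}

class Service(NamedTuple):
    name: str
    pid: int
    up: bool
    up_time: str

# One data row: "Process | PID | True/False | HH:MM:SS". The name column is padded to a fixed
# width, so a long name like "Message Nameserver" can touch the '|' with no space.
ROW_RE = re.compile(r"^(?P<name>[^|]+?)\s*\|\s*(?P<pid>\d+)\s*\|\s*(?P<up>True|False)\s*\|\s*"
                    r"(?P<uptime>\d{2}:\d{2}:\d{2})\s*$")

def parse_services(output: str) -> List[Service]:
    """Return one Service per data row; the header row and '=' rules do not match ROW_RE."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Service(m["name"].strip(), int(m["pid"]), m["up"] == "True", m["uptime"]))
    return rows

def health_problems(output: str, expected: Set[str] = EXPECTED_SERVICES) -> List[str]:
    """List services reported as not up, then expected services absent from the table."""
    seen = parse_services(output)
    problems = [f"{s.name} (pid {s.pid}) is not up" for s in seen if not s.up]
    missing = expected - {s.name for s in seen}
    problems += [f"{name} missing from status output" for name in sorted(missing)]
    return problems

# Constructed sample, not a real capture: Data Plane down, most services not listed at all.
SAMPLE_OUTPUT = """Petes-CX>show services status
============================================================
Process           | PID   | Up    | Up Time
============================================================
HTTP Server       | 6139  | True  | 00:02:00
Data Plane        | 6665  | False | 00:00:00
Message Nameserver| 6279  | True  | 00:01:59
============================================================
Petes-CX>"""

if __name__ == "__main__":
    for problem in health_problems(SAMPLE_OUTPUT):
        print(problem)
```

Paste the real table into SAMPLE_OUTPUT (or feed it on stdin) and an empty problem list means every service the page lists is present and up.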


Related Articles, References, Credits, or External Links

Special thanks to Veronika Klauzova from Cisco TAC


Dreamweaver CS6 – Backup and Restore Site Settings

KB ID 0000672 

Problem

If you are like me and struggle to remember settings, passwords, etc., then being able to back up all your website settings in Dreamweaver so you can restore them again (after a rebuild or on a new PC) can save you some heartache.

Solution

1. On the SOURCE machine, launch Dreamweaver > Site > Manage Sites > select the site in question > select the ‘Export Site’ icon.

2. Choose whether to export the site login details and passwords > OK.

3. Select where you want to save the settings.

4. From the same menu on the TARGET machine > Import Site.

5. Browse to the .ste file you saved earlier > Open.

Related Articles, References, Credits, or External Links

NA