Configure Cisco FTD Port Forwarding (via FDM)

KB ID 0001680

Problem

You have a Cisco FTD device that you manage via FDM, and you would like to set up port forwarding. In the example below I will forward TCP port 80 (HTTP) traffic arriving on the outside interface of my FTD device (a Firepower 1010) to an internal web server on 10.254.254.212. It takes two pieces: a static NAT rule that maps the outside interface address on port 80 to the server, and an access control rule that lets the traffic through.

Solution (Step 1: Create an FTD NAT Policy)

Using a web browser, connect to FDM and go to Policies > NAT > Add.

 

Set the following options;

  • Title: Give the NAT rule a title e.g. Webserver-01
  • Create Rule for: Manual NAT
  • Status: Enable
  • Placement: Above a Specific Rule
  • Rule: InsideOutsideNATRule
  • Type: Static
  • Original Packet: Source Interface: inside
  • Original Packet: Source Address: Select ‘Create New Network’

In the Add new Network Object Window;

  • Name: Name of the server/object you are port forwarding to e.g. Webserver-01
  • Host: IP address of the server/object you are port forwarding to
  • OK

Back At the NAT Rule Window;

  • Source Address: Ensure it’s set to the object you just created
  • Original Packet: Source Port: HTTP (or whatever port you wish to forward)
  • Translated Packet: Destination Interface: outside
  • Translated Packet: Source Address: Interface
  • Translated Packet: Source Port: HTTP (or whatever port you wish to forward)
  • OK.

Solution (Step 2: Create an FTD Access Control Policy Rule)

Policies > Access Control > Add.

Set the access rule as follows;

  • Title: Give the access rule a title e.g. Webserver-Access
  • Source Zone: outside_zone
  • Source Networks:  any-ipv4
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks:  The Object you created (above)
  • Destination: Ports/Protocols: HTTP
  • OK

You can expand the rule and see a diagram version if you wish. Note that the rule’s destination is the server’s real (internal) address, not the outside interface address: FTD evaluates access control against the untranslated IP, so rules are always written in terms of the real host. Also be aware that a source of any-ipv4 exposes the port to the whole internet; if only known networks need to reach the server, put those networks in Source Networks instead.

Pending Changes > Deploy Now.

Wait! The changes probably haven’t finished deploying yet; you can check progress by clicking the Pending Changes button again. Once the deployment completes, test from a host outside the firewall that TCP port 80 on the outside address actually reaches the web server.

Related Articles, References, Credits, or External Links

NA

How Do I Find/Change My IP Address?

KB ID 0000208

What’s an IP address?

An IP address is the address used on a network to find your PC, Server, Laptop, or Printer etc. It’s the networking equivalent of your house number and post code (or Zip Code for visitors from over the pond).

Do you want your PUBLIC or PRIVATE IP address? As we started to run out of addresses, a number of solutions were devised. One you will see below (DHCP); the other is NAT (Network Address Translation), which lets many IPs on a network share one (or more) public IP addresses on the internet. The commands below will usually show you the PRIVATE address. If you want to know your PUBLIC address (your address as seen on the internet), it will not appear in ipconfig: the device doing the NAT (your router or firewall) knows it, and so does any website you connect to, which is how the ‘what is my IP’ sites work.

Where does my IP address come from?

You get an IP address by one of two methods:

1. Statically Assigned: Your address never changes and is allocated to you manually.

2. Dynamically Assigned: Your machine gets its IP address automatically via a system called DHCP.

What does an IP address look like?

Most IP addresses in use today are IP version 4 and consist of four numbers separated by three full stops (or once again, periods, for overseas visitors), e.g.

192.168.1.100

Is that all my computer needs?

NO! You need FOUR pieces of information to reach the internet and work properly;

1. The IP address itself (e.g. 192.168.1.100); this must be unique to each machine on the network.

2. The subnet mask (e.g. 255.255.255.0); this tells the machine how large the network it is on is, i.e. which addresses are local to it.

3. The default gateway; this is another IP address on the local network (normally your router) that traffic goes through to leave the local network, e.g. to reach the internet.

4. The DNS server address; this is the IP address of a machine that translates names into IP addresses (e.g. it resolves www.bbc.co.uk to an address such as 212.58.246.159).

What’s my IP address?

1. Windows Key + R > type ‘cmd’ {Enter}

2. A command window will open; click in it and you can type commands. The command to show your IP address is ipconfig, but that WON’T show the DNS settings as well; for those the command is “ipconfig /all“.

Note: If you have many network connections you will get results for all of them; you may need to scroll up and down to find the right one.

IP Problems

Problem 1: My machine has got an IP address of 169.254.x.y.

Answer: That is an APIPA (Automatic Private IP Addressing) address, which Windows assigns itself. The machine is set to get its IP address automatically via DHCP but it can’t reach a DHCP server, either because the DHCP server is down or because there is no connection between the DHCP server and you. With that address it will not be able to reach anything beyond its own network segment.

Problem 2: My IP address shows as 0.0.0.0

Answer: You have been given a static IP address and someone else on the same network is using the same address; this causes an IP conflict, and Windows drops the duplicate address to 0.0.0.0. Change one of the two addresses.

Find out if your IP address is statically or dynamically assigned

The more eagle-eyed of you will see in the ipconfig /all results above that ‘DHCP Enabled’ is ‘No’ for this machine, so its address is statically assigned. To check it in the GUI on your Windows machine, do the following.

1. Windows Key + R > type ‘ncpa.cpl’ {Enter}

2. Your network connections window should open and locate the connection you are connecting with (you might have many, be sure to select the right one, i.e. you might have one for dial up, one for wireless, one for a VPN to the office etc). Right click the connection and select properties.

3. On the window that appears you may have to scroll down the list, we are looking for its TCP/IP (on newer machines it will be called “Internet Protocol Version 4 (TCP/IPv4)”, Select it and click properties.

4. Now you can see if your addresses are set statically or dynamically.
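The same check from PowerShell, as an added example that is not part of the original article: it lists the four settings the article says every machine needs, for every IP-enabled adapter, shows whether the address is from DHCP or static, and flags the two failure addresses described above (169.254.x.y and 0.0.0.0). It uses the standard Win32_NetworkAdapterConfiguration class and needs Windows PowerShell 3 or later; the function name is my own.

```powershell
# Added example (not from the original article): ipconfig /all, the interesting bits only,
# plus a diagnosis of the two "IP Problems" the article describes.
function Get-IpHealth {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        # IPAddress and IPSubnet are parallel arrays mixing IPv4 and IPv6; find the first IPv4 entry
        $addrs = @($_.IPAddress | Where-Object { $_ })
        $idx = 0; $v4 = ''
        for ($i = 0; $i -lt $addrs.Count; $i++) {
            if ($addrs[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') { $v4 = $addrs[$i]; $idx = $i; break }
        }
        $mask = if ($v4) { @($_.IPSubnet)[$idx] } else { '' }

        # The two failure cases from the article, plus "no IPv4 at all"
        $diagnosis = switch -Regex ($v4) {
            '^169\.254\.'  { 'APIPA: DHCP is enabled but no DHCP server answered'; break }
            '^0\.0\.0\.0$' { '0.0.0.0: duplicate static address (IP conflict)'; break }
            '^$'           { 'No IPv4 address on this adapter'; break }
            default        { 'OK' }
        }

        [pscustomobject]@{
            Adapter    = $_.Description
            IPv4       = $v4
            SubnetMask = $mask
            Gateway    = @($_.DefaultIPGateway) -join ', '
            DNS        = @($_.DNSServerSearchOrder) -join ', '
            Assignment = if ($_.DHCPEnabled) { 'Dynamic (DHCP)' } else { 'Static' }
            Diagnosis  = $diagnosis
        }
    }
}

Get-IpHealth | Format-Table -AutoSize
```

The Assignment column is the same ‘DHCP Enabled’ flag you see in ipconfig /all, so you can use it to decide which of the two change methods below applies without opening the adapter properties.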

How to change your IP address

To change your IP address you first need to know if you have a static IP address or a Dynamically assigned one. (That’s why this section is below the one above).

1. If you have a static IP address, simply change it on the screen shown (diagram above).

2. If you have a Dynamic IP address, you can either reboot the machine in question or Click Start > run > cmd {enter}

3. A Command Window will open, click within the box and you can type in commands, the command to release your IP address is ipconfig /release

Then to get a new address type in ipconfig /renew

Related Articles, References, Credits, or External Links

NA

Windows Adding Firewall Rules With PowerShell

KB ID 0001538

Problem

There was a question on Experts Exchange this morning; the asker wanted to add a ‘trusted’ network range to their Windows Server firewall as an ‘allow all ports’ rule.

Solution

You can of course add this manually in the GUI, and normally I’d simply Add a Firewall Rule with a Group Policy. The catch is that the Group Policy port rule is built around a particular TCP/UDP/ICMP port, which is awkward when what you want is to open ALL ports from one address range. You CAN do it in one line with PowerShell, like so;

[box]

New-NetFirewallRule -RemoteAddress 192.168.100.0/24 -DisplayName "Trusted Subnet" -Direction inbound -Profile Any -Action Allow

[/box]

Then you can check the settings, just as if you had created the rule in the GUI.
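As an added example (not part of the original post), here is the page’s broad rule beside a narrower version of it, followed by a read-back of what was actually created. The subnet is the page’s 192.168.100.0/24; the rule names and the port list in the narrower rule are my own assumptions, so substitute the ports your trusted hosts really need.

```powershell
# Added example (not from the original post): the "allow everything from this subnet" rule
# next to a scoped alternative, then a read-back so you can see exactly what got created.

# Broad: every protocol and every local port from 192.168.100.0/24, on all profiles (as on the page).
New-NetFirewallRule -DisplayName 'Trusted Subnet' -Direction Inbound -Profile Any `
    -Action Allow -RemoteAddress 192.168.100.0/24

# Narrower: same subnet, but only the management ports you actually need (assumed: RDP and WinRM),
# and only on the Domain/Private profiles so it never applies on a Public network.
New-NetFirewallRule -DisplayName 'Trusted Subnet - Mgmt' -Direction Inbound -Profile Domain, Private `
    -Action Allow -RemoteAddress 192.168.100.0/24 -Protocol TCP -LocalPort 3389, 5985, 5986

# Read-back: the rule object itself does not carry addresses or ports; those live in the
# address and port filters, which is why the GUI can show them but Get-NetFirewallRule alone cannot.
Get-NetFirewallRule -DisplayName 'Trusted Subnet*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Profile  = $_.Profile
        Action   = $_.Action
        Remote   = @($addr.RemoteAddress) -join ','
        Protocol = $port.Protocol
        Ports    = @($port.LocalPort) -join ','
    }
} | Format-Table -AutoSize
```

Two things worth knowing before you rely on the broad rule: it allows every protocol (not just TCP/UDP) from that range, and in Windows Firewall an explicit block rule still wins over an allow rule, so if something in the trusted range is still being refused, look for a block rule rather than adding a second allow.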

 

Related Articles, References, Credits, or External Links

NA

vCenter – Management Ports

KB ID 0001324 

Problem

A while ago a colleague was struggling to get into a vCenter server. The normal HTTPS (TCP 443) page wasn’t letting him in. I knew you could manage the appliance directly on a different port (but I couldn’t remember the port number!), and he knew there was an alternate port for vSphere too, but neither of us knew what it was.

Solution

vCenter Appliance (Direct) Management Port

TCP: 5480

i.e. https://{ip-or-host-name}:5480

vCenter / vSphere Management Port

TCP: 443

i.e. https://{ip-or-host-name}

vCenter / vSphere Alternative Management Port (the legacy vSphere Web Client port on older releases)

TCP: 9443

i.e. https://{ip-or-host-name}:9443

Note: You can also connect to the PSC (Platform Services Controller) if you installed that role on the same appliance. The URL for that is https://{ip-or-host-name}/psc

Related Articles, References, Credits, or External Links

NA

Mac OSX and Linux – Quick and Dirty Web Server

KB ID 0001157 

Problem

I was clearing out some old emails yesterday and saw one my colleague Steve had sent me. It was info on how to fire up a quick web server on your Mac. It wasn’t until I took a look at it that I realised how handy it was.

After some reading, I found that it works not only on a Mac but on Linux as well, as long as Python is installed: the web server is a module that ships with Python itself.

WHAT USE IS THAT? What if you want to send a large file to a colleague? Yes, you could use USB drives or Dropbox, but executing one command is a lot quicker. Or what if you are on a site where everything is locked down and only a few ports are open, but you need to get a file somewhere? Do a quick nmap scan to find a port that is allowed through, start the server on that port, and download your files over it instead.

Solution

First open a terminal window, then navigate to the folder you want to ‘serve’. Then simply execute the following command;

[box]

# Python 3 (what current macOS and Linux releases ship):
python3 -m http.server 8080

# Python 2 (the original command; the SimpleHTTPServer module does not exist in Python 3):
python -m SimpleHTTPServer 8080

[/box]

Note: TCP port 8080 is the port you want to use; change it to suit.
Then simply browse to http://{Your-IP-Address}:8080 (plain http, not https: this server does no TLS, so anything you transfer crosses the network in the clear).

BE AWARE: You shouldn’t see a problem if you use any port ABOVE 1024; if you choose a lower port you may see ‘Permission Denied’ errors, because ports below 1024 can only be opened by root.

To address that, ‘sudo’ the command (unless you are logged into Linux as root!). Also remember that this serves the entire folder, and everything beneath it, to anyone who can reach that port, with no authentication at all, so start it in a folder that contains only what you mean to share, and stop it (Ctrl+C) as soon as the file has been collected.

Related Articles, References, Credits, or External Links

NA

VMware – Setting up ESX NTP Time Sync

KB ID 0000798

Problem

Having your ESX server running the correct time is quite important, and before you visit this subject I would suggest you MAKE SURE the time is set correctly in the ESX server’s BIOS, i.e. that the internal hardware clock is right first. I’ve lost count of the number of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and pushed that time to its guests; suddenly your domain clocks are two years apart and carnage ensues!

Solution

Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.

1. Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.

Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.

130.88.212.143 = turnip.mc.man.ac.uk (Manchester University)
130.88.200.4 = dir.mcc.ac.uk (Manchester University)

2. When you see the following all is well.

Note: If all these details are IN RED, then it has failed to sync, either be patient, try putting the host into and out of maintenance mode, or reboot it, if it continues to fail check it can see the public time servers on UDP port 123.
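To check the “can it see the time servers on UDP 123” part from a machine on the same network segment as the host, here is a minimal SNTP client as an added example (not from the original article). It sends the standard 48-byte client request, reads the server’s transmit timestamp from the reply, and reports the offset from the local clock; a timeout means nothing came back on UDP 123 (blocked, or the server is down). The default server is the first Manchester address listed above; the function name is my own.

```powershell
# Added example (not from the original article): ask an NTP server for its time over UDP 123
# and report the difference from this machine's clock. Uses the NTP v3 packet layout.
function Get-NtpOffset {
    param([string]$Server = '130.88.212.143', [int]$TimeoutMs = 3000)

    # 48-byte client request: first byte = LI 0, Version 3, Mode 3 (client); rest zero
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply  = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        throw "No NTP reply from $Server within ${TimeoutMs}ms: UDP 123 is blocked, or the server is down"
    } finally {
        $udp.Close()
    }
    if ($reply.Length -lt 48) { throw "Short NTP reply ($($reply.Length) bytes) from $Server" }

    # Transmit Timestamp lives in bytes 40..47: 32-bit seconds + 32-bit fraction,
    # big-endian, counted from 1900-01-01 00:00:00 UTC
    $secBytes  = [byte[]]$reply[40..43]; [array]::Reverse($secBytes)
    $fracBytes = [byte[]]$reply[44..47]; [array]::Reverse($fracBytes)
    $seconds   = [BitConverter]::ToUInt32($secBytes, 0)
    $fraction  = [BitConverter]::ToUInt32($fracBytes, 0) / [math]::Pow(2, 32)

    $ntpEpoch   = [datetime]::SpecifyKind([datetime]'1900-01-01', [DateTimeKind]::Utc)
    $serverTime = $ntpEpoch.AddSeconds($seconds + $fraction)
    $localTime  = [datetime]::UtcNow

    [pscustomobject]@{
        Server        = $Server
        Stratum       = $reply[1]            # 0 means a "kiss-o'-death": the server is refusing us
        ServerTimeUtc = $serverTime
        LocalTimeUtc  = $localTime
        OffsetSeconds = [math]::Round(($serverTime - $localTime).TotalSeconds, 3)
    }
}

Get-NtpOffset                              # the article's Manchester server
Get-NtpOffset -Server 'uk.pool.ntp.org'    # or a pool server closer to you
```

If the offset is minutes or hours rather than a fraction of a second, the host’s BIOS clock is the first thing to fix, for the reasons given at the top of the article; a Stratum of 0 in the reply means the server answered but is refusing to serve you, so pick another one.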

Related Articles, References, Credits, or External Links

NA

VMware VI Client error ‘Unable to connect to the MKS: Failed to connect to server {ESX-Host}:902’

KB ID 0000815 

Problem

Seen when connected to the VMware VI client software, and attempting to open a console session with a virtual machine.

Solution

This is a pretty generic error: for whatever reason the client software cannot connect to the MKS (Mouse, Keyboard, and Screen) service on the host.

In NEARLY every case this is a communication issue: either the machine running the client software cannot resolve the name of the ESX host that is hosting the virtual machine, or TCP port 902 is being blocked by a firewall between them. Bear in mind the console connection goes directly from the client to the ESX host on 902, not via vCenter, so the client needs a direct path to the host, by name.

1. If you can’t simply put the correct name in your DNS, then add the name and IP to the hosts file on the machine running the VI client software. You will find it in;

[box] C:\Windows\System32\drivers\etc\hosts [/box]

2. Open it with Notepad (run as Administrator, or you will not be able to save it) and add the IP and name of your ESX host(s). Note: I’m also putting in the name and IP of my Virtual Center server as well. Save the file and try again.

3. You should now be able to connect.

It’s NOT DNS!

If you can happily resolve the name and are sure the port is not being blocked, then have you made any IP changes? Is the default gateway on the ESX server set correctly? Finally, restart the management agents on the host, either from the console or by running ‘/sbin/services.sh restart’ from an SSH session.

I’ve also fixed this error by shutting down the machine > removing it from the inventory > then browsing the storage, to locate the .vmx file > then simply import it back again.

Related Articles, References, Credits, or External Links

NA

RSA SecurID Error – ‘106: The Web server is busy. Please try again later’

KB ID 0000975 

Problem

Not the most descriptive of errors! In fact this has got nothing to do with the busyness of the web server at all.

Solution

What’s actually happening is that the RSA agent on this machine (in this case a web server) cannot communicate with the RSA Authentication Manager. In my case the web server was in a DMZ, and the RSA Authentication Manager appliance was in another DMZ. The ports required (TCP 5500, UDP 5500 and TCP 5580) were not open from the agent to the appliance. Once I fixed that, we were up and running.
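Several of the articles above come down to the same question: is a given TCP port reachable from here, and if not, is it being refused (host up, nothing listening) or silently dropped (a firewall in the way)? The function below is an added example, not from any of the original articles, that answers that for a list of ports: the FTD port forward (TCP 80 on the outside address, tested from outside), the vCenter ports (443, 5480, 9443), the VI client console port (902) and the RSA agent ports (TCP 5500 and 5580). It uses only the .NET TcpClient, so it runs on any Windows PowerShell; the hostnames and addresses in the usage lines are placeholders. It cannot test UDP 5500, since a UDP “connect” never fails.

```powershell
# Added example (not from the original articles): probe TCP ports and tell
# open / refused / timed-out apart, so "service down" and "firewall drops it" look different.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # ($Host is reserved in PowerShell, hence this name)
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 3000
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'unknown'
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)       # throws if the connection was refused
                $state = 'open'
            } else {
                # No SYN/ACK and no RST inside the timeout: the classic signature of a
                # firewall dropping the packet (or a host that is simply not there)
                $state = 'timeout (filtered?)'
            }
        } catch [System.Net.Sockets.SocketException] {
            $ex = $_.Exception
            if ($ex.InnerException -is [System.Net.Sockets.SocketException]) { $ex = $ex.InnerException }
            # ConnectionRefused = the host answered with a RST (reachable, nothing listening);
            # HostNotFound / HostUnreachable mean it never got as far as the port
            $state = "failed: $($ex.SocketErrorCode)"
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Target = $ComputerName; Port = $p; State = $state }
    }
}

# Usage (all names/addresses are placeholders):
Test-TcpPort -ComputerName 203.0.113.10 -Port 80                  # FTD port forward, run from OUTSIDE
Test-TcpPort -ComputerName vcenter.example.com -Port 443, 5480, 9443
Test-TcpPort -ComputerName esx01.example.com -Port 902             # VI client console (MKS)
Test-TcpPort -ComputerName rsa-am.example.com -Port 5500, 5580     # TCP only; UDP 5500 needs an RSA test auth
```

Read the State column as: open means the path and the listener are both fine; failed: ConnectionRefused means the path is fine but nothing is listening (wrong port, or the service is stopped); timeout means something between you and the target is dropping the packets, which is the case to take to whoever owns the firewall.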

Related Articles, References, Credits, or External Links

NA

Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 router; in this case I needed to forward RDP (that’s TCP port 3389).

Warning: If you need to forward any of the following ports: 23 (Telnet), 80 (HTTP), 443 (HTTPS/SSL), 21 (FTP) or 22 (SSH), be aware that the Draytek has these reserved for its own remote management. You will need to change the management port number first (System Maintenance > Management > Management Port Setup).

Solution

1. Log into the router’s web console (the default will be a blank username and password, or admin and admin, or admin and a blank password). If it still accepts a default, change it: a router that forwards ports in from the internet and still has a default admin password is an open door.

2. Expand NAT > Select Port Redirection.

3. Give the service a name (like RDP) > enter the protocol type, TCP or UDP > enter the internal IP that you want to forward the port to > tick Active > click OK.

Note: Depending on setup you may see this instead (if that’s the case select the correct public IP).

4. That should be all you need to do, unless the firewall is turned on; if that’s the case expand NAT > Open Ports.

5. Again enter a name in the comment box > the local IP of the machine > the port details > OK.

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

Windows Change the RDP (Remote Desktop) Listening Port

KB ID 0000166

Problem

If you didn’t already know, the Remote Desktop Protocol port is TCP 3389. That’s fine, but what if you want to change it to something else? That begs another question: why?

Well, some people like to change the port so that a nasty type running a port scan against your machine/firewall sees a different port open; even the most clueless script kiddie knows that if TCP 3389 is open, RDP is probably on the other end of it. Bear in mind that this is obscurity rather than security: a scanner that fingerprints the service will still find RDP on 3390, so treat the port change as a way of cutting down automated noise and keep the real protections in place (Network Level Authentication, strong passwords or MFA, and ideally a VPN or RD Gateway in front of it rather than a raw port forward). Or you might want to have all your servers available via RDP from the internet (people do), but you can only forward a given port to one internal IP address. If you change the listening port on each server, you can forward a different port to each one.

Solution

Note: This works on Windows 2000/2003/2008/XP/Vista/Windows 7

1. On the machine in question click Start > Run (or type in the Start Search) > Regedit {enter}.

2. The Registry Editor will open.

3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

4. In the right-hand window locate PortNumber.

5. Double-click it and select Decimal; you will see that by default it is 3389. Change it to something else (I suggest a number above 1024). In this case I’ll use 3390. The change takes effect once the Remote Desktop Services service is restarted (or the machine is rebooted).

6. Make sure that RDP is actually enabled on the machine in question. (Note: If this machine has a firewall enabled it will block the new port, because the built-in Remote Desktop rule only allows 3389; add a rule for the new port rather than disabling the firewall.)

7. To connect to this machine from another one, use the same Remote Desktop client: click Start > Run > MSTSC {enter} and enter the target computer’s name or IP address, then a colon, then the new port number, e.g. 192.168.1.10:3390.
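The same change scripted, as an added example that is not from the original article: it sets the registry value, makes sure Remote Desktop is enabled and requires Network Level Authentication, adds the firewall rule the article warns you about, restarts the service and confirms the new listener. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (the Net* cmdlets do not exist on the older versions the article lists), and 3390 is the page’s example port; the function name is my own.

```powershell
# Added example (not from the original article): change the RDP listening port end to end.
# Run elevated. Windows 8 / Server 2012 or later for New-NetFirewallRule and Get-NetTCPConnection.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Set-RdpPort {
    param([Parameter(Mandatory)][int]$Port)
    if ($Port -lt 1025 -or $Port -gt 65535) { throw 'Pick a port between 1025 and 65535' }

    $old = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Write-Host "RDP currently listens on TCP $old; changing to $Port"

    # 1. PortNumber is a REG_DWORD; -Type DWord keeps it that way (regedit shows it in hex by default)
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord

    # 2. Remote Desktop must be enabled (fDenyTSConnections = 0) and, while we are here,
    #    require Network Level Authentication so the new port is not a pre-auth attack surface
    Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication  -Value 1 -Type DWord

    # 3. The built-in 'Remote Desktop' firewall rules are fixed to 3389, so add one for the new port
    $ruleName = "RDP custom port $Port"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow -Profile Domain, Private | Out-Null
    }

    # 4. Restart the Remote Desktop service so it re-reads the port. This DROPS existing RDP sessions,
    #    including yours if you are doing this over RDP, so run it from the console or a scheduled task.
    Restart-Service -Name TermService -Force

    # 5. Confirm something is now listening on the new port
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

Set-RdpPort -Port 3390
# From another machine:  mstsc /v:server-name:3390
```

If step 5 prints nothing, the service came back on the old port: check the PortNumber value was written as decimal (a value typed into regedit in hex mode will be wrong) and that no Group Policy is overriding it.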

Related Articles, References, Credits, or External Links

NA