Wednesday, 14 December 2011 23:35

PIX 506E Hangs Up

This is a really old Cisco firewall, but it can be fun to configure. Anyway, when it hangs up you get the following screen:

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10

The solution is quite simple. Turn it off, open the case carefully and put jumper J5 in a different position. Turn it on and wait for output on the terminal. Then turn it off again, put the jumper back in its original position and turn it on. Enjoy!

A PIX in factory-default mode will not allow machines on the internal network to ping machines on the Internet.

To allow this in its most basic form, connect to the PIX and type the following commands:

access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-group allow_ping in interface outside (binds the ACL to a specific interface, outside in this particular case)
write memory


To check the ACL, and to see the hit count on each rule, type the following command:

sh access-list


Here is the explanation:

The command is of the following format:

access-list [name] permit icmp [src] [dst] [protocol]


where the following is true:

[name] = The name of the ACL. This can be anything you like, as long as it is not already in use.
[src] = The source of the ping packets. "any" means any machine on the inside interface.
[dst] = The destination of the ping packets. "any" means any host on the outside interface (the Internet).
[protocol] = The ICMP message type to allow back in. For pings to work we need "echo-reply", "source-quench", "unreachable" and "time-exceeded".

Also note that in both [src] and [dst], "any" can be replaced with one of the following options:

host 10.0.0.1          (an individual host)
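As an added example (not part of the original article), here is a small Python check that reads the output of sh access-list, parses each ACE with its hit count, and flags permit entries on the ping ACL that are broader than the four reply types listed above or that have never matched. The sample output is constructed in the PIX 6.3 format and is not a real capture.

```python
"""Check the ping return-traffic ACL using 'show access-list' output.
Added example; SHOW_ACL is constructed in the PIX 6.3 style, not a capture."""
import re

# Constructed sample; line 5 is deliberately broader than the page's ACL.
SHOW_ACL = """\
access-list allow_ping; 5 elements
access-list allow_ping line 1 permit icmp any any echo-reply (hitcnt=42)
access-list allow_ping line 2 permit icmp any any source-quench (hitcnt=0)
access-list allow_ping line 3 permit icmp any any unreachable (hitcnt=7)
access-list allow_ping line 4 permit icmp any any time-exceeded (hitcnt=3)
access-list allow_ping line 5 permit icmp any any (hitcnt=11)
"""

# The four ICMP message types the page allows back in so that ping works.
REPLY_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.*) \(hitcnt=(\d+)\)$")

def take_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'network mask'."""
    if toks[0] == "any":
        return toks[0], toks[1:]
    return " ".join(toks[:2]), toks[2:]

def parse_ace(line):
    """Parse one ACE line into a dict; return None for header/other lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, num, action, proto, rest, hits = m.groups()
    src, toks = take_addr(rest.split())
    dst, toks = take_addr(toks)
    return {"acl": acl, "line": int(num), "action": action, "proto": proto, "src": src,
            "dst": dst, "type": toks[0] if toks else None, "hits": int(hits)}

def check_ping_acl(output):
    """Report ICMP permits that are broader than the reply types, or never used."""
    findings = []
    for ace in filter(None, map(parse_ace, output.splitlines())):
        if ace["action"] != "permit" or ace["proto"] != "icmp":
            continue
        if ace["type"] is None:
            findings.append(f"line {ace['line']}: permits every ICMP type inbound")
        elif ace["type"] not in REPLY_TYPES:
            findings.append(f"line {ace['line']}: {ace['type']} is not a ping reply type")
        elif ace["hits"] == 0:
            findings.append(f"line {ace['line']}: {ace['type']} never matched (hitcnt=0)")
    return findings
```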

Monday, 05 December 2011 22:15

PIX 506E Initial Configuration

Default username and password: pix/cisco

eth0 - outside (ssh access only)

eth1 - inside (telnet access)

hostname [put some name] (required for ssh on outside iface)

domain-name [put some domain name] (required for ssh on outside iface)

ca generate rsa key 1024 (or 512 or 2048, etc.)

ca save all

ssh [put your ip] [put your subnet mask] outside

ssh timeout [number] (default is 5 = 5min.)

show ssh sessions

PRIVILEGE LEVELS:

  • privilege level 0 — Includes the disable, enable, exit, help, and logout commands
  • privilege level 1 — Normal level on Telnet; includes all user-level commands at the pix> prompt
  • privilege level 15 — Includes all enable-level commands at the pix# prompt

#username [username] password [password] privilege [privilege level, e.g. 15] (creating a user; the privilege can be set separately, privilege manipulation is allowed)

#no username [username] (removing a user)

#enable password [type your password to enable mode]

************************************************************************************************************


As on routers, when no AAA commands are configured there must be a login password and an enable password set for the PIX or ASA to be remotely accessible via telnet. Using a more secure remote access method such as ssh is sometimes preferable or even required. Unlike routers, which do not require AAA for ssh access, the PIX or ASA does require a proper AAA configuration. With a proper AAA command set in place, every access attempt via telnet, ssh, http, https, SNMP and the console port is authenticated using the same credentials.

Similar to a router, the PIX or ASA can use either local credentials or remote credentials stored on an external AAA server such as TACACS+ or RADIUS. Using such external servers for authentication is highly recommended as the more secure approach. Check out the following FAQ for more info on TACACS and RADIUS.

Cisco Forum FAQ: Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

These AAA command sets have been tested in various situations, including automatic failover from the TACACS+ server to local credentials or the local enable password when the TACACS+ server is unreachable because the server or the network is down.

First, an AAA command set that authenticates using local credentials only is introduced to provide a preliminary understanding. Then the use of an external TACACS+ server is introduced to provide a stronger security perimeter.

PIX Firewall running OS version 6.3

1. Using Local Credential

Sample #1:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

Behavior Description

With this AAA command set, there is a dedicated password for each username. There is, however, a single enable password that all usernames share to log into enable mode.

In other words, the password for a username and the password for enable mode are in general different. When only a single username is defined, the username password and the enable password could be set to the same value. In either case, this approach is considered insecure, since relying on a single "shared password" as the only enable password is unreliable.

To log in, enter the local username and password. To enter privileged mode, enter the enable password.

Sample #2:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

Behavior Description

Similar to the previous AAA command set, there is a dedicated password for each username with this AAA command set. You may note that there is still a single enable password that all usernames could, at some point, share to log into enable mode.

By default, the shared enable password is not used: each username has to use its own password to log into enable mode. If for some reason all defined usernames are removed along with their passwords, then you may use the shared enable password to log into enable mode. However, this condition may never occur, since both the usernames and the shared enable password are defined locally. Compared to the previous sample configuration, this approach is more secure, since in practice the shared password may never be used at all.

With this in mind, note that in general the password to log in and the password to enter privileged mode are the same. Therefore you may never need to use the enable password to enter privileged mode.

2. Using External TACACS+ Server

Sample #3:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

Behavior Description

Similar to the previous AAA command sets, there is a dedicated password for each username with this AAA command set. By default, the ASA/PIX Firewall uses whatever password the username has as defined in the TACACS+ server database. If for some reason the TACACS+ server is unreachable or unusable, the ASA/PIX Firewall uses the local credentials (local username and associated password) to authenticate users.

You may note that with this sample configuration, the TACACS+ server is located on the Inside interface from the ASA/PIX Firewall's perspective. There can be a maximum of three attempts to log into the ASA/PIX Firewall using the correct username and password. When the user does not enter the username or password within ten seconds, the login session times out.

This approach should be considered the most secure of the three sample configurations, since a centralized authentication system (in this case TACACS+) is in place and is used as the primary resource, while local authentication is just a backup.
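As an added example, not from this page or the Cisco FAQ it draws on, here is a Python audit that reads a PIX configuration block, records which aaa-server group(s) protect each management path (http, telnet, ssh, enable) and reports paths that are left on the shared password only, that reference an undefined server group, or that have no LOCAL fallback. SAMPLE3 is the page's Sample #3 with the placeholders replaced by obviously fake values.

```python
"""Audit which PIX management paths are AAA-protected and how they fall back.
Added example; SAMPLE3 is Sample #3 from the page with fake placeholder values."""
import re

SAMPLE3 = """\
username admin password NotARealPassw0rd privilege 15
enable password NotARealEnablePw
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.0.2.10 NotARealSharedKey timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""

# Management paths the page's samples protect with 'aaa authentication'.
PATHS = ("http", "telnet", "ssh", "enable")
SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (\w+) console (.+)$")

def audit(config):
    """Return ({path: [server groups, in order]}, [findings]) for a PIX config."""
    groups = {}   # server-group name -> protocol
    auth = {}     # management path -> ordered list of server groups
    for line in config.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = m.group(2).split()
    findings = []
    for path in PATHS:
        chain = auth.get(path)
        if chain is None:
            findings.append(f"{path}: no aaa authentication; only the shared password protects it")
            continue
        for group in chain:
            if group not in groups:
                findings.append(f"{path}: undefined aaa-server group {group}")
        if chain[-1] != "LOCAL":
            findings.append(f"{path}: no LOCAL fallback if {chain[0]} is unreachable")
    return auth, findings
```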

Windows 7 in a Windows Server 2003 domain - the computer connected to the domain successfully, but after a reboot, when you try to log on to a domain admin account, you receive this:

"The security database on the server does not have computer account for this workstation trust relationship"

Reconnecting the computer to the domain does not help. Reading the following article does not help either:

http://technet.microsoft.com/en-us/library/ee849847(WS.10).aspx

But after 15 minutes of investigation I realized that the computer account is not visible anywhere!!!! Apparently it does not exist in AD... Here is what I did:

  • Open Active Directory Users and Computers
  • select your domain
  • Actions > Find > Computers > enter the computer name (hostname)
  • when it appears, right-click it > Move
  • select the desired OU > OK

Here it is!!! It is working. How nice!!!


Sunday, 06 November 2011 14:52

Publishing a Printer in Active Directory

Well, it seems like an easy task: just use the script pubprn.vbs