Cisco
Static map to internal device on a PIX
How to add a static map through a PIX to a device on the inside of your network: a one-to-one translation.
static (inside,outside) (outside IP) (inside IP) netmask 255.255.255.255
Example:
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255
Now you have a static NAT to a specific device on the inside of your PIX. You can now write an access list to specify which services to allow to this device...
Cisco PIX: Allow traffic to an internal host
Permit selected traffic to an internal host.
First, a static mapping must be made for the host. There is another recipe for this configuration.
static (inside,outside) 1.1.1.1 192.168.0.100 netmask 255.255.255.255
Then:
To allow traffic, a conduit must be constructed. For example, to allow ICMP (ping) traffic to all hosts from anywhere (bad idea):
conduit permit icmp any any
To allow SSH to a specific host from anywhere:
conduit permit tcp host 1.1.1.1 eq 22 any
Or, with ACLs:
access-list 100 permit tcp any host 1.1.1.1 eq 22
access-group 100 in interface outside...
PPTP (Point-to-Point Tunneling Protocol) through PIX Firewall
How to pass PPTP traffic through a PIX Firewall
This recipe is outdated. See this one: http://www.tech-recipes.com/rx/2222/pptp_on_cisco_asa_or_pix_6_3_or_later_code.
Cisco PIX Firewalls require two elements to pass traffic from outside (lower security) to inside (higher security): a static translation and a conduit.
For this example, assume a server has IP address 192.168.1.100 and there is an available outside address of 1.1.1.1.
First, create the static translation. This configuration line establishes a relationship between 1.1.1.1 (public Internet IP address) and 192.168.1.100 (inside, private IP address).
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255 0 0
Next, create appropriate conduits to allow specific traffic to pass from the outside to the inside interface. PPTP uses TCP/1723, TCP/139, UDP/Netbios-NS, UDP/Netbios-DGM, and IP/47 GRE.
This is not needed. This recipe is outdated and based on an old document.
conduit perm...
Cisco PIX: Password recovery/reset
The password paradox is a commonplace condition. Make your passwords strong and difficult to guess, change them frequently, and don't write them down. It's a formula for forgetfulness. Eventually, many organizations find themselves locked out of their PIX. This recipe describes the process for resetting the PIX password.
This information describes resetting the password on a PIX without a floppy drive. You must first have a TFTP server running. Most UNIX operating systems install with a TFTP server installed but possibly not running. Windows systems are at a disadvantage because Microsoft no longer ships Windows with a TFTP server. This recipe describes installing and configuring a third-party TFTP server on a Windows system.
You need a console connection to your PIX from some system that is capable of sending a BREAK signal (the HyperTerminal communications application that ships with Windows doesn't do this; again, Windows folks are at a disadvantage). The Private Edition of HyperTermi...
Port redirect to inside host on a Cisco PIX firewall
How to configure a PIX to redirect traffic to an inside host via port redirection. An example would be if you allowed your PIX to get its external address via DHCP but you wanted to reach an FTP server on the inside of your firewall, as well as perhaps another host for VNC. First you have to add a static entry for the host and port redirection like this:
static (inside,outside) tcp 68.206.140.100 ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.206.140.100 5900 192.168.1.110 5900 netmask 255.255.255.255
Note: 68.206.140.100 is the address of your outside interface, which was assigned via DHCP.
Then you need to build an ACL to allow access through the PIX:
access-list outside-inbound permit tcp any host 68.206.140.100 eq ftp
access-list outside-inbound permit tcp host 65.205.64.60 host 68.206.140.100 eq 5900
Now you can FTP from anywhere to the outside IP address of the PIX and be redirected to 192.168.1.100, the inside FTP server.
You can now also VNC to the outside int...
Load a new Cisco PIX software image from a TFTP server
TFTP (trivial file transfer protocol) provides a convenient means of quickly transferring a Cisco IOS image to a firewall over an ethernet interface. This procedure is substantially faster than transferring over a serial port.
Step 1: Copy the IOS binary file to the TFTP directory.
By default on most UNIX systems, the data directory for the TFTP server is /tftpboot. Copy the IOS image file to this directory and make sure it is world readable (i.e., chmod 544 /tftpboot/filename.bin). The first time you try this procedure, or any time you experience trouble, test the TFTP server configuration with the tftp client:
cd /tmp
tftp localhost
get filename.bin
You can change directory to /tmp or any other directory that does not contain the image file. You must use the exact name of your binary file.
If there are no error messages, proceed; otherwise troubleshoot based on the error message.
Step 2: Configure an ethernet interface on the firewall if not already configured.
Test the configu...
Configure PIX interface by DHCP
In many situations, such as remote sites connected by DSL or cable modem, the outside interface IP address of a firewall must support dynamic addressing by DHCP.
To configure the outside interface to obtain its settings by DHCP:
nameif ethernet0 outside security0
ip address outside dhcp setroute
The firewall will immediately try to receive an IP address and settings by DHCP...
The "Do" command
If you are running Cisco IOS 12.2(8) or later, you can use the "do" command to run privileged commands in global config mode. In layman's terms, you can run "show" commands while in config or config-if mode :)
This will save you the trouble of exiting to privileged mode to check your work when you are configuring a router or switch.
Just add "do" before the "show" command, e.g.:
router(config)# do show interface f0/0
switch(config-if)# do show run
This also works with ping, clear and debug commands...
How to setup IAS to use radius to authenticate Cisco device
This recipe shows how to configure IAS for Cisco equipment using privilege level 15 and also level 2, so you can have tech users and admin users depending on which OU you're in.
====================
= IAS Radius SETUP =
====================
-Make sure machines are on domain
-setup IAS
-launch IAS
-select radius clients
-right click, add
-add friendly name [sitename + subnet]
-add [subnet/20] for ip address, next
-choose Radius Standard and enter shared secret, finish
-right click on IAS service local, register server in AD, OK, OK
-select remote access policy
-in the right window pane
-rename to Radius Policy Level 1
-rename to Radius Policy Level 15
-go properties of Radius Policy Level 1
-remove anything in window
-add Windows-Group
-add, "switch users 1" under gaming domain, OK, OK
-click on "grant remote access privileges", apply
-click edit profile
-authentication tab
-check only unencrypted authentication
-advanced tab
-remove the one that says Framed-Protocol
-edit Service-type and change to...
Configure RIP routing on a Cisco router
RIP routing is a distance-vector routing protocol which is simple to configure. The routing protocol determines the best path to a target by estimating the distance in number of hops or intermediate routers.
To configure RIP routing and to advertise the 192.168.200.0 network:
conf t
router rip
network 192.168.200.0
^Z...
Configure IGRP routing on a Cisco router
IGRP is a proprietary routing protocol designed by Cisco and can only be used in a homogeneous network of Cisco routers. IGRP is a distance-vector protocol that considers delay, bandwidth and other optional parameters to determine the best path.
IGRP uses an autonomous system number parameter in the configuration. All routers with the same autonomous system number will share router advertisements and participate. This number is arbitrary but must be the same on all routers within the autonomous system.
To configure a router to participate in IGRP routing within autonomous system 5 and advertise routing information about the 192.168.200.0 network, use:
conf t
router igrp 5
network 192.168.200.0...
Configure RIP version 2 routing
RIP routing is a distance-vector routing protocol which is simple to configure. The routing protocol determines the best path to a target by estimating the distance in number of hops or intermediate routers.
To configure RIP version 2 routing and to advertise the 192.168.200.0 network:
conf t
router rip
version 2
network 192.168.200.0
^Z...
Configure EIGRP routing on a Cisco router
EIGRP is an enhanced version of IGRP that supports variable-length subnet masks and several additional features.
EIGRP uses an autonomous system number parameter in the configuration just as IGRP does. This number is arbitrary but must be the same on all routers within the autonomous system.
To configure a router to participate in EIGRP routing within autonomous system 5 and advertise routing information about the 192.168.200.0 network, use:
conf t
router eigrp 5
network 192.168.200.0
^Z...
Protocol Discovery
Check and customize which protocols are running through your router with NBAR protocol discovery. This gives you packet count, byte count, 5-minute bit rate, and 5-minute maximum bit rate.
First you need to enable NBAR:
router>en
router#conf t
router(config)#int serial 0
router(config-if)#ip nbar protocol-discovery
To customize ports:
router(config)#ip nbar custom
To view:
router#sh ip nbar protocol-discovery...
Change configuration registry on older Cisco routers
I ran across an ancient 2500 series router today and had to go through a password recovery. The rommon version was earlier than any I'd seen before. The help functionality was very lean. Here's how to set the confreg for these geezers.
If the rommon help screen (type H to see it) says to type O to look at the configuration registry, you set it like this:
o/r 0x2142
I manually power cycled after this and had success. When you get things working again, I suggest backing away very slowly and cautiously...
Assign or configure IP addresses on Cisco routers
Every active interface on a Cisco router to be used with IP requires an IP address assigned to it. This short recipe describes how to set an interface's IP address.
Given an interface fastethernet1, the IP address 192.168.1.5 with the subnet mask 255.255.255.0 can be assigned to it using the following commands from privileged mode:
Router(config)#interface fastethernet1
Router(config-if)#ip address 192.168.1.5 255.255.255.0
Router(config-if)#no shut
The last command is important. It is an abbreviated form of "no shutdown." The default state of an interface is "shutdown" which makes the interface administratively down. If you plumb up an interface and it doesn't work, check to make sure it isn't administratively down first...
Configure a Cisco VWIC card
Cisco VWIC cards need configuration before their serial ports will appear in the interface list. Once the VWIC is configured, HDLC, frame relay, or ATM with an AIM processor can be configured.
The Cisco VWIC cards can be configured with different channel-groups to support different applications, such as voice and data, on the same physical circuit.
To configure the VWIC, connect to the router, enter the appropriate passwords, then:
Enter configuration mode:
configure terminal
Enter controller configuration mode:
controller t1 0/0
If configuring for ATM with AIM, the following line is needed to enable the AIM processor:
mode atm aim 0
Create the channel-groups:
channel-group 0 timeslots 1-24 speed 64
Now, messages should appear on the console about a new serial port. This port can now be configured for HDLC, frame relay, or ATM.
Switch to interface configuration mode:
interface serial 0/0:0
or
int atm0/0
Note that multiple channel-groups may be defined, but the number of timeslots must b...
Copy Cisco router config into flash to backup or replace hardware
When replacing a faulty router that is not completely dead, it may be possible to copy the startup configuration to the removable flash memory and swap the flash to get the new router up and configured in as short a time as possible. Without this procedure, it will be necessary to manually copy the old configuration to the new router. This simple command also provides a local backup copy of the router's config which can save hours of work when replacing a dead router.
To copy the startup-config to flash as a file called backupconfig, use the command:
copy startup-config flash:backupconfig
It will verify the destination filename (just press enter to continue). This must be done on the old router (I try to do it whenever I make a configuration change).
When moving the configuration to another router, physically move the flash memory, power on the router, and answer no to the system configuration prompt. Enter enable mode (no password should be required if this is an unconfigured route...
Increase or change Cisco router log size
Messages logged by a router can make troubleshooting problems substantially easier. However, the default log buffer size on most Cisco routers is 4096 bytes, which typically accommodates fewer than 60 messages. While this may help in many situations, adding some additional space can save the day when a router generates frequent error messages, as when an interface state cycles up and down. This recipe describes the simple configuration to increase the size of the router log.
To increase the router log size to 24000 bytes, use the following commands (from enable mode):
conf t
logging buffered 24000
To check the current log size, use this command:
show logging
...
Log Buffer (24000 bytes)
It should be noted that memory you dedicate to the log is memory the router cannot use for routing. Larger routers with lots of memory can typically make do with less available memory. Smaller routers with less memory to spare can experience problems if the log size is too big...
Configure ATM on a Cisco Router
ATM is growing in popularity as a wide-area network (WAN) medium. ATM offers small cell size and strict quality of service, allowing voice, video, and data to coexist.
First, terminology:
VPI - Virtual Path Identifier, 5 in this example
VCI - Virtual Circuit Identifier, 200 in this example
VC - Virtual Circuit
In this example, the ATM interface is atm0/0, and the IP addressing on the VC is 192.168.0.0/30.
Connect to the router, enter the appropriate passwords, then:
Enter configuration mode
configure terminal
Enter interface configuration:
interface atm0/0
Enable the interface:
no shutdown
Create the subinterface:
interface atm0/0.200 point-to-point
Configure the local IP address:
ip address 192.168.0.1 255.255.255.252
Configure the VC:
pvc 5/200
Configure the protocols on this VC:
protocol ip 192.168.0.2 broadcast
Configure the encapsulation:
encapsulation aal5snap
That's all!...