Don's Blog: Musings, Rants, and How-To Guides on Things IT

Email Notification of Event Viewer Events

noreply@blogger.com (Don R. Crawley) — Sat, 20 Jun 2009 12:46:00 +0000

In a recent onsite seminar about Windows Server and Group Policy, a student asked about ways to receive email notification of Event Viewer events. I found this article on Daniel Petri's website about how to do that: http://www.petri.co.il/forums/showthread.php?t=32283

My Top 10 Favorite Websites for I.T. People

noreply@blogger.com (Don R. Crawley) — Wed, 13 May 2009 13:42:00 +0000

Last month, I shared my top ten favorite tools for I.T. pros. This month, I'm sharing my top ten favorite websites for I.T. pros. This would have been a fairly easy list to compile, but then I decided to filter sites by six criteria as follows:

It had to be a site that provides information I need
It had to be a site that offers good stuff for free. It's okay if they charge for premium services, but there just had to be a lot of good stuff for fee. That eliminated sites like Experts-Exchange.
It had to be a site that is substantially about I.T. That eliminated sites like Wikipedia and Google.
It couldn't be a vendor site. As good as they are, I just didn't want to include Cisco, Microsoft, Sun, etc. on my list. Hey, it's my list; I get to choose!
It couldn't be a tools site such as Solar Winds. As helpful as those types of sites are, I wanted sites that were primarily about information.
It could be a site that I don't necessarily visit often, but one where I subscribe to their RSS feed such as Paul Thurott's WinSuperSite.

After I created the six criteria, I realized that there are really only about five sites I use regularly (other than vendor sites and, of course, Google and Wikipedia). So, here are my top five, plus five more sites that I don't use often but which are helpful.

The five that I use regularly:

http://www.techrepublic.com/ (General knowledge)
http://www.linuxquestions.org/ (Linux knowledge)
http://www.howtoforge.com/ (Linux configs)
http://www.rfc-editor.org/ (Look up RFCs)
http://www.winsupersite.com/ (Windows knowledge)

Five more that are definitely worth a look:

http://www.webopedia.com/ (General knowledge)
http://whatis.techtarget.com/ (General knowledge)
http://www.tomshardware.com/ (General knowledge)
http://www.computerperformance.co.uk/ (Windows scripting)
http://www.computerhope.com/ (General knowledge)

I'm sure you've got favorites of your own. Leave a comment and let me know what they are.

My Top 10 Favorite Tools

noreply@blogger.com (Don R. Crawley) — Thu, 09 Apr 2009 16:59:00 +0000

I've been building a new desktop computer for my office. (When I say "build", I'm speaking of installing an operating system and software.) As I've gone through the process, I've been thinking of all the tools I install and use. Lots of tech writers like to share their favorite tools list and I thought I'd do likewise. Here are my top ten, in alphabetical order:

HashTab: This very handy shell extension provides a great way to validate hashes for downloaded files. Download it at http://beeblebrox.org/

Inssider: This utility scans for wireless access points and displays MAC addresses, SSIDs, channels, signal strength, security, and speed. Download it at http://www.metageek.net/products/inssider

IrfanView: IrfanView is a must-have tool for viewing and performing basic manipulation of graphical images. It's a very fast, lightweight tool that allows you to crop and resize images and save them in different file formats. Get it at http://www.irfanview.com/

nmap: nmap is the king of port scanners. 'nuff said? Get it at http://nmap.org/

Notepad++: This is a replacement for Notepad on your Windows computer. I mentioned it last month. Get it for line numbering, if nothing else, but it offers a lot more than that. Download it at http://notepad-plus.sourceforge.net/

psTools: This is a suite of tools developed by Mark Russinovich of Sysinternals fame. They allow you to manipulate many aspects of remote Windows systems from the command line (subject, of course, to authentication). Unix/Linux admins especially will appreciate them. http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

PuTTY: PuTTY is the must-have terminal emulator for Windows. Anyone who administers network devices or servers from the command-line needs this. It can be downloaded as part of an installation package that includes key generation and management tools. http://www.chiark.greenend.org.uk/~sgtatham/putty/

Tftpd32: This is a lightweight, yet powerful TFTP server which also includes a DHCP server and a Syslog Server. http://tftpd32.jounin.net/

WinSCP: For transferring files securely between your laptop and your web server (You don't actually use FTP, do you???), this is a great piece of software. I love the drag-and-drop capability of the Explorer-like interface and the seemless support for public/private keypairs is great. http://winscp.net/

Wireshark: Formerly known as Ethereal, this is Gerald Combs masterpiece. If you're really serious about understanding what's happening on your network, you've already used Wireshark. If you're a newbie, Wireshark is one of the fastest and best ways to elevate yourself past the "newbie" stage. http://www.wireshark.org/

Five New Free Articles Available

noreply@blogger.com (Don R. Crawley) — Fri, 06 Feb 2009 23:06:00 +0000

We've created a new area on our website with free articles on various technical and workplace skills topics. You find the article you want and we'll send it to you for free. Many of the articles are lessons taken from our various workshops and seminars. The URL is www.soundtraining.net/free-docs.

I just uploaded the following articles:

Most Important Weblinks for I.T. Pros
Building a Site-to-Site VPN between Cisco Routers
vim Quick Reference Guide
Ten Ways to Delight Your User
Configuring SSH (Secure Shell) for Remote Login on a Cisco Router

I'm going to try to upload a significant number of articles regularly (subject, of course, to income-producing activities). Let me know what you think.

Thanks for your support

noreply@blogger.com (Don R. Crawley) — Thu, 29 Jan 2009 23:20:00 +0000

We're in a time of tremendous change right now. (Please forgive the understatement.) The reality is that, in good times and bad, there's always a need for quality products and services. You have my firm commitment to continue providing high quality learning solutions at fair prices, delivering great value. That's what we expect from our vendors and that's what you can expect from us.

We're Growing!

noreply@blogger.com (Don R. Crawley) — Thu, 29 Jan 2009 23:08:00 +0000

Please welcome a new addition to the soundtraining.net family. Jeff Martin joins us as National Accounts Manager. Jeff has been a trainer, content developer, and even a paramedic. He most recently was manager of content development at SkillPath Seminars. Jeff brings a wealth of experience in technical training (he has been certified as both MCSE and CCNA), content development, and customer relations. Jeff is responsible for developing onsite training opportunities nationwide. Jeff will be in the office starting this coming Monday and he'll be getting in touch with you over the next few weeks to introduce himself.

Week of Geek

noreply@blogger.com (Don R. Crawley) — Thu, 29 Jan 2009 22:29:00 +0000

Our onsite customers often ask us to customize the training for their particular needs. That makes sense, of course. You get focused training that targets your particular areas of interest and needs. Now, we've created a program to help you customize the training and we've even priced it to make a great value. We call it "Week of Geek". You select your choice of up to 30 modules from nearly 100 available and we deliver the training for your group of up to 14 over a period of five days. Each of the learners gets a customized workbook and you get a staff that's more knowledgeable and more motivated in just one week's time. You can find out more about "Week of Geek" here: www.soundtraining.net/weekofgeek. Please let me know what you think.

Blocking dictionary attacks against SSH

noreply@blogger.com (Don R. Crawley) — Sat, 24 Jan 2009 01:21:00 +0000

If you've ever looked at /etc/log/secure on your Internet-connected Linux box, you've probably been shocked at the number of logon attempts (hopefully failed attempts) from IP addresses you've never heard of. Of course, it's just some bad guy attempting a dictionary attack using common usernames and random passwords. One of the things you can do that's helpful is to use DenyHosts. It's a daemon that will create entries in /etc/hosts.deny after a pre-determined number of failed logon attempts. It's open source and available at www.denyhosts.net.

Windows 7 Beta

noreply@blogger.com (Don R. Crawley) — Wed, 21 Jan 2009 14:54:00 +0000

I'm not sure what got into me. I'm not usually interested in beta software for the sake of beta software. Maybe it's just the incredible amount of hype surrounding it, but I decided to install the beta of Windows 7 on my desktop system. (My laptop is my main computer...my desktop system is for testing, but it's usually some version of Linux that I'm playing with or maybe an application.) Anyway, I went ahead and installed Windows 7 on it. It's nothing special...3.40GHz P4 with 2GB of RAM and a 160GB hard drive. Cool eye candy, but that's expected on any modern O.S. What surprised me was how quickly pages load in I.E. 8. Admittedly, I just finished the installation, so there hasn't been time for any browser bloat to creep in, but still, it's noticeably faster. I'll add more comments as I run it for a while.

Understanding Linux (System V) Run Levels

noreply@blogger.com (Don R. Crawley) — Mon, 22 Dec 2008 16:50:00 +0000

On Linux systems, the run level controls what starts or stops at boot time. Run level directories contain links to scripts that start and stop daemons (services). Run level 0 shuts everything down. Run level 6 is used when a restart is requested. Run level 1 is typically used for emergency repairs such as adminsitrative (root) password recovery. Other run levels (usually 2, 3 , 4, and 5) can be configured to start and stop daemons based on your particular needs. It's pretty common to only use one of the run levels other than 0, 1, and 6.

The number of run levels varies from distro to distro, as do the default settings in each run level. What follows is an example of the default configurations for run levels in a system running a Red Hat-based distribution:

runlevel0: Shut down the system. Do not set the inittab value to runlevel0.
runlevel1: Single-user mode
runlevel2: Multi-user mode, but no NFS support
runlevel3: Multi-user mode without “X” (the most commonly used run level and usually the best choice for servers)
runlevel4: Not used
runlevel5: Full multi-user mode with X11 (graphics support) (Good for end-user workstations, but not recommended for servers.)
runlevel6: Reboot (Do not set the inittab value to runlevel6.)

A Debian-based system also has seven run-levels. Run levels 0, 1, and 6 are the same as in a Red Hat-based system. Run levels two through five are identical, but can be configured in whatever way you desire. The default configuration boots the system into run level two which is configured as full multi-user mode with graphics (X windows).

You can view the current run level with this command:
#runlevel

The display will indicate the current and previous run level, separated by a space.

You can change the current run level with this command:
#init [desired run level] or #telinit [desired run level]

Controlling Run Levels

Change the default run level by modifying /etc/inittab. Look for a line near the top of the file similar to this:

id:3:initdefault:

The number in the line is the default run level. You can modify it with your favorite text editor to whatever value you want, obviously avoiding 0, 1, and 6.

Control daemons (services) at boot time by modifying scripts within “rc” directories.

In Red Hat Linux, they’re in the /etc/rc.d directory
In SuSE Linux, they’re in /etc/init.d/rc
In Debian Linux, they’re in /etc

There is an “rc” directory that corresponds to each run level. For example, rc3.d corresponds to run level 3. Look for the corresponding directory to the run level you wish to modify. Within that directory, you’ll find links to scripts for each of the services on the system. Each link name includes an “S” or a “K”. Those whose names start with “S” start indicated daemons with the directory’s run level. Those whose names start with “K” kill daemons within the directory’s run level. (Scripts in an rc directory are executed in alphabetical, then numerical order.)

You’ll also notice scripts in /etc/rc.d called rc, rc.local, and rc.sysinit. The rc script is responsible for starting and stopping services when runlevels change, rc.sysinit runs once at boot time before all other rc scripts, and rc.local runs after all the other init scripts. You can put your own initialization scripts in rc.local instead of working through the System V runlevels.

Verifying hashes

noreply@blogger.com (Don R. Crawley) — Thu, 13 Nov 2008 17:51:00 +0000

This is another one of the things that falls under the category of "What took me so long?". When you download files from the Internet, most sites will provide a hash of some sort, often MD5, which you can use to check the validity of the file you downloaded. You probably know it's a way of ensuring the bad guys didn't mess with the file in some way. I've always wanted a simple way of verifying the files without having to go to the command line and, thanks to www.joomla.org, I've found it. It's a Windows Explorer extension that adds a tab to file properties windows. The tab displays the hashes associated with a file. There's a field where you can paste in the hash from the website where you downloaded the file and the extension compares the two. Very quick and extremely easy. It's called HashTab Shell extension and you can download it for free at http://beeblebrox.org/hashtab/. Be sure to pay VERY close attention to the license agreement. :)

Understanding the Basics of Ethernet

noreply@blogger.com (Don R. Crawley) — Sat, 06 Sep 2008 15:07:00 +0000

Ethernet was developed at Xerox's Palo Alto Research Center (PARC) by Robert Metcalfe and David Boggs with Chuck Thacker and Butler Lampson in the early 1970s. Xerox filed a patent application for Ethernet in 1975. Today, Ethernet is based on IEEE standard 802.3 (Institute of Electrical and Electronic Engineers). Metcalfe left Xerox in 1979 and founded 3Com to promote local area networks and personal computers. He persuaded Digital Equipment Corporation (DEC) and Intel to work together with Xerox to promote the DIX (Digital/Intel/Xerox) Ethernet standard. Ethernet is named for the invisible, massless substance that 19th century scientists believed filled the universe. Ethernet was originally based on the same rules as those for polite conversation. Each computer wanting to transmit data waits until there's a lull in network traffic before attempting to transmit its data. That technology was called CSMA/CD for Carrier Sense Multiple Access Collision Detection and used coaxial cables as a transmission medium. Today, Ethernet uses full duplex transmission over unshielded twisted pair copper cables or fiber optic cables with a system of hubs and/or switches.

Ethernet operates at layer two of the OSI reference model. Layer two, also known as the Data Link Layer, is subdivided into the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. Ethernet nodes use a globally-unique 48-bit address called the MAC address to communicate within a network. Datagrams at layer two are called frames. The frame structure used by modern Ethernet is the same as that used by earlier coaxial-cabled Ethernet networks, thus providing a level of backwards compatibility.The original Ethernet operated at a speed of three megabits per second. Today, typical transmission rates for Ethernet are 10 Mbps, 100 Mbps, and 1000 Mbps (Gigabit Ethernet). 10,000 Mbps (10 Gigabit Ethernet) is now starting to emerge. Faster data rates are always under development.

Ethernet Cable Standards

10-Base-2, also known as thinnet, uses coaxial cable, is limited to 10 Mbps, and a maximum segment length of 185 meters. 10-Base 2 is falling into disuse due to the lower cost and greater simplicity associated with UTP (unshielded twisted pair) cabling.
10-Base-5, also known as thicknet, uses coaxial cable, is limited to 10 Mbps, and a maximum segment length of 500 meters. 10-Base-5 is rarely seen anymore.
10-Base-T uses unshielded twisted pair (UTP) cable over a maximum of 100 meters (328 feet) at a data rate of 10 Mbps. 10-Base-T uses only two of the four wire pairs in the cable.
10-Base-FL uses fiber optic lines up to 2000 meters with a maximum data rate of 10 Mbps.
100-Base-TX uses UTP cable over a maximum segment length of 100 meters with a maximum data rate of 100 Mbps. 100-Base-TX also uses only two of the four wire pairs in the cable.
100-Base-FX uses fiber optic cable over a maximum segment length of 2000 meters with a maximum data rate of 100 Mbps.
1000-Base-FX uses fiber optic cable over a maximum segment length of 2000 meters with a maximum data rate of 1000 Mbps (one gigabit per second).
1000-Base-TX uses UTP cable cable over a maximum segment length of 100 meters with a maximum data rate of 1000 Mbps (one gigabit per second). Unlike 100-Base-TX, 1000-Base-TX uses all four wire pairs in the cable.

Copper Cable Categories

Although there are a total of nine categories of unshielded twisted pair (UTP) copper cable, there are really only three that you're likely to encounter in your local area network. The others are either obsolete or designed for use in backbone networks. The three categories are:

Category 5e: Provides performance of up to 100 MHz, and is frequently used for both 100 Mbit/s and Gigabit Ethernet networks.
Category 6: Provides performance of up to 250 MHz, more than double category 5 and 5e.
Category 6a: Provides performance of up to 500 MHz, double that of category 6 and is even suitable for 10 Gigabit Ethernet networks.

What should you use in your network?

Build your networks with the fastest cable you can afford. Your bandwidth demands will increase over time and retro-fitting your cable plant is disruptive, time-consuming, and expensive.

Email, RFCs, and the Growth of Knowledge

noreply@blogger.com (Don R. Crawley) — Wed, 09 Jul 2008 13:22:00 +0000

When I first started technical training, I was intimidated by the sheer volume of knowledge in the field of Information Technology. I remember thinking, "How can I possibly stay ahead of the students in my seminars?". I began to realize that it's not a matter of staying ahead of the students, but instead an issue of providing information in a particular area or areas that the student didn't already have. That said, I'm still amazed when I run across a new bit of information that I think I should have already known about. That just happened with RFC 2142: Mailbox Names for Common Services, Roles, and Functions. An email I sent was rejected by rfc-ignorant.org, an organization that was new to me. They provide a blacklist of domains that are non-RFC compliant. It appears that they're mainly concerned with RFC 2142 compliance. RFC 2142, as its name implies, specifies standard email names for common services, roles, and functions within an organization. Specifically, it wants you to have a postmaster@(your domain name) and an abuse@(your domain name) mailbox. (It recommends other names as well, but those two appear to be the ones that rfc-ignorant.org wants to see in your domain.) We actually do have those names now, but when our system was originally set up, the mail administrator (no longer with us) didn't include those names. We'd been blacklisted for some time. It's a simple process to get removed. Just send an email to the admin and rfc-ignorant.org indicating that you've created the appropriate mailboxes, they'll send emails to the addresses in question, you click in a link in the emails and you're done. As a network administrator and an I.T. trainer, I'm always a little concerned about what else there is that I don't know.

TinyMCE Editor Width in Joomla

noreply@blogger.com (Don R. Crawley) — Sat, 28 Jun 2008 16:55:00 +0000

Wow, I can't believe it's been so long since I wrote anything here. I've been incredibly busy with some really interesting stuff. One of the things I'm working on is a redesign of the soundtraining.net website. It's going to be based on Joomla 1.5. If you have anything to do with website design and you're not familiar with Joomla, you need to get to know it. The website is www.joomla.org. It's an incredibly powerful content management system and it's going to allow us to offer you some really cool stuff on our website. But that's not what I wanted to write about. One of the challenges I've been dealing with is the width of the TinyMCE text editor. Problem is that it has been intruding into the right column and I couldn't figure out how to change it. Turns out the issue was with the toolbar not wrapping. I found this hack which seems to be working. In template.css, I added the following code at the end of the file:

.mceToolbarTop * {
float:left;
}

.mceToolbarTop select {
width:auto!important;
}

.mceToolbarTop option {
float:none;
}

Like I said, so far it seems to be working and I thought maybe some other people could use that info. I found the hack on a Drupal site, but it looks like it works just fine in Joomla. Check back in a few weeks and see if I'm still enthusiastic about it!

How to Create and Manage Cisco ASA and PIX Access-Control Lists

noreply@blogger.com (Don R. Crawley) — Thu, 01 May 2008 04:16:00 +0000

Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs are based on various criteria including protocol type source IP address, destination IP address, source port number, and/or destination port number. ACLs can be used to filter traffic for various purposes including security, monitoring, route selection, and network address translation.

ACLs are comprised of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL. ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted mask used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be an extended list.

The syntax of an ACE is relatively straight-forward:

asa(config)#access-list name [line number] [extended] {permit deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable default] [level]] [interval seconds]] [time-range name] [inactive]

Here's an example:

asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443. Notice in the output of the show access-list that line numbers are displayed and the extended parameter is also included, even though neither was included in the configuration statements.

You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.

As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.

Editing ACLs and ACEs

New ACEs are appended to the end of the ACL. If you want, however, to insert the new ACE at a particular location within the ACL, you can add the line number parameter to the ACE:

asa(config)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www
asa(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

Notice in the first line of the example above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is added in the first position in the ACL and the former first entry becomes line number two.

You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:

asa04(config)#no access-list demo1 deny tcp host 10.10.2 any eq www

In my next post, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.

We're heading to California with Cisco training

noreply@blogger.com (Don R. Crawley) — Wed, 23 Apr 2008 19:26:00 +0000

We've just added California dates for our Cisco Router Training and Cisco ASA Training seminars.

Here are the Cisco router training dates for California:

Sacramento: July 22/23
San Francisco: July 24/25
Los Angeles (Buena Park/Anaheim area): September 15/16
Los Angeles (LAX area): September 17/18

Here are the Cisco ASA training dates for California:

Sacramento: August 25/26
San Francisco: August 27/28
Los Angeles (Buena Park/Anaheim area): October 14/15
Los Angeles (LAX area): October 16/17

Registration is now open at www.soundtraining.net.

See you in class in California!

A Free SCP Utility

noreply@blogger.com (Don R. Crawley) — Sat, 19 Apr 2008 04:49:00 +0000

I just ran across a very cool, open-source SCP/SFTP utility called WinSCP. I have a business hosting account with 1and1 which includes SSH access. This utility allows me to configure my SSH credentials and then use a Windows Explorer or Norton Commander style of interface to move files back and forth. Very cool. Had to share it with you. Download it here. Let me know what you think.

Eight Basic Commands to Configure a Cisco ASA Security Appliance

noreply@blogger.com (Don R. Crawley) — Wed, 16 Apr 2008 14:40:00 +0000

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:

**interface**

The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces.

**nameif**

The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

**security-level**

Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100.In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

**ip address**

The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise, it's not necessary.In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

**switchport access**

The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.

ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

**nat**

The nat command enables network address translation on the specified interface for the specified subnet.In this sample, configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT I.D. which will be used by the global command to associate a global address or pool with the inside addresses. (Note: NAT 0 is used to prevent the specified group of addresses from being translated.)

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

**global**

The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world.In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface.

ciscoasa(config)# global (outside) 1 12.3.4.5

In this additional example of the use of the "global" command, the interface statement tells the firewall that hosts associated with NAT I.D. 1 will use the DHCP-assigned global address on the outside interface.

ciscoasa(config)# global (outside) 1 interface

**route**

The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets.In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.

ciscoasa(config-if)# route outside 0 0 12.3.4.6

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts. Obviously, if you're using a device such as an ASA or a PIX, you'll probably be doing a lot more with it than simply setting up a basic firewall, but the above commands will provide a foundation for the more complex configurations.

Configure NAT Using Port Address Translation in 4 Steps on a Cisco Router

noreply@blogger.com (Don R. Crawley) — Tue, 04 Mar 2008 03:02:00 +0000

Network Address Translation, better known simply as NAT, allows an outside address to represent a single or many inside addresses. There are several forms of NAT, but one of the most common is called NAT overloading, Port Address Translation, or simply PAT. PAT provides a many-to-one mapping with many inside private addresses mapped to one outside public address. We often see PAT used in home firewalls and routers to allow several home computers and perhaps a gaming console to use private addresses such as 192.168.1.1-100 and share a single registered public address on the Internet. The process is made possible by appending different port numbers to the source and destination addresses to create a unique connection. Given that there are more than 65,000 port numbers, you'll likely run out of bandwidth or system resources long before running out of translation slots!

Here are the four steps to configuring Port Address Translation (Note: Each step starts in configuration mode ("config t".):
1.ﾠ Configure nat on your inside interface:
ﾠﾠﾠﾠ int e0/0
ﾠﾠﾠﾠ ip nat inside
2.ﾠ Configure nat on your outside interface:
ﾠﾠﾠﾠ int e0/1
ﾠﾠﾠﾠ ip nat outside
3.ﾠ Configure an access control list to allow the inside traffic to use NAT:
ﾠﾠﾠ access-list 101 permit ip any any
4.ﾠ Enable NAT overloading (PAT) on the outside interface:
ﾠﾠﾠ ip nat inside source list 101 interface e0/1 overload

In this example, the "ip nat inside" and "ip nat outside" statements are used to tell the router which interface is considered inside and which interface is considered outside for the purpose of NAT. Interface Ethernet 0/0 is inside and Interface Ethernet 0/1 is outside. Your interfaces will probably different, for example your router might have f0/0 or gigabit 0/1.

The access control list statement tells the router to permit all IP traffic to flow from any source to any destination. The number (101) is simply an ID that must match the number used in the "ip nat" statement. (Note that, in this case, the number must fall between 100 and 199 inclusive.)

The "ip nat insisde source list" statement tells the router which access control list to use to know the traffic to permit (access-list 101), the interface on which NAT will be performed (interface ethernet 0/1) and the form of NAT to perform (overload).

This configuration will allow any host on the inside subnet to share the outside interface for the purpose of going on the Internet. There is no restriction as to the type of traffic, nor are there any restricted hosts. Obviously, this configuration would only be acceptable in a small office or home type of network. Even then, you might want to limit hosts' access to the Internet by creating a more restrictive access control list.

Remotely manage Windows systems from the command line

noreply@blogger.com (Don R. Crawley) — Thu, 28 Feb 2008 16:06:00 +0000

It seems like nearly every operating system has a lot of hidden tools; little gems that, if you know about them, make your life a lot easier by solving problems or helping your work more efficiently. Anyone who has attended one of my seminars knows I'm all about centralizing system management and working as efficiently as possible. In this blog post, I'm going to show you a group of Windows tools that do just that.

You're probably aware of Mark Russinovich's work in creating great tools to help manage Windows systems. You may not be aware, however, of his PsTools suite. This collection of command-line tools allows you to perform many functions on remote systems from your command line. They're lightweight, they're very easy to install on your system, they don't require any installation on the remote system, and they work very well. Here's a list of the tools and what they do (taken from the PsTools webpage):

PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsInfo - list information about a system
PsKill - kill processes by name or process ID
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes

The name "Ps" comes from the UNIX/Linux "ps" command that lists running processes.

This collection of tools falls under the heading of, "What took me so long to find these?" Download them here.

I'll bet you find them helpful!

We're bringing accelerated Cisco training to Denver and Phoenix

noreply@blogger.com (Don R. Crawley) — Wed, 27 Feb 2008 01:07:00 +0000

We just added new dates for our Cisco router fundamentals seminar and our Cisco ASA security appliance seminar for Denver and Phoenix in June. I'm excited about bringing our unique accelerated training format to new cities and hope to see you in one of our seminars soon. Registration is now open. Details online, of course.

We just added new Cisco training dates in Portland, Oregon

noreply@blogger.com (Don R. Crawley) — Wed, 20 Feb 2008 05:16:00 +0000

We just added two new dates for Cisco training in Portland, Oregon. We're presenting our Cisco Router Training: 2-Day Hands-On Fundamentals Workshop on May 8 and 9 and our two-day Cisco ASA / PIX Firewall Training: Installing, Configuring, Optimizing, and Troubleshooting on May 15 and 16. Registration is now available online. We're also working on bringing these two seminars to Denver and Phoenix. We should have details worked out in about two weeks. Check back here or sign up for my free newsletter and I'll be sure to let you know.

The Acronym Addict's Guide to PPTP VPNs Using Static NAT on a Cisco Router

noreply@blogger.com (Don R. Crawley) — Mon, 18 Feb 2008 15:07:00 +0000

Acronmyn addicts are bound to love this one. You really can't talk about Virtual Private Networks (VPN) without opening a can of alphabet soup.

Recently, a student at one of our seminars asked about port forwarding on a router. She wanted to allow PPTP clients to connect from the outside to a VPN server on the inside. In this article, I’ll explain how to do it along with a quick look at using static NAT to forward packets to a web server.

Port Forwarding on a Cisco Router

Sometimes we have internal resources that need to be Internet-accessible such as Web servers, mail servers, or VPN servers. Generally, I recommend isolating those resources in a DMZ to protect your office LAN from the bad guys, but regardless of how you choose to design it, the process involves forwarding desired packets from the router’s outside interface to an internal host. It’s really a fairly simple process. Here’s the configuration on a Cisco 2611 router:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any

In the above configuration, Ethernet 0/1 is connected to the public Internet with a static address of 12.1.2.3 and Ethernet 0/0 is connected to the inside network with a static address of 192.168.101.1. NAT outside is configured on E0/1 and NAT inside is configured on E0/0. Access-list 101 works in conjunction with the “ip nat inside source list 101 interface Ethernet0/1 overload” statement to permit all inside hosts to use E0/1 to connect to the Internet sharing whatever IP address is assigned to interface Ethernet E0/1.

The “overload” statement implements PAT (Port Address Translation) which makes that possible. (PAT allows multiple internal hosts to share single address on an external interface by appending different port numbers to each connection.)

The statement “ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723” takes incoming port 1723 (PPTP) requests on Ethernet0/1 and forwards them to the VPN server located at 192.168.101.2.

You could do something similar with a Web server by changing port 1723 to port 80 or port 443. Here’s what that would look like:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any

In this example, the web server is located at 192.168.101.2 and instead of forwarding PPTP (port 1723) traffic, we’re forwarding HTTP (port 80) traffic.

Obviously, you can configure your Cisco router in a similar manner to forward nearly any type of traffic from an outside interface to an internal host.

Virtualizing Cisco routers

noreply@blogger.com (Don R. Crawley) — Wed, 06 Feb 2008 15:32:00 +0000

For years, I've wanted a tool that would do for routers what VMWare does for computers. Sure, there are some really great simulators available such as the Sybex CCNA Virtual Lab (which I used to renew my CCNA), but a simulator is not the same as a router. A simulator is a great learning tool because of its structured labs, but it doesn't support the entire IOS command set and it doesn't allow you to connect to real or virtual PCs and networks.
Recently, I ran across Dynamips and Dynagen. These two open-source tools work together to allow you to virtualize routers in much the same way that VMWare, VirtualPC, and similar tools allow you to virtualize computers. Dynamips is the backend that does the actual emulation and Dynagen is the front-end that provides easy-to-use management tools for Dynamips. There is a GUI called GNS3, but I tend to prefer command-line configuration of Cisco devices. Windows users can download a complete package that includes Dynamips, Dynagen, WinPCap, sample labs, and a tutorial. Linux/UNIX users have several download options as well. Support is provided through tutorials and a forum. The tutorial is excellent and reasonably easy to follow. When running under Windows, WinPCap allows you to integrate the virtual router with physical networks and devices. I actually used my virtual router to perform classroom demos today in our Cisco router seminar while fully integrating with the classroom network.
There are some limitations: By default, the tool uses 100% of your CPU, but a configuration guide explains how to avoid that. The tool also seems to exhibit some instability when changing interface parameters, but that could be a result of my newness with it. It doesn't support the entire line of Cisco routers; just 7200s, 3700s, 3600s, and 2600s. Some documentation suggests that it also supports 1700s. I have also read forum postings by people who use it with PIX software images (One more thing to try!). You do have to provide your own IOS software image. All-in-all, I'm quite impressed with it...so much so that I wanted to share this information with you right away. Hope you find it helpful.

Delighting Your Users: Providing Responsive Customer Service

noreply@blogger.com (Don R. Crawley) — Wed, 30 Jan 2008 17:38:00 +0000

This is from an article I wrote that was published in the Nov/Dec 2007 issue of HDI Support World. I hope you enjoy it. (You can download a PDF of it here.)

Users tell us that it’s important for us to be responsive. How do you get your users to say you’re responsive to their needs?

This is about your willingness to respond to customer needs by answering their phone or e-mail requests quickly, and your willingness to do what it takes to respond effectively to a service request. Responsiveness is adopting a can-do attitude, and a willingness to go the extra mile for the customer. Recent research studies support the theory that soft skills (such as listening, empathy, courtesy, and creating rapport) are more important than technical skills in the career advancement of any employee. This is especially true in the support industry, where most managers have realized that they must hire people who have a good attitude or approachto serving customers plus an aptitude for technical knowledge, and that the rest can be taught.A positive attitude is the first step in building good soft skills.

You have control over your attitude. Just like you can choose what clothes to wear in the morning, you can also choose what attitude to assume every day. You can choose to see the glass as half-full, or half-empty. Your approach, or attitude, toward life is a self-fulfilling prophecy. If your attitude is “Everyone has something to offer me!” then you will interpret everything that happens to you as an interesting journey. On the other hand, if you approach your job and your life in a less than positive way, every bump in the road will seem like a huge obstacle. How do you answer your phone? Do you answer it promptly? Can the caller understand you or do you rush through your greeting? Are you pleasant and does your tone of voice convey a positive start to the call? How do you answer e-mails? Do you reply promptly? Do you convey in your e-mail responses that you really want to help your user? Do you understand the meaning of all the words you use? For those of you who provide support in a second language, make sure you’re using the user’slanguage correctly. Ask someone who speaks it natively to review your e-mail responses and give you feedback.

Look in the mirror. Often, the solution to our problems lies within ourselves. Several months ago, I faced some of the usual challenges of life on the road. Things usually go very well for me and on those rare occasions when things “hiccup,” they’re usually minor. This particular week, however, I dealt with a major problem that had the potential to cause a major disruption in my business. Now, as I look back on what happened, I’m beginning to see the entire situation with new clarity. I made several mistakes.

The first mistake was in making assumptions about what a vendor would do. I could have spent more time at their Web site and learned more about their policies and procedures. Instead, I spent a brief time skimming over their services and made assumptions about how to order a particular service and whether it was the right service for me.

The second mistake I made was in not contacting this vendor earlier to discuss how best to use their services (and whether they were even the right vendor for this job).

The third mistake I made was in trying to deal with this vendor while I was hurrying to catch a train. In otherwords, I was in a state of stress which undoubtedly came through in my voice (even though I don’t think I was rude, demanding, or abusive). As I dealt with this vendor in trying to resolve several problems, I received brusk (almost rude) customer service. I don’t believe there is ever a reason to treat any customer in a manner that is anything other than cheerful, pleasant, respectful, and empathetic, but I wonder if there were subtle messages that I was sending that caused me to receive less than exemplary customer service.

As I look back at my experiences with other people, I also need to look in the mirror. Am I doing everything I can to have a positive effect on everyone I meet? Have I gone out of my way to touch people in a positive way? When the world doesn’t go my way, do I take a moment to stop and regroup or do I complain to everyone around me so they can feel bad, too? I know I can’t control other people, but I certainly can control how I appear when they look in my direction.

So, what are the lessons I learned and how do they relate to you as a tech support pro?

Lesson one

Start early. When you have plenty of time, you’re more relaxed and things just seem to go better. Arrive at your desk early. Give yourself fifteen or twenty minutes before your shift starts to gather your thoughts and organize your workspace. Then later, when the day starts to get frantic, you’ll find you’re more in control of things.

Lesson two

Do enough research. As a tech support person, do you subscribe to news feeds and blogs about the products you support? Do you spend time each day reading articles and books related to the products you support? Have you set up a virtual lab using VMWare, VirtualPC, or Xen so you can experiment and test your solutions before you offer them to your users? Knowledge is power and the more knowledge you have, the more you’ll be empowered to delight your users with relevant, accurate solutions.

Lesson three

Focus on the task at hand instead of multi-tasking (Millennials really can multi-task, but GenXers, Boomers, and Veterans really can’t). This means, when your user calls needing help, you focus exclusively on them and nothing else. (And, for you Gen Y’ers, Iknow you really can multi-task, but don’t let your users know you’re doing it while you’re talking to them!)

Lesson four

When the world is crashing around you, before you do anything else, look in the mirror. Maybe you can’t control the rest of the world, but you are in complete control over how you view the world and what’s happening in it. As a support professional, take a moment to ask yourself the following questions:

Do I put myself in the user’s shoes?
Do I take ownership of a problem and see it through to completion?
Am I willing to help both users and co-workers?
Do I consciously assume a positive outlook with my users and co-workers?
Am I respectful and courteous to the user?
Do I treat everyone with respect and courtesy?
Do I speak and conduct myself confidently with users?

If you answered yes to at least five, you are on the right track to creating a positive position from which to serve your users for the best results. If you answered yes to fewer than five, your attitude might be keeping you from doing your best to create the proper environment for success in your job.

Your users’ perception of your responsiveness starts with their perception of you. Your attitude, your demeanor, your tone-of-voice, and the words you choose all play a part in how you are perceived. You have it within your power to create users who perceive you to be responsive to their needs; to care about them as people first and co-workers second.