Posted by The Blogging Desk on Mon, Mar 14, 2011

- by Chad, "The Dream", Weaver
It’s time once again for some simple Cisco tips. So you have that nice shiny router and/or switch running an up-to-date version of the software, and you have it all configured, but you shouldn’t stop there. How about some basic security for the device itself, and some logging? Why logging, you ask? Well, if something happens, how will you know what it was if there are no logs to look at - by guessing? There are very complicated ways to secure your device, but here the only two items I will touch on are limiting access to the terminal through an access-list and switching over to SSH for a little encryption action. This article assumes that you have a syslog server fired up somewhere and have taken care of that configuration. If you are looking for a decent syslog server, the folks over at Solarwinds have the good old Kiwi syslog server; take a look if you need one.
First, let’s get logging to the syslog server working. You need to tell the device where to send messages. From configure mode, enter this command to get things started.
Router(config)#logging X.X.X.X
You can also adjust what types of messages are sent to the syslog server by setting the following command.
Router(config)#logging trap 1-7
Where 1-7 is the level of logging you wish to see, with 1 being the lowest and 7 being probably more than you would ever need. From here it is a really good idea to turn on configuration change logging; this records every change that is made to the configuration. This is a good idea for any device; it keeps you from being in the dark about what another admin changed, and if you know which commands were entered, it gives you a good idea of how to undo them. We use a feature called archive logging for this.
Router(config)#archive
Router(config-archive)#log config
Router(config-archive-log-cfg)#logging enable
Router(config-archive-log-cfg)#hidekeys
Router(config-archive-log-cfg)#notify syslog
What that gives you is a syslog message for every command that is run on the device, and if you are using authentication, whether local usernames and passwords or RADIUS, you will see the name of the admin who entered the command. You should be using usernames and passwords anyway; it keeps who did what clearly defined for auditing purposes. There are just a few other commands you should consider to get started.
Router(config)#login on-success log
Router(config)#login on-failure log
This will tell you, via your syslog, about every attempt to log in to the device by any means; always great information to have.
Next, let’s protect that terminal by setting up SSH and turning off telnet. SSH is much more secure because it encrypts management traffic, preventing it from being sniffed on the network, unlike telnet, which is plain text. We do need to turn it on, though; it is not configured by default. Most importantly, you need an IOS image that supports crypto functions, so double check that. Then you need to define a domain name for the device with the ip domain-name command. Once you have done that, you need to generate your RSA keys. The command for that is crypto key generate rsa; you will be asked for a number from 512 to 2048, which is the size of the key modulus. It can be smaller, but in this case bigger is better, or at least stronger. The moment you create your RSA key, your SSH server is turned on. From here, make sure to set it to version 2 for extra security with ip ssh version 2. Now all that is left is to configure your vty lines to accept only SSH, and there you are. You can also apply your access list here to limit access to the addresses in that list, preventing general access to the terminal.
Router(config)#line vty 0 15
Router(config-line)#transport input ssh
Router(config-line)#access-class (access-list name or number here) in
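As an added example (not from the original post), here is a small Python review of the syslog messages the commands above produce. The %SEC_LOGIN and %PARSER-5-CFGLOG_LOGGEDCMD message formats and the sample lines are constructed from memory of IOS output, not taken from the post. It flags repeated failed logins from one source, successful logins that still arrived over telnet (local port 23) even though the vty lines should accept only SSH, and configuration changes that weaken the logging itself.

```python
import re
from collections import Counter

# Constructed sample of what 'login on-failure log', 'login on-success log' and
# 'archive log config ... notify syslog' send to the syslog server. The IOS
# %SEC_LOGIN and %PARSER-5-CFGLOG_LOGGEDCMD formats are assumed from memory.
SAMPLE_LOG = """\
Mar 14 10:01:02 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: chad] [Source: 10.1.1.5] [localport: 22] at 10:01:02 EST Mon Mar 14 2011
Mar 14 10:02:10 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:chad  logged command:logging trap 6
Mar 14 10:05:00 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 10:05:00 EST Mon Mar 14 2011
Mar 14 10:05:03 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 10:05:03 EST Mon Mar 14 2011
Mar 14 10:05:07 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 10:05:07 EST Mon Mar 14 2011
Mar 14 10:09:40 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.1.1.9] [localport: 23] at 10:09:40 EST Mon Mar 14 2011
Mar 14 10:10:15 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no login on-failure log
"""

LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED):.*?"
                      r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]")
CFG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)")
# Config commands that switch off or weaken the audit trail the post sets up.
AUDIT_CMDS = ("no logging", "no login on-", "no archive", "no log config", "no notify syslog")

def review(log_text, fail_threshold=3):
    """Return findings from one syslog extract: likely password guessing, logins
    that still came in over telnet, every logged config change, and changes that
    tamper with logging itself."""
    failures = Counter()
    findings = {"brute_force": [], "telnet_logins": [], "changes": [], "audit_tampering": []}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            if m["result"] == "FAILED":
                failures[m["src"]] += 1
            elif m["port"] == "23":   # success over telnet: 'transport input ssh' not in effect
                findings["telnet_logins"].append((m["user"], m["src"]))
            continue
        m = CFG_RE.search(line)
        if m:
            change = (m["user"], m["cmd"].strip())
            findings["changes"].append(change)
            if change[1].startswith(AUDIT_CMDS):
                findings["audit_tampering"].append(change)
    findings["brute_force"] = [(src, n) for src, n in failures.items() if n >= fail_threshold]
    return findings

if __name__ == "__main__":
    for key, items in review(SAMPLE_LOG).items():
        print(key, items)
```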
There you have it: a couple of simple ways to secure a Cisco device and log changes to it. Don't sweat the big stuff, let Trigon help you out!

Posted by The blogging Desk on Mon, Nov 08, 2010

- by Chad, "The Machine", Weaver
Alright, I think I have had enough time to wrap my head around the changes to the ASA code in the newest release to share with you some of the massive changes. The newest release is any code version 8.3 and higher. I’ve been configuring ASA and PIX firewalls and Cisco routers, so it took me a little bit of time to get the differences in structure between the ASA and PIX vs. routers.
I had a great grasp on the concepts thanks to my time invested in those routers. When you work for a top notch IT Support company serving the Philadelphia area, these things come in handy. But in this new release there is a curve ball when it comes to NAT. These changes are going to make the transition a little tough, but I think as everyone gets used to this new way of doing things it will be second nature again very soon. Plus, I want to provide a few examples of the old way vs. the new way to get you started. One last thing before I jump in to some examples: if you’re planning on upgrading from 8.2 or below to 8.3, be advised there is a greater memory requirement that some ASAs sold previously will need to be upgraded to meet.
I want to give a quick explanation of the new way of doing things before we jump in to some details and basic examples. The way we configure NAT now involves creating network objects (object network) to define the real addresses, and using the nat keyword within that object to create the translation. This is done directly in the network object configuration rather than in the global configuration, as was the previous way.
Examples:
For the first example I want to go over the standard NAT for your inside addresses to a single public address, or a dynamic PAT.
The old commands looked something like this.
hostname(config)# global (outside) 1 1.1.1.1
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
This would translate the inside addresses of 192.168.1.0/24 to 1.1.1.1.
New commands:
hostname(config)# object network Inside-nat-object
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 1.1.1.1
These commands produce the same result, but as you can see, where the configuration for “nat” is made is quite different from 8.2.
Let’s not forget an example of interface overload, or dynamic PAT using the outside interface.
hostname(config)# object network Inside-nat-object
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
Same basic idea here: define what you are translating, then define how to translate it with the nat keyword.
Next let’s take a look at a couple of static NAT and PAT commands for different uses, and that should cover most basic configuration needs to get you started. I may do a follow up post with a much more in-depth look at some of the more advanced configurations.
Example:
To map a single host IP to an external IP through a static NAT used to look like this.
hostname(config)# static (inside,outside) 192.168.1.2 1.1.1.2 netmask 255.255.255.255
New:
hostname(config)# object network my-first-NAT
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 1.1.1.2
To expand on this idea, if we want to translate a specific service, HTTP (TCP port 80) for this example, it would look like the following.
hostname(config)# object network my-first-webnat
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 1.1.1.2 service tcp 80 80
These examples can get you going in the right direction.
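As an added example (not Cisco's code and not the post author's), the following Python rewrites the pre-8.3 NAT forms shown above into 8.3 object NAT, so you can see the old-to-new mapping applied mechanically. The object names it generates are our own choice, the pre-8.3 static PAT line (static ... tcp mapped_ip mapped_port real_ip real_port) is assumed from memory rather than taken from the post, and only the four forms discussed here are handled.

```python
# Added example: rewrite pre-8.3 ASA NAT statements into 8.3 object NAT.
# Covers only global/nat dynamic PAT (address or interface), static NAT and
# static PAT; the real 8.3 upgrade migration handles far more than this.

def _obj_name(prefix, addr, suffix=""):
    """Deterministic object name, e.g. host-192-168-1-2-tcp80 (naming is our choice)."""
    return f"{prefix}-{addr.replace('.', '-')}{suffix}"

def convert_nat(old_config):
    """Return the 8.3-style configuration lines for a pre-8.3 NAT configuration."""
    statements = [ln.split() for ln in old_config.splitlines() if ln.strip()]
    # Pass 1: 'global (mapped_if) id mapped_addr|interface' may appear before or after its nat.
    globals_by_id = {t[2]: (t[1].strip("()"), t[3]) for t in statements if t[0].lower() == "global"}
    new_lines = []
    for t in statements:
        kw = t[0].lower()
        if kw == "global":
            continue
        if kw == "nat":
            # nat (real_if) id net mask  ->  dynamic PAT to the global with the same id
            real_if, nat_id, net, mask = t[1].strip("()"), t[2], t[3], t[4]
            mapped_if, mapped = globals_by_id[nat_id]
            new_lines += [f"object network {_obj_name('net', net)}",
                          f" subnet {net} {mask}",
                          f" nat ({real_if},{mapped_if}) dynamic {mapped}"]
        elif kw == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2].lower() in ("tcp", "udp"):
                # static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
                proto, mapped_ip, mapped_port, real_ip, real_port = t[2:7]
                service, suffix = f" service {proto} {real_port} {mapped_port}", f"-{proto}{real_port}"
            else:
                # static (real_if,mapped_if) real_ip mapped_ip netmask 255.255.255.255
                real_ip, mapped_ip, service, suffix = t[2], t[3], "", ""
            new_lines += [f"object network {_obj_name('host', real_ip, suffix)}",
                          f" host {real_ip}",
                          f" nat ({real_if},{mapped_if}) static {mapped_ip}{service}"]
        else:
            raise ValueError(f"unsupported statement: {' '.join(t)}")
    return new_lines

# Constructed pre-8.3 configuration: the post's examples plus one static PAT.
OLD_CONFIG = """\
global (outside) 1 1.1.1.1
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.1.2 1.1.1.2 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 80 192.168.1.2 80 netmask 255.255.255.255
"""
```

Running print("\n".join(convert_nat(OLD_CONFIG))) yields the three object network blocks shown in the post, one per translation.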
These are just some of the technical aspects you don't have to worry about with Trigon working for you. Who wants to worry about all that mumbo jumbo? Not you, friend. If you think you need Trigon to take a look at your network infrastructure, give us a call.

Posted by The blogging Desk on Wed, Nov 03, 2010

- by Chad Weaver
Finally! I'm a little late to the party here but it turns out the SDM is dead. I can hear you saying, “What in the world is that?” “Who cares?!”
Well, I do for one. And as your friendly local Philadelphia area IT Support company, it's only going to be good news for you.
The SDM was the Cisco GUI tool for managing routers. It was also known as the Security Device Manager. It will still be around for a while, but a couple of months back the official EoL announcement was made. Why am I so happy? Even being a command line guy, sometimes using the GUI is a bit easier, and for their other devices I have never had an issue getting it up and running, but that bad boy was always a problem for me. Getting it loaded on the device seemed to take longer than any amount of time I used it for. There was also the fact that it seemed to have been written about 10 years ago and never updated again. So what are we using now?
The answer is they developed a new tool called the Cisco Configuration Professional, which can be downloaded from the Cisco website, provided you have a login. I recently took this tool for a spin and I like what I see. While remarkably similar to the tool it is replacing, it was still easy to get set up and connected to a router quickly. I was viewing the configuration in a flash and all the interfaces were recognized! I can’t say the same for the old SDM.
I do have one small complaint; the install was 150 Mb. That seems a bit excessive for this but one install will hold you for all your routers so I can let that slide. Other than the install size and getting the IPs configured, it was a breeze checking out the new tool, so much so I decided to write about it. I know this isn’t exciting for everyone but for someone that truly loves Networking and IT support, it is almost the most exciting thing I have learned today!
Great! If you'd like some more information on how Trigon can help dig the hole for your SDM, give us a buzz. Or, if you have no idea what any of this blog even meant, give us a buzz, too!

Posted by The Blogging Desk on Tue, Oct 12, 2010

Yahoo via iTunes:
Connect with your IM friends using video and voice with the newest Yahoo! Messenger app for your iPhone. Make free voice and video calls to your Messenger friends, low cost calls to land line or mobile phones, video calls—plus get new features like multitasking, instant notifications and free SMS.
Let's be honest, who knew Yahoo was still a thing in 2010?
Aside from presumed posthumous app releases, Yahoo has really stepped it up here. Skype hasn't even added in video calling over Wi-Fi, let alone 3G. Of course, on top of needing friends, you'd also need those friends to have the Yahoo Messenger app. Friends are a tough thing to come by. I'm writing this from the inside of a cheezy poofs bag. Friends forever, bag!
I have only used the FaceTime app a few times, once with my wife from the first floor while she was in my office. I think we'll be using it more once my son bursts onto the scene. I'm the sentimental type, ok?
Outside of personal use, I can see video calling really taking off in the enterprise scene. Video meetings can be a bit more personable when you can't be on-site, and if you have a WiFi connection there, even better. As a top-notch IT Support company serving the Philadelphia area, we'd be ready to support that kind of slick forward thinking. One would think Cisco would come out with an iOS video-calling app. Though, I would think that would work a bit better when the next iPad adds a front facing camera. That's just assumed, right?
I need more cheezy-poofs.

Posted by Chad Weaver on Mon, Apr 12, 2010

I am employed with a company that specializes in IT support, and after the daylight saving time updates that were enacted a while back, I decided to share my experience with NTP and network devices. The recent change to DST prompted a quick audit of NTP settings and time on the network devices that I manage. I work mostly on Cisco equipment, so those are the types of hints I will share with everyone today. I am sure that other equipment is similar in settings, even if the commands are different.
First, I should go over the importance of NTP when it comes to network equipment and security for an IT solutions company. Most Cisco equipment does not include a battery to keep the internal clock running when the power is reset. So power outages, IOS upgrades, and scheduled maintenance that requires a reboot of the device will reset the clock. Second, if you are logging anything for either audit trails, security breaches, or penetration attempts, the logs are almost no help in establishing a timeline if the clock isn't accurate.
Now what is NTP? It's an acronym, for starters, that stands for Network Time Protocol. For some interesting reading, look it up on Wikipedia sometime. For the needs of this article, it is a way to update the time on a device across the internet. Windows uses this to keep the time up to date on all of its operating systems, and all workstations get their time from the domain controller, which is responsible for getting the time from the internet. Now, as I asked before, what does this have to do with keeping good time on network devices? We can point our network devices to a public time server, and after every reboot a fresh update is gathered and, like magic, the time is up to date.
Ok, enough with this babble. How do you know if a server is set and working on a Cisco switch, for instance, you may ask? Easy: with a couple of commands I will share with you, you can quickly log in to your devices and check if everything is working fine. The first new command in your arsenal is just the good old show clock. This is a quick, easy way to see if the clock is even close to being correct. If it is not even close, the next thing you should take a look at is one of these two commands: show ntp associations or show ntp status. These are your go-to commands, and remember, the '?' is your friend. Now if everything is looking good, you have nothing to worry about, but if you don't have a server set at all, never fear; I am going to cover just a few of the important configuration commands you need to get everything working.
The first thing I want to mention is that you will need to enter configuration mode to make changes to the NTP configuration. I suggest you look up a public NTP server, and a backup, that you plan to use and write them down. You will need that information to make the configuration. Get their IP addresses; if you have a DNS name, that will help for the configuration. Now, to set the server you just need ntp server x.x.x.x. Nothing to it at all, and that will get a server configured and your time set in a short amount of time.
Next, if you are in an area that participates in DST, you need to configure that setting, and at this point you should configure your time zone. The last two commands you need are clock summer-time EST recurring, which configures the clock for EST and makes the change happen every year, and then clock timezone EST -5. Both of those commands are to be run from configuration mode, and you should have perfect time in no time. Just verify that your clock is now up to date with a quick show clock and feel better knowing that your timestamps and logging are in good shape.
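As an added example (not from the post), here is a Python check that reads a device's show ntp associations output and decides whether its time can be trusted, the kind of thing you would run across many devices during an audit like the one described above. The output layout and the two sample captures are constructed from memory of the IOS format, not taken from the post; it flags a missing or unreachable server, a server that is itself unsynchronized (stratum 16), no selected sys.peer, and an offset above a threshold.

```python
import re

# Constructed 'show ntp associations' output in the IOS layout (assumed from memory;
# the post names the command but does not show its output). In the first column
# '*' marks the sys.peer the clock is synchronized to and '~' a configured server.
SYNCED = """\
      address         ref clock       st   when   poll reach  delay  offset   disp
*~192.0.2.10         .GPS.            1     23     64   377    1.2    -0.45    0.9
 ~192.0.2.11         203.0.113.1      2     40     64   377    2.3     1.20    1.1
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
UNREACHABLE = """\
      address         ref clock       st   when   poll reach  delay  offset   disp
 ~192.0.2.10         .INIT.           16     -     64     0    0.0     0.00 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
PEER_RE = re.compile(r"^(?P<flags>[*#+\-x ][~ ])(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
                     r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)\s+"
                     r"(?P<delay>\S+)\s+(?P<offset>-?[\d.]+)")

def audit_ntp(output, max_offset_ms=500.0):
    """Return (ok, reasons) for one device's 'show ntp associations' output."""
    peers = [m.groupdict() for m in map(PEER_RE.match, output.splitlines()) if m]
    reasons = []
    if not peers:
        reasons.append("no ntp server configured")
    sys_peer = next((p for p in peers if p["flags"][0] == "*"), None)
    if peers and sys_peer is None:
        reasons.append("no sys.peer selected: clock is not synchronized")
    for p in peers:
        if p["reach"] != "377":          # octal reach register; 377 = last 8 polls all answered
            reasons.append(f"{p['addr']} reach {p['reach']} (server unreachable or flapping)")
        if p["st"] == "16":
            reasons.append(f"{p['addr']} stratum 16 (server itself not synchronized)")
    if sys_peer and abs(float(sys_peer["offset"])) > max_offset_ms:
        reasons.append(f"offset {sys_peer['offset']} ms exceeds {max_offset_ms} ms")
    return (not reasons, reasons)

if __name__ == "__main__":
    for name, capture in (("synced", SYNCED), ("unreachable", UNREACHABLE)):
        print(name, audit_ntp(capture))
```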
Posted by Solutions Center on Mon, Jan 25, 2010

At Trigon, we deal specifically with small and midsized organizations, and we like to provide our clients with peace of mind when it comes to technology. Essentially, through our IT Services, it's our goal to allow people to use their technology for the benefit of their business, and to have it integrate seamlessly into their business plans and objectives.
Often times, our clients find it necessary to have a certain number of PCs running on different versions of Microsoft Windows. While this in itself isn't a problem, it seems that sharing folders and files on a network through this setup can be somewhat difficult.
That's why we thought it was important to point out to you that Cisco offers a product called Network Magic that can make things a heck of a lot more convenient for you. Network Magic is a tool that allows you to share files and folders, and also looks for security holes in your network. So, for around $30, you can secure your network and make sharing files and folders across a network easy.
As for how it works, it's quite simple: once you install Network Magic on each PC, voila! You can share files and folders with just three simple clicks. The product comes in two editions: a $30 edition, Essentials, which offers licenses for up to 3 PCs, and a $40 version, Pro, which offers licenses for up to 8!
So if you're having trouble setting up a network at your small or midsized business, be sure to check out Network Magic. And don't worry, your local IT Support Company can assist you in getting it up and running properly.