Cisco PIX-506E password reset and reset to factory defaults

In order to complete the process we’ll need to download the appropriate password reset file found here. In our case, since our PIX appliance is running software version 6.3(4), we’ll download the np63.bin file. Once downloaded, we’ll start a TFTP server on our workstation. There are many tools that will run a TFTP server; we were using the free version of TFTPD64, found here.

Reboot the unit and press Break or Escape during boot to enter monitor mode. Once the unit starts up you’ll see the monitor> prompt.

Specify the interface you’ll use to connect to your workstation (the TFTP server)
interface 0

Assign an IP address to the interface
address X.X.X.X

Specify the IP address of the TFTP server (your workstation)
server Y.Y.Y.Y

Specify the name of the password reset file
file np63.bin

You can test connectivity to the TFTP server by issuing the following command
ping Y.Y.Y.Y

Sending 5, 100-byte 0xf8d3 ICMP Echoes to Y.Y.Y.Y, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)

Now you can transfer the file from your TFTP server
tftp

Next you’ll be prompted to erase the current passwords on the appliance. Answer yes and the appliance will reboot itself.

Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting….

After the reboot you’ll be able to log in to the device without providing a password.
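The transfer behind the tftp command is a plain TFTP read request: the PIX monitor asks for the file by name and the server streams it back in 512-byte blocks, each one acknowledged before the next is sent. The exchange below is an added example, not code from the original post or from any TFTP server product; it plays both sides in memory with a constructed stand-in for np63.bin, and the class and function names are my own. It also shows why the procedure works without any credentials: TFTP has no authentication, so the server should only be reachable over the directly connected link for as long as the reset takes.

```python
import struct

# TFTP opcodes (RFC 1350); the PIX monitor fetches the image in 512-byte blocks
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename, mode="octet"):
    """Read request: the only thing the client has to send to start a transfer."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_rrq(pkt):
    if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        raise ValueError("not a read request")
    filename, mode = pkt[2:].split(b"\x00")[:2]
    return filename.decode(), mode.decode().lower()


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\x00"


def parse_packet(pkt):
    """Split a DATA, ACK or ERROR packet into (opcode, block-or-error-code, payload)."""
    opcode, number = struct.unpack("!HH", pkt[:4])
    return opcode, number, pkt[4:]


class TftpReadServer:
    """Read-only TFTP server state machine serving in-memory files.

    TFTP has no authentication at all: whoever can reach UDP/69 can read every
    file the server exposes, so it should only run on an isolated link for the
    duration of the procedure and be shut down afterwards.
    """

    def __init__(self, files):
        self.files = files           # {filename: bytes}
        self.data = b""
        self.block = 0

    def handle(self, pkt):
        """Return the reply packet for one client packet (None when finished)."""
        opcode = struct.unpack("!H", pkt[:2])[0]
        if opcode == OP_RRQ:
            filename, mode = parse_rrq(pkt)
            if filename not in self.files or mode != "octet":
                return build_error(1, "File not found")
            self.data, self.block = self.files[filename], 1
            return self._current_block()
        if opcode == OP_ACK:
            _, acked, _ = parse_packet(pkt)
            if acked != self.block:              # lost or duplicate ACK: resend
                return self._current_block()
            if len(self._chunk()) < BLOCK_SIZE:  # the short block was the last one
                return None
            self.block += 1
            return self._current_block()
        return build_error(4, "Illegal TFTP operation")

    def _chunk(self):
        start = (self.block - 1) * BLOCK_SIZE
        return self.data[start:start + BLOCK_SIZE]

    def _current_block(self):
        return build_data(self.block, self._chunk())


def fetch(server, filename):
    """Client side of the exchange (what the PIX monitor does after 'tftp')."""
    reply = server.handle(build_rrq(filename))
    received = bytearray()
    while True:
        opcode, number, payload = parse_packet(reply)
        if opcode == OP_ERROR:
            text = payload.rstrip(b"\x00").decode()
            raise IOError("TFTP error %d: %s" % (number, text))
        received += payload
        reply = server.handle(build_ack(number))
        if len(payload) < BLOCK_SIZE:            # final (short or empty) block
            return bytes(received)


# Constructed stand-in for np63.bin: 1100 bytes, so three DATA blocks are needed
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"\x7f" * 76

if __name__ == "__main__":
    image = fetch(TftpReadServer({"np63.bin": SAMPLE_IMAGE}), "np63.bin")
    print("received %d bytes, intact: %s" % (len(image), image == SAMPLE_IMAGE))
```

A file whose size is an exact multiple of 512 bytes ends with an empty DATA block, which the server side above sends and the client side treats as the terminator; a real server would carry the same state per client over UDP sockets instead of the in-memory handle() call.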

To reset the appliance to factory defaults you’ll need to do the following:

Reload the unit.

Configuring Cisco Access Server

In this example we’ll be using a Cisco AS2509RJ.

This device comes with 8 asynchronous ports, which are used to connect to the console ports of the devices you’d like to access. Unlike Cisco’s 2500 series, which uses octal fan-out cables to connect to other devices, the AS2509-RJ uses rollover cables, also known as Cisco console cables. Usually these are light blue, flat cables, but we’ll be using some we made ourselves.

You can use the pinout diagram below to make them yourself; just don’t forget to test them before use.

To connect your Access Server to the rest of your network you’ll also want an AUI transceiver. It connects to the AUI Ethernet port (the yellow port in the picture above) and converts it to Ethernet (RJ45).

Once you are done with the basic setup of your access server, you’ll want to configure a loopback interface.

Router# conf t
Router(config)# interface Loopback 0
Router(config-if)#ip address 10.1.1.1 255.255.255.255

Then, we’ll configure the lines on the device.

Router(config)#line con 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous

Router(config-line)#line 1 8
Router(config-line)#exec-timeout 0 0
Router(config-line)#no exec
Router(config-line)#transport input telnet

And finally, we’ll configure the hosts you’ll be connecting to.

Router# conf t
Router(config)# ip host S1 2001 10.1.1.1
Router(config)# ip host S2 2002 10.1.1.1
Router(config)# ip host S3 2003 10.1.1.1
Router(config)# ip host R1 2004 10.1.1.1
Router(config)# ip host R2 2005 10.1.1.1
Router(config)# ip host R3 2006 10.1.1.1

To connect to a host, just type the name you have configured, such as S2 or R1.

To see which hosts are defined on the access server, type show host.

To see the lines on the router, type show line.

To jump from an active Telnet session back to the Access Server, press Ctrl+Shift+6 and then X.

To resume the session, press Enter or type resume R1.

To see active sessions, type show session.

To disconnect a session, type disconnect followed by the session number.

You can ‘bypass’ the Access Server and connect directly to a device: from PuTTY, telnet to the IP address of the Access Server but change the port to the one assigned to the device you are trying to reach. In our example, if you Telnet to port 2002 on the Access Server’s IP address you’ll be connected to S2.

Configuring a trunk between a Cisco switch and router

Let’s say we have to set up a small office network. We have a router and switch, and some end user workstations that we want to keep in separate VLANs.

Accounting Dept. PC is configured with the following settings:

IP address: 10.10.1.254
Subnet mask: 255.255.255.0
Default Gateway: 10.10.1.1

Engineering Dept. PC is configured with the following settings:

IP address: 10.20.1.254
Subnet mask: 255.255.255.0
Default Gateway: 10.20.1.1

Let’s configure the switch first.

S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#int fa0/2
S1(config-if)#description :: Accounting Dept PC ::
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
S1(config-if)#

S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#int f0/1
S1(config-if)#description :: Engineering Dept PC ::
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20

We can verify that VLANs 10 and 20 were created properly and that interfaces FastEthernet 0/1 and 0/2 have been configured properly by issuing the show vlan brief command.

S1#sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   VLAN0010                         active    Fa0/2
20   VLAN0020                         active    Fa0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Next, we’ll need to create the two SVIs.

S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#interface vlan10
S1(config-if)#
%LINK-5-CHANGED: Interface Vlan10, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up

S1(config-if)#description AccountingVLAN
S1(config-if)#ip address 10.10.1.253 255.255.255.0

S1(config)#interface vlan 20
%LINK-5-CHANGED: Interface Vlan20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

S1(config-if)#description EngineeringVLAN
S1(config-if)#ip address 10.20.1.253 255.255.255.0

Now, let’s configure the trunk between interface FastEthernet 0/3 on Switch1 and Interface FastEthernet 0/0 on Router1.

On Switch1 we’ll configure the switchport to act as trunk, using 802.1q encapsulation. In addition, we’ll allow VLAN 10 and 20 traffic to cross the trunk.

S1(config)#interface Fa0/3
S1(config-if)#description :: Trunk to R1 Fa0/0 ::
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk allowed vlan 10,20

On Router1 we’ll first bring up interface FastEthernet 0/0 with no IP address of its own (the addressing will live on the subinterfaces):

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastethernet0/0
R1(config-if)#no ip address
R1(config-if)#no shut

R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R1(config-if)#

Then we’ll create two subinterfaces which will act as gateways for the two VLANs.

R1(config)#interface fastethernet 0/0.10
R1(config-subif)#
%LINK-5-CHANGED: Interface FastEthernet0/0.10, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.10, changed state to up

R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.10.1.1 255.255.255.0
R1(config-subif)#no shut

R1(config)#interface fastethernet 0/0.20
R1(config-subif)#
%LINK-5-CHANGED: Interface FastEthernet0/0.20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.20, changed state to up
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 10.20.1.1 255.255.255.0
R1(config-subif)#no shut

Lastly let’s verify that PCs can ping each other.

And that R1 can get to both end user workstations.

Enable NetFlow on Cisco ASA

You need to be running ASDM version 6.2 or newer and ASA version 8.2(2) or greater.

Start ASDM.

Alternatively you can use your web browser. Go to https://ASAIPAddress/admin and select Run ASDM.

Select Configuration > Device Management > Logging, then select NetFlow.

Set the “Template Timeout Rate” value (in minutes) and check the “Delay transmission of flow creation events for short-lived flows” box. Next, add a NetFlow Collector.

Select the interface, then specify the IP address and UDP port of the collector (the default port is 2055).

Next, click on the Firewall tab, select Service Policy Rules, then click Add.

Select the NetFlow tab and click Add.

Select the collector address you want to send flow data to.

Click Finish.

Below is a sample CLI configuration:

no logging message 106015
no logging message 106023
no logging message 106100
no logging message 302013
no logging message 302014
no logging message 302015
no logging message 302016
no logging message 302017
no logging message 302018
no logging message 302020
no logging message 302021
no logging message 313001
no logging message 313008
no logging message 710003
flow-export template timeout-rate 1
flow-export delay flow-create 15
flow-export destination inside XXX.XXX.XXX.XXX 2055
class-map global-class
  description ALL_TRAFFIC
  match any
policy-map global_policy
  description NETFLOW
  class global-class
    flow-export event-type all destination XXX.XXX.XXX.XXX
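What the collector on UDP port 2055 receives is NetFlow v9: a 20-byte header followed by flowsets, where a template flowset (id 0) describes the record layout and data flowsets (id 256 and up) carry records in that layout. Two consequences matter operationally. Records cannot be decoded until their template has arrived, which is what the template timeout-rate setting controls, and the no logging message lines in the sample turn off the connection syslogs (302013, 302014 and so on) whose information is now carried in the flow records, so after this change the collector is the record of connections. The decoder below is an added example, not code from the original page or from Cisco; the class name, the builder functions and the two sample flows are constructed here, and the field numbers used are the standard NetFlow/IPFIX ids (233 is firewallEvent, which ASA NSEL records carry).

```python
import struct
import ipaddress

# NetFlow v9 / IPFIX field ids used by this example
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port",
               11: "dst_port", 4: "protocol", 233: "fw_event"}
FW_EVENT = {0: "ignore", 1: "flow created", 2: "flow deleted",
            3: "flow denied", 5: "flow updated"}
V9_HEADER = "!HHIIII"   # version, count, sysUptime, unixSecs, sequence, sourceId


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else a big-endian int."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


class NetflowV9Collector:
    """Template-driven decoder for the packets an ASA exports to UDP/2055."""

    def __init__(self):
        self.templates = {}      # (source_id, template_id) -> [(field_type, length), ...]
        self.records = []        # decoded flow records, in arrival order
        self.undecodable = 0     # data flowsets that arrived before their template

    def feed(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack(V9_HEADER, packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        offset = 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4 or offset + length > len(packet):
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._parse_templates(source_id, body)
            elif flowset_id >= 256:
                self._parse_data(source_id, flowset_id, body)
            # ids 1..255 are options templates and reserved values: skipped here
            offset += length
        return len(self.records)

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        template = self.templates.get((source_id, template_id))
        if template is None:
            self.undecodable += 1          # no template yet: cannot decode this flowset
            return
        record_len = sum(flen for _, flen in template)
        pos = 0
        while pos + record_len <= len(body):   # trailing bytes are alignment padding
            record = {}
            for ftype, flen in template:
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                record[name] = decode_field(ftype, body[pos:pos + flen])
                pos += flen
            self.records.append(record)


def build_packet(flowsets, sequence, source_id=0):
    """Constructed v9 packet: header (count = number of flowsets here) plus flowsets."""
    header = struct.pack(V9_HEADER, 9, len(flowsets), 4242, 1700000000, sequence, source_id)
    return header + b"".join(flowsets)


def build_template_flowset(template_id, template):
    body = struct.pack("!HH", template_id, len(template))
    body += b"".join(struct.pack("!HH", t, l) for t, l in template)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, rows):
    body = b"".join(ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                    + struct.pack("!HHBB", sp, dp, proto, event)
                    for src, dst, sp, dp, proto, event in rows)
    body += b"\x00" * (-(4 + len(body)) % 4)     # pad the flowset to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body


# Constructed sample: template 256 describes 14-byte records; two flows, one denied
NSEL_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
SAMPLE_ROWS = [("192.168.1.10", "10.1.1.20", 51000, 443, 6, 1),
               ("192.168.1.11", "10.1.2.5", 40000, 53, 17, 3)]


def demo():
    collector = NetflowV9Collector()
    # Data arriving before its template cannot be decoded and is only counted
    collector.feed(build_packet([build_data_flowset(256, SAMPLE_ROWS)], sequence=1))
    # The next export carries the template, so the same records now decode
    collector.feed(build_packet([build_template_flowset(256, NSEL_TEMPLATE),
                                 build_data_flowset(256, SAMPLE_ROWS)], sequence=2))
    return collector
```

Templates are keyed by source id as well as template id because two exporters (or an ASA after a reload) may reuse the same template number with a different layout; a collector that keys on template id alone will silently mis-decode records.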

Site to Site VPN between a Sonicwall Firewall and Cisco ASA 5505

We’ll start the configuration of the VPN tunnel on the Cisco ASA side. First off, let’s start the ASDM.

Click on the Wizards option on the Menu Bar (top left), then select the IPsec VPN Wizard.

Select the Site-to-site option and pick your VPN Tunnel Interface. In our case it is the outside interface of the ASA.

Specify the Peer IP address. This is the IP address of the WAN interface on your Sonicwall appliance. Next, specify the Pre-Shared Key (keep track of this key as you’ll need it to complete the configuration on the Sonicwall end).

In the next step of the Wizard, select the encryption and authentication method used for IKE Phase 1. Document what you have specified here, as you’ll need to match it exactly in the Sonicwall configuration.

In step 4 of the IPsec Wizard we need to configure the IPsec (Phase 2) encryption and authentication types.

Lastly, we need to configure which Local and Remote network (one or multiple) we’d like to use. Let’s say your local subnet (behind the Cisco ASA) is 192.168.1.0/24. You’d configure that as your local network.

Similarly, let’s say you want to access two subnets behind the Sonicwall firewall: 10.1.1.0/24 and 10.1.2.0/24. You need to specify those in the Remote Networks field.

Once done, click on the Next button. Review the configuration and click on Finish. This will apply these settings to the ASA. This completes the configuration of the IPsec tunnel on the Cisco ASA side.

To configure your Sonicwall firewall, sign in to the device using the web interface. Once logged in, navigate to VPN > Settings.

Under the VPN Policies section click on the Add… button.

A new window will pop up. Under the General tab, select Site to Site as the Policy Type and IKE using Preshared Secret as the Authentication Method. Next, specify the Name of the policy (this can be anything you like). In the IPsec Primary Gateway Name or Address field enter the address of your remote peer, which is the IP address of the outside interface of your Cisco ASA. Lastly, enter and confirm the Shared Secret (this is the Pre-Shared Key you have already configured on the Cisco ASA side). Note that the Shared Secret (on the Sonicwall) and the Pre-Shared Key (on the Cisco ASA) have to match exactly, or the tunnel will not come up.

On the Network tab, we need to configure the Local and Remote networks. Following the example above, we would configure 10.1.1.0/24 and 10.1.2.0/24 as our local networks and 192.168.1.0/24 as our remote network.

Finally, make sure that you match all of the settings for Phase 1 and 2 proposals exactly with values you have configured on the ASA.

Once configured correctly, you will see an active VPN connection on your Sonicwall.

On the Cisco side you can issue a show crypto isakmp sa command to see all of the active tunnels.

Issue with Crypto Archive File on Cisco ASA 5505

We ran into an issue with an ASA 5505 generating a stream of syslog messages:

%ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files (2) allowed has been written to < disk0/crypto_acrhive >. Please Archive & remove files from < disk0/crypto_acrhive >.

A look at the contents of disk0 confirms it.

Per this document, this is a known issue (Cisco bug ID CSCtg58074). If you don’t have access to Cisco TAC, a temporary workaround is to delete the crypto archive files and reload the ASA.
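Because the message repeats until the files are removed, it is worth having the syslog collector recognise it rather than a person noticing the flood. The snippet below is an added example, not code from the original post or from Cisco: it parses the %ASA-severity-id prefix that every ASA syslog line carries, pulls the directory and file limit out of 402127 messages, and counts lines per message id so a flooding id stands out. The sample lines are constructed here (the 402127 text is the message quoted above; the 302013/302014 lines are made-up connection messages in the ASA format), and the function names are my own.

```python
import re
from collections import Counter

# ASA syslog messages look like "%ASA-<severity>-<message id>: <text>"
ASA_SYSLOG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
ARCHIVE_DIR = re.compile(r"<\s*(?P<path>disk0/[^\s>]+)\s*>")
MAX_FILES = re.compile(r"maximum # of files \((?P<n>\d+)\)")
CRYPTO_ARCHIVE_FULL = "402127"


def parse_asa_syslog(line):
    """Return severity, message id and text, or None for lines without an ASA id."""
    m = ASA_SYSLOG.search(line)
    if not m:
        return None
    return {"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}


def find_crypto_archive_alerts(lines):
    """Collect every 402127 message with the directory and file limit it names."""
    alerts = []
    for line in lines:
        rec = parse_asa_syslog(line)
        if rec is None or rec["msgid"] != CRYPTO_ARCHIVE_FULL:
            continue
        path = ARCHIVE_DIR.search(rec["text"])
        limit = MAX_FILES.search(rec["text"])
        alerts.append({"path": path["path"] if path else None,
                       "max_files": int(limit["n"]) if limit else None,
                       "line": line})
    return alerts


def count_by_msgid(lines):
    """Per-message-id counts; a message that floods the log stands out here."""
    return Counter(rec["msgid"] for rec in map(parse_asa_syslog, lines) if rec)


# Constructed sample lines (syslog timestamp and hostname added for realism)
SAMPLE_LOG = [
    "Jan 12 10:15:03 asa5505 %ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:192.168.1.10/443 (192.168.1.10/443)",
    "Jan 12 10:15:04 asa5505 %ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest "
    "Crypto Archive File as the maximum # of files (2) allowed has been written to "
    "< disk0/crypto_acrhive >. Please Archive & remove files from < disk0/crypto_acrhive >.",
    "Jan 12 10:15:04 asa5505 %ASA-6-302014: Teardown TCP connection 1234 for "
    "outside:203.0.113.5/51000 to inside:192.168.1.10/443 duration 0:00:01 bytes 512 TCP FINs",
    "Jan 12 10:16:09 asa5505 %ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest "
    "Crypto Archive File as the maximum # of files (2) allowed has been written to "
    "< disk0/crypto_acrhive >. Please Archive & remove files from < disk0/crypto_acrhive >.",
    "Jan 12 10:16:10 asa5505 some unrelated line without an ASA message id",
]

if __name__ == "__main__":
    for alert in find_crypto_archive_alerts(SAMPLE_LOG):
        print("crypto archive full: %s (limit %d files)" % (alert["path"], alert["max_files"]))
    print(count_by_msgid(SAMPLE_LOG))
```

The directory name is taken from the message as the ASA prints it, misspelling included, so the alert shows what the device reports rather than a normalised path.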

Delete the file(s) in question by running the following command:

delete disk0:/crypto_archive/filename.bin

Once this is done, you’ll notice that your syslog server immediately stops receiving the messages shown above.

Restart the ASA by issuing the reload command.