Thursday, October 28, 2010

IP POWER IP9258 and the ip address 122.116.138.126

I am very glad to have this ip power 9258. This is Network based power controller - I am able to power on and off all my cisco routers and switches from anywhere in the world. Because this simple unit, I am saving on electricity and cut off my phone calls to my wife and daughter . I used to call them to turn on devices when I am at starbucks studying.

But there is something I discovered with this ip power that very SCARY. It mapped my ip address to a public ip service server located 122.116.138.126 - Anybody in the world could access my network and turn on and off all my devices. Can you imagine if I plug my production servers into this device?


http://122.116.138.129/test/ip_search.asp


I found lot of ip addresses (ip power devices) with default username and password. I could turn off and on if I wanted to scare people specialy on this halloween days.

SO - PLEASE MAKE SURE YOU CHANGED THE PASSWORD AND DENY ANY TRAFFIC TO 122.116.138.129

You can put it to the test. Change the name of your IP 9258 and go to the website and enter the new hostname. You will be scared.

Thursday, October 14, 2010

VPN filtering using ASDM 6.3 with ASA 8.3



1. You are the new admin of the YAKIMA Company. You decide to filter traffic coming from Oregon to your company. All you want is to allow your users to access only the AS400 server in Oregon.

2. Easy job! You said to yourself. You called the Oregon admin to change the interesting traffic from (10.10.10.0—192.168.1.0) to (10.10.10.100-192.168.1.0) on his side and you are going to do the same from (192.168.1.0 – 10.10.10.0) to (192.168.1.0 – 10.10.10.100).

3. Bummer!!!! The Oregon admin refused saying I don’t want touch that cisco thing. I am not a cisco guy and our cisco consultant is way too expensive. I am sorry I can’t let you touch our device. SO, you are stuck.

4. And then you find me online – another fellow who went to the same dilemma.

5. The solution : VPN filtering using ASDM 6.3 ASA 8.3.4

5.1 Go to Configuration, site-to-site vpn, group policy, click add and internal group policy
Pic1



5.2 Give your policy a name, Uncheck inherit on tunnel protocol and ipv4 filter.
Pc2

5.3 click manage and extended ACL, click add ACL, give it a name and then click add ACE – please be careful with the source and destination address – pc3



5.4 click ok twice and you should be back to the internal group policy- click ok - pic4




5.5 Now go to Advanced Tunnel groups, select the correct tunnel , click edit – in the group policy select your new filter policy.pic5



5.6 Click ok and apply –
5.7 It will seems like nothing is working – Now you need to log out the tunnel and ping the server and see the difference
Go to monitoring, vpn, session and choose site-to-site, choose the correct tunnel and click logout.
Pc6






Voila test it and let me know the result.

Thursday, September 30, 2010

SHOW eigrp hello time

It is very simple to know the exact eigrp hello interval on an interface.

The command is :

show ip eigrp (AS) interface detail (interface type)


R2#sh ip eigrp 1 int detail fa0/0.23
IP-EIGRP interfaces for process 1

Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0.23 1 0/0 4 0/1 50 0
Hello interval is 5 sec
Next xmit serial
Un/reliable mcasts: 0/3 Un/reliable ucasts: 4/4
Mcast exceptions: 1 CR packets: 1 ACKs suppressed: 0
Retransmissions sent: 1 Out-of-sequence rcvd: 0
Authentication mode is not set
Use multicast
R2#

Sunday, September 12, 2010

quick review of How to enable ssh with a cisco router

here are the steps you need to follow to enable ssh
in config mode

1- hostname ...

2- ip domain-lookup

3- username .... password

4- crypto key-generate rsa

5- ip ssh authentication-retries

6 - ip ssh version

7- line vty 0 4
login local
transport input none
transport input ssh

8 - save your work.


Example from my router:

conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#hostname SSHSERVER
SSHSERVER(config)#ip domain-name CCIE
SSHSERVER(config)#username BERTRAND password r3
SSHSERVER(config)#crypto key generate rsa
% You already have RSA keys defined named SSHSERVER.CCIE.
% Do you really want to replace them? [yes/no]: y
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
Mar 1 01:31:52.676: %SSH-5-DISABLED: SSH 2.0 has been disabled
1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Mar 1 01:32:12.172: %SSH-5-ENABLED: SSH 2.0 has been enabled
SSHSERVER(config)#
SSHSERVER(config)#ip ssh version 2
SSHSERVER(config)#ip ssh authentication-retries 3
SSHSERVER(config)#line vty 0 4
SSHSERVER(config-line)#login local
SSHSERVER(config-line)#transport input none
SSHSERVER(config-line)#transport input ssh
SSHSERVER(config-line)#^Z
SSHSERVER#wr
Building configuration...

access_server#7
% 7 is not an open connection
access_server#6
[Resuming connection 6 to sw1 ... ]

SW1#ssh -l BERTRAND 172.16.50.1 3

Password:

Password:

SSHSERVER>sh ssh
Connection Version Mode Encryption Hmac State Username
66 1.99 IN aes128-cbc hmac-sha1 Session started BERTRAND
66 1.99 OUT aes128-cbc hmac-sha1 Session started BERTRAND
%No SSHv1 server connections running.
SSHSERVER>exit

[Connection to 172.16.50.3 closed by foreign host]
SW1#

Saturday, September 4, 2010

RemoteApp disconnected - The client could not connect - Remote desktop

I installed RemoteApp from Terminal Server and Distribute the application to all users. But one of the users who work from home (Remote worker - Location: idaho) is experiencing some weird problem.

When he clicked on the Famous software (remote Apps), he receive the message
"The client could not connect. You are already connected to the console of this computer. A new console session cannot be established".

After 30 minutes of troubleshooting, I discovered the cause of the problem and I wanted to share the solution with my audience.

The problem was that the user home network subnet is 192.168.1.0/24 same as my office network and worse his computer has the same ip address as my terminal server 192.168.1.2 -

so when the vpn to our network, the remoteApps is confuse about the exact location of the terminal server because the 192.168.1.2 is belong the host iniated the connection.

To fix the problem without causing too much pain to my users, I changed the user computer IP adddress from 192.168.1.2 to 192.168.1.55 (a ramdom number) and voila the remoteApps work and the client was able to access famous software (it is our accounting software).

But the best way to fix this problem and the one I will recommend is to change the subnet address of the user home network. For example, give it the subnet address of 10.10.10.0/24 if not used in your organization.

Thanks

Wednesday, August 25, 2010

Famous Software - Unable to print tag label

When click save or F12 nothing happens on the screen or the printer label.

Solution: Give full permission to everyone to the following folders:
1- The famous server itself, give full permission to everyone to : c:\famous client
2- In the terminal server give full permission to everyone to c:\famous client

Famous software - print error 2

Today, the repacking station was acting weird. Tom called me and said that when he click on save (or F12) on famous to print a tag, he receive printer error 2.

Here how I fixed the problem:

Cause: The printer name in the famous propriety is different from the name in the terminal server.

Solution:
1- Go the terminal server and check the name of the printer,
2- On the station, launch famous, click file, proprieties
3- Choose the correct printer name.