Thursday, February 13, 2014

Configuring Telnet or SSH access across a VPN tunnel on a Cisco ASA (8.4+ - 9.1)

Want to enable telnet / ssh management of a Cisco ASA across a VPN tunnel?

In 8.2 and below, you simply use the command:
management-access inside

You may have noticed that in 8.4 and later this no longer works. In 8.4 and later you also need to add the route-lookup keyword to your VPN NAT statement:
management-access inside

nat (inside,outside) source static LocalSubnet LocalSubnet destination static RemoteSubnet RemoteSubnet route-lookup

Of course, you also need to permit telnet or ssh on the inside interface (0.0.0.0 0.0.0.0 allows any source address; narrow it to your management subnet where you can):
ssh 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside

(But don't use telnet, it's ghetto and insecure.)

Wednesday, February 12, 2014

Moving DHCP from one server to another and keeping all leases.

Moving DHCP from one server (2003-2012) to another, preserving all settings AND MOST IMPORTANTLY leases!

1.   Log on to the source DHCP server by using an account that is a member of the local Administrators group.
2.   Click Start, click Run, type cmd in the Open box, and then click OK.
3.   Type netsh dhcp server export C:\dhcp.txt all, and then press ENTER.

Configure the DHCP server service on the new server.
1.   Click Start, click Administrative Tools, click Server Manager. If prompted, acknowledge User Account Control.
2.   In Roles Summary click Add Roles, click Next, check DHCP server, and then click Next.

Import the DHCP database
1.   Copy the exported DHCP database file to the local hard disk of the new server.
2.   Verify that the DHCP service is started on the new server.
3.   Click Start, click Run, type cmd in the Open box, and then click OK.

4.   At the command prompt, type netsh dhcp server import c:\dhcp.txt all, and then press ENTER, where c:\dhcp.txt is the full path and file name of the database file that you copied to the server.
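On Server 2012 hosts the DhcpServer PowerShell module can do the same export/import as the netsh steps above and, unlike netsh, lets you confirm that every scope's leases actually arrived. This is an added example, not part of the original post; the server names, export file and backup path are assumptions, and it assumes it runs on a machine with the DhcpServer module where those paths exist.

```powershell
# Added example: migrate a DHCP server with its leases and verify the lease counts.
function Move-DhcpWithLeases {
    param(
        [Parameter(Mandatory)][string]$Source,        # old DHCP server (assumed name)
        [Parameter(Mandatory)][string]$Destination,   # new DHCP server (assumed name)
        [string]$ExportFile = 'C:\dhcp-export.xml',   # assumed local path
        [string]$BackupPath = 'C:\dhcp-backup'        # mandatory pre-import backup location
    )

    # Snapshot the per-scope lease counts on the source before anything moves.
    $before = @{}
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Source) {
        $id = $scope.ScopeId.ToString()
        $before[$id] = @(Get-DhcpServerv4Lease -ComputerName $Source -ScopeId $id).Count
    }

    # Export configuration plus leases (what "netsh dhcp server export ... all" carries).
    Export-DhcpServer -ComputerName $Source -File $ExportFile -Leases -Force

    # Import onto the destination, including leases; the destination is backed up first.
    Import-DhcpServer -ComputerName $Destination -File $ExportFile -BackupPath $BackupPath -Leases

    # Compare per-scope lease counts and report any scope that came across short.
    $mismatch = foreach ($id in $before.Keys) {
        $after = @(Get-DhcpServerv4Lease -ComputerName $Destination -ScopeId $id).Count
        if ($after -ne $before[$id]) {
            [pscustomobject]@{ ScopeId = $id; SourceLeases = $before[$id]; DestinationLeases = $after }
        }
    }
    if ($mismatch) {
        $mismatch | Format-Table -AutoSize
        throw 'Lease counts differ; keep the source server until this is resolved'
    }
    "All $($before.Count) scopes migrated with matching lease counts"
}

# Usage (constructed names): Move-DhcpWithLeases -Source DHCP-OLD -Destination DHCP-NEW
```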

Friday, February 7, 2014

How to log into Windows Server 2008-2012 DC without knowing domain name OR how to log into a machine without knowing the local computer name.

Have you ever tried to RDP into a Windows Server 2008-2012 server and either a) wanted to log into a DC and didn't know the domain name, or b) wanted to log in using the local 'administrator' account but didn't know the PC's name?

In either scenario, simply enter .\administrator as the user name.

If it's a domain controller, you'll log in as domain\administrator; if it isn't, you'll log into the local administrator account.

Thursday, February 6, 2014

Some cool websites (IT Tools)-

How about some cool websites?

Want to install and be able to update a bunch of common programs with one installer?

Want to monitor up to 100 domains for free, monitor for expiration date, DNS changes, etc.?

Need to mount an ISO on Windows 7?  (Or, 8 of them?)

Need to boot off of a CD or USB stick to scan a computer for viruses?

Need to extract ANY type of archive?

Want to know EVERYTHING about a computer?

Want to export mailboxes from an Exchange database file to a PST?

Wednesday, February 5, 2014

Turning on RDP Remotely (Windows XP and Windows 7)

Ever take a late-night call from a user who is trying to remote into their office computer, and you need to enable RDP on it remotely so they can get in? Assuming a domain environment, it is pretty easy. In Windows XP you could connect to the remote registry and turn it on; Windows 7 blocks that.

For Windows 7-
From the server, run:
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

One minor issue: this doesn't open a hole in the Windows Firewall. You'll need to temporarily disable it, log in, allow RDP in the firewall profile, then turn it back on. From the server:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off

That will shut off the firewall. You can now RDP into the box, allow Remote Desktop in the Windows Firewall GUI, and then turn the firewall back on.

For Windows XP-
Just open Regedit, File, Connect Network Registry. Once connected, go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
and change fDenyTSConnections to 0.


If you need to turn off the Windows Firewall, you can go to Computer Management, connect to the box, and stop the Windows Firewall service. (DO NOT attempt this in Windows 7.)

Saturday, February 1, 2014

Adam's tips-


Great SFTP server- CrushFTP. It also has a nice web interface to file shares and is easy to configure.
http://www.crushftp.com/features.html

==============================================================

Some pretty sweet tools-
http://www.cjwdev.co.uk/Software.html

Notably-
AD Photo Edit- Allows easy upload of photos into AD
AD Info- A cool AD reporting tool for users, computers, groups, printers, etc.
Service Credential Manager- Changes service accounts on multiple servers at once.  Great for changing an admin password, it can automatically search out and update
Group Manager- A tool that allows users to administer groups they are assigned as the manager of.
AD Permission Reporter- Provides a report on your AD permissions

As well as a bunch of other tools.

==============================================================

Ever need to set up a Windows DHCP server but can't authorize it because no AD server is available? This works on 2008-2008 R2 (not sure about 2012).
Here is a handy registry value to bypass authorization-
Add this value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
Name: DisableRogueDetection
Type: REG_DWORD
Data: 0x1
and restart the server (restarting only the service will not help).

==============================================================

Need a tiny TFTP server that doesn't require anything to be installed? TFTPD32 is your answer.

http://www.firewall.cx/downloads/doc_download/19-4-tftpd-32-.html
https://a5-downloads.phpnuke.org/en/c74258/tftpd32-free-download-full-review

==============================================================

On a Cisco ASA, ever need to see the pre-shared key of a client IPsec VPN or a site-to-site (L2L) tunnel?

Use this command-
more system:running-config

It will show you the config with the pre-shared keys unmasked (show running-config replaces them with asterisks).

==============================================================

Ever need to grab your public IP from the command line in Linux?

# ipecho.net/plain returns just the address; the bare hostname returns an HTML page
content=$(wget -q -O - http://ipecho.net/plain)
echo "$content"

==============================================================

Ever need to change the MTU size in Windows? The commands below will change it to 1452. First list the interfaces and their current MTU, then set the one you want:

netsh interface ipv4 show subinterfaces

netsh interface ipv4 set subinterface "Local Area Connection" mtu=1458 store=persistent

A ping larger than 1458 with -f (the don't-fragment flag) should now fail-
ping 8.8.8.8 -f -l 1472
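To confirm what the effective MTU actually is after the change, the same ping -f -l test can be bisected automatically. This is an added example, not from the original post; it assumes English ping output (a real reply contains "TTL=") and that a 576-byte packet (548-byte payload) always gets through.

```powershell
# Added example: find the largest DF payload that gets a reply and report MTU = payload + 28.
function Find-PathMtu {
    param(
        [string]$Target = '8.8.8.8',
        [int]$MinPayload = 548,    # 576 - 28 bytes of IP + ICMP headers
        [int]$MaxPayload = 1472    # 1500 - 28
    )

    # A DF ping counts as working only when ping exits 0 and an echo reply (TTL=) came back;
    # "Packet needs to be fragmented but DF set." produces no TTL= line.
    $probe = {
        param([int]$Size)
        $out = & ping.exe -n 1 -w 1000 -f -l $Size $Target 2>&1 | Out-String
        ($LASTEXITCODE -eq 0) -and ($out -match 'TTL=')
    }

    if (-not (& $probe $MinPayload)) { throw "No reply from $Target even at $MinPayload bytes" }
    if (& $probe $MaxPayload) {
        return [pscustomobject]@{ Target = $Target; PayloadBytes = $MaxPayload; Mtu = $MaxPayload + 28 }
    }

    # Invariant: $lo passes, $hi fails. Bisect until they are adjacent.
    $lo = $MinPayload
    $hi = $MaxPayload
    while ($hi - $lo -gt 1) {
        $mid = [int][math]::Floor(($lo + $hi) / 2)
        if (& $probe $mid) { $lo = $mid } else { $hi = $mid }
    }
    [pscustomobject]@{ Target = $Target; PayloadBytes = $lo; Mtu = $lo + 28 }
}

# Usage: Find-PathMtu -Target 8.8.8.8
```

The result reflects the whole path, so a lower value than the interface setting points at a link further along (a VPN or PPPoE hop, for example), not at the netsh change.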

==============================================================

Want to enable DNS Lookup on your Cisco ASA?

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8

==============================================================

Want to measure bandwidth from individual users on an ASA?
Want to explore QoS issues?
Spot inappropriate internet use on an ASA?

http://www.fireplotter.com/index.php?option=com_content&view=article&id=3&Itemid=154

The product is FREE in watch-only mode. I'd be happy to help get it up and running if you have this need.

==============================================================

Ever run into that quirky VMware issue on a Dell PowerEdge server where you try to create a datastore and your vSphere client disconnects you? You need to delete the Dell diagnostics partition on the disk.

1. Enable SSH via the console.
2. Connect to the VM host via SSH.
3. Run the following to get a list of current LUN paths:
esxcli storage core path list
4. Record the 'Device' value for the device that shows 'Unavailable or path is unclaimed' under 'Adapter Transport Details' or 'Target Transport Details'.
5. Run the following to write a new, empty MS-DOS partition table to that disk (this removes the diagnostics partition and anything else on the disk, so double-check the device ID first):
partedUtil mklabel /dev/disks/<device> msdos
6. Retry the datastore creation in vSphere.
==============================================================

Ever need to download software that was pre-installed on a Dell system?

==============================================================

Ever need to get the Cisco IPSec Client working on Windows 8?

There is a work-around.

1. Press Windows Key+R to open the run prompt, type regedit and press Enter.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

3. Locate the DisplayName value, edit it, and delete all the text to the LEFT of "Cisco Systems VPN Adapter for 64bit Windows."

==============================================================

Want to easily review blue screens (BSOD)?


==============================================================

Ever need to turn on RDP on Windows 7 remotely?

psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
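The tip above and the Windows 7 section of the February 5 post both turn RDP on with the psexec reg add line and then shut the whole Windows Firewall off to get through it. As an added example (not from the original post), the following does the registry change the same way but opens only the built-in "Remote Desktop" firewall rule group, so the firewall never goes down; it assumes psexec.exe is on the PATH and that the caller is a local admin on the target.

```powershell
# Added example: enable RDP on a remote domain machine without disabling its firewall.
function Enable-RemoteRdp {
    param([Parameter(Mandatory)][string]$ComputerName)

    $key = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # 1. Same registry change as the tip: fDenyTSConnections = 0 allows connections.
    & psexec.exe "\\$ComputerName" reg add $key /f /v fDenyTSConnections /t REG_DWORD /d 0
    if ($LASTEXITCODE -ne 0) { throw "reg add failed on $ComputerName (exit $LASTEXITCODE)" }

    # 2. Enable the Remote Desktop rule group for all profiles. netsh runs on the target
    #    itself (via psexec), so remote-netsh limitations do not apply and the firewall stays on.
    #    --% hands the rest of the line to psexec verbatim; %RDP_TARGET% is expanded cmd-style,
    #    which is why the target name goes through an environment variable.
    $env:RDP_TARGET = $ComputerName
    & psexec.exe --% \\%RDP_TARGET% netsh advfirewall firewall set rule group="remote desktop" new enable=yes
    if ($LASTEXITCODE -ne 0) { throw "firewall rule change failed on $ComputerName (exit $LASTEXITCODE)" }

    # 3. Read the value back so the result is verified rather than assumed.
    $query = & psexec.exe "\\$ComputerName" reg query $key /v fDenyTSConnections 2>$null | Out-String
    if ($query -match 'fDenyTSConnections\s+REG_DWORD\s+0x0\b') {
        "RDP enabled on $ComputerName; firewall left on with the Remote Desktop rule group open"
    } else {
        throw "Could not confirm fDenyTSConnections=0 on $ComputerName"
    }
}

# Usage (constructed name): Enable-RemoteRdp -ComputerName WKS-0123
```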

==============================================================

Ever need to check whether "Allow inheritable permissions" is enabled on all AD user accounts? This script will do that; just save it as a .vbs file-

Option Explicit

Dim objRootDSE, strDNSDomain, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strNTName, strDN, intNtSecDescCntrl
Dim objUser, objSecurityDescriptor, strInheritable

Const SE_DACL_PROTECTED = &H1000

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set adoRecordset = CreateObject("ADODB.Recordset")
adoRecordset.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName"

' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoRecordset.Source = strQuery
adoRecordset.Open

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
  ' Retrieve values.
  strNTName = adoRecordset.Fields("sAMAccountName").Value
  strDN = adoRecordset.Fields("distinguishedName").Value
  strDN = Replace(strDN, "/", "\/")
  Set objUser = GetObject("LDAP://" & strDN)
  Set objSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
  intNtSecDescCntrl = objSecurityDescriptor.Control
  If (intNtSecDescCntrl And SE_DACL_PROTECTED) <> 0 Then
    strInheritable = "Allow inheritable permissions disabled"
  Else
    strInheritable = "Allow inheritable permissions enabled"
  End If
  Wscript.Echo strNTName & ";" & strDN & ";" & strInheritable
  adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

Monday, January 27, 2014

Setting up Veeam to use USB drives as an offsite backup.

I had a frugal customer who needed me to use USB hard drives as an offsite backup target with Veeam. There were a few goofy challenges involved, so I thought I'd summarize it for you all. First, I know backup copy jobs exist in Veeam; they are too complicated for my needs. I simply want a FULL backup to USB in addition to the incrementals my regular job makes. Why? Well, say my incrementals are corrupt somehow? Maybe I don't need to back up EVERY VM offsite? Plus I don't need all of the retention of the incrementals on my main job.

Windows-
The challenge here is that you need the drive letter to stay the same when the client rotates the drives. I used a utility called USBDLM. It's a pretty simple utility, but I had to play with it to figure out that it does a LOT more than we need it to.
-          Download USBDLM from http://www.uwe-sieber.de/usbdlm_e.html#download
-          Unzip it into C:\Program Files\USBDLM
-          Create a file called USBDLM.INI containing the following and NOTHING ELSE. I used drive letter "A", but you can use whatever you want.
[DriveLetters]
Letter1=A
-          Run the _install batch file to install it as a service, run the _start batch file to start it.

From here on out, whenever you connect ANY USB drive it will always be the drive letter specified in the USBDLM.INI.

Veeam-
Setup is pretty straightforward. First you're going to create a repository. Make sure your first USB drive is connected and make a directory to store your backups (if you want; you don't have to).
-          Open Veeam, go to Backup Infrastructure, and click on Backup Repositories.
-          Right click, Add Backup Repository.
-          I called mine “Offsite”, hit next, leave “Microsoft Windows Server”, hit next, Leave it on “This server”, hit populate.
-          Select your USB Drive.  (A:\ in my case).
-          Select the path you want to back up to.  (A:\Veeam) in my case.
-          Uncheck Enable vPower NFS, Next, Next, Finish.

Now, set up your offsite job.
-          Go to Backup & Replication, Jobs, Backup.
-          Right Click, Backup.  Name the job whatever you want, click next.  (I called mine Offsite)
-          Add the VMs you want to back up. NOTE- you can remove certain 'disks' if you don't need them offsite. I have giant 4 TB drives, but if I didn't, I might need to exclude the C: drive of my file server, for example. Do this by clicking on Exclusions, Disks, Edit. Hit Next.
-          Select your Offsite backup repository, change “Restore points to keep on disk” to 1.
-          Click Advanced, set backup mode to Incremental (NOT reversed incremental). Make sure "Enable synthetic fulls" is UNchecked. Check the box under "Active Full Backup" that says "Perform active full backups periodically". Set "Weekly on selected days" to the day of your offsite, Saturday in my case. Hit OK, then Next.
-          Leave Image Processing and file system indexing unchecked.
-          Schedule your job to run on the day you want, in my case every Saturday night at 10:00 PM.
-          Hit Next, then Finish.

Last but not least, your jobs are going to fill up your hard drive and stop working. You need to create a batch file to clean this up. I made a folder on C:\ called DiskCleanup and put a batch file in it with this line-

forfiles /P "A:\Veeam\Offsite Job" /S /M *.* /D -45 /C "cmd /c del @path"

This deletes backup files over 45 days old, which leaves me TWO fulls on each drive. You might need to lower the number of days if you only want it to keep one. Then make a scheduled task to run your batch file every week.