ASA 8.3(2) is out, as is ASDM 6.3(3)
I got off my ass tonight and decided to update the ASA (yes, my licensing is correct!). I haven't had a chance to play with it a while lot (you can see it's only been up for 3 and a half hours), but it seems pretty cool. I sat down and read the release notes for 8.3(2) and there's a few things you should know. First off, you're going to need more memory. Well, if you look at mine, you can see I've maxed out what the thing will accept, so I'm perfectly safe; but chances are, you're not. Cisco has a nice table to let you know what your memory needs are. In fact, if you head over to this web page, you check out the release notes for both 8.3(1) and 8.3(2). You'll see the new features as well as caveats fixed with these versions. Now that I have informed all you guys about the upgrade, I'm going to start playing with it for a little bit before the sun comes up and kills me. Dammit! It's already 1am!
Port Forwarding on the Cisco ASA in 8.3 from the ASDM made easy
In my last post I taught you how to forward a port on the ASA 5505 running version 8.3 from the CLI. Some of you prefer to use the ASDM to do you changes, so I guess I'll show you how to do it from there. The ASDM is a bit of a learning curve for someone that's used to the CLI, and most CLI guys hate a GUI with a great passion. I can go either way. I use the ASDM to make some changes simply because I want to learn it and there's some guys coming into the field today that were taught on the GUI rather than a command line.
In this lesson I'm using ASDM version 6.3(1) and ASA version 8.3(1). Since we added a web server in the last post, let's make this one an FTP server. The FTP server's IP is the same as the web server, 10.9.8.7/24 and we're running over the standard FTP port, 21.
First off, we want to start up the ASDM and connect to the ASA. Once there, click on the 
button at the top of the screen, then the 
button near the bottom left, and finally select 
near the top left. You'll now be at a screen that looks something like this:
Click for larger version
Now we need to create a new object, so click on "Add" under Addresses, then "Network Object".
Now we need to fill out our new window. Once you fill out the name, IP address and description, you need to drop down the NAT box and fill it out. Click the "Add Automatic Address Translation Rules" box, leave the type as "static" and set the translated address as the outside interface.
We now need to go to the Advanced menu from the Add Network Object window and setup the port forwarding. The source will be inside, destination is outside. Protocol in this instance is TCP and our port is 21, both real and mapped.
Click "OK" twice and your object will be created as well as the port forward. Now we just need to add the access rule. On the left side of the screen, just above the NAT Rules is your Access Rules. From there we want to click "Add" and "Access Rule".
We need to create the rule on the outside interface, coming from any IP to the FTPServer using FTP as the service.
Once you click OK, your rule is added. You don't have to add a description like I did in the image above this one, I just did that for the hell of it. When you click "Apply" at the bottom of the screen, the ASDM will issue the commands to the ASA. I have preview turned on, so I can always see what commands are being sent to the device before they are actually sent. If you followed all the steps above and you have preview turned on, you'll see the following:
And you'll notice that those are the exact 4 commands that I gave in the last post about doing it from the CLI! Now you can forward any port you want from either the CLI or the ASDM!
On a side note, I know a lot of guys hate the ASDM. When I was writing this post and going through all of this I was kinda upset when I saw that I had 10 pictures for 4 lines of code. The good thing about the ASDM is that you have everything right there at your disposal and you really don't need to know the vernacular of IOS. The drawback is that it will take you longer to get things done at first, but once you get used to it, it can be just as fast.
Port Forwarding on the Cisco ASA in 8.3 from the CLI made easy
So it's been a month and a half since I posted an update, and it's 4:15 am right now. I can't sleep and I found out there's another networking blog out there using the same WP theme as me, so I figured I better put something up here since it was fresh in my mind. Well, now that the niceties are out of the way, let's get to work.
I recently added an ASA 5505 to my home network at the edge. Obviously, when I did, all of my port forwards went to hell because the ASA is now blocking everything. I run a web server on one of my servers here and I like to be able to access it because I keep a lot of tech manuals and other stuff on there. Well, I went about trying to set up port forwarding the old way and learned real quick that this pops up when I do:
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
Yeah, that sucks. On the new version of the ASA OS, global has gone the way of the dodo. I did a bunch of searches on Google to figure it out and everything I ran across was very hard to decipher. That's why I'm writing this. You can setup a port forward in 4 quick and easy steps. Just change the things that are underlined to fit your network and you'll be just fine.
In this example, we want to be able to access a web server behind the firewall. We'll assume you are using the standard HTTP port, the web server's internal IP address is 10.9.8.7/24, and that you at least know what you're doing enough to be configuring an ASA in the first place. I'll give you the steps, then I'll explain.
Step 1: Create a new object group for you web server.
asa5505(config)# object network Webserver
Step 2: Add the IP of the web server to the network group.
asa5505(config-network-object)# host 10.9.8.7
Step 3: Forward the port via the NAT command.
asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www
Step 4: Exit back to the root and add the access list
asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www
That's it! Now, let's explain what's going on here. Cisco has started moving more and more towards use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in. Rather than having to rewrite a whole bunch of ACL's, you just add the IP of the new web server into the object group and everything is done for you. After you create the object group (in this instance a network object, you can also create service objects), you add the IP of the specific object (or objects) that you want to point to. So here our web server is 10.9.8.7. If you want to send port 80 to more than 1 IP on your internal network, just add more IP's to that object group.
Now is the fun part. While we're in the object group, we need to NAT port 80 only to that specific object group, hence you're still at "asa5505(config-network-object)#" prompt. Now type "end" to get back to the regular config terminal and we need to open that port in the ACL. Yes, www = 80. You can type either one and you get the same result. If I have to go through and explain NAT, how it works and why I enter in that specific command to forward the port, then there's a possibility that I'd need to send you an invoice for my time because we would be here for a while.
This works for ANY port forward. If you want to RDP into a machine, simply replace port 80 (all those www's you see up there) with 3389. There is one caveat. You can only do one port forward per object group. So let's say that our web server is also an FTP server and you want port 21 to forward as well as port 80. You're going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.9.8.7), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).
This should get you up and running with you port forwards in no time flat. It is a bit of a pain in the ass to have to create a new object group for every port you want to forward, and maybe there's someone out there that's reading this right now thinking "dude, you don't have to create more than one group! You can just do...". Well, you need to enlighten the world with this knowledge and post it in the comments section. And if you're too scared to do so, shoot me an email to greg(at)gregledet(dot)net.
I'd also like to thank Stefan Fouant for an excellent class today on JUNOS Switching. I learned a lot in his class and you can learn a lot from his website. Check it out and tell him Greg sent ya!
Oil Spill ROV cameras
I've put all the ROV cameras in one place.
How to get past the new isoHunt Lite and get to the old original site
If you are a torrent hound like some people, you have probably noticed that on April 5th, isoHunt changed the site for US users. This REALLY sucks because it basically takes away your filtering capabilities and the ability to view the comments on the files. The thing is, isoHunt is my favorite .torrent search engine and I want my old isoHunt back!!! Well, if you're like me and you want the old isoHunt back, here's how you can do it. This also works on TorrentBox.com and any other site that blocks US users.
1. First off, you should already have a copy of Firefox installed on your computer. If you are only using IE, you have problems that I can't solve in a simple blog post. Go get Firefox and get it installed. If you have it installed already, go to step 2.
2. We need to download a Firefox Add-on called FoxyProxy. You can find it at http://foxyproxy.mozdev.org/ or you can skip straight to it by clicking here. Add FoxyProxy to Firefox. You'll need to restart Firefox after you install it.
3. You'll notice at the bottom right corner of Firefox that FoxyProxy is Disabled. It'll look like this: 
Go ahead and click on that or you can go to Tools -> FoxyProxy Standard and it will open the next window (click for bigger version):
4. Now we need to add some proxies. I like to use xroxy.com to find my proxies. One reason I like it is because you can setup the proxies with a single click. I'll show you how to do both. We need to find a proxy to use that will get us past the isoHunt lite and to the main site. To do this you can use proxies all over the globe. For this how-to, I'll use a proxy in Canada. I suggest that you try out various proxies until you find one that works best for you. I've used proxies in Canada, the UK, and many other countries, it just so happens, that Canada seems to be the fastest for me.
5. At xroxy.com you need to click on "By Country" or click the picture below:
6. Click "Canada" in the list on that page to bring up the list of all Canadian proxies. Once there, there's 2 ways of setting up a proxy in FoxyProxy, manually or automatically. For the auto setup, just click the FoxyProxy icon next to the proxy: 
.
7. To setup a proxy manually, there's many different how-to's out there that can be found in the help section of FoxyProxy's website. There's one with screenshots for an older version of FoxyProxy, and there's one written by FoxyProxy on how to configure the software.
8. Once you have the proxy setup, you need to tell the software how to use it. For the sake of simplicity, you can simply right click on the "FoxyProxy:Disabled" and tell it "Use proxy 'XROXY Proxy' for all URLs". You can also setup patterns for that proxy to use.
9. To setup patterns, double click the XROXY Proxy from the main screen in FoxyProxy. Click on the URL Patterns tab and Add New Pattern. When the screen comes up, enter the following:
Type the URL EXACTLY like I did with the /* behind it to use as a wildcard. If you don't do this, only the main page of isoHunt will go through the proxy and all the search pages will kick back the Lite version. Click OK and you'll have setup the pattern. Now you can tell FoxyProxy to "Use proxies based on their pre-defined patterns and priorities". Once you do that, all traffic going to isoHunt will pass through the proxy and all other traffic will go straight to the internet without going through a proxy.
Once you're back to the main isoHunt site, you're good to go. I highly suggest using µTorrent as your client and I would definitely download PeerBlock to use block unwanted traffic. Once you have PeerBlock installed, you can get your lists from iBlockList.com to stop all those evil people that you don't want accessing your network. If you want to surf anonymously, you can download Tor, but that will really slow you down. Onion routers like Tor will bounce your traffic all over the world before it finally makes it out to the cloud.
That should be all you need to know to get back to the main site of isoHunt. We really shouldn't have to take such measures simply to view a website. We need to support net neutrality and tell our lawmakers that we will NOT be censored, and if they do, we will simply find a way around them.
P.S. For all those Canadians living in the US and would like to watch shows like Canada's Worst Driver but can't, you can use this same method. Make sure you use a Canadian proxy.
Slipping past cell phone voice mail greetings
I hate people that put long drawn-out voice mail greetings on their cell phones. In fact, very few things will cause me to just hang up the phone and not leave an important voice mail more than that. That's why I've done a bunch of searches and decided to tell you guys (and leave it here for my future reference) just how to skip past the greetings. I have a friend of mine, we'll call him "Mary" that has a greeting in which he'll tell you his life story, website, and read "War and Peace" before it ends. I VERY rarely leave him a voice mail because I don't want to sit through that long ass greeting, not to mention eat up an extra minute on my cell phone. Now I don't have to!
Verizon: press *
Sprint: press 1
T-Mobile or AT&T: press #
Of course, you need to know what carrier the person you are calling is using. The way I figure out is simply trial and error until I hit the right one. I timed Mary's once (he's on Verizon) and if I would have left a message, I would have been into the 3rd minute of the call and eating up my shared minutes. After his long ass greeting, Verizon gives all the options (including giving a fax options!) of crap you can do. I'm not sitting through that crap. Now as soon as I hear that voice mail pick up, I slam a * into the phone and I'm done.
What I would like to see is people to put this info at the beginning of the greeting. Something like "Hi, this is Greg. Please press * to skip this greeting". That would go a long way and I'm willing to bet more people would be willing to leave voice mail for you if you did.
Uploading multiple vCards to Google Contacts
As you can see from my last post, I've been messing around with my contacts list as of late. I'm trying to get as much info on these people as possible. Stuff like their birthdays and anniversaries, mailing addresses, emails, phone numbers, etc. While I'm putting all of this together, I'm also adding pictures for everyone on their vCard; a head shot for friends and the company logo for business contacts. Since I'm using Outlook 2007 as my main mail program, it's pretty easy to get all of this stuff in one place. The only problem I was running across was, like I said in the last post, Google was screwing with my contacts list. First off, you can only import 2 types of files to Google; a vCard file and a CSV. You can't upload a .pst file which would contain all of my contacts' pictures. The CSV file does move all the info I want except the pictures, and the vCard file moves everything, but you have to do it one at a time... or do you?
Click on the business card for the full vCard.
For those of you that don't know what I'm talking about, this is what a Business card vCard looks like in Outlook if I were to email it to you. It's a .vcf file and contains all kinds of rich information on the back end. There's a link under the picture for you to download a full vCard for the president. There's also tons of other formats out there to store your contacts; everything from simple text files all the way to QR codes. If you have an app on your phone that does 3D barcodes, snap a pic of that one and you'll get the same info that's in the vCard.
Now, back to what I was originally talking about. Seeing as I want all that rich information in my contacts and I want to import them into Google, I need to use a vCard. I don't want to have to upload 239 individual files, so this is what I'm going to do.
- Go to your contacts in Outlook and highlight them all (ctrl-A). Right click and "Send Full Contact" then "In Internet Format (vCard)". Depending on how many contacts you have, you may have to split them up into groups. I did...
- An email should pop up with a bunch of attachments. Send that email to yourself.
- From the email you just sent to yourself, highlight all the attachments, right-click, save as. Save them somewhere easy to access.
- Open up a command line. (Windows Key + R, then type "cmd" and press OK)
- Navigate to the folder where you saved the contacts. I saved them in C:\contacts, so we'll use that.
- The command to type from the directory you have saved your contacts is:
copy /B *.vcf all_contacts.vcf - This will create a file in that directory called "all_contacts.vcf". In that file will be the vCards of all of your contacts.
- Now you just go to Google.com/contacts, click "Import" on the right side of the page, and upload that file!
It's pretty easy when you think about it. I don't know of any way to do this from the GUI, so you're going to have to use the command line. Once you have everything uploaded to Google Contacts, you should be set. All you pictures and information should have been transferred and now you have a full backup of your contacts list should your computer crash! I also use the same contacts list on my Windows Mobile phone, so I have multiple backups of my contacts list. I'll never have to run around trying to rebuild it after losing my phone again!!!
-Greg
A message about security
When I originally started this blog, it was entitled "Adventures in Networking" and it dealt primarily with networking and, more specific, Cisco network security. Since that time I've written about everything from hurricanes to hacking an Western Digital NAS device and giving a $50 Linksys router the power of a $500 Cisco box. Lately, I've been posting how-to's for all kinds of stuff and it's time to take a step back and talk about security for a little bit.
A web hosting client of mine got his site hacked in the past couple of days. About a year ago, I installed phpBB3 for him and setup his domain on my server. After that, I acted as admin on the forums and stuff like that. Well, phpBB3 got neglected and hadn't been updated in a while. It was running version 3.0.6 while the latest version was 3.0.7-PL1. 4 versions have been released since the last update. When the site got exploited, he looked at me like it was my fault. In fact, he told me something along the lines of "I paid you to build a site that was secure and you didn't do that". Well, I did build him a secure site a year ago, but in the past year, there has been enough holes found in phpBB3 to kill a horse.
I'm sure that any freelancer or businessman out there has had to deal with clients that don't understand what it is exactly you do. This happens a lot to me due to the range of things that I do. But in this instance, the client was under the illusion that I was going to maintain the website and keep it up to date for him. The original invoice that I sent for the site was simply 8 hours of work to get everything installed and setup properly and for a year of hosting. Since that first invoice, I have fixed little errors here and there for him without invoicing him because it's little things that only take a few minutes to take care of. Plus, the guy is a real good friend of mine and has been my friend since before we started doing business together. I do freebies for a lot of my customers from time to time. Maybe I messed up by doing these repairs and not charging him for them and by doing that I lead him to believe that I was doing it all for free.
I logged into the site this morning to notice that it had been defaced. Some hacker managed to get in and screw around with the AdminCP. Language packs were messed with, 300+ accounts were created and a bunch of spam had been posted. I went ahead and fixed everything that happened and went through the process of upgrading phpBB3 to the latest version. It took me about 2½ hours to get it all cleaned up and upgraded. Once I was done, I submitted a service ticket for the work. Here's another place I screwed up. I should have asked him if he wanted me fix it first because we don't have a service agreement between the two companies.
Well, the site got upgraded to the latest version of phpBB3 and it was working fine.... for about 3 hours. That's when our little hacker managed to get back in and lock me out completely. My best guess is that there's a zero-day exploit on phpBB 3.0.7-PL1 that will also work on all previous versions. In that instance, there's not a whole lot I can do about it other than block the proxies that he's used to get to the site with or just shut the site down. Well, I shut it down.
Here's where the main problem starts. The customer assumed that it was my responsibility to update the software for him. I don't go to HP and bitch at them because there's holes in Windows. Once I install the software, it's up to the client to keep that software up to date. All of my other web clients know this and they keep their CMS software up to date. If we would have set up a service contract in which I said I would maintain the security of his site, then it's no problem. It's my responsibility to fix the security issues that come up, but there's no agreement there.
Also, the client wants 100% security. We all know that 100% security does not exist and never will exist. He didn't like the fact that I used open-source software for the site because people can read the source code. Well, the open-source stuff is free, so that's why it was used. But even closed-source software has security holes in it.
To wrap up this rant, I wish people could understand that the only secure computer is one that's powered down and unplugged from the internet. A friend once told me that if you installed a fresh copy of Windows XP (no service packs) on a computer and plugged it directly into the internet, it would be rooted within 12 seconds. 12 seconds! There is no security, only the illusion of it.
-Greg
DD-WRT and the WRT54G-TM
So I do a lot of DD-WRT how-to's. I don't know why, I guess it's just that I seem to put DD-WRT on a bunch of different routers and decide that I'm going to document what I've done. Today's how-to is for the WRT54G-TM. Let me give you a little info on the WRT54G-TM.
The WRT54G-TM (TM stands for T-Mobile) is also called the T-Mobile "Hotspot@Home" service. It allows calls to be made via T-Mobile's GSM network or via WiFi Unlicensed Mobile Access (UMA), using the same telephone and phone number (a special dual-mode phone designed for the service is required e.g. Blackberry Pearl 8120). Additionally, once a call is in progress, one may transition from WiFi to GSM (and vice versa) seamlessly, as WiFi signal comes and goes, such as when entering or exiting a home or business. A special router is not needed to use the service, but the T-Mobile branded routers are supposed to enhance the telephone's battery life. This is the only known tweak to the TM version of the firmware. Obviously, none of this will be worth anything seeing as you're about to flash it with DD-WRT.
The hardware appears to be like WRT54GL however has 32MB ram and 8MB flash. Yeah, this thing is a monster. Until not that long ago the only way to upgrade this router was through a JTAG cable and header, but luckily we don't have to worry about that anymore. Let's get to it.
First off, download the software you're going to need. Here's a rar file with everything you're going to need. In the archive are 3 files:
CFE_Updater-WRT54G-TM.bin
dd-wrt.v24-13064_mega_generic.bin
tftp2.exe
The upgrade is pretty straight forward, but it has a little twist. The default LAN IP Address of the Linksys WRT54G-TM is 192.168.0.1. The default IP for everything else is going to be 192.168.1.1. A way around this is to simply setup 2 static IP addresses on your computer. I setup 192.168.1.9 and 192.168.0.9, but you can put whatever you want as long as they fall within the /24 subnet of 192.168.1.0 and 192.168.0.0.
1.) As always DO A HARD RESET BEFORE YOU FLASH FIRMWARE. This does not mean hitting the reset button and saying you are done. This means doing the 30-30-30 reset. To do a 30-30-30 reset you must push the reset button with your router powered on. Hold it for 30 seconds with the router powered on. STILL holding it, pull the power cord for 30 seconds. Still holding it, plug the router back in and continue to hold the reset button for 30 more seconds. You will have held the button for a full 90 seconds without releasing it. You will not get a password renewal page as you have stock Linksys firmware on the router still.
2.) Open a command prompt window and type ping -t 192.168.1.1 and hit enter. Leave this window open. We're going to come back to this later, but you need to keep this open.
3.) Log into the WRT54G-TM's web interface @ http://192.168.0.1 and go to the Administration Tab - Firmware Upgrade. Upload the CFE_Updater-WRT54G-TM.bin to the router.
!!!ATTENTION!!! You MUST wait at least 5 minutes after clicking the Upgrade button to allow the CFE_Updater to replace the stock CFE on the router and for it to erase the rest of the flash, otherwise you will brick your router.
A few seconds after clicking the Upgrade button the Linksys web interface will report that the upload has been successful and the power light will begin flashing on the router. Do NOT assume that the CFE replacement/flash erasing/reboot process has finished as the power light will continue to flash after it has rebooted. So there is no way to tell when it is ready for you to TFTP the DD-WRT firmware to it except when you begin to see the ping respond.
So once it is finished replacing the stock CFE and erasing the rest of the flash, the router will reboot. When the router is ready for the TFTP upload of the DD-WRT firmware, you will see the ping -t 192.168.1.1 begin to respond in the command prompt window that you opened before.
4.) Open up the TFTP utility and set it up like this:
The file there is the path to the dd-wrt.v24-13064_mega_generic.bin in the archive
Now click the Upgrade button. Once the firmware is sent to the router, it will reboot. The power light will change from flashing to solid when it is ready to be configured. The default IP will be 192.168.1.1.
If you do not see a progress bar as the tftp utility transmits the file, you may need to power cycle your router. Wait until the tftp utility has finished its attempts, then power cycle (possibly waiting a few seconds) and wait until you can ping 192.168.1.1 before clicking Upgrade again.
A few notes:
- Tornado has made it so that the router will retain it's MAC Address that is on the label on the bottom of the router with the new CFE replacement.
- Tornado is in the process of making a revert bin for those who may choose to revert back to the stock Linksys firmware (god only know why)
Many thanks goes out to Tornado, Eko, and Brainslayer for their work on this! Also, thanks to Luniz2k1 that wrote the original how-to that my lazy ass ripped off to make this one.