In my last post I taught you how to forward a port on the ASA 5505 running version 8.3 from the CLI. Some of you prefer to use the ASDM to do your changes, so I guess I'll show you how to do it from there. The ASDM is a bit of a learning curve for someone that's used to the CLI, and most CLI guys hate a GUI with a great passion. I can go either way. I use the ASDM to make some changes simply because I want to learn it, and there are some guys coming into the field today that were taught on the GUI rather than a command line.
In this lesson I'm using ASDM version 6.3(1) and ASA version 8.3(1). Since we added a web server in the last post, let's make this one an FTP server. The FTP server's IP is the same as the web server, 10.9.8.7/24 and we're running over the standard FTP port, 21.
First off, we want to start up the ASDM and connect to the ASA. Once there, click on the button at the top of the screen, then the button near the bottom left, and finally select near the top left. You'll now be at a screen that looks something like this:
Now we need to create a new object, so click on "Add" under Addresses, then "Network Object".
Now we need to fill out our new window. Once you fill out the name, IP address and description, you need to drop down the NAT box and fill it out. Click the "Add Automatic Address Translation Rules" box, leave the type as "static" and set the translated address as the outside interface.
We now need to go to the Advanced menu from the Add Network Object window and setup the port forwarding. The source will be inside, destination is outside. Protocol in this instance is TCP and our port is 21, both real and mapped.
Click "OK" twice and your object will be created as well as the port forward. Now we just need to add the access rule. On the left side of the screen, just above the NAT Rules is your Access Rules. From there we want to click "Add" and "Access Rule".
We need to create the rule on the outside interface, coming from any IP to the FTPServer using FTP as the service.
Once you click OK, your rule is added. You don't have to add a description like I did in the image above this one, I just did that for the hell of it. When you click "Apply" at the bottom of the screen, the ASDM will issue the commands to the ASA. I have preview turned on, so I can always see what commands are being sent to the device before they are actually sent. If you followed all the steps above and you have preview turned on, you'll see the following:
And you'll notice that those are the exact 4 commands that I gave in the last post about doing it from the CLI! Now you can forward any port you want from either the CLI or the ASDM!
On a side note, I know a lot of guys hate the ASDM. When I was writing this post and going through all of this I was kinda upset when I saw that I had 10 pictures for 4 lines of code. The good thing about the ASDM is that you have everything right there at your disposal and you really don't need to know the vernacular of IOS. The drawback is that it will take you longer to get things done at first, but once you get used to it, it can be just as fast.
So it's been a month and a half since I posted an update, and it's 4:15 am right now. I can't sleep and I found out there's another networking blog out there using the same WP theme as me, so I figured I better put something up here since it was fresh in my mind. Well, now that the niceties are out of the way, let's get to work.
I recently added an ASA 5505 to my home network at the edge. Obviously, when I did, all of my port forwards went to hell because the ASA is now blocking everything. I run a web server on one of my servers here and I like to be able to access it because I keep a lot of tech manuals and other stuff on there. Well, I went about trying to set up port forwarding the old way and learned real quick that this pops up when I do:
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
Yeah, that sucks. On the new version of the ASA OS, global has gone the way of the dodo. I did a bunch of searches on Google to figure it out and everything I ran across was very hard to decipher. That's why I'm writing this. You can set up a port forward in 4 quick and easy steps. Just change the things that are underlined to fit your network and you'll be just fine.
In this example, we want to be able to access a web server behind the firewall. We'll assume you are using the standard HTTP port, the web server's internal IP address is 10.9.8.7/24, and that you at least know what you're doing enough to be configuring an ASA in the first place. I'll give you the steps, then I'll explain.
Step 1: Create a new object group for your web server.
asa5505(config)# object network Webserver
Step 2: Add the IP of the web server to the network group.
asa5505(config-network-object)# host 10.9.8.7
Step 3: Forward the port via the NAT command.
asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www
Step 4: Exit back to the root and add the access list.
asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www
That's it! Now, let's explain what's going on here. Cisco has started moving more and more towards use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in. Rather than having to rewrite a whole bunch of ACLs, you just add the IP of the new web server into the object group and everything is done for you. After you create the object group (in this instance a network object; you can also create service objects), you add the IP of the specific object (or objects) that you want to point to. So here our web server is 10.9.8.7. If you want to send port 80 to more than 1 IP on your internal network, just add more IPs to that object group.
Now is the fun part. While we're in the object group, we need to NAT port 80 only to that specific object group, hence you're still at the "asa5505(config-network-object)#" prompt. Now type "end" to get back to the regular config terminal, and we need to open that port in the ACL. Yes, www = 80. You can type either one and you get the same result. If I have to go through and explain NAT, how it works and why I enter in that specific command to forward the port, then there's a possibility that I'd need to send you an invoice for my time because we would be here for a while.
This works for ANY port forward. If you want to RDP into a machine, simply replace port 80 (all those www's you see up there) with 3389. There is one caveat. You can only do one port forward per object group. So let's say that our web server is also an FTP server and you want port 21 to forward as well as port 80. You're going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.9.8.7), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).
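Because every forwarded port needs its own object, its own nat line and its own access-list entry, it is easy to end up with a NAT that no ACL opens (port silently closed) or an ACL that permits traffic to an object that has no static NAT (a rule that does nothing, or one left behind after a forward was removed). The script below is an added example, not from the original post or from Cisco: it parses 8.3-style object/nat/access-list lines of the kind shown above and pairs them up. The sample config, the object names RDPBox and Printer, and the assumption that the ACL uses the same real-port service keyword as the nat line are all constructed for the example.

```python
"""Audit ASA 8.3-style port forwards: pair each static NAT with its access-list entry.

Added example (not from the original post). Config text is constructed to mirror the
post's Webserver/FTPServer commands as they would appear in a running config.
"""
import re
from dataclasses import dataclass, field

# Subset of service keywords the ASA accepts in place of port numbers (www == 80).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

def port_of(tok: str) -> int:
    """Map a service keyword or a numeric string (e.g. '3389') to a port number."""
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)

@dataclass
class Forward:
    name: str
    host: str = ""
    proto: str = ""
    real_port: int = 0
    mapped_port: int = 0
    acl_ports: list = field(default_factory=list)  # (proto, real_port) permitted by ACL

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \([^,]+,[^)]+\) static interface service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list \S+ (?:extended )?permit (tcp|udp) any object (\S+) eq (\S+)$")

def parse_forwards(config: str) -> dict:
    """Collect network objects, their static service NATs and the ACL lines naming them."""
    forwards, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = forwards.setdefault(m.group(1), Forward(m.group(1)))
        elif m := ACL_RE.match(line):
            obj = forwards.setdefault(m.group(2), Forward(m.group(2)))
            obj.acl_ports.append((m.group(1), port_of(m.group(3))))
        elif current is not None and (m := HOST_RE.match(line)):
            current.host = m.group(1)
        elif current is not None and (m := NAT_RE.match(line)):
            current.proto = m.group(1)
            current.real_port, current.mapped_port = port_of(m.group(2)), port_of(m.group(3))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the object block
    return forwards

def audit(config: str) -> list:
    """One finding per object: EXPOSED (NAT + ACL agree), NAT-ONLY, or ACL-ONLY."""
    findings = []
    for f in parse_forwards(config).values():
        if f.mapped_port and (f.proto, f.real_port) in f.acl_ports:
            findings.append(f"EXPOSED {f.proto}/{f.mapped_port} -> {f.host}:{f.real_port} ({f.name})")
        elif f.mapped_port:
            findings.append(f"NAT-ONLY {f.name}: no ACL permits {f.proto}/{f.real_port}, port stays closed")
        else:
            findings.append(f"ACL-ONLY {f.name}: ACL references an object with no static NAT")
    return findings

# Constructed sample running-config fragment (RDPBox and Printer are made-up objects).
SAMPLE_CONFIG = """\
object network Webserver
 host 10.9.8.7
 nat (inside,outside) static interface service tcp www www
object network FTPServer
 host 10.9.8.7
 nat (inside,outside) static interface service tcp ftp ftp
object network RDPBox
 host 10.9.8.20
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in extended permit tcp any object FTPServer eq ftp
access-list outside_access_in extended permit tcp any object Printer eq 9100
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against `show running-config` output to get a quick list of what is actually reachable from the outside interface; the RDPBox and Printer findings are the two mistakes the per-port object layout makes easy.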
This should get you up and running with your port forwards in no time flat. It is a bit of a pain in the ass to have to create a new object group for every port you want to forward, and maybe there's someone out there that's reading this right now thinking "dude, you don't have to create more than one group! You can just do...". Well, you need to enlighten the world with this knowledge and post it in the comments section. And if you're too scared to do so, shoot me an email to greg(at)gregledet(dot)net.
I'd also like to thank Stefan Fouant for an excellent class today on JUNOS Switching. I learned a lot in his class and you can learn a lot from his website. Check it out and tell him Greg sent ya!
Friday I had an interview with a large insurance company in Columbus. Actually, I had 2. I went there to interview for a firewall job and once I was done with that the recruiter pulled me into another interview for a route/switch job. In the first interview, there were 5 guys in there. 4 of them actually spoke to me and 1 just sat in a corner typing away on his laptop. I don't know why, but that made me really nervous. Now, I NEVER get nervous around people, it's just not in me to do so, but this time I got real shaken up. And it hurt me in the next interview.
I was completely honest with the people in the first interview. If I didn't know a question, I told them I didn't know the answer and how I would find the answer. In the second interview though, I drew a complete blank mind. I didn't remember simple trunking protocols, something that I should remember from my CCNA. I stumbled over many questions that they asked and most of the stuff was simple things that any CCNA should know, but my mind was clouded. I choked up, I got even more nervous, and I found out this morning that they passed on me. I was told that I wasn't strong enough to work there.
I haven't heard back from the firewall job yet and I'm hoping that something comes of it. I have been in Ohio for a year and 3 days now and I have worked for a total of 3 weeks. I guess I'm really going to have to hit the books hard and get some of this basic knowledge back to the front of my mind!
(Please read the whole thing before you get mad and click that X at the top right of the screen.)
Dear Technical Recruiter,
I would first like to thank you for contacting me about the position that you are trying to fill. I appreciate that you either found my resume on one of the web's many job sites or that I was already in your database. Before we get into your email, I would like to cover a few bases with you that I think may help you not only in this search, but in future searches as well.
First off, if we have a previous rapport, it is perfectly fine to contact me with few personal details in your email. Evidently we have spoken before and you are just passing along information for my consumption. If we have never been in contact before, I feel that a short introduction is in order. At least tell me who you are and who you represent. And no, your email signature is not good enough. It's not hard to throw in a "Hi Greg! I'm Joe Schmoe with ABC IT Services!" It's much better than "I saw your resume online. Look at this job." followed by a signature. I'm a person... try being personable.
Secondly, as a technical recruiter, it may help that you have some technical knowledge. I'm not saying that you have to know everything. All I'm saying is that some knowledge may be helpful. It really makes you look like an idiot in some of the job postings when you have no idea what you are talking about.
On that subject, let's talk about industry certifications. Learn them. They are your lifeline to the "real" world. You need to know what each certification is, where it stands in the hierarchy of that technology, and what kind of knowledge it takes to obtain each cert. Send me one more "entry-level" position that requires a CCIE and I will reply with a very rapidly spreading virus attached to my resume. Trust me when I say your virus scanner will not pick it up either. And don't think I'm joking with you. I will do it. In the world of Cisco, it goes CCENT -> CCNA -> CCNA - Speciality -> CCxP (where x = speciality) -> CCIE - Speciality. The "A" in CCNA means Associate, the "P" in CCNP means Professional, and the "E" in CCIE means EXPERT. May I suggest a quick trip to Cisco's website to brush up on those certs. It takes all of 5 minutes and makes you look a lot less like a complete idiot. Microsoft has a page like this too. So does Citrix. I could continue to link to all the sites, but I'm not going to do your job for you.
Thirdly, let's learn a little English. Now this is a VERY small percentage of you, but when I get an email that reads "I saw you resume online I like bring your attention to following contract position" I am going to assume that if you can't master the language of the country you reside in, you can't master your job and therefore I'm not going to want you as the guy that holds my future in his hands. How can I trust that you will accurately convey my experience and qualifications to the client if you can't accurately convey the job requirements to me?
Now, about the position that you have contacted me about. Before you start banging out that e-mail to me, do yourself a favor and brush up on those certs we spoke about earlier. If the job REQUIRES a CCNP and the client is not willing to accept a CCNA in place, don't bother wasting my time or your time. Also, I have to ask if the client is even sure what he needs. Is your contact with the client an HR person with no idea what he's talking about when it comes to this position or is he the IT Department head who knows what he wants and needs? If he's the HR guy, chances are he is about as informed as a house fern when it comes to technology. He wants to seem smart and impressive so he's going to say he wants that CCIE for his entry to mid level position. Someone needs to tell him about an old quote... "Tis better to keep your mouth closed and be thought a fool than open it and remove all doubt". Let the big boys handle the big jobs. You are looking for someone to manage your most important asset after your employees; your network. I understand you want the best person for the job, but please be reasonable in your requests. Someone that has undertaken the time and expense to obtain a CCIE is not going to even think about accepting your $60k per year job when he can be making $150k elsewhere.
Think/Read before you write/speak/type/forward. If the client sends you an email with the requirements for a position and in that email one of the requirements is "10 years experience with Microsoft Windows Server 2003" and it's only 2009, contact the client before forwarding me that email. You will come off like an idiot when I read that and not only will I forward it to all of my friends to show them how big of an idiot you are, I will most likely reply to you to tell you how much of an idiot you are. If you think that it is a reasonable request for someone to have 10 years experience with Server 2003, quit your job and kill yourself so you do not contaminate the gene pool any further.
Let me give you an example of an unsolicited email that I would like to see. In this example, you have already looked at my resume and have a position that I may be a fit for.
My name is Cheesy McHeadhunter with TekNetSolutions Consulting Technology Management. I came across your resume on I-Need-A-Job-So-I-Can-Buy-Beer.com and have a position that you may be a fit for. While the requirements for the job state that a CCNP is required, I believe that the client is/would be willing to accept a CCNA and someone with your experience, so please don't let that deter you from getting back with me. I believe that your resume fits what the client really needs and I'm ready to talk with you about this position. You can reach me at 212-382-5968 or my email. I hope to hear from you soon!
(signature with contact info)
How hard is that? You don't look like an idiot, you haven't offended me by treating me like just another set of alphanumeric characters in your "to" line, and it's personable and informative. Wow. You just got my attention! It's SO EASY! You have just become the guy I want working for me. I now feel comfortable with you bidding me to prospective clients and I will almost certainly pass your information along to my friends that are in the market for technical positions. You will now have a whole contact list full of qualified and talented individuals that you can easily place, you'll make better money, and you won't become the laughing stock of the talent pool.
I didn't write this letter to offend you. I wrote this to help you. I hope you take this to heart and do what you can in the future to at least TRY to change the perception that we, the talent pool, have of recruiters. To be honest, we hate dealing with you, but we know it's just a fact of life that we have to. We know you hate dealing with us too. You think of us as pretentious geeks, and that's OK. We are. Let's just try to make the best of it and make it as painless as possible for the both of us.
I have been in Ohio now since September 18, 2008. I have worked for a total of 3 weeks since being here. I've been looking for a job and sending out resumes nearly every day since then. I've had a few interviews, but nothing has really panned out. On Friday, I went in for an interview with a recruiter who had a few positions with a large enterprise client. This is surely someone you've heard of and it seems like a company that I would want to go to work for. During the interview, we spoke about what kind of hourly rate I would require to go to work. The number we discussed was $35 an hour. This is a little less than what I was making at my last job, but I'm willing to take a bit of a pay cut to get back to work. I normally charge $115 an hour for consulting, and I thought that $35 would be reasonable.
I received a phone call this morning from that same recruiter. He was getting ready to have lunch with the client today and wanted to discuss with me my asking rate. He told me that he wanted to be competitive and asked if I'd be willing to come down on that rate a little. I tried to explain to him that I would be willing to come down slightly, but at the same time, I have a resume and a salary history to think about. Not only that, but I don't feel that I should have to lowball my salary, especially with my experience, to get a 3 month contract. That's when he hit me with a bit of a bomb. He told me that he has spoken with other network engineers that would be willing to do the job for $25 per hour.
What the hell is wrong with people? This is a SENIOR position, not entry level. Why would someone be willing to belittle themselves and the industry by offering to do a job for so little? I had to explain to him that I was applying for a senior level position and not an entry level job. I'm not some kid fresh out of school with a brand new CCNA and no experience. Then he hit me with a real bombshell. An entry level engineer with a college degree and a CCNA only makes $15 per hour. That's $31,200 per year! I can't even pay my bills with $15 per hour and wouldn't be living comfortably at all with $25 per hour.
I know the economy is in the crapper folks, but as a group we need to stick together and tell these companies that our job demands a serious salary. If you go into an interview and tell someone that you're willing to work for 2/3 what everyone else makes, you need to reevaluate your position. Companies need network engineers. That need will not be going away anytime soon. If you are a senior level engineer, you need to stand up and tell them "I've worked very long to reach a level of salary that I feel I deserve and I'm not going to fall back to the kind of money that a highschool kid makes!"
I don't know about all of you, but I've busted my ass with hours of study, thousands of dollars in books, labs, tests, etc., and I've dealt with more stress than I can imagine. Yet, a UAW worker for Ford makes $55 per hour, including benefits. I promise you that a line worker for an auto company hasn't had to go through all the bullshit that I have to get certifications and make sure that he keeps up with the absolute latest in technology. An UNskilled laborer demands more money than a network engineer. WTF is wrong with that picture?
I told the recruiter to use his best judgement in shopping me to the client. I feel that my resume and experience speaks for itself. I also told him, and I was very blunt in this, that he better not screw me. If he thinks I'm going to be offended by his offer, don't bother calling me. The last recruiter I dealt with here did that and it really pissed me off. I told him I wanted $80k per year, he came back with $50k per year. I got it up to $65k, took the job, then got laid off 3 weeks later because they didn't have enough work. I'm not going to let that crap happen again.
Fellow engineers, don't take this crap from recruiters. I know times are hard and bills have to be paid, but if you hold out just a little longer, the companies are going to come full circle. They will realize that you need to be paid for what you do and what you know. Don't lowball yourself! It's not very becoming of you as a person and it will only hurt everyone else in the field that's out there looking for work.