
Tag: Cisco

Installing Cisco ASDM on Linux

Cisco’s Adaptive Security Device Manager (ASDM) is a Java-based GUI tool for managing and configuring Cisco security appliances. It runs perfectly well under Linux, but can be a little tricky to get running. Today, I’ll show you how.

I am currently running the following:

  • Fedora 22 Workstation w/ Gnome 3.16
  • Oracle Java 8 (1.8.0_45)

Adding a Security Exception

The first thing we need to do is add a security exception for the ASA. Open up the Java Control Panel with the following command:

$ /usr/java/latest/bin/ControlPanel &

Click on the Security tab and then on the Edit Site List… button.

Once the Exception Site List window opens, click on Add and type in “https://” followed by the IP of your ASA and a trailing forward-slash. If you’ve configured ASDM to be available on a different port, you’ll need to specify that. For example, if your ASA has the IP address of 192.168.10.1 and you’ve configured ASDM to be on port 4430, you’d enter the following:

https://192.168.10.1:4430/

Click OK to close the Exception Site List window, then OK again to close the Java Control Panel.

Installing ASDM

Go back to your terminal window and enter the following command, replacing <SITE_ADDRESS> with the IP address of your ASA (and the port number, if you changed it):

$ javaws https://<SITE_ADDRESS>/admin/public/asdm.jnlp

Before accepting the security warnings, check that the certificate details they show belong to your ASA (a self-signed ASA certificate will trigger the warning; an unexpected issuer or host name should stop you). Then accept them and log in to your ASA. ASDM will install itself and, if you have the Applications Menu extension turned on, you’ll find it under Java Web Start.

Team Chief’s Toolkit, Part II: Hacking Your Equipment

Okay, “hacking” may be a bit overboard for what I’m talking about here, but between the recent policies from General Dynamics and the ineptitude of the team you may be replacing, I might not be that far off.

In Part II of the Team Chief’s Toolkit, I’ll give a few recommendations for modifying your equipment and provide a few useful tips for dealing with TPE equipment.

Modify Your Switches

Any remote switch you may have (that is, a switch not mounted inside your stacks) should be locked down and hardened.

  • Enable service password-encryption. This keeps your VTY and console passwords from appearing in clear text in the config. Note that it is only type 7 obfuscation, which is trivially reversible, so use enable secret (and username … secret for local accounts) for anything that must actually be protected, and treat a copy of the config as sensitive regardless.
  • Enable SSH version 2 and disable telnet (restrict the VTY lines to transport input ssh). Cisco has a nice article on how this is done.
  • Enable port security. Each non-trunk port should see at most two MAC addresses: the IP phone and the computer attached to it. Port security is not needed on trunk ports, but set switchport nonegotiate so DTP cannot be used to negotiate a trunk from an attacker’s port (VLAN hopping), and allow only the voice, data, and management VLANs across the trunk.
  • Avoid SNMP version 2c or earlier, whose community strings travel in clear text. Use version 3 with authentication and privacy if your NETOPS will allow it.
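The four items above as one running-config fragment. This is an added example, not configuration from the original post: the hostname, domain name, VLAN numbers (10 data, 20 voice, 99 management), the NETOPS host 10.0.99.5, the 24-port layout with Fa0/24 as the uplink, and the SNMPv3 names are all assumptions, and the <…> placeholders stand in for your own secrets.

```cisco
! Added example: hardening a remote access switch (assumed 24-port, Fa0/24 uplink).
! VLANs 10 (data), 20 (voice), 99 (management) and host 10.0.99.5 are assumptions.
!
! 1. Obfuscate line passwords in the config. Type 7 is reversible, so the
!    enable and local-user passwords use 'secret' (hashed) instead.
service password-encryption
enable secret <strong-enable-password>
username admin privilege 15 secret <strong-admin-password>
!
! 2. SSH version 2 only; telnet goes away by restricting VTY transport.
!    hostname and domain-name must exist before the RSA key is generated.
hostname RMT-SW1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
! 3. Port security on every access port: one phone plus one PC.
!    If a phone's MAC is learned on both VLANs and trips 'restrict', use a
!    per-VLAN limit (switchport port-security maximum 1 vlan voice) or raise
!    the total to 3 rather than disabling port security.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
!    Uplink trunk: no DTP (nonegotiate), an unused native VLAN, and only the
!    data, voice and management VLANs allowed across. On switches that also
!    support ISL, add 'switchport trunk encapsulation dot1q' before 'mode trunk'.
vlan 999
 name UNUSED-NATIVE
interface FastEthernet0/24
 description Uplink to stack
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! 4. SNMPv3 authPriv, read-only, reachable only from the NETOPS host.
no snmp-server community public
access-list 10 permit host 10.0.99.5
snmp-server view RO-VIEW iso included
snmp-server group NETOPS v3 priv read RO-VIEW access 10
snmp-server user netops NETOPS v3 auth sha <auth-password> priv aes 128 <priv-password>
```

After applying it, confirm the result with show ip ssh (version 2 only), show port-security interface FastEthernet0/1 (maximum and violation mode), show interfaces FastEthernet0/24 trunk (no DTP, allowed VLAN list) and show snmp user; a telnet attempt to the switch should now be refused outright.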

Network Redesign: Almost Done

So, I’ve finally reached the point where I’m ready to buy equipment. I’ve settled on a Cisco 2821 router (nice ISR platform with Gigabit Ethernet ports) and an HP ProCurve switch like the 2510G-48. This will let me split up my network into a few VLANs: one for wired computers, one for VoIP (if I ever add it), one for wireless connectivity, and one for management.

By separating the network into VLANs, I can apply security features, like access control lists (ACLs), so I can do things like preventing guests on my wireless network from accessing my file server and the rest of my wired network, while still allowing them to get on the Internet.

Depending on whether I have fire-blocking in my walls, I also plan on putting a patch panel in the broom closet and installing RJ-45 jacks in the rooms that require wired access. Wireless access will be provided by a Cisco/Linksys WAP4400N wireless access point connected to the switch.

As I acquire and install equipment, I’ll post pictures, diagrams, and configurations.

Network Redesign: The Adventure Begins

Every time I head to the Middle East, it seems that I get the itch to redesign my network. This time, I’m looking to increase security, upgrade all segments to Gigabit Ethernet (or 802.11n), add a network storage device, and simplify the network at the same time.

While I’m still working on the design, I plan on purchasing a Cisco router with Gigabit Ethernet (GbE) LAN ports, a fully managed GbE switch with at least 16 ports, some kind of NAS device (currently looking at Drobos), and possibly a new 802.11n wireless access point.

I will also consolidate my servers using VMware ESX. Hopefully, I won’t need to run more than one box anymore.

Updating the IOS on a Cisco Router

The most straightforward way to update the IOS on your Cisco router is to run a TFTP server (such as Tftpd32) on a network directly connected to the router. Set up the TFTP server to serve files from the directory containing your new IOS image (C:\Users\Sean\Desktop\tftpd32.335\files in the screenshot below).

Connect to your router via telnet or console (preferred, since telnet carries the session in clear text and a dropped network session mid-copy is hard to recover from) and enter enable (privileged EXEC) mode. The following example assumes the computer running the TFTP server has the IP address 10.0.1.22 and the IOS image file used is c2600-adventerprisek9-mz.124-12.bin. Change these to suit your situation.
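An added example of the copy, verify and boot sequence on the router (not the post’s own commands, which are not part of this excerpt). It uses the TFTP server 10.0.1.22 and the image name from the post; <md5> is a placeholder for the checksum published on Cisco’s software download page, and the Router prompt is assumed.

```cisco
! Added example, not the post's own commands. Privileged EXEC on the router.
! TFTP server 10.0.1.22 and the image name are from the post; <md5> is a
! placeholder for the checksum shown on the Cisco software download page.
Router> enable
Router# show flash:
! Confirm free space exceeds the new image. If flash cannot hold both images,
! copy the old one off to the TFTP server first so you keep a rollback.
Router# copy tftp://10.0.1.22/c2600-adventerprisek9-mz.124-12.bin flash:
! Accept the default destination filename at the prompt; wait for "bytes copied".
Router# verify /md5 flash:c2600-adventerprisek9-mz.124-12.bin <md5>
! Proceed only if the output ends in "Verified". A mismatch means a corrupt or
! tampered image, and booting it can leave the router in ROMMON.
Router# configure terminal
Router(config)# no boot system
Router(config)# boot system flash:c2600-adventerprisek9-mz.124-12.bin
Router(config)# end
Router# write memory
Router# reload
! After the reload, 'show version' should report the new system image file.
! Leave the old .bin on flash until it does, so 'boot system' can point back at it.
```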

Configuring A Cisco Router with InterVLAN Routing and NAT/PAT

In this tutorial, I show how to configure a Cisco router (the model is unimportant as long as it has two FastEthernet/Ethernet interfaces) to act as an edge router, connecting multiple VLANs to the Internet via a cable or DSL modem.

Requirements

In order for this to work, you must receive your public IP address from your ISP via DHCP. If you use PPPoE or some other mechanism to connect to your ISP, then this tutorial can be a place for you to start, but that is outside the scope of this article.

I am also assuming that you will have a 24-port Cisco switch. Fewer ports are fine, so long as you change any reference to interface F0/24 to whatever your highest-numbered port is. NOTE: This probably works with other managed switches that support VLANs via 802.1q, but I have not tested this and cannot be sure.
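The setup this tutorial and the Network Redesign post describe, as one added example router configuration (not the tutorial’s own config, which is not part of this excerpt): router-on-a-stick subinterfaces for each VLAN, PAT behind the DHCP-assigned outside address, and the ACL that keeps wireless guests off the wired network and file server while still letting them reach the Internet. The interface roles (Fa0/0 to the modem, Fa0/1 trunked to switch port F0/24), the VLAN numbers (10 wired, 30 wireless guests, 99 management), the 192.168.x.0/24 addressing and the hostname are all assumptions; the switch’s F0/24 must be an 802.1Q trunk carrying those three VLANs.

```cisco
! Added example (not the tutorial's own config): edge router with three VLAN
! subinterfaces, PAT behind a DHCP-assigned outside address, and a guest ACL.
! Assumptions: Fa0/0 faces the modem, Fa0/1 trunks to switch port F0/24,
! VLAN 10 = wired, 30 = wireless guests, 99 = management, one /24 per VLAN.
hostname EDGE
ip cef
!
! Outside: address, default route and DNS servers all come from the ISP via DHCP.
interface FastEthernet0/0
 description Outside - cable/DSL modem
 ip address dhcp
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 no shutdown
!
! Inside: one physical trunk, one 802.1Q subinterface per VLAN (router-on-a-stick).
interface FastEthernet0/1
 description Inside - trunk to switch F0/24
 no ip address
 no shutdown
interface FastEthernet0/1.10
 description Wired
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.30
 description Wireless guests
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip access-group GUEST-IN in
interface FastEthernet0/1.99
 description Management
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
!
! PAT: every inside host is translated to whatever address Fa0/0 currently holds.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
 permit 192.168.99.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Guests may obtain a lease, ping their gateway and reach the Internet, but
! nothing in RFC 1918 space (wired LAN, file server, management VLAN).
! Entries are evaluated top-down, first match wins, so the permits come first.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit icmp any host 192.168.30.1 echo
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
!
! DHCP for the inside VLANs; 'import all' hands the ISP's DNS servers to clients.
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.30.1 192.168.30.9
ip dhcp pool WIRED
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 import all
ip dhcp pool GUESTS
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 import all
```

To verify: show ip interface FastEthernet0/0 shows the DHCP-learned address and show ip route the default route it installed; show ip nat translations lists active PAT entries once an inside host browses; and show access-lists GUEST-IN shows hit counts climbing on the deny lines when a guest tries to reach a 192.168.10.x address while the permit ip any any line keeps counting for Internet traffic.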