Upgrade VDSL modem firmware on a Cisco 880 Series Router

First, transfer the new firmware to the router's flash memory using TFTP and check its MD5 hash against the value Cisco publishes for the file before you point the controller at it. Next enter config mode and type:

router(config)# controller vdsl 0

Then type the following command at the prompt, where YOUR_FIRMWARE is the name of the firmware file that you transferred to flash, e.g. vdsl.bin-A2pv6C035d_d23j, which is the firmware Cisco recommends for BT xDSL lines in the UK (see the product bulletin in the references). The new image takes effect once the VDSL controller is reset or the router is reloaded, so expect the DSL line to drop briefly.

router(config-controller)# firmware filename flash:YOUR_FIRMWARE
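The whole procedure as a single console session, added here as an example rather than taken from the original post. The TFTP server address 10.0.10.5 is an assumption, and the placeholder <md5-from-cisco> stands for the MD5 value shown on the Cisco download page for the file.

```text
! Added example. Assumed: TFTP server 10.0.10.5, file vdsl.bin-A2pv6C035d_d23j,
! <md5-from-cisco> = the MD5 published on the Cisco download page for the file.
router# copy tftp://10.0.10.5/vdsl.bin-A2pv6C035d_d23j flash:
! Stop here unless the hash matches: this is the only integrity check in the
! procedure, and the modem image runs on the router's DSL line card.
router# verify /md5 flash:vdsl.bin-A2pv6C035d_d23j <md5-from-cisco>
router# configure terminal
router(config)# controller vdsl 0
router(config-controller)# firmware filename flash:vdsl.bin-A2pv6C035d_d23j
! The new image is picked up when the controller initialises. Bouncing the
! controller drops the DSL line for a minute or two; a reload also works.
router(config-controller)# shutdown
router(config-controller)# no shutdown
router(config-controller)# end
router# write memory
! Confirm the modem reports the new firmware version and has retrained:
router# show controllers vdsl 0
```

If `verify /md5` reports a mismatch, delete the file from flash and fetch it again from the vendor source rather than applying it.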

Refs:

Cisco BT xDSL Product Bulletin

A2pv6C035d_d23j Firmware Release Notes

 


Allow access to DMZ or other remote Vlan over VPN tunnel on Cisco ASA 8.4

I recently needed to provide internal access to a DMZ Vlan at one of my remote sites over a VPN tunnel. The VPN tunnel was provided by 2 Cisco ASA 5505 firewalls both running ASA software versions more recent than 8.4. The LAN subnets in this example can be defined as follows:

Main Office Subnet:     10.0.10.0/24

Remote Office Subnet:     10.0.20.0/24

Remote Office DMZ Subnet:     192.168.20.0/24

This article assumes that you already have the site to site VPN tunnel set up between the main office (10.0.10.0/24) subnet and the remote office (10.0.20.0/24) subnet, and that you have already created a network object for your main office subnet called main-office-lan, and for your remote office subnet called remote-office-lan, on both ASAs. It also assumes that your DMZ interface on the remote ASA is called 'dmz', and that you have an ACL defining interesting VPN traffic called main-remote-vpn on both ASAs. The NAT syntax below is the 8.3+ (twice NAT) syntax, so it applies to 8.4 and later.

First, create a network object for the remote office DMZ on both the main office and remote office ASAs. In configuration mode add the following two commands:

object network remote-office-dmz

subnet 192.168.20.0 255.255.255.0

Next, create a network object group containing the two subnets at your remote site, again on both the main office and remote office ASAs:

object-group network remote-office-networks
network-object object remote-office-lan
network-object object remote-office-dmz

Next, on the remote office ASA, exempt traffic from the remote office DMZ subnet to the main office subnet from Network Address Translation (NAT) on the outside interface, i.e. traffic travelling from 192.168.20.0/24 to 10.0.10.0/24 over the VPN tunnel. This is an identity twice-NAT rule: source and destination are each translated to themselves, so packets enter the tunnel with their real addresses and match the crypto ACL instead of being caught by any dynamic PAT rule for Internet traffic. In configuration mode add the following command:

nat (dmz,outside) source static remote-office-dmz remote-office-dmz destination static main-office-lan main-office-lan

Then, on the remote office ASA, change the ACL that defines interesting traffic for your site to site VPN tunnel (in this case called main-remote-vpn) to include the DMZ subnet, by using the network object group that you created earlier. Replace the existing entry for remote-office-lan rather than leaving both, so that the crypto ACL has a single, unambiguous set of proxy identities:

access-list main-remote-vpn extended permit ip object-group remote-office-networks object main-office-lan

Next you need to modify the configuration of the main office ASA to exempt traffic travelling over the VPN tunnel to the remote office DMZ from NAT, and also add the remote office DMZ subnet to the ACL that defines interesting traffic for your site to site VPN tunnel. In both cases the remote-office-networks group takes the place of remote-office-lan in the existing entries:

Modify the NAT rule on the main office ASA in config mode:

nat (inside,outside) source static main-office-lan main-office-lan destination static remote-office-networks remote-office-networks

Then modify the ACL that defines your site to site VPN traffic in config mode:

access-list main-remote-vpn extended permit ip object main-office-lan object-group remote-office-networks

That's it: you should now be able to connect to hosts in the DMZ at your remote site over your site to site VPN connection. Two checks are worth making first. The two crypto ACLs must mirror each other exactly (the DMZ subnet gets its own security association pair), otherwise phase 2 fails for the new subnet; and because the crypto ACLs changed, clear the IPsec SA to the peer on one side so that both ASAs negotiate the new proxy identities instead of carrying on with the old ones. If you have multiple site to site VPNs from your main office network you may need to tweak this config, but the theory is the same.

PLEASE NOTE: This configuration will allow hosts in the DMZ at your remote site to connect to any host in your main office network, because the crypto ACL permits ip in both directions and, by default, sysopt connection permit-vpn lets decrypted VPN traffic bypass the outside interface ACL. Clearly in most cases this will not be desirable, unless the additional remote Vlan is not a DMZ and performs some other function, which is not exposed directly to the Internet (which was the situation in my case). In any event you may wish to use VPN filters to restrict traffic from the remote DMZ Vlan to your main office (a vpn-filter ACL applied through the group policy of the tunnel group; for a site to site tunnel the ACL's source is the remote network and its destination the local network, and the one ACL is applied to traffic in both directions), or disable sysopt connection permit-vpn using the no sysopt connection permit-vpn command and apply ACLs to your outside interface. Exercise caution when applying either of these types of filtering: both deny anything you do not explicitly permit, so make sure you don't cut off the existing LAN-to-LAN traffic or your own management access over the site to site VPN tunnel.
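The complete set of commands for both ASAs described above, together with a vpn-filter on the main office ASA that narrows what the remote DMZ may initiate, as an added example that is not part of the original post. The peer address 203.0.113.2, the group policy name main-remote-gp, the filter ACL name vpn-filter-remote, and the services the main office is allowed to reach in the DMZ (TCP 22 and 443) are assumptions for illustration; the object names come from the post.

```text
! ---- Remote office ASA (interfaces: inside, dmz, outside) ----
! Added example; object names from the post, everything else assumed.
object network remote-office-dmz
 subnet 192.168.20.0 255.255.255.0
object-group network remote-office-networks
 network-object object remote-office-lan
 network-object object remote-office-dmz
! Identity twice-NAT so DMZ -> main office traffic keeps its real addresses.
! no-proxy-arp / route-lookup (8.4(2)+) stop the ASA answering ARP for the
! mapped subnet and make it pick the egress interface from the routing table.
nat (dmz,outside) source static remote-office-dmz remote-office-dmz destination static main-office-lan main-office-lan no-proxy-arp route-lookup
! Crypto ACL: both remote subnets are interesting traffic.
access-list main-remote-vpn extended permit ip object-group remote-office-networks object main-office-lan

! ---- Main office ASA (interfaces: inside, outside) ----
object network remote-office-dmz
 subnet 192.168.20.0 255.255.255.0
object-group network remote-office-networks
 network-object object remote-office-lan
 network-object object remote-office-dmz
nat (inside,outside) source static main-office-lan main-office-lan destination static remote-office-networks remote-office-networks no-proxy-arp route-lookup
access-list main-remote-vpn extended permit ip object main-office-lan object-group remote-office-networks
!
! vpn-filter. For a site-to-site tunnel the ACL source is always the REMOTE
! side and the destination the LOCAL side, and the one ACL is checked for
! both directions. A port on the source (remote) side therefore describes a
! connection the main office opens TOWARDS the remote service; a port on the
! destination (local) side would describe a connection the remote network
! opens towards a local service. Anything not permitted is dropped, so the
! existing LAN-to-LAN traffic must be permitted explicitly.
access-list vpn-filter-remote extended permit ip object remote-office-lan object main-office-lan
access-list vpn-filter-remote extended permit tcp object remote-office-dmz eq 22 object main-office-lan
access-list vpn-filter-remote extended permit tcp object remote-office-dmz eq 443 object main-office-lan
! ping in either direction, for troubleshooting (assumed acceptable here)
access-list vpn-filter-remote extended permit icmp object remote-office-dmz object main-office-lan
group-policy main-remote-gp internal
group-policy main-remote-gp attributes
 vpn-filter value vpn-filter-remote
! attach it to the existing site-to-site tunnel group for the peer
tunnel-group 203.0.113.2 general-attributes
 default-group-policy main-remote-gp
!
! The crypto ACL changed: clear the SA so both peers renegotiate with the new
! proxy identities (the DMZ subnet gets its own SA pair).
clear crypto ipsec sa peer 203.0.113.2
! Verify (tunnel up). A DMZ host opening an arbitrary port towards the main
! office should be dropped by the vpn-filter, while a main office host
! reaching the DMZ on 443 should be allowed:
packet-tracer input outside tcp 192.168.20.10 40000 10.0.10.10 445
packet-tracer input inside tcp 10.0.10.10 40000 192.168.20.10 443
show crypto ipsec sa peer 203.0.113.2
```

Keep the `permit ip object remote-office-lan object main-office-lan` line at the top of the filter: without it the filter also silences the original LAN-to-LAN tunnel, including any management session you are using over it.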

show dsl int replacement command for Cisco 880 series routers

On a Cisco 880 series ADSL/VDSL router the familiar ADSL command:

show dsl int

is not available, because the multi-mode xDSL line is presented as a VDSL controller rather than a DSL interface, and running it returns an error. The replacement, which shows the modem status, line rates and modem firmware version, is:

show controllers vdsl 0

Apply a Group Policy to a Specific Operating System

During our Windows 7 rollout it was necessary to apply some specific registry settings to the new Windows 7 machines without affecting the legacy Windows XP clients. This can easily be done by creating a WMI filter in the Group Policy Management Console and applying it to the relevant GPO.

To do this simply fire up gpmc.msc and click on the ‘WMI Filters’ section under the domain you want to create the group policy object (GPO) in.

WMI Filter section in GPMC

Right click the ‘WMI Filters’ section and choose ‘New’. Give the filter a name. Click on ‘Add’ and type the following to create a filter for Windows 7:

select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

Adding a WMI filter for Windows 7

Finally, you need to apply this filter to the GPO that you want to use. In this example a GPO called ‘Windows 7 GPO’ has been created. Highlight the GPO in the Group Policy Management Console, and then under the ‘Scope’ tab, apply the WMI filter you created, by selecting it from the drop down list in the ‘WMI Filtering’ section as shown below:

Applying a WMI Filter to a GPO

You can target the following operating systems in the same way by adjusting the query in the WMI filter. The queries match on the Version string and ProductType of the Win32_OperatingSystem class, and must use straight double quotes:

Windows XP (5.2 with ProductType 1 is Windows XP Professional x64 Edition):

select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1"

Windows Vista:

select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "1"

Windows 7:

select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

Windows Server 2003:

select * from Win32_OperatingSystem where Version like "5.2%" and ProductType = "3"

Windows Server 2008:

select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "3"

Windows Server 2008 R2:

select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "3"

You can use the 'ProductType' part of the query to specify whether the operating system is a client, a member server, or a domain controller:

ProductType = "1" is a client

ProductType = "2" is a server operating as a domain controller

ProductType = "3" is a member server, i.e. not operating as a domain controller

Note that the server queries above, with ProductType = "3", deliberately exclude domain controllers; to cover both kinds of server use (ProductType = "2" or ProductType = "3"). A WMI filter that evaluates to no rows on a machine causes that machine to skip the GPO entirely, so check the query on a representative client before linking it to a policy.