Upgrade VDSL modem firmware on a Cisco 880 Series Router

Firstly, transfer the new firmware to your router’s flash memory using TFTP. Next, enter config mode and type:

router(config)# controller vdsl 0

Then type the following command at the prompt, where YOUR_FIRMWARE is the name of the firmware file that you transferred to flash, e.g. vdsl.bin-A2pv6C035d_d23j, which is the recommended firmware for BT ADSL in the UK.

router(config-controller)# firmware filename flash:YOUR_FIRMWARE

Refs:

Cisco BT xDSL Product Bulletin

A2pv6C035d_d23j Firmware Release Notes

Restart a VPN tunnel on a Cisco ASA or PIX

To reset and restart VPN tunnels on a Cisco ASA or PIX firewall simply type:

clear crypto isakmp sa

Find out which user owns an Exchange email address using the Exchange Management Shell

In the Exchange Management Shell type the following where SEARCH_EMAIL_ADDRESS is the email address that you are looking for:

Get-Recipient -ResultSize Unlimited | Where-Object { $_.EmailAddresses -match "SEARCH_EMAIL_ADDRESS" }
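The one-liner above passes the address to -match, which treats it as a regular expression, so the dots in an address match any character and a near-miss address can be returned as well. The function below is an added example (not from the original post) that escapes the address, anchors it to the proxy-address format Exchange stores ("smtp:user@domain"), and returns only the fields you need. It assumes it is run inside the Exchange Management Shell where Get-Recipient is available; the sample address in the usage comment is constructed.

```powershell
# Added example: find the recipient that owns an e-mail address, with the
# address treated literally rather than as a regular expression.
# Assumes the Exchange Management Shell (Get-Recipient must be loaded).

function Find-RecipientByEmailAddress {
    param(
        [Parameter(Mandatory = $true)]
        [string]$EmailAddress
    )

    # -match takes a regex: the '.' in "a.b@example.com" would also match
    # "aXb@example.com". Escape the address and anchor it to a whole proxy
    # address. -match is case-insensitive, so "SMTP:" (primary) and "smtp:"
    # (secondary) addresses both match.
    $pattern = '^smtp:' + [regex]::Escape($EmailAddress) + '$'

    Get-Recipient -ResultSize Unlimited |
        Where-Object {
            # EmailAddresses is a collection of proxy address objects; compare
            # each one as a string. An array -match returns the matching
            # elements, which is empty (false) when nothing matches.
            ($_.EmailAddresses | ForEach-Object { $_.ToString() }) -match $pattern
        } |
        Select-Object Name, RecipientType, PrimarySmtpAddress
}

# Usage (constructed address; replace with the one you are looking for):
# Find-RecipientByEmailAddress -EmailAddress 'someone@example.com'
```

If nothing is returned the address is not assigned to any mail-enabled object, which is the safe answer; the regex version can report a false owner when a similar address exists.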

Allow access to DMZ or other remote Vlan over VPN tunnel on Cisco ASA 8.4

I recently needed to provide internal access to a DMZ Vlan at one of my remote sites over a VPN tunnel. The VPN tunnel was provided by 2 Cisco ASA 5505 firewalls both running ASA software versions more recent than 8.4. The LAN subnets in this example can be defined as follows:

Main Office Subnet:     10.0.10.0/24

Remote Office Subnet:     10.0.20.0/24

Remote Office DMZ Subnet:     192.168.20.0/24

This article assumes that you already have the site-to-site VPN tunnel set up between the main office (10.0.10.0/24) subnet and the remote office (10.0.20.0/24) subnet, and that you have already created a network object for your main office subnet called main-office-lan, and for your remote office subnet called remote-office-lan, on both ASAs. It also assumes that your DMZ interface on the remote ASA is called ‘dmz’, and that you have an ACL defining interesting VPN traffic called main-remote-vpn on both ASAs.

Firstly, create a network object for the remote office DMZ on both the main office and remote office ASAs. In configuration mode add the following two commands:

object network remote-office-dmz

subnet 192.168.20.0 255.255.255.0

Next, create a network object group for the two subnets at your remote site on both the main office and remote office ASAs:

object-group network remote-office-networks
network-object object remote-office-lan
network-object object remote-office-dmz

Next, on the remote office ASA, exempt traffic from the remote office DMZ subnet to the main office subnet from Network Address Translation (NAT) on the outside interface, i.e. traffic that will be travelling from 192.168.20.0/24 to 10.0.10.0/24 over the VPN tunnel. In configuration mode add the following command:

nat (dmz,outside) source static remote-office-dmz remote-office-dmz destination static main-office-lan main-office-lan

Then, on the remote office ASA, change the ACL that defines interesting traffic for your site-to-site VPN tunnel (in this case called main-remote-vpn) to include the DMZ subnet, by using the network object group that you created earlier:

access-list main-remote-vpn extended permit ip object-group remote-office-networks object main-office-lan

Next you need to modify the configuration of the main office ASA to exempt traffic travelling over the VPN tunnel to the remote office DMZ from NAT, and also add the remote office DMZ subnet (via the remote-office-networks object group) to the ACL that defines interesting traffic for your site-to-site VPN tunnel:

Modify the NAT rule on the main office ASA in config mode:

nat (inside,outside) source static main-office-lan main-office-lan destination static remote-office-networks remote-office-networks

Then modify the ACL that defines your site to site VPN traffic in config mode:

access-list main-remote-vpn extended permit ip object main-office-lan object-group remote-office-networks

That's it: you should now be able to connect to hosts in the DMZ at your remote site over your site-to-site VPN connection. If you have multiple site-to-site VPNs from your main office network you may need to tweak this config, but the theory is the same.

PLEASE NOTE: This configuration will allow hosts in the DMZ at your remote site to connect to any host in your main office network! Clearly in most cases this will not be desirable, unless the additional remote Vlan is not a DMZ and performs some other function which is not exposed directly to the Internet (which was the situation in my case). In any event you may wish to use VPN filters to restrict traffic from the remote DMZ Vlan to your main office, or disable sysopt connection permit-vpn using the no sysopt connection permit-vpn command and apply ACLs to your outside interface. Exercise caution when applying either of these types of filtering to make sure you don’t lock yourself out of the site-to-site VPN tunnel.
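The following is an added, consolidated example (not the author's running configuration) that gathers the commands from this post for both ASAs and adds the VPN filter mentioned in the note above, so that the remote DMZ can only reach the main office on one port while the main office keeps full access to the DMZ and the two LANs keep talking as before. The group-policy name, the filter ACL name, the peer address 203.0.113.20 used as the tunnel-group name, the chosen ports (443 from the DMZ inbound; 22 and 3389 outbound to the DMZ) and the optional no-proxy-arp route-lookup keywords on the NAT statements are all assumptions for the example.

```text
! ---- Remote office ASA ----
object network remote-office-dmz
 subnet 192.168.20.0 255.255.255.0
object-group network remote-office-networks
 network-object object remote-office-lan
 network-object object remote-office-dmz
! Identity NAT for DMZ -> main office; no-proxy-arp / route-lookup are optional
! but stop the ASA answering ARP for the far-end subnet (assumed, see lead-in)
nat (dmz,outside) source static remote-office-dmz remote-office-dmz destination static main-office-lan main-office-lan no-proxy-arp route-lookup
access-list main-remote-vpn extended permit ip object-group remote-office-networks object main-office-lan

! ---- Main office ASA ----
object network remote-office-dmz
 subnet 192.168.20.0 255.255.255.0
object-group network remote-office-networks
 network-object object remote-office-lan
 network-object object remote-office-dmz
nat (inside,outside) source static main-office-lan main-office-lan destination static remote-office-networks remote-office-networks no-proxy-arp route-lookup
access-list main-remote-vpn extended permit ip object main-office-lan object-group remote-office-networks

! ---- Main office ASA: VPN filter restricting what the remote DMZ may do ----
! A vpn-filter ACL is written with the REMOTE side as the source and the local
! side as the destination, and is applied to traffic in both directions. A port
! on the destination limits what the remote side may initiate; a port on the
! source limits what the local side may initiate towards the remote side.
!
! DMZ hosts may only open HTTPS to the main office
access-list REMOTE-VPN-FILTER extended permit tcp object remote-office-dmz object main-office-lan eq 443
! Main office may open SSH and RDP to DMZ hosts (port on the remote/source side)
access-list REMOTE-VPN-FILTER extended permit tcp object remote-office-dmz eq 22 object main-office-lan
access-list REMOTE-VPN-FILTER extended permit tcp object remote-office-dmz eq 3389 object main-office-lan
access-list REMOTE-VPN-FILTER extended permit icmp object remote-office-dmz object main-office-lan
! Keep the existing LAN-to-LAN traffic unrestricted so you do not cut yourself off
access-list REMOTE-VPN-FILTER extended permit ip object remote-office-lan object main-office-lan
! Everything else from the DMZ is dropped by the implicit deny at the end
group-policy REMOTE-L2L-GP internal
group-policy REMOTE-L2L-GP attributes
 vpn-filter value REMOTE-VPN-FILTER
! L2L tunnel-groups are named after the peer address (203.0.113.20 is a placeholder)
tunnel-group 203.0.113.20 general-attributes
 default-group-policy REMOTE-L2L-GP
```

Before attaching the group policy, check the filter with show access-list REMOTE-VPN-FILTER and keep a console or out-of-band session open; a mistake in the source/destination convention above silently blocks the LAN-to-LAN traffic too, which is exactly the lock-out the note warns about.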

iSCSI shares disappear after reboot on Windows

I experienced a problem the other day on one of our Windows 2003 servers where shares created on an iSCSI LUN connected to the server disappeared after the server was rebooted. By this I mean that folders that had previously been shared on this device were no longer shared, and needed to be completely reconfigured.

It turns out that this is due to the fact that the ‘iSCSI Initiator’ service has not initialised by the time that the ‘Server’ service has started, and so the drive is not yet available, and therefore the shares are not recreated on boot up. A quick google led me to a Microsoft KB article which outlines how to configure the ‘Server’ service to depend on the ‘iSCSI Initiator’ service, allowing the drive to initialise before the ‘Server’ service has started. Simply follow the KB to fix the issue.
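As an added example of the dependency change described above (this is not the KB article's own procedure and not from the original post), the function below makes the ‘Server’ service (service name LanmanServer) depend on the ‘Microsoft iSCSI Initiator’ service (service name MSiSCSI) by appending to the service's DependOnService registry value rather than replacing it, so any dependencies the service already has are kept. It assumes an elevated PowerShell session on the affected server and that a reboot follows; the -WhatIf switch lets you preview the change first.

```powershell
# Added example: add a start-order dependency between two Windows services
# without discarding the dependencies that already exist (a plain
# "sc config <svc> depend= <x>" overwrites the whole list).
# Assumes an elevated session; the change takes effect after a reboot.

function Add-ServiceDependency {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,   # e.g. LanmanServer
        [Parameter(Mandatory = $true)][string]$DependsOn,     # e.g. MSiSCSI
        [switch]$WhatIf
    )

    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $key = Join-Path $servicesRoot $ServiceName
    if (-not (Test-Path $key)) { throw "Service '$ServiceName' not found" }
    if (-not (Test-Path (Join-Path $servicesRoot $DependsOn))) {
        throw "Dependency service '$DependsOn' not found"
    }

    # DependOnService is a REG_MULTI_SZ and may be absent entirely.
    $current = @((Get-ItemProperty -Path $key -Name DependOnService `
                  -ErrorAction SilentlyContinue).DependOnService)
    $current = @($current | Where-Object { $_ })   # drop empty entries

    if ($current -contains $DependsOn) {
        Write-Host "'$ServiceName' already depends on '$DependsOn' ($($current -join ', '))"
        return $current
    }

    $new = @($current + $DependsOn)
    Write-Host "DependOnService for '$ServiceName': $($new -join ', ')"
    if (-not $WhatIf) {
        Set-ItemProperty -Path $key -Name DependOnService `
            -Value ([string[]]$new) -Type MultiString
    }
    return $new
}

# Usage: preview, then apply and reboot the server.
# Add-ServiceDependency -ServiceName LanmanServer -DependsOn MSiSCSI -WhatIf
# Add-ServiceDependency -ServiceName LanmanServer -DependsOn MSiSCSI
```

After the reboot, sc qc LanmanServer lists the dependencies and the shares on the iSCSI volume should be back without reconfiguration; if the iSCSI target is unreachable at boot the Server service will now wait on it, which is the intended trade-off.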

References:

File shares on iSCSI devices may not be re-created when you restart the computer

Deploying Java and Adobe Reader via Group Policy

Java:

Firstly download the latest Java Windows offline installer here.

Run the installer, and wait for the Welcome screen to appear. Next, navigate to the following directory, where USER_NAME is the name of the logged on user, and jre_VERSION is the name of the version of Java that you have just extracted:

C:\Users\USER_NAME\AppData\LocalLow\Sun\Java\jre_VERSION

In this folder you will find an msi file and a data.cab file. Copy the jre_VERSION folder to your network deployment point, and then add the msi file path to a new package in the software installation section of the Group Policy Object (GPO) that you wish to deploy Java to.

Adobe Reader:

Simple Method:

Download the most recent MSI file from ftp://ftp.adobe.com/pub/adobe/reader/win and deploy that to a new package in the software installation section of the GPO that you wish to deploy to e.g. AdbeRdr11000_en_US.msi. Note that Adobe only issue MSI files for the major releases e.g. 11.0.00.

Complex Method:

This method describes how to patch the MSI file of the major release outlined in the simple method to include all the latest security patches. Firstly, download the MSI file for the major release which you want to patch and place it in a folder on your computer, e.g. C:\ADOBEREADER.

Next download the .exe file for the update version which you want to patch to e.g. 11.0.01 from ftp://ftp.adobe.com/pub/adobe/reader/win and extract the contents using the following command, where _VERSION is the version number of the file you downloaded:

AdbeRdr_VERSION_en_US.exe -nos_ne

e.g. AdbeRdr1101_en_US.exe -nos_ne

This will extract the contents of the .exe file to a subfolder in the C:\ProgramData\Adobe\Setup folder. Copy the .MSP file contained in this folder to the C:\ADOBEREADER folder you created earlier. From the command prompt navigate to the C:\ADOBEREADER folder and run the following command, where MSI_VERSION is the version of the MSI file that you are updating and PATCH_VERSION is the version of the patch that you are applying:

msiexec /a AdbeRdr_MSI_VERSION_en_US.msi /p AdbeRdr_PATCH_VERSION.msp

e.g. msiexec /a AdbeRdr11000_en_US.msi /p AdbeUpd11001.msp

Click through the steps of the installer, and then click Finish. Your .msi file has now been patched.

Finally, copy your new patched msi file to your network deployment point and create a new package in the software installation section of the GPO which you wish to deploy Adobe Reader to.
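Whatever ends up in that patched package is pushed by Group Policy to every machine in scope, so it is worth checking that the MSI and MSP you downloaded are genuinely Adobe's before slipstreaming them. The script below is an added example (not from the original post or from Adobe) that verifies the Authenticode signature and signer of both files and then runs the same msiexec command as the post, failing on a non-zero exit code. The folder and file names are the ones used above; the assumption that Adobe's signing certificate subject contains "Adobe" is a simplification and you should compare against the subject you see on a known-good download.

```powershell
# Added example: verify the Authenticode signatures on the Adobe Reader MSI and
# MSP, then apply the patch to the MSI exactly as in the post. Assumes the
# files sit in C:\ADOBEREADER (names from the post); the signer check on
# "Adobe" in the certificate subject is an assumption to adjust to your copy.

function Test-AdobeSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'Adobe') {
        throw "Unexpected signer on ${Path}: $($sig.SignerCertificate.Subject)"
    }
    Write-Host "OK  $Path signed by $($sig.SignerCertificate.Subject)"
    return $true
}

function Update-AdobeReaderMsi {
    param(
        [string]$Folder = 'C:\ADOBEREADER',
        [string]$Msi    = 'AdbeRdr11000_en_US.msi',
        [string]$Msp    = 'AdbeUpd11001.msp'
    )

    $msiPath = Join-Path $Folder $Msi
    $mspPath = Join-Path $Folder $Msp

    # Refuse to build a package from anything that is not validly signed.
    Test-AdobeSignature -Path $msiPath | Out-Null
    Test-AdobeSignature -Path $mspPath | Out-Null

    # Same administrative-install-with-patch command as the post; msiexec shows
    # its UI, so click through it as described above.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/a `"$msiPath`" /p `"$mspPath`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }
    Write-Host "Patched $Msi with $Msp in $Folder"
}

# Usage:
# Update-AdobeReaderMsi
```

A Status of NotSigned or HashMismatch on either file means the download should be discarded and fetched again, not deployed; the check is cheap compared with pushing a tampered installer to every workstation.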

References:

How do I deploy Java using Active Directory across a network?

How to extract an MSI file from the EXE for Adobe Reader

Manually installing updates on VMware vSphere 5.x using esxcli

I recently had a situation where I needed to manually update a VMware vSphere 5.0 U1 host rather than using Update Manager in vCenter. To do this I performed the following steps:

Firstly, put the host into maintenance mode, by either shutting down or moving VMs off the host first, and then right clicking the host and choosing ‘Enter Maintenance Mode’.

Next, temporarily enable SSH on the host. To do this you need to start the SSH service, which can be found under ‘Configuration’, then ‘Security Profile’. Once on the ‘Security Profile’ screen, click Properties under ‘Services’.

Modify the SSH service properties under 'Security Profile'

On the Service Properties screen highlight the SSH service and click the ‘Options’ button:

Start the SSH service on your ESXi 5 host

Click ‘Start’ to start the SSH service. On the ‘Options’ screen you can also choose whether to have the SSH service start and stop automatically with the host. This may be more convenient, but is not a great idea from a security perspective, so it is better to start and stop the service manually when you need it.

Note that when the SSH service is running a warning icon will appear against your host in vCenter to alert administrators to this fact. Once SSH is running you will need to use WinSCP to upload the patch you wish to install to one of the datastores on your host. If you don’t already have it installed on your workstation, download and install WinSCP. Then log in to your host using WinSCP and create a folder on one of your datastores called ‘Patches’. Next, download the relevant patch from the VMware downloads web page, and then copy the patch to the newly created ‘Patches’ folder on your host.

Create a folder and upload patches using WinSCP

Close WinSCP, and fire up an SSH session to your host using PuTTY. Log in, and then run the following command, where YOUR_DATASTORE is the name of the datastore where you stored the patches and PATCH_NAME.zip is the name of the patch that you want to install:

esxcli software vib install -d /vmfs/volumes/YOUR_DATASTORE/Patches/PATCH_NAME.zip

PLEASE NOTE: If your host is installed using custom drivers for either your storage controller or network cards you need to use the ‘update’ command rather than the ‘install’ command to prevent your custom drivers being overwritten. Failure to do this may temporarily cause you problems on your first reboot after installing the patch. On the second reboot of your host the patch will be uninstalled and the host will revert to your originally installed VMware version. For more info see here. This was relevant in my case as I was using a custom install of ESXi 5.0 U1 with an Adaptec 6805E RAID card.

esxcli software vib update -d /vmfs/volumes/YOUR_DATASTORE/Patches/PATCH_NAME.zip

Here is a screenshot of the update process before:

Running the esxcli software vib update command

And after. Note that using the update command will show you which VIBs have been updated, which have been removed, and which have been skipped:

Patch installation result

Once the patch is installed, simply issue the reboot command to reboot the host:

reboot

Once your host has rebooted verify the new version number in vCenter. Your update is complete.

References:

esxcli software command reference