Thursday, February 28, 2008

Remotely manage Windows systems from the command line

It seems like nearly every operating system has a lot of hidden tools; little gems that, if you know about them, make your life a lot easier by solving problems or helping you work more efficiently. Anyone who has attended one of my seminars knows I'm all about centralizing system management and working as efficiently as possible. In this blog post, I'm going to show you a group of Windows tools that do just that.

You're probably aware of Mark Russinovich's work in creating great tools to help manage Windows systems. You may not be aware, however, of his PsTools suite. This collection of command-line tools allows you to perform many functions on remote systems from your command line. They're lightweight, they're very easy to install on your system, they don't require any installation on the remote system, and they work very well. Here's a list of the tools and what they do (taken from the PsTools webpage):

  • PsExec - execute processes remotely
  • PsFile - shows files opened remotely
  • PsGetSid - display the SID of a computer or a user
  • PsInfo - list information about a system
  • PsKill - kill processes by name or process ID
  • PsList - list detailed information about processes
  • PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
  • PsLogList - dump event log records
  • PsPasswd - changes account passwords
  • PsService - view and control services
  • PsShutdown - shuts down and optionally reboots a computer
  • PsSuspend - suspends processes

The name "Ps" comes from the UNIX/Linux "ps" command that lists running processes.

This collection of tools falls under the heading of, "What took me so long to find these?" Download them here.

I'll bet you find them helpful!

Tuesday, February 26, 2008

We're bringing accelerated Cisco training to Denver and Phoenix

We just added new dates for our Cisco router fundamentals seminar and our Cisco ASA security appliance seminar for Denver and Phoenix in June. I'm excited about bringing our unique accelerated training format to new cities and hope to see you in one of our seminars soon. Registration is now open. Details online, of course.

Tuesday, February 19, 2008

We just added new Cisco training dates in Portland, Oregon

We just added two new dates for Cisco training in Portland, Oregon. We're presenting our Cisco Router Training: 2-Day Hands-On Fundamentals Workshop on May 8 and 9 and our two-day Cisco ASA / PIX Firewall Training: Installing, Configuring, Optimizing, and Troubleshooting on May 15 and 16. Registration is now available online. We're also working on bringing these two seminars to Denver and Phoenix. We should have details worked out in about two weeks. Check back here or sign up for my free newsletter and I'll be sure to let you know.

Monday, February 18, 2008

The Acronym Addict's Guide to PPTP VPNs Using Static NAT on a Cisco Router

Acronym addicts are bound to love this one. You really can't talk about Virtual Private Networks (VPN) without opening a can of alphabet soup.

Recently, a student at one of our seminars asked about port forwarding on a router. She wanted to allow PPTP clients to connect from the outside to a VPN server on the inside. In this article, I’ll explain how to do it along with a quick look at using static NAT to forward packets to a web server.

Port Forwarding on a Cisco Router

Sometimes we have internal resources that need to be Internet-accessible such as Web servers, mail servers, or VPN servers. Generally, I recommend isolating those resources in a DMZ to protect your office LAN from the bad guys, but regardless of how you choose to design it, the process involves forwarding desired packets from the router’s outside interface to an internal host. It’s really a fairly simple process. Here’s the configuration on a Cisco 2611 router:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any

In the above configuration, Ethernet 0/1 is connected to the public Internet with a static address of 12.1.2.3 and Ethernet 0/0 is connected to the inside network with a static address of 192.168.101.1. NAT outside is configured on E0/1 and NAT inside is configured on E0/0. Access-list 101 works in conjunction with the “ip nat inside source list 101 interface Ethernet0/1 overload” statement to permit all inside hosts to use E0/1 to connect to the Internet, sharing whatever IP address is assigned to interface E0/1.

The “overload” keyword implements PAT (Port Address Translation), which makes that possible. (PAT allows multiple internal hosts to share a single address on an external interface by giving each connection its own source port on that shared address.)

The statement “ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723” takes incoming port 1723 (PPTP) requests on Ethernet0/1 and forwards them to the VPN server located at 192.168.101.2.

You could do something similar with a Web server by changing port 1723 to port 80 or port 443. Here’s what that would look like:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any

In this example, the web server is located at 192.168.101.2 and instead of forwarding PPTP (port 1723) traffic, we’re forwarding HTTP (port 80) traffic.

Obviously, you can configure your Cisco router in a similar manner to forward nearly any type of traffic from an outside interface to an internal host.
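Once a router carries more than a couple of these static forwards it is easy to lose track of exactly which inside hosts are exposed. The script below is an added example (it is not from the original post and not a Cisco tool): it parses the interface blocks and the “ip nat inside source static” lines from a running-config fragment, lists each forward as outside port → inside host and port, and flags two common mistakes, a forward that names an interface not marked “ip nat outside” and a forward to a host that is not on any “ip nat inside” subnet. The sample config is the one from this post plus one deliberately wrong forward (to 10.0.0.5, a constructed address) so the check has something to report. The port-name table is a convenience for the report only; note that PPTP also needs GRE (IP protocol 47) for its tunnel traffic, so TCP 1723 alone is just the control channel.

```python
"""Audit static NAT port forwards in a Cisco IOS config fragment.

Added example, not code from the original post. Parses interface blocks and
'ip nat inside source static' lines and checks each forward for consistency.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the router config from the post, plus one extra forward
# to 10.0.0.5 (constructed) that is not behind the inside interface.
SAMPLE_CONFIG = """\
interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
ip nat inside source static tcp 10.0.0.5 443 interface Ethernet0/1 443
!
access-list 101 permit ip any any
"""

# Port labels for the report only. PPTP data runs over GRE (protocol 47);
# TCP 1723 is just the control channel.
SERVICE_NAMES = {80: "HTTP", 443: "HTTPS", 1723: "PPTP control (GRE also required)"}

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)


@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    nat_role: Optional[str] = None  # "inside", "outside" or None


@dataclass
class Forward:
    proto: str
    inside_ip: ipaddress.IPv4Address
    inside_port: int
    outside_if: str
    outside_port: int


def parse_config(text: str) -> Tuple[Dict[str, Interface], List[Forward]]:
    """Collect interface blocks and static port forwards from IOS config text."""
    interfaces: Dict[str, Interface] = {}
    forwards: List[Forward] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":  # '!' closes the current interface block
            current = None
            continue
        m = STATIC_RE.match(line)
        if m:  # global command, independent of any interface block
            proto, ip, iport, oif, oport = m.groups()
            forwards.append(Forward(proto, ipaddress.IPv4Address(ip),
                                    int(iport), oif, int(oport)))
        elif line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
        elif current is not None and line.startswith("ip address "):
            _, _, addr, mask = line.split()  # "ip address A.B.C.D MASK"
            current.network = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif current is not None and line in ("ip nat inside", "ip nat outside"):
            current.nat_role = line.rsplit(None, 1)[1]
    return interfaces, forwards


def audit(interfaces, forwards):
    """Return (forward, issues) pairs; an empty issue list means consistent."""
    inside_nets = [i.network for i in interfaces.values()
                   if i.nat_role == "inside" and i.network is not None]
    findings = []
    for f in forwards:
        issues = []
        oif = interfaces.get(f.outside_if)
        if oif is None:
            issues.append(f"outside interface {f.outside_if} is not defined")
        elif oif.nat_role != "outside":
            issues.append(f"{f.outside_if} is not marked 'ip nat outside'")
        if not any(f.inside_ip in net for net in inside_nets):
            issues.append(f"{f.inside_ip} is not on any 'ip nat inside' subnet")
        findings.append((f, issues))
    return findings


def report(findings):
    """One human-readable line per forward: exposed port -> inside target."""
    lines = []
    for f, issues in findings:
        svc = SERVICE_NAMES.get(f.outside_port, "unknown service")
        status = "OK" if not issues else "; ".join(issues)
        lines.append(f"{f.outside_if}:{f.outside_port}/{f.proto} ({svc}) -> "
                     f"{f.inside_ip}:{f.inside_port}  [{status}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(*parse_config(SAMPLE_CONFIG)))))
```

Run it against “show running-config” output saved to a file (replace SAMPLE_CONFIG with the file contents) to get an inventory of every service the router exposes from its outside interface, which is the list you want to compare against what you actually intended to publish.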

Wednesday, February 6, 2008

Virtualizing Cisco routers

For years, I've wanted a tool that would do for routers what VMWare does for computers. Sure, there are some really great simulators available such as the Sybex CCNA Virtual Lab (which I used to renew my CCNA), but a simulator is not the same as a router. A simulator is a great learning tool because of its structured labs, but it doesn't support the entire IOS command set and it doesn't allow you to connect to real or virtual PCs and networks.

Recently, I ran across Dynamips and Dynagen. These two open-source tools work together to allow you to virtualize routers in much the same way that VMWare, VirtualPC, and similar tools allow you to virtualize computers. Dynamips is the back end that does the actual emulation, and Dynagen is the front end that provides easy-to-use management tools for Dynamips. There is a GUI called GNS3, but I tend to prefer command-line configuration of Cisco devices. Windows users can download a complete package that includes Dynamips, Dynagen, WinPCap, sample labs, and a tutorial. Linux/UNIX users have several download options as well. Support is provided through tutorials and a forum. The tutorial is excellent and reasonably easy to follow. When running under Windows, WinPCap allows you to integrate the virtual router with physical networks and devices. I actually used my virtual router to perform classroom demos today in our Cisco router seminar while fully integrating with the classroom network.

There are some limitations: By default, the tool uses 100% of your CPU, but a configuration guide explains how to avoid that. The tool also seems to exhibit some instability when changing interface parameters, but that could be a result of my unfamiliarity with it. It doesn't support the entire line of Cisco routers; just 7200s, 3700s, 3600s, and 2600s. Some documentation suggests that it also supports 1700s. I have also read forum postings by people who use it with PIX software images (one more thing to try!). You do have to provide your own IOS software image. All in all, I'm quite impressed with it...so much so that I wanted to share this information with you right away. Hope you find it helpful.