Monday, December 22, 2008

Understanding Linux (System V) Run Levels

On Linux systems, the run level controls what starts or stops at boot time. Run level directories contain links to scripts that start and stop daemons (services). Run level 0 shuts everything down. Run level 6 is used when a restart is requested. Run level 1 is typically used for emergency repairs such as administrative (root) password recovery. The other run levels (usually 2, 3, 4, and 5) can be configured to start and stop daemons based on your particular needs. It's pretty common to use only one of the run levels other than 0, 1, and 6.

The number of run levels varies from distro to distro, as do the default settings in each run level. What follows is an example of the default configurations for run levels in a system running a Red Hat-based distribution:

  • runlevel0: Shut down the system. Do not set the inittab value to runlevel0.
  • runlevel1: Single-user mode
  • runlevel2: Multi-user mode, but no NFS support
  • runlevel3: Multi-user mode without “X” (the most commonly used run level and usually the best choice for servers)
  • runlevel4: Not used
  • runlevel5: Full multi-user mode with X11 (graphics support) (Good for end-user workstations, but not recommended for servers.)
  • runlevel6: Reboot (Do not set the inittab value to runlevel6.)

A Debian-based system also has seven run levels. Run levels 0, 1, and 6 are the same as in a Red Hat-based system. Run levels two through five are identical, but can be configured in whatever way you desire. The default configuration boots the system into run level two, which is configured as full multi-user mode with graphics (X Windows).

You can view the current run level with this command:
# runlevel

The display will indicate the current and previous run level, separated by a space.

You can change the current run level with this command:
# init [desired run level]
or
# telinit [desired run level]

Controlling Run Levels

Change the default run level by modifying /etc/inittab. Look for a line near the top of the file similar to this:

id:3:initdefault:

The number in the line is the default run level. You can modify it with your favorite text editor to whatever value you want, obviously avoiding 0, 1, and 6.

Control daemons (services) at boot time by modifying scripts within “rc” directories.

  • In Red Hat Linux, they’re in the /etc/rc.d directory
  • In SuSE Linux, they’re in /etc/init.d/rc
  • In Debian Linux, they’re in /etc

There is an “rc” directory that corresponds to each run level. For example, rc3.d corresponds to run level 3. Look for the directory corresponding to the run level you wish to modify. Within that directory, you’ll find links to scripts for each of the services on the system. Each link name starts with an “S” or a “K”. Links whose names start with “S” start the indicated daemon when the system enters the directory’s run level. Links whose names start with “K” kill (stop) the indicated daemon when the system enters that run level. (Scripts in an rc directory are executed in alphabetical, then numerical order, so the K links are processed before the S links.)

You’ll also notice scripts in /etc/rc.d called rc, rc.local, and rc.sysinit. The rc script is responsible for starting and stopping services when runlevels change, rc.sysinit runs once at boot time before all other rc scripts, and rc.local runs after all the other init scripts. You can put your own initialization scripts in rc.local instead of working through the System V runlevels.
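
As an added illustration (my own Python, not code from the post), here is a sketch of two of the checks described above: the order in which the rc script works through the K and S links of an rcN.d directory, and reading the initdefault run level out of /etc/inittab. The directory listing and inittab text are constructed for the example.

```python
import os
import re
from typing import List, Tuple

# Constructed listing of an rc3.d directory for this example (not taken from a real host).
SAMPLE_RC3_LINKS = ["S55sshd", "K35smb", "README", "S10network", "K05saslauthd", "S99local", "S90crond"]

# K or S, a two-digit sequence number, then the service name.
LINK_RE = re.compile(r"^([KS])(\d\d)(.+)$")


def rc_order(link_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (action, service, link) in the order the System V rc script handles an
    rcN.d directory when entering that run level: every K (kill) link first, then every
    S (start) link, each group ordered by its two-digit sequence number. Names that do
    not fit the K/Snn pattern (README, editor backups) are skipped, as rc skips them."""
    entries = []
    for name in link_names:
        m = LINK_RE.match(name)
        if m:
            kind, seq, service = m.groups()
            entries.append((kind, int(seq), service, name))
    ordered = sorted(e for e in entries if e[0] == "K") + sorted(e for e in entries if e[0] == "S")
    return [("stop" if kind == "K" else "start", service, name) for kind, _, service, name in ordered]


def rc_order_from_dir(rc_dir: str) -> List[Tuple[str, str, str]]:
    """Same thing for a real directory such as /etc/rc.d/rc3.d."""
    return rc_order(os.listdir(rc_dir))


def default_runlevel(inittab_text: str) -> int:
    """Return the run level from the initdefault line of /etc/inittab ('id:3:initdefault:').
    Comment and blank lines are ignored; a missing entry raises ValueError."""
    for raw in inittab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "initdefault" and fields[1].isdigit():
            return int(fields[1])
    raise ValueError("no initdefault entry found")


def is_safe_default(level: int) -> bool:
    """The rule from the post: never set initdefault to 0 (halt), 1 (single user) or 6 (reboot)."""
    return level not in (0, 1, 6)


if __name__ == "__main__":
    for action, service, link in rc_order(SAMPLE_RC3_LINKS):
        print(f"{action:5} {service:12} ({link})")
    print("default run level:", default_runlevel("id:3:initdefault:\n"))
```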

Thursday, November 13, 2008

Verifying hashes

This is another one of the things that falls under the category of "What took me so long?". When you download files from the Internet, most sites will provide a hash of some sort, often MD5, which you can use to check the validity of the file you downloaded. You probably know it's a way of ensuring the bad guys didn't mess with the file in some way. I've always wanted a simple way of verifying the files without having to go to the command line and, thanks to www.joomla.org, I've found it. It's a Windows Explorer extension that adds a tab to file properties windows. The tab displays the hashes associated with a file. There's a field where you can paste in the hash from the website where you downloaded the file and the extension compares the two. Very quick and extremely easy. It's called HashTab Shell extension and you can download it for free at http://beeblebrox.org/hashtab/. Be sure to pay VERY close attention to the license agreement. :)
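
For readers who do want the command-line version, here is an added Python example (mine, not part of the post or of HashTab) of the same check: it pulls the digest out of whatever was copied from the download page, picks the algorithm from the digest length, and compares in constant time. The sample inputs in the usage are constructed.

```python
import hashlib
import hmac
import re

# Hex digest length -> algorithm. Download sites usually publish one of these four.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Longest form first so a SHA-256 digest is not cut down to its first 32 characters.
HEX_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{128}|[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)


def parse_published_hash(text: str) -> str:
    """Extract the digest from a bare hex string, an md5sum-style '<hex>  filename' line,
    or a 'SHA256: <hex>' label. Returns lowercase hex, raises ValueError if none is found."""
    m = HEX_RE.search(text)
    if not m:
        raise ValueError("no MD5/SHA-1/SHA-256/SHA-512 hex digest found in input")
    return m.group(1).lower()


def digest_bytes(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download (an ISO) is not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(data: bytes, published: str):
    """Return (algorithm, matched). The algorithm is inferred from the digest length and the
    comparison uses hmac.compare_digest so it does not leak where the strings diverge."""
    expected = parse_published_hash(published)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    return algo, hmac.compare_digest(digest_bytes(data, algo), expected)


def verify_file(path: str, published: str):
    """Same check for a downloaded file on disk."""
    expected = parse_published_hash(published)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    return algo, hmac.compare_digest(digest_file(path, algo), expected)


if __name__ == "__main__":
    # Constructed sample: the published line a site might show next to a download.
    print(verify_bytes(b"hello", "5d41402abc4b2a76b9719d911017c592  hello.txt"))
```

A matching hash proves the file you have is the file the hash describes; when the hash is served from the same site as the download, anyone able to replace one can replace the other, so a hash obtained over a separate channel (or a signature) is the stronger check.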

Saturday, September 6, 2008

Understanding the Basics of Ethernet

Ethernet was developed at Xerox's Palo Alto Research Center (PARC) by Robert Metcalfe and David Boggs with Chuck Thacker and Butler Lampson in the early 1970s. Xerox filed a patent application for Ethernet in 1975. Today, Ethernet is based on IEEE standard 802.3 (Institute of Electrical and Electronics Engineers). Metcalfe left Xerox in 1979 and founded 3Com to promote local area networks and personal computers. He persuaded Digital Equipment Corporation (DEC) and Intel to work together with Xerox to promote the DIX (Digital/Intel/Xerox) Ethernet standard. Ethernet is named for the invisible, massless substance that 19th century scientists believed filled the universe. Ethernet was originally based on the same rules as those for polite conversation: each computer wanting to transmit data waits until there's a lull in network traffic before attempting to transmit its data. That technology was called CSMA/CD, for Carrier Sense Multiple Access Collision Detection, and used coaxial cables as a transmission medium. Today, Ethernet uses full duplex transmission over unshielded twisted pair copper cables or fiber optic cables with a system of hubs and/or switches.

Ethernet operates at layer two of the OSI reference model. Layer two, also known as the Data Link Layer, is subdivided into the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. Ethernet nodes use a globally-unique 48-bit address called the MAC address to communicate within a network. Datagrams at layer two are called frames. The frame structure used by modern Ethernet is the same as that used by earlier coaxial-cabled Ethernet networks, thus providing a level of backwards compatibility. The original Ethernet operated at a speed of three megabits per second. Today, typical transmission rates for Ethernet are 10 Mbps, 100 Mbps, and 1000 Mbps (Gigabit Ethernet). 10,000 Mbps (10 Gigabit Ethernet) is now starting to emerge. Faster data rates are always under development.

Ethernet Cable Standards

  • 10-Base-2, also known as thinnet, uses coaxial cable, is limited to 10 Mbps, and a maximum segment length of 185 meters. 10-Base-2 is falling into disuse due to the lower cost and greater simplicity associated with UTP (unshielded twisted pair) cabling.
  • 10-Base-5, also known as thicknet, uses coaxial cable, is limited to 10 Mbps, and a maximum segment length of 500 meters. 10-Base-5 is rarely seen anymore.
  • 10-Base-T uses unshielded twisted pair (UTP) cable over a maximum of 100 meters (328 feet) at a data rate of 10 Mbps. 10-Base-T uses only two of the four wire pairs in the cable.
  • 10-Base-FL uses fiber optic lines up to 2000 meters with a maximum data rate of 10 Mbps.
  • 100-Base-TX uses UTP cable over a maximum segment length of 100 meters with a maximum data rate of 100 Mbps. 100-Base-TX also uses only two of the four wire pairs in the cable.
  • 100-Base-FX uses fiber optic cable over a maximum segment length of 2000 meters with a maximum data rate of 100 Mbps.
  • 1000-Base-FX uses fiber optic cable over a maximum segment length of 2000 meters with a maximum data rate of 1000 Mbps (one gigabit per second).
  • 1000-Base-TX uses UTP cable over a maximum segment length of 100 meters with a maximum data rate of 1000 Mbps (one gigabit per second). Unlike 100-Base-TX, 1000-Base-TX uses all four wire pairs in the cable.

Copper Cable Categories

Although there are a total of nine categories of unshielded twisted pair (UTP) copper cable, there are really only three that you're likely to encounter in your local area network. The others are either obsolete or designed for use in backbone networks. The three categories are:

  • Category 5e: Provides performance of up to 100 MHz, and is frequently used for both 100 Mbit/s and Gigabit Ethernet networks.
  • Category 6: Provides performance of up to 250 MHz, more than double category 5 and 5e.
  • Category 6a: Provides performance of up to 500 MHz, double that of category 6 and is even suitable for 10 Gigabit Ethernet networks.

What should you use in your network?

Build your networks with the fastest cable you can afford. Your bandwidth demands will increase over time and retro-fitting your cable plant is disruptive, time-consuming, and expensive.

Wednesday, July 9, 2008

Email, RFCs, and the Growth of Knowledge

When I first started technical training, I was intimidated by the sheer volume of knowledge in the field of Information Technology. I remember thinking, "How can I possibly stay ahead of the students in my seminars?". I began to realize that it's not a matter of staying ahead of the students, but instead an issue of providing information in a particular area or areas that the student didn't already have. That said, I'm still amazed when I run across a new bit of information that I think I should have already known about. That just happened with RFC 2142: Mailbox Names for Common Services, Roles, and Functions. An email I sent was rejected by rfc-ignorant.org, an organization that was new to me. They provide a blacklist of domains that are non-RFC compliant. It appears that they're mainly concerned with RFC 2142 compliance. RFC 2142, as its name implies, specifies standard email names for common services, roles, and functions within an organization. Specifically, it wants you to have a postmaster@(your domain name) and an abuse@(your domain name) mailbox. (It recommends other names as well, but those two appear to be the ones that rfc-ignorant.org wants to see in your domain.) We actually do have those names now, but when our system was originally set up, the mail administrator (no longer with us) didn't include those names. We'd been blacklisted for some time. It's a simple process to get removed. Just send an email to the admin and rfc-ignorant.org indicating that you've created the appropriate mailboxes, they'll send emails to the addresses in question, you click a link in the emails, and you're done. As a network administrator and an I.T. trainer, I'm always a little concerned about what else there is that I don't know.

Saturday, June 28, 2008

TinyMCE Editor Width in Joomla

Wow, I can't believe it's been so long since I wrote anything here. I've been incredibly busy with some really interesting stuff. One of the things I'm working on is a redesign of the soundtraining.net website. It's going to be based on Joomla 1.5. If you have anything to do with website design and you're not familiar with Joomla, you need to get to know it. The website is www.joomla.org. It's an incredibly powerful content management system and it's going to allow us to offer you some really cool stuff on our website. But that's not what I wanted to write about. One of the challenges I've been dealing with is the width of the TinyMCE text editor. Problem is that it has been intruding into the right column and I couldn't figure out how to change it. Turns out the issue was with the toolbar not wrapping. I found this hack which seems to be working. In template.css, I added the following code at the end of the file:

.mceToolbarTop * {
float:left;
}

.mceToolbarTop select {
width:auto!important;
}

.mceToolbarTop option {
float:none;
}

Like I said, so far it seems to be working and I thought maybe some other people could use that info. I found the hack on a Drupal site, but it looks like it works just fine in Joomla. Check back in a few weeks and see if I'm still enthusiastic about it!

Wednesday, April 30, 2008

How to Create and Manage Cisco ASA and PIX Access-Control Lists

Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs are based on various criteria including protocol type, source IP address, destination IP address, source port number, and/or destination port number. ACLs can be used to filter traffic for various purposes including security, monitoring, route selection, and network address translation.

ACLs are comprised of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL. ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted mask used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be an extended list.

The syntax of an ACE is relatively straightforward:

asa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] [level]] [interval seconds]] [time-range name] [inactive]

Here's an example:

asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443. Notice in the output of the show access-list command that line numbers are displayed and the extended parameter is also included, even though neither was included in the configuration statements.

You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.

As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.

Editing ACLs and ACEs

New ACEs are appended to the end of the ACL. If you want, however, to insert the new ACE at a particular location within the ACL, you can add the line number parameter to the ACE:

asa(config)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www
asa(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

Notice in the first line of the example above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is added in the first position in the ACL and the former first entry becomes line number two.

You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:

asa04(config)# no access-list demo1 deny tcp host 10.1.0.2 any eq www
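
To make the rules in this post concrete, here is an added Python model (mine, not code from the post or from Cisco) of the ACL behaviour described above: first match wins, an implicit deny at the end, insertion by line number with renumbering, removal by repeating the ACE, and the inactive keyword. build_demo1 replays the page's demo1 commands; the show output format mirrors the page's, and the inactive marker in that output is my own addition.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port numbers the ASA displays by name in "show access-list" output (both appear on the page).
PORT_NAMES = {80: "www", 443: "https"}


def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """ASA address syntax: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (a real subnet mask,
    not the inverted wildcard mask a router ACL would use)."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)


def fmt_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp" or "ip" (ip matches any protocol)
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None: any destination port
    inactive: bool = False           # the "inactive" keyword: kept in the ACL, never matched

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.inactive:
            return False
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if ipaddress.IPv4Address(src) not in self.source:
            return False
        if ipaddress.IPv4Address(dst) not in self.destination:
            return False
        return self.dst_port is None or self.dst_port == dport

    def text(self) -> str:
        s = f"{self.action} {self.protocol} {fmt_addr(self.source)} {fmt_addr(self.destination)}"
        if self.dst_port is not None:
            s += f" eq {PORT_NAMES.get(self.dst_port, self.dst_port)}"
        return s + (" inactive" if self.inactive else "")


class Acl:
    """A named, extended ACL: ordered ACEs, first match wins, implicit deny at the end."""

    def __init__(self, name: str):
        self.name = name
        self.aces: List[Ace] = []

    def add(self, ace: Ace, line: Optional[int] = None) -> None:
        # No line number: append. With one: insert there; later entries are renumbered,
        # which is what the "line 1" example on the page shows.
        if line is None:
            self.aces.append(ace)
        else:
            self.aces.insert(line - 1, ace)

    def remove(self, ace: Ace) -> bool:
        # "no access-list <name> <ace>": drop the first ACE whose fields match exactly.
        for i, existing in enumerate(self.aces):
            if existing == ace:
                del self.aces[i]
                return True
        return False

    def show(self) -> List[str]:
        lines = [f"access-list {self.name}; {len(self.aces)} elements"]
        for n, ace in enumerate(self.aces, start=1):
            lines.append(f"access-list {self.name} line {n} extended {ace.text()}")
        return lines

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int]) -> Tuple[str, Optional[int]]:
        """Return (action, matching line number); ("deny", None) is the implicit deny."""
        for n, ace in enumerate(self.aces, start=1):
            if ace.matches(proto, src, dst, dport):
                return ace.action, n
        return "deny", None


def build_demo1() -> Acl:
    """Replay the page's demo1 sequence: two appended permits, then a deny inserted at line 1."""
    acl = Acl("demo1")
    acl.add(Ace("permit", "tcp", parse_addr("10.1.0.0 255.255.255.0"), parse_addr("any"), 80))
    acl.add(Ace("permit", "tcp", parse_addr("10.1.0.0 255.255.255.0"), parse_addr("any"), 443))
    acl.add(Ace("deny", "tcp", parse_addr("host 10.1.0.2"), parse_addr("any"), 80), line=1)
    return acl


if __name__ == "__main__":
    print("\n".join(build_demo1().show()))
```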

In my next post, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.

Wednesday, April 23, 2008

We're heading to California with Cisco training

We've just added California dates for our Cisco Router Training and Cisco ASA Training seminars.

Here are the Cisco router training dates for California:

  • Sacramento: July 22/23
  • San Francisco: July 24/25
  • Los Angeles (Buena Park/Anaheim area): September 15/16
  • Los Angeles (LAX area): September 17/18

Here are the Cisco ASA training dates for California:

  • Sacramento: August 25/26
  • San Francisco: August 27/28
  • Los Angeles (Buena Park/Anaheim area): October 14/15
  • Los Angeles (LAX area): October 16/17

Registration is now open at www.soundtraining.net.

See you in class in California!

Friday, April 18, 2008

A Free SCP Utility

I just ran across a very cool, open-source SCP/SFTP utility called WinSCP. I have a business hosting account with 1and1 which includes SSH access. This utility allows me to configure my SSH credentials and then use a Windows Explorer or Norton Commander style of interface to move files back and forth. Very cool. Had to share it with you. Download it here. Let me know what you think.

Wednesday, April 16, 2008

Eight Basic Commands to Configure a Cisco ASA Security Appliance

Note: This post has been updated to reflect changes in NAT/PAT configuration. View the updated post here. There is also a video demonstrating this process using the newer commands here.

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:

interface
The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces.

nameif
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

security-level
Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

ip address
The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise, it's not necessary. In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

switchport access
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

nat
The nat command enables network address translation on the specified interface for the specified subnet. In this sample configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT I.D., which will be used by the global command to associate a global address or pool with the inside addresses. (Note: NAT 0 is used to prevent the specified group of addresses from being translated.)
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

global
The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world. In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface.
ciscoasa(config)# global (outside) 1 12.3.4.5

In this additional example of the use of the "global" command, the interface statement tells the firewall that hosts associated with NAT I.D. 1 will use the DHCP-assigned global address on the outside interface.
ciscoasa(config)# global (outside) 1 interface

route
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets. In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.
ciscoasa(config-if)# route outside 0 0 12.3.4.6

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts. Obviously, if you're using a device such as an ASA or a PIX, you'll probably be doing a lot more with it than simply setting up a basic firewall, but the above commands will provide a foundation for the more complex configurations.

For more step-by-step guides on the ASA, please check out my book The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide, available on Amazon.com, Barnes and Noble, and other channels.

Based on the two-day workshop Cisco ASA Training: Two-Day Hands-On Workshop from soundtraining.net (http://www.soundtraining.net/cisco-asa-training-101).

Monday, March 3, 2008

Configure NAT Using Port Address Translation in 4 Steps on a Cisco Router

Network Address Translation, better known simply as NAT, allows an outside address to represent a single or many inside addresses. There are several forms of NAT, but one of the most common is called NAT overloading, Port Address Translation, or simply PAT. PAT provides a many-to-one mapping with many inside private addresses mapped to one outside public address. We often see PAT used in home firewalls and routers to allow several home computers and perhaps a gaming console to use private addresses such as 192.168.1.1-100 and share a single registered public address on the Internet. The process is made possible by appending different port numbers to the source and destination addresses to create a unique connection. Given that there are more than 65,000 port numbers, you'll likely run out of bandwidth or system resources long before running out of translation slots!

Here are the four steps to configuring Port Address Translation. (Note: each step starts in configuration mode, "config t".)

1. Configure NAT on your inside interface:

    int e0/0
    ip nat inside

2. Configure NAT on your outside interface:

    int e0/1
    ip nat outside

3. Configure an access control list to allow the inside traffic to use NAT:

    access-list 101 permit ip any any

4. Enable NAT overloading (PAT) on the outside interface:

    ip nat inside source list 101 interface e0/1 overload

In this example, the "ip nat inside" and "ip nat outside" statements are used to tell the router which interface is considered inside and which interface is considered outside for the purpose of NAT. Interface Ethernet 0/0 is inside and Interface Ethernet 0/1 is outside. Your interfaces will probably be different; for example, your router might have f0/0 or gigabit 0/1.

The access control list statement tells the router to permit all IP traffic to flow from any source to any destination. The number (101) is simply an ID that must match the number used in the "ip nat" statement. (Note that, in this case, the number must fall between 100 and 199 inclusive.)

The "ip nat inside source list" statement tells the router which access control list to use to know the traffic to permit (access-list 101), the interface on which NAT will be performed (interface ethernet 0/1) and the form of NAT to perform (overload).

This configuration will allow any host on the inside subnet to share the outside interface for the purpose of going on the Internet. There is no restriction as to the type of traffic, nor are there any restricted hosts. Obviously, this configuration would only be acceptable in a small office or home type of network. Even then, you might want to limit hosts' access to the Internet by creating a more restrictive access control list.

Thursday, February 28, 2008

Remotely manage Windows systems from the command line

It seems like nearly every operating system has a lot of hidden tools; little gems that, if you know about them, make your life a lot easier by solving problems or helping your work more efficiently. Anyone who has attended one of my seminars knows I'm all about centralizing system management and working as efficiently as possible. In this blog post, I'm going to show you a group of Windows tools that do just that.

You're probably aware of Mark Russinovich's work in creating great tools to help manage Windows systems. You may not be aware, however, of his PsTools suite. This collection of command-line tools allows you to perform many functions on remote systems from your command line. They're lightweight, they're very easy to install on your system, they don't require any installation on the remote system, and they work very well. Here's a list of the tools and what they do (taken from the PsTools webpage):

  • PsExec - execute processes remotely
  • PsFile - shows files opened remotely
  • PsGetSid - display the SID of a computer or a user
  • PsInfo - list information about a system
  • PsKill - kill processes by name or process ID
  • PsList - list detailed information about processes
  • PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
  • PsLogList - dump event log records
  • PsPasswd - changes account passwords
  • PsService - view and control services
  • PsShutdown - shuts down and optionally reboots a computer
  • PsSuspend - suspends processes

The name "Ps" comes from the UNIX/Linux "ps" command that lists running processes.

This collection of tools falls under the heading of, "What took me so long to find these?" Download them here.

I'll bet you find them helpful!

Tuesday, February 26, 2008

We're bringing accelerated Cisco training to Denver and Phoenix

We just added new dates for our Cisco router fundamentals seminar and our Cisco ASA security appliance seminar for Denver and Phoenix in June. I'm excited about bringing our unique accelerated training format to new cities and hope to see you in one of our seminars soon. Registration is now open. Details online, of course.

Tuesday, February 19, 2008

We just added new Cisco training dates in Portland, Oregon

We just added two new dates for Cisco training in Portland, Oregon. We're presenting our Cisco Router Training: 2-Day Hands-On Fundamentals Workshop on May 8 and 9 and our two-day Cisco ASA / PIX Firewall Training: Installing, Configuring, Optimizing, and Troubleshooting on May 15 and 16. Registration is now available online. We're also working on bringing these two seminars to Denver and Phoenix. We should have details worked out in about two weeks. Check back here or sign up for my free newsletter and I'll be sure to let you know.

Monday, February 18, 2008

The Acronym Addict's Guide to PPTP VPNs Using Static NAT on a Cisco Router

Acronym addicts are bound to love this one. You really can't talk about Virtual Private Networks (VPN) without opening a can of alphabet soup.

Recently, a student at one of our seminars asked about port forwarding on a router. She wanted to allow PPTP clients to connect from the outside to a VPN server on the inside. In this article, I’ll explain how to do it along with a quick look at using static NAT to forward packets to a web server.

Port Forwarding on a Cisco Router

Sometimes we have internal resources that need to be Internet-accessible such as Web servers, mail servers, or VPN servers. Generally, I recommend isolating those resources in a DMZ to protect your office LAN from the bad guys, but regardless of how you choose to design it, the process involves forwarding desired packets from the router’s outside interface to an internal host. It’s really a fairly simple process. Here’s the configuration on a Cisco 2611 router:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any

In the above configuration, Ethernet 0/1 is connected to the public Internet with a static address of 12.1.2.3 and Ethernet 0/0 is connected to the inside network with a static address of 192.168.101.1. NAT outside is configured on E0/1 and NAT inside is configured on E0/0. Access-list 101 works in conjunction with the “ip nat inside source list 101 interface Ethernet0/1 overload” statement to permit all inside hosts to use E0/1 to connect to the Internet, sharing whatever IP address is assigned to interface Ethernet0/1.

The “overload” statement implements PAT (Port Address Translation), which makes that possible. (PAT allows multiple internal hosts to share a single address on an external interface by appending different port numbers to each connection.)

The statement “ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723” takes incoming port 1723 (PPTP) requests on Ethernet0/1 and forwards them to the VPN server located at 192.168.101.2.

You could do something similar with a Web server by changing port 1723 to port 80 or port 443. Here’s what that would look like:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any

In this example, the web server is located at 192.168.101.2 and instead of forwarding PPTP (port 1723) traffic, we’re forwarding HTTP (port 80) traffic.

You can configure your Cisco router in a similar manner to forward nearly any type of traffic from an outside interface to an internal host. Remember, though, that a static mapping exposes that internal host to every address on the Internet and that NAT by itself is not a firewall: pair each forwarded port with an inbound access list on the outside interface that permits only that port to that host, and forward nothing the service does not actually need.
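As an added example (not from the original post), here is the same web-server forwarding with the two changes a security review would ask for: a NAT source list limited to the inside subnet, and an inbound access list on the outside interface so that only the forwarded port reaches the internal host. The addresses and interface names are the post's; the access-list name, the inspection rule name and the assumption of an IOS image with the firewall feature set (needed for “ip inspect”) are mine.

```cisco
! Added example: hardened version of the port-forwarding configuration above.
! Assumes an IOS image with the firewall feature set (required for "ip inspect").
!
! Stateful inspection of traffic leaving the outside interface. CBAC records
! each outbound session and opens a temporary entry in OUTSIDE-IN for its
! replies, so the static ACL below needs neither "established" nor UDP guesses.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface Ethernet0/1
 description Public Internet
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
!
interface Ethernet0/0
 description Office LAN
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
! Weak setting from the original post, kept here for comparison:
!   access-list 101 permit ip any any
! Corrected: only the inside subnet is eligible for translation.
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
ip nat inside source list 101 interface Ethernet0/1 overload
!
! Static mapping exactly as in the post: TCP/80 on the public address
! is forwarded to the web server at 192.168.101.2.
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
! Inbound filter on the outside interface. For outside-to-inside traffic IOS
! evaluates the inbound ACL before NAT, so the permit matches the public
! address 12.1.2.3, not the server's inside address.
ip access-list extended OUTSIDE-IN
 remark Packets claiming to come from our own LAN cannot be legitimate
 deny   ip 192.168.101.0 0.0.0.255 any log
 remark The one forwarded service
 permit tcp any host 12.1.2.3 eq 80
 remark Replies to outbound sessions are admitted dynamically by CBAC;
 remark everything else is dropped and logged
 deny   ip any any log
```

After applying it, “show ip nat translations” lists the static entry plus the active PAT sessions, “show ip inspect sessions” shows the outbound sessions CBAC is tracking, and “show access-lists OUTSIDE-IN” shows hit counts, including the final deny, which is the quickest way to see what the Internet is knocking on. From an outside host, a port scan of 12.1.2.3 should now answer on TCP/80 only. Ping from the LAN will be blocked unless you also inspect icmp (“ip inspect name OUTBOUND icmp”) on a release that supports it.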

Wednesday, February 6, 2008

Virtualizing Cisco routers

For years, I've wanted a tool that would do for routers what VMWare does for computers. Sure, there are some really great simulators available such as the Sybex CCNA Virtual Lab (which I used to renew my CCNA), but a simulator is not the same as a router. A simulator is a great learning tool because of its structured labs, but it doesn't support the entire IOS command set and it doesn't allow you to connect to real or virtual PCs and networks.
Recently, I ran across Dynamips and Dynagen. These two open-source tools work together to allow you to virtualize routers in much the same way that VMWare, VirtualPC, and similar tools allow you to virtualize computers. Dynamips is the backend that does the actual emulation and Dynagen is the front-end that provides easy-to-use management tools for Dynamips. There is a GUI called GNS3, but I tend to prefer command-line configuration of Cisco devices. Windows users can download a complete package that includes Dynamips, Dynagen, WinPCap, sample labs, and a tutorial. Linux/UNIX users have several download options as well. Support is provided through tutorials and a forum. The tutorial is excellent and reasonably easy to follow. When running under Windows, WinPCap allows you to integrate the virtual router with physical networks and devices. I actually used my virtual router to perform classroom demos today in our Cisco router seminar while fully integrating with the classroom network.
There are some limitations: By default, the tool uses 100% of your CPU, but a configuration guide explains how to avoid that. The tool also seems to exhibit some instability when changing interface parameters, but that could be a result of my newness with it. It doesn't support the entire line of Cisco routers; just 7200s, 3700s, 3600s, and 2600s. Some documentation suggests that it also supports 1700s. I have also read forum postings by people who use it with PIX software images (one more thing to try!). You do have to provide your own IOS software image. All in all, I'm quite impressed with it...so much so that I wanted to share this information with you right away. Hope you find it helpful.

Wednesday, January 30, 2008

Delighting Your Users: Providing Responsive Customer Service

This is from an article I wrote that was published in the Nov/Dec 2007 issue of HDI Support World. I hope you enjoy it. (You can download a PDF of it here.)

Users tell us that it’s important for us to be responsive. How do you get your users to say you’re responsive to their needs?

This is about your willingness to respond to customer needs by answering their phone or e-mail requests quickly, and your willingness to do what it takes to respond effectively to a service request. Responsiveness is adopting a can-do attitude, and a willingness to go the extra mile for the customer. Recent research studies support the theory that soft skills (such as listening, empathy, courtesy, and creating rapport) are more important than technical skills in the career advancement of any employee. This is especially true in the support industry, where most managers have realized that they must hire people who have a good attitude or approach to serving customers plus an aptitude for technical knowledge, and that the rest can be taught. A positive attitude is the first step in building good soft skills.

You have control over your attitude. Just like you can choose what clothes to wear in the morning, you can also choose what attitude to assume every day. You can choose to see the glass as half-full, or half-empty. Your approach, or attitude, toward life is a self-fulfilling prophecy. If your attitude is “Everyone has something to offer me!” then you will interpret everything that happens to you as an interesting journey. On the other hand, if you approach your job and your life in a less than positive way, every bump in the road will seem like a huge obstacle. How do you answer your phone? Do you answer it promptly? Can the caller understand you or do you rush through your greeting? Are you pleasant and does your tone of voice convey a positive start to the call? How do you answer e-mails? Do you reply promptly? Do you convey in your e-mail responses that you really want to help your user? Do you understand the meaning of all the words you use? For those of you who provide support in a second language, make sure you’re using the user’s language correctly. Ask someone who speaks it natively to review your e-mail responses and give you feedback.

Look in the mirror. Often, the solution to our problems lies within ourselves. Several months ago, I faced some of the usual challenges of life on the road. Things usually go very well for me and on those rare occasions when things “hiccup,” they’re usually minor. This particular week, however, I dealt with a major problem that had the potential to cause a major disruption in my business. Now, as I look back on what happened, I’m beginning to see the entire situation with new clarity. I made several mistakes.

The first mistake was in making assumptions about what a vendor would do. I could have spent more time at their Web site and learned more about their policies and procedures. Instead, I spent a brief time skimming over their services and made assumptions about how to order a particular service and whether it was the right service for me.

The second mistake I made was in not contacting this vendor earlier to discuss how best to use their services (and whether they were even the right vendor for this job).

The third mistake I made was in trying to deal with this vendor while I was hurrying to catch a train. In other words, I was in a state of stress which undoubtedly came through in my voice (even though I don’t think I was rude, demanding, or abusive). As I dealt with this vendor in trying to resolve several problems, I received brusque (almost rude) customer service. I don’t believe there is ever a reason to treat any customer in a manner that is anything other than cheerful, pleasant, respectful, and empathetic, but I wonder if there were subtle messages that I was sending that caused me to receive less than exemplary customer service.

As I look back at my experiences with other people, I also need to look in the mirror. Am I doing everything I can to have a positive effect on everyone I meet? Have I gone out of my way to touch people in a positive way? When the world doesn’t go my way, do I take a moment to stop and regroup or do I complain to everyone around me so they can feel bad, too? I know I can’t control other people, but I certainly can control how I appear when they look in my direction.

So, what are the lessons I learned and how do they relate to you as a tech support pro?

Lesson one

Start early. When you have plenty of time, you’re more relaxed and things just seem to go better. Arrive at your desk early. Give yourself fifteen or twenty minutes before your shift starts to gather your thoughts and organize your workspace. Then later, when the day starts to get frantic, you’ll find you’re more in control of things.

Lesson two

Do enough research. As a tech support person, do you subscribe to news feeds and blogs about the products you support? Do you spend time each day reading articles and books related to the products you support? Have you set up a virtual lab using VMWare, VirtualPC, or Xen so you can experiment and test your solutions before you offer them to your users? Knowledge is power and the more knowledge you have, the more you’ll be empowered to delight your users with relevant, accurate solutions.

Lesson three

Focus on the task at hand instead of multi-tasking (Millennials really can multi-task, but GenXers, Boomers, and Veterans really can’t). This means, when your user calls needing help, you focus exclusively on them and nothing else. (And, for you Gen Y’ers, I know you really can multi-task, but don’t let your users know you’re doing it while you’re talking to them!)

Lesson four

When the world is crashing around you, before you do anything else, look in the mirror. Maybe you can’t control the rest of the world, but you are in complete control over how you view the world and what’s happening in it. As a support professional, take a moment to ask yourself the following questions:

  1. Do I put myself in the user’s shoes?
  2. Do I take ownership of a problem and see it through to completion?
  3. Am I willing to help both users and co-workers?
  4. Do I consciously assume a positive outlook with my users and co-workers?
  5. Am I respectful and courteous to the user?
  6. Do I treat everyone with respect and courtesy?
  7. Do I speak and conduct myself confidently with users?

If you answered yes to at least five, you are on the right track to creating a positive position from which to serve your users for the best results. If you answered yes to fewer than five, your attitude might be keeping you from doing your best to create the proper environment for success in your job.

Your users’ perception of your responsiveness starts with their perception of you. Your attitude, your demeanor, your tone-of-voice, and the words you choose all play a part in how you are perceived. You have it within your power to create users who perceive you to be responsive to their needs; to care about them as people first and co-workers second.

Wednesday, January 9, 2008

IT Project Management: 3 Keys to Success

I hope your holidays were good and that your new year is off to a good start.

One of the ways we can ensure a good start to the year is by effectively managing our projects. As IT professionals, our work is all about projects. From managing software upgrades to deploying new hardware, our lives are often one project after another. I asked Paul Senness, one of our project management trainers, to identify the three keys to successful project management. Here is his response:

  1. Clearly identify the project's goal. There's a better than 50% chance that, without proper definition, the project will fail. To revive an old quote, "You can't get there if you don't know where you're going." This is the critical phase where you get everyone on board: the team, the project sponsor, and your boss.
  2. Have a well thought-out plan, anticipating every contingency. Airline pilots are trained to anticipate every possible fault and problem. The idea is, through training, to make them so familiar with every contingency that even emergencies seem routine. Give a great amount of thought to what could go wrong in your project so that murphies are merely annoyances and not disasters.
  3. Have the discipline to execute around the project's plan. During the execution phase of any project, there will be opportunities to veer off track. Sometimes, such side ventures may actually help accomplish the project's goal(s) and should be taken. Other times they can distract you from meeting the project's goals. A great project manager knows the difference. You must never lose sight of the goal(s), but you must also be flexible enough to make changes and adjustments as needed or when opportunities present themselves.

As you might expect, I would add a fourth key to successful project management and that's to attend our upcoming two-day project management seminar: How to Herd Cats: Secrets of Successful IT Project Management. It's coming up in just under two weeks in Seattle on January 22 and 23. Class size is small, the instruction is as good as it gets, and your "take away" is a new set of skills and tools to help you really take control of your projects.
Registration is open now at http://www.soundtraining.net/onlinestore/categories/category62.html or give us a call at 206.988.5858. Enroll three or more and save 12%.

Friday, January 4, 2008

Second Life, SalesForce.com, and our small business

It seems like this blog is a bunch of miscellaneous ramblings about everything from info systems to customer service. That's the nice thing (or bad thing, depending on your perspective) about blogging and Web 2...there's no editor making decisions about what you can and cannot publish. At any rate, I've been thinking a lot about soundtraining.net and our business model lately. Business has been very good and all indications are that it will continue to be good, but I wonder if the somewhat traditional model we use for both promoting our training services and delivering same is the best model for us to use. We've been exploring Second Life (my SL name is Don Baroque and Janet's is Tenaj Baroque), we're about to invest heavily in a CRM application (we're considering everything from Microsoft's CRM solution to SalesForce.com to open source solutions such as SugarCRM and vtiger CRM) with the idea of further engaging our customers in the relationship with soundtraining.net. We'll soon be adding live reviews to each course page on our website. My point is not to ramble on and on about all the cool things we're doing, but instead to say we're actively pursuing new ways of running our business and interacting with our customers. As a small business competing with some very large businesses (and even some not-for-profit organizations), one of our challenges is how to differentiate ourselves from our competitors in positive ways that are meaningful to our customers. Do Web 2 things like blogs and customer reviews really make a difference for this type of business? Is Second Life an important way for us to invest our time and money in terms of growing our business? I don't have many answers to questions like these, but we're certainly trying to figure it out. I'll share my thoughts as we go through the process. I'd also love to hear your thoughts.

IIS 6.0, ISO files, and MIME types

I'm using a classroom Web server more and more to deliver things to students during seminars. I chose IIS 6.0 for no particular reason other than I was teaching a Windows class at the time. (As you may know, I have no particular loyalty to any operating system...they are, after all, just operating systems.) Anyway, I recently wanted to serve .iso files to students (CD-ROM images) for a particular class. I copied them into the server root, but when I tried to use either a browser or wget to retrieve them, I kept getting 404 errors. It turns out that IIS 6.0 will not serve a file whose extension has no registered MIME type; the 404 is deliberate, not a sign that the file is missing. It was a simple matter to fix. In the Internet Information Services (IIS) Manager console in W2K3, right-click the server name and choose Properties. Click the MIME Types button, enter .iso for the extension and "application/octet-stream" for the MIME type. Restart IIS and you're rockin'. Resist the temptation to register a wildcard (*) mapping instead: the restriction is a hardening default, and a per-extension entry keeps the server handing out only the file types you have explicitly approved. Hope this helps you. Oh, and here's the KB article at MS: http://support.microsoft.com/Default.aspx?id=326965