
What is NAT? It stands for Network Address Translation. It means that we can have a public IP outside the Cisco firewall, and the firewall will route traffic addressed to it inside to the internal address we select. Of course, because it’s a firewall, we also need to tell the ASA5505 what traffic to allow through to the inside address. The decision on what to allow through is based on which port the traffic arrives on.

This is all very easy to do on consumer-grade hardware, but it’s difficult to do on the ASA5505 using the Cisco ASDM. I’m going to go through the steps I went through to set up NAT and port forwarding using the ASDM software.

First, setting up NAT

  1. Use the ASDM software to log into your device.
  2. Click “Configuration” at the top, then “NAT” on the left.
  3. Click “Add,” then select “Add Static NAT Rule…”
  4. Under “Real Address” type the destination, or internal address. For example: “192.168.10.111”
  5. Change Netmask to: “255.255.255.255”
  6. Under “Static Translation,” change the Interface to: “outside.”
  7. Enter the outside, routable IP which you want to use to access the device from outside the firewall.
  8. Click “OK.”
  9. Click “Apply.”

Allowing traffic through the firewall, or Port Forwarding

Now all packets which are allowed through the firewall and are addressed to the outside IP address we just named will be delivered to the internal IP address. So, to use our internal IP address as a server, we need to open the firewall to allow traffic to come to this device.

  1. Click “Security Policy” on the left.
  2. First, we are going to define the services we want to let through. Click the “Services” tab in the right pane.
  3. You’ll see a list of pre-defined services. This is helpful (especially http and https), but there are probably services you’ll use that aren’t listed here.
    • Fileshares:
      Click “Add,” then TCP-UDP Service Group
      Type in a “Group Name” such as “fileshare.”
      Check the “Port #” radio button.
      Type in “137” to “139” and click the “Add >>” button.
      Next type in “445” to “445” and click the “Add >>” button.
    • Remote Desktop:
      Click “Add,” then TCP-UDP Service Group
      Type in a “Group Name” such as “remotedesktop.”
      Check the “Port #” radio button.
      Type in “3389” to “3389” and click the “Add >>” button.
    • SQL Connections
      Click “Add,” then TCP Service Group
      Type in a “Group Name” such as “sql.”
      Check the “Port #” radio button.
      Type in “3306” to “3306” and click the “Add >>” button.
  4. Next, we want to define groups of IP addresses that are allowed to access different services. For our setup, we have a few subnets that are all allowed access to all services, but you might want to restrict more. You should create a group for each security level.
    • Click the “Addresses Tab.”
    • Click “Add” and select “Network Object Group…”
    • Choose a group name, for example: “office.”
    • Add the subnets you wish to allow. You probably want outside-network/24, which is the subnet of the unit’s external interface. Click that and click “Add >>”
    • Enter new subnets by typing in the IP address as: “xxx.xxx.xxx.0”, for example: “172.25.204.0”, and setting the Netmask to: “255.255.255.0”. This will allow 172.25.204.1 through 172.25.204.254. Click “Add >>”
      When you are done, Click “OK.”
  5. Now to define which networks are allowed on which services.
    • Click “Security Policy” on the left and then in the center pane, click “Add.”
    • Change the Interface dropdown to “Outside” and make sure Direction says: “incoming.”
    • Under Source, change Type to “Network Object Group,” then select the group name we set previously.
    • Under Destination, click the “…” button by IP address, and select the outside, world-routable IP address of the device you wish to allow access to.
    • Change the Protocol dropdown to “tcp.”
    • Leave Source Port as “any.”
    • Under Destination Port, select the “Group” radio button.
    • In the dropdown, select the service group we previously defined.
    • Click OK.
    • Click “Apply.”
    • Now to save and reload the box, click ‘Tools/System reload’
    • Select ‘Save the running configuration at time of reload’
    • Click ‘Schedule Reload’
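The NAT rule and the firewall policy from the two procedures above, written as the ASA command-line configuration that those ASDM clicks produce. This is an added example, not configuration from the original post. It assumes the pre-8.3 ASA syntax (the release line whose ASDM has “Add Static NAT Rule” and “Security Policy”, where the inbound access list names the translated outside address), the placeholder outside address 203.0.113.10 on an outside network of 203.0.113.0/24, and the access-list name outside_access_in; the internal address, the 172.25.204.0/24 subnet, the group names and the ports are the ones used in the steps above.

```cisco
! Static NAT: the routable outside address maps one-to-one to the internal server
! (ASDM: Configuration > NAT > Add Static NAT Rule, netmask 255.255.255.255)
static (inside,outside) 203.0.113.10 192.168.10.111 netmask 255.255.255.255

! Service groups from the "Services" tab
object-group service fileshare tcp-udp
 port-object range 137 139
 port-object eq 445
object-group service remotedesktop tcp-udp
 port-object eq 3389
object-group service sql tcp
 port-object eq 3306

! Network object group "office" from the "Addresses" tab
! (203.0.113.0/24 stands in for outside-network/24; a placeholder value)
object-group network office
 network-object 203.0.113.0 255.255.255.0
 network-object 172.25.204.0 255.255.255.0

! Inbound rules on the outside interface: only the office group, only to the
! NATed host (not "any"), only the grouped TCP ports
access-list outside_access_in extended permit tcp object-group office host 203.0.113.10 object-group fileshare
access-list outside_access_in extended permit tcp object-group office host 203.0.113.10 object-group remotedesktop
access-list outside_access_in extended permit tcp object-group office host 203.0.113.10 object-group sql

! Interface "outside", direction "incoming"
access-group outside_access_in in interface outside
```

Each permit line pins down all three things the ASDM rule asks for: who (the source group), where (the single NATed host rather than any address) and which ports (the service group). After “Apply”, `show access-list outside_access_in` prints a hit counter per line, which is the quickest way to confirm a rule is actually matching traffic rather than being shadowed by an earlier entry. On ASA 8.3 and later the NAT statement is written as an `object network` with a `nat (inside,outside) static` sub-command, and the access list then names the real inside address instead of the translated one.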

Update your server’s software firewall

Lastly, don’t forget to update the exceptions in the server’s software firewall!
If you were managing which subnets have access on the server’s software firewall, instead of doubling up your efforts you may choose to change the option to “Any computer” and let the Cisco ASA 5505 restrict by subnet. If not, you may still want to add the new internal subnet so that other servers behind the firewall can have access too.

***If your NAT isn’t working***

I used these directions to set up my NAT, but found that my NAT’ed addresses were not able to access network resources outside of the firewall. Luckily, if you are having that trouble, I posted my solution here!

If you found this helpful, help me by checking out the ads on the right. Thank you!

If you haven’t done this yet or lack faith in your NAT setup, I have also posted instructions on how to set up a NAT on the Cisco ASA 5505.

After setting up my Cisco ASA5505 to perform NAT (Network Address Translation) I wasn’t able to access the server from outside the firewall. I also noticed that the server behind the firewall was not able to access network resources outside the firewall. Using a packet sniffer, I determined that the Cisco device was sending the request packets out and receiving responses from devices, but not allowing those packets through the firewall.

Removing the server from the NAT rule, by simply changing the NAT rule’s internal IP address and hitting Apply, allowed the server to instantly send traffic out. Using a whatismyip service showed that I was being identified by the firewall’s IP address.

There seems to be a bug in the Cisco firewall, because the “solution” is silly; change a setting and change it back.

  1. Log into the ASA5505 using the Cisco ASDM software
  2. Click “Configuration” at the top, then “Interfaces” on the left.
  3. Select the “outside” interface and click “Edit.”
  4. Select “Use static IP” and set the interface’s IP to the same as the outside IP address you’ve specified in your NAT rule.
  5. Click “OK,” then “Apply.” The device will take a few moments to change this setting.
  6. Try to access a network service outside the firewall using your NAT’ed server. It should work!
  7. Now, Click “Edit” again, and change the setting back to whatever you had there before.
  8. Unbelievably, the NAT’ed server will still work AND your Cisco device will have the separate IP address you require. You haven’t changed any settings, but now it works!


If you have been mucking around in your Cisco ASA5505 and want to return to factory defaults using the ASDM management software, it’s pretty easy.

If you can’t use the ASDM, I also have a write-up on resetting the Cisco ASA 5505 using the console.

  1. Click the “Wizards” drop down menu and select “Startup Wizard…”
  2. Change the radio button to “Reset configuration to factory defaults.”
  3. I suggest changing the management IP. This will change the subnet of devices behind the firewall. This is useful if you ever have to put another firewall device behind this device as some consumer grade devices make it a pain to change the internal subnet. You can use any non-routable IP, such as 192.168.x.1 where x is 1-254.
  4. Click “Yes.”
  5. After a few minutes, I got a status message with an ERROR. This is because the ASDM is trying to manage the device using the old IP.
  6. Close the ASDM without saving, renew your DHCP lease and log in using the ASDM to the new address.
  7. This doesn’t seem to reset the Enable password, so you’ll have to use that to login.


This walkthrough will describe how to use your Cisco ASA5505 as a VPN server for a remote client. The remote client does not need to have a 5505 as a VPN endpoint; it only needs to have the Cisco VPN Client software installed.

To configure the ASA5505, first log into it using the Cisco ASDM.

  1. Click the “Wizards” drop down, select “VPN Wizard.”
  2. Select “Remote Access,” click Next.
  3. Select “Cisco VPN Client,” click Next
  4. Select “Pre-shared key,” then fill in what I’m going to call your “VPN Connection Password.” This will be saved in the client and should be as long and secure as possible.
  5. Tunnel Group Name: Enter what I’m going to call your “VPN Connection Username,” and Click Next.
  6. Select “Authenticate using the local user database,” click Next.
  7. Create a username and password for each VPN user, click Next.
  8. Click “New…” to create a new VPN IP pool. You can do whatever you want here, but here is my suggestion:
    • Name: VPNUsers
    • Starting IP Address: 192.168.15.194
    • Ending IP Address: 192.168.15.220
    • Subnet Mask: 255.255.255.224
    • Click “OK.”
  9. Click Next.
  10. Fill in DNS and WINS for your outside network and Click Next.
  11. IKE Policy defaults are fine, click Next.
  12. IPSec defaults are fine, click Next.
  13. Leave NAT Settings blank, but check “Enable Split tunneling” at the bottom and click Next.
  14. Click Finish.

One more step, without this you won’t be able to connect to anything besides the internal network when you are connected to the VPN.

  1. Click “Configuration” at the top of the screen.
  2. Click “VPN” on the left side of the screen.
  3. Under “General,” click “Group Policy.”
  4. Click the Group Policy that corresponds to the one you defined during the Wizard, and click the Edit button.
  5. Click the Client Configuration Tab.
  6. Click the “Manage” button next to Split Tunnel Network List.
  7. Double click the Entry under the Standard ACL tab.
  8. Change the IP address and Netmask to match that of your internal network, the subnet where your servers are located.
  9. Click OK, OK, OK and finally: Apply.
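The remote-access VPN from the wizard steps and the split-tunnel fix above, shown as the CLI configuration the ASDM writes. This is an added example, not configuration from the original post. It assumes the names RemoteUsers (used for both the tunnel group, i.e. the “VPN Connection Username”, and its group policy) and SplitTunnel_ACL, an internal server subnet of 192.168.10.0/24, a placeholder internal DNS server, and the pool values suggested above; the pre-shared key and user password are placeholders. The IKE policy, IPsec transform set and crypto map lines that the wizard also generates are left out, since the post accepts their defaults.

```cisco
! Address pool handed to connecting clients (the wizard's VPN IP pool)
ip local pool VPNUsers 192.168.15.194-192.168.15.220 mask 255.255.255.224

! Split-tunnel list: only this subnet is sent through the tunnel. This is the
! entry edited under Group Policy > Client Configuration > Split Tunnel Network
! List, and it must be the internal subnet where the servers live.
access-list SplitTunnel_ACL standard permit 192.168.10.0 255.255.255.0

group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_ACL
 dns-server value 192.168.10.5

! Local user database entry (placeholder password); one per VPN user
username alice password CHANGE_ME

! Tunnel group: its name is what the VPN Client sends as the group "Name"
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 address-pool VPNUsers
 default-group-policy RemoteUsers
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key CHANGE_ME_LONG_RANDOM_SECRET
```

`show access-list SplitTunnel_ACL` confirms which networks are pushed to the client, and `show vpn-sessiondb` lists who is connected and with which group policy. Because the pre-shared key is stored in every client installation, as the wizard step notes, treat it as a shared group secret rather than an identity: the per-user password in the local database is what actually identifies a person, so make the key long and rotate it when a client machine leaves your control.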

Now that we’ve done all that, we should save it from working memory into the flash. I like to do a reboot while I do this, and we can do it using the Cisco ASDM!

  1. Click Tools and select System Reload.
  2. Be sure to change the radio button at the top to Save the running configuration at the time of reload.
  3. Click “Schedule Reload,” Yes, and Exit ASDM.

To connect your new VPN, you’ll need the Cisco VPN Client. I’m using version 4.6.

  1. Install the Cisco VPN Client.
  2. Click “New.”
    • Connection Entry: Name of the VPN connection. I used the same thing I put in for the Tunnel Group Name (VPN Connection Username), but you can use whatever you want.
    • Host: The IP address or DNS name of the VPN Server.
    • On the Authentication Tab, make sure “Group Authentication” is selected.
    • Name: Put whatever you put for Tunnel Group Name (VPN Connection Username).
    • Password: put in your “Pre-shared Key” VPN (Connection password).
      That’s it! Hit Save.

To connect, double-click the connection entry you just created.
Enter the username and password of one of the VPN users we defined on the Cisco ASA5505 during the VPN Wizard.

Done and Done!


First we need to convert our .avi file from the digital camera into a .flv (flash video) file, so it can be viewed on the internet.

  1. Open Adobe Media Encoder CS4 (located in the Adobe Design Premium CS4 folder in the start menu)
  2. Click the “Add” button.
  3. Double-click the .avi file you wish to convert.
  4. Click the “Settings” button.
  5. Change the “Preset” drop-down to be “FLV – Web Medium”
  6. Click “OK”
  7. Click “Start Queue”

Now we can insert the FLV file into a webpage using Adobe Dreamweaver

  1. Put the cursor where you want to insert the video.
  2. Click “Insert” drop down.
  3. Click “Media” then “FLV…”
  4. Click the “Browse” button.
  5. Double-click the FLV file you just created.
  6. Make sure to copy the file to the appropriate place in your website, if you haven’t already.
  7. Click “Detect Size”
  8. Check “Auto play” and “Auto rewind” if you want those functions.
  9. Click “OK”
  10. Save the page and check it in. Be sure to check in the whole folder, so your FLV file is uploaded as well.


The default quick print icon behavior in Word 2007 is to print to your default printer. Here is how to make an icon in Word 2007’s Quick Access Toolbar (QAT) which prints directly to any printer you want. This is handy if you want an icon that prints to a different printer than the default, or you just want a quick print icon for each of your printers.

To do this, we need to input a macro. To do that, we need the “Developer Tab”. Follow these steps to make the Developer Tab appear:

  1. Click the Microsoft Office Button in the upper left, and then click Word Options.
  2. Click Popular.
  3. Under Top options for working with Word, select the Show Developer tab in the Ribbon check box.

The following creates the print macro.

  1. Click the Developer Tab.
  2. Click on the large Macros button on the left.
  3. Type anything in the Macro Name box, for example: “PrintFromFavoritePrinter”
  4. Click the Create button.
  5. Cut and paste the commands below, so that your window looks like this:

    Sub PrintFromFavoritePrinter()
    '
    ' PrintFromFavoritePrinter Macro
    '
    '
    Dim sCurrentPrinter As String

    ' Remember the current default printer
    sCurrentPrinter = ActivePrinter
    ' Switch to the favorite printer, print the active document, switch back
    ActivePrinter = "HP LaserJet 1020"
    Application.PrintOut FileName:=""
    ActivePrinter = sCurrentPrinter

    End Sub

  6. Replace the text: “HP LaserJet 1020” with the exact name of your printer, from the Printers and Faxes section of your control panel.
  7. Press ctrl+s to save, then close the window.

The macro has been created and you can run it from the macros list, but what a pain! Instead, create an icon on the Quick Access Toolbar.

  1. Right-click anywhere on the QAT and click: “Customize Quick Access Toolbar…”
  2. Select “Macros” from the “Choose commands from:” drop-down.
  3. Click the “PrintFromFav…” macro on the left, then click the “Add>>” button.
  4. Click the Modify button at the bottom, choose an icon and change the name to something short, then click OK.

The QAT now has the icon you selected. When you click on it, it should immediately print to your favorite printer!


I originally got this function from the comments on this page: http://us2.php.net/manual/en/function.split.php. But I recently put a bit of time into making it compatible with fields quoted with multiple quotes. This function can deal with input like:

"one"," "two"", """three"""

It will parse data that is not CSV (comma separated values) as well, just pass in a different delimiter.

I have two helper functions here, one which removes an element from the array, then rebuilds the array to re-create the array keys. The other deals with the multiple quote issue by stepping through the initial array and removing the extra rows created due to the fact that we have multiple quotes.

#######################################
# Remove one element and re-index the array so the keys are consecutive again
function RemoveArrayElement($array, $removeKey)
{
   unset($array[$removeKey]);
   return array_values($array);
}
#######################################
# Step through the even-numbered rows (the parts that sat between quote
# characters) and collapse the rows created by doubled or tripled quotes.
# Returns false after every single removal so the caller re-runs it until
# the array is clean.
function DealWithMultipleSurroundingQuotes($splitter, &$getstrings)
{
   for ($x = 0; $x < count($getstrings); $x += 2) //foreach even key
   {
      if (!stristr($getstrings[$x], $splitter)) //if splitter is not in row
      {
         if ($x > 0 && trim($getstrings[$x-1]) == '') //if previous row is empty
            //remove previous row
            $getstrings = RemoveArrayElement($getstrings, $x-1);
         else
            //remove current row
            $getstrings = RemoveArrayElement($getstrings, $x);

         return false;
      }
   }
   return true; //Function finished successfully!
}
#######################################
# The string is now the first parameter: PHP 8 deprecates an optional
# parameter ($splitter) placed before a required one ($s).
# quotesplit('"one"," "two"", """three"""') returns array('one', 'two', 'three')
function quotesplit($s, $splitter = ',', $restore_quotes = false)
{
   # First step is to split it up into the bits that are surrounded by quotes
   # and the bits that aren't. Adding the delimiter to the ends simplifies
   # the logic further down

   $getstrings = explode('"', $splitter . $s . $splitter);

   while (!DealWithMultipleSurroundingQuotes($splitter, $getstrings));

   # $instring toggles so we know if we are in a quoted string or not
   $delimlen = strlen($splitter);
   $instring = 0;
   $result = array();

   foreach ($getstrings as $val)   # each() was removed in PHP 8
   {
      if ($instring == 1)
      {
         if ($restore_quotes)
         {
            # Add string with quotes to the previous value in the array
            $result[count($result)-1] = $result[count($result)-1] . '"' . addslashes(trim($val)) . '"';
         } else {
            # Add the whole string, untouched to the array
            $result[count($result)-1] = addslashes(trim($val));
         }
         $instring = 0;
      } else {
         # Break up the string according to the delimiter character.
         # Strip the leading delimiter (one of the ones we added above); the
         # trailing one makes explode() yield an empty slot that the next
         # quoted string is written into. split() was removed in PHP 7 and
         # treated the delimiter as a regex; explode() takes it literally.
         $temparray = explode($splitter, substr($val, $delimlen));
         foreach ($temparray as $ival)
            $result[] = addslashes(trim($ival));
         $instring = 1;
      }
   }
   # The delimiter appended to the end leaves one unused empty slot; drop it
   if ($instring == 1)
      array_pop($result);
   return $result;
}

