I have saved some links to som fun online games to pass the time with:

WarBears

Yeti Sports – Icicle Climb
Yeti Sports – Penguin Swing

Blueprint

Here is an article on how to perform password recovery in a Cisto Pix.

My users need to be able to surf while using VPN (I know it is not best practice but I REALLY need it)…

You can solve this with split tunnels on Pix Version 6.1, 6.2 and 6.3 according this article.

In version 7 there will be an easier solution that looks like this:

      same-security-traffic permit intra-interface

Upgrade the Activation Key

There are a couple of reasons that you may need to upgrade the activation key on your PIX.

• Your PIX does not currently have VPN-DES or VPN-3DES encryption enabled.

  Note: VPN-DES encryption must be enabled for you to manage your PIX with the use of PDM. Registered users can obtain a free 56-bit VPN-DES activation key when they complete the PIX 56-bit License Upgrade Key form. VPN-3DES activation keys must be purchased through your local reseller or Cisco sales representative.

• Your PIX currently does not have failover activated.

• You upgrade from a connection-based license to a feature-based license.

If you fall into one of these categories and have obtained a new activation key for your PIX, the next step is to connect to your PIX, issue the show version command, and save the output to a text file. The output of the show version command contains your existing version, serial number, and activation key. You need this information if there are any problems with the upgrade of your activation key.

The PIX activation key is based on the serial number of the PIX and is therefore unique for each PIX. The activation key tells the PIX what features it is licensed for. The serial number of your PIX is saved in Flash. If you replace the Flash card in your PIX, then your PIX contains a new serial number (different from the number shown on the sticker on the outside of the box). Always use the serial number displayed in the output of the show version command.

Note: You need to manually enter Activation Keys because the cut and paste process can cause errors which cause the Activation Keys to fail.

Note:  Add additional numbers to 9-digit serial numbers that start with either the number 4 or 8 in order to make them 11-digit numbers. For example, the number 4xxxxxxxx appears as 444xxxxxxxx in the Activation Key. Likewise, numbers that start with an 8 require that you add two additional 8’s.

PIX Devices that Run Versions 6.1 and Earlier

If your PIX currently runs versions 6.1 or earlier, follow the instructions in Upgrade the PIX Firewall from Boothelper or Monitor Mode. Step 10 is where you are prompted to enter a new activation key.

PIX Devices that Run Versions 6.2 and 6.3

If your PIX currently runs versions 6.2 or 6.3, use the activation-key command in order to change your activation key. Refer to the PIX Command Reference for more information.

Example: Upgrade the Activation Key on a PIX that Runs Versions 6.2 or 6.3

pixfirewall(config)# activation-key 54bf4b80 b7237e20 05022c63 f09e3302 Updating flash...Done. Serial Number: 480490644 (0x1ca3b494) Flash Activation Key: 0x54bf4b80 0xb7237e20 0x05022c63 0xf09e3302 Licensed Features: Failover: Enabled VPN-DES:Enabled VPN-3DES: Enabled Maximum Interfaces: 10 Cut-through Proxy:Enabled Guards: Enabled URL-filtering:Enabled Inside Hosts: Unlimited Throughput: Unlimited IKE peers:Unlimited The flash activation key has been modified. The flash activation key is now DIFFERENT from the running key. The flash activation key will be used when the unit is reloaded. pixfirewall(config)# pixfirewall(config)#reload

Since Ciscos website is to say the least a little messy… I have written a cheat sheet for this.

Register Smartnet Contract

Log in with your CCO id
Goto Technical Support & Documentation
In the Technical Support Column half way down click on Service Contract Center (SCC)
At the bottom click on Login to Packaged Services Registration
Here you can register and maintain your Smartnet Contracts

Download 3Des license

Log in with your CCO id
Goto Technical Support & Documentation
Goto Downloads
Click on Cisco Secure Software
Click on Cisco Secure PIX Firewall Software License Registration

Installing 3Des License

ACTIVATION-KEY XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX

Download VPN Client

Log in with your CCO id
Goto Technical Support & Documentation
Goto http://www.cisco.com/kobayashi/sw-center/
Click on Cisco Secure Software
Cisco Secure Access Control Server (ACS)
…?

Download Firmware Upgrades for Pix

Log in with your CCO id
Goto Technical Support & Documentation
Goto Downloads
Click on Cisco Secure Software
…?

When using Windows Server 2003 DNS some dns querys may fail because the Windows Server 2003 DNS Service is using Extension Mechanism which used UDP packets larger than 512 bytes. Some firewalls does not support this (so far I have seen this on Cisco PIX).

The Extension Mechanisms for DNS can be disabled using DNSCMD in Windows Support Tools

   dnscmd /config /enableednsprobes 0

Q832223: Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS Server to Windows Server 2003

More info on Extension Mechanisms for DNS

Using Extension Mechanisms for DNS (EDNS0)

Cisco Secure PIX Firewall 6.x and Cisco VPN Client 3.5 for Windows with Microsoft Windows 2000 and 2003 IAS RADIUS Authentication

Configuring the PIX Firewall

pixfirewall(config)# write terminalBuilding configuration...: Saved:PIX Version 6.1(1)nameif ethernet0 outside security0nameif ethernet1 inside security100enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname pixfirewallfixup protocol ftp 21fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol rtsp 554fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000names!--- Issue the access-list command to avoid !--- Network Address Translation (NAT) on the IPSec packets.access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 pager lines 24interface ethernet0 autointerface ethernet1 automtu outside 1500mtu inside 1500ip address outside 14.36.100.50 255.255.0.0ip address inside 172.18.124.152 255.255.255.0ip audit info action alarmip audit attack action alarmip local pool ippool 10.1.2.1-10.1.2.254pdm history enablearp timeout 14400global (outside) 1 14.36.100.51!--- Binding access list 101 to the NAT statement to avoid !--- NAT on the IPSec packets.nat (inside) 0 access-list 101Nat (inside) 1 0.0.0.0 0.0.0.0 0 0route outside 0.0.0.0 0.0.0.0 14.36.1.1 1route inside 10.1.1.0 255.255.255.0 172.18.124.1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolute!--- Enable access to the TACACS+ and RADIUS protocols.aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius !--- Associate the partnerauth protocol to RADIUS.aaa-server partnerauth protocol radius aaa-server partnerauth (inside) host 172.18.124.196 cisco123timeout 5no snmp-server locationno snmp-server contactsnmp-server community publicno snmp-server enable trapsfloodguard enable!--- Tell PIX to implicitly permit IPSec traffic.sysopt connection permit-ipsecno sysopt route dnat!--- Configure a transform set that defines how the traffic will be protected.crypto ipsec transform-set myset esp-des esp-md5-hmac!--- Create a dynamic crypto map and specify which !--- transform sets are allowed for this dynamic crypto map entry.crypto dynamic-map dynmap 10 set transform-set myset!--- Add the dynamic crypto map set into a static crypto map set.crypto map mymap 10 ipsec-isakmp dynamic dynmap!--- Enable the PIX to launch the Xauth application on the VPN Client.crypto map mymap client authentication partnerauth!--- Apply the crypto map to the outside interface.crypto map mymap interface outside!--- IKE Policy Configuration.isakmp enable outsideisakmp identity addressisakmp policy 10 authentication pre-shareisakmp policy 10 encryption desisakmp policy 10 hash md5isakmp policy 10 group 2isakmp policy 10 lifetime 86400!--- IPSec group configuration for VPN Client.vpngroup vpn3000 address-pool ippoolvpngroup vpn3000 dns-server 10.1.1.2vpngroup vpn3000 wins-server 10.1.1.2vpngroup vpn3000 default-domain cisco.comvpngroup vpn3000 idle-time 1800vpngroup vpn3000 password ********telnet timeout 5ssh timeout 5terminal width 80Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc: end [OK]pixfirewall(config)#

Configuring the Microsoft Windows 2000 Server with IAS

Follow these steps to configure Microsoft Windows 2000 server with IAS. This is a very basic setup to use a Windows 2000 IAS server for RADIUS authentication of VPN users. If you require a more complex design, please contact Microsoft for assistance.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

1. Launch the Microsoft Management Console by going to Start > Run and typing mmc and then clicking OK.
2. To add the IAS service to this console, go to Console > Add Remove Snap-In….
3. Click Add. This will launch a new window with all of the available standalone snap-ins. Click Internet Authentication Service (IAS) and click Add.
4. Make sure Local Computer is selected and click Finish. Then click Close.
5. Notice that IAS is now added. Click OK to see that it has been added to the Console Root.

   

6. Expand the Internet Authentication Service and right-click on Clients. Click New Client and input a name. The choice of name really does not matter; it will be what you see in this view. Make sure to select RADIUS and click Next.
7. Fill in the Client address with the PIX interface address that the IAS server is connected to. Make sure to select RADIUS Standard and add the shared secret to match the command you entered on the PIX:
   

   aaa-server partnerauth (inside) host 172.18.124.196 cisco123 timeout 5

   Note: In this example, “cisco123” is the shared secret.

   

8. Click Finish to return to the Console Root.
9. Click Remote Access Policies in the left pane and double-click the policy labeled Allow access if dial-in permission is enabled.
10. Click Edit Profile and go to the Authentication tab. Under Authentication Methods, make sure only Unencrypted Authentication (PAP, SPAP) is checked.

    Note: The VPN Client can only use this method for authentication.

    

11. Click Apply and then OK twice.
12. To modify the users to allow connection, go to Console > Add/Remove Snap-in. Click Add and then select the Local Users and Groups snap-in. Click Add. Make sure to select Local Computer and click Finish. Click OK.
13. Expand Local User and Groups and click the Users folder in the left pane. In the right pane, double-click the user you want to allow access.
14. Click the Dial-in tab and select Allow Access under Remote Access Permission (Dial-in or VPN).

    

15. Click Apply and OK to complete the action. You can close the Console Management screen and save the session, if desired.
16. The users that you modified should now be able to access the PIX with the VPN Client 3.5. Please keep in mind that the IAS server only authenticates the user information. The PIX still does the group authentication.

Configuring the Microsoft Windows 2003 Server with IAS

Follow these steps to configure Microsoft Windows 2003 server with IAS.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

1. Go to Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client. When you have typed the client information, click OK.

   The example below shows a client named “Pix” with IP address 10.66.79.44. Client-Vendor is set to RADIUS Standard, and the shared secret is “cisco123.”

   

2. Go to Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
3. Ensure that the option for Grant Remote Access Permissions is selected.
4. Click Edit Profile and check the following settings.
   • On the Authentication tab, check Unencrypted authentication (PAP, SPAP).
   • On the Encryption tab, ensure that the option for No Encryption is selected.

   Click OK when you are finished.

   

5. Add a user into the local computer account by going to Administrative Tools > Computer Management > System Tools > Local Users and Groups.. Right-click on Users and select New Users.
6. Add user with Cisco password “cisco123” and check the following profile information.
   • On the General tab, ensure that the option for Password Never Expired is selected instead of the option for User Must Change Password.
   • On the Dial-in tab, select the option for Allow access (or leave default setting of Control access through Remote Access Policy).

   Click OK when you are finished.

   

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

• show crypto isakmp sa – View all current IKE security associations (SAs) at a peer.
• show crypto ipsec sa – View the settings used by current security associations.

Troubleshoot

This section provides information you can use to troubleshoot your configuration. For additional information, refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel.

Troubleshooting Commands

Certain commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands and IP Security Troubleshooting – Understanding and Using debug Commands.

• debug crypto ipsec – View the IPSec negotiations of phase 2.
• debug crypto isakmp – View the ISAKMP negotiations of phase 1.
• debug crypto engine – View the traffic that is encrypted.

Source

!— Access List for NAT-0

access-list NAT-0-INSIDE remark — No address translation for the VPN connections to Local LAN
access-list NAT-0-INSIDE permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

!— Access List for VPN Clients to Inside

access-list OUTSIDE-IN permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

!— Setting up DHCP Pool for Clients

ip local pool VPNPOOL1 192.168.10.1-192.168.10.254

!— No NAT from VPN to Inside

nat (inside) 0 access-list NAT-0-INSIDE

!— Authentication

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host [Radius Server] [Radius Session Key] timeout 5
aaa-server LOCAL protocol local

!— Configure a transform set that defines how the traffic will be protected.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

!— Create a dynamic crypto map and specify which
!— transform sets are allowed for this dynamic crypto map entry.

crypto dynamic-map VPNUSERSZONE 10 set transform-set ESP-3DES-MD5

!— Add the dynamic crypto map set into a static crypto map set.

crypto map VPNZONE 10 ipsec-isakmp dynamic VPNUSERSZONE

!— ???

crypto map VPNZONE client configuration address initiate
crypto map VPNZONE client configuration address respond

!— Enable the PIX to launch the Xauth application on the VPN Client.

crypto map VPNZONE client authentication LOCAL

!— Apply the crypto map to the outside interface.

crypto map VPNZONE interface outside

!— IKE Policy Configuration.

isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPOOL1 outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!— IPSec group configuration for VPN Client.

vpngroup VPNCLIENTS1 address-pool VPNPOOL1
vpngroup VPNCLIENTS1 dns-server 192.168.1.17
vpngroup VPNCLIENTS1 default-domain domain.com
vpngroup VPNCLIENTS1 idle-time 1800
vpngroup VPNCLIENTS1 password 1234567890

On Cisco Pix

hostname host
domain-name domain.se

ssh <ip> <mask> outside
ssh <ip> <mask> inside
ssh timeout 30

ca generate rsa key 1024
show ca mypubkey rsa
ca save all

On Cisco ASA

hostname host
domain-name domain.se

ssh <ip> <mask> outside
ssh <ip> <mask> inside
ssh timeout 30

crypto key generate rsa modulus 1024