Tag Archives: Cisco

Firewall Down Alert – KB1039851

KB1039851

Description:  Alert that the customer’s Firewall is reporting down

Common customer description: I can’t connect to the servers

We have no internet

Probing questions: Did someone recently reboot the firewall device?

Was there a power outage?

Steps to isolate: Log into the firewall portal to verify that it went down

Steps to resolve:

1. Check the Networking Tab to find their Firewall device

Firewall - Network Device

2. Connect to the OM or their server and ping the firewall device

ping firewall

3. If your not able to ping the device, the firewall is down. Call the customer to see why it’s down

4. If you are able to ping the device, connect to the firewall’s web console

able to ping - firewall

Steps on Connecting the the Firewall Web Console

1. Find the firewall’s IP Address in the Networking Tab

Firewall - Network Device

2. Connect to the OM or their server and type the IP address in IE, Chrome, or Firefox

Web firewall

3. Enter the username and password for the firewall device under the Networking Tab

firewall login

4. If the device was rebooted recently, call the customer to see if they rebooted the device

Uptime for sonicwall

 

Additional considerations: If the customer doesn’t know why the firewall went down or why it was rebooted, say that we will monitor this issue to see if it comes down again. If it does go down again, follow the same steps above and then call the customer again, if again they don’t know, consult with a Tier 2 tech.

VPN Client Setup – The Basics KB1039291

KB1039291

VPN Client Setup

Windows VPN CLients
Cisco IPSec
Cisco SSL
Sonicwall IPSec
Sonicwall SSL
PPTP

MAC VPN CLients
Cisco IPSec
Cisco SSL
Sonicwall SSL
PPTP

What is VPN?
Virtual Private Network. Communicates from remote network to private network.

Why do we need it?
Securely access computers, files, connecting Outlook to Exchange remotely.

How do I set it up?
There are several different VPN clients to use.

What info is needed?
Local user or domain login, public IP/domain name, VPN group name, pre-shared key, username, and password.

Authentication methods
LDAP – Allows applications running on almost any platform to obtain directory info.
RADIUS – Authenticates to a RADIUS server installed on Active Directory.
Local Accounts – Uses local user accounts on the firewall itself.

When is it billable?
VPN client installs are non-billable. Troubleshooting connections are billable.

Public vs Private IPs
There are static and dynamic addresses.
Public IPs face outward to the internet.
Private IPs are for internal networks.

PCF files
Profile Configuration File. Automatically configures VPN client when imported.

TCP and UDP
Transmission Control Protocol (TCP) is a connection-oriented protocol.
User Datagram Protocol (UDP) is a connectionless protocol.
TCP will wait for information if it gets lost during delivery. UDP will not.

VPN Process
How the connection process unfolds

Installation
Communication
Authentication
Establishing a connection
Connected

Picture1

Try the VPN connection on your computer

Connection
Authentication
Group issues

The client only partially installs
Check to see if there is an error code
Uninstall the client
Clear temp files
Remove other VPN clients*
Reboot

Status stuck on “Connecting”
Ping Public IP or VPN domain name
New ISP or other ISP issue
Connectivity at remote location
Office down

Same subnet
192.168.0.x on both remote and office locations

See if their AV blocks communication
Trend Micro
Symantec
AVG

See if their firewall blocks communication
Windows Firewall

Find out if ports are blocked
Telnet
Open Command Prompt
Type telnet PublicIPAddress port

Picture2

Picture3

Common VPN ports
TCP 1723
TCP 1701
UDP 500
TCP 4500

Allow inbound and outbound ports
Start > Control Panel > Windows Firewall > Advanced Settings > Inbound Rules (or Outbound Rules) >
New Rule > Select Port > Click Next > Select which protocol (TCP or UDP) > Select Specific local ports > Type port or port range > Click Next > Select Allow the connection > Click Next > Select Domain, Private, and Public > Click Next > Name the rule > Click Finish >

Picture4

Picture5

Picture6

Picture7

Picture8

Picture9

Picture10

Cannot get past the group name or username screen
Check spelling
Case sensitive usernames
Verify username
Reset password

VPN connects, but there is no access to anything

Same subnet or wrong subnet
192.168.0.x on both office and remote locations
APIPA address – 169.254.x.x

Connect by IP or Fully Qualified Domain Name
Servername.domain.local instead of servername

Reinstall the VPN client.
Remove VPN client
Reboot
Reinstall

Consult Tier 2
Less common issues (Example: DNE Update for Cisco)
Firewall configuration
Escalate

Connecting to a firewall

Find the information to connect to a firewall
Sonicwall
Cisco

 

Put the IP address into a browser
May need to specify https:// and/or port number
Common ports: 8080 and 4443.
https://ipaddress:port

Picture12

Picture13

Picture14 Picture15 Picture16

Multiple consoles
ASDM
SSH (PuTTY)

Setting up a local user in the firewall
Sonicwall
Cisco

Local versus AD accounts


Local

LDAP not supported
Few users allowed
Not using Active Directory
ADPreferred authorization method
Less hassle on user’s end

Connect to Sonicwall Navigate to:
Users > Local Users > Add User… > Enter username and password > Go to Groups tab >

Picture17

Check Groups – Everyone, Trusted Users, and VPN
Highlight group name

Click the right arrow below to send it to Member Of:
Go to VPN Access tab

Picture18

Go to VPN Access tab
Find “Firewalled Subnets” under Networks and Highlight it
Click the right arrow below to send it to the Access List
Click OK

Picture19

Connect to Cisco Navigate to:
Configuration
Remote Access VPN
AAA/Local Users
Local Users
Click Add
Enter username and password
Set privilege to No ASDM, SSH, Telnet, or Console access
Click OK
Click Apply
Click Save

Picture20

Cisco Meraki
Escalate to Tier 2

Domain User Setup
Setting up or modifying a domain user
Active Directory

Suggested account setup
Username = (First initial of first name)(last name)
Password = Password1

Password settings
Uncheck all settings

Picture21

Picture22 Picture23

Uses Routing and Remote Access
Active Directory group
Dial-in tab
Local firewall user

Picture24

VPNs on laptops

Will not affect work functionality

How users might ask
“I need to get to my folders”
Could mean desktop folders (RDP)
Could mean server folders (Mapped Drives)

Verify
Can they access the resources they were calling in about?

Windows Cisco SSL Setup KB1039233

KB1039233

Windows Cisco SSL Setup

1. Install the client.

2. With some setups, you can go to a website in a browser, login with network username/password, and download the client. This will automatically set up the client for connection. Skip to step 4.

3. If you are installing this on your computer, open the folder cisco anyconnect client install extracted and run setup.exe.

4. If you are installing this on a remote computer, send the folder cisco anyconnect client install zipped.zip to them, extract, and run setup.exe.

5. Find the information to connect

6. Creating a new connection

7. Open Cisco AnyConnect Secure Mobility client.

8. Enter the Public IP or fully qualified domain name.

9. Attempt connection.

10. Click connect.

11. Enter username and password.

12. You should now be connected. Depending on how the client would like to use their VPN, we may need to set up an RDP connection, mapped drives, Outlook, etc.

Mac Cisco SSL KB1039226

KB1039226

Mac Cisco SSL
1. Find the information to connect

2. Install the client.

a. With some setups, you can go to a website in a browser, login with network username/password, and download the client. This will automatically set up the client for connection. Skip to step 4.

3. Creating a new connection

a. Open Cisco AnyConnect VPN Client
b. Enter the Public IP or fully qualified domain name.
c. Enter username/password.
d. Enter domain name.

4. Attempt connection.

a. Click Connect.
b. You should now be connected. Depending on how the client would like to use their VPN, we may need to set up an RDP connection, mapped drives, Outlook, etc.

Mac Cisco IPSec KB1039211

KB1039211

Description:  Mac Cisco IPSec:

Common customer description:

We currently have a VPN setup, but we need to get this setup on my MAC.

Our VPN doesn’t work on my MAC, I need help getting this setup.

Probing questions:

Does the VPN connection currently work on windows computers?

What have you tried to get this to work so far if you have?

Are there any other MAC users that have the VPN connection setup already?

Was this ever setup before and was it ever working?

Steps to resolve: Either the method (this issue is caused by inaccurate AD settings; run virus scan (include TM instructions), or step by step (open control panel, select XXX, etc); this is the actual fix.

Mac OS systems are able to connect to the Cisco IPSec VPN client quite easily and is built into the Operating system natively.  To do this follow these instructions:

 

  1. Click on the Apple icon in the top left corner:
    1
  1. In the menu, select System Preferences:
    2

 

  1. The System Preferences console will open, This is basically control panel for Macs.  Open up Network:3
  2. Once the Network console is open You will need to hit the + button in the bottom left corner:4

 

  1. Once here you will need to go into the drop down for Interface and select VPN:5

 

  1. After VPN is selected, you will need to select the VPN Type, in the drop down select Cisco IPsec:6

 

  1. Name your VPN and select Create:7

 

  1. At this point you will be presented with 3 fields, Server Address, Account Name, and Password. The server Address is where you put in the external IP of the Cisco Firewall, and the Username and Password is usually the Active Directory information, or it might be local users on the firewall.  It should look like this:
    8

 

  1. After filling out the information select Authentication Settings, In this section you will need to provide the Pre-Shared key and the VPN Group for the VPN:
    9

 

After all of this is done, the VPN will connect to the network.  To test the connection you can open up the terminal Console by going to the magnify glass in the top right corner and type in terminal.  Then just try to ping like normal.

 

Additional considerations: If the IPSec client isn’t setup on the cisco router, it will need to be.