A simple security change in the local administrators group for domain users.
It is common to see the Domain Users group added to the local Administrators group of a laptop or PC. This can cause security issues: for example, other domain users can run programs on your computer while you are logged in.
You could change this to Authenticated Users. (This group is not shown in the computer's search option when you try to add it to the local Administrators group.)
What you have to do is remove Domain Users from the local Administrators group and use the following command to add Authenticated Users.
net localgroup administrators "authenticated users" /add
You can test it; the result should be that only the local user can change computer settings while he is logged in to the computer.
Some Configuration Tips with an IP Range of 4 or more IP addresses
Some handy tips for configuring a Cisco router or ASA when you have 4 or more IP addresses in the IP range from your ISP.
In the past and present I noticed, while creating configurations, that I frequently used the first IP address of the IP range I got from my ISP.
I noticed this wasn't a good idea for some features you can use on your router or ASA. For example, if you want to use SSL VPN on your router or ASA, you need to open the HTTP and HTTPS ports (80 and 443). But you may also use these ports to publish web services from your local network to the outside world, like Outlook Web Access or Citrix Web Access. These web apps use port 80 and/or port 443.
Now, when I have an IP range of 4 IP addresses that I can use, I give the router or ASA only the master IP address (the first one in the list).
Example: I have the IP range 192.168.10.1 – 192.168.10.7 255.255.255.248.
I can now use my router IP address to configure SSL VPN (this is a web-based VPN where the first logon is used to install your AnyConnect VPN Client). I also use this IP address to create VPN tunnels to other offices.
- Router IP address will be: 192.168.10.1
- Mail IP address will be: 192.168.10.2
- Citrix IP address will be: 192.168.10.3
With this construction I know exactly what I can use and what for. It also prevents you from leaving IP addresses behind that you will forget to use in the future. And it makes possible some configurations you may have to make.
This construction can also be used on Cisco IOS Routers.
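The allocation above can be checked mechanically. The following sketch is an added example, not part of the original post: it confirms that no two services claim the same address and port, and lists the usable addresses still free. The service names and ports are assumptions, and the block is treated as a directly connected /29 in which .0 and .7 are the network and broadcast addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed plan using the post's example block; service names and ports are assumptions.
NETWORK = ipaddress.ip_network("192.168.10.0/255.255.255.248")
PLAN = [
    ("router-sslvpn", "192.168.10.1", 443),
    ("router-sslvpn", "192.168.10.1", 80),
    ("mail-owa", "192.168.10.2", 443),
    ("citrix-web", "192.168.10.3", 443),
]

def check_plan(network, plan):
    """Return (problems, unassigned): plan errors and usable addresses still free."""
    usable = set(network.hosts())            # excludes network and broadcast address
    owners = defaultdict(set)                # (ip, port) -> services claiming it
    problems = []
    for service, ip_text, port in plan:
        ip = ipaddress.ip_address(ip_text)
        if ip not in usable:
            problems.append(f"{service}: {ip} is not a usable host in {network}")
        owners[(ip, port)].add(service)
    # Two different services on the same address and port cannot both be published.
    for (ip, port), services in sorted(owners.items()):
        if len(services) > 1:
            problems.append(f"{ip}:{port} claimed by {', '.join(sorted(services))}")
    assigned = {ip for ip, _ in owners}
    unassigned = sorted(usable - assigned)
    return problems, [str(ip) for ip in unassigned]

if __name__ == "__main__":
    issues, free = check_plan(NETWORK, PLAN)
    print("problems:", issues or "none")
    print("still free:", ", ".join(free))
```

Putting the mail service on 192.168.10.1 as well makes the check report the port 443 clash that the post describes.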
Cisco Inter-vlan configuration Cisco Router 871 Cisco Catalyst 2960
Today I was busy with a configuration between a Cisco Router 871 and a Cisco Catalyst 2960. It was in an environment with lots of other switches (Catalyst 3560 PoE), so I had to create a good routing infrastructure.
Situation: Cisco Catalyst 3560 (main infrastructure), Cisco Catalyst 2960 (customer infrastructure), Cisco Router 871 (customer Internet device).
I had to create a trunk from the main infrastructure to the customer infrastructure. This was kind of an easy part.
The main infrastructure contained a VTP domain, including a server, so the customer infrastructure needed to be part of the main infrastructure. Since this was the easy part, I created that first. Second, I had to prepare for an Internet connection. I did this with the Cisco Router 871.
On the Cisco Router 871 I used the normal way of configuration, like the others on my weblog, except for the configuration below that I had to add to my Cisco Router 871.
vlan 2
 name <voice-lan>
!
vlan 181
 name <customer-name>
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 181
!
interface FastEthernet2
 switchport access vlan 181
!
interface FastEthernet3
 switchport access vlan 181
 switchport voice vlan 2
A static route to the Cisco Catalyst 2960
ip route < network > < subnet > < switch ip address >
Added VLAN interfaces on the Cisco Router 871
interface Vlan1
 description LAN < your line >
 ip address < native network id > 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
!
interface Vlan181
 description LAN < your own text >
 ip address < Customer network id> 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
!
interface Vlan2
 description LAN < your own text >
 ip address < Voice Lan ID > 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
On the Switch side it wasn’t that special. Just one interface for trunking.
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
!
ip default-gateway < ip address router >
Take note: use a crossover cable, otherwise the ports on both the switch and the router will have the status DOWN.
Cisco Configuration Professional Tool
I would like to explain the Cisco Configuration Professional tool. You could call it a really upgraded version of the Cisco Configuration Assistant as well as of the former SDM software that you found on Cisco routers.
This configuration tool is specially designed for the smaller Cisco 28xx and up routers, and it even works for the light Small Business routers of the Cisco 87x / 88x / 89x / 18xx series.
I have been using it for a couple of weeks now and I am really impressed with this tool. It helps a lot, especially if I want to configure the Cisco SSL VPN on a Cisco 2821 ISR or Cisco 877 router instead of configuring it from the CLI.
Cisco Configuration Professional is available in two variants: a router-based version in flash, CCP Express, and a standalone version for the computer, CCP (with the voice module).


I would suggest experimenting with the tool. The tool works under Windows up to Windows 7 (I run this OS version), where you will need to start the program in administrative mode; otherwise you aren't able to use the program.
Info: http://www.cisco.com/en/US/products/ps9422/tsd_products_support_series_home.html
Cisco Router 877 configuration in the UK with BT internet
A few weeks back I had to do an installation for my work in the UK.
We had some problems getting the connection to work, and I had to find out which configuration to use.
The main problem was working out which configuration we needed, because my colleague and I are used to configuring Dutch Internet connections with Dutch ISPs.
But after some searching I found the correct configuration. Below is what you need to use.
interface ATM0
 description ADSL Britisch Telecom number : <telephonenumber> order nummer : <ordernumber>
 no ip address
 ip route-cache policy
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
 !
 dsl operating-mode auto
!
interface Vlan1
 description LAN < network information >
 ip address < ip address> <subnetmask>
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer10
 description ADSL Britisch Telecom on number : < telephonenumber> order nummer : <ordernumber>
 ip address negotiated
 ip access-group ACL_DIALER10_IN in
 ip access-group ACL_DIALER10_OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect FW_DIALER10_IN in
 ip inspect FW_DIALER10_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache policy
 ip route-cache flow
 dialer pool 10
 dialer idle-timeout 0
 dialer-group 10
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <your BT HOSTNAME>
 ppp chap password <your BT Password>
 ppp pap sent-username <your BT username> password < your BT password >
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip cef
!
ip access-list extended ACL_DIALER10_IN
 remark DHCP <IPS>
 permit udp any any eq bootpc
 permit udp any any eq bootps
!
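In the listing as shown, Dialer10 references two ACLs and two inspection rule sets, but only ACL_DIALER10_IN is defined; on IOS an access-group that names an undefined ACL filters nothing. The following check is an added example, not part of the original post, that reports such dangling references (it also covers `ip policy route-map`). The sample text is constructed from the lines above, and the function name and the subset of IOS syntax it recognises are assumptions.

```python
import re

# Constructed sample: the Dialer10 references and the one ACL from the listing above.
SAMPLE_CONFIG = """\
interface Dialer10
 ip access-group ACL_DIALER10_IN in
 ip access-group ACL_DIALER10_OUT out
 ip inspect FW_DIALER10_IN in
 ip inspect FW_DIALER10_OUT out
!
ip access-list extended ACL_DIALER10_IN
 permit udp any any eq bootpc
 permit udp any any eq bootps
"""

# Interface lines that USE a named object (assumed subset of IOS syntax).
REFERENCES = [
    ("acl", re.compile(r"^ip access-group (\S+) (?:in|out)$")),
    ("inspect", re.compile(r"^ip inspect (\S+) (?:in|out)$")),
    ("route-map", re.compile(r"^ip policy route-map (\S+)$")),
]
# Global lines that DEFINE a named object.
DEFINITIONS = [
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)$")),
    ("acl", re.compile(r"^access-list (\d+) ")),
    ("inspect", re.compile(r"^ip inspect name (\S+) ")),
    ("route-map", re.compile(r"^route-map (\S+) ")),
]

def undefined_references(config_text):
    """Return sorted (interface, kind, name) tuples that are used but never defined."""
    defined, used, interface = set(), [], None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # works with or without indentation
        if line.startswith("interface "):
            interface = line.split(" ", 1)[1]
        for kind, pattern in DEFINITIONS:
            match = pattern.match(line)
            if match:
                defined.add((kind, match.group(1)))
                interface = None              # a global definition ends interface mode
        for kind, pattern in REFERENCES:
            match = pattern.match(line)
            if match and interface:
                used.append((interface, kind, match.group(1)))
    return sorted(u for u in used if (u[1], u[2]) not in defined)

if __name__ == "__main__":
    print(undefined_references(SAMPLE_CONFIG))
```

Run it against the full running configuration before the interface goes live; an empty list means every referenced ACL, inspection rule and route-map has a definition.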