Archive

Archive administrator

A simple security change in the local administrators group for domain users.

It is common to see Domain Users added to the local Administrators group of a laptop or PC. This creates security issues: for example, other domain users can run programs on your computer while you are logged in.

You can address this by using Authenticated Users instead. (This group is not shown in the computer's search dialog when you try to add it to the local Administrators group.)

Remove Domain Users from the local Administrators group and use the following command to add Authenticated Users:

net localgroup administrators "authenticated users" /add

You can test it: only the user who is currently logged in to the computer should be able to change computer settings.
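As an added check (not from the original post), this Python script parses the output of the same net localgroup administrators command and reports every member that is not on an explicit allow-list, so a broad group such as Domain Users (or whichever group replaces it) is reviewed deliberately. The allow-list and the sample output are constructed assumptions.

```python
import subprocess
import sys

# Constructed sample of `net localgroup administrators` output (not captured from a real host).
SAMPLE_OUTPUT = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
CONTOSO\\Domain Users
The command completed successfully.
"""

# Principals expected in the local Administrators group (hypothetical allow-list);
# every other member, including any broad domain group, is reported for review.
ALLOWED = {"Administrator", "Domain Admins"}


def parse_members(output: str) -> list[str]:
    """Return the member names listed after the dashed separator in `net localgroup` output."""
    members: list[str] = []
    in_list = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_list:
            in_list = stripped.startswith("-----")  # the dashed line opens the member list
            continue
        if not stripped or stripped.startswith("The command completed"):
            continue
        members.append(stripped)
    return members


def unexpected_members(members: list[str], allowed: set[str] = ALLOWED) -> list[str]:
    """Drop the DOMAIN\\ prefix and report every member not on the allow-list."""
    return [m for m in members if m.split("\\", 1)[-1] not in allowed]


if __name__ == "__main__":
    # On a real Windows host, run the same command the post uses and audit its output.
    if sys.platform == "win32":
        out = subprocess.run(["net", "localgroup", "administrators"],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_OUTPUT
    for member in unexpected_members(parse_members(out)):
        print("review:", member)
```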

Some Configuration Tips with an IP Range of 4 or more IP addresses

Some useful tips for configuring a Cisco router or ASA when you have 4 or more IP addresses in the range from your ISP.
While building configurations, I noticed that I frequently used the first IP address of the IP range I got from my ISP.

This turned out not to be a good idea for some features of the router or ASA. For example, to use SSL VPN on your router or ASA you need to open the HTTP and HTTPS ports (80 and 443). But those same ports are often already used to publish web services from your local network to the outside world, such as Outlook Web Access or Citrix Web Access, which also use port 80 and/or 443.

Now, when I have an IP range of 4 usable IP addresses, I give the router or ASA only the main IP address (the first one in the list).

Example: I have an IP range 192.168.10.1 – 192.168.10.7 255.255.255.248
  1. Router IP address will be: 192.168.10.1
  2. Mail IP address will be: 192.168.10.2
  3. Citrix IP address will be: 192.168.10.3
I can now use the router IP address to configure SSL VPN (a web-based VPN where the first logon is used to install the AnyConnect VPN client). I also use this IP address for the VPN tunnels to other offices.

With this scheme I know exactly which address is used for what. It also prevents leaving IP addresses behind that you forget about later, and it leaves room for configuration changes you may have to make in the future.

This construction can also be used on Cisco IOS Routers.
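As an added example (not part of the original post), this Python snippet plans the /29 block from the example above with the ipaddress module: it lists the addresses that are really usable as hosts, hands the first one to the router, and flags services that would have to share one public IP and port, which is exactly the collision the post describes. The service names and ports are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the ISP block from the post, given as its first address plus the mask.
ISP_FIRST_ADDRESS = "192.168.10.1"
ISP_NETMASK = "255.255.255.248"

# Hypothetical service layout: (role, service name, TCP port) for the public-facing services.
SERVICES = [("router", "SSL VPN", 443), ("router", "SSL VPN redirect", 80),
            ("mail", "Outlook Web Access", 443), ("citrix", "Citrix Web Access", 443)]


def usable_addresses(first_address: str, netmask: str) -> list[str]:
    """Host addresses of the ISP block; the network and broadcast addresses are excluded."""
    block = ipaddress.ip_network(f"{first_address}/{netmask}", strict=False)
    return [str(host) for host in block.hosts()]


def assign_roles(addresses: list[str], roles: list[str]) -> dict[str, str]:
    """Hand out addresses in order: the router gets the first one, then one per service."""
    if len(roles) > len(addresses):
        raise ValueError(f"{len(roles)} roles but only {len(addresses)} usable addresses")
    return dict(zip(roles, addresses))


def port_conflicts(plan: dict[str, str], services=SERVICES) -> list[tuple[str, int, list[str]]]:
    """Services that would share one public IP and port, e.g. SSL VPN and OWA both on 443."""
    by_socket: dict[tuple[str, int], list[str]] = defaultdict(list)
    for role, name, port in services:
        by_socket[(plan[role], port)].append(name)
    return [(ip, port, names) for (ip, port), names in sorted(by_socket.items()) if len(names) > 1]


if __name__ == "__main__":
    plan = assign_roles(usable_addresses(ISP_FIRST_ADDRESS, ISP_NETMASK), ["router", "mail", "citrix"])
    print(plan, port_conflicts(plan))
    # Everything on the router address, the habit the post warns against: 443 collides.
    print(port_conflicts({role: plan["router"] for role in plan}))
```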

Cisco inter-VLAN configuration: Cisco Router 871 and Cisco Catalyst 2960

Today I worked on a configuration between a Cisco Router 871 and a Cisco Catalyst 2960. It was in an environment with many other switches (Catalyst 3560 PoE), so I had to create a proper routing infrastructure.

Situation: Cisco Catalyst 3560 (main infrastructure), Cisco Catalyst 2960 (customer infrastructure), Cisco Router 871 (customer Internet device).

I had to create a trunk from the main infrastructure to the customer infrastructure. This was the easy part.
The main infrastructure contained a VTP domain including the VTP server, so the customer infrastructure had to become part of the main infrastructure. Since this was the easy part, I did it first. Second, I had to prepare the Internet connection, which I did with the Cisco Router 871.

On the Cisco Router 871 I used the usual configuration, like the others on my weblog, except for the additions below.

vlan 2
 name <voice-lan>
!
vlan 181
 name <customer-name>

interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 181
!
interface FastEthernet2
 switchport access vlan 181
!
interface FastEthernet3
 switchport access vlan 181
 switchport voice vlan 2

A static route to the Cisco Catalyst 2960:

ip route < network > < subnet > < switch ip address >

Added VLAN interfaces on the Cisco Router 871

interface Vlan1
 description LAN < your line >
 ip address < native network id > 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
!
interface Vlan181
 description LAN < your own text >
 ip address < Customer network id> 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT
!
interface Vlan2
 description LAN < your own text > 
 ip address < Voice Lan ID > 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_Vlan1_NO_NAT

On the switch side it wasn't that special: just one interface for trunking.

interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
!
ip default-gateway < ip address router >

Note: use a crossover cable, otherwise the ports on both the switch and the router stay in status DOWN.

Cisco Configuration Professional Tool

I would like to explain the Cisco Configuration Professional tool. You could call it a much upgraded version of the Cisco Configuration Assistant as well as of the former SDM software found on Cisco routers.

This configuration tool, designed primarily for the Cisco 28xx and higher routers, also works for the lighter small business routers of the Cisco 87x / 88x / 89x / 18xx series.

I have been using it for a couple of weeks now and I am really impressed with it. It helps a lot, especially when configuring Cisco SSL VPN on a Cisco 2821 ISR or a Cisco 877 router instead of doing it from the CLI.

Cisco Configuration Professional is available in two variants: a router-based (flash) CCP Express and a standalone CCP for the computer (with the voice module).

(Screenshots: Cisco Configuration Professional community list; discovered devices)

I would suggest experimenting with the tool. It works under Windows up to Windows 7 (the version I run), where you need to start the program as administrator, otherwise you cannot use it.

Info: http://www.cisco.com/en/US/products/ps9422/tsd_products_support_series_home.html

Cisco Router 877 configuration in the UK with BT internet

A few weeks back I had to do an installation for work in the UK.
We had some problems getting the connection right, and I had to find out which configuration to use.

The main problem was finding out which configuration we needed, because my colleague and I are used to configuring Dutch Internet connections with Dutch ISPs.

After some searching I found the correct configuration, and below is what you need to use.

interface ATM0
 description ADSL British Telecom number : <telephonenumber> order number : <ordernumber>
 no ip address
 ip route-cache policy
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
!
 dsl operating-mode auto
!
interface Vlan1
 description LAN < network information >
 ip address < ip address> <subnetmask>
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer10
 description ADSL British Telecom on number : < telephonenumber> order number : <ordernumber>
 ip address negotiated
 ip access-group ACL_DIALER10_IN in
 ip access-group ACL_DIALER10_OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect FW_DIALER10_IN in
 ip inspect FW_DIALER10_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache policy
 ip route-cache flow
 dialer pool 10
 dialer idle-timeout 0
 dialer-group 10
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <your BT HOSTNAME>
 ppp chap password <your BT password>
 ppp pap sent-username <your BT username> password < your BT password >
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer10
!
ip cef
!
ip access-list extended ACL_DIALER10_IN
 remark DHCP <IPS>
 permit udp any any eq bootpc
 permit udp any any eq bootps
!
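Both the inter-VLAN configuration earlier on this page and this BT dialer configuration refer to objects defined elsewhere: VLAN numbers on switch ports and SVIs, and access lists and inspect rule sets on the Dialer interface. As an added example that is not from the original posts, this Python script splits an IOS-style config into stanzas and reports every such reference the config never defines, a quick sanity check before pasting a partial snippet like the one above onto a device. The sample config is constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the configs above: VLAN 181 and FW_DIALER10_IN are used but never defined.
SAMPLE_CONFIG = """\
interface FastEthernet3
 switchport access vlan 181
!
interface Vlan181
 ip address 10.0.181.1 255.255.255.0
!
interface Dialer10
 ip access-group ACL_DIALER10_IN in
 ip inspect FW_DIALER10_IN in
!
ip access-list extended ACL_DIALER10_IN
 permit udp any any eq bootpc
"""

# Definitions are top-level lines; uses are interface headers or their indented sub-lines.
DEFINES = [("vlan", r"vlan (\d+)"), ("acl", r"ip access-list \w+ (\S+)"),
           ("inspect", r"ip inspect name (\S+)(?: .*)?")]
USES = [("vlan", r"switchport (?:access|voice) vlan (\d+)"), ("vlan", r"interface Vlan(\d+)"),
        ("acl", r"ip access-group (\S+) (?:in|out)"), ("inspect", r"ip inspect (\S+) (?:in|out)")]


def parse_stanzas(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (top-level line, [indented sub-lines]); '!' only separates."""
    stanzas: list[tuple[str, list[str]]] = []
    for line in (raw.rstrip() for raw in config.splitlines()):
        if line and line != "!" and not line.startswith(" "):
            stanzas.append((line, []))
        elif line.startswith(" ") and stanzas:
            stanzas[-1][1].append(line.strip())
    return stanzas


def dangling_references(config: str) -> dict[str, set[str]]:
    """VLANs, ACLs and inspect rule sets that interfaces use but the config never defines."""
    defined: dict[str, set[str]] = defaultdict(set, vlan={"1"})  # VLAN 1 always exists
    used: dict[str, set[str]] = defaultdict(set)
    for header, body in parse_stanzas(config):
        for kind, pat in DEFINES:
            if (m := re.fullmatch(pat, header)):
                defined[kind].add(m.group(1))
        for line in [header, *body]:
            for kind, pat in USES:
                if (m := re.fullmatch(pat, line)):
                    used[kind].add(m.group(1))
    return {k: v - defined[k] for k, v in used.items() if v - defined[k]}
```

Run against the BT snippet as shown on this page, it would also report ACL_DIALER10_OUT and the two FW_DIALER10 inspect names, since their definitions are not part of the excerpt.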