20101122

PIX Firewalls Do Not Eat Large Amounts of Copypasta.

One of the appliances we use frequently here is the Cisco PIX firewall. These devices are excellent in that they help keep your network secure without you having to dedicate a computer to firewalling. They are not-so-excellent in that they're not user-friendly if you don't have much experience with Cisco IOS, and the PDM doesn't always play nicely with commands entered from the console.

I've not had to worry about messing with these much since we have a Cisco guru in Switzerland, but since I needed to send a PIX to one of our new locations and he is unable to assist me remotely with this currently, I decided to get my hands dirty. Nothing major; just need to copy a config from one PIX to another. Easy, right?

Well, hrm. Doing a write net doesn't guarantee a good "image"; you can't just copy tftp://server/imagefile flash:image back over. The PIX tells you it's invalid.

Okay, no problem. I'll just do a config net to load the config.

Or not. Turns out the PIX config doesn't save in the same order as the commands must be entered.

So I spent today learning about the order in which the commands must be entered into the PIX firewall, and here's what it appears to be (after a write erase and reload):

  1. Interface- and IP-related commands

  2. Protocols

  3. Names

  4. Services (object-group and port-object commands)

  5. VPDN commands

  6. Sysopt commands to permit IPSec &/or PPTP

  7. Crypto commands (except match) and ISAKMP commands & keys

  8. ACLs

  9. Crypto match commands (to link the crypto maps with the ACLs)

  10. DHCPd commands

  11. Everything else (ICMP, PDM, NAT, AAA server, SNMP, etc.).

I would suggest taking an existing config file and rearranging it for this purpose. Use Notepad++, since the config files use LFs only (as opposed to CR+LF).
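If you'd rather not rearrange a long config by hand, here is a small script I've added for this post (not something the original write-up or Cisco provides) that sorts a saved config into the eleven stages above. The keyword-to-stage mapping is my own assumption based on that list, so check it against your config; lines keep their original order within a stage, and the output is written LF-only.

```python
"""Reorder a saved PIX config into the eleven-stage entry order listed above.
Added example, not from the original post; the keyword-to-stage mapping below is
an assumption drawn from that list, so check it against your own config."""
import re
import sys

# (stage, regex) pairs tried in order; the crypto 'match address' rule sits
# before the generic crypto rule so those lines land in stage 9, not 7.
STAGES = [
    (1, r"^(interface|nameif|mtu)\s|^ip\s"),
    (2, r"^fixup protocol\s"),
    (3, r"^names?\b"),
    (4, r"^(object-group|port-object|network-object|group-object)\s"),
    (5, r"^vpdn\s"),
    (6, r"^sysopt\s"),
    (9, r"^crypto map .* match address\s"),
    (7, r"^(crypto|isakmp)\s"),
    (8, r"^access-list\s"),
    (10, r"^dhcpd\s"),
]
# 'show run' banners, comments, blanks and the checksum line are not commands.
SKIP = re.compile(r"^(\s*$|!|:|Building configuration|Cryptochecksum)")

def stage_of(line):
    """Return the entry stage (1-11) of one command; 11 is 'everything else'."""
    for stage, pattern in STAGES:
        if re.match(pattern, line.lstrip()):
            return stage
    return 11

def reorder(lines):
    """Group commands by stage, keeping their original order within a stage."""
    buckets = {n: [] for n in range(1, 12)}
    for raw in lines:
        line = raw.rstrip("\r\n")          # tolerate CR+LF input from Windows
        if not SKIP.match(line):
            buckets[stage_of(line)].append(line)
    return [cmd for n in range(1, 12) for cmd in buckets[n]]

# Constructed sample in 'write net' order (not a real config).
SAMPLE = """: Saved
crypto map mymap 20 match address outside_cryptomap_20
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map mymap 20 set peer 203.0.113.5
object-group service web tcp
  port-object eq www
interface ethernet0 auto
ip address inside 10.1.0.1 255.255.0.0
!
end
"""

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines(True)
    dst = sys.argv[2] if len(sys.argv) > 2 else "reordered.cfg"
    with open(dst, "w", newline="\n") as f:   # LF only, as the PIX expects
        f.write("\n".join(reorder(src)) + "\n")
```

Run it as `python3 reorder.py saved.cfg reordered.cfg`, then eyeball the result before serving it from the TFTP server.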

A colleague suggested that you can then copy/paste the config into the PIX, but, as the title of this post suggests, that doesn't work out so well. The PIX seems to take only the first 10-15 lines, skip several, take another 10-15 lines, skip several more, etc., until you're left with a fragmented, wonky configuration. This doesn't work too well, and copy/pasting 10 lines at a time can be tedious, depending on how long your configuration is and how many VPNs you have to different sites. Instead, you may want to do it via the config net command.

BEFORE DOING SO: Have a TFTP server ready that you can connect directly to the PIX (more info below). Don't try to hack this remotely.


Aaand once more, for the cheap seats:
CAUTION! Don't do this remotely or on a live system unless your connectivity is already botched and you know you have a good working config file!

With that said, here's how you load your newly-rearranged PIX configuration file:

  1. write erase

  2. reload

  3. no (When it asks you if you want managed setup)

  4. enable

  5. configure terminal

  6. interface eth0 auto

  7. interface eth1 100full

  8. ip address inside [ip] [netmask]

  9. config net [TFTPserver]:[reorderedfile]



For [ip] above, set it to the same IP range and subnet as your TFTP server. For mine, I loaded Solarwinds Free TFTP Server on a laptop and connected directly to the PIX via patch cable (port 1-4) for the TFTP connection, and used a Console cable for the actual Terminal connection. The [TFTPserver] above was my laptop's IP.

I keep seeing updated questions from people online regarding PIX firewalls, so I know I can't be the only person who works with them from time to time, despite the newer ASAs out there. Hopefully this information helps someone. Until next time!

Rob

20101104

Setting up HylaFAX: Complete!

No, I didn't just finish the project I started two years ago. I did have to shelve it for several months as something else came up, but I completed it in Q3 of 2009. I thought it would be a good idea to finally update this blog with additional details to help others who attempt the same thing!

First off, the Rocketport card works flawlessly. If you can obtain one, I highly recommend it. They're standard analogue loop-start ports; if you're looking for a T1 solution, you'll need to drop some extra money on either a Brooktrout or an Eicon Diva board. But for standard fax lines, the Rocketport card is perfect.

For the mail solution, I ended up going with Qmail on the HylaFAX box. Here's what is required to get QMail talking to Exchange:

  1. HylaFAX needs fax addresses formatted as Name@Number.fax (e.g. Rob@7701234567.fax). Go to Exchange, navigate to your Connectors under the local Routing Group, and create a new SMTP Connector.

    • On the [General] tab, set it to forward all mail for that connector to the HylaFAX server. You can use the FQDN here as well as the IP address.

    • On the [Address Space] tab, create an SMTP Address Space for a *.fax address. Set your cost & scope as needed. If you only have one, a cost of 1 and a scope of Entire organization should be good. Just make sure you aren't utilizing another fax solution which requires an address of *.fax. If you're using Rightfax, Faxination or GFI Faxmaker, there should be no conflict. They actually use the FAX address space native in Exchange (used for the "Business Fax" listing in your Contacts).



  2. Back on the HylaFAX server (or whichever server you have hosting QMail), configure for the following:

    • /var/qmail/control/virtualdomains: Add the line .fax:fax

    • /var/qmail/alias/.qmail-fax-default: Add the line /local/etc/mailfax




Bounce your services, and you're good to go. I used Ubuntu 9.04 for Hylamonster, so /etc/init.d/hylafax restart does the trick.

20081111

Fun With Setting Up HylaFAX, Part Eight

Wait, what? Part Eight? What happened to parts two through seven?
I didn't waste time blogging on them when they occurred, but here, I'll sum them up for you:

Part 1: As you may recall, I got stuck at what I thought was VMWare ESXi Server. I may have been incorrect at that.

Part 2: Realized that using Windows XP and VMWare Workstation wasn't helping me, either. No serial ports forwarded.

Part 3: Installed Ubuntu directly on the machine and loaded Hylafax. Still can't talk to the modem? WTF?

Part 4: Realized you can't call up a softmodem when it relies on software which is only available for Windows. Returned softmodems, feeling like a moron; bought a US Robotics and a Hayes external modem for $99.99 and $69.99, respectively. Will return them soon, most likely, if they don't work.

Part 5: Hayes modem can be spoken to, and it talks back to me! Woot! This is going to be GREAT!

Part 6: Can actually talk to fax machines w/ the Hayes modem, but for some odd reason, getting DIS/DTC 3 times, losing the transmission every time. Played around with init strings, but nothing seems to work. Not making sense.

Part 7: Hooked up the US Robotics modem and re-ran faxsetup. Test fax outbound works like a charm!

Part 8: So here we are, at Part 8, which was completed last night. After configuring faxdispatch and dumping it into the /etc directory (not /etc/hylafax, which is what I was doing initially), I actually received my first test fax! The received e-fax looks like this:

recvq/fax000000002.tif (ftp://:4559/recvq/fax000000002.tif):

Sender: 770XXXXXXX

Pages: 1

Quality: Normal

Size: North American Letter

Received: 2008:11:10 18:05:18

Time To Receive: 0:14

Signal Rate: 14400 bit/s

Data Format: 2-D MMR

Error Correct: Yes

CallID1:

CallID2:

Received On: ttyS0

CommID: 000000071 (ftp://:4559/log/c000000071)


That's a bit too much detail for the average user, so I'll modify the /etc/hylafax/templates/en/faxrcvd-success.txt file to remove things like the quality, size, signal rate, data format, etc. All a user really cares about is that a fax was received and, more often than not, that it's in PDF format.

Next step: need to find a way to have Hylafax interface with Exchange for outbound faxes so I don't need to install a print-to-fax client on each machine.

When using the FAX address space, Microsoft formats the address like this: IMCEAFAX-faxnumber@company.com.

Knowing this is all well and good, but even so, you still have to have something which will accept the message, strip off the excess, and pass the appropriate info (with attachment) to HylaFAX. May need to interface with Samba and smbfax to make something work. I'll see what I can come up with/find, and post results later.

In the interim, I'm just happy as hell to have a working, open-source fax server. I can increase or decrease as many lines or users as I have space for without having to pay additional licensing fees, which is important for any small company. For additional lines to come off our T1, I have an SLA on the way to convert a single digital channel to two analogue channels (already have one in place, so I'll have four fax lines total), and a RocketPort card I purchased on eBay. Here's hoping the bloody thing works when it arrives. The HylaFAX documentation points to this card as being compatible, so here's hoping....

20081021

Awesome Buddhist Quote

I love this quote:


Hey you, expecting results without effort! So sensitive! So long-suffering! You, in the clutches of death, acting like an immortal! Hey sufferer, you are destroying yourself!

-Santideva, Bodhicaryavatara

Somehow, in my quest for a nice balance between efficiency, fun, and mindfulness, I always seem to get off-track. I occasionally come back to center and ground myself, then get back to business, but I always seem to work back towards a feeling of imbalance, frustration, and just generally not having enough time in the day.

With that said, I'm going to go regain my focus. Be back in a bit. kthxbai.

20080919

Fun With Setting Up Hylafax, Part One

Okay, I admit it: I'm a Windows user. I've used Windows all my life. Sure, I've played around in Ubuntu here and there, and the Gnome desktop is great. Even KDE is nice and intuitive. Stick me at a Bash prompt, though, and "ls" is about all I know. That, and to avoid "vi" at all costs unless I want to reboot the machine, since I can't get out of vi or vim.

Well, that was Monday. Today is Friday, and I've spent the week learning my way around Bash a bit. I've spent considerable amounts of time getting used to emacs & nano, which are much more intuitive than vi or vim, and using ssh to connect directly to the machine's terminal window rather than using TightVNC or the VMWare Infrastructure Client to play around in Gnome, since it's faster to go straight to the terminal.

Why am I going through all of this? Well, besides the fact that I've been meaning to learn Linux for quite some time, I need a fax server. We already have GFI Faxmaker, but it's only for one line, and the server only has one PCI slot. We need more than that, and if I go above four, GFI costs extra; not something I can head towards, since I've been told to "make do with what I have" in terms of IT budget. That means open-source solutions are afoot.

So I learned about Hylafax from a friend's son, who happens to be a Linux geek. You can learn more about Hylafax from www.hylafax.org. Needless to say, the installation and usage should've been relatively painless, but I inadvertently threw my own monkey wrench in there with one thing: The VMWare ESXi Hypervisor. For some reason, it simply refuses to recognize any local COM ports on the hypervisor machine, which I would then forward to the host machine.

I finally discovered this after using cu -hl ttyS0 caused the terminal to lock up again and again.

Now, I'm downloading the machine's virtual disk files locally from the hypervisor's datastore. I'll wipe the hypervisor box, install Windows XP, then load the VMWare Desktop hypervisor. Windows XP plays nicer with faxmodems, so we'll see if I can forward the COM ports that way.

Time will tell; I'll post an update with my results later. And yes, for those of you who have also read the documentation and set up your own Hylafax server, I DID name the virtual machine "Hylamonster." It'll be a cuter name when it's actually working.

20080915

The problem with all-in-one solutions....

...is that they aim to solve everything, and often fall short of the goal. Take Myspace for instance. A mix of instant messaging, blogging, microblogging, and e-mailing to keep up with contacts seems like a great idea, but it lacks mobile interoperability (like Twitter and Blogger), and is so slow and bloated that it takes forever to load the page.

I don't need shiny pretty graphics all over the place. Let me post the info I want to post, and I'll make shiny happy graphics later. The Internet, after all, is primarily a place where people gather and share data, right?

So, with that said, I've posted a single blog onto my Myspace page. It links here.

If you've come here from my Myspace, I offer you a warm fuzzy welcome, complete with lint roller (you'll need it). If you didn't, well, I don't have anything to offer you. This blog is primarily a mind-dump for me, and I often joke with myself. As long as I make myself laugh, "that's half the battle" (Craig Ferguson).

If you happen to be as odd as I am, then maybe you'll get a laugh or two as well.

Take care,
Rob

20080904

Vendor/Customer Relations

You know you've thoroughly irritated a vendor when they don't even finish their Powerpoint slideshow.

It's important to know which potential vendors are out there, but it's also important to weed out the ones who will help you from the ones who won't.

When I finally ask a vendor for help, here are the results:

When I ask them to obtain pricing for me and they throw up their hands and say they can't do anything at all, I don't go back to the vendor.

When they direct me to the manufacturer's website (where the List price is) and tell me that's it, I don't go back to the vendor.

When they beg me for business (read as "call more than twice a month to touch base"), I give them an opportunity, and they drop the ball, I don't go back to the vendor.

So what does a good vendor do?

When you ask them for help, they don't have to know all the answers, but they should say one of the following:
  • "I don't know, but I'll find out and let you know."
  • "Let me get back with you on that."
  • "We don't have an expert on that in-house, but I have a contact for you."
  • "I'll do what I can. What's your timeframe for that phase of the project?"
Under no circumstances should a vendor ever throw up their hands and say, "I dunno."

So when meeting a new vendor, I let them know up-front that when I don't have a budget, communications need to be kept short. I don't have time for conference calls about our needs, etc. when I don't have a budget. If you need info, shoot me questions in an e-mail and I'll get back with you ASAP.

So why the most recent vendor decided to put together an 8-page slideshow JUST for us and then schedule a conference call when I already told the representative I didn't have a budget and wouldn't until 2009 is beyond me. They didn't finish the slideshow, though, and cut the call short.

Hopefully follow-up communications (if there are any) will be clearer. I simply don't have the time to muck around with vendors who don't listen. If they don't listen to me now, how can I know they'll listen when I need good information from them?

Grr.