SearX for Anonymous Search

If you have read my past posts on search engines you would have realised that I am always looking to use a search engine other than Google search – well anything other than Google in everything I do!

In the past I have recommended Scroogle, which unfortunately died in 2012; ixquick.com, a European-based search engine; duckduckgo.com, which is still going and growing in strength; and most recently privatesearch.io, which also seems to have disappeared, although the excellent sister site privacytools.io is still going – they have great advice on which software and services to use to be as private as possible (and move away from Google).

All these services have one thing in common: they anonymize your searching to mitigate against your personal life being tracked. Results are not produced by profiling the user (tracking), so every user will get the same search results when entering the same search terms.

Scroogle used a hack into Google’s search engine but suffered from being reliant on Google not changing their API to thwart this kind of third party service.

Duckduckgo relies on Bing, Yahoo and crowdsourced sites like Wikipedia for its search results.

Privatesearch.io did something similar but also used Google for results.

Not sure what happened to Privatesearch.io but it was based on the open source asciimoo/Searx project: https://github.com/asciimoo/searx. This works in a similar way to the other engines – it anonymizes your search and uses Yahoo, Bing and Google (it shows which search engine the results have come from and also uses many other sources). It is completely open source and there is a thriving community – https://twitter.com/Searx_engine – where many people have created their own search engine sites for general search or for specific search criteria: http://stats.searx.oe5tpo.com/ This link will list all the current Searx sites available (and whether they are up – note the down signal for privatesearch.io). The one I use the most is the general Searx.me site.

searx.png

ixquick.com is still going, and it has somehow acquired the domain startpage.com. It is owned by a commercial outfit – Surfboard Holdings B.V. in the Netherlands. It has had much more written about it and many awards and plaudits associated with it: https://en.wikipedia.org/wiki/Ixquick. It’s based in Europe and adheres to European privacy rules plus a lot more. The only drawback is that it is a little slow.

startpage

What I found with all these engines was that results were very much steered towards the USA – I’m in the UK so I wanted results more relevant to my local area. Searx.me does offer preferences where you can change the country to United Kingdom and I found that the results are very good using this engine. Ixquick also now has the ability to change preferences to UK English and even has a ‘Pages from the UK’ button automatically appearing (I assume that changes according to which country you are in) and I have found the results very relevant.

So what would I recommend now?

At this time I would definitely recommend startpage.com from ixquick as your default search engine, but if speed is important and you like the idea of using an open source solution rather than a commercial one then go with SearX – that’s what I use.

Note: when saving preferences they are usually saved in a cookie. If you delete cookies on exiting your browser have a look at the selectivecookiedelete add-on for Firefox detailed in a previous post: My Firefox settings – retaining some cookies whilst deleting everything else on exit

IslandEarth moves to WordPress

You may have noticed that the IslandEarth website has changed. This is because we have now moved to WordPress.com

We were previously with Squarespace.com but the costs they charge started to become prohibitive.

I hadn’t even considered WordPress when I began looking around for alternative providers due to bad experiences in the past. But that was over 5 years ago – a millennium in IT terms!

The only reason I started looking at WordPress again was that the means of getting your old blog posts from one provider to another always involved using a WordPress formatted file as the intermediary mechanism. I tried that on a few hosting sites without much success – dates would be reset to today’s date, images would not be brought in etc.

Then I realised that WordPress was offering the same functionality, if not better, than the paid for hosting companies I was looking at. So I took the plunge and was pleasantly surprised at the simplicity of using WordPress and the functionality it has to offer. Just looked at the stats today and they are well presented as well.

It was by no means perfect importing my blog posts from the old site – some images did not transfer DNS A records to point at the WordPress server IPs: 192.0.78.24 and 192.0.78.25

So far so good and I highly recommend using WordPress.com not just for Blog style sites but ordinary websites as well.

My Firefox settings – retaining some cookies whilst deleting everything else on exit

I’ve been using the Firefox web browser since release 39 in 2015 which improved the product greatly.

This completely replaced my day to day use of Chrome and Internet Explorer – although I still have those installed for testing purposes and occasionally to access some websites or local admin web pages that don’t work with Firefox.

Over this time I have perfected the settings I use so that when exiting the browser all history is deleted – apart from cookies that I want to keep.

Here are my basic privacy settings:

firefox_privacy

Use Tracking Protection in Private Windows: I believe this only really works when you are in Private Browsing Mode but no harm in having it switched on anyway.

I also turn on Do Not Track – click “manage your Do Not Track settings”:

firefox_dnt

As you can see I set some custom settings whereby nothing is remembered and all history is deleted on exit.

The only exception is with cookies – I manage them using a separate add-on. This is because Firefox only allows a blanket approach whereby all cookies are deleted or none at all, but I want to specify some cookies that I want to keep.

Under Settings for Deleting History I have:

firefox_history

I’m not too worried about Site Preferences (zoom level, encoding etc.) so I leave that unticked. I also leave cookies unticked. So everything is deleted on exit apart from Cookies and Site Preferences.

To manage my cookies I use an add-on: selectivecookiedelete, which can be found by searching the Firefox add-ons store (go to Options menu (top right) and choose Add-ons). The add-on page is: https://addons.mozilla.org/en-GB/firefox/addon/selectivecookiedelete/?src=ss

I went through many cookie management add-ons and found this add-on to be by far the best, mainly due to the management options.

If you go to the installed add-ons page and click options next to the selectivecookiedelete add-on you will get the following preferences dialog box:

firefox_selectivecookiedelete

As you can see there is an option to automatically remove cookies when Firefox closes but you can also set a whitelist:

firefox_cookieexceptions.png

As you can see I don’t have many exceptions! The searx.me is a good example – this is the search engine I use by default – which has preferences which gear the search results towards your geography i.e. English UK. It stores that preference in a cookie so I want that cookie kept so that I don’t have to set the preference every time I do a search.

The left hand side will display any cookies you have in your current session so to add new whitelisted cookies go to the website in question then to the whitelist and select from left to add to right.

I find this setup works really well and gives me good protection from tracking etc.

Check your Facebook Advert settings are what you really want

Came across an article recently that showed how Facebook has added a new option to the Adverts settings that allows Facebook to use tracking ads even if you previously opted out using the existing settings:

Facebook1.png

“Ads on apps and websites off of the Facebook Companies” – what legalese there I think. “The Facebook Companies” – looking at the details provides some further information on this: https://www.facebook.com/help/111814505650678:

facebook_companies.png

Love the cute owl – makes you feel all warm and cuddly and safe doesn’t it. Don’t be fooled – having this option set to Yes means Facebook can track you across all their sites/services and probably beyond.

To turn it off simply hit Edit and choose No:

facebook

Thanks to Dave Carroll for highlighting this: https://medium.com/@profcarroll/awkward-conversation-with-facebook-ef1734ecdc62#.tipvxac44

Increasing attachment limits in Office 365/Exchange Online

The default limit for messages in Microsoft’s online mailboxes is 35MB. You can change this limit using PowerShell commands.

If you don’t know how to get started with PowerShell admin then look at my previous posting: Send As From a different email domain in Office 365 Exchange Online.

There are 2 limit parameters: MaxReceiveSize and MaxSendSize.

The command for changing the mailbox limit parameters is:

Set-Mailbox John.Doe -MaxReceiveSize 55MB -MaxSendSize 55MB

Substitute John.Doe for the mailbox you want to change.

To change all mailboxes use this:

Get-Mailbox -Resultsize Unlimited | Set-Mailbox -MaxReceiveSize 55MB -MaxSendSize 55MB

And to set the limits for all new mailboxes use this:

Firstly find out which mailbox plan is the default:

Get-MailboxPlan | fl name,maxsendsize,maxreceivesize,isdefault

You will see a list of mailbox plans (name followed by a GUID) only one of which is marked as the default and they will also show the current limits.

To change the default mailbox plan use this command:

Set-MailboxPlan ExchangeMailboxPlan-GUID -MaxSendSize 55MB -MaxReceiveSize 55MB

Replace ExchangeMailboxPlan-GUID with the default plan listed previously.

Always remember to close your session with:

Remove-PSSession $Session

BreakthePaywall tested in Windows 10

BreakthePaywall tested in Windows 10 – you must use Internet Explorer rather than the new Edge browser but otherwise it works ok.

The Edge browser does not at this stage allow add-ons to be installed – we believe they will be allowing add-ons by the Autumn and BreakthePaywall will endeavour to have one available asap.

http://www.breakthepaywall.com

Gaining Admin access when you have forgotten the Admin password

A common occurrence with all the family home computer users I support is that I will arrive on site, a problem is described that requires admin access but they have forgotten their admin password!

The way round this is to create another admin user within safe mode.

This works for Windows 7:

Restart the PC

Hold the F8 key down until you see the Windows Boot Menu

Choose Safe mode with Command Prompt

Wait for windows to boot and eventually you should be presented with a command prompt.

Add a new user (‘root’ in our case) using the following command:

net user root /add

Add the new user to the Administrators group:

net localgroup Administrators root /add

Delete the user from the limited users group:

net localgroup Users root /delete

Reboot the machine and you should now see a new user available at the logon screen. Logon with the new user and you can then change the password of the original admin user in the normal way (control panel, users).

You might also want to log off, log on as the original admin user and delete the new user you just created in the normal way (control panel, users) – just to tidy things up and not have multiple admin users hanging about.

Cisco ASA setting up port forwarding using ASDM – Minecraft example

To set up port forwarding on a Cisco ASA (5505 or 5506 on my systems, but it is applicable to any PIX type Cisco firewall) you need to set up a NAT translation rule and Access rules.

I mainly use ASDM for making changes as opposed to the command line. See Cisco ASA 5506 (and 5505, 5510) Basic Setup for details on setting up access.

The example given here is for port forwarding to a Minecraft server on the internal network at IP address 192.168.0.7 but is applicable to any device you want to make available on the internet.

Setting up the NAT rule:

Goto Configuration, Firewall, NAT Rules.

On the right hand side you should see a list of Network Objects – adding a network object is the easiest way to add a port forwarding NAT rule. Click Add above the list.

Enter the name of the network object – this can be anything you like but should be descriptive of the type of server and service.

Select Host for the Type.

Enter the IP address of the server – the internal IP.

Click on the NAT heading at the bottom to expand the NAT options.

Tick the Add Automatic Address Translation Rules option.

Select Static for the Type.

Select your ‘outside’ interface for the Translated Address.

Cisco_PFW1

Then click Advanced.

Source Interface should be set to Any.

Destination Interface should be set to your ‘outside’ interface.

At this point you can specify specific service ports to be used under the Real Port and Mapped Port options or you can leave them blank if you are happy for any service to be used.

You may want to allow any service if you have a range of external IP numbers that you can use. You can assign a single external static IP for your internal server and set the NAT rule to Any service. This does not mean that you are allowing access on any port to the server as you still have to setup Access rules to allow traffic through – you are just allowing access on any port from the ASA to the internal server.

Cisco_PFW2

In my case I only have one external IP address so I need to specify specific ports as I also want to run a web server from a different internal machine and I may add other devices in future.

In the example above I have a Minecraft server which needs to allow access on port 25565 so that’s what I enter for the Real and Mapped ports (real port is the one being hit on the outside interface. You can map to a different port on the internal server if you wish).

I also need to setup port forwarding for UDP port 25565 – Minecraft server requires both TCP and UDP protocols on port 25565.

So I setup a separate network object for the UDP port forwarding:

Cisco_PFW3

Cisco_PFW4

Unfortunately you cannot choose tcp/udp when setting up NAT rules so you have to create two rules in this example – as mentioned earlier if you have a number of external IP addresses available then you could set service to Any and control ports using Access rules. You would then have just one NAT rule and 1 Access Rule (access rules allow you to specify tcp/udp).

You should now see something like this in your NAT rules list (note I also have my web server rule on port 80 (http) listed here as well):

Cisco_PFW5

Also note the general NAT rule at the bottom for translating internal addresses to external addresses for general browsing etc. See: Cisco ASA 5506 (and 5505, 5510) Basic Setup

Setting up Access Rules:

Goto Configuration, Firewall, Access Rules.

Select the ‘outside’ interface and select Add.

The interface should be set to ‘outside’.

The Action should be set to Permit.

The Source should be set to Any – you want everyone to be able to access your server.

Set the Destination to the Network Object you created under the NAT rules.

Under Service click the … (ellipsis) button.

In this example we need to create a new Service Object corresponding to the port required (25565)

Under the Add option select Service Object.

Enter a Name of your choice.

Select the Service type

The destination port should be set to the Real port you are forwarding.

Leave the source port as the default – machines connecting may use any port in the allowable range to connect to a service on the internet so you have to cater for any port.

Click OK, make sure the Service Object you just created is selected and click OK.

Cisco_PFW6

Cisco_PFW7

Click OK and Apply to set your new Access Rule.

We also need to setup a separate rule for the UDP port 25565 that we also need to forward:

Cisco_PFW8

Cisco_PFW9

As mentioned before in the case of using a NAT rule covering any service you can add just one Access Rule that covers both tcp and udp.

You should now have an Access Rules screen that looks something like this:

Cisco_PFW10

Make sure you click Apply and you are all done.

Remember that any firewall on your servers also has to be set to allow traffic on the port you have forwarded.
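The relationship described in this article between NAT rules and Access Rules can be checked from the text form of the configuration. The following Python script is an added example, not part of the original article or of Cisco's tooling: it parses a constructed running-config fragment (the object names, the NAS host and the 203.0.113.10 address are assumptions) and reports forwards that have no permit rule and any-service NAT hosts that a port-less permit leaves wide open.

```python
import re

# Constructed running-config fragment (not from the original article). Object
# names, the NAS host and 203.0.113.10 are assumptions; 192.168.0.7 and port
# 25565 follow the article. It is the text form of object NAT plus access rules.
SAMPLE_CONFIG = """\
object network Minecraft-TCP
 host 192.168.0.7
 nat (any,outside) static interface service tcp 25565 25565
object network Minecraft-UDP
 host 192.168.0.7
 nat (any,outside) static interface service udp 25565 25565
object network NAS-Any-Service
 host 192.168.0.3
 nat (any,outside) static 203.0.113.10
access-list outside_access_in extended permit tcp any object Minecraft-TCP eq 25565
access-list outside_access_in extended permit ip any object NAS-Any-Service
access-group outside_access_in in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
NAT_RE = re.compile(
    r"^ nat \(\S+,outside\) static \S+(?: service (tcp|udp) (\d+) (\d+))?$")
ACL_RE = re.compile(
    r"^access-list \S+ extended permit (tcp|udp|ip) any object (\S+)(?: eq (\d+))?$")


def parse_config(text):
    """Return (forwards, permits) for static object NAT and permit rules."""
    forwards, permits, current = {}, [], None
    for line in text.splitlines():
        obj, nat, acl = OBJ_RE.match(line), NAT_RE.match(line), ACL_RE.match(line)
        if obj:
            current = obj.group(1)
        elif nat and current:
            proto, real_port, _mapped = nat.groups()
            forwards[current] = {
                "proto": proto,  # None means the NAT rule covers any service
                "real_port": int(real_port) if real_port else None,
            }
        elif acl:
            proto, target, port = acl.groups()
            permits.append({"proto": proto, "object": target,
                            "port": int(port) if port else None})
            current = None
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the object block
    return forwards, permits


def audit(text):
    """Return sorted (object, finding) pairs for outside-facing static NAT."""
    forwards, permits = parse_config(text)
    findings = []
    for name, fwd in forwards.items():
        rules = [p for p in permits if p["object"] == name
                 and (fwd["proto"] is None or p["proto"] in (fwd["proto"], "ip"))]
        if not rules:
            # Nothing permits this forward, so the deny rule at the bottom
            # of the access rules drops the traffic (e.g. a forgotten UDP rule).
            findings.append((name, "NO_PERMIT"))
        for rule in rules:
            if fwd["proto"] is None and rule["port"] is None:
                # Any-service NAT plus a port-less permit opens every port
                # of the permitted protocol on the internal host.
                findings.append((name, "HOST_FULLY_EXPOSED"))
            elif fwd["proto"] and rule["port"] not in (None, fwd["real_port"]):
                # The access rule should name the real port being forwarded.
                findings.append((name, "PORT_MISMATCH"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

The parser only understands the line shapes in the constructed sample; a real running configuration has more forms (named ports, service objects, object groups) that it does not handle.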

 

Excel and SSIS – the problems and solutions

There are various problems with importing data from Excel files.

Today I came across an article from 2012 by Koen VerBeeck which has been re-blogged on the SQLServerCentral.com website which very succinctly summarises the problems and solutions:

http://www.sqlservercentral.com/blogs/koen-verbeeck/2015/07/10/reblog-whats-the-deal-with-excel-and-ssis/

Please note my comment at the bottom which I will repeat here:

One thing I would add is that if you are in a situation where changing registry settings is difficult or you don’t want to have to bother with changing settings every time you move machines/re-image machines i.e. you have to stick to the default of 8 rows being sampled. Then just add 8 dummy rows to the beginning of your Excel tables with the relevant type of data inserted – bunch of ‘A’s for strings, ‘9’s for numeric etc. – and then delete all the dummy records out with conditional split as mentioned. With this setup you can be certain the SSIS routine will work on any machine with default JET settings.

Cisco ASA 5506 (and 5505, 5510) Basic Setup

I recently acquired a Cisco ASA 5506-X unit to use as my main router for my fibre broadband connection and thought I should detail the basic setup of these units to get you connected.

Occasionally I delve into the Cisco IOS command line but normally I just use the ASDM management GUI so that’s what I’ll use for the rest of this article.

The first thing to note is that the 5505 and 5506 units have 8 ports, the 5510 has 4 ports. Any port can be configured as a WAN side port or LAN side port or another type of port (failover between 2 units for example).

However, only the 5505 unit can use a set of ports in switching or bridging mode – enabling you to set up 1 port for the WAN connection and 7 ports as a LAN side switch where you can connect all your equipment. For some reason Cisco decided not to include this functionality in the newer 5506 units and there is some consternation about this decision and debate as to whether they can physically include that functionality in a future software release – a lot of people will upgrade to the 5506 to gain gigabit speeds (5505 is a 100mbit unit only) expecting it to function the same as the 5505 but will be disappointed. So for now you have to use the 5506 as a standard router with 1 port for WAN and 1 port for LAN connected to a separate switch (8 port gigabit switch is pretty cheap anyway).

Although you do lose the ability to do switching you do gain in terms of licensing – the basic license for a 5505 unit does not include trunking and failover. It also limits the number of inside hosts to 10. The 5506 units basic licensing includes unlimited inside hosts and trunking via sub-interfaces. You still have to pay extra for failover though.

5505 licensing: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/license.html

5506 licensing: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-license.html

Connecting to the management interface:

To connect to the router there is a separate management port usually set to IP: 192.168.1.1. To connect, change your network adapter’s IP address to an IP within that range e.g. 192.168.1.5, with a Class C subnet mask: 255.255.255.0.

In your browser goto the address: https://192.168.1.1 and you will be prompted to download the ASDM software package. Note: you may be prompted for a username and password – enter the standard enable_15 for username and password should be blank if the unit is at factory default (to factory default an ASA unit connect to the console using the console lead supplied and the Putty terminal programme – logon with enable_15, config terminal, configure factory-default). You will need Java runtime installed on your machine in order to use ASDM and you may get problems with newer versions of Java regarding certificates. Usually you can just ignore certificate warnings but if you do get problems Java 7 release 45 is the version that works without any problems.

For more details on this go to the Cisco site: http://www.cisco.com/c/en/us/td/docs/security/asdm/7_3/release/notes/rn73.html See the Java and Browser compatibility section.

Or setup a self signed certificate: http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html Which you install into the Java software certificates list.

Setting up the WAN interface:

Most broadband connections will require you authenticate with the ISPs servers using the PPPoE protocol (point-to-point protocol over ethernet: https://en.wikipedia.org/wiki/Point-to-point_protocol_over_Ethernet).

In ASDM goto Configuration, Interface Settings, Interfaces and edit port 1 (GigabitEthernet1/1).

Give the Interface a name – I usually choose ‘outside’ for the WAN link and ‘inside’ for the LAN link but you can choose whatever you like.

Make sure the Security Level is set to zero.

Make sure the interface is enabled.

Under the IP Address section you can choose PPPoE and fill out the relevant details that you would have obtained from your ISP. You may have a different setup to mine and your ISP may use a different method of connecting you e.g. DHCP, in which case choose the method that is relevant to your situation.

Here’s a screenshot:

Cisco_WAN1

Scroll down until you see the IP Address and Route Settings button. You don’t need to tick the Store Username and Password in local flash option. Type in the settings according to your ISPs setup (usually you would obtain IP and default gateway information automatically – even if you have a static IP setup with your ISP):

Cisco_WAN2

Click on the Advanced tab and check the MTU setting – the default is 1500 but you may need to change this, again depending on your ISPs setup. With BT in the UK I need to set it to 1492 which is the standard setting for PPPoE connections. See here for more info: https://en.wikipedia.org/wiki/Maximum_transmission_unit:

Cisco_WAN3

There are obviously loads of other settings here because a Cisco router can basically connect to anything if setup correctly but these should be the only changes you need to make for a standard broadband connection.

If you go back to the Home screen you should see the ‘Outside’ interface changes from Down to Up and the ISPs IP address will appear together with the network mask number. Note: this may take a few seconds to appear.

Setting up the LAN interface:

On the interfaces page choose a port to use as the LAN port – usually port 2 (GigabitEthernet 1/2) and click edit.

Give an interface name – ‘inside’ in my case.

Make sure the security level is set to a higher number than was given for the WAN port – 50 is the default. With the ‘Outside’ interface set to zero this setting will ensure that no traffic will be allowed between the ‘Inside’ and ‘Outside’ interfaces unless explicitly allowed by NAT and Firewall Access rules – by default the router does not allow traffic to pass between higher and lower security levels.

Make sure the enable interface option is ticked.

Choose a static IP and fill in the IP address and Subnet mask – this is a number on your internal network. In my case I use the IP range 192.168.0.1-256 (a class C address range with subnet mask 255.255.255.0) but you can choose any range designated for private use. See: https://en.wikipedia.org/wiki/Private_network. It is also possible to use any valid IP range as these numbers are never routed to the outside world but the convention is to use a private range specifically designated for this purpose.

Note: the number you choose here will be your default gateway for all local connections.

Cisco_LAN1

Allowing PING:

By default the Cisco ASA allows the router to be pinged on the ‘Outside’ interface. If you wish to block this you can do so by adding a Management Access Rule.

Goto Configuration, Device Management, Management Access, ICMP and click Add.

Set the ICMP Type to Any.

Set the Interface to ‘Outside’.

Set the Action to Deny.

Set the IP address and the Mask to Any or 0.0.0.0

Cisco_PING1

By default the Cisco ASA does allow you to ping external addresses (see default Firewall Access Rules below) but will NOT allow the reply from the PING to be routed back. There are two ways of adding this functionality:

First method is by changing the Default Service Policy Rules – goto Configuration, Firewall, Service Policy Rules. There should be a Default Inspection rule listed – hit Edit.

Goto the Rule Actions tab.

Tick the ICMP option and click OK and Apply.

This will now allow the PING replies (or Echo’s) to be routed back.

The second method involves adding a Firewall Access Rule – goto Configuration, Firewall, Access Rules.

Select the ‘Outside’ interface section and click Add.

Select permit for the Action.

Source will be Any.

Destination will be Any.

The services should be set to ‘icmp/echo-reply’.

Again this will now allow the PING replies (or Echo’s) to be routed back.

Cisco_PING3.png

I prefer the second method as it separates the default rules from the ones you have added and keeps your rules listed under one section in the Firewall Access Rules.

Setting up the DHCP server:

Your next task is to setup the DHCP server which assigns addresses from your local network address range when devices try to connect.

Go to Configuration, Device Management, DHCP, DHCP Server.

This will list the interfaces you have created on the ASA – ‘inside’, ‘outside’ and the ‘management’ interface that was automatically setup (with a DHCP range already allocated to it).

We want to setup a DHCP server for the ‘inside’ interface so select that interface and click Edit.

Tick the ‘Enable DHCP Server’ option and enter an IP range for the pool of addresses the DHCP server should use. In our case I have chosen 192.168.0.10 to 100.

Don’t enter your inside interfaces address (192.168.0.1) as part of the pool – that needs to stay as a static IP.

Cisco routers do not allow address reservation. This is a function, on most consumer broadband routers, that allows you to reserve a particular IP for a device from the DHCP range according to the device’s MAC address. This is useful if later on you want to use port forwarding to the device – you need the IP of the device to not change over time otherwise your port forwarding and routing rules, which have been specified for a particular internal IP number, will not work. This is an essential requirement if you want to host a server behind your router – web server, minecraft server etc.

When using Cisco routers you have to set the devices IP statically on the devices themselves – usually in their network adapter settings. I need a number of these static IPs setup – Wi-Fi Access Point, NAS drive, Minecraft server etc. So I have started my address range at 10 so that I can use the IPs 192.168.0.2-9 as static IPs on these devices. If I need any more in future I can change the DHCP range or use the numbers above 100. My DHCP addresses will only be used for roaming devices – mobiles, laptops, iPad’s etc.

You also need to enter the DNS server addresses that your DHCP clients will use. This can be an internal DNS server or more likely your ISPs DNS servers. In my case I use OpenDNS:

Cisco_DHCP1.png
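Because addresses cannot be reserved in the DHCP server, a port-forward target that sits inside the pool can later be leased to a different device, and the forward would then expose that device instead. The following Python check is an added example, not part of the original article: it validates an address plan using the article's values (inside interface 192.168.0.1/24, pool 192.168.0.10 to 100); the device names and the bad plan are constructed.

```python
import ipaddress


def check_plan(inside_interface, pool_start, pool_end, static_hosts):
    """Return a list of problems found in a LAN address plan.

    static_hosts maps a device name to the address typed into that device.
    """
    iface = ipaddress.ip_interface(inside_interface)
    net, gateway = iface.network, iface.ip
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if start > end or start not in net or end not in net:
        problems.append("DHCP pool is not a valid range inside the subnet")
    if start <= gateway <= end:
        problems.append("DHCP pool contains the inside interface address")

    seen = {}
    for name, text in static_hosts.items():
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{name}: {text} is not a valid address")
            continue
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is not a usable host address in {net}")
        elif addr == gateway:
            problems.append(f"{name}: {addr} is the inside interface address")
        elif start <= addr <= end:
            # A static device inside the pool can collide with a lease.
            problems.append(f"{name}: {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{name}: {addr} is already used by {seen[addr]}")
        seen.setdefault(addr, name)
    return problems


# The article's plan: inside interface 192.168.0.1/24, pool .10 to .100,
# static devices in .2 to .9. Device names are constructed for the example.
GOOD_PLAN = {"web-server": "192.168.0.2", "nas": "192.168.0.3",
             "wifi-ap": "192.168.0.4", "minecraft": "192.168.0.7"}
# Constructed mistakes: a forward target inside the pool, an impossible last
# octet, and two devices given the same address.
BAD_PLAN = {"minecraft": "192.168.0.50", "nas": "192.168.0.256",
            "wifi-ap": "192.168.0.4", "printer": "192.168.0.4"}

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        issues = check_plan("192.168.0.1/24", "192.168.0.10", "192.168.0.100", plan)
        print(issues or "plan is consistent")
```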

Setting up NAT translation:

In order for your devices to be able to communicate to the outside world you need to setup some kind of translation to and from the external IP address and your internal IP addresses. You achieve this using a NAT rule.

The router uses NAT rules to substitute source and destination addresses as required – this enables you to use a single IP address on the ‘outside’ interface and a range of addresses on the ‘inside’ interface.

Goto Configuration, Firewall, NAT Rules and click Add.

Set the source interface to ‘Inside’.

Source address, destination address and service should all be set to ‘any’.

Under the Translated Packet section the Source NAT type should be ‘Dynamic PAT (Hide)’ and source address should be ‘Outside’.

Destination address and service should be set to Original.

Make sure the ‘Enable rule’ box is ticked.

Cisco_NAT1.png

Your NAT screen should look something like the image below. I have added a port forwarding NAT rule just to illustrate where the NAT rule should be positioned – it should always be at the bottom of the list otherwise your port forwarding rule would override it. For port forwarding rules read my article here: Cisco ASA Port forwarding.

Cisco_NAT2.png

Configuring NAT rules guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cfgnat.html

Setting up Firewall Access Rules:

This NAT rule you added above will translate any ‘inside’ IP addresses to the ‘outside’ address for any service. But the router will still abide by the Firewall Access Rules (Configuration, Firewall, Access Rules).

By default the Cisco ASA will allow all outbound traffic so in reality you don’t need to change anything after adding the NAT rule. But just to check here is the default Access Rules screen:

Cisco_FW1.png

At the bottom is a Global rule that denies all traffic (hence IP as the service) – both Inbound and Outbound.

The rule under the ‘Inside’ interface allows any IP traffic from the Inside interface to any less secure network i.e. any interface with a lower security level – we set the ‘Outside’ interface to security level 0 and the ‘Inside’ to level 50 so this rule will allow traffic to pass through the ‘Outside’ interface.

You can of course block all outbound traffic by denying access on the ‘Inside’ interface rule. And you can then explicitly allow traffic for individual services above this rule e.g. add a rule to allow http traffic only – this would allow inside devices to browse to websites on port 80 (http) and nothing else, not even https (port 443).

To allow incoming traffic you would add rules to the ‘Outside’ interface section e.g. allow http (port 80) traffic to an internal web server address (192.168.0.2 for instance – you would also have to setup port forwarding NAT rules for this to work fully – see my Cisco ASA Port Forwarding article).

Setting Time:

Time is a critical component for the router so you should make sure the ASA is getting the correct time from the internet.

To set a time server goto Configuration, Device Setup, System Time.

You can set the time under the Clock section.

To set the ntp server goto NTP section and click Add.

I prefer to use the NTP.ORG servers – unfortunately you cannot put a host name in here, you have to use an IP.

So ping pool.ntp.org first to obtain the correct IP number: 129.250.35.251 in my case, and enter that in the IP address field.

Tick the preferred box.

Set the interface to Outside (you can set it to an internal time server if you wish).

Click OK and Apply.

Cisco_NTP1.png

That’s about it, you now have a fully functioning router that is connecting to your ISP automatically, allowing internal devices to obtain IP numbers, allowing outbound traffic, denying inbound traffic, allowing pinging outbound and allowing pinging externally to the router.

Going forward you should make sure you keep your router up-to-date with the latest firmware and ASDM version. I find it easiest to download the update images from the Cisco server to a local drive and then using the ASDM ‘Upgrade from Local Computer’ option under the Tools menu.

And one final thing – backup your configuration using Tools, Backup Configurations. Do this now and before you do any upgrades.