Cisco ASA 5505 Configuration Example

Cisco ASA 5505 Firewall Configuration Example

ASA Version 8.0(3)
hostname ASA5505
domain-name domain.local
enable password /z4VVuCaYOFObhYQ encrypted
no names
name Server1
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd /z4VVr#aYOFObhYQ encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
object-group network Support_Network
object-group network Support_Mail_Network
object-group service Support_Ports tcp
port-object eq smtp
port-object eq 3389
access-list outside_access_in extended permit icmp object-group Support_Network any
access-list outside_access_in extended permit tcp any host eq 3389
access-list outside_access_in extended permit tcp any host eq 3389
access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any host eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object-group Support_Mail_Network host eq smtp
access-list outside_access_in extended permit tcp object-group Support_Network any object-group Support_Ports
access-list outside_access_in extended permit tcp any host eq smtp
pager lines 24
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) netmask
static (inside,outside) netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Server1 protocol nt
aaa-server Server1 host
nt-auth-domain-controller Server1
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh inside
ssh outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
enable outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
group-policy VPNGroupPolicy internal
group-policy VPNGroupPolicy attributes
wins-server value
dns-server value
default-domain value domain.local
username admin1 password 7f2915/98KkXAA7e encrypted privilege 15
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
authentication-server-group server01
default-group-policy VPNGroupPolicy
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
: end
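
A review pass over the configuration above, as an added example that is not part of the original page: it parses the ACL, access-group and management-plane lines and flags what a reviewer would raise first (SSH reachable from the whole Internet, Telnet enabled, RDP and SMTP permitted from any, ICMP from any to any, and no remote syslog host). The sample is a constructed copy of the 5505 config with documentation-range placeholder addresses, because the page's own addresses were stripped.

```python
"""Review an ASA running-config for what a reviewer would raise first: management
services reachable on the outside interface, cleartext Telnet, permits from 'any'
to sensitive ports, and no remote syslog host. SAMPLE_CONFIG is a constructed copy
of the 5505 config above; addresses are documentation-range placeholders."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp object-group Support_Network any
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq 3389
access-list outside_access_in extended permit tcp any host 192.0.2.11 eq 3389
access-list outside_access_in extended permit tcp any host 192.0.2.12 eq www
access-list outside_access_in extended permit tcp any host 192.0.2.12 eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object-group Support_Mail_Network host 192.0.2.13 eq smtp
access-list outside_access_in extended permit tcp object-group Support_Network any object-group Support_Ports
access-list outside_access_in extended permit tcp any host 192.0.2.13 eq smtp
access-group outside_access_in in interface outside
logging buffered informational
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Destination ports that should not be open to 'any' on an Internet-facing ACL.
# Keys use the ASA port keyword where one exists (smtp, ssh, ...) else the number.
SENSITIVE_PORTS = {"3389": "RDP", "smtp": "SMTP", "ssh": "SSH", "telnet": "Telnet",
                   "445": "SMB", "netbios-ssn": "SMB", "sqlnet": "Oracle", "1433": "MSSQL"}

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>\S+) "
    r"(?P<src>any|host \S+|object-group \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|object-group \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+)| object-group \S+)?\s*$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
MGMT_RE = re.compile(r"^(ssh|http) (\S+) (\S+) (\S+)$")  # <svc> <net> <mask> <nameif>


def review_config(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one running-config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    bound: Dict[str, str] = {}  # ACL name -> interface it is applied to
    findings: List[Tuple[str, str]] = []
    has_syslog_host = False
    for line in lines:
        if m := ACCESS_GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif line.startswith("logging host "):
            has_syslog_host = True
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(("medium", f"cleartext Telnet management enabled: {line}"))
        elif (m := MGMT_RE.match(line)) and m.group(4) == "outside":
            svc, net, mask = m.group(1).upper(), m.group(2), m.group(3)
            if net == "0.0.0.0":
                findings.append(("high", f"{svc} management open to the whole Internet: {line}"))
            else:
                findings.append(("low", f"{svc} management reachable from outside {net}/{mask}"))
    # ACL lines are judged after access-group is known, so the guarded interface can be named.
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m["name"] not in bound or m["src"] != "any":
            continue  # unbound ACL, or a permit scoped to a known source network: fine here
        iface, proto, dst, port = bound[m["name"]], m["proto"], m["dst"], m["port"]
        if proto == "icmp":
            findings.append(("medium", f"ICMP from any to {dst} on {iface}: {line}"))
        elif dst == "any":
            findings.append(("high", f"{proto} from any to any on {iface}: {line}"))
        elif port in SENSITIVE_PORTS:
            findings.append(("high", f"{SENSITIVE_PORTS[port]} ({port}) open to any on {iface}: {line}"))
    if not has_syslog_host:
        findings.append(("low", "no 'logging host': buffered logs vanish on reload and nothing can alert on them"))
    return findings


if __name__ == "__main__":
    for sev, msg in review_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}")
```

Feed it the output of `show running-config` from a real unit; the first pass only needs the ACL, access-group, ssh/telnet/http and logging lines.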


Microsoft Exchange Server 2003 To 2010 Upgrade

Microsoft Exchange Server 2003 To 2010 Requirements and Migration – Exchange 2010 on Windows Server 2008 R2:

  • Prepare: Ask users to clean up their mailboxes, empty deleted items ahead of time so you can cut down on mailbox move time.
  • Prepare: connect the two Exchange servers to the same Gigabit switch to speed up the mailbox move. I would connect them directly to the switch since you might have old cat5 cabling in the walls.
  • Join the new Windows Server 2008 R2 server that will run Exchange 2010 to the Windows domain, and make sure you are logged in as Domain Admin to complete the move process.
  • Make sure Internet Protocol Version 6 (TCP/IPv6) is enabled/checked in the Properties of the Exchange 2010 network adapter.
  • Make sure the Windows domain and forest functional levels are at Windows Server 2003 level (you can’t have Windows 2000 domain controllers on the network!). Go to Active Directory Domains and Trusts, right-click on the forest and choose Properties, and check the Domain Functional Level and Forest Functional Level. Raise both if needed. To raise the domain level, right-click on the domain and choose Raise Domain Functional Level.

    To raise the Forest Level, right click on Active Directory Domain and Trust and choose Raise Forest Functionality Level.

  • Open the Exchange 2003 System Manager, right-click on the Organization and make sure the Operation Mode is “Native Mode”. If it’s in Mixed Mode, change it to “Native Mode”. No older Exchange servers are allowed!
  • If needed, suppress Link State Updates on Exchange 2003 (Microsoft link here). I didn’t have to do it in the last two migrations.
  • Install Windows Remote Management (WinRM) 2.0 and Windows PowerShell V2. Download them here.
  • Download and install the Microsoft Office 2010 Filter Packs. For Exchange 2010 SP1 download here (the download might not work with the RTM version – check the Microsoft site for RTM – not sure!).
  • Register the IFilter.
    IFilter registration instructions are here. Note: to run a PowerShell script called RegFilter.ps1 that is located on the C:\ drive, start Command Line as Administrator and type:

    powershell.exe -noexit c:\RegFilter.ps1

    -OR- Another way

    From Command Line type powershell
    PS C:\> Set-ExecutionPolicy RemoteSigned
    PS C:\> .\RegFilter.ps1

  • Go to Services and change Net.TCP Port Sharing service startup type to Auto – it might be disabled.
  • Install the following Windows components required by Exchange 2010 Server. Start PowerShell by going to Accessories –> Command Line, right-click on Command Line and choose “Run as administrator”.

    Type powershell to start Powershell
    PS C:\>Import-Module ServerManager

    Then type:
    PS C:\>Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

  • Restart server. Run Microsoft Updates to install latest Service Pack and Updates for .NET.
  • From the Exchange DVD run (command line): Setup /PrepareLegacyExchangePermissions

    Before you do the next step, you might want to stop outbound replication on the Primary Domain Controller (PDC), so that if anything goes wrong with PrepareSchema the bad schema won’t replicate to the other domain controllers.

    To find out which server holds the PDC role, go to any domain controller command line and type:

    netdom query fsmo

    Go to the PDC and disable outbound replication. Go to Command Line, type the following, and then press ENTER:
    repadmin /options +DISABLE_OUTBOUND_REPL

    Now back to Exchange DVD, Command Line, prepare Schema:

    Setup /PrepareSchema

    Re-enable outbound replication. Go to Command Line on PDC –> type the following, and then press ENTER:
    repadmin /options -DISABLE_OUTBOUND_REPL

    You can check the replication status by typing

    Repadmin /showreps

    Now prepare Active Directory:
    Setup /PrepareAD

    You should be ready now to install Exchange 2010 on the Windows 2008 R2 Server:

    Finishing up Migration – Exchange 2010 Installation:

  • Install Exchange 2010 from DVD by running Setup.
  • After setup is complete, reboot. Run Microsoft Updates, download and apply the latest service packs and updates for Exchange 2010, then reboot. Exchange service packs and roll-ups might take an hour to apply, so be patient and prepared. Every time you reboot and start Windows, run updates to make sure all updates are installed. Make sure the latest Exchange 2010 service pack is installed; sometimes Microsoft Updates doesn’t show it and you have to download and install it manually.
  • On the Exchange 2010 –> Server Configuration –> Enter Product Key Group.
  • On the Exchange 2003 Server Manager, expand Administrative Groups, First Administrative Group, Folders, Public Folders, Offline Address Book, /o=xxx/cn=addrlist…., right click on it and choose All Tasks and Manage Settings (If that is unavailable, then right click and choose Properties). Add the new exchange 2010 server as a new replica.
  • On the Exchange 2010 Server Manager, go to Server Configuration –> Mailbox and on the right make sure that the mailbox database shows as MOUNTED under the Copy Status column.
  • On the Exchange 2010 Server Manager, go to Organization Configuration, Hub Transport, Send Connectors and create a new Send Connector. For “Name”, call it Internet. For “Select the intended use for this Send Connector”, choose Internet. Click Next and type * for Address Space. Click Next and Finish. Important: under Organization Configuration, Mailbox, on the right and under the top section that says “Mailbox”, click on the Database Management tab, right-click on the mailbox database where the users are stored (it might say something like “Database 0681573537”) and choose Properties. Go to the Client Settings tab and make sure the Offline Address Book is pointing to the server’s Offline Address Book (sometimes the Offline Address Book has no entry there); if it’s not there, click Browse and grab it. A missing Address Book means people connected to the new Exchange server will be getting errors when downloading the Address Book in Outlook clients.

    On the Exchange 2010 server manager, go to Server Configuration, Hub transport, Under Receive Connectors, right-click on Default Exchange and choose Properties, Add Anonymous under Permission Groups.

  • Enable Outlook Anywhere. EMC –> Server Configuration –> Client Access –> select the server and on the right pane select “Enable Outlook Anywhere”; when prompted, type in the external host name (something like
  • Select Client Access in Server Configuration & click on the Outlook Web Access tab. Select owa (Default Web Site) and click the Properties. Select Authentication tab. Under Use forms-based authentication: select User name only. Click Browse and select the domain name. Click OK.
  • Add an A record for Exchange 2010 Autodiscover address and webmail address on the external/Internet DNS. Something like pointing to the IP address of the OWA from outside. You should already have added the OWA address which would be something like
  • Obtain a SAN/UC SSL Certificate. That will allow you to have one certificate with multiple domains. SSL is a requirement for Exchange 2010 and choosing a SAN/UC Certificate makes things easier, since you have an internal Windows Domain plus an external Internet domain.
  • To configure another email domain that the Exchange should accept Follow this document.
  • Move mailboxes. In the EMC on Exchange 2010, go to Recipient Configuration, Mailbox, right-click on the user and choose New Local Move Request. After that you need to upgrade the Address Lists; I will be providing instructions on that shortly.
  • If you test sending email from a mailbox that was just moved from Exchange 2003 to Exchange 2010 and you get an NDR (the email bounces back with errors like “#5.2.0 smtp;550 5.2.0………”), or you’re getting error messages in the Application log on the Exchange 2003 saying “Named Properties Quota Limit reached….”, check the following bostonIT Knowledgebase
  • Move Public Folders. On Exchange 2003, open the EMC –> Administrative Groups, First Administrative Group, Servers, the Exchange 2003 server, First Storage Group, Public Folder Store, right-click and choose Move All Replicas.
  • Move Address Books. In the EMC, go to Organization Configuration, Mailbox, Offline Address Book tab on the right, right-click on the Default Offline Address Book and choose Move.
  • Important: After moving mailboxes from Exchange 2003 to Exchange 2010, the Outlook client might show disconnected even though Outlook has been updated automatically to point to the new Exchange server. Go to Account Settings in Outlook –> More Settings and under the Security tab make sure you check the box that says “Encrypt data between Microsoft Outlook and Microsoft Exchange Server”. As soon as you do that, the Outlook client will connect. If you have Outlook 2003, make sure you apply Office 2003 Service Pack 3 on the PCs.

    Try to use Outlook 2003 in Cached Mode to avoid issues. The latest service packs for Outlook 2007/2010 are recommended.

    You might have a problem with Shared Calendars on Outlook 2003. Disable Cached Mode, open Outlook with /cleanviews from the command line and then enable Cached Mode again.

  • Important: Even after migrating everything to the new Exchange 2010, don’t turn off the old Exchange or uninstall it until all users have opened their Outlook clients, so that they auto-reconfigure with the new Exchange 2010 server name. Otherwise, if the old Exchange is shut down or uninstalled, you would need to go around and reconfigure Outlook clients with the new Exchange server name. Why would anybody want to do that if the clients reconfigure themselves as soon as you open them up!
  • After you have moved mailboxes and public folders to the new Exchange server, I would shut down the old Exchange 2003 server, reboot the Exchange 2010 server and make sure everything is working fine with the new Exchange server (Outlook, Web Access, email and so on), so in case you have any issue you would still have the old Exchange server to start and resolve issues.
  • Removing the old Exchange server entails going to the Exchange 2003 System Manager and deleting the Public Folder Store (you might need to do it through ADSIEDIT if it complains about something), deleting the Mailbox Store on the Exchange 2003, deleting the Connectors under Routing Groups of the Exchange 2003 server, going to the Recipient Update Service and removing the Recipient Update Service, removing the Recipient Update Service (Enterprise) using ADSIEDIT, then going to Add or Remove Programs to uninstall Exchange 2003. The following document explains that better.
  • While uninstalling the Exchange 2003 server you might get a message that Exchange 2003 can’t be uninstalled: “The component “Microsoft Exchange Messaging and Collaboration Services” cannot be assigned the action “Remove” because: – One or more users currently use a mailbox store on this server”, even though you have migrated all mailboxes to the Exchange 2010 server. To find which mailbox still sits on the 2003 server, go to Active Directory Users and Computers on Exchange 2003, right-click on the domain and click Find, in the Find field click “Custom Search”, click the Advanced tab and type the following under the LDAP query: (&(objectCategory=user)(msExchHomeServerName=*))

    Under the View, select Choose Columns, under Available Columns, choose “Exchange Home Server” and hit Find now, you should see any mailbox that is still sitting on the Exchange 2003, you can then move it, delete it or delete the Exchange attributes from it.
    The following article explains it more:

    If you find this article useful, please send me an email to so I can keep on adding more hands-on knowledgebase articles.



Windows Updates Error 80071A90

Windows 7 – Windows Updates keeps failing with Error 80071A90:


When trying to install Windows updates on a Windows 7 PC and after you reboot to apply, Windows reverts back changes and doesn’t apply updates as if nothing has happened!


KB2647753 is the fix.

Download KB2647753 (click here), apply it and restart. Then try Windows Updates again and it should work.


Windows Search Error

Windows Search and Windows Updates don’t work after replacing laptop drives with a newer bigger cloned Hard Drive or after replacing one of the RAID disks:


You have a Windows computer and space is running out. You replace it with a newer and bigger cloned/imaged hard drive (cloned with Symantec Ghost for instance). After you start Windows, you discover Windows Search service won’t start and Windows Updates won’t run (Also when you replace one of the disks in a raid array you might run into the same issue). In the Windows Application log you get the following error messages:

The Windows Search service terminated with service-specific error %%-2147217025

Log Name:      System
Source:        Service Control Manager
Date:          8/29/2012 5:29:17 PM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
The Windows Search service terminated with service-specific error %%-2147217025.


Download and install Intel Rapid Storage Technology (RST). Check the laptop vendor’s website for the latest RST (Lenovo, HP, Dell…). The latest driver should support the bytes-per-sector format of the new disk. If you can’t find it, the following link can help:

Download Intel RST Here

For some laptops/PCs, the latest version of RST might not work with older versions of Windows, so in that case install an older version of RST. Fixed!


Default Credentials Ricoh MP C2551

Default Username and Password for Ricoh MP C2551 Printer:

User: Admin
Password: blank (no password)

For security purposes, change it when you can.


How to Stop, Start or force restart iSeries Fax Support

How to Stop, Start or Force Restart iSeries AS400 Enhanced Fax Support:

1- End Fax Support

2- Confirm that the QFAXSBS and QFQSBS subsystems have ended:
You might need to wait for a few minutes for them to end

3- Vary off and on the controllers:

Take option 2. Vary Off and press ENTER
Take option 1. Vary On and press ENTER
The controller will go to a Vary On Pending status

4- Start Fax Support and Enhanced Services:

Force end writer – AS400 – System i

How to force end stuck iSeries (AS400) Writer:

Writer name P8 (for instance)



vary off P8

vary on P8


After that check Outq for messages

Configure Hot Failover between two Cisco ASA

How to Configure Hot Failover – Cisco ASA 5510, 5500 Series Firewalls – Active/Standby:

  • The two ASAs must have identical hardware specs.
  • From “show version” compare the licenses installed. Licenses must match on both ASAs. If you are running ASA software 8.3 and above, licenses don’t need to match. Before upgrading to 8.3 (in case you want to, but you don’t have to), study well! Access lists and NAT are different, so you need to do manual clean-up and re-configuration. Also 8.3 needs 1 GB of memory.
  • After failover is configured, the configuration from the primary will replicate to the standby. Important: If you have AnyConnect or VPN images loaded on the primary, you need to copy them to the secondary, because again those will not replicate – ONLY the configuration replicates (AnyConnect images, AutoReconnect.xml and boot images all need to be copied to both ASAs – upload everything before you start the config below). SSL certificates and their config, if installed on the primary, will replicate as well.
  • Connect the two ASAs through a Cat5 cable for the failover link (heartbeat). You could use the management interface Management0/0 for that. Pick a network and IP address for that interface like The standby will have

Primary ASA:

For each interface with an IP address and subnet mask, pick an IP address for the standby from the same network. For instance, for the inside network with IP address, pick an IP address for the standby like (no mask needed) and configure that interface:

ip address standby

Do the same thing for all other interfaces that you are going to use like the Outside and DMZ (of course with different ip addresses). Make sure they are in “no shutdown”. Interfaces need to be on different networks.

For management interface, do a no shutdown. Make sure interface has no interface name “no nameif”. Don’t configure ip address for it.

Type the following commands

ASA(config)# failover lan unit primary

ASA(config)# failover lan interface failover Management0/0
When you type this command the ASA will say “INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces” and it will give a description to that interface as “description LAN Failover Interface”

ASA(config)# failover interface ip failover standby

ASA(config)# failover link failover Management0/0

If you do show running-config you will see that the description of interface Management 0/0 has changed to “description LAN/STATE Failover Interface”.

ASA(config)# failover replication http

ASA(config)# failover

Secondary/Standby ASA:

Connect all interfaces to their respective networks (at least the inside interface to the inside network and the outside interface to the outside network; the Management0/0 interfaces on both ASAs are connected together through a Cat5 or crossover network cable). Connect to the ASA through a console.

Go to all interfaces that you are going to use (just like the Primary ASA) and do a no shutdown. Don’t forget the Management Interface that will be used as a failover interface – Make sure interface has no interface name “no nameif”. ASA configuration including IP addresses will replicate from the Primary ASA when replication starts.

Following is the minimum configuration that you need to do on the standby. No more!

Type the following:

ASA(config)# failover lan interface failover Management0/0

ASA(config)# failover interface ip failover standby (this is the same exact command you typed on the Primary).

ASA(config)# failover link failover Management0/0

ASA(config)# failover lan unit secondary

ASA(config)# failover replication http

ASA(config)# failover (This is the last command that you need to do and as soon as you do that the replication of configuration will start)

You will see messages similar to the following:

“Detected an Active mate
Beginning configuration replication from mate…. Jul 12 2013 23:37:14: %ASA-6-720037: (VPN-Secondary) HA progression callback: id
=3,seq=200,grp=0,event=101,op=15,my=Sync Config,peer=Active.
Jul 12 2013 23:37:14: %ASA-6-721003: (WebVPN-Secondary) HA progression change:
event HA_PROG_STANDBY_CONFIG, my state Sync Config, peer state Active.
Jul 12 2013 23:37:14: %ASA-1-709006: (Secondary) End Configuration Replication (STB)”

Give it some time (a minute or so) for replication to finish before you proceed with the following.
After that, go back to the primary ASA (not the standby) and save the config on it; that will save it on both ASAs:
ASA# wr mem

You can use the following two commands to see the state of failover:
ASA# show failover
ASA# show failover state

Down the road, if the standby configuration is out of sync with the active ASA, go to the active ASA and do:
wr standby
That will wipe out the whole config of the standby, and the config will replicate from active to standby.
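
The procedure above hinges on the secondary being given the same failover-link commands as the primary, with only the unit role differing, and on plain `failover` being typed last. The following added check (example code, not from the article) parses the two command sets and reports any mismatch before replication is started. The two snippets are constructed from the steps above; the failover-link subnet 10.255.255.0/30 is a placeholder, since the page's own addresses were stripped.

```python
"""Cross-check the failover commands entered on the primary and the secondary
ASA before 'failover' is typed on the secondary. Added example, not from the
article: the two snippets are constructed from the procedure above, with a
placeholder failover-link subnet (10.255.255.0/30)."""
from typing import Dict, List

PRIMARY = """\
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link failover Management0/0
failover replication http
"""

SECONDARY = """\
failover lan interface failover Management0/0
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link failover Management0/0
failover lan unit secondary
failover replication http
"""

# Sub-commands that must be identical on both units; 'lan unit' must differ.
MUST_MATCH = ("lan interface", "interface ip", "link", "replication")


def parse_failover(config: str) -> Dict[str, str]:
    """Map each 'failover ...' sub-command to its arguments ('enable' for a bare 'failover')."""
    cmds: Dict[str, str] = {}
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] != "failover":
            continue
        if len(tok) == 1:
            cmds["enable"] = ""
            continue
        # two-word keys: 'lan unit', 'lan interface', 'interface ip'; one word otherwise
        width = 2 if tok[1] in ("lan", "interface") else 1
        cmds[" ".join(tok[1:1 + width])] = " ".join(tok[1 + width:])
    return cmds


def check_pair(primary: str, secondary: str) -> List[str]:
    """Return the problems found; an empty list means the pair is ready for 'failover'."""
    p, s = parse_failover(primary), parse_failover(secondary)
    problems: List[str] = []
    for key in MUST_MATCH:
        if p.get(key) != s.get(key):
            problems.append(f"'failover {key}' differs: primary={p.get(key)!r} secondary={s.get(key)!r}")
    if p.get("lan unit") != "primary":
        problems.append("primary unit lacks 'failover lan unit primary'")
    if s.get("lan unit") != "secondary":
        problems.append("secondary unit lacks 'failover lan unit secondary'")
    if "enable" in s:
        problems.append("'failover' already entered on the secondary; it must be the last command")
    return problems


if __name__ == "__main__":
    for problem in check_pair(PRIMARY, SECONDARY) or ["OK: failover commands agree"]:
        print(problem)
```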


Room permissions Office 365

Microsoft Hosted Exchange – How to grant a user full permissions on a room mailbox in Office 365:

Email address of user to be granted access:
Room mailbox email address:

You need to do that through PowerShell. PowerShell is part of Windows 7. From your Windows 7 machine, run PowerShell as admin (right-click on PowerShell and choose Run as Administrator).
In the PowerShell window, type the following commands:
Set-ExecutionPolicy unrestricted
Choose Y to confirm.
(You will be prompted for the Office 365 admin user; if you are an administrator in Office 365 then type your email address as the user and your email password.)

$cred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Add-MailboxPermission -Identity -User -AccessRights FullAccess -InheritanceType All -AutoMapping:$false


My Notes on changing permissions on public folders

Same as the above steps, except the last step is:

Get-PublicFolder -Identity "\CPM" -Recurse | Add-PublicFolderClientPermission -User "UserNameHere-WhichIsFirstpartOfEmailAddressBeforethe@" -AccessRights Owner


My Notes on changing permissions on public calendars:

add-MailboxFolderPermission -Identity\Calendar -User -AccessRights PublishingAuthor

Get-MailboxFolderPermission -Identity\calendar

Remove-MailboxFolderPermission -Identity user@mycompany:\calendar -user

My Notes on setting password to never expire for a user:

Find users PasswordNeverExpires status:

Get-MSOLUser -MaxResults 2000 | Select PasswordNeverExpires | export-csv c:\result.txt

Start the Microsoft Online Services Module for PowerShell (download it from the web if not already installed). “Run as” Admin. Type the following:


Check the password policy for that user:
Get-MSOLUser -UserPrincipalName | Select PasswordNeverExpires
Substitute by the username that you want to change password policy for.

Change it to never expires:
Set-MsolUser -UserPrincipalName -PasswordNeverExpires $true
Substitute by the username that you want to change password policy for.


Windows takes long time to shutdown

Windows Server 2008 Takes Too Long to Restart or Shutdown.

Had two identical Lenovo ThinkServer servers loaded with Windows Server 2008 SP1 (not R2) and when restarting or shutting down, it would take over 30 minutes for them to restart.

When you press restart in Windows, Keyboard and Mouse appear unresponsive and the screen halts.

It turned out that Windows Server 2008 was configured to clear the page file upon shutdown/restart, and that was delaying the server going down. To fix the issue, go to the following registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

and change ClearPageFileAtShutdown value to 0 instead of 1

Alternatively, you can go to Programs, Administrative Tools, Local Security Policy, Security Settings, Local Policies, Security Options; in the right pane, right-click on “Shutdown: Clear virtual memory pagefile” and change it to Disabled.

After you make the change, reboot the server (it might still take a long time to reboot because the setting will take effect next time you boot).

If you have a Domain Policy configured make sure you change that setting in the Domain Group Policy on the Domain Controller.
