
Sometimes it is necessary to back up a firewall's configuration or IOS image to a dedicated machine in
case the firewall malfunctions. The usual way is to set up a TFTP server on a workstation. Connect
your laptop to the firewall's console port with the console cable; with a terminal program such as
SecureCRT or Windows HyperTerminal you get the firewall's CLI. Then use a command like the one
below to back up the file you need. If you don't know which command to use, type "?" for context help.
FWL# copy flash: tftp:
    If you want to see what is stored in the firewall's flash, use the command:
FWL# show flash
 
-#- --length-- -----date/time------ path
    6 8515584        Sep 11 2008 14:14:30 asa724-k8.bin
    7 4181246        Sep 11 2008 14:15:30 securedesktop-asa-3.2.1.103-k9.pkg
    8 398305          Sep 11 2008 14:15:48 sslclient-win-1.1.0.154.pkg
    9 6514852        Sep 11 2008 14:17:36 asdm-524.bin
  12 0                    Sep 11 2008 14:21:38 crypto_archive
From the output of "show flash" above it is not hard to tell the firewall model, the name of the IOS
image file and the version of ASDM.
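The listing above is easy to read by eye but awkward to inventory across many devices. The following is an added example, not code from the post: it parses `show flash` rows and derives the ASA and ASDM versions from the image file names (the sample listing is copied from the post).

```python
"""Parse Cisco ASA `show flash` output and read the image versions off the
file names (added example, not code from the post)."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample, copied from the listing in the post.
SAMPLE_SHOW_FLASH = """\
-#- --length-- -----date/time------ path
    6 8515584        Sep 11 2008 14:14:30 asa724-k8.bin
    7 4181246        Sep 11 2008 14:15:30 securedesktop-asa-3.2.1.103-k9.pkg
    8 398305          Sep 11 2008 14:15:48 sslclient-win-1.1.0.154.pkg
    9 6514852        Sep 11 2008 14:17:36 asdm-524.bin
  12 0                    Sep 11 2008 14:21:38 crypto_archive
"""

# One listing row: index, length, "Mon DD YYYY HH:MM:SS", path.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+"
                    r"([A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
# asa724-k8.bin -> 7.2(4); asdm-524.bin -> 5.2(4). The -k8/-k9 suffix is the
# image's crypto feature set (k8 = DES only, k9 = 3DES/AES), not the model.
IMAGE_RES = {"asa": re.compile(r"^asa(\d)(\d)(\d+)-k[89]\.bin$"),
             "asdm": re.compile(r"^asdm-(\d)(\d)(\d+)\.bin$")}


class FlashEntry(NamedTuple):
    index: int
    length: int
    timestamp: str
    path: str


def parse_show_flash(text: str) -> List[FlashEntry]:
    """One FlashEntry per file row; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, length, ts, path = m.groups()
            entries.append(FlashEntry(int(idx), int(length), ts, path))
    return entries


def image_versions(entries: List[FlashEntry]) -> Dict[str, str]:
    """Map 'asa' / 'asdm' to the version encoded in the image file name."""
    versions = {}
    for entry in entries:
        for key, pattern in IMAGE_RES.items():
            m = pattern.match(entry.path)
            if m:
                major, minor, rel = m.groups()
                versions[key] = f"{major}.{minor}({rel})"
    return versions
```

Keeping the parsed inventory next to the backup lets you spot later, at upgrade time, which image a device was actually running.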
 
If you plan to upgrade the IOS of your ASA device, you have to enter rommon mode: press the ESC
key while the firewall is rebooting. You may need to set some variables in this mode so that the
firewall can communicate with the TFTP server.
 
rommon #1> set
ROMMON Variable Settings:
    ADDRESS=192.168.0.1 (firewall's address)
    SERVER=192.168.0.2 (TFTP server IP)
    GATEWAY=192.168.0.2 (also set to the TFTP server IP)
    PORT=Ethernet0/0 (the firewall port that connects to the TFTP server)
    VLAN=untagged
    IMAGE=asa724-k8.bin (case sensitive)
    CONFIG=
    LINKTIMEOUT=20
    PKTTIMEOUT=4
    RETRY=3 (keep as short as possible)
After finishing these settings, save the new configuration into NVRAM:
Rommon#1>sync
The last step is to execute the TFTP download, which pulls the new IOS version from the TFTP
server onto the firewall.
Rommon#1>tftpdnld
Wait a minute or so until the whole process finishes; the firewall then boots into user EXEC mode,
such as:
Firewall>
Type enable to enter privileged mode, then continue: the preceding procedure only booted your
firewall from the IOS image on the TFTP server, so you must copy it from TFTP into the firewall's flash.
Firewall# copy tftp: flash:
Follow the prompts until it succeeds.
Finally, execute "firewall# copy running-config startup-config" to finish the IOS upgrade.

posted @ 2009-06-29 11:26 Jerome | reads (6) | comments (0)
Here is a case. There is an industrial system whose system time is synchronized with an external time source (such as GPS); furthermore, this system's time takes priority over Windows' time and overrides any Windows time changes. That is, Windows must keep pace with the industrial system's time when synchronizing. But how is this implemented and carried out?

There are a Windows client, a server connected to the dedicated system, and an external GPS. The order of synchronization is: the server synchronizes with the GPS, and the Windows client follows the server's time.

I have tested time synchronization between a PRM client and a simulated PRM server; the detailed process is as below:

RRM server side:

In the registry, you need to change an item as the picture shows:

 

Next, open the Group Policy editor of the RRM server and make a change:

2. What should be set on the PRM client?

Everything as described in the document I have provided.

3. After finishing steps 2 and 3, enter some commands in the Windows command-line interface as below:

I believe it will succeed. Good luck.


posted @ 2009-03-24 16:37 Jerome | reads (101) | comments (0)

In a Windows 2003 Active Directory domain, once a client has joined the domain, the domain controller becomes a time master and acts as the client's time source. In theory the client synchronizes its time with the DC automatically. In practice, however, once the client's time has been changed it does not automatically resynchronize with the domain controller. To achieve this we still need to make some changes on the DC. To configure the DC so that it does not use an external time source, change the announce flags on the DC. First type regedit in "Run" to open the Registry Editor and make the change shown in the figure below.

The DC is now configured to use its own clock as the time source.
So that clients in the domain actively look for the DC to synchronize time, Windows Time also needs to be configured in the DC's Default Domain Policy, as shown in the figure below.

With that, the DC becomes the time master of the Windows domain in the true sense. Let's test a client: change the client's time, then type the following at the command line:
net stop w32time
net start w32time
You will find that the time you changed has returned to the correct time. Now look at the system log, as shown in the figure below:

It is clear that client 192.168.5.30 synchronized its time with the time source 192.168.5.1 (the DC) through NTP port 123.
That concludes this introduction to time synchronization in a Windows domain.

posted @ 2009-03-24 16:11 Jerome | reads (310) | comments (0)

After deploying WSUS, client updates need to be driven through Group Policy. When configuring the Group Policy on the DC, remember to tick the "No Override" option under Options; otherwise the Default Domain Policy takes precedence over, or overrides, your custom policy.

To check whether the policy has taken effect, use "gpresult" at the command line. To force a Group Policy refresh, run "gpupdate /target:computer /force" and "gpupdate /target:user /force" on the client, or "gpupdate /force" (refreshes both).

On the WSUS server, set it to manage clients through Group Policy. If you need to change a client's group membership, do it under the options in the management console first, then switch back to using Group Policy.

If WSUS cannot discover a client, check the following:
1. Whether the browser is set to automatically detect proxy settings
2. Whether the Automatic Updates service starts automatically
You can do this with the wsusdiag tool provided with WSUS.

If the client still cannot be discovered, run wuauclt.exe /detectnow from Run on the client to start Windows' automatic update management process, then refresh on the server side.

This generally resolves the problem of the server not finding the client.

posted @ 2009-03-04 10:41 Jerome | reads (178) | comments (0)

 

Before starting the lab, we need a complete plan for the required devices, the topology to be built and the IP addressing, so that we know where we stand during the configuration that follows.
For the devices used in the lab, refer to the topology below.


For the bridging of the topology, see my earlier article on bridging, which contains the logical bridging diagram for this topology.
IP address plan:
Local management PC --- 192.168.0.1/24, gateway 192.168.0.254/24
VPC in the DMZ --- 192.168.5.4/24, gateway 192.168.5.254/24
ISP addresses (Loopback0 172.16.2.0/24, Loopback1 172.16.3.0/24, S0/1 172.16.1.1/30)
ROUTER addresses (S1/1 172.16.1.2/30, F0/0 10.1.10.1/24)
PIX firewall interface addresses (E0 192.168.0.254/24, E1 192.168.1.254/24, E2 10.1.10.254/24, E3 192.168.5.254/24)
L3SW interface address F1/0 192.168.1.1/24, gateway 192.168.1.254/24
Address assignment for PC1, PC2, PC3 and their VLANs
PC1---192.168.11.1---F0/0---VLAN11--->L3SW F1/1
PC2---192.168.12.1---F0/0---VLAN12--->L3SW F1/2
PC3---192.168.13.1---F0/0---VLAN13--->L3SW F1/3

Lab objectives:
1. The Router can save its configuration file via TFTP to the VPC in the DMZ
2. PC1, PC2 and PC3 can reach the VPC's TELNET, HTTP (80) and RDP (3389) services respectively
3. PC1, PC2 and PC3 can reach the ISP, including PING and TELNET to the ISP (just for lab purposes)

Topics used in the lab:
1. Configuring a default route
2. Configuring NAT on the router
3. Configuring Layer 3 switch ports
4. Basic firewall configuration
5. Using VMware virtual machines and bridging virtual NICs

That completes the preparation. Next, start the emulator and do the necessary configuration.

First, let's look at the configuration required on L3SW:
L3SW#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
L3SW(config)#no ip domain-lookup
L3SW(config)#enable secret cisco
L3SW(config)#exit
L3SW#vlan
*Mar  1 00:01:52.355: %SYS-5-CONFIG_I: Configured from console by console
% Incomplete command.

 

L3SW#vlan database
L3SW(vlan)#vlan 11
VLAN 11 added:
    Name: VLAN0011
L3SW(vlan)#vlan 12
VLAN 12 added:
    Name: VLAN0012
L3SW(vlan)#vlan 13
VLAN 13 added:
    Name: VLAN0013
L3SW(vlan)#exit
APPLY completed.
Exiting....
L3SW#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
L3SW(config)#int f1/0
L3SW(config-if)#no switchport
L3SW(config-if)#ip add 192.168.1.1 255.255.255.0
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#no shut
L3SW(config-if)#int f1/1
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#switchport acc vlan 11
L3SW(config-if)#int f1/2
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#switchport acc vlan 12
L3SW(config-if)#int f1/3
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#switchport acc vlan 13

L3SW(config-if)#exit
L3SW(config)#int vlan 11
L3SW(config-if)#ip add 192.168.11.254 255.255.255.0
L3SW(config-if)#no shut
L3SW(config-if)#int vlan 12
L3SW(config-if)#ip add 192.168.12.254 255.255.255.0
L3SW(config-if)#no shut
L3SW(config-if)#int vlan 13
L3SW(config-if)#ip add 192.168.13.254 255.255.255.0
L3SW(config-if)#no shut
L3SW(config-if)#exit
L3SW(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
L3SW(config)#end
L3SW#wr
Building configuration...

*Mar  1 00:05:33.811: %SYS-5-CONFIG_I: Configured from console by console[OK]
L3SW#

Required configuration on PC1:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname PC1
PC1(config)#no ip domain-lookup
PC1(config)#enable secret cisco
PC1(config)#line vty 0 4
PC1(config-line)#password cisco
PC1(config-line)#login
PC1(config-line)#exit
PC1(config)#service password-encryption
PC1(config)#ip default
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.254
PC1(config)#int f0/0
PC1(config-if)#duplex full
PC1(config-if)#speed 100
PC1(config-if)#ip add 192.168.11.1 255.255.255.0
PC1(config-if)#no shut
PC1(config-if)#end
PC1#wr
Building configuration...

00:05:10: %SYS-5-CONFIG_I: Configured from console by console
00:05:11: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:05:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up[OK]

PC1#ping 192.168.11.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/29/36 ms
PC1#wr
Building configuration...

00:07:10: %SYS-5-CONFIG_I: Configured from console by console[OK]

Configuration required on PC2:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname PC2
PC2(config)#enable secret cisco
PC2(config)#no ip domain-lookup
PC2(config)#service password-encryption
PC2(config)#line vty 0 4
PC2(config-line)#password cisoc
PC2(config-line)#password cisco
PC2(config-line)#login
PC2(config-line)#exit
PC2(config)#int f0/0
PC2(config-if)#duplex full
PC2(config-if)#speed 100
PC2(config-if)#ip add 192.168.12.1 255.255.255.0
PC2(config-if)#no shut
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.254
PC2(config)#end
PC2#wr
Building configuration...

00:02:48: %SYS-5-CONFIG_I: Configured from console by console[OK]
PC2#ping 192.168.12.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC2#ping 192.168.12.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/25/36 ms
PC2#ping 192.168.11.1 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/47/80 ms
PC2#wr
Building configuration...
[OK]
PC2#

Configuration required on PC3:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname PC3
PC3(config)#enable secret cisco
PC3(config)#enable p
PC3(config)#enable password encry
PC3(config)#passwo              
PC3(config)#passwor
PC3(config)#service pass
PC3(config)#service password-encryption
PC3(config)#line vty 0 4
PC3(config-line)#password cisco
PC3(config-line)#login
PC3(config-line)#exit
PC3(config)#int f0/0
PC3(config-if)#duplex full
PC3(config-if)#speed 100
PC3(config-if)#ip add 192.168.13.1 255.255.255.0
PC3(config-if)#no shut
PC3(config-if)#exit
PC3(config)#ip route 0.0.0.0 0.0.0.0 192.168.13.254
PC3(config)#end
PC3#wr
Building configuration...

00:12:02: %SYS-5-CONFIG_I: Configured from console by console[OK]
PC3#ping 192.168.13.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/14/28 ms
PC3#ping 192.168.12.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/44 ms
PC3#ping 192.168.11.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/28 ms
PC3#

Configuration required on the OUTSIDE ROUTER:
R3620#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3620(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
R3620(config)#ip route 192.168.0.0 255.255.0.0 10.1.10.254
R3620(config)#int f0/0
R3620(config-if)#ip nat inside
R3620(config-if)#int s1/1
R3620(config-if)#ip add 172.16.1.2 255.255.255.252
R3620(config-if)#encapsulation ppp
R3620(config-if)#ip nat outside
R3620(config-if)#exit
R3620(config)#exit
R3620#
00:19:02: %SYS-5-CONFIG_I: Configured from console by console
R3620(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R3620(config)#ip nat inside source list 1 interface s1/1 overload
R3620(config)#end
R3620#wr
Building configuration...

00:21:56: %SYS-5-CONFIG_I: Configured from console by console[OK]

Configuration required on the simulated ISP router:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#enable secret cisco
ISP(config)#no ip domain-loo
ISP(config)#no ip domain-lookup
ISP(config)#service passw
ISP(config)#service password-encryption
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#int s1/0
ISP(config-if)#ip add 172.16.1.1 255.255.255.252
ISP(config-if)#encapsulation ppp
ISP(config-if)#no shut
ISP(config-if)#
00:14:11: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
ISP(config-if)#int loopback 0
ISP(config-if)#ip add 172.16.2.1 255.255.255.0
ISP(config-if)#int loopback 1
ISP(config-if)#ip add 172.16.3.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#end
ISP#wr
Building configuration...

00:15:22: %SYS-5-CONFIG_I: Configured from console by console
00:15:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up[OK]
ISP#

For the VPC in the DMZ I used a VMware virtual machine running Windows 2003 Server Standard (English), with a TFTP server installed (listening on port 69); for the lab I also enabled the Telnet service (port 23) in Services. The VPC's NIC is bridged to tap3, as shown in the figure.


For how to install and configure TFTP on Windows 2003 Server, or how to enable the Telnet service, which is disabled by default, refer to the relevant documentation. Because the HTTP service is needed later, IIS also has to be installed on this VPC (see the relevant documentation for installation). The VPC NIC settings are as follows

 



Finally, all that remains is to configure the firewall so that the lab objectives are met. We use the already-installed ASDM to configure the PIX.
Installing ASDM is not covered here; see my earlier article. Start ASDM, log in to the PIX and configure the interface parameters as shown:


To refer to each device conveniently throughout, I mapped each device's interface IP address to its device name, as follows

What policies are needed on the firewall to achieve the lab objectives? As shown:
Static routes that need to be specified on the firewall:

 



At this point all configuration is complete, and we can verify whether the lab objectives are met.
1. On the router, use copy run tftp to upload the configuration file to the VPC
2. PC1 can telnet to the ISP, and PC1 can ping the router
3. PC1 uploads a file to the VPC
4. PC2 can open port 3389 on the VPC. Remote Desktop must be enabled; at a command prompt use telnet 192.168.5.4 3389 and see whether it opens successfully
5. PC3 can open port 80 on the VPC, i.e. the HTTP service is needed, which requires IIS to be installed on the VPC. Test likewise with telnet 192.168.5.4 80
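The manual telnet tests above check only that the allowed paths work; a firewall policy is also wrong when it permits more than intended. The following is an added example, not code from the post: it exercises each expected allow and deny with a plain TCP connect and returns the mismatches. The allows are the post's objectives; the denies are my assumption that each PC may reach only the one service assigned to it, which the post does not state.

```python
"""Check that the lab firewall policy behaves as intended (added example, not
from the post): every expected allow/deny is probed and mismatches returned."""
import socket
from typing import Callable, List, NamedTuple, Tuple


class Expectation(NamedTuple):
    label: str     # which lab objective this probe exercises
    host: str
    port: int
    allowed: bool  # True: the policy should let the connection through

VPC = "192.168.5.4"  # the VPC in the DMZ, from the post's address plan

# Per-source expectations. The allows are the post's objectives; the denies
# assume (my assumption, not stated in the post) that each PC may reach only
# the one service assigned to it.
EXPECTATIONS = {
    "PC1": [Expectation("PC1 telnet to VPC", VPC, 23, True),
            Expectation("PC1 rdp to VPC", VPC, 3389, False),
            Expectation("PC1 http to VPC", VPC, 80, False)],
    "PC2": [Expectation("PC2 rdp to VPC", VPC, 3389, True),
            Expectation("PC2 telnet to VPC", VPC, 23, False)],
    "PC3": [Expectation("PC3 http to VPC", VPC, 80, True),
            Expectation("PC3 rdp to VPC", VPC, 3389, False)],
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect, the same test as the post's `telnet host port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as denied
        return False


def check_policy(expectations: List[Expectation],
                 probe: Callable[[str, int], bool] = tcp_reachable
                 ) -> List[Tuple[Expectation, bool]]:
    """Return (expectation, observed) for each probe whose result differs
    from intent; an empty list means the policy matches the plan."""
    mismatches = []
    for exp in expectations:
        observed = probe(exp.host, exp.port)
        if observed != exp.allowed:
            mismatches.append((exp, observed))
    return mismatches


if __name__ == "__main__":
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else "PC1"  # run it on that PC
    for exp, seen in check_policy(EXPECTATIONS[source]):
        print(f"MISMATCH {exp.label}: observed {'open' if seen else 'closed'}")
```

Run it once from each PC (for example `python check.py PC2`); any line printed is a rule to revisit in ASDM.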


posted @ 2009-02-03 23:04 Jerome | reads (199) | comments (0)