PIX 6.3, aaa accounting
Hello
I'm trying to understand how the following command:
"accounting aaa include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 GANYMEDE +".
(1.1.1.1 is a former host, 2.2.2.2 is the PIX)
I think I get 'include' (create a new rule) & "tcp/0"(the rule specifies all tcp ports).
But 1.1.1.1 (including pix 6.3 ios doc called local_ip-"host or network of hosts that you want to be authenticated or authorized")-I think it would be customers. Is this fair?
And 2.2.2.2 (called foreign_ip) is not clear at all - the doc called this foreign_ip - "hosts you want to access the address local_ip. As I have defined 2.2.2.2 as the PIX, it seems to the PIX to access customers. Yet if I flip the IP addresses, I get the PIX box I want to have authenticated, that does not seem fair...
I am missing probably completely what circumstances this would be used for. On my network, to present all we use AAA for UAL telnet is in features and commands that are run on the devices, but I know that AAA is also used to allow users access to various things...
(doc, that I'm looking is http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1073208)
TIA - Linnea
You guessed it!
Tags: Cisco Security
Similar Questions
-
AAA accounting report is not with issued orders.
Hello everyone, I have a problem with the AAA accounting on my ACS 4.0 device. When I view the posting journal lists the connections, protocols and addresses IP but not the commands executed on the specific switch. When I debug AAA accounting I see ouput but when I debug Ganymede accounting I see nothing. An exammple of my config is:
AAA new-model
AAA group Ganymede Server + ACS
Server [ip address here]
Server [ip address here]
AAA accounting exec by default start-stop group ACS
AAA accounting command 0 arrhythmic group ACS
orders accounting AAA 15 start-stop ACS group
RADIUS-server key [here].
I left on the framework for the authentication of the configuration (in the example above) that it works very well.
Someone at - it ideas why the actual orders are not be captured on GBA?
Thanks in advance.
GBA, accounting of the order must be recorded in the Administration of GANYMEDE + do not connect not the journal GANYMEDE + accounting! Don't ask me why, what just. At least it is on my own and took me a while to discover as well.
Hope this helps
Concerning
Mike
-
Hey guys,.
I'm looking for help to set up my router to where it makes account of my CSACS all commands run by users. For example, I login as the user bbaggins and I change a configuration of ACL, is there a way for the orders that I typed in being connected by the ACS?
Thanks for your help.
You must configure this Ganymede. Here are the commands.
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 1 by default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
Command accounting logs are stored in the newspapers of the administration of Ganymede. There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.
Patch for the unit is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
Acs hotfix for windows is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
Kind regards
~ JG
Note the useful messages
-
I have a PIX 520 in the laboratory running 6.3.3 and PDM 3.0. I tested AAA authentication and authorization to our ACS server and run into problems.
I have two groups put in place on our ACS server. A group can be accessed freely, the other group is set to the top with a Shell command authorization set that limit orders so that they can watch the running-config and a few other things. Users of both groups can connect to the PDM or SSH/telnet/series in the unit and are authenticated and authorized correctly.
The configuration below works fine, until I pull the ACS server off the network. Because it is not any backup authentication or authorization to order method I am dead in the water. When this happens, I can always connect via the serial console, by using the 'pix' username and password enable, I just cannot run the command 'Enable' mode privlieged or any other control besides. (I get an error "Permission has no orders").
Here's a current configuration:
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + (inside) host 1.2.3.4 123456 timeout 5
Console telnet authentication GANYMEDE AAA +.
the AAA console ssh GANYMEDE authentication +.
AAA authentication GANYMEDE serial console +.
AAA authentication enable console GANYMEDE +.
Console AAA authentication http GANYMEDE +.
order of AAA for authorization GANYMEDE +.
Is it possible to set up a backup method for approval of authentication and control? If not, is there any other way the problem I'm running into?
Let me know if you need more info. Thank you!
Hello
Sorry, I missed this earlier. There is a failure on the PIX for this and we have an open enhancement request to add several methods of authorization to the PIX - CSCea04538. At this point, your best bet is to bug of your account team to get this feature added to the code of PIX to come. Sorry for the inconveinence.
Scott
-
AAA accounting records to the RADIUS server
Im trying to activate recods orders accounting to be send to my server ACS on all my devices, I activated this orders accounting for each level of privilege to follow who types what on my devices, now the problem is that the files are not displayed on my ACS accouting reports, I get everything except the records for the typed commands , any suggestions on what order the put value on my devices to enable this feature... ?
The head about it. It points you to a patch for a 4.1 Setup that I assume that you are using.
See you soon
-
I have Cisco ACS 3.2 on widnows with cisco (IOS 12.3) devices configured with authentication. I need enable accounting. I just need the list of commands (changes) on the cisco device. What is the command to correct authentication? This is the current configuration.
AAA server Ganymede group + tacgrp
Server X.X.X.X
Server Y.Y.Y.Y
!
AAA authentication login default group Ganymede + local
AAA authentication login relief group Ganymede + activate
AAA - the id of the joint session
GANYMEDE-server host X.X.X.X
GANYMEDE-server host Y.Y.Y.Y
RADIUS-server application made
RADIUS-server key 7 XXXXXXXXXXXXXXXXXXX
Line con 0
line vty 0 4
There is no accounting for SNMP.
The snmp on the router show command can tell you how many polls where done.
Example to see the output of snmp:
RAME: SCA043004DW
Contact: smotwani
Location: noida
SNMP 56224160 to input packets
0 bad SNMP version error
38 unknown community name
Illegal operation in name of the provided community 0
Coding errors 0
Number of requested variables 268814216
Number 112 of the variables changed
35437579 get PDUs request
20781918 get-next PDUs
24 set-request PDUs
0 input queue DROPS number package (Maximum 1000 queue size)
56224122 release of SNMP packets
0 too big mistakes (maximum 1500 packet size)
15 no such errors of name
Bad values 0 errors
0 General errors
56219928 response PDUs
0 trap PDUs
You can also define a list of access allowing for any snmp and connect the access list which will have a counter that increments.
There is no such thing as research in the papers of the ACS to know how often snmp has been consulted and what ip address for the simple reason that the authorization does not apply to the snmp.
-
AAA accounting in charge of the Windows 2008 network POLICY server log
Hello world
We have configured our Cisco devices to use Windows 2008 network POLICY server for RADIUS. However, we cannot configure aaa represents priv 15 commands to use the same radius servers for recording of commands in privileged mode. When you set up by using the following command:
AAA commands 15 arrhythmic default accounting RADIUS_SERVERS group
I noticed that there is only GANYMEDE + servers 'group' categories and optional. After entering the server radius group, I realized that the command is not saved and by inspecting the logs I saw the following:
The 'MF_RAD' server group is not a Ganymede server group. Please define "RADIUS_SERVERS" as a Ganymede server group.
This means that the function of accounting 'orders' (and probably most others) can be activated only when you use a GANYMEDE Server +?
Thanks in advance
You're absolutely right. Accounting command only works with Ganymede. We cannot have the command for the radius Protocol accounting. RADIUS accounting only gives you start and stop sessions package.
~ BR
Jatin kone* Does the rate of useful messages *.
-
I have a PIX with the following configuration:
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + (inside) host 192.168.1.1 77777 timeout 5
RADIUS Protocol RADIUS AAA server
AAA-RADIUS (inside) host 192.168.1.1 Server 77777 timeout 10
AAA-server local LOCAL Protocol
AAA authentication GANYMEDE serial console +.
AAA authentication enable console GANYMEDE +.
order of AAA for authorization GANYMEDE +.
AAA accounting correspond to aaa_acl inside RADIUS
Everything works fine when the RADIUS server is available. When he is not available, I can log in with the username "PIX" and "password". The problem is, once I connected, I can't get permission to execute orders. Does anyone know of a command that is similar to the "if-certified" for routers that I can use?
There is no method of backup for authorization for the PIX. As you know, if the RADIUS server is down, you can connect with "pix" and the password enable, but it doesn't help a permission. The only thing you can do is wait the GANYMEDE server back to the top. I'm sorry.
-
Accounting on my PIX command failed
Hello
I'm setting up my PIX ver 7.2 (2) for accounting command using the command 'aaa accounting command', but I am not able to see any accounting information on my ACS 4.1 build 23 Server!
Although authentication for this PIX works very well and the accounting also works perfectly for other IOS devices, accounting for the PIX does not work when you browse the administration GANYMEDE page +!
I write the show-tech for your referecne PIX!
Appreciate your support here!
BR,
Haitham
Recommend you to take a look at this CSCsg97429bug.
~ Rohit
-
Administrator command accounting Pix 515
Hello
Is there a way to connect firewall admin commands issued to the firewall? As for example, send to a GANYMEDE Server +?
Thanks for the help.
Hello noipt,
Accounting command can be configured ONLY in PIX v7.x. In addition, looks not - show only orders will be sent.
By the order No.
Accounting messages to the GANYMEDE + accounting server when you enter one command other display commands in the CLI, use the command of control accounting aaa in global configuration mode.
AAA accounting command
http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a1_711.htm#wp1428200
For version 6.x.
Authentication and authorization in order for PIX 6.2
http://www.Cisco.com/warp/public/110/pix_command.shtml#accounting
There is no command available real accounts, but in having enabled on the PIX of syslog, you can see what steps have been made, as shown in this example:
307002: allows connection of the 172.18.124.111 Telnet session
111006: connection to pixtest to the console console
611103: user disconnected: Uname: pixtest
307002: allows connection of the 172.18.124.111 Telnet session
111006: connection to pixtest to the console console
502103: user priv level changed: Uname: pixtest of: 1:15
111008: user 'pixtest' command 'enable '.
111007: configuration Begin: 172.18.124.111 reading of the terminal
111008: user 'pixtest' run the command "configure t."
111008: user 'pixtest' run the command "write t.
I hope this helps! If Yes, please rate.
Thank you
-
Accounting customer VPN on PIX 515 worm problem. 6.3
Hello everyone! Is it possible to configure PIX 515 worm. 6.3 to send logs to the RADIUS to break when a VPN Client user loggs in and outside loggs? I can't find any aaa accounting command which allows this.
Hello
Accounting of VPN was added in PIX 7.x. It is not available with 6.x
Kind regards
Vivek
-
Select orders accounting aaa for all levels of privilege?
Here is the syntax of the command:
AAA accounting {auth-proxy | system | network | exec | login | orders level} {default | name-list} {arrhythmic | stop only | none} group [broadcast] name of
The accounting type 'command' must include the privilege level of the orders that you log on. How can I connect all orders?
Consider the following example:
aaa accounting commands 15 default start-stop group mygroup
If I run this command will mean that command that the user runs which have a level of less than 15 privilege are not registered? Or only commands that require exactly the privilege level 15 will be connected?
How can I connect all orders regardless of the privilege level?
Hey red,
If you customize the command privilege level by using the command of privilege, you can limit who commands the unit accounts for by specifying a minimum privilege level. The security apparatus does not account for orders that are below the minimum privilege level.
The default privilege level is 0. So if you do not specify a level of privilege then all should be counted.
You can find the details of the order to. It's good for the SAA.
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/command/referenc...
Kind regards
Kanwal
Note: Please check if they are useful.
-
Accounting and authorization of the AAA
Hello everyone.
I give myself a proposed implementation of AAA on routers and switches in our environment. Can someone please help me understand the difference between.
command option 1) aaa authorization exec and the authorization of the aaa.
aaa accounting exec command option 2) and the aaa accounting.
Thank you very much.Sent by Cisco Support technique Android app
Hello
command option 1) aaa authorization exec and the authorization of the aaa.
One allows if the user has the privilege level right to enter unrestricted IOS (0,1,15) levels, you can customize it.The other allows different commands, a user can type and send to the device
aaa accounting exec command option 2) and the aaa accounting.
One represents once again when a user changes from a specific user-level (level preferred 15 or user-level Exec 1)
Secondly it sends a message of each shipment of order based costing to box
Check out my blog at http:laguiadelnetworking.com for more information.
See you soon,.
Julio Segura Carvajal
-
The AAA authentication &; accounting using the command of Ganymede-orders
In the page of the cisco Remote Access Companion guide 394 book we got these configuration lines:
RTA (config) #tacacs - server host 192.168.0.11
RTA (config) #tacacs - host 192.168.0.12 server
RTA (config) #tacacs - server key topsecret
RTA (config) #aaa new-model
Ganymede + RTA (config) #aaa authentication login default group
If I want to add to the configuration above, the following command:
RTA (config) #aaa accounting connection defult stop / start Ganymede +.
Is it necessary that the above lines be in a specific order when I configure the RTA?
No, the order in which you enter commands doesn't matter.
-
It seems that I have problems similar to many others in the connection of remote clients to a PIX 515E.
Currently, I have tried both the client VPN Cisco 3.6 and 4.03 without success. Users are authenticated very well and the customer, you can see that their assigned an address etc but they are unable to access the internal network. The crypto ipsec his watch HS no encrypted traffic has affected the Pix as its...
within the State of the customer etc., it shows that packets are encrypted so I'm at a bit of a loss.
I have also a problem with pptp connections - this seems to differ between the BONES on the client but Win2K machines can connect and get checked etc but again failed to connect within the networks. These could be linked?
My current config is: (change of address, etc.)
SH run
: Saved
:
PIX Version 6.2 (1)
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
nameif ethernet2 security10 intf2
enable password xxxx
passwd xxxx
hostname fw
domain name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol 2000 skinny
No fixup protocol sip 5060
names of
name Inside_All 10.0.0.0
name 10.30.1.0 Ireland1_LAN
name 159.135.101.34 Ireland1_VPN
name 213.95.227.137 IrelandSt1_VPN
name 10.30.2.0 Cardiff_LAN
name 82.69.56.30 Cardiff_VPN
access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248
access-list 101 permit ip Ireland1_LAN 255.255.255.0 255.0.0.0 Inside_All
access-list 101 permit ip Cardiff_LAN 255.255.255.0 255.0.0.0 Inside_All
access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0
outside_interface list access permit icmp any any echo
outside_interface list access permit icmp any any echo response
outside_interface list of access permit icmp any any traceroute
outside_interface list access permit tcp any host 212.36.237.99 eq smtp
outside_interface ip access list allow any host 212.36.237.100
access-list permits outside_interface tcp host 212.241.168.236 host 212.36.237.101 eq telnet
outside_interface list of access permitted tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet
outside_interface list access permit tcp any any eq telnet
allow the ip host 82.69.108.125 access list outside_interface a
access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0
access-list 103 allow ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0
access-list 104. allow ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0
pager lines 24
opening of session
recording of debug console
monitor debug logging
interface ethernet0 10baset
interface ethernet1 10baset
Automatic stop of interface ethernet2
Outside 1500 MTU
Within 1500 MTU
intf2 MTU 1500
IP outdoor 212.36.237.98 255.255.255.240
IP address inside 10.1.1.250 255.255.255.0
intf2 IP address 127.0.0.1 255.255.255.255
alarm action IP verification of information
alarm action attack IP audit
IP local pool ippool 10.1.1.88 - 10.1.1.95
IP local pool mspool 10.7.1.1 - 10.7.1.50
IP local pool mspools 192.168.253.1 - 192.168.253.50
location of PDM Inside_All 255.255.255.0 inside
location of PDM 82.69.108.125 255.255.255.255 outside
location of PDM 10.55.1.0 255.255.255.0 inside
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
(Inside) NAT 0-list of access 101
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
public static 212.36.237.100 (Interior, exterior) 10.1.1.50 netmask 255.255.255.255 0 0
public static 212.36.237.101 (Interior, exterior) 10.1.1.254 netmask 255.255.255.255 0 0
public static 212.36.237.99 (Interior, exterior) 10.1.1.208 netmask 255.255.255.255 0 0
Access-group outside_interface in interface outside
Route outside 0.0.0.0 0.0.0.0 212.36.237.97 1
Route inside Inside_All 255.255.255.0 10.1.1.254 1
Route inside 10.2.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.3.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.4.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.5.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.6.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.7.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.8.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.9.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.10.1.0 255.255.255.0 10.1.1.254 1
Route inside 10.11.1.0 255.255.255.0 10.1.1.253 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout uauth 0:00:00 uauth absolute 0:30:00 inactivity
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
AAA-server AuthInOut Protocol Ganymede +.
AAA-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10
the AAA authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
the AAA authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
AAA accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
AAA accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
Enable http server
http 82.69.108.125 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server SNMP community xxx
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Sysopt route dnat
Crypto ipsec transform-set esp - esp-md5-hmac VPNAccess
Crypto ipsec transform-set esp-3des esp-md5-hmac VPNAccess2
Crypto-map dynamic dynmap 10 game of transformation-VPNAccess2
card crypto home 9 ipsec-isakmp dynamic dynmap
card crypto ipsec-isakmp 10 home
address of 10 home game card crypto 102
set of 10 House card crypto peer IrelandSt1_VPN
House 10 game of transformation-VPNAccess crypto card
card crypto ipsec-isakmp 15 home
address of home 15 game card crypto 103
set of 15 home map crypto peer Cardiff_VPN
House 15 game of transformation-VPNAccess crypto card
card crypto ipsec-isakmp 30 home
address of 30 home game card crypto 104
crypto home 30 card set peer 212.242.143.147
House 30 game of transformation-VPNAccess crypto card
interface card crypto home outdoors
ISAKMP allows outside
ISAKMP key * address IrelandSt1_VPN netmask 255.255.255.255
ISAKMP key * address Cardiff_VPN netmask 255.255.255.255
ISAKMP key * address 212.242.143.147 netmask 255.255.255.255
ISAKMP identity address
part of pre authentication ISAKMP policy 5
ISAKMP strategy 5 3des encryption
ISAKMP strategy 5 md5 hash
5 2 ISAKMP policy group
ISAKMP life duration strategy 5 86400
part of pre authentication ISAKMP policy 7
ISAKMP strategy 7 3des encryption
ISAKMP strategy 7 sha hash
7 2 ISAKMP policy group
ISAKMP strategy 7 life 28800
part of pre authentication ISAKMP policy 10
encryption of ISAKMP policy 10
ISAKMP policy 10 md5 hash
10 1 ISAKMP policy group
ISAKMP policy 10 life 85000
part of pre authentication ISAKMP policy 20
encryption of ISAKMP policy 20
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 85000
vpngroup client address mspools pool
vpngroup dns-server 194.153.0.18 client
vpngroup wins client-server 10.155.1.16
vpngroup idle time 1800 customer
vpngroup customer password *.
Telnet 82.69.108.125 255.255.255.255 outside
Telnet 10.55.1.0 255.255.255.0 inside
Telnet 10.1.1.0 255.255.255.0 inside
Telnet timeout 15
SSH 82.69.108.125 255.255.255.255 outside
SSH timeout 15
VPDN Group 6 accept dialin pptp
PAP VPDN Group 6 ppp authentication
VPDN Group 6 chap for ppp authentication
VPDN Group 6 ppp mschap authentication
VPDN Group 6 ppp encryption mppe auto
VPDN Group 6 client configuration address local mspools
VPDN Group 6 pptp echo 60
local 6 VPDN Group client authentication
VPDN username xxxx password *.
VPDN username password xxx *.
VPDN username password xxx *.
VPDN username password xxx *.
VPDN username xxxx password *.
VPDN allow outside
username xxx pass xxx
Terminal width 80
Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa
: end
If you do not see decrypts side Pix while my thoughts are (for IPSEC) ESP and GRE (for PPTP) do not get to your Pix (blocks perhaps of ISP or other devices).
If you do a "capture" of the packets on the external interface you see all traffic ESP or GRE? Where the customer? If this isn't the case, dialup is ESP or permitted GRE?
Maybe you are looking for
-
Satellite M70-164 PSM71: after the installation of Vista the display flashes
Hello I have a M70 - 164 witch has an ATI mobility Radeon x 700 with 128 MB dedicated. I installed Windows Vista Business on it, but sometimes, when the LCD resolution changes (IE, when I start a game, when I close the LCD screen and open when I conn
-
App for the time and payroll sheet calculations
My daughter in hospitality makes work so much split and travel on a Saturday and Sunday. I am looking for an application that we can punch in his hours for the week and be able to do the calculation of salary based on the appropriate hourly rate so t
-
I bought a 128 GB SSD for my HP computer. Use of recovery on this disc?
My current HARD drive works fine, but I wanted the advantage of speed of installation of the operating system and programs on an SSD. I tried using the recovery on the SSD disks and he got all the way to the final, but could not go beyond the part o
-
How can I get rid of Babylon Search
I downloaded div - x and since then, something called search of Babylon took over all research. I can't find it in my programs to remove it, and it still triggers a lot of problems that ad-aware pro picks up (something to do with cookies?) I tried to
-
Is the .mov file type a file type supported for Windows Movie Maker?
QuickTime + Windows Movie Maker Is it possible to import MOV (Quicktime Movie File) files in Windows Movie Maker? I have a Kodak EasyShare Dx4330 (very old model digital camera) Anyone know of a FREE video converter (shareware)? Help, please. It is