Archive for the ‘Cisco’ Category

CS-Mars V6.0 in VMWARE (Franken Mars)

Emulating software is a very grey area for Cisco: they make their money by selling boxes, so I guess officially Cisco don’t approve of things like GNS3 and PEMU. BUT Cisco make a lot of their money from techies training in Cisco products who then get their management to buy the boxes they’re certified in; as a result Cisco appear to turn a blind eye to emulating their products for personal training purposes :)

How to delete an Access-List on a Cisco ASA

Why can’t I remember this command?

In order to remove the entire access list, use the clear configure access-list command. Note that without an access-list name this command clears every access list in the running configuration, so give it the name of the one you actually want to delete.

Strange ASA ARP Replying Behavior

I’ve been implementing a few Cisco ASAs recently, and I blogged about this strange behavior; well, I came across another one yesterday.

Take a look at this debug arp….

Cisco NAC SSO Port List

Note to self: the ports I need to allow through the Un-Authenticated ACL for Active Directory SSO to work…

TCP 88,135,389,636,445,1025,1026
UDP 88,389,636 

:)

Cisco ASA and 7905 IP Phone Weirdness

I came across something odd the other day. I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine; if you made a call from a 7905 to a 7940 it failed!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I’d post this for some future googlers!

Backup Interface on Cisco ASA Firewall

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1
asa(config-if)# member-interface gigabitethernet 0/0
asa(config-if)# member-interface gigabitethernet 0/1
asa(config-if)# interface redundant 2
asa(config-if)# member-interface gigabitethernet 0/2
asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

Cisco VPN 3k Config for iPhone

Recently I was asked if I could help set up a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000. My 1st round of googling didn’t look good; there’s a discussion here complaining about how crap VPN support on the iPhone is. Further searching led me to a Cisco document which specifically targets Mac clients; this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working 1st time, it took me a good couple of hours of googling, but looking back I can see that all the info is there.

PKI: Cisco Routers as a Certificate Authority

I’ve had a new request in recently: as part of a move to SCEP + certificates (away from pre-shared keys) a customer has asked if we could use the PKI CA built into Cisco’s router IOS. Now this is a new idea to me; in the past people have either “plumped” for Microsoft’s CA implementation or cooked something up themselves with openssl.

Cisco’s IOS Security Guide (you may need a CCO Login) clearly states that it’s possible and that it supports SCEP auto-enrolment, so I thought I’d give it a go!

How to Import Vendor Specific Attributes into Cisco Secure ACS SE Appliance

I wanted to write a document on how to import RADIUS VSAs (vendor specific attributes) into Cisco’s ACS SE (Solution Engine) appliance, the reason being that I couldn’t find any good examples on the net and Cisco’s documentation just wasn’t clear enough.

My purpose was to use RADIUS authentication with a Nokia IPSO appliance so that users who access Voyager or SSH are authenticated centrally. For RADIUS authentication to work, your authentication server (in this case ACS) needs to supply the AAA client (in this case the IPSO box) with a “return list attribute”. By default ACS doesn’t have the Nokia attributes; to import attributes you need to get your hands on a dictionary file. For Nokia IPSO it’s /etc/nokia.dictionary - I’ve a copy here.

OSPF & Cisco ASAs

One of the interesting things about ASAs is the fact that they support running two OSPF processes. This was a great decision by Cisco: if a business has two different OSPF domains, the chances are they are owned by two separate parts of the business, so where would be a better place to put a firewall?


News - Fooling Cisco’s NAC network access control

Just Found this,

heise Security - News - Fooling Cisco’s NAC network access control

Security experts at the Black Hat conference in Amsterdam have demonstrated how Cisco’s NAC network access control can be fooled. In a live demonstration using a modified Trust Agent, Michael Thumann and Dror-John Röcher from ERNW were able to gain full access to an NAC protected network using a computer which did not comply with network policies.

Although it was obvious that hackers would target the Trust Agent, it’s interesting to read a success story.

Cisco develops smart robot nodes to maintain network connectivity.

I found this via slashdot ….

Military & Aerospace Electronics - Cisco develops smart robot nodes to maintain network connectivity while on the move
Company engineers built prototype cube-shaped robots that sense when a laptop computer user is about to lose wireless network connectivity and move toward the user to maintain the network link, said Dave Buster, product marketing manager for the Cisco Global Government Solutions Group (GGSG) in Research Triangle Park, N.C.

HTTPS backups of Cisco ASA

Here you are, a Cisco security “tid bit”: you can securely back up the running config of your Cisco ASA over HTTPS. You should enable AAA and set a username, but for now here’s the default URL & command for wget.

wget --http-user= --http-passwd=<YOUR PASSWORD> https://<IP ADDRESS>/admin/exec/show%20running-config%20asdm/show%20running-config#

:-D
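The same HTTPS backup as an added example in Python (not the original post's code): the password is read from an environment variable instead of the command line, where wget's --http-passwd leaves it visible in shell history and process listings, and the ASA's certificate is verified against a CA file rather than skipped. The host, username, CA file path, output directory and the `fetch` hook are assumptions.

```python
"""Back up a Cisco ASA running-config over HTTPS (added example, not the
original post's code). Assumes the ASA answers the /admin/exec/<command>
URL shown in the post with HTTP basic auth; host, user, CA file and
output directory below are constructed placeholders."""
import base64
import os
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def build_backup_url(asa_host, command="show running-config"):
    # The CLI command rides in the URL path, so its spaces become %20.
    return f"https://{asa_host}/admin/exec/{urllib.parse.quote(command)}"


def basic_auth_header(user, password):
    # Same credential wget would send, but built in-process so the
    # password never appears in argv or the shell history.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def fetch_running_config(asa_host, user, password, ca_file, fetch=None):
    """Return the running-config text. `fetch` is a hook (assumed) so the
    request can be faked offline; by default a verified TLS request is made."""
    req = urllib.request.Request(
        build_backup_url(asa_host),
        headers={"Authorization": basic_auth_header(user, password)},
    )
    if fetch is None:
        # Verify the ASA's certificate against our CA bundle instead of
        # disabling verification (wget's --no-check-certificate).
        ctx = ssl.create_default_context(cafile=ca_file)

        def fetch(r):
            return urllib.request.urlopen(r, context=ctx).read().decode()
    return fetch(req)


def save_backup(config_text, out_dir, asa_host):
    # One timestamped file per run so earlier backups stay around for diffing.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = os.path.join(out_dir, f"{asa_host}-{stamp}.cfg")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(config_text)
    return path


if __name__ == "__main__":
    text = fetch_running_config("192.0.2.1", "admin",
                                os.environ["ASA_PASSWORD"], "asa-ca.pem")
    print("saved", save_backup(text, ".", "192.0.2.1"))
```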

Basic Example Cisco Switch Config

Figure 1

I’ve been meaning to add a dedicated Cisco section to my site for a while; I thought it’d be helpful if I converged my rants with work a little ;) I’m hoping to build up a personal archive of notes for work, and in doing so help others with similar roles & problems. I’ve gone through and added any Cisco related posts to my archive, useful Cisco bookmarks have always been online with del.icio.us, and now to finish off I have a config files directory. Usual rules apply to this and all other posts - see disclaimer.

Evolution of Cisco.com

Looks like cisco have given their website an image overhaul…..

Evolution of Cisco.com - Cisco Systems
A transformation is occurring on the Web. The end user is more in charge, creating collaborative websites and blogs, generating, mixing and sharing content, and having more of a say in how companies do business with them. The potential of the Internet is being fulfilled by more than the physical network alone, it is the human network where people are connecting and collaborating, enabling ideas and opportunities. This represents an ideal time for Cisco to transform our website, into a platform for collaboration, interaction and innovation.