Why can’t I remember this command?

In order to remove the entire access list, use the clear configure access-list command

I’ve been implementing a few Cisco ASA’s recently, and I blogged about this strange behavior; well I came across another one yesterday.

Take a look at this debug arp….

Note to self, the ports I need to allow thru the Un-Authenticated ACL for Active Directory SSO to work…

TCP 88,135,389,636,445,1025,1026
UDP 88,389,636 

I came accross something odd the other day, I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine, if you made a call from a 7905 to a 7940 it failled!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I post this for some future googlers!

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1
asa(config-if)# member-interface gigabitethernet 0/0
asa(config-if)# member-interface gigabitethernet 0/1
asa(config-if)# interface redundant 2
asa(config-if)# member-interface gigabitethernet 0/2
asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

As it’s late, and I’m bored waiting for a customer call back, I thought I’d write about something both amusing & irritating. Recently I purchased a copy of Network Security Technologies & Solutions from Amazon, as I’m in no hurry I opted for the free royal mail delivery option. When I got home I found the Amazon box on my door-step and surprising the the box was open!!!

You hear about things going lost in the mail regularly and I can only presume that someone responsible for sorting the parcel spotted a rather heavy box from Amazon and thought it must be some expensive gadget, how disappointed they must have been to see that it was a dull old Cisco book

If you saw this tweet, you’ll see that a little while ago I had some fun with Playstation 3 online gaming; it’s probably my own fault because I’m possibly the only person with a version 6 Cisco Pix Firewall at home in front of their playstation.

If you want to get online gaming working though your firewall there’s a really good online reference here and my specific grumble about having to open up a shed load of ports for EA’s Burnout paradise is documented in their support area.

To summarize, this is what I’ve got open:

Recently I was asked if I could help setup a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000, my 1st round of googling didn’t look good, there’s a discussion here complaining about how crap vpn support on the iphone is; further searching lead me to a Cisco document which specifically targets mac clients, this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working 1st time, it took me a good couple of hours of googling, but looking back I can see that all the info is there.

I’ve had a new request in recently, as part of a move to SCEP + Certificates (away from pre-shared keys) a customer has asked if we could use the PKI CA build into Cisco’s router IOS. Now is this is a new idea to me; in the past people have either “plumped” for Microsofts CA implementation or cooked something up themselves with openssl.

Cisco’s IOS Security Guide (you may need a CCO Login) clearly states that it’s possible and that it supports SCEP auto-enrolment, so I thought I’d give it a go!

I wanted to write a document on how to import RADIUS VSA’s (vendor specific attributes) into cisco’s ACS SE (Solution Engine) appliance, the reason being that I couldn’t find any good examples on the net and cisco’s documentation just wasn’t clear enough.

My purpose was to use RADIUS authentication between a Nokia IPSO appliance such that users who access voyager or ssh get authenticated centrally; for RADIUS authentication to work your authentication server (in this case ACS) needs to supply the AAA client (in this can the ipso box) with a “return list attribute”. By default ACS doesn’t have the nokia attributes; to import attributes you need to get your hands on a dictionary file, for nokia ipso it’s /etc/nokia.dictionary - I’ve a copy here.

One of the interesting things about ASA’s is the fact that it supports running two OSPF Processes. This was a great decision by cisco, if a business has two different OSPF domains the chances are they are owned by two separate parts of the business, so where would be a better place to put a firewall?

Just Found this,

heise Security - News - Fooling Cisco’s NAC network access control

Security experts at the Black Hat conference in Amsterdam have demonstrated how Cisco’s NAC network access control can be fooled. In a live demonstration using a modified Trust Agent, Michael Thumann and Dror-John Röcher from ERNW were able to gain full access to an NAC protected network using a computer which did not comply with network policies.

Although it was obvious that hackers would target the the Trust Agent, it’s interesting to read a sucess story.

I found this via slashdot ….

Military & Aerospace Electronics - Cisco develops smart robot nodes to maintain network connectivity while on the move Company engineers built prototype cube-shaped robots that sense when a laptop computer user is about to lose wireless network connectivity and move toward the user to maintain the network link, said Dave Buster, product marketing manager for the Cisco Global Government Solutions Group (GGSG) in Research Triangle Park, N.C.

It’s been a while since I’ve been up close & personal with a nokia firewall , but recently I’ve needed to play.

The first thing I noticed was that the console cable has changed, now let’s not focus too much on the design floor where by you can’t actually get your fingers in properly to release the cable, but at least they got rid of the db9 type, serial thing that kept breaking.

The good news is, looking at the cable colours you can see that the cables are roll over cables - exactly the same as cisco use - great ! One less thing to carry around in the laptop bag

Here you are, a cisco security “tid bit”, you can secure backup the running config of your Cisco ASA over https, now you should enable AAA and set a username, but for now, here’s default url & command for wget.