Why can’t I remember this command?

In order to remove the entire access list, use the clear configure access-list command

I’ve been implementing a few Cisco ASA’s recently, and I blogged about this strange behavior; well I came across another one yesterday.

Take a look at this debug arp….

Note to self, the ports I need to allow thru the Un-Authenticated ACL for Active Directory SSO to work…

TCP 88,135,389,636,445,1025,1026
UDP 88,389,636 

I came accross something odd the other day, I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine, if you made a call from a 7905 to a 7940 it failled!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I post this for some future googlers!

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1
asa(config-if)# member-interface gigabitethernet 0/0
asa(config-if)# member-interface gigabitethernet 0/1
asa(config-if)# interface redundant 2
asa(config-if)# member-interface gigabitethernet 0/2
asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

If you saw this tweet, you’ll see that a little while ago I had some fun with Playstation 3 online gaming; it’s probably my own fault because I’m possibly the only person with a version 6 Cisco Pix Firewall at home in front of their playstation.

If you want to get online gaming working though your firewall there’s a really good online reference here and my specific grumble about having to open up a shed load of ports for EA’s Burnout paradise is documented in their support area.

To summarize, this is what I’ve got open:

Here’s the story, moons ago when I started in security somebody told me all about Pretty Good Privacy (PGP) in my enthusiasm I got straight on to downloading a copy; now this was a long time ago and I can’t remember if it was freeware or a trial from pgp.com, but either way I got straight onto generating a public/private key pair.

Seahorse is a cracking GnuPG implementation for Gnome.

Just like GnuPG it also requires secure memory to get the best privacy; I can never remember how to set this up, fortunately there’s an faq on gnupg.org so a quick…

sudo chmod 4755 /usr/bin/seahorse*

and we’re done, no more error messages

It’s taken me a few days to catch up with my x-mas RSS backlog, the below are worth a mention

• A WordPress Plugin that removes the version info by BlogSecurity
• AirX for the n800 fixed so I play display X apps on my tablet
• An interesting GMail Security Article hit digg.
• Some nice images (wallpaper) for my n800.
• How to Backup your google account.
• Cisco VPN Client for n800 ITOS2008 Released.
• Some wordpress admin themes.
• A Critical WordPress Upgrade 2.3.2 including a custom DB Error Page, which I suggested (believe it or not).

Recently I was asked if I could help setup a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000, my 1st round of googling didn’t look good, there’s a discussion here complaining about how crap vpn support on the iphone is; further searching lead me to a Cisco document which specifically targets mac clients, this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working 1st time, it took me a good couple of hours of googling, but looking back I can see that all the info is there.

I’ve had a new request in recently, as part of a move to SCEP + Certificates (away from pre-shared keys) a customer has asked if we could use the PKI CA build into Cisco’s router IOS. Now is this is a new idea to me; in the past people have either “plumped” for Microsofts CA implementation or cooked something up themselves with openssl.

Cisco’s IOS Security Guide (you may need a CCO Login) clearly states that it’s possible and that it supports SCEP auto-enrolment, so I thought I’d give it a go!

I’ve been offline for a while, but I’ve just seen this:

The Associated Press: New Antivirus Software for Playstation 3
The company bills the software as the first of its kind for a home gaming system. It was released earlier this month as part of a PS3 upgrade and will be free until April.

This is a really positive thing to see; by the fact that there is a market there shows that “Joe gamet” is thinking about security , it’s a shame that sony aren’t giving this away for free but I guess that business .

I’ve been following the activity over at blogsecurity, their activities are very interesting and quite commendable. After some shameless delay I decided to read though their WP Security White Paper and apply some of the steps… yes I did say some, harden security folk will insist that you should follow all of the whitepaper to be security, which is probably true, but one should never forget that security is about risk… and in basic terms accessibility vs security, for example I won’t ever lock my wp-admin down to a single IP as I’ve been know to blog at work, home, around my parents place and even moderate comments on the train! Thus my wp-admin isn’t as secure as someone who did lock it down, but this is a risk I’m willing to live with.

I saw this digg article the other day and it lead me to something interesting. …

All Firefox add-ons must now use a secure method for auto-updating (see bug 378216 and this guide for more details)

Reference: Mozilla Gran Paradiso Alpha 8 Release Notes

In general this is a good thing, and I’m 100% behind any security improvements the mozilla team make….I just hope they make this amenable to the newbies, I recently had a go at writing a small “status bar” firefox addon, and the 1st thing I spotted when installing it was that it was “unsigned”… I looked into the documentation and found it very confusing, and when I finally got it to work I ran into the age old issue that I didn’t have a certificate that was signed by a main stream CA, as such I would need to distribute that as well.

I found this on redhat.com the other day….

It is now possible to limit yum to install security updates only. To do so, simply install the yum-security plugin and run the following command:

yum update –security

Hopefully this will allow fedora users to have the option of running a “stable” install