I’m loaded up pretty heavily on classes this semester.  I’m trying to finish up my BS in IS Management.  The workload as I get into 400 level classes has increased significantly.  I have a number of projects that have fallen to the side including:

Learn and understand nRF24l01 radios for Arduino to RPi communication.

Cobra electrical system (This hurts the most, perhaps.  I got the dash “in” but still have some loose ends to tie up before calling the electric done)

Better understand AWS topologies. Related, set up a Puppet server in house and connect it to the XenServer I’ve stood up.  XenServer 6.2 is open source now!  I’d also like to replace VMware with XenServer and be able to do live migrations in house.  I was having trouble with the Mythbuntu ISO booting properly but it looks like it might just be the distro.

Continue to get away from SageTV.  It still runs.  I’m waiting for the day where that’s not the case.  I think I need to go towards MythTV.  There just isn’t a good alternative.

Around December I need to make a run at the CCDP. I need to renew the CCNP and only need one test for the CCDP.  Might as well add to the acronyms.

Anyway, enough of my sob story.

I’ve had all kinds of problems with this tonight. Luckily, none have affected the operating stack, which is a pair of 3750’s. Not E’s or V2’s but original 3750’s. I’m trying to add a 3750X, which is supposed to work just fine. I’ve done all kinds of things, including about 10 different versions of 12.2(55), to no avail. I had another problem with the 3750X being LANBASE, so I got a temp license (which I’ll have to pay for) for the IPBASE image. The versions, license levels and all of that are exactly the same. Then I stumbled across this post:

I recently stacked 3750x-48pf-s running ip base with 3750v2-24. I originally attempted to use 12.2(55) but the stack failed to initialize, almost like the stack ports on the 3750x were err-disabling.

After some hair pulling I downgraded to 12.2(53) (lowest version supported by both) and it did a full EEPROM rewrite on the 3750x. The stacking worked properly after that.

That is exactly my problem!

I’m currently installing 12.2(53) and it’s running a lengthy microcode update. I mean lengthy. This better work!

Update: Downgrading all of the switches to 12.2(53) worked although the new 3750x decided to be master and wiped out my config. Good thing we had a backup.

It’s taken me a while but I finally have another review to provide. I was due for my CCNP recert so I decided to go for the Switching test, 642-813. I started with this book:

My focus was on the switching section so this review really only addresses that part. I’ve been taking Cisco tests for a while so the process was familiar to me. I also had a good foundation in switching technologies. The book does a good job of breaking down the separate areas that the test focuses on. You couldn’t use this book to study for the CCNP if you’re coming right from the CCNA. It’s strictly a refresher level of knowledge. What I found was that there were several parts of the test that were more obscure but were referenced in the book. It wasn’t verbatim of course, but it was familiar enough to help me pass.

Another thing I found relevant is that the distilled information in this book is good for reminding me of the little things that can be done to tweak a network. I think most of us are content to worry about HSRP priorities and STP roots. We don’t so much focus on the other loop prevention tools that Cisco’s made available. Thanks to the short and direct content in this book, you can quickly get a sense for the other technologies at your disposal.

And I passed. Highly recommended!

Wow…4+ years later and I’m finally posting part 2. Yep, the original config didn’t work quite right but I did get it working. Here’s the result:

On the Cisco switch:
interface Port-channel98
no ip address
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet8/5
no ip address
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 98 mode on

etc...

On the Extreme switch:
enable sharing 1:1 grouping 1:1,1:2,1:3,1:4 algorithm port-based
configure vlan "out_of_band" ipaddress 172.16.0.254 255.255.254.0
configure vlan "out_of_band" add port 7:1 untagged
configure vlan "out_of_band" add port 1:1 tagged

out_of_band was used for testing. I put a PC on port 7:1 on the Extreme switch to make sure I could get to a PC on the Cisco switch.

Turns out I did full documentation on the test process and actually kept the doc! I was amazed! My notes suggest the only delay was when re-connecting ports that are part of the group: they would not start forwarding for about 3 seconds. Otherwise it worked great!

That’s a mouthful. I’ve been having a hard time figuring out how to successfully transfer images to the Standby ASA’s flash from the Active’s CLI. Finally figured it out. Here’s the syntax:

failover exec standby copy /noconfirm tftp://{ip address}/{file name} disk0:/{file name}

Without the /noconfirm it’ll fail. You also need a standby ip address on the interface facing the tftp server and I haven’t confirmed this but I think it might also need to be on the same subnet. I’m still having some trouble with a situation where the standby ASA would have to reach another subnet.

I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out, as it’s supposed to support SSL VPNs. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2

crypto isakmp client configuration group mygroupname
key something_goes_here
dns 192.168.x.x
pool SDM_POOL_2
include-local-lan
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group mygroupname
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2

crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set aes-transform
set isakmp-profile sdm-ike-profile-1

class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC

policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default

zone security ezvpn-zone

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip

interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1

ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
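The zone-pair section above binds every pair to a service policy named sdm-permit-ip, while the only policy-map shown is sdm-permit (whose VPN class uses the pass action rather than inspect). The audit script below is an added example, not part of the original post or of the SDM output: it walks an IOS zone-based firewall config and reports zone-pairs that reference a policy-map the config never defines, and classes that pass traffic without stateful inspection. The embedded config is a constructed excerpt using the names from the post.

```python
import re

# Constructed excerpt of the SDM-generated zone-based firewall config posted
# above (names copied from the post). "sdm-permit-ip" is referenced by every
# zone-pair but never defined in the excerpt; that is what the audit flags.
SAMPLE_CONFIG = """\
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
zone security ezvpn-zone
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
"""

def audit_zbf(config):
    """Return findings: zone-pairs bound to an undefined policy-map, and
    classes whose action is 'pass' (forwarded without stateful inspection)."""
    policies = {}       # policy-map name -> list of [class name, action]
    zone_pairs = []     # (zone-pair name, policy-map name it binds)
    policy = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map type inspect (\S+)", line):
            policy, pair = m.group(1), None
            policies[policy] = []
        elif (m := re.match(r"class (?:type inspect )?(\S+)", line)) and policy:
            policies[policy].append([m.group(1), None])
        elif line in ("pass", "inspect", "drop") and policy and policies[policy]:
            policies[policy][-1][1] = line
        elif m := re.match(r"zone-pair security (\S+) source \S+ destination \S+", line):
            pair, policy = m.group(1), None
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            zone_pairs.append((pair, m.group(1)))
            pair = None
    findings = []
    for pair, pol in zone_pairs:
        if pol not in policies:
            findings.append(f"{pair}: policy-map {pol} is referenced but not defined")
    for pol, classes in policies.items():
        for cls, action in classes:
            if action == "pass":
                findings.append(f"{pol}/{cls}: action 'pass' skips stateful inspection")
    return findings

if __name__ == "__main__":
    for finding in audit_zbf(SAMPLE_CONFIG):
        print(finding)
```

Run it against a full "show running-config" capture to see which zone-pairs would actually have no policy attached once the obfuscated parts are filled back in.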

Seems my original post about the AnyConnect Essentials license is still quite popular. So why not capitalize on that! 🙂

The license does work as advertised. It’s a replacement for the IPSEC based client that Cisco seems to have stopped development on. I’ve been using it in numerous situations and it works great!

I just have a funny situation though where my client was exploring alternatives to Cisco. We got pricing for a couple of competitors including Sonicwall and Juniper and let me tell you…whoo-boy! I guess the others haven’t felt compelled to follow Cisco’s lead and they are still charging ridiculous sums for the SSL VPN clients. Of course there were howls of protest about how their clients did so much more and that if you wanted the same level of functionality you had to pay for Cisco’s full SSL VPN solution. All true, but who cares????

I want a simple client based SSL VPN to replace the IPSEC clients of old. I don’t need all the fancy clientless stuff. I suspect that’s true for a lot of customers. Cisco’s pricing strategy for the AnyConnect Essentials is smart not just because they don’t want to continue to develop the IPSEC client but because it drives business away from their competitors.

Cisco, your choice in focus these days mostly pisses me off but this is a real winner. A small bright spot in an otherwise dreary path you’ve taken. Now, if you could find a way to ship ASA’s before the summer I’d be happy.

Ran across this tonight. Someone had entered a prefix-list with the name “at&amp ;t” instead of “at&t” (wordpress didn’t like it either, so I added the space between the p and the ; but they should really be together).

Oddly enough, IOS wouldn’t allow the bad line to simply be deleted. The “;” had to be removed so that the no command included “at&ampt”.

Probably some sort of a regex problem or an ascii escape character but it’s still kind of strange.

I’ve been trying to figure out why a pair of Cisco IPS (AIP-SSM in this case) wouldn’t auto-update signature files or connect to the new Global Correlation feature. The management interfaces were located on a subnet that was between the firewall and the internal L3 switch. The internal LAN’s are on the other side of the switch.

I’ve known for a long time that Cisco ASA’s don’t support sending ICMP redirects. Because of this the IPS’s default gateway couldn’t be set to the FW interface. If I did that they would never be redirected to reach the internal networks. I’ve never had a problem with IOS doing ICMP redirects though, so the IPS’s have been using the switch VLAN interface as the default gateway. The switch sends ICMP redirects when the IPS needs to get out to the internet and the traffic goes direct to the firewall.

Except it doesn’t. I could swear it did at one time in the past. Either my memory is faulty or an image update on the IPS broke it. Now, it seems the IPS tosses ICMP redirects. My guess is it worries about man-in-the-middle attacks, and an ICMP redirect is a possible sign of that. So even though the switch is doing the correct thing, the IPS disregards it.

Moved the IPS management interface to one of the internal LAN’s and all is happy now.