ASA 5505 Layer 2 Gems

February 7th, 2011

The ASA 5505 is not like the other models in the ASA lineup. It has a built-in 8-port Ethernet switch, and two of the ports (ports 6 and 7) can provide PoE. Cisco has implemented two layer 2 technologies in this device that make our lives easier and more secure. The first technology is:

Categories: Security

ASA Version 8.4

February 1st, 2011

Cisco has released version 8.4 of the OS for the ASA. I was surprised that this version was released so soon, because 8.3 has only been out since March 2010. This version does have a lot of new features, though. If you run transparent mode, in either single or multiple context mode, the new bridged mode feature is very welcome. I will be testing this new feature shortly and hope to blog about it soon. Other new features include EtherChannel support, stateful failover for routing protocols, and an increased number of connections through the appliance for various technologies.

All of these are great new features and I can’t wait to dive into them. Note that the RAM requirements are the same as for version 8.3. There are also multiple migration paths when upgrading to this latest OS. It is nice that Cisco tries to migrate most of the configuration for you automatically when the appliance reloads on the new OS, but I still see errors with some things, so be careful when you migrate: after the upgrade you will find a file containing the startup errors. Official Cisco documentation for this OS can be found here.

Categories: Security

SNMP V3 and Solarwinds Orion

January 11th, 2011

This will be a quick post on adding a Cisco IOS device to a Solarwinds Orion Network Management System (NMS). Of course, there are other NMS products available, so this tutorial will focus more on the IOS side of the configuration and less on the NMS side. The negative side of SNMPv3 that I am running into, though, is on the NMS side. I can’t speak for all NMS products, but sending SNMPv3 traps to an NMS requires the NMS to support receiving them. Currently, the Windows Server operating system (2003/2008) does not support SNMPv3 traps, and at present, neither does Orion. Solarwinds has mentioned that they are building their own SNMP trap service for SNMPv3, but it is not out yet. If anyone knows of an NMS that can accept SNMPv3 traps, please let me know. I believe CiscoWorks now supports SNMPv3, but I have not used it in years.


Categories: CCIE Security Studies

IOS IPS Setup and Configuration

November 12th, 2010

It has been decided that I would try to blog more by demonstrating setups that I do on a regular basis in production. So today I will be setting up a Cisco 891 router with integrated IPS functionality using the latest signature pack from Cisco. So let’s dive in.

First, we need to determine whether the router is capable of performing IPS and is licensed to do so. The 891 router I have is running IOS version 15, so licensing is definitely going to be an issue. Let’s verify the licensing to make sure we can continue with this project. The licensing information is located at the bottom of the output of the following command:

Ryans Router#sh ip ips all

IPS License Status:     Not Required
Current Date:    Nov 12 2010
Expiration Date: Not Available
Extension Date:  Not Available
Signatures Loaded:      Not Available    S0.0
Signature Package:      Not Available    S0.0


Categories: Security

Insert Router Into Network As A Bridge

November 5th, 2010

This post will be the first in a series on security implementations on a network. In this first part of the series, we will take a look at how to silently insert a router into an existing VLAN/subnet without changing IP addressing. In the next part of the series, we will look at some filtering using Zone-Based Firewall (ZBF) and Context-Based Access Control (CBAC, the legacy firewall). The ASA can be set up in the same fashion by using transparent firewall mode. So let’s jump in with this simple topology involving 3 routers.


Categories: Routing

Cut Through Authentication on the ASA

July 9th, 2010

Cut-Through Authentication proxy on the ASA is an excellent way to track and authorize users when they access resources on the network that you may not want them to access by default. I have used it to track user activities, to authorize users to network devices that they really should not be accessing whenever they feel like it, and to provide a user with a way to override the firewall policies that have been defined for a given subnet. In other words, it is a very useful function, and I believe it is vital for users as well as the network administrator. This feature is just like the Auth-Proxy or Network Admission Control features on an IOS router.

Here is the topology we will be working with. I have set up a PC so we can simulate a typical user experience.


Categories: Security

Interview with Vybhav Ramachandran (aka TacAck)

July 7th, 2010

Well, I felt like my good friend Vybhav needed to have an interview done after interviewing a bunch of people, including myself, over the past few months. He is a great study partner and I converse with him on a regular basis, almost daily in fact. I am not sure where he gets the time to do everything he does (blog, lab, study, play flight simulators), but he must have a great girlfriend. Vybhav and I are taking our labs on the same day and I know he will ace it on the first attempt. As I am sure all of you know, he has a great blog at tacack.com with a wealth of information on the CCIE Security exam. So without further ado, please read on to find out things you may not have known about our good friend!


Categories: Security

How To Pick 1 VPN Peer Out Of Many For Troubleshooting

June 24th, 2010

I manage several Cisco IOS devices with a lot of VPN connections on them; one device has 100+. So what happens when one of the 100 peers fails to establish? Well, I can tell you: whatever you do, don’t run debug crypto isakmp or debug crypto ipsec without any conditions, because you will definitely give a big tug to the CPU on the device. This tug could be to the point where you can’t recover by issuing the u all (undebug all) command. At that point, a router reload would probably be the only option left, which would probably trigger résumé updating.

So how do you go about picking the needle out of the haystack? Well, Cisco has given us an excellent tool to solve this issue: VPN conditional debugging. With conditional filtering for VPNs, we can filter based on several different attributes such as peer, GETVPN group, username, SPI, or connection ID, to name a few. This has definitely helped me out in a pinch, and I am now in the habit of using this instead of just debugging everything crypto-related on the IOS device.

So how do we implement this great feature, you may ask? Well, quite easily, but then again everything is easy once you know what you are doing. So let’s head over to the command line and take a look…

Categories: Security

ASA – Regular Expression Matching

June 24th, 2010

Regular expression matching is used for several different applications within the Modular Policy Framework (MPF). A regular expression is basically a text-matching pattern: it matches either exact text or multiple variants of a text string. In most cases, whenever you run across name-based policies, you will more than likely need to configure regular expressions. The regex command is used to configure regular expressions within the security appliance. Below we will discuss some of the special characters, called metacharacters, that are used to create wildcard matching of text strings; these are the majority of the metacharacters we will be dealing with.

Categories: Security

IOS Access-List Functionality & Management

June 24th, 2010

Well, it appears that Cisco IOS is slowly gaining features that I love on the ASA. Although I find the ASA far superior when it comes to access-list technology, Cisco IOS is starting to make life easier in terms of updating and managing access-lists. One issue I always ran into when working with IOS ACLs is the addition or deletion of the entries that make up the ACL. So a basic extended access-list would start like this:


Categories: Security