This isn't Cisco specific, but I think the expertise is probably here for what I need to know. I'm setting up an IPSec VPN for our students/employees, and wanted to know if there is any reason I should NOT use a pre-shared key for Phase 1 IKE (that would pretty much be publicly known). Phase 2 needs a username/password anyway, so it seems like it should still be secure as a service. (Or at least as secure as any username/password combo goes.)
# Feb 7, 2013 15:40
You become vulnerable to a straight keylogger attack without the MFA protection of something you have and something you know.
# Feb 7, 2013 22:20
This sounds more like a job for an SSL VPN.
# Feb 8, 2013 04:20
The Juniper SA/MAG SSLVPNs are pro. Check them out.
# Feb 8, 2013 16:24
Yeah so I'm going to need some help here with our wireless network. We've got a Cisco 2500 WLC:

- Product Identifier Description: AIR-CT2504-K9
- Version Identifier Description: V01
- Software Version: 7.0.116.0
- Field Recovery Image Version: 1.0.0

That in turn handles a couple of Cisco Aironet 3502i access points:

- Product ID: AIR-CAP3502I-E-K9
- Version ID: V01
- Primary software version: 7.0.116.0
- Boot version: 12.4.23.0
- IOS version: 12.4(23c)JA2
- Mini IOS version: 7.0.112.74

One of these APs drops everything every 24 hours, which is a known "bug" and fixed in newer software updates. My problem is that I have no idea what I'm even supposed to download. At http://software.cisco.com/download/type.html?mdfid=283307699&flowid=16362 I have three choices:

- Autonomous AP IOS software (which is for standalone APs?)
- IOS Software (?)
- Lightweight AP IOS software (which should be what we use since we're connecting it to the WLC)

Under lightweight I have 15.2.2-JB(ED) and 12.4.23c-JA7(ED); these seem to be completely different versions. (I do not have a support contract so I can't get either of them anyway.) Why is everything Cisco so hard for me to understand?
# Feb 9, 2013 15:13
underlig posted: Why is everything Cisco so hard for me to understand?

You only want to upgrade the software on your controller; the access points automatically download their code from there when they connect. Look for:

- AIR-CT2500-K9-1-8-0-0-FUS.aes (firmware upgrade)
- AIR-CT2500-K9-7-4-100-0.aes (controller software)

Both of these should be installed on the controller. Make sure you read the release notes, as the firmware upgrade takes a long time (30-45 minutes) and potentially bricks the unit if you abort it. Release notes here: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/fus_1_8_0_0.html and here: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html

When you have done this you get both Bonjour gateway and AVC (deep packet inspection) support.

Also, your nickname looks Norwegian or Swedish, am I right?
# Feb 9, 2013 15:40
ior posted: You only want to upgrade the software on your controller; the access points automatically download their code from there when they connect.

Swedish, yes, but I've got a couple of Underlig jul in the cupboard.
# Feb 9, 2013 16:54
underlig posted: Thank you for the help, I'm still just getting into how things are set up at work and I didn't want to "fix" the AP by bricking it.

Nøgne Ø, truly the beer of kings ;-) Just shoot me a PM if you need further assistance, I work as a mobility SE for Cisco Norway.

ior fucked around with this message at 17:00 on Feb 9, 2013
# Feb 9, 2013 16:58
ior can I get firmware with AVC for my 5508? I'd tell you what version we're on now but it's literally on the floor of the new datacenter we're moving into this afternoon. Taking a break after internal DNS came back up and I could reach the forums again
# Feb 9, 2013 21:18
Mierdaan posted: ior can I get firmware with AVC for my 5508? I'd tell you what version we're on now but it's literally on the floor of the new datacenter we're moving into this afternoon.

Yes, 7.4 is available for the 5508.
# Feb 9, 2013 22:12
ior posted: Yes, 7.4 is available for the 5508.

Excellent, thanks.
# Feb 10, 2013 04:08
I have an absolutely odd one for you guys. Scheduled the downtime to test my new ASA5515-X at our corp office. I plugged in the WAN; I can ping the modem/8.8.8.8 just fine, no problems there. I plugged in the LAN and nothing. I can not ping the internal gateway, I can not ping any internal hosts. From the core switch (HP 5406-zl) I can not ping the ASA. Here is what I tested:

- Laptop directly connected to ASA LAN port via patch cord, static IP: I can ping the ASA just fine.
- Laptop directly connected to switch, static IP: I can ping the gateway just fine.
- Checked ASA config: static route inside is fine.
- Checked HP config: outbound route is fine.
- Checked ASA int: Auto/Auto 1000mb connected is UP.
- Disabled ASA LAN int, reset ASA, re-enabled.

I am a bit stumped. Could be this head cold, but I don't get it. Everything worked fine in the lab.
# Feb 16, 2013 21:08
Stale ARP cache? If there are VLANs on the HP switch are you plugged into a port for the "LAN" VLAN?
# Feb 16, 2013 21:20
I'll try clearing the ARP, but I figured a reset would do that on both the ASA/HP. The switch port is correct (hence why I can plug my laptop in and ping the HP gateway just fine). Before I toss in the towel today I decided to try one last thing. I grabbed a spare L3 switch and plugged my laptop directly into it, set it up identical to the other core, VLANs and all, and plugged the ASA in. It works. Here is the difference.

Network layout (does NOT work): Cisco ASA -> HP 2510 (Access) -> HP 5406zl Core
Network layout (works): Cisco ASA -> HP 2910al (Core)

I am just plain confused. Why can I plug my laptop into the distro switch and ping the core just fine, but when I plug the ASA in, nothing. Nada. The only thing I can think of is I have never tried plugging an ASA into an HP 2510 switch before, only the 2910/5406. Could it possibly be an uplink/speed issue?

*EDIT It's something with the switch gear. No idea what yet, but I decided to plug everything back in, except I added a 2nd port on the HP 2510 access switch and plugged my laptop in. The laptop/ASA ping each other just fine, but can not ping the core despite everything being tagged correctly... With the ASA plugged in, I can not ping the core (whereas before I could). I wish my internet did not come into the access closet. I think I might cheat though: I found where the 4x1Gb Cat6 runs are connecting the two "halves" of our offices (it used to be two separate offices). I could easily yank 4 more pulls back to the main server room and move the ASA into a nice AC'd room with the rest of my gear and connect it straight up to the core. I am liking this idea more and more... Minus having to pull/terminate 4 runs. Oh well.

the spyder fucked around with this message at 22:19 on Feb 16, 2013
# Feb 16, 2013 21:46
Guess who just bought an AIR-AP1041N-A-K9 and didn't realise it wasn't a standalone AP? I'm having trouble getting any response from the console when it says Press ENTER to get started, and then it gets stuck in a reload cycle. Interesting bits in bold.

```
using eeprom values
WRDTR,CLKTR: 0x80000800 0xc0000000
RQDC ,RFDC : 0x80000038 0x0000018e
ddr init done
IOS Bootloader - Starting system.
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
.....................................................................................
Xmodem file system is available.
DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x80000800, 0xc0000000
RQDC, RFDC : 0x80000038, 0x0000018e
PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is NOT up.
PCIE1 port 1 not initialized
PCIEx: initialization done
flashfs[0]: 27 files, 7 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 5108224
flashfs[0]: Bytes available: 27276800
flashfs[0]: flashfs fsck took 24 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: e8:b7:4830:3f
Ethernet speed is 1000 Mb - FULL duplex
button pressed for 7 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
Loading "flash:/c1140-k9w8-mx.124-23c.JA4/c1140-k9w8-mx.124-23c.JA4"...#############
File "flash:/c1140-k9w8-mx.124-23c.JA4/c1140-k9w8-mx.124-23c.JA4" uncompressed and installed, entry point: 0x4000
executing...
enet halted

Restricted Rights Legend
Use, duplication, or disclosure by the Government is blah blah blah

Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 27-Jan-12 19:37 by prod_rel_team

Proceeding with system init
Proceeding to unmask interrupts
Initializing flashfs...
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
......................
flashfs[1]: 26 files, 7 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32126976
flashfs[1]: Bytes used: 5108224
flashfs[1]: Bytes available: 27018752
flashfs[1]: flashfs fsck took 7 seconds.
flashfs[1]: Initialization complete.
flashfs[2]: 0 files, 1 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 11999232
flashfs[2]: Bytes used: 1024
flashfs[2]: Bytes available: 11998208
flashfs[2]: flashfs fsck took 1 seconds.
flashfs[2]: Initialization complete....done Initializing flashfs.
Ethernet speed is 1000 Mb - FULL duplex
Radio0 present 8363 8000 90020000 0 90030000 B
Radio1 not present 0 0 0 0 0 0

This product contains cryptographic features and is subject to United blah blah blah

%Error opening flash:/c1140-rcvk9w8-mx/info (No such file or directory)
cisco AIR-LAP1041N-A-K9 (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FGL1521S46M
PowerPC405ex CPU at 333Mhz, revision number 0x147E
Last reset from watchdog timer expired
LWAPP image version 7.0.112.74
1 Gigabit Ethernet interface
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: E8:B7:4830:3F
Part Number : 73-13215-01
PCA Assembly Number : 800-34273-01
PCA Revision Number : A0
PCB Serial Number : FOC15183TUQ
Top Assembly Part Number : 800-34284-01
Top Assembly Serial Number : FGL1521S46M
Top Revision Number : A0
Product/Model Number : AIR-AP1041N-A-K9

% Please define a domain-name first.

Press RETURN to get started!

*Mar 1 00:00:10.075: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar 1 00:00:10.087: *** CRASH_LOG = YES
*Mar 1 00:00:10.387: Port 1 is not present
Security Core found.
Base Ethernet MAC address: E8:B7:4830:3F
*Mar 1 00:00:11.444: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar 1 00:00:11.518: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 155 messages)
*Mar 1 00:00:11.613: status of voice_diag_test from WLC is false
*Mar 1 00:00:12.672: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:13.850: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:13.879: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 27-Jan-12 19:37 by prod_rel_team
*Mar 1 00:00:13.879: %SNMP-5-COLDSTART: SNMP agent on host ap is undergoing a cold start
*Mar 1 00:40:29.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:40:29.062: bsnInitRcbSlot: slot 1 has NO radio
*Mar 1 00:40:29.087: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:40:29.090: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
*Mar 1 00:40:29.306: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:40:29.307: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:40:29.533: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:40:29.541: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:40:29.626: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:40:30.096: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:40:47.827: %PARSER-4-BADCFG: Unexpected end of configuration file.
*Mar 1 00:40:47.828: status of voice_diag_test from WLC is false
*Mar 1 00:40:47.900: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:40:57.941: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar 1 00:40:58.941: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
```

How to breathe life into this thing? Am I stuck using it as a LWAP until I get a controller or is there some way of making this thing standalone?
# Feb 18, 2013 20:47
Gap In The Tooth posted: How to breathe life into this thing? Am I stuck using it as a LWAP until I get a controller or is there some way of making this thing standalone?

If you have support you should be able to download an autonomous image off CCO and reflash it. You'll need a DHCP server on the network to get a prompt on the console, or you can hold MODE during the boot process and put it into monitor mode, then reflash from there. Some details/info here: https://supportforums.cisco.com/thread/331666
# Feb 18, 2013 22:44

# Feb 19, 2013 02:38
Cheers for the tip! I've got it autonomous and using IOS 15 at the moment, now I need to bury my CCNA-level self in the depths of Aironet config. And yes,
# Feb 19, 2013 03:58
Dalrain posted: This isn't Cisco specific, but I think the expertise is probably here for what I need to know. I'm setting up an IPSec VPN for our students/employees, and wanted to know if there is any reason I should NOT use a pre-shared key for Phase 1 IKE (that would pretty much be publicly known). Phase 2 needs a username/password anyway, so it seems like it should still be secure as a service. (Or at least as secure as any username/password combo goes.)

1. The preshared key is obtainable by a third party, and once it is leaked it has to be changed for all users.
2. When the preshared key is leaked, anyone who has it can launch a brute-force/dictionary attack on the authentication server. Watch for anomalies.

If your user base is small, there should be no problem in changing the preshared key when problems occur. If you decide to go with SSL VPN then you must use certificate authentication. Otherwise anyone can connect to the VPN and launch a brute-force/dictionary attack on the authentication server. SSL VPN with certificate authentication is better for controlling a security breach. If a user's device has been compromised you disable this individual certificate and other users continue to use the service unaffected.
# Feb 19, 2013 14:55
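The "watch for anomalies" advice above is the practical consequence of a public PSK: the authentication server, not IKE, becomes the thing being hammered. As an added example (not code from this thread), the script below scans constructed RADIUS-style accept/reject log lines and flags a source address that either racks up many failures inside a sliding window or sprays failures across many different usernames; the log layout and regex are assumptions to be adapted to your own server's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread), in an assumed
# "timestamp result user=... src=..." layout; adapt LINE_RE to your server.
SAMPLE_LOG = """\
2013-02-19 14:50:01 auth-fail user=alice src=203.0.113.7
2013-02-19 14:50:02 auth-fail user=bob src=203.0.113.7
2013-02-19 14:50:03 auth-fail user=carol src=203.0.113.7
2013-02-19 14:50:04 auth-fail user=dave src=203.0.113.7
2013-02-19 14:50:05 auth-fail user=erin src=203.0.113.7
2013-02-19 14:50:06 auth-ok user=frank src=198.51.100.9
2013-02-19 14:51:10 auth-fail user=frank src=198.51.100.9
2013-02-19 14:51:40 auth-ok user=frank src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>auth-ok|auth-fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def find_bruteforce_sources(log_text, window=timedelta(seconds=60),
                            threshold=5, min_users=3):
    """Return {src: (max_failures_in_window, max_distinct_users_in_window)}
    for each source that, at any moment, had >= threshold failures inside
    `window` (dictionary attack on one account) or failures against
    >= min_users distinct accounts (password spraying with the public PSK)."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    flagged = {}
    for ts, result, user, src in parse(log_text.splitlines()):
        if result != "auth-fail":
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= threshold or len(users) >= min_users:
            prev = flagged.get(src, (0, 0))
            flagged[src] = (max(prev[0], len(q)), max(prev[1], len(users)))
    return flagged


if __name__ == "__main__":
    for src, (fails, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {fails} failures across {users} accounts within window")
```

One legitimate user mistyping a password (198.51.100.9) stays below both thresholds, while the spray from 203.0.113.7 is caught on the third distinct username, before it reaches the failure-count threshold.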
Quick CCNA Frame Relay question. What's the significance of using the frame map ip xx.xx.xx.xx dlci xxx versus just using ip address xx.xx.xx.xx and frame-relay interface-dlci 500? Are the latter two specifically for subinterfaces, and if so, why does the subinterface level support the frame map ip command?
# Feb 19, 2013 21:24
You are describing a L3 to L2 mapping with those commands so you have to consider how the L3 addressing relates to the L2 topology. You could have a single subnet for a P2P link or P2MP link.

tortilla_chip fucked around with this message at 15:16 on Feb 20, 2013
# Feb 19, 2013 21:35
If you can think of a confusing frame-relay configuration, you can make it a reality.
# Feb 19, 2013 23:04
tortilla_chip posted: You are describing a L2 to L3 mapping with those commands so you have to consider how the L3 addressing relates to the L2 topology.

Ah. I think I understand. Thanks!
# Feb 19, 2013 23:20
Here's hopefully a simple problem. I've recently bought an 867VAE for a remote site that has ADSL and an old router that is dying slowly, and they wanted something a little more robust. I know nothing about IOS and figured that CP Express / Configuration Professional would sort the basic configuration out for me, but they seem to be completely useless. This is the config I'm running at the moment, built with Configuration Professional 2.6. code:
I'm aware that I should probably be using the CLI and not any of the terrible GUI tools, and it's my intention to learn and get my employer to put me through a CCNA course, but for now I just need this thing working.
# Feb 20, 2013 18:50
For one, the WAN interface is shutdown. Do a "no shut" or admin it up in the software you're using. Giving it the quick once-over it looks normal otherwise. NAT looks normal, etc.

```
interface GigabitEthernet1
 description $ETH-WAN$
 ip address dhcp client-id GigabitEthernet1
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
```

If you have a Cisco rollover cable to console in with, pull up a terminal (PuTTY, SecureCRT, etc.), log in, and:

```
conf t
int gigabitethernet1
no shut
exit
wr
```
# Feb 20, 2013 19:01
I think that's left over from me testing it at my desk using GE1 as the WAN, the WAN now is/should be the ADSL modem (PPPoA).
# Feb 20, 2013 19:13
Some things from my working ADSL config on my SR520 that you don't have:

```
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
...
!
interface Dialer0
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username come@me.bro password 0 pa$$w0rd
 ppp ipcp dns request
 ppp ipcp route default
```

I'm sure one of the more experienced guys can correct me if I'm wrong, but my theory is you don't have anything working at layer 3 (IP addressing). The PPP commands you have only set up the ADSL link; there are no lines in there that talk upstream to the ISP to get your WAN IP, next hop address or anything. This is where negotiated and ppp ipcp come in. Furthermore, 99% of the time when someone is using ADSL they will be using NAT, so make sure your NAT config is working by making Dialer0 the outside interface and one of your LAN ports or a VLAN the inside interface.
# Feb 20, 2013 19:41
I am not in any shape or form a Cisco expert. I do not have any Cisco certs; however... I am using Cisco ASDM 6.1 for ASA. I have a 5500 series firewall. The inside interface is 172.x.x.x. I am trying to route all traffic going to 192.168.x.x to a router with a VPN connection in my lab. I have the static route set up, and the NAT rule to exempt the networks. So I have two NAT rules set up:

Source: 192.168.x.x/24, Destination: 172.x.x.x/16
Source: 172.x.x.x/16, Destination: 192.168.x.x/24

I can route ICMP between the networks. If I ping 192.168.x.x from the 172.x.x.x network, I get a reply. If I ping 172.x.x.x from the 192.168.x.x network, I get a reply. Tracert or traceroute works, also.

From the 172.x.x.x network:
- telnet 192.168.x.x 3389 ... FAIL
- telnet 192.168.x.x 80 ... FAIL

From the 192.168.x.x network:
- telnet 172.x.x.x 3389 ... Good
- telnet 172.x.x.x 80 ... Good

The 192.168.x.x network has a firewall I brought from home. A Netgear something. Now, if I change the gateway settings on one of the hosts on the 172.x.x.x network to the VPN server located on the 172.x.x.x network (in other words, bypass the Cisco firewall), I can telnet to the 192.168.x.x network no problem. I can connect to a web server on the 192.168.x.x. So, I know the problem is with the Cisco firewall. I have tried to set up a rule that allows this traffic, but it doesn't work. What am I missing on the Cisco firewall?
# Feb 21, 2013 17:08
Use the packet tracer function in ASDM to see where it fails. (Uncheck the animation check, the only thing it does is make you wait.) Also, upgrade your asa, if you are using asdm 6.1, you are on an old version of the os.
# Feb 21, 2013 17:16
E: whoops, doublepost.
# Feb 21, 2013 17:17
How do you guys measure packet loss on WAN links? Like, I expect some packet loss, but in general it should be <<1%. I'm working with a vendor and they are claiming we are experiencing packet loss on the WAN and thus that is the problem, but I disagree with that assessment, so how can I "prove" that we are not losing packets? Also, just in general it would be nice to periodically test the link for packet loss as something to present to the carriers if needed.
# Feb 21, 2013 17:19
Thanks. I've done that also. The packet is allowed. I'll look into upgrading.
# Feb 21, 2013 17:19
pt1xoom posted: I am not in any shape or form a Cisco expert. I do not have any Cisco certs; however...

Without seeing a diagram/configs it sounds like asynchronous routing. ICMP isn't a stateful connection, which is why your pings work. You will need to statically route the 192.168.x.x network on your workstation to point directly to the Netgear firewall instead of the default gateway (the ASA), or set up TCP state bypass on the ASA (I don't recommend this).

Powercrazy posted: How do you guys measure packet loss on WAN links? Like, I expect some packet loss, but in general it should be <<1%. I'm working with a vendor and they are claiming we are experiencing packet loss on the WAN and thus that is the problem, but I disagree with that assessment, so how can I "prove" that we are not losing packets?

I've used MTR in the past, but if it's a WAN link over the internet I just usually tell people there's no SLA for internet traffic and to GTFO.

Sepist fucked around with this message at 17:57 on Feb 21, 2013
# Feb 21, 2013 17:54
Is this link Ethernet? If so, run Y.1731 and/or CFM.
# Feb 21, 2013 18:09
tortilla_chip posted: Is this link Ethernet? If so, run Y.1731 and/or CFM.

I'm not familiar with either of those. What do I need to make those work?
# Feb 21, 2013 18:13
Essentially they perform SONET-esque alarm functions. Wireless carriers wanted detailed stats from service providers to prove they were meeting SLAs. One nice thing about either protocol is they use standard Ethernet frames and should be carried without issue across the service provider network. You'd definitely want to check the feature navigator to make sure CFM is available on the platform you're running. http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_cfm.html You'll want to configure a MEP on each end of the circuit in question.
# Feb 21, 2013 20:00
I understand that a portchannel with more than 8 members will feature hot standby to some degree. I state this because we have someone with a Dell server who wants a portchannel setup, but doesn't want to push a gig+ of data, but instead simply wants some type of failover. I suggested HSRP, but haven't heard back. It's currently up/up and pingable, it's just that my interfaces are not bonded. They're L2 switchports so a port channel probably isn't even necessary on my end. Would this present any issues in the real world?

Zuhzuhzombie!! fucked around with this message at 21:26 on Feb 21, 2013
# Feb 21, 2013 21:21
Powercrazy posted: I'm not familiar with either of those. What do I need to make those work?

If you have to ask you likely don't have either. I'd set up IP SLA and measure with that (hopefully you have access to equipment on both ends). If you're just looking for a "right this second, on an X Mbps stream, there's Y% packet loss" I like to use iperf in dual-end UDP mode.
# Feb 21, 2013 21:43
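Both IP SLA and iperf's UDP mode come down to the same measurement: send a sequenced stream of datagrams and count what arrives at the far end, which is the evidence Powercrazy wants to put in front of the vendor. The following is an added example, not code from the thread or from either tool: a sender and receiver that run on loopback here (the receiver can be bound on a real far-end host instead), with an assumed drop_every parameter that simulates a lossy link so the arithmetic can be checked offline.

```python
import socket
import threading
import time


def compute_loss(sent, received_seqs):
    """Loss and reordering statistics for a sequenced UDP stream.
    sent: number of datagrams sent, numbered 0..sent-1.
    received_seqs: sequence numbers in the order the receiver saw them."""
    seen = set(received_seqs)
    lost = sent - len(seen)
    # A datagram whose sequence number is lower than its predecessor arrived out of order.
    reordered = sum(1 for a, b in zip(received_seqs, received_seqs[1:]) if b < a)
    loss_pct = 100.0 * lost / sent if sent else 0.0
    return {"sent": sent, "received": len(seen), "lost": lost,
            "loss_pct": round(loss_pct, 2), "reordered": reordered}


def run_probe(count=200, interval=0.001, drop_every=None, host="127.0.0.1"):
    """Send `count` sequenced datagrams to a receiver thread and return
    compute_loss(). drop_every (an assumption for this demo) makes the
    receiver discard every n-th datagram to simulate a lossy path; leave it
    None to measure a real path with the receiver bound on the far end."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((host, 0))          # ephemeral port
    rx.settimeout(0.5)          # give up if the stream stops arriving
    port = rx.getsockname()[1]
    got = []

    def receiver():
        while True:
            try:
                data, _ = rx.recvfrom(64)
            except socket.timeout:
                break
            if data == b"END":
                break
            seq = int(data)
            if drop_every and seq % drop_every == 0:
                continue        # simulated loss on the path
            got.append(seq)

    t = threading.Thread(target=receiver)
    t.start()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for seq in range(count):
        tx.sendto(str(seq).encode(), (host, port))
        time.sleep(interval)    # pace the stream like iperf's bandwidth setting
    tx.sendto(b"END", (host, port))
    t.join()
    tx.close()
    rx.close()
    return compute_loss(count, got)


if __name__ == "__main__":
    print(run_probe(count=200, drop_every=50))
```

Run it periodically from both ends and keep the per-run dicts; a clean link shows loss_pct at 0.0 with reordered at 0, which is the record to hand the carrier.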
Zuhzuhzombie!! posted: feature hot standby to some degree.

Sounds like you want to run a LACP bundle with hot-standby. Should be available on most platforms.
# Feb 21, 2013 21:52
pt1xoom posted: I am not in any shape or form a Cisco expert. I do not have any Cisco certs; however...

Sepist posted: Without seeing a diagram/configs it sounds like asynchronous routing. ICMP isn't a stateful connection, which is why your pings work.

I did a little reading on asynchronous connections and routing, and it doesn't look like it to me, but I may be very wrong. Attached is the diagram. Thanks.
# Feb 21, 2013 22:25