Re: [c-nsp] Cisco Commerce Estimates
Hi Jan,

It's working for me, just tested it a few minutes ago.

-ryan

-----Original Message-----
From: cisco-nsp On Behalf Of Jan Gregor
Sent: Wednesday, June 27, 2018 2:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Commerce Estimates

Hi guys,

is it just me, or did Cisco gut out about 90% of the functionality of Cisco Commerce Estimates? No way to expand added values, no way to export XLS. It allows export to PDF, but "The file is damaged and cannot be opened." from both Acrobat Reader and evince.

Anyone else seeing this?

Jan

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] script
Hi,

> On Sep 21, 2016, at 7:11 AM, Lijalem Fetene wrote:
>
> Dears,
> I want to login to hundreds of routers simultaneously in either telnet
> /ssh and execute some command to each device and return the output. Is
> there anyone to help me please ?
>

Rancid/clogin or trigger come to mind.
Re: [c-nsp] ASA 5500 SSL VPN Auth
On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:
> Subject: [c-nsp] ASA 5500 SSL VPN Auth
>
> Hi All,
>
> Been searching through the archives and haven't seen this setup, wondering if anyone has done this and has any pointers...

What pointers are you looking for? I've done a configuration like this before for kiosks using a specific group-url, a cert enroll tunnel-group, and a certificate map to match the presented certificate against the device certificate on the ASA and issuing CA. Getting a device certificate on the ASA and importing the CA are pretty easy. The bigger pain is at the certificate map. Here's a small example that should point you in the right direction.

crypto ca certificate map name 1
 issuer-name attr cn eq intermediate
crypto ca certificate map name 2
 issuer-name attr cn eq root
crypto ca certificate map name 3
 issuer-name attr cn eq full name

I don't recall the crypto debugs now, but you can see where it's matching.

> I'm attempting to do SSL VPN termination on a pair of Cisco ASA 5500s (active failover). To do auto-login without storing the username/password on the client machine I plan on deploying a PKI environment which the ASAs will then use for authenticating the end-points. The endpoints are required to have static IPs as well.

HTH

-ryan
Re: [c-nsp] vs nexus5596 and port-profiles
Add show port-profile to the command table in RANCID. Put it in the write term section.

Sent from handheld.

On Oct 3, 2014, at 7:24 AM, Arne Larsen / Region Nordjylland <a...@rn.dk> wrote:

> Hi all
>
> Can someone give me a hint about what we should do.
> We are using port-profiles on our nexus5596 boxes but we don't get the full config when we back up with rancid. It's the same problem if we do a tftp copy of the startup-config.
> If I do show port-profile the full config syntax is displayed.
> I can see that the xterm width defaults to 184 columns.
> Has anyone seen this before and if so, what have you done?
>
> /Arne
Re: [c-nsp] Cisco 6800 in V.S.S. with IA not working
I'm proposing a similar configuration. Are your IAs dual attached? Are your IAs stacked? I can't add to your experience, but understanding your environment would be helpful.

Sent from handheld.

On Oct 2, 2014, at 7:44 AM, R S <dim0...@hotmail.com> wrote:

> Hi folks,
>
> my problem is here. A couple of brand new 6880-X-LE just configured in VSS (IOS inside 15.1(2)SY2 and later I put SY3), continuously reporting in console rebooting or downloading, console not responding sometimes, one IA (C6800IA-48TD) working and the other two not with the same configuration... a complete nightmare.
> And more: two of the 4 cards (C6880-X-LE-16P10G) arrived with the LEDs of the interfaces completely switched off (but ports working..)
> I found only one bug for C6880 (CSCup99867) with severity: 1 Catastrophic...
>
> Now the questions are:
> 1) is it only my nightmare?
> 2) any experience to share?
> 3) any way to troubleshoot on IA side?
> Recommended IOS release (facing the bug report it is 15.1(2)SY3.48, but I'm wondering...)?
> Any additional experience on your side?
>
> greetings from Utrecht
[c-nsp] Autonomous AP per-client rate limiting
Anyone doing this? If so, could you share how?

Thanks.

Sent from handheld.
Re: [c-nsp] Setting CS0 on ARP traffic
First thing, that's a bad carrier. Second, they are already remarking, so why bother? If your 7609 was using a routing protocol, that would be CS6 as well. Personally, I would go the route of terminating services with that carrier; it sounds like you'll be getting more surprises in the future.

Sent from handheld.

On May 29, 2014, at 7:27 AM, Tony <td_mi...@yahoo.com> wrote:

> Hi all,
>
> A new carrier that we are using requires that all traffic to them is marked as CS0. Any traffic that is non-CS0 is dropped on ingress by the carrier. We have connected the handoff from this carrier to a port on an ES20+ card in our 7609 (12.2.33.SRE9a).
>
> The first test service was refusing to work and upon inspection by the carrier (packet capture) it was shown that the ARP traffic from our box was marked as CS6. I then applied a QoS policy outbound on the sub-int we had terminated the service on to try and set all traffic to CS0, but the ARP traffic was still CS6. The carrier then applied a policy inbound on their gear (ie. from our 7609 towards them) to set everything to CS0 and the service started happily working.
>
> I then put a switch between our 7609 and the carrier so that I could SPAN the traffic and capture it via tcpdump. The results look like this:
>
> 17:04:53.446268 vlan 30, p 6, vlan 10, p 6, arp who-has 10.1.7.178 tell 10.1.7.177
>
> So you can see on the outer VLAN 30, it is set to p 6 and on the inner VLAN 10 it is also set to p 6.
>
> The configuration of the interface on the 7609 on our side looks like this (fairly standard):
>
> interface GigabitEthernet4/4.300010
>  encapsulation dot1Q 30 second-dot1q 10
>  ip vrf forwarding xyz
>  ip address 10.1.7.177 255.255.255.252
>
> I logged a case with TAC and they responded with:
>
> =====
> We have tried this in our lab and this seems to be the default behavior. There is a restriction on ES+ card which states that control plane packets generated from the switch are sent to a special TX queue and these packets do not match the egress QOS policies configured.
>
> Please refer the link:
> http://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1540799
>
> So this is the reason why you do not see any cos 0 packets on the other side even after applying an outbound service policy and see only cos 6 packets. I tried few other things but could not find a way around this restriction
> =====
>
> I've asked them to go back and have another look to see if there is something else that can be done. I'm at a loss at this stage and appealing for any suggestions that people can think of. At this point in time it would appear that I have two options:
>
> 1. Terminate the services from this carrier on a different device that doesn't suffer from this problem.
> 2. Run the service through a switch (ie. 3750, like it is now) so that the switch can set the packets to CS0.
>
> Both of these are sub-optimal solutions, so obviously we'd like to find a way to set the outbound traffic from the ES20 card to CS0 so that it can work how we expected it to.
>
> Any suggestions appreciated.
>
> Thanks,
> Tony.
Re: [c-nsp] Cisco ASA 8.4.7
We were running 8.4.6 for a while, but have been having good luck so far with 8.4.7 as well.

-ryan

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen
Sent: Wednesday, October 09, 2013 3:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ASA 8.4.7

Hi folks,

With the newest advisory for the ASA:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

We are thinking of going uniform with Cisco ASA 8.4.7. Looking at the Resolved Caveats, lots of them got fixed:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp631223

Has anyone been running 8.4.7 with good success? I am just looking for minimal NAT, mostly Remote Access VPN and a few hundred site to site VPN.

Thanks.

-Luan
Re: [c-nsp] pix 6.1(3)
It's 6.3.5(145) that is the latest PIX release that will support all the flavors. If you have a 515/515E, you can upgrade the memory and move to 8.0.4(28), which is the last interim release for the PIX family in ASA code. If you have a 506E, it's probably time to look at a 5505-5 or 5505-50 for the environment. 6.1(3) is over 10 years old. If you can't upgrade the memory, you could at least try the engineering special from 2008.

-ryan

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Michael Malitsky
Sent: Thursday, July 11, 2013 5:40 PM
To: Aaron; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Fixup is an application-layer proxy. In other words, it checks for the validity of traffic in the context of the actual protocol. In version 7 and newer these are called inspect. Without it, you are left with a regular stateful firewall.

Michael

________________________________________
From: Aaron [aar...@gvtc.com]
Sent: Thursday, July 11, 2013 3:24 PM
To: Michael Malitsky; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] pix 6.1(3)

Thanks Michael,

What does http fixup do? How would disabling fixup fix my issue?

Aaron

-----Original Message-----
From: Michael Malitsky [mailto:malit...@netabn.com]
Sent: Thursday, July 11, 2013 2:49 PM
To: aar...@gvtc.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Sounds eerily familiar, although I can't find any notes for v6. The first releases of 7 had a similar issue, caused by the firewall dropping any packets with MSS > negotiated size. However, your options are very few. Try disabling the http fixup to confirm it is the inspection engine causing the problem. In version 6, there is no way to tune the inspection engines, on/off is the only button, so your only option is to upgrade. I suggest trying 6.5.last (I think 6.5.105), if that doesn't work go to 7, the highest version that supports a PIX. In v7 you can at least exempt the problem traffic from inspection. Best option - upgrade to an ASA.

Michael

--
Date: Thu, 11 Jul 2013 09:51:16 -0500
From: Aaron <aar...@gvtc.com>
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] pix 6.1(3)
Message-ID: <01ce7e46$186efb20$494cf160$@gvtc.com>
Content-Type: text/plain; charset=us-ascii

Anyone ever dealt with a weird issue whereas when going to a certain website via a cisco pix, the tcp syn and syn/ack flow fine, but the final ack is lost inside the pix? My sniffs seem to show this.

Aaron
=
Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1
You are not fully logged into the fabric. Did you create the necessary FCoE QoS policy?

Sent from handheld.

On May 28, 2013, at 8:06 AM, Piotr <piotr.1...@interia.pl> wrote:

> Hi,
>
> I'm new to the nexus world, I am just testing some switches and I have a problem:
>
> There is one switch 5548 with version 6.0(2)N1(2a). I am trying to make an fcoe connection between xenserver 6.1 (port 1/25) and a linux fcoe target (centos, port 1/26). In both servers I have the card: Cisco Systems Inc VIC FCoE HBA (rev a2). On centos (target side) all looks good but from xenserver I don't see any traffic. In xencenter I see the cisco card connected but when I try to discover new storage, xencenter doesn't find anything.
>
> thanks for any help or clue
>
> regards,
> Piotr
>
> my config:
>
> vlan 11
>   fcoe vsan 11
> vsan database
>   vsan 11
> interface vfc2
>   bind interface Ethernet1/25
>   no shutdown
> interface vfc26
>   bind interface Ethernet1/26
>   no shutdown
> vsan database
>   vsan 11 interface vfc2
>   vsan 11 interface vfc26
> interface Ethernet1/25
>   switchport mode trunk
>   spanning-tree port type edge trunk
> interface Ethernet1/26
>   switchport mode trunk
>   spanning-tree port type edge trunk
>
> outputs:
>
> show lldp neighbors
> Capability codes:
>   (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
>   (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
> Device ID            Local Intf      Hold-time  Capability  Port ID
> 0018.8b9c.cfe6       mgmt0           120                    g21
> nexus-2              Eth1/1          120        B           Eth1/1
> nexus-2              Eth1/2          120        B           Eth1/2
> nexus-2              Eth1/3          120        B           Eth1/3
> nexus-2              Eth1/5          120        B           Eth1/5
> nexus-test2          Eth1/7          120        B           Eth1/1
> b0fa.eb72.7c06       Eth1/25         120                    b0fa.eb72.7c0a
> b0fa.eb72.7f3e       Eth1/26         120                    b0fa.eb72.7f42
>
> show fcoe database
> -------------------------------------------------------------------------------
> INTERFACE   FCID      PORT NAME                  MAC ADDRESS
> -------------------------------------------------------------------------------
> vfc26       0x6a      20:00:b0:fa:eb:72:7f:41    b0:fa:eb:72:7f:41
> Total number of flogi count from FCoE devices = 1.
>
> VE Ports:
> -------------------------------------------------------------------------------
> INTERFACE   MAC ADDRESS          VSAN
> -------------------------------------------------------------------------------
> vfc1        54:7f:ee:8e:ad:0c    2
>
> port 26, only target is ok:
>
> show flogi database
> INTERFACE   VSAN   FCID   PORT NAME                  NODE NAME
> vfc26       2      0x6a   20:00:b0:fa:eb:72:7f:41    10:00:b0:fa:eb:72:7f:41
>
> but from xencenter side there is no traffic:
>
> show interface vfc 2
> vfc2 is trunking
>     Bound interface is Ethernet1/25
>     Hardware is Ethernet
>     Port WWN is 20:01:54:7f:ee:8e:ac:7f
>     Admin port mode is F, trunk mode is on
>     snmp link state traps are enabled
>     Port mode is TF
>     Port vsan is 11
>     Trunk vsans (admin allowed and active) (1-2,11)
>     Trunk vsans (up)                       ()
>     Trunk vsans (isolated)                 ()
>     Trunk vsans (initializing)             (1-2,11)
>     1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
>     1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
>       0 frames input, 0 bytes
>         0 discards, 0 errors
>       0 frames output, 0 bytes
>         0 discards, 0 errors
>     last clearing of show interface counters Sun Feb 21 11:15:15 2010
>     Interface last changed at Sun Feb 21 11:15:15 2010
Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1
With 5500 it is necessary.

Sent from handheld.

On May 28, 2013, at 8:28 AM, Piotr <piotr.1...@interia.pl> wrote:

> On 2013-05-28 14:12, Ryan West wrote:
>> Did you create the necessary FCoE QoS policy?
>
> It's necessary in an almost default setup? I read in the cisco docs that it is optional..
Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1
interface vfc2
  bind interface Ethernet1/25
  switchport trunk allowed vsan 11
  no shutdown

-----Original Message-----
From: Piotr [mailto:piotr.1...@interia.pl]
Sent: Tuesday, May 28, 2013 9:29 AM
To: Ryan West
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1

On 2013-05-28 14:41, Ryan West wrote:
> With 5500 it is necessary.

I added it but still without success.. :(
new storage - hardware hba - probing for lun - no LUNs were found..

class-map type qos class-fcoe
class-map type queuing class-fcoe
  match qos-group 1
class-map type queuing class-all-flood
  match qos-group 2
class-map type queuing class-ip-multicast
  match qos-group 2
class-map type network-qos class-fcoe
  match qos-group 1
class-map type network-qos class-all-flood
  match qos-group 2
class-map type network-qos class-ip-multicast
  match qos-group 2
system qos
  service-policy type queuing input fcoe-default-in-policy
  service-policy type queuing output fcoe-default-out-policy
  service-policy type qos input fcoe-default-in-policy
  service-policy type network-qos fcoe-default-nq-policy
policy-map type control-plane copp-system-policy-customized
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 256000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 16000 bytes
  class copp-system-class-default
    police cir 2048 kbps bc 640 bytes
Re: [c-nsp] Cisco AnyConnect VPN Client
On Thu, Nov 03, 2011 at 19:35:18, Thomason, Simon wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco AnyConnect VPN Client
>
> Where are you getting this information from? As of 8.4 they redid the licensing for anyconnect and also added ikev2 ipsec to the anyconnect suite unless I missed something.

The licensing still requires anyconnect essentials or premium. Otherwise, you only end up with 2 sessions. Not sure how ikev2 is calculated in that number, but my guess would be that they follow the same model. What licensing changes were you referring to?

-ryan
Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
Not entirely sure it will work, but you can enter those commands on either FI by opening ssh to the shared address of UCSM and typing "connect nx a" or "connect nx b" to get to the CLI of either FI.

Sent from handheld.

On Apr 12, 2013, at 1:59 AM, Joachim Tingvold <joac...@tingvold.com> wrote:

> On Apr 12, 2013, at 07:53, Joachim Tingvold <joac...@tingvold.com> wrote:
>> Any undocumented command to get them to work? service unsupported-transceiver?
>
> Maybe throw in this one as well;
>
> no errdisable detect cause gbic-invalid
>
> --
> Joachim
Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
Aaron,

On Fri, Apr 12, 2013 at 12:05:22, Aaron wrote:
> Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
>
> Are you talking about sfp/xfp 3rd party support in NXOS? If so, would this limitation apply to Cisco 5548UP as well? Asking since I'm considering buying some of those and want to know what I'm getting myself into.

service unsupported-transceiver
Warning: When Cisco determines that a fault or defect can be traced to the use of third-party transceivers installed by a customer or reseller, then, at Cisco's discretion, Cisco may withhold support under warranty or a Cisco support program. In the course of providing support for a Cisco networking product Cisco may require that the end user install Cisco transceivers if Cisco determines that removing third-party parts will assist Cisco in diagnosing the cause of a support issue.

The OP is trying to get them working in the fabric interconnects of a UCS environment. You have some access to the underlying NX-OS there, but the configuration is controlled from the UCSM GUI/XML/CLI. The command above works on Nexus 7k and 5k's. The 5548UP works quite well for us, with the exception of a few scenarios involving OSPF and devices that want to respond to the physical MAC vs. the virtual MAC when using VPC. Netapp management ports come to mind. We have used them in small DC/core environments for Ethernet, iSCSI, FC, and FCoE. Let me know if you have any specific questions about them.

Thanks,

-ryan
Re: [c-nsp] ASA Query
On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASA Query
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>> Hello
>>
>> Three zones/interfaces are used on ASA
>> Internet - security level 0
>> Inside - security level 100 with ipsec configured for vpn clients
>> DMZ - security level 100
>>
>> Traffic from Inside to Internet works fine without ACL.
>> Traffic from DMZ to Internet works when ACL is applied.
>>
>> As per my knowledge traffic from higher security zone to lower zone is allowed by default. Please suggest what could be the reason here.
>
> Which ASA platform specifically? A 5505 w/ a base license only has three VLANs, one of which is restricted to passing traffic to only one of the two remaining VLANs. Based on your question, I assume you are having difficulties passing traffic from inside to DMZ, could you post a sanitized configuration?

Sounds like OP is missing 'same-security permit inter-interface'

-ryan
Re: [c-nsp] ASA Query
On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
> Subject: Re: [c-nsp] ASA Query
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 3/20/2013 5:34 PM, Ryan West wrote:
>> On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
>>> Cc: cisco-nsp@puck.nether.net
>>> Subject: Re: [c-nsp] ASA Query
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>>>> Hello
>>>>
>>>> Three zones/interfaces are used on ASA
>>>> Internet - security level 0
>>>> Inside - security level 100 with ipsec configured for vpn clients
>>>> DMZ - security level 100
>>>>
>>>> Traffic from Inside to Internet works fine without ACL.
>>>> Traffic from DMZ to Internet works when ACL is applied.
>>>>
>>>> As per my knowledge traffic from higher security zone to lower zone is allowed by default. Please suggest what could be the reason here.
>>>
>>> Which ASA platform specifically? A 5505 w/ a base license only has three VLANs, one of which is restricted to passing traffic to only one of the two remaining VLANs. Based on your question, I assume you are having difficulties passing traffic from inside to DMZ, could you post a sanitized configuration?
>>
>> Sounds like OP is missing 'same-security permit inter-interface'
>>
>> -ryan
>
> That would not apply inside to DMZ, they are not the same security level, no?

It's difficult to read, but I show 100 - inside, 0 - outside, 100 - dmz.

-ryan
Re: [c-nsp] Cisco IPSEC Client software for Windows 8 ?
Native support since anyconnect 3.0.1055 and 3.1.

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ricardo Stella
Sent: Saturday, March 09, 2013 8:59 AM
To: Olivier CALVANO
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco IPSEC Client software for Windows 8 ?

I'm using any connect 2.5 something. There is a registry hack needed to get it to work however.

---
°(((=((===°°°(((

On Mar 9, 2013, at 8:13 AM, Olivier CALVANO <o.calv...@gmail.com> wrote:

> Hi
>
> anyone know if they have a Cisco IPSec Client for Windows 8? for connecting to my asa
>
> Thanks
> Olivier
Re: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
Scott,

On Thu, Feb 21, 2013 at 08:50:02, Scott Voll wrote:
> Subject: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
>
> I just installed a couple SSM-20's in my ASA's. Install was a little less than I had hoped as the backup came online with the module and the Primary didn't have the module yet. So we will just say we had a little down time (ever so brief).
>
> My question now becomes, how do I reboot one of these modules without the ASA failing over to the backup? I don't want to knock off all my VPN users.

I think you need to treat it like a zero downtime upgrade. Fail over to the secondary firewall, reload the module on the old primary and fail back after state is synced up. You should not lose VPN authentications during a failover. IPsec RA, L2L, webvpn, and SVC sessions should stay intact between failovers.

-ryan
Re: [c-nsp] ASA 8.4 NAT weirdness...
On Sun, Feb 17, 2013 at 16:36:22, Jeff Kell wrote:
> Subject: [c-nsp] ASA 8.4 NAT weirdness...
>
> OK, now have ASA up on 8.4 software, and boy is it ever weird :)
>
> We do NAT extensively (all 1918 addressing inside). For public-facing servers, primarily web servers, we made a habit of translating them into a public /24 network (say x.y.z.*). The firewall attributes for this was to simply permit http and https for x.y.z.*/24 inbound on the outside interface, and the rest took care of itself.
>
> Along comes 8.4... and it includes NAT with the network object definitions... and the migration effort did this:
>
> * Put all the static NATs back into the inside object definition,
> * Generated a permit http and a permit https for EVERY SINGLE SERVER we had in the subnet
>
> Our configuration increased by an order of magnitude :(
>
> And it doesn't appear that explicitly adding the original permit into the list even works (it sits in the configuration above the generated individuals, but doesn't get any hits, they fall through to the generated mess).

If you were running policy based NAT, you can reuse your original rules, but you'll need to use twice NAT and object groups to accomplish that. As for the ACL mess, you should note that switching to 8.3+ NAT, you need to reference the internal address of the server in your outside ACL. Try switching those object groups around or referencing the internal address and you'll start to see the hits again.

-ryan
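An added illustration of the point Ryan makes above; this is not configuration from Jeff's or Ryan's posts. On ASA 8.3 and later the interface ACL is evaluated against the real (untranslated) address, so a pre-8.3 rule written for the mapped public /24 never matches and the hits fall through to the per-server entries the migration generated. The host addresses, object names and interface names below are constructed for the example; the commands themselves are standard ASA syntax.

```cisco
! --- Pre-8.3 style (where the migrated config came from) ---
! NAT was applied before the ACL check, so the outside ACL named
! the MAPPED public addresses and a single /24 rule covered the farm.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any 203.0.113.0 255.255.255.0 eq www
access-list OUTSIDE_IN extended permit tcp any 203.0.113.0 255.255.255.0 eq https
access-group OUTSIDE_IN in interface outside

! --- 8.3+ style ---
! The static translation now lives inside each network object, and the
! outside ACL is evaluated against the REAL inside address. A rule that
! still says 203.0.113.0/24 collects zero hits on this code.
object network WEB-01
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network WEB-02
 host 10.1.1.11
 nat (inside,outside) static 203.0.113.11

! Collapse the generated per-server entries back into one rule per port
! by grouping the real addresses and referencing the group in the ACL.
object-group network WEB-SERVERS-REAL
 network-object object WEB-01
 network-object object WEB-02
access-list OUTSIDE_IN extended permit tcp any object-group WEB-SERVERS-REAL eq www
access-list OUTSIDE_IN extended permit tcp any object-group WEB-SERVERS-REAL eq https
access-group OUTSIDE_IN in interface outside

! --- Verification ---
! packet-tracer shows the UN-NAT phase followed by the ACCESS-LIST phase,
! so you can see which ACL entry a public-facing connection actually hits
! (198.51.100.5 is a constructed outside client address).
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443
show access-list OUTSIDE_IN
```

If the web servers all live in one inside subnet, a single `permit tcp any <real subnet> <mask> eq https` entry does the same job as the object-group and reproduces the one-rule-per-port shape of the old configuration; the object-group form is for servers scattered across several internal ranges.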
Re: [c-nsp] Nexus 5k version 6?
Hi Scott,

On Fri, Feb 15, 2013 at 10:50:57, Scott Voll wrote:
> Subject: [c-nsp] Nexus 5k version 6?
>
> Has anyone upgraded to 6.0 yet? Pros? Cons? Stability? Reason not to upgrade?
>
> Ours is a new install, thus if I can upgrade now, I won't have to later.

Do you have this FEX - Cisco Nexus 2248PQ 10-Gigabit FEX? If not, I would probably steer clear of it. 5.2(1)N1 and 5.1(3)N2 have been pretty stable for us. 6.0 is probably just a merged code line, but it is a first release.

-ryan
Re: [c-nsp] New to Nexus gear.... how does the licenses work?
Try turning on some features and the licenses should change.

feature eigrp
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature fcoe
feature npiv
feature fex

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Wednesday, February 13, 2013 1:06 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] New to Nexus gear how does the licenses work?

So we just got our new 5548UPs in the door. Per the docs it says the licenses are installed from the factory. But doing a "show license usage" we get all the pkg files saying install -- no. license count --

What am I missing here?

TIA

Scott
Re: [c-nsp] Can ASA 5550 do BGP
On Mon, Feb 11, 2013 at 13:21:46, Peter Rathlev wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Can ASA 5550 do BGP
>
> On Mon, 2013-02-11 at 18:58 +, pamela pomary wrote:
>> Quick one. I have just read from Cisco's support community that generally ASAs don't do BGP. I want to verify if that is the case or there is a tweak to get it to do BGP :) . We have ASA 5550 software version 8.2(3) which we possibly want to use as a border/edge router with our ISP.
>
> I'm pretty certain the ASA doesn't do any BGP. The FWSM supports BGP Stub Routing though it's very limited (bordering to useless).

Through 9.1, no BGP support on the ASA.

-ryan
Re: [c-nsp] Fwd: 2960s-48fps-l flex stack
On Mon, Jan 14, 2013 at 18:58:18, Scott Voll wrote:
> Subject: [c-nsp] Fwd: 2960s-48fps-l flex stack
>
> I have a 2960s-48fps-l and when I inserted the flex stack module I get:
>
> %PLATFORM-6-FLEXSTACK_UNSUPPORTED_MODULE: Unsupported FlexStack module inserted in Switch 1. C2960S-F-STACK

Looks like it might be the wrong stack module:

C2960S-F-STACK FlexStack hot-swappable stacking module: compatible with Cisco Catalyst 2960-SF Series LAN Base switches only.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12651/data_sheet_c78-715638.html

-ryan
Re: [c-nsp] Cisco ASA 5512-x
On Wed, Dec 26, 2012 at 11:32:15, Andrey Petrenko wrote:
> Subject: [c-nsp] Cisco ASA 5512-x
>
> hello. Does Cisco ASA 5512-x security plus support high-availability (Active/Active, Active/Support)?
>
> On this page:
> http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~tab-a
> support. On this page
> http://www.cisco.com/en/US/products/ps6120/prod_models_home.html
> not support.
> --

At first release, it was a no, but it does support HA with a Security Plus license. ASA5512-SEC-PL is the part number.

Thanks,

-ryan
Re: [c-nsp] Anyconnect ASA 5550
On Wed, Dec 26, 2012 at 13:57:53, Blake Pfankuch wrote:
> Subject: [c-nsp] Anyconnect ASA 5550
>
> Int gi 0/1
>  Ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
>  Nameif outside
>  Secu 0
>
> Without changing the actual interface IP, I cannot have my Anyconnect clients connect to 10.10.10.15?

Check out vpn load-balancing.

-ryan
Re: [c-nsp] ASA is not sending syslog
On Tue, Dec 25, 2012 at 13:51:24, Farooq Razzaque wrote:
> Subject: [c-nsp] ASA is not sending syslog
>
> Hi All,
>
> I have an ASA 5510 running version 8.0(5)27. The ASA is not sending logs to syslog server 2. Previously it was sending logs to syslog server 2 (2.x.x.2). I changed the order in the config, i.e. I put the config of syslog server 3 (3.x.x.3) at second number and then put the config of syslog server 2 (2.x.x.2) at third number. After that the ASA is not sending logs to syslog server 3 (3.x.x.3), which is at second number, or to syslog server 2, which is at third number. I also removed the config of syslog server 2 (logging host mgmt 2.x.x.2 --- Syslog server 2), which was at third number. But still the ASA is not sending logs to the syslog server at second number.
>
> How can we check that the ASA is sending syslogs out?

Sniff it and look for the counters to increment.

> logging enable
> logging list VPN_Monitor level informational class abc
> logging list VPN_Monitor level informational class abcfo
> logging buffered informational
> logging trap informational
> logging asdm informational
> logging host mgmt 1.x.x.1       --- Syslog server 1
> logging host mgmt 2.x.x.2       --- Syslog server 2
> logging host inside 3.x.x.3     --- Syslog server 3
> logging permit-hostdown
> logging class abc history informational
> logging class abcfo history informational

Others may have different experiences, but I've found that a reboot is the only fix sometimes. Removing all logging and adding it back will not fix it when a configuration change is made. The logging feature is a little flaky.

-ryan
Re: [c-nsp] ASA is not sending syslog
You can sniff to see if it's sending syslog messages, but you'll find that once it fails it will not recover on its own. Rebooting the box has fixed the issue. The issue we've faced is that the ASA will stop sending to a host and won't recover, regardless of configuration changes.

Hope that helps.

-ryan

From: Farooq Razzaque [mailto:farooq_...@hotmail.com]
Sent: Tuesday, December 25, 2012 3:55 PM
To: Ryan West; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA is not sending syslog

> Hi Ryan
>
> Thanks for the reply. Have you faced the issue with ASA syslog? If so, what issue did you face? Did a reboot fix it? Can you elaborate on the following:
>
> > Sniff it and look for the counters to increment.
>
> From: rw...@zyedge.com
> To: farooq_...@hotmail.com; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] ASA is not sending syslog
> Date: Tue, 25 Dec 2012 19:35:39 +
>
> > On Tue, Dec 25, 2012 at 13:51:24, Farooq Razzaque wrote:
> > [snip]
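Both replies in this thread say the same thing: once the ASA stops sending to a host it does not recover, and the only way to know is to look for the traffic. The other half of that is on the collector, which should alarm when a source goes quiet. The following is an added example, not code from the thread or from Cisco: it parses constructed RFC 3164-style lines (ASA-style message text, placeholder hostnames and addresses) and reports every source whose newest message is older than a threshold.

```python
"""Alarm when a syslog source goes quiet.

Added example, not from the cisco-nsp thread: the ASA can stop sending to a
logging host and never recover on its own, so the collector side should notice
when a firewall's feed dries up. Sample lines are constructed; hostnames and
addresses are placeholders.
"""
import re
from datetime import datetime, timedelta

# "<PRI>Mmm dd HH:MM:SS hostname message" as a relay or collector stores it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed feed: asa-edge-1 stops logging after 19:00:01, asa-edge-2 keeps going.
SAMPLE_LINES = [
    "<166>Dec 25 19:00:01 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1 "
    "for outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "<166>Dec 25 19:00:03 asa-edge-2 %ASA-6-302014: Teardown TCP connection 7 "
    "for outside:198.51.100.7/40000 to inside:192.0.2.11/22 duration 0:00:05 bytes 1200 TCP FINs",
    "<166>Dec 25 19:00:58 asa-edge-2 %ASA-6-302013: Built inbound TCP connection 8 "
    "for outside:198.51.100.8/40001 (198.51.100.8/40001) to inside:192.0.2.11/22 (192.0.2.11/22)",
    "not a syslog line at all",
    "<166>Dec 25 19:05:00 asa-edge-2 %ASA-6-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:192.0.2.11/23 by access-group \"outside_access_in\"",
]


def parse_line(line, year=2012):
    """Return (host, timestamp, message), or None for a line that is not syslog.

    BSD syslog timestamps carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["host"], ts, m["msg"]


def feed_state(lines, year=2012):
    """Map each source host to (newest timestamp seen, message count)."""
    state = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        host, ts, _ = parsed
        last, count = state.get(host, (ts, 0))
        state[host] = (max(last, ts), count + 1)
    return state


def silent_sources(state, now, max_gap):
    """Hosts whose newest message is older than max_gap relative to now."""
    return sorted(host for host, (last, _) in state.items() if now - last > max_gap)


def check_feed(lines, now, max_gap_minutes, year=2012):
    """Convenience wrapper: now as 'YYYY-mm-dd HH:MM:SS', gap in minutes."""
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    return silent_sources(feed_state(lines, year), now_dt, timedelta(minutes=max_gap_minutes))


if __name__ == "__main__":
    state = feed_state(SAMPLE_LINES)
    now = datetime(2012, 12, 25, 19, 6, 0)
    for host in silent_sources(state, now, timedelta(minutes=2)):
        last, count = state[host]
        print(f"ALERT {host}: {count} msgs, last seen {last:%H:%M:%S}, quiet for {now - last}")
```

The threshold has to be tuned per device: a busy edge firewall at informational level emits continuously, so a gap of a couple of minutes is already suspicious, whereas a quiet management-only box needs a much longer window or a periodic heartbeat message to key on.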
Re: [c-nsp] 3750x Alternatives
Just one clarification. The 5548UP is around the same price as the 5010 was. The 5520 is a 2U model which is closer to the 5596UP.

Sent from handheld.

On Nov 19, 2012, at 6:28 PM, Andrew Miehs and...@2sheds.de wrote:
> On Tue, Nov 20, 2012 at 9:56 AM, CiscoNSP_list cisconsp_l...@hotmail.com wrote:
> > Thanks Andrew - The Nexus do look nice... The 5010/5020 are EOL'd, correct? (But still able to get smartnet on them?) Is there a significant price point difference between these and the 5548(P?)
>
> The Nexus 5548 should cost about the same as the 5020 - but you would need to check this and speak with your Cisco sales rep.
>
> > If the Nexus are heinously expensive, I might look at the 4500's as you suggest, or perhaps the 4900's? (I do require 6+ SFP for fibre connections though)
>
> Do you require SFP+ or SFP? (10G or 1G)?
>
> The 4500 Sup7E and 4500X should support VSS by the start of next year (probably mid-year until it is stable). If you can wait that long with the VSS requirement you could probably buy a 4500 now, and VSS it later.
>
> HP also have their own version of VSS called IRF which you will find on their H3C range of switches - I believe it is now called HP Comware. This may also be an alternative.
>
> Andrew
Re: [c-nsp] 3750x Alternatives
Now that the price list appears to be updated on CCX and netformx, it seems the 4500X is a pretty good choice. I didn't have the same experience with steep pricing on the ent version, at least not when compared to the LAN base - IP base - Ent upgrade pricing for the 4500E.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Kell
Sent: Monday, November 19, 2012 8:10 PM
To: Andrew Miehs
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750x Alternatives

> If you seriously have 10G on the roadmap, 4500X looks sweet, you can get it in a 16-port version, SFP / SFP+ you upgrade as you are ready. A pair of them in a VSS deployment is going to be pretty steep however, especially if you need smart layer-3 (Enterprise).
>
> Otherwise perhaps a 4507E+R with a pair of Sup7Es, you can pre-load redundant power, Supervisors, and blades to fit the need now; if the VSS pans out you just need another chassis (and whatever else you may want redundantly redundant).
>
> Or go with 3750E/X if their mac address tables meet your needs. You get two 10G ports per switch, you can always uplink to a dumber/cheaper L2 10G switch.
>
> Jeff
>
> On 11/19/2012 8:00 PM, Andrew Miehs wrote:
> > On Tue, Nov 20, 2012 at 11:34 AM, CiscoNSP_list cisconsp_l...@hotmail.com wrote:
> > > 2 x 4500-e with Sup7e + WS-X4748-RJ45-E + WS-X4612-SFP-E? Or 2 x 4500x with similar ports as 4500-e? Or 2 x Nexus 5548? Is there a big price difference between these?
> >
> > Contact your Cisco reseller. He may be able to provide you with a global price list so that you can see the relative price of all the items. You will want some form of support on these boxes as well, as you NEED to be able to download updates. Otherwise you will have me here all day working out Cisco prices :)
> >
> > Based on my gut feeling - I would think that the best solution for you would probably be a c4506 with a Sup7E. You could get your redundancy by using spanning tree rather than port channels until VSS becomes available. The 4500s are also quite a good layer 3 switch should you ever require layer 3 functionality. (Extra licenses however).
> >
> > NOTE: I can of course not guarantee that Cisco will bring out VSS for the 4500s or that it won't be an extra cost on the Sup7E - I can only state what I have read.
Re: [c-nsp] Cisco ASA 5505 VPN setup
So you have a VPN tunnel connecting them and you want all traffic to go through the tunnel to get to the Internet? I'm not following the part about removing the second link though, won't you still need that for the VPN?

Sent from handheld.

On Nov 8, 2012, at 4:32 PM, daniel Bahamombe dbanhamo...@yahoo.com wrote:
> Hello guys
>
> I have two sites remote from one another but all connected to the internet by two separate ISPs using the Cisco ASA 5505. I would want to set up a VPN tunnel between the two sites and have internet access from a single site, as compared to getting it from two links all supplying internet from separate providers. I do have static IPs on both ASAs facing the public internet.
>
> Can anyone assist with the configuration, if it's possible to set this up without ISP intervention?
>
> Regards
> Dan
Re: [c-nsp] OT: Duplicate IP's.
ASA version?

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Monday, October 29, 2012 11:40 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: Duplicate IP's.

> We have VMs and now Desktops that are getting Duplicate IP errors on boot up when they have a static IP configured (and there is no duplicate IP). VMware says it's an ASA issue with Proxy ARP. I have turned off proxy arp. Is there something else that may be causing these issues?
>
> TIA
>
> Scott
Re: [c-nsp] OT: Duplicate IP's.
Scott,

Can you post a sanitized output of show nat? I know you said you have proxy-arp turned off, but it does sound like a nat (inside,any) statement that's causing the issue.

-ryan

From: Scott Voll [mailto:svoll.v...@gmail.com]
Sent: Monday, October 29, 2012 12:34 PM
To: Ryan West
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: Duplicate IP's.

> 8.4.4.5
>
> On Mon, Oct 29, 2012 at 8:48 AM, Ryan West rw...@zyedge.com wrote:
> > ASA version?
> >
> > -Original Message-
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
> > Sent: Monday, October 29, 2012 11:40 AM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] OT: Duplicate IP's.
> >
> > > We have VMs and now Desktops that are getting Duplicate IP errors on boot up when they have a static IP configured (and there is no duplicate IP). VMware says it's an ASA issue with Proxy ARP. I have turned off proxy arp. Is there something else that may be causing these issues?
> > >
> > > TIA
> > >
> > > Scott
Re: [c-nsp] NAt on cisco ASA 5505
Is it 8.2 or 8.3+?

Sent from handheld.

On Oct 15, 2012, at 8:47 AM, Murat Kaipov mkkai...@gmail.com wrote:
> Hello Oliver.
>
> Yes it's possible. Do you need an example config?
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Olivier CALVANO
> Sent: Monday, October 15, 2012 1:51 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] NAt on cisco ASA 5505
>
> > Hi
> >
> > I want NAT on a Cisco ASA 5505 (IPsec tunnel site to site): 192.168.10.0/24 into 192.168.235.0/24. Is it possible? All requests from 192.168.10.0 to an IP inside the IPsec tunnel are changed to 192.168.235.x.
> >
> > Thanks for your help
> > Olivier
Re: [c-nsp] NAt on cisco ASA 5505
On Mon, Oct 15, 2012 at 09:22:38, Olivier CALVANO wrote:
> it's 8.0(3)
>
> 2012/10/15 Ryan West rw...@zyedge.com:
> > Is it 8.2 or 8.3+?
> >
> > > 192.168.10.0/24 into 192.168.235.0/24, is it possible? All requests from 192.168.10.0 to an IP inside the IPsec tunnel are changed to 192.168.235.x.

Try this -

access-list policy-nat-192.168.235.0 extended permit ip 192.168.10.0 255.255.255.0 remote_end_of_tunnel 255.255.255.0
static (inside,outside) 192.168.235.0 access-list policy-nat-192.168.235.0

For this to override other static NATs, it needs to be at the top of the list.

-ryan
Re: [c-nsp] ASA 5505 NAT and asymmetric routing
On Mon, Oct 08, 2012 at 13:36:57, Matthew DeSantos wrote:
> Subject: [c-nsp] ASA 5505 NAT and asymmetric routing
>
> All,
>
> Hopefully I can explain this correctly. I'm having an issue with communication (telnet/ssh) from a public server to remote private nodes. The issue is the return path, private IPs can't route via the INET. So, my initial thought was to plug the servers into the ASA and give them private IPs. However, these servers actively monitor our private IPs. If I change the IP of the server(s) this will require a lot of manual changes. The private nodes will need to be updated to allow the new private IP access. I'm thinking I need to configure static PAT or some sort of NAT. This is where I'm stuck and don't fully understand how to implement it. The setup is below:
>
> Public Server(s) -[ROUTER]---ASA===tunnel===ASA--[ROUTER] Private IP (10.1.0.0/17)

Not sure what version of code you're running, but assuming it's 8.2 or below, you can try this:

static (inside,outside) tcp public_address 23 private_address 23
static (inside,outside) tcp public_address 22 private_address 22

Then you just update your outside ACL to allow those services through. If you do a one-to-one translation for the public to private address, you'll need a no-nat ACL to fix your private communications.

-ryan
Re: [c-nsp] Etherchannels on a 4506E?
I think it's closer to 64.

Sent from handheld.

On Sep 25, 2012, at 5:43 PM, Mohamed A. Abbas m.abdelmon...@gmail.com wrote:
> 8 etherchannels. I just faced it two days ago, max is 8 + refer to the configuration document to be sure.
>
> Thanks,
> Monsef
>
> On Tue, Sep 25, 2012 at 11:25 PM, Scott Voll svoll.v...@gmail.com wrote:
> > How many Ether channels (port channels) can you have set up on a Cat 4506E with sup 6E? I can't find the documentation on it.
> >
> > Thanks
> >
> > Scott
>
> --
> Eng. Mohamed A. Monsef
> Cisco Networks Engineer
> CCNP® - CCIP® - CCDP®
> CS-RSSS® - IPv6-FGCE®
> ITIL® - ISO/IEC 27002®
> Cell Phone : +2 0100 677 2 887 / +2 0109 255
> Land Line : +2 02 267 42 453
Re: [c-nsp] Port channel
On Fri, Aug 24, 2012 at 06:40:07, Xu Hu wrote:
> Subject: Re: [c-nsp] Port channel
>
> What are the flex links about? Because whether the traffic is load-balanced or not depends on your settings; by default it is source MAC address. Let's say if you just have one source then the traffic will just use one port-channel link; if you have two sources, then it should be load-balanced between the two members. Correct me if I have the wrong understanding of the hashing algorithm.

The default hashing algorithm is different on some platforms in the Catalyst line. In the Nexus line, the default is different for a layer 3 port channel vs a layer 2.

Flex Links disable STP and one interface or Portchannel acts as a backup.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/flexlink.html

-ryan
Re: [c-nsp] Port channel
Flex links is an option as well.

Sent from handheld

On Aug 23, 2012, at 5:45 PM, Andrew Miehs and...@2sheds.de wrote:
> You could shut one of the links down, but if you really want to do this, why use a port channel at all - spanning tree can do what you are after...
>
> Sent from a mobile device
>
> On 24/08/2012, at 3:08, Harry Hambi harry.ha...@bbc.co.uk wrote:
> > Hi all,
> >
> > In a port channel can you force traffic down a particular link, and not use the hashing algorithm?
Re: [c-nsp] help with NAT on ASA 8.3+
Double NAT. Should look something like this:

nat (inside,outside) source static obj_10.10.0.1 obj_172.17.1.1 destination static obj_10.10.1.0 obj_10.10.1.0

Since this is equivalent to static policy nat in 8.2 and below, make sure you position this nat rule near the top.

Sent from handheld

On Aug 7, 2012, at 10:12 AM, Scott Voll svoll.v...@gmail.com wrote:
> I have a LAN to LAN connection (say 10.10.1.x/24) that terminates on my ASA 8.3+. I have an internal IP address on the inside of 10.10.0.1 that, because of DNS, needs to look like 172.17.1.1. So a client at the remote site, 10.10.1.250, gets DNS for 172.17.1.1 but should be NAT'd and connecting to 10.10.0.1.
>
> How do I set up the NAT in 8.3+? 10.10.1.x looks to be on the outside interface and 10.10.0.1 looks to be on the inside interface.
>
> TIA
>
> Scott
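This reply and the 8.0(3) policy NAT reply earlier on the page make the same point: the narrower, destination-conditioned rule must be listed before any broader static for the same inside range, because the first matching rule wins. The following is an added example, not from either thread and not Cisco code, that models that first-match ordering with the addresses from the two threads. It simplifies the ASA's evaluation to a single ordered list (on 8.3+ the manual rules in section 1 are walked in order just like this); 172.16.50.0/24 stands in for the thread's remote_end_of_tunnel and 198.51.100.0/24 is a constructed public static range.

```python
"""First-match ordering of ASA NAT rules (added example, not Cisco code).

Models why a policy/twice NAT rule has to sit above a broader static rule.
Evaluation is simplified to "first matching rule in the list wins".
172.16.50.0/24 stands in for remote_end_of_tunnel; 198.51.100.0/24 is a
constructed public range used by the broader static.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    real_net: str                   # real (inside) source range
    mapped_net: str                 # translated range, same prefix length
    dest_net: Optional[str] = None  # policy condition on the destination, if any

    def matches(self, src: str, dst: str) -> bool:
        if ip_address(src) not in ip_network(self.real_net):
            return False
        return self.dest_net is None or ip_address(dst) in ip_network(self.dest_net)

    def translate(self, src: str) -> str:
        """Keep the host offset inside the network: .5 stays .5."""
        real, mapped = ip_network(self.real_net), ip_network(self.mapped_net)
        offset = int(ip_address(src)) - int(real.network_address)
        return str(ip_address(int(mapped.network_address) + offset))


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """(name of the first matching rule, translated source); no match leaves src alone."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, rule.translate(src)
    return None, src


# 8.0(3) thread: policy NAT of 192.168.10.0/24 to 192.168.235.0/24 only towards the tunnel.
POLICY = NatRule("policy-nat-192.168.235.0", "192.168.10.0/24", "192.168.235.0/24",
                 dest_net="172.16.50.0/24")
# A broader one-to-one static for the same inside range (constructed).
STATIC = NatRule("static-one-to-one", "192.168.10.0/24", "198.51.100.0/24")
# 8.3+ thread: 10.10.0.1 must appear as 172.17.1.1 to the 10.10.1.0/24 L2L peer.
TWICE = NatRule("twice-nat-10.10.0.1", "10.10.0.1/32", "172.17.1.1/32",
                dest_net="10.10.1.0/24")


def demo():
    """Same packet, two orderings: the tunnel-bound flow only gets the policy address when the policy rule is first."""
    wrong = apply_nat([STATIC, POLICY], "192.168.10.5", "172.16.50.10")
    right = apply_nat([POLICY, STATIC], "192.168.10.5", "172.16.50.10")
    return wrong, right


if __name__ == "__main__":
    wrong, right = demo()
    print("policy rule below static :", wrong)   # static wins, tunnel traffic mis-translated
    print("policy rule at the top   :", right)   # policy wins, 192.168.235.5 as intended
```

Running `demo()` shows the failure mode from the threads directly: with the policy rule listed second, traffic from 192.168.10.5 towards the tunnel is translated by the broad static and never matches the peer's crypto ACL; with it listed first, the same flow leaves as 192.168.235.5 while everything not bound for the tunnel still takes the broad static.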
Re: [c-nsp] Nexus 5596 - B22HP FCOE question
Have you applied the QoS policies needed for FCoE? What do your virtual FC interfaces show? You should see something like vfc# is trunking with a VSAN up and the proper FCoE VLAN listed. Here's an example of a non-SAN-boot FCoE config:

interface Ethernet2/4
  description To esx4 CNA port1
  switchport mode trunk
  switchport trunk allowed vlan 100,200,400-430
  spanning-tree port type edge trunk
  channel-group 124
!
interface vfc124
  bind interface port-channel124
  switchport trunk allowed vsan 100
  no shutdown

The SAN boot version is the same, except you bind to the Ethernet interface instead. Have you already read this?

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps10110/ps11975/guide_c07-686089.html#wp9000363

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of simon thomason
Sent: Wednesday, July 18, 2012 5:34 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 5596 - B22HP FCOE question

> Hi All,
>
> Not certain if anyone can help, but I have configured a new set of 5ks for LAN fine, all up and running, but am struggling with the SAN config. Currently I have storage attached to the 5k fine, but the problem I am having is with the B22HP. I can see the ethernet ports fine and in DCNM see the FCoE ports, but they are not talking back to the 5k to attach to the SAN. Cannot see a FLOGI entry for the FCoE ports. I have followed the FCoE config guides closely but it seems like I am missing a step to attach the FCoE ports to the SAN management? I know there is not a lot of detail, but has anyone run into something like this before? Good with the LAN side, not so good with the SAN.
>
> Cheers,
> Simon.
Re: [c-nsp] Rancid use without level 15 access?
On Fri, Jul 06, 2012 at 10:50:15, Steven Raymond wrote:
> Subject: [c-nsp] Rancid use without level 15 access?
>
> Is it possible to make use of RANCID for Cisco config archiving without having to grant it full level 15 access? So far we've found no, but wondered if anyone has a trick or two?

Steven,

RANCID has a mailing list you can try, rancid-disc...@shrubbery.net. We use TACACS+ for command authorization and the RANCID user has the ability to run the commands listed in the commandtable. You can crawl the archives for examples - http://www.shrubbery.net/pipermail/rancid-discuss/

-ryan
Re: [c-nsp] Rancid use without level 15 access?
On Fri, Jul 06, 2012 at 12:06:54, Alan Buxey wrote:
> Subject: Re: [c-nsp] Rancid use without level 15 access?
>
> We use TACACS+ (shrubbery) to give the rancid user the rights to only the commands it needs. As for silently failing, you can e.g. run the login command and scripts manually (it was through checking those scripts we knew what commands to allow).

When RANCID can't access a device for some reason, then you usually end up with silent fails. Failing on commands, from my experience, is pretty easy to find in $install_path/var/log. The commands are all listed in the commandtable; in a Cisco environment, that would include bin/rancid and bin/nxrancid. Most devices are covered under bin/rancid.

@commandtable = (
    {'show version'                 => 'ShowVersion'},
    {'show redundancy secondary'    => 'ShowRedundancy'},
    {'show idprom backplane'        => 'ShowIDprom'},
    {'show install active'          => 'ShowInstallActive'},
    {'show env all'                 => 'ShowEnv'},
    {'show rsp chassis-info'        => 'ShowRSP'},
    {'show gsr chassis'             => 'ShowGSR'},
    {'show diag chassis-info'       => 'ShowGSR'},
    {'show boot'                    => 'ShowBoot'},
    {'show bootvar'                 => 'ShowBoot'},
    {'show variables boot'          => 'ShowBoot'},
    {'show flash'                   => 'ShowFlash'},
    {'dir /all nvram:'              => 'DirSlotN'},
    {'dir /all bootflash:'          => 'DirSlotN'},
    {'dir /all slot0:'              => 'DirSlotN'},
    {'dir /all disk0:'              => 'DirSlotN'},
    {'dir /all slot1:'              => 'DirSlotN'},
    {'dir /all disk1:'              => 'DirSlotN'},
    {'dir /all slot2:'              => 'DirSlotN'},
    {'dir /all disk2:'              => 'DirSlotN'},
    {'dir /all harddisk:'           => 'DirSlotN'},
    {'dir /all harddiska:'          => 'DirSlotN'},
    {'dir /all harddiskb:'          => 'DirSlotN'},
    {'dir /all sup-bootdisk:'       => 'DirSlotN'},   # 6500 sup32
    {'dir /all sup-bootflash:'      => 'DirSlotN'},   # cat 6500-ios
    {'dir /all sup-microcode:'      => 'DirSlotN'},   # cat 6500-ios
    {'dir /all slavenvram:'         => 'DirSlotN'},
    {'dir /all slavebootflash:'     => 'DirSlotN'},
    {'dir /all slaveslot0:'         => 'DirSlotN'},
    {'dir /all slavedisk0:'         => 'DirSlotN'},
    {'dir /all slaveslot1:'         => 'DirSlotN'},
    {'dir /all slavedisk1:'         => 'DirSlotN'},
    {'dir /all slaveslot2:'         => 'DirSlotN'},
    {'dir /all slavedisk2:'         => 'DirSlotN'},
    {'dir /all slavesup-bootflash:' => 'DirSlotN'},   # cat 7609
    {'dir /all sec-nvram:'          => 'DirSlotN'},
    {'dir /all sec-bootflash:'      => 'DirSlotN'},
    {'dir /all sec-slot0:'          => 'DirSlotN'},
    {'dir /all sec-disk0:'          => 'DirSlotN'},
    {'dir /all sec-slot1:'          => 'DirSlotN'},
    {'dir /all sec-disk1:'          => 'DirSlotN'},
    {'dir /all sec-slot2:'          => 'DirSlotN'},
    {'dir /all sec-disk2:'          => 'DirSlotN'},
    {'show controllers'             => 'ShowContAll'},
    {'show controllers cbus'        => 'ShowContCbus'},
    {'show diagbus'                 => 'ShowDiagbus'},
    {'show diag'                    => 'ShowDiag'},
    {'show capture'                 => 'ShowCapture'},    # ASA/PIX
    {'show module'                  => 'ShowModule'},     # cat 6500-ios
    {'show spe version'             => 'ShowSpeVersion'},
    {'show c7200'                   => 'ShowC7200'},
    {'show inventory raw'           => 'ShowInventory'},
    {'show vtp status'              => 'ShowVTP'},
    {'show vlan'                    => 'ShowVLAN'},
    {'show vlan-switch'             => 'ShowVLAN'},
    {'show debug'                   => 'ShowDebug'},
    {'show cdp neighbor detail'     => 'ShowCDPDetail'},
    {'show shun'                    => 'ShowShun'},       # ASA/PIX
    {'more system:running-config'   => 'WriteTerm'},      # ASA/PIX
    {'show running-config view full' => 'WriteTerm'},     # workaround for
    {'show running-config'          => 'WriteTerm'},
    {'write term'                   => 'WriteTerm'},
);

-ryan
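Both replies in this thread describe the same arrangement: the rancid account gets exec access, and TACACS+ command authorization limits it to exactly the commands in the commandtable. The following is an added example, not from the thread and not part of RANCID or tac_plus: it parses a constructed excerpt in the Perl @commandtable format shown above and emits a per-user command-authorization stanza of the form `cmd = <verb> { permit <regex> ... deny .* }`. That stanza shape follows the shrubbery tac_plus.conf format as I know it (exec at priv-lvl 15, with every command then authorized individually); check it against the man page for the version you run before deploying it.

```python
"""Turn RANCID's commandtable into a tac_plus command-authorization stanza.

Added example, not from the cisco-nsp thread and not part of RANCID or
tac_plus. It parses the Perl @commandtable format and emits a per-user
"cmd = <verb> { permit <regex> ... deny .* }" block so the rancid account can
run only those commands. The tac_plus syntax is as I know it from the
shrubbery tac_plus.conf man page; verify against your version. SAMPLE_TABLE is
a constructed excerpt of the real table.
"""
import re
from collections import OrderedDict

# {'command' => 'Handler'}, tolerating the stray comma some entries carry.
ENTRY_RE = re.compile(r"\{\s*'([^']+)'\s*,?\s*=>\s*'(\w+)'\s*\}")

SAMPLE_TABLE = """
@commandtable = (
    {'show version'             => 'ShowVersion'},
    {'show idprom backplane',   => 'ShowIDprom'},
    {'show env all'             => 'ShowEnv'},
    {'dir /all nvram:'          => 'DirSlotN'},
    {'dir /all bootflash:'      => 'DirSlotN'},
    {'show running-config'      => 'WriteTerm'},
    {'write term'               => 'WriteTerm'},
);
"""


def parse_commandtable(text):
    """[(command, handler), ...] in table order."""
    return ENTRY_RE.findall(text)


def group_by_verb(entries):
    """tac_plus authorizes per first word: {'show': ['version', ...], 'dir': [...]}."""
    groups = OrderedDict()
    for command, _handler in entries:
        verb, _, args = command.partition(" ")
        groups.setdefault(verb, []).append(args)
    return groups


def regex_literal(args):
    """Anchor the argument string so 'version' cannot widen into 'version | ...'."""
    escaped = re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", args)
    return f"^{escaped}$"


def tacplus_stanza(user, entries):
    """Render the user block; each verb ends with an explicit deny so unlisted arguments fail."""
    lines = [f"user = {user} {{", "    service = exec {", "        priv-lvl = 15", "    }"]
    for verb, arglists in group_by_verb(entries).items():
        lines.append(f"    cmd = {verb} {{")
        for args in arglists:
            lines.append(f'        permit "{regex_literal(args)}"')
        lines.append("        deny .*")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(tacplus_stanza("rancid", parse_commandtable(SAMPLE_TABLE)))
```

Two things the generated stanza makes visible. Anchoring each argument string is what keeps `write term` from also authorizing `write memory`, and `show version` from authorizing `show version | include ...`. And `show running-config` is still on the list, so the rancid account can read the whole configuration, including any secrets stored in it; the command restriction limits what it can change, not what it can see, which is why the account's credentials and the RANCID host deserve the same protection as the configs themselves.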
Re: [c-nsp] ASA wild card cert...
Did you get the entire chain as part of your export? It sounds like you're missing an intermediate cert. Do you see a difference between the ASAs when you issue 'show crypto ca certificate'?

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Thursday, July 05, 2012 11:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA wild card cert...

> I have exported our wild card cert from one ASA and would like to move it to a second ASA. It looks like the export / import went well. I can even see in IE that the cert is my *.domain.com but I'm still getting a Cert Error.
>
> This Certificate cannot be verified up to a trusted certification authority
>
> What did I miss?
>
> Thanks
>
> Scott
>
> ASA 8.4.4
Re: [c-nsp] ASA - SSH/ASDM - Current logged on users
On Wed, Jun 06, 2012 at 06:28:49, Hansen, Ulrich Vestergaard B. (E W EN RD DT ES 1 2) wrote:
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ASA - SSH/ASDM - Current logged on users
>
> Hi nsp-group!
>
> Is there a command or method to display the currently logged on users on a Cisco ASA - like you can issue the who command in IOS? Or is there a way we can display a visual banner upon login to ASDM displaying who is working on the device?

I wasn't able to find anything on a visual banner; the banner macros are pretty basic. If you're using ASDM, Monitoring - Properties - Device Access and click ASDM/HTTPS/Telnet/SSH Sessions. From the CLI it's a kludge: run who to see telnet sessions, show asdm sessions for ASDM, and show ssh sessions for SSH.

-ryan
Re: [c-nsp] ASA5510 - show vpn-sessiondb l2l - Question
On Mon, Jun 04, 2012 at 20:23:47, Erik Sundberg wrote:
> Subject: [c-nsp] ASA5510 - show vpn-sessiondb l2l - Question
>
> When I do a show vpn-sessiondb l2l for my one peer, the encryption and hashing alg is repeated 3 times:
>
> Encryption : AES256 AES256 AES256
> Hashing : SHA1 SHA1 SHA1
>
> The remote side of the VPN shows the following:
>
> Encryption : AES256
> Hashing : SHA1
>
> Does anyone know why this is happening, config issue or output bug?

I'm going with output bug, here is my 8.4.3:

Protocol : IKEv1 IPsec
Encryption : 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES
Hashing : SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1

Wasn't able to find a specific bug, but it appears to just be cosmetic. Maybe each time Phase 1 is restarted.

-ryan
Re: [c-nsp] L2/DHCP protection
On May 31, 2012, at 10:01 AM, Jason Lixfeld ja...@lixfeld.ca wrote:
> I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side. So far, I've built up a config that looks sorta like so:
>
> !
> interface GigabitEthernet1/1
>  switchport trunk allowed vlan 4001-4003
>  switchport mode trunk
>  switchport nonegotiate
>  switchport block multicast
>  switchport block unicast
>  switchport port-security violation shutdown vlan
>  switchport port-security maximum 1 vlan
>  logging event link-status
>  logging event trunk-status
>  storm-control broadcast include multicast
>  storm-control broadcast level 1.00
>  storm-control action shutdown
>  storm-control action trap
>  no cdp enable
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
>  ip verify source vlan dhcp-snooping port-security
>  ip dhcp snooping limit rate 1
>  ip dhcp snooping information option allow-untrusted
> !
>
> In addition to the above, there was the 'port-type uni' feature on the ME3400 and the 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?

Private-vlan isolated to mimic switchport protected and DAI for your DHCP needs.

> Anything else anyone can think of that might be useful here, or anything that is redundant and useless?
>
> Thanks in advance!
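The template above is only useful if every customer-facing port actually carries it, and one line in it works against another: with `spanning-tree bpdufilter enable` on the interface the port drops incoming BPDUs, so `spanning-tree bpduguard enable` on the same port never gets to err-disable anything (Cisco's guides note that the interface-level filter takes precedence over guard). The following is an added example, not from the thread and not Cisco tooling: it splits an IOS-style running config into interface blocks, reports which of a checklist of the template's defensive commands each customer port lacks, and flags that filter-plus-guard combination. The sample config is constructed: Gi1/1 copies the thread's template, Gi1/2 is a deliberately thin port, Te1/1 is an uplink the port filter skips.

```python
"""Audit customer-facing switchports against an L2 hardening template.

Added example, not from the cisco-nsp thread and not Cisco tooling. Parses an
IOS-style config into interface blocks, lists missing controls per customer
port, and flags interface-level bpdufilter sitting next to bpduguard (the
filter drops BPDUs first, so guard never trips). SAMPLE_CONFIG is constructed.
"""

# Each entry is the start of a command line that must be present on a customer port.
REQUIRED = [
    "switchport nonegotiate",          # no DTP; port cannot be talked into more VLANs
    "switchport port-security",        # one MAC per VLAN, violation shuts the port
    "storm-control broadcast level",   # broadcast/multicast storm ceiling
    "storm-control action shutdown",
    "no cdp enable",
    "spanning-tree bpduguard enable",  # customer-side BPDU err-disables the port
    "ip verify source",                # IP source guard against address spoofing
    "ip dhcp snooping limit rate",     # throttle DHCP from the customer side
]

SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport port-security violation shutdown vlan
 switchport port-security maximum 1 vlan
 logging event link-status
 logging event trunk-status
 storm-control broadcast include multicast
 storm-control broadcast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 1
 ip dhcp snooping information option allow-untrusted
!
interface GigabitEthernet1/2
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 1.00
 ip dhcp snooping limit rate 1
!
interface TenGigabitEthernet1/1
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
"""


def interface_blocks(config):
    """{'GigabitEthernet1/1': ['switchport mode trunk', ...], ...}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def missing_controls(lines, required=REQUIRED):
    """Required prefixes that no line of the interface starts with."""
    return [req for req in required if not any(line.startswith(req) for line in lines)]


def self_defeating(lines):
    """Interface-level bpdufilter next to bpduguard: the guard can never fire."""
    has = lambda prefix: any(line.startswith(prefix) for line in lines)
    return has("spanning-tree bpdufilter enable") and has("spanning-tree bpduguard enable")


def audit(config, is_customer_port=lambda name: name.startswith("GigabitEthernet")):
    """Per customer port: {'missing': [...], 'bpdufilter_masks_guard': bool}."""
    return {
        name: {"missing": missing_controls(lines), "bpdufilter_masks_guard": self_defeating(lines)}
        for name, lines in interface_blocks(config).items()
        if is_customer_port(name)
    }


if __name__ == "__main__":
    for port, result in audit(SAMPLE_CONFIG).items():
        print(port, result)
```

The checklist is deliberately prefix-based so that `switchport port-security maximum 1 vlan` and `switchport port-security violation shutdown vlan` both satisfy the port-security entry, and a `no ...` form of a command never does. The things the thread adds on top (DAI, an isolated private VLAN) are global or VLAN-level settings rather than per-port lines, so they belong in a separate global check rather than in this per-interface list.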
Re: [c-nsp] Stacking 3750X vs diverse 4948E
On Tue, May 22, 2012 at 16:00:09, Mark Tinka wrote:
> Cc: scott owens
> Subject: Re: [c-nsp] Stacking 3750X vs diverse 4948E
>
> On Sunday, May 20, 2012 07:57:41 AM Reuben Farrelly wrote:
> > It's also nice to be able to go from 1G to 10G by just upgrading SFP's.
>
> That's why we're looking at the 4500-X (Cisco) and EX4500 (Juniper), and ignoring the typical core switch devices like the 6500, Nexus 7000 (Cisco) and EX8200, EX6200 (Juniper), for small-to-mid size core deployments.

And you'll have VSS in the X. I realize the 5500 and 4500-X are positioned differently, but the 10G capacity of the 4500-X does seem a little low for the price. I guess it all depends on the feature set you need. What are you needing in the 4500-X that isn't available in the 5500?

-ryan
Re: [c-nsp] Stacking 3750X vs diverse 4948E
On Tue, May 22, 2012 at 16:42:20, Mark Tinka wrote:
> Subject: Re: [c-nsp] Stacking 3750X vs diverse 4948E
>
> On Tuesday, May 22, 2012 10:19:47 PM Ryan West wrote:
> > And you'll have VSS in the X. I realize the 5500 and 4500-X are positioned differently, but the 10G capacity of the 4500-X does seem a little low for the price. I guess it all depends on the feature set you need. What are you needing in the 4500-X that isn't available in the 5500?
>
> Not much - pure Layer 2 switching in the core, and customer aggregation in the edge where router line cards are more expensive than the switch. We looked at the 5500 for such a purpose a while back, but we had 6500 in the core then, with typical 1U switches at the edge inside the data centres. For the price (or for what the price will be), the 4500-X fits our bill quite nicely in both segments we're looking at.

The bundle price on the 5500 seems about 35% less than the 4500-X. Maybe I'm missing the other models, but the 3 listed in netformx start off at Land Rover pricing.

-ryan
Re: [c-nsp] Call rejection from Cisco
On Tue, May 15, 2012 at 14:08:17, Joseph Mays wrote:
Subject: Re: [c-nsp] Call rejection from Cisco

> On a related note, I am aware that part of the problem might be that the called party number might be listed as plan unknown and type unknown. I've been trying to figure out a way on the IAD 2400 to set this to national and isdn for all outgoing calls, but the only way I can find to do that is with translation rules, and those all seem to assume that the first thing you want to do is search and replace part of the dialed number. I really don't care what the dialed number is. Is there some way to match just on the plan and type, or some way to set those values other than a translation rule?

You can try this:

voice translation-rule 100
 rule 1 /^\(.*\)/ /\1/ type any national plan any isdn
!
voice translation-profile outbound-set
 translate called 100

Then put that on your POTS dial-peer outbound.

-ryan
Re: [c-nsp] Monitoring 6K performance (pps)
On Sun, May 13, 2012 at 02:19:30, Aaron Riemer wrote:
Subject: [c-nsp] Monitoring 6K performance (pps)

> Hey guys,
>
> We are looking at upgrading our CAT6K SUP's and I am trying to figure out how I can monitor the current throughput. We currently monitor the interface utilisation (bits / sec) with SNMP. That is all well and good but I am looking to obtain raw packets per second (pps) that are actually processed by the switch. Obviously bits / sec are not the same as packets / sec. Is there any real way to go about this other than monitoring each interface and calculating a total for a given time period?

Aaron,

Are you looking for the information contained in 'show platform hardware capacity'? There are sub commands that show PFC usage, fabric usage, and forwarding engine load with peak numbers.

-ryan
Re: [c-nsp] Cisco ASA 5550 Throughput
On Tue, May 08, 2012 at 11:15:56, Covalciuc Piotr wrote:
Subject: [c-nsp] Cisco ASA 5550 Throughput

> Hello,
>
> Can anybody explain to me what the maximum throughput of the Cisco ASA-5550 is? By the specification it's 1.2Gbps. But it's divided on 2 buses: slot0 and slot1 with 600Mbps of throughput each. If traffic flows via the ASA, it enters at slot0 and exits from slot1:

Peter,

It's 1 gbps across the bus, but each one of the slots can handle a total of 600 mbps. So that would mean 600 max passing between those slots. With your drawing, if you just had 1 interface on each bus, it would be 600 in and 600 out.

http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html#wp35995

-ryan
Re: [c-nsp] CAB-SFP-50CM 2960S
On Mon, May 07, 2012 at 03:00:08, Mal wrote:
Subject: [c-nsp] CAB-SFP-50CM 2960S

> Anyone successfully using CAB-SFP-50CM between 2960S switches (WS-C2960S-48LPD-L)? I have a link up between two 10G 2960S SFP+ port interfaces (and can ping across it) but it's reporting a 10Gig speed connection via the cab-stack-50 SFP cable..

It's 10G, were you expecting stackwise speed? I think you have the part number confused with the 3750 line as well.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

-ryan
Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?
Might want to look at the 5525-X. Rated at 2Gbps, so with basic services turned on should get very close to handling a gig with NAT enabled. I'm not sure about FCS on the new boxes though.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Huff
Sent: Monday, April 30, 2012 12:11 PM
To: 'Chuck Church'; 'dcostell-cisco...@torzo.com'; 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?

If you need the full 1GB for VPN, yes, the 5585-X with SSP10 will be the best bet. It will probably be on the close order of 20k though.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chuck Church
Sent: Monday, April 30, 2012 12:02 PM
To: dcostell-cisco...@torzo.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?

Since everything looks like Ethernet, why not consider an ASA 5585-X? This is probably the cheapest thing you'll find that can do a gigabit of VPN.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dave
Sent: Monday, April 30, 2012 11:53 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?

That's what I was afraid someone was going to say :) I guess it's time to start looking into the ASRs and see what my options are.

Thanks all! Really appreciate the help and information.

Dave

On 04/30/2012 08:50 AM, Aled Morris wrote:
> On 30 April 2012 16:40, Dave dcostell-cisco...@torzo.com wrote:
>> Thank you all for the responses. I actually found the PDF shortly after sending the e-mail. Sorry for wasting everyone's time. (Also a part of me was hoping the PDF was wrong). So for an office router that will do GigE + VPN + NAT anyone have any recommendations ? Is it the ASR1k or bust now days ?
>
> You're only going to get near gigabit performance with hardware forwarding, so ASR is your best bet. Switch platforms with Layer 3 (like the Catalyst 3560-X) aren't going to support the features you need in their forwarding ASICs so you'll get performance worse than the ISR2 you've already tried.
>
> Aled
Re: [c-nsp] NAT on Cisco ASA
On Fri, Apr 13, 2012 at 10:13:28, Brian Morgan wrote:
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NAT on Cisco ASA

> On Thu, Apr 12, 2012 at 12:49 PM, Covalciuc Piotr pkovalc...@gmail.com wrote:
>> I know, the servers can communicate through the local network (10.10.10.x). I'd just like to know if the communication between local servers can be established through the NATed IP. If so, how should it be configured on the ASA?
>
> Good day Peter,
>
> It is possible for this to work by using a technique called hair pinning, the problem is that you may start getting strange behavior with your inside network. This feature was originally intended to allow vpn clients to communicate to each other, but can be abused to perform the NATing that you need. Cisco has released a nice video tutorial on how to do this http://www.youtube.com/watch?v=wjEfdfI0BqY and we have used this technique in labs, but try not to use it for production networks.

Ah.. I've done this for outside to outside traffic during a move before, didn't think about applying it to the internal segments though, but same setup.

-ryan
Re: [c-nsp] NAT on Cisco ASA
On Thu, Apr 12, 2012 at 12:49:47, Covalciuc Piotr wrote:
Subject: [c-nsp] NAT on Cisco ASA

> I know, the servers can communicate through the local network (10.10.10.x). I'd just like to know if the communication between local servers can be established through the NATed IP. If so, how should it be configured on the ASA?

Are you connecting to the NAT'd IP because of a public DNS record? If so, you could do a DNS rewrite to provide the local IP address when you query for the public. Just add the 'dns' keyword to the end of the statement.

-ryan
Re: [c-nsp] NAT on the 3750X
On Thu, Mar 22, 2012 at 13:56:36, Keegan Holley wrote:
Subject: [c-nsp] NAT on the 3750X

> Does cisco support NAT on its rack mountable switches yet? 3560/3750X etc..

No, only on the 6500 in the catalyst series to my knowledge. The ME switch based on the 6500 may though.

-ryan
Re: [c-nsp] Nexus 5000 convert between FC and FCoE?
Output of FCoE to a server? Currently multihop FCoE is not supported, but connecting to a CNA in that topology is.

Sent from handheld

On Mar 19, 2012, at 6:01 PM, Ray Van Dolson rvandol...@esri.com wrote:

> We're looking to run straight FC from an XIV storage rack into a Nexus 5000 and output FCoE via another port on that same 5000. Can anyone advise if this is doable or if we'd need additional hardware to make it happen?
>
> Thanks,
> Ray
Re: [c-nsp] VSS display of show run on standby switch
On Wed, Mar 14, 2012 at 10:26:35, Chuck Church wrote:
Subject: Re: [c-nsp] VSS display of show run on standby switch

> Haven't touched VSS in 8 months, but I believe you can do a 'sh mod ?' and after mod, you can do options for the individual chassis numbers.

Yup, 'show mod switch all' will list both. Show inv will also get you both with a Chassis # identifier.

-ryan
Re: [c-nsp] Nexus network Design - Switching LOOP
N2k's do not run spanning-tree and will block ports if a bpdu is detected. You can disable spanning tree on those ports, but your 3750 will be flat at that point.

Sent from handheld

On Mar 13, 2012, at 8:57 AM, Nick Hilliard n...@foobar.org wrote:

> On 13/03/2012 11:56, jack daniels wrote:
>> In this scenario Switching LOOP is getting formed. Only way I'm able to get rid of it is to shutdown Port eth1/1 on Nexus2K-2. Please help in this case.
>
> are the 3750 and both the n5k boxes running spanning tree?
>
> Nick
Re: [c-nsp] Moving ports on ASA's
On Thu, Mar 08, 2012 at 13:11:17, Scott Voll wrote:
Subject: [c-nsp] Moving ports on ASA's

> I have two ASA's running in Active / Standby. I need to move a set of interfaces (non production DMZ set) from one switch to a different switch. If I don't want the ASA's to failover during the move, can I just shut the interface, do the move and then no shut the interfaces? I don't want to affect other traffic on the ASA's with a Failover.

no monitor-interface dmz

Stops the interface monitoring status states that would cause a failover.

-ryan
Re: [c-nsp] Config Backups
Websvn here.

Sent from handheld

On Mar 2, 2012, at 6:30 PM, Erik Sundberg esundb...@nitelusa.com wrote:

> Thanks everyone, I just finished installing rancid and have it up and running already. What web front end are you using to browse the CVS tree?
>
> Thanks
>
> Erik
Re: [c-nsp] ASA SSL VPN client communicating across IPsec tunnel
It's possible, try 'same-security intra-interface'

Sent from handheld

On Feb 12, 2012, at 6:20 PM, Andy Dills a...@xecu.net wrote:

> I have a customer who has a couple of ASA 5510s connected with a typical IPsec tunnel, and on one of them he has a 10 seat Anyconnect SSL license. He'd like for the Anyconnect VPN users to be able to communicate with the network on the other side of the IPsec tunnel. In theory that would work, but I've found the ASAs to sometimes ignore theory.
>
> I updated the NAT exemption ACL (to include traffic from the VPN users to the remote network and vice versa), the split-tunnel ACL (to have it advertise the remote network in addition to the local), and the crypto map ACL (so that the VPN users are included in the ipsec sa).
>
> It didn't seem to work...I didn't have good access to test, but before I arrange for better access to really work with it, is this indeed possible? Any configuration tips?
>
> Thanks,
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
Re: [c-nsp] SSL VPN on an ASA 5505
On Tue, Jan 31, 2012 at 15:59:49, Ryan wrote:
Subject: [c-nsp] SSL VPN on an ASA 5505

> I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3) to create a config for SSL VPNs. The ASDM didn't configure split-tunneling, so I did that manually by creating the NONAT access list and applying it to the Group Policy. The Anyconnect client connects successfully with the appropriate routes, but I can't get any traffic going to the networks that I've VPNed into. The sanitized config is below. Any thoughts?

Anything in the logs or debugs that you could post as well? The new butchered no nat statements look ok to me.

-ryan
Re: [c-nsp] Cisco ASA and ipads
On Sun, Jan 29, 2012 at 21:54:59, Thomason, Simon wrote:
Subject: [c-nsp] Cisco ASA and ipads

> I am looking at allowing IPADS to form a VPN with our ASA to provide limited access. I would like to ideally have the IPAD connect with a cert and username password but have the ASA aware that the device connecting is an IPAD and heavily restrict its access.

Since the Ipad/Iphone's do not run host scan, they are detected through a plugin value returned from DAP. That combined with cert based login should give you what you want, and I don't think you would need the premium license for the plugin value.

> I really need the ASA to be aware what these devices are to prevent users importing a laptop cert and gaining full access to the network over their IPAD. I am pretty certain you can get this functionality with premium but just want to check you can and it works well. Has anyone looked into this at all?

Just did a quick search to see if the ASA would support Dot1x and it does not look like they do, as this might have been a different option.

-ryan
Re: [c-nsp] Quick (?) ASA VPN w/AD question...
Jeff,

On Mon, Jan 30, 2012 at 16:41:00, Jeff Kell wrote:
Subject: [c-nsp] Quick (?) ASA VPN w/AD question...

> Trying to break some new ground on ASA 8.4(2) VPN configuration (quite a number of changes)
>
> Need to map AD group membership onto a group policy selection.
>
> (1) Previous examples are using the Cisco name IETF-Radius-Class to map into the policy name, while 8.4(2) seems to want Group Policy saying that replaces IETF-Radius-Class.
>
> (2) You can now specify a Group Base DN for the group membership location, so I have a OU=Groups,DC=our,DC=domain,DC=specification. I don't seem to be getting hits on the group membership (memberOf) on any of:
> a) plain old group name (FOOBAR),
> b) qualified item name (CN=FOOBAR),
> c) fully-qualified group name (CN=FOOBAR,OU=Groups,DC=our,DC=domain,DC=specification)
>
> Anyone crossed this bridge and kept notes they could share?

I have a fair amount of notes on 8.4.1 and below. I didn't see anything in the release notes for 8.4.2 that hinted at a change in LDAP. Unless I'm confusing it with another option, the group base dn is where the search for your users starts. Unless you're using DAP, the matching is still in the traditional LDAP map. I've found the easiest way to find the proper groups is to start with login@domain.local/com/whatever and password and query a username for authorization.

Here's an example:

aaa-server LDAP (inside) host 192.168.168.168
 ldap-base-dn OU=Foo,DC=test,DC=local
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn CN=ldapadmin,OU=Foo,DC=test,DC=local (ldapadmin@test.local also works)
 server-type auto-detect
 ldap-attribute-map memberOf
!

test-fw1# debug ldap 255
debug ldap enabled at level 255
test-fw1# show run ldap
ldap attribute-map department
ldap attribute-map memberOf
  map-name memberOf IETF-Radius-Class
  map-value memberOf CN=cust1-test,OU=Foo,DC=test,DC=local cust1-test
  map-value memberOf CN=vpn_users,OU=Foo,DC=test,DC=local work
test-fw1# test aaa autho LDAP host 192.168.168.168 username rwest
INFO: Attempting Authorization test to IP address 192.168.168.168 (timeout: 12 seconds)
.
.
.
[68587] memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = cust1-test
[68587] mapped to LDAP-Class: value = cust1-test
[68587] memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = work
[68587] mapped to LDAP-Class: value = work

A couple of caveats on the testing; your primary POSIX group does not show up in the LDAP query (usually Domain Users) and your first match is the winner (unless you are using DAP policies that allow combining).

-ryan
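An added example, not from the thread and not Cisco's code: a small model of the ldap attribute-map lookup shown above, so the class a user will be mapped to can be worked out from the 'show run ldap' text and the 'debug ldap' output before the tunnel-group is touched. The config and debug text are reconstructed from the post; the first-match-wins rule and the missing primary group follow Ryan's caveats; the comparison being case-insensitive is an assumption.

```python
"""Model of the ASA ldap attribute-map lookup (added example, not Cisco's code).

Assumptions: the sample text is reconstructed from the thread; the first
matching memberOf value wins, as Ryan's caveat states; DN comparison is
assumed case-insensitive.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the attribute map as 'show run ldap' printed it above.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map memberOf
  map-name memberOf IETF-Radius-Class
  map-value memberOf CN=cust1-test,OU=Foo,DC=test,DC=local cust1-test
  map-value memberOf CN=vpn_users,OU=Foo,DC=test,DC=local work
"""

# Constructed sample: the memberOf lines from 'debug ldap 255' for user rwest.
DEBUG_LDAP_OUTPUT = """\
[68587] memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = cust1-test
[68587] mapped to LDAP-Class: value = cust1-test
[68587] memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = work
[68587] mapped to LDAP-Class: value = work
"""

# The sample DNs carry no spaces, so one \S+ per field is enough here.
MAP_NAME_RE = re.compile(r"^\s*map-name\s+(\S+)\s+(\S+)\s*$")
MAP_VALUE_RE = re.compile(r"^\s*map-value\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
DEBUG_MEMBEROF_RE = re.compile(r"^\[\d+\] memberOf: value = (.+)$")

Rule = Tuple[str, str]  # (group DN, mapped class value)


def parse_attribute_map(config: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return the map-name pairs and the memberOf map-value rules, in config order."""
    names: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in config.splitlines():
        name_match = MAP_NAME_RE.match(line)
        if name_match:
            names[name_match.group(1)] = name_match.group(2)
            continue
        value_match = MAP_VALUE_RE.match(line)
        if value_match and value_match.group(1) == "memberOf":
            rules.append((value_match.group(2), value_match.group(3)))
    return names, rules


def memberof_from_debug(debug_output: str) -> List[str]:
    """Extract the memberOf values the firewall received, in the order LDAP returned them."""
    groups: List[str] = []
    for line in debug_output.splitlines():
        match = DEBUG_MEMBEROF_RE.match(line)
        if match:
            groups.append(match.group(1))
    return groups


def select_class(member_of: List[str], rules: List[Rule]) -> Optional[str]:
    """First match wins: the first memberOf value that has a map-value rule
    decides the class. None means nothing matched, so the user would land in
    the tunnel-group's default-group-policy. The primary group (Domain Users)
    is never in memberOf, so a user with only that group always gets None."""
    for dn in member_of:
        for rule_dn, mapped in rules:
            if dn.lower() == rule_dn.lower():  # assumed case-insensitive
                return mapped
    return None


def resolve_user_class(config: str, debug_output: str) -> Optional[str]:
    """Whole lookup: config text + debug text -> mapped class, or None."""
    _, rules = parse_attribute_map(config)
    return select_class(memberof_from_debug(debug_output), rules)


if __name__ == "__main__":
    print(resolve_user_class(ATTRIBUTE_MAP_CONFIG, DEBUG_LDAP_OUTPUT))
```

Reversing the order of the two memberOf values flips the answer from cust1-test to work, which is the "first match is the winner" caveat in a form you can check before changing a map-value line.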
Re: [c-nsp] VPN L2L connecting to SSL VPN user?
On Tue, Dec 06, 2011 at 12:12:39, Scott Voll wrote:
Subject: [c-nsp] VPN L2L connecting to SSL VPN user?

> I have an ASA at the hub and IPSEC VPN tunnels back to it from home offices. I also use this ASA to head end all my road warrior anyconnect traffic. For some reason I can not place a call between the Home office and the road warrior. All ACL's look to be setup correctly. Is there a command I might have missed to allow the IPSEC tunnels to communicate with the SSL VPN users?

Same-security-traffic permit intra-interface?

-ryan
Re: [c-nsp] VPN L2L connecting to SSL VPN user?
On Tue, Dec 06, 2011 at 12:24:11, Scott Voll wrote:
Subject: Re: [c-nsp] VPN L2L connecting to SSL VPN user?

> I think that was the one I was asking about; unfortunately I already have it, so it must be my config. Thanks.
>
> Scott

Check out the Identity NAT configurable proxy ARP and route lookup section of Table 7 here. It may be the cause of your issue:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

-ryan
Re: [c-nsp] Profiling with ASA?
On Mon, Nov 21, 2011 at 14:00:47, Scott Voll wrote:
Subject: Re: [c-nsp] Profiling with ASA?

> Ryan--
>
> Thanks for the direction. I have setup CSD and DAP's but I'm wondering if there is some way to move from there to Group Policy? Where I'm going with all of this, is I have a Large telecommuting base and some use corporate laptops (that we want to use Scan Safe / Anyconnect 3.0) and home PC's that we don't want to use Scan Safe on.
>
> Any ideas?
>
> TIA
>
> Scott

Hey Scott,

I was out of town for a bit, have you checked out the SBA deployment guides? They have one for ScanSafe that should meet your needs. Basically, you're going to take the aggregate decision from CSD and DAP to make a mapping to a group-policy. That group-policy will have the ScanSafe settings and module download. If they don't map properly, you can dump them into a more restrictive group using the default-group-policy setting under the tunnel-group.

Here is the SBA:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/August2011/SBA_Ent_BN_SecureRemoteMobileAccessDeploymentGuide.pdf

Thanks,

-ryan
Re: [c-nsp] Can ASA support 2 WAN connections?
It can support failover. Look up ISP failover for an example. You can statically route other networks out the backup interface, but if you're looking for PBR, it's not on the ASA.

Sent from handheld

On Nov 23, 2011, at 8:55 PM, Deric Kwok deric.kwok2...@gmail.com wrote:

> Hi
>
> Can ASA support 2 WAN connections and do load sharing?
>
> Thank you
Re: [c-nsp] Profiling with ASA?
Scott,

On Thu, Nov 17, 2011 at 12:06:55, Scott Voll wrote:
Subject: [c-nsp] Profiling with ASA?

> Has anyone done any Profiling of Devices connecting to ASA for anyconnect VPN service? I'm looking at how the ASA can Profile a user device, example: user Joe connects with Corporate Laptop, use profile Corp. User Joe turns around and connects via his home PC, use profile Home. I'm not sure where to look for the documentation, because I don't know what Cisco would call it. Any info or links would be Highly appreciated.

If you already have premium anyconnect licensing, you could leverage host scan with CSD to pull a file or registry key to determine if the laptop is a corporate entity or not. If you need a more robust solution, Cisco is pushing ISE pretty hard these days and you could use an iPEP device after your ASA to enforce policy.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1033842
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html

-ryan
Re: [c-nsp] Cisco AnyConnect VPN Client
ASA 8.4 added support for IKEv2, which you'll need to run IPSec using the AnyConnect Secure Mobility Client. IKEv1, ASA 8.3 and before, is not supported with the AnyConnect client.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao
Sent: Thursday, November 03, 2011 12:24 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco AnyConnect VPN Client

I haven't found how to configure IPSec with Cisco AnyConnect VPN Client. Is it possible?
Re: [c-nsp] Cisco ASA - Configuring Accounting for Network Access
On Mon, Oct 31, 2011 at 13:38:21, Antonio Soares wrote:
Subject: Re: [c-nsp] Cisco ASA - Configuring Accounting for Network Access

> Thanks Ryan.
>
> I was reading about that feature and I don't see how the session information is sent:
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
>
> Do you have experience with this feature ?

I haven't implemented it yet, but it's supposed to take a syslog message like this:

Oct 31 2011 13:40:25: %ASA-5-304001: 192.168.x.x Accessed URL 96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js

And translate it to:

Oct 31 2011 13:40:25: %ASA-5-304001: (rwest) Accessed URL 96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js

Similar to what you see with your RA VPN users. I'll be testing 8.4.2 again shortly and let you know what my results are.

-ryan
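An added example, not from the thread and not Cisco's code: a defender-side model of the rewrite Ryan describes, enriching %ASA-5-304001 URL-access messages with a username where the source IP is known, the way the identity-firewall output above shows it. The IP-to-user table and the log lines are constructed; on the ASA itself the mapping comes from the AD agent, which this example does not implement, and it keeps unmapped hosts as bare IPs rather than dropping them.

```python
"""Identity enrichment of ASA 304001 syslog lines (added example, not Cisco's code).

Assumptions: IP_TO_USER is a constructed stand-in for the identity mapping
the firewall learns from the AD agent; SAMPLE_LOGS are constructed lines.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: identity mapping as the firewall would hold it.
IP_TO_USER: Dict[str, str] = {"192.168.1.10": "rwest"}

# Constructed sample log lines. The first mirrors the 304001 message in the
# thread (with a constructed host in place of 192.168.x.x); the second comes
# from an unmapped host; the third is an unrelated message id that must be
# left alone.
SAMPLE_LOGS: List[str] = [
    "Oct 31 2011 13:40:25: %ASA-5-304001: 192.168.1.10 Accessed URL "
    "96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js",
    "Oct 31 2011 13:40:26: %ASA-5-304001: 192.168.1.77 Accessed URL "
    "96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js",
    "Oct 31 2011 13:40:27: %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to "
    "inside:192.168.1.10/51000 (192.168.1.10/51000)",
]

# Timestamp is matched lazily so the colons inside 13:40:25 do not confuse it.
LOG_304001_RE = re.compile(
    r"^(?P<ts>.+?): %ASA-5-304001: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) Accessed URL (?P<url>\S+)$"
)


def parse_304001(line: str) -> Optional[Dict[str, str]]:
    """Return the timestamp, source IP and URL of a 304001 line, else None."""
    match = LOG_304001_RE.match(line)
    return match.groupdict() if match else None


def enrich(line: str, ip_to_user: Dict[str, str]) -> str:
    """Rewrite the source IP as '(user)' when the IP is mapped; otherwise
    return the line unchanged, so unknown hosts are still visible by IP."""
    fields = parse_304001(line)
    if fields is None or fields["src"] not in ip_to_user:
        return line
    return "%s: %%ASA-5-304001: (%s) Accessed URL %s" % (
        fields["ts"], ip_to_user[fields["src"]], fields["url"])


def urls_by_principal(lines: List[str],
                      ip_to_user: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accessed URLs by user where known, by source IP otherwise."""
    report: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        fields = parse_304001(line)
        if fields is None:
            continue
        principal = ip_to_user.get(fields["src"], fields["src"])
        report[principal].append(fields["url"])
    return dict(report)


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(enrich(entry, IP_TO_USER))
```

The same parse-then-rewrite shape is what a collector would do when it receives the un-enriched form of the message and has its own IP-to-user source; leaving unmatched lines untouched keeps the rest of the feed intact.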
Re: [c-nsp] HP VM ESX fcoe issues with Nexus 5020
On Tue, Oct 25, 2011 at 08:45:25, Nyman, Eric wrote:
Subject: [c-nsp] HP VM ESX fcoe issues with Nexus 5020

> All,
>
> I'm having an issue with my ESX servers that are connected to our Nexus 5020's using FCOE to connect to our storage MDS9500's. Basically, if for any reason connectivity (either FCOE or Ethernet) is disrupted to the 5K's, the ESX servers will not recover and will require a reboot to reconnect to the storage. Cisco TAC have been looking into it for some time now but they have not been able to provide any information. Cisco's recommendations were to try the 5K's in either NPV or NPIV mode but we get the same result.
>
> In another scenario, we also had a Cisco UCS chassis that would not connect to the storage unless a shut/no shut was initiated on the switch port. That seems to be resolved with a driver update but only on the 5K switch that is NOT NPV enabled.
>
> Anyone ever had any experiences with ESX servers connecting to storage on the 5K's?

I had many issues in the beginning with FCoE coming online as an access port with Emulex cards. Trunking resolved that issue. As far as recovery goes, I was having problems with the 5010 rebooting on an earlier 5.0(2) code and corrupting portions of my voice lab. That's been resolved with 5.0(3)N1(1b), which has been running a little over a month with no incident. During the reload, the hosts were obviously disconnected from storage, but would reconnect when the fabric came back online.

These are the versions I've tested:

C210 M[12] - QLogic QLE8152 10 Gbps 2 port CNA
5010 w/ N5K-M1008 8x1/2/4G FC Module
Hitachi AMS2100 directly attached to N5k-M1008
CIMC/BIOS version from 1.3 to 1.4(1a) currently
ESXi 4.1 Initial release to 5.0

Haven't tested with NPV or NPIV though.

Thanks,

-ryan
Re: [c-nsp] Change hostname on ASA
If you're using a public cert for ssl VPN, it shouldn't affect anything. I think I remember changing a hostname recently and having it not regenerate the general use RSA key as well.

Sent from handheld

On Oct 22, 2011, at 11:53 AM, Scott Voll svoll.v...@gmail.com wrote:

> Will Changing the Hostname on an ASA break anything? I'm using the ASA for SSL VPN termination, IPSEC L2L tunnels, and Firewalling. I understand that my Cert will need to be updated but will it break the stuff.
>
> TIA
>
> Scott
Re: [c-nsp] 2800 series IOS versions.
On Tue, Oct 04, 2011 at 19:00:37, Keith wrote:
Subject: [c-nsp] 2800 series IOS versions.

> Have a 2811 and a 2801.
>
> The 2801 runs this: c2801-ipbase-mz.124-1c.bin
> The 2811 runs: c2800nm-ipbase-mz.123-8.T5.bin
>
> What does the nm part of the version mean on the 2811?

Network module. And that's just the naming convention of the 2801 vs the rest of the 2800 line.

-ryan
Re: [c-nsp] ASA VPN groups... pointer/howto/cookbook?
On Wed, Sep 28, 2011 at 14:05:51, Jeff Kell wrote:
Subject: [c-nsp] ASA VPN groups... pointer/howto/cookbook?

> I have been running standard VPN client profiles for VPN access for quite a few years, on PIX and now on ASA. I'm working on our next generation prototype now, and the number of VPN groups is growing a bit out of hand.
>
> Up to this point we have been distributing groups/roles by providing a suitable .pcf connection profile with the VPN client to each user. The .pcf contains the group name and preshared key (yes, admittedly not that secure). The current scheme is working fine, just getting a bit out of hand with the growing number of groups and necessity of distributing the .pcf files.
>
> It would be nicer if the client simply connected to the VPN server, authenticated (we are using TACACS+, but I also have a working Active Directory profile for a more general-purpose group), and had the appropriate group supplied by TACACS+ (or AD).
>
> It would be even nicer still if the client could connect either split-tunnel (from home or a secure location) or full-tunnel (to encrypt everything, if on a hotspot or WiFi for example). Currently this is done with two .pcf files (and two corresponding groups on the ASA).
>
> There are a dizzying number of possibilities and methods outlined in the documentation, but I was hoping for a more direct approach to accomplishing this goal.
>
> Pointers? References? Suggestions? (I would RTFM if it weren't so F'ing huge :) )

I'm not sure what licensing model you currently have for AnyConnect, but with some premium licenses you could run CSD combined with DAP to apply policies for company owned vs. public computers. DAP can also leverage LDAP attributes from AD to provide different levels of access based on AD group or department membership. The main negative point with DAP is being locked into ASDM to make future changes.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1169923

-ryan
Re: [c-nsp] ASA 8.3/8.4 management issues...
Jeff,

On Tue, Jul 26, 2011 at 10:44:19, Jeff Kell wrote:
Subject: [c-nsp] ASA 8.3/8.4 management issues...

> I have some remote sites running off of ASA 5505s, and an existing VPN cluster running 8.4(2). For consistency's sake, I was trying to update the 5505s to 8.4(2) -- had one on 7.2 and one on 8.1.

I've rolled everything back to 8.4.1 interim. I have an open bug for 8.4(2) relating to remote access VPN tunnels traversing other tunnels (same-security intra-interface). I would switch back to 8.4.1 and see if your problem follows. If you're interested in the bugID, I'll let you know once one is generated.

-ryan
Re: [c-nsp] Graph cisco 4948 SVI
On Fri, Jul 08, 2011 at 11:33:34, Nick Ryce wrote:
> Subject: [c-nsp] Graph cisco 4948 SVI
>
> Hi, does anyone know if the 4948 has the ability to graph traffic transiting the SVI of a vlan? I know the 3550/3560's are unable to do this?
>
> Nick

It's based on the 4500, so it should work fine.

-ryan
Re: [c-nsp] ASA VPN, enabling Windows L2TP?
Are you trying to authenticate protocol nt? You could add LDAP authorization with an attribute map for group to local policy matching. If you want more details on that config, let me know. Then again, maybe I missed the question.

Sent from handheld

On Jul 8, 2011, at 5:27 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
> Yes, another PIX migration question ('tis the season...). Our legacy VPN has several groups / profiles for different access types. I have been able to move these to the ASA successfully (users have VPN client, and get a matching profile .pcf for their respective access). The legacy used TACACS+ authentication, but I have some vanilla access profiles set up now using AD authentication to reduce the overhead in setting up new users with basic needs.
>
> To take this to the next level, I enabled L2TP with IPsec access on one of them and gave it a shot from Win7, taking a best guess at the L2TP setup. However, there appears to be no way to convey a group to an L2TP connection. Is there a reasonably transparent way to accomplish this from the Windows side?
>
> Jeff
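A worked configuration for what Ryan suggests here and in the "ASA VPN groups" thread above: LDAP authorization with an attribute map that turns AD group membership into a group-policy, so one tunnel-group serves both the split-tunnel and the full-tunnel population without per-group .pcf files. This is an added example, not from the list or from Cisco's guide; the AD host, DNs, policy/pool/ACL names and addresses are assumptions, and the syntax is the 8.2/8.3 form (8.4 renames the vpn-tunnel-protocol keywords). The default group-policy on both tunnel-groups allows zero logins, so a user whose memberOf matches nothing is refused rather than silently landing in a catch-all policy. Native Windows L2TP/IPsec clients cannot name a tunnel-group and always land in DefaultRAGroup, so the same attribute map is what selects their policy; make sure the PPP authentication method the Windows client is set to is one the server you chose actually accepts, or the connection fails at the PPP stage even though IPsec came up.

```cisco
! --- AD over LDAPS, with an attribute map that maps memberOf to a group-policy ---
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Full,OU=Groups,DC=example,DC=com"  GP-FULL-TUNNEL
 map-value memberOf "CN=VPN-Split,OU=Groups,DC=example,DC=com" GP-SPLIT-TUNNEL
!
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! --- Fail closed: the default policy permits no sessions at all ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! --- Split tunnel (home / trusted network): only these nets go through the VPN ---
access-list SPLIT-NETS standard permit 10.0.0.0 255.0.0.0
group-policy GP-SPLIT-TUNNEL internal
group-policy GP-SPLIT-TUNNEL attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-NETS
!
! --- Full tunnel (hotspot / untrusted network): everything goes through the VPN ---
group-policy GP-FULL-TUNNEL internal
group-policy GP-FULL-TUNNEL attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelall
!
ip local pool RA-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! --- IPsec / AnyConnect clients: one tunnel-group, the policy comes from AD ---
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group AD
 default-group-policy GP-NOACCESS
!
! --- Native Windows L2TP/IPsec clients cannot pick a group and land here ---
tunnel-group DefaultRAGroup general-attributes
 address-pool RA-POOL
 authentication-server-group AD
 default-group-policy GP-NOACCESS
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <l2tp-psk>
!
! --- Verify the mapping before rolling it out ---
!   test aaa-server authentication AD host 10.0.0.10 username jdoe password <pw>
!   debug ldap 255   (shows the memberOf values returned and the mapped Group-Policy)
```

The ordering matters: the ASA applies the LDAP-mapped Group-Policy on top of the tunnel-group's default-group-policy, so the deny-all default only ever applies to users the map does not recognise. Anyone who needs both profiles (split at home, full on a hotspot) would get two AD accounts or two AD groups tied to two tunnel-groups; the map cannot hand one user two policies.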
Re: [c-nsp] MultiChassis LACP
Yes, it works on the 3750.

Sent from handheld

On Jul 5, 2011, at 8:53 PM, Timothy Riendeau <triend...@grid4.com> wrote:
> Have you actually done it with the 3750? I cannot find anything on cco about 3750 mlacp.
>
> --Tim Riendeau
>
> On 7/5/11 4:55 PM, Nick Hilliard <n...@foobar.org> wrote:
>> On 05/07/2011 19:27, Timothy Riendeau wrote:
>>> Anyone know where to find a list of switches that support MLACP, particularly metro ethernet switches?
>>
>> Catalyst 3750
>> Catalyst 6500 with VSS supervisor
>> Nexus 7000
>>
>> Nick
Re: [c-nsp] ASA 8.3 full-tunnel VPN paradox...
On Wed, Jun 29, 2011 at 16:30:13, Jeff Kell wrote:
> Subject: [c-nsp] ASA 8.3 full-tunnel VPN paradox...
>
> I'm working on replacing an old PIX VPN setup with a new ASA, and having a bear of a time with a full tunnel setup. The PIX (old 6.x software) has setups for both split-tunnel and full-tunnel profiles. It is *not* the outbound gateway for internet-destined traffic. Our internet traffic goes from the border to a pair of active/active ASAs along with our perimeter protection, IPS, and other assorted goodies, so that is the desired path for the full-tunnel traffic. Since the active/active pair can't do VPN, another ASA is serving that purpose (inside the other ASAs), also connected to our core.
>
> On the PIX, there is a default route on both the outside and inside interfaces thusly:
>
> utc-pix# sho route | i 0.0.0.0
> outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1 OTHER static
> inside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 10 OTHER static
>
> Anything connecting to the VPN (or otherwise hitting the outside interface) follows the outside route. Any VPN-originated traffic on the full tunnel follows the inside route.
>
> The ASA is not behaving this way... it wants to always follow the outside route for the VPN-originated full-tunnel traffic if I include both routes (with unequal weights, as it doesn't allow them to be the same). If I define an explicit outside route to where I VPN from, and remove the default outside route, it works perfectly.
>
> Is there something obvious I'm missing here to make it behave like the PIX does?

Try the keyword 'tunneled' at the end of the route statement.

-ryan
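The route statement Ryan is pointing at, written against Jeff's two PIX routes above; this is an added example, not from the thread or from Cisco's documentation, and the gateway placeholders and the group-policy name are assumptions.

```cisco
! Ordinary default route: the ASA's own traffic and anything that is NOT the
! cleartext side of a VPN tunnel (the encrypted packets from the clients included)
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1
!
! Tunneled default route: consulted only for traffic that has just been decrypted
! from a VPN (remote-access and LAN-to-LAN alike) and matches no more specific
! route. The ASA sets the metric of a tunneled route to 255 itself, so it no
! longer collides with the normal default and you do not juggle metrics by hand.
route inside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 tunneled
!
! The full-tunnel profile is what makes the client send everything here:
group-policy FULL-TUNNEL attributes
 split-tunnel-policy tunnelall
!
! Check that both defaults are installed and which one is flagged tunneled:
show route | include 0.0.0.0
```

Two caveats: an ASA accepts only one tunneled default route, and it applies to all decrypted VPN traffic, so LAN-to-LAN tunnels terminating on the same box also get sent to aaa.bbb.ccc.20 unless a more specific route covers their destinations. On 8.3 code the pool-to-anywhere traffic must also not be translated on the way to the inside ASAs that do the real NAT, so check the identity/exemption rule for the client pool with packet-tracer before assuming the route is the problem.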
Re: [c-nsp] Newb Question about site to site vpn....
On Thu, Jun 16, 2011 at 10:45:56, Scott Voll wrote:
> Subject: [c-nsp] Newb Question about site to site vpn
>
> I have set up a couple of 881's to do a dynamic site to site VPN tunnel back to my ASA at the head end. All traffic ends up stopping even though the tunnel is still up. If I start some traffic from the 881 then the traffic starts working from the head end (ASA side). What have I missed to get traffic on the ASA side to start passing without starting it on the far side (881)?

On the ASA you can try 'logging class vpn monitor debugging' and run term mon. The receiver usually has better information, so the 881 should debug as well. Can you post some of those debugs?

Thanks,
-ryan
Re: [c-nsp] Vwic-1mft-g703 on cisco1841
On Tue, May 31, 2011 at 10:38:21, ccie wrote:
> Subject: [c-nsp] Vwic-1mft-g703 on cisco1841
>
> Are there any requirements for the vwic-1mft-g703 on an 1841? The router sees it in show inventory, but once I go to the configuration I can't configure anything like:
>
> isdn switch-type ?     ! not available
> controller e1 0/0/0    ! also not available
>
> Any hints on that??

Check on 'card type'.

-ryan
Re: [c-nsp] VPN for Android
On Tue, May 31, 2011 at 06:47:46, Justin M. Streiner wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] VPN for Android
>
> On Tue, 31 May 2011, Soon Lee wrote:
>> Has anyone succeeded in connecting a VPN for Android to an ASA or router? I tried it with ASA L2TP but I couldn't. Please let me know. Thanks.
>
> I've heard of people doing things to get a working IPSEC session, like rooting their phones and compiling vpnc themselves.

If you can stomach the new NAT, 8.4 has support for Android using L2TP/IPsec:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.pdf

-ryan
Re: [c-nsp] VPN for Android
On Tue, May 31, 2011 at 11:04:12, Mohlmaster, Jarod wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] VPN for Android
>
> ASA 8.2(5) and 8.4(1) add L2TP/IPsec support and SHA2 cert support for the native Android VPN client.

Release notes also claim AnyConnect for Android version 2.4, but I haven't downloaded or tested that.

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Soon Lee
Sent: Tuesday, May 31, 2011 10:51 AM
To: Justin M. Streiner
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPN for Android

> Do I have to do rooting? Is there no other option?
>
> On May 31, 2011, at 11:42 PM, Justin M. Streiner <strei...@cluebyfour.org> wrote:
>> On Tue, 31 May 2011, Soon Lee wrote:
Re: [c-nsp] using RANCID in a CCIE lab
On Sun, May 29, 2011 at 13:10:57, Keegan Holley wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] using RANCID in a CCIE lab
>
> rancid is a good tool. It's also based on expect and perl, so it's easy to modify the scripts to do other things. I installed this in a few other labs (non-certification); the biggest problem I ran into was everyone's tendency to blow away the routes, interface IPs and account info that allows RANCID to do its work. Beyond that it's a great tool. Be careful where you run it. It's a pain to install on certain linux distros. It can be modified pretty easily to allow backup and configuration pushes via a terminal server. Look for user_chat to see the modifications to clogin that allow it.

RANCID is great IMO; with all the expect and credential information in place, it's easily adaptable to cron jobs and scripts. I'm far from a programmer, but I was able to set up an automated block list for the ASA based off the emerging threats IP list using RANCID to push the changes.

-ryan
Re: [c-nsp] using RANCID in a CCIE lab
On Sun, May 29, 2011 at 14:28:34, Keegan Holley wrote:
> Subject: Re: [c-nsp] using RANCID in a CCIE lab
>
> What platform did you install it on? RANCID was pretty easy to install, but I could never get the cvs viewer they recommended working. I had to switch back to CVS web.

I've had no issues installing it on Debian boxes, but we've been using websvn. What was the recommended CVS viewer? Viewvc?

-ryan
Re: [c-nsp] Remote LAN (IPsec) to Client (anyconnect) w/ ASA
On Wed, Apr 27, 2011 at 11:03:19, Scott Voll wrote:
> Subject: [c-nsp] Remote LAN (IPsec) to Client (anyconnect) w/ ASA
>
> I have an ASA 5510 that I use as both the head end for AnyConnect clients and the hub for hub-and-spoke IPsec LAN-to-LAN tunnels. Besides the no NAT, the ACL for interesting traffic, and the same-security-traffic permit intra-interface command, is there anything else that needs to be done in order to have the AnyConnect client access the remote IPsec LAN?

Without seeing what the interesting traffic ACLs are (private vs public addressing), that should cover it. By default there isn't an outside NAT on a typical firewall deployment, so you shouldn't need to include the AnyConnect pool as part of your no nat.

-ryan
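The three pieces Scott lists, plus the two that are easy to forget (the client pool in the crypto ACL on both ends, and the spoke LAN in the client's split-tunnel list), written out as an added example; it is not from the thread. It assumes 8.2-style NAT on the hub (8.3 and later would use an identity twice-NAT rule instead), a hub LAN of 10.1.0.0/16, a spoke ASA with LAN 10.2.0.0/24 at 203.0.113.20, and a client pool of 10.99.0.0/24; all names and addresses are made up.

```cisco
! ===== Hub ASA 5510 (AnyConnect head end + L2L hub) =====
! Decrypted client traffic enters on 'outside' and leaves on 'outside' again
same-security-traffic permit intra-interface
ip local pool AC-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! Interesting traffic toward the spoke: the client pool is a LOCAL network here
access-list L2L-SPOKE1 extended permit ip 10.1.0.0 255.255.0.0    10.2.0.0 255.255.255.0
access-list L2L-SPOKE1 extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-SPOKE1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.20
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
!
! NAT exemption for the hub LAN toward both the spoke and the clients.
! The hairpinned client traffic never touches 'inside', so it only needs an
! exemption if you actually have 'nat (outside) ...' rules (Ryan's point above).
access-list INSIDE-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list INSIDE-NONAT extended permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
! access-list OUTSIDE-NONAT extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! nat (outside) 0 access-list OUTSIDE-NONAT
!
! The client only sends spoke-bound packets into the tunnel if the spoke LAN is
! in its split-tunnel list (irrelevant for a tunnelall policy)
access-list AC-SPLIT standard permit 10.1.0.0 255.255.0.0
access-list AC-SPLIT standard permit 10.2.0.0 255.255.255.0
group-policy AC-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC-SPLIT
!
! ===== Spoke ASA: mirror image, the client pool is a REMOTE network here =====
access-list L2L-HUB extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2L-HUB extended permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list SPOKE-NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list SPOKE-NONAT extended permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list SPOKE-NONAT
!
! Verify from the hub once a client is up:
!   show crypto ipsec sa peer 203.0.113.20     (expect a 10.99.0.0/24 <-> 10.2.0.0/24 SA)
!   packet-tracer input outside icmp 10.99.0.5 8 0 10.2.0.10
```

If the crypto ACLs on the two ends are not exact mirrors the second phase-2 SA (pool to spoke LAN) simply never negotiates, and the symptom looks like a routing problem even though the hub-to-spoke SA is fine; the peer-scoped show command above is the quickest way to tell the two apart.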
Re: [c-nsp] asa 8.4 + etherchannel + nexus7k
On Tue, Apr 05, 2011 at 14:27:18, Federico Cossu wrote:
> Subject: [c-nsp] asa 8.4 + etherchannel + nexus7k
>
> hi all, i can't find any useful information about connecting ASA 8.4 etherchannels to 2 different nexus7K, where the 2 nexus devices are aggregating channels with vPC. the idea is to trunk inside, outside and failover vlan to ASA and let it manage routing between them.

8.4 supports LACP, so you should be fine to configure in this manner. Might want to consider a direct cable for the failover though.

> no L3 dynamic routing between asa --- nexus, my concern is that the nexus are also the L2/L3 boundary for the servers vlan, server have their default gateway on the nexus (hsrp). configuration guide cites only vss, not vpc unfortunately.
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
>
> thank you all for any shared information or experience. bye

-ryan
Re: [c-nsp] Perl Script for Nexus Switch
Have you tried RANCID?

Sent from handheld

On Mar 29, 2011, at 5:01 AM, Vineeth <vineeth.mo...@sifycorp.com> wrote:
> Hi,
> Does anyone have a custom-made Perl script to take the sh run of a Cisco Nexus switch? I have tried the Perl script which runs for my Cisco IOS switch, but it was not working for me. My scripting knowledge is very minimal.
>
> --
> Regards
> Vineeth
Re: [c-nsp] Power Consumption OID
The following MIB should work for the 7606, but since the 3750 is fixed, I'm not sure you'll be able to extract the information via SNMP.

snmpwalk 4510E 1.3.6.1.4.1.9.9.117.1.1.1
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerRedundancyMode.15 = INTEGER: redundant(2)
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerUnits.15 = STRING: centiAmpsAt12V
CISCO-ENTITY-FRU-CONTROL-MIB::cefcTotalAvailableCurrent.15 = INTEGER: 18333
CISCO-ENTITY-FRU-CONTROL-MIB::cefcTotalDrawnCurrent.15 = INTEGER: 10766
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerRedundancyOperMode.15 = INTEGER: redundant(2)

18333 * 0.01 * 12 = 2199.66
10766 * 0.01 * 12 = 1291.92

4510E#show power
                                     Power                    Fan     Inline
Supply   Model No          Type       Status      Sensor       Status  Status
------   ----------------  ---------  ----------  -----------  ------  ------
PS1      PWR-C45-6000ACV   AC 6000W   good        good         good
PS1-1                      220V       good
PS1-2                      220V       good
PS2      PWR-C45-6000ACV   AC 6000W   good        good         good
PS2-1                      220V       good
PS2-2                      220V       good

Power supplies needed by system    : 1
Power supplies currently available : 2

Power Summary                       Maximum
(in Watts)                   Used   Available
---------------------------  -----  ---------
System Power (12V)            1292       2200

-ryan

From: Mohammad Khalil [mailto:eng_m...@hotmail.com]
Sent: Monday, March 28, 2011 4:40 AM
To: Ryan West; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Power Consumption OID

> Hi, yes, that's what I am looking for, but the OIDs do not exist for my devices such as the 7606S and ME3750.
>
> From: rw...@zyedge.com
> To: eng_m...@hotmail.com; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] Power Consumption OID
> Date: Sun, 27 Mar 2011 17:34:24 +0000
>
>> Is this what you're looking for:
>> ftp://ftp.cisco.com/pub/mibs/v2/POWER-ETHERNET-MIB.my
>>
>> 3560:
>> snmpwalk test1-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
>> POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 370 Watts
>> snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 189 Watts
>>
>> 4510E:
>> snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
>> POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 1550 Watts
>> POWER-ETHERNET-MIB::pethMainPsePower.2 = Gauge32: 1550 Watts
>> POWER-ETHERNET-MIB::pethMainPsePower.3 = Gauge32: 800 Watts
>> POWER-ETHERNET-MIB::pethMainPsePower.4 = Gauge32: 800 Watts
>> POWER-ETHERNET-MIB::pethMainPsePower.7 = Gauge32: 800 Watts
>> POWER-ETHERNET-MIB::pethMainPsePower.8 = Gauge32: 800 Watts
>> snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 6 Watts
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.2 = Gauge32: 11 Watts
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.3 = Gauge32: 0 Watts
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.4 = Gauge32: 0 Watts
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.7 = Gauge32: 30 Watts
>> POWER-ETHERNET-MIB::pethMainPseConsumptionPower.8 = Gauge32: 3 Watts
>>
>> -ryan
>>
>> -----Original Message-----
>> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
>> Sent: Sunday, March 27, 2011 10:45 AM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] Power Consumption OID
>>
>>> I am trying to find an OID for power consumption. Is there a way to extract this information?
>>>
>>> Thanks
Re: [c-nsp] Power Consumption OID
Is this what you're looking for:

ftp://ftp.cisco.com/pub/mibs/v2/POWER-ETHERNET-MIB.my

3560:
snmpwalk test1-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 370 Watts
snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 189 Watts

4510E:
snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 1550 Watts
POWER-ETHERNET-MIB::pethMainPsePower.2 = Gauge32: 1550 Watts
POWER-ETHERNET-MIB::pethMainPsePower.3 = Gauge32: 800 Watts
POWER-ETHERNET-MIB::pethMainPsePower.4 = Gauge32: 800 Watts
POWER-ETHERNET-MIB::pethMainPsePower.7 = Gauge32: 800 Watts
POWER-ETHERNET-MIB::pethMainPsePower.8 = Gauge32: 800 Watts
snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 6 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.2 = Gauge32: 11 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.3 = Gauge32: 0 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.4 = Gauge32: 0 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.7 = Gauge32: 30 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.8 = Gauge32: 3 Watts

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Sunday, March 27, 2011 10:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Power Consumption OID

> I am trying to find an OID for power consumption. Is there a way to extract this information?
>
> Thanks
Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel
Scott,

> I have two devices, a Pix running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2. The 5520 pair is set up in an active/passive arrangement.

Which version of 7.x are you running? 7.2.4 below interim 33 was very buggy with VPNs. They stop for no reason, and removing the crypto map completely and re-applying it does not fix it. Try the following if you don't plan to upgrade soon:

Enable logging class vpn monitor debugging, clear isakmp sa on both sides. The receiver of the tunnel is going to have the most useful debugs, and if you don't have access to the devices on either side, use packet-tracer to simulate interesting traffic. Try initiating from both sides; if you still aren't getting anywhere, remove and add back the crypto map from the outside interface. Debug cry isa 255 and debug cry ipsec 255 should also help. Beyond that, a reboot will clear up the 7.2.4 bug.

-ryan
Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel
NP. While you're upgrading, check to see if you're affected and think about upgrading to asa824-4-k8.bin/asa824-1-k8.bin.

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml

-ryan

-----Original Message-----
From: Scott Granados [mailto:sc...@granados-llc.net]
Sent: Thursday, March 10, 2011 2:25 PM
To: Ryan West
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel

> Hi, thanks as always for the great response. This is more or less what I was running into. I rebooted the Pix with no luck, but when I restarted the ASA pair all began to function. I have some ASA hardware on the way to replace the Pixes; I just need to make this hold together for a few more weeks.
>
> Thanks for the pointers!
>
> On Mar 10, 2011, at 6:32 AM, Ryan West wrote:
>> Scott,
>>
>>> I have two devices, a Pix running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2. The 5520 pair is set up in an active/passive arrangement.
>>
>> Which version of 7.x are you running? 7.2.4 below interim 33 was very buggy with VPNs. They stop for no reason, and removing the crypto map completely and re-applying it does not fix it. Try the following if you don't plan to upgrade soon:
>>
>> Enable logging class vpn monitor debugging, clear isakmp sa on both sides. The receiver of the tunnel is going to have the most useful debugs, and if you don't have access to the devices on either side, use packet-tracer to simulate interesting traffic. Try initiating from both sides; if you still aren't getting anywhere, remove and add back the crypto map from the outside interface. Debug cry isa 255 and debug cry ipsec 255 should also help. Beyond that, a reboot will clear up the 7.2.4 bug.
>>
>> -ryan
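The troubleshooting sequence from the quoted reply, written out as the commands I would type on the ASA side; an added example, not from the thread. The peer address, crypto map name and the inside/remote hosts are assumptions. The same steps apply to the 881-to-ASA thread earlier on this page ("Newb Question about site to site vpn"), where the same logging class and term mon are suggested.

```cisco
! 1. Send VPN-class syslogs at debug level to this terminal session
logging enable
logging class vpn monitor debugging
terminal monitor
!
! 2. Tear down phase 1 and phase 2 so you watch a fresh negotiation (do it on both ends)
clear crypto isakmp sa
clear crypto ipsec sa peer 203.0.113.20
!
! 3. Restrict the debugs to the one peer, then turn on phase 1 / phase 2 debugging
!    (255 is the most verbose; 127 is usually enough to see where it stops)
debug crypto condition peer 203.0.113.20
debug crypto isakmp 255
debug crypto ipsec 255
!
! 4. No host available to generate interesting traffic? Fake it. The trace shows
!    whether the packet hits the crypto ACL and the NAT exemption before it ever
!    reaches the peer.
packet-tracer input inside tcp 10.1.0.10 1025 10.2.0.10 445 detailed
!
! 5. What got negotiated, if anything
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.20
!
! 6. Last resort from the reply: unbind and rebind the crypto map.
!    This drops EVERY tunnel on that interface, not just the broken one.
no crypto map OUTSIDE-MAP interface outside
crypto map OUTSIDE-MAP interface outside
!
! 7. Always switch the debugs off again; level-255 crypto debugs on a busy
!    box are a self-inflicted denial of service.
undebug all
```

Read the isakmp debug for the first message the peer rejects (wrong pre-shared key, mismatched policy, or a proxy-ID that the other side's crypto ACL does not mirror) rather than the last line before the retry; the ipsec debug only becomes interesting once phase 1 is MM_ACTIVE.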
Re: [c-nsp] ASA 5505 doesn't like itself
Can you post the show runs for the NAT, ACL, access-groups, and interfaces?

Sent from handheld

On Feb 17, 2011, at 6:54 PM, Michael Loether <m...@azloether.com> wrote:
> On Feb 17, 2011, at 4:04 PM, Michael Balasko wrote:
>> Not sure what version of code you are on, but two things. Pre 8.3 code with nat control enabled, you need Fixup protocol icmp and you probably need a global statement to match the nat statement. Your nat looks more like a static statement so I'm not sure if that is an 8.3 thing...
>
> Running 8.3.2. Probably part of the problem; I still am not used to the NAT changes.
>
>> Note icmp is NOT IP and thus is unaffected by ip any any
>
> Good point, not sure why I missed it. I have added any any icmp to both the ingress and egress acls and no change. Also pings from the inside interface will not cross the outside interface either. Which leads me to think it's a nat issue, but I am all out of ideas.
>
> Mike
Re: [c-nsp] ASA
Deric,

Check out this link.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Deric Kwok
Sent: Monday, February 14, 2011 2:34 PM
To: Cisco Network Service Providers
Subject: [c-nsp] ASA

> Hi
>
> How can I easily do the following?
> 1/ disable httpd access from inside/management ip?
> 2/ allow ssh from outside int
> 3/ only allow dedicated access to https from outside interface
>
> Thank you so much
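The three items Deric lists, as I would configure them on 8.2; an added example, not taken from the linked guide. It assumes the dedicated admin host is 203.0.113.5, that the existing inside statement to remove is `http 192.168.1.0 255.255.255.0 inside` (use `show run http` to find yours), and a local admin account; swap LOCAL for a TACACS+/RADIUS server group if you have one.

```cisco
! Item 1: stop ASDM/HTTPS access from the inside and management networks.
! The 'http' statements are the access list for the ASDM listener, so removing
! the inside entries is the whole fix; 'show run http' lists what is there now.
no http 192.168.1.0 255.255.255.0 inside
!
! Item 3: HTTPS (ASDM) only from the one dedicated admin host on the outside.
! Deliberately no 0.0.0.0 0.0.0.0 entry on any interface.
http server enable 443
http 203.0.113.5 255.255.255.255 outside
!
! Item 2: SSH from the outside, again only from that host, version 2 only.
crypto key generate rsa modulus 2048
ssh 203.0.113.5 255.255.255.255 outside
ssh version 2
ssh timeout 10
!
! Without these, SSH and ASDM fall back to the built-in 'pix' user and the
! shared telnet/enable passwords; tie every management login to a real account.
username netadmin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! Verify: only the admin host should be listed for outside, nothing for inside.
show run http
show run ssh
```

The admin host is the weak point once management is reachable from the outside: if it is a jump box, give it its own address rather than a whole subnet, and keep the outside `ssh`/`http` entries as /32s so an exposure elsewhere in that network does not become an exposure of the firewall.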
Re: [c-nsp] Nexus 5548P - 1 Gbps support
Vijay,

I just checked through a partner slide and came up with the same information about a future release. The 5010 shipped with the first 8 capable and the 5020 enabled with the first 16. All 48 are supposed to be gigabit capable (when the upgrade is available). I would test it out.

-ryan

From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] on behalf of Ramcharan, Vijay A [vijay.ramcha...@verizonbusiness.com]
Sent: Tuesday, February 08, 2011 2:36 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 5548P - 1 Gbps support

> This may be a dumb question, but the best I could find was that 1 Gbps software support will be added in a future release. Can the Nexus 5548P switch make use of 1 Gbps copper and fiber modules, or is it all 10 Gbps at this time?
>
> Thanks.
> Vijay Ramcharan
Re: [c-nsp] VRF aware syslog and snmps on IOS and IOS-XR
> On 2/2/11 7:15 AM, Jason Lixfeld wrote:
>> Sorry for the noise. Further testing suggests that I should also ask about vrf aware tacacs+ authentication.
>
> Hi Jason, afair SNMP is VRF-aware, haven't heard of exception with traps; tacacs+ and syslog are not yet.

TACACS+ is VRF-aware, at least in the ISR line.

aaa group server tacacs+ ACS
 server x.x.x.x
 server x.x.x.x
 ip vrf forwarding cust1
!

-ryan
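Ryan's group above, filled out with the two things that usually bite when the servers live in a VRF: the source interface (it must be the address the TACACS+ server has the router registered under, and it must itself be in the VRF) and a local fallback so a broken VRF does not lock you out. This is an added example, not from the thread; the addresses, VRF name and loopback are assumptions, and the keys are kept per server with server-private instead of a global tacacs-server host so nothing in the global table is needed.

```cisco
aaa new-model
!
! Loopback in the customer VRF; this is the address ACS sees as the client
interface Loopback1
 ip vrf forwarding cust1
 ip address 10.10.255.1 255.255.255.255
!
! Servers reachable only inside the VRF, keys bound to the entries
aaa group server tacacs+ ACS
 server-private 10.10.10.5 key 7 <encrypted-key>
 server-private 10.10.10.6 key 7 <encrypted-key>
 ip vrf forwarding cust1
 ip tacacs source-interface Loopback1
!
! AAA goes to the VRF group first and only falls back to the local
! database when no server answers (not when a server says "deny")
aaa authentication login default group ACS local
aaa authorization exec default group ACS local if-authenticated
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! The fallback account; keep it to the one you would actually use in an outage
username break-glass privilege 15 secret <local-fallback-password>
!
! Verify reachability from inside the VRF before trusting the config
!   ping vrf cust1 10.10.10.5 source Loopback1
!   test aaa group ACS <user> <password> legacy
```

The `local` keyword after `group ACS` is the important security detail: it only engages when the whole group is unreachable, so an explicit reject from the TACACS+ server is still a reject and the local account does not become a bypass.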
Re: [c-nsp] active/standy failover
On 28/01/2011 20:21, Deric Kwok wrote:
> 4/ Where is the port for the crossover cable between active and standby?

You need two ports, one to signal failover, and the other to transmit the firewall state. You can combine them onto a single cable as well.

-ryan
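The "single cable" variant from the reply, written out as an added example (not from the thread) for an active/standby pair; the interface, addresses and key are assumptions. The failover link carries the full configuration sync, every password and pre-shared key included, plus the replicated connection table, so the shared key is not optional on a cable that leaves the rack.

```cisco
! ===== Primary unit (the secondary gets the same lines with 'failover lan unit secondary') =====
failover lan unit primary
!
! One dedicated interface does both jobs: hello/config sync (lan interface)
! and connection-state replication (link). Back-to-back cable, no other traffic.
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Encrypt and authenticate the failover traffic; identical on both units
failover key <shared-secret>
!
! Optional on busy boxes: give state replication its own interface
! failover link STATELINK GigabitEthernet0/4
! failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
!
! Enable last, once both units have the link configured
failover
!
! Verify
show failover
show failover history
```

Note the default-behaviour trap the reply does not mention: without `failover key` the ASA still forms the pair happily, and the only hint that the sync is in cleartext is a warning logged at configuration time.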