Re: [c-nsp] Cisco Commerce Estimates

2018-06-27 Thread Ryan West
Hi Jan,

It's working for me, just tested it a few minutes ago.

-ryan

-Original Message-
From: cisco-nsp  On Behalf Of Jan Gregor
Sent: Wednesday, June 27, 2018 2:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Commerce Estimates

Hi guys,

Is it just me, or did Cisco gut about 90% of the functionality of Cisco 
Commerce Estimates? No way to expand added values, no way to export XLS. It 
allows PDF export, but I get "The file is damaged and cannot be opened." from 
both Acrobat Reader and evince.

Anyone else seeing this?

Jan

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] script

2016-09-21 Thread Ryan West

Hi,

> On Sep 21, 2016, at 7:11 AM, Lijalem Fetene  wrote:
> 
> Dears,
> I want to login to hundreds of routers  simultaneously  in  either telnet
> /ssh and execute some command to each device and return the output. Is
> there anyone to help me please ?
> 
> 

Rancid/clogin or trigger come to mind. 


Re: [c-nsp] ASA 5500 SSL VPN Auth

2014-12-17 Thread Ryan West
On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:
> Subject: [c-nsp] ASA 5500 SSL VPN Auth
> 
> Hi All,
> 
> Been searching through the archives and haven't seen this setup, wondering
> if anyone has done this and has any pointers...
> 

What pointers are you looking for?  I've done a configuration like this before 
for kiosks using a specific group-url, a cert enroll tunnel-group, and a 
certificate map to match the presented certificate against the device 
certificate on the ASA and the issuing CA.  Getting a device certificate on the 
ASA and importing the CA are pretty easy.  The bigger pain is the certificate 
map.  Here's a small example that should point you in the right direction.

crypto ca certificate map name 1
  issuer-name attr cn eq intermediate
crypto ca certificate map name 2
  issuer-name attr cn eq root
crypto ca certificate map name 3
  issuer-name attr cn eq full name

I don't recall the crypto debugs now, but you can see where it's matching.

> I'm attempting to do SSL VPN termination on a pair Cisco ASA 5500(active
> failover). To do auto-login without storing the username/password on the
> client machine I plan on deploying a PKI environment which the ASA's will
> then use for authenticating the end-points. The endpoints are required to
> have static IP's as well.

HTH

-ryan
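A fuller version of the certificate-map approach sketched above, added here as an example and not taken from the post. Trustpoint, map, tunnel-group and group-policy names, the issuer CN, the OU and the URL are placeholders; the issuing CA is assumed to be already authenticated on the ASA.

```text
! Trustpoint holding the CA that issued the kiosk certificates (placeholder
! name; the CA certificate is assumed to be authenticated under it already).
crypto ca trustpoint KIOSK-CA
 enrollment terminal

! Certificate map: match on the issuer CN and on an OU that only kiosk
! certificates carry. A certificate from another CA, or from a user cert of
! the same CA without that OU, does not match and never reaches this group.
crypto ca certificate map KIOSK-MAP 10
 issuer-name attr cn eq Example-Issuing-CA
 subject-name attr ou eq Kiosks

! Group policy limited to the AnyConnect/SSL client protocol.
group-policy KIOSK-GP internal
group-policy KIOSK-GP attributes
 vpn-tunnel-protocol ssl-client

! Tunnel-group the kiosks land in; the certificate is the only credential,
! so no username/password is stored on the client.
tunnel-group KIOSK-TG type remote-access
tunnel-group KIOSK-TG general-attributes
 default-group-policy KIOSK-GP
tunnel-group KIOSK-TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/kiosk enable

! Bind the certificate map to the tunnel-group for SSL VPN connections.
webvpn
 certificate-group-map KIOSK-MAP 10 KIOSK-TG
```

A client whose certificate fails the map is not dropped into KIOSK-TG; it falls back to whatever group the URL or default selection gives it, which is why the map should be the thing that gates access rather than the group-url alone.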



Re: [c-nsp] vs nexus5596 and port-profiles

2014-10-03 Thread Ryan West
Add show port-profile to the command table in RANCID.  Put it in the write term 
section. 

Sent from handheld. 

> On Oct 3, 2014, at 7:24 AM, Arne Larsen / Region Nordjylland a...@rn.dk
> wrote:
> 
> Hi all
> 
> Can someone give me a hint about what we should do.
> We are using port-profiles on our nexus5596 boxes but we don't get the full
> config when we backup with rancid.
> It's the same problem if we do a tftp copy of the startup-config.
> If I do show port-profile the full config syntax is displayed.
> I can see that the xterm width defaults to 184 columns.
> Has anyone seen this before and if so what have you done.
> 
> /Arne
> 




Re: [c-nsp] Cisco 6800 in V.S.S. with IA not working

2014-10-02 Thread Ryan West
I'm proposing a similar configuration.  Are your IA's dual attached?  Are your 
IA's stacked?  I can't add to your experience, but understanding your 
environment would be helpful. 

Sent from handheld. 

> On Oct 2, 2014, at 7:44 AM, R S dim0...@hotmail.com wrote:
> 
> Hi folks,
> my problem is here.
> 
> A couple of brand new 6880-x-le just configured in VSS (IOS inside 15.1(2)SY2
> and later I put SY3), continuous reporting in console rebooting or
> downloading, console not responding sometimes, one IA (C6800IA-48TD)
> working and other two no with the same configuration... a complete nightmare.
> 
> And more: two of the 4 cards (C6880-X-LE-16P10G) arrived with led of the
> interfaces completely switched-off (but ports working..)
> 
> I found only one bug for C6880 (CSCup99867) with severity: 1 Catastrophic...
> 
> Now the questions are:
> 
> 1) is it only my nightmare ?
> 2) any experience to share ?
> 3) any way to troubleshoot on IA side ?
> 
> Recommended IOS release (facing the bug report is: 15.1(2)SY3.48, but I'm
> wondering... ) ?
> any additional experience on your side ?
> 
> greetings from Utrecht
> 




[c-nsp] Autonomous AP per-client rate limiting

2014-10-02 Thread Ryan West
Anyone doing this?  If so, could you share how? 

Thanks. 

Sent from handheld. 




Re: [c-nsp] Setting CS0 on ARP traffic

2014-05-29 Thread Ryan West
First thing, that's a bad carrier. Second, they are already remarking, so why 
bother?  If your 7609 was using a routing protocol, that would be CS6 as well.  

Personally, I would go the route of terminating services with that carrier, 
sounds like you'll be getting more surprises in the future. 

Sent from handheld. 

> On May 29, 2014, at 7:27 AM, Tony td_mi...@yahoo.com wrote:
> 
> Hi all,
> 
> A new carrier that we are using requires that all traffic to them is marked
> as CS0. Any traffic that is non-CS0 is dropped on ingress by the carrier.
> We have connected the handoff from this carrier to a port on an ES20+ card in
> our 7609 (12.2.33.SRE9a).
> 
> The first test service was refusing to work and upon inspection by the
> carrier (packet capture) it was shown that the ARP traffic from our box was
> marked as CS6. I then applied a QoS policy outbound on the sub-int we had
> terminated the service on to try and set all traffic to CS0, but the ARP
> traffic was still CS6. The carrier then applied a policy inbound on their
> gear (ie. from our 7609 towards them) to set everything to CS0 and the
> service started happily working. I then put a switch between our 7609 and the
> carrier so that I could SPAN the traffic and capture it via tcpdump. The
> results look like this:
> 
> 17:04:53.446268 vlan 30, p 6, vlan 10, p 6, arp who-has 10.1.7.178 tell
> 10.1.7.177
> 
> So you can see on the outer VLAN 30, it is set to p 6 and on the inner VLAN
> 10 it is also set to p 6.
> 
> The configuration of the interface on 7609 on our side looks like this
> (fairly standard):
> 
> interface GigabitEthernet4/4.300010
>  encapsulation dot1Q 30 second-dot1q 10
>  ip vrf forwarding xyz
>  ip address 10.1.7.177 255.255.255.252
> 
> I logged a case with TAC and they responded with:
> 
> =
> We have tried this in our lab and this seem to be the default behavior.
> 
> There is a restriction on ES+ card which states that control plane packets
> generated from the switch are sent to a special TX queue and these packets do
> not match the egress QOS policies configured. Please refer the link:
> 
> http://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1540799
> 
> So this is the reason why you do not see any cos 0 packets on the other side
> even after applying a outbound service policy and see only cos 6 packets. I
> tried few other things but could not find a way around this restriction
> =
> 
> I've asked them to go back and have another look to see if there is something
> else that can be done.
> 
> I'm at a loss at this stage and appealing for any suggestions that people can
> think of, at this point in time it would appear that I have two options:
> 
> 1. Terminate the services from this carrier on a different device that
> doesn't suffer from this problem.
> 2. Run the service through a switch (ie. 3750, like it is now) so that the
> switch can set the packets to CS0.
> 
> Both of these are sub-optimal solutions, so obviously we'd like to find a way
> to set the outbound traffic from the ES20 card to CS0 so that it can work how
> we expected it to.
> 
> Any suggestions appreciated.
> 
> Thanks,
> Tony.



Re: [c-nsp] Cisco ASA 8.4.7

2013-10-09 Thread Ryan West
We were running 8.4.6 for a while, but have been having good luck so far with 
8.4.7 as well.

-ryan

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan 
Nguyen
Sent: Wednesday, October 09, 2013 3:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ASA 8.4.7

Hi folks,

With the newest advisory for the ASA:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

We are thinking of going uniform with Cisco ASA 8.4.7. Looking at the Resolved 
Caveats, lots of them got fixed:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp631223
Has anyone been running 8.4.7 with good success? I am just looking for minimal 
NAT, mostly Remote Access VPN and a few hundred site to site VPN.

Thanks.

-Luan


Re: [c-nsp] pix 6.1(3)

2013-07-11 Thread Ryan West
It's 6.3.5(145) that is the latest PIX release that will support all the 
flavors.  If you have a 515/515E, you can upgrade the memory and move to 
8.0.4(28), which is the last interim release for the PIX family in ASA code.  
If you have a 506E, it's probably time to look at a 5505-5 or 5505-50 for the 
environment.

6.1(3) is over 10 years old.  If you can't upgrade the memory, you could at 
least try the engineering special from 2008.

-ryan

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Michael 
Malitsky
Sent: Thursday, July 11, 2013 5:40 PM
To: Aaron; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Fixup is an application-layer proxy.  In other words, it checks for the 
validity of traffic in the context of the actual protocol.  In version 7 and 
newer these are called inspect.  Without it, you are left with a regular 
stateful firewall.

Michael 


From: Aaron [aar...@gvtc.com]
Sent: Thursday, July 11, 2013 3:24 PM
To: Michael Malitsky; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] pix 6.1(3)

Thanks Michael, What does http fixup do ?  how would disabling fixup fix my 
issue ?

Aaron


-Original Message-
From: Michael Malitsky [mailto:malit...@netabn.com]
Sent: Thursday, July 11, 2013 2:49 PM
To: aar...@gvtc.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Sounds eerily familiar, although I can't find any notes for v6.  The first 
releases of 7 had a similar issue, caused by the firewall dropping any packets 
with MSS > negotiated size.
However, your options are very few.  Try disabling the http fixup to confirm it 
is the inspection engine causing the problem.  In version 6, there is no way to 
tune the inspection engines, on/off is the only button, so your only option is 
to upgrade.  I suggest trying 6.5.last (I think 6.5.105), if that doesn't work 
go to 7, the highest version that supports a PIX.  In v7 you can at least 
exempt the problem traffic from inspection.  Best option - upgrade to an ASA.

Michael

--

Date: Thu, 11 Jul 2013 09:51:16 -0500
From: Aaron aar...@gvtc.com
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] pix 6.1(3)
Message-ID: 01ce7e46$186efb20$494cf160$@gvtc.com
Content-Type: text/plain;   charset=us-ascii

Anyone ever dealt with a weird issue where, when going to a certain website 
via a Cisco PIX, the TCP SYN and SYN/ACK flow fine, but the final ACK is lost 
inside the PIX?  My sniffs seem to show this.



Aaron

=




Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1

2013-05-28 Thread Ryan West
You are not fully logged into the fabric.  Did you create the necessary FCoE 
QoS policy?

Sent from handheld. 

On May 28, 2013, at 8:06 AM, Piotr piotr.1...@interia.pl wrote:

> Hi,
> 
> I'm new in nexus world, i just test some switches and i have problem:
> 
> There is one switch 5548 with version 6.0(2)N1(2a). I try to make fcoe
> connection between xenserver 6.1 (port 1/25) and linux fcoe target ( centos,
> port 1/26).
> 
> In both servers i have card: Cisco Systems Inc VIC FCoE HBA (rev a2), on
> centos (target side) all looks good but from xenserver i don't see any
> traffic. In xencenter i see the cisco card connected but when try to discover
> new storage, xencenter don't find anything.
> 
> thanks for any help or clue
> 
> regards,
> Piotr
> 
> my config:
> 
> vlan 11
>  fcoe vsan 11
> 
> vsan database
>   vsan 11
> 
> interface vfc2
>  bind interface Ethernet1/25
>  no shutdown
> 
> interface vfc26
>  bind interface Ethernet1/26
>  no shutdown
> 
> vsan database
>  vsan 11 interface vfc2
>  vsan 11 interface vfc26
> 
> interface Ethernet1/25
>  switchport mode trunk
>  spanning-tree port type edge trunk
> 
> interface Ethernet1/26
>  switchport mode trunk
>  spanning-tree port type edge trunk
> 
> outputs:
> 
> show lldp neighbors
> Capability codes:
>  (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
>  (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
> Device ID        Local Intf  Hold-time  Capability  Port ID
> 0018.8b9c.cfe6   mgmt0       120                    g21
> nexus-2          Eth1/1      120        B           Eth1/1
> nexus-2          Eth1/2      120        B           Eth1/2
> nexus-2          Eth1/3      120        B           Eth1/3
> nexus-2          Eth1/5      120        B           Eth1/5
> nexus-test2      Eth1/7      120        B           Eth1/1
> b0fa.eb72.7c06   Eth1/25     120                    b0fa.eb72.7c0a
> b0fa.eb72.7f3e   Eth1/26     120                    b0fa.eb72.7f42
> 
> show fcoe database
> 
> ---
> INTERFACE   FCID    PORT NAME                MAC ADDRESS
> ---
> vfc26       0x6a    20:00:b0:fa:eb:72:7f:41  b0:fa:eb:72:7f:41
> 
> Total number of flogi count from FCoE devices = 1.
> 
> VE Ports:
> ---
> INTERFACE   MAC ADDRESS         VSAN
> ---
> vfc1        54:7f:ee:8e:ad:0c   2
> 
> port 26, only target is ok:
> 
> show flogi database
> 
> INTERFACE   VSAN   FCID   PORT NAME                NODE NAME
> 
> vfc26       2      0x6a   20:00:b0:fa:eb:72:7f:41  10:00:b0:fa:eb:72:7f:41
> 
> but from xencenter side there is no traffic:
> 
> show interface vfc 2
> vfc2 is trunking
>     Bound interface is Ethernet1/25
>     Hardware is Ethernet
>     Port WWN is 20:01:54:7f:ee:8e:ac:7f
>     Admin port mode is F, trunk mode is on
>     snmp link state traps are enabled
>     Port mode is TF
>     Port vsan is 11
>     Trunk vsans (admin allowed and active) (1-2,11)
>     Trunk vsans (up)   ()
>     Trunk vsans (isolated) ()
>     Trunk vsans (initializing) (1-2,11)
>     1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
>     1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
>       0 frames input, 0 bytes
>         0 discards, 0 errors
>       0 frames output, 0 bytes
>         0 discards, 0 errors
>     last clearing of show interface counters Sun Feb 21 11:15:15 2010
> 
>     Interface last changed at Sun Feb 21 11:15:15 2010
> 



Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1

2013-05-28 Thread Ryan West
With 5500 it is necessary. 

Sent from handheld. 

On May 28, 2013, at 8:28 AM, Piotr piotr.1...@interia.pl wrote:

> On 2013-05-28 14:12, Ryan West wrote:
>> Did you create the necessary FCoE QoS policy?
> Is it necessary in an almost default setup? I read in the Cisco docs that it
> is optional..



Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1

2013-05-28 Thread Ryan West
interface vfc2
  bind interface Ethernet1/25
  switchport trunk allowed vsan 11
  no shutdown

-Original Message-
From: Piotr [mailto:piotr.1...@interia.pl] 
Sent: Tuesday, May 28, 2013 9:29 AM
To: Ryan West
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nexus 5500 + fcoe + citrix ven 6.1

On 2013-05-28 14:41, Ryan West wrote:
> With 5500 it is necessary.

I added it but still without success.. :(
new storage - hardware hba - probing for lun - no LUNs were found..


class-map type qos class-fcoe
class-map type queuing class-fcoe
  match qos-group 1
class-map type queuing class-all-flood
  match qos-group 2
class-map type queuing class-ip-multicast
  match qos-group 2
class-map type network-qos class-fcoe
  match qos-group 1
class-map type network-qos class-all-flood
  match qos-group 2
class-map type network-qos class-ip-multicast
  match qos-group 2
system qos
  service-policy type queuing input fcoe-default-in-policy
  service-policy type queuing output fcoe-default-out-policy
  service-policy type qos input fcoe-default-in-policy
  service-policy type network-qos fcoe-default-nq-policy
policy-map type control-plane copp-system-policy-customized
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 256000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 16000 bytes
  class copp-system-class-default
    police cir 2048 kbps bc 640 bytes







Re: [c-nsp] Cisco AnyConnect VPN Client

2013-05-02 Thread Ryan West
On Thu, Nov 03, 2011 at 19:35:18, Thomason, Simon wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco AnyConnect VPN Client
> 
> Where are you getting this information from?
> 
> As of 8.4 they redid the licensing for anyconnect and also added ikev2
> ipsec to the anyconnect suite unless I missed something.
> 

The licensing still requires anyconnect essentials or premium.  Otherwise, you 
only end up with 2 sessions.  Not sure how ikev2 is calculated in that number, 
but my guess would be that they follow the same model.  What licensing changes 
were you referring to?

-ryan



Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-12 Thread Ryan West
Not entirely sure it will work, but you can enter those commands on either FI 
by opening ssh to the shared address of UCSM and typing connect nx a or connect 
nx b to get to the CLI of either FI. 

Sent from handheld. 

On Apr 12, 2013, at 1:59 AM, Joachim Tingvold joac...@tingvold.com wrote:

> On 12. apr. 2013, at 07:53, Joachim Tingvold joac...@tingvold.com wrote:
>> Any undocumented command to get them to work?
>> service unsupported-transceiver?
> 
> Maybe throw in this one as well;
> 
> no errdisable detect cause gbic-invalid
> 
> -- 
> Joachim



Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-12 Thread Ryan West
Aaron,

On Fri, Apr 12, 2013 at 12:05:22, Aaron wrote:
> Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
> 
> Are you talking about sfp/xfp 3rd party support in NXOS?  If so, would
> this limitation apply to Cisco 5548UP as well ?  Asking since I'm
> considering buying some of those and want to know what I'm getting myself
> into.
> 

service unsupported-transceiver
Warning: When Cisco determines that a fault or defect can be traced to the use 
of third-party transceivers installed by a customer or reseller, then, at 
Cisco's discretion, Cisco may withhold support under warranty or a Cisco 
support program. In the course of providing support for a Cisco networking 
product Cisco may require that the end user install Cisco transceivers if Cisco 
determines that removing third-party parts will assist Cisco in diagnosing the 
cause of a support issue.

The OP is trying to get them working in the fabric interconnects of a UCS 
environment.  You have some access to underlying NX-OS there, but the 
configuration is controlled from the UCSM GUI/XML/CLI.  The command above works 
on Nexus 7k and 5k's.

The 5548UP works quite well for us, with the exception of a few scenarios 
involving OSPF and devices that want to respond to the physical MAC vs. the 
virtual MAC when using VPC.  Netapp management ports come to mind.  We have 
used them in small DC/core environments for Ethernet, iSCSI, FC, and FCoE.  Let 
me know if you have any specific questions about them.

Thanks,

-ryan



Re: [c-nsp] ASA Query

2013-03-20 Thread Ryan West
On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASA Query
> 
> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>> Hello
>> 
>> Three zones/interface are used on ASA
>> 
>> Internet - security level 0
>> Inside - security level 100 with ipsec configured for vpn clients
>> DMZ - security level 100
>> 
>> Traffic from Inside to Internet works fine without ACL.
>> 
>> Traffic from DMZ to Internet works when ACL is applied.
>> 
>> As per my knowledge traffic from higher security zone to lower zone
>> is allowed by default.
>> 
>> Please suggest what could be the reason here.
> 
> Which ASA platform specifically?  A 5505 w/ a base license only has
> three VLANs, one of which is restricted to passing traffic to only one
> of the two remaining VLANs.  Based on your question, I assume you are
> having difficulties passing traffic from inside to DMZ, could you post
> a sanitized configuration?
> 

Sounds like OP is missing 'same-security permit inter-interface'

-ryan



Re: [c-nsp] ASA Query

2013-03-20 Thread Ryan West
On Wed, Mar 20, 2013 at 17:49:48, Dave Brockman wrote:
> Subject: Re: [c-nsp] ASA Query
> 
> On 3/20/2013 5:34 PM, Ryan West wrote:
>> On Wed, Mar 20, 2013 at 17:08:48, Dave Brockman wrote:
>>> Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] ASA Query
>>> 
>>> On 3/20/2013 11:05 AM, Muhammad Jawwad Paracha wrote:
>>>> Hello
>>>> 
>>>> Three zones/interface are used on ASA
>>>> 
>>>> Internet - security level 0
>>>> Inside - security level 100 with ipsec configured for vpn clients
>>>> DMZ - security level 100
>>>> 
>>>> Traffic from Inside to Internet works fine without ACL.
>>>> 
>>>> Traffic from DMZ to Internet works when ACL is applied.
>>>> 
>>>> As per my knowledge traffic from higher security zone to lower
>>>> zone is allowed by default.
>>>> 
>>>> Please suggest what could be the reason here.
>>> 
>>> Which ASA platform specifically?  A 5505 w/ a base license only has
>>> three VLANs, one of which is restricted to passing traffic to only
>>> one of the two remaining VLANs.  Based on your question, I assume
>>> you are having difficulties passing traffic from inside to DMZ,
>>> could you post a sanitized configuration?
>> 
>> Sounds like OP is missing 'same-security permit inter-interface'
>> 
>> -ryan
> 
> That would not apply inside to DMZ, they are not the same security level, no?
> 

It's difficult to read, but I show 100 - inside, 0 - outside, 100 - dmz.

-ryan



Re: [c-nsp] Cisco IPSEC Client software for Windows 8 ?

2013-03-09 Thread Ryan West
Native support since anyconnect 3.0.1055 and 3.1.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ricardo Stella
Sent: Saturday, March 09, 2013 8:59 AM
To: Olivier CALVANO
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco IPSEC Client software for Windows 8 ?

I'm using AnyConnect 2.5 something.  There is a registry hack needed to get it 
to work however.


On Mar 9, 2013, at 8:13 AM, Olivier CALVANO o.calv...@gmail.com wrote:

> Hi
> 
> Does anyone know if they have a Cisco IPSec Client for Windows 8, to
> connect to my ASA?
> 
> Thanks
> Olivier


Re: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot

2013-02-21 Thread Ryan West
Scott,

On Thu, Feb 21, 2013 at 08:50:02, Scott Voll wrote:
> Subject: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
> 
> I just installed a couple SSM-20's in my ASA's.  install was a little
> less that I had hoped as the backup came online with the module and
> the Primary didn't have the module yet.  So we will just say we had a
> little down time (ever so brief).
> 
> my question now becomes, how do I reboot one of these modules without
> the ASA failing over to the backup?  I don't want to knock off all my
> VPN users.
> 

I think you need to treat it like a zero downtime upgrade.  Fail over to the 
secondary firewall, reload the module on the old primary and fail back after 
state is synced up.  You should not lose VPN authentications during a failover. 
IPsec RA, L2L, webvpn, and SVC sessions should stay intact between failovers.

-ryan



Re: [c-nsp] ASA 8.4 NAT weirdness...

2013-02-17 Thread Ryan West
On Sun, Feb 17, 2013 at 16:36:22, Jeff Kell wrote:
> Subject: [c-nsp] ASA 8.4 NAT weirdness...
> 
> OK, now have ASA up on 8.4 software, and boy is it ever weird :)
> 
> We do NAT extensively (all 1918 addressing inside).  For public-facing
> servers, primarily web servers, we made a habit of translating them
> into a public /24 network (say x.y.z.*).  The firewall attributes
> for this was to simply permit http and https for x.y.z.*/24 inbound on
> the outside interface, and the rest took care of itself.
> 
> Along comes 8.4... and it includes NAT with the network object
> definitions... and the migration effort did this:
> 
> * Put all the static NATs back into the inside object definition,
> * Generated a permit http and a permit https for EVERY SINGLE
> SERVER we had in the subnet
> 
> Our configuration increased by an order of magnitude :(  And it
> doesn't appear that explicitly adding the original permit into the
> list even works (it sits in the configuration above the generated
> individuals, but doesn't get any hits, they fall through to the generated
> mess).
> 

If you were running policy based NAT, you can reuse your original rules, but 
you'll need to use twice NAT and object groups to accomplish that.  As for the 
ACL mess, you should note that switching to 8.3+ NAT,  you need to reference 
the internal address of the server in your outside ACL.  Try switching those 
object groups around or referencing the internal address and you'll start to 
see the hits again.

-ryan
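The ACL point above, shown as an added configuration example that is not from the thread: on 8.3+ the interface ACL is evaluated after un-NAT, so the outside ACL must name the real (inside) address, and an object-group of those real addresses gets a single pair of ACEs back in place of the per-server mess. Addresses, object, group and ACL names are placeholders.

```text
! Pre-8.3 style: the outside ACL referenced the translated (public) address.
! An ACE like this carried over to 8.3+ never gets a hit, because by the time
! the ACL is checked the destination has already been un-NATed to 10.1.1.10.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www

! 8.3 and later: the static NAT lives on the network object that holds the
! real address, and the ACL matches that real address.
object network WEB-01
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network WEB-02
 host 10.1.1.11
 nat (inside,outside) static 203.0.113.11

! Group the real addresses so one ACE per service covers every web server,
! instead of one generated ACE per server per port.
object-group network WEB-SERVERS
 network-object object WEB-01
 network-object object WEB-02

access-list outside_in extended permit tcp any object-group WEB-SERVERS eq www
access-list outside_in extended permit tcp any object-group WEB-SERVERS eq https
access-group outside_in in interface outside
```

Because the ACL now names real addresses, a host that is only reachable through a public NAT entry is exposed only if it is both in the object-group and translated, which is the check to make when deciding whether the migrated per-server ACEs can be removed.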



Re: [c-nsp] Nexus 5k version 6?

2013-02-15 Thread Ryan West
Hi Scott,

On Fri, Feb 15, 2013 at 10:50:57, Scott Voll wrote:
> Subject: [c-nsp] Nexus 5k version 6?
> 
> Has anyone upgraded to 6.0 yet?
> 
> pro's? con's?  Stability?  Reason not to upgrade?
> 
> Ours is a new install, thus if I can upgrade now, I won't have to later.
> 

Do you have this FEX - Cisco Nexus 2248PQ 10-Gigabit FEX?  If not, I would 
probably steer clear of it.  5.2(1)N1 and 5.1(3)N2 have been pretty stable for 
us.  6.0 is probably just a merged code line, but it is first release.

-ryan




Re: [c-nsp] New to Nexus gear.... how does the licenses work?

2013-02-13 Thread Ryan West
Try turning on some features and the licenses should change.


feature eigrp
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature fcoe
feature npiv
feature fex

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Wednesday, February 13, 2013 1:06 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] New to Nexus gear how does the licenses work?

So we just got our new 5548UPs in the door.  Per the docs it says the licenses 
are installed from the factory.  But doing a show license usage we get all the 
pkg files saying install -- no.  license count --

What am I missing here?

TIA

Scott


Re: [c-nsp] Can ASA 5550 do BGP

2013-02-11 Thread Ryan West
On Mon, Feb 11, 2013 at 13:21:46, Peter Rathlev wrote:
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Can ASA 5550 do BGP
> 
> On Mon, 2013-02-11 at 18:58 +, pamela pomary wrote:
>> Quick one. I have just read from Cisco's support community that
>> generally ASA's dont do BGP. I want to verify if that is the case or
>> there is tweak to get it to do BGP :) . We have ASA 5550 software
>> version 8.2(3) which we possibly want to use as a border/edge router
>> with our ISP.
> 
> I'm pretty certain the ASA doesn't do any BGP. The FWSM supports BGP
> Stub Routing though it's very limited (bordering to useless).
> 
Through 9.1, no BGP support on the ASA.

-ryan




Re: [c-nsp] Fwd: 2960s-48fps-l flex stack

2013-01-14 Thread Ryan West
On Mon, Jan 14, 2013 at 18:58:18, Scott Voll wrote:
 Subject: [c-nsp] Fwd: 2960s-48fps-l flex stack
 
 I have a 2960s-48fps-l and when I inserted the flex stack module I get:
 
 %PLATFORM-6-FLEXSTACK_UNSUPPORTED_MODULE: Unsupported FlexStack module 
 inserted in Switch 1. C2960S-F-STACK
 

Looks like it might be the wrong stack module:

C2960S-F-STACK
FlexStack hot-swappable stacking module: compatible with Cisco Catalyst 2960-SF 
Series LAN Base switches only.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12651/data_sheet_c78-715638.html

-ryan



Re: [c-nsp] Cisco ASA 5512-x

2012-12-26 Thread Ryan West
On Wed, Dec 26, 2012 at 11:32:15, Andrey Petrenko wrote:
 Subject: [c-nsp] Cisco ASA 5512-x
 
 hello.Does  cisco Asa 5512-x security plus support high-availability 
 support (Active/Active, Active/Support). On this page:
 http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~tab-a support. On this page
 http://www.cisco.com/en/US/products/ps6120/prod_models_home.html
 not support.
 --

At first release, it was a no, but it does support HA with a Security Plus 
license.  ASA5512-SEC-PL is the part number.

Thanks,

-ryan



Re: [c-nsp] Anyconnect ASA 5550

2012-12-26 Thread Ryan West
On Wed, Dec 26, 2012 at 13:57:53, Blake Pfankuch wrote:
 Subject: [c-nsp] Anyconnect ASA 5550
 
 
 interface GigabitEthernet0/1
  ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
  nameif outside
  security-level 0
 
 Without changing the actual interface IP, I cannot have my Anyconnect 
 clients connect to 10.10.10.15?
 

Check out vpn load-balancing.

-ryan



Re: [c-nsp] ASA is not sending syslog

2012-12-25 Thread Ryan West
On Tue, Dec 25, 2012 at 13:51:24, Farooq Razzaque wrote:
 Subject: [c-nsp] ASA is not sending syslog
 
 
 
 
 
 
 Hi All,
 
 I have ASA 5510 running on version 8.0(5)27.
 
 
 The ASA is not sending logs to syslog server 2. Previously it was 
 sending logs to syslog server 2 (2.x.x.2). I changed the order in the 
 config i.e i put the config of syslog server 3(3.x.x.3) at second 
 number and then put the config of syslog server 2 (2.x.x.2) at third 
 number after that ASA is not sending logs to syslog server 3 (3.x.x.3) 
 which is at second number and syslog server 2 which is at third number
 
 I also remove the config of syslog (logging host mgmt 2.x.x.2  --- 
 Syslog server 2) which was at third number. But still ASA is not 
 sending logs to syslog at second number
 
 How can we check that ASA is sending syslogs out .
 

Sniff it and look for the counters to increment. 

 
 logging enable
 logging list VPN_Monitor level informational class abc
 logging list VPN_Monitor level informational class abcfo
 logging buffered informational
 logging trap informational
 logging asdm informational
 logging host mgmt 1.x.x.1     --- Syslog server 1
 logging host mgmt 2.x.x.2     --- Syslog server 2
 logging host inside 3.x.x.3   --- Syslog server 3
 logging permit-hostdown
 logging class abc history informational
 logging class abcfo history informational
 #
 

Others may have different experiences, but I've found that a reboot is the only 
fix sometimes.  Removing all logging and adding it will not fix it when a 
configuration change is made.  The logging feature is a little flaky.

-ryan



Re: [c-nsp] ASA is not sending syslog

2012-12-25 Thread Ryan West
You can sniff to see if it's sending syslog messages, but you'll find that once 
it fails it will not recover on its own.  Rebooting the box has fixed the 
issue.  The issue we've faced is that the ASA will stop sending to a host and 
won't recover, regardless of configuration changes.

Hope that helps.

-ryan

From: Farooq Razzaque [mailto:farooq_...@hotmail.com]
Sent: Tuesday, December 25, 2012 3:55 PM
To: Ryan West; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA is not sending syslog

Hi Ryan

Thanks for the reply.

Have u faced the issue with ASA syslog ? If so, what issue you faced.  Did it 
fix by reboot

Can you elaborate the following

Sniff it and look for the counters to increment.




 From: rw...@zyedge.com
 To: farooq_...@hotmail.com; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] ASA is not sending syslog
 Date: Tue, 25 Dec 2012 19:35:39 +

 On Tue, Dec 25, 2012 at 13:51:24, Farooq Razzaque wrote:
  Subject: [c-nsp] ASA is not sending syslog
 
 
 
 
 
 
  Hi All,
 
  I have ASA 5510 running on version 8.0(5)27.
 
 
  The ASA is not sending logs to syslog server 2. Previously it was
  sending logs to syslog server 2 (2.x.x.2). I changed the order in the
  config i.e i put the config of syslog server 3(3.x.x.3) at second
  number and then put the config of syslog server 2 (2.x.x.2) at third
  number after that ASA is not sending logs to syslog server 3 (3.x.x.3)
  which is at second number and syslog server 2 which is at third number
 
  I also remove the config of syslog (logging host mgmt 2.x.x.2 ---
  Syslog server 2) which was at third number. But still ASA is not
  sending logs to syslog at second number
 
  How can we check that ASA is sending syslogs out .
 

 Sniff it and look for the counters to increment.

 
  logging enable
  logging list VPN_Monitor level informational class abc
  logging list VPN_Monitor level informational class abcfo
  logging buffered informational
  logging trap informational
  logging asdm informational
  logging host mgmt 1.x.x.1     --- Syslog server 1
  logging host mgmt 2.x.x.2     --- Syslog server 2
  logging host inside 3.x.x.3   --- Syslog server 3
  logging permit-hostdown
  logging class abc history informational
  logging class abcfo history informational
  #
 

 Others may have different experiences, but I've found that a reboot is the 
 only fix sometimes. Removing all logging and adding it will not fix it when a 
 configuration change is made. The logging feature is a little flaky.

 -ryan
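Added here as an illustration of the "sniff it" advice in this thread, not text from either poster: an on-box capture on the ASA that shows whether syslog datagrams to the second server actually leave the box, plus the counters to compare against. The interface name mgmt, the ASA's own address 1.x.x.10 and the server 2.x.x.2 are placeholders following the poster's sanitized config. The poster's logging host lines use UDP, so the ASA gets no feedback when a host stops receiving and the capture is the only ground truth; logging permit-hostdown only matters for TCP syslog, where without it the ASA stops passing new connections when the syslog server becomes unreachable.

```text
! Added example, not from the thread. Placeholders: the syslog host 2.x.x.2 is
! reached via the interface named mgmt, whose address is 1.x.x.10.
!
! 1. Capture only syslog to that host. "logging host" without a protocol keyword
!    means UDP/514, so that is what the ACL matches.
access-list CAP-SYSLOG extended permit udp host 1.x.x.10 host 2.x.x.2 eq 514
capture SYSLOG access-list CAP-SYSLOG interface mgmt
!
! 2. Make the ASA emit something the trap logger must forward. Any configuration
!    command produces %ASA-5-111008, which is within "logging trap informational".
!    Then read the capture and the per-destination state.
show capture SYSLOG
show logging | include Trap logging|Logging to|messages logged
!
! 3. Reading the result:
!    - capture empty while "messages logged" climbs: the ASA counts but does not
!      transmit; this is the stuck state described above, cleared by a reload.
!    - capture shows datagrams to 2.x.x.2: the box is fine, look downstream
!      (routing, an ACL in front of the server, the syslog daemon itself).
!
! 4. Remove the capture when done; a running capture costs memory and CPU.
no capture SYSLOG
no access-list CAP-SYSLOG extended permit udp host 1.x.x.10 host 2.x.x.2 eq 514
```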


Re: [c-nsp] 3750x Alternatives

2012-11-19 Thread Ryan West
Just one clarification.  The 5548UP is around the same price as the 5010 was. 
The 5520 is a 2U model, which is closer to the 5596UP. 

Sent from handheld. 

On Nov 19, 2012, at 6:28 PM, Andrew Miehs and...@2sheds.de wrote:

 On Tue, Nov 20, 2012 at 9:56 AM, CiscoNSP_list CiscoNSP_list 
 cisconsp_l...@hotmail.com wrote:
 
 Thanks Andrew - The Nexus do look nice...The 5010/5020 are EOL'd
 correct?(But still able to get smartnet on them?)Is there a significant
 price point difference between these and the 5548(P?)
 
 The Nexus 5548 should cost about the same as the 5020 - but you would need
 to check this and speak with your Cisco sales rep.
 
 
 If the Nexus are heinously expensive, I might look at the 4500's as you
 suggest.or perhaps the 4900's?(I do require 6+ SFP for fibre
 connections though)
 
 Do you require SFP+ or SFP? (10G or 1G)?
 
 The 4500 Sup7E and 4500X should support VSS by the start of next year
 (probably mid until it is stable). If you can wait that long with the VSS
 requirement you could probably buy a 4500 now, and VSS it later.
 
 HP also have their own version of VSS called IRF which you will find on
 their H3C range of switches - I believe it is now called HP Comware. This
 may also be an alternative.
 
 Andrew


Re: [c-nsp] 3750x Alternatives

2012-11-19 Thread Ryan West
Now that the price list appears to be updated on CCX and netformx, it seems the 
4500X is a pretty good choice.  I didn't have the same experience with steep 
pricing on the ent version, at least not when compared to the LAN base - IP 
base - Ent upgrade pricing for the 4500E.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Kell
Sent: Monday, November 19, 2012 8:10 PM
To: Andrew Miehs
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750x Alternatives

If you seriously have 10G on the roadmap, 4500X looks sweet, you can get it in 
a 16-port version, SFP / SFP+ you upgrade as you are ready.  A pair of them in 
a VSS deployment is going to be pretty steep however, especially if you need 
smart layer-3 (Enterprise).

Otherwise perhaps a 4507E+R with a pair of Sup7Es, you can pre-load redundant 
power, Supervisors, and blades to fit the need now; if the VSS pans out you 
just need another chassis (and whatever else you may want redundantly 
redundant).

Or go with 3750E/X if their mac address tables meet your needs.  You get two 
10G ports per switch, you can always uplink to a dumber/cheaper L2 10G switch.

Jeff

On 11/19/2012 8:00 PM, Andrew Miehs wrote:
 On Tue, Nov 20, 2012 at 11:34 AM, CiscoNSP_list CiscoNSP_list  
 cisconsp_l...@hotmail.com wrote:

 2 x 4500-e with Sup7e +  WS-X4748-RJ45-E + WS-X4612-SFP-E ?
 Or 2 x 4500x with similar ports as 4500-e Or 2 x Nexus 5548

 Is there a big price difference between these?

 Contact your Cisco reseller. He may be able to provide you with a 
 global price list so that you can see the relative price of all the 
 items. You will want some form of support on these boxes as well as 
 you NEED to be able to download updates.

 Otherwise you will have me here all day working out Cisco prices :)

 Based on my gut feeling - I would think that the best solution for you 
 would probably be a c4506 with a Sup7E. You could get your redundancy 
 by using spanning tree rather than port channels until VSS becomes 
 available. The 4500s are also quite a good layer 3 switch so you ever 
 require layer 3 functionality. (Extra licenses however).

 NOTE: I can of course not guarantee that Cisco will bring out VSS for 
 the 4500s or that it won't be an extra cost on the Sup7E - I can only 
 state what I have read.





Re: [c-nsp] Cisco ASA 5505 VPN setup

2012-11-08 Thread Ryan West
So you have a VPN tunnel connecting them and you want all traffic to go through 
the tunnel to get to the Internet?   I'm not following the part about removing 
the second link though, won't you still need that for the VPN?

Sent from handheld. 

On Nov 8, 2012, at 4:32 PM, daniel Bahamombe dbanhamo...@yahoo.com wrote:

 Hello guys 
  
 I have two sites remote from one another but all connected to the internet by 
 two seperate ISP s using the Cisco ASA 5505 
  
 I would want to set up a VPN tunnels bettwen the two sites and have internet 
 access from a single site as compared of getting from two links all supplying 
 internet  from seperate providers 
 I do have static IPs on both ASAs facing the public internet 
 Can anyone assist with the configuration  if its possible to set up this 
 without ISP intervention 
  
  
 Regards
  
 Dan


Re: [c-nsp] OT: Duplicate IP's.

2012-10-29 Thread Ryan West
ASA version?

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Monday, October 29, 2012 11:40 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: Duplicate IP's.

We have VM's and now Desktops that are getting Duplicate IP errors on boot up 
when they have a static IP configured (and there is not duplicate IP).

VMware says it's a ASA issue with Proxy arp.  I have turned off proxy arp.
 Is there something else that may be causing these issues?

TIA

Scott


Re: [c-nsp] OT: Duplicate IP's.

2012-10-29 Thread Ryan West
Scott,

Can you post a sanitized output of show nat.  I know you said you have 
proxy-arp turned off, but it does sound like a nat (inside,any) statement 
that's causing the issue.

-ryan

From: Scott Voll [mailto:svoll.v...@gmail.com]
Sent: Monday, October 29, 2012 12:34 PM
To: Ryan West
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: Duplicate IP's.

8.4.4.5
On Mon, Oct 29, 2012 at 8:48 AM, Ryan West rw...@zyedge.com wrote:
ASA version?

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Monday, October 29, 2012 11:40 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: Duplicate IP's.
We have VM's and now Desktops that are getting Duplicate IP errors on boot up 
when they have a static IP configured (and there is not duplicate IP).

VMware says it's a ASA issue with Proxy arp.  I have turned off proxy arp.
 Is there something else that may be causing these issues?

TIA

Scott


Re: [c-nsp] NAt on cisco ASA 5505

2012-10-15 Thread Ryan West
Is it 8.2 or 8.3+?

Sent from handheld. 

On Oct 15, 2012, at 8:47 AM, Murat Kaipov mkkai...@gmail.com wrote:

 Hello Oliver.
 Yes it's possible.
 Do you need example config? 
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Olivier CALVANO
 Sent: Monday, October 15, 2012 1:51 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] NAt on cisco ASA 5505
 
 Hi
 
 i want nat on a cisco asa 5505 (ipsec tunnel site to site) :
 
 
 192.168.10.0/24 in 192.168.235.0/24
 
 it's possible ?
 
 all request from 192.168.10.0 to a IP into the ipsec tunnel are changed in
 192.168.235.x
 
 thanks for your help
 
 olivier


Re: [c-nsp] NAt on cisco ASA 5505

2012-10-15 Thread Ryan West
On Mon, Oct 15, 2012 at 09:22:38, Olivier CALVANO wrote:
 
 it's 8.0(3)
 
 2012/10/15 Ryan West rw...@zyedge.com:
  Is it 8.2 or 8.3+?
 
 
  192.168.10.0/24 in 192.168.235.0/24
 
  it's possible ?
 
  all request from 192.168.10.0 to a IP into the ipsec tunnel are 
  changer in 192.168.235.x

Try this - 

access-list policy-nat-192.168.235.0 extended permit ip 192.168.10.0 255.255.255.0 remote_end_of_tunnel 255.255.255.0
static (inside,outside) 192.168.235.0 access-list policy-nat-192.168.235.0

For this to override other static NAT's, it needs to be at the top of list.

-ryan



Re: [c-nsp] ASA 5505 NAT and asymmetric routing

2012-10-08 Thread Ryan West
On Mon, Oct 08, 2012 at 13:36:57, Matthew DeSantos wrote:
 Subject: [c-nsp] ASA 5505 NAT and asymmetric routing
 
 All,
 
 Hopefully I can explain this correctly. I'm having an issue with 
 communication
 (telnet/ssh) from a public server to remote private nodes. The issue 
 is the return path, private IPs can't route via the INET. So, my 
 initial thought was to plug the servers into the ASA and give them 
 private IPs. However, these servers actively monitor our private IPs. 
 If I change the IP of the server(s) this will require a lot of manual 
 changes. The private nodes will need to be updated  to allow the new 
 private IP access. I'm thinking I need to configure static PAT or some 
 sort of NAT. This is where I'm stuck and don't fully understand how to 
 implement. The setup is below:
 
 Public Server(s) -[ROUTER]---ASAtunnel=ASA--[ROUTER] Private 
 IP (10.1.0.0/17)
 

Not sure what version of code you're running, but assuming it's 8.2 or below, 
you can try this:

static (inside,outside) tcp public_address 23 private_address 23
static (inside,outside) tcp public_address 22 private_address 22

Then you just update your outside acl to allow those services through.  If you 
do a one to one translation for the public to private address, you'll need a no 
nat acl to fix your private communications.

-ryan

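A fuller version of the 8.2-style answer above, added here as an example and not part of the original reply. Addresses are placeholders: the public address 198.51.100.20 on the outside subnet, the monitoring server 10.2.0.5 behind inside, the remote private range 10.1.0.0/17 reached through the L2L tunnel, and an administrators' network 203.0.113.0/24. It exposes only SSH (telnet carries credentials in cleartext across the Internet), restricts the outside ACL to a known source rather than any, and includes the NAT exemption that keeps the tunnel traffic untranslated; on 8.2 nat 0 with an access-list is evaluated before any static, which is why the static does not break the private path.

```text
! Added example, not from the thread. ASA 8.2 syntax, placeholder addresses:
! public 198.51.100.20 (outside subnet), server 10.2.0.5 (inside 10.2.0.0/24),
! remote private nodes 10.1.0.0/17 over the L2L tunnel, admins 203.0.113.0/24.
!
! Static PAT: only TCP/22 on the public address maps to the server.
static (inside,outside) tcp 198.51.100.20 22 10.2.0.5 22 netmask 255.255.255.255
!
! Outside ACL: name the sources allowed in; "permit tcp any ... eq 22" invites
! password guessing from the whole Internet.
access-list OUTSIDE-IN extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.20 eq 22
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! NAT exemption: server <-> remote private nodes keeps real addresses. This is
! matched before the static above, so the tunnel traffic is never translated.
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.128.0
nat (inside) 0 access-list NONAT
!
! The crypto ACL for the tunnel must cover the same addresses.
access-list L2L-TRAFFIC extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.128.0
!
! Verify: the static translation, ACL hit counts, and a simulated admin SSH.
show xlate | include 10.2.0.5
show access-list OUTSIDE-IN
packet-tracer input outside tcp 203.0.113.7 40000 198.51.100.20 22
```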


Re: [c-nsp] Etherchannels on a 4506E?

2012-09-25 Thread Ryan West
I think it's closer to 64. 

Sent from handheld. 

On Sep 25, 2012, at 5:43 PM, Mohamed A. Abbas m.abdelmon...@gmail.com wrote:

 8 ether channel i just faced it two days ago max is 8 + refer to the
 configuration document to be sure.
 
 
 Thanks,
 
 Monsef ®™
 
 On Tue, Sep 25, 2012 at 11:25 PM, Scott Voll svoll.v...@gmail.com wrote:
 
 How many Ether channels (port channels) can you have setup on a Cat 4506E
 with sup 6E?  I can't find the documentation on it.
 
 Thanks
 
 Scott
 
 
 
 
 -- 
 Eng. Mohamed A. Monsef
 Cisco Networks Engineer
 CCNP® - CCIP® - CCDP®
 CS-RSSS® - IPv6-FGCE®
 ITIL® - ISO/IEC 27002®
 Cell Phone : +2 0100 677 2 887
              +2 0109 255
 Land Line : +2 02 267 42 453


Re: [c-nsp] Port channel

2012-08-24 Thread Ryan West
On Fri, Aug 24, 2012 at 06:40:07, Xu Hu wrote:
 Subject: Re: [c-nsp] Port channel
 
 What is the flex links about?
 Because the traffic load-balance or not is depend on your settings, by 
 default is source mac address, let's say if you just have one source 
 then the traffic will just use one port-channel link, if you have two 
 sources, then should be load-balance between the two members.
 Correct me if I have the wrong understanding of hashing algorithm.
 

The default hashing algorithm is different on some platforms in the Catalyst 
line.  In the Nexus line, the default is different for a layer 3 port channel 
vs a layer 2.  Flex Links disable STP and one interface or Portchannel acts as 
a backup.  

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/flexlink.html

-ryan



Re: [c-nsp] Port channel

2012-08-23 Thread Ryan West
Flex links is an option as well. 

Sent from handheld 

On Aug 23, 2012, at 5:45 PM, Andrew Miehs and...@2sheds.de wrote:

 You could shut the one of the links down but if you really want to do this, 
 why use a port channel at all - spanning tree can do what you are after...
 
 Sent from a mobile device
 
 On 24/08/2012, at 3:08, Harry Hambi harry.ha...@bbc.co.uk wrote:
 
 Hi all,
 In a port channel can you force traffic down a particular link,   don't
 use the hashing algorithm.
 


Re: [c-nsp] help with NAT on ASA 8.3+

2012-08-07 Thread Ryan West
Double NAT. 

Should look something like this:

nat (inside,outside) source static obj_10.10.0.1 obj_172.17.1.1 destination 
static obj_10.10.1.0 obj_10.10.1.0

Since this equivalent to static policy nat in 8.2 and below, make sure you 
position this nat rule near the top. 

Sent from handheld 

On Aug 7, 2012, at 10:12 AM, Scott Voll svoll.v...@gmail.com wrote:

 I have a LAN to LAN connection (say 10.10.1.x/24) that terminates on my ASA
 8.3+.
 
 I have a internal IP address on the inside of 10.10.0.1 that because of DNS
 needs to look like 172.17.1.1.
 
 So client at remote site 10.10.1.250 gets DNS for 172.17.1.1 but should be
 NAT'd and connecting to 10.10.0.1.  How do I setup the NAT in 8.3+?
 
 10.10.1.x looks to be on the outside interface and 10.10.0.1 looks to be on
 the inside interface.
 
 TIA
 
 Scott


Re: [c-nsp] Nexus 5596 - B22HP FCOE question

2012-07-18 Thread Ryan West
Have you applied the QoS policies needed for FCoE?  What do your virtual FC 
interfaces show?  You should see something like vfc# is trunking with a VSAN up 
and the proper FCoE VLAN listed.

Here's an example of non SAN boot FCoE config:

interface Ethernet2/4
  description To esx4 CNA port1
  switchport mode trunk
  switchport trunk allowed vlan 100,200,400-430
  spanning-tree port type edge trunk
  channel-group 124
!
interface vfc124
  bind interface port-channel124
  switchport trunk allowed vsan 100
  no shutdown

The SAN boot version is the same, except you bind to the Ethernet interface 
instead.

Have you already read this?

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps10110/ps11975/guide_c07-686089.html#wp9000363

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of simon thomason
Sent: Wednesday, July 18, 2012 5:34 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 5596 - B22HP FCOE question

Hi All,

Not certain if anyone can help but I have configured a new set of 5k for LAN 
fine all up and running but struggling with the SAN config. Currently I have 
storage attached to the 5k fine but the problem i am having is with the B22HP. 
I can see the ethernet ports fine and in DCNM see the FCOE ports but they are 
not talking back to the 5k to attach to the SAN. Can not see Flogi entry for 
the fcoe ports.

I have followed the fcoe config guides closely but it seems like i am missing a 
step to attach the FCOE ports to the san management?

I know there is not a lot of details but anyone run into something like this 
before?

Good with the LAN side not so good with the SAN.

Cheers,

Simon.


Re: [c-nsp] Rancid use without level 15 access?

2012-07-06 Thread Ryan West
On Fri, Jul 06, 2012 at 10:50:15, Steven Raymond wrote:
 Subject: [c-nsp] Rancid use without level 15 access?
 
 Is it possible to make use of RANCID for Cisco config archiving without 
 having to grant it full level 15 access?  So far we've found no, but 
 wondered if anyone has a trick or two?
 

Steven,

RANCID has a mailing list you can try, rancid-disc...@shrubbery.net.  We use 
TACACS+ for command authorization and the RANCID user has the ability to run 
the commands listed in the commandtable.   You can crawl the archives for 
examples -  http://www.shrubbery.net/pipermail/rancid-discuss/

-ryan



Re: [c-nsp] Rancid use without level 15 access?

2012-07-06 Thread Ryan West
On Fri, Jul 06, 2012 at 12:06:54, Alan Buxey wrote:
 Subject: Re: [c-nsp] Rancid use without level 15 access?
 
 We use TACACS+ (shrubbery) to give the rancid user the rights to only 
 the commands it needs. As for silently failing, you can eg run the 
 login command and scripts manually (it was through checking those 
 scripts we knew what commands to allow)
 

When RANCID can't access a device for some reason, then you usually end up with 
silent fails.  Failing on commands, from my experience, is pretty easy to find 
in $install_path/var/log.  

The commands are all listed in the commandtable, in a Cisco environment, that 
would include bin/rancid and bin/nxrancid.   Most devices are covered under 
bin/rancid.

@commandtable = (
{'show version' => 'ShowVersion'},
{'show redundancy secondary'=> 'ShowRedundancy'},
{'show idprom backplane',   => 'ShowIDprom'},
{'show install active'  => 'ShowInstallActive'},
{'show env all' => 'ShowEnv'},
{'show rsp chassis-info',   => 'ShowRSP'},
{'show gsr chassis' => 'ShowGSR'},
{'show diag chassis-info'   => 'ShowGSR'},
{'show boot'=> 'ShowBoot'},
{'show bootvar' => 'ShowBoot'},
{'show variables boot'  => 'ShowBoot'},
{'show flash'   => 'ShowFlash'},
{'dir /all nvram:'  => 'DirSlotN'},
{'dir /all bootflash:'  => 'DirSlotN'},
{'dir /all slot0:'  => 'DirSlotN'},
{'dir /all disk0:'  => 'DirSlotN'},
{'dir /all slot1:'  => 'DirSlotN'},
{'dir /all disk1:'  => 'DirSlotN'},
{'dir /all slot2:'  => 'DirSlotN'},
{'dir /all disk2:'  => 'DirSlotN'},
{'dir /all harddisk:'   => 'DirSlotN'},
{'dir /all harddiska:'  => 'DirSlotN'},
{'dir /all harddiskb:'  => 'DirSlotN'},
{'dir /all sup-bootdisk:'   => 'DirSlotN'}, # 6500 sup32
{'dir /all sup-bootflash:'  => 'DirSlotN'}, # cat 6500-ios
{'dir /all sup-microcode:'  => 'DirSlotN'}, # cat 6500-ios
{'dir /all slavenvram:' => 'DirSlotN'},
{'dir /all slavebootflash:' => 'DirSlotN'},
{'dir /all slaveslot0:' => 'DirSlotN'},
{'dir /all slavedisk0:' => 'DirSlotN'},
{'dir /all slaveslot1:' => 'DirSlotN'},
{'dir /all slavedisk1:' => 'DirSlotN'},
{'dir /all slaveslot2:' => 'DirSlotN'},
{'dir /all slavedisk2:' => 'DirSlotN'},
{'dir /all slavesup-bootflash:' => 'DirSlotN'}, # cat 7609
{'dir /all sec-nvram:'  => 'DirSlotN'},
{'dir /all sec-bootflash:'  => 'DirSlotN'},
{'dir /all sec-slot0:'  => 'DirSlotN'},
{'dir /all sec-disk0:'  => 'DirSlotN'},
{'dir /all sec-slot1:'  => 'DirSlotN'},
{'dir /all sec-disk1:'  => 'DirSlotN'},
{'dir /all sec-slot2:'  => 'DirSlotN'},
{'dir /all sec-disk2:'  => 'DirSlotN'},
{'show controllers' => 'ShowContAll'},
{'show controllers cbus'=> 'ShowContCbus'},
{'show diagbus' => 'ShowDiagbus'},
{'show diag'=> 'ShowDiag'},
{'show capture' => 'ShowCapture'},  # ASA/PIX
{'show module'  => 'ShowModule'},   # cat 6500-ios
{'show spe version' => 'ShowSpeVersion'},
{'show c7200'   => 'ShowC7200'},
{'show inventory raw'   => 'ShowInventory'},
{'show vtp status'  => 'ShowVTP'},
{'show vlan'=> 'ShowVLAN'},
{'show vlan-switch' => 'ShowVLAN'},
{'show debug'   => 'ShowDebug'},
{'show cdp neighbor detail' => 'ShowCDPDetail'},
{'show shun'=> 'ShowShun'}, # ASA/PIX
{'more system:running-config'   => 'WriteTerm'},# ASA/PIX
{'show running-config view full'=> 'WriteTerm'},# workaround for
{'show running-config'  => 'WriteTerm'},
{'write term'   => 'WriteTerm'},
);

-ryan


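An added example, not from the thread, of the TACACS+ command-authorization arrangement described in the two replies above, written for shrubbery tac_plus: the rancid user gets an exec shell at privilege 15 (so clogin can be told to skip enable) but may only run the commands bin/rancid issues. The server address 10.0.0.5, the shared key and the password are placeholders. Scripts other than bin/rancid (nxrancid for NX-OS, for instance) issue their own command sets, which have to be permitted the same way. The account is read-only, not low-sensitivity: show running-config returns every pre-shared key and type-7 string on the box, so the rancid host and its repository need protecting accordingly.

```text
# Added example, not from the thread. Placeholders: TACACS+ server 10.0.0.5,
# the shared key and the rancid password.
#
# --- tac_plus.conf (shrubbery tac_plus) ---
key = "REPLACE-WITH-SHARED-KEY"

group = rancid-readonly {
    # No "default service = permit" here: commands not listed below are denied,
    # which includes "configure", "copy", "reload" and "write memory".
    service = exec {
        priv-lvl = 15          # exec starts at 15: no "enable", no enable secret
    }
    cmd = terminal {
        permit "length 0"      # set by clogin/rancid before collecting
        permit "width .*"
        permit "pager 0"       # ASA/PIX
    }
    cmd = show {
        permit .*              # the bulk of the commandtable
    }
    cmd = dir {
        permit "/all .*"       # dir /all nvram:, disk0:, ...
    }
    cmd = more {
        permit "system:running-config"   # ASA/PIX
    }
    cmd = write {
        permit "term.*"        # "write term" only; "write memory" does not match
    }
    cmd = exit   { permit .* }
    cmd = logout { permit .* }
    cmd = quit   { permit .* }
}

user = rancid {
    member = rancid-readonly
    login = cleartext "REPLACE-ME"
}

# --- IOS side, on every device rancid polls ---
# aaa new-model
# tacacs-server host 10.0.0.5 key REPLACE-WITH-SHARED-KEY
# aaa authentication login default group tacacs+ local
# aaa authorization exec default group tacacs+ local
# aaa authorization commands 1 default group tacacs+ local
# aaa authorization commands 15 default group tacacs+ local
# aaa accounting commands 15 default start-stop group tacacs+
# test aaa group tacacs+ rancid REPLACE-ME legacy
#
# --- ~/.cloginrc on the rancid host ---
# add user       * rancid
# add password   * {REPLACE-ME}
# add autoenable * 1        # already at priv 15, do not send "enable"
# add method     * ssh
```

A quick way to confirm the fence holds is to log in as rancid by hand and try `configure terminal` and `write memory`: both should come back with "Command authorization failed", while `show running-config` succeeds.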


Re: [c-nsp] ASA wild card cert...

2012-07-05 Thread Ryan West
Did you get the entire chain as part of your export, sounds like you're missing 
an intermediate cert?  Do you see a difference between the ASA's when issue 
'show crypto ca certificate'?

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Thursday, July 05, 2012 11:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA wild card cert...

I have exported from one ASA and would like to move to a second ASA our Wild 
card cert.  It looks like the export / import went well.  I can even see in IE 
that the cert is my *.domain.com but I'm still getting a Cert
Error.   This Certificate cannot be verified up to a trusted certification
authority  What did I miss?

Thanks

Scott

ASA 8.4.4
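An added example of the check and fix suggested in the reply above, not part of the original message: exporting the wildcard certificate with its chain from the first ASA, importing it on the second, and confirming the intermediate is present before binding the certificate to the interface. The trustpoint names WILDCARD and INTERMEDIATE, the passphrase and the interface name outside are assumptions. The PKCS#12 blob contains the private key: move it only over an encrypted channel (pasting into an SSH session is fine) and pick a passphrase you will not leave in a shell history.

```text
! Added example, not from the thread. Assumed names: trustpoints WILDCARD and
! INTERMEDIATE, interface outside, passphrase REPLACE-PASSPHRASE.
!
! --- on the first ASA: key, identity certificate and the CA certificates the
!     trustpoint knows about, as one PKCS#12 blob ---
crypto ca export WILDCARD pkcs12 REPLACE-PASSPHRASE
!
! --- on the second ASA ---
crypto ca trustpoint WILDCARD
 enrollment terminal
crypto ca import WILDCARD pkcs12 REPLACE-PASSPHRASE
!  (paste the base64 block from the export, finish with "quit")
!
! Check what arrived. A complete import lists the identity certificate AND a
! "CA Certificate" entry whose Subject equals the Issuer of the identity
! certificate. The browser's "cannot be verified up to a trusted certification
! authority" means that entry is missing.
show crypto ca certificates WILDCARD
!
! If the intermediate is missing, install it in its own trustpoint; the ASA
! assembles the chain it presents from the CA certificates of its trustpoints.
crypto ca trustpoint INTERMEDIATE
 enrollment terminal
crypto ca authenticate INTERMEDIATE
!  (paste the intermediate CA's PEM certificate, finish with "quit")
!
! Bind the identity certificate to the interface the clients hit, and verify.
ssl trust-point WILDCARD outside
show ssl
!
! From a client, confirm the full chain is actually sent (not an ASA command):
!   openssl s_client -connect vpn.domain.com:443 -showcerts
```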


Re: [c-nsp] ASA - SSH/ASDM - Current logged on users

2012-06-06 Thread Ryan West
On Wed, Jun 06, 2012 at 06:28:49, Hansen, Ulrich Vestergaard B. (E W EN RD DT 
ES 1 2) wrote:
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] ASA - SSH/ASDM - Current logged on users
 
 Hi nsp-group!
 
 Is there a command or method to display the current logged on users on 
 Cisco ASA - like you can issue the who command in IOS.
 Or is there a way we can display a visual banner upon login to ASDM 
 displaying who is working on the device?
 

I wasn't able to find anything on a visual banner; the banner macros are 
pretty basic.  If you're using ASDM, Monitoring - Properties - Device Access 
and click ASDM/HTTPS/Telnet/SSH Sessions.  From the CLI it's a kludge.  Run who to 
see telnet sessions, show asdm sessions for ASDM, and show ssh sessions for SSH.

-ryan



Re: [c-nsp] ASA5510 - show vpn-sessiondb l2l - Question

2012-06-04 Thread Ryan West
On Mon, Jun 04, 2012 at 20:23:47, Erik Sundberg wrote:
 Subject: [c-nsp] ASA5510 - show vpn-sessiondb l2l - Question
 
 When I do a show vpn-sessiondb l2l for  my one peer Encryption and 
 hashing alg is repeated 3 times
 
 Encryption   : AES256 AES256 AES256   Hashing  : SHA1 SHA1 SHA1
 
 The Remote side of the VPN shows the following
 
 Encryption   : AES256 Hashing  : SHA1
 
 Does anyone know why this happening config issue or output bug?
 
 

I'm going with output bug, here is my 8.4.3:

Protocol : IKEv1 IPsec
Encryption   : 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES 3DES
Hashing  : SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1

Wasn't able to find a specific bug, but it appears to just be cosmetic.  Maybe 
each time Phase 1 is restarted.

-ryan



Re: [c-nsp] L2/DHCP protection

2012-05-31 Thread Ryan West


On May 31, 2012, at 10:01 AM, Jason Lixfeld ja...@lixfeld.ca wrote:

 I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and 
 I'm wondering what features other folks are using to prevent nefarious 
 activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, 
 etc.) from causing havoc when initiated from the customer side.
 
 So far, I've built up a config that looks sorta like so:
 
 !
 interface GigabitEthernet1/1
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport port-security violation shutdown vlan
 switchport port-security maximum 1 vlan
 logging event link-status
 logging event trunk-status
 storm-control broadcast include multicast
 storm-control broadcast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 1
 ip dhcp snooping information option allow-untrusted
 !
 
 In addition to above, there was the 'port-type uni' feature on the ME3400 and 
 'switchport protected' feature on the 3550s that would prevent two customers 
 on the same VLAN from being able to talk together.  I can't seem to find 
 their equivalent on the 4500.  Do they exist?
 

Private-vlan isolated to mimic switchport protected and DAI for your DHCP 
needs. 


 Anything else anyone can think of that might be useful here, or anything that 
 is redundant and useless?
 
 Thanks in advance!


Re: [c-nsp] Stacking 3750X vs diverse 4948E

2012-05-22 Thread Ryan West
On Tue, May 22, 2012 at 16:00:09, Mark Tinka wrote:
 Cc: scott owens
 Subject: Re: [c-nsp] Stacking 3750X vs diverse 4948E
 
 On Sunday, May 20, 2012 07:57:41 AM Reuben Farrelly wrote:
 
  It's also nice to be able to go from 1G to 10G by just upgrading 
  SFP's.
 
 That's why we're looking at the 4500-X (Cisco) and EX4500 (Juniper), 
 and ignoring the typical core switch devices like the 6500, Nexus 7000 
 (Cisco) and EX8200, EX6200 (Juniper), for small-to-mid size core deployments.
 

And you'll have VSS in the X.  I realize the 5500 and 4500-X are positioned 
differently, but the 10G capacity of the 4500-X does seem a little low for the 
price.  I guess it all depends on the feature set you need.  What are you 
needing in the 4500-X that isn't available in the 5500?

-ryan



Re: [c-nsp] Stacking 3750X vs diverse 4948E

2012-05-22 Thread Ryan West
On Tue, May 22, 2012 at 16:42:20, Mark Tinka wrote:
 Subject: Re: [c-nsp] Stacking 3750X vs diverse 4948E
 
 On Tuesday, May 22, 2012 10:19:47 PM Ryan West wrote:
 
  And you'll have VSS in the X.  I realize the 5500 and 4500-X are 
  positioned differently, but the 10G capacity of the 4500-X does seem 
  a little low for the price.  I guess it all depends on the feature 
  set you need.  What are you needing in the 4500-X that isn't 
  available in the 5500?
 
 Not much - pure Layer 2 switching in the core, and customer 
 aggregation in the edge where router line cards are more expensive than the 
 switch.
 
 We looked at the 5500 for such a purpose a while back, but we had 6500 
 in the core then, with typical 1U switches at the edge inside the data 
 centres.
 
 For the price (or for what the price will be), the 4500-X fits our 
 bill quite nicely in both segments we're looking at.
 

The bundle price on the 5500 seems about 35% less than the 4500-X.  Maybe I'm 
missing the other models, but the 3 listed in netformx start off at Land Rover 
pricing.

-ryan



Re: [c-nsp] Call rejection from Cisco

2012-05-15 Thread Ryan West
On Tue, May 15, 2012 at 14:08:17, Joseph Mays wrote:
 Subject: Re: [c-nsp] Call rejection from Cisco
 
 On a related note, I am aware that part of the problem might be that 
 the called party number might be listed as plan unknown and type 
 unknown. I've been trying to figure out a way on the IAD 2400 to set 
 this to national and isdn for all outgoing calls, but the only way I 
 can find to do that is with translation rules, and those all seem to 
 assume that the first thing you want to do is search and replace part 
 of the dialed number. I really don't care what the dialed number is. 
 Is there some way to match just on the plan and type, or some way to set 
 those values other than a translation rule?

You can try this:

voice translation-rule 100
 rule 1 /^\(.*\)/ /\1/ type any national plan any isdn
!
voice translation-profile outbound-set
 translate called 100

Then put that on your POTS dial-peer outbound.

-ryan



Re: [c-nsp] Monitoring 6K performance (pps)

2012-05-14 Thread Ryan West
On Sun, May 13, 2012 at 02:19:30, Aaron Riemer wrote:
 Subject: [c-nsp] Monitoring 6K performance (pps)
 
 Hey guys,
 
 
 
 We are looking at upgrading our CAT6K SUP's and I am trying to figure 
 out how I can monitor the current throughput.
 
 
 
 We currently monitor the interface utilisation (bits / sec) with SNMP. 
 That is all well and good but I am looking to obtain raw packets per 
 second (pps) that are actually processed by the switch. Obviously bits 
 / sec are not the same as packets / sec.
 
 
 
 Is there any real way to go about this other than monitoring each 
 interface and calculating a total for a given time period?
 

Aaron,

Are you looking for the information contained in 'show platform hardware 
capacity'?   There are sub commands that show PFC usage, fabric usage, and 
forwarding engine load with peak numbers.

-ryan



Re: [c-nsp] Cisco ASA 5550 Throughput

2012-05-08 Thread Ryan West
On Tue, May 08, 2012 at 11:15:56, Covalciuc Piotr wrote:
 Subject: [c-nsp] Cisco ASA 5550 Throughput
 
 Hello,
 
 Can anybody explain me what is the maximum throughput of Cisco ASA- 
 5550?
 
 By the specification it's 1.2Gbps. But it's divided on 2 buses: slot0 
 and slot1 with 600Mbps of throughput each.
 If traffic flows via ASA, it enters to slot0 and it exit from slot1:
 

Peter,

It's 1 Gbps across the bus, but each one of the slots can handle a total of 600 
Mbps.  So that would mean 600 max passing between those slots.  With your 
drawing, if you just had 1 interface on each bus, it would be 600 in and 600 out.

http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html#wp35995

-ryan




Re: [c-nsp] CAB-SFP-50CM 2960S

2012-05-07 Thread Ryan West
On Mon, May 07, 2012 at 03:00:08, Mal wrote:
 Subject: [c-nsp] CAB-SFP-50CM  2960S
 
 Anyone successfully using CAB-SFP-50CM between 2960S switches
 (WS-C2960S-48LPD-L)  ?
 
 
 
 I have a link up between two 10G 2960S SFP+ port interfaces (and can 
 ping across it) but it's reporting a 10Gig speed connection via the
 cab-stack-50 SFP cable.
 

It's 10G, were you expecting stackwise speed?  I think you have the part number 
confused with the 3750 line as well.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

-ryan



Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?

2012-04-30 Thread Ryan West
Might want to look at the 5525-X.  Rated at 2Gbps, so with basic services 
turned on should get very close to handling a gig with NAT enabled.  I'm not 
sure about FCS on the new boxes though.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Huff
Sent: Monday, April 30, 2012 12:11 PM
To: 'Chuck Church'; 'dcostell-cisco...@torzo.com'; 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?

If you need the full 1GB for VPN, yes, the 5585-X with SSP10 will be the best 
bet. It will probably be on the close order of 20k though.




Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-460-4139


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- 
 boun...@puck.nether.net] On Behalf Of Chuck Church
 Sent: Monday, April 30, 2012 12:02 PM
 To: dcostell-cisco...@torzo.com; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?
 
 Since everything looks like Ethernet, why not consider an ASA 5585-X?
 This is probably the cheapest thing you'll find that can do a gigabit 
 of VPN.
 
 Chuck
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dave
 Sent: Monday, April 30, 2012 11:53 AM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?
 
 That's what I was afraid someone was going to say :) I guess it's time 
 to start looking into the ASRs and see what my options are.
 
 Thanks all! Really appreciate the help and information.
 
 Dave
 
 On 04/30/2012 08:50 AM, Aled Morris wrote:
  On 30 April 2012 16:40, Dave dcostell-cisco...@torzo.com 
  mailto:dcostell-cisco...@torzo.com wrote:
 
  Thank you all for the responses. I actually found the PDF shortly
  after sending the e-mail. Sorry for wasting everyone's time.
 (Also a
  part of me was hoping the PDF was wrong). So for an office router
  that will do GigE + VPN + NAT anyone have any recommendations ?
 Is
  it the ASR1k or bust now days ?
 
 
  You're only going to get near gigabit performance with hardware 
  forwarding, so ASR is your best bet.  Switch platforms with Layer 3 
  (like the Catalyst 3560-X) aren't going to support the features you 
  need in their forwarding ASICs so you'll get performance worse than 
  the ISR2 you've already tried.
 
  Aled
 
 
 


Re: [c-nsp] NAT on Cisco ASA

2012-04-13 Thread Ryan West
On Fri, Apr 13, 2012 at 10:13:28, Brian Morgan wrote:
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] NAT on Cisco ASA
 
 On Thu, Apr 12, 2012 at 12:49 PM, Covalciuc Piotr 
 pkovalc...@gmail.com
 wrote:
  I know, the servers can communicate through local network (10.10.10.x).
  I'd like just to know if the communication between local servers can 
  be established through NATed IP.
  If so, how it should be configured on ASA?
 
 
 Good day Peter,
 It is possible for this to work by using a technique called 
 hairpinning; the problem is that you may start getting strange behavior 
 with your inside network.
 This feature was originally intended to allow vpn clients to 
 communicate to each other, but can be abused to perform the NATing that you 
 need.
 Cisco has released a nice video tutorial on how to do this 
 http://www.youtube.com/watch?v=wjEfdfI0BqY and we have used this 
 technique in labs, but try not to use it for production networks.
 

Ah.. I've done this for outside to outside traffic during a move before, didn't 
think about applying to the internal segments though, but same setup.

-ryan



Re: [c-nsp] NAT on Cisco ASA

2012-04-12 Thread Ryan West
On Thu, Apr 12, 2012 at 12:49:47, Covalciuc Piotr wrote:
 Subject: [c-nsp] NAT on Cisco ASA
 I know, the servers can communicate through local network (10.10.10.x).
 I'd like just to know if the communication between local servers can 
 be established through NATed IP.
 If so, how it should be configured on ASA?
 

Are you connecting to the NAT'd IP because of a public DNS record?  If so, you 
could do a DNS rewrite to provide the local IP address when you query for the 
public.  Just add the 'dns' keyword to the end of the statement.

-ryan



Re: [c-nsp] NAT on the 3750X

2012-03-22 Thread Ryan West
On Thu, Mar 22, 2012 at 13:56:36, Keegan Holley wrote:
 Subject: [c-nsp] NAT on the 3750X
 
 Does Cisco support NAT on its rack-mountable switches yet?  
 3560/3750X etc..

No, only on the 6500 in the catalyst series to my knowledge.  The ME switch 
based on the 6500 may though.

-ryan



Re: [c-nsp] Nexus 5000 convert between FC and FCoE?

2012-03-19 Thread Ryan West
Output of FCoE to a server?  Currently multihop FCoE is not supported, but 
connecting to a CNA in that topology is. 

Sent from handheld 

On Mar 19, 2012, at 6:01 PM, Ray Van Dolson rvandol...@esri.com wrote:

 We're looking to run straight FC from an XIV storage rack into a Nexus
 5000 and output FCoE via another port on that same 5000.
 
 Can anyone advise if this is doable or if we'd need additional hardware
 to make it happen?
 
 Thanks,
 Ray


Re: [c-nsp] VSS display of show run on standby switch

2012-03-14 Thread Ryan West
On Wed, Mar 14, 2012 at 10:26:35, Chuck Church wrote:
 Subject: Re: [c-nsp] VSS display of show run on standby switch
 
 Haven't touched VSS in 8 months, but I believe you can do a 'sh mod ?' 
 and after mod, you can do options for the individual chassis numbers.
 

Yup, 'show mod switch all' will list both.  Show inv will also get you both 
with a Chassis # identifier.

-ryan



Re: [c-nsp] Nexus network Design - Switching LOOP

2012-03-13 Thread Ryan West
N2Ks do not run spanning-tree and will block ports if a BPDU is detected. You 
can disable spanning tree on those ports, but your 3750 will be flat at that 
point. 

Sent from handheld 

On Mar 13, 2012, at 8:57 AM, Nick Hilliard n...@foobar.org wrote:

 On 13/03/2012 11:56, jack daniels wrote:
 In this scenario Switching LOOP is getting formed. Only way I'm able
 to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this
 case.
 
 are the 3750 and both the n5k boxes running spanning tree?
 
 Nick
 


Re: [c-nsp] Moving ports on ASA's

2012-03-08 Thread Ryan West
On Thu, Mar 08, 2012 at 13:11:17, Scott Voll wrote:
 Subject: [c-nsp] Moving ports on ASA's
 
 I have two ASA's running in Active / Standby.  I need to move a set of 
 interfaces (non production DMZ set) from one switch to a different switch.
 
 if I don't want the ASA's to failover during the move, can I just shut 
 the interface do the move and then no shut the interfaces?  I don't 
 want to affect other traffic on the ASA's with a Failover.
 

no monitor-interface dmz

Stops the interface monitoring status states that would cause a failover.

-ryan



Re: [c-nsp] Config Backups

2012-03-02 Thread Ryan West
Websvn here. 

Sent from handheld 

On Mar 2, 2012, at 6:30 PM, Erik Sundberg esundb...@nitelusa.com wrote:

 Thanks everyone, I just finished installing rancid and have it up and running 
 already.
 
 What web front end are you using to browse the CVS tree?
 
 
 Thanks
 
 Erik
 
 
 


Re: [c-nsp] ASA SSL VPN client communicating across IPsec tunnel

2012-02-12 Thread Ryan West
It's possible, try 'same-security intra-interface'

Sent from handheld 

On Feb 12, 2012, at 6:20 PM, Andy Dills a...@xecu.net wrote:

 
 I have a customer who has a couple of ASA 5510s connected with a typical 
 IPsec tunnel, and on one of them he has a 10 seat Anyconnect SSL license.
 
 He'd like for the Anyconnect VPN users to be able to communicate with the 
 network on the other side of IPsec tunnel. In theory that would work, but 
 I've found the ASAs to sometimes ignore theory.
 
 I updated the NAT exemption ACL (to include traffic from the VPN users to 
 the remote network and vice versa), the split-tunnel ACL (to have it 
 advertise the remote network in addition to the local), and the crypto map 
 ACL (so that the VPN users are included in the ipsec sa).
 
 It didn't seem to work...I didn't have good access to test, but before I 
 arrange for better access to really work with it, is this indeed possible? 
 Any configuration tips?
 
 Thanks,
 Andy
 
 ---
 Andy Dills
 Xecunet, Inc.
 www.xecu.net
 301-682-9972
 ---


Re: [c-nsp] SSL VPN on an ASA 5505

2012-02-01 Thread Ryan West
On Tue, Jan 31, 2012 at 15:59:49, Ryan wrote:
 Subject: [c-nsp] SSL VPN on an ASA 5505
 
 I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3) 
 to create a config for SSL VPNs. The ASDM didn't configure 
 split-tunneling, so I did that manually by creating the NONAT access 
 list and applying it to the Group Policy.
 
 The Anyconnect client connects successfully with the appropriate 
 routes, but I can't get any traffic going to the networks that I've 
 VPNed into. The sanitized config is below. Any thoughts?
 

Anything in the logs or debugs that you could post as well?  The new butchered 
no nat statements look ok to me.

-ryan



Re: [c-nsp] Cisco ASA and ipads

2012-01-30 Thread Ryan West
On Sun, Jan 29, 2012 at 21:54:59, Thomason, Simon wrote:
 Subject: [c-nsp] Cisco ASA and ipads
 
 I am looking at allowing iPads to form a VPN with our ASA to provide 
 limited access.
 
 I would like to ideally have the iPad connect with a cert and username 
 password but have the ASA aware that the device connecting is an iPad 
 and heavily restrict its access.
 

Since iPads/iPhones do not run host scan, they are detected through a 
plugin value returned from DAP.  That combined with cert based login should 
give you what you want, and I don't think you would need the premium license 
for the plugin value.  

 I really need the ASA to be aware what these devices are to prevent 
 users importing a laptop certificate and gaining full access to the 
 network over their iPad. I am pretty certain you can get this 
 functionality with premium but just want to check you can and it works well.
 
 Has anyone look into this at all?
 
 Just did a quick search to see if the ASA would support Dot1x and does 
 not look like they do as this might have been a different option.
 

-ryan 



Re: [c-nsp] Quick (?) ASA VPN w/AD question...

2012-01-30 Thread Ryan West
Jeff,

On Mon, Jan 30, 2012 at 16:41:00, Jeff Kell wrote:
 Subject: [c-nsp] Quick (?) ASA VPN w/AD question...
 
 Trying to break some new ground on ASA 8.4(2) VPN configuration (quite 
 a number of
 changes)
 
 Need to map AD group membership onto a group policy selection.
 
 (1) Previous examples are using the Cisco name IETF-Radius-Class to 
 map into the policy name, while 8.4(2) seems to want Group Policy 
 saying that replaces IETF-Radius-Class.
 
 (2) You can now specify a Group Base DN for the group membership 
 location, so I have a OU=Groups,DC=our,DC=domain,DC=specification.
 
 I don't seem to be getting hits on the group membership (memberOf) on 
 any
 of:
 
 a) plain old group name (FOOBAR),
 b) qualified item name (CN=FOOBAR),
 c) fully-qualified group name
 (CM=FOOBAR,OU=Groups,DC=our,DC=domain,DC=specification)
 
 Anyone crossed this bridge and kept notes they could share?

I have a fair amount of notes on 8.4.1 and below.  I didn't see anything in the 
release notes for 8.4.2 that hinted to a change in LDAP.  Unless I'm confusing 
it with another option, the group base dn is where the search for your users 
starts.  Unless you're using DAP, the matching is still in the traditional LDAP 
map.  I've found the easiest way to find the proper groups is to start with 
login@domain.local/com/whatever and password and query a username for 
authorization.  Here's an example:

aaa-server LDAP (inside) host 192.168.168.168
 ldap-base-dn OU=Foo,DC=test,DC=local
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn CN=ldapadmin,OU=Foo,DC=test,DC=local (ldapadmin@test.local 
also works)
 server-type auto-detect
 ldap-attribute-map memberOf
!
test-fw1# debug ldap 255
debug ldap  enabled at level 255
test-fw1# show run ldap
ldap attribute-map department
ldap attribute-map memberOf
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=cust1-test,OU=Foo,DC=test,DC=local cust1-test
  map-value memberOf CN=vpn_users,OU=Foo,DC=test,DC=local work
test-fw1# test aaa autho LDAP host 192.168.168.168 username rwest
INFO: Attempting Authorization test to IP address 192.168.168.168 (timeout: 
12 seconds)
.
.
.
[68587] memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = cust1-test
[68587] mapped to LDAP-Class: value = cust1-test
[68587] memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = work
[68587] mapped to LDAP-Class: value = work

A couple of caveats on the testing; your primary POSIX group does not show up 
in the LDAP query (usually Domain Users) and your first match is the winner 
(unless you are using DAP policies that allow combining).

-ryan

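The memberOf-to-group-policy matching described in the reply above, written out as an added Python model (illustration code, not anything from the ASA or from the thread): it pulls the memberOf values out of a constructed `debug ldap` excerpt shaped like the one quoted, applies the quoted map-values in directory order with first-match-wins, and falls through to a default policy. The `restricted` fallback name and the `member_of_as_returned` helper, which drops an account's primary group the way the directory does, are assumptions added to show the two caveats in the reply.

```python
"""Model of ASA 'ldap attribute-map memberOf' evaluation (added illustration,
not ASA code). The map mirrors the attribute map quoted in the thread; the
debug excerpt, default policy name and helper are constructed."""
import re

# map-value entries from the thread's 'ldap attribute-map memberOf', in the
# order they were configured: exact group DN -> resulting class / policy name.
MEMBER_OF_MAP = {
    "CN=cust1-test,OU=Foo,DC=test,DC=local": "cust1-test",
    "CN=vpn_users,OU=Foo,DC=test,DC=local": "work",
}

# Assumed fallback (on the ASA this is the tunnel-group's default-group-policy).
DEFAULT_POLICY = "restricted"

# Constructed 'debug ldap 255' excerpt shaped like the lines in the thread.
DEBUG_LDAP_OUTPUT = """\
[68587] memberOf: value = CN=cust1-test,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = cust1-test
[68587] mapped to LDAP-Class: value = cust1-test
[68587] memberOf: value = CN=vpn_users,OU=Foo,DC=test,DC=local
[68587] mapped to IETF-Radius-Class: value = work
[68587] mapped to LDAP-Class: value = work
"""

MEMBER_OF_LINE = re.compile(r"^\[\d+\] memberOf: value = (?P<dn>.+)$")


def member_of_from_debug(text: str) -> list[str]:
    """Extract memberOf DNs in the order the directory returned them."""
    return [m.group("dn").strip()
            for line in text.splitlines()
            if (m := MEMBER_OF_LINE.match(line))]


def select_group_policy(member_of: list[str],
                        value_map: dict[str, str] = MEMBER_OF_MAP,
                        default: str = DEFAULT_POLICY) -> str:
    """First memberOf value that has a map-value entry wins; a user in none
    of the mapped groups lands in the default policy."""
    for dn in member_of:
        if dn in value_map:
            return value_map[dn]
    return default


def policy_from_debug(text: str) -> str:
    """Convenience: decide the policy straight from a debug ldap capture."""
    return select_group_policy(member_of_from_debug(text))


def member_of_as_returned(groups: list[str], primary_group: str) -> list[str]:
    """Active Directory leaves the account's primary group out of memberOf,
    so a map-value keyed on the primary group never matches (constructed
    helper to exercise that caveat)."""
    return [g for g in groups if g != primary_group]


if __name__ == "__main__":
    print(policy_from_debug(DEBUG_LDAP_OUTPUT))
```

Because the first match decides, the order in which the directory lists the groups, not the order of the map-values, determines the policy for a multi-group user, and an account whose only mapped group is its primary group falls through to the default; keep that default policy restrictive so a mapping miss fails closed.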


Re: [c-nsp] VPN L2L connecting to SSL VPN user?

2011-12-06 Thread Ryan West
On Tue, Dec 06, 2011 at 12:12:39, Scott Voll wrote:
 Subject: [c-nsp] VPN L2L connecting to SSL VPN user?
 
 I have an ASA at the hub and IPSEC VPN tunnels back to it from home offices.
 I also use this ASA to head end all my road warrior anyconnect traffic.
 
 For some reason I can not place a call between the Home office and the 
 road warrior.  All ACL's look to be setup correctly.  is there a 
 command I might have missed to allow the IPSEC tunnels to communicate with 
 the SSL VPN users?
 

Same-security-traffic permit intra-interface?

-ryan



Re: [c-nsp] VPN L2L connecting to SSL VPN user?

2011-12-06 Thread Ryan West
On Tue, Dec 06, 2011 at 12:24:11, Scott Voll wrote:
 Subject: Re: [c-nsp] VPN L2L connecting to SSL VPN user?
 
 I think that was the one I was asking about; unfortunately I 
 already have it. Must be my config.  Thanks.
 
 Scott
 
 

Check out the Identity NAT configurable proxy ARP and route lookup section of 
Table 7 here.  It may be the cause of your issue:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

-ryan



Re: [c-nsp] Profiling with ASA?

2011-11-23 Thread Ryan West
On Mon, Nov 21, 2011 at 14:00:47, Scott Voll wrote:
 Subject: Re: [c-nsp] Profiling with ASA?
 
 Ryan--
 
 Thanks for the direction.  I have setup CSD and DAP's but I'm 
 wondering if there is some way to move from there to Group Policy?
 
 Where I'm going with all of this, is I have a Large telecommuting base 
 and some use corporate laptops (that we want to use Scan Safe / 
 Anyconnect
 3.0) and home PC's that we don't want to use Scan Safe on.
 
 Any ideas?
 
 TIA
 
 Scott
 

Hey Scott,

I was out of town for a bit; have you checked out the SBA deployment guides?  
They have one for ScanSafe that should meet your needs.  Basically, you're 
going to take the aggregate decision from CSD and DAP to make a mapping to a 
group-policy.  That group-policy will have the ScanSafe settings and module 
download.  If they don't map properly, you can dump them into a more 
restrictive group using the default-group-policy setting under the tunnel-group.

Here is the SBA:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/August2011/SBA_Ent_BN_SecureRemoteMobileAccessDeploymentGuide.pdf

Thanks,

-ryan



Re: [c-nsp] Can ASA support 2 WAN connections?

2011-11-23 Thread Ryan West
It can support failover. Look up ISP failover for an example.  You can 
statically route other networks out the backup interface, but if you're looking 
for PBR, it's not on the ASA. 

Sent from handheld 

On Nov 23, 2011, at 8:55 PM, Deric Kwok deric.kwok2...@gmail.com wrote:

 Hi
 
 Can ASA support 2 WAN connections
 
 and do load sharing?
 
 Thank you


Re: [c-nsp] Profiling with ASA?

2011-11-17 Thread Ryan West
Scott,

On Thu, Nov 17, 2011 at 12:06:55, Scott Voll wrote:
 Subject: [c-nsp] Profiling with ASA?
 
 Has anyone done any Profiling of Devices connecting to ASA for 
 anyconnect VPN service?
 
 I'm looking at how the ASA can Profile a user device, example.  user 
 Joe connects with Corporate Laptop, use profile Corp.  user Joe turns 
 around and connects via his home PC, use profile Home.
 
 I'm not sure where to look for the documentation, because I don't know 
 what Cisco would call it.  Any info or links would be Highly appreciated.
 

If you already have premium anyconnect licensing, you could leverage host scan 
with CSD to pull a file or registry key to determine if the laptop is a 
corporate entity or not.  If you need a more robust solution, Cisco is pushing 
ISE pretty hard these days and you could use an iPEP device after your ASA to 
enforce policy.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1033842

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html

-ryan



Re: [c-nsp] Cisco AnyConnect VPN Client

2011-11-03 Thread Ryan West
ASA 8.4 added support for IKEv2, which you'll need to run IPSec using the 
AnyConnect Secure Mobility Client.  IKEv1, ASA 8.3 and before, is not supported 
with the AnyConnect client.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao
Sent: Thursday, November 03, 2011 12:24 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco AnyConnect VPN Client

I haven't found how to configure IPSec with Cisco AnyConnect VPN Client.

Is it possible?


Re: [c-nsp] Cisco ASA - Configuring Accounting for Network Access

2011-10-31 Thread Ryan West
On Mon, Oct 31, 2011 at 13:38:21, Antonio Soares wrote:
 Subject: Re: [c-nsp] Cisco ASA - Configuring Accounting for Network Access
 
 Thanks Ryan. I was reading about that feature and I don't see how the 
 session information is sent:
 
 http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
 
 Do you have experience with this feature ?
 

I haven't implemented it yet, but it's supposed to take a syslog message like this:

Oct 31 2011 13:40:25: %ASA-5-304001: 192.168.x.x Accessed URL 
96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js

And translate it to:

Oct 31 2011 13:40:25: %ASA-5-304001: (rwest) Accessed URL 
96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js

Similar to what you see with your RA VPN users.  I'll be testing 8.4.2 again 
shortly and let you know what my results are.

-ryan


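The before/after pair above is the whole of what the identity firewall feature does to a 304001 message: it swaps the source address for the user the ASA has learned for it. The following is an added example (not from the thread, and not Cisco's code) that performs the same substitution offline over constructed sample lines, using a hypothetical IP-to-user table in place of the mapping the ASA gets from the AD agent. It also lists the source addresses that could not be attributed, which is the part a defender actually wants from this feature: web access from an address with no identity behind it usually means an unmanaged or non-domain host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines in the %ASA-5-304001 format from the thread:
# two in the raw source-IP form and one already carrying a username.
SAMPLE_LOGS: List[str] = [
    "Oct 31 2011 13:40:25: %ASA-5-304001: 192.168.10.7 Accessed URL "
    "96.17.203.95:http://www.static-cisco.com/web/fw/tools/mbox/mbox.js",
    "Oct 31 2011 13:40:26: %ASA-5-304001: 192.168.10.99 Accessed URL "
    "203.0.113.10:http://example.test/login",
    "Oct 31 2011 13:40:27: %ASA-5-304001: (jdoe) Accessed URL "
    "203.0.113.10:http://example.test/",
]

# Constructed IP-to-user table standing in for the identity firewall's
# user-to-IP mapping (learned from the AD agent); hypothetical values.
IP_TO_USER: Dict[str, str] = {"192.168.10.7": "rwest"}

# The subject is either "(username)" or a dotted-quad source address.
ASA_304001 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-5-304001: (?:\((?P<user>[^)]+)\)|(?P<ip>\d{1,3}(?:\.\d{1,3}){3})) "
    r"Accessed URL (?P<dst>[^:\s]+):(?P<url>\S+)$"
)


def parse_304001(line: str) -> Optional[dict]:
    """Split one 304001 message into its fields; None if it is another message."""
    m = ASA_304001.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "user": m["user"],   # None in the source-IP form
        "ip": m["ip"],       # None in the username form
        "dst": m["dst"],
        "url": m["url"],
    }


def enrich(line: str, mapping: Dict[str, str]) -> str:
    """Rewrite the source-IP form into the "(user)" form when the IP is known.

    Lines that are not 304001, already carry a user, or come from an IP with
    no identity are returned unchanged rather than guessed at.
    """
    rec = parse_304001(line)
    if rec is None or rec["ip"] is None:
        return line
    user = mapping.get(rec["ip"])
    if user is None:
        return line
    return f"{rec['ts']}: %ASA-5-304001: ({user}) Accessed URL {rec['dst']}:{rec['url']}"


def unmapped_sources(lines: List[str], mapping: Dict[str, str]) -> List[str]:
    """Source IPs that accessed URLs without any user identity behind them.

    Useful as a detection check: web access from an address the identity
    firewall cannot attribute is usually a non-domain or unmanaged host.
    """
    seen: List[str] = []
    for line in lines:
        rec = parse_304001(line)
        if rec and rec["ip"] and rec["ip"] not in mapping and rec["ip"] not in seen:
            seen.append(rec["ip"])
    return seen


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(enrich(raw, IP_TO_USER))
    print("unattributed:", unmapped_sources(SAMPLE_LOGS, IP_TO_USER))
```

On a real collector the mapping would be a live, expiring table rather than a dict, but the parse-then-substitute shape and the "leave unknown addresses alone" rule are the same.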


Re: [c-nsp] HP VM ESX fcoe issues with Nexus 5020

2011-10-25 Thread Ryan West
On Tue, Oct 25, 2011 at 08:45:25, Nyman, Eric wrote:
 Subject: [c-nsp] HP VM ESX fcoe issues with Nexus 5020
 
 All,
 
 I'm having an issue with my ESX servers that are connected to our 
 Nexus 5020's using FCOE to connect to our storage MDS9500's. 
 Basically, if for any reason connectivity (either FCOE or Ethernet) is 
 disrupted to the 5K's, the ESX servers will not recover and will 
 require a reboot to reconnect to the storage. Cisco TAC have been 
 looking into it for some time now but they have not been able to 
 provide any information. Cisco's recommendations were to try the 5K's in 
 either NPV or NPIV mode but we get the same result.
 In another scenario, we also had a Cisco UCS chassis that would not 
 connect to the storage unless a shut/no shut was initiated on the 
 switch port. That seems to be resolved with a driver update but only 
 on the 5K switch that is NOT NPV enabled.
 
 
 
 Anyone ever had any experiences with ESX servers connecting to storage 
 on the 5K's?
 

I had many issues in the beginning with FCoE coming online as an access port 
with Emulex cards.  Trunking resolved that issue.  As far as recovery goes, I 
was having problems with the 5010 rebooting on an earlier 5.0(2) code and 
corrupting portions of my voice lab.  That's been resolved with 5.0(3)N1(1b), 
which has been running a little over a month with no incident.  During the 
reload, the hosts were obviously disconnected from storage, but would reconnect 
when the fabric came back online.  These are the versions I've tested:

C210 M[12] - QLogic QLE8152 10 Gbps 2 port CNA
5010 w/ N5K-M1008 8x1/2/4G FC Module
Hitachi AMS2100 directly attached to N5k-M1008
CIMC/BIOS version from 1.3 to 1.4(1a) currently
ESXi 4.1 Initial release to 5.0

Haven't tested with NPV or NPIV though.

Thanks,

-ryan



Re: [c-nsp] Change hostname on ASA

2011-10-22 Thread Ryan West
If you're using a public cert for ssl VPN, it shouldn't affect anything.  I 
think I remember changing a hostname recently and having it not regenerate the 
general use RSA key as well. 

Sent from handheld 

On Oct 22, 2011, at 11:53 AM, Scott Voll svoll.v...@gmail.com wrote:

 Will changing the hostname on an ASA break anything?
 
 I'm using the ASA for SSL VPN termination, IPSEC L2L tunnels, and
 Firewalling.
 
 I understand that my cert will need to be updated, but will it break
 the stuff?
 
 TIA
 
 Scott


Re: [c-nsp] 2800 series IOS versions.

2011-10-04 Thread Ryan West
On Tue, Oct 04, 2011 at 19:00:37, Keith wrote:
 Subject: [c-nsp] 2800 series IOS versions.
 
 
 Have a 2811 and a 2801.
 
 The 2801 runs this:
 
 c2801-ipbase-mz.124-1c.bin
 
 The 2811 runs:
 
 c2800nm-ipbase-mz.123-8.T5.bin
 
 What does the nm part of the version mean on the 2811?
 

Network module.  And that's just the naming convention of the 2801 vs the rest 
of the 2800 line.

-ryan



Re: [c-nsp] ASA VPN groups... pointer/howto/cookbook?

2011-09-28 Thread Ryan West
On Wed, Sep 28, 2011 at 14:05:51, Jeff Kell wrote:
 Subject: [c-nsp] ASA VPN groups... pointer/howto/cookbook?
 
 I have been running standard VPN client profiles for VPN access for 
 quite a few years, on PIX and now on ASA.  I'm working on our next 
 generation prototype now, and the number of VPN groups are growing a 
 bit out of hand.
 
 Up to this point we have been distributing groups/roles by providing a 
 suitable .pcf connection profile with the VPN client to each user.  
 The .pcf contains the group name and preshared key (yes, admittedly 
 not that secure).
 
 The current scheme is working fine, just getting a bit out of hand 
 with the growing number of groups and necessity of distributing the .pcf 
 files.
 
 It would be nicer if the client simply connected to the VPN server, 
 authenticated (we are using TACACS+, but I also have a working Active 
 Directory profile for a more general-purpose group), and had the 
 appropriate group supplied by TACACS+ (or AD).
 
 It would be even nicer still if the client could connect either 
 split-tunnel (from home or a secure location) or full-tunnel (to 
 encrypt everything, if on a hotspot or WiFi for example).  Currently 
 this is done with two .pcf files (and two corresponding groups on the ASA).
 
 There are a dizzying number of possibilities and methods outlined in 
 the documentation, but I was hoping for a more direct approach to 
 accomplishing this goal.
 
 Pointers?  References?  Suggestions?  (I would RTFM if it weren't so 
 F'ing huge :)  )
 

I'm not sure what licensing model you currently have for AnyConnect, but with 
some premium licenses you could run CSD combined with DAP to apply policies for 
company owned vs. public computers.  DAP can also leverage LDAP attributes from 
AD to provide different levels of access based on AD group or department 
membership.   The main negative point with DAP is being locked into ASDM to 
make future changes.  

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1169923

-ryan




Re: [c-nsp] ASA 8.3/8.4 management issues...

2011-07-26 Thread Ryan West
Jeff,

On Tue, Jul 26, 2011 at 10:44:19, Jeff Kell wrote:
 Subject: [c-nsp] ASA 8.3/8.4 management issues...
 
 I have some remote sites running off of ASA 5505s, and an existing VPN 
 cluster running 8.4(2).
 
 For consistency's sake, I was trying to update the 5505s to 8.4(2) -- 
 had one on 7.2 and one on 8.1.
 

I've rolled everything back to 8.4.1 interim.  I have an open bug for 8.4(2) 
relating to remote access VPN tunnels traversing other tunnels (same-security 
intra-interface).  I would switch back to 8.4.1 and see if your problem 
follows.  If you're interested in the bugID, I'll let you know once one is 
generated.

-ryan



Re: [c-nsp] Graph cisco 4948 SVI

2011-07-08 Thread Ryan West
On Fri, Jul 08, 2011 at 11:33:34, Nick Ryce wrote:
 Subject: [c-nsp] Graph cisco 4948 SVI
 
 Hi,
 
 Does anyone know if the 4948 has the ability to be able to graph 
 traffic transiting the SVI of a vlan?  I know the 3550/3560's are unable to 
 do this?
 
 Nick

It's based on the 4500, so it should work fine.

-ryan



Re: [c-nsp] ASA VPN, enabling Windows L2TP?

2011-07-08 Thread Ryan West
Are you trying to authenticate protocol nt?  You could add LDAP authorization 
with an attribute map for group to local policy matching. If you want more 
details on that config, let me know.  Then again, maybe I missed the question. 

Sent from handheld 

On Jul 8, 2011, at 5:27 PM, Jeff Kell jeff-k...@utc.edu wrote:

 Yes, another PIX migration question ('tis the season...).
 
 Our legacy VPN has several groups / profiles for different access types.  I 
 have been
 able to move these to the ASA successfully (users have VPN client, and get a 
 matching
 profile .pcf for their respective access).
 
 The legacy used TACACS+ authentication, but I have some vanilla access 
 profiles setup
 now using AD authentication to reduce the overhead in setting up new users 
 with basic needs.
 
 To take this to the next level, I enabled L2TP with IPsec access on one of 
 them and
 gave it a shot from Win7, taking a best guess at the L2TP setup.
 
 However, there appears to be no way to convey a group to an L2TP connection.
 
 Is there a reasonably transparent way to accomplish this from the Windows 
 side?
 
 Jeff


Re: [c-nsp] MultiChassis LACP

2011-07-05 Thread Ryan West
Yes, it works on the 3750.

Sent from handheld 

On Jul 5, 2011, at 8:53 PM, Timothy Riendeau triend...@grid4.com wrote:

 Have you actually done it with the 3750? I cannot find anything on cco
 about 3750  mlacp.
 
 --Tim Riendeau 
 
 On 7/5/11 4:55 PM, Nick Hilliard n...@foobar.org wrote:
 
 On 05/07/2011 19:27, Timothy Riendeau wrote:
 Anyone know where to find a list of switches that support MLACP
 particularly
 metro ethernet switches?
 
 Catalyst 3750
 Catalyst 6500 with VSS supervisor
 Nexus 7000
 
 Nick
 
 


Re: [c-nsp] ASA 8.3 full-tunnel VPN paradox...

2011-06-29 Thread Ryan West
On Wed, Jun 29, 2011 at 16:30:13, Jeff Kell wrote:
 Subject: [c-nsp] ASA 8.3 full-tunnel VPN paradox...
 
 I'm working on replacing an old PIX VPN setup with a new ASA, and 
 having a bear of a time with a full tunnel setup.
 
 The PIX (old 6.x software) has setups for both split-tunnel and 
 full-tunnel profiles.
 It is *not* the outbound gateway for internet-destined traffic.
 
 Our internet traffic goes from the border to a pair of active/active 
 ASAs along with our perimeter protection, IPS, and other assorted 
 goodies, so that is the desired path for the full-tunnel traffic.  
 Since the active/active pair can't do VPN, another ASA is serving that 
 purpose (inside the other ASAs), also connected to our core.
 
 On the PIX, there is a default route on both the outside and inside
 interfaces thusly:
 
  utc-pix# sho route | i 0.0.0.0
  outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1 OTHER static
  inside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 10 OTHER static
 
 Anything connecting to the VPN (or otherwise hitting the outside 
 interface) follows the outside route.
 
 Any VPN-originated traffic on the full tunnel follows the inside route.
 
 The ASA is not behaving this way... it wants to always follow the 
 outside route for the VPN-originated full-tunnel traffic if I include 
 both routes (with unequal weights, as it doesn't allow them to be the same).
 
 If I define an explicit outside route to where I VPN from, and remove 
 the default outside route, it works perfectly.
 
 Is there something obvious I'm missing here to make it behave like the 
 PIX does?
 

Try the keyword 'tunneled' at the end of the route statement.

-ryan



Re: [c-nsp] Newb Question about site to site vpn....

2011-06-16 Thread Ryan West
On Thu, Jun 16, 2011 at 10:45:56, Scott Voll wrote:
 Subject: [c-nsp] Newb Question about site to site vpn
 
 I have setup a couple 881's to do a Dynamic site to site vpn tunnel 
 back to my ASA at the head end.
 
 All traffic ends up stopping even though the tunnel is still up.  If I 
 start some traffic from the 881 then the traffic starts working from 
 the head end (ASA side).
 
 What have I missed to get traffic on the ASA side to start passing traffic, 
 without starting it on the far side (881)?
 

On the ASA you can try 'logging class vpn monitor debugging' and run term mon.  
The receiver usually has better information, so the 881 should debug as well.  
Can you post some of those debugs?

Thanks,

-ryan



Re: [c-nsp] Vwic-1mft-g703 on cisco1841

2011-05-31 Thread Ryan West
On Tue, May 31, 2011 at 10:38:21, ccie wrote:
 Subject: [c-nsp] Vwic-1mft-g703 on cisco1841
 
 Are there any requirements for the vwic-1mft-g703 on the 1841?  The router sees 
 it in the show inventory, but once I go to the configuration I can't 
 configure anything like
 
 Isdn switch-type ?   ! not available
 
 Controller e1 0/0/0 ! also not available.
 Any hints on that??
 

Check on 'card type'

-ryan



Re: [c-nsp] VPN for Android

2011-05-31 Thread Ryan West
On Tue, May 31, 2011 at 06:47:46, Justin M. Streiner wrote:
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] VPN for Android
 
 On Tue, 31 May 2011, Soon Lee wrote:
 
  Has anyone succeeded in connecting a VPN for Android on an ASA or router?
 
  I tried it with ASA L2TP but I couldn't.
  Pls let me know. Thanks.
 
 I've heard of people doing things to get a working IPSEC session, like 
 rooting their phones and compiling vpnc themselves.
 

If you can stomach the new NAT, 8.4 has support for Android using L2TP/IPsec:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.pdf

-ryan



Re: [c-nsp] VPN for Android

2011-05-31 Thread Ryan West
On Tue, May 31, 2011 at 11:04:12, Mohlmaster, Jarod wrote:
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] VPN for Android
 
 ASA 8.2(5) and 8.4(1) add L2TP/IPsec support and SHA2 cert support for 
 the native Android VPN client.
 

Release notes also claim AnyConnect for Android version 2.4, but I haven't 
downloaded or tested that.

-ryan

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- 
 boun...@puck.nether.net] On Behalf Of Soon Lee
 Sent: Tuesday, May 31, 2011 10:51 AM
 To: Justin M. Streiner
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] VPN for Android
 
 Do I have to do rooting? Is there no option?
 On 2011. 5. 31. at 11:42 PM, Justin M. Streiner
 strei...@cluebyfour.org wrote:
  On Tue, 31 May 2011, Soon Lee wrote:
 


Re: [c-nsp] using RANCID in a CCIE lab

2011-05-29 Thread Ryan West
On Sun, May 29, 2011 at 13:10:57, Keegan Holley wrote:
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] using RANCID in a CCIE lab
 
 rancid is a good tool.  It's also based on expect and perl so it's easy 
 to modify the scripts to do other things.  I installed this in a few 
 other labs (non-certification); the biggest problem I ran into was everyone's 
 tendency to blow away the routes, interface IPs and account info that 
 allows RANCID to do its work.  Beyond that it's a great tool.  Be careful 
 where you run it.
 It's a pain to install on certain linux distros.
 

It can be modified pretty easily to allow backup and configuration pushes via a 
terminal server.  Look for user_chat to see the modifications to clogin that 
allow it.  RANCID is great IMO; with all the expect and credential information 
in place, it's easily adaptable to cron jobs and scripts.   I'm far from a 
programmer, but I was able to set up an automated block list for the ASA based 
off the Emerging Threats IP list using RANCID to push the changes.

-ryan

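The block-list push described above has two halves: something turns a downloaded IP list into ASA object-group lines, and RANCID's clogin pushes them. The first half is where a feed error can do real damage (an internal prefix or an absurdly wide block that black-holes your own users), so the following added example, which is not the poster's script and not part of RANCID, shows a generator with those checks. It parses a constructed sample feed (not the real Emerging Threats list), refuses private, loopback, link-local, multicast and over-wide entries, de-duplicates, renders the object-group, and computes the minimal add/remove commands against the members currently on the box so that each run pushes only a delta. The group name `ET-BLOCK` and the feed contents are assumptions.

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed stand-in for a downloaded block list (not the real Emerging
# Threats feed): comments, a CIDR block, a duplicate, and entries that must
# never be pushed to the firewall.
SAMPLE_FEED = """\
# constructed sample feed
198.51.100.23
203.0.113.0/24
192.0.2.77
10.0.0.5            # internal space: a feed error must not black-hole the LAN
not-an-address
203.0.113.0/24      # duplicate of an earlier line
"""

# Prefixes the generator refuses to block no matter what the feed says.
NEVER_BLOCK: List[IPv4Net] = [
    IPv4Net("0.0.0.0/8"), IPv4Net("10.0.0.0/8"), IPv4Net("127.0.0.0/8"),
    IPv4Net("169.254.0.0/16"), IPv4Net("172.16.0.0/12"),
    IPv4Net("192.168.0.0/16"), IPv4Net("224.0.0.0/3"),
]
MIN_PREFIXLEN = 8  # refuse absurdly wide entries such as 1.0.0.0/2 (assumed policy)


def parse_feed(text: str) -> Tuple[List[IPv4Net], List[str]]:
    """Return (accepted networks in feed order, rejected raw entries)."""
    accepted: List[IPv4Net] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if (net.version != 4 or net.prefixlen < MIN_PREFIXLEN
                or any(net.overlaps(p) for p in NEVER_BLOCK)):
            rejected.append(entry)
            continue
        if net not in accepted:                  # de-duplicate, keep order
            accepted.append(net)
    return accepted, rejected


def member_line(net: IPv4Net) -> str:
    """ASA object-group member syntax for one network."""
    if net.prefixlen == 32:
        return f"network-object host {net.network_address}"
    return f"network-object {net.network_address} {net.netmask}"


def render_object_group(nets: List[IPv4Net], name: str) -> List[str]:
    """Full object-group definition, suitable for an initial push."""
    return [f"object-group network {name}"] + [f" {member_line(n)}" for n in nets]


def plan_changes(current_members: List[str], desired: List[IPv4Net],
                 name: str) -> List[str]:
    """Commands that move the group from its current members to the desired set.

    current_members are the member lines as read back from the running config
    (without leading whitespace).  An empty result means nothing to push.
    """
    wanted = [member_line(n) for n in desired]
    removes = [m for m in current_members if m not in wanted]
    adds = [w for w in wanted if w not in current_members]
    if not removes and not adds:
        return []
    return ([f"object-group network {name}"]
            + [f" no {m}" for m in removes]
            + [f" {a}" for a in adds])


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    print("rejected:", bad)
    print("\n".join(render_object_group(nets, "ET-BLOCK")))
```

The object-group is referenced once from an access-list entry that denies it; with that in place only the group's members change from run to run, which keeps the pushed change small and reviewable. Emitting `rejected` into the job's log matters as much as the config: a feed that suddenly contains your own address space is worth a human looking at, not a silent skip.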


Re: [c-nsp] using RANCID in a CCIE lab

2011-05-29 Thread Ryan West
On Sun, May 29, 2011 at 14:28:34, Keegan Holley wrote:
 Subject: Re: [c-nsp] using RANCID in a CCIE lab
 
 what platform did you install it on?  RANCID was pretty easy to 
 install, but I could never get the cvs viewer they recommended 
 working.  I had to switch back to CVS web.
 
 
 
I've had no issues installing it on Debian boxes, but we've been using websvn.  
What was the recommended CVS viewer?  Viewvc?

-ryan



Re: [c-nsp] Remote LAN (IPsec) to Client (anyconnect) w/ ASA

2011-04-27 Thread Ryan West
On Wed, Apr 27, 2011 at 11:03:19, Scott Voll wrote:
 Subject: [c-nsp] Remote LAN (IPsec) to Client (anyconnect) w/ ASA
 
 I have an ASA 5510 that I use for both the head end for Anyconnect 
 clients and Hub and Spoke IPSec tunnels for Lan to Lan.
 
 beside the no Nat, ACL for interesting traffic, and 
 same-security-traffic permit intra-interface command is there 
 anything else that needs to be done, in order to have the Anyconnect client 
 access the remote IPSec LAN?
 

Without seeing what the interesting traffic ACLs are (private vs public 
addressing), that should cover it.  By default there isn't an outside NAT on a 
typical firewall deployment, so you shouldn't need to include the AnyConnect 
pool as part of your no nat.

-ryan



Re: [c-nsp] asa 8.4 + etherchannel + nexus7k

2011-04-05 Thread Ryan West
On Tue, Apr 05, 2011 at 14:27:18, Federico Cossu wrote:
 Subject: [c-nsp] asa 8.4 + etherchannel + nexus7k
 
 hi all,
 i can't find any useful information about connecting ASA 8.4 
 etherchannels to
 2 different nexus7K, where the 2 nexus devices are aggregating 
 channels with vPC.
 the idea is to trunk inside, outside and failover vlan to ASA and let 
 it manage routing between them.
 
8.4 supports LACP, so you should be fine to configure in this manner.  Might 
want to consider a direct cable for the failover though.

 no L3 dynamic routing between asa --- nexus, my concern is that the 
 nexus are also the L2/L3 boundary for the servers vlan, server have 
 their default gateway on the nexus (hsrp).
 
 configuration guide cites only vss, not vpc unfortunately.
 http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
 
 thank you all for any shared information or experience.
 bye

-ryan



Re: [c-nsp] Perl Script for Nexus Switch

2011-03-29 Thread Ryan West
Have you tried RANCID?

Sent from handheld 

On Mar 29, 2011, at 5:01 AM, Vineeth vineeth.mo...@sifycorp.com wrote:

 Hi ,
 
 Did anyone have a custom-made perl script to take the sh run of a Cisco 
 Nexus switch?
 I have tried with a perl script which runs for my Cisco IOS switch, but 
 it was not working for me.
 My scripting knowledge is very minimal.
 
 -- 
 Regards
 Vineeth
 
 
 
 
 


Re: [c-nsp] Power Consumption OID

2011-03-28 Thread Ryan West
The following MIB should work for the 7606, but since the 3750 is fixed, I'm 
not sure you'll be able to extract the information via SNMP.

snmpwalk 4510E 1.3.6.1.4.1.9.9.117.1.1.1
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerRedundancyMode.15 = INTEGER: redundant(2)
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerUnits.15 = STRING: centiAmpsAt12V
CISCO-ENTITY-FRU-CONTROL-MIB::cefcTotalAvailableCurrent.15 = INTEGER: 18333
CISCO-ENTITY-FRU-CONTROL-MIB::cefcTotalDrawnCurrent.15 = INTEGER: 10766
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerRedundancyOperMode.15 = INTEGER: redundant(2)

18333 * 0.01 * 12 = 2199.66
10766 * 0.01 * 12 = 1291.92

4510E#show power
Power                                              Fan      Inline
Supply  Model No          Type       Status        Sensor   Status
------  ----------------  ---------  ------------  -------  -------
PS1     PWR-C45-6000ACV   AC 6000W   good          good     good
PS1-1                     220V       good
PS1-2                     220V       good
PS2     PWR-C45-6000ACV   AC 6000W   good          good     good
PS2-1                     220V       good
PS2-2                     220V       good

Power supplies needed by system: 1
Power supplies currently available : 2

Power Summary                   Maximum
(in Watts)              Used   Available
----------------------  -----  ---------
System Power (12V)       1292       2200

-ryan

From: Mohammad Khalil [mailto:eng_m...@hotmail.com]
Sent: Monday, March 28, 2011 4:40 AM
To: Ryan West; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Power Consumption OID

Hi

yes that what i am looking for , but the OIDs does not exist for my devices 
such as 7606S and ME3750

 From: rw...@zyedge.com
 To: eng_m...@hotmail.com; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] Power Consumption OID
 Date: Sun, 27 Mar 2011 17:34:24 +

 Is this what you're looking for:

 ftp://ftp.cisco.com/pub/mibs/v2/POWER-ETHERNET-MIB.my

 3560:
 snmpwalk test1-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
 POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 370 Watts
 snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 189 Watts

 4510E
 snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
 POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 1550 Watts
 POWER-ETHERNET-MIB::pethMainPsePower.2 = Gauge32: 1550 Watts
 POWER-ETHERNET-MIB::pethMainPsePower.3 = Gauge32: 800 Watts
 POWER-ETHERNET-MIB::pethMainPsePower.4 = Gauge32: 800 Watts
 POWER-ETHERNET-MIB::pethMainPsePower.7 = Gauge32: 800 Watts
 POWER-ETHERNET-MIB::pethMainPsePower.8 = Gauge32: 800 Watts
 snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 6 Watts
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.2 = Gauge32: 11 Watts
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.3 = Gauge32: 0 Watts
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.4 = Gauge32: 0 Watts
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.7 = Gauge32: 30 Watts
 POWER-ETHERNET-MIB::pethMainPseConsumptionPower.8 = Gauge32: 3 Watts

 -ryan

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
 Sent: Sunday, March 27, 2011 10:45 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Power Consumption OID


 I am trying to find an OID for power consumption. Is there a way to extract 
 this information?

 Thanks

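The two MIBs in this thread report power in different units: POWER-ETHERNET-MIB gives watts directly, while CISCO-ENTITY-FRU-CONTROL-MIB reports current and tells you the unit in cefcPowerUnits, which is why the reply multiplies by 0.01 and by 12 for "centiAmpsAt12V". The following is an added example, not from the thread and not Cisco's tooling, that parses snmpwalk text of both kinds and does that conversion and the headroom arithmetic in one place. The chassis lines are the 4510E values posted above; the PoE lines are constructed in the format shown in the same thread; treating a missing cefcPowerUnits as plain watts is an assumption. Rounding the converted values to whole watts gives the 2200 W and 1292 W that `show power` reports.

```python
import re
from typing import Dict, List, Tuple

# Chassis lines are the 4510E walk quoted in the thread; the two PoE lines are
# constructed in the POWER-ETHERNET-MIB format from the same thread.
SAMPLE_WALK = """\
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerRedundancyMode.15 = INTEGER: redundant(2)
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerUnits.15 = STRING: centiAmpsAt12V
CISCO-ENTITY-FRU-CONTROL-MIB::cefcTotalAvailableCurrent.15 = INTEGER: 18333
CISCO-ENTITY-FRU-CONTROL-MIB::cefcTotalDrawnCurrent.15 = INTEGER: 10766
CISCO-ENTITY-FRU-CONTROL-MIB::cefcPowerRedundancyOperMode.15 = INTEGER: redundant(2)
POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 1550 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 6 Watts
"""

# "MIB::object.index = TYPE: value" as printed by net-snmp's snmpwalk
WALK_LINE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>\d+) = (?P<type>\w+): (?P<val>.+)$"
)


def parse_walk(text: str) -> List[Tuple[str, int, str]]:
    """snmpwalk text -> [(object name, index, raw value)], skipping other lines."""
    out: List[Tuple[str, int, str]] = []
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            out.append((m["obj"], int(m["idx"]), m["val"]))
    return out


def to_watts(raw: str, units: str) -> float:
    """Convert a cefcTotal*Current reading to watts according to cefcPowerUnits."""
    value = float(raw.split()[0])          # "10766" or "189 Watts" -> number
    if units == "centiAmpsAt12V":
        return round(value * 12 / 100, 2)  # centiamps -> amps, times 12 V
    if units.lower() in ("watts", "w"):    # assumption: already watts
        return round(value, 2)
    raise ValueError(f"unhandled cefcPowerUnits value: {units}")


def chassis_power(text: str) -> Dict[int, Dict[str, float]]:
    """Per-chassis-index available/drawn watts and headroom in percent."""
    by_idx: Dict[int, Dict[str, str]] = {}
    for obj, idx, val in parse_walk(text):
        by_idx.setdefault(idx, {})[obj] = val
    result: Dict[int, Dict[str, float]] = {}
    for idx, objs in by_idx.items():
        if "cefcTotalAvailableCurrent" not in objs or "cefcTotalDrawnCurrent" not in objs:
            continue                       # PoE-only index, or partial walk
        units = objs.get("cefcPowerUnits", "watts")   # assumed default
        avail = to_watts(objs["cefcTotalAvailableCurrent"], units)
        drawn = to_watts(objs["cefcTotalDrawnCurrent"], units)
        result[idx] = {
            "available_w": avail,
            "drawn_w": drawn,
            "headroom_pct": round((avail - drawn) / avail * 100, 1),
        }
    return result


def poe_power(text: str) -> Dict[int, Dict[str, int]]:
    """Per-PSE inline power budget vs. consumption from POWER-ETHERNET-MIB."""
    by_idx: Dict[int, Dict[str, int]] = {}
    for obj, idx, val in parse_walk(text):
        if obj == "pethMainPsePower":
            by_idx.setdefault(idx, {})["budget_w"] = int(val.split()[0])
        elif obj == "pethMainPseConsumptionPower":
            by_idx.setdefault(idx, {})["consumption_w"] = int(val.split()[0])
    return by_idx


if __name__ == "__main__":
    print(chassis_power(SAMPLE_WALK))
    print(poe_power(SAMPLE_WALK))
```

The unit lookup is the part worth keeping: cefcPowerUnits varies by platform, so a poller that hard-codes the 0.01 × 12 factor will silently report nonsense on a chassis that exposes watts directly.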


Re: [c-nsp] Power Consumption OID

2011-03-27 Thread Ryan West
Is this what you're looking for:

ftp://ftp.cisco.com/pub/mibs/v2/POWER-ETHERNET-MIB.my

3560:
snmpwalk test1-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 370 Watts
snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 189 Watts

4510E
snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.2
POWER-ETHERNET-MIB::pethMainPsePower.1 = Gauge32: 1550 Watts
POWER-ETHERNET-MIB::pethMainPsePower.2 = Gauge32: 1550 Watts
POWER-ETHERNET-MIB::pethMainPsePower.3 = Gauge32: 800 Watts
POWER-ETHERNET-MIB::pethMainPsePower.4 = Gauge32: 800 Watts
POWER-ETHERNET-MIB::pethMainPsePower.7 = Gauge32: 800 Watts
POWER-ETHERNET-MIB::pethMainPsePower.8 = Gauge32: 800 Watts
snmpwalk test2-sw1 .1.3.6.1.2.1.105.1.3.1.1.4
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.1 = Gauge32: 6 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.2 = Gauge32: 11 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.3 = Gauge32: 0 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.4 = Gauge32: 0 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.7 = Gauge32: 30 Watts
POWER-ETHERNET-MIB::pethMainPseConsumptionPower.8 = Gauge32: 3 Watts

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Sunday, March 27, 2011 10:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Power Consumption OID


I am trying to find an OID for power consumption. Is there a way to extract 
this information?

Thanks
  


Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel

2011-03-10 Thread Ryan West
Scott,


I have two devices a Pix running the 7.x code base in the field and a pair of 
ASA 5520 devices running 8.2.2.  
The 5520 pair is set up in an active passive arrangement.

Which version of 7.x are you running?  7.2.4 below interim 33 was very buggy 
with VPNs.  They stop for no reason, and removing the crypto map completely and 
re-applying it does not fix it.   Try the following if you don't plan to 
upgrade soon:

Enable logging class vpn monitor debugging, clear isakmp sa on both sides.  The 
receiver of the tunnel is going to have the most useful debugs and if you don't 
have access to the devices on either side, use packet-tracer to simulate 
interesting traffic.  Try initiating from both sides, if you still aren't 
getting anywhere, remove and add back the crypto map from the outside 
interface.   Debug cry isa 255 and debug cry ipsec 255 should also help.  
Beyond that, a reboot will clear up the 7.2.4 bug.

-ryan




Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel

2011-03-10 Thread Ryan West
NP.  While you're upgrading, check to see if you're affected and think about 
upgrading to  asa824-4-k8.bin/asa824-1-k8.bin.

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml

-ryan

-Original Message-
From: Scott Granados [mailto:sc...@granados-llc.net] 
Sent: Thursday, March 10, 2011 2:25 PM
To: Ryan West
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel

Hi, thanks as always for the great response.

This is more or less what I was running into.  I rebooted the Pix with no luck 
but when I restarted the ASA pair all began to function.

I have some ASA hardware on the way to replace the pixes, I just need to make 
this hold together for a few more weeks.

Thanks for the pointers!

On Mar 10, 2011, at 6:32 AM, Ryan West wrote:

 Scott,
 
 
 I have two devices a Pix running the 7.x code base in the field and a pair 
 of ASA 5520 devices running 8.2.2.  
 The 5520 pair is set up in an active passive arrangement.
 
 Which version of 7.x are you running?  7.2.4 below interim 33 was very buggy 
 with VPNs.  They stop for no reason, and removing the crypto map completely 
 and re-applying it does not fix it.   Try the following if you don't plan to 
 upgrade soon:
 
 Enable logging class vpn monitor debugging, clear isakmp sa on both sides.  
 The receiver of the tunnel is going to have the most useful debugs and if you 
 don't have access to the devices on either side, use packet-tracer to 
 simulate interesting traffic.  Try initiating from both sides, if you still 
 aren't getting anywhere, remove and add back the crypto map from the outside 
 interface.   Debug cry isa 255 and debug cry ipsec 255 should also help.  
 Beyond that, a reboot will clear up the 7.2.4 bug.
 
 -ryan
 




Re: [c-nsp] ASA 5505 doesn't like itself

2011-02-17 Thread Ryan West
Can you post the show runs for the NAT, ACL, access-groups, and interfaces?

Sent from handheld 

On Feb 17, 2011, at 6:54 PM, Michael Loether m...@azloether.com wrote:

 On Feb 17, 2011, at 4:04 PM, Michael Balasko wrote:
 Not sure what version of code you are on, but two things. Pre 8.3 code with 
 nat control enabled, you need Fixup protocol icmp and you probably need a 
 global statement to match the nat statement. Your nat looks more like a 
 static statement so I'm not sure if that is an 8.3 thing...
 
 Running 8.3.2, Probably part of the problem, I still am not used to the NAT 
 changes.
 
 Note icmp is NOT IP and thus is unaffected by ip any any
 
 
 Good point, not sure why I missed it.  I have added any any icmp to both the 
 ingress and egress ACLs and no change.  Also pings from the inside interface 
 will not cross the outside interface either.  Which leads me to think it's a 
 NAT issue, but I am all out of ideas.
 
 Mike
 
 


Re: [c-nsp] ASA

2011-02-14 Thread Ryan West
Deric,

Check out this link.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Deric Kwok
Sent: Monday, February 14, 2011 2:34 PM
To: Cisco Network Service Providers
Subject: [c-nsp] ASA

Hi

How can I do these easily?

1/ disable httpd access from inside/management ip?
2/ allow ssh from outside int
3/ only allow dedicated access to https from outside interface

Thank you so much

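The three management-access items asked about above, as an added example in ASA 8.2-style syntax (not from the linked guide or from anyone in this thread): HTTPS/ASDM removed from inside and management, SSH allowed from one admin host on the outside interface, and HTTPS limited to one dedicated outside subnet. The interface names, the 192.168.x.x inside networks and the 203.0.113.x management addresses are assumptions.

```cisco
! Added example; existing "http ... inside" entries to remove are assumed,
! check "show run http" first. 203.0.113.x addresses are constructed values.
!
! 1/ Disable HTTPS (ASDM) access from the inside and management interfaces
no http 192.168.1.0 255.255.255.0 inside
no http 192.168.100.0 255.255.255.0 management
!
! 2/ Allow SSH only from a single admin host on the outside interface
crypto key generate rsa modulus 2048
ssh version 2
ssh timeout 10
ssh 203.0.113.10 255.255.255.255 outside
!
! 3/ Allow HTTPS only from one dedicated management subnet on outside
http server enable
http 203.0.113.0 255.255.255.0 outside
!
! Authenticate both management paths (local database shown; a TACACS+ or
! RADIUS server group can replace LOCAL)
username admin password <set-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! Verify: "show run http" and "show run ssh" should list only the outside
! entries above; nothing on inside or management
```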


Re: [c-nsp] Nexus 5548P - 1 Gbps support

2011-02-08 Thread Ryan West
Vijay,

I just checked through a partner slide and came up with the same information 
about a future release.  The 5010 shipped with the first 8 capable and 5020 
enabled with the first 16.  All 48 are supposed to be gigabit capable (when the 
upgrade is available).  I would test it out.

-ryan


From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] on 
behalf of Ramcharan, Vijay A [vijay.ramcha...@verizonbusiness.com]
Sent: Tuesday, February 08, 2011 2:36 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 5548P - 1 Gbps support

This may be a dumb question but the best I could find was that 1 Gbps
software support will be added in a future release.

Can the Nexus 5548P switch make use of 1 Gbps copper and fiber modules
or is it all 10 Gbps at this time?

Thanks.

Vijay Ramcharan




Re: [c-nsp] VRF aware syslog and snmps on IOS and IOS-XR

2011-02-01 Thread Ryan West


On 2/2/11 7:15 AM, Jason Lixfeld wrote:
 Sorry for the noise.  Further testing suggests that I should also ask about 
 vrf aware tacacs+ authentication.
 

Hi Jason,

afair SNMP is VRF-aware, haven't heard of exception with traps, tacacs+ and 
syslog are not yet.

TACACS+ is VRF-aware, at least in the ISR line.

aaa group server tacacs+ ACS
 server x.x.x.x
 server x.x.x.x
 ip vrf forwarding cust1
!

-ryan



Re: [c-nsp] active/standy failover

2011-01-28 Thread Ryan West

On 28/01/2011 20:21, Deric Kwok wrote:

 4/ Where is port for cross over cable between active and standy?

you need two ports, one to signal failover, and the other to transmit the 
firewall state.

You can combine them onto a single cable as well.

-ryan





