Sunday, December 27, 2009

Free SSL Cert on Cisco ASA for WebVPN - Anyconnect

So I received a nice article on how to obtain and install an SSL/TLS certificate for free. The site describes how to acquire a Class 1 certificate at no cost. Basically, a Class 1 cert only validates that you control an email address on the domain; your traffic will be encrypted though.

The instructions below cover how to apply for the free certificate and install it on the Cisco ASA firewall, not how to build the AnyConnect configuration.

StartSSL uses an S/MIME personal certificate to let you log in after sign-up. You will create this certificate and one other (the server certificate) for free.

Start at the Authenticate or Sign-Up page.
Create an account for your domain.
Log into the account.
You'll see 3 options: Tool Box, Certificates Wizard, Validations Wizard.
Pick Validations Wizard and change the drop-down to Domain Name Validation.
Fill out the domain name and press Continue.
Pick an email address to receive the validation key, then follow the instructions.

Go to Certificates Wizard.
Pick Web Server SSL/TLS Certificate for Certificate Target.
Generate Private Key; I left the key size at 2048.
!! I know the ASA can generate a CSR, but StartCom only accepts SHA and the ASA generates using MD5.
A private key is generated. Save it as ssl.key; it is important to keep this private key, since the certificate is useless without it.
Continue through the following instructions.

Tool Box
Retrieve Certificate
 - pick the certificate just created
   (there should be 2 in there: the one the browser uses for the StartCom site and the one for the server, Class 1)
 - copy and paste the certificate

Go to Create PKCS#12 (PFX) File
 - copy and paste the private key into the Private Key box
 - copy and paste the certificate you just grabbed into the Enter Certificate box
 - provide a password
 - save the p12 file that is created; this will be imported through ASDM

In ASDM
 - Configuration
  - Device Management
   - Certificate Management
    - Identity Certificates
     - Add
     - Create Trustpoint Name (Startcom-SSL)
     - Enter the Decryption Passphrase used earlier
     - Import the p12 file
     - Add Certificate
  - Advanced
   - SSL Settings
    - Change the outside trustpoint to the one created earlier (Startcom-SSL)
 - Apply
 - Save
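The same PKCS#12 bundle can be built and checked locally with openssl, so the private key never has to be pasted into the web tool box. This is an added example, not part of the original post or of StartCom's tools; it assumes the key was saved as ssl.key and the retrieved certificate as ssl.crt, and the self-signed pair it can generate (vpn.example.com) is a constructed stand-in so the script runs offline.

```shell
#!/bin/sh
# Check the key/certificate pair, then bundle it into a PKCS#12 file for the ASA.
# Assumed inputs: ssl.key (saved from the wizard) and ssl.crt (retrieved cert).
# make_sample_material creates a CONSTRUCTED self-signed pair standing in for
# them, so the script can be exercised without a StartCom account.
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for ssl.key / ssl.crt: self-signed, SHA-256 signed.
make_sample_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=vpn.example.com" \
    -keyout "$WORK/ssl.key" -out "$WORK/ssl.crt" >/dev/null 2>&1
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed unless the certificate is MD5-signed: StartCom issues SHA-signed
# certificates, and an MD5 signature is the thing to catch before importing.
cert_is_sha_signed() {
  case "$(cert_sig_alg "$1")" in
    md5*|MD5*) return 1 ;;
    *)         return 0 ;;
  esac
}

# Succeed when the private key and the certificate carry the same public key;
# a mismatched pair is worthless to the ASA however cleanly it imports.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + certificate into a passphrase-protected PKCS#12; the passphrase
# is what the ASDM import dialog calls the Decryption Passphrase.
build_pkcs12() {  # key cert passphrase output
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  cert_is_sha_signed "$2"   || { echo "certificate is MD5-signed" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -name Startcom-SSL \
    -passout "pass:$3" -out "$4"
}

# Succeed when the bundle opens with the passphrase and holds a certificate.
verify_pkcs12() {  # p12 passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}
```

Import the resulting p12 in the ASDM dialog above with the same passphrase; if an old ASA release rejects a bundle written by OpenSSL 3, add -legacy to the export command so the older PKCS#12 encryption is used.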

Monday, December 07, 2009

IP Conflict Detection on Ubuntu

One thing that drives me crazy as a consultant is going to sites and acquiring a duplicate IP. Windows tells you there is a conflict. Ubuntu does not unless you install some additional software, IPwatchD.

IPwatchD runs in one of 2 modes: passive or active. Passive mode just logs; active mode uses gratuitous ARP and notifies you of the problem.

The notification works nicely in 9.10 (as shown in the screenshot).

Here are the steps I followed:

http://www.linuxconfig.org/IPwatchD_an_IP_conflict_detection_tool_for_Linux

I will add some additional info.

The article doesn't say what to do to get the script to run automatically. It's simple. In 9.10 there is a file you can update to run scripts as root after user login. They are nice enough to provide a sample:

/etc/gdm/PostLogin/Default.sample
# Note: this is a sample and will not be run as is.  Change the name of this
# file to /PostLogin/Default for this script to be run.  This
# script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that.  $HOME, $LOGIN and such will all be
# set appropriately and this script is run as root.


If you don't already use the file, copy the sample to its final destination and append the ipwatchd start line (quoted, so the shell passes it through unchanged):

sudo cp /etc/gdm/PostLogin/Default.sample /etc/gdm/PostLogin/Default
echo '/usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf' | sudo tee -a /etc/gdm/PostLogin/Default

Log out and back in, or reboot, to check the work.

Show the running status:

ps aux | grep ipwatchd

You'll see something like:

mikem@mikem-9751L:~$ ps aux | grep ipwatchd 
root     28581  0.0  0.1  12388  4744 ?        Ss   21:58   0:00 /usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf
mikem    30234  0.0  0.0   7340   892 pts/0    S+   22:15   0:00 grep ipwatchd

Friday, December 04, 2009

Access gmail from your Cisco IP Phone

Nice article on IP Phone Web Services for IP Phones.  Weather, Gmail, etc.

http://unifiedcommunicationsblog.globalknowledge.com/2009/12/02/ip-phone-web-services-part-1/

Another IP Phone service URL that I know is popular and floating around is from Berbee:
http://phone-xml.berbee.com/menu.xml

Thursday, December 03, 2009

Compare files easily with Ubuntu

Sometimes you need to compare old configs with new configs. Instead of comparing the files manually you can run a great program called Meld Diff Viewer.

Just load up both files and you'll see missing lines, changed lines, etc.

To install on Ubuntu (the package is named meld):

sudo apt-get install meld

You'll find the program under Applications - Programming.
http://meld.sourceforge.net/
Wednesday, December 02, 2009

Publishing

Adding an entry for Technorati.

code 65BHJAS792BE 

Also, if you have Google Wave you can reach me at michaelmunoz@googlewave.com

Tuesday, December 01, 2009

Cisco Console software for Linux

There is a nice tool that I use regularly to access consoles on routers, switches, etc.: minicom. This is a great tool for doing simple console work.

To get started on Ubuntu:

sudo apt-get install minicom
Here is a link on configuration and setup:
https://help.ubuntu.com/community/CiscoConsole

Basically, run minicom -s for the initial configuration and set:
E - Bps/Par/Bits          : 9600 8N1
F - Hardware Flow Control : No
G - Software Flow Control : No
Save the setup as dfl.
Ctrl-A F sends the break sequence for password recovery.
Ctrl-A Z opens the help menu, say you want to upload files through the console. I hope you never have to :)

Wednesday, November 25, 2009

Cisco VPN Client on Karmic Koala

This link worked for me to install the Cisco VPN client on Ubuntu 9.10 (64 bit, by the way).

http://ilapstech.blogspot.com/2009/09/cisco-vpn-client-on-karmic-koala.html

I also have a simple script I run when I need to connect to a client. The script lists all my profiles and I just type in the name to connect.

I have a folder where I place some scripts. This assumes you have the client installed in the recommended directories.

code:

cd ~
mkdir Tools
cd Tools
gedit vpnconnect

Contents of vpnconnect:

#!/bin/bash
# restart the VPN client service so a stale session does not block the new one
sudo /etc/init.d/vpnclient_init stop
sudo /etc/init.d/vpnclient_init start
# list the available profiles (.pcf files) and ask which one to use
ls /etc/opt/cisco-vpnclient/Profiles/
echo -n "Enter VPN Client: "
read -e VPN
# quote the name so a profile name with spaces is passed as one argument
sudo vpnclient connect "$VPN"

Save in gedit and close, then make the script executable:

chmod +x vpnconnect

Create a shortcut to the file if desired.
On the desktop - Right click and create launcher.
Choose Run application in Terminal.
Browse the vpnconnect file you just created.

Should be good to go.
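A hardened version of the vpnconnect helper, added here and not from the original post: it accepts either a profile name or its number from the list, and only passes a name that really exists as a .pcf file to sudo, so typos, paths and shell metacharacters never reach the privileged command. The Cisco paths are the ones the post uses; PROFILE_DIR can be overridden (the test points it at a constructed directory).

```shell
#!/bin/sh
# Hardened vpnconnect: list the profiles, accept a name or a list number, and
# only hand a name that exists as a .pcf file to sudo. Paths are those of the
# Cisco client as installed in the post; PROFILE_DIR may be overridden.
PROFILE_DIR="${PROFILE_DIR:-/etc/opt/cisco-vpnclient/Profiles}"

# Profile names (basename without .pcf), one per line, sorted.
list_profiles() {
  for f in "$PROFILE_DIR"/*.pcf; do
    [ -e "$f" ] || continue          # no profiles: the glob stays literal
    f=${f##*/}
    printf '%s\n' "${f%.pcf}"
  done | sort
}

# Accept only names made of safe characters that match an existing profile;
# this rejects empty input, path components and shell metacharacters.
validate_profile() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  [ -f "$PROFILE_DIR/$1.pcf" ]
}

# Resolve either a profile name or its 1-based number in list_profiles.
# (A profile whose name is all digits must be picked by number.)
resolve_profile() {
  case "$1" in
    ''|*[!0-9]*) validate_profile "$1" && printf '%s\n' "$1" ;;
    *) list_profiles | sed -n "${1}p" 2>/dev/null | grep . ;;
  esac
}

# Interactive entry point, equivalent to the original script.
connect_interactive() {
  list_profiles | nl -w2 -s') '
  printf 'Enter VPN client (name or number): '
  read -r choice
  profile=$(resolve_profile "$choice") || { echo "no such profile: $choice" >&2; return 1; }
  sudo /etc/init.d/vpnclient_init stop
  sudo /etc/init.d/vpnclient_init start
  sudo vpnclient connect "$profile"
}

# Run interactively only when attached to a terminal (not when sourced).
if [ -t 0 ]; then connect_interactive; fi
```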

--
If you run updates on Ubuntu, you'll notice a message about a kernel header not loading. You will need to reinstall the client; no big deal.

I suggest copying the install directory to the cisco-vpnclient directory so you have the files ready to go in case you accidentally delete the install folder (the target is root-owned, so the copy needs sudo too):

sudo mkdir /etc/opt/cisco-vpnclient/install
sudo cp -r vpnclient /etc/opt/cisco-vpnclient/install/
cd /etc/opt/cisco-vpnclient/install/vpnclient/
sudo ./vpn_install

Tuesday, November 24, 2009

Cisco Training - Cisco Learning Network

I'm not sure what level of Cisco access is required for the following training sessions, but give it a shot.

Cisco CRS-1 Carrier Routing System Essentials (CRS) v2 (Advanced Solutions Education (ASE) Training Sample)

Advanced Implementing and Troubleshooting MPLS VPNs (AMPLS) (Advanced Solutions Education (ASE) Training Sample)

Building Core Networks with OSPF, ISIS, BGP and MPLS (Advanced Solutions Education (ASE) Training Sample)

Basic IP Routing Concepts
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with Basic IP Routing Concepts.

Routing Information Protocol (RIP)
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with Routing Information Protocol.

Enhanced Interior Gateway Routing Protocol (EIGRP)
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with Enhanced Interior Gateway Routing Protocol.

Open Shortest Path First (OSPF)
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with Open Shortest Path First. Apr-24-2007 CCNP OSPF Lab

Moving traffic using Access Lists
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with Access Lists. Web-based Apr-24-2007 CCNA Access Lists Lab

BGP Introduction and Basics
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with BGP Introduction and Basics. Apr-24-2007 CCNP CCIP BGP Lab

BGP Path Selection
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with BGP Path Selection. Apr-24-2007 CCNP CCIP BGP Lab

Controlling the Flow of BGP Updates
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with Controlling the Flow of BGP Updates. Apr-24-2007 CCNP CCIP BGP Lab

BGP Multipath and Conditional Advertisement
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with BGP Multipath and Conditional Advertisement. Apr-24-2007 CCNP CCIP BGP Lab

BGP Load Sharing in Single and Multihomed Environments: Sample Configurations.
Provides information on Load sharing for:
  • Loopback Address as a BGP Neighbor
  • Dual-Homed to One Internet Service Provider (ISP) Through a Single Local Router
  • Dual-Homed to One ISP Through Multiple Local Routers
  • Multihomed to Two ISPs Through a Single Local Router
  • Multihomed to Two ISPs Through Multiple Local Routers CCNP CCIP BGP

BGP Challenge Labs
Master protocols that are the backbone of the Internet and enable traffic to move across business networks with BGP Challenge Labs. CCNP CCIP CCIE BGP Lab

Securing Cisco Routers (SECR) v1.0 Learn the top ten steps to improving Cisco router security. This course combines an updated version of the popular Cisco Router Security (CRS) course with the new Advanced Cisco Router Security (ACRS) course. Based on industry best practices and the newest in Cisco IOS security features, it contains tutorials, configuration examples, e-lab simulations, a built-in assessment to test your knowledge, and a course evaluation to provide feedback. CCSP Router Security

IP Routing - Introduction Learn the fundamentals of IP Routing. You will be able to define routing, explain the benefits of segmenting a LAN with routers, understand how a router selects routes, discuss the differences between static and dynamic routing, discuss the differences between distance-vector and link-state routing protocols, understand the difference between classful and classless routing, and briefly explain how routing protocols such as RIP, IGRP, EIGRP and OSPF work. CCNA Router

IP Routing Access Lists Learn how to configure access lists in an IP routing environment. You will also do hands-on Configuration Labs, and a Challenge Lab to test your troubleshooting knowledge. Feb-19-2003 CCNA Router IP Routing

Intermediate System-to-Intermediate System Routing Protocol (IS-IS) In this module, you will learn the basic concepts behind IS-IS. You will also do hands-on Configuration Labs and a Challenge Lab to test your troubleshooting knowledge. CCIP IS-IS ISIS Lab

Enhanced Interior Gateway Routing Protocol (EIGRP) Learn the basic concepts behind Enhanced Interior Gateway Routing Protocol (EIGRP). You will also do hands-on Configuration Labs to learn some fundamental concepts of EIGRP, and a Challenge Lab to test your troubleshooting knowledge. Oct-16-2002 CCNP CCIP

Fundamental Configuration and Verification of EIGRP Learn the fundamental configuration and verification of the Cisco proprietary routing protocol, Enhanced Interior Gateway Routing Protocol (EIGRP).

Open Shortest Path First (OSPF) Network Types Gain a basic understanding of Open Shortest Path First (OSPF) network types. You will understand: the differences between three default OSPF network types; when it is appropriate to use each network type; how to configure each network type; and how to resolve problems with OSPF over non-broadcast multi-access (NBMA) networks. CCNP OSPF

Adjacencies Gain a basic understanding of troubleshooting neighbor adjacencies in Open Shortest Path First (OSPF).

IOS-XR 3.6.0 Product Enhancements for CRS & GSR
IOS-XR 3.6.0 is the latest software enhancement release for the CRS and GSR platforms. Check out this podcast to learn more about this new release's major features, including multi-chassis scalability, ISSU, NSR, and more. Podcast (AOD) English 11:06:06 NPI

Techtips Podcasts and VoDs (was "Fall07") includes information on the following topics (AOD English 3 hours) NPI:
  • Configurable Queue Assignment/Mgmt Plane Traffic
  • Multicast Traffic Convergence over Flexlink
  • Small Frame Arrival Threshold
  • Control Plane Security
  • Auto-install with Saved Configuration
  • HTTP(S) over IPv6, SNMP/Syslog over IPv6
  • IPv6 Address Auto-configuration
  • FSPAN on PIXAR
  • Voice-aware 802.1x and Readiness Check
  • MAB Security Violations,
  • SSM Mapping
  • Enhanced Power over Ethernet at 20 Watts.

Cisco Training - Support Community

It looks like Cisco combined their NetPro and Support Wiki into one Community which I think is a great idea.  If you aren't using this as a resource, you should be.

https://supportforums.cisco.com/index.jspa

Here are some Field Trainer Lab Walk Thrus.

ASA Jumpstart Lab Walk-thru and Discussion
https://cisco.webex.com/tc0500l/trainingcenter/record/downloadViewAction.do?actionType=view&recordId=39426977&siteurl=cisco&setted=102

ASA Pix to ASA and Basic SSL VPN Lab Walk-thru and Discussion
https://cisco.webex.com/tc0500l/trainingcenter/record/downloadViewAction.do?actionType=view&recordId=39432317&siteurl=cisco&setted=102

ASA SSL VPN with DAP Lab Walk-thru and Discussion
https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=39686267&rKey=6951E336832960F8&act=pb

ASA Phone Proxy - Added 11-23-09
https://ciscosales.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=41020937&act=pb&rKey=9fc7381cb59498fc

NAC In-Band Lab Walk-thru and Discussion
https://ciscosales.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=27297852&act=pb&rKey=04EE6FC423829BE2

NAC Out-of-Band Lab Walk-thru and Discussion
https://ciscosales.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=27049167&act=pb&rKey=B91F0ED4432C63AA

NAC Out-of-Band with Centralized CAS Lab Walk-thru and Discussion
https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=39791952&rKey=13b3a5fc3e0c7ed0&act=pb

MARS Jumpstart Lab Walk-thru and Discussion
https://ciscosales.webex.com/tc0500l/trainingcenter/record/downloadViewAction.do?actionType=view&recordId=27298357&siteurl=ciscosales&setted=102

MARS 6.0 NPI Jumpstart Lab Walk-thru and Discussion
https://ciscosales.webex.com/tc0500l/trainingcenter/record/downloadViewAction.do?actionType=view&recordId=29402802&siteurl=ciscosales&setted=102

Routing & Switching - Skill Builder I
https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=40438737&rKey=4ac4acea316a439c&act=pb

Sunday, November 22, 2009

AnyConnect on 64 bit Ubuntu 9.10

Thanks to a post in the Ubuntu forum I was able to easily install AnyConnect using the following instructions.
Let me rephrase that. I was always able to install the client, but I constantly received a server certificate error. I tried to import the certificates, but no dice. These instructions fixed that problem.

Install, or verify installed, the following packages:
1) ia32-libs
2) lib32nss-mdns
3) libcurl3
4) libxml2

Create the directory /usr/local/firefox and create symlinks for the following files: /usr/lib32/libnss3.so, /usr/lib32/libplc4.so, /usr/lib32/libnspr4.so, /usr/lib32/libsmime3.so, and /usr/lib32/nss/libsoftokn3.so.

You may need to reboot or run ldconfig so the symlinked libraries can be found.

Code:

# 32-bit compatibility packages plus the libraries the client links against
sudo apt-get install ia32-libs lib32nss-mdns libcurl3 libxml2
# the client expects these 32-bit NSS/NSPR libraries under /usr/local/firefox,
# so point symlinks there at the copies shipped in /usr/lib32
cd /usr/local
sudo mkdir firefox
cd firefox
sudo ln -s /usr/lib32/libnss3.so
sudo ln -s /usr/lib32/libplc4.so
sudo ln -s /usr/lib32/libnspr4.so
sudo ln -s /usr/lib32/libsmime3.so
sudo ln -s /usr/lib32/nss/libsoftokn3.so
# refresh the dynamic linker cache so the symlinked libraries are found
sudo ldconfig

Go to the directory where you have the AnyConnect software, untar the AnyConnect client file and run:

Code:

sudo sh ./vpn_install.sh

The GUI client is automatically installed under Applications -> Internet.

Chromium-OS

Installed Chromium-OS with Virtual Box file. Seems to work ok. Here's the location for the file:
http://www.megaupload.com/?d=XIN4NSR0

Saturday, November 21, 2009

Cisco IP Phone HD Images

HD Background Images for the new Cisco IP Phones.

Cisco IP Phone HD Images | UC500.com

CPU and Memory Thresholding

Quick little article showing how to set up CPU and Memory Thresholding.

CPU and Memory Thresholding « Routing Bits

How-to configure Cisco Flexible NetFlow for NBAR exports

Great article showing usage and configuration for expanded NetFlow.  You'll need version 15 though.

How-to configure Cisco Flexible NetFlow for NBAR exports | NetworkWorld.com Community

CCA 2.2 is Live on Cisco.com

Cisco Configuration Assistant simplifies the task of configuring, deploying, and administering the Cisco Smart Business Communications System
-- a complete system of advanced voice, data, security, and wireless networking products designed specifically for small and medium-sized businesses. Cisco Configuration Assistant improves network security and performance and substantially reduces deployment and configuration time. This PC-based application features a simple graphical user interface and provides everything you need to quickly set up a small office network. Download Cisco Configuration Assistant at no charge by selecting the "LAN Network Management" option.

CCA 2.2 is Live on Cisco.com | UC500.com

Configuration Replace and Configuration Rollback

The Configuration Replace and Configuration Rollback feature provides the capability to replace the current running configuration with any saved Cisco IOS configuration file. This functionality can be used to revert to a previous configuration state, effectively rolling back any configuration changes that were made since that configuration file was saved.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtrollbk.html

Warm Upgrade for IOS software

The Warm Upgrade feature provides the capability for a Cisco IOS image to read and decompress another Cisco IOS image and then transfer control to this new image. This functionality reduces the downtime of a device during planned Cisco IOS software upgrades or downgrades. To perform a warm upgrade, use the reload warm file url command. The Warm Upgrade feature is complementary with the Warm Reload feature introduced in Cisco IOS Release 12.3(2)T.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtwarmup.html