Sunday, December 27, 2009

Free SSL Cert on Cisco ASA for WebVPN - Anyconnect

So I received a nice article on how to obtain and install an SSL/TLS certificate for free.  The site describes how to acquire a Class 1 certificate at no cost.  Basically, a Class 1 cert only validates a working email address on the domain; your traffic will still be encrypted, though.

The instructions below cover how to obtain and install the free certificate on the Cisco ASA firewall, not how to create the AnyConnect configuration.

StartSSL uses an S/MIME personal certificate to let you log in after sign-up.  You will create this certificate and one other for free.

Start at the Authenticate or Sign-Up page.
Create an account for your domain.
Log into the account.
You'll see 3 options: Tool Box, Certificates Wizard, Validations Wizard.
Pick Validations Wizard and change the drop-down to Domain Name Validation.
Fill out the domain name and press Continue.
Pick an email address to receive the validation key, then follow the instructions.

Go to Certificates Wizard.
Pick Web Server SSL/TLS Certificate for Certificate Target.
Generate Private Key; I left the key size at 2048.
!! I know the ASA can generate a CSR, but StartCom only accepts SHA-signed requests and the ASA signs its CSR with MD5.
A private key is generated.  Save it as ssl.key - it is important to keep this key.
Continue through the following instructions.

Tool Box
Retrieve Certificate
 - pick the certificate just created.
   (there should be 2 in there: the one your browser uses for the StartCom site and the one for the server - Class 1)
 - copy and paste the certificate.

Go to Create PKCS#12 (PFX) File
 - copy and paste the private key into the Private Key box
 - copy and paste the certificate you just grabbed into the Enter Certificate box
 - provide a password
 - save the .p12 file that is created; this will be imported through ASDM.

 - Configuration
  - Device Management
   - Certificate Management
    - Identity Certificates
    - Add
    - Create Trustpoint Name (Startcom-SSL)
    - Enter Decryption Passphrase used earlier
    - import p12 file.
    - Add Certificate.
  - Advanced
   - SSL Settings
   - Change outside trustpoint to one created earlier (Startcom-SSL)

Monday, December 07, 2009

IP Conflict Detection on Ubuntu

One thing that drives me crazy as a consultant is going to sites and acquiring a duplicate IP.  Windows tells you there is a conflict.  Ubuntu does not unless you install some additional software - IPwatchD.

IPwatchD can run in one of two modes: passive mode or active mode.  Passive mode just logs the conflicting packets; active mode also answers with gratuitous ARP and notifies you of the problem.

The notification works nicely in 9.10 (as shown).

Here are the steps I followed:

I will add some additional info.

The article doesn't say how to get the daemon to start automatically at login.  It's simple.  In 9.10 there is a GDM file you can update to run scripts as root after user login, and they are nice enough to provide a sample.

# Note: this is a sample and will not be run as is.  Change the name of this
# file to /PostLogin/Default for this script to be run.  This
# script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that.  $HOME, $LOGIN and such will all be
# set appropriately and this script is run as root.

If you don't already use the file, copy the sample to its final destination and append the IPwatchD start command:

sudo cp /etc/gdm/PostLogin/Default.sample /etc/gdm/PostLogin/Default
echo /usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf | sudo tee -a /etc/gdm/PostLogin/Default

Log out and back in, or reboot, to check the work.

Show running status:

ps aux | grep ipwatchd

You'll see something like:

mikem@mikem-9751L:~$ ps aux | grep ipwatchd 
root     28581  0.0  0.1  12388  4744 ?        Ss   21:58   0:00 /usr/local/sbin/ipwatchd -c /usr/local/etc/ipwatchd.conf
mikem    30234  0.0  0.0   7340   892 pts/0    S+   22:15   0:00 grep ipwatchd
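
To show what IPwatchD is actually watching for, here is an added example (my code, not IPwatchD's or the linked article's): it parses Ethernet/ARP frames, flags any sender that claims our IP with a MAC other than ours, and builds the gratuitous ARP reply that active mode would send.  The addresses, MACs and frames are constructed for the example, not captured.

```python
import struct

ETH_P_ARP = 0x0806                       # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Construct an Ethernet/IPv4 ARP frame (used for the sample input and the active-mode reply)."""
    dst = BROADCAST if oper == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)       # htype, ptype, hlen, plen, oper
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(frame[22:28]), ip_str(frame[28:32])

def find_conflicts(frames, our_ip, our_mac):
    """MACs of other hosts whose ARP sender fields claim our_ip.  Requests count as
    well as replies: the other host's own gratuitous ARP is often the first sign."""
    seen = set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[2] == our_ip and parsed[1] != our_mac.lower():
            seen.add(parsed[1])
    return sorted(seen)

def defend_frame(our_ip, our_mac):
    """Active mode: the gratuitous ARP reply that re-announces our MAC for our IP."""
    return build_arp(ARP_REPLY, our_mac, our_ip, BROADCAST, our_ip)

# Constructed sample traffic (not a capture): us, the gateway, an intruder, one non-ARP frame.
OUR_IP, OUR_MAC = "192.168.1.50", "00:11:22:33:44:55"
ZERO_MAC, GW_MAC, OTHER_MAC = "00:00:00:00:00:00", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, OUR_MAC, OUR_IP, ZERO_MAC, OUR_IP),             # our own gratuitous ARP
    build_arp(ARP_REPLY, GW_MAC, "192.168.1.1", OUR_MAC, OUR_IP),          # gateway answering us
    build_arp(ARP_REQUEST, OTHER_MAC, OUR_IP, ZERO_MAC, "192.168.1.1"),    # someone else using our IP
    mac_bytes(BROADCAST) + mac_bytes(OUR_MAC) + struct.pack("!H", 0x0800) + bytes(28),  # IPv4, ignored
]
CONFLICTS = find_conflicts(SAMPLE_FRAMES, OUR_IP, OUR_MAC)   # -> ["de:ad:be:ef:00:01"]
```

In a real deployment the frames come from a raw socket bound to the interface, which is how IPwatchD sees them, and in active mode the output of defend_frame would be written back out the same socket.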

Friday, December 04, 2009

Access gmail from your Cisco IP Phone

Nice article on web services for Cisco IP Phones: weather, Gmail, etc.

Another IP Phone service URL that I know is popular and floating around is from Berbee:

Thursday, December 03, 2009

Compare files easily with Ubuntu

Sometimes you need to compare old configs with new configs.  Instead of comparing the files manually, you can run a great program called Meld Diff Viewer.

Just load up both files and you'll see missing lines, changed lines, etc.

To install in Ubuntu:

sudo apt-get install meld

You'll find the program under Applications - Programming.

Wednesday, December 02, 2009


Tuesday, December 01, 2009

Cisco Console software for Linux

There is a nice tool that I use regularly to access consoles on routers, switches, etc.: minicom.  This is a great tool for doing simple console work.

To get started on Ubuntu:

sudo apt-get install minicom

Here is a link on configuration and setup.

Basically, run minicom -s for the initial configuration and set the serial port options:

E - Bps/Par/Bits          : 9600 8N1
F - Hardware Flow Control : No
G - Software Flow Control : No

Save the setup as dfl (the default profile).
Ctrl-a f sends a break, which is the sequence for password recovery.
Ctrl-a z opens the help menu, for example if you want to upload files through the console.  I hope you never have to :)