This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Wednesday, January 30, 2013
PRI And ShoreTel: I Get Dial Tone When I Dial All Digits I'm Supposed To Dial
This was really weird, because I had this working on the new PRI, and then the Telco did something on their side (which they never admit). After a full day of working properly, I started to get dial tone after dialing 7 digits out for a local call. Well, the Telco says they didn't do anything, and I KNOW I didn't do anything. So, who did it? I can tell you, the Telco did something. So, I had to fix it on my end. Here is what I did.
I had to login as Support.
Then I did this below. Follow the red squares. If you can't read it in the entry box, that is a ";2E" for an NI2 PRI.
Tuesday, January 29, 2013
Brocade Switch: the CPU utilization data collected may have wrapped around and result in high utilization
Sometimes I see a very high utilization on a Brocade switch when doing a "show cpu-utilization" command. It may report 99%, but any time I run that command again shortly after, it's always down to 1% (or so). Why does it do that? Well, I asked a Brocade engineer that I trust, and his reply was just what I thought (for the most part). He said that the first % rating was pretty much bogus. He says the average values should be right, but the best idea is to run the command 2 or 3 times to get something accurate. I'm ok with that, as long as I know the first reported percentage rate may be bogus if it's been a while since I ran the command. Here is an example below:
telnet@Switch#sh cpu-utilization
99 percent busy, from 7200216 sec ago <------------- Bogus % rating, run the command again
It's been more than 50 hours since last call, the CPU utilization data collected may have wrapped around and result in high utilization
1 sec avg: 1 percent busy <------------- Should be correct
5 sec avg: 1 percent busy <------------- Should be correct
60 sec avg: 1 percent busy <------------- Should be correct
300 sec avg: 1 percent busy <------------- Should be correct
telnet@Switch#sh cpu-utilization
1 percent busy, from 4 sec ago
1 sec avg: 1 percent busy
5 sec avg: 1 percent busy
60 sec avg: 1 percent busy
300 sec avg: 1 percent busy
telnet@Switch#sh cpu-utilization
1 percent busy, from 62 sec ago
1 sec avg: 1 percent busy
5 sec avg: 1 percent busy
60 sec avg: 1 percent busy
300 sec avg: 1 percent busy
Very interesting.
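As an added example (not from the original post), here is a small Python parser for the transcript above. It separates the instantaneous figure from the averages, treats the reading as stale when the wrap-around warning is present or the "from N sec ago" age exceeds 50 hours (the cut-off named in the switch's own warning text, assumed here as the threshold), and bases any monitoring alert on the longest average instead. The two sample transcripts are constructed from the output shown above, not captured from a device.

```python
import re

# Constructed sample transcripts, modelled on the output shown above
# (not captured from a real switch).
STALE_OUTPUT = """\
99 percent busy, from 7200216 sec ago
It's been more than 50 hours since last call, the CPU utilization data collected may have wrapped around and result in high utilization
1 sec avg: 1 percent busy
5 sec avg: 1 percent busy
60 sec avg: 1 percent busy
300 sec avg: 1 percent busy
"""

FRESH_OUTPUT = """\
1 percent busy, from 4 sec ago
1 sec avg: 1 percent busy
5 sec avg: 1 percent busy
60 sec avg: 1 percent busy
300 sec avg: 1 percent busy
"""

INSTANT_RE = re.compile(r"^(\d+) percent busy, from (\d+) sec ago")
AVERAGE_RE = re.compile(r"^(\d+) sec avg: (\d+) percent busy")
WRAP_MARKER = "may have wrapped around"
# The switch's own warning text names 50 hours; assumed here as the staleness cut-off.
STALE_AFTER_SEC = 50 * 3600


def parse_cpu_utilization(text):
    """Parse one 'show cpu-utilization' transcript into a dict."""
    parsed = {"instant": None, "age_sec": None, "wrapped": False, "avg": {}}
    for line in text.splitlines():
        line = line.strip()
        m = INSTANT_RE.match(line)
        if m:
            parsed["instant"], parsed["age_sec"] = int(m.group(1)), int(m.group(2))
            continue
        m = AVERAGE_RE.match(line)
        if m:
            parsed["avg"][int(m.group(1))] = int(m.group(2))  # window seconds -> percent
            continue
        if WRAP_MARKER in line:
            parsed["wrapped"] = True
    return parsed


def effective_cpu_busy(text):
    """Return (percent, verdict): 'ok' when the instantaneous figure can be trusted,
    'rerun' when it is stale or wrapped and the longest average is used instead."""
    parsed = parse_cpu_utilization(text)
    stale = parsed["wrapped"] or (parsed["age_sec"] is not None and parsed["age_sec"] > STALE_AFTER_SEC)
    if not stale:
        return parsed["instant"], "ok"
    if parsed["avg"]:
        longest_window = max(parsed["avg"])
        return parsed["avg"][longest_window], "rerun"
    return None, "rerun"


def cpu_alert(text, threshold=80):
    """Monitoring-style decision: alert only on a figure we trust at or above the threshold."""
    percent, _ = effective_cpu_busy(text)
    return percent is not None and percent >= threshold


if __name__ == "__main__":
    for label, out in (("stale", STALE_OUTPUT), ("fresh", FRESH_OUTPUT)):
        print(label, effective_cpu_busy(out), "alert" if cpu_alert(out) else "no alert")
```

Feeding the first transcript through `cpu_alert` produces no alert even though the first line says 99%, because the parser discards that figure and looks at the 300 second average; only the second, fresh-style transcript is judged on its instantaneous value.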
Monday, January 28, 2013
What You Can Do When You Cant See The Wall Jack Numbers
Well, I have two customers where, when I need to trace down a cable, it's a real bear because I cannot see the wall jack numbers to know where to go in the wiring closet. They have these huge desks in the way that I simply cannot move. The kind you build when you get them in the room, and once you get them built, they are in there. I have thought about getting an extendable mirror, but in a pinch, I had to come up with something, and quick. So, I came up with this little thing below. I punched down a phone cable into an RJ45 jack and clipped my toner to the ends of two of the copper wires inside the phone line. So, instead of moving the desk (which would be impossible), I just took the cat5 cable out of the IP phone (in this case; it could be a computer) and plugged it into my RJ45 jack. Now, I didn't have to move the desk. I just created an extension for my toner, which works really well by the way. See below, and hopefully this is helpful to all of you who don't like to move desks.
Saturday, January 26, 2013
Brocade Switch: Taking A Packet Capture With Mirror/Monitor Commands In CLI
Sometimes I have to troubleshoot a network where there are Brocade switches (which I personally like) and I'll need to do a packet capture on the network. It's very different in the CLI how you configure this compared to Cisco. You don't do the normal "monitor session" commands in Brocade like you do in Cisco. Here below is some sample config I put together and some side notes.
Where your laptop resides:
config t
mirror-port ethernet 1/1/17 <--------- This is the port you connect your packet capture to (your laptop).
If you are monitoring a VLAN:
int ve 1
monitor <--------- This is the vlan that you will be monitoring (capturing packets from)
If you are monitoring a certain port:
interface ethernet 1/1/23 <--------- The port you are going to monitor.
dual-mode 25
mon ethe 1/1/17 both <-------- This says capture packets on int 1/1/23 in both directions and send it 1/1/17.
inline power
trust dscp
Now you are ready to capture packets on the Brocade switch.
Wednesday, January 23, 2013
Cisco ASA: 8.3/8.4 Site To Site VPN To NAT 'Interesting Traffic' Configuration Sample
Ever need to configure a site-to-site VPN on an ASA with the new code on it (8.3 and later)? Also, did you need to NAT that interesting traffic across the VPN? I have, so much that I needed to create a template to refer to and modify as needed. Here is what I have; maybe this will help you out as well.
Phase I:
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
Phase II:
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
OBJECTS:
Remote side:
object network obj-5.5.5.128
subnet 5.5.5.128 255.255.255.128
Internal side (Traffic will be NAT'ed to this address range):
object network obj-192.168.1.88
subnet 192.168.1.88 255.255.255.248
Internal servers:
object network obj-192.168.1.24
host 192.168.1.24
object network obj-192.168.1.3
host 192.168.1.3
object network obj-192.168.1.5
host 192.168.1.5
object network obj-192.168.1.6
host 192.168.1.6
object network obj-192.168.1.42
host 192.168.1.42
object network obj-192.168.1.155
host 192.168.1.155
object network obj-192.168.1.40
host 192.168.1.40
Object-group network Internal-SvrGroup
Network-object object obj-192.168.1.24
Network-object object obj-192.168.1.3
Network-object object obj-192.168.1.5
Network-object object obj-192.168.1.6
Network-object object obj-192.168.1.42
Network-object object obj-192.168.1.155
Network-object object obj-192.168.1.40
Object-group network Remote-SvrGroup
Network-object object obj-5.5.5.128
INTERESTING TRAFFIC ACL
access-list Remote-acl permit ip object obj-192.168.1.88 object obj-5.5.5.128
NAT'ING THE VPN TRAFFIC
nat (inside,outside) source static Internal-SvrGroup obj-192.168.1.88 destination static Remote-SvrGroup Remote-SvrGroup
PHASE I TUNNEL CONFIG
tunnel-group 34.34.34.34 type ipsec-l2l
tunnel-group 34.34.34.34 ipsec-attributes
ikev1 pre-shared-key vpnkey
PHASE II TUNNEL CONFIG
crypto map Tulsa 40 match address Remote-acl
crypto map Tulsa 40 set peer 34.34.34.34
crypto map Tulsa 40 set ikev1 transform-set ESP-AES-256-SHA
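One thing worth checking in a template like this is that the crypto ACL, the NAT rule and the objects all agree: on 8.3 and later the interesting-traffic ACL has to name the translated (mapped) source range and the real destination, exactly as the template above does, and a static translation needs a mapped block with at least one address per real host. The Python checker below is an added example and not part of the original post. It parses a constructed copy of the template (trimmed to five server hosts), expands objects and object-groups, and reports any mismatch. The regexes only understand the command forms used in this template, and the "one mapped address per real host" rule is the checker's own assumption about what a sane static translation needs.

```python
import ipaddress
import re

# Constructed sample: the template above, trimmed to the lines this checker reads.
SAMPLE_CONFIG = """\
object network obj-5.5.5.128
 subnet 5.5.5.128 255.255.255.128
object network obj-192.168.1.88
 subnet 192.168.1.88 255.255.255.248
object network obj-192.168.1.24
 host 192.168.1.24
object network obj-192.168.1.3
 host 192.168.1.3
object network obj-192.168.1.5
 host 192.168.1.5
object network obj-192.168.1.6
 host 192.168.1.6
object network obj-192.168.1.42
 host 192.168.1.42
object-group network Internal-SvrGroup
 network-object object obj-192.168.1.24
 network-object object obj-192.168.1.3
 network-object object obj-192.168.1.5
 network-object object obj-192.168.1.6
 network-object object obj-192.168.1.42
object-group network Remote-SvrGroup
 network-object object obj-5.5.5.128
access-list Remote-acl permit ip object obj-192.168.1.88 object obj-5.5.5.128
nat (inside,outside) source static Internal-SvrGroup obj-192.168.1.88 destination static Remote-SvrGroup Remote-SvrGroup
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
GROUP_RE = re.compile(r"^object-group network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
MEMBER_RE = re.compile(r"^network-object object (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (?:object|object-group) (\S+) (?:object|object-group) (\S+)$")
# Slot order is the 8.3+ one: source REAL MAPPED, destination MAPPED REAL
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source (?:static|dynamic) (\S+) (\S+) destination static (\S+) (\S+)$")


def parse_asa(config):
    objects, groups, acls, nats = {}, {}, {}, []
    current = None  # ("object"|"group", name) for the indented sub-commands that follow
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJECT_RE.match(line):
            current = ("object", m.group(1))
            objects.setdefault(current[1], None)
        elif m := GROUP_RE.match(line):
            current = ("group", m.group(1))
            groups.setdefault(current[1], [])
        elif (m := SUBNET_RE.match(line)) and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := HOST_RE.match(line)) and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif (m := MEMBER_RE.match(line)) and current and current[0] == "group":
            groups[current[1]].append(m.group(1))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            nats.append({"src_real": m.group(1), "src_mapped": m.group(2),
                         "dst_mapped": m.group(3), "dst_real": m.group(4)})
    return objects, groups, acls, nats


def resolve(name, objects, groups):
    """Expand an object or object-group name into the set of networks it covers."""
    if objects.get(name) is not None:
        return {objects[name]}
    if name in groups:
        nets = set()
        for member in groups[name]:
            nets |= resolve(member, objects, groups)
        return nets
    raise KeyError(name)


def check_vpn_nat(config, acl_name):
    """Return findings; an empty list means the crypto ACL and the NAT rule agree."""
    objects, groups, acls, nats = parse_asa(config)
    if acl_name not in acls or not nats:
        return [f"missing crypto ACL {acl_name} or nat rule"]
    nat, findings = nats[0], []
    try:
        mapped_src = resolve(nat["src_mapped"], objects, groups)
        real_src = resolve(nat["src_real"], objects, groups)
        real_dst = resolve(nat["dst_real"], objects, groups)
        for acl_src, acl_dst in acls[acl_name]:
            # The crypto ACL describes traffic as it looks after NAT: mapped source, real destination.
            if resolve(acl_src, objects, groups) != mapped_src:
                findings.append(f"{acl_name}: source {acl_src} is not the NAT mapped source {nat['src_mapped']}")
            if resolve(acl_dst, objects, groups) != real_dst:
                findings.append(f"{acl_name}: destination {acl_dst} is not the NAT real destination {nat['dst_real']}")
        # Static 1:1 translation (assumed rule): the mapped block needs one address per real host.
        real_count = sum(n.num_addresses for n in real_src)
        mapped_count = sum(n.num_addresses for n in mapped_src)
        if real_count > mapped_count:
            findings.append(f"mapped block {nat['src_mapped']} has {mapped_count} addresses for {real_count} real hosts")
    except KeyError as missing:
        findings.append(f"undefined object or object-group: {missing.args[0]}")
    return findings
```

Run `check_vpn_nat(SAMPLE_CONFIG, "Remote-acl")` and an empty list comes back for the template as written; point the ACL at the real server group instead of obj-192.168.1.88, shrink the mapped subnet, or reference an object that was never defined, and the corresponding finding is returned.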
Tuesday, January 22, 2013
ShoreTel: Route-Point For Incoming Calls
I had a requirement from the customer to have all incoming calls come in to an AA during business hours, and after hours have all calls routed out to an answering service. So, I had to do some re-work on this, but what I ultimately did was to create a route-point in ShoreTel Director and during 'on hours', I had all calls forward to my AA. On the 'off-hours' tab, I selected an internal extension (116). That internal extension (116) I had set up to forward all calls to an external phone number (answering service). It cost me a license, but that was ok in this situation.
Monday, January 21, 2013
Wireless Assessment Kit
I do a lot of wireless assessments, and one of the things that is very helpful to me is to have a small wireless assessment kit handy. I don't usually have a lot of time, and I keep a pretty busy schedule. So it has helped me to keep two APs ready, one Cisco and one Brocade, so that all I have to do is grab the kit and go. No setup, since I've already done that. And whatever solution has been shown to the customer is what I'll plan on using. I take both just in case something happens to one of them when I'm onsite. That way I have a backup.
Sunday, January 20, 2013
Sunset In Alabama
I thought I'd put in a sunset in Alabama. Sometimes you have to slow down and enjoy the things God has given us.
T1 Crossover Cable: How To Make One
It seems like every time I do a ShoreTel install (or tie two phone systems together), I always have to make up a T1 crossover cable so that I can tie the ShoreGear equipment to the ISP device (usually a Cisco router with a T1 CSU/DSU module). And I always have to look up the pinout so I can make the cable correctly. So, I thought I'd put the pinout up here so that I can reference it later, and so that it might help those of you looking to make one. You can also dub this a loopback cable. I usually do this with just one RJ45 connector and route the wires from pins 4 and 5 to pins 1 and 2.
Here is a picture of a cable I created for a loopback.
Thursday, January 17, 2013
Palo Alto Partner Conference
Well, I just got back from a Palo Alto partner conference. I have to say that I'm impressed with what I saw in this firewall. In fact, so much so that it has changed my whole view on firewall protection. Times are changing, and firewall protection must change with the times to keep our customers safe. With that said, I have not yet touched one of these units. Although, that is about to change. I'm planning on putting this product through some good testing to see what it will do. In fact, I'm a little excited about it. With that said, I still like the Check Point product when it comes to its 'capabilities'. And I still think there is a time and place for Cisco.
Gartner's magic quadrant looks like this as of Dec 2011:
Check Point and Palo Alto are the enterprise firewall leaders. I guess I'm not surprised. After all, the IPS piece of these two far surpasses any of the others that I have seen. My personal experience says that I don't care for SonicWALL. You all already know I hate Fortinet. I've seen too many problems with WatchGuard. I don't know much about McAfee and the others. I do like Cisco, but it does lack in the IPS area for this day in time. Check Point is a good product. I'm real anxious to get my hands on the Palo Alto and start looking at it in more depth. I'll update in later posts as I have time to look at it. All in all, this was a good conference for me. I was real glad to see this product.
Wednesday, January 16, 2013
What Is Wrong With This Picture?
Ok, I was THREE hours away from home when I saw nothing but signs like this below! What is wrong with this place? I live in Alabama, NOT Korea.
Cisco Presence: Use The Recovery CD
Well, a couple of days ago, I had a customer call me and tell me their Cisco Presence server wouldn't come back up after a power outage. Well, I guess I wasn't surprised. It's the second time this has happened to this customer. Both times it was the Presence server. Well, it wouldn't boot up, so I got a keyboard and monitor and found the following message:
So, what to do? I had to download the recovery CD. Here are the steps I took:
1. Boot from Recovery CD.
2. Choose Option F
3. Say YES if the system requests to correct the files
4. Choose option Q
5. Reboot the server. It didn't fix it, same error.
6. Boot from CD again and choose option M
7. Say YES if the system requests to correct the files
8. Finally choose option Q
9. Reboot the server. This time, it booted up without issue.
I admit, I was a little worried that I would have to rebuild this server. Thankfully, the recovery CD worked out.
Tuesday, January 15, 2013
ShoreTel: How To Configure/Add A BB (Button Box) (Part 2)
You can refer to my original post on how to configure the BB in the ShoreTel system here. It's a good step-by-step on how to do it, but this is a follow-up post. So, if you read this post, be sure to read the first one. It has more information in it.
Ok, I just didn't like the last post I did about the ShoreTel BB. I wasn't satisfied with running two cat5 cables, one for the BB and one for the IP phone. I called ShoreTel and asked them how to configure the data switch to let both the IP phone and the BB register to the system, but the tech I got couldn't tell me how to do it. He just referred me to the admin guide. That is frustrating. Anyway, I plugged the one network cable into the BB and tied the IP phone to the other port in the BB, and the phone registered but the BB didn't. It turns out that on the BB, I had to enable 'tagging'. I do have everything configured statically here (small facility). So, although I do NOT have 'tagging' enabled on the IP phone, I do have to have it configured as 'on' on the BB. So now, it's just one network cable to the data switch instead of two. I'm much happier with this now.
*** Added 1-13-2013 ***
I thought I would add what the power ratings look like when a BB and an IP230 are attached to the switch port (Brocade in this case). See below:
Monday, January 14, 2013
Brocade PoE: "Power disabled on port X/X/X because of PD overload"
I got a call from a customer today about the new Brocade ICX 6430 switch I put in not long ago. He was telling me that they were having power issues on those phones, and that the phones would boot up, lose power, then boot back up again only to reboot continuously. Well, that's not good. So, I consoled into the switch and found this issue right off: "PoE: Power disabled on port 1/1/6 because of PD overload". Well, I then did a 'show inline power' only to find that I did not have enough power on the ports where the Cisco 7945 phones were connected. Well, I have to say that was my fault. I ran the power down to category 2 (7000mW) instead of the default category 3 (15000mW). I have a habit of doing this when I think we don't need that kind of power on the ports, to save power availability. However, in this case, this bit me. Anyway, I just ran the power back up on those ports where the IP phones were connected and all was good again.
Friday, January 11, 2013
Taking Down A Cisco UC500 Due To A Facility Move
I had a customer yesterday ask me to come and take down their Cisco UC500/CE520. They had moved their home office to Dallas, and they asked me to come and bring down the current phone system so that they could put in a temporary solution until they closed. They really wanted to bring down the PRI so that they could save money on the remaining time they had left at this facility. They ended up with 3 analog lines and 3 analog phones.
Here is what I took out:
And as always with bringing out equipment, sometimes the short cables can really be a burden on you. But, short cables are good. We like short cables.
Thursday, January 10, 2013
ShoreTel: How To Configure/Add A BB (Button Box) In ShoreTel 13 (Part 1)
I'm in the middle of installing a ShoreTel system, version 13, and I am close to the end of this install. I had to install some button boxes and I thought I'd write about this process. I took some screenshots and thought I'd put up the process with items circled on what to do. Follow along with these visuals. Below, the BB has to be on the network and registered with ShoreTel Director for you to see it in the IP Phones window.
Below is what the phone looks like when I have someone on hold. The first button is the call parked on 300. The second blinking button is the unpark call button, which is blinking.
Below, I have this BB connected directly to a Cisco switch. Notice the config of port fa0/22. The BB is on the voice vlan (vlan 2) but is configured as a 'switchport access vlan 2', and not a 'switchport voice vlan 2'.
*** ADDED 1/15/2013 *** I didn't like that I ran two cables to get this to work right. So, I added a 'Part 2' to this post. Go here to read more on it.
Wednesday, January 9, 2013
fortigate 60C: What A Pain
OK, first and foremost, I cannot stand this product. I am NOT a fortinet fan. I had to work on one today and this product is terrible. Yeah, it might get you internet access. Yeah, there may be some cool things about it. But I can tell you I will never have one of these on my network. It's just not an "enterprise" level solution. It's more like a soho solution or a paper weight. Really, more like a paper weight.
I went onsite to do some IP Telephony work today at a customer, and one of the things I needed to do was to configure their 60C (I can't even say that brand name, Ugh) to do DHCP. It took me 10 minutes just to log into the box. I got a frame of the screen of selections, with no links to "system", "router", "utm", etc. until a significant amount of time passed. Terrible.
So my goal was to change parameters in an existing DHCP scope. It took 6 minutes and 25 seconds just to make a change in the already existing DHCP scope. Terrible.
Even when I had this DHCP scope enabled and I plugged my laptop in directly to the 60C, it still wouldn't hand out DHCP over the Microsoft DHCP server. And it should have, since the 60C was the first device that should have seen my DHCP request from my laptop (since I was connected directly to it).
Now, with that said, I have been on fortinet firewalls before that did not present THIS problem. There is no doubt that there was just something wrong with this unit, and I understand that. Although, it seems like every time I have touched one of these fortinets, something just wouldn't act right on them. My last experience was a VPN. Simple enough to configure, but for some reason it just wouldn't work (and this was with another fortinet on the other end). When I replaced it with Cisco, everything worked fine.
I understand that everyone's experience is different. But I've been working with firewalls for a long time. This isn't rocket science. To me, fortinet is at the bottom of the list. Right down there with Linksys.
********ADDITION********
Ok, while I respect other people's opinions on technologies, I'm going to post here a 'respected' opinion by most. Not my opinion, or any other regular Joe out there like me. This is Gartner themselves.
Tuesday, January 8, 2013
Cisco ASA: 8.3/8.4 NAT Explanation For Hairpinning For Remote-Access Clients To The Internet
Ok, here is what I'm trying to do. My remote-access client IP range is 10.10.10.0 and the website I'm trying to get to from the client, through my ASA and out to the Internet, is on the 5.5.5.0 network (just for example). The diagram below shows different IPs, but you get the idea of what I'm trying to do:
So, I have to admit, I'm not just excited about the new NAT translation syntax. It's taken me some time to understand it. Here is the NAT command that I need to accomplish what I'm trying to do above:
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
I also needed this command, for hairpinning to take place (some people call this u-turning):
same-security-traffic permit intra-interface
Anyway, when I look at the command above, what does it mean exactly? Well, generically speaking, it allows 10.10.10.0 (remote-access VPN traffic) to be NAT'ed to the public address (the interface keyword) of the ASA when it's destined for the remote network (on the Internet) of 5.5.5.0. Well, let's dive deeper into this explanation. This is called "twice NAT'ing".
nat (outside,outside)
Notice the nat (outside,outside) piece of the command. That means traffic coming IN on the outside interface and going OUT the outside interface. Remember, you can't do that on an ASA unless you use that second command above.
source
Source means the source address of the packet. In this case above, there are two entries: obj-10.10.10.0 and interface.
The first entry (obj-10.10.10.0) is the original address. In this case, the remote-access client IP that the DHCP pool gave out. It's the "LAN-LOCAL" address. If you do a "?" at that point in the command, you get this: Specify object or object-group name for real source
The second entry (interface) is the NAT'ed address. It's what the destination sees you coming from. In this case, it's the ASA public IP address. Let's just say it is 65.65.65.65. If you do a "?" at that point in the command, you get this: Specify object or object-group name for mapped source. So, 10.10.10.0 remote-access clients get NAT'ed to 65.65.65.65 (only when the destination is 5.5.5.0).
destination
Ok, this is stating that you are about to see the destination addresses in the command.
obj-5.5.5.0 obj-5.5.5.0
Ok, notice that you have two entries here. Both, in this case, are the same. We want our destination address in this NAT statement to be 5.5.5.0. Meaning, we want our remote-access clients to be able to come across the VPN tunnel, traverse through the ASA, and then go out to the Internet to a destination of 5.5.5.0. Now, why two entries? Ok, stay with me here. It gets a little messed up in the syntax if you ask me.
The first "obj-5.5.5.0" is the NAT'ed address. Ok, so that sounds to me like you can change the destination address, or forward it somewhere else if you wanted to. I mean, I'm thinking if someone wanted to go to www.google.com, you could, as the admin of the firewall, forward them to www.ipchicken.com instead. That is what I get from it, although I have never done anything besides the same destination for both. It might be funny to mess with some people though, to redirect them to something else. [: p I'll have to test that later; this is only a thought on that. If you do a "?" after the keyword "destination static", you get this: Specify object or object-group name for mapped destination. Ahhh. That seems odd and backwards to me. Yes, that is the NAT'ed address of the destination. I really don't get what Cisco was thinking when they came up with this order. I miss the pre-8.3 static commands.
Now, for the second "obj-5.5.5.0", that is the real IP of the destination the remote-access client was trying to get to. If you do a "?" at that point in the command, you get this: Specify object or object-group name for real destination. That is messed up, but that is the way it is.
So, here is what the syntax really looks like:
nat (outside,outside) source dynamic LAN-LOCAL LAN-NAT'ed destination static REMOTE-NAT'ed REMOTE-LOCAL
Now, let's look at two more entries that I didn't mention yet: the keywords "dynamic" and "static".
I'm using dynamic in the first part to say that if I wanted to use a pool of addresses to NAT to, I could do that for the 10.10.10.0 remote-access clients. For example, if I have 65.65.65.65 through 65.65.65.68, I could let dynamic NAT use any of these addresses as it chooses.
If I used the keyword static, that would mean I'm doing a 1-to-1 NAT translation. In this case, the destination is "not NAT'ing", but I have to use a keyword there anyway, and static is appropriate in this case.
I'm going to put these two side by side, just for comparison.
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
nat (outside,outside) source dynamic LAN-LOCAL LAN-NAT'ed destination static REMOTE-NAT'ed REMOTE-LOCAL
I hope this was helpful. It's a new command in ASA 8.3 and above that is a little difficult to grasp.
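To make the slot order concrete, here is an added example (Python, not from the original post) that models how one twice-NAT line is applied to a packet, using the constructed addresses from this post: real source 10.10.10.0/24, mapped source "interface" taken as 65.65.65.65, and an identical mapped/real destination of 5.5.5.0/24. It also includes a hypothetical second rule whose two destination objects differ, purely to show what the mapped-then-real destination order does in the model; that rule is an assumption for illustration, not a configuration from the post. Port translation for dynamic PAT is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TwiceNatRule:
    """One 8.3+ twice-NAT line, fields in the order the syntax above lists them:
    nat (ingress,egress) source MODE SRC_REAL SRC_MAPPED destination static DST_MAPPED DST_REAL"""
    ingress: str
    egress: str
    source_mode: str                      # "static" (1:1) or "dynamic" (pool / interface PAT)
    source_real: ipaddress.IPv4Network
    source_mapped: ipaddress.IPv4Network  # the 'interface' keyword modelled as the outside IP as a /32
    dest_mapped: ipaddress.IPv4Network
    dest_real: ipaddress.IPv4Network


def _shift(addr, from_net, to_net):
    """Keep the host offset when moving an address between two equally sized blocks (1:1 NAT)."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def translate(rule, ingress_if, egress_if, src, dst, intra_interface_permitted):
    """Apply one rule to a packet. Returns (translated_src, translated_dst) on a match,
    otherwise a string saying why the packet was dropped or why the rule did not apply."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress_if == egress_if and not intra_interface_permitted:
        return "dropped: needs 'same-security-traffic permit intra-interface'"
    if (ingress_if, egress_if) != (rule.ingress, rule.egress):
        return "no match: interface pair"
    if src not in rule.source_real:
        return "no match: source outside the real source object"
    if dst not in rule.dest_mapped:
        return "no match: destination outside the mapped destination object"
    # Destination slots are MAPPED then REAL: the packet arrives addressed to the mapped
    # destination and leaves addressed to the real one (identity when both objects are the same).
    new_dst = _shift(dst, rule.dest_mapped, rule.dest_real)
    if rule.source_mode == "static":
        new_src = _shift(src, rule.source_real, rule.source_mapped)
    else:
        # Dynamic: the ASA picks an address from the mapped pool; with 'interface' there is only
        # one, so every client appears as the outside IP (port translation not modelled here).
        new_src = rule.source_mapped.network_address
    return new_src, new_dst


# Constructed values from the post: clients 10.10.10.0/24, outside IP 65.65.65.65,
# Internet destination 5.5.5.0/24 (illustrative addresses only).
HAIRPIN_RULE = TwiceNatRule(
    "outside", "outside", "dynamic",
    ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("65.65.65.65/32"),
    ipaddress.ip_network("5.5.5.0/24"), ipaddress.ip_network("5.5.5.0/24"),
)

# Hypothetical variant with two different destination objects, only to show what the two
# destination slots do in this model when they are not the same object (an assumption).
REDIRECT_RULE = TwiceNatRule(
    "outside", "outside", "dynamic",
    ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("65.65.65.65/32"),
    ipaddress.ip_network("5.5.5.0/24"), ipaddress.ip_network("6.6.6.0/24"),
)


def hairpin(src, dst, intra_interface_permitted=True, rule=HAIRPIN_RULE):
    """A remote-access client packet arriving on 'outside' and leaving via 'outside'."""
    result = translate(rule, "outside", "outside", src, dst, intra_interface_permitted)
    return result if isinstance(result, str) else (str(result[0]), str(result[1]))


if __name__ == "__main__":
    print(hairpin("10.10.10.7", "5.5.5.9"))
    print(hairpin("10.10.10.7", "5.5.5.9", intra_interface_permitted=False))
    print(hairpin("10.10.10.7", "8.8.8.8"))
```

With the post's rule, a client packet from 10.10.10.7 to 5.5.5.9 leaves as 65.65.65.65 to 5.5.5.9; without the intra-interface permit it is dropped before any translation is considered, and a packet to a destination outside 5.5.5.0/24 simply does not match this rule, which is what "only when the destination is 5.5.5.0" means above.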
So, I have to admit, Im not just excited about the new NAT translation syntax. Its taken me some time to understand it. Here is the NAT command that I need to accomplish what Im trying to do above:
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
I also needed this command, for hairpinning to take place (some people call this u-turning):
same-security-traffic permit intra-interface
Anyway, when I look at the command above, what does it mean exactly. Well, generically speaking, it allows 10.10.10.0 (remote-access vpn traffic) to be NAT'ed to the public address (interface keyword) of the ASA, when its destined for the remote network (on the Internet) of 5.5.5.0. Well, lets dive deeper into this explanation. This is called "twice NAT'ing".
nat (outside,outside)
Notice the nat (outside,outside) piece of the command. That means that traffic coming IN from the outside interface and traffic going OUT the outside interface. Remember, you cant do that in an ASA, unless you use that second command above.
source
Source means the source address of the packet. In the command above it is followed by the keyword dynamic and two entries: obj-10.10.10.0 and interface.
The first entry (obj-10.10.10.0) is the real (original) address. In this case, that is the remote-access client IP that the VPN address pool handed out. It is the "LAN-LOCAL" address. If you do a "?" after the dynamic keyword, you get this: Specify object or object-group name for real source
The second entry (interface) is the mapped (NAT'ed) address. It is what the destination sees you coming from. In this case, it is the ASA public IP address; let's just say it is 65.65.65.65. The interface keyword means dynamic PAT to the address of the mapped (second) interface in the parentheses. If you do a "?" after the real source object, you get this: Specify object or object-group name for mapped source. So, the 10.10.10.0 remote-access clients get NAT'ed to 65.65.65.65, but only when the destination is 5.5.5.0.
destination
This keyword says that the destination addresses of the command come next.
obj-5.5.5.0 obj-5.5.5.0
Notice that you have two entries here, and in this case both are the same. We want the destination in this NAT statement to be 5.5.5.0. Meaning, we want our remote-access clients to come across the VPN tunnel, traverse the ASA, and go back out to the Internet to a destination of 5.5.5.0. Now, why two entries? Stay with me here, because the order is backwards compared to the source side. The first "obj-5.5.5.0" is the mapped (NAT'ed) destination: the address the client actually puts in its packet. If you do a "?" after the keyword "destination static", you get this: Specify object or object-group name for mapped destination
The second "obj-5.5.5.0" is the real destination: the address the packet carries when it leaves the mapped interface. If you do a "?" after the first object, you get this: Specify object or object-group name for real destination
When the two objects differ, the ASA rewrites the destination: the client asks for the mapped address and the ASA forwards the packet to the real one. That is how you could, as the admin of the firewall, send someone who asked for www.google.com to www.ipchicken.com instead. It might be funny to mess with some people that way, but I have only ever used the same object for both, which leaves the destination untouched. That order seems odd and backwards to me, and I really don't get what Cisco was thinking when they came up with it. I miss the pre-8.3 static commands. But that is the way it is.
So, generically, here is what the syntax really looks like:
nat (outside,outside) source dynamic LAN-LOCAL LAN-NAT'ed destination static REMOTE-NAT'ed REMOTE-LOCAL
Now, let's look at two more entries that I didn't mention yet: the keywords "dynamic" and "static".
I'm using dynamic in the source part so that the 10.10.10.0 remote-access clients can be translated to a pool of addresses rather than to a fixed one. For example, with a range object of 65.65.65.65 through 65.65.65.68, dynamic NAT lets the ASA use any of those addresses as it chooses. With the interface keyword, as in my command, every client is PAT'ed to the single public address of the ASA.
If I used the keyword static, that would mean a 1-to-1 NAT translation. In this case the destination is not being translated at all, but the syntax requires a keyword there anyway, and static is the only one the destination side accepts. Using the same object for the mapped and the real destination makes it an identity translation, so the destination comes out unchanged.
I'm going to put these two side by side, just for comparison.
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
nat (outside,outside) source dynamic LAN-LOCAL LAN-NAT'ed destination static REMOTE-NAT'ed REMOTE-LOCAL
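To make the real/mapped ordering concrete, here is a small Python model of how the ASA matches and applies a twice NAT line. It is an added example written for this page, not Cisco's code and not part of the original post. It parses the exact nat line from above against an assumed object table (the 10.10.10.0 and 5.5.5.0 objects and the 65.65.65.65 public IP are the post's; obj-6.6.6.0, obj-pool, obj-lan, obj-lan-nat and the inside address are made up), and it ignores ports, the xlate table and NAT section ordering. It also goes past the post's case to show what happens when the mapped and real destination objects differ, and what swapping them does.

```python
"""Model of how a Cisco ASA 8.3+ twice NAT (manual NAT) line is matched and applied.

Added illustration for this page, not Cisco code. It keeps the CLI argument order
(source MODE REAL MAPPED destination static MAPPED REAL) so the real/mapped
asymmetry can be exercised on sample flows. Ports, the xlate table and NAT
section/rule ordering are deliberately left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

INTERFACE = "interface"  # keyword: PAT the source to the egress (mapped) interface address

# Assumed interface addresses; 65.65.65.65 is the post's example public IP.
IFC_ADDRESSES: Dict[str, str] = {"outside": "65.65.65.65", "inside": "192.168.1.1"}

# Assumed object table. A CIDR string stands for a subnet object, a list for a
# range object used as a dynamic pool.
OBJECTS: Dict[str, Union[str, List[str]]] = {
    "obj-10.10.10.0": "10.10.10.0/24",   # remote-access VPN clients (from the post)
    "obj-5.5.5.0": "5.5.5.0/24",         # remote network on the Internet (from the post)
    "obj-6.6.6.0": "6.6.6.0/24",         # made up: a real destination that differs from the mapped one
    "obj-lan": "192.168.1.0/24",         # made up: an inside LAN for a static source example
    "obj-lan-nat": "65.65.66.0/24",      # made up: its 1:1 public block
    "obj-pool": ["65.65.65.66", "65.65.65.67", "65.65.65.68"],  # made up dynamic pool
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


@dataclass
class TwiceNatRule:
    real_ifc: str                      # first name in (real,mapped)
    mapped_ifc: str                    # second name in (real,mapped)
    real_src: str                      # REAL source: what the packet carries on real_ifc
    mapped_src: Union[str, List[str]]  # "interface", a CIDR (static 1:1) or a pool list (dynamic)
    mapped_dst: str                    # MAPPED destination: the address the real-side host sends to
    real_dst: str                      # REAL destination: the address used once on mapped_ifc

    def matches(self, ingress_ifc: str, flow: Flow) -> bool:
        """Forward direction: enters real_ifc from a REAL source, addressed to the MAPPED destination."""
        if ingress_ifc != self.real_ifc:
            return False
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.real_src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.mapped_dst))

    def translate(self, ingress_ifc: str, flow: Flow) -> Optional[Flow]:
        """Return the flow as it leaves mapped_ifc, or None if this rule does not apply."""
        if not self.matches(ingress_ifc, flow):
            return None
        if self.mapped_src == INTERFACE:
            new_src = IFC_ADDRESSES[self.mapped_ifc]      # dynamic PAT to the interface address
        elif isinstance(self.mapped_src, list):
            new_src = self.mapped_src[0]                  # dynamic pool: the ASA picks one member
        else:
            new_src = one_to_one(flow.src, self.real_src, self.mapped_src)  # static 1:1
        # The destination side is always static: mapped -> real, identity when both are equal.
        new_dst = one_to_one(flow.dst, self.mapped_dst, self.real_dst)
        return Flow(new_src, new_dst)


def one_to_one(addr: str, from_net: str, to_net: str) -> str:
    """Static 1:1 mapping: keep the host offset, swap the network."""
    a, b = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a.prefixlen != b.prefixlen:
        raise ValueError("static NAT needs networks of equal size")
    offset = int(ipaddress.ip_address(addr)) - int(a.network_address)
    return str(ipaddress.ip_address(int(b.network_address) + offset))


def parse_nat(line: str) -> TwiceNatRule:
    """Parse the form used on this page:
    nat (REAL_IFC,MAPPED_IFC) source dynamic|static REAL MAPPED destination static MAPPED REAL
    """
    t = line.split()
    if (len(t) != 10 or t[0] != "nat" or t[2] != "source"
            or t[3] not in ("dynamic", "static") or t[6] != "destination" or t[7] != "static"):
        raise ValueError(f"unsupported nat syntax: {line}")
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    mapped_src = INTERFACE if t[5] == INTERFACE else OBJECTS[t[5]]
    if t[3] == "static" and isinstance(mapped_src, list):
        raise ValueError("static source NAT needs a subnet object, not a pool")
    return TwiceNatRule(real_ifc, mapped_ifc, OBJECTS[t[4]], mapped_src, OBJECTS[t[8]], OBJECTS[t[9]])


if __name__ == "__main__":
    rule = parse_nat("nat (outside,outside) source dynamic obj-10.10.10.0 interface "
                     "destination static obj-5.5.5.0 obj-5.5.5.0")
    print(rule.translate("outside", Flow("10.10.10.5", "5.5.5.10")))  # source becomes 65.65.65.65
    print(rule.translate("outside", Flow("10.10.10.5", "8.8.8.8")))   # None: rule does not match
```

The interesting case is a redirect rule such as destination static obj-5.5.5.0 obj-6.6.6.0: a client sending to 5.5.5.10 leaves the ASA addressed to 6.6.6.10, and with the two destination objects swapped the very same packet matches nothing, because the ASA compares the client's packet against the mapped destination, not the real one. That is why the argument order matters even when, as in this post, both objects happen to be the same.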
Two useful checks once the line is in place: "show nat" lists the rule with its translate_hits counter, and "packet-tracer" with input interface outside and a VPN client address as the source shows which NAT rule a flow hits, and whether it gets dropped before that.
I hope this was helpful. It's a new command in ASA software 8.3 and later that is a little difficult to grasp.
Sunday, January 6, 2013
Good Customer Service Thoughts For The IT Services Industry
These are some thoughts I have about "customer service" in the IT services business. They probably should be in a better order, but these are just thoughts I jotted down. I'll probably update this post on occasion to add other thoughts to it.
Customer Service Thoughts:
1. Check in on your customer often. You can not grow relationships by talking to someone once a month.
2. Never say "It's not my problem". Always participate in the problem until the very end if possible.
3. Communicate well with the customer.
4. Consistency is key --> Be consistent.
5. Never use foul language around a customer. YOU look bad when you do this. You are a professional. ACT like one. (I specifically remember one consultant in particular who had a foul mouth when he was onsite at a customer. He worked for a different company than I did, and the customer had literally no respect for him at all because of his foul mouth. He had technical ability and was good at what he did, but his foul mouth ruined his potential relationship with this customer. He was asked not to come back.)
6. Try to understand problems from the customer's point of view. REALLY LISTEN to the customer.
7. Always look the customer in the eye when you talk with them and when they talk with you.
8. Don't give up on trying to find the right solution for your customer. Their problem/need is very important to them. Therefore, it should be very important to you. This is what they pay you for.
9. If your customer changes their mind on something that they wanted to do, even after you have done the work, obtain the new goal they want. Even if it means you have to undo everything you just did for the first goal they had.
10. Always contact the customer when you are going to work on their equipment. A phone call is appropriate in this situation.
11. Always contact the customer when you have updates for them. A phone call OR email is appropriate in this situation. Preferably both.
12. Try to give a general time frame on when you will show up onsite. It doesn't have to be exact, just a window of time. An example might be "between 8am and 9am". Most people are OK with that. An example of what NOT to do is "between 8am and 12noon" (This gap is too wide).
13. When you walk into a customer site, the CUSTOMER is the boss. Do what they ask you to do (unless it is completely unreasonable).
14. Most customers like reports. If you provide managed services to them, give them monthly reports on what you are doing for them. They want to know.
15. Be a 'servant' to your customer. Its called "IT Services" for a reason. Serve, don't expect to 'be served'.
16. Never lie to your customer. Never lie to anyone. BAD BAD BAD!
17. If a mistake is made at a customer site, own up to it. Be accountable. Most people respect honesty. Everyone makes mistakes.
18. If you need to cancel an appointment with a customer, call them and let them know. Don't email them, call them.
19. Try to make your appointment with the customer convenient for them. It needs to be convenient for you too, but for them as well.
20. Take the time to get to know your customer. If you know that they don't like to be approached early in the morning, don't do that unless you have to. If you know they need their coffee first before you start conversation, wait until they have had their coffee. If you know they need an email BEFORE conversation, so that they have time to process what you are trying to say to them, send the email first, then have the conversation. I could go on and on with situations. The bottom line is "Get to know who you are dealing with."
21. Do what you tell the customer that you are going to do. If you don't plan on doing something, don't tell the customer that you are going to do it. *added Jan 08, 2013*
22. If your customer wants to learn the technology, be the first to teach them. Even if that means you will "put yourself out of a job". They will appreciate you if you teach them. This helps your relationship and it instills more trust in you as their provider. *added Jan 09, 2013*
Saturday, January 5, 2013
Brocade: Stacking Two FCX Switches
I'm not sure if I have gone over this or not, but I thought I'd run through how to configure a stack on a pair of Brocade FCX switches. That means using the two stacking cables on the 16G ports on the back of the units. Below is the process I went through, a live capture of what I did the other day when I put two of these together. The first FCX was already in place and I added a second FCX for redundancy. A few notes on what the capture shows: "stack secure-setup" is run from the unit that becomes the active controller; it discovers the neighbor over the stacking ports, asks you to accept the topology and the unit IDs, and then synchronizes the active unit's startup config to the new member, which loses its own config in the process (the "deletes u2 and its config" line). "stack mac" pins the stack to a fixed MAC address so it does not change if the active unit changes, and "hitless-failover enable" lets the standby take over without reloading the stack. Do the "wr mem" at the end, as the output warns, or the unit changes are lost on the next reboot; "show stack" afterwards confirms both units and which one is active.
CoreStack#config t
CoreStack(config)#stack enable
Enable stacking. This unit actively participates in stacking
CoreStack(config)#exit
CoreStack#stack secure-setup
CoreStack#Discovering the stack topology...
Current Discovered Topology - RING
Available UPSTREAM units
Hop(s) Id Type Mac Address
1 new FCX648S 0024.38c2.1111
Available DOWNSTREAM units
Hop(s) Id Type Mac Address
1 new FCX648S 0024.38c2.1111
Do you accept the topology (RING) (y/n)?: y
Selected Topology:
Active Id Type Mac Address
1 FCX648S 0024.38c3.2222
Selected UPSTREAM units
Hop(s) Id Type Mac Address
1 2 FCX648S 0024.38c2.1111
Selected DOWNSTREAM units
Hop(s) Id Type Mac Address
1 2 FCX648S 0024.38c2.1111
Do you accept the unit id's (y/n)?: y
CoreStack#Election, was alone --> active, ID=1, priority=128, total 2 u, active=u1
reset unit 2: diff bootup id=1
Unit 1 loses all neighbors.
Active unit 1 deletes u2 and its config because it is learned.
Election, was alone --> active, ID=1, priority=128, total 2 u, active=u1
Detect stack unit 2 has different startup config flash, will synchronize it
Done hot swap: active controller unit 1 sets unit 2 to Ready.
Synchronize startup config to stack unit 2
Config changed due to add/del units. Do write mem if you want to keep it
Stack unit 2 Power supply 1 is up
Stack unit 2 Power supply 2 is down
CoreStack#config t
CoreStack(config)#
CoreStack(config)#stack mac 0024.38c3.2222
CoreStack(config)#hitless-failover en
CoreStack(config)#
CoreStack(config)#exit
CoreStack#wr mem
.Write startup-config done.
CoreStack#Flash Memory Write (8192 bytes per dot) .
Flash to Flash Done.
CoreStack#
Friday, January 4, 2013
Cisco: Console Port
Have you ever been asked to "console" into a device? I talked to an engineer once and told him he needed to console into a switch and do a configuration, and his response was "How do you console into the switch?" Needless to say, I was a little shocked to hear that. So, I thought I'd put up a picture of what a Cisco console port looks like, with the console cable plugged in. It's below, FYI. Most enterprise-level equipment has a console port for you to get in with: Cisco, Brocade, Check Point, etc. Most have them, and I'm glad they do. Sometimes you just have to have that access, because it works when the network config is wrong or the management interface is down. The flip side is that a console session bypasses every network control you have, so it should still require a login (on Cisco IOS, a password or AAA on line console 0), and it is one more reason the rack should be locked.
Thursday, January 3, 2013
Preventive Maintenance!
Ok folks. You have to do PMs on your equipment. Dust is BAD. Clean is GOOD. Dust will shorten the life of your equipment. It's a great idea to have scheduled PMs for all your equipment to extend the life of your investment. It's just a good idea.