Sunday, March 31, 2013

Friday, March 29, 2013

Good Friday: A note from me to you

All, happy Good Friday to you.  Thank You Jesus for what you have done for us all.  If you want to know more about what He did for us, please go read more about it here.  If you are sincere and want to ask me any questions about this (and you don't just want to argue with me), please feel free to email me.  Most questions can probably be answered by simply watching a really good movie called "The Encounter".  I found it on Netflix.  Even if you don't have questions, it's a really great movie!

Cisco H323 Gateway: Upgrading PRI From 8 To 21 Channels

I have a customer that is upgrading their PRI circuit from 8 channels to 21 channels.  Why?  I have no idea.  It's for faxes only, and they only have 8 fax machines.  So, they have a hosted VoIP system with THIS H323 gateway.  It works pretty well.  Here are the changes I made to the gateway (not on the CUCM; remember, it's H323):
config t
int serial0/0/0:23
shut
voice-port 0/0/0:23
shut
controller t1 0/0/0
shut
no pri-group timeslots 1-8,24
pri-group timeslots 1-21,24
no shut
int serial0/0/0:23
no shut
voice-port 0/0/0:23
no shut

dial-peer voice 911 pots
 port 0/0/0:23
 translation-profile outgoing outbound_calls
dial-peer voice 1001 pots
 port 0/0/0:23
 translation-profile outgoing outbound_calls
dial-peer voice 1 pots
 port 0/0/0:23
 translation-profile outgoing outbound_calls
dial-peer voice 1003 pots
 port 0/0/0:23
 translation-profile outgoing outbound_calls

So, one thing to note here.  On the dial-peers, when I shut down the ports, it took the port command off the dial-peer.  I'm not sure why, but when you bring the ports back up, it will NOT automatically put the port command back into the dial-peer.  You have to go put it in.  (The mechanism is that removing the pri-group deletes the D-channel serial interface and its voice-port, and a dial-peer cannot keep a port binding to a port that no longer exists; re-adding the pri-group recreates the port but not the binding.)  Also, my translation-profile outgoing command is so that I can send out a caller ID that the telco wants.

Thursday, March 28, 2013

PRI: What Is A PRI?

I drew up a chart of info about PRIs.  Maybe it will be helpful to you as well.  ADDITION** I had to go edit my chart here.  My peer Jim S had to correct me and tell me he has gotten data over a PRI before.  So I stand corrected, and now I'm having to say that a PRI is not for voice only; you can put data on it as well.  I modified my chart below.  I personally have not done that before.  Every time I have put in a PRI or used a PRI in any way, it has always been for voice only.  However, Jim is a pretty smart guy and he says he has done voice and data across a PRI before.  So, I have no reason not to believe him.  Thanks Jim.

Wednesday, March 27, 2013

Cisco ASA: MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY VPN Messages

This was a pain because I am not sure what the real problem was.  I have this VPN and no one is complaining about anything, but I get the following below:
ASA# sh cry isa sa

   Active SA: 9
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10

1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

2   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY

So what is up with the MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY messages?  Well, I cleared the VPN and watched it come back up to the following message:
ASA# clear crypto isakmp sa 4.40.40.3
ASA# sh cry isa sa
1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ASA#

I don't know, but it seems to have worked in this case.

Tuesday, March 26, 2013

Cisco Kron: How To Schedule A Reboot On A Cisco Router/UC500/CME Every Night

I had a little problem on a UC500 that would crop up every now and then, say once a week or so.  I have seen this on two different UC500s so far, and I have gotten no resolution from Cisco on them.  So, I noticed that when the UC500 was rebooted, the problem would clear out for a while, then come back some time later.  Anyway, I just decided to reboot the router every night at midnight so that the issue would not come back to hinder the customer.  They are an 8-to-5 business, so rebooting at midnight wouldn't be an issue.  Here are the commands I used to create a kron job and schedule the reboot every night at 12:01 AM.

UC(config)#kron policy-list reloadrouter
UC(config-kron-policy)#cli reload
UC(config-kron-policy)#exit
UC(config)#kron occurrence reloadrouter at 00:01 recurring
UC(config-kron-occurrence)#policy-list reloadrouter
UC(config-kron-occurrence)#exit
UC(config)#wr mem

Two things make this reliable.  Kron runs the policy-list commands in EXEC mode and cannot answer interactive prompts, so keep the running config saved (hence the wr mem above), since a reload with unsaved changes would prompt to save first.  And the occurrence fires by the router's own clock, so the clock has to be right; with a clock that has drifted, the reload lands at the wrong time of day.

Monday, March 25, 2013

Cisco CME/UC500: How To Set The Time/Clock On The Phones

I come across this on occasion where CME just won't keep time correctly.  It just seems to 'drift' at times.  Well, here is how you correct the time on the phones:
UC520#clock set 10:00:00 March 25 2013
UC520#sh clock
.10:00:02.191 CST Mon Mar 25 2013
UC520#config t
Enter configuration commands, one per line.  End with CNTL/Z.
UC520(config)#telephony-service
UC520(config-telephony)#create cnf-files
Creating CNF files
UC520(config-telephony)#exit
UC520(config)#exit
UC520#wr mem


You just have to re-create the CNF files for the action to take place.  Keep in mind that clock set only fixes the time for now; it does not survive a reload, and a free-running clock will drift again.  To stop the drift for good, sync the router to an NTP source with ntp server, since the SCCP phones take their time from CME.

Tuesday, March 19, 2013

Cisco CUE: How To Add A User And Create A Voicemail Box

So CUE is not very hard at all, but I thought I'd post on how to create a user and voicemail box for someone.
First, we add a user.  Fill in the appropriate information like userID, name, extension, phone, passwords, etc.

Then configure the mailbox options.

That's all you have to do.

Friday, March 15, 2013

Integrating A Viking RC-2A Into A ShoreTel System For Unlocking A Door/Gate: PART 2

If you saw my earlier post about the Viking unit integration with the ShoreTel system, I thought I would post a second implementation that I did.  Basically the same config as the last post (see link above), but the Viking unit was a little different. Here is the topology and a picture of the Viking unit.  I think it will help if you run into this Viking box.  It happens to be the same model number, but with different port availability.  Interesting.
TOPOLOGY:
PICTURE OF UNIT:

Thursday, March 14, 2013

Cisco ASA: How To Add A Static NAT In 8.3 And Higher Code

Have you ever needed to add a static NAT translation on an ASA that is running code 8.3 or higher, but didn't know how?  Well, here is what you do.  In this example, I have a printer that needs to be reached from the Internet by a company with the IP address of 2.2.2.58.  Follow along with the config below and I think you will see that this is fairly easy.  My printer IP is 192.168.1.3 and I'm using port 9100.
ASA 8.3 code and higher:
object network obj-192.168.1.3
 host 192.168.1.3
nat (inside,outside) static 4.4.4.11 service tcp 9100 9100

access-list outside_in permit tcp host 2.2.2.58 host 192.168.1.3 eq 9100

That is all you have to do, provided outside_in is already bound to the outside interface with an access-group (an ACL that is not applied does nothing).  Two details worth noticing: since 8.3 the interface ACL references the real address (192.168.1.3), not the mapped address 4.4.4.11, and the service keyword limits the translation to TCP 9100, so nothing else on the printer is reachable from the outside even though the mapped address is public.

Monday, March 11, 2013

Is SSH secure?

Is SSH secure?  Yep.  It is.  So, if someone gets nuts because you SSH'ed into their ASA, you can safely tell them it is secure.  See below for proof of it.  I SSH'ed into my own ASA and this is what it says.  See the encryption and hash?  I'd say those are very secure.

ASA# sho ssh session

SID Client IP       Version Mode Encryption Hmac     State            Username
0   192.168.1.145  2.0     IN   aes256-cbc sha1     SessionStarted   skillen
                           OUT  aes256-cbc sha1     SessionStarted   skillen
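The output above carries everything needed to audit a session: protocol version, and the cipher and MAC negotiated for each direction. The Python below is an added example, not code from the original post or from Cisco; it parses that table format and grades each session. The thresholds are the example's own and not an ASA feature: SSH-1 and DES, 3DES or RC4 ciphers fail, while CBC-mode ciphers and MD5 MACs only warn. The client IP, username and the second sample session are constructed to exercise the parser.

```python
"""Parse ASA 'show ssh session' output and grade the negotiated algorithms.

Added example, not code from the original post or from Cisco. The grading
thresholds are this example's own (SSH-1 and DES/3DES/RC4 fail, CBC-mode
ciphers and MD5 warn); they are not an ASA feature.
"""
import re
from dataclasses import dataclass, field

# Constructed to match the format shown in the post.
SAMPLE = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
0   192.168.1.145  2.0     IN   aes256-cbc sha1     SessionStarted   skillen
                           OUT  aes256-cbc sha1     SessionStarted   skillen
"""


@dataclass
class Session:
    sid: int
    client: str
    version: str
    username: str
    directions: dict = field(default_factory=dict)  # "IN"/"OUT" -> (cipher, mac, state)


def parse_sessions(text):
    """Each session is one line for the IN direction plus a continuation line for OUT."""
    sessions = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "SID":
            continue
        if tokens[0].isdigit():
            sid, client, version, mode, cipher, mac, state, user = tokens[:8]
            session = Session(int(sid), client, version, user)
            session.directions[mode] = (cipher, mac, state)
            sessions.append(session)
        elif sessions and tokens[0] in ("IN", "OUT"):
            mode, cipher, mac, state = tokens[:4]
            sessions[-1].directions[mode] = (cipher, mac, state)
    return sessions


FAIL_CIPHERS = re.compile(r"(^|-)(des|3des|arcfour|rc4)", re.I)
WARN_CIPHERS = re.compile(r"-cbc$", re.I)


def grade(session):
    """Return ("fail" | "warn" | "ok", [reasons]) for one session."""
    findings = []
    if not session.version.startswith("2"):
        findings.append(("fail", f"protocol version {session.version}; only SSH-2 is acceptable"))
    for mode, (cipher, mac, _) in session.directions.items():
        if FAIL_CIPHERS.search(cipher):
            findings.append(("fail", f"{mode}: weak cipher {cipher}"))
        elif WARN_CIPHERS.search(cipher):
            findings.append(("warn", f"{mode}: CBC-mode cipher {cipher}; prefer a CTR or GCM mode"))
        if mac.lower().startswith("md5"):
            findings.append(("warn", f"{mode}: MAC {mac}; prefer SHA-1 or SHA-2"))
    level = "ok"
    if any(lvl == "warn" for lvl, _ in findings):
        level = "warn"
    if any(lvl == "fail" for lvl, _ in findings):
        level = "fail"
    return level, [text for _, text in findings]


if __name__ == "__main__":
    for session in parse_sessions(SAMPLE):
        level, reasons = grade(session)
        print(f"SID {session.sid} {session.client} {session.username}: {level}")
        for reason in reasons:
            print("  -", reason)
```

On the page's own session the grader reports a warning, not a failure: AES-256 with a SHA-1 HMAC is sound, but CBC mode is the part that has aged, and current OpenSSH releases no longer offer CBC ciphers by default. Newer ASA software lets you restrict which ciphers the device offers, so the same command is also the way to confirm that a restriction took effect.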

Sunday, March 10, 2013

Cisco ASA: How To Add A Second ASA To A HA Cluster For High Availability In Active/Standby

I think I've covered this once already, but since I just did this again the other day, I thought I would post some outputs on it.  I really like Cisco's HA feature.  From my experience, it's very reliable and I have never seen it let me down.  Here is a template of what I did on the secondary ASA to get it to pull the primary ASA's config:
interface Management0/0
no shut

failover lan unit secondary
failover lan interface failover_state Management0/0
failover key mypasskey
failover link failover_state Management0/0
failover interface ip failover_state 192.168.1.1 255.255.255.0 standby 192.168.1.2

failover

Once I did this, I got the following on the secondary ASA:
ciscoasa(config)# .
    Detected an Active mate
Beginning configuration replication from mate.

End configuration replication from mate.

This is what the primary ASA said before the secondary came up:
sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover_state Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 12:56:25 UTC Mar 8 2013
    This host: Primary - Active
    Other host: Secondary - Failed
 

(shortened for brevity)

By the way, make sure the images are the same.  I had to upgrade my primary image to match what came on the secondary unit.  Also, don't skip the failover key: without one, everything that crosses the failover link, including the replicated configuration with its passwords and keys, goes in clear text.  That is also why the failover and state link should be a dedicated segment between the two units rather than a shared management network.

ASA# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover_state Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 14:44:56 UTC Mar 8 2013
    This host: Secondary - Standby Ready
    Other host: Primary - Active

(shortened for brevity)



Thursday, March 7, 2013

How To Prevent Toll Fraud On A UC500/520/CME Cisco Router

Today I had a customer that complained about toll fraud on their UC500 and wanted me to make sure they were secure against such an attack.  So, I looked over what they had and did what I've outlined below.  I found a good document on Cisco's site for this.  I'm researching more on what other changes might be good for the fight against toll fraud.
Here is the document on Cisco's site.  Below is what I did.

In CME:
 I took out any dial-peers that were not needed.

telephony-service
 after-hours block pattern 1 91
 after-hours block pattern 2 9011 7-24
 after-hours block pattern 3 91900 7-24
 after-hours day mon 17:30 08:00
 after-hours day tue 17:30 08:00
 after-hours day wed 17:30 08:00
 after-hours day thu 17:30 08:00
 after-hours day fri 17:30 08:00
 after-hours day sat 17:00 08:00
 after-hours day sun 12:00 23:59

telephony-service
no transfer-pattern 9.1T
no transfer-pattern .1T

(I did this on all ephone-dns)
ephone-dn  17  dual-line
call-forward max-length 3

telephony-service
no auto-reg-ephone

In CUE:
deny in the AA script "Allow external transfers" (unchecked)

apply restriction tables (example below)
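The block patterns and day windows above read differently depending on the 7-24 flag and on windows that cross midnight, and that is where dial-plan restrictions usually leak. The Python below is an added example, not code from the original post or from Cisco; it applies the post's telephony-service settings to a dialed string at a given time. Its semantics are this example's reading of the after-hours commands rather than a reproduction of the CME implementation: a pattern matches on leading digits, a pattern tagged 7-24 is blocked at all hours, any other pattern is blocked only inside an after-hours window, a window whose stop time is not later than its start runs into the next day, and any matching pattern that blocks is enough to block the call. The dialed numbers in the demo are constructed.

```python
"""Apply the post's CME after-hours block policy to dialed numbers.

Added example, not code from the original post or from Cisco. The match
semantics (leading-digit match, 7-24 means always blocked, a stop time not
later than the start time spans midnight, any blocking match wins) are this
example's reading of the after-hours commands, not the CME implementation.
"""
from datetime import datetime, time, timedelta

# Taken from the telephony-service block above: (pattern, blocked 7-24)
BLOCK_PATTERNS = [
    ("91", False),     # 1+ long distance: blocked after hours only
    ("9011", True),    # international: blocked around the clock
    ("91900", True),   # premium rate: blocked around the clock
]

# after-hours day <day> <start> <stop>
AFTER_HOURS = {
    "mon": ("17:30", "08:00"),
    "tue": ("17:30", "08:00"),
    "wed": ("17:30", "08:00"),
    "thu": ("17:30", "08:00"),
    "fri": ("17:30", "08:00"),
    "sat": ("17:00", "08:00"),
    "sun": ("12:00", "23:59"),
}

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def is_after_hours(when):
    """True when `when` lies inside a configured window.

    A window is anchored on the day it is configured for; if its stop time is
    not later than its start time it extends into the following day, so both
    today's window and yesterday's window have to be checked.
    """
    for days_back in (0, 1):
        day_name = DAYS[(when.weekday() - days_back) % 7]
        if day_name not in AFTER_HOURS:
            continue
        start_text, stop_text = AFTER_HOURS[day_name]
        anchor_date = when.date() - timedelta(days=days_back)
        start = datetime.combine(anchor_date, _hhmm(start_text))
        stop = datetime.combine(anchor_date, _hhmm(stop_text))
        if stop <= start:
            stop += timedelta(days=1)
        if start <= when < stop:
            return True
    return False


def blocking_patterns(dialed):
    """Every configured pattern whose digits lead the dialed string."""
    return [(pattern, always) for pattern, always in BLOCK_PATTERNS if dialed.startswith(pattern)]


def call_blocked(dialed, when):
    """Blocked if any matching pattern is 7-24, or if one matches and it is after hours."""
    matches = blocking_patterns(dialed)
    if not matches:
        return False
    if any(always for _, always in matches):
        return True
    return is_after_hours(when)


if __name__ == "__main__":
    # Constructed test calls; 7 March 2013 was a Thursday.
    for number, when in [
        ("919005551234", datetime(2013, 3, 7, 10, 0)),   # Thu 10:00, premium rate
        ("912125551234", datetime(2013, 3, 7, 10, 0)),   # Thu 10:00, long distance
        ("912125551234", datetime(2013, 3, 8, 7, 30)),   # Fri 07:30, inside Thursday's window
        ("912125551234", datetime(2013, 3, 11, 7, 30)),  # Mon 07:30, covered by no window
    ]:
        verdict = "blocked" if call_blocked(number, when) else "allowed"
        print(number, when.strftime("%a %H:%M"), verdict)
```

Run against the post's windows, the evaluator shows a long-distance call at 07:30 on Friday blocked by Thursday's window and the same call at 08:00 allowed. It also shows that Sunday's window ends at 23:59 and Monday's does not start until 17:30, so Monday from midnight to 08:00 is covered by no window; that is the kind of gap worth checking on a config like this, since the 7-24 patterns are the only protection during it.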

***ADDED March 10th***
I modified my outside ACL to be the following for the outside interface:
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny   udp any any range 5060 5061 log
access-list 101 deny   tcp any any range 5060 5061 log
access-list 101 deny   tcp any any range 1720 1721 log
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any

interface FastEthernet0/0
 ip access-group 101 in
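An ACL like the one above is evaluated top down, first match wins, with an implicit deny at the end, and reading that by eye is error-prone once permits and denies interleave. The Python below is an added example, not code from the original post or from Cisco; it parses the numbered extended ACL exactly as pasted above and evaluates constructed packets against it. It handles any, host and wildcard-mask address specs and the eq, gt, lt and range port operators, which is what this ACL uses; ACL features it does not use (established, object groups, named ACLs) are not modelled. The packet addresses in the demo are documentation ranges and are constructed.

```python
"""First-match evaluation of an IOS numbered extended ACL.

Added example, not code from the original post or from Cisco. It models the
rules a practitioner relies on when reading an ACL: top-down first match,
implicit deny at the end, wildcard masks (a 1 bit means "don't care"), and
port operators that apply only where they are written.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Entry = namedtuple("Entry", "action proto src sport dst dport text")
PORT_OPS = {"eq", "gt", "lt", "range"}

# The outside-interface ACL from the post, as pasted.
ACL_101 = """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny   udp any any range 5060 5061 log
access-list 101 deny   tcp any any range 5060 5061 log
access-list 101 deny   tcp any any range 1720 1721 log
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Consume an optional port operator; return ((op, lo, hi) or None, next_index)."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    lo = int(tokens[i + 1])
    hi = int(tokens[i + 2]) if op == "range" else lo
    return (op, lo, hi), i + (3 if op == "range" else 2)


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)  # a trailing "log" keyword is ignored
        entries.append(Entry(tokens[2], tokens[3], src, sport, dst, dport, line.strip()))
    return entries


def _addr_match(spec, address):
    base, wildcard = spec
    return (_ip(address) | wildcard) == (base | wildcard)


def _port_match(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo, "range": lo <= port <= hi}[op]


def evaluate(entries, pkt):
    """Return (action, matching entry text); no match is the implicit deny."""
    for entry in entries:
        if entry.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)):
            continue
        if not (_port_match(entry.sport, pkt.sport) and _port_match(entry.dport, pkt.dport)):
            continue
        return entry.action, entry.text
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for pkt in [Packet("udp", "203.0.113.5", 5060, "198.51.100.1", 5060),   # SIP from the Internet
                Packet("tcp", "10.1.1.7", 2000, "198.51.100.1", 40000),     # source port 2000: first line
                Packet("tcp", "10.1.1.7", 443, "198.51.100.1", 40000),      # same source, other port: anti-spoof deny
                Packet("tcp", "203.0.113.5", 40000, "198.51.100.1", 443)]:  # ordinary traffic: final permit
        print(pkt, "->", *evaluate(acl, pkt))
```

Two things the evaluator makes visible that are easy to miss by eye: a port operator applies only where it is written, so a SIP packet arriving from source port 5060 to destination port 80 matches none of the 5060-5061 denies and falls through to the final permit; and order matters, so a packet from 10.1.1.0/24 with source port 2000 hits the first permit before it ever reaches the anti-spoof deny seven lines later.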

Wednesday, March 6, 2013

Cisco UC500: Another One Bites The Dust

Man, these UC500s are terrible (in my opinion).  I've just seen too many issues with these things.  Well, today I had to replace one that died.  It would start to boot to a certain point, and then reboot.  It continued to do the same thing, over and over again.  Well, let's replace it.  Here is what I did.  Real simple:
Note: The hardware is the same.
Swap the Flash card.
Put the T1 MFT module in the new unit.
Physically connect everything back into the network.
TFTP the CME config to the new UC500.
Initialize the CUE.
Synchronize the users.
Rerecord AA prompts and Rework AA.
Done.

Monday, March 4, 2013

2013 Gartner Enterprise Network Firewall Graph

I wanted to put up the 2013 Gartner Enterprise Network Firewalls graph.  Check Point and Palo Alto.

Sunday, March 3, 2013

Ping -i Command

I like this command.  It's been helpful to me because when I need to do a traceroute and the firewall guys at a customer site decide they want to block that, well, that just won't do.  So, I'll go at it another way.  I use the 'ping -i' command, which sets the TTL on the echo request: each router that decrements the TTL to zero answers with an ICMP Time Exceeded from its own address, so each TTL value reveals one hop.  Windows tracert does the same thing with ICMP, while Unix traceroute sends UDP probes by default, which is why a filter aimed at UDP traceroute probes does not stop this trick; a filter that drops the ICMP Time Exceeded replies will.
So notice below that every time I do a ping, I increase the TTL by one.  First, I do 3, then 4, then 5.  Notice that the replying IP address is different every time.


C:\Users\skillen>ping -i 3 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Reply from 96.34.74.140: TTL expired in transit.
Reply from 96.34.74.140: TTL expired in transit.
Reply from 96.34.74.140: TTL expired in transit.
Reply from 96.34.74.140: TTL expired in transit.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\skillen>ping -i 4 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Reply from 96.34.79.22: TTL expired in transit.
Reply from 96.34.79.22: TTL expired in transit.
Reply from 96.34.79.22: TTL expired in transit.
Reply from 96.34.79.22: TTL expired in transit.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\skillen>ping -i 5 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Reply from 96.34.74.241: TTL expired in transit.
Reply from 96.34.74.241: TTL expired in transit.
Reply from 96.34.74.241: TTL expired in transit.
Reply from 96.34.74.241: TTL expired in transit.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Notice this traceroute chart, and you will see that the above is reflected correctly.
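The loop above is easy to automate, and automating it also makes clear what a filter has to block to stop it. The Python below is an added example, not code from the original post; it shells out to the system ping with a stepped TTL (the flag differs per platform: -i on Windows, -t on Linux iputils, -m on macOS), parses the reply to find which address answered, and stops when the target itself replies. A live trace needs network access, but the parser and the scripted runner work offline; the sample outputs are constructed to match the Windows format shown above and the Linux iputils format.

```python
"""Hop discovery by ICMP echo with a stepped TTL, the trick behind 'ping -i'.

Added example, not code from the original post. It shells out to the system
ping, so the TTL flag is chosen per platform (-i on Windows, -t on Linux
iputils, -m on macOS/BSD). A live trace needs network access; the parsing
and the scripted runner work offline on captured output.
"""
import platform
import re
import subprocess

# Constructed samples in the Windows format shown in the post and the Linux format.
WINDOWS_TTL_EXPIRED = """\
Pinging 4.2.2.2 with 32 bytes of data:
Reply from 96.34.74.140: TTL expired in transit.
Reply from 96.34.74.140: TTL expired in transit.
"""
WINDOWS_REACHED = "Reply from 4.2.2.2: bytes=32 time=20ms TTL=56\n"
LINUX_TTL_EXPIRED = "From 96.34.74.140 icmp_seq=1 Time to live exceeded\n"
LINUX_REACHED = "64 bytes from 4.2.2.2: icmp_seq=1 ttl=56 time=19.8 ms\n"
TIMEOUT = "Request timed out.\n"

# Any reply line, whether the probe expired at a router or reached the target.
REPLY_RE = re.compile(r"(?:^|\s)(?:Reply from|bytes from|From) (\d{1,3}(?:\.\d{1,3}){3})", re.M)


def responder(output):
    """IP address of whoever answered the probe, or None on silence."""
    match = REPLY_RE.search(output)
    return match.group(1) if match else None


def ping_command(target, ttl):
    """argv for one probe with the given TTL on the current platform (TTL is argv[-2])."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-w", "1000", "-i", str(ttl), target]
    if system == "Darwin":
        return ["ping", "-c", "1", "-W", "1000", "-m", str(ttl), target]
    return ["ping", "-c", "1", "-W", "1", "-t", str(ttl), target]


def trace(target, max_hops=30, run=subprocess.run):
    """Return [(ttl, responder or None), ...], stopping at the hop that is the target."""
    hops = []
    for ttl in range(1, max_hops + 1):
        output = run(ping_command(target, ttl), capture_output=True, text=True).stdout
        who = responder(output)
        hops.append((ttl, who))
        if who == target:
            break
    return hops


def scripted_run(replies):
    """Stand-in for subprocess.run that answers from a {ttl: output} dict (offline use)."""
    class _Result:
        def __init__(self, stdout):
            self.stdout = stdout

    def _run(argv, capture_output=True, text=True):
        return _Result(replies.get(int(argv[-2]), TIMEOUT))

    return _run


if __name__ == "__main__":
    # Offline demo with scripted replies; drop the run= argument for a live trace.
    demo = scripted_run({1: "Reply from 192.0.2.1: TTL expired in transit.\n", 3: WINDOWS_REACHED})
    for ttl, who in trace("4.2.2.2", max_hops=5, run=demo):
        print(ttl, who or "*")
```

A hop that answers with nothing shows up as None, the same "*" a traceroute prints, and the loop keeps going past it; that is the behaviour you see when a router on the path rate-limits or drops ICMP Time Exceeded but the ones beyond it do not.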

Saturday, March 2, 2013

Brocade: Redundant Fiber Links And 99% CPU Utilization

You've got to have spanning tree, folks, when you do redundant fiber links.  Either that, or do what I prefer, which is static trunks (the Brocade equivalent of Cisco EtherChannel).  Networks don't like loops, and can you blame them?  They cause havoc!!!
I sat at home tonight while another engineer who lived close to this customer went onsite.  99% utilization on the core, and as it turns out, if you plug that second fiber in, the network goes nuts.

Friday, March 1, 2013

Atlanta, GA: View From The Westin Hotel

I just thought this was neat.  I took this on a concert trip my wife and I took.