Friday, May 31, 2013

Cisco ASA: show cry ipsec sa peer | i ident|caps

I wanted to add a quick note on a cool addition to a command in the Cisco ASA.  If you troubleshoot VPNs much or configure them often, then you know what it's like to check phase I and phase II to make sure everything is good with the VPN.  I know I do!  So I found an 'include' statement tonight that might be helpful to you when looking at phase II traffic statistics.  It really shortens up the amount of info it gives you if you are just trying to verify traffic.  Here it is:
show cry ipsec sa | i ident|caps

Here is a sample output when running that command above:
 ciscoasa# show cry ipsec sa | i ident|caps
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
      #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0


This is all it shows, and that helps a lot when just trying to get the VPN up and verifying traffic.
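As an added example (not from the original post), here is a small Python parser for that filtered output: it groups the ident and counter lines into one record per SA and flags any SA where packets are encapsulated but nothing is decapsulated (or the reverse), which is the usual sign of a one-way tunnel. The sample text is the output above plus a second, constructed SA whose decaps counter stays at 0.

```python
import re

# The page's sample output plus a second, constructed SA (10.10.20.0/24) that only sends.
SAMPLE = """\
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
      #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
      #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
"""
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Turn the '| i ident|caps' output into one dict per SA: local, remote, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":          # a 'local ident' line starts a new SA
            cur = {"local": m.group(2), "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif m:                                   # 'remote ident' belongs to the current SA
            cur["remote"] = m.group(2)
        elif cur is not None:                     # counter lines; the PMTU line matches nothing
            for counter, value in PKTS_RE.findall(line):
                cur[counter] = int(value)
    return sas

def one_way(sas):
    """SAs where exactly one of the encaps/decaps counters is zero: traffic flows one way only."""
    return [sa for sa in sas if (sa["encaps"] == 0) != (sa["decaps"] == 0)]

if __name__ == "__main__":
    for sa in one_way(parse_sas(SAMPLE)):
        print("one-way SA:", sa["local"], "->", sa["remote"], sa["encaps"], "out /", sa["decaps"], "in")
```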

Wednesday, May 29, 2013

Network Diagrams: Created In MS Paint vs MS Visio - What Is Your Preference?

So I have an opinion about doing network diagrams these days, and now I'm looking for your opinion and what you like.  I happen to like doing network diagrams in MS Paint.  It's a personal opinion, of course.  But I find that I can do a diagram quicker in Paint than in Visio.  So, I'm asking you to participate in the poll below.  I appreciate any input, as always.

Question:
Which network diagram below do you like better?
Made in MS Paint:


Made in MS Visio:

Tuesday, May 28, 2013

Brocade: 7131 AP/Access Point Password Reset

I have to thank Jim for this.  I was in a place with no Internet connection and I asked him to forward to me the steps for a password reset on the 7131 AP.  Here is what he sent me.

> Step 1. Serial up to the AP with 19200-8-N-1
> Step 2. Power cycle the AP
> Step 3. Press the “Escape” key when the AP states “Press escape key to run boot firmware”.
> Step 4. From the “boot>” prompt enter “passwd default”.
> Step 5. Reset the system by entering “reset system”.

Saturday, May 25, 2013

What Does A Barber Dime Look Like?

I have never even heard of a Barber Dime until I found one.  This was under my carpet in my house and we found it as we were having it replaced.  If you ever wondered what a Barber Dime looks like, here is one from 1904.

Thursday, May 23, 2013

What An AT&T Grey SmartJack Looks Like

This was the first time I have seen one of these.  This was a couple of weeks ago, but I normally see a tan smartjack instead when I go into an install of a WAN technology.  This is what I saw.

Wednesday, May 22, 2013

Cisco ASA: "same-security-traffic permit intra-interface" Command In CLI

I probably have posted this before, but I came across it again tonight.  Have you ever needed to get across a site to site VPN from another site to site VPN?  Like this below:
On the ASA, in order for you to get from point 1 to point 3, you have to use the "same-security-traffic permit intra-interface" command in CLI.  That is called "hair-pinning".  Anyway, I hope that explains what this command is going to do for you, in this type of scenario.  

NOTE*  Yeah, I looked back and I've done two other posts in particular dealing with hair-pinning.  The first one was here at this link on June 9, 2011.  The second one, which to me is a much more detailed treatment of hair-pinning and an explanation of the NAT statement in 8.3 and later, was on January 8th of this year and you can click on this link to get to it.  Sorry for doing this over again, but since I've already got it up there, I'll just let it stay.

Monday, May 20, 2013

Brocade Core: VRRP Configuration Examples For Dual Core Switching Redundancy

I thought I would put up a config of two FastIron SuperX core switches I put in a little while back.  Both switch configs are below.  The topology was pretty much what you see below, except that there were more access switches in place.  Internet comes off the ASAs of course.

Switch 1:
sh run
Current configuration:
!
ver 05.1.00cT3e2
!
module 1 fi-sx4-2-port-10g-module
module 2 fi-sx4-2-port-10g-module
module 3 fi-sx4-2-port-10g-module
module 4 fi-sx4-2-port-10g-module
module 5 fi-sx4-2-port-10g-module
module 9 fi-sx4-12-combo-port-management-module
!
global-stp
!
!
vlan 1 name CORE by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 router-interface ve 1
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1000
!
vlan 2 name Servers by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 router-interface ve 2
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1024
!
vlan 5 name Legacy by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 untagged ethe 9/1 to 9/12
 router-interface ve 25
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1024
!
vlan 498 name DMZ by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1024
!
vlan 499 name Internet by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1024
!
vlan 500 name DEFAULT-VLAN by port
!
!
default-vlan-id 500
hostname CORE_1
ip route 0.0.0.0 0.0.0.0 172.24.255.254
!
router vrrp
fdp run
interface ve 1
 ip address 192.168.1.1 255.255.255.0
 ip vrrp vrid 1
  owner
  ip-address 192.168.1.1
  activate
!
interface ve 2
 ip address 192.168.2.1 255.255.255.0
 ip vrrp vrid 1
  owner
  ip-address 192.168.2.1
  activate
!
interface ve 5
 ip address 192.168.3.254 255.255.0.0
 ip vrrp vrid 1
  owner
  ip-address 192.168.3.254
  activate
!
!
end

CORE_1#  


Switch 2:
sh run
Current configuration:
!
ver 05.1.00cT3e2
!
module 1 fi-sx4-2-port-10g-module
module 2 fi-sx4-2-port-10g-module
module 3 fi-sx4-2-port-10g-module
module 4 fi-sx4-2-port-10g-module
module 5 fi-sx4-2-port-10g-module
module 9 fi-sx4-12-combo-port-management-module
!
global-stp
!
!
vlan 1 name CORE by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 router-interface ve 1
 spanning-tree 802-1w
 spanning-tree 802-1w priority 2000
!
vlan 2 name Servers by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 router-interface ve 2
 spanning-tree 802-1w
 spanning-tree 802-1w priority 2048
!
vlan 5 name Legacy by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 untagged ethe 9/1 to 9/12
 router-interface ve 25
 spanning-tree 802-1w
 spanning-tree 802-1w priority 2048
!
vlan 498 name DMZ by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 spanning-tree 802-1w
 spanning-tree 802-1w priority 2048
!
vlan 499 name Internet by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2
 spanning-tree 802-1w
 spanning-tree 802-1w priority 2048
!
vlan 500 name DEFAULT-VLAN by port
!
!
default-vlan-id 500
hostname CORE_2
router vrrp
fdp run
interface ve 1
 ip address  192.168.1.254 255.255.255.0
 ip vrrp vrid 1
  backup
  advertise backup
  ip-address  192.168.1.1
  activate
!
interface ve 2
 ip address  192.168.2.254 255.255.255.0
 ip vrrp vrid 1
  backup
  advertise backup
  ip-address  192.168.2.1
  activate
!
interface ve 5
 ip address  192.168.3.253 255.255.0.0
 ip vrrp vrid 1
  backup
  advertise backup
  ip-address  192.168.3.254
  activate
!
!
end

CORE_2#      
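As an added example (not part of the original post), the following Python check reads excerpts in the style of the two configs above and reports the mismatches that quietly break VRRP failover: an owner whose virtual IP differs from its interface address, a backup whose virtual IP differs from the owner's, and a VLAN whose router-interface points at a ve number that has no interface definition (as vlan 5 / ve 25 does in the configs above). The excerpts are constructed, and CORE_2's virtual IP carries a deliberate typo so that a finding is produced.

```python
# Constructed excerpts in the style of the CORE_1 / CORE_2 configs above, trimmed to the
# lines the check reads; CORE_2's ip-address line is a deliberate typo (.253 instead of .254).
CORE_1 = """\
vlan 5 name Legacy by port
 router-interface ve 25
interface ve 5
 ip address 192.168.3.254 255.255.0.0
  owner
  ip-address 192.168.3.254
"""
CORE_2 = """\
interface ve 5
 ip address 192.168.3.253 255.255.0.0
  backup
  ip-address 192.168.3.253
"""

def parse(cfg):
    """Map each 've N' to {ip, role, vip}; also return the ve numbers that VLANs point at."""
    ves, routed, cur = {}, set(), None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "router-interface":
            routed.add(int(t[2]))
        elif t[0] == "interface":
            cur = ves.setdefault(int(t[2]), {})
        elif t[:2] == ["ip", "address"]:
            cur["ip"] = t[2]
        elif t[0] in ("owner", "backup"):
            cur["role"] = t[0]
        elif t[0] == "ip-address":
            cur["vip"] = t[1]
    return ves, routed

def check(owner_cfg, backup_cfg):
    """Findings for an owner/backup pair; an empty list means the VRRP setup is consistent."""
    o, o_routed = parse(owner_cfg)
    b, b_routed = parse(backup_cfg)
    findings = [f"vlan points at ve {v} but no 'interface ve {v}' is configured"
                for v in sorted((o_routed | b_routed) - set(o) - set(b))]
    for ve, oc in sorted(o.items()):
        bc = b.get(ve, {})  # empty if the backup switch has no such ve at all
        if oc.get("role") == "owner" and oc.get("vip") != oc.get("ip"):
            findings.append(f"ve {ve}: owner VIP {oc.get('vip')} must equal its own address {oc.get('ip')}")
        if bc.get("role") != "backup" or bc.get("vip") != oc.get("vip"):
            findings.append(f"ve {ve}: backup VIP {bc.get('vip')} does not match owner VIP {oc.get('vip')}")
    return findings

if __name__ == "__main__":
    for finding in check(CORE_1, CORE_2):
        print(finding)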


Sunday, May 19, 2013

Cisco Router: How To Add A HWIC-4ESW= Module To A 2901 Router

I came across a need where I needed more than the two interfaces of the 2901 router that I had been working with.  I decided that I would do a dual-ISP topology like the one below.  I was the one providing both routers in this case, and the router attached to the Brocade is where this HWIC-4ESW= module went in.  (I took out the public IPs, as I'm sure you understand why.)
Here is the part number of the module:
First, I had to add the module into the router.  It slides in pretty easily; you just need access.
After you slide this into the slot, you screw the two screws in and it will automatically show up in the config as VLAN 1.  You will need to put an IP address on the VLAN and do a 'no shut' on the VLAN interface.  That is all there is to it.

Friday, May 17, 2013

How To Draw Out A Wiring Closet So Others Can Follow What Is There

This was the first time I was in this closet, and I figured others would be coming behind me.  So, I labeled what I found to be true about this closet so that anyone coming behind me would know what is what in this closet.

Wednesday, May 15, 2013

Basic Anatomy Of A ShoreTel Voice Packet From Wireshark

I picked up this packet during a troubleshooting session and thought I'd post what a packet from a ShoreTel phone call looks like.  I just find this sort of thing interesting.

Tuesday, May 14, 2013

Check Point: Blades Training

I've been at a Check Point blades training today and tomorrow.  It's been interesting to listen to some of the Check Point guys talk today.  I know a lot of the information already presented today, but I think that having some good technical expertise in the same room is always interesting.

Sunday, May 12, 2013

Cisco Router: How To Add A T1 Module

Have you ever added a T1 module in a router and it wouldn't show up in the config as an interface (serial)?  Here is what you do to get it to show up, depending on the slot it's in.  Mine is in 0/0 with one port on the WIC (0):

yourname(config)#card type t1 0 0


Then to configure the timeslots:
yourname(config)#controller t1 0/0/0
yourname(config-controller)#channel-group 0 timeslots 1-24

Saturday, May 11, 2013

Friday, May 10, 2013

Brocade BCNP Test

I passed the Brocade BCNP test today.  It's a pretty tough test to me.  If you happen to be sitting for this test, make sure you know the items listed on the Brocade site.  Here is the link so that you can review what to study for.

Cisco CUCM: "Cisco Messaging Interface" down

This service is for non-Cisco voicemail servers, so if you have Unity/Unity Connection/Unity Express, I wouldn't worry about this service.  If you do have an external non-Cisco service, you probably need to get this going.  I know this isn't too detailed and is generic, but it's a start.

Wednesday, May 8, 2013

Check Point: Enforcement Module Does Not Send Logs To Management Station

I thought this was going to be difficult to resolve, but as it turns out, it wasn't (in my scenario).  So I wasn't getting log messages to my management server from BOTH of my enforcement modules (a clustered configuration).  However, I was getting logs from my other Check Point enforcement module (that was not part of the cluster I'm speaking of).  So, I'm thinking my management station seems OK if it gets logs from one and not the other two.  I mean, logging is working, right?  Sure.  So, I SSH'ed into the two enforcement modules and looked at the fw.log.  Nothing appeared to be in them when I did a 'more fw.log'.  So, I wanted to see if the logs were growing, so I ran the following command: 'tail -f /var/logs/fw.log'.  On both enforcement modules, the size stayed the same.  No increase.

So I came back in during non-production hours and pushed policy to see if that would clear up the logging issue.  It didn't.  So, on one of the enforcement modules, I did a 'cpstop' and restarted services with a 'cpstart', then pushed policy.  I started getting log messages from that enforcement module.  I did the same on the second and now both are sending log messages to my management station.  I'm not sure what exactly happened that they would stop, but the issue is now resolved.

Monday, May 6, 2013

Cisco ASA: Too Much Log Information Being Sent To My Syslog Server - Cutting Down On Syslog Traffic

Does your logging server get bogged down with big log files, and you need to cut that size down some?  Stop sending informational data.  Cut it down to just audit-type traffic.  Here is what I do on my ASA (if I don't need informational data to look through) for both my Syslog and my ASDM (not that I use ASDM much):

logging enable
no logging trap informational    <------ This is a setting of "6", which is informational data
logging trap notifications  <------ This is a setting of "5", which is for notification data (like firewall audit trail for users and activity)
no logging asdm informational   <------ This is a setting of "6", which is informational data
logging asdm notifications    <------ This is a setting of "5", which is for notification data (like firewall audit trail for users and activity)
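As an added example (not from the original post), this Python snippet applies the same severity cut-off the ASA uses for 'logging trap <level>' to a few constructed ASA syslog lines, so you can see which message IDs stop arriving once the trap level drops from informational (6) to notifications (5).

```python
import re

# Severity names accepted by "logging trap <level>" on the ASA, mapped to their numbers.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
TAG_RE = re.compile(r"%ASA-(\d)-(\d{6}):")

# Constructed sample lines in ASA syslog format (not captured from a real device).
SAMPLE = [
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51515 "
    "(203.0.113.5/51515) to inside:192.168.1.10/443 (192.168.1.10/443)",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.5/51516 dst inside:192.168.1.10/23 "
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "%ASA-5-111008: User 'admin' executed the 'logging trap notifications' command.",
    "%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.5(51517) -> "
    "inside/192.168.1.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
]

def severity(line):
    """Return (severity number, message id) from an ASA syslog line, or None if it has no %ASA tag."""
    m = TAG_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else None

def passes_trap(line, level):
    """True if the ASA would forward this line under 'logging trap <level>' (severity <= level)."""
    parsed = severity(line)
    return parsed is not None and parsed[0] <= LEVELS[level]

def split_by_trap(lines, level):
    """Return (forwarded message ids, dropped message ids) for the given trap level."""
    kept = [severity(l)[1] for l in lines if passes_trap(l, level)]
    dropped = [severity(l)[1] for l in lines if severity(l) and not passes_trap(l, level)]
    return kept, dropped

if __name__ == "__main__":
    for level in ("informational", "notifications"):
        print(level, split_by_trap(SAMPLE, level))
```

Note that 302013/302014 connection build and teardown records and 106100 access-list hit lines are level 6, so they stop reaching the syslog server at the notifications level; if your monitoring depends on them, keep them with a 'logging list' that names those message IDs rather than lowering the global trap level.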

Sunday, May 5, 2013

Cisco Unity: How Do I Forward My Unity Voicemail To My (External) SMTP Mail Account Like Yahoo/Gmail/etc.

At times, I have to forward people's voicemail to their SMTP mail account.  I do this through Exchange and it's pretty easy once you know how to do it.  Below is how I do this.  I usually find out about this after I've already created the users in Unity (and Exchange).

Go into the Exchange console.
Under Recipient Configuration --> Mail Contact, create a new mail contact.
Fill out the necessary information for the contact and finish.
Go to the user's mailbox --> Mail Flow Settings.
Edit Delivery Options.
Under Forwarding Address, check 'Forward to' and select the contact you just created.
Apply and OK.

Saturday, May 4, 2013

Cisco CUCM: How Do I Ping A Device From My CUCM (CallManager)

Here is how you do it in CLI on the CUCM server.  I much prefer CLI for some reason, but in CUCM, the CLI is a little limited if you are used to a Cisco router or switch.  You have to SSH into the server.  Here is what you do:

admin: utils network ping 192.168.106.1
PING 192.168.106.1 (192.168.106.1) 56(84) bytes of data.

--- 192.168.106.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms

Friday, May 3, 2013

How Do You Troubleshoot Telco Problems - Calls Not Coming In To Your Phone System

Man, these can be tough.  Especially because Telcos don't normally like to admit to anything wrong on their side.  I have this SIP trunk coming into a company where about every 5th call, they get a message on the caller's phone saying something like "the number you dialed has been disconnected.... Error ....".  Well, this is a real pain to my customer, since they are losing business because of it.  I can tell them easily that it's not my phone system's problem, but then that doesn't really help them out any.  They don't know where to go from there.  So I call up the SIP provider and tell them.  I have to have a record of my calls and when I called, so I did that.  The SIP provider tells me they see all three calls I made and what time I made them.  The only problem is, I made four calls, not three.  See my proof, the call circled at the bottom is the one they did not get:
So, I tell the SIP provider this, and they go to their provider (the carrier).  They say they see all four calls, and they forwarded all of them.  Hmmm.  The SIP provider says they never got it.  I tell the SIP provider to change carriers immediately.  Meanwhile, I'm looking for another SIP provider.


Thursday, May 2, 2013

Cisco Router: Why Do My ACLs Look Different Than What I Typed Into The Config In CLI

Have you ever wondered why your access-list didn't look right after putting in some entries?  Like this example:
"access-list 121 permit ip 192.168.106.0 0.0.0.255 any"
when you know that you typed in this:
"access-list 121 permit ip 192.168.106.0 0.0.0.255 192.168.107.1 255.255.255.255"
Weird.  Well, it's because it didn't like what you put in, so it put in the first line above.  I needed the keyword 'host' in my second command above.  It wanted to see this:
"access-list 121 permit ip 192.168.106.0 0.0.0.255 host 192.168.107.1"
If I had typed it in right, it would have gone in correctly and I wouldn't be wondering what happened.  It would be nice if it would just complain to you somewhat, but it never does.  Just keep that in mind when you are wondering why your ACL doesn't look right after you know you typed something different.