I've needed to do this, but not in the WebUI. In the CLI. Here is the command I run to do this:
CP1> netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
87.87.95.23 0.0.0.0 255.255.255.192 U 0 0 0 eth2
10.8.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.16.78.0 0.0.0.0 255.255.255.0 U 0 0 0 eth4
10.0.0.0 172.16.78.1 255.0.0.0 UGD 0 0 0 eth4
0.0.0.0 87.87.95.24 0.0.0.0 UGD 0 0 0 eth2
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Sunday, June 30, 2013
Saturday, June 29, 2013
6-28-2013
Hmm. It is supposed to be daytime in this picture.
And after the downpour of rain, we get this sunset.
Friday, June 28, 2013
Check Point Gaia: How Do I Add A Static Route In CLI
Good question. Here is how you do it in Check Point's Gaia.
CP1> set static-route default nexthop gateway address 87.87.96.23 on
Here is what I'm saying: set a static route for my default route, and my next-hop gateway address is 87.87.96.23. Turn this route on.
That's pretty much to the point.
Thursday, June 27, 2013
Check Point Gaia: What Is The "Ping" Check Box Under IPv4 Static Routes?
Well, this is an interesting 'feature'. Actually, it caused me and another engineer a little bit of a headache, but this check box in static routes for 'ping' is interesting. We had two Check Point 4800s in a cluster. One of the boxes could ping 4.2.2.2 while the other box would not. In Gaia, there is this check box under the static routes. You check the box for a 'yes' and uncheck the box for a 'no'. What does this do? If you have this checked, it will ping the next hop. If it misses one ping, it will take the route out completely. Here is what I'm talking about:
See that 'ping' column? On the secondary box that would not ping out to 4.2.2.2, we had the default route's ping check box checked, meaning yes. Apparently, it missed a ping (a timeout) and took the default route out. With no default route, it wouldn't ping anything on the Internet. So, if you don't want this 'feature', make sure you turn ping off in the routing table.
With that said, I can see a really cool use for this that is a lot like Cisco's object tracking. With dual ISPs, you can set one route a higher priority than the second ISP link. When the first ISP link fails, causing the ping to fail, causing the route to be taken out, the Internet traffic defaults to the second route. This is much like object tracking, and I really like object tracking. You don't need BGP, OSPF, etc. It's all done with static routing, with some monitoring in place. I like it.
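Here is a small model of the behaviour described in this post, added as an example (not Check Point code): a route whose next hop misses a single ping is withdrawn, and the best remaining route wins. The class and function names are mine; the second ISP address is constructed, and reinstalling a route once its next hop answers again is an assumption.

```python
"""Model of Gaia's per-route "Ping" option as described in the post."""
from typing import List, Optional


class StaticRoute:
    def __init__(self, destination: str, nexthop: str, priority: int, ping: bool):
        self.destination = destination  # e.g. "default"
        self.nexthop = nexthop
        self.priority = priority        # assumption: lower number is preferred
        self.ping = ping                # the "Ping" check box from the post
        self.active = True              # currently installed in the routing table


class PingMonitoredRoutes:
    def __init__(self, routes: List[StaticRoute]):
        self.routes = routes

    def record_probe(self, nexthop: str, replied: bool) -> None:
        """Feed in one ping result for a next hop. As observed in the post, a single
        missed ping pulls every monitored route via that next hop out of the table.
        Putting the route back once the next hop answers again is an assumption."""
        for r in self.routes:
            if r.ping and r.nexthop == nexthop:
                r.active = replied

    def installed(self, destination: str) -> Optional[str]:
        """Next hop currently used for a destination, or None if no route is left."""
        candidates = [r for r in self.routes if r.destination == destination and r.active]
        if not candidates:
            return None
        return min(candidates, key=lambda r: r.priority).nexthop


def single_default_route_outage() -> Optional[str]:
    """The scenario from the post: one default route, Ping checked, one timeout."""
    rib = PingMonitoredRoutes([StaticRoute("default", "87.87.95.24", 1, ping=True)])
    rib.record_probe("87.87.95.24", replied=True)
    rib.record_probe("87.87.95.24", replied=False)  # one missed ping
    return rib.installed("default")                # None: no default route at all


def ping_unchecked_stays() -> Optional[str]:
    """The post's workaround: with Ping unchecked, a timeout changes nothing."""
    rib = PingMonitoredRoutes([StaticRoute("default", "87.87.95.24", 1, ping=False)])
    rib.record_probe("87.87.95.24", replied=False)
    return rib.installed("default")                # still "87.87.95.24"


def dual_isp_failover() -> List[Optional[str]]:
    """The object-tracking-like use: two default routes, primary preferred, Ping on both."""
    rib = PingMonitoredRoutes([
        StaticRoute("default", "87.87.95.24", 1, ping=True),  # ISP 1 (gateway from netstat above)
        StaticRoute("default", "203.0.113.1", 2, ping=True),  # ISP 2 (constructed address)
    ])
    steps = [rib.installed("default")]
    rib.record_probe("87.87.95.24", replied=False)  # ISP 1 link fails
    steps.append(rib.installed("default"))          # traffic falls to ISP 2
    rib.record_probe("87.87.95.24", replied=True)   # ISP 1 comes back (assumed restore)
    steps.append(rib.installed("default"))
    return steps


if __name__ == "__main__":
    print("single route after one timeout:", single_default_route_outage())
    print("ping unchecked after timeout:  ", ping_unchecked_stays())
    print("dual ISP sequence:             ", dual_isp_failover())
```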
Wednesday, June 26, 2013
Cisco ASA: High Availability (HA) Configuration Explanations
Tuesday, June 25, 2013
T1 and YouTube: A Not So Great Combination For A Hosted Voice Solution
Ok folks. Simple scenario here. A customer with a hosted voice solution, meaning the phone system is hosted somewhere other than your facility. You also have your Internet traffic going out the same link as the hosted voice traffic. In this case, it's a T1: 1.544 Mbps. Not a lot, but enough for a small office. I get a call complaining of voice quality problems. The customer can't hear their customers. Calls get hung up on. You get the picture. So, with that said, let's take a look at what is going on on their circuit. After all, none of the other hosted customers are complaining about voice quality.
Oh, here is the problem. See below. You can't fill up a T1 and expect voice to be of good quality.
So, notice that number circled, 2234? That is 2234 milliseconds. Yeah, that's right. 2.2 SECONDS of delay at the most in that graph. I'd say that is enough to qualify for some voice quality issues, since 150 milliseconds of delay is the most you can have without noticing. Also notice that 100% utilization. Not good.
Monday, June 24, 2013
Cisco CE520: What A Config Looks Like In Text File
Ever wonder what a config for a CE520 looks like? It does have a menu-driven configuration mode, as well as a GUI. But it will put out a config file for you if you want one, as a backup that you can import into another switch if you like. Look it over; there are some interesting things in it (not that I'm a fan of these switches).
interface range ethernet e(1-24)
port storm-control broadcast enable
exit
interface ethernet e1
port storm-control broadcast rate 10000
exit
interface ethernet e2
port storm-control broadcast rate 10000
exit
interface ethernet e3
port storm-control broadcast rate 10000
exit
interface ethernet e4
port storm-control broadcast rate 10000
exit
interface ethernet e5
port storm-control broadcast rate 10000
exit
interface ethernet e6
port storm-control broadcast rate 10000
exit
interface ethernet e7
port storm-control broadcast rate 10000
exit
interface ethernet e8
port storm-control broadcast rate 10000
exit
interface ethernet e9
port storm-control broadcast rate 10000
exit
interface ethernet e10
port storm-control broadcast rate 10000
exit
interface ethernet e11
port storm-control broadcast rate 10000
exit
interface ethernet e12
port storm-control broadcast rate 10000
exit
interface ethernet e13
port storm-control broadcast rate 10000
exit
interface ethernet e14
port storm-control broadcast rate 10000
exit
interface ethernet e15
port storm-control broadcast rate 10000
exit
interface ethernet e16
port storm-control broadcast rate 10000
exit
interface ethernet e17
port storm-control broadcast rate 10000
exit
interface ethernet e18
port storm-control broadcast rate 10000
exit
interface ethernet e19
port storm-control broadcast rate 10000
exit
interface ethernet e20
port storm-control broadcast rate 10000
exit
interface ethernet e21
port storm-control broadcast rate 10000
exit
interface ethernet e22
port storm-control broadcast rate 10000
exit
interface ethernet e23
port storm-control broadcast rate 10000
exit
interface ethernet e24
port storm-control broadcast rate 10000
exit
interface range ethernet e(2-24)
spanning-tree portfast
exit
interface range ethernet g(1-4)
spanning-tree link-type point-to-point
exit
interface range ethernet e(2-24)
spanning-tree bpduguard
exit
interface range ethernet e(2-24)
port security mode max-addresses
exit
interface range ethernet e(2-24)
port security max 5
exit
interface range ethernet e(2-24)
no port security
exit
interface range ethernet e(1-2),g(1-4)
switchport mode trunk
exit
ip dhcp snooping information option allowed-untrusted
ip dhcp snooping vlan 1
interface ethernet e2
ip dhcp snooping trust
exit
interface vlan 1
ip address 192.168.104.200 255.255.255.0
exit
ip default-gateway 192.168.104.1
interface vlan 1
ip dhcp relay enable
exit
qos advanced
wrr-queue cos-map 4 0
wrr-queue cos-map 4 1
wrr-queue cos-map 3 2
wrr-queue cos-map 1 5
wrr-queue cos-map 2 6
wrr-queue cos-map 2 7
qos map dscp-queue 0 to 4
qos map dscp-queue 1 to 4
qos map dscp-queue 2 to 4
qos map dscp-queue 4 to 4
qos map dscp-queue 5 to 4
qos map dscp-queue 6 to 4
qos map dscp-queue 7 to 4
qos map dscp-queue 8 to 4
qos map dscp-queue 9 to 4
qos map dscp-queue 10 to 4
qos map dscp-queue 12 to 4
qos map dscp-queue 13 to 4
qos map dscp-queue 14 to 4
qos map dscp-queue 15 to 4
qos map dscp-queue 16 to 3
qos map dscp-queue 17 to 3
qos map dscp-queue 18 to 3
qos map dscp-queue 20 to 3
qos map dscp-queue 21 to 3
qos map dscp-queue 22 to 3
qos map dscp-queue 23 to 3
qos map dscp-queue 40 to 1
qos map dscp-queue 41 to 1
qos map dscp-queue 42 to 1
qos map dscp-queue 44 to 1
qos map dscp-queue 45 to 1
qos map dscp-queue 46 to 1
qos map dscp-queue 47 to 1
qos map dscp-queue 48 to 2
qos map dscp-queue 49 to 2
qos map dscp-queue 50 to 2
qos map dscp-queue 52 to 2
qos map dscp-queue 53 to 2
qos map dscp-queue 54 to 2
qos map dscp-queue 55 to 2
qos map dscp-queue 56 to 2
qos map dscp-queue 57 to 2
qos map dscp-queue 58 to 2
qos map dscp-queue 60 to 2
qos map dscp-queue 61 to 2
qos map dscp-queue 62 to 2
qos map dscp-queue 63 to 2
qos map policed-dscp 18 to 0
qos map policed-dscp 24 to 0
qos map policed-dscp 26 to 0
qos map policed-dscp 34 to 0
qos map policed-dscp 40 to 0
qos map policed-dscp 46 to 0
ip access-list 2140
permit any any any
exit
ip access-list 2141
permit any any any dscp 46
permit any any any dscp 40
exit
ip access-list 2142
permit any any any dscp 24
permit any any any dscp 26
exit
class-map general-class match-any
match access-group 2140
exit
class-map general-switch
match access-group 2140
exit
class-map general-router
match access-group 2140
exit
class-map VoIP-data-class
match access-group 2141
exit
class-map VoIP-Control-class
match access-group 2142
exit
class-map general-VoIP
match access-group 2140
exit
policy-map general-map
class general-class
set dscp 7
police 30000 80000 exceed-action policed-dscp-transmit
exit
exit
policy-map switch-map
class general-switch
exit
exit
policy-map router-map
class general-router
exit
exit
policy-map voice-map
class VoIP-data-class
set dscp 46
police 3200 8000 exceed-action policed-dscp-transmit
exit
class VoIP-Control-class
set dscp 26
police 640 8000 exceed-action policed-dscp-transmit
exit
class general-VoIP
set dscp 7
police 30000 800000 exceed-action policed-dscp-transmit
exit
exit
interface ethernet e1
service-policy input router-map
exit
interface ethernet e2
service-policy input general-map
exit
interface ethernet e3
service-policy input general-map
exit
interface ethernet e4
service-policy input general-map
exit
interface ethernet e5
service-policy input general-map
exit
interface ethernet e6
service-policy input general-map
exit
interface ethernet e7
service-policy input general-map
exit
interface ethernet e8
service-policy input general-map
exit
interface ethernet e9
service-policy input general-map
exit
interface ethernet e10
service-policy input general-map
exit
interface ethernet e11
service-policy input general-map
exit
interface ethernet e12
service-policy input general-map
exit
interface ethernet e13
service-policy input general-map
exit
interface ethernet e14
service-policy input general-map
exit
interface ethernet e15
service-policy input general-map
exit
interface ethernet e16
service-policy input general-map
exit
interface ethernet e17
service-policy input general-map
exit
interface ethernet e18
service-policy input general-map
exit
interface ethernet e19
service-policy input general-map
exit
interface ethernet e20
service-policy input general-map
exit
interface ethernet e21
service-policy input general-map
exit
interface ethernet e22
service-policy input general-map
exit
interface ethernet e23
service-policy input general-map
exit
interface ethernet e24
service-policy input general-map
exit
interface ethernet g1
service-policy input switch-map
exit
interface ethernet g2
service-policy input switch-map
exit
interface ethernet g3
service-policy input switch-map
exit
interface ethernet g4
service-policy input switch-map
exit
priority-queue out num-of-queues fastethernet 0
priority-queue out num-of-queues gigabitethernet 0
clock timezone -6
no ip domain-lookup
ip name-server 192.168.104.1
snmp-server set rlSmartPortsTable ifIndex 1 rlSmartPortsMacro Router
snmp-server set rlSmartPortsTable ifIndex 2 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 3 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 4 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 5 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 6 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 7 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 8 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 9 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 10 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 11 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 12 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 13 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 14 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 15 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 16 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 17 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 18 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 19 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 20 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 21 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 22 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 23 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 24 rlSmartPortsMacro Desktop
snmp-server set rlSmartPortsTable ifIndex 49 rlSmartPortsMacro Switch
snmp-server set rlSmartPortsTable ifIndex 50 rlSmartPortsMacro Switch
snmp-server set rlSmartPortsTable ifIndex 51 rlSmartPortsMacro Switch
snmp-server set rlSmartPortsTable ifIndex 52 rlSmartPortsMacro Switch
Sunday, June 23, 2013
ICMP Types: Echo And Echo-Reply
I find this interesting. This topic should come up because if you really want to be able to ping out from your site and allow that ping reply back in, then it may become important for you to modify your ACLs properly, and not just allow all ICMP traffic. You certainly won't want someone to be able to ping your servers from the outside. So what does ICMP look like in a packet capture? Let's take a look:
In the above screen capture, you will notice that at Layer 4 you will see a "Type" field. That Type field, for the ICMP at Layer 4, has a value of 8. That means it's a ping request going out, which, according to the packet capture, is sourced from 192.168.2.14 and destined to 4.2.2.2. You can see that the "ICMP request" is actually an "Echo" request.
Below in the second screenshot, you will find something similar. However, you will notice that the "Type" value is 0. That means a reply back from the destination you pinged. Notice, though, that at Layer 4 it's still ICMP, just a different "Type".
Very interesting stuff when looking at it in depth. ICMP has many types and codes that you will recognize by name. You have seen several of them before in CMD when trying to ping something, I'm sure. Take a good look at the codes, all of which are ICMP.
Saturday, June 22, 2013
Cisco: "You Cannot Obtain License For 0 Quantity"
I was trying to get my PAK key put in for license file for another 100 device licenses and I came across this error message: "You Cannot Obtain License For 0 Quantity". Interestingly, it says "1" in my picture below for a count. Take a look:
So, how to resolve this issue? I had to create a case with the licensing team at Cisco. When I asked my engineer what the issue was, he said it was a 'glitch' and that he had run into it also. But, he said he had to 'create a workaround' to get me the license file. I'm not sure what he did, but if you run into this problem like I did, create a TAC case and get the licensing team to take care of it for you.
Friday, June 21, 2013
How Does Traceroute Work
This is actually a pretty cool tool. It works basically by sending out a "ping -i" command. Let's say I wanted to know what the third hop was from where my laptop was sitting. I would do the following:
ping -i 3 4.2.2.2
You would find the third hop's IP address replying back, because you are setting a TTL of 3 when sending that ping out. That is exactly how traceroute works, except it keeps sending out a 'ping -i' command up until hop #30, which is the default limit.
Notice these packet captures below:
See above. I started my capture at a TTL of 3 on my traceroute.
Now look below; you can see the next TTL of 4 that is sent out by the traceroute.
Now, see again below, the next TTL of 5 is set by the traceroute program.
Traceroute is a pretty cool tool. It takes advantage of incrementing the TTL until it reaches its destination (or reaches its limit), telling you all the way which IP you are hitting on the way to your destination.
If you want to read more on "ping -i", click on this link.
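The two posts above (ICMP Echo/Echo-Reply types, and traceroute's TTL walk) fit together in one added example, which is my own code and not from the blog: it builds and parses ICMP messages with a real RFC 792 checksum, then models the TTL-incrementing probe over a constructed path from the laptop to 4.2.2.2. The endpoint addresses come from the posts; the intermediate router addresses and all function names are made up here.

```python
"""ICMP echo request/reply packets and traceroute's TTL walk, modelled in pure Python."""
import struct
from typing import List, Tuple

ICMP_ECHO_REPLY = 0       # Type 0: the reply in the second screenshot
ICMP_ECHO_REQUEST = 8     # Type 8: the outgoing ping in the first screenshot
ICMP_TIME_EXCEEDED = 11   # Type 11: what a router sends back when the TTL hits 0


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message: type, code, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Pull out the fields a capture tool shows; the checksum over an intact message is 0."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}


# Constructed path from the laptop to 4.2.2.2 (endpoints from the posts; hops in between are made up).
PATH = ["192.168.2.1", "10.0.0.1", "203.0.113.1", "198.51.100.9", "4.2.2.2"]


def probe(ttl: int, path: List[str]) -> Tuple[str, int]:
    """What comes back for one echo request sent with a given TTL ("ping -i <ttl>" in the post).
    Each router decrements the TTL and, when it reaches 0, discards the packet and answers
    with type 11 from its own address; the destination host answers with type 0."""
    for node in path:
        if node == path[-1]:
            return node, ICMP_ECHO_REPLY
        ttl -= 1
        if ttl == 0:
            return node, ICMP_TIME_EXCEEDED
    raise AssertionError("unreachable: the destination is the last element of path")


def traceroute(path: List[str], max_hops: int = 30) -> List[Tuple[int, str, int]]:
    """Traceroute proper: repeat the probe with TTL 1, 2, 3, ... until the destination
    replies or the hop limit (30 by default, as the post notes) is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, icmp_type = probe(ttl, path)
        hops.append((ttl, responder, icmp_type))
        if icmp_type == ICMP_ECHO_REPLY:
            break
    return hops


if __name__ == "__main__":
    # 32-byte alphabet payload like a Windows ping (constructed)
    req = build_icmp(ICMP_ECHO_REQUEST, 0, ident=1, seq=1, payload=b"abcdefghijklmnopqrstuvwabcdefghi")
    print(parse_icmp(req))
    for ttl, who, t in traceroute(PATH):
        print(f"TTL {ttl}: {who} (ICMP type {t})")
```

Run it and the third line of the trace is the router that answered the TTL-3 probe, which is what the "ping -i 3 4.2.2.2" shortcut above shows on its own.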
Thursday, June 20, 2013
Cisco Router: How To 'NAT' Site-To-Site VPN Traffic On A Cisco IOS Router
I got an email from a fellow IT guy inquiring about NAT'ing VPN traffic on a Cisco router. He referenced a post that I had back in 2011, but I realized that post was for an ASA after we started talking. So, I thought I should post how you would do this on a Cisco router. Thanks J for asking me to do this. I should have done this sooner. Here is the configuration side for the router with notes to explain what is going on in the config below. Also, just note that on ACLs, I tend to use numbers. Use what you like. Also, name your route-map what you like as well. It makes no difference.
Phase I config:
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
Set your peer and VPN pre-shared key. Use 'no-xauth' so that the site-to-site VPN doesn't have to 'login':
crypto isakmp key PASSKEY address 4.4.2.2 no-xauth
crypto isakmp keepalive 20 3 periodic
Phase II config. Transform-set is called 'to_remote':
crypto ipsec transform-set to_remote esp-aes 256 esp-sha-hmac
Configure the NAT. Source address range of 192.168.108.0 and destinations of 192.168.75.0 and 76.0:
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.75.0 0.0.0.255
Create a route-map called 'static-vpn' and match traffic to ACL 133:
route-map static-vpn
match ip address 133
Create a NAT-POOL for the public IP address (or range) you want to NAT to. In this case, I'm NAT'ing to 10.50.1.10:
ip nat pool NAT-POOL 10.50.1.10 10.50.1.10 netmask 255.255.255.255
Create a NAT rule to use the route-map 'static-vpn'. Upon a match to ACL 133, NAT that traffic to one of the NAT-POOL addresses (10.50.1.10):
ip nat inside source route-map static-vpn pool NAT-POOL Overload
Once you have configured the NAT you need to modify the interesting traffic. You need your 'interesting traffic' ACL 121 to look like this below. 10.50.1.10 is the IP address you are NAT'ing to:
access-list 121 permit ip host 10.50.1.10 192.168.76.0 0.0.0.255
access-list 121 permit ip host 10.50.1.10 192.168.75.0 0.0.0.255
Define your VPN peer, apply phase II and matching ACL for interesting traffic:
crypto map to_clearwinds 5 ipsec-isakmp
set peer 4.4.2.2
set transform-set to_remote
match address 121
qos pre-classify
Apply the crypto map to the public interface and tell the public interface that its part in NAT is on the public side:
interface GigabitEthernet0/0
ip address 12.X.X.186 255.255.255.248
ip nat outside
crypto map to_clearwinds
Tell the inside interface that its part in NAT is the internal side:
interface GigabitEthernet0/1
ip address 192.168.108.1 255.255.255.0
ip nat inside
Phase I config:
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
Set your peer and VPN pre-shared key. Use 'no-xauth' so that the site-to-site VPN doesnt have to 'login':
crypto isakmp key PASSKEY address 4.4.2.2 no-xauth
crypto isakmp keepalive 20 3 periodic
Phase II config. Transform-set is called 'to_remote':
crypto ipsec transform-set to_remote esp-aes 256 esp-sha-hmac
Configure the NAT. Source address range of 192.168.108.0 and destinations of 192.168.75.0 and 76.0:
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.75.0 0.0.0.255
Create a route-map called 'static-vpn' and match traffic to ACL 133:
route-map static-vpn
match ip address 133
Create a NAT pool holding the address (or range) you want to translate to. In this case I'm translating to 10.50.1.10:
ip nat pool NAT-POOL 10.50.1.10 10.50.1.10 netmask 255.255.255.255
Create a NAT rule that uses the route-map 'static-vpn'. Traffic matching ACL 133 is translated to the NAT-POOL address (10.50.1.10); with a single-address pool, 'overload' (PAT) is what lets every inside host share it:
ip nat inside source route-map static-vpn pool NAT-POOL overload
Once the NAT is configured you need to change the 'interesting traffic' ACL. IOS translates inside-to-outside traffic before it evaluates the crypto map, so the crypto ACL must match the translated source, not the inside subnet. ACL 121 needs to look like this, where 10.50.1.10 is the address you are translating to:
access-list 121 permit ip host 10.50.1.10 192.168.76.0 0.0.0.255
access-list 121 permit ip host 10.50.1.10 192.168.75.0 0.0.0.255
Define your VPN peer, apply phase II and matching ACL for interesting traffic:
crypto map to_clearwinds 5 ipsec-isakmp
set peer 4.4.2.2
set transform-set to_remote
match address 121
qos pre-classify
Apply the crypto map to the public interface and mark that interface as the NAT outside side. The name applied here has to be the crypto map's name ('to_clearwinds'), not the transform-set name:
interface GigabitEthernet0/0
ip address 12.X.X.186 255.255.255.248
ip nat outside
crypto map to_clearwinds
Tell the inside interface that its part in NAT is the internal side:
interface GigabitEthernet0/1
ip address 192.168.108.1 255.255.255.0
ip nat inside
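As an added example (not from the original post, and not Cisco code), here is a small Python linter for this NAT-into-VPN pattern. It rebuilds the post's configuration as a constructed sample (interface addresses and the ISAKMP policy are left out because the checks do not need them) and then tests the two things that silently break the design: a crypto map applied to the interface under a name that does not match the map's definition (using the transform-set name 'to_remote' in place of 'to_clearwinds' is an easy slip), and a crypto ACL that still matches the pre-NAT inside subnet. The function names and the BROKEN_CONFIG variant with the planted mistakes are mine.

```python
"""Added example (not from the post): lint an IOS config for the policy-NAT-into-IPsec
pattern above. IOS translates inside->outside traffic before the crypto map is
evaluated, so the crypto ACL must match the translated (pool) source. The linter
flags a crypto ACL still matching the pre-NAT source and a crypto map applied
to an interface under a name that was never defined."""
import ipaddress
from collections import defaultdict

# Constructed from the fragments in the post (ISAKMP policy and addresses omitted).
CONFIG = """\
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.75.0 0.0.0.255
route-map static-vpn permit 10
 match ip address 133
ip nat pool NAT-POOL 10.50.1.10 10.50.1.10 netmask 255.255.255.255
ip nat inside source route-map static-vpn pool NAT-POOL overload
access-list 121 permit ip host 10.50.1.10 192.168.76.0 0.0.0.255
access-list 121 permit ip host 10.50.1.10 192.168.75.0 0.0.0.255
crypto map to_clearwinds 5 ipsec-isakmp
 set transform-set to_remote
 match address 121
interface GigabitEthernet0/0
 ip nat outside
 crypto map to_clearwinds
"""
# Two planted mistakes: the transform-set name applied as the crypto map, and a
# crypto ACL line that still matches the pre-NAT source.
BROKEN_CONFIG = CONFIG.replace(" crypto map to_clearwinds", " crypto map to_remote").replace(
    "access-list 121 permit ip host 10.50.1.10 192.168.75.0 0.0.0.255",
    "access-list 121 permit ip 192.168.108.0 0.0.0.255 192.168.75.0 0.0.0.255")


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> network; set wildcard bits mean 'do not care'."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, prefixlen), strict=False)

def _addr(t, i):
    """Parse one ACL address spec at token i; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def parse(config):
    """Collect only the objects the NAT-into-VPN design depends on."""
    cfg = {"acl": defaultdict(list), "pool": {}, "nat_rm": {}, "rm_acl": {},
           "cmap": defaultdict(dict), "iface": defaultdict(dict)}
    section = None  # (kind, name) that the following indented lines belong to
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):
            section = None
            if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                src, i = _addr(t, 4)
                cfg["acl"][t[1]].append((src, _addr(t, i)[0]))
            elif t[:3] == ["ip", "nat", "pool"]:
                cfg["pool"][t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
            elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
                cfg["nat_rm"][t[5]] = t[7]  # route-map name -> pool name
            elif t[0] == "route-map":
                section = ("rm", t[1])
            elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
                cfg["cmap"].setdefault(t[2], {})
                section = ("cmap", t[2])
            elif t[0] == "interface":
                section = ("iface", t[1])
        elif section:
            kind, name = section
            if kind == "rm" and t[:3] == ["match", "ip", "address"]:
                cfg["rm_acl"][name] = t[3]
            elif kind == "cmap" and t[:2] == ["match", "address"]:
                cfg["cmap"][name]["acl"] = t[2]
            elif kind == "iface" and t[:2] == ["crypto", "map"]:
                cfg["iface"][name]["cmap"] = t[2]
    return cfg

def lint(config):
    """Return a list of findings; an empty list means the pieces fit together."""
    cfg, findings = parse(config), []
    for ifname, props in cfg["iface"].items():
        if "cmap" in props and props["cmap"] not in cfg["cmap"]:
            findings.append(f"{ifname}: crypto map '{props['cmap']}' applied but never "
                            f"defined (defined: {sorted(cfg['cmap'])})")
    for name, props in cfg["cmap"].items():
        crypto_acl = cfg["acl"].get(props.get("acl"), [])
        for rm, pool in cfg["nat_rm"].items():
            lo, hi = cfg["pool"][pool]
            for src, dst in cfg["acl"].get(cfg["rm_acl"].get(rm), []):
                # Good: a crypto entry whose source lies inside the pool and covers dst.
                if any(lo <= s.network_address and s.broadcast_address <= hi
                       and dst.subnet_of(d) for s, d in crypto_acl):
                    continue
                stale = any(s.overlaps(src) and d.overlaps(dst) for s, d in crypto_acl)
                findings.append(f"crypto map {name}: flow {src} -> {dst} is translated to "
                                f"{lo}-{hi} but the crypto ACL "
                                + ("still matches the pre-NAT source" if stale
                                   else "has no entry for the translated source"))
    return findings
```

lint(CONFIG) returns an empty list; lint(BROKEN_CONFIG) returns two findings, one per planted mistake. The linter only understands the statement forms used above, so treat it as a pre-change consistency check, not a replacement for 'show crypto ipsec sa' and 'show ip nat translations' on the router once the tunnel is up.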
Wednesday, June 19, 2013
Cisco Voice: "Error Pass Limit" Error Message
This really is frustrating, to say the least. I came behind someone who had 'set up an IP phone' at one of my customers, only to find that they added the phone into CUCM but gave it no extension. I don't normally see this error message when there is no extension, but this time I did. Once I completed the configuration of the phone, it worked fine. There are other things to try if you find this message. Click here to go to Cisco's resolution page for this.
Tuesday, June 18, 2013
Cisco CME: Some Changes Using Notepad For Cut-And-Paste
I went in yesterday to a customer that needed some CME changes. I usually write them out in Notepad and paste them in when ready. This is what it looked like in this scenario. It's quick and easy in the CLI.
ephone-dn 37 dual-line
no call-waiting beep
number 1414
description Nurse-1414
name Nurse-1414
ephone 27
description Nurse-141408
mac-address 08CC.68E8.FA13
paging-dn 33 unicast
type 7962
button 1:37 2:1 3:2 4:3
button 5:4 6:5
----------------------------------------
ephone-dn 38 dual-line
no call-waiting beep
number 1415
description Dr Ben
name Dr Ben
ephone 23
no description JoAnn
description Dr Ben
no username "joann"
paging-dn 33 unicast
type 7941
button 1:38
!
ephone 28
description JoAnn
mac-address 08CC.68E9.064D
username "joann"
paging-dn 33 unicast
type 7962
button 1:34 2:1 3:2 4:3
button 5:4 6:5
!
ephone 13
no button 6:6
button 6:5
reset
=================================
ephone-hunt 3 sequential
no list 1500, 6963, 6962, 8953, 6965
list 1500, 6963, 6962, 8953
ephone 23
no description Dr Ben
description Dr P
no button 1:38
no ephone-dn 6
ephone-dn 6 dual-line
no call-waiting beep
call-forward busy 7000
call-forward noan 7000 timeout 16
number 6965
ephone 23
mac-address 0025.4593.4BF1
button 1:6
reset
ephone-dn 26
no description Nita
no name Nita
name Jeff
description Jeff
ephone 6
no description Nita
description jeff
ephone-dn 26
call-forward busy 7000
call-forward noan 7000 timeout 16
ephone 6
no button 2s4
reset
ephone 28
no button 1:34 2:1 3:2 4:3
no button 5:4 6:5
button 1:34 2s1 3s2 4s3
button 5s4 6s5
reset
Monday, June 17, 2013
Im Not Sure What To Say
I had a customer this weekend that wanted me to move them over to a new ISP. They were going from two bonded T1s, a 3 Meg circuit, to a 10 Meg MetroE. I showed up to connect the firewall into the new ISP router, and things just wouldn't work. I couldn't get anyone at the ISP, so I broke into the router to find out what I needed to. As it turns out, the ISP just didn't have the router configured properly. This is what I ran into below. I blanked out names and IP addresses for security and so as not to embarrass anyone publicly.
Friday, June 14, 2013
Cisco Router: IOS 15 Upgrade Gone Bad
Well, this was a surprise to me. I had a router with IOS 15.1.?? (I don't recall exactly which it was), but I needed to overcome a NAT problem in particular that I thought was an IOS bug. So, I did an upgrade to version c2900-universalk9-mz.SPA.153-2.T.bin. To my surprise, once I tftp'ed the .bin file, put in the boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin statement, and typed reload, the router booted up to the initial configuration prompt. WOW. I was not expecting that. I'm not sure what happened exactly, but I quickly tftp'ed the 'sh run' I had taken before and got them up quickly. Very surprising. I don't think that is normal, but I at least wanted to share the experience with you all.
Thursday, June 13, 2013
Cisco Router: SDRAM ECC Error
Well, I went to replace a router here recently, and the router I was using to be the new router came up with this error after I had setup the router and was doing a ping test to test out the ISP line:
#ping 4.2.2.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 97.65.10.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!SDRAM ECC Error,
err addr - 0x236C7B2F, err data_l 0xE0F69399,err data_h 0xE6004C73,
rcv ecc - 0xA3000000, calc ecc 0xAF000000, err cnt 0x73000000
r0 = FFFFFFFF r1 = FFFFFFFF r2 = 0 r3 = 800 r4 = 0
r5 = 0 r6 = 0 r7 = 0 r8 = 0 r9 = 3F7B6C30
r10 = 0 r11 = CA657BA r12 = 0 r13 = 0 r14 = 0
r15 = 1 r16 = 0 r17 = F400 r18 = 0 r19 = FFFFFFFF
r20 = FFFFFFFF r21 = FFFF0000 r22 = 0 r23 = F601F400 r24 = 0
r25 = 61410A01 r26 = 0 r27 = 1 r28 = 0 r29 = F300
r30 = 0 r31 = 8070 r32 = FFFFFFFF r33 = FFFFFFFF r34 = FFFFFFFF
r35 = FFFFFFFF r36 = FFFFFFFF r37 = FFFFFFFF r38 = FFFFFFFF r39 = FFFFFFFF
r40 = FFFFFFFF r41 = FFFFFFFF r42 = FFFFFFFF r43 = FFFFFFFF r44 = FFFFFFFF
r45 = FFFFFFFF r46 = FFFFFFFF r47 = FFFFFFFF r48 = 0 r49 = 1000C00
r50 = 0 r51 = 269993 r52 = 0 r53 = 0 r54 = 0
r55 = 0 r56 = FFFFFFFF r57 = FFFFFFFF r58 = 0 r59 = 4672F4E0
r60 = FFFFFFFF r61 = FFFFFFFF r62 = 0 r63 = 42ECE8A8
sreg = 3400F903 mdlo_hi = 0 mdlo = 0
mdhi_hi = 0 mdhi = 7 badvaddr_hi = FFFFFFFF
badvaddr = FFFFFFFF cause = FFFFFFFF epc_hi = 0
epc = 42ECE914 err_epc_hi = FFFFFFFF err_epc = FFFFFFFF
%ERR-1-FATAL: Fatal error interrupt, reloading
err_stat=0x0
=== Flushing messages (07:11:18 UTC Thu Jun 6 2013) ===
Queued messages:
07:11:19 UTC Thu Jun 6 2013: Interrupt exception, CPU signal 22, PC = 0x0
--------------------------------------------------------------------
Possible software fault. Upon reccurence, please collect
crashinfo, "show tech" and contact Cisco Technical Support.
--------------------------------------------------------------------
As it turns out, the memory was bad in this router. So, if you come across something like this, you may want to keep your memory in mind. It's just like changing out the memory of a PC.
Wednesday, June 12, 2013
Cisco ASA: NAT Statement Order Does Matter
Ok, so I came across this today and I thought this was interesting. On the Cisco ASA (and really all other firewalls), your NAT statement order does matter. I had a case today where a remote group (5.5.5.5) was trying to send traffic TO my customer end, and they did not get a response back. As it turns out, my statement for the whole 192.168.10.0 subnet (the fifth line below) was causing the problem. The remote side was trying to get to obj-192.168.10.94, but that subnet-wide statement was causing the internal server 192.168.10.94 to get NAT'ed to any IP in the 78.78.78.0 subnet range. Notice the order below:
nat (inside,outside) source static obj-192.168.10.90 obj-78.78.78.90 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.26 obj-78.78.78.91 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.1 obj-78.78.78.92 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.42 obj-78.78.78.93 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.0 obj-78.78.78.0 destination static obj-5.5.5.0 obj-5.5.5.0
nat (inside,outside) source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5
So, what I had to do was take the statement out, and then put it back in again. But putting it back in looked like this instead:
nat (inside,outside) 1 source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5
Notice the "1" in the above statement. It tells the ASA to insert that rule at line 1 of the manual NAT section instead of appending it at the end, so the host-specific rule is evaluated before the subnet-wide one. You can confirm the resulting order with 'show nat'. It will then look like this:
nat (inside,outside) source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.90 obj-78.78.78.90 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.26 obj-78.78.78.91 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.1 obj-78.78.78.92 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.42 obj-78.78.78.93 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.0 obj-78.78.78.0 destination static obj-5.5.5.0 obj-5.5.5.0
After I made this change, the remote site could get to the 192.168.10.94 server and all was in good working order. So, if you ever wondered if the NAT statement order ever mattered, well, it does. This was a good case study for this particular kind of problem.
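The following Python model is added here and is not part of the original post or of any Cisco tool. It shows the first-match behaviour that caused the problem and the effect of re-adding the rule at line 1. The object contents are assumed from the object names, since the post shows only the nat statements and not the 'object network' definitions; shadowed() reports any later rule that an earlier, broader rule makes unreachable, which is the general form of this mistake rather than just the .94 case.

```python
"""Added example (not from the post): a model of ASA manual (section 1) NAT
ordering showing why the .94 rule never matched and why re-adding it with a
line number fixes it. Rules are evaluated top-down and the first one whose
real source AND real destination match wins, so a broad net-to-net rule
above a host rule hides the host rule completely."""
import ipaddress
import re

# Assumed object contents: the post shows the nat statements but not the
# 'object network' definitions, so these are inferred from the names.
OBJECTS = {
    "obj-192.168.10.90": "192.168.10.90/32", "obj-78.78.78.90": "78.78.78.90/32",
    "obj-192.168.10.26": "192.168.10.26/32", "obj-78.78.78.91": "78.78.78.91/32",
    "obj-192.168.10.1": "192.168.10.1/32",   "obj-78.78.78.92": "78.78.78.92/32",
    "obj-192.168.10.42": "192.168.10.42/32", "obj-78.78.78.93": "78.78.78.93/32",
    "obj-192.168.10.94": "192.168.10.94/32", "obj-78.78.78.94": "78.78.78.94/32",
    "obj-192.168.10.0": "192.168.10.0/24",   "obj-78.78.78.0": "78.78.78.0/24",
    "obj-5.5.5.5": "5.5.5.5/32",             "obj-5.5.5.0": "5.5.5.0/24",
}

# The six statements in the order the post found them.
AS_FOUND = [
    "nat (inside,outside) source static obj-192.168.10.90 obj-78.78.78.90 destination static obj-5.5.5.5 obj-5.5.5.5",
    "nat (inside,outside) source static obj-192.168.10.26 obj-78.78.78.91 destination static obj-5.5.5.5 obj-5.5.5.5",
    "nat (inside,outside) source static obj-192.168.10.1 obj-78.78.78.92 destination static obj-5.5.5.5 obj-5.5.5.5",
    "nat (inside,outside) source static obj-192.168.10.42 obj-78.78.78.93 destination static obj-5.5.5.5 obj-5.5.5.5",
    "nat (inside,outside) source static obj-192.168.10.0 obj-78.78.78.0 destination static obj-5.5.5.0 obj-5.5.5.0",
    "nat (inside,outside) source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5",
]
FIX = "nat (inside,outside) 1 source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5"

NAT_RE = re.compile(r"nat \([^)]+\)(?: (?P<line>\d+))? source static (?P<rs>\S+) (?P<ms>\S+)"
                    r" destination static (?P<rd>\S+) (?P<md>\S+)")


def parse_rule(statement):
    """Return (line or None, (real_src, mapped_src, real_dst, mapped_dst)) as networks."""
    m = NAT_RE.fullmatch(statement.strip())
    if not m:
        raise ValueError(f"unsupported nat statement: {statement}")
    nets = tuple(ipaddress.ip_network(OBJECTS[m.group(k)]) for k in ("rs", "ms", "rd", "md"))
    return (int(m["line"]) if m["line"] else None), nets


def add_rule(rules, statement):
    """Mimic the ASA: no line number appends the rule; 'nat (...) N ...' inserts it at line N."""
    line, rule = parse_rule(statement)
    rules.insert(len(rules) if line is None else line - 1, rule)
    return rules


def build(statements):
    rules = []
    for s in statements:
        add_rule(rules, s)
    return rules


def first_match(rules, src, dst):
    """Line number and mapped-source network of the first rule matching a real src/dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, (rs, ms, rd, _) in enumerate(rules, start=1):
        if src in rs and dst in rd:
            return line, ms
    return None


def shadowed(rules):
    """(earlier_line, later_line) pairs where the later rule can never be reached."""
    pairs = []
    for j, (rs_j, _, rd_j, _) in enumerate(rules, start=1):
        for i, (rs_i, _, rd_i, _) in enumerate(rules[: j - 1], start=1):
            if rs_j.subnet_of(rs_i) and rd_j.subnet_of(rd_i):
                pairs.append((i, j))
                break
    return pairs


def reorder_94(rules):
    """Remove the .94 rule and put it back at line 1, as the post did."""
    host94 = ipaddress.ip_network("192.168.10.94/32")
    return add_rule([r for r in rules if r[0] != host94], FIX)


if __name__ == "__main__":
    before = build(AS_FOUND)
    print("before:", shadowed(before), first_match(before, "192.168.10.94", "5.5.5.5"))
    after = reorder_94(before)
    print("after:", shadowed(after), first_match(after, "192.168.10.94", "5.5.5.5"))
```

With the rules as found, shadowed() reports (5, 6): line 5 (the /24) fully covers line 6, so 192.168.10.94 to 5.5.5.5 matches line 5. After reorder_94() the host rule is line 1, nothing is shadowed, and only hosts not covered by a specific rule fall through to the /24. On the real box, 'show nat detail' prints the translate_hits and untranslate_hits counters; a rule that never accumulates hits while a broader rule above it does is the same symptom the model reports.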
Thursday, June 6, 2013
ShoreTel: What Is The T1/T1k ShoreGear Default Password
Have you ever needed to look up the default password on a ShoreTel T1 or T1k? I have, many times. Here is what their documentation says (although very hard to find):
You are prompted for a user name and password.
Step 2: For the user name, enter anonymous.
Step 3: For the password, enter ShoreTel (case sensitive).
Monday, June 3, 2013
Palo Alto: How To Put An IP Address On The Firewall When Starting To Configure It
Today, one of the remote engineers (Jim) asked me to put an IP address on a Palo Alto firewall so he could configure it remotely. He is a couple of hours away from the box, so after the 13th time of him asking me, I was happy to do so. So, I plugged a network cable into the management port, put it in the right VLAN on my core switch, and logged into the console port of the Palo Alto with the admin/admin user ID/password. You can use a Cisco console cable if you have one, as that is what I had. Once you get to the prompt, here is what you do to get an IP address onto the box (and change that default admin password before the management port is reachable from the network):
configure
set deviceconfig system ip-address 192.168.1.6
set deviceconfig system default-gateway 192.168.1.1
commit
That should get Jim onto the box and work his magic remotely.
Sunday, June 2, 2013
For Sale Or Not For Sale???
Just curious, but the boat in the background has had that "NO" sign in front of it for the many years I have been here in Birmingham. Today, there was the truck in front of the house with a "YES" sign in front of it. What does it mean exactly? If you know, please do comment.
Saturday, June 1, 2013
Cisco Router - IOS Version 15: How To Upgrade/Add A License File For More Features
I had to do this today on a router because I needed VPN capability, but I didn't have it because we had not bought a security license on this particular 2901 router. I had to buy a license and get it sent electronically (because that is the fastest way) so I could get this done today. Well, here are the steps I had to take to get this done:
Get the PAK key.
Go to the Cisco license page and login.
Enter the PAK and add your UDI (Product ID and Serial Number). Find these with the 'show license udi' command on the router.
Download your license.
TFTP the license to your router flash.
Use 'license install flash:licensename.lic' to install the license.
Reboot the router.
It looked like this when installing the license:
2901#license install flash:licensename.lic
Installing licenses from "flash:licensename.lic"
Installing...Feature:securityk9...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
Verify with the 'show license all' command:
2901#sh license all
License Store: Primary License Storage
StoreIndex: 0 Feature: ipbasek9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 1 Feature: uck9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 2 Feature: securityk9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
License Store: Built-In License Storage
StoreIndex: 0 Feature: securityk9 Version: 1.0
License Type: EvalRightToUse
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 1 Feature: uck9 Version: 1.0
License Type: EvalRightToUse
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 2 Feature: datak9 Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 3 Feature: gatekeeper Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 4 Feature: SSL_VPN Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: 0/0 (In-use/Violation)
License Priority: None
StoreIndex: 5 Feature: ios-ips-update Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 6 Feature: SNASw Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 7 Feature: cme-srst Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: 0/0 (In-use/Violation)
License Priority: None
StoreIndex: 8 Feature: WAAS_Express Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 9 Feature: UCVideo Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
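As an added example (not from the post, and not a Cisco tool), here is a Python parser for 'show license all' that reports which features are backed by a permanent license and which are only active on the built-in evaluation (EvalRightToUse) license. That is the check worth running before and after an install like this one, or across a fleet, to find routers doing IPsec on a right-to-use license that will run out. The sample is abridged from the output above (two features per store), and the BEFORE_INSTALL variant is constructed to show what a router still running securityk9 on the evaluation license looks like.

```python
"""Added example (not from the post): parse 'show license all' output and
tell which features are backed by a permanent license versus running on the
built-in evaluation (EvalRightToUse) license."""
import re

# Abridged from the output in the post (two features per store).
SHOW_LICENSE_ALL = """\
License Store: Primary License Storage
StoreIndex: 0 Feature: ipbasek9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 2 Feature: securityk9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
License Store: Built-In License Storage
StoreIndex: 0 Feature: securityk9 Version: 1.0
License Type: EvalRightToUse
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
StoreIndex: 2 Feature: datak9 Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
"""

# Constructed "before the install" state: no permanent securityk9, and the
# router is running crypto on the evaluation copy after accepting the EULA.
PRIMARY_SECURITYK9 = """StoreIndex: 2 Feature: securityk9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
"""
BEFORE_INSTALL = SHOW_LICENSE_ALL.replace(PRIMARY_SECURITYK9, "").replace(
    "License Type: EvalRightToUse\nLicense State: Inactive",
    "License Type: EvalRightToUse\nLicense State: Active, In Use", 1)

ENTRY_RE = re.compile(r"StoreIndex:\s*(\d+)\s+Feature:\s*(\S+)\s+Version:\s*(\S+)")


def parse_show_license_all(text):
    """Return {store name: [entry dict, ...]}; each entry keeps its 'Key: Value' fields."""
    stores, store, entry = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if line.startswith("License Store:"):
            store = stores.setdefault(line.split(":", 1)[1].strip(), [])
            entry = None
        elif m and store is not None:
            entry = {"index": int(m.group(1)), "feature": m.group(2), "version": m.group(3)}
            store.append(entry)
        elif entry is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            entry[key] = value
    return stores


def audit(stores):
    """Return (permanent, on_evaluation): features with an Active permanent license,
    and features whose only Active license is an EvalRightToUse one."""
    permanent, evaluation = set(), set()
    for entries in stores.values():
        for e in entries:
            if e.get("License State", "").startswith("Active"):
                target = permanent if e.get("License Type") == "Permanent" else evaluation
                target.add(e["feature"])
    return permanent, evaluation - permanent
```

audit() on the post's output returns ipbasek9 and securityk9 as permanent and nothing on evaluation; on the BEFORE_INSTALL variant it returns securityk9 as the one feature living on the evaluation license. The parser keys on the 'License Store:' and 'StoreIndex:' lines, so it does not depend on the indentation that the blog lost.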