I thought I would put together this diagram on how to stack the 6450s as far as the physical cabling goes. These are 10Gig stacking cables between each. You run the command "stack enable" in config mode of each switch one at a time. You also want to configure the stack unit ID priorities, stack mac address and hitless failover.
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Friday, July 31, 2015
Thursday, July 30, 2015
SonicWall: Certification And Support
I'm trying to figure out if this is a good thing or not. With Dell SonicWall, if you want to get to level 2 support, you have to at least be CSSA certified. Now I do have CSSA, but what if you don't have it and you have a level 2 problem? It sounds to me that you won't be able to get support from them. I'm going to have to think about this, but at first glance, I don't like that approach to the level of support you can get to. I figure if my customer pays for a firewall, they should be able to get support on it.
Tuesday, July 28, 2015
Cisco Nexus: Module Troubleshooting
Sometimes it happens. I mean, it's all electronics, right? Module 9 in this Nexus 7K went bad at some point and now the only thing we can really do is RMA it. We re-seated the module with no success. I created a TAC case and will expect a replacement soon.
Core2# sh module
Mod Ports Module-Type Model Status
--- ----- ----------------------------------- ------------------ ----------
1 0 Supervisor Module-2 N7K-SUP2 active *
2 0 Supervisor Module-2 N7K-SUP2 ha-standby
3 48 1/10 Gbps Ethernet Module N7K-F248XP-25E ok
4 48 1/10 Gbps Ethernet Module N7K-F248XP-25E ok
5 12 10/40 Gbps Ethernet Module N7K-F312FQ-25 ok
7 48 1000 Mbps Optical Ethernet XL Modul N7K-M148GS-11L ok
8 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L ok
9 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L powered-dn
Mod Power-Status Reason
--- ------------ ---------------------------
9 powered-dn Reset (powered-down) because module does not boot
Mod Sw Hw
--- --------------- ------
1 7.2(0)D1(1) 3.0
2 7.2(0)D1(1) 3.0
3 7.2(0)D1(1) 1.0
4 7.2(0)D1(1) 1.2
5 7.2(0)D1(1) 1.1
7 7.2(0)D1(1) 2.1
8 7.2(0)D1(1) 2.1
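Added example, not part of the original post: a Python parser for the "show module" tables above that joins status, power-down reason and software/hardware version by slot and returns the modules that are not healthy, so the powered-dn slot 9 comes back with its reason attached. The HEALTHY status set is this example's own assumption.

```python
"""Parse Cisco Nexus 'show module' output and pick out unhealthy modules.

Added example, not from the original post. 'show module' prints three
tables (status, power status with a reason, software/hardware version);
this joins them by slot and returns every module whose status is outside
a healthy set, so the powered-dn slot 9 above comes back with its reason.
The HEALTHY set is this example's assumption.
"""

# Constructed sample: the transcript above, trimmed to a few rows.
SAMPLE_SHOW_MODULE = """\
Mod Ports Module-Type Model Status
--- ----- ----------------------------------- ------------------ ----------
1 0 Supervisor Module-2 N7K-SUP2 active *
2 0 Supervisor Module-2 N7K-SUP2 ha-standby
3 48 1/10 Gbps Ethernet Module N7K-F248XP-25E ok
8 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L ok
9 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L powered-dn
Mod Power-Status Reason
--- ------------ ---------------------------
9 powered-dn Reset (powered-down) because module does not boot
Mod Sw Hw
--- --------------- ------
1 7.2(0)D1(1) 3.0
2 7.2(0)D1(1) 3.0
3 7.2(0)D1(1) 1.0
8 7.2(0)D1(1) 2.1
"""

HEALTHY = {"ok", "active", "ha-standby"}

# Header keyword (second column) -> which table we are in.
SECTIONS = {"Ports": "status", "Power-Status": "power", "Sw": "version"}


def _new_entry():
    return {"ports": None, "type": None, "model": None, "status": None,
            "power_status": None, "reason": None, "sw": None, "hw": None}


def parse_show_module(text):
    """Return {slot: entry} with the three tables merged per slot."""
    modules = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue                      # blank line or column underline
        if line.startswith("Mod "):
            section = SECTIONS.get(line.split()[1])
            continue
        tokens = line.split()
        if section is None or not tokens[0].isdigit():
            continue                      # text we do not recognise
        entry = modules.setdefault(int(tokens[0]), _new_entry())
        if section == "status":
            if tokens[-1] == "*":         # '*' marks the active supervisor
                tokens = tokens[:-1]
            # Module-Type contains spaces, so take Model/Status from the right.
            entry.update(ports=int(tokens[1]), type=" ".join(tokens[2:-2]),
                         model=tokens[-2], status=tokens[-1])
        elif section == "power":
            entry.update(power_status=tokens[1], reason=" ".join(tokens[2:]))
        elif section == "version":
            entry.update(sw=tokens[1], hw=tokens[2])
    return modules


def unhealthy_modules(text):
    """Return [(slot, status, reason)] for every module not in HEALTHY."""
    return [(slot, m["status"], m["reason"])
            for slot, m in sorted(parse_show_module(text).items())
            if m["status"] not in HEALTHY]


if __name__ == "__main__":
    for slot, status, reason in unhealthy_modules(SAMPLE_SHOW_MODULE):
        print(f"module {slot}: {status} ({reason})")
```

A module that has dropped out of the Sw/Hw table, as slot 9 has above, comes back with sw and hw set to None, which is a second signal worth alerting on.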
Monday, July 27, 2015
Check Point/Palo Alto/SonicWall: GeoLocation Is A Really Cool Thing
I always like the geolocation feature in a firewall. Check Point and Palo Alto do this well for both inbound and outbound (separately). SonicWall is either on or off, meaning I either have to enable it for a country for both inbound and outbound, or I disable it for that country. I'd like to see inbound/outbound for SonicWall like I do with Check Point and Palo Alto. Either way, these countries are the ones I block most frequently for customers when I can. Below are the abbreviations on a Palo unit:
MX Mexico
BR Brazil
CF Central African Republic
CN China
DE Germany
EU European Union
RU Russian Federation
SE Sweden
ZA South Africa
HU Hungary
IT Italy
IN India
RO Romania
BR Brazil
TW Taiwan
TR Turkey
Sunday, July 26, 2015
Sunday Thought: John 1:1-5
1 In the beginning was the Word, and the Word was with God, and the Word was God. 2 He was with God in the beginning. 3 Through him all things were made; without him nothing was made that has been made. 4 In him was life, and that life was the light of all mankind. 5 The light shines in the darkness, and the darkness has not overcome it.
There is a lot of neat wonder in the first verses of John.
Saturday, July 25, 2015
Thursday, July 23, 2015
Cisco Voice: CUBE Troubleshooting For SIP Calls Inbound
While implementing a Cisco voice solution one weekend, I found that my CUBE was not sending inbound calls to my new CUCM. Outbound worked fine, but inbound did not. What we found was that SIP was not enabled on the dial-peer on the CUBE. I typed the fix in the drawing below, but in case you can't see it:
dial-peer voice 100 voip
session protocol sipv2
end
Wednesday, July 22, 2015
Check Point: How To Take A CPINFO
Check Point expects you to know how to take a CPInfo, which really drives me nuts. Not everyone knows how to do this, and I have found that not everyone at Check Point knows how to do this. Well, I have done it enough to know how, but I run into people a lot that do not know. This post is just a "how to take a cpinfo" post. Here is what I did the last time I took one.
CPFW> cpinfo -z -l -o /var/log/gateway.cpinfo
Would you like to download the latest CPinfo package from Check Point Download Center? y/n: [y]y
Updating...
Verifying CK...
An updated package was found, downloading and installing it
Started downloading updated package
Downloading update package cpinfo_914000118_1.tgz - 3757294/3757294 (100%)
Downloaded package verification succeeded
Starting installation of new CPinfo version
CPinfo update finished successfully!
Launching new version of CPinfo
Would you like to upload CPinfo file securely to Check Point Download Center? y/n: [y]n
CPinfo Creation...
Collecting information...: 100%
Compressing output file...
Compressing output file - done (/var/log/gateway.cpinfo.gz)
Done
CPFW>
CPFW> expert
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@CPFW:0]# pwd
/home/admin
[Expert@CPFW:0]# cd /var/log
[Expert@CPFW:0]# ls -l *ga*
-rw-r--r-- 1 admin root 511 Jun 4 09:51 gaia_init_config.log
-rw-rw-r-- 1 admin root 56948317 Jul 1 13:30 gateway.cpinfo.gz
[Expert@CPFW:0]#
Tuesday, July 21, 2015
ACME Packet SBC Firmware Upgrade ~~ By Mike Parks
Mike Parks was generous enough to share his experience in upgrading ACME SBCs and post on the blog about it. Thank you Mike for participating in the blog. ~~ Shane Killen
If you want to upgrade your Acme Packet SBC (Oracle Net-Net SBC), hopefully my notes will make the process smoother. If you have an Oracle account, you can obtain the upgrade software here https://edelivery.oracle.com/ if not, you will need to sign up, and have yourself associated with your company. The best one stop shop for SBC documentation is here http://www.oracle.com/technetwork/indexes/documentation/oracle-comms-acme-packet-2046907.html and finally, for the Oracle SCX upgrade, look up sbc_scx640_troubleshooting.pdf
The following example was performed on a standalone Acme Packet 3820 SBC.
Preliminary work, back it up!
*acmesbc# show ver
*acmesbc# verify-config (Resolve config errors prior to upgrading)
*acmesbc# check-space-remaining code (Check for at least 8 meg of space)
*acmesbc# show version boot (Validate bootloader dated June 21, 2011 or later)
*acmesbc# backup-config (Enter NEW backup name, ex. Backup-config New_Backup)
*acmesbc# display-backups (New backup will display, if you need to restore your config later type: restore-backup-config FILENAME)
After you download the new software to your PC, you need to FTP the software to the SBC (Filezilla works great). In the Host field, enter the SBC host IP. Unless you changed the login, the default login is, Username: user / Password: acme
FTP your file into the /code/images directory, it should look like this after loaded: /code/images/nnSCX640m6p1.xz
Next, you need to make the file part of your bootup config in your SBC.
*acmesbc# configure terminal
*acmesbc# bootparam (Hit enter until you see file name, type your new filename to the right of your old filename.)
file name : /code/images/nnSCX630.gz /code/images/nnSCX640m6p1.xz (example)
Enter through the remaining commands, and reboot.
After the reboot, log back in, and you should see your new firmware.
ACME Net-Net 3820 Firmware SCX6.4.0 MR-6 Patch 1 (Build 547)
Build Date=05/21/15
/code/images/nnSCX640m6p1.xz
That’s it, you just completed the upgrade!
Monday, July 20, 2015
Cisco ASA: 5505 ASA Config Template
Below is a template I created while doing an ASA 5505 (directly out of box) for a remote site. It had one VPN and the rest was just a plain Jane config. Below is my template for such a config. It's a pre-8.3 config. Make sure you upgrade something like this before you send it onsite:
ASA(config)# username shane pass password
ASA(config)# enable pass apasswordthatissecret
ASA(config)# hostname ASA
ASA(config)# aaa authentication ssh con LOCAL
ASA(config)# crypto key generate rsa mod 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
ASA(config)# route outside 0.0.0.0 0.0.0.0 7.8.9.106
ASA(config)# int vlan 2
ASA(config-if)# ip add 7.8.9.105 255.255.255.252
ASA(config-if)# no shut
ASA(config)# no dhcpd enable inside
ASA(config)# no dhcpd address 10.10.1.5-10.10.1.254 inside
ASA(config)#
ASA(config)# no dhcpd enable inside
ASA(config)# no dhcpd address 10.10.1.5-10.10.1.254 inside
ASA(config)# interface Vlan1
ASA(config-if)# no ip add
ASA(config-if)# ip add 10.10.199.1 255.255.255.0
ASA(config-if)# no shut
ASA(config-if)# route inside 10.10.4.0 255.255.255.0 10.10.199.2
ASA(config)# route inside 10.10.14.0 255.255.255.0 10.10.199.2
ASA(config)#
ASA(config)# aaa authentication serial console LOCAL
ASA(config)# crypto isakmp policy 10
ASA(config-isakmp-policy)# authentication pre-share
ASA(config-isakmp-policy)# encryption aes-256
ASA(config-isakmp-policy)# hash sha
ASA(config-isakmp-policy)# group 2
ASA(config-isakmp-policy)# lifetime 86400
ASA(config-isakmp-policy)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)# access-list 2HQ permit ip 10.10.4.0 255.255.255.0 10.10.2.0 255.255.255.0
ASA(config)# access-list 2HQ permit ip 10.10.14.0 255.255.255.0 10.10.12.0 255.255.255.0
ASA(config)# access-list 2HQ permit ip 10.10.14.0 255.255.255.0 10.10.13.0 255.255.255.0
ASA(config)# access-list 2HQ permit ip 10.10.14.0 255.255.255.0 10.10.11.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.4.0 255.255.255.0 10.10.2.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.14.0 255.255.255.0 10.10.12.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.14.0 255.255.255.0 10.10.13.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.14.0 255.255.255.0 10.10.11.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat
ASA(config)# tunnel-group 20.30.40.55 type ipsec-l2l
ASA(config)# tunnel-group 20.30.40.55 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key veryprivatevpnkeynothisisnotwhatiuse
ASA(config-tunnel-ipsec)# exit
ASA(config)# crypto map outside_map 10 match address 2HQ
ASA(config)# crypto map outside_map 10 set peer 20.30.40.55
ASA(config)# crypto map outside_map 10 set transform-set ESP-3DES-SHA
ASA(config)# crypto map outside_map interface outside
ASA(config)# crypto isakmp enable outside
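Added example, not the author's code: a small Python audit that reads a pasted ASA transcript like the template above, skips the INFO/WARNING lines the box printed, and flags the settings a reviewer would want changed before the unit ships (SSH accepted from any source, the 1024-bit RSA key, the 3DES transform set, DH group 2 in the IKE policy). The thresholds in MIN_RSA_BITS and MIN_DH_GROUP are this example's own assumptions.

```python
"""Audit an ASA CLI transcript for weak settings before it ships to a site.

Added example, not from the original post. It reads a pasted transcript
like the template above, strips the "ASA(config...)# " prompts, skips the
INFO/WARNING lines the box printed, and flags the settings a reviewer
would want changed: SSH open to any source, an RSA host key under 2048
bits, DES/3DES in an IPsec transform set, and a weak IKE DH group. The
thresholds are this example's own assumptions.
"""
import re

# Constructed sample: a subset of the template above, prompts included.
SAMPLE_TRANSCRIPT = """\
ASA(config)# hostname ASA
ASA(config)# crypto key generate rsa mod 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
ASA(config)# crypto isakmp policy 10
ASA(config-isakmp-policy)# encryption aes-256
ASA(config-isakmp-policy)# hash sha
ASA(config-isakmp-policy)# group 2
ASA(config-isakmp-policy)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)# crypto map outside_map 10 set transform-set ESP-3DES-SHA
"""

# "ASA(config)# cmd" or "ASA(config-if)# cmd"; group 1 is the mode, group 2 the command.
PROMPT_RE = re.compile(r"^[\w.-]+\((config[^)]*)\)#\s*(.*)$")

MIN_RSA_BITS = 2048   # assumption: anything shorter gets flagged
MIN_DH_GROUP = 14     # assumption: groups 1, 2 and 5 get flagged


def parse_transcript(text):
    """Yield (line_no, mode, command) for every line that carries a prompt.

    Lines without a prompt (device output such as INFO/WARNING) and bare
    prompts with no command are skipped.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PROMPT_RE.match(line)
        if m and m.group(2).strip():
            yield line_no, m.group(1), m.group(2).strip()


def check_command(mode, cmd):
    """Return a finding for one command, or None if there is nothing to flag."""
    m = re.match(r"ssh\s+(\S+)\s+(\S+)\s+(\S+)$", cmd)
    if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
        return f"SSH accepted from any source on '{m.group(3)}'; restrict to admin subnets"
    m = re.match(r"crypto key generate rsa\s+mod(?:ulus)?\s+(\d+)", cmd)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        return f"RSA host key is only {m.group(1)} bits; generate {MIN_RSA_BITS} or more"
    m = re.match(r"crypto ipsec transform-set\s+(\S+)\s+(.+)$", cmd)
    if m and re.search(r"\besp-(?:3des|des)\b", m.group(2)):
        return f"transform-set '{m.group(1)}' uses DES/3DES; use an AES ESP transform"
    # 'group N' means the DH group only inside an ISAKMP policy.
    m = re.match(r"group\s+(\d+)$", cmd)
    if m and mode == "config-isakmp-policy" and int(m.group(1)) < MIN_DH_GROUP:
        return f"IKE policy uses DH group {m.group(1)}; use group {MIN_DH_GROUP} or stronger"
    return None


def audit(text):
    """Return [(line_no, command, finding), ...] for every flagged command."""
    findings = []
    for line_no, mode, cmd in parse_transcript(text):
        finding = check_command(mode, cmd)
        if finding:
            findings.append((line_no, cmd, finding))
    return findings


if __name__ == "__main__":
    for line_no, cmd, finding in audit(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: {cmd}\n    -> {finding}")
```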
Saturday, July 18, 2015
Friday, July 17, 2015
Palo Alto: What Is Licensed, What Is Not
There seems to be some confusion around what you need a license for on the Palo Alto and what you don't need a license for. I thought I would put some things down I had from my own notes.
App-ID: free with the purchase of the Palo unit.
VPN global protect client: no licensing required for global protect client. There are some connection limitations based on the model of the unit.
URL filtering: requires a license.
Wildfire: With a subscription, it takes about 15 minutes to get an update for infected file types. Customers without a Wildfire subscription get the fix in the next day's update.
Threat Prevention: (IPS, Spyware, AV) requires a license.
For VPN - Posture assessment (hip check) is a "paid for" solution. Mobile client is a "paid for" solution. This is called "global protect gateway".
Thursday, July 16, 2015
The Dad Moments
It's the Daddy moments. My daughter is older now, but I'm still a Dad. I helped her put a light bar on her SUV. It was some work and very hot outside (in the 90s), but the few moments she expresses thankfulness for my time and effort are worth the several hours of working on something she wanted.
Wednesday, July 15, 2015
Cisco Voice: Putting An IP Address In VMware
In the new world of technology, it seems now when I'm doing a voice install, it's on top of VMware. So, to get this thing started, I need an IP address for the host. Here are the steps to get to that.
Step 1 through Step 5 (shown as images in the original post, not reproduced here).
Tuesday, July 14, 2015
Cisco ASA: Activating The AnyConnect License
How to activate an anyconnect mobile license key on the Cisco ASA.
ASA(config)# activation-key 9f9k7747 38hghfd5 kf74jhtr 9ceffc1c 7764e4a6
Validating activation key. This may take a few minutes...
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Both running and flash activation keys were updated with the requested key.
ASA(config)#
Monday, July 13, 2015
I Dont Want You To Miss This
This is worth repeating! If you missed yesterday's post, go back to yesterday's post, click on the link, and listen to the words.
Sunday, July 12, 2015
Saturday, July 11, 2015
Pic Of The Week: Closed...
We came to this place to see what their hours of operation were, so that we could come back the next day.
Thursday, July 9, 2015
Wednesday, July 8, 2015
Palo Alto: Software Upgrades
One thing you have to remember when upgrading the software to the latest version: download the base image first, then the latest upgrade. It needs that base image first before the latest. See below. I downloaded the 6.1 image before I downloaded the 6.1.4.
Tuesday, July 7, 2015
Packet Capture: Check Point CLI To Wireshark Dump
It's always helpful to take a packet capture from a firewall when you need to. Here on a Check Point 2200 firewall, I needed to see what was going on during a trouble call. So I wanted to take a packet capture into a Wireshark-readable format. Here is how I did that.
[Expert@CPFW:0]# fw monitor -i -p all -o capture2.cap
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
in chain (16):
0: -7f800000 (f2768890) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -7d000000 (f14e5690) (00000003) vpn multik forward in
2: - 2000000 (f14bda30) (00000003) vpn decrypt (vpn)
3: - 1fffffa (f14d6070) (00000001) l2tp inbound (l2tp)
4: - 1fffff8 (f276a040) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (f27a9500) (00000001) fw multik misc proto forwarding
6: - 1fffff2 (f14f65c0) (00000003) vpn tagging inbound (tagging)
7: - 1fffff0 (f14bc5f0) (00000003) vpn decrypt verify (vpn_ver)
8: - 1000000 (f28493a0) (00000003) SecureXL conn sync (secxl_sync)
9: 0 (f270d390) (00000001) fw VM inbound (fw)
10: 2000000 (f14bbc60) (00000003) vpn policy inbound (vpn_pol)
11: 10000000 (f2847420) (00000003) SecureXL inbound (secxl)
12: 7f600000 (f275de30) (00000001) fw SCV inbound (scv)
13: 7f730000 (f2966080) (00000001) passive streaming (in) (pass_str)
14: 7f750000 (f2b76c90) (00000001) TCP streaming (in) (cpas)
15: 7f800000 (f2768c30) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
0: -7f800000 (f2768890) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (f14e5670) (00000003) vpn multik forward out
2: - 1ffffff (f14bb520) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (f2b76ec0) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (f2966080) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (f14f65c0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (f276a040) (00000001) Stateless verifications (out) (asm)
7: 0 (f270d390) (00000001) fw VM outbound (fw)
8: 2000000 (f14bb740) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (f2847420) (00000003) SecureXL outbound (secxl)
10: 1ffffff0 (f14d6c20) (00000001) l2tp outbound (l2tp)
11: 20000000 (f14be470) (00000003) vpn encrypt (vpn)
12: 7f700000 (f2b770b0) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (f2768c30) (ffffffff) IP Options Restore (out) (ipopt_res)
monitor: monitoring (control-C to stop)
15752 monitor: caught sig 2
monitor: unloading
[Expert@CPFW:0]# ls -l
total 48240
-rw-rw-r-- 1 admin root 29636521 Jun 3 10:10 CPFWCPinfo.tgz.gz
-rw-r----- 1 admin root 5738635 Jun 1 14:52 CPFW_1_6_2015_14_50.CPViewDB.dat.gz
-rw-r--r-- 1 admin root 5735899 Jun 3 10:10 CPFW_3_6_2015_10_08.CPViewDB.dat.gz
-rw-rw---- 1 admin root 2655555 Jun 11 13:50 capture.test.txt
-rw-rw---- 1 admin root 1480 Jun 11 13:39 capture1
-rw-rw---- 1 admin root 5517380 Jun 11 14:00 capture2.cap
-rwxrwx--- 1 admin root 13894 Apr 21 12:53 crypt.def
[Expert@CPFW:0]# ftp 192.168.50.60
Connected to 192.168.50.60 (192.168.50.60).
220-GuildFTPd FTP Server (c) 1997-2002
220-Version 0.999.14
220 Please enter your name:
Name (192.168.50.60:admin): shane
331 User name okay, Need password.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bi
200 Type set to I.
ftp> put capture2.cap
local: capture2.cap remote: capture2.cap
227 Entering Passive Mode (192,168,50,60,201,12)
150 Opening binary mode data connection for /capture2.cap.
226 Transfer complete. 5517380 bytes in 2 sec. (2758.69 Kb/s).
5517380 bytes sent in 1.56 secs (3.5e+03 Kbytes/sec)
ftp> bye
221 Goodbye. Control connection closed.
[Expert@CPFW:0]#
Monday, July 6, 2015
Cisco CUCM: Security Password Reset
I have, very rarely, had to change the security password on a CUCM before. This is not an account in particular, but in this case, it was for restoring from a backup. For whatever reason, the backup password was not working. So, I needed to reset this to try to match what we thought it was. Here is the process I went through on the Publisher to get this reset:
admin:set password user security
Please enter the old password: **********
Please enter the new password: *********
Reenter new password to confirm: *********
WARNING:
The Disaster Recovery System is dependent on this security password you are attempting to change.
If you need to use any of the older backup archive to restore this system, you need to remember the
older security password. To avoid this scenario, we recommend you to conduct a DRS Backup of your
system/cluster immediately after this password change.
Please make sure that the security password on the publisher is changed first.
The security password needs to be the same on all cluster nodes,
or the publisher and subscriber(s) will not communicate.
After changing the security password on a cluster node, please restart that node.
Continue (y/n)?y
Please wait...
Password updated successfully.
admin:
Sunday, July 5, 2015
Sunday Thought: Outsiders
You know, we are literally the outsiders in this. We were the ones that sinned. We are the ones that are on the outside, until we come to know Jesus anyway. Outsiders
Saturday, July 4, 2015
Friday, July 3, 2015
Patch Cable Condition
It's always a good idea to check the condition of the cabling that you are using. I can tell you from first-hand experience that having a patch cable in poor condition will slow your connection speeds down. I initially had this long patch cable that had some places that made me a little concerned. It would connect me just fine, but when I ran a speed test from my cable provider, all I got was 9 Meg or so down. I went down and re-crimped the cabling and now I get 84 Meg down. Interesting.
You might as well forget that convenient wireless. It's half the wired speed.
Thursday, July 2, 2015
Check Point: The Sometimes Quirky
If you read my blog, you know that I do like Check Point firewalls. They are one of the top two, if you ask me (and Gartner). But, I have seen some flakiness that I don't like on occasion. This troubleshooting time was one of those times. I was on this problem for a while before I got any resolution. Check Point TAC didn't know the answer, and I just happened to come upon a fix for it. See the screenshot below. What real sense does this make, when a packet is accepted and sent across the VPN, and the next packet is dropped? UDP_10001, for a Shoretel packet traversing to a remote-access client. This kind of issue will drive you crazy.
I know I'm going to catch some flak for this, but sometimes Check Point is just downright flaky.
Wednesday, July 1, 2015
SDN: The Game Changer
I saw a demo of what the capabilities of SDN are going to be like. I have a feeling that was just the tip of the iceberg. I saw a packet get routed from one VLAN to another in a L2 switch. Not L3, L2! I'm thinking William at nycnetworkers.com probably has some good info on this. But I'm planning on diving in. More to come.