Yet another call manager question: Can you put a second extension on a 7911 in Call Manager 6.1? I know you can on CME, but on CCM I can't get it to work.
# ? Jun 10, 2009 21:41 |
|
|
Has anyone had success with the cisco anyconnect client? I don't know what I'm missing. We have an ASA 5540 running ASA 8.2(1)/ASDM 6.2(1) The 5.0 client works fine; when I installed and ran the newer client I receive. "Connection attempt has failed (timeout)." I've read the installation guide at Cisco; I've googled and failed. I've edited the .xml file, but there's a part where it asks for a hostname. Is it wanting a DNS resolvable record? Thanks for any help.
|
# ? Jun 12, 2009 01:16 |
|
Weissbier posted:Has anyone had success with the cisco anyconnect client? I don't know what I'm missing. We have an ASA 5540 running ASA 8.2(1)/ASDM 6.2(1) I take it this isn't in production? If it isn't enable buffered logging. Increase the buffer size, and set it to debug level. That's the best place to start. If you type "show asp table socket" do you see an entry like *:443?
|
# ? Jun 12, 2009 05:16 |
|
Weissbier posted:Has anyone had success with the cisco anyconnect client? I don't know what I'm missing. We have an ASA 5540 running ASA 8.2(1)/ASDM 6.2(1)
|
# ? Jun 12, 2009 16:02 |
|
It is in production. I opened up the xml but I don't see a webvpn section. I'm really lost here - The only part I see that needs to be changed from the sample xml is:code:
|
# ? Jun 13, 2009 14:54 |
|
Weissbier posted:It is in production. I opened up the xml but I don't see a webvpn section. I'm really lost here - The only part I see that needs to be changed from the sample xml is:
|
# ? Jun 13, 2009 15:50 |
|
Weissbier posted:I've edited the .xml file, but there's a part where it asks for a hostname. Is it wanting a DNS resolvable record? Thanks for any help. At the top of the XML file where there is the help (massive block of comments) it should say what it wants for the hostname tag. I'll take a look at our ASA on Monday and confirm, it's been a while since we set it up. You can connect to it with the normal VPN client / SSL vpn client though, right?
|
# ? Jun 13, 2009 20:11 |
|
Does anyone have experience with 2811 or 7204VXR ITPs? I figure it's a bit of a niche product and it's better to ask before typing up/drawing everything. The questions revolve around DS0 muxing, TDM/SIGTRAN capabilities and if it can also be used as an IPSEC endpoint on the ITP IOS. FatCow fucked around with this message at 23:39 on Jun 13, 2009 |
# ? Jun 13, 2009 23:35 |
|
falz posted:The 'webvpn' section I was talking about is in the actual ASA's config, nothing related to XML at all. Sorry, as you can tell I'm seriously lost on this. Sojourner posted:At the top of the XML file where there is the help (massive block of comments) it should say what it wants for the hostname tag. I'll take a look at our ASA on Monday and confirm, it's been a while since we set it up. You can connect to it with the normal VPN client / SSL vpn client though, right? I'll look at mine as well. I currently connect using VPN client version 5.0.01.0600. It's the only client that I've ever connected with for this ASA and it must have been vendor configured a long time ago. The current client has a .pcf file, which if you open in a text editor seems relatively simple. This client doesn't work under Vista 64, and hence my attempted upgrade. Thanks
|
# ? Jun 15, 2009 02:35 |
|
I have a weird issue with a Cisco PIX 501 that I can't seem to figure out. A small client of ours is using it as their WAN firewall in our datacenter, but we have management to the device as well. What they're seeing is every few days network performance out to the Internet degrades, and over time it slows to a crawl. Management access via SSH and HTTPS no longer responds but I can connect my laptop up to it via the console port and manage the device. Memory usage is low, CPU usage is low, etc. I was expecting to see a ton of xlates indicating a compromise of some sort on the inside network - and there are a few hosts showing 10-15 xlates, but that doesn't seem too out of the ordinary. I'm stumped. A "reload" resolves the issue - speed to the Internet is restored to its normal level, I can manage via SSH/HTTPS again, etc. But, it only takes a few days and then it's back at the same level again. The firewall is running 6.3(5) software, so it's not the well known bug that's out there, I don't think. sh xlate, sh conn count, etc. all show fairly low usage. Any ideas?
|
# ? Jun 15, 2009 21:25 |
|
Is the PIX actually performing any NAT/PAT operations? If not, try "xlate-bypass"
|
# ? Jun 15, 2009 21:30 |
|
Yeah, it actually does PAT from the inside networks outbound and has a few 1:1 static NATs public/private set up for a few different servers. This device also acts as an IPSec VPN endpoint to an off-site partner of theirs. Since this thing is end-of-life I'm thinking about throwing in a Juniper Netscreen, with which I'm more familiar/comfortable, and calling it good. Anybody else seen this? A couple of the network guys here have anecdotal experiences of PIX 501s doing this but don't have any suggestions of how to fix it other than replacing it. EDIT - It's starting to look like an internal network compromise. There's an inside host that has a bunch of xlates that are successive ports - PAT Global <public IP>(1630) Local 192.168.1.92(1040) PAT Global <public IP>(1631) Local 192.168.1.92(1041) PAT Global <public IP>(1632) Local 192.168.1.92(1042) etc., etc. I'm having them take a look at this particular inside host as it seems to be the biggest offender. The sheer amount of translation slots plus the successive nature of the ports tells me it's probably not something benign. GOOCHY fucked around with this message at 22:23 on Jun 15, 2009 |
# ? Jun 15, 2009 21:35 |
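The "many xlates on successive ports from one inside host" pattern GOOCHY describes can be checked mechanically rather than by eyeballing `show xlate`. The following is an added example, not code from this thread or from Cisco: it parses constructed PIX 6.x-style PAT entries (public IP and thresholds are placeholders) and flags hosts whose translation slots are both numerous and sequential. Treat the result as a triage hint, not proof of compromise; a single browser can also open a burst of sequential ports.

```python
import re
from collections import defaultdict

# Constructed sample in the "show xlate" format quoted in the post above.
# 203.0.113.10 is a documentation-range placeholder for the public PAT address.
SAMPLE_XLATE = """\
PAT Global 203.0.113.10(1630) Local 192.168.1.92(1040)
PAT Global 203.0.113.10(1631) Local 192.168.1.92(1041)
PAT Global 203.0.113.10(1632) Local 192.168.1.92(1042)
PAT Global 203.0.113.10(1633) Local 192.168.1.92(1043)
PAT Global 203.0.113.10(1634) Local 192.168.1.92(1044)
PAT Global 203.0.113.10(1635) Local 192.168.1.92(1045)
PAT Global 203.0.113.10(1700) Local 192.168.1.15(3021)
PAT Global 203.0.113.10(1702) Local 192.168.1.15(1122)
Global 203.0.113.20 Local 192.168.1.50
"""

# Matches only PAT lines; static 1:1 NAT lines (no ports) are ignored on purpose.
XLATE_RE = re.compile(
    r"^PAT Global (?P<gip>\S+?)\((?P<gport>\d+)\) Local (?P<lip>\S+?)\((?P<lport>\d+)\)$"
)


def parse_pat_xlates(text):
    """Return {local_ip: sorted list of local source ports} for PAT entries."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            ports[m["lip"]].append(int(m["lport"]))
    return {ip: sorted(p) for ip, p in ports.items()}


def longest_sequential_run(ports):
    """Longest run of consecutive source ports, e.g. [1040, 1041, 1042] -> 3."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def suspicious_hosts(text, min_xlates=5, min_run=4):
    """Flag hosts with many PAT slots that are also sequential (thresholds are assumptions)."""
    flagged = {}
    for ip, ports in parse_pat_xlates(text).items():
        run = longest_sequential_run(ports)
        if len(ports) >= min_xlates and run >= min_run:
            flagged[ip] = {"xlates": len(ports), "sequential_run": run}
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_hosts(SAMPLE_XLATE).items():
        print(f"{ip}: {info['xlates']} xlates, longest sequential run {info['sequential_run']}")
```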
|
There is a Cisco VG248 that I need to get "show tech-support" output from. When I telnet into it, I am presented with this totally alien GUI. Is there a way to bring up the command line on this thing, or a way to get the show tech out of the GUI?
|
# ? Jun 15, 2009 23:02 |
|
WT Wally posted:There is a Cisco VG248 that I need to get "show tech-support" output from. When I telnet into it, I am presented with this totally alien GUI. Is there a way to bring up the command line on this thing, or a way to get the show tech out of the GUI? Is getting physical access to the switch and using a console cable an option? And when you say alien GUI, do you mean like weird crazy characters or "linux kernel 2.6.27" (or whatever it was)? Also I forgot I was spending my Monday in an un-air-conditioned comms closet patching, so I'll look at the VPN as soon as I can get a chance.
|
# ? Jun 16, 2009 00:18 |
|
tortilla_chip posted:Is the PIX actually performing any NAT/PAT operations? If not, try "xlate-bypass" This doesn't exist in PIX 6.X and prior. Goochy, can you PM me a show tech when it's slow?
|
# ? Jun 16, 2009 00:23 |
|
Sojourner posted:Is getting physical access to the switch and using a console cable an option? and when you say alien gui do you mean like weird crazy characters or "linux kernel 2.6.27"(or whatever it was)? I just meant alien as in non-Cisco-like. It's actually a pretty good gui. It gives me options to pull a show version, show running-config, etc. I just can't see the option for show tech in there anywhere. I'm about 3,000 miles away from the device, unfortunately.
|
# ? Jun 16, 2009 03:24 |
|
WT Wally posted:I just meant alien as in non-Cisco-like. It's actually a pretty good gui. It gives me options to pull a show version, show running-config, etc. I just can't see the option for show tech in there anywhere. I'm about 3,000 miles away from the device, unfortunately. Can you ctrl+c / shift+ctrl+6 out? There is a way in there somewhere to get to a CLI I bet, or even a way in the menu to get into the CLI. Here is a quick google book on cisco, in particular the menu part, and it may be able to help, good luck! http://books.google.ca/books?id=BYc...result&resnum=5
|
# ? Jun 16, 2009 03:54 |
|
I'm looking for feedback of any kind about the Secure Services Client for 802.1x on the wired LAN. Apparently it works around some XP related issues better than the Microsoft supplicant, but first-hand information is very hard to come by.
|
# ? Jun 17, 2009 16:46 |
|
Random question if someone has ever encountered this. I am doing a PIX 6.x migration to ASA and am familiar with the process. But I need to upgrade the memory in the PIX before I can convert the config to 7.x and migrate it to the ASA. The PIX is a 515 UR model, with 64MB of memory now. Kind of short term since I am doing the upgrade tomorrow but cannot find spec memory (PC100 64MB). Has anyone tested memory other than spec on a PIX 515? I am trying to use a 128MB stick of PC100 but have no way of testing until I get onsite. Do I need to go nuts and try to find a 64MB stick, or will the 128MB stick register as 64MB and work just fine?
|
# ? Jun 17, 2009 21:44 |
|
bj2001holt posted:Random question if someone has ever encountered this. I am doing a PIX 6.x migration to ASA and am familiar with the process. But I need to upgrade the memory in the PIX before I can convert the config to 7.x and migrate it to the ASA. It's essentially just a PC, so the 128MB stick should work, but you won't be able to put the cover back on unless you found the elusive super-low profile DIMM that the PIXes seem to need.
|
# ? Jun 17, 2009 22:32 |
|
jwh posted:I'm looking for feedback of any kind about the Secure Services Client for 802.1x on the wired LAN. Apparently it works around some XP related issues better than the Microsoft supplicant, but first-hand information is very hard to come by. That is what Cisco has on their work laptops. I liked the Funk Odyssey client better but the SSC has integrated VPN. Do you have any specific questions?
|
# ? Jun 17, 2009 22:46 |
|
ragzilla posted:It's essentially just a PC, so the 128MB stick should work, but you won't be able to put the cover back on unless you found the elusive super-low profile DIMM that the PIXes seem to need. Only need it temporarily so cover is not an issue. My only concern is the fact that it is a "purpose built" motherboard and I wasn't sure on how flexible it would be.
|
# ? Jun 17, 2009 23:51 |
|
Ok, this should be pretty simple for the calibre of this thread. In the configs for edge routers that we had a contractor write for us (before I had any idea) I notice the following in the incoming ACL. code:
My question is this: the WAN link is an ADSL connection so the first hop after the edge router will be the ISP's router. The ISP's routers will be configured to drop these private network packets, just as this router is configured to. So why have the entries in there? Don't poo poo up the link between us and the ISP with stuff they're going to drop anyway? Generally do your bit for the wider Internet and configure your edge routers not to be generating unnecessary traffic outside your network?
|
# ? Jun 18, 2009 03:11 |
|
Tony Montana posted:
You can't assume the ISP is configured to do that kind of filtering. BCP 38 goes into the reasons for edge filtering. http://tools.ietf.org/html/rfc2827
|
# ? Jun 18, 2009 03:21 |
|
Powercrazy posted:That is what Cisco has on their work laptops. I liked the Funk Odyessey client better but the SSC has integrated VPN. Do you have any specific questions? I guess my specific question is, is the 802.1x functionality juice worth the squeeze? We're seeing bulk volume pricing in the territory of $40 per seat, which in our environment, would be many many tens of thousands of dollars. I'm just looking into whether this solution is solving a problem that's worth spending the money, or whether we can get away with the native supplicant.
|
# ? Jun 18, 2009 05:03 |
|
inignot posted:You can't assume the ISP is configured to do that kind of filtering. Ok, thanks. The gist of that RFC seemed (to me) to be that an attacker could spoof a private network address as the source of their packets, which would then hit the routing tables inside the target's router and be routed to the host they want to compromise. But would their ISP route packets with a source in the private network range? Maybe the attacker owns their own links, in Russia or something, and doesn't have to go through an ISP. But wouldn't my ISP have private network filtering in place as a precaution anyway? Are you suggesting that even though my ISP probably does, just assuming that isn't the smartest security policy? I may not understand this at all, be gentle please lol
|
# ? Jun 18, 2009 05:49 |
|
Tony Montana posted:Ok, thanks. You *could* trust the upstream is doing this filter, and is watching out for you. Of course, you can trust that every link on here is work safe, and that Bob from accounting packed your parachute correctly. Honestly, the higher up you go in the aggregation layer the more expensive (in CPU/ASIC resources) it becomes to do filters like this. Now, high end routers say they are line rate on filtering ACLs, but there are still limits on many of them - so normally you want to filter at the edges, especially the smaller link size edges. There are valid reasons that your upstream may not drop the packets, and incompetence is only one of them.
|
# ? Jun 18, 2009 06:14 |
|
jwh posted:I guess my specific question is, is the 802.1x functionality juice worth the squeeze? We're seeing bulk volume pricing in the territory of $40 per seat, which in our environment, would be many many tens of thousands of dollars. Unfortunately I can't do a fair comparison because I haven't used Microsoft's, only Juniper's and Cisco's. Both did work flawlessly on our XP laptops, and as far as connectivity and ease of deployment it went really well when our IT department rolled SSC out to the whole company (60,000ish including contractors). But I'm not in your shoes and didn't have to pay for it. However from actually using it, it was transparent to the user except the icon turned green after 802.1x authentication, so I assume that is desirable? Hopefully that helps a little. If you are using a Cisco ACS server then it might be worth it to you, but if you are using standard RADIUS then I'd probably go with the cheaper option, unless of course Microsoft's quirks are going to make your life more difficult.
|
# ? Jun 18, 2009 07:46 |
|
Here's a question: I use Solaris at work and was testing our scp capability to get and put IOS files on our deployed routers. I could scp files from the 3800 series routers back to my mgmt server just fine. When I tried to go to a 7500 or 7600 series and scp the rsp.bin file back to my server it appeared to work but dropped the connection before transferring any bits. I set "ip scp server enable" and still had the same indications. What should I do to fix this? I have no problem ssh'ing to any router so tcp/22 is good, access-class on the vty is not a problem (the same list gets me the files from 3800s).
|
# ? Jun 18, 2009 11:22 |
|
Tony Montana posted:But would their ISP route packets with a source in the private network range? Routing only concerns itself with the destination address of a packet. The source address is only relevant to processes such as acls or unicast reverse path verify; which may or may not be implemented. Tony Montana posted:But wouldn't my ISP have private network filtering in place as a precaution anyway? Are you suggesting that even though my ISP probably does, just assuming that isn't the smartest security policy? Do a "show access list <whatever name or number>" and see what lines have hits. If any of the lines for filtering out private addresses have hits, then no upstream is filtering for you.
|
# ? Jun 18, 2009 12:20 |
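inignot's test above (look at which private-source deny lines in the inbound ACL have hits) is easy to automate across a fleet of edge routers. This is an added example, not code from the thread or from Cisco: it parses constructed IOS `show access-list` output (ACL name and counters are made up), converts the wildcard masks back to prefixes, and reports hits on the lines covering RFC 1918 space. One caveat the parser makes explicit: IOS only prints "(N matches)" for non-zero counters, and counters are reset by a reload or by `clear access-list counters`, so zero hits mean "not observed since then", not "the upstream filters for you".

```python
import ipaddress
import re

# Constructed sample of "show access-list" on an IOS edge router (name and counts made up).
SAMPLE_SHOW_ACL = """\
Extended IP access list FROM-ISP
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.16.0.0 0.15.255.255 any (7 matches)
    30 deny ip 192.168.0.0 0.0.255.255 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 permit ip any any (4312 matches)
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "deny ip <net> <wildcard> any" with an optional "(N matches)" suffix;
# IOS omits the suffix entirely when the counter is zero.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+deny\s+ip\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<wild>\d+\.\d+\.\d+\.\d+)"
    r"\s+any(?:\s+\((?P<hits>\d+)\s+matches?\))?\s*$"
)


def wildcard_to_network(net, wild):
    """IOS wildcard masks are inverted netmasks: 0.255.255.255 -> /8, 0.15.255.255 -> /12."""
    hostmask = int(ipaddress.ip_address(wild))
    prefixlen = 32 - hostmask.bit_length()
    return ipaddress.ip_network(f"{net}/{prefixlen}", strict=False)


def private_deny_hits(text):
    """Return {sequence: (network, hits)} for deny ACEs that overlap RFC 1918 space."""
    result = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        net = wildcard_to_network(m["net"], m["wild"])
        if any(net.subnet_of(p) or p.subnet_of(net) for p in RFC1918):
            result[int(m["seq"])] = (str(net), int(m["hits"] or 0))
    return result


def upstream_is_filtering(text):
    """False as soon as any private-source deny line has hits.
    True only means no hits were observed since the counters were last cleared."""
    return not any(hits for _, hits in private_deny_hits(text).values())


if __name__ == "__main__":
    for seq, (net, hits) in private_deny_hits(SAMPLE_SHOW_ACL).items():
        print(f"ACE {seq}: {net} -> {hits} hits")
    print("upstream appears to filter:", upstream_is_filtering(SAMPLE_SHOW_ACL))
```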
|
I'd say use SFTP. SCP is a very old protocol and, just guessing here, probably has a problem with files that are above a certain size, say 48 megs. I know that if I tried to use TFTP to upload images to a 3800 or below router it wasn't a problem, but if I tried the same thing with a 6500 or 7600 the transfer would timeout. That's the only thing I can think of. e: Hmm, a little research says you can't do SFTP in IOS, only in IOX. drat, then I'm not sure what the problem is or how you'd do what you want to do. Are you trying to transfer the images, or just the configs? If it's just the configs and it's still failing then obviously file size isn't the problem and I have no idea. If it's just the images, then why are you bothering with SCP anyway, just FTP them over. ate shit on live tv fucked around with this message at 12:44 on Jun 18, 2009 |
# ? Jun 18, 2009 12:21 |
|
inignot posted:Routing only concerns itself with the destination address of a packet. The source address is only relevant to processes such as acls or unicast reverse path verify; which may or may not be implemented. None of the private address lines ever have hits, so I guess I could conclude that it's being filtered for me and is hence unnecessary. I guess it's actually slowing things down a minuscule amount, it's a few extra lines the router has to process for every packet coming through when it's never going to match those lines. I think I really don't understand that RFC you posted. I'm going to have another run at it tomorrow, when I'm less tired. Feel free to post an insightful summary if you feel like it, hehe, but I'm genuinely interested and am happy to nut it out.
|
# ? Jun 18, 2009 14:05 |
|
Powercrazy posted:I'd say use SFTP. SCP is a very old protocol and just guessing here, probably has a problem with files that are above a certain size say 48megs. I know that if I tried to use TFTP to upload images to a 3800 or below router it wasn't a problem, but if I tried the same thing with a 6500 or 7600 the transfer would timeout. It could be an SCP bug in the version of code he's running.
|
# ? Jun 18, 2009 16:58 |
|
I had a weird problem earlier today, not sure if anyone has run into it and knows why it might be happening. I was setting up an ASA 5510 with an l2l vpn tunnel to some crappy checkpoint firewall and while it all looked good yesterday when I left (minus me forgetting to add access lists that allow access between the networks which I had planned to do today), today I come back and find that the connection between the two is broken. running a 'show crypto isakmp sa' gave me something similar to... code:
code:
This isn't something that requires high availability, but I would still like to figure out what could have caused the problem. If anyone has any clues it would be much appreciated. edit: it's possible I had the transform-set wrong in the original config but I could have sworn it wasn't showing any problems yesterday.
|
# ? Jun 18, 2009 18:47 |
|
Anyone want to give me a high-level overview of best practices for setting up a site-to-site VPN link between a PIX 515E and a 871 Integrated Services Router? The PIX is running 6.3(5), not sure about the 871 since it's at a remote site I haven't been to yet.
|
# ? Jun 23, 2009 18:29 |
|
The best practice that I use regarding PIX is to use an ASA instead.
|
# ? Jun 23, 2009 20:41 |
|
cptInsane0 posted:The best practice that I use regarding PIX is to use an ASA instead. Oh, don't think I haven't pitched the trade-in package to management.
|
# ? Jun 23, 2009 20:46 |
|
Mierdaan posted:Anyone want to give me a high-level overview of best practices for setting up a site-to-site VPN link between a PIX 515E and a 871 Integrated Services Router? The PIX is running 6.3(5), not sure about the 871 since it's at a remote site I haven't been to yet.
|
# ? Jun 24, 2009 21:58 |
|
Quick question for Pix 501 series: I recently bought one from a friend, and am able to get into the CLI for the PIX, however anything I type into the console (or read from it) is utter gibberish, eg: Mo»\ÿ[ûM½]×××íµeÅííwo{² õp7ª-\u{{×kÕï©ÿ+««~«« -ki{k}¶å k[¯Ö¯¥å©ÿ c[¿ck®¬m}«dªKc璘+ñ©ÿ«¬Ç¬«mü£¥«íµeÅííwo{² I assume this is some kind of security feature of the Pix that will protect itself in the event that it was ever physically stolen. I have double checked my console settings and everything is right with the console itself. Is there any way I can reset the PIX to its factory defaults, or disable the gibberish text? Thanks in advance.
|
# ? Jun 24, 2009 23:02 |
|
|
Wicaeed posted:Quick question for Pix 501 series: What terminal / console client? Hyperterm? TeraTerm? 9600-8-N-1? That isn't a feature to output crap text, something is wrong with your settings.
|
# ? Jun 24, 2009 23:19 |